Transcript Lesson 7

Firewalls, VPNs, and Modem Security
Lesson 07
Filters and Firewalls
• Filter -- a software program or device that monitors
incoming and outgoing packets on a computer network
to determine whether the packets should be allowed to
enter or leave a computer system.
• Firewall -- a network monitor or collection of monitors
placed between an organization’s internal network and
the Internet or between two local area networks.
Junk E-Mail Filters
• Some ISPs attempt to filter junk email
  – extra load it places on servers
  – annoyance factor
  – what if it is not junk?
• Attempts to eliminate junk e-mail
  – Check “From” field or IP address for known spammers
  – Check to see if it originated from a mail delivery agent frequently used
by spammers
• All approaches potentially eliminate valid (non-spam)
email
Web Filtering
• Used to “prevent certain materials from entering into
a system while users are browsing the Web.”
• Often offered as an alternative to legislative actions
such as the Communications Decency Act.
  – Filtering at the receiving end does not inhibit free speech
• The problem is that the filters are not completely
accurate
  – numerous reports of “inappropriate” material not being
filtered or valid info being blocked
Web Filtering
• Net Shepherd Family Search filter returned only 1% of sites returned by
non-filtered search using Alta Vista -- even though search was on items
such as “American Red Cross”, “Thomas Edison”, and “National
Aquarium”.
• One university’s filtering blocked the Edupage newsletter because of
the sentence:
“The new bill is more narrowly focused than the CDA, and is targeted strictly at
impeding the flow of commercial pornography on the World Wide Web.”
• Cybersitter blocked sites for National Organization for Women, Godiva
chocolates, and the teen website Peacefire.
• Cyber Patrol allowed 6 of the first 16 sites listed on Yahoo’s category
“Sex: Virtual Clubs”
Web Filtering
• World Wide Web Consortium approach to filtering is
based on assigned labels and ratings and is called the
Platform for Internet Content Selection (PICS)
  – does not dictate labels, instead allows groups to establish
their own.
• European Commission proposed a similar rating
scheme. Governments could develop site-rating
systems, and software would be provided that allows teachers
and parents to filter unwanted info.
• Another proposal is an adult-only domain
Firewalls
(Firewalls: The Complete Reference by Strassberg et al.)
“The computer or computers that stand between trusted
networks (such as internal networks) and untrusted
networks (such as the Internet), inspecting all traffic that
flows between them.”
• Firewalls have the following attributes:
  – All communications pass through the firewall
  – The firewall permits only traffic that is authorized
  – The firewall can withstand attacks upon itself
Firewalls
Four architectures (???)
• Rule processing on routers – earliest and simplest
• Packet Filtering – also called packet screening: decide to allow or
reject specific packets as they enter your network
• Stateful Inspection – looks at contents of packet not just header
• Application Level Gateway -- also known as proxy gateways, used to
forward service-specific traffic (e.g. email).
  – Proxies act as a middleman preventing direct connection; the proxy will take
the request and, if allowed by the policy, will forward it.
  – Proxy ‘understands’ the service and can make better filtering decisions (thus
theoretically more secure) but less flexible and more time consuming
• Circuit Level Gateway -- simply relays bytes from a port on one
system to another on an external network.
  – Connection appears to originate from firewall and not internal system
  – No direct connection between internal and external systems – but not filtered
• Hybrid Firewalls – e.g. filter some protocols, use application gateway
on others
Packet Filtering

Rule set 1:
Operation   source        port    destination   port    type
discard     bad.host      *       *             *       *
allow       our.host      25      *             *       *
discard     128.236.*.*   >1023   our.host      >1023   tcp

Rule set 2:
Operation   source        port    destination   port    type
allow       bad.host      25      our.host      25      *
discard     bad.host      *       *             *       *
allow       our.host      25      *             *       *
discard     128.236.*.*   >1023   our.host      >1023   tcp
allow       *             *       *             *       *
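The two rule tables are easiest to understand by running them. The following is an added example, not code from the lecture: a small first-match packet filter that evaluates the slide's rule sets against constructed sample packets. It assumes what the tables imply but do not say: rules are checked top to bottom, the first matching rule decides, and a packet matching no rule is discarded. Rule order is the security-relevant point: in rule set 2 the specific allow for mail from bad.host sits above the blanket discard, so swapping those two lines would silently drop that mail, and rule set 1 has no final catch-all, so its result for unmatched traffic depends entirely on the default.

```python
"""Added example (not from the lecture): a first-match packet filter that
evaluates rule tables like the two on this slide against sample packets.
Assumption: rules are checked top to bottom, the first matching rule decides,
and a packet matching no rule is discarded (default deny)."""
from fnmatch import fnmatchcase

# Each rule: (operation, source, source port, destination, destination port, type).
# Transcribed from the slide; "*" is a wildcard, ">1023" means any port above 1023.
RULE_SET_1 = [
    ("discard", "bad.host",    "*",     "*",        "*",     "*"),
    ("allow",   "our.host",    "25",    "*",        "*",     "*"),
    ("discard", "128.236.*.*", ">1023", "our.host", ">1023", "tcp"),
]

RULE_SET_2 = [
    ("allow",   "bad.host",    "25",    "our.host", "25",    "*"),
    ("discard", "bad.host",    "*",     "*",        "*",     "*"),
    ("allow",   "our.host",    "25",    "*",        "*",     "*"),
    ("discard", "128.236.*.*", ">1023", "our.host", ">1023", "tcp"),
    ("allow",   "*",           "*",     "*",        "*",     "*"),
]


def port_matches(pattern, port):
    """Match a port number against "*", ">N", "<N" or an exact number."""
    if pattern == "*":
        return True
    if pattern.startswith(">"):
        return port > int(pattern[1:])
    if pattern.startswith("<"):
        return port < int(pattern[1:])
    return port == int(pattern)


def host_matches(pattern, host):
    """Shell-style wildcard match, so "128.236.*.*" covers any address starting 128.236."""
    return fnmatchcase(host, pattern)


def filter_packet(rules, src, sport, dst, dport, proto):
    """Return (operation, index of the rule that fired); ('discard', None) if none did."""
    for index, (op, r_src, r_sport, r_dst, r_dport, r_type) in enumerate(rules):
        if (host_matches(r_src, src) and port_matches(r_sport, sport)
                and host_matches(r_dst, dst) and port_matches(r_dport, dport)
                and fnmatchcase(proto, r_type)):
            return op, index
    return "discard", None


# Constructed sample packets: (src, sport, dst, dport, type).
SAMPLE_PACKETS = [
    ("bad.host",      25,    "our.host",   25,    "tcp"),  # mail from bad.host
    ("bad.host",      4321,  "our.host",   80,    "tcp"),  # anything else from bad.host
    ("our.host",      25,    "other.host", 2000,  "tcp"),  # our mail server replying
    ("128.236.12.34", 40000, "our.host",   50000, "tcp"),  # high-port tcp from 128.236.*.*
    ("128.236.12.34", 40000, "our.host",   50000, "udp"),  # same flow, but udp
]


def decisions(rules, packets=SAMPLE_PACKETS):
    """Operation chosen for each sample packet, in order."""
    return [filter_packet(rules, *p)[0] for p in packets]


if __name__ == "__main__":
    for name, rules in (("rule set 1", RULE_SET_1), ("rule set 2", RULE_SET_2)):
        for pkt, op in zip(SAMPLE_PACKETS, decisions(rules)):
            print(f"{name}: {pkt} -> {op}")
```

Note that the udp packet from 128.236.12.34 is discarded under rule set 1 only because nothing matched it; under rule set 2 the final wildcard rule lets it through, which is exactly the kind of difference a reviewer of a real rule base should be looking for.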
Firewall Architectures
Screening router Architecture
[Diagram: Internet -- Screening Router]
Firewall Architectures
Dual-homed host Architecture
[Diagram: Internet -- Dual-homed host]
Firewall Architectures
Screened host Architecture
[Diagram: Internet -- Screening Router -- Bastion Host, with one path marked X]
Bastion Hosts
• A specially ‘armored’ and protected host.
  – May run special ‘secure’ or ‘stripped down’ version
of OS
  – Only essential services are run on it.
  – User accounts generally not permitted (admin only)
• Machines inside of the firewall should not trust
the Bastion Host.
Firewall Architectures
Screened subnet Architecture
[Diagram: Internet -- Exterior Router -- Perimeter Network (with Bastion host) -- Interior Router -- Internal Network]
So, what’s the difference between them?
• Screening router
  – very primitive, just a souped up router
• Dual-homed host (firewall)
  – Routing function turned off, external systems can’t communicate directly with
internal systems!
  – Provides services through proxies
• Screened Host
  – router provides routing and packet filtering functions
  – Bastion provides single system to heavily secure.
• Screened subnet
  – no defenses between bastion and other systems in screened host firewall, thus if
bastion compromised, the internal network is vulnerable.
  – Screened subnet adds another router to add another layer of protection. This router
can be configured to only allow certain services.
Firewall Architectures
Multiple Exterior Routers
[Diagram: two Exterior Routers, one to the Supplier Network and one to the Internet, connect to the Perimeter Network with the Bastion host; an Interior Router separates the Perimeter Network from the Lab Network and the Internal Network]
[Screenshot: Checkpoint Firewall Sample Rule Set]
[Screenshot: Cisco System PIX Firewall]
Network Address Translation (NAT)
• Firewalls can also provide NAT services
• Allows a LAN to use one set of addresses for
internal purposes and a second set for external
traffic
  – Not all systems need a globally unique IP address
    – Saves on IP addresses which is a concern for IPv4
  – Shields internal addresses from public view
Network Address Translation (NAT)
• There are a limited number of IP addresses available and
not every system needs one.
• NAT was developed to provide a means to translate private
IP addresses into public IP addresses.
– A device (typically a router or firewall) will accomplish this translation
process.
[Diagram: Firewall performs NAT]
  Outbound, inside the firewall:   Source: 10.1.1.123     Destination: 207.25.71.23
  Outbound, outside the firewall:  Source: 63.69.110.110  Destination: 207.25.71.23
  Reply, outside the firewall:     Source: 207.25.71.23   Destination: 63.69.110.110
  Reply, inside the firewall:      Source: 207.25.71.23   Destination: 10.1.1.123
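The address rewriting on the slide, as an added example that is not part of the lecture. The slide shows only address translation; this code goes one step further and implements port-based NAT (NAPT), which is how many inside hosts share the single public address 63.69.110.110 and is the form firewalls commonly implement. The inside addresses, ports and the public port range are constructed values. The design point to notice is in inbound(): a packet that matches no existing binding is dropped, which is what "shields internal addresses from public view" means in practice.

```python
"""Added example (not from the lecture): port-based NAT as a firewall performs it,
using the addresses from the slide. One public address is shared by many inside
hosts; each outbound flow gets a binding, and only traffic that matches a binding
is translated back inside. Port numbers and the public port range are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Napt:
    """Translation table: (inside ip, inside port) <-> public port on one public ip."""

    def __init__(self, public_ip, first_port=40000, last_port=40999):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.out_map = {}   # (inside ip, inside port) -> public port
        self.in_map = {}    # public port -> (inside ip, inside port)

    def outbound(self, pkt):
        """Rewrite the source of a packet leaving the LAN; None means drop (pool exhausted)."""
        key = (pkt.src, pkt.sport)
        pub_port = self.out_map.get(key)
        if pub_port is None:
            if self.next_port > self.last_port:
                return None
            pub_port = self.next_port            # first packet of a flow creates the binding
            self.next_port += 1
            self.out_map[key] = pub_port
            self.in_map[pub_port] = key
        return Packet(self.public_ip, pub_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Rewrite the destination of a packet arriving from outside; None means drop."""
        if pkt.dst != self.public_ip:
            return None
        key = self.in_map.get(pkt.dport)
        if key is None:
            return None                          # unsolicited: no inside host is exposed
        inside_ip, inside_port = key
        return Packet(pkt.src, pkt.sport, inside_ip, inside_port)


def trace():
    """The slide's exchange: 10.1.1.123 talks to 207.25.71.23 through the firewall."""
    nat = Napt("63.69.110.110")
    out_inside = Packet("10.1.1.123", 51000, "207.25.71.23", 80)   # constructed ports
    out_outside = nat.outbound(out_inside)
    reply_outside = Packet("207.25.71.23", 80, "63.69.110.110", out_outside.sport)
    reply_inside = nat.inbound(reply_outside)
    stray = nat.inbound(Packet("207.25.71.23", 80, "63.69.110.110", 40900))
    return out_outside, reply_inside, stray


if __name__ == "__main__":
    for step in trace():
        print(step)
```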
Emerging Technologies
• Consolidated Management Consoles – an attempt to
provide a single interface for the variety of security
devices an administrator may face (e.g. firewall, ACLs
on routers)
• Content vectoring – “shuffle” certain traffic off to
ancillary internal or external handlers for additional
inspection or processing.
• Multifunction Devices – integration of multiple security
products into single platform (e.g. IDS and Firewall,
firewall with router, …)

Personal Firewalls
• Designed to insulate vulnerable desktop OS from
attacks.
• Growth of residential and small-business broadband
Internet access also has increased the need for
personal firewalls.
• Spread of various Distributed Denial of Service attacks
which take advantage of unprotected platforms has also
helped to bring this issue forward.

Modem Security, Wardialing, and Telecomm Firewalls
What is the Network?
There is a growing connectivity between the Data Network and the Telephone Network.
Network security technologies have focused almost entirely on the TCP/IP network…
The weakest link is now the phone network.
The Data Network
• One pipe
• High speed
• Thousands of connections
• Controlled and monitored
• One chokepoint
… your Internet connection is just a dedicated,
high-speed telephone line.
The Telephone Network
Public Switched
Telephone Network
(PSTN)
• Thousands of pipes
• Low speed
• Uncontrolled
• Unmonitored
• No chokepoint
… think of your telephone network as thousands of
low-speed internet connections.
The TCP/IP Network
[Diagram: Attacker on the Internet; Router, Firewall and Intrusion Detection in front of the Web Server and Users]
The Actual Network
[Diagram: the same network, plus a Public Telephone Network connected to the RAS (Dial-in Servers) and the PBX]
PBX
Security in The Actual Network
[Diagram: the actual network, with an Attacker reaching it through the Public Telephone Network as well as through the Internet]
“2-4% of all telephone lines have active modems”
• Unauthorized access to ISPs
• Virus protection mechanisms can be circumvented
• Proprietary data can be uploaded by users
[Diagram: the actual network, with the three callouts above on the Public Telephone Network / RAS (Dial-in Servers) / PBX side]
Wardialers
• Step 1, Phone number footprinting
• Public Domain Wardialers
  – ToneLoc
  – THC
• Commercial
  – PhoneSweep
  – TeleSweep Secure
War Dialing the ‘Bay’
• In ’97, Peter Shipley dialed the San Francisco Bay
area looking for systems answered by a modem. He
eventually finished the entire range but the final
report hasn’t been published. Early results reported,
however, included:
  – 1.4 million numbers dialed
    – 500 an hour, 12,000 a day
  – 14,000 of the lines dialed were reportedly modems
• Some interesting results:
  – An East Bay medical facility gave unrestricted modem access to
patient records.
  – An Internet company offering financial services did not require a
password to modify its modem-accessible firewall.
  – A Fortune 100 company’s air conditioner and environmental control
units could be easily changed by modem, allowing lights to be turned off
or heating/air conditioning to be changed.
  – Only 3 of every 1000 modem lines he checked posted a warning
banner (a requirement for gov. machines).
  – Some of the welcome banners gave the name of the operating system,
release, and name of corporation.
Carrier Exploitation
Once you have a number, now what?
Check the wardialing log, you can get some clues, then dial
back.
CONNECT 57600
HP995-400:
Expected a HELLO command. (CIERR 6057)
Many default sequences (e.g. HP MPE-XL systems)
CONNECT 57600
HP995-400: HELLO FIELD.SUPPORT
PASSWORD=TeleSup
Default for pcAnywhere -- no password/userid
and…you can always try brute force password guessing if
nothing else works!
The Current Prevention Approach
• Policy
• Scanning (ad hoc War Dialing)
• Administrative Action
Current Scanning Challenge
• Window of Visibility
• Time / Scalability
• Vulnerability Measurement
• Cost (Long Distance Charges)
• Data Collection and Consolidation
• Logging / Reporting
Solution
A better approach than ad-hoc wardialing is to apply the
same type of control that is found on the IP network to the
telephone network.
Thus, the solution is a firewall for the telephone network.
A Firewall for Phone Lines
Public Switched Telephone Network (PSTN)
• One virtual pipe
• Controlled and monitored
… get your hands around the problem, and take
control of the telephone network.
Remote Enterprise-wide Telecom Firewall Protection
[Diagram: the actual network with a Telecom Firewall placed between the Public Telephone Network and the Voice, Modem and Fax lines, the RAS (Dial-in Servers) and the PBX. The Telecom Firewall can: Detect, Log, Alarm, Block. A second version of the slide adds an Attacker on the Public Telephone Network side.]
TeleWall Telecommunications Firewall
Protect Phone-to-Switch
• Telephone fraud is a tremendous problem (1999:
$5B)
• Most PBXs have a remote dial-up port for
maintenance purposes.
  – Often protected with a numeric password
• The same device used to protect against attacks
to unauthorized modems can be used to protect
the PBX as well.
PBX Hacking
• Dial-up connections are the most frequent means of
remotely managing a PBX. Also frequently used for
vendor external support.
• Just like computers with default passwords, PBXs often
have default access codes.
• What companies should do is remove defaults and, if a
problem occurs, then provide the access code to the vendor;
unfortunately…this seldom is done.

Remote Enterprise-wide Telecom Firewall Protection
[Diagram: the telecom firewall slide again (Attacker, Public Telephone Network, Telecom Firewall with Detect / Log / Alarm / Block, RAS (Dial-in Servers), PBX), now labelled DTMF Signaling Detection]
IP Telephony Security Issues
[Diagram: a User Connected Modem (IP Phone) on a 10/100 Ethernet segment with a GW, PBX and Router, connected to both the PSTN and the Internet]
Telecommunication Firewalls
• Log call progress
• Characterize call traffic
• Enforce Security and Usage Policy
• Control remote maintenance facility and port access
• Report resource utilization
• Fraud detection/prevention
• Trunk line status and usage
• Emergency notification
• ROI
• Protection of VoIP
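What the Detect / Log / Alarm / Block boxes on the preceding diagrams and the policy items in this list amount to, as an added example that is not part of the lecture or of any telecom firewall product: a small policy engine applied to constructed call records. The extensions, caller IDs, maintenance window and rules describe an assumed sample site, and the classification of each call as voice, fax or modem is assumed to have been done already by the firewall's carrier and tone detection. It covers the two cases the deck singles out: a modem answering on a line where no modem is authorized, and the PBX remote maintenance port being reached outside the vendor's window.

```python
"""Added example (not from the lecture): a telecom firewall policy applied to
constructed call records, producing the slide's Detect / Log / Alarm / Block
outcomes. Extensions, caller IDs, the maintenance window and the rules are all
assumptions for a sample site; classifying a call as voice, fax or modem is
assumed to have been done already by the firewall's carrier/tone detection."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Call:
    when: datetime
    direction: str    # "inbound" or "outbound"
    extension: str    # internal line the call uses
    caller_id: str    # remote number, "" if withheld
    call_type: str    # "voice", "fax" or "modem"


# Constructed policy for the sample site.
AUTHORIZED_MODEM_LINES = {"5500", "5501"}   # the RAS dial-in servers
PBX_MAINTENANCE_LINE = "5999"               # the PBX remote maintenance port
VENDOR_CALLER_IDS = {"+15550100"}           # numbers the vendor may call from
MAINTENANCE_HOURS = range(8, 18)            # 08:00-17:59 local time


def decide(call):
    """Return (action, alarm, reason) for one call."""
    if call.call_type in ("voice", "fax"):
        return "allow", False, "voice/fax traffic permitted"
    # Everything below carries a modem carrier.
    if call.extension == PBX_MAINTENANCE_LINE:
        if (call.direction == "inbound" and call.caller_id in VENDOR_CALLER_IDS
                and call.when.hour in MAINTENANCE_HOURS):
            return "allow", False, "vendor maintenance access inside window"
        return "block", True, "maintenance port access outside policy"
    if call.direction == "inbound" and call.extension in AUTHORIZED_MODEM_LINES:
        return "allow", False, "authorized dial-in line"
    if call.direction == "outbound":
        return "block", True, "outbound modem call (data leaving by phone line)"
    return "block", True, "modem answered on an unauthorized line"


def process(calls):
    """Log every call with the decision taken; reporting reads this log."""
    log = []
    for c in calls:
        action, alarm, reason = decide(c)
        log.append({"when": c.when.isoformat(timespec="minutes"), "ext": c.extension,
                    "dir": c.direction, "type": c.call_type, "caller": c.caller_id,
                    "action": action, "alarm": alarm, "reason": reason})
    return log


# Constructed call records for one day.
SAMPLE_CALLS = [
    Call(datetime(2024, 3, 4, 9, 5),  "inbound",  "5123", "+15550199", "voice"),
    Call(datetime(2024, 3, 4, 9, 20), "inbound",  "5500", "+15550177", "modem"),
    Call(datetime(2024, 3, 4, 9, 31), "inbound",  "5123", "",          "modem"),
    Call(datetime(2024, 3, 4, 10, 0), "inbound",  "5999", "+15550100", "modem"),
    Call(datetime(2024, 3, 4, 23, 0), "inbound",  "5999", "+15550100", "modem"),
    Call(datetime(2024, 3, 4, 13, 2), "outbound", "5123", "+15550188", "modem"),
    Call(datetime(2024, 3, 4, 14, 0), "inbound",  "5400", "+15550166", "fax"),
]


def alarms(calls=SAMPLE_CALLS):
    """Extensions that raised an alarm, in order, for the administrator's report."""
    return [e["ext"] for e in process(calls) if e["alarm"]]


if __name__ == "__main__":
    for entry in process(SAMPLE_CALLS):
        print(entry)
```

The log produced by process() is the "Log call progress" and "Characterize call traffic" output; the alarm flag is what emergency notification would key on. A real deployment would also feed the blocked-call reasons back into the ad hoc scanning the deck describes, since each alarm on an unauthorized line is a modem that was found without dialing anything.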

Extensions to Telecomm Firewalls
• Telephone bill reconciliation package.
• Secure Voice
• Secure VoIP
• Additional ‘password’ (DTMF signaling) for increased
security.
• Securing of SCADA (Supervisory Control and Data
Acquisition) systems.
Roosevelt Dam in Arizona
Virtual Private Networks (VPN)
• From WEBOPEDIA:
a network that is constructed by using public wires to
connect nodes. For example, there are a number of
systems that enable you to create networks using
the Internet as the medium for transporting data.
These systems use encryption and other security
mechanisms to ensure that only authorized users
can access the network and that the data cannot be
intercepted.
VPNs – IP security issue
TCP/IP Packet: [ IP Header | Other Headers | User Data ]
Which of these is needed for routing across the Internet?
VPNs and Tunneling
• Most VPNs use tunneling to create a private
network across the Internet. Essentially,
tunneling is the process of placing an entire
packet within another packet and transmitting
it over a network. The protocol of the outer
packet is understood by the network and both
endpoints, called tunnel interfaces, where
the packet enters and exits the network.
• Firewalls, which can be used for NAT, can
also perform VPN services: e.g. Cisco PIX VPN
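The tunneling described above, as an added example that is not code from the lecture or from any VPN product: a whole packet addressed between two private hosts becomes the payload of an outer packet addressed between the two public tunnel endpoints, so only the outer IP header is what Internet routers need (the answer to the slide's question). The receiving endpoint checks an HMAC before unwrapping, so altered or forged tunnel packets are dropped. The header layout is a simplified stand-in for a real IP header, the key and addresses are constructed, and confidentiality is deliberately left out: a real VPN encrypts the inner packet as well (IPsec ESP does both), which needs a cipher the standard library does not ship.

```python
"""Added example (not from the lecture): encapsulating a private-address packet
inside a packet addressed between two public tunnel endpoints, with an HMAC so
the receiving endpoint can reject forged or altered tunnel packets.
Confidentiality (the encryption a real VPN adds, e.g. IPsec ESP) is omitted to
keep this stdlib-only; the packet format is a simplified stand-in for IP."""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

HEADER = struct.Struct("!4s4sH")      # src address, dst address, payload length
TAG_LEN = hashlib.sha256().digest_size


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


def serialize(pkt):
    """Header (src, dst, length) followed by the payload."""
    src = ipaddress.IPv4Address(pkt.src).packed
    dst = ipaddress.IPv4Address(pkt.dst).packed
    return HEADER.pack(src, dst, len(pkt.payload)) + pkt.payload


def parse(data):
    """Inverse of serialize; rejects a payload shorter than the header claims."""
    src, dst, length = HEADER.unpack_from(data)
    payload = data[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated packet")
    return Packet(str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), payload)


def routable_on_internet(pkt):
    """Routers forward on the destination in the header they can see; private
    addresses such as 10.x.x.x are not routable across the Internet."""
    return ipaddress.IPv4Address(pkt.dst).is_global


def encapsulate(inner, tunnel_src, tunnel_dst, key):
    """Make the entire inner packet the payload of an outer packet between endpoints."""
    body = serialize(inner)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return Packet(tunnel_src, tunnel_dst, tag + body)


def decapsulate(outer, key):
    """Verify the tag, then recover the inner packet; None means drop it."""
    tag, body = outer.payload[:TAG_LEN], outer.payload[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return parse(body)


# Constructed values: a tunnel between two sites' public endpoints.
KEY = b"constructed-demo-key-not-for-real-use"
INNER = Packet("10.1.1.123", "10.2.2.7", b"private payload")
OUTER = encapsulate(INNER, "63.69.110.110", "207.25.71.23", KEY)


def tampered_copy(outer):
    """Flip one bit of the tunnel payload, as a corrupted or altered packet would show."""
    last = outer.payload[-1] ^ 0x01
    return Packet(outer.src, outer.dst, outer.payload[:-1] + bytes([last]))


if __name__ == "__main__":
    print("inner routable across the Internet:", routable_on_internet(INNER))
    print("outer routable across the Internet:", routable_on_internet(OUTER))
    print("recovered:", decapsulate(OUTER, KEY))
    print("tampered packet accepted:", decapsulate(tampered_copy(OUTER), KEY) is not None)
```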
SCADA systems
Supervisory control and data acquisition (SCADA) is a system that allows an
operator to monitor and control processes that are distributed among various
remote sites. There are many processes that use SCADA systems: hydroelectric,
water distribution and treatment utilities, natural gas, etc. SCADA systems
allow remote sites to communicate with a control facility and provide the
necessary data to control processes. For many of its uses, SCADA provides an
economic advantage. As the distance to remote sites increases and access becomes
more difficult, SCADA becomes a better alternative to an operator or
repairman visiting the site for adjustments and inspections. Distance and
remoteness are two major factors for implementing SCADA systems.
SCADA Elements
There are four major elements to a SCADA system: the operator, master
terminal unit (MTU), communications, and remote terminal unit (RTU).
[Diagram: MTU connected to RTU 1, RTU 2, RTU 3 and RTU 4]
Summary
• What is the Importance and Significance of this
material?
• How does this topic fit into the subject of “Voice
and Data Security”?