EE579S Computer Security


EE579T
Network Security
3: Topology & Firewalls
Prof. Richard A. Stanley
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/3 #1
Thought for the Day
“Hire paranoids. Even though they have a
high false alarm rate, they discover all plots.”
Herman Kahn
Course Web Page Works!
• Another way to reach it, using a browser:
http://www.ece.wpi.edu/courses/ee579t/
• Don’t use the EE579T.html listing -- that gets you the course description
Overview of Tonight’s Class
• Review last week’s lesson
• Look at network security in the news
• Topology and Security
• Firewalls
Last Week...
• Internetworking is the interconnection of networks.
– Critical to modern networking
– Internet is an internetwork, converse is false
• Networks are based on multilayer protocols
• Most commonly used in our venues: IEEE 802.3 and TCP/IP
Network Security Last Week-1
• At least four separate vulnerabilities found in Berkeley Internet Name Domain service, used widely to provide DNS
– Mostly buffer overflow errors
– Root cause of Microsoft first problems last week
• Repeated DDoS attacks against Microsoft
Network Security Last Week- 2
• Microsoft hires external firm to provide security against hackers
– What message does this send about Microsoft security expertise?
• Ramen worm found in the wild
– Attacks Red Hat Linux 6.2/7.0
– Gains root access and executes its own code on target systems without user knowledge
Network Security Last Week- 3
• Wireless LANs moving into Starbucks
– 802.11b networking standard
– Use unlicensed 2.4 GHz band
– Is this a security issue?
• eBay hacker pleads “not guilty”
Topology
• Network topology is the view from 50,000 feet of the network interconnections
– Star
– Bus
– Ring
– Mesh
• Topology is realized using cabling or radio
Pulses Revisited
[figure: pulse waveform, amplitude vs. time]
Rectangular and Triangular Pulses
Cosine Pulses
Cabling Thoughts
• At least the third harmonic of the signaling frequency must be maintained
– 10 Mbps @ 30 MHz
– 100 Mbps @ 300 MHz
– Higher frequencies common
• UTP is the most common cabling now used
• Transmission paths are reciprocal
Bound vs. Unbound
• Bound
– Cables
– Fibers
• Unbound
– Radiated into free space
• Unbound signals can, and do, originate from bound media
Signal Characteristics
• Bound
– Typically transmitted at baseband
– AM
• Unbound
– Typically demand carrier signal
– Modulation required
• Increased complexity
• Increased opportunity to intercept
How To Intercept?
• Common argument: “The equipment to receive this signal is too complex for an interceptor to acquire or use”
– True or false?
– If true, how does a legitimate recipient receive and interpret the signal?
• Unbound signals perceived as easier to intercept than bound
Intercepting Bound Signals
• Inductive taps
• Physical taps
• Optical taps
• Illicit connections
• Stealing hard copy transcripts of sessions
• Traffic analysis
• …?
Intercepting Unbound Signals
• Intercept receivers
• Legitimate receivers
– Set up as taps
– As bogus net members
Network Equipment
• NICs
• Repeaters
• Hubs
– Repeater function
– Performs cross-connect function
– Enables star connection to bus network
– Ubiquitous in modern packet networks
Bridges
[figure: Net 1 <-> B <-> Net 2]
Bridge builds connection tables dynamically, separates traffic that doesn’t have to transit nets.
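The learning behaviour described in the caption can be shown with a small simulation. This is an added example, not from the lecture: it assumes a transparent bridge that learns station addresses from the source field of each frame (the IEEE 802.1D learning rule), filters frames whose destination is on the receiving segment, and floods frames for destinations it has not yet learned. The station names A, B, C and the port names net1/net2 are constructed. The security point it makes visible is that local Net 1 traffic does leak onto Net 2 while the table is cold, so a bridge reduces what a tap on the other segment can see but does not eliminate it.

```python
class LearningBridge:
    """Transparent bridge with a dynamically built connection table.

    Assumed behaviour (not from the lecture): learn the source address of
    every frame, forward to the learned port, filter frames that would go
    back out the port they arrived on, flood frames for unknown destinations.
    """

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}  # station address -> port it was last seen on

    def handle(self, in_port, src, dst):
        """Return the list of ports the frame is sent out on."""
        self.table[src] = in_port  # learn where src lives
        out = self.table.get(dst)
        if out is None:
            # Unknown destination: flood to every other port (this is the leak)
            return [p for p in self.ports if p != in_port]
        if out == in_port:
            # Destination is on the segment the frame came from: keep it local
            return []
        return [out]


def simulate():
    """Constructed scenario: stations A and B are on Net 1, station C on Net 2.

    Returns the per-frame forwarding decisions and the final table."""
    bridge = LearningBridge(["net1", "net2"])
    frames = [
        ("net1", "A", "B"),  # B not yet learned: flooded onto net2
        ("net1", "B", "A"),  # A known on net1: filtered, never reaches net2
        ("net1", "A", "B"),  # B now known on net1: filtered
        ("net1", "A", "C"),  # C unknown: flooded (correct, C is on net2)
        ("net2", "C", "A"),  # A known on net1: forwarded to net1 only
    ]
    decisions = [bridge.handle(*frame) for frame in frames]
    return decisions, dict(bridge.table)


if __name__ == "__main__":
    for (in_port, src, dst), out in zip(
        [("net1", "A", "B"), ("net1", "B", "A"), ("net1", "A", "B"),
         ("net1", "A", "C"), ("net2", "C", "A")], simulate()[0]):
        print(f"{src}->{dst} in on {in_port}: sent to {out or 'nowhere (filtered)'}")
```

Only the first A to B frame crosses the bridge; once both stations are in the table the conversation stays on Net 1, which is the "separates traffic that doesn't have to transit nets" property the slide refers to.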
Switches
Routers
Security Concepts
• Networks that are segmented may have increased security
• Interception of signals from both bound and unbound media not too difficult
• Illicit connections lucrative sources of information
• If topology is not secure, nothing else is
Firewalls
Where Does This Term Come From?
Firewall means a fire separation of noncombustible construction that subdivides a building or separates adjoining buildings to resist the spread of fire that has a fire-resistance rating as prescribed in the Building Code and that has structural stability to remain intact under fire conditions for the required fire-rated time.
Source: The Ontario Fire Code, § 1.2.1.2
Firewall is to Network
as
User privilege is to Operating system
What Is a Firewall?
• A router with attitude?
• A device to implement an access control policy?
• A physical device?
• A logical device?
• The preferred solution for network protection?
What Does a Firewall Do?
• Prevents outsiders from accessing your network
– except under terms of your access policy
• Analyze packets
– inbound
– outbound
• Block prohibited addresses
How Does It Work?
• Static packet filtering
• Dynamic packet filtering
• Proxy
A Simple Example
• Rules
– Hosts on protected network may establish any service sessions they wish with remote network
– Any already-established session is permitted
– Deny all other traffic
• This is a simple access control list
Consider TCP Session Setup
Firewalls Added
Established Session
Port Scan with SYN
Port Scan with FIN
Observations
• Static filtering is the most basic security measure
• Both static and dynamic filtering can deal with commonplace security problems
• Only dynamic filtering can deal with what is going on as it changes
• Cascading the two may have possibilities
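The three-rule access list from "A Simple Example", the established-session case, the SYN and FIN port-scan slides and the observations above can all be run through one small simulation. This is an added example, not from the lecture or any firewall product: it assumes the protected network is the 10.0.0.0/24 range (the 10.0.0. prefix), models the static filter as "block inbound packets that try to open a session (SYN set, ACK clear), let other inbound packets through as presumed-established", and models the dynamic filter as a table of sessions that were opened from the inside. All addresses, ports and packets are constructed.

```python
from dataclasses import dataclass

# TCP flag bits as they appear in the header's flags field
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

PROTECTED_PREFIX = "10.0.0."  # constructed: the protected network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def is_inside(ip):
    return ip.startswith(PROTECTED_PREFIX)


def static_filter(pkt):
    """Stateless filter (assumed rule set, not a particular vendor's).

    1. Anything leaving the protected network is permitted.
    2. Inbound packets are permitted unless they open a session
       (SYN without ACK): the stateless approximation of 'established'.
    3. Everything else is denied.
    """
    if is_inside(pkt.src) and not is_inside(pkt.dst):
        return "permit"
    if not is_inside(pkt.src) and is_inside(pkt.dst):
        opening = bool(pkt.flags & SYN) and not (pkt.flags & ACK)
        return "deny" if opening else "permit"
    return "deny"


class DynamicFilter:
    """Stateful filter: a session exists only if an inside host opened it."""

    def __init__(self):
        self.sessions = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def decide(self, pkt):
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags & SYN and not pkt.flags & ACK:
                self.sessions.add(key)  # rule 1: inside may open anything
            elif pkt.flags & (FIN | RST):
                self.sessions.discard(key)  # teardown closes the hole again
            return "permit"
        if not is_inside(pkt.src) and is_inside(pkt.dst):
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.sessions:
                if pkt.flags & RST:
                    self.sessions.discard(key)
                return "permit"  # rule 2: reply to a session we opened
        return "deny"  # rule 3: no matching session, no entry


def cascade(static, dynamic):
    """Static filter first, dynamic filter second; both must permit."""
    def decide(pkt):
        s = static(pkt)
        d = dynamic(pkt)  # always consulted so its session table stays current
        return "permit" if s == d == "permit" else "deny"
    return decide


def sample_traffic():
    """Constructed packets: one legitimate session, then three outside probes."""
    inside, web, prober = "10.0.0.5", "192.0.2.80", "198.51.100.9"
    return [
        Packet(inside, 40001, web, 80, SYN),        # inside host opens a session
        Packet(web, 80, inside, 40001, SYN | ACK),   # server's reply
        Packet(inside, 40001, web, 80, ACK),         # handshake completes
        Packet(prober, 55555, inside, 22, SYN),      # unsolicited SYN from outside
        Packet(prober, 55555, inside, 22, FIN),      # unsolicited FIN from outside
        Packet(prober, 55555, inside, 22, ACK),      # unsolicited ACK from outside
    ]


def run(packets, decide):
    return [decide(p) for p in packets]


if __name__ == "__main__":
    dyn = DynamicFilter()
    for pkt, s, d in zip(sample_traffic(),
                         run(sample_traffic(), static_filter),
                         run(sample_traffic(), dyn.decide)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"flags=0x{pkt.flags:02x}  static={s:6}  dynamic={d}")
```

Both filters pass the legitimate session and block the unsolicited SYN, which is the "commonplace" case. The FIN-only and ACK-only probes carry no SYN, so the static rule cannot tell them from established traffic and lets them through; the dynamic filter denies them because no inside host ever opened that session. That is the sense in which only dynamic filtering follows what is actually going on, and why the cascade is no weaker than the dynamic filter alone.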
Proxies
• A proxy is a stand-in for the real thing
• Proxy servers
– interpose themselves between the real host and the server
– are able to make routing decisions based on packet payload
– bring their own set of problems
Proxy Example
Address Translation
Proxy Client
• Benefits
– Easy to configure
– Transparent authentication
• Disadvantages
– Software deployment and maintenance
– Application compatibility
– Performance impact
– Subnets can be a problem
Java & ActiveX
• Java is a platform-independent (mostly) programming language
– Security was part of original design (sort of)
– Programs called applets
• ActiveX = specialized COM or OLE object
– Programs are ActiveX controls
– Programs created in some other language
– Major security problem
Filtering
• Proxy clients can often be set to filter Java, ActiveX, and HTML
• Problems
– Increasingly, mobile code is critical to internetworked application operation
– Knowing what to block can be a problem
– Remember the dancing pigs
Firewall OS
• Basic choices are Unix or Windows/NT
• Each has advantages & disadvantages
• No clear choice -- YOU have to decide
Logging
• Without logging, a firewall is nearly useless
• Logging needed for:
– Analyzing usage
– Analyzing attacks
– Pre-empting attacks
– Evidence
• But be careful
– Manual log reviews catch of all problems
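Because manual review does not scale, the log review the slide calls for is usually automated. Here is an added example of that, not code from the lecture or any firewall: it assumes a constructed one-line-per-decision log format (timestamp, action, protocol, source, destination, TCP flags), counts permits and denies, keeps a count of lines it could not parse rather than dropping them silently, and flags any source whose denied connection attempts reach at least a threshold number of distinct ports within a time window, which is the footprint a SYN port scan leaves in the deny log. All log lines, addresses and thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumed for this example, not any vendor's):
# "<Mon> <DD> <HH:MM:SS> fw <permit|deny> tcp <src>:<sport> -> <dst>:<dport> flags=<flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) fw (?P<action>permit|deny) tcp "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"flags=(?P<flags>\S+)$"
)

# Constructed sample: one legitimate session, six probes in three seconds from
# one source, two isolated denies from another, and one malformed line.
SAMPLE_LOG = """\
Feb 12 21:03:11 fw permit tcp 10.0.0.5:40001 -> 192.0.2.80:80 flags=S
Feb 12 21:03:11 fw permit tcp 192.0.2.80:80 -> 10.0.0.5:40001 flags=SA
Feb 12 21:03:12 fw deny tcp 198.51.100.9:55555 -> 10.0.0.5:21 flags=S
Feb 12 21:03:12 fw deny tcp 198.51.100.9:55555 -> 10.0.0.5:22 flags=S
Feb 12 21:03:13 fw deny tcp 198.51.100.9:55555 -> 10.0.0.5:23 flags=S
Feb 12 21:03:13 fw deny tcp 198.51.100.9:55555 -> 10.0.0.5:25 flags=S
Feb 12 21:03:14 fw deny tcp 198.51.100.9:55555 -> 10.0.0.5:80 flags=S
Feb 12 21:03:14 fw deny tcp 198.51.100.9:55555 -> 10.0.0.5:443 flags=S
Feb 12 21:05:40 fw deny tcp 203.0.113.7:33000 -> 10.0.0.5:22 flags=S
Feb 12 21:40:02 fw deny tcp 203.0.113.7:33001 -> 10.0.0.5:23 flags=S
this line is not in the expected format
"""


def parse_line(line, year=2001):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # syslog-style stamps carry no year; the caller supplies it
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def review(log_text, min_ports=5, window=timedelta(seconds=60)):
    """Return (action counts, number of unparsable lines, suspected scanners).

    A source is a suspected scanner if its denied attempts cover at least
    `min_ports` distinct destination ports inside any `window`-long span.
    """
    counts = defaultdict(int)
    unparsed = 0
    denied = defaultdict(list)  # src -> [(timestamp, dport), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # a malformed line is itself worth knowing about
            continue
        counts[rec["action"]] += 1
        if rec["action"] == "deny":
            denied[rec["src"]].append((rec["ts"], rec["dport"]))

    scanners = {}
    for src, events in denied.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # sliding window anchored at each event; events are time-ordered
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= min_ports:
                scanners[src] = sorted(ports)
                break
    return dict(counts), unparsed, scanners


if __name__ == "__main__":
    counts, unparsed, scanners = review(SAMPLE_LOG)
    print("decisions:", counts, "| unparsable lines:", unparsed)
    for src, ports in scanners.items():
        print(f"suspected scan from {src}: ports {ports}")
```

The second source touches two ports thirty-seven minutes apart and is not flagged; that is the policy question the next slide raises, since the threshold and window are only meaningful against a stated access policy. The unparsed-line count matters for the evidence use of logs: a review that quietly skips lines cannot say what it did not see.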
Policy
• Needed to configure firewall
• Essential to interpret log files
• Needed to support evidence
– If it wasn’t contrary to policy, what was wrong?
– Did we do what we should have done to secure the system?
• Policy has to come first!
Summary
• Attacking the network topology is basic, and not limited to the network media
• Firewalls can be a useful security tool
– Control access to/from network segments
– Filter traffic by type, source/destination, content
– Provide logs of activity
• Firewalls are not a panacea, and can even be dangerous if not properly configured
Homework - 1
1. Research the available commercial firewall products. Choose three that run on either Unix or NT. Compare and contrast these by their mode(s) of operation and ease of configuration. For each, indicate if it performs static and/or dynamic packet filtering, and if it is capable of proxy firewall operations.
Homework - 2
2. For the products you selected in Question 1, research the known vulnerabilities and shortcomings of these products. How would you counter these vulnerabilities?
3. How would you analyze the log file of any one of the firewalls you have chosen? Find and evaluate at least one product that is capable of log file review and analysis.
Homework - 3
4. Your organization has installed a 100BaseT network using UTP cabling. You are concerned about its security. How would you attack this network? How would you counter these attacks? How could you know if these attacks had been attempted or had succeeded?
Assignment for Next Week
• Read course text, Chapters 9 and 10
• Next week’s topic: Authentication, Encryption, and VPNs