Transcript Internet Security

Internet Security
ECT 582
Robin Burke
Outline
Homework #5
 Host security
 Firewalls
 IPsec / VPN

Homework #5

solution
Host security

Every Internet host is vulnerable to
attack


Network port is a front door to the
whole world
How to make hosts more secure?
attacks
 defenses

Attacks on Hosts





DoS
 flood host with requests to tie up resources
Authentication breach
 attack authentication system to gain access
Application vulnerability
 attack application program to inject foreign code
Virus/Trojan Horse
 attack OS with a malicious program (malware)
Social Engineering
 attack organization to obtain authentication or other
information
Denial of Service

Attacks take different forms
bogus requests
 abuse of Internet protocols


Characteristics
sudden change in system load
 services unavailable or very slow

• may cause system crash

particular hosts targeted
Defenses


Turn off unused services
 if bogus packets never received, fewer resources
used
Request throttling
 only accept requests at a certain rate
• prevent server overload, but may hamper legitimate
users

Request filtering
 only allow requests from certain hosts
 allow a fixed number of requests from a given host in
a certain period
• doesn't work against distributed attack

Most other approaches applied elsewhere in network
Authentication breach

Characteristics


attacker tries to get access by
masquerading as legitimate user
Needs user id and password
brute-force attack
 sniffing attack
 cracking attack

Authentication: brute force

Execution



user ids typically easy to find (email address,
user directory on web)
attempt all passwords
Defense


request throttling
lock-out
• stop allowing authentication after n failed trials
• can create denial of service
Authentication: sniffing

Execution



copy all network traffic
look for packets with authentication
information
Defense

use protocols in which authentication
information is encrypted
• FTPS instead of FTP
• SSH instead of telnet
• HTTPS instead of HTTP
Authentication: cracking

Execution



steal copy of encrypted password file
attempt to decrypt passwords
Defense

access control measures to prevent access
to password files
• vary by system

good passwords
• more than 8 characters
• combinations of numeric and non-alphanumeric,
upper- and lower-case
Application attack

Characteristics

application bug is exploited
• often buffer overflow

inject attacker's code into system
• code executes with application privileges

can be used to launch additional attacks
• classic "worm" behavior

Needs



knowledge of application
needs to know OS
Often downloadable tools can be used
Application attack cont'd

Defenses
attention to software security patches
 subscribe to CERT mailing list
 investigate vendor's coding practices
 incorporate security into development
methodology
 examine application logs for
unexpected activities

Malware

Characteristics

user deceived into executing
malicious code
• Many avenues: ActiveX controls, binary
email attachments, web scripts
Many tools exist to create
 Worm behavior possible

• email replication
Malware, cont'd

Defenses
 anti-virus software
• signatures must be updated regularly

email scanning
• server-based best

application settings
• IE scripting
• MS Office macros
• very problematic


user education
better solution
• less vulnerable applications / OSes
• finer grainer control
Social Engineering


Scenario
 Call up individual in company (typically a secretary or
switchboard person) Alice
 Ask for name of tech support person (Bob)
 Calls 2nd secretary Eve, claiming to work for Bob.
 Tell Eve to reset her account password to the one he
will give her.
 Eve complies and now hacker has account access
Result
 2 phone calls = security hole
Social Engineering, cont'd

Characteristics
 very easy to do
• Kevin Mitnick's favorite method

many kinds of information are sensitive
• names, job descriptions, hardware/software
configuration

Defense
 need to know
• don't give information to everyone
• what they don't know, they can't reveal

security policies
• "Let me call you back."

user education
Problematic fact

Many avenues for host security to be
compromised
simple user error is enough
 a large organization will have many
hosts

Sun Tzu on firewalls


"If [the enemy] sends reinforcements
everywhere, he will everywhere be weak"
-- The Art of War
Translation


enforcing perfect host security everywhere is
impossible
Solution


force the confrontation to take place at a
single known location
concentrate defense at that point
Firewall
A dedicated gateway machine with
special security precautions on it,
used to service outside network,
especially Internet connections and
dial-in lines. The idea is to protect a
cluster of more loosely administered
machines hidden behind it...
--- FOLDOC
Firewalls

Idea



Build security measures into a single host
Force all inbound and outbound Internet
traffic to pass through
Enables



establishing a single security policy that all
machines share
machines behind the firewall have some
protection
firewall machine can be specially configured
Firewall policies

Both in-bound and out-bound



what the outside world can do
what local users can do
Applications

which applications are accessible
• boils down to port numbers

Hosts


which hosts are accessible
Users

which users have access
Firewall features

Minimal



Better



port blocking
host blocking
configurable logging
user authentication / blocking
Best

stateful inspection
• track the progress of individual sessions
• allow only legal actions
Other features


Often implemented at the firewall
NAT
 network address translation
 internal machines can "illegal" IP addresses
• can't be reached by routing
firewall pretends to originate requests
VPN
 virtual private network
 encrypted traffic between firewall and external host
 host authenticates and then is "inside" the firewall


Limitations

Firewall only defends the connection it is on







dial-in not protected
wireless LAN not protected
walking out with a CD-ROM, etc.
Firewall can't protect against malware
Firewalls can't protect against malicious
insiders
Firewalls must be carefully configured and
closely monitored
Firewalls can lead to a false sense of
security
Firewall types
Packet-filtering
 Application-level gateway
 Circuit-level gateway

Packet-filtering

Firewall inspects packets and filters
according to a policy

usually host- and port-based
Circuit-level gateway


Firewall decides whether to allow
connection
Then just passes packets along
Application-level gateway

Firewall is a proxy for all interactions
TCP/IP Packet

Internet communication is done through
packets


A packet is a fixed-size set of bytes with a
specific format
A typical TCP/IP packet contains:


Source IP, Source Port, Destination IP,
Destination Port
Payload
• message part
Packet routing
Email
Port
Port
Browser
File
My Computer
IP address: 140.192.32.123
Web Server
Email Server
Internet
FTP Server
Remote Computer
IP Address: 207.46.249.27
Packet-Filtering Router


A router applies a set of rules to each IP packet and
forward or discards the packet
The filter is typically set up as a list of rules based on
matches to fields in the IP or TCP header
 The fields are source/destination IP address, port
number, etc.
 If there is a match to one of the rules, that rules is
invoked to determine whether to forward or discard
the packet
 If there is no match, the a default action is taken
• Default discard policy
• Default forward policy
Example
Action
Ourhost
Port
Theirhost
Port
comment
Block
*
*
*
*
Default
Action
Ourhost
Port
Theirhost
Port
comment
Block
*
*
207.46.29.27
*
We don't trust this host
Allow
140.192.32.1
25
*
*
Connection to our SMTP
port
Action
Ourhost
Port
Theirhost
Port
comment
Allow
140.192.*.*
*
*
25
Connection to their SMTP
port
Windows Firewall

Note this is a software firewall

not a dedicated firewall machine
Outbound policies




Typically less restrictive than in-bound
But – good citizenship
 make it more difficult for hackers
A packet filter can reject outbound packets with illegal
IP addresses
 could not have been legally generated inside the
network
Example
 140.192.*.* are DePaul IP addresses
 if an outbound packet has a source address of
207.34.102.2
• it is probably forged
Characteristics


Pluses
 Packet-filtering routers are simple, transparent to
users, and fast
Minuses
 The router cannot prevent attacks that employ
application-specific vulnerabilities or functions
 The logging functionality in the router is limited
 Most routers do not support advanced user
authentication schemes
 The router is vulnerable to attacks and exploits that
take advantage of flaws in TCP/IP
 The routers are susceptible to security breaches
caused by improper configurations
Circuit-Level Gateway

It does not permit end-to-end TCP connection



It can be a stand-alone system
Or, it can be a specialized function performed by
an application-level gateway for certain application
It sets up two TCP connections



One TCP connection between inner host to the
gateway
Another TCP connection between the gateway to
outside host
It relays TCP segment from one connections to
the other without examining the contents
Characteristics

Pluses



Each established connection can be logged
Can protect against some DoS attacks
Minuses


May slow establishment of TCP connections
Does not protect against attack to legal
services
• buffer overflow
Application-level gateway


Also "proxy server"
The firewall relays application-level traffic



external host contacts gateway
gateway contacts internal host
If the gateway does not support a specific
application

the service cannot be forwarded across the
firewall
Characteristics

Pluses




every operation can be inspected and
logged
user authentication can be done at the
gateway
identity of internal system is hidden
Minuses



slowest firewall
hardest to configure
costliest
Asymmetric gateway
Application-level gateway on inbound
connections
 Circuit-level gateway on outbound
connections

internal users implicitly trusted
 lower overhead

Bastion host

From firewall definition
"dedicated gateway machine"
 "special security precautions"


Precondition for gateway firewalls
need a computer to perform gateway
operations
 but this computer is the first thing
hackers will attack

Host

Secure operating system

OpenBSD
Minimal services installed
 Very restrictive authentication



one-time passwords
Often some type of write-once logging

CD-ROM, uni-directional tape
Proxy software



Specialized proxy software for each service
being gatewayed
Relay only to specific internal hosts
Each proxy process runs without disk
access



except for startup
Each proxy process runs with minimal
system privileges
Each proxy process maintains detailed logs
Example firewalls
singled-homed screened host
 dual-homed screen host
 screened-subnet

Single-homed screened host


Router allows inbound IP packets only to bastion
host, and outbound IP packets from bastion host
Bastion host performs authentication and proxy
functions
Dual-homed screen host

Bastion host has two network addresses


one internal, one external
If router is compromised, firewall host still
protects internal network
Screened-subnet


Internal network is completely separate
Internal network is invisible to Internet
Tunneling

Restrictive firewall is good for security
bad for availability
 users cannot work from home

Firewall F
Host B
X
Host A
Please access service
S on Host B
Denied. Local users
only!
internal
service
S
Tunneling cont'd


Tunnel encrypts original packet and creates a new
packet
 source = tunnel entrance
 destination = tunnel exit
Tunnel exit decrypts payload and insert packet into
local network
 as if packet had originated locally
Firewall
Please deliver
contents to
tunnel at Host F
Host A
Please access service
S on Host B
Tunnel
Host B
Tunnel
Please access
service S on
Host B
internal
service
S
Please access
service S on
Host B
IPsec

Goals
authenticate packet origins
 provide integrity for packet contents
 encrypt packets
 tunnel packets

IPsec, cont'd
Two protocols
 Authentication Header Protocol



authentication + integrity
Packet Encryption Protocol

authentication + integrity +
confidentiality
Authentication Header
Protocol

source IP cannot be spoofed
depends on secret key agreement
 based on public key certificates


message contents cannot be modified
secure hash of payload is computed
by sender
 verified by receiver

Packet Encryption Protocol
Use AHP and
 Symmetric encryption of packet
payload
 Diffie-Helman key agreement is part
of protocol

Security association

Endpoints of tunnel must agree on
protocol type
 cryptographic algorithms
 keys
 duration of key


Each packet contains an identifier

labeling the particular security
association used for that packet
VPN

Establish a tunnel between



remote user (or site)
local firewall
Requires




availability of IPsec
installing VPN software on each remote
client
VPN server at firewall, called the gateway
public key certificate for gateway
VPN, cont'd

Users
access Internet normally (dial-up,
DSL, etc.)
 then turn on VPN
 VPN has authentication procedure
 User's machine becomes part of the
internal network

• inside the firewall
VPN, cont'd


Need good authentication of users
 because once authenticated, machine becomes
virtually local
 "trusted"
Tunnel is reasonably secure
 IPsec cryptographic hash protects against
modification
 DH key exchange provides mechanism to share
secret keys
 secret key exchange prevents session hijacking
 server public key certificate protects against man-inthe-middle
Next week

Web application security

online reading