Transcript CSE331-29
CSE331:
Introduction to Networks
and Security
Lecture 29
Fall 2002
Announcements
• Project 3 is due today.
• Project 4 will be available on the web site this
afternoon.
• Homework 3 will be handed out on
Wednesday.
CSE331 Fall 2002
Recap
• Access Control (Authorization)
– Access Control Matrix
– Access Control Lists
• Today
– Capability Lists
– Firewalls
Capability Lists
A[s][o]   Obj1      Obj2      ...   ObjN
Subj1     {r,w,x}   {r,w}     ...   {}
Subj2     {w,x}     {}        ...   {r}
...       ...       ...       ...   ...
SubjM     {x}       {r,w,x}   ...   {r,w,x}
For each subject, store a list of (Object x Rights) pairs (one row of the matrix); an access control list is the other slicing, one column per object.
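The matrix above stored both ways, as an added Python example that is not part of the lecture: rows become capability lists, columns become access control lists, and the helper functions answer the audit and revocation questions the next slide raises. The subject and object names and the cell contents are constructed to match the slide.

```python
# Added example (not from the lecture): the access-control matrix A[s][o] of the
# slide stored two ways, as access control lists (one per object) and as
# capability lists (one per subject), with the audit and revocation questions
# the next slide raises. The matrix cells and subject/object names are constructed.
from typing import Dict, FrozenSet, List, Tuple

Rights = FrozenSet[str]
MATRIX: Dict[str, Dict[str, Rights]] = {
    "Subj1": {"Obj1": frozenset("rwx"), "Obj2": frozenset("rw"),  "ObjN": frozenset()},
    "Subj2": {"Obj1": frozenset("wx"),  "Obj2": frozenset(),      "ObjN": frozenset("r")},
    "SubjM": {"Obj1": frozenset("x"),   "Obj2": frozenset("rwx"), "ObjN": frozenset("rwx")},
}

def capability_lists(matrix) -> Dict[str, List[Tuple[str, Rights]]]:
    """Row-wise view: for each subject, its (Object, Rights) pairs; empty cells are omitted."""
    return {s: [(o, r) for o, r in row.items() if r] for s, row in matrix.items()}

def access_control_lists(matrix) -> Dict[str, List[Tuple[str, Rights]]]:
    """Column-wise view: for each object, its (Subject, Rights) pairs."""
    acls: Dict[str, List[Tuple[str, Rights]]] = {}
    for s, row in matrix.items():
        for o, r in row.items():
            if r:
                acls.setdefault(o, []).append((s, r))
    return acls

def check_with_clist(clists, subject, obj, right) -> bool:
    """Capability check: look only at the subject's own tickets."""
    return any(o == obj and right in r for o, r in clists.get(subject, []))

def check_with_acl(acls, subject, obj, right) -> bool:
    """ACL check: look only at the object's own list."""
    return any(s == subject and right in r for s, r in acls.get(obj, []))

def audit_subject(clists, subject) -> List[str]:
    """Easy under capabilities: one list answers 'what can this subject reach?'"""
    return sorted(o for o, _ in clists.get(subject, []))

def audit_object(clists, obj) -> List[str]:
    """Hard under capabilities: 'who can reach this object?' scans every subject's list."""
    return sorted(s for s, caps in clists.items() if any(o == obj for o, _ in caps))

def revoke_object(clists, obj) -> int:
    """Revocation under capabilities: every ticket naming obj must be found and removed."""
    removed = 0
    for s, caps in list(clists.items()):
        kept = [(o, r) for o, r in caps if o != obj]
        removed += len(caps) - len(kept)
        clists[s] = kept
    return removed
```

Both representations answer the same yes/no question; the cost difference only shows up in `audit_object` and `revoke_object`, which have to visit every subject's list, whereas under ACLs the same questions are one lookup on the object.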
Capabilities
• A capability is a (Object, Rights) pair
– Used like a movie ticket (“Harry Potter”, {view})
• Should be unforgeable
– Otherwise, subjects could get illegal access
• Authentication takes place when the
capabilities are granted (not needed at use)
• Harder to do revocation (must find all tickets)
– Capabilities can be passed from subject to subject
• Easy to audit a subject, hard to audit an
object
Implementing Capabilities
• Must be able to name objects
• Unique identifiers
– Must keep map of UIDs to objects
– Must protect integrity of the map
– Extra level of indirection to use the object
– Generating UIDs can be difficult
• Pointers
– Name changes when the object moves
– Remote pointers in distributed setting
– Aliasing possible
Unforgeability of Capabilities
• Special hardware: tagged words in memory
– Can’t copy/modify tagged words
• Store the capabilities in protected address
space
• Could use static scoping mechanism of safe
programming languages.
– Java’s “private” fields
• Could use cryptographic techniques
– OS kernel could sign (Object, Rights) pairs using a private key
– Any process can verify the capability with the kernel’s public key
– A signed capability is still a bearer token: whoever holds a copy of the bytes can present it, so copying is the delegation mechanism and also the reason revocation is hard
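The cryptographic option, as an added Python example that is not part of the lecture. The slide has the kernel sign (Object, Rights) with a private key so that any process can verify; the Python standard library has no public-key signatures, so this hypothetical kernel uses an HMAC-SHA256 tag instead, which means only the kernel (the key holder) can verify a ticket. Forgery, delegation by copying and revocation behave as the earlier slide describes; the object names and rights are constructed.

```python
# Added example (not from the lecture): capabilities kept unforgeable by a
# cryptographic tag. The slide has the kernel sign (Object, Rights) with a
# private key; this hypothetical kernel substitutes HMAC-SHA256 (stdlib only),
# so verification needs the kernel's key rather than a public key.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import FrozenSet, Iterable

@dataclass(frozen=True)
class Capability:
    obj: str
    rights: FrozenSet[str]
    tag: bytes          # kernel-issued MAC over (obj, rights)

class Kernel:
    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)    # never leaves the kernel
        self._revoked: set = set()             # objects whose tickets are void

    def _tag(self, obj: str, rights: FrozenSet[str]) -> bytes:
        # Canonical encoding so the same (obj, rights) always yields the same tag.
        msg = obj.encode() + b"\0" + ",".join(sorted(rights)).encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def grant(self, obj: str, rights: Iterable[str]) -> Capability:
        # The requesting subject is authenticated here, once; later uses of the
        # ticket are not (slide: "not needed at use").
        rights = frozenset(rights)
        return Capability(obj, rights, self._tag(obj, rights))

    def verify(self, cap: Capability) -> bool:
        if cap.obj in self._revoked:
            return False
        return hmac.compare_digest(cap.tag, self._tag(cap.obj, cap.rights))

    def access(self, cap: Capability, right: str) -> bool:
        return self.verify(cap) and right in cap.rights

    def revoke_object(self, obj: str) -> None:
        # The kernel cannot find every copy of a ticket that has been passed
        # around, so it records the revocation and re-checks at each use.
        self._revoked.add(obj)

def forge(cap: Capability, extra_right: str) -> Capability:
    """A subject edits the rights field but cannot recompute the tag."""
    return Capability(cap.obj, cap.rights | {extra_right}, cap.tag)

def delegate(cap: Capability) -> Capability:
    """Passing a capability to another subject is just copying the ticket."""
    return Capability(cap.obj, cap.rights, cap.tag)
```

The revocation set is the price of not being able to enumerate tickets: once a ticket has been copied, the only place the kernel can intervene is at verification time.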
Firewalls
[Figure: Inside -- Filter -- Gateway -- Filter -- Outside]
• Filters protect against “bad” packets.
• A gateway machine restores needed services.
• Protect services offered internally from outside access.
• Provide outside services to hosts located inside.
Possible Firewall Architecture
[Figure: External Network -- Filtering Router -- DMZ (“Demilitarized Zone”, containing the gateway hosts) -- Filtering Router -- Internal Network]
Benefits of Firewalls
• Increased security for internal hosts.
• Reduced amount of effort required to counter break-ins.
• Possible added convenience of operation
within firewall (with some risk).
• Reduced legal and other costs associated
with hacker activities.
Costs of Firewalls
• Hardware purchase and maintenance
• Software development or purchase, and
update costs
• Administrative setup and training, and
ongoing administrative costs and troubleshooting
• Lost business or inconvenience from broken
gateway
• Loss of some services that an open
connection would supply.
Kinds of Firewalls
• Filtering: operates by filtering based on
packet headers
• Circuit: operates at the level of TCP
• Application: operates at the level of the
application
Filtering Firewalls
• Filtering can take advantage of the following information from network and transport layer headers:
– Source (address)
– Destination (address)
– Source Port
– Destination Port
– Flags (e.g. ACK)
IPv4 Packet Format
• IPv4 (Version field set to “4”)
[Figure: IPv4 header, one 32-bit word per row]
  Version | Hlen | TOS | Length
  Ident | Flags | Offset
  TTL | Protocol | Checksum
  SourceAddr
  DestinationAddr
  Options (variable length) | Pad
  Other Headers and Payload
TCP and UDP packets
• Protocols support O.S. “port numbers”:
[Figure: UDP header]
  SrcPort | DstPort
  Length | Checksum
  Other Headers and Payload
[Figure: TCP header]
  SrcPort | DstPort
  SequenceNum
  Acknowledgment
  HL | 0 | Flags | Advert.Wind.
  Checksum | UrgPtr
  Options (variable)
  Other Headers and Payload
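Pulling the five filtering inputs (source, destination, source port, destination port, flags) out of raw bytes laid out as in the two header figures, as an added Python example that is not part of the lecture. The packets are constructed with the builders at the bottom; IP and transport checksums are left zero because a packet filter does not consult them, and the `struct` formats, flag-bit positions and sample addresses are the example's own.

```python
# Added example (not from the slides): extract the header fields a filtering
# firewall looks at from raw IPv4 + TCP/UDP bytes laid out as in the
# packet-format slides. Packets are constructed; checksums are left zero.
import struct
from ipaddress import IPv4Address

# TCP flag bits, lowest first, in the 16-bit HL/flags field
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]
IP_HDR = "!BBHHHBBH4s4s"   # Version/Hlen, TOS, Length, Ident, Flags/Offset, TTL, Protocol, Checksum, Src, Dst
TCP_HDR = "!HHIIHHHH"      # SrcPort, DstPort, SequenceNum, Acknowledgment, HL/flags, Advert.Wind., Checksum, UrgPtr
UDP_HDR = "!HHHH"          # SrcPort, DstPort, Length, Checksum

def parse_ipv4(buf: bytes) -> dict:
    vh, _tos, length, _ident, _flags_off, ttl, proto, _csum, src, dst = struct.unpack(IP_HDR, buf[:20])
    version, hlen = vh >> 4, (vh & 0x0F) * 4            # Hlen counts 32-bit words
    if version != 4 or hlen < 20 or len(buf) < hlen or length > len(buf):
        raise ValueError("not a well-formed IPv4 packet")
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": buf[hlen:length]}

def parse_transport(proto: int, seg: bytes) -> dict:
    if proto == 17:                                      # UDP
        sport, dport, _length, _csum = struct.unpack(UDP_HDR, seg[:8])
        return {"sport": sport, "dport": dport, "flags": frozenset()}
    if proto == 6:                                       # TCP
        sport, dport, _seq, _ack, hl_flags, _win, _csum, _urg = struct.unpack(TCP_HDR, seg[:20])
        flags = frozenset(n for i, n in enumerate(TCP_FLAG_NAMES) if hl_flags >> i & 1)
        return {"sport": sport, "dport": dport, "flags": flags}
    raise ValueError(f"no port numbers for IP protocol {proto}")

def filter_fields(packet: bytes) -> dict:
    """The five inputs a packet filter uses: src, dst, sport, dport, flags."""
    ip = parse_ipv4(packet)
    tp = parse_transport(ip["proto"], ip["payload"])
    return {"src": ip["src"], "dst": ip["dst"], "sport": tp["sport"],
            "dport": tp["dport"], "flags": tp["flags"]}

def _ip_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    # Version 4, Hlen 5 words, no options, no fragmentation, TTL 64, checksum 0.
    return struct.pack(IP_HDR, 0x45, 0, 20 + payload_len, 1, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def build_tcp_packet(src, dst, sport, dport, flags, payload=b"") -> bytes:
    """Constructed TCP/IP packet: HL = 5 words, flags drawn from TCP_FLAG_NAMES."""
    bits = sum(1 << i for i, n in enumerate(TCP_FLAG_NAMES) if n in flags)
    tcp = struct.pack(TCP_HDR, sport, dport, 1000, 0, (5 << 12) | bits, 65535, 0, 0) + payload
    return _ip_header(src, dst, 6, len(tcp)) + tcp

def build_udp_packet(src, dst, sport, dport, payload=b"") -> bytes:
    """Constructed UDP/IP packet."""
    udp = struct.pack(UDP_HDR, sport, dport, 8 + len(payload), 0) + payload
    return _ip_header(src, dst, 17, len(udp)) + udp

# Constructed samples: a SYN to an SMTP server and an NTP query (addresses made up).
SAMPLE_SYN = build_tcp_packet("10.0.0.5", "192.0.2.25", 40000, 25, {"SYN"})
SAMPLE_NTP = build_udp_packet("10.0.0.5", "192.0.2.123", 40001, 123, b"\x1b" + bytes(47))

if __name__ == "__main__":
    print(filter_fields(SAMPLE_SYN))
    print(filter_fields(SAMPLE_NTP))
```

Only the IPv4 Hlen field is honoured when locating the transport header; a real filter would also have to deal with fragments, since only the first fragment carries the port numbers.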
Three-Way Handshake
[Figure only]
TCP State Transitions
[Figure only]
Ports
• Ports are used to distinguish applications and services on a machine.
• Low numbered ports are often reserved for server listening.
• High numbered ports are often assigned for client requests.
• Port 7 (UDP,TCP): echo server
• Port 13 (UDP,TCP): daytime
• Port 20 (TCP): FTP data
• Port 21 (TCP): FTP control
• Port 23 (TCP): telnet
• Port 25 (TCP): SMTP
• Port 79 (TCP): finger
• Port 80 (TCP): HTTP
• Port 123 (UDP): NTP
• Port 2049 (UDP): NFS
• Ports 6000 to 6xxx (TCP): X11
Filter Example
Action   ourhost   port   theirhost   port   comment
block    *         *      BAD         *      untrusted host
allow    GW        25     *           *      allow our SMTP port
Apply rules from top to bottom with assumed default entry:
Action   ourhost   port   theirhost   port   comment
block    *         *      *           *      default
Bad entry intended to allow connections to SMTP from inside:
Action   ourhost   port   theirhost   port   comment
allow    *         *      *           25     connect to their SMTP
The columns say nothing about direction, so this entry matches any packet whose outside port is 25. It allows all connections from port 25, but an outside machine can run anything on its port 25!
Filter Example Continued
Permit outgoing calls to port 25.
Action   src           port   dest   port   flags   comment
allow    {our hosts}   *      *      25     *       their SMTP
allow    *             25     *      *      ACK     their replies
Every packet after the initial SYN carries ACK, so the second rule admits the rest of their side of a conversation we started, but not a fresh connection attempt from their port 25 (its SYN has no ACK).
This filter doesn’t protect against IP address spoofing.
The bad hosts can “pretend” to be one of {our hosts}.
When to Filter
[Figure: Outside -- Router -- Inside; a packet can be filtered as it enters the router (input) or as it leaves (output)]
On Input or Output
• Filtering on output can be more efficient since
it can be combined with table lookup of the
route.
• However, some information is lost at the
output stage
– e.g. the physical input port on which the packet
arrived.
– Can be useful information to prevent address
spoofing.
• Filtering on input can protect the router itself.
Recommend: Filter ASAP
Action   src   port   dest   port   comment
block    BAD   *      *      *      we don’t trust them
allow    *     *      GW     25     connect to our SMTP
allow    GW    25     *      *      our reply packets
Is preferred over:
Action   src   port   dest   port   comment
block    *     *      BAD    *      subtle difference
allow    *     *      GW     25     connect to our SMTP
allow    GW    25     *      *      our reply packets
The subtle difference: the first table drops BAD’s packets as they arrive, before the router or the gateway has to process them. The second only drops our packets addressed to BAD, so BAD can still deliver packets to GW’s SMTP port through the second rule; only our replies are lost.
Example of a Pitfall
• Filter output to allow incoming and outgoing mail, but prohibit all else.
Action   dest   port      comment
allow    *      25        incoming mail
allow    *      >= 1024   outgoing responses
block    *      *         nothing else
• Apply this output filter set to both interfaces of the router. Does it work?
• Unintended consequence: allows all communication on high numbered ports!
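The rule tables of the filter-example slides run against constructed packets, as an added Python example that is not part of the lecture. It shows the top-to-bottom first-match with the assumed default entry, why the “connect to their SMTP” entry is bad, the ACK-flag rule followed through the three packets of the three-way handshake, and the “>= 1024” pitfall next to the same table with ACK required. Host names (GW, H1, BAD, EVIL, MAIL) are made up, and the assumption that the ourhost/theirhost columns of the first slide apply to packets in either direction is the example’s own.

```python
# Added example (not from the slides): a first-match rule table in the style of
# the filter-example slides, applied to constructed packets. Host names are
# invented; OUR is the set of inside hosts, everything else is outside.
from dataclasses import dataclass
from typing import Callable, List, Tuple

OUR = {"GW", "H1"}            # our hosts; GW is the mail gateway

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()

@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "block"
    match: Callable[[Packet], bool]
    comment: str = ""

def decide(rules: List[Rule], p: Packet, default: str = "block") -> str:
    """Apply rules top to bottom; the assumed default entry is 'block'."""
    for r in rules:
        if r.match(p):
            return r.action
    return default

def our_side(p: Packet) -> Tuple[str, int, str, int]:
    """Columns of the first slide, (ourhost, port, theirhost, port), whichever way the packet flows."""
    return (p.dst, p.dport, p.src, p.sport) if p.dst in OUR else (p.src, p.sport, p.dst, p.dport)

GOOD_RULES = [
    Rule("block", lambda p: our_side(p)[2] == "BAD", "untrusted host"),
    Rule("allow", lambda p: our_side(p)[:2] == ("GW", 25), "allow our SMTP port"),
]
# The bad entry: any packet whose OUTSIDE port is 25 is allowed, in either direction.
BAD_RULES = GOOD_RULES[:1] + [Rule("allow", lambda p: our_side(p)[3] == 25, "connect to their SMTP")]

# Second slide: outgoing calls to port 25; their packets admitted only with ACK set.
ACK_RULES = [
    Rule("allow", lambda p: p.src in OUR and p.dport == 25, "their SMTP"),
    Rule("allow", lambda p: p.sport == 25 and "ACK" in p.flags, "their replies"),
]

# Pitfall slide: output filter on both interfaces, and the same table with ACK required.
PITFALL_RULES = [
    Rule("allow", lambda p: p.dport == 25, "incoming mail"),
    Rule("allow", lambda p: p.dport >= 1024, "outgoing responses"),
    Rule("block", lambda p: True, "nothing else"),
]
PITFALL_FIXED = [PITFALL_RULES[0],
                 Rule("allow", lambda p: p.dport >= 1024 and "ACK" in p.flags, "outgoing responses"),
                 PITFALL_RULES[2]]

def handshake(client, cport, server, sport) -> List[Packet]:
    """SYN, SYN-ACK, ACK of the three-way handshake."""
    return [Packet(client, cport, server, sport, frozenset({"SYN"})),
            Packet(server, sport, client, cport, frozenset({"SYN", "ACK"})),
            Packet(client, cport, server, sport, frozenset({"ACK"}))]

def demo_bad_rule() -> Tuple[str, str]:
    """Outsider EVIL binds its source port 25 and opens our X11 server: good table vs. bad table."""
    p = Packet("EVIL", 25, "H1", 6000, frozenset({"SYN"}))
    return decide(GOOD_RULES, p), decide(BAD_RULES, p)

def demo_ack_rules() -> Tuple[List[str], str]:
    """Our call to their SMTP passes all three packets; their SYN to us carries no ACK."""
    ours = [decide(ACK_RULES, p) for p in handshake("H1", 40000, "MAIL", 25)]
    theirs = decide(ACK_RULES, handshake("EVIL", 25, "H1", 6000)[0])
    return ours, theirs

def demo_pitfall() -> Tuple[str, str]:
    """A SYN from a high port to X11 on H1: 'port >= 1024' admits it; requiring ACK does not."""
    p = Packet("EVIL", 44444, "H1", 6000, frozenset({"SYN"}))
    return decide(PITFALL_RULES, p), decide(PITFALL_FIXED, p)

if __name__ == "__main__":
    print("good/bad table:", demo_bad_rule())
    print("ACK rules:", demo_ack_rules())
    print("pitfall / fixed:", demo_pitfall())
```

The spoofing caveat of the second slide is visible in the same model: `decide(ACK_RULES, Packet("H1", 5555, "MAIL", 25))` is allowed no matter which machine actually put that packet on the wire, because the filter sees only the header.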