Firewalls and intrusion detection systems
Bencsáth Boldizsár
Outline
– Firewalls
– Intrusion detection systems (IDS)
Introduction
– A firewall is a system or group of systems that enforces an access control policy between networks
– Mostly the goal is to protect TCP/IP networks
– Other kinds of firewalls exist as well: between applications in a Windows environment, Java Card firewalls, etc.
– Functions:
  • Blocking traffic
  • Permitting traffic
  • Enabling secure remote connections (VPN)
  • Logging traffic
  • Content filtering (blocking): viruses, attacks
  • Network management purposes (screening the traffic etc.)
Main goals
The main goals of firewalling are
– to control unnecessary services and traffic
– to hide our internal network topology and services
– to protect against protocol errors (e.g. invalid SMTP commands can be filtered)
– to enable logging
– to control the activity of internal users
– to reduce the attack surface: every accessible point is a possible security hole, so with firewalling we minimize the accessible points and make it more difficult to mount an attack
– to make a vulnerability harder to exploit: e.g. with tftp denied it is more difficult to transfer files to the Internet after a break-in
– to separate the network into subnetworks: an intrusion will not compromise the whole system, just one subnetwork or server
A firewall is not good for…
– Stopping information flow/leakage: data can be leaked out even through DNS or e.g. HTTP tunnels. It is very hard to protect against covert channels.
– Complete protection against intrusions:
  • a single open port can be enough to gain privileged access
  • an application proxy might not stop an attack through badly formed parameters, etc.
  • an industrial spy can use the fax machine to transport secrets…
Packet filtering – disable access to unwanted services

Port scan of an unfiltered host (nmap-style output):
Port      State    Service
9/tcp     open     discard
13/tcp    open     daytime
21/tcp    open     ftp
22/tcp    open     ssh
23/tcp    open     telnet
25/tcp    open     smtp
37/tcp    open     time
79/tcp    open     finger
80/tcp    open     http
109/tcp   open     pop-2
110/tcp   open     pop-3
139/tcp   open     netbios-ssn
143/tcp   open     imap2
515/tcp   open     printer
587/tcp   open     submission
1723/tcp  open     pptp
3128/tcp  open     squid-http

Port scan with packet filtering in place (only the needed services answer; the proxy port is reported as filtered):
Port      State     Service
21/tcp    open      ftp
22/tcp    open      ssh
25/tcp    open      smtp
80/tcp    open      http
110/tcp   open      pop-3
143/tcp   open      imap2
3128/tcp  filtered  squid-http
Packet filtering
– Filtering based on the network and transport layer headers of the IP stack (addresses, ports, flags)
– Filtering rules described in a rule base
– Default permit / default deny design (default deny is the safer choice: whatever is not explicitly allowed is blocked)
– Most routers have packet filtering capabilities
A good packet filter…
– permits connections only to really needed services
– also filters internal access: a large share of intrusions come from inside (employees)
– detects anomalies, e.g. a TCP packet that belongs to no connection opened with a SYN handshake
– filters out all the services we do not use currently (not only those we don't want to show)
– hides internal network elements and architecture (NAT)
– filters services available to internal hosts (e.g. filter out streaming)
Main problem:
Stateless? Stateful? How?
Packet filtering rules are mostly based on:
– IP protocol (UDP, TCP, …)
– Source IP address
– Destination IP address
– Source/destination port (socket)
– Connection state (TCP: SYN, RST, established, … or e.g. FTP states)
– (rate control)
– (filter rules based on a time schedule: no streaming before 8 p.m.)
– incoming/outgoing interface
– etc.
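The rule criteria above and the "stateless or stateful?" question, as an added example that is not code from the lecture: a toy first-match packet filter in Python in two flavours. The stateless one only consults the rule base; the stateful one additionally keeps a connection table, so a TCP packet that has no SYN handshake behind it (the classic ACK-scan probe) is dropped and logged as an anomaly even though a rule permits that port. The rule base mirrors the iptables example later on this page (accept 23/tcp, log new connections to 110/tcp, accept 110/tcp, drop 3128/tcp, default deny); addresses, ports and flags are constructed test data, and the connection tracking is deliberately simplified (no timeouts, no FIN tracking, UDP handled statelessly).

```python
# Added example (not from the lecture): stateless vs. stateful first-match packet filter.
# Constructed rules and packets; conntrack logic is simplified for illustration.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str                           # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()  # TCP flags as seen on the wire
    iface: str = "ext"                   # incoming interface name

def is_new_tcp(p: Packet) -> bool:
    """A bare SYN (no ACK/FIN/RST) is the only legitimate opener of a TCP connection;
    this is exactly what iptables' --tcp-flags SYN,ACK,FIN,RST SYN tests."""
    return p.proto == "tcp" and p.flags == frozenset({"SYN"})

@dataclass(frozen=True)
class Rule:
    action: str                  # "accept", "drop" or "log" (log is non-terminating, like -j LOG)
    proto: str = "any"
    dport: Optional[int] = None
    iface: str = "any"
    new_only: bool = False       # match only connection openers

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.iface == "any" or self.iface == p.iface)
                and (not self.new_only or is_new_tcp(p)))

class StatelessFilter:
    """First matching terminating rule decides; nothing is remembered between packets."""
    def __init__(self, rules: List[Rule], default: str = "drop"):
        self.rules, self.default, self.log = rules, default, []

    def process(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                if r.action == "log":
                    self.log.append(f"LOG {p.src}:{p.sport} -> {p.dst}:{p.dport}/{p.proto} {sorted(p.flags)}")
                    continue
                return r.action
        return self.default

class StatefulFilter(StatelessFilter):
    """Same rule base plus a connection table. Only an accepted SYN creates an entry;
    packets of a tracked connection pass in both directions without consulting the rules."""
    def __init__(self, rules: List[Rule], default: str = "drop"):
        super().__init__(rules, default)
        self.conns: Set[Tuple[str, int, str, int]] = set()

    def process(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.proto == "tcp":
            if fwd in self.conns or rev in self.conns:    # ESTABLISHED
                if "RST" in p.flags:                       # real trackers also follow FIN and age entries out
                    self.conns.discard(fwd); self.conns.discard(rev)
                return "accept"
            if not is_new_tcp(p):                          # mid-stream packet with no handshake behind it
                self.log.append(f"ANOMALY no-state {p.src}:{p.sport} -> {p.dst}:{p.dport} {sorted(p.flags)}")
                return "drop"
        verdict = super().process(p)
        if verdict == "accept" and is_new_tcp(p):
            self.conns.add(fwd)                            # remember the accepted opener
        return verdict

RULES = [
    Rule("accept", proto="tcp", dport=23),
    Rule("log", proto="tcp", dport=110, new_only=True),
    Rule("accept", proto="tcp", dport=110),
    Rule("drop", proto="tcp", dport=3128),
]

def demo() -> dict:
    """Runs a POP3 handshake and an ACK-scan probe through both filters (constructed packets)."""
    syn, synack, ack = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    stateless, stateful = StatelessFilter(RULES), StatefulFilter(RULES)
    client_syn = Packet("tcp", "198.51.100.7", 40001, "203.0.113.10", 110, syn)
    server_synack = Packet("tcp", "203.0.113.10", 110, "198.51.100.7", 40001, synack, iface="int")
    client_ack = Packet("tcp", "198.51.100.7", 40001, "203.0.113.10", 110, ack)
    ack_probe = Packet("tcp", "192.0.2.99", 5555, "203.0.113.10", 110, ack)   # no handshake behind it
    return {
        "handshake": [stateful.process(client_syn), stateful.process(server_synack), stateful.process(client_ack)],
        "ack_probe_stateless": stateless.process(ack_probe),   # stateless filter waves it through
        "ack_probe_stateful": stateful.process(ack_probe),     # stateful filter drops and logs it
        "squid": stateful.process(Packet("tcp", "192.0.2.99", 5556, "203.0.113.10", 3128, syn)),
        "ssh_default_deny": stateful.process(Packet("tcp", "192.0.2.99", 5557, "203.0.113.10", 22, syn)),
        "udp_default_deny": stateful.process(Packet("udp", "192.0.2.99", 5558, "203.0.113.10", 53)),
        "stateful_log": stateful.log,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The difference that matters is the `ack_probe` result: with the same rule base, the stateless filter accepts an ACK-only packet to port 110 because the rule says "accept 110/tcp", while the stateful filter knows no connection to port 110 from that host was ever opened and drops it. This is why the slide says packet filtering without state is insecure.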
Application gateway
– Proxies rebuild the whole protocol (application layer gateway)
– Need to know the exact specification of the protocol in use
– Can inspect the content of the flow
– Can protect against protocol errors
– More vulnerable to DoS (a full protocol state machine is kept per connection)
– Can be more cumbersome for (internal) users (e.g. a telnet proxy)
– Lower performance
– Higher security
Packet filter vs. application gateway
– Packet filtering without state is insecure (it cannot tell a mid-stream packet from a probe)
– Stateful packet filtering is fast
– Stateful packet filtering might not protect against some protocol errors
– Application gateways are more sophisticated
– Application gateways are (mostly) not transparent, so an internal web server behind an application gateway cannot log who is downloading the page (it only sees the proxy's address)
– Modern solutions mix the two methods.
Rule sets - example
– Linux iptables (rules are evaluated in order; LOG is non-terminating, so a new connection to port 110 is logged and then accepted by the next rule; -d 0/0 means any destination):
/sbin/iptables -A INPUT -j ACCEPT -p tcp -d 0/0 -v --dport 23
/sbin/iptables -A INPUT -j LOG -p tcp -d 0/0 -v --dport 110 --tcp-flags SYN,ACK,FIN,RST SYN
/sbin/iptables -A INPUT -j ACCEPT -p tcp -d 0/0 -v --dport 110
/sbin/iptables -A INPUT -j DROP -p tcp -d 0/0 -v --dport 3128
(--tcp-flags SYN,ACK,FIN,RST SYN examines the four listed flags and matches only when SYN alone is set, i.e. a new connection attempt)
– Check Point Firewall (FW-1) – text format of the rule base (excerpt):
:rule-base ("##Standard"
  :rule (
    :src ( : Any )
    :dst ( : Any )
    :services ( : Any )
    :action ( : (accept
      :type (accept)
      :color ("Dark green")
      :macro (RECORD_CONN)
      :icon-name (icon-accept)
      :text-rid (61463)
      :windows-color (green) )
    )
– Graphical tools / ruleset generators help
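Because a first-match rule base is order dependent, the check a practitioner wants before loading it is whether every rule can actually fire. The following is an added example, not code from the lecture or from any firewall product: a small rule-base checker that reports shadowed rules (a later rule that an earlier terminating rule already covers completely: a conflict if the actions differ, merely redundant if they agree) and renders the rule base as iptables commands. The field set, the helper names and the demo rule base (the four rules from the slide plus four constructed ones) are all assumptions of the example.

```python
# Added example (not from the lecture or any product): shadowed-rule check and iptables
# rendering for an ordered first-match rule base.  Fields and demo rules are constructed.
ANY = "any"
FIELDS = ("proto", "iface", "dport", "state")   # state: "new" (bare SYN) or ANY

def rule(action, proto=ANY, iface=ANY, dport=ANY, state=ANY):
    return {"action": action, "proto": proto, "iface": iface, "dport": dport, "state": state}

def covers(broad, narrow):
    """True if every packet matched by `narrow` is also matched by `broad`:
    field by field, `broad` is a wildcard or equals `narrow`'s value."""
    return all(broad[f] == ANY or broad[f] == narrow[f] for f in FIELDS)

def shadowed_rules(rules):
    """(index, index_of_shadowing_rule, kind) for every rule that can never fire.
    LOG is non-terminating in iptables, so a LOG rule never shadows anything."""
    found = []
    for i, r in enumerate(rules):
        for j in range(i):
            earlier = rules[j]
            if earlier["action"] != "log" and covers(earlier, r):
                kind = "redundant" if earlier["action"] == r["action"] else "conflict"
                found.append((i, j, kind))
                break
    return found

def to_iptables(rules, chain="INPUT", policy="DROP"):
    """Render the rule base as iptables commands; default deny via the chain policy."""
    lines = [f"iptables -P {chain} {policy}"]
    for r in rules:
        if r["dport"] != ANY and r["proto"] not in ("tcp", "udp"):
            raise ValueError("--dport needs -p tcp or -p udp")
        if r["state"] == "new" and r["proto"] != "tcp":
            raise ValueError("--tcp-flags needs -p tcp")
        parts = [f"iptables -A {chain}"]
        if r["iface"] != ANY:
            parts.append(f"-i {r['iface']}")
        if r["proto"] != ANY:
            parts.append(f"-p {r['proto']}")
        if r["dport"] != ANY:
            parts.append(f"--dport {r['dport']}")
        if r["state"] == "new":
            parts.append("--tcp-flags SYN,ACK,FIN,RST SYN")
        parts.append(f"-j {r['action'].upper()}")
        lines.append(" ".join(parts))
    return lines

# Constructed rule base: the four rules from the page plus four more to exercise the checker.
EXAMPLE = [
    rule("accept", "tcp", dport=23),
    rule("log", "tcp", dport=110, state="new"),
    rule("accept", "tcp", dport=110),
    rule("drop", "tcp", dport=3128),
    rule("drop", "tcp", dport=110, state="new"),    # never fires: rule 2 already accepts 110/tcp
    rule("accept", "tcp", iface="eth0", dport=23),  # never fires: rule 0 already accepts 23/tcp
    rule("drop", "tcp"),                            # fine: catch-all for the remaining tcp
    rule("accept", "udp", dport=53),                # fine: no tcp rule covers udp
]

if __name__ == "__main__":
    for i, j, kind in shadowed_rules(EXAMPLE):
        print(f"rule {i} is {kind}: shadowed by rule {j}")
    print("\n".join(to_iptables(EXAMPLE)))
```

The "conflict" case is the dangerous one: the administrator believes new connections to port 110 are dropped, but the earlier accept rule wins and the drop rule is dead. Real rule-base analyzers do the same inclusion test over address ranges and port ranges; the wildcard-or-equal comparison here is the degenerate case of that.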
Architecture / Basic
[Figure: Internet – router – firewall ("filters the traffic") – Internal network]
The firewall can be a dual-homed gateway or a simple packet filter (screening router).
Elements
[Figure: dual-homed gateway (two interfaces, one towards the Internet, one towards the internal network) and single-homed gateway (one interface, on the internal network)]
gateway: application level border element, e.g. a proxy server
Packet filter only – screening router
[Figure: Internet – router with packet filter – Internal network]
Can be a single screening router
Packet filter with bastion host
[Figure: Internet – router (packet filter) – bastion host – Internal network]
Bastion host, here: a dual-homed gateway == proxy server == application level firewall
Packet filter with bastion host and internal packet filter
[Figure: Internet – router (packet filter) – bastion host (proxy firewall) – internal packet filter – Internal network]
Packet filter with bastion host, DMZ, internal packet filter
[Figure: Internet – router (packet filter) – DMZ (De-Militarized Zone) containing the bastion host (proxy firewall), mail server and web server – internal packet filter – Internal network]
Many different topologies can be considered.
Platform and other parameters
Firewall products
– Windows, Linux, Solaris, proprietary OS
– Hardened operating system
– With or without dedicated hardware (appliance)
– Working method (stateful inspection, application proxy)
– Number of interfaces
– Authentication methods
– Maximum traffic (throughput)
– Ease of use
– Price
Commercial & free products
– iptables / netfilter packet filtering
– Windows built-in port filtering (and IPsec policies, network sharing, routing, etc.)
– Check Point Firewall (FW-1): Linux, Windows, Nokia
– Cisco PIX
– Symantec Enterprise Firewall (<- Raptor)
– Secure Computing Sidewinder (incl. Gauntlet)
– Zorp (Balabit)
– NAI Firewall (Gauntlet -> Secure Computing)
– Evaluation: ICSA, Common Criteria, …
Personal firewalls
– Every single host on the Internet is a target
– Most users do not use tight security (no updates, bad passwords, no security settings)
– Attacked clients might become zombies for a DoS attack or a relay for spam and other attacks
– They need some protection
– Personal firewalls are mostly simple packet filters
– Drop incoming service requests (my Windows PC is not a file server)
– Alert on (anomalous) outgoing requests
– Can protect against trojans / information leakage / privacy problems too
– Can be integrated with virus protection
Intrusion detection systems
– Intrusion detection: detecting inappropriate, incorrect, or anomalous activity
– Misuse detection != intrusion detection (misuse detection, i.e. matching known attack patterns, is only one approach to intrusion detection)
– Host-based: operates on a (single) host
– Network-based: operates on network data flows (e.g. a network card in promiscuous mode on a dedicated host)
IDS categories (after Justin Lundy)
– In-kernel vs. userspace
– Distributed vs. atomic
– Host-based vs. network-based
– Statistical vs. signature detection
– Active vs. passive
– Proactive vs. retroactive
– Flat vs. hierarchical
Host-based IDS
– Checking log files for traces of attacks
– Checking the condition of processes
– Looking for anomalies in the authentication system (Why is X logging in from Thailand? Why is Z logging in during the weekend?)
– Checking the fingerprints (hashes) of the installed binaries (operating system integrity)
– Checking for malicious user code: possible hacker tools, rootkits
– Version (and critical security hole) checking
– Checking for invalid www request URLs in the web server's log files
– Personal firewall?
– …
Network based IDS
– On a single network element (near the firewall) or distributed: several agents are spread over the network and a central server makes the decision
– Problem: encrypted traffic cannot be analyzed (only traffic analysis and timing remain)
– Signature filters: look for various signatures. Usual attacks possess some kind of signature that identifies them
  – problem: large number of possible signatures, high traffic rate (~Gbit/s lines), large number of dropped packets, less accurate result
  – problem: signatures have to be known. Regular updates are needed and much work goes into generating "good" signatures
  – problem: polymorphic attack: one might change the attack scenario (encoding, ordering, padding) so that the signature will not match
Anomaly detection
– Mostly on a statistical basis
– Detects statistically exceptional events
– Learning: watching activity during the 'normal' state and storing patterns (who logs in, from where, when, etc.)
– Experience shows that about 90% of attacks can be considered protocol usage anomalies.
– Does not require signatures (except what it learns)
– We should carefully add knowledge about "normal" activity, such as RFC-compliant protocol state machines; it needs much work.
– A non-RFC-compliant client is not always an attacker, so we need flexibility (scoring and thresholds rather than a binary verdict)
CIDF
– Model: Common Intrusion Detection Framework
  – intrusion detection components can be reused in other systems
  – interfaces & communication protocols
– Architecture
  • Event generators (colloquially "E-boxes")
  • Event analyzers ("A-boxes")
  • Event databases ("D-boxes")
  • Response units ("R-boxes")
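The signature-filter and anomaly-detection slides and the CIDF box model, as one added example that is not code from the lecture: a toy IDS arranged as E-box, two A-boxes, D-box and R-box in Python. The E-box parses an sshd-style auth log and a Common Log Format web log into events; the signature A-box matches URL signatures after percent-decoding (so the encoded "../" of a polymorphic request still matches); the anomaly A-box learns, per user, the countries, weekday/weekend pattern and hours seen during a training period and then scores deviations ("Why is X logging in from Thailand? Why is Z logging in during the weekend?"), with a low/high severity instead of a binary verdict to give the flexibility the slide asks for; the R-box blocks only on high severity. The log lines, the three signatures, the IP-to-country table standing in for GeoIP, and the feature weights are all constructed for the demo.

```python
# Added example (not from the lecture): CIDF-shaped toy IDS.  All inputs are constructed.
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

GEO = {"203.0.113.5": "HU", "203.0.113.6": "HU", "198.51.100.77": "TH", "192.0.2.9": "US"}  # stand-in for GeoIP

# ---- E-box: event generator (sshd-style auth log and Common Log Format access log)
AUTH_RE = re.compile(r"^(?P<ts>\S+) sshd: Accepted password for (?P<user>\w+) from (?P<ip>[\d.]+)$")
WEB_RE = re.compile(r'^(?P<ip>[\d.]+) - - \[[^\]]+\] "(?P<method>\w+) (?P<url>\S+) [^"]*" (?P<status>\d+)')

def e_box(line):
    """Normalise one raw log line into an event dict; None if the line is not understood."""
    m = AUTH_RE.match(line)
    if m:
        ts = datetime.fromisoformat(m["ts"])
        return {"kind": "login", "user": m["user"], "ip": m["ip"], "country": GEO.get(m["ip"], "??"),
                "weekend": ts.weekday() >= 5, "hour": ts.hour, "raw": line}
    m = WEB_RE.match(line)
    if m:   # decode %xx first: an encoded "../" is the classic way to slip past a signature
        return {"kind": "http", "ip": m["ip"], "url": unquote(m["url"]), "raw": line}
    return None

# ---- A-box 1: signature (misuse) detection
SIGNATURES = [("dir-traversal", re.compile(r"\.\./")),
              ("passwd-fetch", re.compile(r"/etc/passwd")),
              ("cmd-exec", re.compile(r"cmd\.exe|/bin/sh", re.I))]

def signature_a_box(ev):
    if ev["kind"] != "http":
        return []
    return [{"type": "signature", "sig": name, "severity": "high", "ip": ev["ip"], "raw": ev["raw"]}
            for name, rx in SIGNATURES if rx.search(ev["url"])]

# ---- A-box 2: anomaly detection (per-user profile learned in the 'normal' period)
class AnomalyABox:
    WEIGHTS = {"country": 2, "weekend": 1, "hour": 1}   # a new country weighs more than an odd hour

    def __init__(self):
        self.profile = defaultdict(lambda: defaultdict(set))   # user -> feature -> values seen

    @staticmethod
    def features(ev):
        return {"country": ev["country"], "weekend": ev["weekend"], "hour": ev["hour"] // 4}

    def learn(self, ev):
        for k, v in self.features(ev).items():
            self.profile[ev["user"]][k].add(v)

    def analyze(self, ev):
        if ev["kind"] != "login":
            return []
        seen = self.profile[ev["user"]]
        reasons = [k for k, v in self.features(ev).items() if v not in seen[k]]
        score = sum(self.WEIGHTS[k] for k in reasons)
        if score == 0:
            return []
        # Flexibility: a single unusual attribute is only 'low'; the R-box acts on 'high' only.
        return [{"type": "anomaly", "user": ev["user"], "ip": ev["ip"], "score": score, "reasons": reasons,
                 "severity": "high" if score >= 2 else "low", "raw": ev["raw"]}]

# ---- R-box: response unit
def r_box(alert):
    if alert["severity"] == "high":
        return f"block {alert['ip']}"    # e.g. push a DROP rule to the packet filter
    return f"notify {alert['type']} {alert.get('sig') or alert.get('user')}"

# ---- D-box (event database) and the pipeline wiring the boxes together
def run_ids(training_lines, live_lines):
    anomaly = AnomalyABox()
    for line in training_lines:          # 'normal' period: learn only, never alert
        ev = e_box(line)
        if ev and ev["kind"] == "login":
            anomaly.learn(ev)
    dbox = {"events": [], "alerts": [], "responses": []}
    for line in live_lines:
        ev = e_box(line)
        if ev is None:
            continue
        dbox["events"].append(ev)
        for alert in signature_a_box(ev) + anomaly.analyze(ev):
            dbox["alerts"].append(alert)
            dbox["responses"].append(r_box(alert))
    return dbox

TRAINING = [  # constructed: weekday office-hours logins from Hungary
    "2024-02-26T08:05:00 sshd: Accepted password for zoltan from 203.0.113.5",
    "2024-02-27T09:12:00 sshd: Accepted password for zoltan from 203.0.113.6",
    "2024-02-26T10:00:00 sshd: Accepted password for xenia from 203.0.113.5",
]
LIVE = [  # constructed
    "2024-03-04T09:00:00 sshd: Accepted password for zoltan from 203.0.113.5",    # normal
    "2024-03-05T11:20:00 sshd: Accepted password for xenia from 198.51.100.77",   # why from Thailand?
    "2024-03-02T09:30:00 sshd: Accepted password for zoltan from 203.0.113.5",    # Saturday login
    '192.0.2.9 - - [04/Mar/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200',
    '192.0.2.9 - - [04/Mar/2024:10:00:05 +0000] "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 404',
    '192.0.2.9 - - [04/Mar/2024:10:00:09 +0000] "GET /scripts/%2e%2e%2f%2e%2e%2fwinnt/system32/cmd.exe?/c+dir HTTP/1.0" 404',
    "kernel: eth0: link up",                                                      # not understood, skipped
]
```

Running `run_ids(TRAINING, LIVE)` yields four high-severity signature alerts for the two attack requests (the percent-encoded one is caught only because the E-box decodes before matching), one high anomaly alert for the login from Thailand and one low anomaly alert for the Saturday login; the R-box blocks the two attacking addresses and only notifies on the weekend login. Note the standard caveat from the slides: the anomaly profile is only as good as the training data, and an attacker who was already present during training becomes "normal".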