Network Security Essentials 2/e
Download
Report
Transcript Network Security Essentials 2/e
CSCE 815 Network Security
Lecture 22
Intrusions
April 10, 2003
Protocol Review
IP internet protocol – routing packets through network
TCP – connection oriented transport
UDP –
ARP – address resolution protocol ***
ICMP – internet control message protocol ***over IP
DHCP Application layer – FTP, HTTP, SMTP, SNMP, SSH
–2–
CSCE 815 Sp 03
Buffer Overflow comments
GDB
gcc –g
breakpoints
single step
info [frame, regs, …]
print [format] variable
Linux vs CYGWIN
–3–
CSCE 815 Sp 03
IP Spoofing Attacks
Spoofing means fraudulently authenticating one
machine as another
Fraudulent send IP packet to A with
source IP address field=“IP address of B”
Raw sockets Blind Spoofing: TCP handshake guessing sequence
numbers
“Exploit code for IP Smart Spoofing ”
http://www.mail-archive.com/bugtraq@securityfocus.
com/msg09855.html
–4–
CSCE 815 Sp 03
Raw Socket Creation
Reference Stevens “Unix Network Programming” Ch 25
#include <socket.h>
int sockfd;
1. Create the raw socket
sockfd = socket(AF_INET, SOCK_RAW, protocol)
2. The IP_HDRINCL socket option can be set
int on = 1;
setsocketopt(sockfd, IPPRTO_IP, IP_HDRINCL, &on sizeof(on))
3. Bind(sockfd, &addr, sizeof(addr))
4. Sendto(sockfd, sendbuf, len,0, dstAddr, dstAddrLen)
–5–
CSCE 815 Sp 03
Preventing IP Spoofing Attacks
Preventing IP spoofing
have your routers reject packets with local
addresses from the outside
also have them reject internal packets claiming to
originate from the outside
authenticate packets from inside
–6–
CSCE 815 Sp 03
ARP Spoofing
Address resolution Protocol (ARP)
IP address hardware(ethernet) address mapping
send ARP packet “who has IP address and what is
your hardware address?”
ARP cache – table of recent responses
ARP Spoofing
1. Assume IP address “a” of trusted host
2. Respond to ARP packets for address “a”
3. Sending false hardware address (I.e. the fraud’s
address)
Solution: make ARP cache static (manual updates!?!)
–7–
CSCE 815 Sp 03
ARP Spoofing
Address resolution Protocol (ARP)
IP address hardware(ethernet) address mapping
send ARP packet “who has IP address and what is
your hardware address?”
ARP cache – table of recent responses
ARP Spoofing
1. Assume IP address “a” of trusted host
2. Respond to ARP packets for address “a”
3. Sending false hardware address (I.e. the fraud’s
address)
Solution: make ARP cache static (manual updates!?!)
–8–
CSCE 815 Sp 03
DNS Spoofing
Domain Name System (DNS)
hierarchical name servers map FQDN IP address
UDP packet sent with name to name server
Chinese dissidents Spoofing
http://www.dit-inc.us/hj-09-02.html
–9–
CSCE 815 Sp 03
Web Spoofing
– 10 –
CSCE 815 Sp 03
Email Spoofing
– 11 –
CSCE 815 Sp 03
Security Myth
“The only secure computer is the one that is turned off
and unplugged”
Once connected to internet it becomes a target
So shutdown all unnecessary services.
Myth 2 “My firewall will stop the pesky crackers!”
– 12 –
CSCE 815 Sp 03
The Players, Platforms and Attacks
The Players:
The Black Hats
Script kiddies
The White Hats
Platforms of attackers
1.
2.
3.
Windows
Linux/NetBSD/FreeBSD
OpenBSD billed as “the most secure OS freely available”
Attacks
– 13 –
Denial of Service
Viruses, Trojans, malicious scripts
Web defacement
CSCE 815 Sp 03
Network Administrator Tools
Network Administration tools
(MSDOS/Windows) ipconfig
ifconfig
netstat
/etc/… not really tools as much as files
/sbin/…
Find ethernet/IP addresses
More tools
– 14 –
http://newsforge.com/newsforge/02/12/12/0232235.shtml?tid=
23
CSCE 815 Sp 03
ARP Spoofing Revisited
Linux World
/sbin
arp
Iptables, ipchains, ipfwadm
Arp comand –print the table
Ping somewhere then use arp to look at the table again
– 15 –
CSCE 815 Sp 03
What is a Firewall?
a choke point of control and monitoring
interconnects networks with differing trust
imposes restrictions on network services
only authorized traffic is allowed
auditing and controlling access
can implement alarms for abnormal behavior
is itself immune to penetration
provides perimeter defence
– 16 –
CSCE 815 Sp 03
Firewall Limitations
cannot protect from attacks bypassing it
eg sneaker net, utility modems, trusted organisations,
trusted services (eg SSL/SSH)
cannot protect against internal threats
eg disgruntled employee
cannot protect against transfer of all virus infected
programs or files
– 17 –
because of huge range of O/S & file types
CSCE 815 Sp 03
Firewalls – Packet Filters
– 18 –
CSCE 815 Sp 03
Firewalls – Packet Filters
simplest of components
foundation of any firewall system
examine each IP packet (no context) and permit or deny
according to rules
hence restrict access to services (ports)
possible default policies
– 19 –
that not expressly permitted is prohibited
that not expressly prohibited is permitted
CSCE 815 Sp 03
Firewalls – Packet Filters
– 20 –
CSCE 815 Sp 03
Attacks on Packet Filters
IP address spoofing
fake source address to be trusted
add filters on router to block
source routing attacks
attacker sets a route other than default
block source routed packets
tiny fragment attacks
– 21 –
split header info over several tiny packets
either discard or reassemble before check
CSCE 815 Sp 03
Firewalls with IPtables (Linux)
IPtables
IPchains
Netfilter
“10 minutes to an iptables-based Linux firewall”
by Joshua Drake
http://www.linuxworld.com/site-stories/2001/0920.ipchains.html
“Taming the Wild Netfilter”
September 01, 2001 by David A. Bandel
– 22 –
http://www.linuxjournal.com/article.php?sid=4815
CSCE 815 Sp 03
Firewalls with IPtables (Linux)
[root@jd root]# /sbin/iptables -h
iptables v1.2.1
Usage: iptables -[ADC] chain rule-specification [options]
iptables -[RI] chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LFZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)
Commands:
Either long or short options are allowed.
--append -A chain
Append to chain
--delete -D chain
Delete matching rule from chain
--delete -D chain rulenum
[...]
– 23 –
CSCE 815 Sp 03
Firewalls with IPtables (Linux)
No incoming traffic (tcp connections)
/sbin/iptables -A INPUT -p tcp --syn -j DROP
Accept incoming SSH (port 22) why?
/sbin/iptables -A INPUT -p tcp --syn -s 192.168.1.110/32 -destination-port 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --syn -j DROP
Add rule to allow a web server to the chain
– 24 –
/sbin/iptables -A INPUT -p tcp --syn -s 192.168.1.110/32 -destination-port 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --syn --destination-port 80 -j
ACCEPT
/sbin/iptables -A INPUT -p tcp --syn -j DROP
CSCE 815 Sp 03
Chroot Jails
References:
http://librenix.com/ general purpose security/Linux site
http://www.gsyc.inf.uc3m.es/~assman/jail/index.html
chroot environment:
– 25 –
CSCE 815 Sp 03
Chroot Implementation
– 26 –
CSCE 815 Sp 03
User-mode Linux
UML (binding problem)
http://user-mode-linux.sourceforge.net/
creates a virtual Machine
allows you to run multiple instances of Linux on the
same system at the same time
designed for a variety of purposes, such as kernel
debugging, testing applications
– 27 –
CSCE 815 Sp 03
Firewalls – Stateful Packet Filters
examine each IP packet in context
keeps tracks of client-server sessions
checks each packet validly belongs to one
better able to detect bogus packets out of context
– 28 –
CSCE 815 Sp 03
Firewalls - Application Level Gateway (or
Proxy)
– 29 –
CSCE 815 Sp 03
Firewalls - Application Level Gateway (or
Proxy)
use an application specific gateway / proxy
has full access to protocol
user requests service from proxy
proxy validates request as legal
then actions request and returns result to user
need separate proxies for each service
– 30 –
some services naturally support proxying
others are more problematic
custom services generally not supported
CSCE 815 Sp 03
Firewalls - Circuit Level Gateway
– 31 –
CSCE 815 Sp 03
Firewalls - Circuit Level Gateway
relays two TCP connections
imposes security by limiting which such connections
are allowed
once created usually relays traffic without examining
contents
typically used when trust internal users by allowing
general outbound connections
SOCKS commonly used for this
– 32 –
CSCE 815 Sp 03
Bastion Host
highly secure host system
potentially exposed to "hostile" elements
hence is secured to withstand this
may support 2 or more net connections
may be trusted to enforce trusted separation between
network connections
runs circuit / application level gateways
or provides externally accessible services
– 33 –
CSCE 815 Sp 03
Firewall Configurations
– 34 –
CSCE 815 Sp 03
Firewall Configurations
– 35 –
CSCE 815 Sp 03
Firewall Configurations
– 36 –
CSCE 815 Sp 03
Access Control
given system has identified a user
determine what resources they can access
general model is that of access matrix with
subject - active entity (user, process)
object - passive entity (file or resource)
access right – way object can be accessed
can decompose by
– 37 –
columns as access control lists
rows as capability tickets
CSCE 815 Sp 03
Access Control Matrix
– 38 –
CSCE 815 Sp 03
Trusted Computer Systems
information security is increasingly important
have varying degrees of sensitivity of information
cf military info classifications: confidential, secret etc
subjects (people or programs) have varying rights of access to
objects (information)
want to consider ways of increasing confidence in systems to
enforce these rights
known as multilevel security
– 39 –
subjects have maximum & current security level
objects have a fixed security level classification
CSCE 815 Sp 03
Bell LaPadula (BLP) Model
one of the most famous security models
implemented as mandatory policies on system
has two key policies:
no read up (simple security property)
a subject can only read/write an object if the current security level
of the subject dominates (>=) the classification of the object
no write down (*-property)
– 40 –
a subject can only append/write to an object if the current security
level of the subject is dominated by (<=) the classification of the
object
CSCE 815 Sp 03
Reference Monitor
– 41 –
CSCE 815 Sp 03
Evaluated Computer Systems
governments can evaluate IT systems
against a range of standards:
TCSEC, IPSEC and now Common Criteria
define a number of “levels” of evaluation with
increasingly stringent checking
have published lists of evaluated products
– 42 –
though aimed at government/defense use
can be useful in industry also
CSCE 815 Sp 03
Summary
have considered:
– 43 –
firewalls
types of firewalls
configurations
access control
trusted systems
CSCE 815 Sp 03