ECE579S-Class 4_2011 - Electrical & Computer Engineering

ECE579S:
Computer and Network Security
4: Network Security Issues
Professor Richard A. Stanley, PE
Spring 2011
© 2000-2011, Richard A. Stanley
ECE579S/4 #1
Last time...
• System design should be based on
simplicity and restriction
• Developing secure systems is hard, but
security needs to be designed in, not bolted
on later
• Covert channels are a serious problem, and
steganography is the current method of
choice
Thought for the Day
“When computers (people) are networked, their power
multiplies geometrically. Not only can people share all that
information inside their machines, but they can reach out
and instantly tap the power of other machines (people),
essentially making the entire network their computer.”
Scott McNealy, CEO, Sun Microsystems
Threats and Vulnerabilities
• Threats are “just there”
• Vulnerabilities occur due to design choices
we make along the way
• They are not the same thing!
• Risks occur at the intersection of threats
and vulnerabilities with the assets we are
trying to protect
Vulnerability Assessment
• What is it?
• Why do we care?
• Whose job is it?
• How good a job do we have to do?
• How can we describe vulnerabilities?
– OVAL
Warning!
• In this lecture, we will discuss techniques for
enumerating and attacking networks. This
discussion is intended to help you understand how
to protect networks, and is not a recommendation
for or approval of this sort of activity.
• Under no circumstances should you scan or
otherwise probe a network without the explicit
authorization of its management. Doing so could
violate U.S. Federal law (18 USC § 1030).
How To Rob a Bank
• Just walk in and demand the money
– Where is the bank?
– How do you know there is any money?
– Where to park the getaway car?
– Are there any guards or surveillance devices?
– Will you need a disguise?
– What kinds of things might go wrong?
– What if they say “NO”?
Success Requires Planning
• Whether robbing a bank or breaching
network security, you need to plan ahead
• Planning ahead is known as vulnerability
assessment
– Acquire the target (case the joint)
– Scan for vulnerabilities (find the entry points)
– Identify poorly protected data (shake the doors)
Information in Plain Sight
• Lots of valuable information is just lying
around waiting to be used
– telephone directories
– company organization charts
– business meeting attendee lists
– promotional material
• The Internet has made having a company
web page the measure of being “with it”
Target: FBI
[slide images not included in transcript]
You get the idea
• There is a lot of information out there, and it
is readily available to anyone
• Good intelligence usually consists of open
source material properly collated
• Law enforcement used to have special
access to this sort of information--now it’s
out on the ‘net
• Network access speeds up the rate at which
good intelligence can be collected
Determine Your Scope
• Check out the target’s web page
– physical locations
– related companies or entities
– merger/acquisition news
– phone numbers, contact information
– privacy or security policies
– links to other related web servers
– check the HTML source code
Refine Your Search
• Run down leads from the news, etc.
– Search engines are a good way
– Check USENET postings
– Use advanced search capabilities to find links
back to target
• Search on “worcester polytechnic security” gives ~
32,400 hits
Use the Government
• EDGAR
– SEC site (www.sec.gov/edgarhp.htm)
– Search for 10-Q and 10-K reports
– Try to find subsidiary organizations with
different names
• Think about what your organization has on
databases available to the public
Zero In On The Networks
• InterNIC
– http://www.internic.net/
– Organization
– Domain
– Network
– Point of contact
• www.networksolutions.com
• www.arin.net
Query on Found Data
• POC
– May be (often is) POC for other domains
– Query for email addresses
• Search for @wpi.edu (harder to do than earlier)
• Scan found items for addresses and try them out
Query the DNS
• Insecure DNS configuration can reveal
information that should be kept confidential
• Zone transfers are popular attack
methodologies
– nslookup often used
– pipe output to a text file
– review the text file at your leisure
– select potential “good targets” based on data
Map Network Connectivity
• traceroute
– Unix and Win/NT
– tracert in NT for file name legacy reasons
– Shows hops from router to destination
• Graphical tools exist, too
– VisualRoute
– www.visualroute.com
Detailed Scanning
• Network ping sweeps
– Who is active?
– Automated capabilities with some tools
• ICMP queries
– Reveal lots of information on systems
• System time
• Network mask
Port Scanning
• Identify running services
• Identify OS
• Identify specific applications of a service
• Very popular
• Very simple
• Very dangerous
Some Port Scan Types
• Connect Scan--completes 3-way handshake
• SYN--should receive SYN/ACK
• FIN--should receive RST on closed ports
• Xmas tree--sends FIN, URG, PSH; should receive
RST for closed ports
• Null--turns off all flags; target should send back
RST for closed ports
• UDP--port probably open if no “ICMP port
unreachable” message received
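The flag patterns listed above are exactly what a capture sensor or IDS keys on to spot a scan. The following is an added example (not course material): it maps each scan type to its flag combination, records the RFC 793 reply the slide gives for each, and reports sources that hit many ports with probe-shaped packets. The packets and addresses are constructed.

```python
"""Classify TCP probe packets by their flag combination.

Added example, not course material: it turns the scan types on the slide
(SYN, FIN, Xmas tree, Null) into the flag patterns a capture sensor sees,
states the RFC 793 reply the slide describes for each, and reports sources
that hit many ports with probe-shaped packets. Sample packets are constructed.
"""
from collections import Counter

# TCP header flag bits (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_probe(flags):
    """Name the probe type a packet's flags suggest.

    A bare SYN opens both a connect scan and a half-open SYN scan; the two
    differ only in whether the handshake is completed, so both map to "syn".
    """
    if flags == SYN:
        return "syn"
    if flags == 0:
        return "null"
    if flags == FIN:
        return "fin"
    if flags == FIN | PSH | URG:
        return "xmas"
    return "normal"


def expected_reply(probe, port_open):
    """Reply that RFC 793 behaviour produces, as listed on the slide."""
    if probe == "syn":
        return "SYN/ACK" if port_open else "RST"
    if probe in ("fin", "xmas", "null"):
        # Closed ports answer RST; an RFC-conformant open port stays silent.
        return "none" if port_open else "RST"
    return "n/a"


def scan_report(packets, min_ports=5):
    """Summarise sources that sent probe-shaped packets to >= min_ports ports.

    packets: iterable of (src_ip, dst_port, tcp_flags). Returns
    {src_ip: {"kinds": {probe_type: count}, "ports": distinct_port_count}}.
    """
    seen = {}
    for src, dport, flags in packets:
        kind = classify_probe(flags)
        if kind == "normal":
            continue
        entry = seen.setdefault(src, {"kinds": Counter(), "ports": set()})
        entry["kinds"][kind] += 1
        entry["ports"].add(dport)
    return {src: {"kinds": dict(e["kinds"]), "ports": len(e["ports"])}
            for src, e in seen.items() if len(e["ports"]) >= min_ports}


# Constructed capture: one ordinary web client and one Xmas/Null sweep.
SAMPLE_PACKETS = (
    [("10.0.0.5", 443, SYN), ("10.0.0.5", 443, ACK), ("10.0.0.5", 443, PSH | ACK)]
    + [("203.0.113.9", p, FIN | PSH | URG) for p in (21, 22, 23, 25, 80)]
    + [("203.0.113.9", p, 0) for p in (110, 143)]
)

if __name__ == "__main__":
    for src, info in scan_report(SAMPLE_PACKETS).items():
        print(src, info)
```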
Identify Running Services
• nmap
• netcat
• udp_scan (and others from SATAN)
• Using SYN scan is usually stealthy
• Beware of DoS results
OS Detection
• Stack fingerprinting
– Vendors interpret RFCs differently
• Example:
– RFC 793 states correct response to FIN probe is none
– Win/NT responds with FIN/ACK
• Based on responses to specific probes, possible to
make very educated guesses as to what OS running
– Nmap database so accurate, it is used in commercial
products (e.g. eEye Retina scanner)
– Automated tools to make this easy!
• Nmap (www.insecure.org/nmap/)
Enumeration
• Try to identify valid user accounts on poorly
protected resource shares, e.g. on Windows-based
systems
– net view
• lists domains on network
• can also list shared resources
– nltest -- identifies primary & backup domain controllers
– SNMP
– open a telnet connection
Automated, Graphical Tools
• Can trace network topology very accurately
– ID machines by IP, OS, etc.
– Makes attack much easier
• No shortage of possible tools
– Frequent additions to list
– One source:
http://www.slac.stanford.edu/xorg/nmtf/nmtf-tools.html
Many Other Scanners
• eEye Retina Scanner
– http://www.eeye.com/html/resources/tours/retina/index.html
• Nessus
– Unix-based system and network scanner
• NeWT
– Windows port of Nessus with graphical frontend
– http://www.tenablesecurity.com/products/newt.shtml
• …and lots more. Google is your friend.
Network Based Attacks
Oldies and Goodies--It Isn’t Magic
Word of Warning
• Some of the attacks about to be described
are as old as network attacks themselves
– This doesn’t make studying them a waste of
time
– There is nothing new under the sun -- old
attacks keep popping up in new clothes
“Those who do not study history are condemned
to repeat it.”
George Santayana
Getting Fingered
Aimee Girard (agirard)
Home: /usr3/agirard
Shell: /sh/tcsh
Building: Unknown
Work phone: Unknown
Home phone: Unknown
Directory: /usr3/agirard
Shell: /sh/tcsh
No unread mail.
Aimee Girard has never logged on.
No plan.

Andrew George Marut (agmarut)
Home: /usr2/agmarut
Shell: /sh/tcsh
Building: Unknown
Work phone: Unknown
Home phone: Unknown
Directory: /usr2/agmarut
Shell: /sh/tcsh
Mail forwarded to:
[email protected]
Andrew George Marut (agmarut) is not presently logged in.
Last seen on ece.wpi.edu at Tue Mar 27 03:06:03 2001
Do You Know Who?
ece(ttyp9):~> who
crcalvo  ttyp0  Mar 14 17:52
rcl      ttyp1  Mar 20 07:53
renato   ttyp2  Mar 20 08:38
anshul   ttyp4  Mar 20 09:18
pavan    ttyp5  Mar 19 04:08
lavanya  ttyp6  Mar 20 08:53
clements ttyp7  Mar 20 09:45
aelliott ttyp8  Mar 20 10:46
rstanley ttyp9  Mar 20 12:18
bram     ttypa  Mar 20 10:42
gaubatz  ttypb  Mar 20 10:42
TCP Review
[slide images not included in transcript]
TCP Actions
• Assumes IP addresses are valid and correct
• If sequence number received ≠ sequence
number expected, packet is refused
(discarded), system waits for correctly
numbered packet
Sequence Number Prediction
• Determine server’s IP address
– Sniffing packets
– Trying host numbers in order
– Connect w/browser, observe address in status
• Try addresses in the server’s address space
• Monitor packet sequence numbers
• Predict and spoof the next sequence number
– Hacker now appears to be a legitimate user
Purpose, Detection & Defense
• Once on net as an internal user, hacker can
use net as a base for other attacks, or to
access information on the net just spoofed
• Detection: look for sequential “Access
denied” entries in the audit log
• Prevention: if available, enable real-time
notification of large number of sequential
access denial entries
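The detection hint on the slide (a run of sequential “Access denied” entries) is easy to automate. Below is an added example, not course material: it scans audit log lines and reports any source that produced a run of consecutive denials inside a short window. The log format, timestamps and addresses are constructed for the example.

```python
"""Flag bursts of consecutive 'Access denied' audit entries.

Added example, not course material. A spoofer guessing sequence numbers
leaves a run of rejected attempts in the audit log; this scanner reports any
source with at least min_run denials in a row inside a short time window.
The log format and entries are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed format: "<ISO-8601 timestamp> <source ip> Access denied|granted"
LINE_RE = re.compile(r"^(\S+) (\S+) (Access (?:denied|granted))$")


def parse_log(lines):
    """Yield (timestamp, src, result) for well-formed lines; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def _close_run(open_runs, src, found, min_run):
    """Finish the open run for src and report it if it is long enough."""
    run = open_runs.pop(src, None)
    if run and run["count"] >= min_run:
        found.append((src, run["count"], run["start"], run["last"]))


def find_denial_runs(lines, min_run=5, window=timedelta(seconds=10)):
    """Return [(src, count, first_ts, last_ts)] for every source that produced
    min_run or more consecutive denials within `window` of the run's first
    entry. A granted access from the same source ends its run."""
    found, open_runs = [], {}
    for ts, src, result in parse_log(lines):
        if result == "Access granted":
            _close_run(open_runs, src, found, min_run)
            continue
        run = open_runs.get(src)
        if run is None or ts - run["start"] > window:
            _close_run(open_runs, src, found, min_run)
            open_runs[src] = {"count": 1, "start": ts, "last": ts}
        else:
            run["count"] += 1
            run["last"] = ts
    for src in list(open_runs):
        _close_run(open_runs, src, found, min_run)
    return found


# Constructed audit excerpt: one legitimate user and one source hammering.
SAMPLE_LOG = [
    "2011-03-20T10:42:00 10.0.0.12 Access granted",
    "2011-03-20T10:42:01 198.51.100.7 Access denied",
    "2011-03-20T10:42:02 198.51.100.7 Access denied",
    "2011-03-20T10:42:02 10.0.0.12 Access denied",
    "2011-03-20T10:42:03 198.51.100.7 Access denied",
    "2011-03-20T10:42:04 198.51.100.7 Access denied",
    "2011-03-20T10:42:05 198.51.100.7 Access denied",
    "2011-03-20T10:42:06 198.51.100.7 Access denied",
    "2011-03-20T10:42:07 198.51.100.7 Access denied",
    "2011-03-20T10:42:08 198.51.100.7 Access denied",
    "2011-03-20T10:42:09 10.0.0.12 Access granted",
    "malformed line that the parser ignores",
]

if __name__ == "__main__":
    for src, count, first, last in find_denial_runs(SAMPLE_LOG):
        print(f"ALERT {src}: {count} consecutive denials "
              f"{first:%H:%M:%S}-{last:%H:%M:%S}")
```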
SYN Flood
• Send a normal SYN packet to a server, as if
to open a TCP connection
• When the server returns a SYN/ACK
packet, ignore it
• Send another SYN packet to the server
• Repeat as necessary
• ...until server cannot handle any more
FINish, But Don’t Start
• Attacker sends FIN packet to server, but has
not previously established a TCP connection
• Server replies with RST packet
• Attacker now knows that port on that server
is alive and functioning
Passive Sniffing
• Hacker obtains access to network segment;
observes and analyzes traffic
– Unauthorized access to legitimate computer
(packet monitors standard Windows fixture)
– Unauthorized added NIC on segment
• Purpose: gather intelligence, read traffic
• Defense:
– Secure authentication schemes (Kerberos)
– Data encryption
Desynchronization Attacks
• Hacker forces both ends of TCP session into
a desynchronized state
• Hacker then uses a third-party host (a
computer connected to the physical segment
under attack) to intercept original packets
and create acceptable replacement packets
that mimic the real ones that would have
been exchanged
• NB: desynchronized ≠ disconnected
ACK Storm
• Primary flaw of desynchronization attack
• Receipt of unacceptable packet generates ACK
packet to source with expected sequence number
– First ACK packet from server contains server’s own
sequence number
– Client refuses packet, because it did not initially send
the modified-request packet
– Client now sends its own ACK packet, and ...
The End of the Storm
• In theory, the ACK storm is an infinite loop
• BUT…
– If ACK packet lost, no further ACK is sent,
because the packet contains no data payload
– TCP communicates over a lossy network (i.e.
packets will get lost)
– With non-zero packet loss, storm quickly ends
– Self-regulating
More ACK Info
• All networks lose packets, so retransmission
occurs
• When an active attack such as described
before occurs, even more retransmission
occurs than in the normal course of events
• Extra packets due to the ACK storms
• One data packet can generate 10-300 empty
ACK packets
Detecting Attacks
• Detect desynchronized states
– Use packet reader (i.e., a sniffer) to view
sequence numbers at both ends of a connection
– Sequence numbers show if desynchronized
• Packet percentage counting
– Collect statistics on normal network operations
– Use statistics to detect packet storms resulting
from attacks
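Both checks on this slide can be run over a packet trace captured at the two ends of a connection. The code below is an added example, not course code: it computes the per-direction gap between what one side will send next and what the other side expects (zero when synchronized), and counts empty ACKs per data packet against a baseline to spot an ACK storm. The traces and sequence numbers are constructed.

```python
"""Two checks from the slide, as an added example (not course code).

1. Desynchronization: compare, per direction, the next sequence number one
   side will send with the acknowledgement number the other side last
   advertised. On a healthy connection both gaps are zero.
2. Packet percentage counting: count empty ACKs per data-carrying packet and
   compare with a baseline measured on normal traffic; an ACK storm drives
   the ratio far above it.

Packet records are constructed tuples (sender, seq, ack, payload_len, flags)
as a sniffer on the segment would record them from both ends.
"""
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def desync_gaps(trace):
    """Gap between what each side sends next and what its peer expects.

    Only records labelled "client" and "server" describe the real endpoints;
    any other sender (an injecting third party) is ignored here.
    """
    next_seq, expects = {}, {}
    for sender, seq, ack, plen, flags in trace:
        # SYN and FIN each consume one sequence number in addition to data.
        next_seq[sender] = seq + plen + (1 if flags & (SYN | FIN) else 0)
        expects[sender] = ack
    return {"client->server": next_seq["client"] - expects["server"],
            "server->client": next_seq["server"] - expects["client"]}


def is_desynchronized(trace):
    return any(gap != 0 for gap in desync_gaps(trace).values())


def acks_per_data_packet(packets):
    """Empty ACKs (no payload, no SYN/FIN/RST) divided by data packets."""
    data = sum(1 for _s, _q, _a, plen, _f in packets if plen > 0)
    empty = sum(1 for _s, _q, _a, plen, flags in packets
                if plen == 0 and flags & ACK and not flags & (SYN | FIN | RST))
    return empty / data if data else float("inf")


def ack_storm_suspected(packets, baseline, factor=5.0):
    """True when the ACK ratio exceeds `factor` times the normal baseline."""
    return acks_per_data_packet(packets) > factor * baseline


# Constructed established connection: client ISN 1000, server ISN 5000.
NORMAL_TRACE = [
    ("client", 1001, 5001, 100, PSH | ACK),   # client sends 100 bytes
    ("server", 5001, 1101, 0, ACK),           # server acknowledges them
    ("server", 5001, 1101, 200, PSH | ACK),   # server sends 200 bytes
    ("client", 1101, 5201, 0, ACK),           # client acknowledges them
]

# A third host injects 200 bytes in the client's name; the server accepts
# them, the real client does not know, and the two endpoints trade empty
# ACKs (the storm) because each finds the other's numbers unacceptable.
ATTACK_TRACE = NORMAL_TRACE + [
    ("third-party", 1101, 5201, 200, PSH | ACK),  # injected, spoofed as client
    ("server", 5201, 1301, 0, ACK),               # server now expects 1301
    ("client", 1101, 5201, 50, PSH | ACK),        # real client, still at 1101
] + [("server", 5201, 1301, 0, ACK), ("client", 1151, 5201, 0, ACK)] * 12

if __name__ == "__main__":
    base = acks_per_data_packet(NORMAL_TRACE)
    print("gaps:", desync_gaps(ATTACK_TRACE),
          "storm:", ack_storm_suspected(ATTACK_TRACE, base))
```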
Spoofing
“You can fool all of the people some
of the time. You can fool some of the
people all of the time. But you can’t
fool all of the people all of the time.”
Abraham Lincoln
Fooling most of the people most of the time
is usually good enough!
IP Spoofing-1
• Hacker changes masquerade host IP address
to the trusted client’s address
• Hacker builds source route to server with
direct path packets should take to/from
server and back to hacker’s host, with
trusted client as last hop in route to server
• Hacker uses source route to send client
request to server
• What’s wrong with this picture?
IP Spoofing -2
• Simpler approach: wait until client system
shuts down and impersonate the system
– Example: Unix NFS uses IP only addresses to
authenticate clients
– Hacker sets up PC with name and IP address of
legitimate client, then initiates connection to
Unix host
– Typical “insider” attack, as needs knowledge of
which computers are not active
Spoofing E-mail
• Open your email client
• Change the “Name” field to something else
• Change the “Email address” to something else
• Delete the Incoming Mail Server address
• Delete the value of Mail Server User Name
• If you were really bad, you would find an
outgoing mail server that allowed anonymous
login for outgoing mail, and put its name here
• The approach above is good enough to fool most
people most of the time
Automated Spoofing
• C2MYAZZ
– Who knows to what this filename refers?
– Hijacks session without disrupting connectivity
– This clever utility exploits what was intended
as a feature for convenience and backwards
compatibility
– So, since this is well-known, the tool must be
hard to get or overtaken by events, yes?
Preventing Spoofing
• Firewall packet filtering
– Audit incoming traffic. You should never find
packets with source and destination addresses
in the local domain coming in from outside.
BUT…this takes lots of effort
– Don’t allow packets that appear to have
originated locally to come in from outside
• Hard, especially when hacker is inside
Buffer Overflow Examples
• Sending oversize ICMP packets
• Sending IIS 3.0 a 4048 byte URL request
• Sending email with 256-character file name
attachments to Netscape/MS email clients
• SMB logon to NT with incorrect data size
• Sending Pine user an email with “from”
address > 256 characters
What Do You Intend?
• Take over a session
– Why?
– What information do you want to get/put?
• Associate with a network more or less
permanently
• Deny service to selected servers / networks
/ clients?
• Anything else?
The Dreaded Cookie
# Netscape HTTP Cookie File
# http://www.netscape.com/newsref/std/cookie_spec.html
# This is a generated file! Do not edit.
home.netscape.com FALSE / FALSE 942189161 NGUserID cc98a714-14298-900987956-4
.doubleclick.net TRUE / FALSE 1920499140 id3aa44cd0
.netscape.com TRUE / FALSE 1293840000 UIDC 24.128.181.249:0921530518:183152
www.netscape.com FALSE / FALSE 942189161 NGUserID cfc84b26-10757-921530518-1
.imgis.com TRUE / FALSE 1078108157 JEB2 A80C29F3DBB5C25F1880B5F93004CF94
If You Don’t Like Cookies?
• Use a utility or your browser tools to
remove them (IE and Netscape 6 and later)
– Find them using the FIND function; they’re all
over the place (especially in Windows)
– But they keep coming back!
• In Windows, accept those you want, set the
C:/Windows/Cookies folder as Read Only
• In Unix, make cookies.txt zero-length R/O
How to Keep Up?
• Common Vulnerabilities and Exposures
– http://www.cve.mitre.org/
• CVE is
– A dictionary, NOT a database
– A community effort
– Freely available
• In short, this is not a “how to hack” list
What About Hacker Sites?
• Can provide an idea of the current state of
affairs, and also toolkits
• BE CAREFUL!
– What you download may come with little
“surprises”
• If you download, quarantine and test
– These sites don’t just exist to serve hackers;
some also exist to hack
Firewalls
• Effective means of protecting a local system
or network of systems from network-based
security threats while affording access to the
outside world via WANs or the Internet
• Despite common opinion, not a panacea or
an “out-of-the-box” security solution
Firewall is to Network
as
User privilege is to Operating system
What Is a Firewall?
• A router with attitude?
• A device to implement an access control
policy?
• A physical device?
• A logical device?
• The preferred solution for network
protection?
Where Does This Term Come From?
Firewall means a fire separation of noncombustible
construction that subdivides a building or separates adjoining
buildings to resist the spread of fire that has a fire-resistance
rating as prescribed in the Building Code and that has
structural stability to remain intact under fire conditions for the
required fire-rated time. (Italics added)
Source: The Ontario Fire Code, § 1.2.1.2
Firewall Design Principles
• Information systems undergo a steady
evolution (from small LANs to Internet
connectivity)
• Strong security features for all workstations
and servers not established
• Segregating “inside” from “outside” can
offer security advantages
Firewall Design Principles
• The firewall is inserted between the
premises network and the Internet or
another external network
• Aims:
– Establish a controlled link
– Protect the premises network from Internet-based or “outside” attacks
– Provide a single choke point (good or bad?)
Firewall Characteristics
• Design goals:
– All traffic from inside to outside must pass
through the firewall (physically blocking all
access to the local network except via the
firewall)
– Only authorized traffic (defined by the local
security policy) will be allowed to pass
Firewall Characteristics
• Design principles:
– The firewall itself is immune to penetration
(use of trusted system with a secure operating
system)
– Although this is a noble goal, it is virtually
impossible to achieve!
Firewall Characteristics - 1
• Service control
– Determines the types of external services that
can be accessed, inbound or outbound
• Direction control
– Determines the direction in which particular
service requests are allowed to flow
Firewall Characteristics - 2
• User control
– Controls access to a service according to which
user is attempting to access it
• Behavior control
– Controls how particular services can be used
(e.g. filter e-mail)
Types of Firewalls
• Three common types of Firewalls:
– Packet-filtering routers
– Application-level gateways
– Circuit-level gateways
Packet-filtering Firewall
[diagram not included in transcript]
Packet-Filtering Firewall
• Applies a set of rules to each incoming IP
packet and then forwards or discards the
packet based on conformance to the rules
• Filters packets going in both directions
• The packet filter is typically set up as a list
of rules based on matches to fields in the IP
and/or TCP header
• Two default policies (discard or forward)
Packet Filtering Firewall
• Advantages:
– Simple
– Transparent to users
– High speed
• Disadvantages:
– Difficult to set up packet filter rules
– Lack of authentication
Packet Filtering Firewall
• Possible attacks and appropriate
countermeasures
– IP address spoofing
– Source routing attacks
– Tiny fragment attacks
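The three attacks on this slide each have a standard packet-filter countermeasure, and the earlier “Preventing Spoofing” slide describes the first of them. The following is an added example, not course code: a small ordered-rule packet filter with a default policy, whose first three rules drop inbound packets claiming a local source, packets carrying a source-route option, and tiny or overlapping TCP fragments in the manner of RFC 1858. The local prefix, addresses and packet fields are constructed.

```python
"""Packet-filtering firewall model, added to illustrate the slides.

Not course code. Rules are matched in order against each packet; the first
match decides, and a default policy applies when nothing matches. The first
three rules implement the slide's countermeasures: drop inbound packets
claiming a local source (IP spoofing), drop packets with a source-route
option, and drop tiny or overlapping TCP fragments (RFC 1858 style).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("192.0.2.0/24")   # constructed "inside" prefix


@dataclass
class Packet:
    src: str
    dst: str
    proto: str             # "tcp", "udp" or "icmp"
    dport: int = 0
    direction: str = "in"  # "in" = arriving on the external interface
    ip_options: tuple = () # e.g. ("lsrr",) for loose source routing
    frag_offset: int = 0   # in 8-byte units; 0 = first or unfragmented
    frag_len: int = 0      # bytes in this fragment; 0 = not fragmented


def spoofed_local_source(p):
    """Inbound packet whose source address belongs to the inside network."""
    return p.direction == "in" and ip_address(p.src) in LOCAL_NET


def source_routed(p):
    """Loose or strict source-route option present."""
    return "lsrr" in p.ip_options or "ssrr" in p.ip_options


def tiny_fragment(p):
    """RFC 1858: drop a TCP first fragment too short to carry the whole
    port/flags region (16 bytes), and any fragment at offset 1, which
    could overwrite that region in a reassembled packet."""
    if p.proto != "tcp" or p.frag_len == 0:
        return False
    return (p.frag_offset == 0 and p.frag_len < 16) or p.frag_offset == 1


def public_service(p):
    """Inbound TCP to the services the constructed policy exposes."""
    return (p.direction == "in" and p.proto == "tcp"
            and p.frag_offset == 0 and p.dport in (25, 80))


RULES = [
    ("drop", spoofed_local_source, "anti-spoofing"),
    ("drop", source_routed, "no source routing"),
    ("drop", tiny_fragment, "tiny fragment"),
    ("forward", public_service, "public services"),
    ("forward", lambda p: p.direction == "out", "outbound allowed"),
]
DEFAULT_POLICY = "drop"   # the slide's two choices: discard or forward


def filter_packet(p, rules=RULES, default=DEFAULT_POLICY):
    """Return (action, rule_name) for the first matching rule or the default."""
    for action, match, name in rules:
        if match(p):
            return action, name
    return default, "default"


if __name__ == "__main__":
    for pkt in (Packet("192.0.2.7", "192.0.2.10", "tcp", 80),
                Packet("198.51.100.5", "192.0.2.10", "tcp", 80),
                Packet("198.51.100.5", "192.0.2.10", "tcp", 23)):
        print(pkt.src, "->", pkt.dport, filter_packet(pkt))
```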
Application-level Gateway
[diagram not included in transcript]
Application-level Gateway
• Also called proxy server
• Acts as a relay of application-level traffic
Application-level Gateway
• Advantages:
– Higher security than packet filters
– Only need to scrutinize a few allowable
applications
– Easy to log and audit all incoming traffic
• Disadvantages:
– Additional processing overhead on each
connection (gateway as splice point)
– Speed
Circuit-level Gateway
[diagram not included in transcript]
Circuit-level Gateway
• Stand-alone system, or
• Specialized function performed by an
application-level gateway
• Sets up two TCP connections
• The gateway typically relays TCP segments
from one connection to the other without
examining the contents
Circuit-level Gateway
• Security function consists of determining
which connections will be allowed
• Typically used where the system
administrator trusts the internal users
• An example is the SOCKS package
Bastion Host
• Sometimes called a DMZ
• A system identified by the firewall
administrator as a critical strong point in the
network's security
• The bastion host serves as a platform for an
application-level or circuit-level gateway
Firewall Configurations
• In addition to using simple configuration of
a single system (single packet filtering
router or single gateway), more complex
configurations are possible
• Three common configurations
Firewall Configurations
• Screened host firewall system (single-homed bastion host)
Screened Host Firewall
• Firewall consists of two systems:
– A packet-filtering router
– A bastion host
• Configuration for the packet-filtering router:
– Only packets from and to the bastion host are
allowed to pass through the router
• The bastion host performs authentication
and proxy functions
Screened Host Firewall
• Greater security than single configurations:
– Implements both packet-level and application-level filtering (allowing for flexibility in
defining security policy)
– An intruder must generally penetrate two
separate systems (but if outside router
compromised, what then?)
• Affords flexibility in providing direct
Internet access (public information server,
e.g. Web server)
Firewall Configurations
• Screened host firewall system (dual-homed
bastion host)
Dual-homed Bastion Host
• Even if the packet-filtering router is
completely compromised
– Traffic between the Internet and other hosts on
the private network has to flow through the
bastion host
– Provides two layers of security
Firewall Configurations
• Screened-subnet firewall system
Screened-Subnet Firewall
• Most secure configuration of the three
• Two packet-filtering routers are used
– One between bastion host and external network
– One between bastion host and internal network
• Creates an isolated sub-network
Screened-Subnet Firewall
• Advantages:
– Three levels of defense to thwart intruders
– Outside router advertises only the existence of
the screened subnet to the Internet (internal
network is invisible to the Internet)
– Inside router advertises only the existence of
the screened subnet to the internal network
(systems on the inside network cannot construct
direct routes to the Internet)
Summary - 1
• Attacking a network is no different from robbing a
bank; you have to plan if you expect to be
successful
• There are three basic steps to planning, which is
called vulnerability assessment:
– Acquire the target (case the joint)
– Scan for vulnerabilities (find the entry points)
– Identify poorly protected data (enumeration)
• This applies if you are inside or outside the
protected perimeter!
Summary - 2
• TCP/IP was not intended as a secure
protocol; as a result, it has vulnerabilities
that can be exploited
• There are many ways to get access to info
• There are many types of attacks that can be
mounted over network connections in order
to gain unauthorized access to resources
• Never forget, the best access is hands-on
Summary - 3
• Useful to enforce security policy at the network
edges
– Don’t help against inside threats
• Popularly believed to provide “hardened” security
as they come out of the box
• If not properly configured, can introduce more
problems than they solve
• Come in both hardware and software flavors, but
all have software inside
Homework - 1
1. Research attack scenarios and tools that
you find in literature or on the Internet.
Describe two attack scenarios and the tools
required (if any) that would enable you to
break into the WPI network from outside.
Don’t actually break in, or try to!!
Homework - 2
2. Describe how a SMURF attack works
(don’t just parrot the description you find).
Describe how to stop it.
3. You are the network administrator. How
would you defend against the threats of
target acquisition and vulnerability
scanning?