csce 815 network security lecture 22 intrusions april 10, 2003
TRANSCRIPT
CSCE 815 Network Security CSCE 815 Network Security Lecture 22 Lecture 22CSCE 815 Network Security CSCE 815 Network Security Lecture 22 Lecture 22
IntrusionsIntrusions
April 10, 2003
– 2 – CSCE 815 Sp 03
Protocol ReviewProtocol Review
IP internet protocol – routing packets through networkIP internet protocol – routing packets through network
TCP – connection oriented transportTCP – connection oriented transport
UDP – UDP –
ARP – address resolution protocol ***ARP – address resolution protocol ***
ICMP – internet control message protocol ***over IPICMP – internet control message protocol ***over IP
DHCP - DHCP -
Application layer – FTP, HTTP, SMTP, SNMP, SSHApplication layer – FTP, HTTP, SMTP, SNMP, SSH
– 3 – CSCE 815 Sp 03
Buffer Overflow commentsBuffer Overflow comments
GDBGDB
gcc –g gcc –g
breakpointsbreakpoints
single stepsingle step
info [frame, regs, …]info [frame, regs, …]
print [format] variableprint [format] variable
Linux vs CYGWINLinux vs CYGWIN
– 4 – CSCE 815 Sp 03
IP Spoofing AttacksIP Spoofing Attacks
Spoofing means fraudulently authenticating one Spoofing means fraudulently authenticating one machine as anothermachine as another
Fraudulent send IP packet to A with Fraudulent send IP packet to A with
source IP address field=“IP address of B”source IP address field=“IP address of B”
Raw sockets - Raw sockets -
Blind Spoofing: TCP handshake guessing sequence Blind Spoofing: TCP handshake guessing sequence numbersnumbers
““Exploit code for IP Smart Spoofing ”Exploit code for IP Smart Spoofing ”
http://www.mail-archive.com/bugtraq@securityfocushttp://www.mail-archive.com/bugtraq@securityfocus. . com/msg09855.htmlcom/msg09855.html
– 5 – CSCE 815 Sp 03
Raw Socket CreationRaw Socket Creation
Reference Stevens “Unix Network Programming” Ch 25Reference Stevens “Unix Network Programming” Ch 25#include <socket.h>
int sockfd;
1.1. Create the raw socketCreate the raw socketsockfd = socket(AF_INET, SOCK_RAW, protocol)
2.2. The IP_HDRINCL socket option can be setThe IP_HDRINCL socket option can be setint on = 1;
setsocketopt(sockfd, IPPRTO_IP, IP_HDRINCL, &on sizeof(on))
3.3. Bind(sockfd, &addr, sizeof(addr))Bind(sockfd, &addr, sizeof(addr))
4.4. Sendto(sockfd, sendbuf, len,0, dstAddr, dstAddrLen)Sendto(sockfd, sendbuf, len,0, dstAddr, dstAddrLen)
– 6 – CSCE 815 Sp 03
Preventing IP Spoofing AttacksPreventing IP Spoofing Attacks
Preventing IP spoofingPreventing IP spoofing
have your routers reject packets with local have your routers reject packets with local addresses from the outsideaddresses from the outside
also have them reject internal packets claiming to also have them reject internal packets claiming to originate from the outsideoriginate from the outside
authenticate packets from insideauthenticate packets from inside
– 7 – CSCE 815 Sp 03
ARP SpoofingARP Spoofing
Address resolution Protocol (ARP)Address resolution Protocol (ARP)
IP address IP address hardware(ethernet) address mapping hardware(ethernet) address mapping
send ARP packet “who has IP address and what is send ARP packet “who has IP address and what is your hardware address?”your hardware address?”
ARP cache – table of recent responsesARP cache – table of recent responses
ARP SpoofingARP Spoofing
1.1. Assume IP address “a” of trusted hostAssume IP address “a” of trusted host
2.2. Respond to ARP packets for address “a”Respond to ARP packets for address “a”
3.3. Sending false hardware address (I.e. the fraud’s Sending false hardware address (I.e. the fraud’s address)address)
Solution: make ARP cache static (manual updates!?!)Solution: make ARP cache static (manual updates!?!)
– 8 – CSCE 815 Sp 03
ARP SpoofingARP Spoofing
Address resolution Protocol (ARP)Address resolution Protocol (ARP)
IP address IP address hardware(ethernet) address mapping hardware(ethernet) address mapping
send ARP packet “who has IP address and what is send ARP packet “who has IP address and what is your hardware address?”your hardware address?”
ARP cache – table of recent responsesARP cache – table of recent responses
ARP SpoofingARP Spoofing
1.1. Assume IP address “a” of trusted hostAssume IP address “a” of trusted host
2.2. Respond to ARP packets for address “a”Respond to ARP packets for address “a”
3.3. Sending false hardware address (I.e. the fraud’s Sending false hardware address (I.e. the fraud’s address)address)
Solution: make ARP cache static (manual updates!?!)Solution: make ARP cache static (manual updates!?!)
– 9 – CSCE 815 Sp 03
DNS SpoofingDNS Spoofing
Domain Name System (DNS)Domain Name System (DNS) hierarchical name servers map FQDN IP address UDP packet sent with name to name server
Chinese dissidents SpoofingChinese dissidents Spoofing
http://www.dit-inc.us/hj-09-02.htmlhttp://www.dit-inc.us/hj-09-02.html
– 10 – CSCE 815 Sp 03
Web SpoofingWeb Spoofing
– 11 – CSCE 815 Sp 03
Email SpoofingEmail Spoofing
– 12 – CSCE 815 Sp 03
Security MythSecurity Myth
““The only secure computer is the one that is turned off The only secure computer is the one that is turned off and unplugged”and unplugged”
Once connected to internet it becomes a targetOnce connected to internet it becomes a target
So shutdown all unnecessary services.So shutdown all unnecessary services.
Myth 2 “My firewall will stop the pesky crackers!”Myth 2 “My firewall will stop the pesky crackers!”
– 13 – CSCE 815 Sp 03
The Players, Platforms and AttacksThe Players, Platforms and Attacks
The Players:The Players: The Black Hats Script kiddies The White Hats
Platforms of attackersPlatforms of attackers1. Windows2. Linux/NetBSD/FreeBSD3. OpenBSD billed as “the most secure OS freely available”
AttacksAttacks Denial of Service Viruses, Trojans, malicious scripts Web defacement
– 14 – CSCE 815 Sp 03
Network Administrator ToolsNetwork Administrator Tools
Network Administration toolsNetwork Administration tools (MSDOS/Windows) ipconfig ifconfig netstat /etc/… not really tools as much as files /sbin/…
Find ethernet/IP addressesFind ethernet/IP addresses
More toolsMore tools http://newsforge.com/newsforge/02/12/12/0232235.shtml?tid
=23
– 15 – CSCE 815 Sp 03
ARP Spoofing RevisitedARP Spoofing Revisited
Linux WorldLinux World
/sbin/sbin arp Iptables, ipchains, ipfwadm
Arp comand –print the tableArp comand –print the table
Ping somewhere then use arp to look at the table againPing somewhere then use arp to look at the table again
– 16 – CSCE 815 Sp 03
What is a Firewall?What is a Firewall?
a a choke pointchoke point of control and monitoring of control and monitoring
interconnects networks with differing trustinterconnects networks with differing trust
imposes restrictions on network servicesimposes restrictions on network services only authorized traffic is allowed
auditing and controlling accessauditing and controlling access can implement alarms for abnormal behavior
is itself immune to penetrationis itself immune to penetration
provides provides perimeter defenceperimeter defence
– 17 – CSCE 815 Sp 03
Firewall LimitationsFirewall Limitations
cannot protect from attacks bypassing itcannot protect from attacks bypassing it eg sneaker net, utility modems, trusted organisations,
trusted services (eg SSL/SSH)
cannot protect against internal threatscannot protect against internal threats eg disgruntled employee
cannot protect against transfer of all virus infected cannot protect against transfer of all virus infected programs or filesprograms or files because of huge range of O/S & file types
– 18 – CSCE 815 Sp 03
Firewalls – Packet FiltersFirewalls – Packet Filters
– 19 – CSCE 815 Sp 03
Firewalls – Packet FiltersFirewalls – Packet Filters
simplest of components simplest of components
foundation of any firewall system foundation of any firewall system
examine each IP packet (no context) and permit or deny examine each IP packet (no context) and permit or deny according to rules according to rules
hence restrict access to services (ports)hence restrict access to services (ports)
possible default policiespossible default policies that not expressly permitted is prohibited that not expressly prohibited is permitted
– 20 – CSCE 815 Sp 03
Firewalls – Packet FiltersFirewalls – Packet Filters
– 21 – CSCE 815 Sp 03
Attacks on Packet FiltersAttacks on Packet Filters
IP address spoofingIP address spoofing fake source address to be trusted add filters on router to block
source routing attackssource routing attacks attacker sets a route other than default block source routed packets
tiny fragment attackstiny fragment attacks split header info over several tiny packets either discard or reassemble before check
– 22 – CSCE 815 Sp 03
Firewalls with IPtables (Linux)Firewalls with IPtables (Linux)
IPtablesIPtables
IPchainsIPchains
NetfilterNetfilter
““10 minutes to an iptables-based Linux firewall”10 minutes to an iptables-based Linux firewall”by by Joshua DrakeJoshua Drake http://www.linuxworld.com/site-stories/2001/0920.ipchains.html
““Taming the Wild Netfilter”Taming the Wild Netfilter”September 01, 2001 by September 01, 2001 by David A. David A. BandelBandel http://www.linuxjournal.com/article.php?sid=4815
– 23 – CSCE 815 Sp 03
Firewalls with IPtables (Linux)Firewalls with IPtables (Linux)
[root@jd root]# /sbin/iptables -h[root@jd root]# /sbin/iptables -hiptables v1.2.1iptables v1.2.1Usage: iptables -[ADC] chain rule-specification [options]Usage: iptables -[ADC] chain rule-specification [options] iptables -[RI] chain rulenum rule-specification [options] iptables -[RI] chain rulenum rule-specification [options] iptables -D chain rulenum [options] iptables -D chain rulenum [options] iptables -[LFZ] [chain] [options] iptables -[LFZ] [chain] [options] iptables -[NX] chain iptables -[NX] chain iptables -E old-chain-name new-chain-name iptables -E old-chain-name new-chain-name iptables -P chain target [options] iptables -P chain target [options] iptables -h (print this help information) iptables -h (print this help information)
Commands:Commands:Either long or short options are allowed.Either long or short options are allowed. --append -A chain Append to chain --append -A chain Append to chain --delete -D chain Delete matching rule from chain --delete -D chain Delete matching rule from chain --delete -D chain rulenum --delete -D chain rulenum [...] [...]
– 24 – CSCE 815 Sp 03
Firewalls with IPtables (Linux)Firewalls with IPtables (Linux)
No incoming traffic (tcp connections)No incoming traffic (tcp connections) /sbin/iptables -A INPUT -p tcp --syn -j DROP
Accept incoming SSH (port 22) why?Accept incoming SSH (port 22) why? /sbin/iptables -A INPUT -p tcp --syn -s 192.168.1.110/32 --
destination-port 22 -j ACCEPT /sbin/iptables -A INPUT -p tcp --syn -j DROP
Add rule to allow a web server to the chainAdd rule to allow a web server to the chain /sbin/iptables -A INPUT -p tcp --syn -s 192.168.1.110/32 --
destination-port 22 -j ACCEPT /sbin/iptables -A INPUT -p tcp --syn --destination-port 80 -j
ACCEPT /sbin/iptables -A INPUT -p tcp --syn -j DROP
– 25 – CSCE 815 Sp 03
Chroot JailsChroot Jails
References:References: http://librenix.com/ general purpose security/Linux site http://www.gsyc.inf.uc3m.es/~assman/jail/index.html
chroot environment: chroot environment:
– 26 – CSCE 815 Sp 03
Chroot ImplementationChroot Implementation
– 27 – CSCE 815 Sp 03
User-mode Linux User-mode Linux
UML (binding problem)UML (binding problem) http://user-mode-linux.sourceforge.net/
creates a virtual Machine creates a virtual Machine
allows you to run multiple instances of Linux on the allows you to run multiple instances of Linux on the same system at the same time same system at the same time
designed for a variety of purposes, such as kernel designed for a variety of purposes, such as kernel debugging, testing applications debugging, testing applications
– 28 – CSCE 815 Sp 03
Firewalls – Stateful Packet FiltersFirewalls – Stateful Packet Filters
examine each IP packet in contextexamine each IP packet in context keeps tracks of client-server sessions checks each packet validly belongs to one
better able to detect bogus packets out of context better able to detect bogus packets out of context
– 29 – CSCE 815 Sp 03
Firewalls - Application Level Gateway (or Proxy)Firewalls - Application Level Gateway (or Proxy)
– 30 – CSCE 815 Sp 03
Firewalls - Application Level Gateway (or Proxy)Firewalls - Application Level Gateway (or Proxy)use an application specific gateway / proxy use an application specific gateway / proxy
has full access to protocol has full access to protocol user requests service from proxy proxy validates request as legal then actions request and returns result to user
need separate proxies for each service need separate proxies for each service some services naturally support proxying others are more problematic custom services generally not supported
– 31 – CSCE 815 Sp 03
Firewalls - Circuit Level GatewayFirewalls - Circuit Level Gateway
– 32 – CSCE 815 Sp 03
Firewalls - Circuit Level GatewayFirewalls - Circuit Level Gateway
relays two TCP connectionsrelays two TCP connections
imposes security by limiting which such connections imposes security by limiting which such connections are allowedare allowed
once created usually relays traffic without examining once created usually relays traffic without examining contentscontents
typically used when trust internal users by allowing typically used when trust internal users by allowing general outbound connectionsgeneral outbound connections
SOCKS commonly used for thisSOCKS commonly used for this
– 33 – CSCE 815 Sp 03
Bastion HostBastion Host
highly secure host system highly secure host system
potentially exposed to "hostile" elements potentially exposed to "hostile" elements
hence is secured to withstand this hence is secured to withstand this
may support 2 or more net connectionsmay support 2 or more net connections
may be trusted to enforce trusted separation between may be trusted to enforce trusted separation between network connectionsnetwork connections
runs circuit / application level gateways runs circuit / application level gateways
or provides externally accessible services or provides externally accessible services
– 34 – CSCE 815 Sp 03
Firewall ConfigurationsFirewall Configurations
– 35 – CSCE 815 Sp 03
Firewall ConfigurationsFirewall Configurations
– 36 – CSCE 815 Sp 03
Firewall ConfigurationsFirewall Configurations
– 37 – CSCE 815 Sp 03
Access ControlAccess Control
given system has identified a user given system has identified a user
determine what resources they can accessdetermine what resources they can access
general model is that of access matrix withgeneral model is that of access matrix with subject - active entity (user, process) object - passive entity (file or resource) access right – way object can be accessed
can decompose bycan decompose by columns as access control lists rows as capability tickets
– 38 – CSCE 815 Sp 03
Access Control MatrixAccess Control Matrix
– 39 – CSCE 815 Sp 03
Trusted Computer SystemsTrusted Computer Systems
information security is increasingly important information security is increasingly important
have varying degrees of sensitivity of informationhave varying degrees of sensitivity of information cf military info classifications: confidential, secret etc
subjects (people or programs) have varying rights of access to subjects (people or programs) have varying rights of access to objects (information)objects (information)
want to consider ways of increasing confidence in systems to want to consider ways of increasing confidence in systems to enforce these rightsenforce these rights
known as multilevel securityknown as multilevel security subjects have maximum & current security level objects have a fixed security level classification
– 40 – CSCE 815 Sp 03
Bell LaPadula (BLP) ModelBell LaPadula (BLP) Model
one of the most famous security modelsone of the most famous security models
implemented as mandatory policies on system implemented as mandatory policies on system
has two key policies: has two key policies:
no read upno read up (simple security property) (simple security property) a subject can only read/write an object if the current security level
of the subject dominates (>=) the classification of the object
no write downno write down (*-property) (*-property) a subject can only append/write to an object if the current security
level of the subject is dominated by (<=) the classification of the object
– 41 – CSCE 815 Sp 03
Reference MonitorReference Monitor
– 42 – CSCE 815 Sp 03
Evaluated Computer SystemsEvaluated Computer Systems
governments can evaluate IT systemsgovernments can evaluate IT systems
against a range of standards:against a range of standards: TCSEC, IPSEC and now Common Criteria
define a number of “levels” of evaluation with define a number of “levels” of evaluation with increasingly stringent checkingincreasingly stringent checking
have published lists of evaluated productshave published lists of evaluated products though aimed at government/defense use can be useful in industry also
– 43 – CSCE 815 Sp 03
SummarySummary
have considered:have considered: firewalls types of firewalls configurations access control trusted systems