Internet Security
ECT 582
Robin Burke
Outline
• Homework #5
• Host security
• Firewalls
• IPsec / VPN
Homework #5
solution
Host security
• Every Internet host is vulnerable to attack
  • the network port is a front door to the whole world
• How to make hosts more secure?
  • attacks
  • defenses
Attacks on Hosts
• DoS: flood host with requests to tie up resources
• Authentication breach: attack authentication system to gain access
• Application vulnerability: attack application program to inject foreign code
• Virus/Trojan Horse: attack OS with a malicious program (malware)
• Social Engineering: attack organization to obtain authentication or other information
Denial of Service
• Attacks take different forms
  • bogus requests
  • abuse of Internet protocols
• Characteristics
  • sudden change in system load
  • services unavailable or very slow
  • may cause system crash
  • particular hosts targeted
Defenses
• Turn off unused services
  • if bogus packets are never received, fewer resources are used
• Request throttling
  • only accept requests at a certain rate
  • prevents server overload, but may hamper legitimate users
• Request filtering
  • only allow requests from certain hosts
  • allow a fixed number of requests from a given host in a certain period
  • doesn't work against a distributed attack
• Most other approaches are applied elsewhere in the network
Authentication breach
• Characteristics
  • attacker tries to get access by masquerading as a legitimate user
  • needs user id and password
• brute-force attack
• sniffing attack
• cracking attack
Authentication: brute force
• Execution
  • user ids are typically easy to find (email address, user directory on web)
  • attempt all passwords
• Defense
  • request throttling
  • lock-out
    • stop allowing authentication after n failed trials
    • can create denial of service
Authentication: sniffing
• Execution
  • copy all network traffic
  • look for packets with authentication information
• Defense
  • use protocols in which authentication information is encrypted
    • FTPS instead of FTP
    • SSH instead of telnet
    • HTTPS instead of HTTP
Authentication: cracking
• Execution
  • steal a copy of the encrypted password file
  • attempt to decrypt passwords
• Defense
  • access control measures to prevent access to password files
    • vary by system
  • good passwords
    • more than 8 characters
    • combinations of numeric and non-alphanumeric, upper- and lower-case
Application attack
• Characteristics
  • application bug is exploited
    • often buffer overflow
  • inject attacker's code into system
    • code executes with application privileges
  • can be used to launch additional attacks
    • classic "worm" behavior
• Needs
  • knowledge of application
  • needs to know OS
• Often downloadable tools can be used
Application attack cont'd
• Defenses
  • attention to software security patches
  • subscribe to CERT mailing list
  • investigate vendor's coding practices
  • incorporate security into development methodology
  • examine application logs for unexpected activities
Malware
• Characteristics
  • user deceived into executing malicious code
    • many avenues: ActiveX controls, binary email attachments, web scripts
  • many tools exist to create it
  • worm behavior possible
    • email replication
Malware, cont'd
• Defenses
  • anti-virus software
    • signatures must be updated regularly
  • email scanning
    • server-based is best
  • application settings
    • IE scripting
    • MS Office macros
    • very problematic
  • user education
• Better solution
  • less vulnerable applications / OSes
  • finer-grained control
Social Engineering
• Scenario
  • Call up an individual in the company (typically a secretary or switchboard person), Alice
  • Ask for the name of a tech support person (Bob)
  • Call a 2nd secretary, Eve, claiming to work for Bob
  • Tell Eve to reset her account password to the one he will give her
  • Eve complies and now the hacker has account access
• Result: 2 phone calls = security hole
Social Engineering, cont'd
• Characteristics
  • very easy to do
    • Kevin Mitnick's favorite method
  • many kinds of information are sensitive
    • names, job descriptions, hardware/software configuration
• Defense
  • need to know
    • don't give information to everyone
    • what they don't know, they can't reveal
  • security policies
    • "Let me call you back."
  • user education
Problematic fact
• Many avenues for host security to be compromised
• simple user error is enough
• a large organization will have many hosts
Sun Tzu on firewalls
"If [the enemy] sends reinforcements everywhere, he will everywhere be weak"
-- The Art of War
• Translation
  • enforcing perfect host security everywhere is impossible
• Solution
  • force the confrontation to take place at a single known location
  • concentrate defense at that point
Firewall
A dedicated gateway machine with special security precautions on it, used to service outside network, especially Internet connections and dial-in lines. The idea is to protect a cluster of more loosely administered machines hidden behind it...
--- FOLDOC
Firewalls
• Idea
  • Build security measures into a single host
  • Force all inbound and outbound Internet traffic to pass through it
• Enables
  • establishing a single security policy that all machines share
  • machines behind the firewall have some protection
  • firewall machine can be specially configured
Firewall policies
• Both in-bound and out-bound
  • what the outside world can do
  • what local users can do
• Applications
  • which applications are accessible
    • boils down to port numbers
• Hosts
  • which hosts are accessible
• Users
  • which users have access
Firewall features
• Minimal
  • port blocking
  • host blocking
• Better
  • configurable logging
  • user authentication / blocking
• Best
  • stateful inspection
    • track the progress of individual sessions
    • allow only legal actions
Other features
• Often implemented at the firewall
• NAT: network address translation
  • internal machines can use "illegal" IP addresses
    • can't be reached by routing
  • firewall pretends to originate requests
• VPN: virtual private network
  • encrypted traffic between firewall and external host
  • host authenticates and then is "inside" the firewall
Limitations
• Firewall only defends the connection it is on
  • dial-in not protected
  • wireless LAN not protected
  • walking out with a CD-ROM, etc.
• Firewall can't protect against malware
• Firewalls can't protect against malicious insiders
• Firewalls must be carefully configured and closely monitored
• Firewalls can lead to a false sense of security
Firewall types
• Packet-filtering
• Application-level gateway
• Circuit-level gateway
Packet-filtering
• Firewall inspects packets and filters according to a policy
  • usually host- and port-based
Circuit-level gateway
• Firewall decides whether to allow the connection
• Then just passes packets along
Application-level gateway
• Firewall is a proxy for all interactions
TCP/IP Packet
• Internet communication is done through packets
• A packet is a fixed-size set of bytes with a specific format
• A typical TCP/IP packet contains:
  • Source IP, Source Port, Destination IP, Destination Port
  • Payload
    • message part
Packet routing
(diagram) My Computer (IP address 140.192.32.123) runs an Email client, a Browser and a File client, each on its own port; across the Internet, Remote Computer (IP address 207.46.249.27) runs a Web Server, an FTP Server and an Email Server, each on its own port. Packets are routed by destination IP address and then delivered to the right application by port number.
Packet-Filtering Router
• A router applies a set of rules to each IP packet and forwards or discards the packet
• The filter is typically set up as a list of rules based on matches to fields in the IP or TCP header
  • The fields are source/destination IP address, port number, etc.
• If there is a match to one of the rules, that rule is invoked to determine whether to forward or discard the packet
• If there is no match, a default action is taken
  • Default discard policy
  • Default forward policy
Example

Action  Ourhost       Port  Theirhost     Port  Comment
Block   *             *     207.46.29.27  *     We don't trust this host
Allow   140.192.32.1  25    *             *     Connection to our SMTP port

Action  Ourhost       Port  Theirhost     Port  Comment
Block   *             *     *             *     Default

Action  Ourhost       Port  Theirhost     Port  Comment
Allow   140.192.*.*   *     *             25    Connection to their SMTP port
Windows Firewall
• Note this is a software firewall, not a dedicated firewall machine
Outbound policies
• Typically less restrictive than in-bound
• But – good citizenship
  • make it more difficult for hackers
• A packet filter can reject outbound packets with illegal IP addresses
  • addresses that could not have been legally generated inside the network
• Example
  • 140.192.*.* are DePaul IP addresses
  • if an outbound packet has a source address of 207.34.102.2, it is probably forged
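As an added example (not from the slides), the rule table above and the outbound anti-spoofing check combined into one first-match packet filter. The four rows are merged into a single list with the catch-all "Block * * * *" row last, so it acts as the default-discard policy; the direction flag, the Packet class and the sample packets are assumptions made for this example.

```python
import fnmatch
from dataclasses import dataclass
from typing import Tuple

# Rule table from the slides, evaluated top to bottom; first match wins.
# Columns: action, ourhost, our port, theirhost, their port, comment.
RULES = [
    ("Block", "*", "*", "207.46.29.27", "*", "We don't trust this host"),
    ("Allow", "140.192.32.1", "25", "*", "*", "Connection to our SMTP port"),
    ("Allow", "140.192.*.*", "*", "*", "25", "Connection to their SMTP port"),
    ("Block", "*", "*", "*", "*", "Default"),  # default discard policy
]

OUR_NETWORK = "140.192.*.*"  # DePaul addresses, per the slide


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "in" = arriving from the Internet, "out" = leaving our network


def _match(pattern: str, value: str) -> bool:
    # "*" matches anything; "140.192.*.*" is a shell-style wildcard on the dotted quad.
    return pattern == "*" or fnmatch.fnmatchcase(value, pattern)


def filter_packet(pkt: Packet) -> Tuple[str, str]:
    """Return (action, comment) for one packet under the rule table."""
    # "Ourhost" is the inside end of the packet, "Theirhost" the outside end,
    # so which header field plays which role depends on the direction.
    if pkt.direction == "in":
        our, our_port, their, their_port = pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port
    else:
        our, our_port, their, their_port = pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port
        # Egress check from the slide: an outbound packet whose source is not one
        # of our addresses could not have been legally generated inside the network.
        if not _match(OUR_NETWORK, pkt.src_ip):
            return "Block", "Forged source address"
    for action, r_our, r_our_port, r_their, r_their_port, comment in RULES:
        if (_match(r_our, our) and _match(r_our_port, str(our_port))
                and _match(r_their, their) and _match(r_their_port, str(their_port))):
            return action, comment
    return "Block", "No rule matched (default discard)"  # unreachable with the catch-all row
```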
Characteristics
• Pluses
  • Packet-filtering routers are simple, transparent to users, and fast
• Minuses
  • The router cannot prevent attacks that employ application-specific vulnerabilities or functions
  • The logging functionality in the router is limited
  • Most routers do not support advanced user authentication schemes
  • The router is vulnerable to attacks and exploits that take advantage of flaws in TCP/IP
  • The routers are susceptible to security breaches caused by improper configurations
Circuit-Level Gateway
• It does not permit an end-to-end TCP connection
• It can be a stand-alone system
• Or, it can be a specialized function performed by an application-level gateway for certain applications
• It sets up two TCP connections
  • One TCP connection between the inner host and the gateway
  • Another TCP connection between the gateway and the outside host
• It relays TCP segments from one connection to the other without examining the contents
Characteristics
• Pluses
  • Each established connection can be logged
  • Can protect against some DoS attacks
• Minuses
  • May slow establishment of TCP connections
  • Does not protect against attacks on legal services
    • buffer overflow
Application-level gateway
• Also "proxy server"
• The firewall relays application-level traffic
  • external host contacts gateway
  • gateway contacts internal host
• If the gateway does not support a specific application, the service cannot be forwarded across the firewall
Characteristics
• Pluses
  • every operation can be inspected and logged
  • user authentication can be done at the gateway
  • identity of internal system is hidden
• Minuses
  • slowest firewall
  • hardest to configure
  • costliest
Asymmetric gateway
• Application-level gateway on inbound connections
• Circuit-level gateway on outbound connections
  • internal users implicitly trusted
  • lower overhead
Bastion host
• From firewall definition
  • "dedicated gateway machine"
  • "special security precautions"
• Precondition for gateway firewalls
  • need a computer to perform gateway operations
  • but this computer is the first thing hackers will attack
Host
• Secure operating system
  • OpenBSD
• Minimal services installed
• Very restrictive authentication
  • one-time passwords
• Often some type of write-once logging
  • CD-ROM, uni-directional tape
Proxy software
• Specialized proxy software for each service being gatewayed
• Relay only to specific internal hosts
• Each proxy process runs without disk access except for startup
• Each proxy process runs with minimal system privileges
• Each proxy process maintains detailed logs
Example firewalls
• single-homed screened host
• dual-homed screened host
• screened-subnet
Single-homed screened host
• Router allows inbound IP packets only to the bastion host, and outbound IP packets only from the bastion host
• Bastion host performs authentication and proxy functions
Dual-homed screened host
• Bastion host has two network addresses
  • one internal, one external
• If the router is compromised, the firewall host still protects the internal network
Screened-subnet
• Internal network is completely separate
• Internal network is invisible to the Internet
Tunneling
• Restrictive firewall is good for security
  • bad for availability
  • users cannot work from home
(diagram) Host A, outside Firewall F, sends "Please access service S on Host B"; Firewall F answers "Denied. Local users only!" and the request never reaches the internal service S on Host B.
Tunneling cont'd
• Tunnel encrypts the original packet and creates a new packet
  • source = tunnel entrance
  • destination = tunnel exit
• Tunnel exit decrypts the payload and inserts the packet into the local network as if the packet had originated locally
(diagram) Host A's packet "Please access service S on Host B" enters the tunnel, which wraps it in a new packet "Please deliver contents to tunnel at Host F"; the tunnel endpoint at the Firewall unwraps it and delivers "Please access service S on Host B" to the internal service S on Host B.
IPsec
• Goals
  • authenticate packet origins
  • provide integrity for packet contents
  • encrypt packets
  • tunnel packets
IPsec, cont'd
• Two protocols
  • Authentication Header Protocol
    • authentication + integrity
  • Packet Encryption Protocol
    • authentication + integrity + confidentiality
Authentication Header Protocol
• source IP cannot be spoofed
  • depends on secret key agreement
  • based on public key certificates
• message contents cannot be modified
  • secure hash of payload is computed by sender
  • verified by receiver
Packet Encryption Protocol
• Use AHP and symmetric encryption of packet payload
• Diffie-Hellman key agreement is part of the protocol
Security association
• Endpoints of tunnel must agree on
  • protocol type
  • cryptographic algorithms
  • keys
  • duration of key
• Each packet contains an identifier labeling the particular security association used for that packet
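As an added example (not from the slides, and not the real IPsec AH wire format), a simplified model of the two preceding ideas: the receiver looks up the security association named by the identifier (SPI) carried in each packet, then verifies the sender's keyed hash over the source address and payload, so a modified payload, a spoofed source or an unknown SPI is rejected. The packet layout, the SA table and the sample key are assumptions constructed for this example; in IPsec the key would come from the key agreement described above.

```python
import hashlib
import hmac
import ipaddress
import struct
from typing import Optional, Tuple

# Security associations indexed by SPI. Both tunnel endpoints hold the same
# entry (algorithm + key); the key below is a constructed sample value.
SA_TABLE = {256: {"alg": "sha256", "key": b"constructed-sample-key-for-spi-256"}}

# Simplified header: SPI, sequence number (anti-replay window not modelled),
# and the 4-byte source IPv4 address; followed by the hash, then the payload.
HDR = struct.Struct("!II4s")


def _icv(sa: dict, header: bytes, payload: bytes) -> bytes:
    # Keyed hash over header and payload: covers SPI, sequence, source and contents.
    return hmac.new(sa["key"], header + payload, sa["alg"]).digest()


def ah_send(spi: int, seq: int, src_ip: str, payload: bytes) -> bytes:
    """Sender side: compute the secure hash and prepend it to the payload."""
    sa = SA_TABLE[spi]
    header = HDR.pack(spi, seq, ipaddress.IPv4Address(src_ip).packed)
    return header + _icv(sa, header, payload) + payload


def ah_receive(packet: bytes) -> Optional[Tuple[str, bytes]]:
    """Receiver side: return (source IP, payload), or None if the packet is rejected."""
    if len(packet) < HDR.size:
        return None  # truncated packet
    spi, _seq, src = HDR.unpack_from(packet)
    sa = SA_TABLE.get(spi)
    if sa is None:
        return None  # no security association for this identifier
    header = packet[:HDR.size]
    n = hashlib.new(sa["alg"]).digest_size
    icv, payload = packet[HDR.size:HDR.size + n], packet[HDR.size + n:]
    # Constant-time comparison; any change to source, SPI or payload fails here.
    if not hmac.compare_digest(icv, _icv(sa, header, payload)):
        return None
    return str(ipaddress.IPv4Address(src)), payload
```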
VPN
• Establish a tunnel between remote user (or site) and local firewall
• Requires
  • availability of IPsec
  • installing VPN software on each remote client
  • VPN server at firewall, called the gateway
  • public key certificate for gateway
VPN, cont'd
• Users access Internet normally (dial-up, DSL, etc.)
• then turn on VPN
• VPN has authentication procedure
• User's machine becomes part of the internal network
  • inside the firewall
VPN, cont'd
• Need good authentication of users
  • because once authenticated, the machine becomes virtually local, "trusted"
• Tunnel is reasonably secure
  • IPsec cryptographic hash protects against modification
  • DH key exchange provides mechanism to share secret keys
  • secret key exchange prevents session hijacking
  • server public key certificate protects against man-in-the-middle
Next week
• Web application security
  • online reading