Internet Security

ECT 582

Robin Burke

Outline

Homework #5 Host security Firewalls IPsec / VPN

Homework #5

solution

Host security

Every Internet host is vulnerable to attackNetwork port is a front door to the

whole world How to make hosts more secure?

attacksdefenses

Attacks on Hosts

DoS flood host with requests to tie up resources

Authentication breach attack authentication system to gain access

Application vulnerability attack application program to inject foreign code

Virus/Trojan Horse attack OS with a malicious program (malware)

Social Engineering attack organization to obtain authentication or other

information

Denial of Service

Attacks take different formsbogus requestsabuse of Internet protocols

Characteristicssudden change in system loadservices unavailable or very slow

• may cause system crash

particular hosts targeted

Defenses

Turn off unused services if bogus packets never received, fewer resources

used Request throttling

only accept requests at a certain rate• prevent server overload, but may hamper legitimate

users Request filtering

only allow requests from certain hosts allow a fixed number of requests from a given host in

a certain period• doesn't work against distributed attack

Most other approaches applied elsewhere in network

Authentication breach

Characteristicsattacker tries to get access by

masquerading as legitimate user Needs user id and password

brute-force attacksniffing attackcracking attack

Authentication: brute force

Execution user ids typically easy to find (email address,

user directory on web) attempt all passwords

Defense request throttling lock-out

• stop allowing authentication after n failed trials• can create denial of service

Authentication: sniffing

Execution copy all network traffic look for packets with authentication

information Defense

use protocols in which authentication information is encrypted

• FTPS instead of FTP• SSH instead of telnet• HTTPS instead of HTTP

Authentication: cracking

Execution steal copy of encrypted password file attempt to decrypt passwords

Defense access control measures to prevent access

to password files• vary by system

good passwords• more than 8 characters• combinations of numeric and non-alphanumeric,

upper- and lower-case

Application attack

Characteristics application bug is exploited

• often buffer overflow inject attacker's code into system

• code executes with application privileges can be used to launch additional attacks

• classic "worm" behavior Needs

knowledge of application needs to know OS

Often downloadable tools can be used

Application attack cont'd

Defensesattention to software security patchessubscribe to CERT mailing listinvestigate vendor's coding practicesincorporate security into development

methodologyexamine application logs for

unexpected activities

Malware

Characteristicsuser deceived into executing

malicious code• Many avenues: ActiveX controls, binary

email attachments, web scripts

Many tools exist to createWorm behavior possible

• email replication

Malware, cont'd

Defenses anti-virus software

• signatures must be updated regularly email scanning

• server-based best application settings

• IE scripting• MS Office macros• very problematic

user education better solution

• less vulnerable applications / OSes• finer grainer control

Social Engineering

Scenario Call up individual in company (typically a secretary or

switchboard person) Alice Ask for name of tech support person (Bob) Calls 2nd secretary Eve, claiming to work for Bob. Tell Eve to reset her account password to the one he

will give her. Eve complies and now hacker has account access

Result 2 phone calls = security hole

Social Engineering, cont'd

Characteristics very easy to do

• Kevin Mitnick's favorite method many kinds of information are sensitive

• names, job descriptions, hardware/software configuration

Defense need to know

• don't give information to everyone• what they don't know, they can't reveal

security policies• "Let me call you back."

user education

Problematic fact

Many avenues for host security to be compromisedsimple user error is enougha large organization will have many

hosts

Sun Tzu on firewalls

"If [the enemy] sends reinforcements everywhere, he will everywhere be weak"

-- The Art of War Translation

enforcing perfect host security everywhere is impossible

Solution force the confrontation to take place at a

single known location concentrate defense at that point

Firewall

A dedicated gateway machine with special security precautions on it, used to service outside network, especially Internet connections and dial-in lines. The idea is to protect a cluster of more loosely administered machines hidden behind it...

--- FOLDOC

Firewalls

Idea Build security measures into a single host Force all inbound and outbound Internet

traffic to pass through Enables

establishing a single security policy that all machines share

machines behind the firewall have some protection

firewall machine can be specially configured

Firewall policies

Both in-bound and out-bound what the outside world can do what local users can do

Applications which applications are accessible

• boils down to port numbers Hosts

which hosts are accessible Users

which users have access

Firewall features

Minimal port blocking host blocking

Better configurable logging user authentication / blocking

Best stateful inspection

• track the progress of individual sessions• allow only legal actions

Other features

Often implemented at the firewall NAT

network address translation internal machines can "illegal" IP addresses

• can't be reached by routing firewall pretends to originate requests

VPN virtual private network encrypted traffic between firewall and external host host authenticates and then is "inside" the firewall

Limitations

Firewall only defends the connection it is on dial-in not protected wireless LAN not protected walking out with a CD-ROM, etc.

Firewall can't protect against malware Firewalls can't protect against malicious

insiders Firewalls must be carefully configured and

closely monitored Firewalls can lead to a false sense of

security

Firewall types

Packet-filtering Application-level gateway Circuit-level gateway

Packet-filtering

Firewall inspects packets and filters according to a policy usually host- and port-based

Circuit-level gateway

Firewall decides whether to allow connection

Then just passes packets along

Application-level gateway

Firewall is a proxy for all interactions

TCP/IP Packet

Internet communication is done through packets A packet is a fixed-size set of bytes with a

specific format A typical TCP/IP packet contains:

Source IP, Source Port, Destination IP, Destination Port

Payload• message part

Packet routing

Port PortEmail

Browser

File

Web Server

FTP Server

Email Server

My ComputerIP address: 140.192.32.123

Remote ComputerIP Address: 207.46.249.27

Internet

Packet-Filtering Router

A router applies a set of rules to each IP packet and forward or discards the packet

The filter is typically set up as a list of rules based on matches to fields in the IP or TCP header The fields are source/destination IP address, port

number, etc. If there is a match to one of the rules, that rules is

invoked to determine whether to forward or discard the packet

If there is no match, the a default action is taken• Default discard policy• Default forward policy

Example

Action Ourhost Port Theirhost Port comment

Block * * 207.46.29.27 * We don't trust this host

Allow 140.192.32.1 25 * * Connection to our SMTP port

Action Ourhost Port Theirhost Port comment

Block * * * * Default

Action Ourhost Port Theirhost Port comment

Allow 140.192.*.* * * 25 Connection to their SMTP port

Windows Firewall

Note this is a software firewallnot a dedicated firewall machine

Outbound policies

Typically less restrictive than in-bound But – good citizenship

make it more difficult for hackers A packet filter can reject outbound packets with illegal

IP addresses could not have been legally generated inside the

network Example

140.192.*.* are DePaul IP addresses if an outbound packet has a source address of

207.34.102.2• it is probably forged

Characteristics

Pluses Packet-filtering routers are simple, transparent to

users, and fast Minuses

The router cannot prevent attacks that employ application-specific vulnerabilities or functions

The logging functionality in the router is limited Most routers do not support advanced user

authentication schemes The router is vulnerable to attacks and exploits that

take advantage of flaws in TCP/IP The routers are susceptible to security breaches

caused by improper configurations

Circuit-Level Gateway

It does not permit end-to-end TCP connection It can be a stand-alone system Or, it can be a specialized function performed by

an application-level gateway for certain application It sets up two TCP connections

One TCP connection between inner host to the gateway

Another TCP connection between the gateway to outside host

It relays TCP segment from one connections to the other without examining the contents

Characteristics

Pluses Each established connection can be logged Can protect against some DoS attacks

Minuses May slow establishment of TCP connections Does not protect against attack to legal

services• buffer overflow

Application-level gateway

Also "proxy server" The firewall relays application-level traffic

external host contacts gateway gateway contacts internal host

If the gateway does not support a specific application the service cannot be forwarded across the

firewall

Characteristics

Pluses every operation can be inspected and logged user authentication can be done at the

gateway identity of internal system is hidden

Minuses slowest firewall hardest to configure costliest

Asymmetric gateway

Application-level gateway on inbound connections

Circuit-level gateway on outbound connectionsinternal users implicitly trustedlower overhead

Bastion host

From firewall definition"dedicated gateway machine""special security precautions"

Precondition for gateway firewallsneed a computer to perform gateway

operationsbut this computer is the first thing

hackers will attack

Host

Secure operating systemOpenBSD

Minimal services installed Very restrictive authentication

one-time passwords Often some type of write-once logging

CD-ROM, uni-directional tape

Proxy software

Specialized proxy software for each service being gatewayed

Relay only to specific internal hosts Each proxy process runs without disk

access except for startup

Each proxy process runs with minimal system privileges

Each proxy process maintains detailed logs

Example firewalls

singled-homed screened host dual-homed screen host screened-subnet

Single-homed screened host

Router allows inbound IP packets only to bastion host, and outbound IP packets from bastion host

Bastion host performs authentication and proxy functions

Dual-homed screen host

Bastion host has two network addresses one internal, one external

If router is compromised, firewall host still protects internal network

Screened-subnet

Internal network is completely separate Internal network is invisible to Internet

Tunneling

Restrictive firewall is good for securitybad for availabilityusers cannot work from home

Host A

Host B

internalservice

S

Firewall F

X

Please access serviceS on Host B

Denied. Local usersonly!

Tunneling cont'd

Tunnel encrypts original packet and creates a new packet source = tunnel entrance destination = tunnel exit

Tunnel exit decrypts payload and insert packet into local network as if packet had originated locally

Host A

Host B

internalservice

S

Firewall

Tunnel Tunnel

Please access serviceS on Host B

Please accessservice S onHost B

Please delivercontents totunnel at Host F

Please accessservice S onHost B

IPsec

Goalsauthenticate packet originsprovide integrity for packet contentsencrypt packetstunnel packets

IPsec, cont'd

Two protocols Authentication Header Protocol

authentication + integrity Packet Encryption Protocol

authentication + integrity + confidentiality

Authentication Header Protocol

source IP cannot be spoofeddepends on secret key agreementbased on public key certificates

message contents cannot be modifiedsecure hash of payload is computed

by senderverified by receiver

Packet Encryption Protocol

Use AHP and Symmetric encryption of packet

payload Diffie-Helman key agreement is part

of protocol

Security association

Endpoints of tunnel must agree onprotocol typecryptographic algorithmskeysduration of key

Each packet contains an identifier labeling the particular security

association used for that packet

VPN

Establish a tunnel between remote user (or site) local firewall

Requires availability of IPsec installing VPN software on each remote

client VPN server at firewall, called the gateway public key certificate for gateway

VPN, cont'd

Users access Internet normally (dial-up,

DSL, etc.)then turn on VPNVPN has authentication procedureUser's machine becomes part of the

internal network• inside the firewall

VPN, cont'd

Need good authentication of users because once authenticated, machine becomes

virtually local "trusted"

Tunnel is reasonably secure IPsec cryptographic hash protects against

modification DH key exchange provides mechanism to share

secret keys secret key exchange prevents session hijacking server public key certificate protects against man-in-

the-middle

Next week

Web application securityonline reading