lectures 1 and 2 firewalls and their...

1

Lectures 1 and 2

INFS 766/INFT 865Prof. Ravi Sandhu

Internet Security Protocols Spring 2000

INFS 766/INFT 865Internet Security Protocols

Lectures 1 and 2Firewalls and Their Limitations

Prof. Ravi Sandhu

2© Ravi Sandhu 2000

REFERENCE BOOKS

u Network Security Essentials, William Stallings,Prentice-Hall, 2000

u Security Technologies for the World Wide Web, RolfOppliger, Artech House, 2000

u Internet and Intranet Security, Rolf Oppliger, ArtechHouse, 1998

u Building Internet Firewalls, Brent Chapman andElizabeth Zwicky, O’Reilly and Associates, 1995

u Network Security: Private Communication in a PublicWorld, C. Kaufman, R. Perlman and M. Speciner,Prentice-Hall, 1995

2

Lectures 1 and 2




WEB SOURCES

u source for RFCs and IETFl http://www.ietf.org

u cryptographic sourcesl RSA’s frequently asked questions: http://www.rsa.com/rsalabs/newfaql NIST encryption home page: http://csrc.nist.gov/encryption/

u firewall sourcesl Links to many vendor sites: http://www.waterw.com/~manower/vendor.htmll Firewalls mailing lists and searchable archive: http://lists.gnac.net/firewallsl Firewalls frequently asked questions: http://www.clark.net/pub/mjr/pubs/fwfaq


SECURITY COURSES CYCLE

u Falll INFS 762 Information Systems Securityl INFS 767 Secure Electronic Commerce

u Springl INFS 766 Internet Security Protocolsl INFS 765 Database Securityl INFT 862 Formal Models for Computer Security

3

Lectures 1 and 2



OPENING REMARKS


INTERNET INSECURITY

u Internet insecurity spreads at Internet speedl Morris worm of 1987l Password sniffing attacks in 1994l IP spoofing attacks in 1995l Denial of service attacks in 1996l Email borne viruses 1999

u Internet insecurity grows at super-Internet speedl security incidents are growing faster then the Internet

(which has roughly doubled every year since 1988)

4

Lectures 1 and 2




INTERNET SECURITY

u There are no clear cut boundaries inmodern cyberspacel AOL-Microsoft war of 1999l Hotmail password bypass of 1999l Ticketmaster deep web links


SECURITY OBJECTIVES

INTEGRITYmodification

AVAILABILITYaccess

CONFIDENTIALITYdisclosure

USAGE-CONTROLpurpose

5

Lectures 1 and 2




SECURITY TECHNIQUES

u Preventionl access control

u Detectionl auditing/intrusion detectionl incident handling

u Acceptancel practicality


THREATS, VULNERABILITIESASSETS AND RISK

u THREATS are possible attacksu VULNERABILITIES are weaknessesu ASSETS are information and

resources that need protectionu RISK requires assessment of threats,

vulnerabilities and assets

6

Lectures 1 and 2




RISK

uOutsider Attackn insider attack

uInsider Attackn outsider attack


PERSPECTIVE ON SECURITY

u No silver bulletsu A process NOT a turn-key productu Requires a conservative stanceu Requires defense-in-depthu A secondary objectiveu Absolute security does not exist

u Security in most systems can be improved

7

Lectures 1 and 2




PERSPECTIVE ON SECURITY

u absolute security is impossible doesnot mean absolute insecurity isacceptable


ENGINEERING AUTHORITY & TRUST4 LAYERS

PolicyModel

ArchitectureMechanism

What?

How?

Assurance

8

Lectures 1 and 2



INTRUSION SCENARIOS


CLASSICAL INTRUSIONSSCENARIO 1

u Insider attackl The insider is already an authorized user

u Insider acquires privileged accessl exploiting bugs in privileged system programsl exploiting poorly configured privileges

u Install backdoors/Trojan horses tofacilitate subsequent acquisition ofprivileged access

9

Lectures 1 and 2




CLASSICAL INTRUSIONSSCENARIO 2

u Outsider attacku Acquire access to an authorized

accountu Perpetrate an insider attack


NETWORK INTRUSIONSSCENARIO 3

u Outsider/Insider attacku Spoof network protocols to

effectively acquire access to anauthorized account

10

Lectures 1 and 2




DENIAL OF SERVICEATTACKS

u Flooding network ports with attacksource masking

u TCP/SYN flooding of internet serviceproviders in 1996


INFRASTRUCTUREATTACKS

u router attacksl modify router configurations

u domain name server attacksu internet service attacks

l web sitesl ftp archives

11

Lectures 1 and 2



INTERNET ARCHITECTUREAND PROTOCOLS


OSI REFERENCE MODEL

higherlevel

protocols

lowerlevel

protocolsor

networkservices

higherlevel

protocols

lowerlevel

protocolsor

networkservicesPhysical Layer

Data Link Layer

Network Layer

Transport Layer

Session Layer

Presentation Layer

Application Layer

END USER A END USER B

Physical Layer

Data Link Layer

Network Layer

Transport Layer

Session Layer

Presentation Layer

Application Layer

PHYSICAL MEDIUM

Enduser

functions

Networkfunctions

12

Lectures 1 and 2




OSI REFERENCE MODEL

END USER A END USER B

higherlevel

protocols

lowerlevel

protocolsor

networkservices

higherlevel

protocols

lowerlevel

protocolsor

networkservices

SOURCE NODE DESTINATION NODEINTERMEDIATENETWORK NODE


layer5-7

4

3

2

TCP/IP PROTOCOL STACKBASIC PROTOCOLS

TELNET FTP SMTP HTTP etc

TCP UDP

IP

Ethernet Token-Ring ATM PPP etc

13

Lectures 1 and 2





u IP (Internet Protocol)l connectionless routing of packets

u UDP (User Datagram Protocol)l unreliable datagram protocol

u TCP (Transmission Control Protocol)l connection-oriented, reliable, transport

protocol



u TELNET: remote terminalu FTP (File Transfer Protocol)u TFTP (Trivial File Transfer Protocol)u SMTP (Simple Mail Transfer Protocol)u RPC (Remote Procedure Call)u HTTP (Hyper Text Transfer Protocol)u and others

14

Lectures 1 and 2




TELNET FTP SMTP HTTP etc

TCP UDP

IP

Ethernet Token-Ring ATM PPP etc

layer5-7

4

3

2

TCP/IP PROTOCOL STACKINFRASTRUCTURE PROTOCOLS

ICMP

ARP RARP

DNS RIP EGPBGP


TCP/IP PROTOCOL STACKINFRASTRUCTURE PROTOCOLS

u ICMP: Internet Control Message Protocolu ARP: Address Resolution Protocolu RARP: Reverse Address Resolution Protocolu DNS: Domain Name Serviceu RIP: Routing Information Protocolu BGP: Border Gateway Protocolu EGP: External Gateway Protocol

15

Lectures 1 and 2




TELNET FTP SMTP HTTP

TCP UDP

IP

Ethernet Token-Ring ATM

layer5-7

4

3

2

TCP/IP PROTOCOL STACKSECURITY PROTOCOLS

ICMP

ARP RARP

DNS RIP EGPBGP

IPSEC

SSL


INTERNET STANDARDSPROCESS

u IETF: Internet Engineering Task Forcel Application Areal General Areal Internet Areal Operational Requirements Areal Routing Areal Security Areal Transport Areal User Services Area

16

Lectures 1 and 2




IETF SECURITY AREAACTIVE WORKING GROUPS

u IP Security Protocol (IPSEC)u Transport Layer Security (TLS)u Secure Shell (SECSH)u Public Key Infrastructure X.509 (PKIX)u Domain Name System Security (DNSSEC)u S/MIME Mail Security (SMIME)u Simple Public Key Infrastructure (SPKI)u Common Authentication Technology (CAT)u Web Transaction Security (WTS)u One Time Password Authentication (OTP)u Authenticated Firewall Traversal (AFT)u An Open Specification for Pretty Good Privacy (OPENPGP)


RFCs AND IETF DRAFTS

u RFCsl Standards

n Proposed Standardn Draft Standardn Internet Standard

l Informationall Experimentall Historic

u IETF draftsl work in progressl expire after 6 months

17

Lectures 1 and 2




MUST, SHOULD, MAY

u MUSTl mandatory, required of compliant

implementations

u SHOULDl strongly recommended but not required

u MAYl possibilityl even if not stated a may is always allowed

unless it violates MUST NOT

TCP/IP VULNERABILITIES

18

Lectures 1 and 2




BASIC TCP/IPVULNERABILITIES

u many dangerous implementations ofprotocolsl sendmail

u many dangerous protocolsl NFS, X11, RPCl many of these are UDP based


BASIC TCP/IPVULNERABILITIES

u solutionl allow a restricted set of protocols

between selected external and internalmachines

l otherwise known as firewalls

19

Lectures 1 and 2




IP PACKET

u headeru data

l carries a layer 4 protocoln TCP, UDP

l or a layer 3 protocoln ICMP, IPSEC, IP

l or a layer 2 protocoln IPX, Ethernet, PPP


TCP INSIDE IP

IPHEADER

TCPHEADER

20

Lectures 1 and 2




IP HEADER FORMAT

u version: 4bit, currently v4u header length: 4 bit, length in 32 bit wordsu TOS (type of service): unusedu total length: 16 bits, length in bytesu identification, flags, fragment offset: total 16 bits used for

packet fragmentation and reassemblyu TTL (time to live): 8 bits, used as hop countu Protocol: 8 bit, protocol being carried in IP packet, usually

TCP, UDP but also ICMP, IPSEC, IP, IPX, PPP, Ethernetu header checksum: 16 bit checksumu source address: 32 bit IP addressu destination address: 32 bit IP address


IP HEADER FORMAT

u optionsl source routing

n enables route of a packet and its responseto be explicitly controlled

l route recordingl timestampingl security labels

21

Lectures 1 and 2




TCP HEADER FORMAT

u source port numberl source IP address + source port number is a

socket: uniquely identifies sender

u destination port numberl destination IP address + destination port number

is a socket : uniquely identifies receiver

u SYN and ACK flagsu sequence numberu acknowledgement number


TCP 3 WAY HANDSHAKE

initiator responderSYN(X)

SYN(Y), ACK(X)

ACK(Y)

22

Lectures 1 and 2




TCP SYN FLOODINGATTACK

u TCP 3 way handshakel send SYN packet with random IP source

addressl return SYN-ACK packet is lostl this half-open connection stays for a

fairly long time out period

u Denial of service attacku Basis for IP spoofing attack


IP SPOOFING

u Send SYN packet with spoofedsource IP address

u SYN-flood real source so it dropsSYN-ACK packet

u guess sequence number and sendACK packet to targetl target will continue to accept packets

and response packets will be dropped

23

Lectures 1 and 2




TCP SESSION HIJACKING

u Send RST packet with spoofedsource IP address and appropriatesequence number to one end

u SYN-flood that endu send ACK packets to target at other

end


SMURF ATTACK

u Send ICMP ping packet with spoofedIP source address to a LAN whichwill broadcast to all hosts on the LAN

u Each host will send a reply packet tothe spoofed IP address leading todenial of service

24

Lectures 1 and 2




ULTIMATE VULNERABILITY

u IP packet carries no authentication ofsource address

u IP spoofing is possiblel IP spoofing is a real threat on the Internetl IP spoofing occurs on other packet-switched

networks also, such as Novell’s IPX

u Firewalls do not solve this problemu Requires cryptographic solutions

FIREWALLS

25

Lectures 1 and 2




WHAT IS A FIREWALL?

internalnetwork

FIRE-WALL

externalInternet


WHAT IS A FIREWALL?

u all traffic between external andinternal networks must go throughthe firewalll easier said than done

u firewall has opportunity to ensurethat only suitable traffic goes backand forthl easier said than done

26

Lectures 1 and 2




ULTIMATE FIREWALL

internalnetwork

externalInternet

AirGap


BENEFITS

u secure and carefully administerfirewall machines to allow controlledinteraction with external Internet

u internal machines can beadministered with varying degrees ofcare

u does work

27

Lectures 1 and 2




BASIC LIMITATIONS

u connections which bypass firewallu services through the firewall

introduce vulnerabilitiesu insiders can exercise internal

vulnerabilitiesu performance may sufferu single point of failure


TYPES OF FIREWALLS

u Packet filtering firewallsl IP layer

u Application gateway firewallsl Application layer

u Circuit relay firewallsl TCP layer

u Combinations of these

28

Lectures 1 and 2




PACKET FILTERING FIREWALLS

u IP packets are filtered based onl source IP address + source port numberl destination IP address + destination

port numberl protocol field: TCP or UDPl TCP protocol flag: SYN or ACK


FILTERING ROUTERS

internalnetwork packet

filteringrouter

externalInternet

i-nw-to-router

router-to-i-nw

e-nw-to-router

router-to-e-nw

mailgateway

29

Lectures 1 and 2





u drop packets based on filtering rulesu static (stateless) filtering

l no context is kept

u dynamic (statefull) filteringl keeps context


PACKET FILTERINGFIREWALLS

u Should never allow packet withsource address of internal machineto enter from external internet

u Cannot trust source address to allowselective access from outside

30

Lectures 1 and 2




FILTERING ROUTERS

internalnetwork 1

packetfilteringrouter

externalInternet

mail gateway(internal network 3)

internalnetwork 2


FILTERING HOST

internalnetwork

externalrouter

externalInternet

packetfilteringfirewall

host

u one can use a packet filtering firewall even ifconnection to Internet is via an external serviceprovider

31

Lectures 1 and 2





u packet filtering is effective forcoarse-grained controls

u not so effective for fine-grainedcontroll can do: allow incoming telnet from a

particular hostl cannot do: allow incoming telnet from a

particular user


APPLICATION GATEWAYFIREWALLS

internalnetwork

externalrouter

externalInternet

applicationgatewayfirewall

host

SIMPLESTCONFIGURATION

32

Lectures 1 and 2




APPLICATION PROXIES

u have to be implemented for eachservice

u may not be safe (depending onservice)


CLIENT-SIDE PROXIESInternal-Client External-Server

u allow outgoing http for web accessto external machines from internalusers

u requires some client configuration

33

Lectures 1 and 2




SERVER-SIDE PROXIESExternal-Client Internal-Server

u allow incoming telnet for access toselected internal machines from selectedexternal users

u requires some cryptographic protection tothwart sniffing and IP spoofing

u becoming increasingly important forl electronic commercel VPNl remote access security


FIREWALL ARCHITECTURESDUAL HOMED HOST

Bastion Host(Application

Gateway)

Router RouterIntranet

Internet

Bastion Host(ExternalService)

34

Lectures 1 and 2




FIREWALL ARCHITECTURESSCREENED SUBNET

Packet Filter

Router RouterIntranet

Internet

Bastion Host(ExternalService)

INTRUSION DETECTION

35

Lectures 1 and 2




RELATED TECHNOLOGIES

u Intrusion detectionu Vulnerability assessmentu Incident responseu Honey potsu Sniffer probes


INTRUSION DETETCIONTECHNIQUES

u Policy detection (or knowledge-based)l default permit

n attack-signature based detectionn also called misuse detection

l default denyn specification-based detection

u Anomaly detection (or behavior-based)n requires user profilingn requires some learning capability in the system

u Combinations of these

36

Lectures 1 and 2




INTRUSION DETECTIONDATA SOURCE

u network-based intrusion detectionl multiple sensor points

u host-based intrusion detectionl multi-host based

u application-based intrusion detectionu combinations of these


ATTACKER

u Outsiderl easier

u insiderl harder

37

Lectures 1 and 2




INTRUSION DETECTION ISSUES

u effectivenessu efficiencyu securityu inter-operabilityu ease of useu transparency


INTRUSION DETECTIONCHALLENGES

u False alarm rateu Performance and scalability

38

Lectures 1 and 2




BASE RATE FALLACY

u Test for a disease is 99% accuratel 100 disease-free people tested, 99 test negativel 100 diseased people tested, 99 test positive

u Prevalence of disease is 1 in 10,000u Alice tests positiveu What is probability Alice has the disease?


BASE RATE FALLACY

u Test for a disease is 99% accuratel 100 disease-free people tested, 99 test negativel 100 diseased people tested, 99 test positive

u Prevalence of disease is 1 in 10,000u Alice tests positiveu What is probability Alice has the disease?

1 in 100u False alarm rate: 99 in 100 !!!!!

39

Lectures 1 and 2




BASE RATE FALLACYBAYE’S THEOREM

u population: 1,000,000u diseased: 100u disease free: 999,900u false positive: 9,999u true positive: 99u Alice’s chance of disease:

99/(9,999+99) = 1/100


BASE RATE FALLACY99.99% ACCURACY

u population: 1,000,000u diseased: 100u disease free: 999,900u false positive: 99.99u true positive: 99.99u Alice’s chance of disease:

99.99/(99.99+99.99) = 1/2

40

Lectures 1 and 2




NETWORK-BASED INTRUSIONDETECTION SIGNATURES

u port signaturesu header signaturesu string signatures


NETWORK-BASED INTRUSIONDETECTION ADVANTAGES

u Complements firewallsu broad visibility into network activityu no impact on network performanceu transparent installation

41

Lectures 1 and 2




NETWORK-BASED INTRUSIONDETECTION DISADVANTAGES

u False positivesu miss new unknown attacksu scalability with high-speed networksu passive stanceu emergence of switched Ethernet


HOST-BASED INTRUSIONDETECTION

u host wrappers or personal firewallsl look at all network packets, connection

attempts, or login attempts to the monitoredmachine

n example, tcp-wrapper

u host-based agentsl monitor accesses and changes to critical

system files and changes in user privilegen example, tripwire

42

Lectures 1 and 2




INTRUSION DETECTIONSTANDARDS

u None existu ongoing efforts

l CIDF: common intrusion detectionframeworkfor sharing information

l IETF Intrusion Detection Working Groupjust started


INTRUSION DETECTION

u Needs to integrate with othersecurity technologies such ascryptography and access control

u one component of defense-in-depthlayered security strategy

u incident-response and recovery areimportant considerations

lectures 1 and 2 firewalls and their...

Documents