Myspace failure to properly filter scripts ... TCP Prox - PowerPoint PPT Presentation

Slides: 71
Provided by: charissec

Transcript and Presenter's Notes

1
Information Security Fundamentals
  • Chapter X
  • Basic Networking

2
Network Access
  • TCP/IP is the protocol for communicating.
  • Like sending a letter:
  • Home address → IP address
  • Person → Port number
  • Computers have IP addresses
  • Applications have Port numbers
  • THERE ARE NO USERS IN THE NETWORK LAYER

3
Question
  • Argue for or against using IP address to
    represent a specific computer on the Internet

4
(No Transcript)
5
Port Numbers
  • Port numbers are divided into three ranges:
  • Well-Known Ports: 0-1023
  • Registered Ports: 1024-49151
  • Dynamic/Private Ports: 49152-65535
  • The IETF regulates new protocols for well-known
    and registered ports
  • www.ietf.org

6
Network access
  • The Internet Assigned Numbers Authority maintains
    the port to protocol registry
  • http://www.iana.org/assignments/port-numbers

7
TCP/IP
  • Privileged ports
  • Protocols running on ports 0-1023 are considered
    privileged
  • They are actively managed by IANA
  • On Windows and Unix there are services or daemons
    running all the time, listening for connections
  • Vulnerabilities in these listeners can cause
    problems
  • By default many systems have these services
    enabled

8
Vulnerabilities
  • FTP problems
  • Anonymous access (numerous)
  • Even security vendors' products are affected
    (WatchGuard SOHO firewall)
  • Misconfigurations (FTP has 2 ports, data and
    command; firewalls and FTP servers are often
    configured incorrectly)

9
Web vulnerabilities
  • Myspace failure to properly filter scripts
  • Oracle Application Server Web Cache contains heap
    overflow vulnerability
  • iPlanet Web Server Enterprise Edition and
    Netscape ... and Netscape Enterprise Server
    malformed Web Publisher command causes denial-of-
    service

10
Standard services running on Fedora (Linux)
  • Conman: console services via telnet (remote mgt)
  • Dhcdbd: Dynamic Host Configuration Protocol
  • Hald: Hardware Abstraction Layer Daemon
  • Hsqldb: Java database connector
  • Httpd: Web server
  • ip6tables and iptables: IP tables, Linux basic
    firewall filter and IP protocol translator (more
    later)
  • Kudzu: like boot-time plug and play
  • Lisa: file services, including Windows
  • NetworkManager and NetworkManagerDispatcher:
    switch TCP connections between physical I/Fs
  • Named: Domain Name Service
  • NFSD: Network File System
  • Nscd: Name (User) Service Cache; allows you to
    use LDAP or Active Directory for Unix logins
  • Openvpn: Virtual Private Network
  • Portmap: for remote procedure call services
    (different from Windows)
  • Postfix: email services (only needed if you are
    a mail relay)
  • Rdisc: router discovery
  • Saslauthd: simple authentication for connection-
    based services
  • Sendmail: the original

11
Security Rule 3
  • The fundamental problem with networking is the
    lack of authentication

12
TCP Origins
  • Designed in the late 1970s as a replacement for
    the IMP protocol
  • Requirements were for guaranteed delivery
  • Because computers were so new, authentication
    was assumed
  • Arpanet officially converted to TCP by 1983

13
When did problems really start to happen?
  • Rapid adoption due to WWW
  • Early to mid 90s
  • States start to look at adding criminal liability
    for hacking
  • NSF gives up control and commercial utilization
    expands
  • Hacking becomes a pastime

14
Hacker Tools trend
(Chart: relative technical complexity of hacking tools versus the skill
of the average intruder, 1980-1995. Tools shown: password guessing,
password cracking, exploiting known vulnerabilities, disabling audits,
back doors, hijacking sessions, sniffers/sweepers, stealth diagnostics,
packet forging/spoofing, self-replicating code, GUI tools.)
Source: GAO Report to Congress, 1996
15
Commercial Response
  • Early Firewalls were developed
  • Trusted Information Systems developed the
    firewall toolkit, free in source code form
  • Sold by TIS to commercial users
  • Proxy based

16
OSI Stack
  • http://www.commsdesign.com/design_corner/OEG20030416S0015

17
IP header
  • http://www.networksorcery.com/enp/protocol/ip.htm

18
Internet Address: a 32-bit value that contains
the network and host number fields. There are
five classes of internet addresses; the class
indicates the size of the network and host
fields. Internet addresses are commonly displayed
in dotted decimal notation, format XXX.XXX.XXX.XXX.
  • http://www.networksorcery.com/enp/protocol/ip.htm

19
(No Transcript)
20
Proxy based firewalls: a tale of Irony
(Diagram: traffic from the Internet arrives at the proxy, which compares
the Dst addr 172.41.92.080 against an Allow or Deny rule; numbered
packets 1-4 are shown on both sides of the proxy)
21
Benefits of a TCP Proxy
TCP/IP Packet Streams
  • Traffic Grooming
  • Timeouts and retransmissions from clients are
    eliminated
  • TCP segments are all in order (no dropped or
    out-of-order packets)
  • Optimizes MTU to server
  • DoS Attack Mitigation
  • Since incoming TCP/IP headers are stripped off,
    common protocol-based hacking attacks don't pass
    through
  • Malformed (often malicious) TCP/IP packets are
    dropped before they ever get to the server
  • Unused TCP service ports can be blocked (example:
    only traffic to ports 80, 25 and 443 is left
    open)

(Diagram: malformed packet 3 in the stream is dropped at the proxy)
22
Hackers Manipulate TCP/IP Headers to Attack
Servers
(Diagram of attacks grouped by header; labels: TCP Header, IP Header)
  • Port Scanning
  • TCP ACK Flood
  • Session Hijacking
  • WinNuke
  • Tear Drop, Jolt2 (Fragmentation Attacks)
  • XMAS Tree (All Flags 1)
  • Hiding Viruses Via TTL Crafting
23
TCP Proxy Operation Provides Powerful Attack
Mitigation
  • TCP Proxy Operation Filters Out Common Layer 3-4
    DoS Attacks:
  • IP Fragmentation Attacks (Tear Drop, Tiny Packet,
    Jolt2, etc)
  • Malformed TCP Headers (XMAS, FIN w/o ACK, etc)
  • WinNuke (URG flags sent to Port 139 of a PC
    running Windows)
  • TCP Port Scanning
  • TCP ACK floods
  • Stealth attacks using crafted Time-to-Live (TTL)
    fields in IP headers
  • Protects against future protocol-based attacks
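
As an added example (not code from the slides or from any proxy product they describe), the following Python filter makes the drop decisions a TCP proxy makes on the client side, before any server sees the packet: it parses the IPv4 and TCP headers it receives, rejects the fragment and flag patterns listed on slides 21-23, closes every port outside an allow list, and only for a clean segment would go on to open its own connection to the server. The packet builder, the addresses and the allowed-port set are constructed for the example; the proxy's outbound connection itself is not implemented.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# TCP flag bits in the 14th header byte (RFC 793 order)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG

# Constructed policy, matching the slide's "only 80, 25 and 443 are left open"
ALLOWED_PORTS = {80, 25, 443}
WINNUKE_PORT = 139          # URG data aimed at the NetBIOS session port


@dataclass
class Verdict:
    action: str             # "forward" (proxy builds its own connection) or "drop"
    reason: str


def parse_ipv4(pkt: bytes) -> dict:
    """Parse a minimal IPv4 header; raise ValueError on anything inconsistent."""
    if len(pkt) < 20:
        raise ValueError("truncated IP header")
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     ttl, proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBHII", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20 or total_len < ihl or total_len > len(pkt):
        raise ValueError("inconsistent IP length fields")
    return {"ttl": ttl, "proto": proto,
            "more_frags": bool(flags_frag & 0x2000),
            "frag_offset": (flags_frag & 0x1FFF) * 8,     # bytes
            "payload": pkt[ihl:total_len]}


def parse_tcp(seg: bytes) -> dict:
    """Parse a minimal TCP header; raise ValueError if it cannot be trusted."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, _seq, _ack, off_res, flags,
     _win, _csum, _urgp) = struct.unpack("!HHIIBBHHH", seg[:20])
    data_off = (off_res >> 4) * 4
    if data_off < 20 or data_off > len(seg):
        raise ValueError("bad TCP data offset")
    return {"sport": sport, "dport": dport, "flags": flags & ALL_FLAGS}


def proxy_decision(pkt: bytes) -> Verdict:
    """What the proxy does with one client packet before any server sees it."""
    try:
        ip = parse_ipv4(pkt)
    except ValueError as err:
        return Verdict("drop", f"malformed IP header: {err}")
    # Fragmentation attacks (Tear Drop, Jolt2, Tiny Packet): raw fragments are
    # never forwarded, and a first fragment too small to hold TCP is refused
    if ip["frag_offset"] != 0:
        return Verdict("drop", "non-initial IP fragment")
    if ip["more_frags"] and len(ip["payload"]) < 20:
        return Verdict("drop", "tiny first fragment hides the TCP header")
    if ip["proto"] != 6:
        return Verdict("drop", "non-TCP protocol is not proxied")
    try:
        tcp = parse_tcp(ip["payload"])
    except ValueError as err:
        return Verdict("drop", f"malformed TCP header: {err}")
    f = tcp["flags"]
    # Flag combinations no legitimate client sends (scanners and crashers)
    if f == ALL_FLAGS or f & (FIN | PSH | URG) == (FIN | PSH | URG):
        return Verdict("drop", "XMAS tree flags")
    if f == 0:
        return Verdict("drop", "NULL scan (no flags)")
    if f & SYN and f & (FIN | RST):
        return Verdict("drop", "SYN combined with FIN/RST")
    if f & FIN and not f & ACK:
        return Verdict("drop", "FIN without ACK")
    if f & URG and tcp["dport"] == WINNUKE_PORT:
        return Verdict("drop", "URG data to port 139 (WinNuke pattern)")
    # Unused service ports are simply closed at the proxy
    if tcp["dport"] not in ALLOWED_PORTS:
        return Verdict("drop", f"port {tcp['dport']} not in allow list")
    return Verdict("forward", "clean segment; proxy opens its own connection")


def build_packet(dport: int, flags: int, *, frag_offset: int = 0,
                 more_frags: bool = False, proto: int = 6,
                 tcp_len: Optional[int] = None) -> bytes:
    """Constructed test traffic: one IPv4 packet with one TCP header
    (addresses are made up for the example)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    if tcp_len is not None:         # truncate to simulate a tiny fragment
        tcp = tcp[:tcp_len]
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset // 8)
    ip = struct.pack("!BBHHHBBHII", 0x45, 0, 20 + len(tcp), 1, flags_frag,
                     64, proto, 0, 0x0A000001, 0xAC295C50)
    return ip + tcp


if __name__ == "__main__":
    for label, pkt in [("SYN to 80", build_packet(80, SYN)),
                       ("XMAS to 80", build_packet(80, FIN | PSH | URG)),
                       ("URG to 139", build_packet(139, URG | ACK)),
                       ("SYN to 23", build_packet(23, SYN)),
                       ("fragment", build_packet(80, SYN, frag_offset=8))]:
        v = proxy_decision(pkt)
        print(f"{label:12} -> {v.action:7} ({v.reason})")
```

The order of the checks matters: length fields are validated before any flag is read, so a truncated or lying header is dropped as "malformed" rather than being interpreted, and the flag tests run before the port policy so that a WinNuke-style segment is logged for what it is rather than as a mere closed port.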

24
Operating System (OS) Fingerprinting
  • DoS attackers usually need to identify the OS
    running on the target server(s) or host(s) in
    order to select the appropriate attack method
  • Fingerprinting techniques query the target's
    TCP/IP stack and then analyze the responses (e.g.
    NMAP, QueSO)
  • TCP/IP stacks differ in how they respond to legal
    and illegal queries, hence their responses form a
    fingerprint identifying the OS and version

(Diagram: TCP/IP queries are sent to the target host, an OpenBSD v2.4
machine; the TCP/IP responses from the target host let the prober
conclude "Ah, these responses indicate the server's OS is OpenBSD v2.4")
25
A TCP Proxy Shields Servers from TCP/IP
Fingerprinting Probes
  • A TCP proxy presents its own TCP/IP responses to
    client probes
  • Hackers never see the actual TCP/IP headers
    transmitted by the server or host
  • The identity of the target server or host is
    hidden, greatly reducing the chances of a
    subsequent DoS/DDoS attack

(Diagram: TCP/IP probes reach the TCP Proxy, which responds to probes
instead of the destination host; the TCP/IP responses come from the
proxy, and the prober is left asking "Hey, these responses do not match
any OS! What gives?")
26
Popular Fingerprinting Methods
  • TCP Proxying Thwarts Popular Fingerprinting
    Methods¹ Such As:
  • FIN probe
  • Bogus Flag
  • TCP ISN sampling
  • DF flag set in IP header
  • TCP Initial Window
  • ACK value
  • TCP options
  • ICMP Messages
  • IP Fragmentation Handling

1. Information is from Remote OS Detection via
TCP/IP Stack Fingerprinting, available at
http://www.insecure.org/nmap/nmap-fingerprinting-article.html
27
Stateful Inspection
Compares Dst addr/port for allow or deny
access. Usually allows all outbound connections to
flow freely.
(Diagram: Dst addr 172.41.92.080, Allow or Deny, numbered packets 1-4 on
both sides of the firewall; label: No inspection)
28
Allowing all outbound connections
  • What kind of questions would you ask before
    creating that as your policy?

29
Which is more secure?
  • Neither Cisco's PIX Firewall, nor the
    Context-Based Access Control (CBAC) feature of
    Cisco's IOS Firewall Feature Set, protects hosts
    against certain denial of service attacks
    involving fragmented IP packets.
  • Out of order packet processing does not happen on
    most inspection based firewalls.
  • Fragments are passed through unmodified on
    Check Point, Cisco, Juniper
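
The connection-table logic behind slide 27, as an added Python example (not code from the slides or from any of the vendors named): outbound connections from the inside network create state, replies are matched against that state, a new inbound connection is judged only on its destination address/port, and a non-initial fragment, which carries no TCP header to match, is passed through uninspected, which is the behaviour slide 29 describes. The inside prefix, the addresses and the allow list are constructed for the example.

```python
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."     # constructed: the protected network behind the firewall


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False
    frag_offset: int = 0       # non-zero: a non-initial IP fragment (no TCP header)


def is_inside(addr: str) -> bool:
    return addr.startswith(INSIDE_PREFIX)


class StatefulFirewall:
    """Connection-table firewall in the style of the slide: new inbound
    connections are judged on Dst addr/port only, outbound connections start
    freely, and everything else must match remembered state."""

    def __init__(self, inbound_allow):
        self.inbound_allow = set(inbound_allow)   # {(dst_addr, dst_port), ...}
        self.table = {}                           # (src, sport, dst, dport) -> state
        self.log = []                             # (verdict, reason, packet)

    @staticmethod
    def _flow(p: Packet):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet):
        return (p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        verdict, reason = self._decide(p)
        self.log.append((verdict, reason, p))
        return verdict

    def _decide(self, p: Packet):
        # A non-initial fragment carries no ports or flags, so there is nothing
        # to match; inspection firewalls pass it through unmodified
        if p.frag_offset != 0:
            return "pass-uninspected", "non-initial fragment"
        fwd, rev = self._flow(p), self._reverse(p)
        if fwd in self.table or rev in self.table:
            key = fwd if fwd in self.table else rev
            if p.rst:                              # teardown: forget the flow
                del self.table[key]
                return "allow", "RST, state removed"
            if key == rev and p.syn and p.ack:     # server's SYN/ACK reply
                self.table[key] = "ESTABLISHED"
            return "allow", f"matches existing connection ({self.table[key]})"
        if not p.syn or p.ack:
            return "deny", "no state for a packet that is not a new SYN"
        if is_inside(p.src):
            self.table[fwd] = "NEW"
            return "allow", "outbound connections flow freely"
        if (p.dst, p.dport) in self.inbound_allow:
            self.table[fwd] = "NEW"
            return "allow", "inbound Dst addr/port is on the allow list"
        return "deny", "inbound Dst addr/port is not allowed"

    def uninspected_count(self) -> int:
        """How much traffic slipped past without inspection, for the audit log."""
        return sum(1 for v, _, _ in self.log if v == "pass-uninspected")


if __name__ == "__main__":
    fw = StatefulFirewall(inbound_allow={("10.0.0.8", 25)})
    for p in [Packet("10.0.0.5", 40000, "172.41.92.80", 80, syn=True),
              Packet("172.41.92.80", 80, "10.0.0.5", 40000, syn=True, ack=True),
              Packet("198.51.100.9", 80, "10.0.0.5", 40000, ack=True),
              Packet("198.51.100.9", 5555, "10.0.0.5", 80, frag_offset=8)]:
        print(fw.filter(p), "-", fw.log[-1][1])
```

The `uninspected_count` tally is the defender's handle on the limitation: a stateful firewall that cannot reassemble fragments can at least count what it let through, which is the number to watch when deciding whether a proxy is needed in front of a given server.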

30
Why were stateful inspection FWs more popular?
  • Proxy Firewalls are slower
  • Initial releases were source code only
  • Proxy Firewalls couldn't deal with new,
    complicated protocols (H.323 VoIP) without
    upgrades
  • #1 reason: Check Point had a GUI

31
Security Rule 4
  • To make security ubiquitous it has to be easy to
    use

32
(No Transcript)
33
With the advent of Firewalls we now have:
  • Authentication: Who or what am I?
  • Authorization: What am I permitted to do?
  • Access Control: Rules that grant or deny access to a resource
  • Audit Monitoring: Log and monitor what actually happens
34
Network Privacy
  • Introducing the VPN

35
VPN - Definition
  • A virtual private network (VPN) is a private
    communications network often used by companies or
    organizations, to communicate confidentially over
    a public network.

36
History
  • Two major types
  • IPSEC
  • SSL VPNs
  • Initially popular because there was a great ROI
    to move from private leased lines (telco) for the
    free (relatively) transport of the Internet

37
IPSEC
  • RFC 2401 Security Architecture for IP, Nov 98
  • Designed by really smart people: S. Kent, BBN
  • To provide security services at the IP layer by
    enabling a system to select required security
    protocols, determine the algorithm(s) to use for
    the service(s), and put in place any
    cryptographic keys required to provide the
    requested services
  • By Authenticating: IP Authentication Header (AH)
  • And Encapsulating (encrypting payload data)
  • BUT
  • Because these security services use shared secret
    values (cryptographic keys), IPsec relies on a
    separate set of mechanisms for putting these keys
    in place.
  • http://rfc.net/rfc2401.html#s3.1

38
SSL VPN
  • RFC 2246 TLS, Jan 99
  • Taher Elgamal, a noted cryptographer, invented SSL
    in the mid 90s
  • Designed for anonymous clients (internet
    browsers) to authenticated servers
  • Authentication protocol is built in.
  • De facto standard until RFC 2246
  • Open sourced: www.openssl.org
  • Microsoft tried to create a proprietary version
    to combat Netscape's popularity

39
SSL
  • Secure Sockets Layer (SSL) is the de facto method
    for protecting web data in transit
  • Built into every major web browser today
  • Also used for:
  • Wireless
  • Instant Messaging
  • VPNs
  • Secure email
  • EDI
  • Web Services
  • eGovernment

(Slide shows an HTTPS URL and the SSL secured lock icon)
40
Interoperability of IPSEC VPNs
  • A BIG problem
  • What kinds of issues might cause Interoperability
    issues?

41
In order to do cryptography you have to share a
secret
  • The problem with IPSEC was there were too many
    ways to share the secret
  • Skipjack
  • ISAKMP
  • Oakley
  • IKE
  • Son of IKE

42
Some people have solved the interoperability
problem
  • http://www.fw-1.de/aerasec/ng/vpn-freeswan/CP-FW1-NGLinux-FreeSWAN-Gateway.html#checkpoint

43
Interoperability of SSL VPNs
  • None.

44
IPSEC vs SSL
(Comparison diagram: SSL, IPSEC)
45
Benefits of IPSEC vs SSL
  • Discussion topic

46
Advances in VPNs
  • Integrated anti-spyware
  • Policy enforcement with VPN-1
  • Secure auto-remediation to aid security policy
    compliance
  • Outbound threat protection

47
With VPNs for a select group of users:
  • Authentication: Who or what am I?
  • Authorization: What am I permitted to do?
  • Access Control: Rules that grant or deny access to a resource
  • Audit Monitoring: Log and monitor what actually happens
48
Vulnerability Assessment
  • As firewall usage and Internet usage continued to
    grow there was no good way to validate
    firewall effectiveness

49
Vulnerability Assessment
  • Basically taking attack tools and running them
    against your own resources
  • In the early days you had to be careful
  • Nabisco
  • Large automotive Manufacturer

50
How VA works
(Diagram: a SCANNER probing the network)
51
To make VA work
  • You need to discover all the nodes you want to
    test
  • Nmap: http://insecure.org/nmap/
  • Try to run destructive tests in non-destructive
    mode
  • Have a lot of time available
  • Sometimes difficult to access the subnets you
    want to test

52
VA was great but
  • If you ran VA against an out-of-the-box Windows
    system it would generate over 200 vulnerabilities

53
VA was overwhelming
  • Common Vulnerabilities and Exposures
  • http://cve.mitre.org/
  • Common Vulnerability Scoring System (CVSS)
  • http://nvd.nist.gov/cvss.cfm
  • Integrated with workflow
  • Vulnerability management
  • Patch Management
  • Still didn't give you a THREAT posture
  • Because THREAT is context sensitive

54
Why are threats context sensitive?
(Diagram: the SCANNER's view of a network containing an Unauth PDA, SQL
Slammer and Rogue Access)
55
SQL Slammer
  • DB: High asset value × High Risk VA means High
    Threat
  • What if the database is NOT accessible from the
    Internet?
  • What if the database is surrounded by routers
    which filter for SQL Slammer?
  • VA can't tell you the likelihood of an event
    occurring

56
Threat Management
  • Today there are tools that allow you to create
    and evaluate threat scenarios
  • http://www.redseal.net/interactive_demo_v07.html

57
Another FW problem
  • Auditing and Monitoring
  • Firewalls generate HUGE logs
  • A simple T1 connection can generate over 1 GB/day
  • Firewalls don't understand the full range of
    threats

58
Solution - IDS
  • Intrusion Detection Systems
  • Monitors network connections for malware
    specific to TCP/ICMP/UDP and other network
    protocols
  • Does NOT Detect malware in files

59
IDS Timeline
60
IDS has been around for a LONG time
  • 1983, SRI International: Dr. Dorothy Denning
    developed a system to monitor mainframe events
  • 1984: SRI sponsored research into login tracking
    on the Arpanet
  • 1988: Air Force sponsored DIDS
  • Led to NetRanger (now Cisco IDS)
  • ISS's RealSecure
  • 1996: Dr. Peter Neumann at SRI conceptualized
    Emerald
  • 1997-1998: First commercial applications

61
IDS Today
  • Snort
  • Open source
  • Numerous commercial solutions
  • Continuing research by federal government

62
IDS How it works
  • Signatures / State diagrams

(State diagram: from the Initial state, transitions lead through Bad
State 1 ... Bad State N to a Hack)
63
Things IDS systems look for
  • Bad flags
  • Bad protocol transitions
  • FTP moves to a directory it shouldn't
  • An HTTP send without a GET
  • Sendmail commands out of order

64
IDS algorithms
  • Protocol conformity
  • Signatures
  • Anomaly Detection
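
An added Python example (not code from the slides or from Snort) of the first two detection methods listed on slides 62-64, signatures and state-diagram protocol conformity, run over constructed SMTP and FTP command sessions. The SMTP checker walks a transition table and reports any command that leaves the diagram (a "Bad State", covering "Sendmail commands out of order"), the FTP checker reports a CWD or transfer that resolves outside the served root ("FTP moves to a directory it shouldn't"), and the signature list is a constructed pair of regular expressions, not a real rule set. Anomaly detection is not shown.

```python
import re
from posixpath import join, normpath

# Signatures: two constructed regular expressions for illustration, not a rule set
SIGNATURES = [
    ("sendmail debug/wizard command", re.compile(r"^(DEBUG|WIZ)\b", re.I)),
    ("pipe character in SMTP address", re.compile(r"^(MAIL|RCPT)\b.*\|", re.I)),
]

# SMTP state diagram: (state, command) -> next state. Any pair not listed
# is a transition off the diagram, i.e. one of the slide's "Bad States".
SMTP_TRANSITIONS = {
    ("INITIAL", "HELO"): "GREETED", ("INITIAL", "EHLO"): "GREETED",
    ("GREETED", "MAIL"): "SENDER",
    ("SENDER", "RCPT"): "RECIPIENT", ("RECIPIENT", "RCPT"): "RECIPIENT",
    ("RECIPIENT", "DATA"): "BODY", ("BODY", "."): "GREETED",
    ("GREETED", "QUIT"): "CLOSED",
}


def smtp_next(state: str, cmd: str):
    """RSET is legal once greeted and returns to GREETED; otherwise use the table."""
    if cmd == "RSET" and state not in ("INITIAL", "CLOSED"):
        return "GREETED"
    return SMTP_TRANSITIONS.get((state, cmd))


def analyze_smtp(lines):
    """Return [(line_no, alert)] for one client-side SMTP session."""
    alerts, state = [], "INITIAL"
    for n, line in enumerate(lines, 1):
        for name, rx in SIGNATURES:                 # signature matching
            if rx.search(line):
                alerts.append((n, f"signature: {name}"))
        if state == "BODY" and line.strip() != ".":
            continue                                # message body, not commands
        cmd = line.split(None, 1)[0].upper() if line.strip() else ""
        nxt = smtp_next(state, cmd)
        if nxt is None:                             # protocol conformity failure
            alerts.append((n, f"protocol: '{cmd}' in state {state} -> Bad State"))
            continue
        state = nxt
    return alerts


def analyze_ftp(lines, root: str = "/pub"):
    """Flag any CWD/RETR/STOR that resolves outside the served root."""
    alerts, cwd = [], root
    for n, line in enumerate(lines, 1):
        parts = line.split(None, 1)
        if not parts:
            continue
        cmd = parts[0].upper()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if cmd not in ("CWD", "RETR", "STOR"):
            continue
        target = normpath(join(cwd, arg)) if arg else cwd
        if target != root and not target.startswith(root + "/"):
            alerts.append((n, f"protocol: {cmd} leaves {root} ({target})"))
        elif cmd == "CWD":
            cwd = target
    return alerts


if __name__ == "__main__":
    # Constructed sessions: one clean exchange, one that jumps straight to DATA
    print(analyze_smtp(["HELO mail.example.test", "MAIL FROM:<a@example.test>",
                        "RCPT TO:<b@example.test>", "DATA", "hi", ".", "QUIT"]))
    print(analyze_smtp(["HELO mail.example.test", "DATA", "hi", "."]))
    print(analyze_ftp(["USER anonymous", "CWD incoming", "CWD ../../etc"]))
```

The protocol checker is what gives the IDS its "day zero" reach within a single protocol: it needs no knowledge of a specific exploit, only of which transitions the state diagram permits, which is exactly why slide 66's accuracy problem remains, since a command that is off the diagram is not necessarily one the target is vulnerable to.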

65
IDS limitations
  • Speed
  • Keeping track of all connections and all their
    state requires lots of CPU and memory
  • General purpose CPUs not so great at packet
    processing
  • Most high end Network IDS systems use special
    purpose hardware

66
IDS Problems
  • Accuracy
  • Because IDS systems DO NOT understand the target
    vulnerabilities

67
IDS problems
  • Often only set up on the Internet gateway, so they miss
  • Accidental worms let loose by internal users or
    guests
  • Most cannot handle day-zero attacks
  • Even if you had IDS, SQL Slammer would have been
    missed
  • Require a lot of tuning

68
Some final thoughts on Firewalls
  • Proxies are back in style
  • To deal with application attacks
  • More companies are implementing outbound
    filtering
  • But it is so easy to tunnel over SSL, and many
    services offer SSL-based remote connectivity

69
Circumventing the firewall
  • Thanks for the push!  It's really strange - I can
    get an ssh login out of the firewall, but when I
    try to hit one of the forwarded ports, I get the
    dreaded "administratively prohibited" error.  I
    didn't know that a firewall could distinguish a
    forwarded port from an interactive login. But I
    noticed that SDF also provides sshd on port 443,
    and when I went in that way, it worked like a
    charm.  Well worth the 36 fee.

70
Circumventing the firewall
  • There is even a patent issued to a now bankrupt
    company on how to tunnel VOIP through firewalls.
  • (without changing the firewall rules of course)

71
Discussion Topics