Title: Myspace failure to properly filter scripts ... TCP Prox
1 Information Security Fundamentals
- Chapter X
- Basic Networking
2 Network Access
- TCP/IP is the protocol for communicating.
- Like sending a letter:
- Home address = IP address
- Person = port number
- Computers have IP addresses
- Applications have port numbers
- THERE ARE NO USERS IN THE NETWORK LAYER
3 Question
- Argue for or against using IP address to
represent a specific computer on the Internet
5 Port Numbers
- Port numbers are divided into three ranges:
- Well Known Ports: 0-1023
- Registered Ports: 1024-49151
- Dynamic/Private Ports: 49152-65535
- The IETF regulates new protocols for well-known
and registered ports - www.ietf.org
6 Network Access
- The Internet Assigned Numbers Authority maintains
the port-to-protocol registry:
http://www.iana.org/assignments/port-numbers
7 TCP/IP
- Privileged ports
- Protocols running on ports 0-1023 are considered
privileged - they are actively managed by IANA
- On Windows and Unix there are services or daemons
running all the time listening for connections
- Vulnerabilities in these listeners can cause
problems
- By default many systems have these services
enabled
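The three port ranges and the "listeners on privileged ports" point above can be turned into a quick inventory check. The following is an added example, not part of the slides: it classifies ports into the IANA ranges and parses a constructed sample of `ss -ltnp` output (the sample lines are made up for this example, not captured from a real host) to list the daemons that are both on a privileged port and bound to a wildcard address, i.e. reachable from the network rather than only from localhost.

```python
import re

# IANA port ranges as given on the slide.
PORT_RANGES = (
    (0, 1023, "well-known"),
    (1024, 49151, "registered"),
    (49152, 65535, "dynamic/private"),
)

def port_range(port: int) -> str:
    """Return the IANA range name for a TCP/UDP port number."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    for lo, hi, name in PORT_RANGES:
        if lo <= port <= hi:
            return name
    raise AssertionError("unreachable: ranges cover 0-65535")

# Constructed sample of `ss -ltnp` output (made up for this example, not from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("httpd",pid=1204,fd=4))
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=770,fd=6))
LISTEN  0       4096    0.0.0.0:111          0.0.0.0:*          users:(("rpcbind",pid=640,fd=4))
LISTEN  0       128     [::]:8080            [::]:*             users:(("java",pid=2231,fd=12))
LISTEN  0       128     0.0.0.0:50123        0.0.0.0:*          users:(("python3",pid=2500,fd=3))
"""

# One LISTEN line: state, queues, local addr:port, peer addr:port, then users:(("proc",pid=...
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)

def parse_listeners(ss_output: str) -> list:
    """Parse LISTEN lines into dicts: addr, port, proc, range, privileged, exposed."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or something we do not understand
        port = int(m.group("port"))
        addr = m.group("addr")
        listeners.append({
            "addr": addr,
            "port": port,
            "proc": m.group("proc"),
            "range": port_range(port),
            "privileged": port <= 1023,
            # A wildcard bind is reachable from the network, not just from localhost.
            "exposed": addr in ("0.0.0.0", "[::]", "*"),
        })
    return listeners

def exposed_privileged_listeners(ss_output: str) -> list:
    """The listeners to review first: privileged port AND reachable from the network."""
    return sorted(
        (l["proc"], l["port"]) for l in parse_listeners(ss_output)
        if l["privileged"] and l["exposed"]
    )

if __name__ == "__main__":
    for l in parse_listeners(SAMPLE_SS_OUTPUT):
        flag = "REVIEW" if l["privileged"] and l["exposed"] else ""
        print(f'{l["proc"]:10} {l["addr"]:>10}:{l["port"]:<6} {l["range"]:16} {flag}')
```

On a real Fedora host you would feed it the output of `ss -ltnp` (run as root so process names are shown); cupsd on 127.0.0.1:631 is privileged but not exposed, which is why it does not appear in the review list.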
8 Vulnerabilities
- FTP problems
- Anonymous access (numerous)
- Even security vendors' products are affected
(WatchGuard SOHO firewall)
- Misconfigurations (FTP has 2 ports, data and
command; firewalls and FTP servers are often
configured incorrectly)
9 Web vulnerabilities
- Myspace failure to properly filter scripts
- Oracle Application Server Web Cache contains heap
overflow vulnerability
- iPlanet Web Server Enterprise Edition and
Netscape ... and Netscape Enterprise Server
malformed Web Publisher command causes denial of
service
10 Standard services running on Fedora (Linux)
- Conman: console services via telnet (remote mgt)
- Dhcdbd: Dynamic Host Control Protocol
- Hald: Hardware Abstraction Layer Daemon
- Hsqldb: Java database connector
- Httpd: web server
- ip6tables and iptables: IP tables, Linux basic
firewall filter and IP protocol translator (more
later)
- Kudzu: like boot-time plug and play
- Lisa: file services including Windows
- NetworkManager and NetworkManagerDispatcher:
switches TCP connections from physical I/Fs
- Named: Domain Name Service
- NFSD: Network File System
- Nscd: Name (User) Service Cache; allows you to
use LDAP or Active Directory for Unix logins
- Openvpn: Virtual Private Network
- Portmap: for remote procedure call services,
different from Windows
- Postfix: email services (only needed if you are
a mail relay)
- Rdisc: router discovery
- Saslauthd: simple authentication for
connection-based services
- Sendmail: the original
11 Security Rule 3
- The fundamental problem with networking is the
lack of authentication
12 TCP Origins
- Designed in the late 1970s as a replacement for
the IMP protocol
- Requirements were for guaranteed delivery
- Because computers were so new, authentication
was assumed
- Arpanet officially converted to TCP by 1983
13 When did problems really start to happen?
- Rapid adoption due to WWW
- Early-mid 90s
- States start to look at adding criminal liability
for hacking
- NSF gives up control and commercial utilization
expands
- Hacking becomes a pastime
14 Hacker Tools Trend
(Chart residue: relative technical complexity of hacking tools plotted against the knowledge of the average intruder, 1980-1995. Tools named on the chart: password guessing, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sniffers/sweepers, self-replicating code, stealth diagnostics, packet forging/spoofing, GUI tools.)
Source: GAO Report to Congress, 1996
15 Commercial Response
- Early firewalls were developed
- Trusted Information Systems developed the
firewall toolkit, free in source code form
- Sold by TIS to commercial users
- Proxy based
16 OSI Stack
- http://www.commsdesign.com/design_corner/OEG20030416S0015
17 IP header
- http://www.networksorcery.com/enp/protocol/ip.htm
18 Internet Address: a 32-bit value that contains
the network and host number fields. There are
five classes of internet addresses; the class
indicates the size of the network and host
fields. Internet addresses are commonly displayed
in dotted decimal notation format XXX.XXX.XXX.XXX.
- http://www.networksorcery.com/enp/protocol/ip.htm
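To make the IP header and the 32-bit address concrete, here is an added example (not from the slides) that decodes the fixed 20-byte IPv4 header with the standard library, verifies the RFC 791 header checksum, renders addresses in dotted decimal, and derives the classful address class from the leading bits. The `build_ipv4_header` helper only constructs test input; the addresses used in it are made up for the example.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: ones'-complement sum of the 16-bit words, complemented.
    Run over a header whose checksum field is already filled in, it returns 0 if intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def dotted(addr: int) -> str:
    """32-bit integer -> dotted decimal XXX.XXX.XXX.XXX."""
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def undotted(text: str) -> int:
    """Dotted decimal -> 32-bit integer, rejecting malformed input."""
    octets = [int(o) for o in text.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad dotted address: {text}")
    return int.from_bytes(bytes(octets), "big")

def address_class(addr: int) -> str:
    """Classful address class from the leading bits (the five classes the slide mentions)."""
    top = addr >> 24
    if top < 128:
        return "A"       # 0xxxxxxx: 8-bit network, 24-bit host
    if top < 192:
        return "B"       # 10xxxxxx: 16-bit network, 16-bit host
    if top < 224:
        return "C"       # 110xxxxx: 24-bit network, 8-bit host
    if top < 240:
        return "D"       # 1110xxxx: multicast
    return "E"           # 1111xxxx: reserved

def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header and verify its checksum."""
    if len(pkt) < 20:
        raise ValueError("truncated: IPv4 header is at least 20 bytes")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBHII", pkt[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4: version field is {version}")
    hlen = ihl * 4
    if hlen < 20 or len(pkt) < hlen:
        raise ValueError(f"bad IHL {ihl}: header length {hlen} bytes")
    return {
        "header_len": hlen,
        "total_len": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # field counts 8-byte units
        "ttl": ttl,
        "protocol": proto,
        "src": dotted(src),
        "dst": dotted(dst),
        "src_class": address_class(src),
        "dst_class": address_class(dst),
        "checksum_ok": ipv4_checksum(pkt[:hlen]) == 0,
    }

def build_ipv4_header(src: str, dst: str, payload_len: int, ttl: int = 64, proto: int = 6) -> bytes:
    """Constructed test input: a minimal header (no options, DF set) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBHII", 0x45, 0, 20 + payload_len, 0x1234,
                      0x4000, ttl, proto, 0, undotted(src), undotted(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

if __name__ == "__main__":
    hdr = build_ipv4_header("10.1.2.3", "192.168.0.10", payload_len=100)
    for k, v in parse_ipv4_header(hdr).items():
        print(f"{k:12} {v}")
```

The fragment flags and offset decoded here are the fields the fragmentation attacks on later slides abuse, so a parser like this is the first step of any check for overlapping or undersized fragments.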
20 Proxy-based firewalls: a tale of irony
(Diagram residue: the proxy sits between the Internet and the destination, deciding Allow or Deny on the destination address, 172.41.92.080 in the diagram; the packet stream, numbered 1-4, is shown on both sides of the proxy.)
21 Benefits of a TCP Proxy
TCP/IP packet streams
- Traffic grooming
- Timeouts and retransmissions from clients are
eliminated
- TCP segments are all in order (no dropped or
out-of-order packets)
- Optimizes MTU to server
- DoS attack mitigation
- Since incoming TCP/IP headers are stripped off,
common protocol-based hacking attacks don't pass
through
- Malformed (often malicious) TCP/IP packets are
dropped before they ever get to the server
- Unused TCP service ports can be blocked (example:
only traffic to ports 80, 25 and 443 is left
open)
(Diagram residue: a malformed packet, number 3 in the stream, is dropped at the proxy.)
22 Hackers Manipulate TCP/IP Headers to Attack
Servers
(Diagram residue: attacks drawn against the TCP header and the IP header.)
- Port scanning
- TCP ACK flood
- Session hijacking
- WinNuke
- Tear Drop, Jolt2 (fragmentation attacks)
- XMAS tree (all flags 1)
- Hiding viruses via TTL crafting
23 TCP Proxy Operation Provides Powerful Attack
Mitigation
- TCP proxy operation filters out common layer 3-4
DoS attacks
- IP fragmentation attacks (Tear Drop, Tiny Packet,
Jolt2, etc.)
- Malformed TCP headers (XMAS, FIN w/o ACK, etc.)
- WinNuke (URG flags sent to port 139 of a PC
running Windows)
- TCP port scanning
- TCP ACK floods
- Stealth attacks using crafted Time-to-Live (TTL)
fields in IP headers
- Protects against future protocol-based attacks
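The "malformed TCP header" class the proxy drops (XMAS, FIN without ACK, WinNuke) is easy to state precisely as a check on the flag byte. The block below is an added example, not the slides' or any vendor's code: it decodes the fixed TCP header, lists the header-level anomalies a proxy can reject before forwarding anything, and models the proxy as a filter over a list of segments. `build_tcp_header` only constructs test input (checksum left zero, no options).

```python
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_SIX = FIN | SYN | RST | PSH | ACK | URG

def parse_tcp_header(seg: bytes) -> dict:
    """Decode the fixed 20-byte TCP header (options are ignored)."""
    if len(seg) < 20:
        raise ValueError("truncated: TCP header is at least 20 bytes")
    sport, dport, seq, ack, off_flags, window, csum, urgp = struct.unpack("!HHIIHHHH", seg[:20])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(seg):
        raise ValueError(f"bad data offset {data_offset}")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x01FF, "window": window, "urg_ptr": urgp}

def tcp_header_anomalies(seg: bytes) -> list:
    """Header-level problems a proxy can reject without ever forwarding the segment."""
    h = parse_tcp_header(seg)
    f = h["flags"]
    found = []
    if f & ALL_SIX == 0:
        found.append("NULL: no flags set")
    if f & ALL_SIX == ALL_SIX:
        found.append("XMAS: all six flags set")          # the slide's "all flags 1"
    elif f & (FIN | PSH | URG) == (FIN | PSH | URG) and not f & ACK:
        found.append("XMAS scan: FIN+PSH+URG without ACK")
    if f & SYN and f & FIN:
        found.append("SYN and FIN set together")
    if f & FIN and not f & ACK:
        found.append("FIN without ACK")
    if f & URG and h["dport"] == 139:
        found.append("URG data to port 139 (WinNuke pattern)")
    if f & URG and h["urg_ptr"] == 0:
        found.append("URG set with zero urgent pointer")
    return found

def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=65535, urg_ptr=0) -> bytes:
    """Constructed test input: 20-byte header, data offset 5, checksum field left zero."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, urg_ptr)

def proxy_filter(segments) -> tuple:
    """Model of the slide's proxy: forward clean segments, drop malformed ones."""
    forwarded, dropped = [], []
    for seg in segments:
        (dropped if tcp_header_anomalies(seg) else forwarded).append(seg)
    return forwarded, dropped

if __name__ == "__main__":
    clean = build_tcp_header(40000, 80, SYN, seq=1)
    xmas = build_tcp_header(40000, 80, ALL_SIX, urg_ptr=1)
    fwd, drp = proxy_filter([clean, xmas])
    print(f"forwarded {len(fwd)}, dropped {len(drp)}: {tcp_header_anomalies(xmas)}")
```

Note the difference in position from a stateful firewall: because the proxy terminates the client's TCP connection, a segment that fails these checks never reaches the server's stack at all, which is what the slide means by "stripped off".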
24 Operating System (OS) Fingerprinting
- DoS attackers usually need to identify the OS
running on the target server(s) or host(s) in
order to select the appropriate attack method
- Fingerprinting techniques query the target's
TCP/IP stack and then analyze the responses (ex.
NMAP, QueSO)
- TCP/IP stacks differ in how they respond to legal
and illegal queries, hence their responses form a
fingerprint identifying the OS and version
(Diagram residue: TCP/IP queries go to the target host, which runs OpenBSD v2.4; the prober reads the TCP/IP responses from the target host: "Ah, these responses indicate the server's OS is OpenBSD v2.4.")
25 A TCP Proxy Shields Servers from TCP/IP
Fingerprinting Probes
- A TCP proxy presents its own TCP/IP responses to
client probes
- Hackers never see the actual TCP/IP headers
transmitted by the server or host
- The identity of the target server or host is
hidden, greatly reducing the chances of a
subsequent DoS/DDoS attack
(Diagram residue: TCP/IP probes reach the TCP proxy, which responds to the probes instead of the destination host; the prober sees TCP/IP responses from the proxy: "Hey, these responses do not match any OS! What gives?")
26 Popular Fingerprinting Methods
- TCP proxying thwarts popular fingerprinting
methods¹ such as:
- FIN probe
- Bogus flag
- TCP ISN sampling
- DF flag set in IP header
- TCP initial window
- ACK value
- TCP options
- ICMP messages
- IP fragmentation handling
1. Information is from "Remote OS Detection via
TCP/IP Stack Fingerprinting", available at
http://www.insecure.org/nmap/nmap-fingerprinting-article.html
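Slides 24-26 describe matching stack responses against a signature table, and slide 25 says a proxy answers with its own stack so nothing matches. The block below is an added example that models both points; it is not the slides' code and not nmap's. The signature table is entirely made up (the "demo-os-*" names and their TTL, window, DF and option values are constructed, not real fingerprints), and `proxy_response` uses constructed values for the proxy's own stack. It scores a SYN/ACK observation on four of the attributes the slide lists (initial TTL, initial window, DF flag, TCP options) and shows that the proxy's answer matches nothing.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class SynAck:
    """Attributes of a SYN/ACK as seen on the wire (what the slide's probes elicit)."""
    ttl: int
    window: int
    df: bool
    options: Tuple[str, ...]

def initial_ttl(observed: int) -> int:
    """Round the on-the-wire TTL up to the nearest common initial value; each hop decrements it."""
    for start in (32, 64, 128, 255):
        if observed <= start:
            return start
    return 255

# CONSTRUCTED signature table for illustration only. Names and values are made up and
# are not taken from nmap's or any other real fingerprint database.
SIGNATURES = {
    "demo-os-A": SynAck(64, 65535, True, ("MSS", "NOP", "WS", "SACK", "TS")),
    "demo-os-B": SynAck(128, 8192, True, ("MSS", "NOP", "WS", "NOP", "NOP", "SACK")),
    "demo-os-C": SynAck(64, 5840, True, ("MSS", "SACK", "TS", "NOP", "WS")),
}

def match_score(obs: SynAck, sig: SynAck) -> int:
    """Number of attributes (out of 4) on which the observation agrees with the signature."""
    return (
        (initial_ttl(obs.ttl) == sig.ttl)
        + (obs.window == sig.window)
        + (obs.df == sig.df)
        + (obs.options == sig.options)
    )

def fingerprint(obs: SynAck, min_score: int = 4) -> Optional[str]:
    """Best-matching OS name, or None when nothing in the table explains the responses."""
    best = max(SIGNATURES, key=lambda name: match_score(obs, SIGNATURES[name]))
    return best if match_score(obs, SIGNATURES[best]) >= min_score else None

def backend_response(os_name: str, hops: int) -> SynAck:
    """What the real server (running os_name) answers after `hops` routers decremented the TTL."""
    sig = SIGNATURES[os_name]
    return SynAck(sig.ttl - hops, sig.window, sig.df, sig.options)

def proxy_response(os_name: str, hops: int) -> SynAck:
    """What the prober sees when a TCP proxy answers instead: the proxy's own stack,
    identical whatever OS sits behind it (values constructed for this example)."""
    del os_name   # deliberately unused: the backend never talks to the prober
    return SynAck(255 - hops, 4096, False, ("MSS",))

if __name__ == "__main__":
    for os_name in SIGNATURES:
        print(os_name, "direct ->", fingerprint(backend_response(os_name, 7)),
              "| via proxy ->", fingerprint(proxy_response(os_name, 7)))
```

Real tools use many more attributes and tolerate partial matches (lower `min_score` here to see a 3-of-4 guess); the defensive lesson is unchanged: what the prober classifies is whichever stack answers, so a proxy or a normalizing firewall in front of the server decides what is learned.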
27 Stateful Inspection
Compares dst addr/port for allow or deny
access. Usually allows all outbound connections to
flow freely.
(Diagram residue: the firewall decides Allow or Deny on the destination address, 172.41.92.080 in the diagram; packets 1-4 pass through with no inspection of their contents.)
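The policy on this slide (match on destination address/port, let outbound flows through, remember them so replies are allowed, inspect nothing else) fits in a few dozen lines. The following is an added example, not the slides' code: a minimal connection-tracking firewall and a constructed packet trace (documentation addresses, not captured traffic). The point to notice is that `decide` never looks past the address/port tuple and the SYN/ACK bits, which is exactly the "no inspection" limitation the diagram labels.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

class StatefulInspector:
    """Minimal connection-tracking firewall of the kind the slide sketches.
    Policy: anything from inside may go out; inbound is allowed only by a static
    (dst, port) rule or as the reply direction of a flow already in the table.
    Nothing beyond the address/port tuple is examined."""

    def __init__(self, inside_prefix: str, inbound_rules=()):
        self.inside_prefix = inside_prefix
        self.inbound_rules = set(inbound_rules)   # (dst_ip, dst_port) reachable from outside
        self.table = set()                        # established flows, keyed on the initiator's tuple

    def _inside(self, ip: str) -> bool:
        return ip.startswith(self.inside_prefix)

    def decide(self, p: Packet) -> tuple:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table or rev in self.table:
            return "ALLOW", "existing flow"
        if self._inside(p.src) and not self._inside(p.dst):
            self.table.add(fwd)                   # outbound: opened without further checks
            return "ALLOW", "new outbound flow"
        if (p.dst, p.dport) in self.inbound_rules and p.syn and not p.ack:
            self.table.add(fwd)
            return "ALLOW", "inbound rule"
        return "DENY", "unsolicited inbound"

def run_trace(fw: StatefulInspector, packets) -> list:
    """Verdicts for a packet sequence, in order (state carries across packets)."""
    return [fw.decide(p)[0] for p in packets]

# Constructed trace: 10.0.0.0/24 is "inside", 203.0.113.20 and 198.51.100.7 are outside.
TRACE = [
    Packet("10.0.0.5", 40000, "203.0.113.20", 443, syn=True),           # client opens a web session
    Packet("203.0.113.20", 443, "10.0.0.5", 40000, syn=True, ack=True),  # server's reply, same flow
    Packet("198.51.100.7", 5555, "10.0.0.5", 445, syn=True),            # unsolicited probe of a workstation
    Packet("198.51.100.7", 5555, "10.0.0.10", 80, syn=True),            # published web server, allowed by rule
    Packet("198.51.100.7", 5556, "10.0.0.10", 80, ack=True),            # ACK with no flow and no SYN
]

if __name__ == "__main__":
    fw = StatefulInspector("10.0.0.", inbound_rules=[("10.0.0.10", 80)])
    for p, verdict in zip(TRACE, run_trace(fw, TRACE)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  {verdict}")
```

Because the outbound branch adds a flow to the table on nothing more than "source is inside", any process on an internal host can open a channel out, which is the question slide 28 asks you to think about.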
28 Allowing all outbound connections
- What kind of questions would you ask before
creating that as your policy?
29 Which is more secure?
- Neither Cisco's PIX Firewall, nor the
Context-Based Access Control (CBAC) feature of
Cisco's IOS Firewall Feature Set, protects hosts
against certain denial of service attacks
involving fragmented IP packets.
- Out-of-order packet processing does not happen on
most inspection-based firewalls.
- Fragments are passed through unmodified on
CheckPoint, Cisco, Juniper
30 Why were stateful inspection FWs more popular?
- Proxy firewalls are slower
- Initial releases were source code only
- Proxy firewalls couldn't deal with new
complicated protocols (H.323 VoIP) without
upgrades
- #1 reason: Check Point had a GUI
31 Security Rule 4
- To make security ubiquitous it has to be easy to
use
33 With the advent of firewalls we now have:
- Authentication: who or what am I?
- Authorization: what am I permitted to do?
- Access control: rules that grant or deny access to a resource
- Audit/monitoring: log and monitor what actually happens
34 Network Privacy
35 VPN - Definition
- A virtual private network (VPN) is a private
communications network often used by companies or
organizations, to communicate confidentially over
a public network.
36 History
- Two major types:
- IPSEC
- SSL VPNs
- Initially popular because there was a great ROI
in moving from private leased lines (telco) to the
free (relatively) transport of the Internet
37 IPSEC
- RFC 2401 Security Architecture for IP, Nov 98
- Designed by really smart people: S. Kent, BBN
- Provides security services at the IP layer by
enabling a system to select required security
protocols, determine the algorithm(s) to use for
the service(s), and put in place any
cryptographic keys required to provide the
requested services
- By authenticating - IP Authentication Header (AH)
- And encapsulating (encrypting payload data)
- BUT
- Because these security services use shared secret
values (cryptographic keys), IPsec relies on a
separate set of mechanisms for putting these keys
in place.
- http://rfc.net/rfc2401.html#s3.1
38 SSL VPN
- RFC 2246 TLS, Jan 99
- Taher Elgamal, a noted cryptographer, invented SSL
in the mid 90s
- Designed for anonymous clients (internet
browsers) to authenticated servers
- Authentication protocol is built in.
- De facto standard until RFC 2246
- Open sourced: www.openssl.org
- Microsoft tried to create a proprietary version
to combat Netscape's popularity
39 SSL
- Secure Sockets Layer (SSL) is the de facto method
for protecting web data in transit
- Built into every major web browser today
- Also used for:
- Wireless
- Instant messaging
- VPNs
- Secure email
- EDI
- Web services
- eGovernment
(Diagram residue: an HTTPS URL and the browser's "SSL secured" lock icon.)
40 Interoperability of IPSEC VPNs
- A BIG problem
- What kinds of issues might cause Interoperability
issues?
41 In order to do cryptography you have to share a
secret
- The problem with IPSEC was there were too many
ways to share the secret:
- Skipjack
- ISAKMP
- Oakley
- IKE
- Son of IKE
42 Some people have solved the interoperability
problem
- http://www.fw-1.de/aerasec/ng/vpn-freeswan/CP-FW1-NGLinux-FreeSWAN-Gateway.html#checkpoint
43 Interoperability of SSL VPNs
44 IPSEC vs SSL
(Comparison table residue: two columns headed SSL and IPSEC; the cell contents did not survive extraction.)
45 Benefits of IPSEC vs SSL
46 Advances in VPNs
- Integrated anti-spyware
- Policy enforcement with VPN-1
- Secure auto-remediation to aid security policy
compliance
- Outbound threat protection
47 With VPNs, for a select group of users:
- Authentication: who or what am I?
- Authorization: what am I permitted to do?
- Access control: rules that grant or deny access to a resource
- Audit/monitoring: log and monitor what actually happens
48 Vulnerability Assessment
- As firewall usage and Internet usage continued to
grow there was no good way to validate
firewall effectiveness
49 Vulnerability Assessment
- Basically taking attack tools and running them
against your own resources
- In the early days you had to be careful
- Nabisco
- Large automotive manufacturer
50 How VA works
(Diagram residue: a SCANNER probing the network.)
51 To make VA work
- You need to discover all the nodes you want to
test - Nmap: http://insecure.org/nmap/
- Try to run destructive tests in non-destructive
mode
- Have a lot of time available
- Sometimes difficult to access the subnets you
want to test
52 VA was great, but
- If you ran VA against an out-of-the-box Windows
system it would generate over 200 vulnerabilities
53 VA was overwhelming
- Common Vulnerabilities and Exposures
- cve.mitre.org/
- Common Vulnerability Scoring
- http://nvd.nist.gov/cvss.cfm
- Integrated with workflow
- Vulnerability management
- Patch management
- Still didn't give you a THREAT posture
- Because THREAT is context sensitive
54 Why are threats context sensitive?
(Diagram residue: an unauthorized PDA, SQL Slammer, a rogue access point and a SCANNER shown on the network.)
55 SQL Slammer
- DB: high asset value x high-risk VA finding means high
threat
- What if the database is NOT accessible from the
Internet?
- What if the database is surrounded by routers
which filter for SQL Slammer?
- VA can't tell you the likelihood of an event
occurring
56 Threat Management
- Today there are tools that allow you to create
and evaluate threat scenarios
- http://www.redseal.net/interactive_demo_v07.html
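Slides 55 and 56 argue that threat depends on whether the vulnerable service is actually reachable from where the attack starts, which is what threat-scenario tools compute. The block below is an added example, not the slides' code and not RedSeal's: a constructed topology (node names, links and filter rules are all made up) in which the edge router filters UDP/1434, the port SQL Slammer used, and a breadth-first search that reports whether a given service can get from a source to the database. The same VA finding then yields a high threat from an unfiltered guest segment and none from the Internet.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

Service = Tuple[str, int]     # (protocol, port)

@dataclass(frozen=True)
class Link:
    to: str
    blocked: FrozenSet[Service] = frozenset()   # services the filter on this link drops

# Constructed topology (made up for this example). The edge router filters UDP/1434;
# the guest segment hangs off the core router with no filter at all.
TOPOLOGY: Dict[str, List[Link]] = {
    "internet":    [Link("edge-router", frozenset({("udp", 1434)}))],
    "edge-router": [Link("dmz-web"), Link("core-router")],
    "dmz-web":     [Link("core-router")],
    "guest-lan":   [Link("core-router")],
    "core-router": [Link("db-server")],
    "db-server":   [],
}

def reachable_path(topology, src: str, dst: str, service: Service) -> Optional[List[str]]:
    """Breadth-first search for a path along which `service` is never filtered; None if blocked."""
    parent = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:          # walk parents back to the source
                path.append(node)
                node = parent[node]
            return path[::-1]
        for link in topology.get(node, []):
            if service in link.blocked or link.to in parent:
                continue
            parent[link.to] = node
            queue.append(link.to)
    return None

def threat(asset_value: int, va_severity: int, exposed: bool) -> int:
    """The slide's rule: high asset value x high VA risk means high threat, but only where the
    vulnerable service is actually reachable from the threat source."""
    return asset_value * va_severity if exposed else 0

def slammer_scenario(source: str) -> dict:
    """Threat to the database from a worm on UDP/1434 launched at `source`."""
    path = reachable_path(TOPOLOGY, source, "db-server", ("udp", 1434))
    return {"source": source, "path": path,
            "threat": threat(asset_value=10, va_severity=10, exposed=path is not None)}

if __name__ == "__main__":
    for src in ("internet", "guest-lan"):
        print(slammer_scenario(src))
```

The VA scanner's output (severity 10 on an asset worth 10) is identical in both runs; only the reachability term changes, which is the "context" the slide says VA alone cannot supply.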
57 Another FW problem
- Auditing and monitoring
- Firewalls generate HUGE logs
- A simple T1 connection can generate over 1 GB/day
- Firewalls don't understand the full range of
threats
58 Solution - IDS
- Intrusion Detection Systems
- Monitors network connections for malware
specific to TCP/ICMP/UDP and other network
protocols
- Does NOT detect malware in files
59 IDS Timeline
60 IDS has been around for a LONG time
- 1983, SRI International: Dr. Dorothy Denning
developed a system to monitor mainframe events
- 1984: SRI sponsored research into login tracking
on the Arpanet
- 1988: Air Force sponsored DIDS
- Led to NetRanger (now Cisco IDS)
- ISS's RealSecure
- 1996: Dr. Peter Neumann at SRI conceptualized
EMERALD
- 1997-1998: First commercial applications
61 IDS Today
- Snort
- Open source
- Numerous commercial solutions
- Continuing research by federal government
62 IDS: How it works
- Signatures: state diagrams
(Diagram residue: a state machine running from an Initial state through Bad State 1 ... Bad State N to a Hack state.)
63 Things IDS systems look for
- Bad flags
- Bad protocol transitions
- FTP moves to a directory it shouldn't
- An HTTP send without a GET
- Sendmail commands out of order
64 IDS algorithms
- Protocol conformity
- Signatures
- Anomaly Detection
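Slides 62-64 describe the IDS as a state diagram plus signatures, with "Sendmail commands out of order" as one thing it looks for. The block below is an added example, not the slides' code and not Snort's: a deliberately simplified SMTP command automaton (constructed for the example, not a full RFC 5321 grammar), two constructed content signatures, and three constructed client sessions. Any command that has no transition from the current state is reported as a bad protocol transition, which is the "protocol conformity" algorithm of slide 64; the signature checks are the "signatures" algorithm.

```python
# Simplified SMTP command automaton, constructed for this example (not a full RFC 5321 grammar).
# A legal session walks from INIT to DONE; any verb with no transition from the
# current state is a bad transition, the "Bad State" of the slide's diagram.
TRANSITIONS = {
    "INIT":    {"HELO": "GREETED", "EHLO": "GREETED", "QUIT": "DONE"},
    "GREETED": {"MAIL": "MAIL", "RSET": "GREETED", "NOOP": "GREETED", "QUIT": "DONE"},
    "MAIL":    {"RCPT": "RCPT", "RSET": "GREETED", "QUIT": "DONE"},
    "RCPT":    {"RCPT": "RCPT", "DATA": "DATA", "RSET": "GREETED", "QUIT": "DONE"},
    "DATA":    {"MAIL": "MAIL", "RSET": "GREETED", "QUIT": "DONE"},   # after the message body
    "DONE":    {},
}

# Constructed content signatures applied to each command line (illustrative, not Snort's rules).
SIGNATURES = [
    ("smtp-overlong-argument", lambda verb, arg: len(arg) > 512),
    ("smtp-shell-metachar-in-address", lambda verb, arg: verb in ("MAIL", "RCPT") and "|" in arg),
]

def split_command(line: str):
    """'MAIL FROM:<a@b>' -> ('MAIL', 'FROM:<a@b>'); verbs compare case-insensitively."""
    parts = line.strip().split(None, 1)
    verb = parts[0].upper() if parts else ""
    arg = parts[1] if len(parts) > 1 else ""
    return verb, arg

def inspect_session(commands) -> list:
    """Walk one client's commands through the automaton and the signatures; return alerts.
    On a bad transition the session stays in its current state so tracking continues."""
    state = "INIT"
    alerts = []
    for i, line in enumerate(commands):
        verb, arg = split_command(line)
        for name, test in SIGNATURES:
            if test(verb, arg):
                alerts.append(f"{i}: signature {name}")
        nxt = TRANSITIONS[state].get(verb)
        if nxt is None:
            alerts.append(f"{i}: {verb or '<empty>'} not valid in state {state}")
        else:
            state = nxt
    return alerts

# Constructed sessions (not captured traffic).
CLEAN = ["EHLO mail.example.org", "MAIL FROM:<alice@example.org>",
         "RCPT TO:<bob@example.net>", "DATA", "QUIT"]
OUT_OF_ORDER = ["EHLO mail.example.org", "DATA", "MAIL FROM:<alice@example.org>",
                "RCPT TO:<bob@example.net>", "QUIT"]
OVERLONG = ["HELO x", "MAIL FROM:<" + "A" * 600 + "@example.org>", "QUIT"]

if __name__ == "__main__":
    for name, session in (("clean", CLEAN), ("out-of-order", OUT_OF_ORDER), ("overlong", OVERLONG)):
        print(name, inspect_session(session))
```

The state the inspector must keep per client connection is why slide 65 lists speed as a limitation: every tracked session costs memory, and the automaton must run at line rate.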
65 IDS limitations
- Speed
- Keeping track of all connections and all their
state requires lots of CPU and memory
- General purpose CPUs are not so great at packet
processing
- Most high-end network IDS systems use special
purpose hardware
66 IDS Problems
- Accuracy
- Because IDS systems DO NOT understand the target
vulnerabilities
67 IDS problems
- Often only set up on the I-gateway, so they miss:
- Accidental worms let loose by internal users or
guests
- Most cannot handle day-zero attacks
- Even if you had IDS, SQL Slammer would have been
missed
- Require a lot of tuning
68 Some final thoughts on Firewalls
- Proxies are back in style
- To deal with application attacks
- More companies are implementing outbound
filtering
- But it is so easy to tunnel over SSL, and many
services offer SSL-based remote connectivity
69 Circumventing the firewall
- Thanks for the push! It's really strange - I can
get an ssh login out of the firewall, but when I
try to hit one of the forwarded ports, I get the
dreaded "administratively prohibited" error. I
didn't know that a firewall could distinguish a
forwarded port from an interactive login. But I
noticed that SDF also provides sshd on port 443,
and when I went in that way, it worked like a
charm. Well worth the $36 fee.
70 Circumventing the firewall
- There is even a patent issued to a now-bankrupt
company on how to tunnel VoIP through firewalls.
- (without changing the firewall rules of course)
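The quoted post on slide 69 illustrates why outbound filtering by port alone is weak: port 443 was open, so an SSH daemon listening there went straight through. The defender's counterpart is to check that what flows on a port is the protocol the port is for. The block below is an added example, not from the slides: it classifies the first bytes either peer sends on a TCP stream (SSH identification string, TLS record header, HTTP request line) and reports flows whose protocol does not match the port's expected one. The flow starts are constructed, not captured traffic, and the expected-protocol table is an assumption of this example.

```python
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")

# Assumption of this example: what each allowed outbound port is supposed to carry.
EXPECTED_ON_PORT = {22: "ssh", 80: "http", 443: "tls"}

def classify_stream_start(first_bytes: bytes) -> str:
    """Guess the application protocol from the first bytes either peer sends on a TCP stream."""
    if first_bytes.startswith(b"SSH-"):
        return "ssh"                    # SSH identification string (RFC 4253), sent by both peers
    if (len(first_bytes) >= 3 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04):
        return "tls"                    # TLS record: content type handshake (0x16), version 3.x
    if first_bytes.startswith(HTTP_METHODS) or first_bytes.startswith(b"HTTP/"):
        return "http"
    return "unknown"

def port_protocol_mismatches(flows) -> list:
    """flows: iterable of (dst_port, first_bytes). Returns (port, expected, seen) for each
    flow on a policed port whose payload is not the protocol that port is allowed for."""
    alerts = []
    for dport, first_bytes in flows:
        expected = EXPECTED_ON_PORT.get(dport)
        if expected is None:
            continue                    # port not policed by this check
        seen = classify_stream_start(first_bytes)
        if seen != expected:
            alerts.append((dport, expected, seen))
    return alerts

# Constructed flow starts (made up for this example, not captured traffic).
FLOWS = [
    (443, b"\x16\x03\x01\x00\xc5\x01\x00\x00\xc1\x03\x03"),   # TLS ClientHello record start
    (443, b"SSH-2.0-OpenSSH_9.6\r\n"),                        # an sshd answering on 443
    (22,  b"SSH-2.0-OpenSSH_9.6\r\n"),                        # SSH where SSH belongs
    (80,  b"GET / HTTP/1.1\r\nHost: example.org\r\n"),        # plain HTTP request
    (80,  b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc"),           # TLS on the plain-HTTP port
]

if __name__ == "__main__":
    for port, expected, seen in port_protocol_mismatches(FLOWS):
        print(f"port {port}: expected {expected}, saw {seen}")
```

This catches the exact case in the quoted post, SSH spoken directly on 443. It does not catch the case slide 68 warns about, SSH carried inside a genuine TLS session, because the first bytes then really are TLS; at that point port/protocol checks are exhausted and the control has to move to TLS-terminating proxies or to the endpoint.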
71 Discussion Topics