Ch12: Electronic Mail Security - PowerPoint PPT Presentation

Slides: 46
Provided by: hyo5

Transcript and Presenter's Notes
1
Firewalls
2
Outline
  • Firewall design principles
  • Firewall characteristics
  • Types of firewalls
  • Firewall configurations
  • Trusted systems
  • Data access control
  • The concept of trusted systems
  • Trojan horse defense

3
Firewalls
  • Effective means of protecting a local system or
    network of systems from network-based security
    threats while affording access to the outside
    world via WANs or the Internet

4
Firewall Design Principles
  • Evolution of information systems
    • Centralized system: a central mainframe with
      directly connected terminals
    • LAN: interconnecting PCs, servers, terminals and
      a mainframe
    • Premises network: consisting of LANs
    • Enterprise-wide network: consisting of
      distributed premises networks interconnected by
      a private WAN
    • Internet connectivity: consisting of various
      premises networks all hooked into the Internet

5
Firewall Design Principles
  • Internet firewalls
    • Internet connectivity is no longer an option for
      most organizations
    • Establishing strong security features on every
      workstation and server is not practical
    • The firewall is inserted between the premises
      network and the Internet to establish a
      controlled link
  • Aims of a firewall
    • Protecting the premises network from
      Internet-based attacks
    • Providing a single choke point (where security
      and audit can be imposed)

6
Firewall Characteristics
  • Design goals
    • All traffic from inside to outside, and vice
      versa, must pass through the firewall (physically
      blocking all access to the local network except
      via the firewall)
    • Only authorized traffic (as defined by the local
      security policy) will be allowed to pass
    • The firewall itself is immune to penetration (use
      of a trusted system with a secure operating
      system)

7
Firewall Characteristics
  • General techniques
    • Service control
      • Determines the types of Internet services that
        can be accessed, inbound or outbound (filtering
        by IP address and service port, e.g. Web or
        email service)
    • Direction control
      • Determines the direction in which particular
        service requests are allowed to flow through
        the firewall
    • User control
      • Controls access to a service according to which
        user is attempting to access it (both local
        users and external users)
    • Behavior control
      • Controls how particular services are used (e.g.
        filtering e-mail to eliminate spam)

8
Firewall Characteristics
  • Firewall capabilities
    • Defines a single choke point (security
      capabilities are consolidated on a single system)
    • Provides a location for monitoring
      security-related events (auditing and alarming)
    • Provides a convenient platform for some Internet
      functions (e.g. address translation, logging
      Internet usage)
    • Can serve as the platform for IPSec (used to
      implement VPNs)
  • Firewall limitations
    • Cannot protect against attacks that bypass it
      (e.g. dial-up access)
    • Does not protect against internal threats (e.g. a
      disgruntled employee)
    • Cannot protect against the transfer of
      virus-infected programs or files (because so many
      OSes and applications are supported inside, it is
      impractical to scan all incoming files, emails,
      etc.)

9
Types of Firewalls
  • Three common types of firewalls
    • Packet-filtering routers
    • Application-level gateways
    • Circuit-level gateways
  • Bastion host (the platform on which an
    application-level or circuit-level gateway runs)

10
Packet-Filtering Router
  • Filtering by rules
    • Applies a set of rules to each IP packet and then
      forwards or discards the packet (in both
      directions)
    • The packet filter is typically set up as a list
      of rules based on matches to fields in the IP or
      transport (TCP or UDP) header
    • If a match to a rule is found, the rule is
      invoked
    • If no match is found, a default policy is taken
  • Default policies
    • Discard: discard anything not expressly permitted
      (trade-off: ease of use vs. security)
    • Forward: forward anything not expressly
      prohibited (trade-off: ease of use vs. security)

11
Packet-Filtering Router
  • Example A: Inbound mail is allowed, but only to
    a gateway host. However, mail from host SPIGOT is
    blocked.
  • Example B: Explicit statement of the default
    policy.
  • Example C: Any inside host can send mail to the
    outside. The problem with this rule is that the
    use of port 25 for SMTP receipt is only a
    default (an outside host can run some other
    service on port 25).

12
Packet-Filtering Router
  • Example D: This rule set achieves the intended
    result that was not achieved in C by taking
    advantage of a feature of TCP connections (the ACK
    flag of a TCP segment, which is set on every
    segment of an established connection).
  • Example E: This rule set is one approach to
    handling FTP-like services that use two
    connections (a control connection port and a data
    connection port). The 3rd rule allows packets
    destined for a high-numbered port (non-server) on
    an internal machine.

13
Packet-Filtering Router
  • Advantages
  • Simplicity
  • Transparency to users
  • High speed
  • Disadvantages
  • Difficulty of dealing with applications at the
    packet-filtering level
  • Difficulty of setting up packet filter rules
    correctly
  • Lack of Authentication

14
Packet-Filtering Router
  • Possible attacks vs. countermeasures
    • IP address spoofing
      • The attacker replaces the source address of
        packets with the address of a trusted internal
        host
      • Countermeasure: discard packets with an inside
        source address if the packet arrives on an
        external interface
    • Source routing attacks
      • The source station specifies the route that a
        packet should take as it crosses the Internet
        (in the hope that this will bypass security
        measures)
      • Countermeasure: discard all packets that use
        the source route option
    • Tiny fragment attacks
      • The intruder uses the IP fragmentation option to
        create extremely small fragments and force the
        TCP header information into a separate packet
        fragment (in the hope that only the first
        fragment is examined and the remaining ones are
        passed through)
      • Countermeasure: discard all packets where the
        protocol type is TCP and the IP Fragment Offset
        is equal to 1
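The rule-list semantics of slides 10, 12 and 14 (first match wins, default policy otherwise, ACK-flag matching for Example D, and the three countermeasures applied as pre-checks) can be made concrete with a small stateless filter. The following is an added example in Python; it is not code from the slides or from any firewall product. The addresses, the rule list (written from the slides' prose for Examples A and D, since the rule tables themselves are not in the transcript) and the sample packets are all constructed here.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed addresses for this example (not from the slides)
INTERNAL = "10.0.0.*"       # our premises network, as a prefix pattern
GATEWAY = "10.0.0.1"        # the internal mail gateway host
SPIGOT = "203.0.113.9"      # stands in for the slide's blocked host SPIGOT


@dataclass(frozen=True)
class Packet:
    src: str                # source IP address
    dst: str                # destination IP address
    proto: str              # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    ack: bool = False       # TCP ACK flag: set on every segment of an established connection
    frag_offset: int = 0    # IP fragment offset (0 = first or only fragment)
    source_routed: bool = False
    iface: str = "ext"      # interface the packet arrived on: "ext" (Internet) or "int"


@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    src: Optional[str] = None   # None = any; a trailing "*" makes it a prefix match
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    ack: Optional[bool] = None
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        for name in ("src", "dst", "proto", "sport", "dport", "ack"):
            want, have = getattr(self, name), getattr(p, name)
            if want is None:
                continue                    # field not constrained by this rule
            if isinstance(want, str) and want.endswith("*"):
                if not have.startswith(want[:-1]):
                    return False
            elif want != have:
                return False
        return True


def sanity_checks(p: Packet) -> Optional[str]:
    """The three slide-14 countermeasures, applied before the rule list is consulted."""
    if p.iface == "ext" and p.src.startswith(INTERNAL[:-1]):
        return "spoofed internal source address on the external interface"
    if p.source_routed:
        return "source route option present"
    if p.proto == "tcp" and p.frag_offset == 1:
        return "tiny fragment: TCP with IP fragment offset 1"
    return None


def filter_packet(rules, p: Packet, default: str = "deny") -> Tuple[str, str]:
    """The first matching rule is invoked; with no match the default policy is taken."""
    reason = sanity_checks(p)
    if reason is not None:
        return "deny", reason
    for r in rules:
        if r.matches(p):
            return r.action, r.comment
    return default, "default policy"


# Rule list written from the slides' prose for Examples A and D (constructed)
RULES = [
    Rule("deny", src=SPIGOT, comment="A: mail from SPIGOT is blocked"),
    Rule("permit", dst=GATEWAY, proto="tcp", dport=25,
         comment="A: inbound mail only to the gateway host"),
    Rule("permit", src=INTERNAL, proto="tcp", dport=25,
         comment="D: inside hosts may open SMTP connections outward"),
    Rule("permit", dst=INTERNAL, proto="tcp", sport=25, ack=True,
         comment="D: replies to our SMTP connections (ACK must be set)"),
]


def demo() -> dict:
    """Decisions for constructed packets, keyed by a short label."""
    cases = {
        "outbound smtp": Packet("10.0.0.5", "198.51.100.2", "tcp", 4000, 25, iface="int"),
        "smtp reply": Packet("198.51.100.2", "10.0.0.5", "tcp", 25, 4000, ack=True),
        "fake reply syn": Packet("198.51.100.2", "10.0.0.5", "tcp", 25, 6000),
        "mail to gateway": Packet("198.51.100.2", GATEWAY, "tcp", 4001, 25),
        "mail from spigot": Packet(SPIGOT, GATEWAY, "tcp", 4001, 25),
        "spoofed source": Packet("10.0.0.7", GATEWAY, "tcp", 4002, 25),
        "tiny fragment": Packet("198.51.100.2", GATEWAY, "tcp", 4003, 25, frag_offset=1),
    }
    return {label: filter_packet(RULES, p) for label, p in cases.items()}
```

The "fake reply syn" case is the Example C weakness: a packet from an outside port 25 to a high internal port is not a reply to anything we opened, and the ACK-flag condition in the last rule is what keeps it out; with "deny" as the default policy it falls through to the default and is discarded.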

15
Application-Level Gateway
  • Also called a proxy server
  • Acts as a relay of application-level traffic
  • If the gateway does not implement the proxy code
    for a specific application, the service is not
    supported
  • The gateway can be configured to support only
    application-specific features
  • Authentication: the user is asked for the name
    of the remote host, a valid user ID and
    authentication information

16
Application-Level Gateway
  • Advantages
  • More secure than packet filters
  • Only need to scrutinize a few allowable
    applications (rather than trying to deal with the
    numerous possible combinations that are to be
    allowed and forbidden at the TCP and IP level)
  • Easy to log and audit all incoming traffic at the
    application level
  • Disadvantages
  • Additional processing overhead on each connection
    (as the splice point, the gateway must examine
    and forward all traffic in both directions)

17
Circuit-Level Gateway
  • Types of circuit-level gateway
  • A stand-alone system
  • A specialized function performed by an
    application-level gateway
  • Security function
  • The gateway relays TCP segments without examining
    the contents
  • The gateway determines which connections will be
    allowed

18
Circuit-Level Gateway
  • Use of a circuit-level gateway
    • A situation in which the system admin trusts the
      internal users
    • The gateway can be configured to support
      • Application-level or proxy service on inbound
        connections (incurs the overhead of examining
        incoming application data for forbidden
        functions)
      • Circuit-level functions for outbound
        connections (does not incur overhead on
        outgoing data)

19
Circuit-Level Gateway
  • Example implementation: the SOCKS package
    • Defined in RFC 1928 (SOCKS version 5)
  • SOCKS components
    • The SOCKS server (runs on a UNIX-based firewall)
    • The SOCKS client library (runs on internal hosts)
    • SOCKS-ified versions of several clients (such as
      FTP and TELNET)
  • SOCKS procedure
    • The client opens a TCP connection to the SOCKS
      port (TCP 1080) on the SOCKS server
    • The client performs authentication with the
      negotiated method
    • The client sends a relay request
    • After evaluating the request, the SOCKS server
      either establishes the connection or denies it
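The four-step SOCKS procedure above, with both sides' messages, as an added example in Python (not code from the slides or from any SOCKS implementation). The message layouts follow RFC 1928 and, for the username/password method, RFC 1929; the server policy (which methods it accepts, its user table and the ports it is willing to relay to, here FTP and TELNET) is constructed for the example, and the exchange runs over in-memory byte strings rather than a TCP socket.

```python
import hmac
import struct

# Protocol constants from RFC 1928 (and RFC 1929 for the username/password method)
VER = 0x05
METHOD_NO_AUTH, METHOD_USERPASS, METHOD_NONE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_OK, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED, REP_ATYP_UNSUPPORTED = 0x00, 0x02, 0x07, 0x08

# Constructed server policy: username/password required; relay only to FTP and TELNET ports
SERVER = {
    "methods": [METHOD_USERPASS],
    "users": {"alice": b"correct-horse"},   # constructed; a real server keeps password hashes
    "allowed_ports": {21, 23},
}

def client_greeting(methods):
    """Step 1, client -> server: VER | NMETHODS | METHODS."""
    return bytes([VER, len(methods)]) + bytes(methods)

def server_select_method(greeting, supported):
    """Step 1 reply: first supported method the client offered, else 0xFF (server closes)."""
    if len(greeting) < 2 or greeting[0] != VER or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    chosen = next((m for m in supported if m in greeting[2:]), METHOD_NONE)
    return bytes([VER, chosen])

def client_userpass(user, password):
    """Step 2, RFC 1929 sub-negotiation: 0x01 | ULEN | UNAME | PLEN | PASSWD."""
    u = user.encode()
    return bytes([0x01, len(u)]) + u + bytes([len(password)]) + password

def server_userpass(msg, users):
    """Step 2 reply: 0x01 | STATUS (0x00 = success)."""
    if msg[0] != 0x01:
        raise ValueError("bad sub-negotiation version")
    ulen = msg[1]
    user = msg[2:2 + ulen].decode()
    plen = msg[2 + ulen]
    password = msg[3 + ulen:3 + ulen + plen]
    ok = user in users and hmac.compare_digest(users[user], password)
    return bytes([0x01, 0x00 if ok else 0x01]), ok

def client_connect_request(host, port):
    """Step 3, client -> server: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT (domain form)."""
    name = host.encode()
    return bytes([VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)

def parse_request(req):
    """Returns (cmd, atyp, addr, port); addr and port are None for an unsupported ATYP."""
    if len(req) < 4 or req[0] != VER:
        raise ValueError("malformed request")
    cmd, atyp = req[1], req[3]
    if atyp == ATYP_IPV4:
        addr, rest = ".".join(str(b) for b in req[4:8]), req[8:]
    elif atyp == ATYP_DOMAIN:
        addr, rest = req[5:5 + req[4]].decode(), req[5 + req[4]:]
    else:
        return cmd, atyp, None, None
    return cmd, atyp, addr, struct.unpack("!H", rest[:2])[0]

def server_reply(rep):
    """Step 4 reply: VER | REP | RSV | ATYP | BND.ADDR | BND.PORT (zeroed IPv4 binding)."""
    return bytes([VER, rep, 0x00, ATYP_IPV4, 0, 0, 0, 0, 0, 0])

def server_evaluate(req, allowed_ports):
    """Step 4: the relay policy decides; only CONNECT to an allowed port is established."""
    cmd, atyp, addr, port = parse_request(req)
    if addr is None:
        return server_reply(REP_ATYP_UNSUPPORTED)
    if cmd != CMD_CONNECT:
        return server_reply(REP_CMD_UNSUPPORTED)
    if port not in allowed_ports:
        return server_reply(REP_NOT_ALLOWED)
    return server_reply(REP_OK)

def socks_session(client_methods, user, password, host, port, server=SERVER):
    """Runs the slide's four steps over in-memory messages; returns (transcript, relayed)."""
    greeting = client_greeting(client_methods)
    selection = server_select_method(greeting, server["methods"])
    log = [("C", greeting), ("S", selection)]
    if selection[1] == METHOD_NONE:
        return log, False                       # no acceptable method: connection closed
    if selection[1] == METHOD_USERPASS:
        auth = client_userpass(user, password)
        status, ok = server_userpass(auth, server["users"])
        log += [("C", auth), ("S", status)]
        if not ok:
            return log, False                   # authentication failed: connection closed
    request = client_connect_request(host, port)
    reply = server_evaluate(request, server["allowed_ports"])
    log += [("C", request), ("S", reply)]
    return log, reply[1] == REP_OK
```

A client that only offers the no-authentication method gets 0xFF back and is never asked for a relay request, which is the gateway's user control; a request to a port outside the allowed set is answered with REP 0x02 ("connection not allowed by ruleset"), which is the circuit-level decision of which connections are allowed without looking at the relayed data.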

20
Bastion Host
  • A system identified by the firewall administrator
    as a critical strong point in the network's
    security
  • It serves as a platform for an application-level
    or circuit-level gateway

21
Bastion Host
  • Common characteristics
    • A trusted system with a secure OS
    • Only the services considered essential are
      installed
    • Additional authentication is required to access
      the proxy service
    • Each proxy is configured to support only a subset
      of the standard application's command set
    • Each proxy is configured to allow access only to
      specific hosts
    • Each proxy maintains detailed audit information
    • Each proxy module is a very small SW package
      specifically designed for network security
    • Each proxy is independent of other proxies
    • A proxy generally performs no disk access other
      than to read its initial configuration file
    • Each proxy runs as a nonprivileged user in a
      private and secured directory

22
Firewall Configurations
  • In addition to the use of simple configuration of
    a single system (single packet filtering router
    or single gateway), more complex configurations
    are possible
  • Three common configurations
  • Screened host firewall with single-homed bastion
  • Screened host firewall with dual-homed bastion
  • Screened subnet firewall

23
Screened Host Firewall, Single-Homed Bastion
  • Consists of two systems
    • A packet-filtering router
      • Configured so that only packets from and to the
        bastion host are allowed to pass through
    • A bastion host
      • Performs authentication and proxy functions

24
Screened Host Firewall, Single-Homed Bastion
  • Advantages
    • Greater security than single-system
      configurations
      • This configuration implements both packet-level
        and application-level filtering (allowing for
        flexibility in defining the security policy)
      • An intruder must generally penetrate two
        separate systems
    • Flexibility in providing direct Internet access
      • For a public information server (such as a Web
        server), the router can be configured to allow
        direct traffic from the Internet
  • Disadvantages
    • If the router is completely compromised, traffic
      could flow directly through the router between
      the Internet and the private network

25
Screened Host Firewall, Dual-Homed Bastion
  • Physically prevents security breach of the
    previous configuration
  • Traffic between the Internet and other hosts on
    the private network has to flow through the
    bastion host
  • The advantages of the previous configuration are
    present here as well

26
Screened Subnet Firewall
  • The most secure configuration of the three
  • Two packet-filtering routers are used (creation
    of an isolated subnet)
  • Advantages
  • Three levels of defense to thwart intruders
  • The outside router advertises only the existence
    of the screened subnet to the Internet (internal
    network is invisible to the Internet)
  • The inside router advertises only the existence
    of the screened subnet to the internal network
    (the systems on the inside network cannot
    construct direct routes to the Internet)

27
Trusted Systems
  • One way to enhance the ability of a system to
    defend against intruders and malicious programs
    is to implement trusted system technology

28
Data Access Control
  • Access control by the OS
    • Through the user access control procedure (log
      on), a user can be identified to the system
    • Associated with each user, there can be a profile
      that specifies permissible operations and file
      accesses
    • The operating system can enforce rules based on
      the user profile (once it grants a user
      permission to access a file or use an
      application, no further security checks are made)
  • Access control by the DBMS
    • The previous scheme is not sufficient for a
      system holding sensitive data in its database
    • The DBMS must control access to specific records
      or even portions of records in the database

29
Data Access Control
  • Access control models
  • Access matrix
  • Access control list
  • Capability list (Capability tickets)

30
Access Matrix
  • A general model of access control
  • Basic elements
    • Subject: an entity capable of accessing objects
      (generally a process representing any user or
      application that gains access to an object)
    • Object: anything to which access is controlled
      (e.g. files, portions of files, programs and
      segments of memory)
    • Access right: the way in which an object is
      accessed by a subject (e.g. read, write and
      execute)

31
Access Control List
  • Decomposition of the access matrix by columns
  • An access control list lists users (processes)
    and their permitted access rights
  • The list may contain a default or public entry
    (defining the default set of rights for users not
    listed explicitly)

32
Capability List
  • Decomposition of the access matrix by rows
  • A capability list (ticket) specifies authorized
    objects and operations for a user (process)
  • Each user has a number of tickets and may be
    authorized to loan or give them to others
  • Management of tickets
    • Tickets may be dispersed around the system, which
      is a great security problem
    • The ticket must be unforgeable
    • A solution: the OS holds all tickets in a region
      of memory inaccessible to users
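The two decompositions of slides 30 to 32 (the same access matrix cut by columns into ACLs, with a default entry, and by rows into capability lists whose tickets can be loaned) as an added example in Python; this is not code from the slides. The matrix, the public default entry and the subject and object names are constructed.

```python
from copy import deepcopy

# Constructed access matrix: subject -> object -> set of access rights
ACCESS_MATRIX = {
    "alice": {"payroll.db": {"read"}, "report.txt": {"read", "write"}},
    "bob":   {"payroll.db": {"read", "write"}, "editor": {"execute"}},
    "batch": {"editor": {"execute"}, "report.txt": {"read"}},
}
# Constructed default (public) rights; these exist only on the ACL side
PUBLIC_RIGHTS = {"report.txt": {"read"}}
PUBLIC_ENTRY = "*"


def to_acls(matrix, public=None):
    """Column decomposition: per object, a list of (subject -> rights) plus a default entry."""
    acls = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acls.setdefault(obj, {})[subject] = set(rights)
    for obj, rights in (public or {}).items():
        acls.setdefault(obj, {})[PUBLIC_ENTRY] = set(rights)
    return acls


def to_capabilities(matrix):
    """Row decomposition: per subject, a list of tickets (object -> rights)."""
    return {subject: {obj: set(rights) for obj, rights in row.items()}
            for subject, row in matrix.items()}


def acl_check(acls, subject, obj, right):
    """Look the subject up in the object's ACL; fall back to the public entry if present."""
    entries = acls.get(obj, {})
    rights = entries.get(subject, entries.get(PUBLIC_ENTRY, set()))
    return right in rights


def cap_check(caps, subject, obj, right):
    """Look for a ticket for obj in the subject's capability list."""
    return right in caps.get(subject, {}).get(obj, set())


def loan_ticket(caps, giver, receiver, obj):
    """A subject passes a copy of its ticket for obj to another subject (slide 32)."""
    rights = caps.get(giver, {}).get(obj)
    if not rights:
        raise PermissionError(f"{giver} holds no ticket for {obj}")
    new = deepcopy(caps)
    new.setdefault(receiver, {}).setdefault(obj, set()).update(rights)
    return new


def decompositions_agree(matrix):
    """Without default entries, both views answer every (subject, object, right) query alike."""
    acls, caps = to_acls(matrix), to_capabilities(matrix)
    objects = {o for row in matrix.values() for o in row}
    rights = {r for row in matrix.values() for rs in row.values() for r in rs}
    return all(acl_check(acls, s, o, r) == cap_check(caps, s, o, r)
               for s in matrix for o in objects for r in rights)
```

Loaning a ticket returns a new capability table rather than mutating the caller's, which mirrors the slide's point that tickets dispersed around the system are the hard part to manage: every copy must be unforgeable, and here the only thing standing in for the OS-protected memory region is that the tables are plain Python objects the caller controls.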

33
The Concept of Trusted Systems
  • Multilevel security
    • Definition of multiple categories or levels of
      data
    • Commonly found in the military (information
      categories: unclassified, confidential, secret,
      top secret)
    • A subject at a high level may not convey
      information to a subject at a lower level or
      noncomparable level unless that flow accurately
      reflects the will of an authorized user
  • Two rules of multilevel security
    • No read up: a subject can only read an object of
      lower or equal security level (simple security
      property)
    • No write down: a subject can only write into an
      object of greater or equal security level
      (*-property)

34
The Concept of Trusted Systems
  • Reference monitor concept
  • Multilevel security for a data processing system

35
The Concept of Trusted Systems
  • Reference monitor
    • The controlling element in the HW and OS of a
      computer that regulates the access of subjects to
      objects on the basis of security parameters
    • Accesses the security kernel database
    • Enforces the security rules (no read up, no
      write down)
  • Security kernel database
    • A file that lists
      • Security clearance: the access privileges of
        each subject
      • Classification level: the protection attributes
        of each object
  • Audit file
    • Stores important security events such as
      • Detected security violations
      • Authorized changes to the security kernel
        database

36
The Concept of Trusted Systems
  • Reference monitor properties
    • Complete mediation: the security rules are
      enforced on every access
      • Every access to data in memory, on disk and on
        tape must be mediated
      • A pure SW implementation incurs too high a
        performance penalty
    • Isolation: the reference monitor and database
      are protected from unauthorized modification
      • It must not be possible for an attacker to
        change the logic of the reference monitor or
        the contents of the security kernel database
    • Verifiability: the reference monitor's
      correctness must be provable
      • It must be possible to demonstrate
        mathematically that the reference monitor
        enforces the security rules and provides
        complete mediation and isolation

37
The Concept of Trusted Systems
  • Trusted system
    • A system that can provide such verification
  • The Commercial Product Evaluation Program
    • The Computer Security Center (within the NSA)
      evaluates commercially available products as
      meeting the security requirements
    • The center classifies evaluated products
      according to the range of security features
    • The evaluations are needed for DoD procurements
      but are published and freely available
    • The evaluations can serve as guidance to
      customers for the purchase of commercial
      equipment

38
Trojan Horse Defense
  • Trojan horse attack

[Figure: Trojan horse attack diagram; only the access-right labels "RW" survive in the transcript]
39
Trojan Horse Defense
  • Secure, trusted operating systems
    • One way to secure against Trojan horse attacks

[Figure: Trojan horse defense diagram; only the access-right labels "RW" survive in the transcript]

  • Security level assignment
    • Bob and Bob's data file: Sensitive (higher)
    • Alice and Alice's data file: Public (lower)
  • When the Trojan horse program attempts to store
    the string in the Back-pocket file
    • The *-property (no write down rule) is violated
    • The attempt is disallowed by the reference
      monitor
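The reference monitor of slides 33, 35 and 39 in runnable form, as an added example in Python that is not code from the slides: the security kernel database holds clearances and classifications, every read is checked against the simple security property and every write against the *-property, violations and authorized database changes go to the audit file, and the Trojan horse scenario is replayed with the slide's Sensitive/Public levels. The level names, subject and object names and the rule that a process runs at its user's level are the assumptions made here.

```python
from typing import Dict, List, Sequence, Tuple


class ReferenceMonitor:
    """Mediates every read and write using the security kernel database; logs to an audit file."""

    def __init__(self, levels: Sequence[str], clearances: Dict[str, str],
                 classifications: Dict[str, str]):
        self.rank = {name: i for i, name in enumerate(levels)}   # levels listed low to high
        self.clearances = dict(clearances)                       # kernel DB: subject -> level
        self.classifications = dict(classifications)             # kernel DB: object -> level
        self.audit: List[Tuple[str, ...]] = []                   # the audit file

    def _rank(self, table: Dict[str, str], name: str) -> int:
        if name not in table:
            raise KeyError(f"{name!r} is not in the security kernel database")
        return self.rank[table[name]]

    def read(self, subject: str, obj: str) -> bool:
        """Simple security property (no read up): clearance(subject) >= class(object)."""
        ok = self._rank(self.clearances, subject) >= self._rank(self.classifications, obj)
        self._log("read", subject, obj, ok)
        return ok

    def write(self, subject: str, obj: str) -> bool:
        """*-property (no write down): class(object) >= clearance(subject)."""
        ok = self._rank(self.classifications, obj) >= self._rank(self.clearances, subject)
        self._log("write", subject, obj, ok)
        return ok

    def reclassify(self, admin: str, obj: str, level: str) -> None:
        """An authorized change to the kernel database (top-level subjects only); audited."""
        if level not in self.rank or self._rank(self.clearances, admin) != len(self.rank) - 1:
            raise PermissionError("reclassification refused")
        self.classifications[obj] = level
        self.audit.append(("db-change", admin, obj, level))

    def _log(self, op: str, subject: str, obj: str, ok: bool) -> None:
        if not ok:
            self.audit.append(("violation", op, subject, obj))


def trojan_horse_scenario():
    """Slide 39: a Trojan horse running as Bob tries to copy Bob's data into the back-pocket file."""
    rm = ReferenceMonitor(
        levels=["public", "sensitive"],
        # assumption: a process is a subject at its user's level, so the Trojan horse is "sensitive"
        clearances={"alice": "public", "bob": "sensitive", "trojan@bob": "sensitive"},
        classifications={"bob_data": "sensitive", "back_pocket": "public"},
    )
    steps = {
        "alice reads bob_data": rm.read("alice", "bob_data"),                 # read up: denied
        "trojan reads bob_data": rm.read("trojan@bob", "bob_data"),           # same level: allowed
        "trojan writes back_pocket": rm.write("trojan@bob", "back_pocket"),   # write down: denied
        "alice reads back_pocket": rm.read("alice", "back_pocket"),           # same level: allowed
    }
    return steps, rm.audit
```

The Trojan horse is allowed to read Bob's file, because it legitimately runs with Bob's clearance; what defeats it is that the only place it could leave the copy for Alice is a Public object, and the *-property refuses that write and records the attempt.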

40
Appendix A1 Firewall Products
(Product table not reproduced in the transcript; legend: PS = Proxy Service, FW = Firewall)
41
Appendix A2 LINUX Firewall
  • Original IP firewall (2.0 kernels) configuration

Categories
  -I   Input rule
  -O   Output rule
  -F   Forwarding rule
Commands
  -a policy   Append a new rule
  -i policy   Insert a new rule
  -d policy   Delete an existing rule
  -p policy   Set the default policy
  -l          List all existing rules
  -f          Flush all existing rules
Policies
  accept   Allows matching datagrams to be received, forwarded, or transmitted
  deny     Blocks matching datagrams from being received, forwarded, or transmitted
  reject   Blocks matching datagrams from being received, forwarded, or transmitted,
           and sends an ICMP error message
Parameters
  -P protocol            Can be TCP, UDP, ICMP, or all (-P tcp)
  -S address/mask port   Source IP address that this rule will match
                         (-S 172.29.16.1/24 ftp ftp-data)
  -D address/mask port   Specify the destination IP address that this rule will match
                         (-D 172.29.16.1/24 smtp)
  -V address             Specify the address of the network interface on which the packet
                         is received (-I) or is being sent (-O) (-V 172.29.16.1)
  -W name                Specify the name of the network interface (-W ppp0)
Options
  -b   This is used for bidirectional mode
  -o   This enables logging of matching datagrams to the kernel log
  -y   This is used to match TCP connect datagrams
  -k   This is used to match TCP acknowledgement datagrams
42
Appendix A2 LINUX Firewall
  • Example command
    • We want our internal network users to be able to
      log into FTP servers on the Internet to read and
      write files. But we don't want people on the
      Internet to be able to log into our FTP servers.
    • We know that FTP uses two TCP ports
      • Port 20: ftp-data
      • Port 21: ftp

43
Appendix A2 LINUX Firewall
  • Firewall configuration script

#!/bin/bash
##########################################################################
# IPFWADM VERSION
# This sample configuration is for a single host firewall configuration
# with no services supported by the firewall machine itself.
##########################################################################

# USER CONFIGURABLE SECTION

# The name and location of the ipfwadm utility. Use ipfwadm-wrapper for
# 2.2.* kernels.
IPFWADM=ipfwadm

# The path to the ipfwadm executable.
PATH="/sbin"

# Our internal network address space and its supporting network device.
OURNET="172.29.16.0/24"
OURBCAST="172.29.16.255"
OURDEV="eth0"

# The outside address and the network device that supports it.
ANYADDR="0/0"
ANYDEV="eth1"

# The TCP services we wish to allow to pass - "" empty means all ports
# note: space separated
TCPIN="smtp www"
TCPOUT="smtp www ftp ftp-data irc"

# The UDP services we wish to allow to pass - "" empty means all ports
# note: space separated
UDPIN="domain"
UDPOUT="domain"

# The ICMP services we wish to allow to pass - "" empty means all types
# ref: /usr/include/netinet/ip_icmp.h for type numbers
# note: space separated
ICMPIN="0 3 11"
ICMPOUT="8 3 11"

# Logging; uncomment the following line to enable logging of datagrams
# that are blocked by the firewall.
# LOGGING=1
44
Appendix A2 LINUX Firewall
  • Firewall configuration script (contd)

# END USER CONFIGURABLE SECTION
###########################################################################

# Flush the Incoming table rules
$IPFWADM -I -f

# We want to deny incoming access by default.
$IPFWADM -I -p deny

# SPOOFING
# We should not accept any datagrams with a source address matching ours
# from the outside, so we deny them.
$IPFWADM -I -a deny -S $OURNET -W $ANYDEV

# SMURF
# Disallow ICMP to our broadcast address to prevent "Smurf" style attack.
$IPFWADM -I -a deny -P icmp -W $ANYDEV -D $OURBCAST

# TCP
# We will accept all TCP datagrams belonging to an existing connection
# (i.e. having the ACK bit set) for the TCP ports we're allowing through.
# This should catch more than 95% of all valid TCP packets.
$IPFWADM -I -a accept -P tcp -D $OURNET $TCPIN -k -b

# TCP - INCOMING CONNECTIONS
# We will accept connection requests from the outside only on the
# allowed TCP ports.
$IPFWADM -I -a accept -P tcp -W $ANYDEV -D $OURNET $TCPIN -y

# TCP - OUTGOING CONNECTIONS
# We accept all outgoing tcp connection requests on allowed TCP ports.
$IPFWADM -I -a accept -P tcp -W $OURDEV -D $ANYADDR $TCPOUT -y

# UDP - INCOMING
# We will allow UDP datagrams in on the allowed ports.
$IPFWADM -I -a accept -P udp -W $ANYDEV -D $OURNET $UDPIN

# UDP - OUTGOING
# We will allow UDP datagrams out on the allowed ports.
$IPFWADM -I -a accept -P udp -W $OURDEV -D $ANYADDR $UDPOUT

# ICMP - INCOMING
# We will allow ICMP datagrams in of the allowed types.
# (The slide's listing passes $UDPIN here; $ICMPIN is the variable
# defined above for this purpose.)
$IPFWADM -I -a accept -P icmp -W $ANYDEV -D $OURNET $ICMPIN

# ICMP - OUTGOING
# We will allow ICMP datagrams out of the allowed types.
# (Likewise $UDPOUT in the slide's listing; $ICMPOUT is the intended variable.)
$IPFWADM -I -a accept -P icmp -W $OURDEV -D $ANYADDR $ICMPOUT

# DEFAULT and LOGGING
# All remaining datagrams fall through to the default rule and are
# dropped. They will be logged if you've configured the LOGGING variable
# above.
if [ "$LOGGING" ]
then
        # Log barred TCP
        $IPFWADM -I -a reject -P tcp -o

        # Log barred UDP
        $IPFWADM -I -a reject -P udp -o

        # Log barred ICMP
        $IPFWADM -I -a reject -P icmp -o
fi
#
# end.
45
Appendix B TCSEC
  • TCSEC (Trusted Computer System Evaluation
    Criteria)
    • Published 1985 by the DoD
    • Orange Book (DoD 5200.28-STD)
    • Defines 7 levels of security
      • D, C1, C2, B1, B2, B3, A1
    • Basis of
      • ITSEC (Information Technology Security
        Evaluation Criteria), EU
      • CTCPEC (Canadian Trusted Computer Product
        Evaluation Criteria), Canada
      • CC (Common Criteria)
        • ISO standard (ISO 15408)
        • Based on TCSEC, ITSEC and CTCPEC
  • TNI (Trusted Network Interpretation of TCSEC)
    • Published 1987
    • Red Book (parts 1 and 2)