Firewalls - PowerPoint PPT Presentation

1 / 47

About This Presentation

Title:

Firewalls

Description:

Reverse DNS lookup will fail if BIND finds gandalf first, since the active host is catscan. ... Route Filtering and DNS reverse lookup: All have imperfections ... – PowerPoint PPT presentation

Number of Views:132

Avg rating:3.0/5.0

Slides: 48

Provided by: radf7

Category:

more less

Transcript and Presenter's Notes

Title: Firewalls

1
Firewalls VPNsChapter 4

Dr. Richard W. Tibbs
Edward B. Oakes

2
Security Threats

Software bugs configuration errors
Social Engineering
Obtaining passwords, illegal access by meeting
people at bars, etc.
Some people do this for a living to help
companies understand their vulnerabilities
Worms, Trojan Horses Viruses
Host and Port Scanning.
Popular open-source product Nessus does
portscanning via Nmap, and more.

3
Security Threats Contd.

IP Address Spoofing
TCP Vulnerabilities
Man in the middle attack MITM (tampers with the
secure channel mechanism)
Replaying
storing secure messages and sending them at a
later date
Denial of service
flooding a channel or other resource, denying
access to others

4
The Zone Concept
Figure 4.1
5
A DMZ is an Architectural Solution

Accomplishes separation between
Internet
DMZ
Internal networks

6
IP Address Spoofing via DDoSFeb. 2000 Attack
2) ICMP Echo Reply7 Packet from Spoofees on
Campus Source IP x.x.j.i, for all j, i Dest IP
1.2.3.4 (Untrue!)
Amazon.com IP 1.2.3.4
Yahoo.com IP 5.6.7.8
Campus Network IP Address x.x.x.i
Internet
. . .
Campus Network IP Address x.x.y.i
1) ICMP Echo Request Packet from Spoofer Source
IP 1.2.3.4 Dest IP x.x.j.i, for all j, i
(Untrue!)
7
IP Spoofing Countermeasures

The threats
RFC 1918 private address space
IANA unassigned public address space
Block both of these (easy, see Ch. 7 for more on
firewall protection from these threats)
Harder, are the publicly assigned addresses, such
as Amazon, Yahoo, etc.
See the Feb. 2000 Attacks.
Tools (Imperfect)
Unicast Reverse Path Forwarding
Route Filtering (RFC 1812, see Exercise 4.3)
Reverse DNS lookup

8
IP Spoofing

Unicast Reverse Path forwarding
Defined as follows
We have an incoming packet with a source IP
address.
Would we forward back to that address (as a
destination IP) via the same interface?
If so, then we will allow the packet in,
otherwise not.
Imperfections
What if there is only one way into the network?
Then all packets will be allowed
Even with multiple Internet connectivities, there
is no perfect way to prevent unwanted packets

9
IP Spoofing

Reverse DNS lookup.
Using the PTR records in DNS that do
IP address to Host name lookup.
Imperfect since
DNS database may be un-maintained
E.g., old host names still be in database while
new hosts (with different host names) have the
same IP addresses.
A problem with BIND DNS server Unix/Linux
See Exercise 4.1

10
Example

University rotates computers out of labs every
two years.
Each host in lab has two-week lease via DHCP.
This ends up in BIND database.
Procedure
Remove old machines, send to surplus
Install new machines same day.
No time for lease to expire.
Result polluted BIND database
New host catscan.xyz.edu has IP 1.2.3.4
So does old host gandalf.xyz.edu
Reverse DNS lookup will fail if BIND finds
gandalf first, since the active host is catscan.
See Case Study at end of chapter

11
Final Word on IP Spoofing

Unicast RPF, Route Filtering and DNS reverse
lookup
All have imperfections
A firewall may be the best method of preventing
IP spoofing. See Chapter 7 for more details.

12
Understanding Unicast RPF Route Filtering

We need to understand how route tables work to
understand
Unicast RPF
Route Filtering

13
IP Routing Recipe

Each packet passing through the IP layer has its
destination IP address extracted from the packet
header.
The IP layer proceeds through each row in the
route table with the same procedure
The mask in the route table row is ANDed (binary
AND operation) with the packets destination
address.
This result is compared with the Destination
Network field.
If a match is successful, the row is added to a
temporary table of successful matches
When all rows in the route table have been
scanned, the IP layer looks through the temporary
table of all successful matches and chooses the
row with the longest mask length. This is known
as the longest matching prefix rule, since the
rule chooses the most specific route in the
table.
If there are two rows with equal mask lengths,
then the metric field (not shown in figure 4.2)
is used as a tie-breaker.

14
Figure 4.2 Updated
Host P sends packet to google.com
Host P sends packet to Host L
15
Figure 4.2 notes

Packets for Host L and google.com originate from
Host P
Host Ps route table uses default route for both
packets, since neither Host L nor google.coms IP
addresses are on Host Ps subnet, 7.8.9.0/24
Host Ps default route sends both packets to
7.8.9.1, Router Bs address
Router B uses different rows to route the two
packets
Packet to google.com uses Bs default row. Next
hop is the Internet Gateway router 10.11.12.2
Packet to Host L is on a directly connected
subnet of router B (second row)

16
Route Filtering A quote from RFC 1918
A router SHOULD IMPLEMENT the ability to filter
traffic based on a comparison of the source
address of a packet and the forwarding table for
a logical interface on which the packet was
received. If this filtering is enabled, the
router MUST silently discard a packet if the
interface on which the packet was received is not
the interface on which a packet would be
forwarded to reach the address contained in the
source address. In simpler terms, if a router
wouldn't route a packet containing this
destination address through a particular
interface, it shouldn't believe the address if it
appears as a source address in a packet read from
this interface. added by Dr. Tibbs
17
Route filtering quiz

IP a packet bearing source IP 7.8.9.10 (host P)
and dest IP 1.2.3.4 (host L)
Arrives on Router Bs 10.11.12.1 interface,
What should router B do?
IP a packet bearing source IP 1.2.3.4 (host L)
and dest IP 10.11.12.13 (Server S)
Arrives on Router Bs 1.2.3.1 interface
What should router B do?

18
Route filtering quiz

IP a packet bearing source IP 7.8.9.10 (host P)
and dest IP 1.2.3.4 (host L)
Arrives on Router Bs 7.8.9.1 interface,
What should router B do?
IP a packet bearing source IP 1.2.3.4 (host L)
and dest IP 10.11.12.13 (Server S)
Arrives on Router Bs 7.8.9.1 interface
What should router B do?

19
Rules of Route Table Construction

The Destination network field, your route table
must successfully ( efficiently) route packets
destined for any subnetwork or those destined for
the internet.
Hint Which routers in Figure 4.10 might need
extra rows to avoid ICMP redirect messages?
Lookup ICMP redirect in a search engine.
The Next Hop field must be a specific IP on one
of the directly connected subnets of the device
(Router or host).
For the Interface column in Exercise 4.6, use the
MAC address annotated on the (two-letter Hex
code).
Remember that the interface column contains only
MAC addresses for the device itself.
We show IP addresses and MAC addresses
side-by-side in Table 4.1, but it is simpler to
use short MAC addresses.

20
Table 4.1 Windows Route Table via route print
command
Why are there so many different Mask Lengths in
this host table?
21
Notes on Table 4.1

The loopback row
192.168.1.3 /32 127.0.0.1 127.0.0.1 L0
How would a web server and a web client run
efficiently on the same host?

1. Web Browser
4. Web Server
1. Web Browser types http//198.168.1.3 as URL
2. This generates packet that is delivered to IP
layer 3. Row above is longest matching prefix
4. Web Server receives http GET request
2. TCP
3. IP
Data Link
Loopback 127.0.0.1
IP address 198.168.1.3
22
Notes on Table 4.1

Another loopback-related row
127.0.0.0 /8 127.0.0.1 127.0.0.1 L0
Other loopback addresses may be added.
This row allows any of those to go to 127.0.0.1,
usually bound to the name localhost
Other Rows
192.168.1.255 /32 192.168.1.3 192.168.1.3 00-
-F3
The subnet broadcast must be directed to this
machines IP
255.255.255.255 /32 192.168.1.3 192.168.1.3 00-
-F3
The IP address 255.255.255.255 means this
machine (not the entire Internet). We must have
this row as well.

23
IP addr show output (Linux)
ip addr sho 1 lo mtu 16436
qdisc noqueue link/loopback 000000000000
brd 000000000000 inet 127.0.0.1/8 brd
127.255.255.255 scope host lo 2 dummy0
mtu 1500 qdisc noop
link/ether 000000000000 brd
ffffffffffff 3 eth0 ,UP mtu 1500 qdisc pfifo_fast qlen
100 link/ether 0002e3130278 brd
ffffffffffff inet 1.2.3.89/26 brd
1.2.3.127 scope global eth0 4 eth1
mtu 1500 qdisc
pfifo_fast qlen 100 link/ether
0002e3127d94 brd ffffffffffff ine
t 192.168.1.254/24 brd 192.168.1.255 scope
global eth1
The phrase qdisc pfifo_fast qlen 100 indicates
other parameters including queueing discipline
for the interface is first-in-first-out (fifo)
and the queue length for the interface is 100
packets
24
Table 4.2 Linux Firewall Route Table via ip
route list table all
25
Figure 4.3 Smurf Fraggle Attack
26
Replay Attacks

Password Authentication Protocol (PAP)
Vulnerable to replay attack
Challenge Handshake Authentication Protocol
(CHAP)
Solves the replay attack by issuing a random
challenge
This involves a random number called a nonce

27
TCP Vulnerabilities

SYN Flood Attacks
Using three-way handshake of TCP, attacker could
generate a rapid number of SYNs
Objective is to exhaust resources, since each
connection requires a TCB data structure to track
the state of the connection
See Exercise 4.2

28
TCP Vulnerabilities

Connection Hijacking
See chapter 7 for more on this topic.
RFCs 793, 1337 and 1948 are good reading.
Can TCP sequence numbers be predicted? How can
that be avoided? (Ask class here ??? Hint
Cookies Hashes)
Christmas Tree attack
A TCP segment arrives with an invalid combination
of TCP flags set.
Examples
SYN FIN in the same segment
SYN, FIN, RST, PSH, URG, ACK (all flags)
Objective is to find bugs in TCP code that cause
a crash.

29
TCP/UDP Port Numbers

Standards based RFC 1700
well-known ports, 11023
registered ports, 102449151
ephemeral ports, 4915265535
These port numbers are now assigned by IANA at
www.iana.org/assignments/port-numbers.

30
TCP/UDP Port Numbers

However, many systems dont follow the standards
or IANAs assignments
Windows, Linux kernels below 2.4, BSD Unix,
default ephemeral range 1024 5000.
Linux kernel 2.4 and above, default ephemeral
range 32768 61000.
The command netstat a n can be used to identify
what TCP connections and UDP datagram services
are running on any host or server.

31
Man In the Middle

For MITMs we need a host of participants.
Alice First Participant.
Bob Second Participant.
Carol Third Participant.
Dave Fourth Participant.
Eve Eavesdropper.
Mallory Malicious attacker.
Sara a server.

32
An MITM Scenario Illustrated
ALICE
1) Alice connects to her online bank, Bob
2) Mallory also has an account at Bob. He copies
the banks certificate, and he knows through
social engineering that Alice has a large bank
account
Poses as Bob To Alice
MALLORY (MITM)
Bob, an Online Bank
3) Having hacked into the ISP that Alice uses, he
waits for a connection. Then, he
Poses as Alice To Bob
33
More on MITM

Mallory must subvert some part of the network in
some way that lets him carry out the deception.
Possible targets DNS, router, Alice or Bob's
machine, mail server, etc. to beat any
authentication mechanism Alice and Bob use.
Note DNS is sometimes used to distribute
certificates
Strong authentication defeats the MITM entirely
Mallory must work in real time, delivering
messages without introducing a delay large enough
to alert the victims
This is not hard if Alice and Bob are using
email quite difficult in some other situations

34
MITM Wrap-up

This requires quite a bit of planning on
Mallorys part.
If he can accomplish this, he can do whatever her
wants
Changing her transactions to transfer to his
account
You will notice that any secure online
transaction does not give you a chance to inspect
the servers certificate.
More on this issue in chapter 7.

35
Varieties of Firewalls

Stateless
Looks at packets one at a time, no sense of state
of connections
Stateful
Keeps track of connection state
Requires more memory, tables, processing speed
Possible for TCP as well as UDP
Proxy
Used to protect Web and Mail servers
Content-Aware

36
Stateful

Inspects flags, IP address, TCP/UDP ports,
Sequence numbers etc. of connections (UDP
doesnt have this but we can still keep track of
IP address and port number information)
Keep track of
Established connections
Related connections
Invalid connections

37
Traceroute issues with Firewalls

Traceroute (tracert on Windows) uses both ICMP
and UDP.
Traceroute recipe
Generate ICMP echo requests with TTLs increasing
from 130 (default)
When ICMP Echo request TTL is 0, router/host
sends back ICMP time exceeded (type 11) message.
ICMP type 11 cant tell traceroute that it has
reached the destination.
Traceroute uses UDP echo request (like Fraggle
attack).
How to allow traceroute, but defend Fraggle??

38
Shorewall Rate and Burst Limits

Traceroute will generate only a moderate number
of ICMP and UDP packets.
Shorewall (the firewall portion of LEAF) has a
rate and burst limit capability to defend against
Smurf (Uses ICMP)
Fraggle (Uses UDP)

39
Proxy firewalls