Intrusion Detection - University of Sunderland


Firewalls
CSEM02
University of Sunderland
Harry R. Erwin, PhD
Resources
• Garfinkel and Spafford, 1996, Practical UNIX and
Internet Security, O’Reilly, ISBN: 1-56592-148-8
• Schneier, 2000, Secrets and Lies, Wiley, ISBN: 0471-25311-1.
• Anderson, 2001, Security Engineering, Wiley,
ISBN:0-471-38922-6.
• Zwicky, Cooper & Chapman, 2001, Building
Internet Firewalls, O’Reilly.
Definition
• Firewall (Schneier)
– Originally an iron wall that protected train passengers
from engine fires. Didn’t protect the engineer—there
may be a lesson for sysadmins here.
– In early networks, a device that protected a segment of
a network from failures in other segments
– Now a device that protects an internal network from
malicious intruders.
• Does not deal with the 70+% of attacks that come from inside.
• Does not deal with most vulnerabilities (see next slide)—only
those associated with network connections.
Top 20 Vulnerabilities
(www.sans.org, 4 Dec 2006)
Operating Systems
• Internet Explorer
• Windows Libraries
• Microsoft Office and Outlook Express
• Windows Services
• Internet Explorer (IE)
• Windows Configuration Weaknesses
• Mac OS X
• Unix Configuration Weaknesses
Network Devices
• VoIP Servers and Phones
• Network and Other Devices Common Configuration Weaknesses
Cross-Platform Applications
• Web Applications
• Database Software
• P2P File Sharing Applications
• Instant Messaging
• Media Players
• DNS Servers
• Backup Software
• Security, Enterprise, and Directory Management Servers
Security Policy and Personnel
• Excessive User Rights and Unauthorized Devices
• Users (Phishing/Spear Phishing)
Special Section
• Zero Day Attacks and Prevention Strategies
Current Problem Categories
- Top Vulnerabilities in Windows Systems
• W1. Windows Services
• W2. Internet Explorer
• W3. Windows Libraries
• W4. Microsoft Office and Outlook Express
• W5. Windows Configuration Weaknesses
- Top Vulnerabilities in Cross-Platform Applications
• C1. Backup Software
• C2. Anti-virus Software
• C3. PHP-based Applications
• C4. Database Software
• C5. File Sharing Applications
• C6. DNS Software
• C7. Media Players
• C8. Instant Messaging Applications
• C9. Mozilla and Firefox Browsers
• C10. Other Cross-platform Applications
- Top Vulnerabilities in UNIX Systems
• U1. UNIX Configuration Weaknesses
• U2. Mac OS X
- Top Vulnerabilities in Networking Products
• N1. Cisco IOS and non-IOS Products
• N2. Juniper, CheckPoint and Symantec Products
• N3. Cisco Devices Configuration Weaknesses
Perimeter Defense
• No good against internal uprisings
• Denial of service will remain a threat.
• Must be complete—otherwise the hacker
will go around it.
• Must still contain gateways, which become
the main vulnerabilities.
Boundary Protection
• The careful use of boundary mechanisms
allows the designer to segment the network
into protected domains, isolated from the
internet and telephone service.
• This limits damage and prevents malicious
attackers from gaining entry.
Hub and Ring Architectures
• Hub architecture—packets transmitted by one
device are reflected to all devices. Can be digital
or analog. Analog hubs reduce signal strength,
limiting the number of devices. Speed of light
delays also limit the spatial extent of the LAN.
• Ring architecture—each device connects to a ring
of connections. One packet at a time circulates
around the ring. If it arrives back at the device
unchanged, it is deemed to have been successfully
transmitted. Otherwise it is retransmitted.
Gateway
• Typically a router connected to the hub or
ring. Has external connections.
• Uses routing tables to find a route to a
server. Sends the packet out that route.
• If a server isn’t reachable, an ICMP
DEST_UNREACH packet is generated and
eventually returns to the source.
Switches
• ‘Smart’ hubs that transfer packets between
networks. Fast switches are based on state
machine architectures.
• Can block a sniffer from accessing local traffic.
• Virtual LANs can be isolated and connected via
switches
• Not a security mechanism. Performance is too
important for switches to do much processing.
Virtual Private Network (VPN)
• Encrypted tunneling (stunnel or ssh) can be used
to link distant LANs via switches.
• Usually handled peer-to-peer with the routers and
firewalls passing encrypted packets. This is
message-level encryption.
• Can also be handled using link-level or packet-level encryption. Link-level
uses COMSEC devices and has a high maintenance overhead.
Boundary Mechanisms Used to
Secure Networks
Note: Firewalls and routers are basic tools of
network security.
• Filtering routers
• Firewalls:
– Packet Filters
– Proxies
– NAT (network address translation)
– Screens
• Personal firewalls
• “Demilitarized Zones” (DMZs)
Attacks on Boundary
Mechanisms
Three approaches used by hackers:
1. Go around it.
– Internet connections from photocopiers, soft drink machines, and other devices
– Maintenance ports on network devices
– Unauthorized modems
– Attack trusted peers instead
2. Sneak past it.
3. Take the firewall over.
– Buggy software
– Insecure operating systems
Filtering Router
• A basic router that provides stateless protection:
– Only passes legitimate packets, which is good. What
packets are legitimate is a policy decision. Two basic
strategies:
• Default permit—easier to configure but riskier
• Default deny—safer but inflexible (UoS policy)
Neither is a panacea.
– A filtering router doesn’t connect SYN ACKs to the
related SYN packets or other packets involved in the
connection. This can be exploited by a smart attacker.
Firewall
• Smarter than a simple filtering router. Enforces your
chosen policies. May sniff traffic.
• Blocks access as part of a defense in depth strategy.
• Can serve as a proxy for the clients behind it.
• Can encrypt traffic between separate locations.
• Can even be stateful, tracking connections, not just
packets—reducing throughput, but harder to fool.
(Remains vulnerable to slow attacks.)
• Note however, a filtering router plus strong endpoint
security (hardened workstations) is more secure than an
isolated firewall.
Firewall Anatomy
Based on chokes and gates (Garfinkel and Spafford):
• Choke
– A component that restricts the free flow of packets
between networks based on some policy.
• Gate
– Handles port connections.
– Single machines that handle all ports are “bastion hosts”
– Programs that might be supported include
• network clients (undesirable),
• proxy servers, and
• network servers.
How to Program a Simple Packet
Filtering Choke
• Block all packets for services not used.
• Block all packets with IP source routing
options
• Allow incoming TCP connections to
predetermined network servers.
• Allow outgoing TCP connections. (You might want to block some
used by malware.)
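The choke policy above, and the stateless/stateful distinction from the Filtering Router slide, modelled in Python. This is an added illustration, not code from the lecture; the addresses, internal prefix and server list are constructed assumptions. The stateless version has to guess that any packet with ACK set is a reply to one of its own connections, while the stateful version only admits replies to SYNs it actually saw leave.

```python
from dataclasses import dataclass

# Constructed example policy for the choke described on the slide.
# The addresses, the internal prefix and the server list are assumptions.
INSIDE = "192.0.2."                                  # assumed internal network prefix
SERVERS = {("192.0.2.10", 25), ("192.0.2.11", 80)}  # predetermined inbound TCP servers

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    source_routed: bool = False   # IP source-routing option present

def _inbound(p):
    return not p.src.startswith(INSIDE)

def stateless_filter(p):
    """Filtering-router choke: each packet is judged on its own headers."""
    if p.source_routed:                  # block all packets with source routing
        return "DROP"
    if not _inbound(p):                  # allow outgoing TCP connections
        return "ACCEPT"
    if (p.dst, p.dport) in SERVERS:      # inbound TCP only to listed servers
        return "ACCEPT"
    if p.ack:                            # ACK set => assumed reply to us (a guess)
        return "ACCEPT"
    return "DROP"                        # default deny for everything else

class StatefulFilter:
    """Same policy, but inbound replies need a matching outbound SYN on record."""
    def __init__(self):
        self.conns = set()               # (src, sport, dst, dport) of outbound SYNs

    def decide(self, p):
        if p.source_routed:
            return "DROP"
        if not _inbound(p):
            if p.syn and not p.ack:      # remember the connection we opened
                self.conns.add((p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"
        if (p.dst, p.dport) in SERVERS:
            return "ACCEPT"
        if (p.dst, p.dport, p.src, p.sport) in self.conns:  # reply to a known SYN
            return "ACCEPT"
        return "DROP"
```

Feed both filters an outbound SYN, its SYN/ACK reply, and then an inbound ACK packet addressed to an internal port no connection was opened from: the stateless filter accepts all three, the stateful one drops the last.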
Pros and Cons of Packet Filtering
• Pros
– Cheap and easy
– Flexible
• Cons
– Usually lacks logging
– Complex rulesets that are hard to configure and untestable
– ftp not handled well unless passive mode is set (due to the high
port numbers used by ftp)
– Security can be silently compromised
– Remote administration can be compromised
– Insider attacks are easy
– Packet contents are not monitored
Firewall Types
• Packet filters
– Usually based on a filtering router, but stateful
• Proxy-based firewalls
– Services are provided by the visible firewall
• Packet-rewriting firewalls (NAT)
– Transparent to applications
• Screens
– No IP address; run in stealth mode
How Network Address
Translation (NAT) Works
• A server anonymises traffic by replacing the true
address on the LAN with its own address and vice
versa.
• Incoming packets from inside addresses can be
quietly dropped.
• Aka “proxying with network address translation”.
• Can also cache data received to save on network
bandwidth
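A minimal model of the address rewriting described above, added here as an illustration rather than taken from the slides. The public address, internal prefix and port range are assumptions, and "incoming packets from inside addresses" is read as packets arriving from outside that claim an internal source address.

```python
# Added example (not from the slides): a minimal NAT gateway model.
# Addresses are constructed; the public address and port range are assumptions.
PUBLIC_ADDR = "203.0.113.1"          # the NAT box's own external address (assumed)
INSIDE_PREFIX = "192.0.2."           # assumed internal network

class Nat:
    def __init__(self, first_port=40000):
        self.next_port = first_port
        self.table = {}              # (inside_addr, inside_port) -> public_port
        self.reverse = {}            # public_port -> (inside_addr, inside_port)

    def outbound(self, pkt):
        """Rewrite the true inside source with the NAT's own address and port.
        pkt is a constructed (src, sport, dst, dport) tuple."""
        src, sport, dst, dport = pkt
        key = (src, sport)
        if key not in self.table:    # first packet of a flow gets a fresh mapping
            self.table[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return (PUBLIC_ADDR, self.table[key], dst, dport)

    def inbound(self, pkt):
        """Translate a reply back to the inside host. Returns None (packet
        quietly dropped) when the source claims an inside address or when
        nothing inside ever opened the flow."""
        src, sport, dst, dport = pkt
        if src.startswith(INSIDE_PREFIX):   # outside packet claiming to be inside
            return None
        if dst != PUBLIC_ADDR or dport not in self.reverse:
            return None                     # unsolicited: no mapping exists
        in_addr, in_port = self.reverse[dport]
        return (src, sport, in_addr, in_port)
```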
Personal Firewalls
• This is a router/firewall installed on your personal PC.
• Usually a simple packet filter.
• Now available for most modern operating systems.
• MacOS X, BSD Unix, and Linux use ipfw.
• Windows XP has a proprietary firewall. Average.
• Commercial firewalls either manage the firewall provided by the OS or
replace it with their own.
• Watch out for snake oil.
Personal Firewalls for Windows
Machines
• Some Free Ones
– Microsoft Internet Connection Firewall (XP default)
– ZoneAlarm (good, better than ipfw)
– Tiny Firewall (good, USAF uses)
– Sygate® Personal Firewall™ (good)
• More Expensive
– Black Ice Defender (well-regarded)
– ZoneAlarm Pro (good)
– Norton Personal Firewall (OK)
– McAfee Personal Firewall (subscription)
“Demilitarized Zone” (DMZ)
• A place on your network where you put
your public services.
• Reduces the external threat, but protects
your private network.
• External firewall (to the internet) has a
limited number of restrictions.
• Internal firewall (to your private network)
has more restrictions.
Running a Windows Firewall
• If you are responsible for a Windows firewall (incomplete):
– Enable auditing, accounting, and full logging. Monitor them.
– Use strong authentication. Install a logon banner.
– Rename the Administrator account.
– No user or guest accounts. Generally, block all user access.
– Manually configure the machine. Install all security patches.
– Use NTFS.
– Protect the BIOS configuration.
– Block removable devices and unused ports.
– Support only TCP/IP. You may need to enable SNMP.
– Disable unneeded services, in particular WINS TCP/IP, Computer
Browser, NetBIOS, RPC, Server, and Workstation. Check that patches/
hotfixes/updates don’t reenable them.
Running a UNIX Firewall
• If you are responsible for a UNIX firewall:
– Enable auditing, accounting, and full logging. Monitor them.
– Use strong authentication.
– Firewall machines should not have user accounts.
– Block X11 server ports.
– Do not mount NFS (etc.). Export databases read-only. Disks
should be mounted read-only where possible.
– Remove binaries not needed for the firewall. Disable unneeded
network services.
– chmod all system directories to 711.
– Remove /etc/hosts.equiv and /etc/hosts.lpd
– Use process and disk quotas and monitor them.
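An added audit script (not part of the lecture) that checks a host against two of the UNIX checklist items above: the rhost files that should be gone and the 711 mode on system directories. The directory list is an assumption; `root` lets the same check run against a constructed test tree instead of the live filesystem.

```python
import os
import stat
import tempfile

# Added example, not from the slides: audit a UNIX firewall host against a few
# of the checklist items. The SYSTEM_DIRS list is an assumption for the demo.
RHOST_FILES = ["etc/hosts.equiv", "etc/hosts.lpd"]   # checklist says: remove these
SYSTEM_DIRS = ["bin", "sbin", "etc", "usr/bin"]      # checklist says: mode 711

def audit(root="/"):
    """Return a list of findings; an empty list means the checks pass."""
    findings = []
    for rel in RHOST_FILES:
        if os.path.lexists(os.path.join(root, rel)):
            findings.append(f"remove /{rel}")
    for rel in SYSTEM_DIRS:
        path = os.path.join(root, rel)
        if not os.path.isdir(path):      # directory absent on this host: skip
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode != 0o711:
            findings.append(f"/{rel} is mode {mode:03o}, expected 711")
    return findings

def build_test_tree():
    """Constructed tree with one leftover rhost file and one over-permissive
    system directory, so the audit has something to report."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "bin"))
    open(os.path.join(root, "etc", "hosts.equiv"), "w").close()
    os.chmod(os.path.join(root, "etc"), 0o711)   # compliant
    os.chmod(os.path.join(root, "bin"), 0o755)   # too open for the checklist
    return root

if __name__ == "__main__":
    for finding in audit(build_test_tree()):
        print(finding)
```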
Conclusions
• You may need a firewall, but you will need a lot
more and probably more urgently:
– Start by ensuring you have strong end-point security.
Make sure you have the latest service pack installed.
– Install/enable personal firewalls on all machines.
– Use a filtering router as a minimum.
– Finally consider using a firewall.
• Watch for snake oil!
• Manage your security actively!
• Good luck!