Overview. Packet filter

Academic year: 2021
(1)

Computer Network Lab 2015

(2)

Overview

• Security
• Types of attacks
• Firewalls
• Protocols
• Packet filter

(3)

Security

• Security means protecting information (during and after processing) against impairment and against loss of confidentiality, integrity and availability.

Supported by, among other measures, strategies that increase availability and protect stored data: backup, redundant systems, RAID systems.

(4)

Security requirements

• Confidentiality
protects confidential information against unintended access.

• Integrity
guarantees that the data are authentic and undamaged.

• Availability
ensures that authorized persons are able to

(5)
(6)

Threats

• Active attacks
Intrusion of unauthorized persons
Impairment and disturbance of networking
Data modification

• Passive attacks
Password listening (eavesdropping on passwords)
Data listening
Network traffic analysis

(7)

Aggressor

Who is the aggressor?
Competitors
Hackers/Crackers (beginners, professionals)
Professional hackers (industrial espionage)
Colleagues (approx. 70% of all attacks come from colleagues, i.e. insiders)
NSA

(8)

Examples

• By use of so-called trojans, hackers got access to passwords of Microsoft employees. So the hackers were able to steal the newest source code release of a Microsoft operating system.

• Yahoo was the victim of a Denial-of-Service attack. The website of Yahoo was not available for more than 3 hours.

• Sony Corp. said hackers may have gained access to personal information (like name, address, country, e-mail address, birthdate, etc.) of the 75 million users of its PlayStation Network.

(9)

Kinds of attacks

• Password attack
• Data attack
• Malicious code
• Scanner
• Spoofing
• DoS attack

(10)

Password attacks

• 3 methods:
Guessing on the basis of known or suspected user accounts (names).
Brute-force attack on a password file by use of special applications, e.g. Crack.
Listening on connections in order to find out user names and their

(11)

Data attack by sniffers

• Data attacks are done by use of so-called sniffers.

• Sniffers, or network monitoring tools, are applications which are originally used in order to monitor and analyse network traffic.

• Well-known tool: "WIRESHARK"

(12)

Promiscuous mode

• Usually a computer receives via its network interface card only those packets which are destined for itself.

• But it is possible to get access to all traffic that reaches the interface. This can be done when the network interface card is running in a special mode, the promiscuous mode. (On a switched network the switch only delivers a host's own traffic, broadcasts and flooded frames to its port, so a sniffer in promiscuous mode there sees little unless it also uses ARP spoofing or a mirror port.)

Extremely dangerous: a sniffer is installed on a central machine which is accessed by many clients, since all of their traffic passes its interface.

(13)

Malicious Code

• Malicious code is unauthorized code (it could be hidden in a legitimate application) doing jobs which are unknown to the user and usually undesired.

• Examples:
Viruses
Trojan horses
Worms

(14)

Scanner

Scanners are security tools which are originally used in order to find weak points of a system. There are system scanners and network scanners.

• System scanner:
scans its local host in order to find security gaps or configuration problems.

• Network scanner:
scans computers connected to a network. They check services and ports and therefore deliver information about possible security gaps.

(15)

Spoofing

• Spoofing is used in order to outwit authentication and identification mechanisms which are based on trusted addresses and/or hostnames.

• A distinction is drawn between:
IP spoofing
denotes the forging of the sender IP address.
DNS spoofing
denotes the corruption of entries in the DNS, so that a trusted hostname resolves to the attacker's address.

(16)

DoS attacks

• DoS = Denial of Service.
• Most common attack (simple and fast).
• Goal is to knock out the attacked system or at least to interfere with the access for valid users.
• Not easy to defend against, because the traffic often looks like legitimate requests.
• Next step: DDoS = Distributed Denial of Service: several machines start an attack at the same time.

(17)

Firewall Basics

A firewall is a barrier between two networks which must be passed in order to allow communication from one network to the other. All communication between the networks must go through the firewall.

(18)

Firewall definition

• A firewall consists of one or more hardware and software components.

• A firewall connects two networks in a way that all traffic between the networks must pass the firewall.

• A firewall implements a security strategy (policy), which realises access restrictions and, if required, attack recording (logging).

(19)

What a firewall can do

• Restriction of traffic between two networks.
• Access only to specific machines or services.
• Network monitoring and recording => logs.
• Manipulation of network traffic by use of

(20)

What a firewall can't do

• Closing security gaps directly.
• Correcting configuration or installation mistakes.
• Finding viruses or trojans.
• Making a network totally secure.

(21)

Firewall concepts

• Packet filter
Filtering on the network and transport layer (IP addresses and ports).

• Proxy gateways
Circuit-level gateway: filtering on the transport layer.
Application-level gateway: filtering on the application level (protocol dependent).

• Graphical Firewall
All internet applications run outside of the protected network. Only

(22)

Proxy-Gateway

• Proxy = lock keeper

• A proxy firewall acts as a server for the client and as a client for the server.

[Figure: Internet - firewall with application-dependent gateways (HTTP gateway, FTP gateway) - private network]

(23)

Proxy Gateway

• Offers application-specific services for clients.

• Control and observation functions for a specific application. Examples:
Prevent a client from using ftp to transfer data (via the "put" command) to an external ftp server.
Access to specific HTTP sites is forbidden.

• In contrast to packet filters the connection is really interrupted: there are two separate connections, client to proxy and proxy to server.

(24)

Protocols

Layer            Protocols
Application      HTTP, FTP, SMTP, DNS, SNMP, RIP
Transport        TCP, UDP
Internet         IP
Network access   Ethernet, Token-Ring, ATM

(25)

IP

• It carries the transport protocols TCP and UDP.
• It builds IP packets out of the data which have to be transmitted.
• It adds additional information, the IP header. It contains the source and destination address.

(26)

TCP

• TCP (Transmission Control Protocol) confirms (acknowledges) every received data segment.
• TCP retransmits each data segment until its receipt is confirmed.

(27)

Port communication

TCP/IP operates with IP addresses and ports.
Each IP address has 2^16 potential ports (per transport protocol).
The ports below 1024 are standardized (well-known ports), which are allocated to dedicated services, e.g.:

23   telnet
25   smtp
80   http
443  https

(28)

Packet filter

• Filtering of data packets by:
Sender/destination IP addresses
Sender/destination ports (services)
Protocols (TCP, UDP, ICMP)

• Separate filtering of incoming packets (INPUT) and outgoing packets (OUTPUT).
• Different rules for the input filter and the output filter.
• Lists of rules are so-called chains.
• A packet is checked by one rule after the other until either one rule matches or the end of the list is reached.

(29)

Packet filter (Policies)

• Every chain has a default setting for packet treatment, the so-called policy. The policy comes into play after a data packet was checked by all rules of a chain.
• If no rule matches, the default policy applies.
• There are two different strategies:
Allow every packet; only well-defined kinds of packets are denied.
Deny every packet; only well-defined kinds of packets are allowed. (Better: a forgotten rule then blocks something instead of exposing something.)

(30)

Packet filter (Reject, Drop)

• Packet filters have two different methods to handle a non-accepted packet.
Reject: the packet is discarded and an ICMP error message is delivered to the sender.
Drop: the packet is discarded silently.

• Drop is the better choice towards the Internet, because:
less traffic,
the packet could be part of an attack,
even an error message could be useful information for an aggressor.
(For clients inside the own network REJECT is often preferable: their applications fail immediately instead of waiting for a timeout.)
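The following script is an added example (it is not part of the lecture slides) that puts the preceding packet-filter slides into practice: a default-deny ruleset for a single host, built with the first-match chain semantics, the DROP policies and the REJECT-versus-DROP choice described above. Interface name eth0, the LAN 192.168.1.0/24 and the offered services (SSH, HTTP) are assumptions of the example. Unless APPLY=1 is set the script only prints the iptables command lines, so the rule order can be reviewed without root privileges.

```shell
#!/bin/sh
# Added example, not from the lecture slides. A default-deny INPUT/OUTPUT
# ruleset for one host. Assumptions: external interface eth0, local LAN
# 192.168.1.0/24, SSH (22) and HTTP (80) are the only services offered.
# Dry run by default: commands are printed, not executed, unless APPLY=1.

APPLY="${APPLY:-0}"

# ipt: run iptables for real when APPLY=1, otherwise print the command line.
ipt() {
    if [ "$APPLY" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables'
        for arg in "$@"; do printf ' %s' "$arg"; done
        printf '\n'
    fi
}

# build_host_ruleset: rules are appended (-A) in order; the first matching
# rule decides, so the order below is significant.
build_host_ruleset() {
    # 1. Start from an empty rule list (slide: "iptables --flush").
    ipt --flush

    # 2. Default deny: the policy applies only if no rule in the chain matched.
    ipt --policy INPUT   DROP
    ipt --policy OUTPUT  DROP
    ipt --policy FORWARD DROP

    # 3. Loopback traffic is needed by local processes; accept it first.
    ipt -A INPUT  -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # 4. Answers to connections this host opened (stateful match), in both
    #    directions, so no further rule has to know about reply ports.
    ipt -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 5. Requests of external clients to our own services: SSH and HTTP only.
    ipt -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
    ipt -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT

    # 6. Connections the host itself may open (DNS, HTTP, HTTPS).
    ipt -A OUTPUT -o eth0 -p udp --dport 53  -j ACCEPT
    ipt -A OUTPUT -o eth0 -p tcp --dport 80  -j ACCEPT
    ipt -A OUTPUT -o eth0 -p tcp --dport 443 -j ACCEPT

    # 7. REJECT vs DROP: answer LAN clients with an ICMP error so that their
    #    attempts fail immediately, but stay silent towards everybody else.
    #    The final DROP repeats the policy; it only makes the counters show
    #    how many packets reached the end of the chain.
    ipt -A INPUT -s 192.168.1.0/24 -j REJECT --reject-with icmp-port-unreachable
    ipt -A INPUT -i eth0 -j DROP
}

# count_rules CHAIN: number of -A rules the chain receives (always dry run).
count_rules() {
    (APPLY=0; build_host_ruleset) | grep -c -- "-A $1 "
}

build_host_ruleset
```

Read the output top to bottom as the kernel would: a packet from 192.168.1.5 to port 22 is accepted by rule 5 and never reaches the REJECT; a packet from the same host to port 8080 falls through to the REJECT and gets an ICMP answer; the same packet from the Internet is silently dropped. Only rules that a packet can actually reach matter, which is why the ESTABLISHED rule is placed before the service rules.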

(31)

Filtering incoming packets

• Filtering according to sender IP
There are some groups of IP addresses which can generally be dropped on the external interface. For example: sender addresses belonging to the own subnet (such packets cannot legitimately arrive from outside; they are spoofed), etc.

• Filtering according to destination IP
Only packets addressed to the own network are accepted.

• Filtering according to sender/destination port
We have to distinguish between requests of external clients to our own servers and incoming answers of external servers destined for local clients.

(32)

Stateful filtering

• Stateful filtering means the capability to store the state and contextual information of a TCP connection.
=> Dynamic packet filters analyse the state of a TCP connection.

Connection request of the client: SYN
Acknowledgement of the server: SYN-ACK
Acknowledgement of the client: ACK
Further transfer (from both sides): ACK

• Packets (containing an ACK flag) from outside to

(33)

Iptables

• Iptables (packet filter under Linux)
• Three chains (in the filter table): INPUT, OUTPUT, FORWARD.
• Routing decides if a packet is delivered to the INPUT chain or to the FORWARD chain.

(34)

Input vs. Forward Chain

• Packets for the machine itself are checked first by the INPUT chain. If the INPUT chain accepts the packet, it reaches the local processes of the machine.

• Packets for other machines (in our local protected network) run through the FORWARD chain. If the packet is accepted, it is delivered to the appropriate network interface.

(35)

Chains and routing

[Figure: incoming packet -> Routing -> Forward-Chain (accepted -> outgoing interface, otherwise Drop) or Input-Chain (accepted -> Local Processes, otherwise Drop); Local Processes -> Output-Chain -> outgoing packet]

(36)

IP Tables some commands

Delete all rules:
iptables --flush

Drop all packets by default:
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

Reject incoming packets arriving on our external interface with the IP address of that very interface as sender (they can only be spoofed).

(37)

Our netlab firewall

[Figure: Internet <-> eth0 (incoming/outgoing) Firewall eth1 (incoming/outgoing) <-> Switch <-> Server 1 ... Server N]
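As an added example (not part of the lecture slides), the script below builds the FORWARD-chain ruleset such a netlab firewall would need, combining the slides on filtering incoming packets (sender/destination address and port), stateful filtering (SYN, SYN-ACK, ACK), the INPUT vs. FORWARD chain distinction and the anti-spoofing command from the slide above. The addresses are assumptions of the example: 203.0.113.10 on eth0 towards the Internet, 192.168.10.0/24 on eth1 towards the servers, a web server 192.168.10.80 and a mail server 192.168.10.25. As before, commands are only printed unless APPLY=1.

```shell
#!/bin/sh
# Added example, not from the lecture slides: forwarding firewall for the
# netlab topology (eth0 = Internet, eth1 = protected server network).
# Assumed addresses: external 203.0.113.10, internal net 192.168.10.0/24,
# web server 192.168.10.80, mail server 192.168.10.25.
# Dry run by default (APPLY=1 executes the commands, root required).

APPLY="${APPLY:-0}"
EXT_IF=eth0; EXT_IP=203.0.113.10
INT_IF=eth1; INT_NET=192.168.10.0/24
WEB=192.168.10.80; MAIL=192.168.10.25

# ipt: run iptables when APPLY=1, otherwise print the command line.
ipt() {
    if [ "$APPLY" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables'; for a in "$@"; do printf ' %s' "$a"; done; printf '\n'
    fi
}

build_forward_ruleset() {
    ipt --flush
    ipt --policy INPUT DROP
    ipt --policy OUTPUT DROP
    ipt --policy FORWARD DROP

    # Sender-IP filtering on the external interface: a packet from the
    # Internet claiming to come from our own network or from our own
    # external address can only be spoofed. The slide says "reject"; DROP
    # is used here so that the forger gets no answer at all.
    ipt -A INPUT   -i "$EXT_IF" -s "$INT_NET" -j DROP
    ipt -A INPUT   -i "$EXT_IF" -s "$EXT_IP"  -j DROP
    ipt -A FORWARD -i "$EXT_IF" -s "$INT_NET" -j DROP
    ipt -A FORWARD -i "$EXT_IF" -s "$EXT_IP"  -j DROP

    # Destination-IP filtering: only packets for the protected network may
    # be forwarded in from outside; nothing else transits the firewall.
    ipt -A FORWARD -i "$EXT_IF" ! -d "$INT_NET" -j DROP

    # Stateful part. A TCP packet that is not the SYN of a handshake but
    # belongs to no known connection (e.g. a bare ACK from a scanner) is
    # dropped; packets of connections already accepted are let through.
    ipt -A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Requests of external clients to our own servers: only the SYN that
    # opens a connection to an offered service (destination port) passes.
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$WEB"  --dport 80  --syn -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$WEB"  --dport 443 --syn -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$MAIL" --dport 25  --syn -j ACCEPT

    # Local clients opening connections to the outside. Their answers come
    # back through the ESTABLISHED rule, so no inbound port is opened.
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -m conntrack --ctstate NEW -j ACCEPT

    # Whatever reaches the end of FORWARD is logged (rate limited); the
    # DROP policy then discards it.
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
}

# forward_rule_count: number of -A FORWARD rules generated (always dry run).
forward_rule_count() {
    (APPLY=0; build_forward_ruleset) | grep -c -- '-A FORWARD '
}

build_forward_ruleset
```

The two stateful rules are the ones that realise the SYN / SYN-ACK / ACK slide: a connection must begin with a SYN that a service rule accepts; every later segment of it (ACKs from both sides, and the server's SYN-ACK going out) is recognised by conntrack as ESTABLISHED and needs no rule of its own.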

(38)

How can I protect my own PC?

Deactivate all services which are not required.
Uninstall all programs which are not permanently used.
Uninstall all programs with well-known security gaps (even when you need them).
Inform yourself about security gaps and install updates.
Install a virus scanner (freeware: AntiVir).
