Security Type of attacks Firewalls Protocols Packet filter


Academic year: 2021


Overview

• Security

• Type of attacks

• Firewalls

• Protocols

• Packet filter

Computer Net Lab/Praktikum Datenverarbeitung 2

Security

• Security means protecting information (during and after processing) against impairment and against loss of confidentiality, integrity and availability. It is provided by:

– increasing availability through storage strategies: backup, redundant systems, RAID systems

– protection against unauthorized access:

Security requirements

• Availability

ensures that authorized persons are able to access data and communication services at any time.

• Integrity

guarantees that the data are authentic and undamaged.

• Privacy

Threats

• Active attacks

– Intrusion by unauthorized persons

– Impairment and disruption of the network

– Data modification

• Passive attacks

– Eavesdropping on passwords

– Eavesdropping on data

Aggressor

Who attacks?

– Competitors

– Hackers/crackers (beginners, professionals)

– Professional hackers (industrial espionage)

– Colleagues (approx. 70% of all attacks come from colleagues)

Examples

• February 2001

Hackers stole around 80,000 DIN A4 pages of private information, such as credit card numbers, passwords, etc., from the server of the World Economic Forum.

• October 2000

By use of so-called Trojans, hackers gained access to passwords of Microsoft employees. With these, the hackers were able to steal the newest source code release of a Microsoft operating system.

• February 2000

Yahoo was the victim of a denial-of-service attack. The Yahoo website was unavailable for more than 3 hours.

Kinds of attacks

• Password attack

• Data attack

• Malicious Code

• Scanner

• Spoofing

• FTP, MAIL, Telnet

• DOS-Attack

Password attack

• 3 methods

– Guessing, based on known or suspected user account names.

– Brute-force attack on a password file by use of special applications, e.g. Crack.

– Eavesdropping on connections in order to find out user names and their passwords.

Data attack

• Data attacks are carried out with so-called sniffers.

• Sniffers, or network monitoring tools, are applications originally used to monitor and analyse network traffic.

• Usually a computer receives via its network interface card only those packets which are destined for itself.

• But it is possible to get access to all traffic. This can be done when the network interface card is running in a special mode, the promiscuous mode.

Malicious Code

• Malicious code is unauthorized code (possibly hidden inside a legitimate application) doing jobs which are unknown to the user and usually undesired.

• Examples:

– Viruses

– Trojan horses

– Worms

Scanner

• Scanners are security tools originally used to find weak points of a system. There are system scanners and network scanners.

• System scanner:

scans its local host in order to find security gaps or configuration problems.

• Network scanner:

scans computers connected to a network. It checks services and ports and thereby delivers information about possible

Spoofing

• Spoofing is used to outwit authentication and identification mechanisms which are based on trusted addresses and/or hostnames.

• A distinction is drawn between:

– IP spoofing

denotes the forging of the sender IP address.

– DNS spoofing

FTP, Mail, Telnet

• FTP:

– Authentication by use of user name and password.

– No encryption of data and password.

• Mail:

– Sending of big mails affects the mail server's availability (mail bombing).

– Sending of mails with forged sender information.

• Telnet:

DOS-Attacks

• DOS = Denial of Service.

• Most common attack (simple and fast).

• Goal is to knock out the attacked system or at least to interfere with access for valid users.

• Not easy to block.

• Next step: DDOS = Distributed Denial of Service. Several machines start an attack at the same time. Examples: TCP SYN flooding, PING

Firewall Basics

• A firewall is a hurdle between two networks which must be cleared in order to allow communication from one network to the other. All communication between the networks must pass over the firewall.

Definition Firewall

• A firewall consists of one or more hardware and software components.

• A firewall connects two networks in a way that all traffic between the networks must pass through the firewall.

• A firewall implements a security strategy, which realises access restrictions and, if required, the recording of attacks.

• A firewall lets only those data packets pass which fulfil the security strategy.

What a Firewall can do

• Restriction of traffic between two networks.

• Access only to specific machines or services.

• Network monitoring and recording => logs.

• Manipulation of network traffic by use of special mechanisms (e.g. traffic limitation, IP address replacement, etc.).

What a Firewall can't do

• Closing security gaps directly.

• Correcting configuration or installation mistakes.

• Detecting viruses or Trojans.

Firewall-Concepts

• Packet filter

Filtering on the network layer (IP addresses and ports).

• Proxy gateways

– Circuit Level Gateway

Filtering on the transport layer.

– Application Level Gateway

Proxy-Gateway

• Proxy = lock keeper

• A proxy firewall acts as a server for the client and as a client for the server.

[Figure: firewall with application-dependent proxy services (HTTP gateway, FTP gateway) between the Internet and the private, local net]

Proxy-Gateway

• Offers application-specific services for clients.

• Control and monitoring functions for a specific application.

• Examples:

– Prevent a client from using FTP to transfer data (via the "put" command) to an external FTP server.

– Access forbidden for specific HTTP sites.

• In contrast to packet filters, the connection is really interrupted (at the proxy).

• IP addresses of the internal net are invisible.

Protocols

Application: HTTP, FTP, SMTP, DNS, SNMP, RIP

Transport: TCP, UDP

Internet: IP

Ethernet, Token-Ring, ATM

IP

• It carries the transport protocols TCP and UDP.

• It builds IP packets out of the data which have to be transmitted.

• It adds additional information, the IP header, which contains the source and destination address.

TCP

• TCP (Transmission Control Protocol) confirms every received data packet.

• TCP retransmits each data packet until its reception is confirmed.

• TCP is reliable, that means the transmission is guaranteed.

Port Communication

[Figure: host 134.91.100.1 with its ports]

• Communication via TCP/IP operates by IP addresses and ports.

• Each IP address has 2^16 potential ports.

• The ports below 1024 are standardized (well-known ports), which are allocated to dedicated services, e.g.:

23 telnet
25 smtp
80 http
443 https

Packet filter

• Filtering of data packets by:

– Sender/destination IP addresses

– Sender/destination ports (services)

– Protocols (TCP, UDP, ICMP)

• Separate filtering of incoming packets (INPUT) and outgoing packets (OUTPUT).

• Different rules for input filter and output filter.

• Lists of rules are so-called chains.

• A packet is checked by one rule after the other until either one rule matches or the end of the list is reached.

Packet filter (Chains)

[Figure: an incoming packet from the network interface enters the INPUT chain and is checked against rule 1, rule 2, rule 3, ... in order; the first rule that matches decides]

Packet filter (Policies)

• Every chain has a default setting for packet treatment, the so-called policy. The policy comes into play after a packet has been checked against all rules of a chain.

• If no rule matches, the default policy applies.

• There are two different strategies:

– Deny every packet; only well-defined kinds of packets are allowed (better).

– Allow every packet; only well-defined kinds of packets are forbidden.

Packet filter (Reject vs. Drop)

• Packet filters have two different methods to handle a non-accepted packet.

– Reject: the packet is deleted and an ICMP error message is delivered to the sender.

– Drop: the packet is deleted silently.

• Drop is the better choice, because:

– less traffic,

– the packet could be part of an attack,
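As an added illustration of the three slides above (a chain checked rule by rule, the default policy when nothing matches, and REJECT vs. DROP), here is a small Python simulation written for this page, not code from the course. The host address 134.91.100.1 comes from the slides; the /24 subnet, the 10.0.0.0/8 senders and the rule set are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ACCEPT, DROP, REJECT = "ACCEPT", "DROP", "REJECT"

@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str                     # sender IP address
    dst: str                     # destination IP address
    dport: Optional[int] = None  # destination port (None for ICMP)

@dataclass(frozen=True)
class Rule:
    action: str                  # ACCEPT, DROP or REJECT
    proto: Optional[str] = None  # None matches any protocol
    src: Optional[str] = None    # CIDR of senders, None matches any
    dst: Optional[str] = None    # CIDR of destinations, None matches any
    dport: Optional[int] = None  # None matches any port

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
                and (self.dport is None or self.dport == p.dport))

class Chain:
    """Rules are checked in order; the first match decides, otherwise the policy applies."""
    def __init__(self, name: str, policy: str, rules: List[Rule]):
        self.name, self.policy, self.rules = name, policy, rules

    def check(self, p: Packet) -> Tuple[str, str]:
        for i, rule in enumerate(self.rules, start=1):
            if rule.matches(p):
                return rule.action, f"{self.name} rule {i}"
        return self.policy, f"{self.name} policy"

def sender_sees(verdict: str, p: Packet) -> Optional[str]:
    """REJECT answers with an ICMP error; DROP stays silent (less traffic, no hint)."""
    return f"ICMP error to {p.src}" if verdict == REJECT else None

# Constructed INPUT chain for the "deny everything, allow only well-defined kinds" strategy
# (assumed: 134.91.100.0/24 is our own subnet, 134.91.100.1 runs our web server).
INPUT = Chain("INPUT", DROP, [
    Rule(DROP, src="134.91.100.0/24"),                            # own subnet arriving from outside
    Rule(ACCEPT, proto="tcp", dst="134.91.100.1/32", dport=80),   # our web server
    Rule(REJECT, proto="tcp", dst="134.91.100.1/32", dport=23),   # telnet: refuse with ICMP error
])
```

Packets not matched by any rule fall through to the chain's DROP policy, which is the "deny every packet" strategy the slides recommend.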

Filtering of incoming packets

• Filtering according to sender IP

There are some groups of IP addresses which can generally be dropped, for example: IP addresses of our own subnet arriving from outside, etc.

• Filtering according to destination IP

Only packets addressing our own network are accepted.

• Filtering according to sender/destination port

We have to distinguish between requests of external clients to our own servers and incoming answers of external servers destined for local clients.

Filtering of outgoing packets

• Filtering according to sender IP

Only packets with correct IP addresses of our own network are allowed to pass.

• Filtering according to destination IP

Depends on the requested services, e.g.: request to an external mail server.

• Filtering according to sender port

Client requests to external resources are usually made from ports above 1024. Local servers use well-defined ports (below 1024) when they send an answer to external clients.

Stateful Filtering

• Stateful filtering means the capability to store the state and context information of a TCP network connection.

=> Dynamic packet filters analyse the state of a TCP connection:

Connection request of client: SYN

Acknowledgement of server: SYN-ACK

Acknowledgement of client: ACK

Further transfer (from both sides): ACK

• Packets (containing an ACK flag) from outside to inside are only accepted if a packet from inside to outside (containing a SYN flag) was sent before.
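An added Python simulation of the dynamic packet filter described on this slide (written for this page, not code from the course): it follows the SYN / SYN-ACK / ACK sequence above and accepts inbound packets only for connections that an inside host opened first. The inside net 134.91.100.0/24 and the outside host 10.0.0.9 used for checking it are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Tuple

@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # SYN flag set
    ack: bool = False   # ACK flag set

# connection key: (inside IP, inside port, outside IP, outside port)
Key = Tuple[str, int, str, int]

class StatefulFilter:
    """Dynamic packet filter: inbound TCP is accepted only for connections an inside host opened."""
    def __init__(self, inside_net: str):
        self.inside = ip_network(inside_net)
        self.conns: Dict[Key, str] = {}   # per connection: SYN_SENT -> SYN_RECV -> ESTABLISHED

    def _key(self, p: TcpPacket, outbound: bool) -> Key:
        return (p.src, p.sport, p.dst, p.dport) if outbound else (p.dst, p.dport, p.src, p.sport)

    def check(self, p: TcpPacket) -> str:
        outbound = ip_address(p.src) in self.inside      # inside -> outside?
        key = self._key(p, outbound)
        state = self.conns.get(key)
        if outbound and p.syn and not p.ack:             # client: connection request (SYN)
            self.conns[key] = "SYN_SENT"
            return "ACCEPT"
        if not outbound and p.syn and p.ack and state == "SYN_SENT":   # server: SYN-ACK
            self.conns[key] = "SYN_RECV"
            return "ACCEPT"
        if outbound and p.ack and state == "SYN_RECV":   # client: final ACK of the handshake
            self.conns[key] = "ESTABLISHED"
            return "ACCEPT"
        if p.ack and state == "ESTABLISHED":             # further transfer from both sides
            return "ACCEPT"
        return "DROP"   # e.g. an inbound ACK or SYN for which no inside host sent a SYN first
```

An inbound packet that merely carries an ACK flag is dropped unless the state table already holds a connection the inside host opened, which is exactly the rule on the slide.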

Iptables (1)

• Iptables (packet filter under Linux)

• Three chains: INPUT, OUTPUT, FORWARD.

• Routing decides whether a packet is delivered to the INPUT chain or to the FORWARD chain.

• Packets for the machine itself are first checked by the INPUT chain. If the INPUT chain accepts a packet, it reaches the local processes of the machine.

• Packets for foreign machines (in our local protected net) run through the FORWARD chain. If a packet is accepted, it is delivered to the appropriate network interface.

IPTables (2)

[Figure: packet flow through iptables: routing decision -> FORWARD chain or INPUT chain -> local processes -> OUTPUT chain; each chain can drop packets]

IPTables (some commands)

• Delete rules:

iptables --flush

• Drop all packets (default policies):

iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

• Reject incoming packets coming from the IP address of our own external interface

Firewall example

How can I protect my own PC

• Deactivate all services which are not required.

• Uninstall all programs which are not permanently used.

• Uninstall all programs with well-known security gaps (even when you need them).

• Inform yourself about security gaps and apply updates.

• Install a virus scanner (freeware: AntiVir).
