
Defense Techniques



Presentation Transcript


  1. Defense Techniques Sepehr Sadra Tehran Co. Ltd. Ali Shayan November 2008

  2. Overview
  • Firewalls
    • General overview
    • Packet filter, circuit-level gateway, application gateway
    • Stateful inspection
  • Firewalking

  3. Firewall
  • The local network is trusted; the "outside" is potentially malicious
  • Unprotected network
    • security is implemented on each host separately
    • a single vulnerable host compromises the security of the whole network
    • administrative nightmare
  • Protected network
    • place a barrier at the border between the trusted inside network and the outside
    • the barrier provides access control
    • it also helps with system monitoring and simplifies management
  • Such a barrier is called a firewall

  4. Firewall
  • Not the ultimate solution
    • cannot deal satisfactorily with content (it decides on addresses, ports and flags, not on what the application data means)
    • vulnerable to inside attacks and covert channels
    • potential performance bottleneck
    • once compromised, the network behind it is unprotected
  • Security strategies
    • least privilege: grant only the permissions that are necessary
    • defense in depth: the firewall is one layer; additional security measures must be present behind it
    • fail-safe: a failing firewall must not reduce security, i.e. it fails closed (blocks traffic) rather than open

  5. Packet Filter
  • Packet filters route packets between internal and external hosts
  • They do so selectively, i.e. they perform filtering: certain types of packets are allowed, others are blocked
  • The screening decision is based on
    • protocol (whether the packet is TCP, UDP or ICMP)
    • IP source/destination address
    • TCP or UDP source/destination port
    • TCP flags
    • ICMP message type
  • The inbound and outbound interfaces may also be used to specify rules

  6. Packet Filter
  • Filtering rules: the filtering policy is specified as a set of rules
  • Each rule specifies
    • an action (allow, deny)
    • a source address/port pattern
    • a destination address/port pattern
    • presence or absence of flags
  • When a packet is received, the rules are applied in an ordered sequence
    • the first rule that matches determines the action taken
    • if no rule matches, a default action is taken (a fail-safe configuration defaults to deny)
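The ordered, first-match rule evaluation of slides 5 and 6, written out as an added example (this is not code from the presentation or from any of the products it names). The interface name "ext", the protected range 10.0.0.0/8, the host addresses and the ruleset are all constructed for the illustration; the rule order shows why an anti-spoofing rule has to come before any "allow" rule, and the last rule shows the stateless "ACK set means reply traffic" trick that slide 7 later attacks.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str                            # interface the packet arrived on
    proto: str                            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()   # TCP flags present, e.g. {"SYN", "ACK"}
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                                 # "allow" or "deny"
    iface: Optional[str] = None                 # None in any field means "match anything"
    proto: Optional[str] = None
    src: Optional[str] = None                   # CIDR prefix
    dst: Optional[str] = None
    dport: Optional[int] = None
    flags_set: FrozenSet[str] = frozenset()     # flags that must be present
    flags_clear: FrozenSet[str] = frozenset()   # flags that must be absent
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if not self.flags_set <= p.flags or (self.flags_clear & p.flags):
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        return True


def filter_packet(rules: List[Rule], p: Packet, default: str = "deny") -> Tuple[str, Optional[int]]:
    """Apply the rules in order; the first match decides.
    Returns (action, index of the matching rule), or (default, None) if nothing matched."""
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, i
    return default, None


INSIDE = "10.0.0.0/8"   # constructed: address range of the protected network

# Constructed ruleset for the outside interface "ext". Order matters: rule 0 must come
# before rule 1, otherwise a spoofed packet claiming an inside source would reach the web server.
RULES = [
    Rule("deny", iface="ext", src=INSIDE),                                    # 0 anti-spoofing
    Rule("allow", iface="ext", proto="tcp", dst="10.0.0.80/32", dport=80),     # 1 public web server
    Rule("allow", iface="ext", proto="tcp", dst=INSIDE,
         flags_set=frozenset({"ACK"})),                                        # 2 replies to inside-initiated TCP
    Rule("allow", iface="ext", proto="udp", dst="10.0.0.53/32", dport=53),     # 3 queries to the public name server
    Rule("allow", iface="ext", proto="icmp", icmp_type=3),                     # 4 destination unreachable (path MTU)
]

if __name__ == "__main__":
    syn = Packet("ext", "tcp", "203.0.113.5", "10.0.0.80", 40001, 80, frozenset({"SYN"}))
    print(filter_packet(RULES, syn))   # first match is rule 1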

  7. Packet Filter
  • Might be vulnerable to spoofing
    • the filter only sees the source address a packet claims; if it only inspects packets coming from outside, it must at least drop packets that arrive on the external interface but claim an internal source address
  • Fragmented datagrams
    • only the first fragment carries the transport header; a fragment without enough information to apply the filter is discarded
    • when the first fragment contains enough information and passes, the remaining fragments are passed unchecked
    • potential vulnerability
      • the first fragment carries innocent header values and passes the filter
      • a later fragment with a small non-zero offset overlaps the header and rewrites these values with malicious ones during reassembly
      • the reassembled datagram is delivered to the protected service
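The overlapping-fragment attack of slide 7, as an added example that is not part of the presentation. It builds the RFC 1858 variant: the first fragment is a complete TCP header with ACK set, which a stateless filter accepts as reply traffic; the second fragment sits at offset 1 (byte 8) and overwrites the flags field, so the reassembled segment is a SYN to a port the filter would have blocked. The reassembler's "last fragment wins" overlap policy is an assumption chosen to model the permissive stacks the attack needs; real stacks differ. The hardened filter adds the two checks RFC 1858 recommends (reject a tiny first fragment and any fragment with offset 1), with the 20-byte minimum being the policy chosen here.

```python
import struct
from typing import List, Tuple

# One IP fragment as (fragment offset in 8-byte units, more-fragments flag, payload bytes).
Fragment = Tuple[int, bool, bytes]

FLAG_SYN = 0x02
FLAG_ACK = 0x10


def tcp_header(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """A 20-byte TCP header without options (data offset 5 words, window 8192, checksum and urgent pointer 0)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)


def parse_tcp(segment: bytes) -> Tuple[int, int, int]:
    """Return (source port, destination port, flags) of a TCP segment."""
    sport, dport, _seq, _ack, _offset, flags = struct.unpack("!HHIIBB", segment[:14])
    return sport, dport, flags


def reassemble(frags: List[Fragment]) -> bytes:
    """Reassembler that copies fragments into the buffer in arrival order, so a later fragment
    overwrites the bytes of an earlier one where they overlap. Assumption: this "last fragment wins"
    policy stands in for the permissive overlap handling the attack relies on; real stacks differ."""
    buf = bytearray()
    for offset, _more, payload in frags:
        start = offset * 8
        end = start + len(payload)
        if len(buf) < end:
            buf.extend(bytes(end - len(buf)))
        buf[start:end] = payload
    return bytes(buf)


def naive_filter(frags: List[Fragment]) -> str:
    """The filter of slide 7: inspects only the first fragment (offset 0) and passes the others
    unchecked. Policy: inbound TCP is allowed only when ACK is set (a reply to an inside-initiated
    connection); a SYN from outside is denied."""
    for offset, _more, payload in frags:
        if offset == 0:
            _sport, _dport, flags = parse_tcp(payload)
            if not flags & FLAG_ACK:
                return "deny"
    return "allow"


def hardened_filter(frags: List[Fragment]) -> str:
    """Same policy plus the two checks RFC 1858 recommends: drop a first fragment that is too small
    to carry the whole TCP header, and drop any fragment with offset 1, since the only reason for
    it to exist is to overwrite bytes 8-15 of the TCP header (ack number, data offset, flags)."""
    for offset, _more, payload in frags:
        if offset == 0 and len(payload) < 20:
            return "deny"
        if offset == 1:
            return "deny"
    return naive_filter(frags)


def overlap_attack(dport: int) -> List[Fragment]:
    """Constructed attack datagram: an innocent-looking first fragment (full header, ACK set) and a
    second fragment at offset 1 (byte 8) that rewrites ack number, data offset, flags, window,
    checksum and urgent pointer, turning the reassembled segment into a SYN."""
    first = (0, True, tcp_header(40000, dport, FLAG_ACK))
    second = (1, False, struct.pack("!IBBHHH", 0, 5 << 4, FLAG_SYN, 8192, 0, 0))
    return [first, second]


if __name__ == "__main__":
    frags = overlap_attack(23)
    print(naive_filter(frags), hardened_filter(frags), parse_tcp(reassemble(frags)))
```

The naive filter reports "allow" for the attack datagram while the reassembled segment it lets through is a SYN to port 23; the hardened filter rejects the offset-1 fragment before the policy is even consulted.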

  8. Packet Filter
  • Advantages
    • easy to implement (relies on existing hardware, e.g. a router)
    • good performance
  • Limits
    • limited auditing
    • difficult to configure
    • not very flexible or extensible
    • can be bypassed by tunneling information inside allowed traffic
  • Implementations
    • FreeBSD: ipfw, ipf
    • Linux: iptables, ipchains

  9. Gateway
  • A gateway is a host with two (or more) network interfaces
  • (Usually) the operating system is configured so that IP forwarding is disabled
  • Traffic can pass across the gateway only if an application explicitly performs the transfer (a proxy)
  • Proxy service
    • an application that acts as an intermediary between a client within the protected network and a server in the outside world, and vice versa
    • when a client requests a connection to the outside, it actually connects to the proxy
    • the proxy examines the connection request with respect to the security policy
    • and possibly opens the actual connection to the server on behalf of the client

  10. Circuit-Level Gateway
  • Checks not only individual packets but sessions/connections (the TCP handshake)
  • Once a connection is admitted, data is relayed transparently in both directions
  • Does not need to be aware of the application protocol
  • Cannot perform application-level filtering

  11. Application Gateway
  • Application-level gateways interpret the particular application protocol being "proxied", e.g. HTTP or FTP
    • need to know the details of the application protocol
    • need a different proxy for each protocol
    • can perform advanced filtering (e.g. on particular commands)
  • Advantages
    • cheap
    • extensive logging possible
    • very secure: the internal network is invisible from outside, since every connection originates from the gateway
  • Limits
    • scalability, performance bottleneck

  12. Stateful Inspection
  • Acts as a packet filter, circuit-level and application-level gateway
  • but also accesses higher-level protocol information
    • allows tracking sessions (e.g. FTP, whose data connection uses ports negotiated on the control connection)
    • virtual sessions for connection-less protocols (e.g. UDP)
      • the firewall stores the addresses and ports used in a particular UDP transaction
      • and temporarily creates an exception to let the answer pass through
  • Products: Cisco PIX, Check Point FireWall-1, Sepehr 4100, 3400
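The UDP "virtual session" of slide 12 as an added example (not code from the presentation or from any product it names). An outbound datagram from the protected range records the reversed 4-tuple with an expiry time; only an inbound datagram that matches an unexpired entry is passed, and the entry is refreshed by traffic and removed when it times out. The range 10.0.0.0/8, the 30-second timeout and the addresses in the usage are constructed. Contrast this with the stateless filter of slide 6, which would have to allow every inbound datagram from source port 53 to let DNS answers through.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, Tuple

# A UDP "virtual session" is keyed by the 4-tuple the reply is expected to carry.
Key = Tuple[str, str, int, int]   # (src, dst, sport, dport)


class StatefulUdpFilter:
    """Stateful UDP filtering: an outbound datagram from the inside creates a temporary entry for
    the reversed 4-tuple; only inbound datagrams matching an unexpired entry are passed. The clock
    is passed in explicitly so the expiry logic can be exercised deterministically."""

    def __init__(self, inside: str = "10.0.0.0/8", timeout_s: float = 30.0) -> None:
        self.inside = ip_network(inside)   # constructed: the protected network
        self.timeout = timeout_s
        self.table: Dict[Key, float] = {}  # expected reply tuple -> expiry time

    def _expire(self, now: float) -> None:
        for key in [k for k, exp in self.table.items() if exp <= now]:
            del self.table[key]

    def handle(self, src: str, dst: str, sport: int, dport: int, now: float) -> str:
        self._expire(now)
        if ip_address(src) in self.inside:
            # outbound: allowed, and the firewall remembers which answer to let back in
            self.table[(dst, src, dport, sport)] = now + self.timeout
            return "allow"
        key = (src, dst, sport, dport)
        if key in self.table:
            self.table[key] = now + self.timeout   # refresh the exception while traffic flows
            return "allow"
        return "deny"   # unsolicited inbound UDP


if __name__ == "__main__":
    fw = StatefulUdpFilter()
    print(fw.handle("10.0.0.5", "192.0.2.1", 5353, 53, now=0.0))   # query out: allow
    print(fw.handle("192.0.2.1", "10.0.0.5", 53, 5353, now=1.0))   # answer in: allow
    print(fw.handle("192.0.2.1", "10.0.0.5", 53, 5353, now=40.0))  # after timeout: deny
```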

  13. De-Militarized Zone
  • DMZ: de-militarized zone
    • network area between two packet filters
    • the external filter admits traffic from outside only to the DMZ hosts, and only for the services they offer
    • the internal filter admits only traffic initiated from inside (and its replies); DMZ hosts cannot open connections into the internal network
    • separates the external and the internal network
  • Contains hosts that provide
    • external services (e.g. web server, DNS) and
    • application gateways for internal clients
  • When DMZ hosts are compromised
    • internal traffic cannot be sniffed, since it does not cross the DMZ segment
    • the internal packet filter still protects the internal network

  14. Firewalking
  • Technique used to test the rules of a firewall without triggering an IDS on the hosts behind it
  • Tool available at http://www.packetfactory.net/Projects/Firewalk/
  • Based on the same mechanism as traceroute
    • firewall at hop n
    • target host at hop n+m
    • probe packets are sent with the TTL set to n+1
    • if an ICMP "TTL exceeded" message comes back (from hop n+1), the firewall did not filter the packet; if nothing comes back, the packet was filtered
  • The firewall's ACLs are scanned without the probes ever reaching the target host, so its logging mechanisms are not triggered
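The firewalking logic of slide 14 as an added example that models the network rather than sending packets (it is not the Firewalk tool's code). Each hop decrements the TTL and answers with ICMP "time exceeded" when it reaches zero; a filtering hop silently drops probes to the ports its ACL blocks. The ramping phase finds n by tracerouting to the gateway, the scanning phase sends one probe per port with TTL n+1 and treats a reply from hop n+1 as proof that the firewall forwarded the probe. The path, the hop names and the blocked ports are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Hop:
    name: str
    blocked_ports: Set[int] = field(default_factory=set)   # TCP ports this hop's ACL drops; empty for a plain router


def send_probe(path: List[Hop], ttl: int, dport: int) -> Optional[str]:
    """Forward one TCP probe along the path. Each hop decrements the TTL and, if it reaches zero,
    answers with ICMP "time exceeded" (we return that hop's name). A filtering hop silently drops
    probes to blocked ports. Returns None when no time-exceeded message comes back."""
    for hop in path:
        ttl -= 1
        if ttl == 0:
            return hop.name               # TTL expired here, before this hop applies any ACL
        if dport in hop.blocked_ports:
            return None                   # dropped by the ACL
    return None                           # delivered to the last host; whatever it answers is not "time exceeded"


def hop_count_to(path: List[Hop], name: str, ramp_port: int = 53) -> int:
    """Ramping phase: traceroute towards the gateway with increasing TTL until it answers."""
    for ttl in range(1, len(path) + 1):
        if send_probe(path, ttl, ramp_port) == name:
            return ttl
    raise LookupError(f"{name} not found on path")


def firewalk(path: List[Hop], firewall_hop: int, ports: List[int]) -> Dict[int, str]:
    """Scanning phase: probe each port with TTL = n + 1. A time-exceeded reply from hop n + 1
    proves the firewall forwarded the probe ("open"); silence means it was filtered."""
    ttl = firewall_hop + 1
    beyond = path[firewall_hop].name      # hop n + 1 (the list is 0-indexed)
    return {p: ("open" if send_probe(path, ttl, p) == beyond else "filtered") for p in ports}


# Constructed path: two routers, the firewall as hop 3, one more router, then the target host.
PATH = [Hop("r1"), Hop("r2"), Hop("fw", blocked_ports={23, 445}), Hop("r4"), Hop("target")]

if __name__ == "__main__":
    n = hop_count_to(PATH, "fw")
    print(n, firewalk(PATH, n, [22, 23, 80, 445]))
```

Note what the model makes visible: the probes that get through expire at hop n+1 and never reach the target, which is why a host-based IDS or the target's logs stay quiet; the firewall itself may still log the drops, and a firewall that never forwards packets with a small TTL, or that normalises TTLs, defeats the technique.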

  15. References
  • [1] National Institute of Standards and Technology, Guidelines on Firewalls and Firewall Policy, NIST SP 800-41, 2002.
  • [2] Sepehr S. T. Co. Ltd., Sepehr Firewalls, October 2008.
  • [3] D. Brent Chapman and Elizabeth D. Zwicky, Building Internet Firewalls, O'Reilly, 2nd edition, 2000.
