1 / 48

COMP3123 Internet Security

COMP3123 Internet Security. Richard Henson University of Worcester November 2011. Week 6: Securing a LAN connected to the Internet against Attack. Objectives: Explain what a Firewall is, why it is needed, and why users find it frustrating…

Download Presentation

COMP3123 Internet Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. COMP3123 Internet Security Richard Henson University of Worcester November2011

  2. Week 6: Securing a LAN connected to the Internet against Attack • Objectives: • Explain what a Firewall is, why it is needed, and why users find it frustrating… • Explain what a Proxy Service is, and why it can be a more flexible solution than a firewall • Relate the principles of IP and TCP port filtering to the challenge posed by threats to LAN server security from Internet

  3. Unsecured LAN-Internet Connection via Router INTERNET/EXTERNAL NETWORK ROUTER – no packet filtering Internal Network ...

  4. An Unsecured LAN-Internet Connection via Router Layer 3 Layer 3 Data through unchanged Layer 2 Layer 2 Layer 1 Layer 1 router

  5. An Unsecured LAN-Internet Connection via Router • Routers only process data up to OSI level 3 • even with full user authentication on network services… • outgoing IP packets are untouched unless IP filtering is used • BUT, IP filtering will slow down packet flow… • Also… • request by a LAN client for Internet data across a router reveals the client IP address • this is a desired effect…. • “local” IP address must be recorded on the remote server • picks up required data & returns it via the router and server to the local IP address • problem – could be intercepted, and future data to that IP address may not be so harmless…

  6. An Unsecured LAN-Internet Connection via Router • Another problem: wrath of IANA • IP address awarding & controlling body • big penalties if ANY internal LAN IP address conflicts with an existing Internet IP address they allocated… • If local clients have direct access to the Internet and they can be allocated locally, this COULD happen • Safeguard: • use DHCP (dynamic host configuration protocol) • allocate client IP from within a fixed range allocated to that domain by IANA

  7. A LAN-Internet connection via Gateway INTERNET/EXTERNAL NETWORK e.g. TCP/IP GATEWAY – packet conversion e.g. Novell IPX/SPX Internal Network ...

  8. A LAN-Internet connection via Gateway • At a gateway, processing goes up the protocol stack: • to at least level 4 • Possibly right up to level 7 • Because local packets can be converted into other formats: • remote network therefore does not have direct access to the local machine • IP packets only recreated at the desktop • local client IP addresses therefore do not need to comply with IANA allocations

  9. Creating a “Secure Site”? • To put it bluntly – a secure site is a LAN that provides formidable obstacles to potential hackers • keep a physical barrier between local server and the internet • Physical barrier linked through an intermediate computer called a Firewall or Proxy Server • may place unnecessary restrictions on access • security could be provided at one of the seven layers of the TCP/IP stack

  10. Security Architecture & Secure sites • This includes all aspects of security controls • can be imposed on internal users through group policy objects • external attempts to hack cannot be controlled in this way, because they are not authorised users • What about external threats? • need to focus on external data and security controls to deal with it…

  11. The Firewall… INTERNET/EXTERNAL NETWORK No data in… TCP/IP out Firewall TCP/IP Internal Network ...

  12. Using a Firewall to secure Routed Connections • Completely separate local network data from Internet data using a physical barrier: • Firewall (robust but inflexible) • Proxy Server (flexible) • Either solution will have a similar safeguarding effect to using a gateway: • client IP addresses will not interact with the Internet • therefore do not need to be IANA approved • but makes good sense to use DHCP anyway…

  13. What is a Firewall? • “A set of components that restricts access between a protected network and the Internet” • therefore divides a potential internetwork into internal and external components: • Internal Network • under consideration from a security point of view • keptlogicallyseparate from the Internet • External Network • Generally assumed to be the Internet or network that cannot be secured

  14. A Firewall should… • Protect the network from: • TCP/IP attacks, probes and scans • denial of service attacks • malicious code such as viruses, worms and trojans • Provide, depending upon the security policy and the type of firewall used: • Network Address Translation (NAT) • authentication or encryption services • web filtering • To do this, it must be appropriately configured…

  15. The Screening Router X Blocked Services Screening Router

  16. Screening Routers • Every IP packet contains: • IP address of source • IP address of destination • source and destination TCP port(s) • protocol being used (e.g. FTP, SMTP,etc) • A router simply routes the packet towardsits destination address • A screening router: • scrutinises whole packet headers • decideswhat to do with the packet

  17. The Screening Router • Packets checked individually • therefore requires more processing power than a standard router • Once a packet has been scrutinised, the screening router can take one of three actions: • block the packet • forward it to the intended destination • forward it to another destination • IP addresses on the internal network can therefore be “protected” from external packets with a particular source address

  18. The Proxy Server Firewall with Proxy service Real server Request to proxy server Internal Network ...

  19. TheProxy Server • A firewall that offers a client-server “proxy” service • allows the firewall to act as an intermediate party between the Internet and local network services: • intercepts user (client) requests for services such as FTP • decides whether or not to forward them to the true server • The effect is that the internal and external computers talk to the proxy service rather than directly to each other

  20. Proxy Service - continued • The user on either side of the firewall is presented with an illusion that they are talking to a real server • in fact they are both dealing with a proxy • So if an outside user tries to “hack” into the network server… • the actual internal network architecture is hidden • A proxy server can be programmed to block certain requests, sites, actions e.g: • blocking certain WWW sites • preventing FTP downloads

  21. DMZ (Demilitarized Zone) • Beyond the firewall but not yet through the Internet Router/Gateway… • A router normally stops incoming Internet traffic from getting on your network • unless the traffic is in response to one of your computers • or when using port forwarding • Alternately… • incoming traffic can go to one computer on your network by establishing a "Default DMZ Server“ (humorous reference to "Demilitarized Zone") • avoids having to figure out what ports an Internet application wants • all ports are open for that computer…

  22. Bastion Host • Acts as a firewall, and also runs the proxy and other services • Main or only point of contact between users of an internal network and theexternal network • Must be highly secured because it is vulnerable to attack • External logins to the Bastion Host must not be allowed as user accounts represent an easy way to attack networks…

  23. Dual Homed Host • Based on dual homed computer (2+ interfaces) • Does NOT allow through routing of packets • Communication through the DHH occurs as follows: • via proxies • Userslogin to DHH • However: • logging in of users to DHH will create further security problems… • Not all Internet services can be proxiedfor technical reasons

  24. INTERNET Dual Homed Host ** Firewall ** Dual-homed Host with proxy services

  25. Screened Host • Uses a screening router • can block certain types of service • Routes packets to internal bastion only • may act as a proxy for services • Disadvantage: • if the internal bastion is hacked into • then other computers on the internal network can then easily be accessed

  26. Screened Host INTERNET X Blocked Services Firewall Screening Router Bastion Host (Proxy Services)

  27. Typical Types of External Attacks - 1 • Exhaustive • “brute force” attacks using all possible combinations of passwords to gain access • Inference • taking educated guesses on passwords, based on information gleaned • TOC/TOU (Time of check/use) • 1. use of a “sniffer” to capture log on data • 2. (later) using captured data & IP address in an attempt to impersonate the original user/client

  28. Typical Types of External Attacks - 2 • Three other types of attacks that firewalls should be configured to protect against: • denial of service (DOS) attacks • distributed denial of service (DDOS) attacks • IP Spoofing (pretence that the data is coming from a “safe” source IP address

  29. Firewalls and TCP, UDP ports • Remember this model? TELNET FTP SMTP NFS DNS SNMP TCP UDP IP

  30. TCP ports that may be open to attack • TCP and UDP ports • both important features of TCP/IP • provide logical links for passing data between the transport layer and an application layer service • Usually defined by an RFC (remember those?) • Examples: • FTP: port 21 Telnet: port 23 • SMTP: port 25 DNS: port 53 • HTTP: port 80 POP3: port 110 • Problem… • what if the service isn’t being used?…

  31. Blocking TCP ports with a Firewall • Very many TCP and UDP ports: • 0 - 1023 are tightly bound to application services • 1024 – 49151 more loosely bound to services • 49152 – 65535 are private, or “dynamic” • In practice, any port over 1023 could be assigned dynamically to a service… • One of the more useful features of a firewall is that ports can be configured, and therefore data flow can be monitored and controlled

  32. Blocking TCP ports with a Firewall • Generally, TCP ports should be: • EITHER open for a service (e.g. HTTP on port 80) • OR… blocked if no service, to stop opportunists • But if the firewall only allows “official services” this can cause problems for legitimate users • e.g. if port 25 is blocked, email data cannot be sent

  33. Protecting Against TCP/IP Attacks, Probes and Scans • TCP/IP protocol stack has been largely unchanged since the early 1980's: • more than enough time for hackers to discover their weaknesses • often attack through a particular TCP port

  34. TCP Port 21: FTP (File Transfer Protocol) • FTP servers excellent • BUT by their very nature they open up very big security holes • those that allow anonymous logins are used: • to launch attacks on the server itself, by connecting to the C: drive and downloading viruses or overwriting/deleting files • to store pirated files and programs • Precaution: • configure FTP servers NOT to accept anonymous logins • only allow access to port 21 through the firewall to that particular server

  35. Making Effective use of the DMZ • Ever better alternative for port 21 security: • place FTP server on a perimeter network, or "DMZ" of the firewall • A DMZ is used to segregate inherently insecure servers that require a higher degree of network access from the rest of your network • an FTP server on a DMZ that has been compromised will then not be able to be used to attack the rest of the network • of course, if there is no FTP server, a DMZ might not be necessary…

  36. TCP Port 23: Telnet • Telnet is really good for providing access to servers and other devices • accessing a server via Telnet is very much like being physically located at the server console • Protecting against Telnet is simple: • block ALL access to port 23 from the outside • block perimeter networks to the inside • Protecting internal servers from attack from the inside: • configure them to accept telnet connections from very few sources • block port 23 completely…

  37. TCP Port 25: SMTP • Email programs large, complex, accessible… • Therefore an easy target… • Buffer overrun: • attacker enters more characters – perhaps including executable code - into an email field (e.g. To: ) than is expected by an email server • error could be generated • hackers could gain access to the server and the network • SPAM attack: • protocol design allows a message to go directly from the originator's email server to the recipient's email server • can ALSO be relayed by one or more mail servers in the middle • BUT… this is routinely abused by spammers • forward message to thousands of unwilling recipients

  38. Port 25 SMTP: solution… • Buffer Overrun: • Solution: put server on a perimeter network • Spam Attack • Solution: DISABLE the relaying facility…

  39. TCP and UDP Port 53: DNS (Domain Name Service) • One of the core protocols of the Internet • without it, domain name to IP address translation would not exist • PROBLEMS: If a site hosts DNS, attackers will try to: • modify DNS entries • download a copy of your DNS records (a process called zone transfer)

  40. Port 53 DNS: Solution… • Solution: • configure firewall to accept connections from the outside to TCP port 53 only from your secondary DNS server • the one downstream from you e.g. your ISP • consider creating two DNS servers: one on your perimeter network, the other on the internal network: • perimeter DNS will answer queries from the outside • internal DNS will respond to all internal lookups • configure a Stateful inspection firewall to allow replies to internal DNS server, but deny connections being initiated from it

  41. TCP Port 79: Finger • A service that enumerates all the services you have available on your network servers: • invaluable tool in probing or scanning a network prior to an attack! • To deny all this information about network services to would-be attackers, just block port 79…

  42. TCP Ports 109-110: POP (Post Office Protocol) • POP easy-to-use… • but sadly it has a number of insecurities • The most insecure version is POP3 which runs on port 110 • if the email server requires POP3, block all access to port 110 except to that server • if POP3 not used, block port 110 entirely…

  43. TCP Ports 135 and 137 NetBIOS • The Microsoft Windows protocol used for file and print sharing • last thing you probably want is for users on the Internet to connect to your servers' files and printers! • Block NetBIOS. Period!

  44. UDP Port 161 SNMP • SNMP is important for remote management of network devices: • but also it poses inherent security risks • stores configuration and performance parameters in a database that is then accessible via the network… • If network is open to the Internet, hackers can gain a large amount of very valuable information about the network… • So… if SNMP is used: • allow access to port 161 from internal network only • otherwise, block it entirely

  45. Denial of Service (DoS) Attacks • An attempt to harm a network by flooding it with traffic so that network devices are overwhelmed and unable to provide services. • One of the primary DOS attacks uses Ping, an ICMP (Internet Control Message Protocol) service: • sends a brief request to a remote computer asking it to echo back its IP address

  46. “Ping” Attacks • Dubbed the "Ping of Death“ • Two forms: • the attacker deliberately creates a very large ping packet and then transmits it to a victim • ICMP can't deal with large packets • the receiving computer is unable to accept delivery and crashes or hangs • an attacker will send thousands of ping requests to a victim so that its processor time is taken up answering ping requests, preventing the processor from responding to other, legitimate requests • Protection: • block ICMP echo requests and replies • ensure there is a rule blocking "outgoing time exceeded" & "unreachable" messages

  47. Distributed Denial of Service Attacks/IP Spoofing • Related : • A DDOS attack has occurred when attackers gain access to a wide number of PCs and then use them to launch a coordinated attack against a victim • often rely on home computers, since they are less frequently protected (they can also use worms and viruses) • If IP spoofing is used, attackers can gain access to a PC within a protected network by obtaining its IP address and then using it in packet headers

  48. Protection against DDOS & IP Spoofing • Block traffic coming into the network that contains IP addresses from the internal network… • In addition, block the following private IP, illegal and unroutable addresses: • Illegal/unroutable: • 255.255.255.255, 27.0.0.0, 240.0.0.0, & 0.0.0.0 • “Private” addresses useful for NAT, or Proxy Servers (RFC 1918): • 10.0.0.0-10.255.255.255 • 172.16.0.0-172.31.255.255 • 192.168.0.0-192.168.255.255 • Finally, keep anti-virus software up-to-date, & firewall software patched and up-to-date

More Related