480 likes | 494 Views
COMP3123 Internet Security. Richard Henson University of Worcester November 2011. Week 6: Securing a LAN connected to the Internet against Attack. Objectives: Explain what a Firewall is, why it is needed, and why users find it frustrating…
E N D
COMP3123 Internet Security Richard Henson University of Worcester November2011
Week 6: Securing a LAN connected to the Internet against Attack • Objectives: • Explain what a Firewall is, why it is needed, and why users find it frustrating… • Explain what a Proxy Service is, and why it can be a more flexible solution than a firewall • Relate the principles of IP and TCP port filtering to the challenge posed by threats to LAN server security from Internet
Unsecured LAN-Internet Connection via Router INTERNET/EXTERNAL NETWORK ROUTER – no packet filtering Internal Network ...
An Unsecured LAN-Internet Connection via Router Layer 3 Layer 3 Data through unchanged Layer 2 Layer 2 Layer 1 Layer 1 router
An Unsecured LAN-Internet Connection via Router • Routers only process data up to OSI level 3 • even with full user authentication on network services… • outgoing IP packets are untouched unless IP filtering is used • BUT, IP filtering will slow down packet flow… • Also… • request by a LAN client for Internet data across a router reveals the client IP address • this is a desired effect…. • “local” IP address must be recorded on the remote server • picks up required data & returns it via the router and server to the local IP address • problem – could be intercepted, and future data to that IP address may not be so harmless…
An Unsecured LAN-Internet Connection via Router • Another problem: wrath of IANA • IP address awarding & controlling body • big penalties if ANY internal LAN IP address conflicts with an existing Internet IP address they allocated… • If local clients have direct access to the Internet and they can be allocated locally, this COULD happen • Safeguard: • use DHCP (dynamic host configuration protocol) • allocate client IP from within a fixed range allocated to that domain by IANA
A LAN-Internet connection via Gateway INTERNET/EXTERNAL NETWORK e.g. TCP/IP GATEWAY – packet conversion e.g. Novell IPX/SPX Internal Network ...
A LAN-Internet connection via Gateway • At a gateway, processing goes up the protocol stack: • to at least level 4 • Possibly right up to level 7 • Because local packets can be converted into other formats: • remote network therefore does not have direct access to the local machine • IP packets only recreated at the desktop • local client IP addresses therefore do not need to comply with IANA allocations
Creating a “Secure Site”? • To put it bluntly – a secure site is a LAN that provides formidable obstacles to potential hackers • keep a physical barrier between local server and the internet • Physical barrier linked through an intermediate computer called a Firewall or Proxy Server • may place unnecessary restrictions on access • security could be provided at one of the seven layers of the TCP/IP stack
Security Architecture & Secure sites • This includes all aspects of security controls • can be imposed on internal users through group policy objects • external attempts to hack cannot be controlled in this way, because they are not authorised users • What about external threats? • need to focus on external data and security controls to deal with it…
The Firewall… INTERNET/EXTERNAL NETWORK No data in… TCP/IP out Firewall TCP/IP Internal Network ...
Using a Firewall to secure Routed Connections • Completely separate local network data from Internet data using a physical barrier: • Firewall (robust but inflexible) • Proxy Server (flexible) • Either solution will have a similar safeguarding effect to using a gateway: • client IP addresses will not interact with the Internet • therefore do not need to be IANA approved • but makes good sense to use DHCP anyway…
What is a Firewall? • “A set of components that restricts access between a protected network and the Internet” • therefore divides a potential internetwork into internal and external components: • Internal Network • under consideration from a security point of view • keptlogicallyseparate from the Internet • External Network • Generally assumed to be the Internet or network that cannot be secured
A Firewall should… • Protect the network from: • TCP/IP attacks, probes and scans • denial of service attacks • malicious code such as viruses, worms and trojans • Provide, depending upon the security policy and the type of firewall used: • Network Address Translation (NAT) • authentication or encryption services • web filtering • To do this, it must be appropriately configured…
The Screening Router X Blocked Services Screening Router
Screening Routers • Every IP packet contains: • IP address of source • IP address of destination • source and destination TCP port(s) • protocol being used (e.g. FTP, SMTP,etc) • A router simply routes the packet towardsits destination address • A screening router: • scrutinises whole packet headers • decideswhat to do with the packet
The Screening Router • Packets checked individually • therefore requires more processing power than a standard router • Once a packet has been scrutinised, the screening router can take one of three actions: • block the packet • forward it to the intended destination • forward it to another destination • IP addresses on the internal network can therefore be “protected” from external packets with a particular source address
The Proxy Server Firewall with Proxy service Real server Request to proxy server Internal Network ...
TheProxy Server • A firewall that offers a client-server “proxy” service • allows the firewall to act as an intermediate party between the Internet and local network services: • intercepts user (client) requests for services such as FTP • decides whether or not to forward them to the true server • The effect is that the internal and external computers talk to the proxy service rather than directly to each other
Proxy Service - continued • The user on either side of the firewall is presented with an illusion that they are talking to a real server • in fact they are both dealing with a proxy • So if an outside user tries to “hack” into the network server… • the actual internal network architecture is hidden • A proxy server can be programmed to block certain requests, sites, actions e.g: • blocking certain WWW sites • preventing FTP downloads
DMZ (Demilitarized Zone) • Beyond the firewall but not yet through the Internet Router/Gateway… • A router normally stops incoming Internet traffic from getting on your network • unless the traffic is in response to one of your computers • or when using port forwarding • Alternately… • incoming traffic can go to one computer on your network by establishing a "Default DMZ Server“ (humorous reference to "Demilitarized Zone") • avoids having to figure out what ports an Internet application wants • all ports are open for that computer…
Bastion Host • Acts as a firewall, and also runs the proxy and other services • Main or only point of contact between users of an internal network and theexternal network • Must be highly secured because it is vulnerable to attack • External logins to the Bastion Host must not be allowed as user accounts represent an easy way to attack networks…
Dual Homed Host • Based on dual homed computer (2+ interfaces) • Does NOT allow through routing of packets • Communication through the DHH occurs as follows: • via proxies • Userslogin to DHH • However: • logging in of users to DHH will create further security problems… • Not all Internet services can be proxiedfor technical reasons
INTERNET Dual Homed Host ** Firewall ** Dual-homed Host with proxy services
Screened Host • Uses a screening router • can block certain types of service • Routes packets to internal bastion only • may act as a proxy for services • Disadvantage: • if the internal bastion is hacked into • then other computers on the internal network can then easily be accessed
Screened Host INTERNET X Blocked Services Firewall Screening Router Bastion Host (Proxy Services)
Typical Types of External Attacks - 1 • Exhaustive • “brute force” attacks using all possible combinations of passwords to gain access • Inference • taking educated guesses on passwords, based on information gleaned • TOC/TOU (Time of check/use) • 1. use of a “sniffer” to capture log on data • 2. (later) using captured data & IP address in an attempt to impersonate the original user/client
Typical Types of External Attacks - 2 • Three other types of attacks that firewalls should be configured to protect against: • denial of service (DOS) attacks • distributed denial of service (DDOS) attacks • IP Spoofing (pretence that the data is coming from a “safe” source IP address
Firewalls and TCP, UDP ports • Remember this model? TELNET FTP SMTP NFS DNS SNMP TCP UDP IP
TCP ports that may be open to attack • TCP and UDP ports • both important features of TCP/IP • provide logical links for passing data between the transport layer and an application layer service • Usually defined by an RFC (remember those?) • Examples: • FTP: port 21 Telnet: port 23 • SMTP: port 25 DNS: port 53 • HTTP: port 80 POP3: port 110 • Problem… • what if the service isn’t being used?…
Blocking TCP ports with a Firewall • Very many TCP and UDP ports: • 0 - 1023 are tightly bound to application services • 1024 – 49151 more loosely bound to services • 49152 – 65535 are private, or “dynamic” • In practice, any port over 1023 could be assigned dynamically to a service… • One of the more useful features of a firewall is that ports can be configured, and therefore data flow can be monitored and controlled
Blocking TCP ports with a Firewall • Generally, TCP ports should be: • EITHER open for a service (e.g. HTTP on port 80) • OR… blocked if no service, to stop opportunists • But if the firewall only allows “official services” this can cause problems for legitimate users • e.g. if port 25 is blocked, email data cannot be sent
Protecting Against TCP/IP Attacks, Probes and Scans • TCP/IP protocol stack has been largely unchanged since the early 1980's: • more than enough time for hackers to discover their weaknesses • often attack through a particular TCP port
TCP Port 21: FTP (File Transfer Protocol) • FTP servers excellent • BUT by their very nature they open up very big security holes • those that allow anonymous logins are used: • to launch attacks on the server itself, by connecting to the C: drive and downloading viruses or overwriting/deleting files • to store pirated files and programs • Precaution: • configure FTP servers NOT to accept anonymous logins • only allow access to port 21 through the firewall to that particular server
Making Effective use of the DMZ • Ever better alternative for port 21 security: • place FTP server on a perimeter network, or "DMZ" of the firewall • A DMZ is used to segregate inherently insecure servers that require a higher degree of network access from the rest of your network • an FTP server on a DMZ that has been compromised will then not be able to be used to attack the rest of the network • of course, if there is no FTP server, a DMZ might not be necessary…
TCP Port 23: Telnet • Telnet is really good for providing access to servers and other devices • accessing a server via Telnet is very much like being physically located at the server console • Protecting against Telnet is simple: • block ALL access to port 23 from the outside • block perimeter networks to the inside • Protecting internal servers from attack from the inside: • configure them to accept telnet connections from very few sources • block port 23 completely…
TCP Port 25: SMTP • Email programs large, complex, accessible… • Therefore an easy target… • Buffer overrun: • attacker enters more characters – perhaps including executable code - into an email field (e.g. To: ) than is expected by an email server • error could be generated • hackers could gain access to the server and the network • SPAM attack: • protocol design allows a message to go directly from the originator's email server to the recipient's email server • can ALSO be relayed by one or more mail servers in the middle • BUT… this is routinely abused by spammers • forward message to thousands of unwilling recipients
Port 25 SMTP: solution… • Buffer Overrun: • Solution: put server on a perimeter network • Spam Attack • Solution: DISABLE the relaying facility…
TCP and UDP Port 53: DNS (Domain Name Service) • One of the core protocols of the Internet • without it, domain name to IP address translation would not exist • PROBLEMS: If a site hosts DNS, attackers will try to: • modify DNS entries • download a copy of your DNS records (a process called zone transfer)
Port 53 DNS: Solution… • Solution: • configure firewall to accept connections from the outside to TCP port 53 only from your secondary DNS server • the one downstream from you e.g. your ISP • consider creating two DNS servers: one on your perimeter network, the other on the internal network: • perimeter DNS will answer queries from the outside • internal DNS will respond to all internal lookups • configure a Stateful inspection firewall to allow replies to internal DNS server, but deny connections being initiated from it
TCP Port 79: Finger • A service that enumerates all the services you have available on your network servers: • invaluable tool in probing or scanning a network prior to an attack! • To deny all this information about network services to would-be attackers, just block port 79…
TCP Ports 109-110: POP (Post Office Protocol) • POP easy-to-use… • but sadly it has a number of insecurities • The most insecure version is POP3 which runs on port 110 • if the email server requires POP3, block all access to port 110 except to that server • if POP3 not used, block port 110 entirely…
TCP Ports 135 and 137 NetBIOS • The Microsoft Windows protocol used for file and print sharing • last thing you probably want is for users on the Internet to connect to your servers' files and printers! • Block NetBIOS. Period!
UDP Port 161 SNMP • SNMP is important for remote management of network devices: • but also it poses inherent security risks • stores configuration and performance parameters in a database that is then accessible via the network… • If network is open to the Internet, hackers can gain a large amount of very valuable information about the network… • So… if SNMP is used: • allow access to port 161 from internal network only • otherwise, block it entirely
Denial of Service (DoS) Attacks • An attempt to harm a network by flooding it with traffic so that network devices are overwhelmed and unable to provide services. • One of the primary DOS attacks uses Ping, an ICMP (Internet Control Message Protocol) service: • sends a brief request to a remote computer asking it to echo back its IP address
“Ping” Attacks • Dubbed the "Ping of Death“ • Two forms: • the attacker deliberately creates a very large ping packet and then transmits it to a victim • ICMP can't deal with large packets • the receiving computer is unable to accept delivery and crashes or hangs • an attacker will send thousands of ping requests to a victim so that its processor time is taken up answering ping requests, preventing the processor from responding to other, legitimate requests • Protection: • block ICMP echo requests and replies • ensure there is a rule blocking "outgoing time exceeded" & "unreachable" messages
Distributed Denial of Service Attacks/IP Spoofing • Related : • A DDOS attack has occurred when attackers gain access to a wide number of PCs and then use them to launch a coordinated attack against a victim • often rely on home computers, since they are less frequently protected (they can also use worms and viruses) • If IP spoofing is used, attackers can gain access to a PC within a protected network by obtaining its IP address and then using it in packet headers
Protection against DDOS & IP Spoofing • Block traffic coming into the network that contains IP addresses from the internal network… • In addition, block the following private IP, illegal and unroutable addresses: • Illegal/unroutable: • 255.255.255.255, 27.0.0.0, 240.0.0.0, & 0.0.0.0 • “Private” addresses useful for NAT, or Proxy Servers (RFC 1918): • 10.0.0.0-10.255.255.255 • 172.16.0.0-172.31.255.255 • 192.168.0.0-192.168.255.255 • Finally, keep anti-virus software up-to-date, & firewall software patched and up-to-date