Advanced Security and Mobile Networks

Transcription

1 WJ Buchanan. ASMN (1) Advanced Security and Mobile Networks Unit 1: Network Security

2 Application Presentation Session Transport Network Data Link Physical OSI Application Transport Internet Internet model OSI and Internet models WJ Buchanan. ASMN (2)

3 Screening irewalls and Proxies: Proxy - isolates local network from untrusted networks (AKA: Application gateway) Screening firewall: ilters for source and destination TCP ports Screen firewall: ilters for source and destination IP addresses Application Transport Internet Internet model irewalls WJ Buchanan. ASMN (3)

4 Screening irewalls and Proxies: Proxy - isolates local network from untrusted networks (AKA: Application gateway) Application Transport Internet Screening firewall: Advantages: -Simple. - Low costs Disadvantages: - Complexity of rules. - Cost of managing firewall. - Lack of user-authentication. Internet model irewalls and Proxies WJ Buchanan. ASMN (4)

5 or example the firewall may block TP traffic going out of the network. A port on a router can be setup with ACLs to filter traffic based on the network address or the source or destination port number Router Screening irewall WJ Buchanan. ASMN (5)

6 Source IP address. The address that the data packet was sent from. Destination IP address. The address that the data packet is destined for. Source TCP port. The port that the data segment originated from. Typical ports which could be blocked are TP (port 21), TELNET (port 23), and WWW (port 80). Destination TCP port. The port that the data segment is destined for. Protocol type. This filters for UDP or TCP traffic. ACLs WJ Buchanan. ASMN (6)

7 Router# access-list access-list-value {permit deny} source source-mask Router# access-list 1 deny Router# access-list 1 deny Router# access-list 1 deny Router# access-list 1 permit ip any any Standard ACLs filter on the source IP address Router (config)# interface Ethernet0 Router (config-if)# ip address Router (config-if)# ip access-group 1 in Standard ACLs WJ Buchanan. ASMN (7)

8 E1 Traffic from any address rather than can pass Router# access-list 1 deny Router# access-list 1 permit ip any any E Match this part Ignore this part Router (config)# interface Ethernet0 Router (config-if)# ip address Router (config-if)# ip access-group 1 in Standard ACLs WJ Buchanan. ASMN (8)

9 Unit 1: Network Security E Standard ACLs are applied as near to the destination as possible, so that they do not affect any other traffic ! interface Ethernet0 ip address ip access-group 1 in! access-list 1 deny access-list 1 permit ip any any Standard ACLs WJ Buchanan. ASMN (9)

10 Router# access-list access-list-value {permit deny} {test-conditions} Unit 1: Network Security Router(config)#access-list 100 deny ip host Router(config)#access-list 100 permit ip any any Router(config)#access-list 100 deny ip Router(config)#access-list 100 permit ip any any Router(config)#access-list 100 deny ip host Router(config)#access-list 100 permit ip any any Router (config)# interface Ethernet0 Router (config-if)# ip address Router (config-if)# ip access-group 100 in Extended ACLs WJ Buchanan. ASMN (10)

11 Unit 1: Network Security E1 E from Router(config)#access-list 100 deny ip host Router(config)#access-list 100 permit ip any any to Denies traffic from to the network Router(config)#access-list 100 deny ip Router(config)#access-list 100 permit ip any any Denies traffic from any host on to the network Extended ACLs WJ Buchanan. ASMN (11)

12 All other traffic can flow Traffic blocked to the barred site ! interface Ethernet0 ip address ip access-group 100 in! access-list 100 deny ip access-list 100 permit ip any any Extended ACLs are applied as near to the source as possible, as they are more targeted Example of an Extended ACL WJ Buchanan. ASMN (12)

13 An extended ACLs can also filter for TCP/UDP traffic, such as: Optional field in brackets Router(config)#access-list access-list-value { permit deny } {tcp udp igrp} source source-mask destination destination-mask {eq neq lt gt} port access-list 101 deny tcp eq telnet host eq telnet access-list 101 permit ip any any E No Telnet Access to E Extended ACLs filtering TCP traffic WJ Buchanan. ASMN (13)

14 access-list 101 permit. access-list 101 deny ip any any E1 access-list 101 deny. access-list 101 permit ip any any E1 E A closed firewall, permits some things, and denies everything else E An open firewall, denies some things, and permits everything else Open and closed firewalls WJ Buchanan. ASMN (14)

15 To block Napster traffic destined for port 8888: (config)# access-list 100 deny tcp any eq 8888 log (config)# access-list 100 deny udp any eq 8888 log (config)# interface e0 (config-if)# ip access-group 100 in or Kazaa (on port 1214): (config)# access-list 101 deny tcp any eq 1214 log (config)# access-list 101 deny udp any eq 1214 log (config)# interface e0 (config-if)# ip access-group 101 in Gnutella can be blocked with ports 6346 and 6347, while ICQ is blocked with or example blocking Kazza, Gnutella, Napster and ICQ WJ Buchanan. ASMN (15)

16 Screening irewalls and Proxies: Proxy - isolates local network from untrusted networks (AKA: Application gateway) Proxy: Advantages: - User-oriented authentication. - User-oriented logging. - User-oriented accounting. Disadvantages: - Build specifically for each application (although the SOCKS protocol has been designed, which is an all-one proxy). Application Transport Internet Internet model irewalls WJ Buchanan. ASMN (16)

17 Accesses are made through the proxy Screening firewall filters packets, based on source/destination IP addresses and TCP ports Our irst Security Model WJ Buchanan. ASMN (17)

18 Data can be send to the proxy E1 E Barred Barred hostname myrouter! interface Ethernet0 ip address ip access-group 100 in! interface Ethernet1 ip address ip access-group 101 in! access-list 100 permit ip any access-list 100 deny any any! access-list 101 permit ip any host access-list 101 deny any any end Access to proxy is allowed Everything else is barred Blocking the Incoming Traffic to Hosts WJ Buchanan. ASMN (18)

19 Data can be sent from the proxy E1 E Barred Barred hostname myrouter! interface Ethernet0 ip address ip access-group 100 in! interface Ethernet1 ip address ip access-group 100 in! access-list 100 permit ip any access-list 100 deny any any! access-list 101 permit ip any host access-list 101 deny any any end Blocking Outgoing Traffic from Hosts WJ Buchanan. ASMN (19)

20 Screened firewall only allows traffic to flow to and from the proxy Screened firewall only allows traffic between the hosts and the proxy An Improvement - Application Level irewall WJ Buchanan. ASMN (20)

21 WWW server Access made to WWW site on Port HTTP goes out on TCP port 6588, to the proxy Proxy setup WJ Buchanan. ASMN (21)

22 WWW server Access made to WWW site on Port HTTP (web browsers) (port 6588) HTTPS (secure web browsers) (port 6588) SOCKS4 (TCP proxying) (port 1080) SOCKS4a (TCP proxying w/ DNS lookups) (port 1080) SOCKS5 (only partial support, no UDP) (port 1080) NNTP (usenet newsgroups) (port 119) POP3 (receiving ) (port 110) SMTP (sending ) (port 25) TP (file transfers) (port 21) Proxy setup WJ Buchanan. ASMN (22)

23 Unit 1: Network Security WWW server Only telnet, ftp, http and pop3 are allowed hostname myrouter! interface Ethernet1 ip address ip access-group 101 in!! access-list 101 permit tcp any any eq telnet host access-list 101 permit tcp any any eq ftp host access-list 101 permit tcp any any eq http host access-list 101 permit tcp any any eq pop3 host access-list 101 deny any any! end iltering incoming ports WJ Buchanan. ASMN (23)

24 Unit 1: Network Security WWW server Only telnet, ftp, http and pop3 are allowed out hostname myrouter! interface Ethernet0 ip address ip access-group 100 in!! access-list 100 permit tcp host any any eq telnet access-list 100 permit tcp host any any eq ftp access-list 100 permit tcp host any any eq http access-list 100 permit tcp host any any eq pop3 access-list 100 deny any any! end iltering outgoing ports WJ Buchanan. ASMN (24)

25 WWW server Access made to WWW site on Port /06/ :26:19.957: HTTP Client connection accepted from /06/ :26:21.620: HTTP Client connection accepted from /06/ :26:23.232: HTTP Closing socket (2) 03/06/ :26:23.863: HTTP Client connection accepted from /06/ :26:26.527: HTTP Closing socket (2) 03/06/ :26:26.737: HTTP Client connection accepted from /06/ :26:29.091: HTTP Closing socket (2) 03/06/ :26:29.371: HTTP Client connection accepted from /06/ :26:29.431: HTTP Closing socket (2) 03/06/ :26:30.453: HTTP Closing socket (1) 03/06/ :26:31.644: HTTP Client connection accepted from /06/ :26:32.786: HTTP Closing socket (1) 03/06/ :26:33.126: HTTP Client connection accepted from Proxy logging WJ Buchanan. ASMN (25)

26 Unit 1: Network Security WWW server The log will always show the address of the proxy. Proxy allows: The hosts to be hidden from the outside. Private addresses can be used for the internal network. Logging of data packets. User-level authentication, where users may require a username and a password. Isolation of nodes inside the network, as they cannot be directly contacted. Proxy logging WJ Buchanan. ASMN (26)

27 : :4444 Outgoing data data : :4444 Incoming data data : :5555 Outgoing data data : :5555 Incoming data data PAT (Port address translation) Maps many addresses to one global address. N Network address translation WJ Buchanan. ASMN (27)

28 : :4444 Outgoing data data : :4444 Incoming data data N : :5555 Outgoing data data : :5555 Incoming data data IP:port (inside) IP:port (outside) Ipdest:port : : :80 NAT router remembers the source and destination IP address and ports Network address translation WJ Buchanan. ASMN (28)

29 : :4444 Outgoing data data : :4444 Incoming data data IP:port (inside) IP:port (outside) Ipdest:port : : : : : : : : : : : :80 N : :5555 Outgoing data data : :5555 Incoming data data New connects in the table Network address translation WJ Buchanan. ASMN (29)

30 : :4444 Outgoing data data : :4444 Incoming data data Nat: Hides the network addresses of the network. Bars direct contact with a host. Increased range of address. Allow easy creation of subnetworks. Network address translation N : :5555 Outgoing data data : :5555 Incoming data data WJ Buchanan. ASMN (30)

31 Static translation. Each public IP address translates to a private one through a static table. Good for security/logging/traceabilty. Bad, as it does not hide the internal network. IP Masquerading (Dynamic Translation). A single public IP address is used for the whole network. The table is thus dynamic. Load Balancing Translation. With this, a request is made to a resource, such as to a WWW server, the NAT device then looks at the current loading of the systems, and forwards the request to the one which is most lightly used a1.b1.c1.d1 a2.b2.c2.d2 Private address a1.b1.c1.d1 a2.b2.c2.d2 Private address N N w1.x1.y1.z1 w2.x2.y2.z2 Public address w.x.y.z w.x.y.z Public address NAT WJ Buchanan. ASMN (31)

32 a1.b1.c1.d1 Or a1.b1.c1.d1 Or an.bn.cn.dn a1.b1.c1.d1 a1.b1.c1.d1 an.bn.cn.dn Private address Server pool N NAT device selects the least used resource w.x.y.z Public address NAT - Load balancing WJ Buchanan. ASMN (32)

33 a1.b1.c1.d1 a2.b2.c2.d2 Private address N a1.b1.c1.d1 a2.b2.c2.d2 Private address w1.x1.y1.z1 w2.x2.y2.z2 Public address N NAT is good as we are isolated from the external public network, where our hosts make the initiate connections w.x.y.z Public address but what happens if we use applications which create connections in the reverse direction, such as with TP and IRC?.. we thus need some form of backtracking of connections in the NAT device. NAT - Backtrack connections WJ Buchanan. ASMN (33)

34 Static NAT is poor for security, as it does not hide the network. This is because there is a one-to-one mapping. Corporate WWW site a1.b1.c1.d1 N Dynamic NAT is good for security, as it hides the network. Unfortunately it has two major weaknesses: - Backtracking allows external parties to trace back a connection. - If the NAT device becomes compromised the external party can redirect traffic. w1.x1.y1.z1 Compromised NAT table causes the connection to point to the external intruder s WWW site Backtracking External Intruder s WWW site NAT - Weaknesses. WJ Buchanan. ASMN (34)

35 Our side (trusted) DMZ - an area where military actions are prohibited. Their side (untrusted) De-Militarized Zone (DMZ) WJ Buchanan. ASMN (35)

36 Our side (trusted) DMZ - an area where military actions are prohibited. Their side (untrusted) De-Militarized Zone (DMZ) WJ Buchanan. ASMN (36)

37 Untrusted network Traffic is allowed to flow from the corporate intranet to the untrusted network (typically, the Internet) DMZ allows untrusted traffic to flow to corporate servers De-Militarized Zone (DMZ) This is a weak approach as the firewall in the DMZ could be attacked, which might compromise the corporate intranet. An improved method is N WWW server Corporate intranet Public TP server De-Militarized Zone (DMZ) - Double Legged irewall WJ Buchanan. ASMN (37)

38 Untrusted network DMZ allows untrusted traffic to flow to corporate servers Another bastion is Inserted to isolate the Corporate intranet from untrusted networks which leads to De-Militarized Zone (DMZ) N WWW server NAT device hides the corporate network to the outside Corporate intranet Public TP server De-Militarized Zone (DMZ) - Improved Method WJ Buchanan. ASMN (38)

39 Enemy takes some time to penetrate each level of defence Unit 1: Network Security orth-line defence Third-line defence Second-line defence irst-line defence Defence-in-depth WJ Buchanan. ASMN (39)

40 Untrusted network Defence-in-depth puts as many obstacles in the way of an intruder, so that it becomes harder to penetrate the network, and it is easier to detect the intrusion Defence-in-depth Audit/ logging De-Militarized Zone (DMZ) N Intrusion Detection System WWW server Public TP server WJ Buchanan. ASMN (40)

41 Untrusted network De-Militarized Zone (DMZ) In secure networks, firewalls should ban incoming TCP SYN packets, as these identify an incoming connection Defence-in-depth Audit/ logging N Intrusion Detection System WWW server Public TP server WJ Buchanan. ASMN (41)

42 Corporate Corporate Intranet Intranet 1 VPN router Untrusted network (Internet) Private addresses Corporate Corporate Intranet Intranet VPN router VPN s - Virtual Private Networks WJ Buchanan. ASMN (42)

43 Corporate Corporate Intranet Intranet 1 VPN router Untrusted network (Internet) or a connection between and , the VPN router negotiates the connection, and generates encryption keys. This creates a tunnel over the untrusted network. Corporate Corporate Intranet Intranet VPN router VPN s - Virtual Private Networks WJ Buchanan. ASMN (43)

44 Corporate Corporate Intranet Intranet 1 VPN router Untrusted network (Internet) They then encrypt all the data packets for the connection. The encryption process will be discussed in Unit 3.. The biggest problem with VPNs is latency Corporate Corporate Intranet Intranet VPN router VPN s - Virtual Private Networks WJ Buchanan. ASMN (44)

45 Corporate Corporate Intranet Intranet 1 VPN router Untrusted Untrusted network network (Internet) (Internet) Untrusted Untrusted network network (Internet) (Internet) Untrusted Untrusted network network (Internet) (Internet) Corporate Corporate Intranet Intranet In a mesh architecture has a connection between each VPN router VPN router Corporate Corporate Intranet Intranet VPN router VPN s - Mesh Architecture WJ Buchanan. ASMN (45)

46 Corporate Corporate Intranet Intranet 2 Untrusted Untrusted network network (Internet) (Internet) Hub Untrusted Untrusted network network (Internet) (Internet) Untrusted Untrusted network network (Internet) (Internet) VPN router Corporate Corporate Intranet Intranet In a spoke architecture a hub switches between VPN s Corporate Corporate Intranet Intranet VPN router VPN s - Spoke Architecture WJ Buchanan. ASMN (46)

47 Internet Layer security: IPSEC Uses cryptographic methods: Authentication Header (AH) Encapsulated Security Payload (ES) The AH provide AUTHENTICATION. The ESP provides CONIDENTIALITY. IPSEC will be covered in Unit 3. Application Transport Internet Internet model Internet Layer Security WJ Buchanan. ASMN (47)

48 Transport Layer Protection includes: SSL (Secure Socket Layer). MD5/SHA for authentication and RC4/DES for encryption. PCT (Private Communication Technology). Secure sockets include: Port: 443. https (HTTP + SSL). Port: 465. ssmtp (SMTP + SSL). Port: 563. snntp (NNTP + SSL). These will be covered in Unit 3. Application Transport Internet Internet model Transport Layer Security WJ Buchanan. ASMN (48)

49 Application Layer protection includes: PGP. Application Layer Protocols: https (HTTP + SSL). ssmtp (SMTP + SSL). snntp (NNTP + SSL). Typical encryption schemes: DES, Triple-DES, Typical authentication schemes: MD5 encryption: PGP These will be covered in Unit 3. Application Transport Internet Internet model Application Layer Security WJ Buchanan. ASMN (49)