Outline: Topic 5.1: TCP/IP Vulnerabilities; Topic 5.2: Routing Security


2 Outline
- Topic 5.1: TCP/IP Vulnerabilities
  - TCP/IP security problems
- Topic 5.2: Routing Security
  - BGP security
- Topic 5.3: Attack Mitigation and Countermeasures
- Topic 5.4: Attack Detection

3 TCP/IP Security Problems
- The Internet consists of public, untrusted, and unreliable IP networks
- TCP/IP was designed for connectivity
  - Basic delivery service
- Host implementation vulnerabilities
  - Software had/has/will have bugs
  - Some elements in the specification were left to implementers

4 TCP/IP Security Problems
- Reading: Security Problems in the TCP/IP Protocol Suite, by Steve Bellovin, Annual Computer Security Applications Conference, December
- Attacks on different layers
  - IP attacks
  - ICMP attacks
  - TCP attacks
  - Routing attacks
  - Application layer attacks

5 Security Flaws in IP
- IP addresses are filled in by the originating host
  - IP address spoofing
- Using the source address for authentication
  - r-utilities: rlogin, rsh, rcp, .rhosts
  - The authentication check is simply the IP address
- Traffic amplification attack
  - IP allows broadcast destinations
- Problems caused by IP fragmentation
  - End hosts need to keep the fragments until all the fragments arrive

6 Address Spoofing
- Packet routing in IP networks is based on destination address information only
  - Correctness of the source address is not verified
- Spoofing enables most (D)DoS attacks
  - Packets with spoofed or faked source addresses disguise the identity of the attacking systems
- Causes problems in defense
  - Identification of the attacking systems is needed
  - Some detection mechanisms also need information about attack sources
  - Legal prosecution of attackers and prevention of new attacks

7 ICMP
- ICMP is used as a control plane for IP messages
  - Ping (connectivity probe)
  - Destination Unreachable (error notification)
  - Time Exceeded (error notification)
- Main reasons that make ICMP particularly interesting for attackers
  - No authentication
  - Routers respond to it
  - It may be addressed to broadcast addresses
- ICMP flood: exploitation of the standard behavior of TCP/IP stacks

8 ICMP Flood
- Ping flood
  - Flooding the target host with great amounts of ICMP messages
- Smurf attack
  - Pinging a broadcast address with the source address forged to refer to the victim
  - Keys: amplification and IP spoofing
  - DoS or DDoS?
  - Resource depletion
[Figure: Attacking System, Internet, Broadcast Enabled Network, Victim System]

9 ICMP Flood
- All ICMP messages can be abused in this way
- The Fraggle attack is the equivalent UDP version: ports 7 and 19
- Countermeasures:
  - Avoid amplification
    - Configure hosts to ignore ICMP requests to broadcast addresses
    - Configure routers not to forward packets directed to broadcast addresses
  - Avoid IP spoofing
    - Filter forged packets
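The two countermeasures on slide 9 (filter forged source addresses, and never forward anything aimed at a directed broadcast) are what a border router's packet filter implements. The following is an added example, not code from the slides: a small filter that applies a BCP 38 style ingress rule per interface and then refuses directed broadcasts, labelling the Smurf and Fraggle cases separately. The interface table, subnets and sample packets are constructed from RFC 5737 documentation addresses.

```python
import ipaddress
from dataclasses import dataclass

# Constructed interface table (hypothetical RFC 5737 addresses): the source
# prefixes that may legitimately appear on each inbound interface. This is the
# BCP 38 ingress-filtering rule from slide 9's "filter forged packets".
INGRESS_PREFIXES = {
    "lan0": [ipaddress.ip_network("192.0.2.0/24")],
    "lan1": [ipaddress.ip_network("198.51.100.0/24")],
}

# Subnets directly behind this router. A destination equal to one of their
# broadcast addresses is a directed broadcast and must not be forwarded.
LOCAL_SUBNETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/24")]

ICMP_ECHO_REQUEST = 8
FRAGGLE_PORTS = (7, 19)   # UDP echo and chargen, the Fraggle amplifiers


@dataclass
class Packet:
    iface: str
    src: str
    dst: str
    proto: str            # "icmp", "udp" or "tcp"
    icmp_type: int = -1
    dport: int = -1


def check_source(pkt):
    """Anti-spoofing: the source must belong to a prefix expected on this interface."""
    src = ipaddress.ip_address(pkt.src)
    if not any(src in net for net in INGRESS_PREFIXES.get(pkt.iface, [])):
        return "spoofed-source"
    return None


def check_broadcast(pkt):
    """Anti-amplification: refuse to forward anything aimed at a directed broadcast."""
    dst = ipaddress.ip_address(pkt.dst)
    for net in LOCAL_SUBNETS:
        if dst == net.broadcast_address:
            if pkt.proto == "icmp" and pkt.icmp_type == ICMP_ECHO_REQUEST:
                return "smurf-amplifier"
            if pkt.proto == "udp" and pkt.dport in FRAGGLE_PORTS:
                return "fraggle-amplifier"
            return "directed-broadcast"
    return None


def filter_packet(pkt):
    """Return 'forward' or 'drop:<reason>' for one packet."""
    for check in (check_source, check_broadcast):
        reason = check(pkt)
        if reason:
            return "drop:" + reason
    return "forward"


# Constructed sample traffic.
SAMPLE = [
    Packet("lan0", "192.0.2.10", "203.0.113.5", "tcp", dport=443),
    # echo request to our broadcast with a source that cannot be on lan0
    Packet("lan0", "203.0.113.77", "192.0.2.255", "icmp", icmp_type=ICMP_ECHO_REQUEST),
    # echo request to the other subnet's broadcast from a valid lan1 source
    Packet("lan1", "198.51.100.9", "192.0.2.255", "icmp", icmp_type=ICMP_ECHO_REQUEST),
    Packet("lan1", "198.51.100.9", "192.0.2.255", "udp", dport=7),
    Packet("lan0", "192.0.2.10", "198.51.100.255", "udp", dport=53),
]


def run_sample():
    return [filter_packet(p) for p in SAMPLE]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run_sample()):
        print(f"{pkt.iface} {pkt.src} -> {pkt.dst} {pkt.proto}: {verdict}")
```

The source check runs first on purpose: a Smurf packet entering from the inside carries the victim's address, which is never a valid source on the customer interface, so it is dropped before the broadcast rule is even consulted.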

10 ICMP Redirect Routing
- The ICMP redirect message is used by gateways to advertise better routes
  - Can cause the host to switch gateways
- Redirect attack
  - Force routing through the attacker
  - Benefit of doing this? Man-in-the-middle attack, sniffing
[Figure: spoofed ICMP redirect from a compromised host]

11 Abusing ICMP
- ICMP destination unreachable
  - Can cause the host to drop a connection
- Countermeasures:
  - Check to ensure that the message belongs to a particular connection
  - Restrict route changes

12 Ping of Death
- One of the first DoS attacks
  - A popular pastime of early hackers
- Send oversized and malformed packets to another computer
  - Many OSes/routers crash or reboot on a malformed ping packet that is larger than 65,535 bytes
- Due to IP fragmentation: the 13-bit fragment offset field counts in units of 8 bytes
  - An IP fragment with the maximum offset and more than 8 bytes of data overflows most fixed-size buffer implementations
- Countermeasure: add checks in the reassembly process or in firewalls
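Slide 12 says the fix is a check in the reassembly process. As an added example (not the slide's code), here is a reassembler that does the bounds arithmetic on the header fields before it writes a single byte: offset is 13 bits in 8-byte units, and offset*8 + data length + IP header may not exceed the 16-bit total length. The fragment sequences are constructed.

```python
IP_HEADER_LEN = 20            # minimal IPv4 header
MAX_DATAGRAM = 65535          # the IP total-length field is 16 bits
FRAG_UNIT = 8                 # fragment offset is counted in 8-byte units
MAX_OFFSET = (1 << 13) - 1    # 13-bit fragment offset field


class FragmentError(ValueError):
    """Raised for a fragment that cannot belong to a legal datagram."""


class Reassembler:
    """Collects the fragments of one datagram, validating bounds before writing."""

    def __init__(self):
        self.buf = bytearray()
        self.total = None      # payload length, learned from the final fragment
        self.received = 0

    def add(self, offset_units, more_fragments, payload):
        if offset_units > MAX_OFFSET:
            raise FragmentError("offset does not fit the 13-bit field")
        start = offset_units * FRAG_UNIT
        end = start + len(payload)
        # The check the slide asks for: do the arithmetic on header fields
        # first and refuse the fragment before it touches the buffer.
        if end + IP_HEADER_LEN > MAX_DATAGRAM:
            raise FragmentError(f"fragment would extend datagram to {end + IP_HEADER_LEN} bytes")
        if more_fragments and len(payload) % FRAG_UNIT:
            raise FragmentError("non-final fragment length is not a multiple of 8")
        if not more_fragments:
            self.total = end
        if len(self.buf) < end:
            self.buf.extend(b"\x00" * (end - len(self.buf)))
        self.buf[start:end] = payload
        self.received += len(payload)
        return self.total is not None and self.received >= self.total

    def data(self):
        return bytes(self.buf)


def classify(fragments):
    """Feed (offset_units, more_fragments, payload) triples; report the outcome."""
    r = Reassembler()
    try:
        for offset_units, mf, payload in fragments:
            if r.add(offset_units, mf, payload):
                return "complete", r.data()
    except FragmentError as err:
        return "rejected", str(err)
    return "incomplete", None


# Constructed fragment sequences.
NORMAL = [(0, True, b"A" * 16), (2, False, b"B" * 4)]                 # 20-byte payload
PING_OF_DEATH = [(0, True, b"A" * 8), (MAX_OFFSET, False, b"X" * 9)]  # 65,557 bytes in total

if __name__ == "__main__":
    print(classify(NORMAL))
    print(classify(PING_OF_DEATH))
```

A fixed 64 KiB buffer indexed by `start` would be written past its end by the second sequence; computing `end` up front turns that memory write into a rejected fragment.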

13 TCP Attacks
- TCP/IP uses a three-way handshake to establish a connection
  - The client needs to receive SYN(ISN_S)
  - The server needs to keep waiting for ACK(ISN_S)

14 Sequence Number Prediction
- Blind spoofing: X impersonating a trusted host T
- The ISN is a random number, however, it is predictable
  - Non-randomness: incremented by a constant per second, and by half of that constant when a new connection is initiated

15 Sequence Number Prediction
- How to predict a "random" ISN?
  - Monitor a legitimate connection to get a valid ISN_S
  - Guess the ISN_S of the next connection with high confidence
- T can detect the attack and reset the connection
  - Choose a T that is not in use
  - DoS T so it can't answer
- Can be used in connection hijacking
  - Only need to know the SN of the target session

16 Countermeasure
- Different connections should generate random sequence numbers independently
  - Duplicate packets?
- Randomize the increment so that sequence numbers are not predictable
  - Pick a few bits randomly in each increment
- Use cryptographic algorithms for ISN generation
- Logging and alert mechanisms
  - Unusual ICMP, Ping, SYN, ...
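To make slides 14 to 16 concrete, the following added example (not from the slides) places the counter-based generator Bellovin analysed next to an RFC 6528 style keyed generator, and runs the audit a defender would run: observe the ISN of one's own connection, predict the next, and see whether the prediction holds. The 128/64 step values and the addresses are assumptions for illustration; HMAC-SHA256 stands in for the keyed function the RFC leaves open.

```python
import hashlib
import hmac
import secrets

MASK32 = 0xFFFFFFFF


class LegacyISN:
    """Counter-based generator of the kind slide 14 describes: one global counter,
    stepped by a constant each second and by half that constant per connection.
    The 128/64 step values are the classic 4.2BSD ones, assumed here for illustration."""
    PER_SECOND = 128
    PER_CONNECTION = 64

    def __init__(self):
        self.counter = 0
        self.last_second = 0

    def next_isn(self, now_seconds, four_tuple):
        elapsed = now_seconds - self.last_second
        self.last_second = now_seconds
        self.counter = (self.counter + elapsed * self.PER_SECOND + self.PER_CONNECTION) & MASK32
        return self.counter


class KeyedISN:
    """RFC 6528 style: ISN = clock + F(4-tuple, secret). Hashing the connection
    4-tuple means one connection's ISN says nothing about another's. HMAC-SHA256
    is used as F here (the RFC suggests MD5; any keyed PRF works)."""

    def __init__(self, secret=None):
        self.secret = secret or secrets.token_bytes(16)

    def next_isn(self, now_seconds, four_tuple):
        clock = (now_seconds * 250_000) & MASK32          # 4-microsecond ticks
        msg = "|".join(map(str, four_tuple)).encode()
        f = int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")
        return (clock + f) & MASK32


def predict_next(observed_isn, step=LegacyISN.PER_CONNECTION):
    """The guess slide 15 describes: next ISN from one observed on your own connection."""
    return (observed_isn + step) & MASK32


def prediction_succeeds(generator):
    """Audit helper: open a probe connection, observe its ISN, then check whether the
    very next connection (same second, different 4-tuple) receives the predicted ISN."""
    probe = ("192.0.2.9", 40000, "192.0.2.1", 513)    # constructed addresses
    target = ("192.0.2.5", 1023, "192.0.2.1", 513)
    seen = generator.next_isn(100, probe)
    actual = generator.next_isn(100, target)
    return predict_next(seen) == actual


def distinct_increments(generator, n=50):
    """Number of distinct consecutive differences over n connections in one second:
    1 means perfectly predictable, close to n means effectively random."""
    isns = [generator.next_isn(7, ("192.0.2.9", 40000 + i, "192.0.2.1", 22)) for i in range(n)]
    diffs = {(b - a) & MASK32 for a, b in zip(isns, isns[1:])}
    return len(diffs)


if __name__ == "__main__":
    print("legacy predictable:", prediction_succeeds(LegacyISN()), distinct_increments(LegacyISN()))
    print("keyed predictable:", prediction_succeeds(KeyedISN()), distinct_increments(KeyedISN()))
```

`distinct_increments` is the simplest version of the "logging and alert" idea on slide 16 turned inward: a host can sample its own ISNs and refuse to ship a stack whose increments collapse to a single value.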

17 Blind TCP RST Attack
- TCP reset: use a RST packet to terminate a TCP connection
- Blind TCP RST attacks forge the TCP RST packet
  - The RST packet will be accepted if its SN falls into the receive window
- 32-bit sequence number
- Window size varies: say 32K bits
- Blind attack: 2^32 / 2^15 = 2^17, i.e. a 17-bit search space, 2^17 guesses
- On a DSL connection: 130K RST attempts in minutes
- Feasible in long-lived sessions
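The 2^17 figure on slide 17 follows from the classic acceptance rule (any in-window SEQ resets the connection). The added example below, which is not the slide's code, implements that rule beside the RFC 5961 mitigation (reset only on an exact RCV.NXT match, otherwise send a challenge ACK) and counts what a full blind sweep of the sequence space achieves against each. The window size of 32768 bytes and the receiver state are constructed values.

```python
SEQ_SPACE = 1 << 32


def guesses_to_sweep(window_bytes):
    """RST segments needed so that one lands in every possible window position,
    when any in-window SEQ is accepted (classic TCP behaviour)."""
    return -(-SEQ_SPACE // window_bytes)     # ceiling division


def in_window(seq, rcv_nxt, window):
    """Modular comparison: rcv_nxt <= seq < rcv_nxt + window."""
    return (seq - rcv_nxt) % SEQ_SPACE < window


def rst_decision(seq, rcv_nxt, window, rfc5961=True):
    """What a receiver does with an incoming RST.
    Classic rule: reset on any in-window SEQ.
    RFC 5961 rule: reset only if SEQ == RCV.NXT exactly; otherwise send a
    challenge ACK so a genuine peer can resend a RST that matches."""
    if not in_window(seq, rcv_nxt, window):
        return "drop"
    if not rfc5961 or seq == rcv_nxt:
        return "reset"
    return "challenge-ack"


def simulate_blind_sweep(rcv_nxt, window, rfc5961):
    """Count outcomes when forged RSTs arrive at SEQ = 0, window, 2*window, ...
    (the sender knows the 4-tuple but not the sequence state)."""
    counts = {"reset": 0, "challenge-ack": 0, "drop": 0}
    for i in range(guesses_to_sweep(window)):
        seq = (i * window) % SEQ_SPACE
        counts[rst_decision(seq, rcv_nxt, window, rfc5961)] += 1
    return counts


if __name__ == "__main__":
    print("guesses for a 32 KiB window:", guesses_to_sweep(32768))
    print("classic:", simulate_blind_sweep(123456789, 32768, rfc5961=False))
    print("RFC 5961:", simulate_blind_sweep(123456789, 32768, rfc5961=True))
```

Under the classic rule exactly one of the 131,072 segments tears the session down; under RFC 5961 that same segment only provokes a challenge ACK, which the genuine peer answers with a correct RST and a forger cannot.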

18 SYN Flooding DoS
- Spoof initial SYN packets (to avoid being caught)
- Exploit the state allocated at the server after the initial SYN packet
  - Send a SYN and don't reply with the ACK
  - The server will wait for 511 seconds for the ACK
  - listen() call
  - Finite queue size for incomplete connections (1024)
  - Once the queue is full it doesn't accept requests
- Countermeasures
  - Use SYN cookies: not available on all devices
  - Restrict resource allocation: number of connections, memory
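Slide 18 names SYN cookies as the countermeasure; this added example (not the slide's code) shows how they remove the state the attack exploits. The server's ISN encodes a 64-second time slot, an MSS index and a keyed MAC over the client's 4-tuple and ISN, so nothing is stored until an ACK carrying a valid cookie arrives. Layout, secret and addresses are constructed for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-server-secret"   # hypothetical; a real server rotates this
MSS_TABLE = (536, 1220, 1440, 1460)      # encodable MSS values
MASK32 = 0xFFFFFFFF


def _mac24(secret, src, sport, dst, dport, client_isn, slot):
    msg = f"{src}:{sport}>{dst}:{dport}|{client_isn}|{slot}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, sport, dst, dport, client_isn, mss, now, secret=SECRET):
    """Server ISN: 5 bits of time (64-second slots), 3 bits of MSS index, and a
    24-bit keyed MAC over the 4-tuple, the client's ISN and the slot."""
    slot = (now // 64) & 0x1F
    idx = max(i for i, v in enumerate(MSS_TABLE) if v <= mss) if mss >= MSS_TABLE[0] else 0
    mac = _mac24(secret, src, sport, dst, dport, client_isn, slot)
    return (slot << 27) | (idx << 24) | mac


def validate_cookie(src, sport, dst, dport, client_isn, ack, now, secret=SECRET):
    """Check the final ACK of the handshake. Returns the MSS to use, or None."""
    cookie = (ack - 1) & MASK32
    slot = cookie >> 27
    idx = (cookie >> 24) & 0x7
    current = (now // 64) & 0x1F
    if slot not in (current, (current - 1) & 0x1F):
        return None                                     # too old: cookie expired
    if (cookie & 0xFFFFFF) != _mac24(secret, src, sport, dst, dport, client_isn, slot):
        return None                                     # forged or for another connection
    return MSS_TABLE[idx] if idx < len(MSS_TABLE) else None


class StatelessListener:
    """Server side of the handshake that allocates nothing until the cookie checks out."""

    def __init__(self, addr, port):
        self.addr, self.port = addr, port
        self.established = []

    def on_syn(self, src, sport, client_isn, mss, now):
        # No half-open queue entry is created, so spoofed SYNs consume no memory.
        return make_cookie(src, sport, self.addr, self.port, client_isn, mss, now)

    def on_ack(self, src, sport, seq, ack, now):
        mss = validate_cookie(src, sport, self.addr, self.port, seq - 1, ack, now)
        if mss is not None:
            self.established.append((src, sport, mss))
        return mss is not None


def demo():
    """Constructed run: a flood of spoofed SYNs, then one genuine client,
    one forged ACK and one ACK that arrives after the cookie expired."""
    srv = StatelessListener("192.0.2.1", 80)
    for i in range(10000):                   # spoofed SYNs never followed by an ACK
        srv.on_syn(f"203.0.113.{i % 250 + 1}", 1024 + i, i, 1460, 5000)
    cookie = srv.on_syn("198.51.100.7", 51515, 1000, 1460, 5000)
    legit = srv.on_ack("198.51.100.7", 51515, 1001, cookie + 1, 5010)
    forged = srv.on_ack("198.51.100.7", 51515, 1001, cookie + 7, 5010)
    stale = srv.on_ack("198.51.100.7", 51515, 1001, cookie + 1, 5000 + 64 * 3)
    return legit, forged, stale, len(srv.established)


if __name__ == "__main__":
    print(demo())
```

The price of statelessness is visible in the code: TCP options that would normally sit in the queue entry must be squeezed into the cookie, which is why only a handful of MSS values survive and why the slide notes that cookies are not available on all devices.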

19 Source Routing
- Source routing
  - An IP option that lets the source list specific routers on the path to the destination
  - The responder includes the source route on the reply packets
- If the inverse of the supplied route is used as the return path, it permits address spoofing

20 Source Routing Attacks
[Figure only]

21 Source Routing Attacks
- The attack: two-way spoofing
  - Open a TCP connection to the remote rsh, spoofing the address of a trusted host
  - The attacker includes itself in the source route list
  - The attacker will see the reply packets before the machine that is being spoofed
- Countermeasures
  - Most OSes ignore source routes these days
  - Reject source-routed packets at border routers
  - Reject pre-authorized connections via source routing

22 RIP Vulnerabilities
- Routing Information Protocol
  - A distance-vector routing protocol used for local networks
  - Routers exchange reachability and distance vectors for all the subnetworks on local networks
  - Notification of changes is propagated quickly
  - Information received is unchecked

23 RIP Vulnerabilities
- Advertise bogus routing information to:
  - Claim a route to a particular unused host (impersonate)
    - Compromise address-based authentication
  - Impersonate an active host (sniffing, MITM)
  - DoS, traffic redirection, connection hijacking

24 RIP Vulnerabilities
- Countermeasures
  - Filter packets based on source/destination address
  - Check the validity of new routes before accepting them
  - Authenticate RIP updates
  - Log the traffic for anomalies
- RIP has fallen out of fashion (still on some medium-sized networks)
- Similar attacks exist in interdomain routing protocols
- Defense against routing attacks is still considered a research problem

25 ARP Vulnerabilities
- Address Resolution Protocol: an interface between the link layer and the network layer
  - Maps an IP address onto a MAC address
  - ARP request: who has x.x.x.x?
  - ARP response: me

26 ARP Vulnerabilities
- Allows changes to the link layer to be independent of IP addressing
- A stateless protocol
  - ARP accepts replies without requests
  - LAN hosts cache ARP replies, and the last one in wins
- Spoof an IP address
  - Send a spoofed ARP reply saying your MAC address owns an IP address
  - Just repeat frequently so that the cache doesn't time out
  - Leads to sniffing, session hijacking, MITM, DoS

27 ARP Spoofing
- Lots of other ways to abuse ARP
  - Due to no authentication
- No simple good solution
  - Publish the MAC address of the router/default gateway and trusted hosts
  - Statically define the IP-to-Ethernet address mapping
    - arp -s ab
  - Software-implemented checking to detect ARP spoofing
  - Smart bridges/routers keep track of MACs
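Slide 27 lists static mappings and software checking as the practical defences. The following added example (not the slides' code) is a passive ARP monitor that combines both: pinned entries for the gateway that no reply may overwrite, and alerts for the two symptoms of slide 26, replies nobody asked for and bindings that change. The MAC addresses and the event trace are constructed.

```python
from collections import defaultdict


class ArpWatch:
    """Passive ARP monitor for one segment: learns IP->MAC bindings from replies,
    pins trusted hosts statically, and raises alerts on the patterns that
    slide 26 describes (replies nobody asked for, bindings that change)."""

    def __init__(self, static=None):
        self.static = dict(static or {})      # pinned bindings (gateway, servers)
        self.table = dict(self.static)
        self.pending = defaultdict(set)        # ip -> MACs that asked for it
        self.alerts = []

    def request(self, requester_mac, target_ip):
        self.pending[target_ip].add(requester_mac)

    def reply(self, sender_ip, sender_mac, target_mac):
        # A reply is only expected if the target recently asked for sender_ip.
        if target_mac in self.pending[sender_ip]:
            self.pending[sender_ip].discard(target_mac)
        else:
            self.alerts.append(("unsolicited-reply", sender_ip, sender_mac))
        known = self.table.get(sender_ip)
        if sender_ip in self.static and sender_mac != self.static[sender_ip]:
            # Never let a reply overwrite a pinned entry (the effect of arp -s).
            self.alerts.append(("static-conflict", sender_ip, sender_mac))
            return
        if known is not None and known != sender_mac:
            self.alerts.append(("mac-changed", sender_ip, f"{known}->{sender_mac}"))
        self.table[sender_ip] = sender_mac


# Constructed trace: the gateway is pinned; host 02 resolves 192.0.2.20; then a
# third station pushes unsolicited replies claiming both addresses.
GATEWAY_MAC = "aa:bb:cc:00:00:01"
TRACE = [
    ("request", "aa:bb:cc:00:00:02", "192.0.2.20"),
    ("reply", "192.0.2.20", "aa:bb:cc:00:00:20", "aa:bb:cc:00:00:02"),
    ("reply", "192.0.2.20", "aa:bb:cc:00:00:66", "aa:bb:cc:00:00:02"),
    ("reply", "192.0.2.1", "aa:bb:cc:00:00:66", "aa:bb:cc:00:00:02"),
]


def run_trace(trace=TRACE):
    watch = ArpWatch(static={"192.0.2.1": GATEWAY_MAC})
    for event in trace:
        if event[0] == "request":
            watch.request(event[1], event[2])
        else:
            watch.reply(event[1], event[2], event[3])
    return watch.alerts, watch.table


if __name__ == "__main__":
    alerts, table = run_trace()
    for alert in alerts:
        print(alert)
    print(table)
```

The monitor cannot stop a host whose own cache accepts the last reply it hears; it gives the operator the signal that a "last one in wins" cache somewhere on the segment has just been poisoned.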

28 Attacking IP Routing
- Types of routing attacks:
  - Dynamic intranet routing: RIP attacks
  - Static intranet routing: ARP poisoning
  - BGP routing: next class
  - Ad hoc wireless network routing
- Goals of routing attacks:
  - Passive: attacker-in-the-middle eavesdropping
  - Active: attacker-in-the-middle modifications
  - (D)DoS
    - Black holes in routing
    - Redirected flooding

29 Outline
- Topic 5.1: TCP/IP Vulnerabilities
  - TCP/IP security problems
  - Attacks
- Topic 5.2: Routing Security
  - BGP security
- Topic 5.3: Attack Mitigation and Countermeasures
- Topic 5.4: Attack Detection

30 AS7007 Incident
- Internet disruption on April 25; a routing black hole
- Accidentally announced routes to the Internet

31 Routing
- Network routing is to determine the desirable path from source to destination
  - Desirability depends on the type of protocol being used

32 Routing Protocols
- Routers speak to each other
  - They exchange topology and cost info
- Each router calculates the shortest path to a destination
- Packets are forwarded along the locally shortest path

33 Routing Security
- An attacker can lie to other routers
- Hop-by-hop authentication is not sufficient
  - The problem is not the link from Z to X
  - Hard because X has no knowledge of Z's real connectivity
[Figure: routers X and Z]

34 Link-cutting Attacks / Wormhole Attacks
- Traffic is diverted
  - The enemy can see the traffic
  - The enemy can easily modify the traffic
  - The enemy can drop the traffic
[Figures: link-cutting attack, wormhole attack]

35 Bellovin's Study on Link Cutting
- Using Link Cuts to Attack Internet Routing, by Bellovin and Gansner

36 Link Cutting Scheme
- If some v_i (a node the attacker controls) is already on the shortest path from s to t, we are done

37 Link Cutting Scheme
- For each v_i, compute the shortest simple path from s to t through v_i. If none exists, no solution is possible

38 Link Cutting Scheme
- Pick the shortest such path P, of length l; set each of its edges to an infinite cut cost, and set all other edges to 1

39 Link Cutting Scheme
- Find the minimal-cost s-t cut

40 Link Cutting Scheme
- For each edge c_i in the cut, remove it if the shortest path from s to t through c_i is less than or equal to l

41 Open Shortest Path First (OSPF)
- Each node announces its own connectivity and link cost
- Re-advertises all information received from peers
- Learns the full map of the network
- Calculates the shortest path from itself to all destinations
  - Limited to a few thousand nodes at most

42 OSPF Security Features
- LSA content: an LSA only includes links to a router's immediate neighbors
- Flooding: every LSA is flooded throughout the AS
  - Everyone sees the whole map
  - A monitoring station can note discrepancies from reality
  - But bad guys can also send out different announcements in different directions
- Fight-back mechanism: when a router receives an LSA of its own that is newer than its last instance, it sends a new LSA
- Bidirectional advertisements: links must be advertised by both ends

43 OSPF Security Features
- Per-link authentication: authenticate each OSPF packet based on a shared secret of all routers on the link
  - MD5(data, key, length)
  - Hop-by-hop: the packet is re-authenticated at each hop
  - Manual key management: many routers share the same key in most ASes
  - Cannot defend against an authorized party being dishonest

44 How to Secure OSPF?
- Digitally sign each routing update (expensive!)
  - OSPF with Digital Signatures, RFC 2154 by Murphy et al.
- Address authorization certificate
  - Each router has certain interfaces: direct network reachability
  - Each router has a certificate binding its public key to its valid addresses
  - The CA has to know the proper addresses for each router (but that's the norm in OSPF environments)

45 OSPF Attacks
- Assume an insider attacker knows the secret key
- Falsifying self LSAs
  - Limited effectiveness
- Falsifying the LSA of a phantom router
  - Can evade fight-back
  - But no direct impact on the routing tables of the routers
- Falsifying a peer's LSA
  - MaxSeq number attack: set seq# to 0x7fffffff
    - Triggers immediate fight-back: the victim router also gets the false LSA
  - Periodic injection: send the forged LSA at a high rate (5 sec by default)
    - Can mute the victim router
    - High maintenance and not stealthy

46 Persistent OSPF Attacks
- Remote False Adjacency attack
  - Trick a remote victim into establishing an adjacency with a phantom router on the victim's local network
  - The attacker impersonates a phantom router on the subnet
  - Even without seeing messages to the phantom router
- Reference: Persistent OSPF Attacks, Gabi Nakibly, Alex Kirshon, Dima Gonikman, Dan Boneh, NDSS

47 Persistent OSPF Attacks
- Remote False Adjacency attack
  - In the Hello protocol: continuously sending the next packet every RTT

48-50 Persistent OSPF Attacks (build slides)
- Remote False Adjacency attack
  - Maintain the attack by periodically sending spoofed Hello packets, ~every 40 seconds
  - Black-hole traffic from all over the AS to a specific subnet
  - Wormhole at the phantom router

51 Persistent OSPF Attacks
- Disguised LSA
  - An LSA is identified by: sequence number, checksum, age
    - The age field tolerates a 15-minute difference
  - The actual payload of the LSA is not used to distinguish LSAs
    - Two LSAs are considered identical/duplicates even if their advertised links are different
  - The attack: falsify an LSA with the same field values
    - The disguised LSA will be viewed as a valid duplicate and does not trigger fight-back
    - However, other routers may not install the LSA, considering it a duplicate
    - Disguise the LSA as the next valid instance of the LSA

52 Persistent OSPF Attacks
- Disguised LSA
  - The attacker can wait for a new valid LSA instance, and flood the disguise to its neighbors
    - Much faster on the part of the AS that is farther from the victim
  - Or: the attacker deliberately triggers the fight-back mechanism with a trigger LSA

53 Persistent OSPF Attacks
- Disguised LSA
  - How to craft the next LSA?
    - SN of the fight-back LSA: SN of the trigger LSA + 1
    - Age is the elapsed time since the LSA's origination; it can simply be set to 0
    - The checksum can be predicted from the predictable header

54 Persistent OSPF Attacks
- Vulnerabilities and fixes
  - The same secret key is used for all links
    - Use different keys
    - Anti source-IP spoofing
  - The master can complete the adjacency protocol without seeing the slave's message
    - Requires a protocol change: ask the Master to prove it has seen a DBD message
    - Backwards compatible: ask to resend with probability p
  - Two LSAs are identical with different content
    - Extend the LSA database by storing a hash of the LSA
  - Fight-back LSA content is predictable
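Slides 51 and 54 together say that OSPF's duplicate test looks only at sequence number, checksum and age, and that storing a hash of the LSA body closes the gap. This added example (not from the slides or the paper) implements the RFC 2328 comparison as written and a link-state database that, when hardened, also compares a content hash and raises an alert instead of silently treating a disguised LSA as a duplicate. The LSAs are constructed; their identical checksum models the attacker's ability, noted on slide 53, to make the header fields match.

```python
import hashlib
from dataclasses import dataclass

MAX_AGE_DIFF = 15 * 60    # seconds; RFC 2328 MaxAgeDiff, the 15-minute tolerance of slide 51


@dataclass(frozen=True)
class LSA:
    ls_type: int
    ls_id: str
    adv_router: str
    seq: int
    checksum: int
    age: int
    links: tuple           # ((neighbor_id, cost), ...), a constructed router-LSA body

    def key(self):
        return (self.ls_type, self.ls_id, self.adv_router)


def standard_compare(new, old):
    """RFC 2328 section 13.1: decide 'newer', 'same' or 'older' from sequence
    number, checksum and age only. The body plays no part."""
    if new.seq != old.seq:
        return "newer" if new.seq > old.seq else "older"
    if new.checksum != old.checksum:
        return "newer" if new.checksum > old.checksum else "older"
    if abs(new.age - old.age) <= MAX_AGE_DIFF:
        return "same"
    return "newer" if new.age < old.age else "older"


def content_hash(lsa):
    """Hash of what the LSA actually advertises (the fix proposed on slide 54)."""
    body = repr((lsa.key(), tuple(sorted(lsa.links)))).encode()
    return hashlib.sha256(body).hexdigest()


class LSDB:
    def __init__(self, hardened):
        self.hardened = hardened
        self.db = {}
        self.hashes = {}
        self.alerts = []

    def receive(self, lsa):
        old = self.db.get(lsa.key())
        if old is None:
            self.db[lsa.key()] = lsa
            self.hashes[lsa.key()] = content_hash(lsa)
            return "installed"
        verdict = standard_compare(lsa, old)
        if verdict == "same":
            if self.hardened and content_hash(lsa) != self.hashes[lsa.key()]:
                self.alerts.append(("disguised-lsa", lsa.key()))
                return "conflict"
            return "duplicate"          # silently dropped: no fight-back is triggered
        if verdict == "older":
            return "older"
        self.db[lsa.key()] = lsa
        self.hashes[lsa.key()] = content_hash(lsa)
        return "installed"


# Constructed LSAs with identical identifying fields but different bodies.
GENUINE = LSA(1, "10.0.0.1", "10.0.0.1", 0x80000005, 0x1A2B, 30,
              (("10.0.0.2", 10), ("10.0.0.3", 10)))
DISGUISED = LSA(1, "10.0.0.1", "10.0.0.1", 0x80000005, 0x1A2B, 45,
                (("10.0.0.2", 10), ("10.0.0.9", 1)))


def scenario(hardened, first, second):
    """Deliver two LSAs in order; return the verdicts, the links now installed
    for the victim router, and any alerts."""
    db = LSDB(hardened)
    results = [db.receive(first), db.receive(second)]
    return results, db.db[GENUINE.key()].links, db.alerts


if __name__ == "__main__":
    print("standard:", scenario(False, DISGUISED, GENUINE))
    print("hardened:", scenario(True, DISGUISED, GENUINE))
```

The order matters, as slide 52 notes: on routers far from the victim the disguised instance arrives first, and under the standard rule the genuine instance that follows is the one discarded as a duplicate.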

55 Border Gateway Protocol (BGP)
- BGP is the protocol used to route packets at the AS level
  - De facto inter-domain protocol of the Internet
- Bellman-Ford path vector protocol
  - Everyone builds a route to every AS in the Internet based on paths received from neighbors
  - Routes are flooded to neighbors: errors affect globally
- No authentication of announcements
- Policy-based routing protocol
  - Path selection is not always the shortest path
  - Policies driven by economics
[Figure: AS-1, AS-2]

56 The BGP Protocol
- AS-path: the sequence of ASes a route traverses
  - Like distance vector, plus additional information
  - Used to detect loops and to apply policy
  - Default choice: route with the fewest number of ASes
[Figure: propagation of a /16 prefix with AS paths through AS 2, AS 3 and AS 5]

57 The BGP Protocol
- BGP messages
  - Open: establish a peering session
  - Keep Alive: handshake at regular intervals
  - Notification: shuts down a peering session
  - Update: announce new routes or withdraw previously announced routes
    - announcement = IP prefix + attribute values

58 BGP Operation: Connection Setup
- A router speaks BGP with another router
  - BGP peers: physically connected routers in different ASes
- Connection setup
  - BGP runs over TCP (port 179)
  - When the router comes online: creates a BGP session with its peers
    - Moves from the Idle state to the Connect state
    - Moves into the Established state when the connection is established

59 BGP Operation: Information Exchange
- Once the BGP session is active, peers exchange routing data through the UPDATE message
  - Announce a list of advertised IP prefixes
  - Withdrawn routes
  - Prefixes with different policy attributes are sent in separate UPDATE messages
- Route setup can create heavy exchanges of messages and be computationally intensive for the router

60 BGP Operation: Path Attributes
- Route decisions
  - Border routers receive many origin announcements/route advertisements, one from each of their peers
  - Choose the best path and send their selection downstream
[Figure: Source to Destination via 4 ASes/4 hops versus 2 ASes/9 hops]

61 BGP Operation: Path Attributes
- BGP attributes help routers choose the best path
  - ORIGIN: shows whether the prefix was learned from interior or exterior routing
  - AS_PATH: a list of ASes that the prefix has passed through during this advertisement
    - The prefix with the fewest ASes is usually preferred
    - Included to prevent looping
  - NEXT-HOP: IP address that is used to reach the advertising router

62 Other Common Path Attributes
- BGP attributes (cont.)
  - MULTI-EXIT DISCRIMINATOR: if two ASes connect in multiple locations, the MED is used by a peer to favor a particular link (with the smaller MED value)
  - LOCAL-PREF: used by the local AS to assign a degree of preference for one link over another for a given prefix
  - ATOMIC-AGGREGATE: lets the router know not to deaggregate an advertisement into more specific prefixes
  - AGGREGATOR: specifies the AS and router that performed aggregation of a prefix

63 BGP Misconfiguration
- One of the largest problems with BGP
  - A leading cause of instability on the Internet
- Many causes: carelessness, poor configuration tools, underspecified network requirements, ...
- Slow detection: may lurk for months or years before it is detected or its effects are felt
  - Changing network topology
  - Unexpected network states
- Reference: Understanding BGP Misconfiguration, Ratul Mahajan, David Wetherall, Tom Anderson, SIGCOMM

64 BGP Misconfiguration
- Methodology:
  - RouteViews BGP listener: route-views2.oregon-ix.net
  - Collected a repository over 3 years from 23 vantage points on the Internet
  - Contacted ASes for information on causes
- Reference: Understanding BGP Misconfiguration, Ratul Mahajan, David Wetherall, Tom Anderson, SIGCOMM

65 BGP Misconfiguration
- Observation 1: errors detected
  - Origin misconfiguration
    - Failure to summarize an address space
    - Prefix hijacking: incorrect advertisement of addresses
  - Improper route export
    - Exporting routes/paths that violate stated ISP policies

66 BGP Misconfiguration
- Observation 2: problems are universal, pervasive, and pathological
  - 3 in 4 new prefix advertisements are the result of misconfigurations
  - About 15 hijacks per day at
- Conclusion: a constant stream of incorrect information is being received by routers
[Figure: prefixes seeing misconfiguration per day, as % of 2002 table size]

67 Attacks Against BGP
- Control plane
  - Timing
  - Availability
- Data plane
  - Origin
  - Path

68 Prefix Hijacking
- An attacker can forge an UPDATE message that claims to originate a known prefix
  - Advertise a prefix for address space belonging to others
  - An organization could decide to be AT&T for a day, and advertise its /8
- Outbound route filtering should catch this
  - Many operators do not perform filtering policy within the AS

69 Black Holes Are Out of Sight
- Short path attack:
  - If another AS advertises one of our prefixes,

70 Black Holes Are Out of Sight
- The prefix becomes unreachable from the part of the net believing C4's announcement

71 [Figure only]

72 Longer Prefix Attack
- B owns 10.0/16. Z sees <10.0/16, {W, B}>
- When A advertises <10.0.0/17, {A, W}>
  - Z will route packets for the /17 to A: it has a longer prefix
  - Black holes
  - W will never see that path, and hence won't pass it to B: the path (falsely) contains W, so it will be rejected by W

73 Prefix Destabilization
- An attacker can cause BGP dampening at the victim peer
  - By forcing route flapping on a given link
- Routes that flap are penalized by being suppressed
  - The period of suppression increases depending on how many times the BGP session changes state and the length of the prefix
  - Longer prefixes are penalized more than shorter ones

74 Path Modification
- BGP is a path-vector protocol, so the length of the path is a major factor in accepting a route
- AS path prepending can be used to bias a route (adding the same AS number repeatedly to a route)
- An attacker with the ability to modify the AS path can force traffic to follow patterns it otherwise wouldn't

75 Path Forgery
- If an AS_PATH attribute is completely forged, the attacker has even more control over traffic
  - Allows traffic analysis
  - Traffic is engineered in the direction the attacker desires
  - Leads to black holes
    - As previously discussed

76 Policy Modification
- By modifying policy attributes, traffic can be biased in certain ways and routing can be compromised
- Example:
  - Changing the MED or Local_Pref values can cause suboptimal routing within the peer's or local AS

77 Spoofing
- A forged BGP OPEN message can bring down a connection
  - If a connection is in the process of being opened, an attacker sending an OPEN message can cause a collision
  - The legitimate connection would be terminated
- Similarly, a BGP KEEPALIVE sent while peers are connecting will cause the session to fail
  - KEEPALIVE messages are heartbeat messages to ensure the BGP connection exists
  - If peers are in the Connect, Active or OpenSent state

78 Availability Attacks
- Modifying BGP timers
  - KeepAlive timer, Hold timer and OpenDelay timer
  - If the attacker gains control of a timer and alters it, messages and the connection itself may be dropped
- Forged NOTIFICATION message
  - NOTIFICATION indicates an error
  - Whenever this message is passed, the connection is brought down and the peer states change to Idle
- Syntax or parse errors in BGP messages
  - If a packet is malformed, values are invalid or message headers contain errors, the peer will drop the connection

79 Route Flooding
- Any attack that causes a connection to bounce
  - Will force peers to dump their routing tables to it
  - Overwhelms the router, depending on the number of routes it receives
  - Computationally and bandwidth intensive
- E.g., route flapping
  - Penalized by BGP dampening algorithms that force suppression of the advertisement

80 Physical Attacks
- Physical destruction of the router
  - As always, network security is dependent on physical security
- Link cutting
- Taking control of the router
  - For example, exploiting a buffer overflow (such as the SNMP attack) can cause the router to reboot
- If the attacker knows the network topology, bringing down certain links (through DoS attacks, or a backhoe) can force traffic into the pattern they desire

81 BGP Security Problems Revisited
- We have reviewed types of BGP attacks:
  - BGP identity
    - Validating the membership of BGP routers in declared ASes
    - IP spoofing
  - BGP content
    - Path validation
    - Prefix hijacking, black holes
    - Host impersonation

82 BGP Security Problems Revisited
- Security problems from BGP sessions:
  - Changing of IP prefixes and AS numbers
  - Changing of routing policy and route attributes
- Security problems from TCP connections:
  - Passive attacks against confidentiality
  - Insertion, deletion, modification, and replaying of messages
  - DoS attacks: typical TCP DoS, route flapping and link cutting

83 Solving BGP Security
- Most deployed techniques for securing BGP have been at the local level
- Filtering: drop invalid BGP messages when they are passed between ASes
  - Ingress filtering (as a route is received)
  - Egress filtering (as it is sent)
- Types of filtering
  - By prefix (e.g., bogon/martian list)
  - By path (e.g., customer advertisement of provider routes)
  - By policy (e.g., community strings that represent paths/policies that an AS does not want to support)
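Slide 83's three kinds of filtering are the local answer to the origin and path attacks of slides 68 and 72. The following added example (not the slides' code) is an ingress filter that evaluates one UPDATE against a martian list, a ROA-like table of expected origins with a maximum prefix length (which catches the longer-prefix attack), and a customer/provider relationship table for the path rule. Prefixes, AS numbers and relationships are constructed; the authorisation table is an assumption standing in for whatever registry data an operator has.

```python
import ipaddress

# Bogon/martian prefixes that must never appear in a routing announcement (subset).
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# Constructed authorisation table (what a ROA would provide):
# covering prefix -> (origin AS, maximum prefix length allowed to be announced).
AUTHORIZED = {
    ipaddress.ip_network("203.0.113.0/24"): (64500, 24),
    ipaddress.ip_network("198.51.100.0/22"): (64501, 24),
}

# Constructed peer relationships used by the path filter.
PEERS = {65010: "customer", 65020: "provider", 65030: "peer"}


def authorization_for(prefix):
    for net, (asn, maxlen) in AUTHORIZED.items():
        if prefix.subnet_of(net):
            return asn, maxlen
    return None


def evaluate(prefix_str, as_path, from_peer):
    """Return the list of reasons to reject an UPDATE, or ['accept'].
    as_path is written origin-last, the order in which it is read from the wire."""
    prefix = ipaddress.ip_network(prefix_str)
    origin = as_path[-1]
    reasons = []
    if any(prefix.subnet_of(b) for b in BOGONS):
        reasons.append("bogon-prefix")
    if as_path[0] != from_peer:
        reasons.append("path-does-not-start-with-peer")
    auth = authorization_for(prefix)
    if auth is not None:
        asn, maxlen = auth
        if origin != asn:
            reasons.append(f"origin-mismatch: expected AS{asn}, got AS{origin}")
        if prefix.prefixlen > maxlen:
            reasons.append(f"more-specific-than-allowed: /{prefix.prefixlen} > /{maxlen}")
    if PEERS.get(from_peer) == "customer" and any(PEERS.get(a) == "provider" for a in as_path):
        reasons.append("customer-leaking-provider-route")
    return reasons or ["accept"]


# Constructed UPDATEs: (prefix, AS_PATH, peer it came from).
UPDATES = [
    ("203.0.113.0/24", [65020, 64500], 65020),           # legitimate
    ("203.0.113.0/25", [65010, 64500], 65010),           # the longer-prefix attack of slide 72
    ("203.0.113.0/24", [65010, 65999], 65010),           # origin hijack (slide 68)
    ("192.168.1.0/24", [65020, 65020], 65020),           # martian
    ("198.51.100.0/22", [65010, 65020, 64501], 65010),   # customer re-exporting a provider route
]


def run_filter():
    return [evaluate(*u) for u in UPDATES]


if __name__ == "__main__":
    for update, verdict in zip(UPDATES, run_filter()):
        print(update, "->", verdict)
```

In slide 72's terms, B's /16 with a maximum length of 16 would make A's /17 fail the length check at Z regardless of the AS path A attaches, which is why the maximum-length rule, not origin matching alone, is what defeats the longer-prefix attack.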

84 Solving BGP Security
- Most deployed techniques for securing BGP have been at the local level
- Securing BGP peering: protect peer communications with BGP-speaking routers
  - Integrity
  - Confidentiality
  - Authenticity
  - Non-repudiation
- Note: this is really a transport security issue, securing point-to-point communications

85 Generalized TTL Security Mechanism (GTSM)
- TCP time-to-live: RFC
  - At a packet's origin, the TTL is set to the maximum number of hops that the packet can traverse
  - The TTL is decremented at each hop
  - Packets are dropped when the TTL goes to 0
  - Packets stuck in transient routing loops do not congest the network
- Idea: use the TTL to ensure that every packet received came from the peer (assuming one hop)
  - Set TTL = 255 (Q: how about TTL = 1?)
  - The receiver checks the TTL on all packets
  - If not 254, it is forged
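The question on slide 85 ("how about TTL = 1?") has a neat answer once the check is written down. The following added example (not the slide's code) models a packet's TTL after a number of forwarding routers and asks, for each scheme, whether a sender at a given distance can pick any initial TTL that passes the receiver's test. The expected value defaults to 255 as in RFC 5082; the slide's 254 is the same rule counted after the receiver's own decrement, and the parameter is there for that convention.

```python
MAX_TTL = 255


def ttl_on_arrival(initial_ttl, router_hops):
    """TTL the receiving BGP speaker sees after `router_hops` intermediate routers
    have each decremented it. None means the packet expired on the way."""
    ttl = initial_ttl - router_hops
    return ttl if ttl > 0 else None


def gtsm_check(arrival_ttl, expected=MAX_TTL):
    """RFC 5082 rule for a directly connected peer: the TTL must still be 255.
    Pass expected=254 for a stack that counts its own decrement, as slide 85 does."""
    return arrival_ttl == expected


def ttl1_check(arrival_ttl):
    """The 'TTL = 1' idea: the sender sets TTL 1 so its own packets cannot leave
    the link, but the receiver verifies nothing about what arrives."""
    return arrival_ttl is not None


def remote_sender_can_pass(check, router_hops):
    """Can a sender `router_hops` routers away choose an initial TTL (1..255) such
    that the packet both arrives and passes `check`? 0 hops is the genuine neighbour."""
    return any(check(ttl_on_arrival(t, router_hops)) for t in range(1, MAX_TTL + 1))


def report():
    return {
        "gtsm: direct peer accepted": remote_sender_can_pass(gtsm_check, 0),
        "gtsm: sender 1 router away accepted": remote_sender_can_pass(gtsm_check, 1),
        "gtsm: sender 12 routers away accepted": remote_sender_can_pass(gtsm_check, 12),
        "ttl=1 scheme: sender 12 routers away accepted": remote_sender_can_pass(ttl1_check, 12),
    }


if __name__ == "__main__":
    for line, verdict in report().items():
        print(f"{line}: {verdict}")
```

Setting a low TTL protects the sender's packets from travelling too far; only a high TTL checked on receipt protects the receiver, because no sender behind even one router can deliver a packet whose TTL is still 255.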

86 Cryptographic Tools
- Cryptographic tools provide the underlying security for proposed and future BGP solutions:
  - Pairwise keying
    - Cryptographic hash functions
    - Message authentication codes
    - Diffie-Hellman key negotiation
  - Public key infrastructure
    - Public key cryptographic primitives
    - Certificates and attestations

87 TCP-MD5 Signature
- A simple solution: RFC 2385 adds an MD5 digest to a TCP segment
  - Share a private secret (e.g., a password)
  - Compute a keyed MAC on each TCP packet passed between the two routers
  - Check the MAC upon receipt of each packet
- It provides integrity and authenticity
  - Defends against TCP spoofing and hijacking
- However, it's costly in implementation
  - Uses a static shared secret: lack of periodic rekeying
  - Needs manual configuration, which neither scales to many routers nor supports key maintenance

88 Hop Integrity Protocols
- How to avoid manual configuration?
- Idea: [Gouda et al. 2000]
  - Diffie-Hellman key negotiation: obtaining secret keys using public-key techniques
  - A weak protocol: per-hop integrity (MAC)
  - A strong protocol: adding replay protection (sequence numbers)
- Provides peer source authentication and data
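Slides 87 and 88 differ in one property that the summary table on slide 91 makes explicit: whether a captured segment can be replayed. This added example (not from the slides or RFC 2385) renders the RFC 2385 digest construction (pseudo-header, TCP header with zeroed checksum, data, key) in simplified form, shows that a tampered segment fails while an exact replay still verifies, and then implements the "strong" hop-integrity variant whose MAC covers a sequence number the receiver tracks. The keys, addresses and payloads are constructed; the session key stands in for one that Diffie-Hellman would negotiate.

```python
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass


@dataclass
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    payload: bytes
    digest: bytes = b""


def tcp_md5_digest(seg, key):
    """Input to the RFC 2385 digest: IP pseudo-header, TCP header with the checksum
    zeroed (options excluded), segment data, then the key. Simplified rendering:
    a fixed 20-byte header with window 65535 and no urgent pointer."""
    tcp_len = 20 + len(seg.payload)
    pseudo = socket.inet_aton(seg.src) + socket.inet_aton(seg.dst) + struct.pack("!BBH", 0, 6, tcp_len)
    header = struct.pack("!HHIIBBHHH", seg.sport, seg.dport, seg.seq, seg.ack,
                         5 << 4, seg.flags, 65535, 0, 0)
    return hashlib.md5(pseudo + header + seg.payload + key).digest()


def sign_tcp_md5(seg, key):
    seg.digest = tcp_md5_digest(seg, key)
    return seg


def verify_tcp_md5(seg, key):
    return hmac.compare_digest(tcp_md5_digest(seg, key), seg.digest)


class HopIntegrityReceiver:
    """The 'strong' per-hop protocol of slide 88: a MAC over the message plus a
    monotonically increasing sequence number, so a captured message cannot be
    replayed. HMAC-SHA256 is the MAC; the session key is assumed negotiated."""

    def __init__(self, session_key):
        self.key = session_key
        self.last_seen = -1

    @staticmethod
    def tag(key, seqno, payload):
        return hmac.new(key, struct.pack("!Q", seqno) + payload, hashlib.sha256).digest()

    def accept(self, seqno, payload, tag):
        if not hmac.compare_digest(self.tag(self.key, seqno, payload), tag):
            return "bad-mac"
        if seqno <= self.last_seen:
            return "replay"
        self.last_seen = seqno
        return "ok"


def demo():
    key = b"constructed-shared-secret"
    seg = sign_tcp_md5(Segment("192.0.2.1", "192.0.2.2", 179, 40001, 1000, 2000, 0x18,
                               b"UPDATE: withdraw 203.0.113.0/24"), key)
    tampered = Segment(**{**seg.__dict__, "payload": b"UPDATE: withdraw 203.0.113.0/23"})
    results = {
        "tcp-md5 genuine": verify_tcp_md5(seg, key),
        "tcp-md5 tampered": verify_tcp_md5(tampered, key),
        "tcp-md5 replayed": verify_tcp_md5(seg, key),   # the same bytes verify again
    }
    rx = HopIntegrityReceiver(b"constructed-session-key")
    t = HopIntegrityReceiver.tag(rx.key, 1, seg.payload)
    results["hop first delivery"] = rx.accept(1, seg.payload, t)
    results["hop replayed"] = rx.accept(1, seg.payload, t)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

TCP's own sequence numbers give some replay resistance in practice, but they are not part of what the receiver checks against a counter, which is the point the slide 88 "strong protocol" adds.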

89 Smith's Countermeasures
- Smith et al. proposed five countermeasures to secure inter-domain routing
  1. Encrypt all BGP messages between peers
     - Provides hop integrity
  2. Add a message sequence number to all BGP messages
     - Protects against message replay and deletion
  3. Add a sequence number (or timestamps) to UPDATEs
     - Protects against route replay
  4. Add a PREDECESSOR path attribute to UPDATEs
     - Provides path validation
  5. Digitally sign all the UPDATEs
     - Protects against route forgery
- An ad hoc suite of countermeasures that goes beyond basic peer security

90 IPsec
- IPsec provides all the basic guarantees needed to implement router-to-router BGP security
  - Independent of intermediate connectivity
  - IKE/ISAKMP used to establish transient keys
    - Avoids cryptanalysis of long-term keys
  - ESP/AH provide confidentiality, integrity, replay protection, ...
- Problems:
  - Key management: rekeying is an issue
  - Overheads can be expensive if not managed correctly

91 Peer Session Summary

  Mechanism       Integrity   Confidentiality   Replay Prevention   DoS Prevention
  GTSM            no          no                no                  no
  MD5 Integrity   yes         no                yes                 no
  HOP Protocol    yes         no                yes                 no
  Smith et al.    yes         yes               yes                 no
  IPsec (AH)      yes         no                yes                 yes
  IPsec (ESP)     yes         yes               yes                 yes

- GTSM and MD5 are used for their low cost and are easy to implement
- IPsec can provide a long-term solution
  - AH/ESP without confidentiality is popular
  - Forms the base for comprehensive BGP security solutions

92 BGP Security Protocols
- Incremental solutions: locally implemented, limited interaction with external parties
  - Defensive filtering (IP prefixes, AS paths, policies)
  - Protection of underlying TCP connections
- More comprehensive architectures have been proposed to solve the BGP security issue
  - S-BGP (Secure Border Gateway Protocol): [Kent et al. 99]
  - SPV (Secure Path Vector Routing): [Hu et al. 2004]
  - soBGP (Secure Origin BGP): [White et al. 03]
  - IRV (Internet Routing Validation): [Goodell et al. 03]

93 Four Goals
1. Is the AS originating the prefix authorized to advertise it?
   - An advertisement for a /24 originating in AS65500. How to verify that AS65500 is supposed to advertise this prefix?
2. Does the AS advertising the prefix actually have a path to it?
   - An advertisement from a BGP peer in AS65501 that it can reach the /24
   - How to verify that AS65501 actually has a path to the AS originating the /24?

94 Four Goals
3. Is the peer advertising the route authorized by the originator or owner of the destination to advertise a path to the destination?
   - An advertisement for the /24 originating in AS65500 from a BGP peer in AS65501. Is AS65501 authorized to do so?
4. Does the path advertised by a peer AS fall within the policies the local network administrators have set forth?
   - Is the AS path advertised by the peer an acceptable path to send the traffic along?

95 S-BGP
- Secure BGP was the first leading candidate for routing security
  - Still under consideration, but somewhat limited
- Goal:
  - Verify the IP prefix and AS number of UPDATEs
  - Authenticate the party that uses them in routing advertisements
- Method:
  - Sign origination and routing announcements
  - Validate path attributes in UPDATEs via the use of digital signatures and public key certificates

96 S-BGP PKIs
- Implementation begins with two PKIs
  - Organization PKI
    - Binding routers to organizations to ASes
    - Keys for routers, AS numbers
  - Origin authentication PKI
    - Authenticating address blocks
- How is trust formalized?
  - Through a resource allocation hierarchy
  - SIDR working group, regional registries

97 S-BGP
- S-BGP includes:
  - Address attestations
    - The owner of a prefix authorizes an AS to originate routes to the prefix
  - Route attestations
    - An AS authorizes a neighbor to advertise the prefix
  - IPsec
    - Provides point-to-point security between routers
    - ESP is commonly used for authentication, data integrity and anti-replay

98 Address Attestations
- Attestations of
  - Prefix ownership
  - Delegation
    - E.g., organization A delegates a prefix to organization
- S-BGP distributes address attestations out-of-band
  - Signing and distribution use external interfaces or services other than BGP
  - Everyone is required to obtain and validate their own copies of ownership/origin
  - Through the validation of a delegation chain from IANA to the advertising AS

99 Route Attestations
- Attestations of the transient state of the network advertisements/routes
  - Distributed as a new attribute in BGP UPDATEs
  - Signed recursively by each AS as it traverses the network
  - Each advertisement signs everything it receives, plus the last hop
- Nested signatures
  - Indicate the order of ASes traversed
  - The adversary cannot add or remove intermediate ASes
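The nesting described on slide 99 is easiest to see in code. The following added example (not from the slides or the S-BGP specification) has each AS sign the prefix, the path so far, the neighbour it is forwarding to, and every attestation it received; the receiver recomputes the chain from the origin outward, and also checks the origin against an address attestation in the sense of slide 98. Per-AS HMAC keys stand in for the public-key signatures S-BGP uses, which is why the verifier here shares the keys; a real verifier holds only certificates. AS numbers, the prefix and the keys are constructed.

```python
import hashlib
import hmac
import json

# Constructed per-AS keys. S-BGP uses public-key signatures; HMAC keys stand in
# here so the example runs without a certificate library.
AS_KEYS = {64500: b"key-64500", 64501: b"key-64501", 64502: b"key-64502", 64503: b"key-64503"}

# Constructed address attestation (slide 98): which AS the prefix owner authorised to originate.
ADDRESS_ATTESTATION = {"203.0.113.0/24": 64500}


def _sign(asn, payload):
    return hmac.new(AS_KEYS[asn], payload, hashlib.sha256).hexdigest()


def _payload(prefix, path_so_far, next_as, prev_attestations):
    # Each AS signs the prefix, the path up to itself, the neighbour it sends to,
    # and every attestation it received: the nesting slide 99 describes.
    return json.dumps({"prefix": prefix, "path": path_so_far, "next": next_as,
                       "prev": prev_attestations}, sort_keys=True).encode()


def attest(prefix, path_so_far, next_as, prev_attestations):
    """Called by path_so_far[-1] before forwarding the UPDATE to next_as
    (paths are written origin-first here)."""
    signer = path_so_far[-1]
    return prev_attestations + [_sign(signer, _payload(prefix, path_so_far, next_as, prev_attestations))]


def verify(prefix, path, receiver_as, attestations):
    """Receiver checks the origin authorisation, then recomputes every nested
    attestation from the origin outward."""
    if ADDRESS_ATTESTATION.get(prefix) != path[0]:
        return False
    if len(attestations) != len(path):
        return False
    for i, asn in enumerate(path):
        if asn not in AS_KEYS:
            return False
        next_as = path[i + 1] if i + 1 < len(path) else receiver_as
        expected = _sign(asn, _payload(prefix, path[:i + 1], next_as, attestations[:i]))
        if not hmac.compare_digest(expected, attestations[i]):
            return False
    return True


def scenario():
    """Constructed propagation 64500 -> 64501 -> 64502 -> 64503, then three
    manipulations attempted by 64502, which holds its own key only."""
    prefix = "203.0.113.0/24"
    a1 = attest(prefix, [64500], 64501, [])                    # origin -> 64501
    a2 = attest(prefix, [64500, 64501], 64502, a1)             # 64501 -> 64502
    a3 = attest(prefix, [64500, 64501, 64502], 64503, a2)      # 64502 -> 64503
    shortened = attest(prefix, [64500, 64502], 64503, a1)      # 64501 dropped from the path
    return {
        "genuine": verify(prefix, [64500, 64501, 64502], 64503, a3),
        "intermediate AS removed": verify(prefix, [64500, 64502], 64503, shortened),
        "phantom AS inserted": verify(prefix, [64500, 64501, 64999, 64502], 64503,
                                      a2 + ["00" * 32, a3[-1]]),
        "origin forged": verify(prefix, [64502], 64503, attest(prefix, [64502], 64503, [])),
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {'valid' if ok else 'rejected'}")
```

The shortened path fails not because 64502 cannot sign (it can) but because 64500's attestation names 64501 as the next hop, and that attestation is nested inside everything that follows; the cost side of slide 100 is equally visible, since every receiver redoes one signature check per AS on the path.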

100 S-BGP Issues 0 Lack of single point of trust 0 Is there any authority that everyone will trust to provide address/route certification? 0 Chinese Military vs. NSA? 0 Cost 0 Validating signatures is very computationally expensive 0 Can a router sustain the load? 0 Incremental deployability 0 It requires changes to BGP message formats 0 So all implementations must change 0 Should avoid flag day type of changes 100

101 sobgp 0 Secure Origin BGP 0 CISCO s entry in the securing Internet routing rodeo 0 Proposed by Russ White and others in Cisco Systems 0 Viewed as the manufacturer approach to implementing security within BGP 0 Released as a kind of refutation of S-BGP, which was seen as too expensive and unwieldy to be practical 0 An open model that allows providers to implement security much more flexibly 0 Within the confines of existing policy and infrastructure 101

102 sobgp Design Requirements 0 Must not rely on a central authority of any type 0 Distributed processing and trust 0 Provide some level of security without the participation of every AS 0 Must be incrementally deployable 102

103 soBGP Solution Overview 0 Basic idea 0 Network providers act as a joint authority 0 Issue certificates for all relevant routing data 0 E.g., policy, address management, paths 0 Solution overview 1. Verify that the originator of a route is authorized to do so 0 That is, the advertised AS path represents a valid path to the originator 0 Uses a topology database; a forged path can still be plausible 103

104 soBGP Solution Overview 2. Add a new BGP SECURITY message (extension to BGP) 0 Carries security information; address attestation is distributed in-band 0 No changes to existing messages, for backwards compatibility and incremental deployment 0 Removal of messages? 3. Leverage existing protocol and security mechanisms 0 Fixed additional scalability requirements 0 Per-AS information and route policies advertised once 0 Caching? 4. No additional information in UPDATEs 0 Low processing impact (sort of) 104

105 Certificates 0 soBGP defines a PKI for authenticating and authorizing entities and organizations 0 Three types of certificates 0 Entity Certificate 0 Establishes AS identity 0 Authorization Certificate 0 Assigns/delegates IP prefix 0 Policy Certificate 0 Defines per-AS or per-prefix policies 0 Propagates AS inter-connectivity topology map 105

106 Entity Certificates 0 EntityCert identifies which router is associated with which AS 0 Ties an AS number with a public key 0 Certificate exchanges/trust relations are not yet defined 0 Prior to or within routing exchanges 0 Uses Web-of-Trust model 0 Root keys distributed out-of-band 0 Validate other certificates 106

107 Authorization Certificates 0 AuthCert defines the delegation of address space 0 Ties an AS to a block of IP addresses 0 Similar to S-BGP origin authentication 0 Address attestation 0 Different from S-BGP 0 OA is distributed in-band 0 Using the SECURITY message 0 Per-Prefix Policy Certificates 0 AuthCert is not distributed alone 0 Wrapped in a PrefixPolicyCert 0 With policies of the originator 107

108 Path Authentication 0 Verify whether the advertiser of a route actually has a path to the destination 0 With AuthCert 0 Each soBGP router builds a local topology database 0 A table of address blocks and corresponding ASs 0 Build a topology map of paths of the entire internetwork 0 ASPolicyCert: a list of an AS's peers 0 Router can form a global topology database and a static topology graph 108

109 Policy Certificates 0 Pairwise signing: the topology database contains peering attestations 109

110 Global Topology Map 0 Two-way connectivity check 0 If receives an update from Check if connects to ASPolicyCert of ASPolicyCert of Check if connects to ASPolicyCert of ASPolicyCert of

111 Path Plausibility 0 Issues in checking path authenticity 0 Original S-BGP is dynamic: via UPDATE message 0 soBGP topology database and graph are fundamentally static 0 Route attestation is static: changes only when a new policy certificate is issued and accepted 0 So, issues occur in topology update and synchronization across ASs 0 Is Path Authentication stronger than Path Plausibility? 0 Each AS signature in S-BGP authenticates a relationship between itself and its predecessor and successor ASs 0 The set of acceptable AS paths in S-BGP is a subset of the set of paths acceptable under soBGP 111

112 Path Plausibility 0 S-BGP nested route attestation for the path 1, 2, 3, 4, 5 (subscript = signing AS): (5,(4,(3,(2,1)_2)_3)_4)_5 0 soBGP pairwise peering attestations: (5,4)_4 (4,3)_3 (3,2)_2 (2,1)_1 0 Q1: Is path lengthening possible in soBGP but not S-BGP? 0 Q2: Is path shortening possible in S-BGP but not soBGP? 0 Assuming no colluding adversaries and full deployment 0 soBGP: path shortening violates the topology database 112
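Added example (not from the slides): the soBGP checks described above, in Python. The AuthCert and ASPolicyCert contents are constructed and assumed already signature-verified; the topology database is built with the two-way connectivity check (an edge exists only if both ASs list each other), an origin is accepted only if an AuthCert names it, and a path is plausible if every hop is a verified adjacency. The cases answer Q1 and Q2 above: a forged longer path over real adjacencies is accepted (path lengthening), while a path that skips an AS is rejected (path shortening violates the topology database).

```python
# Constructed certificate contents (already signature-checked, by assumption).
AUTH_CERTS = {"10.0.0.0/8": 1}       # prefix -> authorised origin AS
POLICY_CERTS = {                    # AS -> peers it claims in its ASPolicyCert
    1: [2, 4],
    2: [1, 3],
    3: [2, 4],
    4: [1, 3, 5],
    5: [4],
    6: [4],   # AS 6 claims AS 4 as a peer, but AS 4 does not list AS 6
}


def build_topology(policy_certs):
    """Two-way connectivity check: keep edge A-B only if A's ASPolicyCert lists
    B and B's ASPolicyCert lists A. One-sided claims are ignored."""
    edges = set()
    for a, peers in policy_certs.items():
        for b in peers:
            if a in policy_certs.get(b, ()):
                edges.add(frozenset((a, b)))
    return edges


def origin_authorised(prefix, origin_as, auth_certs):
    return auth_certs.get(prefix) == origin_as


def path_plausible(as_path, edges):
    """Plausible if every consecutive pair is a verified adjacency and no AS
    repeats (a looping path is not a valid advertisement)."""
    if len(set(as_path)) != len(as_path):
        return False
    return all(frozenset(pair) in edges for pair in zip(as_path, as_path[1:]))


def check_update(prefix, as_path, auth_certs, policy_certs):
    """as_path is origin first, advertiser last. Returns (accepted, reason)."""
    if not origin_authorised(prefix, as_path[0], auth_certs):
        return False, "origin not authorised for prefix"
    if not path_plausible(as_path, build_topology(policy_certs)):
        return False, "path not plausible in topology database"
    return True, "accepted"


def demo():
    """Updates as received by AS 5 (constructed). AS 4 really learned the prefix
    directly from AS 1, yet the longer path [1, 2, 3, 4] consists of real
    adjacencies, so soBGP accepts it: plausibility, not authentication."""
    prefix = "10.0.0.0/8"
    cases = {
        "true_path": [1, 4],
        "forged_lengthening": [1, 2, 3, 4],
        "shortened_non_adjacent": [1, 3, 4],
        "one_sided_peering": [1, 4, 6],
        "loop": [1, 2, 1, 4],
        "unauthorised_origin": [2, 3, 4],
    }
    return {name: check_update(prefix, path, AUTH_CERTS, POLICY_CERTS)[0]
            for name, path in cases.items()}


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:24s} {'accept' if accepted else 'reject'}")
```

Note that no per-UPDATE cryptography happens here: all signature work was done once, when the certificates were received, which is the scalability argument made for soBGP.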

113 soBGP vs S-BGP 0 The similarities: 0 Both secure only the control plane 0 Both do origin authentication 0 Both cannot defend against colluding adversaries (using a wormhole in S-BGP, using two lying PolicyCerts in soBGP) 0 Both are only fuzzily effective if incrementally deployed
0 The differences:
                      soBGP                        S-BGP
  Trust model         Web of Trust                 PKI
  Security level      Fuzzy                        Fixed
  Message changes     New SECURITY message         Signed UPDATE messages
  Per-UPDATE crypto   No crypto per UPDATE msg     Crypto required per UPDATE msg
  Path check          Path plausibility (static)   Path authentication (dynamic)
113

114 Outline 0 Topic 5.1: TCP/IP Vulnerabilities 0 TCP/IP security problems 0 Topic 5.2: Routing Security 0 BGP security 0 Topic 5.3: Attack Mitigation and Countermeasures 0 Topic 5.4: Attack Detection 114

115 DoS & DDoS 0 Recall ICMP flood 0 Attack type 1: Ping flood 0 Send huge amounts of ICMP messages to block computational resources and crash some TCP/IP stacks 0 ICMP messages need to be processed at the destination 0 Attack type 2: Smurf attack 0 Initiate ICMP storms by sending to a broadcast address 0 ICMP echo requests need to be answered with an ICMP echo response 0 Recall UDP flood: Fraggle attack 0 Targets small-bandwidth connections 0 UDP is not congestion aware 115

116 Packet Filtering
0 To filter out attack packets and drop them
0 E.g., ACL that looks for ICMP unreachable messages
  Router(config)# <--permit and deny other types of traffic-->
  Router(config)# access-list 100 deny icmp any any unreachable
0 E.g., ACL that blocks UDP traffic to port 1434
  Router(config)# access-list 100 deny udp any any eq 1434
0 E.g., ingress filtering on perimeter routers to forbid inbound packets from non-routable networks
  Router(config)# interface type [slot_#/]port_#
  Router(config-if)# no ip unreachables
116

117 Packet Filtering 0 Filterable and non-filterable attacks 0 Are flood packets critical for the service offered by the victim? 0 ICMP ping flood on a Web server 0 HTTP request flood on a Web server 0 DNS request flood on a name server 0 If the flood packets request legitimate services, filtering out the packet would result in DoS to both attackers and legitimate users 117

118 Rate Limiting 0 For non-filterable attacks and DDoS attacks 0 Enforcing rate limiting to limit the impact of the attack on the target network 0 Allows a router to control the transmission rate of specific flows 0 If attack flows can be identified they can be rate-limited 0 E.g., Cisco router enables ICMP rate-limiting feature Router(config)# ip icmp rate-limit unreachable [df] milliseconds 0 If packets arrive at a higher rate they will be queued or dropped 118

119 Rate Limiting
0 Committed Access Rate (CAR)
0 Limits traffic entering or leaving an interface
0 Match on any of the following criteria: IP traffic, IP precedence value, MAC address, or permit statements in an ACL
  Router(config-if)# rate-limit {input | output} [access-group [rate-limit] acl-index] bps burst_normal burst_max conform-action action exceed-action action
0 E.g., rate limit Smurf traffic
  ISP(config)# access-list 100 permit icmp any any echo
  ISP(config)# access-list 100 permit icmp any any echo-reply
  ISP(config)# interface serial0
  ISP(config-if)# rate-limit output access-group conform-action transmit exceed-action drop
119

120 Rate Limiting 0 Rate limiting is deployed 0 when the attack detection has a high number of false positives 0 or when it cannot precisely characterize the attack stream 0 However, legitimate users will experience degraded service 0 Challenges 0 How to distinguish good and bad packets? 0 How to handle packets with spoofed source addresses? 120

121 Rate Limiting 0 Aggregate-based Congestion Control and Pushback 0 Aggregate: a subset of traffic with an identifiable property 0 E.g., TCP SYN packets, packets to destination D, ... 0 pushbackd periodically updates the rate limiter's parameters [Figure: partial view of a router with "bad" and "good" traffic; link R8-D is congested] Implementing Pushback: Router-Based Defense Against DDoS Attacks, Ioannidis et al., NDSS

122 Rate Limiting 0 A congestion signature is the common property of the congested flows 0 Determined using the drop set: a sample of the dropped packets 0 Input interface, output interface, timestamp, packet size, reason 0 A large number of dropped packets indicates congestion 0 Identifying responsible aggregates 0 Detects aggregates based only on IP destination address 0 If w_i > (1 + d%) w_o, match the destination address of each dropped packet against the routing table 0 Sort the drop set with the prefix as the key 0 Count to find the most frequent prefix: the congestion signature 122
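Added example (not from the slides or the pushback paper's code): the congestion-signature step above run over a constructed drop set. The routing table, the drop records (including a destination address, which the matching step needs) and the rates w_i and w_o are all made up for the example; the threshold test w_i > (1 + d%) w_o, the longest-prefix match of each dropped packet's destination, and the count of the most frequent prefix are the steps the slide describes.

```python
import ipaddress
from collections import Counter

# Constructed routing table of the congested router (longest-prefix-match).
ROUTING_TABLE = [ipaddress.ip_network(p) for p in
                 ("10.1.0.0/16", "10.1.5.0/24", "192.0.2.0/24", "0.0.0.0/0")]

# Constructed drop set: a sample of packets dropped at output interface "R8-D"
# (input if, output if, timestamp, size, reason, destination address).
DROP_SET = [
    ("R1", "R8-D", 1000.01, 1500, "queue full", "10.1.5.7"),
    ("R2", "R8-D", 1000.02, 1500, "queue full", "10.1.5.7"),
    ("R3", "R8-D", 1000.02, 64, "queue full", "10.1.5.9"),
    ("R1", "R8-D", 1000.03, 1500, "queue full", "10.1.5.7"),
    ("R2", "R8-D", 1000.04, 1500, "queue full", "10.1.5.7"),
    ("R1", "R8-D", 1000.05, 576, "queue full", "10.1.5.7"),
    ("R3", "R8-D", 1000.05, 1500, "queue full", "10.1.5.12"),
    ("R2", "R8-D", 1000.06, 1500, "queue full", "10.1.9.2"),
    ("R1", "R8-D", 1000.07, 1500, "queue full", "10.1.200.4"),
    ("R3", "R8-D", 1000.08, 1500, "queue full", "203.0.113.5"),
]


def longest_prefix_match(dst, table):
    addr = ipaddress.ip_address(dst)
    return max((n for n in table if addr in n), key=lambda n: n.prefixlen)


def congestion_signature(drop_set, w_in, w_out, d_percent, table):
    """Destination-prefix congestion signature. w_in/w_out are the offered and
    drained rates of the output link (bits/s). Returns (prefix, share of drops)
    or None when the link is not congested by more than d%."""
    if w_in <= (1 + d_percent / 100.0) * w_out:
        return None
    # Map each dropped packet's destination to its routing-table prefix ...
    prefixes = [str(longest_prefix_match(drop[5], table)) for drop in drop_set]
    # ... and count: the most frequent prefix is the responsible aggregate.
    prefix, count = Counter(prefixes).most_common(1)[0]
    return prefix, count / len(drop_set)


def matches_signature(dst, signature_prefix):
    """Rate-limiter predicate: only traffic to the signature aggregate is limited."""
    return ipaddress.ip_address(dst) in ipaddress.ip_network(signature_prefix)


def demo():
    sig = congestion_signature(DROP_SET, w_in=1_200_000, w_out=1_000_000,
                               d_percent=10, table=ROUTING_TABLE)
    calm = congestion_signature(DROP_SET, w_in=1_050_000, w_out=1_000_000,
                                d_percent=10, table=ROUTING_TABLE)
    return {"signature": sig, "not_congested": calm,
            "limit_10.1.5.7": matches_signature("10.1.5.7", sig[0]),
            "pass_10.1.9.2": matches_signature("10.1.9.2", sig[0])}


if __name__ == "__main__":
    print(demo())
```

Seven of the ten sampled drops fall under 10.1.5.0/24, so that prefix becomes the signature and only traffic to it is rate-limited; the two drops under 10.1.0.0/16 and the one under the default route are collateral and not limited, which is the point of limiting an aggregate rather than the whole link.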

123 Anti-Spoofing 0 Address spoofing: the correctness of the source address is not verified 0 DDoS attacks often involve packets with spoofed or faked source addresses to disguise the identity of the attacking systems 0 IPsec 0 Authenticate the address with cryptographic hash functions and a secret key 0 Problems: 0 IPsec requires key exchange 0 Authentication consumes CPU; false authentication attempts may cause DoS 0 Filtering out forged packets 0 Ingress/egress filtering 0 Unicast reverse path forwarding: uRPF 0 Source address validity enforcement protocol: SAVE 123

124 Ingress/Egress Filtering 0 Filter the packets at the edge of the network to reduce the address space that can be used by the attacker 0 Ingress filtering 0 Block incoming packets with a source address belonging to the network 0 Block incoming packets from the public Internet with a private source address 0 Egress filtering 0 Block outgoing packets with a source IP that does not belong to the network 0 Problems: 0 Requires a lot of management 0 Decreases performance 0 Profit is mostly at the victim side; ISPs do not want to spend effort on egress filtering 0 A large number of users are directly connected to the Internet, so no egress filtering is possible for them 124

125 Unicast Reverse Path Forwarding 0 uRPF: enables a router to verify the reachability of the source address in packets being forwarded 0 Strict mode 0 Check whether the receiving interface is the one on the best path back to the source 0 Does not support asymmetric routes or multi-homing 0 Loose mode 0 Check whether the router knows any path to the source 0 Less secure; useless if there is a default route in the routing table 0 Available in several commercial routers; implementation varies 125
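Added example (not from the slides, and not a vendor implementation): the strict and loose uRPF checks above, written against a constructed forwarding table. The FIB, interface names and addresses are made up; whether the default route counts as "a path to the source" in loose mode is treated as a policy knob here (an assumption), because that choice is exactly what makes loose mode useless when a default route is present. The asymmetric-routing caveat shows up as the same strict-mode rejection that catches a spoofed packet.

```python
import ipaddress

# Constructed FIB of an edge router: prefix -> interface the router would use
# to forward traffic *towards* that prefix.
FIB = {
    "10.0.0.0/8": "eth1",      # customer A
    "192.0.2.0/24": "eth2",    # customer B
    "0.0.0.0/0": "eth0",       # default route towards the upstream
}


def best_route(src, fib):
    """Longest-prefix match on the *source* address: (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(p), ifc) for p, ifc in fib.items()
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None


def urpf_strict(src, in_if, fib):
    """Strict mode: accept only if the packet arrived on the interface the
    router would itself use to reach the source. A legitimate packet that took
    an asymmetric path fails this test exactly like a spoofed one."""
    route = best_route(src, fib)
    return route is not None and route[1] == in_if


def urpf_loose(src, fib, count_default_route=False):
    """Loose mode: accept if any route to the source exists. If the default
    route is allowed to count (assumption: a configurable choice), every
    source passes and the check no longer filters anything."""
    route = best_route(src, fib)
    if route is None:
        return False
    if route[0].prefixlen == 0 and not count_default_route:
        return False
    return True


def demo():
    no_default = {p: i for p, i in FIB.items() if p != "0.0.0.0/0"}
    return {
        # Customer A source on customer A's interface: accepted by both modes.
        "a_on_eth1_strict": urpf_strict("10.4.4.4", "eth1", FIB),
        # Same source arriving from the upstream: spoofed, or asymmetric routing.
        "a_on_eth0_strict": urpf_strict("10.4.4.4", "eth0", FIB),
        "a_on_eth0_loose": urpf_loose("10.4.4.4", FIB),
        # Source covered only by the default route.
        "inet_src_loose_nodefault": urpf_loose("198.51.100.9", FIB),
        "inet_src_loose_default": urpf_loose("198.51.100.9", FIB, count_default_route=True),
        # No route at all (FIB without default): both modes reject.
        "unrouted_strict": urpf_strict("198.51.100.9", "eth2", no_default),
        "unrouted_loose": urpf_loose("198.51.100.9", no_default, count_default_route=True),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} {'pass' if ok else 'drop'}")
```

Strict mode belongs on single-homed customer edges, where the route back to the customer really is the interface the packets arrive on; at a multi-homed edge or in the core, the a_on_eth0 case above would be dropping legitimate traffic.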

126 SAVE: Source Address Validity Enforcement 0 Source address validity enforcement protocol [INFOCOM 2002] 0 Routers build a table to specify the valid incoming interface for packets carrying a given source address 0 Routers periodically send SAVE updates towards corresponding destination address space in forwarding table 0 Handle route change faster: Routers maintain incoming tree 126

128 Traceback: Packet Insertion 0 To identify the source address and the attack path of a packet without relying on the source address information 0 Bellovin (2000): probabilistically send an ICMP traceback packet forward to the destination host of an IP packet with a low probability 0 For 1 out of 20,000 packets, routers send an ITrace message with router ID and info about original packet to the same destination 0 If a flow contains enough packets, the destination is likely to receive ITrace messages from every router on the path 128

129 Limitations 0 Limitation of Packet Insertion based Traceback 0 Router infrastructure has to be modified 0 Destination has to store original packets for later comparison with ITrace message 0 Need a large number of packets/flow 0 Long traceback time for distributed low-rate attacks 0 ITrace messages need to be authenticated, e.g. using PKI 0 Inserted ICMP packets may influence network behavior 0 ICMP traffic is often rate-limited by routers and preferentially dropped during congestion 129

130 Traceback: Packet Marking 0 Use normal (potentially attacking) packets to send path information to the destination 0 Router Stamping 0 Let packets carry IP addresses of routers they run through 0 Routers randomly decide to store their IP address in one of the reserved slots 0 Destination is able to deduce the complete path if enough packets are received 130

131 Traceback: Packet Marking 0 Edge Coding 0 Let packets carry edge information 0 The start and end address of a link between two subsequent routers plus the distance of that link to the destination 0 Edge information is compressed, fragmented, and encoded into the identification field of the IP header hard to reassemble 0 Routers randomly decide to store edge information into a passing IP packet Practical Network Support for IP Traceback, S. Savage, D. Wetherall, A. Karlin, and T. Anderson, SIGCOMM
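Added example (not from the slides or from the Savage et al. paper's code): a simulation of the edge-coding marking scheme above and of the path reconstruction the destination performs. The five routers, the victim and the marking probability are constructed; the compression of the edge into the 16-bit identification field is omitted, and the mark is kept as three plain fields (start, end, distance). Because every router that does not mark a packet increments the distance, the edge at distance d always ends where the edge at distance d-1 starts, which is what the reconstruction walks.

```python
import random

# Constructed attack path: R1 is nearest the source, R5 is adjacent to the victim V.
PATH = ["R1", "R2", "R3", "R4", "R5"]
VICTIM = "V"


def mark_packet(mark, router, p, rng):
    """Edge-sampling step run by each router. mark = {'start','end','dist'};
    packing these into the IP identification field is left out here."""
    if rng.random() < p:
        mark["start"], mark["end"], mark["dist"] = router, None, 0
    elif mark["start"] is not None:
        if mark["dist"] == 0:
            mark["end"] = router        # close the edge the previous router opened
        mark["dist"] += 1               # every later hop increments the distance
    return mark


def send_flow(n_packets, p, seed=1):
    """Sends n_packets along PATH and returns the set of (start, end, dist)
    edges the victim collects. Packets no router marked carry nothing useful."""
    rng = random.Random(seed)
    edges = set()
    for _ in range(n_packets):
        mark = {"start": None, "end": None, "dist": 0}
        for router in PATH:
            mark_packet(mark, router, p, rng)
        if mark["start"] is None:
            continue
        if mark["end"] is None:         # last router opened the edge; victim closes it
            mark["end"] = VICTIM
        edges.add((mark["start"], mark["end"], mark["dist"]))
    return edges


def reconstruct_path(edges, victim):
    """Walks outwards from the victim: the edge at distance d must end at the
    router where the edge at distance d-1 starts. Returns the routers ordered
    from nearest-the-source to nearest-the-victim."""
    by_end = {}
    for start, end, dist in edges:
        by_end.setdefault((end, dist), set()).add(start)
    path, current, dist = [], victim, 0
    while (current, dist) in by_end:
        candidates = by_end[(current, dist)]
        if len(candidates) != 1:        # an attack tree branches here; kept linear
            break
        current = next(iter(candidates))
        path.append(current)
        dist += 1
    return list(reversed(path))


if __name__ == "__main__":
    p = 0.04
    for n in (20, 200, 4000):
        print(n, "packets ->", reconstruct_path(send_flow(n, p), VICTIM))
```

Running the main block shows the "large number of packets per flow" limitation directly: with few packets some edges never get sampled and the reconstructed path stops short. The distance increment is also the defence against fake markings listed under Limitations below: a mark the attacker preloads is incremented by every real router, so it can only ever appear farther from the victim than the true path, never inside it.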

132 Limitations 0 Limitation of Packet Marking based Traceback 0 Change of existing protocol 0 Router infrastructure has to be modified 0 Incompatible with IP fragmentation if identification field is used 0 High overhead 0 Requires large number of packets per flow 0 Additional packet overhead in case of IP option fields 0 Routers have to perform complex computation to get the right marking 0 In some schemes, destination has to perform complex path reconstruction algorithm 0 Most schemes cannot cope well with distributed attacks 0 Most schemes are vulnerable to fake markings made by the attackers 132

133 Link Monitoring 0 Test if a given link carries attack traffic directed to the victim 0 Link Monitoring 0 Hop-by-hop link testing starting at the victim until sources or ingress points are found 0 Use router logging functionality: input debugging, Netflow 0 Look for packets matching the attack signature, determine the ingress interface, and continue with adjacent router 0 Network Reconfiguration 0 Temporary interruption of traffic directed to the victim 0 If the link contributes to the attack, attack traffic at the victim should stop or decline 0 Temporary flooding towards the router that is nearest to victim 0 If the link contributes to the attack, link congestion will cause more attack packets to be dropped before reaching the victim 133

134 Logging 0 Packet Logging: Trajectory Sampling 0 Apply hash-based packet filtering/sampling at routers 0 All routers select the same packets because they use the same hash function 0 Information about logged packets is periodically reported to a measurement system 0 Flow logging: 0 Log packet flows or source-destination pairs instead of single packets in order to reduce required storage 0 Average flow consists of approximately 7.75 packets 0 Memory can be reduced, or the logging period increased, by the same factor 134

135 Network Security: a tool view 0 Communication Security and Services 0 SSH, SSL/TLS, IPsec, DNSsec, 0 Filtering 0 Firewalls 0 Isolation 0 VPNs, VLANs 0 Detection and Mitigation 0 Intrusion detection 0 DDOS tools 135

136 The Threats 0 Adversary 1: some external network entity attempting to gain access to internal resources 0 Adversary 2: some internal but malicious entity trying to expose sensitive data to external services 0 Adversary 3: some internal or external entity that is preventing access to internal resource (DOS/DDoS) 136

137 Network Firewalls 0 Usually, a network firewall is installed at a point where the protected subnetwork is connected to a less trusted network 0 Firewalls realize access control on the subnetwork level 0 Firewall divides inner and outer networks within a domain: 0 DMZ: a zone between LAN and Internet; a good spot for mail, file, or Web servers 137

138 Firewalls 0 Examine traffic and make access control decisions 0 Filtering traffic based on policy determines what is (not) acceptable traffic 0 Mapping attributes to address and ports 0 Blocking invalid packets 138

139 Firewalls 0 Firewalls may perform other duties: 0 Network address translation 0 Logging (forensics, SLA) 0 Flagging (intrusion detection) 0 Authentication, encryption/decryption (VPN) 0 QoS (differentiated services) 0 Firewalls can't 0 Protect against malicious insiders 0 Protect against connections that don't go through it 0 Protect against completely new threats 0 Protect fully against viruses 139

140 Packet Filtering 0 Usually router-based 0 Cheap 0 Make decisions on per-packet basis 0 Stateless no context of connections is used 140

141 Firewall Architectures 0 Basic Architecture using one packet filtering router 0 Can be a workstation with two network interfaces and routing, filtering software or a router device 0 The Dual-Homed Host Architecture 0 A general purpose computer with two network interfaces 0 Provide proxy services to internal (and/or external) clients 141

142 Firewall Architectures 0 The Screened Host Architecture 0 Packet filter 0 Allows permitted IP traffic to flow between the screened host and the Internet 0 Blocks all direct traffic between other internal hosts and the Internet 0 Screened host 0 Provides proxy services 0 Despite partial protection by the packet filter the screened host acts as a bastion host 142

143 Firewall Architectures 0 The Screened Subnet Architecture 0 Create a perimeter between two packet filters 0 The inner packet filter 0 Serves for additional protection in case the bastion host is ever compromised 0 The Split Screened Subnet Architecture 0 Splits the perimeter network in two distinct networks 0 Provide security in depth 143

144 Packet Filtering 0 Examine packet headers, in both directions, and compare traffic attributes to known patterns 0 Source IP address and port number 0 Destination IP address and port number 0 Transport protocol type 0 Allow/block traffic according to rules (ACLs) on 0 IP source and destination addresses 0 Transport protocol number 0 TCP/UDP source and destination ports 0 Sequence number 0 Time 144

145 Stateless Packet Filtering
0 Running without state
0 Firewall rules, e.g.:
  Rule | Direction | Source Addr | Dest Addr | Type | Src Port | Dst Port | ACK | Action
  A    | incoming  | ext         |           | TCP  | 23       | *        | *   | deny
0 Per-interface rules
0 When multiple rules:
0 Rules are applied from top to bottom
0 Packets not explicitly allowed by a rule should be rejected
145

146 Firewall Rules Example
0 Ex 1: block a spammer but allow anyone else to send to the local gateway
  Rule | Direction | Source Addr | Dest Addr | Type | Src Port | Dst Port | ACK | Action
  A    | incoming  | spammer     | Mail-GW   | TCP  | *        | *        | *   | deny
       | *         | *           | Mail-GW   | TCP  | *        | 25       | *   | allow
0 Ex 2: allow all conversations with remote mail gateways
  First attempt (X, wrong: should only allow outgoing calls)
  Rule | Direction | Source Addr | Dest Addr   | Type | Src Port | Dst Port | ACK | Action
  B    | *         | *           | {int hosts} | TCP  | *        | 25       | *   | allow
  Corrected
  Rule | Direction | Source Addr | Dest Addr   | Type | Src Port | Dst Port | ACK | Action
  B    | incoming  | *           | {int hosts} | TCP  | 25       | *        | 1   | allow
       | outgoing  | {int hosts} | *           | TCP  | *        | 25       | *   | allow
146

147 Role of Packet Filters 0 Though not very useful as general-purpose firewalls, they are very efficient 0 Can be applied on high-capacity links 0 Can be used to drop connections where we don't want expensive application-level firewalls 0 E.g., point firewalls: a Web firewall only allowing in ports 80 and 443, and blocking everything else 147

148 Role of Packet Filters 0 E.g., Address filtering 0 Block internal IP addresses from coming in from outside 0 Prevent address spoofing from going out Per-interface rules on inbound services: 148

149 xlisting 0 Blacklisting: specifying specific connectivity that is explicitly disallowed 0 E.g., prevent connections from badguys.com 0 Whitelisting: specifying specific connectivity that is explicitly allowed 0 E.g., allow connections from goodguys.com 0 These are useful for IP filtering, SPAM mitigation, ... 149

150 Stateless Packet Filtering 0 Advantages 0 cheap 0 easy to implement 0 low overhead 0 Disadvantages 0 hard to setup advanced filter rules 0 hard to manage access to dynamic services 0 limited capability to support certain protocols 150

151 Insufficient to support 0 Problems with UDP 0 UDP has no notion of connection: cannot distinguish a request or reply 0 Address-spoofing is easy 0 Blocking known-dangerous ports? Permitting known-safe sources? Dynamic filtering? 0 Example: DNS 0 Determine if allowing external queries for inbound services: open resolver (DNS cache poisoning, DNS amplification/reflection, ) 0 Recursive queries: BIND 0 Put DNS to DMZ 0 Use non-firewall tools to mitigate DOS attacks: e.g., Bind Guard 151

152 Insufficient to support 0 Problem with ICMP 0 ICMP packets can be utilized for reflection attacks 0 However, it's also important to allow certain types: e.g., Path MTU response 0 A simple packet filter cannot match things up 0 Problem with RPC 0 RPC services bind to random port numbers, e.g., NIS 0 No way to know in advance which to block and which to permit 0 Authenticated RPC in NIS+ 0 Cannot use a simple packet filter 152

153 Insufficient to support 0 Problem with FTP, SIP, ... 0 Such services use a secondary channel for data transfer 0 Should maintain state 0 FTP uses active or passive modes 0 PORT mode: server connects to client 0 PASV mode: client connects to server 0 Data connection at random port numbers 0 Should not put too much restriction on port numbers 153

154 Stateful Packet Filtering 0 A single packet contains insufficient data for making an access control decision 0 E.g., TCP session establishment 0 Stateful Packet Filtering: takes historical context into consideration and can change the rules dynamically 154

155 SPF Diagram 0 Record per-connection state 0 Use a dynamic state table to maintain state information 0 Initial TCP packets in a session are remembered 0 Associate inbound packet with the state created by outbound packet 0 Packets in an existing connection will be checked against state table and update table 0 Packets in a new connection will be checked against security policy 155
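Added example (not from the slides): a Python model of both filters, covering the stateless rule evaluation of slide 146 (rules applied top to bottom, first match wins, default deny) and the state-table mechanism described above. The internal hosts, addresses, ports and rules are constructed; the Ex 2 rules are reproduced as data. The comparison shows the limit of the stateless ACK trick: an unsolicited packet from port 25 with ACK set passes the stateless rule, while the stateful filter, which only opens TCP state on an outbound SYN and matches later packets against the table, drops it and also handles a UDP query/response pair that a stateless filter cannot tell apart from unsolicited traffic.

```python
from dataclasses import dataclass

INT_HOSTS = {"192.0.2.10", "192.0.2.11"}   # constructed {int hosts}


@dataclass(frozen=True)
class Packet:
    direction: str      # "incoming" or "outgoing"
    src: str
    dst: str
    proto: str          # "TCP" or "UDP"
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    direction: str      # "*", "incoming" or "outgoing"
    src: str            # "*", "int", "ext" or an address
    dst: str
    proto: str
    sport: object       # "*" or a port
    dport: object
    ack: object         # "*", True or False
    action: str


def _addr_match(pattern, addr):
    if pattern == "int":
        return addr in INT_HOSTS
    if pattern == "ext":
        return addr not in INT_HOSTS
    return pattern in ("*", addr)


def rule_matches(rule, pkt):
    return (rule.direction in ("*", pkt.direction)
            and _addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)
            and rule.proto in ("*", pkt.proto)
            and rule.sport in ("*", pkt.sport) and rule.dport in ("*", pkt.dport)
            and rule.ack in ("*", pkt.ack))


def stateless_filter(rules, pkt):
    """Rules applied top to bottom; first match wins; default deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


# Ex 2 (corrected form): mail to anywhere, inbound only with ACK set.
EX2_RULES = [
    Rule("incoming", "*", "int", "TCP", 25, "*", True, "allow"),
    Rule("outgoing", "int", "*", "TCP", "*", 25, "*", "allow"),
]


class StatefulFilter:
    """New connections are checked against the policy; later packets of a known
    connection, in either direction, are matched against the state table."""

    def __init__(self, policy):
        self.policy = policy
        self.table = set()

    def filter(self, pkt):
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table or rev in self.table:
            return "allow"
        if pkt.proto == "TCP" and not (pkt.syn and not pkt.ack):
            return "deny"               # only a bare SYN may open TCP state
        if stateless_filter(self.policy, pkt) == "allow":
            self.table.add(fwd)
            return "allow"
        return "deny"


# Policy for the stateful filter: only outbound sessions are ever opened.
SPF_POLICY = [
    Rule("outgoing", "int", "*", "TCP", "*", 25, "*", "allow"),
    Rule("outgoing", "int", "*", "UDP", "*", 53, "*", "allow"),
]


def demo():
    out_syn = Packet("outgoing", "192.0.2.10", "203.0.113.25", "TCP", 40000, 25, syn=True)
    reply = Packet("incoming", "203.0.113.25", "192.0.2.10", "TCP", 25, 40000, syn=True, ack=True)
    probe = Packet("incoming", "203.0.113.99", "192.0.2.11", "TCP", 25, 40001, ack=True)
    dns_q = Packet("outgoing", "192.0.2.10", "203.0.113.53", "UDP", 50000, 53)
    dns_r = Packet("incoming", "203.0.113.53", "192.0.2.10", "UDP", 53, 50000)
    udp_unsolicited = Packet("incoming", "203.0.113.53", "192.0.2.11", "UDP", 53, 50001)
    spf = StatefulFilter(SPF_POLICY)
    return {
        "stateless_reply": stateless_filter(EX2_RULES, reply),
        "stateless_probe": stateless_filter(EX2_RULES, probe),   # ACK set, so allowed
        "stateful_syn": spf.filter(out_syn),
        "stateful_reply": spf.filter(reply),
        "stateful_probe": spf.filter(probe),                      # no state: denied
        "stateful_dns_query": spf.filter(dns_q),
        "stateful_dns_reply": spf.filter(dns_r),
        "stateful_udp_unsolicited": spf.filter(udp_unsolicited),
    }
```

The state table here never expires entries; a real implementation times them out and tracks TCP teardown, which is part of what makes stateful filtering more expensive.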

156 Example: Firewall Access for FTP 0 Goal: to allow a user to FTP to the FTP server (at ) from any IP address 156

157 Example: Firewall Access for FTP
0 What rules do we need?
1. Rules to allow all packets from any client to the FTP control and data ports
2. Rules to allow the FTP server to send packets back to any IP address with TCP ports >1023
  Rule | Direction | Source Addr | Dest Addr  | Type | Src Port | Dst Port | Action
  101  | incoming  | *           | FTP server | TCP  | >1023    | 21       | allow
  101  | incoming  | *           | FTP server | TCP  | >1023    | 20       | allow
  Rule | Direction | Source Addr | Dest Addr  | Type | Src Port | Dst Port | Action
  102  | outgoing  | FTP server  | *          | TCP  | 21       | >1023    | allow
  102  | outgoing  | FTP server  | *          | TCP  | 20       | >1023    | allow
157

158 Example: Firewall Access for FTP
3. In fact, we need a rule set that corresponds to FTP
  Direction | Source Addr | Dest Addr | Protocol | Source Port | Dest Port | ACK Set    | Notes
  In        | Ext         | Int       | TCP      | >1023       | 21        | No for 1st | Incoming FTP request
  Out       | Int         | Ext       | TCP      | 21          | >1023     | Yes        | Response to incoming request
  Out       | Int         | Ext       | TCP      | 20          | >1023     | No for 1st | Data channel creation for incoming FTP request, normal mode
  In        | Ext         | Int       | TCP      | >1023       | 20        | Yes        | Data channel responses for incoming FTP request, normal mode
  In        | Ext         | Int       | TCP      | >1023       | >1023     | No for 1st | Data channel creation for incoming FTP request, passive mode
  Out       | Int         | Ext       | TCP      | >1023       | >1023     | Yes        | Data channel responses for incoming FTP request, passive mode
  Out       | Int         | Ext       | TCP      | >1023       | 21        | No for 1st | Outgoing FTP request
  In        | Ext         | Int       | TCP      | 21          | >1023     | Yes        | Response to outgoing request
  In        | Ext         | Int       | TCP      | 20          | >1023     | No for 1st | Data channel creation for outgoing FTP request, normal mode
  Out       | Int         | Ext       | TCP      | >1023       | 20        | Yes        | Data channel responses for outgoing FTP request, normal mode
  Out       | Int         | Ext       | TCP      | >1023       | >1023     | No for 1st | Data channel creation for outgoing FTP request, passive mode
  In        | Ext         | Int       | TCP      | >1023       | >1023     | Yes        | Data channel responses for outgoing FTP request, passive mode
158

159 Stateful Packet Filtering 0 More powerful: can implement complex policies 0 More expensive 0 Solves problems in some protocols 0 Can handle UDP query/response 0 Can associate ICMP packets with a connection 0 State table associated with inbound traffic 0 It can solve some inbound/outbound filtering issues (FTP) 0 However, 0 It still has problems with random ports, RPC, SIP 0 It still has problems with complex semantics 159

160 Network Address Translator (NAT) 0 NAT translates private IP addresses to public IP addresses 0 Translates the source address in the IP header 0 Sometimes port numbers too: NAPT 0 For outbound packets 0 Create state table entry + translate address 0 For inbound packets 0 Look up state table entry + translate address 0 Similar to a stateful packet filter but offers more 0 However, this does not necessarily mean it's more secure 0 Creates obstacles for some protocols, e.g., FTP, SIP, ... 160

161 Moving Up the Stack 0 Security at higher layers is always a problem 0 An IP packet filter can't protect against bogus TCP data 0 A TCP-layer firewall cannot protect against bugs in SMTP 0 SMTP proxies can't protect against problems in s 0 Application-Layer Firewalls 161

162 Application Firewalls 0 Serve as relays for connections 0 Application proxies 0 Circuit gateways 162

163 Application Firewalls 0 Understand application protocols: HTTP, SMTP, Telnet, ... 0 Proxy impersonates both client and server to each other 0 Packets received and processed by the server are packets created by the proxy acting as client 0 Advantages 0 Tuned to applications: 0 Do arbitrary processing of application payloads with more context 0 Only pay the performance price for particular applications 0 Provide a high level of security 163

164 Application Firewalls 0 Understand application protocols, HTTP, SMTP, Telnet, 0 Proxy impersonates both client and server to each other 0 Packets received and processed by server 0 Packets created by client 0 Disadvantages 0 Does not protect against lower layer attacks 0 Resource intensive: per connection process 0 Complex, computationally expensive 0 Non-trivial implementation concern: new protocols need new proxy applications 164

165 Application Proxies 0 FTP Proxy: solves the problem with the PORT command: 0 Scan the FTP control channel: if a PORT command is spotted, tell the firewall to open that port temporarily for an incoming connection 0 Can do similar things with RPC (or Telnet): define filters based on RPC applications rather than port numbers 0 Web Proxy 0 Provides a performance advantage: caching 0 Can enforce site-specific filtering rules 0 proxy 0 Combines an application firewall and a packet filter 165

166 Circuit Gateways 0 Works as a proxy at the TCP layer 0 Sets up two connections, to the inside user and to the outside server, respectively 0 Screens incoming TCP/IP packets similar to a packet filter 0 Rule specifications are similar to a packet filter's 0 Determines which connections are allowed or blocked 0 However, processes them differently 0 Packets are not routed 0 Instead, a new connection is generated for each allowed connection, from the firewall to the server 166

167 Circuit Gateways 0 No application-specific semantics 0 Support more services 0 Less control over data 0 Can handle UDP 0 Most common example: SOCKS 0 Supports TCP 0 SOCKS5 also supports UDP 167

168 Circuit Gateways 0 Client programs need to be aware 0 Change applications to speak the circuit gateway protocol instead of UDP or TCP 0 Use socket-compatible circuit gateway libraries 0 For SOCKS instead of standard C library 0 Open-source development 0 Can add authentication to circuit 0 Provide low to medium level of security 168

169 Other Firewalls 0 Personal Firewalls 0 Do not rely on topology: only the host is considered inside, and everything else is outside 0 Add-on to the main protocol stack 0 Most act as packet filters 0 Some are application-linked 0 Act on port numbers, or application specific 0 Individuals/administrators set the rules 0 Easy to reject protocols based on personal preferences 0 Distributed Firewalls 0 Use IPsec to divide inside and outside 0 Insiders have a certificate to authenticate 169

170 Real-world Firewalls 0 Linux built-in: ipfw, ipchains, iptables 0 IP packet filter 0 Checkpoint Firewall 0 Stateful packet filter (market leader, expensive) 0 Cisco PIX Firewall 0 Stateful packet filter (fast, inexpensive) 0 SOCKS server: OpenSSH, PuTTY 0 Circuit-level proxy 0 Symantec Endpoint Protection firewall 170


More information

Securing BGP. Geoff Huston November 2007

Securing BGP. Geoff Huston November 2007 Securing BGP Geoff Huston November 2007 Agenda An Introduction to BGP BGP Security Questions Current Work Research Questions An Introduction to BGP Background to Internet Routing The routing architecture

More information

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II Our Narrow Focus 15-441 15-441 Computer Networking 15-641 Lecture 22 Security: DOS Peter Steenkiste Fall 2016 www.cs.cmu.edu/~prs/15-441-f16 Yes: Creating a secure channel for communication (Part I) Protecting

More information

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015 Distributed Systems 29. Firewalls Paul Krzyzanowski Rutgers University Fall 2015 2013-2015 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive data & systems not accessible Integrity:

More information

Routing Unicast routing protocols

Routing Unicast routing protocols Routing Unicast routing protocols Jens A Andersson Electrical and Information Technology R1 Choosing an Optimal Path R4 5 R7 5 10 40 R6 6 5 B R2 15 A 20 4 10 10 R8 R3 5 10 R5 1 Router A router is a type

More information

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28 Int ernet w orking Internet Security Literature: Forouzan: TCP/IP Protocol Suite : Ch 28 Internet Security Internet security is difficult Internet protocols were not originally designed for security The

More information

Your projected and optimistically projected grades should be in the grade center soon o Projected: Your current weighted score /30 * 100

Your projected and optimistically projected grades should be in the grade center soon o Projected: Your current weighted score /30 * 100 You should worry if you are below this point Your projected and optimistically projected grades should be in the grade center soon o Projected: Your current weighted score /0 * 100 o Optimistic: (Your

More information

CSCI 680: Computer & Network Security

CSCI 680: Computer & Network Security CSCI 680: Computer & Network Security Lecture 15 Prof. Adwait Nadkarni Fall 2017 Derived from slides by William Enck and Micah Sherr 1 Grading Class Participat ion and Quizzes 10% Grade Breakdown Homewo

More information

ELEC5616 COMPUTER & NETWORK SECURITY

ELEC5616 COMPUTER & NETWORK SECURITY ELEC5616 COMPUTER & NETWORK SECURITY Lecture 17: Network Protocols I IP The Internet Protocol (IP) is a stateless protocol that is used to send packets from one machine to another using 32- bit addresses

More information

IP - The Internet Protocol. Based on the slides of Dr. Jorg Liebeherr, University of Virginia

IP - The Internet Protocol. Based on the slides of Dr. Jorg Liebeherr, University of Virginia IP - The Internet Protocol Based on the slides of Dr. Jorg Liebeherr, University of Virginia Orientation IP (Internet Protocol) is a Network Layer Protocol. IP: The waist of the hourglass IP is the waist

More information

Security Issues of BGP in Complex Peering and Transit Networks

Security Issues of BGP in Complex Peering and Transit Networks Technical Report IDE-0904 Security Issues of BGP in Complex Peering and Transit Networks Presented By: Supervised By: Muhammad Adnan Khalid Qamar Nazir Olga Torstensson Master of Computer network engineering

More information

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats Internetwork Expert s CCNA Security Bootcamp Common Security Threats http:// Today s s Network Security Challenge The goal of the network is to provide high availability and easy access to data to meet

More information

Network Security. Evil ICMP, Careless TCP & Boring Security Analyses. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018

Network Security. Evil ICMP, Careless TCP & Boring Security Analyses. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018 Network Security Evil ICMP, Careless TCP & Boring Security Analyses Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018 Part I Internet Control Message Protocol (ICMP) Why ICMP No method

More information

CSc 466/566. Computer Security. 18 : Network Security Introduction

CSc 466/566. Computer Security. 18 : Network Security Introduction 1/81 CSc 466/566 Computer Security 18 : Network Security Introduction Version: 2012/05/03 13:57:28 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian Collberg

More information

Network Security. Tadayoshi Kohno

Network Security. Tadayoshi Kohno CSE 484 (Winter 2011) Network Security Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials...

More information

Lecture outline. Internet Routing Security Issues. Previous lecture: Effect of MinRouteAdver Timer. Recap of previous lecture

Lecture outline. Internet Routing Security Issues. Previous lecture: Effect of MinRouteAdver Timer. Recap of previous lecture Lecture outline Internet Routing Security Issues Z. Morley Mao Lecture 3 Jan 14, 2003 Recap of last lecture, any questions? Existing routing security mechanisms - SBGP General threats to routing protocols

More information

Network Security - ISA 656 Routing Security

Network Security - ISA 656 Routing Security What is? Network Security - ISA 656 Angelos Stavrou What is Routing Security? History of Routing Security Why So Little Work? How is it Different? Bad guys play games with routing protocols. Traffic is

More information

BGP Security. Kevin s Attic for Security Research

BGP Security. Kevin s Attic for Security Research Kevin s Attic for Security Research kevinkoo001@gmail.com Table 1. BGP Operation (1): Concept & Topology 2. BGP Operation (2): Message Exchange, Format and Path Decision Algorithm 3. Potential Attacks

More information

Flashback.. Internet design goals. Security Part One: Attacks and Countermeasures. Why did they leave it out? Security Vulnerabilities

Flashback.. Internet design goals. Security Part One: Attacks and Countermeasures. Why did they leave it out? Security Vulnerabilities Flashback.. Internet design goals Security Part One: Attacks and Countermeasures 15-441 With slides from: Debabrata Dash,Nick Feamster, Vyas Sekar 15-411: F08 security 1 1. Interconnection 2. Failure resilience

More information

Routing. Jens A Andersson Communication Systems

Routing. Jens A Andersson Communication Systems Routing Jens A Andersson Communication Systems R1 Choosing an Optimal Path R4 5 R7 5 10 40 R6 6 5 B R2 15 A 20 4 10 10 R8 R3 5 R5 10 Router A router is a type of internetworking device that passes data

More information

Our Narrow Focus Computer Networking Security Vulnerabilities. IP-level vulnerabilities

Our Narrow Focus Computer Networking Security Vulnerabilities. IP-level vulnerabilities Our Narrow Focus 15-441 15-441 Computer Networking 15-641 Lecture 22 Security: DOS Peter Steenkiste Fall 2014 www.cs.cmu.edu/~prs/15-441-f14 Yes: Creating a secure channel for communication (Part I) Protecting

More information

Configuring IP Services

Configuring IP Services This module describes how to configure optional IP services. For a complete description of the IP services commands in this chapter, refer to the Cisco IOS IP Application Services Command Reference. To

More information

HP High-End Firewalls

HP High-End Firewalls HP High-End Firewalls Attack Protection Configuration Guide Part number: 5998-2650 Software version: F1000-A-EI&F1000-S-EI: R3721 F5000: F3210 F1000-E: F3171 Firewall module: F3171 Document version: 6PW101-20120719

More information

Denial of Service. EJ Jung 11/08/10

Denial of Service. EJ Jung 11/08/10 Denial of Service EJ Jung 11/08/10 Pop Quiz 3 Write one thing you learned from today s reading Write one thing you liked about today s reading Write one thing you disliked about today s reading Announcements

More information

DoS Attacks. Network Traceback. The Ultimate Goal. The Ultimate Goal. Overview of Traceback Ideas. Easy to launch. Hard to trace.

DoS Attacks. Network Traceback. The Ultimate Goal. The Ultimate Goal. Overview of Traceback Ideas. Easy to launch. Hard to trace. DoS Attacks Network Traceback Eric Stone Easy to launch Hard to trace Zombie machines Fake header info The Ultimate Goal Stopping attacks at the source To stop an attack at its source, you need to know

More information

20-CS Cyber Defense Overview Fall, Network Basics

20-CS Cyber Defense Overview Fall, Network Basics 20-CS-5155 6055 Cyber Defense Overview Fall, 2017 Network Basics Who Are The Attackers? Hackers: do it for fun or to alert a sysadmin Criminals: do it for monetary gain Malicious insiders: ignores perimeter

More information

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing. R (2) N (5) Oral (3) Total (10) Dated Sign Experiment No: 1 Problem Definition: Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing. 1.1 Prerequisite:

More information

Steven M. Bellovin AT&T Labs Research Florham Park, NJ 07932

Steven M. Bellovin AT&T Labs Research Florham Park, NJ 07932 Steven M. Bellovin! " $#"##%& '( ) * 973-360-8656 AT&T Labs Research Florham Park, NJ 07932 Steven M. Bellovin June 13, 2003 1 What is? Bad guys play games with routing protocols. Traffic is diverted.

More information

Attack Prevention Technology White Paper

Attack Prevention Technology White Paper Attack Prevention Technology White Paper Keywords: Attack prevention, denial of service Abstract: This document introduces the common network attacks and the corresponding prevention measures, and describes

More information

Internet Protocol and Transmission Control Protocol

Internet Protocol and Transmission Control Protocol Internet Protocol and Transmission Control Protocol CMSC 414 November 13, 2017 Internet Protcol Recall: 4-bit version 4-bit hdr len 8-bit type of service 16-bit total length (bytes) 8-bit TTL 16-bit identification

More information

HP High-End Firewalls

HP High-End Firewalls HP High-End Firewalls Attack Protection Configuration Guide Part number: 5998-2630 Software version: F1000-E/Firewall module: R3166 F5000-A5: R3206 Document version: 6PW101-20120706 Legal and notice information

More information

Module: Routing Security. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Module: Routing Security. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security CMPSC443 - Introduction to Computer and Network Security Module: Routing Security Professor Patrick McDaniel Spring 2009 1 Routing 101 Network routing exists to provide hosts desirable paths from the source

More information

A Look Back at Security Problems in the TCP/IP Protocol Suite Review

A Look Back at Security Problems in the TCP/IP Protocol Suite Review A Look Back at Security Problems in the TCP/IP Protocol Suite Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka October 26, 2011 1 Introduction to the topic and the reason

More information

Configuring BGP. Cisco s BGP Implementation

Configuring BGP. Cisco s BGP Implementation Configuring BGP This chapter describes how to configure Border Gateway Protocol (BGP). For a complete description of the BGP commands in this chapter, refer to the BGP s chapter of the Network Protocols

More information

Routing Security* CSE598K/CSE545 - Advanced Network Security Prof. McDaniel - Spring * Thanks to Steve Bellovin for slide source material.

Routing Security* CSE598K/CSE545 - Advanced Network Security Prof. McDaniel - Spring * Thanks to Steve Bellovin for slide source material. Routing Security* CSE598K/CSE545 - Advanced Network Security Prof. McDaniel - Spring 2008 * Thanks to Steve Bellovin for slide source material. 1 Routing 101 Network routing exists to provide hosts desirable

More information

Routing Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security

Routing Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security Routing Security DDoS and Route Hijacks Merike Kaeo CEO, Double Shot Security merike@doubleshotsecurity.com DISCUSSION POINTS Understanding The Growing Complexity DDoS Attack Trends Packet Filters and

More information

CS670: Network security

CS670: Network security Cristina Nita-Rotaru CS670: Network security ARP, TCP 1: Background on network protocols OSI/ISO Model Application Presentation Session Transport Network Data Link Physical Layer Application Presentation

More information

J. A. Drew Hamilton, Jr., Ph.D. Director, Information Assurance Laboratory and Associate Professor Computer Science & Software Engineering

J. A. Drew Hamilton, Jr., Ph.D. Director, Information Assurance Laboratory and Associate Professor Computer Science & Software Engineering Auburn Information Assurance Laboratory J. A. Drew Hamilton, Jr., Ph.D. Director, Information Assurance Laboratory and Associate Professor Computer Science & Software Engineering 107 Dunstan Hall Auburn

More information

Computer Networks. Wenzhong Li. Nanjing University

Computer Networks. Wenzhong Li. Nanjing University Computer Networks Wenzhong Li Nanjing University 1 Chapter 7. Network Security Network Attacks Cryptographic Technologies Message Integrity and Authentication Key Distribution Firewalls Transport Layer

More information

Chapter 2 - Part 1. The TCP/IP Protocol: The Language of the Internet

Chapter 2 - Part 1. The TCP/IP Protocol: The Language of the Internet Chapter 2 - Part 1 The TCP/IP Protocol: The Language of the Internet Protocols A protocol is a language or set of rules that two or more computers use to communicate 2 Protocol Analogy: Phone Call Parties

More information

Topics for This Week

Topics for This Week Topics for This Week Routing Protocols in the Internet OSPF, BGP More on IP Fragmentation and Reassembly ICMP Readings Sections 5.6.4-5.6.5 1 Hierarchical Routing aggregate routers into regions, autonomous

More information

Internet Infrastructure

Internet Infrastructure Internet Infrastructure Internet Infrastructure Local and inter-domain routing TCP/IP for routing and messaging BGP for routing announcements Domain Name System Find IP address from symbolic name (www.cc.gatech.edu)

More information

Configuring Advanced BGP

Configuring Advanced BGP CHAPTER 6 This chapter describes how to configure advanced features of the Border Gateway Protocol (BGP) on the Cisco NX-OS switch. This chapter includes the following sections: Information About Advanced

More information

TCP Overview Revisited Computer Networking. Queuing Disciplines. Packet Drop Dimensions. Typical Internet Queuing. FIFO + Drop-tail Problems

TCP Overview Revisited Computer Networking. Queuing Disciplines. Packet Drop Dimensions. Typical Internet Queuing. FIFO + Drop-tail Problems TCP Overview Revisited TCP modern loss recovery 15-441 Computer Networking Other Transport Issues, Attacks and Security Threats, Firewalls TCP options TCP interactions TCP modeling Workload changes TCP

More information

Chapter 13 Configuring BGP4

Chapter 13 Configuring BGP4 Chapter 13 Configuring BGP4 This chapter provides details on how to configure Border Gateway Protocol version 4 (BGP4) on HP products using the CLI and the Web management interface. BGP4 is supported on

More information

Network Protocols. Routing. TDC375 Autumn 03/04 John Kristoff - DePaul University 1

Network Protocols. Routing. TDC375 Autumn 03/04 John Kristoff - DePaul University 1 Network Protocols Routing TDC375 Autumn 03/04 John Kristoff - DePaul University 1 IPv4 unicast routing All Internet hosts perform basic routing for local net destinations, forward to local host for non-local

More information

Basic Idea. Routing. Example. Routing by the Network

Basic Idea. Routing. Example. Routing by the Network Basic Idea Routing Routing table at each router/gateway When IP packet comes, destination address checked with routing table to find next hop address Questions: Route by host or by network? Routing table:

More information

NETWORK SECURITY. Ch. 3: Network Attacks

NETWORK SECURITY. Ch. 3: Network Attacks NETWORK SECURITY Ch. 3: Network Attacks Contents 3.1 Network Vulnerabilities 3.1.1 Media-Based 3.1.2 Network Device 3.2 Categories of Attacks 3.3 Methods of Network Attacks 03 NETWORK ATTACKS 2 3.1 Network

More information

Module 6 Implementing BGP

Module 6 Implementing BGP Module 6 Implementing BGP Lesson 1 Explaining BGP Concepts and Terminology BGP Border Gateway Protocol Using BGP to Connect to the Internet If only one ISP, do not need BGP. If multiple ISPs, use BGP,

More information

On the State of the Inter-domain and Intra-domain Routing Security

On the State of the Inter-domain and Intra-domain Routing Security On the State of the Inter-domain and Intra-domain Routing Security Mingwei Zhang April 19, 2016 Mingwei Zhang Internet Routing Security 1 / 54 Section Internet Routing Security Background Internet Routing

More information

Routing by the Network

Routing by the Network Routing Basic Idea Routing table at each router/gateway When IP packet comes, destination address checked with routing table to find next hop address Questions: Route by host or by network? Routing table:

More information

Unit 3: Dynamic Routing

Unit 3: Dynamic Routing Unit 3: Dynamic Routing Basic Routing The term routing refers to taking a packet from one device and sending it through the network to another device on a different network. Routers don t really care about

More information

Internet inter-as routing: BGP

Internet inter-as routing: BGP Internet inter-as routing: BGP BGP (Border Gateway Protocol): the de facto standard BGP provides each AS a means to: 1. Obtain subnet reachability information from neighboring ASs. 2. Propagate the reachability

More information

CIS 5373 Systems Security

CIS 5373 Systems Security CIS 5373 Systems Security Topic 4.1: Network Security Basics Endadul Hoque Slide Acknowledgment Contents are based on slides from Cristina Nita-Rotaru (Northeastern) 2 Network Security INTRODUCTION 3 What

More information

Network Layer: Routing

Network Layer: Routing Network Layer: Routing The Problem A B R 1 R 2 R 4 R 3 Goal: for each destination, compute next hop 1 Lecture 9 2 Basic Assumptions Trivial solution: Flooding Dynamic environment: links and routers unreliable:

More information

Routing and router security in an operator environment

Routing and router security in an operator environment DD2495 p4 2011 Routing and router security in an operator environment Olof Hagsand KTH CSC 1 Router lab objectives A network operator (eg ISP) needs to secure itself, its customers and its neighbors from

More information

Denial of Service and Distributed Denial of Service Attacks

Denial of Service and Distributed Denial of Service Attacks Denial of Service and Distributed Denial of Service Attacks Objectives: 1. To understand denial of service and distributed denial of service. 2. To take a glance about DoS techniques. Distributed denial

More information

Introduction to IPv6. IPv6 addresses

Introduction to IPv6. IPv6 addresses Introduction to IPv6 (Chapter 4 in Huitema) IPv6,Mobility-1 IPv6 addresses 128 bits long Written as eight 16-bit integers separated with colons E.g. 1080:0000:0000:0000:0000:0008:200C:417A = 1080::8:800:200C:417A

More information

A Review on ICMPv6 Vulnerabilities and its Mitigation Techniques: Classification and Art

A Review on ICMPv6 Vulnerabilities and its Mitigation Techniques: Classification and Art 2015 IEEE 2015 International Conference on Computer, Communication, and Control Technology (I4CT 2015), April 21-23 in Imperial Kuching Hotel, Kuching, Sarawak, Malaysia A Review on ICMPv6 Vulnerabilities

More information

Networking: Network layer

Networking: Network layer control Networking: Network layer Comp Sci 3600 Security Outline control 1 2 control 3 4 5 Network layer control Outline control 1 2 control 3 4 5 Network layer purpose: control Role of the network layer

More information

Configuring Flood Protection

Configuring Flood Protection Configuring Flood Protection NOTE: Control Plane flood protection is located on the Firewall Settings > Advanced Settings page. TIP: You must click Accept to activate any settings you select. The Firewall

More information

CSE Computer Security

CSE Computer Security CSE 543 - Computer Security Lecture 19 - Network Security November 6, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ 1 Big picture Abstract Introduction Results Summary Background Problem Description/Finalized

More information

Remember Extension Headers?

Remember Extension Headers? IPv6 Security 1 Remember Extension Headers? IPv6 allows an optional Extension Header in between the IPv6 header and upper layer header Allows adding new features to IPv6 protocol without major re-engineering

More information

Data Plane Protection. The googles they do nothing.

Data Plane Protection. The googles they do nothing. Data Plane Protection The googles they do nothing. Types of DoS Single Source. Multiple Sources. Reflection attacks, DoS and DDoS. Spoofed addressing. Can be, ICMP (smurf, POD), SYN, Application attacks.

More information

Announcements. CS 5565 Network Architecture and Protocols. Project 2B. Project 2B. Project 2B: Under the hood. Routing Algorithms

Announcements. CS 5565 Network Architecture and Protocols. Project 2B. Project 2B. Project 2B: Under the hood. Routing Algorithms Announcements CS 5565 Network Architecture and Protocols Lecture 20 Godmar Back Project 2B due in 2 parts: Apr 29 and May 6 Extra Credit Opportunities: Expand simulator (and your implementation) to introduce

More information

Connecting to a Service Provider Using External BGP

Connecting to a Service Provider Using External BGP Connecting to a Service Provider Using External BGP First Published: May 2, 2005 Last Updated: August 21, 2007 This module describes configuration tasks that will enable your Border Gateway Protocol (BGP)

More information

EEC-684/584 Computer Networks

EEC-684/584 Computer Networks EEC-684/584 Computer Networks Lecture 14 wenbing@ieee.org (Lecture nodes are based on materials supplied by Dr. Louise Moser at UCSB and Prentice-Hall) Outline 2 Review of last lecture Internetworking

More information

Distributed Denial of Service (DDoS)

Distributed Denial of Service (DDoS) Distributed Denial of Service (DDoS) Defending against Flooding-Based DDoS Attacks: A Tutorial Rocky K. C. Chang Presented by Adwait Belsare (adwait@wpi.edu) Suvesh Pratapa (suveshp@wpi.edu) Modified by

More information

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018 CSE 565 Computer Security Fall 2018 Lecture 20: Intrusion Prevention Department of Computer Science and Engineering University at Buffalo 1 Lecture Overview Firewalls purpose types locations Network perimeter

More information

Securing BGP Networks using Consistent Check Algorithm

Securing BGP Networks using Consistent Check Algorithm Securing BGP Networks using Consistent Check Algorithm C. K. Man, K.Y. Wong, and K. H. Yeung Abstract The Border Gateway Protocol (BGP) is the critical routing protocol in the Internet infrastructure.

More information

Introduction. Keith Barker, CCIE #6783. YouTube - Keith6783.

Introduction. Keith Barker, CCIE #6783. YouTube - Keith6783. Understanding, Implementing and troubleshooting BGP 01 Introduction http:// Instructor Introduction Keith Barker, CCIE #6783 CCIE Routing and Switching 2001 CCIE Security 2003 kbarker@ine.com YouTube -

More information

CSC 4900 Computer Networks: Routing Protocols

CSC 4900 Computer Networks: Routing Protocols CSC 4900 Computer Networks: Routing Protocols Professor Henry Carter Fall 2017 Last Time Link State (LS) versus Distance Vector (DV) algorithms: What are some of the differences? What is an AS? Why do

More information

ETSF05/ETSF10 Internet Protocols Network Layer Protocols

ETSF05/ETSF10 Internet Protocols Network Layer Protocols ETSF05/ETSF10 Internet Protocols Network Layer Protocols 2016 Jens Andersson Agenda Internetworking IPv4/IPv6 Framentation/Reassembly ICMPv4/ICMPv6 IPv4 to IPv6 transition VPN/Ipsec NAT (Network Address

More information

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking 1 Review of TCP/IP working Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path Frame Path Chapter 3 Client Host Trunk Link Server Host Panko, Corporate

More information

Configuring Unicast Reverse Path Forwarding

Configuring Unicast Reverse Path Forwarding Configuring Unicast Reverse Path Forwarding This chapter describes the Unicast Reverse Path Forwarding (Unicast RPF) feature. The Unicast RPF feature helps to mitigate problems that are caused by malformed

More information

Operation Manual IPv4 Routing H3C S3610&S5510 Series Ethernet Switches. Table of Contents

Operation Manual IPv4 Routing H3C S3610&S5510 Series Ethernet Switches. Table of Contents Table of Contents Table of Contents Chapter 1 Static Routing Configuration... 1-1 1.1 Introduction... 1-1 1.1.1 Static Route... 1-1 1.1.2 Default Route... 1-1 1.1.3 Application Environment of Static Routing...

More information

On Distributed Communications, Rand Report RM-3420-PR, Paul Baran, August 1964

On Distributed Communications, Rand Report RM-3420-PR, Paul Baran, August 1964 The requirements for a future all-digital-data distributed network which provides common user service for a wide range of users having different requirements is considered. The use of a standard format

More information

Network Security. Chapter 0. Attacks and Attack Detection

Network Security. Chapter 0. Attacks and Attack Detection Network Security Chapter 0 Attacks and Attack Detection 1 Attacks and Attack Detection Have you ever been attacked (in the IT security sense)? What kind of attacks do you know? 2 What can happen? Part

More information

CSC Network Security

CSC Network Security CSC 474 -- Security Topic 9. Firewalls CSC 474 Dr. Peng Ning 1 Outline Overview of Firewalls Filtering Firewalls Proxy Servers CSC 474 Dr. Peng Ning 2 Overview of Firewalls CSC 474 Dr. Peng Ning 3 1 Internet

More information

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005 Firewalls Lecture 33 Security April 15, 2005 Idea: separate local network from the Internet Trusted hosts and networks Intranet Firewall DMZ Router Demilitarized Zone: publicly accessible servers and networks

More information

Chapter 09 Network Protocols

Chapter 09 Network Protocols Chapter 09 Network Protocols Copyright 2011, Dr. Dharma P. Agrawal and Dr. Qing-An Zeng. All rights reserved. 1 Outline Protocol: Set of defined rules to allow communication between entities Open Systems

More information

BGP Commands. Network Protocols Command Reference, Part 1 P1R-355

BGP Commands. Network Protocols Command Reference, Part 1 P1R-355 BGP Commands Use the commands in this chapter to configure and monitor Border Gateway Protocol (BGP). For BGP configuration information and examples, refer to the Configuring BGP chapter of the Network

More information

Networking interview questions

Networking interview questions Networking interview questions What is LAN? LAN is a computer network that spans a relatively small area. Most LANs are confined to a single building or group of buildings. However, one LAN can be connected

More information

Configuring NAT for IP Address Conservation

Configuring NAT for IP Address Conservation This module describes how to configure Network Address Translation (NAT) for IP address conservation and how to configure inside and outside source addresses. This module also provides information about

More information