Applied IT Security. System Security. Dr. Stephan Spitz 6 Firewalls & IDS. Applied IT Security, Dr.

Transcription

1 Applied IT Security System Security Dr. Stephan Spitz

2 Overview & Basics System Security Network Protocols and the Internet Operating Systems and Applications Operating System Security Security Threats on Networks Firewalls and Intrusion Detection Systems Applied Cryptography Device Security Public Key Infrastructures Authentication Protocols Encryption and digital Signatures in topical Applications Smart Cards, Secure µprocessors and Crypto Libraries Security Certification The Future of IT Security

3 Overview & Basics System Security Network Protocols and the Internet Operating Systems and Applications Operating System Security Security Threats on Networks Today Firewalls and Intrusion Detection Systems Applied Cryptography Device Security Public Key Infrastructures Authentication Protocols Encryption and digital Signatures in topical Applications Smart Cards, Secure µprocessors and Crypto Libraries Security Certification The Future of IT Security

4 Overview Firewalls and IDS Firewall Appliance Concepts and Limitations Integration in Networks Overview Firewall Products Firewall Components Static and dynamic IP Filtering TCP-/UDP-Relays and Socks Application Gateways and Proxies Address Translation (NAT and IGD) Intrusion Dedection Systems IDS / IPS Functionality IDS Integration with Firewalls

5 Firewall Concepts Simplest Concept: Single FW with IP-Filter and Proxy for certain application protocols IP-Filter checks the IP packets i.e. : - Type of packet (TCP, UDP, ICMP, ) - IP address of sender and receiver - Port number (TCP, UDP) of sender and receiver - Flags in the TCP header Proxy checks the data on application level (mail, WWW, etc.)

6 Firewall Limitations Firewalls can also have security holes in their OS A misconfiguration of the Firewall is not unlikely Proxy: Especially application level protocols are complex and sometimes have security holes Attacks do not necessarily come from the Internet, also internal users can be responsible for attacks Only one Firewall is a single point of failure

7 Firewall Integration (1) LAN INTERNET CheckPoint FireWall-1 Cisco PIX WWW-Server SMTP-Server Demilitarized Zone (DMZ)

8 Firewall Integration (2) LAN Intersystem NET (max. 14 IPs) Transfer NET (max. 14 IPs) INTERNET IP \28 IP \28 NIC 4 NIC 1 IP NIC 1 NIC 1 IP NIC 3 IP NIC 2 NIC 2 Router 2 IP NIC 2 IP IP IP FW Router 1 DMZ (max. 6 IPs) IP \29 FW Mgmt IP WWW-Server SMTP-Server IP IP

9 Firewall Products Firewall Type Advantages/Disadvantages CheckPoint FireWall-1 Cisco PIX + Unix software FW with a lot of features (communication between several FWs, VPN & PKI integration, Attachment Modules) - Complex configuration + High-end Hardware-FW with the well known PIX configuration syntax - Support of less functionality than FireWall-1 Cisco Hardware Router + Cisco Routers can be configured as IP filter with the PIX syntax - Only filter functionality, no application gateway Harded Linux + The Linux kernel can be configured as IP filter with the tool ipfwadm + cheap, simple FW - Only filter functionality, no application gateway

10 Static IP Filtering ACL Outgoing e.g. FastEthernet 0/1 ACL Incoming e.g. FastEthernet 0/0 INTERNET e.g. internal mailserver IP Firewall Stateless routing via fixed incoming/outgoing ACL Static routing rules (Cisco PIX syntax): e.g. yahoo.de Router (config)# ip access-list extended outgoing Router (config)# ip access-list extended incoming Router (config-ext-nacl)# permit tcp host Router (config-ext-nacl)# permit tcp any eq SMTP host any eq SMTP gt 1023 established Router (config)# interface FastEthernet 0/1 Router (config)# interface FastEthernet 0/0 Router (config-if)# ip access-group outgoing in Router (config-if)# ip access-group incoming in Fragmentation Attacks are still possible with static filtering

11 Dynamic IP Filtering Statelful routing via one reflexive ACL and a dynamic adapted table Example Dynamic routing rule (Cisco PIX syntax): Router (config)# ip access-list extended outgoing Router (config)# permit tcp host eq 25 evaluate mailtraffic Router (config-ext-nacl)# ip access-list extended incoming Router (config)# permit tcp any any reflect mailtraffic A Temporary table is created containing the following information: ID protocol Source IP Source Port Dest. IP Dest. Port 1 TCP Problem: How long should the table information be stored i.e. timeout value (connection loss v.s. application)?

12 Advantages of Dynamic IP Filtering Only one filter rule per connection is necessary, extra rule for response packet is not necessary Response packets are only accepted on the specified source port, no port filtering necessary (RPCs!) Response packets are only accepted during an active connection, later the packets are discarded (FIN flag in TCP signals con. end) After a configured timeout the filter rule is removed from the temporary table But FTP/RPC problem (flexible port definition inside protocol)

13 Stateful Inspection IP filtering does not address the problem of data analysis on application level which is necessary, because a special port for the answer is specified on application level e.g. RPC calls as used in SUN s NFS (Network File System) a port for data is negotiated over the control flow port of the FTP protocol on application level Statful Inspection means to look deeper in the traffic to make additional decisions based on the application-level information e.g. knowledge of the portmapper protocol for RPCs Statful Inspection opens smaller "holes" through which traffic can pass e.g. instead of permitting any program to send TCP traffic on port 80, it is ensured that packets belong to an existing HTTP session.

14 TCP-/UDP Relays and Socks Relays/Socks are little server programs listening on a certain port and opening a connection to a predefined target computer on demand Computer X Relay Computer with fixed forwarding table Target Computer INTERNET Typical application: Domain Name replication from an internal to an external Name Server Still no security on application level, only network security is addressed

15 Application Gateways / Proxies Application Gateways/Proxies process data on application level independently of IP packets HTTP Request HTTP Request INTERNET Computer X HTTP Response Internet Proxy HTTP Response Complete division of both sides of the network i.e. the proxy has to emulate the communication protocol (HTTP, SMTP, RPC, etc.) Many proxies can additionally cache data, e.g. WWW pages for performance reasons Proxies need in many cases a user authentification

16 Network Adress Translation (NAT) Internet proxy translates the IP addresses static or dynamic: internal IP + (port) internet IP INTERNET Computer X with internal IP Internet Proxy with real Internet IP Internal IPs (which are not routed in the Internet RFC 1918): (10/8) (172.16/12) ( /16)

17 IDS Functionality How can an attack be identified by an Intrusion Detection System: Log file analysis (host based IDS) Network traffic analysis (network based IDS) Network traffic analysis in a segment based on certain statically configured constraints (static IDS) Certain attacks (Ping-of-Death, SYN-Flood, etc.) can be identified by their unique network fingerprint Another possibility is the detection of exceptions to the normal network traffic with heuristic anaylsis over a (long) period of time An IDS tries to hijack unwished network transit like a hacker (IP Spoofing, Sequence Number Guessing) to find out more information An IDS can cause a significant impact on the network performance

18 Structure of an IDS (Example Snort) Snort tries to detect an attack with pattern matching i.e. certain attack patterns are stored in a database e.g. ICMP portscan Snort analyses packets according to sender and receiver IPs, source and destination ports, TCP flags and analysis of the payload (string matching) Snort reports an attack via syslog, SMB messages or Unix sockets An attack is traced in log files or in a SQL database; the ACID or SnortSnarf PlugIns provide a Graphical User Interface An IDS can malfunction in two directions: false positives and false negatives

19 IDS and Firewall Integration (1) LAN INTERNET Firewall 1 Firewall 2 Intrusion Detection System 1 Internal network protection e.g. viruses and worms Intrusion Detection System 2 Detection of external attacks

20 IDS and Firewall Integration (2) An IDS traces the complete progress of an attack, unlike a FW An IDS can try to find out more information about the attacker than the FW and try to apply countermeasures An IDS can act inside the LAN whereas a FW acts only on segment borders An IDS can support a FW with extra logging information Certain IDS act very close with a FW and can even change the FW configuration higher flexibility regarding application protocols Example: RealSecure/IIS is designed to protect and interact with CheckPoint s FireWall-1