Computer Network Lab 2017 Fachgebiet Technische Informatik, Joachim Zumbrägel Overview Security Type of attacks Firewalls Protocols Packet filter 1
Security Security means, protect information (during and after processing) against impairment and loss of confidentiality, integrity and availability. Given by: increasing of availability and storage strategies: Backup, Redundant Systems, Raid-Systems protection against unauthorized access: Firewalls, encryption algorithm, etc. Security requirements Confidentiality protects confidential information against unintended access. Integrity guarantees that the data are authentic and undamaged. Availability ensures that authorized persons are able to access data and communication services at every time. 2
CIA Triad Threats Active attacks Intrusion of unauthorized persons Impairment and disturbance of networking Data modification Passive Attacks Password listening Data listening Network traffic analysis 3
Aggresssor Who is aggressive Competitors Hacker/Cracker (Beginners, Professional) Professional Hacker (industrial espionage) Colleagues (approx. 70% of all attacks come from Colleagues) NSA Examples By use of so called trojans, hackers got access to passwords of Microsoft employees. So the hackers were able to stole the newest source code release of a Microsoft operation system. Yahoo was a victim of a Denial-Of-Service Attack. The Website of yahoo was more than 3 hours not available. Sony Corp. said hackers may have gained access to personal information (like name, address, country, e- mail address, birthdate, etc.) on the 75 million users of its PlayStation Network. 4
Kind of attacks Password attack Data attack Malicious Code Scanner Spoofing DOS-Attack Password attacks 3 Methods Guess on base of known or speculated user accounts (names). Brute force attack on a password file by use of special applications, i.e. Crack. Listening on connections in order to find out user names and their passwords. 5
Data attack by sniffers Data attack are done by use of so called sniffers. Sniffer respectively network monitoring tools are applications which are originally used in order to monitor and analyse network traffic. Well known tool = WIRESHARK Promiscous mode Usually a computer receives via its network interface card only these packages which are destined for itself. But it is possible to get access to all traffic. This could be done when the network interface card is running in a special mode, the promiscuous mode. Extremely dangerous: A sniffer is installed on a central machine which is accessed by many clients 6
Malicious Code Malicious Code is unauthorized code (could be in a legal application) doing jobs which are unknown by the user and usually undesired. Examples: Viruses Trojan horses Worms Scanner Scanner are security tools which are originally used in order to find out some weak points of a system. There are system scanner and network scanner. System scanner: scans its local host in order to find out security gaps or configuration problems. Network scanner: scans computer connected to a network. They check services and ports und deliver therefore information about possible security gaps. 7
Spoofing Spoofing is used in order to outwit authentication and identification mechanism which are basing on trustworthy addresses and/or hostnames. a distinction is drawn between: IP-Spoofing denotes the corruption of the sender-ip address. DNS-Spoofing means the corruption of entries in DNS-servers. Dos-Attacks DOS = Denial of Service. Most common attack (simple and fast). Goal is to knock out the attacked system or at least to interfere the access for valid users. Not easy to intercept. Next step: DDOS = Distributed Denial of Service: Several machines start an attack at the same time. Example: TCP-SYN Flooding, PING, MAIL-Bombing 8
Firewall Basics A Firewall is a hurdle between to nets which must be cleared in order to allow communication from one net to the other. Each communication between the nets must be done over the firewall. Internet private, local net Firewall Firewall definition A firewall consists of one or more hard- and software components. A firewall connects two networks in a way that all traffic between the networks must pass the firewall. A Firewall implements a security strategy, which realises access restrictions and if required attack recording. A Firewall let only pass those data packages which fulfil the security strategy. 9
What a firewall can do Restriction of traffic between two networks. Access only to special machines or services. Network monitoring and recording => protocols. Manipulation of network traffic by use of special (i.e. traffic limitation, IP-Address replacement, etc.). What a firewall can t do Closing security gaps directly. Correction of configuration or installation mistakes. Find out viruses or Trojans. Making a network totally secure. 10
Firewall-concepts Packet filter Filtering on network layer (IP-Addresses and Ports). Proxy-Gateways Circuit Level Gateway Filtering on transport layer. Application Level Gateway Filtering on application level (protocol dependent). Graphical Firewall All internet applications running outside of the protected network. Only graphical information are delivered Proxy-Gateway Proxy=lock keeper A Proxy firewall act as a server for the client and as a client for the server. HTTP Gateway FTP Gateway Internet private, local Net Firewall with application dependent Proxy-Services 11
Proxy Gateway Offers application specific services for clients. Control and observe functions for a specific application. Example: Avoid that a client uses ftp in order to transfer data in (via put command) to an external ftp-server. Access to special HTTP-Sites is forbidden In opposite to packet filters the connection is really interrupted. IP-Addresses of the internal net are invisible. Protocols Application HTTP FTP SMTP DNS SNMP RIP Transport TCP UDP Internet IP Phys. Network Ethernet Token-Ring ATM 12
IP It carries the transport protocols TCP and UDP. It builds IP-Packages out of the data which have to be transmitted. It adds additional information, the IP-Header. It contains source and destination address. TCP TCP (Transmission Control Protocol) confirms every received data package. TCP repeats each data package until its receiving is confirmed. TCP is reliable 32 BIT 13
Port communication TCP/IP operates by IP-Addresses and Ports each IP-Adresse has 2 16 potential ports The ports below 1024 are standardized (standard ports), which are allocated to dedicated services, i.e.: 23 telnet 25 smtp 80 http 443 https 23 25 80 443....... 30000. Packet filter Filtering of Data packages: Sender/Destination IP-Addresses Sender/ Destination -Ports (Services) Protocols (TCP,UDP, ICMP) Separate Filtering of incoming Packages (INPUT) und outgoing Packages (OUTPUT). Different rules for Input-Filter and Output-Filter. List of rules are so called chains. A package is checked by one rule after the other until either one rule matches or the end of list is reached. 14
Packet filter (Policies) Every chain has a default setting for package treatment, the so called policies. The policies come into play after a data package were checked by all rules of a chain. If no rule matches the default policy applies. There are two different strategies: Deny every package. Only well defined kind of packages are allowed. (Better). Allow every package. Only well defined kind of packages are forbidden. Packet filter (Reject, Drop) Packet filters have two different methods to handle a non accepted package. Reject: The Package will be deleted and an ICMP-Error message is delivered to the sender. Drop: The Package will be deleted. Drop is the better choice, because: less traffic, the package could be part of a attack, even an error message could be an useful information for an aggressor. 15
Filtering incoming packets Filtering according to Sender- IP There a some groups of IP-Addresses which could be generally dropped. For example: IP-Addresses of the own Subnet, etc. Filtering according to Destination-IP Only packages addressing the own network are accepted. Filtering according sender/destination Port We have to distinguish between requests of external clients to our own servers and incoming answers of external servers destined for local clients. Stateful filtering Stateful Filtering means the capability to store the state and contextual information of a TCP connection. =>Dynamic packet filter analyse the state of an TCP- Connection. Connection request of client: SYN Acknowledgement of server: ACK-SYN Acknowledgement of client: ACK Further transfer (from both sides): ACK Packages (containing a ACK-Flag) from outside to inside are only accepted if a package from inside to outside (containing a SYN-Flag) was sent before. 16
Iptables Iptables (Packet filter under Linux) Three Chains: INPUT, OUTPUT, FORWARD. Routing decides if a package is delivered to the INPUT-Chain or to the FORWARD-Chain. Input vs. Forward Chain Packages for the machine itself are checked at first by the INPUT-Chain. If the INPUT Chain accepts the packages it reaches the actual machine. Packets for foreign machines (in our local protected net) are running through the FORWARD-Chain. If the packages is accepted it is delivered to the appropriated network interface. 17
Chains and routing Routing Forward- Chain Drop Input- Chain Local Processes Output- Chain Drop Drop IP Tables some commands Delete rules iptables --flush Drop all packages iptables policy INPUT DROP iptables policy OUTPUT DROP iptables policy FORWARD DROP Reject incoming packages coming from the IP-Address of our own external interface iptables A input i eth0 s <myipadress> -j DROP 18
Our netlab firewall Server N incoming eth 0 eth 1 outgoing Switch N outgoing incoming Internet Firewall Client N How can I protect my own PC Deactivate all services which are not required. Deinstall all programs which are not permanently used. Deinstall all programs with well known security gaps. (even when you need them). Inform yourself about security gaps and use updates. Install a virus scanner (Freeware: AntiVir). Install ore use your personal firewall 19