Identity-based firewalling

Similar documents
CYBER ATTACKS EXPLAINED: PACKET SPOOFING

Firewalls. Firewall. means of protecting a local system or network of systems from network-based security threats creates a perimeter of defense

Chapter 8 roadmap. Network Security

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways

Computer Security and Privacy

Firewalls and NAT. Firewalls. firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others.

NETWORK SECURITY. Ch. 3: Network Attacks

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

How to Configure Authentication and Access Control (AAA)

Meeting 39. Guest Speaker Dr. Williams CEH Networking

Switched environments security... A fairy tale.

User Role Firewall Policy

CIT 380: Securing Computer Systems. Network Security Concepts

CSC 474/574 Information Systems Security

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

HikCentral V1.3 for Windows Hardening Guide

What is a firewall? Firewall and IDS/IPS. Firewall design. Ingress vs. Egress firewall. The security index

Firewall and IDS/IPS. What is a firewall?

Definition of firewall

Hands-On TCP/IP Networking

Introduction to Firewalls using IPTables

Module: Firewalls. Professor Patrick McDaniel Fall CSE543 - Introduction to Computer and Network Security

Chapter Three test. CompTIA Security+ SYO-401: Read each question carefully and select the best answer by circling it.

Gigabit SSL VPN Security Router

Fundamentals of Network Security v1.1 Scope and Sequence

NETGEAR-FVX Relation. Fabrizio Celli;Fabio Papacchini;Andrea Gozzi

Introduction p. 1 The Need for Security p. 2 Public Network Threats p. 2 Private Network Threats p. 4 The Role of Routers p. 5 Other Security Devices

Realms and Identity Policies

Stateless Firewall Implementation

CSC 4900 Computer Networks: Security Protocols (2)

20-CS Cyber Defense Overview Fall, Network Basics

Unit 4: Firewalls (I)

DPtech IPS2000 Series Intrusion Prevention System User Configuration Guide v1.0

CyberP3i Course Module Series

Defending Yourself Against The Wily Wireless Hacker

PracticeDump. Free Practice Dumps - Unlimited Free Access of practice exam

SE 4C03 Winter 2005 Network Firewalls

CISNTWK-440. Chapter 4 Network Vulnerabilities and Attacks

ASA Access Control. Section 3

Firewalls. IT443 Network Security Administration Slides courtesy of Bo Sheng

Modular Policy Framework. Class Maps SECTION 4. Advanced Configuration

Network security session 9-2 Router Security. Network II

Computers Gone Rogue. Abusing Computer Accounts to Gain Control in an Active Directory Environment. Marina Simakov & Itai Grady

Network Security. Thierry Sans

A Study on Intrusion Detection Techniques in a TCP/IP Environment

UDP-based Amplification Attacks and its Mitigations

NetScaler for Apps and Desktops CNS-222; 5 Days; Instructor-led

User Identity Sources

Some of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du. Firewalls. Chester Rebeiro IIT Madras

Lecture 08: Networking services: there s no place like

Cisco Security Monitoring, Analysis and Response System 4.2

Internet Security: Firewall

Networking interview questions

Chapter 2. Switch Concepts and Configuration. Part II

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

This material is based on work supported by the National Science Foundation under Grant No

Web server Access Control Server

HikCentral V.1.1.x for Windows Hardening Guide

This release of the product includes these new features that have been added since NGFW 5.5.

Meeting 40. CEH Networking

4.1.3 Filtering. NAT: basic principle. Dynamic NAT Network Address Translation (NAT) Public IP addresses are rare

User s Manual. How to configure and use FortGuard Professional Anti-DDoS Firewall

This course prepares candidates for the CompTIA Network+ examination (2018 Objectives) N

CE Advanced Network Security

SE 4C03 Winter Final Examination Answer Key. Instructor: William M. Farmer

How to Configure Mobile VPN for Forcepoint NGFW TECHNICAL DOCUMENT

The StrideLinx Remote Access Solution comprises the StrideLinx router, web-based platform, and VPN client.

Understanding Cisco Cybersecurity Fundamentals

CSCI 680: Computer & Network Security

Cisco Next Generation Firewall Services

Computer Networks. Wenzhong Li. Nanjing University

Instructions 1. Elevation of Privilege Instructions. Draw a diagram of the system you want to threat model before you deal the cards.

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.

Implementing Firewall Technologies

SIP and VoIP What is SIP? What s a Control Channel? History of Signaling Channels

Lab Configure Basic AP security through GUI

TestOut Network Pro - English 5.0.x COURSE OUTLINE. Modified

Ken Agress, Senior Consultant PlanNet Consulting, LLC.

NGFW Security Management Center

Network Security Fundamentals

Port Mirroring in CounterACT. CounterACT Technical Note

11 aid sheets., A non-programmable calculator.

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

Host Identity Sources

High Availability Synchronization PAN-OS 5.0.3

Prerequisites CNS-220 Citrix NetScaler Essentials and Traffic Management

W is a Firewall. Internet Security: Firewall. W a Firewall can Do. firewall = wall to protect against fire propagation

Citrix NetScaler Administration Training

Firewalls. Firewall types. Packet filter. Proxy server. linux, iptables-based Windows XP s built-in router device built-ins single TCP conversation

This document contains important information about the current release. We strongly recommend that you read the entire document.

WIALAN Technologies, Inc. Unit Configuration Thursday, March 24, 2005 Version 1.1

Instructions 1 Elevation of Privilege Instructions

while the LAN interface is in the DMZ. You can control access to the WAN port using either ACLs on the upstream router, or the built-in netfilter

GE Fanuc Intelligent Platforms

Firewall Identification: Banner Grabbing

SRX als NGFW. Michel Tepper Consultant

Scanning. Course Learning Outcomes for Unit III. Reading Assignment. Unit Lesson UNIT III STUDY GUIDE

PROTECTING INFORMATION ASSETS NETWORK SECURITY

AccessEnforcer Version 4.0 Features List

A Review on ICMPv6 Vulnerabilities and its Mitigation Techniques: Classification and Art

Transcription:

Identity-based firewalling INL 15 rue Berlier 75013 Paris, France Hack.lu, Luxembourg 2008 NuFW, identity-based firewalling 1/ 34

Firewall evolution Security policy Definition The set of management statements that documents an organization s philosophy of protecting its computing and information assets, or the set of security rules enforced by the system s security features. Components of an organisation: Information assets Network resources Individuals Security enforcement point: Doors Switches, Firewalls Applications NuFW, identity-based firewalling 2/ 34

Firewall evolution New network usages What is new? Every organisation user now works on a computer Everyone gets mobile The old stronghold model Inside == good, outside == bad This doesn t work well with massive, and mobile usages Security policy bypasses come from inside too NuFW, identity-based firewalling 3/ 34

Firewall evolution What firewalls focus on NuFW, identity-based firewalling 4/ 34

Firewall evolution Something has been forgotten How firewalls view a company: NuFW, identity-based firewalling 5/ 34

Firewall evolution Something has been forgotten How security officers view a company: NuFW, identity-based firewalling 6/ 34

Motivation of identity-based filtering Identity-based packet filtering Security policy is mainly about role-based constraints on behavior of members of the organization. Security officer needs to differentiate users at the access level. Policy statements that classical firewalls can t handle A teacher and a student in the same classroom should not have the same rights on the network. Only accountants should access the telnet based application installed on a AS400. NuFW, identity-based firewalling 7/ 34

Motivation of identity-based filtering Network application pre authentication vulnerabilities Where is user authentication needed? Applications suffer from pre authentication vulnerabilities. User authentication at application level is not enough. 2007-2008 examples IIS authentication bypass a Solaris telnet bypass b Permission bypass on Oracle Application Server Portal c a http://isc.sans.org/diary.html?storyid=2915 b http://www.kb.cert.org/vuls/id/881872 c http://www.securityfocus.com/bid/29119/discuss NuFW, identity-based firewalling 8/ 34

Motivation of identity-based filtering No good existing solution All firewalls on the market bind user identities with low level elements of the OSI layer. This is formally wrong...... and practically it opens the way to many attacks or security policy bypasses. NuFW, identity-based firewalling 9/ 34

1 Introduction 2 Existing solutions 3 NuFW algorithm 4 NuFW usage 5 Conclusion NuFW, identity-based firewalling 10/ 34

Static binding Static IP/User binding The trick Static User to IP mapping Based on some belief: an IP can not be stolen Microsoft Windows IP conflict detection Subject to easy attack: Simple IP stealing Disconnect connected computer Exploit # arpspoof -t target host NuFW, identity-based firewalling 11/ 34

Static binding Static MAC/IP/User binding Another trick Static User to IP/MAC mapping Based on some strong belief: a MAC address can not be changed Subject to easy attack Mac address change Exploit # macchanger --mac=01:23:45:67:89:ab eth1 NuFW, identity-based firewalling 12/ 34

Dynamic binding Dynamic IP/User binding Yet another trick Dynamically bind user and IP Based on some strong belief: a MAC address can not be changed an IP address can not be stolen Subject to easy attack IP address change Exploit # macchanger --mac=01:23:45:67:89:ab eth1 # arpspoof -t target host NuFW, identity-based firewalling 13/ 34

Dynamic binding Dynamic user/ip binding, a dangerous "security" feature Marketing efforts to convince administrators: Identity-based rules are announced in the middle of various secure technologies Most product documentations hide limitations of used technology A dangerous gap exists Administrators use their firewall interface to design per-user rules They have no clue about firewall bindings like "User == IP" in the backend But that s how things "work"! 1 1 http://seclists.org/bugtraq/2003/jun/0218.html NuFW, identity-based firewalling 14/ 34

Dynamic binding You re doing it wrong! NuFW, identity-based firewalling 15/ 34

Dynamic binding Multiuser limitations One for all and all for one First user logged on firewall gets his rules Subsequent users from the same IP get the same rules Typical example : Kerio Wingate case Identification done at first HTTP proxy use a Valid as long as firewall receives traffic from computer Timeout is 3 hours Virtually full time for a terminal server Admin usually connects first after a reboot a http://download.kerio.com/dwn/kwf6-en.pdf NuFW, identity-based firewalling 16/ 34

Dynamic binding IP = User with NAT? Everyone behind NAT router is seen with the same IP address IP or MAC based authentication can not work All NATed computers are seen as first authenticated user A common problem: Netscreen authentication (bugtraq mailing-list) Authpf etc NuFW, identity-based firewalling 17/ 34

Dynamic binding 802.1x Method Associate switch port with user Advanced authentication mechanism Requires support on all equipments Drawback/Caveats Needs hardware that supports authentication This still assumes "one computer == one user", which is formally wrong No support for multiuser systems (Citrix, TSE, Linux,...) No fine-grained (per protocol, per user role) filtering or logging. Just pushes a switch port into a VLAN. NuFW, identity-based firewalling 18/ 34

Why they fail Shared attacks What they all do is A priori authentication IP = User Static (Unlimited) Dynamic (Time-based,...) Session has to be kept alive to maintain the User/IP association All in all, what it takes to steal a user s identity on the network is to spoof an IP address NuFW, identity-based firewalling 19/ 34

Why they fail Timeout attacks Substitute network parameter during keep alive Can be done on all systems Slightly difficult for 802.1x because of physical down link detection Put hub between switch and user Wait for user association before substituting NuFW, identity-based firewalling 20/ 34

NuFW concepts NuFW: A strict authenticating firewall NuFW, identity-based firewalling 21/ 34

NuFW concepts Strict authenticating firewall principles No "IP==user" or "MAC==user" binding at all Every connection is authenticated by their emitting user The UserID is checked and validated strictly At the opening time of the connection Client Authenticates on the user directory (AD, LDAP,...) Secure channel from user to firewall Respect TCP/IP RFCs No alteration of standard network flows NuFW, identity-based firewalling 22/ 34

NuFW concepts Consequences NuFW requires an Agent on the client computer To authenticate To send requested information Interaction with host system NuFW, identity-based firewalling 23/ 34

NuFW concepts "A posteriori" connection authentication "A posteriori" Authentication is done after packet emission User is requested to prove that he has emitted the packet Avoids timeout attacks Per connection Authenticates each connection individually Brings multiuser system support NuFW, identity-based firewalling 24/ 34

NuFW algorithm NuFW algorithm NuFW, identity-based firewalling 25/ 34

NuFW algorithm NuFW algorithm NuFW, identity-based firewalling 25/ 34

NuFW algorithm NuFW algorithm NuFW, identity-based firewalling 25/ 34

NuFW algorithm NuFW algorithm NuFW, identity-based firewalling 25/ 34

NuFW algorithm NuFW algorithm NuFW, identity-based firewalling 25/ 34

NuFW algorithm NuFW algorithm NuFW, identity-based firewalling 25/ 34

NuFW algorithm NuFW algorithm NuFW, identity-based firewalling 25/ 34

NuFW algorithm NuFW algorithm NuFW, identity-based firewalling 25/ 34

NuFW algorithm NuFW algorithm NuFW, identity-based firewalling 25/ 34

NuFW algorithm NuFW algorithm NuFW, identity-based firewalling 25/ 34

NuFW algorithm NuFW algorithm NuFW, identity-based firewalling 25/ 34

NuFW algorithm Implementation NuFW runs on Linux firewalls NuFW uses userspace decision system provided by Netfilter (QUEUE or NFQUEUE) Linux 2.4 or 2.6 required Heavy conntrack usage (>= 2.6.18 recommended) NuFW and iptables # iptables -A FORWARD -m state \ --state ESTABLISHED -j ACCEPT # iptables -A FORWARD -p tcp --dport 23 \ -m state --state NEW --syn -j NFQUEUE NuFW, identity-based firewalling 26/ 34

Impacts of NuFW and possible caveats Performances No impact on bandwith Only impacts the opening of authenticated connections Conntrack handles all remaining packets (99,98%) No perceptible delay for user Around 15ms to open a new connection Global performance From 2000 to 4000 new authenticated connections/s Enough for most networks We are working with the Netfilter team to improve performance NuFW, identity-based firewalling 27/ 34

Impacts of NuFW and possible caveats NuFW and Network Address Translation Protocol limitations Firewall sees: Source and destination IP, Port Viewed from firewall Client sees and announces: Source and destination IP, Port Viewed from client Any transformation on IP parameters will cause a failure NuFW, identity-based firewalling 28/ 34

Impacts of NuFW and possible caveats NuFW and Network Address Translation NAT usage All address translations have to occur after NuFW authentication NuFW firewall itself can do NAT (source or destination) NuFW, identity-based firewalling 29/ 34

Impacts of NuFW and possible caveats Supported protocols : TCP and UDP UDP On Linux, unprivileged user cannot get enough information. Requires administrative privileges: Available on Windows Can be done for Linux (TODO) System level connection Some connections are established by the kernel ICMP On recent Windows, DNS requests through the svchost.exe service Network sharing protocols Eric Leblond, Vincent Deffontaines, NFS, SMB Sebastien Tricaud NuFW, identity-based firewalling 30/ 34

Impacts of NuFW and possible caveats Man in the middle attack 2 Method Attacker intercepts all packets but lets authentication flows run normally. Client sends a packet to initiate a new connection. Attacker drops the packet and sends a new legit connection with same IP parameters. Client authenticates the packet that reached the gateway. However This means legit user does not get its traffic working. It also means the attacker does not choose were to connect. This is a TCP/IP attack, not a NuFW one. Use flow encryption if you don t trust your network (or anyway you ll have your passwords sniffed!) 2 See the Eficaas link in references NuFW, identity-based firewalling 31/ 34

NuFW availability Chronology 2001-2004: proof of concept, no crypto on exchanges. NuFW, identity-based firewalling 32/ 34

NuFW availability Chronology 2001-2004: proof of concept, no crypto on exchanges. 2005: NuFW 1.0 - First usable, stable release. TLS encryption of exchange Connection to standard user directories via PAM (LDAP, AD,...) NuFW, identity-based firewalling 32/ 34

NuFW availability Chronology 2001-2004: proof of concept, no crypto on exchanges. 2005: NuFW 1.0 - First usable, stable release. TLS encryption of exchange Connection to standard user directories via PAM (LDAP, AD,...) 2006: NuFW 2.0 - Many "linting" options daemons support reload send ICMP datagram when rejecting a connection Prelude IDS logging support Time-based ACL support NuFW, identity-based firewalling 32/ 34

NuFW availability Chronology 2001-2004: proof of concept, no crypto on exchanges. 2005: NuFW 1.0 - First usable, stable release. TLS encryption of exchange Connection to standard user directories via PAM (LDAP, AD,...) 2006: NuFW 2.0 - Many "linting" options daemons support reload send ICMP datagram when rejecting a connection Prelude IDS logging support Time-based ACL support 2007: NuFW 2.2 IPv6 support Support for per user routing and QoS Client/Server Protocol enhancements Command mode for interactive administration. NuFW, identity-based firewalling 32/ 34

NuFW availability Associated tools Nulog NuFW, identity-based firewalling 33/ 34

NuFW availability Associated tools Nulog Other web interfaces Nuface: rule management Nutrack: connection tracking display and modification NuFW, identity-based firewalling 33/ 34

NuFW availability Who uses NuFW? Organisations with distinguished user profiles Having the network administrator do Human Resources with IP addresses sucks! Is your boss fired? Let the HR remove him from the directory. You don t need to modify the firewall. If an intern gets to be a salesman in your organisation, just let the HR set them in the right group. NuFW, identity-based firewalling 34/ 34

NuFW availability Who uses NuFW? Organisations with distinguished user profiles Having the network administrator do Human Resources with IP addresses sucks! Is your boss fired? Let the HR remove him from the directory. You don t need to modify the firewall. If an intern gets to be a salesman in your organisation, just let the HR set them in the right group. Advanced logging Keep track of who sends network flows No need to wonder "Who had that IP address 3 monthes ago?" when problems appear. NuFW, identity-based firewalling 34/ 34

A strict approach Bringing users to IP filter NuFW strictly implements security policies It opens the way to new usages Links with external applications Interactions with routing and QoS Already used in real life Multiple governemental organisations Technology shipped in EdenWall UTM appliance NuFW, identity-based firewalling 35/ 34

Questions? contacts: mail: nufw-core-team@nufw.org links: NuFW: http://www.nufw.org/ INL: http://www.inl.fr/ EdenWall: http://www.edenwall.com Prelude IDS: http://www.prelude-ids.org/ Nuface: http://software.inl.fr/trac/trac.cgi/wiki/edenwall/nuface Nulog: http://software.inl.fr/trac/trac.cgi/wiki/edenwall/nulog Eficaas: http://www.nufw.org/eficaas/ NuFW, identity-based firewalling 36/ 34

Detailed NuFW algorithm NuFW, identity-based firewalling 37/ 34

Protocol independant Single Sign On Get username from firewall logging SELECT username FROM log WHERE source_ip=192.168.1.0 AND source_port=2327\ AND destination_ip=192.168.33.3 \ AND destination_port=80 and protocol=6 and state=established; NuFW, identity-based firewalling 38/ 34

Working with IDS NuFW, identity-based firewalling 39/ 34

Information source for intrusion detection The firewall knows the user Apache logs the destination user Prelude correlator combines both information Alert if srcuser!= dstuser React NuFW, identity-based firewalling 40/ 34

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback