Networks and Firewalls


23 Oct 2013


Reviewing Networks for secure IT-Systems and Firewalls
ISO/OSI Reference Model

Short analysis of network protocols to find out what is needed for a secure network

TCP/IP

  Internet protocol

  Transfer control protocol

UDP

  User data protocol

DHCP and NAT

Firewall technologies and their models

Implementation of your firewall

Firewall policies
Network Architecture and Protocols, Part 1

This part is relevant for the first exam. [Part 2: Firewall technologies will be considered later in detail]
Network and Protocols (Part 1)

ISO/OSI Model

Short analysis of network protocols to find out what is needed for a secure network

TCP/IP

  Internet Protocol

  Transfer Control Protocol

UDP

  User Data Protocol

DHCP

  Dynamic Host Configuration Protocol and Network Access Translation Protocol

ICMP

  Internet Control Message Protocol

Messages in single networks/intranets are called frames; messages in internets are named packets.

Data link frames contain destination addresses to deliver each frame to its destination station or router in the network.
ISO/OSI Reference Model (ISO 7498-2)

[Figure: the seven layers on Computer A and on Computer B, with an intermediate node (router, gateway etc.) between them that implements only layers 1 to 3]

  7  Application layer
  6  Presentation layer
  5  Session layer
  4  Transport layer
  3  Network layer     (also present on intermediates)
  2  Data link layer   (also present on intermediates)
  1  Physical layer    (also present on intermediates)

Peer-to-peer communication (the logical data flow) takes place between equal layers on Computer A and Computer B. The real data flow passes down through the layers on A, through the intermediates, like routers, gateways etc., and up through the layers on B.
ISO/OSI Reference Model vs. TCP/IP
(IP [RFC 791], RFC = request for comments)

  Layer  ISO/OSI reference model   TCP/IP model
  7      Application layer         FTP, SMTP, HTTP
  6      Presentation layer        Not included
  5      Session layer             Not included
  4      Transport layer           TCP, UDP
  3      Network layer             IP
  2      Data link layer           Data link layer
  1      Physical layer            Physical layer
Layer Cooperation Through Encapsulation on the Source Host

[Figure: the HTTP message passes down through the Application, Transport, Internet, Data Link and Physical processes; each layer places what it received into its own data field and adds its header]

  Application process:  HTTP Message
  Transport process:    TCP Hdr | HTTP Message
                        (encapsulation of the HTTP message in the data field of the TCP segment)
  Internet process:     IP Hdr | TCP Hdr | HTTP Message
                        (encapsulation of the HTTP message in the data field of the IP packet)
  Data link process:    DL Hdr | IP Hdr | TCP Hdr | HTTP Message | DL Trlr
                        (encapsulation of the HTTP message in the data field of a frame)
  Physical process:     converts the bits of the frame into signals

Note: the final frame for supervisory TCP segments (which carry no HTTP message) is
  DL Hdr | IP Hdr | TCP Hdr | DL Trlr
Layer Cooperation Through Decapsulation on the Destination Host

[Figure: the reverse of the source host: the Physical process converts the signals back into the bits of the frame, and each higher process removes its own header and passes the data field upward]

  Physical process:     converts signals into the bits of the frame
  Data link process:    DL Hdr | IP Hdr | TCP Hdr | HTTP Message | DL Trlr
                        (decapsulation of the HTTP message from the data field of a frame)
  Internet process:     IP Hdr | TCP Hdr | HTTP Message
                        (decapsulation of the HTTP message from the data field of the IP packet)
  Transport process:    TCP Hdr | HTTP Message
                        (decapsulation of the HTTP message from the data field of the TCP segment)
  Application process:  HTTP Message
Internet Protocol (IP)
IP Packet

[Figure: layout of the IP header, followed by the data field (payload)]

  Version | Header size | Service type | Size (max. 65535)
  Identification | Flags | Fragment-offset
  TTL (Time to live) | Protocol | Header checksum
  Source address
  Destination address
  IP options | Padding (extra bits)
  Data field (payload)
IP - Notes [IP4, IP6]

Bits 0-3 (4 bits) hold the version number

Bits 4-7 (4 bits [in 32-bit words, IP6]) hold
the header length

Bits 8-15 hold the server information (Diff-
Server information, IP6)

Bits 16-31 hold the total length value

Bits 32-47 hold the identification value
Hierarchical IP addresses

Example: 128.171.17.13 (network part 128.171, subnet part 17, host part 13)

32-bit IP addresses are hierarchical

Network part tells what network the host is on

Subnet part tells what subnet the host is on within the network

Host part specifies the host on its subnet

Routers along the way have to look only at the network or subnet parts, except for the router that delivers the packet to the destination host

Total is 32 bits; part sizes vary

Network mask tells the size of the network part

Subnet mask tells the length of the network plus subnet parts combined
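The address split described above, as an added example that is not part of the lecture slides: the network mask and the subnet mask are applied to the slide's address 128.171.17.13 to recover the three parts and their sizes, and a helper decides whether two hosts share a subnet (the question a router answers when it looks only at the network and subnet parts). The masks 255.255.0.0 and 255.255.255.0 are my assumption for the 16/8/8 split shown on the slide; the function also handles splits that do not fall on octet boundaries.

```python
import ipaddress


def split_address(addr: str, network_mask: str, subnet_mask: str) -> dict:
    """Split an IPv4 address into network, subnet and host parts.

    network_mask covers the network part only; subnet_mask covers the network
    and subnet parts combined, exactly as the two masks are defined on the slide.
    """
    # IPv4Network validates the masks (contiguous ones) and gives their lengths.
    net = ipaddress.IPv4Network(f"{addr}/{network_mask}", strict=False)
    sub = ipaddress.IPv4Network(f"{addr}/{subnet_mask}", strict=False)
    if sub.prefixlen < net.prefixlen:
        raise ValueError("the subnet mask must be at least as long as the network mask")
    host = int(ipaddress.IPv4Address(addr)) & int(sub.hostmask)
    return {
        "network": str(net.network_address),          # network part, rest zeroed
        "subnet": str(sub.network_address),           # network + subnet part
        "host": host,                                 # host number inside the subnet
        "bits": (net.prefixlen, sub.prefixlen - net.prefixlen, 32 - sub.prefixlen),
    }


def binary_view(addr: str, network_mask: str, subnet_mask: str) -> str:
    """Render the 32 bits with '|' at the network/subnet and subnet/host boundaries,
    which makes splits that do not fall on octet boundaries visible."""
    net_bits, sub_bits, _ = split_address(addr, network_mask, subnet_mask)["bits"]
    bits = format(int(ipaddress.IPv4Address(addr)), "032b")
    cut = net_bits + sub_bits
    return f"{bits[:net_bits]}|{bits[net_bits:cut]}|{bits[cut:]}"


def same_subnet(a: str, b: str, subnet_mask: str) -> bool:
    """True when a and b agree in the network plus subnet parts, i.e. a packet
    between them is delivered directly and no router has to look at the host part."""
    return ipaddress.IPv4Address(b) in ipaddress.IPv4Network(f"{a}/{subnet_mask}", strict=False)


if __name__ == "__main__":
    # Constructed sample: the slide's address with an assumed 16/8/8 split.
    print(split_address("128.171.17.13", "255.255.0.0", "255.255.255.0"))
    print(binary_view("128.171.17.13", "255.255.0.0", "255.255.255.0"))
    print(same_subnet("128.171.17.13", "128.171.18.1", "255.255.255.0"))
```

With a /26 subnet mask (255.255.255.192) the same address splits 16/10/6 and the host number is still 13, which is the "part sizes vary" point of the slide.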
IP addresses and security

NOTE that IP is unreliable!

IP works on level 3!

IP does not correct errors!

IP address spoofing: sending a message with a false IP address

  Gives the sender anonymity, so that the attacker cannot be identified

  Can exploit trust between hosts if the spoofed IP address is that of a host the victim host trusts

LAND attack: send the victim a packet with the victim's IP address in both the source and destination address fields and the same port number for the source and destination.
IP addresses and security - other IP header fields

Protocol field: identifies the content of the IP data

  Firewalls need this information to know how to process the packet's data field

Time-to-live (TTL) field

  Each router decrements the TTL value by one

  The router that decrements the TTL field to zero discards the packet

  That router also sends an error advisement message to the sender

  The packet containing this message reveals its sender's IP address to the attacker

  The Traceroute program in UNIX uses TTL time-outs to trace the routers along the route to a destination host.

  In Windows, the Tracert program is used instead of Traceroute.

  Traceroute or Tracert use TTL to map the route to the host, and they can be applied to scan the network.
IP addresses and security - other IP header fields (2)

Total Length Field (maximum size)

  The total length field gives the length of the entire IP packet in bytes. This is a 16-bit field, so the maximum size is 65535.

  An early DoS attack, the Ping-of-Death attack, used a ping packet whose length was greater than 65535.

  To do so an attacker sends an IP packet containing an ICMP message (later in detail) that is illegally too long.

  Many early TCP/IP programs crashed.

  Most operating systems now reject such packets automatically.
IP addresses and security - other IP header fields (3)

Fragmentation

  Routers may fragment IP packets (data fields) en route

  All fragments have the same identification field value

  Fragment offset values allow the fragments to be ordered

  The more-fragments bit is 0 in the last fragment

  Teardrop attack: a crafted fragmented packet does not make sense when reassembled

  Some firewalls drop all fragmented packets, which are rare today
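As an added example (my code, not part of the lecture slides), the following Python builds and decodes the fixed 20-byte IPv4 header shown on the IP Packet slide and applies the header checks that the three "other IP header fields" slides motivate: a checksum and total-length consistency check, the LAND condition (source equals destination), the TTL decrement a router performs, a fragment whose offset and length would reassemble beyond 65535 bytes (the Ping-of-Death case), and overlapping fragments with the same identification (the Teardrop case). Sample packets are constructed inline with addresses from the 10.0.0.0/8 private range; the field names and thresholds are taken from the slides, the function names are mine.

```python
import socket
import struct

IPV4_HDR = "!BBHHHBBH4s4s"   # fixed IPv4 header without options, network byte order
MAX_TOTAL_LENGTH = 65535     # 16-bit total length field
FLAG_MF = 0x2000             # "more fragments" bit in the flags/fragment-offset word


def internet_checksum(data: bytes) -> int:
    """Ones'-complement checksum over 16-bit words (RFC 1071). A header carrying
    a correct checksum field sums to 0 when passed through this function."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, payload=b"", proto=1, ttl=64, ident=1,
               more_fragments=False, frag_offset=0) -> bytes:
    """Construct a sample IPv4 packet with a valid header checksum (test input only)."""
    total_length = 20 + len(payload)
    flags_frag = (FLAG_MF if more_fragments else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, total_length, ident, flags_frag, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(packet: bytes) -> dict:
    """Decode the header fields named on the slides."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_length, ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack(IPV4_HDR, packet[:20])
    header_len = (ver_ihl & 0x0F) * 4          # header size is given in 32-bit words
    return {
        "version": ver_ihl >> 4,
        "header_len": header_len,
        "total_length": total_length,
        "identification": ident,
        "more_fragments": bool(flags_frag & FLAG_MF),
        "fragment_offset": flags_frag & 0x1FFF,   # in units of 8 bytes
        "ttl": ttl,
        "protocol": proto,
        "checksum_ok": (header_len >= 20 and len(packet) >= header_len
                        and internet_checksum(packet[:header_len]) == 0),
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
    }


def inspect_packet(packet: bytes) -> list:
    """Checks a packet filter can apply from the header alone; returns the findings."""
    h = parse_ipv4(packet)
    findings = []
    if h["version"] != 4:
        findings.append("not an IPv4 packet")
    if not h["checksum_ok"]:
        findings.append("bad header checksum")
    if h["total_length"] != len(packet):
        findings.append("total length field disagrees with bytes received")
    if h["src"] == h["dst"]:
        findings.append("LAND: source address equals destination address")
    if h["more_fragments"] or h["fragment_offset"]:
        # Byte position where this fragment's data would end after reassembly.
        end = h["fragment_offset"] * 8 + (h["total_length"] - h["header_len"])
        if end > MAX_TOTAL_LENGTH:
            findings.append("fragment reassembles beyond 65535 bytes (Ping-of-Death style)")
    return findings


def fragments_overlap(fragments) -> bool:
    """Teardrop check over parsed fragments sharing one identification value:
    True when two fragments claim overlapping byte ranges of the original packet."""
    ranges = sorted((f["fragment_offset"] * 8,
                     f["fragment_offset"] * 8 + f["total_length"] - f["header_len"])
                    for f in fragments)
    return any(s2 < e1 for (_, e1), (s2, _) in zip(ranges, ranges[1:]))


def router_forward(packet: bytes):
    """Router behaviour from the TTL slide: decrement TTL and fix the checksum;
    return None when TTL reaches zero, meaning the packet is discarded (a real
    router then sends an error advisement message back to the source)."""
    h = parse_ipv4(packet)
    if h["ttl"] <= 1:
        return None
    hdr = bytearray(packet[:h["header_len"]])
    hdr[8] = h["ttl"] - 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", internet_checksum(bytes(hdr)))
    return bytes(hdr) + packet[h["header_len"]:]


if __name__ == "__main__":
    # Constructed samples: a LAND packet and an oversize fragment.
    print(inspect_packet(build_ipv4("10.0.0.1", "10.0.0.1", payload=b"ping")))
    print(inspect_packet(build_ipv4("10.0.0.2", "10.0.0.3", payload=b"x" * 48, frag_offset=8189)))
```

Note that `inspect_packet` only looks at one header; the overlap check needs all fragments of an identification value collected first, which is exactly the state a firewall has to keep if it does not simply drop fragments.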
IP options from the IT-security viewpoint

IP options: 8-bit range, additional functions

  used by the system administration to check or control connections

  important in IT-security

  option number 3 - loose source routing,

  option number 9 - strict source routing; these options are applied for specific routing of the IP packet to its destination

Options are dangerous [retracing is possible, but it does not avoid the spoofing of IP addresses and can be undermined, J.S.]
Transfer Control Protocol

Transfer Control Protocol (TCP)

TCP is a reliable protocol that works on level 4.

TCP establishes a logical peer-to-peer connection and specified services.

After transmission of the packets, the destination computer (target device) checks if the packets have been received in the correct order as given by a sequential numbering of the submitted packets.

An acknowledgement is sent to the source computer (if the transmission of all packets could be completed).

When an error is detected, the transmission process is restarted.
Port Concept

A port is a 16-bit address.

Services, especially operating system services (so-called daemons in Unix), are connected via ports.

The associated daemons are listeners, which are waiting for incoming messages.

On the application level a portmapper maps the port to the addressed service.

Many network daemons supporting the network connection services have a unique port number; this means a unique address.

Standard daemons are mapped to ports <= 256. They are often named well-known ports.
  Daemon     Protocol   Port
  ftp        TCP        21
  telnet     TCP        23
  smtp       TCP        25
  tftp       UDP        69
  finger     TCP        79
  http       TCP        80
  kerberos   UDP        88
  rlogin     TCP        513
  shell      TCP        514
  NFS        UDP        2049
  x11        TCP        6000-6xxx

Red-labeled ports can be attacked (the colour labels of the original slide are not preserved in this text).
TCP Connection: 3-phase Handshake Protocol

[Figure: the three handshake messages between Client (sender) and Server (responder), followed by data; each message is carried in an IP packet]

  1. Client -> Server: sequence number Seq C
  2. Server -> Client: sequence number Seq S, Ack = Seq C + 1
  3. Client -> Server: Ack = Seq S + 1
  then: Data
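The three-phase exchange from the figure, as an added example that is not part of the lecture slides: both sides are simulated in Python with the Seq C / Seq S / Ack values written out, each side checks that the acknowledgement it receives is exactly its own sequence number plus one before moving on, and a deliberately tampered message 2 is rejected. Sequence numbers are 32-bit and wrap around; the state names and function names are my own, and fixed initial sequence numbers are used only so the run is reproducible.

```python
import secrets

MOD = 2 ** 32   # sequence numbers are 32-bit and wrap around


class Endpoint:
    """One side of the connection. The initial sequence number is chosen
    unpredictably unless a fixed one is supplied for a reproducible demonstration."""

    def __init__(self, name, isn=None):
        self.name = name
        self.seq = secrets.randbelow(MOD) if isn is None else isn % MOD
        self.peer_seq = None
        self.state = "CLOSED"


def step1_client_syn(client):
    """Message 1, Client -> Server: carries the client's sequence number Seq C."""
    client.state = "SYN_SENT"
    return {"seq": client.seq}


def step2_server_syn_ack(server, msg1):
    """Message 2, Server -> Client: Seq S together with Ack = Seq C + 1."""
    server.peer_seq = msg1["seq"]
    server.state = "SYN_RECEIVED"
    return {"seq": server.seq, "ack": (msg1["seq"] + 1) % MOD}


def step3_client_ack(client, msg2):
    """Message 3, Client -> Server: Ack = Seq S + 1. The client only proceeds if the
    server acknowledged exactly Seq C + 1; anything else is not a reply to its own message."""
    if msg2["ack"] != (client.seq + 1) % MOD:
        raise ValueError(f"{client.name}: unexpected Ack {msg2['ack']}")
    client.peer_seq = msg2["seq"]
    client.state = "ESTABLISHED"
    return {"ack": (msg2["seq"] + 1) % MOD}


def server_finish(server, msg3):
    """The server applies the same check to message 3 before it accepts data."""
    if msg3["ack"] != (server.seq + 1) % MOD:
        raise ValueError(f"{server.name}: unexpected Ack {msg3['ack']}")
    server.state = "ESTABLISHED"


def handshake(client, server, tamper=None) -> bool:
    """Run the three phases; `tamper`, if given, alters message 2 in flight."""
    m1 = step1_client_syn(client)
    m2 = step2_server_syn_ack(server, m1)
    if tamper is not None:
        m2 = tamper(m2)
    m3 = step3_client_ack(client, m2)
    server_finish(server, m3)
    return client.state == "ESTABLISHED" and server.state == "ESTABLISHED"


if __name__ == "__main__":
    # Constructed run with fixed initial sequence numbers so the values are readable.
    c, s = Endpoint("client", isn=1000), Endpoint("server", isn=5000)
    print(handshake(c, s), c.peer_seq, s.peer_seq)
```

Because message 3 has to carry Seq S + 1, the initiator must actually have received message 2; that is the property the later "insecurity" slide contrasts with UDP, where no such acknowledgement exists.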
User Data Protocol (UDP)

Connectionless protocol on level 4

IP is only extended in the sense that processes
(daemons) can be mapped and connected to
the ports.

Packet loss can NOT be detected.

The order in the sequence of the submitted packets can NOT be monitored and can NOT be guaranteed. Such mechanisms have to be implemented at the application level.
Insecurity of UDP and TCP

No acknowledgement implemented in UDP

Identification and authentication via the IP address only

No distinction between the initial phase, when a connection is established, and the use of the established connection

No simple filtering of UDP packets (by using a firewall)

Attacks via masquerade (Here I will add at least two slides later on).
Some Remarks on Dynamic Host Configuration (DHCP) (1)
RFC 2131 and RFC 2132

A device / a computer which submits and receives data from the internet has to have an IP address.

IP addresses have a size of 32 bits; an assigned address is valid for a limited period.

Dynamic Host Configuration Protocols (DHCP) are responsible for dynamic mapping of IP addresses.

The (inter)network connection is established while booting via a broadcast message.
Some Remarks on Dynamic Host Configuration (DHCP) (2)

All DHCP servers which receive this broadcast request answer with an IP address.

The requester takes the first incoming IP address and sends a request message referring to the offer from this DHCP server.

The DHCP server allocates this IP address and sends an acknowledgement.

The received IP address is leased for a certain period. Note that the IP address is not available for the client / requester if an expansion of this period is required.
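The exchange described on the two DHCP slides, as an added example that is not part of the lecture slides: a client broadcasts, every server that hears the broadcast offers an address, the client takes the first offer and sends a request naming that server, the server allocates the address and acknowledges it with a lease period, and an address whose lease has run out goes back to the pool (so a late renewal can fail, which is the slide's closing note). The address pool, lease length and the simple "first free address" allocation are my assumptions; the message names follow the slides rather than the RFC option codes.

```python
class DhcpServer:
    """A DHCP server with a pool of addresses it may lease out."""

    def __init__(self, name, pool, lease_seconds):
        self.name = name
        self.free = list(pool)
        self.leases = {}              # ip -> (client_id, expiry time)
        self.lease_seconds = lease_seconds

    def offer(self, client_id):
        """Answer to the broadcast: every server that hears it offers an address."""
        if not self.free:
            return None
        return {"server": self.name, "ip": self.free[0], "lease": self.lease_seconds}

    def acknowledge(self, client_id, ip, now):
        """Reply to the request: allocate the address and acknowledge the lease."""
        if ip not in self.free:
            return None
        self.free.remove(ip)
        self.leases[ip] = (client_id, now + self.lease_seconds)
        return {"server": self.name, "ip": ip, "expires": now + self.lease_seconds}

    def renew(self, client_id, ip, now):
        """Extend a lease that still belongs to this client and has not expired."""
        lease = self.leases.get(ip)
        if lease is None or lease[0] != client_id or now >= lease[1]:
            return None
        self.leases[ip] = (client_id, now + self.lease_seconds)
        return now + self.lease_seconds

    def release_expired(self, now):
        """Addresses whose lease period has passed return to the pool."""
        for ip, (_, expiry) in list(self.leases.items()):
            if now >= expiry:
                del self.leases[ip]
                self.free.append(ip)


def dhcp_boot(client_id, servers, now):
    """The requester's side: broadcast, take the first incoming offer, send the
    request to that server, receive its acknowledgement (None if nobody offers)."""
    offers = [o for o in (s.offer(client_id) for s in servers) if o is not None]
    if not offers:
        return None
    chosen = offers[0]
    server = next(s for s in servers if s.name == chosen["server"])
    return server.acknowledge(client_id, chosen["ip"], now)


if __name__ == "__main__":
    # Constructed sample: two servers on the same network, one-hour leases.
    a = DhcpServer("srv-a", ["10.0.42.1", "10.0.42.2"], lease_seconds=3600)
    b = DhcpServer("srv-b", ["10.0.42.100"], lease_seconds=3600)
    print(dhcp_boot("pc1", [a, b], now=0))
    a.release_expired(3600)
    print(a.renew("pc1", "10.0.42.1", now=3601))   # lease already expired
```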
Some Remarks on Network Access Translation Protocol (NAT)

A table for address translation is administrated on the router / switch or server,

  e.g. to handle limited services, like printing services, or

  to hide the local addresses from access via the WWW.

The router / switch or server is the gateway to the Internet and has a globally unique IP address.

Messages sent in the (network) domain have to be submitted to the Internet.

NAT handles a mapping between the global IP address and domain-specific IP addresses.
Example Using NAT

[Figure: local network 10.0.42.x with PC 1 (10.0.42.1) and PC 2 (10.0.42.2) behind a NAT device whose local address is 10.0.42.16 and whose Internet address is 130.3.18.39; an FTP server and a Web server are reached across the Internet]

NAT table:
  PC 1: 10.1.42.1:16587   ->  130.3.18.39:20001
  PC 2: 10.0.42.2:32006   ->  130.3.18.39:20004
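The translation the NAT table above performs, as an added example that is not part of the lecture slides: a small gateway holding the global address 130.3.18.39 rewrites the source address and port of outgoing packets, keeps the mapping for the reverse direction, and can deliver an incoming packet inside only if its destination port appears in the table. The two static entries follow the slide's table (PC 1 is taken as 10.0.42.1, the address shown next to it in the diagram); the server addresses 203.0.113.21 and 203.0.113.80 are constructed, and the sequential allocation of further ports is my assumption.

```python
class NatGateway:
    """Port-based NAT. Packets are dicts with src/sport/dst/dport; the gateway
    owns one globally unique address and maps (local ip, local port) pairs to
    ports on that address."""

    def __init__(self, global_ip, static=None):
        self.global_ip = global_ip
        self.table = dict(static or {})                       # (inside ip, port) -> global port
        self.reverse = {gp: key for key, gp in self.table.items()}
        self.next_port = max(self.table.values(), default=20000) + 1

    def outbound(self, pkt):
        """Local -> Internet: replace the local source by the global address and
        the table port, creating a new table entry when none exists yet."""
        key = (pkt["src"], pkt["sport"])
        if key not in self.table:
            self.table[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return {**pkt, "src": self.global_ip, "sport": self.table[key]}

    def inbound(self, pkt):
        """Internet -> local: only a packet addressed to a port in the table has a
        local address to be redirected to; anything else has nowhere to go and is
        returned as None. This is redirection, not filtering: the table decides
        delivery, the packet's content is never examined."""
        if pkt["dst"] != self.global_ip or pkt["dport"] not in self.reverse:
            return None
        ip, port = self.reverse[pkt["dport"]]
        return {**pkt, "dst": ip, "dport": port}


if __name__ == "__main__":
    # Constructed sample matching the slide's NAT table.
    nat = NatGateway("130.3.18.39", static={("10.0.42.1", 16587): 20001,
                                            ("10.0.42.2", 32006): 20004})
    print(nat.outbound({"src": "10.0.42.1", "sport": 16587, "dst": "203.0.113.21", "dport": 21}))
    print(nat.inbound({"src": "203.0.113.21", "sport": 21, "dst": "130.3.18.39", "dport": 20004}))
    print(nat.inbound({"src": "198.51.100.9", "sport": 4444, "dst": "130.3.18.39", "dport": 20002}))
```

What the FTP or Web server sees is always 130.3.18.39 with a table port, never 10.0.42.1 or 10.0.42.2, which is the "hides real IP addresses" advantage of the next slide; the table itself applies no policy to what passes through, which is its "no filtering" disadvantage.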
Security Problems Using DHCP and NAT

Advantages:

  both hide real IP addresses,

  as a consequence, it is more complicated to initiate attacks which are based on the knowledge of the IP address itself

Disadvantages:

  no filtering

  redirection of IP addresses (and ports) only

Problem: if the attacker knows the internal / local structure of the network, no kind of safety, security and protection can be guaranteed.