Introduction to Information Security 0368-3065, Spring 2017 Lecture 9: Network Defenses: Firewalls, NAT, VPN, DoS Avishai Wool Slides credit: John Mitchell, Stanford; Brian LaMacchia, U. Washington
Plan for today: Perimeter network defenses (Firewalls, NAT); Protecting network connections (IPSEC); Denial of Service
Last lecture: Basic network protocols: L2.5: ARP; L3: IP; L4: TCP, UDP; L5: DNS. Problems with them: No source authentication (can’t tell where a packet is from); Packet sniffing; Connection hijacking, spoofing, sequence numbers
Network Protocol Stack (figure: Application, Transport, Network and Link layers on two communicating hosts, with the application protocol, TCP protocol and IP protocol running between the peer layers)
Should all traffic be allowed?
Reasons for traffic filtering Avoid data loss / theft Avoid misuse of assets Avoid damage to systems Legal / Regulatory “put a guard at the building entrance” … also lock the office doors … and also keep sensitive documents in a safe
What is a firewall? A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. (Cisco)
What do firewalls check? Layer 3: Source IP address Destination IP address Protocol (TCP/UDP/ICMP/…) Layer 4: Destination Port Source Port (?) Other Criteria (sometimes): Direction (incoming/outgoing, network interface) Client program (if available)
Services and Port Numbers Protocol + Destination Port == “Service” TCP/80 is “http” TCP/22 is “ssh” Most daemons listen on a “well known” port Common convention, not mandatory Default: TCP client has “random” source port Usually above 1024, up to 65535 Unreliable as a filtering criterion
Types of firewall Host-based firewall Network Firewall: Stateless packet filter Stateful firewall
Host-based Firewall A host-based firewall is software running on a server or workstation. Control access to (and also from) a single computer. Can (usually does) filter based on program name Examples: Linux: iptables / netfilter Windows: Windows Firewall (Microsoft) ZoneAlarm (Check Point)
Host-based Firewalls
Properties of Host-based Firewalls Connecting program (client) is known Protection is as good as the rules in the policy ALLOW all services from anywhere to anywhere ?? Good default for a laptop/desktop: allow everything outbound (from selected programs) allow nothing inbound Policy is not centrally managed If attacker can log in – can turn off the firewall A form of Discretionary Access Control
Network Firewall Placed in the network path (as a router) Force all traffic to go through it Policy managed by IT / Security staff A form of Mandatory Access Control Connecting program (client) not reliably known
Network Firewall: Basic Topology
Network Firewalls: 2-Firewall Topology with DMZ DMZ: DeMilitarized Zone Network segment for semi-trusted systems
A Firewall can have Multiple Sides
Policy and Rules A single rule can refer to many IP addresses Usually a subnet like 132.66.0.0/16 A network firewall has many rules Overlaps are possible: … #100: Allow http from anywhere to 132.66.11.111 #101: Block http from anywhere to 132.66.0.0/16 First matching rule wins So #100 is an exception to #101
Stateless Packet Filters Every packet is filtered on its own Firewall does not “remember state of the connection” But TCP traffic is bi-directional: Client→Server: s-port = rand, d-port=80 Server→Client: s-port = 80, d-port=rand
Security Problem with Stateless Packet Filters Suppose we want to allow browsing to anywhere Requires 2 rules: Allow Client→Any when s-port=any, d-port=80, Allow Any→Client when s-port=80, d-port=any Insecure! The attacker controls the source port and can set it to any value, not a random one! Can send packets to all services by setting s-port=80
Performance Problem with Stateless Packet Filters A network firewall has many rules Including monsters with 20,000 – 50,000 rules ! 1Gbps = approx. 1M packets per second Each packet needs to be compared to all rules Slow comparisons can become a serious bottleneck
Stateful Inspection in Firewalls Invented & Patented by Gil Shwed US patent 5,606,668, 1993 Shwed co-founded Check Point, serves as CEO to this day Simple & brilliant idea Solves both security and performance problems
How Stateful Inspection works #1 Put only the Client→Server rule in the policy Allow Client→Any when s-port=any, d-port=80 Filtering based on the reliable d-port 1st (SYN) packet seen by firewall: Client→S1, with s-port=3777, d-port=80 store “(Client, S1, 3777, 80)” in a state table E.g., use a hash table data structure
How Stateful Inspection works #2
Algorithm when receiving packet (s, d, s-port, d-port):
  // Fast path
  If “(s, d, s-port, d-port)” in state table, or “(d, s, d-port, s-port)” in state table:
    Allow
  // Slow path
  Else if SYN packet:
    check “(s, d, s-port, d-port)” against rules
    if decision is Allow: store in state table
    else Block
Analysis of Stateful Inspection Performance: Assume N rules, M connections. Lookup time: Fast Path: O(1) // with good (M)-size hash table Slow Path: O(N) // Naïve data structure Extremely effective on long TCP connections Less effective with short connections Security “pinhole” for return traffic of a specific connection Much more secure than stateless Management: need only 50% of rules
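The first-match policy of the Policy and Rules slide and the fast-path/slow-path algorithm of the stateful inspection slides, as an added Python example that is not part of the lecture; the policy (modelled on rules #100/#101), hosts and ports are constructed.

```python
import ipaddress
from typing import Optional

class Rule:
    """One firewall rule: action on (proto, src CIDR, dst CIDR, d-port); d-port None = any."""
    def __init__(self, action: str, proto: str, src: str, dst: str, dport: Optional[int]):
        self.action, self.proto = action, proto
        self.src, self.dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        self.dport = dport

    def matches(self, proto, src, dst, dport) -> bool:
        return (self.proto == proto and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and self.dport in (None, dport))

# Constructed policy modelled on the slide: #100 is an exception to #101, first match wins.
POLICY = [
    Rule("allow", "tcp", "0.0.0.0/0", "132.66.11.111/32", 80),   # #100
    Rule("block", "tcp", "0.0.0.0/0", "132.66.0.0/16", 80),      # #101
    Rule("allow", "tcp", "132.66.0.0/16", "0.0.0.0/0", None),    # internal hosts may browse anywhere
]

def first_match(policy, proto, src, dst, dport) -> str:
    """Slow path: compare the packet to the rules in order; O(N) in the number of rules."""
    for rule in policy:
        if rule.matches(proto, src, dst, dport):
            return rule.action
    return "block"            # no rule matched: default deny

class StatefulFirewall:
    def __init__(self, policy):
        self.policy = policy
        self.state = set()    # hash table of 4-tuples (s, d, s-port, d-port) of allowed connections

    def filter(self, proto, src, dst, sport, dport, syn=False) -> str:
        key = (src, dst, sport, dport)
        # Fast path, O(1): packet belongs to an established connection, in either direction.
        if key in self.state or (dst, src, dport, sport) in self.state:
            return "allow"
        # Slow path: only a SYN may open a pinhole; a packet without state is dropped,
        # so choosing s-port=80 on a non-SYN packet no longer gets through.
        if proto == "tcp" and syn:
            decision = first_match(self.policy, proto, src, dst, dport)
            if decision == "allow":
                self.state.add(key)
            return decision
        return "block"
```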
Network Address Translation (NAT)
Network Address Translation (NAT) A short term solution to IP address shortage Long term solution is IPv6 Some security element Idea: Hide many hosts behind a single IP address Allows use of private addresses (RFC1918) 10.0.0.0/8: 10.0.0.0-10.255.255.255 172.16.0.0/12: 172.16.0.0-172.31.255.255 192.168.0.0/16: 192.168.0.0-192.168.255.255 Private addresses: Non unique Not assigned Not routed by Internet routers
NAT hiding private addresses NAT replaces TCP source ports to allow return traffic to internal addresses
NAT: Concerns & Limitations Crosses layering: both L3 and L4 Breaks end-to-end reachability: a host in the public Internet cannot initiate communication to a host in a private network. Adds some security: harder for attacker to reach target Difficult to run a server on a home network Complications for non-TCP traffic, and for protocols that carry IP addresses inside the data
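The source-port rewriting described on the previous two slides, as an added Python example that is not part of the lecture: a toy port-translating NAT with constructed addresses, showing why two internal hosts with the same source port do not collide and why an unsolicited packet from the Internet has no internal host to go to.

```python
import itertools
from typing import Optional, Tuple

class PortNat:
    """Toy port-translating NAT: many RFC1918 hosts share one public address."""
    def __init__(self, public_ip: str, first_port: int = 20000):
        self.public_ip = public_ip
        self.next_port = itertools.count(first_port)   # this toy never reuses a port
        self.out = {}    # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.back = {}   # (public port, dst_ip, dst_port) -> (priv_ip, priv_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port) -> Tuple[str, int, str, int]:
        """Rewrite an internal packet's source address (L3) and source port (L4)."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out:              # first packet of this flow: allocate a mapping
            pub_port = next(self.next_port)
            self.out[key] = pub_port
            self.back[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.out[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port) -> Optional[Tuple[str, int, str, int]]:
        """Map a packet arriving at the public address back to the internal host.
        Returns None when no internal host created the flow: unsolicited inbound traffic
        is dropped, which is why a public host cannot initiate a connection inward."""
        entry = self.back.get((dst_port, src_ip, src_port))
        if entry is None:
            return None
        priv_ip, priv_port = entry
        return (src_ip, src_port, priv_ip, priv_port)
```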
A Home Gateway Typically Includes: Layer 1+2: ADSL/Cable modem, Ethernet, WiFi Layer 2: Switch + WiFi hotspot Layer 2.5: DHCP (Dynamic Host Configuration Protocol) Dynamically assigns IP addresses to internal computers Layer 3: Router: “default gateway” for internal computers Layer 3+4: NAT device hiding internal addresses Layer 3+4: Firewall Layer 5: DNS server … Plus other features and capabilities
VPN
Defending against: Network packets pass by untrusted hosts Eavesdropping, packet sniffing Especially easy when attacker controls a machine close to victim TCP state can be easy to guess Enables spoofing and session hijacking
Virtual Private Network (VPN) Different modes of use: LAN-to-LAN internetworking Remote access client connections LAN-to-LAN IPsec (Layer-3: network layer) Usually terminated at firewalls Remote access: Usually “SSL-VPN”
Credit: Checkpoint
IPSEC Security extensions for IPv4 and IPv6 IP Authentication Header (AH) Authentication and integrity of payload and header IP Encapsulating Security Protocol (ESP) Confidentiality of payload
Recall packet formats and layers (figure: Application message = data; Transport (TCP, UDP) segment = TCP header + data; Network (IP) packet = IP header + TCP header + data; Link layer frame = Ethernet header + IP header + TCP header + data + Ethernet trailer)
IPSec Tunnel Mode: IPSEC header + IP header
IPSEC Tunnel Mode Firewalls
IPSEC Key Management
IPSEC Key Management IPSEC Key Management is all about establishing and maintaining Security Associations (SAs) between pairs of communicating hosts “hosts” are usually the firewalls at the 2 sides
Internet Key Exchange (IKE) Resynchronize two ends of an IPsec SA Choose cryptographic keys Reset sequence numbers to zero Authenticate endpoints Simple, right? Design evolved into something very complex Many modes and sub-protocols
General Idea of Main Mode (a Diffie-Hellman exchange between Alice and Bob):
Alice → Bob: crypto suites I support
Bob → Alice: crypto suites I choose
Alice → Bob: g^A mod p, nonceA
Bob → Alice: g^B mod p, nonceB
Alice → Bob: {“Alice”, proof I’m Alice} (key variant-dependent)
Bob → Alice: {“Bob”, proof I’m Bob}
Main Mode with Pre-shared key S:
Alice → Bob: crypto suites I support
Bob → Alice: crypto suites I choose
Alice → Bob: g^A mod p, nonceA
Bob → Alice: g^B mod p, nonceB
Alice → Bob: {“Alice”, proof I’m Alice} encrypted under f(S, g^AB)
Bob → Alice: {“Bob”, proof I’m Bob} encrypted under f(S, g^AB)
This is a variant of Diffie-Hellman, with additional encryption f() with pre-shared secret key S to protect against MITM
IPSEC AH and NAT Change in address or port will cause message integrity check to fail Packet will be rejected by destination IPSEC AH cannot be used with NAT devices (figure: packet layout Orig IP Hdr | AH Hdr | TCP Hdr | Data, with Message Integrity Check coverage over the whole packet except for mutable fields)
Denial of Service (DoS)
Denial of Service Attack Definition An explicit attempt by attackers to prevent legitimate users of a service from using that service Threat model – taxonomy from CERT: Consumption of network connectivity and/or bandwidth Consumption of other resources, e.g. queue, CPU Destruction or alteration of configuration information Malformed packets confusing an application, causing it to freeze Physical destruction or alteration of network components Established in 1988, the CERT® Coordination Center (CERT/CC) is a center of Internet security expertise, located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University.
Examples: Flooding Attacks Smurf attacks SYN Flood Distributed attacks: hierarchical structures Attacker’s goals: Amplification Anonymity
Smurf DoS Attack Send ping request to broadcast addr of subnet, e.g. dest=192.168.255.255 on subnet 192.168.0.0/16 Spoof source address to IP of DoS target Lots of responses: every host on the network sends a ping reply to the victim (figure: 1: DoS Source sends ICMP Echo Req, Src: DoS Target, Dest: broadcast addr, through the gateway; 3: every host sends ICMP Echo Reply, Dest: DoS Target)
Distributed DoS (DDoS) (figure: BadGuy sends unidirectional commands to Handlers; Handlers coordinate with many Agents; Agents send the attack traffic to the Victim) Why such hierarchy? Stacheldraht is a classic example of a DDoS tool. It utilizes a layered structure where the attacker uses a client program to connect to handlers, which are compromised systems that issue commands to the zombie agents, which in turn facilitate the DDoS attack. Agents are compromised via the handlers by the attacker, using automated routines to exploit vulnerabilities in programs that accept remote connections running on the targeted remote hosts. Each handler can control up to a thousand agents.[1]
SYN Flooding Attack 90% of DoS attacks use TCP SYN floods Takes advantage of three way handshake Server starts “half-open” connections These build up… until queue is full and all additional requests are blocked
TCP Handshake (S is listening):
C → S: SYN_C (S stores data: half-open connection)
S → C: SYN_S, ACK_C (S waits)
C → S: ACK_S (connected)
SYN Flooding (S is listening):
C → S: SYN_C1 (S stores data)
C → S: SYN_C2 (S stores data)
C → S: SYN_C3, SYN_C4, SYN_C5, ... (S stores data for each)
SYN Flooding Explained Send many SYN requests, spoofed source IP Victim allocates resources for each request New thread, connection state maintained until timeout Fixed bound on half-open connections Resources exhausted → requests from legitimate clients are denied
Preventing Denial of Service DoS caused by asymmetric state allocation SYN-Cookies ensure that the responder is stateless until initiator produced at least two messages Responder’s state (IP addresses and ports of the connection) is stored in a cookie and sent to initiator After initiator responds, cookie is regenerated and compared with the cookie returned by the initiator
SYN Cookies Listening… Server does not store state Compatible with standard TCP; simply a “weird” sequence number scheme S → C: SYN_S, ACK_C with sequence # = cookie Cookie must be unforgeable and tamper-proof Client should not be able to invert a cookie cookie = F(source addr, source port, dest addr, dest port, coarse time, server secret), F = crypto hash C → S: ACK_S(cookie) Server recomputes the cookie, compares it with the one received, and only establishes the connection if they match More info: http://cr.yp.to/syncookies.html
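The cookie function F and the recompute-and-compare step from this slide, as an added Python example that is not part of the lecture: the secret, the 64-second coarse-time slot, the 8-bit counter / 24-bit MAC layout and the addresses are constructed assumptions (real implementations also encode the MSS in the cookie, which is omitted here).

```python
import hashlib
import hmac

SERVER_SECRET = b"constructed-demo-secret"   # constructed; a real server draws this at random
SLOT_SECONDS = 64                             # coarse time: a cookie is tied to a 64-second slot

def _mac24(src, sport, dst, dport, slot) -> int:
    """F(source addr, source port, dest addr, dest port, coarse time, server secret), 24 bits."""
    msg = f"{src}|{sport}|{dst}|{dport}|{slot}".encode()
    tag = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:3], "big")

def make_cookie(src, sport, dst, dport, now) -> int:
    """Server's initial sequence number for the SYN-ACK: 8-bit slot counter || 24-bit MAC.
    Nothing is stored: the 4-tuple is recomputable from the client's ACK."""
    slot = int(now) // SLOT_SECONDS
    return ((slot & 0xFF) << 24) | _mac24(src, sport, dst, dport, slot)

def check_cookie(cookie, src, sport, dst, dport, now, max_age_slots=1) -> bool:
    """Recompute the cookie for this 4-tuple in the current or previous slot; accept only on match."""
    cur = int(now) // SLOT_SECONDS
    slot_byte, mac = cookie >> 24, cookie & 0xFFFFFF
    for age in range(max_age_slots + 1):
        slot = cur - age
        if (slot & 0xFF) != slot_byte:        # stale or forged counter: skip without a MAC check
            continue
        expected = _mac24(src, sport, dst, dport, slot)
        if hmac.compare_digest(expected.to_bytes(3, "big"), mac.to_bytes(3, "big")):
            return True
    return False

def accept_ack(ack_number, src, sport, dst, dport, now) -> bool:
    """The client's ACK acknowledges cookie + 1; establish the connection only if it verifies."""
    return check_cookie((ack_number - 1) & 0xFFFFFFFF, src, sport, dst, dport, now)
```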