Firewalls

[Diagram: Evil Hackers -> Firewall -> Your network]

Firewalls mitigate risk:
–Block many threats
–They have vulnerabilities

A firewall sits at your connection to the Internet. As a prerequisite to this course you already know about networking, but it is worthwhile to look again at the interface to the Internet with security in mind, since the firewall can only act on what is visible in packet headers.

Typical Network Stack
–Application Layer (FTP, HTTP, SSH, etc.)
–Transport Layer (TCP, UDP)
–Internet Layer (IP, ICMP)
–Network Access Layer (Ethernet, FDDI, etc.)
(ICMP is carried directly inside IP, as IP protocol 1, rather than over a transport protocol, so it belongs with the Internet layer even though a firewall filters it much like TCP and UDP.)
(If you have a Novell or AppleShare network, the layer in place of IP may be IPX or AppleTalk.)
(RFC 1149, published 1 April 1990, specifies the transmission of IP datagrams on avian carriers: the carrier pigeon network access layer.)

Packet Organization
Each layer's packet has a header and a data field. Each layer treats whatever it receives from the layer above as opaque data, i.e. every layer adds its own header in front of it.

Encapsulation
[Diagram: Application (FTP, HTTP, …) data is wrapped by a Transport (TCP, UDP, …) header, then an Internet (IP) header, then a Network (Ethernet) header; each layer's unit is Header + Data]

Ethernet Layer
Header:
–Packet type (EtherType), e.g. IP
–Source address: the original source, or the last router on the path
–Destination address: the final destination, or the next router; may be a multicast or broadcast address
–Addresses are Media Access Control (MAC) addresses
Data is an IP packet

IP Layer
Header:
–IP source address
–IP destination address
–IP protocol type, e.g. TCP, UDP, ICMP
Data: TCP packet (or UDP, etc.)
Fragmentation: if a datagram is larger than the maximum packet size of a network it must cross (and the Don't Fragment flag is not set), the router splits the data into multiple packets (fragments); each carries a copy of the IP header with the same identification field and its own fragment offset, and only the first carries the transport header.

TCP Layer
Header:
–TCP source port (2 bytes)
–TCP destination port (2 bytes)
–TCP flags: designate the packet type (ACK, SYN, etc.)
Data: application data, e.g. FTP data

Multicast or Broadcast Source
Legitimate use: a DHCP request is sent before the client has a valid address, so it goes out with an all-zeros source (0.0.0.0) to the broadcast destination; it is the destination, not the source, that is broadcast.
Illegitimate use: a packet with a broadcast source address sent to a single destination makes that destination reply to the broadcast address, letting the attacker use the destination as a broadcast source (a reply amplifier).
Since DHCP does not normally cross the perimeter, block any packet with a broadcast (or multicast) source address.

IP Fragmentation
Prevent fragmentation with path MTU discovery:
–Maximum Transmission Unit (MTU): the largest packet a link can carry
–Send packets with the "don't fragment" (DF) flag set
–If an error comes back (ICMP "fragmentation needed"), decrease the packet size; otherwise the current size fits and a larger size can be tried

Packet Filters & Fragmentation
Only the first fragment carries the TCP/UDP header, so the simple solution is to filter only the first fragment and let non-first fragments through: if the first fragment is dropped, the datagram can never be reassembled and the higher-level protocol (TCP) discards the rest.
Problem #1: the destination holds the non-first fragments while waiting for the missing one (until a timeout), so a flood of incomplete datagrams ties up its reassembly buffers: denial of service!

Packet Filter & Fragmentation
Problem #2: the attacker carefully constructs overlapping fragments so that non-first fragments carry the information that matters; a later fragment can overwrite header bytes the filter already approved. Overlapping or malformed fragments may also be reassembled into invalid packets that crash the OS (the 1997 "teardrop" attack).

Packet Filter & Fragmentation
Problem #3: the attacker can get traffic to otherwise blocked ports by placing the TCP header fields the filter checks in non-first fragments (or overwriting them from one), which slip through unexamined. RFC 1858 describes these "tiny fragment" and "overlapping fragment" evasions.

Packet Filter & Fragmentation Solutions
–Reassemble fragments before filtering: time and memory consuming, and the firewall now holds the half-finished datagrams itself
–Reject all non-first fragments: may reject otherwise good connections, but the sender will retransmit
–The increasing use of path MTU discovery is reducing fragmentation, so rejecting fragments costs less than it once did
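The two approaches above, side by side, as an added example that is not part of the original slides: a naive filter that inspects only offset-0 fragments, and a reassembler that refuses any datagram whose fragments overlap before handing the whole datagram to the same rule. The packets are constructed inline (IP checksums left zero, since nothing is sent) and the inbound rule "only ACK-set traffic to port 80" is an assumed policy, not something the slides prescribe.

```python
import struct

IPV4_HDR = "!BBHHHBBH4s4s"      # the fixed 20-byte IPv4 header
TCP_SYN, TCP_ACK = 0x02, 0x10


def parse_ipv4(pkt):
    """Return the header fields a fragment-aware filter needs."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, ff, _ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": src, "dst": dst, "ident": ident, "proto": proto,
            "mf": bool(ff & 0x2000),          # More Fragments flag
            "offset": (ff & 0x1FFF) * 8,      # fragment offset is stored in 8-byte units
            "payload": pkt[ihl:total_len]}


def build_ipv4(ident, payload, offset=0, mf=False, proto=6):
    """Constructed test packet 10.0.0.1 -> 10.0.0.2; checksum left zero (never sent)."""
    ff = (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, ff, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def tcp_policy(tcp):
    """Assumed inbound rule: only established traffic (ACK set) to port 80."""
    if len(tcp) < 14:
        return False
    _sport, dport = struct.unpack("!HH", tcp[:4])
    return dport == 80 and bool(tcp[13] & TCP_ACK)


def first_fragment_filter(pkt):
    """The naive approach: inspect offset-0 fragments, pass all others unseen."""
    f = parse_ipv4(pkt)
    if f["offset"] != 0:
        return True
    return f["proto"] == 6 and tcp_policy(f["payload"])


class Reassembler:
    """Reassemble before filtering; any overlap between fragments discards the datagram."""

    def __init__(self):
        self.pending = {}   # (src, dst, ident, proto) -> {"frags": [(off, data)], "total": int|None}

    def add(self, pkt):
        f = parse_ipv4(pkt)
        if f["offset"] == 0 and not f["mf"]:
            return "complete", f["payload"]     # not fragmented at all
        key = (f["src"], f["dst"], f["ident"], f["proto"])
        e = self.pending.setdefault(key, {"frags": [], "total": None})
        lo, hi = f["offset"], f["offset"] + len(f["payload"])
        for olo, data in e["frags"]:
            if lo < olo + len(data) and olo < hi:   # byte ranges intersect
                del self.pending[key]
                return "overlap", None
        e["frags"].append((lo, f["payload"]))
        if not f["mf"]:
            e["total"] = hi                     # the last fragment fixes the datagram length
        covered = 0
        for olo, data in sorted(e["frags"]):
            if olo != covered:
                return "pending", None          # a hole: keep waiting (problem #1: cap this in real code)
            covered += len(data)
        if e["total"] is None or covered != e["total"]:
            return "pending", None
        del self.pending[key]
        return "complete", b"".join(d for _, d in sorted(e["frags"]))


def reassemble_then_filter(reasm, pkt):
    """None = decision deferred until the datagram is complete."""
    state, datagram = reasm.add(pkt)
    if state == "pending":
        return None
    return state == "complete" and tcp_policy(datagram)


def tcp_header(dport, flags):
    """Constructed 20-byte TCP header: sport 40000, seq 1, data offset 5, window 8192."""
    return struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)


# Overlapping-fragment evasion (the RFC 1858 pattern): fragment 0 carries a full
# TCP header with ACK set, which the naive filter accepts; the fragment at offset 8
# rewrites bytes 8..19, so a host that prefers the later copy ends up with SYN.
EVASION = [build_ipv4(0x1234, tcp_header(80, TCP_ACK), offset=0, mf=True),
           build_ipv4(0x1234, tcp_header(80, TCP_SYN)[8:], offset=8, mf=False)]

# An honest fragmented datagram: header plus 12 data bytes, then 16 more at offset 32.
LEGIT = [build_ipv4(0x5678, tcp_header(80, TCP_ACK) + b"A" * 12, offset=0, mf=True),
         build_ipv4(0x5678, b"B" * 16, offset=32, mf=False)]
```

The naive filter passes both EVASION fragments (the first looks established, the second is never looked at); the reassembler returns "overlap" on the second fragment and the datagram is dropped, while LEGIT is reassembled and then judged as a whole. The `pending` branch is exactly where problem #1 lives: a production reassembler bounds both the number of pending datagrams and how long each may wait.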

TCP
TCP is reliable because it guarantees to the application layer that it will:
–Deliver data in the order it was sent
–Deliver all data sent
–Not deliver duplicates
It will abort a connection before violating any of these.

Blocking TCP
To block a TCP connection, simply block its first packet. The first packet is unique: it is the only one with SYN set and ACK not set, the "start-of-connection" packet.
This lets a filter enforce a policy of allowing only connections to external servers, i.e. deny external connection requests to internal servers, by dropping inbound packets that do not have ACK set.

TCP Flags
Common TCP flags (the slide calls them options; the TCP options field is something else):
–ACK (acknowledgement)
–SYN (synchronize)
–RST (reset)
–FIN (finish)
The 3-way handshake uses SYN and ACK (SYN, then SYN+ACK, then ACK). RST and FIN are used to close connections: FIN closes gracefully, RST aborts.

TCP Flags
Firewalls use ACK and RST:
–ACK not set marks the first packet of a connection; every later packet has it set
–RST tells the other side to "shut up" without providing a useful error message: a filter that rejects with RST ends the attempt at once, while a silent drop leaves the sender retrying until it times out

TCP Sequence Numbers
Sequence numbers allow reconstruction of the correct order of packets (and identify which bytes a segment carries).
The initial sequence number is supposed to be unpredictable, but in many implementations it is not (e.g. a counter that advances at a fixed rate per second and per connection): a vulnerability!
How to hijack a TCP connection?

Hijacking a TCP Connection
The attacker needs:
–The ability to forge TCP/IP packets
–The initial sequence number
–Knowledge that a TCP connection has started (but not necessarily the ability to see it)
–When the TCP connection started
–The ability to redirect responses to themselves, OR to continue the conversation blind, without seeing responses, while achieving their goal
Once thought too hard to be practical, but it exists in the wild.
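Why "the initial sequence number" is the hard requirement, as an added example (not from the slides): a counter-style ISN generator of the kind the previous slide warns about is compared with an RFC 6528 keyed-hash generator. The attacker opens one connection to a server, then predicts the ISN the server will hand a victim who connects shortly afterwards. Only the prediction arithmetic is shown; the forging and redirection steps listed above are not. The constants (250000 per second, 64000 per connection) and the secret key are assumptions for the demonstration.

```python
import hashlib
import hmac

MOD32 = 1 << 32
TICKS_PER_SECOND = 250000      # assumed clock rate of the weak generator
PER_CONNECTION_STEP = 64000    # assumed per-connection increment of the weak generator


class CounterISN:
    """Weak scheme (in the spirit of early BSD, constants assumed): the ISN is a
    clock plus a fixed step per connection, so one observation predicts all later ISNs."""

    def __init__(self, start=0x1A2B3C4D):
        self.start = start
        self.connections = 0

    def isn(self, now, local, remote):
        self.connections += 1
        return (self.start + int(now * TICKS_PER_SECOND)
                + PER_CONNECTION_STEP * self.connections) % MOD32


class HashedISN:
    """RFC 6528: ISN = M + F(local, remote, secret), M a clock and F a keyed hash.
    An attacker's own connection reveals F only for the attacker's address pair."""

    def __init__(self, secret):
        self.secret = secret

    def isn(self, now, local, remote):
        msg = ("%s:%d|%s:%d" % (local[0], local[1], remote[0], remote[1])).encode()
        f = int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")
        return (int(now * TICKS_PER_SECOND) + f) % MOD32


def predict_counter_isn(observed_isn, observed_time, target_time, connections_between):
    """Attacker's arithmetic against the counter scheme: observed ISN plus the clock
    that elapsed plus one step per connection opened in the meantime."""
    elapsed = int(target_time * TICKS_PER_SECOND) - int(observed_time * TICKS_PER_SECOND)
    return (observed_isn + elapsed + PER_CONNECTION_STEP * connections_between) % MOD32


def demo(scheme):
    """Attacker connects at t=100.0, victim at t=100.2 (constructed addresses).
    Returns (attacker's prediction, ISN the server actually gave the victim)."""
    server = ("203.0.113.10", 25)
    observed = scheme.isn(100.0, server, ("198.51.100.7", 40000))   # attacker's connection
    prediction = predict_counter_isn(observed, 100.0, 100.2, 1)      # victim's is the next one
    actual = scheme.isn(100.2, server, ("192.0.2.44", 40001))        # victim's connection
    return prediction, actual
```

With `CounterISN` the prediction is exact; with `HashedISN` the attacker's observation carries no information about the victim's address pair, so the prediction is wrong except by a 2^-32 chance, and the attacker is back to guessing the full sequence space.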

UDP
Since UDP is connectionless (no handshake), there is no uniquely identifiable first packet: a stateless filter cannot tell a request from a reply by looking at the header. A stateful firewall has to remember outbound datagrams and admit only inbound datagrams that match one.

ICMP
Examples:
–Echo Request: sent by ping
–Echo Reply
–Time Exceeded (really hops exceeded: the TTL reached zero; traceroute relies on it)
–Destination Unreachable
–Redirect (a router forwarded a packet and is telling the sender that a better first hop exists)

ICMP
"Destination Unreachable" carries a code indicating the reason. The relevant one is "Fragmentation Needed and Don't Fragment was Set" (type 3, code 4), which path MTU discovery depends on. It is desirable to drop all other "unreachable" replies, since they give scanners useful information (which hosts and ports exist). Many simple packet filters cannot discriminate on the ICMP code, only on the type.

ICMP Attacks
ICMP packets should be very small; large ones indicate a problem, so filter out large ones. For example, echo packets allow padding which can carry arbitrary data. Not useful for breaking in, but it can serve as a covert channel to maintain a connection to an already compromised site.
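The inbound ICMP policy of the last three slides and the "fragmentation needed" message that path MTU discovery depends on, as an added example that is not part of the original slides. It verifies the RFC 1071 checksum, keeps echo replies, time exceeded and type 3 code 4, drops every other unreachable code and anything above a size limit, and extracts the next-hop MTU from an accepted message. The size limit (128 bytes), the covert-channel message and all sample packets are constructed for the example.

```python
import struct

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
FRAG_NEEDED = 4              # Destination Unreachable code that path MTU discovery relies on
MAX_ICMP_LEN = 128           # assumed policy limit; a default ping is 64 bytes of ICMP


def inet_checksum(data):
    """RFC 1071 one's-complement sum; verifying an intact message yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(type_, code, rest=b"\x00\x00\x00\x00", payload=b""):
    """Constructed ICMP message with a valid checksum (rest = the 4 bytes after the checksum)."""
    body = rest + payload
    csum = inet_checksum(struct.pack("!BBH", type_, code, 0) + body)
    return struct.pack("!BBH", type_, code, csum) + body


def inbound_icmp_decision(msg):
    """Assumed inbound ICMP policy: keep what ping, traceroute and PMTUD need, drop the rest."""
    if len(msg) < 8:
        return "drop", "truncated"
    if inet_checksum(msg) != 0:
        return "drop", "bad checksum"
    if len(msg) > MAX_ICMP_LEN:
        return "drop", "oversized"             # large echo padding can carry a covert channel
    icmp_type, code = msg[0], msg[1]
    if icmp_type == ECHO_REPLY:
        return "accept", "echo reply"
    if icmp_type == TIME_EXCEEDED:
        return "accept", "time exceeded"
    if icmp_type == DEST_UNREACH:
        if code == FRAG_NEEDED:
            return "accept", "fragmentation needed"
        return "drop", "unreachable code %d tells a scanner what exists" % code
    return "drop", "type %d not permitted inbound" % icmp_type


def next_hop_mtu(msg):
    """For an accepted 'fragmentation needed', the MTU the sender must drop to (RFC 1191)."""
    if msg[0] == DEST_UNREACH and msg[1] == FRAG_NEEDED:
        return struct.unpack("!H", msg[6:8])[0]
    return None


# Constructed samples
PING_REPLY = build_icmp(ECHO_REPLY, 0, struct.pack("!HH", 1, 1), bytes(56))
COVERT = build_icmp(ECHO_REPLY, 0, struct.pack("!HH", 1, 2),
                    bytes(56) + b"beacon: still here, next poll in 600s".ljust(200, b"\x00"))
PORT_UNREACH = build_icmp(DEST_UNREACH, 3, payload=bytes(28))   # code 3 = port unreachable
PMTU_MSG = build_icmp(DEST_UNREACH, FRAG_NEEDED, struct.pack("!HH", 0, 1400), bytes(28))
TAMPERED = bytes(PING_REPLY[:-1]) + bytes([PING_REPLY[-1] ^ 0x01])
```

Note the order of checks: integrity first, then size, then type and code, so a message never reaches the type-specific rules unless it is a well-formed, normal-sized ICMP message. A filter that can only match on type would have to accept all of type 3 to keep PMTUD working, which is the limitation the previous slide describes.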

IP over IP
Encapsulating IP inside IP:
–Encrypted traffic
–Mobile IP (moving while keeping a fixed IP address)
–Burying a protocol the intermediate network does not support: multicast over non-multicast networks, IPv6 over IPv4
–VPN: virtual private networks
Problem: the firewall cannot see the "actual" inner IP packet (encrypted), or may not look at it, so whatever is inside the tunnel bypasses the filter.

Low-level Attacks
Port scanning:
–Send SYN without ACK; receive SYN+ACK if the port is open, RST if it is closed
–Send FIN alone: on a standards-conforming stack a closed port answers RST and an open port stays silent
–"All flags on" = Christmas tree (lights it up)
–"All flags off" = null scan
The last two can crash a weak TCP/IP stack.
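The flag-based rules from the "Blocking TCP" and "TCP Flags" slides together with the scan patterns above, as an added example that is not part of the original slides: a classifier that names each flag combination, a stateless rule that allows outbound anything, inbound only ACK-set traffic or connection requests to published servers (dropping scan patterns silently and answering other refused requests with RST), and a small detector that flags a source probing many distinct ports. The traffic sample, the published-service set and the detector thresholds are constructed for the example.

```python
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
SCAN_KINDS = {"null-scan", "xmas-scan", "fin-scan", "syn-fin"}


def classify_flags(flags):
    """Name a TCP flag combination the way a filter or IDS would log it."""
    if flags == 0:
        return "null-scan"
    if (flags & (FIN | PSH | URG)) == (FIN | PSH | URG):
        return "xmas-scan"
    if flags == FIN:
        return "fin-scan"                 # a real close carries FIN together with ACK
    if flags & SYN and flags & FIN:
        return "syn-fin"                  # never valid; confuses weak stacks and stateless filters
    if flags & RST:
        return "reset"
    if flags & SYN:
        return "connection-request" if not flags & ACK else "connection-accept"
    return "established"                  # ACK without SYN: a segment inside a connection


def decide(direction, dport, flags, published=frozenset()):
    """Stateless rule: anything outbound; inbound only replies and segments of existing
    connections (ACK set), or new connections to the published servers. Scan patterns
    are dropped silently; other refused requests get RST so the client gives up at once."""
    kind = classify_flags(flags)
    if kind in SCAN_KINDS:
        return "drop", kind
    if direction == "out":
        return "accept", kind
    if kind == "connection-request":
        if dport in published:
            return "accept", kind
        return "reject-rst", "no published service on port %d" % dport
    return "accept", kind


class ScanDetector:
    """Flag a source that probes many distinct ports within one time window."""

    def __init__(self, threshold=5, window=10.0):
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(list)    # src -> [(time, dport)]

    def observe(self, now, src, dport, flags):
        """True once src has probed `threshold` distinct ports within `window` seconds."""
        kind = classify_flags(flags)
        if kind != "connection-request" and kind not in SCAN_KINDS:
            return False
        recent = [(t, p) for t, p in self.seen[src] if now - t <= self.window]
        recent.append((now, dport))
        self.seen[src] = recent
        return len({p for _, p in recent}) >= self.threshold


# Constructed traffic sample: (time, direction, remote_src, dport, flags)
SAMPLE = [
    (0.0, "out", "10.0.0.5", 443, SYN),              # internal client opens a connection
    (0.1, "in", "203.0.113.9", 51000, SYN | ACK),    # the server's reply to that client
    (1.0, "in", "198.51.100.7", 80, SYN),            # new connection to the published web server
    (2.0, "in", "198.51.100.7", 22, SYN),            # attempt on ssh: refused with RST
    (3.0, "in", "192.0.2.66", 21, SYN),              # a scanner sweeps several ports
    (3.1, "in", "192.0.2.66", 22, SYN),
    (3.2, "in", "192.0.2.66", 23, SYN),
    (3.3, "in", "192.0.2.66", 25, FIN | PSH | URG),  # Christmas tree
    (3.4, "in", "192.0.2.66", 110, 0),               # null
]


def run(packets, published=frozenset({80})):
    """Apply the rule to each packet; return (decisions, sources flagged as scanners)."""
    detector = ScanDetector()
    decisions, scanners = [], set()
    for now, direction, src, dport, flags in packets:
        decisions.append(decide(direction, dport, flags, published))
        if direction == "in" and detector.observe(now, src, dport, flags):
            scanners.add(src)
    return decisions, scanners
```

Silent drop versus RST is a deliberate split: answering a scan with RST confirms the host exists, so the scan patterns are dropped, while an ordinary client that hits a closed service gets the RST that makes it stop retrying, as the "TCP Flags" slide describes.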

Low-level Attacks
IP spoofing: forging the source address.
Apparent problem: the reply is not sent to the attacker. That does not matter when:
–The attacker can intercept the reply
–The attacker doesn't care to see it (e.g. DoS)
–The attacker doesn't want the reply: the smurf attack puts the victim's address in the source field and sends to a broadcast destination, so every host on that network replies to the victim, multiplying the traffic

Packet Filtering Pro/Con
Pro:
–One filter can protect an entire network
–Simple filtering is efficient
–Widely available (most routers can do it)
Con:
–Not perfect: hard to configure and test
–Reduces router performance
–Some security policies cannot be enforced, e.g. blocking a particular user, because the filter sees addresses, ports and flags, not users

Network Address Translation (NAT)
(Linux calls it masquerading)
[Diagram: Server, NAT, Client: the NAT box sits between the internal client and the external server]

NAT Pro/Con
Pro:
–Enforces control over outbound connections: only traffic that started from inside has state, so unsolicited inbound packets have nowhere to go
–Dynamic translation is more restrictive; a changing mapping increases attack difficulty
–Conceals the internal configuration (addresses and number of hosts)
Con:
–Dynamic translation requires maintaining state (how long to keep a connection open?)
–Interferes with some encryption schemes (anything that authenticates the IP header or carries addresses inside the encrypted payload)
–Dynamic translation interferes with logging: a log entry names an external port that maps to different internal hosts at different times
–Dynamic translation of ports can interfere with filtering
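A dynamic NAT (masquerading) table, as an added example that is not part of the original slides, showing the pro and con entries above in code: outbound packets create state and get a fresh external port, inbound packets are admitted only when they match that state, idle state expires after a timeout, and the same external port can belong to different internal hosts over time, which is what makes logs hard to attribute. Addresses, the port range, the idle timeout and the random seed are constructed for the example.

```python
import random


class Masquerader:
    """Dynamic NAT (Linux 'masquerading'): rewrite outbound source addresses to one
    external address and a per-connection external port, and admit inbound packets
    only when they match state created by an earlier outbound packet."""

    def __init__(self, external_ip, idle_timeout=300.0, port_range=(40000, 50000), seed=None):
        self.external_ip = external_ip
        self.idle_timeout = idle_timeout
        self.port_range = port_range
        self.rng = random.Random(seed)       # unpredictable port choice; seed only for tests
        self.out = {}    # (int_ip, int_port, rem_ip, rem_port) -> [ext_port, last_seen]
        self.back = {}   # (ext_port, rem_ip, rem_port) -> (int_ip, int_port)

    def _expire(self, now):
        """State has to die eventually; this is the 'how long to keep it?' question."""
        for key, (ext_port, seen) in list(self.out.items()):
            if now - seen > self.idle_timeout:
                _, _, rem_ip, rem_port = key
                del self.out[key]
                del self.back[(ext_port, rem_ip, rem_port)]

    def _alloc_port(self):
        """Pick an external port not used by any live mapping."""
        in_use = {ext for ext, _ in self.out.values()}
        lo, hi = self.port_range
        if len(in_use) >= hi - lo:
            raise RuntimeError("port pool exhausted")
        while True:
            port = self.rng.randrange(lo, hi)
            if port not in in_use:
                return port

    def outbound(self, now, int_ip, int_port, rem_ip, rem_port):
        """Translate an internal packet; returns the header as seen on the Internet."""
        self._expire(now)
        key = (int_ip, int_port, rem_ip, rem_port)
        if key in self.out:
            ext_port = self.out[key][0]
        else:
            ext_port = self._alloc_port()
            self.back[(ext_port, rem_ip, rem_port)] = (int_ip, int_port)
        self.out[key] = [ext_port, now]
        return (self.external_ip, ext_port, rem_ip, rem_port)

    def inbound(self, now, rem_ip, rem_port, ext_port):
        """Translate a packet arriving at external_ip:ext_port, or None to drop it."""
        self._expire(now)
        hit = self.back.get((ext_port, rem_ip, rem_port))
        if hit is None:
            return None               # unsolicited: nothing inside asked for it
        int_ip, int_port = hit
        self.out[(int_ip, int_port, rem_ip, rem_port)][1] = now
        return (rem_ip, rem_port, int_ip, int_port)

    def attribute(self, ext_port, rem_ip, rem_port):
        """The logging question: which internal host owns this external port right now?"""
        return self.back.get((ext_port, rem_ip, rem_port))
```

The reverse table is keyed on the remote address and port as well as the external port, so a reply from a different remote host or port to the same external port is dropped: the "more restrictive" behaviour the slide credits to dynamic translation. Once a mapping has expired, `attribute` returns nothing, which is why a log line carrying only the external port cannot be attributed later without the NAT's own state log.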