Download presentation
Presentation is loading. Please wait.
Published byRegina Carter Modified over 9 years ago
1
SCSC 455 Computer Security Network Security
2
Control access to system Access control mechanisms in specific network programs e.g. 1, wu-FTP server support mulitple security directive in /etc/ftpaccess e.g. 2, Apache server: /etc/httpd.conf Control network traffic at network layer -- Firewall operates at the lowest level of the networking protocol stack. examines and discards packets from unauthorized systems before they have a chance to attack applications Use advanced routing techniques IP masquerading “Hides” LAN clients from hackers on the Internet
3
Access control at different layers
4
Index Linux firewall NAT and proxy Protect network traffic through encryption
5
Firewall A firewall -- a packet filter access control operating at the lowest level of the networking protocol stack Firewalls rely on rules Rules: the configuration settings that define certain characteristics of an IP package and the action to take for packages meeting the specified criteria Networking stacks in Linux are contained in the kernel gives Linux great control over network packet management
6
IP Chains The IP Chains are a list of rules for how packets are handled Linux kernel includes three default chains Input chains: packets coming from outside the system on which the rule is executed pass through Forward chains: packets coming from outside the system on which the rule is executed and that need to be routed to another system pass through Output chains: Packets coming from within the system on which the rule is executed and that are destined for other systems pass through User defined chains can be added.
7
IP Chains
8
Options in IP Chains
9
Append a new rule to a chain (-A). # ipchains -A input -s 127.0.0.1 -p icmp -j DENY Insert a new rule at some position in a chain (-I). # ipchains -I input 1 -j DENY Delete the first rule that matches in a chain (-D). # ipchains -D input -s 127.0.0.1 -p icmp -j DENY Emptying all rules out of a chain, using the `-F' command. # ipchains -F forward List all the rules in a chain # ipchains -L -n input
10
Options in IP Chains -P: default policy for a chain when a packet hits the end of a built-in chain, the policy of the chain determines the fate of the packet. The policy can be any of the ACCEPT, DENY, REJECT or MASQ. MASQ is only valid for the `forward' chain. E.g. # ipchains -P forward DENY
11
Options in IP Chains -j “jump to” target ACCEPT allows the packet through. DENY drops the packet as if it had never been received. REJECT drops the packet, but (if it's not an ICMP packet) generates an ICMP reply to the source to tell it that the destination was unreachable. MASQ tells the kernel to masquerade the packet. For this to work, your kernel needs to be compiled with IP Masquerading enabled. REDIRECT tells the kernel to send a packet to a local port instead of wherever it was heading. is only valid for packets traversing the input chain. RETURN which is identical to falling off the end of the chain immediately
12
ipchains Example E.g.1 # ping 127.0.0.1 # ipchains -I input -s 127.0.0.1 -p icmp -j DENY # ping 127.0.0.1 E.g. 2 #ipchains -A input –j DENY #ipchains -A input –s 192.168.10.0/0 -j ACCEPT
13
Options in IP Chains -i specifies the name of an interface to match. An interface is the physical device the packet came in on, or is going out on. use the ifconfig command to list the interfaces which are `up'. What is lo interface? The lo interface is usually called the loopback interface. If packets from a local process are destined for a local process, they will go through the output chain with interface set to `lo', then return through the input chain with interface also `lo'. -p specifies the protocol `TCP', `UDP' or `ICMP'.
14
Options in IP Chains -s and –d specify the source and destination Representing in full name, such as `localhost' or `www.linuxhq.com'. Representing in IP address such as `127.0.0.1'. Representing as a group of IP addresses, such as `199.95.207.0/24' an extra argument indicating the TCP or UDP port, or an (inclusive) range of ports e.g., -p TCP -s 0.0.0.0/0 :1023
15
Options in IP Chains ! (inversion) flags can have their arguments preceded by `!' to match addresses NOT equal to the ones given. E.g. 1, `-s ! localhost' matches any packet not coming from localhost. E.g. 2 -p TCP -d 0.0.0.0/0 ! www to specify every TCP packet BUT a WWW packet, How about the following? -p TCP -d ! 192.168.1.1 www -p TCP -d 192.168.1.1 ! www -p TCP -d ! 192.168.1.1 ! www
16
What Not To Filter Out in ipchains ICMP packets ICMP packets are used to indicate failure for other protocols (such as TCP and UDP). Blocking these packets means that you will never get `Host unreachable' or `No route to host' errors; any connections will just wait for a reply that never comes. TCP Connections to DNS (nameservers) DNS doesn't always use UDP. If the reply from the server exceeds 512 bytes, the client uses a TCP connection (still going to port number 53) to get the data.
17
Graphical Firewall Configuration Utilities Linux supports several graphical tools that can be used to set up a firewall Red Hat Linux includes the lokkit program that walks you through questions and establishes rules based on your security choices Red Hat Linux also includes the firewall-config program, which allows the set up of complex firewall rules
18
Graphical Firewall Configuration Utilities – Lokkit (1)
19
Graphical Firewall Configuration Utilities – Lokkit (2)
20
Graphical Firewall Configuration Utilities – firewall-config (1)
21
Graphical Firewall Configuration Utilities – firewall-config (2)
22
NetFilter / IP Tables NetFilter the new and improved Linux packet filtering system and uses a different architecture than IP Chains provides hooks at five different points in packet processing A hook refers to the ability to connect another program at that point The list of rules associated with the hooks are similar to IP Chains and are called IP Tables
23
Using NetFilter / IP Tables NetFilter / IP Table provide: The ability to act on packets based on their state – stateful packets filtering Examination and alteration of just about any header field in a packet - packet mangling Selection of packets to be logged based on the value of any header field Passing of packets to regular Linux programs for further processing outside of the Linux kernel Implementation of intelligent routing based on Quality of Service (QoS) features
24
Index Linux firewall NAT and proxy Protect network traffic through encryption
25
Network Address Translation and IP masquerading The IP Chains feature also provides a special routing functionality -- Network Address Translation (NAT) NAT is a routing technique that alters address or other header information in a packet One popular type of NAT is IP masquerading network address translation in which packets from many computers on a LAN appear as if they came from one computer.
26
IP masquerading #ipchains -A forward -s 192.168.100.0/24 -j MASQ
27
NAT pros and cons NAT pros: Using NAT, a single IP can permit an entire LAN to connect to the Internet. Behind the router, the same private IP addresses can be reused on every LAN A remote computer cannot connect to a client within a masqueraded LAN. The router effectively hides the entire LAN. NAT cons: However, IP masquerading can make some network services (FTP, IRC, streaming audio) unworkable. Q: Why? To make these protocols work, additional kernel modules for the specific protocols have to be installed.
28
Proxy Server A proxy server is very similar to IP masquerading, but the proxy works at the application level, not the IP level must configure each client on the LAN so that it use a special port for the proxy (instead of using the default port) E.g., “Squid” is a proxy server in Linux Clients use 8080 or 8008 instead of the default web port 80 A proxy server provides security against outside attacks by insulating clients. let you control the access to the outside system can cache the results (such as web pages) to improve performance
29
Proxy server
30
Transparent proxy Transparent proxy – IPchains or IPtables can redirect packet based on the port to which the packet is addressed Is an alternative to using a proxy server Do not need to configure the clients – the proxy activity is “transparent” to the clients All clients’ requests packets must pass through a gateway to reach the Internet. The router is configured to redirect some packets to a particular port at the proxy server. The proxy server masquerades these packets and send them out. The proxy server also processes the received packet from Internet and return them to a client.
31
Transparent Proxying
32
Index Linux firewall NAT and proxy Protect network traffic through encryption
33
Encrypting Network Traffic What we have covered: The firewall restrict network traffic. The special routing techniques isolates clients in a LAN from the Internet However, the contents of packets in LAN or through Internet are visible to everyone. With network analysis tool (a sniffer), the hackers can view the packets. The general strategy is encrypting the packets. Some solutions: Secure shell (SSH) IPSec ( Note: IPsec operate at the network layer. more flexible, but more complex and with higher overhead )network layer
34
The Secure Shell (SSH) The Secure Shell (SSH) package is a client-server protocol similar to Telnet A client program ssh and a server program sshd SSH replaces Telnet and rlogin for better security SSH use the same encryption techniques as GPG 1. Exchange asymmetric keys to establish the identity of a user requesting a connection 2. Pass a symmetric session key securely 3. Encrypt all subsequent traffic by symmetric session key.
35
OpenSSH The OpenSSH implementation of the SSH is used on most Linux distributions OpenSSH is available to other OSs, such as UNIX, Windows, Macintosh, PalmOS, … A client program ssh & a server daemon sshd $man ssh $man sshd SSH connections use port 22 by default Make sure sshd daemon is running on the system to which you want to connect. To check the status of the sshd daemon $/etc/rc.d/init.d/sshd status Make sure no firewall is blocking traffic on port 22 between your client and server computer
36
SSH1 & SSH2 OpenSSH support two versions: SSH1 uses a public key encryption system to authenticate connections But does NOT support strong symmetric encryption of the subsequent traffic SSH2 uses a more robust authentication process supports strong encryption of all network traffic, such as AES (128-, 192-, or 256-bit), Blowfish, CAST128.
37
Different Ways to Authenticate in SSH Method 1. To rely on the r-utilites files E.g., ~/.rhosts Insecure not recommended Method 2. To use passwords authentication 1. Login a ssh server by user name and password on the server 2. $ ssh –l username server 3. Then you are prompted for the password 4. This method is much better than the rhost method or unencrypted Telnet. 5. However, it does NOT provide public key authentication of the session.
38
Use public key authentication in SSH Method 3. To use public key authentication is a more secure way to authenticate a connection in SSH Must set up key pairs for your own user account $ ssh-keygen -t rsa -b 2048 -t specify a key type (either RSA or DSA) -b specify the key size (default is 1024 bits) Your private key is stored in ~/.ssh/id_rsa and your public key is stored in ~/.ssh/id_rsa.pub Enter a passphrase to protect your ssh key pair It is optional. You may choose to press Enter to leave the key pair unprotected by a passphrase. This decision depends on who else is using your computer and how you intend to use ssh to access your account on remote systems.
39
Use public key authentication in SSH (2) Once a key pair generated on one account, you should place the public key from that account in the ~/.ssh/authorized_keys file on each system where you want to log in using ssh. This can be done through scp, FTP, email or floppy disk e.g., copy from Alice’s PC /home/alice/.ssh/id_rsa.pub to Bob’s PC /home/bob/.ssh/authorized_keys
40
OpenSSH features OpenSSH supports a number of useful features: Replace telnet and rlogin To secure connections for protocols not inherently secure E.g., the X protocol for serving remote graphical applications (The detailed steps on p505 are not required in this course.) Port forwarding: Is a routing technique that allows encryption of many other protocols over SSH connections E.g., SMTP, FTP, POP3, SWAT (The Samba Web Administration Tool)
41
Example of Port forwarding in SSH A system administrator wants to use SWAT to manage many Samba servers on a large LAN from a single system client1. However, using in SWAT in a browser, none of the traffic (including the password you must enter) is encrypted.
42
Other Tunneling Protocols The concept behind using SSH port forwarding is that you can tunnel and insecure protocol inside a secure protocol The Point-to-Point Tunneling Protocol (PPTP) is a standard for creating a virtual private network (VPN) Microsoft created PPTP PPTP uses two communication channels between a client and a server a control channel and an encrypted data channel Using stunnel section (P508 – 509) is NOT required in this course.
43
Tunneling an insecure protocol under a secure protocol
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.