COMP3123 Internet Security (PowerPoint presentation), Richard Henson, University of Worcester, November 2010


Page 1: COMP3123  Internet Security

COMP3123 Internet Security

Richard Henson
University of Worcester

November 2010

Page 2: COMP3123  Internet Security

Week 6: Securing a LAN connected to the Internet against Attack

Objectives:
• Explain what a Firewall is, why it is needed, and why users find it frustrating…
• Explain what a Proxy Service is, and why it can be a more flexible solution than a firewall
• Relate the principles of IP and TCP port filtering to the challenge posed by threats to LAN server security from the Internet

Page 3: COMP3123  Internet Security

Unsecured LAN-Internet Connection via Router

[Diagram: Internal Network connected to the Internet/external network through a router with no packet filtering]

Page 4: COMP3123  Internet Security

An Unsecured LAN-Internet Connection via Router

[Diagram: a router passing data through unchanged; both sides of the router show Layers 1 to 3 only]

Page 5: COMP3123  Internet Security

An Unsecured LAN-Internet Connection via Router

• Routers only process data up to OSI level 3, even with full user authentication on network services…
  » outgoing IP packets are untouched unless IP filtering is used
• BUT, IP filtering will slow down packet flow…
• Also… a request by a LAN client for Internet data across a router reveals the client IP address
  » this is a desired effect…
  » the “local” IP address must be recorded on the remote server
  » which picks up the required data & returns it via the router and server to the local IP address
• Problem – could be intercepted, and future data to that IP address may not be so harmless…

Page 6: COMP3123  Internet Security

An Unsecured LAN-Internet Connection via Router

• Another problem: wrath of IANA
  » IP address awarding & controlling body
  » big penalties if ANY internal LAN IP address conflicts with an existing Internet IP address they allocated…
• If local clients have direct access to the Internet and they can be allocated locally, this COULD happen
• Safeguard:
  » use DHCP (dynamic host configuration protocol)
  » allocate client IP from within a fixed range allocated to that domain by IANA

Page 7: COMP3123  Internet Security

A LAN-Internet connection via Gateway

[Diagram: Internal Network (e.g. Novell IPX/SPX) connected to the Internet/external network (e.g. TCP/IP) through a gateway performing packet conversion]

Page 8: COMP3123  Internet Security

A LAN-Internet connection via Gateway

• At a gateway, processing goes up the protocol stack:
  » to at least level 4
  » possibly right up to level 7
• Because local packets can be converted into other formats:
  » the remote network therefore does not have direct access to the local machine
  » IP packets are only recreated at the desktop
  » local client IP addresses therefore do not need to comply with IANA allocations

Page 9: COMP3123  Internet Security

Creating a “Secure Site”?

• To put it bluntly – a secure site is a LAN that provides formidable obstacles to potential hackers
  » keep a physical barrier between local server and the Internet
• Physical barrier linked through an intermediate computer called a Firewall or Proxy Server
  » may place unnecessary restrictions on access
  » security could be provided at one of the seven layers of the TCP/IP stack

Page 10: COMP3123  Internet Security

Security Architecture & Secure Sites

• This includes all aspects of security controls
  » can be imposed on internal users through group policy objects
  » external attempts to hack cannot be controlled in this way, because they are not authorised users
• What about external threats?
  » need to focus on external data and security controls to deal with it…

Page 11: COMP3123  Internet Security

The Firewall…

[Diagram: Internal Network separated from the Internet/external network by a firewall; TCP/IP traffic goes out, no data comes in]

Page 12: COMP3123  Internet Security

Using a Firewall to secure Routed Connections

• Completely separate local network data from Internet data using a physical barrier:
  » Firewall (robust but inflexible)
  » Proxy Server (flexible)
• Either solution will have a similar safeguarding effect to using a gateway:
  » client IP addresses will not interact with the Internet
  » therefore do not need to be IANA approved
  » but it makes good sense to use DHCP anyway…

Page 13: COMP3123  Internet Security

What is a Firewall?

• “A set of components that restricts access between a protected network and the Internet”
• therefore divides a potential internetwork into internal and external components:
  » Internal Network
    – under consideration from a security point of view
    – kept logically separate from the Internet
  » External Network
    – generally assumed to be the Internet, or a network that cannot be secured

Page 14: COMP3123  Internet Security

A Firewall should…

• Protect the network from:
  » TCP/IP attacks, probes and scans
  » denial of service attacks
  » malicious code such as viruses, worms and trojans
• Provide, depending upon the security policy and the type of firewall used:
  » Network Address Translation (NAT)
  » authentication or encryption services
  » web filtering
• To do this, it must be appropriately configured…

Page 15: COMP3123  Internet Security

The Screening Router

[Diagram: a screening router between the networks, with blocked services marked X]

Page 16: COMP3123  Internet Security

Screening Routers

• Every IP packet contains:
  » IP address of source
  » IP address of destination
  » source and destination TCP port(s)
  » protocol being used (e.g. FTP, SMTP, etc)
• A router simply routes the packet towards its destination address
• A screening router:
  » scrutinises whole packet headers
  » decides what to do with the packet

Page 17: COMP3123  Internet Security

The Screening Router

• Packets checked individually
  » therefore requires more processing power than a standard router
• Once a packet has been scrutinised, the screening router can take one of three actions:
  » block the packet
  » forward it to the intended destination
  » forward it to another destination
• IP addresses on the internal network can therefore be “protected” from external packets with a particular source address

Page 18: COMP3123  Internet Security

The Proxy Server

[Diagram: a client on the Internal Network sends its request to the proxy server on the firewall; the firewall with proxy service relays it to the real server]

Page 19: COMP3123  Internet Security

The Proxy Server

• A firewall that offers a client-server “proxy” service allows the firewall to act as an intermediate party between the Internet and local network services:
  » intercepts user (client) requests for services such as FTP
  » decides whether or not to forward them to the true server
• The effect is that the internal and external computers talk to the proxy service rather than directly to each other

Page 20: COMP3123  Internet Security

Proxy Service - continued

• The user on either side of the firewall is presented with an illusion that they are talking to a real server
  » in fact they are both dealing with a proxy
• So if an outside user tries to “hack” into the network server…
  » the actual internal network architecture is hidden
• A proxy server can be programmed to block certain requests, sites, actions, e.g.:
  » blocking certain WWW sites
  » preventing FTP downloads

Page 21: COMP3123  Internet Security

DMZ (Demilitarized Zone)

• Beyond the firewall but not yet through the Internet Router/Gateway…
• A router normally stops incoming Internet traffic from getting on your network
  » unless the traffic is in response to one of your computers
  » or when using port forwarding
• Alternately… incoming traffic can go to one computer on your network by establishing a "Default DMZ Server" (humorous reference to "Demilitarized Zone")
  » avoids having to figure out what ports an Internet application wants
  » all ports are open for that computer…

Page 22: COMP3123  Internet Security

Bastion Host

• Acts as a firewall, and also runs the proxy and other services
• Main or only point of contact between users of an internal network and the external network
• Must be highly secured because it is vulnerable to attack
• External logins to the Bastion Host must not be allowed, as user accounts represent an easy way to attack networks…

Page 23: COMP3123  Internet Security

Dual Homed Host

• Based on a dual homed computer (2+ interfaces)
• Does NOT allow through routing of packets
• Communication through the DHH occurs as follows:
  » via proxies
  » users login to the DHH
• However:
  » logging in of users to the DHH will create further security problems…
  » not all Internet services can be proxied, for technical reasons

Page 24: COMP3123  Internet Security

Dual Homed Host

[Diagram: the Internet connected to a dual-homed host (** Firewall **) running proxy services]

Page 25: COMP3123  Internet Security

Screened Host

• Uses a screening router
  » can block certain types of service
• Routes packets to the internal bastion only
  » may act as a proxy for services
• Disadvantage: if the internal bastion is hacked into, then other computers on the internal network can then easily be accessed

Page 26: COMP3123  Internet Security

Screened Host

[Diagram: the Internet connected through a screening router (blocked services marked X) to a bastion host running proxy services; the router and bastion host together form the firewall]

Page 27: COMP3123  Internet Security

Typical Types of External Attacks - 1

• Exhaustive
  » “brute force” attacks using all possible combinations of passwords to gain access
• Inference
  » taking educated guesses on passwords, based on information gleaned
• TOC/TOU (Time of check/use)
  1. use of a “sniffer” to capture log on data
  2. (later) using captured data & IP address in an attempt to impersonate the original user/client

Page 28: COMP3123  Internet Security

Typical Types of External Attacks - 2

• Three other types of attacks that firewalls should be configured to protect against:
  » denial of service (DOS) attacks
  » distributed denial of service (DDOS) attacks
  » IP Spoofing (pretence that the data is coming from a “safe” source IP address)

Page 29: COMP3123  Internet Security

Firewalls and TCP, UDP ports

• Remember this model?

[Diagram: TCP/IP stack with IP at the bottom, TCP and UDP above it, and TELNET, FTP, SMTP, NFS, DNS and SNMP at the application layer]

Page 30: COMP3123  Internet Security

TCP ports that may be open to attack

• TCP and UDP ports
  » both important features of TCP/IP
  » provide logical links for passing data between the transport layer and an application layer service
  » usually defined by an RFC (remember those?)
• Examples:
  » FTP: port 21
  » Telnet: port 23
  » SMTP: port 25
  » DNS: port 53
  » HTTP: port 80
  » POP3: port 110
• Problem… what if the service isn’t being used?…

Page 31: COMP3123  Internet Security

Blocking TCP ports with a Firewall

• Very many TCP and UDP ports:
  » 0 - 1023 are tightly bound to application services
  » 1024 – 49151 more loosely bound to services
  » 49152 – 65535 are private, or “dynamic”
• In practice, any port over 1023 could be assigned dynamically to a service…
• One of the more useful features of a firewall is that ports can be configured, and therefore data flow can be monitored and controlled

Page 32: COMP3123  Internet Security

Blocking TCP ports with a Firewall

• Generally, TCP ports should be:
  » EITHER open for a service (e.g. HTTP on port 80)
  » OR… blocked if no service, to stop opportunists
• But if the firewall only allows “official services” this can cause problems for legitimate users
  » e.g. if port 25 is blocked, email data cannot be sent

Page 33: COMP3123  Internet Security

Protecting Against TCP/IP Attacks, Probes and Scans

• TCP/IP protocol stack has been largely unchanged since the early 1980's:
  » more than enough time for hackers to discover their weaknesses
• Often attack through a particular TCP port

Page 34: COMP3123  Internet Security

TCP Port 21: FTP (File Transfer Protocol)

• FTP servers excellent
• BUT by their very nature they open up very big security holes
  » those that allow anonymous logins are used:
    – to launch attacks on the server itself, by connecting to the C: drive and downloading viruses or overwriting/deleting files
    – to store pirated files and programs
• Precaution:
  » configure FTP servers NOT to accept anonymous logins
  » only allow access to port 21 through the firewall to that particular server

Page 35: COMP3123  Internet Security

Making Effective use of the DMZ

• Even better alternative for port 21 security:
  » place the FTP server on a perimeter network, or "DMZ", of the firewall
• A DMZ is used to segregate inherently insecure servers that require a higher degree of network access from the rest of your network
  » an FTP server on a DMZ that has been compromised will then not be able to be used to attack the rest of the network
  » of course, if there is no FTP server, a DMZ might not be necessary…

Page 36: COMP3123  Internet Security

TCP Port 23: Telnet

• Telnet is really good for providing access to servers and other devices
  » accessing a server via Telnet is very much like being physically located at the server console
• Protecting against Telnet is simple:
  » block ALL access to port 23 from the outside
  » block perimeter networks to the inside
• Protecting internal servers from attack from the inside:
  » configure them to accept telnet connections from very few sources
  » block port 23 completely…

Page 37: COMP3123  Internet Security

TCP Port 25: SMTP

• Email programs large, complex, accessible…
  » therefore an easy target…
• Buffer overrun:
  » attacker enters more characters – perhaps including executable code – into an email field (e.g. To: ) than is expected by an email server
    – error could be generated
    – hackers could gain access to the server and the network
• SPAM attack:
  » protocol design allows a message to go directly from the originator's email server to the recipient's email server
  » can ALSO be relayed by one or more mail servers in the middle
  » BUT… this is routinely abused by spammers
    – forward message to thousands of unwilling recipients

Page 38: COMP3123  Internet Security

Port 25 SMTP: solution…

• Buffer Overrun:
  » Solution: put server on a perimeter network
• Spam Attack:
  » Solution: DISABLE the relaying facility…
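What "disabling relaying" means per recipient, as an added example (not code from the lecture): the server accepts mail addressed to its own domains, accepts mail for foreign domains only from its own internal clients, and refuses everything else; the domain, client network and addresses below are constructed.

```python
import ipaddress

# Constructed example configuration (not from the slides): the domains this
# mail server is responsible for, and the internal client network whose users
# may submit outbound mail through it.
LOCAL_DOMAINS = {"example.ac.uk"}
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")


def should_accept(client_ip: str, recipient: str,
                  relaying_enabled: bool = False) -> bool:
    """Decide whether the server accepts a message for one recipient.

    Mail for a local domain is always accepted (that is what the server is
    for). Mail for a foreign domain is accepted only from internal clients:
    the server is a submission point for its own users, not a relay for the
    Internet. relaying_enabled=True models the abused configuration the
    slide says to disable, where anyone may relay to anyone.
    """
    _local_part, at_sign, domain = recipient.rpartition("@")
    if not at_sign or not domain:
        return False                      # malformed recipient: never accept
    if domain.lower() in LOCAL_DOMAINS:
        return True                       # inbound mail for our own mailboxes
    if relaying_enabled:
        return True                       # open relay: forwards for anyone
    return ipaddress.ip_address(client_ip) in INTERNAL_NET


def rejected_relay_attempts(transactions, relaying_enabled=False):
    """Return the (client_ip, recipient) pairs the server refuses."""
    return [(ip, rcpt) for ip, rcpt in transactions
            if not should_accept(ip, rcpt, relaying_enabled)]


# Constructed sample transactions: an internal user sending outbound mail,
# inbound mail for a local mailbox, and an outside host trying to relay.
SAMPLE = [
    ("192.168.1.25", "friend@other.example"),      # internal user -> outside
    ("203.0.113.7", "staff@example.ac.uk"),        # inbound mail for us
    ("203.0.113.7", "victim@elsewhere.example"),   # outside -> outside: relay
]

if __name__ == "__main__":
    for ip, rcpt in SAMPLE:
        verdict = "accept" if should_accept(ip, rcpt) else "reject"
        print(f"{ip:>14} -> {rcpt:<28} {verdict}")
```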

Page 39: COMP3123  Internet Security

TCP and UDP Port 53: DNS (Domain Name Service)

• One of the core protocols of the Internet
  » without it, domain name to IP address translation would not exist
• PROBLEMS: If a site hosts DNS, attackers will try to:
  » modify DNS entries
  » download a copy of your DNS records (a process called zone transfer)

Page 40: COMP3123  Internet Security

Port 53 DNS: Solution…

• Solution:
  » configure firewall to accept connections from the outside to TCP port 53 only from your secondary DNS server
    – the one downstream from you, e.g. your ISP
  » consider creating two DNS servers: one on your perimeter network, the other on the internal network:
    – perimeter DNS will answer queries from the outside
    – internal DNS will respond to all internal lookups
    – configure a Stateful inspection firewall to allow replies to internal DNS server, but deny connections being initiated from it
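The stateful-inspection rule for the internal DNS server, as an added example (not code from the lecture): an outbound query creates a state entry, the matching reply is let in against that entry, and anything else arriving for the internal server is denied; the server addresses and the packet trace are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed addresses (not from the slides): the internal DNS server and the
# perimeter resolver it sends its outside lookups to.
INTERNAL_DNS = "192.168.1.53"
PERIMETER_DNS = "192.0.2.53"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"
    direction: str = "in"   # "out": internal -> external, "in": external -> internal


# A flow is identified by (proto, src, sport, dst, dport).
Flow = Tuple[str, str, int, str, int]


class StatefulDnsFilter:
    """Allow replies to queries the internal DNS server sent; deny everything
    else that arrives for it from outside, i.e. connections nobody asked for."""

    def __init__(self, internal_dns: str = INTERNAL_DNS):
        self.internal_dns = internal_dns
        self.state: Dict[Flow, int] = {}   # outstanding queries -> count

    @staticmethod
    def _flow(p: Packet) -> Flow:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet) -> Flow:
        # The flow an inbound packet would be a reply to.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def decide(self, p: Packet) -> str:
        if p.direction == "out" and p.src == self.internal_dns and p.dport == 53:
            # Record the outbound query so exactly one matching reply gets in.
            key = self._flow(p)
            self.state[key] = self.state.get(key, 0) + 1
            return "ALLOW"
        if p.direction == "in" and p.dst == self.internal_dns:
            key = self._reverse(p)
            if self.state.get(key, 0) > 0:
                self.state[key] -= 1          # consume the state entry
                if self.state[key] == 0:
                    del self.state[key]
                return "ALLOW"
            return "DENY"                     # unsolicited: no query outstanding
        # Other traffic is outside this filter's remit: let outbound pass,
        # block inbound by default.
        return "ALLOW" if p.direction == "out" else "DENY"


def run_trace(packets: List[Packet]) -> List[str]:
    """Evaluate a packet sequence against a fresh filter, in order."""
    f = StatefulDnsFilter()
    return [f.decide(p) for p in packets]


# Constructed trace: a query out, the matching reply in, the same reply
# replayed, and an unsolicited TCP connection attempt to the internal server.
TRACE = [
    Packet(INTERNAL_DNS, 40123, PERIMETER_DNS, 53, direction="out"),
    Packet(PERIMETER_DNS, 53, INTERNAL_DNS, 40123, direction="in"),
    Packet(PERIMETER_DNS, 53, INTERNAL_DNS, 40123, direction="in"),
    Packet("203.0.113.9", 41000, INTERNAL_DNS, 53, proto="tcp", direction="in"),
]

if __name__ == "__main__":
    for pkt, verdict in zip(TRACE, run_trace(TRACE)):
        print(f"{pkt.direction:>3} {pkt.src}:{pkt.sport} -> "
              f"{pkt.dst}:{pkt.dport} ({pkt.proto}) {verdict}")
```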

Page 41: COMP3123  Internet Security

TCP Port 79: Finger

• A service that enumerates all the services you have available on your network servers:
  » invaluable tool in probing or scanning a network prior to an attack!
• To deny all this information about network services to would-be attackers, just block port 79…

Page 42: COMP3123  Internet Security

TCP Ports 109-110: POP (Post Office Protocol)

• POP easy-to-use…
  » but sadly it has a number of insecurities
• The most insecure version is POP3, which runs on port 110
  » if the email server requires POP3, block all access to port 110 except to that server
  » if POP3 not used, block port 110 entirely…

Page 43: COMP3123  Internet Security

TCP Ports 135 and 137: NetBIOS

• The Microsoft Windows protocol used for file and print sharing
  » last thing you probably want is for users on the Internet to connect to your servers' files and printers!
• Block NetBIOS. Period!

Page 44: COMP3123  Internet Security

UDP Port 161: SNMP

• SNMP is important for remote management of network devices:
  » but also it poses inherent security risks
  » stores configuration and performance parameters in a database that is then accessible via the network…
• If network is open to the Internet, hackers can gain a large amount of very valuable information about the network…
• So… if SNMP is used:
  » allow access to port 161 from internal network only
  » otherwise, block it entirely
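The screening router's three actions (slide 17) applied to the per-port recommendations of slides 34 to 44, as an added example (not code from the lecture): an ordered, first-match inbound rule list with a default of block, so a port with no service behind it stays closed. The server addresses, the DMZ web server and the rule names are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed example addressing (not from the slides): the servers the
# lecture's rules refer to, a web server in the DMZ, and the ISP's secondary DNS.
FTP_SERVER = "192.168.1.21"
MAIL_SERVER = "192.168.1.110"
PERIMETER_DNS = "192.0.2.53"
SECONDARY_DNS = "198.51.100.53"
DMZ_WEB_SERVER = "192.0.2.80"


@dataclass(frozen=True)
class Packet:
    """The header fields a screening router scrutinises (slide 16)."""
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                         # "BLOCK", "FORWARD" or "REDIRECT"
    proto: Optional[str] = None         # None matches any protocol
    dport: Optional[int] = None         # None matches any port
    src_host: Optional[str] = None      # None matches any source
    dst_host: Optional[str] = None      # None matches any destination
    redirect_to: Optional[str] = None   # new destination for REDIRECT

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport)
                and (self.src_host is None or p.src == self.src_host)
                and (self.dst_host is None or p.dst == self.dst_host))


# Inbound (Internet -> site) policy; first match wins.
INBOUND_RULES: List[Rule] = [
    Rule("ftp only to the FTP server", "FORWARD", "tcp", 21, dst_host=FTP_SERVER),
    Rule("no other ftp", "BLOCK", "tcp", 21),
    Rule("no telnet from outside", "BLOCK", "tcp", 23),
    Rule("smtp to the mail server", "FORWARD", "tcp", 25, dst_host=MAIL_SERVER),
    Rule("zone transfer only from the secondary", "FORWARD", "tcp", 53,
         src_host=SECONDARY_DNS, dst_host=PERIMETER_DNS),
    Rule("no other tcp/53", "BLOCK", "tcp", 53),
    Rule("perimeter DNS answers outside queries", "FORWARD", "udp", 53,
         dst_host=PERIMETER_DNS),
    Rule("no finger", "BLOCK", "tcp", 79),
    Rule("web traffic goes to the DMZ server", "REDIRECT", "tcp", 80,
         redirect_to=DMZ_WEB_SERVER),
    Rule("pop3 only to the mail server", "FORWARD", "tcp", 110, dst_host=MAIL_SERVER),
    Rule("no other pop3", "BLOCK", "tcp", 110),
    Rule("no netbios", "BLOCK", "tcp", 135),
    Rule("no netbios", "BLOCK", "tcp", 137),
    Rule("snmp from the inside only", "BLOCK", "udp", 161),
]


def screen(p: Packet, rules: List[Rule] = INBOUND_RULES) -> str:
    """Return 'BLOCK', 'FORWARD' or 'REDIRECT->host' for one packet header.
    A packet no rule mentions is blocked (slide 32: blocked if no service)."""
    for rule in rules:
        if rule.matches(p):
            if rule.action == "REDIRECT":
                return f"REDIRECT->{rule.redirect_to}"
            return rule.action
    return "BLOCK"


def screen_all(packets: List[Packet]) -> List[str]:
    return [screen(p) for p in packets]


# Constructed sample of inbound packets from one outside host.
SAMPLE = [
    Packet("203.0.113.5", FTP_SERVER, "tcp", 21),
    Packet("203.0.113.5", "192.168.1.30", "tcp", 21),
    Packet("203.0.113.5", "192.168.1.30", "tcp", 23),
    Packet(SECONDARY_DNS, PERIMETER_DNS, "tcp", 53),
    Packet("203.0.113.5", PERIMETER_DNS, "tcp", 53),
    Packet("203.0.113.5", "192.168.1.30", "tcp", 80),
    Packet("203.0.113.5", "192.168.1.30", "udp", 161),
    Packet("203.0.113.5", "192.168.1.30", "tcp", 8080),
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, screen_all(SAMPLE)):
        print(f"{pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport}: {verdict}")
```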

Page 45: COMP3123  Internet Security

Denial of Service (DoS) Attacks

• An attempt to harm a network by flooding it with traffic so that network devices are overwhelmed and unable to provide services.
• One of the primary DOS attacks uses Ping, an ICMP (Internet Control Message Protocol) service:
  » sends a brief request to a remote computer asking it to echo back its IP address

Page 46: COMP3123  Internet Security

“Ping” Attacks

• Dubbed the "Ping of Death"
• Two forms:
  » the attacker deliberately creates a very large ping packet and then transmits it to a victim
    – ICMP can't deal with large packets
    – the receiving computer is unable to accept delivery and crashes or hangs
  » an attacker will send thousands of ping requests to a victim so that its processor time is taken up answering ping requests, preventing the processor from responding to other, legitimate requests
• Protection:
  » block ICMP echo requests and replies
  » ensure there is a rule blocking "outgoing time exceeded" & "unreachable" messages

Page 47: COMP3123  Internet Security

Distributed Denial of Service Attacks/IP Spoofing

• Related:
  » A DDOS attack has occurred when attackers gain access to a wide number of PCs and then use them to launch a coordinated attack against a victim
    – often rely on home computers, since they are less frequently protected (they can also use worms and viruses)
  » If IP spoofing is used, attackers can gain access to a PC within a protected network by obtaining its IP address and then using it in packet headers

Page 48: COMP3123  Internet Security

Protection against DDOS & IP Spoofing

• Block traffic coming into the network that contains IP addresses from the internal network…
• In addition, block the following private IP, illegal and unroutable addresses:
  » Illegal/unroutable:
    – 255.255.255.255, 27.0.0.0, 240.0.0.0, & 0.0.0.0
  » “Private” addresses useful for NAT, or Proxy Servers (RFC 1918):
    – 10.0.0.0-10.255.255.255
    – 172.16.0.0-172.31.255.255
    – 192.168.0.0-192.168.255.255
• Finally, keep anti-virus software up-to-date, & firewall software patched and up-to-date
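The anti-spoofing ingress check from this slide, as an added example (not code from the lecture): inbound packets whose source claims to be the site's own network are dropped first, then anything from the RFC 1918 ranges or reserved space. The site's own prefix is a constructed value; the reserved entries are expressed as the prefixes 0.0.0.0/8 and 240.0.0.0/4 (the latter includes 255.255.255.255), and the slide's 27.0.0.0 entry is left to the operator's own list.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed example value (not from the slides): the site's own address block.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# RFC 1918 private ranges as listed on the slide, plus reserved/unroutable space
# as prefixes: 0.0.0.0/8 covers 0.0.0.0 and 240.0.0.0/4 covers 240.0.0.0 up to
# and including the broadcast address 255.255.255.255.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/8", "240.0.0.0/4",
)]


def classify_source(src: str) -> str:
    """Label the source address of a packet arriving from the Internet side.

    'spoofed-internal': claims to be one of our own hosts, yet arrived from
                        outside (the slide's first rule)
    'bogon'           : private or unroutable, never legitimately seen inbound
    'ok'              : a routable public address, passed on to port filtering
    """
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in INTERNAL_NETS):
        return "spoofed-internal"
    if any(addr in net for net in BOGON_NETS):
        return "bogon"
    return "ok"


def ingress_filter(sources: Iterable[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split inbound source addresses into those accepted and (address, reason)
    pairs the firewall drops, in arrival order."""
    accepted: List[str] = []
    dropped: List[Tuple[str, str]] = []
    for src in sources:
        label = classify_source(src)
        if label == "ok":
            accepted.append(src)
        else:
            dropped.append((src, label))
    return accepted, dropped


# Constructed sample of source addresses seen on the outside interface.
SAMPLE_SOURCES = [
    "203.0.113.7",       # ordinary Internet host
    "192.168.1.40",      # our own LAN, but arriving from outside: spoofed
    "10.3.4.5",          # RFC 1918, should never cross the Internet
    "172.20.0.9",        # RFC 1918
    "0.0.0.0",           # from the slide's illegal list
    "255.255.255.255",   # broadcast, from the slide's illegal list
    "198.51.100.2",      # ordinary Internet host
]

if __name__ == "__main__":
    ok, bad = ingress_filter(SAMPLE_SOURCES)
    print("passed to port filtering:", ", ".join(ok))
    for src, reason in bad:
        print(f"dropped {src:<16} {reason}")
```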