Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. August 13, 2015

Transcription

1 Network Security Dr. Ihsan Ullah Department of Computer Science & IT University of Balochistan, Quetta Pakistan August 13, / 30

2 Firewall A network security system that monitors and controls the incoming and outgoing network traffic based on predetermined s. ecurity rules [Wikipedia] Can be implemented in both hardware and software A firewall security policy dictates which traffic is authorized to pass in each direction May be designed to operate as a filter at the level of IP packets, or may operate at a higher protocol layer 2 / 30

3 Firewall basic operations Pass/deny decision Firewall examines each packet passing through it. If the packet is a provable attack packet, the firewall drops the packet If the packet is not a provable attack packet, the firewall passes the packet on to its destination Usually maintains log file about each dropped packet 3 / 30

4 Traffic overload If a firewall cannot filter all of the traffic passing through it, it drops packets it cannot process Secure because it prevents attack packets from getting through But it creates a self-inflicted denial-of-service attack by dropping legitimate traffic 4 / 30

5 Firewall capacity Firewalls must have the capacity to handle the incoming traffic volume Some can handle normal traffic but cannot handle traffic during heavy attacks They must be able to handle incoming traffic at wire speed the maximum speed of data coming into each port 5 / 30

6 Firewall Filtering mechanisms 1 Static packet filtering 2 Stateful packet inspection filtering 3 Network address translation 4 Application proxy filtering 5 Intrusion prevention system filtering 6 Antivirus filtering 6 / 30

7 Static packet filtering Looking packets one at a time: Static packet filtering looks at packets one at a time, in isolation A serious limitation because many attacks can only be stopped by understanding a packet s place in a stream of packets For example, TCP SYN segment and TCP SYN/ACK segment are legitimate packets exchanged between two hosts to establish a TCP connection But, TCP SYN/ACK segment alone can be an attack packet which cannot be proved by a static firewall In case of attack the target host will respond with RST segment exposing its existence 7 / 30

8 Static packet filtering Looking only at some fields in the Internet and Transport headers static packet filter firewalls only look at the internet and transport layer headers Moreover, they only look at some fields in these headers Cannot stop all attacks, including attacks that require the filtering of application messages or the filtering of header fields that static packet filtering does not examine 8 / 30

9 Usefulness of static packet filtering Incoming ICMP echo packets and other scanning probe packets Outgoing responses to scanning probe packets Packets with spoofed IP addresses (e.g., incoming packets with the source IP addresses of hosts inside the firm) Packets that have nonsensical field settings,such as a TCP segment with both the SYN and FIN bits set 9 / 30

10 Usefulness of static packet filtering Incoming ICMP echo packets and other scanning probe packets Outgoing responses to scanning probe packets Packets with spoofed IP addresses (e.g., incoming packets with the source IP addresses of hosts inside the firm) Packets that have nonsensical field settings,such as a TCP segment with both the SYN and FIN bits set 10 / 30

11 Perspective of static packet filtering No longer used as the main filtering mechanism for border firewalls May be used as a secondary filtering mechanism on main border firewalls Also may be implemented in border routers, which lie between the Internet and the firewall. It stops simple, high-volume attacks to reduce the load on the main border firewall 11 / 30

12 Stateful packet inspection Nearly all corporate border firewalls today use the stateful packet inspection (SPI) filtering method Focuses on connections, which are persistent conversations between different programs on different computers 12 / 30

13 Stateful packet inspection Stateful packet inspection for a packet not attempting to open a connection 13 / 30

14 Packets That Do Attempt to Open a Connection By default, SPI firewalls permit all attempts to open a connection from an internal host to an external host By default, the SPI firewall stops all external hosts from opening connections to internal hosts To specify exceptions to default rules, SPI firewalls have access control lists Access control lists (ACLs) consist of a series of rules that are exceptions to the default behavior The rules are executed in order, beginning with the first If a rule DOES NOT apply to the connection-opening attempt, the firewall goes to the next ACL rule If the rule DOES apply, the firewall follows the rule 14 / 30

15 Network Address Translation (NAT) Does not actually filter packets but effectively provides a great deal of protection Used as secondary type of protection to guard against sniffing and probing Attackers can place sniffers outside of corporate networks As packets from these corporate networks pass through the sniffer, the sniffer captures them and notes source IP addresses and port numbers 15 / 30

16 NAT operations 16 / 30

17 NAT operations An internal client (IP: , port:3333) sends a packet to an external server The NAT firewall intercepts all outgoing traffic and replaces source IP addresses ( ) and source port numbers (3333) with external IP addresses ( ) and port numbers (4444) Sends the packet to the external server NAT firewall places the internal socket and the external socket in the translation table The server replies to destination socket :4444 The NAT firewall receives the packet, looks into the translation table, translates destination socekt and forwards the packet to the internal host 17 / 30

18 Protection through NAT firewall The sniffer cannot learn internal IP addresses or port numbers Network scanning probes are automatically rejected because the IP addresses and port numbers will not be in the translation table 18 / 30

19 NAT traversal Certain protocols have problems with NAT: VoIP, IPsec VoIP creates a new port number for a conversation after an administrative connection is made IPsec requires true internal IP addresses NAT traversal methods 19 / 30

20 Application proxy firewalls and content filtering Inspects application content in all traffic between clients and servers Considering an HTTP interaction, an HTTP proxy program on the application proxy firewall does the filtering The HTTP proxy program establishes HTTP connections to both the client and the webserver To the client, the proxy program acts like a webserver To the webserver, the HTTP proxy program acts like a browser client On receiving packets, the firewall retrieves the message and inspects the content Passes the message on if no problem found 20 / 30

21 Application proxy firewalls and content filtering 21 / 30

22 Processing load Maintaining two connections for each client/server pair is highly processing-intensive. Can only handle a limited number of client/server pairs Cannot handle the heavy traffic load, not suitable to be used as main border firewalls For most applications, there are no specific patterns that can be filtered Most application proxy firewalls, support either HTTP or SMTP 22 / 30

23 Roles of application proxy firewalls To protect internal clients from malicious external servers To protect an internal server from external clients 23 / 30

24 Application proxy firewalls: client protections To protect clients, an HTTP application proxy firewall can perform: URL checking against black-listed URLs (phishing sites, pornography sites, or recreational sites) Scripts inspection in downloaded webpages MIME type checking in an HTTP response message to allow/drop downloaded files according to policy 24 / 30

25 Application proxy firewalls: Server protections To protect servers, an HTTP application proxy firewall: Can inspect the method in the URL header. The POST might be disallowed by policy to prevent clients from uploading malware, pornography,... Can filter out HTTP request messages that appear to contain SQL injection attacks 25 / 30

26 Application proxy firewalls: other protections Internal IP address hiding: Like NAT, application proxy firewalls hide the IP addresses of internal hosts Header destruction: Discards network and transport layer headers to inspect the message and recreate them before passing to host Protocol fidelity: Use of well-known allowed port (HTTP port 80) for a blocked service is denied since the firewall can differentiate HTTP interaction from others 26 / 30

27 Intrusion Prevention Systems (IPSs) Grew out of an earlier technology called Intrusion Detection Systems (IDSs) IDSs examine streams of packets to look for suspicious activities that indicate possible attacks If an IDS detects an apparently serious attack, it may send an alarm message to admin If the attack does not seem too serious, the IDS will merely log it Deep Packet Inspection: looks at all fields in the packet (IP, TCP, UDP headers), and application message Packet Stream Analysis: a stream of ICMP echo messages trying different IP addresses (systematic scan) 27 / 30

28 Intrusion Prevention Systems (IPSs) IPSs use IDS filtering methods for attack detection IPSs actually stop some kinds of attacks instead of merely identifying them and generating alarms Application-specific integrated circuits (ASICs) can do filtering in hardware Hardware filtering is much faster than software filtering, allowing IPSs to be used even when traffic volume is high 28 / 30

29 IPS actions Dropping packets: In many cases, the IPS will drop attack packets, acting like a traditional firewall Limiting traffic: limits suspicious traffic to a certain percentage of the total bandwidth. The undesirable traffic (P2P) will not result in an overloaded network 29 / 30

30 Antivirus Filtering Firewalls normally do not do antivirus filtering Firewalls can closely work with antivirus filtering servers All major firewall vendors have protocols for working with antivirus servers Firewall makes decision to pass the object to antivirus server Antivirus server inspects the object, if it does not drop it then passes it to the receiver or back to the firewall for onward transmission 30 / 30