ECE 578 Term Paper Network Security through IP packet Filtering

Transcription

1 ECE 578 Term Paper Network Security through IP packet Filtering Cheedu Venugopal Reddy Dept of Electrical Eng and Comp science Oregon State University Bin Cao Dept of electrical Eng and Comp science Oregon State University 1. Introduction The increase in the Internet use in the last decade has been phenomenal; it has become an important medium for communication, business transactions and a lot other applications. The rapid increase in internet has connected millions of computers world wide, in order to communicate with the external world companies need to connect to the internet. The private networks of individual organizations known as Intranet which is a private network have to be connected to the public network i.e. Internet. The individual networks of the organizations need to be protected from public access in order to provide security to their private data. Thus network security is an important issue to be dealt with. Lot of techniques has been proposed to reduce the risks and enhance the security of networks. 2. Techniques for implementing Secure Internet Gateways The most common techniques that are used for implementing Secure Internet Gateways are Packet filtering and application layer gateway which provides proxy access to the internet. Another technique uses packet filtering gateway along with an authentication server. In this paper Packet filtering has been thoroughly discussed. 3. Packet filtering 3.1 Over View of packet filtering Data is divided into fixed length parts known as packets. All the data flowing through the network must be of the type packet. Packets contain lot of information regarding source, destination, protocol used and lot of other useful information. The Packet header information can be used by the router to provide the system administrators ability to manage the data and the network connections between systems. The parameters used to implement the access control mechanisms may be the host address, network number interface direction, protocol and the port number. The basic principle in all the implementations is to parse the packet header and then determine whether the packet is to be routed or dropped, the decision is made by applying some basic rules.

2 3.2 How packet filtering Works Packet filtering involves parsing the header information of the packets and making decision whether to drop or route the packet. The decision can be based on several parameters as mentioned earlier. Apart from the information in the packet header, some Packet filtering implementations allow the administrator to specify the rules that are to be followed in making the decision. The rules specified by the administrator can be based on either inbound or outbound packets. Ability to specify the rules based on both inbound and outbound packets will give the administrator significant control over the appearance of the router in the filtering scheme and will help filtering on routers consisting of more than two interfaces. Attackers from the outside world can fake the internal source addresses and can claim to be from internal host, to make sure this does not happen the administrator should have knowledge of the source from where the packets are coming, by knowing the interface from where the packet came we can drop all the packets which fake the internal source addresses.

3 3.3 Strategies of packet filtering The main advantages of packet filtering are being able to reduce the unwanted packet traffic and to protect from malicious and unwanted use of network sources. Several strategies can be used to implement packet filtering. Some of them as following: Routing Table Solutions In this scheme the decision to route or drop the packet is based on the routing table lookup. The routing table entries decide to which destinations packets may be routed to and to which they are not supposed to. This Solution is helpful when static routes are used. Routing Protocols like RIP are used but these are not secure. Routers can choose from which sources they want to accept the RIP information, this is helpful in preventing incorrect information that was provided accidentally. Input and Output Filtering In this scheme filtering is done on the external interface of a network in both input and output directions. By doing this the network security is achieved without slowing down the internal routing in the network. Source Address Filtering In this scheme the internal network connections will have one authentication scheme and the connections to the outside network will have another. Internal connections constitute the connections with in the organizations

4 internal address space. If a filter is applied to the external interface that rejects the packets which claim to be from inside but actually are from the outside connection i.e. the source and destination addresses are in the internal address space but the packet arrives from outside the network. Protocol Port Filtering In this scheme the destination port is examined to decide which set of destination ports can be accessed from the external network by applying a filter restricting the services that can be accessed from the external network. For example any of the TCP services like SMTP, nntp, ftp-data, ftp, finger, telnet, login and shell can be denied access to the external networks. Advanced Filtering Strategies Some Other strategies followed by commercial vendors like Novell in its Border Manager 3.7 are Static Packet Filtering and Advanced features like TCP ACK bit filtering, Dynamic Packet filtering, and Fragmented packet filtering. Static Packet Filtering In Static Packet filtering each packet that crosses the border between the internal networks i.e. intranet and the external network i.e. internet is examined. The static packet filter examines the header information of each packet to identify the parameters such as Protocol ID, Source and destinations IP addresses and Port numbers, router interface for the incoming and outgoing packets. These parameters are examined and then the decision of forwarding or dropping the packet is done following the fixed set of inbound and outbound rules. TCP ACK bit filtering In TCP ACK bit filtering only the packets with the TCP ACK bit set are allowed into the network. TCP ACK filtering prevents all the external hosts from initiating TCP connections to internal hosts without authentication. Dynamic Packet filtering In Dynamic packet filtering also known as stateful packet filtering keeps track of the outgoing packets which it has allowed passing and allows only those corresponding packets to return. A return filter is dynamically created to allow the

5 response packet when ever a packet is transmitted to the public network.this scheme supports both connection less and connection oriented protocols. Fragmented packet filtering Packets are divided in to small chunk called fragments, the first fragment has the complete header information, previously only the first packet was dropped assuming that the following packets cannot be reassembled without the header information, but these subsequent packets can be used to flood the network consuming the bandwidth to avoid this the filtering discards the first packet as well as all the subsequent packets if they have the same source and destination addresses and interfaces. 3.4 Packet filtering Specifications Usually the packet filtering rules are specified as tables consisting of the actions and the conditions that should be applied in a particular order in deciding to drop or forward a packet. If a packet satisfies the conditions specified then the action required for that condition is taken. Some filtering applications also specify whether to notify the sender if the packet is dropped or to log the packet and the action that is taken on it in their rules. Different methods of application of rules can be followed.some filtering applications follow all the rules sequentially some apply rules based on the source and destination without following any order and so on. 3.5 Packet filtering example [1] Let us assume that a network administrator of a company with Class B network decides to prevent access to his network from the internet in general /16. The administrator has a special subnet in his network ( /24) that is used in a collaborative project with a local university which has class B network ; he wishes to permit access to the special subnet ( /24) from all subnets of the university ( /16). Finally, he wishes to deny access (except to the subnet that is open to the whole university) from a specific subnet ( /24) at the university, because the subnet is known to be insecure and a haven for crackers. For simplicity, we will consider only packets flowing from the university to the corporation; symmetric rules (reversing the SrcAddr and DstAddr in each of the rules below) would need to be added to deal with packets from the corporation to the university. Rule C is the "default" rule, which specifies what happens if none of the other rules apply.

6 Rule SrcAddr DstAddr Action A / /24 permit B / /16 deny C / /0 deny 4. Risks involved in Packet Filtering 4.1 Complex of packet filtering specifications Setting up filters correctly using low level specifications is a very difficult task, sometimes some rules turn out to be superfluous and unnecessary and result in denying the entry of genuine packets. The order of the rules plays an important role in correctly specifying the filter. The difficult the rules are to understand less the likelihood that the rules will be correct. The filtering capabilities of a router depend upon the way the rules are specified and the order in which they are to be applied. Filtering implementations require the rules specified by the administrator to be simple and easy for the router to parse and apply, but make them very difficult for the administrator to comprehend and consider. 4.2 Dependence on accurate IP source addresses The decisions made by most of the filtering applications require the IP source addresses to be accurate.but the IP addresses can be easily faked, thus in this case being able to filter the inbound packets comes handy as we can prevent packets which fake internal addresses but are actually coming from an external network. By implementing the inbound filters on external interfaces the filtering specifications for the internal interfaces can be made simple and secure. 4.3 Risks in IP source Routing IP source routing is also a potential risk. In IP source routing the routing information is specified in the packet it self and does not give the routers the authority to make the decision by themselves. The attacker can use this to his advantage and can attack the networks. Thus it s not a good idea to allow packets with IP source route instructions until and unless there is specific requirement to do so. The decision to disable or enable and how to disable are done by the vendors and differ from one vendor to another. 4.4 IP Fragmentation Perils

7 IP fragmentation introduces complications in packet filtering. An IP packet can be divided into small chunks called fragments at any of the router and then reassembled at another router into the original packet. The problem with fragmentation is that only the first packet has the information about the protocol used and other necessary information that may be used for making the decision of dropping or forwarding the packet. Most of the filtering applications just drop the first packet and some of them drop the first as well as all the subsequent fragments. Dropping just the first fragment and allowing the rest of the fragments is not a good practice as they may contain some important or confidential data and also the attackers can use this packets to choke the network. 5. Design Issues We always desire more flexibility and efficiency although its use is primarily influenced. The following are some necessary considerations to make packet filtering firewall robust and flexible. Resource limitations: Memory requirement and the time taken to classify the packet should be balanced. Number of rules to be supported: Arbitrary limits on number of rules can not be presented. Number of fields (dimensions) used: The user can specify any number of header fields for the purpose of packet classification. If not, it will reduce the flexibility. Nature of rules: All types of matches (exact, mask-based, and range-based matches) will be allowed by the rules. Protocol independence: If so, filtering will be support by different protocols and at different levels. General and sufficiently specification language: If so, it can specify various types of filters. Efficient update: In the processing of packets, the addition and removal of rules should be with minimum disruption. Auditing: The packet filter should be able to keep a log of all access attempts.

8 Rules prioritization: Imposing arbitrary priorities on those rules, so that only one rule will be finally applicable. Matching arbitrary field: Arbitrary fields, including that from link layer, network layer, and transport layer, even application layer headers might be interested. Maintainability: Highly desired feature is if there are easy and visual ways to specify the rules and if it can visually show the semantics and relationships of the rules in the access list. Fragmentation and scalability are also desired features. But not all existing packet filters meet all of the requirements. Some packet filters might focus more important or are not difficult to implement while other aspects they just ignore. 6. Classification Algorithms Classification Algorithms matching a packet is the highest priority rule. An algorithm is suitable to a packet filter depending on many factors some of the most popular packet classification algorithms are listed below with short descriptions: Sequential matching: It is simplicity and efficient use of memory, but because of the linearly time to perform classification, it has poor scaling properties. Hardware algorithms using ternary CAMs: Paralleling comparison makes it more attractive than the linear search algorithm. Grid of tries: The trie data structure is extended to two fields. If there are only two fields, this provides a good solution. However, it does not extend very well for more than two fields. Crossproducting: Another more general solution can handle more than two fields. It generally uses 1.5 MB of memory for 50 rules, a form of caching technique may be used for more rules. Bit-parallelism in hardware: An optimized scheme for hardware implementation, which employs bit-level parallelism to match multiple fields concurrently.

9 RFC classification: A multi-stage algorithm, called RFC (recursive flow classification) can be used to classify 30 million packets per second in pipelined hardware, or one million packets per second in software. 7. Problems with Current Packet Filtering Implementations Packet filtering can be as a tool to improve total network security. An increasing number of IP routers offer this possibility. Packet filtering can be a very secure and useful tool if administrators properly use it. Currently, a number of difficulties arise in the design and implementation in order to make packet filtering firewall secure and efficient.. Some of the problems that need to be addressed are listed below: Wrongly classify: A packet filter may wrongly classify a packet when the source IP address be spoofed. Filtering based on source port faces similar problem, such as the source machine might be running an unsuspected client or server on that port. Variable header length: The options field makes the IP packet header length variable. So, locating the higher level protocol information can be difficult, such as TCP/UDP headers, when using simple offset-based pattern matching techniques. Fragment packet : When a packet is fragmented, some packet filters just drop the first fragment, assuming that the other fragments will be useless to the receiver. However, risks arise here, hackers may find ways to fool the system. However, it can significantly make the packet filtering process complicate. Predefined header fields: This has severe impact on flexibility. Unless the administrator can specify precisely which header fields are to be used in decision making, the desired security policy can not be effectively implemented. For instance, one may wish to block packets with TCP SYN flag set, but the packet filter may not allow this field to be used for filter specification. 8. Possible Solutions for Current Packet Filtering Problems Improve syntax of filter specification Make all relevant header fields as filtering criteria available Allow outbound filters also inbound filters Make developing, testing, and monitoring filters tools available Simplify specification of common filters

10 9. Discussions The idea of packet filtering, in general, was first talked in [Mogul et al., 1987] and later expanded by others [McCanne & Jacobson, 1993,]. Multiple header fields make fast and effective classification of packets be a challenging problem. There are mainly two ways to implement filtering system: one is interpreter-based which interpret the instructions with a set of instructions (compiled from the rule specification) and an interpreter engine. Another one is pattern-based which does not require an interpreter engine and use some comparison mechanism match a pattern. It is also possible to use both of those approaches together to achieve a balance between convenience and efficiency. 10. Conclusions The concepts filtering and classification are generally referenced together. According to specified filter rules, Filtering requires the ability to classify packets. The rules can be viewed as logical functions on the packet header fields. Classification of packets also arises in other areas of computing, such as routing, policy based routing, differentiated Quality of Service, traffic billing, etc. [Gupta & McKeon, 1999]. However, not all of them use classification based on multiple fields in the packet header. Packet filtering is currently Packet filtering is a very useful technique for computer security. Some simple improvements to filter specification mechanisms could greatly make the lives of network administrators simplify and increase their confidence. When combined with other techniques, a very secure system can be developed 11. References 1. Network (In) Security through IP Packet Filtering D. Brent Chapman (great circle associates) Published in proceedings of the Third USENIX UNIX security symposium, Baltimore, MD; September, Novell Border Manager 3.7 Documentation m37/over/data/ae70ppq.html 3. [Corbridge et al., 1991] Corbridge, B., Henig, R., & Slater, C. (1991). Packet

11 filtering in an IP router. In Proceedings of the fifth Large Installation Systems Administration Conference, San Diego, California, USA. 4. [McCanne & Jacobson, 1993] McCanne, S. & Jacobson, V. (1993). The BSD packet filter: A new architecture for user-level packet capture. In Proceedings of the Winter 1993 USENIX Conference. 5. [Engler & Kaashoek, 1996] Engler, D. & Kaashoek, M. F. (1996). DPF: Fast, flexible message demultiplexing using dynamic code generation. In Proceedings of the ACM SIGCOMM [Gupta & McKeown, 1999] Gupta, P. & McKeown, N. (1999). Packet classification on mutiple fields. In Proceedings of ACM SIGCOMM 99.