Firewall Threat Defense Features

Transcription

1 Firewall Threat Defense Features Introducing the Cisco IOS Firewall

2 Firewalls The most well-known security device is the firewall. By conventional definition, a firewall is a partition made of fireproof material designed to prevent the spread of fire from one part of a building to another. A firewall can also be used to isolate one compartment from another. When applying the term firewall to a computer network, a firewall is a system or group of systems that enforces an access control policy between two or more networks

3 Firewalls

4 Who needs a firewall? Network Attacks Reconnaissance attacks Access attacks Denial of service attacks Worms, viruses, and Trojan horses

5 Thinking Like a Hacker : Seven Steps to Hacking a Network Seven steps for compromising targets and applications: Step 1 Perform footprint analysis (reconnaissance) Step 2 Detail the information Step 3 Manipulate users to gain access Step 4 Escalate privileges Step 5 Gather additional passwords and secrets Step 6 Install back doors Step 7 Leverage the compromised system

6 Software Tools Hackers can use some of the tools listed here. All of these tools are readily available to download, and security staff should know how these tools work. Netcat: Netcat is a featured networking utility that reads and writes data across network connections using the TCP/IP protocol. Microsoft EPDump and Remote Procedure Call (RPC) Dump: These tools provide information about Microsoft RPC services on a server:the Microsoft EPDump application shows what is running and waiting on dynamically assigned ports.the RPC Dump (rpcdump.exe) application is a command-line tool that queries RPC endpoints for status and other information on RPC.. GetMAC: This application provides a quick way to find the MAC (Ethernet) layer address and binding order for a computer running Microsoft Windows 2000 locally or across a network.. Software development kits (SDKs): SDKs provide hackers with the basic tools that they need to learn more about systems.

7 Attacks Based on Minimal Intelligence Attacks that require little intelligence about the target network: Reconnaissance Access attacks DoS and Distributed DoS (DDoS)

8 Attacks Based on Intelligence or Insider Information Attacks that typically require more intelligence or insider access: Worms, viruses, and Trojan horses Application layer attacks Threats to management protocols

9 Specific Attack Types Packet sniffers IP weaknesses Password attacks DoS or DDoS Man-in-the-middle attacks Application layer attacks Trust exploitation Port redirection Virus Trojan horse Operator error Worms

10 Reconnaissance Attack Network reconnaissance refers to the overall act of learning information about a target network by using publicly available information and applications. Network reconnaissance cannot be prevented entirely. IDSs ( at the network and host levels can usually notify an administrator when a reconnaissance gathering attack (for example, ping sweeps and port scans) is under way.

11 Footprint Analysis (Reconnaissance) Web pages, phone books, company brochures, subsidiaries, etc Knowledge of acquisitions nslookup command to reconcile domain names against IP addresses of the company s servers and devices Port scanning to find open ports and operating systems installed on hosts traceroute command to help build topology WHOIS queries

12 Reconnaissance Attack Example Sample IP address query Sample domain name query

13 Packet Sniffers Host A Router A Router B Host B A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets. The following are the packet sniffer features: Packet sniffers exploit information passed in clear text. Protocols that pass information in the clear include the following: Telnet FTP SNMP POP Packet sniffers must be on the same collision domain.

14 Packet Sniffer Mitigation The techniques and tools that can be used to mitigate packet sniffer attacks include: Authentication Using strong authentication is a first option for defense against packet sniffers. Cryptography If a communication channel is cryptographically secure, the only data a packet sniffer detects is cipher text (a seemingly random string of bits) and not the original message Anti-sniffer tools Antisniffer tools detect changes in the response time of hosts to determine whether the hosts are processing more traffic than their own traffic loads would indicate. Switched infrastructure A switched infrastructure obviously does not eliminate the threat of packet sniffers but can greatly reduce the sniffers effectiveness.

15 Man-in-the-Middle Attacks Host A Data in clear text Host B Router A Router B A man-in-the-middle attack requires that the hacker have access to network packets that come across a network. A man-in-the-middle attack is implemented using the following: Network packet sniffers Routing and transport protocols Possible man-in-the-middle attack uses include the following: Theft of information Hijacking of an ongoing session Traffic analysis DoS Corruption of transmitted data Introduction of new information into network sessions

16 IP Spoofing IP spoofing occurs when a hacker inside or outside a network impersonates the conversations of a trusted computer. Two general techniques are used during IP spoofing: A hacker uses an IP address that is within the range of trusted IP addresses. A hacker uses an authorized external IP address that is trusted. Uses for IP spoofing include the following: IP spoofing is usually limited to the injection of malicious data or commands into an existing stream of data. A hacker changes the routing tables to point to the spoofed IP address, then the hacker can receive all the network packets that are addressed to the spoofed address and reply just as any trusted user can.

17 IP Spoofing Attack Mitigation The threat of IP spoofing can be reduced, but not eliminated, using these measures: Access control configuration Encryption RFC 3704 filtering Additional authentication requirement that does not use IP address-based authentication; examples are: Cryptographic (recommended) Strong, two-factor, one-time passwords

18 DoS Attacks

19 DDoS Attack Example

20 DoS and DDoS Attack Mitigation The threat of DoS and DDoS attacks can be reduced using: Anti-spoof features on routers and firewalls Proper configuration of anti-spoof features on your routers and firewalls can reduce your risk of attack. These features include an appropriate filtering with access lists, unicast reverse path forwarding that looks up the routing table to identify spoofed packets, disabling of source route options, and others. Anti-DoS features on routers and firewalls Proper configuration of anti-dos features on routers and firewalls can help limit the effectiveness of an attack. These features often involve limits on the amount of half-open TCP connections that a system allows at any given time. Traffic rate limiting at the ISP level An organization can implement traffic rate limiting with the organization s ISP

21 Password Attacks Hackers can implement password attacks using several different methods: Brute-force attacks Dictionary Attacks Trojan horse programs IP spoofing Packet sniffers

22 Password Attacks L0phtCrack can take the hashes of passwords and generate the clear text passwords from them. Passwords are computed using two different methods: Dictionary cracking Brute force computation

23 Password Attack Mitigation Password attack mitigation techniques: Do not allow users to use the same password on multiple systems Disable accounts after a certain number of unsuccessful login attempts Do not use plaintext passwords For example strong passwords. (Use my8!rthd8y rather than mybirthday )

24 Trust Exploitation

25 Trust Exploitation Trust exploitation refers to an individual taking advantage of a trust relationship within a network. An example of when trust exploitation takes place is when a perimeter network is connected to a corporate network. These network segments often contain DNS, SMTP, and HTTP servers. Because these servers all reside on the same segment, a compromise of one system can lead to the compromise of other systems if those other systems also trust systems that are attached to the same network. Another example of trust exploitation is a Demilitarised Zone (DMZ) host that has a trust relationship with an inside host that is connected to the inside firewall interface. The inside host trusts the DMZ host. When the DMZ host is compromised, the attacker can leverage that trust relationship to attack the inside host.

26 Trust Exploitation A hacker leverages existing trust relationships. Several trust models exist: Windows: Domains Active directory Linux and UNIX: NIS NIS+

27 Trust Exploitation Trust exploitation-based attacks can be mitigated through tight constraints on trust levels within a network Systems that are inside a firewall should never absolutely trust systems that are outside a firewall. Absolute trust should be limited to specific protocols and, where possible, should be validated by something other than an IP address In the DMZ example, the hacker connected to the Internet has already exploited some vulnerability of the DMZ host connected to the DMZ interface of the firewall The hacker s next goal is to compromise the inside host that is connected to the inside (trusted) interface of the firewall To attack the inside host from the DMZ host, the hacker needs to find the protocols that are permitted from the DMZ to the inside interface. Once the protocols are known, the attacker searches for vulnerabilities on the inside host. This attack can be stopped if the firewall allows only minimum or no connectivity from the DMZ to the inside interface

28 Port Redirection

29 Unauthorized Access Unauthorized access includes any unauthorized attempt to access a private resource: Not a specific type of attack Refers to most attacks executed in networks today Initiated on both the outside and inside of a network The following are mitigation techniques for unauthorized access attacks: Eliminate the ability of a hacker to gain access to a system Prevent simple unauthorized access attacks, which is the primary function of a firewall

30 Application Layer Attacks Application layer attacks have the following characteristics: Exploit well known weaknesses, such as protocols, that are intrinsic to an application or system (for example, send mail, HTTP, and FTP) Often use ports that are allowed through a firewall (for example, TCP port 80 used in an attack against a web server behind a firewall) Can never be completely eliminated, because new vulnerabilities are always being discovered

31 End Station (Host) Vulnerabilities Host machines are particularly vulnerable to attack if not adequately protected. The main threats are: Viruses Trojan horse attacks Worms

32 Viruses A computer virus is a malicious computer program (executable file) that can copy itself and infect a computer without permission or knowledge of the user. The original may modify the copies or the copies may modify themselves, as occurs in a metamorphic virus A virus can only spread from one computer to another when its host is taken to an uninfected computer, for instance by a user sending it over a network as a file or as an payload or carrying it on a removable medium such as a floppy disk, USB disk ( memory stick ), or CD / DVD Some viruses are programmed to damage the computer by damaging programs, deleting files, or reformatting the hard disk. Others are not designed to do any damage, but simply replicate themselves and perhaps make their presence known by presenting text, video, or audio messages Source: Wikepedia Computer virus

33 Trojan Horse A Trojan horse is a program that - unlike a virus - contains or installs a malicious program the payload or 'trojan Trojan horses may appear to be useful or interesting programs, or at the very least harmless to an unsuspecting user, but are actually harmful when executed There are two common types of Trojan horses One is otherwise useful software that has been corrupted by a hacker inserting malicious code that executes while the program is used The other type is a standalone program that masquerades as something else, like a game or image file, in order to trick the user into some misdirected complicity that is needed to carry out the program's objectives

34 Worms A computer worm is a self-replicating executable computer program. It uses a network to send copies of itself to other hosts ( end-user machines on the network) and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing program. Worms always harm the network (if only by consuming bandwidth), whereas viruses always infect or corrupt files on a targeted computer.

35 Malicious software containment Viruses and Trojan horses can be contained by: Effective use of antivirus software Keeping up to date with the latest developments in these methods of attacks Keeping up to date with the latest antivirus software and application versions Implementing host-based intrusion prevention systems (for example, Cisco Security Agent)

36 Worm Attack, Mitigation and Response The anatomy of a worm attack has three parts: The enabling vulnerability: A worm installs itself on a vulnerable system Propagation mechanism: After gaining access to devices, a worm replicates and selects new targets Payload: Once the worm infects the device, the attacker has access to the host often as a privileged user. Attackers use a local exploit to escalate their privilege level to administrator.

37 Worm attack mitigation Worm attack mitigation requires diligence on the part of system and network administration staff. Coordination between system administration, network engineering, and security operations personnel is critical in responding effectively to a worm incident. Recommended steps for worm attack mitigation: Containment: Contain the spread of the worm into your network and within your network. Compartmentalise uninfected parts of your network. Inoculation: Start patching all systems and, if possible, scanning for vulnerable systems. Quarantine: Track down each infected machine inside your network. Disconnect, remove, or block infected machines from the network. Treatment: Clean and patch each infected system. Some worms may require complete core system reinstallations to clean the system.

38 Determining Vulnerabilities and Threats There are several tools and techniques that can be used to find vulnerabilities in your network Once any vulnerabilities have been identified, mitigation steps can be considered and utilised as appropriate Some common tools include: Blue s PortScanner Wireshark (formerly Ethereal) Microsoft Baseline Security Analyzer Nmap

39 Blue s Port Scanner Blue s Port Scanner is a fast network scanner that can scan over 300 ports per second on a NT or Windows 2000 machine. it comes with a Windows XP - style interface, and offers TCP and UDP scanning as well as a Anti-Flood function Blue s Port Scanner

40 Wireshark (Ethereal) Wireshark is the world's foremost network protocol analyser, and is the standard in many industries. It is the continuation of a project that started in Hundreds of developers around the world have contributed to it, and it is still under active development. Wireshark

41 Microsoft Baseline Security Analyzer

42 Nmap Nmap ("Network Mapper") is a free open source utility for network exploration or security auditing. It is designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers and both console and graphical versions are available. Nmap is free and open source

43 Best Practices to Defeat Hackers Keep patches up to date Shut down unnecessary services and ports Use strong passwords and change them often Control physical access to systems Curtail unexpected and unnecessary input Perform system backups and test them on a regular basis Warn everybody about social engineering Encrypt and password-protect sensitive data Use appropriate security hardware and software Develop a written security policy for the company

44 Implementing a Firewall Personal software firewall a software that is installed on a single PC to protect only that PC All-in-one firewall can be a single device that offers the following features and functionality : router, Ethernet switch, wireless access point, firewall Small-to medium office firewalls, Enterprise firewalls dedicated firewalls devices

45 Firewalls All firewalls fall within three classes: Appliance-based firewalls Appliance-based firewalls are hardware platforms that are designed specifically as dedicated firewalls. The appliance may serve other functions, but they are secondary to the firewall feature set. Server-based firewalls A server-based firewall consists of a firewall application that runs on a network operating system (NOS) such as UNIX, NT or Win2K, or Novell. The underlying operating system is still present, so vulnerabilities and resource use of the operating system must be taken into consideration when implementing this type of firewall. Integrated firewalls An integrated firewall is implemented by adding firewall functionality to an existing device.

46 Most common rules and features of firewalls Packet filtrering Block incoming network traffic based on source or destination Block outgoing network traffic based on source or destination Block network traffic based on content Make internal resource available (DMZ) Allow connections to internal network Report on network traffic and firewall activites

47 Packet filtering Packet filtering is the selective passing or blocking of data packets as they pass through a network interface. The criteria that is used when inspecting packets are based on the Layer 3 (IPv4 and IPv6) and Layer 4 (TCP, UDP, ICMP, and ICMPv6) headers. The most often used criteria are source and destination address, source and destination port, and protocol.

48 Access control list (ACL) Firewall can use packet filtering to limit information entering a network, or information moving from one segment of a network to another. Packet filtering uses access control lists (ACLs), which allow a firewall to accept or deny access based on packet types and other variables

49 Access Policy Access control list

50 DMZ demilitarized zone A DMZ is an interface that sits between a trusted network segment ( your network) and an untrusted segment network segment ( Internet), providing physical isolation between the two networks that is enforced by a series of connectivity rules within the firewall.

51 DMZ A DMZ is established between security zones. DMZs are buffer networks that are neither the Inside nor the Outside network.

52 Layered Defense Features Access control is enforced on traffic entering and exiting the buffer network to all security zones by: Classic routers Dedicated firewalls DMZs are used to host services: Exposed public services are served on dedicated hosts inside the buffer network. The DMZ may host an application gateway for outbound connectivity. A DMZ blocks and contains an attacker in the case of a break-in.

53 Multiple DMZs Three Separate DMZs Multiple DMZs provide better separation and access control: Each service can be hosted in a separate DMZ. Damage is limited and attackers contained if a service is compromised.

54 Modern DMZ Design Various systems (a stateful packet filter or proxy server) can filter traffic. Proper configuration of the filtering device is critical.

55 Firewall Technologies Firewalls use three technologies: Packet filtering Application layer gateway (ALG) Stateful packet filtering

56 Packet Filtering Packet filtering limits traffic into a network based on the destination and source addresses, ports, and other flags that you compile in an ACL.

57 Packet Filtering Example Router(config)# access-list 100 permit tcp any established Router(config)# access-list 100 deny ip any any log Router(config)# interface Serial0/0 Router(config-if)# ip access-group 100 in Router(config-if)# end

58 Application Layer Gateway The ALG intercepts and establishes connections to the Internet hosts on behalf of the client.

59 ALG Firewall Device

60 Stateful Packet Filtering Stateless ACLs filter traffic based on source and destination IP addresses, TCP and UDP port numbers, TCP flags, and ICMP types and codes. Stateful inspection then remembers certain details, or the state of that request.

61 Stateful Firewalls Also called stateful packet filters and applicationaware packet filters. Stateful firewalls have two main improvements over packet filters: They maintain a session table (state table) where they track all connections. They recognize dynamic applications and know which additional connections will be initiated between the endpoints. Stateful firewalls inspect every packet, compare the packet against the state table, and may examine the packet for any special protocol negotiations. Stateful firewalls operate mainly at the connection (TCP and UDP) layer.

62 The Cisco IOS Firewall Feature Set The Cisco IOS Firewall Feature Set contains these features: Standard and extended ACLs Cisco IOS Firewall Cisco IOS Firewall IPS Authentication proxy Port-to-Application Mapping (PAM) NAT IPsec network security Event logging User authentication and authorization

63 Cisco IOS Firewall Packets are inspected when entering the Cisco IOS firewall if the packets are not specifically denied by an ACL. Cisco IOS Firewall permits or denies specified TCP and UDP traffic through a firewall. A state table is maintained with session information. ACLs are dynamically created or deleted. Cisco IOS Firewall protects against DoS attacks.

64 Cisco IOS Authentication Proxy HTTP, HTTPS, FTP, and Telnet authentication Provides dynamic, per-user authentication and authorization via TACACS+ and RADIUS protocols

65 Cisco IOS IPS Acts as an inline intrusion prevention sensor traffic goes through the sensor When an attack is detected, the sensor can perform any of these actions: Alarm: Send an alarm to SDM or syslog server. Drop: Drop the packet. Reset: Send TCP resets to terminate the session. Block: Block an attacker IP address or session for a specified time. Identifies 700+ common attacks

66 Cisco IOS ACLs Revisited ACLs provide traffic filtering by these criteria: Source and destination IP addresses Source and destination ports ACLs can be used to implement a filtering firewall leading to these security shortcomings: Ports opened permanently to allow traffic, creating a security vulnerability. The ACLs do not work with applications that negotiate ports dynamically.

67 Cisco IOS Firewall TCP Handling

68 Cisco IOS Firewall UDP Handling

69 How Cisco IOS Firewall Works

70 Cisco IOS Firewall Supported Protocols Regardless of the application layer protocol, Cisco IOS Firewall will inspect: All TCP sessions All UDP connections Enhanced stateful inspection of application layer protocols Outgoing requests to the Internet, and responses from the Internet are allowed. X Incoming requests from the Internet are blocked.

71 Alerts and Audit Trails Cisco IOS Firewall generates real-time alerts and audit trails. Audit trail features use syslog to track all network transactions. With Cisco IOS Firewall inspection rules, you can configure alerts and audit trail information on a per-application protocol basis.

72 Intrusion Detection System IDS is a passive device: Traffic does not pass through the IDS device. Typically uses only one promiscuous interface. IDS is reactive: IDS generates an alert to notify the manager of malicious traffic. Optional active response: Further malicious traffic can be denied with a security appliance or router. TCP resets can be sent to the source device.

73 Intrusion Prevention System IPS is an active device: All traffic passes through IPS. IPS uses multiple interfaces. Proactive prevention: IPS denies all malicious traffic. IPS sends an alert to the management station.

74 Combining IDS and IPS IPS actively blocks offending traffic: Should not block legitimate data Only stops known malicious traffic Requires focused tuning to avoid connectivity disruption IDS complements IPS: Verifies that IPS is still operational Alerts you about any suspicious data except known good traffic Covers the gray area of possibly malicious traffic that IPS did not stop