Advanced Linux Firewalls

Transcription

2 Agenda IntrusionDetectionandPreventionviaiptables Snortruleemulationviaiptablesextensions (fwsnort) iptablesloganalysis(psad) iptableslogdatavisualizations psad+afterglow+gnuplot SinglePacketAuthorization+fwknop 1.9.2release LiveDemo Copyright(C)2008MichaelRash 2

4 WhyTalkaboutiptablesinthe ContextofIntrusionDetection? SnortandcommercialIDSinfrastructureismature(subjectto usualconcernsaroundfalsepositives),butwhystopthere? IDS'scanthemselvesbetargeted,bothfromthedetectionand codeexecutionstandpoints ModifiedStick/SnottosendfakedattacksoverTor SnortDCE/RPCPreprocessorvulnerability Defense in depthisimportant Hostfragmentreassemblyissueslessofaconcernforiptables stringmatching(moreonthislater) Copyright(C)2008MichaelRash 4

5 IDSandiptables Canspecifygranularpacketheadertests,and loggingformatcontainsnearlyallinteresting packetheaderfields Canmatchagainstconnectionstates UsefulformitigatingStick/Snotstyleattacks Stringmatchinginthekernelstartedinthe2.4 days(patchappliedvianetfilterpatch o matic); madeavailableagainin Copyright(C)2008MichaelRash 5

6 IDSandiptables(cont'd) Kerneltextsearch(linux/lib/ts_*)infrastructure Boyer MooreandKnuth Morris Prattalgorithms StringmatchingenabledbydefaultinrecentLinuxkernels Yougetnetworklayerdefragmentationforfreewhen connectiontrackingisusedyoudon'thavetorelyon properconfigurationoffrag3;itisthedefragmentation algorithmofthehost Stringmatchingwithinthefiltertablehappensafter networkdefrag Copyright(C)2008MichaelRash 6

7 HowAboutIntrusionPrevention? PlentyofreasonsNOTtorespond(falsepositives,possibilityof attackerabuse,possibilityoffingerprintingtheresponse mechanism) However: Canenvisionscenarioswherecontrollingtheshapeofapplicationlayerdatathat cantalktolocalsocketsisagoodthingiptablescanenforcethedroptarget (thisispreventioninsteadofjustsomeweakresponsemechanism) Someautomatedattacksdonotbotherwithobfuscation/encryptiontargetrich environment Sometimesitisnoteasytopatchaproductionserverwhoseuptimemustremain high(assumingapatchevenexists) Copyright(C)2008MichaelRash 7

8 fwsnort TranslatesSnortsignaturesinto equivalent iptablesrules usingstringmatchextensionandnetfilterconnection trackingsubsystem AlltranslatedSnortsignaturesareplacedwithinuser definedchains,towhichpacketsarejumpedfrombuilt in chains(input,output,andforward) Maintainsstrictseparationfromexistingiptablespolicy Approximately60%ofallSnort 2.3.3rules(rememberthis isanidssupplement)canbetranslated Copyright(C)2008MichaelRash 8

9 fwsnort(cont'd) ReportingviaLOGtarget(integrateswithpsad) WhitelistsviatheRETURNtarget BlacklistsviatheDROPorREJECTtargets EmulationofSnortconfigvariablessuchas$HOME_NETand $EXTERNAL_NET Snortsignatureinfostoredwiththeiptablescommentmatchin kernel space iptablesisinlinebydefinition;easytoconfigurefwsnorttouse thedroporrejecttargets Copyright(C)2008MichaelRash 9

10 psad iptablesloganalyzer andsyslogreporting Fwsnortintegration DShieldintegration iptableslogvisualizationwithafterglowandgnuplot Built inpassiveosfingerprintingderivedfromp0f (requires log tcp options) IPoptionsdecoding(requires log ip options) Copyright(C)2008MichaelRash 10

11 psad(cont'd) CandetectSnortsignaturesthatdonotrequire applicationlayertests(sourceroutingattempts,lowttl values,icmpsourcequench,nachiworm,etc.).this isallpossiblebyvirtueofiptableslogformat completeness. DetectionofmanyportscantypesgeneratedbyNmap Timeout basedauto blocking(optional,andcanbe restrictedtoapplicationlayermatcheswithfwsnort) Whitelists/Blacklists Copyright(C)2008MichaelRash 11

14 ExampleSnortRule:nmap ExecutionviaWebServer alerttcp$external_netany >$HTTP_SERVERS $HTTP_PORTS (msg:"web ATTACKSnmapcommandattempt"; flow:to_server,established;content:"nmap%20";nocase; classtype:web application attack;sid:1361;rev:5;) Copyright(C)2008MichaelRash 14

15 fwsnorttranslation $IPTABLES AFWSNORT_FORWARD_ESTAB d /24 ptcp dport80 mstring string"nmap%20" algobm mcomment comment"msg:web ATTACKSnmapcommand attempt;classtype:web application attack; rev:5;fws:0.9.0;" jlog log tcp options log prefix"[1]sid1361estab" Copyright(C)2008MichaelRash 15

16 BLEEDING EDGEVIRUS Signature(MultipleContentFields) alerttcp$external_net$http_ports > $HOME_NETany(msg:"BLEEDING EDGEVIRUS Trojan Spy.Win32.BancosDownload";flow: established,from_server;content:"[aspackdie!]"; content:" 0f6d079e6c626c6800d22f636d649d11 afaf45c772ac5f3138d0 ";classtype:trojan activity; reference:url,securityresponse.symantec.com/avcenter/ve nc/data/pwsteal.bancos.b.html;sid: ;rev:6;) Copyright(C)2008MichaelRash 16

17 (translated) $IPTABLES AFWSNORT_FORWARD_ESTAB d /24 ptcp sport80 mstring string "[AspackDie!]" algobm mstring hex string" 0f6d 079e6c626c6800d22f636d649d11afaf45c772 ac5f3138d0 " algobm mcomment comment"msg: BLEEDING EDGEVIRUSTrojan Spy.Win32.Bancos Download;classtype:trojan activity;reference: url,securityresponse.symantec.com/avcenter/venc/data/pw steal.bancos.b.html;rev:6;fws:0.9.0;" jlog log ip options log tcp options log prefix"[640]sid ESTAB" Copyright(C)2008MichaelRash 17

18 SupportedSnortRuleOptions AllSnortruleheader options itype icode content ttl(ttlmatch) flow(conntrack) tos(tosmatch) flags ipopts offset ip_proto depth resp dsize(lengthmatch) Copyright(C)2008MichaelRash 18

19 UnsupportedSnortRuleOptions: LostinTranslation pcre flowbits byte_test< u32module(comingsoon2.6supportadded) byte_jump< u32module(comingsoon2.6supportadded) asn1 window< includediniptableslogs isdataat id< includediniptableslogs Copyright(C)2008MichaelRash 19

20 UnsupportedSnortRuleOptions (cont'd) icmp_id< includediniptableslogs icmp_seq< includediniptableslogs seq< includedwith log tcp sequence ack< includedwith log tcp sequence sameip< includediniptableslogs Thereareafewothers thosethatareloggedcanbe analyzedbypsad Copyright(C)2008MichaelRash 20

22 iptablestcplogmessage Mar1120:21:22minastirithkernel:[199] SID1361ESTABIN=eth1OUT= MAC=00:13:d3:38:b6:e4:00:13:46:c2:60:44:08: 00SRC= DST= LEN=60 TOS=0x00PREC=0x00TTL=63ID=11112DF PROTO=TCPSPT=28778DPT=80WINDOW=5840 RES=0x00ACKPSHURGP=0OPT ( A02A041D20CC386B1) Copyright(C)2008MichaelRash 22

26 p0fsignaturematchwithpsad Mar823:23:48minastirithkernel:DROP IN=eth0OUT=MAC=00:13:46:3a:41:4b: 00:90:1a:a0:1c:ec:08:00SRC= DST=71.N.N.NLEN=60TOS=0x00PREC=0x00TTL=55 ID=23249DFPROTO=TCPSPT=54155DPT=3128 WINDOW=5840RES=0x00SYNURGP=0OPT (020405B A04C4FF5B ) S4:64:1:60:M*,S,T,N,W7:Linux:2.6:8:Linux2.6.8andnewer Copyright(C)2008MichaelRash 26

27 iptablesudplogmessage Mar1120:50:54minastirithkernel:[153] SID IN=eth0OUT= MAC=00:13:d3:38:b6:e4:00:13:46:c2:60:44:08: 00SRC= DST= LEN=40 TOS=0x00PREC=0x00TTL=63ID=29758DF PROTO=UDPSPT=32046DPT=61LEN=20 Copyright(C)2008MichaelRash 27

29 iptablesicmplogmessage Mar1120:57:18minastirithkernel:[98] SID IN=eth0OUT= MAC=00:13:d3:38:b6:e4:00:13:46:c2:60:44:08: 00SRC= DST= LEN=128TOS=0x00PREC=0x00TTL=63ID=53466 PROTO=ICMPTYPE=8CODE=0ID=27459SEQ=0 Copyright(C)2008MichaelRash 29

32 HoneynetScanChallenge#34 Challengesummary: Challengeinformationandanalysiscanbefound here: BothSnortandiptableslogdatamadeavailableto thecommunity(39mbofiptablesdata) Containsportscans,portsweeps,trafficfrom worms,andoutrightcompromisesofhoneynet systems Copyright(C)2008MichaelRash 32

33 PortSweepVisualization psad -m iptables.data --gnuplot -CSV-fields src:not /16 dp:count --gnuplot-graph points -gnuplot-3d --gnuplot-view 74,77 -gnuplot-file-prefix portsweep Copyright(C)2008MichaelRash 33

36 HoneynetVisualizations: CompromisedHosts Lookforoutboundconnectionsfromhoneynet hostswithafterglow(see #psad CSV miptablessyslog CSV fields "src: /24dstdp" perl afterglow.pl ccolor.properties neato Tgif ooutbound_connections.gif Copyright(C)2008MichaelRash 36

38 NachiWormVisualization Lookfor92 byteicmpechorequests #psad CSV miptablessyslog CSV fields "srcdstip_len:92" CSV max300 CSV regex "PROTO=ICMP.*TYPE=8" perlafterglow.pl c color.properties neato Tgif o nachi_worm.gif Copyright(C)2008MichaelRash 38

41 PassiveAuthorization Basicidea: Combineadefault droppacketfilterwithapassive mechanismtoauthenticate(andauthorize)clients Thesecuritybenefitisderivedfromareductioninthe complexityofcodethatanarbitraryipaddresscaninteract with.everyfunctionhasanon zeroprobabilityofcontaining asecurityvulnerability ThisisNOTsecuritythroughobscurity;thisisconcealment (similartopasswordsandencryptionkeys) Copyright(C)2008MichaelRash 41

42 PortKnocking Usespacketheaderstotransmitinformation=>serious protocollimitations Difficulttoprotectagainstreplayattacks Lowdatatransfercapabilityimpliesasymmetricencryptionisnot feasible Knocksequencestriviallybustedfromanysourcewithspoofed duplicatepackets PortknockingsequenceslooklikeportscanstoanyIDS/IPSthatis watching Copyright(C)2008MichaelRash 42

43 SinglePacketAuthorization Next generationportknocking Usesapplicationlayerdata Replayattackseasilythwarted Supportsasymmetricciphers Onlyasinglepacketistransmitted,somuchless likelytotriggerids/ipsalarms Copyright(C)2008MichaelRash 43

44 fwknopfeatures fwknopd server includessupportforiptablesandipfw firewalls(linux,macosx,andfreebsd). fwknopclientincludessupportforlinux,macosx, FreeBSD,Windows2000,XP(underCygwin)orviathe WindowsUI(developedbySeanGreven) SPApacketsareencryptedeitherviaRijndaelorwithan asymmetricalgorithmsupportedbygnupg SupportsoutboundandinboundNAT(SNATandDNAT, withdnatsupportnewinfwknop 1.9.0) Copyright(C)2008MichaelRash 44

45 Newinfwknop Client derivedfirewallaccesstimeouts Removalofencoded Salted prefixfromrijndaelspapackets SupportforLinux cooked interfaces(e.g.pppoe) Selectabledigestalgorithmsforreplayattackdetection(SHA256, SHA1,orMD5) BlacklistexclusionsforSPApackets SpecialthankstotheSPAPICTteam(Calsoftsecurityenthusiasts+students fromthepuneinstituteofcomputingtechnology: featuresinfwknop Copyright(C)2008MichaelRash 45

47 fwknopspapacketformat randomnumber(16bytes) username timestamp softwareversion messagetypeandcontent: 0=>commandmode/commandtoexecute 1=>accessmode/IP,proto,port 2=>forwardaccessmode/IP,proto,port/internalIP,externalNATPort (optional)server_auth(post0.9.2release) messagedigest(sha256/sha1/md5) Copyright(C)2008MichaelRash 47

48 ExampleSPAPackets Cleartextmessage(fieldsarebase64encodedbeforeencrypted): :cm9vdA==: :1.9.2 pre6:1:mti3ljaumc4ylhrjcc8ymg==:yaynmuufyi/93syvrviib4mxkbhn/93cb +Ceu5cUUf4 TwoSPApackets(encryptedwiththeRijndaelcipher): 9aoMEM9Jr5vHTdvKbx +phe3in6onbglezorpld4y1ymcgw1udngm1mai/8b2s41aohabyfvnzyxchfy Sp7hPusjzLyRhwStmDzFFazHxzNmBh9xsgAvrGLqmmQzYhS+ +7XmtIH2D8hPjpaDGaGzs1nZPxGpZ2mQ5bjhBkutwcrkqCbe9wZf0o /buclg8gnm4+wldclkxktywjqedemhjwh +g4lrgaal09cykpv9501z52zp00e/bru5oe/bkojed8hvewk3ldoyvvuxfpwt9c DF7FG6xF/Rk4FhjcDPkaqVZb4CpMr7Yqr2wyL5Lxqy6YI7rt2ZdqaVGBIdGtzlHL OoXnz5j4mC1+H6hxa7e0pO Copyright(C)2008MichaelRash 48

49 FutureWork WebproxythatcreatesSPApacketsonbehalf ofanyonewithawebbrowser IntegrationwiththepffirewallonOpenBSD Integrationwithadditionalclients(scp,sftp,mail clients,etc.) FirefoxSPAextension fwknopisopensource,pleasesubmitpatches! Copyright(C)2008MichaelRash 49

52 References(cont'd) AnAnalysisofPortKnockingandSinglePacketAuthorization : SinglePacketAuthorizationwithfwknop : EnhancingFirewalls:ConveyingUserandApplicationIdentificationtoNetwork Firewalls : WikipediaonPortKnocking: Hakin9onPortKnockingandSPA: LinuxJournalarticles: Copyright(C)2008MichaelRash 52