Advanced Linux Firewalls




Advanced Linux Firewalls
Michael Rash, Security Architect, Enterasys Networks, Inc.
http://www.cipherdyne.org/
03/12/2008, SOURCE Boston 2008
Copyright (C) 2008 Michael Rash

Agenda
- Intrusion Detection and Prevention via iptables
- Snort rule emulation via iptables extensions (fwsnort)
- iptables log analysis (psad)
- iptables log data visualizations: psad + AfterGlow + Gnuplot
- Single Packet Authorization + fwknop 1.9.2 release
- Live Demo

(Book slide) No Starch Press, Oct 2007

Why Talk about iptables in the Context of Intrusion Detection?
- Snort and commercial IDS infrastructure is mature (subject to the usual concerns around false positives), but why stop there?
- IDSs can themselves be targeted, both from the detection and code execution standpoints:
  - Modified Stick/Snot to send faked attacks over Tor
  - Snort DCE/RPC preprocessor vulnerability
- Defense in depth is important
- Host fragment reassembly issues are less of a concern for iptables string matching (more on this later)

IDS and iptables
- Can specify granular packet header tests, and the logging format contains nearly all interesting packet header fields
- Can match against connection states
- Useful for mitigating Stick/Snot style attacks
- String matching in the kernel started in the 2.4 days (patch applied via Netfilter patch-o-matic); made available again in 2.6.14

IDS and iptables (cont'd)
- Kernel text search (linux/lib/ts_*) infrastructure: Boyer-Moore and Knuth-Morris-Pratt algorithms
- String matching enabled by default in recent Linux kernels
- You get network layer defragmentation for free when connection tracking is used; you don't have to rely on proper configuration of frag3, it is the defragmentation algorithm of the host
- String matching within the filter table happens after network defrag

How About Intrusion Prevention?
- Plenty of reasons NOT to respond (false positives, possibility of attacker abuse, possibility of fingerprinting the response mechanism)
- However:
  - Can envision scenarios where controlling the shape of application layer data that can talk to local sockets is a good thing; iptables can enforce the DROP target (this is prevention instead of just some weak response mechanism)
  - Some automated attacks do not bother with obfuscation/encryption: target-rich environment
  - Sometimes it is not easy to patch a production server whose uptime must remain high (assuming a patch even exists)

fwsnort
- Translates Snort signatures into equivalent iptables rules using the string match extension and the Netfilter connection tracking subsystem
- All translated Snort signatures are placed within user-defined chains, to which packets are jumped from the built-in chains (INPUT, OUTPUT, and FORWARD)
- Maintains strict separation from the existing iptables policy
- Approximately 60% of all Snort-2.3.3 rules (remember, this is an IDS supplement) can be translated

fwsnort (cont'd)
- Reporting via the LOG target (integrates with psad)
- Whitelists via the RETURN target
- Blacklists via the DROP or REJECT targets
- Emulation of Snort config variables such as $HOME_NET and $EXTERNAL_NET
- Snort signature info stored with the iptables comment match in kernel space
- iptables is inline by definition; easy to configure fwsnort to use the DROP or REJECT targets

psad
- iptables log analyzer
- Email and syslog reporting
- fwsnort integration
- DShield integration
- iptables log visualization with AfterGlow and Gnuplot
- Built-in passive OS fingerprinting derived from p0f (requires --log-tcp-options)
- IP options decoding (requires --log-ip-options)

psad (cont'd)
- Can detect Snort signatures that do not require application layer tests (source routing attempts, low TTL values, ICMP source quench, Nachi worm, etc.). This is all possible by virtue of iptables log format completeness.
- Detection of many port scan types generated by Nmap
- Timeout-based auto-blocking (optional, and can be restricted to application layer matches with fwsnort)
- Whitelists/Blacklists

iptables packet flow (diagram slide)

fwsnort packet flow (diagram slide)

Example Snort Rule: nmap Execution via Web Server

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS nmap command attempt"; flow:to_server,established; content:"nmap%20"; nocase; classtype:web-application-attack; sid:1361; rev:5;)

fwsnort translation

    $IPTABLES -A FWSNORT_FORWARD_ESTAB -d 192.168.10.0/24 -p tcp --dport 80 -m string --string "nmap%20" --algo bm -m comment --comment "msg:WEB-ATTACKS nmap command attempt; classtype:web-application-attack; rev:5; fws:0.9.0;" -j LOG --log-tcp-options --log-prefix "[1] SID1361 ESTAB "

BLEEDING-EDGE VIRUS Signature (Multiple Content Fields)

    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE VIRUS Trojan-Spy.Win32.Bancos Download"; flow:established,from_server; content:"[AspackDie!]"; content:"|0f 6d 07 9e 6c 62 6c 68 00 d2 2f 63 6d 64 9d 11 af af 45 c7 72 ac 5f 31 38 d0|"; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/pwsteal.bancos.b.html; sid:2001726; rev:6;)

(translated)

    $IPTABLES -A FWSNORT_FORWARD_ESTAB -d 192.168.10.0/24 -p tcp --sport 80 -m string --string "[AspackDie!]" --algo bm -m string --hex-string "|0f6d079e6c626c6800d22f636d649d11afaf45c772ac5f3138d0|" --algo bm -m comment --comment "msg:BLEEDING-EDGE VIRUS Trojan-Spy.Win32.Bancos Download; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/pwsteal.bancos.b.html; rev:6; fws:0.9.0;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[640] SID2001726 ESTAB "
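The translation shown on the two slides above, written out as an added example (this is not fwsnort's own code): it parses the Snort header and options, keeps the rule in an _ESTAB chain when the flow requires an established connection, maps each content field to an iptables string match (binary content to --hex-string, nocase to --icase), and carries the Snort metadata in a comment match. It assumes $HTTP_PORTS means 80 and that $HOME_NET/$HTTP_SERVERS are 192.168.10.0/24, as on the slides.

```python
import re

# The nmap rule from the slide (sid 1361), used here as sample input for the translator.
NMAP_RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
             '(msg:"WEB-ATTACKS nmap command attempt"; flow:to_server,established; '
             'content:"nmap%20"; nocase; classtype:web-application-attack; sid:1361; rev:5;)')

def parse_snort_rule(rule):
    """Split a Snort rule into its header fields and an ordered list of (option, value) pairs."""
    header, body = rule.split("(", 1)
    action, proto, src, sport, _arrow, dst, dport = header.split()
    opts = [(name, val.strip('"'))
            for name, val in re.findall(r'(\w+)(?::((?:"[^"]*"|[^;])*))?;', body.rstrip(") "))]
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport, "opts": opts}

def port_args(flag, port):
    """Map a Snort port field to an iptables port option; $HTTP_PORTS is assumed to mean 80."""
    if port == "any":
        return []
    return [flag, "80" if port == "$HTTP_PORTS" else port]

def to_iptables(rule, home_net="192.168.10.0/24", index=1):
    """Emit an iptables rule in the style fwsnort generates for a content-based Snort rule."""
    r = parse_snort_rule(rule)
    opts = dict(r["opts"])
    # Rules that need an established connection go into a separate _ESTAB chain.
    estab = "established" in opts.get("flow", "")
    parts = ["$IPTABLES", "-A", "FWSNORT_FORWARD_ESTAB" if estab else "FWSNORT_FORWARD"]
    local = ("$HOME_NET", "$HTTP_SERVERS")        # Snort variables that mean "our network"
    if r["dst"] in local:
        parts += ["-d", home_net]
    if r["src"] in local:
        parts += ["-s", home_net]
    parts += ["-p", r["proto"]] + port_args("--sport", r["sport"]) + port_args("--dport", r["dport"])
    for name, val in r["opts"]:
        if name == "content" and val.startswith("|"):   # binary content -> --hex-string
            hexbytes = val.strip("|").replace(" ", "")
            parts += ["-m", "string", "--hex-string", '"|%s|"' % hexbytes, "--algo", "bm"]
        elif name == "content":
            parts += ["-m", "string", "--string", '"%s"' % val, "--algo", "bm"]
        elif name == "nocase":                          # modifies the preceding content match
            parts.append("--icase")
    meta = "; ".join("%s:%s" % (k, opts[k]) for k in ("msg", "classtype", "reference", "rev") if k in opts)
    parts += ["-m", "comment", "--comment", '"%s;"' % meta]
    parts += ["-j", "LOG", "--log-tcp-options", "--log-prefix",
              '"[%d] SID%s%s "' % (index, opts["sid"], " ESTAB" if estab else "")]
    return " ".join(parts)
```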

Supported Snort Rule Options
- All Snort rule header options
- itype
- icode
- content
- ttl (ttl match)
- flow (conntrack)
- tos (tos match)
- flags
- ipopts
- offset
- ip_proto
- depth
- resp
- dsize (length match)

Unsupported Snort Rule Options: Lost in Translation
- pcre
- flowbits
- byte_test <- u32 module (coming soon; 2.6 support added)
- byte_jump <- u32 module (coming soon; 2.6 support added)
- asn1
- window <- included in iptables logs
- isdataat
- id <- included in iptables logs

Unsupported Snort Rule Options (cont'd)
- icmp_id <- included in iptables logs
- icmp_seq <- included in iptables logs
- seq <- included with --log-tcp-sequence
- ack <- included with --log-tcp-sequence
- sameip <- included in iptables logs
- There are a few others; those that are logged can be analyzed by psad

Introducing iptables Logs: TCP, UDP, ICMP

iptables TCP log message

    Mar 11 20:21:22 minastirith kernel: [199] SID1361 ESTAB IN=eth1 OUT= MAC=00:13:d3:38:b6:e4:00:13:46:c2:60:44:08:00 SRC=192.168.10.3 DST=192.168.10.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=11112 DF PROTO=TCP SPT=28778 DPT=80 WINDOW=5840 RES=0x00 ACK PSH URGP=0 OPT (0101080A02A041D20CC386B1)

iptables IP header coverage (diagram slide)

iptables TCP header coverage (diagram slide)

Passive OS Fingerprinting
Required IP/TCP header fields for p0f:
- Initial TTL
- TCP window size
- DF bit
- SYN packet size
- TCP options and order specification

p0f signature match with psad

    Mar 8 23:23:48 minastirith kernel: DROP IN=eth0 OUT= MAC=00:13:46:3a:41:4b:00:90:1a:a0:1c:ec:08:00 SRC=208.53.138.16 DST=71.N.N.N LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=23249 DF PROTO=TCP SPT=54155 DPT=3128 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A04C4FF5B0000000001030307)

    S4:64:1:60:M*,S,T,N,W7:Linux:2.6:8:Linux 2.6.8 and newer
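How psad can get from the log line above to the p0f signature below it, as an added example (not psad's or p0f's code): it parses the iptables LOG fields from the TCP log message format shown on the earlier slide, decodes the raw TCP options that --log-tcp-options appends, and builds the p0f v2 style SYN signature (window as a multiple of MSS, guessed initial TTL, DF bit, packet size, option order). The log line is a constructed copy of the slide's, and the initial-TTL guess (next of 32/64/128/255) is this example's own simplification.

```python
import re

# Constructed copy of the SYN log line shown on the p0f slide (field values unchanged).
SYN_LOG = ("Mar  8 23:23:48 minastirith kernel: DROP IN=eth0 OUT= "
           "MAC=00:13:46:3a:41:4b:00:90:1a:a0:1c:ec:08:00 SRC=208.53.138.16 DST=71.N.N.N "
           "LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=23249 DF PROTO=TCP SPT=54155 DPT=3128 "
           "WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A04C4FF5B0000000001030307)")

FLAGS = ("DF", "SYN", "ACK", "PSH", "FIN", "RST", "URG")

def parse_iptables_log(line):
    """Return the KEY=VALUE fields of an iptables LOG line plus the bare flags as booleans.

    A repeated key (the second LEN of a UDP log, the ICMP ID) overwrites the first one."""
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    for flag in FLAGS:
        fields[flag] = re.search(r"\b%s\b" % flag, line) is not None
    m = re.search(r"OPT \(([0-9A-Fa-f]*)\)", line)
    fields["OPT"] = m.group(1) if m else ""      # only present with --log-tcp-options
    return fields

def decode_tcp_options(hexopts):
    """Decode raw TCP options (as --log-tcp-options logs them) into p0f-style tokens and the MSS."""
    raw, tokens, mss, i = bytes.fromhex(hexopts), [], None, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                            # end of option list
            tokens.append("E"); break
        if kind == 1:                            # NOP occupies a single byte
            tokens.append("N"); i += 1; continue
        if i + 1 >= len(raw) or raw[i + 1] < 2:  # truncated or malformed option
            break
        length, data = raw[i + 1], raw[i + 2:i + raw[i + 1]]
        if kind == 2:
            mss = int.from_bytes(data, "big"); tokens.append("M*")
        elif kind == 3:
            tokens.append("W%d" % data[0])
        elif kind == 4:
            tokens.append("S")
        elif kind == 8:                          # T0 when the sender's own timestamp is zero
            tokens.append("T0" if int.from_bytes(data[:4], "big") == 0 else "T")
        else:
            tokens.append("?%d" % kind)
        i += length
    return tokens, mss

def p0f_signature(fields):
    """Build the p0f v2 style SYN signature wwww:ttl:D:ss:OOO from a parsed log line."""
    tokens, mss = decode_tcp_options(fields["OPT"])
    window = int(fields["WINDOW"])
    wsig = "S%d" % (window // mss) if mss and window % mss == 0 else str(window)
    ttl = int(fields["TTL"])
    init_ttl = next(t for t in (32, 64, 128, 255) if ttl <= t)   # guess the initial TTL
    return "%s:%d:%d:%s:%s" % (wsig, init_ttl, int(fields["DF"]), fields["LEN"], ",".join(tokens))
```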

iptables UDP log message

    Mar 11 20:50:54 minastirith kernel: [153] SID2001597 IN=eth0 OUT= MAC=00:13:d3:38:b6:e4:00:13:46:c2:60:44:08:00 SRC=192.168.10.3 DST=192.168.10.1 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=29758 DF PROTO=UDP SPT=32046 DPT=61 LEN=20

iptables UDP header coverage (diagram slide)

iptables ICMP log message

    Mar 11 20:57:18 minastirith kernel: [98] SID2003294 IN=eth0 OUT= MAC=00:13:d3:38:b6:e4:00:13:46:c2:60:44:08:00 SRC=192.168.10.3 DST=192.168.10.1 LEN=128 TOS=0x00 PREC=0x00 TTL=63 ID=53466 PROTO=ICMP TYPE=8 CODE=0 ID=27459 SEQ=0

iptables ICMP header coverage (diagram slide)

How About an iptables Log Data Source? Honeynet Project Scan Challenges

Honeynet Scan Challenge #34
Challenge summary:
- Challenge information and analysis can be found here: http://www.honeynet.org/scans/scan34/
- Both Snort and iptables log data made available to the community (39 MB of iptables data)
- Contains port scans, port sweeps, traffic from worms, and outright compromises of honeynet systems

Port Sweep Visualization

    psad -m iptables.data --gnuplot --CSV-fields "src:not11.11.0.0/16 dp:count" --gnuplot-graph points --gnuplot-3d --gnuplot-view 74,77 --gnuplot-file-prefix portsweep

Visualizing Port Sweeps (IP vs. Destination Port vs. Packet Count) (graph slide)

The Top Port Sweeper: 200.216.205.189 vs. TCP/3306 (graph slide)

Honeynet Visualizations: Compromised Hosts
Look for outbound connections from honeynet hosts with AfterGlow (see http://www.secviz.org)

    # psad --CSV -m iptablessyslog --CSV-fields "src:11.11.79.0/24 dst dp" | perl afterglow.pl -c color.properties | neato -Tgif -o outbound_connections.gif

(AfterGlow graph slide: outbound_connections.gif)

Nachi Worm Visualization
Look for 92-byte ICMP echo requests

    # psad --CSV -m iptablessyslog --CSV-fields "src dst ip_len:92" --CSV-max 300 --CSV-regex "PROTO=ICMP.*TYPE=8" | perl afterglow.pl -c color.properties | neato -Tgif -o nachi_worm.gif

(AfterGlow graph slide: nachi_worm.gif)

Enhancing iptables Log Data
- Use --log-ip-options
- Use --log-tcp-sequence
- Use --log-tcp-options
- More attacks can be detected, and operating systems can be passively fingerprinted

Passive Authorization
Basic idea:
- Combine a default-drop packet filter with a passive mechanism to authenticate (and authorize) clients
- The security benefit is derived from a reduction in the complexity of code that an arbitrary IP address can interact with; every function has a non-zero probability of containing a security vulnerability
- This is NOT security through obscurity; this is concealment (similar to passwords and encryption keys)

Port Knocking
- Uses packet headers to transmit information => serious protocol limitations
- Difficult to protect against replay attacks
- Low data transfer capability implies asymmetric encryption is not feasible
- Knock sequences trivially busted from any source with spoofed duplicate packets
- Port knocking sequences look like port scans to any IDS/IPS that is watching

Single Packet Authorization
- Next-generation port knocking
- Uses application layer data
- Replay attacks easily thwarted
- Supports asymmetric ciphers
- Only a single packet is transmitted, so much less likely to trigger IDS/IPS alarms

fwknop features
- fwknopd server includes support for iptables and ipfw firewalls (Linux, Mac OS X, and FreeBSD)
- fwknop client includes support for Linux, Mac OS X, FreeBSD, Windows 2000, XP (under Cygwin) or via the Windows UI (developed by Sean Greven)
- SPA packets are encrypted either via Rijndael or with an asymmetric algorithm supported by GnuPG
- Supports outbound and inbound NAT (SNAT and DNAT, with DNAT support new in fwknop-1.9.0)

New in fwknop-1.9.2
- Client-derived firewall access timeouts
- Removal of the encoded "Salted" prefix from Rijndael SPA packets
- Support for Linux "cooked" interfaces (e.g. PPPoE)
- Selectable digest algorithms for replay attack detection (SHA256, SHA1, or MD5)
- Blacklist exclusions for SPA packets
- Special thanks to the SPAPICT team (Calsoft security enthusiasts + students from the Pune Institute of Computing Technology: http://tech.groups.yahoo.com/group/spapict/) who contributed many of the new features in fwknop-1.9.2.

fwknop forward access via DNAT rules (diagram slide)

fwknop SPA packet format
- random number (16 bytes)
- username
- timestamp
- software version
- message type and content:
  - 0 => command mode / command to execute
  - 1 => access mode / IP, proto, port
  - 2 => forward access mode / IP, proto, port / internal IP, external NAT port
- (optional) server_auth (post 0.9.2 release)
- message digest (SHA256/SHA1/MD5)

Example SPA Packets
Cleartext message (fields are base64 encoded before being encrypted):

    5514438870168371:cm9vdA==:1203874973:1.9.2-pre6:1:MTI3LjAuMC4yLHRjcC8yMg==:yaynmuufyi/93syvrviib4mxkbhn/93cb+Ceu5cUUf4

Two SPA packets (encrypted with the Rijndael cipher): base64 ciphertext omitted here.
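The packet format and cleartext message above, assembled and checked server-side as an added example (not fwknop's code): the client builds random:user:timestamp:version:type:access:digest with the username and access fields base64 encoded, and the server verifies the digest, rejects stale timestamps, and keeps the digests it has accepted so a replayed copy of the same packet is refused. It assumes a 16-digit random field and SHA-256 as the digest, and leaves out the Rijndael/GnuPG encryption step the real client applies on top of this message.

```python
import base64
import hashlib
import secrets
import time

VERSION = "1.9.2-pre6"   # software version field, taken from the slide's cleartext example
ACCESS_MODE = 1          # message type 1 => access mode / IP,proto,port

def b64(text):
    return base64.b64encode(text.encode()).decode()

def digest_of(body):
    """Digest over everything before the digest field (SHA-256 assumed, base64 encoded)."""
    return base64.b64encode(hashlib.sha256(body.encode()).digest()).decode()

def build_spa_message(username, access, now=None, rand=None):
    """Assemble the cleartext SPA message for an access-mode request such as '127.0.0.2,tcp/22'."""
    rand = rand or "".join(str(secrets.randbelow(10)) for _ in range(16))  # 16 random digits (assumed)
    ts = int(now if now is not None else time.time())
    body = ":".join([rand, b64(username), str(ts), VERSION, str(ACCESS_MODE), b64(access)])
    return body + ":" + digest_of(body)

class SpaServer:
    """Checks a default-drop firewall makes before opening a port: digest, freshness, replay."""

    def __init__(self, max_age=120):
        self.max_age = max_age
        self.seen = set()        # digests of accepted packets; a repeat is a replay

    def verify(self, message, now=None):
        """Return (request, status); request is None unless status is 'ok'."""
        body, _, digest = message.rpartition(":")
        if digest != digest_of(body):
            return None, "bad digest"
        if digest in self.seen:
            return None, "replay"
        rand, user, ts, ver, mtype, access = body.split(":")
        now = now if now is not None else time.time()
        if abs(now - int(ts)) > self.max_age:
            return None, "stale timestamp"
        if int(mtype) != ACCESS_MODE:
            return None, "unsupported message type"
        self.seen.add(digest)
        ip, proto_port = base64.b64decode(access).decode().split(",")
        proto, port = proto_port.split("/")
        request = {"user": base64.b64decode(user).decode(), "ip": ip, "proto": proto, "port": int(port)}
        return request, "ok"
```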

Future Work
- Web proxy that creates SPA packets on behalf of anyone with a web browser
- Integration with the pf firewall on OpenBSD
- Integration with additional clients (scp, sftp, mail clients, etc.)
- Firefox SPA extension
- fwknop is open source, please submit patches!

Live Demo...

References
- Security Data Visualization: http://www.nostarch.com/securityvisualization.htm
- SecViz Security Visualization: http://www.secviz.org
- Raffael Marty's Blog and AfterGlow project: http://raffy.ch/blog/
- MRTG: http://oss.oetiker.ch/mrtg/ (psad support coming soon)
- Gnuplot: http://www.gnuplot.info/

References (cont'd)
- An Analysis of Port Knocking and Single Packet Authorization: http://www.securethoughts.net/spa/
- Single Packet Authorization with fwknop: http://www.cipherdyne.org/fwknop/docs/spa.html
- Enhancing Firewalls: Conveying User and Application Identification to Network Firewalls: http://pages.cpsc.ucalgary.ca/~degraaf/
- Wikipedia on Port Knocking: http://en.wikipedia.org/wiki/Port_knocking
- Hakin9 on Port Knocking and SPA: http://mscoder.org/en/haking/articles_html.html
- Linux Journal articles: http://www.linuxjournal.com/article/9565 and http://www.linuxjournal.com/article/9621

Questions?
http://www.cipherdyne.org/
mbr@cipherdyne.org