Firewalls, NAT and Intrusion Detection and Prevention Systems (IDS/IPS)
Internet (In)Security Exposed
Prof. Dr. Bernhard Plattner, with some contributions by Stephan Neuhaus
Thanks to Thomas Dübendorfer, Stefan Frei, and Dilip Many
Network Security, HS 2012
The IT Executive's Armory
What makes senior IT executives sleep well at night? They know they follow best practices for securing the IT infrastructure:
- Competent and effective security group
- Anti-virus tools and spam filters
- Firewalls and intrusion-detection systems
- Process for managing security-related updates in place
- Passwords and cryptography
- Educated and trustworthy users
- Role-based access control
Source: http://hardlyhohum.blogspot.com/2010_12_01_archive.html
Firewalls
Firewalls Defined
A firewall is a hardware or software device configured to permit, deny or proxy traffic passing between parts of a computer network that have different levels of trust. The configuration is called a policy.
Firewall as Reference Monitor
- Put in a place where it sees all traffic between the trust zones (a choke point); traffic that can bypass it is not subject to the policy
- Examines every packet
- Works through rules
Firewall Rules
Direction
- Ingress: filter incoming traffic (commonly done)
- Egress: filter outgoing traffic (rarely done, although it limits what a compromised internal host can reach)
Default policy (what to do when no rule matches)
- Default accept versus default reject; with deny-by-default a forgotten rule costs connectivity, not security
Deny access
- Drop: silently discard the packet
- Reject: discard the packet and inform the sender (ICMP error, or a TCP RST for TCP)
Addressing
- Transparency: does the firewall have its own addresses, does it show up as a hop?
- Firewall and network fingerprinting (see firewall detection below)
Firewall Rule Processing
(Figure: path of a packet through the firewall's rule processing. NIC = Network Interface Card.)
Stateless Firewall - Packet Filter
Functionality
- Examines each packet in isolation at the network/transport layer
- Decision based only on header fields of that packet (addresses, protocol, ports, TCP flags)
Pros
- Application independent
- Good performance and scalability
Cons
- No connection state or application context: a reply cannot be told apart from an unsolicited packet that merely carries the ACK flag, and non-first fragments carry no transport header to match ports on
Source: CheckPoint
Stateful Firewall
Functionality
- Keeps track of the state of network connections (connection table)
- Decision based on session state: a packet is accepted if it belongs to a connection the firewall has already admitted
Pros
- Easier to specify rules (e.g. "allow outbound, accept only the replies")
Cons
- State explosion: every connection costs table memory, which an attacker can try to exhaust (see Denial of Service below)
- State for UDP? UDP has no connections, so the firewall keeps pseudo-state per address/port pair that expires after a timeout
Application Layer Firewall
Functionality
- Takes application state into the security decision (understands the application protocol, e.g. HTTP, FTP, SMTP)
Pros
- Application awareness
Cons
- Needs to support many application protocols
- Performance, scalability
Special Case: Web Application Firewall (WAF)
- Protects web-based applications from malicious requests
- Response to the trend towards Software as a Service (SaaS)
Request filtering
- Request patterns (signatures): forceful browsing (requesting URLs directly that the application never links to, e.g. admin pages or other users' resources), SQL injection, cross-site scripting, buffer overflow attempts, checking the number of form parameters, ...
- Static or dynamic blacklisting / whitelisting
- False positive problem: legitimate requests that happen to match a signature get blocked
Implementation often as a reverse proxy
- The proxy terminates the client's connection and forwards accepted requests to the web server; the client is outside the internal network, the server sits behind the proxy
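As an added example (not from the slides), the following Python sketch of a WAF's request filtering shows both approaches on constructed requests: blacklist signatures for SQL injection, cross-site scripting and overflow attempts, a whitelist of directly reachable paths against forceful browsing, and a parameter-count check. The signature patterns, paths and limits are invented for the illustration. The last sample request is legitimate but trips the SQL-injection signature, which is the false positive problem in one line.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    """One HTTP request as the WAF sees it (constructed for this example)."""
    method: str
    path: str
    params: dict = field(default_factory=dict)


# Hypothetical blacklist signatures (request patterns). Real WAF rule sets are far larger.
SIGNATURES = {
    "sql_injection": re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*or\s+'?\d|;\s*drop\b|--\s*$)"),
    "xss": re.compile(r"(?i)(<script\b|javascript:|\bon\w+\s*=)"),
    "overflow_attempt": re.compile(r"(.)\1{200,}"),   # 200+ repeats of one byte, e.g. 'A' * 300
}

# Whitelist: paths a client may request directly. Anything else counts as forceful browsing.
ALLOWED_PATHS = {"/", "/login", "/search", "/account"}
MAX_PARAMS = 8   # more parameters than any form in the (hypothetical) application has


def inspect(req: Request) -> list[str]:
    """Return the names of all checks that fire; an empty list means the request passes."""
    hits = set()
    if req.path not in ALLOWED_PATHS:
        hits.add("forceful_browsing")
    if len(req.params) > MAX_PARAMS:
        hits.add("too_many_params")
    for value in req.params.values():
        for name, pattern in SIGNATURES.items():
            if pattern.search(value):
                hits.add(name)
    return sorted(hits)


def filter_requests(requests):
    """Split requests into (passed, blocked), as a blocking reverse proxy would."""
    passed, blocked = [], []
    for r in requests:
        (blocked if inspect(r) else passed).append(r)
    return passed, blocked


# Constructed traffic: one legitimate request, four attacks, and one legitimate request
# that collides with the SQL-injection signature (a false positive).
SAMPLE = [
    Request("GET", "/search", {"q": "network security"}),
    Request("POST", "/login", {"user": "admin' OR '1'='1", "pw": "x"}),
    Request("POST", "/account", {"comment": "<script>alert(1)</script>"}),
    Request("GET", "/admin/backup.tar", {}),
    Request("POST", "/login", {"user": "A" * 300, "pw": "x"}),
    Request("GET", "/search", {"q": "union select committee report 2012"}),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(f"{r.method} {r.path} -> {inspect(r) or 'pass'}")
```

The whitelist side (ALLOWED_PATHS, MAX_PARAMS) needs to be maintained together with the application; the blacklist side needs tuning against the real traffic, because every broadening of a signature buys detections at the price of requests like the last one.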
Firewall Attack/Bypass Techniques
IP source address spoofing
- Doesn't work well with TCP-based attacks (why? the SYN/ACK is sent to the spoofed address, so the attacker never sees it and cannot complete the handshake)
Artificial fragmentation
- The port number is only in the first fragment
- Without reassembly, the attack gets through (why? later fragments carry no transport header, so a filter that does not reassemble cannot match them on ports and has to pass them blind; with overlapping fragments the host may even reassemble a different header than the one the filter inspected, cf. RFC 1858)
Vulnerabilities
- Exploit vulnerabilities in the firewall software/OS
- Exploit vulnerabilities in the target application (the firewall has to pass that port anyway)
Denial of Service
- State explosion (what's the firewall's fallback policy when the state table is full: fail open or fail closed?)
Tunneling/Covert channel
- Submit data in ICMP ping packets, use DNS requests as a channel
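The fragmentation bypass above, simulated in Python as an added example that is not part of the lecture material. It builds the overlapping-fragment attack described in RFC 1858: a naive stateless filter sees a first fragment that looks like part of an existing telnet connection, cannot inspect the second fragment at all, and the host's reassembly ends up with a SYN to port 23 that the policy was meant to block. The same code shows the two RFC 1858 counter-measures. The port numbers, the "ACK means existing connection" policy and the last-fragment-wins reassembly are assumptions of the simulation; a firewall that reassembles before filtering is not affected at all.

```python
import struct
from dataclasses import dataclass

TCP_SYN = 0x02
TCP_ACK = 0x10
ALLOWED_NEW_PORTS = {80}   # assumed policy: new inbound connections only to the web server


@dataclass(frozen=True)
class Fragment:
    offset: int    # fragment offset in 8-byte units, as carried in the IP header
    more: bool     # IP "more fragments" flag
    data: bytes    # the transport-layer bytes this fragment carries


def tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Minimal 20-byte TCP header; seq/ack/window/checksum are zero (irrelevant here)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)


def stateless_filter(frag: Fragment) -> bool:
    """Naive stateless packet filter without reassembly.

    Connection-opening segments (SYN without ACK) are allowed only to ALLOWED_NEW_PORTS.
    Anything with ACK set is taken for part of an existing connection and let through,
    because without state that is the only way to admit replies.
    """
    if frag.offset != 0:
        return True                        # no transport header here: nothing to match on
    if len(frag.data) < 14:
        return False                       # cannot even read the flags byte
    dport = struct.unpack("!H", frag.data[2:4])[0]
    flags = frag.data[13]
    opening = bool(flags & TCP_SYN) and not (flags & TCP_ACK)
    return (not opening) or dport in ALLOWED_NEW_PORTS


def hardened_filter(frag: Fragment) -> bool:
    """Same policy plus the RFC 1858 checks: drop TCP first fragments too short to hold
    the whole header, and drop fragments with offset 1, whose only possible purpose is
    to overwrite header bytes 8-15, where the flags live."""
    if frag.offset == 1:
        return False
    if frag.offset == 0 and len(frag.data) < 20:
        return False
    return stateless_filter(frag)


def reassemble(frags) -> bytes:
    """Host-side reassembly in which a later fragment overwrites overlapping bytes
    ("last wins"). Stacks differ here, which is what makes fragment handling hard."""
    buf = bytearray()
    for f in frags:
        start, end = f.offset * 8, f.offset * 8 + len(f.data)
        if end > len(buf):
            buf.extend(bytes(end - len(buf)))
        buf[start:end] = f.data
    return bytes(buf)


def attack_fragments() -> list:
    """Overlapping-fragment attack against port 23 (constructed).

    Fragment 1 (offset 0, MF set) is a header for port 23 with only ACK set, so the filter
    files it under "existing connection". Fragment 2 (offset 1) covers header bytes 8..19
    and rewrites the flags byte to SYN. The filter passes it without looking.
    """
    first = tcp_header(40000, 23, TCP_ACK)[:16]
    patch = tcp_header(40000, 23, TCP_SYN)[8:20]
    return [Fragment(0, True, first), Fragment(1, False, patch)]


def deliver(frags, filter_fn):
    """Forward the fragments the filter accepts and return what the host reassembles."""
    accepted = [f for f in frags if filter_fn(f)]
    return accepted, reassemble(accepted)


if __name__ == "__main__":
    for name, fn in (("stateless", stateless_filter), ("hardened", hardened_filter)):
        accepted, seg = deliver(attack_fragments(), fn)
        if seg:
            dport = struct.unpack("!H", seg[2:4])[0]
            print(f"{name}: {len(accepted)} fragments passed, host sees dport={dport} flags={seg[13]:#04x}")
        else:
            print(f"{name}: {len(accepted)} fragments passed, nothing reaches the host")
```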
Firewall Detection by Port Scanning
Port scanning
- Identify the potential firewall IP address through traceroute
- Port scan targets, analyze the responses:
  - Check the source IP address of the responses for blocked/open ports
  - Analyze differences in the responses
Firewall detection avoidance
- The firewall improves obscurity by spoofing the source address of the RST/ACK packet to be that of the target host
Tools: nmap, firewalk, hping
Firewall Detection by Exceeding TTL
Play with Time to Live (TTL)
- Set the packet TTL to expire one hop past the firewall
- If the packet is passed by the firewall, a TTL expired message (ICMP_TIME_EXCEEDED) should be received from the hop behind it
- If the packet is blocked by the firewall, either of the following happens:
  - An ICMP administratively prohibited response is received
  - The packet is dropped without comment
Firewall detection evasion
- The firewall checks for low TTLs
- The firewall spoofs or creates the response itself
Trying to keep the existence of your firewall secret is OK, but it's not a security technique.
Firewall Configuration: iptables/netfilter
- Netfilter is the Linux packet filter (in the kernel)
- iptables is the user-mode tool for configuring netfilter
- Can inspect packet contents (deep packet inspection), examine connection state, do NAT
- Rules are grouped in chains, and chains belong to tables. Each table is traversed at certain points of packet processing and is meant for a specific kind of action on the packet
Preconfigured tables
- filter: drop or accept packets
- nat: change source or destination addresses
- mangle: change the packet in more generalised ways (e.g. TTL, TOS/DSCP, packet marks)
- raw: specialised processing before connection tracking (e.g. exempting packets from it)
Netfilter Configuration
Packet flow through the built-in chains (tables traversed at each chain in brackets):
- Network -> PREROUTING [mangle, nat] -> routing decision
- For another machine: -> FORWARD [mangle, filter] -> POSTROUTING [mangle, nat] -> Network
- For this machine: -> INPUT [mangle, filter] -> Local process
- Local process -> routing decision -> OUTPUT [mangle, nat, filter] -> POSTROUTING [mangle, nat] -> Network
Source: http://www.frozentux.net/iptables-tutorial/chunkyhtml/c962.html
iptables/Netfilter: Rule Targets
What to do when a packet matches a rule
- ACCEPT: accept the packet
- DROP: drop the packet on the floor
- REJECT: drop the packet and send an error back (ICMP, or a TCP RST with --reject-with tcp-reset)
- QUEUE: hand the packet off to a user-space process (rarely used)
- RETURN: stop processing in this chain and resume in the calling chain (rarely used)
- MASQUERADE: only in the nat table (POSTROUTING chain): rewrite the source address to the current address of the outgoing interface; SNAT/DNAT rewrite the source/destination to a fixed address
Anatomy of a Netfilter Rule (1)
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
- iptables: netfilter configuration command
- -A INPUT: append to the end of the INPUT chain (in the filter table, the default)
- -i eth0: incoming packet on interface eth0
- -m state --state ESTABLISHED,RELATED: load the state module; the packet belongs to an established connection, or is related to one (e.g. an ICMP error, an FTP data connection)
- -j ACCEPT: jump to the ACCEPT target (= accept the packet)
Meaning: accept all packets destined for this machine that belong to a preexisting connection.
Anatomy of an iptables Rule (2)
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 80 --syn -j ACCEPT
- -p tcp: protocol is TCP
- -s 0/0 -d 0/0: any source, any destination (network addresses in CIDR notation; 0/0 is shorthand for 0.0.0.0/0)
- --destination-port 80: packet is going to port 80 (HTTP)
- --syn: packet has the SYN flag set and ACK, RST, FIN clear, i.e. it opens a connection
- -j ACCEPT: accept the packet
Meaning: accept all packets destined for this machine that want to establish an HTTP connection.
iptables Example Script (Not Complete)
# -P = policy = default policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# -F = flush = remove all rules so that the chain is empty
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -F -t nat
# eth1 = internal net, eth0 = Internet, lo = loopback
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
# Something missing here?
iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j DROP
iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
# Something weird here?
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 80 --syn -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 443 --syn -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 22 --syn -j ACCEPT
Source: http://oceanpark.com/notes/firewall_example.html
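To see how netfilter walks the INPUT chain of this script, here is a small Python model, added here and not from the slides or from the netfilter project. It parses the script's INPUT rules, applies first-match semantics with the chain's DROP policy, and models connection tracking as the set of flows the firewall has already seen. The firewall address 198.51.100.1 and the test packets are constructed. Besides showing which rule decides for ordinary packets, it makes one ordering effect visible: because the ESTABLISHED,RELATED accept comes before the anti-spoofing drops, and conntrack entries do not record the interface, a packet arriving on eth0 that spoofs an internal host's live connection is accepted in this model (real conntrack would additionally demand plausible TCP sequence numbers). Moving the anti-spoofing drops to the front of the chain, or enabling reverse path filtering, closes that.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str               # interface the packet arrived on (-i)
    proto: str               # "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: int = 0
    syn_only: bool = False   # SYN set, ACK/RST/FIN clear: what --syn matches


@dataclass
class Rule:
    target: str
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: str = "0.0.0.0/0"
    dport: Optional[int] = None
    syn: bool = False
    state: frozenset = frozenset()


NO_ARG = {"iptables", "--syn"}   # tokens that take no argument


def parse_rule(line: str) -> Rule:
    """Parse the subset of 'iptables -A INPUT ...' syntax the example script uses."""
    rule, toks, i = Rule(target="ACCEPT"), line.split(), 0
    while i < len(toks):
        t = toks[i]
        if t in NO_ARG:
            rule.syn = rule.syn or t == "--syn"
            i += 1
            continue
        v = toks[i + 1]
        if t == "-j":
            rule.target = v
        elif t == "-i":
            rule.iface = v
        elif t == "-p":
            rule.proto = v
        elif t == "-s":
            rule.src = "0.0.0.0/0" if v == "0/0" else v
        elif t in ("--destination-port", "--dport"):
            rule.dport = int(v)
        elif t == "--state":
            rule.state = frozenset(v.split(","))
        # -A <chain>, -m <module> and -d 0/0 add nothing this model needs
        i += 2
    return rule


def matches(rule: Rule, pkt: Packet, established: bool) -> bool:
    """Every match option of the rule must agree with the packet."""
    if rule.iface and rule.iface != pkt.iface:
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.syn and not pkt.syn_only:
        return False
    if rule.state and ("ESTABLISHED" if established else "NEW") not in rule.state:
        return False
    return True


def walk_chain(rules, policy, pkt, conntrack):
    """First matching rule decides; the chain policy applies when nothing matches.
    conntrack is simplified to the set of (src, dst, proto, dport) tuples already seen;
    the real table also tracks source ports, direction, TCP windows and timeouts, but,
    like this one, it does not record interfaces."""
    established = (pkt.src, pkt.dst, pkt.proto, pkt.dport) in conntrack
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt, established):
            return rule.target, n
    return policy, None


# The INPUT rules of the example script, in script order.
SCRIPT_INPUT = [parse_rule(l) for l in """
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j DROP
iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 80 --syn -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 443 --syn -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 22 --syn -j ACCEPT
""".strip().splitlines()]
# The same rules with the two anti-spoofing DROPs moved to the front.
SPOOF_FIRST = SCRIPT_INPUT[3:5] + SCRIPT_INPUT[:3] + SCRIPT_INPUT[5:]

FW = "198.51.100.1"   # assumed address of the firewall's eth0; all packets below are constructed
WEB_SYN = Packet("eth0", "tcp", "203.0.113.9", FW, 80, syn_only=True)
TELNET = Packet("eth0", "tcp", "203.0.113.9", FW, 23, syn_only=True)
BARE_ACK = Packet("eth0", "tcp", "203.0.113.9", FW, 80)        # ACK without any known connection
SPOOFED = Packet("eth0", "tcp", "192.168.0.7", FW, 22, syn_only=True)
SPOOF_EST = Packet("eth0", "tcp", "192.168.0.7", FW, 22)       # claims to be an internal host's live ssh session
CONNTRACK = {("192.168.0.7", FW, "tcp", 22)}                   # 192.168.0.7 really did connect, via eth1

if __name__ == "__main__":
    for name, pkt, ct in [("web SYN", WEB_SYN, set()), ("telnet SYN", TELNET, set()),
                          ("bare ACK", BARE_ACK, set()), ("spoofed SYN", SPOOFED, set()),
                          ("spoofed established", SPOOF_EST, CONNTRACK)]:
        print(f"{name:20s} script order: {walk_chain(SCRIPT_INPUT, 'DROP', pkt, ct)}"
              f"   anti-spoof first: {walk_chain(SPOOF_FIRST, 'DROP', pkt, ct)}")
```

The bare ACK to port 80 is the case a stateless filter would have to admit; here it falls through to the DROP policy because the ESTABLISHED rule needs a conntrack entry and the --syn rule needs a connection-opening segment.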
Organizational (Not Technical) Challenges
Large rulesets
- Firewall rulesets are complex and grow over time, to thousands of rules on a single firewall
- Rulesets are hard to manage and understand (do they really reflect your security policy?)
Big organizations
- Tools are needed to manage hundreds of firewalls securely
- What is the process to change rulesets?
Conflicting goals: networking vs. security staff
- Networking staff: paid for providing connectivity, blamed for disruptions
- Security staff: paid to protect, and protecting usually means disrupting connectivity
Introduction to Intrusion Detection and Prevention Systems (IDS/IPS)
Firewalls are Not Enough
- Firewalls can't block all malicious traffic
- Many ports must be kept open for legitimate applications to run, and attacks travel over those ports
- Users unwittingly download dangerous applications or other forms of malicious code
- Peer-to-peer and instant messaging have introduced new infection vectors
- Protection inside the security perimeter is required
Remember: Always on = Always a target
Intrusion Detection / Intrusion Prevention
Intrusion Detection
- (Tries to) detect intrusions on the network (but see the discussion of the false positive rate below)
- Traffic is compared to a database of attack signatures, or to a model of normal behaviour
- Various detection methods and techniques exist (see the classification below)
Intrusion Prevention
- Selectively block traffic after detection (the IPS sits inline; an IDS usually only observes a copy of the traffic)
IDS/IPS output
- Alerts (many of them false positives)
  - Very sensitive to rule sets and traffic characteristics (10% < FP < 95%)
- Action (block, pass), reporting, analysis
http://www.infosecwriters.com/hhworld/hh8/ava.txt
http://www.cs.ucdavis.edu/research/tech-reports/2007/cse-2007-1.pdf
Fred Cohen (1984): Completely Precise Intrusion Detection is Not Possible
- Assume you have an algorithm D that always decides correctly whether a given packet is malicious or not
- Now build a packet P with the following features:
  - It contains code that will be executed on the target computer
  - On the target computer, it runs D on P itself
  - If D says P is benign, then delete some files
  - Else terminate without doing anything
- So P is malicious if and only if D says it's OK: whatever D answers is wrong, contradicting the assumption, so no such D exists
- (Originally a result on viruses; the argument is the same diagonalization as for the halting problem)
IDSs generate lots of events... (figure)
Classification of IDS / IPS
Dimensions: object of observation, point of observation, method of observation
Object of observation
- Packet: analysis of packet headers and content
- Flow: analysis of flow parameters (IP addresses, ports, number of packets, number of bytes, timing parameters, ...)
Point of observation
- Host: by software running in the host, or a device monitoring one host
- Network: by data collectors attached at strategic places in the network
Method of observation
- Signature: comparison of observed events against a database of signatures of malicious events
- Behavior: detection of deviation from the normal state; requires knowledge of ground truth (what "normal" looks like)
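The flow/behavior cell of this classification, as an added Python example that is not part of the slides. Flow records carry no payload, so signatures cannot be applied to them; instead a baseline of "normal" is learned from traffic assumed to be clean (the ground truth the slide requires) and deviations from it are flagged. The feature here is how many distinct (host, port) targets a source contacts per minute, which catches a fast port scan. The flow records, addresses and the mean + 3 sigma threshold are constructed for the illustration, and a deliberately slow scan shows how an attacker stays below such a threshold.

```python
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record, what a NetFlow/IPFIX exporter hands an IDS (constructed here)."""
    ts: float      # start time in seconds
    src: str
    dst: str
    dport: int
    packets: int
    bytes: int


def distinct_targets(flows, window: float) -> dict:
    """Behaviour feature: distinct (dst, dport) pairs each source touched per time window."""
    seen = defaultdict(set)
    for f in flows:
        seen[(f.src, int(f.ts // window))].add((f.dst, f.dport))
    return {key: len(targets) for key, targets in seen.items()}


def learn_threshold(clean_flows, window: float, k: float = 3.0) -> float:
    """Learn 'normal' from traffic assumed clean: mean + k standard deviations, with a
    floor of 1 on the deviation so a very regular baseline does not flag every small change."""
    values = list(distinct_targets(clean_flows, window).values())
    return statistics.mean(values) + k * max(statistics.pstdev(values), 1.0)


def detect_scanners(flows, threshold: float, window: float) -> list:
    """Sources whose distinct-target count in any window exceeds the learned threshold."""
    return sorted({src for (src, _), n in distinct_targets(flows, window).items() if n > threshold})


WINDOW = 60.0
SRV = "198.51.100.5"

# Constructed baseline: office clients talking to a handful of services.
CLEAN = [
    Flow(5, "10.0.0.11", SRV, 80, 12, 5400),
    Flow(7, "10.0.0.11", SRV, 443, 30, 21000),
    Flow(10, "10.0.0.12", "198.51.100.6", 22, 200, 40000),
    Flow(65, "10.0.0.11", "198.51.100.7", 53, 2, 180),
    Flow(70, "10.0.0.13", SRV, 80, 15, 6100),
    Flow(71, "10.0.0.13", "198.51.100.7", 53, 2, 160),
    Flow(72, "10.0.0.13", SRV, 443, 25, 18000),
]
# Constructed attack: a fast vertical scan, 20 ports in 20 seconds, one SYN per flow.
FAST_SCAN = [Flow(100 + i, "10.0.0.66", SRV, 21 + i, 1, 60) for i in range(20)]
# Constructed evasion: the same scan at one port per minute stays under the threshold.
SLOW_SCAN = [Flow(60 * i + 30, "10.0.0.77", SRV, 1000 + i, 1, 60) for i in range(6)]


def run():
    """Learn the baseline from CLEAN, then look for scanners in the mixed traffic."""
    threshold = learn_threshold(CLEAN, WINDOW)
    return threshold, detect_scanners(CLEAN + FAST_SCAN + SLOW_SCAN, threshold, WINDOW)


if __name__ == "__main__":
    threshold, scanners = run()
    print(f"threshold={threshold:.2f} distinct targets per {WINDOW:.0f}s, flagged={scanners}")
```

Two caveats follow directly from the code: the baseline is only as good as the assumption that CLEAN really was clean (a scanner present during training raises the threshold), and any window-based threshold can be undercut by slowing down, which is the trade-off between false positives and missed detections that the FP figures above describe.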