Network-level Filtering: Firewall, Network-based Intrusion Detection
Dawn Song, dawnsong@cs.berkeley.edu
(Title figure: Internet -- Firewall -- Internal Network)

This Lecture
- Firewalls
- Intrusion Prevention Systems
- Perimeter defense between the Internet and the intranet: block traffic that violates the security policy

Power of Network-based Filtering
- Mechanism
- Challenges
Why do it, as opposed to host-based filtering?
- Central chokepoint: a single place at which to enforce a security policy on 1,000s of machines (similar to airport security: few entrances)
- Firewall operation does not rely on host security
Power: broad spectrum
- Packet filtering: stateless, header-based only
- Application firewall: stateful, content-based, understands application semantics

Packet Filters: Security Policy Based on the IP Header
- The simplest kind of firewall is a packet filter: a router with a list of access control rules
- The router checks each received packet against the rules to decide whether to forward or drop it
- Each rule specifies which packets it applies to, based on the packet's header fields: source and destination IP addresses, port numbers, and protocol names (or wildcards)
- Each rule also specifies an action for matching packets: ALLOW or DROP
- Rule format:  ACTION  PRTCL  SRC  PT  DEST  PT
- A TCP service is specified by a machine's IP address and a TCP port number on it
  - Web server www.cs.berkeley.edu at 169.229.60.105, port 80
  - Mail service at 169.229.60.93, port 25
  - UDP services are identified similarly
- Identify each service with a triplet (m, r, p): m is the machine's IP address (A.B.C.D/MASK), r is a TCP/UDP protocol identifier, p is the port number
- The list of rules is examined one by one; the first matching rule determines how the packet is handled

Example
Want to allow:
- Inbound mail connections to our mail server (1.2.3.4, port 25)
- All outbound connections
- Nothing else
Consider this ruleset:
  ACTION  PRTCL  SRC      PT  DEST     PT
  allow   tcp    *        *   1.2.3.4  25
  allow   tcp    1.2.3.*  *   *        *
  drop    *      *        *   *        *

Problem: Outbound Connections Fail
- An inside host opens a TCP connection to port 80 on an external machine
- The initial SYN packet is passed through by rule 2
- The SYN/ACK packet coming back is dropped: it fails rule 1 (not destined for port 25), fails rule 2 (source is not an inside host), and matches rule 3 (DROP)
- This policy doesn't work: TCP connections are bidirectional
  - 3-way handshake: send SYN, receive SYN/ACK, send ACK, then send DATA with the ACK bit set
- Distinguish between two kinds of inbound packets:
  - Allow inbound packets associated with an outbound connection to pass
  - Restrict inbound packets associated with an inbound connection

Inbound versus Outbound Connections
- Key idea: use a feature of TCP. The ACK bit is set on all packets except the first one
- Recipients discard any TCP packet with the ACK bit set if the packet is not associated with an existing TCP connection
- Solution ruleset:
  ACTION  PRTCL  SRC      PT  DEST       PT
  allow   tcp    *        *   1.2.3.4    25
  allow   tcp    1.2.3.*  *   *          *
  allow   tcp    *        *   int hosts  *   if ACK bit set
  drop    *      *        *   *          *

Example: Using This Ruleset
- An outside attacker tries to exploit a finger service (TCP port 79) vulnerability by opening an inbound TCP connection to our finger server
- Attempt 1: sends a SYN packet to an internal machine. The packet doesn't have the ACK bit set, so the firewall rules drop it
- Attempt 2: sends a SYN/ACK packet to an internal machine. The firewall permits the packet, but the TCP stack then drops it: the ACK bit is set, but the packet isn't part of an existing connection
- Rules 1 and 3 allow inbound connections to port 25 on machine 1.2.3.4
- Rules 2 and 3 allow outbound connections to any port
- We can specify policies restricting inbound connections arbitrarily

IP Spoofing: Another Security Hole
- The IP protocol doesn't prevent an attacker from sending a packet with a wrong (spoofed) source address; most routers ignore source addresses
- Suppose 1.2.3.7 is an internal host
- The attacker sends a spoofed TCP SYN packet: source address 1.2.3.7, destination address = a target internal machine, destination port 79 (rule 2 allows it)
- The target replies with a SYN/ACK packet to 1.2.3.7 and waits for the ACK to finish the 3-way handshake
- The attacker sends a spoofed TCP ACK packet, then sends a data packet

Attack Analysis
- The attack allows connections to internal hosts: this violates our security policy and lets the attacker exploit any security holes (e.g., the finger service vulnerability)
- Caveat: the attacker has to guess the Initial Sequence Number set by the target in the SYN/ACK packet sent to 1.2.3.7 (many ways to guess)

Modified Solution
- The packet filter marks each packet with the ID of the interface it arrived on, and rules match on interface IDs
- Recall: the router has 2 interfaces and forwards packets from one to the other. Internal interface = in, external interface = out
- New ruleset:
  ACTION  PRTCL  SRC  IFACE  DEST     PT  IFACE
  allow   tcp    *    out    1.2.3.4  25  in
  allow   tcp    *    in     *        *   out
  allow   tcp    *    out    *        *   in   if ACK bit set
  drop    *      *    *      *        *   *
- Allows inbound packets only if destined to 1.2.3.4 port 25 (rule 1) or if the ACK bit is set (rule 3); drops all other inbound packets
- Clean solution: defeats the IP spoofing threat
- Simplifies ruleset administration: no hardcoded list of internal hosts

Other Kinds of Firewalls
- Packet filters are quite crude firewalls: network level, using only the TCP/UDP and IP headers
- Alternative: examine the contents of the data field
- Application-layer firewalls (application firewalls) can enforce more restrictive security policies and transform data on the fly
- For more information on firewalls, read Cheswick, Bellovin, and Rubin, "Firewalls and Internet Security: Repelling the Wily Hacker"
- Packet filtering software is available for many OSs: Linux iptables, OpenBSD/FreeBSD PF, and the Windows XP SP2 firewall

Deployment
- Extremely broad deployment; many commercial products
- High-speed firewalls, IPSes
- New products on webapp filtering

Administrivia
- Proj 2: mean 23.7, standard deviation 2.6; 9 groups got extra credit

Network-based Intrusion Detection/Prevention
- Often stateful, deep packet inspection: full stream reassembly, content-based analysis
- Examples: Snort, Bro, commercial appliances
- Detection methods:
  - Misuse detection (signature-based), e.g., Snort rules
  - Anomaly detection (specification-based or statistical), e.g., port scanning detection
- Often much more complex than packet filters

Attacks on NIDS
- Algorithmic complexity attacks
- Evasion attacks
- Stealthy port scanning

Algorithmic Complexity Attacks
- DoS attacks are not only serious for denying service, but can be more severe when used as a component of another attack: a DoS attack on an IDS enables other attacks to remain undetected
- "Denial of Service via Algorithmic Complexity Attacks" by Crosby and Wallach

Complexity Attack on Hash Table
- On average, a hash table has O(n) overhead to insert n elements
- In the worst case, a hash table may have O(n^2) overhead to insert n elements
- Attack against the Perl hash table, 90K inserts: random keys 2 sec; worst case 6500 sec

Complexity Attack Against Bro NIDS
- Bro uses a simple xor to hash values for its hash table
- Problem: easy to find collisions

Evasion / Normalization
- Complete fragment reassembly necessary to detect
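Returning to the packet-filter rulesets above, here is an added example (not from the lecture) that models first-match packet filtering in Python and replays the naive, ACK-bit and interface-based rulesets on constructed packets. The Packet class, the decisions() helper, the hosts 1.2.3.9 and 5.6.7.8, and the use of "in"/"out" as arrival-interface values are assumptions for illustration; the rule order and columns follow the slides.

```python
from dataclasses import dataclass

INTERNAL_PREFIX = "1.2.3."   # the slides' internal network, 1.2.3.*

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    ack: bool = False     # TCP ACK bit
    iface: str = "out"    # arrival interface: "in" = internal side, "out" = external side

def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)

def first_match(rules, p: Packet) -> str:
    """Packet-filter semantics from the slides: scan rules in order; the first
    rule whose predicate holds decides ALLOW or DROP."""
    for _name, action, pred in rules:
        if pred(p):
            return action
    raise ValueError("ruleset must end with a catch-all rule")

# Ruleset 1: mail in to 1.2.3.4:25, anything out from 1.2.3.*, drop the rest.
NAIVE = [
    ("rule1 mail",     "allow", lambda p: p.dst == "1.2.3.4" and p.dport == 25),
    ("rule2 outbound", "allow", lambda p: is_internal(p.src)),
    ("rule3 default",  "drop",  lambda p: True),
]
# Ruleset 2: additionally let packets with the ACK bit set reach internal hosts.
ACKBIT = NAIVE[:2] + [
    ("rule3 ack",     "allow", lambda p: is_internal(p.dst) and p.ack),
    ("rule4 default", "drop",  lambda p: True),
]
# Ruleset 3 (modified solution): decide by arrival interface, never by source address.
IFACE = [
    ("rule1 mail",     "allow", lambda p: p.iface == "out" and p.dst == "1.2.3.4" and p.dport == 25),
    ("rule2 outbound", "allow", lambda p: p.iface == "in"),
    ("rule3 ack",      "allow", lambda p: p.iface == "out" and p.ack),
    ("rule4 default",  "drop",  lambda p: True),
]
RULESETS = {"naive": NAIVE, "ackbit": ACKBIT, "iface": IFACE}

def decisions(p: Packet) -> dict:
    """Verdict of each ruleset for one packet."""
    return {name: first_match(rs, p) for name, rs in RULESETS.items()}

# Constructed packets (not captured traffic): the SYN/ACK returning for an outbound web
# connection, and a SYN to port 79 claiming internal source 1.2.3.7 but arriving from outside.
SYNACK_FROM_WEB = Packet("5.6.7.8", "1.2.3.9", 40000, ack=True, iface="out")
SPOOFED_SYN = Packet("1.2.3.7", "1.2.3.9", 79, ack=False, iface="out")
```

decisions(SYNACK_FROM_WEB) shows the naive ruleset dropping a legitimate reply while the other two pass it; decisions(SPOOFED_SYN) shows that only the interface-based ruleset drops the spoofed packet.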
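An added example for the hash-table complexity slides (not the lecture's code and not Bro's): a separate-chaining table that counts key comparisons, so the O(n) versus O(n^2) insert cost can be measured directly, alongside a secret-keyed hash as one standard mitigation. The xor-of-32-bit-words hash is an assumed stand-in for the "simple xor" the slides mention; the key sets are constructed inline.

```python
import hashlib, os, random
from itertools import permutations

def xor_hash(key: bytes) -> int:
    """Toy stand-in for the 'simple xor' hash the slides attribute to Bro: xor of the
    key's 32-bit words. Xor is commutative, so reordering a key's words keeps its hash."""
    h = 0
    for i in range(0, len(key), 4):
        h ^= int.from_bytes(key[i:i + 4], "big")
    return h

SECRET = os.urandom(16)   # fresh per process, so bucket placement is unpredictable

def keyed_hash(key: bytes) -> int:
    """Mitigation: a secret-keyed hash; without SECRET nobody can choose colliding keys."""
    return int.from_bytes(hashlib.blake2b(key, key=SECRET, digest_size=8).digest(), "big")

class ChainedTable:
    """Separate-chaining table that counts key comparisons (the work spent walking chains)."""
    def __init__(self, hashfn, nbuckets: int = 1024):
        self.hashfn, self.compares = hashfn, 0
        self.buckets = [[] for _ in range(nbuckets)]
    def insert(self, key: bytes, value) -> None:
        chain = self.buckets[self.hashfn(key) % len(self.buckets)]
        for i, (k, _) in enumerate(chain):    # duplicate check walks the whole chain
            self.compares += 1
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))

def insert_cost(hashfn, keys) -> int:
    table = ChainedTable(hashfn)              # total comparisons: ~O(n) spread, O(n^2) colliding
    for k in keys:
        table.insert(k, None)
    return table.compares

def random_keys(n: int) -> list:
    rng = random.Random(1)                    # constructed, reproducible sample input
    return [rng.getrandbits(256).to_bytes(32, "big") for _ in range(n)]

def colliding_keys(n: int) -> list:
    """n distinct 32-byte keys with one xor_hash value: orderings of the same eight words."""
    words = [i.to_bytes(4, "big") for i in range(1, 9)]
    return [b"".join(p) for _, p in zip(range(n), permutations(words))]

def compare(n: int = 1000) -> dict:
    return {"xor/random": insert_cost(xor_hash, random_keys(n)),
            "xor/colliding": insert_cost(xor_hash, colliding_keys(n)),
            "keyed/colliding": insert_cost(keyed_hash, colliding_keys(n))}
```

compare(1000) gives a few hundred comparisons for random keys and for the keyed hash, but exactly 1000*999/2 = 499,500 for the colliding set under xor_hash, the quadratic blow-up the slides describe.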