CMPT 471 Networking II: Filtering, Wrappers, Proxies
© Janice Regan, 2006-2013
Posted on 21-Jan-2016 (slide transcript)

Slide 1: CMPT 471 Networking II: Filtering, Wrappers, Proxies
Slide 2: Packet Filtering
- A basic technique for providing network security.
- Most often done by the router or multi-homed host connecting the local network to the outside world (the Internet); security is provided at one location.
- The router may be implemented on a Linux host using ipchains or iptables (software in the host), or it may be a dedicated piece of hardware with onboard software.
Slide 3: Packet Filtering
- Normally a router:
  - examines the IP destination address and determines where to forward each packet;
  - runs software that updates and maintains the routing tables on which forwarding is based.
- A packet filtering router also examines the packet headers to determine whether they are consistent with the security policies: if they are consistent, the packet is forwarded; if not, the packet is dropped (and logged).
Slide 4: Packet Filtering Router
- Allows you to determine the type of packets that should be passed between the Internet and your internal network, based on information in each packet's headers:
  - MAC header (transport layer): source and destination Ethernet addresses, arriving and departing interface, protocol type.
  - IP header (network layer): source and destination IP address, IP options.
Slide 5: Summary: Linux Packet Filtering
[Figure: arriving packets go through routing; packets for local processes pass the INPUT chain, packets generated by local processes pass the OUTPUT chain and routing to become outgoing packets, and packets routed straight through pass the FORWARD chain.]
Slide 6: Packet Filtering Router
- Allows you to determine the type of packets that should be passed between the Internet and your internal network, based on information in each packet's headers:
  - ICMP, UDP, TCP and IGMP headers: message types, source and destination port numbers, TCP control flags, ...
Slide 7: Filtering a Packet
- When a filter is applied to a packet, one or more of the following actions may occur:
  - forward the packet to the destination;
  - drop the packet without notifying the sender;
  - drop the packet and return a notifying error message to the sender;
  - log information about the packet (for possible later analysis);
  - notify an administrator about the packet (for potentially dangerous packets).
Slide 8: Filtering a Packet
- The filtering of a packet may also cause:
  - modification of the packet (e.g. translating addresses for NAT);
  - sending the packet to a destination other than the one given in its header (e.g. to a proxy rather than to the final destination);
  - sending the packet to one of a list of destinations (servers) for load balancing;
  - modification of the filtering rules (e.g. accept replies to a UDP packet that was sent, but not UDP packets in general; or deny all traffic from an address that sent the filtering router a hostile packet).
Slide 9: What to Filter? Some examples
- Remove suspicious packets that may be a danger to the network behind the filters. For example: packets arriving from outside the network with a source address inside the local network (forged, or due to a leak).
- Limit contacts (usually by IP address; Ethernet addresses are also used):
  - limit the addresses that can be contacted from within the network;
  - limit the addresses from which packets can gain access into the network.
- Limit the protocols available.
Slide 10: What to Filter? Some examples
- Allow/disallow IP options (screening individual options is more expensive):
  - source routing or traceroute can be used to gain information about your private network and can be a large security hole;
  - fragmentation can be used to attack a system.
- Screen which services you make available to those outside your firewall and within your firewall:
  - services using specific ports can be blocked by filtering out all packets to the designated ports;
  - you may want to block "dangerous" services like TFTP, X Windows and remote login services.
Slide 11: Limiting contacts
- Limit the addresses that can be contacted from within the network:
  - allow only particular blocks of addresses, only attach to needed sites;
  - disallow contact with inappropriate sites.
- Limit the addresses from which packets can gain access into the network:
  - block troublesome sites (spammers, ...);
  - allow only trusted sites.
Slide 12: Limiting contacts: problems
- These contact-limiting filters, based on source (or destination) address, are not foolproof.
- Remember that it is possible to spoof (make it appear that the packet is coming from an acceptable IP address); all that is needed is some software to custom-build packets.
- A sender on a host you have filtered out can still get packets into your system by making them appear to come from a host you trust.
Slide 13: Limiting contacts: addressing problems
- The only way to be sure that packets are really coming from where they indicate, and have not been changed or created en route, is to require that the packets be authenticated.
- Authentication along with address filtering is more effective than address filtering alone.
- Note that we can filter on destination or source address but not on user: the user is not a property stored in the headers.
Slide 14: Limiting Protocols: protocol checking
- You may disallow protocols that use particular well-known ports by filtering out any packets bound for those ports (about to be sent or received).
- You may allow some protocols by opening, or leaving open, the well-known ports they use. However:
  - it is possible to write an application that uses a well-known port for a purpose other than the protocol normally assigned to it;
  - it is possible to send malformed packets to the ports; this is a component of some well-known attacks.
- You should filter to remove packets destined for well-known open ports that do not conform to the format of the expected protocol.
Slide 15: Fragmentation and filtering
- Only the first packet of a fragmented IP datagram contains the TCP or UDP header.
- The other fragments cannot be filtered using rules based on port numbers (no TCP or UDP header, so no port numbers).
- Since an IP stack will throw away the packet unless all fragments are received, filter the first fragment and rely on IP to throw away the rest.
  - This may work for incoming packets.
  - It is not always sufficient for protecting outgoing packets.
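As an added example (not from the slides), here is a small header-based filter in Python that applies the policies from slides 8 to 15: dropping packets arriving from outside with an internal source address, blocking the "dangerous" well-known ports, accepting inbound UDP only as a reply to a request the inside sent, and applying port rules to the first fragment only. Packet, Filter, INTERNAL_NET and the 192.168.10.0/24 prefix are constructed names and values, not anything from the course material.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed sample values: the protected network and the "dangerous" services
# named on slide 10 (TFTP 69/udp, rlogin 513/tcp, X Windows 6000-6063/tcp).
INTERNAL_NET = ipaddress.ip_network("192.168.10.0/24")
BLOCKED_PORTS = {("udp", 69), ("tcp", 513)} | {("tcp", p) for p in range(6000, 6064)}

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "icmp", ...
    iface: str                 # "ext" = arrived from the Internet, "int" = from inside
    frag_offset: int = 0       # > 0 means this is not the first fragment
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass
class Filter:
    log: list = field(default_factory=list)
    # Dynamic rule state (slide 8): UDP requests the inside has sent and may get replies to.
    pending_udp: set = field(default_factory=set)

    def decide(self, pkt: Packet) -> Tuple[str, str]:
        src = ipaddress.ip_address(pkt.src)
        # Slide 9: a packet from outside claiming an internal source is forged (or leaked).
        if pkt.iface == "ext" and src in INTERNAL_NET:
            return self._drop(pkt, "spoofed internal source address")
        # Slide 15: only the first fragment carries the TCP/UDP header, so port rules
        # cannot apply to later fragments; the receiver's IP stack discards orphans.
        if pkt.frag_offset > 0:
            return "ACCEPT", "non-first fragment, no ports to check"
        if pkt.proto in ("tcp", "udp"):
            if pkt.sport is None or pkt.dport is None:
                return self._drop(pkt, "transport header lacks ports")
            if (pkt.proto, pkt.dport) in BLOCKED_PORTS:
                return self._drop(pkt, "blocked service port")
        if pkt.proto == "udp":
            if pkt.iface == "int" and src in INTERNAL_NET:
                self.pending_udp.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return "ACCEPT", "outbound UDP request, reply now permitted"
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.pending_udp:
                self.pending_udp.discard(key)
                return "ACCEPT", "reply to an earlier outbound UDP request"
            return self._drop(pkt, "unsolicited inbound UDP")
        return "ACCEPT", "no rule matched"

    def _drop(self, pkt: Packet, why: str) -> Tuple[str, str]:
        # Slide 7: dropped packets are logged for possible later analysis.
        self.log.append(f"DROP {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} ({why})")
        return "DROP", why
```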
Slide 16: Fragmentation and filtering
- Consider outgoing packets. They can have two sources:
  - A legitimate internal user sending a packet out through your firewall. This is a very difficult way for a malicious internal user to get data out; there are many easier ways, and you cannot protect against this.
  - A hacker who has managed to send a packet into your system that requested a large packet be returned. In this second case the correct approach is to protect the system against the request packet.
Slide 17: Fragmentation and filtering
- If a hacker does manage to get your system to send a large packet that must be fragmented (perhaps a copy of a password database!):
  - all of the large packet except the first fragment will be passed through the packet filter;
  - all fragments but the first are passed through the firewall to the Internet;
  - the hacker can capture the fragments and compromise the network's security by accessing their contents.
Slide 18: Other problems with fragments
- In normal operation fragments will not overlap.
- Attackers (and sometimes bugs) may purposely send fragments that do overlap.
- OSs react differently to overlapping fragments; many of them react very badly:
  - denial of service attacks: overlapping fragments slowing or crashing the OS;
  - hiding of damaging data that would otherwise be filtered.
Slide 19: Solving problems with fragments
- Easiest approach: do not allow fragmentation.
  - Can cause a connection to fail when a fragmented packet is sent/received (difficult to debug).
- Preferred approach: have the firewall hold the fragments and reassemble them before forwarding (re-fragmentation may then be necessary).
  - Leaves the firewall open to denial of service attacks when an attacker sends a large number of fragments to saturate the firewall.
Slide 20: Solving problems with fragments
- It is usually not possible for the firewall to predict what the final reassembled packet will be in the cases where the fragments overlap.
- In regions where fragments overlap, the final contents of the reassembled packet are OS-implementation dependent. The contents may be taken from the first fragment that arrived, the last fragment that arrived, the earliest fragment in the packet, or the latest fragment in the packet.
- Prediction before forwarding is not practical.
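An added example (not from the slides) that reassembles one constructed set of overlapping fragments under each of the four policies the slide lists, to show why a firewall cannot know in advance what the receiving OS will see. `reassemble`, `overlaps` and `outcomes` are hypothetical names; the fragment bytes are constructed.

```python
from typing import Dict, List, Tuple

Fragment = Tuple[int, bytes]   # (byte offset within the datagram, payload)
POLICIES = ("first_arrived", "last_arrived", "earliest", "latest")

def reassemble(frags: List[Fragment], policy: str) -> bytes:
    """Reassemble fragments given in ARRIVAL order. `policy` chooses which fragment
    wins where two overlap: the first to arrive, the last to arrive, the earliest
    (lowest offset) in the datagram, or the latest (highest offset) in the datagram.
    Bytes no fragment covers are left as zeros."""
    total = max(off + len(data) for off, data in frags)
    buf = bytearray(total)
    # Writes are applied in an order such that the winning fragment is written last.
    if policy == "first_arrived":
        order = list(reversed(frags))
    elif policy == "last_arrived":
        order = list(frags)
    elif policy == "earliest":
        order = sorted(frags, key=lambda f: f[0], reverse=True)
    elif policy == "latest":
        order = sorted(frags, key=lambda f: f[0])
    else:
        raise ValueError(f"unknown policy {policy!r}")
    for off, data in order:
        buf[off:off + len(data)] = data
    return bytes(buf)

def overlaps(frags: List[Fragment]) -> bool:
    # True if any two fragments claim the same byte position.
    spans = sorted((off, off + len(data)) for off, data in frags)
    return any(spans[i][1] > spans[i + 1][0] for i in range(len(spans) - 1))

def outcomes(frags: List[Fragment]) -> Dict[str, bytes]:
    # What each reassembly policy would deliver to the application.
    return {p: reassemble(frags, p) for p in POLICIES}

if __name__ == "__main__":
    # Constructed sample: the third fragment arrives last and overlaps the first two.
    sample = [(0, b"AAAAAAAA"), (4, b"BBBBBBBB"), (2, b"CC")]
    for policy, data in outcomes(sample).items():
        print(f"{policy:>14}: {data!r}")
```

Non-overlapping fragment sets give the same bytes under every policy; the overlapping sample above does not, which is the prediction problem the slide describes.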
Slide 21: Source Routing
- May provide information about your private network that you do not wish to publish.
- Allows information to be extracted from your network. Spoofing alone will not do it: you can get information in, but you have lied about your address, so you will not get any replies.
- However, source routing can be used to conceal the identity of the true sender.
Slide 22: Source Routing
- If you construct a source-routed packet with your address as one of the intermediate addresses in the source route, and an acceptable address as the source of the source route, you may be able to intercept the resulting packet on the way back.
- IPv6 prohibits this by preventing the return of packets along a source route unless the source of those packets has been authenticated.
Slide 23: Source Routing Example
- Suppose hosts F and T are friendly, and host H is a hacker trying to attack host F.
- A packet is sent from H which H claims comes from T. ".r" indicates the receiving interface, ".t" the transmitting interface.

  Src   Dst    LIST
  F     R3.r   R1.t, H.t, T        packet transmitted from H
  F     T      R1.t, H.t, R3.t     rewrite as packet leaves R3
Slide 24: Source Routing Example
- When T receives the packet it will construct the reply using source routing, with the source route order reversed.

  Src   Dst    LIST
  T     R3.t   H.t, R1.t, F        return packet as transmitted from F
  T     H.t    R3.r, R1.t, F       rewrite as packet leaves R1

- H intercepts the packet and does not forward it.
Slide 25: Summary: Linux Packet Filtering
[Figure repeated from slide 5: arriving packets, routing, INPUT chain, local processes, OUTPUT chain, routing, outgoing packets, with the FORWARD chain for packets routed straight through.]
Slide 26: Built-in Linux filtering function
- There are three built-in 'chains', INPUT, FORWARD and OUTPUT, where you can place packet filtering rules. The iptables command is used to administer each chain.
- Rules in the INPUT chain are applied to packets that are destined for processes running on the local host.
- Rules in the OUTPUT chain are applied to packets that are generated by processes running on the local host.
- Rules in the FORWARD chain are applied to packets that arrive at this host and will be immediately forwarded to another host.
Slide 27: Advantages of Packet Filtering
- One screening router can be used to protect a whole network.
- The simplest filters are extremely efficient in comparison to alternative solutions like proxies.
- Many applications and filtering systems are easily available, both commercial and freeware.
Slide 28: Disadvantages of Packet Filtering
- Filtering rules can be difficult to configure.
- Filtering rules can be hard to test.
- Filtering rules can interact with each other and produce unexpected results.
- Not all protocols can be intercepted with filtering.
- Not all policies can be implemented using filtering.
- Packet filtering reduces router performance.
- Failures in filtering packages or sets of filtering rules may cause security breaches that do not cause failure of the filtering application.
Slide 29: Wrappers: 1
- Filtering works using the header information only. To use further information (application-level contents), use a wrapper to encase the application.
- Rather than executing the application directly, the wrapper is executed. It:
  - checks commands and parameters being passed;
  - looks for 'dangerous' inputs or outputs: checks inputs for buffer overflow attacks, and checks outputs to prevent sending proprietary data from your site;
  - may log traffic.
Slide 30: Wrappers
- When convinced the packet is safe, the wrapper calls the application and passes on the packet.
- If the application wants to send a reply, the reply packet is sent to the wrapper; the wrapper checks it and sends the packet on.
- Wrappers can also be used to:
  - probe for more information about the client;
  - log requests and replies;
  - provide messages informing potential clients of alternative available methods of communication.
Slide 31: Example: Why use wrappers
- Preventing buffer overflow attacks.
- Simple approach: some character sequences can be expanded to very large blocks of characters. These large blocks may overflow a buffer, corrupting the stack frame beyond the end of the buffer.
- More sophisticated approach: direct the attack, making the buffer overrun overwrite the return address of a subroutine. When the subroutine returns, it returns to the attacker's code rather than the originally intended code.
Slide 32: Proxies
[Figure: a user's client in the protected network talks to a proxy at the firewall, and the proxy talks to the server on the Internet.]
Slide 33: How a proxy works
- A prospective client contacts the proxy agent.
- The proxy agent repackages the client's request; the resulting request appears to originate from the proxy agent.
- The proxy agent sends the message to the server.
- The server's reply returns to the proxy agent.
- The proxy agent again repackages the message and sends it to the original client.
- From the client's point of view the proxy looks like the server; from the server's point of view the proxy looks like the client.
Slide 34: Approaches to Proxying: 1
- Proxy-aware user procedures:
  - The client program is unaware that it is talking to a proxy rather than directly to the server.
  - Requires users to execute extra steps to use the proxy: the user must connect to the proxy, then instruct the proxy to make a connection to the server.
Slide 35: Approaches to Proxying: 2
- Proxy-aware client (application software):
  - The client is modified to understand how to deal with a proxy (for external and sometimes internal connections).
  - The user of the application does not need to know that the client is modified (except possibly for installation); to the user the client appears the same as an unmodified client.
  - If modified clients are available, this is the easiest and most robust approach to proxying.
  - Some commonly available examples include web browsers, ftp and telnet (only some applications and platforms).
Slide 36: Approaches to Proxying: 3
- Proxy-aware operating system:
  - Modified system calls: replace the network programming libraries with modified libraries that support proxies. This may also require some changes to the clients (modified calls).
  - May cause problems with statically linked software, software using custom dynamically linked libraries, and software that attempts to modify connections.
Slide 37: Approaches to Proxying: 4
- Proxy-aware router:
  - Transparent proxying (transparent to the client).
  - Hybrid proxying (like filtering + proxy): packet interception and diversion. Packets are filtered as they pass some choke point in the network, and some types of packets are diverted to a proxy (based on addresses, ports, ...).
  - Has similar problems to packet filtering.
Slide 38: Types of Proxies
- Application-specific proxies:
  - Allow the application to provide additional services like monitoring of protocol exchanges and control based on protocol actions.
  - May be required by applications that exchange IP addresses or port information (not using the IP header).
Slide 39: Types of Proxies
- Generic proxies:
  - Do not understand the applications they proxy.
  - Provide basic packet relay functionality, address and port mapping.
  - Provide logging.
Slide 40: Using Proxies
- Generally used to allow hosts in a local network to access external servers on the Internet.
- Straightforward to use proxies for services that run over TCP connections using well-known ports.
- Possible to use proxies for services that run over UDP connections using well-known ports.
- More difficult (may require application-specific proxies) to use proxies for services that use transparent ports and/or combinations of TCP and UDP.
Slide 41: TCP proxy using well-known port
- An internal machine connecting to an external TCP server contacts the internal machine running the proxies. The internal machine sees the proxy as the server.
- The proxy checks the request from the internal machine and modifies it as necessary (e.g. replacing the source address with the address of the proxy).
- The proxy machine sends the request to the server.
Slide 42: TCP proxy using well-known port
- The server replies to the proxy. The server sees the proxy as the destination of its connection.
- The proxy receives the reply, modifies it as necessary and forwards it to the internal client machine.
- The proxy maintains the connections between the internal client and the external server.
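As an added example (not the slides' code), a minimal generic TCP proxy on the loopback interface demonstrating slides 33, 41 and 42: the client only ever connects to the proxy, the proxy opens its own connection to the server, and the server records the proxy's port as its peer, never the client's. `run_demo`, `serve_proxy`, `serve_once` and `_relay` are hypothetical names; the echo server stands in for the external server.

```python
import socket
import threading

def _relay(src: socket.socket, dst: socket.socket) -> None:
    # Copy bytes src -> dst until src signals end of stream, then pass that on.
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def serve_proxy(listener: socket.socket, server_addr, seen: dict) -> None:
    # Accept one client, open a NEW connection to the real server (so the request
    # appears to originate from the proxy), and relay in both directions.
    client, _ = listener.accept()
    upstream = socket.create_connection(server_addr)
    seen["proxy_port"] = upstream.getsockname()[1]   # the address the server will see
    t = threading.Thread(target=_relay, args=(client, upstream))
    t.start()
    _relay(upstream, client)
    t.join()
    client.close()
    upstream.close()

def serve_once(listener: socket.socket, seen: dict) -> None:
    # Stand-in "external server": records its peer and echoes the request back.
    conn, peer = listener.accept()
    seen["server_saw_port"] = peer[1]
    conn.sendall(b"echo:" + conn.recv(4096))
    conn.close()

def run_demo(message: bytes = b"hello") -> dict:
    srv = socket.socket(); srv.bind(("127.0.0.1", 0)); srv.listen(1)
    prx = socket.socket(); prx.bind(("127.0.0.1", 0)); prx.listen(1)
    seen: dict = {}
    threads = [threading.Thread(target=serve_once, args=(srv, seen)),
               threading.Thread(target=serve_proxy, args=(prx, srv.getsockname(), seen))]
    for t in threads:
        t.start()
    # The client talks only to the proxy's address: to it, the proxy is the server.
    with socket.create_connection(prx.getsockname()) as c:
        seen["client_port"] = c.getsockname()[1]
        c.sendall(message)
        c.shutdown(socket.SHUT_WR)
        seen["reply"] = b"".join(iter(lambda: c.recv(4096), b""))
    for t in threads:
        t.join()
    srv.close(); prx.close()
    return seen
```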
Slide 43: UDP proxy
- Additional complications: UDP is connectionless.
  - Packets can be lost; replies may not arrive.
  - UDP packets not associated with the application may also arrive in the same time window, so responses must be matched to requests.
  - This is not usually possible for a generic proxy, which may simply use a time window and pass all UDP packets received (there are risks here).
Slide 44: Generic Proxy: Modified system calls
- SOCKS handles TCP and UDP by substituting the SOCKS library for the standard socket library.
- RFC 1928 (SOCKSv5) also provides authentication of the client by the server.
Slide 45: Advantages of proxying
- Can log activity of the server or client; can keep critical command packets only.
- Can provide caching of information sent/received; can improve performance by reducing retransmission of data.
- Can authenticate users; easier than with packet filtering.
- Can provide filtering, looking at specific types of connections; may be able to filter more specifically and effectively.
Slide 46: Disadvantages of proxying
- May need protocol- or application-specific proxies; this increases installation and maintenance.
- May require modifications to clients and applications: added work, and may not be possible for proprietary applications.
- May not be available for the most up-to-date versions of protocols or applications; may delay your site being able to offer new services.