CMPT 471 Networking II: Filtering, Wrappers, Proxies
Packet Filtering • A basic technique for providing network security • Most often done by the router or multi-homed host connecting the local network to the outside world (the Internet) • Security is provided at one location, a choke point through which all traffic must pass • The router may be implemented on a Linux host using ipchains or iptables (software in the host) • The router may also be a dedicated piece of hardware with onboard software
Packet Filtering • Normally a router • examines the IP destination address and determines where to forward each packet • runs software that updates and maintains the routing tables on which forwarding is based • A packet filtering router also examines the packet headers to determine whether they are consistent with the security policy • If they are consistent the packet is forwarded • If they are not consistent the packet is dropped (and usually logged)
Packet Filtering Router • Allows you to determine the type of packets that should be passed between the Internet and your internal network, based on information in each packet's headers • MAC header (link layer): • source and destination Ethernet addresses, • protocol type (EtherType), • together with the arriving and departing interface, which the router knows even though it is not carried in the header • IP header (network layer): • source and destination IP address • IP options • fragmentation fields (the fragment offset tells you whether this is the first fragment)
Packet Filtering Router • Allows you to determine the type of packets that should be passed between the Internet and your internal network, based on information in each packet's headers • ICMP, UDP, TCP and IGMP headers: • message types (ICMP, IGMP), • source and destination port numbers (TCP, UDP), • TCP control flags (SYN, ACK, RST, ...)
Filtering a Packet • When a filter is applied to a packet, the packet may cause one or more of the following actions to occur • Forward the packet to its destination • Drop the packet without notifying the sender • Drop the packet and return an error message (e.g. an ICMP unreachable) to the sender • Log information about the packet (for possible later analysis) • Notify an administrator about the packet (for potentially dangerous packets)
Filtering a Packet • The filtering of a packet may also cause • Modification of the packet (e.g. translating addresses for NAT) • Sending of the packet to a destination other than the one given in its header (e.g. to a proxy rather than to the final destination) • Sending of the packet to one of a list of destinations (servers) for load balancing • Modification of the filtering rules (e.g. accept replies to a UDP packet we just sent, but not unsolicited UDP packets; or deny all further traffic from an address that sent the filtering router a hostile packet)
What to Filter? Some examples • Remove suspicious packets that may be a danger to the network behind the filters. For example • Packets arriving from outside the network with a source address inside the local network (forged, or due to a leak of internal addresses) • Limit contacts (usually by IP address; Ethernet addresses are also used) • Limit the addresses that can be contacted from within the network • Limit the addresses from which packets can gain access into the network • Limit the protocols available
What to Filter? Some examples • Allow/disallow IP options (screening individual options is more expensive than dropping every packet that carries options) • Source routing or traceroute can be used to map your private network, and source routing in particular can be a large security hole • Fragmentation can be used to attack a system • Screen which services you make available to those outside your firewall and within your firewall • Services using specific ports can be blocked by filtering out all packets to the designated ports • You may want to block "dangerous" services like TFTP, X Windows and the remote login services
Limiting contacts • Limit the addresses that can be contacted from within the network • Allow only particular blocks of addresses; connect only to the sites that are needed • Disallow contact to inappropriate sites • Limit the addresses from which packets can gain access into the network • Block troublesome sites (spammers ...) • Allow only trusted sites
Limiting contacts: problems • These contact-limiting filters, based on source (or destination) address, are not foolproof • Remember that it is possible to spoof (make it appear that the packet is coming from an acceptable IP address) • All that is needed is software to custom build packets • A sender on a host you have filtered out can still get packets into your network by making them appear to come from a host you trust (the sender will not see the replies unless it also controls the return path, but one-way packets are enough for many attacks)
Limiting contacts: addressing problems • The only way to be sure that packets really come from where they say they come from, and have not been changed or created en route, is to require that the packets be authenticated • Authentication along with address filtering is more effective than address filtering alone • Note that we can filter on destination or source address but not on user; the user is not a property stored in the headers
Limiting Protocols: protocol checking • You may disallow protocols that use particular well-known ports by filtering out any packets bound for those ports (whether about to be sent or received) • You may allow some protocols by opening, or leaving open, the well-known ports they use • It is possible to write an application that uses a well-known port for a purpose other than the protocol normally assigned to it • It is possible to send malformed packets to those ports; this is a component of some well-known attacks • You should therefore also filter out packets destined for open well-known ports that do not conform to the format of the expected protocol
Fragmentation and filtering • Only the first fragment of a fragmented IP datagram contains the TCP or UDP header • The other fragments cannot be filtered using rules based on port numbers (no TCP or UDP header, so no port numbers) • Since an IP stack discards a datagram unless all of its fragments are received, one approach is to filter the first fragment and rely on IP at the destination to throw away the rest • This may work for incoming packets • It is not always sufficient for protecting outgoing packets
Fragmentation and filtering • Consider outgoing packets. They can have two sources • A legitimate internal user sending a packet out through your firewall • Fragments are a very difficult way for a malicious internal user to get data out; there are many easier ways, and you cannot protect against this with fragment handling • An attacker who has managed to send a packet into your system that requests a large packet be returned • In this second case the correct approach is to protect the system against the request packet
Fragmentation and filtering • If an attacker does manage to get your system to send a large packet that must be fragmented • Perhaps a copy of a password database! • all of that packet except the first fragment will pass through the packet filter, since only the first fragment carries the port numbers the rules match on • All fragments but the first are passed through the firewall to the Internet • The attacker can capture the fragments and compromise the network's security by reading their contents
Other problems with fragments • In normal operation fragments do not overlap • Attackers (and sometimes bugs) may purposely send fragments that do overlap • OSs react differently to overlapping fragments, and many of them react very badly • Denial of service: overlapping fragments slowing or crashing the OS • Hiding damaging data that would otherwise be filtered (the first fragment looks harmless to the filter; a later overlapping fragment rewrites it before the destination sees it)
Solving problems with fragments • Easiest approach: do not allow fragmentation • Can cause connections to fail when a fragmented packet is sent/received (difficult to debug) • Preferred approach: have the firewall hold the fragments and reassemble them before forwarding (re-fragmentation may then be necessary) • Leaves the firewall open to denial of service attacks when an attacker sends a large number of fragments to saturate the firewall's reassembly buffers
Solving problems with fragments • It is usually not possible for the firewall to predict what the final reassembled packet will be in the cases where the fragments overlap • In regions where fragments overlap the final contents of the reassembled packet are OS implementation dependent • The contents may be taken from the first fragment that arrived, the last fragment that arrived, the earliest fragment in the packet, or the latest fragment in the packet • Prediction before forwarding is not practical; the safe choice is to drop datagrams whose fragments overlap
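The following is an added example (not from the course notes) illustrating the two fragment slides above: it reassembles the same overlapping fragments under two different policies to show that the end host's view cannot be predicted, and it shows a reassembling firewall refusing overlapping fragments outright. Fragment offsets are in bytes rather than 8-byte units to keep the arithmetic visible, and the fragments are constructed, not captured.

```python
"""Fragment reassembly under two overlap policies, and a firewall check for overlaps.

Added example illustrating the fragment notes above; not course code. Offsets are in
bytes rather than 8-byte units to keep the arithmetic visible, and the fragments are
constructed, not captured.
"""
from typing import List, Optional, Tuple

Fragment = Tuple[int, bytes]   # (byte offset within the datagram, payload), in arrival order


def has_overlap(frags: List[Fragment]) -> bool:
    """In normal operation no two fragments cover the same byte."""
    spans = sorted((off, off + len(data)) for off, data in frags)
    return any(s2 < e1 for (_, e1), (s2, _) in zip(spans, spans[1:]))


def reassemble(frags: List[Fragment], total_len: int, policy: str) -> bytes:
    """Rebuild the datagram. 'first': a byte already received is kept (earlier fragment
    wins); 'last': a later fragment overwrites it. Real stacks differ in exactly this way."""
    buf = bytearray(total_len)
    filled = [False] * total_len
    for off, data in frags:                      # process in arrival order
        for i, b in enumerate(data):
            pos = off + i
            if pos >= total_len:
                raise ValueError("fragment extends past datagram length")
            if policy == "last" or not filled[pos]:
                buf[pos] = b
            filled[pos] = True
    if not all(filled):
        raise ValueError("datagram incomplete")
    return bytes(buf)


def firewall_forward(frags: List[Fragment], total_len: int) -> Optional[bytes]:
    """Reassembling firewall: refuse anything with overlapping fragments, since the end
    host's view cannot be predicted; otherwise forward the reassembled datagram
    (re-fragmentation omitted here)."""
    if has_overlap(frags):
        return None
    return reassemble(frags, total_len, "first")


# Constructed evasion: fragment 1 alone reads as a harmless command and would pass a
# filter that inspects only the first fragment; fragment 2 overlaps and rewrites its tail.
EVASION: List[Fragment] = [(0, b"USER good"), (5, b"evil")]
NORMAL: List[Fragment] = [(0, b"USER "), (5, b"good")]


def demo():
    return {
        "filter_sees": EVASION[0][1],
        "host_first_policy": reassemble(EVASION, 9, "first"),
        "host_last_policy": reassemble(EVASION, 9, "last"),
        "firewall_evasion": firewall_forward(EVASION, 9),
        "firewall_normal": firewall_forward(NORMAL, 9),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20} {value!r}")
```

A filter that checks only the first fragment sees `USER good`; a host that lets later fragments win ends up executing `USER evil`. The firewall policy of dropping any datagram whose fragments overlap sidesteps the prediction problem entirely, at the cost of holding fragments until the datagram is complete.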
Source Routing • Can reveal information about your private network that you do not wish to publish, and allows information to be extracted from your network • Spoofing alone will not do it: you can get packets in, but you have lied about your address so you will not see any replies • Source routing, however, can be used both to conceal the identity of the true sender and to get the replies back to it
Source Routing • If you construct a source-routed packet with your own address as one of the intermediate addresses in the source route, and the address you are impersonating as the origin of the route, you may be able to intercept the reply on its way back, because the destination reverses the recorded route when it replies • IPv6 prohibits this by preventing the return of packets along a reversed source route unless the source of those packets has been authenticated; the IPv6 Type 0 routing header has since been deprecated altogether (RFC 5095), and in practice most IPv4 sites simply drop source-routed packets at the border
Source Routing Example
Suppose hosts F and T are friendly, and host H is an attacker. H sends T a packet whose source address claims it came from F, using a source route in which H appears as an intermediate hop. ".r" indicates the receiving interface of a router, ".t" the transmitting interface.

  Src   Dst    LIST
  F     R3.r   R1.t, H.t, T         packet as transmitted by H
  F     T      R1.t, H.t, R3.t      rewritten as the packet leaves R3

When T receives the packet it constructs the reply using source routing, with the order of the source route reversed:

  Src   Dst    LIST
  T     R3.t   H.t, R1.t, F         return packet as transmitted by T
  T     H.t    R3.r, R1.t, F        rewritten as the packet leaves R3

H intercepts the reply and does not forward it on to F.
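The exchange in the table above, walked through in code as an added example (not course code): a loose source route is modelled the way the IPv4 LSRR option works, with recorded hops before a pointer and hops still to visit after it. The host and router names are the slide's; the "reverse the route unconditionally" versus "do not reverse an unauthenticated route" behaviours of T are the two cases the slides contrast.

```python
"""Loose source routing walk-through for the F / T / H example. Added example, not course code.

The route list holds recorded hops before `ptr` and hops still to visit from `ptr` on,
as in the IPv4 LSRR option. ".r"/".t" are a router's receiving/transmitting interfaces.
"""
from dataclasses import dataclass
from typing import List, Set


@dataclass
class SRPacket:
    src: str
    dst: str
    route: List[str]
    ptr: int = 0


def router_hop(pkt: SRPacket, my_addrs: Set[str], out_addr: str) -> SRPacket:
    """A router whose interface is the current destination takes the next listed
    address as the new destination and records the interface it forwards on."""
    if pkt.dst not in my_addrs:
        raise ValueError("packet is not addressed to this router")
    if pkt.ptr >= len(pkt.route):
        return pkt                          # list exhausted: we are the final destination
    route = list(pkt.route)
    nxt = route[pkt.ptr]
    route[pkt.ptr] = out_addr
    return SRPacket(pkt.src, nxt, route, pkt.ptr + 1)


def build_reply(pkt: SRPacket, reverse_route: bool) -> SRPacket:
    """reverse_route=True: the destination trusts the recorded route and reverses it
    (the behaviour the attack relies on). False: an unauthenticated route is ignored
    and the reply is sent to the claimed source by ordinary routing."""
    if not reverse_route:
        return SRPacket(pkt.dst, pkt.src, [], 0)
    recorded = pkt.route[:pkt.ptr]
    path = list(reversed(recorded)) + [pkt.src]
    return SRPacket(pkt.dst, path[0], path[1:], 0)


R3 = {"R3.r", "R3.t"}


def attack(reverse_route: bool):
    """Returns (packet T received, reply as it leaves R3, whether H can intercept it)."""
    # H forges a packet "from F" whose list pretends it already passed R1 and H (ptr=2).
    forged = SRPacket("F", "R3.r", ["R1.t", "H.t", "T"], ptr=2)
    at_t = router_hop(forged, R3, "R3.t")                 # row 2 of the first table
    rep = build_reply(at_t, reverse_route)                # row 1 of the second table
    if rep.route:                                         # source-routed reply comes back via R3
        rep = router_hop(rep, R3, "R3.r")                 # row 2 of the second table
    return at_t, rep, rep.dst == "H.t"


if __name__ == "__main__":
    for mode in (True, False):
        at_t, rep, intercepted = attack(mode)
        print(f"reverse_route={mode}: T saw {at_t}; reply left R3 as {rep}; "
              f"H intercepts={intercepted}")
```

With route reversal the reply leaves R3 addressed to H.t, exactly as in the table, and H never forwards it. When T refuses to reverse an unauthenticated route, the reply is routed normally to F and H learns nothing.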
Summary: Linux Packet Filtering (diagram) • Arriving packets -> routing decision -> FORWARD chain -> outgoing packets, when the packet is for another host • Arriving packets -> routing decision -> INPUT chain -> local processes, when the packet is for this host • Local processes -> OUTPUT chain -> routing -> outgoing packets
Built-in Linux filtering function • There are three built-in "chains", INPUT, FORWARD and OUTPUT, in which you can place packet filtering rules • The iptables command (ipchains on older kernels) is used to administer each chain; the first rule that matches a packet decides its fate, and the chain's default policy applies if none matches • Rules in the INPUT chain are applied to packets that are destined for processes running on the local host • Rules in the OUTPUT chain are applied to packets that are generated by processes running on the local host • Rules in the FORWARD chain are applied to packets that arrive at this host and will be immediately forwarded to another host
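Added example (not from the course notes) tying the rules from "What to filter" and "Limiting protocols" to the three chains described here: a toy stateless filter in Python. Packets are plain dictionaries built inline rather than captured traffic; the 192.0.2.0/24 network, the router's addresses, the interface names and the rule set are assumptions. It shows chain selection, first-match semantics with a default policy, anti-spoofing on both interfaces, blocking of dangerous services, and the fact that a non-initial fragment has no ports to match on.

```python
"""Stateless packet filter organised as iptables-style INPUT / FORWARD / OUTPUT chains.

Added example for the notes above; not course code or a real firewall. Packets are
plain dicts constructed inline (not captured traffic); the network 192.0.2.0/24, the
router addresses, the interface names and the rule set are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")        # assumed protected network
LOCAL_ADDRS = {"192.0.2.1", "203.0.113.1"}                  # the filtering router's own interfaces
EXT_IF, INT_IF = "eth0", "eth1"                             # outside / inside interfaces
DANGEROUS_PORTS = {69: "tftp", 6000: "x11", 513: "rlogin", 514: "rsh"}


@dataclass
class Rule:
    name: str
    match: Callable[[dict], bool]
    action: str          # ACCEPT, DROP (silent) or REJECT (error returned to sender)
    log: bool = False


def ingress_spoof(p: dict) -> bool:
    """Arrives from outside but claims an inside source address."""
    return p["in_if"] == EXT_IF and ipaddress.ip_address(p["src"]) in INTERNAL_NET


def egress_spoof(p: dict) -> bool:
    """Arrives from inside with a source that is not one of our addresses."""
    return p["in_if"] == INT_IF and ipaddress.ip_address(p["src"]) not in INTERNAL_NET


def dangerous_service(p: dict) -> bool:
    return p.get("dport") in DANGEROUS_PORTS


def non_initial_fragment(p: dict) -> bool:
    """Only the first fragment carries TCP/UDP ports; later ones cannot be port-filtered."""
    return p.get("frag_offset", 0) > 0


def inbound_new_tcp(p: dict) -> bool:
    """Connection attempt from outside aimed at the router itself."""
    return p["in_if"] == EXT_IF and p.get("proto") == "tcp" and p.get("flags") == "SYN"


COMMON = [
    Rule("anti-spoof-in", ingress_spoof, "DROP", log=True),
    Rule("anti-spoof-out", egress_spoof, "DROP", log=True),
    Rule("block-dangerous-services", dangerous_service, "REJECT", log=True),
]
CHAINS: Dict[str, List[Rule]] = {
    "INPUT": COMMON + [Rule("no-new-tcp-to-router", inbound_new_tcp, "DROP")],
    "FORWARD": COMMON + [Rule("drop-non-initial-fragments", non_initial_fragment, "DROP", log=True)],
    "OUTPUT": [],
}
POLICY = {"INPUT": "ACCEPT", "FORWARD": "ACCEPT", "OUTPUT": "ACCEPT"}   # default when nothing matches


def select_chain(p: dict) -> str:
    """Locally generated -> OUTPUT; arriving and addressed to us -> INPUT; otherwise FORWARD."""
    if p.get("in_if") is None:
        return "OUTPUT"
    return "INPUT" if p["dst"] in LOCAL_ADDRS else "FORWARD"


def filter_packet(p: dict, log: List[str]) -> Tuple[str, str]:
    """First matching rule in the selected chain decides; otherwise the chain policy."""
    chain = select_chain(p)
    for rule in CHAINS[chain]:
        if rule.match(p):
            if rule.log:
                log.append(f"{chain} {rule.name} {rule.action} {p['src']}->{p['dst']}")
            return chain, rule.action
    return chain, POLICY[chain]


SAMPLE_PACKETS = [   # constructed; comment gives the expected verdict
    {"in_if": "eth0", "src": "192.0.2.7", "dst": "192.0.2.20", "proto": "tcp", "dport": 22, "flags": "SYN"},      # spoofed inside address: DROP
    {"in_if": "eth0", "src": "198.51.100.5", "dst": "192.0.2.20", "proto": "udp", "dport": 69},                   # TFTP: REJECT
    {"in_if": "eth0", "src": "198.51.100.5", "dst": "192.0.2.20", "proto": "tcp", "dport": 443, "flags": "SYN"},  # HTTPS: ACCEPT
    {"in_if": "eth0", "src": "198.51.100.5", "dst": "203.0.113.1", "proto": "tcp", "dport": 22, "flags": "SYN"},  # SSH to the router: DROP
    {"in_if": None, "src": "203.0.113.1", "dst": "198.51.100.5", "proto": "udp", "dport": 53},                     # router's own DNS query: ACCEPT
    {"in_if": "eth0", "src": "198.51.100.5", "dst": "192.0.2.20", "proto": "udp", "frag_offset": 185},             # later fragment, no ports: DROP
]


def run(packets=SAMPLE_PACKETS):
    log: List[str] = []
    verdicts = [filter_packet(p, log) for p in packets]
    return verdicts, log


if __name__ == "__main__":
    verdicts, log = run()
    for p, v in zip(SAMPLE_PACKETS, verdicts):
        print(v, p)
    print("\n".join(log))
```

The rule ordering matters: the anti-spoofing rules come first in every chain so that a forged inside address can never be accepted by a later, more permissive rule, which is the "rules interact" problem listed under the disadvantages below.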
Advantages of Packet Filtering • One screening router can be used to protect a whole network • The simplest filters are extremely efficient in comparison to alternate solutions like proxies • Many applications and filtering systems easily available, both commercial and freeware
Disadvantages of Packet Filtering • Filtering rules can be difficult to configure • Filtering rules can be hard to test • Filtering rules can interact with each other and produce unexpected results (rule order matters) • Not all protocols can be intercepted with filtering • Not all policies can be implemented using filtering • Packet filtering reduces router performance • Failures in filtering packages or in sets of filtering rules may cause security breaches without causing any visible failure of the filtering application
Wrappers: 1 • Filtering works on header information only. To use further information (application-level contents), use a wrapper to encase the application • Rather than executing the application directly, the wrapper is executed • It checks the commands and parameters being passed • It looks for "dangerous" inputs or outputs • Checks inputs for buffer overflow attacks (over-long or malformed fields) • Checks outputs to prevent sending proprietary data from your site • It may log traffic
Wrappers • When convinced the packet is safe the wrapper calls the application and passes on the packet • If the application wants to send a reply, the reply packet is sent to the wrapper • The wrapper checks it and sends the packet on • Wrappers can also be used to • Probe for more information about the client • Log requests and replies • Provide messages informing potential clients of alternative available methods of communication
Example: Why use wrappers • Preventing buffer overflow attacks • Simple approach (from the attacker's side) • Some character sequences can be expanded to very large blocks of characters • These large blocks may overflow a buffer, corrupting the stack frame beyond the end of the buffer • More sophisticated approach • Direct the attack: make the buffer overrun overwrite the return address of a subroutine • When the subroutine returns it will jump to the attacker's code rather than the originally intended code • A wrapper that rejects over-long or malformed input before the application ever sees it stops both variants
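An added example (not course code) of the wrapper idea from the three slides above: a wrapper sits in front of a stand-in line-oriented service, checks the request length against the application's buffer size, the command against an allow-list and the argument against a safe character set, and then screens the reply for a proprietary-data marker before letting it out. The stand-in application, the command set, the 256-byte buffer limit and the CONFIDENTIAL marker are all assumptions.

```python
"""Wrapper that screens requests and replies around a line-oriented service.

Added example, not course code. The stand-in application, the command set, the
256-byte buffer limit and the CONFIDENTIAL marker are all assumptions.
"""
import re
from typing import Callable, Dict, List

MAX_LINE = 256                                  # assumed size of the wrapped program's input buffer
ALLOWED_COMMANDS = {b"GET", b"LIST", b"QUIT"}
SAFE_ARG = re.compile(rb"^[A-Za-z0-9_.-]*$")    # no slashes, spaces or control bytes
PROPRIETARY_MARKER = b"CONFIDENTIAL"

FILES: Dict[bytes, bytes] = {                   # constructed data served by the stand-in application
    b"public.txt": b"hello world",
    b"plan.txt": b"CONFIDENTIAL: merger plan",
}


def fragile_app(line: bytes) -> bytes:
    """Stand-in for the real server, which trusts its input completely."""
    cmd, _, arg = line.partition(b" ")
    if cmd == b"GET":
        return b"200 " + FILES.get(arg, b"404 no such file")
    if cmd == b"LIST":
        return b"200 " + b" ".join(FILES)
    if cmd == b"QUIT":
        return b"221 bye"
    return b"500 " + line          # echoes unknown input back; a C original would copy it into a fixed buffer


def wrapped(line: bytes, app: Callable[[bytes], bytes], log: List[str]) -> bytes:
    """Wrapper checks, in order: length, command, argument, then the application's reply."""
    if len(line) > MAX_LINE:
        log.append(f"REJECT length={len(line)}")              # would overflow the application's buffer
        return b"500 request too long"
    cmd, _, arg = line.partition(b" ")
    if cmd not in ALLOWED_COMMANDS:
        log.append(f"REJECT command={cmd!r}")
        return b"500 command not permitted"
    if not SAFE_ARG.match(arg) or b".." in arg:
        log.append(f"REJECT argument={arg!r}")
        return b"500 bad argument"
    reply = app(line)                                          # only now does the application see the input
    if PROPRIETARY_MARKER in reply:
        log.append(f"BLOCK-OUT {cmd!r} {arg!r}")               # output screening
        return b"550 blocked by policy"
    log.append(f"PASS {cmd!r} {arg!r} -> {reply[:3]!r}")
    return reply


REQUESTS = [                                                   # constructed test traffic
    b"GET public.txt",
    b"GET " + b"A" * 300,              # oversized: a classic overflow probe
    b"EXEC /bin/sh",                   # not a permitted command
    b"GET ../etc/passwd",              # argument outside the allowed character set
    b"GET plan.txt",                   # allowed request whose reply would leak proprietary data
]


def run(requests=REQUESTS):
    log: List[str] = []
    return [wrapped(r, fragile_app, log) for r in requests], log


if __name__ == "__main__":
    replies, log = run()
    for req, rep in zip(REQUESTS, replies):
        print(req[:40], b"->", rep)
    print("\n".join(log))
```

Note that `fragile_app` itself happily answers `GET plan.txt`; the leak is stopped only by the wrapper's output check, which is the case the slides describe as checking outputs to prevent proprietary data leaving the site.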
Proxies (diagram) • The user and the client sit on the protected network • The proxy runs at the firewall between the protected network and the Internet • The server is on the Internet; the client's traffic reaches it only through the proxy
How a proxy works • A prospective client contacts the proxy agent • The proxy agent repackages the client's request; the resulting request appears to originate from the proxy agent • The proxy agent sends the message to the server • The server's reply returns to the proxy agent • The proxy agent again repackages the message and sends it to the original client • From the client's point of view the proxy looks like the server • From the server's point of view the proxy looks like the client
Approaches to Proxying: 1 • Proxy-aware user procedures • The client program is unaware that it is talking to a proxy rather than directly to the server • Requires users to execute extra steps to use the proxy • The user must connect to the proxy • The user must then instruct the proxy to make a connection to the server
Approaches to Proxying: 2 • Proxy-aware client (application software) • The client is modified to understand how to deal with a proxy (for external, and sometimes internal, connections) • The user of the application does not need to know that the client is modified (except possibly for installation); to the user the client appears the same as an unmodified client • If modified clients are available this is the easiest and most robust approach to proxying • Some commonly available examples include web browsers, FTP and telnet clients (only for some applications and platforms)
Approaches to Proxying: 3 • Proxy-aware operating system • Modified system calls: • Replace the network programming libraries with modified libraries that support proxies • This may also require some changes to the clients (modified calls) • May cause problems with • Statically linked software • Software using custom dynamically linked libraries • Software that attempts to manipulate its own connections
Approaches to Proxying: 4 • Proxy-aware router • Transparent proxying (transparent to the client) • Hybrid proxying (like filtering + proxy) • Packet interception and diversion • Packets are filtered as they pass some choke point in the network • Some types of packets are diverted to a proxy (based on addresses, ports ...) • Has similar problems to packet filtering
Types of Proxies • Application-specific proxies: • allow the proxy to provide additional services like • monitoring of protocol exchanges • control based on protocol actions • may be required by applications that exchange IP addresses or port information inside the application data (not in the IP header) • Generic proxies: • do not understand the applications they proxy • provide basic packet relay functionality, address and port mapping • provide logging
Using Proxies • Generally used to allow hosts in a local network to access external servers on the Internet • Straightforward to use proxies for services that run over TCP connections using well-known ports • Possible to use proxies for services that run over UDP using well-known ports • More difficult (may require application-specific proxies) to use proxies for services that use dynamically negotiated ports, such as FTP data connections, and/or combinations of TCP and UDP
TCP proxy using a well-known port • An internal machine connecting to an external TCP server instead contacts the internal machine running the proxies. The internal machine sees the proxy as the server • The proxy checks the request from the internal machine and modifies it as necessary (e.g. replacing the source address with the address of the proxy) • The proxy machine sends the request to the server
TCP proxy using a well-known port • The server replies to the proxy. The server sees the proxy as the other end of its connection • The proxy receives the reply, modifies it as necessary and forwards it to the internal client machine • The proxy maintains the two connections, internal client to proxy and proxy to external server, for the lifetime of the session
UDP proxy • Additional complications: • UDP is connectionless • Packets can be lost • Replies may not arrive • UDP packets not associated with the application may also arrive in the same time window • The proxy must match responses to requests • Not usually possible for a generic proxy to do this at the application level • It may simply use a time window and pass all UDP packets received on the mapped port within it (there are risks here: anyone who can guess the port and window can inject a reply)
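An added example (not course code) of the generic UDP proxy state described above: each outbound request opens a mapping from a proxy-side port back to the internal client, and only a datagram from the server that was asked, to that port, within the time window is relayed; anything else is dropped and recorded. The proxy address, the port pool and the 5-second window are assumptions, and the exchange is constructed.

```python
"""Generic UDP proxy: request/reply matching with a time window.

Added example, not course code. The proxy address, the port pool and the 5-second
window are assumptions; the traffic is constructed, not captured.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Addr = Tuple[str, int]
PROXY_ADDR = "203.0.113.1"          # assumed external address of the proxy host
WINDOW_SECONDS = 5.0


@dataclass
class Mapping:
    client: Addr
    server: Addr
    proxy_port: int
    expires: float


class UdpProxy:
    def __init__(self):
        self.table: Dict[Tuple[Addr, Addr], Mapping] = {}
        self.by_port: Dict[int, Mapping] = {}
        self.next_port = 40000
        self.dropped: List[Tuple[Addr, int]] = []

    def outbound(self, now: float, client: Addr, server: Addr, payload: bytes):
        """Internal client -> server: rewrite the source to a proxy port and (re)open the window."""
        key = (client, server)
        m = self.table.get(key)
        if m is None:
            m = Mapping(client, server, self.next_port, 0.0)
            self.next_port += 1
            self.table[key] = m
            self.by_port[m.proxy_port] = m
        m.expires = now + WINDOW_SECONDS
        return (PROXY_ADDR, m.proxy_port), server, payload      # (new source, destination, payload)

    def inbound(self, now: float, src: Addr, proxy_port: int, payload: bytes):
        """Server -> proxy: relay only if this server was asked, on this port, inside the window."""
        m = self.by_port.get(proxy_port)
        if m is None or m.server != src or now > m.expires:
            self.dropped.append((src, proxy_port))
            return None
        return m.server, m.client, payload                        # (source, internal destination, payload)

    def expire(self, now: float) -> int:
        """Forget mappings whose window has closed; returns how many were removed."""
        stale = [k for k, m in self.table.items() if now > m.expires]
        for k in stale:
            m = self.table.pop(k)
            self.by_port.pop(m.proxy_port, None)
        return len(stale)


def scenario():
    """Constructed exchange: a DNS query, its reply, a spoofed reply, and a late reply."""
    client = ("192.0.2.10", 5000)
    dns = ("198.51.100.53", 53)
    rogue = ("198.51.100.99", 53)          # right port, wrong server
    proxy = UdpProxy()
    out = proxy.outbound(0.0, client, dns, b"query example.com")
    proxy_port = out[0][1]
    good = proxy.inbound(0.5, dns, proxy_port, b"answer 192.0.2.44")
    spoofed = proxy.inbound(0.6, rogue, proxy_port, b"answer 203.0.113.66")
    late = proxy.inbound(7.0, dns, proxy_port, b"answer too late")
    removed = proxy.expire(7.0)
    return out, good, spoofed, late, removed, proxy.dropped


if __name__ == "__main__":
    for item in scenario():
        print(item)
```

The match on the server's address and port is what separates this from the slide's "pass all UDP packets received in the window" shortcut; the window still has to be short, because a spoofer who forges the server's source address is not caught by this check.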
Generic Proxy: Modified system calls • SOCKS: handles TCP and UDP by substituting the SOCKS library for the standard socket library • RFC 1928 • SOCKSv5 also provides authentication of the client by the SOCKS server (the username/password sub-negotiation is RFC 1929)
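The SOCKS5 handshake from RFC 1928, with the RFC 1929 username/password sub-negotiation, as an added example (not course code or a SOCKS library): both sides' messages are built and parsed byte by byte, and a small in-process `handshake` runs client and server against each other. The host name, port, credentials and the allowed-host policy are constructed.

```python
"""SOCKS5 (RFC 1928) message construction and parsing for both sides of the handshake.

Added example, not course code or a SOCKS library. The host name, port, the
username/password pair (RFC 1929 sub-negotiation) and the allow-list are constructed.
"""
import socket
import struct
from typing import Tuple

VER = 0x05
NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_SUCCEEDED, REP_NOT_ALLOWED = 0x00, 0x02


def client_greeting(methods) -> bytes:
    """VER NMETHODS METHODS"""
    return bytes([VER, len(methods)]) + bytes(methods)


def server_select(greeting: bytes, supported) -> bytes:
    """VER METHOD; METHOD is 0xFF when nothing the client offered is acceptable."""
    ver, n = greeting[0], greeting[1]
    if ver != VER or len(greeting) != 2 + n:
        raise ValueError("malformed greeting")
    for m in greeting[2:]:
        if m in supported:
            return bytes([VER, m])
    return bytes([VER, NO_ACCEPTABLE])


def userpass_request(user: bytes, password: bytes) -> bytes:
    """RFC 1929: VER(0x01) ULEN UNAME PLEN PASSWD"""
    return bytes([0x01, len(user)]) + user + bytes([len(password)]) + password


def userpass_check(req: bytes, creds) -> bytes:
    """RFC 1929 reply: VER STATUS, STATUS 0x00 means success."""
    ulen = req[1]
    user = req[2:2 + ulen]
    plen = req[2 + ulen]
    pw = req[3 + ulen:3 + ulen + plen]
    return bytes([0x01, 0x00 if creds.get(user) == pw else 0x01])


def connect_request(host: str, port: int) -> bytes:
    """VER CMD RSV ATYP DST.ADDR DST.PORT; ATYP chosen from the form of `host`."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:                                  # not a dotted quad: send the name
        h = host.encode()
        addr = bytes([ATYP_DOMAIN, len(h)]) + h
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_request(req: bytes) -> Tuple[int, str, int]:
    """Server side: returns (cmd, host, port); rejects trailing or missing bytes."""
    ver, cmd, rsv, atyp = req[:4]
    if ver != VER or rsv != 0:
        raise ValueError("malformed request")
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntoa(req[4:8]), req[8:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, rest = req[5:5 + n].decode(), req[5 + n:]
    else:
        raise ValueError("address type not handled in this example")
    if len(rest) != 2:
        raise ValueError("malformed request")
    return cmd, host, struct.unpack("!H", rest)[0]


def server_reply(rep: int, bnd_host: str = "0.0.0.0", bnd_port: int = 0) -> bytes:
    """VER REP RSV ATYP BND.ADDR BND.PORT"""
    return bytes([VER, rep, 0x00, ATYP_IPV4]) + socket.inet_aton(bnd_host) + struct.pack("!H", bnd_port)


def handshake(allowed_hosts, creds, user, pw, host, port):
    """Run both sides in-process; returns the REP byte, or None if negotiation fails earlier."""
    sel = server_select(client_greeting([NO_AUTH, USERPASS]), {USERPASS})   # server insists on auth
    if sel[1] != USERPASS:
        return None
    if userpass_check(userpass_request(user, pw), creds)[1] != 0x00:
        return None
    cmd, h, p = parse_request(connect_request(host, port))
    rep = REP_SUCCEEDED if (cmd == CMD_CONNECT and h in allowed_hosts) else REP_NOT_ALLOWED
    return server_reply(rep, "203.0.113.1", 40000)[1]   # assumed bound address of the proxy
```

The server refuses the NO_AUTH method even though the client offers it, which is the point of the slide's remark that SOCKSv5 lets the proxy authenticate its clients; the connect request is then checked against policy before any outbound connection would be made.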
Advantages of proxying • Can log activity of the server or client • Can keep only the critical command packets in the log • Can cache information sent/received • Can improve performance by reducing retransmission of data • Can authenticate users • Easier than with packet filtering, since the proxy sees the application-level exchange • Can provide filtering • Looking at specific types of connections • May be able to filter more specifically and effectively
Disadvantages of proxying • May need protocol- or application-specific proxies • This increases installation and maintenance effort • May require modifications to clients and applications • Added work • May not be possible for proprietary applications • May not be available for the most up-to-date versions of protocols or applications • May delay your site's ability to offer new services