1 / 43

Computer Security: Principles and Practice

Computer Security: Principles and Practice. Routers: Read: Chapter 7 – Denial of Service. Second Edition by William Stallings and Lawrie Brown Lecture slides by Susan Lincke & Lawrie Brown. Objectives. Objectives: The student shall be able to:

lieu
Download Presentation

Computer Security: Principles and Practice

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Computer Security: Principles and Practice Routers: Read: Chapter 7 – Denial of Service Second Edition by William Stallings and Lawrie Brown Lecture slides by Susan Lincke & Lawrie Brown

  2. Objectives Objectives: The student shall be able to: • Define and describe the advantage of ingress filtering, egress filtering, black hole filtering, direct broadcast filtering, unicast reverse path forwarding. • Write CISCO commands to (for example): • Prevent tcp packets with port numbers ranging between 135 to 139 into the network from or to any IP address and log any violations. • Write two commands to establish a state-driven evaluation that allows only outgoing tcp connections to be established • Write ACLs in the correct order to configure a secure and efficient interface. • Save the active configuration to non-volatile memory (Not 2012)

  3. Classic Denial of Service Attacks • can use simple flooding ping • from higher capacity link to lower • causing loss of traffic • source of flood traffic easily identified

  4. TCP Connection Handshake

  5. SYN Spoofing • common attack • attacks ability of a server to respond to future connection requests • overflowing tables used to manage them • hence an attack on system resource

  6. SYN Spoofing Attack

  7. Types of Flooding Attacks • classified based on network protocol used • ICMP Flood • uses ICMP packets, e.g. echo request • typically allowed through, some required • UDP Flood • alternative uses UDP packets to some port • TCP SYN Flood • use TCP SYN (connection request) packets • but for volume attack

  8. DDoS Control Hierarchy

  9. Distributed Denial of Service Attacks • have limited volume if single source used • multiple systems allow much higher traffic volumes to form a Distributed Denial of Service (DDoS) Attack • often compromised PC’s / workstations • zombies with backdoor programs installed • forming a botnet • e.g. Tribe Flood Network (TFN), TFN2K

  10. Reflection Attacks • further variation creates a self-contained loop between intermediary and target • fairly easy to filter and block

  11. Amplification Attacks Send to Broadcast IP address: FF FF

  12. DoS Attack Defenses • high traffic volumes may be legitimate • result of high publicity, e.g. “slash-dotted” • or to a very popular site, e.g. Olympics etc • or legitimate traffic created by an attacker • three lines of defense against (D)DoS: • attack prevention and preemption • attack detection and filtering • attack source traceback and identification

  13. Attack Prevention Src=130.72.33.0 • block spoofed source addresses • on routers as close to source as possible • still far too rarely implemented • rate controls in upstream distribution nets • Slow down the originator or ‘upstream’ • e.g. some packet types: ICMP, some UDP, TCP/SYN • use modified TCP connection handling • use SYN cookies or encoded sequence # when table full • or selective or random drop when table full IP 130.69.84.0

  14. Attack Prevention • block IP directed broadcasts • block suspicious services & combinations • manage application attacks with “puzzles” to distinguish legitimate human requests: e.g., CAPTCHA • good general system security practices: e.g., hardened system • use mirrored and replicated servers when high-performance and reliability required

  15. Router Interfaces Interfaces are named according to their speeds: • Ethernet = 10bT • FastEthernet = 100bT • GBICethernet or GbEthernet = 1000bT • Serial = WAN CSU/DSU (with command: clockrate 56000) • 0 or 1 = on fixed format routers this is interface 0 or 1 • 0/0 = On Modular routers (which ours are) this is the first port on the first card of the router... • 0/1 = Second port first card • 1/0 = second card first port Example: On some routers you can have the following interfaces: • Ethernet 0 • FastEthernet 0/0 • FastEthernet 0/1 • FastEthernet 0/2 • FastEthernet 0/3 • GBICethernet 0/0 • GBICEthernet 1/0

  16. Router Configuration FastEthernet 0/0 FastEthernet 0/1 In In Net FilterIn LAN FilterIn Internet LAN Net FilterOut LAN FilterOut Out Out Ingress Filtering Egress Filtering Unicast Reverse Path Filtering

  17. Ingress Filtering Ingress Filtering: Filter packets coming from Internet into the zoned network • Protect against flooding, malicious activity from network • Filter IP addresses: 0.0.0.0/8, 127.0.0.0/8, 192.0.2.0/24, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, 224.0.0.0/4 • Unicast Reverse Path Filtering: Prevents spoofing. • Further addresses listed at: http://www.cymru.com/Documents/bogon-dd.html

  18. Egress Filtering • Egress Filtering: Filter packets leaving internal network or zone towards internet • Prevents spoof or other attacks from affecting other networks Rules: • Default Permit: “That which is not expressly forbidden is permitted” • Default Deny: “That which is not expressly permitted is forbidden” Which would be used for Ingress Filtering, Egress Filtering?

  19. Unicast Reverse Path Forwarding • Prevent Forgery/Spoofing: Block packets from outside with source IP Addresses = inside • Source addresses can be verified against the routing table, by checking the IP address range from whence the packet arrived access-list 110 deny ip any any log-input ip cef #Enable Cicso Express Forwarding interface Ethernet 0 ip verify unicast reverse-path 110

  20. Direct Broadcast Filtering • Disable broadcast destination IP addresses no ip direct-broadcast • Smurf attack: Send SYN to broadcast address – all reply with SYN/ACK to origination IP address

  21. Routing techniques Black Hole Filtering: Net Police Filter: • Create routes to the null interface (null0) for specific IP addresses • E.g., Non-existent addresses • Avoid looping: We forward all 128.n.n.n to you – but you don’t have 128.37.64.25 and forward it back to us. • Prevents routes larger than 20 or 24 bit masking • Ensures routing table does not get too big, thereby slowing routing down

  22. Other CISCO routing commands If Routing configured well, turn off: • ICMP Redirects: “Don’t send to me – I’ll send it back to you anyway” no ip redirects • Source Routing: Source endpoint dictates packet’s route no ip source-route

  23. Router 10.1.1.22 10.1.1.1 Subnet 10.2.1.n Switch Border Router To Internet Router Subnet 10.3.1.n 10.1.1.23 UWP Lab Configuration • Border Router: Accepts or rejects based on IP/Port address • Proxy: Application-level control: web & file transfer • Switch: Routes to Subnet • Router: Access to/from Subnet Proxy 10.1.1.3

  24. Router 10.1.1.22 10.1.1.1 Subnet 10.2.1.n Switch Border Router To Internet Router Subnet 10.3.1.n 10.1.1.23 IP Routing • deny ip 0.0.0.0 0.255.255.255 any log • permit ip any 10.2.1.0 0.0.0.255 • deny ip any 10.2.0.0 0.0.255.255 log • no ip direct-broadcast • ip verify unicast reverse-path • no ip source-route Src=10.3.1.1 Dest=10.2.2.25 Dest=10.2.1.255 Dest=10.3.1.1 Proxy

  25. Standard ACL format: (Checks source IP addresses) access-list <number> <permit/deny> <sourceIP> [wildcard] • where <number> = 1-99 or 1300-1999 • Example: Checks that all outgoing packets from a subnet have valid IP source addresses: access-list 2 permit 220.10.5.0 0.0.0.255 access-list 2 permit 220.10.5.0/24 (same – not allowed) • Example: Checks that all incoming packets from the network have a valid source IP address (do not have an address with a first byte of 10): access-list 3 deny 10.0.0.0 0.255.255.255

  26. Extended ACL format: (Checks source & dest IP & Port addresses) access-list <number> <permit/deny> <protocol> <sourceIP> [wildcard] [src-port] <destIP> [wildcard] [dest-port] [other-options] • where <number> = 100-199 or 2000-2699 • Example: Do not allow any TCP packets with port numbers between 135-139 (with ‘any’ source or destination IP addresses): access-list 101 deny tcp any any range 135 139 log • Example: Permit UDP packets to destination host 220.10.5.33 with destination port number 600: access-list 102 permit udp any host 220.10.5.33 eq 600

  27. Reflexive ACL format: (Only allow outgoing sessions in this service) • Uses a state table to track state of session. Uses more CPU and memory than other formats. Works only with services that use a single transport connection (e.g., not active FTP.) The following rule requests that the state be tracked for the indicated connections: <permit/deny> tcp <sourceIP> [wildcard] [port] <destination> [wildcard] [port] reflect <rulename> • The following command indicates that reply sessions (not-initiated) only are allowed in this direction: evaluate <rulename> • Example: Only permit outgoing SSH sessions: Out Direction: permit tcp any anyeq 22 reflect ssh-filter In Direction: evaluate ssh-filter • Rules must be specified in a named access-list. SYN Reflect Evaluate SYN-ACK ACK

  28. Router Interfaces • Each interface has rules for its input and output • Rules are processed in order. Therefore, most common rules should be specified first for best performance. • If an ICMP message is returned to the TCP SSH connect request, we won’t get it. FastEthernet 0/0 FastEthernet 0/1 Network Router LAN/ Terminals In Out Out In

  29. Named Access Lists:(Grouped rules) • An alternate way to specify rules is by grouping them into an access-list, and naming the access list: ip access-list extended FilterOut permit tcp any anyeq 22 reflect ssh-filter deny tcp any eq ftp any range 0 1024 permit udp any host 192.168.2.5 eq ftp-data deny udp any any range 0 1024 ! (Note: all other access implicitly denied) ip access-list extended FilterIn evaluate ssh-filter FilterOut Named Access List Definition FilterIn Named Access List

  30. Associating an Access List with an Interface • The access-list is then associated with an interface: interface FastEthernet 0/0 ip address 220.10.5.36 255.255.255.0 ip access-group FilterIn in ip access-group FilterOut out

  31. Cisco Router:Access Control Lists <permit/deny> <protocol> <sourceIP> [wildcard] [src-port] <destIP> [wildcard] [dest-port] [other-options] deny tcp any any range 135 139 log permit udp any host 220.10.5.33 eq 600 <permit/deny> <sourceIP> [wildcard] [port] <destination> [wildcard] [port] reflect <rulename> Example: ip access-list extended FilterOut permit tcp any any eq 22 reflect ssh-filter permit tcp any any eq 80 deny tcp any any range 0 1024 deny tcp any any gt 1024 deny udp any any range 0 1024 ! ip access-list extended FilterIn evaluate ssh-filter permit tcp any any eq 80

  32. Example FilterOut Evaluate for efficiency & protection: ip access-list extended FilterOut permit tcp 10.2.1.0 0.0.0.255 any reflect tcp-filter permit udp 10.2.1.0 0.0.0.255 any reflect udp-filter permit icmp 10.2.1.0 0.0.0.255 any reflect icmp-filter evaluate smtp-filter deny ip any any log Router in out Internet Inner Network out in

  33. Static versus Reflexive: • Use static for absolutes: blocking private IP addresses, or specific protocols: SNMP, ping. Static is faster than Reflexives. • E.g., permit tcp any any eq 80 • Use Reflexives when necessary: Outgoing connections only are allowed. • permit icmp 10.2.1.0 0.0.0.255 any reflect icmp-filter • evaluate smtp-filter

  34. Router Modes for User Interface User mode: User can view information but cannot change anything. Router> Privileged mode: Supports modifications to routing tables, use of test and debug commands, and access to configuration modes. • To enter and exit Privileged mode, use commands enable and disable. Router> enable Router# disable > enable # configure User Mode Privileged Mode Configuration Mode # disable # (config) exit interface router …

  35. Router Modes for User Interface Global configuration mode: Used to enter one-line configuration (or routing) commands. • To enter Configuration mode, use commands configure and exit. At console, specify config terminal: Router# config terminal Router(config)# • Configuration mode has a number of submodes: interface, router, subinterface, controller, map-list, map-class, line. Router(config)# interface ethernet 0 Router(config-if)# exit Router(config) > enable # configure User Mode Privileged Mode Configuration Mode # disable # (config) exit interface router …

  36. Getting Help • Tab: Complete command for me • ?: Show commands, options Example: Router# clock ? set Set the time and date Router# clock set ? Current Time (hh : mm : ss)

  37. Configuration Files Two configuration files exist: • RAM=running-config • NVRAM=startup-config Running-config: What the router uses. • Commands to the config file change this file. Beta test all configurations before storing to nonvolatile (NV) RAM: NVRAM. Startup-config: The file the router uses after it boots. RAM configure terminal console or VTerm show running config erase startup-config NVRAM configure memory copy running-config startup-config Bit bucket copy tftp startup-config copy tftp running-config tftp server copy running-config tftp

  38. Table of CISCO Keywords in Routing Commands

  39. CISCO Table (2)

  40. CISCO Table (3)

  41. CISCO Table (4)

  42. CISCO Table (5)

  43. Review

More Related