1 / 25

Packet Filtering

Packet Filtering. CS-480b Dick Steflik. Stateless Packet Filters. A border router configured to pass or reject packets based on information in the header of each individual packet can theoretically be configured to pass/reject based on any field but usually done based on: protocol type

max
Download Presentation

Packet Filtering

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Packet Filtering CS-480b Dick Steflik

  2. Stateless Packet Filters • A border router configured to pass or reject packets based on information in the header of each individual packet • can theoretically be configured to pass/reject based on any field • but usually done based on: • protocol type • IP address • TCP/UDP port • Fragment number • Source routing information

  3. Protocol Filtering • Filtering based on the IP protocol field allows rejecting of entire protocol suites • UDP • TCP • ICMP • IGMP • This is almost too general • ex suppose you block UDP then any TCP based application won’t be able to convert host/domain to IP address • so it is seldom used.

  4. IP Address Filtering • Pass/reject packets based on membership in a set of acceptable IP addresses • Usually not used to block specific hosts • oscar is frequently blocked so corporate users can use AIM • same for some disk backup services • Usually block source routed packets • big security hole (explained later) • If a hacker knows an address that the filter will pass they can easily forge a packet that will pass through the filter

  5. Port Filtering • Most commonly used filtering method • can also be thought of as protocol filtering as most ports below 1024 relate to specific high level protocols • pass all but those specified • reject all but those specified • Important ports/protocol to block: • telent • NetBIOS • POP • NFS • X Windows • Windows Terminal Services • pcAnywhere and VNC

  6. Source Route Filtering • Source routed packed should never be allowed into your network • Source routing was added to IP to accommodate debugging • Allows you to specify the path a packet will take through your network • Strict Source Routing • Specifies the exact path to be taken • Loose Source Routing • Indicates one or more hosts the packet must go through • A hacker can plug in their own address and force packets to travel through a machine that they can sniff

  7. Loose Source Routing • A packet is given a list of hops to be taken • Each packet carries same source address, destination is whatever the next IP in the hop path is; the hop path is in the IP Option field. • 131 is the type for Loose Source Routing • Length – total length of the option • Offset – byte offset to next IP to hop to IP Option field 1 byte 1 byte 1byte 4 bytes 4 bytes Type Length offset IP 1 IP2 ……… 131

  8. Loose Source Routed Example For example, if a packet was generated from 10.1.1.1, with a final destination of 172.16.1.1 via a hop to 192.168.1.1, the intial packet would have a source of 10.1.1.1, a dest of 192.168.1.1, and an IP option with a length of 7, an offset of 4, and the IP address starting at byte 4 of 172.16.1.1. If 192.168.1.1 forwards LSR packets, it would re-emit the packet with a source of 10.1.1.1, dest of 172.16.1.1, offset of 8, and the IP address at offset 4 of 192.168.1.1. 10.1.1.1 192.168.1.1 172.16.1.1 Initial source=10.1.1.1 dest. = 192.168.1.1 IP Option 131,7,4,172.16.1.1 Initial source=10.1.1.1 dest. = 172.16.1.1 IP Option 131,8,4,192.168.1.1 Problem with loose source routing is that some stacks will reverse the source route when responding to a source routed packet, this would make it trivial for a hacker to spoof a packet coming from a trusted source and insert their own address in the source route. The hacker can then sniff on it; the unsuspecting victim would then send return traffic to the spoofed source but LSR it through the attacker

  9. Fragmentation Filtering • Fragmentation was added to IP to facilitate passing through a network that only supports small packet sizes • Any router in the path can break a large packet up into smaller pieces • problem is that the port number is only in the first fragment meaning that filtering on TCP or UDP is lost

  10. Problems with Stateless Filters • Effectiveness of stateless filters is limited due to: • They cannot check the payload of the packets • service related filtering can only be done by application level proxies • They do not retain the state of the connections

  11. Stateful Packet Filtering • Record the state of all connections flowing through the firewall and use the connection state as the basis for dropping packets • create an in memory state table for the state of all Network and session layers • pass only packets relating to allowed (configured) ports that are currently in the state table. • Drop entries when the TCP close session happens or after a few minutes, this insures that the table stays “clean” and without holes in in it • Newer Firewalls all provide Stateful packet filtering • some also provide higher level protocol proxying

  12. Hacking Through Packet Filters • The following exploits are common: • TCP can only be filtered in the 0th fragment • setting the fragment number to 1 the packet will usually passe through the packet filter • Older packet filters only filter ports below 1024 • used to be that only HTTP used higher numbered ports for passing data back to web browsers, many new applications use ports above 1024 for normal communication • Public services must be forwarded • services like the updating of web pages via Netscape Composer must be controlled (possibly bt IP address) to limit public access • Trojan horses can defeat packet filters using NAT

  13. Best Practices • Use a proxy • physically breaks the network path • Use Stateful Packet Filters • can’t be bypassed like stateless filters • Disable all Ports by Default • enable only what is absolutely needed • if a Trojan Horse get in it will most likely set up a server that the hacker can then attach to, it the port is blocked, this can’t happen • Secure the Base Operating System (Hardening) • apply all patches provided by vendor • check the vendor web site frequently • always use a hardened protocol stack

  14. IP Chains • Stateless packet filter • optionally built into the Linux kernel • will pass or deny packets based on a rule set applied against IP header fields • used in v 2.2 kernels, replaced by IPTables in 2.4 kernels

  15. IPChains Flow lo interface IP Packet checksum sanity Input Chain Route Decision Forward Chain Output Chain ACCEPT Local DENY DENY DENY Demasquerade

  16. IPChains Commands Command Description -A Add rule to chain -D Delete rule from chain -I Insert rule -R Replace rule -F Flush all rules -L List all rules -N Create new chain -X Delete user defined chain -P Set default targe

  17. IPChains Command Options Command Option Description -s Source address of packet -d Destination address of packet -i Interface packet is arriving from -p Protocol -j Target to send packet to -y For -p tcp. Packet is SYN packet. --icmp-type For -p icmp. -l Log the packet to syslog. /var/log/messages Available in Red Hat 6.0+ kernel

  18. IPChains Targets System targets Description (policy) ACCEPT Let packet through DENY Deny packet REJECT Deny packet and notify sender MASQ Forward chain masquerade REDIRECT Send to different port RETURN Handled by default targets

  19. IPChains- Chain Types IP input chain IP output chain IP forwarding chain User defined chains (just give it a new name instead of the built-in names: input, output or forward)

  20. IPChains Example # Flush Rules ipchains -F forward ipchains -F output ipchains -F input # Set default to deny allipchains -P input DENY ipchains -P output DENY ipchains -P forward DENY # Add Rules# Accept packets from itself (localhost) (s)ource to itself (d)estination # Keeps system logging, X-Windows or any socket based service working. ipchains -A input -j ACCEPT -p all -s localhost -d localhost -i lo ipchains -A output -j ACCEPT -p all -s localhost -d localhost -i lo # Deny and log (option -l) spoofed packets from external network (eth0) which mimic internal IP addresses ipchains -A input -j REJECT -p all -s 192.168.10.0/24 -i eth0 -l # Accept requests/responses from/to your own firewall machine ipchains -A input -j ACCEPT -p all -d XXX.XXX.XXX.XXX -i eth0ipchains -A output -j ACCEPT -p all -s XXX.XXX.XXX.XXX -i eth0# Allow outgoing packets source (s) to destination (d)ipchains -A input -j ACCEPT -p all -s 192.168.10.0/24 -i eth1ipchains -A output -j ACCEPT -p all -s 192.168.10.0/24 -i eth1# Deny and log (option -l) outside packets from internet which claim to be from your loopback interfaceipchains -A input -j REJECT -p all -s localhost -i eth0 -lipchains -A forward -s 192.168.10.0/24 -j MASQipchains -A forward -i eth1 -j MASQ# Enable packet forwarding echo 1 > /proc/sys/net/ipv4/ip_forward

  21. IPTables Commands -A , --append Append rule to chain -D , --delete Delete rule from chain -I , --insert Insert rule at beginning or at specified sequence number in chain. -R , --replace Replace rule -F , --flush Flush all rules -Z , --zero Zero byte counters in all chains -L , --list List all rules. Add option --line-numbers for rule number. -N , --new-chain Create new chain -X , --delete-chain Delete user defined chain -P , --policy Set default policy for a chain -E , --rename-chain Rename a chain

  22. IPTables Command Options -s , --source Source address of packet -d , --destination Destination address of packet -I , --in-interface Interface packet is arriving from -o , --out-interface Interface packet is going to -p , --protocol Protocol: *tcp --sport port[:port] --dport port[:port] --syn *udp *icmp *mac -j , --jump Target to send packet to -f , --fragment Fragment matching -c , --set-counters Set packet/byte counter -m tcp , --match tcp *--source-port port[:port] (port # or range #:#) *--destination-port port[:port] *--tcp-flags -m state , --match state --state *ESTABLISHED *RELATED *NEW *INVALID (Push content, not expected to recieve this packet.)

  23. IPTables Defined Policies Defined Policies Description ACCEPT Let packet through DROP Deny packet with no reply REJECT Deny packet and notify sender RETURN Handled by default targets MARK Used for error response. Use with option --reject-with type MASQUERADE Used with nat table and DHCP. LOG Log to file and specify message: °--log-level # °--log-prefix "prefix" °--log-tcp-sequence °--log-tcp-options °--log-ip-options ULOG Log to file and specify userpace logging messages SNAT Valid in PREROUTING chain. Used by nat. REDIRECT Used with nat table. Output. DNAT Valid in POSTROUTING chain. Output. QUEUE Pass packet to userspace.

  24. IPTables Example • Simple firewall for the desktop Linux system: • iptables -P INPUT DROP iptables -P FORWARD DROP iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT • Allow network connections which have already been established (started by host) and related to your connection. FTP requires this as it may use various ports in support of the file transfer.) Allow network input/output from self (lo).

  25. …more # Allow loopback access. This rule must come before the rules denying port access!!iptables -A INPUT -i lo -p all -j ACCEPT - Rule for your computer to be able to access itself via the loopbackiptables -A OUTPUT -o lo -p all -j ACCEPT iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP - Block NFSiptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP - Block NFSiptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 6000:6009 -j DROP - Block X-Windowsiptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 7100 -j DROP - Block X-Windows font serveriptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 515 -j DROP - Block printer portiptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 515 -j DROP - Block printer portiptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 111 -j DROP - Block Sun rpc/NFSiptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 111 -j DROP - Block Sun rpc/NFSiptables -A INPUT -p all -s localhost -i eth0 -j DROP - Deny packets which claim to be from your loopback interface.

More Related