
CSIS 4490 Firewall Security Peter Kruszka


Presentation Transcript


  1. CSIS 4490 Firewall Security, Peter Kruszka
     • High level security issue survey
     • Expert recommendations
     • Discussion of ipchains

  2. Security Breaches
     • Security is a people issue
     • Internal security issues account for ~75%
       - Deliberate
       - Accidental
     • Physical access
       - Top secret: keep physically separate
       - Physical media (floppies, etc.) can be carried out
     • Deliberate logical assaults from external sources
     • Firewalls are implemented to protect against unwanted intrusions from external sources

  3. Simple Firewall Architecture

  4. Complex Firewall configuration

  5. General Vulnerabilities
     Top 20 logical vulnerabilities: http://www.sans.org/top20.htm
     • G1 - Default installs of operating systems and applications
     • G2 - Accounts with no passwords or weak passwords
     • G3 - Non-existent or incomplete backups
     • G4 - Large number of open ports
     • G5 - Not filtering packets for correct incoming and outgoing addresses
     • G6 - Non-existent or incomplete logging
     • G7 - Vulnerable CGI programs

  6. Windows Vulnerabilities
     • W1 - Unicode vulnerability (web server folder traversal)
     • W2 - ISAPI extension buffer overflows
     • W3 - IIS RDS exploit (Microsoft Remote Data Services)
     • W4 - NETBIOS - unprotected Windows networking shares
     • W5 - Information leakage via null session connections
     • W6 - Weak hashing in SAM (LM hash)

  7. Unix Vulnerabilities
     • U1 - Buffer overflows in RPC services
     • U2 - Sendmail vulnerabilities
     • U3 - BIND weaknesses
     • U4 - R commands
     • U5 - LPD (remote print protocol daemon)
     • U6 - sadmind and mountd
     • U7 - Default SNMP community strings

  8. Chains and Rules
     • Firewall security encompasses filtering incoming packets
     • Unix firewalls filter packets based on CHAINS and RULES
     • Chains
       1 Input
       2 Output
       3 Forward
       4 User defined
     • Rules specify criteria for a packet and a target
       - Instruct the kernel what to look for in the packet header
       - There can be many rules
       - If no rule matches, consult the chain policy (accept / reject)
     • /sbin/ipchains -- administers Unix IP firewall rules
     • /etc/sysconfig/ipchains -- rule database

  9. Packet filter criteria
     • Packet header information
       - source address
       - destination address
       - protocol
       - source port
       - destination port
       - packet length
       - connection state information
     • Packet payload (message content)

  10. Recommended Packet Filtering
      http://www.cert.org/tech_tips/packet_filtering.html
      Carnegie Mellon University, CERT/CC (Computer Emergency Response Team)
      • DNS zone transfers - socket 53 (TCP)
      • tftpd - socket 69 (UDP)
      • link - socket 87 (TCP) (commonly used by intruders)
      • SunRPC & NFS - sockets 111 and 2049 (UDP and TCP)
      • BSD UNIX "r" cmds - sockets 512, 513, and 514 (TCP)
      • lpd - socket 515 (TCP)
      • uucpd - socket 540 (TCP)
      • openwindows - socket 2000 (UDP and TCP)
      • X windows - sockets 6000+ (UDP and TCP)

  11. Services visible on the host (output of top; annotations in parentheses are from the slide)

      # top
      4:59pm up 16 min, 3 users, load average: 0.62, 0.51, 0.34
      57 processes: 53 sleeping, 3 running, 0 zombie, 1 stopped
      CPU states: 16.8% user, 2.6% system, 0.0% nice, 80.4% idle
      Mem: 94460K av, 91244K used, 3216K free, 0K shrd, 1924K buff
      Swap: 192740K av, 0K used, 192740K free, 45672K cached

        PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME COMMAND
       1407 root      15   0 13948  13M 12068 R    10.4 14.7   0:31 kdeinit
        441 root      15   0  1028 1028   828 R     3.0  1.0   0:09 top
       1292 root      15   0 12772  12M 11176 S     1.1 13.5   0:19 kdeinit
       1089 root      15   0 17868  13M  3280 S     0.5 14.2   0:29 X
          1 root      15   0   472  472   416 S     0.0  0.4   0:04 init
          2 root      15   0     0    0     0 SW    0.0  0.0   0:00 keventd
          3 root      15   0     0    0     0 SW    0.0  0.0   0:00 kapmd
        570 root      15   0     0    0     0 SW    0.0  0.0   0:00 eth0
        572 root      16   0   664  664   576 S     0.0  0.7   0:00 dhcpcd
        650 root      15   0   544  544   456 S     0.0  0.5   0:00 syslogd    (/etc/syslog.conf)
        655 root      15   0   440  440   380 S     0.0  0.4   0:00 klogd      (logs packet events)
        675 rpc       15   0   556  556   472 S     0.0  0.5   0:00 portmap
        703 rpcuser   19   0   712  712   612 S     0.0  0.7   0:00 rpc.statd
        815 root      15   0   480  480   424 S     0.0  0.5   0:00 apmd
        869 root      25   0  1196 1196  1012 S     0.0  1.2   0:01 sshd
        943 root      15   0  1772 1772  1280 S     0.0  1.8   0:00 sendmail

  12. /etc/sysconfig/ipchains: firewall set for high security

      # Firewall configuration written by lokkit
      # Manual customization of this file is not recommended.
      # Note: ifup-post will punch the current nameservers through the
      # firewall; such entries will *not* be listed here.
      :input ACCEPT
      :forward ACCEPT
      :output ACCEPT
      -A input -s 0/0 67:68 -d 0/0 67:68 -p udp -i eth0 -j ACCEPT
      -A input -s 0/0 67:68 -d 0/0 67:68 -p udp -i eth1 -j ACCEPT
      -A input -s 0/0 -d 0/0 -i lo -j ACCEPT
      -A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
      -A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
      -A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
      -A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
      -A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
      -A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT

  13. ipchains explained (the slide's annotations are shown as trailing comments)

      -A input -s 0/0 67:68 -d 0/0 67:68 -p udp -i eth0 -j ACCEPT
      -A input -s 0/0 67:68 -d 0/0 67:68 -p udp -i eth1 -j ACCEPT
      -A input -s 0/0 -d 0/0 -i lo -j ACCEPT
      -A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT      # DNS xfr, lpd, uucp
      -A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
      -A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
      -A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
      -A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT   # X windows
      -A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT

  14. Additional ipchains examples

      # spoofing protection
      /sbin/ipchains -A input -i eth0 -s ! 192.168.1.0/255.255.255.0 -j DENY
      /sbin/ipchains -A input -i ! eth0 -s 192.168.1.0/255.255.255.0 -j DENY
      # Default policy
      /sbin/ipchains -P input DENY
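As an added example (not from the slides), a small Python evaluator that parses rules written in the /etc/sysconfig/ipchains syntax of slides 12 and 14 and walks the input chain the way slide 8 describes: the first matching rule decides, otherwise the chain policy applies. The rule file, interfaces and packets below are constructed for illustration; eth0 is assumed to be the LAN side for the anti-spoofing rule, and the -y flag is simplified to a "syn" flag on the packet.

```python
import ipaddress
import shlex

# Constructed rule file in the slides' ipchains syntax: slide 12's rules plus slide 14's anti-spoofing rule (eth0 assumed LAN side)
RULE_FILE = """
:input ACCEPT
-A input -s 0/0 67:68 -d 0/0 67:68 -p udp -i eth0 -j ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -i eth0 -s ! 192.168.1.0/255.255.255.0 -j DENY
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
"""

def parse_net(spec):
    addr, _, mask = spec.partition("/")                  # ipchains writes "any address" as 0/0
    return ipaddress.ip_network(f"{'0.0.0.0' if addr == '0' else addr}/{mask or 32}", strict=False)

def parse_rule(line):
    toks, r, i = shlex.split(line), {"syn": False}, 0   # -s/-d/-i are stored as (value, negated)
    while i < len(toks):
        t = toks[i]
        if t == "-y":                                    # match only TCP packets that open a connection
            r["syn"] = True; i += 1; continue
        neg = toks[i + 1] == "!"                         # ipchains negates a value with a leading "!"
        i += 2 + neg
        val = toks[i - 1]
        if t in ("-s", "-d"):
            key = "src" if t == "-s" else "dst"
            r[key] = (parse_net(val), neg)
            if i < len(toks) and not toks[i].startswith("-"):   # optional port or lo:hi range
                lo, _, hi = toks[i].partition(":"); r[key + "port"] = (int(lo), int(hi or lo)); i += 1
        elif t == "-i": r["iface"] = (val, neg)
        else: r[t] = val                                 # -A chain, -p protocol, -j target
    return r

def matches(r, pkt):
    for key in ("src", "dst", "iface"):                  # address/interface criteria, honouring "!"
        if key in r:
            val, neg = r[key]
            hit = pkt[key] == val if key == "iface" else ipaddress.ip_address(pkt[key]) in val
            if hit == neg: return False
    for key in ("srcport", "dstport"):
        if key in r and not r[key][0] <= pkt.get(key, -1) <= r[key][1]: return False
    if "-p" in r and r["-p"] != pkt["proto"]: return False
    return not r["syn"] or (pkt["proto"] == "tcp" and pkt.get("syn", False))

def input_chain_verdict(pkt, rule_file=RULE_FILE):
    """Walk the input chain top to bottom: the first matching rule decides, else the chain policy."""
    lines = [l.strip() for l in rule_file.splitlines() if l.strip()]
    policy = next(l.split()[1] for l in lines if l.startswith(":input"))
    rules = [parse_rule(l) for l in lines if l.startswith("-A input")]
    return next((r["-j"] for r in rules if matches(r, pkt)), policy)
```

Two things worth checking with it: the -y rules only stop connection attempts, so a non-SYN TCP segment aimed at port 22 falls through to the ACCEPT policy, and the DHCP accept is consulted before the anti-spoofing rule because the chain is walked in order.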

  15. Editing utilities
      • Via command line: /sbin/ipchains
      • Utilities
        - Lokkit
        - Source code from www.sourceforge.com
        - Devil-Linux
        - Firestarter (GUI)

  16. www references
      • www.interhack.net/pubs/fwfaq
      • www.tldp.org/HOWTO/Firewall-HOWTO.html
      • http://tldp.org/HOWTO/IPCHAINS-HOWTO.html
      • http://www.linux-firewall-tools.com/linux/
      • http://www.sans.org/top20.htm
      • http://www.cert.org/tech_tips/packet_filtering.html
