[soen321-f04] more stuff (Sunday)
David K. Probst PROBST at vax2.concordia.ca
Sun Nov 14 10:36:17 EST 2004

Previous message: [soen321-f04] Thursday, November 11, 2004
Next message: [soen321-f04] more more stuff (Sunday)
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

SOEN 321 Week 8 Lecture Material
_________________________________

Principles of "Network security"
________________________________

Industrial espionage.  Less than 5% of attacks are detected.
Professionals who are after you won't use your machine to attack other
companies, yet that is how successful penetrations are usually found.
Professionals are more likely to use non-technical means, too: social
engineering, bribery, wiretaps, etc.

Insider attacks introduce many new angles because insiders know what you
have, know your weak points, and are on the inside of your firewall.
What if your system administrator is a traitor?

Attack types
____________

1. Authentication problems (often fixable by cryptography).
2. Buggy code (most security problems can't be fixed by cryptography).
3. Denial of service.

Preauthenticated connections are very dangerous.  'rlogin' relies on
name-based authentication.  User configuration of trust via '.rhosts'
files is madness.  Attack strategy: impersonate the address or name of a
trusted machine.

Name-spoofing via the DNS
_________________________

An enemy who controls some part of the DNS can control connections to
hosts named by that zone.  An enemy who controls the address-to-name
mapping can fool most address-based authentication schemes, since they're
really _name based_.  In other words, an attacker can succeed by spoofing
either the source address _or_ the DNS.  Such attacks on the DNS are
quite possible, especially by DNS _cache contamination_.

Routing
_______

IP routers learn the topology of the net by means of _routing protocols_.
An attacker who can inject fraudulent routing messages can subvert any
address-based authentication mechanism.  The threat is especially serious
if the enemy can appear "closer" to the target than the site it is
impersonating.

Reminder: one-time password technologies should be used in all
high-threat environments.

Buffer overflows
________________

Many C programs use fixed-length arrays for strings, and don't check
inputs.  Carefully crafted inputs can inject code, and overwrite the
return address on the stack to point to this code.

The web
_______

- Clients are multiprotocol.
- Risks to servers: very powerful facilities are needed to process
  interesting queries.
- Risk to clients: receipt of interpreter instructions.  "Click here to
  infect your system".

----

Denial-of-service attacks
_________________________

Deny you use of your own resources.  Types: memory eaters, bandwidth
cloggers, system crashers.  Hard to defend against: an attack is possible
whenever it is cheaper for the attacker to send the message than for you
to process it.

SYN-flooding is a memory eater.

The "Schtroumpf attack" is a bandwidth clogger.  The attacker sends a
'ping' to an intermediate network's broadcast address, with the target
machine as the forged return address.  All machines on the intermediate
network receive the 'ping' and reply, clogging their outgoing net and the
target's incoming net.  Firewalls at the target don't help---it's too
late by then.

"Teardrop" and "Ping of death" are system crashers.

The web menace
______________

Very complex administration and configuration.  Very complex software
structure: the servers try to validate source addresses; check passwords;
parse file names; implement access restrictions; switch uids (which means
they must run as root); etc.

Scripts are the killer.  Scripts are, in essence, programs that provide
network services.  Are they secure?  Most such scripts are written by
ordinary users.  The languages used to write these scripts are often
inappropriate.
The existence of these scripts implies the need for their interpreters
(and the programs they invoke, especially shell scripts) to be
accessible to the web servers.

Structural issues
_________________

- Complex code is rarely correct.
- Complex administrative structures are rarely correct.
- Strong safeguards---separate uids, 'chroot', etc.---aren't used, or are
  set up very late in the game.
- Both www and system password files are often accessible to outsiders.
- Symbolic links make it very easy for ordinary inside users to give away
  the store.

Active content
______________

- Outsiders supply code to be executed on your machine.
- Can this code be trusted?
- Can it be contained?
- How can we give active content enough power to be useful while still
  keeping it safe?  Essentially, can the user administer fine-grained
  permissions?

Firewalls
_________

Barrier between "us" and "them".  Limits communication to the outside
world (possibly a different domain of the same organization).  Only a
very few machines are exposed to attack.

Why use firewalls?
__________________

- Most hosts have security holes.  Proof: most software is buggy.
  Therefore, most security software has security bugs.
- Firewalls run much less code; hence, they have fewer security holes.
- Firewalls can be professionally administered.
- They partition the network into separate security domains.
- Without such a partition, a network is essentially a giant virtual
  machine with an unknown set of privileged and unprivileged users.

Should we fix the network protocols instead?
____________________________________________

- Network security is not the problem.
- Firewalls are _not_ a solution to network problems.  They are a network
  response to a host-security problem.
- More precisely, they are a response to the dismal state of software
  engineering: taken as a whole, the profession does not know how to
  produce software that is secure, correct, and easy to administer.
- Consequently, better network protocols will not reduce the need for
  firewalls.  The best cryptography in the world will not guard against
  buggy code.
- Still, we do need to engineer---and deploy---better security protocols.

Advantages of firewalls: if you don't need it, get rid of it.  Firewalls
have no ordinary users and hence no '/etc/passwd' entries.  Firewalls run
few Internet services (no 'rlogin', 'finger', 'http', etc.).  We can
install conservative software (no 'sendmail', no recent fancy 'ftpd').
We can log everything and monitor the log files.  We can keep copious
backups.  No ordinary machine can be run that way.

Positioning of firewalls
________________________

It is very common to place a filter on each side of a gateway.  The space
between the two filters is called the "DMZ".

Firewalls are used to protect administrative domains.  Firewalls are
components of enterprise systems.  There are too many holes around and
through most central corporate firewalls.  Firewalls are most useful as
an element protecting parts of any distributed system.  A typical
networked information system (NIS) will have many small "point"
firewalls.

Firewall placement is critical.  For example, the proper order is:

    database | firewall | web server | clients

Why no firewall protecting the web server?
__________________________________________

- Turn off everything but the web server.  The web server is very
  dangerous anyway.  But a firewall can't protect it; it has to be
  accessible.
- The channel between the web server and the database must be very
  narrow.
- Authentication must be end-to-end, between the clients and the
  database.

Firewall philosophies
_____________________

1. Block all dangerous destinations.
2. Block everything; unblock things known to be both safe and necessary.

The first option gets you into an arms race with the attackers; you have
to know everything that is dangerous.  Option 2 is much safer.
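Option 2 in code, as an added example that is not part of these notes: a
default-deny rule evaluator worked through on the three SMTP rule sets
given under "Packet filters" below (the sample set, the incorrect set, and
"the right choice" with its ACK clause), followed by the dynamic
(stateful) variant described under "Dynamic packet filters".  Host names
('our-gw', 'spigot', 'desk-7', 'mx.example', 'evil.example'), port numbers
and the packets are constructed sample data; 'source' stands for the
interface a packet arrived on.

```python
"""Default-deny packet filtering, worked through on the notes' SMTP rules.

Added example, not part of the lecture notes.  Host names, port numbers
and the packets below are constructed sample data; the rule sets mirror
the three rule sets given under "Packet filters".
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    theirhost: str   # remote host
    theirport: int   # remote (source) port
    ourhost: str     # local host
    ourport: int     # local (destination) port
    ack: bool        # TCP ACK flag set; False for the first packet of a call
    source: str      # interface the packet arrived on: "inside" or "outside"


ANY = None


def match(theirhost=ANY, theirport=ANY, ourhost=ANY, ourport=ANY):
    """Build a header predicate; a field left as ANY matches everything."""
    def pred(p):
        return ((theirhost is ANY or p.theirhost == theirhost) and
                (theirport is ANY or p.theirport == theirport) and
                (ourhost is ANY or p.ourhost == ourhost) and
                (ourport is ANY or p.ourport == ourport))
    return pred


def evaluate(rules, pkt):
    """Stateless filter: first matching rule wins; no match means block.

    The implicit final block is option 2 of the firewall philosophies:
    block everything, unblock only what is known safe and necessary."""
    for action, pred in rules:
        if pred(pkt):
            return action
    return "block"


# Sample rule set: drop 'spigot', then admit SMTP to the mail gateway only.
SAMPLE = [
    ("block", match(theirhost="spigot")),
    ("allow", match(ourhost="our-gw", ourport=25)),
]

# Incorrect rule set: keyed on the *remote* port, so any remote process
# that binds source port 25 reaches any port on any inside host.
INCORRECT = [
    ("allow", match(theirport=25)),
]

# "The right choice": same match, but only for replies (ACK set) or for
# calls that originate inside.
CORRECT = [
    ("allow", lambda p: match(theirport=25)(p)
                        and (p.ack or p.source == "inside")),
]


class DynamicFilter:
    """Dynamic (stateful) packet filter: remember each call placed from
    inside and admit an outside packet only if it answers one of them.
    This closes the gap that the bare ACK rule leaves open."""

    def __init__(self):
        self.established = set()

    def decide(self, pkt):
        key = (pkt.ourhost, pkt.ourport, pkt.theirhost, pkt.theirport)
        if pkt.source == "inside":
            self.established.add(key)
            return "allow"
        return "allow" if key in self.established else "block"


# Constructed packets (all hosts are placeholders).
PACKETS = {
    "inbound_mail":  Packet("mx.example", 40000, "our-gw", 25, False, "outside"),
    "from_spigot":   Packet("spigot", 40000, "our-gw", 25, False, "outside"),
    "probe_telnet":  Packet("evil.example", 25, "desk-7", 23, False, "outside"),
    "our_smtp_call": Packet("mx.example", 25, "desk-7", 45000, False, "inside"),
    "reply_to_call": Packet("mx.example", 25, "desk-7", 45000, True, "outside"),
    "ack_scan":      Packet("evil.example", 25, "desk-7", 23, True, "outside"),
}


def verdicts(rules):
    """Apply one stateless rule set to every sample packet."""
    return {name: evaluate(rules, p) for name, p in PACKETS.items()}


def dynamic_verdicts():
    """Feed the packets, in dictionary order, through a dynamic filter.
    It only tracks calls placed from inside; a real deployment would add
    the SAMPLE allow rule for inbound mail alongside it."""
    f = DynamicFilter()
    return {name: f.decide(p) for name, p in PACKETS.items()}


if __name__ == "__main__":
    for label, rules in (("sample", SAMPLE), ("incorrect", INCORRECT),
                         ("correct", CORRECT)):
        print(label, verdicts(rules))
    print("dynamic", dynamic_verdicts())
```

Running it shows the points the notes make: the incorrect set admits
'probe_telnet' (a remote process on source port 25 reaching port 23
inside); the ACK clause blocks that probe and admits the reply to our own
call, but still admits 'ack_scan', a bare ACK from outside, which is the
"stealth" scanning the notes warn about; the dynamic filter admits the
reply and blocks the scan because no matching call was placed from inside.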
Types of firewalls
__________________

- packet filters
- dynamic packet filters
- application gateways
- circuit relays

Most firewalls are combinations of these types.

Packet filters
______________

- Router based and hence cheap.
- Individual packets are accepted or rejected; no context is used.
- Filter rules are hard to set up; the primitives are often inadequate,
  and different rules can interact.
- Packet filters are a poor fit for 'ftp' and 'X11'.
- It is hard to manage access to RPC-based services.
- But packet filters are often sufficient for point firewalls.

Sample rule set:

    block: theirhost == spigot
    allow: theirhost == 'any' AND theirport == 'any' AND
           ourhost == 'our-gw' AND ourport == 25

Incorrect rule set:

    allow: theirhost == 'any' AND theirport == 25 AND
           ourhost == 'any' AND ourport == 'any'

Any remote process on port 25 can get in.  Port 25 is SMTP (TCP).

The right choice:

    allow: theirhost == 'any' AND theirport == 25 AND
           ourhost == 'any' AND ourport == 'any' AND
           (bitset ('ACK') OR source == 'inside')

This permits outgoing calls.  But the "ACK" rule opens the door to
"stealth" scanning.

Life is complicated
___________________

- In general, each interface has its own access-control list.
- Rules allowing packets generally need a complementary rule on another
  interface to permit reply packets.
- There is no link between these rule pairs.
- It's even worse when there are more than two interfaces.

Filtering UDP: UDP has no notion of a connection.  It is therefore
impossible to distinguish a reply to a query---which should be
allowed---from an intrusive packet.  At best, one can try to block
known-dangerous ports (risky).  The safe solution is to permit UDP
packets through to known-safe servers only.

Filtering DNS: how does one prevent DNS contamination?  Mail can be
rerouted, passwords captured, etc.  We need separate DNS for inside and
outside.

Dynamic packet filters
______________________

- Standard technology for commercial firewalls.
- Look at query/response pairs; allow in responses to outgoing queries.
- One rule handles both directions; no interactions.
- Can use higher-level semantics to handle things like FTP's data
  channel.
- Virtually transparent to users and applications.

Application gateways
____________________

- Gateway machine has a custom program for each application.
- Facilities sometimes needed anyway (e.g., mail gateways).
- A good choice for 'X11' relays or for controlling outbound traffic.

Circuit relays: messages are passed at the 'TCP' level.  No semantic
processing by the gateway.  Applications must be converted, but this
isn't hard, especially if you have the source.  More flexible than
application gateways, but can be subverted.  The free 'socks' package
implements circuit relays.

Tunnels: tunnels are often useful, especially if cryptographically
protected.  How do you defend against tunnels?  Any channel can carry
traffic; a pair of channels can be used to form a tunnel.  However,
traffic characteristics for a tunnel differ from the norm.
Application-level gateways with authenticated connections are the first
line of defense.  Traffic analysis, plus cryptographic analysis of the
content, could be applied to all connections.

Providing inbound services: must allow some incoming traffic (mail,
'ftp', login, POP3, etc.).  When possible, provide service for outside
clients on an external machine.  Use application gateways for
pass-through services.  High-security solutions, such as smart-card
authentication and encrypted tunnels, are preferable.

Living with firewalls
_____________________

- Decide on a security policy.
- Decide which services fit that policy.
- Build/configure/tweak your firewall to permit those services.
- Evaluate new services using the same criteria.
- Block all others.

Picking a security policy
_________________________

1. Decide explicitly what is allowed.
   - Are incoming calls allowed?  To what services?
   - Are outgoing calls allowed?  To what services?
   - Can users export data?
   - Can users import files from the Internet?  Source code?
     Executables?
   - Can insiders use the Internet to "dial in" when traveling?  Under
     what conditions?
2. You always have a security policy, if only by default.

What firewalls won't do
_______________________

- Guard against inside attacks.
- Block all tunnels.
- Secure other entry points, such as modems.
- Protect against security holes at higher levels, such as mail-header
  problems.

A few more words on the Domain Name System
__________________________________________

- associates host names and IP addresses
- without cryptographic authentication, DNS consistency is often used to
  provide weak authentication
- DNS has _forward_ and _reverse_ records
- consistency: forward map followed by reverse map is (essentially) the
  identity map (fred ==> 6 ==> fred)

Do we trust the DNS?  Suppose an attacker can "control" the response from
an authoritative domain name server, i.e., he can lie about host ==> IP
and/or IP ==> host.  This will kill the trustworthiness of weak
authentication.

Another attack on DNS is called "cache poisoning".  A server is allowed
to add extra DNS records in response to a query.  The extra records may
be lies.

Example: the attacker connects to the victim (source IP 'xxx' is
available).  The victim asks the DNS for the hostname.  The attacker
returns _two_ bogus DNS records:

    1) xxx ---> niceguy.com
    2) niceguy.com ---> xxx

We allow the local DNS server to cache records for efficiency reasons.
We first try to answer our question by looking in the cache.  We queried
the IP and got a hostname.  Now, we check the cache for this hostname.
We find it and the IP matches.  We have been spoofed.

Crypto is necessary to stop cache poisoning.  Essentially, we must employ
certificate authorities.  The new system is called DNSsec.

Firewall remark
_______________

A firewall blocks incoming or outgoing network traffic.
The types are easy to distinguish:

- packet filter: bases all decisions on packet headers alone
- proxy (application-level): bases decisions on packet headers and packet
  content, at some level (e.g., could execute the packet stream of the
  connection)

In the commercial world, we need to layer things.

    ------------------ Outer firewall
      Web server    Mail server    DNS server            (DMZ)
    ------------------ Inner firewall
      corporate-data subnet    customer-data subnet
      internal mail server     internal DNS server
      development subnet

The DMZ allows limited public access to various servers; the internal
subnets are _not_ to be accessed by the public.  The basic principle here
is to limit the flow of information between the internal network and the
DMZ.

Example: external connections to the web server stay in the DMZ.  If any
information is to be transmitted from the web server to the internal
network, the transmission is made separately, and not as part of a web
transaction.

Example: suppose the outer firewall is proxy based.  When an SMTP
connection is initiated, the SMTP proxy on the firewall collects the
mail.  It then checks for malicious logic.  If none is found, the proxy
forwards the mail to the _DMZ_ mail server.

Extra information on DNS is included in a separate message.
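The cache-poisoning example from the DNS section above, worked through in
code as an added example that is not part of these notes.  It models the
weak, consistency-based authentication (reverse map, then forward map) on
top of a small caching resolver, shows the two bogus records being
accepted when the resolver caches everything a response carries, and then
shows the same check rejecting the connection when the resolver refuses
records whose owner name it did not ask about (a simplified form of the
bailiwick check real resolvers apply).  All names and addresses are
constructed: ATTACKER_IP stands for the notes' 'xxx', REAL_IP for
niceguy.com's genuine address, and network() for the authoritative
servers.

```python
"""DNS cache poisoning through "extra" records, and a resolver that
refuses them.

Added example, not part of the lecture notes.  Every name and address is
constructed: ATTACKER_IP and REAL_IP are RFC 5737 documentation addresses
standing in for the notes' 'xxx' and for niceguy.com's genuine address.
"""

ATTACKER_IP = "198.51.100.9"
REAL_IP = "203.0.113.7"

# What the honest authoritative servers answer (constructed).  Records are
# (owner name, type, data) triples.
HONEST_ZONES = {
    ("niceguy.com", "A"): [("niceguy.com", "A", REAL_IP)],
}

# The attacker controls the reverse zone for his own address, so the PTR
# query for it comes back with the two lies from the notes: the answer
# itself, plus an unrequested "additional" A record for niceguy.com.
POISONED_PTR_RESPONSE = [
    (ATTACKER_IP, "PTR", "niceguy.com"),    # 1) xxx ---> niceguy.com
    ("niceguy.com", "A", ATTACKER_IP),      # 2) niceguy.com ---> xxx
]


def network(question):
    """Stand-in for sending the query to the authoritative server."""
    if question == (ATTACKER_IP, "PTR"):
        return POISONED_PTR_RESPONSE
    return HONEST_ZONES.get(question, [])


class Resolver:
    """Caching resolver.  With strict=False it caches every record a
    response carries (the behaviour the notes describe).  With strict=True
    it caches only records whose owner name is the one it asked about, a
    simplified form of the bailiwick check real resolvers apply."""

    def __init__(self, strict):
        self.strict = strict
        self.cache = {}          # (name, type) -> data

    def lookup(self, name, rtype, query=network):
        key = (name, rtype)
        if key in self.cache:                 # cache first, as the notes say
            return self.cache[key]
        for rname, rrtype, rdata in query(key):
            if self.strict and rname != name:
                continue                      # out of bailiwick: drop it
            self.cache[(rname, rrtype)] = rdata
        return self.cache.get(key)


def weak_authenticate(resolver, source_ip):
    """Address-based authentication via DNS consistency: reverse-map the
    source address, forward-map the name, accept if we get the address
    back.  Returns the host name we would trust, or None."""
    name = resolver.lookup(source_ip, "PTR")
    if name is None:
        return None
    if resolver.lookup(name, "A") == source_ip:
        return name
    return None


if __name__ == "__main__":
    print("naive resolver trusts:",
          weak_authenticate(Resolver(strict=False), ATTACKER_IP))
    print("strict resolver trusts:",
          weak_authenticate(Resolver(strict=True), ATTACKER_IP))
```

The naive resolver returns 'niceguy.com' for the attacker's address: the
forward lookup is answered from the poisoned cache and the IP matches, so
"we have been spoofed".  The strict resolver never caches the extra A
record, asks the honest server for niceguy.com, gets REAL_IP back, and
rejects the connection.  This only protects against lies smuggled in as
additional records; the attacker still controls the PTR answer itself,
which is the notes' point that cryptographic authentication (DNSsec) is
what actually stops the lying.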