COMP3371 Cyber Security
Richard Henson, University of Worcester
December 2015
Week 12: Securing the TCP/IP stack

Objectives:
Explain how stateless IP filtering can be a useful tool for protecting networks against hackers
Discuss the limitations of stateless IP filtering and explain how some of these are overcome by the use of stateful IP filtering
Summarise the various other techniques that can be used to combat data security threats
Datagrams, Packets and the Transport Layer
Transport layer datagram… up to 64K long
IP layer & routing processes divide it into smaller packets
The IP packets have to be physically routed around the network
It is the management of these that we will be concerned with in this lecture…
When the packets reach their destination, they need to be reassembled at the transport layer into the original datagram
TCP and IP packets
[Diagram: a TCP packet (up to 64K) made up of a header and payload (data), divided into IP packets (up to 768 bytes), each carrying extra header fields]

More about IP packets
[Diagram: an IP packet made up of a 20-byte header and a payload (data), typically 768 bytes]
Standard IP Packet Header
Highly structured and organised into a series of fields so it can be easily read
Lengths
» Header
» Whole packet
Identification
Fragment #
TTL
Protocol (TCP or UDP)
Source IP Address
Destination IP Address
Options (e.g. source routing method)
Stateless Packet Filtering
Packet header is read
» If source IP address is suspect, packet is “dumped”
» else packet is allowed through
Can be done quickly, and the packet body (or “payload”) doesn’t have to be processed in any way

Stateful Packet Filters
Stateless filters just read the header and act
do not read the payloads of packets
do not retain the current state of connections within the session
can’t filter TCP port numbers higher than 1024
Stateful filters…
record session establishment info
remember the state of connections
Stateless Packet Filters
Use the IP header only
contains a lot of fields & their data
A firewall can be configured to filter according to the contents of various header fields:
Protocol type
IP address
TCP/UDP port
Source routing information
Fragment number

Filtering by “Protocol Type”?
Four possible values:
UDP
TCP
ICMP – Internet Control Message Protocol
IGMP – Internet Group Management Protocol
Each protocol maps onto higher level protocols
filtering out one port can shut off a lot of services!
Conclusion
Too general, not enough control
Advice: leave this field OPEN (no filtering)
Filtering by IP address
Normally focuses on the source IP address field:
can allow all IP addresses except…
or deny all IP addresses except…
The latter is an excellent way of safeguarding the local network…
would be unpopular as far as surfing the web is concerned!
More flexible firewalls allow IP addresses to be restricted on a “per protocol” basis, e.g.
No IP address filtering on port 80
Only local IP addresses can use port 23

IP Filtering by TCP/UDP port
Also known as “protocol filtering”
The Level 4 port field is a number corresponding to a higher level protocol name, e.g. port 21: FTP
Used in the same way as IP address filtering (allow… deny…)
Problem: Fragmentation
Fragmentation
Large TCP packets are broken into a series of numbered IP fragments
Only the first fragment (numbered 0) has a TCP/UDP port field
Rest of fragments therefore can’t be filtered by protocol
Earlier firewalls let them through because they are useless without the “parent” packet
however, there have been instances whereby hackers have reassembled them
therefore higher fragment numbers in this category should also be filtered

IP Filtering by TCP/UDP port
Certain protocols are favourites for hackers, e.g.:
Telnet
NetBIOS
POP3
NFS
Windows Terminal Services
Should be blocked, unless being legitimately used to provide services
Filtering by “Source Routing Information”
This field gives information about the route taken by the packet
Handled in two ways:
Loose source routing
» only a small number of intermediate IP addresses
Strict source routing
» Provides an exact route
However:
hackers can use source routing to confuse
no higher level protocols actually use source routing…
Stateful IP filtering
Using this more exhaustive technique:
the payload of a packet can also be read
» thus, the fingerprint of a virus or trojan can be identified
the firewall stores connection information in state tables
TCP ports above 1024 can be read and filtered out if required

Stateful Filtering Strategy…
Use to filter entire communication streams
Do not allow any TCP services through EXCEPT:
those that are specifically allowed (e.g. port 80)
those that are part of connections that are still in the state tables
» no entry in state table – drop packet!
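As an added worked example (not part of the lecture slides), the following Python models the header fields, the stateless port filter, the fragmentation problem and the stateful default-deny strategy described above. Packets are constructed inline as raw bytes (a fixed 20-byte IPv4 header with the TCP ports appended only on fragment 0); the addresses and the class and function names are assumptions of this example.

```python
import socket
import struct
from typing import NamedTuple, Optional

class Pkt(NamedTuple):
    ident: int
    frag_offset: int      # 0 = first (or only) fragment of the datagram
    ttl: int
    proto: int            # 6 = TCP, 17 = UDP, 1 = ICMP, 2 = IGMP
    src: str
    dst: str
    sport: Optional[int]  # None when this fragment carries no TCP/UDP header
    dport: Optional[int]

def build(src, dst, ident, frag_offset, sport=None, dport=None, proto=6):
    """Construct a sample packet: 20-byte IPv4 header, ports only on fragment 0."""
    l4 = struct.pack("!HH", sport, dport) if frag_offset == 0 else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), ident,
                     frag_offset, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + l4

def parse(raw: bytes) -> Pkt:
    """Read the fixed IPv4 header; the fragment offset is the low 13 bits of word 4."""
    (_vi, _tos, _len, ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    frag = flags_frag & 0x1FFF
    sport = dport = None
    if frag == 0 and len(raw) >= 24:
        sport, dport = struct.unpack("!HH", raw[20:24])
    return Pkt(ident, frag, ttl, proto,
               socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport)

BLOCKED_PORTS = {23, 110, 139, 2049, 3389}  # Telnet, POP3, NetBIOS, NFS, Terminal Services

def stateless(pkt: Pkt) -> str:
    """Header-only decision with no memory of earlier packets."""
    if pkt.frag_offset != 0:
        return "drop"   # no port field to inspect, so treat like the blocked parent
    if pkt.dport in BLOCKED_PORTS:
        return "drop"
    return "allow"      # note: an unsolicited probe to a high port passes too

class Stateful:
    """Default-deny inbound except listed services and replies in the state table."""
    def __init__(self, services=frozenset({80})):
        self.services, self.table = services, set()
    def outbound(self, pkt: Pkt) -> str:
        if pkt.frag_offset == 0:   # record the session so its replies are recognised
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "allow"
    def inbound(self, pkt: Pkt) -> str:
        if pkt.frag_offset != 0:
            return "drop"
        if pkt.dport in self.services:
            return "allow"   # specifically allowed service, e.g. port 80
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return "allow"   # reply to a recorded connection, even on a port above 1024
        return "drop"        # no entry in state table: drop packet
```

The stateless filter cannot tell a reply arriving on a high client port from an unsolicited probe to that port; the stateful filter allows the former only because the outbound half of the session was recorded.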
Internal Network Address Translation (NAT)
Another potential way in for IP hackers
external packets undergo protocol translation before they can travel along the local network
this means an unfiltered port, e.g. 8080, can be changed to a filtered port, e.g. 23, and then passed to a local server…
Trojan Horses use this strategy to hack through the firewall and get to the internal network

Security-enhancing use of NAT
NAT defined by the IETF as RFC #1631
Converts local private IP addresses into globally unique public IP addresses that can be used on the Internet
provides opportunities for trojan horses
but… hides all TCP/IP information relating to the internal network from would-be hackers or anyone else on the Internet
More about NAT
Reduced the demand for IPv6 in the short term
IANA RFC #1918 sets aside particular IP address ranges for private use:
» 10.0.0.0 to 10.255.255.255
» 172.16.0.0 to 172.31.255.255
» 192.168.0.0 to 192.168.255.255
single external IP address used for a 5000 computer network!
Masquerading NAT
Outbound packets are translated to the public/routable IP address of the firewall
called "masquerading" because all outbound connections appear to be originating on the firewall itself
An app may need to be given a different source port (if the original port is already in use on the firewall)
Inbound connections cannot be accepted because the firewall doesn't know which client to send them to

Non-Masquerading NAT
Each private IP address on a client has a corresponding public/routable IP address on the firewall
NAT translation is done one-to-one between pairs of public and private IP addresses
Port numbers remain unchanged
Needed for protecting servers with the Logical Firewall (and is the type you get for clients you've specified to the rule generator)
Inbound connections to clients are accepted via the client's public/routable IP address on the firewall
Limitations of NAT
NOT a panacea
does make the internal network invisible
STATIC translation can still be hacked!
Avoid masquerading NAT, if possible
makes it look like the firewall itself is misbehaving if one of its clients misbehaves
increases the risk that the ISP will disconnect the firewall rather than the offending client!
Using non-masquerading NAT allows the ISP to identify and disconnect only the offending client
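The two NAT styles contrasted in the Masquerading, Non-Masquerading and Limitations slides, as an added Python model (not from the lecture): the masquerading table shows the source-port reassignment, the dropped unsolicited inbound connection and why a complaint about the public address implicates every client; the one-to-one table shows ports left unchanged and a single identifiable client. The RFC 1918 ranges are the ones the slides list; the addresses and class names are assumptions of this example.

```python
import ipaddress
from typing import Dict, Optional, Set, Tuple

Flow = Tuple[str, int]   # (IP address, port)

# The three RFC 1918 ranges listed in the lecture
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in PRIVATE)

class MasqueradingNat:
    """Every outbound flow is rewritten to the firewall's one public address."""
    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.table: Dict[int, Flow] = {}   # public port -> (private IP, private port)

    def outbound(self, src: Flow) -> Flow:
        if not is_private(src[0]):
            raise ValueError("masquerading applies to RFC 1918 sources only")
        for pub_port, owner in self.table.items():
            if owner == src:               # existing session keeps its mapping
                return (self.public_ip, pub_port)
        pub_port = src[1]
        while pub_port in self.table:      # original port already in use on the firewall,
            pub_port += 1                  # so this app is given a different source port
        self.table[pub_port] = src
        return (self.public_ip, pub_port)

    def inbound(self, dst: Flow) -> Optional[Flow]:
        """Only a reply to a mapped flow has a known client; anything else is dropped."""
        if dst[0] != self.public_ip:
            return None
        return self.table.get(dst[1])

    def clients_behind(self, public_ip: str) -> Set[str]:
        """A complaint about public_ip points at every masqueraded client."""
        if public_ip != self.public_ip:
            return set()
        return {owner[0] for owner in self.table.values()}

class OneToOneNat:
    """Each private address owns a public address on the firewall; ports unchanged."""
    def __init__(self, pairs: Dict[str, str]):   # private IP -> public IP
        self.priv_to_pub = dict(pairs)
        self.pub_to_priv = {pub: priv for priv, pub in pairs.items()}

    def outbound(self, src: Flow) -> Flow:
        return (self.priv_to_pub[src[0]], src[1])

    def inbound(self, dst: Flow) -> Optional[Flow]:
        """Inbound connections are accepted via the client's own public address."""
        priv = self.pub_to_priv.get(dst[0])
        return (priv, dst[1]) if priv else None

    def clients_behind(self, public_ip: str) -> Set[str]:
        """A complaint about public_ip identifies exactly one client."""
        priv = self.pub_to_priv.get(public_ip)
        return {priv} if priv else set()
```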
Summary of Security Technologies covered…
Local authentication/logon and denial of access security
Privacy/Encryption
PKI/Digital certificates/Secure Sockets Layer/Virtual Private Networks
Global Authentication/Active Directory/DNS/Kerberos & Trusted Networks
Network Protection/Firewalls/Packet Filtering

Software Vulnerabilities and strategies for management
All software should be thoroughly tested…
Takes time!
Time is money!!
Short-cuts are taken!!!

Software Vulnerabilities and Exploitation
Important for software bugs to be announced
problem: also informs black hats
solution: announce fix/patch at the same time
» all users should download & install patches
» close the vulnerability
Vulnerabilities and Consequences
System crashes can be the result of:
faulty components
dodgy, unpatched, software
software and hardware compromised by malicious software (malware), attacks by hackers, or employer misuse
Essential for a backup system to kick in to provide a service to customers while the main system is being fixed

Human Vulnerabilities
All IT systems use humans
Therefore vulnerable to human frailty…
e.g. accidental deletion of a file may cause the system to become unstable!
Training can help (a lot…)
As can procedures and penalties for infringement (even termination of contract)

Best have a backup!
Memory… motherboard… disk controller… hard disk… applications… CPU… even electricity supply!
A backup for everything is expensive…
BUT… businesses need continuity (availability of IT systems nearly all the time)
» otherwise may become ex-businesses!

Dress Rehearsal
Only one way to see whether backups all work…
set up a disaster scenario
» If systems are all backed up, recovery should be quick
» else… system won’t restart
» no service, no business?
Information Assurance (IA)
Three components required:
Effective infosec system (incl. monitoring)
Controls… (or “take the risk”)
» for all potential vulnerabilities
» number needed depends on complexity of system
Evidence that the controls are working… (established through auditing)
Controls may take many forms: hardware, software, management, user

IA Standards
Many available
different standards fit different usage of IT
Assignment 2 Presentation
choose an existing standard
state who it is aimed at and used by, and why appropriate for Partsfix
explain the controls set
explain the system that governs the controls and adherence to laws and regulations over time…
give some idea of cost of implementing it

Auditing
Essential process that avoids an organisation pressurising an assessor
evidence, not talk, required
system needs to build in auditing on a regular basis
» takes time!
May reveal “non-conformance” (NC)
No certification until most NCs identified and turned into conformances

IA Certification
Awarded through:
Auditing (ISO27001, IASME, PCI-DSS, etc.)
Self-assessment (Cyber Essentials)
Why bother?