Firewalls

Upload: jayson-clark

Post on 27-Dec-2015


Firewalls

Evil Hackers

Firewall Your network

• Firewalls mitigate risk

• Block many threats

• They have vulnerabilities

Firewalls can be your connection to the Internet. As a prerequisite to this course you already know about networking, but it is worthwhile to look at the interface to the Internet with respect to security.

Typical Network Stack

• Application Layer (FTP, HTTP, SSH, etc.)

• Transport Layer (TCP, UDP, ICMP)

• Internet Layer (IP)

• Network Access Layer (Ethernet, FDDI, etc.)

(If you have a Novell or AppleShare network, the IP layer will be different.)

(Carrier Pigeon Network Layer: RFC1149 on 1 April 1990 defines the Avian Transport Protocol)

Packet Organization

Each layer’s packet organization has a header and data fields.

Each layer treats the information it gets from the layer above it as data, i.e. every layer adds a header.

Encapsulation

Application (FTP, HTTP, …):                                  [ Data ]
Transport (TCP, UDP, …):                          [ Header ] [ Data ]
Internet (IP):                         [ Header ] [ Header ] [ Data ]
Network (Ethernet):         [ Header ] [ Header ] [ Header ] [ Data ]

Ethernet Layer

• Header:

– Packet Type, e.g. IP

– Source Address: original source or last router on path

– Destination Address: final destination or next router; maybe multicast or broadcast

– Addresses are Media Access Control (MAC) addresses

• Data is an IP packet

IP Layer

• Header

– IP Source Address, e.g. 35.9.20.20

– IP Destination Address

– IP Protocol Type, e.g. TCP, UDP, ICMP

• Data: TCP packet (or UDP, etc.)

• Fragmentation: if (network max packet size < IP max size), split data into multiple packets (fragments)

TCP Layer

• Header

– TCP Source Port (2 bytes)

– TCP Destination Port

– TCP Flags: designates packet type (ACK, SYN, etc.)

• Data: application data, e.g. FTP data
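The three header slides above describe the same frame from the outside in. The following Python is an added worked example (not from the slides) that builds one Ethernet/IP/TCP frame with `struct` and then peels it apart one layer at a time, so the field offsets quoted on the slides (packet type, MAC addresses, IP addresses and protocol, ports and flags) can be seen in real bytes. The MAC addresses, ports and the HTTP payload are constructed sample values; IP checksums are left at zero because the point is structure, not a transmittable packet.

```python
import struct

# Constructed sample values for this example (not from the slides).
SRC_MAC = bytes.fromhex("001122334455")
DST_MAC = bytes.fromhex("66778899aabb")
ETHERTYPE_IP = 0x0800   # Ethernet "packet type" field value for IPv4
PROTO_TCP = 6           # IP protocol number for TCP

# TCP flag bits (octet 13 of the TCP header)
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def ip_to_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_tcp(src_port, dst_port, flags, payload):
    """Transport layer: 20-byte TCP header in front of the application data."""
    flag_bits = sum(TCP_FLAGS[f] for f in flags)
    data_offset = 5 << 4                    # 5 32-bit words = 20 bytes, no options
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                         data_offset, flag_bits, 65535, 0, 0)
    return header + payload


def build_ip(src_ip, dst_ip, proto, data):
    """Internet layer: 20-byte IPv4 header; the whole TCP segment is its data."""
    total_length = 20 + len(data)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0, 0, 64, proto, 0,
                         ip_to_bytes(src_ip), ip_to_bytes(dst_ip))   # checksum left 0
    return header + data


def build_ethernet(src_mac, dst_mac, ethertype, data):
    """Network access layer: 14-byte Ethernet header; the whole IP packet is its data."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + data


def build_frame(payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Encapsulate top-down: application data -> TCP -> IP -> Ethernet."""
    segment = build_tcp(40000, 80, {"SYN"}, payload)
    packet = build_ip("10.42.6.9", "35.9.20.20", PROTO_TCP, segment)
    return build_ethernet(SRC_MAC, DST_MAC, ETHERTYPE_IP, packet)


def parse_frame(frame):
    """Decapsulate bottom-up, removing one header per layer."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ip = frame[14:]                              # Ethernet data = IP packet
    ihl = (ip[0] & 0x0F) * 4                     # header length in bytes
    total_length = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_length]                   # IP data = TCP segment
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    flags = {name for name, bit in TCP_FLAGS.items() if tcp[13] & bit}
    return {
        "ethernet": {"src": src_mac.hex(), "dst": dst_mac.hex(), "type": ethertype},
        "ip": {"src": src_ip, "dst": dst_ip, "proto": proto},
        "tcp": {"sport": src_port, "dport": dst_port, "flags": flags},
        "data": tcp[data_offset:],               # TCP data = application data
    }


if __name__ == "__main__":
    print(parse_frame(build_frame()))
```

The frame length is exactly 14 + 20 + 20 bytes of headers plus the payload, which is the encapsulation picture in numbers: each layer only sees its own header and treats everything after it as opaque data.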

Multicast or Broadcast Source

• Legitimate use: DHCP request uses a broadcast source since it doesn’t have a valid address

• Illegitimate use: sending a broadcast source to a single destination will prompt a broadcast reply allowing you to use the destination as a broadcast source

• Since DHCP isn’t external (normally), block broadcast source

IP Fragmentation

Prevent fragmentation with path MTU discovery

– Maximum Transmission Unit (MTU)

– Send message with “don’t fragment” set

– If (error returned), decrease size; else increase size
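The decrease/increase rule on the slide is enough to find the path MTU by search. The Python below is an added example (not from the slides) that runs that search against a constructed path of links with different MTUs, using the IPv4 minimum link MTU of 68 and the usual Ethernet value of 1500 as the search bounds. The path also has a switch modelling a firewall that drops the ICMP “fragmentation needed” errors, to show what the sender sees then: no error ever comes back, so the rule cannot converge. Real implementations (RFC 1191) use the next-hop MTU carried in the ICMP error instead of a search; the search here is the slide's simpler rule.

```python
class SimulatedPath:
    """Constructed path made of links with different MTUs; the path MTU is the smallest."""

    def __init__(self, link_mtus, icmp_errors_reach_sender=True):
        self.path_mtu = min(link_mtus)
        # False models a firewall that drops ICMP "fragmentation needed" errors
        self.icmp_errors_reach_sender = icmp_errors_reach_sender
        self.probes_sent = 0

    def send(self, size, dont_fragment):
        """Outcome of one probe: 'delivered', 'frag_needed' (ICMP error came back),
        or 'silence' (the packet was dropped and so was the error about it)."""
        self.probes_sent += 1
        if size <= self.path_mtu or not dont_fragment:
            return "delivered"          # fits, or a router fragments it on the way
        return "frag_needed" if self.icmp_errors_reach_sender else "silence"


def discover_path_mtu(path, low=68, high=1500):
    """Slide rule with DF set: error returned -> decrease size, else increase size,
    done as a binary search between the IPv4 minimum MTU and the Ethernet MTU.
    Returns the largest delivered size, or None if the search stalled because no
    error ever came back (a PMTUD black hole)."""
    largest_delivered = None
    while low <= high:
        size = (low + high) // 2
        outcome = path.send(size, dont_fragment=True)
        if outcome == "delivered":
            largest_delivered = size
            low = size + 1
        elif outcome == "frag_needed":
            high = size - 1
        else:
            return None                 # silence: a real sender only learns this by timeout
    return largest_delivered


if __name__ == "__main__":
    path = SimulatedPath([1500, 1400, 1500])
    print("path MTU:", discover_path_mtu(path), "after", path.probes_sent, "probes")
    print("with ICMP errors filtered:",
          discover_path_mtu(SimulatedPath([1500, 1400], icmp_errors_reach_sender=False)))
```

The black-hole case is the practical reason a firewall that drops every ICMP “unreachable” message breaks large transfers through a narrower link: the sender keeps sending packets that fit its own MTU and never hears why they vanish.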

Packet Filters & Fragmentation

• Solution: packet filter only the first packet and let non-first packets through. If you drop the first, a higher-level protocol (TCP) will invalidate the rest.

• Problem #1: destination holds non-first packets waiting for the missing one (until timeout), resulting in Denial of Service!

• Problem #2: attacker carefully constructs overlapping fragments so that non-first packets contain useful information. Overlapping fragments may be reassembled into invalid packets, causing the OS to crash.

• Problem #3: attacker can get information to otherwise blocked ports by having valid TCP packets in non-first fragments which slip through.

Solutions

• Fragment reassembly before filtering: time consuming

• Reject all non-first fragments: may reject otherwise good connections, but they will retransmit.

• Increased use of MTU is reducing fragmentation
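Both solutions on the slide can be written as a small filter. The Python below is an added example (not from the slides) with a reassembler that refuses overlapping or gapped fragment sets instead of guessing what the destination would do with them, and a filter that applies a constructed port block list either to the reassembled datagram (“reassemble before filtering”) or only to datagrams that arrive unfragmented (“reject all non-first fragments”). Fragment offsets are byte offsets here for readability; in the real IP header they are counted in 8-byte units, which is why the sample cuts at 8. The TCP segments and the blocked port (23) are constructed.

```python
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    offset: int      # byte offset of this payload within the original datagram
    more: bool       # IP "more fragments" flag
    payload: bytes


class OverlapError(ValueError):
    pass


class IncompleteError(ValueError):
    pass


def reassemble(fragments):
    """Rebuild the datagram from its fragments; refuse overlaps and gaps rather than guess."""
    frags = sorted(fragments, key=lambda f: f.offset)
    if not frags:
        raise IncompleteError("no fragments")
    data = bytearray()
    for frag in frags:
        if frag.offset < len(data):
            raise OverlapError(f"fragment at {frag.offset} overlaps data up to {len(data)}")
        if frag.offset > len(data):
            raise IncompleteError(f"gap before offset {frag.offset}")
        data += frag.payload
    if frags[-1].more:
        raise IncompleteError("last fragment still has 'more fragments' set")
    return bytes(data)


BLOCKED_TCP_PORTS = {23}   # constructed policy: no inbound telnet


def tcp_dst_port(datagram):
    return struct.unpack("!H", datagram[2:4])[0]


def filter_fragmented(fragments, policy="reassemble"):
    """Return 'ACCEPT' or 'DROP' for one fragmented TCP datagram under a slide policy."""
    if policy == "reject-non-first":
        if any(f.offset != 0 for f in fragments):
            return "DROP"                   # the sender's TCP will retransmit
        datagram = fragments[0].payload
    elif policy == "reassemble":
        try:
            datagram = reassemble(fragments)
        except (OverlapError, IncompleteError):
            return "DROP"                   # invalid or incomplete sets never reach the host
    else:
        raise ValueError(policy)
    if len(datagram) < 4:
        return "DROP"                       # not even room for the TCP ports
    return "DROP" if tcp_dst_port(datagram) in BLOCKED_TCP_PORTS else "ACCEPT"


def make_segment(dst_port, payload=b"hello"):
    """Constructed 20-byte TCP header (only the port fields matter here) plus payload."""
    return struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload


def split(segment, at=8):
    """Split a segment into two clean fragments at a multiple of 8 bytes."""
    return [Fragment(0, True, segment[:at]), Fragment(at, False, segment[at:])]


if __name__ == "__main__":
    for policy in ("reassemble", "reject-non-first"):
        print(policy, filter_fragmented(split(make_segment(80)), policy),
              filter_fragmented(split(make_segment(23)), policy))
```

Under “reassemble” the port check always runs on the complete datagram, so it does not matter which fragment happened to carry the TCP header; the cost is the buffering and the per-datagram state that the slide calls time consuming. Under “reject-non-first” the state is gone but so is every fragmented connection until its sender retransmits.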

TCP

TCP is reliable because it guarantees to the application layer:

– Provide data in the order it was sent

– Provide all data sent

– Will not provide duplicates

It will kill a connection before violating any of these.

Blocking TCP

• To block a TCP connection, simply block the first packet.

• The first packet is unique: ACK is not set – the “start-of-connection” packet

• Can enforce a policy of only allowing connections to external servers, i.e. deny external connection requests to internal servers

TCP Options

• Common TCP Options:

– ACK (acknowledgement)

– SYN (synchronize)

– RST (reset)

– FIN (finish)

• 3-way handshake uses ACK & SYN

• RST & FIN are used to close connections

• Firewalls use ACK and RST

– ACK (not set) indicates the first packet of a connection

– RST tells people to “shut up” without providing a useful error message
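The two slides above (“Blocking TCP” and “TCP Options”) describe one stateless rule: a packet without ACK is a connection request, so dropping inbound packets without ACK lets inside hosts connect out while outside hosts cannot connect in, and the firewall answers with a bare RST. The Python below is an added example (not from the slides) of that rule over constructed packet records; the internal prefix 10.42.6.0/24 and the sample addresses are assumptions.

```python
INTERNAL_PREFIX = "10.42.6."    # constructed: the protected network behind the firewall


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def is_connection_start(pkt):
    """The unique first packet of a TCP connection is the one without ACK."""
    return "ACK" not in pkt["flags"]


def make_rst(pkt):
    """The firewall's answer to a rejected connection request: addresses and ports
    swapped, RST set, and no error text of any kind (the slide's 'shut up')."""
    return {"src": pkt["dst"], "dst": pkt["src"], "sport": pkt["dport"], "dport": pkt["sport"],
            "flags": {"RST", "ACK"}}


def tcp_filter(pkt):
    """Policy from the slides: inside may connect out, outside may not connect in.
    Returns (verdict, reply) where reply is the RST to send back, or None."""
    inbound = is_internal(pkt["dst"]) and not is_internal(pkt["src"])
    outbound = is_internal(pkt["src"]) and not is_internal(pkt["dst"])
    if inbound and is_connection_start(pkt):
        return "REJECT", make_rst(pkt)
    if inbound or outbound:
        return "ACCEPT", None
    return "DROP", None     # neither side is ours; nothing to forward


# Constructed sample traffic: an outbound request, its reply, and an outside connection attempt
SAMPLE = [
    {"src": "10.42.6.9", "dst": "35.9.20.20", "sport": 40000, "dport": 80, "flags": {"SYN"}},
    {"src": "35.9.20.20", "dst": "10.42.6.9", "sport": 80, "dport": 40000, "flags": {"SYN", "ACK"}},
    {"src": "198.51.100.4", "dst": "10.42.6.9", "sport": 5555, "dport": 22, "flags": {"SYN"}},
]


def run(packets=SAMPLE):
    return [tcp_filter(p)[0] for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run()):
        print(verdict, pkt["src"], "->", pkt["dst"], sorted(pkt["flags"]))
```

The rule blocks connection establishment and nothing else: any inbound segment with ACK set is forwarded, because a stateless filter cannot tell a reply in a real connection from an unsolicited packet that merely has the bit set. That gap is why later firewalls keep per-connection state rather than trusting the flag alone.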

TCP Sequence Numbers

• Sequence numbers allow reconstruction of correct order of packets

• Supposed to begin with a random number, but often is not random—vulnerability!

• How to hijack a TCP connection?

Hijacking a TCP Connection

Attacker needs:

• Ability to forge TCP/IP packets

• Initial sequence number

• Knowledge that a TCP connection has started (but not the ability to see it)

• When the TCP connection started

• Ability to redirect responses to you, OR continue the conversation without responses to you while achieving your goal

Thought to be too hard, but exists in the wild.

UDP

Since UDP does not guarantee reliability, there is no uniquely identifiable first packet.

ICMP

Examples

– Echo Request: sent by ping

– Echo Response

– Time exceeded (really hops exceeded)

– Destination unreachable

– Redirect (router redirected a packet and is telling the sender that a better way exists)

ICMP “Destination Unreachable” has codes to indicate the reason. The relevant ones are “Fragmentation Needed” and “Don’t Fragment”, used for path MTU discovery.

Desirable to drop all other “unreachable” replies since they provide useful information to scanners.

Most firewalls do not allow discrimination on ICMP reason.

ICMP Attacks

• ICMP packets should be very small—large ones indicate a problem, so filter out large ones.

• For example, echo packets allow padding which could contain data. Not useful for cracking, but could be used to maintain a connection to a compromised site.
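The two ICMP slides add up to a filter that discriminates on type, code and size: keep the “fragmentation needed” unreachable message that path MTU discovery depends on, drop the other unreachable codes that tell scanners why a probe failed, and drop oversized messages. The Python below is an added example (not from the slides) of that policy. Type and code numbers are the RFC 792 values; the 128-byte size limit and the decision to keep echo and time-exceeded (ping and traceroute) while dropping redirects from outside are constructed policy choices, not anything the slides prescribe.

```python
# ICMP message types and the "destination unreachable" code used by path MTU discovery.
ECHO_REPLY, DEST_UNREACHABLE, REDIRECT, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 5, 8, 11
UNREACHABLE_FRAG_NEEDED = 4       # "fragmentation needed and DF set"

# Constructed policy threshold. An ICMP error carries the offending IP header plus 8 bytes
# of its data, and a default ping is 64 bytes, so anything much bigger is suspicious.
MAX_ICMP_BYTES = 128


def icmp_filter(icmp_type, code, length):
    """Return ('ACCEPT' or 'DROP', reason) for one inbound ICMP message."""
    if length > MAX_ICMP_BYTES:
        return "DROP", "oversized ICMP: padding can carry data"
    if icmp_type in (ECHO_REQUEST, ECHO_REPLY, TIME_EXCEEDED):
        return "ACCEPT", "ping / traceroute (assumed allowed)"
    if icmp_type == DEST_UNREACHABLE:
        if code == UNREACHABLE_FRAG_NEEDED:
            return "ACCEPT", "needed for path MTU discovery"
        return "DROP", "unreachable reason leaks information to scanners"
    if icmp_type == REDIRECT:
        return "DROP", "routes are not changed from outside (assumed policy)"
    return "DROP", "type not on the allow list"


# Constructed sample messages as (type, code, length)
SAMPLE = [
    (ECHO_REQUEST, 0, 64),             # ordinary ping
    (DEST_UNREACHABLE, 4, 56),         # fragmentation needed: keep
    (DEST_UNREACHABLE, 3, 56),         # port unreachable: tells a scanner the port is closed
    (ECHO_REQUEST, 0, 1400),           # padded echo
    (REDIRECT, 1, 56),                 # host redirect from outside
    (TIME_EXCEEDED, 0, 56),            # traceroute hop
]


def run(sample=SAMPLE):
    return [icmp_filter(*msg)[0] for msg in sample]


if __name__ == "__main__":
    for msg in SAMPLE:
        print(msg, *icmp_filter(*msg))
```

The slide's last point still applies: a filter that can only match on the ICMP type, not the code, has to choose between dropping all unreachables (and breaking path MTU discovery) or passing all of them.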

IP over IP

• Encapsulating IP over IP

– Encrypted traffic (VPN: virtual private networks)

– Mobile IP (movement with fixed IP)

– Burying protocol

• Multicast over non-supporting networks

• IPv6 over IPv4

• Problem: cannot see the “actual” IP packet (encrypted) or may not look at it

Low-level Attacks

• Port scanning

– Send SYN without ACK; receives SYN if open or RST if not

– Send FIN

• “all options on” = Christmas tree (lights it up)

• “all options off” = null

• Either can crash a weak TCP/IP stack
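Each scan described above has a signature a firewall log can be checked for: many SYN-without-ACK packets from one source to different ports, a bare FIN on no connection, or the all-on and all-off flag combinations that a real TCP stack never sends. The Python below is an added example (not from the slides) of detection logic run over constructed packet records; the threshold of 10 distinct ports and the sample addresses are assumptions.

```python
from collections import defaultdict

ALL_FLAGS = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"}
SWEEP_THRESHOLD = 10     # constructed: distinct ports one source may probe before we alert


def classify_flags(flags):
    """Name the flag combinations from the slides that no normal stack produces."""
    if flags == ALL_FLAGS:
        return "xmas"
    if not flags:
        return "null"
    if flags == {"FIN"}:
        return "bare-fin"       # a FIN on a live connection always carries ACK
    return None


def detect_scans(packets):
    """Return a list of (source, finding) from a batch of packet records."""
    findings = []
    syn_targets = defaultdict(set)          # src -> {(dst, dport)} hit by SYN-without-ACK
    for pkt in packets:
        kind = classify_flags(pkt["flags"])
        if kind:
            findings.append((pkt["src"], f"{kind} packet to {pkt['dst']}:{pkt['dport']}"))
        if "SYN" in pkt["flags"] and "ACK" not in pkt["flags"]:
            syn_targets[pkt["src"]].add((pkt["dst"], pkt["dport"]))
    for src, targets in syn_targets.items():
        if len(targets) >= SWEEP_THRESHOLD:
            findings.append((src, f"SYN sweep of {len(targets)} ports"))
    return findings


def make_packet(src, dst, dport, flags):
    return {"src": src, "dst": dst, "dport": dport, "flags": set(flags)}


# Constructed sample: one legitimate connection request, one host sweeping ports 20-35,
# and two crafted packets with the all-on and all-off flag combinations.
SAMPLE = (
    [make_packet("10.42.6.9", "35.9.20.20", 80, {"SYN"})]
    + [make_packet("198.51.100.4", "10.42.6.9", port, {"SYN"}) for port in range(20, 36)]
    + [make_packet("198.51.100.5", "10.42.6.9", 22, ALL_FLAGS),
       make_packet("198.51.100.6", "10.42.6.9", 22, set())]
)


if __name__ == "__main__":
    for src, finding in detect_scans(SAMPLE):
        print(src, finding)
```

The sweep count is per batch, so on a real log the packets would be bucketed by time window first; the flag checks need no state at all and are cheap enough to run on every packet.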

Low-level Attacks

• IP Spoofing: the apparent problem is that the reply is not sent to the attacker

– Attacker can intercept the reply

– Attacker doesn’t care to see it (e.g. DoS)

– Attacker doesn’t want the reply: a smurf attack redirects the response to the attack while multiplying replies with a broadcast source

Packet Filtering Pro/Con

• Pro

– One filter can protect an entire network

– Simple filtering is efficient

– Widely available

• Con

– Not perfect: hard to configure and test

– Reduces router performance

– Some security policies cannot be enforced, e.g. block a user

Network Address Translation (NAT)

(Linux calls it masquerading)

Client (internal address 10.42.6.9) --- NAT --- (external address 35.9.20.20) --- Server

NAT Pro/Con

• Pro

– Enforces control over outbound connections

– Dynamic translation is more restrictive: a changed mapping increases attack difficulty

– Conceals internal configuration

• Con

– Dynamic translation requires maintaining state (how long to keep the connection open?)

– Interferes with some encryption schemes

– Dynamic translation interferes with logging

– Dynamic translation of ports can interfere with filtering
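Most of the pro/con list above follows from one data structure: the translation table. The Python below is an added example (not from the slides) of a dynamic source NAT over packet records, using the slide's addresses: it allocates a fresh external port per outbound connection, translates replies back through the same entry, drops inbound packets that match no entry (which is how NAT enforces control over outbound connections), and answers the “how long to keep the connection open?” question with an idle timeout. The port range and the 120-second default timeout are constructed values.

```python
class DynamicNat:
    """Source NAT with dynamic port translation, a state table, and an idle timeout."""

    def __init__(self, external_ip, idle_timeout=120, first_port=40000):
        self.external_ip = external_ip
        self.idle_timeout = idle_timeout
        self.next_port = first_port        # constructed: simple increasing allocation
        self.outbound_map = {}   # (int_ip, int_port, dst_ip, dst_port) -> ext_port
        self.inbound_map = {}    # (ext_port, dst_ip, dst_port) -> (int_ip, int_port)
        self.last_seen = {}      # ext_port -> time of the last packet in either direction

    def outbound(self, pkt, now):
        """Rewrite an internal packet's source to the external address and a mapped port."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        ext_port = self.outbound_map.get(key)
        if ext_port is None:
            ext_port = self.next_port      # a different mapping for every new connection
            self.next_port += 1
            self.outbound_map[key] = ext_port
            self.inbound_map[(ext_port, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
        self.last_seen[ext_port] = now
        return dict(pkt, src=self.external_ip, sport=ext_port)

    def inbound(self, pkt, now):
        """Translate a reply back to the internal host, or return None (drop) if no
        internal host opened a connection that this packet could belong to."""
        key = (pkt["dport"], pkt["src"], pkt["sport"])
        if key not in self.inbound_map:
            return None
        self.last_seen[pkt["dport"]] = now
        int_ip, int_port = self.inbound_map[key]
        return dict(pkt, dst=int_ip, dport=int_port)

    def expire(self, now):
        """Drop mappings idle longer than the timeout; returns how many were removed."""
        stale = [p for p, t in self.last_seen.items() if now - t > self.idle_timeout]
        for ext_port in stale:
            del self.last_seen[ext_port]
            for key, port in list(self.outbound_map.items()):
                if port == ext_port:
                    del self.outbound_map[key]
                    self.inbound_map.pop((ext_port, key[2], key[3]), None)
        return len(stale)


if __name__ == "__main__":
    nat = DynamicNat("35.9.20.20", idle_timeout=60)
    out = nat.outbound({"src": "10.42.6.9", "sport": 5000, "dst": "203.0.113.10", "dport": 80}, now=0)
    print("outbound rewritten to", out["src"], out["sport"])
    print("reply ->", nat.inbound({"src": "203.0.113.10", "sport": 80, "dst": "35.9.20.20", "dport": 40000}, now=1))
    print("expired", nat.expire(now=100))
```

The same table explains the cons: a log written on the outside shows only 35.9.20.20 and a port that meant a different internal host an hour ago, and any filter placed outside the NAT sees those mapped ports rather than the internal ones it was written for. Real implementations also time out entries differently for TCP (watching for FIN/RST) and UDP, which this example does not model.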