INFS 766 Internet Security Protocols Lecture 1 Firewalls

Prof. Ravi Sandhu

INTERNET INSECURITY
Internet insecurity spreads at Internet speed Morris worm of 1987 Password sniffing attacks in 1994 IP spoofing attacks in 1995 Denial of service attacks in 1996 Email borne viruses 1999 Distributed denial of service attacks 2000 Fast spreading worms and viruses 2003 Spam 2004 no end in sight Internet insecurity grows at super-Internet speed security incidents are growing faster than the Internet (which has roughly doubled every year since 1988)
Ravi Sandhu 2000-2004

SECURITY OBJECTIVES
CONFIDENTIALITY disclosure

INTEGRITY modification

AVAILABILITY access

Ravi Sandhu 2000-2004

USAGE-CONTROL purpose

SECURITY TECHNIQUES
Prevention
access control

Detection
auditing/intrusion detection incident handling

Acceptance
practicality
Ravi Sandhu 2000-2004

THREATS, VULNERABILITIES ASSETS AND RISK

THREATS are possible attacks VULNERABILITIES are weaknesses ASSETS are information and resources that need protection RISK requires assessment of threats, vulnerabilities and assets

Ravi Sandhu 2000-2004

RISK

Outsider Attack

insider attack

Insider Attack

Ravi Sandhu 2000-2004

outsider attack
6

PERSPECTIVE ON SECURITY
No silver bullets A process NOT a turn-key product Requires a conservative stance Requires defense-in-depth A secondary objective Absolute security does not exist Security in most systems can be improved
Ravi Sandhu 2000-2004

PERSPECTIVE ON SECURITY
absolute security is impossible does not mean absolute insecurity is acceptable

Ravi Sandhu 2000-2004

INTRUSION SCENARIOS

Ravi Sandhu 2000-2004

CLASSICAL INTRUSIONS SCENARIO 1

Insider attack
The insider is already an authorized user

Insider acquires privileged access

exploiting bugs in privileged system programs exploiting poorly configured privileges

Install backdoors/Trojan horses to facilitate subsequent acquisition of privileged access

Ravi Sandhu 2000-2004

10

CLASSICAL INTRUSIONS SCENARIO 2

Outsider attack Acquire access to an authorized account Perpetrate an insider attack

Ravi Sandhu 2000-2004

11

NETWORK INTRUSIONS SCENARIO 3

Outsider/Insider attack Spoof network protocols to effectively acquire access to an authorized account

Ravi Sandhu 2000-2004

12

DENIAL OF SERVICE ATTACKS

Flooding network ports with attack source masking TCP/SYN flooding of internet service providers in 1996

Ravi Sandhu 2000-2004

13

INFRASTRUCTURE ATTACKS
router attacks
modify router configurations

domain name server attacks internet service attacks

web sites ftp archives

Ravi Sandhu 2000-2004

14

INTERNET ARCHITECTURE AND PROTOCOLS

Ravi Sandhu 2000-2004

15

OSI REFERENCE MODEL

END USER A END USER B

Application Layer
higher level protocols

Application Layer End user functions Presentation Layer Session Layer Transport Layer Network functions Network Layer Data Link Layer Physical Layer
lower level protocols or network services higher level protocols

Presentation Layer Session Layer Transport Layer

lower level protocols or network services

Network Layer Data Link Layer Physical Layer

PHYSICAL MEDIUM
Ravi Sandhu 2000-2004

16

OSI REFERENCE MODEL

END USER A END USER B

higher level protocols

higher level protocols

lower level protocols or network services

lower level protocols or network services

SOURCE NODE
Ravi Sandhu 2000-2004

INTERMEDIATE NETWORK NODE

DESTINATION NODE

17

TCP/IP PROTOCOL STACK BASIC PROTOCOLS

layer 5-7

TELNET

FTP TCP

SMTP UDP IP

HTTP etc

Ethernet

Token-Ring ATM PPP etc

18

Ravi Sandhu 2000-2004

TCP/IP PROTOCOL STACK BASIC PROTOCOLS

IP (Internet Protocol)
connectionless routing of packets

UDP (User Datagram Protocol)

unreliable datagram protocol

TCP (Transmission Control Protocol)

connection-oriented, reliable, transport protocol
Ravi Sandhu 2000-2004

19

TCP/IP PROTOCOL STACK BASIC PROTOCOLS

TELNET: remote terminal FTP (File Transfer Protocol) TFTP (Trivial File Transfer Protocol) SMTP (Simple Mail Transfer Protocol) RPC (Remote Procedure Call) HTTP (Hyper Text Transfer Protocol) and others
20

Ravi Sandhu 2000-2004

TCP/IP PROTOCOL STACK INFRASTRUCTURE PROTOCOLS

layer 5-7

TELNET
DNS

FTP TCP

SMTP UDP IP

HTTP etc
RIP EGP BGP

4 ICMP

ARP

RARP

Ethernet

Token-Ring ATM PPP etc

21

Ravi Sandhu 2000-2004

TCP/IP PROTOCOL STACK INFRASTRUCTURE PROTOCOLS

ICMP: Internet Control Message Protocol ARP: Address Resolution Protocol RARP: Reverse Address Resolution Protocol DNS: Domain Name Service RIP: Routing Information Protocol BGP: Border Gateway Protocol EGP: External Gateway Protocol
22

Ravi Sandhu 2000-2004

TCP/IP PROTOCOL STACK SECURITY PROTOCOLS

layer 5-7

TELNET
DNS SSL

FTP

SMTP UDP

HTTP
RIP EGP BGP

4 ICMP

TCP
IPSEC

IP Ethernet

ARP

RARP

Token-Ring ATM
23

Ravi Sandhu 2000-2004

INTERNET STANDARDS PROCESS

IETF: Internet Engineering Task Force Application Area General Area Internet Area Operational Requirements Area Routing Area Security Area Transport Area User Services Area 24

Ravi Sandhu 2000-2004

IETF SECURITY AREA ACTIVE WORKING GROUPS

An Open Specification for Pretty Good Privacy (openpgp) Authenticated Firewall Traversal (aft) Common Authentication Technology (cat) IP Security Policy (ipsp) IP Security Protocol (ipsec) IP Security Remote Access (ipsra) Intrusion Detection Exchange Format (idwg) Kerberized Internet Negotiation of Keys (kink) Kerberos WG (krb-wg) One Time Password Authentication (otp) Public-Key Infrastructure (X.509) (pkix) S/MIME Mail Security (smime) Secure Network Time Protocol (stime) Secure Shell (secsh) Securely Available Credentials (sacred) Security Issues in Network Event Logging (syslog) Simple Public Key Infrastructure (spki) Transport Layer Security (tls) Web Transaction Security (wts) XML Digital Signatures (xmldsig)

Ravi Sandhu 2000-2004

25

RFCs AND IETF DRAFTS

RFCs Standards Proposed Standard Draft Standard Internet Standard Informational Experimental Historic IETF drafts work in progress expire after 6 months
Ravi Sandhu 2000-2004

26

MUST, SHOULD, MAY

MUST
mandatory, required of compliant implementations

SHOULD
strongly recommended but not required

MAY
possibility even if not stated a may is always allowed unless it violates MUST NOT
Ravi Sandhu 2000-2004

27

TCP/IP VULNERABILITIES

Ravi Sandhu 2000-2004

28

BASIC TCP/IP VULNERABILITIES

many dangerous implementations of protocols
sendmail

many dangerous protocols

NFS, X11, RPC many of these are UDP based

Ravi Sandhu 2000-2004

29

BASIC TCP/IP VULNERABILITIES

solution
allow a restricted set of protocols between selected external and internal machines otherwise known as firewalls

Ravi Sandhu 2000-2004

30

IP PACKET
header data
carries a layer 4 protocol

TCP, UDP ICMP, IPSEC, IP IPX, Ethernet, PPP 31

or a layer 3 protocol

or a layer 2 protocol

Ravi Sandhu 2000-2004

TCP INSIDE IP

IP HEADER

TCP HEADER

Ravi Sandhu 2000-2004

32

IP HEADER FORMAT
version: 4bit, currently v4 header length: 4 bit, length in 32 bit words TOS (type of service): unused total length: 16 bits, length in bytes identification, flags, fragment offset: total 16 bits used for packet fragmentation and reassembly TTL (time to live): 8 bits, used as hop count Protocol: 8 bit, protocol being carried in IP packet, usually TCP, UDP but also ICMP, IPSEC, IP, IPX, PPP, Ethernet header checksum: 16 bit checksum source address: 32 bit IP address destination address: 32 bit IP address

Ravi Sandhu 2000-2004

33

IP HEADER FORMAT
options
source routing

enables route of a packet and its response to be explicitly controlled

route recording timestamping security labels

Ravi Sandhu 2000-2004

34

TCP HEADER FORMAT

source port number
source IP address + source port number is a socket: uniquely identifies sender

destination port number

destination IP address + destination port number is a socket : uniquely identifies receiver

SYN and ACK flags sequence number acknowledgement number

Ravi Sandhu 2000-2004

35

TCP 3 WAY HANDSHAKE

initiator
SYN(X)

responder

SYN(Y), ACK(X)

ACK(Y)

Ravi Sandhu 2000-2004

36

TCP SYN FLOODING ATTACK

TCP 3 way handshake
send SYN packet with random IP source address return SYN-ACK packet is lost this half-open connection stays for a fairly long time out period

Denial of service attack Basis for IP spoofing attack

Ravi Sandhu 2000-2004

37

IP SPOOFING
Send SYN packet with spoofed source IP address SYN-flood real source so it drops SYN-ACK packet guess sequence number and send ACK packet to target
target will continue to accept packets and response packets will be dropped
Ravi Sandhu 2000-2004

38

TCP SESSION HIJACKING

Send RST packet with spoofed source IP address and appropriate sequence number to one end SYN-flood that end send ACK packets to target at other end

Ravi Sandhu 2000-2004

39

SMURF ATTACK
Send ICMP ping packet with spoofed IP source address to a LAN which will broadcast to all hosts on the LAN Each host will send a reply packet to the spoofed IP address leading to denial of service

Ravi Sandhu 2000-2004

40

ULTIMATE VULNERABILITY
IP packet carries no authentication of source address IP spoofing is possible
IP spoofing is a real threat on the Internet IP spoofing occurs on other packet-switched networks also, such as Novells IPX

Firewalls do not solve this problem Requires cryptographic solutions

Ravi Sandhu 2000-2004

41

FIREWALLS

Ravi Sandhu 2000-2004

42

WHAT IS A FIREWALL?

internal network

FIREWALL

external Internet

Ravi Sandhu 2000-2004

43

WHAT IS A FIREWALL?
all traffic between external and internal networks must go through the firewall
easier said than done

firewall has opportunity to ensure that only suitable traffic goes back and forth
easier said than done
Ravi Sandhu 2000-2004

44

ULTIMATE FIREWALL

internal network

Air Gap

external Internet

Ravi Sandhu 2000-2004

45

BENEFITS
secure and carefully administer firewall machines to allow controlled interaction with external Internet internal machines can be administered with varying degrees of care does work
Ravi Sandhu 2000-2004

46

BASIC LIMITATIONS
connections which bypass firewall services through the firewall introduce vulnerabilities insiders can exercise internal vulnerabilities performance may suffer single point of failure
Ravi Sandhu 2000-2004

47

TYPES OF FIREWALLS
Packet filtering firewalls
IP layer

Application gateway firewalls

Application layer

Circuit relay firewalls

TCP layer

Combinations of these
Ravi Sandhu 2000-2004

48

PACKET FILTERING FIREWALLS

IP packets are filtered based on
source IP address + source port number destination IP address + destination port number protocol field: TCP or UDP TCP protocol flag: SYN or ACK

Ravi Sandhu 2000-2004

49

FILTERING ROUTERS
internal network
packet filtering router

external Internet

mail gateway

i-nw-to-router router-to-i-nw
Ravi Sandhu 2000-2004

e-nw-to-router router-to-e-nw 50

PACKET FILTERING FIREWALLS

drop packets based on filtering rules static (stateless) filtering
no context is kept

dynamic (statefull) filtering

keeps context

Ravi Sandhu 2000-2004

51

PACKET FILTERING FIREWALLS

Should never allow packet with source address of internal machine to enter from external internet Cannot trust source address to allow selective access from outside

Ravi Sandhu 2000-2004

52

FILTERING ROUTERS
internal network 1

internal network 2

packet filtering router

external Internet

mail gateway (internal network 3)

Ravi Sandhu 2000-2004

53

FILTERING HOST

internal network

packet filtering firewall host

external router

external Internet

one can use a packet filtering firewall even if connection to Internet is via an external service provider
Ravi Sandhu 2000-2004

54

PACKET FILTERING FIREWALLS

packet filtering is effective for coarse-grained controls not so effective for fine-grained control
can do: allow incoming telnet from a particular host cannot do: allow incoming telnet from a particular user
Ravi Sandhu 2000-2004

55

APPLICATION GATEWAY FIREWALLS

internal network

application gateway firewall host

external router

external Internet

SIMPLEST CONFIGURATION
Ravi Sandhu 2000-2004

56

APPLICATION PROXIES
have to be implemented for each service may not be safe (depending on service)

Ravi Sandhu 2000-2004

57

CLIENT-SIDE PROXIES Internal-Client External-Server

allow outgoing http for web access to external machines from internal users requires some client configuration

Ravi Sandhu 2000-2004

58

SERVER-SIDE PROXIES External-Client Internal-Server

allow incoming telnet for access to selected internal machines from selected external users requires some cryptographic protection to thwart sniffing and IP spoofing becoming increasingly important for
electronic commerce VPN remote access security 59

Ravi Sandhu 2000-2004

FIREWALL ARCHITECTURES DUAL HOMED HOST

I n t r a n e t Router Router I n t e r n e t

Bastion Host (Application Gateway) Bastion Host (External Service)

Ravi Sandhu 2000-2004

60

FIREWALL ARCHITECTURES SCREENED SUBNET

I n t r a n e t Router Packet Filter Router I n t e r n e t

Bastion Host (External Service)

Ravi Sandhu 2000-2004

61

INTRUSION DETECTION

Ravi Sandhu 2000-2004

62

RELATED TECHNOLOGIES
Intrusion detection Vulnerability assessment Incident response Honey pots Sniffer probes

Ravi Sandhu 2000-2004

63

INTRUSION DETETCION TECHNIQUES

Policy detection (or knowledge-based)
default permit

attack-signature based detection also called misuse detection specification-based detection requires user profiling requires some learning capability in the system

default deny

Anomaly detection (or behavior-based)

Combinations of these
Ravi Sandhu 2000-2004

64

INTRUSION DETECTION DATA SOURCE

network-based intrusion detection
multiple sensor points

host-based intrusion detection

multi-host based

application-based intrusion detection combinations of these

Ravi Sandhu 2000-2004

65

ATTACKER
Outsider
easier

insider
harder

Ravi Sandhu 2000-2004

66

INTRUSION DETECTION ISSUES

effectiveness efficiency security inter-operability ease of use transparency
67

Ravi Sandhu 2000-2004

INTRUSION DETECTION CHALLENGES

False alarm rate Performance and scalability

Ravi Sandhu 2000-2004

68

BASE RATE FALLACY

Test for a disease is 99% accurate
100 disease-free people tested, 99 test negative 100 diseased people tested, 99 test positive

Prevalence of disease is 1 in 10,000 Alice tests positive What is probability Alice has the disease?

Ravi Sandhu 2000-2004

69

BASE RATE FALLACY

Test for a disease is 99% accurate
100 disease-free people tested, 99 test negative 100 diseased people tested, 99 test positive

Prevalence of disease is 1 in 10,000 Alice tests positive What is probability Alice has the disease? 1 in 100 False alarm rate: 99 in 100 !!!!!
Ravi Sandhu 2000-2004

70

BASE RATE FALLACY BAYES THEOREM

population: 1,000,000 diseased: 100 disease free: 999,900 false positive: 9,999 true positive: 99 Alices chance of disease: 99/(9,999+99) = 1/100
Ravi Sandhu 2000-2004

71

BASE RATE FALLACY 99.99% ACCURACY

population: 1,000,000 diseased: 100 disease free: 999,900 false positive: 99.99 true positive: 99.99 Alices chance of disease: 99.99/(99.99+99.99) = 1/2
Ravi Sandhu 2000-2004

72

NETWORK-BASED INTRUSION DETECTION SIGNATURES

port signatures header signatures string signatures

Ravi Sandhu 2000-2004

73

NETWORK-BASED INTRUSION DETECTION ADVANTAGES

Complements firewalls broad visibility into network activity no impact on network performance transparent installation

Ravi Sandhu 2000-2004

74

NETWORK-BASED INTRUSION DETECTION DISADVANTAGES

False positives miss new unknown attacks scalability with high-speed networks passive stance emergence of switched Ethernet

Ravi Sandhu 2000-2004

75

HOST-BASED INTRUSION DETECTION

host wrappers or personal firewalls
look at all network packets, connection attempts, or login attempts to the monitored machine

example, tcp-wrapper

host-based agents
monitor accesses and changes to critical system files and changes in user privilege

example, tripwire

Ravi Sandhu 2000-2004

76

INTRUSION DETECTION STANDARDS

None exist ongoing efforts
CIDF: common intrusion detection framework for sharing information IETF Intrusion Detection Working Group just started
77

Ravi Sandhu 2000-2004

INTRUSION DETECTION
Needs to integrate with other security technologies such as cryptography and access control one component of defense-in-depth layered security strategy incident-response and recovery are important considerations
Ravi Sandhu 2000-2004

78