INFS 766Internet Security Protocols
Lecture 1Firewalls
Prof. Ravi Sandhu
2© Ravi Sandhu 2000-2004
INTERNET INSECURITY
Internet insecurity spreads at Internet speedMorris worm of 1987Password sniffing attacks in 1994IP spoofing attacks in 1995Denial of service attacks in 1996Email borne viruses 1999Distributed denial of service attacks 2000Fast spreading worms and viruses 2003Spam 2004… no end in sight
Internet insecurity grows at super-Internet speedsecurity incidents are growing faster than the Internet (which has roughly doubled every year since 1988)
3© Ravi Sandhu 2000-2004
SECURITY OBJECTIVES
INTEGRITYmodification
AVAILABILITYaccess
CONFIDENTIALITYdisclosure
USAGE-CONTROLpurpose
4© Ravi Sandhu 2000-2004
SECURITY TECHNIQUES
Preventionaccess control
Detectionauditing/intrusion detectionincident handling
Acceptancepracticality
5© Ravi Sandhu 2000-2004
THREATS, VULNERABILITIESASSETS AND RISK
THREATS are possible attacksVULNERABILITIES are weaknessesASSETS are information and resources that need protectionRISK requires assessment of threats, vulnerabilities and assets
6© Ravi Sandhu 2000-2004
RISK
Outsider Attack• insider attack
Insider Attack• outsider attack
7© Ravi Sandhu 2000-2004
PERSPECTIVE ON SECURITY
No silver bulletsA process NOT a turn-key productRequires a conservative stanceRequires defense-in-depthA secondary objectiveAbsolute security does not exist
Security in most systems can be improved
8© Ravi Sandhu 2000-2004
PERSPECTIVE ON SECURITY
absolute security is impossible does not mean absolute insecurity is acceptable
9© Ravi Sandhu 2000-2004
INTRUSION SCENARIOS
10© Ravi Sandhu 2000-2004
CLASSICAL INTRUSIONS SCENARIO 1
Insider attackThe insider is already an authorized user
Insider acquires privileged accessexploiting bugs in privileged system programsexploiting poorly configured privileges
Install backdoors/Trojan horses to facilitate subsequent acquisition of privileged access
11© Ravi Sandhu 2000-2004
CLASSICAL INTRUSIONS SCENARIO 2
Outsider attackAcquire access to an authorized accountPerpetrate an insider attack
12© Ravi Sandhu 2000-2004
NETWORK INTRUSIONS SCENARIO 3
Outsider/Insider attackSpoof network protocols to effectively acquire access to an authorized account
13© Ravi Sandhu 2000-2004
DENIAL OF SERVICE ATTACKS
Flooding network ports with attack source maskingTCP/SYN flooding of internet service providers in 1996
14© Ravi Sandhu 2000-2004
INFRASTRUCTURE ATTACKS
router attacksmodify router configurations
domain name server attacksinternet service attacks
web sitesftp archives
15© Ravi Sandhu 2000-2004
INTERNET ARCHITECTUREAND PROTOCOLS
16© Ravi Sandhu 2000-2004
OSI REFERENCE MODEL
higherlevel
protocols
lowerlevel
protocolsor
networkservices
higherlevel
protocols
lowerlevel
protocolsor
networkservicesPhysical Layer
Data Link Layer
Network Layer
Transport Layer
Session Layer
Presentation Layer
Application Layer
END USER A END USER B
Physical Layer
Data Link Layer
Network Layer
Transport Layer
Session Layer
Presentation Layer
Application Layer
PHYSICAL MEDIUM
Enduser
functions
Networkfunctions
17© Ravi Sandhu 2000-2004
OSI REFERENCE MODEL
END USER A END USER B
higherlevel
protocols
lowerlevel
protocolsor
networkservices
higherlevel
protocols
lowerlevel
protocolsor
networkservices
SOURCE NODE DESTINATION NODEINTERMEDIATENETWORK NODE
18© Ravi Sandhu 2000-2004
layer5-7
4
3
2
TCP/IP PROTOCOL STACK BASIC PROTOCOLS
TELNET FTP SMTP HTTP etc
TCP UDP
IP
Ethernet Token-Ring ATM PPP etc
19© Ravi Sandhu 2000-2004
TCP/IP PROTOCOL STACK BASIC PROTOCOLS
IP (Internet Protocol)connectionless routing of packets
UDP (User Datagram Protocol)unreliable datagram protocol
TCP (Transmission Control Protocol)connection-oriented, reliable, transport protocol
20© Ravi Sandhu 2000-2004
TCP/IP PROTOCOL STACK BASIC PROTOCOLS
TELNET: remote terminalFTP (File Transfer Protocol)TFTP (Trivial File Transfer Protocol)SMTP (Simple Mail Transfer Protocol)RPC (Remote Procedure Call)HTTP (Hyper Text Transfer Protocol)and others
21© Ravi Sandhu 2000-2004
TELNET FTP SMTP HTTP etc
TCP UDP
IP
Ethernet Token-Ring ATM PPP etc
layer5-7
4
3
2
TCP/IP PROTOCOL STACK INFRASTRUCTURE PROTOCOLS
ICMP
ARP RARP
DNS RIP EGPBGP
22© Ravi Sandhu 2000-2004
TCP/IP PROTOCOL STACK INFRASTRUCTURE PROTOCOLS
ICMP: Internet Control Message ProtocolARP: Address Resolution ProtocolRARP: Reverse Address Resolution ProtocolDNS: Domain Name ServiceRIP: Routing Information ProtocolBGP: Border Gateway ProtocolEGP: External Gateway Protocol
23© Ravi Sandhu 2000-2004
TELNET FTP SMTP HTTP
TCP UDP
IP
Ethernet Token-Ring ATM
layer5-7
4
3
2
TCP/IP PROTOCOL STACK SECURITY PROTOCOLS
ICMP
ARP RARP
DNS RIP EGPBGP
IPSEC
SSL
24© Ravi Sandhu 2000-2004
INTERNET STANDARDS PROCESS
IETF: Internet Engineering Task ForceApplication AreaGeneral AreaInternet AreaOperational Requirements AreaRouting AreaSecurity AreaTransport AreaUser Services Area
25© Ravi Sandhu 2000-2004
IETF SECURITY AREA ACTIVE WORKING GROUPS
An Open Specification for Pretty Good Privacy (openpgp) Authenticated Firewall Traversal (aft) Common Authentication Technology (cat) IP Security Policy (ipsp) IP Security Protocol (ipsec) IP Security Remote Access (ipsra) Intrusion Detection Exchange Format (idwg) Kerberized Internet Negotiation of Keys (kink) Kerberos WG (krb-wg) One Time Password Authentication (otp) Public-Key Infrastructure (X.509) (pkix) S/MIME Mail Security (smime) Secure Network Time Protocol (stime) Secure Shell (secsh) Securely Available Credentials (sacred) Security Issues in Network Event Logging (syslog) Simple Public Key Infrastructure (spki) Transport Layer Security (tls) Web Transaction Security (wts) XML Digital Signatures (xmldsig)
26© Ravi Sandhu 2000-2004
RFCs AND IETF DRAFTS
RFCsStandards
• Proposed Standard• Draft Standard• Internet Standard
InformationalExperimentalHistoric
IETF draftswork in progressexpire after 6 months
27© Ravi Sandhu 2000-2004
MUST, SHOULD, MAY
MUSTmandatory, required of compliant implementations
SHOULDstrongly recommended but not required
MAYpossibilityeven if not stated a may is always allowed unless it violates MUST NOT
28© Ravi Sandhu 2000-2004
TCP/IP VULNERABILITIES
29© Ravi Sandhu 2000-2004
BASIC TCP/IP VULNERABILITIES
many dangerous implementations of protocols
sendmail
many dangerous protocolsNFS, X11, RPCmany of these are UDP based
30© Ravi Sandhu 2000-2004
BASIC TCP/IP VULNERABILITIES
solutionallow a restricted set of protocols between selected external and internal machinesotherwise known as firewalls
31© Ravi Sandhu 2000-2004
IP PACKET
headerdata
carries a layer 4 protocol• TCP, UDP
or a layer 3 protocol• ICMP, IPSEC, IP
or a layer 2 protocol• IPX, Ethernet, PPP
32© Ravi Sandhu 2000-2004
TCP INSIDE IP
IPHEADER
TCPHEADER
33© Ravi Sandhu 2000-2004
IP HEADER FORMAT
version: 4bit, currently v4header length: 4 bit, length in 32 bit wordsTOS (type of service): unusedtotal length: 16 bits, length in bytesidentification, flags, fragment offset: total 16 bits used for packet fragmentation and reassemblyTTL (time to live): 8 bits, used as hop countProtocol: 8 bit, protocol being carried in IP packet, usually TCP, UDP but also ICMP, IPSEC, IP, IPX, PPP, Ethernetheader checksum: 16 bit checksumsource address: 32 bit IP addressdestination address: 32 bit IP address
34© Ravi Sandhu 2000-2004
IP HEADER FORMAT
optionssource routing
• enables route of a packet and its response to be explicitly controlled
route recordingtimestampingsecurity labels
35© Ravi Sandhu 2000-2004
TCP HEADER FORMAT
source port numbersource IP address + source port number is a socket: uniquely identifies sender
destination port numberdestination IP address + destination port number is a socket : uniquely identifies receiver
SYN and ACK flagssequence numberacknowledgement number
36© Ravi Sandhu 2000-2004
TCP 3 WAY HANDSHAKE
initiator responderSYN(X)
SYN(Y), ACK(X)
ACK(Y)
37© Ravi Sandhu 2000-2004
TCP SYN FLOODING ATTACK
TCP 3 way handshakesend SYN packet with random IP source addressreturn SYN-ACK packet is lostthis half-open connection stays for a fairly long time out period
Denial of service attackBasis for IP spoofing attack
38© Ravi Sandhu 2000-2004
IP SPOOFING
Send SYN packet with spoofed source IP addressSYN-flood real source so it drops SYN-ACK packetguess sequence number and send ACK packet to target
target will continue to accept packets and response packets will be dropped
39© Ravi Sandhu 2000-2004
TCP SESSION HIJACKING
Send RST packet with spoofed source IP address and appropriate sequence number to one endSYN-flood that endsend ACK packets to target at other end
40© Ravi Sandhu 2000-2004
SMURF ATTACK
Send ICMP ping packet with spoofed IP source address to a LAN which will broadcast to all hosts on the LANEach host will send a reply packet to the spoofed IP address leading to denial of service
41© Ravi Sandhu 2000-2004
ULTIMATE VULNERABILITY
IP packet carries no authentication of source addressIP spoofing is possible
IP spoofing is a real threat on the InternetIP spoofing occurs on other packet-switched networks also, such as Novell’s IPX
Firewalls do not solve this problemRequires cryptographic solutions
42© Ravi Sandhu 2000-2004
FIREWALLS
43© Ravi Sandhu 2000-2004
WHAT IS A FIREWALL?
internalnetwork
FIRE-WALL
externalInternet
44© Ravi Sandhu 2000-2004
WHAT IS A FIREWALL?
all traffic between external and internal networks must go through the firewall
easier said than donefirewall has opportunity to ensure that only suitable traffic goes back and forth
easier said than done
45© Ravi Sandhu 2000-2004
ULTIMATE FIREWALL
internalnetwork
externalInternet
AirGap
46© Ravi Sandhu 2000-2004
BENEFITS
secure and carefully administer firewall machines to allow controlled interaction with external Internetinternal machines can be administered with varying degrees of caredoes work
47© Ravi Sandhu 2000-2004
BASIC LIMITATIONS
connections which bypass firewallservices through the firewall introduce vulnerabilitiesinsiders can exercise internal vulnerabilitiesperformance may suffersingle point of failure
48© Ravi Sandhu 2000-2004
TYPES OF FIREWALLS
Packet filtering firewallsIP layer
Application gateway firewallsApplication layer
Circuit relay firewallsTCP layer
Combinations of these
49© Ravi Sandhu 2000-2004
PACKET FILTERING FIREWALLS
IP packets are filtered based onsource IP address + source port numberdestination IP address + destination port numberprotocol field: TCP or UDPTCP protocol flag: SYN or ACK
50© Ravi Sandhu 2000-2004
FILTERING ROUTERS
internalnetwork packet
filteringrouter
externalInternet
i-nw-to-router
router-to-i-nw
e-nw-to-router
router-to-e-nw
mailgateway
51© Ravi Sandhu 2000-2004
PACKET FILTERING FIREWALLS
drop packets based on filtering rulesstatic (stateless) filtering
no context is kept
dynamic (statefull) filteringkeeps context
52© Ravi Sandhu 2000-2004
PACKET FILTERING FIREWALLS
Should never allow packet with source address of internal machine to enter from external internetCannot trust source address to allow selective access from outside
53© Ravi Sandhu 2000-2004
FILTERING ROUTERS
internalnetwork 1
packetfilteringrouter
externalInternet
mail gateway(internal network 3)
internalnetwork 2
54© Ravi Sandhu 2000-2004
FILTERING HOST
internalnetwork
externalrouter
externalInternet
packetfilteringfirewall
host
one can use a packet filtering firewall even if connection to Internet is via an external service provider
55© Ravi Sandhu 2000-2004
PACKET FILTERING FIREWALLS
packet filtering is effective for coarse-grained controlsnot so effective for fine-grained control
can do: allow incoming telnet from a particular hostcannot do: allow incoming telnet from a particular user
56© Ravi Sandhu 2000-2004
APPLICATION GATEWAY FIREWALLS
internalnetwork
externalrouter
externalInternet
applicationgatewayfirewall
host
SIMPLEST CONFIGURATION
57© Ravi Sandhu 2000-2004
APPLICATION PROXIES
have to be implemented for each servicemay not be safe (depending on service)
58© Ravi Sandhu 2000-2004
CLIENT-SIDE PROXIESInternal-Client External-Server
allow outgoing http for web access to external machines from internal usersrequires some client configuration
59© Ravi Sandhu 2000-2004
SERVER-SIDE PROXIESExternal-Client Internal-Server
allow incoming telnet for access to selected internal machines from selected external usersrequires some cryptographic protection to thwart sniffing and IP spoofingbecoming increasingly important for
electronic commerceVPNremote access security
60© Ravi Sandhu 2000-2004
FIREWALL ARCHITECTURESDUAL HOMED HOST
Bastion Host(Application
Gateway)
Router RouterIntranet
Internet
Bastion Host(ExternalService)
61© Ravi Sandhu 2000-2004
FIREWALL ARCHITECTURESSCREENED SUBNET
Packet Filter
Router RouterIntranet
Internet
Bastion Host(ExternalService)
62© Ravi Sandhu 2000-2004
INTRUSION DETECTION
63© Ravi Sandhu 2000-2004
RELATED TECHNOLOGIES
Intrusion detectionVulnerability assessmentIncident responseHoney potsSniffer probes
64© Ravi Sandhu 2000-2004
INTRUSION DETETCION TECHNIQUES
Policy detection (or knowledge-based)default permit
• attack-signature based detection• also called misuse detection
default deny• specification-based detection
Anomaly detection (or behavior-based)• requires user profiling• requires some learning capability in the system
Combinations of these
65© Ravi Sandhu 2000-2004
INTRUSION DETECTION DATA SOURCE
network-based intrusion detectionmultiple sensor points
host-based intrusion detectionmulti-host based
application-based intrusion detectioncombinations of these
66© Ravi Sandhu 2000-2004
ATTACKER
Outsidereasier
insiderharder
67© Ravi Sandhu 2000-2004
INTRUSION DETECTION ISSUES
effectivenessefficiencysecurityinter-operabilityease of usetransparency
68© Ravi Sandhu 2000-2004
INTRUSION DETECTION CHALLENGES
False alarm ratePerformance and scalability
69© Ravi Sandhu 2000-2004
BASE RATE FALLACY
Test for a disease is 99% accurate100 disease-free people tested, 99 test negative100 diseased people tested, 99 test positive
Prevalence of disease is 1 in 10,000Alice tests positiveWhat is probability Alice has the disease?
70© Ravi Sandhu 2000-2004
BASE RATE FALLACY
Test for a disease is 99% accurate100 disease-free people tested, 99 test negative100 diseased people tested, 99 test positive
Prevalence of disease is 1 in 10,000Alice tests positiveWhat is probability Alice has the disease?
1 in 100False alarm rate: 99 in 100 !!!!!
71© Ravi Sandhu 2000-2004
BASE RATE FALLACYBAYE’S THEOREM
population: 1,000,000diseased: 100disease free: 999,900false positive: 9,999true positive: 99Alice’s chance of disease: 99/(9,999+99) = 1/100
72© Ravi Sandhu 2000-2004
BASE RATE FALLACY99.99% ACCURACY
population: 1,000,000diseased: 100disease free: 999,900false positive: 99.99true positive: 99.99Alice’s chance of disease: 99.99/(99.99+99.99) = 1/2
73© Ravi Sandhu 2000-2004
NETWORK-BASED INTRUSION DETECTION SIGNATURES
port signaturesheader signaturesstring signatures
74© Ravi Sandhu 2000-2004
NETWORK-BASED INTRUSION DETECTION ADVANTAGES
Complements firewallsbroad visibility into network activityno impact on network performancetransparent installation
75© Ravi Sandhu 2000-2004
NETWORK-BASED INTRUSION DETECTION DISADVANTAGES
False positivesmiss new unknown attacksscalability with high-speed networkspassive stanceemergence of switched Ethernet
76© Ravi Sandhu 2000-2004
HOST-BASED INTRUSION DETECTION
host wrappers or personal firewallslook at all network packets, connection attempts, or login attempts to the monitored machine
• example, tcp-wrapper
host-based agentsmonitor accesses and changes to critical system files and changes in user privilege
• example, tripwire
77© Ravi Sandhu 2000-2004
INTRUSION DETECTION STANDARDS
None existongoing efforts
CIDF: common intrusion detection framework for sharing informationIETF Intrusion Detection Working Groupjust started
78© Ravi Sandhu 2000-2004
INTRUSION DETECTION
Needs to integrate with other security technologies such as cryptography and access controlone component of defense-in-depth layered security strategyincident-response and recovery are important considerations