
Page 1 (source: Router Architectures Evolutions, paul_o/Courses/Filtering..., 2011. 10. 18.)

Filtering An Introduction

Olivier Paul

RST department, TSP

Page 2

Overview

• Introduction.

• The Network Level.

• The Circuit Level.

• The Application Level.

• Firewall Architectures.

Page 3

Introduction

• Some history:

– 80s:

• Intense activity around system security.

– Security based on formal proofs.

– Classification based on the amount of code proved: Orange book.

– End of 80s:

• Changes in the computing world.

– Mainframe -> micro-computers.

– Users have control of their computing environment.

• Changes in the networking world.

– Centralized -> distributed.

– Telecommunication based protocols -> TCP/IP.


Page 4

Introduction

• Some history:

– End of 80s:

• Trust models revisited.

– Models based on formal proofs too expensive (D. Denning, 92):

» Development lasted years.

» By the time the OS was developed, the hardware was obsolete.

» Often insecurely managed.

– Result: Most systems do not use formally proved software.

– New notion of trust:

» Trust through simplicity (trust what you understand).

» Trust through wide use and testing (trust what works).

– Not every computer can be trusted.


Page 5

Introduction

• Some history:

– Not every computer can be trusted:

• TCP/IP protocols were not designed with security in mind.

• Most computers use OSes that have little care for security.

• Most users have little knowledge in terms of security.

• Networked devices present a new avenue for hackers.

– Protect weak devices.

• Improve security without changing:

– Users.

– OSes, Protocols.

• Notion of security perimeter.

– Trusted entities: Inside.

– Untrusted entities: Outside.

Diagram (recovered from the slide): the Firewall sits on the Security perimeter, between the Internet and the inside.


Page 6

Introduction

• How to separate the outside from the inside?

– Firewall (1990).

• Controls all traffic crossing the perimeter.

• Behavior must be incorruptible.

– First Filters:

• Packet filters (Jeff Mogul - DEC, 1989).

– Ability to control communications based on TCP/IP information.

– Packet based. Decision taken per packet.

– Implemented on Cisco devices in 1989.


Page 7

Introduction

• How to separate the outside from the inside?

– First Filters:

• Circuit-level Proxy (Bill Cheswick- AT&T, 1990).

– Limitations for packet filters:

» Are not able to record information about connections.

» Either allow or deny external users to connect to internal devices.

– Must provide the ability to connect while limiting an attacker's ability to take advantage of it.

– Associate authentication information with communication information.

– Splits each TCP connection in two:

» Proxy acts as a server for the client.

» Proxy acts as a client for the server.

– Maintains information about connections.

– Acts as an entry point with limited capabilities for external users.

– Ability to control communications based on TCP/IP information.


Page 8

Introduction

• How to separate the outside from the inside?

– First Filters:

• Application level Proxy (Marcus Ranum, DEC, 1992).

– Limitations for proxies:

» Are not able to record information about applications.

» Are not able to manage security policy for internal applications.

» Are not able to detect application level vulnerabilities.

– Keeps the general proxy scheme (two connections, recording of information, authentication).

– But add application specific processing:

» http-gw, telnet-gw, ftp-gw, …

» Each proxy requires an application specific policy.


Page 9

Introduction

• Type of filter/Default policy action:

– Everything that is not permitted is denied.

• Filtering policy allows what is known as legitimate traffic/behavior.

• Benefit:

– Knowledge about what is legitimate can be partially obtained from specifications.

– No need to know existing attacks.

• Drawback:

– Implementations != specifications.

– Legitimacy can sometimes not be determined.

– Everything that is not denied is permitted.

• Filtering policy blocks what is known as an attack/illegitimate behavior.

• Benefit:

– Often results in simpler implementations.

• Drawback:

– Requires an up-to-date knowledge of such behaviors.


Page 10

Introduction

• Type of filter/Default policy action:

Diagram (recovered from the slide): the traffic space drawn as a Venn diagram. In the positive model a set is "Defined as Legitimate" and everything else is blocked: legitimate traffic outside that set is blocked legitimate traffic, true attacks inside it are missed attacks. In the negative model a set is "Defined as Attacks" and only that set is blocked: legitimate traffic inside it is blocked legitimate traffic, true attacks outside it are missed attacks.

Page 11

Introduction

• Type of filter/Stateful aspect:

– Stateless.

• Analyses each data unit on the fly without consideration for what was received previously.

• Benefits: Fewer resources needed/Immune to resource depletion attacks.

• Drawback:

– Impossible to implement policies where the data to analyze is carried over several data units.

– Attackers can disguise their actions.

– Stateful.

• Keeps information about data units received in the past in order to take a filtering decision.

• Benefits:

– Can solve data fragmentation issues.

– Can counter some masquerading attacks.

• Drawbacks: More resources needed.


Page 12

Introduction

• Type of filter/Stateful aspect:

Diagram (recovered from the slide): a taxonomy tree. Filters are split into stateless and stateful, with a further distinction between blocking and non-blocking filters.

Page 13

Network example

Diagram (recovered from the slide): Internet, Filter A and Filter B; the subnet 157.159.226.128/25 containing the HTTP server 157.159.226.132 and the address 157.159.226.131; the subnet 157.159.226.0/25 containing the SSH server 157.159.226.5 and the address 157.159.226.11. The filtering examples that follow reuse this topology.

Page 14

Overview

• Introduction.

• The Network Level.

• The Circuit Level.

• The Application Level.

• Firewall Architectures.


Page 15

Network level Filter

• Overview

Block diagram (recovered from the slide): incoming packets on the External Interface pass through Fragment Management and Packet Classification; classification reads the IP/Transport Headers and is driven by the Filtering Policy; Authorized Packets leave on the Internal Interface.

Page 16

Filtering Policy

R#  Itf  Dir  Proto  Src Addr.         Dst Addr          Src Port  Dst Port  Action
1   Ext  In   TCP    157.159.226.0/25  157.159.226.132   >1024     80        Permit
2   Ext  Out  TCP    157.159.226.132   157.159.226.0/25  80        >1024     Permit
3   Int  In   TCP    157.159.226.132   157.159.226.0/25  80        >1024     Permit
4   Int  Out  TCP    157.159.226.0/25  157.159.226.132   >1024     80        Permit


Reading the table: R# is the priority of the rule; Src Addr./Dst Addr hold prefixes or addresses; Src Port/Dst Port hold a value or a range; all of these are fields in the IP packet; Action is the decision taken. Rules are tried in priority order, so with

Src Port  Dst Port  Action
>1024     1025      Permit
1025      >1024     Deny

a packet with ports 1025,1025 matches both rules and the first one applies (Permit).

Page 17

Permit access from 157.159.226.0/25 to HTTP server

(Same network diagram as page 13.)

R#  Itf  Dir  Proto  Src Addr.         Dst Addr          Src Port  Dst Port  Action
1   Ext  In   TCP    157.159.226.0/25  157.159.226.132   >1024     80        Permit
2   Ext  Out  TCP    157.159.226.132   157.159.226.0/25  80        >1024     Permit
3   Int  In   TCP    157.159.226.132   157.159.226.0/25  80        >1024     Permit
4   Int  Out  TCP    157.159.226.0/25  157.159.226.132   >1024     80        Permit

So everything is permitted?

Page 18

Side effects

(Same network diagram as page 13, with a Telnet Server at 157.159.226.6 listening on Port 1048.)

R#  Itf  Dir  Proto  Src Addr.         Dst Addr          Src Port  Dst Port  Action
1   Ext  In   TCP    157.159.226.0/25  157.159.226.132   >1024     80        Permit
2   Ext  Out  TCP    157.159.226.132   157.159.226.0/25  80        >1024     Permit
3   Int  In   TCP    157.159.226.132   157.159.226.0/25  80        >1024     Permit
4   Int  Out  TCP    157.159.226.0/25  157.159.226.132   >1024     80        Permit

Clients on the HTTP server using source port 80 can talk to the telnet server!

Page 19

Limiting the problem with TCP flags

(Same network diagram as page 18.)

R#   Itf  Dir  Proto  Src Addr.         Dst Addr          Src Port  Dst Port  Flag  Action
1.1  Ext  In   TCP    157.159.226.0/25  157.159.226.132   >1024     80        Syn   Permit
1.2  Ext  In   TCP    157.159.226.0/25  157.159.226.132   >1024     80        Ack   Permit
1.3  Ext  In   TCP    157.159.226.0/25  157.159.226.132   >1024     80        Fin   Permit
2.1  Ext  Out  TCP    157.159.226.132   157.159.226.0/25  80        >1024     Ack   Permit
2.2  Ext  Out  TCP    157.159.226.132   157.159.226.0/25  80        >1024     Fin   Permit

Page 20

Reducing Size of policy with deny

(Same network diagram as page 18.)

R#   Itf  Dir  Proto  Src Addr.         Dst Addr          Src Port  Dst Port  Flag  Action
1.1  Ext  In   TCP    157.159.226.0/25  157.159.226.132   >1024     80        *     Permit
2.1  Ext  Out  TCP    157.159.226.132   157.159.226.0/25  80        >1024     Ack   Permit
2.2  Ext  Out  TCP    157.159.226.132   157.159.226.0/25  80        >1024     Syn   Deny
2.3  Ext  Out  TCP    157.159.226.132   157.159.226.0/25  80        >1024     *     Permit

Page 21

Other filtering parameters

• IP options

– RR, Timestamp: expose the internal network architecture.

– Source routing: allows hackers to control the path followed by packets.

• Flag combinations/absence

– Used in several types of attacks to exploit vulnerabilities.

• ICMP type and code

– Redirect

• Fragmentation related

– Offset, total size, More Fragment, Don't Fragment bits.


Page 22

IP Fragmentation Reminder

Diagram (recovered from the slide): an IP datagram with Total Length = 1000 (TL=1000, M=0, OFF=0, ID=1234) crosses a link with MTU=596 and is split into two fragments carrying the same ID:

Fragment 1: TL=596, M=1, OFF=0, ID=1234
Fragment 2: TL=444, M=0, OFF=72, ID=1234

(M is the More Fragments bit; OFF is the fragment offset in 8-byte units, so OFF=72 means the second fragment's data starts at byte 576, right after the 576 data bytes of the first one.)

Page 23

Problems with fragmentation

• Missing Information

Diagram (recovered from the slide): the original datagram (IP: TL=1000, M=0, OFF=0, ID=1234) carries a TCP header with Src Port=80, Dst Port=1025, Flag=SYN. Two ways of fragmenting it are shown:

TCP header in the first fragment: fragment 1 (TL=180, M=1, OFF=0, ID=1234) carries the whole TCP header (Src Port=80, Dst Port=1025, Flag=SYN); fragment 2 (TL=40, M=0, OFF=20, ID=1234) carries no TCP header at all.

TCP header spread over fragments: fragment 1 (TL=180, M=1, OFF=0, ID=1234) carries only Src Port=80 and Dst Port=1025; fragment 2 (TL=40, M=0, OFF=1, ID=1234) carries the flags (Flag=SYN). A filter that decides on each fragment alone cannot apply a flag rule to the first fragment, and has no ports to match in the second.

Rules in force:

R#   Itf  Dir  Proto  Src Addr.         Dst Addr          Src Port  Dst Port  Flag  Action
2.1  Ext  Out  TCP    157.159.226.132   157.159.226.0/25  80        >1024     Ack   Permit
2.2  Ext  Out  TCP    157.159.226.132   157.159.226.0/25  80        >1024     Syn   Deny
2.3  Ext  Out  TCP    157.159.226.132   157.159.226.0/25  80        >1024     *     Permit

Page 24

Problems with fragmentation

• Inconsistent Reassembly Strategies

Diagram (recovered from the slide): two overlapping fragments arrive, both with TL=40, M=1, ID=1234: one at OFF=0 carrying Src Port=80, Dst Port=1025, Flag=ACK, and one at OFF=1 carrying Flag=SYN in the bytes that overlap the first. The reassembled datagram (IP: TL=1000, M=0, OFF=0, ID=1234; TCP: Src Port=80, Dst Port=1025) ends up with Flag=SYN on Windows NT (reassembly policy called First) and with Flag=ACK on BSD (policy called BSD), so a filter and a destination host following different policies see different packets.

Rules in force:

R#   Itf  Dir  Proto  Src Addr.         Dst Addr          Src Port  Dst Port  Flag  Action
2.1  Ext  Out  TCP    157.159.226.132   157.159.226.0/25  80        >1024     Ack   Permit
2.2  Ext  Out  TCP    157.159.226.132   157.159.226.0/25  80        >1024     Syn   Deny
2.3  Ext  Out  TCP    157.159.226.132   157.159.226.0/25  80        >1024     *     Permit

Page 25

Overview

• Introduction.

• The Network Level.

• The Circuit Level.

• The Application Level.

• Firewall Architectures.


Page 26

Circuit level Filter

• Overview

Block diagram (recovered from the slide): Incoming Packets on the External Interface go through Normalization and State Lookup (using Transport level Information), then State Checking against the Filtering Policy; Authorized Packets leave on the Internal Interface.

Page 27

Problems with static rules

(Same network diagram as page 18: Telnet Server at 157.159.226.6, Port 1048.)

R#   Itf  Dir  Proto  Src Addr.         Dst Addr          Src Port  Dst Port  Flag  Action
1.1  Ext  In   TCP    157.159.226.0/25  157.159.226.132   >1024     80        *     Permit
2.1  Ext  Out  TCP    157.159.226.132   157.159.226.0/25  80        >1024     Ack   Permit
2.2  Ext  Out  TCP    157.159.226.132   157.159.226.0/25  80        >1024     Syn   Deny
2.3  Ext  Out  TCP    157.159.226.132   157.159.226.0/25  80        >1024     *     Permit

Packet shown on the slide: 157.159.226.32 → 157.159.226.6, src port 80, dst port 1048, flag ack. Traffic from port 80 of the HTTP server to the telnet server's port 1048 is permitted by rule 2.1: the static rules still leave this hole open.

Page 28

Dynamic packet filtering

• Motivations

– Improve security

• Any static rule leaves a hole allowing an outsider to send information to inside devices.

• The larger the hole, the easier it is to find it.

• A way to render the filtering process more restrictive is to base this process (define the hole) on knowledge only known to the two communicating parties.

– Examples:

» Connection existence.

» State in the state automaton.

» TCP sequence number.

Diagram (recovered from the slide): static rules leave a permanently open hole; with dynamic rules the hole is opened dynamically.


Page 29

Circuit Level filtering

• Motivations

– Improve ease of use

– Simplify rules expression

• Static filters require good knowledge of IP subtleties.

• With dynamic packet filtering, the system takes care of the subtleties.

• The first rule allows the connection to get recorded.

• The other possible packets are deduced from the content of previous packets and from the initial rule.

– Simple rules mean more secure filtering.

R#   Itf  Dir  Proto  Src Addr.         Dst Addr          Src Port  Dst Port  Keep State  Action
1.1  Ext  In   TCP    157.159.226.0/25  157.159.226.132   >1024     80        Yes         Permit

Page 30

Circuit Level filtering

• Motivations

– Simplify rules expression

• Before Packet #1:

R#   Itf  Dir  Proto  Src Addr.         Dst Addr          Src Port  Dst Port  Keep State  Action
1.1  Ext  In   TCP    157.159.226.0/25  157.159.226.132   >1024     80        Yes         Permit

• Packet #1: 157.159.226.6 → 157.159.226.132, src port 1025, dst port 80, flag syn.

• After Packet #1:

R#     Itf  Dir  Proto  Src Addr.         Dst Addr          Src Port  Dst Port  Keep State  Action
1.1.1  Ext  In   TCP    157.159.226.6     157.159.226.132   1025      80                    Permit
1.1.2  In   Out  TCP    157.159.226.6     157.159.226.132   1025      80                    Permit
1.1.3  In   In   TCP    157.159.226.132   157.159.226.6     80        1025                  Permit
1.1.4  Ext  Out  TCP    157.159.226.132   157.159.226.6     80        1025                  Permit
1.1    Ext  In   TCP    157.159.226.0/25  157.159.226.132   >1024     80        Yes         Permit
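The static rules of pages 16-20 and the keep-state rule of pages 29-30, run side by side as an added example (not code from the course): a first-match classifier over the slides' rule columns, and a stateful variant that records the connection opened by the permitted SYN and then serves its packets from the state table, as rules 1.1.1-1.1.4 above show. Packet, Rule, StatefulFilter and the constructed packets (including the port-80-to-telnet packet of pages 18 and 27) are this example's own names and data.

```python
"""Static and stateful filtering over the rule tables of pages 16-20, 27, 29-30.
Added example, not the course's own code: a first-match classifier for the
slides' rule columns, plus a keep-state variant that records the connection
on the permitted SYN and then permits its packets from the state table."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    itf: str          # interface the packet is seen on: "Ext" or "Int"
    direction: str    # "In" or "Out"
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # TCP flags that are set, e.g. frozenset({"Syn", "Ack"})


@dataclass(frozen=True)
class Rule:
    rid: str
    itf: str
    direction: str
    src: str          # address or prefix, as in the slides' tables
    dst: str
    sport: str        # "80", ">1024" or "*"
    dport: str
    flag: str         # "Syn", "Ack", "Fin" or "*"
    action: str
    keep_state: bool = False


def _port_ok(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if spec.startswith(">"):
        return port > int(spec[1:])
    return port == int(spec)


def _addr_ok(spec: str, addr: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.itf == pkt.itf and rule.direction == pkt.direction
            and _addr_ok(rule.src, pkt.src) and _addr_ok(rule.dst, pkt.dst)
            and _port_ok(rule.sport, pkt.sport) and _port_ok(rule.dport, pkt.dport)
            and (rule.flag == "*" or rule.flag in pkt.flags))


def decide_static(rules, pkt):
    """First match wins (R# is the priority); no match -> default Deny (page 9)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.rid, rule.action
    return "default", "Deny"


HTTP, LAN = "157.159.226.132", "157.159.226.0/25"
PAGE20 = [  # page 20: the policy reduced with a deny rule
    Rule("1.1", "Ext", "In", LAN, HTTP, ">1024", "80", "*", "Permit"),
    Rule("2.1", "Ext", "Out", HTTP, LAN, "80", ">1024", "Ack", "Permit"),
    Rule("2.2", "Ext", "Out", HTTP, LAN, "80", ">1024", "Syn", "Deny"),
    Rule("2.3", "Ext", "Out", HTTP, LAN, "80", ">1024", "*", "Permit"),
]
PAGE29 = [Rule("1.1", "Ext", "In", LAN, HTTP, ">1024", "80", "*", "Permit", True)]


class StatefulFilter:
    """Keep-state rules only admit connection-opening SYNs.  The connection a
    permitted SYN opens is recorded, and every later packet of it (either
    direction, any interface) is permitted from the state table, like the
    derived rules 1.1.1-1.1.4 of page 30.  Everything else is denied."""
    def __init__(self, rules):
        self.rules = rules
        self.state = set()    # (src, sport, dst, dport) of each recorded SYN
    def decide(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.state or rev in self.state:
            return "state", "Permit"
        for rule in self.rules:
            if not matches(rule, pkt):
                continue
            if rule.keep_state:
                if "Syn" not in pkt.flags:   # stray ACK with no recorded connection
                    continue
                if rule.action == "Permit":
                    self.state.add(fwd)
            return rule.rid, rule.action
        return "default", "Deny"


SYN, ACK, SYNACK = frozenset({"Syn"}), frozenset({"Ack"}), frozenset({"Syn", "Ack"})
PACKETS = {  # constructed packets; 157.159.226.6:1048 is the telnet server of pages 18-27
    "client_syn": Packet("Ext", "In", "157.159.226.6", HTTP, 1025, 80, SYN),
    "server_synack": Packet("Ext", "Out", HTTP, "157.159.226.6", 80, 1025, SYNACK),
    "stray_ack": Packet("Ext", "In", "157.159.226.5", HTTP, 1030, 80, ACK),
    "port80_to_telnet_syn": Packet("Ext", "Out", HTTP, "157.159.226.6", 80, 1048, SYN),
    "port80_to_telnet_ack": Packet("Ext", "Out", HTTP, "157.159.226.6", 80, 1048, ACK),
}


def static_demo():
    return {name: decide_static(PAGE20, p) for name, p in PACKETS.items()}


def stateful_demo():
    f = StatefulFilter(PAGE29)    # packets are handled in PACKETS order
    return {name: f.decide(p) for name, p in PACKETS.items()}
```

Under the static policy the port-80-to-telnet ACK of page 27 is permitted by rule 2.1; the stateful filter denies it, and also denies the stray ACK, because neither belongs to a recorded connection.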

Page 31

Protocol Particularities

• Inconsistent segments reassembly strategies.

Diagram (recovered from the slide): three TCP segments of one HTTP request, all with Src Port=1024, Dst Port=80, Ack=8520 and IP TTL=4. One (TL=44, Flag=ACK) carries "GET «", one (TL=52, Flag=ACK, PSH) carries "secret.html»", one (TL=52, Flag=ACK) carries "« public.html»"; the slide shows sequence numbers 4134, 4130 and 4133, so the last two segments overlap. Solaris (policy called Last) reassembles the request as GET «secret.html», FreeBSD (policy called BSD) as GET «Public.html».
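How the reassembly policies named on pages 24 and 31 (and in the table of page 36) decide overlapping data, as an added example that is not part of the course: a per-byte reassembler parameterised by policy, run on constructed fragments modelled on page 24 and constructed HTTP segments modelled on this page. Chunk, reassemble and the per-byte tie-break rules are this example's own reading of the policies; the policy names come from the Active Mapping paper cited on page 36.

```python
"""Overlap resolution in IP fragment and TCP segment reassembly (pages 23-24, 31).
Added example, not the course's own code.  Policy names follow the Active
Mapping paper cited on page 36 (Shankar & Paxson, 2003); the per-byte
tie-breaking rules used here are this example's own reading of those policies."""
from dataclasses import dataclass


@dataclass
class Chunk:
    """A fragment or segment: byte offset of its first byte, payload, arrival order."""
    offset: int
    data: bytes
    arrival: int

    @property
    def end(self) -> int:
        return self.offset + len(self.data)


def _winner(covering, policy):
    """Choose which of the chunks covering one byte position supplies it."""
    if policy == "first":   # earliest arrival wins (Windows, HP-UX fragments)
        return min(covering, key=lambda c: c.arrival)
    if policy == "last":    # latest arrival wins (Cisco IOS fragments, Solaris segments)
        return max(covering, key=lambda c: c.arrival)
    if policy == "bsd":     # lowest offset wins, tie -> earliest arrival
        return min(covering, key=lambda c: (c.offset, c.arrival))
    if policy == "linux":   # lowest offset wins, tie -> latest arrival
        return min(covering, key=lambda c: (c.offset, -c.arrival))
    raise ValueError(f"unknown policy {policy!r}")


def reassemble(chunks, policy):
    """Rebuild the byte stream; raises if the chunks leave a hole."""
    out = bytearray()
    for pos in range(max(c.end for c in chunks)):
        covering = [c for c in chunks if c.offset <= pos < c.end]
        if not covering:
            raise ValueError(f"hole at byte {pos}")
        chunk = _winner(covering, policy)
        out.append(chunk.data[pos - chunk.offset])
    return bytes(out)


# --- Pages 23-24: two overlapping fragments carrying a TCP header (constructed) ---
SYN, ACK = 0x02, 0x10
FLAGS_BYTE = 13        # the flags live in byte 13 of the TCP header


def tcp_header(flags: int) -> bytes:
    """Minimal 20-byte TCP header: Src Port=80, Dst Port=1025, given flags."""
    hdr = bytearray(20)
    hdr[0:2] = (80).to_bytes(2, "big")
    hdr[2:4] = (1025).to_bytes(2, "big")
    hdr[12] = 5 << 4   # data offset: 5 words, no options
    hdr[13] = flags
    return bytes(hdr)


def slide_fragments(syn_arrives_first: bool):
    """Fragment A: OFF=0, 20 data bytes, Flag=ACK.  Fragment B: OFF=1 (units of
    8 bytes, so bytes 8-27), 20 data bytes, with Flag=SYN at absolute byte 13."""
    a = tcp_header(ACK)
    b = (tcp_header(SYN) + bytes(8))[8:]
    frags = [Chunk(0, a, 0), Chunk(8, b, 1)]
    if syn_arrives_first:
        frags = [Chunk(8, b, 0), Chunk(0, a, 1)]
    return frags


def reassembled_flags(policy: str, syn_arrives_first: bool) -> int:
    return reassemble(slide_fragments(syn_arrives_first), policy)[FLAGS_BYTE]


# --- Page 31: three HTTP segments, two of them overlapping (constructed) ---
def slide_segments():
    """'GET ' at seq 4130; then 'public.html' and 'secret.html', both at seq 4134."""
    base = 4130
    return [Chunk(4130 - base, b"GET ", 0),
            Chunk(4134 - base, b"public.html", 1),
            Chunk(4134 - base, b"secret.html", 2)]


def reassembled_request(policy: str) -> bytes:
    return reassemble(slide_segments(), policy)


if __name__ == "__main__":
    for policy in ("first", "last", "bsd", "linux"):
        flags = reassembled_flags(policy, syn_arrives_first=True)
        print(f"{policy:5} fragments -> {'SYN' if flags == SYN else 'ACK'};"
              f" segments -> {reassembled_request(policy)!r}")
```

With the SYN fragment arriving first, "first" yields a SYN and "bsd" an ACK, which is the Windows NT versus BSD split of page 24; the same chunks under "last" and "bsd" give the Solaris versus FreeBSD split of page 31.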

Page 32

Protocol Particularities


• Other alternatives:

– Reaction to RST depending on sequence number.

• Some stacks accept out of window RSTs.

• Some others do not.

• Used to hide the rest of the connection.

– Use wrong checksums.

• Used to introduce data between two packets to invalidate application level signatures.

– Use particular flag combinations.

• Same story.

– Many others.

Page 33

Topological particularities

• Inconsistent view between the filter and the destination.

– 3 hops between the filter and the destination.

Diagram (recovered from the slide): the same request as on page 31 (Src Port=1024, Dst Port=80, Ack=8520). The segment carrying "GET «" (TL=44, TTL=4, Flag=ACK) and the one carrying "secret.html»" (TL=52, TTL=4, Flag=ACK) reach the destination; the overlapping segment carrying "Public.html»" (TL=52, TTL=3, Flag=ACK, PSH) expires after 3 hops and never does. The filter, which sees all three, reassembles GET «Public.html»; the destination reassembles GET «secret.html».

Page 34

Application level particularities

• Inconsistent view between the filter and the destination.

Diagram (recovered from the slide; its field labels are in French: Drap. = Flag, LT = TL, Port Src/Dst = Src/Dst Port): three TCP segments of one HTTP request, all with Src Port=1024, Dst Port=80, Ack=8520. One (TL=44, Flag=ACK, URG, Urg=7) carries "GET «", one (TL=46, Flag=ACK, PSH) carries "public", one (TL=52, Flag=ACK) carries "secret.html»"; the slide shows sequence numbers 4134, 4130 and 4140. Depending on whether the stack applies the specific procedure for Urgent Data, the request is reassembled either as GET «secret.html» or as GET «publicsecret.html».

Page 35

Fingerprinting


• Fingerprinting:

– Use OS specificities to infer the identity of the remote OS.

• Specificities:

– Some systems use specific TCP/IP protocol stacks.

– Most systems use specific TCP/IP protocol tuning.

• Once the OS is identified, hackers can restrict their attacks to target OS-specific vulnerabilities.

• Examples:

– Fragment reassembly strategy.

– Segment reassembly strategy.

– Reaction to RST (In/Out Sequence/Window).

Page 36

Example


• Active mapping: (Umesh Shankar, IEEE SSP, 2003)

OS Fragments Segments RST in Win RST out Win

AIX 4.3,8.9.3 BSD BSD Yes No

Cisco IOS Last BSD Yes No

FreeBSD BSD BSD Yes No

HP-UX 11.00 First BSD Yes Yes

IRIX64 6.4 BSD BSD Yes No

Linux 2.2.19-6.2.10smp linux BSD No No

Linux 2.4 (RedHat 7.1-7.3) linux BSD Yes No

MacOS (version unknown) First BSD Yes Yes

OpenBSD (version unknown) linux BSD No No

OpenVMS 7.1 BSD BSD Yes No

OS/2 (version unknown) BSD No result Yes Yes

OSF1 V4.0,5.0,5.1 BSD BSD Yes No

SunOS 4.1.4 BSD BSD Yes No

SunOS 5.5.1,5.6,5.7,5.8 First Last Yes No

Tru64 Unix V5.0A,V5.1 BSD BSD Yes No

Vax/VMS BSD BSD Yes No

Windows (95/98/NT4/W2K/XP) First BSD Yes No

Page 37

Overview

• Introduction.

• The Network Level.

• The Circuit Level.

• The Application Level.

• Firewall Architectures.


Page 38

Application level Filter

• Overview

Block diagram (recovered from the slide): Incoming Packets on the External Interface go through Normalization, State Lookup and State Checking, then Protocol Analysis and Pattern Matching on Application-Level Information against the Filtering Policy; Authorized Packets leave on the Internal Interface.

Page 39

Application protocol specific policies

Example: HTTP.

– We can no longer determine a field's semantics from its location in the packet.


Frame 4 (383 bytes on wire, 383 bytes captured)

Ethernet II, Src: 00:03:47:fa:f8:f6, Dst: 00:02:b3:af:d7:b5

Internet Protocol, Src Addr: 157.159.226.6, Dst Addr: 157.159.226.132

Transmission Control Protocol, Src Port: 2612, Dst Port: 80, Seq: 1, Ack: 1, Len: 329

Hypertext Transfer Protocol

GET / HTTP/1.0\r\n

Request Method: GET

Accept: image/gif, image/x-xbitmap, image/jpeg, */*\r\n

Accept-Language: fr\r\n

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461)\r\n

Host: calvin:80\r\n

Connection: Keep-Alive\r\n

\r\n

Annotation (recovered from the slide): each header line pairs an information element semantic (the field name, e.g. Host) with an information element value (e.g. calvin:80).

Page 40

Application protocol specific policy

• Example: HTTP.

– Regular expression conditions are used with text-oriented protocols.

– Lower-level protocol values can be obtained through the socket interface.

R#  Src Address  Dst Address      Src Port  Dst Port  Proto  Method  URI           Action
1   *            157.159.226.132  >1024     80        HTTP   POST    *             Deny
2   *            157.159.226.132  >1024     80        HTTP   *       *.htm| *.txt  Permit

Reading the table: R# is the rule priority; Method and URI are information element semantics, and their column entries are information element values written as regular expressions. The request "POST test.txt" is matched by rule 1 (Deny) before rule 2 is considered.

Page 41

Application protocol specific vulnerabilities

• Example: HTTP.

– IIS v4, v5

• By default allows remote execution of script files.

• Using a particular request format, shell commands can be executed.

• Example:

– GET http://www/scripts/file.bat+&+dir+c:/ HTTP/1.1

– Executes file.bat and dir c:/

– MS URLScan is a tool that checks URI values to determine whether the URI is safe.

• Safe URI: objects with extension *.htm, *.txt, *.jpg, *.html, *.gif, …

R#  Src Address  Dst Address      Src Port  Dst Port  Proto  Method  URI                                                               Action
1   *            157.159.226.132  >1024     80        HTTP   GET     *.htm | *.txt | *.jpg | *.html | *.gif | *.jpeg | *.asp | *.cdx  Permit
2   *            157.159.226.132  >1024     80        HTTP   HEAD    *.htm | *.txt | *.jpg | *.html | *.gif | *.jpeg | *.asp | *.cdx  Permit


Page 42

Need for normalization

• Example: HTTP.

– URI standard definition.

• Every object can be designated using several different URIs:

http://www/index.html

http://www.int-evry.fr/index.html

http://www.int-evry.fr/

http://www/%69%6E%64%65%78%2E%68%74%6D%6C

http://www/index.%68%74%6D%6C

– You don’t want to express all possibilities in an access control policy.

– Need to obtain a non ambiguous version of URIs.


Page 43

Limits for normalization (1)

• Example: HTTP.

– IIS v4, v5.

• Doesn’t handle capitalization (not compliant with HTTP standards):

Test.bat = TEST.BAT = test.bat

– Other web servers

• Handle capitalization correctly.

– Problem:

• We want to protect file PASSWORD.TXT.

R#  Src Address  Dst Address      Src Port  Dst Port  Proto  Method  URI           Action
1   *            157.159.226.132  >1024     80        HTTP   GET     PASSWORD.TXT  Deny

• GET http://www/password.txt is not matched by this rule, although IIS serves the same file. The rule has to cover every capitalization:

R#  Src Address  Dst Address      Src Port  Dst Port  Proto  Method  URI                                            Action
1   *            157.159.226.132  >1024     80        HTTP   GET     [Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd].[Tt][Xx][Tt]  Deny

Page 44

Limits for normalization (2)

• Example: HTTP.

– IIS v4,5.

• Doesn’t handle normalization correctly (not compliant with HTTP standards); the three requests below are equivalent:

GET /msadc/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir.exe

GET /msadc/..%5c../..%5c../winnt/system32/cmd.exe?/c+dir.exe

GET /msadc/..\../..\../winnt/system32/cmd.exe?/c+dir.exe


• Permits access to any file on the local file system.
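The normalization that pages 42-44 call for, combined with the method/URI rules of pages 40, 41 and 43, as an added example (not code from the course or from URLScan): the path is percent-decoded until it stops changing (counting the rounds, so %255c is caught as double encoding), backslashes are unified, case is folded when the server ignores it as IIS does, dot segments are resolved, and only then is the rule applied. normalize_uri, decide and NormalizedURI are this example's own names.

```python
"""URI normalisation before application-level policy matching (pages 40-44).
Added example, not the course's own code: the request path is decoded until
stable (so %255c, %5c and '\\' all surface as the same character and double
encoding is counted), backslashes are unified, case is folded when the
server ignores it (IIS, page 43), and dot segments are resolved so that a
rule can be written once.  The '/' -> default document mapping is server
configuration and deliberately left out."""
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit


@dataclass
class NormalizedURI:
    path: str            # canonical absolute path, e.g. "/index.html"
    decode_rounds: int   # 2 or more means the request was double encoded
    escapes_root: bool   # a ".." tried to climb above "/"


def normalize_path(raw_path: str, fold_case: bool) -> NormalizedURI:
    path, rounds = raw_path, 0
    while True:                      # decode until nothing changes
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    path = path.replace("\\", "/")   # IIS treats '\' as a separator
    if fold_case:
        path = path.lower()
    segments, escapes = [], False
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            else:
                escapes = True       # traversal above the document root
            continue
        segments.append(seg)
    return NormalizedURI("/" + "/".join(segments), rounds, escapes)


def normalize_uri(uri: str, fold_case: bool = True) -> NormalizedURI:
    """Accepts an absolute URI or a bare request path; the query is ignored."""
    return normalize_path(urlsplit(uri).path, fold_case)


SAFE_EXT = (".htm", ".txt", ".jpg", ".html", ".gif", ".jpeg", ".asp", ".cdx")
PROTECTED = "/PASSWORD.TXT"          # rule 1 of page 43


def decide(method: str, uri: str, server_folds_case: bool = True) -> str:
    """Pages 41 and 43 policy applied to the normalised request."""
    n = normalize_uri(uri, fold_case=server_folds_case)
    if n.escapes_root or n.decode_rounds > 1:
        return "Deny"                # page 44: traversal or double encoding
    target = PROTECTED.lower() if server_folds_case else PROTECTED
    if n.path == target:
        return "Deny"
    if method in ("GET", "HEAD") and n.path.endswith(SAFE_EXT):
        return "Permit"
    return "Deny"                    # e.g. POST (page 40) or an unsafe extension


if __name__ == "__main__":
    for u in ("http://www/index.html", "http://www/%69%6E%64%65%78%2E%68%74%6D%6C",
              "http://www/index.%68%74%6D%6C", "http://www/password.txt",
              "/msadc/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir.exe"):
        print(f"{u:62} -> {normalize_uri(u)}  GET: {decide('GET', u)}")
```

The three spellings of index.html on page 42 normalize to the same path, and the page 44 request is denied twice over: it needed two decoding rounds and its ".." segments climb out of the document root.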

Page 45

Application level Filtering policies limitations

• Layering/obfuscation.

– Developers/designers use layering to hide application behavior:

• E.g. SOAP over HTTP. From Microsoft documentation:

“Since SOAP relies on HTTP as the transport mechanism, and most firewalls allow HTTP to pass through, you'll have no problem invoking SOAP endpoints from either side of a firewall.”

• E.g. IP over DNS/HTTP/“whatever is not blocked”.

– Developers/designers use encryption to hide application data:

• E.g. SSL.

– If eavesdropping is so important, why can you log in with non-SSL web servers at most online merchants (try amazon or ebay)?

– In the 2006 annual FBI survey, password sniffing accounts for 1% of the losses caused by viruses.


Page 46

Application level filtering policies: limitations

• Lack of strong specification/implementation diversity.

– How to determine the nature of transported data?

• E.g. HTTP: GET text.pdf

– text.pdf can be in PDF format or in any other format.

– Looking at specific header fields (%PDF-1.X) helps, but the rest of the data can be inconsistent with the header.

– Some formats have only weak type indicators (e.g. Bitmap: the two bytes "BM").

– Some formats do not have a fixed structure (e.g. streaming data).

– Most applications/data sources have no specification, or a non-public one.

• E.g. MS Word?

– Some applications use anti-analysis techniques to prevent users from understanding their operation:

• E.g. Skype, from the EADS analysis:

– Encrypted code, anti-debugger tests, hidden function calls.

– Uses RC4 for signaling, AES for VoIP packets.

Application level filtering policies: limitations

• Computational complexity/decidability.

– In general, many security-related questions are undecidable (they reduce to the halting problem):

• Is program x going to access address 0x45852285 or not?

• Is program x going to overflow buffer y or not?

• Does program x include a virus?

• Is program x going to stop?

– Even restricted sub-cases provide limited help:

• Type-safe languages (e.g. Java) guarantee:

– Type safety (values are only manipulated by operations defined for their type).

– Memory safety (memory accesses are performed at valid locations).

– Control flow safety (jumps or calls are always made to valid locations).

• Result:

– Safe Java programs can be rejected as unsafe (the check has to be conservative).

– Unsafe Java programs can exploit vulnerabilities in the JVM and be declared safe.

Inter-layer relationships

• From upper layers to lower layers.

• Example: FTP.

– Control connection

• Established by the client (port >1024) to the server (port 21).

– Data connection (active mode)

• Established by the server (port 20) to the address and port provided by the client on the control connection:

PORT A1, A2, A3, A4, P1, P2

(address A1.A2.A3.A4, port P1*256+P2, as defined by RFC 959). A network level filter therefore cannot know in advance which internal port the incoming data connection will target.

Figure (example network): two filtered networks connected to the Internet. Filter A protects 157.159.226.0/25 (SSH server 157.159.226.5, FTP client 157.159.226.11 using port 1221). Filter B protects 157.159.226.128/25 (HTTP server 157.159.226.132, host 157.159.226.131).

Inter-layer relationships

• Example: FTP.

• Network level access control policy on filter A (Itf = interface on which the rule is applied, here the internal one; Dir In = packet entering the filter from the internal network, Out = packet leaving the filter toward the internal network):

R# Itf Dir Proto Src Addr. Dst Addr Src Port Dst Port Flag Action
1.1 Int In TCP 157.159.226.0/25 * >1024 21 Syn Permit
1.2 Int In TCP 157.159.226.0/25 * >1024 21 Ack Permit
1.3 Int In TCP 157.159.226.0/25 * >1024 21 Fin Permit
1.4 Int In TCP 157.159.226.0/25 * >1024 20 Ack Permit
1.5 Int In TCP 157.159.226.0/25 * >1024 20 Fin Permit
2.1 Int Out TCP * 157.159.226.0/25 21 >1024 Ack Permit
2.2 Int Out TCP * 157.159.226.0/25 21 >1024 Fin Permit
2.3 Int Out TCP * 157.159.226.0/25 20 >1024 Syn Permit
2.4 Int Out TCP * 157.159.226.0/25 20 >1024 Ack Permit
2.5 Int Out TCP * 157.159.226.0/25 20 >1024 Fin Permit

Rule 2.3 allows any external device to open a connection to any port >1024 on any internal device, simply by using source port 20!

Inter-layer relationships

• Example: FTP.

– Analyze the control connection to build the network level policy.

– Initial access control policy (control connection only):

R# Itf Dir Proto Src Addr. Dst Addr Src Port Dst Port Flag Action
1.1 Int In TCP 157.159.226.0/25 * >1024 21 Syn Permit
1.2 Int In TCP 157.159.226.0/25 * >1024 21 Ack Permit
1.3 Int In TCP 157.159.226.0/25 * >1024 21 Fin Permit
2.1 Int Out TCP * 157.159.226.0/25 21 >1024 Ack Permit
2.2 Int Out TCP * 157.159.226.0/25 21 >1024 Fin Permit

– When receiving PORT A1, A2, A3, A4, P1, P2 on the control connection to server 134.126.144.12, add rules for that single data connection:

R# Itf Dir Proto Src Addr. Dst Addr Src Port Dst Port Flag Action
1.4 Int In TCP A1.A2.A3.A4 134.126.144.12 P1,P2 20 Ack Permit
1.5 Int In TCP A1.A2.A3.A4 134.126.144.12 P1,P2 20 Fin Permit
2.3 Int Out TCP 134.126.144.12 A1.A2.A3.A4 20 P1,P2 Syn Permit
2.4 Int Out TCP 134.126.144.12 A1.A2.A3.A4 20 P1,P2 Ack Permit
2.5 Int Out TCP 134.126.144.12 A1.A2.A3.A4 20 P1,P2 Fin Permit

Overview

• Introduction.

• The Network Level.

• The Circuit Level.

• The Application Level.

• Firewall Architectures.

Need to control traffic at multiple levels

• Why upper level tools are needed.

– Lower level tools are not able to analyze upper level protocols.

• Network level filters are unable to analyze application traffic…

• Why lower level tools are needed.

– Some lower level parameters are not available at upper levels.

• The incoming interface cannot easily be retrieved through the socket layer.

– Lower level tools are usually simpler.

• The original packet filters were less than 1000 lines of C.

• Simple is safe (the matchstick men).

– Lower level tools are usually more efficient.

• Usually implemented in the kernel (no copying of packets to user space).

• Mechanisms are simpler.

• Order of magnitude: packet filtering ~ 100 Gb/s, proxying ~ 100 Mb/s.

Need to control traffic at multiple levels

• Why lower level tools are needed (continued).

– Upper level tools are not always able to handle all upper level protocols.

• Need for generic mechanisms.

– Upper level analysis must be based on sane information.

• Hackers can use lower level vulnerabilities to provide upper level tools with

• Example: the fragmentation slide.

– Redundancy improves security.

• Simple (trusted) tools can be used to protect more complex tools.

• Failsafe architecture.

– Failure/subversion of one filtering component must give minimal benefit to the attacker.

Basic architectures

• Terminology

Figure (left): a packet filter acting as screening router between the Internet and 157.159.226.0/26 (SSH server 157.159.226.5, host 157.159.226.11).

Figure (right): a circuit/application-level proxy acting as dual-homed gateway between the Internet and 157.159.227.0/26 (SSH server 157.159.227.5, host 157.159.227.11).

Basic architectures

• Terminology

Figure: screened subnet/DMZ. Internet -> external router (screening router) -> screened subnet 157.159.226.0/25 hosting the bastion host -> internal router (screening router) -> internal network 157.159.226.128/25 (SSH server 157.159.226.135, host 157.159.226.131).

Some variations

• Merging internal/external routers.

Figure: a single internal/external screening router with three interfaces: Internet, screened subnet/DMZ 157.159.226.0/25 (bastion host), internal network 157.159.226.128/25 (SSH server 157.159.226.135, host 157.159.226.131).

• Merging all filtering devices.

Figure: a single screening router that also acts as bastion host, between the Internet and 157.159.226.128/25 (SSH server 157.159.226.135, host 157.159.226.131).

Some variations

• Using helper servers.

Figure (top): internal/external screening router; screened subnet/DMZ 157.159.226.0/25 hosting HTTP and email helper servers and an anti-virus server; internal network 157.159.226.128/25 with an HTTP client 157.159.226.135 and an email client 157.159.226.131.

Figure (bottom): same layout, with an authentication server in the DMZ in place of the anti-virus server.

Filtering incoming traffic

• Using a reverse proxy server.

Figure: an HTTP client on the Internet; internal/external screening router; screened subnet/DMZ 157.159.226.0/25 hosting a reverse HTTP proxy; internal network 157.159.226.128/25 with the HTTP server 157.159.226.135. The external client only ever talks to the reverse proxy, which forwards the filtered request to the internal HTTP server.

Performance improvements

• Using application specific proxies.

Figure: internal/external screening router; screened subnet/DMZ 157.159.226.0/25 hosting one proxy per application (FTP, HTTP, Email, DNS); internal network 157.159.226.128/25 (SSH server 157.159.226.135, host 157.159.226.131).

• Using load balancing.

Figure: Internet, load balancer, screening router; four HTTP proxies in the screened subnet/DMZ 157.159.226.0/25 share the load; internal network 157.159.226.128/25 (SSH server 157.159.226.135, host 157.159.226.131).

Control improvements

• Access control distribution.

– Policy differentiation between sub-components.

– Internal communications control.

– Limits address spoofing possibilities.

Figure: nested perimeters, from the Internet inward: site perimeter, working group perimeter, end device perimeter, each with its own filtering.

Existing products

• SSAC survey, September 2007 (firewall support for IPv6).

– 42 vendors, 81 products.

Share of products offering each filtering level:

Filtering level           IPv4   IPv6
Stateless packet filter    95%    29%
Circuit level filter       90%    24%
Application level filter   81%    17%

Share of IPv4 products offering each filtering level, by market segment (SOHO = small office/home office, SMB = small and medium business, LE/SP = large enterprise/service provider):

Filtering level           SOHO   SMB   LE/SP
Stateless packet filter    93%   92%   100%
Circuit level filter       83%   92%    95%
Application level filter   74%   77%    93%