Filtering An Introduction
Olivier Paul
RST department, TSP
Overview
• Introduction.
• The Network Level.
• The Circuit Level.
• The Application Level.
• Firewall Architectures.
Introduction
• Some history:
– 80s:
• Intense activity around system security.
– Security based on formal proofs.
– Classification based on the amount of code proved: Orange Book.
– End of 80s:
• Changes in the computing world.
– Mainframe -> micro-computers.
– Users have control of their own computing environment.
• Changes in the networking world.
– Centralized -> distributed.
– Telecommunication-based protocols -> TCP/IP.
Introduction
Application
Architectures
Network
Circuit
Introduction
• Some history:
– End of 80s:
• Trust models revisited.
– Models based on formal proofs too expensive (D. Denning, 92):
» Development lasted years.
» By the time the OS was developed, the hardware was obsolete.
» Often insecurely managed.
– Result: most systems do not use formally proved software.
– New notion of trust:
» Trust through simplicity (trust what you understand).
» Trust through wide use and testing (trust what works).
– Not every computer can be trusted.
Introduction
• Some history:
– Not every computer can be trusted:
• TCP/IP protocols were not designed with security in mind.
• Most computers use OSes that pay little attention to security.
• Most users have little knowledge in terms of security.
• Networked devices present a new avenue for hackers.
– Protect weak devices.
• Improve security without changing:
– Users.
– OSes, protocols.
• Notion of security perimeter.
– Trusted entities: inside.
– Untrusted entities: outside.
[Figure: the Internet outside and the trusted network inside a security perimeter, with a firewall at the boundary.]
Introduction
• How to separate the outside from the inside?
– Firewall (1990).
• Controls all traffic crossing the perimeter.
• Its behavior must be incorruptible.
– First filters:
• Packet filters (Jeff Mogul, DEC, 1989).
– Ability to control communications based on TCP/IP information.
– Packet based: the decision is taken per packet.
– Implemented on Cisco devices in 1989.
Introduction
• How to separate the outside from the inside?
– First filters:
• Circuit-level proxy (Bill Cheswick, AT&T, 1990).
– Limitations of packet filters:
» Not able to record information about connections.
» Either allow or deny external users to connect to internal devices.
– Must provide the ability to connect while limiting an attacker's ability to take advantage of it.
– Associates authentication information with communication information.
– Splits TCP connections into two halves:
» The proxy acts as a server for the client.
» The proxy acts as a client for the server.
– Maintains information about connections.
– Acts as an entry point with limited capabilities for external users.
– Ability to control communications based on TCP/IP information.
Introduction
• How to separate the outside from the inside?
– First filters:
• Application-level proxy (Marcus Ranum, DEC, 1992).
– Limitations of circuit-level proxies:
» Not able to record information about applications.
» Not able to manage the security policy of internal applications.
» Not able to detect application-level vulnerabilities.
– Keeps the general scheme of proxies (two connections, recorded information, authentication).
– But adds application-specific processing:
» http-gw, telnet-gw, ftp-gw, …
» Each proxy requires an application-specific policy.
Introduction
• Type of filter / default policy action:
– Everything that is not permitted is denied.
• The filtering policy allows what is known to be legitimate traffic/behavior.
• Benefits:
– Knowledge about what is legitimate can be partially obtained from specifications.
– No need to know existing attacks.
• Drawbacks:
– Implementations != specification.
– Legitimacy sometimes cannot be determined.
– Everything that is not denied is permitted.
• The filtering policy blocks what is known to be an attack/illegitimate behavior.
• Benefit:
– Often results in simpler implementations.
• Drawback:
– Requires up-to-date knowledge of such behaviors.
Introduction
• Type of filter / default policy action:
[Figure: two Venn diagrams comparing what the policy defines (traffic defined as legitimate in the positive model, traffic defined as attacks in the negative model) with the true attacks. Where the two sets do not coincide, each model either blocks legitimate traffic or misses attacks.]
Introduction
• Type of filter / stateful aspect:
– Stateless.
• Analyses each data unit on the fly, without consideration for what was received previously.
• Benefits: fewer resources needed; immune to resource depletion attacks.
• Drawbacks:
– Impossible to implement policies where the data to analyze is carried over several data units.
– Attackers can disguise their actions.
– Stateful.
• Keeps information about data units received in the past in order to take a filtering decision.
• Benefits:
– Can solve data fragmentation issues.
– Can counter some masquerading attacks.
• Drawback: more resources needed.
Introduction
• Type of filter / stateful aspect:
[Figure: taxonomy of filters: stateless or stateful; stateful filters are further divided into blocking and non-blocking.]
Network example
[Figure: example network used in the rest of the lecture: the Internet, Filter A, Filter B, the subnet 157.159.226.128/25 (HTTP server 157.159.226.132, host 157.159.226.131) and the subnet 157.159.226.0/25 (SSH server 157.159.226.5, host 157.159.226.11).]
Overview
• Introduction.
• The Network Level.
• The Circuit Level.
• The Application Level.
• Firewall Architectures.
Network level Filter
• Overview
[Figure: block diagram of a network level filter. Incoming packets from the external interface go through fragment management and packet classification; the classifier matches the IP/transport headers against the filtering policy, and authorized packets are forwarded to the internal interface.]
Filtering Policy
R# Itf Dir Proto Src Addr. Dst Addr Src Port Dst Port Action
1 Ext In TCP 157.159.226.0/25 157.159.226.132 >1024 80 Permit
2 Ext Out TCP 157.159.226.132 157.159.226.0/25 80 >1024 Permit
3 Int In TCP 157.159.226.132 157.159.226.0/25 80 >1024 Permit
4 Int Out TCP 157.159.226.0/25 157.159.226.132 >1024 80 Permit
Annotations on the table: the address columns hold prefixes or addresses and the port columns a value or a range, all taken from fields of the IP packet; R# is the priority of the rule. The policy permits access from 157.159.226.0/25 to the HTTP server.
Rule priority example:
Src Port Dst Port Action
>1024 1025 Permit
1025 >1024 Deny
A packet with source port 1025 and destination port 1025 matches both rules; the rule priority decides which action applies.
[Figure: the example network, as above.]
R# Itf Dir Proto Src Addr. Dst Addr Src Port Dst Port Action
1 Ext In TCP 157.159.226.0/25 157.159.226.132 >1024 80 Permit
2 Ext Out TCP 157.159.226.132 157.159.226.0/25 80 >1024 Permit
3 Int In TCP 157.159.226.132 157.159.226.0/25 80 >1024 Permit
4 Int Out TCP 157.159.226.0/25 157.159.226.132 >1024 80 Permit
So is everything permitted?
Side effects
[Figure: the example network, with a Telnet server 157.159.226.6 listening on port 1048 added to the subnet 157.159.226.0/25.]
R# Itf Dir Proto Src Addr. Dst Addr Src Port Dst Port Action
1 Ext In TCP 157.159.226.0/25 157.159.226.132 >1024 80 Permit
2 Ext Out TCP 157.159.226.132 157.159.226.0/25 80 >1024 Permit
3 Int In TCP 157.159.226.132 157.159.226.0/25 80 >1024 Permit
4 Int Out TCP 157.159.226.0/25 157.159.226.132 >1024 80 Permit
Clients on the HTTP server using port 80 can talk to the Telnet server!
Limiting the problem with TCP flags
[Figure: the example network, with the Telnet server 157.159.226.6, port 1048.]
R# Itf Dir Proto Src Addr. Dst Addr Src Port Dst Port Flag Action
1.1 Ext In TCP 157.159.226.0/25 157.159.226.132 >1024 80 Syn Permit
1.2 Ext In TCP 157.159.226.0/25 157.159.226.132 >1024 80 Ack Permit
1.3 Ext In TCP 157.159.226.0/25 157.159.226.132 >1024 80 Fin Permit
2.1 Ext Out TCP 157.159.226.132 157.159.226.0/25 80 >1024 Ack Permit
2.2 Ext Out TCP 157.159.226.132 157.159.226.0/25 80 >1024 Fin Permit
Reducing the size of the policy with deny
[Figure: the example network, with the Telnet server 157.159.226.6, port 1048.]
R# Itf Dir Proto Src Addr. Dst Addr Src Port Dst Port Flag Action
1.1 Ext In TCP 157.159.226.0/25 157.159.226.132 >1024 80 * Permit
2.1 Ext Out TCP 157.159.226.132 157.159.226.0/25 80 >1024 Ack Permit
2.2 Ext Out TCP 157.159.226.132 157.159.226.0/25 80 >1024 Syn Deny
2.3 Ext Out TCP 157.159.226.132 157.159.226.0/25 80 >1024 * Permit
Other filtering parameters
• IP options
– RR, Timestamp: expose the internal network architecture.
– Source routing: allows hackers to control the path followed by packets.
• Flag combinations / absence of flags
– Used in several types of attacks to exploit vulnerabilities.
• ICMP type and code
– Redirect.
• Fragmentation related
– Offset, total size, More Fragments and Don't Fragment bits.
IP Fragmentation Reminder
[Figure: an IP packet of Total Length 1000 (ID=1234, M=0, OFF=0) crosses a link with MTU=596 and is split into two fragments carrying the same ID=1234: the first with TL=596, M=1, OFF=0 and the second with TL=444, M=0, OFF=72 (the offset counts 8-byte units: 72 x 8 = 576 bytes of data in the first fragment).]
Problems with fragmentation
[Figure: a TCP packet (src port 80, dst port 1025, Flag = SYN, TL=1000, ID=1234) arrives as two fragments: a first fragment (TL=180, M=1, OFF=0) that carries no TCP header, and a last fragment (TL=40, M=0, OFF=20) that carries the TCP header with the SYN flag.]
• Missing information
[Figure: the same packet split so that the ports (src 80, dst 1025) are in the first fragment (TL=180, M=1, OFF=0) while Flag = SYN is in a non-first fragment (TL=40, M=0, OFF=1). The Syn condition of the rules below cannot be evaluated on the fragment that carries the ports.]
R# Itf Dir Proto Src Addr. Dst Addr Src Port Dst Port Flag Action
2.1 Ext Out TCP 157.159.226.132 157.159.226.0/25 80 >1024 Ack Permit
2.2 Ext Out TCP 157.159.226.132 157.159.226.0/25 80 >1024 Syn Deny
2.3 Ext Out TCP 157.159.226.132 157.159.226.0/25 80 >1024 * Permit
Problems with fragmentation
• Overlapping fragments
[Figure: two fragments with ID=1234 and M=1: the first (TL=40, OFF=0) carries the TCP header (src port 80, dst port 1025) with Flag = ACK; the second (TL=40, OFF=1) overlaps it and carries Flag = SYN. The filter evaluates the first fragment against the rules below and permits it as an Ack (rule 2.1), but the destination reassembles a packet (TL=1000, M=0, OFF=0) with Flag = SYN.]
R# Itf Dir Proto Src Addr. Dst Addr Src Port Dst Port Flag Action
2.1 Ext Out TCP 157.159.226.132 157.159.226.0/25 80 >1024 Ack Permit
2.2 Ext Out TCP 157.159.226.132 157.159.226.0/25 80 >1024 Syn Deny
2.3 Ext Out TCP 157.159.226.132 157.159.226.0/25 80 >1024 * Permit
• Inconsistent reassembly strategies
[Figure: the same two fragments reassembled by two stacks that keep different data for the overlapping bytes: one obtains Flag = ACK, the other Flag = SYN. Windows NT's strategy is called First, BSD's is called BSD.]
Overview
• Introduction.
• The Network Level.
• The Circuit Level.
• The Application Level.
• Firewall Architectures.
Circuit level Filter
• Overview
[Figure: block diagram of a circuit level filter. Incoming packets from the external interface pass through normalization and extraction of transport level information, then a state lookup and state checking against the filtering policy; authorized packets leave by the internal interface.]
Problems with static rules
[Figure: the example network, with the Telnet server 157.159.226.6, port 1048.]
R# Itf Dir Proto Src Addr. Dst Addr Src Port Dst Port Flag Action
1.1 Ext In TCP 157.159.226.0/25 157.159.226.132 >1024 80 * Permit
2.1 Ext Out TCP 157.159.226.132 157.159.226.0/25 80 >1024 Ack Permit
2.2 Ext Out TCP 157.159.226.132 157.159.226.0/25 80 >1024 Syn Deny
2.3 Ext Out TCP 157.159.226.132 157.159.226.0/25 80 >1024 * Permit
[Figure: a packet from 157.159.226.132, port 80 to 157.159.226.6, port 1048 with the ack flag set; it matches rule 2.1 although no connection was ever opened.]
Dynamic packet filtering
• Motivations
– Improve security
• Any static rule leaves a hole allowing an outsider to send information to inside devices.
• The larger the hole, the easier it is to find.
• A way to make the filtering process more restrictive is to base it (i.e. the definition of the hole) on knowledge only known to the two communicating parties.
– Examples:
» Connection existence.
» State in the state automaton.
» TCP sequence number.
[Figure: static rules leave a hole that is permanently open; dynamic rules open it dynamically, for the connection concerned.]
Circuit Level filtering
• Motivations
– Improve ease of use
– Simplify rule expression
• Static filters require good knowledge of IP subtleties.
• With dynamic packet filtering, the system takes care of the subtleties.
• The first rule allows the connection to get recorded.
• The other possible packets are deduced
– from the content of previous packets and
– from the initial rule.
– Simpler rules mean more secure filtering.
R# Itf Dir Proto Src Addr. Dst Addr Src Port Dst Port Keep State Action
1.1 Ext In TCP 157.159.226.0/25 157.159.226.132 >1024 80 Yes Permit
Circuit Level filtering
• Motivations
– Simplify rule expression
• Before Packet #1:
R# Itf Dir Proto Src Addr. Dst Addr Src Port Dst Port Keep State Action
1.1 Ext In TCP 157.159.226.0/25 157.159.226.132 >1024 80 Yes Permit
• After Packet #1 (a syn from 157.159.226.6, port 1025 to 157.159.226.132, port 80):
R# Itf Dir Proto Src Addr. Dst Addr Src Port Dst Port Keep State Action
1.1.1 Ext In TCP 157.159.226.6 157.159.226.132 1025 80 Permit
1.1.2 Int Out TCP 157.159.226.6 157.159.226.132 1025 80 Permit
1.1.3 Int In TCP 157.159.226.132 157.159.226.6 80 1025 Permit
1.1.4 Ext Out TCP 157.159.226.132 157.159.226.6 80 1025 Permit
1.1 Ext In TCP 157.159.226.0/25 157.159.226.132 >1024 80 Yes Permit
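Added example, not part of the lecture: a small Python model of the rule tables, running the static network level rules (1-4, then 1.1/2.1-2.3 with flags) and the keep-state rule 1.1 above against constructed packets. Addresses and ports are the slides' (HTTP server 157.159.226.132, Telnet server 157.159.226.6 on port 1048); the single-value Flag field and the state table keyed on the address/port 4-tuple are simplifications of mine.

```python
"""Rule-table packet filter modelled on the slides' tables (added example).
Static network level tables (rules 1-4, then 1.1/2.1-2.3 with flags) and the
keep-state rule 1.1 of this section run against constructed packets. Flag is
the single value the slides use: Syn (no ACK yet), Ack (ACK bit set) or Fin."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

# itf: "Ext"/"Int", the interface the packet is seen on; dir: "In"/"Out".
Packet = namedtuple("Packet", "itf dir src dst sport dport flag")
# Address fields: prefix, single address or "*"; ports: "80", ">1024" or "*";
# flag: "Syn", "Ack", "Fin" or "*"; keep_state marks the circuit level rule.
Rule = namedtuple("Rule", "num itf dir src dst sport dport flag action keep_state",
                  defaults=[False])

def addr_matches(pattern, addr):
    return pattern == "*" or ip_address(addr) in ip_network(pattern)

def port_matches(pattern, port):
    if pattern == "*":
        return True
    if pattern.startswith(">"):
        return port > int(pattern[1:])
    return port == int(pattern)

def matches(rule, pkt):
    return (rule.itf == pkt.itf and rule.dir == pkt.dir
            and addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)
            and port_matches(rule.sport, pkt.sport) and port_matches(rule.dport, pkt.dport)
            and rule.flag in ("*", pkt.flag))

class StatelessFilter:
    """Network level: the first matching rule wins (R# is the priority)."""
    def __init__(self, rules, default="Deny"):
        self.rules, self.default = rules, default
    def decide(self, pkt):
        for rule in self.rules:
            if matches(rule, pkt):
                return rule.action
        return self.default

class StatefulFilter(StatelessFilter):
    """Circuit level: a keep-state rule records the connection on its Syn; later
    packets of that connection, in either direction and on either interface, are
    permitted from the state table instead of from static rules (the 1.1.x rules)."""
    def __init__(self, rules, default="Deny"):
        super().__init__(rules, default)
        self.state = set()                      # (src, sport, dst, dport) of the opening Syn
    def decide(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if fwd in self.state or (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "Permit"
        for rule in self.rules:
            if matches(rule, pkt):
                if rule.keep_state and rule.action == "Permit" and pkt.flag == "Syn":
                    self.state.add(fwd)
                return rule.action
        return self.default

HTTP, NET0 = "157.159.226.132", "157.159.226.0/25"
STATIC = [Rule("1", "Ext", "In", NET0, HTTP, ">1024", "80", "*", "Permit"),
          Rule("2", "Ext", "Out", HTTP, NET0, "80", ">1024", "*", "Permit"),
          Rule("3", "Int", "In", HTTP, NET0, "80", ">1024", "*", "Permit"),
          Rule("4", "Int", "Out", NET0, HTTP, ">1024", "80", "*", "Permit")]
WITH_FLAGS = [Rule("1.1", "Ext", "In", NET0, HTTP, ">1024", "80", "*", "Permit"),
              Rule("2.1", "Ext", "Out", HTTP, NET0, "80", ">1024", "Ack", "Permit"),
              Rule("2.2", "Ext", "Out", HTTP, NET0, "80", ">1024", "Syn", "Deny"),
              Rule("2.3", "Ext", "Out", HTTP, NET0, "80", ">1024", "*", "Permit")]
KEEP_STATE = [Rule("1.1", "Ext", "In", NET0, HTTP, ">1024", "80", "*", "Permit", True)]

# Constructed packets. TELNET_* leave port 80 of the HTTP server for the Telnet
# server 157.159.226.6, port 1048 (the slides' side effect); CLIENT_SYN and
# SERVER_REPLY are a legitimate request from 157.159.226.6:1025 and its answer.
TELNET_SYN = Packet("Ext", "Out", HTTP, "157.159.226.6", 80, 1048, "Syn")
TELNET_ACK = Packet("Ext", "Out", HTTP, "157.159.226.6", 80, 1048, "Ack")
CLIENT_SYN = Packet("Ext", "In", "157.159.226.6", HTTP, 1025, 80, "Syn")
SERVER_REPLY = Packet("Ext", "Out", HTTP, "157.159.226.6", 80, 1025, "Ack")

def run_scenarios():
    static, flags = StatelessFilter(STATIC), StatelessFilter(WITH_FLAGS)
    stateful = StatefulFilter(KEEP_STATE)
    return {
        "static/telnet syn": static.decide(TELNET_SYN),         # Permit: the side effect
        "flags/telnet syn": flags.decide(TELNET_SYN),           # Deny by rule 2.2
        "flags/telnet ack": flags.decide(TELNET_ACK),           # Permit: the remaining hole
        "stateful/reply first": stateful.decide(SERVER_REPLY),  # Deny: nothing recorded yet
        "stateful/client syn": stateful.decide(CLIENT_SYN),     # Permit and record
        "stateful/reply": stateful.decide(SERVER_REPLY),        # Permit from state
        "stateful/telnet ack": stateful.decide(TELNET_ACK),     # Deny: no matching state
    }

if __name__ == "__main__":
    for name, action in run_scenarios().items():
        print(f"{name:22s} {action}")
```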
Protocol Particularities
• Inconsistent segment reassembly strategies.
[Figure: three overlapping TCP segments of one connection (src port 1024, dst port 80, Ack=8520, TTL=4; Seq 4130, 4133 and 4134; TL 44, 52 and 52; flags ACK or ACK, PSH) carrying the pieces GET «, secret.html» and « public.html». Depending on which segment's data the stack keeps for the overlapping bytes, the reassembled request is GET «secret.html» or GET «Public.html». Solaris's strategy is called Last, FreeBSD's is called BSD.]
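Added example, not from the lecture: the overlap policies named on the fingerprinting slide (First, Last, BSD, linux) applied both to the overlapping fragments of the previous section and to overlapping segments like the ones above. The BSD and linux definitions follow Shankar and Paxson's Active Mapping paper; all packets are constructed, and the segment sequence numbers are not the slide's.

```python
"""Overlapping data reassembly under the stack policies named on the slides (added example).
reassemble() merges chunks in arrival order; for a byte already in place, the policy decides
whether the stack keeps it or takes the newer data. Policy definitions follow Shankar and
Paxson's Active Mapping paper (cited on the fingerprinting slide). The same routine serves
IP fragments (chunk start = OFF * 8) and TCP segments (chunk start = sequence number).
All packets below are constructed; the segment sequence numbers are not the slide's."""
import struct
from dataclasses import dataclass

TCP_SYN, TCP_ACK = 0x02, 0x10

@dataclass(frozen=True)
class Chunk:
    start: int      # fragment offset in bytes (OFF * 8) or TCP sequence number
    data: bytes

def keep_original(policy, orig_start, new_start):
    """Does the stack keep the data already in place when a later chunk overlaps it?"""
    if policy == "First":
        return True                      # always the data received first
    if policy == "Last":
        return False                     # always the data received last
    if policy == "BSD":
        return orig_start <= new_start   # original wins unless the new chunk starts before it
    if policy == "linux":
        return orig_start < new_start    # original wins unless the new chunk starts at/before it
    raise ValueError("unknown policy %r" % policy)

def reassemble(chunks, policy):
    """Return the contiguous bytes from the lowest start; raise if a hole remains."""
    data, owner = {}, {}                 # position -> byte, position -> start of the writing chunk
    for c in chunks:
        for i, b in enumerate(c.data):
            pos = c.start + i
            if pos in data and keep_original(policy, owner[pos], c.start):
                continue
            data[pos], owner[pos] = b, c.start
    lo, hi = min(data), max(data)
    if len(data) != hi - lo + 1:
        raise ValueError("hole in reassembled data")
    return bytes(data[p] for p in range(lo, hi + 1))

def tcp_header(sport, dport, flags):
    """Minimal 20-byte TCP header; the flags byte is at offset 13."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)

def flags_seen_by_filter(first_fragment):
    """A stateless filter reads the flags from the first fragment only: None if absent."""
    return first_fragment.data[13] if len(first_fragment.data) > 13 else None

# Fragment scenario (ID=1234 on the slide): the first fragment carries a TCP header
# with ACK; a second fragment at OFF=1 (8 bytes) overlaps it and rewrites the flags
# byte to SYN; a last fragment completes the packet.
FRAG_FIRST = Chunk(0, tcp_header(80, 1025, TCP_ACK))
FRAG_OVERLAP = Chunk(8, tcp_header(80, 1025, TCP_SYN)[8:])
FRAG_TAIL = Chunk(20, b"payload after the header")

def reassembled_flags(policy):
    return reassemble([FRAG_FIRST, FRAG_OVERLAP, FRAG_TAIL], policy)[13]

# Segment scenario: "GET " then "secret.html", then a later segment with the same
# sequence number carrying "public.html" (the slide's two possible requests).
SEG_GET = Chunk(4130, b"GET ")
SEG_SECRET = Chunk(4134, b"secret.html\n")
SEG_PUBLIC = Chunk(4134, b"public.html\n")

def reassembled_request(policy):
    return reassemble([SEG_GET, SEG_SECRET, SEG_PUBLIC], policy)

if __name__ == "__main__":
    for policy in ("First", "Last", "BSD", "linux"):
        print(policy, hex(reassembled_flags(policy)), reassembled_request(policy))
```

The filter sees ACK in the first fragment whatever the destination does, which is why a filter can only be consistent with the destination if it knows (or constrains) the reassembly strategy in use.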
Protocol Particularities
• Other alternatives:
– Reaction to RST depending on the sequence number.
• Some stacks accept out-of-window RSTs.
• Others do not.
• Used to hide the rest of the connection.
– Use of wrong checksums.
• Used to introduce data between two packets to invalidate application-level signatures.
– Use of particular flag combinations.
• Same story.
– Many others.
Topological particularities
[Figure: the same three segments, except that the one carrying Public.html» is sent with TTL=3 while the others have TTL=4. With 3 hops between the filter and the destination, the filter sees GET «Public.html» while the short-lived segment expires before reaching the destination, which sees GET «secret.html».]
• Inconsistent view between the filter and the destination.
– 3 hops between the filter and the destination.
Application level particularities
• Inconsistent view between the filter and the destination.
[Figure: three segments (src port 1024, dst port 80, Ack=8520; Seq 4130, 4134 and 4140; TL 44, 46 and 52) carrying the pieces GET «, public and secret.html»; the segment carrying GET « has Flag = ACK, URG with Urg = 7, the one carrying public has Flag = ACK, PSH, the last one Flag = ACK. A receiver without a specific procedure for urgent data reassembles GET «publicsecret.html»; one applying the urgent data procedure obtains GET «secret.html».]
Fingerprinting
• Fingerprinting:
– Use OS specificities to infer the remote OS identity.
• Specificities:
– Some systems use specific TCP/IP protocol stacks.
– Most systems use specific TCP/IP protocol tuning.
• Once the OS is identified, hackers can restrict their attacks to the target OS's specific vulnerabilities.
• Examples:
– Fragment reassembly strategy.
– Segment reassembly strategy.
– Reaction to RST (in/out of sequence/window).
Example
• Active mapping: (Umesh Shankar, IEEE SSP, 2003)
OS Fragments Segments RST in Win RST out Win
AIX 4.3,8.9.3 BSD BSD Yes No
Cisco IOS Last BSD Yes No
FreeBSD BSD BSD Yes No
HP-UX 11.00 First BSD Yes Yes
IRIX64 6.4 BSD BSD Yes No
Linux 2.2.19-6.2.10smp linux BSD No No
Linux 2.4 (RedHat 7.1-7.3) linux BSD Yes No
MacOS (version unknown) First BSD Yes Yes
OpenBSD (version unknown) linux BSD No No
OpenVMS 7.1 BSD BSD Yes No
OS/2 (version unknown) BSD No result Yes Yes
OSF1 V4.0,5.0,5.1 BSD BSD Yes No
SunOS 4.1.4 BSD BSD Yes No
SunOS 5.5.1,5.6,5.7,5.8 First Last Yes No
Tru64 Unix V5.0A,V5.1 BSD BSD Yes No
Vax/VMS BSD BSD Yes No
Windows (95/98/NT4/W2K/XP) First BSD Yes No
Overview
• Introduction.
• The Network Level.
• The Circuit Level.
• The Application Level.
• Firewall Architectures.
Application level Filter
• Overview
[Figure: block diagram of an application level filter. Incoming packets from the external interface go through normalization and protocol analysis; the application-level information extracted is checked against the filtering policy (pattern matching, application protocol specific policies) together with state lookup and state checking; authorized packets leave by the internal interface.]
• Example: HTTP.
– We can no longer determine a field's semantics from its location in the packet.
Frame 4 (383 bytes on wire, 383 bytes captured)
Ethernet II, Src: 00:03:47:fa:f8:f6, Dst: 00:02:b3:af:d7:b5
Internet Protocol, Src Addr: 157.159.226.6, Dst Addr: 157.159.226.132
Transmission Control Protocol, Src Port: 2612, Dst Port: 80, Seq: 1, Ack: 1, Len: 329
Hypertext Transfer Protocol
GET / HTTP/1.0\r\n
Request Method: GET
Accept: image/gif, image/x-xbitmap, image/jpeg, */*\r\n
Accept-Language: fr\r\n
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461)\r\n
Host: calvin:80\r\n
Connection: Keep-Alive\r\n
\r\n
In each header line, the name gives the information element's semantics and the text after the colon gives its value.
Application protocol specific policy
• Example: HTTP.
– Regular expression conditions are used with text-oriented protocols.
– Lower level protocol values can be obtained through the socket interface.
R# Src Address Dst Address Src Port Dst Port Proto Method URI Action
1 * 157.159.226.132 >1024 80 HTTP POST * Deny
2 * 157.159.226.132 >1024 80 HTTP * *.htm | *.txt Permit
Annotations on the table: R# is the rule priority; the Method and URI columns name the information element (its semantics) and their content is a condition on its value (a regular expression). Example request: POST test.txt matches rule 1 (Method POST) and rule 2 (URI *.txt); the rule priority decides which action applies.
Application protocol specific vulnerabilities
• Example: HTTP.
– IIS v4, 5
• By default, allows remote execution of script files.
• By using a particular request format, shell commands can be executed.
• Example:
– GET http://www/scripts/file.bat+&+dir+c:/ HTTP/1.1
– Executes file.bat and dir c:/
– MS URLScan is a tool that checks URI values to determine whether a URI is safe.
• Safe URI: objects with extension *.htm, *.txt, *.jpg, *.html, *.gif, …
R# Src Address Dst Address Src Port Dst Port Proto Method URI Action
1 * 157.159.226.132 >1024 80 HTTP GET *.htm | *.txt | *.jpg | *.html | *.gif | *.jpeg | *.asp | *.cdx Permit
2 * 157.159.226.132 >1024 80 HTTP HEAD *.htm | *.txt | *.jpg | *.html | *.gif | *.jpeg | *.asp | *.cdx Permit
Need for normalization
• Example: HTTP.
– URI standard definition.
• Every object can be designated using several different URIs:
http://www/index.html
http://www.int-evry.fr/index.html
http://www.int-evry.fr/
http://www/%69%6E%64%65%78%2E%68%74%6D%6C
http://www/index.%68%74%6D%6C
…
– You don't want to express all possibilities in an access control policy.
– Need to obtain a non-ambiguous version of URIs.
Limits for normalization (1)
• Example: HTTP.
– IIS v4, 5.
• Doesn't handle capitalization (not compliant with HTTP standards):
Test.bat = TEST.BAT = test.bat
– Other web servers
• Handle capitalization correctly.
– Problem:
• We want to protect the file PASSWORD.TXT.
R# Src Address Dst Address Src Port Dst Port Proto Method URI Action
1 * 157.159.226.132 >1024 80 HTTP GET PASSWORD.TXT Deny
• GET http://www/password.txt is not matched by the rule but reaches the same file on IIS, so the rule has to cover every capitalization:
R# Src Address Dst Address Src Port Dst Port Proto Method URI Action
1 * 157.159.226.132 >1024 80 HTTP GET [Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd].[Tt][Xx][Tt] Deny
Limits for normalization (2)
• Example: HTTP.
– IIS v4, 5.
• Doesn't handle normalization correctly (not compliant with HTTP standards):
GET /msadc/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir.exe
GET /msadc/..%5c../..%5c../winnt/system32/cmd.exe?/c+dir.exe
GET /msadc/..\../..\../winnt/system32/cmd.exe?/c+dir.exe
• Permits access to any file on the local file system.
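Added example, not from the lecture: a URI normalizer for the HTTP filter, with the PASSWORD.TXT rule and a URLScan-like safe-extension policy taken from the slides and run against the encoded, backslash and case-varied requests shown above. The glob-to-regex compilation and the case-insensitive mode are my choices, not those of any product.

```python
"""URI normalization in front of an HTTP filtering policy, and where it stops helping
(added example, not from the slides). normalize() turns the many spellings of one object
into a single path: repeated percent-decoding (so ..%255c.. and ..%5c.. end up the same),
backslash to slash, dot-segment resolution and, when the server ignores case like IIS,
lower-casing. Policies are constructed from the slides' tables; only Method/URI are kept."""
import posixpath
import re
from urllib.parse import unquote, urlsplit

def normalize(uri, case_insensitive_server=False, max_decodes=3):
    """Canonical request path for an absolute URI or a bare path (the query is dropped)."""
    path = urlsplit(uri).path
    for _ in range(max_decodes):            # decode until stable: catches double encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")          # IIS accepted '\' as a path separator
    path = "/" + path.lstrip("/")           # exactly one leading slash (normpath keeps '//')
    path = posixpath.normpath(path)         # resolves '.', '..' and repeated slashes
    if case_insensitive_server:
        path = path.lower()                 # Test.bat = TEST.BAT = test.bat on IIS
    return path

def compile_policy(rules, case_insensitive_server=False):
    """rules: (method, uri_glob, action) in priority order; '*' is the tables' wildcard."""
    flags = re.IGNORECASE if case_insensitive_server else 0
    compiled = []
    for method, glob, action in rules:
        # Match the glob against the last path segment only.
        regex = "(^|/)" + re.escape(glob).replace(r"\*", "[^/]*") + "$"
        compiled.append((method, re.compile(regex, flags), action))
    return compiled

def decide(policy, method, uri, case_insensitive_server=False, default="Deny"):
    """First matching rule wins (R# is the priority); unmatched requests get the default."""
    path = normalize(uri, case_insensitive_server)
    for rule_method, regex, action in policy:
        if rule_method in ("*", method) and regex.search(path):
            return action, path
    return default, path

# Policies constructed from the slides' tables.
PROTECT_PASSWORD = [("GET", "PASSWORD.TXT", "Deny"), ("GET", "*.txt", "Permit")]
SAFE_OBJECTS = [("GET", "*.htm", "Permit"), ("GET", "*.html", "Permit"), ("GET", "*.txt", "Permit"),
                ("GET", "*.jpg", "Permit"), ("GET", "*.gif", "Permit")]

# The three spellings of the IIS traversal request shown on the slide, query included.
TRAVERSAL_REQUESTS = [
    "/msadc/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir.exe",
    "/msadc/..%5c../..%5c../winnt/system32/cmd.exe?/c+dir.exe",
    "/msadc/..\\../..\\../winnt/system32/cmd.exe?/c+dir.exe",
]

def traversal_forms():
    """All three spellings normalize to one path, so a single rule can cover them."""
    return {normalize(u) for u in TRAVERSAL_REQUESTS}

if __name__ == "__main__":
    print(traversal_forms())
    print(decide(compile_policy(SAFE_OBJECTS), "GET", TRAVERSAL_REQUESTS[0]))
    print(decide(compile_policy(PROTECT_PASSWORD), "GET", "http://www/password.txt"))
    print(decide(compile_policy(PROTECT_PASSWORD, True), "GET", "http://www/password.txt", True))
```

The case-sensitive PASSWORD.TXT rule still lets http://www/password.txt through; only the case-insensitive mode (or the character-class regex of the slide) closes that gap, and a default document such as http://www.int-evry.fr/ cannot be resolved from the URI alone.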
Application level Filtering policies limitations
• Layering/obfuscation.
– Developers/designers use layering to hide application behavior:
• E.g. SOAP over HTTP. From Microsoft documentation:
“Since SOAP relies on HTTP as the transport mechanism, and most firewalls allow HTTP to pass through, you'll have no problem invoking SOAP endpoints from either side of a firewall.”
• E.g. IP over DNS/HTTP/”whatever is not blocked”.
– Developers/designers use encryption to hide application data:
• E.g. SSL.
– If eavesdropping is so important, why can you log in to most online merchants over non-SSL web servers (try Amazon or eBay)?
– In the 2006 annual FBI survey, password sniffing accounts for 1% of the losses caused by viruses.
Application level Filtering policies limitations
• Lack of strong specification / implementation diversity.
– How to determine the nature of transported data?
• E.g. HTTP: GET text.pdf
– text.pdf can be in PDF format or any other format.
– Look at specific header fields (%PDF-1.X), but the rest of the data can be inconsistent.
– Some formats do not have clear document type indicators (e.g. Bitmap: “BM”).
– Some formats do not have fixed structures (e.g. streaming data).
– Most applications/data sources have no or non-public specifications.
• E.g. MS Word?
– Some applications use anti-analysis techniques to prevent users from understanding their operations:
• E.g. Skype, from the EADS analysis:
– Encrypted code, anti-debugger tests, hidden function calls.
– Uses RC4 for signaling, AES for VoIP packets.
Application level Filtering policies limitations
• Computational complexity/decidability.
– In general, many answers to security-related problems are not decidable.
• Is program x going to / not going to access address 0x45852285?
• Is program x going to / not going to overflow buffer y?
• Does program x include a virus?
• Is program x going to stop?
– Even restricted sub-cases provide limited help:
• Type-safe languages (e.g. Java):
– Type safety (data values are always manipulated by functions supporting them).
– Memory safety (memory accesses are performed at valid locations).
– Control flow safety (jumps or calls are always made to valid locations).
• Result:
– Safe Java programs can be rejected as unsafe.
– Unsafe Java programs can exploit vulnerabilities in the JVM and be declared safe.
Inter-layer relationships
• From upper layers to lower layers.
• Example: FTP.
– Control connection
• Established by the client (port >1024) to the server (port 21).
– Data connection
• Established by the server (port 20) to the address and port provided by the client:
PORT A1, A2, A3, A4, P1, P2
(A1, A2, A3, A4: address; P1, P2: port)
[Figure: the example network, with an FTP client 157.159.226.11 using port 1221 on the subnet 157.159.226.0/25.]
Inter-layer relationships
• Example: FTP.
• Network level access control policy on filter A:
R# Itf Dir Proto Src Addr. Dst Addr Src Port Dst Port Flag Action
1.1 Int In TCP 157.159.226.0/25 * >1024 21 Syn Permit
1.2 Int In TCP 157.159.226.0/25 * >1024 21 Ack Permit
1.3 Int In TCP 157.159.226.0/25 * >1024 21 Fin Permit
1.4 Int In TCP 157.159.226.0/25 * >1024 20 Ack Permit
1.5 Int In TCP 157.159.226.0/25 * >1024 20 Fin Permit
2.1 Int Out TCP * 157.159.226.0/25 21 >1024 Ack Permit
2.2 Int Out TCP * 157.159.226.0/25 21 >1024 Fin Permit
2.3 Int Out TCP * 157.159.226.0/25 20 >1024 Syn Permit
2.4 Int Out TCP * 157.159.226.0/25 20 >1024 Ack Permit
2.5 Int Out TCP * 157.159.226.0/25 20 >1024 Fin Permit
Allows any external device to open a connection to internal devices!
Inter-layer relationships
• Example: FTP.
– Analyze the control connection to build the network level policy.
– Initial access control policy:
R# Itf Dir Proto Src Addr. Dst Addr Src Port Dst Port Flag Action
1.1 Int In TCP 157.159.226.0/25 * >1024 21 Syn Permit
1.2 Int In TCP 157.159.226.0/25 * >1024 21 Ack Permit
1.3 Int In TCP 157.159.226.0/25 * >1024 21 Fin Permit
2.1 Int Out TCP * 157.159.226.0/25 21 >1024 Ack Permit
2.2 Int Out TCP * 157.159.226.0/25 21 >1024 Fin Permit
– When receiving PORT A1, A2, A3, A4, P1, P2 on the control connection to the server 134.126.144.12, add:
R# Itf Dir Proto Src Addr. Dst Addr Src Port Dst Port Flag Action
1.4 Int In TCP A1, A2, A3, A4 134.126.144.12 P1, P2 20 Ack Permit
1.5 Int In TCP A1, A2, A3, A4 134.126.144.12 P1, P2 20 Fin Permit
2.3 Int Out TCP 134.126.144.12 A1, A2, A3, A4 20 P1, P2 Syn Permit
2.4 Int Out TCP 134.126.144.12 A1, A2, A3, A4 20 P1, P2 Ack Permit
2.5 Int Out TCP 134.126.144.12 A1, A2, A3, A4 20 P1, P2 Fin Permit
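Added example, not from the lecture: parsing the client's PORT command and instantiating the rules 1.4, 1.5 and 2.3-2.5 of the table for the server 134.126.144.12. The client 157.159.226.11 (control port 1221, from the figure) and its PORT line are constructed, and the two sanity checks on the PORT arguments are my addition.

```python
"""Opening FTP data-connection rules from the control connection (added example).
The filter reads the client's PORT command on the control connection and instantiates
the slide's rules 1.4, 1.5 and 2.3-2.5 for that address and port only. Server address
134.126.144.12 is the slide's; the client and its PORT command are constructed."""
import re

PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")

def parse_port(line):
    """PORT A1,A2,A3,A4,P1,P2 -> ("A1.A2.A3.A4", P1*256 + P2), as defined by RFC 959."""
    m = PORT_RE.match(line)
    if m is None:
        raise ValueError("not a PORT command: %r" % line)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("PORT argument out of range: %r" % line)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def data_rules(client_addr, client_port, server_addr):
    """Rules of the 'When receiving PORT' table, in the slide's column order:
    R#, Itf, Dir, Proto, Src Addr, Dst Addr, Src Port, Dst Port, Flag, Action."""
    a, p, s = client_addr, str(client_port), server_addr
    return [
        ("1.4", "Int", "In", "TCP", a, s, p, "20", "Ack", "Permit"),
        ("1.5", "Int", "In", "TCP", a, s, p, "20", "Fin", "Permit"),
        ("2.3", "Int", "Out", "TCP", s, a, "20", p, "Syn", "Permit"),
        ("2.4", "Int", "Out", "TCP", s, a, "20", p, "Ack", "Permit"),
        ("2.5", "Int", "Out", "TCP", s, a, "20", p, "Fin", "Permit"),
    ]

def rules_for_port_command(line, control_client_addr, server_addr):
    """Derive the dynamic rules for one PORT command seen on the control connection.

    Two checks (added here, not on the slide) keep the hole as small as the slide
    intends: the data connection must go back to the client that issued the command,
    and to a port >1024, matching the >1024 condition of the static rules.
    """
    addr, port = parse_port(line)
    if addr != control_client_addr:
        raise ValueError("PORT address %s is not the control-connection client %s"
                         % (addr, control_client_addr))
    if port <= 1024:
        raise ValueError("PORT port %d is not >1024" % port)
    return data_rules(addr, port, server_addr)

# Constructed control connection: client 157.159.226.11:1221 -> server 134.126.144.12:21.
CONTROL_CLIENT = "157.159.226.11"
FTP_SERVER = "134.126.144.12"
PORT_LINE = "PORT 157,159,226,11,4,201\r\n"      # 4*256 + 201 = port 1225

if __name__ == "__main__":
    for rule in rules_for_port_command(PORT_LINE, CONTROL_CLIENT, FTP_SERVER):
        print(" ".join(rule))
```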
Overview
• Introduction.
• The Network Level.
• The Circuit Level.
• The Application Level.
• Firewall Architectures.
Need to control traffic at multiple levels
• Upper level tools.
– Lower level tools are not able to analyze upper level protocols.
• Network level filters are unable to analyze application traffic…
• Lower level tools.
– Some lower level parameters are not available at upper levels.
• The incoming interface cannot be easily retrieved through the socket layer.
– Lower level tools are usually simpler.
• The original packet filters had less than 1000 lines of C.
• Simple is safe (the matchstick men).
– Lower level tools are usually more efficient.
• Usually implemented in the kernel (no memory replication).
• Mechanisms are simpler.
• Packet filtering ~ 100Gb, proxying ~ 100Mb.
Need to control traffic at multiple levels
• Lower level tools.
– Upper level tools are not always able to handle all upper level protocols.
• Need for generic mechanisms.
– Need to base upper level analysis on sane information.
• Hackers can use lower level vulnerabilities to provide upper level tools with
• Example: fragmentation slide.
– Redundancy improves security.
• Simple (trusted) tools can be used to protect more complex tools.
• Failsafe architecture.
– Failure/subversion of a filtering component must lead to minimal benefits for the attacker.
Basic architectures
• Terminology
[Figure: a screening router (packet filter) between the Internet and the subnet 157.159.226.0/26 (SSH server 157.159.226.5, host 157.159.226.11); a dual-homed gateway (circuit/application-level proxy) between the Internet and the subnet 157.159.227.0/26 (SSH server 157.159.227.5, host 157.159.227.11).]
Basic architectures
• Terminology
[Figure: screened subnet/DMZ: an external router (screening router) facing the Internet, the screened subnet 157.159.226.0/25 holding the bastion host, and an internal router (screening router) in front of the internal subnet 157.159.226.128/25 (SSH server 157.159.226.135, host 157.159.226.131).]
Some variations
• Merging internal/external routers.
[Figure: a single internal/external screening router connects the Internet, the screened subnet/DMZ 157.159.226.0/25 (bastion host) and the internal subnet 157.159.226.128/25 (SSH server 157.159.226.135, host 157.159.226.131).]
• Merging all filtering devices.
[Figure: the bastion host itself acts as the screening router between the Internet and the subnet 157.159.226.128/25 (SSH server 157.159.226.135, host 157.159.226.131).]
Some variations
• Using helper servers.
[Figure: behind the internal/external screening router, the screened subnet/DMZ 157.159.226.0/25 holds an HTTP proxy and an anti-virus server; the internal subnet 157.159.226.128/25 holds an HTTP client 157.159.226.135 and an e-mail client 157.159.226.131.]
[Figure: the same layout with an authentication server in the DMZ in place of the anti-virus server.]
Filtering Incoming Traffic
• Using a reverse proxy server.
[Figure: an HTTP client on the Internet reaches a reverse HTTP proxy in the screened subnet/DMZ 157.159.226.0/25 through the internal/external screening router; the proxy forwards to the HTTP server 157.159.226.135 on the internal subnet 157.159.226.128/25.]
Performance improvements
• Using application specific proxies.
[Figure: the screened subnet/DMZ 157.159.226.0/25 holds separate FTP, HTTP and DNS proxies behind the internal/external screening router; the internal subnet 157.159.226.128/25 holds the SSH server 157.159.226.135 and host 157.159.226.131.]
• Using load balancing.
[Figure: a load balancer acting as the screening router distributes traffic over four HTTP proxies in the screened subnet/DMZ 157.159.226.0/25; internal subnet as above.]
Control improvements
• Access control distribution.
– Policy differentiation between sub-components.
– Internal communications control.
– Limits address spoofing possibilities.
[Figure: nested perimeters: the site perimeter towards the Internet, working group perimeters inside it, and end device perimeters around individual hosts.]
Existing products
• SSAC survey, September 07
– 42 vendors, 81 products.
IPv4 IPv6
Stateless packet filter 95% 29%
Circuit level filter 90% 24%
Application level filter 81% 17%
IPv4 SOHO SMB LE/SP
Stateless packet filter 93% 92% 100%
Circuit level filter 83% 92% 95%
Application level filter 74% 77% 93%