COMP3371 Cyber Security Richard Henson University of Worcester December 2015.


Page 1
COMP3371 Cyber Security
Richard Henson, University of Worcester
December 2015

Page 2
Week 12: Securing the TCP/IP stack

Objectives:
- Explain how stateless IP filtering can be a useful tool for protecting networks against hackers
- Discuss the limitations of stateless IP filtering and explain how some of these are overcome by the use of stateful IP filtering
- Summarise the various other techniques that can be used to combat data security threats

Page 3
Datagrams, Packets and the Transport Layer

- Transport layer datagram… up to 64K long
- IP layer & routing processes divide into smaller packets
- The IP packets have to be physically routed around the network
- It is the management of these that we will be concerned with in this lecture…
- When the packets reach their destination, packets need to be reassembled at the transport layer into the original datagram

Page 4
TCP and IP packets

[Diagram: a TCP packet (up to 64K) consisting of a header and payload (data), divided into IP packets (up to 768 bytes), each carrying extra header fields]

Page 5
More about IP packets

[Diagram: an IP packet consisting of a header (20 bytes) and payload (data), typically 768 bytes in total]

Page 6
Standard IP Packet Header

- Highly structured and organised into a series of fields so it can be easily read
- Lengths
  » Header
  » Whole packet
- Identification
- Fragment #
- TTL
- Protocol (TCP or UDP)
- Source IP Address
- Destination IP Address
- Options (e.g. source routing method)

Page 7
Stateless Packet Filtering

- packet header is read
  » If source IP address is suspect, packet is “dumped”
  » else packet is allowed through
- can be done quickly, and the packet body (or “payload”) doesn’t have to be processed in any way

Page 8
Stateful Packet Filters

- Stateless filters just read the header and act
  » do not read the payloads of packets
  » do not retain the current state of connections within the session
  » can’t filter TCP port numbers higher than 1024
- Stateful filters…
  » record session establishment info
  » remember the state of connections

Page 9
Stateless Packet Filters

- Use the IP header only
  » contains a lot of fields & their data
- A firewall can be configured to filter according to contents of various header fields:
  » Protocol type
  » IP address
  » TCP/UDP port
  » Source routing information
  » Fragment number

Page 10
Filtering by “Protocol Type”?

- Four possible values:
  » UDP
  » TCP
  » ICMP – Internet Control Message Protocol
  » IGMP – Internet Group Management Protocol
- Each protocol maps onto higher level protocols
  » filtering out one port can shut off a lot of services!
- Conclusion
  » Too general, not enough control
  » Advice: leave this field OPEN (no filtering)

Page 11
Filtering by IP address

- Normally focuses on the source IP address field:
  » can allow all IP addresses except…
  » or deny all IP addresses except…
- Latter an excellent way of safeguarding the local network…
  » would be unpopular as far as surfing the web is concerned!
- More flexible firewalls allow IP addresses to be restricted on a “per protocol” basis, e.g.
  » No IP address filtering on port 80
  » Only local IP addresses can use port 23

Page 12
IP Filtering by TCP/UDP port

- Also known as “protocol filtering”
- The Level 4 port field is a number, corresponding to a higher level protocol name
  » e.g. port 21: FTP
- Used in the same way as IP address filtering (allow… deny…)
- Problem: Fragmentation

Page 13
Fragmentation

- Large TCP packets are broken into a series of numbered IP fragments
- Only the first fragment (numbered 0) has a TCP/UDP port field
- Rest of fragments therefore can’t be filtered by protocol
- Earlier firewalls let them through because they are useless without the “parent” packet
  » however, there are instances whereby hackers have reassembled them
  » therefore higher fragment numbers in this category should also be filtered
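The header fields listed on Page 6, the header-only stateless filtering of Pages 7, 9 and 12, and the fragment problem on Page 13, worked through as an added Python example (not code from the lecture). It parses a constructed IPv4 packet, reads the Level 4 port only from fragment 0, and drops later fragments because their port cannot be checked; the addresses, blocked ports and the checksum of 0 are constructed test values.

```python
# Added example: IPv4 header parsing and a header-only (stateless) filter.
import ipaddress
import struct

PROTO_TCP, PROTO_UDP = 6, 17


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header; add the Level 4 ports only when
    this is fragment 0 of a TCP/UDP datagram (later fragments carry none)."""
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4                    # header length in bytes
    hdr = {
        "version": ver_ihl >> 4,
        "header_len": ihl,                        # "Lengths: header"
        "total_len": total_len,                   # "Lengths: whole packet"
        "id": ident,                              # Identification
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,       # Fragment #; 0 = first fragment
        "ttl": ttl,
        "proto": proto,                           # Protocol (TCP or UDP)
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "has_options": ihl > 20,                  # Options, e.g. source routing
    }
    if hdr["frag_offset"] == 0 and proto in (PROTO_TCP, PROTO_UDP):
        hdr["sport"], hdr["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    return hdr


def stateless_filter(packet: bytes, blocked_sources, blocked_ports) -> str:
    """Decide 'drop' or 'accept' from header fields only; the payload is never read."""
    hdr = parse_ipv4(packet)
    if hdr["src"] in blocked_sources:             # suspect source address
        return "drop"
    if hdr["has_options"]:                        # source routing: no legitimate use
        return "drop"
    if hdr["frag_offset"] != 0:                   # port invisible: filter it anyway
        return "drop"
    if hdr.get("dport") in blocked_ports:         # protocol (port) filtering
        return "drop"
    return "accept"


def build_packet(src, dst, proto, dport, frag_offset=0, more=False, payload=b"") -> bytes:
    """Construct a minimal test packet (checksum left as 0; constructed data)."""
    flags_frag = (0x2000 if more else 0) | frag_offset
    l4 = struct.pack("!HH", 40000, dport) if frag_offset == 0 else b""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0x1234,
                      flags_frag, 64, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + l4 + payload


if __name__ == "__main__":
    blocked_srcs = {"203.0.113.9"}               # constructed "suspect" address
    blocked_ports = {23, 139}                    # Telnet, NetBIOS
    for p in [build_packet("198.51.100.2", "192.168.1.10", PROTO_TCP, 80),
              build_packet("198.51.100.2", "192.168.1.10", PROTO_TCP, 23),
              build_packet("203.0.113.9", "192.168.1.10", PROTO_TCP, 80),
              build_packet("198.51.100.2", "192.168.1.10", PROTO_TCP, 80, 185, True)]:
        h = parse_ipv4(p)
        print(h["src"], h["frag_offset"], h.get("dport"), stateless_filter(p, blocked_srcs, blocked_ports))
```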

Page 14
IP Filtering by TCP/UDP port

- Certain protocols are favourites for hackers, e.g.:
  » Telnet
  » NetBIOS
  » POP3
  » NFS
  » Windows Terminal Services
- Should be blocked, unless being legitimately used to provide services

Page 15
Filtering by “Source Routing Information”

- This field gives information about the route taken by the packet
- Handled in two ways:
  » Loose source routing: only a small number of intermediate IP addresses
  » Strict source routing: provides an exact route
- However:
  » hackers can use source routing to confuse
  » no higher level protocols actually use source routing…

Page 16
Stateful IP filtering

- Using this more exhaustive technique:
  » the payload of a packet can also be read, thus the fingerprint of a virus or trojan can be identified
  » the firewall stores connection information in state tables
  » TCP ports above 1024 can be read and filtered out if required

Page 17
Stateful Filtering Strategy…

- Use to filter entire communication streams
- Do not allow any TCP services through EXCEPT:
  » those that are specifically allowed (e.g. port 80)
  » those that are part of connections that are still in the state tables
  » no entry in state table – drop packet!
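The strategy on Pages 16 and 17 as an added Python example (not code from the lecture): a state table keyed on the TCP connection, where a packet is accepted only if it opens an explicitly allowed service, opens an outbound connection from the internal network, or belongs to a connection already in the table; everything else is dropped. The internal prefix, allowed port and addresses are constructed assumptions.

```python
# Added example: a minimal stateful TCP filter driven by a state table.
from dataclasses import dataclass

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10      # TCP flag bits


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


class StatefulFilter:
    def __init__(self, internal_prefix: str, allowed_inbound_ports):
        self.internal = internal_prefix            # e.g. "192.168.1." (assumption)
        self.allowed = set(allowed_inbound_ports)  # services explicitly allowed
        self.table = {}                            # (src, sport, dst, dport) -> state

    def process(self, p: Packet) -> str:
        """Return 'accept' or 'drop' and update the state table."""
        k = (p.src, p.sport, p.dst, p.dport)
        r = (p.dst, p.dport, p.src, p.sport)       # the same connection, reply direction
        owner = k if k in self.table else r if r in self.table else None
        if owner is not None:
            # Part of a tracked stream: accepted regardless of port number,
            # which is how replies to ports above 1024 get through.
            if p.flags & (FIN | RST):
                del self.table[owner]              # connection torn down
            elif self.table[owner] == "SYN_SENT" and p.flags & ACK:
                self.table[owner] = "ESTABLISHED"
            return "accept"
        if p.flags & SYN and not p.flags & ACK:    # a new connection attempt
            outbound = p.src.startswith(self.internal)
            if outbound or p.dport in self.allowed:
                self.table[k] = "SYN_SENT"         # record session establishment
                return "accept"
        return "drop"                              # no entry in state table


if __name__ == "__main__":
    fw = StatefulFilter("192.168.1.", {80})
    demo = [  # constructed traffic
        Packet("192.168.1.20", 50000, "198.51.100.7", 443, SYN),        # outbound open
        Packet("198.51.100.7", 443, "192.168.1.20", 50000, SYN | ACK),  # reply, port 50000
        Packet("203.0.113.9", 4444, "192.168.1.20", 50000, ACK),        # unsolicited
        Packet("203.0.113.9", 40000, "192.168.1.10", 80, SYN),          # allowed service
        Packet("203.0.113.9", 40001, "192.168.1.10", 23, SYN),          # not allowed
    ]
    for p in demo:
        print(p.src, p.sport, "->", p.dst, p.dport, fw.process(p))
```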

Page 18
Internal Network Address Translation (NAT)

- Another potential way in for IP hackers
  » external packets undergo protocol translation before they can travel along the local network
  » this means an unfiltered port, e.g. 8080, can be changed to a filtered port, e.g. 23, and then passed to a local server…
- Trojan Horses use this strategy to hack through the firewall and get to the internal network

Page 19
Security-enhancing use of NAT

- NAT defined by the IETF as RFC #1631
- Converts local private IP addresses into globally unique public IP addresses that can be used on the Internet
  » provides opportunities for trojan horses
  » but… hides all TCP/IP information relating to the internal network from would-be hackers or anyone else on the Internet

Page 20
More about NAT

- Reduced the demand for IPv6 in the short term
- IANA RFC #1918 particular IP address ranges for private use:
  » 10.0.0.0 to 10.255.255.255
  » 172.16.0.0 to 172.31.255.255
  » 192.168.0.0 to 192.168.255.255
- single external IP address used for a 5000 computer network!

Page 21
Masquerading NAT

- Outbound packets are translated to the public/routable IP address of the firewall
  » called "masquerading" because all outbound connections appear to be originating on the firewall itself
- An app may need to be given a different source port (if the original port is already in use on the firewall)
- Inbound connections cannot be accepted because the firewall doesn't know which client to send them to

Page 22
Non-Masquerading NAT

- Each private IP address on a client has a corresponding public/routable IP address on the firewall
- NAT translation is done one-to-one between pairs of public and private IP addresses
- Port numbers remain unchanged
- Needed for protecting servers with the Logical Firewall (and is the type you get for clients you've specified to the rule generator)
- Inbound connections to clients are accepted via the client's public/routable IP address on the firewall
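The two NAT modes of Pages 21 and 22 as an added Python example (not code from the lecture). The masquerading table rewrites every outbound flow to the firewall's one public address, hands out a fresh source port when the client's port is already in use on the firewall, and returns None (drop) for inbound packets that match no mapping; the one-to-one table leaves ports alone and can deliver inbound connections. All addresses and the port range are constructed assumptions.

```python
# Added example: masquerading versus one-to-one (non-masquerading) NAT tables.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class MasqueradingNAT:
    def __init__(self, public_ip: str, first_free_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_free_port     # pool for reallocated source ports
        self.out = {}    # (client_ip, client_port) -> port used on the firewall
        self.back = {}   # firewall port -> (client_ip, client_port)

    def translate_outbound(self, p: Packet) -> Packet:
        key = (p.src, p.sport)
        if key not in self.out:
            port = p.sport
            while port in self.back:         # original port already in use: pick another
                port = self.next_port
                self.next_port += 1
            self.out[key] = port
            self.back[port] = key
        # Every outbound packet now appears to originate on the firewall itself.
        return replace(p, src=self.public_ip, sport=self.out[key])

    def translate_inbound(self, p: Packet):
        """Deliver a reply to the client it belongs to; None means drop."""
        if p.dst != self.public_ip or p.dport not in self.back:
            return None                      # no mapping: firewall cannot know the client
        client_ip, client_port = self.back[p.dport]
        return replace(p, dst=client_ip, dport=client_port)


class OneToOneNAT:
    """Each private address pairs with its own public address; ports unchanged."""
    def __init__(self, private_to_public: dict):
        self.priv_to_pub = dict(private_to_public)
        self.pub_to_priv = {pub: priv for priv, pub in private_to_public.items()}

    def translate_outbound(self, p: Packet) -> Packet:
        return replace(p, src=self.priv_to_pub[p.src])

    def translate_inbound(self, p: Packet):
        priv = self.pub_to_priv.get(p.dst)
        return None if priv is None else replace(p, dst=priv)   # inbound accepted


if __name__ == "__main__":
    nat = MasqueradingNAT("198.51.100.1")            # constructed public address
    print(nat.translate_outbound(Packet("192.168.1.20", 5555, "203.0.113.80", 80)))
    print(nat.translate_outbound(Packet("192.168.1.21", 5555, "203.0.113.80", 80)))
    print(nat.translate_inbound(Packet("203.0.113.80", 80, "198.51.100.1", 40000)))
    print(nat.translate_inbound(Packet("203.0.113.9", 4444, "198.51.100.1", 23)))  # None
    o2o = OneToOneNAT({"192.168.1.10": "198.51.100.10"})
    print(o2o.translate_inbound(Packet("203.0.113.9", 4444, "198.51.100.10", 80)))
```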

Page 23
Limitations of NAT

- NOT a panacea
  » does make the internal network invisible
  » STATIC translation can still be hacked!
- Avoid masquerading NAT, if possible
  » makes it look like the firewall itself is misbehaving if one of its clients misbehaves
  » increases the risk that the ISP will disconnect the firewall rather than the offending client!
  » Using non-masquerading NAT allows the ISP to identify and disconnect only the offending client

Page 24
Summary of Security Technologies covered…

- Local authentication/logon and denial of access security
- Privacy/Encryption
- PKI/Digital certificates/Secure Sockets Layer/Virtual Private Networks
- Global Authentication/Active Directory/DNS/Kerberos & Trusted Networks
- Network Protection/Firewalls/Packet Filtering

Page 25
Software Vulnerabilities and strategies for management

- All software should be thoroughly tested…
  » Takes time!
  » Time is money!!
  » Short-cuts are taken!!!

Page 26
Software Vulnerabilities and Exploitation

- Important for software bugs to be announced
  » problem: also informs black hats
  » solution: announce fix/patch at the same time
    » all users should download & install patches
    » close the vulnerability

Page 27
Vulnerabilities and Consequences

- System crashes can be the result of:
  » faulty components
  » dodgy, unpatched, software
  » software and hardware compromised by malicious software (malware), attacks by hackers, or employer misuse
- Essential for backup system to kick in to provide a service to customers while main system being fixed

Page 28
Human Vulnerabilities

- All IT systems use humans
- Therefore vulnerable to human frailty…
  » e.g. accidental deletion of a file may cause system to become unstable!
- Training can help (a lot…)
- As can procedures and penalties for infringement (even termination of contract)

Page 29
Best have a backup!

- Memory… motherboard… disk controller… hard disk… applications… CPU… even electricity supply!
- A backup for everything is expensive…
  » BUT… businesses need continuity (availability of IT systems nearly all the time)
  » otherwise may become ex-businesses!

Page 30
Dress Rehearsal

- Only one way to see whether backups all work… set up a disaster scenario
  » If systems are all backed up, recovery should be quick
  » else… system won’t restart
  » no service, no business?

Page 31
Information Assurance (IA)

- Three components required:
  » Effective infosec system (incl. monitoring)
  » Controls… (or “take the risk”)
    » for all potential vulnerabilities
    » number needed depends on complexity of system
  » Evidence that the controls are working… (established through auditing)
- Controls may take many forms: hardware, software, management, user

Page 32
IA Standards

- Many available
  » different standards fit different usage of IT
- Assignment 2 Presentation
  » choose an existing standard
  » state who it is aimed at and used by, and why appropriate for Partsfix
  » explain the controls set
  » explain the system that governs the controls and adherence to laws and regulations over time…
  » give some idea of cost of implementing it

Page 33
Auditing

- Essential process that avoids an organisation pressurising an assessor
  » evidence, not talk, required
  » system needs to build in auditing on a regular basis
    » takes time!
- May reveal “non-conformance” (NC)
  » No certification until most NCs identified and turned into conformances

Page 34
IA Certification

- Awarded through:
  » Auditing (ISO27001, IASME, PCI-DSS, etc.)
  » Self-assessment (Cyber Essentials)
- Why bother?