Lesson 7

Firewalls, VPNs, and Modem Security Lesson 07

Transcript of Lesson 7

Page 1: Lesson 7

Firewalls, VPNs, and Modem Security

Lesson 07

Page 2: Lesson 7

Filters and Firewalls

Filter -- a software program or device that monitors incoming and outgoing packets on a computer network to determine whether the packets should be allowed to enter or leave a computer system.

Firewall -- a network monitor or collection of monitors placed between an organization’s internal network and the Internet or between two local area networks.

Page 3: Lesson 7

Junk E-Mail Filters

Some ISPs attempt to filter junk e-mail because of:

– the extra load it places on servers
– the annoyance factor

Attempts to eliminate junk e-mail:

– check the “From” field or IP address against known spammers
– check whether it originated from a mail delivery agent frequently used by spammers

All approaches potentially eliminate valid (non-spam) e-mail.

Page 4: Lesson 7

Junk e-mail filters

Bright Light Technologies developed software that:

– seeds the Internet with thousands of e-mail addresses
– the addresses are picked up by spammer bots
– messages sent to these addresses go to Bright Light, which then develops a filter for them

ISPs that allow spammers to use their site can find all mail originating from it (valid or spam) blocked in response.

UUNet and Compuserve both had this happen to them.

Page 5: Lesson 7

Mail Abuse Prevention System (MAPS)

Maintains a list of networks friendly to spammers.

Page 6: Lesson 7

Mail Abuse Prevention System’s Realtime Blackhole List

Blackholing Due to Spam Origination (Then)

“The original focus of the Realtime Blackhole List (RBL) when it began operations in mid-1997 was on identifying the sources of dedicated, professional spammers. Over time, the success of the RBL forced abusers to resort to other channels for distributing spam such as third party relaying and direct-to-MX contacts. These countermeasures to our defenses, as well as newly emerging sources of abuse have made it necessary to modify our own strategies in response. We will describe the RBL strategies in its earliest days before discussing the more recent and more insidious forms of e-mail abuse MAPS is attempting to control.

When a professional spammer gets a leased line, we find out about it when they start spamming us, and we track down every network object they own and we blackhole all or nearly all of them. Mail servers, web servers, name servers, terminal servers, usenet servers -- everything. If a professional spammer owns it, we don't want it talking to us, no matter what the protocol.

When an ISP sells dialup or leased line connectivity to a spammer, we try really hard to get them to cancel the contract and strengthen their acceptable use policy (AUP) against future spammers. If they plead inability to break the contract (which is very common), but they are willing to tell us exactly which netblocks have been allocated to the spammers, we will blackhole only the spammer subnetblocks.”

Page 7: Lesson 7

Mail Abuse Prevention System’s Realtime Blackhole List

Blackholing Due to Spam Origination (Now)

“More recently, legitimate and respected businesses have stumbled into the spamming business. It is even more important to address unsolicited bulk email (UBE) from the Fortune 500 than it is to challenge UBE promoting multi-level marketing schemes.

When well-respected companies begin using UBE as part of their direct marketing campaigns, it is almost always the result of the mistaken attempt to apply direct mail and telephone marketing principles to e-mail. In practice, this means that businesses should never presume to shift the costs of their advertising onto their customers until they have been given explicit permission to do so. Would any respectable marketer even dream of using collect phone calls or postage due mailings to reach potential customers?

Marketers wishing to use e-mail should consider the foregoing question carefully when preparing their campaigns. Advertising based on permission marketing principles has proven to be extremely successful. Opt-in is a win-win strategy for both marketers and consumers.

On the other hand, marketers who wish to insist on a so-called opt-out strategy -- in which they take it upon themselves to send as much promotional material as they want to someone's e-mailbox until asked to stop -- are eligible for listing on the RBL. The opt-out approach violates our fundamental principle: all communications must be consensual.”

Page 8: Lesson 7

Problems with MAPS

NetworkWorld, Sept 10, 2001: “One Friday afternoon in January, Internet Billing Company – one of the five most visited business-to-business sites on the Web – suddenly found online transaction requests from its customers were being blocked. The reason was that iBill’s name popped up on an antispam group’s blacklist that as many as half of the ISPs in the U.S. use to block e-mail and IP traffic from alleged spammers. Amazingly, no one had ever accused iBill of sending spam. However, someone complained to the antispam group Mail Abuse Prevention System (MAPS) that one of iBill’s thousands of customers had spammed them. MAPS not only placed the accused spammer on its Realtime Blackhole List (RBL), it listed iBill’s entire block of 254 IP addresses as well. ‘We didn’t know what was going on,’ says Marty Essenburg, iBill’s CIO at the time, who estimates that the four-day blacklisting cost iBill $400,000 in lost revenue. ‘There was no warning, it was automatic and we had to sit back and play catch-up. They hurt our revenue stream, and they tell us how to do business.’

Black Ice Software CEO Jozsef Nemeth says MAPS contacted him in March 2000 requesting Black Ice change the way it conducts business with its customers. When someone downloads Black Ice software, the company sends an e-mail thanking the person and listing technical support information. Black Ice later sends periodic e-mail marketing materials to those customers, which includes a provision that lets recipients unsubscribe. MAPS told Black Ice it had to switch to an ‘opt in’ system or its e-mail would be considered spam and it would be listed on the RBL… When Nemeth refused… his company was slapped on the RBL.”

Page 9: Lesson 7

Issues with spam filtering

Add to the issue the error rate. A study showed that:

– Brightmail, a for-profit blacklisting and filtering service, blocks 94% of spam with 1% false positives.
– MAPS was found to block 24% of spam with 34% false positives.

Also consider the following from Julian Haight, founder of SpamCop: “We list you immediately, and then we can talk about it.” They receive 50,000 complaints/day.

What are the implications in terms of the potential for a DoS attack? (If listing is automatic on complaint, anyone able to generate complaints can get a third party’s mail blocked.)

Page 10: Lesson 7

Web Filtering

Used to “prevent certain materials from entering into a system while users are browsing the Web.”

Often offered as an alternative to legislative actions such as the Communications Decency Act. Filtering at the receiving end does not inhibit free speech.

The problem is that the filters are not completely accurate: numerous reports of “inappropriate” material not being filtered or valid info being blocked.

Page 11: Lesson 7

Web Filtering

Net Shepherd Family Search filter returned only 1% of the sites returned by a non-filtered search using Alta Vista -- even though the search was on items such as “American Red Cross”, “Thomas Edison”, and “National Aquarium”.

One university’s filtering blocked the Edupage newsletter because of the sentence:

“The new bill is more narrowly focused than the CDA, and is targeted strictly at impeding the flow of commercial pornography on the World Wide Web.”

Cybersitter blocked sites for National Organization for Women, Godiva chocolates, and the teen website Peacefire.

Cyber Patrol allowed 6 of the first 16 sites listed on Yahoo’s category “Sex: Virtual Clubs”

Page 12: Lesson 7

Web Filtering

The World Wide Web Consortium approach to filtering is based on assigned labels and ratings and is called the Platform for Internet Content Selection (PICS).

PICS does not dictate labels; instead it allows groups to establish their own.

European Commission proposed a similar rating scheme. Governments could develop site-rating systems and SW provided that would allow teachers and parents to filter unwanted info.

Another proposal is an adult only domain

Page 13: Lesson 7

Web Filtering - Net Nanny

Page 14: Lesson 7

Web Filtering - Net Nanny

“Net Nanny 4 comes preloaded with a list of both appropriate (Can Go) and objectionable (Can't Go) web sites. Our web site research team is constantly updating this list and it can be automatically updated to your computer - FREE of charge - at anytime. Of course, you have the full capability to scan our web site lists and easily modify them to meet your own family standards. Below are the different categories and criteria we use when determining which web site to add to our lists:”

– Sexually Explicit
– Hate
– Violence
– Crime
– Drugs

Page 15: Lesson 7

Web Filtering - Super Scout

Page 16: Lesson 7

Firewalls (Firewalls: The Complete Reference, by Strassberg et al.)

“The computer or computers that stand between trusted networks (such as internal networks) and untrusted networks (such as the Internet), inspecting all traffic that flows between them.”

Firewalls have the following attributes:

– All communications pass through the firewall
– The firewall permits only traffic that is authorized
– The firewall can withstand attacks upon itself

Page 17: Lesson 7

Firewalls: four architectures (???)

Rule processing on routers – the earliest and simplest form.

Packet Filtering – also called packet screening: decide to allow or reject specific packets as they enter your network, judged on header fields (addresses, ports, protocol).

Stateful Inspection – keeps a table of active connections and judges each packet against that state (e.g. is this TCP segment part of a session an inside host opened?) rather than looking at each header in isolation.

Application Level Gateway – also known as proxy gateways, used to forward service-specific traffic (e.g. e-mail).

– Proxies act as a middleman preventing direct connection; the proxy takes the request and, if allowed by the policy, forwards it.
– The proxy ‘understands’ the service and can make better filtering decisions (thus theoretically more secure) but is less flexible and more time consuming.

Circuit Level Gateway – simply relays bytes from a port on one system to another on an external network.

– The connection appears to originate from the firewall and not the internal system.
– No direct connection between internal and external systems, but the relayed data is not filtered.

Hybrid Firewalls – e.g. filter some protocols, use an application gateway on others.

Page 18: Lesson 7

Packet Filtering

Rule set 1:

Operation  Source       Port   Destination  Port   Type
discard    bad.host     *      *            *      *
allow      our.host     25     *            *      *
discard    128.236.*.*  >1023  our.host     >1023  tcp

Rule set 2:

Operation  Source       Port   Destination  Port   Type
allow      bad.host     25     our.host     25     *
discard    bad.host     *      *            *      *
allow      our.host     25     *            *      *
discard    128.236.*.*  >1023  our.host     >1023  tcp
allow      *            *      *            *      *

Rules are checked top to bottom and the first match decides. Rule set 2 puts an explicit allow for SMTP between bad.host and our.host ahead of the blanket discard of bad.host (so the order of those two rows matters) and ends with a catch-all allow; rule set 1 has no catch-all, so a packet that matches none of its rows falls through to the filter’s default policy.
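The two rule sets above, run through a small first-match filter. This is an added example written for this page, not code from the lesson or from any firewall product. The evaluation order (top to bottom, first match wins), the default-deny for packets no row matches, the wildcard semantics for `*`, `>1023` and `128.236.*.*`, and the sample packets are all assumptions made for the example.

```python
"""Added example (not from the lesson): a first-match packet filter that
evaluates the slide's two rule sets.  Assumed semantics: rules are checked
top to bottom, the first match wins, an unmatched packet is discarded,
'*' matches anything, '>1023' matches any port above 1023, and
'128.236.*.*' is a wildcard address prefix."""
from dataclasses import dataclass
import fnmatch


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "discard"
    src: str
    sport: str
    dst: str
    dport: str
    proto: str


def _host_match(pattern, host):
    # '*' and dotted wildcards such as 128.236.*.*; names compare exactly
    return fnmatch.fnmatchcase(host, pattern)


def _port_match(pattern, port):
    if pattern == "*":
        return True
    if pattern.startswith(">"):
        return port > int(pattern[1:])
    if pattern.startswith("<"):
        return port < int(pattern[1:])
    return port == int(pattern)


def rule_matches(rule, pkt):
    return (_host_match(rule.src, pkt.src)
            and _port_match(rule.sport, pkt.sport)
            and _host_match(rule.dst, pkt.dst)
            and _port_match(rule.dport, pkt.dport)
            and rule.proto in ("*", pkt.proto))


def filter_packet(rules, pkt, default="discard"):
    """Return (action, index of the matching rule, or None for the default)."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, i
    return default, None


def parse_rules(text):
    """One rule per line, six whitespace-separated columns as on the slide."""
    rules = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) != 6:
            raise ValueError(f"bad rule: {line!r}")
        rules.append(Rule(*fields))
    return rules


RULES_A = parse_rules("""
discard  bad.host     *      *         *      *
allow    our.host     25     *         *      *
discard  128.236.*.*  >1023  our.host  >1023  tcp
""")

RULES_B = parse_rules("""
allow    bad.host     25     our.host  25     *
discard  bad.host     *      *         *      *
allow    our.host     25     *         *      *
discard  128.236.*.*  >1023  our.host  >1023  tcp
allow    *            *      *         *      *
""")

SAMPLE = [  # constructed packets, chosen to hit each row
    Packet("bad.host", 25, "our.host", 25, "tcp"),         # SMTP from bad.host
    Packet("bad.host", 4000, "our.host", 80, "tcp"),       # anything else from bad.host
    Packet("our.host", 25, "relay.example", 25, "tcp"),    # our outbound mail
    Packet("128.236.1.9", 5555, "our.host", 6000, "tcp"),  # high-port TCP from that net
    Packet("128.236.1.9", 5555, "our.host", 6000, "udp"),  # same ports, UDP
    Packet("other.host", 3000, "our.host", 80, "tcp"),     # matches nothing specific
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        a, ia = filter_packet(RULES_A, pkt)
        b, ib = filter_packet(RULES_B, pkt)
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}/{pkt.proto}: "
              f"set 1 {a} (rule {ia}), set 2 {b} (rule {ib})")
```

The first sample packet is the interesting one: set 1 discards it at row 0, set 2 allows it at row 0, and swapping set 2's first two rows would silently turn that allow into a discard. The UDP and `other.host` packets show the other difference: with no catch-all row, set 1 leaves them to the default, whereas set 2's final row allows them.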

Page 19: Lesson 7

Firewall Architectures

Figure: Screening router architecture (the Internet reaches the internal network through a single screening router).

Page 20: Lesson 7

Firewall Architectures

Figure: Dual-homed host architecture (the Internet on one interface of the dual-homed host, the internal network on the other).

Page 21: Lesson 7

Firewall Architectures

Figure: Screened host architecture (Internet, screening router, bastion host on the internal network; direct traffic past the bastion host is blocked).

Page 22: Lesson 7

Bastion Hosts

A specially ‘armored’ and protected host.

– may run a special ‘secure’ or ‘stripped down’ version of the OS
– only essential services are run on it
– user accounts generally not permitted (admin only)

Machines inside of the firewall should not trust the Bastion Host.

Page 23: Lesson 7

Firewall Architectures

Figure: Screened subnet architecture (Internet, exterior router, perimeter network with the bastion host, interior router, internal network).

Page 24: Lesson 7

So, what’s the difference between them?

Screening router
– very primitive, just a souped-up router

Dual-homed host (firewall)
– routing function turned off, so external systems can’t communicate directly with internal systems!
– provides services through proxies

Screened host
– the router provides routing and packet filtering functions
– the bastion host provides a single system to heavily secure

Screened subnet
– in a screened host firewall there are no defenses between the bastion and the other systems, so if the bastion is compromised the internal network is vulnerable
– the screened subnet adds another router (and a perimeter network between the two routers) to add another layer of protection; this router can be configured to only allow certain services

Page 25: Lesson 7

Firewall Architectures

Figure: Screened subnet with multiple exterior routers. The Internet, a supplier network and a lab network each connect to the perimeter network through their own exterior router; the bastion host sits on the perimeter network and a single interior router leads to the internal network.

Page 26: Lesson 7

Checkpoint Firewall Sample Rule Set

Page 27: Lesson 7

Cisco System PIX Firewall

Page 28: Lesson 7

Network Address Translation (NAT)

Firewalls can also provide NAT services. NAT allows a LAN to use one set of addresses for internal purposes and a second set for external traffic.

Not all systems need a globally unique IP address.
– Saves on IP addresses, which is a concern for IPv4

Shields internal addresses from public view.

Page 29: Lesson 7

Network Address Translation (NAT)

• There are a limited number of IP addresses available and not every system needs one.

• NAT was developed to provide a means to translate private IP addresses into public IP addresses.
– A device (typically a router or firewall) accomplishes this translation process.

Figure: the firewall performs NAT for an inside host 10.1.1.123 talking to 207.25.71.23 on the Internet.

Inside host -> firewall:       Source: 10.1.1.123     Destination: 207.25.71.23
Firewall -> Internet:          Source: 63.69.110.110  Destination: 207.25.71.23
Internet -> firewall (reply):  Source: 207.25.71.23   Destination: 63.69.110.110
Firewall -> inside host:       Source: 207.25.71.23   Destination: 10.1.1.123
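The translation table behind the picture above, as an added example that is not part of the lesson or of any vendor's firewall. The slide only draws an address swap for one host; to let several inside hosts share the one public address, this example also rewrites the source port (NAPT) and accepts a reply only from the outside host and port the mapping was created for. Those two choices, the 40000-and-up public port range, and the sample hosts are assumptions made for the example.

```python
"""Added example (not from the lesson): the NAT translation table a firewall
keeps so that 10.1.1.123 appears on the Internet as 63.69.110.110.

Assumptions beyond the slide: source ports are rewritten too (NAPT) so many
inside hosts can share the public address, and inbound packets are only
accepted when they match an existing outbound mapping from the same peer."""
from dataclasses import dataclass, field
from itertools import count

PUBLIC_IP = "63.69.110.110"  # the firewall's outside address on the slide


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NATTable:
    public_ip: str = PUBLIC_IP
    # (inside ip, inside port, outside ip, outside port) -> public port
    outbound: dict = field(default_factory=dict)
    # public port -> (inside ip, inside port, outside ip, outside port)
    inbound: dict = field(default_factory=dict)
    # constructed choice: hand out public ports from 40000 upwards
    ports: count = field(default_factory=lambda: count(40000))

    def translate_outbound(self, pkt):
        """Rewrite a packet leaving the LAN; create the mapping on first use."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.outbound:
            pub_port = next(self.ports)
            self.outbound[key] = pub_port
            self.inbound[pub_port] = key
        return Packet(self.public_ip, self.outbound[key], pkt.dst, pkt.dport)

    def translate_inbound(self, pkt):
        """Rewrite a packet arriving from the Internet, or return None to drop it."""
        if pkt.dst != self.public_ip:
            return None
        key = self.inbound.get(pkt.dport)
        if key is None:
            return None  # no inside host opened this: unsolicited, dropped
        inside_ip, inside_port, outside_ip, outside_port = key
        if (pkt.src, pkt.sport) != (outside_ip, outside_port):
            return None  # mapping belongs to a different outside peer
        return Packet(pkt.src, pkt.sport, inside_ip, inside_port)


def walk_through():
    """The slide's exchange plus the cases the slide does not draw (constructed)."""
    nat = NATTable()
    out1 = nat.translate_outbound(Packet("10.1.1.123", 1025, "207.25.71.23", 80))
    # a second inside host using the same source port shares the public address
    out2 = nat.translate_outbound(Packet("10.1.1.124", 1025, "207.25.71.23", 80))
    reply = nat.translate_inbound(Packet("207.25.71.23", 80, PUBLIC_IP, out1.sport))
    # an outside host reusing the mapped port, and a probe of an unmapped port
    probe = nat.translate_inbound(Packet("198.51.100.7", 80, PUBLIC_IP, out1.sport))
    scan = nat.translate_inbound(Packet("207.25.71.23", 80, PUBLIC_IP, 40500))
    return {"out1": out1, "out2": out2, "reply": reply, "probe": probe, "scan": scan}


if __name__ == "__main__":
    for name, pkt in walk_through().items():
        print(f"{name:6} {pkt if pkt else 'dropped'}")
```

The `probe` and `scan` cases are why NAT is often described as a side benefit for security: an outside host sees only 63.69.110.110, and nothing it sends reaches an inside address unless an inside host created the mapping first. That is a consequence of the translation table, not a substitute for the packet filter.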

Page 30: Lesson 7

Emerging Technologies

Consolidated Management Consoles – an attempt to provide a single interface for the variety of security devices an administrator may face (e.g. firewall, ACLs on routers).

Content vectoring – “shuffle” certain traffic off to ancillary internal or external handlers for additional inspection or processing.

Multifunction Devices – integration of multiple security products into a single platform (e.g. IDS and firewall, firewall with router, …).

Page 31: Lesson 7

Personal Firewalls

Designed to insulate vulnerable desktop OSs from attacks.

Growth of residential and small-business broadband Internet access has also increased the need for personal firewalls.

Spread of various Distributed Denial of Service attacks, which take advantage of unprotected platforms, has also helped to bring this issue forward.

Page 32: Lesson 7

Modem Security, Wardialing, and Telecomm Firewalls

Page 33: Lesson 7

Network security technologies have focused almost entirely on the TCP/IP network…

The weakest link is now the phone network.

What is the network?

There is a growing connectivity between the data network and the telephone network.

Page 34: Lesson 7

The Data Network

• One pipe
• High speed
• Thousands of connections
• Controlled and monitored
• One chokepoint

… your Internet connection is just a dedicated, high-speed telephone line.

Page 35: Lesson 7

The Telephone Network

Public Switched Telephone Network (PSTN)

• Thousands of pipes
• Low speed
• Uncontrolled
• Unmonitored
• No chokepoint

… think of your telephone network as thousands of low-speed internet connections.

Page 36: Lesson 7

The TCP/IP Network

Figure: Internet, router, firewall, intrusion detection, web server and users; the attacker is on the Internet side and must come through the router and firewall.

Page 37: Lesson 7

The Actual Network

Figure: the same Internet path (router, firewall, intrusion detection, web server, users), plus a PBX and RAS dial-in servers connected to the public telephone network.

Page 38: Lesson 7

Security in The Actual Network

Figure: as above, but the attacker is now on the public telephone network, reaching the PBX and the RAS dial-in servers without passing the router, firewall or intrusion detection on the Internet link.

Page 39: Lesson 7

Security in The Actual Network

Figure: as on the previous slide, an attacker on the public telephone network reaching the PBX and RAS dial-in servers behind the Internet-facing router, firewall and intrusion detection.

“2-4% of all telephone lines have active modems”

Page 40: Lesson 7

Unauthorized access to ISPs

Figure: the same network, with users’ desktop modems dialing out through the PBX and the public telephone network to an ISP, bypassing the router, firewall and intrusion detection on the Internet link.

– Virus protection mechanisms can be circumvented
– Proprietary data can be uploaded by users

Page 41: Lesson 7

Wardialers

Step 1: phone number footprinting

Public domain wardialers: ToneLoc, THC (THC-Scan)
Commercial: PhoneSweep, TeleSweep Secure

Page 42: Lesson 7

War Dialing the ‘Bay’

In ’97, Peter Shipley dialed the San Francisco Bay area looking for systems answered by a modem. He eventually finished the entire range but the final report hasn’t been published. Early results reported, however, included:

– 1.4 million numbers dialed (500 an hour, 12,000 a day)
– 14,000 of the lines dialed were reportedly modems

Page 43: Lesson 7

Some interesting results:

– An East Bay medical facility gave unrestricted modem access to patient records.
– An Internet company offering financial services did not require a password to modify its modem-accessible firewall.
– A Fortune 100 company’s air conditioner and environmental control units could be easily changed by modem, allowing lights to be turned off or heating/air conditioning to be changed.
– Only 3 of every 1000 modem lines he checked posted a warning banner (a requirement for government machines).
– Some of the welcome banners gave the name of the operating system, release, and name of the corporation.

Page 44: Lesson 7

Carrier Exploitation

Once you have a number, now what? Check the wardialing log, you can get some clues, then dial back:

CONNECT 57600
HP995-400: Expected a HELLO command. (CIERR 6057)

Many systems have default login sequences (e.g. HP MPE-XL systems):

CONNECT 57600
HP995-400: HELLO FIELD.SUPPORT PASSWORD=TeleSup

Default for pcAnywhere -- no password/userid.

…and you can always try brute-force password guessing if nothing else works!
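The “check the wardialing log for clues” step done in code, as an added example that is not from the lesson or from any wardialing tool. It reads a log of dialed numbers, keeps the lines that reached a carrier, fingerprints the banner, and flags the two findings the Shipley slides call out: no warning banner, and a banner that names the OS or the company. The log format (number | result | first banner line) and all of its entries are constructed for this example; ToneLoc, THC-Scan and PhoneSweep each write their own formats. Only the HP MPE-XL banner text comes from the slide; the other signatures are illustrative patterns, not vendor-documented strings.

```python
"""Added example (not from the lesson): triage of a wardialer log.

Log format, sample entries and all signatures except the HP MPE-XL line
(which is the banner shown on the slide) are constructed for this example."""
import re
from collections import Counter

SAMPLE_LOG = """\
555-0101 | CONNECT 57600 | HP995-400:Expected a HELLO command. (CIERR 6057)
555-0102 | CONNECT 28800 | WARNING: Authorized use only. Login:
555-0103 | NO CARRIER    |
555-0104 | CONNECT 14400 | Acme Corp BuildingCtl v2.1 ready
555-0105 | CONNECT 33600 |
555-0106 | BUSY          |
555-0107 | CONNECT 57600 | SunOS 5.6 (gw01.example) login:
"""

# (pattern, system type, why it matters to an attacker or an auditor)
SIGNATURES = [
    (re.compile(r"Expected a HELLO command"), "HP MPE-XL",
     "has well-known default login sequences"),
    (re.compile(r"\blogin:", re.I), "login prompt",
     "candidate for password guessing"),
    (re.compile(r"\b(SunOS|Linux|Windows|VMS)\b", re.I), "OS named in banner",
     "banner leaks operating system and release"),
    (re.compile(r"\b(Corp|Inc|Ltd|LLC)\b"), "company named in banner",
     "banner leaks the organisation"),
]
# words a legal warning banner is likely to contain (constructed list)
WARNING_RE = re.compile(r"authori[sz]ed|warning|prohibited|private", re.I)


def parse_log(text):
    """One dialed number per line: number | modem result | banner text."""
    entries = []
    for line in text.splitlines():
        number, result, banner = (f.strip() for f in line.split("|", 2))
        entries.append({"number": number, "result": result, "banner": banner})
    return entries


def triage(entry):
    """Return a finding for a line that reached a carrier, else None."""
    if not entry["result"].startswith("CONNECT"):
        return None
    banner = entry["banner"]
    finding = {"number": entry["number"], "types": [], "notes": [],
               "warning_banner": bool(WARNING_RE.search(banner))}
    for pattern, sys_type, note in SIGNATURES:
        if pattern.search(banner):
            finding["types"].append(sys_type)
            finding["notes"].append(note)
    if not banner:
        finding["notes"].append("silent carrier: dial back and wait for a prompt")
    if not finding["warning_banner"]:
        finding["notes"].append("no warning banner")
    return finding


def summarize(text):
    """Counts an auditor would report: carriers found, how many warn, what they are."""
    findings = [f for f in map(triage, parse_log(text)) if f]
    return {
        "carriers": len(findings),
        "with_warning": sum(f["warning_banner"] for f in findings),
        "types": Counter(t for f in findings for t in f["types"]),
        "findings": findings,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['carriers']} carriers, {report['with_warning']} with a warning banner")
    for f in report["findings"]:
        print(f"{f['number']}: {', '.join(f['types']) or 'unknown'}; {'; '.join(f['notes'])}")
```

Run against an organisation's own number range, the `with_warning` count against `carriers` is the metric the Shipley slide gives (3 per 1000), and every finding with an empty `types` list is a modem nobody has identified yet, which is exactly the inventory a telecom firewall policy needs before it can block anything.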

Page 45: Lesson 7

The Current Prevention Approach

Policy

Scanning (ad hoc War Dialing)

Administrative Action

Page 46: Lesson 7

Current Scanning Challenge

– Window of visibility
– Time / scalability
– Vulnerability measurement
– Cost (long distance charges)
– Data collection and consolidation
– Logging / reporting

Page 47: Lesson 7

Solution

A better approach than ad-hoc wardialing is to apply the same type of control that is found on the IP network to the telephone network.

Thus, the solution is a firewall for the telephone network

Page 48: Lesson 7

The Telephone Network

Public Switched Telephone Network (PSTN)

• Thousands of pipes
• Low speed
• Uncontrolled
• Unmonitored
• No chokepoint

… think of your telephone network as thousands of low-speed internet connections.

Page 49: Lesson 7

A Firewall for Phone Lines

Public Switched Telephone Network (PSTN)

• One virtual pipe
• Controlled and monitored

… get your hands around the problem, and take control of the telephone network.

Page 50: Lesson 7

Remote Enterprise-wide Telecom Firewall Protection

Figure: the network from the earlier slides (Internet, router, firewall, intrusion detection, web server, users; PBX and RAS dial-in servers on the public telephone network), with a telecom firewall inserted between the public telephone network and the PBX/RAS lines. The telecom firewall classifies each call as voice, modem or fax and can detect, log, alarm and block.

Page 51: Lesson 7

Remote Enterprise-wide Telecom Firewall Protection

Figure: the same network with the telecom firewall in place (detect, log, alarm, block; voice, modem, fax); an attacker dialing in from the public telephone network now meets the telecom firewall before the PBX or the RAS dial-in servers.

Page 52: Lesson 7

TeleWall Telecommunications Firewall

Page 53: Lesson 7

Protect Phone-to-Switch

Telephone fraud is a tremendous problem (1999: $5B).

Most PBXs have a remote dial-up port for maintenance purposes, often protected only with a numeric password.

The same device used to protect against attacks on unauthorized modems can be used to protect the PBX as well.

Page 54: Lesson 7

PBX Hacking

Dial-up connections are the most frequent means of remotely managing a PBX. They are also frequently used for vendor external support.

Just like computers with default passwords, PBXs often have default access codes.

What companies should do is remove the defaults and, if a problem occurs, then provide an access code to the vendor; unfortunately… this is seldom done.

Page 55: Lesson 7

Remote Enterprise-wide Telecom Firewall Protection

Figure: the same network with the telecom firewall in place (detect, log, alarm, block) and an attacker on the public telephone network; this slide adds DTMF signaling detection, the telecom firewall seeing the tones dialed on the calls it handles.

Page 56: Lesson 7

IP Telephony Security Issues

Figure: a user-connected modem (IP phone) behind a router on the Internet, a 10/100 gateway (GW) joining the IP side to a PBX, and the PBX to the PSTN.

Page 57: Lesson 7

Telecommunication Firewalls

– Log call progress
– Characterize call traffic
– Enforce security and usage policy
– Control remote maintenance facility and port access
– Report resource utilization
– Fraud detection/prevention
– Trunk line status and usage
– Emergency notification
– ROI
– Protection of VoIP

Page 58: Lesson 7

Extensions to Telecomm Firewalls

– Telephone bill reconciliation package
– Secure voice
– Secure VoIP
– Additional ‘password’ (DTMF signaling) for increased security
– Securing of SCADA (Supervisory Control and Data Acquisition) systems (e.g. Roosevelt Dam in Arizona)

Page 59: Lesson 7

Virtual Private Networks (VPN)

From WEBOPEDIA:a network that is constructed by using public wires to connect nodes. For example, there are a number of systems that enable you to create networks using the Internet as the medium for transporting data. These systems use encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.

Page 60: Lesson 7

VPN’s – IP security issue

TCP/IP packet:  | IP Header | Other Headers | User Data |

Which of these is needed for routing across the Internet? Only the IP header: the routers in between never need the transport header or the user data, which is why a VPN can encrypt everything after the outer IP header and the packet is still delivered.

Page 61: Lesson 7

VPN’s and Tunneling

Most VPNs use tunneling to create a private network across the Internet. Essentially, tunneling is the process of placing an entire packet within another packet and transmitting it over a network. The protocol of the outer packet is understood by the network and by both endpoints, called tunnel interfaces, where the packet enters and exits the network.

Firewalls, which can be used for NAT, can also perform VPN services: e.g. Cisco PIX.
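The encapsulation described above, built byte by byte, as an added example that is not from the lesson and does not model the Cisco PIX or any particular VPN product. It wraps a complete inner IPv4 packet (private addresses) inside an outer IPv4 header whose protocol field is 4, the IANA number for IP-in-IP, so a transit router sees only the two tunnel endpoints. The HMAC tag over the inner packet stands in for the integrity protection a real VPN protocol such as IPsec provides; the key, the addresses and the payload are constructed for the example, and no encryption is applied here.

```python
"""Added example (not from the lesson): IP-in-IP tunnel encapsulation.

Outer IPv4 header (protocol 4) around an inner IPv4 packet, plus an HMAC tag
standing in for a VPN protocol's integrity check.  Key, addresses and
payload are constructed; nothing here is encrypted."""
import hashlib
import hmac
import socket
import struct

IPPROTO_IPIP = 4                         # IANA protocol number for IP-in-IP
TUNNEL_KEY = b"constructed-demo-key"     # a real VPN negotiates this per peer


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ident=0, ttl=64):
    """A minimal 20-byte IPv4 header with the checksum filled in."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, ident, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt):
    """Parse and verify an IPv4 header; this is all a transit router looks at."""
    ver_ihl, _tos, total, _ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total]}


def encapsulate(inner_pkt, tunnel_src, tunnel_dst, key=TUNNEL_KEY):
    """Tunnel entry: append a 16-byte tag, then wrap in the outer header."""
    tag = hmac.new(key, inner_pkt, hashlib.sha256).digest()[:16]
    body = inner_pkt + tag
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_IPIP, len(body)) + body


def decapsulate(outer_pkt, key=TUNNEL_KEY):
    """Tunnel exit: check the outer header and tag, return the inner packet."""
    outer = parse_ipv4(outer_pkt)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    inner, tag = outer["payload"][:-16], outer["payload"][-16:]
    expect = hmac.new(key, inner, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("tunnel integrity check failed")
    return inner


def demo():
    """Constructed walk-through: a private-address packet crosses the tunnel."""
    inner_payload = b"private data"
    inner = ipv4_header("10.1.1.123", "10.2.2.7", 6, len(inner_payload)) + inner_payload
    outer = encapsulate(inner, "63.69.110.110", "198.51.100.9")
    return {
        "outer": outer,
        "seen_by_router": parse_ipv4(outer),   # tunnel endpoints, protocol 4
        "inner": parse_ipv4(decapsulate(outer)),
    }


if __name__ == "__main__":
    d = demo()
    r, i = d["seen_by_router"], d["inner"]
    print(f"router sees {r['src']} -> {r['dst']} proto {r['proto']}, {len(d['outer'])} bytes")
    print(f"tunnel exit recovers {i['src']} -> {i['dst']} proto {i['proto']}: {i['payload']!r}")
```

The outer header answers the slide's routing question in bytes: its source and destination are the two tunnel interfaces, and the private 10.x addresses travel as opaque payload. The tag check at the exit is what turns a tunnel into something a VPN can rely on; without it, anyone on the path can rewrite the inner packet and the far end will happily route it into the private network.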

Page 62: Lesson 7

VPN

Page 63: Lesson 7

SCADA systems

Supervisory control and data acquisition (SCADA) is a system that allows an operator to monitor and control processes that are distributed among various remote sites. Many processes use SCADA systems: hydroelectric, water distribution and treatment utilities, natural gas, etc. SCADA systems allow remote sites to communicate with a control facility and provide the data necessary to control the processes. For many of its uses, SCADA provides an economic advantage: as the distance to remote sites and the difficulty of access increase, SCADA becomes a better alternative to an operator’s or repairman’s visiting the site for adjustments and inspections. Distance and remoteness are two major factors for implementing SCADA systems.

Page 64: Lesson 7

SCADA Elements

There are four major elements to a SCADA system: the operator, master terminal unit (MTU), communications, and remote terminal unit (RTU).

Figure: one MTU communicating with RTU 1, RTU 2, RTU 3 and RTU 4.

Page 65: Lesson 7

Summary

What is the Importance and Significance of this material?

How does this topic fit into the subject of “Voice and Data Security”?