SCSC 455 Computer Security Network Security. Control access to system Access control mechanisms in...
-
Upload
regina-carter -
Category
Documents
-
view
226 -
download
7
Transcript of SCSC 455 Computer Security Network Security. Control access to system Access control mechanisms in...
SCSC 455 Computer Security
Network Security
Control access to system Access control mechanisms in specific network
programs e.g. 1, wu-FTP server support mulitple security directive
in /etc/ftpaccess e.g. 2, Apache server: /etc/httpd.conf
Control network traffic at network layer -- Firewall operates at the lowest level of the networking protocol
stack. examines and discards packets from unauthorized
systems before they have a chance to attack applications Use advanced routing techniques
IP masquerading “Hides” LAN clients from hackers on the Internet
Access control at different layers
Index
Linux firewall NAT and proxy Protect network traffic through encryption
Firewall
A firewall -- a packet filter access control operating at the lowest level of the
networking protocol stack Firewalls rely on rules
Rules: the configuration settings that define certain characteristics of an IP package and the action to take for packages meeting the specified criteria
Networking stacks in Linux are contained in the kernel gives Linux great control over network packet management
IP Chains The IP Chains are a list of rules for how packets are
handled Linux kernel includes three default chains
Input chains: packets coming from outside the system on which the rule is executed pass through
Forward chains: packets coming from outside the system on which the rule is executed and that need to be routed to another system pass through
Output chains: Packets coming from within the system on which the rule is executed and that are destined for other systems pass through
User defined chains can be added.
IP Chains
Options in IP Chains
Options in IP Chains
Append a new rule to a chain (-A). # ipchains -A input -s 127.0.0.1 -p icmp -j DENY
Insert a new rule at some position in a chain (-I).
# ipchains -I input 1 -j DENY Delete the first rule that matches in a chain (-D).
# ipchains -D input -s 127.0.0.1 -p icmp -j DENY
Emptying all rules out of a chain, using the `-F' command. # ipchains -F forward
List all the rules in a chain
# ipchains -L -n input
Options in IP Chains
-P: default policy for a chain when a packet hits the end of a built-in chain, the
policy of the chain determines the fate of the packet.
The policy can be any of the ACCEPT, DENY, REJECT or MASQ. MASQ is only valid for the `forward' chain.
E.g. # ipchains -P forward DENY
Options in IP Chains -j “jump to” target
ACCEPT allows the packet through. DENY drops the packet as if it had never been received. REJECT
drops the packet, but (if it's not an ICMP packet) generates an ICMP reply to the source to tell it that the destination was unreachable.
MASQ tells the kernel to masquerade the packet. For this to work, your kernel needs to be compiled with IP
Masquerading enabled. REDIRECT
tells the kernel to send a packet to a local port instead of wherever it was heading.
is only valid for packets traversing the input chain. RETURN which is identical to falling off the end of the chain
immediately
ipchains Example E.g.1
# ping 127.0.0.1
# ipchains -I input -s 127.0.0.1 -p icmp -j DENY
# ping 127.0.0.1
E.g. 2
#ipchains -A input –j DENY
#ipchains -A input –s 192.168.10.0/0 -j ACCEPT
Options in IP Chains
-i specifies the name of an interface to match. An interface is the physical device the packet came in on,
or is going out on. use the ifconfig command to list the interfaces which are `up'. What is lo interface?
The lo interface is usually called the loopback interface. If packets from a local process are destined for a local process,
they will go through the output chain with interface set to `lo', then return through the input chain with interface also `lo'.
-p specifies the protocol `TCP', `UDP' or `ICMP'.
Options in IP Chains
-s and –d specify the source and destination Representing in full name, such as `localhost' or
`www.linuxhq.com'. Representing in IP address such as `127.0.0.1'. Representing as a group of IP addresses, such as
`199.95.207.0/24' an extra argument indicating the TCP or UDP
port, or an (inclusive) range of ports
e.g., -p TCP -s 0.0.0.0/0 :1023
Options in IP Chains! (inversion)
flags can have their arguments preceded by `!' to match addresses NOT equal to the ones given.
E.g. 1, `-s ! localhost' matches any packet not coming from localhost.
E.g. 2 -p TCP -d 0.0.0.0/0 ! www to specify every TCP packet BUT a WWW packet,
How about the following?
-p TCP -d ! 192.168.1.1 www -p TCP -d 192.168.1.1 ! www -p TCP -d ! 192.168.1.1 ! www
What Not To Filter Out in ipchains
ICMP packets ICMP packets are used to indicate failure for other
protocols (such as TCP and UDP). Blocking these packets means that you will never get `Host
unreachable' or `No route to host' errors; any connections will just wait for a reply that never comes.
TCP Connections to DNS (nameservers) DNS doesn't always use UDP. If the reply from the server
exceeds 512 bytes, the client uses a TCP connection (still going to port number 53) to get the data.
Graphical Firewall Configuration Utilities
Linux supports several graphical tools that can be used to set up a firewall Red Hat Linux includes the lokkit program that walks you through
questions and establishes rules based on your security choices Red Hat Linux also includes the firewall-config program, which
allows the set up of complex firewall rules
Graphical Firewall Configuration Utilities – Lokkit (1)
Graphical Firewall Configuration Utilities – Lokkit (2)
Graphical Firewall Configuration Utilities – firewall-config (1)
Graphical Firewall Configuration Utilities – firewall-config (2)
NetFilter / IP Tables NetFilter
the new and improved Linux packet filtering system and uses a different architecture than IP Chains
provides hooks at five different points in packet processing A hook refers to the ability to connect another program
at that point The list of rules associated with the hooks are similar
to IP Chains and are called IP Tables
Using NetFilter / IP Tables NetFilter / IP Table provide:
The ability to act on packets based on their state – stateful packets filtering
Examination and alteration of just about any header field in a packet - packet mangling
Selection of packets to be logged based on the value of any header field
Passing of packets to regular Linux programs for further processing outside of the Linux kernel
Implementation of intelligent routing based on Quality of Service (QoS) features
Index
Linux firewall NAT and proxy Protect network traffic through encryption
Network Address Translation and IP masquerading
The IP Chains feature also provides a special routing functionality -- Network Address Translation (NAT)
NAT is a routing technique that alters address or other header information in a packet One popular type of NAT is IP masquerading
network address translation in which packets from many computers on a LAN appear as if they came from one computer.
IP masquerading
#ipchains -A forward -s 192.168.100.0/24 -j MASQ
NAT pros and cons NAT pros: Using NAT, a single IP can permit an
entire LAN to connect to the Internet. Behind the router, the same private IP addresses can be
reused on every LAN A remote computer cannot connect to a client within a
masqueraded LAN. The router effectively hides the entire LAN.
NAT cons: However, IP masquerading can make some network services (FTP, IRC, streaming audio) unworkable. Q: Why? To make these protocols work, additional kernel modules
for the specific protocols have to be installed.
Proxy Server A proxy server is very similar to IP masquerading,
but the proxy works at the application level, not the IP level must configure each client on the LAN so that it use a
special port for the proxy (instead of using the default port) E.g., “Squid” is a proxy server in LinuxClients use 8080 or 8008 instead of the default web port 80
A proxy server provides security against outside attacks by insulating clients. let you control the access to the outside system can cache the results (such as web pages) to improve
performance
Proxy server
Transparent proxy
Transparent proxy – IPchains or IPtables can redirect packet based on the port to which the packet is addressed Is an alternative to using a proxy server Do not need to configure the clients – the proxy
activity is “transparent” to the clients All clients’ requests packets must pass through a gateway to
reach the Internet. The router is configured to redirect some packets to a
particular port at the proxy server. The proxy server masquerades these packets and send them out.
The proxy server also processes the received packet from Internet and return them to a client.
Transparent Proxying
Index
Linux firewall NAT and proxy Protect network traffic through encryption
Encrypting Network TrafficWhat we have covered: The firewall restrict network traffic. The special routing techniques isolates clients in a LAN
from the Internet
However, the contents of packets in LAN or through Internet are visible to everyone. With network analysis tool (a sniffer), the hackers can
view the packets. The general strategy is encrypting the packets. Some solutions:
Secure shell (SSH) IPSec
( Note: IPsec operate at the network layer. more flexible, but more complex and with higher overhead )
The Secure Shell (SSH)
The Secure Shell (SSH) package is a client-server protocol similar to Telnet
A client program ssh and a server program sshd SSH replaces Telnet and rlogin for better security
SSH use the same encryption techniques as GPG1. Exchange asymmetric keys to establish the identity of a
user requesting a connection
2. Pass a symmetric session key securely
3. Encrypt all subsequent traffic by symmetric session key.
OpenSSH The OpenSSH implementation of the SSH is used
on most Linux distributions OpenSSH is available to other OSs, such as UNIX,
Windows, Macintosh, PalmOS, … A client program ssh & a server daemon sshd
$man ssh $man sshd
SSH connections use port 22 by default Make sure sshd daemon is running on the system to
which you want to connect. To check the status of the sshd daemon
$/etc/rc.d/init.d/sshd status Make sure no firewall is blocking traffic on port 22 between
your client and server computer
SSH1 & SSH2 OpenSSH support two versions:
SSH1 uses a public key encryption system to authenticate
connections But does NOT support strong symmetric encryption of
the subsequent traffic
SSH2 uses a more robust authentication process supports strong encryption of all network traffic, such
as AES (128-, 192-, or 256-bit), Blowfish, CAST128.
Different Ways to Authenticate in SSH
Method 1. To rely on the r-utilites files E.g., ~/.rhosts Insecure not recommended
Method 2. To use passwords authentication1. Login a ssh server by user name and password on the server
2. $ ssh –l username server
3. Then you are prompted for the password
4. This method is much better than the rhost method or unencrypted Telnet.
5. However, it does NOT provide public key authentication of the session.
Use public key authentication in SSHMethod 3. To use public key authentication is a more
secure way to authenticate a connection in SSH Must set up key pairs for your own user account
$ ssh-keygen -t rsa -b 2048-t specify a key type (either RSA or DSA)-b specify the key size (default is 1024 bits)
Your private key is stored in ~/.ssh/id_rsa and your public key is stored in ~/.ssh/id_rsa.pub
Enter a passphrase to protect your ssh key pair It is optional. You may choose to press Enter to leave the key pair
unprotected by a passphrase. This decision depends on who else is using your computer and
how you intend to use ssh to access your account on remote systems.
Use public key authentication in SSH (2)
Once a key pair generated on one account, you should place the public key from that account in the ~/.ssh/authorized_keys file on each system where you want to log in using ssh.
This can be done through scp, FTP, email or floppy disk
e.g., copy from Alice’s PC /home/alice/.ssh/id_rsa.pub
to Bob’s PC /home/bob/.ssh/authorized_keys
OpenSSH features
OpenSSH supports a number of useful features: Replace telnet and rlogin To secure connections for protocols not inherently secure
E.g., the X protocol for serving remote graphical applications
(The detailed steps on p505 are not required in this course.)
Port forwarding: Is a routing technique that allows encryption of many other
protocols over SSH connections E.g., SMTP, FTP, POP3, SWAT (The Samba Web
Administration Tool)
Example of Port forwarding in SSHA system administrator wants to use SWAT to manage manySamba servers on a large LAN from a single system client1. However, using in SWAT in a browser, none of the traffic
(including the password you must enter) is encrypted.
Other Tunneling Protocols
The concept behind using SSH port forwarding is that you can tunnel and insecure protocol inside a secure protocol
The Point-to-Point Tunneling Protocol (PPTP) is a standard for creating a virtual private network (VPN) Microsoft created PPTP PPTP uses two communication channels between a
client and a server a control channel and an encrypted data channel
Using stunnel section (P508 – 509) is NOT required in this course.
Tunneling an insecure protocol under a secure protocol