SCSC 455 Computer Security Network Security. Control access to system Access control mechanisms in...

Transcript of SCSC 455 Computer Security, Network Security (lecture slides).

Page 1: SCSC 455 Computer Security, Network Security.

SCSC 455 Computer Security

Network Security

Page 2: Control access to the system

Access control mechanisms in specific network programs:
- e.g. 1, the wu-FTP server supports multiple security directives in /etc/ftpaccess
- e.g. 2, the Apache server: /etc/httpd.conf

Control network traffic at the network layer:
- A firewall operates at the lowest level of the networking protocol stack. It examines and discards packets from unauthorized systems before they have a chance to attack applications.
- Use advanced routing techniques: IP masquerading "hides" LAN clients from hackers on the Internet.

Page 3: Access control at different layers

Page 4: Index

- Linux firewall
- NAT and proxy
- Protect network traffic through encryption

Page 5: Firewall

A firewall is a packet filter: access control operating at the lowest level of the networking protocol stack. Firewalls rely on rules.

Rules: the configuration settings that define certain characteristics of an IP packet and the action to take for packets meeting the specified criteria.

The networking stack in Linux is contained in the kernel, which gives Linux great control over network packet management.

Page 6: IP Chains

IP Chains are lists of rules for how packets are handled. The Linux kernel includes three default (built-in) chains:

- Input chain: packets arriving from outside the system on which the rules are executed pass through it.
- Forward chain: packets arriving from outside the system that need to be routed on to another system pass through it.
- Output chain: packets originating within the system and destined for other systems pass through it.

User-defined chains can be added.

(Note: in ipchains a packet being routed through the host traverses all three chains in turn, input, then forward, then output, so a forwarded packet must be accepted by each of them. This differs from the later iptables, where a forwarded packet sees only the FORWARD chain of the filter table.)

Page 7: IP Chains

Page 8: Options in IP Chains

Page 9: Options in IP Chains

Append a new rule to a chain (-A):
  # ipchains -A input -s 127.0.0.1 -p icmp -j DENY

Insert a new rule at some position in a chain (-I); positions are counted from 1, and omitting the position inserts at the head:
  # ipchains -I input 1 -j DENY

Delete the first rule that matches in a chain (-D):
  # ipchains -D input -s 127.0.0.1 -p icmp -j DENY

Empty all rules out of a chain (-F):
  # ipchains -F forward

List all the rules in a chain (-L; -n prints addresses and ports numerically instead of resolving names):
  # ipchains -L -n input

Page 10: Options in IP Chains

-P: the default policy for a chain. When a packet reaches the end of a built-in chain without matching any rule, the policy of the chain determines the fate of the packet.

The policy can be any of ACCEPT, DENY, REJECT or MASQ. MASQ is only valid for the forward chain.

E.g. # ipchains -P forward DENY

Page 11: Options in IP Chains: -j ("jump to") target

- ACCEPT allows the packet through.
- DENY drops the packet as if it had never been received.
- REJECT drops the packet but (if it is not an ICMP packet) generates an ICMP reply to the source to tell it that the destination was unreachable.
- MASQ tells the kernel to masquerade the packet. For this to work, the kernel must be compiled with IP Masquerading enabled.
- REDIRECT tells the kernel to send the packet to a local port instead of wherever it was heading. It is only valid for packets traversing the input chain.
- RETURN is identical to falling off the end of the chain immediately: in a built-in chain the chain's policy applies; in a user-defined chain, evaluation continues in the chain that jumped to it.

Page 12: ipchains Example

E.g. 1
  # ping 127.0.0.1
  # ipchains -I input -s 127.0.0.1 -p icmp -j DENY
  # ping 127.0.0.1
(The first ping succeeds. After the rule is inserted at the head of the input chain, ICMP from 127.0.0.1 is dropped and the second ping gets no replies.)

E.g. 2
  # ipchains -A input -j DENY
  # ipchains -A input -s 192.168.10.0/0 -j ACCEPT
(Rules are checked in order and the first match wins, so with the DENY appended first the ACCEPT rule is never reached. Note also that a /0 mask matches every address, so as written the second rule would accept everything.)

Page 13: Options in IP Chains

-i specifies the name of an interface to match. An interface is the physical device the packet came in on or is going out on. Use the ifconfig command to list the interfaces which are "up".

What is the lo interface? The lo interface is usually called the loopback interface. If packets from a local process are destined for a local process, they go through the output chain with the interface set to "lo", then return through the input chain with the interface also "lo".

-p specifies the protocol: TCP, UDP or ICMP.

Page 14: Options in IP Chains

-s and -d specify the source and destination address. The address can be given:
- as a full name, such as localhost or www.linuxhq.com;
- as an IP address, such as 127.0.0.1;
- as a group of IP addresses (network/mask), such as 199.95.207.0/24.

For TCP and UDP, an extra argument can specify the port or an (inclusive) range of ports, written low:high; omitting one end means 0 or 65535 respectively.
  e.g., -p TCP -s 0.0.0.0/0 :1023    (any source address, source ports 0 to 1023)

Page 15: Options in IP Chains: ! (inversion)

Many flags can have their arguments preceded by "!" to match values NOT equal to the ones given.

E.g. 1, -s ! localhost matches any packet not coming from localhost.

E.g. 2, -p TCP -d 0.0.0.0/0 ! www specifies every TCP packet BUT a WWW packet (one to port 80).

How about the following?
  -p TCP -d ! 192.168.1.1 www
  -p TCP -d 192.168.1.1 ! www
  -p TCP -d ! 192.168.1.1 ! www
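Pages 9 to 15 describe the ipchains command syntax and its matching semantics but leave the three inversion questions open. The following Python model is an added example, not ipchains code and not from the course: it re-implements only the behaviour the slides state (rules tried in order with first match winning, the -P policy when nothing matches, TCP/UDP port ranges, and "!" inversion), with small constructed tables standing in for /etc/services and DNS. The fourth test packet and the "ssh" service entry are assumptions added for the demonstration.

```python
"""Toy model of ipchains rule evaluation (added example; not ipchains source).
Rules in a chain are tried in order and the first match decides; a built-in
chain's policy (-P) applies when nothing matches; '!' inverts an -s/-d/-p/-i
argument or a port; a port may be a name, a number or an inclusive low:high
range. Names come from constructed tables, not /etc/services or DNS."""
import ipaddress
import shlex
from collections import namedtuple

SERVICES = {"www": 80, "ssh": 22, "domain": 53}   # constructed subset of /etc/services
HOSTS = {"localhost": "127.0.0.1"}                 # constructed stand-in for name lookup
Packet = namedtuple("Packet", "src dst proto sport dport iface",
                    defaults=("TCP", 0, 0, "eth0"))

def _ports(tok):
    # 'www' -> (80, 80); ':1023' -> (0, 1023); '1024:' -> (1024, 65535)
    lo, _, hi = tok.partition(":") if ":" in tok else (tok, "", tok)
    lo, hi = SERVICES.get(lo, lo), SERVICES.get(hi, hi)
    return int(lo or 0), int(hi or 65535)

def parse_rule(tokens):
    """Turn ipchains match flags plus '-j target' into (checks, target)."""
    checks, target, i = [], None, 0
    while i < len(tokens):
        flag, i = tokens[i], i + 1
        inv = tokens[i] == "!"
        i += 1 if inv else 0
        val, i = tokens[i], i + 1
        if flag == "-j":
            target = val
        elif flag in ("-s", "-d"):
            checks.append((flag, ipaddress.ip_network(HOSTS.get(val, val), strict=False), inv))
            if i < len(tokens) and not tokens[i].startswith("-"):   # optional port spec
                pinv = tokens[i] == "!"
                i += 1 if pinv else 0
                checks.append((flag + "port", _ports(tokens[i]), pinv))
                i += 1
        elif flag in ("-p", "-i"):
            checks.append((flag, val.upper() if flag == "-p" else val, inv))
        else:
            raise ValueError(f"unsupported flag {flag}")
    return checks, target

def _match(check, pkt):
    kind, val, inv = check
    if kind in ("-s", "-d"):
        hit = ipaddress.ip_address(pkt.src if kind == "-s" else pkt.dst) in val
    elif kind in ("-p", "-i"):
        hit = (pkt.proto.upper() if kind == "-p" else pkt.iface) == val
    else:                                   # -sport / -dport: only TCP and UDP carry ports
        port = pkt.sport if kind == "-sport" else pkt.dport
        hit = pkt.proto.upper() in ("TCP", "UDP") and val[0] <= port <= val[1]
    return hit != inv                       # '!' flips the outcome

class Firewall:
    def __init__(self):
        self.chains = {"input": [], "forward": [], "output": []}
        self.policy = dict.fromkeys(self.chains, "ACCEPT")

    def run(self, cmdline):
        """Accept an 'ipchains ...' command line as typed on the slides ('#' optional)."""
        t = shlex.split(cmdline.lstrip("# "))
        op, chain, rest = t[1], t[2], t[3:]
        if op == "-P":
            self.policy[chain] = rest[0]
        elif op == "-A":
            self.chains[chain].append(parse_rule(rest))
        elif op == "-I":                    # position is optional and counted from 1
            pos = int(rest.pop(0)) if rest[0].isdigit() else 1
            self.chains[chain].insert(pos - 1, parse_rule(rest))
        elif op == "-D":                    # delete the first rule equal to the one given
            self.chains[chain].remove(parse_rule(rest))
        else:
            raise ValueError(f"unsupported operation {op}")

    def verdict(self, chain, pkt):
        """First matching rule wins; RETURN or no match falls through to the policy."""
        for checks, target in self.chains[chain]:
            if all(_match(c, pkt) for c in checks):
                if target == "RETURN":
                    break
                return target
        return self.policy[chain]

def ordering_example():
    """Slide 'E.g. 2': the DENY is appended first, so the later ACCEPT never fires."""
    fw = Firewall()
    fw.run("ipchains -A input -j DENY")
    fw.run("ipchains -A input -s 192.168.10.0/24 -j ACCEPT")
    return fw.verdict("input", Packet("192.168.10.7", "192.168.10.1"))   # "DENY"

def inversion_examples():
    """The three '!' rules from the slides, each tried against four packets."""
    pkts = [Packet("10.1.1.1", "192.168.1.1", dport=80),    # www to 192.168.1.1
            Packet("10.1.1.1", "192.168.1.1", dport=22),    # ssh to 192.168.1.1
            Packet("10.1.1.1", "10.2.2.2", dport=80),       # www to another host
            Packet("10.1.1.1", "10.2.2.2", dport=22)]       # ssh to another host
    specs = ["-p TCP -d ! 192.168.1.1 www", "-p TCP -d 192.168.1.1 ! www",
             "-p TCP -d ! 192.168.1.1 ! www"]
    return {s: [all(_match(c, p) for c in parse_rule(shlex.split(s))[0]) for p in pkts]
            for s in specs}
```

inversion_examples() shows that each of the three rules matches exactly one of the four packets: the first matches WWW traffic to any host except 192.168.1.1, the second non-WWW TCP traffic to 192.168.1.1, and the third non-WWW TCP traffic to any host other than 192.168.1.1. ordering_example() returns DENY even for a 192.168.10.x source, which is why a catch-all DENY belongs at the end of a chain (or in its policy), never before the rules it is meant to except.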

Page 16: What Not To Filter Out in ipchains

ICMP packets: ICMP packets are used to indicate failure for other protocols (such as TCP and UDP). Blocking these packets means that you will never get "Host unreachable" or "No route to host" errors; any connections will just wait for a reply that never comes.

TCP connections to DNS (nameservers): DNS doesn't always use UDP. If the reply from the server exceeds 512 bytes, the client retries over a TCP connection (still to port number 53) to get the data.

Page 17: Graphical Firewall Configuration Utilities

Linux supports several graphical tools that can be used to set up a firewall:
- Red Hat Linux includes the lokkit program, which walks you through questions and establishes rules based on your security choices.
- Red Hat Linux also includes the firewall-config program, which allows the set-up of complex firewall rules.

Page 18: Graphical Firewall Configuration Utilities – Lokkit (1)

Page 19: Graphical Firewall Configuration Utilities – Lokkit (2)

Page 20: Graphical Firewall Configuration Utilities – firewall-config (1)

Page 21: Graphical Firewall Configuration Utilities – firewall-config (2)

Page 22: NetFilter / IP Tables

NetFilter is the new and improved Linux packet filtering system and uses a different architecture than IP Chains. It provides hooks at five different points in packet processing (pre-routing, local input, forward, local output and post-routing). A hook refers to the ability to connect another program at that point. The lists of rules associated with the hooks are similar to IP Chains and are called IP Tables.

Page 23: Using NetFilter / IP Tables

NetFilter / IP Tables provide:
- The ability to act on packets based on their connection state (stateful packet filtering).
- Examination and alteration of just about any header field in a packet (packet mangling).
- Selection of packets to be logged based on the value of any header field.
- Passing of packets to regular Linux programs for further processing outside of the Linux kernel.
- Implementation of intelligent routing based on Quality of Service (QoS) features.

Page 24: Index (next section: NAT and proxy)

Page 25: Network Address Translation and IP masquerading

The IP Chains feature also provides a special routing functionality: Network Address Translation (NAT). NAT is a routing technique that alters the address or other header information in a packet. One popular type of NAT is IP masquerading: network address translation in which packets from many computers on a LAN appear as if they came from one computer (the gateway).

Page 26: IP masquerading

  # ipchains -A forward -s 192.168.100.0/24 -j MASQ

Page 27: NAT pros and cons

NAT pros:
- Using NAT, a single public IP address can permit an entire LAN to connect to the Internet.
- Behind the router, the same private IP addresses can be reused on every LAN.
- A remote computer cannot connect to a client within a masqueraded LAN; the router effectively hides the entire LAN.

NAT cons:
- IP masquerading can make some network services (FTP, IRC, streaming audio) unworkable. Q: Why? (These protocols either embed the client's private IP address and port inside the application payload, or expect the remote side to open a second connection back to the client; rewriting only the IP header handles neither.) To make these protocols work, additional kernel modules (masquerading helpers) for the specific protocols have to be installed.
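To make the "Q: Why?" above concrete, here is an added Python model of masquerading; it is not Linux kernel code and not from the course. It shows the port-mapping table the gateway keeps, why an unsolicited inbound packet finds no entry, and why active-mode FTP fails until a protocol helper rewrites the PORT command. The PORT encoding and the use of ports 20 and 21 follow RFC 959; the addresses are constructed documentation-range values, and the starting port number and the helper logic are simplifications.

```python
"""Toy model of IP masquerading (added example; not kernel code).
The gateway rewrites the source of each outbound LAN packet to its own public
address plus a port it allocates, keeps the mapping, and reverses it for
replies.  Two slide claims fall out: an unsolicited inbound packet has no
mapping and is dropped, and active-mode FTP breaks because the client's
private address travels inside the PORT command, where plain header
rewriting never looks; a protocol helper (ip_masq_ftp in Linux 2.2) fixes it.
Addresses below are constructed documentation-range values."""
from dataclasses import dataclass

@dataclass
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""

def parse_port_cmd(payload):
    """FTP 'PORT h1,h2,h3,h4,p1,p2' -> (ip, port), port = p1*256 + p2 (RFC 959)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in payload[5:].split(","))
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def port_cmd(ip, port):
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)])

class Masquerader:
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.table = {}          # public port -> (lan ip, lan port, remote ip, remote port)
        self.next_port = 61000   # a high port range, as Linux 2.2 masquerading used

    def allocate(self, lan_ip, lan_port, remote_ip, remote_port):
        """Reuse the mapping for this 4-tuple or allocate a new public port for it."""
        key = (lan_ip, lan_port, remote_ip, remote_port)
        for port, entry in self.table.items():
            if entry == key:
                return port
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = key
        return port

    def outbound(self, p):
        """LAN -> Internet: the source becomes the gateway's address and allocated port."""
        port = self.allocate(p.src, p.sport, p.dst, p.dport)
        return Pkt(self.public_ip, port, p.dst, p.dport, p.payload)

    def inbound(self, p):
        """Internet -> LAN: deliver only if a mapping matches; otherwise drop (None)."""
        entry = self.table.get(p.dport)
        if p.dst != self.public_ip or entry is None or entry[2:] != (p.src, p.sport):
            return None
        return Pkt(p.src, p.sport, entry[0], entry[1], p.payload)

def ftp_helper(m, p):
    """Simplified masquerading helper: rewrite the private address in PORT and
    pre-register the data connection the server will open from port 20 (ftp-data)."""
    if not p.payload.startswith("PORT "):
        return p
    lan_ip, lan_port = parse_port_cmd(p.payload)
    pub_port = m.allocate(lan_ip, lan_port, p.dst, 20)
    return Pkt(p.src, p.sport, p.dst, p.dport, port_cmd(m.public_ip, pub_port))

def active_ftp(with_helper):
    """Where the FTP server's data connection lands: (lan ip, port), or None if nowhere."""
    m, server = Masquerader("203.0.113.1"), "198.51.100.9"
    # Constructed scenario: LAN client 192.168.100.5 asks the server to connect back to port 1025
    cmd = m.outbound(Pkt("192.168.100.5", 40000, server, 21, port_cmd("192.168.100.5", 1025)))
    if with_helper:
        cmd = ftp_helper(m, cmd)
    ip, port = parse_port_cmd(cmd.payload)              # the address the server is told to dial
    delivered = m.inbound(Pkt(server, 20, ip, port))    # the server's connection reaching the gateway
    return None if delivered is None else (delivered.dst, delivered.dport)
```

Without the helper the server is told to connect to 192.168.100.5, a private address that is unroutable from the Internet and has no entry in the gateway's table, so the data connection never arrives; with the helper the PORT command advertises the gateway's own address and a pre-allocated port, and the inbound connection is translated back to the client. The same table lookup is what makes "a remote computer cannot connect to a client within a masqueraded LAN" true for every protocol.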

Page 28: Proxy Server

A proxy server is very similar to IP masquerading, but the proxy works at the application level, not the IP level. Each client on the LAN must be configured to use the proxy's special port (instead of the service's default port). E.g., Squid is a proxy server for Linux; clients use a port such as 8080 or 8008 (Squid's own default is 3128) instead of the default web port 80.

A proxy server:
- provides security against outside attacks by insulating clients;
- lets you control access to outside systems;
- can cache the results (such as web pages) to improve performance.

Page 29: Proxy server

Page 30: Transparent proxy

Transparent proxy: IPchains or IPtables can redirect packets based on the port to which the packet is addressed. This is an alternative to configuring every client for a proxy server; the clients need no configuration, the proxy activity is "transparent" to them.

- All clients' request packets must pass through a gateway to reach the Internet.
- The router is configured to redirect some packets (e.g. those addressed to port 80) to a particular port at the proxy server.
- The proxy server masquerades these packets and sends them out.
- The proxy server also processes the packets received from the Internet and returns them to the client.

Page 31: Transparent Proxying

Page 32: Index (next section: Protect network traffic through encryption)

Page 33: Encrypting Network Traffic

What we have covered: the firewall restricts network traffic; the special routing techniques isolate clients in a LAN from the Internet.

However, the contents of packets, on the LAN or across the Internet, are visible to everyone on the path. With a network analysis tool (a sniffer), an attacker can view the packets. The general strategy is to encrypt the packets. Some solutions:
- Secure Shell (SSH)
- IPsec

(Note: IPsec operates at the network layer; it is more flexible, but more complex and with higher overhead.)

Page 34: The Secure Shell (SSH)

The Secure Shell (SSH) package is a client-server protocol similar to Telnet: a client program ssh and a server program sshd. SSH replaces Telnet and rlogin for better security.

SSH uses the same hybrid encryption techniques as GPG:
1. Exchange asymmetric (public) keys to establish the identity of the server and, optionally, of the user requesting a connection.
2. Pass a symmetric session key securely.
3. Encrypt all subsequent traffic with the symmetric session key.

Page 35: OpenSSH

The OpenSSH implementation of SSH is used on most Linux distributions. OpenSSH is available for other OSs, such as UNIX, Windows, Macintosh, PalmOS, ...

A client program ssh and a server daemon sshd:
  $ man ssh
  $ man sshd

SSH connections use port 22 by default.

Make sure the sshd daemon is running on the system to which you want to connect. To check the status of the sshd daemon:
  $ /etc/rc.d/init.d/sshd status

Make sure no firewall is blocking traffic on port 22 between your client and server computer.

Page 36: SSH1 & SSH2

OpenSSH supports two protocol versions:

SSH1 uses a public key encryption system to authenticate connections, but its protection of the subsequent traffic is weak: integrity relies on a CRC-32 checksum rather than a cryptographic MAC, which is exploitable, and the protocol is obsolete (current OpenSSH releases no longer support it).

SSH2 uses a more robust authentication and key-exchange process and supports strong encryption with integrity protection of all network traffic, using ciphers such as AES (128-, 192- or 256-bit), Blowfish and CAST128.

Page 37: Different Ways to Authenticate in SSH

Method 1. Rely on the r-utilities files, e.g. ~/.rhosts. Insecure, not recommended.

Method 2. Use password authentication:
1. Log in to an SSH server with a user name and password held on the server.
2. $ ssh -l username server
3. You are then prompted for the password.
4. This method is much better than the rhosts method or unencrypted Telnet, because the password travels inside the encrypted session.
5. However, it does NOT authenticate the user with a public key: only the server is authenticated (by its host key), and the user's secret is still a guessable password.

Page 38: Use public key authentication in SSH

Method 3. Public key authentication is a more secure way to authenticate a connection in SSH. You must set up a key pair for your own user account:
  $ ssh-keygen -t rsa -b 2048
-t specifies the key type (either RSA or DSA); -b specifies the key size (the default was 1024 bits in the OpenSSH version the slides describe; newer releases default to 2048 or 3072 bits and no longer accept DSA keys by default).

Your private key is stored in ~/.ssh/id_rsa and your public key in ~/.ssh/id_rsa.pub.

Enter a passphrase to protect your SSH key pair. It is optional: you may press Enter to leave the key pair unprotected by a passphrase. This decision depends on who else is using your computer and how you intend to use ssh to access your account on remote systems; an unprotected private key lets anyone who can read the file log in as you, so it belongs only on a machine you fully control.

Page 39: Use public key authentication in SSH (2)

Once a key pair is generated on one account, place the public key from that account in the ~/.ssh/authorized_keys file on each system where you want to log in using ssh. Append it to the file rather than overwriting, since the file may already hold other keys.

This can be done through scp, FTP, email or floppy disk (modern OpenSSH also ships ssh-copy-id, which does it over an SSH connection), e.g. copy from Alice's PC
  /home/alice/.ssh/id_rsa.pub
to Bob's PC
  /home/bob/.ssh/authorized_keys

Only the .pub file is copied; the private key (id_rsa) stays on Alice's PC. On the server, ~/.ssh must not be writable by group or others and authorized_keys should be mode 600, otherwise sshd (with its default StrictModes yes) refuses to use the file.
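The copy step above is where many public-key setups go wrong in practice: the new key is written over an existing authorized_keys, or the file ends up with permissions sshd refuses. The following Python example is added here and is not OpenSSH code or part of the course; it installs a key the careful way in a scratch home directory (append, skip a key that is already present, set 0700/0600) and reports the permission problems sshd's StrictModes would object to. The key line is constructed with a placeholder blob, and the path names are assumptions.

```python
"""Install a public key into ~/.ssh/authorized_keys as the slides describe
(added example; not OpenSSH code).  It appends instead of overwriting, skips a
key that is already present, sets the permissions sshd's StrictModes expects
(0700 for ~/.ssh, 0600 for authorized_keys) and can report the permission
problems that would make sshd ignore the file.  The key line below is
constructed; its base64 blob is a placeholder, not a real key."""
import os
import stat
import tempfile
from pathlib import Path

ALICE_PUB = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDplaceholderPlaceholderKey== alice@alice-pc"

def key_identity(line):
    """(type, base64 blob) of a public key line; the comment and any leading
    options are ignored when deciding whether two lines are the same key."""
    fields = line.split()
    for i, f in enumerate(fields[:-1]):
        if f.startswith(("ssh-", "ecdsa-")):
            return f, fields[i + 1]
    raise ValueError("not an OpenSSH public key line")

def install_public_key(home, pub_line):
    """Append pub_line to <home>/.ssh/authorized_keys; return True if it was added."""
    ssh_dir = Path(home) / ".ssh"
    ssh_dir.mkdir(exist_ok=True)
    os.chmod(ssh_dir, 0o700)                       # mkdir's mode is subject to umask; be explicit
    auth = ssh_dir / "authorized_keys"
    wanted = key_identity(pub_line)
    existing = auth.read_text().splitlines() if auth.exists() else []
    for line in existing:
        if line.strip() and not line.startswith("#") and key_identity(line) == wanted:
            return False                           # this key is already authorised
    with auth.open("a") as f:                      # append: never clobber other keys in the file
        f.write(pub_line.strip() + "\n")
    os.chmod(auth, 0o600)
    return True

def strict_modes_problems(home):
    """Paths sshd (StrictModes yes) would reject: $HOME, ~/.ssh or authorized_keys
    writable by group or others.  (sshd also checks ownership; omitted here.)"""
    ssh_dir = Path(home) / ".ssh"
    problems = []
    for p in (Path(home), ssh_dir, ssh_dir / "authorized_keys"):
        if p.exists() and p.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{p} is group- or world-writable")
    return problems

def demo():
    """Run the install three times in a scratch home directory and report what happened."""
    home = tempfile.mkdtemp()
    first = install_public_key(home, ALICE_PUB)
    second = install_public_key(home, ALICE_PUB)                               # exact duplicate
    third = install_public_key(home, ALICE_PUB.replace("alice-pc", "laptop"))  # same key, new comment
    auth = Path(home) / ".ssh" / "authorized_keys"
    clean = strict_modes_problems(home)
    os.chmod(Path(home) / ".ssh", 0o777)           # simulate a careless chmod on the server
    return {"added": (first, second, third),
            "lines": len(auth.read_text().splitlines()),
            "mode": stat.S_IMODE(auth.stat().st_mode),
            "clean": clean,
            "problems": strict_modes_problems(home)}
```

demo() adds the key once, reports the two repeats as already present, leaves authorized_keys at mode 0600 with a single line, and flags ~/.ssh only after it has been made world-writable. Deduplicating on the key type and blob rather than the whole line matters because the trailing comment is free text and the same key often arrives with different comments from different machines.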

Page 40: OpenSSH features

OpenSSH supports a number of useful features:
- Replaces telnet and rlogin.
- Secures connections for protocols that are not inherently secure, e.g. the X protocol for serving remote graphical applications. (The detailed steps on p505 are not required in this course.)
- Port forwarding: a routing technique that allows many other protocols to be carried encrypted over SSH connections, e.g., SMTP, FTP, POP3, SWAT (the Samba Web Administration Tool).

Page 41: Example of Port forwarding in SSH

A system administrator wants to use SWAT to manage many Samba servers on a large LAN from a single client system.
1. However, when using SWAT in a browser, none of the traffic (including the password you must enter) is encrypted.

Page 42: Other Tunneling Protocols

The concept behind SSH port forwarding is that you can tunnel an insecure protocol inside a secure protocol.

The Point-to-Point Tunneling Protocol (PPTP) is a standard for creating a virtual private network (VPN). Microsoft created PPTP. PPTP uses two communication channels between a client and a server: a control channel and an encrypted data channel. (PPTP's usual authentication, MS-CHAP, and its MPPE encryption have well-known weaknesses, so PPTP is no longer considered a secure VPN choice.)

The stunnel section (p508–509) is NOT required in this course.

Page 43: Tunneling an insecure protocol under a secure protocol