Firewall
References
• Computer Networking: A Top Down Approach ,Chapters 1 and 8, 4th edition. Jim Kurose, Keith Ross, Addison-Wesley, July 2007.
• 資訊安全 – 網際網路安全與數位鑑識科學 (Information Security: Internet Security and Digital Forensics). 王旭正, 高大宇, ICCL (Information Cryptography and Construction Laboratory). 博碩文化 (DrMaster Press).
Network Security (1/2)
• Attacks on Internet infrastructure
  – Infecting/attacking hosts by malware: spyware, worms, unauthorized access (data stealing, user accounts)
  – Denial of Service
    • Deny access to resources (servers, link bandwidth)
    • Distributed Denial of Service (DDoS)
Network Security (2/2)
• Internet not originally designed with (much) security in mind
  – Original vision: “a group of mutually trusting users attached to a transparent network”
  – Internet protocol designers playing “catch-up”
  – Security considerations in all layers!
• System bugs and holes
• Social engineering
Malware (1/2)
• Spyware
  – Infection by downloading a web page with spyware
  – Records keystrokes, web sites visited; uploads info to a collection site
• Virus
  – Infection by receiving an object (e.g., e-mail attachment) and actively executing it
  – Self-replicating: propagates itself to other hosts, users
• Worm
  – Infection by passively receiving an object that gets itself executed
  – Self-replicating
Denial of Service (DoS)
• Attackers make resources (ex: servers, bandwidth) unavailable to legitimate traffic by overwhelming the resource with bogus traffic.
  – Weak attack
  – Bandwidth overload
  – Connection overload
(Diagram: attackers send bogus traffic, ex: UDP packets or TCP requests, toward the target)
Some Types of DoS
• Smurf attack
  – Ex: ping broadcasts (destination is 210.5.255.255)
• Mail bomb
  – SPAM
• Window system attack
• SYN flooding
• Buffer overflow
  – ping of death
Create A TCP Connection
(Diagram: three-way handshake between client and server)
  Client -> Server: SYN=1, Seq = 2000
  Server -> Client: SYN=1, ACK=1, Seq = 4000, ACK # = 2001, Window size
  Client -> Server: ACK=1, Seq = 2001, ACK # = 4001, data
Step 1: client host sends TCP SYN segment to server
  – specifies initial seq #
  – no data
Step 2: server host receives SYN, replies with SYNACK segment
  – server allocates buffers
  – specifies server initial seq. #
Step 3: client receives SYN/ACK, replies with ACK segment, which may contain data
Distributed DoS (DDoS)
• Attackers make resources (ex: servers, bandwidth) unavailable to legitimate traffic by overwhelming the resource with bogus traffic.
  1. select target
  2. break into hosts around the network (see malware)
  3. send packets toward target from compromised hosts
(Diagram: compromised hosts flooding the target)
Packet Sniffing
• Promiscuous network interface reads & records all packets passing by
  – Accepts all packets on broadcast media
  – Wireshark (Ethereal) is a packet-sniffer!
  – Sniff, modify, delete your packets
(Diagram: Alice, Bob and C share the medium; C reads the packet “src:B dest:A payload” that Bob sends to Alice)
IP Spoofing
• Send packet with a false source address
• Requires end-point authentication
(Diagram: C sends “src:B dest:A payload” to A, claiming to be B)
Masquerade as you (1/2)
• Record-and-playback
  – Sniff sensitive information (e.g., password), and use it later.
(Diagram: C records “src:B dest:A user: B; password: foo” as B logs in to A)
Masquerade as you (2/2)
• From the system's point of view, whoever holds the password is that user
• Man-in-the-middle attack
(Diagram: later, C replays “src:B dest:A user: B; password: foo” to A)
How to Provide Security?
• More throughout this course
• Cryptographic techniques: obvious uses and not so obvious uses
• Firewall
Firewalls
• To isolate an organization’s internal network from the Internet, allowing some packets to pass, blocking others.
(Diagram: administered network <-> firewall <-> public Internet)
Goals of Firewalls
• Prevent denial of service attacks
  – SYN flooding: attacker establishes many bogus TCP connections, no resources left for “real” connections
• Prevent illegal modification/access of internal data.
  – E.g., attacker replaces Central Intelligence Agency’s homepage with something else
• Allow only authorized access to inside network (set of authenticated users/hosts)
Types of Firewalls
• Three types of firewalls:
  – Stateless packet filters
  – Stateful packet filters
  – Application gateways
Stateless Packet Filtering
• Router filters packet-by-packet; decision to forward/drop packet based on
  – Source IP address, destination IP address
  – TCP/UDP source and destination port numbers
  – ICMP message type
  – TCP SYN and ACK bits
• Should arriving packet be allowed in? Departing packet let out?
(Diagram: router firewall between the internal network and the Internet)
Stateless Packet Filtering Policy
• Example 1: Block incoming and outgoing datagrams with protocol number=17 and with either source or destination port=23.
  – All incoming, outgoing UDP flows and telnet connections are blocked.
• Example 2: Block inbound TCP segments with ACK=0.
  – Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.
Policy & Firewall Setting
Policy: No outside Web access.
  Firewall setting: Drop all outgoing packets to any IP address, port 80
Policy: No incoming TCP connections, except those for institution’s public Web server only.
  Firewall setting: Drop all incoming TCP SYN packets to any IP except 130.207.244.203, port 80
Policy: Prevent Web-radios from eating up the available bandwidth.
  Firewall setting: Drop all incoming UDP packets, except DNS and router broadcasts.
Policy: Prevent your network from being used for a smurf DoS attack.
  Firewall setting: Drop all ICMP packets going to a “broadcast” address (eg 130.207.255.255).
Policy: Prevent your network from being tracerouted
  Firewall setting: Drop all outgoing ICMP TTL expired traffic
Access Control Lists
• Table of rules, applied to all packets

action  source address        dest address          protocol  source port  dest port  flag bit
allow   222.22/16             outside of 222.22/16  TCP       > 1023       80         any
allow   outside of 222.22/16  222.22/16             TCP       80           > 1023     ACK
allow   222.22/16             outside of 222.22/16  UDP       > 1023       53         ---
allow   outside of 222.22/16  222.22/16             UDP       53           > 1023     ----
deny    all                   all                   all       all          all        all
Question of Stateless Packet Filtering
• Heavy-handed tool
• Admits packets that “make no sense,” e.g., destination port = 80, ACK bit set, even though no TCP connection established.

action  source address        dest address  protocol  source port  dest port  flag bit
allow   outside of 222.22/16  222.22/16     TCP       80           > 1023     ACK

Example packet: Source IP: 150.23.23.155, Destination IP: 222.22.0.2, Source port: 80, Destination port: 12543
Stateful Packet Filtering
• Track status of every TCP connection
  – Track connection setup (SYN), teardown (FIN): can determine whether incoming, outgoing packets “make sense”
  – Timeout inactive connections at firewall: no longer admit packets
  – ACL augmented to indicate need to check connection state table before admitting packet
Example packet: Source IP: 150.23.23.155, Destination IP: 222.22.0.2, Source port: 80, Destination port: 12543
Cisco Router Example
• Block all packets from the host with IP 211.21.160.12 from entering network 168.95.35.0/24.
R2(config)#access-list 21 deny host 211.21.160.12
R2(config)#access-list 21 permit any
R2(config)#interface serial 1
R2(config-if)#ip access-group 21 in
any = 0.0.0.0 255.255.255.255
An implicit “deny ip any any” is hidden at the end of the list. “host” denotes a specific host, so no wildcard mask is needed.
(Diagram: R1 (e0) on the 211.21.160.12/24 side; R2 (S0, S1, e0) fronting 168.95.35.0/22 and 10.5.3.0/24; the ACL is applied inbound on R2 serial 1)
ACL for Stateful Packet Filtering

action  source address        dest address          proto  source port  dest port  flag bit  check connection
allow   222.22/16             outside of 222.22/16  TCP    > 1023       80         any
allow   outside of 222.22/16  222.22/16             TCP    80           > 1023     ACK       x
allow   222.22/16             outside of 222.22/16  UDP    > 1023       53         ---
allow   outside of 222.22/16  222.22/16             UDP    53           > 1023     ----      x
deny    all                   all                   all    all          all        all
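The following is an added example, not code from the slides: it encodes the ACL table above as a stateless filter, then adds the "check connection" column as a connection table, and runs the slide's port-80 packet (150.23.23.155:80 to 222.22.0.2:12543, ACK set) through both. Packet values are constructed; the class and function names are this example's own.

```python
# Added example (not from the slides): the ACL table evaluated statelessly and with a connection table.
import ipaddress
from typing import NamedTuple

INSIDE = ipaddress.ip_network("222.22.0.0/16")  # the 222.22/16 network in the ACL
class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str         # "TCP" or "UDP"
    ack: bool = False  # TCP ACK flag bit

def _inside(ip): return ipaddress.ip_address(ip) in INSIDE
def stateless_action(p):
    """The four allow rows of the ACL; anything else hits the final deny-all row."""
    out = _inside(p.src) and not _inside(p.dst)  # inside -> outside of 222.22/16
    inn = _inside(p.dst) and not _inside(p.src)  # outside of 222.22/16 -> inside
    if p.proto == "TCP" and out and p.sport > 1023 and p.dport == 80:
        return "allow"  # outbound HTTP request
    if p.proto == "TCP" and inn and p.sport == 80 and p.dport > 1023 and p.ack:
        return "allow"  # inbound HTTP reply, ACK bit set
    if p.proto == "UDP" and out and p.sport > 1023 and p.dport == 53:
        return "allow"  # outbound DNS query
    if p.proto == "UDP" and inn and p.sport == 53 and p.dport > 1023:
        return "allow"  # inbound DNS reply
    return "deny"

class StatefulFilter:
    """Same ACL; rows marked 'check connection' also require a recorded outbound flow."""
    def __init__(self):
        self.table = set()  # (inside ip, inside port, outside ip, outside port, proto)
    def action(self, p):
        if stateless_action(p) == "deny":
            return "deny"
        if _inside(p.src):  # outbound: record the flow so its reply can come back
            self.table.add((p.src, p.sport, p.dst, p.dport, p.proto))
            return "allow"
        key = (p.dst, p.dport, p.src, p.sport, p.proto)
        return "allow" if key in self.table else "deny"

def demo():
    # Constructed from the slide: a port-80 "reply" with ACK set that no inside host asked for.
    bogus = Packet("150.23.23.155", 80, "222.22.0.2", 12543, "TCP", ack=True)
    fw = StatefulFilter()
    first = (stateless_action(bogus), fw.action(bogus))  # ("allow", "deny")
    fw.action(Packet("222.22.0.2", 12543, "150.23.23.155", 80, "TCP"))  # genuine outbound request
    return first, fw.action(bogus)  # (("allow", "deny"), "allow")
```

The stateless filter admits the orphan reply because it matches the second ACL row; the stateful filter drops it until an inside host has actually opened the connection.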
Application Gateways
• Filters packets on application data as well as on IP/TCP/UDP fields.
(Diagram: host-to-gateway telnet session, then gateway-to-remote-host telnet session; the application gateway sits behind the router and filter)
Application Gateways Example
• Allow selected internal users to telnet outside.
  1. Require all telnet users to telnet through the gateway.
  2. For authorized users, the gateway sets up a telnet connection to the destination host. The gateway relays data between the 2 connections.
  3. Router filter blocks all telnet connections not originating from the gateway.
Comparison
• Stateless/stateful filters
  – Operate on TCP/IP headers only
  – No correlation check among sessions
• Application gateways
  – Inspect the application data
  – Intrusion detection system (IDS)
    • Detect and alert if something is wrong
  – Intrusion prevention system (IPS)
    • Detect, alert and filter out
Intrusion Detection Systems (IDS)
• Deep packet inspection: look at packet contents
  – E.g., check character strings in packet against database of known virus, attack strings
• Examine correlation among multiple packets
  – Port scanning
  – Network mapping
  – DoS attack
Multiple IDSs
• Different types of checking at different locations
(Diagram: Internet, firewall, application gateway and internal network; a demilitarized zone with Web server, FTP server and DNS server; IDS sensors placed at several points)
Limitations of Firewalls (1/2)
• IP spoofing: router can’t know if data “really” comes from claimed source
• If multiple apps need special treatment, each has its own app gateway.
• Client software must know how to contact the gateway.
  – e.g., must set IP address of proxy in Web browser
Limitations of Firewalls (2/2)
• Filters often use an all-or-nothing policy for UDP.
• Tradeoff: degree of communication with the outside world vs. level of security
• Many highly protected sites still suffer from attacks.
Web Site Attack
1. Parameter tampering
   – Cause and attack method: the programmer passes values through hidden fields without checking them, so an attacker can modify the field values and send forged data.
   – Impact: the attacker can send forged data and alter the site's transaction behaviour.
2. Cross-site scripting (A1)
   – Cause and attack method: the site program lets user input be displayed on the site without filtering the input.
   – Impact: lets a malicious attacker inject malicious JavaScript into the site, affecting other innocent visitors.
3. SQL injection (A2)
   – Cause and attack method: the web program does not filter special characters, so an attacker can control the back-end database.
   – Impact: database contents can be stolen; in severe cases the attacker gains control of the database host.
4. Directory traversal
   – Cause and attack method: the web program does not filter special characters, so an attacker can enter special escape strings and browse files.
   – Impact: files on the Web host can be browsed; in severe cases the attacker gains control of the system.
5. Command injection (A2)
   – Cause and attack method: the web program does not filter special characters, so an attacker can enter specific characters followed by a command to issue commands to the server.
   – Impact: commands can be issued on the Web host; in severe cases the attacker gains control of the system.
6. Directory listing
   – Cause and attack method: server misconfiguration lets an attacker list all files under a site directory.
   – Impact: confidential files in the directory may be exposed.
Normal Connection
(Diagram: client sends the login form across the Internet to the server)
Input: ID=A123456789, Passwd=1234
SELECT * FROM member WHERE UID = 'A123456789' AND Passwd='1234'
SQL Injection Attack
(Diagram: client sends the crafted login form across the Internet to the server)
Input: ID=Admin' --, Passwd=1234
SELECT * FROM member WHERE UID = 'Admin' --' AND Passwd='1234'   ## bypasses the Passwd check
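An added example, not from the slides: the login query above built by string concatenation, beside the parameterised form that closes the hole, both run against a constructed in-memory SQLite member table. Function names and sample rows are this example's own.

```python
# Added example (not from the slides): the slides' login query built by string
# concatenation beside its parameterised form, run on a constructed member table.
import sqlite3

def make_db():
    """Constructed sample data standing in for the site's member table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE member (UID TEXT, Passwd TEXT)")
    db.executemany("INSERT INTO member VALUES (?, ?)",
                   [("Admin", "s3cret"), ("A123456789", "1234")])
    return db

def built_query(uid, passwd):
    """The SQL text the vulnerable version actually sends (useful for log review)."""
    return f"SELECT * FROM member WHERE UID = '{uid}' AND Passwd = '{passwd}'"

def login_vulnerable(db, uid, passwd):
    """Exactly the slide's construction: user input is pasted into the SQL text,
    so an ID of  Admin' --  turns the password clause into a comment."""
    return db.execute(built_query(uid, passwd)).fetchone() is not None

def login_safe(db, uid, passwd):
    """Parameterised query: the driver binds the values separately from the SQL,
    so quotes and -- in the input are compared as literal text, never parsed."""
    sql = "SELECT * FROM member WHERE UID = ? AND Passwd = ?"
    return db.execute(sql, (uid, passwd)).fetchone() is not None
```

With the vulnerable function the ID `Admin' --` logs in with any password; with the parameterised one the same input is simply a UID that does not exist.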
Cross Site Scripting (XSS)
• Server does not check the page parameters.
• Server does not check uploaded data (ex: YouTube).
• Web page has a malicious script attached.
  – Ex: JavaScript, VBScript
XSS Case 1: stealing cookies
(Diagram: a site with an XSS vulnerability, the victim's browser and the hacker's computer)
  1. Hacker finds the XSS vulnerability and posts a malicious article.
  2. Hacker waits patiently for a victim to take the bait.
  3. Victim, happily surfing the web, logs in and views the malicious article.
  4. The script bounces the victim's cookie values to the hacker's computer.
  5. Hacker uses the captured identity to do bad things.
  6. Victim: “Sob... I didn't do anything!!”
XSS Case 2: planting malware (掛馬)
(Diagram: portal site A with an XSS vulnerability, the victim's browser, the hacker's computer and the hacker's server)
  1. Hacker finds the XSS vulnerability on portal site A.
  2. Hacker sends mail containing a malicious link.
  3. Victim, happily surfing the web, receives the malicious mail (after a nap).
  4. Victim carefully confirms that the domain is site A and clicks with confidence.
  5. Victim's browser downloads the malicious program from the hacker's server.
  6. Victim: “Hit again! Even the lottery isn't this accurate...”
  7. Hacker: “You're my zombie (肉雞), you're my baby.” The hacker obtains remote control of the victim's machine.
Web Application Firewall (1/2)
• Reverse proxy acts as an intermediary between a client browser and Web server.
(Diagram: Client, CWAF transparent proxy and Web AP server, each with Application / Transport / Internet / Network Interface layers; the proxy sits in the HTTP path, monitors and analyses the traffic, and accepts or blocks each request)