1 / 44

Network and System Security Risk Assessment

In this article, we discuss the potential risks associated with network and system security and review the importance of using firewalls. Topics covered include sniffing, stateful firewall, iptables, and examples of firewall configurations.

garagon
Download Presentation

Network and System Security Risk Assessment

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Network and System Security Risk Assessment Firewall

  2. Review • Last week, we have talked about sniffer and firewall • Sometimes, sniffer can sniff users’ private information • http, telnet…. • Wireshark sniffing on the network • Firewall can control a computer/network communication • Iptables, ufw

  3. Review • Stateful firewall • Traditional: to allow outgoing website visiting and to drop other communication • To allow input tcp with source port 80 and ack • Can’t visit websites on ports other than 80 • To use stateful firewall • State tracking

  4. Review • Iptables examples • Disable to be pinged, enable to ping • To limit the number of pings • To change the source IP of a ping packet sent out from our machine

  5. Review • Iptables Examples • Prevent a machine from telneting to other machines • Prevent a telnet server from being connected by other machines • Prevent inner network from connecting a social network

  6. Review • Iptables example • To force redirect • 1. to change the output packet to a specific website • 2. to change the incoming packet to a specific server or port

  7. Review • Iptables example • the secure version of telnet: ssh • Besides encryption, ssh has another function: port forwarding • Using ssh port forwarding, firewall rules can be bypassed

  8. Review • Iptables example • ftp server: only allows localhost ftp service • Also demonstrate ftp data and control connections • On the server, ftp is blocked • On the client, we try to do ssh port forwarding

  9. Review • Iptables example • Support squid to act as a web proxy • iptables -t nat -A PREROUTING  -p tcp --dport 80 -j REDIRECT --to-ports 3128

  10. MAKEFILE

  11. Makefiles • Provide a way for separate compilation. • Describe the dependencies among the project files. • The makeutility.

  12. Using makefiles Naming: • makefile or Makefile are standard • other name can be also used Running make make make –f filename – if the name of your file is not “makefile” or “Makefile” make target_name – if you want to make a target that is not the first one

  13. Sample makefile target : dependencies TAB commands #shell commands • Makefiles main element is called a rule: Example: my_prog : eval.o main.o g++ -o my_prog eval.o main.o eval.o : eval.c eval.h g++ -c eval.c main.o : main.c eval.h g++ -c main.c _________________________ # -o to specify executable file name # -c to compile only (no linking)

  14. Variables C = g++ OBJS = eval.o main.o HDRS = eval.h my_prog : eval.o main.o $(C) -o my_prog $(OBJS) eval.o : eval.c $(C) –c –g eval.c main.o : main.c $(C) –c –g main.c $(OBJS) : $(HDRS) The old way (no variables) A new way (using variables) Defining variables on the command line: Take precedence over variables defined in the makefile. make C=cc my_prog : eval.o main.o g++ -o my_prog eval.o main.o eval.o : eval.c eval.h g++ -c –g eval.c main.o : main.c eval.h g++ -c –g main.c

  15. Implicit rules • Implicit rules are standard ways for making one type of file from another type. • There are numerous rules for making an .o file – from a .c file, a .p file, etc. make applies the first rule it meets. • If you have not defined a rule for a given object file, make will apply an implicit rule for it. Example: Our makefile The way make understands it my_prog : eval.o main.o $(C) -o my_prog $(OBJS) $(OBJS) : $(HEADERS) my_prog : eval.o main.o $(C) -o my_prog $(OBJS) $(OBJS) : $(HEADERS) eval.o : eval.c $(C) -c eval.c main.o : main.c $(C) -c main.c

  16. Defining implicit rules %.o : %.c $(C) -c –g $< C = g++ OBJS = eval.o main.o HDRS = eval.h my_prog : eval.o main.o $(C) -o my_prog $(OBJS) $(OBJS) : $(HDRS) Avoiding implicit rules - empty commands target: ; #Implicit rules will not apply for this target.

  17. Automatic variables target : dependencies TAB commands #shell commands Automatic variables are used to refer to specific part of rule components. eval.o : eval.c eval.h g++ -c eval.c $@ - The name of the target of the rule (eval.o). $< - The name of the first dependency (eval.c). $^ - The names of all the dependencies (eval.c eval.h). $? - The names of all dependencies that are newer than the target

  18. Makefile for a basic kernel module obj-m += hello-1.o all: make -C /lib/modules/$(shell uname -r)/build \ M=$(PWD) modules clean: make -C /lib/modules/$(shell uname -r)/build \ M=$(PWD) clean

  19. Giving your Linux more pop since 1995 Kernel Modules

  20. History • Introduced in Linux version 1.2 (1995) • At the time, drivers were already designed to be somewhat modular, so not a lot of work was needed to revamp one driver for use as a LKM. There are a lot of drivers, though... • By 2000, most drivers and “module-able” things are converted.

  21. What are Modules • A Module is a object file that contains code to extend the functionality of the base kernel. • Modules are used to add support for new hardware and file systems. • Also used to add new system calls and executable interpreters.

  22. Why are they Important? • If modules did not exist then adding new features to the kernel would be nearly impossible.

  23. Pros and Cons • Pros: • Time savings • Portability • Memory savings • Security (PAM) • Cons • No safeguards • Security (rootkits)

  24. Modules vs. Applications • Modules are really a part of the kernel and so run in kernel space. • Apps just do their tasks and end. Modules sit in the kernel space waiting to be run. • Apps can be linked to outside libraries; modules can only "see" in the kernel and other loaded modules.

  25. Module Loading • Kernel Symbol Table: references kernel functions that modules can use. • When loaded, unresolved symbols in module are linked to system table • EXPORT_SYMBOL() allows specified symbol to be used by kernel and other modules. • Use cat /proc/kallsyms to get a list of all exported kernel symbols.

  26. Image from: http://www.xml.com/ldd/chapter/book/ch02.html

  27. Module HOW-TO • Some useful commands • insmod insert module into kernel • rmmod remove kernel module • lsmod show currently loaded modules • The above work, but are dumb. Instead, use modprobe [-r] which is aware of module dependencies and config settings. • Use depmod to find module dependencies. File location: /lib/modules/version/modules.dep

  28. Writing a Kernel Module • Kernel modules have two basic functions: • a "start" (initialization) function called init_module(), is called when the module is insmoded into the kernel • an "end" (cleanup) function called cleanup_module(), is called just before it is rmmoded. • Since kernel 2.3.13, you can use whatever name you like for the start and end functions of a module • Module license

  29. NETFILTER

  30. Netfilter • A framework for packet mangling in kernel • Built in Linux 2.4 kernel or higher version • Independent of network protocol stack • Provide an easy way to do firewall setting or packet filtering, network address translation and packet mangling

  31. Netfilter II—how it works • Defines a set of hooks • Hooks are well defined point in the path of packets when these packets pass through network stack • The protocol code will jump into netfilter framework when it hits the hookpoint. • Registers Kernel functions to these hooks: • Called when a packet reaches at hook point • Can decide the fate of the packets • After the functions, the packet could continue its journey

  32. Netfilter Hooks • Each protocol family can have different hooks • IPv4 defines 5 hooks Upper layer IP_output IP_input NF_IP_LOCAL_OUT NF_IP_LOCAL_IN Route Route NF_IP_FORWARD NF_PRE_ROUTING NF_IP_POSTROUTING Network driver device

  33. Netfilter hook points • NF_IP_PRE_ROUTING: • After sanity checks, before routing decision • NF_IP_LOCAL_IN: • After routing decisions, if the packet destines for this host • NF_IP_FORWARD: • Packets are not destined for this host but need to be forwarded to another interface • NF_IP_LOCAL_OUT: • All packets created from local host would come here before it is been sent out • NF_IP_POST_ROUTING: • All packets have been routed and ready to hit the wire

  34. Netfilter hook functions • Multiple functions could register to the same hook point • Need to set priority • The corresponding packet will path the hook points • Each function registered for that hook point is called in the order of priority and is free to manipulate the packet • What to do in hook functions • The function could do anything it wants • But need to tell netfilter to return one of the five values: • NF_ACCEPT • NF_DROP • NF_STOLEN • NF_QUEUE • NF_REPEAT

  35. Netfilter Hook implementation • Steps • Fill out the nf_hook_ops structure • Write a hook function: • It has specific format • Register to system • Compile and load the modules • Example: • Iptables –t filter –A INPUT –p tcp –j DROP Drop all the incoming tcp packet

  36. Netfilter Hook implementation (I) • Fill in a netfilter hook operation structure • Data type: (in include/linux/netfilter.h)

  37. Example static struct nf_hook_ops localin_ops; localin_ops.hook = localin_handler; localin_ops.pf = PF_INET; localin_ops.hooknum =NF_IP_LOCAL_IN; localin_ops.priority=NF_IP_PRI_FIRST;

  38. Netfilter Hook implementation II • Format: must be of function type nf_hookfn Unsigned int nf_hookfn(hooknum,struct sk_buff**skb,in_dev,out_dev,int(*okfn)(struct sk_buff*))) • Hooknum: the hook point where the function registered • skb: a reference to the packet • In_dev,outdev: net device this packet is from/to • Hook function returns one of the following: NF_ACCEPT,NF_DROP,NF_STOLEN NF_QUEUE,NF_REPEAT

  39. Example unsigned int localin_handler (unsigned int hook, struct sk_buff **skb, const struct net_device *indev, const struct net_device *outdev, int (*okfn) (struct sk_buff *)) { struct iphdr *iphead = skb->nh.iph; if ((iphead->protocol)== IPPROTO_TCP) //Drop all TCP packet return NF_DROP; }

  40. Netfilter Hook implementation III • Call this function to register at the hook • int nf_register_hook(struct nf_hook_ops *reg) • void nf_unregister_hook(struct nf_hook_ops *reg) #include … static int __init init (void){ return nf_register_hook (&localin_ops); } static void __exit fini (void){ return nf_unregister_hook (&localin_ops); } module_init (init); module_exit (fini); • Compile it and insmod

  41. Conclusion • Netfilter is a glue code between the protocol hooks and the kernel function modules • Iptables is useful to set our firewall • Provide a simple way to hack packet

  42. References • The Linux Kernel Module Programming Guide http://www.faqs.org/docs/kernel/ • Wikipedia: Linux Kernel http://en.wikipedia.org/wiki/Linux_kernel • Wikipedia: Linux Modules http://en.wikipedia.org/wiki/Module_(Linux) • Linux Device Drivers: Building and Running Modules http://www.xml.com/ldd/chapter/book/ch02.html • Linux Loadable Kernel Module HOWTO http://www.tldp.org/HOWTO/Module-HOWTO/ • Linux PAM page http://www.kernel.org/pub/linux/libs/pam/whatispam.html • Linux Kernel Development. Ch. 16: Modules. pp.279-289 • Linux Kernel Cross-Reference http://lxr.linux.no/ https://www.redhat.com/mirrors/LDP/LDP/lkmpg/2.6/html/lkmpg.html

More Related