1 / 43

SCSC 455 Computer Security 2011 Spring

SCSC 455 Computer Security 2011 Spring. Network Security. Control access to system. Access control mechanisms in specific network programs e.g. 1, wu-FTP server support mulitple security directive in /etc/ftpaccess e.g. 2, Apache server: /etc/httpd.conf

trilby
Download Presentation

SCSC 455 Computer Security 2011 Spring

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. SCSC 455 Computer Security2011 Spring Network Security

  2. Control access to system • Access control mechanisms in specific network programs • e.g. 1, wu-FTP server support mulitple security directive in /etc/ftpaccess • e.g. 2, Apache server: /etc/httpd.conf • Control network traffic at network layer -- Firewall • operates at the lowest level of the networking protocol stack. • examines and discards packets from unauthorized systems before they have a chance to attack applications • Use advanced routing techniques • IP masquerading “Hides” LAN clients from hackers on the Internet

  3. Access control at different layers

  4. Index • Linux firewall • NAT and proxy • Protect network traffic through encryption

  5. Firewall • A firewall -- a packet filter • access control operating at the lowest level of the networking protocol stack • Firewalls rely on rules • Rules: the configuration settings that define certain characteristics of an IP package and the action to take for packages meeting the specified criteria • Networking stacks in Linux are contained in the kernel • gives Linux great control over network packet management

  6. IP Chains • The IP Chains are a list of rules for how packets are handled • Linux kernel includes three default chains • Input chains: packets coming from outside the system on which the rule is executed pass through • Forward chains: packets coming from outside the system on which the rule is executed and that need to be routed to another system pass through • Output chains: Packets coming from within the system on which the rule is executed and that are destined for other systems pass through • User defined chains can be added.

  7. IP Chains

  8. Options in IP Chains

  9. Options in IP Chains • Append a new rule to a chain (-A). # ipchains -A input -s 127.0.0.1 -p icmp -j DENY • Insert a new rule at some position in a chain (-I). # ipchains -I input 1 -j DENY • Delete the first rule that matches in a chain (-D). # ipchains -D input -s 127.0.0.1 -p icmp -j DENY • Emptying all rules out of a chain, using the `-F' command. # ipchains -F forward • List all the rules in a chain # ipchains -L -n input

  10. Options in IP Chains • -P: default policy for a chain • when a packet hits the end of a built-in chain, the policy of the chain determines the fate of the packet. • The policy can be any of the ACCEPT, DENY, REJECT or MASQ. MASQ is only valid for the `forward' chain. • E.g. # ipchains -P forward DENY

  11. Options in IP Chains • -j “jump to” target • ACCEPT allows the packet through. • DENY drops the packet as if it had never been received. • REJECT • drops the packet, but (if it's not an ICMP packet) generates an ICMP reply to the source to tell it that the destination was unreachable. • MASQ • tells the kernel to masquerade the packet. • For this to work, your kernel needs to be compiled with IP Masquerading enabled. • REDIRECT • tells the kernel to send a packet to a local port instead of wherever it was heading. • is only valid for packets traversing the input chain. • RETURN which is identical to falling off the end of the chain immediately

  12. ipchains Example • E.g.1 # ping 127.0.0.1 # ipchains -I input -s 127.0.0.1 -p icmp -j DENY # ping 127.0.0.1 • E.g. 2 #ipchains -A input –j DENY #ipchains -A input –s 192.168.10.0/0 -j ACCEPT

  13. Options in IP Chains • -i specifies the name of an interface to match. • An interface is the physical device the packet came in on, or is going out on. • use the ifconfig command to list the interfaces which are `up'. • What is lo interface? • The lo interface is usually called the loopback interface. • If packets from a local process are destined for a local process, they will go through the output chain with interface set to `lo', then return through the input chain with interface also `lo'. • -p specifies the protocol • `TCP', `UDP' or `ICMP'.

  14. Options in IP Chains • -s and –d specify the source and destination • Representing in full name, such as `localhost' or `www.linuxhq.com'. • Representing in IP address such as `127.0.0.1'. • Representing as a group of IP addresses, such as `199.95.207.0/24' • an extra argument indicating the TCP or UDP port, or an (inclusive) range of ports e.g., -p TCP -s 0.0.0.0/0 :1023

  15. Options in IP Chains ! (inversion) • flags can have their arguments preceded by `!' to match addresses NOT equal to the ones given. • E.g. 1, `-s ! localhost' matches any packet not coming from localhost. • E.g. 2 -p TCP -d 0.0.0.0/0 ! www to specify every TCP packet BUT a WWW packet, • How about the following? • -p TCP -d ! 192.168.1.1 www • -p TCP -d 192.168.1.1 ! www • -p TCP -d ! 192.168.1.1 ! www

  16. What Not To Filter Out in ipchains • ICMP packets • ICMP packets are used to indicate failure for other protocols (such as TCP and UDP). • Blocking these packets means that you will never get `Host unreachable' or `No route to host' errors; any connections will just wait for a reply that never comes. • TCP Connections to DNS (nameservers) • DNS doesn't always use UDP. If the reply from the server exceeds 512 bytes, the client uses a TCP connection (still going to port number 53) to get the data.

  17. Graphical Firewall Configuration Utilities • Linux supports several graphical tools that can be used to set up a firewall • Red Hat Linux includes the lokkit program that walks you through questions and establishes rules based on your security choices • Red Hat Linux also includes the firewall-config program, which allows the set up of complex firewall rules

  18. Graphical Firewall Configuration Utilities – Lokkit (1)

  19. Graphical Firewall Configuration Utilities – Lokkit (2)

  20. Graphical Firewall Configuration Utilities – firewall-config (1)

  21. Graphical Firewall Configuration Utilities – firewall-config (2)

  22. NetFilter / IP Tables • NetFilter • the new and improved Linux packet filtering system and uses a different architecture than IP Chains • provides hooks at five different points in packet processing • A hook refers to the ability to connect another program at that point • The list of rules associated with the hooks are similar to IP Chains and are called IP Tables

  23. Using NetFilter / IP Tables • NetFilter / IP Table provide: • The ability to act on packets based on their state – stateful packets filtering • Examination and alteration of just about any header field in a packet - packet mangling • Selection of packets to be logged based on the value of any header field • Passing of packets to regular Linux programs for further processing outside of the Linux kernel • Implementation of intelligent routing based on Quality of Service (QoS) features

  24. Index • Linux firewall • NAT and proxy • Protect network traffic through encryption

  25. Network Address Translation and IP masquerading • The IP Chains feature also provides a special routing functionality -- Network Address Translation (NAT) • NAT is a routing technique that alters address or other header information in a packet • One popular type of NAT is IP masquerading network address translation in which packets from many computers on a LAN appear as if they came from one computer.

  26. IP masquerading #ipchains -A forward -s 192.168.100.0/24 -j MASQ

  27. NAT pros and cons • NAT pros: Using NAT, a single IP can permit an entire LAN to connect to the Internet. • Behind the router, the same private IP addresses can be reused on every LAN • A remote computer cannot connect to a client within a masqueraded LAN. The router effectively hides the entire LAN. • NAT cons: However, IP masquerading can make some network services (FTP, IRC, streaming audio) unworkable. • Q: Why? • To make these protocols work, additional kernel modules for the specific protocols have to be installed.

  28. Proxy Server • A proxy server is very similar to IP masquerading, but the proxy works at the application level, not the IP level • must configure each client on the LAN so that it use a special port for the proxy (instead of using the default port) • E.g., “Squid” is a proxy server in Linux Clients use 8080 or 8008 instead of the default web port 80 • A proxy server provides security against outside attacks by insulating clients. • let you control the access to the outside system • can cache the results (such as web pages) to improve performance

  29. Proxy server

  30. Transparent proxy • Transparent proxy – IPchains or IPtables can redirect packet based on the port to which the packet is addressed • Is an alternative to using a proxy server • Do not need to configure the clients – the proxy activity is “transparent” to the clients • All clients’ requests packets must pass through a gateway to reach the Internet. • The router is configured to redirect some packets to a particular port at the proxy server. The proxy server masquerades these packets and send them out. • The proxy server also processes the received packet from Internet and return them to a client.

  31. Transparent Proxying

  32. Index • Linux firewall • NAT and proxy • Protect network traffic through encryption

  33. Encrypting Network Traffic What we have covered: • The firewall restrict network traffic. • The special routing techniques isolates clients in a LAN from the Internet • However, the contents of packets in LAN or through Internet are visible to everyone. • With network analysis tool (a sniffer), the hackers can view the packets. • The general strategy is encrypting the packets. • Some solutions: • Secure shell (SSH) • IPSec ( Note: IPsec operate at the network layer. more flexible, but more complex and with higher overhead )

  34. The Secure Shell (SSH) • The Secure Shell (SSH) package is a client-server protocol similar to Telnet • A client program ssh and a server program sshd • SSH replaces Telnet and rlogin for better security • SSH use the same encryption techniques as GPG • Exchange asymmetric keys to establish the identity of a user requesting a connection • Pass a symmetric session key securely • Encrypt all subsequent traffic by symmetric session key.

  35. OpenSSH • The OpenSSH implementation of the SSH is used on most Linux distributions • OpenSSH is available to other OSs, such as UNIX, Windows, Macintosh, PalmOS, … • A client program ssh & a server daemon sshd $man ssh $man sshd • SSH connections use port 22 by default • Make sure sshd daemon is running on the system to which you want to connect. To check the status of the sshd daemon $/etc/rc.d/init.d/sshd status • Make sure no firewall is blocking traffic on port 22 between your client and server computer

  36. SSH1 & SSH2 • OpenSSH support two versions: • SSH1 • uses a public key encryption system to authenticate connections • But does NOT support strong symmetric encryption of the subsequent traffic • SSH2 • uses a more robust authentication process • supports strong encryption of all network traffic, such as AES (128-, 192-, or 256-bit), Blowfish, CAST128.

  37. Different Ways to Authenticate in SSH Method 1. To rely on the r-utilites files • E.g., ~/.rhosts • Insecure  not recommended Method 2. To use passwords authentication • Login a ssh server by user name and password on the server • $ ssh –l username server • Then you are prompted for the password • This method is much better than the rhost method or unencrypted Telnet. • However, it does NOT providepublic key authentication of the session.

  38. Use public key authentication in SSH Method 3. To use public key authentication is a more secure way to authenticate a connection in SSH • Must set up key pairs for your own user account $ ssh-keygen -t rsa -b 2048 -t specify a key type (either RSA or DSA) -b specify the key size (default is 1024 bits) • Your private key is stored in ~/.ssh/id_rsa and your public key is stored in ~/.ssh/id_rsa.pub • Enter a passphrase to protect your ssh key pair • It is optional. You may choose to press Enter to leave the key pair unprotected by a passphrase. • This decision depends on who else is using your computer and how you intend to use ssh to access your account on remote systems.

  39. Use public key authentication in SSH (2) • Once a key pair generated on one account, you should place the public key from that account in the ~/.ssh/authorized_keys file on each system where you want to log in using ssh. • This can be done through scp, FTP, email or floppy disk e.g., copy from Alice’s PC /home/alice/.ssh/id_rsa.pub to Bob’s PC /home/bob/.ssh/authorized_keys

  40. OpenSSH features OpenSSH supports a number of useful features: • Replace telnet and rlogin • To secure connections for protocols not inherently secure E.g., the X protocol for serving remote graphical applications (The detailed steps on p505 are not required in this course.) • Port forwarding: • Is a routing technique that allows encryption of many other protocols over SSH connections • E.g., SMTP, FTP, POP3, SWAT (The Samba Web Administration Tool)

  41. Example of Port forwarding in SSH A system administrator wants to use SWAT to manage many Samba servers on a large LAN from a single system client1. • However, using in SWAT in a browser, none of the traffic (including the password you must enter) is encrypted.

  42. Other Tunneling Protocols • The concept behind using SSH port forwarding is that you can tunnel and insecure protocol inside a secure protocol • The Point-to-Point Tunneling Protocol (PPTP) is a standard for creating a virtual private network (VPN) • Microsoft created PPTP • PPTP uses two communication channels between a client and a server • a control channel and an encrypted data channel Using stunnel section (P508 – 509) is NOT required in this course.

  43. Tunneling an insecure protocol under a secure protocol

More Related