Methods of Attack
It is necessary to understand the nature of potential attacks on computer security. Some methods of attack are:
Unauthorized access
Exploitation of known weaknesses in programs
Denial of service
Spoofing
Eavesdropping
IP firewalling is very useful in preventing or reducing unauthorized access, network layer denial of service and IP spoofing attacks.
What Is a Firewall?
A firewall is a secure and trusted machine that sits between a private network and a public network. The firewall machine is configured with a set of rules that determine which network traffic will be allowed to pass and which will be blocked or refused.
[Diagram: a firewall sits between the Internet and the internal network and its server]
Firewall Implementation
Hardware firewall: a dedicated hardware box (Cisco PIX, Netscreen, ISS Proventia)
Software firewall: installable on a server ( )
Host OSs (Windows XP/Linux) also provide software firewall features to protect the host
These days firewalls also provide IDS/IPS (Intrusion Detection System/Intrusion Prevention System) services.
Linux Security
LINUX Firewall
Use the GUI (Applications -> System Settings -> Security Level) to activate the firewall
Allow standard services and any specific port-based application
All other services and ports are blocked
Firewall classification
Stateful
Stateless
A non-stateful firewall usually performs some packet filtering based solely on the IP layer (layer 3) of the OSI model, though sometimes higher-layer protocols are involved in this type of firewall. An example of this type of device might be a border router that sits at the edge of a network and implements one or more access lists to prevent various types of malicious traffic from entering the network.
As opposed to a stateless firewall, a stateful firewall is one that keeps track of the packets previously seen within a given session and applies the access policy to packets based on what has already been seen for the given connection.
Types of firewalls
Packet filter
Application gateway
Circuit level gateway
Proxy server
Packet
A packet is basically a series of digital numbers which conveys these things:
The data, acknowledgment, request or command from the originating system
The source IP address and port
The destination IP address and port
Information about the protocol (set of rules) by which the packet is to be handled
Error checking information
Usually, some sort of information about the type and status of the data being sent
Packet filtering
Disadvantages:
Address information in a packet can potentially be falsified or "spoofed" by the sender.
The data or requests contained in allowed packets may ultimately cause unwanted things to happen, as where a hacker may exploit a known bug in a targeted Web server program to make it do his bidding, or use an ill-gotten password to gain control or access.
An advantage of packet filtering is its relative simplicity and ease of implementation.
Application-Level Gateway (cont.)
It can allow or disallow traffic according to very specific rules, for instance:
permitting some commands to a server but not others
limiting file access to certain types
varying rules according to authenticated users, and so forth
This type of firewall may also perform very detailed logging of traffic and monitoring of events on the host system, and can often be instructed to sound alarms or notify an operator under defined conditions. Application-level gateways are generally regarded as the most secure type of firewall. They certainly have the most sophisticated capabilities. A disadvantage is that setup may be very complex, requiring detailed attention to the individual applications that use the gateway. An application gateway is normally implemented on a separate computer on the network whose primary function is to provide proxy service.
Circuit-Relay
Also called a "Circuit Level Gateway," this is a firewall approach that validates connections before allowing data to be exchanged. What this means is that the firewall doesn't simply allow or disallow packets but also determines whether the connection between both ends is valid according to configurable rules, then opens a session and permits traffic only from the allowed source and possibly only for a limited period of time. Whether a connection is valid may, for example, be based upon:
destination IP address and/or port
source IP address and/or port
time of day
protocol
user
password
Every session of data exchange is validated and monitored, and all traffic is disallowed unless a session is open.
Proxy server
Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network address.
Features of Proxies
A proxy may cache a copy of the information for future requests.
Proxies support user authentication.
Advanced logging can provide audit trails as to everything that is done on the network.
IP Masquerading
IP masquerading: the internal hosts use private source addresses such as 10.0.0.111, but the external interface to the world carries the proxy server's address, something like 141.22.11. The proxy server therefore keeps a list of which internal address is expecting which packet from the external network, and forwards each packet accordingly. This is IP masquerading.
[Diagram: IP masquerading on a ppp link to the Internet; external address 203.10.23.1, internal host 192.168.1.3]
Original request: from 192.168.1.3 port 1234
Masqueraded request: from 203.10.23.1 port 1035
Original reply: to 203.10.23.1 port 1035
Demasqueraded reply: to 192.168.1.3 port 1234
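The exchange in the diagram, as an added Python model that is not part of the slides: a masquerading table keyed by the port handed out on the external address, where a reply is mapped back only if it comes from the peer the internal host contacted and anything without an entry is dropped. The web server 198.51.100.80, the unrelated host 203.0.113.9 and the starting port 1035 are constructed values.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (ip address, port)


@dataclass
class Masquerader:
    """Toy masquerading table: one external address shared by all internal hosts."""
    external_ip: str                 # address of the external (ppp) interface
    next_port: int = 1035            # constructed: first masqueraded port handed out
    # masqueraded port -> (internal endpoint, remote endpoint it is talking to)
    table: Dict[int, Tuple[Endpoint, Endpoint]] = field(default_factory=dict)

    def masquerade(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Rewrite the source of an outgoing packet, reusing an existing mapping."""
        for port, (inner, remote) in self.table.items():
            if inner == src and remote == dst:
                return (self.external_ip, port)
        port = self.next_port
        self.next_port += 1
        self.table[port] = (src, dst)
        return (self.external_ip, port)

    def demasquerade(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Map a reply back to the internal host. None means the packet is dropped:
        no internal host is expecting it (unsolicited, or from the wrong peer)."""
        if dst[0] != self.external_ip or dst[1] not in self.table:
            return None
        inner, remote = self.table[dst[1]]
        return inner if src == remote else None


def demo() -> Tuple[Endpoint, Optional[Endpoint], Optional[Endpoint]]:
    m = Masquerader("203.10.23.1")
    # original request from 192.168.1.3 port 1234 to a constructed web server
    out = m.masquerade(("192.168.1.3", 1234), ("198.51.100.80", 80))
    reply = m.demasquerade(("198.51.100.80", 80), out)    # from the expected peer
    stray = m.demasquerade(("203.0.113.9", 80), out)      # other host, same port
    return out, reply, stray


if __name__ == "__main__":
    print(demo())   # (('203.10.23.1', 1035), ('192.168.1.3', 1234), None)
```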
Firewall Facts
A firewall typically protects a smaller, secure network (such as a corporate LAN, or even just one host) from a larger network (such as the Internet). The firewall is installed at the point where the networks connect, and the firewall applies security policy rules to control traffic that flows in and out of the protected network.
A firewall is not always a single computer. For example, a firewall may consist of a pair of filtering routers and one or more proxy servers running on one or more bastion hosts, all connected to a small, dedicated LAN between the two routers. The external router blocks attacks that use IP to break security (IP address spoofing, source routing, packet fragments), while proxy servers block attacks that would exploit a vulnerability in a higher layer protocol or service. The internal router blocks traffic from leaving the protected network except through the proxy servers. The difficult part is defining criteria by which packets are denied passage through the firewall, because a firewall not only needs to keep intruders out, but usually also needs to let authorized users in and out.
Netfilter & IP Tables
Netfilter is a generalized framework of hooks in the network stack. Any kernel module can plug into one or more of these hooks and will receive each packet traversing that hook. Netfilter is the Linux kernel-space code that implements a firewall within the Linux kernel, either compiled directly into the kernel or included as a set of modules. Iptables is the userland program used for administration of the Netfilter firewall.
What Is Netfilter?
netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. A registered callback function is then called back for every packet that traverses the respective hook within the network stack.
Netfilter
Software commonly associated with netfilter is iptables. Software inside this framework enables packet filtering, network address [and port] translation (NA[P]T) and other packet mangling. It is the redesigned and heavily improved successor of the earlier Linux 2.2.x ipchains and Linux 2.0.x ipfwadm systems.
Ipchains
Linux IP Firewalling Chains, normally called ipchains, is free software to control the packet filter/firewall capabilities in the 2.2 series of Linux kernels. It superseded ipfwadm, but was replaced by iptables in the 2.4 series.
Ipchain
All packets arriving on an interface were filtered against the input chain. If the packet was accepted, it was passed to the routing module. The routing function determined whether the packet was to be delivered locally or forwarded to another outgoing interface.
If forwarded, the packet was filtered a second time against the forward chain. If the packet was accepted, it was passed to the output chain. Both locally generated outgoing packets and forwarded packets were passed to the output chain. If the packet was accepted, it was sent out the interface.
Received and sent local (loopback) packets passed through two filters; forwarded packets passed through three filters. The loopback path involved two chains: each loopback packet passed through the output filter before going "out" the loopback interface, where it was then delivered to the loopback's input interface. Then the input filter was applied.
Iptables
iptables is the user-space command-line program used to configure the Linux 2.4.x and 2.6.x packet filtering ruleset. Iptables can be used for:
listing the contents of the packet filter ruleset
adding/removing/modifying rules in the packet filter ruleset
If a locally destined packet is accepted by the INPUT chain's rules, the packet is delivered locally. If a remotely destined packet is accepted by the FORWARD chain's rules, the packet is sent out the appropriate interface. Outgoing packets from local processes are passed to the OUTPUT chain's rules. If the packet is accepted, it is sent out the appropriate interface. Thus, each packet is filtered once (except for loopback packets, which are filtered twice).
Iptables
Three tables:
Filter
Nat
Mangle
Filter
The filter table is the default table. It contains the actual firewall filtering rules. The built-in chains include these:
INPUT
OUTPUT
FORWARD
Nat
The nat table contains the rules for source and destination address and port translation. These rules are functionally distinct from the firewall filter rules. The built-in chains include these:
PREROUTING
OUTPUT
POSTROUTING
mangle
The mangle table contains rules for setting specialized packet-routing flags. These flags are then inspected later by rules in the filter table. The built-in chains include these:
PREROUTING (routed packets)
INPUT (packets arriving at the firewall, after the PREROUTING chain)
FORWARD (changes packets being routed through the firewall)
POSTROUTING (changes packets just before they leave the firewall, after the OUTPUT chain)
OUTPUT (locally generated packets)
Example
To disallow TCP connections from an internal host, use:
iptables -A INPUT -p tcp -s 192.168.1.1 --syn -j DROP
Note: --syn means the SYN flag must be set, i.e. the packet is an initial connection request.
Examples of Iptables
To create a simple personal firewall that blocks all incoming ICMP traffic, you issue the following command:
iptables -A INPUT -p icmp -s 0/0 -d 0/0 -j DROP
To block ICMP traffic from only the 10.100.100.0/24 network, you issue this command:
iptables -A INPUT -p icmp -s 10.100.100.0/24 -d 0/0 -j DROP
Let's add the rule to allow incoming TCP connections on port 22:
# iptables -I INPUT -p tcp --dport 22 -j ACCEPT
Examples
# iptables -F FORWARD
# iptables -P FORWARD DROP
# iptables -A FORWARD -m tcp -p tcp -s 0/0 --sport 80 -d 172.16.1.0/24 --syn -j DROP
# iptables -A FORWARD -m tcp -p tcp -s 172.16.1.0/24 --sport 80 -d 0/0 -j ACCEPT
# iptables -A FORWARD -m tcp -p tcp -d 172.16.1.0/24 --dport 80 -s 0/0 -j ACCEPT
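The FORWARD chain above, and the stateful/stateless distinction from the classification section, as an added Python model that is not part of the slides: rules are tried in order, the first match decides, and the chain policy applies when nothing matches. The STATEFUL variant and its session tracking are an assumption about how a connection-tracking rule would replace the source-port-80 test; the model covers only TCP and ignores interfaces.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass
class Packet:            # simplified TCP packet; syn=True models a --syn match
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False

@dataclass
class Rule:
    target: str                   # -j ACCEPT or DROP
    src: str = "0.0.0.0/0"        # -s (iptables abbreviates this as 0/0)
    dst: str = "0.0.0.0/0"        # -d
    sport: Optional[int] = None   # --sport
    dport: Optional[int] = None   # --dport
    syn: bool = False             # --syn: only initial connection requests
    established: bool = False     # assumed stateful match on a tracked session

    def matches(self, p: Packet, sessions: Set[Tuple]) -> bool:
        in_net = lambda ip, net: ipaddress.ip_address(ip) in ipaddress.ip_network(net)
        if not (in_net(p.src, self.src) and in_net(p.dst, self.dst)):
            return False
        if self.sport not in (None, p.sport) or self.dport not in (None, p.dport):
            return False
        if self.syn and not p.syn:
            return False
        fwd, rev = (p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport)
        if self.established and fwd not in sessions and rev not in sessions:
            return False
        return True

def evaluate(chain: List[Rule], policy: str, p: Packet, sessions: Optional[Set[Tuple]] = None) -> str:
    """First matching rule decides, else the policy; in stateful mode an accepted SYN opens a session."""
    for rule in chain:
        if rule.matches(p, sessions if sessions is not None else set()):
            if rule.target == "ACCEPT" and p.syn and sessions is not None:
                sessions.add((p.src, p.sport, p.dst, p.dport))
            return rule.target
    return policy

# The slide's FORWARD chain, in order, after "iptables -P FORWARD DROP" (defaults are 0/0).
STATELESS = [
    Rule("DROP", sport=80, dst="172.16.1.0/24", syn=True),
    Rule("ACCEPT", src="172.16.1.0/24", sport=80),
    Rule("ACCEPT", dst="172.16.1.0/24", dport=80),
]
# Assumed stateful equivalent: trust tracked sessions rather than source port 80.
STATEFUL = [
    Rule("ACCEPT", established=True),
    Rule("ACCEPT", dst="172.16.1.0/24", dport=80, syn=True),   # to the internal server
    Rule("ACCEPT", src="172.16.1.0/24", syn=True),             # internal clients outbound
]
```

With the stateless set, an internal client's own connection to an outside web server is dropped by the policy, because the only rules that mention port 80 describe the internal server; the stateful set admits the reply because the outbound SYN was recorded, and still drops an unsolicited packet from source port 80 to another internal port.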
[Network diagrams: intranet hosts Intra1 (XP) and Intra2 (Windows 2003 / XP) behind switches, with IDS sensors, a honeypot, and an inner IPS]
DMZ
DeMilitarized Zone: a portion of a network that separates a purely internal network from an external network.
Guard (Firewall): a host that mediates access to a network, allowing or disallowing certain types of access on the basis of a configured policy.
Booting sequence
1. Turn on the power
2. The CPU jumps to the address of the BIOS (0xFFFF0)
3. The BIOS runs POST (Power-On Self Test)
4. Find bootable devices
5. Load and execute the boot sector from the MBR
6. Load the OS
[Figures: the BIOS chip on the board; the BIOS setup screen]
BIOS
The Basic Input/Output System (BIOS) typically resides in ROM on the motherboard and is the first program run when a system is powered on.
When you turn on your computer and the microprocessor tries to execute its first instruction, it has to get that instruction from somewhere. It cannot get it from the operating system because the operating system is located on a hard disk, and the microprocessor cannot get to it without some instructions that tell it how. The BIOS provides those instructions. Some of the other common tasks that the BIOS performs include:
This ROM chip is usually an EEPROM (Electrically Erasable Programmable ROM, also known as Flash ROM), which allows it to be electrically erased and reprogrammed, as when you upgrade or "flash" your BIOS.
It is responsible for testing hardware devices using a process called Power-On Self Test (POST). The BIOS also loads the operating system from various media, including hard disks, floppy disks, and usually CD-ROMs. Your BIOS will usually provide you with a way to tell it about the different hardware that is attached. These settings are stored in the CMOS (Complementary Metal Oxide Semiconductor), which uses a battery to maintain its contents (it holds the date, time, and system setup parameters).
BIOS Interaction
The Power On Self Test (POST): During the POST, a computer will test its memory and verify that it has all the necessary hardware, such as a keyboard and a mouse. This information is used by the BIOS to control all aspects of the boot process.
If it does not find the proper files on a device, the startup process will halt. If you have ever left a disk in the drive when you restarted your computer, you have probably seen this message.
Boot loader
A boot loader, also called a boot manager, is a small program that places the operating system (OS) of a computer into memory. When a computer is powered up or restarted, the basic input/output system (BIOS) performs some initial tests and then transfers control to the Master Boot Record (MBR), where the boot loader resides. The boot loader could more aptly be called the kernel loader: the task at this stage is to load the Linux kernel.
For Linux, the two most common boot loaders are known as LILO (LInux LOader) and LOADLIN (LOAD LINux). An alternative boot loader, called GRUB (GRand Unified Bootloader), is used with Red Hat Linux. LILO is the most popular boot loader among computer users that employ Linux as the main, or only, operating system. The primary advantage of LILO is the fact that it allows for fast boot-up. LOADLIN is preferred by some users whose computers have multiple operating systems, and who spend relatively little time in Linux. LOADLIN is sometimes used as a backup boot loader for Linux in case LILO fails. GRUB is preferred by many users of Red Hat Linux, because it is the default boot loader for that distribution.
Depending on the boot loader, additional files may be stored and read from a partition on the hard drive. After this step the boot loader begins to start the operating system, and is not used again until the next boot.
Kernel
The kernel is the central part of most computer operating systems because of its task: managing the system's resources and the communication between hardware and software components. The kernel stays resident in memory until the computer is turned off.
At this point, the BIOS has selected the boot device and its boot sector has been loaded. The boot manager now loads the kernel image and possibly an initial RAM disk image. Once loaded into RAM, the kernel is executed and the setup code runs. The kernel must initialize any devices the system has. Even devices that have been initialized by the BIOS must be reinitialized. This provides portability and robustness by ensuring that each system has been initialized in a similar fashion, independent of the BIOS.
The setup code now loads the compressed kernel and calls the decompress_kernel() function. It is at this point that you will see the "Uncompressing Linux..." message printed on the screen. The decompressed kernel now takes over and begins to set up the execution environment for the first Linux process. The kernel will now begin printing a large number of messages on the screen as it initializes the scheduler, IRQs, console, hardware, etc. The kernel_thread() function is called next to start init.
Task of kernel
Process management
Memory management
Device management
System calls
Init process
After the kernel is loaded and the system can talk to its peripherals, the initialization begins. The first thing the kernel does is execute the init program. Init is the root/parent of all processes executing on Linux. The /etc/inittab file tells the system what to start up; the first is usually rc.sysinit.
Upon shutdown, init controls the sequence and
rc.sysinit
Starts logging
Sets the hostname
Prepares the network for startup
Checks the clock
Sets up the host computer hardware
Sets up and mounts the filesystem
Runlevels
A runlevel is a software configuration of the system which allows only a selected group of processes to exist. The processes spawned by init for each of these runlevels are defined in the /etc/inittab file. Init can be in one of eight runlevels: 0-6.
Linux bootup
Depending on the run level that the system is to run to, different rc files will be executed.
Run level 0 is shutdown
Run level 1 is single user
Run level 2 is multiuser, no NFS
Run level 3 is ready to use, full multiuser
Run level 4 is unused at present
Run level 5 is GUI
Run level 6 is reboot
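The inittab lookup described above (which processes init spawns on entering a runlevel), as an added Python example that is not part of the slides. The inittab content is a constructed sample, not a real system's file; the field layout follows the SysV inittab format, and boot-time and event-driven actions are treated as separate from runlevel changes.

```python
from typing import Dict, List

# Constructed sample inittab (not from any real system). Field order is
# id:runlevels:action:process; an empty runlevels field means "all runlevels".
SAMPLE_INITTAB = """\
# constructed sample
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l1:1:wait:/etc/rc.d/rc 1
l3:3:wait:/etc/rc.d/rc 3
l5:5:wait:/etc/rc.d/rc 5
l6:6:wait:/etc/rc.d/rc 6
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
1:2345:respawn:/sbin/mingetty tty1
x:5:respawn:/etc/X11/prefdm -nodaemon
"""

# Actions that run at boot or on an event, not when a runlevel is entered.
NOT_RUNLEVEL_DRIVEN = {"initdefault", "sysinit", "boot", "bootwait", "ctrlaltdel",
                       "powerfail", "powerokwait", "powerwait", "kbrequest"}

def parse_inittab(text: str) -> List[Dict[str, str]]:
    """Parse inittab text into records; blank lines and # comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 3)          # the process field may itself contain ':'
        if len(fields) != 4:
            raise ValueError(f"malformed inittab line: {line!r}")
        ident, runlevels, action, process = fields
        entries.append({"id": ident, "runlevels": runlevels,
                        "action": action, "process": process})
    return entries

def default_runlevel(entries: List[Dict[str, str]]) -> str:
    """The runlevel init enters at boot (the initdefault entry), e.g. '3' or '5'."""
    for e in entries:
        if e["action"] == "initdefault":
            return e["runlevels"]
    raise ValueError("no initdefault entry")

def processes_for(entries: List[Dict[str, str]], runlevel: str) -> List[str]:
    """Commands init runs on entering `runlevel`, in file order."""
    return [e["process"] for e in entries
            if e["action"] not in NOT_RUNLEVEL_DRIVEN
            and (e["runlevels"] == "" or runlevel in e["runlevels"])]
```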