csce 815 network security lecture 23 jails and such april 15, 2003
TRANSCRIPT
CSCE 815 Network Security CSCE 815 Network Security Lecture 23 Lecture 23CSCE 815 Network Security CSCE 815 Network Security Lecture 23 Lecture 23
Jails and suchJails and such
April 15, 2003
– 2 – CSCE 815 Sp 03
Network Administrator ToolsNetwork Administrator Tools
Network Administration toolsNetwork Administration tools (MSDOS/Windows) ipconfig ifconfig netstat /etc/… not really tools as much as files /sbin/…
Find ethernet/IP addressesFind ethernet/IP addresses
More toolsMore tools http://newsforge.com/newsforge/02/12/12/0232235.shtml?tid
=23
– 3 – CSCE 815 Sp 03
ARP Spoofing RevisitedARP Spoofing Revisited
Linux WorldLinux World
/sbin/sbin arp Iptables, ipchains, ipfwadm
Arp comand –print the tableArp comand –print the table
Ping somewhere then use arp to look at the table againPing somewhere then use arp to look at the table again
– 4 – CSCE 815 Sp 03
Firewall LimitationsFirewall Limitations
cannot protect from attacks bypassing itcannot protect from attacks bypassing it eg sneaker net, utility modems, trusted organisations,
trusted services (eg SSL/SSH)
cannot protect against internal threatscannot protect against internal threats eg disgruntled employee
cannot protect against transfer of all virus infected cannot protect against transfer of all virus infected programs or filesprograms or files because of huge range of O/S & file types
– 5 – CSCE 815 Sp 03
Firewalls – Packet FiltersFirewalls – Packet Filters
– 6 – CSCE 815 Sp 03
Firewalls – Packet FiltersFirewalls – Packet Filters
simplest of components simplest of components
foundation of any firewall system foundation of any firewall system
examine each IP packet (no context) and permit or deny examine each IP packet (no context) and permit or deny according to rules according to rules
hence restrict access to services (ports)hence restrict access to services (ports)
possible default policiespossible default policies that not expressly permitted is prohibited that not expressly prohibited is permitted
– 7 – CSCE 815 Sp 03
Firewalls – Packet FiltersFirewalls – Packet Filters
– 8 – CSCE 815 Sp 03
Firewalls with IPtables (Linux)Firewalls with IPtables (Linux)
IPtablesIPtables
IPchainsIPchains
NetfilterNetfilter
““10 minutes to an iptables-based Linux firewall”10 minutes to an iptables-based Linux firewall”by by Joshua DrakeJoshua Drake http://www.linuxworld.com/site-stories/2001/0920.ipchains.html
““Taming the Wild Netfilter”Taming the Wild Netfilter”September 01, 2001 by September 01, 2001 by David A. David A. BandelBandel http://www.linuxjournal.com/article.php?sid=4815
– 9 – CSCE 815 Sp 03
Firewalls with IPtables (Linux)Firewalls with IPtables (Linux)
[root@jd root]# /sbin/iptables -h[root@jd root]# /sbin/iptables -hiptables v1.2.1iptables v1.2.1Usage: iptables -[ADC] chain rule-specification [options]Usage: iptables -[ADC] chain rule-specification [options] iptables -[RI] chain rulenum rule-specification [options] iptables -[RI] chain rulenum rule-specification [options] iptables -D chain rulenum [options] iptables -D chain rulenum [options] iptables -[LFZ] [chain] [options] iptables -[LFZ] [chain] [options] iptables -[NX] chain iptables -[NX] chain iptables -E old-chain-name new-chain-name iptables -E old-chain-name new-chain-name iptables -P chain target [options] iptables -P chain target [options] iptables -h (print this help information) iptables -h (print this help information)
Commands:Commands:Either long or short options are allowed.Either long or short options are allowed. --append -A chain Append to chain --append -A chain Append to chain --delete -D chain Delete matching rule from chain --delete -D chain Delete matching rule from chain --delete -D chain rulenum --delete -D chain rulenum [...] [...]
– 10 – CSCE 815 Sp 03
Firewalls with IPtables (Linux)Firewalls with IPtables (Linux)
No incoming traffic (tcp connections)No incoming traffic (tcp connections) /sbin/iptables -A INPUT -p tcp --syn -j DROP
Accept incoming SSH (port 22) why?Accept incoming SSH (port 22) why? /sbin/iptables -A INPUT -p tcp --syn -s 192.168.1.110/32 --
destination-port 22 -j ACCEPT /sbin/iptables -A INPUT -p tcp --syn -j DROP
Add rule to allow a web server to the chainAdd rule to allow a web server to the chain /sbin/iptables -A INPUT -p tcp --syn -s 192.168.1.110/32 --
destination-port 22 -j ACCEPT /sbin/iptables -A INPUT -p tcp --syn --destination-port 80 -j
ACCEPT /sbin/iptables -A INPUT -p tcp --syn -j DROP
– 11 – CSCE 815 Sp 03
Chroot JailsChroot Jails
References:References: http://librenix.com/ general purpose security/Linux site http://www.gsyc.inf.uc3m.es/~assman/jail/index.html
chroot environment: chroot environment:
– 12 – CSCE 815 Sp 03
Chroot ImplementationChroot Implementation
– 13 – CSCE 815 Sp 03
User-mode Linux User-mode Linux
UML (binding problem)UML (binding problem) http://user-mode-linux.sourceforge.net/
creates a virtual Machine creates a virtual Machine
allows you to run multiple instances of Linux on the allows you to run multiple instances of Linux on the same system at the same time same system at the same time
designed for a variety of purposes, such as kernel designed for a variety of purposes, such as kernel debugging, testing applications debugging, testing applications
– 14 – CSCE 815 Sp 03
Firewalls – Stateful Packet FiltersFirewalls – Stateful Packet Filters
examine each IP packet in contextexamine each IP packet in context keeps tracks of client-server sessions checks each packet validly belongs to one
better able to detect bogus packets out of context better able to detect bogus packets out of context
– 15 – CSCE 815 Sp 03
Firewalls - Application Level Gateway (or Proxy)Firewalls - Application Level Gateway (or Proxy)
– 16 – CSCE 815 Sp 03
Firewalls - Application Level Gateway (or Proxy)Firewalls - Application Level Gateway (or Proxy)use an application specific gateway / proxy use an application specific gateway / proxy
has full access to protocol has full access to protocol user requests service from proxy proxy validates request as legal then actions request and returns result to user
need separate proxies for each service need separate proxies for each service some services naturally support proxying others are more problematic custom services generally not supported
– 17 – CSCE 815 Sp 03
Firewalls - Circuit Level GatewayFirewalls - Circuit Level Gateway
– 18 – CSCE 815 Sp 03
Firewalls - Circuit Level GatewayFirewalls - Circuit Level Gateway
relays two TCP connectionsrelays two TCP connections
imposes security by limiting which such connections imposes security by limiting which such connections are allowedare allowed
once created usually relays traffic without examining once created usually relays traffic without examining contentscontents
typically used when trust internal users by allowing typically used when trust internal users by allowing general outbound connectionsgeneral outbound connections
SOCKS commonly used for thisSOCKS commonly used for this
– 19 – CSCE 815 Sp 03
Bastion HostBastion Host
highly secure host system highly secure host system
potentially exposed to "hostile" elements potentially exposed to "hostile" elements
hence is secured to withstand this hence is secured to withstand this
may support 2 or more net connectionsmay support 2 or more net connections
may be trusted to enforce trusted separation between may be trusted to enforce trusted separation between network connectionsnetwork connections
runs circuit / application level gateways runs circuit / application level gateways
or provides externally accessible services or provides externally accessible services
– 20 – CSCE 815 Sp 03
Firewall ConfigurationsFirewall Configurations
– 21 – CSCE 815 Sp 03
Firewall ConfigurationsFirewall Configurations
– 22 – CSCE 815 Sp 03
Firewall ConfigurationsFirewall Configurations
– 23 – CSCE 815 Sp 03
Access ControlAccess Control
given system has identified a user given system has identified a user
determine what resources they can accessdetermine what resources they can access
general model is that of access matrix withgeneral model is that of access matrix with subject - active entity (user, process) object - passive entity (file or resource) access right – way object can be accessed
can decompose bycan decompose by columns as access control lists rows as capability tickets
– 24 – CSCE 815 Sp 03
Access Control MatrixAccess Control Matrix
– 25 – CSCE 815 Sp 03
Trusted Computer SystemsTrusted Computer Systems
information security is increasingly important information security is increasingly important
have varying degrees of sensitivity of informationhave varying degrees of sensitivity of information cf military info classifications: confidential, secret etc
subjects (people or programs) have varying rights of access to subjects (people or programs) have varying rights of access to objects (information)objects (information)
want to consider ways of increasing confidence in systems to want to consider ways of increasing confidence in systems to enforce these rightsenforce these rights
known as multilevel securityknown as multilevel security subjects have maximum & current security level objects have a fixed security level classification
– 26 – CSCE 815 Sp 03
Bell LaPadula (BLP) ModelBell LaPadula (BLP) Model
one of the most famous security modelsone of the most famous security models
implemented as mandatory policies on system implemented as mandatory policies on system
has two key policies: has two key policies:
no read upno read up (simple security property) (simple security property) a subject can only read/write an object if the current security level
of the subject dominates (>=) the classification of the object
no write downno write down (*-property) (*-property) a subject can only append/write to an object if the current security
level of the subject is dominated by (<=) the classification of the object
– 27 – CSCE 815 Sp 03
Reference MonitorReference Monitor
– 28 – CSCE 815 Sp 03
Evaluated Computer SystemsEvaluated Computer Systems
governments can evaluate IT systemsgovernments can evaluate IT systems
against a range of standards:against a range of standards: TCSEC, IPSEC and now Common Criteria
define a number of “levels” of evaluation with define a number of “levels” of evaluation with increasingly stringent checkingincreasingly stringent checking
have published lists of evaluated productshave published lists of evaluated products though aimed at government/defense use can be useful in industry also
– 29 – CSCE 815 Sp 03
SummarySummary
have considered:have considered: firewalls types of firewalls configurations access control trusted systems
– 30 – CSCE 815 Sp 03
ReferencesReferences
Librenix: http://librenix.comfirewallsLibrenix: http://librenix.comfirewalls types of firewalls configurations access contro
Newsforge: http://newsforge.com/newsforgeNewsforge: http://newsforge.com/newsforge