Network in Linux Security

7/28/2019 Network in Linux Security http://slidepdf.com/reader/full/network-in-linux-security (67 slides)
www.nettech.in Nettech Private Ltd.

Upload: vikram-reddy, posted on 03-Apr-2018

TRANSCRIPT

Page 1: Network in Linux Security

Introduction to Network/Linux Security

Prepared by: Swapan Purkait, Director, Nettech Private Limited, [email protected], +91 93315 90003

For Summer Training on Computer Networking visit www.nettech.in

Page 2: Network in Linux Security


Overview

• What is network security?
• What kinds of security services might one desire?
• What kinds of attacks should we try to protect a network against?
• What protection strategies are available?
• What support can we expect from Linux?

Page 3: Network in Linux Security


What is network security?

• A network is secure if you can depend on it and its nodes behave as you expect.
• If you do not know what you are protecting, why you are protecting it, and what you are protecting it from, your task will be rather difficult!

Page 4: Network in Linux Security


Kinds of security one might desire

• Authentication
• Confidentiality (Privacy)
• Integrity
• Availability
• Non-Repudiation
• Auditing

Page 5: Network in Linux Security


Authentication

• Authentication is the process of reliably verifying the identity of someone (or something) by means of:
  – A secret (password, one-time password, ...)
  – An object (smart card, ...)
  – Physical characteristics (fingerprint, retina, ...)
  – Trust
• Do not mistake authentication for authorization! Authentication establishes who you are; authorization decides what you are allowed to do.

Page 6: Network in Linux Security


Integrity vs Confidentiality

• Integrity
  – Protecting information from being deleted or altered in any way without the permission of the owner of that information.
• Confidentiality
  – Protecting information from being read or copied by anyone who has not been explicitly authorized by the owner of that information.

Page 7: Network in Linux Security


Availability

If the system is unavailable when an authorized user needs it, the result can be as bad as having the information that resides on the system deleted!

Page 8: Network in Linux Security


Non-repudiation

The ability of the receiver of something to prove to a third party that the sender really did send the message.

Page 9: Network in Linux Security


Auditing

The ability to record events that might have some security relevance. After an incident, you need to determine what was affected. In some cases the audit trail may be extensive enough to allow "undo" operations to help restore the system to a correct state.

Page 10: Network in Linux Security


Kinds of attacks on a computer

What kinds of attacks should we try to protect a computer against?

• Physical security – lockers, BIOS, weather, ...
• Personnel security
• Operating system security
• Network security

Page 11: Network in Linux Security


Some common network services

• DNS
• Apache
• NFS
• NIS/NIS+
• Samba
• Telnet
• FTP
• Mail
• ...

Page 12: Network in Linux Security


Network Security: common attacks

• Interception
  – Modification
• Intrusion
  – Modification, Fabrication
• Denial of service
  – Interruption
• Information theft

Page 13: Network in Linux Security


Security tools

• Cryptography – symmetric vs asymmetric (certificates, ...)
• Firewalls and proxies – ipchains/iptables, ...
• TCP Wrappers and UDP relayers
• Pluggable Authentication Modules (PAM) – a suite of shared libraries that lets the local system administrator choose how applications authenticate users
• Kernel-level security
• Log files (/var/log/*)


Page 15: Network in Linux Security


Cryptography Model

[Figure: Plaintext P goes into Encryption E under the encryption key K, producing Ciphertext C; C goes into Decryption D under the decryption key K', recovering Plaintext P.]

Page 16: Network in Linux Security


Basic Formula

C = E_K(P)
P = D_K'(C)
D_K'(E_K(P)) = P

• If K = K', it is a symmetric key system, also known as a secret key system.
• If K ≠ K', it is an asymmetric key system, commonly called a public key system.

Page 17: Network in Linux Security


Cryptography: Symmetric vs Asymmetric

• Symmetric (also called secret key algorithms)
  – The same key is used to both encrypt and decrypt
  – Faster algorithms
  – PROBLEM: key management is not easy; the shared key must be delivered secretly to every pair of communicating parties
• Asymmetric (also called public key algorithms)
  – The key used to encrypt is different from the one needed to decrypt
  – Not inherently "more secure" than a symmetric cipher of comparable strength; its advantage is key distribution: the encryption key can be published, only the decryption key must stay private
  – Allows digital signatures, and hence non-repudiation

Page 18: Network in Linux Security


Secret Key System

[Figure: Alice and Bob each hold the same DES key, shared in advance.]

Page 19: Network in Linux Security


Data Encryption Standard (DES)

• It is a symmetric block cipher
• Designed by IBM and adopted as a U.S. federal standard (FIPS 46) in 1977
• It uses a 56-bit key (64 bits as stored, 8 of them parity bits) and encrypts 64-bit blocks
• Hardware vs software implementation
• How secure is DES?
  – How much would a DES-breaking engine cost? (In 1998 the EFF's "Deep Crack" machine, built for about US$250,000, recovered a DES key by brute force in a few days.)
  – Is it possible to make DES harder to break? (Triple DES applies DES three times with two or three keys; single DES is obsolete and should not be used in new systems.)
  – How does it work?

Page 20: Network in Linux Security


Public Key System

[Figure: Alice encrypts with Bob's public key; only Bob, holding Bob's private key, can decrypt.]

Page 21: Network in Linux Security


RSA Algorithm

• Rivest, Shamir & Adleman (1978), MIT
• Most widely used public key algorithm
• Based on principles of number theory (its security rests on the difficulty of factoring n)
• Keys are calculated in the following way:
  1. Choose two large (> 10^100) primes, p and q
  2. Compute n = p*q and z = (p-1)*(q-1)
  3. Choose a number k' which is relatively prime to z
  4. Find k such that k*k' = 1 (mod z)
• Encryption: C = P^k (mod n); decryption: P = C^k' (mod n)

Page 22: Network in Linux Security


Example

• Say p = 3 and q = 11, so that n = 33 and z = 20. A suitable value for k' is 7 (relatively prime to 20).
• k can be found by solving 7*k = 1 (mod 20); thus k = 3.
• So encryption: C = P^3 (mod 33), and decryption: P = C^7 (mod 33).
• Say P = 14; then C = 14^3 (mod 33) = 2744 (mod 33) = 5.
• Conversely, C^7 (mod 33) = 5^7 (mod 33) = 78125 (mod 33) = 14 = P.

Page 23: Network in Linux Security


Digital Signature

• An important security strategy for e-commerce
• The receiver can verify the claimed identity of the sender (authentication)
• The sender cannot later repudiate the contents of the message
• The message cannot be altered in transit without the alteration being detected
• Can be implemented using public key cryptography: the sender signs with the private key and anyone can verify with the public key
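The key generation, the p = 3, q = 11 worked example, and the sign/verify use of the same key pair, as an added example in POSIX shell (not code from the original deck). The functions use the slide's symbols (p, q, n, z, k, k'); the numbers are the slide's toy values. The trial-division function is included to show what the security of RSA actually rests on: anyone who can factor the public n rebuilds k'. Real RSA uses primes of hundreds of digits and a padding scheme (this unpadded "textbook" RSA is for illustration only); the function names are this example's own.

```shell
#!/bin/sh
# Toy RSA with the slide's notation, in POSIX shell arithmetic (added example).
#   n = p*q, z = (p-1)*(q-1), k*k' = 1 (mod z)
#   encrypt: C = P^k mod n      decrypt: P = C^k' mod n
#   sign:    S = P^k' mod n     verify:  S^k mod n == P
# Numbers are the slide's toy values (p=3, q=11, k'=7); real keys are
# 2048-bit and messages are padded, neither of which fits shell integers.

# modpow BASE EXP MOD: prints BASE^EXP mod MOD by square-and-multiply
modpow() {
    mp_b=$(( $1 % $3 )) mp_e=$2 mp_m=$3 mp_r=1
    while [ "$mp_e" -gt 0 ]; do
        if [ $(( mp_e % 2 )) -eq 1 ]; then mp_r=$(( mp_r * mp_b % mp_m )); fi
        mp_e=$(( mp_e / 2 ))
        mp_b=$(( mp_b * mp_b % mp_m ))
    done
    echo "$mp_r"
}

# modinv A M: prints x with A*x = 1 (mod M) (extended Euclid);
# fails when gcd(A, M) != 1, i.e. when A is not a valid exponent for M
modinv() {
    mi_t=0 mi_nt=1 mi_r=$2 mi_nr=$(( $1 % $2 ))
    while [ "$mi_nr" -ne 0 ]; do
        mi_q=$(( mi_r / mi_nr ))
        mi_tmp=$(( mi_t - mi_q * mi_nt )); mi_t=$mi_nt; mi_nt=$mi_tmp
        mi_tmp=$(( mi_r - mi_q * mi_nr )); mi_r=$mi_nr; mi_nr=$mi_tmp
    done
    if [ "$mi_r" -ne 1 ]; then echo "modinv: $1 is not invertible mod $2" >&2; return 1; fi
    echo $(( (mi_t % $2 + $2) % $2 ))
}

# rsa_keygen P Q K': prints "k n k'" = public exponent, modulus, private exponent
rsa_keygen() {
    kg_n=$(( $1 * $2 ))
    kg_z=$(( ($1 - 1) * ($2 - 1) ))
    kg_k=$(modinv "$3" "$kg_z") || return 1
    echo "$kg_k $kg_n $3"
}

rsa_encrypt() { modpow "$1" "$2" "$3"; }   # rsa_encrypt P k n   -> C
rsa_decrypt() { modpow "$1" "$2" "$3"; }   # rsa_decrypt C k' n  -> P
rsa_sign()    { modpow "$1" "$2" "$3"; }   # rsa_sign P k' n     -> S
# rsa_verify P S k n: prints ok if S^k mod n == P, else bad
rsa_verify() {
    if [ "$(modpow "$2" "$3" "$4")" -eq "$1" ]; then echo ok; else echo bad; fi
}

# factor_n N: trial division. Recovering p and q from the public n is the
# attack; with 100-digit primes this loop would never finish.
factor_n() {
    f_p=2
    while [ $(( f_p * f_p )) -le "$1" ]; do
        if [ $(( $1 % f_p )) -eq 0 ]; then echo "$f_p $(( $1 / f_p ))"; return 0; fi
        f_p=$(( f_p + 1 ))
    done
    return 1
}

# Walk the slide's example end to end
demo() {
    set -- $(rsa_keygen 3 11 7)                 # k=3 n=33 k'=7
    d_k=$1 d_n=$2 d_kp=$3
    d_c=$(rsa_encrypt 14 "$d_k" "$d_n")         # 14^3 mod 33 = 5
    d_p=$(rsa_decrypt "$d_c" "$d_kp" "$d_n")    # 5^7 mod 33 = 14
    d_s=$(rsa_sign 14 "$d_kp" "$d_n")           # signature on P=14
    d_ok=$(rsa_verify 14 "$d_s" "$d_k" "$d_n")
    d_bad=$(rsa_verify 15 "$d_s" "$d_k" "$d_n") # altered message: verification fails
    set -- $(factor_n "$d_n")                   # attacker factors the public n ...
    d_rec=$(modinv "$d_k" $(( ($1 - 1) * ($2 - 1) )))  # ... and rebuilds k'
    echo "k=$d_k n=$d_n C=$d_c P=$d_p S=$d_s verify=$d_ok tampered=$d_bad recovered_k'=$d_rec"
}

demo
```

Run it with `sh rsa-toy.sh`; `modinv` refuses an exponent that shares a factor with z, which is why step 3 of the key generation insists on a k' relatively prime to z.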


Page 25: Network in Linux Security


Security of cryptographic algorithms

• Let us define the lifetime of a piece of information as the amount of time the information should be kept secret.
• An encryption can be considered secure if the time to break it (for example with a brute-force attack) is reasonably longer than the lifetime of the information contained in the plaintext.

Time for a brute-force key search, by key length in bits (estimated in 1995, Applied Cryptography):

Cost     40 bits   56 bits   64 bits   80 bits    112 bits   128 bits
$100K    2 s       35 h      1 y       70,000 y   10^14 y    10^19 y
$1M      0.2 s     3.5 h     37 d      7,000 y    10^13 y    10^18 y
$10M     0.02 s    21 min    4 d       700 y      10^12 y    10^17 y

These are 1995 figures; hardware has become far cheaper since (the EFF demonstrated this against 56-bit DES in 1998), and brute force is only an upper bound: a weakness in the algorithm itself can make a key far cheaper to recover than its length suggests.

Page 26: Network in Linux Security


Secure Socket Layer (SSL)

• It uses public key cryptography to authenticate the server and agree on session keys, and a symmetric cipher for the bulk data
• It is a protocol developed by Netscape for secure transactions across the Web
• It is stream-based, consisting of three phases:
  – In the initial handshake phase, secure communications are established
  – In the intermediate data transfer phase, application-to-application dialog (with data encryption) occurs
  – In the closing handshake phase, the connection is terminated
• There are free SSL implementations (OpenSSL, for example)
• All SSL versions are now deprecated; TLS is the standardized successor that current servers and clients negotiate

Page 27: Network in Linux Security


Firewall (Access Control)

Page 28: Network in Linux Security


What is a Firewall?

• A set of related programs that protects the resources of a private network from users on other networks.
• A mechanism for filtering network packets based on information contained within the IP (and transport) headers.
• Options available:
  – Commercial firewall devices (WatchGuard, Cisco PIX)
  – Routers (ACLs)
  – Linux
  – Software packages (ZoneAlarm, Black Ice)
  – Sneaker net (no network connection at all)

Page 29: Network in Linux Security


Firewalls

• Routers: easy to say "allow everything but ..."
• Firewalls: easy to say "allow nothing but ..."
• This helps because we turn off access to everything, then evaluate which services are mission-critical and have well-understood risks
• Note: the only difference between a router and a firewall is the design philosophy: do we prioritize security, or connectivity?
• Firewalls also bring configurability and logging

Page 30: Network in Linux Security


Firewall setup

• The firewall ensures that the internal network and the Internet can both talk to the DMZ, but usually not to each other
• The DMZ relays services at the application level, e.g. mail forwarding, web proxying
• The DMZ machines and the firewall are centrally administered by people focused on security full-time (installing patches, etc.)
  – it's easier to secure 20 machines than 20,000
• Now the internal network is "safe" (but not from internal attacks, modems, etc.)

Page 31: Network in Linux Security


Typical firewall setup

[Figure: the firewall sits between the evil Internet, the DMZ and the internal network.]

Page 32: Network in Linux Security


Downside of firewalls

• single point of failure
• difficult to integrate into a mesh network
• highlights flaws in network architecture
• can focus politics on the firewall administrator

Page 33: Network in Linux Security


Firewall using Packet Filtering

Page 34: Network in Linux Security


Packet Filters .. "Firewalls"

• A "firewall" can be at any layer between 3 and 5
• Application-level gateways work at the application layer
• Packet filters work at the network layer (and read transport-layer headers such as TCP/UDP ports)

[Figure: the OSI stack, top to bottom: User Applications, Application, Presentation, Session, Transport, Network, Data Link, Physical.]

Page 35: Network in Linux Security


Why Filter?

• Filtering packets increases security.
• Prevent outsiders from using services on a system.
• Prevent malicious attacks such as Denial of Service (DoS) and ping flood attacks.
• Control the flow of information.
• Prevent internal system users from using certain sites or types of protocols.

Page 36: Network in Linux Security


Packet Filtering

• Should an arriving packet be allowed in? Should a departing packet be let out?
• Filter packet-by-packet, making decisions to forward/drop a packet based on:
  – source IP address, destination IP address
  – TCP/UDP source and destination port numbers
  – ICMP message type
  – TCP SYN and ACK bits
  – ...

Page 37: Network in Linux Security


Packet "filtering"

• Packet filtering is not just "filtering"
• Changing packets: filters are often able to rewrite packet headers (this is how NAT is done)
• Examine/modify IP packet contents only? Or entire Ethernet frames?
• Monitor TCP state?

Page 38: Network in Linux Security


Packet Filtering Limitations

• Cannot do: allow only certain users in (requires application-specific information)
• Can do: allow or deny entire services (protocols)
• Cannot do: allow, e.g., only certain files to be transferred over FTP

Page 39: Network in Linux Security


Packet Filtering in Linux: History

• 1st generation: ipfw (from BSD)
• 2nd generation: ipfwadm (Linux 2.0)
• 3rd generation: ipchains (Linux 2.2)
• 4th generation: iptables (Linux 2.4, 2.6)
• Since Linux 3.13 (2014): nftables, the successor framework; current distributions usually keep the iptables command as a compatibility front end (iptables-nft) on top of it

Page 40: Network in Linux Security


Packet Traversal in Linux

• An arriving packet first passes the Pre-Routing hook, then the routing decision.
• If it is addressed to this host it goes through Input to the local processes.
• If it is for another host it goes through Forward, then Post-Routing, and out.
• Packets generated by local processes go through Output and then Post-Routing.

Page 41: Network in Linux Security


The Rules Chain Concept

• The most common method used by packet filters to organize the filters is the rule chain. A rule chain is a list of each filter, or rule, that has been configured on the local system.
• Linux uses four main kinds of chains:
  – Input – packets travelling to the host
  – Output – packets leaving from the host
  – Forward – packets received by the host that will be forwarded by the host
  – User defined – a special type of chain created by the user that receives packets from the three main chains for processing
• Rule chains allow complex filtering of data entering or leaving a system while making it easy to install and maintain the rules.

Page 42: Network in Linux Security


Linux iptables/Netfilter

• In Linux kernels 2.4 and 2.6 we use the netfilter framework with iptables commands to set up the firewall.
• The old package, ipchains, is deprecated.
• http://www.netfilter.org/

Page 43: Network in Linux Security


iptables: http://www.netfilter.org/

• What is iptables?
  – iptables is the user-space front end to the netfilter framework inside the Linux kernel. This framework enables packet filtering, network address translation (NAT), network address and port translation (NAPT), and other packet mangling.
  – iptables is a generic table structure for the definition of rule sets. Each rule within an IP table consists of a number of classifiers (iptables matches) and one action (iptables target).
• What can I do with iptables?
  – build Internet firewalls based on stateless and stateful packet filtering
  – use NAT and masquerading for sharing Internet access
  – use NAT to implement transparent proxies
  – do further packet manipulation (mangling) like altering the bits of the IP header

Page 44: Network in Linux Security


iptables - Features (1)

• Stateful filtering of TCP & UDP traffic
  – Return traffic is admitted only for connections that clients opened; nothing has to be held open permanently
  – Presents a (mostly) "blank wall" to attackers
• "RELATED" state for complex applications (via connection-tracking helpers)
  – Active-mode FTP
  – Multimedia applications (RealAudio, etc.)
• Can filter on fragments

Page 45: Network in Linux Security


iptables - Features (2)

• Improved logging options
  – User-defined logging prefixes
  – Log selected packets (e.g., handshake packets)
• Port Address Translation (PAT)
• Network Address Translation (NAT)
  – Inbound: redirect to DMZ web server, mail server, etc. (DNAT)
  – Outbound: group outbound traffic behind one address (MASQUERADE) and/or use static assignment (SNAT)

Page 46: Network in Linux Security


iptables "chains"

• A chain is a sequence of filtering rules.
• Rules are checked in order; the first match wins.
• If no rule matches the packet, the chain's policy (its default action) is applied. Built-in chains have a policy; a user-defined chain returns to the chain that called it.
• Rules and user-defined chains can be inserted and deleted dynamically, without reloading the kernel.
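A stateful host firewall that exercises these chain rules, as an added example in POSIX shell (not code from the original deck): default-DROP policies on the built-in chains, a user-defined LOGDROP chain that logs with a prefix and then drops, and rule order chosen so that the first match does the right thing (loopback and established connections before the per-service rules, the LOGDROP catch-all last). The management subnet ADMIN_NET and the DRY_RUN switch are this example's own assumptions; by default the script only prints the iptables commands it would run, and DRY_RUN=0 applies them (as root).

```shell
#!/bin/sh
# Stateful host firewall with iptables (added example, not from the deck).
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them as root.
DRY_RUN=${DRY_RUN:-1}
ADMIN_NET=${ADMIN_NET:-10.0.1.0/24}   # assumed management subnet allowed to SSH in

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

apply_firewall() {
    # Start from a clean slate. Set the policy to ACCEPT first so that a
    # flush on a remote box does not lock us out before the rules are back.
    run iptables -P INPUT ACCEPT
    run iptables -F
    run iptables -X

    # "Allow nothing but ...": the policy is what applies when no rule matches
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # User-defined chain: rate-limited log with a searchable prefix, then drop
    run iptables -N LOGDROP
    run iptables -A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
    run iptables -A LOGDROP -j DROP

    # First match wins, so the order is the policy:
    # 1. loopback, 2. drop malformed state, 3. reply traffic for connections
    # this host opened (the stateful part), 4. per-service NEW connections,
    # 5. everything else goes to the logging catch-all
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -p tcp --dport 22 -s "$ADMIN_NET" -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    run iptables -A INPUT -j LOGDROP
}

apply_firewall
```

Review the printed rules with `sh fw.sh`, apply with `DRY_RUN=0 sh fw.sh`, and check the result with `iptables -L -n -v --line-numbers`. Loading rule by rule leaves a short window with a partial ruleset; for production use, write the same rules in iptables-save format and load them atomically with `iptables-restore`.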


Page 48: Network in Linux Security


Network Address Translation (NAT)

Page 49: Network in Linux Security


Private Network

• A private IP network is an IP network that is not directly connected to the Internet
• IP addresses in a private network can be assigned arbitrarily.
  – Not registered and not guaranteed to be globally unique
• Generally, private networks use addresses from the following ranges, reserved for private use by RFC 1918 and not routed on the public Internet:
  – 10.0.0.0 – 10.255.255.255 (10.0.0.0/8)
  – 172.16.0.0 – 172.31.255.255 (172.16.0.0/12)
  – 192.168.0.0 – 192.168.255.255 (192.168.0.0/16)

Page 50: Network in Linux Security


Private Addresses

Page 51: Network in Linux Security


Network Address Translation (NAT)

• NAT is a router function where the IP addresses (and possibly port numbers) of IP datagrams are replaced at the boundary of a private network
• NAT is a method that enables hosts on private networks to communicate with hosts on the Internet
• NAT runs on routers that connect private networks to the public Internet, replacing the IP address/port pair of an IP packet with another IP address/port pair

Page 52: Network in Linux Security


Basic operation of NAT

• The NAT device has an address translation table
• Example: host H1 in the private network has private address 10.0.1.2 and public address 128.143.71.21; host H5 on the Internet has public address 213.168.112.3
  – H1 sends: Source = 10.0.1.2, Destination = 213.168.112.3
  – After the NAT device: Source = 128.143.71.21, Destination = 213.168.112.3
  – H5 replies: Source = 213.168.112.3, Destination = 128.143.71.21
  – After the NAT device: Source = 213.168.112.3, Destination = 10.0.1.2

Translation table:
Private address   Public address
10.0.1.2          128.143.71.21

Page 53: Network in Linux Security


Main uses of NAT

• Pooling of IP addresses
• Supporting migration between network service providers
• IP masquerading
• Load balancing of servers

Page 54: Network in Linux Security


Pooling of IP addresses

• Scenario: a corporate network has many hosts but only a small number of public IP addresses
• NAT solution:
  – The corporate network is managed with a private address space
  – The NAT device, located at the boundary between the corporate network and the public Internet, manages a pool of public IP addresses
  – When a host from the corporate network sends an IP datagram to a host in the public Internet, the NAT device picks a public IP address from the address pool and binds this address to the private address of the host

Page 55: Network in Linux Security


Pooling of IP addresses

Page 56: Network in Linux Security


Supporting migration between network service providers

• Scenario: with CIDR, the IP addresses in a corporate network are obtained from the service provider. Changing the service provider requires changing all IP addresses in the network.
• NAT solution:
  – Assign private addresses to the hosts of the corporate network
  – The NAT device has static address translation entries which bind the private address of a host to the public address
  – Migration to a new network service provider merely requires an update of the NAT device. The migration is not noticeable to the hosts on the network.
• Note: the difference from the use of NAT with IP address pooling is that the mapping of public and private IP addresses is static.

Page 57: Network in Linux Security


Supporting migration between network service providers

• Example: H1 has private address 10.0.1.2. ISP 1 allocates the address block 128.143.71.0/24 to the private network; ISP 2 allocates 128.195.4.0/24.
  – H1 sends: Source = 10.0.1.2, Destination = 213.168.112.3
  – With ISP 1 the NAT device rewrites it to: Source = 128.143.71.21, Destination = 213.168.112.3
  – With ISP 2 only the NAT table changes, and the same packet leaves as: Source = 128.195.4.120, Destination = 213.168.112.3

Translation table:
Private address   Public address (ISP 1)   Public address (ISP 2)
10.0.1.2          128.143.71.21            128.195.4.120

Page 58: Network in Linux Security


IP masquerading

• Also called: network address and port translation (NAPT), port address translation (PAT).
• Scenario: a single public IP address is mapped to multiple hosts in a private network.
• NAT solution:
  – Assign private addresses to the hosts of the corporate network
  – The NAT device rewrites the source address to the single public address and modifies the source port numbers of outgoing traffic, so that replies can be mapped back to the right host

Page 59: Network in Linux Security


IP masquerading

Page 60: Network in Linux Security


Load balancing of servers

• Scenario: balance the load on a set of identical servers, which are accessible from a single IP address
• NAT solution:
  – Here, the servers are assigned private addresses
  – The NAT device acts as a proxy for requests to the server from the public network
  – The NAT device changes the destination IP address of arriving packets to one of the private addresses of a server
  – A sensible strategy for balancing the load of the servers is to assign the addresses of the servers in a round-robin fashion, per connection, so that all packets of one TCP connection reach the same server


Page 62: Network in Linux Security


Concerns about NAT

• Performance:
  – Modifying the IP header by changing the IP address requires that NAT boxes recalculate the IP header checksum
  – Modifying the port number requires that NAT boxes recalculate the TCP (or UDP) checksum, since that checksum covers the addresses and ports
• Fragmentation:
  – Care must be taken that a datagram that is fragmented before it reaches the NAT device is not assigned a different IP address or different port numbers for each of the fragments; only the first fragment carries the transport header, so the NAT device must reassemble or track the fragments

Page 63: Network in Linux Security


Concerns about NAT

• End-to-end connectivity:
  – NAT destroys universal end-to-end reachability of hosts on the Internet.
  – A host in the public Internet often cannot initiate communication to a host in a private network.
  – The problem is worse when two hosts that are each in a private network need to communicate with each other.

Page 64: Network in Linux Security


Concerns about NAT

• IP addresses in application data:
  – Applications that carry IP addresses in the payload of the application data generally do not work across a private/public network boundary (active-mode FTP, which sends its address and port in a PORT command, is the classic example).
  – Some NAT devices inspect the payload of widely used application-layer protocols and, if an IP address is detected in the application-layer header or the application payload, translate the address according to the address translation table.

Page 65: Network in Linux Security


Configuring NAT in Linux

• Linux uses the Netfilter/iptables package to add filtering and NAT rules to the IP stack

Page 66: Network in Linux Security


Configuring NAT with iptables

• First example (static one-to-one mapping):
  iptables -t nat -A POSTROUTING -s 10.0.1.2 -j SNAT --to-source 128.143.71.21
• Pooling of IP addresses:
  iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -j SNAT --to-source 128.143.71.0-128.143.71.30
• ISP migration (replace rule 1 of POSTROUTING with the new provider's pool; -R needs the rule number):
  iptables -t nat -R POSTROUTING 1 -s 10.0.1.0/24 -j SNAT --to-source 128.195.4.0-128.195.4.254
• IP masquerading (use whatever address the outgoing interface eth1 currently has):
  iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -o eth1 -j MASQUERADE
• Load balancing:
  iptables -t nat -A PREROUTING -i eth1 -j DNAT --to-destination 10.0.1.2-10.0.1.4
  (As written this redirects every packet arriving on eth1, including traffic meant for the gateway itself; in practice restrict it to the service, e.g. -p tcp --dport 80.)
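A NAT gateway built from the rules above, as an added example in POSIX shell (not from the original deck). It adds the two things the one-liners leave out: IP forwarding has to be switched on in the kernel, and with a DROP policy on FORWARD the translated packets still need FORWARD rules, otherwise the NAT entry is created but nothing passes. Interface names (eth0 inside, eth1 toward the ISP), the DMZ mail server address and the DRY_RUN switch are this example's own assumptions; the 10.0.1.0/24 network and the 10.0.1.2-10.0.1.4 web servers are the deck's. DRY_RUN=1 (default) prints the commands and DRY_RUN=0 applies them as root.

```shell
#!/bin/sh
# NAT gateway: masquerading for the LAN, DNAT publishing of a DMZ service,
# and DNAT load balancing over a server range (added example, not from the deck).
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them as root.
DRY_RUN=${DRY_RUN:-1}
LAN=${LAN:-eth0}                 # assumed inside interface
WAN=${WAN:-eth1}                 # outside interface, as in the deck's examples
LAN_NET=${LAN_NET:-10.0.1.0/24}  # private network from the deck

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# nat_gateway: outbound masquerading plus the FORWARD rules that let it work
nat_gateway() {
    run sysctl -w net.ipv4.ip_forward=1        # without this the box never forwards
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -t nat -F

    # Anti-spoofing: RFC 1918 sources must never arrive from the Internet side
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        run iptables -A FORWARD -i "$WAN" -s "$net" -j DROP
    done

    # Replies to connections opened from inside (and RELATED ones, e.g. FTP data)
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New connections from the LAN toward the Internet
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
    # Rewrite the source to the address of $WAN (NAPT: source ports are rewritten too)
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE
}

# publish_dmz_service PORT HOST: inbound DNAT of TCP PORT on $WAN to HOST
publish_dmz_service() {
    run iptables -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$1" -j DNAT --to-destination "$2:$1"
    # The DNAT rule only rewrites; the FORWARD chain must still admit the packet
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$2" --dport "$1" -m conntrack --ctstate NEW -j ACCEPT
}

# balance_service PORT FIRST LAST: spread new connections over FIRST..LAST.
# netfilter picks a target per connection (not a strict round-robin) and
# keeps every packet of that connection on the same server.
balance_service() {
    run iptables -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$1" -j DNAT --to-destination "$2-$3"
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -p tcp -m iprange --dst-range "$2-$3" --dport "$1" -m conntrack --ctstate NEW -j ACCEPT
}

nat_gateway
publish_dmz_service 25 10.0.1.5       # mail server in the DMZ (assumed address)
balance_service 80 10.0.1.2 10.0.1.4  # web servers from the deck's example
```

After applying, `iptables -t nat -L -n -v` shows the translation rules and `conntrack -L` (from the conntrack-tools package) shows the live translation table the slides describe, one entry per connection.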
