
Firewalls, VPNs, and Modem Security

Firewalls, VPNs, and Modem Security. Lesson 07. Filters and Firewalls. Filter -- a software program or device that monitors incoming and outgoing packets on a computer network to determine whether the packets should be allowed to enter or leave a computer system.




  1. Firewalls, VPNs, and Modem Security Lesson 07

  2. Filters and Firewalls
  • Filter -- a software program or device that monitors incoming and outgoing packets on a computer network to determine whether the packets should be allowed to enter or leave a computer system.
  • Firewall -- a network monitor or collection of monitors placed between an organization’s internal network and the Internet or between two local area networks.

  3. Junk E-Mail Filters
  • Some ISPs attempt to filter junk email
    • extra load it places on servers
    • annoyance factor
    • what if it is not junk?
  • Attempts to eliminate junk e-mail
    • Check the “From” field or IP address for known spammers
    • Check to see if it originated from a mail delivery agent frequently used by spammers
  • All approaches potentially eliminate valid (non-spam) email

  4. Web Filtering
  • Used to “prevent certain materials from entering into a system while users are browsing the Web.”
  • Often offered as an alternative to legislative actions such as the Communications Decency Act.
  • Filtering at the receiving end does not inhibit free speech
  • The problem is that the filters are not completely accurate
    • numerous reports of “inappropriate” material not being filtered or valid info being blocked

  5. Web Filtering
  • The Net Shepherd Family Search filter returned only 1% of the sites returned by a non-filtered search using Alta Vista -- even though the search was on items such as “American Red Cross”, “Thomas Edison”, and “National Aquarium”.
  • One university’s filtering blocked the Edupage newsletter because of the sentence:
    • “The new bill is more narrowly focused than the CDA, and is targeted strictly at impeding the flow of commercial pornography on the World Wide Web.”
  • Cybersitter blocked sites for the National Organization for Women, Godiva chocolates, and the teen website Peacefire.
  • Cyber Patrol allowed 6 of the first 16 sites listed in Yahoo’s category “Sex: Virtual Clubs”

  6. Web Filtering
  • The World Wide Web Consortium approach to filtering is based on assigned labels and ratings and is called the Platform for Internet Content Selection (PICS)
    • does not dictate labels; instead allows groups to establish their own.
  • The European Commission proposed a similar rating scheme. Governments could develop site-rating systems, and software would be provided that would allow teachers and parents to filter unwanted info.
  • Another proposal is an adult-only domain

  7. Firewalls (Firewalls: The Complete Reference, by Strassberg et al.)
  • “The computer or computers that stand between trusted networks (such as internal networks) and untrusted networks (such as the Internet), inspecting all traffic that flows between them.”
  • Firewalls have the following attributes:
    • All communications pass through the firewall
    • The firewall permits only traffic that is authorized
    • The firewall can withstand attacks upon itself

  8. Firewalls
  • Four architectures (???)
  • Rule processing on routers – earliest and simplest
  • Packet Filtering – also called packet screening: decide to allow or reject specific packets as they enter your network
  • Stateful Inspection – looks at the contents of the packet, not just the header
  • Application Level Gateway – also known as proxy gateways, used to forward service-specific traffic (e.g. email).
    • Proxies act as a middleman preventing a direct connection; the proxy will take the request and, if allowed by the policy, will forward it.
    • The proxy ‘understands’ the service and can make better filtering decisions (thus theoretically more secure) but is less flexible and more time consuming
  • Circuit Level Gateway – simply relays bytes from a port on one system to another on an external network.
    • The connection appears to originate from the firewall and not the internal system
    • No direct connection between internal and external systems – but not filtered
  • Hybrid Firewalls – e.g. filter some protocols, use an application gateway on others

  9. Packet Filtering

  Rule set 1:

  Operation   Source        Port    Destination   Port    Type
  discard     bad.host      *       *             *       *
  allow       our.host      25      *             *       *
  discard     128.236.*.*   >1023   our.host      >1023   tcp

  Rule set 2:

  Operation   Source        Port    Destination   Port    Type
  allow       bad.host      25      our.host      25      *
  discard     bad.host      *       *             *       *
  allow       our.host      25      *             *       *
  discard     128.236.*.*   >1023   our.host      >1023   tcp
  allow       *             *       *             *       *
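An added example (not from the slides) that evaluates the rule tables above as a packet filter would. It assumes first-match semantics (the slide does not say so, but the final allow-all row of rule set 2 only makes sense if earlier rows take priority), and the address wildcard syntax, the ">N" port syntax and the sample packets are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str      # source host name or dotted address
    sport: int
    dst: str
    dport: int
    proto: str    # "tcp" or "udp"

def match_addr(pattern: str, addr: str) -> bool:
    """Match "*", an exact host/address, or a dotted wildcard such as 128.236.*.*."""
    if pattern in ("*", addr):
        return True
    want, have = pattern.split("."), addr.split(".")
    return len(want) == len(have) and all(p in ("*", a) for p, a in zip(want, have))

def match_port(pattern: str, port: int) -> bool:
    """Match "*", an exact port, or a lower bound written as ">N"."""
    if pattern == "*":
        return True
    if pattern.startswith(">"):
        return port > int(pattern[1:])
    return port == int(pattern)

def evaluate(rules, pkt: Packet, default: str = "discard") -> str:
    """Return the action of the first rule matching pkt, or the default when none does."""
    for action, src, sport, dst, dport, proto in rules:
        if (match_addr(src, pkt.src) and match_port(sport, pkt.sport)
                and match_addr(dst, pkt.dst) and match_port(dport, pkt.dport)
                and proto in ("*", pkt.proto)):
            return action
    return default

# Rule set 2 from the slide: (action, source, port, destination, port, type).
RULES = [
    ("allow",   "bad.host",    "25",    "our.host", "25",    "*"),
    ("discard", "bad.host",    "*",     "*",        "*",     "*"),
    ("allow",   "our.host",    "25",    "*",        "*",     "*"),
    ("discard", "128.236.*.*", ">1023", "our.host", ">1023", "tcp"),
    ("allow",   "*",           "*",     "*",        "*",     "*"),
]

# Constructed sample packets; the expected action is in the trailing comment.
SAMPLES = [
    Packet("bad.host", 25, "our.host", 25, "tcp"),         # allow   (rule 1: mail only)
    Packet("bad.host", 4000, "our.host", 80, "tcp"),       # discard (rule 2)
    Packet("128.236.7.9", 5000, "our.host", 6000, "tcp"),  # discard (rule 4: high ports)
    Packet("128.236.7.9", 5000, "our.host", 25, "tcp"),    # allow   (rule 5: default allow)
]
```

Note that rule 4 names tcp only, so the same high-port packet over udp falls through to the final allow; rule set 1 (rows 2 to 4 of RULES, with no allow-all row) ends in the default discard instead.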

  10. Firewall Architectures: Screening Router
  [diagram labels: Internet, Screening Router]

  11. Firewall Architectures: Dual-homed host Architecture
  [diagram labels: Internet, Dual-homed host]

  12. Firewall Architectures: Screened host Architecture
  [diagram labels: Internet, X, Screening Router, Bastion Host]

  13. Bastion Hosts
  • A specially ‘armored’ and protected host.
  • May run a special ‘secure’ or ‘stripped down’ version of the OS
  • Only essential services are run on it.
  • User accounts generally not permitted (admin only)
  • Machines inside of the firewall should not trust the Bastion Host.

  14. Firewall Architectures: Screened subnet Architecture
  [diagram labels: Internet, Exterior Router, Bastion host, Perimeter Network, Interior Router, Internal Network]

  15. So, what’s the difference between them?
  • Screening router: very primitive, just a souped-up router.
  • Dual-homed host (firewall): the routing function is turned off, so external systems can’t communicate directly with internal systems! Provides services through proxies.
  • Screened host: the router provides routing and packet filtering functions; the bastion provides a single system to heavily secure.
  • Screened subnet: in a screened host firewall there are no defenses between the bastion and other systems, thus if the bastion is compromised, the internal network is vulnerable. The screened subnet adds another router to add another layer of protection. This router can be configured to only allow certain services.

  16. Firewall Architectures: Multiple Exterior Routers
  [diagram labels: Supplier Network, Internet, Exterior Router, Exterior Router, Bastion host, Perimeter Network, Interior Router, Lab Network, Internal Network]

  17. Checkpoint Firewall Sample Rule Set

  18. Cisco System PIX Firewall

  19. Network Address Translation (NAT)
  • Firewalls can also provide NAT services
  • Allows a LAN to use one set of addresses for internal purposes and a second set for external traffic
    • Not all systems need a globally unique IP address
    • Saves on IP addresses, which is a concern for IPv4
  • Shields internal addresses from public view

  20. Network Address Translation (NAT)
  • There are a limited number of IP addresses available and not every system needs one.
  • NAT was developed to provide a means to translate private IP addresses into public IP addresses.
  • A device (typically a router or firewall) will accomplish this translation process.
  [diagram: Firewall performs NAT]
    Outbound, inside the firewall:   Source: 10.1.1.123     Destination: 207.25.71.23
    Outbound, outside the firewall:  Source: 63.69.110.110  Destination: 207.25.71.23
    Reply, outside the firewall:     Source: 207.25.71.23   Destination: 63.69.110.110
    Reply, inside the firewall:      Source: 207.25.71.23   Destination: 10.1.1.123
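An added example (not from the slides) of the translation state a NAT firewall keeps for the exchange on the NAT slides: the private source 10.1.1.123 is rewritten to the public 63.69.110.110 on the way out, the reply is mapped back, and an inbound packet with no matching outbound session is dropped, which is what “shields internal addresses from public view” means in practice. Port translation, the public port range and the packet fields are assumptions; all packets are constructed.

```python
from dataclasses import dataclass

PUBLIC_IP = "63.69.110.110"   # the firewall's outside address on the NAT slide

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class Nat:
    """Port-translating NAT: many private hosts share one public address."""
    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port   # next unused public port (constructed range)
        self.outbound = {}   # (private src, sport, dst, dport) -> public port
        self.inbound = {}    # (public port, remote addr, remote port) -> (private src, sport)

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite a packet leaving the LAN so only the public address is seen outside."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.outbound:          # new session: allocate a public port
            port, self.next_port = self.next_port, self.next_port + 1
            self.outbound[key] = port
            self.inbound[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, self.outbound[key], pkt.dst, pkt.dport)

    def translate_inbound(self, pkt: Packet):
        """Map a reply back to the private host; unsolicited inbound packets are dropped."""
        if pkt.dst != self.public_ip:
            return None
        entry = self.inbound.get((pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None                       # no session was initiated from inside
        src, sport = entry
        return Packet(pkt.src, pkt.sport, src, sport)

def demo():
    """Walk the slide's exchange: 10.1.1.123 -> 207.25.71.23, the reply, and a stray packet."""
    nat = Nat()
    out = nat.translate_outbound(Packet("10.1.1.123", 51000, "207.25.71.23", 80))
    back = nat.translate_inbound(Packet("207.25.71.23", 80, out.src, out.sport))
    stray = nat.translate_inbound(Packet("207.25.71.23", 80, PUBLIC_IP, 40999))
    return out, back, stray
```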

  21. Emerging Technologies
  • Consolidated Management Consoles – an attempt to provide a single interface for the variety of security devices an administrator may face (e.g. firewall, ACLs on routers)
  • Content vectoring – “shuffle” certain traffic off to ancillary internal or external handlers for additional inspection or processing.
  • Multifunction Devices – integration of multiple security products into a single platform (e.g. IDS and firewall, firewall with router, …)

  22. Personal Firewalls
  • Designed to insulate vulnerable desktop OSs from attacks.
  • The growth of residential and small-business broadband Internet access has also increased the need for personal firewalls.
  • The spread of various Distributed Denial of Service attacks which take advantage of unprotected platforms has also helped to bring this issue forward.

  23. Modem Security, Wardialing, and Telecomm Firewalls

  24. What is the Network?
  There is a growing connectivity between the Data Network and the Telephone Network.
  Network Security Technologies Have Focused Almost Entirely on the TCP/IP Network… The Weakest Link is Now the Phone Network.

  25. The Data Network
  • One pipe
  • High speed
  • Thousands of connections
  • Controlled and monitored
  • One chokepoint
  [diagram label: Cat V]
  … your Internet connection is just a dedicated, high-speed telephone line.

  26. The Telephone Network
  Public Switched Telephone Network (PSTN)
  • Thousands of pipes
  • Low speed
  • Uncontrolled
  • Unmonitored
  • No chokepoint
  … think of your telephone network as thousands of low-speed internet connections.

  27. The TCP/IP Network
  [diagram labels: Attacker, Internet, Router, Intrusion Detection, Firewall, Web Server, Users]

  28. The Actual Network
  [diagram labels: Internet, Public Telephone Network, Router, Web Server, Intrusion Detection, Firewall, RAS (Dial-in Servers), Users, PBX]

  29. Security in The Actual Network
  [diagram labels: Attacker, Internet, Public Telephone Network, Router, Web Server, Intrusion Detection, Firewall, RAS (Dial-in Servers), Users, PBX]

  30. Security in The Actual Network
  “2-4% of all telephone lines have active modems”
  [diagram labels: Attacker, Internet, Public Telephone Network, Router, Web Server, Intrusion Detection, Firewall, RAS (Dial-in Servers), Users, PBX]

  31. (diagram callouts)
  • Proprietary data can be uploaded by users
  • Virus protection mechanisms can be circumvented
  • Unauthorized access to ISPs
  [diagram labels: Internet, Public Telephone Network, Router, Web Server, Intrusion Detection, Firewall, RAS (Dial-in Servers), Users, PBX]

  32. Wardialers
  • Step 1, phone number footprinting
  • Public domain wardialers
    • ToneLoc
    • THC
  • Commercial
    • PhoneSweep
    • TeleSweep Secure

  33. War Dialing the ‘Bay’
  • In ’97, Peter Shipley dialed the San Francisco Bay area looking for systems answered by a modem. He eventually finished the entire range but the final report hasn’t been published. Early results reported, however, included:
    • 1.4 million numbers dialed
    • 500 an hour, 12,000 a day
    • 14,000 of the lines dialed were reportedly modems

  34. Some interesting results:
  • An East Bay medical facility gave unrestricted modem access to patient records.
  • An Internet company offering financial services did not require a password to modify its modem-accessible firewall.
  • A Fortune 100 company’s air conditioner and environmental control units could be easily changed by modem, allowing lights to be turned off or heating/air conditioning to be changed.
  • Only 3 of every 1000 modem lines he checked posted a warning banner (a requirement for gov. machines).
  • Some of the welcome banners gave the name of the operating system, release, and name of the corporation.

  35. Carrier Exploitation
  • Once you have a number, now what? Check the wardialing log, you can get some clues, then dial back.
    CONNECT 57600
    HP995-400: Expected a HELLO command. (CIERR 6057)
  • Many default sequences (e.g. HP MPE-XL systems)
    CONNECT 57600
    HP995-400: HELLO FIELD.SUPPORT PASSWORD=TeleSup
  • Default for pcAnywhere -- no password/userid
  • and… you can always try brute force password guessing if nothing else works!

  36. The Current Prevention Approach
  • Policy
  • Scanning (ad hoc War Dialing)
  • Administrative Action

  37. Current Scanning Challenge
  • Window of Visibility
  • Time / Scalability
  • Vulnerability Measurement
  • Cost (Long Distance Charges)
  • Data Collection and Consolidation
  • Logging / Reporting

  38. Solution
  A better approach than ad-hoc wardialing is to apply the same type of control that is found on the IP network to the telephone network. Thus, the solution is a firewall for the telephone network.

  39. The Telephone Network
  Public Switched Telephone Network (PSTN)
  • Thousands of pipes
  • Low speed
  • Uncontrolled
  • Unmonitored
  • No chokepoint
  … think of your telephone network as thousands of low-speed internet connections.

  40. A Firewall for Phone Lines
  Public Switched Telephone Network (PSTN) -- Phone Firewall
  • One virtual pipe
  • Controlled and monitored
  … get your hands around the problem, and take control of the telephone network.

  41. Remote Enterprise-wide Telecom Firewall Protection
  Telecom Firewall: Voice / Modem / Fax
  • Detect
  • Log
  • Alarm
  • Block
  [diagram labels: Internet, Public Telephone Network, Router, Web Server, Intrusion Detection, Firewall, RAS (Dial-in Servers), Users, PBX]

  42. Remote Enterprise-wide Telecom Firewall Protection
  Telecom Firewall: Voice / Modem / Fax
  • Detect
  • Log
  • Alarm
  • Block
  [diagram labels: Attacker, Internet, Public Telephone Network, Router, Web Server, Intrusion Detection, Firewall, RAS (Dial-in Servers), Users, PBX]

  43. TeleWall Telecommunications Firewall

  44. Protect Phone-to-Switch
  • Telephone fraud is a tremendous problem (1999: $5B)
  • Most PBXs have a remote dial-up port for maintenance purposes.
    • Often protected with a numeric password
  • The same device used to protect against attacks on unauthorized modems can be used to protect the PBX as well.

  45. PBX Hacking
  • Dial-up connections are the most frequent means of remotely managing a PBX. Also frequently used for vendor external support.
  • Just like computers with default passwords, PBXs often have default access codes.
  • What companies should do is remove the defaults and, if a problem occurs, then provide the access code to the vendor; unfortunately… this is seldom done.

  46. DTMF Signaling Detection
  Telecom Firewall
  • Detect
  • Log
  • Alarm
  • Block
  [diagram labels: Attacker, Remote Enterprise-wide Telecom Firewall Protection, Internet, Public Telephone Network, Router, Web Server, Intrusion Detection, Firewall, RAS (Dial-in Servers), Users, PBX]

  47. IP Telephony Security Issues
  [diagram labels: GW, 10/100, PBX, PSTN, Router, Internet, User Connected Modem (IP Phone)]

  48. Telecommunication Firewalls
  • Log call progress
  • Characterize call traffic
  • Enforce Security and Usage Policy
  • Control remote maintenance facility and port access
  • Report resource utilization
  • Fraud detection/prevention
  • Trunk line status and usage
  • Emergency notification
  • ROI
  • Protection of VoIP
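An added example (not from the slides, and not any vendor's product) of the detect / log / alarm / block policy from slides 41 to 46 and the functions listed above, run over constructed call-progress records: a modem answering or dialing on any line outside the RAS dial-in pool is blocked and alarmed, the PBX maintenance port only accepts an allow-listed vendor number, and one caller that reaches several lines in a row is reported as a dial sweep. Line names, phone numbers, the log format and the sweep threshold are all assumptions.

```python
from collections import defaultdict

# Constructed policy: the only lines on which a modem may answer or dial are the
# RAS dial-in pool, and only one vendor number may reach the PBX maintenance port.
AUTHORIZED_MODEM_LINES = {"RAS-01", "RAS-02"}
PBX_MAINT_LINE = "PBX-MAINT"
PBX_MAINT_ALLOWED_CALLERS = {"5550123"}

# Constructed call-progress log: time, direction, line, remote number, call type.
LOG = """\
09:00:01 IN  RAS-01    5558000 MODEM
09:00:07 IN  EXT-2214  5559001 MODEM
09:00:09 IN  EXT-2215  5559001 MODEM
09:00:11 IN  EXT-2216  5559001 MODEM
09:01:30 IN  PBX-MAINT 5550123 MODEM
09:02:10 IN  PBX-MAINT 5550199 MODEM
09:02:40 OUT EXT-3001  5552222 VOICE
09:03:05 OUT EXT-2214  5557777 FAX
09:03:30 OUT EXT-2300  5556666 MODEM
"""

def classify(record: str) -> str:
    """Return the firewall action for one call record under the policy above."""
    _, _, line, remote, ctype = record.split()
    if ctype != "MODEM":
        return "LOG"                       # voice and fax: record the call, nothing more
    if line == PBX_MAINT_LINE:
        return "LOG" if remote in PBX_MAINT_ALLOWED_CALLERS else "BLOCK+ALARM"
    return "LOG" if line in AUTHORIZED_MODEM_LINES else "BLOCK+ALARM"

def enforce(log: str = LOG):
    """Apply the policy to every record: a list of (line, action)."""
    return [(r.split()[2], classify(r)) for r in log.splitlines()]

def detect_sweep(log: str = LOG, threshold: int = 3):
    """Callers that reached `threshold` or more distinct lines: a likely dial sweep."""
    lines_by_caller = defaultdict(set)
    for r in log.splitlines():
        _, direction, line, remote, _ = r.split()
        if direction == "IN":
            lines_by_caller[remote].add(line)
    return sorted(c for c, ls in lines_by_caller.items() if len(ls) >= threshold)
```

The last record shows the outbound case from slide 31: a user dialing out to an ISP from a desk line is blocked, not just logged.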

  49. Extensions to Telecomm Firewalls
  • Telephone bill reconciliation package.
  • Secure Voice
  • Secure VoIP
  • Additional ‘password’ (DTMF signaling) for increased security.
  • Securing of SCADA (Supervisory Control and Data Acquisition) systems.
    • Roosevelt Dam in Arizona

  50. Virtual Private Networks (VPN)
  • From WEBOPEDIA: a network that is constructed by using public wires to connect nodes. For example, there are a number of systems that enable you to create networks using the Internet as the medium for transporting data. These systems use encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.
