3 - Network- & Transport-Layer (Filtering) Flashcards
Whats filtering?
Protecting A Network
Filtering of malicious packets at an early stage prevents many attacks
- E.g. Internet DoS attacks can only be mitigated by the ISP with appropriate filtering
Barrier between “us” and “them”
Shrink the attack vector by exposing the minimal amount of services or computers to the public
Always expect the worst case to happen
Whats Firewalls?
A firewall is a collection of components placed between two networks that collectively should have the following properties:
- All traffic from inside to outside, and vice versa, must pass through the firewall
- Only authorized traffic, as defined by the local security policy, will be allowed to pass
- The firewall itself is immune to penetration
Common assumptions
- Everyone behind the firewall is presumed to be a good guy
- Attacks will only come from “outside”
Possible strategies
- Block all dangerous traffic types/destinations (blacklisting)
- Block everything; unblock things known to be both, safe and necessary (whitelisting)
Why Use Firewalls?
Firewalls enforce the partition of a network into separate security domains
- E.g. demilitarized zones (DMZ)
They help to enforce security policies and to distinguish privileged and ordinary network users
Most hosts have security flaws
- Server software is buggy
Firewalls are a response to host security problems
- Example: Land attacks targeted on certain vulnerable systems
The Evil Inside
Standard assumption: there are no bad guys behind the
firewall
Internal machines might be infected with malware
-Users download and execute malware
Malware could be used to steal sensitive information
Firewalls are not the ultimate protection, but they help
- E.g. Ingress Filtering helps avoiding IP spoofing
Ingress Filtering
Routers know IP ranges of networks connected to each port
- Check for plausible source address of any packet
Advantages
- Drastically reduces the success of IP address spoofing and therefore mitigates all attacks based on IP address spoofing (e.g. some DoS attacks)
Disadvantages
- Does not prevent attacks from the same network: still no data origin authentication!
- Can break services such as Mobile IP where originating traffic from the end point might intentionally use the “wrong” source address
Network-Layer Firewalls: Packet Filters
Packet filters typically have access to network-, transport- and application-layer data –> layering violation
Use packet header data and content to decide whether to accept or drop the packet based on a given set of rules
Simple and cheap
Disadvantages:
- Filter rules are hard to set up
- Different rules may interact which makes it hard to find mistakes
- Thus, maintenance is difficult/expensive
Two approaches
- Stateless: rules are applied to each packet independently
- Stateful: packet filter can remember information about sequences of packets, which for example allows to keep track of connections
Stateful vs. Stateless Firewalls
Stateless firewalls are memory-less
- don‘t keep track of events that happened before (Individual packets are accepted or denied)
- how to distinguish an intrusive packet from replies coming from the outside?
- We want to permit outbound connections
Stateful firewalls record outgoing packets and associate incoming packets with the state being created
Packet Filter Example: iptables/netfilter
Netfilter is a project that provides packet filtering capabilities to the Linux kernel since version 2.3
iptables is the user space tool to configure the packet filter
- Supports IPv4 only
- For other protocols there exist different programs which work similarly
nftables is the attempt to combine and replace all these tools
Netfilter Architecture
Linux kernel holds tables with rules for different purposes:
- filter: Default table for packet filtering
- nat: This table is consulted when a packet creates a new connection, i.e. TCP packets with SYN-flag set
- mangle: This table is used to alter packets
Tables consist of lists of rules (so called chains) for different packet processing stages and packets of certain classes
- There are built-in chains but users can define their own chains
- Examples: PREROUTING, POSTROUTING, INPUT, OUTPUT
Rules specify criteria for packets and so called targets
- If a packet matches the criteria of a rule, it is forwarded to the target of the rule
- Targets can be user-defined chains or actions like ACCEPT, DROP, REJECT, …
- If a packet does not match the criteria of a rule, the next rule in the chain is examined
iptables is used to set up, maintain, and inspect tables of IPv4 packet filter rules in the Linux kernel
Netfilter Usage Examples
Chains have a default policy, which is applied if no rules matches
Allow all outgoing traffic (blacklisting):
iptables –P OUTPUT ACCEPT
Discard all incoming packets (whitelisting):
iptables –P INPUT DROP
Each rule has its fixed position in the chain
- Packets traverse a chain from the beginning to the end
- In every step it is checked if a rule matches
Rules specify a condition and an action to take
- The action is called target
- A target can be another chain or one of the following
- ACCEPT: let packet through
- DROP: drop the packet
- QUEUE: send packet to a user space queue
- RETURN: stop traversing current chain and continue with next step in the calling chain; if there is no calling chain or the calling chain‘s end is reached apply default chain policy
As packets traverse the chain sequentially, the order of rules is important
- When a target is applied, the packet is not processed further in the chain (except for the RETURN target)
To allow all incoming TCP traffic we specify the rule
iptables –A INPUT –p tcp –dport 80 –j ACCEPT
Locking out traffic from an attacking network is pretty easy
iptables –A INPUT –p tcp –s 131.246.0.0/16 –dport 80 –j DROP
iptables Extensions
extensions for iptables that allow stateful filtering and much more
Example: The connection tracking module allows us to keep track of established and related connections: iptables –A INPUT –m conntrack --cstate RELATED,ESTABLISHED –j ACCEPT - This will accept all packets which belong to already established connections or to related connections
Newly spawned connections are related if they are a direct result of already established connections
- Example: FTP uses separate control and data connections
Once a file transfer is started, a new data connection is spawned on a random port
- The port might be blocked by the firewall, but the connection tracking module detects it as related to the control stream and lets it pass
Packet Filters: Limits
Packet filters are a powerful tool to defend against attacks on the network layer
However, they cannot protect against bugs in the upper layers
- Services itself might have bugs which allow an intruder to damage the system
Firewalls only help against attacks from the outside
Port-forwarding and tunneling make it possible to undermine a firewall
- Tunneling over encrypted channel (e.g. using SSH) makes it impossible for the firewall to look into packets
