3 - Network- & Transport-Layer (Filtering) Flashcards

1
Q

What's filtering?

A

Protecting A Network

Filtering of malicious packets at an early stage prevents many attacks
- E.g. Internet DoS attacks can only be mitigated by the ISP with appropriate filtering

Barrier between “us” and “them”

Shrink the attack vector by exposing the minimal amount of services or computers to the public

Always expect the worst case to happen

2
Q

What are firewalls?

A

A firewall is a collection of components placed between two networks that collectively should have the following properties:

  • All traffic from inside to outside, and vice versa, must pass through the firewall
  • Only authorized traffic, as defined by the local security policy, will be allowed to pass
  • The firewall itself is immune to penetration

Common assumptions

  • Everyone behind the firewall is presumed to be a good guy
  • Attacks will only come from “outside”

Possible strategies

  • Block all dangerous traffic types/destinations (blacklisting)
  • Block everything; unblock things known to be both safe and necessary (whitelisting)
3
Q

Why Use Firewalls?

A

Firewalls enforce the partition of a network into separate security domains
- E.g. demilitarized zones (DMZ)

They help to enforce security policies and to distinguish privileged and ordinary network users

Most hosts have security flaws
- Server software is buggy

Firewalls are a response to host security problems
- Example: Land attacks targeting certain vulnerable systems

4
Q

The Evil Inside

A

Standard assumption: there are no bad guys behind the firewall

Internal machines might be infected with malware
- Users download and execute malware

Malware could be used to steal sensitive information

Firewalls are not the ultimate protection, but they help
- E.g. ingress filtering helps avoid IP spoofing

5
Q

Ingress Filtering

A

Routers know IP ranges of networks connected to each port
- Check for plausible source address of any packet

Advantages
- Drastically reduces the success of IP address spoofing and therefore mitigates all attacks based on IP address spoofing (e.g. some DoS attacks)

Disadvantages

  • Does not prevent attacks from the same network: still no data origin authentication!
  • Can break services such as Mobile IP where originating traffic from the end point might intentionally use the “wrong” source address
6
Q

Network-Layer Firewalls: Packet Filters

A

Packet filters typically have access to network-, transport- and application-layer data -> layering violation

Use packet header data and content to decide whether to accept or drop the packet based on a given set of rules

Simple and cheap

Disadvantages:

  • Filter rules are hard to set up
  • Different rules may interact which makes it hard to find mistakes
  • Thus, maintenance is difficult/expensive

Two approaches

  • Stateless: rules are applied to each packet independently
  • Stateful: packet filter can remember information about sequences of packets, which for example allows it to keep track of connections
7
Q

Stateful vs. Stateless Firewalls

A

Stateless firewalls are memory-less

  • don't keep track of events that happened before (individual packets are accepted or denied)
  • how to distinguish an intrusive packet from replies coming from the outside?
  • We want to permit outbound connections

Stateful firewalls record outgoing packets and associate incoming packets with the state being created

8
Q

Packet Filter Example: iptables/netfilter

A

Netfilter is a project that provides packet filtering capabilities to the Linux kernel since version 2.3

iptables is the user space tool to configure the packet filter

  • Supports IPv4 only
  • For other protocols there exist different programs which work similarly

nftables is the attempt to combine and replace all these tools

9
Q

Netfilter Architecture

A

Linux kernel holds tables with rules for different purposes:

  • filter: Default table for packet filtering
  • nat: This table is consulted when a packet creates a new connection, i.e. TCP packets with SYN-flag set
  • mangle: This table is used to alter packets

Tables consist of lists of rules (so-called chains) for different packet processing stages and packets of certain classes

  • There are built-in chains but users can define their own chains
  • Examples: PREROUTING, POSTROUTING, INPUT, OUTPUT

Rules specify criteria for packets and so-called targets

  • If a packet matches the criteria of a rule, it is forwarded to the target of the rule
  • Targets can be user-defined chains or actions like ACCEPT, DROP, REJECT, …
  • If a packet does not match the criteria of a rule, the next rule in the chain is examined

iptables is used to set up, maintain, and inspect tables of IPv4 packet filter rules in the Linux kernel

10
Q

Netfilter Usage Examples

A

Chains have a default policy, which is applied if no rule matches
Allow all outgoing traffic (blacklisting):
iptables -P OUTPUT ACCEPT
Discard all incoming packets (whitelisting):
iptables -P INPUT DROP

Each rule has its fixed position in the chain

  • Packets traverse a chain from the beginning to the end
  • In every step it is checked if a rule matches

Rules specify a condition and an action to take

  • The action is called target
  • A target can be another chain or one of the following
  • ACCEPT: let packet through
  • DROP: drop the packet
  • QUEUE: send packet to a user space queue
  • RETURN: stop traversing current chain and continue with next step in the calling chain; if there is no calling chain or the calling chain's end is reached apply default chain policy

As packets traverse the chain sequentially, the order of rules is important
- When a target is applied, the packet is not processed further in the chain (except for the RETURN target)

To allow all incoming TCP traffic to port 80 we specify the rule
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Locking out traffic from an attacking network is pretty easy (as rules are matched in order, this DROP rule must precede the ACCEPT rule above to take effect)
iptables -A INPUT -p tcp -s 131.246.0.0/16 --dport 80 -j DROP

11
Q

iptables Extensions

A

There are extensions for iptables that allow stateful filtering and much more

Example: The connection tracking module allows us to keep track of established and related connections:
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- This will accept all packets which belong to already established connections or to related connections

Newly spawned connections are related if they are a direct result of already established connections
- Example: FTP uses separate control and data connections; once a file transfer is started, a new data connection is spawned on a random port
- The port might be blocked by the firewall, but the connection tracking module detects it as related to the control stream and lets it pass

12
Q

Packet Filters: Limits

A

Packet filters are a powerful tool to defend against attacks on the network layer

However, they cannot protect against bugs in the upper layers
- Services themselves might have bugs which allow an intruder to damage the system

Firewalls only help against attacks from the outside

Port-forwarding and tunneling make it possible to undermine a firewall
- Tunneling over encrypted channel (e.g. using SSH) makes it impossible for the firewall to look into packets
