Chapter 3i Flashcards
What is the definition of a Network Middlebox?
Any intermediary box on the data path between a source host and a destination host that performs functions other than the standard functions of an IP router.
Includes filtering, inspection, and other functions aside from packet forwarding.
Four main network middlebox types: Firewalls, Intrusion Detection Systems, Network Address Translators, ____
What do they each do?
Hint: “Provide one point of entry to a service, distribute requests to multiple instances of a service”
Load Balancers (LB)
FW:
* Filter traffic based on a set of rules defined by a network administrator
IDS:
* Monitor traffic and collect data for (offline) analysis for security anomalies
* Capable of more complex inspection than Firewalls
NAT:
* Allows multiple (private) hosts to share a single (public) IP address (example scenario: home network)
* Rewrites the source IP address and port of outgoing packets, memorizes changes in NAT table
* Incoming packets are rewritten if mapping exists in NAT table
- NAT has Firewall-like characteristics, as a NAT implicitly blocks incoming traffic if no mapping exists.
  But: it is not a Firewall type and is not a security tool!
LB:
* Load balancers help to increase availability by distributing load.
The 3 Security Components
* Security Goals/Requirements: Define security goals; …
* Security Policy: …
* Security Mechanisms: …
Confidentiality, Data Integrity, Authenticity, Controlled Access, Availability, Accountability
“What do we want?” –> sender accountability/non-repudiation of all company-internal e-mails
Rules to implement the requirements;
“How to get there?” –> All e-mails must be cryptographically signed; unsigned e-mails should not be delivered
Enforce the policy
“What tools do we use?” –> X.509 certificates + e-mail signatures on the client side; dropping of unsigned e-mails by the e-mail server
What does the analogy of firewalls as medieval castle convey?
- Prevents attackers from getting close to other defenses
- Restricts people to entering and leaving at one carefully controlled point
Firewalls protect the entire network, not only the local computer.
Incoming and Outgoing Packets – Network Firewalls: What are the different views?
View 1 (“outside view by admin of the LAN”)
* Incoming: from the Internet to the local network
* Outgoing: from the local network to the Internet
View 2 (“inside view from the firewall”)
* On each interface, there are incoming and outgoing packets
By default, FWs do nothing, they need to be configured.
For convenience:
* # ip link set eth1 name inet
* # ip link set eth0 name lan
Firewall Default Strategies
* Default deny strategy: meaning?
…
* Default permit strategy
….
* Best practice: Default deny
* Also possible: Default deny for inbound traffic, default permit for outbound traffic
DEFAULT DENY
- Everything not explicitly allowed (= whitelisted/allowlisted) is denied
- Increased security; you know what applications are allowed to communicate
- Users that use non-standard applications/protocols will complain
DEFAULT PERMIT
- Everything not explicitly blocked (= blacklisted/blocklisted) is permitted
- Less secure
- Less hassle with users
Example: Firewall Configuration using Default Deny Strategy
- A firewall is configured by a rulelist
- For every packet, the ruleset is processed sequentially from top to bottom until a matching rule is found
- A rule consists of: Match condition & Action
Configuring Firewalls
* A firewall is configured by a …
* For every packet, the ruleset is …
* A rule consists of
ruleset; rulelist
processed sequentially from top to bottom until a matching rule is found
- Match condition & Action
Rules
Actions
* Accept
* Drop (no answer at all; connection attempt times out)
* Reject (actively reject a connection; “more graceful drop”)
* Log accepted/dropped/rejected connections
* …
Explain the match conditions.
hint: Incoming, Layer, State, Geofence, advanced conditions
- Incoming interface (from firewall viewpoint)
- All layer 2-4 packet fields: MAC addresses, IP addresses, protocol, ports, flags, …
- Stateful matches: The firewall tracks connections for you; e.g. with the IP-5-tuple
- Geofence
E.g. allowlist/blocklist connections to the network that originate in country X (default deny/default permit)
Firewall uses knowledge of which (source) IP ranges are used in which countries
Can be bypassed by a tunnel into the allowed country
- Further advanced conditions: rate limiting, locally tagged packets, …
Details on Packet Fields
- Link Layer (l2) – Ethernet
- Network Layer (l3) – IPv4
Explain.
Link Layer (l2) – Ethernet
* EtherType
* Usually: 0x0800 (IPv4)
* Handle other EtherTypes: e.g. Drop 0x86DD (IPv6)
* Ethernet MAC Address
* Easily spoofable!
* # ifconfig eth0 hw ether de:ad:be:ef:de:ad
Network Layer (l3) – IPv4
* IP addresses
* Transport protocol
* TCP, UDP, ICMP, …
* Flags: IP fragment
* Options: E.g. source routing
* Please drop source routing!
Transport Layer (l4) – TCP/UDP
Explain the ports and flags.
ports:
* Determine the communicating application/service
* Limited degree of confidence
flags:
* SYN, ACK, RST
Application Protocol (l5-7)
- Deep Packet Inspection (DPI)
- usually
- easier to
- E.g.: web proxy of a company inspecting the payload of their employees web traffic
- Note: ….
not done by firewalls
realize in proxy systems
encryption prevents DPI
Connection tracking / Stateful matching
States (“conditions”) of a connection
* NEW: First packet of a connection (no state (meta data) in firewall yet)
* ESTABLISHED: All following packets (state (meta data) exists in firewall)
Explain how this state is generated. Further, explain how optional state tracking works, depending on your firewall.
What about UDP Connection tracking?
First packet of connection may generate state (“memorized meta data”) in the firewall
* State is the IP-5-tuple (Src IP, Dst IP, Proto, Src Port, Dst Port) which identifies “known” connections
* Keeping state/connection tracking simplifies firewalling
* Tearing down the connection (FIN) clears the state; alternatively, the state is removed when a timer runs out
Optional State tracking (depending on your firewall)
* TCP sequence and ack numbers
* ICMP sequence numbers and request/response tracking
* Idea: numbers must grow monotonically (until they wrap around)
UDP Connection tracking
* UDP is stateless, no connections exist
* Approximation of UDP connection tracking possible using a timer (new packet resets timer; state cleaned when timer runs out); example: an answer to a previous DNS query
Example: LAN with Mail Server Discussion
- Internal hosts can establish connections to the Mailserver
- Can we prevent this?
- This subverts the security policy. Simple fix?
- No! The firewall cannot intercept these connections, due to the network topology.
- Simple fix 1: Check the security requirements, update the policy
- Simple fix 2: Replace the internal switch by a second firewall
Example: LAN with Mail Server Possible Weaknesses
- Is it possible to reach internal hosts other than the mail server from the outside via port 25?
- Yes! HOW?
…
- Fix: make sure that only source ports > 1023 are allowed to establish a connection
- Assume an internal host sends out a TCP packet with source and destination port 25 to shadymail.example
- Rule B establishes state / a connection in the firewall.
- Now, for shadymail.example, using source port 25, the internal host is reachable on the well-known port 25!
LAN with Mail Server: Tuning
- Few packets will …
- Most packets will use an established connection →
…
What is the best practice? Elaborate on performance and the typical ruleset structure.
- Changing the sequence of firewall rules can change the firewall’s semantics
- Moving C to the top has no effect as ESTABLISHED state can only be reached via rules A and B
- But: Moving rule D to the top would “shadow” all other rules, i.e., drop all connections
matched sequentially
establish a new connection
Moving rule C to the top optimizes rulelist processing
ESTABLISHED state can only be reached via rules A and B
“shadow” all other rules, i.e., drop all connections
What is Stateless Filtering?
A method where packets are treated individually without keeping track of previous packets. No state information is generated when processing a packet.
Stateless Filtering:
- Only operates on …
- Why? Keeping state is expensive and needs fast memory.
- Only few rules: stateless filtering may be…
- O(# rules)
- Many rules: stateful filtering may be faster
- Majority matches first rule, O(1) lookup
- Possible DoS attacks
- Stateless FW: …
- Stateful: …
- Many network boxes have stateless firewall features embedded
- Router access lists
- Some switches
- …
the rules and each individual packet.
faster
Send more packets than the FW can match, preferably ones that are matched very late in the ruleset
Exhaust the FW’s memory with useless state
What is the difference between Stateful and Stateless Firewalls?
Stateful firewalls track the state of active connections while stateless firewalls do not.
Stateless = more complex to configure, so configuration errors are likelier
LAN with Mail Server (Stateless)
What should the configuration look like for the following security policy?
Always in rule-pairs.
Problems?
- We implicitly assume that A1/B1 are for requests (connection establishment) and A2/B2 for responses.
  But in fact we do not differentiate between new and established connections
- Rule B2 allows incoming connections to the network (e.g. the mail server) on port numbers > 1023
- Rule A2 allows the mailserver to respond from arbitrary port numbers
- Conclusion: The firewall is not configured well (the mail server in particular is endangered)
How to fix? (#1)
The ACK Flag
- approximate the …
- set in …
- Rule of thumb: ACK flag set ≈ not NEW
- Attacker could send SYN/ACK as initial packet. THEN?
- Protocols such as UDP don’t have state information
- Not possible to differentiate between initiator and responder.
- UDP has no ACK field: Always set ACK to *
Why do we need it?
* FW Improvement 2: Only permit traffic from src port 25 if it is related to an already established session, i.e. NOT new!
* But how!?
state of TCP connections
every TCP segment but the first one
- Passes the firewall; garbage traffic reaches host
- Hosts will ignore it if they don’t have a flaw in their network stack.