Chapter 3ii Flashcards
IP Spoofing: sending packets using a source IP address that is not yours
Often related to…
Outgoing & Incoming. What to allow and what not to?
DoS attacks (e.g. DNS amplification attack)
Outgoing (to the Internet):
* Only allow source IPs which belong to you
* Don’t be an operator who facilitates spoofed DoS attacks to the Internet!
Incoming (from the Internet):
* Only allow ‘valid’ source IPs
* For a varying definition of ‘valid’
* IPs which belong to you are not valid
* Local and special purpose IPs are not valid
* Rule of thumb: UNIV \ (Your IPs ∪ Special Purpose IPs)
Except for filtering of special purpose IPs, it is only possible to filter spoofed packets close to the sender or the receiver. Why?
…
- Only “sender’s firewall” knows its local network’s IP range and can drop spoofed outgoing traffic
- Only “receiver’s firewall” knows its local network’s IP range and can drop spoofed incoming traffic
- Other firewalls cannot differentiate!
Automatic Spoofing Protection
* The Linux kernel offers some spoofing protection for free: …
* Activate feature in: /proc/sys/net/ipv4/conf/all/rp_filter
* If a packet arrives at interface i, the kernel checks:
* Only considers …
reverse path filtering
- Is the source IP of the packet reachable through i?
- If not, drop the packet
local routing and interface configuration
What Firewalls cannot do
A firewall
* cannot protect against …
* cannot protect against …
* cannot protect against …
* cannot …
* does not perform …
* cannot set itself up correctly
malicious insiders
connections that don’t go through it
completely new threats
fully protect against viruses
cryptographic operations, e.g. message authentication
“Shadowing refers to the case where all the packets one rule intends to deny (accept) have been accepted (denied) by preceding rules”
Look at examples from the slides / find more working examples on the internet to work through :)
Common Errors
* …
From the Internet? From the complete internal network?
Via telnet? Via UPnP?
* …
NetBIOS? NFS? RPC? Telnet?
Other ICMP than Unreachable, Fragmentation Needed, TTL Exceeded, Ping?
IP header options?
* …
Are the rule sets compliant?
* …
* Even private IP ranges or IP ranges that don’t belong to you?
* …
Author of security policies and the admin configuring the FW might have different viewpoints
How is your firewall management interface reachable?
What is allowed over the Internet?
IPv4 and IPv6?
Outbound rule ANY? (c.f. spoofing)
Policy’s vs. Firewall’s understanding of Inbound and Outbound?
Definition and Purpose of a Bastion Host
Definition:
“A bastion host is a host that is more exposed to the hosts of an external network than the other hosts of the network it protects.”
A bastion host may serve for different purposes:
* Packet filtering
* Providing proxy services
* A combination of both
* (Hosting of other services)
How to secure a bastion host?
Keep it simple: disable ssh password login, disable unneeded user accounts, no services that are not absolutely needed should run
Prepare for the bastion host to be compromised -> regular backup of config files, don’t enable sniffing of internal traffic
Monitor the bastion host closely by extensive and tamper-resistant logging (reboots, usage/load patterns, logins (from remote))
Reliable hardware configuration and physically secure location (availability)
Simple Packet Filter Architecture:
Dual-Homed Host Architecture:
A packet filtering router or firewall with two interfaces
- Dual-Homed: Host is part of two networks (has two NICs)
- Bastion Host is Firewall + Application Proxy
- Drawbacks
- Bastion Host is bottleneck
- Compromised Bastion Host is worst-case scenario
Screened Host Architecture
- Packet filter protects network and Bastion Host
- Bastion Host is Proxy (may be accessible from the Internet)
- Compromised Bastion Host compromises the internal network
- If you have a home server and configured port-forwarding on your router, this is probably your architecture
Screened Subnet Architecture - DMZ