CSIS 4490 Firewall Security Peter Kruszka - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
CSIS 4490 Firewall Security - Peter Kruszka
  • High level security issue survey
  • Expert recommendations
  • Discussion of ipchains

2
Security Breaches
  • Security is a people issue
  • Internal security issues account for 75% of incidents
  • - Deliberate
  • - Accidental
  • Physical access
  • - Top secret material: keep it physically separate
  • - Physical media (floppies, etc.) can be carried out
  • Deliberate logical assaults from external sources
  • Firewalls are implemented to protect against
    unwanted intrusions from external sources

3
Simple Firewall Architecture
4
Complex Firewall configuration
5
General Vulnerabilities
  • Top 20 logical vulnerabilities (SANS Top 20):
    http://www.sans.org/top20.htm
  • G1 - Default installs of operating systems and
    applications
  • G2 - Accounts with No Passwords or Weak Passwords
  • G3 - Non-existent or Incomplete Backups
  • G4 - Large number of open ports
  • G5 - Not filtering packets for correct incoming
    and outgoing addresses
  • G6 - Non-existent or incomplete logging
  • G7 - Vulnerable CGI Programs

6
Windows Vulnerabilities
  • W1 - Unicode Vulnerability (Web Server Folder
    Traversal)
  • W2 - ISAPI Extension Buffer Overflows
  • W3 - IIS RDS exploit (Microsoft Remote Data
    Services)
  • W4 - NETBIOS - unprotected Windows networking
    shares
  • W5 - Information leakage via null session
    connections
  • W6 - Weak hashing in SAM (LM hash)

7
Unix Vulnerabilities
  • U1 - Buffer Overflows in RPC Services
  • U2 - Sendmail Vulnerabilities
  • U3 - Bind Weaknesses
  • U4 - R Commands
  • U5 - LPD (remote print protocol daemon)
  • U6 - sadmind and mountd
  • U7 - Default SNMP Strings

8
Chains and Rules
  • Firewall security encompasses filtering incoming
    packets (and, on a router, forwarded and outgoing ones)
  • Linux (2.2 kernel) firewalls filter packets based on
    CHAINS and RULES
  • Chains
  • 1 Input - packets arriving for this host
  • 2 Output - packets leaving this host
  • 3 Forward - packets routed through this host
  • 4 User defined
  • Rules specify criteria for a packet and a target
  • Instruct the kernel what to look for in the
    packet header
  • There can be many rules; they are tried in order and
    the first match decides
  • If no rule matches, the chain's policy decides
    (ACCEPT / DENY / REJECT)
  • /sbin/ipchains -- administers the Linux IP firewall
    rules
  • /etc/sysconfig/ipchains -- saved rule set, restored
    at boot

9
Packet filter criteria
  • packet header information
  • - source address
  • - destination address
  • - protocol
  • - source port
  • - destination port
  • - packet length
  • - connection state information (ipchains keeps no
      connection state; its -y match on the TCP SYN flag
      is the closest it comes, and full connection
      tracking only arrived with iptables)
  • packet payload (message content) - beyond what
    ipchains can inspect

10
Recommended Packet Filtering
  • http://www.cert.org/tech_tips/packet_filtering.html
  • Carnegie Mellon University, CERT/CC (Computer
    Emergency Response Team Coordination Center)
  • DNS zone transfers socket 53 (TCP)
  • tftpd socket 69 (UDP)
  • link socket 87 (TCP) (commonly used by
    intruders)
  • SunRPC NFS socket 111 and 2049 (UDP and TCP)
  • BSD UNIX "r" cmds sockets 512, 513, and 514
    (TCP)
  • lpd socket 515 (TCP)
  • uucpd socket 540 (TCP)
  • openwindows socket 2000 (UDP and TCP)
  • X windows socket 6000 (UDP and TCP)

11
top
  4:59pm up 16 min, 3 users, load average: 0.62, 0.51, 0.34
  57 processes: 53 sleeping, 3 running, 0 zombie, 1 stopped
  CPU states: 16.8% user, 2.6% system, 0.0% nice, 80.4% idle
  Mem:   94460K av,  91244K used,   3216K free,  0K shrd,  1924K buff
  Swap: 192740K av,      0K used, 192740K free             45672K cached

   PID USER  PRI NI  SIZE  RSS SHARE STAT %CPU %MEM  TIME COMMAND
  1407 root   15  0 13948  13M 12068 R    10.4 14.7  0:31 kdeinit
   441 root   15  0  1028 1028   828 R     3.0  1.0  0:09 top
  1292 root   15  0 12772  12M 11176 S     1.1 13.5  0:19 kdeinit
  1089 root   15  0 17868  13M  3280 S     0.5 14.2  0:29 X
     1 root   15  0   472  472   416 S     0.0  0.4  0:04 init
     2 root   15  0     0    0     0 SW    0.0  0.0  0:00 keventd
     3 root   15  0     0    0     0 SW    0.0  0.0  0:00 kapmd
   570 root   15  0     0    0     0 SW    0.0  0.0  0:00 eth0
   572 root   16  0   664  664   576 S     0.0  0.7  0:00 dhcpcd
   650 root   15  0   544  544   456 S     0.0  0.5  0:00 syslogd  <- configured in /etc/syslog.conf
   655 root   15  0   440  440   380 S     0.0  0.4  0:00 klogd    <- logs packet events (ipchains -l)
   675 rpc    15  0   556  556   472 S     0.0  0.5  0:00 portmap

  Note: portmap (SunRPC, port 111) is running on this host; compare U6 and
  the CERT list on slide 10.

12
/etc/sysconfig/ipchains - firewall set for "high"
security (as written by lokkit)
  # Firewall configuration written by lokkit
  # Manual customization of this file is not recommended.
  # Note: ifup-post will punch the current nameservers through the
  #       firewall; such entries will not be listed here.
  :input ACCEPT
  :forward ACCEPT
  :output ACCEPT
  -A input -s 0/0 67:68 -d 0/0 67:68 -p udp -i eth0 -j ACCEPT
  -A input -s 0/0 67:68 -d 0/0 67:68 -p udp -i eth1 -j ACCEPT
  -A input -s 0/0 -d 0/0 -i lo -j ACCEPT
  -A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
  -A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
  -A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
  -A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
  -A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
  -A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT

13
ipchains explained
  • -A input -s 0/0 67:68 -d 0/0 67:68 -p udp -i eth0 -j ACCEPT
    DHCP/bootp client and server traffic on eth0 (this host runs dhcpcd)
  • -A input -s 0/0 67:68 -d 0/0 67:68 -p udp -i eth1 -j ACCEPT
    the same on eth1
  • -A input -s 0/0 -d 0/0 -i lo -j ACCEPT
    anything on the loopback interface
  • -A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
    new TCP connections to any privileged port: DNS xfr, lpd, uucp,
    the r-commands, SunRPC 111, and so on
  • -A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
    new TCP connections to NFS
  • -A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
    all UDP to privileged ports (no -y: UDP has no SYN, so every
    datagram is refused)
  • -A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
    UDP to NFS
  • -A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
    X Windows displays :0 to :9
  • -A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT
    X font server (xfs)
  • "0/0" means any address. Rules are tried in order and the first
    match decides; a new TCP connection to an unprivileged port other
    than 2049, 6000-6009 or 7100 matches nothing here and falls through
    to the chain policy, which this file leaves at ACCEPT.

Flags used above:
  -A  Append a rule to a chain
  -s  Source address, optionally followed by a port or port range (lo:hi)
  -d  Destination address, optionally followed by a port or port range
  -p  Protocol (tcp, udp, icmp)
  -i  Interface the packet arrived on
  -j  Jump to target: ACCEPT, DENY (drop silently), REJECT (drop and
      return an ICMP error) or a user-defined chain
  -y  Match only TCP packets with SYN set and ACK/FIN clear, i.e.
      connection requests; REJECT with -y stops new incoming connections
      but lets the replies to connections this host opened come back in
  -l  Activate logging of matching packets (via the kernel log)
14
Additional ipchains examples
  • Spoofing protection (assumes eth0 is the internal
    interface carrying 192.168.1.0/24)
  • /sbin/ipchains -A input -i eth0 -s !
    192.168.1.0/255.255.255.0 -j DENY
    drop anything arriving on the inside interface that does
    not carry an inside source address
  • /sbin/ipchains -A input -i ! eth0 -s
    192.168.1.0/255.255.255.0 -j DENY
    drop anything arriving on any other interface that claims
    an inside source address
  • Default policy
  • /sbin/ipchains -P input DENY
    with a DENY policy every packet no rule accepts is silently
    dropped, so wanted services now need explicit ACCEPT rules
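The rules on slides 12 to 14 are easier to reason about when packets can be fed through them. The Python program below is an added example written for this transcript (it is not the presentation's or the ipchains project's code): it implements the first-match-then-policy semantics of slide 8 for the input chain, loads the lokkit "high" file and the slide 14 commands verbatim, and then checks which ports from CERT's block list on slide 10 an outside host could still reach. Assumptions, as on slide 14: eth0 is the inside interface carrying 192.168.1.0/24 and eth1 faces the Internet; the outside address 203.0.113.5, the inside host 192.168.1.10 and the sample packets are constructed.

```python
"""ipchains 'input' chain simulator: first matching rule wins, otherwise the chain
policy applies. Added example for this transcript, not code from the presentation
or the ipchains project. Packet.syn marks a TCP connection request (what -y matches)."""
import ipaddress
from collections import namedtuple

ANY = ipaddress.ip_network("0.0.0.0/0")            # what "0/0" means in a rule
Packet = namedtuple("Packet", "iface proto src dst sport dport syn", defaults=(0, 0, False))
CHECKS = {                                         # how each rule criterion is tested
    "proto": lambda p, v: p.proto == v,
    "iface": lambda p, v: p.iface == v,
    "src": lambda p, v: ipaddress.ip_address(p.src) in v,
    "dst": lambda p, v: ipaddress.ip_address(p.dst) in v,
    "sport": lambda p, v: v[0] <= p.sport <= v[1],
    "dport": lambda p, v: v[0] <= p.dport <= v[1],
    "syn": lambda p, v: p.proto == "tcp" and p.syn,
}

def _ports(spec):                    # "0:1023" -> (0, 1023); "2049" -> (2049, 2049)
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)

def _addr(spec):                     # 0/0, a.b.c.d/nn or a.b.c.d/netmask
    return ANY if spec == "0/0" else ipaddress.ip_network(spec, strict=False)

def parse_rule(toks):
    """toks = an '-A input ...' line split on whitespace -> (criteria, target)."""
    crit, target, i = {}, "ACCEPT", 2
    while i < len(toks):
        t = toks[i]
        if t == "-j":
            target, i = toks[i + 1], i + 2
        elif t == "-p":
            crit["proto"], i = (toks[i + 1].lower(), False), i + 2
        elif t == "-y":
            crit["syn"], i = (True, False), i + 1
        elif t in ("-i", "-s", "-d"):
            neg = toks[i + 1] == "!"               # ipchains writes "-s ! addr"
            i += 3 if neg else 2
            key = {"-i": "iface", "-s": "src", "-d": "dst"}[t]
            crit[key] = (toks[i - 1] if t == "-i" else _addr(toks[i - 1]), neg)
            if t != "-i" and i < len(toks) and toks[i][0] not in "-!":  # "addr port[:port]"
                crit[key[0] + "port"], i = (_ports(toks[i]), False), i + 1
        else:
            raise ValueError(f"unsupported token {t!r}")
    return crit, target

def matches(crit, p):
    """Every criterion must hold, or must fail where the rule wrote '!'."""
    return all(CHECKS[k](p, v) != neg for k, (v, neg) in crit.items())

def load_chain(*texts):
    """Build (rules, policy) from ipchains-save lines and/or ipchains commands."""
    rules, policy = [], "ACCEPT"
    for line in "\n".join(texts).splitlines():
        toks = line.split()
        if toks and toks[0].endswith("ipchains"):  # tolerate a leading /sbin/ipchains
            toks = toks[1:]
        if not toks or toks[0].startswith("#"):
            continue
        if toks[0] == ":input":                    # policy line of a saved file
            policy = toks[1]
        elif toks[:2] == ["-P", "input"]:
            policy = toks[2]
        elif toks[:2] == ["-A", "input"]:          # other chains are ignored
            rules.append(parse_rule(toks))
    return rules, policy

def verdict(chain, p):                             # chain = (rules, policy)
    return next((t for c, t in chain[0] if matches(c, p)), chain[1])

LOKKIT_HIGH = """\
:input ACCEPT
-A input -s 0/0 67:68 -d 0/0 67:68 -p udp -i eth0 -j ACCEPT
-A input -s 0/0 67:68 -d 0/0 67:68 -p udp -i eth1 -j ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
-A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
-A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT
"""
# Slide 14 additions; assumption: eth0 is the inside interface (192.168.1.0/24)
ANTI_SPOOF = """\
/sbin/ipchains -A input -i eth0 -s ! 192.168.1.0/255.255.255.0 -j DENY
/sbin/ipchains -A input -i ! eth0 -s 192.168.1.0/255.255.255.0 -j DENY
/sbin/ipchains -P input DENY
"""
LOKKIT = load_chain(LOKKIT_HIGH)
HARDENED = load_chain(LOKKIT_HIGH, ANTI_SPOOF)     # -A appends, so these come last
# Ports CERT's packet-filtering tech tip says to block at the border (slide 10)
CERT_PORTS = [("tcp", 53), ("udp", 69), ("tcp", 87), ("tcp", 111), ("udp", 111),
              ("tcp", 2049), ("udp", 2049), ("tcp", 512), ("tcp", 513), ("tcp", 514),
              ("tcp", 515), ("tcp", 540), ("tcp", 2000), ("udp", 2000), ("tcp", 6000), ("udp", 6000)]

def audit(chain, iface="eth1", src="203.0.113.5", dst="192.168.1.10"):
    """CERT-listed ports a constructed outside host (203.0.113.5) can still reach."""
    return [f"{port}/{proto}" for proto, port in CERT_PORTS
            if verdict(chain, Packet(iface, proto, src, dst, 40000, port, proto == "tcp")) == "ACCEPT"]
```

With the lokkit file alone, `audit(LOKKIT)` reports 2000/tcp, 2000/udp and 6000/udp as reachable: the file's own policy is ACCEPT and those ports fall outside every REJECT rule. A TCP segment to port 515 without SYN passes for the same reason, which is what makes the -y rules transparent to replies for connections the host opened, and also what an ACK scan against a stateless filter relies on. After `-P input DENY` (`HARDENED`) the audit comes back empty and a packet arriving on eth1 with an inside source address is dropped. Because `-A` appends, the anti-spoofing rules sit behind lokkit's REJECT rules, so a spoofed SYN to a privileged port is still answered with a REJECT rather than silently dropped; insert them at the head of the chain with `-I input` if spoofed packets should be discarded before anything else is evaluated.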

15
Editing utilities
  • Via command line /sbin/ipchains
  • Utilities
  • Lokkit
  • Source code from www.sourceforge.com
  • Devil-Linux
  • Firestarter - GUI

16
www references
  • www.interhack.net/pubs/fwfaq
  • www.tldp.org/HOWTO/Firewall-HOWTO.html
  • http://tldp.org/HOWTO/IPCHAINS-HOWTO.html
  • http://www.linux-firewall-tools.com/linux/
  • http://www.sans.org/top20.htm
  • http://www.cert.org/tech_tips/packet_filtering.html