Lecture 29
Fall 2002
• Project 3 is due today.
• Project 4 will be available on the web site this afternoon.
• Homework 3 will be handed out on Wednesday.
CSE331 Fall 2002 2
• Access Control (Authorization)
– Access Control Matrix
– Access Control Lists
• Today
– Capability Lists
– Firewalls

Access control matrix A[s][o] (rows: subjects, columns: objects, entries: rights):

  A[s][o]   Obj 1     Obj 2     …   Obj N
  Subj 1    {r,w,x}   {r,w}     …   {}
  Subj 2    {w,x}     {}        …   {r}
  …         …         …         …   …
  Subj M    {x}       {r,w,x}   …   {r,w,x}

For each subject, store a list of (Object x Rights) pairs, i.e. one row of the matrix with the empty entries dropped.

• A capability is a (Object, Rights) pair
– Used like a movie ticket (“Harry Potter”, {view})
• Should be unforgeable
– Otherwise, subjects could get illegal access
• The subject is authenticated when the capability is granted; presenting it later needs no further authentication
• Harder to do revocation (must find all tickets)
– Capabilities can be passed from subject to subject
• Easy to audit a subject (walk its list), hard to audit an object (walk every subject’s list)

• Must be able to name objects
• Unique identifiers
– Must keep map of UIDs to objects
– Must protect integrity of the map
– Extra level of indirection to use the object
– Generating UIDs can be difficult
• Pointers
– Name changes when the object moves
– Remote pointers in distributed setting
– Aliasing possible
• Special hardware: tagged words in memory
– Can’t copy/modify tagged words
• Store the capabilities in protected address space
• Could use static scoping mechanism of safe programming languages.
– Java’s “private” fields
• Could use cryptographic techniques
– OS kernel could sign (Object, Rights) pairs using a private key
– Any process can verify the capability
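The following is an added example in Python, not code from the lecture. It builds the capability lists from the access matrix shown earlier, shows why auditing an object under capability lists means scanning every subject’s list, and implements the cryptographic protection from the last bullet. Because the Python standard library has no signature primitive, it substitutes an HMAC for the kernel’s private-key signature: the (Object, Rights) pair is tagged with a key only the kernel holds, so subjects cannot forge or alter a ticket, but verification then has to go through the kernel instead of being possible in any process. The names subj1/obj1, the Kernel class and its grant/check methods are invented here.

```python
"""Capability lists and a MAC-protected capability token.

Added example, not from the CSE331 slides: the matrix contents are the ones
on the slide; subject/object names and the tagging scheme are constructed.
The slide proposes that the kernel sign (Object, Rights) with a private key;
this variant uses an HMAC (standard library only), so the kernel is the
verifier, which still makes tickets unforgeable by ordinary subjects.
"""
import hashlib
import hmac
import os

R, W, X = "r", "w", "x"

# Access control matrix from the slide (rows = subjects, columns = objects).
MATRIX = {
    "subj1": {"obj1": {R, W, X}, "obj2": {R, W},    "objN": set()},
    "subj2": {"obj1": {W, X},    "obj2": set(),     "objN": {R}},
    "subjM": {"obj1": {X},       "obj2": {R, W, X}, "objN": {R, W, X}},
}


def capability_lists(matrix):
    """Per-subject list of (object, rights) pairs; empty cells are dropped."""
    return {s: [(o, frozenset(rights)) for o, rights in row.items() if rights]
            for s, row in matrix.items()}


def subjects_with_access(caps, obj):
    """Auditing an object under C-lists means scanning every subject's list."""
    return sorted(s for s, lst in caps.items() if any(o == obj for o, _ in lst))


class Kernel:
    """Mints and checks capability tokens; the key never leaves the kernel."""

    def __init__(self, key=None):
        self._key = key or os.urandom(32)   # constructed: fresh key per kernel

    def _tag(self, obj, rights):
        msg = f"{obj}:{''.join(sorted(rights))}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def grant(self, obj, rights):
        """Issue a ticket: (object, rights, tag)."""
        return (obj, frozenset(rights), self._tag(obj, rights))

    def check(self, cap, obj, right):
        """True only if the tag is genuine for (obj, rights) and rights contain `right`."""
        cobj, rights, tag = cap
        if cobj != obj or not hmac.compare_digest(tag, self._tag(cobj, rights)):
            return False
        return right in rights


def demo():
    caps = capability_lists(MATRIX)
    k = Kernel()
    ticket = k.grant("obj2", {R, W})                      # subj1's ticket for obj2
    forged = ("obj2", frozenset({R, W, X}), ticket[2])    # rights edited, old tag kept
    return {
        "subj1_caps": caps["subj1"],
        "who_can_reach_obj2": subjects_with_access(caps, "obj2"),
        "write_ok": k.check(ticket, "obj2", W),
        "exec_denied": k.check(ticket, "obj2", X),
        "forgery_denied": k.check(forged, "obj2", X),
        # tickets can be passed on: a second holder presents the same tuple
        "passed_ticket_ok": k.check(ticket, "obj2", R),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Revocation is the weak spot the slide warns about: the kernel cannot locate copies of a ticket once it has been passed around, so revoking one means either rotating the key (which invalidates every outstanding ticket) or keeping a deny list that `check` consults on every use.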

[Figure: Inside | Filter | Gateway | Filter | Outside]
• Filters protect against “bad” packets.
• A gateway machine restores the needed services that the filters would otherwise cut off.
• Protect services offered internally from outside access.
• Provide outside services to hosts located inside.

[Figure: firewall with a DMZ (“Demilitarized Zone”): External Network | Filtering Router | DMZ (Gateway) | Filtering Router | Internal Network; legend: Hosts, Routers, Networks]

• Increased security for internal hosts.
• Reduced amount of effort required to counter break-ins.
• Possible added convenience of operation within the firewall (with some risk).
• Reduced legal and other costs associated with hacker activities.

• Hardware purchase and maintenance
• Software development or purchase, and update costs
• Administrative setup and training, and ongoing administrative costs and troubleshooting
• Lost business or inconvenience from broken gateway
• Loss of some services that an open connection would supply.
• Packet filtering: decides per packet from network- and transport-layer header fields
• Circuit: operates at the level of TCP connections (decisions per connection rather than per packet)
• Application: operates at the level of the application protocol (a proxy that understands, e.g., SMTP or HTTP)

• Filtering can take advantage of the following information from network and transport layer headers:
– Source
– Destination
– Source Port
– Destination Port
– Flags (e.g. ACK)
• IPv4 (Version field set to “4”); one 32-bit word per line:

  Version | Hlen | TOS      | Length
  Ident                     | Flags | Offset
  TTL     | Protocol        | Checksum
  SourceAddr
  DestinationAddr
  Options (variable length)          | Pad
  Other Headers and Payload

• Protocols support O.S. “port numbers”:

UDP header (one 32-bit word per line):
  SrcPort | DstPort
  Length  | Checksum
  Other Headers and Payload

TCP header (one 32-bit word per line):
  SrcPort | DstPort
  SequenceNum
  Acknowledgment
  HdrLen | 0 (reserved) | Flags | AdvertisedWindow
  Checksum | UrgPtr
  Options (variable)
  Other Headers and Payload

• Ports are used to distinguish applications and services on a machine.
• Low numbered ports are often reserved for server listening.
• High numbered ports are often assigned for client requests.
• Port 7 (UDP,TCP): echo server
• Port 13 (UDP,TCP): daytime
• Port 20 (TCP): FTP data
• Port 21 (TCP): FTP control
• Port 23 (TCP): telnet
• Port 25 (TCP): SMTP
• Port 79 (TCP): finger
• Port 80 (TCP): HTTP
• Port 123 (UDP): NTP
• Port 2049 (UDP): NFS
• Ports 6000 to 6xxx (TCP): X11

Packet filter rules, written as (action, our host, our port, their host, their port):

  Action   ourhost   port   theirhost   port   comment
  block    *         *      BAD         *      untrusted host
  allow    GW        25     *           *      allow our SMTP port

Apply rules from top to bottom with an assumed default entry at the end:

  Action   ourhost   port   theirhost   port   comment
  block    *         *      *           *      default

Bad entry intended to allow connections to SMTP from inside:

  Action   ourhost   port   theirhost   port   comment
  allow    *         *      *           25     connect to their SMTP

This matches every packet whose outside end is port 25, in either direction: an outside machine can run anything it likes on its own port 25, and the rule lets its packets reach any port on any inside host.

Permit outgoing calls to port 25:

  Action   src           port   dest   port   flags   comment
  allow    {our hosts}   *      *      25             their SMTP
  allow    *             25     *      *      ACK     their replies

The ACK flag is clear only on the first (SYN) packet of a TCP connection, so the second rule admits replies to connections we opened but not new connections opened from port 25 outside.
This filter doesn’t protect against IP address spoofing: a bad host can “pretend” to be one of {our hosts}.

[Figure: a router with an Inside interface and an Outside interface]

• Filtering on output can be more efficient since it can be combined with table lookup of the route.
• However, some information is lost at the output stage
– e.g. the physical input port on which the packet arrived.
– Can be useful information to prevent address spoofing.
• Filtering on input can protect the router itself.
Filtering on input:

  Action   src   port   dest   port   comment
  block    BAD   *      *      *      we don’t trust them
  allow    *     *      GW     25     connect to our SMTP
  allow    GW    25     *      *      our reply packets

is preferred over:

  Action   src   port   dest   port   comment
  block    *     *      BAD    *      subtle difference
  allow    *     *      GW     25     connect to our SMTP
  allow    GW    25     *      *      our reply packets

Subtle difference: the second set blocks only our packets addressed to BAD, so packets from BAD still pass the filter toward GW’s port 25 and are merely left unanswered; the first set rejects BAD’s packets on input, before they reach anything inside.

• Filter output to allow incoming and outgoing mail, but prohibit all else:

  Action   dest   port       comment
  allow    *      25         incoming mail
  allow    *      >= 1024    outgoing responses
  block    *      *          nothing else

• Apply this output filter set to both interfaces of the router. Does it work?
• Unintended consequence: the second rule looks only at the destination port, so it allows all communication to any high-numbered port in either direction (e.g., X11 on ports 6000+ from outside)!
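The following is an added example in Python, not code from the lecture: a first-match packet filter that replays the lecture’s rule sets (the bad port-25 entry, the ACK-flag version, and the destination-only output filter applied on both interfaces) against constructed packets. Host names (H1, GW, MAIL, EVIL, BAD), the rule encoding, and the packets are invented for illustration, and the TCP ACK flag is modelled as a boolean on the packet.

```python
"""Tiny first-match packet filter used to replay the lecture's rule sets.

Added example, not from the CSE331 slides: host names, the rule encoding and
the sample packets below are constructed for illustration.
"""
from dataclasses import dataclass

OUR_HOSTS = frozenset({"GW", "H1"})   # assumed inside hosts; GW is the mail gateway
BAD = frozenset({"BAD"})               # assumed untrusted outside host


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK flag; clear only on the connection-opening SYN


def match(pattern, value):
    """'*' matches anything, a frozenset matches member hosts, '>=N' a port range."""
    if pattern == "*":
        return True
    if isinstance(pattern, frozenset):
        return value in pattern
    if isinstance(pattern, str) and pattern.startswith(">="):
        return value >= int(pattern[2:])
    return value == pattern


def filter_packet(rules, pkt):
    """Rules are (action, src, sport, dst, dport, ack); first match wins, default block."""
    for action, src, sport, dst, dport, ack in rules:
        if (match(src, pkt.src) and match(sport, pkt.sport)
                and match(dst, pkt.dst) and match(dport, pkt.dport)
                and (ack is None or ack == pkt.ack)):
            return action
    return "block"


def orient(our_their_rules, inbound):
    """The slide writes rules as (action, ourhost, ourport, theirhost, theirport).
    A stateless router applies them per packet by binding the 'our' side to the
    destination of an inbound packet and to the source of an outbound one."""
    out = []
    for action, ourhost, ourport, theirhost, theirport in our_their_rules:
        if inbound:
            out.append((action, theirhost, theirport, ourhost, ourport, None))
        else:
            out.append((action, ourhost, ourport, theirhost, theirport, None))
    return out


# Block BAD, then the "bad entry" meant to let inside hosts reach outside SMTP.
BAD_ENTRY = [
    ("block", "*", "*", BAD, "*"),     # untrusted host
    ("allow", "*", "*", "*", 25),      # connect to their SMTP (their port == 25)
]

# Pin the source to our hosts and require ACK on the return direction.
ACK_RULES = [
    ("allow", OUR_HOSTS, "*", "*", 25, None),  # our calls to their SMTP
    ("allow", "*", 25, "*", "*", True),        # their replies carry ACK
]

# Destination-only output filter applied on both router interfaces.
HIGH_PORT_RULES = [
    ("allow", "*", "*", "*", 25, None),        # incoming mail
    ("allow", "*", "*", "*", ">=1024", None),  # outgoing responses
    ("block", "*", "*", "*", "*", None),       # nothing else
]

# Constructed traffic: our outbound SMTP call, an outsider probing telnet from
# its own port 25 (it may run anything there), and a forged-source copy of our call.
OUR_SMTP_CALL = Packet("H1", 4000, "MAIL", 25)
PROBE_FROM_25 = Packet("EVIL", 25, "H1", 23)
SPOOFED_CALL = Packet("H1", 4000, "MAIL", 25)   # sent by EVIL with src forged as H1


def bad_entry_decisions():
    return (filter_packet(orient(BAD_ENTRY, inbound=False), OUR_SMTP_CALL),
            filter_packet(orient(BAD_ENTRY, inbound=True), PROBE_FROM_25))


def ack_rule_decisions():
    reply = Packet("MAIL", 25, "H1", 4000, ack=True)
    return (filter_packet(ACK_RULES, OUR_SMTP_CALL),
            filter_packet(ACK_RULES, reply),
            filter_packet(ACK_RULES, PROBE_FROM_25),   # SYN from port 25: no ACK
            filter_packet(ACK_RULES, SPOOFED_CALL))    # indistinguishable from ours


def high_port_decisions():
    return (filter_packet(HIGH_PORT_RULES, Packet("EVIL", 25, "H1", 4000, ack=True)),
            filter_packet(HIGH_PORT_RULES, Packet("EVIL", 31337, "H1", 6000)),  # X11
            filter_packet(HIGH_PORT_RULES, Packet("EVIL", 31337, "H1", 23)))


if __name__ == "__main__":
    print("bad entry  (our call, probe from 25):", bad_entry_decisions())
    print("ACK rules  (call, reply, probe, spoof):", ack_rule_decisions())
    print("high ports (reply, X11 from outside, telnet):", high_port_decisions())
```

The three result tuples reproduce the slides’ points: the bad entry admits the outsider’s probe because only the outside port is examined; the ACK rule drops that probe but passes a packet with a forged inside source unchanged; and the destination-only filter lets an outside host open a connection to X11 on port 6000 while still stopping telnet.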