Linux Utility Module for Security

Omer Shaukat Malik (2003-02-0148)
Syed Ali Abbas Gardezi (2003-02-0194)
LUMS
OVERVIEW OF FIREWALL CONCEPTS:
A firewall is a system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in hardware, in software, or in a combination of both. They are frequently used to prevent unauthorized Internet users from reaching private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria. A firewall can also act as the last line of defense against an internal security breach, where sensitive data is being sent from within a company's network to parties outside, or as the first line of defense when the scenario is reversed.
There are several types of firewall techniques:
Network Layer Firewalls:
Packet filter (layer 3/4 firewall): looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules, normally matched against the source and destination addresses, the protocol and the ports found in the packet headers. Packet filtering is fairly effective and transparent to users, but it is difficult to configure correctly. In addition, because it trusts the source address written in the header, it is susceptible to IP spoofing unless the filter also checks which interface a packet arrived on.
Circuit-level gateway: applies security checks when a TCP connection (or UDP session) is set up. Once the connection has been admitted, the packets belonging to it flow between the hosts without further per-packet checking.
Application gateway: applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, since the gateway understands the application data, but it can impose a performance penalty.
Proxy server: intercepts all messages entering and leaving the network. The proxy server effectively hides the true internal network addresses.
In practice, many firewalls use two or more of these techniques in concert.
A firewall is considered a first line of defense in protecting private information. For greater security, data can also be encrypted, which protects it against an attacker eavesdropping from outside the network.
Application-level firewalls provide a high level of intelligence. The tradeoff for this functionality is that application (gateway) firewalls operate more slowly than stateful inspection firewalls, and they add complexity whenever a new application has to be supported. An important distinction of many network-level firewalls is that they route traffic directly through themselves: they read the source and destination information in the packet headers and allow or disallow packets on that basis alone. Network firewalls are typically used when speed is essential. Since packets are not passed up to the application layer and their contents are not analyzed, they can be processed more quickly. This is advantageous for firewalls in front of busy web and mail servers, because latency drives away the people accessing the site. Such a firewall adds a layer of protection to the network without impeding connectivity. Because it depends on an access control list, it can only judge a connection by its source and destination pairs (addresses and ports), not by the contents of the packets as an application-level gateway does.
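The two behaviours described above, stateless header matching and circuit-level connection tracking, side by side as an added example (this is illustration code, not code from the LUMS project). The rule table, the 192.0.2.0/24 intranet range, the 203.0.113.0/24 Internet hosts and the packets are all constructed. The first case shows the IP spoofing weakness of a plain access control list and the ingress check that closes it; the second shows why a connection-tracking gateway can admit reply traffic without a blanket "accept replies from anywhere" rule.

```python
"""Stateless packet filtering versus circuit-level (connection-tracking) filtering.

Added example for this section; it is not code from the LUMS project. The rule table,
addresses and packets are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.0.2.0/24")   # constructed intranet range


@dataclass(frozen=True)
class Packet:
    iface: str           # interface of arrival: "ext" (Internet side) or "int" (intranet side)
    src: str
    dst: str
    proto: str           # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False    # TCP SYN without ACK marks the first packet of a connection
    ack: bool = False


# Stateless rules as (action, src_net, dst_net, proto, dport); first match wins.
RULES = [
    ("accept", "0.0.0.0/0",    "192.0.2.10/32", "tcp", 25),    # Internet -> mail server
    ("accept", "192.0.2.0/24", "192.0.2.10/32", "tcp", 22),    # intranet -> mail server (SSH)
    ("accept", "192.0.2.0/24", "0.0.0.0/0",     "tcp", 80),    # intranet -> web servers
    ("drop",   "0.0.0.0/0",    "0.0.0.0/0",     None,  None),  # default deny
]


def stateless_filter(pkt, anti_spoof=False):
    """Decide from the headers of this one packet, as a layer 3/4 packet filter does."""
    # Ingress filtering: a packet arriving from the Internet must not claim an internal
    # source address. This is the standard check that closes the IP spoofing hole.
    if anti_spoof and pkt.iface == "ext" and ip_address(pkt.src) in INTERNAL:
        return "drop"
    for action, src_net, dst_net, proto, dport in RULES:
        if ip_address(pkt.src) not in ip_network(src_net):
            continue
        if ip_address(pkt.dst) not in ip_network(dst_net):
            continue
        if proto is not None and (proto, dport) != (pkt.proto, pkt.dport):
            continue
        return action
    return "drop"


class CircuitGateway:
    """Check a flow once, when the connection is set up; afterwards pass its packets in
    both directions without consulting the rules again."""

    def __init__(self):
        self.flows = set()   # (src, sport, dst, dport) of admitted connections

    def filter(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.flows or rev in self.flows:
            return "accept"                        # part of a known session
        if pkt.proto == "tcp" and pkt.syn and not pkt.ack:
            if stateless_filter(pkt, anti_spoof=True) == "accept":
                self.flows.add(fwd)                # connection admitted: remember it
                return "accept"
        return "drop"                              # mid-stream packet of an unknown session


def demo():
    """Run the constructed packets through both filters; returns the decisions."""
    out = {}
    # An attacker on the Internet forges an internal source address to reach SSH on
    # the mail server. The plain ACL matches rule 2 and accepts it.
    spoofed = Packet("ext", "192.0.2.5", "192.0.2.10", "tcp", 40000, 22, syn=True)
    out["spoofed_plain_acl"] = stateless_filter(spoofed)                          # accept
    out["spoofed_with_ingress_check"] = stateless_filter(spoofed, anti_spoof=True)  # drop
    # A packet that looks like a web server's reply but belongs to no connection. A
    # stateless filter would need a blanket "accept sport 80 from anywhere" rule to let
    # genuine replies in; the gateway instead admits replies only for tracked flows.
    gw = CircuitGateway()
    reply = Packet("ext", "203.0.113.7", "192.0.2.5", "tcp", 80, 40001, ack=True)
    out["reply_without_connection"] = gw.filter(reply)                            # drop
    syn = Packet("int", "192.0.2.5", "203.0.113.7", "tcp", 40001, 80, syn=True)
    out["outbound_syn"] = gw.filter(syn)                                          # accept
    out["reply_after_connection"] = gw.filter(reply)                              # accept
    return out
```

The connection table here is deliberately minimal: a real implementation (Linux netfilter's connection tracking, for example) also ages entries out, follows the TCP state machine so that a FIN or RST closes the flow, and tracks UDP and ICMP "sessions" by timeout, since those protocols have no handshake to anchor on.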
A general architecture of network protocols is given below. It is based on the OSI model.
SCOPE OF THE PROJECT:
Our firewall would run on the bastion host. To forward packets from the external router to our bastion host we would use the Linux application ipwafdm. Depending on how this application is configured, there are two possible ways in which it will forward packets to our bastion host.
1) By rewriting the destination IP address in the IP header. This loses the information about the original destination, so it is workable only when there is a single destination for a particular application (for example, if only one FTP server is running on the network).
2) By putting the MAC address of our bastion host in the frame, so that the packet is delivered to our machine at the link layer. No information is lost this way and there is no limit on the number of servers in the network (we might need to develop a sniffer to gather these packets, since their IP destination is still the original server rather than the bastion host).
The packet would be passed all the way up to the application layer on the bastion host, where the necessary attributes of the packet would be logged. If the security policy says a packet must be dropped, we would drop it here; otherwise it would be forwarded. To forward it to the machine in the intranet we would have to resolve the next hop's IP address to a MAC address, preferably using ARP. The packet would be forwarded to the internal router, which takes control thereafter.
We would keep our security policy in a database so that it can be reused by other firewalls within the network. This is intended to keep the application scalable.
Our application running on the bastion host would be programmed in Java and C++.
We would also use the following libraries:
1) Libpcap
2) GTK
We would also provide the functionality to filter outbound packets, with two options. One restricts packets from reaching a particular destination. The other discards a packet if its data portion contains a literal that has been defined as prohibited from leaving the network.
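The bastion-host packet path described above (parse the raw frame as libpcap delivers it, log its attributes, apply the policy, and rewrite the link-layer header for the next hop), with the two outbound options just listed, as an added example; it is not the project's Java/C++ code. The MAC and IP addresses, the ARP table, the blocked destination 203.0.113.66 and the prohibited literals are all constructed. The frame builder exists only to create test input; a real deployment would receive frames from libpcap and resolve the next hop with ARP instead of a static table.

```python
"""Bastion-host packet handling: parse a raw Ethernet/IPv4/TCP frame, log its attributes,
apply the outbound policy, and prepare the frame for forwarding to the next hop.

Added example for this section; it is not the LUMS project's code. All addresses, the
ARP table, the blocked destination and the prohibited literals are constructed.
"""
import struct
from ipaddress import ip_address

ETH_HDR = 14                  # dst MAC (6) + src MAC (6) + ethertype (2)
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6

# Outbound policy (constructed): the two options the proposal describes.
BLOCKED_DESTINATIONS = {"203.0.113.66"}                  # option 1: destination restriction
PROHIBITED_LITERALS = [b"CONFIDENTIAL", b"salary.xls"]   # option 2: literal must not leave

# Constructed ARP table for the bastion's segment; a real system resolves these with ARP.
ARP_TABLE = {"198.51.100.1": "02:00:00:00:00:01",      # external router
             "198.51.100.254": "02:00:00:00:00:02"}    # internal router
EXTERNAL_ROUTER_IP = "198.51.100.1"
BASTION_MAC = "02:00:00:00:00:aa"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Construct a minimal Ethernet/IPv4/TCP frame as test input (checksums left zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000,
                         64, IPPROTO_TCP, 0, ip_address(src_ip).packed, ip_address(dst_ip).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + ip_hdr + tcp_hdr + payload


def parse_frame(frame):
    """Extract the attributes the bastion host logs. Raises ValueError on anything it
    cannot safely interpret, so a malformed frame is dropped rather than misparsed."""
    if len(frame) < ETH_HDR + 20:
        raise ValueError("truncated frame")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not IPv4")
    ip = frame[ETH_HDR:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(ip):
        raise ValueError("bad IP length fields")
    attrs = {
        "dst_mac": mac_str(frame[0:6]), "src_mac": mac_str(frame[6:12]),
        "src_ip": str(ip_address(ip[12:16])), "dst_ip": str(ip_address(ip[16:20])),
        "proto": ip[9], "sport": None, "dport": None, "payload": b"",
    }
    if attrs["proto"] == IPPROTO_TCP:
        tcp = ip[ihl:total_len]
        if len(tcp) < 20:
            raise ValueError("truncated TCP header")
        attrs["sport"], attrs["dport"] = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4
        if doff < 20 or doff > len(tcp):
            raise ValueError("bad TCP data offset")
        attrs["payload"] = tcp[doff:]
    return attrs


def outbound_decision(attrs):
    """Apply the outbound policy to the parsed attributes; returns (action, reason)."""
    if attrs["dst_ip"] in BLOCKED_DESTINATIONS:
        return "drop", "blocked destination"
    for literal in PROHIBITED_LITERALS:
        if literal in attrs["payload"]:
            return "drop", "prohibited literal " + literal.decode()
    return "forward", "policy permits"


def rewrite_for_next_hop(frame, next_hop_ip):
    """Forward at the link layer: leave the IP packet untouched, set the destination MAC to
    the resolved next hop and the source MAC to the bastion's own interface."""
    return mac_bytes(ARP_TABLE[next_hop_ip]) + mac_bytes(BASTION_MAC) + frame[12:]


def process_outbound(frame, log):
    """Parse, log, decide; returns (action, frame to transmit or None)."""
    try:
        attrs = parse_frame(frame)
    except ValueError as err:
        log.append(f"drop malformed frame: {err}")
        return "drop", None
    action, reason = outbound_decision(attrs)
    log.append(f"{action} {attrs['src_ip']}:{attrs['sport']} -> {attrs['dst_ip']}:{attrs['dport']} "
               f"proto={attrs['proto']} len={len(attrs['payload'])} ({reason})")
    if action == "drop":
        return action, None
    return action, rewrite_for_next_hop(frame, EXTERNAL_ROUTER_IP)
```

Two caveats a practitioner would want noted. The literal check looks at one packet's data portion, so a prohibited string split across two TCP segments, encoded, compressed or sent over an encrypted connection is not seen; catching that requires reassembling the stream before matching. And the length checks in `parse_frame` are not optional: a captured frame whose IP total length or TCP data offset does not agree with the bytes actually present is exactly the kind of input a packet handler on a bastion host must reject rather than index into.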
HARDWARE REQUIRED:
2 routers (basically 2 machines with 2 NICs (network interface cards) each)
1 machine (the bastion host)
USAGE OF HARDWARE:
One of the machines would be used as the external router. It would be connected to the external world (the Internet) on one NIC and to the intermediate network on the other. This router would forward all the data we want to monitor to our bastion host, where we would inspect it and forward it as appropriate. The forwarded data would in effect go out through the other router.
This is the screened subnet architecture.
[1] We have codenamed the project LUMS. It is a recursive acronym for LUMS Utility Module for Security.
The other machine would work as the bastion host. In this architecture it sits on the intermediate (perimeter) network between the two routers. The packet filtering on the external router is set up so that the bastion host is the only system that hosts on the Internet can open connections to, and the internal router in turn limits what the bastion host may reach on the private network. The bastion host thus needs to maintain a high level of host security.
This implementation depends on the availability of two machines with two NICs each. If we are able to requisition only one machine with two NICs, we would be forced to fall back to the second, much less secure, option: the screened host architecture.
SCREENED HOST ARCHITECTURE:
Fig. Screened Host Architecture
The screened host is the only host on the private network that can be accessed from the Internet, and it usually runs proxy programs for the allowed services. The other hosts on the private network must communicate with the Internet through the proxy servers located on the screened host.
The bastion host sits on the internal network. The packet filtering on the screening router is set up so that the bastion host is the only system on the internal network to which hosts on the Internet can open connections. The bastion host thus needs to maintain a high level of host security.
The packet filtering configuration in the screening router may either allow other internal hosts to open connections to hosts on the Internet for certain services, or disallow all connections from internal hosts, forcing them to use proxy services via the bastion host.
This architecture is more flexible than a dual-homed host with proxy services, because some secure services for which proxy software does not exist can be allowed to pass through the screening router directly to a host on the private network.
This architecture consists of a screening router and a screened host. It provides services from a host that is attached only to the internal network, using a separate router; packet filtering provides the primary security. Packet filtering prevents people from bypassing the proxy servers to make direct connections. The screening router is placed between the private network and the Internet and blocks all traffic between the two, except traffic that originates on the Internet and goes to the screened host, traffic that originates on the screened host and goes to the Internet, and any services explicitly allowed through directly. That is how the screening router stops attempts to set up direct communication between a host on the private network and a host on the Internet.
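The two architectures the proposal compares, expressed as the decisions their screening routers make, as an added example (not code from the LUMS proposal). The 192.0.2.0/24 private network, the 198.51.100.0/24 intermediate network, the bastion addresses, the mail server and the service lists are constructed. The last function makes the "much less secure" claim concrete: it lists what an attacker who has compromised the bastion host can open connections to on the private network under each architecture.

```python
"""Which flows each architecture's screening router(s) admit, and what a compromised
bastion host can then reach. Added example; not code from the LUMS proposal. All
addresses, service lists and internal hosts are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.0.2.0/24")         # private network
PERIMETER = ip_network("198.51.100.0/24")     # intermediate network between the two routers
BASTION_HOST = ip_address("192.0.2.2")        # screened host: bastion sits on the private network
BASTION_SUBNET = ip_address("198.51.100.2")   # screened subnet: bastion sits on the perimeter
MAIL = ip_address("192.0.2.10")               # internal mail server the bastion relays to
INTERNAL_HOSTS = (MAIL, ip_address("192.0.2.20"))
BASTION_SERVICES = {25, 80}   # services the Internet may open to the bastion
DIRECT_OK = {443}             # services internal hosts may use without a proxy on the bastion


def zone(ip, bastion):
    ip = ip_address(ip)
    if ip == bastion:
        return "bastion"
    if ip in INTERNAL:
        return "internal"
    if ip in PERIMETER:
        return "perimeter"
    return "internet"


def screened_host(src, dst, dport):
    """One screening router between the Internet and the LAN that also holds the bastion."""
    s, d = zone(src, BASTION_HOST), zone(dst, BASTION_HOST)
    if "internet" not in (s, d):
        return "accept"        # LAN-internal traffic never crosses the router, so it is unchecked
    if s == "internet":
        return "accept" if d == "bastion" and dport in BASTION_SERVICES else "drop"
    if s == "bastion":
        return "accept"        # the bastion's proxies talk to the Internet on behalf of the LAN
    return "accept" if dport in DIRECT_OK else "drop"   # other internal host -> Internet


def exterior_router(src, dst, dport):
    """Internet side of the screened subnet: only the bastion is reachable from outside."""
    s, d = zone(src, BASTION_SUBNET), zone(dst, BASTION_SUBNET)
    if s == "internet":
        return "accept" if d == "bastion" and dport in BASTION_SERVICES else "drop"
    return "accept"            # outbound traffic was already screened by the interior router


def interior_router(src, dst, dport):
    """Private side of the screened subnet: the bastion gets only the access it needs."""
    s, d = zone(src, BASTION_SUBNET), zone(dst, BASTION_SUBNET)
    if s == "internal":
        return "accept" if d == "bastion" or dport in DIRECT_OK else "drop"
    if s == "bastion":
        return "accept" if ip_address(dst) == MAIL and dport == 25 else "drop"
    return "drop"              # nothing from the Internet may reach the private network directly


def screened_subnet(src, dst, dport):
    """A flow is admitted only if every router it crosses admits it."""
    s, d = zone(src, BASTION_SUBNET), zone(dst, BASTION_SUBNET)
    crossed = []
    if "internet" in (s, d):
        crossed.append(exterior_router)
    if "internal" in (s, d) and (s, d) != ("internal", "internal"):
        crossed.append(interior_router)
    return "accept" if all(r(src, dst, dport) == "accept" for r in crossed) else "drop"


def reachable_from_bastion(policy, bastion, ports=(22, 25, 445)):
    """What an attacker who has taken over the bastion can open connections to inside."""
    return sorted((str(h), p) for h in INTERNAL_HOSTS for p in ports
                  if policy(str(bastion), str(h), p) == "accept")
```

Both architectures admit the same flows from the Internet (only the bastion's services) and the same direct outbound services for internal hosts. The difference shows up after a compromise: in the screened host design the bastion shares the LAN with the hosts it protects, so nothing screens its traffic to them, whereas in the screened subnet the interior router still confines it to the one service it legitimately needs.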
WORK BREAKDOWN STRUCTURE:
Schedule milestones (the columns of the original chart): Dec 23, Jan 10, Jan 20, Jan 30, Feb 7.

Task                                  Assigned to
Developing Project Plan               Omer
Research and Data Collection          Omer/Ali
Project Management & Scheduling       Omer
Risk Mitigation Plan                  Omer
Environment Setup                     Ali
Software Integration/Development      Ali
Preliminary Implementation            Omer/Ali
Testing/Debugging                     Omer/Ali
Result Analysis                       Omer/Ali
Final Report/Demonstration            Omer/Ali
Fig. Packets Leaving the Network: Source within the local network -> Internal router -> Bastion Host -> External router -> Internet (Destination)

Fig. Packets Entering the Network: Source (Internet) -> External router -> Bastion Host -> Internal router -> Destination within the local network (if it is approved according to the rules)