Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Computer Networks

12 Problems with Packet Filters

advertisement 
Problems with Packet Filters
Spoofing and Source Routing
Spoofing means sending a packet that is addressed with false
information, so it appears to come from somewhere other than where it
did.
If your defense isn't set up correctly and the packet gets through.
it's possible that an internal host could believe the packet came from a
"trusted" host that has rights to private information, and could in turn
reply to the spoofed address.
You might be asking yourself, "If the packet appeared to come from a
station other than the one that sent it, where will the response go?"
Spoofing and Source Routing
Well, the answer in typical TCP/IP communication is to the real host.
Which wouldn't know what to do with the packet, and would drop it and
send a reset to the originator.
if source routing is enabled, the imposter packet could carry source-
routing information that would allow it to tell the station where it needs
to be sent to go home.
Source routing allows a packet to carry information that tells a router
the "correct" or a better way for it to get back to where it came from,
allowing it to override the router's prescribed routing rules for the
packet.
Spoofing and Source Routing
This could allow a devious user to guide return traffic wherever he
wants.
For this reason, it is imperative to have source routing disabled. It is
easily disabled in a Cisco router with the following command typed at
the global configuration prompt:
router(config)#no ip source-route
Fragments
Many of the great fragmenting attacks were originally designed to
defeat packet-filtering technology.
Originally, some packet-filtering technologies allowed all fragments to
pass, which wasn't good.
After this was recognized as a security concern, many systems began
checking the first fragment to verify that the header information passed
the tests set forth by the ACLs.
If this initial fragment failed the test and didn't pass through the router,
the rest of the fragments could never be reformed at the other side, in
theory solving the problem.1
Fragments
Because of the way packet filtering examines the header information, it
could be defeated by splitting up the packet into such small pieces that
the header containing TCP or UDP port information was divided.
Because the first fragment was often the only fragment that many
popular packet-filtering systems checked and that the IP address
information would pass, the entire reassembled packet would be passed.
In addition, packet filtering was discovered to be vulnerable to other
fragmenting attacks.
Fragments
including attacks that allowed a second fragment to overlap a seemingly
harmless TCP or UDP port in the initial fragment with deviously chosen
port information.2
Many clever ways were determined that could bypass the packet filter's
inspection capabilities.
As time went by, packet-filtering product manufacturers advanced their
technology, and solutions were proposed to many of the common
fragment attack methods.
RFC 1858 defined methods to deter fragment flow, including dropping
initial fragments that were smaller than a defined size or dropping a
second fragment based on information found in it.
Fragments
The most important point on using a packet-filtering defense to protect
your network from fragment attacks is to verify that you have the latest
firmware and security patches (or in the case of Cisco routers, the latest
IOS software).
For more complete fragment protection, some firewall technologies
include methods such as fragment reassembly before packets are ruled
on, the forming of tables that track decisions regarding initial fragments,
and the basing of outcome of no initial fragments on their predecessors.
 These technologies are not inherent in packet-filtering systems, and
they must be checked for when purchasing an individual product.
Fragments
Cisco access lists can disallow fragmented traffic using the following
access list as the first in an ACL series:
router(config)# access-list 111 deny ip any any fragments
This access list disallows any non initial fragments that have matching IP
address information, but it allows non-fragments or initial fragments to
continue to the next access list entry because of the fragments keyword
at the end of the ACL.
The initial fragments or non-fragments are denied or allowed based on
the access lists that follow the preceding example.
Fragments
However, fragmented traffic is a normal part of some environments, and
a statement like the previous example would deny this normal traffic, as
well as maliciously fragmented traffic.
This example would only be used in an environment that warrants the
highest security to fragmentation attacks, without fear of the loss of
potential usability.
Opening a "Hole" in a Static Packet Filter
One of the great flaws of static packet filtering is that to allow a protocol
into a network, you need to open a "hole."
It is referred to as a hole because no additional checking takes place of
the type of traffic allowed in or out based on more intelligent methods
of detection.
All you can do is open an individual port on your protective wall; as with
a bullet hole through a three-foot wall, you can't shoot anywhere else on
the other side, but you can fire straight through the existing hole
repeatedly.
Opening a "Hole" in a Static Packet Filter
The importance of this analogy is that something must be on the other
side at the port in question; otherwise, you won't be able to hit it.
It is recommended when opening a port using an access list of this type
that you limit the target hosts as much as possible with the access list.
Then, if you have a secured server with all patches and no vulnerabilities
(found as often as elves and four leaf clovers) that you are allowing to
service this port, this isn't such a bad thing.
If your host system is exploitable through whatever port number you
have open, it is possible that any traffic can be sent through that "hole,"
not just the protocol that was running on the host inside.
Two-way Traffic and the established Keyword
When we communicate with another host, it's not just us connecting to
the host, but also the host connecting to usa two-way connection.
This presents a problem when it comes to preventing unwanted access
with a packet filter. If we try to block all incoming traffic, we prevent the
return connection from hosts we are trying to contact.
How can we allow only return traffic? The original answer that Cisco
came up with was the established keyword for extended access lists.
With the word established added to an access list, any traffic, other than
return traffic, is blocked.
Two-way Traffic and the established Keyword
Theoretically. The established keyword checks to see which flags are set
on incoming packets.
Packets with the ACK flag set (or RST flag) would pass, and only response
traffic of the type specified could ever get through, right? Wrong! The
combination of certain pieces of software and sneaky, nefarious users
results in what's known as a crafted packet, which is a packet that the
communicating host does not create in the normal way, but builds
Frankenstein-style from software residing on a host. Users can set any
flag they want.
Two-way Traffic and the established Keyword
What happens if a packet that was crafted with malicious intent appears
with the ACK flag set in an attempt to sneak by the router's filters?
The established keyword access list lets it go through, which isn't good.
The good news is that an internal system that is listening for a new
connection (initiated by a SYN packet) would not accept the ACK packet
that is passed.
It would be so offended by the packet that it would send a reset back to
the originator, telling it to try again.
Two-way Traffic and the established Keyword
This sounds like a good thing, but it has two flaws.
First, it proves that a station exists at the address to which the packet
was sent. If a station didn't exist there, a reset packet wouldn't be
returned. This scanning technique works and is pretty stealthy as well.
Second, because it is eliciting a response from a private system, this
technique might be used successfully for a denial of service attack.
Internal systems could be repeatedly hit with scores of ACK packets,
causing those systems to attempt reply after reply with RST packets.
Two-way Traffic and the established Keyword
This is further accentuated by spoofing the source address on the ACK
packets, so the targeted network would be feverishly firing resets back
to another innocent network.
Fortunately, the innocent network does not respond to the resets,
preventing a second volley from being thrown at the target network.
Despite the drawbacks of the established keyword, it is one of the only
static means by which a Cisco router can allow only return traffic back in
to your network. The following is an example of an established access
list:
router(config)#access-list 101 permit tcp any any est log
Two-way Traffic and the established Keyword
This basic extended access list allows any TCP traffic that has the ACK bit
set, meaning that it allows only return traffic to pass.
It is applied inbound on the outside router interface, and it can log
matches with the appended log keyword.
It also allows RST packets to enter (by definition) to help facilitate proper
TCP communication. A more secure version of this same list would be
given ahead
Two-way Traffic and the established Keyword
router(config)#access-list 101 permit tcp any eq 80 192.168.1.0 0.0.0.255
gt 1023 est log
router(config)#access-list 101 permit tcp any eq 23 192.168.1.0 0.0.0.255
gt 1023 est log
router(config)#access-list 101 permit tcp any eq 25 192.168.1.0 0.0.0.255
gt 1023 est log
router(config)#access-list 101 permit tcp any eq 110 192.168.1.0 0.0.0.255
gt 1023 est log
Two-way Traffic and the established Keyword
In this case, the inside network address is 192.168.1.0255.
These access lists are applied inbound on the external router interface.
By writing your access list this way, you allow traffic only from approved
protocol port numbers (web traffic, Telnet, email, and so on) to your
internal network addresses, and only to ephemeral ports on your
systems.
However, an access list of this type still has problems. It would not
support FTP.
The established Keyword and the Problem of DNS
Remember that the previous ACL did not allow UDP traffic or ICMP
traffic.
The established (or est) keyword is only valid for TCP access lists.
Access lists allow needed ICMP and UDP traffic, which would have to be
included along side of this established access list, to form a
comprehensive filter set.
Without UDP, outside DNS is a real problem, disabling Internet
functionality. This shows one of the biggest flaws of the est keyword as
an effective defense mechanism.
The established Keyword and the Problem of DNS
To facilitate Internet access with the est keyword, a UDP access list must
be included, allowing any DNS return traffic.
Remember that return traffic is coming to a randomly chosen port above
1023, which means that to effectively allow any DNS responses, you
need an access list like this:
access-list 101 permit udp host 192.168.1.1 eq 53 172.16.100.0 0.0.0.255
gt 1023 log
The established Keyword and the Problem of DNS
 This ACL assumes that the external DNS server's address is 192.168.1.1
and that your internal network is 172.16.100.0255.
By adding this line to your existing access list 101, you allow DNS
responses to your network.
However, you also leave yourself open to outside access on ports greater
than 1023 from that external DNS server.
Your security red alert should be going off about now! This would be a
great argument for bringing DNS inside your perimeter; however, that
DNS server would then need to be able to access outside DNS servers for
queries and zone transfers.
The established Keyword and the Problem of DNS
To allow the DNS server to make outbound DNS queries, a similar access
list would need to be added to the router:
access-list 101 permit tcp any host 172.16.100.3 eq 53
access-list 101 permit udp any host 172.16.100.3 eq 53
 This allows all traffic through port 53 to your inside (and hopefully well-
hardened) DNS server. Ideally, such a public access server would be on a
separate screened subnet for maximum security.
Remember that neither solution provides for additional UDP or ICMP
support. If access to either is needed in your specific environment, more
"holes" have to be opened.
Protocol Problems: Extended Access Lists and FTP
File Transfer Protocol (FTP) is a popular means to move files back and
forth between remote systems.
You need to be careful of outside FTP access because it could allow a
malicious user to pull company information or server information
(including password files) from inside servers.
A user could upload files in an attempt to fill a hard drive and crash a
server, upload a Trojan, or overwrite important server configuration files
with ones that allow compromise of the server.
Protocol Problems: Extended Access Lists and FTP
FTP is also one of the more complicated services to secure because of
the way it works.
Securing (or blocking) an incoming connection is relatively easy, but
securing outgoing FTP connections is considerably more difficult.
Let's take a look at a trace that shows standard FTP communication
between a client and a server.
Protocol Problems: Extended Access Lists and FTP
First is the outgoing connection with TCP/IP's three-way handshake:
client.com.4567 > server.com.21: S 1234567890:1234567890(0)
server.com.21 > client.com.4567: S 3242456789:3242456789(0) ack
1234567890
client.com.4567 > server.com.21: . ack 1
Next is the incoming connection when establishing data channel:
server.com.20 > client.com.4568: S 3612244896:3612244896(0)
client.com.4568 > server.com.20: S 1810169911:1810169911(0) ack
3612244896
server.com.20 > client.com.4568: . ack 1
Protocol Problems: Extended Access Lists and FTP
 One way to get around this problem is to use passive (PASV) FTP.
PASV FTP works like standard FTP until the data connection. Instead of
connecting to the client from port 20 to a random port greater than
1023, the FTP server tells the client (through the port that the client last
used to connect to it) what greater-than 1023 port it wants to use to
transfer data.
With this port number, the client establishes a connection back to the
FTP server. Now let's look at a trace of our previous example's data
connection, this time using PASV FTP:
Protocol Problems: Extended Access Lists and FTP
client.com.4568 > server.com.3456: S 1810169911: 1810169911(0)
server.com.3456 > client.com.4568: S 3612244896:3612244896(0) ack
1810169911
client.com.4568 > server.com.3456: . ack 1
 Using an ACL like the following example would be one way to handle
inbound return PASV FTP traffic:
router(config)#access-list 101 permit tcp any gt 1023 192.168.1.0
0.0.0.255 gt 1023 est log
Related documents
Warriors of the net questions 1. What three things are put on the
Warriors of the net questions 1. What three things are put on the
Algebra 1 Preparing for Success Packet
Algebra 1 Preparing for Success Packet
Summer Review Packet for Students Entering Algebra 1
Summer Review Packet for Students Entering Algebra 1
1-07 ICS2O3C - Warriors of the Net
1-07 ICS2O3C - Warriors of the Net
Sportfolio Criteria - JCB Physical Education
Sportfolio Criteria - JCB Physical Education
Warriors of the Net Questions:
Warriors of the Net Questions:
File
File
Summer Review Packet for Students Entering Algebra 2 Honors
Summer Review Packet for Students Entering Algebra 2 Honors
Lab 11 - Personal Web Pages
Lab 11 - Personal Web Pages
Download
advertisement