SCSC 455 Computer Security
2011 Spring
Network Security
Control access to system

Access control mechanisms in specific network
programs



Control network traffic at network layer -- Firewall



e.g. 1, wu-FTP server support mulitple security directive in
/etc/ftpaccess
e.g. 2, Apache server: /etc/httpd.conf
operates at the lowest level of the networking protocol
stack.
examines and discards packets from unauthorized
systems before they have a chance to attack applications
Use advanced routing techniques

IP masquerading “Hides” LAN clients from hackers on the
Internet
Access control at different layers
Index



Linux firewall
NAT and proxy
Protect network traffic through encryption
Firewall

A firewall -- a packet filter


access control operating at the lowest level of the
networking protocol stack
Firewalls rely on rules


Rules: the configuration settings that define certain
characteristics of an IP package and the action to take for
packages meeting the specified criteria
Networking stacks in Linux are contained in the
kernel

gives Linux great control over network packet management
IP Chains


The IP Chains are a list of rules for how packets are
handled
Linux kernel includes three default chains




Input chains: packets coming from outside the system on which
the rule is executed pass through
Forward chains: packets coming from outside the system on
which the rule is executed and that need to be routed to another
system pass through
Output chains: Packets coming from within the system on which
the rule is executed and that are destined for other systems pass
through
User defined chains can be added.
IP Chains
Options in IP Chains
Options in IP Chains

Append a new rule to a chain (-A).
# ipchains -A input -s 127.0.0.1 -p icmp -j DENY

Insert a new rule at some position in a chain (-I).
# ipchains -I input 1 -j DENY

Delete the first rule that matches in a chain (-D).
# ipchains -D input -s 127.0.0.1 -p icmp -j DENY

Emptying all rules out of a chain, using the `-F' command.
# ipchains -F forward

List all the rules in a chain
# ipchains -L -n input
Options in IP Chains

-P: default policy for a chain



when a packet hits the end of a built-in chain, the
policy of the chain determines the fate of the
packet.
The policy can be any of the ACCEPT, DENY,
REJECT or MASQ. MASQ is only valid for the
`forward' chain.
E.g. # ipchains -P forward DENY
Options in IP Chains

-j “jump to” target



ACCEPT allows the packet through.
DENY drops the packet as if it had never been received.
REJECT


MASQ



tells the kernel to masquerade the packet.
For this to work, your kernel needs to be compiled with IP
Masquerading enabled.
REDIRECT



drops the packet, but (if it's not an ICMP packet) generates an ICMP
reply to the source to tell it that the destination was unreachable.
tells the kernel to send a packet to a local port instead of wherever it
was heading.
is only valid for packets traversing the input chain.
RETURN which is identical to falling off the end of the chain
immediately
ipchains Example
E.g.1
# ping 127.0.0.1

# ipchains -I input -s 127.0.0.1 -p icmp -j DENY
# ping 127.0.0.1

E.g. 2
#ipchains -A input –j DENY
#ipchains -A input –s 192.168.10.0/0 -j ACCEPT
Options in IP Chains

-i specifies the name of an interface to match.

An interface is the physical device the packet came in on,
or is going out on.


use the ifconfig command to list the interfaces which are `up'.
What is lo interface?



The lo interface is usually called the loopback interface.
If packets from a local process are destined for a local process,
they will go through the output chain with interface set to `lo', then
return through the input chain with interface also `lo'.
-p specifies the protocol

`TCP', `UDP' or `ICMP'.
Options in IP Chains

-s and –d specify the source and destination




Representing in full name, such as `localhost' or
`www.linuxhq.com'.
Representing in IP address such as `127.0.0.1'.
Representing as a group of IP addresses, such as
`199.95.207.0/24'
an extra argument indicating the TCP or UDP
port, or an (inclusive) range of ports
e.g., -p TCP -s 0.0.0.0/0 :1023
Options in IP Chains
! (inversion)




flags can have their arguments preceded by `!' to
match addresses NOT equal to the ones given.
E.g. 1, `-s ! localhost'
matches any packet not coming from localhost.
E.g. 2 -p TCP -d 0.0.0.0/0 ! www
to specify every TCP packet BUT a WWW packet,
How about the following?



-p TCP -d ! 192.168.1.1 www
-p TCP -d 192.168.1.1 ! www
-p TCP -d ! 192.168.1.1 ! www
What Not To Filter Out in ipchains

ICMP packets



ICMP packets are used to indicate failure for other
protocols (such as TCP and UDP).
Blocking these packets means that you will never get `Host
unreachable' or `No route to host' errors; any connections
will just wait for a reply that never comes.
TCP Connections to DNS (nameservers)

DNS doesn't always use UDP. If the reply from the server
exceeds 512 bytes, the client uses a TCP connection (still
going to port number 53) to get the data.
Graphical Firewall Configuration
Utilities

Linux supports several graphical tools that can be used
to set up a firewall


Red Hat Linux includes the lokkit program that walks you through
questions and establishes rules based on your security choices
Red Hat Linux also includes the firewall-config program, which
allows the set up of complex firewall rules
Graphical Firewall Configuration
Utilities – Lokkit (1)
Graphical Firewall Configuration
Utilities – Lokkit (2)
Graphical Firewall Configuration
Utilities – firewall-config (1)
Graphical Firewall Configuration
Utilities – firewall-config (2)
NetFilter / IP Tables

NetFilter


the new and improved Linux packet filtering
system and uses a different architecture than IP
Chains
provides hooks at five different points in packet
processing


A hook refers to the ability to connect another program
at that point
The list of rules associated with the hooks are similar
to IP Chains and are called IP Tables
Using NetFilter / IP Tables

NetFilter / IP Table provide:





The ability to act on packets based on their state –
stateful packets filtering
Examination and alteration of just about any header
field in a packet - packet mangling
Selection of packets to be logged based on the value
of any header field
Passing of packets to regular Linux programs for
further processing outside of the Linux kernel
Implementation of intelligent routing based on Quality
of Service (QoS) features
Index



Linux firewall
NAT and proxy
Protect network traffic through encryption
Network Address Translation and IP
masquerading

The IP Chains feature also provides a special
routing functionality -- Network Address
Translation (NAT)

NAT is a routing technique that alters address or
other header information in a packet

One popular type of NAT is IP masquerading
network address translation in which packets from
many computers on a LAN appear as if they came
from one computer.
IP masquerading
#ipchains -A forward -s 192.168.100.0/24 -j MASQ
NAT pros and cons

NAT pros: Using NAT, a single IP can permit an
entire LAN to connect to the Internet.



Behind the router, the same private IP addresses can be
reused on every LAN
A remote computer cannot connect to a client within a
masqueraded LAN. The router effectively hides the entire
LAN.
NAT cons: However, IP masquerading can make
some network services (FTP, IRC, streaming
audio) unworkable.


Q: Why?
To make these protocols work, additional kernel modules
for the specific protocols have to be installed.
Proxy Server

A proxy server is very similar to IP masquerading,
but the proxy works at the application level, not the
IP level
must configure each client on the LAN so that it use a
special port for the proxy (instead of using the default port)
 E.g., “Squid” is a proxy server in Linux
Clients use 8080 or 8008 instead of the default web port 80


A proxy server provides security against outside
attacks by insulating clients.


let you control the access to the outside system
can cache the results (such as web pages) to improve
performance
Proxy server
Transparent proxy

Transparent proxy – IPchains or IPtables can
redirect packet based on the port to which the
packet is addressed


Is an alternative to using a proxy server
Do not need to configure the clients – the proxy
activity is “transparent” to the clients



All clients’ requests packets must pass through a gateway to
reach the Internet.
The router is configured to redirect some packets to a
particular port at the proxy server. The proxy server
masquerades these packets and send them out.
The proxy server also processes the received packet from
Internet and return them to a client.
Transparent Proxying
Index



Linux firewall
NAT and proxy
Protect network traffic through encryption
Encrypting Network Traffic
What we have covered:
 The firewall restrict network traffic.
 The special routing techniques isolates clients in a LAN
from the Internet

However, the contents of packets in LAN or through
Internet are visible to everyone.



With network analysis tool (a sniffer), the hackers can
view the packets.
The general strategy is encrypting the packets.
Some solutions:
 Secure shell (SSH)
 IPSec
( Note: IPsec operate at the network layer. more flexible, but more complex and
with higher overhead )
The Secure Shell (SSH)
The Secure Shell (SSH) package is a client-server
protocol similar to Telnet



A client program ssh and a server program sshd
SSH replaces Telnet and rlogin for better security
SSH use the same encryption techniques as GPG

1.
2.
3.
Exchange asymmetric keys to establish the identity of a
user requesting a connection
Pass a symmetric session key securely
Encrypt all subsequent traffic by symmetric session key.
OpenSSH

The OpenSSH implementation of the SSH is used
on most Linux distributions


OpenSSH is available to other OSs, such as UNIX,
Windows, Macintosh, PalmOS, …
A client program ssh & a server daemon sshd
$man ssh
$man sshd

SSH connections use port 22 by default
 Make sure sshd daemon is running on the system to
which you want to connect. To check the status of the
sshd daemon

$/etc/rc.d/init.d/sshd
status
Make sure no firewall is blocking traffic on port 22 between
your client and server computer
SSH1 & SSH2

OpenSSH support two versions:

SSH1



uses a public key encryption system to authenticate
connections
But does NOT support strong symmetric encryption of
the subsequent traffic
SSH2


uses a more robust authentication process
supports strong encryption of all network traffic, such
as AES (128-, 192-, or 256-bit), Blowfish, CAST128.
Different Ways to Authenticate in SSH
Method 1. To rely on the r-utilites files


E.g., ~/.rhosts
Insecure  not recommended
Method 2. To use passwords authentication
1.
2.
3.
4.
5.
Login a ssh server by user name and password on the server
$ ssh –l username server
Then you are prompted for the password
This method is much better than the rhost method or
unencrypted Telnet.
However, it does NOT provide public key authentication of the
session.
Use public key authentication in SSH
Method 3. To use public key authentication is a more
secure way to authenticate a connection in SSH

Must set up key pairs for your own user account
$ ssh-keygen -t rsa -b 2048
-t specify a key type (either RSA or DSA)
-b specify the key size (default is 1024 bits)

Your private key is stored in ~/.ssh/id_rsa and your public key is
stored in ~/.ssh/id_rsa.pub

Enter a passphrase to protect your ssh key pair
 It is optional. You may choose to press Enter to leave the key pair
unprotected by a passphrase.
 This decision depends on who else is using your computer and
how you intend to use ssh to access your account on remote
systems.
Use public key authentication in SSH (2)

Once a key pair generated on one account, you should
place the public key from that account in the
~/.ssh/authorized_keys file on each system where you
want to log in using ssh.
This can be done through scp, FTP, email or floppy
disk
e.g., copy from Alice’s PC /home/alice/.ssh/id_rsa.pub
to Bob’s PC
/home/bob/.ssh/authorized_keys

OpenSSH features
OpenSSH supports a number of useful features:


Replace telnet and rlogin
To secure connections for protocols not inherently secure
E.g., the X protocol for serving remote graphical applications
(The detailed steps on p505 are not required in this course.)

Port forwarding:


Is a routing technique that allows encryption of many other
protocols over SSH connections
E.g., SMTP, FTP, POP3, SWAT (The Samba Web
Administration Tool)
Example of Port forwarding in SSH
A system administrator wants to use SWAT to manage many
Samba servers on a large LAN from a single system client1.
 However, using in SWAT in a browser, none of the traffic
(including the password you must enter) is encrypted.
Other Tunneling Protocols

The concept behind using SSH port forwarding
is that you can tunnel and insecure protocol
inside a secure protocol

The Point-to-Point Tunneling Protocol (PPTP) is
a standard for creating a virtual private network
(VPN)


Microsoft created PPTP
PPTP uses two communication channels between a
client and a server
 a control channel and an encrypted data channel
Using stunnel section (P508 – 509) is NOT required in this course.
Tunneling an insecure protocol under
a secure protocol