CSE 127: Introduction to Security
Lecture 12: Network Defenses
Spring 2022
Material from , , , , and
Defending Networks
• How do you harden a set of systems against external attack?
• The more network services your machines run, the greater the risk (i.e., the attack surface is larger)
• One approach: Turn off unnecessary network services on each system
• Why is this hard?
  • Requires knowing all the services that are running
  • What if you have hundreds or thousands of systems?
  • Systems may have different OSes, hardware, and users
Network Perimeter Defense
• Idea: Network defenses on the “outside” of the organization (e.g., between the org and the Internet)
• Typical elements:
  • Firewalls
  • Network Address Translation
  • Application Proxies (e.g., Web Application Firewalls)
  • Network Intrusion Detection Systems (NIDS)
Firewalls
• Problem: Protecting or isolating one part of the network from other parts
  • Typically: Protect your network from the global Internet
  • Sometimes: Protect the Internet from infected machines in your network
• Need to filter or otherwise limit network traffic
• Questions:
  • What kind of information do you want to filter?
  • What are the examples of firewalls?
Kinds of Firewalls
• Personal firewalls
  • Run on end-hosts
  • Have application/user-specific information
• Network firewalls
  • Intercept communications from many hosts
  • Filter-based
    • Operates by filtering on packet headers
  • Proxy-based
    • Operates at the level of the application
    • e.g., HTTP web proxy
Kinds of Firewalls
(Diagram: personal (host-based) firewalls on each end-host vs. network firewalls at the perimeter)
Network Firewalls
• Filters protect against “bad” communications.
• Protect services offered internally from outside access.
• Provide outside services to hosts located inside.
Access Control Policies
• A firewall enforces an access control policy
  • Who is talking to whom and accessing what service?
• Distinguish between inbound and outbound connections
  • Inbound: Attempts by external users to connect to services on internal machines
  • Outbound: Internal users connecting to external services
• Conceptually simple access control policy:
  • Permit users inside to connect to any service
  • External users are restricted
    • Allow connections to services meant to be external
    • Deny connections to services not meant to be external
Access Control Policies
How to treat traffic not mentioned in the policy?
Default allow
• Permit all services, shut off for specific problems
Default deny
• Permit only a few well-known services
In general, default deny is safer. Why?
• Conservative design
• Flaws in default deny get noticed more quickly
Example Firewall Policy
• Configure: Only allow SSH.
    # ufw default deny
    # ufw allow from 100.64.0.0/24
    # ufw allow ssh
• Status: Only allow SSH.
    # ufw status
    Status: active

    To                         Action      From
    --                         ------      ----
    22/tcp                     ALLOW       Anywhere
    Anywhere                   ALLOW       100.64.0.0/24
    22/tcp (v6)                ALLOW       Anywhere (v6)
Packet Filtering Firewalls
• Define a list of access-control rules
• Check every packet against the rules and forward or drop it
• Packet-filtering firewalls can take advantage of the following information from network and transport layer headers:
  • Source IP
  • Destination IP
  • Source Port
  • Destination Port
  • Flags (e.g., ACK)
Example packet filtering rules
• Block incoming DNS (port 53) except from known trusted servers
• Block incoming HTTPS (port 443) except to company IP addresses
• Block outgoing packets with forged internal addresses
Some firewalls keep state about open TCP connections.
• Allows conditional filtering rules of the form “if an internal machine has established the TCP connection, permit inbound reply packets”.
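The example rules above, together with the stateful “permit inbound replies” rule, as a small default-deny packet filter. This is an added illustration, not code from the lecture; the internal subnet, the trusted DNS server and the company web server address are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed address plan for the example (not from the slides): the internal
# subnet, the trusted external DNS servers, and the company's public web servers.
INTERNAL = ip_network("10.0.0.0/24")
TRUSTED_DNS = {ip_address("203.0.113.53")}
COMPANY_WEB = {ip_address("10.0.0.80")}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    inbound: bool            # True when the packet arrives from the Internet side
    syn: bool = False
    ack: bool = False

@dataclass
class StatefulFilter:
    """Default-deny packet filter that remembers connections opened from inside."""
    established: set = field(default_factory=set)  # (internal ip, port, remote ip, port)

    def decide(self, p: Packet) -> str:
        src, dst = ip_address(p.src), ip_address(p.dst)
        if not p.inbound:
            if src not in INTERNAL:          # outgoing packet with a forged source
                return "DROP"
            if p.syn and not p.ack:          # internal host opens a connection: record it
                self.established.add((src, p.sport, dst, p.dport))
            return "ALLOW"                   # inside users may reach any outside service
        # Inbound packets: only replies to connections established from inside ...
        if p.ack and (dst, p.dport, src, p.sport) in self.established:
            return "ALLOW"
        # ... or the few services deliberately exposed, under the slide's rules.
        if p.dport == 53:                    # DNS only from known trusted servers
            return "ALLOW" if src in TRUSTED_DNS else "DROP"
        if p.dport == 443:                   # HTTPS only to company web servers
            return "ALLOW" if dst in COMPANY_WEB else "DROP"
        return "DROP"                        # default deny for anything not mentioned
```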
Network Address Translation
Network Address Translation (NAT)
• Idea: IP addresses do not need to be globally unique
• NATs map between two different address spaces.
• Most home routers are NATs and firewalls.
https://samy.pl/slipstream/
Private Subnets
• 10.0.0.0 – 10.255.255.255
• 172.16.0.0 – 172.31.255.255
• 192.168.0.0 – 192.168.255.255
Typical NAT Behavior
• NAT maintains a table of the form:
• Outgoing packets (on non-NAT port):
  • Look for client IP address, client port in mapping table
  • If found, replace client port with previously allocated NAT ID (same size as port number)
  • If not found, allocate a new NAT ID and replace source port with NAT ID
  • Replace source address with NAT address
• Incoming packets (on NAT port):
  • Look up destination port as NAT ID in port mapping table
  • If found, replace destination address and port with client entries from the mapping table
  • If not found, the packet should be rejected
• Table entries expire after 2–3 minutes of no activity to allow them to be garbage collected
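The outgoing/incoming table logic above, including expiry of idle entries, as an added example (not the lecture's code). The NAT address, the starting NAT ID and the 150-second idle timeout (inside the slide's 2–3 minute range) are constructed for the example.

```python
from dataclasses import dataclass, field
from itertools import count

IDLE_TIMEOUT = 150.0   # seconds; constructed, within the 2-3 minutes the slides give

@dataclass
class Nat:
    nat_addr: str                                   # the single public address
    table: dict = field(default_factory=dict)       # (client ip, client port) -> NAT ID
    reverse: dict = field(default_factory=dict)     # NAT ID -> (client ip, client port)
    last_seen: dict = field(default_factory=dict)   # NAT ID -> time of last packet
    _ids: count = field(default_factory=lambda: count(40000))  # NAT IDs are port-sized

    def outgoing(self, src_ip, src_port, now):
        """Rewrite an outgoing packet's source; returns (NAT address, NAT ID)."""
        key = (src_ip, src_port)
        nat_id = self.table.get(key)
        if nat_id is None:                  # not found: allocate a new NAT ID
            nat_id = next(self._ids)
            self.table[key] = nat_id
            self.reverse[nat_id] = key
        self.last_seen[nat_id] = now        # activity keeps the entry alive
        return self.nat_addr, nat_id

    def incoming(self, dst_port, now):
        """Map an incoming packet to its client; returns (client ip, client port)
        or None, meaning the packet has no mapping and should be rejected."""
        self.expire(now)
        client = self.reverse.get(dst_port)  # the destination port is the NAT ID
        if client is None:
            return None
        self.last_seen[dst_port] = now
        return client

    def expire(self, now):
        """Garbage-collect entries idle for longer than IDLE_TIMEOUT."""
        for nat_id, t in list(self.last_seen.items()):
            if now - t > IDLE_TIMEOUT:
                key = self.reverse.pop(nat_id)
                self.table.pop(key)
                self.last_seen.pop(nat_id)
```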
NAT Pros and Cons
• Pros
  • Only allows connections to the outside that are established from inside.
  • Hosts from outside can only contact internal hosts that appear in the mapping table, and they’re only added when they establish the connection.
  • Don’t need as large an external address space
    • i.e., 10 machines can share 1 IP address
• Cons
  • Breaks some protocols
    • e.g., in FTP, IP addresses appear in the content of the packet
    • e.g., some streaming protocols have the client invoke the server, and then the server opens a new connection to the client
  • Vulnerable to the NAT slipstream attack (https://samy.pl/slipstream/)
Application Proxies
Application Proxies
Idea: Control apps by requiring them to pass through a proxy
• Proxy is an application-level man-in-the-middle
• Enforce policy for specific protocols:
  • SMTP: Scan for viruses, reject spam
  • SSH: Log authentication, inspect encrypted text
  • HTTP: Block forbidden URLs
Companies that inspect outbound traffic will install root certificates on employee workstations to monitor TLS traffic.
Application Proxies
• For high-level security, an application proxy is the appliance of choice.
• Application proxies are high on performance.
• Some application proxies can be expensive to maintain.
• Some application proxies have been shown to be easily hacked despite using SSL certificates.
Network Intrusion Detection System
Network Intrusion Detection Systems (NIDS)
• Idea: Passively monitor network traffic for signs of attack (e.g., look for /etc/passwd)
Network Intrusion Detection Systems (NIDS)
• NIDS has a table of all active connections, and maintains state for each
  • E.g., has it seen a partial match of /etc/passwd
• What do you do when you see a new packet not associated with any known connection?
  • Create a new connection: when the NIDS starts, it doesn’t know what connections might already exist
• Where should you do the detection?
  • Network, host, or both?
Approach #1: Network-based Detection
(Diagram: Structure of FooCorp Web Services. A remote client sends “GET /amazeme.exe?profile=xxx” through FooCorp’s border router to the front-end web server, which runs “bin/amazeme -p xxx” and returns its output. A monitor attached at the border router sees a copy of incoming/outgoing HTTP traffic.)
• Look at network traffic, scanning HTTP requests
  • E.g., look for /etc/password or ../../
Network-based Detection Pros and Cons
Benefits
• Don’t need to modify or trust end systems
• Cover many systems with a single monitor
• Centralized management
Issues
• Expensive: 10 Gbps link ≈ 1M packets/second ≈ ns/packet
• Vulnerable to evasion attacks
  • Some evasions reflect incomplete analysis
    – E.g., hex escapes or ..///.///..////
    – In principle, can deal with these with implementation care
  • Some are due to imperfect observability
    – E.g., what if what the NIDS sees doesn’t exactly match what arrives at the destination?
Understanding the Downsides
• Does /etc/passwd exist on all systems? Do you include rules for all OSes?
• Are all requests with ../../ necessarily bad?
  • False positives: Sometimes seen in legitimate requests
• What if the traffic is encrypted (HTTPS)?
  • Need access to the session key or decrypted text
  • Why might you not want to give the NIDS your TLS keys?
Approach #2: Host-based Detection
(Diagram: Structure of FooCorp Web Services. The remote client’s request passes FooCorp’s border router to the front-end web server, which invokes “amazeme.exe?profile=xxx” as “bin/amazeme -p xxx”; the output of bin/amazeme is sent back. HIDS instrumentation is added inside the web server.)
• Instrument the web server, scan arguments sent to back-end programs (and outbound requests)
  • E.g., look for /etc/password or ../../
Host-based Detection Pros and Cons
• Detect inconsistencies on a single host
• Don’t need to intercept HTTPS
• Expensive: Add code to each server
• Still have to consider, e.g., UNIX filename semantics: ..///.///..////
• Still have to consider other sensitive files, databases, etc.
• Only (kind of) helps with web server attacks; what do you do about other end systems?
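The “incomplete analysis” evasions from the NIDS slide (hex escapes, ..///.///..////) and the UNIX filename semantics point above both come down to normalizing a request argument before matching it. The detector below is an added example, not code from the lecture; the request lines are constructed, and the sensitive-file list is an assumption.

```python
import posixpath
from urllib.parse import unquote

# Constructed sample HTTP request lines in the FooCorp style, not from any real capture.
SAMPLE_REQUESTS = [
    "GET /amazeme.exe?profile=alice HTTP/1.1",
    "GET /amazeme.exe?profile=../../etc/passwd HTTP/1.1",
    "GET /amazeme.exe?profile=..///.///..////etc/passwd HTTP/1.1",
    "GET /amazeme.exe?profile=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1",
    "GET /amazeme.exe?profile=%252e%252e/etc/passwd HTTP/1.1",   # double-encoded
]

SENSITIVE = ("/etc/passwd", "/etc/shadow")   # assumed watch list

def normalize(value: str) -> str:
    """Undo hex escapes (repeatedly, so double encoding is caught too) and
    apply UNIX path semantics so that ..///.///..//// and ../../ compare equal."""
    prev = None
    while prev != value:                     # stop once no more %XX escapes decode
        prev, value = value, unquote(value)
    # normpath collapses '//' and '/./' and resolves '..'; the leading '/' anchors
    # the argument so that a traversal resolves to an absolute path.
    return posixpath.normpath("/" + value)

def suspicious(request_line: str) -> bool:
    """True if any path or query argument, after normalization, names a sensitive file."""
    try:
        _method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return False                         # not a well-formed request line
    path, _, query = target.partition("?")
    for part in (path, *query.split("&")):
        value = part.split("=", 1)[-1]       # the argument that reaches the back-end
        norm = normalize(value)
        if any(norm.endswith(s) for s in SENSITIVE):
            return True
    return False
```

A plain substring match for “/etc/passwd” flags only the second request; the normalized match flags all four variants while still passing the legitimate first one.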
Honeypots
Idea: Deploy a sacrificial system that has no operational purpose (NIDS)
• Designed to lure attackers
• Any access is by definition not authorized, and is either an intruder or a mistake
• Provides opportunity to:
  • Identify intruders
  • Study what they’re up to
  • Divert them from legitimate targets
https://github.com/telekom-security/tpotce
Honeypots for automated attacks are easier than building a convincing environment for dedicated attackers.
https://linux.die.net/man/8/arpwatch