How to bypass the firewall Guo, Pei November 06, 2006
Outline
- Why do we need the firewall?
- What is the firewall?
- How to bypass the firewall?

Seminar "Computer Security", November 06, 2006

Part I: Why do we need the firewall?

Why do we need the firewall?
The Internet was research-oriented when it came into being, and its communication protocols were designed for a far more benign and trusting environment than today's. It now connects over a million networks and on the order of a billion users, and it has drifted steadily away from that original character: its environment is much less trustworthy and contains all the dangers, hostile people and risks found in society at large. When a network is connected to the outside, communication between the two is bi-directional, so users must protect their local systems against malicious attack from the outside.

Part II: What is the firewall?

Terminology of the firewall
In everyday usage the term "fire wall" originally meant, and still means, a fireproof wall intended to prevent the spread of fire from one room or area of a building to another. In computing, a "firewall" is a gateway that restricts and controls the flow of traffic between networks, typically between an internal network and the Internet. It is inserted between your network and the outside network to create a single controlled link and an outer security perimeter.

Characteristics of the firewall
- All traffic between the inside and the outside network must pass through, and be checked by, the firewall.
- Only authorized traffic, as defined by the local security policy, is allowed to pass.
- The firewall itself is immune to penetration (everything else depends on it, so it must run a hardened, minimal system).
Capabilities of the firewall
- A firewall keeps unauthorized users out of the protected network, prohibits potentially vulnerable services from entering or leaving the network, and provides protection against various kinds of IP spoofing and routing attacks.
- A firewall provides a single location for monitoring, auditing and alarming on security-related events.
- A firewall is a convenient platform for some Internet functions that are not security related, such as a network address translator, which maps local addresses to Internet addresses, and network management functions that audit or log Internet usage.

Limitations of the firewall
- The firewall can NOT protect against attacks that bypass it (for example a modem on an inside host, or a tunnel opened outward from inside).
- The firewall can NOT protect against internal threats.
- The firewall can NOT protect against the transfer of virus-infected programs or files.

Generations of the firewall
Firewall technology appeared in the late 1980s, when the Internet was still a fairly new technology in terms of its global use and connectivity.
Generations:
- Packet filtering: the first paper on it was published in 1988
- Stateful inspection: early 1990s
- Circuit-level gateway: 1980 to 1990
- Application-level gateway: 1990s
- Other generations: any or all of the above combined

Some knowledge related to the firewall
OSI model: (diagram of the seven layers, not reproduced in the transcription)

The common types of the firewall: Type 1, Packet-filtering router
- Network layer firewall
- The original and most basic kind of firewall
- Controls the flow of data using the information in the packet headers:
  - Source address
  - Destination address
  - Protocol used for transferring the data (and, for TCP and UDP, the port numbers)
- Direct connection between the internal network and the outside network

Type 1, Packet-filtering router
PROS:
- Transparency and high performance
- Easy to implement and maintain
- Application independence
CONS:
- Low security
- Judges every packet in isolation: no 'state' and no application-context information

The common types of the firewall: Type 2, Stateful inspection
- Also known as dynamic packet filtering
- Adds stateful inspection modules between the data-link layer and the network layer
- Extracts the state-related information required for security decisions from the packets, including the application layers, and maintains it in dynamic state tables used to evaluate subsequent connection attempts
- Direct connection between the inside and the outside network

Type 2, Stateful inspection
PROS:
- Higher security than a packet-filtering router
- Extensibility, transparency and high performance
CONS:
- No application-level security is provided
- Does not look at the packets as closely as an application-level gateway

The common types of the firewall: Type 3, Circuit-level gateway
- Transport layer firewall
- Creates a circuit (connection) between the internal host and the outside server by acting as a relay, without interpreting the application-level information
- More like a packet filter with the ability to hide the client

Type 3, Circuit-level gateway
PROS:
- Higher security than a packet-filtering router
- Higher performance than an application-level gateway
- Can be implemented for a large number of protocols, since it does not need to understand the application protocol
CONS:
- Once a connection is established, it is always possible to send malicious data in the packets.
The common types of the firewall: Type 4, Application-level gateway
- Application layer firewall
- Performs all the basic functions of the circuit-level gateway, with better traffic monitoring
- Understands information at the higher levels of the TCP/IP stack, up to the application layer
- Does not allow direct connections between an internal host and an external server under any circumstances

Type 4, Application-level gateway
PROS:
- Good security
- Full application-layer awareness
CONS:
- Poor performance
- Limited application support (a separate proxy is needed for each protocol)
- Poor scalability (breaks the client/server model)

Part III: How to bypass the firewall?

How to bypass the firewall?
"Legal" ways (attacks on the packet filter itself, using features of the protocols it inspects):
- IP address spoofing
- Source routing
- Tiny fragments
"Illegal" ways (software planted on a host inside the protected network):
- Rootkit
- Trojan

Terminology of IP address spoofing
IP address spoofing is the intentional misrepresentation of the source IP address in an IP packet, in order to conceal the identity of the sender or to impersonate another computing system. In IP address spoofing, the attacker gains unauthorized access to a computer or a network by making it appear that the traffic comes from a trusted machine, by "spoofing" that machine's IP address.

Theory of IP address spoofing
The Internet Protocol (IP) operates at the network layer of the OSI model. It is connectionless: nothing in the network keeps track of transaction state, and each packet is routed on its own. The basic unit of data transfer in a packet network is called an IP packet.
IP packet header: (diagram, not reproduced in the transcription)

Theory of IP address spoofing
The Transmission Control Protocol (TCP) operates at the transport layer of the OSI model. Unlike IP, TCP is connection-oriented: the two parties in a TCP session must first build a connection via the 3-way handshake (SYN, SYN/ACK, ACK).
TCP packet header: (diagram, not reproduced in the transcription)

Theory of IP address spoofing
The TCP/IP protocol suite uses numeric identifiers called IP addresses to uniquely identify computers on a network. Some systems rely on the source IP address as a means of authentication: access to a system, or to the services it provides, is decided on the basis of the claimed source address in the packet. With readily available tools, an attacker can rewrite these addresses, specifically the "source address" field, so that the packets pass the firewall's rules.
Two things follow from the two headers above. Because IP is connectionless, nothing stops the attacker from writing any source address; but because TCP is connection-oriented, the SYN/ACK goes to the machine being impersonated, not to the attacker, who must therefore finish the handshake blind by predicting the server's initial sequence number. And a packet filter defeats the classic form of the attack simply by dropping any packet arriving on its external interface whose source address belongs to the internal network.

Theory of IP address spoofing
A impersonates C (the trusted machine) to deceive B: A sends packets to B carrying C's address as the source; B's access control sees a trusted host and lets them through, while any replies go to C.

Terminology of source routing
Source routing is a technique by which the sender of a packet can specify the route the packet should take through the network. Normally, as a packet travels through the network, each router examines the destination IP address and chooses the next hop itself. With source routing, the "source" (the sender) makes some or all of these decisions.

Theory of source routing
A: sender, F: destination. To bypass the firewall, the sender A specifies the route itself:
A -> B -> C -> D -> E -> F
The route is carried in the packet's IP options (loose or strict source route). The attacker can steer packets along a path that avoids the filtering router, or combine it with spoofing and have the replies follow the recorded route back to a host he controls. The standard defence is to drop every packet that carries a source-route option.

Terminology of tiny fragments
The tiny fragment attack uses IP fragmentation to create extremely small fragments, forcing part of the TCP header into a separate fragment.
It is designed to bypass filtering rules that depend on TCP header information: the attacker hopes that only the first fragment is examined by the filtering router and that the remaining fragments are passed through unexamined.

Theory of tiny fragments
One TCP header, split across two IP fragments (fragment offsets are counted in units of 8 bytes):

Fragment 1, IP header: MF=1, Fragment Offset=0
  Source Port | Destination Port | Sequence Number (SN)          (the first 8 bytes of the TCP header)
Fragment 2, IP header: MF=0, Fragment Offset=1
  Acknowledgment Number (ACK SN)=0 | Data Offset, Reserved, Flags (SYN) | Window | Checksum | Urgent Pointer=0 | Options | Padding

The flags (SYN, ACK) a filter needs in order to recognise a connection request sit in the second fragment, which a filter that only inspects first fragments never evaluates. RFC 1858 gives the countermeasure: drop any first fragment (offset 0) of a TCP datagram that is too short to hold the whole TCP header, and drop any fragment with offset 1, which could otherwise overwrite the header of an acceptable first fragment.

Concrete example of bypassing the firewall: SSH
Prerequisites:
- A computer at home that you can leave connected to the Internet while you are at work.
- The Internet connection at home should be fast, usually cable or DSL. (Technically this can work with a dial-up modem connection, but it may cause problems and it is really slow.)
- Linux, Unix, or Microsoft Windows NT, 2000 or XP installed on the computer at home.
- Linux, Unix or any flavour of Windows on the computer at work.

Concrete example of bypassing the firewall: SSH
- Run an SSH server on the computer at home.
- Use an SSH client on the computer at work to create a secure tunnel between the work and home computers.
- Enable Dynamic Forwarding in the SSH client, which makes it act as a SOCKS proxy on the work computer.
- Configure Internet Explorer to use that SOCKS proxy for network traffic instead of connecting directly.
The work firewall then sees only one encrypted connection from the work computer to the home computer's SSH port; every web request travels inside it and leaves through the home connection instead.

Concrete example of bypassing the firewall: SSH
Using an SSH tunnel with Dynamic Forwarding: (diagram, not reproduced in the transcription)

Rootkit
A rootkit (also written "root kit") is a set of software tools intended to conceal running processes, files or system data, thereby helping an intruder to maintain access to a system while avoiding detection.
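The three packet-level ("legal") bypasses of Part III, IP address spoofing, source routing and tiny fragments, together with the checks a packet-filtering router applies against each, as an added worked example in Python. This code is not part of the original slides: the 10.0.0.0/8 internal range, the "inbound connections only to port 80" policy and all addresses are assumptions constructed for the example, and the IPv4 and TCP headers are decoded with the standard library only. The `rfc1858=False` switch reproduces the naive filter of slide 29, which lets the two fragments through; the default applies the RFC 1858 rules and drops both.

```python
"""Stateless IPv4 filter hardened against the three packet-level bypasses of Part III:
source-address spoofing (RFC 2827 ingress/egress filtering), source routing (IP options
LSRR/SSRR) and tiny fragments (RFC 1858). Added example; network, policy, addresses assumed."""
import struct
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")   # assumed: the protected network behind the firewall
ALLOWED_INBOUND_PORTS = {80}               # assumed policy: only new connections to the web server
IPPROTO_TCP = 6
IPOPT_LSRR, IPOPT_SSRR = 131, 137          # loose / strict source-and-record-route options
TCP_MIN_HEADER = 20                        # RFC 1858 "tmin": bytes needed to see ports and flags
TCP_SYN, TCP_ACK = 0x02, 0x10

def parse_ipv4(raw):
    """Decode an IPv4 header; return (src, dst, proto, more_fragments, fragment_offset, options, payload)."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, _id, flags_fo, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(raw) < ihl or total_len < ihl:
        raise ValueError("bad version, IHL or total length")
    return (ip_address(src), ip_address(dst), proto, bool(flags_fo & 0x2000),
            flags_fo & 0x1FFF, raw[20:ihl], raw[ihl:total_len])

def ip_option_types(options):
    """Walk the IP option list (RFC 791 type/length encoding) and return the option types present."""
    types, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                 # End of Option List
            break
        if kind == 1:                 # No Operation: a single byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            raise ValueError("malformed IP option")
        types.append(kind)
        i += options[i + 1]
    return types

def filter_packet(raw, inbound, rfc1858=True):
    """Return ('ACCEPT' | 'DROP', reason) for one datagram or fragment. inbound=True means it arrived on
    the external interface. rfc1858=False shows the naive filter the tiny-fragment attack defeats."""
    try:
        src, _dst, proto, _mf, frag_off, options, payload = parse_ipv4(raw)
        option_types = ip_option_types(options)
    except ValueError as exc:
        return "DROP", f"malformed packet: {exc}"
    # 1. Anti-spoofing (RFC 2827): nothing from outside may claim an inside address, nothing leaves with ours missing.
    if inbound and src in INTERNAL_NET:
        return "DROP", "external packet with internal source address (spoofing)"
    if not inbound and src not in INTERNAL_NET:
        return "DROP", "outbound packet with foreign source address"
    # 2. Source routing: the sender does not get to choose the path around the firewall.
    if IPOPT_LSRR in option_types or IPOPT_SSRR in option_types:
        return "DROP", "source-routed packet (LSRR/SSRR option present)"
    if proto != IPPROTO_TCP:
        return "ACCEPT", "non-TCP traffic: outside this example's policy"
    # 3. Fragments (RFC 1858): the TCP header must be whole in fragment 0 and not overwritable at offset 1.
    if rfc1858:
        if frag_off == 0 and len(payload) < TCP_MIN_HEADER:
            return "DROP", "tiny first fragment: TCP header incomplete"
        if frag_off == 1:
            return "DROP", "fragment offset 1 would overlap the TCP header"
    if frag_off != 0:
        return "ACCEPT", "non-first fragment: header was judged in fragment 0"
    # 4. TCP policy: a SYN without ACK is a connection request; inbound ones only to ALLOWED_INBOUND_PORTS.
    if len(payload) < 14:
        return "ACCEPT", "flags not in this fragment (the naive filter gives up here)"
    dport = struct.unpack("!H", payload[2:4])[0]
    flags = payload[13] & 0x3F
    if inbound and flags & TCP_SYN and not flags & TCP_ACK and dport not in ALLOWED_INBOUND_PORTS:
        return "DROP", f"inbound connection request to port {dport}"
    return "ACCEPT", "permitted by TCP policy"

def make_ipv4(src, dst, payload, proto=IPPROTO_TCP, more_frags=False, frag_off=0, options=b""):
    """Build a constructed IPv4 datagram or fragment (checksum left 0; this filter does not verify it)."""
    options += b"\x00" * (-len(options) % 4)               # pad options to a 32-bit boundary
    ihl = (20 + len(options)) // 4
    flags_fo = (0x2000 if more_frags else 0) | (frag_off & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options) + len(payload), 0xBEEF,
                      flags_fo, 64, proto, 0, ip_address(src).packed, ip_address(dst).packed)
    return hdr + options + payload

def make_tcp(sport, dport, flags):
    """Constructed 20-byte TCP header: ports, seq, ack, data offset, flags, window, checksum, urgent."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)

def tiny_fragment_attack(src, dst, dport):
    """The two fragments of slide 29: ports and sequence number (8 bytes) at offset 0, then the
    acknowledgment number, flags and the rest of the header at fragment offset 1."""
    tcp = make_tcp(40000, dport, TCP_SYN)
    return (make_ipv4(src, dst, tcp[:8], more_frags=True, frag_off=0),
            make_ipv4(src, dst, tcp[8:], frag_off=1))

if __name__ == "__main__":
    attacker, web = "198.51.100.7", "10.0.0.80"             # constructed addresses (TEST-NET-2 / inside)
    frag0, frag1 = tiny_fragment_attack(attacker, web, 23)  # a SYN to telnet, which the policy forbids
    print("naive   :", filter_packet(frag0, True, rfc1858=False), filter_packet(frag1, True, rfc1858=False))
    print("hardened:", filter_packet(frag0, True), filter_packet(frag1, True))
```

Non-first fragments are accepted without inspection on purpose: a stateless filter cannot reassemble, so the RFC 1858 rules work by guaranteeing that every decision-relevant byte is in fragment 0 and that no later fragment can overwrite it. A stateful firewall of the Type 2 kind would instead reassemble or track the datagram before applying the TCP policy.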
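What the "Dynamic Forwarding" step of the SSH example above actually speaks on the work computer, as an added example in Python that is not part of the original slides: the SSH client listens on localhost as a SOCKS5 proxy (RFC 1928), and each CONNECT request the browser sends it is carried inside the encrypted SSH session and opened by the SSH server at home. The OpenSSH command line quoted in the docstring is real; the host names, ports and the browser's messages are constructed for the example, and `proxy_accepts` is a hypothetical stand-in for the SSH client's handling of one browser connection.

```python
"""The wire protocol behind 'Dynamic Forwarding' (OpenSSH: ssh -D 1080 -N user@home): the SSH client
answers SOCKS5 (RFC 1928) on 127.0.0.1:1080 at work, and every CONNECT it receives is relayed
through the encrypted session and opened by sshd at home. Added example; names and ports constructed."""
import socket
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH, METHOD_NONE_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED, REP_CMD_NOT_SUPPORTED, REP_ATYP_NOT_SUPPORTED = 0x00, 0x07, 0x08

class SocksError(Exception):
    """Carries the RFC 1928 reply code the proxy must send back before closing."""
    def __init__(self, rep, message):
        super().__init__(message)
        self.rep = rep

def build_greeting(methods=(METHOD_NO_AUTH,)):
    """Browser -> local proxy: version, number of methods, method list."""
    return bytes([SOCKS_VERSION, len(methods), *methods])

def select_method(greeting):
    """Local proxy -> browser: accept 'no authentication' (the proxy is only reachable on localhost and
    the SSH session is the authenticated channel) or refuse with 0xFF."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed SOCKS5 greeting")
    chosen = METHOD_NO_AUTH if METHOD_NO_AUTH in greeting[2:] else METHOD_NONE_ACCEPTABLE
    return bytes([SOCKS_VERSION, chosen])

def build_connect(host, port):
    """Browser -> local proxy: CONNECT host:port. An IPv4 literal goes as ATYP 1, meaning the browser
    resolved the name itself and the corporate DNS saw the lookup; a name goes as ATYP 3 and is
    resolved by the home end, so the corporate network sees neither the name nor the address."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("host name longer than 255 bytes cannot be sent in SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)

def parse_connect(request):
    """Local proxy side: decode the request the SSH client forwards; return (host, port, bytes consumed)."""
    if len(request) < 5 or request[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = request[1], request[3]
    if cmd != CMD_CONNECT:
        raise SocksError(REP_CMD_NOT_SUPPORTED, "only CONNECT is needed for web browsing")
    if atyp == ATYP_IPV4:
        end = 4 + 4
    elif atyp == ATYP_DOMAIN:
        end = 5 + request[4]
    elif atyp == ATYP_IPV6:
        end = 4 + 16
    else:
        raise SocksError(REP_ATYP_NOT_SUPPORTED, f"unknown address type {atyp}")
    if len(request) < end + 2:
        raise ValueError("truncated SOCKS5 request")
    if atyp == ATYP_IPV4:
        host = socket.inet_ntoa(request[4:end])
    elif atyp == ATYP_DOMAIN:
        host = request[5:end].decode("idna")
    else:
        host = socket.inet_ntop(socket.AF_INET6, request[4:end])
    port = struct.unpack("!H", request[end:end + 2])[0]
    return host, port, end + 2

def build_reply(rep, bind_host="0.0.0.0", bind_port=0):
    """Local proxy -> browser: status; after REP_SUCCEEDED the browser's bytes are relayed verbatim."""
    return bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + socket.inet_aton(bind_host) + struct.pack("!H", bind_port)

def proxy_accepts(stream):
    """Hypothetical stand-in for the SSH client's side of one browser connection: greeting, then CONNECT.
    Returns (method_reply, destination, reply); destination is (host, port) or None when refused."""
    if len(stream) < 2:
        raise ValueError("no SOCKS5 greeting")
    method_reply = select_method(stream[:2 + stream[1]])
    if method_reply[1] == METHOD_NONE_ACCEPTABLE:
        return method_reply, None, b""
    try:
        host, port, _ = parse_connect(stream[2 + stream[1]:])
    except SocksError as exc:
        return method_reply, None, build_reply(exc.rep)
    return method_reply, (host, port), build_reply(REP_SUCCEEDED)

if __name__ == "__main__":
    # What the browser at work hands to 127.0.0.1:1080; the work firewall sees only TCP to home's SSH port.
    print(proxy_accepts(build_greeting() + build_connect("www.example.com", 80)))
```

The point for the defender is in `build_connect`: with ATYP 3 the destination name never appears on the corporate network, so neither the firewall log nor the internal DNS shows where the user went. The only observable is one long-lived, high-volume connection to an outside SSH port, which is why egress policies restrict outbound SSH to known hosts rather than allowing it generally.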
Rootkits are known to exist for a variety of operating systems, such as Linux, Solaris and versions of Microsoft Windows.

Trojan
In computer software, a Trojan horse is a malicious program that is disguised as, or embedded within, legitimate software. The term is derived from the classical myth of the Trojan Horse. Such programs may look useful or interesting (or at the very least harmless) to an unsuspecting user, but are actually harmful when executed. The term is often shortened to simply "Trojan". Once a Trojan or rootkit is running on an inside host, it can open connections outward through the rules that allow ordinary user traffic, which is why the firewall offers no protection against it.

Part IV: Conclusion

Review
- The needs and origin of the firewall
- The essentials of the firewall
  - The definition, characteristics, and capabilities/limitations of the firewall
  - The generations and types of the firewall
- The principles of how to bypass the firewall
  - "Legal" ways
  - "Illegal" ways

Thanks, all of you!