firewall policies and vpn configurations 2006 part 3 pdf


Document information

■ Oil and energy
■ Engineering
■ Computer technology
■ Research medicine
■ Law

Any company on the verge of a breakthrough that could result in large monetary rewards or worldwide recognition should be aware of the possibility of espionage and take steps to guard against it.

Phishing, the new information gathering technique, is spreading and becoming more sophisticated. Phishing e-mails either ask the victim to fill out a form or direct them to a Web page designed to look like a legitimate banking site. The victim is asked for personal information such as credit card numbers, social security number, or other data that can then be used for identity theft. There has been at least one insidious phishing scheme that uses a Secure Sockets Layer (SSL) certificate so that the data you give to the hacker is safely encrypted on the network.

Notes from the Underground…

"Cybercrime on the rise, survey finds. Criminal attacks online are on the upswing and they are getting stealthier," according to Symantec.

By Amanda Cantrell, CNNMoney.com staff writer
March 7, 2006: 11:51 AM EST

NEW YORK (CNNMoney.com) - Cybercrime is on the rise, and today's attacks are often silent, hard to detect and highly targeted, according to a new survey.

Danger in the ether

Symantec (down $0.57 to $15.96, Research), which makes anti-virus software for businesses and consumers, found a notable increase in "cybercrime" threats to computer users, according to the latest installment of its semiannual Internet Security Threat Report. Cybercrime consists of criminal acts performed using a computer or the Internet. Symantec also found a rise in the use of "crimeware," or software used to conduct cybercrime. Cybercriminals are also getting more sophisticated.
Attacks designed to destroy data have now given way to attacks designed to steal data outright, often for financial gain, according to the survey, which covers the six-month period from July 1, 2005 to December 31, 2005. Eighty percent of all threats are designed to steal personal information from consumers, intellectual property from corporations, or to control the end user's machine, according to Symantec. Moreover, today's attackers are abandoning large-scale attacks on corporate firewalls in favor of targets such as individual desktop computers, using Web applications that can capture personal, financial, and confidential information that can then be used for financial gain. That continues a trend Symantec found in its survey covering the first half of 2005."

Vengeful Hackers

Hackers motivated by the desire for revenge are also dangerous. Vengeance seeking is usually based on strong emotions, which means that these hackers could go all-out in their efforts to sabotage your network. Examples of hackers or security saboteurs acting out of revenge include:

■ Former employees who are bitter about being fired or laid off, or who quit their jobs under unpleasant circumstances.
■ Current employees who feel mistreated by the company, especially those who are planning to leave soon.
■ Current employees who aim to sabotage the work of other employees due to internal political battles, rivalry over promotions, and the like.
■ Outsiders who have grudges against the company, such as dissatisfied customers or employees of competing companies who want to harm or embarrass the company.
■ Outsiders who have personal grudges against someone who works for the company, such as employees' former girlfriends or boyfriends, spouses going through a divorce, and other relationship-related problems.

Luckily, the intruders in this category are generally less technically talented than those in the other two groups, and their emotional involvement could cause them to be careless and take outrageous chances, which makes them easier to catch.

Notes from the Underground…

New Directions in Malware

Kaspersky Labs reports on extortion scams using malware:

"We've reported more than once on cases where remote malicious users have moved away from the stealth use of infected computers (stealing data from them, using them as part of zombie networks, and so forth) to direct blackmail, demanding payment from victims. At the moment, this method is used in two main ways: encrypting user data and corrupting system information.

Users quickly understand that something has happened to their data. They are then told that they should send a specific sum to an e-payment account maintained by the remote malicious user, whether it be EGold, Webmoney or some other e-payment account. The ransom demanded varies significantly depending on the amount of money available to the victim. We know of cases where the malicious users have demanded $50, and of cases where they have demanded more than $2,000.

The first such blackmail case was in 1989, and now this method is again gaining in popularity. In 2005, the most striking examples of this type of cybercrime were carried out using the Trojans GpCode and Krotten.
The first of these encrypts user data; the second restricts itself to making a number of modifications to the victim machine's system registry, causing it to cease functioning.

Among other worms, the article discusses the GpCode.ac worm, which encrypts data using 56-bit Rivest, Shamir, & Adleman (RSA). The whole article is interesting reading. Posted on April 26, 2006 at 01:07 PM on www.schneier.com."

Hybrid Hackers

The three categories of hacker can overlap in some cases. A recreational hacker who perceives himself as having been mistreated by an employer or in a personal relationship could use his otherwise benign hacking skills to impose "justice," or a vengeful ex-employee or ex-spouse might pay someone else to do the hacking.

It is beneficial to understand the common motivations of network intruders because, although we might not be able to predict which type of hacker will decide to attack our networks, we can recognize how each operates and take steps to protect our networks from all of them.

Even more important than the type of hacker in planning our security strategy is the type of attack. In the next section, we examine specific types of network attacks and ways in which you can protect against them.

NOTE

Social engineering, also known as people hacking, is a means for obtaining security information from people by tricking them. The classic example is calling up a user and pretending to be a system administrator. The hacker asks the user for his or her password to perform some important maintenance task. To avoid being hacked via social engineering, educate your user community that they should always confirm the identity of any person calling them, and that passwords should never be given to anyone over e-mail, instant messaging, or the telephone. It is beyond the scope of this book to address social engineering and ways to educate employees against it.
However, the SysAdmin, Audit, Network, Security (SANS) Institute (http://www.sans.org) has both full courses and step-by-step guides to help with this process.

Back to Basics—Transmission Control Protocol/Internet Protocol

Transmission Control Protocol/Internet Protocol (TCP/IP) is the network protocol that pushes data around the Internet. (Other protocols you may have heard of are Windows NetBEUI, Mac AppleTalk, and Novell IPX/SPX; however, none of these concern us.) You don't need to understand the intricacies of TCP/IP; however, a basic understanding will make your firewall deployment much easier.

TCP/IP is based on the idea that data is sent in packets, similar to putting a letter in an envelope. Each packet contains a header that contains routing information concerning where the packet came from and where it is going (similar to the address and return address on an envelope), and the data itself (the letter contained in the envelope). Figure 3.1 illustrates a typical TCP/IP packet.

Figure 3.1 Layout of a Typical TCP/IP Packet (each row is 32 bits wide)

Version | IHL | Type-of-Service | Total Length
Identification | Flags | Fragment Offset
Time-to-Live | Protocol | Header Checksum
Source Address
Destination Address
Options (plus padding)
Data (variable length)

■ Version: Indicates the version of IP currently used.
■ IP Header Length (IHL): Indicates the datagram header length in 32-bit words.
■ Type of Service: Specifies how an upper-layer protocol wants a current datagram to be handled, and assigns various levels of importance to datagrams.
■ Total Length: Specifies the length, in bytes, of the entire IP packet, including the data and header.
■ Identification: Contains an integer that identifies the current datagram. This field is used to help piece together datagram fragments.
■ Flags: Consists of a 3-bit field of which the two low-order (least significant) bits control fragmentation. The low-order bit specifies whether the packet can be fragmented. The middle-order bit specifies whether the packet is the last fragment in a series of fragmented packets. The third or high-order bit is not used.
■ Fragment Offset: Indicates the position of the fragment's data relative to the beginning of the data in the original datagram, which allows the destination IP process to properly reconstruct the original datagram.
■ Time-to-Live: Maintains a counter that gradually decrements down to zero, at which point the datagram is discarded. This keeps packets from looping endlessly.
■ Protocol: Indicates which upper-layer protocol receives incoming packets after IP processing is complete.
■ Header Checksum: Helps ensure IP header integrity.
■ Source Address: Specifies the sending node.
■ Destination Address: Specifies the receiving node.
■ Options: Allows IP to support various options, such as security.
■ Data: Upper-layer information.

TCP/IP Header

The "envelope" or header of a packet contains a great deal of information, only some of which is of interest to firewall administrators, who are primarily interested in source and destination addresses and port numbers. Only application proxies deal with the data section.

IP Addresses

Source and destination addresses reference the exact machine a packet came from and the corresponding machine receiving the packet. These addresses are in the standard form of four numbers, each of up to three digits, separated by periods (i.e., the IP version 4 standard). Table 3.1 shows the various classes of IP addresses.
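The field list above as working code. This is an added example, not code from the book: a Python parser that decodes the Figure 3.1 fields from raw bytes and verifies the Header Checksum, using the RFC 791 bit positions for the Flags field (reserved, DF, MF from high to low). The sample header is constructed for this example, not captured traffic.

```python
import struct
from dataclasses import dataclass

# Constructed sample (not a captured packet): a 20-byte IPv4 header with
# no options, carrying TCP (protocol 6), DF set, TTL 64, from 192.168.0.1
# to 10.0.0.5. The checksum 0x53c8 was computed by hand for these values.
SAMPLE_HEADER = bytes.fromhex("4500003c1c464000400653c8c0a800010a000005")


@dataclass
class IPv4Header:
    version: int
    ihl: int               # header length in 32-bit words
    tos: int
    total_length: int      # header plus data, in bytes
    identification: int
    dont_fragment: bool
    more_fragments: bool
    fragment_offset: int   # in 8-byte units from the start of the original data
    ttl: int
    protocol: int          # 1 = ICMP, 6 = TCP, 17 = UDP
    header_checksum: int
    src: str
    dst: str
    options: bytes
    checksum_ok: bool


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum over the data (odd trailing byte padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for (word,) in struct.iter_unpack("!H", data):
        total += word
        total = (total & 0xFFFF) + (total >> 16)   # fold the carry back in
    return total


def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's complement sum
    of the header, computed with the checksum field itself zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF


def parse_ipv4_header(pkt: bytes) -> IPv4Header:
    """Decode the fields of Figure 3.1 from the start of a raw packet."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the minimum 20-byte IPv4 header")
    (vihl, tos, total_length, ident, flags_frag, ttl, proto,
     checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = vihl >> 4, vihl & 0x0F
    if version != 4:
        raise ValueError(f"not an IPv4 packet (version {version})")
    hdr_len = ihl * 4
    if ihl < 5 or len(pkt) < hdr_len or total_length < hdr_len:
        raise ValueError("IHL inconsistent with packet or total length")
    # RFC 791 flag bits, high to low: reserved, DF (don't fragment),
    # MF (more fragments follow). The low 13 bits are the fragment offset.
    flags = flags_frag >> 13
    header = pkt[:hdr_len]
    return IPv4Header(
        version=version, ihl=ihl, tos=tos, total_length=total_length,
        identification=ident,
        dont_fragment=bool(flags & 0b010),
        more_fragments=bool(flags & 0b001),
        fragment_offset=flags_frag & 0x1FFF,
        ttl=ttl, protocol=proto, header_checksum=checksum,
        src=".".join(map(str, src)), dst=".".join(map(str, dst)),
        options=header[20:],
        # a valid header, summed with its checksum field included, gives all ones
        checksum_ok=ones_complement_sum(header) == 0xFFFF,
    )
```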
Table 3.1 IP Address Classes

Class   Start Address   Comment
A       0.0.0.0         Standard internet addresses available to all users, except the private 10.0.0.0 subnet
B       128.0.0.0       Standard internet addresses available to all users, except the private 172.16.0.0 – 172.31.255.255 range
C       192.0.0.0       Standard internet addresses available to all users, except the private 192.168.0.0 subnet
D       224.0.0.0       Multicast address class
E       240.0.0.0       Research and limited broadcast class

As noted in the table, three subnets are designated as private addresses: 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255. By definition, these subnets cannot be routed on the Internet.

There is also a group of IP addresses known as self-assigned addresses, which range from 169.254.0.0 to 169.254.255.255. These addresses are used by the OS when no other address is available, making it possible to connect to a computer on a network that doesn't automatically assign addresses (Dynamic Host Configuration Protocol [DHCP]), and there are no valid static IP addresses that can be typed into the network configuration. All routers, switches, firewalls, and other appliances are designed to stop these addresses.

One address is reserved as the loopback address. Address 127.0.0.1 refers to the machine itself, and is generally used to confirm that the TCP/IP protocol is correctly installed and functioning on the machine.

Networks 224.0.0.0 to 254.255.255.255 are reserved for special testing and applications. While Internet-routable, the standard organization or individual does not generally use them. The Class D network provides multicast capabilities.
A multicast is when a group of IP addresses is defined in such a way as to permit individual packets to have a destination address of all the machines, rather than a single machine. Class E is for research by particular organizations and has limited broadcast capabilities.

A broadcast is when a single device sends out a packet that has no particular recipient. Instead, it goes to every machine on the subnet. On standard (non-Class E) networks, this is defined by address 255.255.255.255. The Class E network is different and is not accessible to devices on the other classes of networks. While there are legitimate uses for broadcasts (e.g., obtaining a DHCP address), we want to keep them to a minimum. To this end, all routers and firewalls block broadcasts by default. Too many broadcasts will slow network performance to a crawl.

Every device on the Internet must have a unique IP address. If a device has a valid IP address (i.e., not a private, non-routable address or self-assigned address) and is not behind a firewall, it is available for connection to any other device on the Internet. A computer in Berlin can print to a printer in London. A mail server in Chicago can deliver e-mail directly to a machine in Singapore. This ubiquitous communication and ability to transfer data directly from one machine to another is what makes the Internet so powerful. It is also what makes it so dangerous. It is impossible to stress strongly enough that no machine on the public Internet is hidden. No machine is safe from detection.

Firewalls are the only method of safely hiding a device on a private network, while still providing access to the Internet as a whole. Firewalls are able to hide a device by doing address translation. Address translation is when firewalls convert a valid Internet address to a private address on a private subnet.
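The ranges of Table 3.1 and the reserved addresses above, as an added example (not from the book) of the check a firewall applies to a packet's source address: which class or reserved range it falls in, whether it could legitimately arrive from the Internet, and whether an outside packet is claiming an inside address (the source address verification that the IP Spoofing section later in this chapter recommends). The interface names, the inside network list and the verdict strings are this example's own assumptions.

```python
import ipaddress
from typing import Iterable, Tuple

# Ranges from Table 3.1 and the text around it: the three private subnets,
# the self-assigned 169.254.0.0/16 range, loopback (the text names 127.0.0.1;
# the whole 127.0.0.0/8 block is reserved for it), Class D multicast,
# Class E research, and the limited broadcast address.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SELF_ASSIGNED = ipaddress.ip_network("169.254.0.0/16")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
CLASS_D_MULTICAST = ipaddress.ip_network("224.0.0.0/4")
CLASS_E_RESEARCH = ipaddress.ip_network("240.0.0.0/4")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# Kinds that can never be a legitimate *source* address on any interface.
NEVER_A_SOURCE = {"broadcast", "loopback", "class D multicast", "class E"}
# Kinds that must not arrive from the Internet ("by definition, these
# subnets cannot be routed on the Internet").
NOT_INTERNET_ROUTABLE = NEVER_A_SOURCE | {"private", "self-assigned"}


def classify(addr: str) -> str:
    """Name the class or reserved range an IPv4 address falls in."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("IPv4 addresses only")
    if ip == LIMITED_BROADCAST:          # test before Class E, which contains it
        return "broadcast"
    if ip in LOOPBACK:
        return "loopback"
    if any(ip in net for net in PRIVATE_NETS):
        return "private"
    if ip in SELF_ASSIGNED:
        return "self-assigned"
    if ip in CLASS_E_RESEARCH:
        return "class E"
    if ip in CLASS_D_MULTICAST:
        return "class D multicast"
    first_octet = int(ip) >> 24          # classful split on the first octet
    if first_octet < 128:
        return "class A"
    if first_octet < 192:
        return "class B"
    return "class C"


def is_internet_routable(addr: str) -> bool:
    return classify(addr) not in NOT_INTERNET_ROUTABLE


def check_source(addr: str, arrived_on: str,
                 inside_nets: Iterable[str]) -> Tuple[str, str]:
    """Source address verification for one packet at the firewall.

    arrived_on is "outside" (Internet-facing) or "inside"; inside_nets are
    the CIDR blocks behind the firewall. Returns (verdict, reason)."""
    if arrived_on not in ("outside", "inside"):
        raise ValueError("arrived_on must be 'outside' or 'inside'")
    ip = ipaddress.ip_address(addr)
    kind = classify(addr)
    is_inside = any(ip in ipaddress.ip_network(n) for n in inside_nets)
    if kind in NEVER_A_SOURCE:
        return "drop", f"{kind} address is never a valid source"
    if arrived_on == "outside":
        if kind in NOT_INTERNET_ROUTABLE:
            return "drop", f"{kind} source cannot arrive from the Internet"
        if is_inside:
            return "drop", "outside packet claims an internal source address"
    elif not is_inside:
        return "drop", "inside host using a source address not behind the firewall"
    return "accept", kind
```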
Almost all firewalls do this type of address translation, which has several advantages:

■ An Additional Layer of Security: Without the firewall in place to do the translations, Internet addresses can't communicate with the private network and vice versa.
■ Expansion of Available IP Addresses: Not every device in your organization needs to be accessible from the Internet. User workstations require access to the Internet, but do not need to have incoming traffic originating on the Internet. They only require responses to inquiries sent out. Most firewalls handle this by converting every internal address to a single, Internet-routable address. This address is usually the address of the firewall itself, but does not necessarily have to be.
■ Ability to Completely Hide a Device from the Internet: Is it necessary to have your printers available to the Internet? Does that Web server that is only available to employees at their desks need to have an Internet address? The answer to both questions is probably "no." With a firewall capable of address translation, both of these examples can be assigned a private address with no translation to the outside. The device is hidden from anyone on the public Internet and is completely inaccessible.

IP Half-scan Attack

Half scans, also called half-open scans or Finish Packet (FIN) scans, attempt to avoid detection by sending only initial or final packets rather than establishing a connection. Every IP connection starts with a Synchronous (SYN) packet from the connecting computer. The responding computer responds with a SYN/Acknowledgement (ACK) packet, which acknowledges the original packet and establishes the communication parameters. SYN/ACK continues until the end of the communication when a FIN packet is sent and the connection is broken. A half scan starts the SYN/ACK process with a targeted computer but does not complete it.
Software that conducts half scans, such as Jakal, is called a stealth scanner. Many port-scanning detectors are unable to detect half scans.

IP Spoofing

IP spoofing involves changing the packet headers of a message to indicate that it came from an IP address other than the true source. The spoofed address is normally a trusted port that allows a hacker to get a message through a firewall or router that would otherwise be filtered out. Modern firewalls protect against IP spoofing.

Hackers use spoofing whenever it is beneficial for one machine to impersonate another. It is often used in combination with another type of attack (e.g., a spoofed address is used in the SYN flood attack to create a "half-open" connection; the client never responds to the SYN/ACK message, because the spoofed address is that of a computer that is down or doesn't exist). Spoofing is also used to hide the true IP address of the attacker in ping of death, teardrop, and other attacks. IP spoofing can be prevented using source address verification on your firewall.

Denial of Service Attacks

In February 2000, massive DoS attacks brought down several of the biggest Web sites, including Yahoo.com and Buy.com. DoS attacks are a popular choice for Internet hackers who want to disrupt a network's operations. The objective of DoS attackers is to bring down the network, thereby denying service to its legitimate users. DoS attacks are easy to initiate, because software is readily available from hacker Web sites and warez newsgroups that allow anyone to launch a DoS attack with little or no technical expertise.

NOTE

Warez is a term used by hackers and crackers to describe bootlegged software that has been "cracked" to remove copy protections and made available by software pirates on the Internet, or in its broader definition, to describe any illegally distributed software.
The purpose of a DoS attack is to render a network inaccessible by generating a type or amount of network traffic that will crash the servers, overwhelm the routers, or otherwise prevent the network's devices from functioning properly. DoS can be accomplished by tying up the server's resources (e.g., by overwhelming the central processing unit (CPU) and memory resources). In other cases, a particular user or machine can be the target of DoS attacks that hang up the client machine and require it to be rebooted.

NOTE

DoS attacks are sometimes referred to in the security community as nuke attacks.

Distributed DoS (DDoS) attacks use intermediary computers (called agents) on which programs (called zombies) have previously been surreptitiously installed, usually by a virus or Trojan (see below). The hacker activates these zombie programs remotely, causing the intermediary computers (which can number in the hundreds or even thousands) to simultaneously launch the actual attack. Because the attack comes from the computers running the zombie programs—which could potentially be on networks anywhere in the world—the hacker is able to conceal the true origin of the attack.

It is important to note that DDoS attacks pose a two-layer threat. Not only could your network be the target of a DoS attack that crashes your servers and prevents incoming and outgoing traffic, but your computers could be used as the "innocent middlemen" to launch a DoS attack against another network or site.

The Domain Name Server (DNS) DoS attack exploits the difference in size between a DNS query and a DNS response, in which all of the network's bandwidth is tied up by bogus DNS queries. The attacker uses the DNS servers as "amplifiers" to multiply the DNS traffic.
The attacker begins by sending small DNS queries to each DNS server, which contain the spoofed IP address of the intended victim (see "IP Spoofing" in this chapter). The responses returned to the small queries are much larger in size, so if there are a large number of responses returned at the same time, the link will become congested and DoS will take place. One solution to this problem is for administrators to configure DNS servers to answer with a "refused" response (which is much smaller than a name resolution response) when they receive DNS queries from suspicious or unexpected sources.
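The size difference the text describes, worked through in DNS wire format as an added example that is not from the book: it builds a small query, the full answer a server would return and the "refused" reply, measures the amplification ratio of each, and applies the suggested policy of refusing queries from sources the server does not serve. The zone data (twenty A records for example.com) and the allowed-client list are constructed for the example.

```python
import struct
import ipaddress
from typing import Iterable

QTYPE_A, QTYPE_ANY, QCLASS_IN = 1, 255, 1
RCODE_REFUSED = 5

# Constructed zone data for the example: twenty A records for one name,
# the kind of fat answer that makes a response many times larger than the query.
RECORDS = [f"203.0.113.{i}" for i in range(1, 21)]


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\x00"


def build_query(txid: int, name: str, qtype: int = QTYPE_ANY) -> bytes:
    """12-byte header (RD set, one question) followed by the question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def question_section(query: bytes) -> bytes:
    end = query.index(b"\x00", 12) + 1 + 4    # name terminator, QTYPE, QCLASS
    return query[12:end]


def rcode(msg: bytes) -> int:
    """Response code: the low 4 bits of the flags word."""
    return struct.unpack("!H", msg[2:4])[0] & 0x0F


def build_refused(query: bytes) -> bytes:
    """Echo ID and question, set QR and RCODE=REFUSED, carry no records."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | RCODE_REFUSED
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question_section(query)


def build_answer(query: bytes, addrs: Iterable[str]) -> bytes:
    """Full answer: one A record per address, owner name compressed to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    addrs = list(addrs)
    flags = 0x8180                              # QR, RD, RA, NOERROR
    rrs = b"".join(struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, 300, 4)
                   + ipaddress.ip_address(a).packed for a in addrs)
    return (struct.pack("!HHHHHH", txid, flags, 1, len(addrs), 0, 0)
            + question_section(query) + rrs)


def amplification(query: bytes, response: bytes) -> float:
    """Bytes the (spoofed) victim receives per byte the attacker sends."""
    return len(response) / len(query)


def respond(query: bytes, src_ip: str, allowed_clients: Iterable[str]) -> bytes:
    """Resolver policy: full answers only for sources we serve; everyone else
    gets REFUSED, which is no larger than the query itself."""
    src = ipaddress.ip_address(src_ip)
    if any(src in ipaddress.ip_network(n) for n in allowed_clients):
        return build_answer(query, RECORDS)
    return build_refused(query)
```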

Posted: 14/08/2014, 18:20

Table of contents

  • Firewall Policies and VPN Configurations

    • Part II Firewall Concepts

      • Chapter 3 Defining a Firewall

        • Back to Basics—Transmission Control Protocol/Internet Protocol

        • Firewall Types

        • Application Proxy

        • Gateway

        • Chapter 4 Deciding on a Firewall

          • Introduction

          • Appliance/Hardware Solution
