CIS 551 / TCOM 401
30 March 2006
Lecture 19: Firewalls (continued); Worms & Viruses
Scribed by Justin Waring
Today:
- Finish overview of firewalls
- Start talking about worms & viruses
Note:
Encouraged to start Project 3 early.
It may take a while to get it up to speed.
Questions on Project 3:
Q: It's on IP protocol. Are there other protocols to worry about?
A: The Internet is built on IP. There are others on that layer in the suite, but IP is the only one typically seen in the real world.
Q: Difference between TCP Stream and Protocol?
A: We're building a network
intrusion detection system (IDS). It's like a firewall in that it
monitors the network for patterns of bad behavior. Unlike a
firewall, an IDS actually looks at the contents of packets more
meaningfully. For the project there are (1) stream rules and (2)
protocol rules.
sequence of packets    /----------\     rules
---------------------> |   IDS    | <-----------
                       \----------/
                            |
                            |
                            V
                         reports
A stream rule
asks you to look at a TCP stream to a particular port on this
host. To process a stream rule, you need to reconstruct the TCP
stream from the packet stream. You have to look at TCP info
(sequence numbers) to reconstruct the bytestream. Then, search
for a suspicious pattern.
We're doing an off-line version of a real-world IDS. You have the whole sequence of data; it's not real-time.
For the project, reconstruct the TCP stream as one big (reassembled) bytestream, and then run the ruleset against them.
For extra credit, you can try to do an incremental version (i.e., feed
one packet in at a time rather than one big bytestream) of the pattern
matching part.
For protocol rules,
you're watching a sequence of messages going between the monitored host
and the remote machine. You can monitor the protocol messages for
suspicious messages that we want to alert on. We assume that each
protocol message will fit in a single IP packet.
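An added example (not part of the lecture or the project handout) of the stream-rule half of the IDS: reassemble one direction of a TCP connection from captured segments using their sequence numbers, then run a pattern over the rebuilt bytestream. The segments, the ISN of 1000 and the signature are constructed here; the sample is arranged so the signature spans a segment boundary, which is exactly why per-packet matching is not enough.

```python
import re

# Constructed sample: three segments of one HTTP request, delivered out of
# order with an overlap and a retransmitted duplicate. seq is the sequence
# number of the segment's first payload byte; the stream's ISN is 1000.
ISN = 1000
SEGMENTS = [
    (1018, b".cgi HTTP/1.0\r\n"),   # arrives first
    (1001, b"GET /cgi-b"),
    (1006, b"cgi-bin/evil"),        # overlaps the previous segment by 5 bytes
    (1001, b"GET /cgi-b"),          # duplicate (retransmission)
]

def reassemble(segments, isn):
    """Rebuild the contiguous bytestream starting at isn+1 (the SYN uses one number).

    Out-of-order, duplicate and overlapping segments are merged; reassembly
    stops at the first gap so a missing segment never yields bogus bytes.
    Assumption: no 32-bit sequence-number wraparound within the capture.
    """
    stream = bytearray()
    next_seq = isn + 1
    pending = sorted(segments, key=lambda s: s[0])
    progress = True
    while pending and progress:
        progress = False
        for seg in list(pending):
            seq, data = seg
            end = seq + len(data)
            if seq <= next_seq < end:      # segment covers the next expected byte
                stream += data[next_seq - seq:]
                next_seq = end
                pending.remove(seg)
                progress = True
            elif end <= next_seq:          # nothing but already-seen bytes
                pending.remove(seg)
                progress = True
    return bytes(stream)

def match_stream_rule(data, pattern):
    """Apply one stream rule: byte offset of the first match of pattern, or -1."""
    m = re.search(pattern, data)
    return m.start() if m else -1

if __name__ == "__main__":
    rule = rb"/cgi-bin/evil\.cgi"      # constructed signature for the demo
    stream = reassemble(SEGMENTS, ISN)
    print(stream, match_stream_rule(stream, rule))
    # The same signature is invisible to per-packet matching:
    print([match_stream_rule(d, rule) for _, d in SEGMENTS])
```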
Next week, we'll talk about IDS.
Q: Is the rules file we use to test going to be graded on how well it alerts on exploits?
A: No, the graders will supply their own rules file.
Q: You can have multiple rules in one file, but the examples don't show any like that.
A: It's okay to scan the whole
file inefficiently, but extra credit is to do it fancier. Be sure
to comment and document well to make it easier for grading.
Note: Exams will be finished grading and returned on Tuesday.
Firewalls (continued)
Last time: when to filter?
+-----------------+
| |
| /---------\
| +----->| Router |<-----+
| | \---------/ |
| | | |
V | V |
/---------\ /--------------\
| Inside | | Outside |
\---------/ \--------------/
On Input or Output?
- Filtering on output can be more efficient since it can be combined with table lookup of the route.
- Some info is lost at the output stage (e.g. which physical input
port the packet arrived on). These may be useful to prevent
address spoofing.
- Filtering on input can protect the router itself.
Recommended: Filter ASAP
Lets you detect as soon as possible. The trade-off is loss of efficiency.
The example from the slide:
Action  src   port  dest  port  comment
-----------------------------------------------
block   BAD   *     *     *     we don't trust them
allow   *     *     GW    25    connect to our SMTP
allow   GW    25    *     *     our reply packets
is preferred over
Action  src   port  dest  port  comment
-----------------------------------------------
block   *     *     BAD   *     subtle difference
allow   *     *     GW    25    connect to our SMTP
allow   GW    25    *     *     our reply packets
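An added example (not from the slides) that makes the "subtle difference" concrete: a first-match evaluator for rules in the table format above, run over both rule sets. Rules are (action, src, sport, dst, dport), "*" matches anything, and a packet matching no rule is blocked (the fail-safe default). The host names BAD and GW and the sample packets are constructed.

```python
RULES_A = [
    ("block", "BAD", "*", "*", "*"),   # we don't trust them
    ("allow", "*", "*", "GW", 25),     # connect to our SMTP
    ("allow", "GW", 25, "*", "*"),     # our reply packets
]
RULES_B = [
    ("block", "*", "*", "BAD", "*"),   # subtle difference: blocks packets TO BAD only
    ("allow", "*", "*", "GW", 25),
    ("allow", "GW", 25, "*", "*"),
]

def _field_matches(rule_value, packet_value):
    return rule_value == "*" or rule_value == packet_value

def decide(rules, packet):
    """Return (action, index of the matching rule); the first matching rule wins.

    packet is a dict with keys src, sport, dst, dport. A packet that matches
    no rule gets ("block", None), i.e. the fail-safe default.
    """
    keys = ("src", "sport", "dst", "dport")
    for i, rule in enumerate(rules):
        if all(_field_matches(rv, packet[k]) for rv, k in zip(rule[1:], keys)):
            return rule[0], i
    return "block", None

if __name__ == "__main__":
    # Constructed packets: BAD opening a connection to our mail server, and our reply.
    inbound = {"src": "BAD", "sport": 4242, "dst": "GW", "dport": 25}
    reply = {"src": "GW", "sport": 25, "dst": "BAD", "dport": 4242}
    for name, rules in (("set A", RULES_A), ("set B", RULES_B)):
        print(name, "BAD->GW:25", decide(rules, inbound), "GW:25->BAD", decide(rules, reply))
```

Under set A the packet from BAD never gets in; under set B it reaches our SMTP server via rule 2 and only our reply is dropped, which is why filtering on the source as early as possible is preferred.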
Example of a Pitfall
- Filter output to allow incoming and outgoing mail, but prohibit all else.
[An example setting was shown on the slide here.]
- Apply this output filter set to both interfaces on the router. Does it work?
- Unintended consequence: allows all communication on high numbered ports!
- There are GUIs nowadays that make it easier for people less knowledgeable to mess up.
Another problem with filtering
- Handling IP Fragments
- Possible for ACK and SYN flags in a TCP packet to end up in different IP fragments than the port number
- There are malicious tools that intentionally break up traffic like this.
- Fix: The problem is "tiny" initial IP
fragments, so require the initial IP fragment to be >16 bytes or
large enough for the whole TCP header.
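An added example (not from the lecture) of the fragment check described above: a filter that parses the IPv4 header and drops an initial TCP fragment whose transport part is too short to carry the whole TCP header. The threshold defaults to 20 bytes (a TCP header without options); the lecture's 16-byte figure can be passed instead. The helper that builds test packets and the packets themselves are constructed here.

```python
import struct

def tcp_fragment_verdict(packet: bytes, min_first_len: int = 20):
    """Return ("drop", reason) or ("pass", None) for a raw IPv4 packet."""
    if len(packet) < 20:
        return "drop", "truncated IP header"
    ihl = (packet[0] & 0x0F) * 4                          # header length in bytes
    total_len = struct.unpack("!H", packet[2:4])[0]
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    more_fragments = bool(flags_frag & 0x2000)            # MF flag
    frag_offset = flags_frag & 0x1FFF                     # in 8-byte units
    proto = packet[9]
    if proto != 6:                                        # only TCP is checked here
        return "pass", None
    transport_len = total_len - ihl
    # The lecture's fix: an initial fragment must carry the whole TCP header,
    # otherwise the port numbers and the SYN/ACK flags could be split apart.
    if frag_offset == 0 and more_fragments and transport_len < min_first_len:
        return "drop", "tiny initial fragment"
    # RFC 1858 additionally rejects offset 1, which would overwrite the flags
    # of a legitimate first fragment when reassembled.
    if frag_offset == 1:
        return "drop", "fragment overlapping TCP header"
    return "pass", None

def make_ipv4(payload: bytes, more_fragments: bool, frag_offset: int, proto: int = 6) -> bytes:
    """Construct a minimal IPv4 packet (checksum left as 0) for testing the filter."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_frag,
                         64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload

if __name__ == "__main__":
    # Constructed packets: an 8-byte initial fragment (ports only, no flags) and a full one.
    print(tcp_fragment_verdict(make_ipv4(bytes(8), True, 0)))
    print(tcp_fragment_verdict(make_ipv4(bytes(20), True, 0)))
```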
Proxy-based Firewalls
+--------------+                   +---------------+                   +--------------+
|              |  Ext TCP/HTTP     |   Firewall    |  Int TCP/HTTP     |              |
|   External   |  connection       |               |  connection       |  Local web   |
|   client     |<----------------->|  [Web Proxy]  |<----------------->|  server      |
|              |                   |               |                   |              |
+--------------+                   +---------------+                   +--------------+
- Acts like both a client and a server
- Able to filter using application level info
- Can provide other services too
- Related to Network Intrusion Detection System (NIDS)
- "The Great Chinese Firewall" works like this with very strict
restrictions. There are lots of those in China who strive to get
around it with various techniques.
- For example, you can also tunnel one
protocol through another. Like SEAS has WebMail: you're
tunnelling SMTP through HTTP.
- There are also web servers and clients that
embed covert info in benign (to Chinese gov't) web pages. This
takes some collusion.
- Basically, firewalls are good but not perfect. There's more
than one interpretation of data. (E.g., what's supposed to be
(and looks like) pictures is actually HTML.)
A FreeBSD firewall config script example was shown.
Principles for Firewall Configuration
- Least privileges
- Turn off everything that is unnecessary.
- Fail-safe defaults
- By default, you should reject. (Potential usability problems.)
- Egress filtering
- Filter outgoing packets too.
- You know the valid IP addresses for machines internal to the network, so drop invalid ones.
- This can help prevent DoS attacks on the Internet. This is the main way to stop DoS attacks; it requires cooperation with lots of people on the network.
Benefits of Firewalls
- Increased security for internal hosts.
- Reduced amount of effort required to counter break-ins.
- Possible added convenience of operation. (E.g., running telnet
behind the firewall. Defense in depth is still a better practice.)
- Reduced legal and other costs associated with hacker activities, if you do egress filtering.
- We'll see that proxy-based firewalls are useful for intrusion detection systems.
Drawbacks of Firewalls
- Costs
- Hardware purchases and maintenance
- Software to develop or purchase
- Admin setup and training
- Lost business or inconvenience from broken gateway
- Loss of some services that an open connection supplies
- False sense of security
- Firewalls don't protect against viruses
- Can almost always tunnel one protocol on top of another
Worms & Viruses
Malicious Code
- Trapdoors
- Trojan Horses
- Worms
- Viruses
Examples of trapdoors/backdoors are debug code used by developers that remains in fielded applications. You may be familiar with these from games, like where inputting the Konami Code gets you 30 lives.
Examples of Trojan Horses are phishing exploits and games or
executables that appear to be legitimate but have nefarious purposes.
The distinction between worms and viruses is somewhat fuzzy.
Worms
- Self-contained running program
- Unlike a virus, which needs a host
- Infection strategy is more active
- Exploit buffer overflows
- Exploit bad password choice
- Defenses:
- Filtering firewalls
- Monitor system resources
- Proper access control
Viruses
- A computer virus is a malicious program
- Creates (possibly modified) copies of itself
- Attaches to a host program or data
- Often has other effects (deleting files, "jokes", messages)
- Viruses cannot propagate without a "host"
- Typically require some user action to activate
Virus/Worm Writers' Goals
- Hard to detect
- Hard to destroy/deactivate
- Spreads infection widely/quickly
- Can reinfect a host
- Easy to create
- Machine/OS independent
Kinds of Viruses
- Boot Sector Viruses
- Historically important, but less common today
- Memory Resident Viruses
- Standard infected executable
- Macro Viruses (probably most common today)
Melissa Macro Virus
- Implementation
- VBA code associated with "document.open" method of MS-Word.
- Strategy
- E-mail message containing an infected Word doc attached
- Opening the Word doc triggers the virus (if macros are enabled)
- Sometimes included documents created by the victim
- Setup
- lowers the macro security settings
- permit all macros to run without warning
- checks registry for key value "... by Kwyjibo"
- HKEY_Current_User\Software\Microsoft\Office\Melissa?
- Propagation
- sends e-mail message to first 50 entries in MS Outlook MAPI address book
- infects Normal.doc template file
- "Joke"
- If minutes matches the day of the month, the
macro inserts message "Twenty-two points, plus triple-word-score, plus
fifty points for using all my letters. Game's over. I'm
outta here."