Packet Filtering CS-480 b Dick Steflik Stateless

Packet Filtering CS-480 b Dick Steflik

Stateless Packet Filters • A border router configured to pass or reject packets based on information in the header of each individual packet • can theoretically be configured to pass/reject based on any field • but usually done based on: – – – protocol type IP address TCP/UDP port Fragment number Source routing information

Protocol Filtering • Filtering based on the IP protocol field allows rejecting of entire protocol suites • • UDP TCP ICMP IGMP • This is almost too general • ex suppose you block UDP then any TCP based application won’t be able to convert host/domain to IP address • so it is seldom used.

IP Address Filtering • Pass/reject packets based on membership in a set of acceptable IP addresses • Usually not used to block specific hosts • oscar is frequently blocked so corporate users can use AIM • same for some disk backup services • Usually block source routed packets • big security hole (explained later) • If a hacker knows an address that the filter will pass they can easily forge a packet that will pass through the filter

Port Filtering • Most commonly used filtering method • can also be thought of as protocol filtering as most ports below 1024 relate to specific high level protocols • pass all but those specified • reject all but those specified • Important ports/protocol to block: • • telent Net. BIOS POP NFS X Windows Terminal Services pc. Anywhere and VNC

Source Route Filtering • Source routed packed should never be allowed into your network • Source routing was added to IP to accommodate debugging • Allows you to specify the path a packet will take through your network • Strict Source Routing – Specifies the exact path to be taken • Loose Source Routing – Indicates one or more hosts the packet must go through – A hacker can plug in their own address and force packets to travel through a machine that they can sniff

Loose Source Routing • A packet is given a list of hops to be taken • Each packet carries same source address, destination is whatever the next IP in the hop path is; the hop path is in the IP Option field 1 byte 1 byte 4 bytes Type Length offset IP 1 IP 2 ……… 131 • 131 is the type for Loose Source Routing • Length – total length of the option • Offset – byte offset to next IP to hop to

Loose Source Routed Example For example, if a packet was generated from 10. 1. 1. 1, with a final destination of 172. 16. 1. 1 via a hop to 192. 168. 1. 1, the intial packet would have a source of 10. 1. 1. 1, a dest of 192. 168. 1. 1, and an IP option with a length of 7, an offset of 4, and the IP address starting at byte 4 of 172. 16. 1. 1. If 192. 168. 1. 1 forwards LSR packets, it would re-emit the packet with a source of 10. 1. 1. 1, dest of 172. 16. 1. 1, offset of 8, and the IP address at offset 4 of 192. 168. 1. 1. 10. 1. 1. 1 Initial source=10. 1. 1. 1 dest. = 192. 168. 1. 1 IP Option 131, 7, 4, 172. 16. 1. 1 192. 168. 1. 1 172. 16. 1. 1 Initial source=10. 1. 1. 1 dest. = 172. 16. 1. 1 IP Option 131, 8, 4, 192. 168. 1. 1 Problem with loose source routing is that some stacks will reverse the source route when responding to a source routed packet, this would make it trivial for a hacker to spoof a packet coming from a trusted source and insert their own address in the source route. The hacker can then sniff on it; the unsuspecting victim would then send return traffic to the spoofed source but LSR it through the attacker

Fragmentation Filtering • Fragmentation was added to IP to facilitate passing through a network that only supports small packet sizes • Any router in the path can break a large packet up into smaller pieces • problem is that the port number is only in the first fragment meaning that filtering on TCP or UDP is lost

Problems with Stateless Filters • Effectiveness of stateless filters is limited due to: • They cannot check the payload of the packets • service related filtering can only be done by application level proxies • They do not retain the state of the connections

Stateful Packet Filtering • Record the state of all connections flowing through the firewall and use the connection state as the basis for dropping packets • create an in memory state table for the state of all Network and session layers • pass only packets relating to allowed (configured) ports that are currently in the state table. • Drop entries when the TCP close session happens or after a few minutes, this insures that the table stays “clean” and without holes in in it • Newer Firewalls all provide Stateful packet filtering • some also provide higher level protocol proxying

Hacking Through Packet Filters • The following exploits are common: • TCP can only be filtered in the 0 th fragment • setting the fragment number to 1 the packet will usually passe through the packet filter • Older packet filters only filter ports below 1024 • used to be that only HTTP used higher numbered ports for passing data back to web browsers, many new applications use ports above 1024 for normal communication • Public services must be forwarded • services like the updating of web pages via Netscape Composer must be controlled (possibly bt IP address) to limit public access • Trojan horses can defeat packet filters using NAT

Best Practices • Use a proxy • physically breaks the network path • Use Stateful Packet Filters • can’t be bypassed like stateless filters • Disable all Ports by Default • enable only what is absolutely needed • if a Trojan Horse get in it will most likely set up a server that the hacker can then attach to, it the port is blocked, this can’t happen • Secure the Base Operating System (Hardening) • apply all patches provided by vendor • check the vendor web site frequently • always use a hardened protocol stack

IP Chains • Stateless packet filter • optionally built into the Linux kernel • will pass or deny packets based on a rule set applied against IP header fields • used in v 2. 2 kernels, replaced by IPTables in 2. 4 kernels

IPChains Flow lo interface IP Packet checksum sanity Input Route Forward Output Chain Decision Chain DENY Local DENY Demasquerade ACCEPT

IPChains Command -A -D -I -R -F -L -N -X -P Description Add rule to chain Delete rule from chain Insert rule Replace rule Flush all rules List all rules Create new chain Delete user defined chain Set default targe

IPChains Command Option -s -d -i -p -j -y --icmp-type -l /var/log/messages Description Source address of packet Destination address of packet Interface packet is arriving from Protocol Target to send packet to For -p tcp. Packet is SYN packet. For -p icmp. Log the packet to syslog. Available in Red Hat 6. 0+ kernel

IPChains Targets System targets (policy) ACCEPT DENY REJECT MASQ REDIRECT RETURN Description Let packet through Deny packet and notify sender Forward chain masquerade Send to different port Handled by default targets

IPChains- Chain Types IP input chain IP output chain IP forwarding chain User defined chains (just give it a new name instead of the built-in names: input, output or forward)

IPChains Example # Flush Rules ipchains -F forward ipchains -F output ipchains -F input # Set default to deny all ipchains -P input DENY ipchains -P output DENY ipchains -P forward DENY # Add Rules # Accept packets from itself (localhost) (s)ource to itself (d)estination # Keeps system logging, X-Windows or any socket based service working. ipchains -A input -j ACCEPT -p all -s localhost -d localhost -i lo ipchains -A output -j ACCEPT -p all -s localhost -d localhost -i lo # Deny and log (option -l) spoofed packets from external network (eth 0) which mimic internal IP addresses ipchains -A input -j REJECT -p all -s 192. 168. 10. 0/24 -i eth 0 -l # Accept requests/responses from/to your own firewall machine ipchains -A input -j ACCEPT -p all -d XXX -i eth 0 ipchains -A output -j ACCEPT -p all -s XXX -i eth 0 # Allow outgoing packets source (s) to destination (d) ipchains -A input -j ACCEPT -p all -s 192. 168. 10. 0/24 -i eth 1 ipchains -A output -j ACCEPT -p all -s 192. 168. 10. 0/24 -i eth 1 # Deny and log (option -l) outside packets from internet which claim to be from your loopback interface ipchains -A input -j REJECT -p all -s localhost -i eth 0 -l ipchains -A forward -s 192. 168. 10. 0/24 -j MASQ ipchains -A forward -i eth 1 -j MASQ # Enable packet forwarding echo 1 > /proc/sys/net/ipv 4/ip_forward

IPTables Commands -A , --append -D , --delete -I , --insert -R , --replace -F , --flush -Z , --zero -L , --list -N , --new-chain -X , --delete-chain -P , --policy -E , --rename-chain Append rule to chain Delete rule from chain Insert rule at beginning or at specified sequence number in chain. Replace rule Flush all rules Zero byte counters in all chains List all rules. Add option --line-numbers for rule number. Create new chain Delete user defined chain Set default policy for a chain Rename a chain

IPTables Command Options -s , --source -d , --destination -I , --in-interface -o , --out-interface -p , --protocol -j , --jump -f , --fragment -c , --set-counters -m tcp , --match tcp -m state , --match state Source address of packet Destination address of packet Interface packet is arriving from Interface packet is going to Protocol: *tcp --sport[: port] --dport[: port] --syn *udp *icmp *mac Target to send packet to Fragment matching Set packet/byte counter *--source-port[: port] (port # or range #: #) *--destination-port[: port] *--tcp-flags --state *ESTABLISHED *RELATED *NEW *INVALID (Push content, not expected to recieve this packet. )

IPTables Defined Policies ACCEPT DROP REJECT RETURN MARK MASQUERADE LOG ULOG SNAT REDIRECT DNAT QUEUE Description Let packet through Deny packet with no reply Deny packet and notify sender Handled by default targets Used for error response. Use with option --reject-with type Used with nat table and DHCP. Log to file and specify message: °--log-level # °--log-prefix "prefix" °--log-tcp-sequence °--log-tcp-options °--log-ip-options Log to file and specify userpace logging messages Valid in PREROUTING chain. Used by nat. Used with nat table. Output. Valid in POSTROUTING chain. Output. Pass packet to userspace.

IPTables Example Simple firewall for the desktop Linux system: iptables -P INPUT DROP iptables -P FORWARD DROP iptables -A INPUT -m state --state ESTABLISHED, RELATED -j ACCEPT iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT Allow network connections which have already been established (started by host) and related to your connection. FTP requires this as it may use various ports in support of the file transfer. ) Allow network input/output from self (lo).

…more # Allow loopback access. This rule must come before the rules denying port access!! iptables -A INPUT -i lo -p all -j ACCEPT - Rule for your computer to be able to access itself via the loopback iptables -A OUTPUT -o lo -p all -j ACCEPT iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP - Block NFS iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP - Block NFS iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 6000: 6009 -j DROP - Block X-Windows iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 7100 -j DROP - Block X-Windows font server iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 515 -j DROP - Block printer port iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 515 -j DROP - Block printer port iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 111 -j DROP - Block Sun rpc/NFS iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 111 -j DROP - Block Sun rpc/NFS iptables -A INPUT -p all -s localhost -i eth 0 -j DROP - Deny packets which claim to be from your loopback interface.