Network Security
This is a big problem. A Real Big problem.
It can be classified into two broad areas:
- Computer security in a networked context. In today's lecture, we concentrate on this problem.
  - The computer system is subject to attacks originating from the network.
  - Extends well-known security approaches adopted for protection of non-networked systems, and adds network-specific mechanisms.
  - No general solutions: any solution which provides perfect security seriously degrades the usefulness of the network...
- Security of information in transit across the network. This is covered in the next lecture.
  - The problem is largely due to the bad guys' ability to observe (capture) packets travelling across the network, and possibly an ability to introduce spurious packets.
  - The solution is usually some form of encryption.
The Nature Of Attacks
Most attacks on system security have at least some of the following goals:
- To obtain unauthorised access to private, or secret, information stored on the compromised system. Such access can be obtained by a wide variety of means. This is probably the most important type of attack.
- To use the compromised system as a starting point for attacks on other, more interesting, systems.
- Denial of service attacks attempt to use up system resources to inconvenience the users. A classic example is to send vast megabytes of electronic mail to a target host in an attempt to exhaust its disk space.
- A variation of the denial-of-service attack is where a bad guy actually attempts to cause damage to the compromised system, for example, by removing important files, changing configurations, etc.
- etc, etc...
Internet Security
Most interest in security issues is in connecting to the Internet in a secure way. Recall:
- An Internet-connected system uses the TCP/IP protocol suite. The TCP/IP model of communications is based on server processes waiting (at well-known ports) for remote sites to establish connections.
- A server process has very little information (usually only a reverse DNS lookup) about the identity of a remote host which is attempting to connect. Even reverse lookups can be compromised by manipulation of DNS tables or by IP spoofing, where a remote host generates IP packets that look as though they came from some other system.
- Servers which generally accept all connections without any (initial) security checks (such as finger and sendmail) can be vulnerable to various forms of attack, such as attempted buffer over-running.
- A major problem is whether the sysadmin can trust the server programs to be bug free...
Firewall Security
A Firewall is a dedicated network box (usually a router) situated between the Internet and an organisation's private network, thus:

There are three classes of Firewall:
- Packet filtering firewalls
- Application gateways
- Circuit level gateways
Of these, the packet filtering type is the most common. They are
generally implemented in the main router used in an organisation
to provide its Internet access.
Because the firewall is not a general-purpose host, it does not itself run any vulnerable server processes.
Packet Filtering Firewalls
These only permit selected traffic to pass between the "inside"
and "outside" networks.
The decision to forward a packet or to discard it is made by looking deep into its contents, usually at either the IP source or destination address. More rarely, the TCP or UDP port numbers in the packet can also be used.
Most packet filtering firewalls keep little "state" information,
and provide very little logging of activity, due to memory and CPU
constraints.
TCP (and UDP) level filtering is more complex, and requires the firewall router to keep much more "state" information. For example, a particular site may allow outgoing TCP connections for some services, but prohibit most incoming TCP connections. This can be (theoretically) achieved by examining the ACK bit in the TCP header: it is cleared in the first connection request segment, and is set in all subsequent segments. Needless to say, this is a very difficult problem, because the router must keep track of IP addresses and port numbers of every current, valid, TCP connection.
In addition, analysing every packet at this level is very CPU
intensive, which can place severe constraints on router
performance.
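As an added illustration (not from the lecture), the following Python sketch implements the policy just described: it reads the ACK bit from a raw TCP header and keeps the per-connection table of addresses and ports that the text says the router needs. The header layout is that of RFC 793; the addresses and ports used with it are constructed.

```python
import struct

# TCP flag bits in the flags field of the header (RFC 793)
FLAG_SYN = 0x02
FLAG_ACK = 0x10

def parse_tcp(segment: bytes):
    """Return (source port, destination port, flags) from a raw TCP header."""
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    return sport, dport, off_flags & 0x1FF   # the low 9 bits carry the flags

def tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Build a constructed 20-byte TCP header (no options) with the given flags."""
    off_flags = (5 << 12) | flags            # data offset = 5 words, reserved bits zero
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, off_flags, 8192, 0, 0)

class StatefulTcpFilter:
    """Policy from the slide: inside hosts may open TCP connections to the
    outside, but the outside may not open connections to the inside.

    The ACK-bit test alone is stateless; the connection table is what lets the
    filter reject an outside segment that merely has the ACK bit set."""

    def __init__(self):
        self.connections = set()   # (inside ip, inside port, outside ip, outside port)

    def outbound(self, src_ip: str, dst_ip: str, segment: bytes) -> bool:
        sport, dport, flags = parse_tcp(segment)
        if flags & FLAG_SYN and not flags & FLAG_ACK:
            # first segment of a connection request leaving the site: record it
            self.connections.add((src_ip, sport, dst_ip, dport))
        return True                # all outgoing traffic is permitted

    def inbound(self, src_ip: str, dst_ip: str, segment: bytes) -> bool:
        sport, dport, flags = parse_tcp(segment)
        if not flags & FLAG_ACK:
            return False           # ACK clear: a new connection request from outside
        # ACK set: pass only if an inside host opened this connection
        return (dst_ip, dport, src_ip, sport) in self.connections
```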
Packet Filtering Configuration
As an example of how access based on packet filtering can be
configured, consider the approach taken in Cisco(tm) routers.
An access list is used to define permissible packet flows through the router. The general form of an access list entry is:
{ permit | deny } address [mask]
The entries have meaning thus:
- permit | deny: indicates whether this entry allows or blocks traffic from the specified address.
- address: gives the source IP address.
- mask: this (optional) field is interpreted as a "bitmap" which defines the significance of each bit in the preceding address field. Every bit in the mask which has a "1" value indicates a "don't care" bit in the address, whereas every "0" bit indicates a bit in the address which must match exactly.
The access list for each interface can have many entries of the
above form.
In addition, an access list can be specified to restrict either
incoming or outgoing packets on the particular interface.
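An added Python rendering of the access-list semantics above (not Cisco code, and not from the lecture): parse_acl reads entries of the form shown, entry_matches applies the "1 = don't care" mask, and evaluate takes the first matching entry. The sample list is constructed; the fall-through to deny when no entry matches is standard Cisco access-list behaviour that the slide does not mention.

```python
import ipaddress

def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def entry_matches(address: str, mask: str, source: str) -> bool:
    """Mask match as the slide defines it: a 1 bit in the mask is 'don't care',
    a 0 bit means that address bit must equal the packet's source address bit."""
    care = ~ip_to_int(mask) & 0xFFFFFFFF          # invert: 1 = bit must match
    return (ip_to_int(address) & care) == (ip_to_int(source) & care)

def parse_acl(text: str):
    """Parse lines of '{permit|deny} address [mask]'.
    An omitted mask is taken as 0.0.0.0, i.e. every bit must match (one host)."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) not in (2, 3) or parts[0] not in ("permit", "deny"):
            raise ValueError(f"malformed access list entry: {line!r}")
        action, address = parts[0], parts[1]
        mask = parts[2] if len(parts) == 3 else "0.0.0.0"
        entries.append((action, address, mask))
    return entries

def evaluate(entries, source: str) -> str:
    """Walk the list in order; the first matching entry decides.
    A source matching nothing falls through to deny (Cisco's implicit deny)."""
    for action, address, mask in entries:
        if entry_matches(address, mask, source):
            return action
    return "deny"

# Constructed example: block one misbehaving host, admit the rest of its /24,
# leave everything else to the implicit deny. Order matters: with the two
# lines swapped, the permit entry would shadow the deny.
SAMPLE_ACL = """
deny 192.0.2.66
permit 192.0.2.0 0.0.0.255
"""
```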
More Complex Firewall Configurations
A more common structure nowadays uses a de-militarised zone (DMZ) between the internal LAN and the Internet, thus:

Both of the routers in this diagram are configured as packet
filtering firewalls.
The DMZ is also called a "stub network". Note that the DMZ is, of
necessity, a separate subnet.
There are many options for the level of filtering in the routers,
and for the functionality of the bastion host. These are examined
in the next slides.
Application Gateways
In this configuration, the only system which has access to the
outside Internet is the bastion host. In turn, the systems on the
internal LAN (nowadays often referred to as the "Intranet") can
only contact the bastion host, or gateway. Both of these
conditions are configured using IP address-based packet filtering
in the routers.
If users connected to the internal LANs wish to use the services of the outside Internet, they can (e.g.) telnet to the gateway, and then use standard tools running on it to access the rest of the Internet.
An example of such a structure is provided by an electronic mail
gateway. Typically, a mail gateway in the DMZ receives messages
addressed to an alias address, such as:
Phil.Scott@latrobe.edu.au
and delivers the message to an appropriate system and person
within the organisation. The MX type in the DNS is used to support
such mail gateway systems.
Circuit Level Gateways
These operate at the level of the TCP connection (or circuit). In effect, the application gateway transfers a copy of application-level data between the internal network and the outside Internet instead of the IP packets themselves.
Such a structure might be used where an internal host wishes to, for example, fetch a WWW page from a server in the external Internet. The client web browser establishes a connection to a server which is running on the gateway host. The gateway server in turn establishes a second connection to the actual WWW server on the external Internet, and passes the incoming HTML document back to the internal browser process. Such a server (running on the gateway, or bastion, host) is called a proxy.
One of the advantages of a proxy server is the possibility of caching external web pages, thereby potentially reducing traffic on the connection to the outside Internet.
La Trobe University uses such a structure for student dial-in
access to the Internet.
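To make the two-connection structure concrete, here is an added Python sketch (not the lecture's, and not La Trobe's software) of a circuit-level gateway relaying a web fetch over the loopback interface: the internal client connects only to the gateway, the gateway opens a second TCP connection to the server, and the server's reply records the peer port it saw, which belongs to the gateway rather than to the client. The stand-in WWW server and the request are constructed for the example.

```python
import socket
import threading
from contextlib import suppress

def _pump(src, dst):
    """Copy bytes one way until src reaches end of stream, then half-close dst."""
    while data := src.recv(4096):
        dst.sendall(data)
    with suppress(OSError):          # the peer may already have closed
        dst.shutdown(socket.SHUT_WR)

def _relay(client, www_addr):
    """One circuit: a second, separate TCP connection from the gateway to the real server."""
    with client, socket.create_connection(www_addr) as server:
        back = threading.Thread(target=_pump, args=(server, client))
        back.start()
        _pump(client, server)        # inside -> outside until the client finishes sending
        back.join()                  # outside -> inside until the server closes

def _serve(handler):
    """Listen on an ephemeral loopback port; one thread per accepted connection."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen()
    def loop():
        while True:
            conn, peer = lsock.accept()
            threading.Thread(target=handler, args=(conn, peer), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return lsock.getsockname()

def start_gateway(www_addr):
    return _serve(lambda conn, _peer: _relay(conn, www_addr))

def start_fake_www():
    """Constructed stand-in for the external WWW server; its reply names the peer port it saw."""
    def handle(conn, peer):
        with conn:
            conn.recv(4096)          # the request; its content does not matter here
            body = f"request came from port {peer[1]}".encode()
            conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\n\r\n" % len(body) + body)
    return _serve(handle)

def fetch_via_gateway(gateway_addr):
    """Internal client: connects only to the gateway and returns the reply body."""
    with socket.create_connection(gateway_addr) as s:
        s.sendall(b"GET / HTTP/1.0\r\n\r\n")
        s.shutdown(socket.SHUT_WR)
        reply = b"".join(iter(lambda: s.recv(4096), b""))
    return reply.split(b"\r\n\r\n", 1)[1].decode()
```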
Real Life Firewall Systems
Most installations combine both circuit level and application gateways, using the DMZ model of the previous slides. As mentioned, this implies the use of routers which can be configured to do packet filtering on IP addresses.
The bastion host normally runs, for example, the organisation's
WWW server, its FTP server (if applicable) and any other public
information services. It also usually acts as an email gateway.
The WWW server usually is configured as a proxy for the hosts connected to the internal LANs (the Intranet). It may also perform a similar function for other services such as FTP.
This type of structure can be very effective, combining many of
the best characteristics of all of the other types. However, the
gateway system must usually be a general-purpose timeshared (and
therefore Unix - don't talk to me about NT!) system, which raises
doubts about the safety and reliability of the proxy software
processes. This is not a solved problem, for obvious reasons.
Although... Highly secure versions of Unix for just such
applications are now said to be available.
Other Issues
Important undiscussed (and firewall related) issues in network
security include:
- The importance of logging system activity in tracking break-in attempts, and the use of log files in subsequent court actions.
- Legal and ethical issues, both from the perspective of the
system manager and in relation to the crooks.
- Passwords - their general applicability, the tendency of people
to share them around and the sacrosanct nature of /etc/passwd
- Security within Unix (and other environments), and the use of
tools such as cops and crack.
- Network security analysis tools, including the notorious satan.
- The entirely unresolved philosophical and ethical question as
to whether it is nobler to discuss issues like all of these in a
full and frank way, or to hide them and hope the students and
other potential bad guys don't hear about them...
If you are interested, there are various Firewall-related
sites on the Web with much more information than can be provided here.
This lecture is also available in PostScript format.
The tutorial for this lecture is Tutorial #16.
Phil Scott