Corporate and Network Security, Coursework Example

[Ch. 6, Thought Questions, nos. 1-3]—Refer to the ACL shown in Figure 6-10 of text:

Modify the ACL to permit externally initiated connections to an SNMP network management server, 60.47.3.103, and to allow both regular and SSL/TLS connections to the internal webserver 60.47.3.137 but not to the other webservers? 1)The default behavior is to drop all attempts to open a connection from the outside; 2) All ACL rules except for the last, give exceptions to the default behavior under specified circumstances; 3) The last rule applies the default behavior to all connection-opening attempts that are not allowed by earlier rules are executed by this last rule; 4) If TCP destination post=80 or TCP destination port=443, then allow connection [Permits connection to ALL internal webservers]; 5) If TCP destination port=25 and IP destination address=60.47.3.35, then allow the connection [Permits connections to A SINGLE internal mail server]; 6) Disallow ALL connections [Disallows all other externally initiated connections, this is the default behavior]

The ACL in Figure 6-10 is in effect. A packet containing a TCP SYN segment reaches a stateful packet inspection firewall from the outside. What actions will the SPI firewall take?

• Low Cost
• Most packets are not part of packet-opening attempts;
• These can be handled very simply and therefore inexpensively;
• Connection-opening attempt packets are more expensive process but are rare;
• Safety
• Attacks other than application-level attacks usually fail to get through SPI firewalls;
• In addition, SPI firewalls can use other forms of filtering when needed.
• Dominance
• The combination of high safety and low cost makes SPI firewalls extremely popular nearly all main border firewalls today use stateful packet inspections.

The ACL is Figure 6-10 is in effect. A packet containing a TCP ACK segment reaches a stateful packet inspection firewall from the outside. What actions will the SPI firewall take? Explain. A TCP ACK is not a connection opening request, so the SPI firewall will check the connection table to see if the TCP ACK matches an already open connection. If the connection is valid, the segment is passed. If the connection is not in the connection table, the segment is dropped and logged.

• TCP Half-Opening

Attacks

• Attacker send a TCP SYN segment to a port;
• The application program sends back a SYN/ACK segment and sets aside resources;
• The attacker never sends back an ACK, so the victim keeps the resources reserved;
• The victim soon runs out of resources and crashes or can no longer serve legitimate traffic.
• TCP Half

Opening Attacks

• Defenses
• Firewall intercepts the SYN from an external host;
• Firewall sends back an SYN/ACK without passing the segment on to the target host;
• Only if the firewall receives a timely ACK does it send the original SYN the destination host.

[Ch. 6, Thought Questions, no. 4]—Create an egress ACL for an SPI firewall if policy only forbids connections to external FTP servers.

There are several pieces of information logged:

• The action—permit or deny;
• The protocol—TCP,UDP, or ICMP;
• The source and destination addresses;
• For TCP and UDP—the source and destination port numbers;
• For ICMP—the message types

1. If TCP destination port = 21 or 22, then disallow;
2. Allow all connections;

[Ch. 6, Thought Questions, no. 5]—Contrast what sniffers can learn if a Being attacked uses NAT or an application proxy server.

Protections for Internal Clients against Malicious Webservers

• When a company uses NAT, a sniffer will only be able to see the translated IP address and port number of an internal host;
• When an application proxy server, the IP address of every packet going out is that of the application proxy server, so attackers can only learn the IP address of the application proxy server;
• URL blacklists for known attack sites;
• Protection against some or all scripts in WebPages;
• The disallowing of HTTP response messages with prohibited MIME types that indicate malware;

Protection against Misbehaving Internal Clients

• Disallowing the HTTP POST method, which can be used to send out sensitive files;
• The hiding of internal host IP addresses from sniffers;

Header destruction

• The data link, internet, and transport headers are discarded—along with any attacks they may have contained;

Protocol fidelity

• If the client or server does not follow the protocol of the indicated port number, communication with the firewall automatically breaks down;

[Ch. 6, Thought Questions, no. 6]—Most IP addresses are public, in the sense That they can appear on the public internet. However, a few IP addresses have been designated as private IP addresses. One private IP address range is 172.16.0.0 to 172.31.255.255 private IP addresses can only appear within a firm. In Figure 6-21 of the text, internal hosts have private IP addresses except for those in the DMZ, which use public IP addresses.

Explain this discrepancy if you can. 1) Host IP address hiding—when the host inside the trusted network sends an application request to the firewall and the firewall allows the request through to the outside internet, a sniffer just outside the firewall may sniff the packet and it will reveal the source IP address. The host then may be potential victim for attack. In IP address hiding, the firewall adds to the host packet its own IP header. So that the sniffer will only see the firewall’s IP address. So application firewalls then hide source IP addresses of hosts in the trusted network. 2) Header destruction—is an automatic protection that some application firewalls may use to destroy outgoing packet TCP, UDP, and IP headers and replace them with its own headers so that a sniffer outside the firewall will only see the firewall’s IP address. In fact, this action stops all types of TCP,UDP, an IP header attacks. 3) Protocol enforcement—Since it is common in packet inspection firewalls to allow packets through based on common port numbers, hackers have exploited this by port spoofing where the hackers penetrate a protected network host using commonly used and easily allowed port numbers. With application proxy firewalls this is not easy proxy acts as a server to each host and since it deals with only one application, it is able to stop any port spoofing activities.

1. Private IP addresses in general are hidden from the internet. This makes the use of private IP addresses ideal for internal hosts;
2. However, hosts within the DMZ must be accessible from the internet. Therefore, the must use IP addresses in the firm’s public IP address range.
3. [Thought Questions, no. 7]—Refer to the firewall policy database shown in the

Figure 6-25 of the text:

1. Describe Policy 5.

• Internetworking infrastructure under considerations is split into well-documented separate zones with various security levels.

1. Describe Policy 6.

• Each pair of source-destination zones, the sessions that clients in source zones are allowed to open to servers in destination zones are defined.

1. Describe Policy 7.

• For traffic that is not based on the concept of sessions(for example, IPsec Encapsulation Security Payload[ESP]), the administrator must define unidirectional traffic flows from source to destination and vice versa.

1. Describe Policy 8.

• The administrator must design the physical infrastructure.

1. Describe Policy 9.

• For each firewall device in the design, the administrator must identify zone subsets connected to its interfaces and merge the traffic requirements for those zones, resulting in a device-specific interzone policy.

[Ch. 6, Thought Questions, no. 8]—Read the text box “Reading Firewall Logs.” Sort the log file in Figure 6-26 by source IP address. What do you conclude from the analysis? The following can be concluded from the log file by sorting by IP address:

• IP address 14.173.139 was involved in 6 Echo Probe and 2 FTP attacks. This is the most likely an attacker or a zombie being controlled by an attacker;
• IP address 128.171.17.3 was involved in 3 forbidden webserver requests. This is either an automated attack or possibly a misconfigured host trying to connect with an incorrect destination;
• IP address 14.8.23.96.128.171.17.34 and 1.32.6.18 all conducted FTP attacks on the same server that the bad guy(14x 139) attacked. The initial attacker may not be attacking through bots;
• Two different IP addresses attacked the 60.32.29.102 host. This could be a bad sign and you need to look at what connections are or have been made to the 60.32.29.102 host. This could be a bad sign and you need to look at what connections are or have been made to the 60.32.29.102 host to determine if an attack was successful or is ongoing. This seems to be a sophisticated attack using bots;
• IP 1.124.82.6 attempted to ping the 60.x.x.68 host. Not enough information to tell if this is good or bad.

DMZ’s offer the following additional advantages to an organization:

• The creation of three layers of protection that segregate the protected network. So in order for an intruder to penetrate the protected network. He or she must crack three separate routers: 1) The outside firewall router; 2) The bastion firewall; and 3) The inside firewall router devices.
• Since the outside router advertises the DMZ network only to the internet, systems on the internet do not have routes to the protected network is “invisible,” and that only selected systems on the DMZ are known to the internet via routing table and the DNS information exchanges.

[Ch. 7, Thought Questions, nos. 1 and 2]—Why do you think companies often fail to harden their servers adequately? Since the inside router advertises the DMZ, networks only to the private network, systems on the private networks do not have direct routes to the internet. This guarantees that inside users must access the internet via the proxy services residing on the bastion host. Since the DMZ network is a different network from the private network, a Network Address Translator (NAT) can be installed on the bastion host to eliminate the need to re-number or re-subnet the private network.

• Companies may lack comprehensive security policies that include server hardening. They may not even know all of their servers. It is difficult, time-consuming, and inexpensive.
• There are many server operating systems and versions, each needing to be hardened in different ways.
• So many patches need to be applied that fixing vulnerabilities is extremely difficult.

[Ch. 7, Thought Questions, no. 3]—How is the diversity of UNIX offerings bad? How is it good?

How is the diversity of UNIX offerings bad?

• UNIX diversity is bad because each UNIX variant will have its own security limitations and vulnerabilities requiring separate hardening baselines for each version, making administration of numerous UNIX versions are very expensive.

How is it good?

• The diversity of UNIX offerings is good because it breeds competition, resulting in lower purchase costs and possibly improved security performance over time.

[Thought Questions, no. 4]—Why do you think UNIX has such a limited ability to assign permissions compared with Windows? Historically, UNIX is very old, and its permissions structure was built in early, when flexibility in assigning permissions was not too important. Later, there was no way to change the way that permissions were assigned across UNIX variants in a coordinated way.

Packet filtering is susceptible to IP spoofing. Hackers send arbitrary

Packets that fit ACL criteria and pass through the filter.

• Packet filters do not filter fragmented packets well. Because fragmented IP packets carry the TCP header in the first fragment and packet filters on TCP header information, all fragments after the first fragment are passed unconditionally.
• Complex ACL’s are difficult to implement and maintain correctly.
• Packet filters can’t dynamically filter certain services.
• Packets filter are stateless.

[Ch. 7, Thought Questions, no. 5]—Directory DunLaoghaire has several subdirectories. Each of these subdirectories has very sensitive information that should only be accessible to a single user. What permissions would you give in the top-level DunLaoghaire directory to the group all logged-in-users if you do not want to change the allow inheritable permissions from parent to propagate to this object box default in subdirectories? What would you then do in each subdirectory?

• Demilitarized Zone(DMZ)
• Submit for servers and application proxy firewalls accessible via the internet (Figure 6-22)
• Hosts in the DMZ must be especially hardened because they will be accessible to attackers on the internet.

1. For every sensitive information that should only be accessible to a single user, the “all logged in users: group should receive no permissions in Dunlaoghaire. This way they will not inherit any permissions in lower-level directories.
2. What would you do then in each subdirectory?

• In each subdirectory, I would assign appropriate permissions only to accounts and groups that need the in the directory.