Primary Protection Goal
CIA Triad
Extended Goals
Parties (e.g., sender and receiver) must be able to verify each other's identity at any time (authentication)
Sender cannot deny authorship of a message (non-repudiation)
Each action can be traced back to the originator (accountability)
Reconstruction or linkage of personal or factual data points is practically impossible (anonymization); the weaker form is pseudonymization, a data management and de-identification procedure by which personally identifiable information fields within a data record are replaced by one or more artificial identifiers. Pseudonymization still allows linkage of data points based on those artificial identifiers.
On-Path Attacker
Can see traffic that passes by
*might* be able to manipulate traffic
Off-path Attacker
Does not see traffic from either party, but can communicate with them
Security Problems with TCP/IP
Spoofing
Denial-of-Service
No Confidentiality
No Integrity
Weak binding, missing liability
Security Problems with UDP and TCP
Sequence and acknowledgement numbers provide some (weak) protection against forgery.
When sequence numbers are predictable, an attacker can take over an existing connection or insert their own data between client and server (session hijacking). Sequence numbers are also visible to an on-path attacker monitoring the network.
Desynchronization of a connection by injecting old sequence numbers.
Countermeasure: initial sequence number (ISN) randomization.
The server port is often obvious, but the client port may not be.
Definition Firewalls
“A "firewall" is an agent which screens network traffic in some way, blocking traffic it believes to be inappropriate, dangerous, or both.” […] “The introduction of a firewall and any associated tunneling or access negotiation facilities MUST NOT cause unintended failures of legitimate and standards-compliant usage that would work were the firewall not present.” (RFC 2979)
“An internetwork gateway that restricts data communication traffic to and from one of the connected networks (the one said to be "inside" the firewall) and thus protects that network's system resources […]”
Definition of Packet Filter Firewall
A packet filter is "... a product that is able to filter network traffic based on defined rules, so that only desired network packets reach their destination."
Firewalls are implemented using various technologies, such as:
• Static packet filter
• Dynamic packet filter
• Firewalls with "stateful inspection"
• Proxy firewalls
• Intrusion Detection and Prevention systems
At least two (virtual) interfaces in different networks
Functions as a router, i.e., IP forwarding is enabled
TCP/UDP/IP packets are filtered using defined rules
Distinction between static and dynamic packet filters
Static Packet Filters
Used on routers
Accept or reject IP packets based on their source and destination IP addresses
Two types of reject: a silent one (drop), and one that returns an error to the sender (e.g., “ICMP port unreachable”)
Source and destination ports can also be used for filtering
ICMP message type can be used for filtering
Certain products support the evaluation of individual flags in the TCP header
Static Packet Filters – How They Work
Based on a set of rules
Processed from top to bottom
Until a rule either allows or denies the packet
Default policy / catch-all rule applies if no rule matches
Static Packet Filters – Disadvantages
A major weakness: they are stateless
A connection requires two rules (incoming and outgoing)
TCP source ports are difficult to restrict (the client picks a random port > 1023)
Weak protection against fragmentation attacks
No high-level (application-layer) abstraction
Separate rule sets for IPv4 and IPv6
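As an added example (not part of the original notes), the following Python simulates a static packet filter: rules are evaluated top to bottom, the first match decides, and a default-deny catch-all applies when nothing matches. The addresses, the blocklisted network and the rule set are constructed. It also shows why a stateless filter has to open the whole client port range for replies, which lets an unsolicited packet with source port 80 through.

```python
"""Added example (not from the original notes): a minimal static, stateless
packet filter with first-match rule processing and a default-deny catch-all.
All addresses, ports and rules are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    proto: Optional[str] = None     # None matches any protocol
    src: Optional[str] = None       # network in CIDR notation, None = any
    dst: Optional[str] = None
    sport: Optional[range] = None   # port range, None = any
    dport: Optional[range] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.src is None or ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src))
                and (self.dst is None or ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst))
                and (self.sport is None or p.sport in self.sport)
                and (self.dport is None or p.dport in self.dport))


def filter_packet(rules: List[Rule], p: Packet, default: str = "deny") -> Tuple[str, int]:
    """First-match evaluation: returns the action and the index of the deciding
    rule, or (default, -1) when the catch-all policy applies."""
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, i
    return default, -1


INTERNAL = "10.0.0.0/8"
ANY = "0.0.0.0/0"
HTTP = range(80, 81)
CLIENT_PORTS = range(1024, 65536)   # clients pick a random port above 1023

RULES = [
    Rule("deny", src="198.51.100.0/24"),                     # 0: blocklisted network, checked first
    # A single HTTP connection needs two rules because the filter keeps no state:
    Rule("allow", "tcp", INTERNAL, ANY, CLIENT_PORTS, HTTP),  # 1: outbound request
    Rule("allow", "tcp", ANY, INTERNAL, HTTP, CLIENT_PORTS),  # 2: the replies (whole port range!)
]


def demo() -> List[Tuple[str, int]]:
    """Constructed packets run through the rule set; returns (action, rule index) per packet."""
    client, web, stranger, blocked = "10.0.0.5", "203.0.113.10", "192.0.2.9", "198.51.100.7"
    packets = [
        Packet("tcp", client, 50000, web, 80),       # outbound request -> rule 1
        Packet("tcp", web, 80, client, 50000),       # reply -> rule 2
        Packet("tcp", stranger, 80, client, 4444),   # unsolicited, yet rule 2 allows it
        Packet("tcp", blocked, 50000, client, 80),   # blocklisted source -> rule 0 wins
        Packet("tcp", stranger, 40000, client, 22),  # nothing matches -> default deny
    ]
    return [filter_packet(RULES, p) for p in packets]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The third packet is the point of the exercise: rule 2 cannot tell a reply from an unsolicited packet that merely claims source port 80, so every high port on every internal host is reachable from outside as long as the sender uses that source port.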
Tiny Fragment Attack
The attacker splits the payload into several very small fragments.
As a result, the TCP header is divided across multiple fragments, making it impossible for static packet filters to analyze.
For example, port information can no longer be evaluated.
Overlapping Fragment Attack
In the first fragment, the port number of the "attack packet" is changed to an "allowed" port.
The fragment offset of a subsequent fragment is manipulated so that, during reassembly, it partially overwrites the TCP header of the first fragment (including the allowed port number) with that of the second fragment.
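An added defensive check (not from the original notes) that a fragment reassembler in front of a packet filter can apply against both attacks: it drops a first fragment that is too short to carry the complete TCP header (tiny fragment) and any later fragment that would rewrite header bytes already received (overlapping fragment), including the minimum-offset rule from RFC 1858 that rejects fragment offset 1. The fragments, ports and TCP header contents are constructed.

```python
"""Added example (not from the original notes): fragment checks against the
tiny-fragment and overlapping-fragment attacks, applied before a packet
filter reads TCP ports. All fragments and header values are constructed."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

TCP_HEADER_LEN = 20   # TCP header without options
FRAG_UNIT = 8         # the IP fragment offset field counts 8-byte units


@dataclass(frozen=True)
class Fragment:
    offset: int     # fragment offset in 8-byte units
    more: bool      # "more fragments" (MF) flag
    payload: bytes  # transport-layer bytes carried by this fragment


def check_fragment(frag: Fragment, seen: Dict[int, int]) -> Tuple[str, str]:
    """Decide on one fragment; `seen` maps byte offset -> byte received so far."""
    start = frag.offset * FRAG_UNIT
    end = start + len(frag.payload)
    # Tiny fragment: a first fragment that does not carry the whole TCP header
    # hides ports and flags from the filter, so it is rejected outright.
    if frag.offset == 0 and frag.more and len(frag.payload) < TCP_HEADER_LEN:
        return "drop", "tiny fragment: TCP header split across fragments"
    # RFC 1858 minimum-offset rule: offset 1 (byte 8) always lands inside the
    # TCP header and can only serve to overwrite it.
    if frag.offset == 1:
        return "drop", "fragment offset 1 overlaps the TCP header"
    # Overlapping fragment: no fragment may rewrite header bytes already received.
    for i in range(start, min(end, TCP_HEADER_LEN)):
        if i in seen:
            return "drop", "overlapping fragment rewrites TCP header bytes"
    return "accept", "ok"


def reassemble(fragments: List[Fragment]) -> Tuple[str, bytes]:
    """Check fragments in arrival order and reassemble; returns (verdict, data)."""
    seen: Dict[int, int] = {}
    for f in fragments:
        verdict, _ = check_fragment(f, seen)
        if verdict == "drop":
            return "drop", b""
        start = f.offset * FRAG_UNIT
        for i, b in enumerate(f.payload):
            seen[start + i] = b
    if sorted(seen) != list(range(len(seen))):
        return "drop", b""          # holes: the datagram is incomplete
    return "accept", bytes(seen[i] for i in range(len(seen)))


def tcp_ports(segment: bytes) -> Tuple[int, int]:
    """(source port, destination port) of a reassembled TCP segment."""
    return struct.unpack("!HH", segment[:4])


def tcp_header(sport: int, dport: int, flags: int = 0x02) -> bytes:
    """A constructed 20-byte TCP header without options (default flags: SYN)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0)


# Constructed scenarios ------------------------------------------------------
def normal_case() -> Tuple[str, bytes]:
    """Legitimate fragmentation: the first fragment carries the full header."""
    seg = tcp_header(40000, 80) + b"GET / HTTP/1.0\r\n"     # 36 bytes
    return reassemble([Fragment(0, True, seg[:24]), Fragment(3, False, seg[24:])])


def tiny_fragment_case() -> Tuple[str, bytes]:
    """Ports in an 8-byte first fragment, flags (byte 13) pushed into the second."""
    seg = tcp_header(40000, 23)
    return reassemble([Fragment(0, True, seg[:8]), Fragment(1, False, seg[8:])])


def overlapping_fragment_case() -> Tuple[str, bytes]:
    """A complete, innocuous-looking first fragment (ACK only), then a fragment
    at offset 1 that would replace bytes 8-23, including the flags byte."""
    first = tcp_header(40000, 80, flags=0x10) + b"\x00" * 4
    second = tcp_header(40000, 80, flags=0x02)[8:] + b"\x00" * 4
    return reassemble([Fragment(0, True, first), Fragment(1, False, second)])


if __name__ == "__main__":
    print("normal:", normal_case()[0], tcp_ports(normal_case()[1]))
    print("tiny:", tiny_fragment_case()[0])
    print("overlap:", overlapping_fragment_case()[0])
```

Only the normal case yields a segment whose ports the filter can safely evaluate; in the two attack cases the reassembler refuses the datagram before any rule is consulted.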
Dynamic Packet Filters
Response packets are assigned to existing (TCP) connections using a state table.
For ICMP, the message code is stored instead of the port.
The source address/port of the request becomes the destination address/port for the response.
After the connection is terminated (TCP flags, ICMP message), the entry is deleted from the table; for UDP, the entry expires after a timeout.
Dynamic Packet Filters – Advantages
A connection requires only one rule.
There is no need to open entire port ranges for response packets.
Affected source ports are written into the state table.
Response packets are allowed only for the duration of the connection, or within the defined timeout in the case of UDP.
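Added example (not from the original notes): a toy dynamic packet filter with a state table, continuing the stateless scenario above. A single rule admits outbound connections from the internal network; the reversed source/destination pair is stored so that replies are matched to the entry, TCP entries are deleted on FIN/RST, and UDP/ICMP entries expire after a timeout. The addresses, the 30-second timeout and the allowed ports are constructed assumptions.

```python
"""Added example (not from the original notes): a toy dynamic (stateful)
packet filter with a state table. Addresses, ports and the timeout are
constructed values."""
import ipaddress
from dataclasses import dataclass
from typing import List

TIMEOUT = 30.0               # state lifetime for UDP/ICMP in seconds (constructed)
ICMP_REPLY_TYPE = {8: 0}     # an echo request (type 8) is answered by an echo reply (type 0)


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0                  # for icmp: the message type
    dport: int = 0                  # for icmp: unused
    flags: frozenset = frozenset()  # tcp flags, e.g. frozenset({"FIN"})


def key(p: Packet) -> tuple:
    """State-table key of a packet: the 5-tuple (message type instead of ports for ICMP)."""
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def reply_key(p: Packet) -> tuple:
    """Key the answers to p will carry: source and destination swap; for ICMP
    the reply message type replaces the request type."""
    if p.proto == "icmp":
        return ("icmp", p.dst, ICMP_REPLY_TYPE.get(p.sport, -1), p.src, 0)
    return (p.proto, p.dst, p.dport, p.src, p.sport)


class StatefulFilter:
    def __init__(self, internal: str = "10.0.0.0/8", allowed_dports=(80, 53)):
        self.internal = ipaddress.ip_network(internal)
        self.allowed_dports = set(allowed_dports)
        self.table = {}   # key -> expiry time; None = kept until the TCP connection closes

    def rule_allows(self, p: Packet) -> bool:
        """The one rule needed: internal hosts may open TCP/UDP connections to
        the allowed ports and may send ICMP echo requests."""
        if ipaddress.ip_address(p.src) not in self.internal:
            return False
        if p.proto == "icmp":
            return p.sport == 8
        return p.dport in self.allowed_dports

    def expire(self, now: float) -> None:
        """Remove UDP/ICMP entries whose timeout has passed."""
        for k, exp in list(self.table.items()):
            if exp is not None and exp <= now:
                del self.table[k]

    def process(self, p: Packet, now: float) -> str:
        self.expire(now)
        k = key(p)
        if k in self.table:                          # belongs to a tracked connection
            if p.proto == "tcp" and p.flags & {"FIN", "RST"}:
                self.table.pop(k, None)              # connection ends: drop both directions
                self.table.pop(reply_key(p), None)   # (simplified: the first FIN closes it)
            elif self.table[k] is not None:
                self.table[k] = now + TIMEOUT        # refresh UDP/ICMP timeout
            return "allow"
        if self.rule_allows(p):                      # new outbound connection
            if p.proto == "icmp":
                self.table[reply_key(p)] = now + TIMEOUT
            else:
                exp = None if p.proto == "tcp" else now + TIMEOUT
                self.table[k] = exp                  # further packets of the connection
                self.table[reply_key(p)] = exp       # and its replies
            return "allow"
        return "deny"                                # catch-all


def demo() -> List[str]:
    """Constructed packet sequence; returns the decision for each packet."""
    fw = StatefulFilter()
    client, server, stranger = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    return [
        fw.process(Packet("tcp", stranger, client, 80, 4444), now=0.0),   # unsolicited: deny
        fw.process(Packet("tcp", client, server, 50000, 80, frozenset({"SYN"})), now=1.0),   # allow, state created
        fw.process(Packet("tcp", server, client, 80, 50000, frozenset({"SYN", "ACK"})), now=1.1),  # reply: allow
        fw.process(Packet("tcp", client, server, 50000, 80, frozenset({"FIN"})), now=5.0),   # close: allow, state removed
        fw.process(Packet("tcp", server, client, 80, 50000), now=6.0),    # after close: deny
        fw.process(Packet("udp", client, server, 40000, 53), now=10.0),   # DNS query: allow
        fw.process(Packet("udp", server, client, 53, 40000), now=12.0),   # DNS reply in time: allow
        fw.process(Packet("udp", server, client, 53, 40000), now=12.0 + TIMEOUT + 1),  # late reply: deny
        fw.process(Packet("icmp", client, server, 8), now=50.0),          # echo request: allow
        fw.process(Packet("icmp", server, client, 0), now=50.2),          # echo reply: allow
    ]


if __name__ == "__main__":
    print(demo())
```

Compared with the stateless filter, the same unsolicited packet with source port 80 is now denied, because nothing in the state table expects it, and a reply is admitted only while its connection is open or its timeout has not run out.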
Dynamic Packet Filters – Issues
In general, there is a single connection between client and server that is terminated at the end.
“Dumb” packet filters (without introspection or “deep inspection”) cannot securely filter protocols that use multiple logical connections, e.g., FTP, SIP.
Stateful Inspection Firewalls Functionality
A firewall evaluates not only TCP/UDP header information but also extracts additional filter-relevant details from the payload data of certain application protocols.
Examples of such protocols include: FTP, MS-Exchange, H.323, or RPC applications that use the portmapper (which runs on port 111). The portmapper assigns an RPC program number to a port.
Stateful Inspection Firewalls expand their state table after isolating the relevant port number from the corresponding data stream.
Stateful Inspection Firewalls Downsides
Every protocol transferred over the firewall must be implemented.
New protocols and applications appear every day.
Proxy
The proxy acts as an intermediary for the server, receiving connection requests from the client.
It then establishes a separate connection to the server.
Unlike traditional packet filters, a proxy is not transparent to the client/server application.
The client does not communicate directly with the target system but with the proxy; the connection is usually established to a different IP address and sometimes to a different port.
The proxy must have specific proxy functionality implemented for each defined protocol, so it can process the respective protocol.
With a proxy, routing can be disabled, as it represents the endpoint on one side and the initiator of the connection on the other. This ensures that a client can never communicate directly with the associated server.
Proxy Advantages
Better filtering capabilities, as the respective protocols are generally fully implemented.
Ensures protocol compliance: The proxy examines not only the IP/TCP/UDP header but also the payload, which contains the application protocol.
No direct connections between the internal and external network are possible.
Proxy Challenges
For every protocol that runs through the proxy, a suitable match must be explicitly implemented.
For a new application, a new proxy function would need to be provided.
Therefore, it is mainly useful in scenarios where only a few, well-known protocols need to be filtered.
Higher security compared to packet filters also results in higher resource consumption.
Every proxy, being a network service, is generally more vulnerable to attacks compared to a packet filter, which is implemented in the kernel.
Next-Generation-Firewalls
The firewall logs events according to the logging policy, for example unauthorized connection attempts.
In addition, a firewall may have alerting mechanisms (e.g., via email, SNMP...) and accounting mechanisms.
NAT functionality
Firewall as the tunnel endpoint for a VPN
Implementation of content security for certain protocols.
DMZ
A packet filter controls access to the systems, protecting them from unauthorized access from the internet or other networks.
Networks connected to this filter are called Demilitarized Zones (DMZ).
Typically, internet-accessible servers like mail relays, web servers, or DNS servers are operated in a shared DMZ in internet firewalls.
Pre-filtering is done on the router via an access list, while the firewall controls communication between networks.
Servers in the DMZ are therefore exposed to a higher level of risk.
This setup does not take dependencies into account. Dependencies can be:
• Internal and external services
• Auxiliary and supporting services (e.g., DNS, RPC, …)
• Line connectivity and capacity
Packet Filter Administration
Tasks of the Management Component
• Storage of created objects, rule base, users, and properties.
• Translation of the rule base into a packet filter-compatible format.
• Management of log files.
Components
• Administration frontend (command line or GUI).
• Packet filter component for network traffic filtering (Enforcement Point).
• Management component.
2-Tier Architecture
Configuration and maintenance are done directly on the packet filter.
The packet filter serves as the enforcement point.
3-Tier Architecture
Packet filter management and packet filtering are logically separated.
Created rules and objects are stored on the management station.
Communication between the packet filter and the management station must be encrypted.
Authentication of the management station to the packet filters is required.
Virtual Network Interfaces
The number of network interfaces is often insufficient.
A physical interface is connected to the trunk port of a VLAN-enabled switch.
The firewall tags Ethernet frames according to the destination network.
The switch assigns the Ethernet frame to a subnet based on the VLAN tag.
The switch becomes a security-critical component: If an attacker gains control over the switch, they can bypass the firewall by altering the configuration.
VLAN Tag
Virtual Firewalls
Multiple logical firewalls on a single physical hardware unit.
Each virtual firewall has its own rules, state table, and user management.
Virtual firewalls are isolated from one another.
Primarily of interest to outsourcing providers.
Setup and implementation using VLAN tagging (similar to virtual interfaces).
Log File Analysis