P. 1
aix_security

aix_security

|Views: 2,499|Likes:
Published by thomas926

More info:

Published by: thomas926 on Mar 16, 2011
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

05/28/2013

pdf

text

original

There are a number of ways to make Check Point FireWall-1 more secure. We
recommend that you enable SYNDefender and IP spoofing protection, but do
not use Fast Mode TCP. We also recommend that you consider implementing
Intrusion Detection. Each of these is described in the following sections.

3.3.6.1 SYNDefender

The SYN attack falls under the category of denial of service attack. Before
going into the details of the SYN attack, we need to cover how a typical TCP
connection is established as follows:

1. A client attempting to connect to a server sends a SYN packet (TCP
packet with the SYN bit set) to the server.

2. The server replies with a SYN/ACK packet.

3. The client receives the SYN/ACK packet from the server and sends an
ACK packet back.

This is known as a 3-way handshake, and, upon successful completion, the
connection is considered established. (Note that with stateful inspection, the
firewall will monitor this handshake process as an active onlooker.)

Here is how the SYN attack works:

1. The attacker uses a forged and non-reachable IP address and sends
several SYN packets to the server.

2. The server responds with the appropriate SYN/ACK packets, but, since
the sender’s IP is a non-reachable address, the 3-way handshake cannot
complete.

3. The connections remain pending and will not be cleared for the duration of
the TCP timeout (unless the clear_partial_conns network option is set at

# perl ./fwtable.pl

---- FW-1 CONNECTIONS TABLE ---

Src_IP Src_Prt Dst_IP Dst_Prt IP_prot Kbuf Type Flags Timeout

9.12.0.50 32782 9.12.0.50 53

6

0 16385 ffff0400 3176/3600

9.12.0.50 32780 9.12.0.18 23

6

0 16385 ffff0600 2440/3600

9.12.0.50 846 9.12.0.50 755 6

0 16385 ffff0600 3433/3600

9.12.0.50 784 9.12.0.50 755 6

0 16385 ffff0600 3484/3600

9.12.2.168 1971 9.12.0.50 23

6

0 16385 ffffff00 3600/3600

38 Additional Security Tools for AIX Systems

the OS level), which effectively prevents legitimate clients from connecting
to the server on that service port.

The key to the SYN attack is that the source IP must not be reachable. If it is,
the server sending the SYN/ACK will get an RST packet in return. This is
because the legitimate client (whose IP address has been stolen) will detect
that the SYN/ACK packet is not in response to a SYN packet that it had sent,
and will reply with an RST packet to reset the server connection (which
defeats the attack). For an in-depth description of the attack, go to

www.fc.net/phrack/files/p48/p48-13.html.

Check Point FireWall-1 has two built-in defenses against SYN attacks. They
are the SYNDefender Gateway and the SYNDefender Passive Gateway. You
can set them on the SYNDefender tab of the Properties Setup menu (see
Figure 8 on page 39). For the following explanations, assume the server is
behind the firewall, and the client is in front of it.

SYNDefender Gateway Mode works as follows:

1. The client sends the SYN packet to the server.

2. The server sends the SYN/ACK packet back to the client.

3. FireWall-1 sends the ACK packet to the server on behalf of the client.

4. The client sends the ACK packet to the server, but it is absorbed by
FireWall-1.

5. The connection between client and server is established.

6. If the client does not send the ACK packet (event 4) within the timeout
period configured in FireWall-1 (Figure 8), the firewall sends an RST
packet to the server to tear down the connection. This is the
recommended method to protect against SYN attacks.

SYNDefender Passive SYN Gateway works as follows:

1. The client sends the SYN packet to the server.

2. The server sends the SYN/ACK packet back to the client, but it is
intercepted by FireWall-1.

3. FireWall-1 resends the SYN/ACK packet to client.

4. The client sends the ACK packet back to server.

5. The connection between the client and server is established.

6. If the client does not send the ACK packet (event 4) to the server within
the timeout period configured in FireWall-1 (see Figure 8 on page 39), the
firewall sends an RST packet to the server to close its pending connection.

Chapter 3. Check Point FireWall-1 39

During the timeout period, the pending connection table on the server still
has this connection in it. In other words, from the server’s point of view, the
3-way handshake has never completed.

Figure 8 shows the SYNDefender tab in the Properties Setup screen.

Figure 8. SYNDefender tab in the Properties Setup screen

3.3.6.2 IP spoofing protection

Anti-spoofing protects against forged packets that claim to have originated
from an internal IP address (a spoofed IP packet). Anti-spoofing ensures that
the packets are coming or going on the correct network interfaces. For
example, packets with a source IP address from the internal network should
be coming into the firewall from the network card on the internal interface. If
packets carrying the source IP address from the internal network come into
the firewall from the Internet, it is likely due to a spoofed packet from
someone trying to attack your network.

You need to know which networks are reachable from which interface. You
then need to associate each group of addresses with the appropriate network

40 Additional Security Tools for AIX Systems

interface. Perform the following steps to set up IP spoofing protection in
FireWall-1 (refer to Figure 9 on page 40):

1. From Network Objects, select firewall.

2. Select the Interfaces tab.

3. Select an interface (in our case, the tr0 interface is the external interface).

4. From Spoof tracking, select Log or Alert.

5. From Valid Addresses, select This net, Others, or Specific, depending on
how your network is configured, as shown in Figure 9. (More information
follows.)

Figure 9. Setting up IP spoofing

The Valid Addresses selection specifies which addresses are allowed to be
on the chosen interface. In other words, IP addresses that are not considered
to be spoofed. The option you choose depends on whether or not you are
using network address translation (NAT) at the firewall.

Chapter 3. Check Point FireWall-1 41

If you are not using NAT, use the following for your Valid Addresses selections
as shown in Table 1.

Table 1. Valid Addresses without NAT

If you are using NAT, use the following for your Valid Addresses selections as
shown in Table 2.

Table 2. Valid Addresses with NAT

In the case of NAT and an Internal Interface, you have to specify a group of
addresses for Specific. For the servers on the internal network, use the IP
address for the internal network, and the NAT IP addresses for the servers on
that network. For example, Figure 10 on page 42 illustrates a with NAT
enabled for Web Server 1 (Public Server 1), Web Server 2 (Public Server 2),
and Mail Server (Public Server 3). The real IP address (configured on the
network card on the server) and the NAT IP address (publicly known IP
address) are listed in the figure. When using NAT, the group for Specific
consists of the internal network address (172.16.30.0) and the public IP
addresses 203.12.12.1, 203.12.12.2, and 203.12.12.3.

Interface

Valid addresses

External (facing Internet)

Others

Internal

This net

Interface

Valid addresses

External (facing Internet)

Others

Internal

Specific

42 Additional Security Tools for AIX Systems

Figure 10. Illustrating IP spoofing with NAT

3.3.6.3 Fast Mode TCP

For faster throughput, the Fast Mode TCP option can be used. We do not
recommend that you do this. Fast Mode works by allowing all
non-SYN/NO-ACK packets through the firewall. The firewall assumes that all
such packets are part of an established TCP connection and does no further
checks on them. The assumption is that if these packets are not part of an
established TCP connection, the end servers will drop the packets anyway
because they are out of sequence. SYN packets are still checked with the
rulebase, but successful connections are not logged into the connections
table (removing the stateful inspection). This reduces the security awareness
of the firewall and should not be used.

To check the Fast Mode setting, from the main menu bar, select Manage,
then, under Services, select TCP (as shown in Figure 11 on page 43). Notice
that Fast Mode only applies to the TCP protocol.

Real IP

NAT IP

Web Server 1 172.16.30.1 203.12.12.1

Web Server 2 172.16.30.2 203.12.12.2

Mail Server 172.16.30.3 203.12.12.3

Firewall

External Network

Internal Network

Public Server 1
172.16.30.1

Public Server 2
172.16.30.2

Public Server 3
172.16.30.3

Router to ISP

Public Server 4
172.16.30.4

Chapter 3. Check Point FireWall-1 43

Figure 11. Fast Mode TCP

3.3.6.4 Intrusion detection on Check Point FireWall-1

There is a very good article on how to implement intrusion detection on
Check Point FireWall-1 at www.enteract.com/~lspitz/intrusion.htm. We will not
be discussing it further here.

You're Reading a Free Preview

Download
scribd
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->