You are on page 1of 67

For Summer Training on Computer Networking visit www.nettech.

in

Introduction to Network/ Linux Security

Prepared by : Swapan Purkait Director Nettech Private Limited swapan@nettech.in + 91 93315 90003

Nettech Private Ltd.

www.nettech.in

Overview

What is network security? Kind of security services one might desire What kind of attacks should we try to protect a network against? What are the available protection strategies available? What support can we expect from LINUX?

Nettech Private Ltd.

www.nettech.in

What is network security?

A network is secure if you can depend on it and its nodes behave as you expect.

If you do not know what you are protecting, why you are protecting it, and what you are protecting it from, your task will be rather difficult!

Nettech Private Ltd.

www.nettech.in

Kind of security one might desire

Authentication Confidentiality (Privacy) Integrity Availability Non-Repudation Auditing

Nettech Private Ltd.

www.nettech.in

Authentication
Authentication is the process of reliably verifying the identity of someone (or something) by means of:
A secret (password [one-time], ...) An object (smart card, ...) Physical characteristics (fingerprint, retina, ...) Trust

Do not mistake authentication for authorization!

Nettech Private Ltd.

www.nettech.in

Integrity Vs Confidentiality

Integrity
Protecting information from being deleted or altered in any way without the permission of the owner of that information.

Confidentiality
Protecting information from being read or copied by anyone who has not been explicitly authorized by the owner of that information.

Nettech Private Ltd.

www.nettech.in

Availability

If the system is unavailable when an authorized user needs it, the result can be as bad as having the information that resides on the system deleted!

Nettech Private Ltd.

www.nettech.in

Non repudation

The ability of the receiver of something to prove to a third party that the sender really did send the message.

Nettech Private Ltd.

www.nettech.in

Auditing

The ability to record events that might have some security relevance. In such cases, you need to determine what was affected. In some cases, the audit trail may be extensive enough to allow undo operations to help restore the system to a correct state.

Nettech Private Ltd.

www.nettech.in

Kind of attacks to a Computer

What kind of attacks should we try to protect a computer against ? Physical Security
Lockers, BIOS, weather, ...

Personnel security Operating System security Network security

Nettech Private Ltd.

www.nettech.in

Some common network services

DNS Apache NFS NIS/NIS+ Samba Telnet FTP Mail ... ... ...

Nettech Private Ltd.

www.nettech.in

Network Security: common attacks

Interception
Modification

Intrusion
Modification, Fabrication

Denial of service
Interruption

Information theft

Nettech Private Ltd.

www.nettech.in

Security tools
Cryptography
Symmetric Vs Asymmetric (Certificates ...)

Firewalls & Proxyes


Ipchains/Iptable ...

TCP Wrappers + UDP Relayers Pluggable Authentication Module


It is a suite of shared libraries that enable the local system administrator to choose how applications authenticate users

Kernel Level Security Log files (/var/log/*)

Nettech Private Ltd.

www.nettech.in

Cryptography: the solution for privacy

The security is based on the secrecy of the key and sometimes of the alghoritms too.

Nettech Private Ltd.

www.nettech.in

Cryptography Model
Encryption Key, K

Plaintext, P

Encryption, E
Cyphertext, C

Plaintext, P

Decryption, D

Decryption Key, K'


Nettech Private Ltd. www.nettech.in

Basic Formula

C=EK(P) P=DK'(C)
DK'(EK(P))=P

If K=K', it is symmetric key system,also known as secret key key system If KK', it is asymmetric key systemcommonly called public key system

Nettech Private Ltd.

www.nettech.in

Cryptography

Symmetric Vs Asymmetric
Symmetric (also called private key algorithms) The same password is used to both encrypt and decrypt Faster algorithms PROBLEM: key management is not easy Asymmetric (also called pubblic key algorithms) The password used to encrypt is different from the one needed to decrypt More secure It allows to have non-repudiation
Nettech Private Ltd. www.nettech.in

Secret Key System

DES Key

DES Key

Alice
Nettech Private Ltd.

Bob
www.nettech.in

Data Encryption Standard (DES)

It is a symmetric algorithm Designed by IBM for the U.S. Government in 1977 It is based on a 128 bit key (earlier 64) Hardware Vs Software implementation How secure is DES?
How much would a Des-Breaking engine would cost? Is it possible to make DES harder to break in? How does it work?

Nettech Private Ltd.

www.nettech.in

Public Key System

Bob's public Key

Bob's private key

Alice
Nettech Private Ltd.

Bob
www.nettech.in

RSA Algorithm
Rivest, Shamir & Adleman (1978), MIT Most widely used public key algorithm Based on principles of number theory Keys are calculated in the following way:

1. 2. 3. 4.

Choose two large (>10100) primes, p and q Compute n=p*q and z=(p-1)*(q-1) Choose a number k' which is relatively prime to z Find k such that k*k'=1 mod z C=Pk (mod n) and P=Ck' (mod n)
www.nettech.in

Nettech Private Ltd.

Example

Say p=3 and q=11 so that n=33 and z=20 A suitable value for k' is 7 (prime to 20) k can be found by solving: 7*k=1 (mod 20) Thus, k=3 3 So encryption: C=P (mod 33) 7 And Decryption: P=C (mod 33)

Say P=14, then C=143 (mod 33)=2744 (mod 33)=5 7 Conversely, C (mod 33)=78125 (mod 33)=14=P

Nettech Private Ltd. www.nettech.in

Digital Signature

An important security strategy for E-Commerce The receiver can verify the claimed identity of the sender (authenticated) The sender cannot later repudiate the contents of the message The message cannot be concocted in transit
Can be implemented using public key cryptography

Nettech Private Ltd.

www.nettech.in

Public Key Signature

Say, A wants to send a signed message P to B We know that P=DK'[EK(P)] holds It is assumed that P=EK[DK'(P)] also holds A computes C=EK'A(P) using his private key and sends it to B openly B then decrypts C by KA as: DKA(C)=P B, decrypting the message with A's public key, knows that A generated the message Later A cannot deny having sent C because it can be opened by KA only and K'A is private to A

Nettech Private Ltd. www.nettech.in

Security of cryptographic algorithms


Let us define the lifetime of an information as the amount of time the information should be kept secret. An encryptioncan cab be considered secure if the time to break it (for ex. with a brute force attack) is reasonably longer than the lifetime of the information contained in the plain text.
Length of the key on bits (estimated in 1995, Applied Cryptography) 56 35 h. 3.5 h 64 1 y. 37 d. 4 d. 80 70,000 y.

Cost

40 2.00 s. 0.20 s. 0.02 s.

112 1014 y. 1013 y. 1012 y.

128 1019 y. 1018 y. 1017 y.

$ 100K
$ 1M $ 10M

7,000 y. 700 y.

21 min.

Nettech Private Ltd.

www.nettech.in

Secure Socket Layer (SSL) It is based on a public encryption algorithm It is a protocol developed by Netscape for secure transactions across the Web It is stream-based consisting of three phases
6In initial handshake phase, secure communications are established In intermediate data transfer phase, application-toapplication dialog (with data encryption) occurs In closing handshake phase, connection is terminated

There are free SSL implementations


Nettech Private Ltd. www.nettech.in

Firewall (Access Control)

Nettech Private Ltd.

www.nettech.in

What is a Firewall? A set of related programs that protects the resources of a private network from users from other networks. A mechanism for filtering network packets based on information contained within the IP header. Options available
Commercial Firewall Devices (Watchguard, Cisco PIX) Routers (ACL Lists) Linux Software Packages (ZoneAlarm, Black Ice) Sneaker Net
Nettech Private Ltd. www.nettech.in

Firewalls Routers: easy to say allow everything but Firewalls: easy to say allow nothing but This helps because we turn off access to everything, then evaluate which services are mission-critical and have well-understood risks Note: the only difference between a router and a firewall is the design philosophy:
do we prioritize security, or connectivity ?
configurability, logging

Nettech Private Ltd.

www.nettech.in

Firewall setup Firewall ensures that the internal network and the Internet can both talk to the DMZ, but usually not to each other The DMZ relays services at the application level, e.g. mail forwarding, web proxying The DMZ machines and firewall are centrally administered by people focused on security full-time (installing patches, etc.);
its easier to secure 20 machines than 20,000

Now the internal network is safe (but not from internal attacks, modems, etc.)
Nettech Private Ltd. www.nettech.in

Typical firewall setup


evil Internet

DMZ internal network

Nettech Private Ltd.

www.nettech.in

Downside of firewalls

single point of failure difficult to integrate into a mesh network highlights flaws in network architecture can focus politics on the firewall administrator

Nettech Private Ltd.

www.nettech.in

Firewall using Packet Filtering

Nettech Private Ltd.

www.nettech.in

Packet Filters .. Firewalls

A Firewall can be at any layer between 35 Application-level gateways work at the application layer Packet-filters work at the network layer

User Applications Application Presentation Session Transport Network Data Link Physical

Nettech Private Ltd.

www.nettech.in

Why Filter?
Packets that are filtered increase security. Prevent ousiders from using services on a system. Prevent malicious attacks such as Denial of Service (DoS) and ping flood attacks. Control the flow of information. Prevent internal system users from using certain sites or types of protocols.

Nettech Private Ltd.

www.nettech.in

Packet Filtering
Should arriving packet be allowed in? Should a departing packet be let out? Filter packet-by-packet, making decisions to forward/drop a packet based on:
source IP address, destination IP address TCP/UDP source and destination port numbers ICMP message type TCP SYN and ACK bits ...

Data

Nettech Private Ltd.

www.nettech.in

Packet filtering

Packet filtering is not just filtering Changing Packets: Filters often able to rewrite packet headers Examine/modify IP packet contents only? Or entire Ethernet frames? Monitor TCP state?

Nettech Private Ltd.

www.nettech.in

Packet Filtering Limitations

Cannot Do: Allow only certain users in (requires application-specific information) Can do: Allow or deny entire services (protocols) Cannot Do: Allow, e.g., only certain files to be ftped

Nettech Private Ltd.

www.nettech.in

Packet Filtering in Linux History

1st generation: ipfw (from BSD) 2nd generation: ipfwadm (Linux 2.0) 3rd generation: ipchains (Linux 2.2) 4th generation: iptable (Linux 2.4, 2.6)

Nettech Private Ltd.

www.nettech.in

Packet Traversal in Linux

PreRouting

Routing Decision

Forward

PostRouting

Input

Local Processes

Output

Nettech Private Ltd.

www.nettech.in

The Rules Chain Concept


The most common method used by packet filtering for the organization of the filters is the rules chain. A rule chain contains a listing of each filter, or rule, that has been configured on the local system. Linux uses four main chains: Input packets traveling to the host Output packets leaving from the host Forward packets received by the host and will be forwarded by the host User Defined special type of chain created by the user that receives packets from the three main chains for processing Rules chains allow for complex filtering of data entering or leaving a system while making it easy to install and maintain the rules.

Nettech Private Ltd.

www.nettech.in

Linux Iptables/Netfilter

In Linux kernel 2.4 and 2.6, we use the netfilter package with iptables commands to setup the firewall. The old package called IPchains is deprecated. http://www.netfilter.org/

Nettech Private Ltd.

www.nettech.in

Iptables: http://www.netfilter.org/
What is iptables? iptables is the building block of a framework inside the Linux kernel. This framework enables packet filtering, network address translation (NAT), network port translation (NPT), and other packet mangling. iptables is a generic table structure for the definition of rulesets. Each rule with an IP table consists of a number of classifiers (iptables matches) and one connection action (iptable target). What can I do with iptables? build internet firewalls based on stateless and stateful packet filtering use NAT and masquerading for sharing internet access use NAT to implement transparent proxies do further packet manipulation (mangling) like altering the bits of the IP header
Nettech Private Ltd. www.nettech.in

iptables - Features (1)

Stateful filtering of TCP & UDP traffic


Ports opened & closed as clients use the Internet Presents a (mostly) blank wall to attackers

Related option for complex applications


Active mode FTP Multimedia applications (Real Audio, etc.)

Can filter on fragments

Nettech Private Ltd.

www.nettech.in

iptables - Features (2)

Improved logging options


User-defined logging prefixes Log selected packets (e.g., handshake packets)

Port Address Translation (PAT) Network Address Translation (NAT)


Inbound
Redirect to DMZ web server, mail server, etc.

Outbound
Group outbound traffic and/or use static assignment

Nettech Private Ltd.

www.nettech.in

iPtables chains

A chain is a sequence of filtering rules. Rules are checked in order. First match wins. Every chain has a default rule. If no rules match the packet, chain policy is applied. Chains are dynamically inserted/ deleted.

Nettech Private Ltd.

www.nettech.in

Built-in chains

1. INPUT: packets for local processes


1. No output interface

2. OUTPUT: packets produced by local processes


1. No input interface 2. All packets to and from lo (loopback) interface traverse input and output chains

3. FORWARD: for all transiting packets


1. Do not traverse INPUT or OUTPUT 2. Has input and output interface

4. PREROUTING 5. POSTROUTING

Nettech Private Ltd.

www.nettech.in

Network Address Translation (NAT)

Nettech Private Ltd.

www.nettech.in

Private Network Private IP network is an IP network that is not directly connected to the Internet IP addresses in a private network can be assigned arbitrarily.
Not registered and not guaranteed to be globally unique

Generally, private networks use addresses from the following experimental address ranges (non-routable addresses):
10.0.0.0 10.255.255.255 172.16.0.0 172.31.255.255 192.168.0.0 192.168.255.255
Nettech Private Ltd. www.nettech.in

Private Addresses

Nettech Private Ltd.

www.nettech.in

Network Address Translation (NAT)

NAT is a router function where IP addresses (and possibly port numbers) of IP datagrams are replaced at the boundary of a private network NAT is a method that enables hosts on private networks to communicate with hosts on the Internet NAT is run on routers that connect private networks to the public Internet, to replace the IP address-port pair of an IP packet with another IP address-port pair.
Nettech Private Ltd. www.nettech.in

Basic operation of NAT


Private network
Source = 10.0.1.2 Destination = 213.168.112.3 private address: 10.0.1.2 public address: 128.143.71.21

Internet

Source = 128.143.71.21 Destination = 213.168.112.3

NAT device

public address:

213.168.112.3

H1
Source = 213.168.112.3 Destination = 10.0.1.2 Source = 213.168.112.3 Destination = 128.143.71.21

H5

Private Address 10.0.1.2

Public Address 128.143.71.21

NAT device has address translation table


Nettech Private Ltd. www.nettech.in

Main uses of NAT

Pooling of IP addresses Supporting migration between network service providers IP masquerading Load balancing of servers

Nettech Private Ltd.

www.nettech.in

Pooling of IP addresses
Scenario: Corporate network has many hosts but only a small number of public IP addresses NAT solution:
Corporate network is managed with a private address space NAT device, located at the boundary between the corporate network and the public Internet, manages a pool of public IP addresses When a host from the corporate network sends an IP datagram to a host in the public Internet, the NAT device picks a public IP address from the address pool, and binds this address to the private address of the host

Nettech Private Ltd.

www.nettech.in

Pooling of IP addresses

Nettech Private Ltd.

www.nettech.in

Supporting migration between network service providers Scenario: In CIDR, the IP addresses in a corporate network are obtained from the service provider. Changing the service provider requires changing all IP addresses in the network. NAT solution:
Assign private addresses to the hosts of the corporate network NAT device has static address translation entries which bind the private address of a host to the public address. Migration to a new network service provider merely requires an update of the NAT device. The migration is not noticeable to the hosts on the network. Note: The difference to the use of NAT with IP address pooling is that the mapping of public and private IP addresses is static.
Nettech Private Ltd. www.nettech.in

Supporting migration between network service providers

Source = 128.143.71.21 Destination = 213.168.112.3 Source = 10.0.1.2 Destination = 213.168.112.3 private address: public address: 10.0.1.2 128.143.71.21 128.195.4.120

128.143.71.21

ISP 1 allocates address block 128.143.71.0/24 to private network:

NAT device
128.195.4.120

H1 Private network

Source = 128.195.4.120 Destination = 213.168.112.3

ISP 2 allocates address block 128.195.4.0/24 to private network:

Private Address 10.0.1.2

Public Address 128.143.71.21 128.195.4.120

Nettech Private Ltd.

www.nettech.in

IP masquerading Also called: Network address and port translation (NAPT), port address translation (PAT). Scenario: Single public IP address is mapped to multiple hosts in a private network. NAT solution:
Assign private addresses to the hosts of the corporate network NAT device modifies the port numbers for outgoing traffic
Nettech Private Ltd. www.nettech.in

IP masquerading

Nettech Private Ltd.

www.nettech.in

Load balancing of servers Scenario: Balance the load on a set of identical servers, which are accessible from a single IP address NAT solution:
Here, the servers are assigned private addresses NAT device acts as a proxy for requests to the server from the public network The NAT device changes the destination IP address of arriving packets to one of the private addresses for a server A sensible strategy for balancing the load of the servers is to assign the addresses of the servers in a round-robin fashion.
Nettech Private Ltd. www.nettech.in

Load balancing of servers

Nettech Private Ltd.

www.nettech.in

Concerns about NAT Performance:


Modifying the IP header by changing the IP address requires that NAT boxes recalculate the IP header checksum Modifying port number requires that NAT boxes recalculate TCP checksum

Fragmentation
Care must be taken that a datagram that is fragmented before it reaches the NAT device, is not assigned a different IP address or different port numbers for each of the fragments.

Nettech Private Ltd.

www.nettech.in

Concerns about NAT

End-to-end connectivity:
NAT destroys universal end-to-end reachability of hosts on the Internet. A host in the public Internet often cannot initiate communication to a host in a private network. The problem is worse, when two hosts that are in a private network need to communicate with each other.

Nettech Private Ltd.

www.nettech.in

Concerns about NAT

IP address in application data:


Applications that carry IP addresses in the payload of the application data generally do not work across a private-public network boundary. Some NAT devices inspect the payload of widely used application layer protocols and, if an IP address is detected in the applicationlayer header or the application payload, translate the address according to the address translation table.

Nettech Private Ltd.

www.nettech.in

Configuring NAT in Linux

Linux uses Netfilter/iptable package to add filtering rules to the IP module

Nettech Private Ltd.

www.nettech.in

Configuring NAT with iptable


First example: iptables t nat A POSTROUTING s 10.0.1.2 j SNAT --to-source 128.143.71.21 Pooling of IP addresses: iptables t nat A POSTROUTING s 10.0.1.0/24 j SNAT --to-source 128.128.71.0128.143.71.30 ISP migration: iptables t nat R POSTROUTING s 10.0.1.0/24 j SNAT --to-source 128.195.4.0128.195.4.254 IP masquerading: iptables t nat A POSTROUTING s 10.0.1.0/24 o eth1 j MASQUERADE Load balancing: iptables -t nat -A PREROUTING -i eth1 -j DNAT --to-destination 10.0.1.2-10.0.1.4

Nettech Private Ltd.

www.nettech.in

Connect with us at Facebook Visit www.facebook.com/nettech.in

Nettech Private Ltd.

www.nettech.in