MikroTik Router OS Network Threats and Countermeasures
Location: Wroclaw, Poland
Date: 1st of March
● Operate an ISP in the centre of Ireland.
● Good Infrastructure Expertise.
● Certified MikroTik Partners
– Training
– Certified OEM Integrators
– Consultants
– Distributor & Value Added Reseller
● Have been working in Industry since 2000
– Server Infrastructure Engineer
– Systems / Network Administrator
– IS Architect
– Internet Security Consultant
● 1st MikroTik Certified Trainer in June 2007 in Ireland
support of MikroTik Powered Appliances
● Ogma Connect's name comes from the Ancient God of Communications and eloquence whose name was Oghma
● Oghma was credited with the invention of the written language Ogham, which is found carved in stones that mark the land of ancient tribes throughout the once vast Celtic world in northern & western Europe
● We want people to be able to connect with each other eloquently, efficiently and elegantly
● Outline what a firewall can and can not do
● Strategies
● Structure the Firewall
– In a security centric manner
– Create policy based rule sets
● Protocol Specific Filtering
● OWASP http://owasp.org
● CIS Centre for Internet Security – http://cisecurity.org/
● NIST Computer Security http://csrc.nist.gov/
● Open BSD – http://OpenBSD.org/
● Spamhaus.org – http://spamhaus.org
● nmap.org – http://nmap.org
● ha.ckers.org – http://ha.ckers.org/
http://wirelessconnect.eu/ Copyright 2007 -2010 6
Firewall Systems
● One or more systems combined to achieve a desired security objective
● There are multiple ways firewall systems handle traffic
– Routing
– NATing
– Bridging
– Proxying
Firewall Design Objectives
● To implement a security policy by classifying, validating, logging and ultimately reacting to traffic
– Flowing to the system
– Flowing through the system
– Flowing from the system
● Legitimate / useful traffic for users and systems should:
– Not be Blocked
– Not be Corrupted
– Not be Slowed or Hampered Beyond Strict Tolerances
● Protect the users / systems behind it and Itself
– Entry interface
– Exit interface
– Source Address (Source Address List)
– Destination Address (Destination Address List)
– Address Types
– Protocol type (number)
– Protocol port (source and destination)
– Message type (ICMP)
– State of the Connection
– IP V4 Options
– TCP Flags
– Number of Concurrent Connections
– Packet Rate
– Packet Size
– Packet Fragmentation
– Layer 7 Packet Matching (unencrypted)
Protocol Validation / Filtration
– 2.5KB of data in the stream
– Inspection of encrypted data streams such as
● Ssh sessions
● Https
● Ipsec
● Proxies allow fine control over specific protocols :)
● For unsafe protocols proxies can help provide some damage limitation.

Proxy
What is a Proxy
● It is a service that accepts connections from a client and in turn makes a request to another server.
● 2 Connections for each Accepted Request
– Client to the proxy
– Proxy to the Server
● 1 Connection for each Rejected Request
● HTTP Firewall (understands http)
– RFC Compliance Checking
– Blocking non http protocols running on port 80
– Disable Certain Dangerous Requests
– Block Content
● However one can use Stunnel to decrypt the SSL Traffic
Example Http Reverse Proxy
● Web Client Makes Https Request
● Stunnel Decrypts the Request & forwards to Reverse Proxy
● Reverse Proxy Analyses Request
● Proxy Accepts & Relays Request
● Http Server Responds to Proxy Request
● Proxy forwards Response to Stunnel
● Client receives the Webpage
● What if the Proxy Says No?
● Proxy Sends Error Msg To Stunnel
● Client Receives Error Message
Http Proxy / Reverse Http Proxy
● Identical
● Http Proxy serves to protect clients
● Http Proxy can access any Server from a few clients
● Http Reverse Proxy can access few servers and is
● Http Proxy Utilises External DNS Servers for Name Resolution.
● Http Proxy uses a local DNS for Name Resolution
Changes
● Proxy Listens on Port 80 (or redirect to proxy port)
● Static local DNS entries are setup on reverse proxy
● External DNS servers point protected hostnames at the external IP of the Reverse Proxy
● Proxy is heavily firewalled, usual precautions apply
● Firewall Rules, no outbound connections allowed except for
– Http tcp port 80 to your webserver Network
– Syslog udp port 514
– NTP Server Requests udp port 123
Http Firewall
● Proxy access list provides option to filter
– DNS names
– Urls
– Filetypes
– Url paths designed to hack http servers
– Ports
– IP address
● You can make redirect to specific pages
– Home page of your website
– Custom Error Pages giving as much or as little information as you require
Http Firewall Building Approach
● Block Unwanted Requests for telnet, smtp, ftp ports
● Block Unwanted / Unrequired Http Methods
● Deny access to disallowed ports
● Deny Proxying access to Local Networks
● Deny Proxying access to any other system.
– HEAD
– GET
– POST
● Block potentially dangerous Types of HTTP Methods
– TRACE
– CONNECT
– DELETE
– PUT
– OPTIONS
Path Rule Example
● http://example.com/index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000

Web Proxy Access Rule
● Add an access rule as follows
Protecting sensitive files in poorly configured Servers
● Deny access to following url paths
– Any “.” Files in linux
– /etc/
– /etc/shadow
– /var/mysql/
– /var/log
– /system32
– /sysWOW
– /WinNT /Winnt
● by webservers e.g. ros.php = %2F%72%6F%73%2E%70%68%70
● http://example.com/ros.php
● =
● http://example.com%2F%72%6F%73%2E%70%68%70
● =
● http://example.com/72%6F%73.%70h%70
● Solution use Regular expressions :)
against an infamous flaw in IIS a few years ago.
● http://poorlyimplementedserver.com/../../WINNT/System32/CMD.exe
● We need to block .. and any ascii character codes for the same
● Required Expression = (\.|%2E)(\.|%2E)
● Regular Expressions are denoted in MTROS by entering a preceding “:”
● Path to block = :(\.|%2E)(\.|%2E)
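The following is an added example, not code from the presentation or from MikroTik, that shows what the slide's path regex catches once percent-encoding (the ros.php example above) and double-encoding are taken into account. The names decode_like_server, traversal_verdicts, check_path, DOTDOT_ANYCASE and DENY_SUBSTRINGS are assumptions of this example; the second regex extends the slide's to lowercase %2e.

```python
import re
from urllib.parse import unquote

# Regex from the slides: ".." written as literal dots or as %2E escapes.
DOTDOT_SLIDE = re.compile(r"(\.|%2E)(\.|%2E)")
# Assumed extension (not on the slides): web servers decode hex escapes
# case-insensitively, so %2e must be caught as well as %2E.
DOTDOT_ANYCASE = re.compile(r"(\.|%2[eE])(\.|%2[eE])")
# Assumed deny list built from the slide's sensitive paths, compared lowercase.
DENY_SUBSTRINGS = ("/etc/", "/var/mysql/", "/var/log", "/system32", "/syswow", "/winnt")


def decode_like_server(path):
    """Percent-decode the way a web server does before routing, repeated
    until stable so a double-encoded path (%252E -> %2E -> .) is unwrapped."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path


def traversal_verdicts(path):
    """Return (slide_regex_hits, anycase_regex_hits) for the raw path."""
    return (DOTDOT_SLIDE.search(path) is not None,
            DOTDOT_ANYCASE.search(path) is not None)


def check_path(path):
    """Verdict for one raw request path: 'deny:<reason>' or 'allow'."""
    if DOTDOT_ANYCASE.search(path):
        return "deny:dotdot"
    decoded = decode_like_server(path).lower()
    if DOTDOT_ANYCASE.search(decoded):      # catches the double-encoded form
        return "deny:dotdot-encoded"
    for needle in DENY_SUBSTRINGS:
        if needle in decoded:
            return "deny:sensitive-path"
    return "allow"


# Constructed sample paths; the first three come from the slides.
SAMPLES = [
    "/ros.php",
    "/%72%6F%73%2E%70%68%70",           # hex-encoded ros.php
    "/../../WINNT/System32/CMD.exe",
    "/%2e%2e/%2e%2e/etc/shadow",        # lowercase escapes
    "/%252E%252E/etc/passwd",           # double-encoded
    "/images/logo.png",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p:32} -> {decode_like_server(p):28} {check_path(p)}")
```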
Characters required for attacks
● The Following Characters can be used in attacks against web servers
– < > ( ) ; ^ , $ “ ` ' ~ * | \ # ! :
– “ Double Quotes
– ' Single Quotes
– ` Grave Accent
– %0A Line Feed
– %0D Carriage Return
● attacks against the web servers
– @@
– --
– ://
IP Address Obfuscation
● Wirelessconnect.eu IP address can be represented in the following ways
– Decimal – 89.184.47.93
– Dword Address – 1505242973
– Hex Address – 0x59.0xb8.0x2f.0x5d
– Octal Representation – 0131.0270.0057.0135
– Why Does this Work? – 89.0xb8.0057.0x5d
Combating IP Obfuscation
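An added example (not from the presentation or MikroTik) of the normalisation step a filter needs before it can compare a host against an address rule: it implements the classic inet_aton grammar the slide's "Why does this work?" line relies on, so every spelling above collapses to 89.184.47.93. The names canonical_ipv4 and is_obfuscated are this example's own.

```python
import re

# Part spellings accepted by inet_aton-style parsers: hex, octal, decimal.
_HEX = re.compile(r"0[xX][0-9a-fA-F]+")
_OCT = re.compile(r"0[0-7]*")
_DEC = re.compile(r"[1-9][0-9]*")


def canonical_ipv4(text):
    """Normalise any inet_aton-style spelling to dotted decimal.
    Returns None if the text is not an IPv4 address in that grammar."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        if _HEX.fullmatch(part):
            values.append(int(part, 16))
        elif _OCT.fullmatch(part):
            values.append(int(part, 8))
        elif _DEC.fullmatch(part):
            values.append(int(part, 10))
        else:
            return None
    # Classic rule: every part but the last is one byte; the last part
    # fills all remaining bytes ("1505242973" is a single 4-byte part).
    *head, last = values
    if any(v > 255 for v in head):
        return None
    remaining = 4 - len(head)
    if last >= 1 << (8 * remaining):
        return None
    addr = 0
    for v in head:
        addr = (addr << 8) | v
    addr = (addr << (8 * remaining)) | last
    return ".".join(str((addr >> shift) & 255) for shift in (24, 16, 8, 0))


def is_obfuscated(text):
    """True when the text is a valid address written in a non-canonical form."""
    canon = canonical_ipv4(text)
    return canon is not None and canon != text.strip()


if __name__ == "__main__":
    # the spellings from the slide
    for spelling in ("89.184.47.93", "1505242973", "0x59.0xb8.0x2f.0x5d",
                     "0131.0270.0057.0135", "89.0xb8.0057.0x5d"):
        print(f"{spelling:24} -> {canonical_ipv4(spelling)}  obfuscated={is_obfuscated(spelling)}")
```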
White Listing Example
● We want to allow GET, POST & HEAD to the webserver wirelessconnect.eu
● Remember to always put url path filtering rules above the host whitelist rules
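An added example, not the presenter's configuration or MikroTik's access-list implementation, that models an ordered proxy access list (first match wins, default deny) and shows why the path rule has to sit above the host whitelist: with the order reversed the whitelist matches the traversal request first. The rule model, the evaluate function and the constructed requests are assumptions of this example; the path regex is the slide's.

```python
import re

# Assumed rule model: fields set to None match anything; a path pattern
# starting with ":" is a regex, as on the slides, otherwise a substring.
DENY, ALLOW = "deny", "allow"


def rule(action, methods=None, host=None, path=None):
    return {"action": action, "methods": methods, "host": host, "path": path}


def _path_matches(pattern, path):
    if pattern.startswith(":"):
        return re.search(pattern[1:], path) is not None
    return pattern in path


def evaluate(rules, method, host, path):
    """Action of the first matching rule; DENY if nothing matches
    (the slides' 'deny proxying access to any other system')."""
    for r in rules:
        if r["methods"] is not None and method not in r["methods"]:
            continue
        if r["host"] is not None and host.lower() != r["host"]:
            continue
        if r["path"] is not None and not _path_matches(r["path"], path):
            continue
        return r["action"]
    return DENY


PATH_RULE = rule(DENY, path=r":(\.|%2E)(\.|%2E)")
METHOD_RULE = rule(DENY, methods={"TRACE", "CONNECT", "DELETE", "PUT", "OPTIONS"})
WHITELIST = rule(ALLOW, methods={"GET", "POST", "HEAD"}, host="wirelessconnect.eu")

# Slide's advice: path filtering rules above the host whitelist.
GOOD_ORDER = [PATH_RULE, METHOD_RULE, WHITELIST]
# Mis-ordered for comparison: the whitelist shadows the path rule.
BAD_ORDER = [WHITELIST, PATH_RULE, METHOD_RULE]

REQUESTS = [  # constructed requests: (method, host, path)
    ("GET", "wirelessconnect.eu", "/index.html"),
    ("GET", "wirelessconnect.eu", "/../../WINNT/System32/CMD.exe"),
    ("TRACE", "wirelessconnect.eu", "/"),
    ("GET", "example.com", "/"),
]

if __name__ == "__main__":
    for req in REQUESTS:
        print(req, "good order:", evaluate(GOOD_ORDER, *req),
              "bad order:", evaluate(BAD_ORDER, *req))
```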
POST HTTP Method Analysis
● Not Possible with MT HTTP Proxy
● Need web application knowledge.

Modular Firewall System Example
Firewall hardening
● Some of the checks may be duplicated, this is ok, belt and braces.
● Check for unusual TCP Flags and drop.
● Drop packets with invalid connection state
● Your Effort will complement and bolster your networking operating software provider's efforts to maintain security
● Ultimately you are responsible for your network's security
Firewall Best Practices
● Populate a Router with the Maximum RAM Configuration
● Use Connection Tracking to achieve state-full packet
● Disable Administration interfaces from External Interfaces
● Try where possible to use in interfaces rather than source ip address for establishing the level of trust that you have for the
Firewall System Best Practices
● Run as few network services on the firewall hardware as possible
● Turn off all Administration services that are not needed
● Do not use un-encrypted administration protocols
● Shore up un-encrypted services with IPSEC policies
– SNMP
– DNS (internal use not for customer use)
– Http fetch
● Shore up weak encrypted protocols with IPSEC policies
● If a service has a vulnerability your firewall can be
● Administration Services are particularly risky as they allow for the change of firewall configuration
● DNS Server services should be offloaded to a Hardened DNS Box
● NTP Server services should be offloaded to a Hardened NTP Box
● Can allow an attacker who can view the traffic to harvest
● IPSEC can eliminate this risk by securing the traffic with the best available FIPS grade cryptography protocols
● IPSEC can be used to increase confidence if encryption quality of an administration service is unknown.
More RAM – More Connections
● NSA Security Guide for Routers suggests that Perimeter routers /firewalls be configured with the maximum available RAM
● The More RAM you have the harder the device is to Crash due to memory exhaustion (DOS / DDOS attacks)
● MT ROS Devices are Optimised against RAM Exhaustion Attacks.
● The firewall can cope better in busy periods.
● Ogma Connect Routers are always Sold with the maximum Supported RAM available :)
● Wireless Connect Customers can avail of RAM upgrades for RB1000 & the New and Improved RB1100 :)
Hardware with multiple Physical Interfaces
● The More Interfaces the more you can isolate multiple untrusted interfaces.
● For Clients who require higher levels of Security assurance.
● Please Check Out my colleague Wardner Maia's Presentation on Layer 2 Threats and Countermeasures.
Hardware fit for the Job :)
● As you have seen from my colleague and friend Patrik Schaub's presentation on Mikrotik Datacentre products.

RB 1100
● 13 Interfaces :) so greater control of your network
● Available from Wireless Connect Shortly.

Ogma Connect 2500
● 11 GBE Interfaces by Default
● Up to 19 GBE with Expansion Cards
Connection Tracking
● ConTrack carries out the following essential tasks
– It monitors the state of all connections / requests flowing in the firewall
– Allows the firewall to dynamically open / close ports according to the connection state in the firewall
– Performs IP Packet Reassembly before inspection (prevents IP Fragment Attacks)
Filter Administration Services
● Minimise Risk from outside attacks
● Allow Flexibility of management internally

Firewall Setup Strategy
● Turn on connection tracking
● Break down the security policy into functional groups
● Granularly control settings within the chains /groups
● Make use of Address lists to group hosts together
List Objectives (policies)
● We want to
– Detect / Block Traffic to / from Invalid Addresses
– Detect / Block Traffic that has unusual characteristics
– Detect / Block Traffic from Port Scanners
– Detect / Block Traffic from Brute Force Hackers
– Once Traffic has been inspected don't keep reprocessing the same connection.
– Analyse Traffic originating from and Leaving router
– Protect Traffic Entering and destined for the router.
– Update some Rules dynamically (Self Defending Networks)
– Remove (Special Purpose Allocated Addresses)
● Allocated Special Purpose:
– Multicast Addresses (source addresses only) 224.0.0.0/4
● Broadcast Addresses 255.255.255.255
● Connected Network Broadcast addresses such as
– 192.168.0.255 if the router has an ip address of 192.168.0.x/24
– 192.168.0.127 if the router has an ip address of 192.168.0.x/25
● Private IP Addresses
● Test IP Addresses 192.0.2.0/24
● Loopback Addresses 127.0.0.0/8
Block invalid packets with IP Broadcast source address

Blocking IP Directed broadcast
● In forward chain create a rule with “destination address type” = Broadcast.
● Example of IP Directed broadcast 192.168.1.255
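An added example, not from the presentation or MikroTik, that turns the special-purpose list and the directed-broadcast rule above into a classifier: given the router's own interface addresses it derives the connected-network broadcast addresses (192.168.0.x/25 gives 192.168.0.127, as on the slide) and names the reason a source or destination should be dropped. The function names and the allow_private switch (for interfaces where private sources are legitimate) are this example's assumptions.

```python
import ipaddress

# Special-purpose ranges from the slides (checked on the source side).
SPECIAL = [
    ("multicast (source only)", ipaddress.ip_network("224.0.0.0/4")),
    ("test net", ipaddress.ip_network("192.0.2.0/24")),
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
]
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def connected_broadcasts(router_interfaces):
    """Directed-broadcast addresses of the router's connected networks,
    computed from its interface addresses in 'address/prefix' form."""
    return {ipaddress.ip_interface(i).network.broadcast_address
            for i in router_interfaces}


def classify_source(src, router_interfaces, allow_private=False):
    """Reason a packet with this source address should be dropped, or None.
    allow_private is an assumed switch for trusted internal interfaces."""
    ip = ipaddress.ip_address(src)
    if ip == LIMITED_BROADCAST:
        return "limited broadcast source"
    if ip in connected_broadcasts(router_interfaces):
        return "connected-network broadcast source"
    for name, net in SPECIAL:
        if ip in net:
            return name
    if not allow_private and any(ip in n for n in PRIVATE):
        return "private source on untrusted interface"
    return None


def classify_destination(dst, router_interfaces):
    """Forward-chain check: is the destination one of our directed broadcasts?"""
    if ipaddress.ip_address(dst) in connected_broadcasts(router_interfaces):
        return "directed broadcast"
    return None


if __name__ == "__main__":
    # constructed router: one /25 and one /24 as on the slide
    ifs = ["192.168.0.1/25", "10.0.0.1/24"]
    for src in ("192.168.0.127", "224.0.0.5", "192.0.2.10", "89.184.47.93"):
        print(src, "->", classify_source(src, ifs))
    print("192.168.1.255 ->", classify_destination("192.168.1.255", ["192.168.1.1/24"]))
```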
Block Bad People Dynamic updates
● Reference Spamhaus DROP List (Dont Route or Peer) updated Weekly
● Reference SANS ISC Top 10 – 10000 (optional if you wish)
● Bogons (un allocated not special Purpose) Updated circa every month
Updating Address Lists automatically
● Use a combination of Scheduler and Scripting tools, and Fetch.
● Fetch is very good because of the ability to use DNS Addresses for ease of management.
● Security Concerns...Updates traversing untrusted networks
– Use IPSEC Policy for fetch tool,
– ensure DNS Requests don't traverse untrusted networks
– or Use Static DNS

# Refresh the bogon address list: tag the current entries, fetch and import
# the new list, then drop the old entries only if the import added anything.
:global totalbogoncount;
:local oldbogoncount;
# mark every existing entry so it can be found and removed later
/ip firewall address-list set comment="oldbogons" [/ip firewall address-list find list=bogons_address_list]
:set oldbogoncount [/ip firewall address-list print count-only where list=bogons_address_list];
# download the new list (an .rsc script of address-list add commands) and import it;
# if the fetch fails the script stops here and the old entries stay in place
/tool fetch mode=http url="http://wirelessconnect.eu/store/images/bogonsnoprivate.rsc"
/import file-name=bogonsnoprivate.rsc
:set totalbogoncount [/ip firewall address-list print count-only where list=bogons_address_list];
# the import added entries, so the tagged old ones are safe to remove
:if ($oldbogoncount < $totalbogoncount) do={ /ip firewall address-list remove [/ip firewall address-list find comment="oldbogons"] }
Block Packets with Large Size
● Block Packets larger than 1500 bytes to protect legacy clients.

Block Un-needed IP Options
● Strict Source Route
● Loose Source Route
● Route Record
● Timestamp
● Router Alert (if not using RSVP)
Block Port Scanners
● Detect Nmap Scan types (TCP)
– Christmas Tree
– SYN FIN
– FIN
– ALL
– SYN/RST
● Detect TCP Directly / UDP Scans indirectly
– Detect using MT Port Scan
– Detect and drop scans using ICMP Messages out bound
– (Port Unavailable)
– Communications Prohibited
● Drop UDP Scans / Results of UDP Scans (ICMP)
● Add big offenders to Port Scanners blocking list
● obvious UDP Scanners
● Limit the speed of a scan for 120 ports per minute
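An added example, not the presenter's firewall rules or MikroTik's port-scan matcher, that runs the two detection ideas above over constructed packets: an exact match on the nmap flag combinations listed on the slide, and a sliding-window count of distinct ports per source with the slide's 120-ports-per-minute threshold. The flag-name encoding, the PortScanDetector class and the replay helper are assumptions of this example.

```python
from collections import defaultdict

# TCP flag combinations the slides name as nmap scan types. Assumed
# encoding (not from the slides): a packet's flags arrive as flag names.
ALL_FLAGS = frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG"})
SCAN_SIGNATURES = {
    "Christmas Tree": frozenset({"FIN", "PSH", "URG"}),
    "SYN FIN": frozenset({"SYN", "FIN"}),
    "FIN": frozenset({"FIN"}),        # lone FIN; a normal close is FIN+ACK
    "ALL": ALL_FLAGS,
    "SYN/RST": frozenset({"SYN", "RST"}),
}
PORT_LIMIT = 120      # slide: 120 ports per minute
WINDOW = 60.0


def tcp_scan_type(flags):
    """Name of the scan signature these flags match exactly, else None."""
    flags = frozenset(flags)
    for name, signature in SCAN_SIGNATURES.items():
        if flags == signature:
            return name
    return None


class PortScanDetector:
    """Counts distinct destination ports per source in a sliding window.
    UDP scans are fed indirectly: each outbound ICMP port-unreachable the
    firewall would emit counts as one probed port for that source."""

    def __init__(self):
        self.probes = defaultdict(list)     # src -> [(ts, port)]
        self.port_scanners = set()          # the "Port Scanners" address list

    def observe(self, ts, src, port, flags=()):
        """Feed one packet; return the reason src was listed, or None."""
        scan = tcp_scan_type(flags) if flags else None
        if scan:
            self.port_scanners.add(src)
            return scan
        events = self.probes[src]
        events.append((ts, port))
        events[:] = [(t, p) for t, p in events if ts - t < WINDOW]
        if len({p for _, p in events}) > PORT_LIMIT:
            self.port_scanners.add(src)
            return "rate"
        return None


def replay(packets):
    """Run constructed packets (ts, src, port[, flags]) and return the listed sources."""
    det = PortScanDetector()
    for pkt in packets:
        det.observe(*pkt)
    return det.port_scanners
```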
Blocking the UDP Attacker
● Use Add Dst Address to Address List action

Brute Force Detection
● Depends on server disconnection after failed authentication attempts.
● Requires that any one administration session is maintained as a continuous established connection.
● Based on some cool ideas from the MT User Community
– On First Connection (First authentication attempt) add src to Management Light Grey List
– On Second Connection add src to Management Grey List
– On Third Connection add src to Management Dark Grey List
– On Fourth Connection add src to Management Black List
● Then insert Rule to Block members of the Management Black List on the Router
Sending Protocols to bruteforce check
● Send selected protocols to the Brute Force Check Chain

Last Rule in Detection Chain
● Accept new connection as long as Src Address is not in the management Black List
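An added model of the grey-list escalation and the final accept rule described above; it is not the presenter's rule set or MikroTik's address-list implementation. It shows why the lists are tested darkest first (a source in Dark Grey is still in the lighter lists too) and why only new connections pass through the chain. The BruteForceChain class and the TIMEOUT expiry are assumptions of this example.

```python
from collections import defaultdict

# Escalation order from the slides: every further *new* connection from the
# same source moves it one list on; the fourth lands in the Black List.
LISTS = ("Management Light Grey List", "Management Grey List",
         "Management Dark Grey List", "Management Black List")
# Assumed (not stated on the slides): entries expire after TIMEOUT seconds,
# so one mistyped password does not escalate an admin forever.
TIMEOUT = 600.0


class BruteForceChain:
    """Models the detection chain for new admin connections. Established
    sessions never re-enter it, which is why the slides require a single
    continuous connection per session."""

    def __init__(self):
        self.lists = defaultdict(dict)      # list name -> {src: expiry}

    def member(self, name, src, now):
        expiry = self.lists[name].get(src)
        return expiry is not None and expiry > now

    def new_connection(self, now, src):
        """Run one new connection through the chain.
        Returns (list the source was added to, accepted?)."""
        added = None
        # Like ordered firewall rules: test the darkest list first, because a
        # source in Dark Grey is still in Grey and Light Grey as well.
        for i in (2, 1, 0):
            if self.member(LISTS[i], src, now):
                added = LISTS[i + 1]
                break
        if added is None and not self.member(LISTS[3], src, now):
            added = LISTS[0]
        if added is not None:
            self.lists[added][src] = now + TIMEOUT
        # Last rule in the chain: accept unless the source is black-listed.
        return added, not self.member(LISTS[3], src, now)


if __name__ == "__main__":
    chain = BruteForceChain()
    # constructed sequence: four quick reconnects from one source
    for t in (0, 5, 10, 15):
        print(t, chain.new_connection(t, "203.0.113.9"))
```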
Further Reading
● For more information on firewall rules click on Http://wirelessconnect.eu/layer3_subscriptions
● Sign up for an account and we will send you instructions for setting up the firewalls and Proxies when they are publicly released after the MUM
● http://wiki.mikrotikl.com