SANS Network Security 2000 - Nyxsrbrown/firewall/sans_ns2000.pdf · 8 SANS Network Security 2000 8...

1

SANS Network Security 2000

Cost Effective Methods forSecuring Small Networks

An Open Source Solution

http://www.nyx.net/~srbrown/firewall/sans_ns2000.pdf

Sean BrownApplied Geographics, [email protected]://www.nyx.net/~srbrown

2

versus

3

SANS Network Security 2000 3

Table of ContentsIntroduction 6Case Study: (Applied Geographics, Inc.) 8Objectives 12Firewall 14Encryption 19Intrusion Detection 23Conclusions 27References 31

4


What this Presentation IS…

• A case study in Open Source firewalls• An introduction and summary to Open

Source tools• A reference for further inquiry

5


What this PresentationIS NOT...

• A beginners guide to computer security• A firewalling HOWTO• A detailed guide for configuring a linux

firewall

6


Introduction and Problem

• Inexpensive high bandwidth accesseases Internet connectivity for smallbusinesses→Efficient access to Internet resources→Email, web, ftp services run locally→Easy access to internal resources when

away from office

Notes:• As high bandwidth Internet access becomes more readily

available at lower cost, many small companies are leveragingthe Internet to expand their market share and grow theirbusiness.

• High Bandwidth access allows internal users fast and easyaccess to resources on the Internet.

• Likewise, telecommuters, clients, and remote users are ableto gain access to local files and resources required fromremote support.

7


Introduction and Problem

• Security of local network resourcessacrificed for expediency and cost→Internal resources open to unauthorised

access→No means for detecting intrusion attempts

Notes:• Companies choosing to connect their internal LANS to the

Internet often sacrifice the security of local network resourcesfor the sake of expediency and cost.

• Additionally, a lack of knowledge often allows small businessowners to be easily lulled into a false sense of security afterinstalling the latest and greatest <insert favorite buzzwordhere> without any real understanding of their existingvulnerabilities.

• Resources are often opened for <World> access since this isthe easiest way to resolve permissions problems.

• Intrusion detection is non-existent.

8


Case Study: Applied Geographics, Inc. (Before)

• Minimal (or no) firewall protection• 50+ hosts• 10/100 switched ethernet• 416 Kbps SDSL• Network services hosted internally, i.e.

Email, Web, FTP

Notes:• Applied Geographics, Inc. (AGI) is a small, highly visible

Geographic Information Systems (GIS) consulting firm in Boston,Massachusetts. Primary business goals include providingsoftware and network consulting services to companies andmunicipal governments wishing to "Internet Enable" their GISmapping and data warehousing applications. A secondaryservice is to provide hosting services for these applications onAGI's network. This scenario is not uncommon in today's digitaleconomy and necessitates a secure environment so as to protectboth AGI and its clients.

• Network Description• The AGI network consists of approximately 50 network

hosts.• The network topology is 10/100 switched Ethernet with one

host per port.• Internet services are provided through a 416 Kbs SDSL

circuit to our ISP.• All network services except for external DNS are provided

within AGI's internal network, i.e. Email, Web, FTP.

9



• Linux firewall/router (2.0.34)• Open telnet access to firewall• Open anonymous ftp access

(upload/download)• Microsoft IIS web server with numerous

open ports and vulnerable services

Notes:• When I joined AGI, I was not surprised at the state of internal and

external network security.• The existing network configuration allowed users to telnet into the

"firewall" from remote sites and use it as a platform for gainingaccess to files on the internal network as needed for performingtheir jobs.

• No packet filtering• The firewall also acted as the ftp server allowing unregulated

anonymous ftp transfers, both uploads and downloads.• IIS Web server was located outside the firewall with numerous

unnecessary services running and no additional hardeningperformed (1), i.e.

• Removal of unused/exploitable services• Removal of sample applications and default virtual directories• Installation of latest patches and hotfixes

--(1) Multiple sites have information on hardening NT and IIS. I use

the following: http://www.microsoft.com/technet/security/iischk.aspand http://www.securityfocus.com/data/library/auscert_win.html

10



• Intranet with directory browsing enabled(open to external access)

• Email server not preventing spam relay• Logfiles unmonitored• Root passwords widely known

Notes:

• An intranet was configured on an internal Windows NTServer which allowed directory browsing of sensitivecompany files.

• This intranet server was also opened to outside accessthrough a web proxy on the firewall allowing externalbrowsers to access these files with plain text authentication.

• Email server not configured to prevent spam relay

• System logfiles on all servers were not centralised andunmonitored

• Root passwords were widely know by users (an example ofallowing world access if there are permissions problems withsome resources).

11



Router

C OL-AC T-ST A-

12 34 5 67 8 91 0111 2H S1 H S2 OK 1O K2 P S

C O NSO LE

10/100 EthernetSwitch

EmailWWW FTP

AGI NetworkSummary(Before)

TelnetIMAP

Local BrowsingAnonymous U/D FTP

Internet

"Firewall"

416 Kbps SDSL

12


Objectives

• Firewall - configured to properly secureinternal network resources

• Encrypted Authentication - eliminateplain text authentication for remoteaccess

• Intrusion Detection - detectunauthorised access attempts andmaintain system integrity

Notes:• I immediately established three primary goals vis-a-vis securing our

network without sacrificing accessibility and usability byauthenticated, authorised users.

• Firewall• Filter all network traffic between trusted and untrusted

network interfaces• Eliminate exposure to untrusted networks using a packet

filtering firewall, proxies for common network services, andmasquerading internal hosts

• Prevent unauthorised mail relay.• Encrypted Authentication

• Eliminate plain text transmissions over untrusted networkinterfaces including authentication, remote access, remoteterminal sessions, file transfers, and sensitive webtransactions.

• Intrusion Detection• Detect all unauthorised access to trusted network resources

by installing and configuring intrusion detection and loganalysis software

• Scan for backdoors, open vulnerable ports, and DDoS attacksoftware.

13


Objectives

• Solutions needed to be based oninexpensive or easily obtainablehardware, and software withunrestrictive licensing1, e.g. GNU GPL,public domain, etc.

Notes:Since cost is a factor in many small businesses, AGI

notwithstanding, solutions needed to be based oninexpensive or easily obtainable hardware, and software withnon-restrictive licensing such as GNU GPL open sourceprojects or public domain applications.

• GNU and EFF maintain much information on softwarelicensing for open source projects.

• End users are permitted to modify source code andredistribute under certain specified guidelines

14


Firewall<Hardware>

• Pentium 100MHz w/96MB RAM• Red Hat Linux2 v6.1 (Hardened)

→Remove references in /etc/inetd.conf→Enable TCP wrappers: /etc/hosts.deny and

/etc/hosts.allow→Only install apps necessary on firewall→Run Bastille Linux 1.13

Notes:• Firewall System• Spare outdated hardware

• Pentium 100MHz• 96MB RAM• 2GB IDE Hard Drive• 3 Intel 10/100 Pro NICs

• Operating System• Red Hat Linux 6.1 hardened to remove unnecessary

services and restrict access• Remove references in /etc/inetd.conf• Enable TCP wrappers: /etc/hosts.deny and

/etc/hosts.allow• Only install apps necessary on firewall• Run Bastille Linux 1.1

• Other OS options included OpenBSD and DebianLinux. Red Hat was chosen since it is the Linuxdistribution with which I am most familiar and I ownstock in the company ;-)

15


Firewall<Packet Filtering>

• IPChains4

→Latest Linux kernel5 (2.2.16) compiled withfirewall options

→IPChains application for configuringrulesets

Notes:Packet Filtering• Latest stable kernel (2.2.16) recompiled to enable firewall

options and remove unneeded overhead.• Config_firewall = Y• Config_IP_Firewall = Y

• Installed packet filtering software including:• IPChains - configure and manage packet filter rulesets• IPMASQADM - enable and manage NAT• IPFWD - enable arbitrary protocol forwarding (needed for

VPN configuration)

16


Firewall<Proxy Services>

• Trusted Information Systems FirewallToolkit (FWTK)6

→Proxy applications for email, web services,ftp, nntp

→Patches7 available for preventing spamrelay and enabling spam filtering

Notes:Proxies• Trusted Information Systems' Firewall Tool Kit (FWTK)• Proxy services for Email allow internal email servers to be

isolated from external connections• Proxies are also available for http, ftp, nntp, and arbitrary port

forwarding• FWTK is an open source application with wide end user

support in the form of patches to the FWTK base sourcecode. The patches enable a variety of added functionalityincluding spam and mail relay control

• FWTK has a restrictive license which among other things:• Prohibits redistribution of the source code• Does not allow use outside your organization• Prohibits commercial use and/or support of FWTK

outside your organization

17


Firewall<Masquerading and NAT>

• IP subnetting configured using reservedprivate addresses, i.e. 10.x.x.x/8,172.16.x.x/12, 192.168.x.x/16 (RFC1597)8

• Enable masquerading of internal hostsusing IPChains

Notes:• Internal network design uses RFC1597 reserved IP address

space for hosts on the LAN• Masquerading of internal hosts is enabled in the Linux kernel

on the firewall and controlled through the IPChains program

18


Firewall<Masquerading and NAT>

• Enable Network Address Translation(NAT) for necessary services→TCP/80: HTTP→TCP/143: IMAP→TCP/443: SSL→TCP/1723: PPTP→IP Protocol 47: GRE

• NAT enabled and managed throughIPMASQADM and IPFWD

Notes:• To enable external connections to specific internal network

resources, i.e. web and vpn servers, it is necessary to portforward specific ports:

• TCP/80: http services on numerous internal webservers

• TCP/443: ssl• TCP/1723: pptp control connection• TCP/143: IMAP• IP protocol 47: GRE

• IPMASQADM and IPFWD are used to manage NAT. Theymust be downloaded and installed before they can be used.

19


Encryption<Remote Access>

• Microsoft PPTP MSCHAPv2 to enableremote access through VPN9

→Adequate performance→Builtin to the OS or a free add-on→Documented vulnerabilities exist10

→Users need to weigh security needs vs.potential risks

Notes:• Remote access capabilities were a priority for the users at

AGI. As a consulting firm our employees travel extensivelyand require simple, secure access to AGI network files andresources.

• VPN configuration using PPTP and MSCHAPv2• Inexpensive (built into the OS or free add-on)• Performance is adequate to the needs at hand• Better than completely open transmissions.

• Numerous shortcomings in the PPTP and MSCHAPv2implementation and design

• Explore IPSEC options for client/server VPN connections.• Decision makers need to weigh both the cost of purchasing

and implementing an alternative VPN solution vs. potentialbenefits to added security. In AGI's case, the existingMicrosoft solution was sufficient for our needs.

20


Encryption<Terminal Sessions>

• OpenSSH11

→Configure for key and/or passwordauthentication

→Restricted to administrative use only (Me)

Notes:• Remote terminal sessions were unnecessary for normal

usage. However, it was necessary for administrative accessto the firewall.

• OpenSSH installed to allow secure terminal access• sshd configured to require the use of either a 1024-bit key

pair or the local user password• Restricted to administrative use only (Me)

21


Encryption<Authentication>

• SSL enabled Email and Web sessions→OpenSSL12 configured for self signed

certificates→Self signed CA certificates installed on

remote client laptops enabling trusted SSLserver authentication

Notes:• Authentication for additional services• OpenSSL installed to create a company-wide CA (Certificate

Authority)• Most web sites available for public access use a third-

party CA like Verisign or RSA Data Security to certifytheir SSL certificates.

• Self signing provides an easy way to certify your ownprivate access services without paying for the privilege.

• Company-wide root CA used to sign SSL digital certificatesfor AGI internal use

• AGI root CA certificate installed as a trusted authority on allcompany laptops and employee home systems

• Certifies that AGI web servers with certificates signedby the AGI root CA are in fact AGI web servers

• Avoids error messages when trying to access an AGIsite with an SSL certificate

22


Encryption<Authentication>

• 128-bit SSL enabled IMAP4 required foremail access→Outlook Express IMAP4 client→Netscape Messenger IMAP4 client

• 128-bit SSL required for Outlook WebAccess13

Notes:• 128-bit SSL enabled on all web servers where access to

sensitive data is required• All directory browsing is disabled• SSL configured for use with IMAP. This will allow users to

obtain their Email using a standard IMAP enabled Emailclient while encrypting the authentication

• SSL enabled for web access to email

23


IDS<Software>

• Tripwire v2.2.114

→Firewall system integrity→Soon to be an Open Source project for

Linux• Psionic Logcheck15

→System log processing and reporting→Works with TIS Firewall Toolkit log format→Rulesets easily configured for general

system auditing

Notes:• Intrusion Detection software installed to provide a means for

detecting unauthorised network traffic and maintaining system integrity.• System Integrity

• Tripwire v2.2.1 used for monitoring changes to firewall andcritical systems

• **Show Sample report• Policy and database files are encrypted• Policies for integrity checking are easily managed and

modified• Can be used to obtain a snapshot of your system after an

attack or system compromise• Tripwire is being Open Sourced (GPL) for the Linux OS

• Logcheck provides system log processing capabilities• System logs are parsed and irregularities or security issues

are extracted, formatted and emailed on a user configurablebasis

• Entries are extracted based on user configurable rulesets• Default rulesets are designed for use with the FWTK but are

easily configured for general system monitoring

24


IDS<Software>

• NTSyslog16

→Send Windows NT event log messages toa central syslog server

→Powerful monitoring tool used inconjunction with Psionic’s Logcheck

• SNORT17

→Open Source tool for realtime trafficanalysis and packet logging

→Multi-platform support

Notes:• System Integrity, cont.

• NTSyslog allows NT to send it's event logs to a centralsyslog server.

• Allows for centralised logging• A powerful monitoring tool when used in

conjunction with Logcheck on your syslog server• Packet Sniffing

• Snort is an Open Source project providing real-timenetwork traffic analysis and packet logging

• Snort is extremely configurable through rulesets• There is a high level of end user support for using and

writing your own rulesets

25


IDS<Prevention>

• Strong password policy→Six character minimum→Mix of case and special characters→Verify password strength with auditing

tools− L0phtcrack18 for NT auditing− Crack19 for Unix /etc/passwd auditing

Notes:• Password Policies• Algorithms used by password crackers like L0phtcrack are

extremely effective at brute forcing bad passwords.• At AGI, I recommend…

• Six character minimum• Mix of alphanumeric and special characters, e.g. @$&(,

etc• Password strength can be verified by using password

auditing tools• L0phtcrack against NT Domain registry• Crack against Unix passwd file

26


IDS<Prevention>

• TCP/UDP open port auditing→NMAP20 to verify open TCP/UDP ports on

firewall→PortSentry21 1.0 to detect and block

portscans

Notes:TCP/IP Port Auditing• Regular administrative portscans• Identify unknown open ports• Used in conjunction with good system logging• Provide signatures to help identify unauthorised portscans• Recognise deficiencies in your system logging• Tools for auditing open ports

• NMAP has many command-line options for testing yourlogging

• Stealth, xmas, null, syn, fin, spoofed,fragmented...you get the picture

• Widely available and commonly used makes it agood tool for obtaining portscan signatures

• PortSentry can listen for connects on user definedports and block future access attempts by automaticallyadding rules to packet filter rulesets, e.g. IPChains,Netfilter, and Ipfwadm (DON’T DO THIS!!)

27


Original Objectives

• Firewall - configured to properly secureinternal network resources

• Encrypted Authentication - eliminateplain text authentication for remoteaccess

• Intrusion Detection - detectunauthorised access attempts andmaintain system integrity

Notes:The solutions implemented at AGI have successfully addressed each

of these goals while keeping costs at a minimum.• Firewall

• Filter all network traffic between trusted and untrusted networkinterfaces

• Eliminate exposure to untrusted networks using a packetfiltering firewall, proxies for common network services, andmasquerading internal hosts

• Prevent unauthorised mail relay.• Encrypted Authentication

• Eliminate plain text transmissions over untrusted networkinterfaces including authentication, remote access, remoteterminal sessions, file transfers, and sensitive webtransactions.

• Intrusion Detection• Detect all unauthorised access to trusted network resources by

installing and configuring intrusion detection and log analysissoftware

• Scan for backdoors, open vulnerable ports, and DDoS attacksoftware.

28


Case Study: Applied Geographics, Inc. (After)

Router

CO L-AC T-ST A-

1 2 34 56 7 89 101 112H S1 HS 2 OK 1O K2 PS

CO NS OL E

10/100 EthernetSwitch

FTPEmail WWW VPN

AGI NetworkSummary

(After)

SSHSSL IMAP

VPNControlled FTP

Internet

"Firewall"

416 Kbps SDSL

29


Cost Summary

Component Approximate CostFirewall (hardware) $200Firewall (OS) $0Firewall (Proxy/Packet Filter SW) $0SSH (Server/Client SW) $0SSL (CA & Server Certificate) $0VPN (Server/Client SW) $0Password Auditing SW $0IDS (Tripwire, Logcheck, & Snort) $0Port Scanning Tools $0

Total Cost $200

Notes:• Overall hardware and software costs for the security

upgrades amounted to the cost of the Pentium system usedfor the firewall (approx. $200). Since the work was done in-house, the implementation and configuration was carried outas part of my job as System Administrator rather than hiringoutside consultants.

30


Brevity is the soul of wit…

- Shakespeare

31


References1. GNU General Public License,

http://www.gnu.org/philosophy/license-list.html2. Red Hat Linux Version 6.1, Red Hat Software,

Inc., http://www.redhat.com3. Bastille Linux 1.1.0, http://www.bastille-linux.org/4. IPChains Version 1.3.9,

http://netfilter.kernelnotes.org/ipchains5. Linux Kernel 2.2.16, http://www.kernel.org6. Firewall Toolkit (FWTK) Version 2.1, Trusted

Information Systems, http://www.fwtk.org7. Miscellaneous user developed patches for the TIS

FWTK 2.1 package,http://www.fwtk.org/fwtk/patches

8. Internet Engineering Task Force Request forComments, http://www.ietf.org/rfc.html

32


References9. Microsoft VPN Solutions, Microsoft, Inc.

http://www.microsoft.com/ISN/whitepapers.asp10.Schneier, Bruce and Mudge, "Cyptanalysis of

Microsoft's PPTP Authentication Extensions (MS-CHAPv2)", October 1999,http://www.counterpane.com/pptpv2-paper.html

11.OpenSSH Version 2.1.1, The OpenBSD Project,http://www.openssh.com

12.OpenSSL Version 0.9.5a, The OpenSSL Project,http://www.openssl.org

13.Outlook Web Access for Microsoft Exchange ServerVersion 5.5,http://www.microsoft.com/exchange/en/55/help/default.asp

33


References14.Tripwire Version 2.2.1, Tripwire, Inc.,

http://www.tripwire.com15.Logcheck Version 1.1.1, Psionic Software, Inc.

http://www.psionic.com/abacus/logcheck/16.NTSyslog Version 1.5, Sabernet.net

http://www.sabernet.net/software/ntsyslog.html17.Snort Version 1.6.2.2, Marty Roesch,

http://www.snort.org18.L0phtcrack Version 2.52, L0pht Heavy Industries,

Inc. http://www.l0pht.com/l0phtcrack19.Miscellaneous Unix Authentication tools,

Computer Incident Advisory Capability (CIAC),http://ciac.llnl.gov/ciac/ToolsUnixAuth.html

34


References20.NMAP Version 2.52, Fyodor

http://www.nmap.org/nmap/index.html21.Psionic Portsentry Version 1.0, Psionic Software,

Inc. http://www.psionic.com/abacus/portsentry

Date post:	19-Jun-2020
Category:	Documents
Upload:	others
View:	7 times
Download:	0 times

SANS Network Security 2000 - Nyxsrbrown/firewall/sans_ns2000.pdf · 8 SANS Network Security 2000 8...

Documents