Page 1: CMPT 471 Networking II: Filtering, Wrappers, Proxies
© Janice Regan, 2006-2013

Page 2: Packet Filtering
A basic technique for providing network security.
Most often done by the router or multi-homed host connecting the local network to the outside world (the Internet), so security is provided at one location.
The router may be implemented on a Linux host using ipchains or iptables (software in the host), or it may be a dedicated piece of hardware with onboard software.

Page 3: Packet Filtering
Normally a router examines the IP destination address, determines where to forward each packet, and runs software that updates and maintains the routing tables on which forwarding is based.
A packet filtering router also examines the packet headers to determine whether they are consistent with the security policy. If they are, the packet is forwarded; if not, the packet is dropped (and logged).

Page 4: Packet Filtering Router
Allows you to determine the type of packets that should be passed between the Internet and your internal network, based on information in each packet's headers:
MAC header (link layer): source and destination Ethernet addresses, arriving and departing interface, protocol type.
IP header (network layer): source and destination IP address, IP options.

Page 5: Summary: Linux Packet Filtering

  Arriving packets --> routing ------> FORWARD chain ------> Outgoing packets
                          |                                        ^
                          v                                        |
                     INPUT chain --> Local processes --> OUTPUT chain --> routing

Packets addressed to this host pass the INPUT chain before reaching local processes; packets generated by local processes pass the OUTPUT chain and are then routed; packets in transit through the host pass only the FORWARD chain.

Page 6: Packet Filtering Router (continued)
Filtering can also be based on the transport and control protocol headers (ICMP, UDP, TCP, IGMP): message types, source and destination port numbers, TCP control flags, ...

Page 7: Filtering a Packet
When a filter is applied to a packet, one or more of the following actions may occur:
Forward the packet to its destination
Drop the packet without notifying the sender
Drop the packet and return an error message to the sender
Log information about the packet (for possible later analysis)
Notify an administrator about the packet (for potentially dangerous packets)

Page 8: Filtering a Packet
The filtering of a packet may also cause:
Modification of the packet (e.g. translating addresses for NAT)
Sending the packet to a destination other than the one given in its header (e.g. to a proxy rather than to the final destination)
Sending the packet to one of a list of destinations (servers) for load balancing
Modification of the filtering rules (e.g. accept replies to a UDP packet that was sent out, but not UDP packets in general; or deny all traffic from an address that sent the filtering router a hostile packet)

Page 9: What to Filter? Some examples
Remove suspicious packets that may be a danger to the network behind the filters. For example, packets arriving from outside the network with a source address inside the local network (forged, or due to a leak).
Limit contacts (usually by IP address; Ethernet addresses are also used):
Limit the addresses that can be contacted from within the network
Limit the addresses from which packets can gain access into the network
Limit the protocols available

Page 10: What to Filter? Some examples
Allow/disallow IP options (screening individual options is more expensive). Source routing or traceroute can be used to gain information about your private network and can be a large security hole.
Fragmentation can be used to attack a system.
Screen which services you make available to those outside your firewall and within your firewall. Services using specific ports can be blocked by filtering out all packets to the designated ports. You may want to block "dangerous" services like TFTP, X Windows and remote login services.

Page 11: Limiting contacts
Limit the addresses that can be contacted from within the network: allow only particular blocks of addresses, attach only to needed sites, disallow contact with inappropriate sites.
Limit the addresses from which packets can gain access into the network: block troublesome sites (spammers, ...), or allow only trusted sites.

Page 12: Limiting contacts: problems
These contact-limiting filters, based on source (or destination) address, are not foolproof.
Remember that it is possible to spoof (make it appear that the packet is coming from an acceptable IP address). All that is needed is some software to custom-build packets.
A sender on a host you have filtered out can still get packets into your system by making them appear to come from a host you trust.

Page 13: Limiting contacts: addressing the problems
The only way to be sure that packets are really coming from where they indicate, and have not been changed or created en route, is to require that the packets be authenticated.
Authentication along with address filtering is more effective than address filtering alone.
Note that we can filter on destination or source address but not on user: the user is not a property stored in the headers.

Page 14: Limiting Protocols: protocol checking
You may disallow protocols that use particular well-known ports by filtering out any packets bound for those ports (about to be sent or received).
You may allow some protocols by opening, or leaving open, the well-known ports they use. But it is possible to write an application that uses a well-known port for a purpose other than the protocol normally assigned to it.
It is possible to send malformed packets to the ports. This is a component of some well-known attacks.
You should filter to remove packets destined for well-known open ports that do not conform to the format of the expected protocol.

Page 15: Fragmentation and filtering
Only the first fragment of a fragmented IP datagram contains the TCP or UDP header. The other fragments cannot be filtered using rules based on port numbers (no TCP or UDP header, so no port numbers).
Since an IP stack will throw the datagram away unless all fragments are received, a stateless filter can filter the first fragment and rely on IP to throw away the rest. This may work for incoming packets, but it is not always sufficient for protecting outgoing packets.

Page 16: Fragmentation and filtering
Consider outgoing packets. They can have two sources:
A legitimate internal user sending a packet out through your firewall. This is a very difficult way for a malicious internal user to get data out; there are many easier ways, and you cannot protect against this.
A hacker who has managed to send a packet into your system that requested a large packet be returned. In this second case the correct approach is to protect the system against the request packet.

Page 17: Fragmentation and filtering
If a hacker does manage to get your system to send a large packet that must be fragmented (perhaps a copy of a password database!), everything in that packet except the first fragment will be passed by a packet filter whose outbound rules match on port numbers: all fragments but the first are passed through the firewall to the Internet.
The hacker can capture the fragments and compromise the network's security by accessing their contents.

Page 18: Other problems with fragments
In normal operation fragments will not overlap.
Attackers (and sometimes bugs) may purposely send fragments that do overlap.
OSs react differently to overlapping fragments, and many of them react very badly:
Denial of service attacks: overlapping fragments slowing or crashing the OS
Hiding of damaging data that would otherwise be filtered

Page 19: Solving problems with fragments
Easiest approach: do not allow fragmentation. This can cause a connection to fail when a fragmented packet is sent/received (difficult to debug).
Preferred approach: have the firewall hold the fragments and reassemble them before forwarding (re-fragmentation may then be necessary). This leaves the firewall open to denial of service attacks when an attacker sends a large number of fragments to saturate the firewall.

Page 20: Solving problems with fragments
It is usually not possible for the firewall to predict what the final reassembled packet will be in the cases where the fragments overlap.
In regions where fragments overlap, the final contents of the reassembled packet are OS implementation dependent. The contents may be taken from the first fragment that arrived, the last fragment that arrived, the earliest fragment in the packet, or the latest fragment in the packet.
Prediction before forwarding is not practical.
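The following is an added example, not code from the lecture: it reassembles the same pair of overlapping fragments under the four policies page 20 names, so the point of pages 15, 18 and 20 can be seen directly. The fragment contents and their arrival order are constructed; a real attacker would of course pick the overlap to suit the victim's stack.

```python
"""Added example (not from the lecture): reassemble two overlapping fragments
under the four policies page 20 names, to show why a filter cannot predict the
datagram the end host will see (pages 15, 18 and 20).  Fragment contents and
arrival order are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Fragment:
    offset: int      # byte offset of this fragment within the original datagram
    data: bytes
    arrival: int     # order in which the fragment reached the host (0 = first)


def _wins(new: Fragment, cur: Fragment, policy: str) -> bool:
    """Does `new` take an overlapped byte currently owned by `cur`?"""
    if policy == "first-arrived":
        return new.arrival < cur.arrival
    if policy == "last-arrived":
        return new.arrival > cur.arrival
    if policy == "earliest-in-datagram":   # lower offset wins the overlap
        return new.offset < cur.offset
    if policy == "latest-in-datagram":     # higher offset wins the overlap
        return new.offset > cur.offset
    raise ValueError(f"unknown policy {policy!r}")


def reassemble(frags: List[Fragment], policy: str) -> bytes:
    total = max(f.offset + len(f.data) for f in frags)
    buf = bytearray(total)
    owner: List[Optional[Fragment]] = [None] * total
    for f in frags:
        for i, byte in enumerate(f.data):
            pos = f.offset + i
            if owner[pos] is None or _wins(f, owner[pos], policy):
                buf[pos] = byte
                owner[pos] = f
    return bytes(buf)


POLICIES = ("first-arrived", "last-arrived", "earliest-in-datagram", "latest-in-datagram")


def outcomes(frags: List[Fragment]) -> Dict[str, bytes]:
    """What each kind of host ends up with for the same set of fragments."""
    return {p: reassemble(frags, p) for p in POLICIES}


def port_filter_sees(frags: List[Fragment]) -> List[bool]:
    """Page 15: only the fragment at offset 0 carries the transport header, so a
    port-based rule can only ever match that one."""
    return [f.offset == 0 for f in frags]


# Constructed attack: the innocuous first fragment is sent SECOND; the
# overlapping fragment that arrives first rewrites the request path.
HARMLESS = Fragment(offset=0, data=b"GET /safe.html  ", arrival=1)
OVERLAP = Fragment(offset=4, data=b"/etc/passwd ", arrival=0)
SAMPLE = [OVERLAP, HARMLESS]

if __name__ == "__main__":
    for policy, result in outcomes(SAMPLE).items():
        print(f"{policy:22} {result!r}")
    print("port filter can inspect:", port_filter_sees(SAMPLE))
```

Two of the four policies yield the harmless request and two yield the harmful one, from identical input. A filter that forwards the fragments therefore cannot know which the receiver will see; the only safe choices are the two on page 19, refusing fragments or reassembling them on the firewall and applying the rules to the result.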

Page 21: Source Routing
May provide information about your private network that you do not wish to publish.
Allows information to be extracted from your network. Spoofing alone will not do it: you can get information in, but you have lied about your address, so you will not get any replies.
However, source routing can be used to conceal the identity of the true sender.

Page 22: Source Routing
If you construct a source-routed packet with your address as one of the intermediate addresses in the source route, and the acceptable address as the source of the packet, you may be able to intercept the resulting reply on the way back.
IPv6 prohibits this by preventing the return of packets along a source route unless the source of those packets has been authenticated. (The IPv6 Type 0 routing header that carried source routes was later deprecated outright by RFC 5095, and IPv4 hosts are normally configured to discard source-routed packets, e.g. with the Linux sysctl net.ipv4.conf.all.accept_source_route=0.)

Page 23: Source Routing Example
Suppose hosts F and T are friendly, and host H is a hacker trying to attack host F.
A packet is sent from H to T which H claims comes from F. (.r indicates the receiving interface, .t the transmitting interface.)

  Src   Dst    LIST                 Note
  F     R3.r   R1.t, H.t, T         packet as transmitted from H
  F     T      R1.t, H.t, R3.t      rewrite as packet leaves R3

Page 24: Source Routing Example (continued)
When T receives the packet it will construct the reply using source routing, with the source route order reversed.

  Src   Dst    LIST                 Note
  T     R3.t   H.t, R1.t, F         return packet as transmitted from T
  T     H.t    R3.r, R1.t, F        rewrite as packet leaves R3

H intercepts the packet and does not forward it.
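The exchange on pages 23 and 24, as an added example that is not part of the lecture: the packet is processed hop by hop the way RFC 791 loose source routing specifies (at each listed hop the next address becomes the destination and the hop records its own address in the slot it consumed), the reply reverses the recorded path, and H is shown to receive the reply before F. Node names F, T, H, R1 and R3 are the lecture's; collapsing the .r/.t interfaces to one address per node is an assumption of this example.

```python
"""Added example (not from the lecture): the loose-source-route exchange of
pages 23 and 24, processed hop by hop as RFC 791 specifies.  Interfaces
(.r/.t) are collapsed to one address per node, which is an assumption."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    route: List[str]      # source-route list; slots before `ptr` hold the recorded path
    ptr: int = 0          # index of the next hop to use
    payload: bytes = b""


def process_at(pkt: Packet, node: str) -> Packet:
    """Called when `pkt` reaches the node named in pkt.dst."""
    if pkt.dst != node:
        raise ValueError(f"{node} received a packet addressed to {pkt.dst}")
    if pkt.ptr >= len(pkt.route):
        return pkt                      # final destination: route now holds the path taken
    next_hop = pkt.route[pkt.ptr]
    pkt.route[pkt.ptr] = node           # record this node where the next hop used to be
    pkt.dst = next_hop
    pkt.ptr += 1
    return pkt


def deliver(pkt: Packet, intercept_at: Optional[str] = None) -> List[str]:
    """Walk the packet along its source route and return the nodes it visited.
    `intercept_at` models page 24: that node keeps the packet and does not forward it."""
    visited: List[str] = []
    while True:
        node = pkt.dst
        visited.append(node)
        if node == intercept_at:
            return visited
        process_at(pkt, node)
        if pkt.dst == node:             # process_at left dst alone: delivered
            return visited


def build_reply(request: Packet, replier: str, payload: bytes) -> Packet:
    """Page 24: T reverses the recorded route and puts the original source last."""
    reversed_path = list(reversed(request.route)) + [request.src]
    return Packet(src=replier, dst=reversed_path[0], route=reversed_path[1:], payload=payload)


def forged_request() -> Packet:
    """Page 23: H sends a packet to R3 claiming to be F and claiming it already
    passed through R1 and H (ptr=2), with T as the remaining hop."""
    return Packet(src="F", dst="R3", route=["R1", "H", "T"], ptr=2, payload=b"request")


def source_routed(pkt: Packet) -> bool:
    """The rule pages 10 and 22 call for: refuse any packet that carries a source route."""
    return len(pkt.route) > 0


if __name__ == "__main__":
    req = forged_request()
    print("request visits", deliver(req), "recorded route", req.route)
    rep = build_reply(req, "T", b"secret reply")
    print("reply visits  ", deliver(rep, intercept_at="H"), "stopped at H with", rep.route)
```

Run stand-alone, the request ends at T with the recorded route R1, H, R3 (page 23, second row); the reply leaves T addressed to R3 with the list H, R1, F (page 24, first row) and is next addressed to H (page 24, second row), where H keeps it. The `source_routed` check is the whole defence: a filtering router that drops packets carrying a source route never lets the forged request in.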


Page 26: Built-in Linux filtering function
There are three built-in 'chains', INPUT, FORWARD and OUTPUT, where you can place packet filtering rules. The iptables command is used to administer each chain.
Rules in the INPUT chain are applied to packets that are destined for processes running on the local host.
Rules in the OUTPUT chain are applied to packets that are generated by processes running on the local host.
Rules in the FORWARD chain are applied to packets that arrive at this host and will be immediately forwarded to another host.
Within a chain the rules are tried in order and the first match decides; a packet that matches no rule gets the chain's default policy.
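An added example, not code from the lecture or from iptables itself: a small model of the three chains of page 26 with the anti-spoofing rule of page 9 and the port blocking of page 10, including the routing decision from the page 5 diagram that picks INPUT or FORWARD. The interface names, the router's addresses, the inside prefix and the packets at the bottom are all assumptions of this example.

```python
"""Added example (not from the lecture): an iptables-style filter with the
INPUT/FORWARD/OUTPUT chains of page 26 and the anti-spoofing and port policy of
pages 9 and 10.  Interface names, the router's addresses and the inside prefix
are assumptions; the packets at the bottom are constructed test input."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

OUTSIDE, INSIDE = "eth0", "eth1"                          # assumed interface names
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")       # assumed inside prefix
ROUTER_ADDRS = {ipaddress.ip_address("192.0.2.1"),        # assumed router addresses
                ipaddress.ip_address("203.0.113.1")}
BLOCKED_PORTS = {69, 513, 514, 6000}                      # TFTP, rlogin, rsh, X11 (page 10)


@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    frag_offset: int = 0        # > 0 means a non-first fragment: no L4 header, no ports


@dataclass
class Rule:
    name: str
    match: Callable[[Packet], bool]
    target: str                 # ACCEPT, DROP or REJECT


def select_chain(pkt: Packet) -> str:
    """The routing decision of the page 5 diagram: packets addressed to the
    router itself go to INPUT, everything else is transit and goes to FORWARD."""
    return "INPUT" if ipaddress.ip_address(pkt.dst) in ROUTER_ADDRS else "FORWARD"


def spoofed_internal_source(p: Packet) -> bool:
    # page 9: arrives on the outside interface but claims an inside source address
    return p.in_iface == OUTSIDE and ipaddress.ip_address(p.src) in INTERNAL_NET


def to_blocked_port(p: Packet) -> bool:
    return p.proto in ("tcp", "udp") and p.dport in BLOCKED_PORTS


def non_first_fragment(p: Packet) -> bool:
    return p.frag_offset > 0


def ssh_from_inside(p: Packet) -> bool:
    return p.in_iface == INSIDE and p.proto == "tcp" and p.dport == 22


CHAINS: Dict[str, List[Rule]] = {
    "INPUT": [
        Rule("antispoof", spoofed_internal_source, "DROP"),
        Rule("no-fragments-to-router", non_first_fragment, "DROP"),
        Rule("blocked-service", to_blocked_port, "REJECT"),
        Rule("ssh-from-inside", ssh_from_inside, "ACCEPT"),
    ],
    "FORWARD": [
        Rule("antispoof", spoofed_internal_source, "DROP"),
        Rule("blocked-service", to_blocked_port, "REJECT"),
    ],
    "OUTPUT": [],
}
POLICY = {"INPUT": "DROP", "FORWARD": "ACCEPT", "OUTPUT": "ACCEPT"}   # chain defaults


def filter_packet(pkt: Packet, log: List[str]) -> str:
    """First matching rule decides; the chain's default policy applies otherwise."""
    chain = select_chain(pkt)
    for rule in CHAINS[chain]:
        if rule.match(pkt):
            log.append(f"{chain} {rule.name} {rule.target} {pkt.src}->{pkt.dst}")
            return rule.target
    return POLICY[chain]


if __name__ == "__main__":
    log: List[str] = []
    # constructed packets: forged inside source from outside, TFTP from outside,
    # ordinary HTTPS, and SSH to the router from inside
    for p in (Packet(OUTSIDE, "192.0.2.7", "192.0.2.50", "tcp", 80),
              Packet(OUTSIDE, "198.51.100.9", "192.0.2.50", "udp", 69),
              Packet(OUTSIDE, "198.51.100.9", "192.0.2.50", "tcp", 443),
              Packet(INSIDE, "192.0.2.50", "192.0.2.1", "tcp", 22)):
        print(select_chain(p), filter_packet(p, log))
    print("\n".join(log))
```

Note the ordering trap page 28 warns about: if `ssh-from-inside` were placed before `antispoof` in INPUT, a packet forged from outside with an inside source and destination port 22 would be accepted, because the first match wins.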

Page 27: Advantages of Packet Filtering
One screening router can be used to protect a whole network.
The simplest filters are extremely efficient in comparison to alternative solutions like proxies.
Many applications and filtering systems are easily available, both commercial and freeware.

Page 28: Disadvantages of Packet Filtering
Filtering rules can be difficult to configure.
Filtering rules can be hard to test.
Filtering rules can interact with each other and produce unexpected results.
Not all protocols can be intercepted with filtering.
Not all policies can be implemented using filtering.
Packet filtering reduces router performance.
Failures in filtering packages or sets of filtering rules may cause security breaches that do not cause failure of the filtering application.

Page 29: Wrappers: 1
Filtering works using the header information only. To use further information (application-level contents), use a wrapper to encase the application.
Rather than executing the application directly, the wrapper is executed. It checks the commands and parameters being passed and looks for 'dangerous' inputs or outputs:
Check inputs to detect buffer overflow attacks
Check outputs to prevent sending of proprietary data from your site
May log traffic

Page 30: Wrappers: 2
When convinced the packet is safe, the wrapper calls the application and passes on the packet. If the application wants to send a reply, the reply packet is sent to the wrapper; the wrapper checks it and sends it on.
Wrappers can also be used to:
Probe for more information about the client
Log requests and replies
Provide messages informing potential clients of alternative available methods of communication

Page 31: Example: Why use wrappers
Preventing buffer overflow attacks.
Simple approach: some character sequences can be expanded to very large blocks of characters. These large blocks may overflow a buffer, corrupting the stack frame beyond the end of the buffer.
More sophisticated approach: direct the attack, making the buffer overrun overwrite the return address of a subroutine. When the subroutine returns it will return to the attacker's code rather than the originally intended code.
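An added example, not code from the lecture: a wrapper in the style of pages 29 to 31 that sits between the network and a small lookup service. It refuses clients outside an allowed range, rejects over-long arguments and expansion sequences before the service sees them (the input check page 31 motivates), and refuses replies that carry proprietary data (the output check of page 29). The service, the limits, the patterns and the addresses are assumptions of this example.

```python
"""Added example (not from the lecture): a wrapper in the style of pages 29 to
31 around a small lookup service.  The service, limits, patterns and addresses
are assumptions."""
import ipaddress
from typing import Callable, List, Optional

ALLOWED_CLIENTS = [ipaddress.ip_network("192.0.2.0/24")]      # assumed trusted range
MAX_ARG_LEN = 64          # assumed size of the wrapped program's fixed argument buffer
EXPANSIONS = (b"%n", b"$(", b"`", b"${")   # assumed sequences the wrapped program would expand
SECRET_MARKER = b"CONFIDENTIAL"           # assumed tag carried by proprietary records


def check_request(client_ip: str, line: bytes) -> Optional[str]:
    """Return a rejection reason, or None if the request may be passed on."""
    addr = ipaddress.ip_address(client_ip)
    if not any(addr in net for net in ALLOWED_CLIENTS):
        return "client not allowed"
    body = line.rstrip(b"\r\n")
    if any(b < 0x20 or b > 0x7E for b in body):
        return "non-printable byte in request"
    if any(seq in body for seq in EXPANSIONS):
        return "expansion sequence in request"
    if any(len(arg) > MAX_ARG_LEN for arg in body.split()):
        return "argument longer than the service's buffer"
    return None


def check_reply(reply: bytes) -> Optional[str]:
    return "proprietary data in reply" if SECRET_MARKER in reply else None


def wrapped(service: Callable[[bytes], bytes], client_ip: str, line: bytes,
            log: List[str]) -> bytes:
    """Page 30: the wrapper runs first, calls the application only if the
    request passes, and checks the application's reply before sending it on."""
    reason = check_request(client_ip, line)
    if reason:
        log.append(f"deny {client_ip} request: {reason}")
        return b"denied\n"
    reply = service(line)
    reason = check_reply(reply)
    if reason:
        log.append(f"deny {client_ip} reply: {reason}")
        return b"denied\n"
    log.append(f"allow {client_ip} {line.rstrip()!r}")
    return reply


# Constructed stand-in for the wrapped application: a tiny directory lookup.
DIRECTORY = {b"alice": b"alice: developer\n",
             b"payroll": b"payroll: CONFIDENTIAL salary table\n"}


def lookup_service(line: bytes) -> bytes:
    parts = line.split()
    if len(parts) != 2 or parts[0] != b"LOOKUP":
        return b"error: usage LOOKUP <name>\n"
    return DIRECTORY.get(parts[1], b"unknown\n")


if __name__ == "__main__":
    log: List[str] = []
    for ip, req in (("192.0.2.10", b"LOOKUP alice\n"),
                    ("192.0.2.10", b"LOOKUP " + b"A" * 300 + b"\n"),
                    ("192.0.2.10", b"LOOKUP payroll\n"),
                    ("198.51.100.5", b"LOOKUP alice\n")):
        print(wrapped(lookup_service, ip, req, log))
    print("\n".join(log))
```

The length check is only as good as the assumed `MAX_ARG_LEN`: a wrapper can stop the over-long input of page 31 only if it knows the real buffer size of the program it protects, which is why the limit must come from the program's source or documentation rather than a guess.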

Page 32: Proxies

  Protected Network                      FIREWALL              INTERNET
  user --> client --> PROXY ----------------|------------------> server

The client inside the protected network talks only to the proxy; the proxy, at the firewall, makes the connection to the server on the Internet.

Page 33: How a proxy works
A prospective client contacts the proxy agent.
The proxy agent repackages the client's request; the resulting request appears to originate from the proxy agent.
The proxy agent sends the message to the server.
The server's reply returns to the proxy agent.
The proxy agent again repackages the message and sends it to the original client.
From the client's point of view the proxy looks like the server; from the server's point of view the proxy looks like the client.

Page 34: Approaches to Proxying: 1. Proxy-aware user procedures
The client program is unaware that it is talking to a proxy rather than directly to the server.
Requires users to execute extra steps to use the proxy: the user must connect to the proxy, and must then instruct the proxy to make a connection to the server.

Page 35: Approaches to Proxying: 2. Proxy-aware client (application software)
The client is modified to understand how to deal with a proxy (for external and sometimes internal connections).
The user of the application does not need to know that the client is modified (except possibly for installation); to the user the client appears the same as an unmodified client.
If modified clients are available this is the easiest and most robust approach to proxying.
Some commonly available examples include web browsers, ftp and telnet (only some applications and platforms).

Page 36: Approaches to Proxying: 3. Proxy-aware operating system
Modified system calls: replace the network programming libraries with modified libraries that support proxies. This may also require some changes to the clients (modified calls).
May cause problems with:
Statically linked software
Software using custom dynamically linked libraries
Software that attempts to modify connections

Page 37: Approaches to Proxying: 4. Proxy-aware router
Transparent proxying (transparent to the client), or hybrid proxying (filtering plus proxy): packet interception and diversion.
Packets are filtered as they pass some choke point in the network, and some types of packets are diverted to a proxy (based on addresses, ports, ...).
Has similar problems to packet filtering.

Page 38: Types of Proxies
Application-specific proxies: allow the proxy to provide additional services such as monitoring of protocol exchanges and control based on protocol actions. May be required by applications that exchange IP addresses or port information inside the application data (not in the IP header).

Page 39: Types of Proxies
Generic proxies: do not understand the applications they proxy. They provide basic packet relay functionality, address and port mapping, and logging.

Page 40: Using Proxies
Generally used to allow hosts in a local network to access external servers on the Internet.
Straightforward to use proxies for services that run over TCP connections using well-known ports.
Possible to use proxies for services that run over UDP using well-known ports.
More difficult (may require application-specific proxies) for services that use dynamically assigned ports and/or combinations of TCP and UDP.

Page 41: TCP proxy using a well-known port
An internal machine connecting to an external TCP server contacts the internal machine running the proxies; the internal machine sees the proxy as the server.
The proxy checks the request from the internal machine and modifies it as necessary (e.g. replacing the source address with the address of the proxy).
The proxy machine sends the request to the server.

Page 42: TCP proxy using a well-known port (continued)
The server replies to the proxy; the server sees the proxy as the other end of its connection.
The proxy receives the reply, modifies it as necessary and forwards it to the internal client machine.
The proxy maintains two connections, one between the internal client and itself and one between itself and the external server, and relays between them.

Page 43: UDP proxy
Additional complications: UDP is connectionless.
Packets can be lost; replies may not arrive.
UDP packets not associated with the application may also arrive in the same time window, so responses must be matched to requests.
This is not usually possible for a generic proxy, which may simply use a time window and pass all UDP packets received (there are risks here).
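An added example, not code from the lecture: the request/response matching a generic UDP proxy needs (page 43). Each outbound datagram opens a time-limited entry keyed by the proxy port it was sent from; in strict mode only a datagram from the server that entry was opened towards is relayed back, while the naive "pass everything in the window" variant the page warns about relays anything sent to that port. The addresses, ports and the 30 s window are assumptions of this example.

```python
"""Added example (not from the lecture): request/response matching for a
generic UDP relay (page 43).  Addresses, ports and the window are assumptions."""
from typing import Dict, List, NamedTuple, Optional, Tuple

WINDOW = 30.0   # seconds an entry stays open after the last outbound datagram (assumed)


class Datagram(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


class UdpRelay:
    def __init__(self, proxy_ip: str, first_port: int = 40000, strict: bool = True):
        self.proxy_ip = proxy_ip
        self.next_port = first_port
        self.strict = strict            # False = page 43's "pass all UDP packets in the window"
        # proxy port -> (client, client port, server, server port, expiry time)
        self.table: Dict[int, Tuple[str, int, str, int, float]] = {}
        self.log: List[str] = []

    def _expire(self, now: float) -> None:
        for port in [p for p, e in self.table.items() if e[4] <= now]:
            self.log.append(f"expire port {port}")
            del self.table[port]

    def outbound(self, d: Datagram, now: float) -> Datagram:
        """client -> server: rewrite the source to the proxy and remember the flow."""
        self._expire(now)
        key = (d.src, d.sport, d.dst, d.dport)
        for port, e in self.table.items():
            if e[:4] == key:            # same flow: reuse the port, refresh the timer
                break
        else:
            port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = key + (now + WINDOW,)
        return Datagram(self.proxy_ip, port, d.dst, d.dport, d.payload)

    def inbound(self, d: Datagram, now: float) -> Optional[Datagram]:
        """server -> proxy: relay to the client only if it matches an open entry."""
        self._expire(now)
        entry = self.table.get(d.dport) if d.dst == self.proxy_ip else None
        if entry is None:
            self.log.append(f"drop {d.src}:{d.sport}->{d.dport}: no open request")
            return None
        client, cport, server, sport, _ = entry
        if self.strict and (d.src, d.sport) != (server, sport):
            self.log.append(f"drop {d.src}:{d.sport}->{d.dport}: not the queried server")
            return None
        return Datagram(d.src, d.sport, client, cport, d.payload)


if __name__ == "__main__":
    # constructed traffic: an inside host queries a DNS server through the relay,
    # the real answer comes back, then a third party tries to inject into the window
    relay = UdpRelay("203.0.113.1")
    q = relay.outbound(Datagram("192.0.2.10", 5000, "198.51.100.53", 53, b"query"), now=0.0)
    print("sent as", q)
    print("answer ->", relay.inbound(Datagram("198.51.100.53", 53, "203.0.113.1", 40000, b"answer"), now=1.0))
    print("forged ->", relay.inbound(Datagram("198.51.100.66", 53, "203.0.113.1", 40000, b"forged"), now=2.0))
    print("\n".join(relay.log))
```

Even the strict version trusts the server's address and port, which is exactly what a spoofed datagram forges (page 12); it keeps unrelated traffic out of the window but is no substitute for an application-specific proxy that can check the reply against the request it answers.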

Page 44: Generic Proxy: modified system calls
SOCKS handles TCP and UDP by substituting the standard socket library with the SOCKS library.
RFC 1928 (SOCKS version 5) also provides for authentication of the client to the proxy server: client and proxy negotiate an authentication method before any connection request is relayed.
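The following is an added example, not code from the lecture or from any SOCKS implementation: the RFC 1928 messages a SOCKS5 client and proxy exchange before the proxy relays a TCP connection, namely the client's method greeting, the proxy's method selection (which is where authentication is negotiated), the CONNECT request and the reply. The hosts and ports used at the bottom are constructed.

```python
"""Added example (not from the lecture): RFC 1928 SOCKS5 message formats for
the negotiation, CONNECT request and reply.  Hosts and ports are constructed."""
import socket
import struct
from typing import Sequence, Tuple

VER = 0x05
NO_AUTH, USER_PASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF   # method codes (RFC 1928 section 3)
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED, REP_NOT_ALLOWED = 0x00, 0x02


def client_greeting(methods: Sequence[int]) -> bytes:
    """VER | NMETHODS | METHODS..."""
    return bytes([VER, len(methods), *methods])


def server_select(greeting: bytes, acceptable: Sequence[int]) -> bytes:
    """VER | METHOD: the proxy picks the first of its acceptable methods the
    client offered, or 0xFF, after which the client must close the connection."""
    if len(greeting) < 2 or greeting[0] != VER or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    offered = greeting[2:]
    for m in acceptable:
        if m in offered:
            return bytes([VER, m])
    return bytes([VER, NO_ACCEPTABLE])


def _encode_addr(host: str) -> bytes:
    """ATYP | address, choosing IPv4, IPv6 or a length-prefixed domain name."""
    try:
        return bytes([ATYP_IPV4]) + socket.inet_pton(socket.AF_INET, host)
    except OSError:
        pass
    try:
        return bytes([ATYP_IPV6]) + socket.inet_pton(socket.AF_INET6, host)
    except OSError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("domain name too long")
        return bytes([ATYP_DOMAIN, len(name)]) + name


def _decode_addr(data: bytes, i: int) -> Tuple[str, int]:
    """Return (host, index just past the address) for the ATYP at data[i]."""
    atyp = data[i]
    if atyp == ATYP_IPV4:
        return socket.inet_ntop(socket.AF_INET, data[i + 1:i + 5]), i + 5
    if atyp == ATYP_IPV6:
        return socket.inet_ntop(socket.AF_INET6, data[i + 1:i + 17]), i + 17
    if atyp == ATYP_DOMAIN:
        n = data[i + 1]
        return data[i + 2:i + 2 + n].decode("idna"), i + 2 + n
    raise ValueError(f"unknown address type {atyp:#x}")


def connect_request(host: str, port: int) -> bytes:
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT"""
    return bytes([VER, CMD_CONNECT, 0x00]) + _encode_addr(host) + struct.pack("!H", port)


def parse_request(data: bytes) -> Tuple[int, str, int]:
    """Proxy side: (CMD, host, port), rejecting anything that is not exactly one message."""
    if len(data) < 4 or data[0] != VER or data[2] != 0x00:
        raise ValueError("malformed request")
    host, i = _decode_addr(data, 3)
    if len(data) != i + 2:
        raise ValueError("bad request length")
    return data[1], host, struct.unpack("!H", data[i:i + 2])[0]


def reply(rep: int, bind_host: str, bind_port: int) -> bytes:
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT"""
    return bytes([VER, rep, 0x00]) + _encode_addr(bind_host) + struct.pack("!H", bind_port)


def parse_reply(data: bytes) -> Tuple[int, str, int]:
    return parse_request(data)   # same layout; the second byte is REP instead of CMD


if __name__ == "__main__":
    g = client_greeting([NO_AUTH, USER_PASS])
    print("client  ->", g.hex(), "proxy ->", server_select(g, [USER_PASS]).hex())
    req = connect_request("example.com", 443)
    print("client  ->", req.hex(), parse_request(req))
    rep = reply(REP_SUCCEEDED, "203.0.113.1", 1080)
    print("proxy   ->", rep.hex(), parse_reply(rep))
```

Two things worth noticing on the proxy side: a client that only offers `NO_AUTH` gets `0xFF` from a proxy configured to require a password, so the proxy never sees a CONNECT from an unauthenticated client; and `parse_request` refuses trailing bytes, since a request that has been parsed by one length and acted on by another is exactly the kind of malformed input page 14 says a well-known port should be screened for.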

Page 45: Advantages of proxying
Can log the activity of the server or client, and logging can be restricted to critical command packets only.
Can provide caching of information sent/received, improving performance by reducing retransmission of data.
Can authenticate users, more easily than with packet filtering.
Can provide filtering: looking at specific types of connections, it may be able to filter more specifically and effectively.

Page 46: Disadvantages of proxying
May need protocol- or application-specific proxies, which increases installation and maintenance.
May require modifications to clients and applications (added work), which may not be possible for proprietary applications.
May not be available for the most up-to-date versions of protocols or applications, which may delay your site being able to offer new services.