bill's blog

Just another WordPress weblog

Browsing Posts tagged firewall

A bastion host is a computer on the internal network that is intentionally exposed to attack (vconlinecourses.com, 2009). The host may be internal to your network but it is also forward facing. It is intentionally placed in ‘harm’s’ way, exposed so that the hosts that actually provide the service can remain protected. The Bastion host provides a layer of protection that other devices such as a firewall or an intrusion detection system do not… It is the focus of attack. A firewall should provide rules that keep the attacker at bay while the IDS will warn and in some cases thwart attacks. BUT the Bastion host WILL be attacked. It’s only a matter of time.

Just because the Bastion host doesn’t mean that it should be put out there unprotected. The host still needs to be hardened! There are many things one can do to protect the Bastion host.

DMZ

Putting all of your Bastion hosts into a protected network is your first line of defense. Because of the increased potential of these hosts being compromised, they are placed into their own sub-network in order to protect the rest of the network if an intruder was to succeed (wikipedia.org, 2009). At no time should a Bastion host have direct access to your protected resources! Internal (or protected) computers should only have access out to the Bastion host. As part of properly configured DMZ, routers/firewalls must be configured with ACLs (or Access Control Lists) so that only those events you (as the administrator) deemed acceptable are allowed to happen. Destination and source addresses need to be evaluated and rules need to be set in place to allow or deny access. Additionally, services ports need to be looked at as well. It may be acceptable for a source address to access port 80 (http) but not port 22 (ssh).

OS & Patches & ACLs

One thing to keep in mind when running a Bastion host is the box itself needs to be hardened. The OS needs to be kept up to date. Many vendors progressively secure their OS through security update. This may or may not be the right move. Vendors often roll multiple fixes into their updates… Sometimes it’s best to compile your own binary to install thus addressing the one service that may be affected by the vulnerability. Services that are not being used by the host should be disabled (or better yet) not installed… certain OS’s provide for this (Linux) others don’t (Apple). If the host has a host based firewall… turn it on configure it… block services that must run but could compromise the safety of the host. Secure the box through the use of ACLs (both user based as well as service based). It is usually up to the system administrator to determine through testing what ACLs they need to modify to lock down the network application as thoroughly as possible without disabling the very features that make is a useful tool (sans.org, 2009).

Base-lining

Tools like Tripwire and Nessus all play a part in base-lining your system. Tripwire is an excellent tool for determining the state of a file system. In broad strokes, it does this through the use of MD5 checksums. In theory, no two files (or disk images) will have the same exact checksum. Any changes, will result in a different checksum being produced. File integrity monitoring helps IT ensure the files associated with devices and applications across the IT infrastructure are secure, controlled, and compliant by helping IT identify improper changes made to these files, whether made maliciously or inadvertently (tripwire.com. 2009). So if an administrator, runs md5sum against a file system and then goes back a week later, if the checksums don’t match either he’s not on top of change control OR the system has been compromised! Nessus is a penetration-testing tool. In the case of Nessus, it looks at a database of know vulnerabilities and compares them with versions of software running on your host. When it finds a version of software running on your host that has been compromised, it will alert you to that fact. Should you find a software defect on your system it is imperative that you address the vulnerability through OS or patching and re-baseline.

Log Files

Syslog servers and log analyzers play an important role. Network monitoring solutions fit into this category as well! Logs are a vital part of understanding how your system is running. During the course of a few days or weeks massive amounts of information can be collected. Log files can tell you who tried to log in and when (or perhaps more importantly who failed to log in). It can tell you which files were accessed and by whom! It can tell you when a binary is having problems, either through miss-configuration or perhaps a bug (Heese, 2009). A wonderful tool for analyzing your data/log files is Splunk. It’s fast and allows you the ability to drill down through your log files in a very intuitive manner. Splunk can be configured to send alerts when certain criteria have been met. Sure you could do all this through shell scripts BUT you’d only be looking at the log files on one host! Because Splunk has the ability to act as a warehouse for all you system logs to can be set to look at multiple events across various systems and when combined can give you a true picture of your network/hosts.

Summary

You don’t become strong if you don’t learn! Systems that are exposed to the world need to be monitored. If you don’t, compromises will happen and you may not even know about it. A compromise host is not a matter of ‘if’ but rather ‘when’. Learning how your host was compromised can lead to better methods of securing it. Why leave it unprotected. Monitoring systems are essential to the well being of your systems. Why not take advantage of these automated systems. Spend the time to tune them. The more effort you put into it, the better the result will be, and the less false positives your IDS will flag! Know when an event is happening puts you back in control!

Resources:

Dillard, K., (2009), Intrusion Detection FAQ: What is a bastion host? Retrieved on March 16th 2009 from http://www.sans.org/resources/idfaq/bastion.php

Heese, B., (2009, March 11), Log Management, Retrieved on March 17th 2009 from http://weblog.randomdog.net/?m=20090312

Unknown, (2009), Bastion Hosts, Retrieved on March 17th 2009 from http://www.vconlinecourses.com/ec/dcs/DocView.learn?CourseID=3272624&47=5440807&dt=3%2F17%2F2009+9%3A06%3A50+PM&DocID=18645971&DocCollab_PK=19010583&Name=%22Bastion+Hosts.pdf%22

Unknown, (2009), File Integrity Monitoring with Tripwire, Retrieved on March 17th 2009 from http://www.tripwire.com/solutions/security/file-integrity-monitoring.cfm

Various, (2009, March 11), DMZ (computing), Retrieved on March 17th 2009 from http://en.wikipedia.org/wiki/Demilitarized_zone_(computing)

Apple’s has had ipfw (ipfirewall) since version 1.2 of OSX. ipfw is the Mac OS X built-in kernel-level IP firewall. Unfortunately, it was tucked away in directories that Apple tried to keep hidden from its users. Originally, Apple felt they were going to be able to shield end-users from the ugliness of the UNIX command line. Apple’s claim to fame has always been its GUI (the Finder), which by the way has yet to be open sourced. Editing the appropriate files with a text editor was not something Mac users were very comfortable doing. Early adopters of OSX had to either delve into the UNIX underpinnings or do without. This caused many users not to make use of ipfw. Fortunately, a graphical user interface was finally added in version 10.2. Unfortunately, the interface was not very robust.

One nice feature to be included in Leopard’s (OSX 10.5) firewall is the addition of an Adaptive Firewall. This allows you the ability to setup firewall rules based on an application rather that a particular port. What this really means for an administrator is, now you don’t have to hunt down which ports to open for say iChat. In the past you had to know UDP ports 5060, 5190, 5297, 5298, 5678, 16384 through 16403 had to be open to allow full functionality; miss one of them and you may spend a day trying to figure out why the video chat doesn’t work. Now all you have to do is specify that you want to allow iChat and the firewall knows which ports to open for you. Apple has a great Knowledge Base article of which ports to open if you’re using a hardware firewall. The article can be found at http://support.apple.com/kb/HT1507. Configuring the firewall has been moved to the Security Preference Pane. Please note: In versions of OSX prior to 10.5 it was found in the Sharing Preference Pane.

figure1Figure 1

The image in figure 1 shows the Application firewall configuration sheet. It is a bit cryptic and needs some explaining. “Allow all incoming connections“ is the same thing as having the firewall turned off. “Allow only essential services” setting turns the firewall on but limits the ports that are opened to a certain few system services, one example being zero-conf. This setting will block file sharing and remote access even though they are turned on! In an article published for Macworld online Rich Mogull explains,

“You should use this option only if you really want to block everything. I use this option when I’m on potentially hostile networks, such as those in hotels or public hotspots, and don’t want to bother with manually turning off all my shared services.” (Mogull, 2008)

The last option is “Set Access for Specific Services And Applications”. This gives you access to OSX’s Application Firewall. The basic configuration here is to select an application and then determine if you want to allow or block the network traffic going it. The Application Firewall then determines which ports to open (see figure 2). This provides for broad strokes rather than precise cuts. This is good for the casual user but not if you want or need finer control. If that is the case, you’ll need to configure ipfw using a third party application (discussed latter in this section).

figure2

Figure 2

There are two more features that should be turned on. They can be found by selecting the “Advanced…” button (see figure 2).

figure3Figure 3

The sheet that is presented when you select the “Advanced…” button allows for the enabling of logging and stealth mode (figure 3). Logging should be selected. As you start to secure your machine, you will come across situations where your firewall isn’t performing the way it should. It is a really great place to start looking for problems with your rule base. The logs detail out which rule was triggered, where (destination) the rule was triggered from, and which service was trying to be accessed. Additionally, after your firewall is properly configured it is essential to monitor this log. It will tell you where your machine is being attacked/probed and from where. Once you have this information you can tighten up firewall rules even further by enabling rule that block the attacker IP address or IP range.

Stealth mode should be enabled! But what is Stealth mode? IP based data communications can be broken down into 3 main areas.

1. TCP (or Transmission Control Protocol) is a connection based IP protocol.
2. UDP (or User Datagram Protocol) is a connectionless protocol
3. ICMP (or Internet Control Message Protocol)

Stealth mode deals specifically with one and three. They are both connection based and because of this the IP stack creates what is called a handshake between the two hosts that are trying to communicate. This handshake can be used by an attacker to probe a target machine to see which services are being run. Once this is done the attacker can then start executing attackers against the service with know vulnerabilities. Stealth mode drops the connection so that it appears to the attacker that your machine isn’t even there. The attacker sees nothing and hopefully will move onto easier prey.

One interesting thing to note with regard to the OSX 10.5’s implementation of its Application Firewall is that it creates digital signatures of the application allow using “Set Access for Specific Services and Applications”. This can present a significant problem with applications that write data back into the .app folder. One application that comes to mind is Skype.

As mentioned before the Application Firewall is great for the average user but what if you want more control? Over the years, many software developers have tried to recreate the wheel and distribute their own firewalls. These applications for the most part made setting up a firewall much more Mac like but at the cost of network performance. These third party firewalls sat on top of the networking stack rather than tying directly into ipfw. Other software developers concentrated on developing a better interface over the top of ipfw. Mac OSX’s firewall is built in as part of the core UNIX system software, so it’s a secure and efficient firewall implementation that, when enabled, won’t negatively affect network performance (White, 2008). One such third party front-end application is WaterRoof written by Hany El Imam. WaterRoof lets you add and remove rules with a simple interface. You can also set some network options and you can backup configuration and install a startup script. You can see logs and create simple or graphic statistics (El Imam, 2007).

Another nice feature of ipfw is that they can be used to both limit the network traffic trying to get to a host as well as limit what types of traffic the host can send. In corporate environments, more often than not usage of the Internet is dictated by policies. Some of these policies may and often do restrict the FTP’ing from a users desktop out onto the Internet. Trying to configure this with OSX’s built in graphic tools can be a bit restrictive. You can block an application but not necessarily the ports that that application uses to communicate with other servers on. Understanding that this is a fine line, this is where third party applications come into play. WaterRoof make that very simple. It has a built in wizard that guides you through the process.

figure4Figure 4

In figure 4, rule 1000 reads: deny ip from me to any dst-port 21,20. Translated out into English the rule is deny my machine (me) from making a connection on port 21,20 (the ports used by FTP) to anyone else (any dst). So let’s test this. In the Terminal output below, is a telnet session to an ftp server located at ip address 192.168.25.75. Normally one should see this:

mission-control:~ billheese$ telnet 192.168.25.75 21
Trying 192.168.25.75...
Connected to 192.168.25.75.
Escape character is '^]'.
220- -----------------------------------------------------------------
220- Conair's Creative FTP Server - Unauthorized Access is Prohibited!
220- The local time is Thu Jul 10 16:00:11 2008.
220- You are connected from 192.168.25.215.
220- -----------------------------------------------------------------
220- ftpcreative.st.conair.com FTP server (Version: Mac OS X Server 10.3.9 003 - +GSSAPI) ready.

But when the rule is activated you see this:

mission-control:~ billheese$ telnet 192.168.25.75 21
Trying 192.168.25.75...
telnet: connect to address 192.168.25.75: Permission denied
telnet: Unable to connect to remote host

Side Note: This administrator didn’t do such a good job at securing this host. The last line of the FTP banner clearly states which operating system the server is running and which options were compiled into the version of the FTP software the system is running. It is this information that an attacker can use to target a particular exploit against this host.

One last thing of extreme importance when dealing with configuring your firewall… Think twice before committing any change to a firewall on a remote host! If the configuration is not done properly you could lock yourself out with the only way of getting back in is through the console.

Resources:

El Imam, H., (2007), WaterRoof IPFW firewall frontend, Retrieved on Feb 2, 2009 from http://www.hanynet.com/waterroof/index.html

Mogull, R., (2008, Mar 20), How to configure Leopard’s firewall, Retrieved on Feb 3, 2009 from http://www.macworld.com/article/132558/2008/03/connect2504.html?t=234

White, K.M., (2008), Apple Training Series: Mac OS X Support Essentials (2nd Edition), Berkeley, CA: Peach Pit Press

One thing that every network administrator needs to keep in mind is without computers and end users there would be no need for your network. Why do I say this? Unfortunately over the years we’ve seen a proliferation of target attacks on companies that get perpetrated using the Internet. Money can be gotten by attacking corporate networks looking for credit card information and then selling the information for profit. In fact, the term Cyber-Warfare is no longer in the realm of science fiction. In May of 2007, Russia launched a DDOS attack against government and banking computers. The Estonian government says its state and commercial websites – including a number of banks – are being bombarded by mass requests for information – overwhelming their computer servers (bbc.uk.co, 2007).

So what are we to do? We do what man has done since the beginning of time. We build layer of defenses to thwart our attackers. We need to understand what (the data) we are trying to protect. We also need to understand what is considered normal so that when things become ‘odd’ we understand that something is not right. According to a 2005 survey conducted by the FBI, 87% of those polled have conducted security audits to serve as a baseline for a meaningful security program (fbi.gov, 2005). Baselines should be taken of end-users computers to make sure that virus and backdoors have not been infected. Servers for the same thing as well as which services are being run. Network traffic so that you have an understanding of how a healthy network should look like under normal conditions. Once baselines are completed, checks must be preformed at regular intervals to insure that no unauthorized changes have occurred. Unfortunately, in many organizations this is where things break down. In today’s economic climate, dollar and resources are scarce. Following up on procedures often take a back seat to more imminent problems of the daily break fix routine.

Once the baselines are established, rules can be entered into security device with a clear understanding of the trade-offs that will be required to secure your environment. Firewall rules can get very complicated. Many appliance-based devices try to make understanding your rules easier but others miss hitting the mark terribly. Simply put, firewall rules are a series of allow or deny statements. These statements contain criteria through which the firewall knows which to let the packet pass or stop it in its tracks. One important thing to keep in mind is whether the allow statement takes precedence over the deny statement or vice-versa. Different firewalls handle this very differently. Be sure you know how your firewall handles this otherwise you’ll find no packets getting through.

SO what do these rule look like?

Priority Action Service Source Destination Time Day
1 Deny Any * LAN * *
2 Allow Any LAN * * *
3 Deny Any 129.33.82.0/24 * * *
4 Deny FTP 192.168.1.55 WAN 9:00 - 17:00 M,T,W,TH,F
5 Allow SSH 69.0.54.198 192.168.1.45 17:00 - 9:00 *

So what does this all mean? This firewall is a deny/allow-based system. Let’s take a look at the rules one at a time:

Rule 1: Denies all access from everywhere to anywhere on the LAN. This is a pretty generic rule. It covers the network administrators it case they miss setting up an explicit rule for a service.

Rule 2: ALLOWS all users on the LAN to access any thing on the outside world. In other words LAN users can go anywhere.

Rule 3: Is an explicit rule. It stipulates that any one from the 129.33.82.0/24 network is DENIED access to ANY service even those allowed on this network.

Rule 4: Is an explicit rule that DENIES the computer using 192.168.1.55 from accessing FTP servers outside of the LAN. This rule is in effect during business hours, Monday thru Friday. (Seems this user might be abusing something).

Rule 5: Is an explicit rule that ALLOWS access to the SSH server outside of business hours. This is one way to help protect and minimize your exposure. Additionally, they cold have access an IP address to ALLOW access from thereby minimizing their exposure even more.

These rules are fairly simple and easy to follow. However in a true environment, they can get quite complex. In many corporations, firewalls are used as a means of restricting access for troublesome or abusive individuals. Unfortunately, this puts the network administrator in the role of having to deal with HR issues, rather than Human Resources dealing with the issue more directly.

Resources:

Unknown, (2005, July 25), Headline Archives, Retrieved Feb. 27, 2007 from
http://www.fbi.gov/page2/july05/cyber072505.htm

Unknown, (2007, May 17), Estonia hit by ‘Moscow cyber war’ Retrieved on January, 17, 2009 from http://news.bbc.co.uk/2/hi/europe/6665145.stm