Packet Filter Handling of Oracle SQLNet

Oracle SQL*Net is a dynamic protocol, where the client initially connects to a well-known listening port on the Oracle server. The server then redirects the client to a new, random server port, and the client reconnects to it and proceeds with the database management system (DBMS) session. This redirect is a message on the application layer. A packet filter cannot snoop on the client-server negotiation to see the redirect; therefore, opening all high TCP ports to the server is necessary....

Introduction

Many-to-one translations, also known as PAT, allow preserving global addresses by using them for multiple internal hosts. In this case the PIX will extend the translation table by local-inside-port and global-inside-port. The command syntax is:

nat (if_name) id address netmask outside dns norandomseq timeout hh:mm:ss conn_limit em_limit
global (if_name) nat_id global_ip netmask global_mask interface

Example:

nat (inside) 1 10.1.1.0 255.255.255.0
nat (inside) 2 10.1.2.0 255.255.255.0
global (outside) 1 200.1.1.1
global...

Requirements

The main security risks seen by the hospital are:
- Availability of mission-critical data, including inside medical servers and external (video streaming) servers
- Compromise of medical servers containing confidential information
- Confidentiality and availability of the voice network
- Access to medical information by non-medical personnel (maintenance personnel, administration)

The following applications pass between the hospital network and outside networks:
- Inbound HTTP to an exposed server...

Misconceptions about Firewall Functionality

Firewalls are often misunderstood, and false assumptions can be made about their capabilities. While it is true that firewalls would not be necessary if host application security could be made extremely robust, many organizations use firewalls as a replacement for host or application security. Such an attitude is extremely dangerous, as it can completely ignore host and application security even in extreme cases, such as connecting a sensitive server inside an Internet firewall. A cynical view...

Guidelines for uRPF

Unicast RPF is used in firewall environments to prevent IP address spoofing, which can be an indication of a DoS attack. Note that uRPF relies on the Forwarding Information Base (FIB) to determine whether the source address is valid or not. Additionally, RFC 1918 addresses and loopback networks should be manually filtered or routed to the null interface. Note that uRPF is generally an edge feature, as this functionality should be as close as possible to potential spoofing sources. Practically, uRPF is configured on dial-up...

ALG Handling of SMTP

SMTP is one of the easiest protocols to relay on the application layer, as almost any mail server is capable of acting as an SMTP mail router as well as the mailbox server. A mail-relaying SMTP server acts as an ALG to pass mail between security perimeters. It accepts all messages for the trusted perimeter, and forwards all messages from the trusted perimeter. The DNS concept of the mail exchanger (MX) host greatly simplifies redirecting mail addressed to a domain to a specific mail gateway. The...

Stateful Packet Filtering Definition

Stateful packet filtering is an application-aware method of packet filtering that works on the connection (flow) level. A stateful packet filter (SPF):
- Maintains a state table (or connection table), where it keeps track of all the active sessions over the firewall
- Is application aware: an SPF is able to recognize all sessions of a dynamic application

The state table is part of the internal data structure of an SPF. It tracks all the sessions, and inspects all the packets passing over the SPF-based...

Network Topology Identification

Topology identification is used to establish network boundaries:
- Identify internal topology and addressing
- Identify external network connections and addressing
- Identify redundancy requirements for internal or external connectivity
- Result: Identify options for firewall placement

2003, Cisco Systems, Inc. All rights reserved. DPS 1.0 1-2-7...

When to use NAT

In the modern world, NAT is critical to mitigate the global Internet address depletion. Very often, private networks are assigned network numbers from the address blocks defined in RFC 1918. Because these addresses are intended for local use only, NAT is required to connect to the Internet. NAT is sometimes used to preserve an enterprise's inside addresses, for example, when changing the Internet Service Provider (ISP). Note: The Cisco implementation of NAT can also be used for applications not...

VLANs and switches actually CAN stop some attacks

Security of switch VLANs was, and still is, a constant topic in terms of its robustness for perimeter separation. The arguments for and against using them are as follows:
- There have not been many flaws found so far.
- VLANs were never designed and implemented as a security feature.
- VLANs reduce broadcast domains, and a flaw in the code can enable an attacker to hop between VLANs.
- A lot of L2 switches fail open to insecure (all ports in...

NAT unfriendly

H.323 is a complex protocol that has many modes of operation. The signaling channel uses the Q.931/H.225 protocols or, alternatively, the H.323 RAS protocol. H.323 can run directly between endpoints, for example, IP phones, or a third party can mediate it. The name for the signaling proxy, or third party, in H.323 is the gatekeeper. This proxy can provide application-layer relaying of the signaling protocol between two media endpoints, enabling an organization to control and filter signaling...

Example

A network administrator needs to assign two classes of users different access rights in a network, which is inside a large campus switched network. Both classes of users connect to the same physical infrastructure, as it is not viable from the cost perspective to maintain two physically separate networks. Therefore, the network administrator needs to logically separate the user groups. Logical separation provides separate communication channels for different users over the same physical...

Example Scenario Limits of Reflexive ACLs

The new configuration is much stricter compared to classic packet filtering, the major improvement being DNS reply handling. Still, the configuration permits more than the policy allows. For example, any inside high-port TCP application can be accessed as a consequence of FTP filtering. Remove the rules permitting FTP back-connections, and use FTP in passive mode to avoid this. Furthermore, no flow state is maintained. Any forged packet that is assumed to be related to the actual flow may enter...

Designing NAT in Active Active Load Balancing Using Routing Protocols

Using two PIX Firewalls in an active-active setup, with routing protocols to load-balance traffic, can be a simple and effective method of balancing. However, symmetric traffic flow must be guaranteed at all times, to enable each PIX Firewall to see all packets of a session. You were called in to assist in a firewall design where such a load-balancing setup is required. The following picture shows the current implementation of the firewall system. Figure 1: Load sharing/load balancing with dual NAT...

Firewall Limitations

In general, firewalls have the following limitations:
- As firewalls are used in critical points of the network, their misconfiguration can have disastrous consequences. Firewalls are often a single point of failure security-wise, and a single mistake in either a configuration rule or firewall code can compromise the network access policy.
- Many modern applications are firewall-unfriendly, as they are difficult to inspect properly. Compromises in rule design and inspection depth have to be...

Example Scenario Basic Filter Design and Placement

When using pure packet filtering, the designer of the ruleset must know exactly what the supported applications look like on the network, and design rulesets to permit outgoing and incoming traffic. In practice, the most difficult aspect of rule definition is the proper filtering of return (server-to-client) traffic, which often cannot be filtered securely (usually when incoming sessions to random client ports are needed, such as with FTP). In this example, the outbound packet traffic will be...

Make sure you do both ingress and egress filtering

In the context of a firewall, the firewall device should provide protection against spoofing on its interfaces. The two most common guidelines for deploying anti-spoofing rules are:
- On each perimeter interface, disallow traffic entering the firewall that carries source addresses which are reachable on another perimeter
- On each perimeter interface, filter out source addresses which should, by definition, not be present on that network, for example, the...
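The two anti-spoofing guidelines above, together with the uRPF behaviour described in the Guidelines for uRPF section, expressed as a small source-address check. This is an added example, not course material or Cisco code; the interface names and the prefix table standing in for the FIB are constructed for illustration.

```python
"""Added example: strict-uRPF style ingress/egress source check plus a manual
bogon filter on the untrusted edge. Interface names and prefixes are constructed."""
import ipaddress

# Constructed FIB view: which prefixes are reachable behind each perimeter interface.
PERIMETERS = {
    "inside":  [ipaddress.ip_network("10.1.1.0/24"), ipaddress.ip_network("10.1.2.0/24")],
    "dmz":     [ipaddress.ip_network("172.30.11.0/24")],
    "outside": [ipaddress.ip_network("0.0.0.0/0")],   # default route
}

# Sources that by definition must not arrive from the Internet (RFC 1918, loopback, ...).
BOGONS = [ipaddress.ip_network(n) for n in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]


def best_match_interface(addr):
    """Longest-prefix lookup: the interface the FIB would use to reach this source."""
    best = None
    for ifname, prefixes in PERIMETERS.items():
        for net in prefixes:
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (ifname, net)
    return best[0] if best else None


def check_source(ingress_if, src):
    """Return (allowed, reason) for a packet with source `src` arriving on `ingress_if`."""
    addr = ipaddress.ip_address(src)
    # Guideline 2: uRPF alone passes bogons on the default-route interface, because
    # 0.0.0.0/0 matches everything, so they are filtered explicitly on the outside.
    if ingress_if == "outside" and any(addr in n for n in BOGONS):
        return False, "bogon source on outside"
    reverse_path = best_match_interface(addr)
    if reverse_path is None:
        return False, "no route to source"
    # Guideline 1 (and strict uRPF): the reverse path for the source must be the
    # interface the packet came in on; otherwise the address belongs to another perimeter.
    if reverse_path != ingress_if:
        return False, f"source belongs to {reverse_path}, arrived on {ingress_if}"
    return True, "ok"
```

The same function covers egress filtering: an inside host sourcing an Internet address is rejected because its reverse path is the outside interface.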

ALG Handling of HTTPS

The HTTP over SSL (HTTPS) protocol requires encryption between the client and the server, and can present problems when running over HTTP ALGs. The problem is the encryption of the session, which makes the proxy blind to all application data within the session. HTTPS is usually handled by application gateways in two different ways:
- Using a simple TCP forwarding tool: The tool patches the HTTPS session from the client to the server. This negates all benefits of application-layer relaying and only...

Topology Identification

The next step in identification of an organization's current situation is the identification of network topology. This will provide a detailed insight into the definition of network boundaries. Note: Identification of network connections within the topology might identify connections that an organization is not aware of. From the security perspective, this is crucial to prevent any data leaks over backdoor connections between network perimeters. Topology identification can be broken down into...

First Level Security Measure

NAT is used as a first-level security measure, because it solves addressing problems and also, by nature, hides inside addresses. Thus, an outside attacker who wants to harm hosts on the inside will not know the target addresses. Using PAT, the attacker will not know which combination of port number and IP address is currently assigned to a desired inside host. The NAT device drops any connection attempts to invalid sockets. Caution: NAT/PAT provides only weak security, and sooner or later...

Task 1 Enterprise Firewall Redesign

Step 1: Identify weak points in the firewall design and suggest improvements. Change the existing firewall design by integrating the new services (DECnet connectivity, dial-up VPN remote access) into it. You can assume that the existing firewall filter can have up to 4 new interfaces. Practice defense-in-depth where appropriate. You SHOULD have incorporated the following features in your design:
- Prevent direct inbound connections to inside DNS and mail servers (provide application-layer gateways...

ALG Handling of FTP

This figure illustrates an FTP ALG passing traffic over an ALG-based firewall.
Step 1: The inside client starts an FTP session with the FTP ALG, authenticating and passing a request for a remote file.
Step 2: The FTP ALG poses as the destination server to the client. After receiving the client request, the FTP ALG opens a new FTP session to the destination server, and proxies the client's request to it.
Step 3: The destination server sends the file to the FTP ALG, which filters the response with,...

Active Standby Firewalls

Another FWLB configuration using full redundancy consists of redundant content switches and redundant active-standby firewalls. Both CSM and IOS SLB support this topology. Using the Content Services Switch (CSS), Virtual Router Redundancy Protocol (VRRP) is necessary as CSS box-to-box redundancy blocks inactive interfaces, which causes PIX failover issues. All default active firewall paths should go through the active HSRP switches. This setup requires 4 PIXes (2 active, 2 standby) to be fully...

The firewall enforces the access control policy

As loose as the firewall concept might be, this is easily understood, as there are many policies which need to be implemented using network access controls; hence the many definitions of a firewall. Firewalls mean different things to different organizations, and each organization has unique requirements. Nevertheless, all firewalls usually share some common properties. A firewall:
- Must be resistant to attacks. That is, compromise of the firewall system should be very unlikely, as it would enable...

Stateful Packet Filtering of IPSec Protocols

If an IPSec VPN needs to be integrated with a firewall system, the encrypted tunnels should ideally terminate at the firewall, so that all traffic is decrypted before it passes through the firewall, giving the most granular access control. This can be accomplished either by having the firewall filter (for example, the PIX Firewall) terminate IPSec, or by having a dedicated VPN system terminate it inside the firewall architecture. Passing IPSec through a firewall filter (for example, to the dedicated termination...

Pure GRE Connectivity Firewall Bypass

If GRE is desired for multiprotocol connectivity over a firewall (and the GRE endpoints are on networks with different levels of trust), ensure that IP unicast can never run through the GRE tunnel. Never run an IP routing protocol inside the GRE tunnel, as the routing protocol may attract unwanted traffic into the tunnel automatically, bypassing the firewall. Note: Again, GRE can also be used inside IPSec tunnels to provide routing protocol functionality inside IPSec VPN tunnels. In such a...

SPF Handling of DNS Queries

SPFs remove the need for rules permitting return traffic, as they are flow-aware and application-aware. An SPF usually handles DNS on two levels:
- When an SPF firewall rule permits a DNS query, it creates a connection entry in the state table. This connection entry permits all return traffic from the server back to the client. Normally, the connection entry will be closed when an idle timeout expires.
- Some SPF implementations, such as the Cisco Secure PIX Firewall or IOS Firewall, are more intelligent...

ASA Configuration

Older versions used conduits to set permissions between interfaces in the inbound direction. Newer versions of PIX OS can be configured with access lists, like routers. The security levels of the interfaces are used to set permissions for access. Remember the defaults: everything from a higher-security interface to a lower-security interface is permitted, and the opposite direction is denied by default. Almost everything within the PIX configuration is changeable. The firewall can be set to be...

Traceroute Refresher

The traceroute program attempts to determine the path between two network endpoints. There are two flavors of traceroute:
- UNIX flavor: A public domain program running on virtually all UNIX platforms. The UNIX flavor of traceroute works by sending User Datagram Protocol (UDP) packets to high destination ports (usually higher than 32000) in phases. Each phase has an increased TTL IP parameter, starting from 1 in the first phase. Routers along the path route the UDP packets and discard them as soon...

Proxy Chaining

Another method is to employ dedicated HTTP proxy servers and configure the content engine to forward HTTP requests to these proxies. This alternative is useful to make content scanning engines such as non-transparent virus scanners transparent to the applications. This cache forwarding or proxy chaining method can also be used as emulation for the Content Vectoring Protocol (CVP). CVP provides an asynchronous interface to server applications that scans file content for virus detection. Using...

Telnet and SSH

Telnet (TCP well-known port 23) and Secure Shell (SSH) (TCP well-known port 22) are two widely used protocols for remote terminal access. Firewall technology can easily filter both of them, as they are single-channel TCP sessions. Both Telnet and SSH servers have traditionally been vulnerable; therefore, be cautious when permitting inbound terminal sessions. Telnet and SSH are both ideally suited for insider tunneling to the inside. SSH has built-in features to forward any single-channel TCP...

Active Active Firewalls

One possibility for designing FWLB with full redundancy is to employ both redundant content switches and redundant active firewalls. The Content Switching Module (CSM) or IOS Server Load Balancing (SLB) with Hot Standby Router Protocol (HSRP) supports this topology. The Cisco CSM is a Catalyst 6500 line card that balances client traffic to farms of servers, firewalls, Secure Socket Layer (SSL) devices, or Virtual Private Network (VPN) termination devices. The CSM is able to track network...

Floodguard

The floodguard command lets you reclaim PIX Firewall resources if the user authentication (uauth) subsystem runs out of resources. If an inbound or outbound uauth connection is being attacked or overused, the PIX Firewall will actively reclaim TCP user resources. If the PIX Firewall uauth subsystem is depleted, TCP user resources in different states are reclaimed depending on urgency in the following order The aaa proxy-limit command enables you to manually...

Trust Identification

When network perimeters are identified, the trust level of those perimeters needs to be determined. The trust level is determined by the following factors:
- How trusted are users inside the perimeter in question? Is it likely that those users could compromise a computing resource on a more trusted perimeter?
- How trusted is the infrastructure of the perimeter? Is it physically secure enough not to allow confidentiality or integrity violation of transit data? Is it possible that an attacker might...

Turbo ACLs

The Turbo ACL feature simply creates data tables for faster searching of elements within the table during ACL processing. Although it takes more memory, it can significantly enhance the performance of the firewall. The minimum memory required for Turbo ACL is 2.1 MB, and approximately 1 MB of memory is required for every 2000 ACL elements. Low-end PIXen, such as the 501, may be adversely affected by enabling this, as may other PIXen running other intensive processes like PIX Device Manager 2.01 or later.

Static and Dynamic NAT

Standard NAT maps each inside local address to one inside global address for each connection. The pool of inside global addresses must be sufficiently large to handle the maximum number of outgoing connections with different source addresses. This mapping can be defined either statically or dynamically:
- Static NAT: Associates dedicated inside local addresses with dedicated inside global addresses.
- Dynamic NAT: Selects addresses from an inside global address pool that has been configured in...

Example Static vs Dynamic NAT

IOS router configuration:

 ip address 10.1.1.99 255.0.0.0
 ip nat inside
interface serial 0
 ip address 193.9.9.254 255.255.255.0
 ip nat outside

PIX Firewall configuration:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 193.9.9.254 255.255.255.0
ip address inside 10.1.1.99 255.255.255.0
static (inside,outside) 193.9.9.1 10.1.1.1

Example Scenario Security Analysis

This configuration example has several security flaws. First, there is nothing preventing access to any inside TCP or UDP high-port application. Of course, the DNS and FTP filtering does not seem to be a good idea; to mitigate this, you could allow only passive-mode FTP, which uses only outgoing connections. Then simply filtering on established patterns ultimately prevents all incoming connections. These simple ACLs do not maintain state for each established session. Thus, non-session-related packets might be...

Access Rules Inside PIX

Access rules on outside interface:

access-list OUTSIDE permit tcp any host 10.1.1.66 eq 80
access-list OUTSIDE permit tcp any host 10.1.1.66 eq 443
access-list OUTSIDE permit tcp host 172.30.4.2 host 172.30.11.2 eq 535
access-list OUTSIDE permit tcp host 172.30.2.2 host 10.1.1.65 eq 25
access-group OUTSIDE in interface outside

Access rules on dmz-ebanking interface:

access-list DMZ-EBANKING permit tcp host 172.30.11.2 host 10.1.1.67 eq 1521
access-group DMZ-EBANKING in interface dmz-ebanking

Access...

ICMP Refresher

IP hosts and routers use the ICMP protocol to provide basic error signaling and notifications, such as:
- Reachability information (echo, echo-reply, unreachable messages)
- Resource quality (source quench messages)
- Information (mask-request, mask-reply, timestamp messages)
- Generic error reporting (parameter problem messages)

Usually, IP hosts do not rely on ICMP information and can, in most cases, operate with ICMP filtered out of the network. Many network administrators use the traceroute...

PAT Mechanism

Traffic originating at different local hosts, but translated to the same inside global address, is differentiated using the source port number. In the example both inside hosts (10.1.1.1 and 10.1.1.2) connect to the same outside server (65.38.12.9). Both connections appear on the outside as if they originated at the same source address (173.3.8.1); however, the port numbers (1034 and 2138) separate the sockets from each other. The TCP and UDP port number range allows up to 65,536 port numbers per IP...
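The PAT mechanism just described, and the "drops any connection attempts to invalid sockets" behaviour from the First Level Security Measure section, as a toy translation table. This is an added example, not Cisco code; it reuses the text's addresses (10.1.1.x inside, 173.3.8.1 global, 65.38.12.9 server), and the port-allocation policy and idle timeout are assumptions for illustration.

```python
"""Added example: a toy PAT (many-to-one NAT) translation table.
Not Cisco code; addresses follow the text, allocation policy is constructed."""
from dataclasses import dataclass

GLOBAL_IP = "173.3.8.1"   # the single inside global address shared by all inside hosts


@dataclass
class Entry:
    inside: tuple      # (inside local IP, inside local port)
    outside: tuple     # (outside server IP, server port)
    last_seen: float   # time of the last packet that matched this entry


class PatTable:
    def __init__(self, global_ip=GLOBAL_IP, idle_timeout=300.0):
        self.global_ip = global_ip
        self.idle_timeout = idle_timeout
        self.by_global_port = {}   # global port -> Entry
        self.by_flow = {}          # (inside socket, outside socket) -> global port
        self.next_port = 1024      # next candidate when the client's own port is taken

    def _allocate(self, preferred):
        # Keep the client's source port when it is free (the text's 1034 and 2138);
        # otherwise hand out the next unused port, so two inside hosts that happen to
        # use the same source port still get distinct global sockets.
        if preferred >= 1024 and preferred not in self.by_global_port:
            return preferred
        while self.next_port in self.by_global_port:
            self.next_port += 1
        if self.next_port > 65535:
            raise RuntimeError("PAT port space exhausted")
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, src_ip, src_port, dst_ip, dst_port, now):
        """Translate an inside-to-outside packet; returns the global (ip, port) it leaves with."""
        flow = ((src_ip, src_port), (dst_ip, dst_port))
        gport = self.by_flow.get(flow)
        if gport is None:
            gport = self._allocate(src_port)
            self.by_flow[flow] = gport
            self.by_global_port[gport] = Entry(flow[0], flow[1], now)
        self.by_global_port[gport].last_seen = now
        return (self.global_ip, gport)

    def inbound(self, src_ip, src_port, dst_port, now):
        """Translate an outside-to-inside packet. Returns the inside (ip, port), or None
        when the packet is dropped: no entry for that global port, the sending peer does
        not match the entry, or the entry has idled out."""
        entry = self.by_global_port.get(dst_port)
        if entry is None or entry.outside != (src_ip, src_port):
            return None   # connection attempt to an invalid socket: dropped
        if now - entry.last_seen > self.idle_timeout:
            del self.by_global_port[dst_port]
            del self.by_flow[(entry.inside, entry.outside)]
            return None   # stale entry expired; unsolicited packet dropped
        entry.last_seen = now
        return entry.inside
```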

Practice

Q1) What is the security issue in classic packet filtering of active FTP sessions?
A) the control session cannot be adequately filtered
B) allowing data sessions to the client opens up all the high ports on the client
C) performance of data transfer is low
D) allowing control sessions to the client opens up all the high ports on the client
E) the established keyword cannot be used for control or data sessions

Q2) How do packet filters handle IP fragments, when filtering on Layer 4 ports?
A) all...

ALG Handling of H323

An H.323 ALG is a combination of an H.323 gatekeeper and an H.323 proxy. Such an ALG presents the only visible media endpoint, and all other endpoints communicate with it to route calls to their final destinations. The ALG, especially the gatekeeper, may deploy filtering rules specifying which functionality is allowed within the H.323 network. This is a solution that minimizes the exposure of an H.323 network and allows minimal connectivity from untrusted networks to the ALG itself. Depending on...