A network is made of many different types of devices, and the operation of each is very closely related to the OSI layers. We are going to cover all of the devices you would normally find in a given network starting with layer 1 and working our way up the stack.

Remember that layer 1 is the physical layer – this is all about getting signals from point A to point B across either some type of cable or perhaps wireless technology. We have already discussed that a signal will always lose strength as it travels, and so the first device we encounter is a repeater – a device that simply amplifies a signal and forwards it on. There is very little intelligence in a repeater, but some are capable of cleaning up noise. Obviously cleaning up a digital signal will be far more effective than trying to clean an analog signal, since a digital repeater can regenerate the original 1s and 0s instead of amplifying the noise along with them. A hub is simply a repeater with multiple ports, and is sometimes referred to as a concentrator because it connects multiple physical devices.

On layer 2 we find a couple of devices – bridges and switches. Now switches can actually work at layers 2, 3 and 4, but for now we will focus on layer 2 only. A bridge connects LAN segments and examines every frame that comes by. By examining the destination MAC address, a bridge is able to decide if the frame should be forwarded to another segment or simply absorbed (not forwarded). A bridge therefore separates collision domains – it will not let frames through unless they are addressed to a computer on another segment. However, a broadcast frame (destination MAC address FF:FF:FF:FF:FF:FF) is addressed to every host, so a bridge forwards it out of every port; bridges do not interfere with broadcasts and therefore do not create separate broadcast domains. There are three types of bridges:

Local – connects LANs within a local area, usually a building

Remote – connects LANs over a MAN by using a telecommunication link

Translation – connects LANs that use different protocols, for example Ethernet and Token Ring

Bridges have to know which port frames should be forwarded to based on the frame's destination MAC address. Originally, this forwarding table had to be manually entered into each bridge, but this was replaced by transparent bridging. The bridge builds the table as it receives frames on each port: it records the port and the source MAC address of every frame that comes in, so when a frame addressed to that MAC address is later received, the bridge knows immediately which port it should be forwarded to. Eventually the bridge learns every MAC address on each segment. Of course, the bridge must also do something with a frame whose destination MAC address it has not yet encountered. It does not send a separate query; it floods the frame itself out of every port except the one it arrived on (an "unknown unicast"). The host with that MAC address replies, and the bridge learns the correct port from the source address of the reply. Bridges that are connected in redundant loops use the Spanning Tree Algorithm (STA, standardized as the Spanning Tree Protocol, IEEE 802.1D), which blocks redundant links so that frames (broadcasts especially) do not circulate forever, assigns priorities to certain paths and calculates costs for paths. This results in a loop-free and more efficient forwarding topology.
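The learning behaviour described above, as an added example that is not part of the study guide: a small transparent bridge that learns source MAC addresses, floods frames for destinations it has not seen yet, forwards known destinations out a single port and absorbs frames whose sender and receiver share a segment. The port names and MAC addresses are constructed for the demonstration.

```python
"""Transparent (learning) bridge simulation.

Added example, not from the study guide. Ports "p1".."p3" and the MAC
addresses in demo() are constructed for the demonstration.
"""
from collections import namedtuple

# The bridge only looks at layer 2 addresses, so that is all a frame carries here.
Frame = namedtuple("Frame", "src dst")

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningBridge:
    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}      # MAC address -> port it was last seen on
        self.events = []     # (frame, action, egress ports), for inspection

    def receive(self, frame, in_port):
        """Process one frame arriving on in_port; return the list of egress ports."""
        # Learning: the source MAC is reachable through the port the frame came in on.
        self.table[frame.src] = in_port
        if frame.dst == BROADCAST or frame.dst not in self.table:
            # Broadcast or unknown unicast: flood out every port except the ingress one.
            # No query frame is sent; the flooded frame itself reaches the destination,
            # whose reply then teaches the bridge where that host lives.
            out = [p for p in self.ports if p != in_port]
            action = "flood"
        elif self.table[frame.dst] == in_port:
            # Sender and receiver are on the same segment: absorb (filter) the frame.
            out = []
            action = "filter"
        else:
            out = [self.table[frame.dst]]
            action = "forward"
        self.events.append((frame, action, out))
        return out


def demo():
    """Constructed traffic: alice (p1) talks to bob (p2), bob replies, alice talks
    to bob again, then carol (also on p1) talks to alice."""
    bridge = LearningBridge(ports=["p1", "p2", "p3"])
    alice, bob, carol = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02", "cc:cc:cc:00:00:03"
    r1 = bridge.receive(Frame(alice, bob), "p1")    # bob unknown: flooded to p2 and p3
    r2 = bridge.receive(Frame(bob, alice), "p2")    # alice known: forwarded to p1 only
    r3 = bridge.receive(Frame(alice, bob), "p1")    # bob now known: forwarded to p2 only
    r4 = bridge.receive(Frame(carol, alice), "p1")  # same segment: absorbed
    return r1, r2, r3, r4, dict(bridge.table)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The fourth frame is the case the text calls "absorbed": carol and alice are both behind p1, so forwarding would only add traffic to the other segments. Note that the table is keyed by MAC address alone; a real bridge also ages entries out so that a host that moves to another port is relearned.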

Sometimes the sender decides the path itself. In Token Ring source-route bridging a computer sends out an explorer frame that returns the route it took, and in IP the sender can place a Loose or Strict Source and Record Route option (LSRR or SSRR) in the packet header that tells each router the exact path the packet should travel. This is called source routing, and it is very much frowned on – we should let the network devices figure out the best path instead of whoever is sending the frame or packet. In fact, attackers will sometimes use source routing to steer packets around certain network devices, so border routers and firewalls should be configured to discard any such traffic.
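A filter for the IP variant of source routing, as an added example that is not from the study guide: it walks the IPv4 options field and reports a packet that carries a Loose (type 131) or Strict (type 137) Source and Record Route option, which is what a border device would look for before dropping it. The addresses and the option contents are constructed inline.

```python
"""Detect IPv4 source-routing options (LSRR / SSRR) in a raw packet header.

Added example, not from the study guide. The header bytes are constructed
by build_header(); no real capture is involved.
"""
import struct

IPOPT_EOL, IPOPT_NOP = 0, 1          # single-byte options
IPOPT_LSRR, IPOPT_SSRR = 131, 137    # loose (0x83) and strict (0x89) source route


def ipv4_options(packet):
    """Return the option bytes of an IPv4 packet (empty when IHL == 5)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return packet[20:ihl]


def parse_options(opts):
    """Yield (type, data) for each option, handling single-byte EOL and NOP."""
    i = 0
    while i < len(opts):
        t = opts[i]
        if t == IPOPT_EOL:
            return
        if t == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        yield t, opts[i + 2:i + length]
        i += length


def source_route(packet):
    """Return ('loose'|'strict', [hop addresses]) if the packet is source routed, else None."""
    for t, data in parse_options(ipv4_options(packet)):
        if t in (IPOPT_LSRR, IPOPT_SSRR):
            # data[0] is the pointer byte; the route list of 4-byte addresses follows it.
            hops = [".".join(str(b) for b in data[1 + k:5 + k])
                    for k in range(0, len(data) - 1, 4)]
            return ("loose" if t == IPOPT_LSRR else "strict"), hops
    return None


def build_header(src, dst, options=b""):
    """Build a minimal IPv4 header (checksum left zero) carrying the given options."""
    options += b"\x00" * (-len(options) % 4)        # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options), 0, 0, 64, 6, 0,
                        bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return fixed + options


def demo():
    """Constructed packets: one plain, one with an LSRR option naming two hops."""
    plain = build_header("10.0.0.5", "192.0.2.10")
    lsrr = bytes([IPOPT_LSRR, 11, 4]) + bytes([203, 0, 113, 1]) + bytes([192, 0, 2, 1])
    routed = build_header("10.0.0.5", "192.0.2.10", lsrr)
    return source_route(plain), source_route(routed)


if __name__ == "__main__":
    print(demo())
```

On a Linux router or host the equivalent policy is the `net.ipv4.conf.all.accept_source_route` sysctl set to `0`, which makes the kernel drop source-routed packets itself; the parser above is what an inline filter or IDS rule does when it has to make the same decision on raw packets.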

A switch is basically a hub combined with a bridge – it amplifies and cleans up signals, AND forwards frames based on MAC addresses, with every port being its own collision domain. However, a layer 2 switch adds a lot of extra intelligence by allowing forwarding rules to be implemented according to access control lists (ACLs) and supporting virtual LANs (VLANs). A VLAN allows an administrator to create virtual networks regardless of the physical location of each device. For example, 2 computers on the 2nd floor and 9 computers on the 10th floor can be combined into a single VLAN – as far as the computers can tell they are all physically connected to the same switch. This greatly enhances security as well as management of the network, not to mention scalability: each VLAN is its own broadcast domain, so broadcasts from one VLAN do not consume bandwidth in another, and traffic between VLANs has to pass through a layer 3 device where it can be filtered.

In layer 3 we find routers, which know all about IP addresses. Remember that broadcasts are implemented using special IP addresses, and routers do not forward them, so we can create broadcast domains with a router. It can also have ACLs, but based on IP addresses instead of just MAC addresses. Remember all of the routing protocols we discussed before? Routers are the network devices that use them – RIP, OSPF, BGP, IGRP etc., and therefore routers are able to do something switches can't: calculate the best path for packets to take, and work around fluctuations in network congestion. Some networks require smaller packets than others (the maximum transmission unit, or MTU), so if a packet needs to be fragmented, the router is the one that takes care of that. While a switch builds a table of MAC addresses and which port frames should be sent to based on the destination MAC address, a router builds a table of IP networks and which interface a packet should be sent out of.

When should we use each device? Here is a short list to help you decide:

• If you want to send a signal a long distance and don’t care about reducing collisions, use a repeater, hub or concentrator

• If you want to create a collision domain, use a bridge, switch or router

• If you want to create a virtual LAN or apply ACLs based on MAC addresses, use a switch

• If you want to create a broadcast domain or apply ACLs based on IP addresses, use a router

While we are still on layer 3, let's return to switches. Originally switches were only layer 2 devices, as they dealt solely with MAC addresses. But over time they increased in power and functionality to the point where they are multilayer devices: they can operate at layers 2, 3 and 4. So then, what is the difference between a router and a layer 3 switch? A layer 3 switch moves the routing lookup logic into hardware, an application-specific integrated circuit (ASIC), where it is much faster, whereas a traditional router does the lookup in software on a general-purpose CPU.

Because it takes processing power to peel back OSI layers and take a peek at the contents, layer 3 and 4 switches can use multiprotocol label switching (MPLS). In practical terms, when the first MPLS-capable switch encounters a packet, it digs in and extracts everything it needs from the packet to make a decision on how it should be routed, and attaches an MPLS label representing the path it should take. The next switch sees the label and forwards the packet accordingly without having to take the run-time hit of looking inside the packet. This considerably speeds up forwarding. Of course, any tag-based forwarding scheme is only as trustworthy as the tags it accepts from the edge of the network, and the best-known abuses are against 802.1Q VLAN tags rather than MPLS labels. In a double tagging attack, an attacker on the trunk's native VLAN sends a frame carrying two VLAN tags; the first switch strips the outer (native VLAN) tag and forwards the frame onto the trunk, and the next switch reads the inner tag and delivers the frame into a VLAN the attacker should not be able to reach. If an attacker understands the trunking protocol used in a network, he can negotiate a trunk link by pretending to be a switch and receive traffic from every VLAN carried on that trunk; this is a switch spoofing attack. Both are VLAN hopping attacks, which occur whenever an attacker is able to gain access to traffic in another VLAN. The defenses are to disable trunk negotiation on access ports, to use an otherwise unused VLAN as the native VLAN, and never to accept tagged frames from untrusted ports.
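The double tagging mechanism, as an added example that is not from the study guide: a tiny 802.1Q parser and a model of a switch sending a frame out a trunk whose native VLAN travels untagged. The MAC addresses, VLAN ids and payload are constructed; the hardened case simply moves the native VLAN to an unused id, as the text recommends.

```python
"""802.1Q tag parsing, showing how a double-tagged frame crosses a trunk.

Added example, not from the study guide. MAC addresses, VLAN ids 1/20/999
and the payload are constructed for the demonstration.
"""
import struct

TPID_8021Q = 0x8100


def parse_tags(frame):
    """Return (dst, src, [vlan ids outer->inner], ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    off, vids = 12, []
    while off + 4 <= len(frame) and struct.unpack("!H", frame[off:off + 2])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vids.append(tci & 0x0FFF)          # low 12 bits of the TCI are the VLAN id
        off += 4
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    return dst, src, vids, ethertype, frame[off + 2:]


def build_frame(dst, src, vids, ethertype, payload):
    hdr = dst + src
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def trunk_egress(frame, native_vlan):
    """Model a switch sending a frame out a trunk whose native VLAN is sent untagged.

    If the outer tag equals the native VLAN the switch strips it and transmits
    whatever is left, which is exactly what a double tagging attack relies on.
    """
    dst, src, vids, ethertype, payload = parse_tags(frame)
    if vids and vids[0] == native_vlan:
        return build_frame(dst, src, vids[1:], ethertype, payload)
    return frame


def ingress_vlan(frame, native_vlan):
    """VLAN the receiving switch assigns: the outer tag if present, else the native VLAN."""
    vids = parse_tags(frame)[2]
    return vids[0] if vids else native_vlan


def demo():
    attacker = bytes.fromhex("0a0000000001")
    victim = bytes.fromhex("0a0000000002")
    # Attacker sits on VLAN 1, the trunk's native VLAN, and targets VLAN 20.
    crafted = build_frame(victim, attacker, [1, 20], 0x0800, b"constructed payload")
    on_trunk = trunk_egress(crafted, native_vlan=1)     # first switch strips tag 1
    delivered_to = ingress_vlan(on_trunk, native_vlan=1)
    # Same frame when the native VLAN is an unused id: tag 1 is an ordinary tag,
    # it is not stripped, and the inner tag never becomes the outer one.
    hardened = trunk_egress(crafted, native_vlan=999)
    return parse_tags(on_trunk)[2], delivered_to, parse_tags(hardened)[2]


if __name__ == "__main__":
    print(demo())
```

The first switch never makes a forwarding decision on VLAN 20; it only removes a tag it believes is redundant. That is why the fix is a configuration change on the trunk (an unused native VLAN, or tagging the native VLAN as well, which Cisco IOS exposes as the `vlan dot1q tag native` command) rather than anything on the victim's side.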

Network Devices

Device        Amplifies  Collision domain  Broadcast domain  VLAN  MAC ACL  IP address ACL
Repeater      X
Hub           X
Concentrator  X
Bridge                   X
Switch                   X                                   X     X
Router                   X                 X                                X

Gateways

A gateway is a piece of software (or a device running it) that connects two dissimilar environments. Most often it will translate between two different networking protocols, such as Ethernet and FDDI. A gateway can provide functionality similar to a bridge or a router. For example, an electronic mail gateway manages communication between different mail server platforms.

PBXs

A PBX, or private branch exchange, is a private, company-owned telephone switch located on the company's premises. All in-house telephone lines are serviced by the PBX, which is then connected to the public telephone network via a dedicated line. When looking for security vulnerabilities, many companies overlook PBXs, but these can be a significant vector for attacks as they are almost always connected to the internal network. To make things worse, PBXs often have an attached modem for service personnel to dial in while servicing the PBX – this is called a hanging modem. These modems should always be disabled unless a service call is in progress. Phone hackers (phreakers) used to be very active, but are not as much these days.

Firewalls

A firewall is a software package or appliance that examines packets and makes decisions on how to handle each one based on configurable rules. Modern firewalls blur the line between routers and firewalls, as by definition routers can do the same thing. The biggest difference is that the primary function of a firewall is to protect networks, as opposed to simply routing packets.

Demilitarized zones (DMZs) are often set up around public servers using firewalls – incoming traffic first hits the external firewall, which forwards only the permitted packets to the servers in the DMZ. The DMZ servers in turn communicate with application servers sitting behind another, internal firewall. IDSs are also commonly placed in the DMZ to watch for malicious traffic that has gotten past the external firewall. We will cover the different types of firewalls (packet-filtering, stateful, proxy, dynamic packet-filtering, kernel proxy and next-generation), and follow that up with a discussion of general firewall architectures.

Packet-Filtering

The first generation of firewalls were packet-filtering firewalls – they were capable of looking at layers 3 and 4 (network and transport) and either allowing the packet through or discarding it. The packet contents examined are:

• Source and destination IP addresses

• Source and destination ports

• Protocol (TCP, UDP, etc.)

Packet filtering is also called stateless inspection because it only looks at individual packets – it does not look at the conversation the packets are involved in. A stateful inspection, by contrast, keeps track of the packets exchanged at the socket level over time (remember a socket is the combination of an IP address and port). A stateful firewall therefore keeps track of packets until the socket is closed. We'll discuss this more in just a bit.

Since packet-filtering firewalls are stateless, they are unable to detect suspicious behavior – all they can do is apply their very limited ACLs and either deny or approve packets. As a result these devices are good at network-level filtering, but not so much when it comes to application-specific filtering. These devices are commonly found at the exterior edge of a network where the 'junk' can be stripped off before being passed through more comprehensive filtering. They have limited logging capabilities, usually do not support advanced authentication functions, and do not recognize packet fragmentation attacks or spoofed addresses.

Stateful

We have already mentioned stateful firewalls – these devices track socket conversations over time so they can apply a much deeper analysis of packets and catch behavioral attacks. Recall for a moment the 3-step handshake that every TCP connection requires of SYN, SYN/ACK, ACK – a specific TCP flag bit is set to '1' for each of the SYN and ACK values, and there are other flags as well (FIN, RST, PSH and URG). Now, while a packet-filtering firewall can reject anomalous things such as all TCP flags being set to 1 (which is highly suspect), when it sees a SYN/ACK come by, it has no idea if a SYN was already sent. A stateful firewall, on the other hand, can simply look back in its state table for that socket and see if a SYN was previously sent, and if not, discard the packet if a rule says to do so. The TCP states that a firewall tracks are (in order) LISTEN, SYN-SENT, SYN-RECEIVED, ESTABLISHED, FIN-WAIT-1, FIN-WAIT-2, CLOSE-WAIT, CLOSING, LAST-ACK, TIME-WAIT and CLOSED. A stateful firewall keeps track of the overall state of the conversation until it has been closed and then discards all of the information it was tracking (log files will usually still retain some of this information). The current sequence number is also tracked – while packets out of sequence are a common occurrence, if the frequency for a given conversation is too high, the firewall may take action.

UDP packets must also be tracked, but since UDP is by definition a connectionless protocol, a stateful firewall has a tougher time detecting anomalies. Since there is no definitive end to a UDP 'conversation', the firewall will eventually simply decide the connection has timed out after a period of inactivity. While TCP has the ability for a receiving computer to signal the sender to slow down, UDP has no such facility; historically ICMP (the now-deprecated Source Quench message) was used to tell the sending computer to slow down, and ICMP error messages such as Destination Unreachable are still how a UDP sender learns that something went wrong. The firewall must therefore be intelligent enough to allow ICMP packets through if they are associated with a UDP conversation it is tracking, while still dropping unsolicited ICMP. Stateful firewalls are pretty complicated beasts.

Since stateful firewalls must maintain 'state', it must be stored in memory somewhere, and that opens the device up to a vulnerability. An attacker can simply flood the firewall with bogus connection attempts (a SYN flood, for example) in an attempt to fill up its state table and cause it to freeze, crash or drop legitimate connections – this is a denial of service (DoS) attack. Well-built stateful firewalls therefore cap the size of the table, expire half-open entries aggressively, and fail closed rather than crash when the table is full.

Proxy

While both stateless and stateful firewalls simply allow or deny packets from coming in or out, a proxy firewall actually breaks the communication path and talks to each computer itself without allowing the computers to communicate directly with each other. Think of it as a person relaying messages between two people who are just out of earshot, but this 'middle-man' is continually looking out for lies or insults and making sure those messages are not relayed. The advantage of a proxy firewall is that it turns the security model upside down. Where packets going through a stateless or stateful firewall might default to getting through if they do not match a rule, packets going through a proxy firewall must make sense to the proxy before they can be translated to the other side – this provides extra security.

Proxy firewalls only operate at the higher OSI layers (5-7). A circuit-level proxy works at layer 5 (the Session layer), and therefore cannot look too deeply into each packet since it does not understand anything above layer 5. Application-level proxies work at layer 7 (the Application layer) and have much more intelligence, but are also slower since they have to dig through more data that is available at layer 7. For example, a circuit-level proxy can inspect FTP packets but won’t be able to notice most issues, while an application-level proxy can tell the difference between a GET and PUT command.

Unfortunately, in addition to being slow, application-level proxies are more expensive to maintain since each can only monitor a single application-level protocol such as FTP, HTTP, SMTP, etc. Circuit-level proxies can handle just about any type of traffic, but lack intelligence. SOCKS is one example of a circuit-level protocol: a SOCKS client asks the proxy to open a connection to a destination host and port on its behalf, the proxy relays the bytes in both directions, and it can require the client to authenticate first. SOCKS provides no encryption of its own, so the 'secure channel' it offers is a controlled path through the proxy, not confidentiality. Because SOCKS is protocol-agnostic, it is widely supported and many applications can be configured to communicate through it.
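The difference between what a circuit-level proxy and an application-level proxy can decide on, as an added example that is not from the study guide. It parses a SOCKS5 CONNECT request (the RFC 1928 layout, with the method negotiation and the proxy's reply left out) to show that a circuit-level proxy learns only the destination host and port, then parses the HTTP request line that follows to show what an application-level proxy can additionally judge. The hostname, the allowed ports and methods, and the two HTTP requests are constructed for the demonstration.

```python
"""What a circuit-level proxy sees versus what an application-level proxy sees.

Added example, not from the study guide. The SOCKS5 request and the HTTP
requests in demo() are constructed; the allowed ports and methods are policy
assumptions for the demonstration.
"""
import struct

SOCKS_VERSION, CMD_CONNECT = 5, 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


def parse_socks5_connect(data):
    """Return (host, port, remaining bytes) from a SOCKS5 request; reject anything but CONNECT."""
    ver, cmd, rsv, atyp = data[:4]
    if ver != SOCKS_VERSION or rsv != 0:
        raise ValueError("not a SOCKS5 request")
    if cmd != CMD_CONNECT:
        raise ValueError("only CONNECT is relayed here")
    if atyp == ATYP_IPV4:
        host, off = ".".join(map(str, data[4:8])), 8
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, off = data[5:5 + n].decode("ascii"), 5 + n
    elif atyp == ATYP_IPV6:
        host, off = data[4:20].hex(), 20         # enough for a policy lookup
    else:
        raise ValueError("unknown address type")
    port = struct.unpack("!H", data[off:off + 2])[0]
    return host, port, data[off + 2:]


def circuit_level_policy(host, port, allowed_ports=(80, 443)):
    """A circuit-level proxy can only decide on who talks to whom."""
    return port in allowed_ports


def application_level_policy(http_request, allowed_methods=("GET", "HEAD")):
    """An application-level proxy understands the protocol, so it can judge the method."""
    request_line = http_request.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return False                                 # not HTTP at all: deny
    method, _target, _version = parts
    return method in allowed_methods


def socks5_request(host, port):
    """Build a SOCKS5 CONNECT request for a domain name (the client's side, constructed)."""
    name = host.encode("ascii")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def demo():
    """Two constructed sessions: a GET the circuit-level check passes and the
    application-level check passes, and a PUT only the application-level check stops."""
    results = []
    for req in (b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
                b"PUT /upload HTTP/1.1\r\nHost: example.com\r\n\r\n"):
        stream = socks5_request("example.com", 80) + req
        host, port, rest = parse_socks5_connect(stream)
        results.append((host, port, circuit_level_policy(host, port),
                        application_level_policy(rest)))
    return results


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Both sessions look identical to the circuit-level check (example.com, port 80, allowed); only the proxy that parses HTTP can tell the PUT apart from the GET. The price is the one the text names: application_level_policy is HTTP-specific and would need a sibling for every other protocol the proxy is expected to understand.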

Dynamic Packet-Filtering

When a client computer connects to an external server, it chooses a random, high-numbered (ephemeral) source port for its side of the connection. For example, when you visit a web site from your laptop, it will select a port such as 20110 and then connect to the web server on port 80, which is the well-known port for HTTP. Your computer sends not only its own IP address but port 20110 as well, so the web server knows where to send the page back to. When the web server has prepared the content, it sends it back on that same connection, addressed to your IP address and port 20110; it does not open a new connection of its own.

However, if there is a simple packet-filtering firewall in place, we would have to allow inbound traffic to port 20110 for this to work. To make matters worse, the firewall has no knowledge of which random port your computer will choose, so it would have to open up, let's assume, ports 18000 through 30000. If we have to do this, then what is the point of a firewall? We just opened ourselves up to attack on all of those ports. Instead, a dynamic packet-filtering firewall keeps these high-numbered ports closed until a computer within its network initiates a connection from one. Then the firewall opens that port only for that connection's remote address and port and monitors the connection; when the connection has been closed, or has been idle past a timeout, it closes the port again. This allows any type of traffic outbound while still limiting inbound traffic to the replies the inside actually asked for.
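Stateful and dynamic packet filtering, as described in the stateful section earlier and in this one, as an added example that is not from the study guide. A stateless filter and a stateful one are run over the same constructed packet trace: the stateless rule that lets replies reach the client's ephemeral port also lets in an unsolicited SYN/ACK and a bare ACK probe, while the stateful filter admits only packets that fit a connection it saw being opened, closes the entry with the connection, and refuses new entries once its table is full. The published service, the rules, the ephemeral port range (32768 to 60999, the Linux default) and the addresses are assumptions made for the demonstration.

```python
"""A stateless packet filter and a stateful/dynamic one, run over the same packets.

Added example, not from the study guide. The published web server, the rules,
the ephemeral port range and the packets in demo() are constructed assumptions.
"""
from collections import namedtuple

# direction: "in" = arriving from the Internet, "out" = leaving the protected LAN.
# Only TCP is modelled; flags is a set such as {"SYN"} or {"SYN", "ACK"}.
Packet = namedtuple("Packet", "direction src sport dst dport flags")

INSIDE_WEB = ("192.0.2.10", 80)          # the one service we publish (assumed)
EPHEMERAL = range(32768, 61000)          # client source ports (assumed)


def stateless_filter(pkt):
    """First-generation filter: every packet is judged in isolation."""
    if pkt.direction == "out":
        return True                                   # anything outbound
    if (pkt.dst, pkt.dport) == INSIDE_WEB:
        return True                                   # the public web server
    # Replies to LAN clients: without state the best a stateless ACL can do is
    # admit any ACK-bearing packet to the ephemeral range, which also admits
    # unsolicited SYN/ACKs and bare-ACK probes.
    return pkt.dport in EPHEMERAL and "ACK" in pkt.flags


class StatefulFilter:
    """Tracks every TCP connection and only admits packets that fit its state.

    The state machine is a simplified version of the TCP states listed earlier:
    SYN-SENT -> SYN-RECEIVED -> ESTABLISHED, then two FINs and a final ACK.
    """

    def __init__(self, max_entries=10000):
        self.table = {}            # connection key -> {"state", "initiator", "fins"}
        self.max_entries = max_entries

    @staticmethod
    def key(pkt):
        # The same key for both directions of one connection.
        return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))

    def accept(self, pkt):
        k, sender = self.key(pkt), (pkt.src, pkt.sport)
        entry = self.table.get(k)
        if entry is None:
            if pkt.flags != {"SYN"}:
                return False                          # nothing starts without a SYN
            if pkt.direction == "in" and (pkt.dst, pkt.dport) != INSIDE_WEB:
                return False                          # inbound SYNs only to the published service
            if len(self.table) >= self.max_entries:
                return False                          # table full: fail closed, do not crash
            self.table[k] = {"state": "SYN-SENT", "initiator": sender, "fins": 0}
            return True
        state = entry["state"]
        if state == "SYN-SENT":
            if pkt.flags == {"SYN", "ACK"} and sender != entry["initiator"]:
                entry["state"] = "SYN-RECEIVED"
                return True
            return pkt.flags == {"SYN"} and sender == entry["initiator"]   # SYN retransmit
        if "SYN" in pkt.flags:
            return False                              # a SYN inside a live connection is bogus
        if state == "SYN-RECEIVED":
            if "ACK" in pkt.flags and sender == entry["initiator"]:
                entry["state"] = "ESTABLISHED"
                return True
            return False
        if "FIN" in pkt.flags:
            entry["fins"] += 1
        elif entry["fins"] == 2 and "ACK" in pkt.flags:
            del self.table[k]                         # final ACK: the pinhole closes
        return True


def demo():
    client, server, attacker = "10.0.0.7", "198.51.100.9", "203.0.113.66"
    trace = [
        # A LAN client opens a connection from an ephemeral port; the reply is
        # the case dynamic packet filtering exists for.
        Packet("out", client, 40000, server, 443, {"SYN"}),
        Packet("in", server, 443, client, 40000, {"SYN", "ACK"}),
        Packet("out", client, 40000, server, 443, {"ACK"}),
        # Unsolicited SYN/ACK and a bare ACK probe aimed at the ephemeral range.
        Packet("in", attacker, 443, client, 40001, {"SYN", "ACK"}),
        Packet("in", attacker, 5555, client, 40000, {"ACK"}),
        # An ordinary visitor reaching the published web server.
        Packet("in", attacker, 51000, INSIDE_WEB[0], INSIDE_WEB[1], {"SYN"}),
        Packet("out", INSIDE_WEB[0], INSIDE_WEB[1], attacker, 51000, {"SYN", "ACK"}),
        # A SYN/ACK injected into the client's already established connection.
        Packet("in", server, 443, client, 40000, {"SYN", "ACK"}),
    ]
    sf = StatefulFilter()
    return [(stateless_filter(p), sf.accept(p)) for p in trace]


def syn_flood(attempts, max_entries=3):
    """Half-open connections fill the state table; past the cap new ones are refused."""
    sf = StatefulFilter(max_entries=max_entries)
    return sum(sf.accept(Packet("in", "203.0.113.66", 1024 + i, INSIDE_WEB[0], INSIDE_WEB[1], {"SYN"}))
               for i in range(attempts))


if __name__ == "__main__":
    for decision in demo():
        print("stateless=%s stateful=%s" % decision)
    print("accepted during flood:", syn_flood(5))
```

Packets 4, 5 and 8 of the trace are the ones the text says a stateless device cannot catch: each is individually well-formed and matches the "ACK to an ephemeral port" rule, but none belongs to a connection the inside opened. The syn_flood helper shows the cost of keeping that state, and the cap is the deliberate trade: once the table is full, new connections are refused rather than the device falling over, which is still a denial of service for new clients but not a crash.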

Kernel Proxy

There are many software firewall packages that can run on common operating systems such as Windows and Linux. However, the more complex a system, the more vulnerabilities it will have. Because firewalls are the first line of defense, they must be extremely stable and secure from attacks. Therefore most modern-day firewalls are implemented in appliances, dedicated hardware/software platforms that exist solely to create a firewall.

However, fifth-generation firewalls take it one step further and put the packet inspection intelligence inside the kernel itself, providing an order of magnitude speed increase over software whose packet inspection is placed outside the kernel. These systems are called kernel proxy firewalls, and because of their speed boost they can load a virtual network stack for each packet inspection process that is customized to the packet's protocol. Kernel proxy firewalls provide the same level of features as the other firewalls we have already discussed.

Next-Generation

Next-generation firewalls (NGFWs) provide the best features of all of the firewalls we have discussed thus far, plus one huge advantage: they integrate an intrusion prevention system (IPS) that can detect attacks or malicious behavior based on signatures, or detectable patterns that have been seen elsewhere. NGFWs update their signature list dynamically based on attacks that other NGFWs from the same vendor have reported. They also reduce the potential for misconfiguration by connecting to Active Directory, whitelists and blacklists, and policy servers, so rules can be written in terms of users and applications rather than only addresses and ports. They are very expensive to purchase and maintain, but offer state-of-the-art protection.

Firewall Architectures

Some companies place a firewall at the edge of their network and feel safe. Unfortunately, most firewalls are relatively insecure at their default settings, and even when properly configured do not offer as much protection as many think. That is why defense in depth is so important – this is the implementation of multiple layers of security. The idea is that if an attacker gets past one layer, they then have to contend with another; the more layers of defense, the more secure a network is.
