
7002_١١٢٥٢٤.pdf



7 1 Network Security
Dr. Abdullah Rashed

Network Organization

1. Firewalls and Proxies
   1.1. Firewalls
   1.2. Proxies
2. Analysis of the Network Infrastructure
   2.1. Outer Firewall Configuration
   2.2. Inner Firewall Configuration
3. In the DMZ
   3.1. DMZ Mail Server
   3.2. DMZ WWW Server
   3.3. DMZ DNS Server
   3.4. DMZ Log Server

In the DMZ

DMZ Mail Server
DMZ WWW Server
DMZ DNS Server
DMZ Log Server

DMZ Mail Server

The mail server in the DMZ performs address and content checking on all electronic mail messages. The goal is to hide internal information from the outside while being transparent to the inside. When the mail server receives a letter from the Internet, it performs the following steps.

1. The mail proxy reassembles the message into a set of headers, a letter, and any attachments. The attachments are assembled into their native form (not the form used to transmit them through electronic mail). This allows the mail server to work on the original mail, as opposed to a packetized form of the letter. It simplifies the checking.

2. The mail proxy scans the letter and attachments, looking for any “bad” content. “Bad” content here is defined as a computer virus or known malicious logic. The attachments are then restored to the form used to transmit them through electronic mail. The headers, the letter, and the attachments are rescanned for any violation of the SMTP

This is the basic content checking. Any binary data (which might indicate a buffer overflow or other attack) is weeded out, as are excessively long lines. Although address lines are limited in length to 1,000 characters, the mail proxy will split them as needed to keep lines less than 80 characters long. The scanning also detects and eliminates known malicious logic (computer viruses and worms, logic bombs, and so forth). The analysis of content for malicious logic uses standard techniques.

3. The mail proxy scans the recipient address lines. The addresses that directed the mail to the Drib are rewritten to direct the mail to the internal mail server. The DMZ mail server then forwards the mail to the internal mail server. This step forwards the mail to the Drib’s internal network, on which it will be delivered. Identification is by host name and not user name, because the mail server determines the identity of the correct host to forward the mail to on the basis of host name, not user name.

The procedure for sending mail out of the Drib is similar. All outgoing mail comes from the internal mail server. Steps 1 and 2 are the same (although the content checking in step 2 may be enhanced to detect keywords such as “proprietary”). But the sanitization for step 3 is different.

3. The mail proxy scans the header lines. All lines that mention internal hosts are rewritten to identify the host as “drib.org,” the name of the outside firewall. All header lines must be checked. In addition to the source address lines, any “Received” lines are to be removed, and any destinations that name the Drib must also be changed. Following this sanitization, the letter is forwarded to the firewall for delivery. This step forwards the mail to the Internet after hiding all details of the Drib’s networks.

This idea comes from the principle of least privilege, because those who do not need to know about the internals of the Drib’s network do not get that information. The primary goals of the mail server are to handle mail and to perform all needed checks and sanitization. This way, the firewalls only need to perform rudimentary checks (such as checks on line length and character type) and leave the detailed checking to the mail servers.

DMZ Mail Server

The DMZ mail server also runs an SSH server. This server is configured to accept connections only from the trusted administrative host in the internal network.
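As an added illustration (not from the slides or the Drib design), the following Python script carries out the outbound sanitization of step 3 together with the basic content check of step 2: it rejects letters containing binary data or excessively long lines, deletes every Received line, rewrites internal host names to drib.org, and relies on the standard email library's folding to keep header lines under 80 characters. The internal domain internal.drib.org, the sample letter, and applying the 1,000-character limit to every line rather than only to address lines are assumptions of this example.

```python
import email
import re
from email import policy

# Assumptions of this example (not from the slides): internal hosts live
# under internal.drib.org, and the outside firewall is named drib.org.
INTERNAL_HOST_RE = re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.internal\.drib\.org\b")
OUTSIDE_NAME = "drib.org"
MAX_LINE_LEN = 1000            # longest line the proxy accepts before rejecting
FOLDING = policy.default       # its max_line_length of 78 keeps lines under 80


def content_problems(raw: str) -> list:
    """Basic content check: report binary data and excessively long lines."""
    problems = []
    if any(ord(c) > 126 or (ord(c) < 32 and c not in "\t\r\n") for c in raw):
        problems.append("binary data")
    if any(len(line) > MAX_LINE_LEN for line in raw.splitlines()):
        problems.append("excessively long line")
    return problems


def sanitize_outbound(raw: str) -> str:
    """Prepare a letter leaving the Drib: reject bad content, drop every
    Received line, rename internal hosts to drib.org, refold headers."""
    problems = content_problems(raw)
    if problems:
        raise ValueError("letter rejected: " + ", ".join(problems))
    msg = email.message_from_string(raw, policy=FOLDING)
    # Every header except Received is kept, with internal hosts renamed.
    kept = [(name, INTERNAL_HOST_RE.sub(OUTSIDE_NAME, str(value)))
            for name, value in msg.items() if name.lower() != "received"]
    for name in {n for n, _ in kept} | {"Received"}:
        del msg[name]          # removes all occurrences of that field
    for name, value in kept:
        msg[name] = value
    return msg.as_string()     # the policy folds long headers at 78 columns


# Constructed sample: a letter from an internal workstation, as the
# internal mail server would hand it to the DMZ mail server.
RAW_SAMPLE = (
    "Received: from ws1.internal.drib.org by mail.internal.drib.org\n"
    "From: Alice <alice@ws1.internal.drib.org>\n"
    "To: Bob <bob@example.com>\n"
    "Cc: helpdesk@mail.internal.drib.org\n"
    "Message-ID: <20240101.1@mail.internal.drib.org>\n"
    "Subject: Order status\n"
    "\n"
    "Your order shipped.\n"
)
```

Running `sanitize_outbound(RAW_SAMPLE)` returns the letter with no Received line and every internal host replaced by drib.org, while a letter containing a control character is refused before any header is touched.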
DMZ Mail Server

This allows the system administrators to configure and maintain the DMZ mail host remotely (a great convenience) without unnecessarily exposing that host to compromise.

DMZ WWW Server

The Web server accepts and services requests from the Internet. It does not contact any servers or information sources within the internal network. This means that if the Web server is compromised, the compromise cannot affect internal hosts. Although the Web server runs CGI scripts, the scripts have been checked for potential attacks and hardened to prevent their success. The server itself contains no confidential data.

The Web server also identifies itself as “www.drib.org” and uses the IP address of the outside firewall. This hides part of the DMZ configuration in accordance with the principle of least privilege (because people outside the network need not know the address), and forces external entities to send Web traffic to the firewall.

A system in the internal network known as the “WWW-clone” is used to update the DMZ Web server. People authorized to update the Drib’s Web page can access this system. Periodically (or on request), an administrator will copy the contents of the WWW-clone to the DMZ Web server (see Section 24.7.1). This follows from the principle of separation of privilege, because any unauthorized changes in the Web server are mitigated by the updates.

Like the mail server, the WWW server also runs an SSH server for maintenance and updating. The server provides the cryptographic support necessary to ensure confidentiality and data and origin integrity.

The Drib accepts orders for its merchandise through the Web. The data entered by the consumer is saved to a file. After the user confirms an order, the Web server invokes a simple program that checks the format and contents of the file and creates an enciphered version of the file using the public key of a system on the internal customer subnet.
This file resides in a spooling area that is not accessible to the Web server (see Exercise 3). The program deletes the original file. This way, even if the attacker can obtain the file, the attacker cannot determine the order information or credit card numbers associated with customers. Indeed, because the customer names are in the enciphered files, the attacker cannot even determine the names.

Formally, not keeping valuable information online and in the clear follows from the principle of least privilege, because the users of that machine are not authorized to read the data, and from the principle of separation of privilege, because the cryptographic key is needed to read the data. Using public key cryptography means that only a public key need be on the DMZ Web server. This prevents an attacker from deciphering the data on that system should it be compromised, which is an application of the principle of fail-safe defaults.

The internal trusted administrative server periodically connects to the Web server using the SSH protocol, uploads the enciphered order files, and transmits them to the appropriate system on the internal customer subnet. The SSH server on the Web server is configured to reject connections from any host other than the trusted internal administrative server, so an attacker cannot connect from outside (assuming the attacker is able to penetrate the outer firewall). The principle of denying unknown connections, rather than allowing them and then authenticating them, follows the principle of fail-safe defaults.

DMZ DNS Server

The DMZ DNS host contains directory name service information about those hosts that the DMZ servers must know. It contains entries for the following.

DMZ mail, Web, and log hosts
Internal trusted administrative host
Outer firewall
Inner firewall

Note that the DNS server does not know the

The inner firewall will forward mail to that server. The DMZ mail server need only know the addresses of the two firewalls (for mail transfers), and the trusted administrative server. If the mail server knows the address of the DNS server, it can obtain these three addresses. This gives the internal network the flexibility to rearrange its host addressing. The DMZ DNS server must be updated only if the address of the internal trusted

DMZ Log Server

The log server performs an administrative function. All DMZ machines have logging turned on. In the event of a compromise (or an attempted compromise), these logs will be invaluable in assessing the method of attack, the damage (or potential damage), and the best response. However, attackers can delete logs, so if the logs were on the attacked machines, they might be tampered with or erased.
DMZ Log Server  The Drib has located a fourth server in the DMZ. All other servers log messages by writing them to a local file and then to the log server. The log server also writes them to a file and then to write-once media, which is a precaution in case some attacker is able to overwrite log files on both the target server and the log server. It is also an application of the principle of separation of privilege. DMZ Log Server  The Drib has located a fourth server in the DMZ. All other servers log messages by writing them to a local file and then to the log server. The log server also writes them to a file and then to write-once media, which is a precaution in case some attacker is able to overwrite log files on both the target server and the log server. It is also an application of the principle of separation of privilege. DMZ Log Server  The log system is placed in the DMZ to confine its activity. It never initiates transfer to the inner network. Only the trusted administrative host does that, and then only if the administrators choose not to read logs by reading the media on which the logs reside.  DMZ Log Server  Like the other servers, the log server accepts connections from the internal trusted administrative host. Administrators can view the logs directly, or they can replace the write-once media with another instance of the media and read the extracted media directly. The use of write-once media is an example of applying the principle of least privilege and fail-safe defaults, because the media cannot be altered; they can only be Summary Each server has the minimum knowledge of the network necessary to perform its task. This follows the principle of least privilege. Compromise of the servers on these systems will restrict the transfer of information, but will not lead to compromise of the systems on the internal network. 
Ideally, the operating systems of the server computers should be very small kernels that provide only the system support services necessary to run

In practice, the operating systems are trusted operating systems (developed using assurance techniques, or—more commonly—commercial operating systems in which all unnecessary features and services have been disabled). This minimizes the operations that a server can perform on behalf of a remote process. Hence, even if the server is compromised, the attacker cannot use it to compromise other hosts such as the inner firewall.

The use of proxies on the firewalls prevents direct connections across the firewalls. Moreover, the data passing through the firewalls can be checked and, based on the content, filtered or blocked. The only exception is the SSH connection from the internal network to the DMZ. The inner firewall checks the origination of the connection, to ensure that it comes from the internal administrative host, and the destination, to ensure that it goes to one of
