Solution03 Network Security
Task 1 Terminology
a) What are the three security components as defined in the chapter ‘Firewalls and Security Policies’?
• Security Requirements
• Security Policy
• Security Mechanisms
Rule  Iface  Src IP  Dst IP  Protocol  Src Port  Dst Port  State  Action
A     eth0   *       *       TCP       *         *         New    Permit
B     *      Zone 2  Zone 1  *         *         *         New    Permit
C     eth0   *       *       TCP       *         22        New    Drop
D     *      *       *       *         *         *         Est    Permit
Table 1: Flawed firewall rules.
Rule A: The source address is not specified. Your IP range is 192.168.1.0/24, but your clients might spoof arbitrary IPs.
Rule B: The interface is not specified. The Internet can send arbitrary spoofed packets to your Zone 1.
Rule C: This rule is completely shadowed by rule A. Thus, SSH is allowed by rule A.
Rule D: There is no problem with the correctness of rule D, although placing it at the top of the firewall configuration might result in better performance. This is the case if the majority of the traffic is exchanged in established connections, as matched by rule D, so that no other rules in the table need to be processed before a match.
Finally, a default rule at the end is missing. It should obviously ‘deny everything that did not match’ in this scenario.
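The shadowing of rule C can be found mechanically. The following is an added Python example, not part of the solution sheet: it transcribes Table 1 and reports every rule that an earlier rule in a first-match table already fully covers, together with whether the covered rule's action differs (which is what turns dead rule C into an unintended SSH permit).

```python
# Table 1 transcribed as (name, match fields, action); "*" is a wildcard.
FIELDS = ("iface", "src", "dst", "proto", "sport", "dport", "state")
TABLE_1 = [
    ("A", dict(iface="eth0", src="*", dst="*", proto="TCP", sport="*", dport="*", state="New"), "Permit"),
    ("B", dict(iface="*", src="Zone 2", dst="Zone 1", proto="*", sport="*", dport="*", state="New"), "Permit"),
    ("C", dict(iface="eth0", src="*", dst="*", proto="TCP", sport="*", dport="22", state="New"), "Drop"),
    ("D", dict(iface="*", src="*", dst="*", proto="*", sport="*", dport="*", state="Est"), "Permit"),
]

def covers(wide, narrow):
    """True if every packet matched by `narrow` is also matched by `wide`: each
    field of `wide` is either a wildcard or identical to the field of `narrow`.
    (Exact-value comparison only; port ranges are not needed for Table 1.)"""
    return all(wide[f] == "*" or wide[f] == narrow[f] for f in FIELDS)

def shadowed_rules(table):
    """Map each rule that can never fire (an earlier rule covers it) to the
    first such earlier rule and whether the two actions differ, i.e. whether
    the shadowing silently changes the policy rather than just being dead."""
    result = {}
    for i, (name, match, action) in enumerate(table):
        for prev_name, prev_match, prev_action in table[:i]:
            if covers(prev_match, match):
                result[name] = (prev_name, prev_action != action)
                break
    return result

if __name__ == "__main__":
    for rule, (by, conflict) in shadowed_rules(TABLE_1).items():
        print(f"rule {rule} is shadowed by rule {by}"
              + (" and its action is overridden" if conflict else ""))
```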
Figure 1 (network diagram, not reproduced here; only its label survives): Zone 1: 192.168.1.0/24
Task 3 Firewalls
You want to configure a firewall for your home network. Figure 1 shows the configuration you want
to achieve. In Zone 2, you’ve got one Web server (131.159.20.1) on TCP ports 80 and 443, and one
mail server (131.159.20.2) on TCP port 25. Your home users reside in Zone 1.
Your security policy is as follows:
1. Your home users may freely access any Web service, anywhere, on ports 80 and 443, but only
if they initiate the connection themselves (i.e. they are allowed to browse the Web). No one
outside Zone 1 can initiate connections to Zone 1, on any port.
2. Everyone, including the Evil Internet, can access the web server (both ports) and mail server in
Zone 2. However, no host in Zone 2 can initiate connections anywhere else.
3. Your web server should only be reachable on TCP ports 80 and 443 and your mail server should
only be reachable on port 25.
4. Home users can access the servers in Zone 2 via SSH, too. They can also use SSH to hosts
on the Evil Internet. However, for port 22, hosts in Zone 2 can only be contacted by hosts in
Zone 1.
a) The policy has some ambiguities and conflicts. Find them and resolve them with common sense
by deciding which rule should take precedence.
• Rule 1 implies that Zone 1 can access the mail server on ports 80 and 443. Contradicts rule 3.
Rule 3 should take precedence.
• Rule 4 directly contradicts rule 3. We assume that rule 4 is an exception to rule 3. Rule 4
should take precedence.
In reality, with this setup, most users will be helpless because we don’t allow DNS. Furthermore, a mail server which is not allowed to initiate connections to other mail servers cannot send but only receive mail. We will not solve these issues here.
You can use zone names instead of IP ranges. Use ‘Ext’ if you want to refer to the Evil Internet,
‘Zone 1’ if you want to refer to Zone 1 etc. Use * to indicate ‘all’. You may match on multiple ports
in one rule.
Make sure you drop spoofed packets.
b) Draw and complete a table to define a stateful firewall configuration for the given scenario (as we did in the lecture). Hint: I needed 8 rules.
c) Based on the above, do the same again to define a stateless firewall configuration. Hint: I needed 14 rules (it is possible to do it with 12). Don’t forget about interfaces and spoofing protection.
Table 2 shows the solution for the stateful case.
Table 3 shows the solution for the stateless case. Note the three rules (G1 to G3) needed to implement G without state. You could merge C2 and E2 into one single rule, and likewise D2 and F2.
Rule  Iface  Src IP  Dst IP        Protocol  Src Port  Dst Port  State  Action
A     *      *       *             *         *         *         Est    Permit
B     eth0   Zone 1  Ext           TCP       ≥ 1024    80, 443   New    Permit
C     eth0   Zone 1  131.159.20.1  TCP       ≥ 1024    80, 443   New    Permit
D     eth2   Ext     131.159.20.2  TCP       ≥ 1024    25        New    Permit
E     eth2   Ext     131.159.20.1  TCP       ≥ 1024    80, 443   New    Permit
F     eth0   Zone 1  131.159.20.2  TCP       ≥ 1024    25        New    Permit
G     eth0   Zone 1  *             TCP       ≥ 1024    22        New    Permit
H     *      *       *             *         *         *         Any    Deny
Table 2: Solution for stateful filtering. Est = Established.
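The stateful ruleset of Table 2 can be checked against the policy by first-match evaluation of test packets. This is an added Python example, not the solution sheet's own code; it assumes the interface-to-zone mapping implied by the tables (eth0 = Zone 1, eth1 = Zone 2, eth2 = Ext) and a /24 for Zone 2, which the sheet does not state (it only names the two server hosts).

```python
import ipaddress

# Assumed zone addressing: Zone 1 is from the sheet; a /24 for Zone 2 is an
# assumption. "Ext" means every address outside both zones.
ZONES = {"Zone 1": ipaddress.ip_network("192.168.1.0/24"),
         "Zone 2": ipaddress.ip_network("131.159.20.0/24")}

def addr_ok(ip, spec):
    """Match an address against '*', a zone name, 'Ext' or a single host IP."""
    addr = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "Ext":
        return not any(addr in net for net in ZONES.values())
    if spec in ZONES:
        return addr in ZONES[spec]
    return addr == ipaddress.ip_address(spec)

def port_ok(port, spec):
    """Match a port against '*', '>=1024' or a list such as '80, 443'."""
    if spec == "*":
        return True
    if spec == ">=1024":
        return port >= 1024
    return port in {int(p) for p in spec.split(",")}

# Table 2 transcribed: (rule, iface, src, dst, proto, sport, dport, state, action).
TABLE_2 = [
    ("A", "*",    "*",      "*",            "*",   "*",      "*",       "Est", "Permit"),
    ("B", "eth0", "Zone 1", "Ext",          "TCP", ">=1024", "80, 443", "New", "Permit"),
    ("C", "eth0", "Zone 1", "131.159.20.1", "TCP", ">=1024", "80, 443", "New", "Permit"),
    ("D", "eth2", "Ext",    "131.159.20.2", "TCP", ">=1024", "25",      "New", "Permit"),
    ("E", "eth2", "Ext",    "131.159.20.1", "TCP", ">=1024", "80, 443", "New", "Permit"),
    ("F", "eth0", "Zone 1", "131.159.20.2", "TCP", ">=1024", "25",      "New", "Permit"),
    ("G", "eth0", "Zone 1", "*",            "TCP", ">=1024", "22",      "New", "Permit"),
    ("H", "*",    "*",      "*",            "*",   "*",      "*",       "Any", "Deny"),
]

def decide(iface, src, dst, proto, sport, dport, state):
    """First-match evaluation. The packet is described as it arrives at the
    firewall, so `iface` is the ingress interface (eth0 = Zone 1, eth1 = Zone 2,
    eth2 = Ext, assumed from the tables). Returns (rule, action)."""
    for rule, r_if, r_src, r_dst, r_proto, r_sp, r_dp, r_state, action in TABLE_2:
        if (r_if in ("*", iface) and addr_ok(src, r_src) and addr_ok(dst, r_dst)
                and r_proto in ("*", proto) and port_ok(sport, r_sp)
                and port_ok(dport, r_dp) and r_state in ("Any", state)):
            return rule, action
    raise ValueError("no rule matched")  # unreachable: rule H is a catch-all
```

Because every rule carries the ingress interface, a packet with a spoofed Zone 1 source arriving on eth2 never reaches rule B and falls through to H.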
Rule  Iface  Src IP        Dst IP        Protocol  Src Port  Dst Port  ACK  Action
B1    eth0   Zone 1        Ext           TCP       ≥ 1024    80, 443   Any  Permit
B2    eth2   Ext           Zone 1        TCP       80, 443   ≥ 1024    Yes  Permit
C1    eth0   Zone 1        131.159.20.1  TCP       ≥ 1024    80, 443   Any  Permit
C2    eth1   131.159.20.1  Zone 1        TCP       80, 443   ≥ 1024    Yes  Permit
D1    eth2   Ext           131.159.20.2  TCP       ≥ 1024    25        Any  Permit
D2    eth1   131.159.20.2  Ext           TCP       25        ≥ 1024    Yes  Permit
E1    eth2   Ext           131.159.20.1  TCP       ≥ 1024    80, 443   Any  Permit
E2    eth1   131.159.20.1  Ext           TCP       80, 443   ≥ 1024    Yes  Permit
F1    eth0   Zone 1        131.159.20.2  TCP       ≥ 1024    25        Any  Permit
F2    eth1   131.159.20.2  Zone 1        TCP       25        ≥ 1024    Yes  Permit
G1    eth0   Zone 1        *             TCP       ≥ 1024    22        Any  Permit
G2    eth1   Zone 2        Zone 1        TCP       22        ≥ 1024    Yes  Permit
G3    eth2   Ext           Zone 1        TCP       22        ≥ 1024    Yes  Permit
H     *      *             *             *         *         *         Any  Deny
Table 3: Solution for stateless filtering.
Task 4 Intrusion Detection Systems
Consider again the scenario in Figure 1.
a) Where would you place a NIDS? Justify your answer with a possible attack that would be detected
by the NIDS.
A NIDS could be placed in Zone 1 to watch over the protected network.
Assuming that the NIDS is connected to the network switch, it could detect a compromised workstation which performs port scans or sends payloads containing predefined signatures.
b) Would you add a HIDS to the Web and Mail server? What would be the trade-offs?
One HIDS could run on the Web server and another one on the Mail server.
The HIDS could monitor the machines for attacks that compromise configuration integrity on the server itself. However, running a HIDS adds a performance overhead, since it monitors the host activity in real time.
c) Describe the difference between a false positive error and a false negative error in the context of intrusion detection. Describe two intrusion detection methods and highlight their relation to binary classification errors.
False positive ⇒ An alarm was raised but no intrusion took place
False negative ⇒ No alarm was raised although an intrusion took place
Misuse Detection: Knowledge-based scanning for predefined signatures. Fast detection of known attacks; the false positive error rate is typically very low, but attacks without a signature are missed (false negatives).
Anomaly Detection: Behaviour-driven comparison between a predefined normal system state and the current state. The system is able to detect new attacks but typically has a higher false positive error rate.
PS: Here are some beef tacos for you. Yours, Bob.