Operating System Fingerprinting Prevention
My Senior Design Project.

Published in: Technology
Comments
  • Great article but given ip rule not working for Ubuntu
  • Firewall Rules to prevent OS fingerprinting is not working in ubuntu
THE DESIGN AND IMPLEMENTATION OF A NETWORK FIREWALL TO PREVENT THE USE OF OPERATING SYSTEM FINGERPRINTING
BY DENNIS J. CALHOUN, CHARMIN GREEN
PROJECT ADVISOR: DR. MOHAMMAD BODRUZZAMAN
CO-ADVISOR: MR. MATTHEW MURRAY

Overview
- Background
- Problem Statement
- Need Analysis
- Objectives
- Requirements
- Alternative Solutions
- Design Implementation
- Testing and Analysis
- Results and Recommendations
- Questions

Nomenclature
- Transmission Control Protocol (TCP)
- Internet Protocol (IP)
- Internet Control Message Protocol (ICMP)
- Media Access Control Address (MAC)
- Network Address Translation (NAT)
- Dynamic Host Configuration Protocol (DHCP)
- Simple Mail Transfer Protocol (SMTP)
- Operating System (OS)
- Network Mapper (Nmap)
- Request for Comments (RFC)

Background
- 1/3 of all computer attacks originated in the United States.
- The financial impact of virus attacks from 1995 to 2006 increased from $500 million to $14.2 billion.
- The average computer connected to the Internet will be hacked in about 8 hours.
- An unsecured computer system on a university network is hacked in only about 45 minutes.

Operating System Fingerprinting
- The process of determining the identity of a remote host's operating system.
- This process consists of actively sending packets to the remote host and analyzing the responses.
- Vulnerabilities are normally dependent on the operating system version.

Problem Statement
- If an operating system is detected, the security flaws (holes) of that system can be exploited, which is a potential hazard. With knowledge of these vulnerabilities it becomes easier to gain access to your network privileges.
http://fyodor@dhp.com 18 October 2004.

Need Analysis
- There is a need to:
  - Design a system to protect the identity of the OS implemented on the hosts and servers of a given network.
  - Design a system to deny access to specific computers that have been deemed malicious.
[10] Tony Bautts, Terry Dawson, Gregor N. Purdy. Linux Network Administration Guide, 3rd Edition. Sebastopol, CA: O'Reilly Media, Inc., 2005.

Design Objectives
- Design a system that will prevent operating system fingerprinting for a small network.
- Design a system to keep unwanted computers off a small network.
- Design a network for a testing environment.

Specifications
- The system must be capable of examining MAC addresses.
- The system must deny any response to any testing sequence that involves sending standard and non-standard TCP packets.
- The system must deny any response to any testing sequence that involves ICMP response analysis.
- The system must validate the three-way handshake process.
[10] Tony Bautts, Terry Dawson, Gregor N. Purdy. Linux Network Administration Guide, 3rd Edition. Sebastopol, CA: O'Reilly Media, Inc., 2005.

Constraints
- Reliability: The system should be a minimum of 90% accurate when blocking operating system fingerprinting.
- Safety: The system should not create any threat to existing systems or networks.
- Security: The system should protect the processes and functions specified by the developers.
- Time: Two semesters
- Social Impact: The system will aid in securing wired networks by mitigating OS fingerprinting, MAC address spoofing and IP spoofing.
Preliminary Alternatives
- Intrusion Detection System
- Anti-Virus System
- Behavior Blocking System
- Firewall System
- Network Analysis System

Alternative Solutions
- Alternative One: Packet Filtering
- Alternative Two: Multilayer Stateful Firewall

Decision Matrix (figure)

Design Theory
- Netfilter/iptables
- Predefined tables: Network Address Translation (NAT), Mangle, Filter
- Predefined chains: Pre-routing, Input, Forward, Output, Post-routing

Functional Block Diagram (figure: Pre-routing, Input, Forward, Output and Post-routing chains; Filter and NAT tables; internal network)

Codes and Standards
- RFC 2647: Benchmarking Terminology for Firewall Performance
- RFC 791: Internet Protocol
- RFC 792: Internet Control Message Protocol
- RFC 793: Transmission Control Protocol
- IEEE 802 Ethernet: Ethernet Header
TCP/IP Protocol Headers
- Ethernet
  - Destination and Source MAC Address
- IP
  - Destination and Source IP Address
- TCP
  - Destination and Source Ports, TCP Flags
- ICMP
  - Timestamp req./reply, Address Mask req./reply

Design Theory
- TCP/IP protocol header: Ethernet
(figure: full Ethernet packet, 46-1500 bytes: Destination MAC Address, Source MAC Address, Type, Data, CRC)
[10] Tony Bautts, Terry Dawson, Gregor N. Purdy. Linux Network Administration Guide, 3rd Edition. Sebastopol, CA: O'Reilly Media, Inc., 2005.

Design Theory
- TCP/IP protocol headers: IP
(figure: 32-bit IP header layout: Ver., IHL, TOS/DSCP/ECN, Total Length; Identification, Flags, Fragment Offset; Time To Live, Protocol, Header Checksum; Source Address; Destination Address; Options, Padding; Data)

Design Theory
- TCP/IP protocol headers: TCP
(figure: 32-bit TCP header layout: Source Port, Destination Port; Sequence Number; Acknowledgement Number; Data off., Res., TCP Flags, Window; Checksum, Urgent Pointer; Options, Padding; Data)

3-Way Handshake Process
(figure: Source sends SYN, Destination answers SYN/ACK, Source completes with ACK)
[10] Tony Bautts, Terry Dawson, Gregor N. Purdy. Linux Network Administration Guide, 3rd Edition. Sebastopol, CA: O'Reilly Media, Inc., 2005.

Design Theory
- TCP/IP ICMP headers: information request/reply
(figure: 32-bit layout: Type, Code, Checksum; Identifier, Sequence Number)

Design Theory
- TCP/IP ICMP headers: timestamp request/reply
(figure: 32-bit layout: Type, Code, Checksum; Identifier, Sequence Number; Originate Timestamp; Receive Timestamp; Transmit Timestamp)

Design Theory
(figure: iptables tables NAT, MANGLE and FILTER with their chains INPUT, OUTPUT, FORWARD, PRE-ROUTING and POST-ROUTING)
[10] Tony Bautts, Terry Dawson, Gregor N. Purdy. Linux Network Administration Guide, 3rd Edition. Sebastopol, CA: O'Reilly Media, Inc., 2005.

Rules
- OS Fingerprinting Rule Set
- Input and Output
  - Drops any packet used for ICMP response analysis (Timestamp req./reply, Address Mask req./reply).
- Input, Forward and Output
  - Drops any packet used for TCP response analysis (invalid bit combinations).

Rules
- MAC Address Filtering
- Input, Output and Forward
  - Drops any connection originating from an external computer specified by MAC address via the blacklist.
- Input, Output and Forward
  - Accepts any connection from an external computer specified by MAC address via the whitelist.
Overall System Implementation
- Firewall rules to prevent OS fingerprinting (filtering invalid flag combinations):

    # CBF and CFLAG are user-defined chains and must exist before they are referenced
    $IPTABLES -N CBF
    $IPTABLES -N CFLAG
    # Send every inbound TCP packet through the flag-combination checks
    $IPTABLES -A INPUT -p tcp -j CBF
    # --tcp-flags MASK COMP: of the flags in MASK, exactly those in COMP must be set
    # (flag lists are comma-separated with no spaces)
    $IPTABLES -A CBF -p tcp --tcp-flags ALL FIN,URG,PSH -j CFLAG
    $IPTABLES -A CBF -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j CFLAG
    $IPTABLES -A CBF -p tcp --tcp-flags ALL ALL -j CFLAG
    $IPTABLES -A CBF -p tcp --tcp-flags ALL NONE -j CFLAG
    $IPTABLES -A CBF -p tcp --tcp-flags SYN,RST SYN,RST -j CFLAG
    $IPTABLES -A CBF -p tcp --tcp-flags SYN,FIN SYN,FIN -j CFLAG
Overall System Implementation
- Firewall rules to prevent OS fingerprinting (inbound traffic):

    # ICMPINBOUND and DDROP are user-defined chains; DDROP is the chain that discards the packet
    $IPTABLES -N ICMPINBOUND
    # Send all ICMP arriving on the external interface through the ICMP checks
    $IPTABLES -A INPUT -i $EXTERNALIF -p icmp -j ICMPINBOUND
    # Drop the ICMP types used for response analysis
    $IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-request -j DDROP
    $IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-reply -j DDROP
    $IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-request -j DDROP
    $IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-reply -j DDROP
Overall System Implementation
- Firewall rules to deny blacklisted MAC addresses (inbound traffic):

    # $BLACKLIST is a file holding one source MAC address per line
    IPFILE=$BLACKLIST
    if [ -f "$IPFILE" ]; then
        for MAC in $(cat "$IPFILE")
        do
            # Drop everything arriving on the external interface from a blacklisted MAC
            $IPTABLES -A INPUT -i $EXTERNALIF -m mac --mac-source $MAC -j DDROP
        done
    fi
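As an added example (not code from the slides or the project), the following Python model reproduces the iptables `--tcp-flags MASK COMP` test that the CBF chain above relies on and runs the slide's six rules over constructed packets; the packet table and function names are the example's own.

```python
# Added example: a model of how the CBF chain decides on a TCP packet.
# iptables' "--tcp-flags MASK COMP" matches when (flags & MASK) == COMP,
# so only the bits named in MASK are examined. Packets below are constructed.

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20}
ALL = sum(TCP_FLAGS.values())   # iptables' ALL keyword
NONE = 0                        # iptables' NONE keyword


def flag_bits(spec):
    """Translate an iptables flag list such as 'SYN,RST' or 'ALL' into a bitmask."""
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return NONE
    return sum(TCP_FLAGS[name] for name in spec.split(","))


# (MASK, COMP) pairs transcribed from the CBF chain on the slide, in order.
CBF_RULES = [
    ("ALL", "FIN,URG,PSH"),           # Xmas-style combination
    ("ALL", "SYN,RST,ACK,FIN,URG"),   # five-flag combination listed on the slide
    ("ALL", "ALL"),                   # every flag set
    ("ALL", "NONE"),                  # NULL packet, no flags at all
    ("SYN,RST", "SYN,RST"),           # SYN and RST together
    ("SYN,FIN", "SYN,FIN"),           # SYN and FIN together
]


def tcp_flags_match(flags, mask, comp):
    """The --tcp-flags test: of the bits in MASK, exactly those in COMP are set."""
    return (flags & flag_bits(mask)) == flag_bits(comp)


def cbf_verdict(flags):
    """Index of the first CBF rule that matches, or None if the packet passes."""
    for i, (mask, comp) in enumerate(CBF_RULES):
        if tcp_flags_match(flags, mask, comp):
            return i
    return None


def classify(packets):
    """Map each packet name to 'CFLAG' (sent to the drop chain) or 'pass'."""
    return {name: ("CFLAG" if cbf_verdict(bits) is not None else "pass")
            for name, bits in packets.items()}


# Constructed sample traffic: normal handshake segments beside probe shapes.
SAMPLE_PACKETS = {
    "handshake SYN": flag_bits("SYN"),
    "handshake SYN/ACK": flag_bits("SYN,ACK"),
    "data PSH/ACK": flag_bits("PSH,ACK"),
    "xmas FIN/URG/PSH": flag_bits("FIN,URG,PSH"),
    "null": NONE,
    "syn+fin": flag_bits("SYN,FIN"),
    "syn+rst+ack": flag_bits("SYN,RST,ACK"),
    "all flags": ALL,
    "fin/urg/psh/ack": flag_bits("FIN,URG,PSH,ACK"),  # ALL-mask rules need an exact set
}

if __name__ == "__main__":
    for name, verdict in classify(SAMPLE_PACKETS).items():
        print(f"{name:20s} -> {verdict}")
```

The last sample shows the caveat of the ALL-mask rules: they match one exact flag set, so FIN/URG/PSH with ACK added passes the chain untouched, while the SYN,RST and SYN,FIN rules match regardless of the other flags.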
Testing Environment (figure)

Testing Environment Specifications
- VMware Workstation
- Kernel version 2.6.18-1.2.798
- Minimum of 256 MB of RAM
- Minimum of a 400 MHz Pentium II processor or better
- Class C IP network

IFConfig Results
- Charmin's Computer
  - 192.168.171.129 - 00:0C:29:5F:A7:0F
- Dennis' Computer
  - 192.168.171.128 - 00:0C:29:44:09:28
- DHCP Server
  - 192.168.171.3 - 00:0C:29:FE:85:87
  - 10.51.16.90
- Router for Firewall
  - 192.168.171.131

Testing and Analysis (figure)

Testing and Analysis
- Installing the firewall
- Testing MAC address filtering capabilities using an external computer
- Testing OS fingerprinting capabilities using Nmap

Nmap
- Uses TCP response analysis
  - Invalid bit combinations (TCP flags)
- Uses ICMP response analysis
  - Timestamp req./reply, Address Mask req./reply

Testing and Analysis
- Installation of Firewall (figure)

Testing and Analysis (figure)

Firewall Capabilities and Features
- Operates on a router with 512 MB RAM and an 8 GB hard disk
- Speed of 945 ms per packet
- Allows 5 packets per second per 10 connections
- Within a given network:
  - Denies specified MAC addresses
  - Prevents operating system fingerprinting

Results and Recommendations
- Accomplished objectives:
  - Implement a successful technique to prevent OS fingerprinting
  - Implement a successful technique to deny network privileges to unwanted machines
  - Implement and test the overall system
References
- Lockhart, Andrew. Network Security Hacks. Sebastopol, CA: O'Reilly Media, Inc., 2004.
- Kaeo, Merike. Designing Network Security (A Practical Guide to Creating a Secure Network Infrastructure). Indianapolis, Indiana: Cisco Press, Cisco Systems Inc., 1999.
- Meijer, Anton, Paul Peters. Computer Network Architectures. Roseville, MA: Computer Science Press, Inc., 1983.
- Zwicky, Elizabeth, Simon Cooper, D. Brent Chapman. Building Internet Firewalls, 2nd Edition. Sebastopol, CA: O'Reilly Media, Inc., 2000.
- Null, Linda, Julia Lobur. The Essentials of Computer Organization and Architecture. Sudbury, MA: 2003.
- Corbet, Jonathan, Alessandro Rubini, Greg Kroah-Hartman. Linux Device Drivers, 3rd Edition. Sebastopol, CA: O'Reilly Media, Inc., 2005.
- Shah, Steve, Wale Soyinka. Linux Administration: A Beginner's Guide, 4th Edition. Emeryville, CA: McGraw-Hill, Inc., 2005.
- Haby, Jeff. "What is the difference between Accuracy and Precision?" The Weather Prediction. http://www.theweatherprediction.com/habyhints/246/ 29 November 2006.
- Szor, Peter. The Art of Computer Virus Research and Defense. Crawfordsville, Indiana: Addison Wesley, May 2005.
- Bautts, Tony, Terry Dawson, Gregor N. Purdy. Linux Network Administration Guide, 3rd Edition. Sebastopol, CA: O'Reilly Media, Inc., 2005.
- http://www.ieee.org/portal/pages/about/whatis/code.html 9 September 2007.
Questions?