Operating System Fingerprinting Prevention

My Senior Design Project.

Published in: Technology
Comments
  • Great article, but the given IP rule is not working for Ubuntu.
  • Firewall rules to prevent OS fingerprinting are not working in Ubuntu.
Slide transcript

1. The Design and Implementation of a Network Firewall to Prevent the Use of Operating System Fingerprinting
   Dennis J. Calhoun, Charmin Green
   Project advisor: Dr. Mohammad Bodruzzaman. Co-advisor: Mr. Matthew Murray.
2. Overview
   • Background
   • Problem Statement
   • Need Analysis
   • Objectives
   • Requirements
   • Alternative Solutions
   • Design Implementation
   • Testing and Analysis
   • Results and Recommendations
   • Questions
3. Nomenclature
   • Transmission Control Protocol (TCP)
   • Internet Protocol (IP)
   • Internet Control Message Protocol (ICMP)
   • Media Access Control (MAC) address
   • Network Address Translation (NAT)
   • Dynamic Host Configuration Protocol (DHCP)
   • Simple Mail Transfer Protocol (SMTP)
   • Operating System (OS)
   • Network Mapper (Nmap)
   • Request for Comments (RFC)
4. Background
   • One third of all computer attacks originated in the United States.
   • The financial impact of virus attacks grew from $500 million in 1995 to $14.2 billion in 2006.
   • The average computer connected to the Internet is compromised within about 8 hours.
   • An unsecured computer on a university network has been compromised in only about 45 minutes.
5. Operating System Fingerprinting
   • The process of determining the identity of a remote host's operating system.
   • This project addresses active fingerprinting: crafted packets are sent to the remote host and the responses are analysed. Every TCP/IP stack implements the RFCs slightly differently (handling of invalid TCP flag combinations, support for optional ICMP types, initial window size, TTL, option ordering), so the pattern of replies identifies the OS.
   • Exploitable vulnerabilities normally depend on the operating system and its version, so the fingerprint tells an attacker which exploits to try.
6. Problem Statement
   • If the operating system of a host can be identified, the known security flaws of that system can be exploited. Knowledge of those vulnerabilities makes it easier to gain unauthorised access to the host and, through it, to the network.
   Source: http://fyodor@dhp.com, 18 October 2004.
7. Need Analysis
   There is a need to:
   • Design a system that protects the identity of the OS running on the hosts and servers of a given network.
   • Design a system that denies access to specific computers that have been deemed malicious. [10]
8. Design Objectives
   • Design a system that prevents operating system fingerprinting on a small network.
   • Design a system that keeps unwanted computers off a small network.
   • Design a network to serve as a testing environment.
9. Specifications
   • The system must be capable of examining MAC addresses.
   • The system must not respond to any test sequence that sends standard or non-standard TCP packets (unusual flag combinations).
   • The system must not respond to any test sequence that relies on ICMP response analysis.
   • The system must validate the TCP three-way handshake. [10]
10. Constraints
   • Reliability: the system should block at least 90% of operating system fingerprinting attempts.
   • Safety: the system should not create any threat to existing systems or networks.
   • Security: the system should protect the processes and functions specified by the developers.
   • Time: two semesters.
   • Social impact: the system will help secure wired networks by mitigating OS fingerprinting and MAC address and IP spoofing.
11. Preliminary Alternatives
   • Intrusion Detection System
   • Anti-Virus System
   • Behaviour Blocking System
   • Firewall System
   • Network Analysis System
12. Alternative Solutions
   • Alternative One: Packet Filtering
13. Alternative Solutions
   • Alternative Two: Multilayer Stateful Firewall
14. Decision Matrix (the matrix itself is not part of the transcript)
15. Design Theory
   • Netfilter/iptables
   • Predefined tables: nat (Network Address Translation), mangle, filter
   • Predefined chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
16. Functional Block Diagram (figure): packets between the external and the internal network pass through the chains PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING; the filter table is applied at INPUT, FORWARD and OUTPUT, and NAT at the routing chains.
17. Codes and Standards
   • RFC 2647: Benchmarking Terminology for Firewall Performance
   • RFC 791: Internet Protocol
   • RFC 792: Internet Control Message Protocol
   • RFC 793: Transmission Control Protocol
   • IEEE 802.3 Ethernet: Ethernet header
18. TCP/IP Protocol Headers
   • Ethernet: destination and source MAC address
   • IP: destination and source IP address
   • TCP: destination and source ports, TCP flags
   • ICMP: timestamp request/reply, address mask request/reply
19. Design Theory: Ethernet frame [10]
   Destination MAC Address (6 bytes) | Source MAC Address (6 bytes) | Type (2 bytes) | Data (46 to 1500 bytes) | CRC (4 bytes)
20. Design Theory: IP header (32-bit rows)
   Version | IHL | TOS (DSCP/ECN) | Total Length
   Identification | Flags | Fragment Offset
   Time To Live | Protocol | Header Checksum
   Source Address
   Destination Address
   Options | Padding
   Data
21. Design Theory: TCP header (32-bit rows)
   Source Port | Destination Port
   Sequence Number
   Acknowledgement Number
   Data Offset | Reserved | TCP Flags | Window
   Checksum | Urgent Pointer
   Options | Padding
   Data
22. TCP three-way handshake [10]
   Source -> Destination: SYN
   Destination -> Source: SYN/ACK
   Source -> Destination: ACK
23. Design Theory: ICMP information request/reply header (32-bit rows)
   Type | Code | Checksum
   Identifier | Sequence Number
24. Design Theory: ICMP timestamp request/reply header (32-bit rows)
   Type | Code | Checksum
   Identifier | Sequence Number
   Originate Timestamp
   Receive Timestamp
   Transmit Timestamp
25. Design Theory: iptables tables and their built-in chains [10]
   filter: INPUT, FORWARD, OUTPUT
   nat: PREROUTING, OUTPUT, POSTROUTING
   mangle: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
26. Rules: OS fingerprinting rule set
   • INPUT and OUTPUT: drop any packet used for ICMP response analysis (timestamp request/reply, address mask request/reply).
   • INPUT, FORWARD and OUTPUT: drop any packet used for TCP response analysis (invalid TCP flag combinations).
27. Rules: MAC address filtering
   • INPUT, OUTPUT and FORWARD: drop any connection originating from an external computer whose MAC address is on the blacklist.
   • INPUT, OUTPUT and FORWARD: accept connections from external computers whose MAC address is on the whitelist.
   Note: the mac match sees only the source MAC of the frame as it arrives on the firewall's interface, so it identifies hosts on the directly attached segment; traffic that has crossed a router carries the router's MAC, and a sender can change its MAC address at will.
28. Overall System Implementation
   Firewall rules to prevent OS fingerprinting (filtering invalid TCP flag combinations). Two details decide whether these rules load at all: the flag lists given to --tcp-flags must contain no spaces (FIN,URG,PSH, not FIN, URG, PSH, which the shell splits into three arguments), and the user-defined chains CBF and CFLAG must be created with -N before anything is appended to them. With either omission iptables rejects the rule, on Ubuntu as on any other distribution. CFLAG is given a LOG and a DROP action so that matching packets are recorded and discarded; slide 26 applies the same check to FORWARD, so that jump is included:
   IPTABLES=/sbin/iptables
   $IPTABLES -N CBF
   $IPTABLES -N CFLAG
   $IPTABLES -A CFLAG -j LOG --log-prefix "BAD-TCP-FLAGS: "
   $IPTABLES -A CFLAG -j DROP
   $IPTABLES -A INPUT -p tcp -j CBF
   $IPTABLES -A FORWARD -p tcp -j CBF
   $IPTABLES -A CBF -p tcp --tcp-flags ALL FIN,URG,PSH -j CFLAG           # Xmas scan (no SYN or ACK)
   $IPTABLES -A CBF -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j CFLAG
   $IPTABLES -A CBF -p tcp --tcp-flags ALL ALL -j CFLAG                   # every flag set
   $IPTABLES -A CBF -p tcp --tcp-flags ALL NONE -j CFLAG                  # NULL scan
   $IPTABLES -A CBF -p tcp --tcp-flags SYN,RST SYN,RST -j CFLAG           # SYN and RST together
   $IPTABLES -A CBF -p tcp --tcp-flags SYN,FIN SYN,FIN -j CFLAG           # SYN and FIN together
   These rules silence probes that rely on illegal flag combinations. Probes with legal flags (a plain SYN or ACK) must still be answered, and the reply's window size, TTL and TCP option ordering still carry fingerprint information.
29. Overall System Implementation
   Firewall rules to prevent OS fingerprinting (inbound ICMP). The interface variable must be expanded ($EXTERNALIF, not the literal EXTERNALIF), and the ICMPINBOUND and DDROP chains must exist before rules are appended to them:
   EXTERNALIF=eth0          # interface facing the untrusted network (name assumed)
   $IPTABLES -N ICMPINBOUND
   $IPTABLES -N DDROP
   $IPTABLES -A DDROP -j LOG --log-prefix "DDROP: "
   $IPTABLES -A DDROP -j DROP
   $IPTABLES -A INPUT -i $EXTERNALIF -p icmp -j ICMPINBOUND
   $IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-request -j DDROP
   $IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-reply -j DDROP
   $IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-request -j DDROP
   $IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-reply -j DDROP
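The TCP flag rules of slide 28 and the ICMP rules of slide 29 can be checked offline by reproducing the matching semantics iptables applies. The following Python script is an added example, not code from the project or the original slides: it implements the (flags & MASK) == COMP test that --tcp-flags performs and the --icmp-type test, then runs the six TCP rules and four ICMP rules over constructed TCP and ICMP headers shaped like common OS-detection probes. The probe names follow Nmap's T1 to T7 and ECN tests, but the bytes are constructed here, and the port, window and sequence values are arbitrary.

```python
"""Offline model of the slide's OS-fingerprinting rule set (added example,
not the project's own code).  Reproduces the iptables --tcp-flags and
--icmp-type matching semantics and evaluates the rules from slides 28/29
against constructed probe headers.  All packet bytes below are constructed."""
import struct

# TCP flag bits as found in byte 13 of the TCP header (RFC 793 layout).
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
         "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}
# iptables' ALL keyword covers the six RFC 793 flags only; NONE is the empty set.
ALL = FLAGS["FIN"] | FLAGS["SYN"] | FLAGS["RST"] | FLAGS["PSH"] | FLAGS["ACK"] | FLAGS["URG"]


def flag_mask(spec):
    """Turn an iptables flag list ('SYN,RST', 'ALL', 'NONE') into a bitmask."""
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return 0
    mask = 0
    for name in spec.split(","):
        mask |= FLAGS[name.strip()]  # iptables itself rejects embedded spaces
    return mask


# The six CBF rules from slide 28 as (MASK, COMP) pairs, spaces removed.
CBF_RULES = [("ALL", "FIN,URG,PSH"), ("ALL", "SYN,RST,ACK,FIN,URG"), ("ALL", "ALL"),
             ("ALL", "NONE"), ("SYN,RST", "SYN,RST"), ("SYN,FIN", "SYN,FIN")]

# The four ICMPINBOUND rules from slide 29, by ICMP type (RFC 792 / RFC 950).
ICMP_DROP_TYPES = {13: "timestamp-request", 14: "timestamp-reply",
                   17: "address-mask-request", 18: "address-mask-reply"}


def tcp_flags_match(flags_byte, mask_spec, comp_spec):
    """iptables semantics: the packet matches when (flags & MASK) == COMP."""
    return (flags_byte & flag_mask(mask_spec)) == flag_mask(comp_spec)


def tcp_verdict(tcp_header):
    """Walk the CBF chain over a raw TCP header; 'CFLAG' means dropped."""
    flags_byte = tcp_header[13]
    for mask, comp in CBF_RULES:
        if tcp_flags_match(flags_byte, mask, comp):
            return "CFLAG"
    return "ACCEPT"


def icmp_verdict(icmp_header):
    """Walk the ICMPINBOUND chain over a raw ICMP header; 'DDROP' means dropped."""
    return "DDROP" if icmp_header[0] in ICMP_DROP_TYPES else "ACCEPT"


def make_tcp(flag_names):
    """Minimal 20-byte TCP header with the given flags (constructed sample)."""
    flags = 0
    for name in flag_names:
        flags |= FLAGS[name]
    # sport, dport, seq, ack, data offset (5 words), flags, window, checksum, urg ptr
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 1024, 0, 0)


def make_icmp(icmp_type, code=0):
    """Minimal 8-byte ICMP header: type, code, checksum, identifier, sequence."""
    return struct.pack("!BBHHH", icmp_type, code, 0, 1, 1)


# Probe shapes in the style of Nmap's T1..T7 / ECN tests (constructed; the real
# probes also vary options, window and sequence fields, which flag rules ignore).
PROBES = {
    "T1 SYN to open port": ["SYN"],
    "T2 NULL": [],
    "T3 SYN|FIN|URG|PSH": ["SYN", "FIN", "URG", "PSH"],
    "T4 ACK": ["ACK"],
    "T7 FIN|PSH|URG (Xmas)": ["FIN", "PSH", "URG"],
    "ECN SYN|ECE|CWR": ["SYN", "ECE", "CWR"],
}


def evaluate_probes():
    """Return {probe name: verdict} for every constructed probe."""
    return {name: tcp_verdict(make_tcp(flags)) for name, flags in PROBES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_probes().items():
        print(f"{name:26s} -> {verdict}")
    print("ICMP timestamp request     ->", icmp_verdict(make_icmp(13)))
    print("ICMP echo request          ->", icmp_verdict(make_icmp(8)))
```

Running it shows that the NULL, Xmas and SYN/FIN probes are dropped while the plain SYN, plain ACK and ECN SYN probes are accepted: the rule set removes the illegal-flag probes from the attacker's view but cannot touch the probes a legitimate client could also send, and the replies to those still carry stack-specific window, TTL and option values.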
30. Overall System Implementation
   MAC address blacklist rules (the slide title repeats "inbound traffic"; these implement the blacklist of slide 27). $BLACKLIST names a file with one source MAC address per line; the loop variable holds a MAC address, not an IP address, and the command substitution must be written as $(...) or with backticks, not single quotes:
   MACFILE=$BLACKLIST                     # blacklist path, set elsewhere in the script
   if [ -f "$MACFILE" ]; then
       for MAC in $(cat "$MACFILE"); do
           $IPTABLES -A INPUT -i "$EXTERNALIF" -m mac --mac-source "$MAC" -j DDROP
       done
   fi
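The loop on slide 30 hands every line of the blacklist file straight to iptables, so a comment, a blank line or a malformed entry aborts the whole load. The following Python script is an added example, not the project's own loader: it validates and normalises each entry and returns the rule list instead of executing it, so the rules can be reviewed before they are applied. The file contents, the interface name and the iptables path are constructed for the example; the two valid addresses are taken from the ifconfig slide and serve only as sample input.

```python
"""Blacklist loader for the MAC-filter rule set (added example, not the
project's own script).  Validates each entry, normalises it to the
aa:bb:cc:dd:ee:ff form that -m mac --mac-source expects, and renders the
iptables commands of slide 30 without executing them."""
import re

# Six hex octets separated by colons, after lowercasing and '-' -> ':' normalisation.
MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")


def parse_blacklist(text):
    """Return (accepted MACs in canonical form, [(line number, raw line)] rejected)."""
    accepted, rejected, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()   # allow comments and blank lines
        if not entry:
            continue
        mac = entry.lower().replace("-", ":")  # accept Windows-style 00-0c-... too
        if not MAC_RE.match(mac):
            rejected.append((lineno, raw))
            continue
        if mac in seen:                        # one rule per address is enough
            continue
        seen.add(mac)
        accepted.append(mac)
    return accepted, rejected


def build_rules(macs, external_if="eth0", iptables="/sbin/iptables"):
    """Render the DDROP chain and one blacklist rule per MAC, as on slide 30."""
    rules = [f"{iptables} -N DDROP",
             f"{iptables} -A DDROP -j LOG --log-prefix 'MAC-BLACKLIST: '",
             f"{iptables} -A DDROP -j DROP"]
    for mac in macs:
        rules.append(f"{iptables} -A INPUT -i {external_if} "
                     f"-m mac --mac-source {mac} -j DDROP")
    return rules


# Constructed sample blacklist: two valid entries (addresses from the ifconfig
# slide), a duplicate, and two malformed lines that the slide's loop would
# have fed to iptables verbatim.
SAMPLE_BLACKLIST = """\
# constructed sample blacklist
00:0C:29:44:09:28        # valid, upper case
00-0c-29-5f-a7-0f        # valid, dash separated
00:0C:29:44:09:28        # duplicate, kept once
not-a-mac
00:0c:29:fe:85
"""

if __name__ == "__main__":
    macs, bad = parse_blacklist(SAMPLE_BLACKLIST)
    for lineno, raw in bad:
        print(f"rejected line {lineno}: {raw.strip()!r}")
    for rule in build_rules(macs, external_if="eth1"):
        print(rule)
```

Blacklisting by MAC is only as good as the frame's source address: it works for hosts on the segment attached to $EXTERNALIF, and any host can present a different address, so it is a convenience control, not authentication.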
31. Testing Environment (figure)
32. Testing Environment Specifications
   • VMware Workstation
   • Kernel version 2.6.18-1.2.798
   • Minimum of 256 MB of RAM
   • Minimum of a 400 MHz Pentium II processor or better
   • Class C (/24) IP addressing
35. ifconfig Results
   • Charmin's computer: 192.168.171.129, 00:0C:29:5F:A7:0F
   • Dennis's computer: 192.168.171.128, 00:0C:29:44:09:28
   • DHCP server: 192.168.171.3 and 10.51.16.90, 00:0C:29:FE:85:87
   • Router for the firewall: 192.168.171.131
36. Testing and Analysis (figure)
38. Testing and Analysis
   • Installing the firewall
   • Testing the MAC address filtering using an external computer
   • Testing the OS fingerprinting prevention using Nmap
39. Nmap
   • Uses TCP response analysis: probes with invalid TCP flag combinations (NULL, FIN/PSH/URG, SYN/FIN/PSH/URG) as well as plain SYN and ACK probes.
   • Uses ICMP response analysis. Nmap's timestamp and address mask requests (-PP, -PM) are host-discovery pings and its OS detection probes use ICMP echo; tools such as Xprobe2 rely on timestamp and address mask requests for fingerprinting, which is what the ICMP rules above target.
40. Testing and Analysis: installation of the firewall (figure)
41. Testing and Analysis (figure)
44. Firewall Capabilities and Features
   • Operates on a router with 512 MB RAM and an 8 GB hard disk.
   • Measured speed of 945 ms per packet.
   • Allows 5 packets per second per 10 connections.
   • Within a given network: denies specified MAC addresses and prevents operating system fingerprinting.
45. Results and Recommendations: accomplished objectives
   • Implemented a successful technique to prevent OS fingerprinting.
   • Implemented a successful technique to deny network privileges to unwanted machines.
   • Implemented and tested the overall system.
46-49. References
   [1] Lockhart, Andrew. Network Security Hacks. Sebastopol, CA: O'Reilly Media, Inc., 2004.
   [2] Kaeo, Merike. Designing Network Security: A Practical Guide to Creating a Secure Network Infrastructure. Indianapolis, IN: Cisco Press, 1999.
   [3] Meijer, Anton, and Paul Peters. Computer Network Architectures. Rockville, MD: Computer Science Press, Inc., 1983.
   [4] Zwicky, Elizabeth D., Simon Cooper, and D. Brent Chapman. Building Internet Firewalls, 2nd Edition. Sebastopol, CA: O'Reilly Media, Inc., 2000.
   [5] Null, Linda, and Julia Lobur. The Essentials of Computer Organization and Architecture. Sudbury, MA: 2003.
   [6] Corbet, Jonathan, Alessandro Rubini, and Greg Kroah-Hartman. Linux Device Drivers, 3rd Edition. Sebastopol, CA: O'Reilly Media, Inc., 2005.
   [7] Shah, Steve, and Wale Soyinka. Linux Administration: A Beginner's Guide, 4th Edition. Emeryville, CA: McGraw-Hill, 2005.
   [8] Haby, Jeff. "What is the difference between Accuracy and Precision?" The Weather Prediction, http://www.theweatherprediction.com/habyhints/246/, 29 November 2006.
   [9] Szor, Peter. The Art of Computer Virus Research and Defense. Crawfordsville, IN: Addison-Wesley, May 2005.
   [10] Bautts, Tony, Terry Dawson, and Gregor N. Purdy. Linux Network Administrator's Guide, 3rd Edition. Sebastopol, CA: O'Reilly Media, Inc., 2005.
   [11] IEEE, http://www.ieee.org/portal/pages/about/whatis/code.html, 9 September 2007.
50. Questions?
