THE DESIGN AND IMPLEMENTATION OF A NETWORK FIREWALL TO PREVENT THE USE OF OPERATING SYSTEM FINGERPRINTING
BY DENNIS J. CALHOUN, CHARMIN GREEN
PROJECT ADVISOR: DR. MOHAMMAD BODRUZZAMAN
CO-ADVISOR: MR. MATTHEW MURRAY
Overview
- Background
- Problem Statement
- Need Analysis
- Objectives
- Requirements
- Alternative Solutions
- Design
- Implementation
- Testing and Analysis
- Results and Recommendations
- Questions
Nomenclature
- Transmission Control Protocol (TCP)
- Internet Protocol (IP)
- Internet Control Message Protocol (ICMP)
- Media Access Control Address (MAC)
- Network Address Translation (NAT)
- Dynamic Host Control Protocol (DHCP)
- Simple Mail Transfer Protocol (SMTP)
- Operating System (OS)
- Network Mapping (NMAP)
- Request for Comment (RFC)
Background
- 1/3 of all computer attacks originated in the United States.
- The financial impact of virus attacks from 1995-2006 increased from $500 million to $14.2 billion.
- The average computer connected to the Internet will be hacked in about 8 hours.
- On university networks, an unsecured computer system is hacked in only about 45 minutes.
Operating System Fingerprinting
The process of determining the identity of a remote host's operating system. This process consists of actively sending packets to the remote host and analyzing the responses. Vulnerabilities are normally dependent on the operating system version.
Problem Statement
If an operating system is detected, the security flaws (holes) of your system can be exploited; this is a potential hazard. With knowledge of these vulnerabilities it is easier to gain access to your network privileges.
Source: http://fyodor@dhp.com, 18 October 2004.
Need Analysis
There is a need to:
- Design a system to protect the identity of the OS implemented on the hosts and servers of a given network.
- Design a system to deny access to specific computers that have been deemed malicious.
[10] Tony Bautts, Terry Dawson, Gregor N. Purdy. Linux Network Administration Guide, 3rd Edition. Sebastopol, CA: O'Reilly Media, Inc., 2005.
Design Objectives
- Design a system that will prevent operating system fingerprinting for a small network.
- Design a system to keep unwanted computers off a small network.
- Design a network for a testing environment.
Specifications
- The system must be capable of examining MAC addresses.
- The system must deny any response to any testing sequence that involves sending standard and non-standard TCP packets.
- The system must deny any response to any testing sequence that involves ICMP response analysis.
- The system must validate the three-way handshake process.
[10] Tony Bautts, Terry Dawson, Gregor N. Purdy. Linux Network Administration Guide, 3rd Edition. Sebastopol, CA: O'Reilly Media, Inc., 2005.
Constraints
- Reliability: The system should be a minimum of 90% accurate when blocking operating system fingerprinting.
- Safety: The system should not create any threat to existing systems or networks.
- Security: The system should protect the processes and functions specified by the developers.
- Time: Two semesters.
- Social Impact: The system will aid in securing wired networks by mitigating OS fingerprinting, MAC address spoofing and IP spoofing.
Preliminary Alternatives
- Intrusion Detection System
- Anti-Virus System
- Behavior Blocking System
- Firewall System
- Network Analysis System
Alternative Solutions
Alternative One: Packet Filtering
Alternative Solutions
Alternative Two: Multilayer Stateful Firewall
Decision Matrix
Design Theory: Netfilter/iptables
Predefined tables: Network Address Translation (NAT), Mangle, Filter
Predefined chains: Pre-routing, Input, Forward, Output, Post-routing
Functional Block Diagram (figure): chains Pre Routing, Input, Forward, Output and Post Routing; the Filter table is applied on Input, Forward and Output; the NAT table sits in the routing path between the outside and the internal network.
Codes and Standards
- RFC 2647: Benchmarking Terminology for Firewall Performance
- RFC 791: Internet Protocol
- RFC 792: Internet Control Message Protocol
- RFC 793: Transmission Control Protocol
- IEEE 802 Ethernet: Ethernet header
TCP/IP Protocol Headers
- Ethernet: destination and source MAC address
- IP: destination and source IP address
- TCP: destination and source ports, TCP flags
- ICMP: Timestamp req./reply, Address Mask req./reply
Design Theory: TCP/IP protocol header: Ethernet
Full Ethernet Packet (46-1500 bytes):
Destination MAC Address | Source MAC Address | Type | Data | CRC
[10] Tony Bautts, Terry Dawson, Gregor N. Purdy. Linux Network Administration Guide, 3rd Edition. Sebastopol, CA: O'Reilly Media, Inc., 2005.
Design Theory: TCP/IP protocol headers: IP (each row is 32 bits)
Ver. | IHL | TOS/DSCP/ECN | Total Length
Identification | Flags | Fragment Offset
Time To Live | Protocol | Header Checksum
Source Address
Destination Address
Options | Padding
Data
Design Theory: TCP/IP protocol headers: TCP (each row is 32 bits)
Source Port | Destination Port
Sequence Number
Acknowledgement Number
Data off. | Res. | TCP Flags | Window
Checksum | Urgent Pointer
Options | Padding
Data
3-Way Handshake Process
Source -> Destination: SYN
Destination -> Source: SYN/ACK
Source -> Destination: ACK
[10] Tony Bautts, Terry Dawson, Gregor N. Purdy. Linux Network Administration Guide, 3rd Edition. Sebastopol, CA: O'Reilly Media, Inc., 2005.
Design Theory: TCP/IP ICMP headers: information request/reply (each row is 32 bits)
Type | Code | Checksum
Identifier | Sequence Number
Design Theory: TCP/IP ICMP headers: timestamp request/reply (each row is 32 bits)
Type | Code | Checksum
Identifier | Sequence Number
Originate Timestamp
Receive Timestamp
Transmit Timestamp
Design Theory (figure): iptables tables NAT, MANGLE and FILTER with their built-in chains. FILTER holds INPUT, OUTPUT and FORWARD; the NAT and MANGLE chains shown are drawn from PRE-ROUTING, INPUT, OUTPUT and POST-ROUTING.
[10] Tony Bautts, Terry Dawson, Gregor N. Purdy. Linux Network Administration Guide, 3rd Edition. Sebastopol, CA: O'Reilly Media, Inc., 2005.
Rules: OS Fingerprinting Rule Set
- Input and Output: drop any packet used for ICMP response analysis (Timestamp req./reply, Address Mask req./reply).
- Input, Forward and Output: drop any packet performing TCP response analysis (invalid bit combinations).
Rules: MAC Address Filtering
- Input, Output and Forward: drop any connection originating from an external computer specified by MAC address via the black list.
- Input, Output and Forward: accept any connection from an external computer specified by MAC address via the white list.
Overall System Implementation
Firewall rules to prevent OS fingerprinting (filtering invalid flag combinations). Every TCP packet reaching INPUT is sent through the user-defined chain CBF. Each --tcp-flags rule takes a mask and the flags that must be set within that mask (iptables flag lists are comma-separated with no spaces); a match jumps to the CFLAG chain, which is defined elsewhere in the firewall script:

$IPTABLES -A INPUT -p tcp -j CBF
# only FIN, URG and PSH set (Xmas-style probe)
$IPTABLES -A CBF -p tcp --tcp-flags ALL FIN,URG,PSH -j CFLAG
# every flag except PSH set
$IPTABLES -A CBF -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j CFLAG
# all flags set
$IPTABLES -A CBF -p tcp --tcp-flags ALL ALL -j CFLAG
# no flags set (null probe)
$IPTABLES -A CBF -p tcp --tcp-flags ALL NONE -j CFLAG
# SYN and RST set together, whatever the other flags are
$IPTABLES -A CBF -p tcp --tcp-flags SYN,RST SYN,RST -j CFLAG
# SYN and FIN set together, whatever the other flags are
$IPTABLES -A CBF -p tcp --tcp-flags SYN,FIN SYN,FIN -j CFLAG
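As an added example (not code from the presentation), the following Python reproduces the iptables --tcp-flags MASK COMP match (flags & MASK == COMP) for the CBF chain on this slide and pushes constructed 20-byte TCP headers, laid out as on the TCP header slide, through it, so a defender can confirm which flag combinations are caught and that ordinary SYN and ACK segments fall through. The CBF_RULES table, helper names and sample segments are this example's own.

```python
# Added example: evaluate raw TCP headers against the deck's CBF chain,
# using iptables' --tcp-flags MASK COMP semantics (flags & MASK == COMP).
import struct

# TCP flag bits in the header's flags byte (RFC 793 order, low six bits).
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
         "ACK": 0x10, "URG": 0x20}
ALL = sum(FLAGS.values())  # the iptables keyword ALL covers these six bits

def parse_flag_list(spec: str) -> int:
    """Turn an iptables flag list such as 'SYN,RST' (or ALL / NONE) into a bitmask."""
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return 0
    return sum(FLAGS[f] for f in spec.split(","))

# The slide's CBF chain: one (mask, comp) pair per --tcp-flags rule, all jumping to CFLAG.
CBF_RULES = [
    ("ALL", "FIN,URG,PSH"),
    ("ALL", "SYN,RST,ACK,FIN,URG"),
    ("ALL", "ALL"),
    ("ALL", "NONE"),
    ("SYN,RST", "SYN,RST"),
    ("SYN,FIN", "SYN,FIN"),
]

def cbf_matches(flags: int):
    """Return the first CBF rule matching these flags, or None if the packet falls through."""
    for mask, comp in CBF_RULES:
        if flags & parse_flag_list(mask) == parse_flag_list(comp):
            return (mask, comp)
    return None

def tcp_flags_from_segment(segment: bytes) -> int:
    """Read the flags byte of a raw TCP header (offset 13); CWR/ECE are outside ALL."""
    return segment[13] & ALL

def build_segment(flags: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Construct a minimal 20-byte TCP header (constructed test input, no options/payload)."""
    data_offset = 5 << 4  # header length of 5 words, reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 65535, 0, 0)

def verdict(segment: bytes) -> str:
    """'CFLAG' if the CBF chain catches the segment, else 'RETURN' (back to INPUT)."""
    return "CFLAG" if cbf_matches(tcp_flags_from_segment(segment)) else "RETURN"

if __name__ == "__main__":
    probes = {"xmas FIN/URG/PSH": FLAGS["FIN"] | FLAGS["URG"] | FLAGS["PSH"],
              "null (no flags)": 0,
              "SYN+FIN": FLAGS["SYN"] | FLAGS["FIN"],
              "SYN+RST+ACK": FLAGS["SYN"] | FLAGS["RST"] | FLAGS["ACK"],
              "normal SYN": FLAGS["SYN"],
              "normal ACK": FLAGS["ACK"]}
    for name, f in probes.items():
        print(f"{name:18s} -> {verdict(build_segment(f))}")
```

Note that SYN+RST+ACK is still caught by the SYN,RST SYN,RST rule because the mask only inspects those two bits, while the ALL-masked rules require the full flag byte to match exactly.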
Overall System Implementation
Firewall rules to prevent OS fingerprinting (inbound ICMP traffic). ICMP arriving on the external interface is sent through the ICMPINBOUND chain, which drops the timestamp and address-mask messages used for ICMP response analysis:

$IPTABLES -A INPUT -i $EXTERNALIF -p icmp -j ICMPINBOUND
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-request -j DDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-reply -j DDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-request -j DDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-reply -j DDROP
Overall System Implementation
Firewall rules for MAC address filtering (black list). Each line of the black-list file is a source MAC address; frames from those addresses arriving on the external interface are dropped:

# $BLACKLIST: file with one MAC address per line; $EXTERNALIF: outside interface.
# -m mac can only match in PREROUTING, INPUT and FORWARD, where the Ethernet
# source address of the incoming frame is still available.
IPFILE=$BLACKLIST
if [ -f "$IPFILE" ]; then
  for IP in $(cat "$IPFILE"); do   # each entry is a MAC address, not an IP
    $IPTABLES -A INPUT -i $EXTERNALIF -m mac --mac-source $IP -j DDROP
  done
fi
Testing Environment
Testing Environment Specifications
- VMware Workstation
- Kernel version 2.6.18-1.2.798
- Minimum of 256 MB of RAM
- Minimum of a 400 MHz Pentium 2 processor or better
- IP: Class C
IFConfig Results
Charmin's Computer: 192.168.171.129 - 00:0C:29:5F:A7:0F
Dennis' Computer: 192.168.171.128 - 00:0C:29:44:09:28
DHCP Server: 192.168.171.3 - 00:0C:29:FE:85:87
Router for Firewall: 10.51.16.90 / 192.168.171.131
Testing and Analysis
Testing and Analysis
- Installing the firewall
- Testing MAC address filtering capabilities using an external computer
- Testing OS fingerprinting capabilities using Nmap
Nmap
- Uses TCP response analysis: invalid bit combinations (TCP flags).
- Uses ICMP response analysis: Timestamp req./reply, Address Mask req./reply.
Testing and Analysis: Installation of Firewall
Testing and Analysis
Firewall Capabilities and Features
- Operates with a router of 512 MB RAM and 8 GB HD
- Speed of 945 ms per packet
- Allows 5 packets per second per 10 connections
- Within a given network: denies specified MAC addresses
- Prevents Operating system
Results and Recommendations
Accomplished objectives:
- Implement a successful technique to prevent OS fingerprinting.
- Implement a successful technique to deny network privileges to unwanted machines.
- Implement and test the overall system.
References
[1] Lockhart, Andrew. Network Security Hacks. Sebastopol, CA: O'Reilly Media, Inc., 2004.
[2] Kaeo, Merike. Designing Network Security (A Practical Guide to Creating a Secure Network Infrastructure). Indianapolis, Indiana: Cisco Press, Cisco Systems Inc., 1999.
[3] Meijer, Anton, Paul Peters. Computer Network Architectures. Roseville, MA: Computer Science Press Inc., 1983.
[4] Zwicky, Elizabeth D., Simon Cooper, D. Brent Chapman. Building Internet Firewalls, 2nd Edition. Sebastopol, CA: O'Reilly Media, Inc., 2000.
[5] Null, Linda, Julia Lobur. The Essentials of Computer Organization and Architecture. Sudbury, MA: 2003.
[6] Corbet, Jonathan, Alessandro Rubini, Greg Kroah-Hartman. Linux Device Drivers, 3rd Edition. Sebastopol, CA: O'Reilly Media, Inc., 2005.
[7] Shah, Steve, Wale Soyinka. Linux Administration: A Beginner's Guide, 4th Edition. Emeryville, CA: McGraw-Hill, Inc., 2005.
[8] Haby, Jeff. "What is the difference between Accuracy and Precision?" The Weather Prediction. http://www.theweatherprediction.com/habyhints/246/ (accessed 29 November 2006).
[9] Szor, Peter. The Art of Computer Virus Research and Defense. Crawfordsville, Indiana: Addison-Wesley, May 2005.
[10] Bautts, Tony, Terry Dawson, Gregor N. Purdy. Linux Network Administration Guide, 3rd Edition. Sebastopol, CA: O'Reilly Media, Inc., 2005.
[11] IEEE. http://www.ieee.org/portal/pages/about/whatis/code.html (accessed 9 September 2007).
Questions?
Operating System Fingerprinting Prevention