SECURING THE S T A C K WEB NETWORK OPERATING SYSTEM MEHUL SHARMA BOSTON UNIVERSITY
|
|
- Kathlyn Bennett
- 8 years ago
- Views:
Transcription
1 SECURING THE S T A C K WEB NETWORK OPERATING SYSTEM MEHUL SHARMA BOSTON UNIVERSITY
2 C A V E A T S
3 C A V E A T S Everything is based purely on linux -- no outside vendor / 3rd party software Standard kernel, iptables, posix acls, routing stack and bridge and related packages which means you can get support from the distro provider or upstream / mainstream kernel mailing lists. I am not a guru and definitely not good enough to be a student. so keep enough room for mistakes, and don t believe me if you don t want to. I am attempting to show you what is possible from my experience building & deploying appliances from high performance commodity hardware using my intellectual properties. If done right, it will change your perspective, not to mention reduce your TCO exponentially and give you extreme flexibility and performance -- you will not be enslaved any more.
4 TOPICS OF INTEREST
5 Substantially Reducing to Stopping Denial of Service Attacks & Data Mining towards the Web Infrastructure in an Automated Manner Building a Distributed, Secure, Ad-hoc & Automatic Converged Network System Posix ACLs for Heightened Compliance Control over Operating System Infrastructure
6 SECURING THE S T A C K W E B S E C U R I T Y
7 Aim of Accomplishment Reduce-to-Stop Flooding from a Single Connection / Flow Not allow more than a certain number of connections from a single source IP address Not allow a source IP address or a range of source IP addresses to use more than a defined amount of data transactions to part or parts of the web infrastructure Look for Data Mining attempts in an intelligent manner by looking only at PSH+ACK packets and take necessary action(s). Everything achieved by IP/EBTABLES at Layer 2 or Layer 3 or their combination
8 SECURING THE S T A C K -- WEB SECURITY Reduce-to-stop flooding from single connection / flow into FLOODGATED Restrict a defined number of connections from a single soure IP F L O O D G A T E S
9 SECURING THE S T A C K -- WEB SECURITY Check for aggresive IP behavior and send it to INUNDATED to be blocked & logged. If not, move on to MINERGATES to check for data miners C H A N N E L
10 SECURING THE S T A C K -- WEB SECURITY Check for data mining activity and send to MINERS for resetting TCP connection & logging. M I N E R G A T E S
11 SECURING THE S T A C K -- WEB SECURITY Give selected IP address ranges pre-defined bandwidth quotas B A N D W I D T H G A T E S F U L L H I G H M E D I U M L O W
12 SECURING THE S T A C K -- WEB SECURITY # Clean all rules and chains iptables -F iptables -X # Create the following chains: iptables -N FLOODGATES iptables -N CHANNEL iptables -N INUNDATED iptables -N MINERGATES iptables -N MINERS iptables -N BANDWIDTHGATES ## Drop fragmented, xmas and null packets iptables -A INPUT -f -j DROP iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP ## Create a FROZEN & MINER_FREEZE list - viewable via /proc/net/xt_recent/ iptables -A INPUT -p tcp -m tcp --dport 80 -m recent --update --seconds name FROZEN --rsource -j DROP iptables -A INPUT -p tcp -m tcp --dport 80 -m recent --update --seconds name MINER_FREEZE --rsource -j REJECT --reject-with tcp-reset ## Pass all TCP packets through FLOODGATES iptables -A INPUT -p tcp -m tcp --dport 80 -j FLOODGATES
13 SECURING THE S T A C K -- WEB SECURITY ######## FLOODGATES ######## ## Limit the pre-defined number of connections from a single source IP and reject the rest of them with TCP reset iptables -A FLOODGATES -p tcp --syn --dport 80 -m connlimit --connlimit-above 5 --connlimit-mask 32 -j REJECT -- reject-with tcp-reset ## Check for the rate of defined TCP SYN packets per second and drop & block them for a pre-defined time if above the limit ## viewable via /proc/net/ipt_hashlimit/ iptables -A FLOODGATES -p tcp --syn -m hashlimit --hashlimit 10/sec --hashlimit-burst 3 --hashlimit-htable-expire hashlimit-mode srcip --hashlimit-name floodgated -j ACCEPT iptables -A FLOODGATES -j CHANNEL ######## CHANNEL ######## iptables -A CHANNEL -m recent --set --name AGGRESSION_CHECK ### Source IP matching 12 times in 100 seconds - send to INUNDATED iptables -A CHANNEL -m recent --update --seconds hitcount 12 --name AGGRESSION_CHECK --rsource -j INUNDATED ### Source IP matching 10 times in 20 seconds - send to INUNDATED iptables -A CHANNEL -m recent --update --seconds 20 --hitcount 10 --name AGGRESSION_CHECK --rsource -j INUNDATED iptables -A CHANNEL -p tcp -j MINERGATES
14 SECURING THE S T A C K -- WEB SECURITY ######## MINERGATES ######## ## Look for 3 way handshake -- # Client connects to the server by sending a SYN (Synchronization) packet. # Server responds with a SYN + ACK (Synchronize + Acknowledgment) packet. # Client responds with an ACK (Acknowledgment) packet and communication is is established. # Client sends its first PSH + ACK (Push + Acknowledgment) packet which contains the http header. iptables -A MINERGATES -m recent --set --name MINER_CHECK iptables -A MINERGATES -m recent -p tcp --tcp-flags PSH,SYN,ACK SYN,ACK --sport 80 --update iptables -A MINERGATES -m recent -p tcp --tcp-flags PSH,SYN,ACK ACK --dport 80 --update iptables -A MINERGATES -m recent -p tcp --tcp-flags PSH,ACK PSH,ACK --dport 80 --update --seconds 10 --hitcount 2 --name MINER_CHECK -m string --to 70 --algo bm --string "GET /search/?username-directory=1&query=" -j MINERS iptables -A MINERGATES -m recent -p tcp --tcp-flags PSH,ACK PSH,ACK --dport 80 --update --seconds 60 --hitcount 22 --name MINER_CHECK -m string --to 70 --algo bm --string "GET /index.html" -j MINERS iptables -A MINERGATES -p tcp -m tcp --dport 80 -j BANDWIDTHGATES
15 SECURING THE S T A C K -- WEB SECURITY #### INUNDATED #### ## Logging and dropping / resetting connections -- Loglevel 0 is emergency, 4 is warning and 7 is debug iptables -A INUNDATED -m limit --limit 5/min -j LOG --log-prefix "WEB SECURITY -- INUNDATED : " --log-level 7 iptables -A INUNDATED -m recent --set --name FROZEN --rsource -j DROP iptables -A INUNDATED -p tcp -m tcp --dport 80 -j BANDWIDTHGATES #### MINERS #### iptables -A MINERS -m limit --limit 5/min -j LOG --log-prefix "WEB SECURITY -- MINERS : " --log-level 7 iptables -A MINERS -p tcp -m recent --set --name MINER_FREEZE --rsource -j REJECT --reject-with tcp-reset ##It is better to do tcp-reset in this case instead of DROP as with PSH-ACK the connection is already established ##iptables -A MINERS -p tcp -m recent --set --name MINER_FREEZE --rsource -j DROP iptables -A MINERS -p tcp -m tcp --dport 80 -j BANDWIDTHGATES
16 SECURING THE S T A C K -- WEB SECURITY ######## BANDWIDTHGATES ######## ### /8 is for testing locally [other IP addresses can be given as virtual interfaces for testing within a system Eg eth0:1] ###iptables -A BANDWIDTHGATES -p tcp -s /8 --dport 80 -m quota --quota j ACCEPT iptables -A BANDWIDTHGATES -p tcp -s /8 --dport 80 -m quota --quota j ACCEPT ## Set a pre-defined bandwidth quota. ## 50 mbps for /24 iptables -A BANDWIDTHGATES -p tcp -s /24 --dport 80 -m quota --quota j ACCEPT ## 20 mbps for /16 iptables -A BANDWIDTHGATES -p tcp -s /16 --dport 80 -m quota --quota j ACCEPT ## 10 mbps for /8 iptables -A BANDWIDTHGATES -p tcp -s /8 --dport 80 -m quota --quota j ACCEPT ## 5 mbps for the rest of the IPs iptables -A BANDWIDTHGATES -p tcp --dport 80 -m quota --quota j ACCEPT ## When the quota is reached, the rule doesn't match any more and is dropped by the rule below. iptables -A BANDWIDTHGATES -p tcp --dport 80 -j DROP #Notes - the --update option restarts the timer on each receiving packet, where as --rcheck restarts timer only after a fixed amount of time # String search algorithms BM (Boyers Moore) is considered 2 to 6 times faster than KMP (Knuth Morris Pratt)
17 SECURING THE S T A C K N E T W O R K S E C U R I T Y
18 Aim of Accomplishment Distributed, Secure, Ad-hoc & Automatic Converged Network System Distributed - Locally (Eg. Boston - Worcester) - or Globally (Boston - San Francisco - Tokyo - Dublin - Bangalore - Beijing) Secure - Power and security of SSH - Furthermore, use of High Performance SSH especially for long distance high latency links with dynamic internal flow control buffers. Adhoc - Peer-to-Peer -- Can be connected in Ring, 2-D Torus & 3-D Hexagonal Torus Topologies, with a network diameter of up to 18 in one direction / dimension. Multiple directions / dimensions possible. Automatic - No trunking or configuring ports anymore at layer 2 / layer 3 / VLANs. Automatically bridges traffic at Layer 2 and automatically routes traffic at Layer 3 if the destination is in a different subnet / class of IP address. Converged - Acts automatically as a Switch, Router, VPN, NAC appliance, Load Balancer and more Network System -- End-to-end all-encompassing.
19 Aim of Accomplishment What I will not be addressing today (perhaps in another talk somewhere when possible) : How to make this existing setup into a NAC appliance with network key injection into traversing packets. How to also make this into a high performance distributed ad-hoc load balancer with auto gateway load balancing. How to logically combine different VLANS by bridging and routing them automatically at Layer 2 and Layer 3. How to tune / enhance the drivers, kernel, IP stack, bridge code, interrupts and affinities and related components to achieve line rate performance. How to route between heterogeneous physical interfaces like gigabit / 10 gigabit Ethernet and Infiniband / Scalable Coherent Interconnect Integration of Web Security methods defined before onto a layer 2 and layer 3 forwarding plane. Techniques in the Linux Kernel Networking stack to increase parallelism and performance: RSS: Receive Side Scaling RPS: Receive Packet Steering RFS: Receive Flow Steering Accelerated Receive Flow Steering XPS: Transmit Packet Steering
20 SECURING THE S T A C K -- NETWORK SECURITY Scenario 1 -- Converged Automatic Routing (layer 3) & Switching (layer2) SwitchR0 is a converged automatic switch & router which has 2 ethernet interfaces in a bridge swr0 swr swr0: /proc/sys/net/ipv4/conf/swr0/forwarding = 1 iptables -s /24 --table nat --append POSTROUTING --out-interface swr0 -j MASQUERADE iptables -s /24 --append FORWARD --in-interface swr0 -j ACCEPT There are 2 client machines client0 and client1 with one ethernet and one virtual interface interface each. client0 - eth eth0: connected to eth0 of SwitchR0 client 0 - default gw on eth0 set to client1 - eth eth0: connected to eth1 of SwitchR0 client0 pings [ on client1 ] succesfully -- layer 3 routing via SwitchR0 client0 pings [on client1 ] succesfully -- layer2 switching via SwitchR0 As long as swr0 has IP addresses that are present on your network, layer 3 routing will be automatically and transparently possible across all inter-class IPs, inter private address IPs and their subnets!
21 SECURING THE S T A C K -- NETWORK SECURITY Scenario 2 -- Distributed Converged Automatic Routing (layer 3) & Switching (layer2) SwitchR0 is a converged automatic switch & router which has 1 ethernet interface & 1 tap interface in a bridge swr0 Bridge swr0 has eth0 and tap0 eth1 is given a separate IP address reachable to eth of SwitchR1 swr swr0: /proc/sys/net/ipv4/conf/swr0/forwarding = 1 iptables -s /24 --table nat --append POSTROUTING --out-interface swr0 -j MASQUERADE iptables -s /24 --append FORWARD --in-interface swr0 -j ACCEPT Spanning Tree Protocol turned on swr0 to prevent network loops: brctl stp swr0 on SwitchR1 is a converged automatic switch & router which has 1 ethernet interface & 1 tap interface in a bridge swr1 Bridge swr1 has eth0 and tap0 swr eth1 is given a separate IP address Spanning Tree Protocol turned on swr1 to prevent network loops: brctl stp swr1 on
22 SECURING THE S T A C K -- NETWORK SECURITY Scenario 2 -- Distributed Converged Automatic Routing (layer 3) & Switching (layer2) ssh tunnel from bridge swr0 of SwitchR0 [ ] to swr1 [ ] of SwitchR1 ssh -o Tunnel=ethernet -f -N -w 0:0 root@ **Only change the following in /etc/ssh/sshd_config [as seen in Ubuntu]: PermitRootLogin yes PermitTunnel yes [ The above will create 2 tap interfaces (tap0 on SwitchR0 and SwitchR1) ] Same configuration of client machines as scenario 1 Client0 is connected to eth0 of SwitchR0 Client1 is connected to eth0 of SwitchR1 client0 pings [ on client1 ] succesfully -- layer 3 distributed secure routing via SwitchR0 and SwitchR1 [over ssh] client0 pings [on client1 ] succesfully -- layer2 distributed secure switching via SwitchR0 and SwitchR1 [over ssh]
23 SECURING THE S T A C K -- NETWORK SECURITY Scenario 3 -- Distributed Converged Automatic Routing (layer 3) & Switching (layer2) with Transparent Layer2 Auto Fail-over and Auto Fail-back Same setup and configuration as scenario 2 but now add SwitchR2 with a bridge swr2 and give it an IP eg: Connect eth0 of client0 to eth0 of SwitchR2 Connect eth0 of client1 to eth1 of SwitchR2 You may use an unmanaged switches to connect client[x] to SwitchR[X] or do link aggregation (802.3ad / bonding) for NIC failover / balancing OR do everything with virtual machines As soon as all the SwitchRs are connected, they will send out BPDUs and select a root bridge Start a ping from client0 to client1 Unplug the cable from Client0 to SwitchR0 -- do: brctl showstp swr0 [ and all the switches] you notice the designated root change, meaning a new root bridge will be selected. You will also see message with content like topology change detected propagating topology change detected, sending tcn bpdu
24 SECURING THE S T A C K -- NETWORK SECURITY Scenario 3 -- Distributed Converged Automatic Routing (layer 3) & Switching (layer2) with Transparent Layer2 Auto Fail-over and Auto Fail-back Plug the cable back in SwitchR0 and do similar observations as above Then unplug the cable from client 0 to SwitchR2 and make observations --you should get seamless transparent fail-over and fail-back The fail-over / fail-back will be instantaneous or could take up to a minute depending on your link latency and tuning of STP parameters on the bridge
25 SECURING THE S T A C K O P E R A T I N G S Y S T E M S E C U R I T Y
26 SECURING THE S T A C K -- OPERATING SYSTEM SECURITY Access to compliant resources by authorized users from heterogeneous groups There are thousands of users spread across heterogeneous groups. You need to give only a few users across these groups access to compliant & secure resources POSIX ACLs can do that for you providing you understand its complexity The code examples show you steps to achieve 2 different scenarios to bifurcate groups and users: 1) Adding a group to a file but not giving the group members read, write or execute permissions, then adding required users from that group as need be. 2) Adding a group to a file but this time giving the entire group read, write or execute permission, then restricting access to specific users
27 SECURING THE S T A C K -- OPERATING SYSTEM SECURITY Scenario 1 getfacl facltest getfacl shows the file access control list(s) # file: facltest # owner: root # group: root user::rwsetfacl -m g:mehuls:--- facltest setfacl sets the file access control list. -m (modify) [-x to remove] g:mehuls gives group mehuls access to the file. --- means no rwx access getfacl facltest # file: facltest # owner: root # group: root user::rwgroup::r-x group:mehuls:--- members of group mehuls will not be able r,w or x mask::r-x other::r--
28 SECURING THE S T A C K -- OPERATING SYSTEM SECURITY Lets try it: su mehuls cat facltest cat: facltest: Permission denied echo "this is from mehuls" >> facltest bash: facltest: Permission denied exit Exit and give read and write permissions to user mehuls: setfacl -m u:mehuls:rw- facltest u denotes user su mehuls ls -l facltest -rw-rwxr--+ 1 root root 0 Apr 3 15:26 facltest + denotes acls have been applied echo "this is from mehuls" >> facltest cat facltest this is from mehuls
29 SECURING THE S T A C K -- OPERATING SYSTEM SECURITY Scenario 2 setfacl -m u:mehuls:--- facltest here user does not have permissions ( --- ) setfacl -m g:mehuls:rwx facltest group has rwx getfacl facltest1 # file: facltest1 # owner: root # group: root user::rw- user:mehuls:--- group::r-- group:mehuls:rwx mask::rwx other::r-- Try it out: su mehuls cat facltest;./facltest cat: posixacltest: Permission denied bash:./facltest: Permission denied
30 SECURING THE S T A C K THANK YOU!
Bridgewalling - Using Netfilter in Bridge Mode
Bridgewalling - Using Netfilter in Bridge Mode Ralf Spenneberg, ralf@spenneberg.net Revision : 1.5 Abstract Firewalling using packet filters is usually performed by a router. The packet filtering software
More informationTrack 2 Workshop PacNOG 7 American Samoa. Firewalling and NAT
Track 2 Workshop PacNOG 7 American Samoa Firewalling and NAT Core Concepts Host security vs Network security What is a firewall? What does it do? Where does one use it? At what level does it function?
More informationIntro to Linux Kernel Firewall
Intro to Linux Kernel Firewall Linux Kernel Firewall Kernel provides Xtables (implemeted as different Netfilter modules) which store chains and rules x_tables is the name of the kernel module carrying
More informationHow To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)
Security principles Firewalls and NAT These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/) Host vs Network
More informationPerformance Evaluation of Linux Bridge
Performance Evaluation of Linux Bridge James T. Yu School of Computer Science, Telecommunications, and Information System (CTI) DePaul University ABSTRACT This paper studies a unique network feature, Ethernet
More informationFirewall. IPTables and its use in a realistic scenario. José Bateira ei10133 Pedro Cunha ei05064 Pedro Grilo ei09137 FEUP MIEIC SSIN
Firewall IPTables and its use in a realistic scenario FEUP MIEIC SSIN José Bateira ei10133 Pedro Cunha ei05064 Pedro Grilo ei09137 Topics 1- Firewall 1.1 - How they work? 1.2 - Why use them? 1.3 - NAT
More informationLinux firewall. Need of firewall Single connection between network Allows restricted traffic between networks Denies un authorized users
Linux firewall Need of firewall Single connection between network Allows restricted traffic between networks Denies un authorized users Linux firewall Linux is a open source operating system and any firewall
More informationChapter 7. Firewalls http://www.redhat.com/docs/manuals/enterprise/rhel-4-manual/security-guide/ch-fw.html
Red Hat Docs > Manuals > Red Hat Enterprise Linux Manuals > Red Hat Enterprise Linux 4: Security Guide Chapter 7. Firewalls http://www.redhat.com/docs/manuals/enterprise/rhel-4-manual/security-guide/ch-fw.html
More informationProtecting and controlling Virtual LANs by Linux router-firewall
Protecting and controlling Virtual LANs by Linux router-firewall Tihomir Katić Mile Šikić Krešimir Šikić Faculty of Electrical Engineering and Computing University of Zagreb Unska 3, HR 10000 Zagreb, Croatia
More informationFirewalls. Chien-Chung Shen cshen@cis.udel.edu
Firewalls Chien-Chung Shen cshen@cis.udel.edu The Need for Firewalls Internet connectivity is essential however it creates a threat vs. host-based security services (e.g., intrusion detection), not cost-effective
More informationLinux: 20 Iptables Examples For New SysAdmins
Copyrighted material Linux: 20 Iptables Examples For New SysAdmins Posted By nixcraft On December 13, 2011 @ 8:29 am [ 64 Comments ] L inux comes with a host based firewall called
More informationChapter 3. Enterprise Campus Network Design
Chapter 3 Enterprise Campus Network Design 1 Overview The network foundation hosting these technologies for an emerging enterprise should be efficient, highly available, scalable, and manageable. This
More informationCSC574 - Computer and Network Security Module: Firewalls
CSC574 - Computer and Network Security Module: Firewalls Prof. William Enck Spring 2013 1 Firewalls A firewall... is a physical barrier inside a building or vehicle, designed to limit the spread of fire,
More information+ iptables. packet filtering && firewall
+ iptables packet filtering && firewall + what is iptables? iptables is the userspace command line program used to configure the linux packet filtering ruleset + a.k.a. firewall + iptable flow chart what?
More informationCS 5410 - Computer and Network Security: Firewalls
CS 5410 - Computer and Network Security: Firewalls Professor Kevin Butler Fall 2015 Firewalls A firewall... is a physical barrier inside a building or vehicle, designed to limit the spread of fire, heat
More informationCS 5410 - Computer and Network Security: Firewalls
CS 5410 - Computer and Network Security: Firewalls Professor Patrick Traynor Spring 2015 Firewalls A firewall... is a physical barrier inside a building or vehicle, designed to limit the spread of fire,
More informationLinux Networking Basics
Linux Networking Basics Naveen.M.K, Protocol Engineering & Technology Unit, Electrical Engineering Department, Indian Institute of Science, Bangalore - 12. Outline Basic linux networking commands Servers
More informationConfiguring IPS High Bandwidth Using EtherChannel Load Balancing
Configuring IPS High Bandwidth Using EtherChannel Load Balancing This guide helps you to understand and deploy the high bandwidth features available with IPS v5.1 when used in conjunction with the EtherChannel
More informationLab Objectives & Turn In
Firewall Lab This lab will apply several theories discussed throughout the networking series. The routing, installing/configuring DHCP, and setting up the services is already done. All that is left for
More informationNetworking and High Availability
TECHNICAL BRIEF Networking and High Availability Deployment Note Imperva appliances support a broad array of deployment options, enabling seamless integration into any data center environment. can be configured
More informationLinux Firewalls (Ubuntu IPTables) II
Linux Firewalls (Ubuntu IPTables) II Here we will complete the previous firewall lab by making a bridge on the Ubuntu machine, to make the Ubuntu machine completely control the Internet connection on the
More informationNComputing L-Series LAN Deployment
NComputing L-Series LAN Deployment Best Practices for Local Area Network Infrastructure Scope: NComputing s L-Series terminals connect to a host computer through an Ethernet interface and IP protocol.
More informationHow To Understand A Firewall
Module II. Internet Security Chapter 6 Firewall Web Security: Theory & Applications School of Software, Sun Yat-sen University Outline 6.1 Introduction to Firewall What Is a Firewall Types of Firewall
More informationLinux Firewall Wizardry. By Nemus
Linux Firewall Wizardry By Nemus The internet and your server So then what do you protect your server with if you don't have a firewall in place? NetFilter / Iptables http://www.netfilter.org Iptables
More informationA New Approach to Developing High-Availability Server
A New Approach to Developing High-Availability Server James T. Yu, Ph.D. School of Computer Science, Telecommunications, and Information Systems DePaul University jyu@cs.depaul.edu ABSTRACT This paper
More informationFirewalls and VPNs. Principles of Information Security, 5th Edition 1
Firewalls and VPNs Principles of Information Security, 5th Edition 1 Learning Objectives Upon completion of this material, you should be able to: Understand firewall technology and the various approaches
More informationNetwork Agent Quick Start
Network Agent Quick Start Topic 50500 Network Agent Quick Start Updated 17-Sep-2013 Applies To: Web Filter, Web Security, Web Security Gateway, and Web Security Gateway Anywhere, v7.7 and 7.8 Websense
More informationLinux Routers and Community Networks
Summer Course at Mekelle Institute of Technology. July, 2015. Linux Routers and Community Networks Llorenç Cerdà-Alabern http://personals.ac.upc.edu/llorenc llorenc@ac.upc.edu Universitat Politènica de
More informationNetworking and High Availability
yeah SecureSphere Deployment Note Networking and High Availability Imperva SecureSphere appliances support a broad array of deployment options, enabling seamless integration into any data center environment.
More informationArchitecture. Dual homed box 10.45.7.1 10.45.7.2. Internet 10.45.7.0/8
Firewalls Sources: * C. Hunt. TCP/IP Networking (?) * Simson & Garfinkel. Practical Unix & Internet Security. * W. Stallings. Computer Networks. (?) * iptables man page * Brad Fisher: http://lists.netfilter.org/pipermail/netfilter-devel/2006-
More information1:1 NAT in ZeroShell. Requirements. Overview. Network Setup
1:1 NAT in ZeroShell Requirements The version of ZeroShell used for writing this document is Release 1.0.beta11. This document does not describe installing ZeroShell, it is assumed that the user already
More informationOutline VLAN. Inter-VLAN communication. Layer-3 Switches. Spanning Tree Protocol Recap
Outline Network Virtualization and Data Center Networks 263-3825-00 DC Virtualization Basics Part 2 Qin Yin Fall Semester 2013 More words about VLAN Virtual Routing and Forwarding (VRF) The use of load
More informationLoad Balancing Trend Micro InterScan Web Gateway
Load Balancing Trend Micro InterScan Web Gateway Deployment Guide rev. 1.1.7 Copyright 2002 2015 Loadbalancer.org, Inc. 1 Table of Contents About this Guide... 3 Loadbalancer.org Appliances Supported...
More informationMLAG on Linux - Lessons Learned. Scott Emery, Wilson Kok Cumulus Networks Inc.
MLAG on Linux - Lessons Learned Scott Emery, Wilson Kok Cumulus Networks Inc. Agenda MLAG introduction and use cases Lessons learned MLAG control plane model MLAG data plane Linux kernel requirements Other
More informationChapter 28 Denial of Service (DoS) Attack Prevention
Chapter 28 Denial of Service (DoS) Attack Prevention Introduction... 28-2 Overview of Denial of Service Attacks... 28-2 IP Options... 28-2 LAND Attack... 28-3 Ping of Death Attack... 28-4 Smurf Attack...
More informationPractical Network Forensics
BCS-ISSG Practical Network Forensics Day BCS, London Practical Network Forensics Alan Woodroffe issg@securesystemssupport.co.uk www.securesystemssupport.co.uk Copyright Secure Systems Support Limited.
More informationCSE543 - Computer and Network Security Module: Firewalls
CSE543 - Computer and Network Security Module: Firewalls Professor Trent Jaeger Fall 2010 1 Firewalls A firewall... is a physical barrier inside a building or vehicle, designed to limit the spread of fire,
More informationLoad Balancing McAfee Web Gateway. Deployment Guide
Load Balancing McAfee Web Gateway Deployment Guide rev. 1.1.4 Copyright 2015 Loadbalancer.org, Inc. 1 Table of Contents About this Guide... 3 Loadbalancer.org Appliances Supported...3 Loadbalancer.org
More informationUnderstanding Virtual Router and Virtual Systems
Understanding Virtual Router and Virtual Systems PAN- OS 6.0 Humair Ali Professional Services Content Table of Contents VIRTUAL ROUTER... 5 CONNECTED... 8 STATIC ROUTING... 9 OSPF... 11 BGP... 17 IMPORT
More informationInternet Firewall CSIS 4222. Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS 4222. net15 1. Routers can implement packet filtering
Internet Firewall CSIS 4222 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 27: Internet Routing Ch 30: Packet filtering & firewalls
More informationQuick Start for Network Agent. 5-Step Quick Start. What is Network Agent?
What is Network Agent? The Websense Network Agent software component uses sniffer technology to monitor all of the internet traffic on the network machines that you assign to it. Network Agent filters
More informationCIT 480: Securing Computer Systems. Firewalls
CIT 480: Securing Computer Systems Firewalls Topics 1. What is a firewall? 2. Types of Firewalls 1. Packet filters (stateless) 2. Stateful firewalls 3. Proxy servers 4. Application layer firewalls 3. Configuring
More informationInternet Firewall CSIS 3230. Internet Firewall. Spring 2012 CSIS 4222. net13 1. Firewalls. Stateless Packet Filtering
Internet Firewall CSIS 3230 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 8.8: Packet filtering, firewalls, intrusion detection Ch
More informationHow To Set Up A Network Map In Linux On A Ubuntu 2.5 (Amd64) On A Raspberry Mobi) On An Ubuntu 3.5.2 (Amd66) On Ubuntu 4.5 On A Windows Box
CSC-NETLAB Packet filtering with Iptables Group Nr Name1 Name2 Name3 Date Instructor s Signature Table of Contents 1 Goals...2 2 Introduction...3 3 Getting started...3 4 Connecting to the virtual hosts...3
More informationTRILL for Service Provider Data Center and IXP. Francois Tallet, Cisco Systems
for Service Provider Data Center and IXP Francois Tallet, Cisco Systems 1 : Transparent Interconnection of Lots of Links overview How works designs Conclusion 2 IETF standard for Layer 2 multipathing Driven
More informationSecurity Technology: Firewalls and VPNs
Security Technology: Firewalls and VPNs 1 Learning Objectives Understand firewall technology and the various approaches to firewall implementation Identify the various approaches to remote and dial-up
More informationTHE HONG KONG POLYTECHNIC UNIVERSITY Department of Electronic and Information Engineering
THE HONG KONG POLYTECHNIC UNIVERSITY Department of Electronic and Information Engineering ENG 224 Information Technology Laboratory 6: Internet Connection Sharing Objectives: Build a private network that
More informationZarząd (7 osób) F inanse (13 osób) M arketing (7 osób) S przedaż (16 osób) K adry (15 osób)
QUESTION NO: 8 David, your TestKing trainee, asks you about basic characteristics of switches and hubs for network connectivity. What should you tell him? A. Switches take less time to process frames than
More informationModule: Firewalls. Professor Patrick McDaniel Spring 2009. CMPSC443 - Introduction to Computer and Network Security
CMPSC443 - Introduction to Computer and Network Security Module: Firewalls Professor Patrick McDaniel Spring 2009 1 Firewalls A firewall... is a physical barrier inside a building or vehicle, designed
More informationOptimisacion del ancho de banda (Introduccion al Firewall de Linux)
Optimisacion del ancho de banda (Introduccion al Firewall de Linux) Christian Benvenuti christian.benvenuti@libero.it Managua, Nicaragua, 31/8/9-11/9/9 UNAN-Managua Before we start... Are you familiar
More informationPolicy Based Forwarding
Policy Based Forwarding Tech Note PAN-OS 4.1 Revision A 2012, Palo Alto Networks, Inc. www.paloaltonetworks.com Contents Overview... 3 Security... 3 Performance... 3 Symmetric Routing... 3 Service Versus
More informationLoad Balancing Web Proxies Load Balancing Web Filters Load Balancing Web Gateways. Deployment Guide
Load Balancing Web Proxies Load Balancing Web Filters Load Balancing Web Gateways Deployment Guide rev. 1.4.9 Copyright 2015 Loadbalancer.org, Inc. 1 Table of Contents About this Guide... 3 Appliances
More informationTECHNICAL NOTES. Security Firewall IP Tables
Introduction Prior to iptables, the predominant software packages for creating Linux firewalls were 'IPChains' in Linux 2.2 and ipfwadm in Linux 2.0, which in turn was based on BSD's ipfw. Both ipchains
More informationJuniper / Cisco Interoperability Tests. August 2014
Juniper / Cisco Interoperability Tests August 2014 Executive Summary Juniper Networks commissioned Network Test to assess interoperability, with an emphasis on data center connectivity, between Juniper
More informationHirschmann. Simply a good Connection. White paper: Security concepts. based on EAGLE system. Security-concepts Frank Seufert White Paper Rev. 1.
Hirschmann. Simply a good Connection. White paper: Security concepts based on EAGLE system Security-concepts Frank Seufert White Paper Rev. 1.1 Contents Security concepts based on EAGLE system 1 Introduction
More informationObjectives. The Role of Redundancy in a Switched Network. Layer 2 Loops. Broadcast Storms. More problems with Layer 2 loops
ITE I Chapter 6 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 1 Objectives Implement Spanning Tree Protocols LAN Switching and Wireless Chapter 5 Explain the role of redundancy in a converged
More informationFrequently Asked Questions
Frequently Asked Questions 1. Q: What is the Network Data Tunnel? A: Network Data Tunnel (NDT) is a software-based solution that accelerates data transfer in point-to-point or point-to-multipoint network
More informationArchitecture Overview
Architecture Overview Design Fundamentals The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and
More informationMain functions of Linux Netfilter
Main functions of Linux Netfilter Filter Nat Packet filtering (rejecting, dropping or accepting packets) Network Address Translation including DNAT, SNAT and Masquerading Mangle General packet header modification
More informationManagement Software. Web Browser User s Guide AT-S106. For the AT-GS950/48 Gigabit Ethernet Smart Switch. Version 1.0.0. 613-001339 Rev.
Management Software AT-S106 Web Browser User s Guide For the AT-GS950/48 Gigabit Ethernet Smart Switch Version 1.0.0 613-001339 Rev. A Copyright 2010 Allied Telesis, Inc. All rights reserved. No part of
More informationN5 NETWORKING BEST PRACTICES
N5 NETWORKING BEST PRACTICES Table of Contents Nexgen N5 Networking... 2 Overview of Storage Networking Best Practices... 2 Recommended Switch features for an iscsi Network... 2 Setting up the iscsi Network
More informationEXINDA NETWORKS. Deployment Topologies
EXINDA NETWORKS Deployment Topologies September 2005 :: Award Winning Application Traffic Management Solutions :: :: www.exinda.com :: Exinda Networks :: info@exinda.com :: 2005 Exinda Networks Pty Ltd.
More informationLoad Balancing Sophos Web Gateway. Deployment Guide
Load Balancing Sophos Web Gateway Deployment Guide rev. 1.0.9 Copyright 2002 2015 Loadbalancer.org, Inc. 1 Table of Contents About this Guide...3 Loadbalancer.org Appliances Supported...3 Loadbalancer.org
More informationCCNP SWITCH: Implementing High Availability and Redundancy in a Campus Network
CCNP SWITCH: Implementing High Availability and Redundancy in a Campus Network Olga Torstensson SWITCHv6 1 Components of High Availability Redundancy Technology (including hardware and software features)
More informationAssignment 3 Firewalls
LEIC/MEIC - IST Alameda ONLY For ALAMEDA LAB equipment Network and Computer Security 2013/2014 Assignment 3 Firewalls Goal: Configure a firewall using iptables and fwbuilder. 1 Introduction This lab assignment
More informationLoad Balancing Clearswift Secure Web Gateway
Load Balancing Clearswift Secure Web Gateway Deployment Guide rev. 1.1.8 Copyright 2002 2016 Loadbalancer.org, Inc. 1 Table of Contents About this Guide...3 Loadbalancer.org Appliances Supported...3 Loadbalancer.org
More informationD1.2 Network Load Balancing
D1. Network Load Balancing Ronald van der Pol, Freek Dijkstra, Igor Idziejczak, and Mark Meijerink SARA Computing and Networking Services, Science Park 11, 9 XG Amsterdam, The Netherlands June ronald.vanderpol@sara.nl,freek.dijkstra@sara.nl,
More informationHow To Configure A Vyatta 4.2.0 As A Ds Internet Connection Router/Gateway With A Web Server On A Dspv.Net 4.0.1 (Dspv) On A Network With A D
Open Informatics a An Information Technology Company Visit us on the web at www.openinformatics.net Tutorial Author: Zlatan Klebic Send Feedback: zklebic@openinformatics.net Configuring a Vyatta 4.0 release
More informationNetwork Virtualization Network Admission Control Deployment Guide
Network Virtualization Network Admission Control Deployment Guide This document provides guidance for enterprises that want to deploy the Cisco Network Admission Control (NAC) Appliance for their campus
More informationLoad Balancing Bloxx Web Filter. Deployment Guide
Load Balancing Bloxx Web Filter Deployment Guide rev. 1.1.8 Copyright 2002 2016 Loadbalancer.org, Inc. 1 Table of Contents About this Guide...4 Loadbalancer.org Appliances Supported...4 Loadbalancer.org
More informationNetwork Security. Chapter 3. Cornelius Diekmann. Version: October 21, 2015. Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik
Network Security Chapter 3 Cornelius Diekmann Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik Version: October 21, 2015 IN2101, WS 15/16, Network Security 1 Security Policies and
More informationHow to Secure RHEL 6.2 Part 2
How to Secure RHEL 6.2 Part 2 Motivation This paper is part of a multi-part series on securing Redhat Enterprise Linux 6.2. This paper focuses on implementing IPtables as a host based firewall. If you
More informationLoad Balancing Smoothwall Secure Web Gateway
Load Balancing Smoothwall Secure Web Gateway Deployment Guide rev. 1.1.7 Copyright 2002 2015 Loadbalancer.org, Inc. 1 Table of Contents About this Guide...3 Loadbalancer.org Appliances Supported...3 Loadbalancer.org
More informationThe ABCs of Spanning Tree Protocol
The ABCs of Spanning Tree Protocol INTRODUCTION In an industrial automation application that relies heavily on the health of the Ethernet network that attaches all the controllers and computers together,
More informationBest Practices: Pass-Through w/bypass (Bridge Mode)
Best Practices: Pass-Through w/bypass (Bridge Mode) EdgeXOS Deployment Scenario: Bridge Pass-Through This document is designed to provide an example as to how the EdgeXOS appliance is configured based
More informationOptimizing Data Center Networks for Cloud Computing
PRAMAK 1 Optimizing Data Center Networks for Cloud Computing Data Center networks have evolved over time as the nature of computing changed. They evolved to handle the computing models based on main-frames,
More informationUnderstanding and Configuring NAT Tech Note PAN-OS 4.1
Understanding and Configuring NAT Tech Note PAN-OS 4.1 Revision C 2012, Palo Alto Networks, Inc. www.paloaltonetworks.com Contents Overview... 3 Scope... 3 Design Consideration... 3 Software requirement...
More informationServer Iron Hands-on Training
Server Iron Hands-on Training Training Session Agenda Server Iron L4 Solutions Server Iron L7 Solutions Server Iron Security Solutions High Availability Server Iron Designs 2 Four Key Reasons for Server
More informationInstallation of the On Site Server (OSS)
Installation of the On Site Server (OSS) rev 1.1 Step #1 - Initial Connection to the OSS Having plugged in power and an ethernet cable in the eth0 interface (see diagram below) you can connect to the unit
More informationBuilding a Home Gateway/Firewall with Linux (aka Firewalling and NAT with iptables )
Building a Home Gateway/Firewall with Linux (aka Firewalling and NAT with iptables ) Michael Porkchop Kaegler mkaegler@nic.com http://www.nic.com/~mkaegler/ Hardware Requirements Any machine capable of
More informationLinux Firewall. Linux workshop #2. www.burningnode.com
Linux Firewall Linux workshop #2 Summary Introduction to firewalls Introduction to the linux firewall Basic rules Advanced rules Scripting Redundancy Extensions Distributions Links 2 Introduction to firewalls
More informationInterconnecting Cisco Networking Devices Part 2
Interconnecting Cisco Networking Devices Part 2 Course Number: ICND2 Length: 5 Day(s) Certification Exam This course will help you prepare for the following exam: 640 816: ICND2 Course Overview This course
More informationDefinition of firewall
Internet Firewalls Definitions: firewall, policy, router, gateway, proxy NAT: Network Address Translation Source NAT, Destination NAT, Port forwarding NAT firewall compromise via UPnP/IGD Packet filtering
More informationLoad Balancing ContentKeeper With RadWare
Load Balancing ContentKeeper With RadWare The RadWare Fireproof may be used with ContentKeeper to provide load balanced and redundant Internet content filtering for your network. The RadWare FireProof
More informationAppliance Quick Start Guide. v7.6
Appliance Quick Start Guide v7.6 rev. 1.0.7 Copyright 2002 2015 Loadbalancer.org, Inc. Table of Contents Loadbalancer.org Terminology... 4 What is a Virtual IP Address?... 5 What is a Floating IP Address?...
More informationCIT 480: Securing Computer Systems. Firewalls
CIT 480: Securing Computer Systems Firewalls Topics 1. What is a firewall? 2. Types of Firewalls 1. Packet filters (stateless) 2. Stateful firewalls 3. Proxy servers 4. Application layer firewalls 3. Configuring
More informationBarracuda Link Balancer
Barracuda Networks Technical Documentation Barracuda Link Balancer Administrator s Guide Version 2.2 RECLAIM YOUR NETWORK Copyright Notice Copyright 2004-2011, Barracuda Networks www.barracuda.com v2.2-110503-01-0503
More informationCarrier/WAN SDN Brocade Flow Optimizer Making SDN Consumable
Brocade Flow Optimizer Making SDN Consumable Business And IT Are Changing Like Never Before Changes in Application Type, Delivery and Consumption Public/Hybrid Cloud SaaS/PaaS Storage Users/ Machines Device
More informationNetwork Simulation Traffic, Paths and Impairment
Network Simulation Traffic, Paths and Impairment Summary Network simulation software and hardware appliances can emulate networks and network hardware. Wide Area Network (WAN) emulation, by simulating
More informationFirewall Tutorial. KAIST Dept. of EECS NC Lab.
Firewall Tutorial KAIST Dept. of EECS NC Lab. Contents What is Firewalls? Why Firewalls? Types of Firewalls Limitations of firewalls and gateways Firewalls in Linux What is Firewalls? firewall isolates
More informationFirewalls. Chapter 3
Firewalls Chapter 3 1 Border Firewall Passed Packet (Ingress) Passed Packet (Egress) Attack Packet Hardened Client PC Internet (Not Trusted) Hardened Server Dropped Packet (Ingress) Log File Internet Border
More informationConfiguring Static and Dynamic NAT Translation
This chapter contains the following sections: Network Address Translation Overview, page 1 Information About Static NAT, page 2 Dynamic NAT Overview, page 3 Timeout Mechanisms, page 4 NAT Inside and Outside
More informationTechnical Note. ForeScout CounterACT: Virtual Firewall
ForeScout CounterACT: Contents Introduction... 3 What is the vfw?.... 3 Technically, How Does vfw Work?.... 4 How Does vfw Compare to a Real Firewall?.... 4 How Does vfw Compare to other Blocking Methods?...
More informationFirewalls P+S Linux Router & Firewall 2013
Firewalls P+S Linux Router & Firewall 2013 Firewall Techniques What is a firewall? A firewall is a hardware or software device which is configured to permit, deny, or proxy data through a computer network
More informationOpenBSD in the wild...a personal journey
OpenBSD in the wild......a personal journey Avik Sengupta Chief Technology Officer Itellix Software Solutions Pvt Ltd 2006 Avik Sengupta. Licensed under Creative Commons by-nc-nd. 1 Agenda OpenBSD Why
More informationLAB THREE STATIC ROUTING
LAB THREE STATIC ROUTING In this lab you will work with four different network topologies. The topology for Parts 1-4 is shown in Figure 3.1. These parts address router configuration on Linux PCs and a
More informationChapter 7 Configuring Trunk Groups and Dynamic Link Aggregation
Chapter 7 Configuring Trunk Groups and Dynamic Link Aggregation This chapter describes how to configure trunk groups and 802.3ad link aggregation. Trunk groups are manually-configured aggregate links containing
More informationSecurity Technology White Paper
Security Technology White Paper Issue 01 Date 2012-10-30 HUAWEI TECHNOLOGIES CO., LTD. 2012. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without
More informationADVANCED NETWORK CONFIGURATION GUIDE
White Paper ADVANCED NETWORK CONFIGURATION GUIDE CONTENTS Introduction 1 Terminology 1 VLAN configuration 2 NIC Bonding configuration 3 Jumbo frame configuration 4 Other I/O high availability options 4
More informationA host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.
A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules. Firewalls can be categorized by their location on the network: A network-based
More information