Network Security - ISA 656 Firewalls & NATs



Similar documents
Firewalls 1 / 43. Firewalls

Network Security - ISA 656 Application Firewalls

FIREWALL AND NAT Lecture 7a

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Firewalls. Chapter 3

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

Distributed Systems. Firewalls: Defending the Network. Paul Krzyzanowski

Firewalls and System Protection

Network Security. Chapter 13. Internet Firewalls. Network Security (WS 07/08): 13 Internet Firewalls 1 Dr.-Ing G. Schäfer

Internet Ideal: Simple Network Model

Application Note. Stateful Firewall, IPS or IDS Load- Balancing

CSCI Firewalls and Packet Filtering

Firewalls, IDS and IPS

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

Network Security. Internet Firewalls. Chapter 13. Network Security (WS 2002): 13 Internet Firewalls 1 Dr.-Ing G. Schäfer

Security Technology: Firewalls and VPNs

Firewalls P+S Linux Router & Firewall 2013

Firewall Defaults and Some Basic Rules

Network Security - ISA 656 Intro to Firewalls

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Firewall Configuration. Firewall Configuration. Solution Firewall Principles

Chapter 15. Firewalls, IDS and IPS

CSCE 465 Computer & Network Security

Chapter 3 Security and Firewall Protection

How Your Computer Accesses the Internet through your Wi-Fi for Boats Router

Cryptography and network security

Cisco Configuring Commonly Used IP ACLs

Overview. Firewall Security. Perimeter Security Devices. Routers

INTRODUCTION TO FIREWALL SECURITY

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

Innominate mguard Version 6

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

IPv6 Firewalls. ITU/APNIC/MICT IPv6 Security Workshop 23 rd 27 th May 2016 Bangkok. Last updated 17 th May 2016

NAT & IP Masquerade. Internet NETWORK ADDRESS TRANSLATION INTRODUCTION. NAT & IP Masquerade Page 1 of 5. Internal PC

Firewall Tutorial. KAIST Dept. of EECS NC Lab.

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

Many network and firewall administrators consider the network firewall at the network edge as their primary defense against all network woes.

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

Firewalls. Pehr Söderman KTH-CSC

Application Firewalls

Polycom. RealPresence Ready Firewall Traversal Tips

Chapter 8 Network Security

allow all such packets? While outgoing communications request information from a

Solution of Exercise Sheet 5

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Technical Support Information

Chapter 8 Security Pt 2

ICS 351: Today's plan. IP addresses Network Address Translation Dynamic Host Configuration Protocol Small Office / Home Office configuration

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

1. Firewall Configuration

Firewalls. Network Security. Firewalls Defined. Firewalls

Chapter 11 Cloud Application Development

CS Computer and Network Security: Firewalls

Firewalls. Ahmad Almulhem March 10, 2012

How To Connect Xbox 360 Game Consoles to the Router by Ethernet cable (RJ45)?

+ iptables. packet filtering && firewall

A S B

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

The information in this document is based on these software and hardware versions:

About Firewall Protection

Stateful Firewalls. Hank and Foo

Firewall Firewall August, 2003

Linux Routers and Community Networks

Middleboxes. Firewalls. Internet Ideal: Simple Network Model. Internet Reality. Middleboxes. Firewalls. Globally unique idenpfiers

Internet Security Firewalls

CS Computer and Network Security: Firewalls

Lecture 23: Firewalls

Firewalls (IPTABLES)

Proxy Server, Network Address Translator, Firewall. Proxy Server

ECE 578 Term Paper Network Security through IP packet Filtering

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

Vanguard Applications Ware IP and LAN Feature Protocols. Firewall

FIREWALLS & CBAC. philip.heimer@hh.se

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

Firewall Design Principles

Packet filtering and other firewall functions

CS155 - Firewalls. Simon Cooper <sc@sgi.com> CS155 Firewalls 22 May 2003

Firewalls. configuring a sophisticated GNU/Linux firewall involves understanding

Content Distribution Networks (CDN)

- Introduction to Firewalls -

Classic IOS Firewall using CBACs Cisco and/or its affiliates. All rights reserved. 1

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Guardian Digital WebTool Firewall HOWTO. by Pete O Hara

CMPT 471 Networking II

Source-Connect Network Configuration Last updated May 2009

This Technical Support Note shows the different options available in the Firewall menu of the ADTRAN OS Web GUI.

Firewall implementation and testing

Introduction to Firewalls Open Source Security Tools for Information Technology Professionals

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

Firewalls. CS461/ECE422 Spring 2012

Network Security CS 192

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

Transcription:

Network Security - ISA 656 & NATs Angelos Stavrou Types of Schematic of a Conceptual Pieces Packet UDP Types of Packet Dynamic Packet Application Gateways Circuit Relays Personal /or Distributed Many firewalls are combinations of these types. September 3, 2007 2 / 37 Schematic of a Conceptual Pieces Types of Schematic of a Conceptual Pieces Packet UDP Inside Filter Gateway(s) Filter Outside Types of Schematic of a Conceptual Pieces Packet UDP An inside everyone on the inside is presumed to be a good guy An outside bad guys live there A DMZ (Demilitarized Zone) put necessary but potentially dangerous servers there DMZ 3 / 37 4 / 37

Packet Types of Schematic of a Conceptual Pieces Packet UDP Usually Router-based ( hence cheap). Individual packets are accepted or rejected; no context or connection information is used. Advanced filter rules are hard to set up; the primitives are often inadequate, different rules can interact. Packet filters a poor fit for ftp X11. Hard to manage access to dynamic services. Rule Set In-bound UDP We want to permit out-bound connections We have to permit reply packets For TCP, this can be done without state The very first packet of a TCP connection has just the SYN bit set All others have the ACK bit set Solution: allow in all packets with ACK turned on 5 / 37 6 / 37 Rule Set Rule Set In-bound UDP Action: - Permit (Pass) Allow the packet to proceed - Deny (Block) Discard the packet Direction: - Source (where the packet comes from) <IP Address, Port> or network - Destination (where the packet goes) <IP Address, Port> or network Protocol: - TCP - UDP Packet Flags: - ACK - SYN - RST - etc. 7 / 37 Rule Set In-bound UDP We want to block a spammer, but allow anyone else to send email to our mail server. block: allow: Source IP Address = spammer Source IP Address = any Source Port = any Destination IP Address = our-mail Destination Port = 25 8 / 37

Rule Set In-bound UDP We want to allow all TCP connection to mail servers. allow: Source IP Address = any Source Port = 25 Destination IP Address = any Destination Port = any We don t control port number selection on the remote host. Any remote process on port 25 can call in. Rule Set In-bound UDP allow: Permit outgoing calls. Source IP Address = any Source Port = 25 Destination IP Address = any Destination Port = any Flag (ACK) = Set 9 / 37 10 / 37 In-bound Rule Set In-bound Your company has decided that web browsing is not permitted for the employees. It is your task to create a filter that denies web browsing for all the machines inside the company. Assume that all the company IP addresses are known. Rule Set In-bound Outside DMZ UDP Outgoing packets to port 80, Web servers. UDP Inside If you filter out-bound packets to the DMZ link, you can t tell where they came from. 11 / 37 12 / 37

UDP UDP UDP UDP UDP UDP UDP has no notion of a connection. It is therefore impossible to distinguish a reply to a query which should be permitted from an intrusive packet. Address-spoofing is easy no connections At best, one can try to block known-dangerous ports. But that s a risky game. The safe solution is to permit UDP packets through to known-safe servers only. 13 / 37 14 / 37 UDP UDP Accepts queries on port 53 Block if hling internal queries only; allow if permitting external queries What about recursive queries? Bind local response socket to some other port; allow in-bound UDP packets to it Or put the DNS machine in the DMZ, run no other UDP services (Deeper issues with DNS semantics; stay tuned) UDP UDP Often see ICMP packets in response to TCP or UDP packets Important example: Path MTU response Must be allowed in or connectivity can break Simple packet filters can t match things up 15 / 37 16 / 37

UDP UDP services bind to rom port numbers There s no way to know in advance which to block which to permit Similar considerations apply to clients Systems using cannot be protected by simple packet filters UDP UDP Block a range of UDP ports. astavrou@ise:[~]>rpcinfo -p ise.gmu.edu program vers proto port service 100000 4 tcp 111 rpcbind 100000 2 udp 111 rpcbind 390113 1 tcp 7937 100005 1 udp 32800 mountd 100005 3 tcp 32776 mountd 100003 3 udp 2049 nfs 100227 2 udp 2049 nfs_acl 100003 2 tcp 2049 nfs 100227 2 tcp 2049 nfs_acl 100011 1 udp 36613 rquotad 100008 1 udp 36614 walld 100001 2 udp 36615 rstatd 17 / 37 The precise patterns are implementation-specific 18 / 37 UDP UDP FTP clients ( some other services) use secondary channels Again, these live on rom port numbers Simple packet filters cannot hle this Trying to create rules simple, packet-based rules will NOT work UDP UDP By default, FTP clients send a PORT comm to specify the address for an in-bound connection If the PASV comm is used instead, the data channel uses a separate out-bound connection If local policy permits arbitrary out-bound connections, this works well 19 / 37 20 / 37

UDP UDP Packet filters are not very useful as general-purpose firewalls However, they are very efficient can be applied even in high capacity links (why?) Several special situations where they re perfect Can be used to drop connections we don t want to reach the more expensive application-level firewall UDP UDP Internet Web Server Allow in ports 80 443. Block everything else. This is a Web server appliance it shouldn t do anything else! But it may have necessary internal services for site administration. 21 / 37 22 / 37 UDP UDP At the border router, block internal IP addresses from coming in from the outside Similarly, prevent address spoofing (fake IP addresses) from going out UDP UDP Outside Inside: 10.0.0.0/16 DMZ: 192.168.42.0/24 Mail DNS 23 / 37 24 / 37

UDP UDP Interface Action Addr Port Flags Outside Block src=10.0.0.0/16 Outside Block src=192.168.42.0/24 Outside Allow dst=mail 25 Outside Block dst=dns 53 Outside Allow dst=dns UDP Outside Allow Any ACK Outside Block Any DMZ Block src 192.168.42.0/24 DMZ Allow dst=10.0.0.0/16 ACK DMZ Block dst=10.0.0.0/16 DMZ Allow Any Inside Block src 10.0.0.0/16 Inside Allow dst=mail 993 Inside Allow dst=dns 53 Inside Block dst=192.168.42.0/24 Insde Allow Any UDP 25 / 37 26 / 37 UDP Most common type of packet filter Solves many but not all of the problems with simple packet filters Requires per-connection state in the firewall UDP When a packet is sent out, record that in memory Associate in-bound packet with state created by out-bound packet 27 / 37 28 / 37

UDP Can hle UDP query/response Can associate ICMP packets with connection Solves some of the in-bound/out-bound filtering issues but state tables still need to be associated with in-bound packets Still need to block against address-spoofing UDP Still have problems with secondary ports Still have problems with Still have problems with complex semantics (i.e., DNS) The amount of state we can keep is limited 29 / 37 30 / 37 UDP Translates source address ( sometimes port numbers) Primary purpose: coping with limited number of global IP addresses Sometimes marketed as a very strong firewall is it? It s not really stronger than a stateful packet filter UDP 31 / 37 32 / 37

UDP UDP 33 / 37 34 / 37 UDP UDP 35 / 37 36 / 37

UDP Filter Out-bound Create state table entry. In-bound Look up state table entry; drop if not present. NAT Out-bound Create state table entry. Translate address. In-bound Look up state table entry; drop if not present. Translate address. The lookup phase the decision to pass or drop the packet are identical; all that changes is whether or not addresses are translated. 37 / 37

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information