Packet Filtering


Packet Filtering

Packet filtering is a network security mechanism that works by controlling what data can flow to and from a network.

The basic device that interconnects IP networks is called a router. It may be a dedicated piece of hardware that has no other purpose, or it may be a piece of software that runs on a general-purpose computer running Unix, Windows NT, etc.

Packets traversing an internetwork (a network of networks) travel from router to router until they reach their destination. A router has to make a routing decision about each packet it receives; it has to decide how to send that packet on towards its ultimate destination.

Packet Filtering

A packet carries no information to help the router in its routing decision, other than the IP address of the packet's ultimate destination. Some unusual packets do contain routing information about how they are to reach their destination, using the source route IP option; these are called source-routed packets.

In determining how to forward a packet towards its destination, a normal router looks only at a normal packet's destination address and asks only "How can I forward this packet?" A packet filtering router also considers the question "Should I forward this packet?"

Packet Filtering Routers

The packet filtering router answers this question according to the security policy programmed into the router via the packet filtering rules.

You should be able to achieve anything you want to with packet filtering: all of the information that crosses the Internet has to go into a packet at some point! However, some things are very much easier to do than others.
- Operations requiring detailed protocol knowledge or prolonged tracking of past events are easier to do in proxy systems.
- Operations that are simple but need to be done fast and on individual packets are easier to do in packet filtering systems.

Packet Filtering Routers

The main advantage of packet filtering is leverage: it allows you to provide, in a single place, particular protections for an entire network.

E.g.: If you disallow Telnet by turning off the Telnet server on all your hosts, you still have to worry about someone installing a new machine (or reinstalling an old one) with the Telnet server turned on. However, if Telnet is not allowed by your filtering router, such a new machine would be protected right from the start, regardless of whether or not its Telnet server was actually running.

A router is a chokepoint for all traffic entering a network!

Packet Filtering Routers

Certain protections can be provided only by filtering routers, when they are deployed in particular locations in your network.

E.g.: Reject all external packets that have internal source addresses. Such packets are usually part of address-spoofing attacks. Decision-making of this kind can be done only in a filtering router at the perimeter of your network. Such a router can evaluate the source address and whether the packet came from the internal network connection or the external network connection.

Basic Packet Filtering

The most straightforward kind of packet filtering lets you control (allow or disallow) data transfer based on:
- The address the data is supposedly coming from
- The address the data is going to
- The session and application ports being used to transfer the data

Note, however, that basic packet filtering systems don't do anything based on the data itself; they don't make content-based decisions.

Basic Packet Filtering

Straightforward packet filtering will let you say, e.g.:
- Don't let anybody use the port used by Telnet (an application protocol) to log in from the outside. (TCP port 23)
- Let everybody send us data over the port used for electronic mail / SMTP (another application protocol). (TCP port 25)
- That machine can send us data over the port used by SMTP, but no other machines can do so.

Basic Packet Filtering

Straightforward packet filtering will NOT let you say, e.g.:
- This user can Telnet in from outside, but no other users can do so. ("User name" isn't something a basic packet filtering system can identify.)
- You can transfer these files but not those files. ("File" also isn't something a basic packet filtering system can identify.)
- Only allow people to send us electronic mail over the port used by SMTP. (A basic packet filtering system looks only at the port being used; it can't tell whether the data is good data that conforms to the protocol that's supposed to use that port, or whether somebody is using the port for some other purpose.)
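The rules above (anti-spoofing at the perimeter, no Telnet from outside, SMTP only from one designated host) can be written down as an ordered rule list that is matched purely on interface, addresses, protocol and port, with no look at the payload. The following is an added example written for this page, not code from the slides; the network 192.168.10.0/24, the relay address 203.0.113.5, the interface names "int"/"ext" and the traffic are all constructed, and the matching order (first match wins, default deny) is an assumption about policy.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example topology: "int" is the interface facing the internal
# network, "ext" faces the Internet. Addresses come from documentation ranges.
INTERNAL_NET = ip_network("192.168.10.0/24")
MAIL_RELAY = "203.0.113.5"   # the one outside host allowed to send us SMTP

ANY = "any"


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrived on: "int" or "ext"
    src: str      # source IP address (as claimed in the header)
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    iface: str    # interface the packet must have arrived on
    src: str      # exact address, CIDR network, or ANY
    proto: str    # "tcp", "udp", or ANY
    dport: object # port number or ANY
    action: str   # "pass" or "drop"


# Ordered policy: the first matching rule decides; unmatched packets get DEFAULT_ACTION.
RULES = [
    # Anti-spoofing: a packet arriving from the outside that claims an internal
    # source address cannot be legitimate, whatever port it is headed for.
    Rule("ext", str(INTERNAL_NET), ANY, ANY, "drop"),
    # Nobody outside may reach Telnet (TCP port 23).
    Rule("ext", ANY, "tcp", 23, "drop"),
    # Only the designated relay may deliver mail (TCP port 25); everyone else is refused.
    Rule("ext", MAIL_RELAY, "tcp", 25, "pass"),
    Rule("ext", ANY, "tcp", 25, "drop"),
    # Hosts on the inside may send anything out.
    Rule("int", ANY, ANY, ANY, "pass"),
]
DEFAULT_ACTION = "drop"   # default deny


def src_matches(pattern: str, src: str) -> bool:
    """Match a source address against ANY, a CIDR network, or a single address."""
    if pattern == ANY:
        return True
    if "/" in pattern:
        return ip_address(src) in ip_network(pattern)
    return ip_address(src) == ip_address(pattern)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.iface == pkt.iface
            and src_matches(rule.src, pkt.src)
            and rule.proto in (ANY, pkt.proto)
            and rule.dport in (ANY, pkt.dport))


def filter_packet(pkt: Packet) -> tuple:
    """Return (action, index of the rule that matched, or None for the default)."""
    for i, rule in enumerate(RULES):
        if rule_matches(rule, pkt):
            return rule.action, i
    return DEFAULT_ACTION, None


SAMPLE_PACKETS = [   # constructed traffic, one packet per case discussed in the slides
    Packet("ext", "198.51.100.7",  "192.168.10.20", "tcp", 23),  # Telnet attempt from outside
    Packet("ext", MAIL_RELAY,      "192.168.10.25", "tcp", 25),  # mail from the relay
    Packet("ext", "198.51.100.7",  "192.168.10.25", "tcp", 25),  # mail from any other host
    Packet("ext", "192.168.10.3",  "192.168.10.25", "tcp", 25),  # internal source seen on the outside
    Packet("int", "192.168.10.20", "198.51.100.7",  "tcp", 80),  # inside host browsing out
]


def run(packets=SAMPLE_PACKETS) -> list:
    """Apply the policy to each packet and return the list of actions."""
    return [filter_packet(p)[0] for p in packets]


if __name__ == "__main__":
    for pkt, action in zip(SAMPLE_PACKETS, run()):
        print(f"{action:5} {pkt.iface} {pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto}")
```

Note that the spoofed packet (internal source on the external interface) is caught by the first rule even though its destination port would otherwise be allowed, which is why that rule sits at the top of the list and why it can only be evaluated on a router that knows which interface a packet came in on.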

Advanced Packet Filtering

More advanced packet filtering systems will let you look further into the data of a packet. Instead of basing decisions only on packet header data, they also understand the data structures used by higher-level protocols, so they can make more detailed decisions.

Stateful or Dynamic Packet Filtering

More advanced packet filtering systems offer state tracking and/or protocol checking for some well-known protocols. State tracking allows you to make rules like the following:
- Let incoming UDP packets through only if they are responses to outgoing UDP packets you have seen.
- Accept TCP packets with SYN set only as part of TCP connection initiation.

It is stateful packet filtering because the packet filter has to keep track of the state of transactions. It is also dynamic packet filtering because the behaviour of the system changes depending on the traffic it sees.

State Tracking

State tracking provides the ability to do things that you can't do otherwise, but it adds complications. E.g. the router has to keep track of state:
- This increases the load on the router.
- It opens the router to a number of denial of service attacks.
- If the router reboots, packets may be denied when they should have been accepted.
- Also, if a packet may go through redundant routers, they all need to have the same state information. Not trivial!

State Tracking

Another issue is that the router has to keep track of state without any guarantee that there's ever going to be a response packet. (Not all UDP packets have responses.) At some point, the router's going to have to give up and get rid of the rule that will allow the response.
- If the router gives up early, packets that should have been accepted are denied: delays and unneeded network traffic.
- If the router keeps the rule too long, the load on the router will be unnecessarily high. Also, there's an increased chance that packets will be accepted when they should have been denied.
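The two state-tracking rules from the previous slides (UDP replies only to requests already seen; SYN accepted only as connection initiation) and the timeout trade-off just described can be made concrete with a small state table. This is an added example for this page, not code from the slides; the class name, the "one reply per request" policy, the policy that connections may only be opened from the inside, and the addresses used in the scenarios are all assumptions. Time is passed in explicitly so the effect of an early or late timeout can be observed deterministically.

```python
class StatefulFilter:
    """A minimal state-tracking packet filter for an inside/outside boundary.

    UDP: an outgoing datagram creates a time-limited expectation for exactly one
    reply from the peer it was sent to. TCP: a connection may be opened only from
    the inside; a SYN is accepted from outside only as the SYN/ACK answering a SYN
    we forwarded, and never on a connection that is already tracked.
    """

    def __init__(self, udp_timeout: float):
        self.udp_timeout = udp_timeout
        # expected reply, keyed by (ext_ip, ext_port, int_ip, int_port) -> expiry time
        self.udp_expected = {}
        # inside-initiated TCP connections, keyed by (int_ip, int_port, ext_ip, ext_port)
        self.tcp = {}
        self.dropped_bad_syn = 0   # SYNs refused because they were not connection initiation

    def _expire(self, now: float) -> None:
        """Forget UDP expectations whose timer has run out (the 'give up' point)."""
        for key in [k for k, expiry in self.udp_expected.items() if expiry <= now]:
            del self.udp_expected[key]

    # ---- UDP: let replies in only for requests we have seen ----
    def udp_out(self, src, sport, dst, dport, now: float) -> str:
        self._expire(now)
        self.udp_expected[(dst, dport, src, sport)] = now + self.udp_timeout
        return "pass"

    def udp_in(self, src, sport, dst, dport, now: float) -> str:
        self._expire(now)
        key = (src, sport, dst, dport)
        if key in self.udp_expected:
            del self.udp_expected[key]     # one reply per request; a second copy is refused
            return "pass"
        return "drop"

    # ---- TCP: SYN is acceptable only as part of connection initiation ----
    def tcp_out(self, src, sport, dst, dport, flags) -> str:
        key = (src, sport, dst, dport)
        if "SYN" in flags and "ACK" not in flags:
            self.tcp[key] = "syn_sent"     # inside host opens a connection
            return "pass"
        if key in self.tcp:
            if "FIN" in flags or "RST" in flags:
                del self.tcp[key]
            return "pass"
        return "drop"

    def tcp_in(self, src, sport, dst, dport, flags) -> str:
        key = (dst, dport, src, sport)     # flip to the inside-initiated orientation
        state = self.tcp.get(key)
        if "SYN" in flags:
            if "ACK" in flags and state == "syn_sent":
                self.tcp[key] = "established"
                return "pass"
            self.dropped_bad_syn += 1      # unsolicited SYN, or SYN on a live connection
            return "drop"
        if state is None:
            return "drop"                  # packet for a connection we never saw opened
        if "FIN" in flags or "RST" in flags:
            del self.tcp[key]
        return "pass"


def dns_reply_outcome(udp_timeout: float, reply_delay: float) -> str:
    """Constructed scenario: inside host 192.168.10.20 queries a resolver at
    198.51.100.53 and the reply arrives reply_delay seconds later. A timeout
    shorter than the delay is the 'gives up early' case from the slides."""
    f = StatefulFilter(udp_timeout)
    f.udp_out("192.168.10.20", 40000, "198.51.100.53", 53, now=0.0)
    return f.udp_in("198.51.100.53", 53, "192.168.10.20", 40000, now=reply_delay)


def tcp_handshake_outcomes() -> list:
    """Constructed scenario covering the SYN rule; returns the per-packet decisions."""
    f = StatefulFilter(30.0)
    inside, outside = "192.168.10.20", "198.51.100.7"
    return [
        f.tcp_in(outside, 4444, inside, 22, {"SYN"}),            # unsolicited inbound SYN
        f.tcp_out(inside, 50000, outside, 80, {"SYN"}),          # inside opens a connection
        f.tcp_in(outside, 80, inside, 50000, {"SYN", "ACK"}),    # matching SYN/ACK
        f.tcp_in(outside, 80, inside, 50000, {"SYN"}),           # SYN on a live connection
        f.tcp_in(outside, 80, inside, 50000, {"ACK"}),           # ordinary data segment
    ]


if __name__ == "__main__":
    print("reply within timeout:", dns_reply_outcome(30.0, 0.2))
    print("reply after timeout: ", dns_reply_outcome(0.1, 0.2))
    print("TCP handshake:", tcp_handshake_outcomes())
```

The UDP table is the load the slides warn about: every outgoing datagram costs an entry until its timer expires, so a long timeout keeps the table large and a short one turns slow but legitimate replies into drops. The lookup is also purely by the 4-tuple of addresses and ports, which is exactly why the next slide notes that a reply with a forged source address is indistinguishable from the real one to this kind of filter.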

State Tracking

State tracking filtering is also vulnerable to address forging. State tracking may validate that packets are responses based on their source addresses, so an attacker who intercepts an outgoing packet can forge the appropriate source address and return an acceptable "reply" (or, depending on the implementation, a whole bunch of packets, all of which will be accepted as replies).

Nonetheless, state tracking filters provide a reasonable degree of security for some UDP-based protocols that would otherwise be extremely difficult to protect.

Protocol Checking

Allows the administrator to form rules like: Let in packets bound for the DNS port, but only if they are formatted like DNS packets. It can also help avoid some attacks that involve sending misformatted packets to perfectly genuine servers.

These packet filters have to have a deep understanding of the application protocol. In general, they can provide this level of control only for popular, well-defined protocols. There is a significant cost to provide it, since they have to access larger amounts of data. It is still, however, possible to circumvent this type of control. (E.g.: I can get material off a web site without using HTTP at all.)
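The DNS rule on the protocol-checking slide ("let in packets bound for the DNS port, but only if they are formatted like DNS packets") shows what this kind of filter actually has to do: parse the payload far enough to decide whether it is a plausible query. The check below is an added example written for this page, not code from the slides; it applies only the DNS header and question-section layout of RFC 1035, and the sample payloads are constructed. It is deliberately a sanity check rather than a full parser, which is the point the slide makes about cost: even this much requires reading well past the IP and UDP headers.

```python
import struct

# DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (all 16-bit, network order)
DNS_HEADER = struct.Struct("!HHHHHH")


def _skip_name(buf: bytes, pos: int):
    """Walk a sequence of DNS labels; return the offset just past the terminating
    zero byte, or None if the name is malformed."""
    while True:
        if pos >= len(buf):
            return None                     # ran off the end before the terminator
        length = buf[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0:
            return None                     # compression pointers do not belong in a query name
        if length > 63 or pos + 1 + length > len(buf):
            return None                     # label too long or truncated
        pos += 1 + length


def looks_like_dns_query(payload: bytes) -> tuple:
    """Return (ok, reason) for a UDP payload bound for port 53.

    Accepts only what a client query should look like: a 12-byte header with
    QR=0 (query) and the standard opcode, at least one question and no answer or
    authority records, and each question made of well-formed labels followed by
    QTYPE and QCLASS.
    """
    if len(payload) < DNS_HEADER.size:
        return False, "short header"
    _id, flags, qdcount, ancount, nscount, _arcount = DNS_HEADER.unpack_from(payload)
    if flags & 0x8000:
        return False, "QR bit set: this is a response, not a query"
    if (flags >> 11) & 0xF != 0:
        return False, "non-standard opcode"
    if qdcount == 0:
        return False, "no question section"
    if ancount or nscount:
        return False, "answer/authority records in a query"
    pos = DNS_HEADER.size
    for _ in range(qdcount):
        pos = _skip_name(payload, pos)
        if pos is None:
            return False, "malformed question name"
        if pos + 4 > len(payload):
            return False, "truncated QTYPE/QCLASS"
        pos += 4
    return True, "ok"


def decide_port53(payload: bytes) -> str:
    """The filter rule itself: pass a packet for the DNS port only if it checks out."""
    ok, _reason = looks_like_dns_query(payload)
    return "pass" if ok else "drop"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Construct a sample standard query (RD set) for the examples; not a client."""
    labels = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return DNS_HEADER.pack(0x1234, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)


# Constructed sample payloads, all addressed to UDP port 53.
SAMPLES = {
    "real query":       build_query("example.com"),
    "http on port 53":  b"GET / HTTP/1.0\r\n\r\n",
    "response, not query": DNS_HEADER.pack(0x1234, 0x8180, 1, 1, 0, 0) + b"\x00" + struct.pack("!HH", 1, 1),
    "truncated":        build_query("example.com")[:-3],
    "pointer in name":  DNS_HEADER.pack(0x1234, 0x0100, 1, 0, 0, 0) + b"\xc0\x0c" + struct.pack("!HH", 1, 1),
}


if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(f"{label:22} {decide_port53(payload):5} {looks_like_dns_query(payload)[1]}")
```

As the slide says, this control is only worth building for a popular, precisely specified protocol, and it does not prevent someone from moving non-DNS data over port 53 in packets that do pass the check; it removes the grossly malformed and the obviously foreign traffic, which is still valuable in front of a real server.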

What Should the Router Do with Packets?

At a basic level it has two choices:
(1) Pass the packet (like a normal router).
(2) Drop the packet (if it fails to meet filtering criteria).

Logging Actions

Regardless of whether the packet is forwarded or dropped, you might want the router to log the action that has been taken, particularly if you drop the packet because it fails your packet filtering rules. You may like to know what has been tried that isn't allowed.

Packet Filtering: Logging

It is probably inefficient to log all packets. Most packet filtering takes place on dedicated routers, which rarely have significant hard disk space to dedicate to log files. For example, log start-of-connection TCP packets, so that you can keep track of incoming and outgoing TCP connections.
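The logging policy on the last two slides (record what was dropped, and record TCP connection starts rather than every packet) amounts to a predicate over each filtering decision plus a bound on how much is kept. The code below is an added example for this page, not from the slides; the record layout, the log line format, the fixed-capacity buffer and the sample traffic are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Decision:
    """One filtering decision as the router might hand it to its logger."""
    ts: float
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags; empty for UDP
    action: str = "pass"             # "pass" or "drop"


def is_start_of_connection(d: Decision) -> bool:
    """A TCP segment with SYN and without ACK opens a connection."""
    return d.proto == "tcp" and "SYN" in d.flags and "ACK" not in d.flags


def should_log(d: Decision) -> bool:
    """Log every drop (what was tried that isn't allowed) and every TCP connection
    start (one line per connection, not one per packet). Everything else is skipped."""
    return d.action == "drop" or is_start_of_connection(d)


def format_log(d: Decision) -> str:
    flags = "/".join(sorted(d.flags)) if d.flags else "-"
    return (f"{d.ts:.3f} {d.action.upper()} {d.iface} {d.proto} "
            f"{d.src}:{d.sport} -> {d.dst}:{d.dport} flags={flags}")


class BoundedLog:
    """Keeps at most `capacity` lines (disk on a filtering router is scarce) but
    counts every decision, so totals survive even when lines are discarded."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.lines = []
        self.discarded = 0          # loggable events that did not fit
        self.counts = Counter()     # (action, proto, dport) -> number of packets

    def record(self, d: Decision) -> bool:
        """Return True if a line was written for this decision."""
        self.counts[(d.action, d.proto, d.dport)] += 1
        if not should_log(d):
            return False
        if len(self.lines) >= self.capacity:
            self.discarded += 1
            return False
        self.lines.append(format_log(d))
        return True


# Constructed sample: one outbound HTTP connection (four packets) and two refused probes.
SAMPLE = [
    Decision(1.0, "int", "tcp", "192.168.10.20", 50000, "198.51.100.7", 80, frozenset({"SYN"})),
    Decision(1.1, "ext", "tcp", "198.51.100.7", 80, "192.168.10.20", 50000, frozenset({"ACK", "SYN"})),
    Decision(1.2, "int", "tcp", "192.168.10.20", 50000, "198.51.100.7", 80, frozenset({"ACK"})),
    Decision(1.3, "ext", "tcp", "198.51.100.7", 80, "192.168.10.20", 50000, frozenset({"ACK", "PSH"})),
    Decision(2.0, "ext", "tcp", "198.51.100.9", 4444, "192.168.10.20", 23, frozenset({"SYN"}), "drop"),
    Decision(2.5, "ext", "udp", "198.51.100.9", 4444, "192.168.10.20", 161, frozenset(), "drop"),
]


def run(decisions=SAMPLE, capacity: int = 100) -> BoundedLog:
    log = BoundedLog(capacity)
    for d in decisions:
        log.record(d)
    return log


if __name__ == "__main__":
    log = run()
    print("\n".join(log.lines))
    print("packets seen:", sum(log.counts.values()), "lines written:", len(log.lines))
```

Six packets produce three log lines: the connection start from the inside host, the refused Telnet probe and the refused UDP datagram. The three other segments of the HTTP connection are counted but never written, which is the saving the slide is after.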