Middleboxes NAT and Firewall

Similar documents
Internet Ideal: Simple Network Model

Middleboxes. Firewalls. Internet Ideal: Simple Network Model. Internet Reality. Middleboxes. Firewalls. Globally unique idenpfiers

Firewalls P+S Linux Router & Firewall 2013

FIREWALL AND NAT Lecture 7a

1. Firewall Configuration

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Chapter 8 Security Pt 2

CS 457 Lecture 19 Global Internet - BGP. Fall 2011

Компјутерски Мрежи NAT & ICMP

A S B

INTRODUCTION TO FIREWALL SECURITY

- Introduction to Firewalls -

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Firewalls. Chapter 3

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

IP addressing. Interface: Connection between host, router and physical link. IP address: 32-bit identifier for host, router interface

CMPT 471 Networking II

Firewall Firewall August, 2003

Chapter 11 Cloud Application Development

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

IP addressing and forwarding Network layer

Names & Addresses. Names & Addresses. Hop-by-Hop Packet Forwarding. Longest-Prefix-Match Forwarding. Longest-Prefix-Match Forwarding

Distributed Systems. Firewalls: Defending the Network. Paul Krzyzanowski

Firewalls and System Protection

CS5008: Internet Computing

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Solution of Exercise Sheet 5

Polycom. RealPresence Ready Firewall Traversal Tips

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Firewalls. configuring a sophisticated GNU/Linux firewall involves understanding

About Firewall Protection

Cryptography and network security

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

enetworks TM IP Quality of Service B.1 Overview of IP Prioritization

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Network Address Translation (NAT)

co Characterizing and Tracing Packet Floods Using Cisco R

Network Security. Internet Firewalls. Chapter 13. Network Security (WS 2002): 13 Internet Firewalls 1 Dr.-Ing G. Schäfer

VLAN und MPLS, Firewall und NAT,

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

Source-Connect Network Configuration Last updated May 2009

Linux MDS Firewall Supplement

ICS 351: Today's plan. IP addresses Network Address Translation Dynamic Host Configuration Protocol Small Office / Home Office configuration

Firewalls 1 / 43. Firewalls

Introduction to Firewalls Open Source Security Tools for Information Technology Professionals

Internet Control Protocols Reading: Chapter 3

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Chapter 8 Network Security

Lecture 2-ter. 2. A communication example Managing a HTTP v1.0 connection. G.Bianchi, G.Neglia, V.Mancuso

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Firewall Tutorial. KAIST Dept. of EECS NC Lab.

Network layer" 1DT066! Distributed Information Systems!! Chapter 4" Network Layer!! goals: "

21.4 Network Address Translation (NAT) NAT concept

Network Security TCP/IP Refresher

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

How To Understand The Power Of The Internet

Network Security - ISA 656 Firewalls & NATs

Chapter 4 Firewall Protection and Content Filtering

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

MINIMUM NETWORK REQUIREMENTS 1. REQUIREMENTS SUMMARY... 1

Digi Connect WAN Application Helper NAT, GRE, ESP and TCP/UPD Forwarding and IP Filtering

IP Subnetting and Addressing

PowerLink Bandwidth Aggregation Redundant WAN Link and VPN Fail-Over Solutions

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

Edge Configuration Series Reporting Overview

Proxy Server, Network Address Translator, Firewall. Proxy Server

Firewall Implementation

Network Address Translation (NAT) Adapted from Tannenbaum s Computer Network Ch.5.6; computer.howstuffworks.com/nat1.htm; Comer s TCP/IP vol.1 Ch.

Configuring Allied Telesyn Equipment to Counter Nimda Attacks

CS155 - Firewalls. Simon Cooper <sc@sgi.com> CS155 Firewalls 22 May 2003

Seminar Computer Security

1:1 NAT in ZeroShell. Requirements. Overview. Network Setup

Lecture 23: Firewalls

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

How To Understand The Purpose Of A Sip Aware Firewall/Alg (Sip) With An Alg (Sip) And An Algen (S Ip) (Alg) (Siph) (Network) (Ip) (Lib

Protecting and controlling Virtual LANs by Linux router-firewall

Chapter 4 Firewall Protection and Content Filtering

CSE543 - Computer and Network Security Module: Firewalls

Many network and firewall administrators consider the network firewall at the network edge as their primary defense against all network woes.

20. Switched Local Area Networks

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

NAT and Firewall Traversal with STUN / TURN / ICE

Outline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg

BroadCloud PBX Customer Minimum Requirements

Network Security in Practice

1. The Web: HTTP; file transfer: FTP; remote login: Telnet; Network News: NNTP; SMTP.

Firewalls. Network Security. Firewalls Defined. Firewalls

NAT & IP Masquerade. Internet NETWORK ADDRESS TRANSLATION INTRODUCTION. NAT & IP Masquerade Page 1 of 5. Internal PC

Content Distribution Networks (CDN)

Datagram-based network layer: forwarding; routing. Additional function of VCbased network layer: call setup.

Dissertation Title: SOCKS5-based Firewall Support For UDP-based Application. Author: Fung, King Pong

AS/400e. TCP/IP routing and workload balancing

UIP1868P User Interface Guide

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

10 Configuring Packet Filtering and Routing Rules

Linux Network Security

Project 3, Fall 2001 Stateful Functionality in IP Layer Out: Thursday, November 1, 2001 Due: Tuesday, December 4, 2001

Transcription:

CE443 Computer Networks Middleboxes NAT and Firewall Behnam Momeni Computer Engineering Department Sharif University of Technology Acknowledgments: Lecture slides are from Computer networks course thought by Jennifer Rexford at Princeton University. When slides are obtained from other sources, a reference will be noted on the bottom of that slide. A full list of references is provided on the last slide.

Network Address Translation 7

History of NATs IP address space depletion Clear in early 90s that 2 32 addresses not enough Work began on a successor to IPv4 In the meantime Share addresses among numerous devices without requiring changes to existing hosts Meant to provide temporary relief Intended as a short-term remedy Now, NAT are very widely deployed much more so than IPv6 8

Active Component in the Data Path NAT outside inside 9

IP Header Translators Local network addresses not globally unique E.g., private IP addresses (in 10.0.0.0/8) NAT box rewrites the IP addresses Make the inside look like a single IP address and change header checksums accordingly Outbound traffic: from inside to outside Rewrite the source IP address Inbound traffic: from outside to inside Rewrite the destination IP address 10

Using a Single Source Address 10.0.0.1 138.76.29.7 NAT outside 10.0.0.2 inside 11

What if Both Hosts Contact Same Site? Suppose hosts contact the same destination E.g., both hosts open a socket with local port 3345 to destination 128.119.40.186 on port 80 NAT gives packets same source address All packets have source address 138.76.29.7 Problems Can destination differentiate between senders? Can return traffic get back to the correct hosts? 12

Port-Translating NAT Map outgoing packets Replace source address with NAT address Replace source port number with a new port number Remote hosts respond using (NAT address, new port #) Maintain a translation table Store map of (source address, port #) to (NAT address, new port #) Map incoming packets Consult the translation table Map the destination address and port number Local host receives the incoming packet 13

Network Address Translation Example 2: NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table 2 NAT translation table WAN side addr LAN side addr 138.76.29.7, 5001 10.0.0.1, 3345 S: 138.76.29.7, 5001 D: 128.119.40.186, 80 10.0.0.4 S: 10.0.0.1, 3345 D: 128.119.40.186, 80 1 1: host 10.0.0.1 sends datagram to 128.119.40.186, 80 10.0.0.1 10.0.0.2 138.76.29.7 S: 128.119.40.186, 80 D: 138.76.29.7, 5001 3 3: Reply arrives dest. address: 138.76.29.7, 5001 S: 128.119.40.186, 80 D: 10.0.0.1, 3345 4 10.0.0.3 4: NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345 14

Maintaining the Mapping Table Create an entry upon seeing a packet Packet with new (source addr, source port) pair Eventually, need to delete the map entry But when to remove the binding? If no packets arrive within a time window then delete the mapping to free up the port #s At risk of disrupting a temporarily idle connection Yet another example of soft state I.e., removing state if not refreshed for a while 15

Where is NAT Implemented? Home router (e.g., Linksys box) Integrates router, DHCP server, NAT, etc. Use single IP address from the service provider and have a bunch of hosts hiding behind it Campus or corporate network NAT at the connection to the Internet Share a collection of public IP addresses Avoid complexity of renumbering end hosts and local routers when changing service providers 16

Practical Objections Against NAT Port #s are meant to identify sockets Yet, NAT uses them to identify end hosts Makes it hard to run a server behind a NAT 10.0.0.1 138.76.29.7 NAT Requests to 138.76.29.7 on port 80 10.0.0.2 Which host should get the request??? 17

Running Servers Behind NATs Running servers is still possible Admittedly with a bit more difficulty By explicit configuration of the NAT box E.g., internal service at <dst 138.76.29.7, dst-port 80> mapped to <dst 10.0.0.1, dst-port 80> More challenging for P2P applications Especially if both peers are behind NAT boxes Though solutions are possible here as well Existing work-arounds (e.g., in Skype) Ongoing work on NAT traversal techniques 18

Principled Objections Against NAT Routers are not supposed to look at port #s Network layer should care only about IP header and not be looking at the port numbers at all NAT violates the end-to-end argument Network nodes should not modify the packets IPv6 is a cleaner solution Better to migrate than to limp along with a hack Thatʼs what you get when you design a network that puts power in the hands of end users! 19

Firewalls 20

Firewalls Isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others. administered network public Internet firewall 21

Internet Attacks: Denial of Service Denial-of-service attacks Outsider overwhelms the host with unsolicited traffic with the goal of preventing any useful work Example: attacks by botnets Bad guys take over a large collection of hosts and program these hosts to send traffic to your host Leading to excessive traffic Motivations for denial-of-service attacks Malice (e.g., just to be mean) Revenge (e.g., for some past perceived injustice) Greed (e.g., blackmailing) 22

Internet Attacks: Break-Ins Breaking in to a host Outsider exploits a vulnerability in the end host with the goal of changing the behavior of the host Example Bad guys know a Web server has a buffer-overflow bug and, say, send an HTTP request with a long URL Allowing them to run their own code Motivations for break-ins Take over the machine to launch other attacks Steal information stored on the machine Modify/replace the content the site normally returns 23

Packet Filtering Should arriving packet be allowed in? Departing packet let out? Internal network connected to Internet via firewall Firewall filters packet-by-packet, based on: Source IP address, destination IP address TCP/UDP source and destination port numbers TCP SYN and ACK bits 24

Packet Filtering Examples Block all packets with IP protocol field = 17 and with either source or dest port = 23. All incoming and outgoing UDP flows blocked All Telnet connections are blocked Block inbound TCP packets with SYN but no ACK Prevents external clients from making TCP connections with internal clients But allows internal clients to connect to outside Block all packets with TCP port of Doom3 25

Firewall Configuration Firewall applies a set of rules to each packet To decide whether to permit or deny the packet Each rule is a test on the packet Comparing IP and TCP/UDP header fields and deciding whether to permit or deny Order matters Once the packet matches a rule, the decision is done 26

Firewall Configuration Example Alice runs a network in 222.22.0.0/16 Wants to let Bob s school access certain hosts Bob is on 111.11.0.0/16 Alice s special hosts on 222.22.22.0/24 Alice doesn t trust Trudy, inside Bob s network Trudy is on 111.11.11.0/24 Alice doesn t want any other traffic from Internet Rules #1: Don t let Trudy s machines in Deny (src = 111.11.11.0/24, dst = 222.22.22.0/24) #2: Let rest of Bob s network in to special dsts Permit (src=111.11.0.0/16, dst = 222.22.22.0/24) #3: Block the rest of the world Deny (src = 0.0.0.0/0, dst = 0.0.0.0/0) 27

A Variation: Traffic Management Permit vs. deny is too binary a decision Maybe better to classify the traffic based on rules and then handle the classes of traffic differently Traffic shaping (rate limiting) Limit the amount of bandwidth for certain traffic E.g., rate limit on Web or P2P traffic Separate queues Use rules to group related packets And then do round-robin scheduling across the groups E.g., separate queue for each internal IP address 28

Firewall Implementation Challenges Per-packet handling Must inspect every packet Challenging on very high-speed links Complex filtering rules May have large # of rules May have very complicated rules Location of firewalls Complex firewalls near the edge, at low speed Simpler firewalls in the core, at higher speed 29

Clever Users Subvert Firewalls Example: filtering outside access to a server Firewall rule based on source IP addresses and the server IP address and port number Problem: users may log in to another machine in Sharif E.g., connect from outside to another host in Sharif and then onward to the blocked server Example: filtering P2P based on port #s Firewall rule based on TCP/UDP port numbers E.g., allow only port 80 (e.g., Web) traffic Problem: software using non-traditional ports E.g., write P2P client to use port 80 instead 30

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information