Firewalls. Firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others /16.

Similar documents
Firewalls. Ahmad Almulhem March 10, 2012

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Firewalls P+S Linux Router & Firewall 2013

Chapter 8 Security Pt 2

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

CIT 480: Securing Computer Systems. Firewalls

Introduction to Firewalls

Proxy Server, Network Address Translator, Firewall. Proxy Server

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

CIT 480: Securing Computer Systems. Firewalls

21.4 Network Address Translation (NAT) NAT concept

Chapter 8 Network Security

Chapter 7. Firewalls

Firewalls. Chien-Chung Shen

Firewalls. configuring a sophisticated GNU/Linux firewall involves understanding

Protecting and controlling Virtual LANs by Linux router-firewall

Introduction TELE 301. Routers. Firewalls

FIREWALL AND NAT Lecture 7a

Firewalls (IPTABLES)

Linux firewall. Need of firewall Single connection between network Allows restricted traffic between networks Denies un authorized users

CSCE 465 Computer & Network Security

Content Distribution Networks (CDN)

Firewall Tutorial. KAIST Dept. of EECS NC Lab.

Stateful Firewalls. Hank and Foo

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

IPv6 Firewalls. ITU/APNIC/MICT IPv6 Security Workshop 23 rd 27 th May 2016 Bangkok. Last updated 17 th May 2016

Network Security - ISA 656 Firewalls & NATs

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Implementing Secure Converged Wide Area Networks (ISCW)

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Security Technology: Firewalls and VPNs

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

Cisco Configuring Commonly Used IP ACLs

CMPT 471 Networking II

VLAN und MPLS, Firewall und NAT,

Firewalls. Pehr Söderman KTH-CSC

- Introduction to Firewalls -

Definition of firewall

CS Computer and Network Security: Firewalls

Internet Security Firewalls

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

INTRODUCTION TO FIREWALL SECURITY

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Linux Network Security

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Internet Ideal: Simple Network Model

CS Computer and Network Security: Firewalls

CSCI Firewalls and Packet Filtering

CS5008: Internet Computing

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Internet Security Firewalls

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Strategies to Protect Against Distributed Denial of Service (DD

Firewalls 1 / 43. Firewalls

Track 2 Workshop PacNOG 7 American Samoa. Firewalling and NAT

Firewalls and System Protection

CSE543 - Computer and Network Security Module: Firewalls

Introduction to Firewalls Open Source Security Tools for Information Technology Professionals

CSC574 - Computer and Network Security Module: Firewalls

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Networking Basics and Network Security

FIREWALLS & CBAC. philip.heimer@hh.se

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

COSC4377. Chapter 8 roadmap

Firewalls. Chapter 3

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

Network Security Management

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks

Chapter 6: Network Access Control

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

Firewall Configuration. Firewall Configuration. Solution Firewall Principles

co Characterizing and Tracing Packet Floods Using Cisco R

Firewalls, IDS and IPS

Firewall implementation and testing

Topics NS HS12 2 CINS/F1-01

Distributed Systems. Firewalls: Defending the Network. Paul Krzyzanowski

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

NAT & IP Masquerade. Internet NETWORK ADDRESS TRANSLATION INTRODUCTION. NAT & IP Masquerade Page 1 of 5. Internal PC

DDoS Protection Technology White Paper

Lecture Objectives. Lecture 6 Mobile Networks: Nomadic Services, DHCP, NAT, and VPNs. Agenda. Nomadic Services. Agenda. Nomadic Services Functions

VPN. Date: 4/15/2004 By: Heena Patel

About Firewall Protection

Smart Tips. Enabling WAN Load Balancing. Key Features. Network Diagram. Overview. Featured Products. WAN Failover. Enabling WAN Load Balancing Page 1

A S B

CIS 433/533 - Computer and Network Security Firewalls

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

Intranet, Extranet, Firewall

Firewalls, NAT and Intrusion Detection and Prevention Systems (IDS)

+ iptables. packet filtering && firewall

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Introduction of Intrusion Detection Systems

Transcription:

Firewalls and NAT 1

Firewalls By conventional definition, a firewall is a partition made of fireproof material designed to prevent the spread of fire from one part of a building to another. Firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others. privately administered 222.22/16 Internet 2

Firewalls: Goals All traffic from outside to inside and vice-versa passes through the firewall Only authorized traffic, as defined by local security policy, will be allowed to pass Firewall itself is immune to penetration 3

Firewalls: Taxonomy 1. Traditional packet filters Filters often combined with router, creating a firewall 2. Stateful filters 3. Application gateways Major firewall vendors: Checkpoint Cisco PIX 4

Firewall Firewall == system that filters TCP/IP UDP/IP packets according to rules Either software on user machine or network router Rules

Firewall (Global IP addresses) router Rules 6

Traditional packet filters Analyzes each datagram going through it; makes drop decision based on: Source IP address Destination IP address Source port Destination port TCP flag bits SYN bit set: datagram for connection initiation ACK bit set: part of established connection TCP or UDP or ICMP Firewalls often configured to block all UDP Direction Is datagram leaving or entering internal network? Router interface Decisions can be different for different interfaces 7

Filtering rules examples Policy No outside Web access. Outside connections to public Web server only. Prevent Web-radios from eating up the available bandwidth. Prevent your network from being used for a Smuft DoS attack. Prevent your network from being tracerouted Firewall Setting Drop all outgoing packets to any IP address, port 80 Drop all incoming TCP SYN packets to any IP except 130.207.244.203, port 80 Drop all incoming UDP packets - except DNS and router broadcasts. Drop all ICMP packets going to a broadcast address (e.g. 130.207.255.255). Drop all outgoing ICMP unreachables 8

Access control lists Apply rules from top to bottom: action source address dest address proto source port dest port flag bit allow 222.22/16 outside of 222.22/16 TCP > 1023 80 any allow outside of 222.22/16 222.22/16 TCP 80 > 1023 ACK allow 222.22/16 outside of 222.22/16 UDP > 1023 53 --- allow outside of 222.22/16 222.22/16 UDP 53 > 1023 ---- deny all all all all all all 9

Access control lists (2.) Each router/firewall interface can have its own ACL Most firewall vendors provide both command-line and graphical configuration interface 10

Traditional packet filters Advantages One screening router can protect entire network Can be efficient if filtering rules are kept simple Widely available. Almost any router, even Linux boxes Disadvantages Can be penetrated Cannot enforce some policies. For example, permit certain users. Rules can get complicated and difficult to test 11

Network or host firewall Network firewall: Internet Network firewall protected network Host firewall: Internet host with firewall 12

Example: Iptables chain types Internet Linux host w/ iptables protected network INPUT chain (to iptables host) Internet Linux host w/ iptables protected network OUTPUT chain (from iptables host) Internet Linux host w/ iptables protected network FORWARD chain 13

Iptables: Example command iptables A INPUT i eth0 s 232.16.4.0/24 j ACCEPT Sets a rule Accepts packets that enter from interface eth0 with source address in 232.16.4/24 Kernel applies rules in order First matching rule determines action for packet Append: -A Adds rule to bottom of existing rules 14

Stateful filters Stateless filters: Any packet with ACK=1 and source port 80 gets through Attack with malformed packets: send ACK=1 segments Stateful filter: Adds more intelligence to decision-making process Stateful = remember past packets Needs very dynamic state table 15

Stateful filters: Example Log each TCP conn initiated through firewall: SYN segment Timeout entries without activity after, e.g., 60 seconds source dest source dest address address port port 222.22.1.7 37.96.87.123 12699 80 222.22.93.2 199.1.205.23 37654 80 222.22.65.143 203.77.240.43 48712 80 Rule table indicates check of stateful table: See if there is a connection entry in stateful table Stateful filters can remember outgoing UDP segments 16

Stateful example: Example (2.) 1) Pkt arrives from outside: src=37.96.87.123, src port=80, dst=222.22.1.7, dst port=12699, SYN=0, ACK=1 2) Check filter table check stateful table action source address dest address proto source port dest port flag bit check conn allow 222.22/16 outside of 222.22/16 TCP > 1023 80 any allow outside of 222.22/16 222.22/16 TCP 80 > 1023 ACK x allow 222.22/16 allow outside of 222.22/16 outside of 222.22/16 UDP > 1023 53 --- 222.22/16 UDP 53 > 1023 ---- x deny all all all all all all 3) Connection is in connection table let packet through 17

Application gateways (aka proxy servers) App gateway between user (inside) and server (outside) User and server talk through proxy Allows fine grained/ sophisticated control Hinders protocol attacks E.g.: ftp server may not allow files >= size X gateway-to-remote host ftp session host-to-gateway ftp session application gateway 18

Mail servers and proxy Web servers Local mail server is application gateway Virus detection and removal So is Web proxy cache E.g.: virus detection and removal 19

Proxy gateways Advantages Can log all connections, activity in connections Can provide caching Can do intelligent filtering based on content Simplifies service control Can perform user level authentication Simplifies firewall rules Disadvantages Not all services have proxied versions Need different proxy server for each service Requires modification of client Performance Hinders end-to-end encryption 20

Demilitarized Zone (DMZ) application gateway firewall Internet Internal network Web server FTP server DNS server Demilitarized zone Used for: Gateways and public services Advantage: Hacked server limited damage 21

IP traceback Problem: How do we determine where malicious packet came from? Why? Attackers can spoof source IP address Benefits: Determine attacker Determine zombie machine participating in DDoS attack Alternative: Use ingress filtering 22

Methods for finding source Manual using current IP routing Link testing: how? Start from victim and test upstream links Recursively repeat until source is located Assume attack remains active until trace complete Link testing: problem Handle ISPs Located zombie Logging Automatic using marking algorithms 23

Logging Key routers log packets (useful for forensics) Use data mining to find path Pros Post mortem works after attack stops Cons High resource demand: need to store and process tons of data 24

Marking algorithms Mark packets with router addresses Deterministically or probabilistically Trace attack using marked packets Strengths Independent of ISP management Little network overhead, traffic Trace distributed attacks, attacks post-mortem 25

Marking: Assumptions Most routers remain uncompromised Attacker sends many packets Route from attacker to victim remains relatively stable A 1 A 2 A 3 A 4 A 5 R 6 R 7 R 8 R 9 R 10 R 12 V 26

Marking: Summary Can determine attack path with a relatively small number of attack packets Need to include addresses, counter in IP datagram (e.g., via fragment fields) E.g.: Practical Network Support for IP Traceback by Savage et al. Status: Lots of RFCs But not?yet? deployed 27

Network address translation (NAT) Also known as Network masquerading IP masquerading Re-writes source and/or destination address as they pass through NAT gateway Why IPv4 address shortage Standard feature Some believe it enhances privacy, security,

Simple NAT (Public IP addresses) (Private IP addresses) Main Internet NAT (Public IP addresses) 29

Multiple NAT 156.148.70.32 Main Internet (Public IP addresses) 192.168.2.99 Home NAT ISP NAT Home network ISP network 192.168.2.12 (Private IP addresses) 10.0.0.12 30

NAT traversal: Relay Relay S 2 Main Internet 1 NAT NAT Local network 192.168.2.99 Local network 10.0.0.12 host B host A 31

NAT traversal: Connection reversal rendezvous S 1 Main Internet 2 NAT 1.1.1.4 Local network 192.168.2.99 3 host B host A 32

TURN protocol Protocol for UDP/TCP relaying behind NAT Data is bounced to a public TURN server No hole punching TURN works even behind symmetric NAT 33

Hole punching Technique to allow traffic from/to a host behind a firewall/nat without collaboration of the NAT itself UDP: simple J TCP: Berkeley sockets allows TCP socket to initiate an outgoing or listen for an incoming connections but not both Solution: bind multiple sockets to same local endpoint

STUN (RFC 3489) Defines operations and message formats to understand type of NAT Discovers presence and type of NAT and firewalls between them and Internet Allows applications to determine their public NAT IP address 35

STUNT Simple Traversal of UDP Through NATs and TCP too (STUNT) Extends STUN to include TCP functionality 36

NAT traversal: Cooperating NAT SOCKS Client server protocol Enables client (behind firewall) to use server (in public Internet) Relays traffic Widely adopted E.g.: Mozilla can use SOCKS

SOCKS CONNECT server S 2. connect() Socks proxy 1. CONNECT NAT host A 38

SOCKS BIND server S 3. connect(33102) Socks proxy 2. Ok. Port=33102 1. BIND (localport=4445, S) NAT host A listening on 4445 39

NAT traversal: UPnP Defines: Internet Gateway Device (IGD) protocol Enables: Learning of ones public (external) IP address Enumeration of existing port mappings Adding and removing port mappings Assigning lease times to mappings Applications to automatically configure NAT routing 40

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information