Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN



Similar documents
Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Firewall Defaults and Some Basic Rules

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

Security Technology: Firewalls and VPNs

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Chapter 4 Firewall Protection and Content Filtering

Chapter 4 Firewall Protection and Content Filtering

Firewalls. Chapter 3

Chapter 4 Security and Firewall Protection

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Firewalls, IDS and IPS

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Classic IOS Firewall using CBACs Cisco and/or its affiliates. All rights reserved. 1

About Firewall Protection

CS5008: Internet Computing

Firewall Firewall August, 2003

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

Chapter 4: Security of the architecture, and lower layer security (network security) 1

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

INTRODUCTION TO FIREWALL SECURITY

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

FIREWALLS & CBAC. philip.heimer@hh.se

Lab Configuring Access Policies and DMZ Settings

Multi-Homing Dual WAN Firewall Router

allow all such packets? While outgoing communications request information from a

CSCE 465 Computer & Network Security

Introduction of Intrusion Detection Systems

12. Firewalls Content

Solution of Exercise Sheet 5

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Chapter 8 Security Pt 2

Chapter 11 Cloud Application Development

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

Chapter 15. Firewalls, IDS and IPS

CMPT 471 Networking II

Chapter 8 Network Security

Source-Connect Network Configuration Last updated May 2009

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Linux Network Security

Cisco Secure PIX Firewall with Two Routers Configuration Example

Guideline on Firewall

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

EXPLORER. TFT Filter CONFIGURATION

Networking for Caribbean Development

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls

Digi Connect WAN Application Helper NAT, GRE, ESP and TCP/UPD Forwarding and IP Filtering

Firewalls. Ahmad Almulhem March 10, 2012

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Implementing Network Address Translation and Port Redirection in epipe

UIP1868P User Interface Guide

VLAN und MPLS, Firewall und NAT,

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet

Proxies. Chapter 4. Network & Security Gildas Avoine

21.4 Network Address Translation (NAT) NAT concept

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

IP Ports and Protocols used by H.323 Devices

DMZ Network Visibility with Wireshark June 15, 2010

Polycom. RealPresence Ready Firewall Traversal Tips

SonicOS 5.9 / / 6.2 Log Events Reference Guide with Enhanced Logging

ICS 351: Today's plan. IP addresses Network Address Translation Dynamic Host Configuration Protocol Small Office / Home Office configuration

Firewalls. Network Security. Firewalls Defined. Firewalls

Innominate mguard Version 6

Chapter 7. Address Translation

Protecting and controlling Virtual LANs by Linux router-firewall

Lab Configure and Test Advanced Protocol Handling on the Cisco PIX Security Appliance

Network Defense Tools

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

Testing Network Security Using OPNET

Network Security CS 192

Protecting the Home Network (Firewall)

Chapter 4 Firewall Protection and Content Filtering

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

CS2107 Introduction to Information and System Security (Slid. (Slide set 8)

Load Balance Router R258V

Multi-Homing Gateway. User s Manual

Content Distribution Networks (CDN)

GregSowell.com. Mikrotik Security

Figure 41-1 IP Filter Rules

Firewall. User Manual

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

APNIC elearning: Network Security Fundamentals. 20 March :30 pm Brisbane Time (GMT+10)

Security. TestOut Modules

Proxy Server, Network Address Translator, Firewall. Proxy Server

Network Configuration Settings

Configuring Security for FTP Traffic

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

Computer Networks. Secure Systems

Chapter 12 Supporting Network Address Translation (NAT)

Cornerstones of Security

Internet Security Firewalls

Transcription:

Virtual private network Network security protocols COMP347 2006 Len Hamey Instead of a dedicated data link Packets securely sent over a shared network Internet VPN Public internet Security protocol encrypts packets Three scenarios Host-to-host tunnel Host-to-router tunnel Router-to-router tunnel VPN VPN Packets tunnelled between routers Security parameters negotiated when the link is brought up 10.1.0.1 10.2.0.1 IPsec Internet IPsec IPSec IPSec Router 183.17.16.9 98.65.32.3 Internet 1

VPN IPSec SSL/TLS PPTP L2TP/IPSec Network Address Translation References KR3 p 339 C4 chap 20 T4 p444 CISCO: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat60 00/mod_icn/fwsm/fwsm_2_2/fwsm_cfg/nat.htm Network address translation To help with shortage of IPv4 addresses Set up a network using private addresses NAT router has one or more global IPv4 addresses Traffic from inside the local network is relabelled with a global IP address Traffic from outside is routed inside based on IP address and possibly port number Basic NAT Outgoing packet: Look up internal IP address external IP address or assign new external IP address Replace source address in packet with external Incoming packet: Look up external IP address internal IP destination address Replace destination address in packet with internal IP address Address reuse: assignments expire 2

Basic NAT Web browser 1326 :1326 to 149.22.35.11:80 192.168.0.1 ~137.111.11.26 149.22.35.11:80 to :1326 192.168.0.32 149.22.35.11 137.111.11.25 137.111.11.26 Web server 80 137.111.11.26:1326 to 149.22.35.11:80 149.22.35.11:80 to 137.111.11.26:1326 The Internet PAT NAT Outgoing packet: Look up source (IP, port) external port number or assign new external port number Replace source address and port number Incoming packet: Look up destination external port (IP, port) Replace destination address and port number in packet Port number reuse: assignments expire NAT: Port address translation NAT: Basic and PAT Web browser 1326 :1326 to 149.22.35.11:80 192.168.0.1 :1326 my port 9723 149.22.35.11:80 to :1326 192.168.0.32 149.22.35.11 9723 137.111.11.26 Web server 80 137.111.11.26:9723 to 149.22.35.11:80 149.22.35.11:80 to 137.111.11.26:9723 The Internet Basic NAT Limits number of computers One IP per computer Internal machine must contact outside to assign IP address External machines can then initiate communication PAT NAT Computers share a single IP Internal machine must contact outside to assign port number External machines cannot initiate communication Well known ports can be permanently assigned to internal servers 3

PAT NAT: Server setup PAT NAT limitations Web server 80 192.168.0.1 Ext port 80 to 149.22.35.11:3582 to :80 :80 to 149.22.35.11:3582 192.168.0.32 137.111.11.26 Web browser 3582 149.22.35.11 149.22.35.11:3582 to 137.111.11.26:80 137.111.11.26:80 to 149.22.35.11:3582 The Internet Only supports TCP and UDP uses port number External machine can only contact forwarded ports Internal origin Well known port configured to internal server Default DMZ host to receive unassigned ports Can help ensure security PAT NAT limitations (cont) Protocols that open additional ports may fail across PAT NAT Port number is sent in a message on another port the port number must be modified across the NAT box. FTP client opens port but server cannot access it Use FTP in passive mode SIP RTP Games and P2P applications Firewalls have the same problem they need to know which ports should be open Newer protocols must be designed for NAT DNS and NAT (CISCO) DNS replies may be modified as they cross a NAT box A user inside queries a DNS server outside for a machine that happens to be inside also user ftp.cisco.com 10.1.0.17 NAT 209.165.201.10 Reply: 10.1.0.17 Query: ftp.cisco.com DNS Reply: 209.165.210.10 4

Firewall references C4 chap 32 KR3 section 8.6 Packet filtering Packets are filtered by IP header and router interface IP source IP destination Protocol Source port Destination port Block spoofed IP Block broadcast Block ICMP Rules are checked in sequence: first matching rule is used Packet filtering Filtering incoming packets also blocks outgoing connections Reply packets come from outside Destination port is not a well-known server Solution: bastion host acts as proxy for internal clients Alternative: Stateful packet inspection tracks active connections and allows reply packets Bastion host Acts as proxy for internal clients (e.g. web proxy) Provides services to external clients Only admit: packets to bastion host (clients or services) Corporate network Only admit: packets from bastion host Bastion host Internet 5

Application gateway User connects to gateway, authorises, gateway connects externally. telnet firewall.mysite.com Login with user name and password Now telnet to remote site and login there Stateful packet inspection Maintains connection state Simplifies inspection of packets belonging to known connections Does not need to apply firewall rules repeatedly Allows detection of denial of service attacks SYN flood, UDP flood, ICMP flood, etc Allows intrusion detection Port scanning SPI connection filtering rules SPI connection filtering rules 6

DMZ External & internal hosts may access DMZ DMZ hosts may only access external hosts Internal hosts DMZ hosts via PAT Soho DMZ not true DMZ - unprotected Firewall (from Wikipedia) DMZ Internet router Deep packet inspection Inspects packet contents not just headers Can recognise packets not conforming to higher-level protocol E.g. non-http on port 80 Can recognise attacks within protocols Merged IDS functionality E.g. SMTP VRFY command Drop connection before damage can happen http://www.securityfocus.com/infocus/1716 Difficult protocols SIP & RTP firewall problem Involve additional connections May convey port numbers in an existing connection FTP Passive mode SIP & RTP http://www.ikr.uni-stuttgart.de/content/vff_ikr_workshop_2006/ VoIP_Firewall_Signaling.pdf 7

SIP & RTP firewall problem Remove firewall? HTTP tunnel? Insecure solutions SIP decoder in packet filter Cannot handle path differences Application layer gateways Media path forced to follow signalling path SIP & RTP firewall problem Firewall control protocol messages Open pinhole for RTP Who is in control? Path-coupled: messages follow future path RSVP IETF NSIS (Next Steps in Signalling) Problem: secure and efficient signalling message authorization Path-decoupled Current research: SIMCO protocol SIP & RTP firewall signalling Multiple connections Firewalls on each external connection must implement the same access rules Otherwise, the least restrictive rules can be used to gain access Corporate network Internet 8

Monitoring and logging Active firewall notifies manager of event when it occurs Passive firewall writes information to log manager can review it Periodic analysis to detect trends Investigation of security events after they occur what led up to them VPN Risk VPN makes PC that is outside part of inside Encrypted VPN packets cannot be inspected by firewall unless firewall is tunnel endpoint Corporate network Internet 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information