Wireless Networks and Mobile Systems. Lecture 6: Mobile Networks: Nomadic Services, DHCP, NAT, and VPNs

Lecture Objectives
- Describe the role of nomadic services in mobile networking
- Describe the objectives and operation of IP virtual private networks (VPNs)
- Describe the objectives and operation of the Dynamic Host Configuration Protocol (DHCP)
- Describe the objectives and operation of network address translation (NAT)
- Describe firewall and packet filter functions, especially as related to NAT
- Provide some high-level background in web services, especially for a wireless hot spot service

Nomadic Services
Nomadic services support hosts that attach to different networks, but where host reconfiguration is acceptable. Compare this to mobile services, where hosts can move to a different network without reconfiguring.

Functions (the problem each one addresses):
- Changing the host's IP address to that of the network to which it is currently attached: DHCP
- Limited number of public Internet addresses available in the current network (or any network): NAT
- Lack of trust in the current network (or any network): VPN
A wireless hot spot usually combines DHCP, NAT, and firewall functions.

Nomadic Services Functions (figure): a Nomadic Node on a foreign Private Network obtains its Address via DHCP; its traffic crosses NAT onto the Public Network. Two VPN endpoints, one at the nomadic node and one at the home Private Network, carry the Secure Data: with a Public Address across the Public Network and with a Private Address inside the home Private Network.

Virtual Private Networks (1)
- Enable end-to-end security (authentication and, optionally, privacy) for a single (mobile) host connecting to a private network over untrusted (public) intermediate networks
- Enable security for private network-to-network communication over untrusted intermediate networks
- Support quality-of-service and other attributes of a service level agreement over a shared network for network-to-network connectivity

Virtual Private Networks (2)
Figure: a General Host running a VPN Client reaches a VPN Server in the Private Network through a Secure Tunnel across the Public Network.
Tunneling protocols:
- Point-to-Point Tunneling Protocol (PPTP)
- Layer 2 Tunneling Protocol (L2TP)
- IP Security (IPSec)

Point-to-Point Tunneling Protocol
- PPTP is an extension of the Point-to-Point Protocol (PPP) to support tunneling
- Can carry IP and non-IP packets
Figure (PPTP encapsulation): Layer 2 Header | IP Header | GRE Header | PPP Packet

Layer 2 Tunneling Protocol
- Resulted from the IETF's merger of PPTP and the Layer 2 Forwarding Protocol (L2FP)
- Can carry IP and non-IP packets over IP and other networks
Figure (L2TP protocol stack): PPP Frames are carried as L2TP Data Messages (unreliable) over the L2TP Data Channel (unreliable), alongside L2TP Control Messages over the L2TP Control Channel (unreliable); both ride on a Packet Transport (UDP, FR, ATM, etc.).

IP Security
- IPSec has two main components: Authentication Header (AH) and Encapsulating Security Payload (ESP)
- Two modes: transport mode and tunnel mode
Tunnel mode layout: IP Header | AH (or ESP) | Inner IP Header | IP Payload, where Inner IP Header and IP Payload together are the Original IP Datagram.

VPN References
- W. Townsley, A. Valencia, A. Rubens, G. Pall, G. Zorn, B. Palter, Layer Two Tunneling Protocol "L2TP", RFC 2661, Aug. 1999.
- D. Fowler, Virtual Private Networks, Morgan-Kaufmann Publishers, 1999.
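The tunnel-mode layout above, as an added illustration that is not part of the lecture: a gateway wraps the original datagram (private addresses and all) in a new outer IP header, and the receiving gateway checks an integrity tag before trusting the inner datagram. The AH-like tag is a truncated HMAC over a constructed key, not the real AH wire format; the addresses and payload are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct
from typing import Optional, Tuple

# Constructed illustration of: outer IP header | AH-like tag | inner IP header | payload.
# Not the RFC 4302 AH format; the "AH" slot carries a truncated HMAC-SHA256 computed over
# the outer endpoints and the whole original datagram.
SHARED_KEY = b"constructed-demo-key"   # in practice negotiated per security association
ICV_LEN = 16
IPPROTO_AH = 51


def ipv4_header(src: str, dst: str, payload_len: int, proto: int) -> bytes:
    """Minimal 20-byte IPv4 header; the checksum is left at zero for the illustration."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def addresses(datagram: bytes) -> Tuple[str, str]:
    """Source and destination of whatever IPv4 header starts the buffer."""
    return (str(ipaddress.IPv4Address(datagram[12:16])),
            str(ipaddress.IPv4Address(datagram[16:20])))


def icv(outer_src: str, outer_dst: str, inner: bytes) -> bytes:
    """Integrity check value binding the inner datagram to the tunnel endpoints."""
    mac = hmac.new(SHARED_KEY, ipaddress.IPv4Address(outer_src).packed
                   + ipaddress.IPv4Address(outer_dst).packed + inner, hashlib.sha256)
    return mac.digest()[:ICV_LEN]


def encapsulate(inner: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel mode: the original datagram rides, unchanged, inside a new public datagram."""
    tag = icv(gw_src, gw_dst, inner)
    return ipv4_header(gw_src, gw_dst, ICV_LEN + len(inner), IPPROTO_AH) + tag + inner


def decapsulate(packet: bytes) -> Optional[bytes]:
    """Receiving gateway: verify the tag before releasing the inner datagram; None on failure."""
    outer_src, outer_dst = addresses(packet[:20])
    tag, inner = packet[20:20 + ICV_LEN], packet[20 + ICV_LEN:]
    if not hmac.compare_digest(tag, icv(outer_src, outer_dst, inner)):
        return None
    return inner


# Constructed sample: host 10.1.1.7 on one private network sends a 5-byte payload (protocol
# 17, UDP) to 10.2.2.9; gateways 203.0.113.5 and 198.51.100.9 are the tunnel endpoints.
ORIGINAL = ipv4_header("10.1.1.7", "10.2.2.9", 5, 17) + b"hello"
TUNNELED = encapsulate(ORIGINAL, "203.0.113.5", "198.51.100.9")
TAMPERED = TUNNELED[:-5] + b"HELLO"   # payload altered while crossing the public network
```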

DHCP
- DHCP provides all necessary configuration information to allow a stationary node to become a viable Internet host
- Applications:
  - To simplify system administration in traditional networks
  - To improve utilization of IP address space
  - To allow mobile hosts to obtain collocated care-of addresses on foreign networks
- References:
  - R. Droms, Dynamic Host Configuration Protocol, RFC 2131, March 1997.
  - C. E. Perkins, Mobile IP: Design Principles and Practices, Addison-Wesley, Reading, MA, 1998 (Chapter 9).

DHCP: Client-Server Model (1)
- DHCP adheres to a client-server model: the client requests service and the server provides the response
- Request and reply must be sent without the benefit of the client being an Internet host
Figure: a DHCP Server exchanging request and reply with DHCP Client 1 and DHCP Client 2.

DHCP: Client-Server Model (2)
- Client broadcasts a request to the network
- Broadcast is received by the server or a relay; if a relay is used, it forwards the request, with other information, to the server
- Server responds with configuration information
- Client acknowledges receipt
- Server reserves the IP address (for some lease time) and notifies the client that the address is reserved
- Client must renew the lease

DHCP Initialization (1)
- Client broadcasts a discover message (DHCPDISCOVER), sent via UDP to port 67 and received by one or more DHCP servers (or relays)
- Responding servers determine a configuration and send an offer message (DHCPOFFER) to the client
- Client selects the configuration it wants and sends a request message (DHCPREQUEST) to the selected server; it sends the same request message to the servers not selected so they can release their reserved IP address

DHCP Initialization (2)
- Selected server commits the configuration and replies with an acknowledge message (DHCPACK) to complete initialization

DHCP Initialization (3)
Figure: the Client broadcasts DHCPDISCOVER; Server 1 (selected) and Server 2 (not selected) each answer with DHCPOFFER; the Client sends DHCPREQUEST to both; only Server 1 replies with DHCPACK.

Lease and Renewals (1)
- Server grants use of the IP address for a limited time, the lease time
- Client should renew the lease after about two-thirds of the lease time has expired
- Lease renewal: the client sends a DHCPREQUEST message to the originally selected server via unicast, and the server responds with a DHCPACK message
- If there is no response from the server, the client must start again with DHCP initialization

Lease and Renewals (2)
Figure: Client sends DHCPREQUEST to Server; Server replies with DHCPACK.

Graceful Shutdown
- Client can perform a graceful shutdown by sending a DHCP release message (DHCPRELEASE) to the server, which allows the server to release the reserved IP address
- Often, clients just shut down and the IP address is released after the lease time expires
Figure: Client sends DHCPRELEASE to Server.

DHCP Options
- DHCP servers can provide optional information beyond the assigned IP address: default router, subnet mask, Network Time Protocol (NTP) servers, Service Location Protocol (SLP) servers, Domain Name System (DNS) servers, local domain name, host name
- Requested in the discover or request message; returned in the offer or acknowledge message
- Encoded as Type, Length, Value (TLV) options
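The initialization, renewal, release and TLV option material above, as one added model that is not part of the lecture: a toy server hands out addresses from a constructed pool, and the client side decodes the TLV options, rejecting truncated ones instead of guessing. Message-type and option codes are the RFC 2131/2132 values; the BOOTP header is reduced to the offered address followed by the options field, and the two-thirds renewal point follows the slide.

```python
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

# Constructed model of DISCOVER/OFFER/REQUEST/ACK, renewal and DHCPRELEASE with TLV options.
# Codes are the RFC 2131/2132 values; a message here is yiaddr (4 bytes) + options field.
DISCOVER, OFFER, REQUEST, ACK, RELEASE = 1, 2, 3, 5, 7
OPT_SUBNET, OPT_ROUTER, OPT_LEASE, OPT_MSGTYPE, OPT_SERVER_ID, OPT_END = 1, 3, 51, 53, 54, 255


def encode_options(opts: List[Tuple[int, bytes]]) -> bytes:
    """Serialize (type, value) pairs as Type, Length, Value and terminate with END."""
    body = b"".join(struct.pack("!BB", code, len(val)) + val for code, val in opts)
    return body + bytes([OPT_END])


def decode_options(data: bytes) -> Dict[int, bytes]:
    """Parse TLV options; a truncated option or a missing END is rejected, not guessed at."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            return opts
        if code == 0:                       # PAD carries no length byte
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option %d" % code)
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    raise ValueError("options field lacks END")


def parse_reply(msg: bytes) -> Tuple[str, Dict[int, bytes]]:
    """Client side: split a reply into the offered address and its decoded options."""
    return str(ipaddress.IPv4Address(msg[:4])), decode_options(msg[4:])


class DhcpServer:
    """One address pool; leases keyed by client identifier with an expiry time."""
    def __init__(self, server_ip: str, pool: List[str], lease_secs: int):
        self.server_ip, self.free, self.lease_secs = server_ip, list(pool), lease_secs
        self.leases: Dict[str, Tuple[str, int]] = {}    # client -> (ip, expires_at)

    def handle(self, client: str, msg_type: int, now: int) -> Optional[bytes]:
        held = self.leases.get(client)
        if msg_type == DISCOVER:            # offer the address already held, else a free one
            ip = held[0] if held else (self.free[0] if self.free else None)
            return self._reply(OFFER, ip) if ip else None
        if msg_type == REQUEST:             # commit a new lease, or renew the existing one
            if not held and not self.free:
                return None                 # pool exhausted: nothing to grant
            ip = held[0] if held else self.free.pop(0)
            self.leases[client] = (ip, now + self.lease_secs)
            return self._reply(ACK, ip)
        if msg_type == RELEASE and held:    # graceful shutdown returns the address
            self.free.append(self.leases.pop(client)[0])
        return None

    def _reply(self, msg_type: int, ip: str) -> bytes:
        me = ipaddress.IPv4Address(self.server_ip).packed
        return ipaddress.IPv4Address(ip).packed + encode_options([
            (OPT_MSGTYPE, bytes([msg_type])), (OPT_SERVER_ID, me), (OPT_ROUTER, me),
            (OPT_SUBNET, ipaddress.IPv4Address("255.255.255.0").packed),
            (OPT_LEASE, struct.pack("!I", self.lease_secs))])


def renewal_time(granted_at: int, lease_secs: int) -> int:
    """When the client should renew: after about two-thirds of the lease, as described above."""
    return granted_at + (2 * lease_secs) // 3
```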

Network Address Translation
- NAT mangles a packet's addressing headers as it passes through a router to change either the source or destination address
- Most common form of NAT: network and port address translation, a.k.a. IP Masquerading (Linux) or Port Address Translation (PAT) (Cisco)

What is Masquerading?
- One-to-many translation
- The process of routing Internet-bound traffic from a private network through a gateway router that modifies the traffic to look like its own
- On the return, the router demultiplexes the traffic back to the appropriate hosts by source/destination port/address pairs (remembered from transmission)

Example Configuration (figure)
- Internal Network 192.168.1.xxx: Host1 (.2), Host2 (.3), Host3 (.4)
- Router: eth0 192.168.1.254 on the internal network, eth1 12.34.56.78 on the External Network

Packet Trace (1)
Trace a packet from Host1 to the HTTP server at google.com (IP address 216.239.39.101):

Interface      Src IP          Dest IP          Src Prt   Dest Prt
Host1:eth0     192.168.1.2     216.239.39.101   4356
Router:eth0    192.168.1.2     216.239.39.101   4356
   (NAT)
Router:eth1    12.34.56.78     216.239.39.101   65013*
   (routing)
Google.com     12.34.56.78     216.239.39.101   65013*

*Note: Masquerading changes the source port as well as the source address for assured demultiplexing. The value depends on the implementation.

Packet Trace (2)
Returning packet:

Interface      Src IP          Dest IP          Src Prt   Dest Prt
Google.com     216.239.39.101  12.34.56.78                65013
   (routing)
Router:eth1    216.239.39.101  12.34.56.78                65013
   (NAT)
Router:eth0    216.239.39.101  192.168.1.2                4356
Host1:eth0     216.239.39.101  192.168.1.2                4356

Implementation of Masquerading
- Linux: built into the kernel firewall; resident for years (ipfwadm, ipchains, iptables)
- Windows: Internet Connection Sharing; partial with Microsoft Windows 98SE and Windows ME (only certain interfaces can be shared); full implementation in Microsoft Windows 2000 and Windows XP (any interface can be shared)
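The packet trace above, as an added simulation that is not the lecture's code: a masquerading router rewrites Host1's outgoing packet, remembers the mapping, demultiplexes the reply back, and drops an inbound packet that no inside host started. Addresses and ports are the trace's; the HTTP server port (80) and the starting public port are assumptions.

```python
from typing import Dict, Optional, Tuple

# Constructed simulation of the masquerading router in the trace: private side 192.168.1.0/24,
# public address 12.34.56.78. The public source port comes from a counter, mirroring the note
# that its value is implementation-dependent.
Packet = Dict[str, object]          # keys: proto, src, dst, sport, dport


class Masquerader:
    def __init__(self, public_ip: str, first_port: int):
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, private src, sport, dst, dport) -> public source port used for this flow
        self.out_table: Dict[Tuple, int] = {}
        # (proto, public port, remote ip, remote port) -> (private ip, private port)
        self.in_table: Dict[Tuple, Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an Internet-bound packet so that it appears to come from the router itself."""
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key not in self.out_table:     # first packet of a flow: remember the mapping
            self.out_table[key] = self.next_port
            self.in_table[(pkt["proto"], self.next_port, pkt["dst"], pkt["dport"])] = (
                pkt["src"], pkt["sport"])
            self.next_port += 1
        return {**pkt, "src": self.public_ip, "sport": self.out_table[key]}

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Demultiplex a returning packet to the inside host, or drop it (None) when no inside
        host started the flow; the mapping is keyed on the remote endpoint as well."""
        entry = self.in_table.get((pkt["proto"], pkt["dport"], pkt["src"], pkt["sport"]))
        if entry is None:
            return None
        return {**pkt, "dst": entry[0], "dport": entry[1]}


def trace_round_trip(nat: Masquerader, outgoing: Packet) -> Tuple[Packet, Optional[Packet]]:
    """Translate one outgoing packet, synthesize the server's reply and translate it back."""
    public = nat.outbound(outgoing)
    reply = {"proto": public["proto"], "src": public["dst"], "dst": public["src"],
             "sport": public["dport"], "dport": public["sport"]}
    return public, nat.inbound(reply)


# Constructed sample matching the trace: Host1 (192.168.1.2) port 4356 to the HTTP server at
# 216.239.39.101. The server port 80 (HTTP) is assumed; the trace does not show it.
HOST1_TO_GOOGLE: Packet = {"proto": "tcp", "src": "192.168.1.2", "dst": "216.239.39.101",
                           "sport": 4356, "dport": 80}
```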

Firewalls
- Routers with attitude: they process packets based on rules
- Rules can be based on any packet characteristics or attributes:
  - Source and destination addresses and ports (e.g., source port 1234 from host 10.0.3.23)
  - Protocol flags (e.g., TCP SYN, TCP ACK)
  - Protocol types (e.g., ICMP, UDP)
  - Connection status (e.g., new or established)

Firewall Services (figure: services listed against the seven OSI layers, Application, Presentation, Session, Transport, Network, Data Link and Physical, from top to bottom)
- Application-specific proxy, application-specific filter
- Gateway, user filter
- Port map, port filter, address map, address filter
- Address map, address filter, protocol filter
- Address filter, protocol filter

Types of Firewalls (1)
Two types: stateful and stateless.
Stateless:
- Simple, and less secure than stateful
- Makes decisions based on individual packet information; does not maintain any connection status
- Example rules: allow all traffic inbound with destination port ...; deny all traffic from 192.168.1.0/24 on the external interface

Types of Firewalls (2)
Stateful:
- All the attributes of a stateless firewall plus connection status (context for decisions)
- Watches traffic for SYN, ACK, and FIN packets, so it knows the connection status (established, initiating)
- More complex, better security
- Example rules: deny all ICMP Echo Reply packets not associated with an Echo Request; deny all TCP sessions not initiated from the inside network

Firewall Implementations
- Hardware (network devices): Cisco PIX, Sonicwall, Watchguard Firebox
- Software (applications): on Windows, ZoneAlarm, Norton Personal Firewall, BlackICE; on Unix and variants, ipfw, ipchains, iptables, ipf

iptables (1)
- Linux firewall (and more), present with the 2.4 series kernel
- Part of the netfilter project, http://www.netfilter.org/
- Consists of two parts: firewall code in the kernel, and the user-space iptables executable that manipulates the kernel code
- Reference: Oskar Andreasson, Iptables Tutorial 1.1.19, http://iptables-tutorial.frozentux.net/

iptables (2)
Three parts: rules, chains, tables.

iptables (3): Rule
- Lowest-level (most basic) entity in firewalling
- A single tuple of what to do (action) and the packets to which to apply the action (filter)
- Filter identifies the packets to which the rule applies: addresses, ports, status
- Action is what to do with the packet (stream): accept, reject (drop, but reply with an ICMP error message), drop, redirect, masquerade, go to another chain, and more

iptables (4): Chains
- An ordered list of rules, traversed in order; the first matching rule in the chain is selected
- Important predefined chains in the FILTER table: INPUT (all incoming packets go here), FORWARD (packets to be routed), OUTPUT (all outgoing packets go here)

iptables (5): Tables
- Separate different types of operations
- Three built-in tables: FILTER (general filtering), NAT (dealing with network address translation), MANGLE (other packet changes)
- Each contains multiple chains

iptables (6): Incoming packet traversal (figure)
Network -> Mangle PREROUTING -> Nat PREROUTING -> Routing Decision. Local packets then pass Mangle INPUT -> Filter INPUT -> Application; non-local packets pass Mangle FORWARD -> Filter FORWARD and continue to the output path. Typical firewall functions at these stages: setting DSCP (Mangle PREROUTING) and redirecting (Nat PREROUTING).
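The rule, chain and table structure above, combined with the stateless and stateful example rules from the Types of Firewalls slides, as an added model that is not the lecture's code and not iptables itself: rules are first-match, each chain has a policy, and a connection table supplies the "established" state. Interface names follow the example router (eth0 inside, eth1 outside); the FORWARD chain and the packets are constructed.

```python
import ipaddress
from typing import Callable, Dict, List, Set, Tuple

# Constructed model of rules / chains / tables with first-match semantics, a chain policy for
# unmatched packets, and a connection table for the stateful "established" decision.
Packet = Dict[str, object]      # keys: in_iface, proto, src, dst, sport, dport


class Rule:
    def __init__(self, match: Callable[[Packet, "Firewall"], bool], target: str, note: str):
        self.match, self.target, self.note = match, target, note


class Firewall:
    def __init__(self):
        # table -> chain name -> (ordered rules, policy)
        self.tables: Dict[str, Dict[str, Tuple[List[Rule], str]]] = {
            "filter": {}, "nat": {}, "mangle": {}}
        self.conntrack: Set[Tuple] = set()  # 5-tuples of flows a chain has already accepted

    def chain(self, table: str, name: str, rules: List[Rule], policy: str) -> None:
        self.tables[table][name] = (rules, policy)

    def state(self, pkt: Packet) -> str:
        """ESTABLISHED if this packet or its reverse direction belongs to an accepted flow."""
        fwd = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        return "ESTABLISHED" if fwd in self.conntrack or rev in self.conntrack else "NEW"

    def traverse(self, table: str, name: str, pkt: Packet) -> Tuple[str, str]:
        """Walk a chain in order; the first matching rule decides, otherwise the chain policy."""
        rules, policy = self.tables[table][name]
        verdict, why = policy, "chain policy"
        for rule in rules:
            if rule.match(pkt, self):
                verdict, why = rule.target, rule.note
                break
        if verdict == "ACCEPT" and self.state(pkt) == "NEW":   # accepted new flow: track it
            self.conntrack.add((pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
        return verdict, why


INSIDE = ipaddress.ip_network("192.168.1.0/24")


def build_forward_chain(fw: Firewall) -> None:
    """FORWARD chain for the example router: the slide's rules plus a default-deny policy."""
    fw.chain("filter", "FORWARD", [
        # stateless: "deny all traffic from 192.168.1.0/24 on the external interface"
        Rule(lambda p, f: p["in_iface"] == "eth1" and ipaddress.ip_address(p["src"]) in INSIDE,
             "DROP", "anti-spoofing"),
        # stateful: replies to flows already accepted pass without further checks
        Rule(lambda p, f: f.state(p) == "ESTABLISHED", "ACCEPT", "established"),
        # stateful: "deny all TCP sessions not initiated from the inside network"
        Rule(lambda p, f: p["in_iface"] == "eth0" and p["proto"] == "tcp",
             "ACCEPT", "new from inside"),
    ], policy="DROP")
```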

iptables (7): Outgoing packet traversal (figure)
Application -> Routing Decision -> Mangle OUTPUT -> Nat OUTPUT -> Filter OUTPUT -> Mangle POSTROUTING -> Nat POSTROUTING -> Network. Forwarded traffic (from non-local input) joins this path at the POSTROUTING stage. Typical firewall function here: IP masquerading (Nat POSTROUTING).

iptables (8): Rule placement
- Rule type specifies the table: address translation and IP masquerading map to the NAT table; simple packet filtering maps to the FILTER table
- Rule stage specifies the chain: prerouting versus postrouting; traffic from a local application versus forwarded traffic

Firewall Comments
- Good firewall rules are difficult to write: all possible traffic must be considered, and only what should pass is allowed
- Stateful firewalls are more secure (and more complex) than stateless firewalls
- Stepping forward: an Intrusion Detection System (IDS) is a smarter stateful firewall

Web-Based Authentication
- Consider a wireless LAN hot spot service. This will require consideration and use of DHCP, firewalling, authentication, and IP masquerading (NAT)
- Authentication is commonly done using a web-based scheme; here is one approach:
  - The first attempt to access any web page is redirected to an authentication page for the service
  - A script or program must perform the authentication and update the configuration to allow access, if appropriate

HTML
- HyperText Markup Language (HTML): the web page language (content), currently in version 4.01
- Maintained by the World Wide Web Consortium (W3C), http://www.w3c.org
- Uses tags: <begin_tag>text</end_tag>
- A formatting language: takes data and adds formatting, pictures, input, and/or links

HTML (2)
- Many extensions and add-ons are responsible for rich web content
- Tags are interpreted by the web browser; no server processing is involved
- May be edited by hand (notepad, emacs, vi) or with a WYSIWYG editor (MS FrontPage, Dreamweaver)

Web Programming
- Common Gateway Interface (CGI): a way for web servers to interact with standard programs to generate dynamic web content
- Input: typically HTML form data. Output: dynamic content (web pages)
- Can be written using C++, Perl, Fortran, or PHP; can do many functions with the appropriate library
Figure (CGI flow): (1) the Web Browser sends a URL and parameters to the HTTP Server; (2) the HTTP Server invokes the Gateway Program via CGI; (3) the Gateway Program processes the request; (4) the Gateway Program returns HTML, text, etc. to the HTTP Server; (5) the HTTP Server returns HTML, text, etc. to the Web Browser.

Web Programming (2)
Model: client request; server reference; server processing (CGI, SSI, PHP); request sent to client; browser processing (JavaScript, HTML, CSS).

No Experience?
- PHP is suggested for those with no experience with web programming
- PHP code is embedded in HTML code; no compilation, quick editing
- Familiar syntax: borrows its look and feel from Java, Perl, and C++

Nomadic Services: brief comments on a wireless hot spot service

A Test Network Configuration (figure): the Public Internet on the public side; a Firewall performing IP masquerading and web-based authentication between the Public and Private sides; a DHCP server on the Private Network.

Summary
- Nomadic services enable Internet access: security, addressing, filtering
- VPNs provide authentication and privacy for nomadic users and protect private networks
- DHCP allows nomadic users to obtain an IP address and other configuration information
- NAT conserves addresses in private networks, allowing support for nomadic hosts
- Firewalls provide security and enable access control
- Web-based authentication can be used to authenticate nomadic users for a hot spot service