Characterization and Measurement of TCP Traversal Through NATs and Firewalls
Transcription
1 Characterization and Measurement of TCP Traversal Through NATs and Firewalls. Saikat Guha, Paul Francis, Cornell University. IMC 2005
2 P2P connectivity through NATs: New inbound flows cannot be routed [diagram labels: Bob]
3 P2P connectivity through NATs: New inbound flows cannot be routed [diagram labels: ??, Bob]
4 P2P connectivity through NATs: Basic solution for UDP [diagram labels: I am, I am Bob, Bob]
5 P2P connectivity through NATs: Basic solution for UDP [diagram labels: Bob is :2, is :, Bob]
6 P2P connectivity through NATs: Basic solution for UDP [diagram labels: ??, Bob]
7 P2P connectivity through NATs: Basic solution for UDP [diagram labels: Bob]
8 P2P connectivity through NATs: Basic solution for UDP [diagram labels: Bob]
9 P2P connectivity through NATs: TCP establishment more complex [diagram labels: SYN, ??, Bob]
10 P2P connectivity through NATs: TCP establishment more complex [diagram labels: SYNACK, Bob]
11 Context for this work: NAT invented; NAT traversal presumed impossible; UDP traversal solved and standardized [Kegel]; TCP traversal presumed impossible; 04 TCP traversal solved (2 approaches) [Guha]; 05 2 more approaches [Ford, Biggadike]; approaches evaluated [Guha]; TCP traversal standardized
12 Context for this work: 92 NAT invented; NAT traversal presumed impossible; UDP traversal solved and standardized [Kegel]; TCP traversal presumed impossible; 04 TCP traversal solved (2 approaches) [Guha]; 05 2 more approaches [Ford, Biggadike]; approaches evaluated [Guha]; TCP traversal standardized. 4 approaches, many trade-offs: NAT sensitivity, ease of implementation, ease of deployment
13 Context for this work: 92 NAT invented; NAT traversal presumed impossible; UDP traversal solved and standardized [Kegel]; TCP traversal presumed impossible; 04 TCP traversal solved (2 approaches) [Guha]; 05 2 more approaches [Ford, Biggadike]; 05 approaches evaluated [Guha]; 06 TCP traversal standardized. Contributions: characterization, measurements, guidelines, standardization
14 Take away results: TCP can be established between NATed peers; works an estimated 85%-90% of the time today; 100% for certain popular, well-behaved NATs; all NATs could standardize to this
15 P2P TCP Establishment: Use Rendezvous Service [diagram labels: Bob is :2, is :, Bob]
16 P2P TCP Establishment: Use Rendezvous Service [diagram labels: SYN, ??, Bob]
17 P2P TCP Establishment: Punch hole using connect/close/bind/listen [diagram labels: time, SYN, ??, Bob]
18 P2P TCP Establishment: Punch hole using connect/close/bind/listen [diagram labels: time, SYN, ??, Bob, close(), bind(), listen()]
19 P2P TCP Establishment: Accept incoming connection [diagram labels: time, SYN, ??, Bob, close(), bind(), listen(), SYN]
20 P2P TCP Establishment: Accept incoming connection [diagram labels: time, SYN, ??, Bob, close(), bind(), listen(), SYN, SYNACK, ACK]
21 P2P TCP Establishment: What if: NAT returns RST, closes hole [diagram labels: time, SYN, ??, Bob, RST, ??, SYN]
22 P2P TCP Establishment: What if: NAT rejects SYN through hole [diagram labels: time, SYN, ??, Bob, SYN, RST]
23 P2P TCP Establishment: Variation: low-ttl SYN [diagram labels: time, SYN (low TTL), Bob, SYN (low TTL)]
24 P2P TCP Establishment: Variation: low-ttl SYN, spoof SYNACK [diagram labels: time, SYN (low TTL), Bob, SYN (low TTL), SYNACK, SYNACK, ACK]
25 P2P TCP Establishment: Variation: low-ttl SYN, RAW SYNACK [diagram labels: time, SYN (low TTL), Bob, SYN (low TTL), SYNACK, SYNACK, ACK]
26 P2P TCP Establishment: What if: NAT blocks outgoing SYNACK [diagram labels: time, SYN (low TTL), Bob, SYN (low TTL), SYNACK, SYNACK, ACK]
27 Recap: 4 approaches; 16 variants (mix and match); many trade-offs: some sensitive to NAT behavior, some hard to implement, some hard to deploy; measurement study to determine how well each works in practice
28 Methodology: Implemented all approaches; lessons learned in the paper; cause of failure for 16 brands of NATs: Linksys, DLink, Netgear, Belkin,; axis of classification; classified ( 100) NATs in the wild; extrapolated for world-wide behavior; brand share market analysis
29 Axes of Classification: Binding: Type Delta Hairpin Overloading Max Flows Predictable; Preservation: Port Number Low High Dynamic Parity Sequential; Packet Mangling: TCP Data ICMP Data TCP Sequence IP TTL; Filters: SYN SYN SYN SYN ICMP2 SYN SYN ICMP11 SYNACK SYN (known IP) SYN RST SYN SYN SYNACK SYN ICMP2 SYNACK Estd. SYN SYN ICMP11 SYN SYN RST SYNACK SYN SYNACK; Timers: SYN-SENT Established Timed-Wait RST
30 Axes of Classification: Binding: Type Delta Hairpin Overloading Max Flows Predictable; Preservation: Port Number Low High Dynamic Parity Sequential; Packet Mangling: TCP Data ICMP Data TCP Sequence IP TTL; Filters: SYN SYN SYN SYN ICMP2 SYN SYN ICMP11 SYNACK SYN (known IP) SYN RST SYN SYN SYNACK SYN ICMP2 SYNACK Estd. SYN SYN ICMP11 SYN SYN RST SYNACK SYN SYNACK; Timers: SYN-SENT Established Timed-Wait RST
31 Port Prediction: Problem: What port did SYN come from? [diagram labels: I am, is :1, SYN, Same Port?, Bob]
32 Port Prediction Classification: NB:Independent [diagram labels: Port: 1037, Port: 6501]
33 Port Prediction Classification: NB:Independent [diagram labels: Port: 1037, Port: 6501]
34 Port Prediction Classification: NB:Independent [diagram labels: Port: 1037, Port: 6501, to Bob predicted: 6501]
35 Port Prediction Classification: NB:Delta [diagram labels: Port: 1037, Port:]
36 Port Prediction Classification: NB:Delta [diagram labels: Port: 1037, Port:, to Bob predicted: 6505]
37 Port Prediction Classification: NB:Delta [diagram labels: Rob, Port: 1037, Port:, to Bob wrongly predicted: 6505]
38 Port Prediction Classification: NB:Random [diagram labels: Port: 1024, Port:]
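The port-prediction classes on slides 32-38, as an added example (not code from the slides or from the authors' traversal library): it classifies a NAT as NB:Independent, NB:Delta or NB:Random from the external ports seen on successive connections, predicts the next port, and reproduces the slide-37 failure where another inside host's flow consumes the predicted port. The probe sequences, the simulated NAT and all function names are constructed for illustration; only the class labels and the ports 6501 and 6505 come from the slides.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Binding:
    kind: str                 # class label as written on the slides
    delta: Optional[int]      # port step between successive mappings
    predicted: Optional[int]  # expected external port of the next connection


def classify(mapped_ports: List[int]) -> Binding:
    """Classify a NAT from the external ports it assigned to successive
    connections made from one local port to different destinations."""
    if len(mapped_ports) < 3:
        raise ValueError("need at least three observations")
    deltas = {b - a for a, b in zip(mapped_ports, mapped_ports[1:])}
    if deltas == {0}:
        # Same external port every time: the mapping does not depend on
        # the destination, so the next connection reuses it.
        return Binding("NB:Independent", 0, mapped_ports[-1])
    if len(deltas) == 1:
        # Constant step: predictable unless the port range is exhausted.
        step = deltas.pop()
        nxt = mapped_ports[-1] + step
        predicted = nxt if 1 <= nxt <= 65535 else None
        return Binding("NB:Delta", step, predicted)
    return Binding("NB:Random", None, None)


class SimulatedDeltaNat:
    """Constructed toy NAT: every new flow, from any inside host, gets the
    next external port in sequence."""

    def __init__(self, first_port: int, step: int = 1) -> None:
        self._next = first_port
        self._step = step

    def new_flow(self) -> int:
        port = self._next
        self._next += self._step
        return port


def run_prediction(competing_flows: int) -> Tuple[Binding, int, bool]:
    """Probe three times, predict, then open the real connection.
    competing_flows is how many flows other inside hosts open between the
    last probe and the real connection (the 'Rob' case on slide 37)."""
    nat = SimulatedDeltaNat(first_port=6502)        # constructed start port
    probes = [nat.new_flow() for _ in range(3)]     # 6502, 6503, 6504
    binding = classify(probes)
    for _ in range(competing_flows):
        nat.new_flow()                              # port taken by another host
    actual = nat.new_flow()
    return binding, actual, binding.predicted == actual


if __name__ == "__main__":
    print(classify([6501, 6501, 6501]))
    print(classify([1024, 40211, 9733]))
    for rivals in (0, 1):
        binding, actual, ok = run_prediction(rivals)
        print(f"rivals={rivals} predicted={binding.predicted} "
              f"actual={actual} correct={ok}")
```

A caller that relies on the predicted port has to treat a miss as a normal outcome and re-probe, since any other host behind the same NAT can shift the sequence.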
39 Projected Success: TCP traversal succeeds 85%-90% (estd.) [chart: Success Rate (%) for STUNT Spoof, STUNT Plain, Blaster, P2P; legend: Race Cond., low-ttl, No port pred., Port pred., No Race]
40 Projected Success: 1. STUNT Spoof: hard to deploy; 2. STUNT Plain: best option; 3. Blaster: fails on WinXP SP2; 4. P2P: fails on WinXP and earlier [chart: Success Rate (%) for STUNT Spoof, STUNT Plain, Blaster, P2P]
41 Software: Traversal library; JAVA implementation available; encrypted tunnel application; classification software; Windows, Linux versions available
42 Future Work: Wide-scale testing; implement in bittorrent, swarmcast, ...; standardize TCP behavior; IETF BEHAVE Working Group; I-D: draft-hoffman-behave
43 Related Issues: IPv6... Transition will require v4-v6 NATs; Firewalls... Will persist even with IPv6; Universal Plug-and-Play (UPnP)... Off by default
44 Summary: TCP traversal works! 85%-90% today, 100% soon. For P2P developers: application guidelines, TCP traversal library. For vendors: standards document, checking software