PF - PACKETFILTER FIREWALL - INTRODUCTION
Carsten Strotmann
Created: Tue 14:35

AGENDA
Day 1
- History of the PF firewall
- Types of firewalls
- PF Firewall basics
- Logging and firewall testing
- Tables and Anchors
- Simple IPv4 filter rules
PF-FIREWALL
- pf (or packet filter) is the default firewall in OpenBSD
- pf is also available for NetBSD, FreeBSD, macOS and Solaris 11
- NetBSD and FreeBSD offer alternative firewalls (npf, ipfw, ipfilter, ...)
- distributions of pf with commercial support exist (pfSense, OPNsense)
- in this training, we cover pf as shipped with FreeBSD 12 (derived from the pf of OpenBSD 4.5)

PF-HISTORY
- pf was created after a license change in the ipfilter (ipf) firewall in May 2001
- it first shipped with OpenBSD 3.0
- the original version matched the function and configuration of ipfilter
- newer versions surpassed ipfilter in function and are no longer compatible with the ipfilter rule-set syntax
TYPES OF FIREWALLS (1)
simple packet filter
- only looks at the IP header (source / destination address) and the UDP / TCP ports
- no state (every packet is evaluated on its own)
- usually fast
- can be built with Access Control Lists (ACL) on a router

TYPES OF FIREWALLS (2)
stateful inspection packet filter
- inspects the TCP connection setup and matches packets against a state table
- can also keep state for UDP and ICMP traffic
- usually very fast
TYPES OF FIREWALLS (3)
application level gateway (ALG)
- checks the traffic on the application layer (by proxying the traffic)
- needs support for all application protocols (http, smtp, ftp, ...) and their features
- needs updates whenever the application layer changes (example: EDNS0 in DNS)
- usually slow (latency) and can be brittle

TYPES OF FIREWALLS (4)
deep packet inspection firewall (DPI-FW)
- checks the application layer data without proxying the connection
- can filter on traffic content
- resource hungry
HOW DOES PF FIT IN?
- pf is a stateful inspection packet filter
- it keeps state for TCP, UDP and ICMP packets
- pf can be augmented with proxy components to build an ALG firewall (ftp, smtp, http, ...)

TCP THREE WAY HANDSHAKE
- pf tracks the state of TCP sessions (buildup and tear-down)
- incoming packets are checked against the state table first
- only if there is no match in the state table is the rule-set evaluated
ENABLING THE FIREWALL
- the pf firewall must be included in the kernel (or loaded as a kernel module)
- pf is included in the stock OpenBSD kernel and enabled by default

ENABLING THE PF FIREWALL
- pf is enabled with "pfctl -e" (on FreeBSD, pf_enable="YES" in /etc/rc.conf loads the module and enables it at boot)
TO DISABLE THE PF FIREWALL
- pf is disabled with "pfctl -d"; the rule-set stays loaded but is no longer applied

THE RULE-SET
- the rule-set is stored in a file named /etc/pf.conf
- the file location can be changed in the system configuration (pf_rules in /etc/rc.conf on FreeBSD)
LOAD THE CURRENT RULE-SET
- "pfctl -f /etc/pf.conf" loads (replaces) the rule-set from the file

A SIMPLE RULE-SET
let's first have a look at a simple rule-set:
A SIMPLE RULE-SET (1)
- pf has a "pass all" default policy; we turn that into a "block all" policy
- only explicitly permitted connections are allowed
- all blocked connection attempts are logged

A SIMPLE RULE-SET (2)
Action: either "pass" (allow) or "block" (disallow)
A SIMPLE RULE-SET (3)
Direction: either "in" (entering the firewall) or "out" (leaving the firewall)
- "direction" is always relative to the firewall machine, not to any network!

A SIMPLE RULE-SET (4)
Interface: either the name of a network interface (em1, fxp2, lo0) or the name of an interface group (a symbolic name for one or more network interfaces)
A SIMPLE RULE-SET (5)
Address family: either inet (IPv4) or inet6 (IPv6)

A SIMPLE RULE-SET (6)
IP Protocol: the upper layer protocol on top of IP. Common values are tcp, udp, icmp or icmp6
- the full list of supported protocol names and numbers can be found in the file /etc/protocols
A SIMPLE RULE-SET (7)
Source address: the source of the IP packet. Possible values:
- a single IP address ( , 2001:db8::1)
- a network block in CIDR notation ( /24, 2001:db8:1::/64)
- a range of addresses in the format "start-end"
- the keyword any (any address)
- the keyword self (all addresses of the firewall)
- a DNS name, an interface name or the name of an interface group (names are resolved when the rule-set is loaded)
- more advanced selectors (later in this training)

A SIMPLE RULE-SET (8)
Destination address: the destination of the IP packet. The same values as for the source address are possible
A SIMPLE RULE-SET (9)
Port: the number or service name of the upper layer protocol.
- a list of service names can be found in the file /etc/services

A SIMPLE RULE-SET (10)
only the action part of a rule is mandatory, all other parts have defaults:
- Direction: both directions
- Interface: all interfaces
- Address family: IPv4 and IPv6
- Protocol: all protocols
- Source / Destination: any source or destination
- Service port: all services and ports
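Here is a simple rule-set of the kind the slides above dissect, written out as an added example (it is not code from the training deck). The interface names em0 (external) and em1 (internal), the client segment 192.0.2.0/24 and the include path are assumptions; the pfctl commands in the header comment are the ones used to test, load, enable and disable the rule-set.

```pf
# /etc/pf.conf - a simple "block all, pass what we need" rule-set
# (added example; em0/em1, 192.0.2.0/24 and the include path are assumptions)
#
# Working with this file:
#   pfctl -nvf /etc/pf.conf   # -n: parse only, -v: print the expanded rules
#   pfctl -f /etc/pf.conf     # load (replace) the rule-set; states are kept
#   pfctl -e                  # enable filtering (pfctl -d disables it again)
#   pfctl -sr                 # list the running, optimised rule-set
# On FreeBSD, pf_enable="YES" in /etc/rc.conf does the loading at boot.

# shared macros/tables may live in separate files pulled in with "include"
# include "/etc/pf.d/macros.conf"

# options come first; never filter loopback traffic
set skip on lo0

# pf passes everything by default - make it "block all" and log every
# blocked packet (for pass rules only the packet that creates the state is logged)
block log all

# action dir iface  af   proto    source              destination   port
pass   in  on em1  inet proto tcp from 192.0.2.0/24   to any        port { 22, 80, 443 }

# "out" is relative to the firewall box itself (self = all of its addresses)
pass out on em0 inet proto { tcp, udp } from self to any

# a rule may span lines: "\" masks the line end; "#" comments to end of line
pass in on em1 inet proto udp \
    from 192.0.2.0/24 \
    to any port domain        # service names come from /etc/services
```

Run pfctl -nvf first every time: it catches syntax errors before anything is applied, and its verbose output shows how the port list in the third rule is expanded into three separate rules.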
STRUCTURING A RULE-SET FILE
- the pf rule-set file can be split into multiple smaller files
- files can be pulled into the main "pf.conf" rule-set with the include directive

COMMENTS AND MULTIPLE LINES
- the hash-mark "#" starts a comment that extends to the end of the line
- the backslash "\" masks the line end (extends the current rule to the next line)
QUIZ
is the following configuration file valid?
Answer: Yes, it is. The hash-mark comments out the whole line, and the line is continued

TESTING A RULE-SET
- -n: test run (just parse the rule-set and print errors, but do not reconfigure the firewall)
- -v: verbose, print the rules generated
- -f file: the rule-set file to load
LOADING A RULE-SET
- there is no need to flush the rule-set before loading a new one!
- loading a new rule-set does not touch the state table: existing connections keep working, even if the new rule-set would block them, because packets with a state entry never reach the rules
- to enforce the new rules on established connections, flush the states (pfctl -F states)

LIST THE RUNNING RULE-SET
- the rules generated by pfctl from the rule-set might differ slightly from the content of /etc/pf.conf due to optimizations
THE LAB NETWORK

LOGIN TO THE FIREWALL 1
- IPv4-Address: see Whiteboard
- Username: root
- Password: FreeBSD
- start "tmux" after login!
DOES MY FIREWALL WORK?
- the "log" keyword configures pf to write a log entry when a packet creates a new state through this rule (or is blocked by it)
- all log information is written to the log interface device pflog

THE LOG DEVICE
- the pflog0 device is a virtual network card
- sniffer tools can be used to read the data from the device (tcpdump, wireshark etc.)
PFLOGD - THE PF LOGGING DAEMON
- the pflogd process reads the log data from the pflog device and writes it into the log file /var/log/pflog
- the log file is in pcap format (binary) and can be read by common network sniffing tools (tcpdump, wireshark)

LAB - FIREWALL LOGGING AND TROUBLESHOOTING
- open a new tmux console (CTRL-b c) on firewall 1
- use the tcpdump commands below to monitor your firewall rule-set
- (optional) install wireshark on your laptop, copy the pflog file to your laptop and inspect it with wireshark
PFLOGD SNAPLEN
- in the default configuration, pflogd stores 160 bytes (snaplen) of each packet in the log file
- 160 bytes is enough for the headers, but often does not include the upper layer protocol data
- the snaplen can be changed in /etc/rc.conf (pflog_flags="-s <bytes>" on FreeBSD)
- a larger snaplen requires more disk space for the log file!

PFTOP
- pftop displays the pf state-table in real time (similar to the Unix top command)
- pftop is an optional package on FreeBSD
MACROS
- to keep a pf rule-set concise and manageable, the pf rule-set file supports macros
- macros work like shell scripting variables
- they need to be defined before use
- macro names must begin with a letter, but can contain letters, numbers and underscores
- macro names must not be reserved words (log, pass, from, ...)

MACRO EXAMPLES
LISTS
- similar rules that differ only in the interface, protocol, source and destination or service port can be combined into one line in the rule-set using lists
- a list is a comma separated list of entries in curly braces {}
- pfctl expands a rule-line with lists into multiple rules

EXAMPLE LIST
this will expand to
MORE LIST EXAMPLES
how many rules will be created from this line?
Answer: 60 rules

NEGATION
- the exclamation mark "!" can be used to indicate negation
CAUTION: LISTS AND NEGATIONS
- be careful with lists and negations
- what is the effect of this rule?
- Answer: the intent is to prevent the two listed addresses from reaching the webserver, but after list expansion every address, including those two, is allowed to reach it. That is probably not what the firewall admin intended

LAB - MAKING CONTACT TO SERVER 1
Reaching server 1
- adjust the rule-set on the firewall and on server 1 to allow icmp, ssh (port 22), ftp (port 21) and http (port 80) connections
- set a route from your laptop to the server network segment ( /24) towards the external IP of your primary firewall
- test if you can login from your laptop to server 1 using secure shell (ssh)
- test if you can reach server 1 with a web-browser from your laptop
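Macros, list expansion and the negation pitfall from the slides above, as an added example that is not code from the training deck. The interface names, the client net 192.0.2.0/24, the webserver 198.51.100.10 and the two excluded addresses 192.0.2.7 and 192.0.2.8 are assumptions; pfctl -nvf prints the expanded rules, so the 8-way expansion and the pitfall can be checked without loading anything.

```pf
# Macros, lists and negation (added example; all names and addresses are
# assumptions for illustration)

# macros: defined before use, start with a letter, must not be reserved words
ext_if     = "em0"
int_if     = "em1"
clients    = "192.0.2.0/24"
webserver  = "198.51.100.10"
www_ports  = "{ 80, 443 }"        # a macro may hold a whole list

# tables are defined up front, next to the macros
table <abusers> const { 192.0.2.7, 192.0.2.8 }

block log all

# one line with three lists expands to 2 x 2 x 2 = 8 rules (see pfctl -nvf)
pass in on { $int_if, $ext_if } inet proto { tcp, udp } \
    from any to any port { 53, 123 }

# plain negation: block everything on the inside that is not from our clients
block in on $int_if from ! $clients

# PITFALL (left commented out on purpose): a list of negations. The intent is
# "allow everybody except the two abusers", but pfctl expands it into
#   pass in on em0 proto tcp from ! 192.0.2.7 to 198.51.100.10 port 80
#   pass in on em0 proto tcp from ! 192.0.2.8 to 198.51.100.10 port 80
# A packet from 192.0.2.7 fails the first rule but matches the second (it is
# not 192.0.2.8), so it is passed - and so is everybody else.
# pass in on $ext_if proto tcp from { !192.0.2.7, !192.0.2.8 } to $webserver port $www_ports

# CORRECT: negate the set as a whole by negating a table
pass in on $ext_if proto tcp from ! <abusers> to $webserver port $www_ports
```

The same applies to any list whose entries are meant to be combined with AND: pf lists are always expanded into alternative rules (OR), so exceptions belong in a single table, not in a list of negations.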
RULE-SET EVALUATION
- pf evaluates the rule-set for every IP packet that has no prior state in the state table
- evaluation is from top to bottom of the rule-set
- the last rule that matches the packet applies (last rule wins)
- pf always evaluates all rules (except when a matching rule is marked quick)

QUICK RULES
- the firewall operator can shortcut the rule-set evaluation on a rule with the quick keyword
- whenever a rule with the quick keyword matches the current packet, this rule is used and the remainder of the rule-set is not evaluated
- packet-heavy protocols (such as DNS) should use the quick keyword and be placed at the beginning of the rule-set
DROP OR RETURN (1)
- by default, the pf firewall silently drops blocked packets
- the sender never learns what happened and must wait for a timeout
- this can lead to issues (esp. for internal machines)
- it is more polite to block with a return message saying that the connection is administratively prohibited (esp. towards internal client machines)

DROP OR RETURN (2)
- if the block policy is set to "return", pf sends a TCP RESET (RST) for blocked TCP packets and an ICMP unreachable for blocked UDP packets; all other protocols are still silently dropped
- the block policy can be defined on each block rule:
DROP OR RETURN (3)
- the block policy can also be defined globally (set block-policy):

FILTERING ICMP
- due to errors in early TCP/IP stacks of desktop operating systems (in the 1990s), firewall admins started to block ICMPv4 altogether
- many of these security issues have long been solved
- ICMP is used to communicate error messages between hosts; blocking it breaks path MTU discovery and turns fast failures into timeouts
- the IETF has an (expired) Internet-Draft on how ICMP should be filtered (draft-ietf-opsec-icmp-filtering)
- see RFC 5927 "ICMP Attacks against TCP" for current problems with ICMP
FILTERING ICMPV4
the following ICMPv4 message types/codes should be permitted to pass the firewall (names as used in the Internet-Draft):
- ICMPv4-unreach-net
- ICMPv4-unreach-host
- ICMPv4-unreach-frag-needed
- ICMPv4-unreach-admin (rate-limit)
- ICMPv4-timed-ttl
- ICMPv4-timed-reass
- ICMPv4-req-echo-message (optional)
- ICMPv4-req-echo-reply (optional)

FILTERING ICMPV4 RULE-SET
- the ICMP type and code names understood by pf are listed in the pf.conf(5) man page
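Rule order, quick, the two block policies and the ICMPv4 filter from the slides above, combined into one added example that is not code from the training deck. em0/em1, the client net 192.0.2.0/24 and the resolver 192.0.2.53 are assumptions; the ICMP type and code names are the pf.conf(5) spellings of the draft's list, and the draft's rate-limit for admin-prohibited messages has no equivalent in FreeBSD 12 pf, so it is left out.

```pf
# Evaluation order, quick, block policy and ICMPv4 (added example; em0/em1,
# 192.0.2.0/24 and the resolver 192.0.2.53 are assumptions)

ext_if   = "em0"
int_if   = "em1"
clients  = "192.0.2.0/24"
resolver = "192.0.2.53"

# global block policy: RST for TCP, ICMP unreachable for UDP, everything else
# is still dropped silently (the default policy would be "drop")
set block-policy return
set skip on lo0

# the LAST matching rule wins ...
block log all

# ... unless it carries "quick": the first quick match ends the evaluation.
# Packet-heavy protocols such as DNS go first so they leave the rule-set early.
pass in  quick on $int_if inet proto udp from $clients  to $resolver port domain
pass out quick on $ext_if inet proto udp from $resolver to any       port domain

# a per-rule policy overrides the global one: stay silent towards the outside ...
block drop   in log on $ext_if
# ... but answer internal machines so they fail fast instead of timing out
block return in log on $int_if

# ICMPv4: pass only what hosts need for error handling and path MTU discovery.
# (pf.conf(5) names; no rate limiting for filter-prohib in FreeBSD 12 pf)
pass inet proto icmp icmp-type { \
    unreach code net-unr, \
    unreach code host-unr, \
    unreach code needfrag, \
    unreach code filter-prohib, \
    timex code transit, \
    timex code reassemb, \
    echoreq, echorep }

# regular client traffic, evaluated after all the block rules above
pass in  on $int_if inet proto tcp from $clients to any port { 22, 80, 443 }
pass out on $ext_if inet proto tcp from $clients to any port { 22, 80, 443 }
```

Because the quick DNS rules sit above the block rules, a DNS packet is matched once and never reaches the rest of the rule-set; every other packet is matched against all remaining rules and the last match decides.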
TABLES
- sometimes a firewall rule-set requires a huge number of almost identical rules
- example: rules where only the from/to IP addresses change
- pf offers the table data structure to optimize large rule-sets with almost identical rules (> 10 almost identical rules)
- tables are implemented as radix trees; a lookup is much faster (and uses less memory) than evaluating separate rules

CREATING TABLES
- tables are identified by angle brackets < > around their names
- tables can be dynamic or static (constant)
- they can be defined inline in pf.conf or loaded from an external file
- they can be changed dynamically using pfctl or by external tools (through the /dev/pf ioctl interface)
TABLE DEFINITION IN PF.CONF
- the above rule-set creates the table <client-machines> with two IP addresses and all IP addresses that host.domain.test resolves to at the time the rule-set is loaded(!)
- the table is dynamic and can be extended during runtime
- the table is used in a rule that permits all machines from the table to communicate with the outside world

NON-DYNAMIC (STATIC) TABLES
- tables can be "locked" (const) so that they cannot be changed during runtime
- they can only be changed by editing pf.conf and reloading the configuration
PERSISTENT TABLES
- pf removes a table as soon as no rule refers to it anymore (to save memory)
- if we want to keep a table around (even if nothing refers to it), it must be marked with the persist keyword

ADDING ADDRESSES TO A TABLE
- pfctl can be used to add one or more addresses to a table
- the table name is given without the angle brackets
- external tools can add entries to a table through an API (the /dev/pf ioctl interface)
LOADING THE TABLE CONTENT FROM A FILE (1/2)
- for large tables, the table content can be loaded from a file
- the file must contain the IP addresses, network definitions or hostnames for the table, one entry per line
- hostnames are resolved to all their addresses (IPv4 and IPv6) at the time the file is loaded
- because of DNS spoofing, it is recommended not to use DNS name resolution in a firewall rule-set without DNSSEC validation (a rule-set with names also fails to load when DNS is unavailable, e.g. at boot)

LOADING THE TABLE CONTENT FROM A FILE (2/2)
Example source file for a table definition
LOADING ADDRESSES FROM A FILE
- new table content can be added from a file (pfctl -t <table> -T add -f <file>)

REMOVING ENTRIES FROM A TABLE
- the pfctl subcommand "delete" is used to remove single entries from a table
- the subcommand "flush" removes all entries from a table
REMOVING A TABLE
- a table can be removed from the firewall with the "kill" subcommand

LAB - TABLES
- on Firewall 1, change the rule-set to create a table containing all machines from the server and client network segments
- create a rule that permits ICMPv4 traffic from the client and server network segments to the firewall
- test with the ping tool from a server and a client VM towards the firewall whether the rule-set works
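Tables as described in the slides above, as an added example that is not code from the training deck: a dynamic table containing a DNS name, a const table, a persist table fed from a file, and the pfctl table commands as comments. All addresses, the file names and the host name resolver.domain.test are assumptions.

```pf
# Tables (added example; addresses, file names and resolver.domain.test are
# assumptions)

ext_if = "em0"
int_if = "em1"

# dynamic table: two fixed addresses plus every address resolver.domain.test
# resolves to when the rule-set is loaded (never re-resolved afterwards)
table <client-machines> { 192.0.2.10, 192.0.2.11, resolver.domain.test }

# const: cannot be changed at runtime, only by editing pf.conf and reloading
table <servers> const { 198.51.100.0/24 }

# persist: kept even when no rule references it (otherwise the kernel drops
# the table once the last rule using it is gone). Content comes from a file
# with one entry per line; "#" comments and hostnames are allowed there too.
table <blocked> persist file "/etc/pf/blocked.txt"

block log all

# one rule, however many entries the table holds
block in quick on $ext_if from <blocked>

pass in  on $int_if from <client-machines> to any
pass out on $ext_if from <client-machines> to any

# tables may be mixed with other addresses in a list
pass in on $int_if inet proto icmp from { <client-machines>, <servers> } \
    to self icmp-type echoreq

# Runtime management with pfctl (table name without the angle brackets):
#   pfctl -t blocked -T add 203.0.113.5 203.0.113.0/28   # add entries
#   pfctl -t blocked -T add -f /etc/pf/more-blocked.txt   # add from a file
#   pfctl -t blocked -T replace -f /etc/pf/blocked.txt    # reload the file
#   pfctl -t blocked -T show                              # list entries
#   pfctl -t blocked -T test 203.0.113.9                  # is it a member?
#   pfctl -t blocked -T delete 203.0.113.5                # remove one entry
#   pfctl -t blocked -T flush                             # remove all entries
#   pfctl -t blocked -T kill                              # remove the table
```

The <blocked> rule is the usual shape for a blocklist: quick, early, and backed by a persist table, so an external tool can add and remove addresses with pfctl -T without ever reloading pf.conf.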
ANCHORS
- anchors are containers for firewall rules, similar to directories in a file system
- think of the main rule-set as the root directory; anchors are subdirectories
- anchors can contain anchors, rules and tables
- rules inside anchors can be changed at runtime (without changing and reloading pf.conf)
- anchors are mostly used by software tools that change the firewall rule-set dynamically

EXAMPLE RULE-SET WITH ANCHOR (1)
- the aim of this rule-set is to allow all internal clients to communicate out, but we want to be able to "blacklist" (stop) abusers
EXAMPLE RULE-SET WITH ANCHOR (2)
- the default policy is to block everything

EXAMPLE RULE-SET WITH ANCHOR (3)
- an empty anchor named "blacklist" is defined
- at this point in the rule-set, all rules that are in the anchor "blacklist" are evaluated
EXAMPLE RULE-SET WITH ANCHOR (4)
- this allows traffic from our client segment to leave the network (and the return traffic to pass back in)

DEFINING THE ANCHOR CONTENT INLINE
- the content of an anchor can be defined inline in pf.conf
- the anchor content is enclosed in curly braces "{ }"
ANCHOR WITH FILTER
- an anchor can use the same filter parameters as normal filtering rules
- if anchor filters are used, the content of the anchor is only evaluated for matching packets
- this anchor blocks DNS traffic coming in on interface em

LOADING ANCHOR CONTENT FROM A FILE
- the rules inside an anchor can be loaded from a file (load anchor ... from ...):
- the file /etc/pf-blacklist.conf can contain firewall rules, tables and other anchors
CHANGING THE ANCHOR CONTENT FROM THE COMMAND LINE
- the above command pipes a new filter rule into pfctl for anchor "blacklist"
- "-f -" tells pfctl to read the new rule from stdin
- the echo command prints the new rule, which is piped into pfctl
- changing the rule-set this way always replaces the previous rules in the anchor with the new rule(s)

LOADING ANCHOR CONTENT FROM A FILE DYNAMICALLY
- read and replace all rules in the named anchor (blacklist) with the rules in the file /etc/pf-blacklist.conf
LIST THE ACTIVE RULES BELOW AN ANCHOR
- pfctl can be used to list all rules and sub-anchors below an anchor
- list sub-anchors below the anchor with the name "blacklist"

FLUSHING ALL RULES FROM AN ANCHOR
- to erase all rules from an anchor, use pfctl -a <anchor> -Fr
- all flush (-F) commands can be applied to anchors
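Anchors as described above, as an added example that is not code from the training deck: an empty blacklist anchor filled at runtime, an inline anchor with a filter, an anchor whose content is loaded from a file, and the pfctl commands for changing, listing and flushing anchor content. em0/em1, the client net 192.0.2.0/24, the resolver 192.0.2.53 and the file /etc/pf-egress.conf are assumptions (the file must exist for the rule-set to load).

```pf
# Anchors (added example; interfaces, addresses and /etc/pf-egress.conf are
# assumptions)

ext_if   = "em0"
int_if   = "em1"
clients  = "192.0.2.0/24"
resolver = "192.0.2.53"

block log all

# empty anchor: whatever is loaded into "blacklist" at runtime is evaluated
# here, before the pass rules below. A "block ... quick" inside it ends the
# evaluation, so an abuser never reaches the pass rules.
anchor "blacklist"

# anchor with a filter: its content is only evaluated for packets that match
# the filter (here: DNS from the inside); other packets skip it entirely
anchor "dns-policy" in on $int_if proto { tcp, udp } to port domain {
    block log quick from any to ! $resolver     # only our resolver may be used
    pass from $clients to $resolver
}

# anchor content kept in a separate file (rules, tables, sub-anchors)
anchor "egress-policy"
load anchor "egress-policy" from "/etc/pf-egress.conf"

pass in  on $int_if from $clients to any
pass out on $ext_if from $clients to any

# Runtime changes; every load REPLACES the anchor's previous rules:
#   echo "block in quick on em1 from 192.0.2.99" | pfctl -a blacklist -f -
#   pfctl -a blacklist -f /etc/pf-blacklist.conf   # reload from a file
#   pfctl -a blacklist -sr                          # rules inside the anchor
#   pfctl -a blacklist -sA                          # sub-anchors below it
#   pfctl -a blacklist -Fr                          # flush the anchor's rules
#   pfctl -sr                                       # main rule-set only
```

Since a load into an anchor replaces its content, a tool that wants to add a single abuser must write the complete new list, or use a table inside the anchor and add to the table with pfctl -T instead.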
LAB - ANCHORS
- define an anchor called protocol-blacklist
- the aim of this blacklist is to stop traffic from the client segment that is generated by unwanted protocols or should otherwise never leave the local network
- the blacklist should block: smtp (port 25), netbios ( ), mysql (3306), postgresql (5432), ms-sql (1433)
- test and make sure that these ports are blocked

FTP AND FIREWALLS
- FTP (File Transfer Protocol, RFC 959, October 1985) is a rather ancient protocol whose origins predate TCP/IP
- the original FTP (active mode) uses a control channel to port 21 and a data back-channel from port 20 on the server to a random high port on the client
- the high port is negotiated inside the control channel, invisible to the firewall
- a pure packet-filter firewall is not able to open the port for the data channel
- some FTP clients and servers support "passive" FTP, where the client opens both connections, but "passive" FTP is sometimes not available
FTP AND THE PF FIREWALL
- the PF firewall has special support for FTP: ftp-proxy
- ftp-proxy is a special ALG (application layer gateway) component
- it observes the FTP communication between client and server
- it can dynamically open the port for the data channel

FTP-PROXY DEBUG MODE
- to trace the operation of ftp-proxy, stop the running ftp-proxy process and start the proxy in debug mode (ftp-proxy -d: stay in the foreground and log to stderr)
- only do this for debugging purposes!
PF RULE-SET FOR FTP-PROXY OPERATIONS (1)
- the anchor ftp-proxy/* will contain all dynamically created rules for the FTP data channel

PF RULE-SET FOR FTP-PROXY OPERATIONS (2)
- incoming FTP traffic (from client to outside server) is diverted (rdr) to port 8021 on the loopback address (where ftp-proxy is listening)
PF RULE-SET FOR FTP-PROXY OPERATIONS (3)
- rule to allow FTP traffic generated by the firewall itself (client FTP traffic going through ftp-proxy) to leave the firewall
- with this rule, all FTP traffic goes through the ftp-proxy ALG

TESTING THE FIREWALL WITH NMAP
- after writing a new firewall rule-set, test the rule-set
- testing should be automated if possible (like unit tests)
- nmap is a popular port scanner that can be used to test the firewall and all networks controlled by the firewall
- the firewall should be tested in all directions (outside-in and inside-out)
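A complete ftp-proxy rule-set for FreeBSD 12 pf (which still uses the pre-OpenBSD-4.7 rdr syntax), as an added example that is not code from the training deck. em0 (outside), em1 (inside) and the client net 192.0.2.0/24 are assumptions; port 8021 is ftp-proxy's default listening port and ftp-proxy/* is the anchor name the slides refer to.

```pf
# ftp-proxy on FreeBSD 12 pf (added example; em0/em1 and 192.0.2.0/24 are
# assumptions)
#
# Start the proxy at boot:  ftpproxy_enable="YES" in /etc/rc.conf
# Debug run instead:        service ftp-proxy stop; ftp-proxy -d -D 7
#                           (foreground, verbose - only while debugging!)

ext_if  = "em0"
int_if  = "em1"
clients = "192.0.2.0/24"

# translation section: ftp-proxy installs its nat/rdr rules for the data
# channel below these anchors
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# divert the clients' control connections (port 21) to the proxy on
# 127.0.0.1:8021; "rdr pass" also passes the redirected packet
rdr pass on $int_if proto tcp from $clients to any port ftp -> 127.0.0.1 port 8021

block log all

# filter section: the pass rules ftp-proxy creates on the fly for each
# negotiated data channel appear here
anchor "ftp-proxy/*"

# the proxy's own control connection from the firewall to the outside server
pass out on $ext_if proto tcp from ($ext_if) to any port ftp

# ordinary client traffic
pass in  on $int_if from $clients to any
pass out on $ext_if from $clients to any
```

While a transfer is running, pfctl -a "ftp-proxy/*" -sr shows the temporary rule the proxy inserted for the data channel; it disappears when the session ends.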
LAB - TEST YOUR FIREWALL WITH NMAP
- install nmap on your laptop
- run nmap -v -A -PN [target] (-PN is the old spelling of -Pn: skip host discovery and scan even without a ping reply) against the firewall's IP address, as well as against the server and client networks
- are the results what you expected?

SEPARATING LOG INFORMATION
- sometimes logging for specific uses should be separated from the general output
  - for debugging purposes
  - to monitor traffic patterns
- pf can send log information to extra logging devices
CREATING EXTRA LOG DEVICES
- extra pflog devices can be created using ifconfig (ifconfig pflog1 create up):
- or, on OpenBSD, create the file /etc/hostname.pflog1 containing just the word "up" (on FreeBSD, add pflog1 to cloned_interfaces in /etc/rc.conf)

SENDING LOG INFORMATION
example of sending the log information from two rules to the device pflog
SPECIAL LOGGING
the pf firewall supports keywords to fine-tune the log output:
- log (all) logs all packets, not only the first one that creates the state. Use carefully, this can create HUGE amounts of log information
- log (matches) logs every subsequent rule that matches this packet, even if that rule itself has no log statement
- log (user) logs the user-id (UID) and process-id (PID) of the local process that sends or receives the packet. This only works for packets that originate from or terminate on the local machine

TAGGING OF PACKETS
- pf supports the tagging of incoming packets
- each packet can carry only one tag at a time
- filter rules can act on the tag of a packet (tagged)
- tagging incoming packets can make the rule-set simpler (and a simpler rule-set is always good)
SKIP FILTERING ON INTERFACES
- sometimes it is desired not to filter traffic on a specific interface
- common examples are the loopback interface (lo0) or pfsync interfaces
- the "set skip on" directive disables filtering on an interface
- it is recommended to list the "set skip on" directive at the top of the rule-set

LABEL TRAFFIC
- the keyword label can be used to create extra statistics counters inside the pf firewall
- the statistics counters can be listed with pfctl
ACCOUNTING TRAFFIC BY LABEL
label can be used for traffic accounting; pfctl -vsl prints per label:
- how many times the rule has been evaluated
- number of packets passed
- number of bytes passed
- packets / bytes passed in
- packets / bytes passed out

LAB - ADVANCED LOGGING
- create a new log device
- configure a rule on the firewall to log all packets of all www communication between the client and server 1 onto the new log device
- use the text mode browser "links" to access the website on server 1
- use tcpdump to inspect the traffic on the new pflog device
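The logging, tagging, skip and label features from the slides above in one added example that is not code from the training deck. em0/em1, the client net, the webserver 198.51.100.10, the tag name and the label texts are assumptions; the device pflog1 has to exist before this rule-set loads.

```pf
# Logging, tagging and labels (added example; interfaces, addresses, tag and
# label names are assumptions)
#
# Before loading:
#   ifconfig pflog1 create up          # extra log device (FreeBSD: also put
#                                      # cloned_interfaces="pflog1" in rc.conf)
#   tcpdump -n -e -ttt -i pflog1       # watch the extra device live
#   tcpdump -n -e -ttt -r /var/log/pflog port 80   # read pflogd's pcap file
# pflogd keeps 160 bytes per packet; pflog_flags="-s 1500" in rc.conf raises it.

ext_if    = "em0"
int_if    = "em1"
clients   = "192.0.2.0/24"
webserver = "198.51.100.10"

set skip on lo0            # never filter loopback (add pfsync interfaces here)

block log all              # each blocked packet is logged to pflog0

# tag on the way in, act on the tag on the way out: the "is this one of our
# clients" decision is taken once; later rules only look at the tag
pass in  on $int_if from $clients tag FROM_CLIENTS
pass out on $ext_if tagged FROM_CLIENTS

# web traffic to the lab server: log EVERY packet (not just the first) to
# pflog1, and give each rule its own counters via a label
pass in  log (all, to pflog1) on $int_if proto tcp from $clients to $webserver port 80 \
    label "www-in-$srcaddr"
pass out log (all, to pflog1) on $ext_if proto tcp from $clients to $webserver port 80 \
    label "www-out"

# also log every later rule that matches a packet arriving from outside
# (compare rule numbers with pfctl -vsr)
block in log (matches) on $ext_if

# traffic terminating on the firewall itself: record uid/pid of the local process
pass in log (user) on $int_if proto tcp from $clients to self port 22

# Counters per label:
#   pfctl -vsl   ->  label  evaluations  packets  bytes  in-pkts  in-bytes  out-pkts  out-bytes
#   pfctl -zl    ->  reset the counters after reading them (accounting runs)
```

Note the position of log: it belongs right after the direction, before "on", which is why the tag and label keywords (filter options) sit at the end of the rule instead.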
INTERFACE GROUP LABEL
- on operating systems that support the "group" function on network interfaces (OpenBSD, NetBSD, FreeBSD), pf rules can be specified by interface group
- this can make the definition of rules simpler
- group labels on interfaces are stable and do not change automatically (if the hardware NIC is replaced and the driver name changes, only the group assignment has to be redone, not the rule-set)

EXAMPLE OF INTERFACE GROUP LABELS (1/2)
- an interface group label can be set using ifconfig (ifconfig <interface> group <name>)
EXAMPLE OF INTERFACE GROUP LABELS (2/2)
Example rule with interface group label
- an interface group label without a modifier resolves to all IP addresses (IPv4 and IPv6) on the interfaces of that group

INTERFACE GROUP MODIFIER (1)
- <interface-group>:0 - only resolve to the primary IP address of that interface (IPv4 or IPv6), ignore any alias addresses
- <interface-group>:network - resolve to the full network of the interface
INTERFACE GROUP MODIFIER (2)
- <interface-group>:broadcast - resolve to the IPv4 broadcast address(es) of that interface group
- <interface-group>:peer - resolve to the peer address(es) of a point-to-point interface

END DAY
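Interface groups and the modifiers listed above, as an added example that is not code from the training deck. The NIC names em0/em1, the group names wan/lan and the addresses are assumptions.

```pf
# Interface groups (added example; em0/em1, wan/lan and addresses are
# assumptions)
#
# Assign the groups once, e.g. in /etc/rc.conf on FreeBSD:
#   ifconfig_em0="inet 203.0.113.2/24 group wan"
#   ifconfig_em1="inet 192.0.2.1/24 group lan"
# or at runtime:  ifconfig em0 group wan ; ifconfig em1 group lan
# The rules below never mention em0/em1, so swapping em0 for igb0 only needs
# the group assignment to be redone.

set skip on lo0
block log all

# no directed broadcasts from outside into the LAN
block in quick on wan inet from any to lan:broadcast

# "lan:network" = the prefix configured on lan (192.0.2.0/24 here);
# "(wan:0)" = only the primary address of wan, tracked when it changes
pass in  on lan inet from lan:network to any
pass out on wan inet from (wan:0)     to any

# the group name alone stands for every address on its interfaces; "self"
# stands for every address on the firewall
pass in on lan inet proto icmp from lan:network to self icmp-type echoreq
pass in on lan inet proto tcp  from lan:network to lan  port 22
```

pfctl -vsr shows what each group and modifier expanded to at load time; a parenthesised name like (wan:0) is the only form that is re-evaluated later, when the address on wan changes.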
PF - PACKETFILTER FIREWALL - ADVANCED
Carsten Strotmann, https://blog.defaultroutes.de
2019-01-08 Tue
Created: 2019-01-08 Tue 14:30

ORDER OF PF-RULES (FOR FREEBSD OR OPENBSD
More informationConfiguring Health Monitoring
CHAPTER1 This chapter describes how to configure health monitoring on the ACE to track the state of a server by sending out probes. Also referred to as out-of-band health monitoring, the ACE verifies the
More informationConfiguring Commonly Used IP ACLs
Configuring Commonly Used IP ACLs Document ID: 26448 Contents Introduction Prerequisites Requirements Components Used Conventions Configuration Examples Allow a Select Host to Access the Network Deny a
More informationWhen does it work? Packet Sniffers. INFO Lecture 8. Content 24/03/2009
Packet Sniffers INFO 404 - Lecture 8 24/03/2009 nfoukia@infoscience.otago.ac.nz Definition Sniffer Capabilities How does it work? When does it work? Preventing Sniffing Detection of Sniffing References
More informationIntroduction to Computer Networks. CS 166: Introduction to Computer Systems Security
Introduction to Computer Networks CS 166: Introduction to Computer Systems Security Network Communication Communication in modern networks is characterized by the following fundamental principles Packet
More informationLAB THREE STATIC ROUTING
LAB THREE STATIC ROUTING In this lab you will work with four different network topologies. The topology for Parts 1-4 is shown in Figure 3.1. These parts address router configuration on Linux PCs and a
More informationUnit 4: Firewalls (I)
Unit 4: Firewalls (I) What is a firewall? Types of firewalls Packet Filtering Statefull Application and Circuit Proxy Firewall services and limitations Writing firewall rules Example 1 Example 2 What is
More informationCounterACT 7.0 Single CounterACT Appliance
CounterACT 7.0 Single CounterACT Appliance Quick Installation Guide Table of Contents Welcome to CounterACT Version 7.0....3 Included in your CounterACT Package....3 Overview...4 1. Create a Deployment
More informationAN TOÀN LỚP 4: TCP/IP ATTACKS NGUYEN HONG SON PTITHCM
1 AN TOÀN LỚP 4: TCP/IP ATTACKS NGUYEN HONG SON PTITHCM 2 Introduction (1/2) TCP provides a full duplex reliable stream connection between two end points A connection is uniquely defined by the quadruple
More informationch02 True/False Indicate whether the statement is true or false.
ch02 True/False Indicate whether the statement is true or false. 1. No matter what medium connects computers on a network copper wires, fiber-optic cables, or a wireless setup the same protocol must be
More informationConfiguring IP SLAs TCP Connect Operations
This module describes how to configure an IP Service Level Agreements (SLAs) TCP Connect operation to measure the response time taken to perform a TCP Connect operation between a Cisco router and devices
More informationCIT 480: Securing Computer Systems
CIT 480: Securing Computer Systems Scanning CIT 480: Securing Computer Systems Slide #1 Topics 1. Port Scanning 2. Stealth Scanning 3. Version Identification 4. OS Fingerprinting CIT 480: Securing Computer
More informationImplementing Firewall Technologies
Implementing Firewall Technologies Network firewalls separate protected from non-protected areas preventing unauthorized users from accessing protected network resources. Technologies used: ACLs Standard,
More informationHP 6125G & 6125G/XG Blade Switches
HP 6125G & 6125G/XG Blade Switches Network Management and Monitoring Configuration Guide Part number: 5998-3162b Software version: Release 2103 and later Document version: 6W103-20151020 Legal and notice
More informationUsing ICMP to Troubleshoot TCP/IP Networks
Laura Chappell Using ICMP to Troubleshoot TCP/IP Networks Illustration: Norman Felchle Editor s Note: This article is based on Laura Chappell s upcoming book TCP/IP Analysis and Troubleshooting, which
More informationNetwork Security. Kitisak Jirawannakool Electronics Government Agency (public organisation)
1 Network Security Kitisak Jirawannakool Electronics Government Agency (public organisation) A Brief History of the World 2 OSI Model vs TCP/IP suite 3 TFTP & SMTP 4 ICMP 5 NAT/PAT 6 ARP/RARP 7 DHCP 8
More informationChapter 6 Global CONFIG Commands
Chapter 6 Global CONFIG Commands aaa accounting Configures RADIUS or TACACS+ accounting for recording information about user activity and system events. When you configure accounting on an HP device, information
More informationNetwork+ Guide to Networks 6 th Edition. Chapter 4 Introduction to TCP/IP Protocols
Network+ Guide to Networks 6 th Edition Chapter 4 Introduction to TCP/IP Protocols Objectives Identify and explain the functions of the core TCP/IP protocols Explain the TCP/IP model and how it corresponds
More informationLoad Balancing Sage X3 ERP. Deployment Guide v Copyright Loadbalancer.org, Inc
Load Balancing Sage X3 ERP Deployment Guide v1.0.1 Copyright 2002 2017 Loadbalancer.org, Inc Table of Contents 1. About this Guide...3 2. Deployment...3 3. Initial Setup...3 Accessing the Loadbalancer.org
More informationHP 6125 Blade Switch Series
HP 6125 Blade Switch Series Network Management and Monitoring Configuration Guide Part number: 5998-3162 Software version: Release 2103 Document version: 6W100-20120907 Legal and notice information Copyright
More informationObject Groups for ACLs
The feature lets you classify users, devices, or protocols into groups and apply these groups to access control lists (ACLs) to create access control policies for these groups. This feature lets you use
More informationRouter and ACL ACL Filter traffic ACL: The Three Ps One ACL per protocol One ACL per direction One ACL per interface
CCNA4 Chapter 5 * Router and ACL By default, a router does not have any ACLs configured and therefore does not filter traffic. Traffic that enters the router is routed according to the routing table. *
More informationLab I: Using tcpdump and Wireshark
Objectives To get the student familiar with basic network protocol analyzer, tools and equipment used in later labs, including tcpdump and Wireshark. Lab Readings Go to http://www.tcpdump.org/tcpdump_man.html
More informationNetwork Tools. Contents. Saurabh Barjatiya Mon. 1 Port scanning (nmap) 2
Network Tools Saurabh Barjatiya 2012-03-19 Mon Contents 1 Port scanning (nmap) 2 2 Capturing packets at command line (tcpdump) 3 2.1 About tcpdump.......................... 3 2.2 Useful command line options..................
More informationLab 2: Creating Secure Architectures
Lab 2: Creating Secure Architectures A Challenge Our challenge is to setup MyBank Incorp, where each of you will be allocated a network and hosts to configure and get on-line (Figure 1). For this you will
More informationDKT 224/3 LAB 2 NETWORK PROTOCOL ANALYZER DATA COMMUNICATION & NETWORK SNIFFING AND IDENTIFY PROTOCOL USED IN LIVE NETWORK
DKT 224/3 DATA COMMUNICATION & NETWORK LAB 2 NETWORK PROTOCOL ANALYZER SNIFFING AND IDENTIFY PROTOCOL USED IN LIVE NETWORK Lab #2 2 Lab #2 : Network Protocol Analyzer (Sniffing and Identify Protocol used
More informationQUIZ: Longest Matching Prefix
QUIZ: Longest Matching Prefix A router has the following routing table: 10.50.42.0 /24 Send out on interface Z 10.50.20.0 /24 Send out on interface A 10.50.24.0 /22 Send out on interface B 10.50.20.0 /22
More informationR (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.
R (2) N (5) Oral (3) Total (10) Dated Sign Experiment No: 1 Problem Definition: Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing. 1.1 Prerequisite:
More informationCCNA Security Instructor Packet Tracer Manual
1.0.1 Instructor Packet Tracer Manual This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document for non-commercial distribution and exclusive use
More informationLab Configuring Dynamic and Static NAT (Solution)
(Solution) Topology Addressing Table Objectives Device Interface IP Address Subnet Mask Default Gateway Gateway G0/1 192.168.1.1 255.255.255.0 N/A S0/0/1 209.165.201.18 255.255.255.252 N/A ISP S0/0/0 (DCE)
More informationLab 1: Creating Secure Architectures (Revision)
Lab 1: Creating Secure Architectures (Revision) A Challenge Our challenge is to setup MyBank Incorp, where each of you will be allocated a network and hosts to configure and get on-line (Figure 1). For
More informationThree interface Router without NAT Cisco IOS Firewall Configuration
Three interface Router without NAT Cisco IOS Firewall Configuration Document ID: 13893 Contents Introduction Prerequisites Requirements Components Used Conventions Configure Network Diagram Configurations
More informationThis material is based on work supported by the National Science Foundation under Grant No
Source: http://en.wikipedia.org/wiki/file:firewall.png This material is based on work supported by the National Science Foundation under Grant No. 0802551 Any opinions, findings, and conclusions or recommendations
More informationStudy Guide. Using ACLs to Secure Networks
CHAPTER 5 ACLs The Study Guide portion of this chapter uses a combination of matching, multiple-choice, and open-ended question exercises to test your knowledge of the various types of access control lists
More informationLAN Setup Reflection
LAN Setup Reflection After the LAN setup, ask yourself some questions: o Does your VM have the correct IP? o Are you able to ping some locations, internal and external? o Are you able to log into other
More informationGenie Snoop lab. Laboration in data communication GenieLab Department of Information Technology, Uppsala University
Genie Snoop lab Laboration in data communication GenieLab Department of Information Technology, Uppsala University Overview This lab deals with network layers, services and HTTP transactions as well as
More informationConfiguring Advanced Firewall Settings
Configuring Advanced Firewall Settings This section provides advanced firewall settings for configuring detection prevention, dynamic ports, source routed packets, connection selection, and access rule
More informationUIP1869V User Interface Guide
UIP1869V User Interface Guide (Firmware version 0.1.8 and later) Table of Contents Opening the UIP1869V's Configuration Utility... 3 Connecting to Your Broadband Modem... 5 Setting up with DHCP... 5 Updating
More informationVII. Corente Services SSL Client
VII. Corente Services SSL Client Corente Release 9.1 Manual 9.1.1 Copyright 2014, Oracle and/or its affiliates. All rights reserved. Table of Contents Preface... 5 I. Introduction... 6 Chapter 1. Requirements...
More informationLab b Simple Extended Access Lists
Lab 11.2.2b Simple Extended Access Lists 1-7 CCNA 2: Simple Extended Access Lists v 3.1 - Lab 11.2.2b Copyright 2003, Cisco Systems, Inc. Objective Scenario In this lab, configuring extended access lists
More information1. Which OSI layers offers reliable, connection-oriented data communication services?
CCNA 1 Practice Final Exam Answers v4.0 100% 1. Which OSI layers offers reliable, connection-oriented data communication services? application presentation session transport network 2. Refer to the exhibit.
More informationLab Configuring Dynamic and Static NAT (Instructor Version Optional Lab)
(Instructor Version Optional Lab) Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only. Optional activities are designed to enhance understanding and/or
More informationinside: THE MAGAZINE OF USENIX & SAGE April 2002 Volume 27 Number 2 SECURITY A Remote Active OS Fingerprinting Tool Using ICMP BY OFIR ARKIN
THE MAGAZINE OF USENIX & SAGE April 2002 Volume 27 Number 2 inside: SECURITY A Remote Active OS Fingerprinting Tool Using ICMP BY OFIR ARKIN & The Advanced Computing Systems Association & The System Administrators
More informationUDP and TCP. Introduction. So far we have studied some data link layer protocols such as PPP which are responsible for getting data
ELEX 4550 : Wide Area Networks 2015 Winter Session UDP and TCP is lecture describes the two most common transport-layer protocols used by IP networks: the User Datagram Protocol (UDP) and the Transmission
More informationFirewall Stateful Inspection of ICMP
Firewall Stateful Inspection of ICMP Last Updated: March 26, 2012 The Firewall Stateful Inspection of ICMP feature addresses the limitation of qualifying Internet Control Management Protocol (ICMP) messages
More informationIP - The Internet Protocol. Based on the slides of Dr. Jorg Liebeherr, University of Virginia
IP - The Internet Protocol Based on the slides of Dr. Jorg Liebeherr, University of Virginia Orientation IP (Internet Protocol) is a Network Layer Protocol. IP: The waist of the hourglass IP is the waist
More informationIntroduction to Network. Topics
Introduction to Network Security Chapter 7 Transport Layer Protocols 1 TCP Layer Topics Responsible for reliable end-to-end transfer of application data. TCP vulnerabilities UDP UDP vulnerabilities DNS
More informationTerminal Services Commands translate lat
translate lat translate lat To translate a connection request to another protocol connection type when receiving a local-area transport (LAT) request, use the translate lat command in global configuration
More informationInstituto Superior Técnico, Universidade de Lisboa Network and Computer Security. Lab guide: Traffic analysis and TCP/IP Vulnerabilities
Instituto Superior Técnico, Universidade de Lisboa Network and Computer Security Lab guide: Traffic analysis and TCP/IP Vulnerabilities Revised on 2016-10-18 Alpha version: This is an early version and
More informationComputer Networks Security: intro. CS Computer Systems Security
Computer Networks Security: intro CS 166 - Computer Systems Security A very easy network 3/14/16 Computer Networks: Intro 2 Two philosophers example Translator Language Translator Engineer Communication
More informationipfw & IP Filter Yung-Zen Lai 2004/10
ipfw & IP Filter Yung-Zen Lai (yzlai@tp.edu.tw) 2004/10 Agenda Network and Firewall Basics ipfw FreeBSD IP Firewall and Traffic Shaper Firewall Traffic Shaper IP Filter TCP/IP Firewall/NAT Software Firewall
More informationCCNA Semester 2 labs. Labs for chapters 2 10
CCNA Semester 2 labs Labs for chapters 2 10 2.2.2.5 Lab - Configuring IPv4 Static and Default Routes 2.3.2.4 Lab - Troubleshooting Static Routes 3.2.1.9 Lab - Configuring Basic RIPv2 5.2.2.9 Lab - Configuring
More informationChapter 8 roadmap. Network Security
Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity 8.4 Securing e-mail 8.5 Securing TCP connections: SSL 8.6 Network layer security: IPsec 8.7 Securing
More informationVPN Connection through Zone based Firewall Router Configuration Example
VPN Connection through Zone based Firewall Router Configuration Example Document ID: 112051 Contents Introduction Prerequisites Requirements Components Used Conventions Background Information Configure
More informationHow to Configure a Remote Management Tunnel for an F-Series Firewall
How to Configure a Remote Management Tunnel for an F-Series Firewall If the managed NextGen Firewall F-Series cannot directly reach the NextGen Control Center, it must connect via a remote management tunnel.
More informationLab Configure Cisco IOS Firewall CBAC
Lab 3.8.3 Configure Cisco IOS Firewall CBAC Objective Scenario Topology Estimated Time: 50 minutes Number of Team Members: Two teams with four students per team. In this lab, students will complete the
More information