Intranets
CSC362, Information Security

IP numbers and Hosts
i. IP numbers denote interfaces rather than entities
ii. a single router can connect several different networks
iii. a single interface can be assigned to different hosts (at different times)
(figures illustrating ii and iii)

Dynamic Host Configuration Protocol
- DHCP: a newly attached host is assigned an IP address, default router (gateway), DNS server, etc.
- client-server model: the client is the new host; the server is the DHCP server (in the subnet, or known to the subnet)

Dynamic Host Configuration Protocol
- DHCP Discover: origin 0.0.0.0, port 68; destination 255.255.255.255, port 67
- DHCP Offer: origin DHCP server, port 67; destination 255.255.255.255, port 68
- DHCP Request: origin 0.0.0.0, port 68; destination 255.255.255.255, port 67
- DHCP ACK: origin DHCP server, port 67; destination 255.255.255.255, port 68
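The four-message exchange above, worked through in code. This is an added example, not part of the CSC362 slides: it encodes each message in the RFC 2131 fixed-header layout with RFC 2132 options, records the UDP endpoints the slide lists for each step, and has the server check the server-identifier option so that a Request aimed at a different server's offer is ignored. The server address, address pool, router, DNS server and MAC addresses are constructed sample values.

```python
"""Added example (not from the slides): a model of the DHCP Discover/Offer/
Request/ACK exchange in RFC 2131 wire layout. All addresses are constructed."""
import struct
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"
# option codes from RFC 2132
OPT_ROUTER, OPT_DNS, OPT_REQUESTED_IP, OPT_LEASE_TIME = 3, 6, 50, 51
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
HDR_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236 bytes up to the magic cookie
BOOTREQUEST, BOOTREPLY = 1, 2

def build(op, xid, chaddr, yiaddr, options):
    """Pack the fixed header, the magic cookie and TLV options, then END."""
    hdr = struct.pack(HDR_FMT, op, 1, 6, 0, xid, 0, 0x8000,   # broadcast flag
                      b"\0" * 4, ipaddress.IPv4Address(yiaddr).packed,
                      b"\0" * 4, b"\0" * 4, chaddr.ljust(16, b"\0"),
                      b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC_COOKIE + body + bytes([OPT_END])

def parse(msg):
    """Unpack the fixed header and walk the option TLVs into a dict."""
    f = struct.unpack(HDR_FMT, msg[:236])
    if msg[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(msg) and msg[i] != OPT_END:
        code, ln = msg[i], msg[i + 1]
        opts[code] = msg[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": f[0], "xid": f[4], "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "chaddr": f[11][:6], "options": opts}

class DhcpServer:
    def __init__(self, ip, pool, router, dns, lease=3600):
        self.ip, self.free, self.leases = ip, list(pool), {}
        self.router, self.dns, self.lease = router, dns, lease

    def _opts(self, kind, ip):
        return [(OPT_MSG_TYPE, bytes([kind])),
                (OPT_SERVER_ID, ipaddress.IPv4Address(self.ip).packed),
                (OPT_LEASE_TIME, struct.pack("!I", self.lease)),
                (OPT_ROUTER, ipaddress.IPv4Address(self.router).packed),
                (OPT_DNS, ipaddress.IPv4Address(self.dns).packed)]

    def handle(self, msg):
        """Answer a Discover with an Offer and a Request with an ACK, else drop."""
        m = parse(msg)
        kind = m["options"].get(OPT_MSG_TYPE, b"\0")[0]
        if kind == DISCOVER and self.free:
            ip = self.free[0]          # tentative; committed only on Request
            return build(BOOTREPLY, m["xid"], m["chaddr"], ip, self._opts(OFFER, ip))
        if kind == REQUEST:
            wanted = m["options"].get(OPT_REQUESTED_IP)
            server = m["options"].get(OPT_SERVER_ID)
            if server != ipaddress.IPv4Address(self.ip).packed or wanted is None:
                return None            # Request for another server's offer
            ip = str(ipaddress.IPv4Address(wanted))
            if ip not in self.free:
                return None            # address no longer available: client must restart
            self.free.remove(ip)
            self.leases[m["chaddr"]] = ip
            return build(BOOTREPLY, m["xid"], m["chaddr"], ip, self._opts(ACK, ip))
        return None

def run_exchange(server, mac, xid=0x1234):
    """Drive the client side; return the (type, origin, destination) trace and the
    configuration the client ends up with."""
    trace = []
    disc = build(BOOTREQUEST, xid, mac, "0.0.0.0", [(OPT_MSG_TYPE, bytes([DISCOVER]))])
    trace.append(("DISCOVER", ("0.0.0.0", 68), ("255.255.255.255", 67)))
    offer = parse(server.handle(disc))
    trace.append(("OFFER", (server.ip, 67), ("255.255.255.255", 68)))
    req = build(BOOTREQUEST, xid, mac, "0.0.0.0", [
        (OPT_MSG_TYPE, bytes([REQUEST])),
        (OPT_REQUESTED_IP, ipaddress.IPv4Address(offer["yiaddr"]).packed),
        (OPT_SERVER_ID, offer["options"][OPT_SERVER_ID])])
    trace.append(("REQUEST", ("0.0.0.0", 68), ("255.255.255.255", 67)))
    ack = parse(server.handle(req))
    trace.append(("ACK", (server.ip, 67), ("255.255.255.255", 68)))
    o = ack["options"]
    config = {"ip": ack["yiaddr"],
              "router": str(ipaddress.IPv4Address(o[OPT_ROUTER])),
              "dns": str(ipaddress.IPv4Address(o[OPT_DNS])),
              "lease": struct.unpack("!I", o[OPT_LEASE_TIME])[0]}
    return trace, config

if __name__ == "__main__":
    srv = DhcpServer("10.0.0.1", ["10.0.0.50", "10.0.0.51"], "10.0.0.1", "10.0.0.2")
    for step in run_exchange(srv, b"\x00\x11\x22\x33\x44\x55")[0]:
        print(step)
```

The client keeps using 0.0.0.0 as its origin until the ACK arrives because it has no address of its own yet; the lease-time option (51) carried in the ACK is what the next slide's "temporary lease" refers to.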
Dynamic Host Configuration Protocol
- most DHCP servers assign a temporary lease on an IP number assignment
- when the lease expires, the host can negotiate a new IP assignment
- sporadic users do not require permanent IP numbers
- uses the allocation of network numbers more economically

Network Address Translation
- RFCs 2663, 3022, 4008
- all subnets under NAT are assigned local addresses, e.g., 10.0.0.0/24
- inside the NAT subnet, all packets generated are assigned local addresses
- outside the NAT subnet, all packets are assigned the source address of the NAT-enabled router

Network Address Translation Criticisms
- port numbers should signify processes and not hosts
- NAT routers violate end-to-end principles
- external servers cannot get reliable information about hosts behind a NAT router
- NAT networks make p2p applications more difficult
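The address rewriting described above, and the criticisms that follow from it, as an added example that is not part of the slides. The model is a port-translating NAT router (NAPT, the common case in RFC 3022) in front of a 10.0.0.0/24 subnet: outbound packets get the router's public address and a fresh public port, inbound packets are mapped back through the table, and an inbound packet for which no inside host opened a flow is dropped, which is exactly why an outside peer cannot reach a host behind the router on its own. The public address, the inside hosts and the outside servers are constructed sample values.

```python
"""Added example (not from the slides): a NAPT router model for a
10.0.0.0/24 private subnet. Packets are plain dicts with src/sport/dst/dport."""
import ipaddress

class NatRouter:
    def __init__(self, public_ip, private_net="10.0.0.0/24", first_port=40000):
        self.public_ip = public_ip
        self.private_net = ipaddress.ip_network(private_net)
        self.next_port = first_port
        # (inside ip, inside port, outside ip, outside port) -> public port
        self.outbound_map = {}
        # (public port, outside ip, outside port) -> (inside ip, inside port)
        self.inbound_map = {}

    def translate_outbound(self, pkt):
        """Rewrite a packet leaving the subnet so its source is the router."""
        if ipaddress.ip_address(pkt["src"]) not in self.private_net:
            return None   # not from the local subnet: do not relay it
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key not in self.outbound_map:
            port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = port
            self.inbound_map[(port, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
        return {**pkt, "src": self.public_ip, "sport": self.outbound_map[key]}

    def translate_inbound(self, pkt):
        """Rewrite a packet arriving from outside, or drop it when no inside
        host initiated the flow (unsolicited inbound has nowhere to go)."""
        if pkt["dst"] != self.public_ip:
            return None
        inside = self.inbound_map.get((pkt["dport"], pkt["src"], pkt["sport"]))
        if inside is None:
            return None
        return {**pkt, "dst": inside[0], "dport": inside[1]}

if __name__ == "__main__":
    nat = NatRouter("203.0.113.7")
    out = nat.translate_outbound({"src": "10.0.0.12", "sport": 51000,
                                  "dst": "198.51.100.5", "dport": 80})
    print("outside sees", out["src"], out["sport"])
```

Two inside hosts that both happen to use source port 51000 are told apart only by the public port the router picked for each, which is the "port numbers signify hosts" objection; the outside server sees one address for the whole subnet, so it cannot tell the hosts apart.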
- networks are susceptible to a variety of attacks; most are based on vulnerabilities in various network protocols
- one way to defend against these attacks is to block them
- firewalls offer a means of defending an intranet
- firewalls provide after-the-fact security by wrapping a filter around network traffic into and out of an intranet

Goals
- all traffic between network section A and network section B must pass through the firewall(s)
- only authorized traffic (as specified by the established security policy) is allowed to pass
- the firewall should be immune to penetration

Approaches
- host control: restrict sending or receiving addresses
- service control: restrict TCP or UDP port numbers
- direction control: restrict based on the origin of the traffic (inside or outside)
- content control: restrict traffic based on application-level data (conforming vs. non-conforming)

- host control requires policing addresses
- service control depends on the nature of the service implied
- direction control usually treats inbound traffic differently from outbound
- content controls usually follow when a company decides that its resources are not being used properly
Mechanisms
- packet filtering: examine individual packets and make decisions individually
- session filtering: establish a session based on socket addresses; permit/deny based on session source; keep track of session status
- application filtering: reconstruct application-layer data and filter based on data contents

Packet Filtering
- operates at Layer 3 in a router or hardware (HW) firewall
- accesses the IP header and/or application headers
- can block traffic based on source and destination addresses, port numbers, application protocols
- does not reconstruct the Layer 4 PDU, so cannot perform sophisticated content analysis

Session Filtering
- keeps track of packets exchanged between pairs of sockets (i.e., a pair of hosts using a specific pair of port numbers)
- some implementations perform circuit filtering: a proxy TCP connection is created to transmit packets through the firewall
- stateful packet filters keep track of the progress of a connection, allowing the traffic to flow as long as the connection is operative

Application Filtering
- the gateway examines the data in individual packets to determine whether to allow entry
- application proxy: a software component that maintains a list of forbidden servers, URLs, etc.
- can also manage specific application data, e.g., a mail transfer agent (MTA) especially equipped to examine incoming email data for spam, viruses, etc.
- can sanitize application-level traffic, e.g., JavaScript or ActiveX
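The host, service and direction controls from the Approaches slide and the packet filtering and stateful session filtering mechanisms above, combined in one added example (not code from the slides). Rules are evaluated first-match like a packet filter; a session table keyed on the socket pair makes return traffic of an allowed flow pass without a rule of its own, and an inbound TCP segment that is neither a new connection attempt nor part of a tracked session is dropped. The rule set, the 10.0.0.0/24 intranet with a mail host at 10.0.0.5, and the sample packets are all constructed.

```python
"""Added example (not from the slides): a stateful packet filter with
host/service/direction rules. Policy and addresses are constructed."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (arriving from outside) or "out" (leaving the intranet)
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN without ACK, i.e. a new connection attempt

def _in_net(ip, cidr):
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    direction: str   # "in", "out" or "any"      (direction control)
    proto: str       # "tcp", "udp" or "any"
    src: str         # CIDR or "any"              (host control)
    dst: str         # CIDR or "any"              (host control)
    dport: object    # port number or "any"       (service control)

    def matches(self, p):
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and _in_net(p.src, self.src) and _in_net(p.dst, self.dst)
                and self.dport in ("any", p.dport))

# constructed policy: first match wins, default deny
POLICY = [
    Rule("deny", "in", "any", "10.0.0.0/24", "any", "any"),   # inside addresses never arrive from outside
    Rule("allow", "in", "tcp", "any", "10.0.0.5/32", 25),      # SMTP only to the mail host
    Rule("allow", "out", "tcp", "10.0.0.0/24", "any", 80),
    Rule("allow", "out", "tcp", "10.0.0.0/24", "any", 443),
    Rule("allow", "out", "udp", "10.0.0.0/24", "any", 53),
]

class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        # (proto, inside ip, inside port, outside ip, outside port)
        self.sessions = set()

    def _session_key(self, p):
        if p.direction == "out":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def decide(self, p):
        """Return ('allow' | 'deny', reason) for one packet."""
        key = self._session_key(p)
        if key in self.sessions:
            return "allow", "established session"
        if p.proto == "tcp" and not p.syn:
            return "deny", "no session"      # mid-stream segment for an unknown flow
        for i, rule in enumerate(self.rules):
            if rule.matches(p):
                if rule.action == "allow":
                    self.sessions.add(key)   # remember the flow for its replies
                return rule.action, f"rule {i}"
        return "deny", "default deny"

if __name__ == "__main__":
    fw = StatefulFirewall(POLICY)
    print(fw.decide(Packet("out", "tcp", "10.0.0.12", 51000, "198.51.100.5", 443, syn=True)))
    print(fw.decide(Packet("in", "tcp", "198.51.100.5", 443, "10.0.0.12", 51000)))
```

A plain packet filter would need an explicit inbound rule for every high port that replies can arrive on; the session table removes that need and is what makes the distinction between a reply and an unsolicited inbound segment possible. The first rule is the address policing the slides mention under host control.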
Application Filtering
(figure: Firewall Rules based on Policy)
- MTA = mail transfer agent
- MDA = mail delivery agent
- MUA = mail user agent

Firewall Terminology
- Bastion Host: a computer that is fully exposed to attack and is programmed to withstand specific kinds of attacks (i.e., hardened)
- DMZ router: a router that is separated from the intranet but serves as an entry point; usually allows a wide assortment of software port connections

Firewall Configurations
- single firewall, with optional Bastion Host
- three-legged firewall
- dual firewall
Single Firewall with Bastion Host (figure)
Three-Legged Firewall (figure)
Dual Firewall with DMZ (figure)

Firewall Limitations
- firewalls are not impenetrable: they are subject to specific attacks, e.g., IP spoofing, tunneling, etc.
- unable to analyze encrypted traffic
- older, simpler firewalls depend on port numbers for identifying services
- track IP addresses and not people
- are expensive to manage