ISA 674 Understanding Firewalls & NATs

Similar documents
Firewalls. Types of Firewalls. Schematic of a Firewall. Conceptual Pieces Packet Filters Stateless Packet Filtering. UDP Filtering.

CE Advanced Network Security

The DNS. Application Proxies. Circuit Gateways. Personal and Distributed Firewalls The Problems with Firewalls

Network Security - ISA 656 Intro to Firewalls

Chapter 8 roadmap. Network Security

Unit 4: Firewalls (I)

Network Security: Firewalls. Tuomas Aura T Network security Aalto University, Nov-Dec 2013

Application Firewalls

Computer Security and Privacy

Applied IT Security. System Security. Dr. Stephan Spitz 6 Firewalls & IDS. Applied IT Security, Dr.

Firewalls and NAT. Firewalls. firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others.

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Global Information Assurance Certification Paper

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

4.1.3 Filtering. NAT: basic principle. Dynamic NAT Network Address Translation (NAT) Public IP addresses are rare

IPv4 Firewall Rule configuration on Cisco SA540 Security Appliance

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

History Page. Barracuda NextGen Firewall F

Table of Contents. Cisco How NAT Works

Information About NAT

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

CSC Network Security

20-CS Cyber Defense Overview Fall, Network Basics

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Prof. Bill Buchanan Room: C.63

Protection of Communication Infrastructures

Introduction to Firewalls using IPTables

Using NAT in Overlapping Networks

CSE 565 Computer Security Fall 2018

Computer and Network Security

Introduction to Network. Topics

CS 161 Computer Security

HP High-End Firewalls

Advanced Security and Forensic Computing

ipfw & IP Filter Yung-Zen Lai 2004/10

CSE 565 Computer Security Fall 2018

Sybex CCENT Chapter 12: Security. Instructor & Todd Lammle

ICS 451: Today's plan

CyberP3i Course Module Series

Connectionless and Connection-Oriented Protocols OSI Layer 4 Common feature: Multiplexing Using. The Transmission Control Protocol (TCP)

Configuring Commonly Used IP ACLs

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways

IT 341: Introduction to System

Network Security: Firewall, VPN, IDS/IPS, SIEM

Network Security. Thierry Sans

Features of a proxy server: - Nowadays, by using TCP/IP within local area networks, the relaying role that the proxy

Realtime Multimedia in Presence of Firewalls and Network Address Translation

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Realtime Multimedia in Presence of Firewalls and Network Address Translation. Knut Omang Ifi/Oracle 9 Nov, 2015

Networking By: Vince

TCP/IP Filtering. Main TCP/IP Filtering Dialog Box. Route Filters Button. Packet Filters Button CHAPTER

Internet Networking recitation #

Configuring IP Session Filtering (Reflexive Access Lists)

Monitoring Active and Recent Connections

Transport: How Applications Communicate

Computer Network Vulnerabilities

Advanced Security and Mobile Networks

Configuring Advanced Firewall Settings

CS155b: E-Commerce. Lecture 3: Jan 16, How Does the Internet Work? Acknowledgements: S. Bradner and R. Wang

VG422R. User s Manual. Rev , 5

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking

QUIZ: Longest Matching Prefix

Network and Security: Introduction

ch02 True/False Indicate whether the statement is true or false.

Context Based Access Control (CBAC): Introduction and Configuration

Network Control, Con t

Network Protocol Configuration Commands

Network Address Translation. All you want to know about

Implementing Firewall Technologies

Lecture (11) OSI layer 4 protocols TCP/UDP protocols

es T tpassport Q&A * K I J G T 3 W C N K V [ $ G V V G T 5 G T X K E G =K ULLKX LXKK [VJGZK YKX\OIK LUX UTK _KGX *VVR YYY VGUVRCUURQTV EQO

Network Address Translation (NAT) Contents. Firewalls. NATs and Firewalls. NATs. What is NAT. Port Ranges. NAT Example

IPv4 addressing, NAT. Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley.

ipro-04n Security Configuration Guide

Configuring IP Services

Layered Networking and Port Scanning

EE 122: Network Security


Network Interconnection

CCNA 1 Chapter 7 v5.0 Exam Answers 2013

RX3041. User's Manual

10 Defense Mechanisms

A Practical (and Personal) Perspective on IPv6 for Servers. Geoff Huston June 2011

Lab - Troubleshooting ACL Configuration and Placement Topology

Configuring IP Services

Networking IP filtering and network address translation

CS155 Firewalls. Simon Cooper CS155 - Firewalls 23 May of 30

COSC 301 Network Management

Computer Security Spring Firewalls. Aggelos Kiayias University of Connecticut

Best Practice - Protect Against TCP SYN Flooding Attacks with TCP Accept Policies

User Role Firewall Policy

Firewalls. Firewall. means of protecting a local system or network of systems from network-based security threats creates a perimeter of defense

A quick theorical introduction to network scanning. 23rd November 2005

Networking 101 By: Stefan Jagroop

CSC 4900 Computer Networks: Security Protocols (2)

Packet Header Formats

Network layer: Overview. Network layer functions IP Routing and forwarding NAT ARP IPv6 Routing

Network Security. Course notes. Version

Mapping of Address and Port Using Translation

Transcription:

ISA 674 Understanding & NATs Angelos Stavrou September 12, 2012

Types of Types of Schematic of a Firewall Conceptual Pieces Packet UDP Packet Dynamic Packet Application Gateways Circuit Relays Personal and/or Distributed Many firewalls are combinations of these types. Angelos Stavrou (astavrou@gmu.edu) 2 / 37

Schematic of a Firewall Types of Schematic of a Firewall Conceptual Pieces Packet Filter Filter UDP Inside Gateway(s) Outside DMZ Angelos Stavrou (astavrou@gmu.edu) 3 / 37

Conceptual Pieces Types of Schematic of a Firewall Conceptual Pieces Packet UDP An inside everyone on the inside is presumed to be a good guy An outside bad guys live there A DMZ (Demilitarized Zone) put necessary but potentially dangerous servers there Angelos Stavrou (astavrou@gmu.edu) 4 / 37

Packet Types of Schematic of a Firewall Conceptual Pieces Packet UDP Usually Router-based (and hence cheap). Individual packets are accepted or rejected; no context or connection information is used. Advanced filter rules are hard to set up; the primitives are often inadequate, and different rules can interact. Packet filters a poor fit for ftp and X11. Hard to manage access to dynamic services. Angelos Stavrou (astavrou@gmu.edu) 5 / 37

Firewall Rules Setup Sample Rule Set Incorrect Rule Set The Right Choice Your Own Filter In-bound Packets UDP We want to permit out-bound connections We have to permit reply packets For TCP, this can be done without state The very first packet of a TCP connection has just the SYN bit set All others have the ACK bit set Solution: allow in all packets with ACK turned on Angelos Stavrou (astavrou@gmu.edu) 6 / 37

Firewall Rules Setup Firewall Rules Setup Sample Rule Set Incorrect Rule Set The Right Choice Your Own Filter In-bound Packets UDP Action: - Permit (Pass) Allow the packet to proceed - Deny (Block) Discard the packet Direction: - Source (where the packet comes from) <IP Address, Port> or network - Destination (where the packet goes) <IP Address, Port> or network Protocol: - TCP - UDP Packet Flags: - ACK - SYN - RST - etc. Angelos Stavrou (astavrou@gmu.edu) 7 / 37

Sample Rule Set Firewall Rules Setup Sample Rule Set Incorrect Rule Set The Right Choice Your Own Filter In-bound Packets UDP We want to block a spammer, but allow anyone else to send email to our mail server. block: allow: Source IP Address = spammer Source IP Address = any and Source Port = any and Destination IP Address = our-mail and Destination Port = 25 Angelos Stavrou (astavrou@gmu.edu) 8 / 37

Incorrect Rule Set Firewall Rules Setup Sample Rule Set Incorrect Rule Set The Right Choice Your Own Filter In-bound Packets UDP We want to allow all TCP connection to mail servers. allow: Source IP Address = any and Source Port = 25 and Destination IP Address = any and Destination Port = any We don t control port number selection on the remote host. Any remote process on port 25 can call in. Angelos Stavrou (astavrou@gmu.edu) 9 / 37

The Right Choice Firewall Rules Setup Sample Rule Set Incorrect Rule Set The Right Choice Your Own Filter In-bound Packets UDP allow: Source IP Address = any and Source Port = 25 and Destination IP Address = any and Destination Port = any Flag (ACK) = Set Permit outgoing calls. Angelos Stavrou (astavrou@gmu.edu) 10 / 37

Your Own Filter Firewall Rules Setup Sample Rule Set Incorrect Rule Set The Right Choice Your Own Filter In-bound Packets UDP Your company has decided that web browsing is not permitted for the employees. It is your task to create a filter that denies web browsing for all the machines inside the company. Assume that all the company IP addresses are known. Outgoing packets to port 80, Web servers. Angelos Stavrou (astavrou@gmu.edu) 11 / 37

In-bound Packets Firewall Rules Setup Sample Rule Set Incorrect Rule Set The Right Choice Your Own Filter In-bound Packets UDP Outside Firewall DMZ Inside If you filter out-bound packets to the DMZ link, you can t tell where they came from. Angelos Stavrou (astavrou@gmu.edu) 12 / 37

UDP UDP UDP Example: DNS ICMP Problems The Problem with RPC Incorrect Approach FTP, SIP, et al. Saving FTP The Role of Packet Application: Point Application: Address Sample Configuration Sample Rules UDP Angelos Stavrou (astavrou@gmu.edu) 13 / 37

UDP UDP UDP UDP Example: DNS ICMP Problems The Problem with RPC Incorrect Approach FTP, SIP, et al. Saving FTP The Role of Packet Application: Point Application: Address Sample Configuration Sample Rules UDP has no notion of a connection. It is therefore impossible to distinguish a reply to a query which should be permitted from an intrusive packet. Address-spoofing is easy no connections At best, one can try to block known-dangerous ports. But that s a risky game. The safe solution is to permit UDP packets through to known-safe servers only. Angelos Stavrou (astavrou@gmu.edu) 14 / 37

UDP Example: DNS UDP UDP UDP Example: DNS ICMP Problems The Problem with RPC Incorrect Approach FTP, SIP, et al. Saving FTP The Role of Packet Application: Point Application: Address Sample Configuration Sample Rules Accepts queries on port 53 Block if handling internal queries only; allow if permitting external queries What about recursive queries? Bind local response socket to some other port; allow in-bound UDP packets to it Or put the DNS machine in the DMZ, and run no other UDP services (Deeper issues with DNS semantics; stay tuned) Angelos Stavrou (astavrou@gmu.edu) 15 / 37

ICMP Problems UDP UDP UDP Example: DNS ICMP Problems The Problem with RPC Incorrect Approach FTP, SIP, et al. Saving FTP The Role of Packet Application: Point Application: Address Sample Configuration Sample Rules Often see ICMP packets in response to TCP or UDP packets Important example: Path MTU response Must be allowed in or connectivity can break Simple packet filters can t match things up Angelos Stavrou (astavrou@gmu.edu) 16 / 37

The Problem with RPC UDP UDP UDP Example: DNS ICMP Problems The Problem with RPC Incorrect Approach FTP, SIP, et al. Saving FTP The Role of Packet Application: Point Application: Address Sample Configuration Sample Rules RPC services bind to random port numbers There s no way to know in advance which to block and which to permit Similar considerations apply to RPC clients Systems using RPC cannot be protected by simple packet filters Angelos Stavrou (astavrou@gmu.edu) 17 / 37

Incorrect Approach UDP UDP UDP Example: DNS ICMP Problems The Problem with RPC Incorrect Approach FTP, SIP, et al. Saving FTP The Role of Packet Application: Point Application: Address Sample Configuration Sample Rules Block a range of UDP ports. astavrou@ise:[~]>rpcinfo -p ise.gmu.edu program vers proto port service 100000 4 tcp 111 rpcbind 100000 2 udp 111 rpcbind 390113 1 tcp 7937 100005 1 udp 32800 mountd 100005 3 tcp 32776 mountd 100003 3 udp 2049 nfs 100227 2 udp 2049 nfs_acl 100003 2 tcp 2049 nfs 100227 2 tcp 2049 nfs_acl 100011 1 udp 36613 rquotad 100008 1 udp 36614 walld 100001 2 udp 36615 rstatd Angelos Stavrou (astavrou@gmu.edu) 18 / 37 The precise patterns are implementation-specific

FTP, SIP, et al. UDP UDP UDP Example: DNS ICMP Problems The Problem with RPC Incorrect Approach FTP, SIP, et al. Saving FTP The Role of Packet Application: Point Application: Address Sample Configuration Sample Rules FTP clients (and some other services) use secondary channels Again, these live on random port numbers Simple packet filters cannot handle this Trying to create rules simple, packet-based rules will NOT work Angelos Stavrou (astavrou@gmu.edu) 19 / 37

Saving FTP UDP UDP UDP Example: DNS ICMP Problems The Problem with RPC Incorrect Approach FTP, SIP, et al. Saving FTP The Role of Packet Application: Point Application: Address Sample Configuration Sample Rules By default, FTP clients send a PORT command to specify the address for an in-bound connection If the PASV command is used instead, the data channel uses a separate out-bound connection If local policy permits arbitrary out-bound connections, this works well Angelos Stavrou (astavrou@gmu.edu) 20 / 37

The Role of Packet UDP UDP UDP Example: DNS ICMP Problems The Problem with RPC Incorrect Approach FTP, SIP, et al. Saving FTP The Role of Packet Application: Point Application: Address Sample Configuration Sample Rules Packet filters are not very useful as general-purpose firewalls However, they are very efficient and can be applied even in high capacity links (why?) Several special situations where they re perfect Can be used to drop connections we don t want to reach the more expensive application-level firewall Angelos Stavrou (astavrou@gmu.edu) 21 / 37

Application: Point UDP UDP UDP Example: DNS ICMP Problems The Problem with RPC Incorrect Approach FTP, SIP, et al. Saving FTP The Role of Packet Application: Point Application: Address Sample Configuration Sample Rules Internet Web Server Allow in ports 80 and 443. Block everything else. This is a Web server appliance it shouldn t do anything else! But it may have necessary internal services for site administration. Angelos Stavrou (astavrou@gmu.edu) 22 / 37

Application: Address UDP UDP UDP Example: DNS ICMP Problems The Problem with RPC Incorrect Approach FTP, SIP, et al. Saving FTP The Role of Packet Application: Point Application: Address Sample Configuration Sample Rules At the border router, block internal IP addresses from coming in from the outside Similarly, prevent address spoofing (fake IP addresses) from going out Angelos Stavrou (astavrou@gmu.edu) 23 / 37

Sample Configuration UDP UDP UDP Example: DNS ICMP Problems The Problem with RPC Incorrect Approach FTP, SIP, et al. Saving FTP The Role of Packet Application: Point Application: Address Sample Configuration Sample Rules Outside Firewall Inside: 10.0.0.0/16 DMZ: 192.168.42.0/24 Mail DNS Angelos Stavrou (astavrou@gmu.edu) 24 / 37

Sample Rules UDP UDP UDP Example: DNS ICMP Problems The Problem with RPC Incorrect Approach FTP, SIP, et al. Saving FTP The Role of Packet Application: Point Application: Address Sample Configuration Sample Rules Interface Action Addr Port Flags Outside Block src=10.0.0.0/16 Outside Block src=192.168.42.0/24 Outside Allow dst=mail 25 Outside Block dst=dns 53 Outside Allow dst=dns UDP Outside Allow Any ACK Outside Block Any DMZ Block src 192.168.42.0/24 DMZ Allow dst=10.0.0.0/16 ACK DMZ Block dst=10.0.0.0/16 DMZ Allow Any Inside Block src 10.0.0.0/16 Inside Allow dst=mail 993 Inside Allow dst=dns 53 Inside Block dst=192.168.42.0/24 Insde Allow Any Angelos Stavrou (astavrou@gmu.edu) 25 / 37

UDP Keeping State Problems Solved Remaining Problems Network Address Translators (NATs) Basic NAT operation Comparison Angelos Stavrou (astavrou@gmu.edu) 26 / 37

UDP Keeping State Problems Solved Remaining Problems Network Address Translators (NATs) Basic NAT operation Comparison Most common type of packet filter Solves many but not all of the problems with simple packet filters Requires per-connection state in the firewall Angelos Stavrou (astavrou@gmu.edu) 27 / 37

Keeping State UDP Keeping State Problems Solved Remaining Problems Network Address Translators (NATs) Basic NAT operation Comparison When a packet is sent out, record that in memory Associate in-bound packet with state created by out-bound packet Angelos Stavrou (astavrou@gmu.edu) 28 / 37

Problems Solved UDP Keeping State Problems Solved Remaining Problems Network Address Translators (NATs) Basic NAT operation Comparison Can handle UDP query/response Can associate ICMP packets with connection Solves some of the in-bound/out-bound filtering issues but state tables still need to be associated with in-bound packets Still need to block against address-spoofing Angelos Stavrou (astavrou@gmu.edu) 29 / 37

Remaining Problems UDP Keeping State Problems Solved Remaining Problems Network Address Translators (NATs) Basic NAT operation Comparison Still have problems with secondary ports Still have problems with RPC Still have problems with complex semantics (i.e., DNS) The amount of state we can keep is limited Angelos Stavrou (astavrou@gmu.edu) 30 / 37

Network Address Translators (NATs) UDP Keeping State Problems Solved Remaining Problems Network Address Translators (NATs) Basic NAT operation Comparison Translates source address (and sometimes port numbers) Primary purpose: coping with limited number of global IP addresses Sometimes marketed as a very strong firewall is it? It s not really stronger than a stateful packet filter Angelos Stavrou (astavrou@gmu.edu) 31 / 37

Basic NAT operation UDP Keeping State Problems Solved Remaining Problems Network Address Translators (NATs) Basic NAT operation Comparison Angelos Stavrou (astavrou@gmu.edu) 32 / 37

Basic NAT operation UDP Keeping State Problems Solved Remaining Problems Network Address Translators (NATs) Basic NAT operation Comparison Angelos Stavrou (astavrou@gmu.edu) 33 / 37

Basic NAT operation UDP Keeping State Problems Solved Remaining Problems Network Address Translators (NATs) Basic NAT operation Comparison Angelos Stavrou (astavrou@gmu.edu) 34 / 37

Basic NAT operation UDP Keeping State Problems Solved Remaining Problems Network Address Translators (NATs) Basic NAT operation Comparison Angelos Stavrou (astavrou@gmu.edu) 35 / 37

Basic NAT operation UDP Keeping State Problems Solved Remaining Problems Network Address Translators (NATs) Basic NAT operation Comparison Angelos Stavrou (astavrou@gmu.edu) 36 / 37

Comparison UDP Keeping State Problems Solved Remaining Problems Network Address Translators (NATs) Basic NAT operation Comparison Filter Out-bound Create state table entry. In-bound Look up state table entry; drop if not present. NAT Out-bound Create state table entry. Translate address. In-bound Look up state table entry; drop if not present. Translate address. The lookup phase and the decision to pass or drop the packet are identical; all that changes is whether or not addresses are translated. Angelos Stavrou (astavrou@gmu.edu) 37 / 37

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback