Wireless LANs (CO72047) Bill Buchanan, Reader, School of Computing.


Bill Buchanan, Reader, School of Computing. W.Buchanan (1)

Lab setup W.Buchanan (2)

W.Buchanan (3) Lab setup
Console server at 192.168.1.100, with a console (Con) connection to each access point:
  Port 2001 - Cisco Aironet 1200
  Port 2002 - Cisco Aironet 1200
  Port 2003 - Cisco Aironet 1200

W.Buchanan (4)

W.Buchanan (5) Wireless network
Access points APskills1, APskills2 and APskills3 on the 192.168.0.0 network (addresses shown: 192.168.0.1, 192.168.0.2, 192.168.0.3 and 192.168.0.110); console server (Con) at 192.168.1.100, ports 2001-2003.

W.Buchanan (6)

W.Buchanan (7)

W.Buchanan (8) Schedule

Week | Date   | Academic                         | Cisco                     | Lab/Tutorial
1    | 26 Sep | 1: Radio Wave Fundamentals       |                           |
2    | 3 Oct  | 2: Wireless Fundamentals         | Intro to Wireless LANs    | Access Point Tutorial 1 (T)
3    | 10 Oct | 3: Wireless Infrastructures      | IEEE 802.11 and NICs      | Access Point Tutorial 2 (T)
4    | 17 Oct | 4: Encryption                    | Wireless Radio Technology | Ad-hoc Networks (L)
5    | 24 Oct |                                  | Wireless Topologies       | Infrastructure Networks (L)
6    | 31 Oct | 5: Authentication                | Access Points             | Radio Configuration Settings (L)
7    | 7 Nov  | 6: Antennas                      | Bridges                   | Filtering (L)
8    | 14 Nov | 7: Filtering                     | Antennas                  | Encryption (L)
9    | 21 Nov | 8: GSM/3G                        | Security                  | Authentication/EAP (L)
10   | 28 Nov | 9: Future Technologies           | Applications              | Configuring Services (L)
11   | 5 Dec  | 10: Site Surveys/Troubleshooting | Site Survey               | VLANs (L)
12   | 12 Dec | 11: Location-finding             | Troubleshooting           | Proxy Mobile IP (L)
     | Holidays
13   | 9 Jan  | Revision/Cram (Cisco Exam)       | Emerging Technologies     | Power Management (L)
14   | 16 Jan | Revision (Napier Exam)           | Revision/Cram             | Coursework/Practical (50%)
15   | 23 Jan | Napier Exam (40%)                | Cisco Exam (10%)          |

(T) = tutorial, (L) = lab.

Coursework W.Buchanan (9)

W.Buchanan (10) Academic/Professional Certification
Academic: on-line test 40%, coursework test 50%. Professional certification (http://cisco.netacad.net): on-line test 10%. A single mark is submitted.
Learning outcomes:
- Demonstrates analytical and synthesis skills in defining the key stages in the development of a wireless solution, from its specification and design to its evaluation.
- Provides an in-depth understanding of the key principles involved in the operation of a wireless system.
- Demonstrates key practical skills in the implementation, evaluation and debugging of wireless systems.

W.Buchanan (11) Coursework
Title: Secure Wireless Network Design
Objective: To design a secure wireless network.
Outline: The objective of this coursework is to design a secure wireless network which meets certain objectives, and to implement a prototype of the system.
Submission: PDF document submitted to Web-CT by Monday, 16 January 2005, 12pm.
Assessment: A grade will be assigned for the assessment, which will be returned to the student. This grade will then be converted to a mark for the module board.

W.Buchanan (12) Marking scheme
Introduction [5%]. This should define the aims of the coursework, and provide background material.
Design [25%]. This section should present a possible wireless design for an organisation network which supports up to 100 simultaneous users. This design should include encryption, authentication and the required firewalling/filtering. Further details of the security constraints will be given in the lecture.
Implementation [35%]. This section should provide a prototype of the proposed wireless system, including sample configurations and an explanation of their operation.
Conclusions [15%]. This should outline the main conclusions of the report.
Presentation/references [20%]. This relates to the layout and format of the report. Any references should be given using the Harvard referencing standard. Do not copy any material directly from a source.

W.Buchanan (13) Departments: Production, Sales, Engineering

W.Buchanan (14) Coursework scenario
Three main groups: Sales, Production and Engineering, with 60 users in each group. The standard network card is a Cisco Aironet 350, and the access point selected is a Cisco Aironet 1200. The physical span of the network is similar to the size of the Merchiston library. The Sales and Production departments should not be able to access the Web server on any access point, but Engineering can. The Sales department should not be able to ping any of the network; the Production department can ping the access point; the Engineering department can ping any part of the network. The Engineering department should be able to access SNMP information on the access point and the router, but on no other device. Sales and Production should not be able to access any SNMP information.

W.Buchanan (15) Coursework scenario (continued)
The department servers are located at 10.0.0.1 (Sales), 10.0.0.2 (Production) and 10.0.0.3 (Engineering). Access should be barred to any server not defined for the department. There is also a public access server at 10.0.0.5. External WWW access should only be allowed for the Sales department. An email server is located at 10.0.0.4; it supports most of the commonly used email protocols, and every user should be able to access it. The organisation has external access through a single router which has an external IP address of 172.16.1.1/24 and at least three ports (more can be added as required). Users in Engineering should be allowed to log into any access point, in a secure way. Overall, the network should be fairly secure, and robust in case of failures.

Filtering W.Buchanan (16)

W.Buchanan (17) Filtering
Diagram: Host A, an intermediate system and Host B, each with the layers Application, Transport (TCP/UDP/ICMP), Internet (IP/IPX) and Network (MAC). Example of encryption applied at the Network layer.

W.Buchanan (18) Firewalls
Screening firewalls and proxies, mapped onto the Internet model:
- Application layer: Proxy - isolates the local network from untrusted networks (AKA application gateway).
- Transport layer: Screening firewall - filters on source and destination TCP ports.
- Internet layer: Screening firewall - filters on source and destination IP addresses.

W.Buchanan (19) Firewalls and proxies
Proxy (Application layer): isolates the local network from untrusted networks (AKA application gateway).
Screening firewall (Transport/Internet layers):
  Advantages: simple; low cost.
  Disadvantages: complexity of rules; cost of managing the firewall; lack of user authentication.

W.Buchanan (20) Network layout: Core, with proxies/public access servers in the DMZ (demilitarized zone); Distribution; Access.

W.Buchanan (21) Core/DMZ/Distribution/Access layout with a PIX firewall at the core: the PIX firewall defines the security rules.

W.Buchanan (22) Core/DMZ/Distribution/Access layout with a screening firewall: it filters packets based on source/destination IP addresses and TCP ports.

W.Buchanan (23) Core/DMZ/Distribution/Access layout with VLANs: VLAN1 and VLAN2 separate parts of the distribution and access layers.

W.Buchanan (24) Security elements in the Core/DMZ/Distribution/Access layout: VLANs, MAC filtering, IP filtering, TCP filtering, NAT.

NAT W.Buchanan (25)

W.Buchanan (26) Network address translation
PAT (port address translation) maps many addresses to one global address. Outgoing data from 192.168.10.12:4444 (inside) leaves the NAT device (N) as 168.10.34.21:5555 (outside); incoming data to 168.10.34.21:5555 is translated back to 192.168.10.12:4444.

W.Buchanan (27) Network address translation
The NAT router remembers the source and destination IP addresses and ports:
  IP:port (inside)      IP:port (outside)    IPdest:port
  192.168.10.12:4444    168.10.34.21:5555    11.122.33.44:80

W.Buchanan (28) Network address translation
New connections are added to the table:
  IP:port (inside)      IP:port (outside)    IPdest:port
  192.168.10.12:4444    168.10.34.21:5555    11.122.33.44:80
  192.168.10.12:4445    168.10.34.21:5556    11.122.33.44:80
  192.168.10.12:4446    168.10.34.21:5557    11.122.33.44:80
  192.168.10.20:1234    168.10.34.21:5558    11.122.33.44:80

W.Buchanan (29) Network address translation
NAT: hides the addresses of the internal network; bars direct contact with a host; increases the range of addresses; allows easy creation of subnetworks.

W.Buchanan (30) NAT
Static translation. Each public IP address translates to a private one through a static table (a1.b1.c1.d1 <-> w1.x1.y1.z1, a2.b2.c2.d2 <-> w2.x2.y2.z2). Good for security/logging/traceability. Bad, as it does not hide the internal network.
IP masquerading (dynamic translation). A single public IP address (w.x.y.z) is used for the whole network (a1.b1.c1.d1, a2.b2.c2.d2, ...). The table is thus dynamic.
Load balancing translation. A request is made to a resource, such as a WWW server; the NAT device then looks at the current loading of the systems and forwards the request to the one which is most lightly used.

W.Buchanan (31) NAT - load balancing
A request to the public address w.x.y.z is forwarded by the NAT device (N) to a1.b1.c1.d1 or ... or an.bn.cn.dn in the server pool (private addresses): the NAT device selects the least used resource.

W.Buchanan (32) NAT - backtrack connections
NAT is good as we are isolated from the external public network, where our hosts initiate the connections (private addresses a1.b1.c1.d1, a2.b2.c2.d2 behind N; public addresses w1.x1.y1.z1, w2.x2.y2.z2, or a single w.x.y.z). But what happens if we use applications which create connections in the reverse direction, such as FTP and IRC? We thus need some form of backtracking of connections in the NAT device.

W.Buchanan (33) NAT - weaknesses
Static NAT is poor for security, as it does not hide the network. This is because there is a one-to-one mapping. Dynamic NAT is good for security, as it hides the network. Unfortunately it has two major weaknesses:
- Backtracking allows external parties to trace back a connection.
- If the NAT device becomes compromised, the external party can redirect traffic.
Diagram: the corporate WWW site a1.b1.c1.d1 is reached through N at w1.x1.y1.z1; a compromised NAT table causes the connection to point to the external intruder's WWW site instead.
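The translation table of slides 26 to 33 can be worked through in code. The following is an added example and not the slides' own code: it models a NAT device that keeps a static one-to-one table alongside a dynamic PAT table, using the slides' addresses (192.168.10.12, 168.10.34.21, 11.122.33.44) and ports (4444, 5555). The class and method names are assumptions, as is the rule that an inbound packet with no matching table row is dropped, which is what makes dynamic NAT "bar direct contact with a host" while a static entry lets anything through to the inside address.

```python
"""Toy NAT/PAT translation table for slides 26 to 33.

Added example, not the slides' own code. The addresses 192.168.10.12,
168.10.34.21 and 11.122.33.44 and the ports 4444/5555 are the slides' values;
the class and method names, and the behaviour of dropping unsolicited inbound
packets, are assumptions made here to show why dynamic NAT "bars direct
contact with a host" while static NAT does not.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int, str, int]        # (inside ip, inside port, dest ip, dest port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatDevice:
    public_ip: str                                    # single global address (masquerading)
    next_port: int = 5555                             # first outside port handed out (slide 26)
    static: Dict[str, str] = field(default_factory=dict)   # inside ip -> public ip, one-to-one
    table: Dict[Tuple[str, int], Flow] = field(default_factory=dict)  # (outside ip, port) -> flow

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: static entries swap the address; otherwise PAT allocates a port."""
        if pkt.src_ip in self.static:
            return Packet(self.static[pkt.src_ip], pkt.src_port, pkt.dst_ip, pkt.dst_port)
        flow: Flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for (oip, oport), known in self.table.items():
            if known == flow:                          # existing connection: reuse its entry
                return Packet(oip, oport, pkt.dst_ip, pkt.dst_port)
        oport = self.next_port                         # new connection: add a row to the table
        self.next_port += 1
        self.table[(self.public_ip, oport)] = flow
        return Packet(self.public_ip, oport, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: return the translated packet, or None if it must be dropped."""
        for inside_ip, public_ip in self.static.items():
            if pkt.dst_ip == public_ip:                # static: anything reaches the inside host
                return Packet(pkt.src_ip, pkt.src_port, inside_ip, pkt.dst_port)
        flow = self.table.get((pkt.dst_ip, pkt.dst_port))
        if flow is None:
            return None                                # no inside host initiated this: dropped
        iip, iport, dip, dport = flow
        if (pkt.src_ip, pkt.src_port) != (dip, dport):
            return None                                # reply from a host the inside did not contact
        return Packet(pkt.src_ip, pkt.src_port, iip, iport)


if __name__ == "__main__":
    nat = NatDevice(public_ip="168.10.34.21")
    for inside in [("192.168.10.12", 4444), ("192.168.10.12", 4445), ("192.168.10.20", 1234)]:
        out = nat.outbound(Packet(inside[0], inside[1], "11.122.33.44", 80))
        print(f"{inside[0]}:{inside[1]} -> {out.src_ip}:{out.src_port}")
    print(nat.inbound(Packet("11.122.33.44", 80, "168.10.34.21", 5555)))   # reply: translated
    print(nat.inbound(Packet("11.122.33.44", 80, "168.10.34.21", 9999)))   # unsolicited: None
```

Running it prints the three outside ports 5555, 5556 and 5557 being handed out in the order of slide 28, the reply to port 5555 being mapped back to 192.168.10.12:4444, and the unsolicited packet to port 9999 being dropped. The static path shows the weakness of slide 33: a packet to w1.x1.y1.z1 always reaches the inside host, whether or not that host started a connection.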

Screening Firewall W.Buchanan (34)

W.Buchanan (35) Screening firewall
A port on a router (a router with firewall) can be set up with ACLs to filter traffic based on the network address or on the source or destination port number. For example, the firewall may block FTP traffic going out of the network.

W.Buchanan (36) ACLs
ACLs can filter on:
- MAC address.
- Source IP address. The address that the data packet was sent from.
- Destination IP address. The address that the data packet is destined for.
- Source TCP port. The port that the data segment originated from. Typical ports which could be blocked are FTP (port 21), TELNET (port 23) and WWW (port 80).
- Destination TCP port. The port that the data segment is destined for.
- Protocol type. This filters for UDP or TCP traffic.

MAC address filtering W.Buchanan (37)

W.Buchanan (38)

W.Buchanan (39) Scope of MAC address filtering: defined by the broadcast domain.

W.Buchanan (40) MAC address filtering
  access-list [<700-799> | <1100-1199>] [deny | permit] [source mac] [source mask] [dest mac] [dest mask]
For example, to disallow the node with the MAC address 0090.4b54.d83a access to 0060.b39f.cae1, and then apply the list inbound on the radio interface (D0):
  (config)# access-list 1101 deny 0090.4b54.d83a 0.0.0 0060.b39f.cae1 0.0.0
  (config)# access-list 1101 permit 0.0.0 ffff.ffff.ffff 0.0.0 ffff.ffff.ffff
  (config)# int d0
  (config-if)# l2-filter bridge-group-acl
  ! the slide omits the bridge-group number; bridge group 1 is assumed here
  (config-if)# bridge-group 1 input-address-list 1101

Standard ACLs W.Buchanan (41)

W.Buchanan (42) Standard ACLs
Standard ACLs filter on the source IP address only:
  Router(config)# access-list access-list-value {permit | deny} source source-mask
Examples:
  Router(config)# access-list 1 deny 156.1.1.10 0.0.0.0
  Router(config)# access-list 1 deny 156.1.1.0 0.0.0.255
  Router(config)# access-list 1 permit any
The list is then applied to an interface:
  Router(config)# interface Ethernet0
  Router(config-if)# ip address 156.1.1.130 255.255.255.0
  Router(config-if)# ip access-group 1 in

W.Buchanan (43) Standard ACLs
Topology: 156.1.1.2 on the D0 side (156.1.1.130); 161.10.11.12 and 161.10.11.13 on the E0 side.
  Router(config)# access-list 1 deny 156.1.1.0 0.0.0.255
  Router(config)# access-list 1 permit any
In the wildcard mask 0.0.0.255 the zero octets mean "match this part" (156.1.1) and the 255 octet means "ignore this part". Traffic from any address other than the 156.1.1.0 network can pass.
  Router(config)# interface D0
  Router(config-if)# ip address 156.1.1.130 255.255.255.0
  Router(config-if)# ip access-group 1 in

W.Buchanan (44) Standard ACLs
Standard ACLs are applied as near to the destination as possible, so that they do not affect any other traffic:
  !
  interface E0
   ip address 120.11.12.13 255.255.255.0
   ip access-group 1 in
  !
  access-list 1 deny 156.1.1.0 0.0.0.255
  access-list 1 permit any
Topology: 156.1.1.2 behind 156.1.1.130; 161.10.11.12 and 161.10.11.13 beyond E0.

W.Buchanan (45) Named standard ACLs
  (config)#ip access-list standard ?
    <1-99>       Standard IP access-list number
    <1300-1999>  Standard IP access-list number (expanded range)
    WORD         Access-list name
where WORD is the name of the access-list to be defined. For example:
  (config)#ip access-list standard Test
  (config-std-nacl)#?
  Standard Access List configuration commands:
    deny    Specify packets to reject
    exit    Exit from access-list configuration mode
    no      Negate a command or set its defaults
    permit  Specify packets to forward
and to define a standard access-list:
  (config-std-nacl)#deny 156.1.1.0 0.0.0.255
  (config-std-nacl)#permit ?
    Hostname or A.B.C.D  Address to match
    any                  Any source host
    host                 A single host address

W.Buchanan (46) Named standard ACLs (continued)
  (config-std-nacl)#permit ?
    Hostname or A.B.C.D  Address to match
    any                  Any source host
    host                 A single host address
  (config-std-nacl)#permit any ?
    log   Log matches against this entry
    <cr>
  (config-std-nacl)#permit any
It can then be applied with:
  (config)#int e0
  (config-if)#ip access-group ?
    <1-199>      IP access list (standard or extended)
    <1300-2699>  IP expanded access list (standard or extended)
    WORD         Access-list name
  (config-if)#ip access-group Test ?
    in   inbound packets
    out  outbound packets
  (config-if)#ip access-group Test in

Extended ACLs W.Buchanan (47)

W.Buchanan (48) Extended ACLs
  Router(config)# access-list access-list-value {permit | deny} {test-conditions}
Examples (each pair is a separate list):
  Router(config)#access-list 100 deny ip host 156.1.1.134 156.70.1.1 0.0.0.0
  Router(config)#access-list 100 permit ip any any

  Router(config)#access-list 100 deny ip 156.1.1.0 0.0.0.255 156.70.1.0 0.0.0.255
  Router(config)#access-list 100 permit ip any any

  Router(config)#access-list 100 deny ip 156.1.1.0 0.0.0.254 host 156.70.1.1
  Router(config)#access-list 100 permit ip any any
Applied to an interface:
  Router(config)# interface Ethernet0
  Router(config-if)# ip address 156.1.1.130 255.255.255.192
  Router(config-if)# ip access-group 100 in

W.Buchanan (49) Extended ACLs
Topology: 156.1.1.2 on the D0 side (156.1.1.130); 161.10.11.12 and 161.10.11.13 on the E0 side.
Denies traffic from 156.1.1.2 to the 70.1.2.0 network:
  (config)#access-list 100 deny ip host 156.1.1.2 70.1.2.0 0.0.0.255
  (config)#access-list 100 permit ip any any
Denies traffic from any host on 156.1.1.0 to the 70.1.2.0 network:
  (config)#access-list 100 deny ip 156.1.1.0 0.0.0.255 70.1.2.0 0.0.0.255
  (config)#access-list 100 permit ip any any

W.Buchanan (50) Example of an extended ACL
Traffic from 156.1.1.2 to the barred site 140.5.6.7 is blocked; all other traffic (e.g. to 161.10.11.12 and 161.10.11.13) can flow.
  !
  interface D0
   ip address 156.1.1.130 255.255.255.0
   ip access-group 100 in
  !
  access-list 100 deny ip 156.1.1.0 0.0.0.255 140.5.6.7 0.0.0.255
  access-list 100 permit ip any any
Note that the destination wildcard 0.0.0.255 matches the whole 140.5.6.0 network containing the barred site, not just the one host; to bar only 140.5.6.7, write the destination as host 140.5.6.7. Extended ACLs are applied as near to the source as possible, as they are more targeted.

W.Buchanan (51) Extended ACLs filtering TCP traffic
An extended ACL can also filter for TCP/UDP traffic (optional field in brackets):
  Router(config)#access-list access-list-value {permit | deny} {tcp | udp | igrp} source source-mask destination destination-mask [{eq | neq | lt | gt} port]
No Telnet access from the 156.1.1.0 network to 156.70.1.1 (reached through E1), while all other traffic is permitted:
  access-list 101 deny tcp 156.1.1.0 0.0.0.255 host 156.70.1.1 eq telnet
  access-list 101 permit ip any any
(No source-port operator is given, so any source port matches.) Topology: E0 at 156.1.1.130 with hosts 156.1.1.2, 161.10.11.12 and 161.10.11.13; E1 towards 156.70.1.1.

W.Buchanan (52) Open and closed firewalls
A closed firewall permits some things and denies everything else:
  access-list 101 permit ...
  access-list 101 deny ip any any
An open firewall denies some things and permits everything else:
  access-list 101 deny ...
  access-list 101 permit ip any any
Topology: 156.1.1.2 on D0 (156.1.1.130); 161.10.11.12 and 161.10.11.13 on E0.
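The matching rules behind slides 41 to 52 (wildcard masks, first-match evaluation and the implicit deny that makes a list with no final permit a "closed" firewall) can be checked by evaluating the slides' own lists against sample packets. The following is an added example, not the slides' or Cisco's code: a small evaluator for the subset of access-list syntax that appears on the slides (standard entries with a source and optional wildcard, extended entries with ip/tcp/udp, any/host/wildcard addresses and eq PORT). The function and class names and the WELL_KNOWN_PORTS table are assumptions made here; the ACL lines and addresses are taken from the slides.

```python
"""Toy evaluator for IOS-style standard and extended ACLs (slides 41 to 52).

Added example, not the slides' or Cisco's code. It implements wildcard-mask
matching (0 bit = "match this part", 1 bit = "ignore this part"), first-match
evaluation and the implicit deny at the end of every list. Only the syntax
used on the slides is parsed; all function and class names are assumptions.
"""
import ipaddress
from typing import List, Optional, Tuple

WELL_KNOWN_PORTS = {"telnet": 23, "ftp": 21, "www": 80, "smtp": 25}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base in every bit where the wildcard bit is 0."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    keep = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & keep) == (b & keep)


def _looks_like_ip(token: str) -> bool:
    return token.count(".") == 3 and token.replace(".", "").isdigit()


def _parse_addr(t: List[str], i: int) -> Tuple[str, str, int]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D [WILDCARD]' at t[i]; return (base, wildcard, next)."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(t) and _looks_like_ip(t[i + 1]):
        return t[i], t[i + 1], i + 2
    return t[i], "0.0.0.0", i + 1          # bare address: exact host match


class Rule:
    """One access-list entry, standard ('deny 156.1.1.0 0.0.0.255') or extended."""

    def __init__(self, line: str):
        t = line.split()
        if t[0] == "access-list":             # accept 'access-list N ...' or just 'deny ...'
            t = t[2:]
        self.action = t[0]
        self.dport: Optional[int] = None
        if t[1] in ("ip", "tcp", "udp"):      # extended entry: protocol, source, destination
            self.proto = t[1]
            self.src, self.src_wc, i = _parse_addr(t, 2)
            self.dst, self.dst_wc, i = _parse_addr(t, i)
            if i + 1 < len(t) and t[i] == "eq":
                p = t[i + 1]
                self.dport = WELL_KNOWN_PORTS[p] if p in WELL_KNOWN_PORTS else int(p)
        else:                                 # standard entry: source address only
            self.proto = None
            self.src, self.src_wc, _ = _parse_addr(t, 1)
            self.dst, self.dst_wc = "0.0.0.0", "255.255.255.255"

    def matches(self, src: str, dst: str, proto: str, dport: Optional[int]) -> bool:
        if self.proto not in (None, "ip") and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return (wildcard_match(src, self.src, self.src_wc)
                and wildcard_match(dst, self.dst, self.dst_wc))


def evaluate(acl: List[str], src: str, dst: str,
             proto: str = "ip", dport: Optional[int] = None) -> str:
    """Return 'permit' or 'deny': the first matching entry wins; no match = implicit deny."""
    for rule in (Rule(line) for line in acl):
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "deny"


# Lists taken from the slides (addresses are the slides' own examples)
STANDARD_ACL = ["access-list 1 deny 156.1.1.0 0.0.0.255",                          # slide 43
                "access-list 1 permit any"]
EVEN_HOSTS_ACL = ["access-list 100 deny ip 156.1.1.0 0.0.0.254 host 156.70.1.1",  # slide 48
                  "access-list 100 permit ip any any"]
NO_TELNET_ACL = ["access-list 101 deny tcp 156.1.1.0 0.0.0.255 host 156.70.1.1 eq telnet",  # slide 51
                 "access-list 101 permit ip any any"]
# Closed firewall (slide 52): permit one thing and rely on the implicit deny for the rest
CLOSED_ACL = ["access-list 101 permit ip 156.1.1.0 0.0.0.255 any"]

if __name__ == "__main__":
    print(evaluate(STANDARD_ACL, "156.1.1.2", "161.10.11.12"))             # deny
    print(evaluate(STANDARD_ACL, "161.10.11.12", "156.1.1.2"))             # permit
    print(evaluate(EVEN_HOSTS_ACL, "156.1.1.2", "156.70.1.1"))             # deny (even last octet)
    print(evaluate(EVEN_HOSTS_ACL, "156.1.1.3", "156.70.1.1"))             # permit (odd last octet)
    print(evaluate(NO_TELNET_ACL, "156.1.1.2", "156.70.1.1", "tcp", 23))   # deny
    print(evaluate(NO_TELNET_ACL, "156.1.1.2", "156.70.1.1", "tcp", 80))   # permit
    print(evaluate(CLOSED_ACL, "161.10.11.12", "156.1.1.2"))               # deny (implicit)
```

Two things worth noticing when running it: the slide 48 wildcard 0.0.0.254 leaves only the lowest bit of the last octet as "match this part", so it denies 156.1.1.2 but permits 156.1.1.3, and the closed list denies every packet from outside 156.1.1.0 without any explicit deny line, which is the implicit deny that slide 52 relies on.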