Firewalls and NAT. Firewalls. A firewall isolates an organization's internal net from the larger Internet, allowing some packets to pass, blocking others.


Firewalls and NAT

Firewalls
By conventional definition, a firewall is a partition made of fireproof material designed to prevent the spread of fire from one part of a building to another.
A firewall isolates an organization's internal net from the larger Internet, allowing some packets to pass, blocking others.
(Figure: privately administered network, firewall, Internet)

Firewall goals
- All traffic from outside to inside and vice versa passes through the firewall
- Only authorized traffic, as defined by local security policy, will be allowed to pass
- Firewall itself is immune to penetration

Firewalls: taxonomy
1. Traditional packet filters: filters often combined with router, creating a firewall
2. Stateful filters
3. Application gateways
Major firewall vendors: Checkpoint, Cisco PIX

Firewall
- Firewall == system that filters TCP/IP and UDP/IP packets according to rules
- Either software on user machine or network router
(Figure: rules applied at the firewall/router between the internal hosts and the global IP addresses)

Traditional packet filters
Analyzes each datagram going through it; makes drop decision based on:
- Source IP address
- Destination IP address
- Source port
- Destination port
- TCP flag bits
  - SYN bit set: datagram for connection initiation
  - ACK bit set: part of established connection
- TCP or UDP or ICMP: firewalls often configured to block UDP
- Direction: is datagram leaving or entering internal network?
- Router interface: decisions can be different for different interfaces

Filtering rules - examples
Policy                                                       | Firewall setting
No outside Web access.                                       | Drop outgoing packets to any IP address, port 80
Outside connections to public Web server only.               | Drop incoming TCP SYN packets to any IP except 130.207.244.203, port 80
Prevent Web-radios from eating up the available bandwidth.   | Drop incoming UDP packets, except DNS and router broadcasts.
Prevent your network from being used for a Smurf DoS attack. | Drop ICMP packets going to a broadcast address (e.g. 130.207.255.255).
Prevent your network from being tracerouted.                 | Drop outgoing ICMP unreachables

Access control lists
Apply rules from top to bottom:
action | source address | dest address | proto | source port | dest port | flag bit
allow  |                | outside of   | TCP   | > 1023      | 80        | any
allow  | outside of     |              | TCP   | 80          | > 1023    | ACK
allow  |                | outside of   | UDP   | > 1023      | 53        | ---
allow  | outside of     |              | UDP   | 53          | > 1023    | ----
deny   |                |              |       |             |           |

Access control lists
- Each router/firewall interface can have its own ACL
- Most firewall vendors provide both command-line and graphical configuration interfaces

Traditional packet filters
Advantages
- One screening router can protect entire network
- Can be efficient if filtering rules are kept simple
- Widely available: almost any router, even Linux boxes
Disadvantages
- Can be penetrated
- Cannot enforce some policies, for example, permit certain users
- Rules can get complicated and difficult to test

Network or host firewall
- Network firewall: (figure: network firewall in front of the protected network)
- Host firewall: (figure: host with firewall)

Example: iptables chain types
(Figure: Linux host with iptables in front of the protected network)
- INPUT chain: packets to the iptables host
- OUTPUT chain: packets from the iptables host
- FORWARD chain: packets passing through the iptables host

iptables: example command
iptables -A INPUT -i eth0 -s 232.16.4.0/24 -j ACCEPT
- Sets a rule: accepts packets that enter from interface eth0 with source address in 232.16.4/24
- Kernel applies rules in order; first matching rule determines action for packet
- Append: -A adds rule to bottom of existing rules

Stateful filters
- Stateless filters: any packet with ACK=1 and source port 80 gets through
- Attack with malformed packets: send ACK=1 segments
- Stateful filter: adds more intelligence to decision-making process
- Stateful = remember past packets
- Needs very dynamic state table

Stateful filters: example
- Log each TCP conn initiated through firewall: SYN segment
- Timeout entries without activity after, e.g., 60 seconds
source address | dest address  | source port | dest port
222.22.1.7     | 37.96.87.123  | 12699       | 80
222.22.93.2    | 199.1.205.23  | 37654       | 80
222.22.65.143  | 203.77.240.43 | 48712       | 80
- Rule table indicates check of stateful table: see if there is a connection entry in stateful table
- Stateful filters can remember outgoing UDP segments

Stateful example
1) Pkt arrives from outside: src=37.96.87.123, src port=80, dst=222.22.1.7, dst port=12699, SYN=0, ACK=1
2) Check filter table; the matching rule says check stateful table:
action | source address | dest address | proto | source port | dest port | flag bit | check conn
allow  |                | outside of   | TCP   | > 1023      | 80        | any      |
allow  | outside of     |              | TCP   | 80          | > 1023    | ACK      | x
allow  |                | outside of   | UDP   | > 1023      | 53        | ---      |
allow  | outside of     |              | UDP   | 53          | > 1023    | ----     | x
deny   |                |              |       |             |           |          |
3) Connection is in connection table: let packet through

Application gateways (aka proxy servers)
- App gateway between user (inside) and server (outside)
- User and server talk through proxy
- Allows fine-grained, sophisticated control
- Hinders protocol attacks
- E.g.: ftp server may not allow files >= size X
(Figure: host-to-gateway ftp session, application gateway, gateway-to-remote-host ftp session)
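To make the ACL, the iptables first-match ordering and the stateful example concrete, here is an added example (not from the lecture slides) that evaluates the rule table above in top-to-bottom order and consults a connection table for the rows marked "check conn". The address columns the table lost are replaced by a packet direction, and the packet model and addresses used in the test are assumptions.

```python
from dataclasses import dataclass
# Constructed packet model: direction "out" = internal host -> outside,
# "in" = outside -> internal host; it stands in for the address columns.
@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False

HIGH, WEB, DNS = range(1024, 65536), range(80, 81), range(53, 54)
# Rows: (action, direction, proto, source port, dest port, ACK required,
# check conn). None means "any"; check conn is the stateful-table column.
ACL = [
    ("allow", "out", "TCP", HIGH, WEB, None, False),
    ("allow", "in",  "TCP", WEB, HIGH, True, True),
    ("allow", "out", "UDP", HIGH, DNS, None, False),
    ("allow", "in",  "UDP", DNS, HIGH, None, True),
    ("deny",  "any", None, None, None, None, False),
]

class PacketFilter:
    def __init__(self, rules, stateful=True, timeout=60.0):
        self.rules, self.stateful, self.timeout = rules, stateful, timeout
        self.conns = {}  # (int addr, ext addr, int port, ext port) -> last seen

    def decide(self, p, now=0.0):
        for action, direction, proto, sport, dport, ack, check_conn in self.rules:
            if direction not in ("any", p.direction) or (proto and proto != p.proto):
                continue
            if (sport and p.sport not in sport) or (dport and p.dport not in dport):
                continue
            if ack is not None and ack != p.ack:
                continue
            # First matching rule decides, as in an iptables chain built with -A.
            if check_conn and self.stateful:
                key = (p.dst, p.src, p.dport, p.sport)  # reverse of outgoing tuple
                if key not in self.conns or now - self.conns[key] > self.timeout:
                    self.conns.pop(key, None)
                    return "deny"  # no live connection was initiated from inside
                self.conns[key] = now
            elif action == "allow" and p.direction == "out" and (p.syn or proto == "UDP"):
                self.conns[(p.src, p.dst, p.sport, p.dport)] = now  # log SYN / UDP
            return action
        return "deny"
```

With `stateful=False` the same table behaves like the stateless filter of slide 15: any ACK=1 segment from source port 80 is let through.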

Mail servers and proxy Web servers
- Local mail server is application gateway: virus detection and removal
- So is Web proxy cache, e.g.: virus detection and removal

Proxy gateways
Advantages
- Can log connections, activity in connections
- Can provide caching
- Can do intelligent filtering based on content
- Simplifies service control
- Can perform user-level authentication
- Simplifies firewall rules
Disadvantages
- Not all services have proxied versions
- Need different proxy server for each service
- Requires modification of client
- Performance
- Hinders end-to-end encryption

Demilitarized Zone (DMZ)
(Figure: application gateway and firewall between the internal network and the demilitarized zone, which holds the Web server, FTP server and DNS server)
- Used for: gateways and public services
- Advantage: hacked server causes limited damage

IP traceback
- Problem: how do we determine where a malicious packet came from?
- Why? Attackers can spoof source IP address
- Benefits: determine attacker; determine zombie machine participating in DDoS attack
- Alternative: use ingress filtering

Methods for finding source
- Manual, using current IP routing
  - Link testing: how? Start from victim and test upstream links; recursively repeat until source is located; assume attack remains active until trace complete
  - Link testing: problem. Handle ISPs; located zombie
- Logging
- Automatic, using marking algorithms

Logging
- Key routers log packets (useful for forensics)
- Use data mining to find path
- Pros: post mortem works after attack stops
- Cons: high resource demand: need to store and process tons of data

Marking algorithms
- Mark packets with router addresses, deterministically or probabilistically
- Trace attack using marked packets
Strengths
- Independent of ISP management
- Little network overhead, traffic
- Trace distributed attacks, attacks post-mortem

Marking: assumptions
- Most routers remain uncompromised
- Attacker sends many packets
- Route from attacker to victim remains relatively stable
(Figure: attackers A1..A5 reach victim V through routers R6..R10 and R12)

Marking: summary
- Can determine attack path with a relatively small number of attack packets
- Need to include addresses, counter in IP datagram (e.g., via fragment fields)
- E.g.: Practical Network Support for IP Traceback by Savage et al.
- Status: lots of RFCs, but not (yet?) deployed

Network address translation (NAT)
- Also known as network masquerading, IP masquerading
- Re-writes source and/or destination address as they pass through NAT gateway
- Why: IPv4 address shortage; standard feature; some believe it enhances privacy, security
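The marking slides above describe the probabilistic scheme without showing how the victim turns marks into a path. Here is an added simulation (not from the slides or from Savage et al.'s paper) of edge sampling: each router overwrites the mark with probability p, the victim chains the sampled edges by distance, and a counter shows how many attack packets the reconstruction needed. The router order R6..R12 and the constant p are assumptions.

```python
import random

# Constructed topology: the attack path from attacker A1 to victim V, using the
# router labels of the slide; the hop order is an assumption for the example.
PATH = ["R6", "R7", "R8", "R9", "R10", "R12"]
VICTIM = "V"

def forward(path, p, rng):
    """Edge-sampling mark of one packet crossing each router in turn.
    A router overwrites the mark with probability p (start=itself, distance=0);
    otherwise it records itself as 'end' if distance is 0 and then increments
    the distance. Returns (start, end, distance) as the victim sees it, or None."""
    mark = None
    for router in path:
        if rng.random() < p:
            mark = [router, None, 0]
        elif mark is not None:
            if mark[2] == 0:
                mark[1] = router
            mark[2] += 1
    return None if mark is None else tuple(mark)

def reconstruct(marks, victim=VICTIM):
    """Victim side: group sampled edges by distance and chain them outward,
    accepting an edge only if its end matches the hop already placed below it."""
    by_dist = {}
    for start, end, dist in marks:
        by_dist.setdefault(dist, set()).add((start, end or victim))
    hops, next_hop = [], victim
    for dist in sorted(by_dist):          # distance 0 = router adjacent to V
        cands = [s for s, e in by_dist[dist] if e == next_hop]
        if len(cands) != 1:
            break                         # missing or ambiguous edge: stop here
        hops.append(cands[0])
        next_hop = cands[0]
    return list(reversed(hops))           # attacker side first

def packets_needed(path=PATH, p=0.05, max_packets=5000, seed=7):
    """Send packets until the victim's reconstruction equals the real path;
    returns (number of packets sent, reconstructed path)."""
    rng, marks = random.Random(seed), []
    for n in range(1, max_packets + 1):
        mark = forward(path, p, rng)
        if mark:
            marks.append(mark)
            if reconstruct(marks) == path:
                return n, path
    return max_packets, reconstruct(marks)
```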

Simple NAT
(Figure: NAT between the private IP addresses of the local network and the public IP addresses of the main network)

Multiple NAT
(Figure: home network with private addresses 192.168.2.12 and 192.168.2.99 behind a home NAT, ISP network with private address 10.0.0.12 behind an ISP NAT, and public address 156.148.70.32 on the main network)

NAT traversal: relay
(Figure: host A on local network 192.168.2.99 and host B on local network 10.0.0.12, each behind its own NAT, exchange traffic through relay S on the main network: step 1 from A to S, step 2 from S to B)

NAT traversal: connection reversal
(Figure: rendezvous server S on the main network, host A at 1.1.1.4, host B on local network 192.168.2.99 behind a NAT; steps 1, 2, 3)

TURN protocol
- Protocol for UDP/TCP relaying behind NAT
- Data is bounced to a public TURN server
- No hole punching
- TURN works even behind symmetric NAT

Hole punching
- Technique to allow traffic from/to a host behind a firewall/NAT without collaboration of the NAT itself
- UDP: simple
- TCP: Berkeley sockets allow a TCP socket to initiate an outgoing or listen for an incoming connection, but not both
- Solution: bind multiple sockets to same local endpoint

STUN (RFC 3489)
- Defines operations and message formats to understand type of NAT
- Discovers presence and type of NAT and firewalls between them and
- Allows applications to determine their public NAT IP address

STUNT
- Simple Traversal of UDP Through NATs and TCP too (STUNT)
- Extends STUN to include TCP functionality

NAT traversal: cooperating NAT
SOCKS
- Client-server protocol
- Enables client (behind firewall) to use server (on the public side)
- Relays traffic
- Widely adopted, e.g.: Mozilla can use SOCKS

SOCKS CONNECT
(Figure: host A behind NAT sends 1. CONNECT to the Socks proxy; the proxy 2. connect()s to server S)

SOCKS BIND
(Figure: host A behind NAT, listening on 4445, sends 1. BIND (localport=4445, S) to the Socks proxy; the proxy answers 2. Ok. Port=33102; server S then does 3. connect(33102))

NAT traversal: UPnP
- Defines: Internet Gateway Device (IGD) protocol
- Enables:
  - Learning of one's public (external) IP address
  - Enumeration of existing port mappings
  - Adding and removing port mappings
  - Assigning lease times to mappings
  - Applications to automatically configure NAT routing
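The NAT slides (simple and multiple NAT) and the UPnP slide above are illustrated by this added model (not from the lecture): a port-translating NAT rewrites outbound source endpoints, reverses the mapping for replies, drops unsolicited inbound packets, and accepts a static port mapping of the kind an application requests through UPnP IGD. Chaining two gateways shows why a mapping added on the home NAT alone does not make a host reachable through an ISP NAT. Assumed: the home NAT's outer address is the ISP-private 10.0.0.12, the ISP NAT holds the public 156.148.70.32, and 1.1.1.4 is an outside server.

```python
import itertools

class Napt:
    """Port-translating NAT gateway (constructed model): rewrites the private
    (src addr, src port) of outbound packets to (public addr, mapped port) and
    reverses the mapping for inbound packets. Packets are plain dicts."""
    def __init__(self, public_addr, first_port=40000):
        self.public = public_addr
        self.ports = itertools.count(first_port)
        self.out_map = {}   # (private addr, private port) -> mapped port
        self.in_map = {}    # mapped port -> (private addr, private port)

    def add_mapping(self, ext_port, priv_addr, priv_port):
        """Static port mapping, as an application would request via UPnP IGD."""
        self.in_map[ext_port] = (priv_addr, priv_port)
        self.out_map[(priv_addr, priv_port)] = ext_port

    def outbound(self, pkt):
        key = (pkt["src"], pkt["sport"])
        if key not in self.out_map:            # new flow: allocate a mapped port
            port = next(self.ports)
            self.out_map[key], self.in_map[port] = port, key
        return {**pkt, "src": self.public, "sport": self.out_map[key]}

    def inbound(self, pkt):
        target = self.in_map.get(pkt["dport"])
        if target is None:
            return None                        # unsolicited: no mapping, dropped
        return {**pkt, "dst": target[0], "dport": target[1]}

def send_out(nats, pkt):
    """Traverse the NAT chain from the innermost gateway toward the Internet."""
    for nat in nats:
        pkt = nat.outbound(pkt)
    return pkt

def send_in(nats, pkt):
    """Traverse the chain in reverse; any gateway without a mapping drops it."""
    for nat in reversed(nats):
        pkt = nat.inbound(pkt)
        if pkt is None:
            return None
    return pkt

# Constructed addresses following the multiple-NAT slide: the home NAT's outer
# address is ISP-private 10.0.0.12 and the ISP NAT owns public 156.148.70.32.
HOME_NAT, ISP_NAT = Napt("10.0.0.12"), Napt("156.148.70.32", first_port=50000)
CHAIN = [HOME_NAT, ISP_NAT]
```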