Prof. Bill Buchanan Room: C.63

Similar documents
Wireless LANs (CO72047) Bill Buchanan, Reader, School of Computing.

7 Filtering and Firewalling

Prof. Bill Buchanan Room: C.63

Advanced Security and Forensic Computing

Advanced Security and Mobile Networks

Configuring IPv6 ACLs

Wireless LANs (CO72047)

Configuring Commonly Used IP ACLs

Router and ACL ACL Filter traffic ACL: The Three Ps One ACL per protocol One ACL per direction One ACL per interface

Appendix B Policies and Filters

Creating an IP Access List to Filter IP Options, TCP Flags, or Noncontiguous Ports

TCP /IP Fundamentals Mr. Cantu

IPv6 Access Control Lists

Prerequisites for Creating an IP Access List to Filter IP Options TCP Flags Noncontiguous Ports

Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports

Implementing Traffic Filtering with ACLs

CCNA 1 Chapter 7 v5.0 Exam Answers 2013

Chapter 8 roadmap. Network Security

Interconnecting Networks with TCP/IP

Understanding Access Control Lists (ACLs) Semester 2 v3.1

Wireless Filtering and Firewalling

Interconnecting Networks with TCP/IP. 2000, Cisco Systems, Inc. 8-1

HP High-End Firewalls

Sybex CCENT Chapter 12: Security. Instructor & Todd Lammle

Information about Network Security with ACLs

Packet Header Formats

ECE4110 Internetwork Programming. Introduction and Overview

6 Network Security Elements

Object Groups for ACLs

How to Create an IP Access List to Filter IP Options TCP Flags Noncontiguous Ports or TTL Values,

Prerequisites for Creating an IP Access List to Filter IP Options TCP Flags Noncontiguous Ports

Introduction to Internet. Ass. Prof. J.Y. Tigli University of Nice Sophia Antipolis

TSIN02 - Internetworking

Console Server. Con. Cisco Aironet Port Figure 1: Aironet configuration

Introduction to TCP/IP networking

2002, Cisco Systems, Inc. All rights reserved.

Object Groups for ACLs

TSIN02 - Internetworking

Applied IT Security. System Security. Dr. Stephan Spitz 6 Firewalls & IDS. Applied IT Security, Dr.

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Object Groups for ACLs

CSC Network Security

Implementing Firewall Technologies

Lab - Using Wireshark to Examine TCP and UDP Captures

OSI Transport Layer. objectives

TSIN02 - Internetworking

TSIN02 - Internetworking

Configuring Network Security with ACLs

Unit 6. Author: W.Buchanan. IP The Address (1)

Creating an IP Access List to Filter IP Options TCP Flags Noncontiguous Ports or TTL Values

Network Security: Firewalls. Tuomas Aura T Network security Aalto University, Nov-Dec 2013

Chapter 2 - Part 1. The TCP/IP Protocol: The Language of the Internet

Transport Layer. <protocol, local-addr,local-port,foreign-addr,foreign-port> ϒ Client uses ephemeral ports /10 Joseph Cordina 2005

History Page. Barracuda NextGen Firewall F

Network Model. Why a Layered Model? All People Seem To Need Data Processing

Module : ServerIron ADX Packet Capture

Configuring an IP ACL

Defining Networks with the OSI Model. Module 2

Configuring IP Session Filtering (Reflexive Access Lists)

Firewalls. Firewall. means of protecting a local system or network of systems from network-based security threats creates a perimeter of defense

EE 610 Part 2: Encapsulation and network utilities

CCNA Access List Questions

Transport Layer. Gursharan Singh Tatla. Upendra Sharma. 1

Chapter 4 Software-Based IP Access Control Lists (ACLs)

Configuring ACLs. ACL overview. ACL categories. ACL numbering and naming

Introduction to Network. Topics

Support for policy-based routing applies to the Barracuda Web Security Gateway running version 6.x only.

Routers use access lists to control incoming or outgoing traffic. You should know the following characteristics of an access list.

Introduction p. 1 The Need for Security p. 2 Public Network Threats p. 2 Private Network Threats p. 4 The Role of Routers p. 5 Other Security Devices

This document is a tutorial related to the Router Emulator which is available at:

Lab Configuring and Verifying Extended ACLs Topology

Hands-On Ethical Hacking and Network Defense

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

20-CS Cyber Defense Overview Fall, Network Basics

Extended ACL Configuration Mode Commands

Concept Questions Demonstrate your knowledge of these concepts by answering the following questions in the space that is provided.

Network Security. Thierry Sans

NAPIER UNIVERSITY SCHOOL OF COMPUTING

Protocol Layers & Wireshark TDTS11:COMPUTER NETWORKS AND INTERNET PROTOCOLS

POS Example Exam. 1) 6b I-SUB-06-EX-0

ECE 650 Systems Programming & Engineering. Spring 2018

Networking Technologies and Applications

ch02 True/False Indicate whether the statement is true or false.

ICS 351: Networking Protocols

Network Security. Introduction to networks. Radboud University, The Netherlands. Autumn 2015

ACL Rule Configuration on the WAP371

Applied Networks & Security

Software Engineering 4C03 Answer Key

CCNA Exploration Network Fundamentals. Chapter 04 OSI Transport Layer

Lab - Troubleshooting Standard IPv4 ACL Configuration and Placement Topology

Lab - Troubleshooting ACL Configuration and Placement Topology

ECPE / COMP 177 Fall Some slides from Kurose and Ross, Computer Networking, 5 th Edition

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

User Datagram Protocol

Configuration Examples

Firewalls and NAT. Firewalls. firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others.

ACL & QoS Configuration Commands

Sirindhorn International Institute of Technology Thammasat University

CCNA R&S: Introduction to Networks. Chapter 7: The Transport Layer

IP Protocols. ALTTC/Oct

Transcription:

Wireless LAN CO72047 Unit 7: Filtering Prof. Bill Buchanan Contact: w.buchanan@napier.ac.uk Room: C.63 Telephone: X2759 MSN Messenger: w_j_buchanan@hotmail.com WWW: http://www.dcs.napier.ac.uk/~bill http://buchananweb.co.uk

Module Descriptor

Week Date Academic Cisco Lab/Tutorial 1 1 Oct 1: Radio Wave Fundamentals 2 8 Oct 2: Wireless Fundamentals Intro to Wireless LANs Lab 1/2: Access Point Tutorial 1 (T) 3 15 Oct 3: Ad-hoc and Infrastructure Networks IEEE 802.11 and NICs Lab 3: Ad-hoc Networks 4 22 Oct 4: Encryption Wireless Radio Technology Lab 4: Infrastructure Networks 5 29 Oct 5: Authentication Wireless Topologies Lab 5: Remote Connections 6 5 Nov 6: Antennas Access Points Lab 6: Encryption/Authen 7 12 Nov 7: Filtering/8. VLANs Bridges Lab 7: Filter 8 19 Nov Napier Test (40%) Antennas Lab 8: VLAN 9 26 Nov Security Lab 9: VLAN/802.1Q 10 3 Dec Cisco Academy/Additional Material Applications Lab 10: IP Routing 11 10 Dec Cisco Academy /Additional Material Site Survey Lab 11: RADIUS 12 17 Dec Cisco Academy /Additional Material Troubleshooting Lab 12: SNMP Holidays 13 7 Jan Revision/Cram (Cisco Exam) Emerging Technologies Coursework/Practical (50%) 14 14 Jan Revision/Cram (Cisco Exam) Cisco Exam (10%) 15 21 Jan

Wireless connections which technology? Areas covered: Filtering. ACLs. MAC address filtering.

Background

E-mail E-mail application application program program Application Application Application program program makes makes contact contact with with network network application application for for e-mail e-mail Hello. Fred. Physical The The data data frame frame is is converted converted into into binary binary form form and and transmitted transmitted over over a a physical physical connection connection Start Start Start Presentation Convert Convert data data into into a a form form which which can can be be transmitted transmitted To: Fred From: Bert Hello. Fred. Addr Addr Addr Seg 1 Seg 2 Seg 3 Data link End End End Data Data packet packet converting converting into into a a form form which which can can be be transmitted transmitted over over the the network network Data encapsulation Session Contact Contact remote remote system system and and request request a a transmission transmission HELO sys.com FOR Fred To: Fred From: Bert Hello. Fred. Network Add Add source source and and destination destination addresses addresses Addr Addr Addr Transport Negotiate Negotiate data data transfer transfer and and split split data data into into segments segments Seg 1 Seg 2 Seg 3 Seg 1 Seg 2 Seg 3

Terms for each layer 1 2 Data segments (TCP) Data packets (IP) Internet Ethernet Data frame

IP and TCP... The Greatest of the Protocols!

IP and MAC Addresses MAC1, IP1 IP Src: IP1 IP Dest: IP8 MAC Src: MAC1 MAC Dest: MAC2 MAC2, IP2 The IP addresses stay the same but the MAC address changes MAC3, IP3 MAC4, IP4 IP Src: IP1 IP Dest: IP8 MAC Src: MAC3 MAC Dest: MAC4 MAC5, IP5 MAC6, IP6 MAC7, IP7 MAC8, IP8 IP Src: IP1 IP Dest: IP8 MAC Src: MAC5 MAC Dest: MAC6 IP Src: IP1 IP Dest: IP8 MAC Src: MAC7 MAC Dest: MAC8

IP and TCP IP address is used to route data around the Internet TCP part allows applications to communicate over the network Network Network Data Data Link Link Physical Physical

IP and MAC Addresses [Gateway is the port of the router] MAC1, IP1 MAC2, IP2 Each network segment determines MAC addresses of gateways by sending and ARP broadcast. MAC3, IP3 MAC4, IP4 MAC5, IP5 MAC6, IP6 MAC7, IP7 MAC8, IP8 ARP broadcasts

IP header IP IP TCP TCP Higher-level protocol/data Data Packet Version Header Header length length Type of of service Total length Identification 0 D M Fragment Offset Time-to-Live Header Checksum Source IP IP Address Destination IP IP Address Protocol 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Protocol (8 bits). Different transport protocols can be used on the datagram. The 8-bit protocol field defines the type to be used. E.g. 1 ICMP and 6 TCP.

Synchronization and acknowledgement Client Server Synchronize Negotiate connection Synchronize Acknowledgement Connection Connection established established Data transfer

Windowing Transmitter Window defined as three Receiver Data [S=1] Data [S=2] Data [S=3] Ack [R=4] Data [S=4] Data [S=5] Data [S=6] Ack [R=7]

TCP operation Client uses a unique local software port for the connection Client makes a connection with its own local port and the destination port of the server Server listens on a given port. Every client who wants this service connects to this port

TCP operation The binding of the local and destination port, and the local and destination addresses creates a unique socket Sockets allow application programs to send data to a socket interface

Example Port = 1000 Port = 80 (HTTP) WWW server

Example Port = 1000 Port = 1000 Port = 80 (HTTP) Port = 80 (HTTP) WWW server

Example Port = 1000 Port = 1001 Port = 80 (HTTP) Port = 1000 If the device communicates with the same server, it must create a new port (in this case, 1001) Port = 80 (HTTP) WWW server

Example Port = 1000 Port = 1001 Src port=1001 Dest port=80 Port = 80 (HTTP) Port = 1000 If the device communicates with the same server, it must create a new port (in this case, 1001) Port = 80 (HTTP) WWW server

Example Port = 1000 Port = 1001 Src port=80 Dest port=1001 Port = 80 (HTTP) Port = 1000 Port = 80 (HTTP) If the device communicates with the same server, it must create a new port (in this case, 1001) WWW server

TCP header IP IP Data offset TCP TCP Source port port Destination port port Sequence number Acknowledgement number Higher-level protocol/data Reserved/Flags Window Checksum UrgentPtr 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Data Packet Source and destination port number which are 16-bit values that identify the local port number (source number and destination port number or destination port).

TCP header IP IP Data offset TCP TCP Source port port Destination port port Sequence number Acknowledgement number Higher-level protocol/data Reserved/Flags Window Checksum UrgentPtr 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Data Packet Sequence number which identifies the current sequence number of the data segment. This allows the receiver to keep track of the data segments received. Any segments that are missing can be easily identified. The sequence number of the first data byte in this segment (except when SYN is present). If SYN is present the sequence number is the initial sequence number (ISN) and the first data octet is ISN+1.

TCP header IP IP TCP TCP Source port port Destination port port Sequence number Acknowledgement number Higher-level protocol/data Data Packet Acknowledgement number when the ACK bit is set, it contains the value of the next sequence number the sender of the packet is expecting to receive. This is always set after the connection is made. Data offset Reserved/Flags Window Checksum UrgentPtr 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

TCP header IP IP TCP TCP Source port port Destination port port Sequence number Acknowledgement number Higher-level protocol/data Data Packet Flags the flag field is defined as UAPRSF, where U is the urgent flag (URG), A the acknowledgement flag (ACK), P the push function (PSH), R the reset flag (RST), S the sequence synchronise flag (SYN) and F the end-oftransmission flag (FIN). Data offset Reserved/Flags Window Checksum UrgentPtr 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

Examples of Data Exchange Originator Recipient 1. CLOSED LISTEN 2. SYN-SENT <SEQ=999><CTL=SYN> SYN-RECEIVED 3. ESTABLISHED <SEQ=100><ACK=1000><CTL=SYN,ACK> SYN-RECEIVED 4. ESTABLISHED <SEQ=1000><ACK=101><CTL=ACK> ESTABLISHED 5. ESTABLISHED <SEQ=1000><ACK=101><CTL=ACK><DATA> ESTABLISHED Originator Recipient 1. CLOSED LISTEN 2. SYN-SENT <SEQ=999><CTL=SYN> 3. (duplicate) <SEQ=900><CTL=SYN> 4. SYN-SENT <SEQ=100><ACK=901> <CTL=SYN,ACK> SYN-RECEIVED 5. SYN-SENT <SEQ=901><CTL=RST> LISTEN (packet 2 received) 7. SYN-SENT <SEQ=100><ACK=1000><CTL=SYN,ACK> SYN-RECEIVED 8. ESTABLISHED <SEQ=1000><ACK=101><CTL=ACK><DATA> ESTABLISHED

SYN SYN, ACK ACK Client Server

SYN SYN SYN, ACK ACK Client Server

SYN, ACK SYN SYN, ACK ACK Client Server

ACK SYN SYN, ACK ACK Client Server

Filtering

Layer filtering Filtering Application Application Application Application Transport Transport Transport Transport TCP/UDP/ ICMP Internet Internet Internet Internet Internet Internet IP/IPX Network Network Network Network Network Network MAC Host A Intermediate system Host B

Firewalls Screening Firewalls and Proxies: Proxy - isolates local network from untrusted networks (AKA: Application gateway) Application Transport Screening firewall: Filters for source and destination TCP ports Internet Screen firewall: Filters for source and destination IP addresses Internet model

Firewalls and Proxies Screening Firewalls and Proxies: Proxy - isolates local network from untrusted networks (AKA: Application gateway) Application Transport Screening firewall: Advantages: -Simple. - Low costs Disadvantages: - Complexity of rules. - Cost of managing firewall. - Lack of user-authentication. Internet Internet model

Distribution Access Core Proxies/ Public access servers DMZ (Demilitarized Zone)

Core Proxies/ Public access servers PIX PIX firewall. firewall. Defines Defines security security rules rules DMZ (Demilitarized Zone) Distribution Access

Core Proxies/ Public access servers Screening Screening firewall. firewall. Filters Filters packets, packets, based based on on source/destination source/destination IP IP addresses addresses and and TCP TCP ports ports DMZ (Demilitarized Zone) Distribution Access

Core Proxies/ Public access servers DMZ (Demilitarized Zone) VLAN1 Distribution VLAN2 Access

Core Proxies/ Public access servers DMZ (Demilitarized Zone) Distribution VLANs. VLANs. MAC MAC filtering. filtering. IP IP filtering. filtering. TCP TCP filtering. filtering. NAT. NAT. Access

Screening Firewall

Screening Firewall For example the firewall may block FTP traffic going out of the network. Router with firewall A port on a router can be setup with ACLs to filter traffic based on the network address or the source or destination port number

ACLs MAC address. Source IP address. The address that the data packet was sent from. Destination IP address. The address that the data packet is destined for. Source TCP port. The port that the data segment originated from. Typical ports which could be blocked are FTP (port 21), TELNET (port 23), and WWW (port 80). Destination TCP port. The port that the data segment is destined for. Protocol type. This filters for UDP or TCP traffic.

MAC address filtering

Scope of MAC address filtering Defined by broadcast domain

access-list [<700-799> <1100-1199>] [deny permit] [source ac] [source mask] [dest mac] [dest mask] For example to disallow the node with the mac address of 0090.4b54.d83a access to 0060.b39f.cae1: (config)# access-list 1101 deny 0090.4b54.d83a 0.0.0 0060.b39f.cae1 0.0.0 (config)# access-list 1101 permit 0.0.0 ffff.ffff.ffff 0.0.0 ffff.ffff.ffff (config)# int d0 (config-if)# l2-filter bridge-group-acl (config-if)# bridge-group input-address-list 1101 0 D D0

Standard ACLs

Standard ACLs Router# access-list access-list-value {permit deny} source source-mask Router# access-list 1 deny 156.1.1.10 0.0.0.0 Router# access-list 1 deny 156.1.1.0 0.0.0.255 Router# access-list 1 deny 156.1.1.0 0.0.0.255 Router# access-list 1 permit ip any any Standard ACLs filter on the source IP address Router (config)# interface Ethernet0 Router (config-if)# ip address 156.1.1.130 255.255.255.0 Router (config-if)# ip access-group 1 in

Standard ACLs 156.1.1.2 156.1.1.2 E0 D0 156.1.1.130 Traffic from any address rather than 156.1.1.0 can pass 161.10.11.12 Match this part 161.10.11.13 Router# access-list 1 deny 156.1.1.0 0.0.0.255 Router# access-list 1 permit any Ignore this part Router (config)# interface D0 Router (config-if)# ip address 156.1.1.130 255.255.255.0 Router (config-if)# ip access-group 1 in

Standard ACLs 156.1.1.2 156.1.1.2 156.1.1.130 161.10.11.12 161.10.11.13 E0! interface E0 ip address 120.11.12.13 255.255.255.0 ip access-group 1 in! access-list 1 deny 156.1.1.0 0.0.0.255 access-list 1 permit any Standard ACLs are applied as near to the destination as possible, so that they do not affect any other traffic

(config)#ip access-list standard? <1-99> Standard IP access-list number <1300-1999> Standard IP access-list number (expanded range) WORD Access-list name where WORD is the name of the access-list is be defined. For example: (config)#ip access-list standard Test (config-std-nacl)#? Standard Access List configuration commands: deny Specify packets to reject exit Exit from access-list configuration mode no Negate a command or set its defaults permit Specify packets to forward and to define a standard access-list: (config-std-nacl)#deny 156.1.1.0 0.0.0.255 (config-std-nacl)#permit? Hostname or A.B.C.D Address to match any Any source host host A single host address

(config-std-nacl)#permit? Hostname or A.B.C.D Address to match any Any source host host A single host address (config-std-nacl)#permit any? log Log matches against this entry <cr> (config-std-nacl)#permit any It can then be applied with: (config)#int e0 (config-if)#ip access-group? <1-199> IP access list (standard or extended) <1300-2699> IP expanded access list (standard or extended) WORD Access-list name (config-if)#ip access-group Test? in inbound packets out outbound packets (config-if)#ip access-group Test in

Extended ACLs

Extended ACLs Router# access-list access-list-value {permit deny} {test-conditions} Router(config)#access-list 100 deny ip host 156.1.1.134 156.70.1.1 0.0.0.0 Router(config)#access-list 100 permit ip any any Router(config)#access-list 100 deny ip 156.1.1.0 0.0.0.255 156.70.1.0 0.0.0.255 Router(config)#access-list 100 permit ip any any Router(config)#access-list 100 deny ip 156.1.1.0 0.0.0.254 host 156.70.1.1 Router(config)#access-list 100 permit ip any any Router (config)# interface Ethernet0 Router (config-if)# ip address 156.1.1.130 255.255.255.192 Router (config-if)# ip access-group 100 in

Extended ACLs 156.1.1.2 156.1.1.2 E0 D0 156.1.1.130 161.10.11.12 161.10.11.13 from to (config)#access-list 100 deny ip host 156.1.1.2 70.1.2.0 0.0.0.255 (config)#access-list 100 permit ip any any Denies traffic from 156.1.1.2 to the 70.1.2.0 network (config)#access-list 100 deny ip 156.1.1.0 0.0.0.255 70.1.2.0 0.0.0.255 (config)#access-list 100 permit ip any any Denies traffic from any host on 156.1.1.0 to the 70.1.2.0 network

Example of an Extended ACL Traffic blocked to the barred site 156.1.1.2 156.1.1.2 All other traffic can flow 156.1.1.130 161.10.11.12 161.10.11.13! interface D0 ip address 156.1.1.130 255.255.255.0 ip access-group 100 in! access-list 100 deny ip 156.1.1.0 0.0.0.255 140.5.6.7 0.0.0.255 access-list 100 permit ip any any 140.5.6.7 Extended ACLs are applied as near to the source as possible, as they are more targeted

Extended ACLs filtering TCP traffic An extended ACLs can also filter for TCP/UDP traffic, such as: Optional field in brackets Router(config)#access-list access-list-value { permit deny } {tcp udp igrp} source source-mask destination destination-mask {eq neq lt gt} port access-list 101 deny tcp 156.1.1.0 0.0.0.255 eq any host 156.70.1.1 eq telnet access-list 101 permit ip any any No Telnet Access to 156.70.1.1 156.1.1.2 E1 E0 156.1.1.130 156.70.1.1 161.10.11.12 161.10.11.13

Open and closed firewalls access-list 101 permit. access-list 101 deny ip any any 156.1.1.2 E0 D0 156.1.1.130 A closed firewall, permits some things, and denies everything else access-list 101 deny. access-list 101 permit ip any any 156.1.1.2 E0 D0 156.1.1.130 An open firewall, denies some things, and permits everything else 161.10.11.12 161.10.11.13

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback