Advanced Security and Forensic Computing


Transcription:

Slide 1: Advanced Security and Forensic Computing
Unit 2: Network Security Elements
Dr Bill Buchanan, Reader, School of Computing. WJ Buchanan. ASFC (1)

Slide 2: OSI and Internet models
OSI model layers: Application, Presentation, Session, Transport, Network, Data Link, Physical.
Internet model layers: Application, Transport, Internet.

Slide 3: Our First Security Model
- Screening firewall: filters packets based on source/destination IP addresses and TCP ports.
- Proxy: accesses are made through the proxy.
- PIX firewall: defines the security rules.
- NAT device: maps private to public addresses.
(Diagram labels: private IP addresses, NAT, proxy, DMZ.)

Slide 4: Firewalls
Screening firewalls and proxies, placed against the Internet model:
- Proxy (Application layer): isolates the local network from untrusted networks (AKA application gateway).
- Screening firewall (Transport layer): filters on source and destination TCP ports.
- Screening firewall (Internet layer): filters on source and destination IP addresses.

Slide 5: Firewalls and Proxies
Proxy: isolates the local network from untrusted networks (AKA application gateway).
Screening firewall:
- Advantages: simple; low cost.
- Disadvantages: complexity of rules; cost of managing the firewall; lack of user authentication.

Slide 6: Screening Firewalls (section title)

Slide 7: Screening Firewall
A port on a router can be set up with ACLs to filter traffic based on the network address or on the source or destination port number. For example, the firewall may block FTP traffic going out of the network. (Diagram: router with firewall.)

Slide 8: ACLs
Fields an ACL can filter on:
- Source IP address: the address that the data packet was sent from.
- Destination IP address: the address that the data packet is destined for.
- Source TCP port: the port that the data segment originated from. Typical ports which could be blocked are FTP (port 21), TELNET (port 23) and WWW (port 80).
- Destination TCP port: the port that the data segment is destined for.
- Protocol type: filters for UDP or TCP traffic.

Slide 9: Standard ACLs
Standard ACLs filter on the source IP address only. Syntax (access-list is a global configuration command):

    Router(config)# access-list access-list-value {permit | deny} source source-mask

Examples (a standard ACL carries no protocol keyword, so the final entry is permit any, not permit ip any any):

    Router(config)# access-list 1 deny 156.1.1.10 0.0.0.0
    Router(config)# access-list 1 deny 156.1.1.0 0.0.0.255
    Router(config)# access-list 1 permit any

Applying the list inbound on an interface:

    Router(config)# interface Ethernet0
    Router(config-if)# ip address 156.1.1.130 255.255.255.0
    Router(config-if)# ip access-group 1 in

Slide 10: Standard ACLs
Applied inbound on E0 (156.1.1.130), this list denies sources in 156.1.1.0/24 (such as 156.1.1.2); traffic from any address other than 156.1.1.0 can pass:

    Router(config)# access-list 1 deny 156.1.1.0 0.0.0.255
    Router(config)# access-list 1 permit any
    Router(config)# interface Ethernet0
    Router(config-if)# ip address 156.1.1.130 255.255.255.0
    Router(config-if)# ip access-group 1 in

The wildcard mask 0.0.0.255 says: match the first three octets (156.1.1) and ignore the last. (Diagram: 156.1.1.2 on the E0 side; 161.10.11.12 and 161.10.11.13 on the E1 side.)

Slide 11: Standard ACLs
Standard ACLs are applied as near to the destination as possible, so that they do not affect any other traffic:

    interface Ethernet0
     ip address 120.11.12.13 255.255.255.0
     ip access-group 1 in
    access-list 1 deny 156.1.1.0 0.0.0.255
    access-list 1 permit any

(Diagram: source 156.1.1.2 behind E0 156.1.1.130; hosts 161.10.11.12 and 161.10.11.13.)

Slide 12: Extended ACLs
Extended ACLs (numbered 100 to 199) test both source and destination, and optionally protocol and port. Syntax:

    Router(config)# access-list access-list-value {permit | deny} {test-conditions}

Three examples, each followed by an entry that permits everything else:

    Router(config)# access-list 100 deny ip host 156.1.1.134 156.70.1.1 0.0.0.0
    Router(config)# access-list 100 permit ip any any

    Router(config)# access-list 100 deny ip 156.1.1.0 0.0.0.255 156.70.1.0 0.0.0.255
    Router(config)# access-list 100 permit ip any any

    Router(config)# access-list 100 deny ip 156.1.1.0 0.0.0.254 host 156.70.1.1
    Router(config)# access-list 100 permit ip any any

Applying the list inbound:

    Router(config)# interface Ethernet0
    Router(config-if)# ip address 156.1.1.130 255.255.255.192
    Router(config-if)# ip access-group 100 in

Slide 13: Extended ACLs
Denies traffic from host 156.1.1.2 to the 70.1.2.0 network:

    Router(config)# access-list 100 deny ip host 156.1.1.2 70.1.2.0 0.0.0.255
    Router(config)# access-list 100 permit ip any any

Denies traffic from any host on 156.1.1.0 to the 70.1.2.0 network:

    Router(config)# access-list 100 deny ip 156.1.1.0 0.0.0.255 70.1.2.0 0.0.0.255
    Router(config)# access-list 100 permit ip any any

(Diagram: 156.1.1.2 behind E0 156.1.1.130; 161.10.11.12 and 161.10.11.13 on E1.)

Slide 14: Example of an Extended ACL
Extended ACLs are applied as near to the source as possible, as they are more targeted. Traffic from the 156.1.1.0 network to the barred site 140.5.6.7 is blocked; all other traffic can flow. The barred destination is a single host, so it is written host 140.5.6.7 rather than with a 0.0.0.255 wildcard, which would bar the whole 140.5.6.0/24 range:

    interface Ethernet0
     ip address 156.1.1.130 255.255.255.0
     ip access-group 100 in
    access-list 100 deny ip 156.1.1.0 0.0.0.255 host 140.5.6.7
    access-list 100 permit ip any any

(Diagram: 156.1.1.2 behind E0 156.1.1.130; 161.10.11.12 and 161.10.11.13 beyond the router.)

Slide 15: Extended ACLs filtering TCP traffic
An extended ACL can also filter for TCP/UDP traffic, such as:

    Router(config)# access-list access-list-value {permit | deny} {tcp | udp | igrp} source source-mask destination destination-mask [{eq | neq | lt | gt} port]

The port test in brackets is optional (and only applies to tcp and udp). No Telnet access from the 156.1.1.0 network to 156.70.1.1 on E1:

    access-list 101 deny tcp 156.1.1.0 0.0.0.255 host 156.70.1.1 eq telnet
    access-list 101 permit ip any any

(Diagram: 156.1.1.2 behind E0 156.1.1.130; 156.70.1.1 on E1; 161.10.11.12 and 161.10.11.13.)

Slide 16: Open and closed firewalls
A closed firewall permits some things and denies everything else:

    access-list 101 permit ...
    access-list 101 deny ip any any

An open firewall denies some things and permits everything else:

    access-list 101 deny ...
    access-list 101 permit ip any any

(Diagram: both lists applied at E0 156.1.1.130, with 156.1.1.2 inside and 161.10.11.12, 161.10.11.13 beyond E1.)

Slide 17: For example, blocking Kazaa, Gnutella, Napster and ICQ
To block Napster traffic destined for port 8888 (each list must end with permit ip any any; otherwise the implicit deny at the end of the list blocks all other traffic entering e0):

    (config)# access-list 100 deny tcp 192.5.5.0 0.0.0.255 any eq 8888 log
    (config)# access-list 100 deny udp 192.5.5.0 0.0.0.255 any eq 8888 log
    (config)# access-list 100 permit ip any any
    (config)# interface e0
    (config-if)# ip access-group 100 in

or Kazaa (on port 1214):

    (config)# access-list 101 deny tcp 192.5.5.0 0.0.0.255 any eq 1214 log
    (config)# access-list 101 deny udp 192.5.5.0 0.0.0.255 any eq 1214 log
    (config)# access-list 101 permit ip any any
    (config)# interface e0
    (config-if)# ip access-group 101 in

Gnutella can be blocked with ports 6346 and 6347, while ICQ is blocked with port 5190.
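The ACL behaviour of slides 9 to 17 (wildcard masks, top-down first match, and the implicit deny that makes a list "closed" unless it ends in permit ip any any) as a small Python model. This is an added example, not code from the slides or from Cisco IOS: the parser is a constructed one that covers only the syntax the slides use, and the port-name table holds only the names that appear above.

```python
"""Model of Cisco IOS access-list matching: wildcard masks, first match wins,
and the implicit deny at the end of every list.  Added example, not the deck's
code; the parser covers only the syntax subset used on these slides."""
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")
PORTS = {"telnet": 23, "ftp": 21, "http": 80, "www": 80, "pop3": 110}
Packet = namedtuple("Packet", "proto src dst dport")   # dport=None for non-TCP/UDP

@dataclass
class ACE:
    action: str               # "permit" or "deny"
    proto: str                # "ip" matches every protocol
    src: Tuple[str, str]      # (address, wildcard)
    dst: Tuple[str, str]
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and wildcard_match(p.src, *self.src)
                and wildcard_match(p.dst, *self.dst)
                and (self.dport is None or self.dport == p.dport))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bits set to 1 are ignored; bits set to 0 must match exactly."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)

def _addr(tokens: List[str]) -> Tuple[Tuple[str, str], List[str]]:
    """Consume 'any', 'host A' or 'A WILDCARD'; a bare address means one host."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    if len(tokens) > 1 and tokens[1][0].isdigit():
        return (tokens[0], tokens[1]), tokens[2:]
    return (tokens[0], "0.0.0.0"), tokens[1:]

def parse_ace(line: str) -> ACE:
    """Parse one 'access-list N {permit|deny} ...' line (a trailing 'log' is ignored)."""
    t = line.split()
    number, action, rest = int(t[1]), t[2], t[3:]
    if number < 100:                       # standard list: source address only
        return ACE(action, "ip", _addr(rest)[0], ANY)
    proto, rest = rest[0], rest[1:]        # extended list: protocol, source, destination
    src, rest = _addr(rest)
    dst, rest = _addr(rest)
    dport = None
    if rest[:1] == ["eq"]:                 # optional destination port test
        dport = PORTS.get(rest[1]) or int(rest[1])
    return ACE(action, proto, src, dst, dport)

def evaluate(acl: List[str], packet: Packet) -> str:
    """First matching entry decides; no match at all means the implicit deny applies."""
    for ace in map(parse_ace, acl):
        if ace.matches(packet):
            return ace.action
    return "deny"
```

Running the slide 17 Napster list through evaluate() without its final permit ip any any shows why that entry matters: a harmless web packet from 192.5.5.0/24 is denied along with the port 8888 traffic.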

Slide 18: NAT (section title)

Slide 19: Network address translation
PAT (Port Address Translation) maps many addresses to one global address. (Diagram: outgoing data from inside host 192.168.10.12:4444 leaves the NAT device as 168.10.34.21:5555; incoming data to 168.10.34.21:5555 is translated back to 192.168.10.12:4444.)

Slide 20: Network address translation
The NAT router remembers the source and destination IP addresses and ports:

    IP:port (inside)      IP:port (outside)     IPdest:port
    192.168.10.12:4444    168.10.34.21:5555     11.122.33.44:80

Slide 21: Network address translation
New connections are added to the table:

    IP:port (inside)      IP:port (outside)     IPdest:port
    192.168.10.12:4444    168.10.34.21:5555     11.122.33.44:80
    192.168.10.12:4445    168.10.34.21:5556     11.122.33.44:80
    192.168.10.12:4446    168.10.34.21:5557     11.122.33.44:80
    192.168.10.20:1234    168.10.34.21:5558     11.122.33.44:80

Slide 22: Network address translation
NAT:
- Hides the addresses of the internal network.
- Bars direct contact with a host.
- Increases the range of addresses available.
- Allows easy creation of subnetworks.
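The translation table of slides 19 to 22 as an added Python model (not code from the slides): the public address 168.10.34.21 fronts the private hosts, each new outbound flow gets the next outside port starting at 5555, and an inbound packet is translated back only when it matches a remembered flow, which is what "bars direct contact with a host". The port-allocation order and the drop rules are assumptions of the model, not something the slides specify.

```python
"""Model of the PAT translation table on slides 19 to 21.  Added example, not
the deck's code: one public address fronts the private hosts, each new outbound
flow is given a fresh outside port, and an inbound packet is only translated
back if it matches a remembered flow."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]            # (IP address, port)


@dataclass
class PatTable:
    public_ip: str
    next_port: int = 5555             # first outside port handed out, as on slide 20
    # outside port -> (inside endpoint, destination endpoint)
    entries: Dict[int, Tuple[Endpoint, Endpoint]] = field(default_factory=dict)

    def outbound(self, inside: Endpoint, dest: Endpoint) -> Endpoint:
        """Translate an outgoing packet's source to public_ip:outside_port.
        An existing flow keeps its port; a new flow gets the next free one."""
        for port, (ins, dst) in self.entries.items():
            if ins == inside and dst == dest:
                return (self.public_ip, port)
        port, self.next_port = self.next_port, self.next_port + 1
        self.entries[port] = (inside, dest)
        return (self.public_ip, port)

    def inbound(self, src: Endpoint, outside: Endpoint) -> Optional[Endpoint]:
        """Translate an incoming packet's destination back to the inside host.
        Returns None (drop) when no flow matches: an unsolicited packet to the
        public address, or a reply from a host other than the one contacted."""
        if outside[0] != self.public_ip:
            return None
        entry = self.entries.get(outside[1])
        if entry is None or entry[1] != src:
            return None
        return entry[0]

    def rows(self) -> List[Tuple[str, str, str]]:
        """The table as the slides draw it: inside, outside, destination."""
        return [(f"{ins[0]}:{ins[1]}", f"{self.public_ip}:{port}", f"{dst[0]}:{dst[1]}")
                for port, (ins, dst) in sorted(self.entries.items())]


def replay_slide_21() -> PatTable:
    """Replay the four web connections of slide 21 through a fresh table."""
    nat = PatTable("168.10.34.21")
    web = ("11.122.33.44", 80)
    for inside in [("192.168.10.12", 4444), ("192.168.10.12", 4445),
                   ("192.168.10.12", 4446), ("192.168.10.20", 1234)]:
        nat.outbound(inside, web)
    return nat
```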

Slide 23: NAT
- Static translation: each public IP address translates to a private one through a static table. Good for security/logging/traceability. Bad, as it does not hide the internal network.
- IP masquerading (dynamic translation): a single public IP address is used for the whole network. The table is thus dynamic.
- Load balancing translation: a request is made to a resource, such as a WWW server; the NAT device then looks at the current loading of the systems and forwards the request to the one which is most lightly used.
(Diagram: private addresses a1.b1.c1.d1 and a2.b2.c2.d2 mapped to public addresses w1.x1.y1.z1 and w2.x2.y2.z2 for static translation, and to the single public address w.x.y.z for masquerading.)

Slide 24: NAT - Load balancing
A request to the public address w.x.y.z is forwarded by the NAT device to the least used resource in the server pool (private addresses a1.b1.c1.d1 ... an.bn.cn.dn).

Slide 25: NAT - Backtrack connections
NAT is good as we are isolated from the external public network, where our hosts initiate the connections. But what happens if we use applications which create connections in the reverse direction, such as FTP and IRC? We thus need some form of backtracking of connections in the NAT device. (Diagram: private addresses a1.b1.c1.d1 and a2.b2.c2.d2 behind public addresses w1.x1.y1.z1 and w2.x2.y2.z2, or behind the single public address w.x.y.z.)

Slide 26: NAT - Weaknesses
Static NAT is poor for security, as it does not hide the network: there is a one-to-one mapping. Dynamic NAT is good for security, as it hides the network. Unfortunately it has two major weaknesses:
- Backtracking allows external parties to trace back a connection.
- If the NAT device becomes compromised, the external party can redirect traffic.
(Diagram: corporate WWW site a1.b1.c1.d1 behind NAT address w1.x1.y1.z1; a compromised NAT table causes the connection to point to the external intruder's WWW site.)

Slide 27: PIX firewall (section title)

Slide 28: PIX
(Diagram: a perimeter router faces the untrusted network on E0 (outside); the PIX connects E1 (inside) to the trusted network and E2 (inf2) to the DMZ.)

Slide 29: Proxies (section title)

Slide 30: Firewalls
Proxy: isolates the local network from untrusted networks (AKA application gateway).
- Advantages: user-oriented authentication; user-oriented logging; user-oriented accounting.
- Disadvantages: built specifically for each application (although the SOCKS protocol has been designed as an all-in-one proxy).

Slide 31: Blocking the Incoming Traffic to Hosts
Data can be sent from E1 (169.10.11.1) to the proxy (192.168.10.65) only; access to the proxy is allowed and everything else is barred, so the internal hosts 192.168.10.2, 192.168.10.3 and 192.168.10.4 cannot be contacted directly. ACL 100 is applied inbound on Ethernet0 and ACL 101 inbound on Ethernet1:

    hostname myrouter
    interface Ethernet0
     ip address 192.168.10.1 255.255.255.0
     ip access-group 100 in
    interface Ethernet1
     ip address 169.10.11.1 255.255.0.0
     ip access-group 101 in
    access-list 100 permit ip host 192.168.10.65 any
    access-list 100 deny ip any any
    access-list 101 permit ip any host 192.168.10.65
    access-list 101 deny ip any any
    end

Slide 32: Blocking Outgoing Traffic from Hosts
Data can be sent out only from the proxy (192.168.10.65); traffic from the other internal hosts (192.168.10.2, 192.168.10.3 and 192.168.10.4) is barred as it enters E0 (192.168.10.1). ACL 100 is applied inbound on Ethernet0 and ACL 101 inbound on Ethernet1:

    hostname myrouter
    interface Ethernet0
     ip address 192.168.10.1 255.255.255.0
     ip access-group 100 in
    interface Ethernet1
     ip address 169.10.11.1 255.255.0.0
     ip access-group 101 in
    access-list 100 permit ip host 192.168.10.65 any
    access-list 100 deny ip any any
    access-list 101 permit ip any host 192.168.10.65
    access-list 101 deny ip any any
    end

Slide 33: An Improvement - Application Level Firewall
The screened firewall only allows traffic to flow to and from the proxy; on the internal side, it only allows traffic between the hosts and the proxy.

Slide 34: Proxy setup
HTTP from the internal browsers goes out on TCP port 6588 to the proxy (192.168.10.65); the proxy then makes the access to the WWW site on port 80.

Slide 35: Proxy setup
Services the proxy (192.168.10.65) listens on; the access to the WWW site itself is made on port 80:
- HTTP (web browsers): port 6588
- HTTPS (secure web browsers): port 6588
- SOCKS4 (TCP proxying): port 1080
- SOCKS4a (TCP proxying with DNS lookups): port 1080
- SOCKS5 (only partial support, no UDP): port 1080
- NNTP (Usenet newsgroups): port 119
- POP3 (receiving email): port 110
- SMTP (sending email): port 25
- FTP (file transfers): port 21

Slide 36: Filtering incoming ports
Only telnet, ftp, http and pop3 are allowed in to the proxy (192.168.10.65) on Ethernet1; everything else is denied:

    hostname myrouter
    interface Ethernet1
     ip address 169.10.11.1 255.255.0.0
     ip access-group 101 in
    access-list 101 permit tcp any host 192.168.10.65 eq telnet
    access-list 101 permit tcp any host 192.168.10.65 eq ftp
    access-list 101 permit tcp any host 192.168.10.65 eq http
    access-list 101 permit tcp any host 192.168.10.65 eq pop3
    access-list 101 deny ip any any
    end

Note that this list admits only connections opened from outside to those four service ports on the proxy; replies to connections the proxy itself opens outward arrive with other destination ports and fall through to the final deny unless a further entry (for example one using the established keyword) admits them.

Slide 37: Filtering outgoing ports
Only telnet, ftp, http and pop3 are allowed out from the proxy (192.168.10.65) on Ethernet0; everything else is denied:

    hostname myrouter
    interface Ethernet0
     ip address 192.168.10.1 255.255.255.0
     ip access-group 100 in
    access-list 100 permit tcp host 192.168.10.65 any eq telnet
    access-list 100 permit tcp host 192.168.10.65 any eq ftp
    access-list 100 permit tcp host 192.168.10.65 any eq http
    access-list 100 permit tcp host 192.168.10.65 any eq pop3
    access-list 100 deny ip any any
    end

Slide 38: Proxy logging
Access is made to the WWW site on port 80 through the proxy (192.168.10.65); the proxy's log reads:

    03/06/2003 21:26:19.957: 3750332 - HTTP Client connection accepted from 192.168.0.20
    03/06/2003 21:26:21.620: 3773004 - HTTP Client connection accepted from 192.168.0.20
    03/06/2003 21:26:23.232: 3773004 - HTTP Closing socket (2)
    03/06/2003 21:26:23.863: 3773004 - HTTP Client connection accepted from 192.168.0.20
    03/06/2003 21:26:26.527: 3773004 - HTTP Closing socket (2)
    03/06/2003 21:26:26.737: 3773004 - HTTP Client connection accepted from 192.168.0.20
    03/06/2003 21:26:29.091: 3773004 - HTTP Closing socket (2)
    03/06/2003 21:26:29.371: 3773004 - HTTP Client connection accepted from 192.168.0.20
    03/06/2003 21:26:29.431: 3750332 - HTTP Closing socket (2)
    03/06/2003 21:26:30.453: 3773004 - HTTP Closing socket (1)
    03/06/2003 21:26:31.644: 3750332 - HTTP Client connection accepted from 192.168.0.20
    03/06/2003 21:26:32.786: 3750332 - HTTP Closing socket (1)
    03/06/2003 21:26:33.126: 3750332 - HTTP Client connection accepted from 192.168.0.20

Slide 39: Proxy logging
The log will always show the address of the proxy. A proxy allows:
- The hosts to be hidden from the outside.
- Private addresses to be used for the internal network.
- Logging of data packets.
- User-level authentication, where users may require a username and a password.
- Isolation of nodes inside the network, as they cannot be directly contacted.