firewalls packet filtering recapitulation ipv4
play

Firewalls Packet Filtering Recapitulation: IPv4 Task of IP - PowerPoint PPT Presentation

Jan 14, 2024 •236 likes •725 views

IN3210 Network Security Firewalls Packet Filtering Recapitulation: IPv4 Task of IP (Network layer in general): Packet forwarding incl. routing Properties: Connection-less Adressing: source + destination IP address No

  1. IN3210 – Network Security Firewalls – Packet Filtering

  2. Recapitulation: IPv4 ⚫ Task of IP (Network layer in general): − Packet forwarding incl. routing ⚫ Properties: − Connection-less − Adressing: source + destination IP address − No QoS − No acklowledgement − No protection of packet order − No protection from packet loss / duplication ⚫ Every single IP packet is transported independently through the network

  3. Security Properties of IP ⚫ No mechanisms for: − Confidentiality − Integrity − Non-repudiation − Anonymity ⚫ Authenticity?

  4. IP and Authenticity C ⚫ Problem: IP Address Spoofing B ⚫ Principle: A − Attacker (A) sends packet to B using source IP address of C ⚫ Variants: − Denial of Service on C − Tricking B (or C): ▪ Response not required (e.g. DNS spoofing) ▪ Response can be anticipated ▪ Response can still be read by A

  5. IP Spoofing – Diagram (simplified) Network Network 131.234.142.* 129.13.182.* IP Packet Communication Partner Source Destination 129.13.182.17 131.234.142.34 129.13.182.17 Data Router Router Victim 131.234.142.34

  6. IP Spoofing ⚫ „IP Authentication“ − Law enforcement authorities use IP Address to identify source of criminal network actions − IP address is used for authentication, e.g. if you access a digital library with a university IP address − IP address is used for geolocation, e.g. hiding certain videos on YouTube ⚫ How can the attack be fended … − if attacker and victim are in the same network? − if attacker and victim are not in the same network?

  7. IP Spoofing – Diagram (simplified) Network Network 131.234.142.* 129.13.182.* IP Packet Communication Partner Source Destination 129.13.182.17 131.234.142.34 129.13.182.17 Data Router Router Victim 131.234.142.34

  8. IP Spoofing – Diagram (simplified) Network Network 131.234.142.* 129.13.182.* IP Packet Communication Partner Source Destination 129.13.182.17 129.13.182.53 129.13.182.17 Data Router Router Victim 129.13.182.53

  9. Recapitulation: ICMP ⚫ ICMP: Internet Control Protocol ⚫ Communication of status and error message, e.g. − „ Fragmentation required “ − „Destination host unreachable” ⚫ Well-known example: − Ping command: ▪ Creates ICMP „Echo Request“ ▪ Destination host responses with ICMP „Echo Reply “

  10. ICMP: Security Issues (partly historical) ⚫ Sending „Destination unreachable“ → connection interrupted ⚫ Sending „fragmentation required“ → Increasing network load ⚫ Sending „ping -of- death“ − Sending large ICMP ping packet − Packet is fragmented during transport − Reassembling results in message with illegal message size (> 65.535 bytes) → Crash of target system ⚫ Sending „Redirect message“ → Router forward packets to other location

  11. Network Services ⚫ Example: network services on a desktop computer (Windows) Proto. Local Address Foreign Address State TCP 0.0.0.0:80 0.0.0.0:0 LISTEN TCP 0.0.0.0:135 0.0.0.0:0 LISTEN TCP 0.0.0.0:445 0.0.0.0:0 LISTEN TCP 0.0.0.0:554 0.0.0.0:0 LISTEN TCP 0.0.0.0:623 0.0.0.0:0 LISTEN TCP 0.0.0.0:2869 0.0.0.0:0 LISTEN TCP 0.0.0.0:5357 0.0.0.0:0 LISTEN TCP 0.0.0.0:10243 0.0.0.0:0 LISTEN TCP 0.0.0.0:16992 0.0.0.0:0 LISTEN TCP 0.0.0.0:49152 0.0.0.0:0 LISTEN TCP 0.0.0.0:49153 0.0.0.0:0 LISTEN TCP 0.0.0.0:49154 0.0.0.0:0 LISTEN TCP 0.0.0.0:49155 0.0.0.0:0 LISTEN TCP 0.0.0.0:49157 0.0.0.0:0 LISTEN TCP 0.0.0.0:56238 0.0.0.0:0 LISTEN

  12. Firewalls: Introduction ⚫ Original: − Protection for a building / building part from fire and smoke ⚫ Network security: − No complete sealing − Controlling network traffic ⚫ Firewall: − Located between two networks − Investigates all network traffic between networks − Checks conformance to „ access control policy “ ▪ Forwarding allowed packets ▪ Droping / Rejecting denied packets

  13. Firewalls: Introduction ⚫ Common usage: Separating local (Intranet) and Internet ⚫ Required steps for buiding firewall: − Modelling security requirements − Knowledge on weaknesses and threats − Designing security strategy ⚫ No or limited protection from: − New attack patterns − Insider attacks

  14. Basic Security Policy Principles ⚫ „Default Permit“ − Default policy rule allows all incoming and outgoing traffic − Selectively block known attack communication patterns − Flexible regarding new services − No protection from new or disregarded attacks ⚫ „Default Deny“ − Default policy rule denies all traffic − Selectively allow required addresses/ports/applications − Provides better security − New service result in (expensive) policy changes

  15. Firewall inside the ISO/OSI Layer Model ⚫ Checking protocol headers of different layers: − Layer 3 + 4 (Packet Filter) − Layer 7 (Application Level Gateway) ⚫ Checking protocol content (typically not called firewall anymore) − Anti Virus Scanner − Checking content with regard to company export policy

  16. Packet Filter ⚫ Remarks − Typically implemented inside routers (but not required) – Network Packet Filters − Layer 2 information mostly not regarded (you can have though MAC Address Filtering when needed, mainly for end-points in an organization) − Does not inspect application layer protocol Application Layer Application Layer Transport Layer Transport Layer Packet Filter Network Layer Network Layer Data Link Layer Data Link Layer Physical Layer Physical Layer Network 1 Network 2

  17. Packet Filter ⚫ Possible Actions − Forwarding Packet − Dropping Packet − Rejecting Packet (and sending ICMP error message) − Logging (partly or completely) Packet ⚫ Information used in packet filter rules − Source and Destination IP Address − Transport protocol − Source and Destination port (from transport layer) − Specific flags (e.g. ACK bit from TCP) − Network interface − Action

  18. Example Scenario ⚫ Router uses Linux Netfilter/IPtables Image Source: http://ebtables.netfilter.org/br_fw_ia/br_fw_ia.html eth0 Local eth1 Internet Network SSH 10.0.0.56 131.234.142.33

  19. Security Requirements ⚫ Requirements for the sample scenario: − Clients from the local network can use all services on the Internet − The administrator can access the local network from his home office (131.234.142.33) − The SSH service on a server inside the local network (10.0.0.56) can be accessed from the Internet − All other connections shall be blocked!

  20. Stateful / Stateless Firewall ⚫ Stateless packet inspection: − Decision is solely based on current packet ⚫ Stateful packet inspection (SPI): − Current state is stored (e.g. „TCP connection established“) − Decision based on current packet and current state (Checks a table indicating the connections that have been established – faster) − More powerful than stateless inspection − However: ▪ Storing states consumes resources ▪ Denial-of-Service attacks possible ▪ Image the amount of packet per seconds transmitted in a contemporary Gigabit network!

  21. Filter Rules: iptables ⚫ Sample filter rules: iptables -P FORWARD – j DROP iptables -A FORWARD -m state --state NEW -i eth0 -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -s 131.234.142.33 -j ACCEPT iptables -A FORWARD -p tcp – d 10.0.0.56 --dport 22 - j ACCEPT

  22. Explanation of iptables rules iptables -P FORWARD – j DROP ⚫ Definition of Default policy for FORWARD chain − DROP ▪ All packets are dropped (without informing the sender) − Alternatives: − REJECT ▪ All packets are rejected and the sender is informed (ICMP „Port Unreachable “) − ACCEPT ▪ All packets are accepted (=forwarded)

  23. Explanation of iptables rules iptables -A FORWARD -m state --state NEW -i eth0 -j ACCEPT ⚫ Loading extension for stateful inspection: − -m state ⚫ Rule … − --state NEW ⚫ … matches on packets that start a connection (e.g. TCP SYN) − -i eth0 ⚫ … matches on packets coming from interface eth0 (assuming this is the LAN interface) ⚫ Packets that match the condition are accepted − -j ACCEPT

  24. Explanation of iptables rules iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT ⚫ Loading extension for stateful inspection: − -m state ⚫ Rule … − --state ESTABLISHED,RELATED ⚫ … matches on packets: − that are part of an established connection − that are related to a connection (e.g. ICMP messsages) ⚫ Packets that match the condition are accepted − -j ACCEPT

  25. Explanation of iptables rules iptables -A FORWARD -s 131.234.142.33 -j ACCEPT iptables -A FORWARD -p tcp – d 10.0.0.56 --dport 22 - j ACCEPT ⚫ All packets from source IP Address 131.234.142.33 are accepted ⚫ All packets using transport protocol and destination address 10.0.0.56 and destination port 22 are accepted

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lecture 18: Packet Filtering Firewalls (Linux) Lecture Notes on Computer and Network

Lecture 18: Packet Filtering Firewalls (Linux) Lecture Notes on Computer and Network

Lecture 18: Packet Filtering Firewalls (Linux) Lecture Notes on Computer and Network Security by Avi Kak (kak@purdue.edu) March 24, 2015 3:44pm 2015 Avinash Kak, Purdue University c Goals: Packet-filtering vs. proxy-server

828 views • 70 slides
Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy

Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy

1 Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy firewalls Stateful inspection Deep packet inspection 2 Packet filter (Access Control Lists) Treats each packet in isolation

510 views • 30 slides
Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls? Network Address Translation Types of Firewalls Linux/Windows Firewalls pfSense Blue Team Activity Brief History Firewall

348 views • 30 slides
Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and Linux Contents Introduction Highly Scalable Linux Network Stack Netfilter Hooks Packet selection based on IP Tables The Connection Tracking

444 views • 9 slides
Sampling and Filtering Techniques Sampling and Filtering Techniques for IP Packet Selection for

Sampling and Filtering Techniques Sampling and Filtering Techniques for IP Packet Selection for

Sampling and Filtering Techniques Sampling and Filtering Techniques for IP Packet Selection for IP Packet Selection draft-ietf ietf- -psamp psamp-sample-tech-00.txt -sample-tech-00.txt draft- Tanja Zseby, FhG FOKUS Maurizio Molina, NEC

600 views • 12 slides
Classification & Filtering Traffic Management October 2016 Chelsio T5/T6 Packet

Classification & Filtering Traffic Management October 2016 Chelsio T5/T6 Packet

Classification & Filtering Traffic Management October 2016 Chelsio T5/T6 Packet Classification and Filtering Features 1. Supported Match Fields with Optional Masks Up to 500K exact-match and 2K wildcard rules, 20M/sec lookup rate, 200K

92 views • 6 slides
NETWORK LAYER (Functions of Layer, IPV4 Addressing, IP Packet Headers, IP Address

NETWORK LAYER (Functions of Layer, IPV4 Addressing, IP Packet Headers, IP Address

NETWORK LAYER (Functions of Layer, IPV4 Addressing, IP Packet Headers, IP Address Assignment-Functions of IANA, AFRINIC, KENIC and ISPs) ECE 422-Data Communication & Computer Networks Wednesday, 19 February 2020 WHERE ARE WE IN THE

519 views • 25 slides
Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple firewall using Netfilter Iptables firewall in Linux Stateful Firewall Application Firewall Evading Firewalls 2 Firewalls

811 views • 55 slides
Performance Implications of Packet Filtering with Linux eBPF Dominik Scholz , Daniel Raumer, Paul

Performance Implications of Packet Filtering with Linux eBPF Dominik Scholz , Daniel Raumer, Paul

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Performance Implications of Packet Filtering with Linux eBPF Dominik Scholz , Daniel Raumer, Paul Emmerich, Alexander Kurtz, Krzysztof Lesiak

721 views • 29 slides
Palo Alto Firewall What are next generation firewalls and how do they operate? Difference between

Palo Alto Firewall What are next generation firewalls and how do they operate? Difference between

Palo Alto Firewall What are next generation firewalls and how do they operate? Difference between NGFW and classic firewalls: Classic Firewall Next Generation Firewall Traffic filtering using Port, IP, and protocol Supported Supported VPN

533 views • 25 slides
Palo Alto Firewall What are next generation firewalls and how do they operate? Difference between

Palo Alto Firewall What are next generation firewalls and how do they operate? Difference between

Palo Alto Firewall What are next generation firewalls and how do they operate? Difference between NGFW and classic firewalls: Classic Firewall Next Generation Firewall Traffic filtering using Port, IP, and protocol Supported Supported VPN

1.23k views • 26 slides
Pattern Based Packet Filtering using NetFPGA in DETER Infrastructure Article CITATIONS READS 3

Pattern Based Packet Filtering using NetFPGA in DETER Infrastructure Article CITATIONS READS 3

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/266044195 Pattern Based Packet Filtering using NetFPGA in DETER Infrastructure Article CITATIONS READS 3 109 4 authors , including:

195 views • 8 slides
Zorp and KZorp: Integrating Packet Filtering and Userspace proxying Balzs Scheidler

Zorp and KZorp: Integrating Packet Filtering and Userspace proxying Balzs Scheidler

Zorp and KZorp: Integrating Packet Filtering and Userspace proxying Balzs Scheidler <bazsi@balabit.com> www.balabit.com Zorp Has been established in 2000, as the fjrst BalaBit product Code was GPLd right from the start Initial set

590 views • 20 slides
Overview Firewall Security Perimeter Security Devices H/W vs. S/W Packet Filtering vs.

Overview Firewall Security Perimeter Security Devices H/W vs. S/W Packet Filtering vs.

Overview Firewall Security Perimeter Security Devices H/W vs. S/W Packet Filtering vs. Stateful Inspection Firewall Topologies Chapter 8 Firewall Rulebases Lecturer: Pei-yih Ting 1 2 Perimeter Security Devices Routers

291 views • 7 slides
1 IPv6 Packet Format IPv6 Packet Format 40 Byte minimum 0 8 16 31 Mandatory fields

1 IPv6 Packet Format IPv6 Packet Format 40 Byte minimum 0 8 16 31 Mandatory fields

IPv6 IPv6, MPLS History Next generation IP (AKA IPng) Intended to extend address space and routing limitations of IPv4 Requires header change Attempted to include everything new in one change IETF moderated Based

506 views • 5 slides
FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls

FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls

FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls (Categories) Implementation Best practices What are Firewalls? Internet Firewall Client/Host Network Network Security

585 views • 39 slides
Firewalls, IDS and Social Network Presenter: Yinzhi Cao Lehigh University Acknowledgement

Firewalls, IDS and Social Network Presenter: Yinzhi Cao Lehigh University Acknowledgement

CSE343/443 Lehigh University Fall 2015 Firewalls, IDS and Social Network Presenter: Yinzhi Cao Lehigh University Acknowledgement http://www.cs.northwestern.edu/~ychen/ classes/mitp-458/firewalls.ppt http://web.cse.ohio-state.edu/~xuan/

1.29k views • 81 slides
Proxy Server, Network Address Translator, Firewall 1 Proxy Server 2 1 Introduction What

Proxy Server, Network Address Translator, Firewall 1 Proxy Server 2 1 Introduction What

Proxy Server, Network Address Translator, Firewall 1 Proxy Server 2 1 Introduction What is a proxy server? Acts on behalf of other clients, and presents requests from other clients to a server. Acts as a server while talking with

365 views • 32 slides
Spring 2010 CS419 Computer Security Vinod Ganapathy Lecture 14 Chapters 6 and 9 Intrusion

Spring 2010 CS419 Computer Security Vinod Ganapathy Lecture 14 Chapters 6 and 9 Intrusion

Spring 2010 CS419 Computer Security Vinod Ganapathy Lecture 14 Chapters 6 and 9 Intrusion Detection and Prevention Firewalls and IPSes effective means of protecting LANs internet connectivity essential for organization and

343 views • 23 slides
Application Level Gateways Prof. Chuan-Ming Liu Computer Science and Information Engineering

Application Level Gateways Prof. Chuan-Ming Liu Computer Science and Information Engineering

Mobile Computing & Software Engineering Lab Mobile Computing & Software Engineering Lab Application Level Gateways Prof. Chuan-Ming Liu Computer Science and Information Engineering National Taipei University of Technology Taipei,

239 views • 19 slides
Software Thinking Ryan Perry Synology Collaboration Collaborate anywhere with innovative file

Software Thinking Ryan Perry Synology Collaboration Collaborate anywhere with innovative file

Software Thinking Ryan Perry Synology Collaboration Collaborate anywhere with innovative file server Surveillance Smart video analysis, capturing the crucial Software Intellect moments Smart Life Anywhere Networking Safeguard cyber safety

823 views • 59 slides
NDN Managed Gateways and The NDN Testbed John DeHart Computer Science & Engineering

NDN Managed Gateways and The NDN Testbed John DeHart Computer Science & Engineering

NDN Managed Gateways and The NDN Testbed John DeHart Computer Science & Engineering Washington University www.arl.wustl.edu NDN Nodes Types of NDN Nodes Gatew ay Routers End User Application Nodes Gatew ay Router Nodes

552 views • 16 slides
A Simplified Access to Grid Resources for Virtual Research Communities Roberto BARBERA

A Simplified Access to Grid Resources for Virtual Research Communities Roberto BARBERA

Consorzio COMETA - Progetto PI2S2 UNIONE EUROPEA A Simplified Access to Grid Resources for Virtual Research Communities Roberto BARBERA (1-3) , Marco FARGETTA (3,*) and Riccardo ROTONDO (2) (1) Department

362 views • 20 slides
Firewalls Session 20 INST 346 Technologies, Infrastructure and Architecture Review

Firewalls Session 20 INST 346 Technologies, Infrastructure and Architecture Review

Firewalls Session 20 INST 346 Technologies, Infrastructure and Architecture Review Homework 4 Lab 4 2 Muddiest Points CDMA GSM is actually now CDMA (in 3G) Loss reasons other than buffer overflow 3 Goals for Today

303 views • 17 slides

More recommend