in presence of firewalls
play

in Presence of Firewalls and Network Address Translation Knut - PowerPoint PPT Presentation

Jul 05, 2023 •256 likes •840 views

Realtime Multimedia in Presence of Firewalls and Network Address Translation Knut Omang Ifi/Oracle 1 About Knut Omang Knut Omang: PhD. from UiO Worked on network technology and network centric applications in industry for many

  1. Realtime Multimedia in Presence of Firewalls and Network Address Translation Knut Omang Ifi/Oracle 1

  2. About Knut Omang Knut Omang: • PhD. from UiO • Worked on network technology and network centric applications in industry for many years: – Dolphin, Sun, Scali, Fast, Paradial - now at Oracle • Associate Professor with DMMS at Ifi, UiO – 20% position) for > 10 years 2

  3. About Paradial • Founded in 2001 • Based in Oslo, 11 employees. • Software company: – RealTunnel: Firewall/NAT traversal – PANE: Network and firewall emulator • Acquired by Logitech in 2010 • http://www.paradial.com 3

  4. Today: RT multimedia and connectivity • Mobile users (roaming between devices) or mobile devices – Applications: ’’unified communications” – Common characteristics of unified communication demands • Firewalls and NAT – Firewalls and NAT characterization – Why and how this is a problem for RT multimedia • Efforts to aid in discovery and traversal – STUN (Simple Traversal Utilities for NAT) – TURN (Traversal Using Relays around NAT) – ICE (Interactive Connectivity Establishment) – Tunnelling – Modifying/involving the firewall • Example session management and flow – Simple SIP/SDP example – A more complex call scenario using SIP for setup • What about IPv6? – Firewalls: No doubt – NAT? 4

  5. ”Unified communications”... A A t t t t h h e e o o f f f f i i c c e e IP Telephony ISP - Initialization Failed IP Telephony ISP - Initialization Failed The port used by the service may be blocked by your firewall. Please make sure the following ports are open: o o Outgoing port: 5060 UDP H H y y b b r r i i d d n n e e t t w w o o r r k k s s Incoming port: 5060 UDP OK A A t t h h o o m m e e O O n n t t h h e e m m o o v v e e 5

  6. ”Unified communications” • Types of service – Voice – Video – Chat/presence – Application sharing • Protocols: – Session layer • SIP,H323,XMPP(Jabber),MSNP,IPsec(tunnel mode),Oscar(AIM),Skype – Transport layer • IPsec (ESP/AH) • Similar issues for all protocols and services! 6

  7. ”Unified communications” Characteristics: • Real-time properties needed • Multiple media flows • Not the usual client/server model • Want shortest/best path for media – Delay – Jitter – Resource usage 7

  8. A simple call example Assuming (simplified): • Per knows Ida’s network location (IP+port) • Only one type of communication needed User: per User: ida 8

  9. A simple call example Assuming: • Per knows Ida’s network location (IP+port) • Only one type of communication needed • But Ida is visiting a company network – with an open policy… User: per User: ida • Per can’t reach Ida • Ida can reach Per and Per can respond (over the same connection) 9

  10. A simple call example Assuming: • Per knows Ida’s network location (IP+port) • Only one type of communication needed • Ida is visiting a company network... • And so are Per... User: per User: ida • No communication possible by default • A 3rd party is needed 10

  11. A simple call example • Per and Ida gets help from Per: 192.168.0.81:5060 their registrar Ida: 192.168.20.10:4560 User: per User: ida 192.168.20.10 192.168.0.81 • Depending on firewall: – Direct communication may not be possible! 11

  12. A simple call example • Per and Ida’s firewalls perform NAT! This is a common case! Per: 100.20.30.40:34567 Ida: 120.30.40.50:62567 120.30.40.50 100.20.30.40 User: per User: ida 192.168.20.10 192.168.0.81 • NAT-devices alters the IP and TCP/UDP headers of packets • What if payload also contains addresses? 12

  13. Firewalls – Usually blocks all incoming traffic not on ESTABLISHED connections • All communication must be initiated from the inside! – May block certain protocols • UDP considered dangerous – May block a certain protocol with the exception of certain ‘well protected’ ports – May behave differently for different src/dst hosts/port combinations – May block everything except services considered safe – Everything blocked except a local web proxy – The web proxy may require authentication and only HTTPS may pass through... • A user may be behind multiple firewall/NAT devices... – Each adding to the complexity.. 13

  14. Network Address Translation (NAT) • Source NAT • Both sides require outbound traffic to create NAT binding – Only receiver can detect a sender’s port • May vary between destination hosts! – We don’t know the address/port allocation scheme.. (!) • Destination NAT • Specific addr:port pairs on the outside is bound to addr:port on the inside • Used for public services – not the problem here • Masquerade (often called ‘static nat’) • Destination + Source NAT • The sender may not know it’s public address(es)/port(s) – Different destination host:ports may see different sources for the same private address:port 14

  15. Firewalls and connection tracking • Connection tracking? – Need to keep track of communication initiated from inside – Also needed for NAT to map public addr:port pairs to a private addr:port • TCP: follows TCP states • UDP is connectionless? – A UDP communication path is said to have been ESTABLISHED if it has been responded to – But short timeout (eg.30 seconds..) • for security… • To reduce memory need for connection tracking • Implementations: Memory usage priority – NAT: Simple random port allocation scheme easier than trying to maintain any coherence seen from the outside.. – More on this later… • Timeouts means: Keepalive needed to keep firewall ’open’ 15

  16. Summary: The Connectivity Challenge • Firewall/NAT devices interfere and often block communications – Can’t send packets to a private address from the internet – Firewalls only accept outbound connections initiated from the inside Internet Internet – NAT: Packets from the same port may be seen with different src by different hosts! – Firewall ‘holes’ times out quickly! – Users normally do not know the Internet infrastructure between two points Most protocols for RT multimedia • Uses multiple ports for a single application • Puts address/port information in session setup packets – violated by NAT, blocked by firewall.. 16

  17. STUN (Session Traversal Utilities for NAT) • Client/server based protocol • Designed to allow detection of firewall/NAT properties: – Firewall characteristics • Can we use the desired protocol? • Can we communicate directly? – NAT • discover public addresses assigned to address/ports on the private network • Discover if the public address seen by one destination host/port can be used by another 17

  18. Some example ’course grained’ firewall ’classes’: • All TCP/UDP allowed + NAT – When initiated from inside – When not any ’dangerous’ ports… – Source NAT • All TCP allowed – UDP allowed, but only from addr:port sent to – no NAT • All TCP allowed – from inside – But all UDP blocked • All UDP/TCP blocked – except https initiated from inside • All direct access to outside forbidden – Internet access only via web proxy in DMZ – All web proxy traffic authenticated in proxy 18

  19. NAT characterization (UDP focus) Categorization of NAT devices into classes (RFC 4787 – revised from earlier attempts) - Endpoint independent mapping - A NAT mapping from one source addr:port to one destination addr:port can be reused by another destination addr:port - Address dependent mapping - A NAT mapping from one source addr:port can be reused by other destination ports on the same destination host - Address and port dependent mapping - Each (source addr:port,destination addr:port) tuple receives a unique public addr:port in the NAT (no reuse across ports/addresses) Note: Nothing prevents a NAT device from behaving differently depending on source or destination addresses or ports in question! Example: STUN ports for UDP: endpoint independent, other ports just blocked for UDP… 19

  20. Firewall/NAT characterization and TCP • Work in progress: https://www.guha.cc/saikat/stunt-results.php? • 269 lines as of April-2009 20

  21. NAT detection using STUN • Per and Ida’s firewalls are behind NAT – can they talk directly? Per: 100.20.30.41:47875 Per: 100.20.30.40:34567 Ida: 120.30.40.50:62567 Ida: 120.30.40.50:62567 STUN server 1: STUN server 2: 130.1.2.1:3478 130.1.2.2:3478 120.30.40.50 100.20.30.40-50 User: ida User: per src: 100.20.40.42:34444 dst: 120.30.40.50:62567 192.168.20.10 192.168.0.81 • Ida’s firewall has endpoint independent mappings • We are able to communicate directly if Per initiates • if we are lucky... 21

  22. NAT detection using STUN • Per and Ida’s firewalls are behind NAT – can they talk directly this time? Per: 100.20.30.41:47875 Per: 100.20.30.40:34567 Ida: 120.30.40.50:62567 Ida: 120.30.40.50:63245 STUN server 1: STUN server 2: 130.1.2.1:3478 130.1.2.2:3478 120.30.40.50 100.20.30.40-50 User: ida User: per 192.168.20.10 192.168.0.81 • Neither firewall has endpoint independent mappings • We are able to communicate using UDP, but only using relay 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls? Network Address Translation Types of Firewalls Linux/Windows Firewalls pfSense Blue Team Activity Brief History Firewall

348 views • 30 slides
Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple firewall using Netfilter Iptables firewall in Linux Stateful Firewall Application Firewall Evading Firewalls 2 Firewalls

811 views • 55 slides
FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls

FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls

FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls (Categories) Implementation Best practices What are Firewalls? Internet Firewall Client/Host Network Network Security

585 views • 39 slides
Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential however

Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential however

Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential however it creates a threat Effective means of protecting LANs Inserted between the premises network and the Internet to establish a controlled

699 views • 34 slides
Firewalls Why do people want a firewall? [...] a firewalls purpose is to keep the jerks

Firewalls Why do people want a firewall? [...] a firewalls purpose is to keep the jerks

Firewalls Why do people want a firewall? [...] a firewalls purpose is to keep the jerks out of your network while still letting you get your job done. [Limiting] what kinds of connectivity is allowed between different

538 views • 30 slides
Firewalls Computer Center, CS, NCTU Firewalls Firewall A piece of hardware and/or

Firewalls Computer Center, CS, NCTU Firewalls Firewall A piece of hardware and/or

Firewalls Computer Center, CS, NCTU Firewalls Firewall A piece of hardware and/or software which functions in a networked environment to prevent some communications forbidden by the security policy. Choke point between secured

613 views • 34 slides
Firewalls jnlin Computer Center, CS, NCTU Firewalls q Firewall hardware/software

Firewalls jnlin Computer Center, CS, NCTU Firewalls q Firewall hardware/software

Firewalls jnlin Computer Center, CS, NCTU Firewalls q Firewall hardware/software choke point between secured and unsecured network filter incoming and outgoing traffic prevent communications which are forbidden by the

1.06k views • 57 slides
Firewalls Firewalls October 16, 2020 Administrative Administrative submittal

Firewalls Firewalls October 16, 2020 Administrative Administrative submittal

Firewalls Firewalls October 16, 2020 Administrative Administrative submittal instructions submittal instructions answer the lab assignments questions in written report form, as a text, pdf, or Word document file (no obscure

585 views • 21 slides
Firewalls Network Security: Firewalls, A system or combination of systems VPNs, and

Firewalls Network Security: Firewalls, A system or combination of systems VPNs, and

Firewalls Network Security: Firewalls, A system or combination of systems VPNs, and Honeypots that enforces a boundary between two CS 239 or more networks - NCSA Firewall Functional Summary Computer Security Usually, a

271 views • 10 slides
Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and Linux Contents Introduction Highly Scalable Linux Network Stack Netfilter Hooks Packet selection based on IP Tables The Connection Tracking

444 views • 9 slides
Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network

Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network

Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network from the Internet Trusted hosts and networks Firewall Router Intranet Demilitarized Zone: DMZ publicly accessible servers and networks

746 views • 31 slides
Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy

Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy

1 Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy firewalls Stateful inspection Deep packet inspection 2 Packet filter (Access Control Lists) Treats each packet in isolation

510 views • 30 slides
Firewalls and intrusion detection systems Markus Peuhkuri 2005-03-22 Lecture topics Firewalls

Firewalls and intrusion detection systems Markus Peuhkuri 2005-03-22 Lecture topics Firewalls

Firewalls and intrusion detection systems Markus Peuhkuri 2005-03-22 Lecture topics Firewalls Security model with firewalls Intrusion detection systems Intrusion prevention systems

644 views • 7 slides
Firewalls CS461/ECE422 Spring 2012 Reading Material Text

Firewalls CS461/ECE422 Spring 2012 Reading Material Text

Firewalls CS461/ECE422 Spring 2012 Reading Material Text chapter 9 Firewalls and Internet Security: Repelling the Wily Hacker, Cheswick, Bellovin,

501 views • 34 slides
Firewalls Summary ITS335: IT Security Sirindhorn International Institute of Technology

Firewalls Summary ITS335: IT Security Sirindhorn International Institute of Technology

ITS335 Firewalls Characteristics Types Locations Firewalls Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 25 October 2013 its335y13s2l08,

245 views • 23 slides
Network Firewalls Don Porter CSE/ISE 311: Systems Administra5on

Network Firewalls Don Porter CSE/ISE 311: Systems Administra5on

CSE/ISE 311: Systems Administra5on Network Firewalls Don Porter CSE/ISE 311: Systems Administra5on Firewalls: An Essen2al Tool Previous Lectures: Every service

469 views • 20 slides
Isotropic Intercategories Robert Par e (with Marco Grandis) Halifax August 2016 Robert

Isotropic Intercategories Robert Par e (with Marco Grandis) Halifax August 2016 Robert

Isotropic Intercategories Robert Par e (with Marco Grandis) Halifax August 2016 Robert Par e (Dalhousie University) Isotropic Intercategories Halifax August 2016 1 / 21 Intercategory A kind of lax

345 views • 21 slides
LIEF: Library to Instrument Executable Formats Table of Contents Introduction Project Overview

LIEF: Library to Instrument Executable Formats Table of Contents Introduction Project Overview

RMLL 2017 Romain Thomas - rthomas@quarkslab.com LIEF: Library to Instrument Executable Formats Table of Contents Introduction Project Overview Demo Conclusion About Romain Thomas (rthomas@quarkslab.com) - Security engineer Working on

1.12k views • 89 slides
A Guide to Budgeted Tree Search Nathan R. Sturtevant University of Alberta Amii Fellow, CIFAR

A Guide to Budgeted Tree Search Nathan R. Sturtevant University of Alberta Amii Fellow, CIFAR

A Guide to Budgeted Tree Search Nathan R. Sturtevant University of Alberta Amii Fellow, CIFAR Chair Malte Helmert Universitt Basel Talk Overview Budgeted Tree Search (BTS) is a new algorithm with better worst-case guarantees than IDA*

1.37k views • 132 slides
WIDER Development Conference 13- 15 September 2018: Aid Policy Continuity or Change? Richard

WIDER Development Conference 13- 15 September 2018: Aid Policy Continuity or Change? Richard

WIDER Development Conference 13- 15 September 2018: Aid Policy Continuity or Change? Richard Manning Total ODA USD billion (2016 prices and exchange rates) (Source OECD) ODA as percentage of GNI 10% 15% 20% 25% 30% 35% 0% 5%

665 views • 29 slides
SAFE: Self Attentive Function Embedding for Binary Similarity Luca Massarelli PhD Student @

SAFE: Self Attentive Function Embedding for Binary Similarity Luca Massarelli PhD Student @

SAFE: Self Attentive Function Embedding for Binary Similarity Luca Massarelli PhD Student @ Sapienza University of Rome Who am I? Exploring how to leverage Artificial Intelligence to improve security! Reverse Engineering is painful

465 views • 32 slides
Workplace Wellbeing Produced by the design firm Team Number: IIDA Huntsman Architectural Group,

Workplace Wellbeing Produced by the design firm Team Number: IIDA Huntsman Architectural Group,

Workplace Wellbeing Produced by the design firm Team Number: IIDA Huntsman Architectural Group, this diagram illustrates new spaces and adjacencies in a future workplace Workplace Wellbeing Team Number: IIDA A mix of desking, casual

263 views • 5 slides
Univalent categories and the Rezk completion Benedikt Ahrens 1 , Krzysztof Kapulkin 2 , Michael

Univalent categories and the Rezk completion Benedikt Ahrens 1 , Krzysztof Kapulkin 2 , Michael

Univalent categories and the Rezk completion Benedikt Ahrens 1 , Krzysztof Kapulkin 2 , Michael Shulman 1 1 Institute for Advanced Study, Princeton 2 University of Pittsburgh, Pittsburgh TYPES 2013 3 kinds of sameness for categories Equality C =

444 views • 23 slides
Towards a realizability model of homotopy type theory Jonas Frey joint work (in progress) with

Towards a realizability model of homotopy type theory Jonas Frey joint work (in progress) with

Towards a realizability model of homotopy type theory Jonas Frey joint work (in progress) with Steve Awodey and Pieter Hofstra CT 2017 Vancouver 1 / 24 Overview Motivation : construct realizability model of homotopy type theory , to show

567 views • 24 slides

More recommend