network control
play

Network Control As usual, thanks to Vern Paxson and David Wagner 1 - PowerPoint PPT Presentation

Apr 03, 2024 •588 likes •1.03k views

Network Control As usual, thanks to Vern Paxson and David Wagner 1 Focus of This Lecture Begin discussion of approaches for controlling network traffic: Firewalls: restricting allowed communication NATs: Network Address

  1. Network Control As usual, thanks to Vern Paxson and David Wagner 1

  2. Focus of This Lecture • Begin discussion of approaches for controlling network traffic: – Firewalls: restricting allowed communication – NATs: Network Address Translators 2

  3. Network Control: Firewalls • Motivation: How do you harden a set of systems against external attack? – Key Observation: • The more network services your machines run, the greater the risk – Due to larger attack surface • One approach: on each system, turn off unnecessary network services – But you have to know that it’s running them – And sometimes some trusted remote users still require access • Plus key question of scaling – What happens when you have to secure 100s/1000s of systems? – Which may have different OSs, hardware & users – Which may in fact not all even be identified 3

  4. Taming Management Complexity • Possibly more scalable defense: Reduce risk by blocking in the network outsiders from having unwanted access your network services – Interpose a firewall that the traffic to/from the outside must traverse – Chokepoint can cover 1000s of hosts • Where in everyday experience do we see security chokepoints? Internal Internet Network 4

  5. Selecting a Security Policy • Effectiveness of firewall relies on deciding what policy it should implement: – Who is allowed to talk to whom, accessing what service? • Distinguish between inbound & outbound conns – Inbound: attempts by external users to connect to services on internal machines – Outbound: internal users to external services • Conceptually simple access control policy : – Permit inside users to connect to any service – External users restricted: • Permit connections to services meant to be externally visible • Deny connections to services not meant for external access 5

  6. How To Treat Traffic Not Mentioned in Policy? • Default Allow : start off permitting external access to services – Shut them off as problems recognized • Default Deny : start off permitting just a few known, well- secured services – Add more when users complain (and mgt. approves) • Pros & Cons? – Flexibility vs. conservative design – Flaws in Default Deny get noticed more quickly / less painfully • (Which do you think UCB uses?) – Default Allow: institute’s mission thrives on flexibility • (Which do you think UR uses?) In general, use Default Deny 6

  7. UR Firewalls • Internet connection: – inbound: default deny – outbound: default allow (with the exception of IRC) • Why no IRC? • Internally, 3 networks: Millhiser (data center), Richmond, Fine Arts – All three are default deny – Also special subnets for payroll, facilities, etc. All default deny 7

  8. UR Firewalls • No Peer-to-peer traffic – So no Kazaa, Gnutella, Bit Torrent • Some rate throttling 8

  9. Packet Filters • Most basic kind of firewall is a packet filter – Router with list of access control rules – Router checks each received packet against security rules to decide to forward or drop it – Each rule specifies which packets it applies to based on a packet’s header fields • Specify source and destination IP addresses, port numbers, and protocol names, or wild cards • Each rule specifies the action for matching packets: ALLOW or DROP <ACTION> <PROTO> <SRC:PORT> -> <DEST:PORT> – First listed rule has precedence 9

  10. Examples of Packet Filter Rules allow tcp 4.5.5.4:1025 -> 3.1.1.2:80 • States that the firewall should permit any TCP packet that’s: – from Internet address 4.5.5.4 and – using a source port of 1025 and – destined to port 80 of Internet address 3.1.1.2 deny tcp 4.5.5.4:* -> 3.1.1.2:80 • States that the firewall should drop any TCP packet like the above, regardless of source port deny tcp 4.5.5.4:* -> 3.1.1.2:80 allow tcp 4.5.5.4:1025 -> 3.1.1.2:80 • In this order , the rules won’t allow any TCP packets from 4.5.5.4 to port 80 of 3.1.1.2 allow tcp 4.5.5.4:1025 -> 3.1.1.2:80 deny tcp 4.5.5.4:* -> 3.1.1.2:80 • In this order , the rules allow only TCP packets from 4.5.5.4 to port 80 of 3.1.1.2 if they come from source port 1025 10

  11. Expressing Policy with Rulesets • Goal: prevent external access to Windows SMB (TCP port 445) – Except for one special external host, 8.4.4.1 • Ruleset: – allow tcp 8.4.4.1:* -> *:445 – drop tcp *:* -> *:445 – allow * *:* -> *:* • Problems? – No notion of inbound vs outbound connections • Drops outbound SMB connections from inside users – This is a default-allow policy!! 11

  12. Expressing Policy with Rulesets, con’t • Want to allow: – Inbound mail connections to our mail server ( 1.2.3.4:25 ) – All outbound connections from our network, 1.2.3.0/24 • 1.2.3/24 = “any address for which the top 24 bits match 1.2.3.0 ” • So it ranges from 1.2.3.0 , 1.2.3.1 , … , 1.2.3.255 – Nothing else • Consider this ruleset: allow tcp *:* -> 1.2.3.4:25 allow tcp 1.2.3.0/24:* -> *:* drop * *:* -> *:* • This policy doesn't work … – TCP connections are bidirectional – 3-way handshake: send SYN , receive SYN+ACK , send ACK , send DATA w/ ACK bit set 12

  13. Problem: Outbound Connections Fail 1.allow tcp *:* -> 1.2.3.4:25 2.allow tcp 1.2.3.0/24:* -> *:* 3.drop * *:* -> *:* • Inside host opens TCP connection to port 80 on external machine: – Initial SYN packet passed through by rule 2 – SYN+ACK packet coming back is dropped • Fails rule 1 (not destined for port 25) • Fails rule 2 (source not inside host) • Matches rule 3 ⇒ DROP • Fix? – In general, we need to distinguish between 2 kinds of inbound pkts • Allow inbound packets associated with an outbound connection • Restrict inbound packets associated with an inbound connection – How do we tell them apart? • Approach #1: remember previous outbound connections (takes state ) • Approach #2: leverage details of how TCP works 13

  14. Inbound vs. Outbound Connections • Key TCP feature: ACK bit set on all packets except first – Plus: TCP receiver disregards packets with ACK set if they don’t belong to an existing connection • Solution ruleset: 1.allow tcp *:* -> 1.2.3.4:25 2.allow tcp 1.2.3.0/24:* -> *:* 3.allow tcp *:* -> 1.2.3.0/24:* only if ACK bit set 4.drop * *:* -> *:* – Rules 1 and 2 allow traffic in either direction for inbound connections to port 25 on machine 1.2.3.4 – Rules 2 and 3 allow outbound connections to any port 14

  15. How This Ruleset Protects 1.allow tcp *:* -> 1.2.3.4:25 2.allow tcp 1.2.3.0/24:* -> *:* 3.allow tcp *:* -> 1.2.3.0/24:* only if ACK bit set 4.drop * *:* -> *:* • Suppose external attacker tries to exploit vulnerability in SMB (TCP port 445): = Attempts to open an inbound TCP connection to internal SMB server • Attempt #1: Sends SYN packet to server – Packet lacks ACK bit ⇒ no match to Rules 1-3, dropped by Rule 4 • Attempt #2: Sends SYN+ACK packet to server – Firewall permits the packet due to Rule 3 – But then dropped by server’s TCP stack (since ACK bit set, but isn’t part of existing connection) 15

  16. Network Control: NATs • To conserve global Internet addresses, network operators often give their systems private addresses – Usually numbered out of 10.0.0.0/8 or 192.168.0.0/16 – These addresses will not work for reaching the hosts from external Internet locations • Internet routers lack paths for them • Hosts communicate externally by having their traffic go through a Network Address Translator (NAT) – Active, in-path network element • The NAT translates (maps) private addresses to a public address – Also maps TCP/UDP ports 16

  17. Multiple Private Addresses Using One Public Address via NAT 138.76.29.7 10.0.0.1 outside NAT inside 10.0.0.2 17

  18. NAT Translation Table NAT translation table 1: host 10.0.0.1 2: NAT router Public side addr LAN side addr sends packet to changes packet 138.76.29.7, 5001 10.0.0.1, 3345 128.119.40.186, 80 source addr from …… …… 10.0.0.1, 3345 to S: 10.0.0.1, 3345 138.76.29.7, 5001, 10.0.0.1 D: 128.119.40.186, 80 updates table 1 S: 138.76.29.7, 5001 2 10.0.0.4 D: 128.119.40.186, 80 10.0.0.2 138.76.29.7 S: 128.119.40.186, 80 4 D: 10.0.0.1, 3345 S: 128.119.40.186, 80 3 10.0.0.3 D: 138.76.29.7, 5001 4: NAT router 3: Reply arrives changes packet dest. address: dest addr from 138.76.29.7, 5001 138.76.29.7, 5001 to 10.0.0.1, 3345 18

  19. Security Implications of NAT • If an external packet arrives for which the NAT doesn’t have a mapping in its table, it (necessarily) discards it – Thus, as a side effect a NAT prevents probing of services offered by internal systems – (Unless operator explicitly sets up an exception) • NATs change IP headers (addresses) and transport headers (ports) – Thus, any mechanism we might use to ensure layer 3/4 packet integrity will complain that packet has been meddled with – ( ⇒ operator convenience from using NAT is at odds with providing basic security guarantees) 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

SLAC Control Network SLAC Control Network Campaign 1 12/13/01,12/17/01 01/18/02 Purpose

SLAC Control Network SLAC Control Network Campaign 1 12/13/01,12/17/01 01/18/02 Purpose

SLAC Control Network SLAC Control Network Campaign 1 12/13/01,12/17/01 01/18/02 Purpose Purpose To tie SLAC control points to existing coordinate system &amp; datum. (ie. NAD 83 CA State Plane Zone 3, UTM Zone 10, WGS84) Network

372 views • 14 slides
Network Layer: Control Plane Goal: understand principles behind network control plane

Network Layer: Control Plane Goal: understand principles behind network control plane

Network Layer: Control Plane Goal: understand principles behind network control plane traditional (intra-domain) routing algorithms SDN controllers and their instantiation, implementation in the Internet: OSPF, RIP, OpenFlow, ODL

1.31k views • 75 slides
Eliminating Adverse Control Plane Interactions in Independent Network Systems Matthew K.

Eliminating Adverse Control Plane Interactions in Independent Network Systems Matthew K.

Eliminating Adverse Control Plane Interactions in Independent Network Systems Matthew K. Mukerjee Computer Science PhD Thesis Defense May 1st, 2018 Network Control CDN server selection Routing Congestion Control VM migration Network

1.71k views • 131 slides
CONTROL YOUR CARGO. CONTROL YOUR NETWORK. CONTROL YOUR BRAND. APRIL 2019

CONTROL YOUR CARGO. CONTROL YOUR NETWORK. CONTROL YOUR BRAND. APRIL 2019

CONTROL YOUR CARGO. CONTROL YOUR NETWORK. CONTROL YOUR BRAND. APRIL 2019 annika@sensortransport.com THE PROBLEM Status of Cargo Status of Shipment $100 BILL LOST ANNUALLY FROM DAMAGE Manual Delivery AND THEFT THE SOLUTION A

2.74k views • 9 slides
Network Anomaly Detection in Modbus TCP Industrial Control Systems RP1 #52: Industrial Control

Network Anomaly Detection in Modbus TCP Industrial Control Systems RP1 #52: Industrial Control

Network Anomaly Detection in Modbus TCP Industrial Control Systems RP1 #52: Industrial Control Systems Research Philipp Mieden &amp; Rutger Beltman, 2020 Supervisor: Bartosz Czaszynski, Deloitte Industrial Network VS Corporate Network 2

379 views • 35 slides
The Gas Network Control Problem and How to Approach It Felix Hennings Combinatorial Optimization

The Gas Network Control Problem and How to Approach It Felix Hennings Combinatorial Optimization

The Gas Network Control Problem and How to Approach It Felix Hennings Combinatorial Optimization @ Work 2020 The Gas Network Control Problem General description Optimization of short-term transient gas network control of large real-world

917 views • 39 slides
Tiny%Packet%Programs% for%low4latency%network%control% Vimal %

Tiny%Packet%Programs% for%low4latency%network%control% Vimal %

Tiny%Packet%Programs% for%low4latency%network%control% Vimal % Mohammad%Alizadeh,%Yilong%Geng,%Changhoon%Kim,%David%Mazires% Timescales%of%Network%FuncFons% Network% Load%Balancing% Virtual%Network% CongesFon% Forwarding%% Provisioning%

567 views • 29 slides
Session #4: Transport Network Control (ASON, Session #4: Transport Network Control (ASON, GMPLS

Session #4: Transport Network Control (ASON, Session #4: Transport Network Control (ASON, GMPLS

I nternational Telecom m unication Union ITU-T Session #4: Transport Network Control (ASON, Session #4: Transport Network Control (ASON, GMPLS and Control plane management) GMPLS and Control plane management) Highlights &amp; Conclusions

420 views • 7 slides
Working Set- -Based Access Control for Based Access Control for Working Set Network File

Working Set- -Based Access Control for Based Access Control for Working Set Network File

Working Set- -Based Access Control for Based Access Control for Working Set Network File Systems Network File Systems Stephen Smaldone, Vinod Ganapathy, and Liviu Iftode DiscoLab - Department of Computer Science Rutgers, The State University

667 views • 23 slides
Management of ASON- -capable capable Management of ASON Network and its Control Plane Network

Management of ASON- -capable capable Management of ASON Network and its Control Plane Network

I nternational Telecom m unication Union ITU-T Management of ASON- -capable capable Management of ASON Network and its Control Plane Network and its Control Plane H. Kam LAM Lucent Technologies I TU-T W orkshop NGN and its Transport

449 views • 28 slides
Ground Control to Major Faults: Towards Fault Tolerant and Adaptive SDN Control Network Liron

Ground Control to Major Faults: Towards Fault Tolerant and Adaptive SDN Control Network Liron

Ground Control to Major Faults: Towards Fault Tolerant and Adaptive SDN Control Network Liron Schiff (Tel Aviv University) Stefan Schmid (TU Berlin, Germany &amp; Aalborg University, Denmark) Marco Canini (Universit catholique de Louvain)

524 views • 28 slides
KYTCs Real Time Network and its role in GPS Machine Control Machine Control Pilot Project

KYTCs Real Time Network and its role in GPS Machine Control Machine Control Pilot Project

KYTCs Real Time Network and its role in GPS Machine Control Machine Control Pilot Project Evaluate use of RTN in place of on site GPS Base Station Additional Cost Downtime for setup Communication Issues Accuracy Comparison

635 views • 21 slides
Evaluation of TCP BBR v2 Congestion Control Using Network Emulation Intermediate talk for the

Evaluation of TCP BBR v2 Congestion Control Using Network Emulation Intermediate talk for the

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Evaluation of TCP BBR v2 Congestion Control Using Network Emulation Intermediate talk for the Masters Thesis by Juliane Aulbach advised by

591 views • 18 slides
Network Control CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed

Network Control CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed

Network Control CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed &amp; Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ February 10, 2011 1 Network Control: Firewalls Motivation: How do you harden a

838 views • 35 slides
Control Protocol and OAM in MPLS-TP Network UTStarcom Inc. Broadband Business Unit System

Control Protocol and OAM in MPLS-TP Network UTStarcom Inc. Broadband Business Unit System

Control Protocol and OAM in MPLS-TP Network UTStarcom Inc. Broadband Business Unit System Architect, Senior Manager Dr. Wang Yong MPLS Japan 2008 1 Agenda 1. MPLS-TP Based Metro Network 2. Functions of Control Protocol and OAM 3.

641 views • 20 slides
Video Services Update Ben Fineman, Internet2 Internet2 Network Border Control Call Control

Video Services Update Ben Fineman, Internet2 Internet2 Network Border Control Call Control

Video Services Update Ben Fineman, Internet2 Internet2 Network Border Control Call Control Bridging Switching Transcoding Border Control Call Control Bridging Resource Abstraction Why bother with video? Isnt Skype good

605 views • 27 slides
Stefano Chessa Wireless Sensor Networks Issues WSN: a typical configuration User Internet,

Stefano Chessa Wireless Sensor Networks Issues WSN: a typical configuration User Internet,

Stefano Chessa Wireless Sensor Networks Issues WSN: a typical configuration User Internet, Satellite Network, Sink etc.. where Each sensor : Low power, low cost system Small Autonomous Sensors equipped with:

2.22k views • 163 slides
Introduction to Network Security Chapter 6 Network Layer Protocols Dr. Doug Jacobson -

Introduction to Network Security Chapter 6 Network Layer Protocols Dr. Doug Jacobson -

Introduction to Network Security Chapter 6 Network Layer Protocols Dr. Doug Jacobson - Introduction to 1 Network Security - 2009 Topics The network layer IP V4 BOOTP &amp; DHCP IP V6 Common IP countermeasures Dr.

1.88k views • 152 slides
Internet Routing Dr. Miled M. Tezeghdanti May 8, 2012 Dr. Miled M. Tezeghdanti () Internet

Internet Routing Dr. Miled M. Tezeghdanti May 8, 2012 Dr. Miled M. Tezeghdanti () Internet

Internet Routing Dr. Miled M. Tezeghdanti May 8, 2012 Dr. Miled M. Tezeghdanti () Internet Routing May 8, 2012 1 / 71 Introduction Networks may be interconnected using Repeaters Work at the Physical layer Bridges Work at the Data-Link

997 views • 84 slides
Computer Networks 1 (Mng My Tnh 1) Lectured by: Nguyn c Thi 1 Lecture 7:

Computer Networks 1 (Mng My Tnh 1) Lectured by: Nguyn c Thi 1 Lecture 7:

Computer Networks 1 (Mng My Tnh 1) Lectured by: Nguyn c Thi 1 Lecture 7: Network Layer in the Internet Reference : Chapter 5 - Computer Networks , Andrew S. Tanenbaum, 4th Edition, Prentice Hall, 2003. 2 The Network

453 views • 31 slides
Protocolos em Redes de Dados Vizinhan cas An uncios Aula 06 Interliga c ao com o

Protocolos em Redes de Dados Vizinhan cas An uncios Aula 06 Interliga c ao com o

Protocolos em Redes de Dados Lu s Rodrigues Sum ario Introdu c ao Protocolos em Redes de Dados Vizinhan cas An uncios Aula 06 Interliga c ao com o BGP: Introdu c ao IGP Filtragem de rotas Instabilidade

765 views • 48 slides
MVPN Extranet First, a little background: MVPN Effort that began in 2004 culminated in the

MVPN Extranet First, a little background: MVPN Effort that began in 2004 culminated in the

MVPN Extranet First, a little background: MVPN Effort that began in 2004 culminated in the set of RFCs 6511-6517 in 2012! (Well, really finished in 2010, mostly) Left a few loose ends, including wild cards and extranet

621 views • 17 slides
Welcome!! All AGM Meeting documents are at UNEPFI 2018 AGM by-Webinar www.unepfi.org/

Welcome!! All AGM Meeting documents are at UNEPFI 2018 AGM by-Webinar www.unepfi.org/

Welcome!! All AGM Meeting documents are at UNEPFI 2018 AGM by-Webinar www.unepfi.org/ extranet/ password: unepfi Please use the chat box to pose your questions/ comments. Alternativel, email yuki.yasui@un.org during and after the

775 views • 60 slides
Cyber security Current challenges Ludovic M, septembre 2019 Cyber security ? Three triptychs !

Cyber security Current challenges Ludovic M, septembre 2019 Cyber security ? Three triptychs !

Cyber security Current challenges Ludovic M, septembre 2019 Cyber security ? Three triptychs ! 3 properties ... Confidentiality (including personal data) Integrity Availability 2 -Sminaire LIRIMA: Cyber security: current

876 views • 64 slides

More recommend