IP fragmentation: TCP header information can be split over several tiny packets. Either discard such fragments or reassemble before checking.
Degradation: depends on the number of rules applied at any point. Order rules so that the most common traffic is dealt with first. Correctness is more important than speed.
Dr Mahdi, NetSec
Port Numbering
Permanent assignment: the server port is a number less than 1024. Ports <1024 are assigned permanently: 20, 21 for FTP; 23 for Telnet; 25 for the SMTP server; 80 for HTTP.
Variable use (per TCP connection): the client port is a number between 1024 and 16383. Ports >1024 must be available for the client to make any connection. This presents a limitation for stateless packet filtering: if the client wants to use port 2048, the firewall must allow incoming traffic on this port.
Stateful Filtering
If the outgoing request passes our filter, then all the related responses should be automatically allowed through the filter. Traditional packet filters do not examine higher-layer context, i.e. matching return packets with the outgoing flow. Hence stateful packet filters address this need: they examine each IP packet in context, keep track of client-server sessions, and check that each packet validly belongs to one.
Session Filtering
The packet decision is made in the context of a connection. If the packet is a new connection, check it against the security policy. If the packet is part of an existing connection, match it up in the state table and update the table.
Session Filtering
Screens ALL attempts. Protects all applications. Extracts and maintains state information. Makes an intelligent security / traffic decision.
[Figure: OSI stacks (Physical to Application) of the client, the session-filtering firewall, and the server.]
Telnet
[Figure: Telnet Client (port 1234) and Telnet Server (port 23); the client announces PORT 1234, the server replies with ACK.]
The client opens a channel to the server and tells the server its port number. The ACK bit is not set while establishing the connection but will be set on the remaining packets. The server acknowledges.
Example: Telnet
Format:
access-list <rule number> <permit|deny> <protocol> <SOURCE host with IP address | any | IP address and mask> [<gt|eq port number>] <DEST host with IP address | any | IP address and mask> [<gt|eq port number>]

The following allows a user to telnet from an IP address (172.168.10.11) to any destination, but not vice-versa:

access-list 100 permit tcp host 172.168.10.11 gt 1023 any eq 23
! Allows packets out to remote Telnet servers
access-list 101 permit tcp any eq 23 host 172.168.10.11 established
! Allows returning packets to come back in. It verifies that the ACK bit is set
interface Ethernet 0
ip access-group 100 out
! Apply the first rule to outbound traffic
ip access-group 101 in
! Apply the second rule to inbound traffic
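As an added example (not from the slides, and not Cisco's code), the following Python evaluator parses access-list lines in the format given above and applies them to sample packets. It models only the subset of the syntax shown (tcp, host/any/wildcard addresses, eq/gt port tests, the established keyword as an ACK-bit test), the server addresses 203.0.113.5 and 198.51.100.9 are constructed, and its last case shows the limitation the slides describe: a stateless filter admits any packet with ACK set from port 23, whether or not an outbound Telnet session exists.

```python
# Added example: evaluator for the access-list subset shown on the slide.
# Not Cisco's code; addresses other than 172.168.10.11 are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

Addr = Tuple[int, int]                 # (network as int, wildcard mask: 1 bits = don't care)
PortTest = Optional[Tuple[str, int]]   # ("eq" | "gt", port) or None = any port


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool  # TCP ACK flag set?


@dataclass
class Rule:
    number: int
    action: str          # "permit" or "deny"
    src: Addr
    src_port: PortTest
    dst: Addr
    dst_port: PortTest
    established: bool    # on the slide: require the ACK bit (IOS also accepts RST)


def _addr(tokens: List[str], i: int) -> Tuple[Addr, int]:
    """Parse 'any', 'host A', or 'A wildcard' starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(IPv4Address(tokens[i])), int(IPv4Address(tokens[i + 1]))), i + 2


def _port(tokens: List[str], i: int) -> Tuple[PortTest, int]:
    if i < len(tokens) and tokens[i] in ("eq", "gt"):
        return (tokens[i], int(tokens[i + 1])), i + 2
    return None, i


def parse_rule(line: str) -> Rule:
    t = line.split("!")[0].split()          # '!' starts a comment, as on the slide
    if t[0] != "access-list" or t[3] != "tcp":
        raise ValueError("only 'access-list N permit|deny tcp ...' is modelled")
    number, action = int(t[1]), t[2]
    src, i = _addr(t, 4)
    sp, i = _port(t, i)
    dst, i = _addr(t, i)
    dp, i = _port(t, i)
    return Rule(number, action, src, sp, dst, dp, "established" in t[i:])


def _addr_match(spec: Addr, ip: str) -> bool:
    net, wild = spec
    return (int(IPv4Address(ip)) | wild) == (net | wild)


def _port_match(spec: PortTest, port: int) -> bool:
    if spec is None:
        return True
    op, n = spec
    return port == n if op == "eq" else port > n


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; an IOS access list ends with an implicit deny."""
    for r in rules:
        if (_addr_match(r.src, pkt.src) and _port_match(r.src_port, pkt.sport)
                and _addr_match(r.dst, pkt.dst) and _port_match(r.dst_port, pkt.dport)
                and (not r.established or pkt.ack)):
            return r.action
    return "deny"


OUTBOUND = [parse_rule("access-list 100 permit tcp host 172.168.10.11 gt 1023 any eq 23")]
INBOUND = [parse_rule("access-list 101 permit tcp any eq 23 host 172.168.10.11 established")]


def demo() -> dict:
    """Run the slide's two lists over constructed packets (server addresses are made up)."""
    client, server = "172.168.10.11", "203.0.113.5"
    syn_out = Packet(client, server, 2048, 23, ack=False)      # client opens Telnet
    synack_in = Packet(server, client, 23, 2048, ack=True)     # server's reply, ACK set
    syn_in = Packet(server, client, 23, 2048, ack=False)       # outside host tries to open
    unsolicited_ack = Packet("198.51.100.9", client, 23, 4444, ack=True)  # no outbound flow
    return {
        "outbound telnet": evaluate(OUTBOUND, syn_out),            # permit
        "returning packet with ACK": evaluate(INBOUND, synack_in),  # permit
        "inbound new connection": evaluate(INBOUND, syn_in),       # deny (no ACK)
        "ack-only packet, no session": evaluate(INBOUND, unsolicited_ack),  # permit: stateless limit
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:30s} -> {decision}")
```

The last line of the demo is the point of the next slides: list 101 cannot tell a genuine reply from any other ACK-flagged packet with source port 23, because a traditional packet filter keeps no record of the outgoing flow.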
FTP
[Figure: FTP Client (ports 5150 and 5151) and FTP Server (port 21 Command, port 20 Data); the client sends PORT 5151 on the command channel, the server answers OK, then opens the DATA CHANNEL, and the client replies with TCP ACK.]
The client opens the command channel to the server and tells the server its second port number. The server acknowledges. The server opens the data channel to the client's second port. The client acknowledges.
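The state table from the Session Filtering slides and the FTP exchange in the figure above, as an added Python example that is not part of the slides: new connections are checked against a policy, packets of known sessions are matched in the table and update it, and the PORT command seen on the FTP command channel is used to pre-authorise the server's data connection from port 20 to the announced client port. The inside prefix 10., the addresses 10.0.0.5, 192.0.2.10 and 198.51.100.7, and the policy (inside hosts may open connections to ports 21 and 23) are assumptions made for this example.

```python
# Added example: a toy stateful (session) filter with an FTP-aware state table.
# Not from the slides; addresses, prefix and policy are constructed for the demo.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

Key = Tuple[str, str, int, int]   # (src, dst, sport, dport) as first seen


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    payload: bytes = b""


@dataclass
class Session:
    initiator: str
    responder: str
    iport: int
    rport: int
    state: str = "SYN_SENT"
    packets: int = 0


def ftp_port_argument(payload: bytes) -> Optional[int]:
    """Decode 'PORT h1,h2,h3,h4,p1,p2' (RFC 959): port = p1*256 + p2."""
    if not payload.startswith(b"PORT "):
        return None
    fields = payload[5:].strip().split(b",")
    if len(fields) != 6:
        return None
    return int(fields[4]) * 256 + int(fields[5])


class StatefulFilter:
    def __init__(self, inside_prefix: str, allowed_server_ports) -> None:
        self.inside = inside_prefix               # toy "inside network" test (string prefix)
        self.allowed = set(allowed_server_ports)  # ports inside hosts may connect to
        self.table: Dict[Key, Session] = {}       # the state table
        self.expected: Set[Key] = set()           # pinholes announced by FTP PORT

    def _policy_allows_new(self, pkt: Packet) -> bool:
        """Security policy for packets that start a connection (SYN without ACK)."""
        return (pkt.src.startswith(self.inside) and pkt.dport in self.allowed
                and pkt.syn and not pkt.ack)

    def _find(self, pkt: Packet):
        fwd: Key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        rev: Key = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if fwd in self.table:
            return self.table[fwd], "forward"
        if rev in self.table:
            return self.table[rev], "reverse"
        return None, None

    def handle(self, pkt: Packet) -> str:
        sess, direction = self._find(pkt)
        key: Key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        if sess is None:                                   # new connection
            if self._policy_allows_new(pkt):
                self.table[key] = Session(*key, packets=1)
                return "permit"
            if key in self.expected and pkt.syn and not pkt.ack:   # announced data channel
                self.expected.discard(key)
                self.table[key] = Session(*key, packets=1)
                return "permit"
            return "deny"
        sess.packets += 1                                  # existing connection: update table
        if sess.state == "SYN_SENT" and direction == "reverse" and pkt.syn and pkt.ack:
            sess.state = "ESTABLISHED"
        if pkt.fin:
            sess.state = "CLOSING"
        if sess.rport == 21 and direction == "forward":    # watch the FTP command channel
            data_port = ftp_port_argument(pkt.payload)
            if data_port is not None:
                self.expected.add((sess.responder, sess.initiator, 20, data_port))
        return "permit"


def demo():
    """Replay the FTP figure plus three packets the table should reject."""
    fw = StatefulFilter(inside_prefix="10.", allowed_server_ports=[21, 23])
    client, server, outsider = "10.0.0.5", "192.0.2.10", "198.51.100.7"   # constructed
    steps = [
        ("client opens command channel", Packet(client, server, 5150, 21, syn=True)),
        ("server acknowledges", Packet(server, client, 21, 5150, syn=True, ack=True)),
        ("client announces port 5151", Packet(client, server, 5150, 21, ack=True,
                                              payload=b"PORT 10,0,0,5,20,31\r\n")),
        ("server opens data channel to 5151", Packet(server, client, 20, 5151, syn=True)),
        ("server tries an unannounced port", Packet(server, client, 20, 5152, syn=True)),
        ("ack-only packet with no session", Packet(outsider, client, 23, 4444, ack=True)),
        ("inside host to a port outside policy", Packet(client, server, 6000, 80, syn=True)),
    ]
    return [(label, fw.handle(pkt)) for label, pkt in steps], fw


if __name__ == "__main__":
    for label, decision in demo()[0]:
        print(f"{label:38s} -> {decision}")
```

The sixth packet is the case the stateless Telnet list lets through: here it is denied because no entry in the state table matches it, which is what "check each packet validly belongs to a session" means in practice. The PORT handling is also the "dynamic support" row of the comparison table: without it the filter would have to leave all ports above 1024 open for the server's data connection.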
Proxy Firewalls
[Figure: firewall applying a policy between the inside network and the outside.]
Proxies filter incoming and outgoing packets. All incoming traffic is directed to the firewall; all outgoing traffic appears to come from the firewall.
Circuit-level gateways/proxies work at the TCP level.
Application Gateways
Understands specific applications; intensive.
The user requests a service from the proxy; the proxy validates the request as legal, then actions the request and returns the result to the user.
Need to write a new proxy application for each service, e.g. SMTP (E-Mail), NNTP (Net news), DNS (Domain Name System), NTP (Network Time Protocol).
Circuit-Level Gateways
Sets up two TCP connections, one with an inside user and one with an outside host. Imposes security by limiting which such connections are allowed. Once created, usually relays traffic without examining contents. Typically used when internal users are trusted, by allowing general outbound connections. SOCKS is commonly used for this.
Hard to handle protocols like FTP. Clients must be aware they are using a circuit-level proxy. Protects against the fragmentation problem.
Comparison
Security (rank, in page order): Packet Filter 3, Session Filter 2, Circuit GW 2, App. GW 1
Performance (rank, in page order): Packet Filter 1, Session Filter 2, Circuit GW 3, App. GW 4
Service Support: Packet Filter: no dynamic without holes; Session Filter: dependent on vendor for dynamic support; Circuit GW / App. GW: typically < 20
Comparison: Modify Client Applications?
Packet Filter: No. Session Filter: No. Circuit GW: Typical; SOCKS-ify client applications. App. GW: Unless transparent, the client application must be proxy-aware and configured.
Common. Provide good protection and full transparency. Network administrators are given full control over traffic. Captures the semantics of a connection.
[Figure: endpoints 1.2.3.4 and 5.6.7.8 with the Firewall between them.]
Intended connection from 1.2.3.4 to 5.6.7.8. Redialing on a dynamic packet filter. The dashed arrow shows the intended connection; the solid arrows show the actual connections, to and from the relay in the firewall box. The firewall impersonates each endpoint to the other.
Application Proxy
[Figure: 1.2.3.4 connects towards 5.6.7.8 through the Firewall; the Firewall, as 10.11.12.13, opens the actual connection to 5.6.7.8.]
Intended connection from 1.2.3.4 to 5.6.7.8. A dynamic packet filter with an application proxy. Note the change in source address.