Date post: | 15-Dec-2015 |
Category: |
Documents |
Upload: | albert-douberly |
View: | 225 times |
Download: | 4 times |
11
Topic 2 – Lesson 4Topic 2 – Lesson 4Packet FilteringPacket Filtering
Part IPart I
22
Basic QuestionsBasic Questions What is packet filtering?What is packet filtering? What elements are inside an IP header? What is the size for What elements are inside an IP header? What is the size for
each such element?each such element? What elements are inside a TCP header? What is the size for What elements are inside a TCP header? What is the size for
each such element?each such element? Assume client A with (5.6.7.8:1078) wants to establish a TCP Assume client A with (5.6.7.8:1078) wants to establish a TCP
connection with server B (1.2.3.4: 80), explain the TCP 3-Way connection with server B (1.2.3.4: 80), explain the TCP 3-Way Shake process step-by-step.Shake process step-by-step.
Compare TCP with UDPCompare TCP with UDP Discuss Example 1:Discuss Example 1:
Explain Figure 2-5Explain Figure 2-5 Explain the 4 policy rules one-by-oneExplain the 4 policy rules one-by-one Explain the 6 firewall rules one-by-oneExplain the 6 firewall rules one-by-one
33
What is packet filtering?What is packet filtering?
Blocks/filters traffic from and to the internal Blocks/filters traffic from and to the internal networknetwork
Hardware can be called: Screening RouterHardware can be called: Screening Router Firewall accepts or blocks data based on Firewall accepts or blocks data based on
packet headerpacket header Network Layer!Network Layer! Does NOT scan contentDoes NOT scan content Firewall Policy describes rules for Firewall Policy describes rules for
allowing/rejecting packetsallowing/rejecting packets
44
What elements are inside an IP header? What What elements are inside an IP header? What is the size for each such element?is the size for each such element?
The 4 info: The 4 info: Source IP: source hotel building street addressSource IP: source hotel building street address Source port: room number Source port: room number Dest Ip: dest hotel Dest Ip: dest hotel Dest port: room number Dest port: room number
Source / Dest IP (both 32 bits)Source / Dest IP (both 32 bits) Protocol (8bits) (TCP? UDP?)Protocol (8bits) (TCP? UDP?) Protocol can also be ICMPProtocol can also be ICMP
55
What elements are inside a TCP header? What elements are inside a TCP header? What is the size for each such element?What is the size for each such element?
Source / Dest Ports (16bits)Source / Dest Ports (16bits) Contain ACK/SYN flags (1bit each)Contain ACK/SYN flags (1bit each)
66
How to establish a TCP connection How to establish a TCP connection between two ports?between two ports?
A TCP connectionA TCP connection Step 1: establish the Step 1: establish the
connectionconnection Step 2: send the Step 2: send the
messages back and forthmessages back and forth Step 3: terminate the Step 3: terminate the
connection connection
A phone call sessionA phone call session Step 1: Dial the phone Step 1: Dial the phone
numbernumber Step 2: do talkingStep 2: do talking Step 3: hang upStep 3: hang up
Step 1 includes three sub-steps! The three sub-steps are called the TCP 3-way handshake.
77
TCP 3-way handshakeTCP 3-way handshake
.
.
.
.A B
ACK=0SYN=1
ACK=1SYN=1
ACK=1SYN=0
IP #Port #
IP #Port #
Note: A and Bare two programs
88
Assume client A with (5.6.7.8:1078) wants to Assume client A with (5.6.7.8:1078) wants to establish a TCP connection with server B establish a TCP connection with server B
(1.2.3.4: 80), explain the TCP 3-Way Shake (1.2.3.4: 80), explain the TCP 3-Way Shake process step-by-step.process step-by-step.
11stst Step: Connection request by client A : Contains source Step: Connection request by client A : Contains source IP(5.6.7.8), source port(1078), and destination IP (1.2.3.4), IP(5.6.7.8), source port(1078), and destination IP (1.2.3.4), destination Port(80) . Also has SYN flag is set to 1, ACK is 0destination Port(80) . Also has SYN flag is set to 1, ACK is 0
22ndnd Step: the ip 1.2.3.4 will acknowledge by sending ACK flag Step: the ip 1.2.3.4 will acknowledge by sending ACK flag (set to 1).(set to 1). Source 1.2.3.4 destination is 5.6.7.8Source 1.2.3.4 destination is 5.6.7.8
33rdrd Step: the original IP of 5.6.7.8 sends back to 1.2.3.4 ACK 1 Step: the original IP of 5.6.7.8 sends back to 1.2.3.4 ACK 1 SYN 0.SYN 0.
Additional comments: SYN flag is used to setup TCP Additional comments: SYN flag is used to setup TCP connection, ACK flag is used to acknowledge receipt of a connection, ACK flag is used to acknowledge receipt of a packet.packet.
99
Compare TCP with UDPCompare TCP with UDP
header information exactly sameheader information exactly same UDP connectionless, no flagsUDP connectionless, no flags Unlike TCP, UDP has no way of checking if Unlike TCP, UDP has no way of checking if
packet successfully transmittedpacket successfully transmitted Block all packets in order to block UDP Block all packets in order to block UDP
sessionsession UDP= User Datagram ProtocolUDP= User Datagram Protocol
1010
Explain Figure 2-5Explain Figure 2-5
Telnet service can go out except for one userTelnet service can go out except for one user No UDP packets allowedNo UDP packets allowed Incoming Telnet packets allowed from Incoming Telnet packets allowed from
external servers to internal clientsexternal servers to internal clients Who is inside and who is outside?Who is inside and who is outside? Inside network=above firewallInside network=above firewall
1111
Figure 2-5Figure 2-5
Internet
Internet
132.28.6.4Server(telnet listens on 23)
Incoming packets
Outgoing packets
Firewall
1212
Explain the 4 policy rules one-by-oneExplain the 4 policy rules one-by-one(Example 1)(Example 1)
1. No incoming telnet service (request) should 1. No incoming telnet service (request) should be processedbe processed
2. Outgoing telnet requests are OK2. Outgoing telnet requests are OK 3. Computer 132.28.6.4 cannon do Telnet3. Computer 132.28.6.4 cannon do Telnet 4. UDP packets are not allowed4. UDP packets are not allowed
1313
The 6 Packet Filtering RulesThe 6 Packet Filtering Rules
1414
Explain the 6 firewall rules one-by-oneExplain the 6 firewall rules one-by-one(Example 1)(Example 1)
Rule A: Denies any incoming TCP packets that attempt to Rule A: Denies any incoming TCP packets that attempt to open a Telnet connectionopen a Telnet connection
Rule B: Denies any outgoing Telnet packets from internal Rule B: Denies any outgoing Telnet packets from internal client 132.28.6.4 to external telnet server.client 132.28.6.4 to external telnet server.
Rule C: Denies incoming packets from external telnet serves Rule C: Denies incoming packets from external telnet serves (internal host server)(internal host server)
Rule D and E: Someone from inside firewalls can telnet out, Rule D and E: Someone from inside firewalls can telnet out, but no one from the outside can telnet in. Connection is but no one from the outside can telnet in. Connection is established starting from the inside established starting from the inside What’s the difference between telnet in and telnet out?What’s the difference between telnet in and telnet out? Telnet in= Internet client to Telnet server on network internallyTelnet in= Internet client to Telnet server on network internally Telnet out= Client on the network; the server is on the InternetTelnet out= Client on the network; the server is on the Internet
Rule F: Denies any incoming UDP packetsRule F: Denies any incoming UDP packets Firewall rules are processed sequentiallyFirewall rules are processed sequentially
1515
How to enforce policy rule 1How to enforce policy rule 1
Policy rule 1: no incoming telnet servicePolicy rule 1: no incoming telnet service We can enforce this policy rule by a single packet filtering rule We can enforce this policy rule by a single packet filtering rule
which has the following field:which has the following field: RULE #: RULE ARULE #: RULE A FIELD 1: source addressFIELD 1: source address
External IP (outside IP)External IP (outside IP) Field 2Field 2: destination: destination
Inside IP (the IP of the internal telnet server)Inside IP (the IP of the internal telnet server) F3: directionF3: direction
inboundinbound F4: source port -- any port (no restriction)F4: source port -- any port (no restriction) F5: dest port -- 23 (telnet server)F5: dest port -- 23 (telnet server) F6: protocol -- TCPF6: protocol -- TCP F7: ACK -- 0 F7: ACK -- 0 F8: Action -- denyF8: Action -- deny
1616
Policy rule 2: outgoing telnet Policy rule 2: outgoing telnet requests OKrequests OK
To enforce this policy rule, we need TWO packet To enforce this policy rule, we need TWO packet filtering rulesfiltering rules We need two rules because even if an internal employee We need two rules because even if an internal employee
telnets out, he needs to receives packets from the outside telnets out, he needs to receives packets from the outside telnet servertelnet server
Rule D: permit outgoing packets to the outside telnet serverRule D: permit outgoing packets to the outside telnet server So the source IP must be an internal IP; the dest IP must be an outside So the source IP must be an internal IP; the dest IP must be an outside
IP; the source port can be any; but the dest port must 23; IP; the source port can be any; but the dest port must 23; Dir4ection: outboundDir4ection: outbound Protocol: TCPProtocol: TCP ACK: 0 or 1 -- we need to allow both otherwise the telnet connection ACK: 0 or 1 -- we need to allow both otherwise the telnet connection
can NOT be established. can NOT be established. Rule E: permit incoming packets from the outside telnet serverRule E: permit incoming packets from the outside telnet server
1717
Policy rule 2 – cont’dPolicy rule 2 – cont’d
Rule E: permit incoming packets from the outside telnet Rule E: permit incoming packets from the outside telnet serverserver Source IP: outside Source IP: outside Dest IP; insideDest IP; inside Direction: incoming - inboundDirection: incoming - inbound TCPTCP Source port: 23 (***)Source port: 23 (***) Dest port (internal telnet client): anyDest port (internal telnet client): any PermitPermit ACK: 1 (********)ACK: 1 (********)
ACK canNOT be 0 because we do NOT allow an outside telnet server to ACK canNOT be 0 because we do NOT allow an outside telnet server to initiate a connection; actually a Telnet server should NEVER initiate a initiate a connection; actually a Telnet server should NEVER initiate a connectionconnection
1818
Rule A vs. Rule ERule A vs. Rule E
Rule A : no incoming telnet service requestRule A : no incoming telnet service request Rule E: allow incoming telnet packets from an Rule E: allow incoming telnet packets from an
outside telnet serveroutside telnet server
1919
Policy Rule 3: Why is Rule C Policy Rule 3: Why is Rule C Redundant?Redundant?
Rule B already specifies host is not able to establish Rule B already specifies host is not able to establish telnet session, so no incoming traffic from a telnet telnet session, so no incoming traffic from a telnet server.server.
If hacker spoofs a packet, and rule C is removed then If hacker spoofs a packet, and rule C is removed then the packet goes throughthe packet goes through
Will this packet be a problem for the network?Will this packet be a problem for the network? NoNo packet like a car, without rule c, packet will get in, packet packet like a car, without rule c, packet will get in, packet
will die there, packet will not be processed because no will die there, packet will not be processed because no telnet session is established. No damagetelnet session is established. No damage
2020
Policy rule 4: Do you think Rule F is Policy rule 4: Do you think Rule F is enough to block all UDP Packets?enough to block all UDP Packets?
Not enough, resources inside can cause damage to Not enough, resources inside can cause damage to outside, if an internal resource gets hacked, it can outside, if an internal resource gets hacked, it can cause problems for another network. Have to block cause problems for another network. Have to block all UDP going out to be safe.all UDP going out to be safe.
UDP same header information as TCP, there is no UDP same header information as TCP, there is no way to tell if it is a response or if it is from a session way to tell if it is a response or if it is from a session already in progress.already in progress.
UDP no 3 way handshakeUDP no 3 way handshake Worm Slammer- Worm show malicious UDP packets Worm Slammer- Worm show malicious UDP packets
can be sent from inside out to outside computerscan be sent from inside out to outside computers
2121
Rule A and Rule E conflict, how so?Rule A and Rule E conflict, how so?
Rule A doesn’t give a port number, but Rule E Rule A doesn’t give a port number, but Rule E uses port 23.uses port 23.
Process rules in order, fail Rule A first before Process rules in order, fail Rule A first before it gets to E.it gets to E.
Rule A blocks incoming requests to create a Rule A blocks incoming requests to create a new TCP session, where Rule E allows already new TCP session, where Rule E allows already established sessions to continueestablished sessions to continue
Look at ACK flagLook at ACK flag
2222
Rule B and Rule D conflict, how so?Rule B and Rule D conflict, how so?
B denies all outgoing telnet packets from an internal B denies all outgoing telnet packets from an internal server, D does the oppositeserver, D does the opposite
If D allows outgoing telnet sessions and B denies the If D allows outgoing telnet sessions and B denies the outgoing session through the host, is there a point to outgoing session through the host, is there a point to having written rule B?having written rule B?
B trumps D. Rule B will kill packet, if not from the B trumps D. Rule B will kill packet, if not from the host it will go through rule B.host it will go through rule B.
Why is the ACK permitting anything, and in Rule B Why is the ACK permitting anything, and in Rule B ACK is set to 1 or 0?ACK is set to 1 or 0?
Writing 0 or 1 can be replaced by the *Writing 0 or 1 can be replaced by the *
2323
Rule C and Rule E conflict, how so?Rule C and Rule E conflict, how so?
E allows incoming packets, but C denies incoming E allows incoming packets, but C denies incoming packetspackets
Order doesn’t matter, need both for it to be true, but Order doesn’t matter, need both for it to be true, but only 1 to be false to deny packetonly 1 to be false to deny packet
is there a reason to have D and E since they allow is there a reason to have D and E since they allow everything?everything?
Yes, you want to specify what you allow. Packets that Yes, you want to specify what you allow. Packets that go through rule set are denied by default. Depends on go through rule set are denied by default. Depends on how the firewalls are setup.how the firewalls are setup.