Date posted: 30-Nov-2015
Category: Documents
Uploaded by: faizulemizal
EC-Council
Copyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Module Objectives
Introduction of NAT
Application Layer Gateways
Defining: VPN, IDS
Packet Filtering
Packet Filtering Approaches
Filtering by TCP/UDP Port Number
Filtering ACK flags
Filtering Packet Contents
Proxy servers
Authentication Process
Authentication Process Types
Module Flow
[Flow diagram with boxes: NAT; Packet Filtering; Packet Filtering Approaches; Filtering by TCP/UDP Port Number; Filtering ACK Flags; Application Layer Gateways; VPN; IDS; Proxy servers; Authentication Process; Authentication Process Types]
Network Address Translation
Conceals the TCP/IP information of hosts in the network
Functions as a network layer proxy making requests on behalf of all internal hosts over the network
Converts IP address of internal hosts to IP address of the firewall
NAT-equipped firewall receives the request and replaces the genuine IP address
NAT
[Diagram: hosts 11.0.0.1 to 11.0.0.6 on the private network sit behind a firewall (24.44.8.0) and a router that connect to the Internet. A request comes from 11.0.0.3; the server gets the request from 24.44.8.0.]
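The translation shown in the NAT diagram, as an added example that is not part of the original slides: a minimal source-NAT table in Python using the diagram's addresses. The server address, the port numbers and the per-connection port mapping used to route replies back are assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import count

FIREWALL_IP = "24.44.8.0"  # public address shown in the slide's diagram

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Nat:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._ports = count(first_port)  # assumed pool of public ports
        self.out_map = {}                # (inside ip, port) -> public port
        self.in_map = {}                 # public port -> (inside ip, port)

    def outbound(self, pkt):
        """Rewrite the source so the server only ever sees the firewall."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_map:
            port = next(self._ports)
            self.out_map[key] = port
            self.in_map[port] = key
        return Packet(self.public_ip, self.out_map[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Map a reply back to the inside host; None means no mapping, so drop."""
        inside = self.in_map.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or inside is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])

def demo():
    nat = Nat(FIREWALL_IP)
    server = "198.51.100.7"  # constructed server address (documentation range)
    request = Packet("11.0.0.3", 1087, server, 80)  # ports are constructed
    seen_by_server = nat.outbound(request)
    reply = Packet(server, 80, seen_by_server.src_ip, seen_by_server.src_port)
    delivered = nat.inbound(reply)
    unsolicited = nat.inbound(Packet(server, 80, FIREWALL_IP, 55555))
    return seen_by_server, delivered, unsolicited

if __name__ == "__main__":
    print(demo())
```

The server only ever sees 24.44.8.0 as the source, and an inbound packet with no matching table entry is dropped instead of being forwarded to an internal host.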
Application Layer Gateways
Also known as a ‘proxy server’; operates at the application layer of the OSI model
Controls network access by establishing proxy services
Inspects the content in the packet header to decide whether to grant/deny access
Security Techniques:
•Load balancing:
–Divides the traffic load and enables firewalls to monitor the traffic
•IP address mapping:
–Maps a static IP address to the private IP address of a computer
•Filtering content:
–Blocks files, file names, keywords, e-mail attachments or content types
•URL Filtering:
–Blocks a site’s DNS name
Application Proxies
Acts on behalf of a host: handles requests, then rebuilds and forwards them to the intended location
Compatible with a dual-homed host or screened host system
Dual-Homed Host:
• Lies between the internal LAN and the Internet
• Proxy server software makes requests and forwards packets from the Internet
Packet Filtering
Blocks or allows transmission of packets on the basis of port, IP address and protocol
Common rules for packet filtering are:
• Drop all inbound connections
• Eliminate packets destined for all ports unavailable to the Internet
• Filter ICMP redirect and echo messages
• Drop all packets using the IP header source routing feature
Packet Filtering: Devices
Routers:
• Common packet filters that prevent unauthorized traffic from intruding into the network
Operating Systems:
• Windows and Linux have built-in utilities that perform packet filtering on the TCP/IP stack
Software Firewalls:
• Check Point Firewall-1 performs stateful filtering
Packet Filtering: Approaches
Stateless (static) Packet Filtering:
• Reviews packet header contents and decides whether to allow or discard the packets
• Blocks traffic from a subnet or other traffic
Stateful Packet Filtering (Stateful Inspection):
• Maintains connection status, while performing all functions of stateless packet filtering
Stateless Packet Filtering
Determines whether data is allowed to flow or is blocked, without considering whether a connection is established
Used to completely block the traffic
Configuration:
• IP header information
• TCP/UDP port number in use
• The ICMP message type
• Fragmentation flags (the ACK, SYN)
Filtering Based On IP Header
Compares header data against rule base and forwards packets that match the criteria on the basis of:
• Packet’s source IP address
• Destination or target IP address
• Protocol for the host requesting access
• IP protocol and ID field in the header
TCP Flags in a Packet Header
Filtering Based On TCP/UDP Port Number
Also called port filtering or protocol filtering
Filters a wide variety of information, such as:
• SMTP and POP e-mail messages
• NetBIOS sessions
• DNS requests
• Network News Transfer Protocol (NNTP) newsgroup sessions
Filtering Based On Fragmentation Flags
Fragmenting packets allows them to traverse the network with ease despite their size
Only the first fragment carries the port number
Downside of fragmentation:
• Modifying the IP header of packets to start with number 1 lets them pass through the network
Measure to prevent such fragments from traversing the network:
• Employ a firewall to reassemble the fragments and to pass the complete packets to the network
Filtering Based On ICMP Message Type
ICMP enables the network to handle communication problems
Hackers exploit ICMP packets to crash computers on the network
ICMP packets have no authentication method to verify the authenticity of the packet
Firewall/packet filter determines the authenticity of the ICMP packet
Filtering Based On ICMP Message Type
ICMP Type | Name | Possible Cause
0 | Echo reply | Normal response to a ping
3 | Destination unreachable | Destination unreachable
3 code 6 | Destination network unknown | Destination network unknown
3 code 7 | Destination host unknown | Destination host unknown
4 | Source quench | Router receiving too much traffic
5 | Redirect | Faster route located
8 | Echo request | Normal ping request
11 | Time exceeded | Too many hops to destination
12 | Parameter problem | There is a problem with parameter
Filtering Based On ACK Flags
ACK flag:
• Indicates either connection request or connection establishment
• A hacker can set the ACK flag to 1
Configure the firewall to allow access to ports and to specify the direction of data flow on those ports when the ACK flag is set to 1
Filtering Suspicious Inbound Packets
The firewall raises an alert when a packet arrives from the external network containing an internal network’s IP address
Firewalls let the user permit or deny packets:
• Case-by-case basis
• Automatically, by setting rules
Stateful Packet Filtering
Maintains records of the state of the connection
Maintains a state table that lists the current connections
Consults the state table and the rule base when a packet is encountered
Permits packets based on previously accepted packets
Stateful Packet Filtering
[Diagram: Internet, Router, Ethernet]
1. Host attempts to connect to www.course.com
2. Router checks the state table and sees that no connection exists; state entry created and request passed to rule base
3. Rule that internal hosts may access TCP/80 exists; packets are allowed to pass through
4. Packets received by course.com Web server; SYN/ACK reply sent to firewall
5. Packets received; state table entry referenced
6. Packets allowed to pass
State Table
Source IP: www.course.com
Source port: 70
Destination IP: 10.0.0.6
Destination port: 1087
Transport: TCP
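The six steps above, together with the earlier point that the ACK flag can simply be set to 1, as an added example that is not part of the original slides: a static ACK rule and a state-table filter in Python, run over the same three segments. The internal host 10.0.0.6 and port 1087 come from the slide; the other addresses are constructed, and direction is inferred from the source address here, whereas a real filter keys on the arrival interface.

```python
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."  # internal network, as in the slide's 10.0.0.6
WEB = "203.0.113.10"       # constructed stand-in for www.course.com

@dataclass(frozen=True)
class Seg:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset       # e.g. frozenset({"SYN", "ACK"})

def stateless_allow(seg):
    """Static rule: outbound to TCP/80 passes; inbound passes if ACK is set."""
    if seg.src.startswith(INSIDE_PREFIX):
        return seg.dport == 80
    return "ACK" in seg.flags

class StatefulFilter:
    def __init__(self):
        self.state = set()  # (inside ip, inside port, outside ip, outside port)

    def allow(self, seg):
        if seg.src.startswith(INSIDE_PREFIX):
            if seg.dport != 80:  # rule base: internal hosts may reach TCP/80
                return False
            self.state.add((seg.src, seg.sport, seg.dst, seg.dport))
            return True
        # Inbound: only replies that match an existing state entry pass.
        return (seg.dst, seg.dport, seg.src, seg.sport) in self.state

def demo():
    fw = StatefulFilter()
    syn = Seg("10.0.0.6", 1087, WEB, 80, frozenset({"SYN"}))
    synack = Seg(WEB, 80, "10.0.0.6", 1087, frozenset({"SYN", "ACK"}))
    # Constructed unsolicited segment with ACK set and no prior connection.
    forged = Seg("198.51.100.9", 80, "10.0.0.6", 1088, frozenset({"ACK"}))
    return {
        "stateless": [stateless_allow(s) for s in (syn, synack, forged)],
        "stateful": [fw.allow(s) for s in (syn, synack, forged)],
    }

if __name__ == "__main__":
    print(demo())
```

The static rule passes all three segments, while the state table passes the request and its SYN/ACK reply and drops the unsolicited ACK because no entry matches it.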
Filtering Based On Packet Contents
Stateful Inspection:
• Examines the contents of packets and headers to ensure reliability
Proxy Gateway:
• Examines the data in a packet and evaluates which application should handle it
Specialty Firewall:
• Examines the body of e-mail messages or Web pages for identifying malicious content
Overview of Proxy Servers
Other Names:
• Proxy services
• Application-level gateways
• Application proxies
Scans and acts on the data part of an IP packet
Working:
• Intercepts a request from an internal network computer and transmits it to the destination computer on the Internet
Proxy Server Vs Packet Filtering
Scans the complete data part of IP packets and creates elaborate log file listings
Restructures packets with new source IP information, which protects internal users from outsiders
Server on the Internet and an internal host are never directly connected to one another
More vital to network communications
Goals of Proxy Servers
Conceals Internal Clients
• Hides internal clients from external clients who try to gain access to internal networks
Blocks URLs
• Prevents employees from visiting websites that offer content regarded as inappropriate by the management
Blocks and Filters Content
• Scans the packets for contents that can cause trouble
Protects E-mail Proxy
• Protects users surfing the Internet including e-mails
Goals of Proxy Servers (Cont)
Improves Performance
• Decreases the access time for documents requested frequently
Ensures Security
• Provides a reliable checkpoint to monitor network activity
Provides user authentication
• Enhances security when used in combination with authentication
Redirects URLs
• Scans specific parts of the data part of an HTTP packet and redirects it to a specific location
Proxy Server Based Firewalls
Transparent Proxies
• Can be configured to be completely invisible to the end users
Nontransparent Proxies
• Require client software to be configured to use the server software
SOCKS-Based Proxies
• SOCKS Protocol:
– Enables the establishment of generic proxy applications
• SOCKS Features:
– Has security-related advantages
Firewall: Authentication Process
Process of identifying users and providing network services based on their identity
Types of authentication:
• Basic authentication
– Server matches the username-password pair supplied by the client
• Challenge-response authentication
– Firewall generates a random code or number termed a challenge
• Centralized authentication service
– Centralized server handles the three practices:
– Authentication
– Authorization
– Auditing
Firewalls Implementing The Authentication Process
1. Client sends a request to access a resource
2. Firewall interrupts the request and prompts the user for name and password
3. User submits information to the firewall
4. User is authenticated
5. Request is verified against the firewall’s rule base
6. If request matches existing allow rule, user is granted access
7. User accesses the required resources
Firewalls: Types Of Authentication Process
User Authentication:
• Basic type of authentication where user is given access to resources by verifying username and password
Client authentication:
• Identical to user authentication with the addition of usage restrictions
Session authentication:
• Requests for authentication whenever a client establishes a session to connect to a network resource
Summary
NAT hides the TCP/IP information of hosts in the network and converts IP addresses of hosts to that of the firewall and vice versa
Proxy servers limit network access by setting proxy services
Application proxies are compatible with a dual-homed host or screened host system to handle requests of intended clients
VPN connections are limited to machines with specific IP addresses
IDS alerts administrator against attacks