
Firewalls P+S Linux Router & Firewall 2013


(1)

Firewalls

(2)

NSHS08H8353226

Prof. Bernhard Plattner, TIK, ETH Zürich P+S Linux Router & Firewall 2013 2

Firewall Techniques

§ What is a firewall?

§ A firewall is a hardware or software device which is configured to permit, deny, or proxy data through a computer network which has different levels of trust.

§ Types of operation

§ Simple packet filter

§ Stateful filter

§ Application layer / proxy based


(3)

Firewall Rules

§ Filtering

§ Ingress: Filter incoming traffic

§ Egress: Filter outgoing traffic

§ Default Policy

§ Accept all versus reject all

§ Deny Access

§ Drop - silently drop packet

§ Reject - drop packet and inform sender

§ Addressing Transparency

§ Firewall and network fingerprinting

(4)


Firewall Rule Processing

NIC = Network Interface Card

(5)

Stateless Firewall - Packet Filter

Functionality

§ Examine a packet at the network layer.

§ Decision based on header in packet.

Pros

§ Application independent

§ Good performance and scalability

Cons

§ No state or application context

Source: CheckPoint

(6)


Stateful Firewall

Functionality

§ Keep track of the state of the network connections.

§ Decision based on session state.

Pros

§ Easier to specify rules

Cons

§ State explosion

§ State for UDP?
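The difference between the stateless filter (slide 5) and the stateful filter (slide 6), as an added example that is not part of the lecture slides: the same default-deny policy applied once from headers alone and once with a connection table, over a constructed packet trace. The allowed inbound port, the addresses and the trace are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (ingress) or "out" (egress)
    proto: str          # "tcp" or "udp"
    src: tuple          # (ip, port)
    dst: tuple          # (ip, port)
    syn: bool = False   # TCP SYN flag set, i.e. the session-initiating packet

ALLOWED_IN_PORTS = (80,)   # assumption: only the web server may be reached from outside

def stateless_filter(pkt):
    """Stateless packet filter: decide from the header alone, default policy DROP."""
    if pkt.direction == "out":
        return "ACCEPT"
    if pkt.proto == "tcp" and pkt.dst[1] in ALLOWED_IN_PORTS:
        return "ACCEPT"
    # Replies to our own outbound sessions carry no SYN; without state the
    # filter can only admit every non-SYN segment, to every inside port.
    if pkt.proto == "tcp" and not pkt.syn:
        return "ACCEPT"
    return "DROP"

def stateful_filter(pkt, conntrack):
    """Stateful filter: one rule for the initiating packet, state for the rest."""
    key, reverse = (pkt.proto, pkt.src, pkt.dst), (pkt.proto, pkt.dst, pkt.src)
    if key in conntrack or reverse in conntrack:
        return "ACCEPT"                       # belongs to a tracked session
    new_in = pkt.proto == "tcp" and pkt.syn and pkt.dst[1] in ALLOWED_IN_PORTS
    if pkt.direction == "out" or new_in:
        conntrack.add(key)                    # remember the session (UDP: first datagram)
        return "ACCEPT"
    return "DROP"

# Constructed trace: an outbound HTTPS session and its reply, then two
# unsolicited inbound packets (one non-SYN to ssh, one SYN to the web port).
TRACE = [
    Packet("out", "tcp", ("10.0.0.1", 4321), ("18.181.0.31", 443), syn=True),
    Packet("in",  "tcp", ("18.181.0.31", 443), ("10.0.0.1", 4321)),
    Packet("in",  "tcp", ("203.0.113.9", 40000), ("10.0.0.1", 22)),
    Packet("in",  "tcp", ("203.0.113.9", 40001), ("10.0.0.1", 80), syn=True),
]

def run_stateless():
    return [stateless_filter(p) for p in TRACE]

def run_stateful():
    conntrack = set()
    return [stateful_filter(p, conntrack) for p in TRACE]
```

The stateless run accepts the unsolicited non-SYN packet to port 22, the stateful run drops it; this is the "easier to specify rules" point, and the conntrack set is the state that can explode.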

(7)

Application Layer Firewall

Functionality

§ Take application state into security decision.

Pros

§ Application layer awareness.

Cons

§ Supported application protocols.

§ Performance, scalability

(8)


Web Application Firewall (WAF)

§ Protect web-based applications from malicious requests

§ Response to trend towards Software as a Service (SaaS)

§ Instance of an application layer firewall

§ Request filtering

§ Request patterns (signatures)

- Forceful browsing, SQL injection, cross-site scripting, buffer overflow attempts, checking number of form parameters, ...

§ Static or dynamic blacklisting / whitelisting

§ False positive problem

§ Implementation often as a reverse proxy

(9)

Organizational Challenges

§ Extensive Rulesets

§ Firewall rulesets are complex and grow over time, with thousands of rules on a single firewall.

§ Rulesets are hard to manage and understand (do they really reflect your security policy?).

§ Big Organizations

§ Tools needed to manage hundreds of firewalls securely.

§ What is the process to change rulesets?

§ Conflicting goal: networking vs. security staff

§ Networking staff: Paid for providing connectivity, blamed for disruptions.

§ Security staff: Paid to protect and disrupt connectivity

(10)


Network Address Translation (NAT)

“A small man’s firewall”

(11)

NAT Network Address Translation

[Figure: home network with Host A (10.0.0.1), Host B (10.0.0.2) and Host C (10.0.0.3) "behind NAT device" (155.99.25.11); Host B (18.181.0.31) among the hosts in the public Internet; arrows labelled "Initiate communication" from both sides towards the NAT device]

One way to the Internet – ubiquitously deployed in home networks

(12)


Network Address Translation

§ Enable multiple hosts on a private network to access the Internet using a single public IP address.

§ Re-writing of source and/or destination addresses of IP packets as they pass through a router or firewall.

§ Benefits

§ Prevents malicious activity initiated by outside hosts.

§ Saves address space.

§ Drawbacks

§ No true end-to-end connectivity.

§ Some protocols can be disrupted (IPsec, SIP, ftp, ..)

(13)

NAT Concept

§ Session

§ A session endpoint for TCP or UDP is a pair {IP address, port number}.

§ A particular session is uniquely identified by its two session endpoints (local IP:port, remote IP:port)

§ The direction of a session is normally the flow direction of the packet that initiates the session:

- the initial SYN packet for TCP

- the first user datagram for UDP

(14)


NAT Modes

§ Asymmetric bridge between private and public network.

§ Allows only outbound sessions to traverse NAT.

§ 1. Basic NAT

§ Translates IP addresses only, keeps port numbers.

§ One public IP for each internal host needed (one to one)

§ 2. Network Address and Port Translation NAPT

§ Translate entire session endpoints.

§ Many internal hosts can share public IPs (many to one)

(15)

NAT Operation

NAT Binding: 10.0.0.1:4321 – 155.99.25.11:6200

[Figure: Host A (10.0.0.1) in the private network, NAT device (155.99.25.11), Host B (18.181.0.31) in the Internet]

- Host A → NAT device: Src 10.0.0.1:4321, Dst 18.181.0.31:1234

- NAT device → Host B: Src 155.99.25.11:6200, Dst 18.181.0.31:1234

- Host B → NAT device: Src 18.181.0.31:1234, Dst 155.99.25.11:6200

- NAT device → Host A: Src 18.181.0.31:1234, Dst 10.0.0.1:4321

(16)


Peer to Peer through NAT

§ Peer A tries to contact Peer B but is blocked by router B

§ Peer B tries to contact Peer A but is blocked by router A

§ No communication can be established

⇒ NAT hole punching techniques

[Figure: Peer A behind A's NAT router, Peer B behind B's NAT router, both connected to the public Internet]

(17)

NAT UDP Hole Punching - 1

§ Hole punching assumes that the clients A and B already have active UDP sessions with a rendezvous server S

§ Server S records the clients' private and public session endpoints:

A: (10.0.0.1:4321, 155.99.25.11:62000)

B: (10.1.1.3:4321, 138.76.29.7:31000)

Source: http://pdos.csail.mit.edu/papers/p2pnat.pdf

(18)


NAT UDP Hole Punching - 2

1. A asks S for help to establish a session with B

2. S replies to A with B's public and private endpoints

3. S sends B a connection request with A's endpoints (using the pre-established session B-S)

Now A and B know each other's public and private endpoints

(19)

NAT UDP Hole Punching - 3

§ A and B start sending UDP packets to the peers' endpoints (without synchronization)

§ A's first packet to B's public endpoint

  § "punches a hole" in A's NAT

  § is blocked at B's NAT

§ B's first packet to A's public endpoint

  § "punches a hole" in B's NAT

  § passes A's NAT

§ A's next packet to B's public endpoint

  § passes B's NAT

(20)


NAT UDP Hole Punching - 4

§ Communication through the peers' public endpoints is established.

§ Only the messages to the public endpoints get through.

(21)

NAT UDP Hole Punching - 5

§ Assumption: NAT-A is well behaved

§ NAT-A preserves the identity of A's private endpoint, consistently translating all outbound sessions from (10.0.0.1:4321) to the corresponding public endpoint (155.99.25.111:62000).

§ The new session's source endpoint (10.0.0.1:4321) is the same as that of the existing session A-S.

§ This is supported by most vendors of NAT devices.

§ Recommended reading

§ http://pdos.csail.mit.edu/papers/p2pnat.pdf

- Section 3: UDP Hole Punching

- Section 5.1: Consistent Endpoint Translation
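The NAPT operation of slide 15 and the hole-punching sequence of slides 18 to 21 replayed in one model, as an added example that is not part of the lecture slides: each NAT keeps one public port per private endpoint (the consistent-translation assumption of slide 21) and delivers inbound packets only for sessions it has seen leave. The endpoints of A and B are the slides' values; the rendezvous server's address and port, and the binding bookkeeping, are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Nat:
    """NAPT device with consistent endpoint translation: one public port per
    private endpoint, reused for every destination (the slide 21 assumption)."""
    public_ip: str
    next_port: int
    bindings: dict = field(default_factory=dict)  # private (ip, port) -> public port
    sessions: set = field(default_factory=set)    # (public port, remote endpoint)

    def outbound(self, src, dst):
        """Translate a private->Internet packet; returns (src, dst) as seen outside."""
        if src not in self.bindings:
            self.bindings[src] = self.next_port
            self.next_port += 1
        port = self.bindings[src]
        self.sessions.add((port, dst))            # "punches a hole" towards dst
        return ((self.public_ip, port), dst)

    def inbound(self, src, dst):
        """Deliver an Internet->private packet only for an existing outbound session."""
        if dst[0] != self.public_ip or (dst[1], src) not in self.sessions:
            return None                           # unsolicited inbound: dropped
        private = next(p for p, port in self.bindings.items() if port == dst[1])
        return (src, private)

def hole_punch():
    """Replay slides 18-20; returns (A's public ep, B's public ep, delivery log)."""
    nat_a = Nat("155.99.25.11", 62000)
    nat_b = Nat("138.76.29.7", 31000)
    a, b = ("10.0.0.1", 4321), ("10.1.1.3", 4321)
    s = ("192.0.2.10", 3478)                      # rendezvous server S (constructed)
    a_pub, _ = nat_a.outbound(a, s)               # pre-existing sessions A-S and B-S
    b_pub, _ = nat_b.outbound(b, s)
    log = []
    src, dst = nat_a.outbound(a, b_pub)           # A's first packet: hole in NAT-A,
    log.append(("A->B", nat_b.inbound(src, dst) is not None))  # blocked at NAT-B
    src, dst = nat_b.outbound(b, a_pub)           # B's first packet: hole in NAT-B,
    log.append(("B->A", nat_a.inbound(src, dst) is not None))  # passes NAT-A
    src, dst = nat_a.outbound(a, b_pub)           # A's next packet passes NAT-B
    log.append(("A->B", nat_b.inbound(src, dst) is not None))
    return a_pub, b_pub, log
```

A NAT that allocated a fresh public port per destination (no consistent translation) would give S a public endpoint that is useless to B, which is why slide 21 states the assumption.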
