http://www.csc.gatech.edu/copeland/jac/6612/
Prof. John A. Copeland
john.copeland@ece.gatech.edu
404 894-5177
fax 404 894-0035
Office: Klaus 3362
email or call for office visit, 404 894-5177
Chapter 10a Firewalls
3/10/2013
Computer System Evolution
Central Data Processing System: with directly attached peripherals (card reader, magnetic tapes, line printer).
Local Area Networks: connects PCs (in terminal emulation mode), remote terminals (next building) and minicomputers.
Premises Network: connects LANs and LAN-attached devices to each other.
Enterprise-wide Network: leased data lines (T1, DS3) connect various offices.
Internet Connectivity: initially for email, now for Web access, e-commerce, music and video downloads, social networking, telecommuting, Web and video conferencing, distance learning, .... Makes the world accessible, but now the world also has access to you.
[Figure: State of Georgia network. Citizens, contractors, city and county governments and other agencies reach the State WWW Gateway over the WWW; State Internet firewalls sit in front of the Agency Virtual Private Network, which joins LANs at agency offices across Georgia over private virtual connections to agency and non-agency state servers. The Agency Firewall protects the agency subnets (Subnet 1, Subnet 2, gateways, WAN) from unwanted connections.]
[Figure: Protocol layers of a packet-filtering router-firewall. A browser (Ethernet data-link and physical layers, IP address 130.207.22.5) talks HTTP to a Web server (Token Ring data-link and physical layers, IP address 24.88.15.22); the application layer is labelled Port 80 on one side and Port 31337 on the other, with TCP/UDP segment numbers at the transport layer. The router-firewall operates at the network layer and can drop packets based on source or destination IP address and/or port.]
[Figure: Protocol layers of a transport- or application-layer gateway (proxy). Each side has its own TCP/UDP transport, IP network and data-link/physical layers (Ethernet on one side, Token Ring on the other); the gateway process terminates the application layer (HTTP, FTP, TELNET, SMTP) and relays between the two sides.]
Policy: No outside Web access.
Firewall Setting: Drop all outgoing packets to any IP, port 80.

Policy: Outside connections to Public Web Server only.
Firewall Setting: Drop all incoming TCP SYN packets to any IP except 130.207.244.203, port 80.

Policy: Prevent Web radios from eating up the available bandwidth.
Firewall Setting: Drop all incoming UDP packets except DNS and router broadcasts.

Policy: Prevent your network from being used for a Smurf DoS attack.
Firewall Setting: Drop all ICMP packets going to a broadcast address (130.207.255.255 or 130.207.0.0).

Policy: Prevent your network from being tracerouted or ping-scanned.
Firewall Setting: Drop all incoming ICMP, UDP, or TCP echo request packets; drop all packets with TTL < 5.
Firewall Attack: IP internal address spoofing
Firewall Defense: Drop all incoming packets with a local source address.

Firewall Attack: Source routing (external spoof)
Firewall Defense: Drop all IP packets with the Source Routing option.

Firewall Attack: Tiny fragment attacks
Firewall Defense: Drop all incoming packet fragments with small size.

Firewall Attack: 2nd fragment probes
Firewall Defense: Assemble IP fragments (hard work), or at least *.

Firewall Attack: SYN-ACK probes
Firewall Defense: Be stateful: keep track of TCP outgoing SYN packets (start of all TCP connections).

Firewall Attack: Internal outbound hacking
Firewall Defense: Drop all outgoing packets which do not have an "internal" source IP address.

* Fragments after the first one have no transport header (no way to tell if it is TCP, UDP, ICMP, ..., or determine port numbers). The firewall must at least keep a temporary list of approved IP ID numbers based on the first-fragment decision.
A Network Firewall is a single point that a Network Administrator can control, even if individual computers are managed by workers or departments.
Over half of corporate computer misfeasance is caused by employees who are already behind the main firewall.
Solution 1: isolate subnets with firewalls (usually routers or Ethernet switches with filter capabilities). Protect the Finance Department from the Engineering Department [Problem: the internal network runs at a much higher bit rate, so firewalls are more expensive].
Solution 2: implement host-based firewalls to limit access except on certain TCP/UDP ports from specific hosts or subnets. Must be centrally managed to be economical.
Solution 3: use an Intruder Detection System that divides the network into zones, and reports unauthorized cross-zone connections.
Stateful Firewall
[Figure: TCP connection from Local PC (ip1) through a stateful firewall to External Host (ip2):
  1. Local PC sends TCP SYN; the firewall establishes state (ip1, ip2, tcp, 33489, 80).
  2. External Host returns TCP SYN-ACK, or RESET, or related ICMP; matches the established state (ip1, ip2, tcp, 33489, 80).
  3. TCP ACKs follow in both directions; established state (ip1, ip2, tcp, 33489, 80).]
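The connection tracking behind that exchange, as an added example that is not the slides' own code: an outbound SYN creates the (ip1, ip2, tcp, 33489, 80) entry, and inbound packets are accepted only when they match one. The internal prefix, idle timeout, flag names and the convention that a related ICMP error is passed with the ports from its quoted TCP header are assumptions.

```python
import time

class StatefulFirewall:
    """Allow inbound packets only when an outbound SYN created matching state."""

    def __init__(self, local_prefix="130.207.", timeout=120.0):
        self.local = local_prefix          # assumed "internal" address prefix
        self.timeout = timeout             # assumed idle timeout in seconds
        self.table = {}                    # (ip1, ip2, proto, port1, port2) -> [state, last_seen]

    def outbound(self, src, dst, proto, sport, dport, flags=()):
        """Local PC (ip1) -> External Host (ip2)."""
        if not src.startswith(self.local):
            return "DROP: outbound packet without internal source"
        key = (src, dst, proto, sport, dport)
        if proto == "tcp" and "SYN" in flags and "ACK" not in flags:
            self.table[key] = ["SYN_SENT", time.monotonic()]   # establishes state
            return "ACCEPT"
        if key in self.table:
            self.table[key][1] = time.monotonic()
            return "ACCEPT"
        return "DROP: no state for outbound packet"

    def inbound(self, src, dst, proto, sport, dport, flags=()):
        """External Host -> Local PC. proto 'icmp' means a related ICMP error
        whose quoted TCP header carried the ports given (assumed convention)."""
        key = (dst, src, "tcp" if proto == "icmp" else proto, dport, sport)
        entry = self.table.get(key)
        if entry is None or time.monotonic() - entry[1] > self.timeout:
            self.table.pop(key, None)
            return "DROP: no matching state (e.g. SYN-ACK probe)"
        if entry[0] == "SYN_SENT":
            if "RST" in flags or proto == "icmp":
                del self.table[key]                # peer refused; forget the state
                return "ACCEPT"
            if "SYN" in flags and "ACK" in flags:
                entry[0] = "ESTABLISHED"
            else:
                return "DROP: expected SYN-ACK, RST or related ICMP"
        entry[1] = time.monotonic()                # refresh established state
        return "ACCEPT"
```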
# iptables -L -n
Chain INPUT (policy DROP)
target   prot opt source             destination
ACCEPT   tcp  --  143.218.132.0/25   0.0.0.0/0
ACCEPT   tcp  --  130.207.225.0/24   0.0.0.0/0
ACCEPT   all  --  79.76.0.0/16       0.0.0.0/0
ACCEPT   tcp  --  130.207.152.119    0.0.0.0/0
ACCEPT   tcp  --  143.215.151.0/24   0.0.0.0/0
ACCEPT   udp  --  64.192.0.0/10      0.0.0.0/0
ACCEPT   tcp  --  69.59.0.0/16       0.0.0.0/0
ACCEPT   tcp  --  24.0.0.0/8         0.0.0.0/0
DROP     all  --  0.0.0.0/0          0.0.0.0/0
[Detached from the listing by extraction: the match column "tcp dpt:22", shown on five of the tcp rules, and from a second listing without -n the fragments "destination anywhere", "destination 10.0.0.0/24" and "anywhere state RELATED,ESTABLISHED".]
The -n option speeds up iptables -L because it stops reverse DNS lookups. It is also beneficial for route, netstat, ....
     To                         Action      From
     --                         ------      ----
[ 1] 8822/tcp                   ALLOW IN    130.207.150.144
[ 2] Anywhere                   ALLOW IN    143.215.138.0/25
[ 3] 8822/tcp                   ALLOW IN    130.207.225.103
[ 4] 8822/tcp                   ALLOW IN    78.88.0.0/16
[ 5] 8822/tcp                   ALLOW IN    80.55.0.0/16
[ 6] Anywhere                   DENY IN     Anywhere
NAT: Network Address Translation
[Figure: Local Web client accessing an external Web server. Private hosts 192.168.0.10 (Web Server, port 80), 192.168.0.20 (Web Client), 192.168.0.30 (FTP Server, port 21) and 192.168.0.40 sit behind Router 24.88.48.47 with NAT; the Web Server 130.27.8.35 is on the Internet.
  1. Web Client sends: To 130.27.8.35:80 from 192.168.0.20:x
  2. Router rewrites the source and forwards: To 130.27.8.35:80 from 24.88.48.47:y
  3. Server replies: To 24.88.48.47:y from 130.27.8.35:80
  4. Router rewrites the destination and delivers: To 192.168.0.20:x from 130.27.8.35:80
x & y are high-number ephemeral client ports. Simple NATs use x = y.]
[Figure: External FTP client accessing a local FTP server. The FTP Client 130.27.8.35 is on the Internet; Router 24.88.48.47 with NAT holds a Forwarding Table: Port 80 > .10, Port 21 > .30. Behind it are hosts 192.168.0.10 (Web Server, port 80), 192.168.0.20, 192.168.0.30 (FTP Server, port 21) and 192.168.0.40.
  1. FTP Client sends: To 24.88.48.47:21 from 130.27.8.35:x
  2. Router forwards per the table: To 192.168.0.30:21 from 130.27.8.35:y
  3. Server replies: To 130.27.8.35:y from 192.168.0.20:21
  4. Router rewrites the source: To 130.27.8.35:x from 24.88.48.47:21]
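Both NAT paths of the two figures above in one small router model, as an added example (not the slides' code): outbound masquerading of 192.168.0.20 behind 24.88.48.47, reverse mapping of the reply, and the inbound forwarding table (port 80 > .10, port 21 > .30) for unsolicited connections. The addresses are the slides' own; the ephemeral-port allocator starting at 49152 and the (src, sport, dst, dport) tuple are assumptions.

```python
PUBLIC_IP = "24.88.48.47"
FORWARDING = {80: "192.168.0.10", 21: "192.168.0.30"}   # slide's forwarding table

class NatRouter:
    """Router 24.88.48.47 with NAT: outbound translation plus static port forwarding."""

    def __init__(self, public_ip=PUBLIC_IP, forwarding=FORWARDING, first_port=49152):
        self.public_ip = public_ip
        self.forwarding = dict(forwarding)
        self.next_port = first_port       # assumed ephemeral-port allocator (y)
        self.out_map = {}                 # (inside_ip, x, dst_ip, dst_port) -> y
        self.in_map = {}                  # (y, dst_ip, dst_port) -> (inside_ip, x)

    def outbound(self, src, sport, dst, dport):
        """Local client -> Internet: rewrite the source to public_ip:y (step 2)."""
        key = (src, sport, dst, dport)
        y = self.out_map.get(key)
        if y is None:                     # new flow; a simple NAT would use y == sport
            y = self.next_port
            self.next_port += 1
            self.out_map[key] = y
            self.in_map[(y, dst, dport)] = (src, sport)
        return (self.public_ip, y, dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Internet -> router: reply to an existing mapping (steps 3/4) or a
        connection to a forwarded service port; anything else is dropped (None)."""
        if dst != self.public_ip:
            return None
        hit = self.in_map.get((dport, src, sport))
        if hit is not None:               # reply to an outbound flow: restore x
            return (src, sport, hit[0], hit[1])
        if dport in self.forwarding:      # unsolicited: only forwarded ports get in
            return (src, sport, self.forwarding[dport], dport)
        return None
```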
Combined Firewalls and IDS
(see also: IBM Proventia, www.iss.net)
Network Operations
* Resolve network performance issues in minutes
* Provides enterprise network visibility down to user level
* Troubleshoots network incidents at 1/3 the time of point solutions
* Analyzes NetFlow/sFlow to facilitate capacity planning and traffic engineering
Network Security
* Detects attacks that bypass signature-based, perimeter defenses
* Leverages flow data, including packet capture, to reduce security risks by 90%
* Enforces policies and assures compliance with agent-free user identity tracking
* Delivers scalable, robust security and risk management
from www.lancope.com
(also see http://users.ece.gatech.edu/~copeland/jac/lancope/index.html)