Class notes
  • Firewalls A firewall prevents specific types of information from moving between the outside world, known as the untrusted network, and the inside world, known as the trusted network. The firewall may be a separate computer system, a software service running on an existing router or server, or a separate network containing a number of supporting devices.
  • Circuit Gateways The circuit gateway firewall operates at the transport layer. Connections are authorized based on addresses. Like filtering firewalls, circuit gateway firewalls do not usually look at data traffic flowing between one network and another, but they do prevent direct connections between one network and another. They accomplish this by creating tunnels connecting specific processes or systems on each side of the firewall, and then allow only authorized traffic, such as a specific type of TCP connection for only authorized users, in these tunnels.
  • Software vs. Hardware: The SOHO Firewall Debate So which type of firewall should the residential user implement? Where would you rather defend against a hacker? With the software option, the hacker is already inside your computer, battling with a piece of software that may not have been correctly installed, configured, patched, upgraded, or designed. If the software has a known vulnerability, the hacker can bypass it and then have unrestricted access to your system. With the hardware device, even if the hacker manages to crash the firewall, your computer and information are still behind the now disabled connection; the computer typically holds a private, non-routable address behind the device's address translation, which makes it very hard to reach directly from the outside.
  • Content Filters A content filter is a software filter—technically not a firewall—that allows administrators to restrict access to content from within a network. It is essentially a set of scripts or programs that restricts user access to certain networking protocols and Internet locations, or restricts users from receiving general types or specific examples of Internet content. Some refer to content filters as reverse firewalls, as their primary focus is to restrict internal access to external material. In most common implementation models, the content filter has two components: rating and filtering. The rating is like a set of firewall rules for Web sites, and is common in residential content filters. The filtering is a method used to restrict specific access requests to the identified resources, which may be Web sites, servers, or whatever resources the content filter administrator configures. The most common content filters restrict users from accessing Web sites with obvious non-business related material, such as pornography, or deny incoming spam e-mail.

Transcript

  • 1. Internet Security
    • Background on Internet technologies and protocols
      • LANs and WANs
      • IP Addressing, DNS
      • OSI model
      • TCP/IP, UDP
    • Attacks
    • Firewalls
  • 2. Background on Internet Technologies
    • Evolution of Networking
      • Batch Environment - 1950s
        • no direct interaction between users and their programs during execution
      • Time Sharing - 1960s
        • dumb terminals were connected to a central computer system
        • Users were able to interact with the computer and could share its information processing resources
        • Marked the beginning of computer communications
      • Distributed Processing: use of minicomputers - 1970s
        • Users demanded computing closer to their work areas
        • Communication between neighbor processors and applications via networks
      • WAN and LAN- 1980s
  • 3. LANs
    • collection of hosts connected by a high speed network
    • designed and developed for communications and resource sharing in a local work environment (room, campus, building)
    • users can access other networks via bridges and gateways
    [Figure: a LAN with PC 1, PC 2, ..., PC n, a printer and a file server sharing one network]
  • 4. WANs and Internetworks
    • span a large geographic area, cross public property
    • often based on services provided by 3rd party companies, use telephone networks for transmission from one node to another
    • can be used to connect several LANs together
    • Routers attached to each LAN filter the network traffic to and from the WAN
    • LANs can also be connected by special modems or dedicated leased lines
    [Figure: a LAN (PC 1, PC 2, ..., PC n and a file server) connected through a router to the internetwork]
  • 5. Routers
    • Special purpose computers used for interconnecting networks
    • Essentially a router receives messages originating from one network and sends (routes) them to the other network
    • The process of selecting a network over which to send a message is called routing
    • Ex: computers X and Y can communicate via routers R1, R2 and R3
  • 6. An example
    [Figure: hosts X and Y communicating through routers R1, R2 and R3]
  • 7. Internet
    • The global Internet consists of thousands of computer networks interconnected by routers.
    • Internet appears as a single, seamless communication system to which many computers can attach.
      • each computer is assigned an address
      • any computer can send a message to any other computer
  • 8. Client/Server System
    • a type of network that connects a user’s computer (client) to one or more host computers (servers)
    • Server
      • a computer that offers services
        • server provides services like receiving and executing instructions, sending results
        • Web server, e-mail server, ftp server, ..
      • server runs continuously, waiting for clients’ requests
    • Client
      • a computer that uses these services
      • A client addresses a request to a server, which replies accordingly
    • Issues
      • availability, reliability, performance, control
  • 9. Transmission Capacity
    • Transmission rate is measured in bits per second (bps); the analog bandwidth of a channel is measured in cycles per second (Hertz)
    • Multiplexing: many signals can be sent on a single physical channel
    • Based on the physical medium
      • twisted wire pair, coaxial cable, fiber optic cable, satellite transmission, microwave
      • Dial-up access, Leased circuits, Cable modem, DSL technologies,Wireless access
  • 10. Packet Switching
    • A message is not sent as a single unit, but broken down into small packets that are transmitted individually
    • Each packet has a header that contains information about the source, the destination and the packet number
    • Packets may travel on different routes
    • They may even arrive at the destination out of order
    • Good for data communication
  • 11. Packet Switches
    • A WAN is constructed from many switches
    • A switch moves packets from one connection to the other
    • A switch is a dedicated computer, with two types of connections
      • High-speed connections with other switches; they can be: leased phone lines, optical fibers, microwave, satellite.
      • Low-speed connection: used to connect with an individual computer, or a LAN.
  • 12. Switched Network
    [Figure: three switches joined by high speed connections]
  • 13. Internet2 (http://www.internet2.edu/)
    • Is a high speed network that enables communications 100 - 1000 times faster than today’s internet
    • Rutgers, which is part of the Internet2 consortium, has launched RUNet 2000 ($100million)
    • Operates at 10 Gbps (compare with the fastest modems then available, on the order of Mbps), about 15,000 times faster than a typical home broadband connection
    • Developed by academic and research community: more than 205 universities, NSF, NIH, NASA,.., IBM,DEC,Cisco, Sun, MCI, Sprint, ..
    • In Europe: European Union-funded network, TEN-34 was launched (initially 34Mbps, will later reach 155Mbps)
    • designed to provide a range of broadband network applications: collaborative research, distance learning, video-conferencing, remote medical consultation and diagnoses
  • 14. Internet2 (cont’d)
    • Current telephone uses circuit switching where a piece of network entirely dedicated to a call
    • In contrast, information over Internet is broken down into small data packets, and the packets navigate from junction to junction (routers)
    • Aim of Internet2 is to install “gigapops” (gigabit capacity point of presence) capable of routing packets more quickly through the network (by launching a gigabit switch router to support speeds of 10Gbps)
    • With current Internet, real-time images have the same priority as email; Internet2 will be able to distinguish these two (Current IP is democratic)
    • Although Internet2 is being developed for universities and research labs, in next 5 years it may reach homes (for $30/month with 10Mbps)
  • 15. IP Addressing
    • Every host on the Internet has a unique IP address.
    • IPv4 (the version in use now) has 32 bits for an address. How many hosts total? 2^32 = 4,294,967,296.
    • 32 bits must be divided into a Network portion and a Host portion.
    • Typically written in a "dotted decimal" form: 128.6.10.4 In this case, the network portion is 128.6 The host portion is 10.4
  • 16. IP Addressing (cont’d)
    • How to divide up the addresses ?
    • Four Classes of IP addresses:
      • 1. Class A: First bit is 0, next 7 bits define the network, last 24 bits define the hosts. 128 networks with 16,777,216 addresses each (the all-zeros and all-ones host addresses are reserved, so 16,777,214 usable hosts).
      • 2. Class B: First two bits are 1 0, next 14 bits define the network, last 16 bits define the hosts. 16,384 networks with 65,536 addresses (65,534 usable hosts) each.
      • 3. Class C: First three bits are 1 1 0, the next 21 bits define the network, last 8 bits define the host. 2,097,152 networks with 256 addresses (254 usable hosts) each.
      • 4. Class D (Multicast): First four bits are 1 1 1 0, the remaining 28 bits define a multicast group address (224.0.0.0 - 239.255.255.255). Addresses starting 1 1 1 1 (Class E) are reserved.
  • 17. IP Addressing (cont’d)
        • For a network with a large number of hosts (e.g. Class B networks), we can divide the hosts into subnetworks using a subnet mask .
        • The subnet mask indicates which of the 32 bits should be considered the network portion and which should be considered the host portion.
        • A common subnet mask is: 255.255.255.0 meaning the first 24 bits define the network and the last 8 bits define the host.
        • Special IP address: 127.0.0.1, the loopback address, called "localhost"; traffic sent to it never leaves the host
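    The classful decoding and subnet-mask arithmetic above, as an added example (not code from the slides): the leading bits give the class, the mask splits an address into network and host portions, and the host-bit count gives the number of usable hosts. The addresses and masks used are the slides' own examples; everything else is standard-library code.

```python
# Added example (not part of the slides): classful decoding and subnet-mask
# arithmetic for IPv4 addresses, using only the standard library.
import ipaddress
from typing import Tuple

def ip_to_int(addr: str) -> int:
    """Dotted decimal -> 32-bit integer; raises ValueError on malformed input."""
    return int(ipaddress.IPv4Address(addr))

def int_to_ip(n: int) -> str:
    return str(ipaddress.IPv4Address(n))

def ip_class(addr: str) -> str:
    """Classful designation from the leading bits of the first octet:
    0xxx -> A, 10xx -> B, 110x -> C, 1110 -> D (multicast), 1111 -> E (reserved)."""
    first = ip_to_int(addr) >> 24
    if first & 0x80 == 0:
        return "A"
    if first & 0xC0 == 0x80:
        return "B"
    if first & 0xE0 == 0xC0:
        return "C"
    if first & 0xF0 == 0xE0:
        return "D"
    return "E"

def classful_prefix(addr: str) -> int:
    """Natural (classful) network prefix length: 8, 16 or 24 bits."""
    cls = ip_class(addr)
    if cls not in ("A", "B", "C"):
        raise ValueError(f"class {cls} addresses have no network/host split")
    return {"A": 8, "B": 16, "C": 24}[cls]

def mask_prefix_len(mask: str) -> int:
    """Prefix length of a dotted-decimal subnet mask; a non-contiguous mask such as
    255.0.255.0 is rejected (ipaddress raises NetmaskValueError, a ValueError)."""
    return ipaddress.IPv4Network(("0.0.0.0", mask)).prefixlen

def split_network_host(addr: str, mask: str) -> Tuple[str, str]:
    """(network portion, host portion) of addr under mask, both dotted decimal.
    128.6.10.4 with 255.255.0.0 -> ("128.6.0.0", "0.0.10.4")."""
    mask_prefix_len(mask)                        # validate the mask first
    a, m = ip_to_int(addr), ip_to_int(mask)
    return int_to_ip(a & m), int_to_ip(a & ~m & 0xFFFFFFFF)

def usable_hosts(mask: str) -> int:
    """Host addresses per subnet, excluding the all-zeros (network) and
    all-ones (broadcast) addresses; 0 for /31 and /32."""
    host_bits = 32 - mask_prefix_len(mask)
    return max((1 << host_bits) - 2, 0)

def same_subnet(a: str, b: str, mask: str) -> bool:
    """True if a and b share the network portion; a host uses this test to decide
    whether to deliver directly or hand the packet to its router."""
    m = ip_to_int(mask)
    return (ip_to_int(a) & m) == (ip_to_int(b) & m)

if __name__ == "__main__":
    for addr in ("10.1.2.3", "128.6.10.4", "192.168.1.1", "224.0.0.1"):
        print(addr, "is class", ip_class(addr))
    print(split_network_host("128.6.10.4", "255.255.255.0"), usable_hosts("255.255.255.0"))
```

    The mask validation matters in practice: a filter rule written with a mistyped, non-contiguous mask silently matches a different set of hosts than intended, so reject it rather than compute with it.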
  • 18. Domain Name Services
    • Each host on the Internet has its own unique IP address - Who can remember all of them ?
    • DNS gives us a means to map an IP address to a "host name" and vice versa.
    • Host names are typically broken down into three to five labels:
      • 1. A geographic (e.g. country) designation is given at the "highest level":
        • uk us ca au fr it de zw
      • 2 . An organizational designation may be in place of geographic but can also appear in combination:
        • com edu gov mil org net
      • 3. The next level down in the "organizational" level:
        • rutgers microsoft pizzahut planetreebok
      • 4. Within an organization, there may be several individual hosts, each with their own name:
        • CIMIC andromeda
  • 19. Domain Name Services (cont’d)
    • These parts are assembled from right to left:
      • andromeda.rutgers.edu
      • www.microsoft.com
      • psych.leeds.ac.uk
      • www.whitehouse.gov
    • Resolving Internet Names using DNS
      • Most commonly used IP and host name pairs are kept in a hosts file. See /etc/hosts
      • If the name is not in the hosts file, the configured (primary) DNS server is consulted.
      • UDP is used to send a DNS Query message to the designated Name Server on port 53 (TCP is used when a reply is too large for a UDP datagram).
      • Resolution follows the name hierarchy: e.g. for host names ending in rutgers.edu, a local Rutgers DNS server can answer directly.
  • 20. Domain Name Services (cont’d)
    • If not found at a local DNS server, additional secondary DNS servers are checked until one of the following happens:
        • 1. The connection times out,
        • 2. The request exceeds a predefined hop count, or
        • 3. The list of DNS servers is exhausted
    • Look at: /etc/resolv.conf on UNIX systems. In Windows, look at the properties of the TCP/IP protocol.
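    The DNS query/response exchange described on these three slides, as an added example (not code from the slides): the query is built by hand in the wire format a resolver sends to UDP port 53, and the reply is parsed, including the name-compression pointers real servers use. The reply bytes are constructed locally so the example runs offline; the names and the address 128.6.10.4 are the slides' own.

```python
# Added example (not part of the slides): hand-built DNS query and a parser
# for the reply, exercising the message format carried over UDP port 53.
# The reply bytes are constructed locally for the example; nothing is sent.
import random
import struct
from typing import Dict, List, Tuple

TYPE_A = 1
CLASS_IN = 1

def encode_name(name: str) -> bytes:
    """'andromeda.rutgers.edu' -> b'\\x09andromeda\\x07rutgers\\x03edu\\x00'"""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name: str, txid: int) -> bytes:
    """12-byte header (flags 0x0100 = recursion desired) plus one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)

def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name at off. Returns (name, offset just past
    the name as it appears in the message, not past any pointer target)."""
    labels: List[str] = []
    end, jumped, hops = off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                # compression pointer, RFC 1035 4.1.4
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:                        # pointer loops are a classic parser DoS
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_response(msg: bytes, expected_txid: int) -> Dict:
    """Parse header, question and answer sections; A records become dotted decimal."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: reply is not for our query")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off = 12
    questions = []
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((qname, qtype, qclass))
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        value = ".".join(str(b) for b in rdata) if (rtype == TYPE_A and rdlen == 4) else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"rcode": flags & 0x000F, "questions": questions, "answers": answers}

def build_sample_response(query: bytes, ip: str, ttl: int = 3600) -> bytes:
    """Constructed reply for the example: echoes the question and answers with one
    A record whose owner name is a pointer (0xC00C) to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    rdata = bytes(int(x) for x in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + rdata
    return header + query[12:] + answer

def resolve_offline(name: str, ip: str) -> str:
    """Query/response round trip against the constructed responder above."""
    txid = random.randrange(0x10000)
    reply = build_sample_response(build_query(name, txid), ip)
    return parse_response(reply, txid)["answers"][0][3]

if __name__ == "__main__":
    print(resolve_offline("andromeda.rutgers.edu", "128.6.10.4"))   # 128.6.10.4
```

    The transaction-id check is the only thing tying a UDP reply to the query that caused it, and the field is 16 bits wide; an attacker who can guess it can answer before the real server does. Real resolvers therefore also randomize the source port and check that the question section matches what they asked. The hop limit in decode_name guards against a reply whose pointers chase each other forever.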
  • 21. The Structure of WWW
    • A global collection of hypertext pages stored on Internet hosts.
      • Hypertext - Text documents that allow non-linear reading through hypertext links.
      • Normally we read a book in a linear fashion. Page 1, then Page 2, etc.
      • With hypertext, we follow our curiosity by skipping around the document(s) using hypertext links.
        • Hypertext is made up of three distinct parts:
          • Text Pages - The text you read.
          • Anchors - The starting point for a link.
          • Links - A pointer to another text page.
  • 22. WWW (cont’d)
    • URL - Uniform Resource Locator. The address of a hypertext page or other Internet resource.
    • HTML - The HyperText Markup Language. The language used to create hypertext pages for use on the WWW.
    • WWW Browser - A program capable of displaying hypertext pages and navigating the WWW by allowing users to select hypertext links. Examples:
      • Netscape Navigator , NCSA Mosaic, Microsoft Internet Explorer, Mozilla
    • WWW Server - A daemon program (httpd) that responds to requests from a WWW Browser by sending it HTML hypertext pages.
  • 23. The WWW Client/Server Model
    • WWW Servers are Servers
    • The request protocol used for WWW pages is HTTP - The HyperText Transfer Protocol.
      • 1. HTTP is an application layer protocol.
      • 2. Uses TCP/IP to make a connection.
      • 3. Issues a GET request for a URL.
      • 4. The server returns the HTML page (or other content).
    • Other protocols can also be used within a WWW Browser:
      • FTP - File Transfer Protocol
      • E-Mail
      • Telnet
  • 24. URL’s
    • Uniform Resource Locators
      • A three part name for a WWW or Internet resource: protocol://hostname/filename
        • 1. Protocol (scheme): The application layer protocol used to access the resource. Examples: HTTP, FTP, GOPHER, MAILTO
        • 2. Host Name: The name of the host (or IP address) where the resource is located.
        • 3. File Name: The directory and file name of the resource.
        • URL Examples
  • 25. Communication Architecture
    • Why do we need?
      • Communication systems involve heterogeneous technologies
      • change rapidly
      • they are complex (addressing, routing, multiplexing, error control, …)
    • How to cope with the above?
      • modularization
      • standardization
    • The International Organization for Standardization (ISO) developed the Open Systems Interconnection (OSI) reference model (work began in the late 1970s; published as ISO 7498 in 1984)
  • 26. OSI Reference Model
    • Consists of seven layers
    • Each layer provides a set of functions to the layers above and relies on the functions provided by the layers below
    • Each layer communicates with its peer layer on the other node ( protocols )
    • The layer boundaries ( interfaces ) should be designed in such a way as to minimize the information flow between the boundaries
    • The main idea is to have independent standards for different layers so that changes to one would not cause changes in other layers
  • 27. OSI Reference Model (cont’d)
    +--------------+                         +--------------+
    | application  |<----------------------->| application  |
    +--------------+                         +--------------+
    | presentation |<----------------------->| presentation |
    +--------------+                         +--------------+
    | session      |<----------------------->| session      |
    +--------------+                         +--------------+
    | transport    |<----------------------->| transport    |
    +--------------+       +---------+       +--------------+
    | network      |<----->| network |<----->| network      |
    +--------------+       +---------+       +--------------+
    | data link    |<----->|data link|<----->| data link    |
    +--------------+       +---------+       +--------------+
    | physical     |<----->|physical |<----->| physical     |
    +--------------+       +---------+       +--------------+
    (end systems on the left and right; the intermediate node, a router, implements only the lower three layers)
  • 28. OSI Reference Model (cont’d)
    [Figure: User A and User B each with the seven layers (application, presentation, session, transport, network, data link, physical) joined by the physical medium; application through transport are the higher level protocols, network through physical the lower level protocols]
  • 29. Physical Layer
    • The physical layer defines electrical signaling on the transmission channel; how bits are converted into electrical current, light pulses or any other physical form
    • Specific functions
      • connection establishment and termination
      • encoding and transmission of bits
      • Repeating or amplification to increase the range of transmission
  • 30. Data Link Layer
    • Specifies how to organize data into frames, and how to transmit frames over a single link. For example, defined in this layer are:
      • maximum frame size,
      • format of the frame header,
      • checksum computation
    • Defines how the network layer packets are transmitted as bits
    • Examples of data link layer protocols
      • PPP (Point to Point Protocol)
      • Ethernet framing protocol
    • Bridges (and Ethernet switches) work at this layer only
    • Other functions
      • Framing and Error detection
        • transmission might get corrupted, bits may be lost (parity, checksum)
        • may lose connection
      • Flow control
        • may send data too fast for a modem
        • data might get delayed a long time in the network
  • 31. The Network Layer
    • Specifies how addresses are formed (IP addresses)
    • How packets are forwarded (store and forward technique)
    • Delivers packets from sending computer to receiving computer (host-to-host)
    • Defines how information from the transport layer is sent over networks and how different hosts are addressed
    • Example of a network layer protocol: the Internet Protocol
    • Device that takes care of the network level functions is router or sometimes a gateway
    • Functions
      • Addressing: Determines which machine to send the packet to
      • Routing: Determines the best set of links
      • Congestion Control: Routes the packets via a different route if one intermediate node gets flooded with packets
  • 32. IP address is different from physical address (the MAC address of the interface; ARP maps an IP address to the MAC address on the local network)
  • 33. The Transport Layer
    • Handles details of reliable transfer
      • format of acknowledgements, retransmission timers and the rules for adjusting them
    • Essentially, takes care of data transfer, ensuring the integrity of data if desired by the upper layers
    • Provides end-to-end delivery
    • Functions:
      • establishing and terminating connection
      • flow control
      • error detection and correction
      • multiplexing
    • TCP and UDP operate at this layer
  • 34. The Session Layer
    • Specifies how to establish a communication with a remote system e.g.: telnet
      • authentication details; e.g.: passwords
    • Establishes and terminates connections and arranges sessions to logical parts
    • Provides a means of controlling the dialogue between two end users
      • Dialogue management (half versus full duplex)
      • Synchronization and recovery management
    • This layer is not often used in existing systems
    • TCP and RPC provide some functions at this layer
  • 35. The Presentation Layer
    • Specifies how to represent data
      • Takes care of data type conversion
        • Different computers use different internal representations (e.g. ASCII vs. EBCDIC for characters, different byte orders for integers);
        • How to translate from one representation to another
    • An example of protocol residing at this layer: XDR (External Data Representation), which is used by RPC applications to provide interoperability between heterogeneous computer systems
    • Presentation layer functions are, in most systems, handled elsewhere in the network protocols
  • 36. The Application Layer
    • Specifies how one particular application uses a network
      • Specifies request format (how to name a file) and how the application on another machine responds.
    • Defines the protocols to be used between the application programs
    • Examples of protocols at this layer are: protocols for electronic mail (e.g. SMTP), file transfer (e.g. FTP), remote login (e.g. TELNET), directory lookup, and HTTP
  • 37. How layered software works?
    • Each layer solves one part of the problem
    • To do so, each layer on the sending computer adds information to the outgoing data
    • The same layer in the receiving computer uses the additional information to process the data (for example: checksums in the data link layer)
  • 38. How layered software works?
    • Layering Principle:
    • Layer N software on the destination computer, must receive the exact message sent by layer N software on the sending computer.
    • For example
      • if one layer adds a header, the corresponding layer has to remove it.
      • If one layer encrypts data, the receiving computer layer has to decrypt it.
  • 39. Once Again, The purpose of Layers
    • Each layer can be:
      • Designed
      • Implemented
      • Tested
    • independently of other layers.
    • Each Layer can change and evolve independent of other layers
  • 40. Applications
    • Electronic mail
    • File transfers (FTP)
    • Remote login (TELNET, rlogin)
    • Chat
    • Bulletin boards and Network News
    • Commerce
    • Network news
    • Networked information discovery and retrieval tools
    • Fax over the Internet
    • Games
    • … .
  • 41. TCP/IP Protocol Stack: Basic protocols
    • Layers 5-7: TELNET, FTP, SMTP, HTTP, ...
    • Layer 4: TCP, UDP
    • Layer 3: IP
    • Layer 2: Ethernet, Token-ring, ATM, PPP, ...
  • 42. TCP/IP Protocol Stack: Infrastructure and Security protocols
    • Layers 5-7: TELNET, FTP, SMTP, HTTP, ...; routing and naming protocols: RIP (over UDP), BGP (over TCP), EGP (directly over IP), DNS (over UDP/TCP); SSL sits between the application and TCP
    • Layer 4: TCP, UDP
    • Layer 3: IP, ICMP, IPSEC
    • Layer 2: Ethernet, Token-ring, ATM, PPP, ...; ARP and RARP sit between layers 2 and 3
    • ICMP: Internet Control Message Protocol, ARP: Address Resolution Protocol, RARP: Reverse Address Resolution Protocol, DNS: Domain Name Service, RIP: Routing Information Protocol, BGP: Border Gateway Protocol, EGP: Exterior Gateway Protocol, SSL: Secure Sockets Layer
  • 43. TCP/IP(Transmission Control Protocol/Internet Protocol)
    • TCP/IP is the basic communication protocol of the Internet
      • Protocol: the special set of rules for communicating that the end points in a telecommunication connection use when they send signals back and forth.
        • TCP , IP , HTTP, FTP, and other protocols, each with defined set of rules to use with other Internet points relative to a defined set of capabilities.
  • 44. TCP/IP(Cont’d)
    • TCP:
      • manages the assembling of a message into packets that are transmitted over the Internet and received by a TCP layer that reassembles the packets into the original message.
        • A packet is the unit of data that is routed between an origin and a destination on the Internet or any other packet-switched network
    • IP
      • handles the address part of each packet so that it gets to the right destination.
  • 45. TCP/IP(Cont’d)
    • Uses the client/server model of communication
    • Communication is primarily point-to-point:
      • Each communication is from one point (or host computer) in the network to another point or host.
    • Higher layer application protocols that use TCP/IP to get to the Internet
      • Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Telnet (Telnet), and the Simple Mail Transfer Protocol (SMTP).
  • 46. TCP
    • Adds Port Numbers , packet Sequence Numbers , Acknowledgement Numbers and other fields to IP addresses
      • A Port number refers to a specific application running on a host. e.g. SMTP uses Port 25 while Telnet uses Port 23.
    • TCP Header format
      • source port number
        • source IP address + source port number is a socket: uniquely identifies sender
      • destination port number
        • destination IP address + destination port number is a socket: uniquely identifies receiver
      • SYN, ACK flags
      • sequence number
      • acknowledgement number
  • 47. TCP (cont’d)
    • Result is a TCP/IP "stream" - a connection established using a handshake, with error detection/control through positive acknowledgement.
      • Three-way handshake :
        • 1. A sends a SYN message to B - I'd like to set up a connection and I will start with sequence number s
        • 2. B Replies with a SYN and ACK message to A - Yes I will talk to you.
        • 3. A sends an ACK message to B along with the first piece of data - I got your ACK so here's the start of my data.
    initiator                             responder
        SYN(A)               ------------>
                             <------------  SYN(B), ACK(A)
        ACK(B)               ------------>
  • 48. TCP (cont’d)
    • Useful for when error correction is required and connection will last a long time (e.g. large data transfer).
    • Large data is broken into segments and sent separately. Segments can arrive in any order; the receiver reorders them by sequence number and discards duplicates.
    • Provides flow control.
  • 49. User Datagram Protocol (UDP)
    • Adds Port Numbers to IP addresses
      • A Port number refers to a specific application running on a host. e.g. SMTP uses Port 25 while Telnet uses Port 23.
    • UDP header format
      • source port number
        • source IP address + source port number is a socket: uniquely identifies sender
      • destination port number
        • destination IP address + destination port number is a socket: uniquely identifies receiver
    • Also an optional Checksum - Error checking
    • No handshaking or error control
    • Also called a "Connectionless" protocol
    • Often referred to as "Unreliable" - meaning the protocol offers no error control the application can rely on; lost or reordered datagrams are the application's problem
    • Useful for situations where overhead is a concern. Small data requests such as queries, etc.
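    The UDP header and its optional checksum, as an added example (not code from the slides): a datagram is built with the RFC 768 checksum, which is the RFC 1071 ones'-complement sum over an IPv4 pseudo-header (source and destination addresses, protocol, length) plus the UDP header and payload, and the receiver verifies it. Addresses, ports and payload are constructed for the example; nothing is transmitted.

```python
# Added example (not part of the slides): a UDP datagram built with the RFC 768
# checksum (RFC 1071 ones'-complement sum over the IPv4 pseudo-header, UDP header
# and payload) and verified on receipt. Addresses, ports and payload are
# constructed for the example; nothing is transmitted.
import ipaddress
import struct

UDP_PROTO = 17

def internet_checksum(data: bytes) -> int:
    """RFC 1071: ones'-complement of the 16-bit ones'-complement sum of data."""
    if len(data) % 2:
        data += b"\x00"                          # pad an odd trailing byte (for the sum only)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                           # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    """IPv4 pseudo-header: source, destination, zero, protocol, UDP length.
    Including the addresses binds the checksum to the endpoints, so a datagram
    delivered to the wrong host fails verification."""
    return (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, UDP_PROTO, udp_len))

def build_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Sender side: 8-byte header (source port, destination port, length, checksum) + payload."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)   # checksum field is zero while summing
    ck = internet_checksum(pseudo_header(src_ip, dst_ip, length) + header + payload)
    if ck == 0:
        ck = 0xFFFF              # RFC 768: 0 on the wire means "no checksum", so send all ones instead
    return struct.pack("!HHHH", sport, dport, length, ck) + payload

def verify_udp(src_ip: str, dst_ip: str, datagram: bytes) -> bool:
    """Receiver side: the sum over pseudo-header + datagram (checksum field included)
    must come out all ones, i.e. its complement must be zero."""
    if len(datagram) < 8:
        return False
    _sport, _dport, length, ck = struct.unpack("!HHHH", datagram[:8])
    if length != len(datagram):
        return False
    if ck == 0:
        return True              # sender opted out (permitted for UDP over IPv4, not IPv6)
    return internet_checksum(pseudo_header(src_ip, dst_ip, length) + datagram) == 0

def corrupted(datagram: bytes, index: int, mask: int = 0x01) -> bytes:
    """Flip bits of one byte to model damage in transit."""
    b = bytearray(datagram)
    b[index] ^= mask
    return bytes(b)

if __name__ == "__main__":
    src, dst = "128.6.10.4", "128.6.4.2"
    d = build_udp(src, dst, 40000, 53, b"constructed DNS-like payload")
    print(verify_udp(src, dst, d), verify_udp(src, dst, corrupted(d, 12)), verify_udp(src, "128.6.4.3", d))
```

    The checksum is an integrity check against accidental corruption only: anyone who can forge the datagram can recompute it, which is why the slides list spoofing and forgery as attacks this layer cannot stop.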
  • 50. TCP/UDP Port Numbers and Services
      • TCP and UDP add Port Numbers to the IP addresses.
      • Each port corresponds to a specific application or service.
      • Ports 0 - 1023 are generally considered privileged ports . That is, on UNIX systems, one needs root privileges to bind a service to these ports.
      • From 1024 upward, any port number can be used by an ordinary process.
      • The Internet Assigned Numbers Authority (IANA) registers the standard (well-known) port numbers.
  • 51. TCP/UDP Port Numbers and Services (cont’d)
    • The following are some well known services and their assigned port numbers.
      Service      Port   Protocol
      Day Time      13    TCP/UDP
      FTP           21    TCP
      Telnet        23    TCP
      SMTP Mail     25    TCP
      DNS           53    UDP (TCP for zone transfers and large responses)
      HTTP/WWW      80    TCP
  • 52. Internet Security
    • Background on Internet technologies and protocols
      • LANs and WANs
      • IP Addressing, DNS
      • OSI model
      • TCP/IP, UDP
    • Attacks
    • Firewalls
      • benefits, limitations
      • various types
  • 53. Attacks
    • Public, private, and government networks have been penetrated by unauthorized users and rogue programs
    • Increased volume of security breaches
    • Computer Emergency Response Team (CERT) reports a tremendous increase in cracking incidents
    • Insider attack
      • The insider is already an authorized user
      • insider acquires privileged access
        • exploiting bugs in privileged systems programs
        • exploiting poorly configured privileges
      • install backdoors/trojan horses to facilitate subsequent acquisition of privileged access
      • Exploitation of software bugs
    • Outsider attack
      • acquire access to an authorized account
      • perpetrate an insider attack
  • 54. Attacks
    • outsider/insider attack
      • password-based attacks
      • attacks that exploit trusted access
      • spoof network protocols to effectively acquire access to an authorized account (IP spoofing)
        • Unauthorized access to resources
        • Disclosure, modification, and destruction of resources
        • Compromised system used as hostile attack facility
        • Masquerade as authorized user or end system
        • E-Mail forgery
        • Importation of malicious or infected code
      • Session hijacking
      • Network sniffing/packet sniffing
        • User IDs, passwords, and other information are often stolen on Internet
    • Denial of service attack
      • flooding network ports
  • 55. Attacks
    • Infrastructure attacks
      • router attacks
        • modify router configurations
      • domain name server attacks
      • internet service attacks
        • web sites, ftp archives
  • 56. Contributing Factors
    • Lack of awareness of Internet threats and risks
      • Security measures are often not considered until an Enterprise has been penetrated by malicious users
    • Wide-open network policies
      • Many Internet sites allow wide-open Internet access
    • Vast majority of Internet traffic is unencrypted
      • Network traffic can be monitored and captured
    • Lack of security in TCP/IP protocol suite
      • Most TCP/IP protocols not built with security in mind
      • Work is actively progressing within the Internet Engineering Task Force (IETF)
    • Complexity of security management and administration
    • Exploitation of software (e.g., protocol implementation) bugs
      • Example: Sendmail bugs
    • Cracker skills keep improving
  • 57. Who is perpetrating these attacks?
    • People with lots of free time
    • Former/disgruntled employees
    • Current/disgruntled employees
    • Current/former/disgruntled customers
    • Governments
  • 58. TCP SYN Flooding attack
    • TCP 3 way handshake
      • send SYN packet with random IP source address
      • return SYN-ACK packet is lost
      • this half open connection stays for a fairly long period of time
    • Denial of service attack
    • Basis for IP spoofing attack
    initiator                             responder
        SYN(A)               ------------>
                             <------------  SYN(B), ACK(A)
        ACK(B)               ------------>
  • 59. SYN Flooding
    • Upper limit of how many concurrent SYN requests TCP can process for a given socket (called the backlog)
    • length of the queue where incoming (as yet incomplete) connections are kept
    • Queue limit applies to both
      • the number of incomplete connections (the 3-way handshake is not complete)
      • the number of completed connections that have not been pulled from the queue by the application by way of the accept() system call.
    • If backlog limit reached, TCP silently discards all incoming SYN requests until the pending connections can be dealt with
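    The three-way handshake of slide 47 and the backlog behaviour of slides 58-59, as an added example (not code from the slides): a small model of a listener that keeps one half-open entry per unanswered SYN-ACK, fed first by SYNs from addresses that never reply and then by a legitimate client. As a caveat the slides do not cover, the same model with SYN cookies shows how a listener can drop the half-open table altogether. Addresses, ports and ISNs are constructed; timeouts and retransmissions are deliberately left out.

```python
# Added example (not part of the slides): a model of a TCP listener's handshake
# state and its backlog queue. It shows how SYNs from unreachable (spoofed)
# sources fill the half-open queue until a legitimate SYN is silently dropped,
# and how a stateless SYN-cookie listener keeps accepting. Addresses, ports and
# ISNs are constructed for the example; timeouts and retransmissions are left out.
import hashlib
import hmac
import os
import random
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

MOD = 1 << 32

@dataclass
class Segment:
    src: str                  # peer "ip:port"
    seq: int
    ack: int = 0
    syn: bool = False
    ack_flag: bool = False

@dataclass
class Listener:
    """Classic listener: one half-open entry per unanswered SYN-ACK."""
    backlog: int
    isn: int = 0
    half_open: Dict[str, Tuple[int, int]] = field(default_factory=dict)   # src -> (our ISN, their ISN)
    established: Dict[str, Tuple[int, int]] = field(default_factory=dict)
    dropped_syns: int = 0

    def next_isn(self) -> int:
        self.isn = (self.isn + 64_000) % MOD      # the +64,000 per connection of old BSD stacks
        return self.isn

    def on_segment(self, seg: Segment) -> Optional[Segment]:
        if seg.syn and not seg.ack_flag:                       # step 1: SYN arrives
            if len(self.half_open) >= self.backlog:
                self.dropped_syns += 1                         # queue full: SYN silently discarded
                return None
            our_isn = self.next_isn()
            self.half_open[seg.src] = (our_isn, seg.seq)
            return Segment("server", our_isn, (seg.seq + 1) % MOD, syn=True, ack_flag=True)  # step 2
        if seg.ack_flag and not seg.syn and seg.src in self.half_open:   # step 3: ACK arrives
            our_isn, their_isn = self.half_open[seg.src]
            if seg.ack == (our_isn + 1) % MOD and seg.seq == (their_isn + 1) % MOD:
                del self.half_open[seg.src]
                self.established[seg.src] = (our_isn, their_isn)
            # a wrong ACK leaves the entry half-open (a real stack would also send RST)
        return None

@dataclass
class CookieListener(Listener):
    """SYN cookies: no half-open state. Our ISN is a MAC of the peer's address and
    ISN under a secret, so a valid third-step ACK proves the peer saw our SYN-ACK."""
    secret: bytes = field(default_factory=lambda: os.urandom(16))

    def cookie(self, src: str, their_isn: int) -> int:
        mac = hmac.new(self.secret, f"{src}|{their_isn}".encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_segment(self, seg: Segment) -> Optional[Segment]:
        if seg.syn and not seg.ack_flag:
            return Segment("server", self.cookie(seg.src, seg.seq), (seg.seq + 1) % MOD, syn=True, ack_flag=True)
        if seg.ack_flag and not seg.syn:
            their_isn = (seg.seq - 1) % MOD
            our_isn = self.cookie(seg.src, their_isn)
            if seg.ack == (our_isn + 1) % MOD:
                self.established[seg.src] = (our_isn, their_isn)
        return None

def complete_handshake(listener: Listener, src: str, client_isn: int) -> bool:
    """Legitimate client: SYN, wait for SYN-ACK, answer with the matching ACK."""
    synack = listener.on_segment(Segment(src, client_isn, syn=True))
    if synack is None:
        return False                                          # our SYN was dropped
    listener.on_segment(Segment(src, (client_isn + 1) % MOD, (synack.seq + 1) % MOD, ack_flag=True))
    return src in listener.established

def syn_flood(listener: Listener, count: int) -> None:
    """Spoofed SYNs from addresses that never answer (TEST-NET-2 here); the
    SYN-ACKs go nowhere and the third step never happens."""
    for i in range(count):
        src = f"198.51.100.{i % 254 + 1}:{1024 + i}"
        listener.on_segment(Segment(src, random.getrandbits(32), syn=True))

def demo(listener_cls=Listener, backlog: int = 5, flood: int = 200) -> Tuple[bool, int, int]:
    """(legitimate handshake succeeded?, half-open entries, SYNs dropped) after a flood."""
    lst = listener_cls(backlog=backlog)
    syn_flood(lst, flood)
    ok = complete_handshake(lst, "128.6.10.4:51515", client_isn=123_456)
    return ok, len(lst.half_open), lst.dropped_syns

if __name__ == "__main__":
    print("classic listener:   ", demo(Listener))          # (False, 5, 196)
    print("SYN-cookie listener:", demo(CookieListener))    # (True, 0, 0)
```

    With a backlog of 5 the first five spoofed SYNs occupy the queue and every later SYN, including the legitimate one, is discarded, which is exactly the silent discard slide 59 describes. The cookie listener stores nothing until the third step arrives, so the flood costs it only the SYN-ACKs it sends; the price is that TCP options carried in the SYN must be encoded into the cookie or lost, which real implementations handle with more care than this model.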
  • 60. DoS vs Distributed DoS
  • 61. IP Spoofing
    • send SYN packet with spoofed IP address
    • SYN flood real source so it drops SYN-ACK packet
    • guess sequence number and send ACK packet to target
      • target will continue to accept packets and response packets will be dropped
    initiator                             responder
        SYN(A)               ------------>
                             <------------  SYN(B), ACK(A)
        ACK(B)               ------------>
  • 62. IP Spoofing
    • First, choose the target host
    • Discover a pattern of trust, along with a trusted host
    • Disable the trusted host
    • Sample the target's TCP sequence numbers
    • Impersonate the trusted host
    • Guess the sequence numbers
    • Make a connection attempt to a service that only requires address-based authentication
    • If successful, the attacker executes a simple command to leave a backdoor
  • 63. Patterns of trust
    • After choosing a target, must determine the patterns of trust
      • It is necessary to assume the target host *does* in fact trust somebody. If it didn't, the attack ends here
    • Figuring out who a host trusts may or may not be easy
    • A 'showmount -e' may show where filesystems are exported
    • rpcinfo can give out valuable information as well
    • With sufficient background information, it should not be too difficult
    • If all else fails, trying neighboring IP addresses in a brute force effort may be a viable option
  • 64. SYN Flooding
    • The attacking host sends several SYN requests to the TCP port she desires disabled
    • The attacking host must also make sure the source IP address is spoofed to be that of another, currently unreachable host (the target TCP will send its SYN/ACKs to this address)
    • IP may inform TCP that the host is unreachable, but TCP considers these errors transient and leaves their resolution to IP (rerouting the packets, etc.), effectively ignoring them
    • IP-address must be unreachable because the attacker does not want any host to receive the SYN/ACKs that will be coming from the target TCP (this would result in a RST being sent to the target TCP, which would foil our attack).
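    The following is an added example, not part of the slides: a toy model of a listening socket's SYN backlog (the queue described on the backlog slide above) that shows why the flood on this slide must spoof an unreachable address. A completed handshake is treated as accepted immediately, so the queue only ever holds half-open entries; the hosts, ports and backlog size are constructed values.

```python
# Added example, not from the slides: a toy model of a listening TCP socket's
# SYN backlog, used to show why a SYN flood must spoof an *unreachable*
# source. A completed handshake is treated as accepted immediately, so the
# queue only holds half-open entries. Hosts, ports and the backlog size are
# constructed values.


class Listener:
    """Listening endpoint with a bounded queue of half-open connections."""

    def __init__(self, backlog, reachable):
        self.backlog = backlog        # maximum half-open entries
        self.reachable = reachable    # hosts that would answer our SYN-ACK
        self.half_open = set()        # (src, sport) still waiting for the ACK
        self.established = []         # handshakes that completed
        self.dropped = 0              # SYNs silently discarded, queue full

    def on_syn(self, src, sport, genuine=True):
        """Process one SYN. `genuine` means src really sent it and will ACK."""
        key = (src, sport)
        if len(self.half_open) >= self.backlog:
            self.dropped += 1         # no RST, no error: the SYN just vanishes
            return "dropped"
        self.half_open.add(key)       # entry queued, SYN-ACK sent to src
        if genuine:
            self.half_open.discard(key)
            self.established.append(key)
            return "established"
        if src in self.reachable:
            # src never sent a SYN, so the unexpected SYN-ACK draws a RST
            # and the half-open entry is released: the flood achieves nothing
            self.half_open.discard(key)
            return "reset"
        # black hole: any ICMP unreachable is treated as transient by TCP,
        # so the entry stays until the connection timer expires
        return "half-open"


def syn_flood(listener, spoofed_src, count):
    """Attacker sends `count` SYNs claiming to come from spoofed_src."""
    results = [listener.on_syn(spoofed_src, 40000 + i, genuine=False)
               for i in range(count)]
    return results.count("half-open")


def attack(spoofed_src, backlog=5, reachable=("10.0.0.9",)):
    """Flood with twice the backlog, then let a real client try to connect.
    Returns (entries held by the flood, fate of the real client, SYNs dropped)."""
    listener = Listener(backlog, set(reachable))
    held = syn_flood(listener, spoofed_src, count=2 * backlog)
    client = listener.on_syn("10.0.0.9", 51234)    # legitimate connection attempt
    return held, client, listener.dropped


if __name__ == "__main__":
    print("spoofing a reachable host :", attack("10.0.0.9"))    # (0, 'established', 0)
    print("spoofing a black hole     :", attack("192.0.2.77"))  # (5, 'dropped', 6)
```

    With a reachable spoofed source every SYN-ACK is answered by a RST and the queue never fills; with a black-hole source five entries sit in the queue, the remaining flood packets and the legitimate client's SYN are all discarded.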
  • 65. Sequence number sampling and prediction
    • Attacker needs to get an idea of where in the 32-bit sequence number space the target's TCP is
    • Connect to a TCP port on the target (SMTP is a good choice) just prior to launching the attack and complete the three-way handshake
    • Same as a normal connection, except that the attacker saves the Initial Sequence Number sent by the target host
    • Repeat the process several times and store the last ISN sent
    • The attacker also needs an idea of the RTT (round-trip time) between the target and her host (repeat and average)
    • Both are necessary to accurately predict the next ISN
    • From the baseline (the last ISN sent), the incrementation rate (128,000 per second and 64,000 per connection) and the datagram travel time, guess the next ISN
    • Immediately proceed to the next phase of the attack
      • If another host opens a TCP connection to the attacked port in the meantime, the predicted ISN will be off by 64,000
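    As an added example (not from the slides) of the sampling and prediction steps on this slide and the impersonation step on slide 62: the target's ISN generator below follows the 4.4BSD rule quoted above (+128,000 per second, +64,000 per connection); the seed, connection timings and RTT are constructed, and times are integer milliseconds so the arithmetic is exact. The spoofed third packet would carry the predicted ISN plus one as its ACK number.

```python
# Added example (not from the slides): a simulation of ISN sampling and
# prediction. The target's generator follows the 4.4BSD rule the slide
# quotes (+128,000 per second, +64,000 per connection); the seed, timings
# and RTT are constructed. Times are integer milliseconds to keep the
# arithmetic exact.

MOD = 1 << 32            # 32-bit sequence-number space
PER_SECOND = 128_000
PER_CONNECT = 64_000


class TargetTcp:
    """The target host's ISN generator, advanced lazily from wall-clock time."""

    def __init__(self, seed, t_ms):
        self.counter = seed % MOD
        self.last_ms = t_ms

    def new_connection(self, now_ms):
        elapsed = now_ms - self.last_ms
        self.counter = (self.counter + PER_SECOND * elapsed // 1000 + PER_CONNECT) % MOD
        self.last_ms = now_ms
        return self.counter      # the ISN carried in the target's SYN-ACK


def sample_isns(target, start_ms, count, spacing_ms):
    """Attacker opens `count` real connections (e.g. to SMTP) and records
    (time, ISN) for each completed handshake."""
    return [(start_ms + i * spacing_ms,
             target.new_connection(start_ms + i * spacing_ms))
            for i in range(count)]


def predict_isn(samples, send_ms, one_way_ms):
    """Predict the ISN the target will assign to a spoofed SYN sent at
    send_ms and arriving one_way_ms later (half the averaged RTT)."""
    last_ms, last_isn = samples[-1]
    elapsed = send_ms + one_way_ms - last_ms
    return (last_isn + PER_SECOND * elapsed // 1000 + PER_CONNECT) % MOD


def run_attack(intervening_connections=0, seed=0xFFFF_0000):
    """Return how far the prediction is from the ISN the target really uses.
    `intervening_connections` are other clients that reach the port between
    the last sample and the spoofed SYN, the case the slide warns about.
    The seed is chosen so the counter wraps around during sampling."""
    target = TargetTcp(seed, t_ms=1_000)
    samples = sample_isns(target, start_ms=1_000, count=4, spacing_ms=500)
    send_ms = samples[-1][0]          # attack launched right after sampling
    one_way_ms = 100                  # from an averaged RTT of 200 ms
    predicted = predict_isn(samples, send_ms, one_way_ms)
    for _ in range(intervening_connections):
        target.new_connection(send_ms + 50)
    actual = target.new_connection(send_ms + one_way_ms)
    # 0 means the spoofed ACK (predicted + 1) would be accepted by the target
    return (actual - predicted) % MOD


if __name__ == "__main__":
    print("no other connections   :", run_attack())                            # 0
    print("one connection slips in:", run_attack(intervening_connections=1))   # 64000
```

    The modular arithmetic matters: with the seed above the counter wraps past 2^32 between the first two samples, and a prediction that ignores the wrap would be off by the full sequence space.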
  • 66. Session Hijacking
    • Send SYN packet with spoofed source IP address and appropriate sequence number to one end
    • SYN-flood that end
    • send ACK packets to target at the other end
  • 67. Packet Sniffing
    • Shared media network
      • a program that monitors and analyzes network traffic, detecting bottlenecks and problems
      • packets can be intercepted at any point
      • login packets travelling over the Internet can be captured
      • intruder can find hostname, username, password and gain access to the system
      • can also obtain sensitive information
  • 68. Internet Security
    • Background on Internet technologies and protocols
      • LANs and WANs
      • OSI model
      • TCP/IP, UDP, DNS
    • Attacks
    • Firewalls
      • benefits, limitations
      • various types
  • 69. Internet Firewalls
    • What we need
      • Make some services available within the company such as Telnet/Rlogin and FTP between the company's hosts.
      • Disallow outside users from gaining access to the company's internal hosts via Telnet, FTP, etc.
      • Allow users within the company to access other services on the Internet such as WWW and FTP.
      • Allow users from the Internet to visit the company's WWW home pages.
      • Allow the exchange of e-mail with others on the Internet.
  • 70. But,
    • It is difficult to restrict traffic in only one direction
    • Recall that TCP sends acknowledgements back to the sender to make sure data arrives whole, so even a "one-way" service needs packets flowing in both directions.
    • What we need is a more sophisticated gatekeeper that can distinguish what services to allow and which to block.
    • The general term for this is a Firewall .
  • 71. Firewalls
    • Filter between private network and internet
    • Prevent specific types of information from moving between the outside world (untrusted network) and the inside world (trusted network)
    • May be separate computer system; a software service running on existing router or server; or a separate network containing supporting devices
  • 72. Proxy Servers
    • Proxy servers: Software servers that handle all communications originating from inside an organization
      • May improve performance considerably by caching the most frequently requested pages.
  • 73. Firewalls and Proxy Servers
  • 74. Most rudimentary firewall
    • Network adapter input filters
    • Examines
      • source or destination addresses
      • other information in the incoming packet
        • Matches IP addresses
        • port numbers for UDP and TCP
        • protocol of the traffic - TCP, UDP, and generic routing encapsulation (GRE)
    • Blocks packet or allows it through
    • Applies only to incoming traffic
    • Cannot control outgoing traffic
  • 75. Basic Internet Firewalls
    • A basic firewall is a router or host with 2 network interfaces.
      • One interface is connected to the Internet - the Host side.
      • The second is connected to the company's internal network.
    • Two overall policies:
      • Anything not explicitly denied is allowed.
      • Anything not explicitly allowed is denied.
  • 76. Benefits
    • Secure and carefully administer firewall machines to allow controlled interaction with the external internet
    • internal machines can be administered with varying degrees of care
    • the approach works in practice
  • 77. Basic Limitations
    • Connections that bypass firewall may be dangerous
    • services through firewall introduce vulnerabilities
    • insiders can exercise internal vulnerabilities
    • not possible to safely squeeze everything that users desire through a firewall
      • users settle for degraded service
      • tolerate increased vulnerability
    • performance may suffer
    • single point of failure
  • 78. Types of Firewalls
    • Packet Filtering firewall
      • IP layer
    • application gateway firewall
      • application layer
    • circuit relay firewalls
      • TCP layer
    • combinations of these
  • 79. Packet filtering firewall
    • Special software examines the network traffic (TCP, UDP and IP packets) and selectively blocks or allows IP packets
    • Each IP packet contains
      • 32 bit source IP address, 32 bit destination IP address, 8 bit protocol field, additional header fields, data
      • typically several hundred bytes long
      • an IP packet carries TCP or UDP header data
      • TCP/UDP header in data part of IP packets carries
        • 16 bit source port number, 16 bit destination port number
      • TCP header also carries
        • SYN: first packet in a TCP connection
        • ACK: packet from an existing connection
    [diagram: IP header | TCP header | application data, and IP header | UDP header | application data]
  • 80. Packet filtering firewall
    • IP packets are filtered based on
      • source IP address + source port number
      • destination IP address + destination port number
      • protocol field: TCP or UDP
      • TCP protocol flag: SYN or ACK
    • packet filtering can be very effective for simple services
    • never allow packet with source address of internal machine to enter from external internet
    [diagram: packet filtering router between the external Internet and the internal network, with the mail gateway behind it; rules: allow only packets with source address Mail gateway; allow only packets with destination address Mail gateway, destination port 25; allow only TCP ACK packets with source port 25 to destination port 1023]
  • 81. Packet Filtering Firewall
  • 82. Packet filtering firewall
    • Example: Drop any TCP/IP packets coming from the Internet to port 23 (Telnet) of any internal host.
    • The allow/deny policy lists must be maintained and grow quite complex.
    • Assume company LAN uses IP addresses: 200.10.10.*
    • Asterisk (*) means "any"
    Source IP      Source Port   Destination IP   Destination Port   Allow?
    200.10.10.*    *             *                23                 No
    *              *             200.10.10.*      23                 No
  • 83. Packet filtering firewall
    • 1: Allow packets with destination in internal networks 2 and 3
    • 2: Allow packets with destination in internal networks 1 and 3
    • 3: Allow packets with any destination
    • 4: Allow TCP packets with destination address Mail gateway, destination port 25
    • Allow only TCP ACK packets with source port 25 with destination Mail gateway, port 1023
    [diagram: packet filtering router connected to the external Internet, internal network 1, internal network 2 and the mail gateway on internal network 3; the numbered rules above apply per interface]
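    The following is an added example, not from the slides, that ties slides 79 through 83 together: the header fields of slide 79 are pulled out of raw IPv4 bytes, and a first-match rule list encodes the policies of slides 80 and 82 (no spoofed internal sources from outside, no inbound Telnet, mail only to the mail gateway, reply packets only with ACK set), with "anything not explicitly allowed is denied" as the default. The 200.10.10.* LAN comes from the slides; the mail-gateway address 200.10.10.25, the interface names and the sample packets are constructed.

```python
# Added example, not from the slides: the header fields a packet filter looks
# at, parsed from raw IPv4 bytes, and a first-match rule list that encodes
# the slides' policies (anti-spoofing, no inbound Telnet, mail only to the
# mail gateway, replies only with ACK set). Everything not matched is denied.
# The mail-gateway host 200.10.10.25, the interface names and the sample
# packets are constructed; the 200.10.10.* LAN comes from the slides.

import struct
from ipaddress import ip_address, ip_network

IPPROTO_TCP, IPPROTO_UDP = 6, 17
TCP_SYN, TCP_ACK = 0x02, 0x10


def parse_packet(raw):
    """Extract addresses, protocol, ports and SYN/ACK flags from an IPv4 datagram."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    l4 = raw[(ver_ihl & 0x0F) * 4:]            # skip the header including options
    pkt = {"src": ip_address(src), "dst": ip_address(dst), "proto": proto,
           "syn": False, "ack": False}
    if proto == IPPROTO_TCP:
        sport, dport, _, _, off_flags = struct.unpack("!HHIIH", l4[:14])
        pkt.update(sport=sport, dport=dport,
                   syn=bool(off_flags & TCP_SYN), ack=bool(off_flags & TCP_ACK))
    elif proto == IPPROTO_UDP:
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
    else:
        raise ValueError("unsupported transport protocol %d" % proto)
    return pkt


class Rule:
    """One filter rule; a None field means 'any' (the slides' '*')."""

    def __init__(self, action, iface=None, proto=None, src=None, sport=None,
                 dst=None, dport=None, ack=None):
        self.action, self.iface, self.proto, self.ack = action, iface, proto, ack
        self.src = ip_network(src) if src else None
        self.dst = ip_network(dst) if dst else None
        self.sport = self._range(sport)
        self.dport = self._range(dport)

    @staticmethod
    def _range(spec):
        return None if spec is None else (spec if isinstance(spec, tuple) else (spec, spec))

    def matches(self, iface, p):
        return ((self.iface is None or self.iface == iface)
                and (self.proto is None or self.proto == p["proto"])
                and (self.src is None or p["src"] in self.src)
                and (self.dst is None or p["dst"] in self.dst)
                and (self.sport is None or self.sport[0] <= p["sport"] <= self.sport[1])
                and (self.dport is None or self.dport[0] <= p["dport"] <= self.dport[1])
                and (self.ack is None or self.ack == p["ack"]))


LAN, MAIL = "200.10.10.0/24", "200.10.10.25"
RULES = [
    Rule("deny", iface="ext", src=LAN),                                  # anti-spoofing
    Rule("deny", proto=IPPROTO_TCP, dst=LAN, dport=23),                  # no inbound Telnet
    Rule("allow", iface="ext", proto=IPPROTO_TCP, dst=MAIL, dport=25),   # inbound mail
    Rule("allow", iface="ext", proto=IPPROTO_TCP, sport=25, dst=MAIL,    # replies to
         dport=(1024, 65535), ack=True),                                 # outbound mail
    Rule("allow", iface="int", src=MAIL),                                # gateway may talk out
]


def filter_packet(iface, raw, rules=RULES):
    """iface is 'ext' (arriving from the Internet) or 'int'. Returns (action, rule index)."""
    p = parse_packet(raw)
    for i, rule in enumerate(rules):
        if rule.matches(iface, p):
            return rule.action, i
    return "deny", None                     # anything not explicitly allowed is denied


def make_packet(src, dst, proto, sport, dport, flags=0):
    """Constructed datagram: 20-byte IPv4 header plus a minimal TCP or UDP header."""
    if proto == IPPROTO_TCP:
        l4 = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    return ip + l4


if __name__ == "__main__":
    spoofed = make_packet("200.10.10.7", MAIL, IPPROTO_TCP, 40000, 25, TCP_SYN)
    print("spoofed internal source from outside:", filter_packet("ext", spoofed))
    probe = make_packet("198.51.100.5", MAIL, IPPROTO_TCP, 25, 33000, TCP_SYN)
    print("SYN from port 25 into a high port:   ", filter_packet("ext", probe))
```

    Note that the reply rule admits any packet with ACK set from port 25 to a high port, whatever connection it claims to belong to; a stateless filter cannot tell a genuine reply from a forged one, which is the gap stateful inspection closes.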
  • 84. Packet filtering firewall
    • packet filtering firewall when connection to Internet is via an external service provider
    • packet filtering is effective for coarse grained controls
    • not very effective for fine grained control
      • can do: allow incoming telnet from a particular host
      • cannot do: allow incoming telnet from a particular user
    • Vulnerabilities
      • IP source address can be spoofed
      • IP source routing
      • filtering hard to configure correctly
      • remote router management uses cleartext passwords
    [diagram: external Internet, external router, packet filtering firewall host, internal network]
  • 85. Packet Filtering Firewall
    • Stateless
      • Static filtering: requires that filtering rules governing how the firewall decides which packets are allowed and which are denied are developed and installed
      • Dynamic filtering: allows firewall to react to emergent event and update or create rules to deal with event
    • Stateful
      • Stateful inspection: firewalls that keep track of each network connection between internal and external systems using a state table
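    The following is an added example, not from the slides, contrasting a stateful state table with the stateless "admit inbound packets that carry ACK" rule used on the packet-filtering slides. Packets are plain tuples rather than parsed headers, the direction is supplied by the caller, and all addresses are constructed; entry expiry on FIN/RST or timeout is left out.

```python
# Added example, not from the slides: a minimal state table contrasted with
# the stateless "allow inbound packets that carry ACK" rule used by the
# packet-filter slides. Packets are plain tuples (no header parsing) and
# every address is constructed.

from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport syn ack")


def stateless_allow(pkt, direction):
    """Stateless rule: anything may go out; inbound packets pass only if ACK
    is set, i.e. they *look* like replies to an existing connection."""
    return True if direction == "out" else pkt.ack


class StatefulFilter:
    """Stateful inspection: inbound traffic is admitted only for connections
    that an inside host initiated and that are still in the state table."""

    def __init__(self):
        self.table = set()   # (inside ip, inside port, outside ip, outside port)

    def allow(self, pkt, direction):
        if direction == "out":
            entry = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn and not pkt.ack:      # new outbound connection: record it
                self.table.add(entry)
                return True
            return entry in self.table
        # inbound: must match a recorded connection with the ends swapped
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


def compare():
    """Run the same traffic through both filters; returns {case: (stateless, stateful)}."""
    fw = StatefulFilter()
    outbound = Pkt("200.10.10.7", 33001, "198.51.100.5", 80, syn=True, ack=False)
    reply = Pkt("198.51.100.5", 80, "200.10.10.7", 33001, syn=True, ack=True)
    forged = Pkt("203.0.113.9", 80, "200.10.10.7", 1025, syn=False, ack=True)
    cases = {}
    cases["outbound SYN"] = (stateless_allow(outbound, "out"), fw.allow(outbound, "out"))
    cases["genuine reply"] = (stateless_allow(reply, "in"), fw.allow(reply, "in"))
    cases["forged ACK probe"] = (stateless_allow(forged, "in"), fw.allow(forged, "in"))
    return cases


if __name__ == "__main__":
    for case, (stateless, stateful) in compare().items():
        print("%-16s stateless=%-5s stateful=%s" % (case, stateless, stateful))
```

    The forged packet carries ACK but belongs to no connection anyone inside opened; the ACK-flag rule lets it through to an internal host, the state table does not.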
  • 86. Attacks & Solutions?
    • Packet fragmentation
    • Source routing
    • TTL attacks
  • 87. Packet filtering - Advantages
    • Generally faster since fewer evaluations performed
    • Easily implemented as hardware solutions
    • A single rule can help protect an entire network by prohibiting connections between specific Internet sources and internal computers.
    • Do not require client computers to be specifically configured
    • In conjunction with network address translation, you can use packet filter firewalls to shield internal IP addresses from external users
  • 88. Packet filtering - Disadvantages
    • Do not understand application layer protocols.
    • Cannot restrict access to protocol subsets - less secure than application layer and circuit level firewalls
    • Packet filters - typically stateless
    • Limited abilities to manipulate information within a packet.
    • No value-added features, such as HTTP object caching, URL filtering, and authentication – since no knowledge of protocols
    • Little or no audit event generation and alerting mechanisms.
    • Difficult to test "accept" and "deny" rules.
  • 89. Circuit Gateways
    • Circuit gateway firewall operates at transport layer
    • Look at sessions, instead of packets or connections
    • Built in support for protocols with secondary connections, such as FTP, RTP
    • Like filtering firewalls, do not usually look at data traffic flowing between two networks, but prevent direct connections between one network and another
    • Accomplished by creating tunnels connecting specific processes or systems on each side of the firewall, and allow only authorized traffic in the tunnels
    • Mitigates risk of network reconnaissance, DoS and IP spoofing
  • 90.  
  • 91. Application gateway firewall
    • Proxies or relays
      • Allow incoming Telnet from our users who are travelling
        • user telnets to gateway machine
        • gateway does strong authentication and establishes telnet relay to internal machine
        • user to internal machine telnet session is relayed through the gateway
      • Once established, relays do not examine traffic
      • Outgoing telnet can similarly be relayed through the gateway
        • user telnets to gateway machine
        • gateway establishes telnet relay to external machine
        • user to external machine telnet session is relayed through the gateway
    [diagram: external Internet, external router, application gateway firewall host, internal network]
  • 92. Application gateway firewall
    • Outgoing (active-mode) ftp requires an incoming call
      • inside user initiates ftp connection to outside machine
      • when a file is transferred outside machine initiates a tcp connection to inside machine to effect the transfer
    • allowing incoming tcp calls to internal machines is dangerous
      • use gateway as a proxy for outgoing ftp
    • Proxies and relays have to be implemented for each service
      • proxies for sophisticated services such as X windows, NFS, WWW, Gopher exist
  • 93. Application gateway firewall
    • Packet filtering and application gateway can be bundled on the same host
    Protocol   Source IP     Source Port   Destination IP   Destination Port   Allow?
    tcp        200.10.10.*   *             *                23                 No
    udp        *             *             200.10.10.*      23                 No
    • application gateways work better for TCP based services
      • recall that UDP is connectionless
    • better for control over individual service relative to packet filters
    • allow filtering of application protocols
      • disallow PUT for FTP from internal clients
      • disallow Java applets
      • filter email attachments for viruses
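    As an added example (not from the slides) of the two points above, the inbound data call of active-mode FTP on slide 92 and the per-command filtering on this slide: an FTP proxy on the gateway reads the client's control-channel commands, refuses uploads (STOR/STOU/APPE, the client's "put"), and rewrites PORT so the outside server's data connection comes back to the gateway instead of to the inside host. The gateway address, its data port and the client session are constructed.

```python
# Added example, not from the slides: the kind of check only an application
# gateway can make. An FTP proxy on the gateway reads the client's control
# commands, refuses uploads (STOR/STOU/APPE, the client's "put") and rewrites
# active-mode PORT commands so that the outside server's data connection
# comes back to the gateway rather than to the inside host. The gateway
# address, data port and the client session are constructed values.

DENIED = {"STOR", "STOU", "APPE"}           # writes to the outside server


def parse_port_arg(arg):
    """Decode 'h1,h2,h3,h4,p1,p2' into (ip, port)."""
    parts = [int(x) for x in arg.split(",")]
    if len(parts) != 6 or any(not 0 <= x <= 255 for x in parts):
        raise ValueError("malformed PORT argument: %r" % arg)
    return ".".join(str(x) for x in parts[:4]), parts[4] * 256 + parts[5]


def format_port_arg(ip, port):
    """Inverse of parse_port_arg."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def ftp_gateway(client_lines, gateway_ip="203.0.113.1", gateway_port=50001):
    """Return the lines forwarded to the outside server, the replies sent back
    to the client for refused commands, and the inside (ip, port) endpoints
    the proxy must relay each data connection to."""
    forwarded, refused, inside_data_endpoints = [], [], []
    for line in client_lines:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in DENIED:
            refused.append((line.strip(), "550 Uploads are not permitted by gateway policy."))
        elif verb == "PORT":
            ip, port = parse_port_arg(arg)
            inside_data_endpoints.append((ip, port))
            # the server will now connect to the gateway, which relays inward
            forwarded.append("PORT " + format_port_arg(gateway_ip, gateway_port))
        else:
            forwarded.append(line.strip())
    return forwarded, refused, inside_data_endpoints


CLIENT_SESSION = [       # constructed control-channel input from an inside host
    "USER alice",
    "PORT 200,10,10,7,156,64",    # client listens on 200.10.10.7:40000
    "RETR report.txt",
    "STOR secrets.txt",
    "QUIT",
]

if __name__ == "__main__":
    fwd, ref, ends = ftp_gateway(CLIENT_SESSION)
    print("forwarded:", fwd)
    print("refused:  ", ref)
    print("relay to: ", ends)
```

    A packet filter sees only TCP port 21 on the control channel and cannot tell RETR from STOR; the gateway can, and it also removes the need for the "allow incoming tcp calls to internal machines" hole that active-mode FTP would otherwise require.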
  • 94. Application Layer Filtering
    • Most sophisticated level of firewall traffic inspection
    • Analyze a data stream for a particular application, provide application-specific processing
      • inspecting
      • screening or blocking
      • redirecting
      • and modifying data
    • Inspect many different protocols
    • Works on clear-text traffic – what about encrypted data?
  • 95. Options
    • Terminating the SSL traffic at the firewall
    • Regenerating SSL traffic from the firewall to the exposed Web service
    • Allowing the SSL traffic to pass through the firewall to the back-end server
  • 96. Software vs. Hardware: the SOHO Firewall Debate
    • Which firewall type should the residential user implement?
    • Where would you rather defend against a hacker?
    • With the software option, hacker is inside your computer
    • With the hardware device, even if hacker manages to crash firewall system, computer and information are still safely behind the now disabled connection
  • 97. Content Filters
    • Software filter—not a firewall—that allows administrators to restrict content access from within network
    • Essentially a set of scripts or programs restricting user access to certain networking protocols/Internet locations
    • Primary focus to restrict internal access to external material
    • Most common content filters restrict users from accessing non-business Web sites or deny incoming spam