Background on Internet technologies and protocols
Background on Internet Technologies
Batch environment (1950s): no direct interaction between users and their programs during execution.
Dumb terminals were connected to a central computer system; users were able to interact with the computer and could share its information-processing resources. This marked the beginning of computer communications.
Distributed processing (1970s): use of minicomputers; users demanded computing closer to their work areas.
Communication between neighboring processors and applications via networks.
LANs
A collection of hosts connected by a high-speed network, designed and developed for communications and resource sharing in a local work environment (room, building, campus).
Users can access other networks via bridges and gateways.
(Figure: PC 1, PC 2, ..., PC n, a printer and a file server attached to one LAN.)
WANs and Internetworks
Span a large geographic area and cross public property.
Often based on services provided by third-party companies; use telephone networks for transmission from one node to another.
Can be used to connect several LANs together: routers attached to each LAN filter the network traffic to and from the WAN.
LANs can also be connected by special modems or dedicated leased lines.
(Figure: PC 1, PC 2, ..., PC n and a file server on a LAN, joined to an internetwork through a router.)
Routers
Special-purpose computers used for interconnecting networks.
Essentially, a router receives messages originating from one network and sends (routes) them to the other network.
The process of selecting a network over which to send a message is called routing.
Example: computers X and Y can communicate via routers R1, R2 and R3.
(Figure: X connected to Y through routers R1, R2 and R3.)
Internet
The global Internet consists of thousands of computer networks interconnected by routers.
The Internet appears as a single, seamless communication system to which many computers can attach: each computer is assigned an address, and any computer can send a message to any other computer.
Client/Server System
A type of network that connects a user's computer (client) to one or more host computers (servers).
Server: a computer that offers services, such as receiving and executing instructions and sending results (Web server, e-mail server, ftp server, ...). A server runs continuously, waiting for clients' requests.
Client: a computer that uses these services. A client addresses a request to a server, which replies accordingly.
Availability, reliability, performance, control.
Transmission Capacity
Speed of transmission is measured in bits per second (bps) or cycles per second (Hertz).
Multiplexing: many signals can be sent on a single physical channel.
Capacity depends on the physical medium: twisted wire pair, coaxial cable, fiber-optic cable, satellite transmission, microwave.
Dial-up access, leased circuits, cable modem, DSL technologies, wireless access.
Packet Switching
A message is not sent as a single unit, but broken down into small packets that are transmitted individually.
Each packet has a header that contains information about the source, the destination and the packet number.
Packets may travel on different routes and may even arrive at the destination out of order.
Good for data communication.
Packet Switches
A WAN is constructed from many switches. A switch moves packets from one connection to another.
A switch is a dedicated computer with two types of connections:
High-speed connections with other switches; these can be leased phone lines, optical fibers, microwave or satellite.
Low-speed connections, used to connect an individual computer or a LAN.
(Figure: switched network of three switches joined by high-speed connections.)
Internet2 (http://www.internet2.edu/)
A high-speed network that enables communications 100 - 1000 times faster than today's Internet.
Rutgers, which is part of the Internet2 consortium, has launched RUNet 2000 ($100 million). It operates at 10 Gbps (compare with the fastest modems now available, ~Mbps): 15,000 times faster than a typical home broadband connection.
Developed by the academic and research community: more than 205 universities, NSF, NIH, NASA, ..., IBM, DEC, Cisco, Sun, MCI, Sprint, ...
In Europe, the European Union-funded network TEN-34 was launched (initially 34 Mbps, later to reach 155 Mbps).
Designed to provide a range of broadband network applications: collaborative research, distance learning, video-conferencing, remote medical consultation and diagnosis.
Internet2 (cont'd)
The current telephone network uses circuit switching, where a piece of the network is entirely dedicated to a call. In contrast, information over the Internet is broken down into small data packets, and the packets navigate from junction to junction (routers).
The aim of Internet2 is to install "gigapops" (gigabit-capacity points of presence) capable of routing packets more quickly through the network, by launching a gigabit switch router to support speeds of 10 Gbps.
With the current Internet, real-time images have the same priority as e-mail (current IP is democratic); Internet2 will be able to distinguish the two.
Although Internet2 is being developed for universities and research labs, in the next 5 years it may reach homes (for $30/month at 10 Mbps).
IP Addressing
Every host on the Internet has a unique IP address. The IP protocol in use now has 32 bits for an address.
How many hosts in total? 2^32 = 4,294,967,296.
The 32 bits must be divided into a network portion and a host portion.
Typically written in "dotted decimal" form: 128.6.10.4. In this case, the network portion is 128.6 and the host portion is 10.4.
IP Addressing (cont'd)
How to divide up the addresses? Four classes of IP addresses:
1. Class A: first bit is 0, next 7 bits define the network, last 24 bits define the hosts. 128 networks with 16,777,216 hosts each.
2. Class B: first two bits are 1 0, next 14 bits define the network, last 16 bits define the hosts. 16,384 networks with 65,536 hosts each.
3. Class C: first three bits are 1 1 0, next 21 bits define the network, last 8 bits define the host. 2,097,152 networks with 256 hosts each.
4. Class D (multicast): first three bits are 1 1 1, next 29 bits define a multicast address.
IP Addressing (cont'd)
For a network with a large number of hosts (e.g. Class B networks), we can divide the hosts into subnetworks using a subnet mask.
The subnet mask indicates which of the 32 bits should be considered the network portion and which the host portion.
A common subnet mask is 255.255.255.0, meaning the first 24 bits define the network and the last 8 bits define the host.
Special IP address: 127.0.0.1, called the "localhost".
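As an added worked example (not from the slides), the classful split and the subnet-mask split applied to the slides' own address 128.6.10.4, in Python; the class boundaries and the 255.255.255.0 mask are the ones stated above.

```python
# Added example (not from the slides): classful decoding of a dotted-decimal
# IPv4 address and splitting it into network and host portions, either at the
# class boundary or with an explicit subnet mask such as 255.255.255.0.
from __future__ import annotations


def parse_dotted(addr: str) -> int:
    """Convert dotted-decimal text to a 32-bit integer, rejecting malformed input."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {addr!r}")
    value = 0
    for o in octets:
        if not o.isdigit() or int(o) > 255:
            raise ValueError(f"octet out of range in {addr!r}: {o!r}")
        value = (value << 8) | int(o)
    return value


def to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def address_class(addr: str) -> tuple[str, int]:
    """Classify by the leading bits as on the slides: 0 -> A (8 network bits),
    10 -> B (16), 110 -> C (24), 111 -> D (multicast, no network/host split)."""
    top3 = parse_dotted(addr) >> 29
    if not top3 & 0b100:
        return "A", 8
    if not top3 & 0b010:
        return "B", 16
    if not top3 & 0b001:
        return "C", 24
    return "D", 0


def is_valid_mask(mask: str) -> bool:
    """A subnet mask must be a run of 1 bits followed by a run of 0 bits."""
    inverted = ~parse_dotted(mask) & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def split_address(addr: str, mask: str | None = None) -> dict:
    """Return the class, network portion, host portion and host count of addr.
    Without a mask the classful boundary is used; with a mask, the mask decides."""
    value = parse_dotted(addr)
    cls, net_bits = address_class(addr)
    if mask is None:
        if net_bits == 0:
            raise ValueError("class D addresses have no network/host split")
        mask_value = (0xFFFFFFFF << (32 - net_bits)) & 0xFFFFFFFF
    else:
        if not is_valid_mask(mask):
            raise ValueError(f"non-contiguous subnet mask: {mask}")
        mask_value = parse_dotted(mask)
    host_bits = 32 - bin(mask_value).count("1")
    return {
        "class": cls,
        "network": to_dotted(value & mask_value),
        "host": value & ~mask_value & 0xFFFFFFFF,
        "host_bits": host_bits,
        "hosts_per_network": 1 << host_bits,
    }


if __name__ == "__main__":
    # the slides' example: 128.6.10.4 is class B, network 128.6, host 10.4
    print(split_address("128.6.10.4"))
    # the same address subnetted with the common mask 255.255.255.0
    print(split_address("128.6.10.4", "255.255.255.0"))
```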
Domain Name Services
Each host on the Internet has its own unique IP address; who can remember all of them?
DNS gives us a means to map an IP address to a "host name" and vice versa.
Host names are typically broken down into 4 or 5 parts:
1. A geographic (e.g. country) designation is given at the "highest level".
2. An organizational designation may be in place of the geographic one but can also appear in combination.
3. The next level down is the "organizational" level: rutgers, microsoft, pizzahut, plannetreebok.
4. Within an organization, there may be several individual hosts, each with their own name.
Domain Name Services (cont'd)
These parts are assembled from right to left.
Resolving Internet names using DNS:
The most commonly used IP and host name pairs are kept in a hosts file (see /etc/hosts).
If not in the hosts file, a primary DNS site is consulted. UDP is used to send a DNS Query message to the designated Name Server on port 53.
This is done in a logical fashion, e.g. for host names ending in rutgers.edu, a local Rutgers DNS server can be queried.
Domain Name Services (cont'd)
If not found at a local DNS server, additional secondary DNS servers are checked until:
1. The connection times out, or
2. The request exceeds a predefined hop count, or
3. The list of DNS servers is exhausted.
Look at /etc/resolv.conf on UNIX systems. In Windows, look at the properties of the TCP/IP protocol.
The Structure of WWW
A global collection of hypertext pages stored on Internet hosts.
Hypertext: text documents that allow non-linear reading through hypertext links. Normally we read a book in a linear fashion: page 1, then page 2, etc. With hypertext, we follow our curiosity by skipping around the document(s) using hypertext links.
Hypertext is made up of three distinct parts:
Text pages: the text you read.
Anchors: the starting point for a link.
Links: a pointer to another text page.
WWW (cont'd)
URL (Uniform Resource Locator): the address of a hypertext page or other Internet resource.
HTML (HyperText Markup Language): the language used to create hypertext pages for use on the WWW.
WWW browser: a program capable of displaying hypertext pages and navigating the WWW by allowing users to select hypertext links. Examples: Netscape Navigator, NCSA Mosaic, Microsoft Internet Explorer, Mozilla.
WWW server: a daemon program (httpd) that responds to requests from a WWW browser by sending it HTML hypertext pages.
The WWW Client/Server Model
The request protocol used for WWW pages is HTTP, the HyperText Transfer Protocol.
1. HTTP is an application layer protocol.
2. Uses TCP/IP to make a connection.
4. HTML pages are returned.
Other protocols can also be used within a WWW browser: FTP (File Transfer Protocol).
URLs: Uniform Resource Locators
A three-part name for a WWW or Internet resource: protocol://hostname/filename
1. Protocol: the application layer protocol used to access the resource. Examples: HTTP, FTP, GOPHER, MAILTO.
2. Host name: the name (or IP address) of the host where the resource is located.
3. File name: the directory and file name of the resource.
Communication Architecture
Communication systems involve heterogeneous technologies and are complex (addressing, routing, multiplexing, error control, ...). How to cope with the above?
The International Standards Organization (ISO) developed the Open Systems Interconnection (OSI) reference model (1974).
OSI Reference Model
Each layer provides a set of functions to the layers above and relies on the functions provided by the layers below.
Each layer communicates with its peer layer on the other node (protocols).
The layer boundaries (interfaces) should be designed so as to minimize the information flow across the boundaries.
The main idea is to have independent standards for different layers, so that changes to one layer do not cause changes in other layers.
OSI Reference Model (cont'd)

+--------------+                       +--------------+
| application  |<--------------------->| application  |
+--------------+                       +--------------+
| presentation |<--------------------->| presentation |
+--------------+                       +--------------+
| session      |<--------------------->| session      |
+--------------+                       +--------------+
| transport    |<--------------------->| transport    |
+--------------+      +---------+      +--------------+
| network      |<---->| network |<---->| network      |
+--------------+      +---------+      +--------------+
| data link    |<---->|data link|<---->| data link    |
+--------------+      +---------+      +--------------+
| physical     |<---->|physical |<---->| physical     |
+--------------+      +---------+      +--------------+
OSI Reference Model (cont'd)
(Figure: the seven-layer stacks of User A and User B, connected through the physical medium. Application, presentation, session and transport form the higher-level protocols; network, data link and physical form the lower-level protocols.)
Physical Layer
The physical layer defines electrical signaling on the transmission channel: how bits are converted into electrical current, light pulses or any other physical form.
Connection establishment and termination.
Encoding and transmission of bits.
Repeating or amplification to increase the range of transmission.
Data Link Layer
Specifies how to organize data into packets, and how to transmit packets over a network.
Defines how the network layer packets are transmitted as bits.
For example, defined in this layer are framing and error detection: a transmission might get corrupted or bits may be lost (parity, checksum); a sender may send data too fast for a modem; data might get delayed a long time in the network.
Examples of data link layer protocols: PPP (Point-to-Point Protocol), Ethernet framing protocol.
Bridges work at this layer only.
The Network Layer
Specifies how addresses are formed (IP addresses) and how packets are forwarded (store-and-forward technique).
Delivers packets from the sending computer to the receiving computer (host-to-host).
Defines how information from the transport layer is sent over networks and how different hosts are addressed.
Example of a network layer protocol: the Internet Protocol.
The device that takes care of network-level functions is a router, or sometimes a gateway.
Addressing: determines which machine to send the packet to.
Routing: determines the best set of links.
Congestion control: routes the packets via a different route if one intermediate node gets flooded with packets.
An IP address is different from a physical address.
The Transport Layer
Handles the details of reliable transfer: format of acks, retransmission times, rules for changing them.
Essentially, takes care of data transfer, ensuring the integrity of data if desired by the upper layers.
Provides end-to-end delivery, establishing and terminating connections, error detection and correction.
TCP and UDP operate at this layer.
The Session Layer
Specifies how to establish a communication with a remote system (e.g. telnet), including authentication details (e.g. passwords).
Establishes and terminates connections and arranges sessions into logical parts.
Provides a means of controlling the dialogue between two end users: dialogue management (half versus full duplex), synchronization and recovery management.
This layer is not often used in existing systems; TCP and RPC provide some functions at this layer.
The Presentation Layer
Specifies how to represent data and takes care of data type conversion.
Different computers use different internal representations (e.g. ASCII, EBCDIC) for integers and characters; this layer specifies how to translate from one representation to another.
An example of a protocol residing at this layer is XDR (External Data Representation), which is used by RPC applications to provide interoperability between heterogeneous computer systems.
Presentation layer functions are, in most systems, handled elsewhere in the network protocols.
The Application Layer
Specifies how one particular application uses a network: the request format (e.g. how to name a file) and how the application on another machine responds.
Defines the protocols to be used between the application programs.
Examples of protocols at this layer: protocols for electronic mail (e.g. SMTP), file transfer (e.g. FTP), remote login, directory lookup, and HTTP.
How Layered Software Works
Each layer solves one part of the problem. To do so, each layer on the sending computer adds information to the outgoing data.
The same layer in the receiving computer uses the additional information to process the data (for example, checksums in the data link layer).
How Layered Software Works (cont'd)
Layer N software on the destination computer must receive the exact message sent by layer N software on the sending computer:
If one layer adds a header, the corresponding layer has to remove it.
If one layer encrypts data, the receiving computer's layer has to decrypt it.
Once Again, the Purpose of Layers
Each layer can change and evolve independently of other layers.
Applications
Remote login (TELNET, rlogin)
Bulletin boards and Network News
Networked information discovery and retrieval tools
TCP/IP Protocol Stack: Basic Protocols
Layers 5-7: TELNET, FTP, SMTP, HTTP, ...
Layer 4: TCP, UDP
Layer 3: IP
Layer 2: Ethernet, Token Ring, ATM, PPP, ...

TCP/IP Protocol Stack: Infrastructure and Security Protocols
The same stack (Layers 5-7: TELNET, FTP, SMTP, HTTP, ...; Layer 4: TCP, UDP; Layer 3: IP; Layer 2: Ethernet, Token Ring, ATM, PPP, ...) with the infrastructure and security protocols RIP, EGP, BGP, DNS, SSL, ICMP, IPSEC, ARP and RARP added.
ICMP: Internet Control Message Protocol; ARP: Address Resolution Protocol; RARP: Reverse Address Resolution Protocol; DNS: Domain Name Service; RIP: Routing Information Protocol; BGP: Border Gateway Protocol; EGP: External Gateway Protocol; SSL: Secure Socket Layer.
TCP/IP (Transmission Control Protocol/Internet Protocol)
TCP/IP is the basic communication protocol of the Internet.
Protocol: the special set of rules for communicating that the end points in a telecommunication connection use when they send signals back and forth.
TCP, IP, HTTP, FTP and other protocols each have a defined set of rules to use with other Internet points, relative to a defined set of capabilities.
TCP/IP (cont'd)
TCP manages the assembling of a message into packets that are transmitted over the Internet and received by a TCP layer that reassembles the packets into the original message.
A packet is the unit of data that is routed between an origin and a destination on the Internet or any other packet-switched network.
IP handles the address part of each packet so that it gets to the right destination.
TCP/IP (cont'd)
Uses the client/server model of communication.
Communication is primarily point-to-point: each communication is from one point (or host computer) in the network to another point or host.
Higher-layer application protocols that use TCP/IP to get to the Internet: Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Telnet, and the Simple Mail Transfer Protocol (SMTP).
TCP
Adds port numbers, packet sequence numbers, acknowledgement numbers and other fields to IP addresses.
A port number refers to a specific application running on a host, e.g. SMTP uses port 25 while Telnet uses port 23.
Source IP address + source port number is a socket: it uniquely identifies the sender.
Destination IP address + destination port number is a socket: it uniquely identifies the receiver.
TCP (cont'd)
The result is a TCP/IP "stream": a connection established using a handshake, with error detection/control through positive acknowledgement.
1. A sends a SYN message to B: "I'd like to set up a connection and I will start with sequence number s."
2. B replies with a SYN and ACK message to A: "Yes, I will talk to you."
3. A sends an ACK message to B along with the first piece of data: "I got your ACK, so here's the start of my data."
(Figure: three-way handshake between initiator A and responder B: SYN(A); SYN(B), ACK(A); ACK(B).)
TCP (cont'd)
Useful when error correction is required and the connection will last a long time (e.g. a large data transfer).
Large data is broken into chunks and sent separately. Chunks can arrive in any order; duplicates are discarded.
User Datagram Protocol (UDP)
Adds port numbers to IP addresses. A port number refers to a specific application running on a host, e.g. SMTP uses port 25 while Telnet uses port 23.
Source IP address + source port number is a socket: it uniquely identifies the sender. Destination IP address + destination port number is a socket: it uniquely identifies the receiver.
Also an optional checksum for error checking.
No handshaking or error control; also called a "connectionless" protocol. Often referred to as "unreliable", meaning that error control can't be relied upon.
Useful for situations where overhead is a concern, such as small data requests (queries, etc.).
TCP/UDP Port Numbers and Services
TCP and UDP add port numbers to the IP addresses. Each port corresponds to a specific application or service.
Ports 1 - 1024 are generally considered privileged ports: on UNIX systems, one needs special permissions to run services on these ports. Above 1024, any port number can be used.
The Internet assigned numbers committee agrees on some standard port numbers.
TCP/UDP Port Numbers and Services (cont’d)
The following are some well known services and their assigned IP port numbers.
Attacks
Public, private and government networks have been penetrated by unauthorized users and rogue programs.
Increased volume of security breaches: the Computer Emergency Response Team (CERT) reports a tremendous increase in cracking incidents.
The insider is already an authorized user. An insider acquires privileged access by exploiting bugs in privileged system programs or exploiting poorly configured privileges, and installs backdoors/trojan horses to facilitate subsequent acquisition of privileged access.
Exploitation of software bugs: acquire access to an authorized account, then perpetrate an insider attack.
Attacks
Attacks that exploit trusted access: spoof network protocols to effectively acquire access to an authorized account (IP spoofing).
Unauthorized access to resources; disclosure, modification and destruction of resources.
Compromised system used as a hostile attack facility.
Masquerade as an authorized user or end system.
Importation of malicious or infected code.
Network sniffing/packet sniffing: user IDs, passwords and other information are often stolen on the Internet.
Attacks
Modify router configurations.
Domain name server attacks.
Contributing Factors
Lack of awareness of Internet threats and risks: security measures are often not considered until an enterprise has been penetrated by malicious users.
Wide-open network policies: many Internet sites allow wide-open Internet access.
The vast majority of Internet traffic is unencrypted: network traffic can be monitored and captured.
Lack of security in the TCP/IP protocol suite: most TCP/IP protocols were not built with security in mind; work is actively progressing within the Internet Engineering Task Force (IETF).
Complexity of security management and administration.
Exploitation of software (e.g. protocol implementation) bugs.
Cracker skills keep improving.
Who is perpetrating these attacks?
People with lots of free time.
Former/disgruntled employees.
Current/disgruntled employees.
TCP SYN Flooding Attack
Send a SYN packet with a random IP source address; the returned SYN-ACK packet is lost.
This half-open connection stays for a fairly long period of time.
Basis for the IP spoofing attack.
(Figure: three-way handshake between initiator and responder: SYN(A); SYN(B), ACK(A); ACK(B).)
SYN Flooding
There is an upper limit on how many concurrent SYN requests TCP can process for a given socket, called the backlog: the length of the queue where incoming (as yet incomplete) connections are kept.
The queue limit applies to both the number of incomplete connections (the 3-way handshake is not complete) and the number of completed connections that have not been pulled from the queue by the application by way of the accept() system call.
If the backlog limit is reached, TCP silently discards all incoming SYN requests until the pending connections can be dealt with.
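The backlog behaviour described above, modelled as an added Python example (not the slides' code) from the listener's side: half-open and completed-but-unaccepted entries share one limit, SYNs arriving at a full queue are silently dropped, and the queue frees up only when the half-open entries time out. The starting ISN, the timeout value and the 198.51.100.x / 203.0.113.x peers are constructed; the 64,000 per-connection ISN step is the figure the sequence-number slides quote.

```python
# Added example (not from the slides): a toy model of one listening socket's
# backlog. Entries are half-open connections (SYN received, final ACK not yet
# seen) plus completed connections the application has not yet pulled with
# accept(); once the queue is full, further SYNs are silently discarded.
from __future__ import annotations
from typing import Optional

Peer = tuple[str, int]  # (source IP, source port) identifies the remote socket


class ListenBacklog:
    def __init__(self, backlog: int, isn_step: int = 64000):
        self.backlog = backlog
        self.half_open: dict[Peer, tuple[int, float]] = {}  # peer -> (our ISN, SYN time)
        self.completed: list[Peer] = []                      # waiting for accept()
        self.dropped_syns = 0
        self._next_isn = 1000          # constructed starting ISN
        self._isn_step = isn_step      # per-connection ISN increment from the slides

    def queued(self) -> int:
        # the backlog limit applies to both kinds of pending connection
        return len(self.half_open) + len(self.completed)

    def on_syn(self, peer: Peer, now: float) -> Optional[int]:
        """Handle an incoming SYN. Returns the ISN our SYN-ACK would carry,
        or None when the SYN is discarded because the backlog is full."""
        if peer in self.half_open:
            return self.half_open[peer][0]   # retransmitted SYN: same SYN-ACK again
        if self.queued() >= self.backlog:
            self.dropped_syns += 1
            return None
        isn = self._next_isn
        self._next_isn += self._isn_step
        self.half_open[peer] = (isn, now)
        return isn

    def on_ack(self, peer: Peer, ack_no: int) -> bool:
        """Third handshake step: the ACK must acknowledge our ISN + 1."""
        entry = self.half_open.get(peer)
        if entry is None or ack_no != entry[0] + 1:
            return False
        del self.half_open[peer]
        self.completed.append(peer)
        return True

    def accept(self) -> Optional[Peer]:
        """The application pulls one completed connection off the queue."""
        return self.completed.pop(0) if self.completed else None

    def expire(self, now: float, timeout: float) -> int:
        """Drop half-open entries older than timeout; returns how many went."""
        stale = [p for p, (_, t) in self.half_open.items() if now - t >= timeout]
        for p in stale:
            del self.half_open[p]
        return len(stale)


def simulate(backlog: int = 5, timeout: float = 75.0) -> dict:
    """Fill the backlog with SYNs whose (constructed) senders never answer the
    SYN-ACK, then show a legitimate client is refused until those entries expire."""
    lb = ListenBacklog(backlog)
    for i in range(backlog):
        lb.on_syn((f"198.51.100.{i + 1}", 40000 + i), now=0.0)
    legit: Peer = ("203.0.113.9", 50000)
    refused = lb.on_syn(legit, now=1.0) is None          # queue full: dropped
    expired = lb.expire(now=1.0 + timeout, timeout=timeout)
    isn = lb.on_syn(legit, now=2.0 + timeout)            # room again
    completed = isn is not None and lb.on_ack(legit, isn + 1)
    return {
        "refused_while_full": refused,
        "dropped_syns": lb.dropped_syns,
        "expired": expired,
        "completed_after_expiry": completed,
        "accepted": lb.accept(),
    }


if __name__ == "__main__":
    print(simulate())
```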
DoS vs Distributed DoS
IP Spoofing
Send a SYN packet with a spoofed IP address.
SYN flood the real source so it drops the SYN-ACK packet.
Guess the sequence number and send an ACK packet to the target.
The target will continue to accept packets, and response packets will be dropped.
(Figure: three-way handshake between initiator and responder: SYN(A); SYN(B), ACK(A); ACK(B).)
IP Spoofing
First, choose the target host.
Discover a pattern of trust, along with a trusted host.
Sample the target's TCP sequence numbers.
Impersonate the trusted host; guess the sequence numbers.
Make a connection attempt to a service that only requires address-based authentication.
If successful, the attacker executes a simple command to leave a backdoor.
Patterns of Trust
After choosing a target, the attacker must determine the patterns of trust.
It is necessary to assume the target host *does* in fact trust somebody; if it didn't, the attack ends here.
Figuring out who a host trusts may or may not be easy: a 'showmount -e' may show where filesystems are exported, and rpcinfo can give out valuable information as well.
With sufficient background information, it should not be too difficult.
If all else fails, trying neighboring IP addresses in a brute-force effort may be a viable option.
SYN Flooding
The attacking host sends several SYN requests to the TCP port she desires disabled.
The attacking host also must make sure that the source IP address is spoofed to be that of another, currently unreachable host (the target TCP will be sending its response to this address).
IP may inform TCP that the host is unreachable, but TCP considers these errors to be transient and leaves their resolution up to IP (reroute the packets, etc.), effectively ignoring them.
The IP address must be unreachable because the attacker does not want any host to receive the SYN/ACKs that will be coming from the target TCP (this would result in a RST being sent to the target TCP, which would foil our attack).
Sequence Number Sampling and Prediction
The attacker needs to get an idea of where in the 32-bit sequence number space the target's TCP is.
Connect to a TCP port on the target (SMTP is a good choice) just prior to launching the attack and complete the three-way handshake. This is the same as a normal connection, except that the attacker saves the value of the Initial Sequence Number sent by the target host.
Repeat the process several times; the final ISN sent is stored.
The attacker also needs to get an idea of what the RTT (round-trip time) from the target to her host is like (repeat and average). This is necessary to accurately predict the next ISN.
Baseline (the last ISN sent), incrementation speed (128,000/second and 64,000 per connect) and datagram travel time together give the guess of the next ISN. Immediately proceed to the next phase of the attack.
Another TCP connection on the attack port would make the predicted ISN off by 64,000.
Session Hijacking
Send a SYN packet with a spoofed source IP address and the appropriate sequence number to one end; send ACK packets to the target at the other end.
Packet Sniffing
A packet sniffer is a program that monitors and analyzes network traffic, detecting bottlenecks and problems.
Packets can be intercepted at any point: login packets travelling over the Internet can be captured, and the intruder can find the hostname, username and password and gain access to the system.
Other sensitive information can also be obtained.
Internet Firewalls
Make some services available within the company, such as Telnet/Rlogin and FTP between the company's hosts.
Disallow outside users from gaining access to the company's internal hosts via Telnet, FTP, etc.
Allow users within the company to access other services on the Internet, such as WWW and FTP.
Allow users from the Internet to visit the company's WWW home pages.
Allow the exchange of e-mail with others on the Internet.
But it is difficult to restrict traffic in only one direction: recall that the TCP/IP protocol sends acknowledgements to make sure data arrives whole.
What we need is a more sophisticated gatekeeper that can distinguish which services to allow and which to block. The general term for this is a Firewall.
Firewalls
A filter between the private network and the Internet: prevents specific types of information from moving between the outside world (untrusted network) and the inside world (trusted network).
May be a separate computer system; a software service running on an existing router or server; or a separate network containing supporting devices.
Proxy Servers
Software servers that handle all communications originating from inside an organization.
May improve performance considerably by caching the most frequently requested pages.
Firewalls and Proxy Servers
The most rudimentary firewall: network adapter input filters.
Filters on source or destination addresses and other information in the incoming packet: port numbers for UDP and TCP, and the protocol of the traffic (TCP, UDP, and generic routing encapsulation (GRE)).
Blocks the packet or allows it through.
Applies only to incoming traffic; cannot control outgoing traffic.
Basic Internet Firewalls
A basic firewall is a router or host with 2 network interfaces. One interface is connected to the Internet (the host side); the second is connected to the company's internal network.
Two possible default policies:
Anything not explicitly denied is allowed.
Anything not explicitly allowed is denied.
Benefits
Firewall machines are secured and carefully administered to allow controlled interaction with the external Internet; internal machines can be administered with varying degrees of care.
Basic Limitations
Connections that bypass the firewall may be dangerous.
Services passed through the firewall introduce vulnerabilities.
Insiders can exercise internal vulnerabilities.
It is not possible to safely squeeze everything that users desire through a firewall: users settle for degraded service or tolerate increased vulnerability.
Types of Firewalls
Packet filtering firewall
Application gateway firewall
Packet Filtering Firewall
Special software examines the network traffic (TCP, UDP and IP packets) and selectively blocks or allows IP packets.
An IP packet carries a 32-bit source IP address, a 32-bit destination IP address, an 8-bit protocol field, additional header fields, and data typically several hundred bytes long. The data part of an IP packet carries the TCP or UDP header plus application data.
The TCP/UDP header in the data part of IP packets carries a 16-bit source port number and a 16-bit destination port number.
SYN: the first packet in a TCP connection. ACK: a packet from an existing connection.
(Figure: IP header | TCP header | application data, and IP header | UDP header | application data.)
Packet Filtering Firewall
IP packets are filtered based on: source IP address + source port number; destination IP address + destination port number; protocol field (TCP or UDP); TCP protocol flag (SYN or ACK).
Packet filtering can be very effective for simple services. Example, with a packet filtering router between the external Internet and an internal network with a mail gateway:
Allow only packets with source address Mail gateway.
Allow only packets with destination address Mail gateway, destination port 25.
Allow only TCP ACK packets with source port 25 to destination port 1023.
Never allow a packet with the source address of an internal machine to enter from the external Internet.
Packet Filtering Firewall
Packet Filtering Firewall
Example: drop any TCP/IP packets coming from the Internet to port 23 (Telnet) of any internal host.
The allow/deny policy lists must be maintained and can grow quite complex.
Assume the company LAN uses IP addresses 200.10.10.*; the asterisk (*) means "any".
Rule table columns: Source IP, Source Port, Destination IP, Destination Port, Allow?
Packet Filtering Firewall
1: Allow packets with destination in internal networks 2 and 3.
2: Allow packets with destination in internal networks 1 and 3.
3: Allow packets with any destination.
4: Allow TCP packets with destination address Mail gateway, destination port 25. Allow only TCP ACK packets with source port 25 with destination Mail gateway, port 1023.
(Figure: packet filtering router connecting internal network 1, internal network 2, the mail gateway on internal network 3 and the external Internet, with rules 1-4 marked on the corresponding links.)
Packet Filtering Firewall
A packet filtering firewall host is used when the connection to the Internet is via an external service provider (external router).
Packet filtering is effective for coarse-grained controls but not very effective for fine-grained control: it can allow incoming telnet from a particular host, but cannot allow incoming telnet from a particular user.
The IP source address can be spoofed, and filtering is hard to configure correctly.
Remote router management uses cleartext passwords.
(Figure: internal network, packet filtering firewall host, external router, external Internet.)
Packet Filtering Firewall
Static filtering: requires that the filtering rules governing how the firewall decides which packets are allowed and which are denied be developed and installed in advance.
Dynamic filtering: allows the firewall to react to an emergent event and update or create rules to deal with the event.
Stateful inspection: firewalls that keep track of each network connection between internal and external systems using a state table.
Attacks & Solutions?
Packet Filtering - Advantages
Generally faster, since fewer evaluations are performed.
Easily implemented as hardware solutions.
A single rule can help protect an entire network by prohibiting connections between specific Internet sources and internal computers.
Do not require client computers to be specifically configured.
In conjunction with network address translation, packet filter firewalls can shield internal IP addresses from external users.
Packet Filtering - Disadvantages
Do not understand application layer protocols; cannot restrict access to protocol subsets, so less secure than application layer and circuit level firewalls.
Packet filters are typically stateless, with limited abilities to manipulate information within a packet.
No value-added features such as HTTP object caching, URL filtering and authentication, since they have no knowledge of application protocols.
Little or no audit event generation and alerting mechanisms.
Difficult to test "accept" and "deny" rules.
Circuit Gateways
A circuit gateway firewall operates at the transport layer: it looks at sessions instead of packets or connections.
Built-in support for protocols with secondary connections, such as FTP and RTP.
Like filtering firewalls, circuit gateways do not usually look at the data traffic flowing between two networks, but they prevent direct connections between one network and another. This is accomplished by creating tunnels connecting specific processes or systems on each side of the firewall and allowing only authorized traffic in the tunnels.
Mitigates the risk of network reconnaissance, DoS and IP spoofing.
Application Gateway Firewall
Allow incoming Telnet from our users who are travelling: the user telnets to the gateway machine; the gateway does strong authentication and establishes a telnet relay to the internal machine; the user-to-internal-machine telnet session is relayed through the gateway. Once established, relays do not examine traffic.
Outgoing telnet can similarly be relayed through the gateway: the user telnets to the gateway machine; the gateway establishes a telnet relay to the external machine; the user-to-external-machine telnet session is relayed through the gateway.
(Figure: internal network, application gateway firewall host, external router, external Internet.)
Application Gateway Firewall
Outgoing ftp requires an incoming call: the inside user initiates an ftp connection to the outside machine, and when a file is transferred the outside machine initiates a TCP connection to the inside machine to effect the transfer. Allowing incoming TCP calls to internal machines is dangerous, so use the gateway as a proxy for outgoing ftp.
Proxies and relays have to be implemented for each service; proxies for sophisticated services such as X Windows, NFS, WWW and Gopher exist.
Application Gateway Firewall
Packet filtering and application gateway can be bundled on the same host.

Protocol  Source IP    Source Port  Destination IP  Destination Port  Allow?
tcp       200.10.10.*  *            *               23                No
udp       *            *            200.10.10.*     23                No

Application gateways work better for TCP-based services (recall that UDP is connectionless).
Better control over individual services relative to packet filters: allow filtering of application protocols, e.g. disallow PUT for FTP from internal clients, or filter e-mail attachments for viruses.
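The filtering rules from the packet filtering slides (the anti-spoofing rule, the no-inbound-Telnet example, and the mail gateway rules) together with the two rows of the table above, as an added first-match Python filter that is not the slides' own code. The mail gateway address 200.10.10.25 is a constructed value, and the SMTP-reply rule reads the slides' "destination port 1023" as ports above 1023, which is an assumption.

```python
# Added example (not from the slides): a first-match packet filter encoding the
# rules stated on the slides for a company LAN using 200.10.10.* with a mail
# gateway; the gateway's address 200.10.10.25 is a constructed value.
from __future__ import annotations
from dataclasses import dataclass

INTERNAL_NET = "200.10.10.*"
MAIL_GATEWAY = "200.10.10.25"   # assumed address of the mail gateway


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the Internet, "out" = leaving for it
    protocol: str    # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str = ""  # "SYN" for the first packet of a TCP connection, "ACK" otherwise


@dataclass(frozen=True)
class Rule:
    allow: bool
    direction: str = "*"
    protocol: str = "*"
    src_ip: str = "*"
    src_port: str = "*"   # a port number, "*" (any) or ">N" (greater than N)
    dst_ip: str = "*"
    dst_port: str = "*"
    flags: str = "*"
    note: str = ""


def match_ip(pattern: str, ip: str) -> bool:
    """'200.10.10.*' matches every host on that network; '*' alone matches all."""
    if pattern == "*":
        return True
    return all(p in ("*", o) for p, o in zip(pattern.split("."), ip.split(".")))


def match_port(pattern: str, port: int) -> bool:
    if pattern == "*":
        return True
    if pattern.startswith(">"):
        return port > int(pattern[1:])
    return port == int(pattern)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in ("*", pkt.direction)
            and rule.protocol in ("*", pkt.protocol)
            and match_ip(rule.src_ip, pkt.src_ip)
            and match_port(rule.src_port, pkt.src_port)
            and match_ip(rule.dst_ip, pkt.dst_ip)
            and match_port(rule.dst_port, pkt.dst_port)
            and rule.flags in ("*", pkt.flags))


# Evaluated top to bottom, first match wins; anything not explicitly allowed
# is denied (the stricter of the two default policies quoted on the slides).
RULES = [
    # a packet arriving from the Internet with an internal source address is spoofed
    Rule(False, direction="in", src_ip=INTERNAL_NET, note="anti-spoofing"),
    # no Telnet from the Internet to any internal host
    Rule(False, direction="in", protocol="tcp", dst_ip=INTERNAL_NET, dst_port="23",
         note="no inbound telnet"),
    # the two rows of the table on the slides
    Rule(False, protocol="tcp", src_ip=INTERNAL_NET, dst_port="23", note="table row 1"),
    Rule(False, protocol="udp", dst_ip=INTERNAL_NET, dst_port="23", note="table row 2"),
    # inbound mail: new connections may only go to the gateway's SMTP port ...
    Rule(True, direction="in", protocol="tcp", dst_ip=MAIL_GATEWAY, dst_port="25",
         note="smtp to gateway"),
    # ... and replies to the gateway's own outbound SMTP connections must be ACK
    # packets from port 25 to a high port; a SYN there would open a new connection
    Rule(True, direction="in", protocol="tcp", src_port="25", dst_ip=MAIL_GATEWAY,
         dst_port=">1023", flags="ACK", note="smtp reply to gateway"),
    # only the gateway's own traffic leaves for the Internet
    Rule(True, direction="out", src_ip=MAIL_GATEWAY, note="gateway outbound"),
]


def filter_packet(pkt: Packet, rules: list[Rule] = RULES) -> tuple[bool, str]:
    """Return (allowed?, which rule decided) for one packet."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.allow, rule.note
    return False, "default deny"


if __name__ == "__main__":
    # a spoofed packet: internal source address arriving from the Internet
    print(filter_packet(Packet("in", "tcp", "200.10.10.7", 40000, "200.10.10.25", 25, "SYN")))
```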
Application Layer Filtering
The most sophisticated level of firewall traffic inspection: analyzes a data stream for a particular application and provides application-specific processing; inspects many different protocols.
Works on clear-text traffic; what about encrypted data?
Options
Terminating the SSL traffic at the firewall.
Regenerating SSL traffic from the firewall to the exposed Web service.
Allowing the SSL traffic to pass through the firewall to the back-end server.
Software vs. Hardware: the SOHO Firewall Debate
Which firewall type should the residential user implement? Where would you rather defend against a hacker?
With the software option, the hacker is inside your computer.
With the hardware device, even if the hacker manages to crash the firewall system, the computer and information are still safely behind the now-disabled connection.
Content Filters
A software filter (not a firewall) that allows administrators to restrict content access from within the network.
Essentially a set of scripts or programs restricting user access to certain networking protocols/Internet locations; the primary focus is to restrict internal access to external material.
The most common content filters restrict users from accessing non-business Web sites or deny incoming spam.