1 Internet Security Background on Internet technologies and protocols LANs and WANs IP...


1

Internet Security Background on Internet technologies and protocols

LANs and WANs IP Addressing, DNS OSI model TCP/IP, UDP

• Attacks

• Firewalls

2

Background on Internet Technologies

• Evolution of Networking
  – Batch Environment - 1950s
    • no direct interaction between users and their programs during execution
  – Time Sharing - 1960s
    • dumb terminals were connected to a central computer system
    • Users were able to interact with the computer and could share its information processing resources
    • Marked the beginning of computer communications
  – Distributed Processing: use of minicomputers - 1970s
    • Users demanded computing closer to their work areas
    • Communication between neighbor processors and applications via networks
  – WAN and LAN - 1980s

3

LANs

• collection of hosts connected by a high speed network

• designed and developed for communications and resource sharing in a local work environment (room, campus, building)

• users can access other networks via bridges and gateways

[Figure: a LAN connecting PC 1, PC 2, …, PC n, a Printer and a File Server]

4

WANs and Internetworks

• span a large geographic area, cross public property

• often based on services provided by 3rd party companies, use telephone networks for transmission from one node to another

• can be used to connect several LANs together

• Routers attached to each LAN filter the network traffic to and from the WAN

• LANs can also be connected by special modems or dedicated leased lines

[Figure: PC 1, PC 2, …, PC n and a File Server on a LAN, connected through a Router to the Internetwork]

5

Routers

• Special purpose computers used for interconnecting networks

• Essentially a router receives messages originating from one network and sends (routes) them to the other network

• The process of selecting a network over which to send a message is called routing

• Ex: computers X and Y can communicate via routers R1, R2 and R3

6

An example

[Figure: hosts X and Y communicating via routers R1, R2 and R3]

7

Internet

• The global Internet consists of thousands of computer networks interconnected by routers.

• Internet appears as a single, seamless communication system to which many computers can attach.
  – each computer is assigned an address
  – any computer can send a message to any other computer

9

Transmission Capacity

• Speed of transmission is measured in bits per second (bps) or cycles per second (Hertz)

• Multiplexing: many signals can be sent on a single physical channel

• Based on the physical medium
  – twisted wire pair, coaxial cable, fiber optic cable, satellite transmission, microwave
  – Dial-up access, Leased circuits, Cable modem, DSL technologies, Wireless access

10

Packet Switching

• A message is not sent as a single unit, but broken down into small packets that are transmitted individually

• Each packet has a header that contains information about the source, the destination and the packet number

• Packets may travel on different routes

• They may even arrive at the destination out of order

• Good for data communication

11

Packet Switches

• A WAN is constructed from many switches

• A switch moves packets from one connection to the other

• A switch is a dedicated computer, with two types of connections
  – High-speed connections with other switches; they can be: leased phone lines, optical fibers, microwave, satellite.
  – Low-speed connection: used to connect with an individual computer, or a LAN.

[Figure: Switched Network: three Switches joined by High speed connections]

13

Internet2 (http://www.internet2.edu/)

• Is a high speed network that enables communications 100 - 1000 times faster than today’s internet

• Rutgers, which is part of the Internet2 consortium, has launched RUNet 2000 ($100 million)

• Operates at 10Gbps (compare with the fastest modems now available ~Mbps); 15,000 times faster than a typical home broadband connection

• Developed by academic and research community: more than 205 universities, NSF, NIH, NASA, .., IBM, DEC, Cisco, Sun, MCI, Sprint, ..

• In Europe: European Union-funded network, TEN-34 was launched (initially 34Mbps, will later reach 155Mbps)

• designed to provide a range of broadband network applications: collaborative research, distance learning, video-conferencing, remote medical consultation and diagnoses

14

Internet2 (cont’d)

• Current telephone uses circuit switching where a piece of the network is entirely dedicated to a call

• In contrast, information over the Internet is broken down into small data packets, and the packets navigate from junction to junction (routers)

• Aim of Internet2 is to install “gigapops” (gigabit capacity point of presence) capable of routing packets more quickly through the network (by launching a gigabit switch router to support speeds of 10Gbps)

• With current Internet, real-time images have the same priority as email; Internet2 will be able to distinguish these two (Current IP is democratic)

• Although Internet2 is being developed for universities and research labs, in next 5 years it may reach homes (for $30/month with 10Mbps)

15

IP Addressing

Every host on the Internet has a unique IP address. The IP protocol (the one in use now) has 32 bits for an address. How many hosts total? 2^32 = 4,294,967,296.

The 32 bits must be divided into a Network portion and a Host portion.

Typically written in "dotted decimal" form: 128.6.10.4. In this case, the network portion is 128.6 and the host portion is 10.4.

16

IP Addressing (cont’d)

• How to divide up the addresses? Four Classes of IP addresses:
  – 1. Class A: First bit is 0, next 7 bits define the network, last 24 bits define the hosts. 128 networks with 16,777,216 hosts each.
  – 2. Class B: First two bits are 1 and 0, next 14 bits define the network, last 16 bits define the hosts. 16,384 networks with 65,536 hosts each.
  – 3. Class C: First three bits are 1 1 0, the next 21 bits define the network, last 8 bits define the host. 2,097,152 networks with 256 hosts each.
  – 4. Class D (Multicast): First three bits are 1 1 1, next 29 bits define a multicast address.

17

IP Addressing (cont’d)

For a network with a large number of hosts (e.g. Class B networks), we can divide the hosts into subnetworks using a subnet mask.

The subnet mask indicates which of the 32 bits should be considered the network portion and which should be considered the host portion.

A common subnet mask is 255.255.255.0, meaning the first 24 bits define the network and the last 8 bits define the host.

Special IP address: 127.0.0.1, called the "localhost"
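The classful split and the subnet-mask split described on the last three slides, worked in code. This is an added example, not part of the lecture material; the functions, the 128.6.10.4 sample address and the mask checks are this example's own. The class sizes count every bit pattern, exactly as the slide does, without subtracting reserved addresses.

```python
import ipaddress

# Classful boundaries from the slides: the leading bits decide the class and
# therefore where the 32 bits split into network and host portions.
CLASS_NETWORK_BITS = {"A": 8, "B": 16, "C": 24}


def ip_class(addr: str) -> str:
    """Return the classful letter by inspecting the leading bits of the first octet
    (0 -> A, 10 -> B, 110 -> C, 111 -> D as on the slide; 1111 is reported as E)."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first & 0b1000_0000 == 0:
        return "A"
    if first & 0b1100_0000 == 0b1000_0000:
        return "B"
    if first & 0b1110_0000 == 0b1100_0000:
        return "C"
    if first & 0b1111_0000 == 0b1110_0000:
        return "D"
    return "E"


def classful_split(addr: str) -> tuple[str, str]:
    """Split an address into (network portion, host portion) at the class boundary,
    e.g. 128.6.10.4 is Class B, so the split is ('128.6', '10.4')."""
    cls = ip_class(addr)
    if cls not in CLASS_NETWORK_BITS:
        raise ValueError(f"{addr} is a class {cls} address and has no host portion")
    octets = addr.split(".")
    n = CLASS_NETWORK_BITS[cls] // 8
    return ".".join(octets[:n]), ".".join(octets[n:])


def class_sizes(cls: str) -> tuple[int, int]:
    """(number of networks, hosts per network) for classes A-C, counting every bit
    pattern the way the slide does (no adjustment for reserved addresses)."""
    class_prefix_len = {"A": 1, "B": 2, "C": 3}[cls]
    network_bits = CLASS_NETWORK_BITS[cls] - class_prefix_len
    host_bits = 32 - CLASS_NETWORK_BITS[cls]
    return 2 ** network_bits, 2 ** host_bits


def masked_split(addr: str, mask: str) -> tuple[str, int]:
    """Subnetting: use an explicit mask instead of the class boundary.
    Returns (network address in dotted decimal, host number as an integer).
    A mask must be a run of 1 bits followed by 0 bits; anything else is rejected,
    because a non-contiguous mask silently breaks the network/host split."""
    a = int(ipaddress.IPv4Address(addr))
    m = int(ipaddress.IPv4Address(mask))
    host_mask = (~m) & 0xFFFF_FFFF
    if host_mask & (host_mask + 1):        # non-zero iff the 0 bits are not one trailing run
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return str(ipaddress.IPv4Address(a & m)), a & host_mask


def total_addresses() -> int:
    """Size of the 32-bit address space (2**32)."""
    return 2 ** 32


if __name__ == "__main__":
    print("total 32-bit addresses:", f"{total_addresses():,}")
    print("128.6.10.4 ->", ip_class("128.6.10.4"), classful_split("128.6.10.4"))
    print("127.0.0.1 ->", ip_class("127.0.0.1"), classful_split("127.0.0.1"))
    print("with mask 255.255.255.0:", masked_split("128.6.10.4", "255.255.255.0"))
    for c in "ABC":
        nets, hosts = class_sizes(c)
        print(f"class {c}: {nets:,} networks x {hosts:,} hosts")
```

Run it as a script to print the class table; the mask validation is the part worth keeping, since a typo such as 255.0.255.0 would otherwise be accepted and produce a nonsensical split.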

18

Domain Name Services

• Each host on the Internet has its own unique IP address - Who can remember all of them?

• DNS gives us a means to map an IP address to a "host name" and vice versa.

• Host names are typically broken down into 4 or 5 parts:
  – 1. A geographic (e.g. country) designation is given at the "highest level":
    • uk us ca au fr it dr zw
  – 2. An organizational designation may be in place of geographic but can also appear in combination:
    • com edu gov mil org net
  – 3. The next level down in the "organizational" level:
    • rutgers microsoft pizzahut plannetreebok
  – 4. Within an organization, there may be several individual hosts, each with their own name:
    • CIMIC andromeda

19

Domain Name Services (cont’d)

• These parts are assembled from right to left:
  – andromeda.rutgers.edu
  – www.microsoft.com
  – psych.leeds.ed.uk
  – www.whitehouse.gov

• Resolving Internet Names using DNS
  – Most commonly used IP and host name pairs are kept in a hosts file. See /etc/hosts
  – If not in the hosts file, a primary DNS site is consulted.
  – UDP is used to send a DNS Query message to the designated Name Server on port 53.
  – This is done in a logical fashion, e.g. for host names ending in rutgers.edu, a local Rutgers DNS server can be queried.

20

Domain Name Services (cont’d)

• If not found at a local DNS server, additional secondary DNS servers are checked until

• 1.The connection times out or

• 2.The request exceeds a predefined hop count

• 3.The list of DNS servers is exhausted

• Look at: /etc/resolv.conf on UNIX systems. In Windows, look at the properties of the TCP/IP protocol.
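The lookup order on the last two slides (hosts file first, then the name servers in /etc/resolv.conf until the list is exhausted), as an added example that is not part of the lecture. The two sample files are constructed for the example; the addresses in them are not real systems. The parsing of both formats is genuine; the name-server step only reports which servers would be queried and in what order, since nothing is sent on the wire here. The search-domain handling is a simplification (bare names only) and is an assumption of this example.

```python
from typing import Optional

# Constructed sample files, not copied from any real system.
HOSTS_TEXT = """\
# /etc/hosts  (constructed example)
127.0.0.1    localhost
128.6.10.4   andromeda.rutgers.edu andromeda   # alias after the FQDN
128.6.10.5   cimic.rutgers.edu     cimic
"""

RESOLV_TEXT = """\
# /etc/resolv.conf  (constructed example)
search rutgers.edu
nameserver 128.6.1.1
nameserver 128.6.1.2
options timeout:2 attempts:3
"""


def _strip(line: str) -> str:
    """Drop comments and surrounding whitespace; '' for blank or comment-only lines."""
    return line.split("#", 1)[0].strip()


def parse_hosts(text: str) -> dict[str, str]:
    """Map every name and alias in a hosts file to its address.  Names are
    case-insensitive; the first entry for a name wins, as in the C library."""
    table: dict[str, str] = {}
    for raw in text.splitlines():
        line = _strip(raw)
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def parse_resolv(text: str) -> tuple[list[str], list[str]]:
    """Return (name servers in order, search domains) from a resolv.conf body."""
    servers: list[str] = []
    search: list[str] = []
    for raw in text.splitlines():
        line = _strip(raw)
        if not line:
            continue
        key, *rest = line.split()
        if key == "nameserver" and rest:
            servers.append(rest[0])
        elif key in ("search", "domain") and rest:
            search = rest          # a later search/domain line replaces an earlier one
    return servers, search


def candidate_names(name: str, search: list[str]) -> list[str]:
    """Names to try for a lookup.  A trailing dot marks a fully qualified name;
    a bare label is also tried with each search domain appended (simplified
    ndots=1 behaviour, an assumption of this example)."""
    name = name.lower()
    if name.endswith("."):
        return [name[:-1]]
    if "." in name:
        return [name]
    return [name] + [f"{name}.{d.lower()}" for d in search]


def resolve(name: str, hosts_text: str = HOSTS_TEXT,
            resolv_text: str = RESOLV_TEXT) -> tuple[Optional[str], list[str]]:
    """(address, servers_to_query).  If the hosts file answers, servers_to_query is
    empty; otherwise address is None and the list names the DNS servers that would
    be sent a UDP query on port 53, in order, until the list is exhausted."""
    hosts = parse_hosts(hosts_text)
    servers, search = parse_resolv(resolv_text)
    for candidate in candidate_names(name, search):
        if candidate in hosts:
            return hosts[candidate], []
    return None, servers


if __name__ == "__main__":
    for n in ("andromeda", "CIMIC.rutgers.edu", "localhost", "www.microsoft.com"):
        print(n, "->", resolve(n))
```

Because the hosts file is consulted before any server, a writable hosts file overrides DNS for every program on the machine; that is why its permissions matter and why unexpected entries in it are worth alerting on.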

21

The Structure of WWW

A global collection of hypertext pages stored on Internet hosts.

– Hypertext - Text documents that allow non-linear reading through hypertext links.

– Normally we read a book in a linear fashion. Page 1, then Page 2, etc.

– With hypertext, we follow our curiosity by skipping around the document(s) using hypertext links.

• Hypertext is made up of three distinct parts:
  – Text Pages - The text you read.
  – Anchors - The starting point for a link.
  – Links - A pointer to another text page.

22

WWW (cont’d)

URL - Uniform Resource Locator. The address of a hypertext page or other Internet resource.

HTML - The HyperText Markup Language. The language used to create hypertext pages for use on the WWW.

WWW Browser - A program capable of displaying hypertext pages and navigating the WWW by allowing users to select hypertext links. Examples: Netscape Navigator, NCSA Mosaic, Microsoft Internet Explorer, Mozilla

WWW Server - A daemon program (httpd) that responds to requests from a WWW Browser by sending it HTML hypertext pages.

23

The WWW Client/Server Model

• WWW Servers are Servers

• The request protocol used for WWW pages is HTTP - The HyperText Transfer Protocol.
  – 1. HTTP is an application layer protocol.
  – 2. Uses TCP/IP to make a connection.
  – 3. Issues a GET command.
  – 4. HTML Pages are returned.

• Other protocols can also be used within a WWW Browser:
  – FTP - File Transfer Protocol
  – E-Mail
  – Telnet

24

URLs

• Uniform Resource Locators
  – A three part name for a WWW or Internet resource: protocol://hostname/filename

• 1.Protocol: The application layer protocol used to access the resource. Examples: HTTP, FTP, GOPHER, MAILTO

• 2.Host Name: The name of the host (or IP address) where the resource is located.

• 3.File Name: The directory and file name of the resource.

» URL Examples

25

Communication Architecture

• Why do we need one?
  – Communication systems involve heterogeneous technologies
  – they change rapidly
  – they are complex (addressing, routing, multiplexing, error control, …)

• How to cope with the above?
  – modularization
  – standardization

• International Standards Organization (ISO) developed the Open Systems Interconnection (OSI) reference model (1974)

26

OSI Reference Model

• Consists of seven layers

• Each layer provides a set of functions to the layers above and relies on the functions provided by the layers below

• Each layer communicates with its peer layer on the other node (protocols)

• The layer boundaries (interfaces) should be designed in such a way as to minimize the information flow between the boundaries

• The main idea is to have independent standards for different layers so that changes to one would not cause changes in other layers

27

OSI Reference Model (cont’d)

+--------------+                       +--------------+
| application  |<--------------------->| application  |
+--------------+                       +--------------+
| presentation |<--------------------->| presentation |
+--------------+                       +--------------+
| session      |<--------------------->| session      |
+--------------+                       +--------------+
| transport    |<--------------------->| transport    |
+--------------+      +---------+      +--------------+
| network      |<---->| network |<---->| network      |
+--------------+      +---------+      +--------------+
| data link    |<---->|data link|<---->| data link    |
+--------------+      +---------+      +--------------+
| physical     |<---->|physical |<---->| physical     |
+--------------+      +---------+      +--------------+

28

OSI Reference Model (cont’d)

[Figure: User A and User B, each with the seven-layer stack (application, presentation, session, transport, network, data link, physical) over a shared physical medium; the layers are grouped into higher level protocols and lower level protocols]

29

Physical Layer

• The physical layer defines electrical signaling on the transmission channel; how bits are converted into electrical current, light pulses or any other physical form

• Specific functions
  – connection establishment and termination
  – encoding and transmission of bits
  – Repeating or amplification to increase the range of transmission

30

Data Link Layer

• Specifies how to organize data into packets, and how to transmit packets over a network. For example, defined in this layer are:
  – maximum packet size,
  – format of the packet header,
  – checksum computation

• Defines how the network layer packets are transmitted as bits

• Examples of data link layer protocols
  – PPP (Point to Point Protocol)
  – Ethernet framing protocol

• Bridges work at this layer only

• Other functions
  – Framing and Error detection
    • transmission might get corrupted, bits may be lost (parity, checksum)
    • may lose connection
  – Flow control
    • may send data too fast for a modem
    • data might get delayed a long time in the network

31

The Network Layer

• Specifies how addresses are formed (IP addresses)

• How packets are forwarded (store and forward technique)

• Delivers packets from sending computer to receiving computer (host-to-host)

• Defines how information from the transport layer is sent over networks and how different hosts are addressed

• Example of a network layer protocol: the Internet Protocol

• Device that takes care of the network level functions is a router or sometimes a gateway

• Functions
  – Addressing: Determines which machine to send the packet to
  – Routing: Determines the best set of links
  – Congestion Control: Routes the packets via a different route if one intermediate node gets flooded with packets

32

IP address is different from physical address

33

The Transport Layer

• Handles details of reliable transfer
  – format of acks, retransmission times, rules for changing it

• Essentially, takes care of data transfer, ensuring the integrity of data if desired by the upper layers

• Provides end-to-end delivery

• Functions:
  – establishing and terminating connection
  – flow control
  – error detection and correction
  – multiplexing

• TCP and UDP operate at this layer

34

The Session Layer

• Specifies how to establish a communication with a remote system, e.g. telnet
  – authentication details; e.g. passwords

• Establishes and terminates connections and arranges sessions into logical parts

• Provides a means of controlling the dialogue between two end users
  – Dialogue management (half versus full duplex)
  – Synchronization and recovery management

• This layer is not often used in existing systems

• TCP and RPC provide some functions at this layer

35

The Presentation Layer

• Specifies how to represent data
  – Takes care of data type conversion

• Different computers use different internal representations (Ex: ASCII, EBCDIC) for integers and characters

• How to translate from one representation to another

• An example of protocol residing at this layer: XDR (External Data Representation), which is used by RPC applications to provide interoperability between heterogeneous computer systems

• Presentation layer functions are, in most systems, handled elsewhere in the network protocols

36

The Application Layer

• Specifies how one particular application uses a network
  – Specifies request format (how to name a file) and how the application on another machine responds.

• Defines the protocols to be used between the application programs

• Examples of protocols at this layer are: protocols for electronic mail (e.g. SMTP), file transfer (e.g. FTP) and remote login, directory look up, http

37

How layered software works?

• Each layer solves one part of the problem

• To do so, each layer on the sending computer adds information to the outgoing data

• The same layer in the receiving computer uses the additional information to process the data (for example: checksums in the data link layer)

38

How layered software works?

• Layering Principle: Layer N software on the destination computer must receive the exact message sent by layer N software on the sending computer.

• For example
  – if one layer adds a header, the corresponding layer has to remove it.
  – If one layer encrypts data, the receiving computer layer has to decrypt it.
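The layering principle from the last two slides, shown with a two-layer toy stack: each layer on the sender prepends its own header, and the same layer on the receiver strips exactly that header, so the receiving transport layer sees byte-for-byte what the sending transport layer produced. This is an added example, not lecture material. The header layouts are constructed for the example (a UDP-like 8-byte transport header, a 9-byte network header with no checksum of its own); only the checksum routine is the real Internet ones'-complement checksum that IP, TCP and UDP use.

```python
import struct
import ipaddress
from typing import Optional


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum of 16-bit words; odd-length data is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                           # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


class TransportLayer:
    """Constructed UDP-like header: src port, dst port, total length, checksum (8 bytes)."""
    FMT = "!HHHH"

    def send(self, payload: bytes, sport: int, dport: int) -> bytes:
        length = struct.calcsize(self.FMT) + len(payload)
        with_zero = struct.pack(self.FMT, sport, dport, length, 0) + payload
        csum = internet_checksum(with_zero) or 0xFFFF   # a computed 0 is sent as 0xFFFF
        return struct.pack(self.FMT, sport, dport, length, csum) + payload

    def receive(self, segment: bytes) -> tuple[int, int, bytes]:
        sport, dport, length, _ = struct.unpack(self.FMT, segment[:8])
        if length != len(segment):
            raise ValueError("transport: length field does not match segment")
        if internet_checksum(segment) != 0:          # an intact segment sums to zero
            raise ValueError("transport: checksum mismatch, segment corrupted")
        return sport, dport, segment[8:]


class NetworkLayer:
    """Constructed IP-like header: 4-byte src, 4-byte dst, 1-byte protocol (9 bytes)."""
    FMT = "!4s4sB"

    def send(self, segment: bytes, src: str, dst: str, proto: int = 17) -> bytes:
        return struct.pack(self.FMT, ipaddress.IPv4Address(src).packed,
                           ipaddress.IPv4Address(dst).packed, proto) + segment

    def receive(self, packet: bytes) -> tuple[str, str, int, bytes]:
        src, dst, proto = struct.unpack(self.FMT, packet[:9])
        return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
                proto, packet[9:])


def deliver(app_data: bytes, src: str, dst: str, sport: int, dport: int,
            corrupt_byte: Optional[int] = None) -> tuple[str, str, int, int, bytes]:
    """Run app_data down the sender's stack and up the receiver's, returning what
    the receiving application layer is handed.  If corrupt_byte is given, one bit
    of the wire bytes at that offset is flipped on the way; a flip inside the
    transport segment (offset >= 9) is caught by the receiving transport layer."""
    transport, network = TransportLayer(), NetworkLayer()
    segment = transport.send(app_data, sport, dport)          # transport adds its header
    wire = network.send(segment, src, dst)                    # network adds its header
    if corrupt_byte is not None:
        damaged = bytearray(wire)
        damaged[corrupt_byte] ^= 0x01
        wire = bytes(damaged)
    rx_src, rx_dst, _proto, rx_segment = network.receive(wire)  # network removes its header
    rx_sport, rx_dport, rx_payload = transport.receive(rx_segment)  # transport removes its header
    return rx_src, rx_dst, rx_sport, rx_dport, rx_payload


if __name__ == "__main__":
    print(deliver(b"GET /index.html", "128.6.10.4", "198.51.100.7", 40000, 80))
```

The checksum check lives in the transport layer, not the application, which is the point of the slide: the layer that added the header is the one that verifies and removes it. The toy network header carries no checksum, so a flipped bit there would not be caught here; real IP protects its header with the same kind of checksum.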

39

Once Again, The purpose of Layers

• Each layer can be:
  – Designed
  – Implemented
  – Tested
  independently of other layers.

• Each layer can change and evolve independent of other layers

40

Applications

• Electronic mail
• File transfers (FTP)
• Remote login (TELNET, rlogin)
• Chat
• Bulletin boards and Network News
• Commerce
• Network news
• Networked information discovery and retrieval tools
• Fax over the Internet
• Games
• ….

41

TCP/IP Protocol Stack: Basic protocols

  Layers 5-7   TELNET  FTP  SMTP  HTTP  …..
  Layer 4      TCP  UDP
  Layer 3      IP
  Layer 2      Ethernet  Token-ring  ATM  PPP  …..

42

TCP/IP Protocol Stack: Infrastructure and Security protocols

  Layers 5-7   TELNET  FTP  SMTP  HTTP  …..
  Layer 4      TCP  UDP
  Layer 3      IP
  Layer 2      Ethernet  Token-ring  ATM  PPP  …..

Infrastructure and security protocols shown alongside the stack: RIP, EGP, BGP; DNS, SSL; ICMP, IPSEC, ARP, RARP

ICMP: Internet Control Message Protocol, ARP: Address Resolution Protocol, RARP: Reverse Address Resolution Protocol, DNS: Domain Name Service, RIP: Routing Information Protocol, BGP: Border Gateway Protocol, EGP: External Gateway Protocol, SSL: Secure Socket Layer

43

TCP/IP (Transmission Control Protocol/Internet Protocol)

• TCP/IP is the basic communication protocol of the Internet
  – Protocol: the special set of rules for communicating that the end points in a telecommunication connection use when they send signals back and forth.

• TCP, IP, HTTP, FTP, and other protocols, each with a defined set of rules to use with other Internet points relative to a defined set of capabilities.

44

TCP/IP (Cont’d)

• TCP:
  – manages the assembling of a message into packets that are transmitted over the Internet and received by a TCP layer that reassembles the packets into the original message.
    • A packet is the unit of data that is routed between an origin and a destination on the Internet or any other packet-switched network

• IP
  – handles the address part of each packet so that it gets to the right destination.

45

TCP/IP (Cont’d)

• Uses the client/server model of communication

• Communication is primarily point-to-point:
  – Each communication is from one point (or host computer) in the network to another point or host.

• Higher layer application protocols that use TCP/IP to get to the Internet
  – Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Telnet (Telnet), and the Simple Mail Transfer Protocol (SMTP).

46

TCP

• Adds Port Numbers, packet Sequence Numbers, Acknowledgement Numbers and other fields to IP addresses. A Port number refers to a specific application running on a host, e.g. SMTP uses Port 25 while Telnet uses Port 23.

• TCP Header format
  – source port number
    • source IP address + source port number is a socket: uniquely identifies sender
  – destination port number
    • destination IP address + destination port number is a socket: uniquely identifies receiver
  – SYN, ACK flags
  – sequence number
  – acknowledgement number

47

TCP (cont’d)

• Result is a TCP/IP "stream" - a connection established using a handshake and error detection/control through positive acknowledgement.
  – Three-way handshake:
    • 1. A sends a SYN message to B - I'd like to set up a connection and I will start with sequence number s
    • 2. B Replies with a SYN and ACK message to A - Yes I will talk to you.
    • 3. A sends an ACK message to B along with the first piece of data - I got your ACK so here's the start of my data.

  initiator                          responder
      | ------------ SYN(A) ------------> |
      | <------- SYN(B), ACK(A) --------- |
      | ------------ ACK(B) ------------> |

48

TCP (cont’d)

• Useful for when error correction is required and connection will last a long time (e.g. large data transfer).

• Large data is broken into chunks and sent separately. Can arrive in any order. Discards duplicates.

• Provides flow control.

49

User Datagram Protocol (UDP)

• Adds Port Numbers to IP addresses. A Port number refers to a specific application running on a host, e.g. SMTP uses Port 25 while Telnet uses Port 23.

• UDP header format
  – source port number
    • source IP address + source port number is a socket: uniquely identifies sender
  – destination port number
    • destination IP address + destination port number is a socket: uniquely identifies receiver
  – Also an optional Checksum - Error checking

• No handshaking or error control

• Also called a "Connectionless" protocol

• Often referred to as "Unreliable" - meaning error control can't be relied upon.

• Useful for situations where overhead is a concern. Small data requests such as queries, etc.

50

TCP/UDP Port Numbers and Services

TCP and UDP add Port Numbers to the IP addresses. Each port corresponds to a specific application or service.

Ports 1 - 1024 are generally considered privileged ports. That is, on UNIX systems, one needs to have special permissions to run services on these ports.

Above 1024, any port number can be used. The Internet assigned numbers committee agrees on some standard port numbers.

51

TCP/UDP Port Numbers and Services (cont’d)

• The following are some well known services and their assigned IP port numbers.

  Service      Port   Protocol
  Day Time     13     TCP/UDP
  FTP          21     TCP
  Telnet       23     TCP
  SMTP Mail    25     TCP
  DNS          53     UDP
  HTTP/WWW     80     TCP

52

Internet Security

• Background on Internet technologies and protocols
  • LANs and WANs
  • IP Addressing, DNS
  • OSI model
  • TCP/IP, UDP

• Attacks

• Firewalls
  • benefits, limitations
  • various types

53

Attacks

• Public, private, and government networks have been penetrated by unauthorized users and rogue programs

• Increased volume of security breaches

• Computer Emergency Response Team (CERT) reports a tremendous increase in cracking incidents

• Insider attack
  – The insider is already an authorized user
  – insider acquires privileged access
    • exploiting bugs in privileged systems programs
    • exploiting poorly configured privileges
  – install backdoors/trojan horses to facilitate subsequent acquisition of privileged access
  – Exploitation of software bugs

• Outsider attack
  – acquire access to an authorized account
  – perpetrate an insider attack

54

Attacks

• outsider/insider attack
  – password-based attacks
  – attacks that exploit trusted access
  – spoof network protocols to effectively acquire access to an authorized account (IP spoofing)

• Unauthorized access to resources

• Disclosure, modification, and destruction of resources

• Compromised system used as hostile attack facility

• Masquerade as authorized user or end system

• E-Mail forgery

• Importation of malicious or infected code
  – Session hijacking
  – Network sniffing/packet sniffing
    • User IDs, passwords, and other information are often stolen on the Internet

• Denial of service attack
  – flooding network ports

55

Attacks

• Infrastructure attacks
  – router attacks
    • modify router configurations
  – domain name server attacks
  – internet service attacks
    • web sites, ftp archives

56

Contributing Factors

• Lack of awareness of Internet threats and risks
  – Security measures are often not considered until an Enterprise has been penetrated by malicious users

• Wide-open network policies
  – Many Internet sites allow wide-open Internet access

• Vast majority of Internet traffic is unencrypted
  – Network traffic can be monitored and captured

• Lack of security in TCP/IP protocol suite
  – Most TCP/IP protocols not built with security in mind
  – Work is actively progressing within the Internet Engineering Task Force (IETF)

• Complexity of security management and administration

• Exploitation of software (e.g., protocol implementation) bugs
  – Example: Sendmail bugs

• Cracker skills keep improving

57

Who is perpetrating these attacks?

• People with lots of free time

• Former/disgruntled employees

• Current/disgruntled employees

• Current/former/disgruntled customers

• Governments

58

TCP SYN Flooding attack

• TCP 3 way handshake
  – send SYN packet with random IP source address
  – return SYN-ACK packet is lost
  – this half open connection stays for a fairly long period of time

• Denial of service attack

• Basis for IP spoofing attack

  initiator                          responder
      | ------------ SYN(A) ------------> |
      | <------- SYN(B), ACK(A) --------- |
      | ------------ ACK(B) ------------> |

59

SYN Flooding

• Upper limit of how many concurrent SYN requests TCP can process for a given socket (called the backlog)

• length of the queue where incoming (as yet incomplete) connections are kept

• Queue limit applies to both
  – the number of incomplete connections (the 3-way handshake is not complete)
  – the number of completed connections that have not been pulled from the queue by the application by way of the accept() system call.

• If the backlog limit is reached, TCP silently discards all incoming SYN requests until the pending connections can be dealt with
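A model of the listening socket's queue as the SYN flooding slides describe it, serving both the three-way handshake slide and the backlog slide above. This is an added example, not lecture material: the Listener class, the counters, the 203.0.113.x / 198.51.100.x addresses (documentation ranges) and the 75-second default timeout are constructed for the example. Half-open and completed-but-unaccepted connections share one backlog; when it is full, further SYNs are silently dropped; entries that never complete are reclaimed only when the half-open timer expires, which is exactly why a flood of SYNs from unreachable sources keeps legitimate clients out for the length of that timer.

```python
from dataclasses import dataclass, field
from typing import Optional
import secrets

Peer = tuple  # (ip, port) of the remote end


@dataclass
class HalfOpen:
    our_isn: int          # the ISN we chose for our SYN-ACK
    their_isn: int        # sequence number s from the client's SYN
    created: float        # when the SYN arrived
    retransmits: int = 0  # how often the client repeated its SYN


@dataclass
class Listener:
    backlog: int
    syn_timeout: float = 75.0     # seconds a half-open entry is kept (constructed default)
    half_open: dict = field(default_factory=dict)
    completed: list = field(default_factory=list)
    dropped_syns: int = 0

    def queue_len(self) -> int:
        """Both incomplete and completed-but-unaccepted connections occupy the backlog."""
        return len(self.half_open) + len(self.completed)

    def expire(self, now: float) -> int:
        """Reclaim half-open entries older than syn_timeout; returns how many were dropped."""
        stale = [p for p, h in self.half_open.items() if now - h.created >= self.syn_timeout]
        for p in stale:
            del self.half_open[p]
        return len(stale)

    def on_syn(self, peer: Peer, their_isn: int, now: float) -> Optional[tuple[int, int]]:
        """Step 1 arrives.  Returns our SYN-ACK as (our_isn, ack = their_isn + 1),
        or None when the backlog is full and the SYN is silently discarded."""
        self.expire(now)
        if peer in self.half_open:                 # retransmitted SYN: repeat the SYN-ACK
            h = self.half_open[peer]
            h.retransmits += 1
            return h.our_isn, (h.their_isn + 1) & 0xFFFFFFFF
        if self.queue_len() >= self.backlog:
            self.dropped_syns += 1
            return None
        our_isn = secrets.randbits(32)             # unpredictable ISN (contrast the counter the slides sample)
        self.half_open[peer] = HalfOpen(our_isn, their_isn, now)
        return our_isn, (their_isn + 1) & 0xFFFFFFFF

    def on_ack(self, peer: Peer, ack: int, now: float) -> bool:
        """Step 3: the ACK must acknowledge our ISN + 1 exactly, otherwise it is ignored."""
        self.expire(now)
        h = self.half_open.get(peer)
        if h is None or ack != (h.our_isn + 1) & 0xFFFFFFFF:
            return False
        del self.half_open[peer]
        self.completed.append(peer)
        return True

    def accept(self) -> Optional[Peer]:
        """The application pulls one completed connection off the queue."""
        return self.completed.pop(0) if self.completed else None


def flood_demo(backlog: int = 4, timeout: float = 75.0) -> dict:
    """Fill the backlog with SYNs whose sources never answer, show a legitimate
    client's SYN being dropped, then show it succeeding once the stale half-open
    entries time out.  Returns the counters a monitor would watch."""
    l = Listener(backlog=backlog, syn_timeout=timeout)
    for i in range(backlog):                       # half-open entries that will never complete
        l.on_syn(("203.0.113.%d" % (10 + i), 40000 + i), their_isn=1000 + i, now=0.0)
    peak = l.queue_len()
    while_full = l.on_syn(("198.51.100.7", 51000), their_isn=777, now=1.0)    # dropped
    after = l.on_syn(("198.51.100.7", 51000), their_isn=777, now=timeout + 1.0)
    our_isn, ack = after
    completed = l.on_ack(("198.51.100.7", 51000), our_isn + 1, now=timeout + 1.1)
    return {"half_open_peak": peak, "dropped_while_full": l.dropped_syns,
            "legit_syn_dropped": while_full is None, "legit_completed": completed,
            "accepted": l.accept(), "ack_must_match": ack == 778}


if __name__ == "__main__":
    print(flood_demo())
```

The two numbers worth graphing on a real host are the half-open count and the dropped-SYN count: a half-open count pinned at the backlog while drops climb is the signature of the attack the slides describe, and shortening the half-open timer or enlarging the backlog are the corresponding knobs.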

60

DoS vs Distributed DoS

61

IP Spoofing

• send SYN packet with spoofed IP address

• SYN flood real source so it drops SYN-ACK packet

• guess sequence number and send ACK packet to target
  – target will continue to accept packets and response packets will be dropped

  initiator                          responder
      | ------------ SYN(A) ------------> |
      | <------- SYN(B), ACK(A) --------- |
      | ------------ ACK(B) ------------> |

62

IP Spoofing

• First, choose the target host

• Discover a pattern of trust, along with a trusted host

• Disable the trusted host

• Sample the target's TCP sequence numbers

• Impersonate the trusted host

• Guess the sequence numbers

• Make a connection attempt to a service that only requires address-based authentication

• If successful, the attacker executes a simple command to leave a backdoor

63

Patterns of trust

• After choosing a target, must determine the patterns of trust
  – It is necessary to assume the target host *does* in fact trust somebody. If it didn't, the attack ends here

• Figuring out who a host trusts may or may not be easy

• A 'showmount -e' may show where filesystems are exported

• rpcinfo can give out valuable information as well

• With sufficient background information, it should not be too difficult

• If all else fails, trying neighboring IP addresses in a brute force effort may be a viable option

64

SYN Flooding

• The attacking host sends several SYN requests to the TCP port she desires disabled

• The attacking host also must make sure that the source IP-address is spoofed to be that of another, currently unreachable host (the target TCP will be sending its response to this address)

• IP may inform TCP that the host is unreachable, but TCP considers these errors to be transient and leaves the resolution of them up to IP (reroute the packets, etc.), effectively ignoring them.

• The IP-address must be unreachable because the attacker does not want any host to receive the SYN/ACKs that will be coming from the target TCP (this would result in a RST being sent to the target TCP, which would foil the attack).

65

Sequence number sampling and prediction

• Attacker needs to get an idea of where in the 32-bit sequence number space the target's TCP is

• Connect to a TCP port on the target (SMTP is a good choice) just prior to launching the attack and complete the three-way handshake.

• Same as a normal connection, except that the attacker saves the value of the Initial Sequence Number sent by the target host

• Repeat the process several times and the final ISN sent is stored

• The attacker needs to get an idea of what the RTT (round-trip time) from the target to her host is like (repeat and average)

• Necessary to accurately predict the next ISN

• Baseline (the last ISN sent), incrementation speed (128,000/second and 64,000 per connect), datagram travel time – guess the next ISN

• Immediately proceed to the next phase of the attack
  – Another TCP connection on the attack port, the ISN predicted would be off by 64,000

66

Session Hijacking

• Send SYN packet with spoofed source IP address and appropriate sequence number to one end

• SYN-flood that end

• send ACK packets to target at the other end

67

Packet Sniffing

• Shared media network
  – a program that monitors and analyzes network traffic, detecting bottlenecks and problems
  – packets can be intercepted at any point
  – login packets travelling over the Internet can be captured
  – intruder can find hostname, username, password and gain access to the system
  – can also obtain sensitive information

68

Internet Security

• Background on Internet technologies and protocols
  • LANs and WANs
  • OSI model
  • TCP/IP, UDP, DNS

• Attacks

• Firewalls
  • benefits, limitations
  • various types

69

Internet Firewalls: What we need

– Make some services available within the company such as Telnet/Rlogin and FTP between the company's hosts.

– Disallow outside users from gaining access to the company's internal hosts via Telnet, FTP, etc.

– Allow users within the company to access other services on the Internet such as WWW and FTP.

– Allow users from the Internet to visit the company's WWW home pages.

– Allow the exchange of e-mail with others on the Internet.

70

But,

It is difficult to restrict traffic in only one direction. Recall that the TCP/IP protocol sends acknowledgements to make sure data arrives whole.

What we need is a more sophisticated gatekeeper that can distinguish what services to allow and which to block.

The general term for this is a Firewall.

71

Firewalls

• Filter between private network and internet

• Prevent specific types of information from moving between the outside world (untrusted network) and the inside world (trusted network)

• May be separate computer system; a software service running on existing router or server; or a separate network containing supporting devices

72

Proxy Servers

• Proxy servers: Software servers that handle all communications originating from inside an organization
  – May improve performance considerably, by caching the most frequently asked pages.

73

Firewalls and Proxy Servers

74

Most rudimentary firewall

• Network adapter input filters

• Examines
  – source or destination addresses
  – other information in the incoming packet
    • Matches IP addresses
    • port numbers for UDP and TCP
    • protocol of the traffic - TCP, UDP, and generic routing encapsulation (GRE)

• Blocks packet or allows it through

• Applies only to incoming traffic

• Cannot control outgoing traffic

75

Basic Internet Firewalls

A basic firewall is a router or host with 2 network interfaces.
  – One interface is connected to the Internet - the Host side.
  – The second is connected to the company's internal network.

Two overall policies:
  – Anything not explicitly denied is allowed.
  – Anything not explicitly allowed is denied.

76

Benefits

• Secure and carefully administer firewall machines to allow controlled interaction with the external internet

• internal machines can be administered with varying degrees of care

• does work

77

Basic Limitations

• Connections that bypass the firewall may be dangerous

• services through the firewall introduce vulnerabilities

• insiders can exercise internal vulnerabilities

• not possible to safely squeeze everything that users desire through a firewall
  – users settle for degraded service
  – tolerate increased vulnerability

• performance may suffer

• single point of failure

78

Types of Firewalls

  Packet Filtering firewall       IP layer
  application gateway firewall    application layer
  circuit relay firewalls         TCP layer
  combinations of these

79

Packet filtering firewall

Special software examines the network traffic (TCP, UDP and IP packets) and selectively blocks or allows IP packets

Each IP packet contains
  – 32 bit source IP address, 32 bit destination IP address, 8 bit protocol field, additional header fields, data
  – typically several 100 bytes long

An IP packet carries TCP or UDP header data
  – the TCP/UDP header in the data part of the IP packet carries a 16 bit source port number and a 16 bit destination port number
  – the TCP header also carries SYN: first packet in a TCP connection; ACK: packet from an existing connection

  | IP header | TCP header | application data |
  | IP header | UDP header | application data |
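A parser for exactly the fields the slide lists: the two 32-bit addresses and the 8-bit protocol field from the IP header, then the 16-bit ports and, for TCP, the SYN and ACK flags from the header carried in the IP data part. This is an added example and not part of the lecture. The IPv4, TCP and UDP header layouts are the real ones; the packets built by build_packet are constructed samples with zero checksums (checksums are not validated here), and the 200.10.10.x / 198.51.100.x addresses are the slide's LAN range and a documentation range.

```python
import struct
import ipaddress

IPV4_FMT = "!BBHHHBBH4s4s"   # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst
TCP_FMT = "!HHIIBBHHH"       # sport, dport, seq, ack, data offset/reserved, flags, window, csum, urgent
UDP_FMT = "!HHHH"            # sport, dport, length, csum
PROTO_TCP, PROTO_UDP = 6, 17
TCP_SYN, TCP_ACK = 0x02, 0x10


def build_packet(src: str, dst: str, proto: int, sport: int, dport: int,
                 payload: bytes = b"", flags: int = 0, ttl: int = 64) -> bytes:
    """Assemble a constructed IPv4 packet carrying a minimal TCP or UDP header."""
    if proto == PROTO_TCP:
        l4 = struct.pack(TCP_FMT, sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    elif proto == PROTO_UDP:
        l4 = struct.pack(UDP_FMT, sport, dport, 8 + len(payload), 0) + payload
    else:
        raise ValueError("only TCP and UDP samples are built here")
    ip = struct.pack(IPV4_FMT, (4 << 4) | 5, 0, 20 + len(l4), 0, 0, ttl, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + l4


def parse_packet(pkt: bytes) -> dict:
    """Extract the filter-relevant fields; raise ValueError on a malformed packet.
    Every length field is checked against the bytes actually present, because a
    filter that trusts the header's own lengths can be made to skip the ports."""
    if len(pkt) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4                   # header length in bytes, options included
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("inconsistent IP header/total length")
    info = {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl}
    l4 = pkt[ihl:total_len]                      # the IP data part: TCP/UDP header + application data
    if proto == PROTO_TCP:
        if len(l4) < 20:
            raise ValueError("truncated TCP header")
        sport, dport, seq, ack_no, off_res, flags, *_ = struct.unpack(TCP_FMT, l4[:20])
        hlen = (off_res >> 4) * 4
        if hlen < 20 or hlen > len(l4):
            raise ValueError("bad TCP data offset")
        info.update(proto_name="TCP", sport=sport, dport=dport, seq=seq, ack_no=ack_no,
                    syn=bool(flags & TCP_SYN), ack=bool(flags & TCP_ACK), payload=l4[hlen:])
    elif proto == PROTO_UDP:
        if len(l4) < 8:
            raise ValueError("truncated UDP header")
        sport, dport, length, _ = struct.unpack(UDP_FMT, l4[:8])
        if length < 8 or length > len(l4):
            raise ValueError("bad UDP length")
        info.update(proto_name="UDP", sport=sport, dport=dport, payload=l4[8:length])
    else:
        info.update(proto_name=f"other({proto})", payload=l4)
    return info


if __name__ == "__main__":
    syn = build_packet("200.10.10.7", "198.51.100.5", PROTO_TCP, 40000, 23, flags=TCP_SYN)
    print(parse_packet(syn))
    dns = build_packet("200.10.10.7", "198.51.100.53", PROTO_UDP, 33000, 53, payload=b"\x12\x34")
    print(parse_packet(dns))
```

The SYN/ACK distinction the slide draws is what lets a filter tell the first packet of a new connection (SYN set, ACK clear) from traffic belonging to an existing one (ACK set), which the mail-gateway rules on the following slides depend on.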

80

Packet filtering firewall

IP packets are filtered based on
  – source IP address + source port number
  – destination IP address + destination port number
  – protocol field: TCP or UDP
  – TCP protocol flag: SYN or ACK

packet filtering can be very effective for simple services
  – never allow a packet with the source address of an internal machine to enter from the external internet

[Figure: a Packet filtering router between the External Internet and the Internal network, with a Mail gateway on the internal side. Rules at the router:]
  – Allow only packets with source address Mail gateway
  – Allow only packets with destination address Mail gateway, destination port 25
  – Allow only TCP ACK packets with source port 25 to destination port 1023

81

Packet Filtering Firewall

82

Packet filtering firewall

Example: Drop any TCP/IP packets coming from the Internet to port 23 (Telnet) of any internal host.

The allow/deny policy lists must be maintained and can grow quite complex.

Assume the company LAN uses IP addresses 200.10.10.*; an asterisk ( * ) means "any".

Source IP     Source Port   Destination IP   Destination Port   Allow?
200.10.10.*   *             *                23                 No
*             *             200.10.10.*      23                 No
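The rule tables on this slide and on the mail-gateway slide, worked as an added example that is not part of the lecture: a first-match, default-deny stateless filter using the slide's `*` wildcard. The gateway address 200.10.10.25, the `ext`/`int` interface names and the reading of "destination port 1023" as "above 1023" are assumptions.

```python
from collections import namedtuple

# A packet as the filter sees it (constructed format): iface is "ext" (arrives from
# the Internet) or "int" (arrives from the LAN); ack is the TCP ACK flag, clear only
# on the SYN that opens a connection.
Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port iface ack",
                    defaults=(False,))
# Rule fields are patterns; allow is the verdict; ack=None means the flag is not examined.
Rule = namedtuple("Rule", "proto src_ip src_port dst_ip dst_port iface allow ack",
                  defaults=(None,))

INTERNAL = "200.10.10.*"   # company LAN from the slide
MAILGW = "200.10.10.25"    # constructed placeholder address for the mail gateway

def match(pattern, value):
    """'*' matches anything, 'a.b.c.*' an address prefix, '>N' a port above N."""
    value = str(value)
    if pattern == "*":
        return True
    if pattern.endswith(".*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith(">"):
        return int(value) > int(pattern[1:])
    return pattern == value

def rule_matches(rule, p):
    pairs = zip(rule[:6], p[:6])  # proto, src_ip, src_port, dst_ip, dst_port, iface
    return all(match(a, b) for a, b in pairs) and rule.ack in (None, p.ack)

RULES = [
    # anti-spoofing: a packet claiming an internal source must never enter from outside
    Rule("*", INTERNAL, "*", "*", "*", "ext", allow=False),
    # telnet (port 23) denied in both directions, as in the slide's table
    Rule("tcp", INTERNAL, "*", "*", "23", "*", allow=False),
    Rule("tcp", "*", "*", INTERNAL, "23", "*", allow=False),
    # mail gateway: SMTP in, ACK-only replies from port 25 to a high port, gateway out
    Rule("tcp", "*", "*", MAILGW, "25", "ext", allow=True),
    Rule("tcp", "*", "25", MAILGW, ">1023", "ext", allow=True, ack=True),
    Rule("*", MAILGW, "*", "*", "*", "int", allow=True),
]

def filter_packet(p, rules=RULES):
    """First matching rule decides; anything not explicitly allowed is denied."""
    for r in rules:
        if rule_matches(r, p):
            return r.allow
    return False
```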

83

Packet filtering firewall

[Figure: packet filtering router connecting the External Internet with Internal network 1, Internal network 2 and Internal network 3 (which holds the Mail gateway); the numbered rules apply at the router interfaces shown in the figure:]

1: Allow packets with destination in internal networks 2 and 3

2: Allow packets with destination in internal networks 1 and 3

3: Allow packets with any destination

4: Allow TCP packets with destination address Mail gateway, destination port 25

Allow only TCP ACK packets with source port 25 with destination Mail gateway, port 1023

84

Packet filtering firewall

Packet filtering firewall when the connection to the Internet is via an external service provider.

Packet filtering is effective for coarse grained controls, not very effective for fine grained control:

– can do: allow incoming telnet from a particular host

– cannot do: allow incoming telnet from a particular user

Vulnerabilities:

– IP source address can be spoofed

– IP source routing

– filtering hard to configure correctly

– remote router management uses cleartext passwords

[Figure: External Internet - External router - Packet filtering firewall host - Internal network]

85

Packet Filtering Firewall

• Stateless

– Static filtering: the rules governing which packets the firewall allows and which it denies must be developed and installed in advance

– Dynamic filtering: allows the firewall to react to an emergent event and update or create rules to deal with that event

• Stateful

– Stateful inspection: firewalls that keep track of each network connection between internal and external systems using a state table
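An added example, not part of the lecture, of the state table a stateful inspection firewall keeps, next to the stateless ACK-flag rule from the earlier slides. The packet fields, the addresses and the simplified FIN teardown are constructed assumptions; the policy is that connections may only be opened from the LAN.

```python
from collections import namedtuple

# Constructed packet: the TCP flags are the only header fields the tracker needs.
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port syn ack fin",
                    defaults=(False, False, False))

class StatefulFilter:
    """State table keyed by (internal endpoint, external endpoint).
    Policy: connections may only be opened from the LAN."""

    def __init__(self):
        self.table = {}   # (int_ip, int_port, ext_ip, ext_port) -> "SYN_SENT" | "ESTABLISHED"

    def outbound(self, p):
        """Packet from the LAN towards the Internet."""
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        if p.syn and not p.ack:                 # new connection opened from inside
            self.table[key] = "SYN_SENT"
            return True
        return self._track(key, p)

    def inbound(self, p):
        """Packet from the Internet towards the LAN: must belong to a tracked connection."""
        key = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if self.table.get(key) == "SYN_SENT" and p.syn and p.ack:
            self.table[key] = "ESTABLISHED"     # server's SYN/ACK completes the open
            return True
        return self._track(key, p)

    def _track(self, key, p):
        if self.table.get(key) != "ESTABLISHED":
            return False                        # unknown or half-open: drop, whatever the flags
        if p.fin:                               # simplified teardown: first FIN closes the entry
            del self.table[key]
        return True

def stateless_ack_rule(p):
    """The stateless approximation from the earlier slides: any inbound segment with ACK set passes."""
    return p.ack
```

A segment with ACK set but no matching table entry passes the stateless rule and is dropped by the stateful filter, which is the practical difference between the two.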

86

Attacks & Solutions?

• Packet fragmentation

• Source routing

• TTL attacks

87

Packet filtering - Advantages

• Generally faster since fewer evaluations performed

• Easily implemented as hardware solutions

• A single rule can help protect an entire network by prohibiting connections between specific Internet sources and internal computers.

• Do not require client computers to be specifically configured

• In conjunction with network address translation, you can use packet filter firewalls to shield internal IP addresses from external users

88

Packet filtering - Disadvantages

• Do not understand application layer protocols.

• Cannot restrict access to protocol subsets - less secure than application layer and circuit level firewalls

• Packet filters - typically stateless

• Limited abilities to manipulate information within a packet.

• No value-added features, such as HTTP object caching, URL filtering, and authentication – since no knowledge of protocols

• Little or no audit event generation and alerting mechanisms.

• Difficult to test "accept" and "deny" rules.

89

Circuit Gateways

• Circuit gateway firewall operates at transport layer

• Look at sessions, instead of packets or connections

• Built in support for protocols with secondary connections, such as FTP, RTP

• Like filtering firewalls, do not usually look at data traffic flowing between two networks, but prevent direct connections between one network and another

• Accomplished by creating tunnels connecting specific processes or systems on each side of the firewall, and allow only authorized traffic in the tunnels

• Mitigates risk of network reconnaissance, DoS and IP spoofing

90

91

Application gateway firewall

• Proxies or relays

– Allow incoming Telnet from our users who are travelling

• user telnets to gateway machine

• gateway does strong authentication and establishes telnet relay to internal machine

• user to internal machine telnet session is relayed through the gateway

– Once established, relays do not examine traffic

– Outgoing telnet can similarly be relayed through the gateway

• user telnets to gateway machine

• gateway establishes telnet relay to external machine

• user to external machine telnet session is relayed through the gateway

[Figure: External Internet - External router - Application gateway firewall host - Internal network]

92

Application gateway firewall

• Outgoing ftp requires incoming call

– inside user initiates ftp connection to outside machine

– when a file is transferred, outside machine initiates a tcp connection to inside machine to effect the transfer

• allowing incoming tcp calls to internal machines is dangerous

– use gateway as a proxy for outgoing ftp

• Proxies and relays have to be implemented for each service

– proxies for sophisticated services such as X windows, NFS, WWW, Gopher exist

93

Application gateway firewall

• Packet filtering and application gateway can be bundled on the same host

Protocol   Source IP     Source Port   Destination IP   Destination Port   Allow?
tcp        200.10.10.*   *             *                23                 No
udp        *             *             200.10.10.*      23                 No

• application gateways work better for TCP based services

– recall that UDP is connectionless

• better for control over individual service relative to packet filters

• allow filtering of application protocols

– disallow PUT for FTP from internal clients

– disallow Java applets

– filter email attachments for viruses

94

Application Layer Filtering

• Most sophisticated level of firewall traffic inspection

• Analyze a data stream for a particular application, provide application-specific processing

– inspecting

– screening or blocking

– redirecting

– and modifying data

• Inspect many different protocols

• Works on clear-text traffic – what about encrypted data?

95

Options

• Terminating the SSL traffic at the firewall

• Regenerating SSL traffic from the firewall to the exposed Web service

• Allowing the SSL traffic to pass through the firewall to the back-end server

96

Software vs. Hardware: the SOHO Firewall Debate

• Which firewall type should the residential user implement?

• Where would you rather defend against a hacker?

• With the software option, the hacker is inside your computer

• With the hardware device, even if the hacker manages to crash the firewall system, the computer and information are still safely behind the now disabled connection

97

Content Filters

• Software filter—not a firewall—that allows administrators to restrict content access from within network

• Essentially a set of scripts or programs restricting user access to certain networking protocols/Internet locations

• Primary focus to restrict internal access to external material

• Most common content filters restrict users from accessing non-business Web sites or deny incoming spam