Internet and Intranet Fundamentals Class 9 Session A.
Internet and Intranet Fundamentals
Class 9
Session A
Topics
• Firewalls (continued)
Firewalls (Continued)
• Bastion Hosts
• Packet Filtering
Bastion Hosts
• Public Presence on the Internet
• The “Lobby” Analogy
• Public Exposure Implies Increased Security Requirements
  – focus special attention on building a Bastion host
  – host security
    • some principles apply to other hosts as well
Bastion Hosts: Various Types
• Non-routing Dual-homed Hosts
  – make sure they are non-routing!
• Victim Machines
  – sacrificial goat
  – don’t let users put valuables on them
• Internal, semi-Bastion Hosts
  – inside the firewall
  – communicate with external bastion
Bastion Hosts: General Design Guidelines
• Minimize the Number of Services Provided
  – keep it simple, scholar
  – server software may have bugs that can be exploited
• Expect Bastion Host to be Compromised
  – expect the worst and plan for it
  – most likely to be attacked
  – bastion host considered untrusted host
Bastion Hosts
• What Platform?
  – Unix, NT, etc.?
• Criteria
  – your experience
  – firewall tools availability
• Class of Machine
  – minimal
  – not a supercomputer
  – RAM more important than CPU
Bastion Hosts: Location
• Physical Location
  – safe
• Network Location
  – preferably on a perimeter network
  – or a network not susceptible to spoofing
    • ATM, Ethernet switch
Bastion Host: Services
• Proxy and Relay Services
  – HTTP Proxy
  – SMTP Server
  – NNTP Server
  – FTP Server
• Public Services
  – HTTP
  – SMTP
Bastion Hosts: Construction Steps
• Secure the Machine
  – start with minimal, clean operating system
  – fix all known system bugs
  – use a security checklist
  – safeguard the system logs
    • requires lots of logging
Bastion Hosts: Construction Steps
• Disable Non-required Services
• Install or Modify Services
• Reconfigure Machine from Development to Deployment
• Perform Security Audit
• Connect Machine to Network
Packet Filtering: Topics
• What is it?
• Advantages and Disadvantages
• Configuring a Packet Filtering Router
• Various Kinds of Filtering
Packet Filtering: What is it?
• Selectively reject IP packets based on:
  – source address
  – destination address
  – incoming physical port
  – TCP application port
Packet Filtering: Advantages and Disadvantages
• Advantages
  – one router protects an entire network
  – doesn’t require user knowledge or cooperation
  – widely available
• Disadvantages
  – current filtering tools not perfect
    • can be hard to configure, test, and maintain
    • may have bugs
  – some protocols don’t lend themselves to filtering
Packet Filtering: Configuring a PF Router
• Protocols Bidirectional
• Inbound vs. Outbound Semantics
  – packets vs. services
  – think “packets”
• Default Security Policy
  – permit or deny?
• Returning ICMP Error Codes
  – destination unreachable, for example
Various Kinds of Filtering
• Rules
  – Direction
  – Source Address
  – Destination Address
  – ACK Set
  – Action
Various Kinds of Filtering: Rules

Rule  Direction  Source Address         Dest Address           ACK Set  Action
A     Inbound    Trusted external host  Internal               Any      Permit
B     Outbound   Internal               Trusted external host  Any      Permit
C     Either     Any                    Any                    Any      Deny
Various Kinds of Filtering: Risks of Address Filtering
• Address Forgery
  – source
    • does not hope to get any packets back
  – man-in-the-middle
    • must intercept return packets
    • must alter network topology to get in the middle
Various Kinds of Filtering: Filtering by Service
• More Complicated
• TELNET
  – outgoing
    • local host’s IP source address
    • remote host’s IP destination address
    • TCP packet type
    • TCP destination port is 23
    • content: your keystrokes
Various Kinds of Filtering: Filtering by Service
• TELNET
  – incoming
    • remote host’s IP source address
    • local host’s IP destination address
    • TCP packet type
    • TCP source port is 23
    • TCP destination port is same as prior source port
    • ACK set
Various Kinds of Filtering: Filtering by Service
• TELNET
  – Rules
    • permit outbound on port 23
    • permit inbound on port 23 if ACK is set
    • deny both outbound and inbound for everything else
      – default rule
  – Risks
    • some other service on port 23?
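As an added example (not part of the class slides), the following first-match packet filter encodes both the address rule table A/B/C and the TELNET rules above, so a packet can be checked against each set. The internal network 10.0.0.0/8 and the trusted external host 203.0.113.5 are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
# Constructed for the demo: the "internal" network and the one "trusted external host".
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
TRUSTED_HOSTS = {ipaddress.ip_address("203.0.113.5")}

@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out": think packets, not services
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False       # TCP ACK flag set?

@dataclass(frozen=True)
class Rule:
    direction: str          # "in", "out" or "either"
    src: str                # "internal", "trusted" or "any"
    dst: str
    action: str             # "permit" or "deny"
    sport: Optional[int] = None   # None means "don't care"
    dport: Optional[int] = None
    ack: Optional[bool] = None
def classify(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    if ip in INTERNAL_NET:
        return "internal"
    return "trusted" if ip in TRUSTED_HOSTS else "external"

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in ("either", pkt.direction)
            and rule.src in ("any", classify(pkt.src))
            and rule.dst in ("any", classify(pkt.dst))
            and rule.sport in (None, pkt.sport)
            and rule.dport in (None, pkt.dport)
            and rule.ack in (None, pkt.ack))
def filter_packet(rules, pkt: Packet) -> str:
    """First matching rule decides; with no match the default is deny."""
    return next((r.action for r in rules if matches(r, pkt)), "deny")

# Address rules A, B, C from the slide table (C is the default deny).
ADDRESS_RULES = [Rule("in", "trusted", "internal", "permit"),
                 Rule("out", "internal", "trusted", "permit"),
                 Rule("either", "any", "any", "deny")]
# TELNET rules: outbound to port 23; inbound from port 23 only with ACK set.
TELNET_RULES = [Rule("out", "internal", "any", "permit", dport=23),
                Rule("in", "any", "internal", "permit", sport=23, ack=True),
                Rule("either", "any", "any", "deny")]
```

The filter sees only addresses, ports and the ACK flag, which is exactly the last risk on the slide: whatever the remote side runs on port 23 looks like TELNET to it.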