Network and System Security Risk Assessment

Network and System Security Risk Assessment: Firewall

Review
Last week we talked about sniffers and firewalls.
- A sniffer can capture users' private information whenever a protocol carries it in cleartext (HTTP, Telnet, ...): Wireshark sniffing on the network.
- A firewall controls what a computer or network may communicate: iptables, ufw.

Review: stateful firewall
Goal: allow outgoing website visits and drop all other communication.
- Traditional (stateless) approach: accept incoming TCP whose source port is 80 and whose only set flag (out of SYN, ACK, RST, FIN) is ACK. Limitation: websites on ports other than 80 cannot be visited, and the match depends on fields the remote side chooses.
- Stateful approach: let the firewall track connection state and accept only packets that belong to a connection this machine opened.
Commands used in the demo:
  sudo iptables -A OUTPUT -p tcp --dport 80 -j DROP
  sudo iptables -A INPUT -p udp -j ACCEPT   (DNS)
  sudo iptables -A INPUT -i lo -j ACCEPT
  sudo iptables -A INPUT -p tcp --sport 80 --tcp-flags SYN,ACK,RST,FIN ACK -j ACCEPT

Practice: iptables examples
1. Prevent this machine from telnetting to other machines:
   iptables -A OUTPUT -p tcp --dport 23 -j DROP
2. Prevent a telnet server on this machine from being connected to by other machines:
   iptables -A INPUT -p tcp --dport 23 -j DROP
3. Prevent the inner network from connecting to a social network at 1.2.3.4. When this machine is the gateway, the inner network's traffic passes through the FORWARD chain, not INPUT (INPUT only sees packets addressed to the firewall itself):
   iptables -A FORWARD -p tcp -d 1.2.3.4 -j DROP
   For the firewall's own connections to 1.2.3.4, use -A OUTPUT instead.

Practice: iptables examples (ICMP)
1. Refuse to be pinged, but still be able to ping others.
   Drop only incoming echo requests (ICMP type 8); the echo replies to our own pings still pass under the default ACCEPT policy:
   sudo iptables -A INPUT -p icmp --icmp-type 8 -j DROP
   With a default-DROP INPUT policy, accept the replies by connection state instead (-i selects the interface; -I would mean insert). -m state --state is the legacy spelling of -m conntrack --ctstate:
   iptables -P INPUT DROP
   iptables -A INPUT -i eth0 -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
2. Limit the number of pings we answer: 30 per minute with a burst of 8; everything above that is dropped. Note that -m limit keeps one global counter, so one noisy host exhausts the allowance for everyone:
   iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
   iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
3. Change the source IP of the ping packets our machine sends out (SNAT in the nat table, applied after routing; connection tracking maps the replies back automatically):
   sudo iptables -t nat -A POSTROUTING -p icmp --icmp-type 8 -j SNAT --to-source 192.168.137.131

Practice
Allow outgoing web access; disable all other communication:
  iptables -A INPUT -p tcp --sport 80 -j ACCEPT
Problem? The rule accepts any packet whose source port is 80, and the source port is chosen by the remote host: an attacker who simply sends from port 80 reaches every local service, while web servers on other ports remain unreachable. Only state tracking (ESTABLISHED,RELATED) ties incoming packets to connections this machine actually opened.
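The two review slides above and this one describe the same host policy (outgoing web only, DNS, loopback, rate-limited pings) first statelessly and then with state tracking. The script below is an added example written for this page, not code from the slides: it emits both versions as complete iptables-restore rulesets so they can be compared and loaded atomically. The interface-free rules are generic; the per-source ping limit uses the hashlimit match instead of the slide's global limit, and the hashlimit name "ping" is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not from the slides): stateless vs. stateful host firewall,
# each as an iptables-restore ruleset. Load with: sh host_fw.sh apply (as root).

# The slide's stateless idea. It trusts the remote side's source port, so a
# packet sent from port 80 to any local service is accepted.
stateless_web_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp --sport 53 -j ACCEPT
-A INPUT -p tcp --sport 80 -j ACCEPT
COMMIT
EOF
}

# Stateful version: every chain defaults to DROP; inbound traffic is only
# accepted when conntrack says it belongs to a flow this host started.
stateful_web_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m hashlimit --hashlimit-name ping --hashlimit-mode srcip --hashlimit-upto 30/min --hashlimit-burst 8 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
-A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# How many rules accept inbound traffic purely on a remote-chosen source port?
# Expected: 1 for the stateless set, 0 for the stateful set.
count_sport_trust() {
    "$1" | grep -c -- '--sport 80 -j ACCEPT'
}

# Parse the ruleset first (--test) so a typo cannot leave a half-loaded table.
apply_ruleset() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_ruleset: need root" >&2
        return 1
    fi
    "$1" | iptables-restore --test && "$1" | iptables-restore
}

case "${1:-show}" in
    show)  stateful_web_ruleset ;;
    apply) apply_ruleset stateful_web_ruleset ;;
esac
```

Loading through iptables-restore replaces the whole table in one step, which avoids the window during a sequence of individual iptables -A calls where the default policy is already DROP but the ESTABLISHED rule is not yet in place. The INVALID drop discards packets that conntrack cannot associate with any flow (for example stray ACKs or out-of-window segments) before any later rule could accept them.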

Practice: iptables example (NAT)
To act as a firewall that protects the inner network, the machine must forward packets. Enable forwarding in /etc/sysctl.conf (net.ipv4.ip_forward = 1) and reload it:
  sudo sysctl -p /etc/sysctl.conf
Redirect this machine's own web requests to a specific website (the nat OUTPUT chain handles locally generated packets):
  sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 202.38.64.3:80
Forward web traffic arriving on an interface to an internal server:
  iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.200:80
Publish the internal web server 192.168.141.235 on the firewall's port 8123, and rewrite the source of the client 192.168.141.1 so that the server answers to the firewall (192.168.141.226):
  sudo iptables -t nat -A PREROUTING -p tcp --dport 8123 -j DNAT --to 192.168.141.235:80
  sudo iptables -t nat -A POSTROUTING -p tcp -s 192.168.141.1 -j SNAT --to 192.168.141.226
The demo then added rules to translate the reply packets back to the original client and port:
  sudo iptables -t nat -A PREROUTING -p tcp -s 192.168.141.235 --sport 80 -j DNAT --to 192.168.141.1
  sudo iptables -t nat -A POSTROUTING -p tcp -s 192.168.141.235 --sport 80 -j SNAT --to 192.168.141.226:8123
Caveat: netfilter NAT is stateful. The nat table is consulted only for the first packet of a connection, and connection tracking reverses the translation on the replies by itself, so the two reply rules are redundant for tracked connections. They also cannot stand in for conntrack: once packets are marked NOTRACK, the nat table is not applied to them at all.

Practice: iptables example
To stop connection tracking for all packets (the raw table is evaluated before conntrack sees the packet):
  sudo iptables -t raw -A OUTPUT -j NOTRACK
  sudo iptables -t raw -A PREROUTING -j NOTRACK
Untracked packets match --ctstate UNTRACKED and never ESTABLISHED or RELATED, and they are not NATed; newer iptables spell the target -j CT --notrack.

Practice: iptables example (NAT, continued)
Same setup as before, now with the .1 client replaced by the firewall itself. Packets the firewall generates do not pass through PREROUTING, so the 8123 mapping must also be added to the nat OUTPUT chain:
  sudo iptables -t nat -A PREROUTING -p tcp --dport 8123 -j DNAT --to 192.168.141.235:80
  sudo iptables -t nat -A POSTROUTING -p tcp -s 192.168.141.1 -j SNAT --to 192.168.141.226
  sudo iptables -t nat -A PREROUTING -p tcp -s 192.168.141.235 --sport 80 -j DNAT --to 192.168.141.1
  sudo iptables -t nat -A POSTROUTING -p tcp -s 192.168.141.235 --sport 80 -j SNAT --to 192.168.141.226:8123
  sudo iptables -t nat -A OUTPUT -p tcp --dport 8123 -j DNAT --to 192.168.141.235:80
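The two NAT slides above show the translation rules one at a time; what a practitioner needs is the complete gateway: forwarding enabled, the published service reachable from outside, inner hosts masqueraded, and a FORWARD policy that allows nothing else. The script below is an added example written for this page, not code from the slides. It keeps the slide's firewall address and server port and assumes an inner network 10.10.0.0/24 on eth1 with the web server at 10.10.0.235 and the Internet on eth0; all of those are assumptions, as is blocking 1.2.3.4 for the inner network as in the earlier telnet/social-network slide.

```shell
#!/bin/sh
# Added example (not from the slides): NAT gateway that publishes an inner
# web server on the firewall's port 8123. Addresses/interfaces are assumptions.
WAN_IF=eth0
LAN_IF=eth1
FW_WAN_IP=192.168.141.226      # from the slide
INNER_NET=10.10.0.0/24         # assumed inner network behind $LAN_IF
WEB_SERVER=10.10.0.235         # assumed inner web server
PUBLISHED_PORT=8123            # from the slide

# Without forwarding, the kernel drops every packet not addressed to itself.
# Persistently: net.ipv4.ip_forward = 1 in /etc/sysctl.conf, then sysctl -p.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
}

gateway_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -p tcp -d $FW_WAN_IP --dport $PUBLISHED_PORT -j DNAT --to-destination $WEB_SERVER:80
-A OUTPUT -p tcp -d $FW_WAN_IP --dport $PUBLISHED_PORT -j DNAT --to-destination $WEB_SERVER:80
-A POSTROUTING -o $WAN_IF -s $INNER_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $LAN_IF -d 1.2.3.4 -j DROP
-A FORWARD -i $LAN_IF -o $WAN_IF -s $INNER_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $WEB_SERVER --dport 80 -m conntrack --ctstate DNAT -j ACCEPT
COMMIT
EOF
}

# The nat table sees only the first packet of a connection; conntrack un-NATs
# the replies, so no rule matching "--sport 80" is needed. Expected: 0.
reverse_rule_count() {
    gateway_ruleset | grep -c -- '--sport 80'
}

# Two DNAT rules: one for traffic arriving on the WAN side (PREROUTING) and one
# for connections the firewall itself makes to its published port (OUTPUT).
dnat_rule_count() {
    gateway_ruleset | grep -c -- '-j DNAT'
}

case "${1:-show}" in
    show)  gateway_ruleset ;;
    apply) enable_forwarding && gateway_ruleset | iptables-restore ;;
esac
```

Two details matter for security. FORWARD runs after PREROUTING, so the rule that admits outside connections matches on the already-translated destination ($WEB_SERVER:80) and additionally on --ctstate DNAT, which means only connections that went through the published mapping can reach the inner network; a direct packet for 10.10.0.235:80 arriving on eth0 has no DNAT state and is dropped. MASQUERADE picks up the address of the outgoing interface at packet time, which suits DHCP or PPP links; with a fixed address, SNAT --to-source $FW_WAN_IP avoids the lookup and keeps the mapping stable across link flaps.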

Practice: iptables example (FTP)
With all traffic disabled by default, enabling FTP requires the FTP connection-tracking helper:
  modprobe ip_conntrack_ftp   (the module is named nf_conntrack_ftp on current kernels)
Accept ESTABLISHED and RELATED together. ESTABLISHED matches the control connection on port 21; RELATED matches the separate data connection, whose port the helper learns by reading the PORT/PASV exchange on the control channel. With only one of the two states, either the command connection or the data connection cannot be established.
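Loading the helper module is no longer enough on its own: since Linux 4.7 helpers are not attached to connections automatically (net.netfilter.nf_conntrack_helper defaults to 0), so the control connection must be bound to the ftp helper explicitly in the raw table, or the data connection never becomes RELATED. The script below is an added example for this page, not code from the slides; the interface names eth0/eth1 are assumptions, and the FORWARD rules assume the firewall is a gateway with clients on eth1.

```shell
#!/bin/sh
# Added example (not from the slides): FTP through a default-DROP firewall,
# with the conntrack helper bound explicitly. Interface names are assumptions.
LAN_IF=eth1
WAN_IF=eth0

load_ftp_helper() {
    # nf_conntrack_ftp tracks PORT/PASV; nf_nat_ftp also rewrites the
    # addresses inside those commands when the client sits behind NAT.
    modprobe nf_conntrack_ftp
    modprobe nf_nat_ftp
}

ftp_ruleset() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $LAN_IF -p tcp --dport 21 -j CT --helper ftp
-A OUTPUT -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# One helper binding per path the control connection can take: forwarded
# from the LAN (PREROUTING) and originated by the firewall (OUTPUT). Expected: 2.
helper_binding_count() {
    ftp_ruleset | grep -c -- '-j CT --helper ftp'
}

# Every chain that can carry the data connection needs RELATED, otherwise the
# PASV data channel (a brand-new TCP flow to a high port) is dropped. Expected: 3.
related_accept_count() {
    ftp_ruleset | grep -c -- '--ctstate ESTABLISHED,RELATED -j ACCEPT'
}

case "${1:-show}" in
    show)  ftp_ruleset ;;
    apply) load_ftp_helper && ftp_ruleset | iptables-restore ;;
esac
```

Binding the helper only to port 21 is deliberate: a helper parses application payload, and historically helpers attached to arbitrary ports let a client talk FTP-like commands on another service to open holes for RELATED connections, which is why automatic assignment was turned off in the first place.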

Practice: iptables example (SSH)
ssh is the secure replacement for telnet. Besides encryption, ssh has another function, port forwarding, and with ssh port forwarding firewall rules can be bypassed.
  sudo iptables -A INPUT -i lo -j ACCEPT
  sudo iptables -t nat -A OUTPUT -p tcp --dport 21 -j REDIRECT --to-ports 7001
REDIRECT sends locally generated packets to 127.0.0.1 on the given port, here to a local listener on 7001.

The SSH server runs a service that the SSH client machine wants to use, but the SSH server restricts that service to local access only. With port forwarding, TCP ports A and B no longer talk to each other directly; the traffic is relayed through the SSH client and the SSH server instead, so it is encrypted automatically and, at the same time, the firewall restriction is bypassed.

Practice: iptables example (SSH port forwarding)
FTP server: its filter allows only localhost to use the FTP service. The demo also shows the FTP data and control connections.
On the server, FTP from other hosts is blocked. On the client we set up SSH port forwarding: local port 7002 is carried through the SSH connection to port 21 on the server, where the connection originates from localhost and is therefore allowed. The nat OUTPUT rule sends the FTP client's connections into the tunnel without reconfiguring the client:
  sudo iptables -t nat -A OUTPUT -p tcp --dport 21 -j DNAT --to-destination 127.0.0.1:7002
  ssh -L 7002:localhost:21 guoyan@192.168.137.151
Caveats: -L forwards only the control connection; FTP data connections use separate ports and are not carried by the tunnel. A packet filter on the server cannot stop this bypass, because the tunnel terminates on the server and the FTP connection is genuinely local there; what stops it is restricting forwarding in sshd_config (AllowTcpForwarding no, or PermitOpen for specific destinations).

Practice: iptables example (Squid)
To support Squid as a transparent web proxy, redirect port 80 to Squid's port 3128 before routing:
  iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128
Restricted to the LAN interface, so that only the clients' traffic is intercepted:
  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
Squid must listen in interception mode for this (http_port 3128 intercept), and the redirect belongs in PREROUTING only: the same rule in the nat OUTPUT chain would also catch Squid's own outgoing requests and loop them back to the proxy.