Packet Flow Permutation within Linux

Presentation transcript:

Packet Flow Permutation within Linux
Student: Shih-Hsin Chien
Adviser: Dr. Ying-Dar Lin
Date: 2004/09/30

Outline
- Issue
- Packet flow with components
- Components compatibility
- Conclusion
- Reference

Issues
- Packet flow within firewall, routing, NAT, VPN, IDS, CF, BM
- How each component works and how the components interact
- Help the admin write firewall rules with fewer errors
- Add new components to the gateway easily

Network socket buffer
Data structure: sk_buff

Field        Meaning
head         points to the start of the sk_buff
(not given)  points to the start of the actual data
tail         points to the end of the actual data
end          points to the end of the sk_buff
len          length of the actual data
truesize     total size of the sk_buff

Packet processing internals

Complete packet flow

Compare with another flow

Some issues about permutation
- Security: Firewall V.S. VPN
- Compatibility: VPN V.S. NAT
- Management: IDS V.S. Firewall

IPsec V.S. Firewall (security problem)
Order: WAN - IPsec - firewall - LAN
- Allows VPN traffic to be inspected
- Exposed to Internet security threats
- Multiple authentication challenges
Order: WAN - firewall - IPsec - LAN
- Protects from Internet security threats
- The firewall does not know the VPN data after decryption

IPsec V.S. NAT (compatible problem)
Order: WAN - NAT - IPsec - LAN (the IPsec packets get NAT-ed)
- AH, tunnel or transport mode: (X)
- ESP transport mode: (X)
- ESP tunnel mode: (O)
Order: WAN - IPsec - NAT - LAN
- Hides the real source IP address, since the packet is NAT-ed before IPsec

IPsec V.S. NAT (cont.)
How to be compatible:
- Case 1: Use NAT before IPsec
- Case 2: Do not NAT the IPsec packets, i.e. exclude them from masquerading (gw_IP_addr and Subnet_addr are placeholders):
  iptables -t nat -A POSTROUTING -o eth0 -s gw_IP_addr -d ! Subnet_addr -j MASQUERADE
- Encapsulate in UDP packets: the protocol is unchanged, but there is more cost
- Change the IPsec protocol: ESP with null encryption replaces AH, and the checksum is disabled; no extra cost, but only works for special NATs
- RSIP protocol
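To make the (X)/(O) results of the IPsec V.S. NAT slide and the "checksum disable" fix above concrete, here is an added model that is not part of the slides: ah_icv and l4_checksum are simplified stand-ins for the AH ICV and the TCP pseudo-header checksum, and the key, addresses and payload are constructed for the demo.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed for the demo; real SAs get keys from IKE

def ah_icv(src, dst, payload):
    """Stand-in for the AH ICV: covers the immutable IP header fields (both addresses) and the payload."""
    return hmac.new(KEY, f"{src}>{dst}".encode() + payload, hashlib.sha256).digest()

def l4_checksum(src, dst, segment):
    """Stand-in for the TCP/UDP checksum, whose pseudo-header includes both addresses."""
    return sum(f"{src}>{dst}".encode() + segment) & 0xFFFF

def apply_nat(pkt, new_src):
    """A NAT box rewrites the outer source address; it cannot see inside ESP or recompute an AH ICV."""
    return {**pkt, "src": new_src}

def ah_ok(pkt):
    # The receiver recomputes the ICV over the header it actually received.
    return hmac.compare_digest(pkt["icv"], ah_icv(pkt["src"], pkt["dst"], pkt["payload"]))

def esp_transport_ok(pkt, check_l4=True):
    # Transport mode keeps the outer header, so after decryption the L4 checksum
    # is verified against the (possibly NAT-ed) outer addresses.
    inner = pkt["esp"]
    return (not check_l4) or inner["csum"] == l4_checksum(pkt["src"], pkt["dst"], inner["seg"])

def esp_tunnel_ok(pkt):
    # Tunnel mode carries the original IP header inside ESP, so the checksum is
    # verified against the inner addresses, which the NAT never touched.
    inner = pkt["esp"]
    return inner["csum"] == l4_checksum(inner["src"], inner["dst"], inner["seg"])

def run_cases(src="10.0.0.5", dst="203.0.113.9", nat_ip="198.51.100.1"):
    seg = b"GET / HTTP/1.0"  # constructed payload
    csum = l4_checksum(src, dst, seg)
    ah = {"src": src, "dst": dst, "payload": seg, "icv": ah_icv(src, dst, seg)}
    esp_tr = {"src": src, "dst": dst, "esp": {"seg": seg, "csum": csum}}
    esp_tu = {"src": src, "dst": dst,
              "esp": {"src": src, "dst": dst, "seg": seg, "csum": csum}}
    return {
        "AH, no NAT": ah_ok(ah),
        "AH after NAT": ah_ok(apply_nat(ah, nat_ip)),
        "ESP transport after NAT": esp_transport_ok(apply_nat(esp_tr, nat_ip)),
        "ESP transport after NAT, checksum disabled":
            esp_transport_ok(apply_nat(esp_tr, nat_ip), check_l4=False),
        "ESP tunnel after NAT": esp_tunnel_ok(apply_nat(esp_tu, nat_ip)),
    }
```

Calling run_cases() returns each case mapped to True (O) or False (X); only the AH and ESP transport cases fail once a NAT sits between IPsec and the WAN.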

IDS V.S. Firewall (management problem)
- IDS -> Firewall: the IDS can provide the firewall with a dynamic policy
- Firewall -> IDS: internal network protection, e.g. against viruses and worms
- IDP (Intrusion Detection & Prevention)

Components permutation
Components, from back to front: Firewall, NAT, Routing, VPN, IDS, CF, BM
Cell values (LAN to WAN / WAN to LAN): L/R D/D L/L R/R M/M R/L D/M I/M D/L D/I I/I M/I D/R
Legend: M: must, I: impossible, L: likely, R: rarely, D: don't care

Components permutation (cont.)
- Firewall & NAT: WAN - NAT - firewall - LAN
- NAT & routing: WAN - NAT - routing - LAN
- VPN & routing: WAN - VPN - routing - LAN
- CF: handled at the application layer

Conclusion
- The VPN is protected by the firewall
- Packets must be filtered once again after de-VPN (decapsulation)
- NAT before VPN
- The IDS provides the firewall with a dynamic policy
- There is no absolute permutation

Reference
- 蔡孟甫、曹世強、林盈達, "NetBSD kernel network security modules: IPFilter and IPSec"
- RFC 3715, "IPsec-Network Address Translation Compatibility Requirements", B. Aboba, W. Dixon, Mar. 2004
- IPtables, http://www.iptables.org/
- Dansguardian, http://dansguardian.org/
- "The IPsec VPN dilemma: configuring Firewall and NAT", http://www.iii.org.tw/ncl/document/IPSecVPN.htm
- Linux IP Masquerade HOWTO, http://en.tldp.org/HOWTO/IP-Masquerade-HOWTO/