Lecture 4: stateful inspection, advanced protocols Roei Ben-Harush 2015.

Slides:



Advertisements
Similar presentations
CCNA – Network Fundamentals
Advertisements

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 OSI Transport Layer Network Fundamentals – Chapter 4.
Lecture 7 Transport Layer
Chapter 7 Intro to Routing & Switching.  Upon completion of this chapter, you should be able to:  Explain the need for the transport layer.  Identify.
Firewalls.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Network Services Networking for Home and Small Businesses – Chapter 6.
HTTP HyperText Transfer Protocol. HTTP Uses TCP as its underlying transport protocol Uses port 80 Stateless protocol (i.e. HTTP Server maintains no information.
Firewalls and Intrusion Detection Systems
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 OSI Transport Layer Network Fundamentals – Chapter 4.
1 HTTP and some other odds and ends Nelson Padua-Perez Bill Pugh Department of Computer Science University of Maryland, College Park.
Page: 1 Director 1.0 TECHNION Department of Computer Science The Computer Communication Lab (236340) Summer 2002 Submitted by: David Schwartz Idan Zak.
How the web works: HTTP and CGI explained
TCP/IP Protocol Suite 1 Chapter 22 Upon completion you will be able to: World Wide Web: HTTP Know how HTTP accesses data on the WWW Objectives.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
WXES2106 Network Technology Semester /2005 Chapter 8 Intermediate TCP CCNA2: Module 10.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau ( ) Lee Shirly ( ) Ong Ivy ( )
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
FIREWALL Mạng máy tính nâng cao-V1.
Human-Computer Interface Course 5. ISPs and Internet connection.
SUNY Polytechnic Institute CS 490 – Web Design, AJAX, jQuery Web Services A web service is a software system that supports interaction (requesting data,
Network Protocols. Why Protocols?  Rules and procedures to govern communication Some for transferring data Some for transferring data Some for route.
Chapter 6: Packet Filtering
CP476 Internet Computing Lecture 5 : HTTP, WWW and URL 1 Lecture 5. WWW, HTTP and URL Objective: to review the concepts of WWW to understand how HTTP works.
Application Layer 2 Figures from Kurose and Ross
1 Semester 2 Module 10 Intermediate TCP/IP Yuda college of business James Chen
WWW, HTTP, GET, POST, Cookies Svetlin Nakov Telerik Corporation
1 7-Oct-15 OSI transport layer CCNA Exploration Semester 1 Chapter 4.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 OSI Transport Layer Network Fundamentals – Chapter 4.
Digital Multimedia, 2nd edition Nigel Chapman & Jenny Chapman Chapter 17 This presentation © 2004, MacAvon Media Productions Multimedia and Networks.
ICOM 6115©Manuel Rodriguez-Martinez ICOM 6115 – Computer Networks and the WWW Manuel Rodriguez-Martinez, Ph.D. Lecture 26.
Packet Filtering Chapter 4. Learning Objectives Understand packets and packet filtering Understand approaches to packet filtering Set specific filtering.
Chapter 6-2 the TCP/IP Layers. The four layers of the TCP/IP model are listed in Table 6-2. The layers are The four layers of the TCP/IP model are listed.
1 Introductory material. This module illustrates the interactions of the protocols of the TCP/IP protocol suite with the help of an example. The example.
Network Protocols A network protocol defines the structure of messages sent over the network We will only talk about the Internet Network protocols need.
Beginning Network Security Monitor and control flow into and out of the LAN Ingress Egress Only let in the good guys Only let out the corp. business.
Fundamentals of Proxying. Proxy Server Fundamentals  Proxy simply means acting on someone other’s behalf  A Proxy acts on behalf of the client or user.
1 CS 4396 Computer Networks Lab TCP/IP Networking An Example.
HyperText Transfer Protocol (HTTP) RICHI GUPTA CISC 856: TCP/IP and Upper Layer Protocols Fall 2007 Thanks to Dr. Amer, UDEL for some of the slides used.
HTTP1 Hypertext Transfer Protocol (HTTP) After this lecture, you should be able to:  Know how Web Browsers and Web Servers communicate via HTTP Protocol.
1 Firewalls Types of Firewalls Inspection Methods  Static Packet Inspection  Stateful Packet Inspection  NAT  Application Firewalls Firewall Architecture.
Networking Basics CCNA 1 Chapter 11.
Operating Systems Lesson 12. HTTP vs HTML HTML: hypertext markup language ◦ Definitions of tags that are added to Web documents to control their appearance.
2: Application Layer 1 Chapter 2: Application layer r 2.1 Principles of network applications  app architectures  app requirements r 2.2 Web and HTTP.
Digital Multimedia, 2nd edition Nigel Chapman & Jenny Chapman Chapter 17 This presentation © 2004, MacAvon Media Productions Multimedia and Networks.
Firewalls2 By using a firewall: We can disable a service by throwing out packets whose source or destination port is the port number for that service.
Individual Project 1 Sarah Pritchard. Fran, a customer of your company, would like to visit your company’s website from her home computer… How does your.
EE 122: Lecture 21 (HyperText Transfer Protocol - HTTP) Ion Stoica Nov 20, 2001 (*)
Overview of Servlets and JSP
Stateful Filtering and Stateful Inspection.  Stateful filtering has been used to define the stateful tracking of protocol information at Layer 4 and.
LURP Details. LURP Lab Details  1.Given a GET … call a proxy CGI script in the same way you would for a normal CGI request  2.This UDP perl.
Data Communications and Computer Networks Chapter 2 CS 3830 Lecture 7 Omar Meqdadi Department of Computer Science and Software Engineering University of.
1 Introductory material. This module illustrates the interactions of the protocols of the TCP/IP protocol suite with the help of an example. The example.
Performance testing and engineering Raja Gourav Kokkiligadda, Performance Architect, Domestic and General.
PORT CONNECTION STATUS CT Lab#4. TCP packet UDP packet Ports Background.
1 14-Jun-16 S Ward Abingdon and Witney College CCNA Exploration Semester 1 OSI transport layer CCNA Exploration Semester 1 Chapter 4.
Fiddler and Your Website Robert Boedigheimer. About Me Web developer since 1995 Columnist for aspalliance.com Pluralsight Author 3 rd Degree Black Belt,
Lecture 4: Stateful Inspection, Advanced Protocols.
Network Applications: HTTP/1.0
Firewalls.
Port Connection Status
TCP/IP Networking An Example
Multimedia and Networks
Process-to-Process Delivery:
دیواره ی آتش.
Firewalls Chapter 8.
46 to 1500 bytes TYPE CODE CHECKSUM IDENTIFIER SEQUENCE NUMBER OPTIONAL DATA ICMP Echo message.
Process-to-Process Delivery: UDP, TCP
Computer Networks Protocols
Presentation transcript:

Lecture 4: stateful inspection, advanced protocols Roei Ben-Harush 2015

2 Agenda 1 1 File Transfer Protocol - FTP HyperText Transfer Protocol - HTTP 2 2 About next Assignment Roei Ben-Harush 2015 Advanced protection techniques

3 Agenda 1 1 Advanced protection techniques Roei Ben-Harush 2015 HyperText Transfer Protocol - HTTP File Transfer Protocol - FTP About next Assignment 4 4

4 Connection table  Advanced firewalls intelligently associating new packet requests with existing legitimate connections.  We no longer pass each packet through the rule table, but check it’s state first and see if it’s a new or existing connection.  When a packet arrive with ACK flag set to 0 we’ll check it with the static rule table and set the verdict according to it  If the ACK flag is set to 1, we know the packet belongs to existing connection (or illegal), so we’ll check it with the connection table Roei Ben-Harush 2015

5 Connection table  Each approved connection will be saved in a dynamic table  Each row will contain data about the saved connection –Source IP address –Source port –Destination IP address –Destination port –State  Protocols can have several states and we always need to know the current state of the connection. For example: –3-way handshake and waiting for “syn ack” from server –Ftp connection who wait to receive “ready” status from server –Etc. Roei Ben-Harush 2015

6 Connection table  Other way to implement it is to add stateful rules support in the main table.  For example, iptables pass each packet (even ones of established connection) through the “static” rule table  The table has the ability to invoke stateful modules. –Can work on all layers: –inspect IP address, ports, or even GEOIP lookup of IP address –inspect specific bytes, or doing a string search, in the raw packet –inspect MAC address –inspect flags of TCP/UDP/ICMP –stateful connection tracking –And many more Roei Ben-Harush 2015

7 Stateful inspection  Some protocols required connection tracking to establish a secured connection –We can’t just allow traffic from numerous ports  Both in TCP and UDP there are protocols as such: –TFTPTFTP –Both client and server open random ports and connect with each other –VOIP protocols –Need to be fast AND secure –SIPSIP –H.323 protocolsH.323 –Basically anything on top TCP (and some UDP also) Roei Ben-Harush 2015

8 Stateful inspection  Classic example: FTP. By design, the firewall need to be able to open connections to arbitrary high ports for it to function properly.  The client send the server the port it’s open for data connection  The stateless firewall can’t open the port dynamically.  We need to read the payload (the data itself) of the packet to realize we are in ftp connection and we are about to receive port number to open. Roei Ben-Harush 2015

9 Agenda 1 1 Advanced protection techniques File Transfer Protocol - FTP 2 2 HyperText Transfer Protocol - HTTP 3 3 About next Assignment 4 4 Roei Ben-Harush 2015

10 File Transfer Protocol - FTP Roei Ben-Harush 2015 ClientServer Ack Syn get a.out Syn+Ack Syn Ack Syn+Ack a.out X21 20 Y

11 File Transfer Protocol - FTP  Can be enforced only in stateful inspection.  Receive port number to open in the packet’s payload  After connection is established, the client send to the server a packet with a special request, called PORT  A PORT request asks the server to use a different port to the data connection: the server makes a TCP connection to the client though this port.  The PORT request has a parameter in the form: –h1,h2,h3,h4,p1,p2 –the client is listening for connections on TCP port p1*256+p2 at IP address h1.h2.h3.h4. Roei Ben-Harush 2015

12 File Transfer Protocol - FTP  For example, after a connection from to ftp server the client send the following packet: –PORT 10,0,1,1,165,126  What the server understands, and what port number the client has opened?  Answer: the server understand that client in ip address has opened the port 165* , which is  Our firewall now should keep track of packets who reach to this port and IP, and not automatically drop them, but to inspect them and see if they're related to the ftp connection Roei Ben-Harush 2015

13 Agenda 1 1 Advanced protection techniques File Transfer Protocol - FTP 2 2 HyperText Transfer Protocol - HTTP 3 3 About next Assignment 4 4 Roei Ben-Harush 2015

14 HyperText Transfer Protocol - HTTP  Another example to a protocol with lots of information in the payload  In contrast to FTP, HTTP was designed to operate over a single TCP port and a single TCP connection, to avoid the difficulties we've seen for FTP. However, there is still a lot of state to be kept *between* packets in that single TCP connection. We need to listen and search for http request  Once we found the client sent GET request, we need to inspect the following packets to see what response we’ll get  Examples Roei Ben-Harush 2015

15 HyperText Transfer Protocol - HTTP  Regular 200 OK response: GET /secws15/ HTTP/1.1 Host: course.cs.tau.ac.il:443 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Encoding: gzip, deflate, sdch Accept-Language: en-US,en;q=0.8,he;q=0.6 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/ (KHTML, like Gecko) Chrome/ Safari/ HTTP/ OK Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0 Connection: Keep-Alive Content-Length: 4503 Content-Type: text/html; charset=utf-8 Server: Apache/ (Ubuntu) Vary: Accept-Encoding Roei Ben-Harush 2015

16 HTTP redirection  What if we’ll get redirection to another webpage? GET / HTTP/1.0 Host: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*; q=0.8 Accept-Encoding: gzip, deflate, sdch Accept-Language: en-US,en;q=0.8,he;q=0.6 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/ (KHTML, like Gecko) Chrome/ Safari/ HTTP/ Found Connection: Keep-Alive Content-Length: 0 Location: Server: BigIP Roei Ben-Harush 2015

17 HTTP stream: data in the same connection  We then ask from the right address and receive the data on the same connection ( in contrast to FTP) GET HTTP/1.1 Host: Proxy-Connection: keep-alive Accept:… HTTP/ OK Content-Type: … … וואלה! NEWS … Roei Ben-Harush 2015

18 HTTP redirection  As we can see, walla.co.il and walla.com are on a different IP address: C:\Users\roeibh>nslookup walla.com Name: walla.com Address: C:\Users\roeibh>nslookup walla.co.il Name: walla.co.il Address:  In our exercise we would like to approve connection between us and the new address.  pay attention for redirection status code, find and approve the new IP address Roei Ben-Harush 2015

19 Agenda 1 1 Advanced protection techniques File Transfer Protocol - FTP 2 2 HyperText Transfer Protocol - HTTP 3 3 About next Assignment 4 4 Roei Ben-Harush 2015

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.