Packet Filtering & Firewalls. Stateless Packet Filtering Assume We can classify a “good” packet and/or a “bad packet” Each rule can examine that single.

Slides:



Advertisements
Similar presentations
Enabling Secure Internet Access with ISA Server
Advertisements

Review iClickers. Ch 1: The Importance of DNS Security.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
Module 5: Configuring Access to Internal Resources.
Internet Security: How the Internet works and some basic vulnerabilities Slides from D.Boneh, Stanford and others 1.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.
Firewalls and Intrusion Detection Systems
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
Domain Name System Security Extensions (DNSSEC) Hackers 2.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
Internet Security: How the Internet works and some basic vulnerabilities Dan Boneh CS 155 Spring 2014.
1 Enabling Secure Internet Access with ISA Server.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Network Protocols and Vulnerabilities Dan Boneh CS 155 Spring 2010.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
FIREWALL Mạng máy tính nâng cao-V1.
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
CSUF Chapter 6 1. Computer Networks: Domain Name System 2.
CSCI 6962: Server-side Design and Programming Secure Web Programming.
CS526Topic 19: DNS Security1 Information Security CS 526 Topic 19: DNS Security.
Dan Boneh (Modified by Vijay Ganesh)
Chapter 6: Packet Filtering
DNS: Domain Name System
Implementing ISA Server Publishing. Introduction What Are Web Publishing Rules? ISA Server uses Web publishing rules to make Web sites on protected networks.
October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.
DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.
Packet Filtering Chapter 4. Learning Objectives Understand packets and packet filtering Understand approaches to packet filtering Set specific filtering.
1 Topic 2: Lesson 3 Intro to Firewalls Summary. 2 Basic questions What is a firewall? What is a firewall? What can a firewall do? What can a firewall.
Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.
1 Firewalls Types of Firewalls Inspection Methods  Static Packet Inspection  Stateful Packet Inspection  NAT  Application Firewalls Firewall Architecture.
Securing the Network Infrastructure. Firewalls Typically used to filter packets Designed to prevent malicious packets from entering the network or its.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
* Agenda  What is the DNS ?  Poisoning the cache  Short term solution  Long term solution.
DNS Cache Poisoning. History 1993 – DNS protocol allowed attacker to inject false data which was then cached 1997 – BIND 16-bit transaction ids not randomized,
1 Network Firewalls CSCI Web Security Spring 2003 Presented By Yasir Zahur.
Chapter 8 Network Security Thanks and enjoy! JFK/KWR All material copyright J.F Kurose and K.W. Ross, All Rights Reserved Computer Networking:
DNS Security Extension 1. Implication of Kaminsky Attack Dramatically reduces the complexity and increases the effectiveness of DNS cache poisoning –No.
DNS Security 1. Fundamental Problems of Network Security Internet was designed without security in mind –Initial design focused more on how to make it.
Cisco Discovery Semester 1 Chapter 6 JEOPADY RouterModesWANEncapsulationWANServicesRouterBasicsRouterCommands RouterModesWANEncapsulationWANServicesRouterBasicsRouterCommands.
Firewalls A brief introduction to firewalls. What does a Firewall do? Firewalls are essential tools in managing and controlling network traffic Firewalls.
Role Of Network IDS in Network Perimeter Defense.
Access Control List (ACL) W.lilakiatsakun. Transport Layer Review (1) TCP (Transmission Control Protocol) – HTTP (Web) – SMTP (Mail) UDP (User Datagram.
So DNS is A client-server application that maps domain names into their corresponding IP addresses with the help of name servers. Mapping domain names.
Grades update. Homework #1 Count35 Minimum Value47.00 Maximum Value Average
Ch 2. Application Layer Myungchul Kim
Short Intro to DNS (part of Tirgul 9) Nir Gazit. What is DNS? DNS = Domain Name System. For translation of host names to IPs. A Distributed Database System.
Internet infrastructure 1. Infrastructure Security r User expectations  Reliable service  Reliable endpoints – although we know of spoofing and phishing.
MAN-IN-THE-MIDDLE ATTACK STEGANOGRAPHY Lab# MAC Addresses and ARP  32-bit IP address:  network-layer address  used to get datagram to destination.
25/09/ Firewall, IDS & IPS basics. Summary Firewalls Intrusion detection system Intrusion prevention system.
1 Introduction to Information Security , Spring 2016 Lecture 7: TCP/IP security Avishai Wool Slides credit: Dan Boneh, Stanford.
DNS Security Advanced Network Security Peter Reiher August, 2014
Enabling Secure Internet Access with TMG
Prepared By : Pina Chhatrala
Firewall – Survey Purpose of a Firewall Characteristic of a firewall
DNS security.
CS 155 Internet Security: How the Internet works and some basic vulnerabilities Dan Boneh.
* Essential Network Security Book Slides.
Firewalls Purpose of a Firewall Characteristic of a firewall
Firewall.
Firewalls.
Computer Networks Protocols
Session 20 INST 346 Technologies, Infrastructure and Architecture
Presentation transcript:

Packet Filtering & Firewalls

Stateless Packet Filtering Assume We can classify a “good” packet and/or a “bad packet” Each rule can examine that single packet against a good or bad signature/pattern, and accordingly – the packet either passes on or is dropped silently / dropped “loudly” / logged We run our set of black-list (deny) rules first, followed by our white-list (allow) rules. The first rule that matches takes precedence (no need to examine the rules)

Stateless rules Source & Destination IP addresses Transport protocol – TCP / UDP Source & Destination Ports TCP & UDP fields (i.e.: TCP Flags) Packet direction (from X interface to Y interface, internal network->world vs. world- >internal network) Usually not used but possible – o Inspecting deeper layers o Pattern matching on packet data (e.g.: shellcode signature)

Stateful Packet Filtering To enable faster and more advanced filtering, the FW stores a list of active (and allowed) connections, and associated metadata If a packet matches a known connection – accept it If it doesn’t, we’ll run through our list of rules to see if the connection is valid

Complex Protocols Some protocols are complicated – o VoIP & P2P protocols may need to accept incoming connections o FTP uses one port for control and another (incoming) port for bulk data o TFTP uses random ports for both endpoints o Etc. We need to inspect (and modify) the application layer to perform proper packet filtering (i.e.: allow valid connections to enable these protocols)

DNS & DNS Attacks

DNS Lookup Example Client Local DNS resolver root & edu DNS server stanford.edu DNS server NS stanford.edu NS cs.stanford.edu A www=IPaddr cs.stanford.edu DNS server DNS record types (partial list): - NS:name server (points to other server) - A:address record (contains IP address) - MX:address in charge of handling - TXT:generic text (e.g. used to distribute site public keys (DKIM) ) 7

Caching DNS responses are cached at each level o Quick response for repeated translations o Useful for finding servers as well as addresses NS records for domains DNS negative queries are cached o Save time for nonexistent sites, e.g. misspelling Cached data periodically times out o Lifetime (TTL) of data controlled by owner of data o TTL passed with every record 8

DNS Packet Query ID: o 16 bit random value o Links response to query (from Steve Friedl) 9

Resolver to NS request 10

Response to resolver Response contains IP addr of next NS server (called “glue”) Response ignored if unrecognized QueryID 11

Authoritative response to resolver final answer bailiwick checking: response is cached if it is within the same domain of query (i.e. a.com cannot set NS for b.com) 12

Basic DNS Vulnerabilities Users/hosts trust the host-address mapping provided by DNS: o Used as basis for many security policies: Browser same origin policy, URL address bar Obvious problems o Interception of requests or compromise of DNS servers can result in incorrect or malicious responses e.g.: malicious access point in a Cafe o Solution – authenticated requests/responses Provided by DNSSec Unfortunately, DNSSec is not yet commonly implemented 13

DNS cache poisoning (a la Kaminsky’08) Victim machine visits attacker’s web site, downloads Javascript user browser local DNS resolver Query: a.bank.com QID=x 1 attacker attacker wins if  j: x 1 = y j response is cached and attacker owns bank.com ns.bank.com IPaddr 256 responses: Random QID y 1, y 2, … NS bank.com=ns.bank.com A ns.bank.com=attackerIP 14

If at first you don’t succeed … Victim machine visits attacker’s web site, downloads Javascript user browser local DNS resolver Query: b.bank.com QID=x 2 attacker 256 responses: Random QID y 1, y 2, … NS bank.com=ns.bank.com A ns.bank.com=attackerIP attacker wins if  j: x 2 = y j response is cached and attacker owns bank.com ns.bank.com IPaddr success after  256 tries (few minutes) 15

Defenses Increase Query ID size. How? Randomize src port, additional 11 bits Now attack takes several hours Ask every DNS query twice: o Attacker has to guess QueryID correctly twice (32 bits) o But the DNS system cannot handle the load 16

Questions?