Guide to Firewalls and VPNs, 3rd Edition. Chapter Five: Packet Filtering


Overview
- Describe packets and packet filtering
- Explain the approaches to packet filtering
- Configure specific filtering rules based on business needs

Introduction
- Packets: discrete blocks of data; the basic unit of data handled by a network
- Network traffic is broken down into packets for transmission, then reassembled into its original form at the destination
- Packet filter: hardware or software that blocks or allows transmission of packets based on criteria

Understanding Packets and Packet Filtering
- A packet filter acts like a doorman at a very popular night club
- It reviews the packet header before sending the packet on its way to a specific location within the network

Packet-Filtering Devices
- Routers: the most common packet filters
- Operating systems: built-in utilities can filter packets in the server's TCP/IP stack
- Software firewalls: most enterprise-level products filter packets
- Firewall appliances: standalone devices with self-contained hardware and software components

Anatomy of a Packet
- Packets are part of the Transmission Control Protocol/Internet Protocol (TCP/IP) suite
- They provide for the transmission of data in small, manageable chunks
- They start as messages created by higher-level protocols, which format them into usable data sets
- Lower-layer (network access) protocols take the packets and encapsulate them in frames, which are encoded as electrical or optical signals on the medium

Anatomy of a Packet (cont'd.)
Each packet consists of two parts:
- Header: control information normally read only by computers (this is what a packet filter inspects)
- Data: the part that end users actually see

Figure 5-1 Firewall View of Packet (Cengage Learning 2012)

IP Header
Figure 4-5 An IP datagram

Anatomy of a Packet (cont'd.)
Header of an IP packet (see Figure 5-2):
- Version: identifies the version of IP used to generate the packet (4 for IPv4)
- Internet Header Length (IHL): length of the header in 32-bit words (5, i.e. 20 bytes, when no options are present)
- Type of Service: indicates which of four service options is requested for the packet: minimize delay, maximize throughput, maximize reliability, or minimize cost

- Total Length: 16-bit field giving the total length of the packet (header plus data) in bytes
- Identification: 16-bit value that aids in dividing the data stream into packets of information; every fragment of one datagram carries the same value
- Flags: 3-bit value that tells whether this packet is a fragment (More Fragments bit) and whether it may be fragmented at all (Don't Fragment bit)
- Fragment Offset: if the data received is a fragment, indicates where the fragment belongs in the sequence of fragments, so that the packet can be reassembled

- Time to Live (TTL): 8-bit value identifying the maximum time the packet can remain in the system before it is dropped; in practice every router decrements it by one, so it acts as a hop count
- Protocol: identifies the protocol carried in the data portion of the packet (for example 1 = ICMP, 6 = TCP, 17 = UDP)
- Header Checksum: one's-complement sum of all the 16-bit words in the packet header, used to detect corruption of the header (it does not cover the data)
- Source IP Address: address of the computer or device that sent the IP packet

- Destination IP Address: address of the computer or device that is to receive the IP packet
- Options: can contain a security field, as well as several source-routing fields
- Data: the part that the end user actually sees
- Trailer or footer (optional): data that indicates the end of the packet; IP itself has no trailer, so this belongs to the link-layer frame (for example the Ethernet frame check sequence)

Technical Details: The Binary Connection
- Actual packets sent and received across the Internet are encoded in binary: just 1s and 0s
- Example: Time to Live (TTL) is an 8-bit value
  - In binary, a packet's life can be between 00000001 and 11111111
  - That is, between 1 and 255 hops (also referred to as device transfers)
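The header fields listed above, parsed from raw bytes the way a packet filter sees them. This is an added example, not code from the book or the slides; the sample headers are constructed in the block itself (the addresses, identification values and fragment offset are made up), and the checksum routine follows RFC 791. It also shows the TTL as the 8-bit string discussed on the binary slide, and what happens to a header whose TTL was changed without recomputing the checksum:

```python
"""Parse and validate an IPv4 header the way a packet filter sees it (RFC 791 layout)."""
import ipaddress
import struct
from dataclasses import dataclass

FLAG_DF = 0b010   # Don't Fragment
FLAG_MF = 0b001   # More Fragments


@dataclass(frozen=True)
class IPv4Header:
    version: int
    ihl: int              # header length in 32-bit words
    tos: int
    total_length: int     # header + data, in bytes
    identification: int
    flags: int            # 3 bits: reserved, DF, MF
    fragment_offset: int  # position of this fragment, in 8-byte units
    ttl: int
    protocol: int         # 1 = ICMP, 6 = TCP, 17 = UDP
    checksum: int
    src: str
    dst: str
    options: bytes

    @property
    def is_fragment(self) -> bool:
        # Only the fragment at offset 0 carries the TCP/UDP port numbers.
        return bool(self.flags & FLAG_MF) or self.fragment_offset != 0


def ones_complement_sum(data: bytes) -> int:
    """RFC 791 checksum: one's complement of the one's-complement sum of the 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, *, ttl: int = 64, protocol: int = 6, ident: int = 0,
                      flags: int = 0, frag_offset: int = 0, payload_len: int = 0, tos: int = 0) -> bytes:
    """Build an option-less 20-byte header with a correct checksum (used only to construct sample input)."""
    flags_frag = ((flags & 0x7) << 13) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, tos, 20 + payload_len, ident, flags_frag,
                      ttl, protocol, 0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]


def parse_ipv4_header(data: bytes) -> IPv4Header:
    """Decode the fixed fields; raise on truncated, non-v4 or corrupted headers (a filter drops those)."""
    if len(data) < 20:
        raise ValueError("truncated header")
    (vihl, tos, total_length, ident, flags_frag,
     ttl, protocol, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    version, ihl = vihl >> 4, vihl & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    hlen = ihl * 4
    if hlen < 20 or len(data) < hlen:
        raise ValueError("bad IHL")
    # Summing the whole header, checksum field included, yields zero only if it is intact.
    if ones_complement_sum(data[:hlen]) != 0:
        raise ValueError("header checksum mismatch")
    return IPv4Header(version, ihl, tos, total_length, ident, flags_frag >> 13, flags_frag & 0x1FFF,
                      ttl, protocol, csum, str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
                      data[20:hlen])


def ttl_as_binary(h: IPv4Header) -> str:
    """The 8-bit TTL exactly as it appears on the wire."""
    return format(h.ttl, "08b")


# Constructed samples (not real captures): a first fragment and a later fragment.
SAMPLE_FIRST = build_ipv4_header("10.0.0.5", "93.184.216.34", ttl=64, protocol=6,
                                 ident=0x1C46, flags=FLAG_DF, payload_len=20)
SAMPLE_LATER_FRAG = build_ipv4_header("10.0.0.5", "93.184.216.34", ttl=64, protocol=17,
                                      ident=0x1C47, frag_offset=185, payload_len=100)

if __name__ == "__main__":
    h = parse_ipv4_header(SAMPLE_FIRST)
    print(h, "TTL bits:", ttl_as_binary(h))
    corrupted = bytearray(SAMPLE_FIRST)
    corrupted[8] = 63                     # TTL decremented without recomputing the checksum
    try:
        parse_ipv4_header(bytes(corrupted))
    except ValueError as err:
        print("dropped:", err)
```

The later-fragment sample is the case the fragmentation slides warn about: `is_fragment` is true and no transport header follows, so a port-based rule has nothing to match on.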

Technical Details: The Binary Connection (cont'd.)

Packet-Filtering Rules
- "Allow" rules: the packet is allowed to pass
- "Deny" rules: the packet is dropped
- Packet filters only examine packet headers, not the data

Packet-Filtering Rules (cont'd.)
Common rules for packet filtering:
- Drop all inbound connections except connection requests for configured servers
- Eliminate packets bound for all ports that should not be available to the Internet
- Filter out any ICMP redirect or echo (ping) messages
- Drop all packets that use the IP header source-routing feature

Packet-Filtering Rules (cont'd.)
Small-scale, software-only personal firewall:
- Set up an access list that includes all of the computers in your local network, by name or IP address, so communications can flow between them
- An easy way to identify computers on the local network is to put them in a list of machines in a trusted zone
- Block all other traffic, on all ports and protocols, by default
- Then add the specific ports or programs that enable only the functionality that is needed

Figure 5-3 Trust (Cengage Learning 2012)

Figure 5-4 Adding (Cengage Learning 2012)

Packet-Filtering Methods
- Stateless packet filtering: reviews packet header content and allows or drops each packet on that basis alone, without regard to whether a connection has actually been established between an external host and an internal one
- Stateful packet filtering: maintains a record of the state of each connection and can thus make informed decisions about whether a packet belongs to one
- Filtering based on packet content: decisions are based on the contents of the data part of a packet as well as the header

Stateless Packet Filtering
- Stateless packet filters are useful for completely blocking traffic from a subnet or other network
- Filtering on IP header criteria: the filter compares the header data against its rule base and forwards (or drops) each packet as soon as a rule is found to match
- Acknowledgement (ACK) flag: set on every TCP segment after the initial SYN, it indicates that the sender is acknowledging data received from the other side; a stateless filter uses it as an approximate indicator of whether a connection is already under way

Figure 5-5 TCP (Cengage Learning 2012)

Stateless Packet Filtering (cont'd.)
- Source IP address: the first IP header criterion you can filter on; allow only certain source IP addresses to access your resources (keep in mind that a source address is easily forged)
- Destination IP address: enable external hosts to connect to your public servers in the DMZ, but not to hosts in the internal LAN
- Protocol: specify which protocols are available

Table 5-1 Filtering by Destination IP and Port Number

Stateless Packet Filtering (cont'd.)
- IP protocol ID field: for example, the Internet Group Management Protocol (IGMP) enables a computer to identify its multicast group memberships; it can be blocked where multicast is not needed
- Options: rarely used
- Filtering by TCP or UDP port number: called port filtering or protocol filtering; helps filter a wide variety of information

Stateless Packet Filtering (cont'd.)
Filtering by ICMP message type:
- Internet Control Message Protocol (ICMP) is the general management protocol for TCP/IP, used to diagnose various communication problems and to communicate certain status information
- A firewall/packet filter must be able to determine, based on the message type, whether an ICMP packet should be allowed to pass
- Common ICMP message types are shown in Table 5-2

Table 5-2 ICMP Message Types

Stateless Packet Filtering (cont'd.)
Filtering by fragmentation flags:
- The TCP or UDP port numbers appear only in the fragment with offset 0 (the first fragment); later fragments cannot be matched against port rules
- The firewall should therefore reassemble fragmented packets before making the admit/drop decision
Filtering by ACK flag:
- Configure the firewall to allow packets with the ACK bit set to 1 only to the ports you specify and only in the direction you want

Stateless Packet Filtering (cont'd.)
Filtering suspicious inbound packets:
- If a packet arrives at the firewall from the external network but carries a source IP address that belongs inside the network, it is spoofed: the firewall should drop it and send an alert message
- Most firewalls let you write rules that apply to all ports or all protocols
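A stateless filter that puts the preceding slides together: the anti-spoofing check, the source-routing and fragment checks, then a first-match rule base with a default deny, including the ACK-flag rule and per-type ICMP rules. This is an added example, not code from the book; the internal network, DMZ server address and rule base are assumptions chosen for the demonstration, and the sample packets are constructed. Note what the ACK rule lets through: a packet with only ACK set, for which no SYN was ever sent, is indistinguishable from a reply to a stateless filter.

```python
"""Stateless packet filter over header fields only: first match wins, default deny."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

INTERNAL = ip_network("192.168.1.0/24")   # assumed internal LAN behind the firewall
DMZ_WEB = "192.0.2.10/32"                 # assumed public Web server in the DMZ


@dataclass(frozen=True)
class Packet:
    """The header fields a stateless filter can see (values constructed for the example)."""
    iface: str            # "outside" (arriving from the Internet) or "inside" (from the LAN)
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False
    frag_offset: int = 0  # non-zero: a later fragment, so no port numbers are visible
    icmp_type: int = -1
    src_routed: bool = False


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    note: str
    iface: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dports: Optional[Tuple[int, int]] = None   # inclusive destination-port range
    ack: Optional[bool] = None                 # required ACK-flag value, if any
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.iface in ("any", p.iface)
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dports is None or self.dports[0] <= p.dport <= self.dports[1])
                and (self.ack is None or self.ack == p.ack)
                and (self.icmp_type is None or self.icmp_type == p.icmp_type))


# Rule base in the spirit of the slide's "common rules"; order matters because the first match wins.
RULES: List[Rule] = [
    Rule("deny", "ICMP redirect from outside", iface="outside", proto="icmp", icmp_type=5),
    Rule("deny", "ICMP echo request from outside", iface="outside", proto="icmp", icmp_type=8),
    Rule("allow", "ICMP echo reply to our own pings", iface="outside", proto="icmp", icmp_type=0, dst=str(INTERNAL)),
    Rule("allow", "public Web server, HTTP", iface="outside", proto="tcp", dst=DMZ_WEB, dports=(80, 80)),
    Rule("allow", "public Web server, HTTPS", iface="outside", proto="tcp", dst=DMZ_WEB, dports=(443, 443)),
    Rule("allow", "replies to LAN-initiated TCP (ACK set, high port)", iface="outside", proto="tcp",
         dst=str(INTERNAL), dports=(1024, 65535), ack=True),
    Rule("allow", "LAN may open outbound TCP", iface="inside", proto="tcp", src=str(INTERNAL)),
    Rule("allow", "LAN may send DNS queries", iface="inside", proto="udp", src=str(INTERNAL), dports=(53, 53)),
]


def filter_stateless(p: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, reason). Sanity checks run before the rule base; unmatched packets are denied."""
    if p.iface == "outside" and ip_address(p.src) in INTERNAL:
        return "deny", "ALERT: internal source address arriving from outside (spoofed)"
    if p.src_routed:
        return "deny", "IP source-routing option present"
    if p.frag_offset != 0:
        # No ports to match on; without reassembly the safe stateless choice is to drop later fragments.
        return "deny", "non-initial fragment"
    for r in rules:
        if r.matches(p):
            return r.action, r.note
    return "deny", "default deny"


# Constructed sample traffic.
SAMPLES = {
    "web_syn": Packet("outside", "203.0.113.7", "192.0.2.10", "tcp", 51000, 443, syn=True),
    "ssh_syn": Packet("outside", "203.0.113.7", "192.168.1.20", "tcp", 51001, 22, syn=True),
    "spoofed": Packet("outside", "192.168.1.5", "192.168.1.20", "tcp", 51002, 445, syn=True),
    "redirect": Packet("outside", "203.0.113.7", "192.168.1.20", "icmp", icmp_type=5),
    "late_frag": Packet("outside", "203.0.113.7", "192.168.1.20", "tcp", frag_offset=185),
    # ACK-only probe with no SYN ever sent: looks like a reply to a stateless filter (an "ACK scan").
    "ack_probe": Packet("outside", "203.0.113.7", "192.168.1.20", "tcp", 80, 40000, ack=True),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:10s} -> {filter_stateless(pkt)}")
```

The `ack_probe` result is the limitation that motivates the stateful filtering slides that follow: the rule base cannot tell a genuine reply from a forged one because it keeps no memory of which connections the LAN actually opened.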

Figure 5-6 Firewall (Cengage Learning 2012)

Stateful Packet Filtering
- A stateful filter can do everything a stateless filter can
- It also has the ability to maintain a record of the state of a connection
- Powerful enterprise firewalls do stateful packet filtering
- State table: the list of current connections

Figure 5-8 Stateful Packet (Cengage Learning 2012)

Stateful Packet Filtering (cont'd.)
- Limitation: stateful packet filtering still inspects only header information and does not verify the packet data
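A minimal state table, as an added example (not code from the book or the slides): outbound connection attempts from the LAN create entries, inbound packets are admitted only when they match an entry, and entries expire or are removed on RST/FIN. The timeouts, addresses and the scenario are assumptions constructed for the demonstration. The same forged ACK-only packet that a stateless ACK rule admits is denied here until a real connection exists, and denied again once it is torn down. The TCP close handling is simplified (state is dropped on the first FIN or RST; a real filter tracks both directions).

```python
"""Stateful packet filter: a state table keyed by connection 5-tuple, with expiry."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

TCP_HANDSHAKE_TIMEOUT = 60.0      # assumed: seconds a half-open connection is kept
TCP_ESTABLISHED_TIMEOUT = 3600.0  # assumed idle timeout for established TCP
UDP_TIMEOUT = 30.0                # assumed idle timeout for a UDP pseudo-connection


@dataclass(frozen=True)
class Packet:
    iface: str      # "inside" (from the LAN) or "outside"
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False


Key = Tuple[str, str, str, int, int]   # (proto, src, dst, sport, dport)


class StatefulFilter:
    def __init__(self) -> None:
        self.table: Dict[Key, dict] = {}   # keyed by the originator's 5-tuple

    @staticmethod
    def _keys(p: Packet) -> Tuple[Key, Key]:
        return (p.proto, p.src, p.dst, p.sport, p.dport), (p.proto, p.dst, p.src, p.dport, p.sport)

    def _expire(self, now: float) -> None:
        for k in [k for k, e in self.table.items() if e["expires"] <= now]:
            del self.table[k]

    def _new_flow(self, p: Packet, key: Key, now: float) -> Tuple[str, str]:
        # Only LAN-originated connection attempts may create state; anything else from outside is dropped.
        if p.iface != "inside":
            return "deny", "no matching connection in state table"
        if p.proto == "tcp" and p.syn and not p.ack:
            self.table[key] = {"state": "SYN_SENT", "expires": now + TCP_HANDSHAKE_TIMEOUT}
            return "allow", "outbound SYN: new connection recorded"
        if p.proto == "udp":
            self.table[key] = {"state": "UDP", "expires": now + UDP_TIMEOUT}
            return "allow", "outbound UDP: pseudo-connection recorded"
        return "deny", "outbound packet is not a valid connection start"

    def handle(self, p: Packet, now: float) -> Tuple[str, str]:
        """Return (action, reason) for one packet; `now` is a monotonic timestamp in seconds."""
        self._expire(now)
        fwd, rev = self._keys(p)
        if fwd in self.table:
            key, from_originator = fwd, True
        elif rev in self.table:
            key, from_originator = rev, False
        else:
            return self._new_flow(p, fwd, now)
        entry = self.table[key]
        if p.proto == "udp":
            entry["expires"] = now + UDP_TIMEOUT
            return "allow", "matches UDP pseudo-connection"
        if entry["state"] == "SYN_SENT":
            if not from_originator and p.syn and p.ack:
                entry["state"], entry["expires"] = "ESTABLISHED", now + TCP_ESTABLISHED_TIMEOUT
                return "allow", "SYN/ACK completes handshake"
            if from_originator and p.syn and not p.ack:
                return "allow", "SYN retransmission"
            return "deny", "packet inconsistent with handshake state"
        if p.rst or p.fin:
            del self.table[key]            # simplified close: drop state on the first FIN/RST
            return "allow", "connection closing: state removed"
        entry["expires"] = now + TCP_ESTABLISHED_TIMEOUT
        return "allow", "matches established connection"


# Constructed scenario: LAN client 192.168.1.20 talks to Web server 203.0.113.9 and DNS server 192.0.2.53.
SCENARIO: List[Tuple[float, Packet]] = [
    (0.0, Packet("outside", "203.0.113.9", "192.168.1.20", "tcp", 80, 40000, ack=True)),       # forged ACK, no state
    (1.0, Packet("inside", "192.168.1.20", "203.0.113.9", "tcp", 40000, 80, syn=True)),        # client opens
    (1.1, Packet("outside", "203.0.113.9", "192.168.1.20", "tcp", 80, 40000, syn=True, ack=True)),
    (1.2, Packet("outside", "203.0.113.9", "192.168.1.20", "tcp", 80, 40000, ack=True)),       # same bytes as the forgery
    (2.0, Packet("outside", "203.0.113.9", "192.168.1.20", "tcp", 80, 40000, ack=True, rst=True)),
    (2.1, Packet("outside", "203.0.113.9", "192.168.1.20", "tcp", 80, 40000, ack=True)),       # state is gone
    (10.0, Packet("inside", "192.168.1.20", "192.0.2.53", "udp", 51000, 53)),                  # DNS query
    (11.0, Packet("outside", "192.0.2.53", "192.168.1.20", "udp", 53, 51000)),                 # DNS reply
    (60.0, Packet("outside", "192.0.2.53", "192.168.1.20", "udp", 53, 51000)),                 # reply after timeout
]


def run_scenario(scenario: List[Tuple[float, Packet]] = SCENARIO) -> List[str]:
    fw = StatefulFilter()
    return [fw.handle(p, t)[0] for t, p in scenario]


if __name__ == "__main__":
    for (t, p), action in zip(SCENARIO, run_scenario()):
        print(f"t={t:5.1f} {p.iface:7s} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {action}")
```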

Filtering Based on Packet Content
- Some traffic uses packets that are difficult to filter reliably, for various reasons (FTP, for example, negotiates the ports for its data connections inside the control channel)
- Stateful inspection: examines both the contents of packets and the headers for signs that they are legitimate
- For example, it temporarily opens the high-numbered ports FTP needs when they are negotiated, then closes them again

FTP Port Usage Demo
Watch the connections to the lab server's network appear and disappear while a transfer runs (the command from the slide, with the quoting fixed so the pattern reaches grep intact):
    watch 'netstat -an | grep -E "tcp4.*147\.144"'
Link Ch 5a

Filtering Based on Packet Content (cont'd.)
- Proxy gateway: looks at the data within a packet to decide how to handle it; may keep logs by username, block certain types of attachments, etc. (Link Ch 5b)
- Specialty firewall: a spam or content filter; looks at the body of messages or Web pages for profanities or other content identified as offensive

Setting Specific Packet Filter Rules
- Establish packet-filter rules that control traffic to various resources: block potentially harmful packets and pass packets that contain legitimate traffic
- Each rule must be crafted, placed in the proper sequence, debugged, and tested
- Place resource-intensive rules after the most restrictive rules, to decrease the number of packets that must be inspected so thoroughly

Best Practices for Firewall Rules
- The firewall device is never accessible directly from the public network; restrict internal access as well, and require an encrypted protocol and two-factor authentication for management
- Simple Mail Transfer Protocol (SMTP) data is allowed to pass through the firewall, but all of it is routed to a well-configured SMTP gateway
- All Internet Control Message Protocol (ICMP) data is denied
- Telnet access to all internal servers from the public networks is blocked

Best Practices for Firewall Rules (cont'd.)
- HTTP traffic is prevented from reaching the internal networks through some form of proxy access or DMZ architecture
- Test all firewall rules before they are placed into production use
  - ftester is an older tool for testing firewalls (Link Ch 5c)
  - scapy is newer and more powerful (Link Ch 5d); it is included in BackTrack

Rules That Cover Multiple Variations
- Packet-filter rules must account for all possible ports that a type of communication might use, or for all variations within a particular protocol
- They are created and modified as a result of trial and error
- Figure 5-9 shows a typical LAN that is protected by a firewall and two routers
- Its rules allow Web, FTP, e-mail, and other services while blocking potentially harmful packets from reaching the internal LAN

Figure 5-9 Sample (Cengage Learning 2012)

Rules for ICMP Packets
- ICMP packets are easily forged and can be used to redirect other communications
- Packet Internet Groper (commonly called ping) uses ICMP echo request and echo reply to determine whether a host is reachable on the network
- Establish rules for specific ICMP message types
- Table 5-3 shows rules that send and receive the needed ICMP packets while blocking those that expose internal hosts to intruders

Table 5-3 ICMP Packet Filter Rules

Rules That Enable Web Access
- Cover standard HTTP traffic on TCP port 80 and secure HTTP (HTTPS) traffic on TCP port 443
- Table 5-4: rules for an Internet-accessible Web server in the test network

Table 5-4 HTTP Access Rules

Rules That Enable DNS
- Employees need to be able to resolve fully qualified domain names (FQDNs)
- Domain Name System (DNS) uses UDP port 53 for ordinary queries and TCP port 53 for zone transfers and for responses too large to fit in a UDP datagram, so the rules must cover both
- Table 5-5: rules that enable external clients to resolve names for computers in your own network, using the same TCP and UDP ports

Table 5-5 Rules That Enable DNS Resolution

Rules That Enable FTP
FTP transactions are either active or passive, and both use two separate connections:
- TCP port 21: the FTP control port
- TCP port 20: the FTP data port (active mode: the server opens the data connection from port 20 back to a client port above 1023 that the client announced on the control channel)
- Passive mode: the client instead opens the data connection to a server port above 1023 that the server announced on the control channel
- Table 5-6: specify the IP address of your FTP server

Table 5-6 Rules to Enable Active and Passive FTP
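How a stateful-inspection firewall turns the FTP control channel into the temporary data-port rules described on the "Filtering Based on Packet Content" slide and in the active/passive rules above. This is an added example, not code from the book: it decodes the RFC 959 `h1,h2,h3,h4,p1,p2` encoding from a PASV reply and from a PORT command and produces a one-off allow entry for the data connection. The server and client addresses and the control-channel lines are constructed. The check that the advertised address matches the peer that sent it is what stops the classic FTP bounce, where a PORT command asks the server to connect to a third party, or a malicious server's PASV reply steers the client to an unrelated host.

```python
"""Application-aware pinholes for FTP data connections, derived from the control channel."""
import re
from typing import Optional, Tuple

# RFC 959 encoding: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" and "PORT h1,h2,h3,h4,p1,p2"
_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_RE = re.compile(r"^227 .*?" + _SIX)
PORT_RE = re.compile(r"^PORT " + _SIX + r"\s*$")


def decode_hostport(groups: Tuple[str, ...]) -> Tuple[str, int]:
    """h1,h2,h3,h4,p1,p2 -> ("h1.h2.h3.h4", p1*256 + p2)."""
    octets = [int(g) for g in groups]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range")
    return ".".join(map(str, octets[:4])), (octets[4] << 8) | octets[5]


def pinhole_from_pasv(server_ip: str, client_ip: str, line: str) -> Optional[dict]:
    """Passive mode: the client will connect TO the server at the advertised port.
    Open the hole only if the server advertised its own address and an unprivileged port."""
    m = PASV_RE.match(line)
    if not m:
        return None
    host, port = decode_hostport(m.groups())
    if host != server_ip or port <= 1023:
        return None
    return {"proto": "tcp", "src": client_ip, "dst": host, "dport": port, "direction": "inside->outside"}


def pinhole_from_port(server_ip: str, client_ip: str, line: str) -> Optional[dict]:
    """Active mode: the server will connect FROM tcp/20 TO the client at the advertised port.
    Refuse any address other than the client's own (the FTP bounce attack)."""
    m = PORT_RE.match(line)
    if not m:
        return None
    host, port = decode_hostport(m.groups())
    if host != client_ip or port <= 1023:
        return None
    return {"proto": "tcp", "src": server_ip, "sport": 20, "dst": host, "dport": port,
            "direction": "outside->inside"}


# Constructed control-channel lines (not a real capture); addresses are assumptions.
SERVER, CLIENT = "198.51.100.7", "192.168.1.20"
PASV_OK = "227 Entering Passive Mode (198,51,100,7,195,80)."
PASV_REDIRECT = "227 Entering Passive Mode (203,0,113,66,195,80)."   # server steers the client elsewhere
PORT_OK = "PORT 192,168,1,20,156,64"
PORT_BOUNCE = "PORT 10,0,0,9,0,25"                                    # third party, privileged port

if __name__ == "__main__":
    for line in (PASV_OK, PASV_REDIRECT):
        print(line, "->", pinhole_from_pasv(SERVER, CLIENT, line))
    for line in (PORT_OK, PORT_BOUNCE):
        print(line, "->", pinhole_from_port(SERVER, CLIENT, line))
```

A real implementation attaches each pinhole to the control connection that produced it and removes it when that connection closes or the data connection finishes, which is the "opens them, then closes them again" behaviour the slide describes.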

Rules That Enable E-mail
- Setting up firewall rules that filter e-mail messages can be difficult because of the large variety of protocols in use
- Table 5-7: the configuration uses only POP3 and SMTP, for inbound and outbound e-mail respectively
- Assess whether your organization needs to accept incoming messages at all, and whether users may access external mail services

Table 5-7 POP3 and SMTP Rules