© 1998-1999 Mike D. Schiffman

Synopsis
 Introduction
 Overview
 Impetus
 Internals
 Implementation
 Risk Mitigation
 Futures

Introduction
 Firewalking: “Firewalking uses a traceroute-like IP packet analysis to determine whether or not a particular packet can pass from the attacker’s host to a destination host through a packet-filtering device.”

Terminology
 ACL
 router/gateway
 firewall

Slightly more detail
 Map `pass-through` ports
  – Determine gateway ACLs
  – Map hosts behind filtering gateways

Importance
 Network reconnaissance
  – Network mapping
  – Security auditing

Base concepts
 Traceroute
 Network discovery tool
 UDP packets
 IP TTL
  – Monotonic increments

Sample network

Sample traceroute [diagram, labelled IP TTL]

Info recon using traceroute
 Protocol subterfuge
 Nascent port seeding
  – View hosts behind a firewall

Protocol subterfuge

Nascent port seeding 1
 p0 = (p - (hops * probes)) - 1 = (53 - (8 * 3)) - 1

Nascent port seeding 2
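The port-seeding formula on the previous slide only makes sense together with the way traceroute walks its destination ports. The following is an added example, not code from the presentation or from the firewalk tool, that models that walk. It assumes the classic traceroute convention that `probes` packets are sent per TTL value and that probe number n (counting from 1 over the whole run) goes to port base + n; that convention is where the trailing "- 1" in the slide's formula comes from. The function names are the example's own.

```python
# Added example (not from the slides): model of the UDP destination-port
# progression that classic traceroute uses, and the slide's formula for
# choosing a starting port so that the first probe sent past the gateway
# lands on a chosen port.
#
# Assumption: `probes_per_hop` packets are sent per TTL value and probe
# number n (counting from 1 across the whole run) goes to port base + n.


def probe_port(base, hop, probe, probes_per_hop=3):
    """Destination port of probe `probe` (1-based) sent with TTL `hop`."""
    n = (hop - 1) * probes_per_hop + probe      # overall probe number in the run
    return base + n


def seed_base_port(target_port, gateway_hops, probes_per_hop=3):
    """Starting port so that the first probe one hop past the gateway hits target_port.

    This is the slide's p0 = (p - (hops * probes)) - 1.
    """
    return (target_port - gateway_hops * probes_per_hop) - 1


def probe_schedule(base, max_hop, probes_per_hop=3):
    """List of (hop, probe, port) for every probe of a run up to max_hop."""
    return [(hop, probe, probe_port(base, hop, probe, probes_per_hop))
            for hop in range(1, max_hop + 1)
            for probe in range(1, probes_per_hop + 1)]


def first_port_past_gateway(target_port, gateway_hops, probes_per_hop=3):
    """Check the seeding: port of the first probe sent beyond the gateway."""
    base = seed_base_port(target_port, gateway_hops, probes_per_hop)
    return probe_port(base, gateway_hops + 1, 1, probes_per_hop)


if __name__ == "__main__":
    base = seed_base_port(53, 8)            # the slide's numbers: port 53, 8 hops, 3 probes
    for hop, probe, port in probe_schedule(base, 9):
        print(f"TTL {hop} probe {probe} -> UDP/{port}")
```

With the slide's numbers the base port is 28, every probe up to hop 8 stays on ports 29 through 52, and the first probe with TTL 9 is the one that lands on port 53. `first_port_past_gateway` is the general check: it holds for any port, hop count and probes-per-hop, not just the 53/8/3 case.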

Logical progression
 Traceroute works at the IP layer
  – Any protocol on top of IP can be used
 Prohibitive filter on a gateway
  – Causes probes to be dropped
 We can determine the last host that responded
  – Different protocols
  – ‘Waypoint’ host

Firewalking basics 1
 Firewalking requires 3 hosts
  – The firewalking host
  – The gateway host
    – The waypoint host from above
  – The destination host
    – The host that sends the terminal packet in a traceroute scan
    – Must be ‘behind’ the gateway host
    – Used to direct the scan, never contacted

Firewalking basics 2
 A packet is sent to (towards) the destination host
 A timer is set
  – If we get a response before the timer expires, the port is open
  – If we do not, the port is probably closed
 Repeat for all interesting ports/protocols

Firewalk internals 1
 2 phases
  – Network discovery phase
  – Scanning phase
 Network discovery phase
  – Required to get the correct TTL
  – `TTL ramping` à la traceroute towards the destination host
    – This host is never contacted
  – When the gateway hop count is determined, the scan is `bound`

Firewalk internals 2
 Scanning phase
  – Send a packet towards the destination
    – Packet is set to expire 1 hop (by default) past the gateway
  – Set a timer and listen for a response
    – If a response is received before the timer expires, the protocol in question is allowed through
    – If not, it is probably denied by the gateway (maybe)

Firewalking diagram

Sample firewalk: phase 1 [diagram: IP TTL ramped 1, 2, 3]

Sample firewalk: phase 2 [diagram: IP TTL, bound at 3 hops; probes UDP/53, UDP/137, TCP/23, UDP/161, TCP/25]

False negative scenario [diagram: “Nothing is ever as simple as it seems”]

False negative circumvention
 `Slow walk`
  – Firewalk each hop en route to the target
  – If a probe is shown to be filtered on an intermediate gateway, that protocol/port cannot be scanned any further on that route
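The two phases, the false negative scenario and the slow walk are easiest to see side by side in a small model. The following is an added example, not code from the presentation or from the firewalk tool: an in-memory simulation with no network I/O. The topology (hosts r1, r2, gw, inside, dst), the ACLs on r2 and gw, and the probe list (the five protocol/port pairs from the phase 2 slide) are constructed for the illustration. The assumed hop behaviour is that a hop decrements the TTL and answers with ICMP time exceeded when it reaches zero before its ACL is consulted, and that a forwarded packet matching the ACL is dropped silently, so the scanner only sees its timer expire.

```python
# Added example (not from the slides or the firewalk tool): an in-memory model
# of both firewalk phases, the false negative, and the slow walk.  Nothing here
# touches the network; hosts, ACLs and probes are constructed for illustration.
#
# Assumed hop behaviour: a hop decrements the TTL and, if it reaches zero,
# answers with ICMP "time exceeded" before its ACL is consulted; a packet that
# is forwarded is checked against the ACL, which drops silently.
from dataclasses import dataclass, field


@dataclass
class Hop:
    name: str
    acl_drop: set = field(default_factory=set)   # {(proto, port)} dropped on forward


def send_probe(path, proto, port, ttl):
    """Deliver one probe along `path`.

    Returns ("time-exceeded", hop name) when some hop expires the TTL,
    ("reached", destination name) when the packet arrives at the last host, or
    None when an ACL dropped it silently (the scanner's timer would expire).
    """
    for hop in path:
        ttl -= 1
        if ttl == 0:
            return ("time-exceeded", hop.name)
        if (proto, port) in hop.acl_drop:
            return None
    return ("reached", path[-1].name)


def discover_gateway(path, gateway, probe=("udp", 53), max_ttl=30):
    """Phase 1: TTL ramping towards the destination until the gateway answers.

    Returns the gateway hop count (the scan is then 'bound' at this value), or
    None if the gateway never answered.
    """
    for ttl in range(1, max_ttl + 1):
        resp = send_probe(path, probe[0], probe[1], ttl)
        if resp == ("time-exceeded", gateway):
            return ttl
        if resp is not None and resp[0] == "reached":
            break          # ramped past the destination without seeing the gateway
    return None


def firewalk(path, gateway_hops, targets):
    """Phase 2: each probe is set to expire one hop past the gateway.

    A response means the gateway forwarded it; silence is reported as
    'filtered', which is only *probably* the gateway's doing.
    """
    return {t: ("open" if send_probe(path, t[0], t[1], gateway_hops + 1) else "filtered")
            for t in targets}


def slow_walk(path, gateway_hops, targets):
    """Firewalk every hop en route; record the first hop that drops each probe.

    Exposes false negatives: a probe filtered by an intermediate hop can never
    tell us anything about the gateway's ACL on this route.
    """
    blocked_at = {}
    for t in targets:
        blocked_at[t] = None
        for hops in range(1, gateway_hops + 1):
            if send_probe(path, t[0], t[1], hops + 1) is None:
                blocked_at[t] = path[hops - 1].name
                break
    return blocked_at


def sample_path():
    """Constructed topology: two routers, the filtering gateway, one inside host, the destination."""
    return [
        Hop("r1"),
        Hop("r2", acl_drop={("udp", 161)}),              # upstream filter => false negative
        Hop("gw", acl_drop={("udp", 137), ("tcp", 23)}),
        Hop("inside"),
        Hop("dst"),
    ]


TARGETS = [("udp", 53), ("udp", 137), ("tcp", 23), ("udp", 161), ("tcp", 25)]


if __name__ == "__main__":
    path = sample_path()
    bound = discover_gateway(path, "gw")
    print("gateway bound at", bound, "hops")
    print("firewalk :", firewalk(path, bound, TARGETS))
    print("slow walk:", slow_walk(path, bound, TARGETS))
```

Running it binds the scan at 3 hops and reports UDP/53 and TCP/25 as open and the other three as filtered. That last group is where the false negative hides: UDP/161 is dropped by r2, not by gw, which the plain firewalk cannot tell apart from a gateway drop. The slow walk attributes each drop to the hop where the probe first goes silent (r2 for UDP/161, gw for UDP/137 and TCP/23), which is exactly the information the slide says is needed to stop scanning that protocol/port any further along the route.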

Risk mitigation
 Block egress ICMP TTL expired in transit messages
 NAT or proxy servers can remove the threat of firewalking
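The mitigations above keep the gateway from leaking the ICMP answers a firewalk depends on; a gateway can also recognise the probe pattern in its own logs. The following is an added example, not from the presentation: a detection heuristic run over constructed netfilter-style LOG lines. Because a firewalk probe is built to expire one hop past the gateway, it arrives with a small, constant TTL while the destination port and protocol vary; an ordinary traceroute ramps the TTL instead. The field names (SRC, TTL, PROTO, DPT) follow the iptables LOG target's key=value format; the addresses, ports, timestamps and the thresholds are made up for the example.

```python
# Added example (not from the slides): a detection heuristic for the probe
# pattern a firewalk leaves at the gateway, run over constructed
# netfilter-style LOG lines.  Field names follow the iptables LOG target
# format; addresses, ports and timestamps are made up.
import re
from collections import defaultdict

# Constructed sample: one low-TTL port sweep (203.0.113.7), one ordinary
# traceroute ramping its TTL (203.0.113.9), one normal connection.
SAMPLE_LOG = """\
Mar  3 09:12:01 gw kernel: FW-IN: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=2 PROTO=UDP SPT=40001 DPT=53 LEN=20
Mar  3 09:12:01 gw kernel: FW-IN: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=2 PROTO=UDP SPT=40002 DPT=137 LEN=20
Mar  3 09:12:02 gw kernel: FW-IN: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=2 PROTO=TCP SPT=40003 DPT=23 WINDOW=1024 SYN
Mar  3 09:12:02 gw kernel: FW-IN: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=2 PROTO=UDP SPT=40004 DPT=161 LEN=20
Mar  3 09:12:03 gw kernel: FW-IN: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=2 PROTO=TCP SPT=40005 DPT=25 WINDOW=1024 SYN
Mar  3 09:12:03 gw kernel: FW-IN: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.1 LEN=84 TTL=2 PROTO=ICMP TYPE=8 CODE=0
Mar  3 09:12:05 gw kernel: FW-IN: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TTL=1 PROTO=UDP SPT=50001 DPT=33435 LEN=20
Mar  3 09:12:06 gw kernel: FW-IN: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TTL=2 PROTO=UDP SPT=50001 DPT=33436 LEN=20
Mar  3 09:12:07 gw kernel: FW-IN: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TTL=3 PROTO=UDP SPT=50001 DPT=33437 LEN=20
Mar  3 09:12:08 gw kernel: FW-IN: IN=eth0 OUT=eth1 SRC=198.51.100.4 DST=192.0.2.10 LEN=52 TTL=64 PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 SYN
"""


def parse_line(line):
    """Pull (src, ttl, proto, dport) out of one key=value log line; None if no port."""
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    if "SRC" not in fields or "TTL" not in fields or "DPT" not in fields:
        return None                      # e.g. ICMP lines carry TYPE/CODE, not DPT
    return fields["SRC"], int(fields["TTL"]), fields["PROTO"].lower(), int(fields["DPT"])


def detect_firewalk(log_text, max_ttl=2, min_targets=4):
    """Flag sources that probe many protocol/port pairs with one fixed low TTL.

    Only packets arriving with TTL <= max_ttl are considered (a probe meant to
    expire one hop past this gateway arrives with TTL 2).  A source is flagged
    when a single TTL value covers at least min_targets distinct targets; a
    traceroute spreads its probes over rising TTLs and is not flagged.
    """
    seen = defaultdict(lambda: defaultdict(set))   # src -> ttl -> {(proto, port)}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, ttl, proto, dport = parsed
        if ttl <= max_ttl:
            seen[src][ttl].add((proto, dport))

    findings = {}
    for src, by_ttl in seen.items():
        ttl, targets = max(by_ttl.items(), key=lambda kv: len(kv[1]))
        if len(targets) >= min_targets:
            findings[src] = {"ttl": ttl,
                             "targets": sorted(f"{p}/{d}" for p, d in targets)}
    return findings


if __name__ == "__main__":
    for src, info in detect_firewalk(SAMPLE_LOG).items():
        print(f"{src}: {len(info['targets'])} targets probed with TTL={info['ttl']}: "
              + ", ".join(info["targets"]))
```

On the sample this flags only 203.0.113.7, with five distinct targets all carried on TTL 2; the traceroute from 203.0.113.9 and the normal TCP/443 connection are left alone. `max_ttl` must match where the gateway sits relative to the logging point (a probe aimed one hop past a gateway that is itself several hops further in would arrive with a larger TTL), and `min_targets` trades false positives against catching short scans.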

Futures
 More protocols to scan with
 More intelligence on the part of the scan
  – Make the program understand different packet types and what types of terminal packets it might get
 Efficiency
 Portability
 A better, more stable GUI

Web resources
 firewalk
 tracerx
 libnet