Published by Gavin Kennedy. Modified over 6 years ago.
1
Introduction to Information Security, Spring. Lecture 9: Network Defenses: Firewalls, NAT, VPN, DoS. Avishai Wool. Slides credit: John Mitchell, Stanford; Brian LaMacchia, U. Washington.
2
Plan for today
Perimeter network defenses: firewalls, NAT
Protecting network connections: IPsec
Denial of Service
3
Last lecture: basic network protocols
L2.5: ARP; L3: IP; L4: TCP, UDP; L5: DNS
Problems with them:
No source authentication: can't tell where a packet is from
Packet sniffing
Connection hijacking, spoofing, sequence numbers
4
Network Protocol Stack
[Figure: the network protocol stack on two communicating hosts. Application layer (application protocol), Transport layer (TCP protocol), Network layer (IP protocol), Link / Network Access layer, Data Link.]
5
Should all traffic be allowed?
6
Reasons for traffic filtering
Avoid data loss / theft
Avoid misuse of assets
Avoid damage to systems
Legal / regulatory
"Put a guard at the building entrance" ... also lock the office doors ... and also keep sensitive documents in a safe
7
What is a firewall? A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. (Cisco)
8
What do firewalls check?
Layer 3: source IP address, destination IP address, protocol (TCP/UDP/ICMP/...)
Layer 4: destination port, source port (?)
Other criteria (sometimes): direction (incoming/outgoing, network interface), client program (if available)
9
Services and Port Numbers
Protocol + destination port == "service": TCP/80 is "http", TCP/22 is "ssh"
Most daemons listen on a "well known" port: common convention, not mandatory
Default: TCP client has a "random" source port, usually above 1024, up to 65535. Unreliable as a filtering criterion.
10
Types of firewall
Host-based firewall
Network firewall: stateless packet filter, stateful firewall
11
Host-based Firewall
A host-based firewall is software running on a server or workstation. It controls access to (and also from) a single computer. It can (and usually does) filter based on program name.
Examples: Linux: iptables / netfilter. Windows: Windows Firewall (Microsoft), ZoneAlarm (Check Point).
12
Host-based Firewalls
13
Properties of Host-based Firewalls
Connecting program (client) is known
Protection is as good as the rules in the policy: ALLOW all services from anywhere to anywhere ??
Good default for a laptop/desktop: allow everything outbound (from selected programs), allow nothing inbound
Policy is not centrally managed; if the attacker can log in, they can turn off the firewall
A form of Discretionary Access Control
14
Network Firewall
Placed in the network path (as a router); forces all traffic to go through it
Policy managed by IT / security staff: a form of Mandatory Access Control
Connecting program (client) not reliably known
15
Network Firewall: Basic Topology
16
Network Firewalls: 2-Firewall Topology with DMZ
DMZ: DeMilitarized Zone Network segment for semi-trusted systems
17
A Firewall can have Multiple Sides
18
Policy and Rules
A single rule can refer to many IP addresses, usually a subnet like /16
A network firewall has many rules; overlaps are possible:
... #100: Allow http from anywhere to
#101: Block http from anywhere to /16
First matching rule wins, so #100 is an exception to #101
19
Stateless Packet Filters
Every packet is filtered on its own; the firewall does not "remember the state of the connection"
But TCP traffic is bi-directional:
Client → Server: s-port = rand, d-port = 80
Server → Client: s-port = 80, d-port = rand
20
Security Problem with Stateless Packet Filters
Suppose we want to allow browsing to anywhere. This requires 2 rules:
Allow Client → Any when s-port = any, d-port = 80
Allow Any → Client when s-port = 80, d-port = any
Insecure! The attacker can select the source port to a non-random value, and can send packets to all services by setting s-port = 80.
21
Performance Problem with Stateless Packet Filters
A network firewall has many rules, including monsters with 20,000 – 50,000 rules!
1 Gbps = approx. 1M packets per second
Each packet needs to be compared to all rules; slow comparisons can become a serious bottleneck
22
Stateful Inspection in Firewalls
Invented and patented by Gil Shwed (US patent 5,606,668, 1993). Shwed co-founded Check Point and serves as CEO to this day.
A simple and brilliant idea that solves both the security and the performance problems.
23
How Stateful Inspection works #1
Put only the Client → Server rule in the policy: Allow Client → Any when s-port = any, d-port = 80. Filtering is based on the reliable d-port.
The 1st (SYN) packet seen by the firewall: Client → s1, with s-port = 3777, d-port = 80. Store "(Client, s1, 3777, 80)" in a state table, e.g. using a hash table data structure.
24
How Stateful Inspection works #2
Algorithm when a packet (s, d, s-port, d-port) is received:
// Fast path
If "(s, d, s-port, d-port)" is in the state table, or "(d, s, d-port, s-port)" is in the state table: Allow
// Slow path
Else if it is a SYN packet: check "(s, d, s-port, d-port)" against the rules; if the decision is Allow, store it in the state table
Else: Block
25
Analysis of Stateful Inspection
Performance: assume N rules, M connections. Lookup time:
Fast path: O(1) // with a good M-size hash table
Slow path: O(N) // naive data structure
Extremely effective on long TCP connections, less effective with short connections
Security: a "pinhole" for the return traffic of a specific connection; much more secure than stateless
Management: need only 50% of the rules
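The three ideas just covered (first-matching-rule policies with overlapping subnets, the source-port hole in a stateless filter, and the fast-path/slow-path algorithm of stateful inspection) fit in one small simulation. This is an added example, not code from the lecture; the addresses, rule numbers and the server's ssh port are constructed, and the inside network is taken to be the RFC 1918 block 10.0.0.0/8:

```python
import ipaddress
from collections import namedtuple

# Constructed example (not the lecture's own addresses): the inside is the
# RFC 1918 block 10.0.0.0/8, the outside server lives in the documentation
# range 203.0.113.0/24. A rule field of None means "any".
Rule = namedtuple("Rule", "action src dst proto sport dport")
Packet = namedtuple("Packet", "src dst proto sport dport syn")

# Overlapping rules, first match wins: #100 is an exception to #101.
OVERLAP_POLICY = [
    Rule("allow", "0.0.0.0/0", "10.1.1.10/32", "tcp", None, 80),   # #100
    Rule("block", "0.0.0.0/0", "10.1.0.0/16", "tcp", None, 80),    # #101
]

# What a stateless filter needs to let inside clients browse anywhere:
# a second rule for the return traffic, keyed on the unreliable source port.
STATELESS_POLICY = [
    Rule("allow", "10.0.0.0/8", "0.0.0.0/0", "tcp", None, 80),     # Client -> Any, d-port 80
    Rule("allow", "0.0.0.0/0", "10.0.0.0/8", "tcp", 80, None),     # Any -> Client, s-port 80
]

# A stateful firewall keeps only the Client -> Server rule.
STATEFUL_POLICY = STATELESS_POLICY[:1]


def first_match(policy, pkt):
    """Stateless packet filter: compare the packet to the rules top down; the
    first matching rule decides; no match means block (implicit default deny)."""
    for r in policy:
        if (r.proto == pkt.proto
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(r.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(r.dst)
                and r.sport in (None, pkt.sport)
                and r.dport in (None, pkt.dport)):
            return r.action
    return "block"


class StatefulFirewall:
    """Stateful inspection: allowed connections are remembered in a hash set,
    so return traffic is matched by state rather than by a source-port rule."""

    def __init__(self, policy):
        self.policy = policy
        self.state = set()              # entries (src, dst, s-port, d-port)

    def handle(self, pkt):
        fwd = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        rev = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if fwd in self.state or rev in self.state:                 # fast path, O(1)
            return "allow"
        if pkt.syn and first_match(self.policy, pkt) == "allow":   # slow path, O(N)
            self.state.add(fwd)
            return "allow"
        return "block"


def demo():
    """Decisions of both filter types for the same three packets."""
    client_syn = Packet("10.1.2.3", "203.0.113.7", "tcp", 3777, 80, True)
    server_reply = Packet("203.0.113.7", "10.1.2.3", "tcp", 80, 3777, False)
    # Outside host picks s-port 80 deliberately and aims at the client's ssh port.
    forged = Packet("203.0.113.7", "10.1.2.3", "tcp", 80, 22, True)

    stateless = [first_match(STATELESS_POLICY, p) for p in (client_syn, server_reply, forged)]
    fw = StatefulFirewall(STATEFUL_POLICY)
    stateful = [fw.handle(p) for p in (client_syn, server_reply, forged)]
    overlap = [first_match(OVERLAP_POLICY, Packet("203.0.113.7", d, "tcp", 4444, 80, True))
               for d in ("10.1.1.10", "10.1.5.5")]
    return {"stateless": stateless, "stateful": stateful, "overlap": overlap,
            "state_entries": len(fw.state)}


if __name__ == "__main__":
    print(demo())
```

The stateless policy lets the forged packet through because it only sees s-port 80; the stateful firewall blocks it because no state entry exists and the SYN itself does not match the single Client → Any rule. The overlap check shows the host-specific rule #100 winning over the /16 rule #101 purely by order.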
26
Network Address Translation (NAT)
27
Network Address Translation (NAT)
A short-term solution to the shortage of IP addresses; the long-term solution is IPv6. Also has some security element.
Idea: hide many hosts behind a single IP address. Allows use of private addresses (RFC1918): /8: /12: /16:
Private addresses are non-unique, not assigned, and not routed by Internet routers.
28
NAT hiding private addresses
NAT replaces TCP source ports to allow return traffic to internal addresses
29
NAT: Concerns & Limitations
Crosses layering: both L3 and L4
Breaks end-to-end reachability: a host in the public Internet cannot initiate communication to a host in a private network
Adds some security: harder for an attacker to reach the target
Difficult to run a server on a home network
Complications for non-TCP traffic, and for protocols that carry IP addresses inside the data
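A port-translating NAT as described on the two slides above, as an added example (not the lecture's code). The addresses are constructed: RFC 1918 hosts inside, one documentation-range address as the gateway's public IP. It shows the source-port rewrite that lets replies find their way back, and why an unsolicited packet from the Internet has nowhere to go:

```python
import itertools

# Constructed addresses (not from the lecture): RFC 1918 hosts inside,
# a documentation-range address for the gateway's single public IP.
PUBLIC_IP = "198.51.100.1"


class Nat:
    """Port-translating NAT: many private hosts share one public address; the
    gateway rewrites the source port so that replies can be mapped back."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = itertools.count(40000)   # pool of public source ports
        self.outbound_map = {}   # (priv ip, priv port, dst ip, dst port) -> public port
        self.inbound_map = {}    # (public port, remote ip, remote port) -> (priv ip, priv port)

    def outbound(self, pkt):
        """Private -> Internet: replace src IP/port, create the mapping on first use."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key not in self.outbound_map:
            port = next(self.next_port)
            self.outbound_map[key] = port
            self.inbound_map[(port, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
        return dict(pkt, src=self.public_ip, sport=self.outbound_map[key])

    def inbound(self, pkt):
        """Internet -> private: only packets matching an existing mapping get
        through; anything else has no internal destination and is dropped."""
        key = (pkt["dport"], pkt["src"], pkt["sport"])
        if key not in self.inbound_map:
            return None
        priv_ip, priv_port = self.inbound_map[key]
        return dict(pkt, dst=priv_ip, dport=priv_port)


def demo():
    nat = Nat(PUBLIC_IP)
    # Two inside hosts happen to pick the same source port for the same server.
    a = {"src": "192.168.1.10", "sport": 3777, "dst": "203.0.113.7", "dport": 80}
    b = {"src": "192.168.1.11", "sport": 3777, "dst": "203.0.113.7", "dport": 80}
    out_a, out_b = nat.outbound(a), nat.outbound(b)
    # The server replies to what it saw: the public IP and the translated port.
    reply_a = {"src": "203.0.113.7", "sport": 80, "dst": PUBLIC_IP, "dport": out_a["sport"]}
    reply_b = {"src": "203.0.113.7", "sport": 80, "dst": PUBLIC_IP, "dport": out_b["sport"]}
    # An outside host tries to open ssh towards the gateway: no mapping, no way in.
    unsolicited = {"src": "203.0.113.9", "sport": 5555, "dst": PUBLIC_IP, "dport": 22}
    back_a, back_b = nat.inbound(reply_a), nat.inbound(reply_b)
    return {
        "public_ports": (out_a["sport"], out_b["sport"]),
        "reply_a_to": (back_a["dst"], back_a["dport"]),
        "reply_b_to": (back_b["dst"], back_b["dport"]),
        "unsolicited": nat.inbound(unsolicited),
    }


if __name__ == "__main__":
    print(demo())
```

Both inside hosts used source port 3777, so the gateway could not tell their replies apart by address alone; rewriting the port (layer 4) as well as the address (layer 3) is the "crosses layering" point. The dropped unsolicited packet is the "breaks end-to-end reachability" point, which is at once the security benefit and the reason running a server at home needs an explicit port forward.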
30
A Home Gateway Typically Includes:
Layer 1+2: ADSL/cable modem, Ethernet, WiFi
Layer 2: switch + WiFi hotspot
Layer 2.5: DHCP (Dynamic Host Configuration Protocol), which dynamically assigns IP addresses to internal computers
Layer 3: router, the "default gateway" for internal computers
Layer 3+4: NAT device hiding internal addresses
Layer 3+4: firewall
Layer 5: DNS server
... plus other features and capabilities
31
VPN
32
Defending against:
Network packets pass by untrusted hosts: eavesdropping, packet sniffing. Especially easy when the attacker controls a machine close to the victim.
TCP state can be easy to guess, enabling spoofing and session hijacking.
33
Virtual Private Network (VPN)
Different modes of use: LAN-to-LAN internetworking, and remote access client connections.
LAN-to-LAN: IPsec (Layer 3: network layer), usually terminated at firewalls.
Remote access: usually "SSL-VPN".
34
Credit: Checkpoint
35
IPSEC
Security extensions for IPv4 and IPv6:
IP Authentication Header (AH): authentication and integrity of payload and header
IP Encapsulating Security Protocol (ESP): confidentiality of payload
36
Recall packet formats and layers
[Figure: encapsulation across layers. Application: message (data). Transport (TCP, UDP): segment = TCP header + data. Network (IP): packet = IP header + TCP + data. Link layer (Ethernet): frame = ETH header + IP + TCP + data + ETF trailer.]
37
IPSec Tunnel Mode: IPSEC header + IP header
38
IPSEC Tunnel Mode Firewalls
39
IPSEC Key Management
40
IPSEC Key Management
IPSEC key management is all about establishing and maintaining Security Associations (SAs) between pairs of communicating hosts. The "hosts" are usually the firewalls at the 2 sides.
41
Internet Key Exchange (IKE)
Resynchronize the two ends of an IPsec SA: choose cryptographic keys, reset sequence numbers to zero, authenticate endpoints.
Simple, right? The design evolved into something very complex, with many modes and sub-protocols.
42
General Idea of Main Mode
[Figure: IKE main mode between Alice and Bob. Alice → Bob: crypto suites I support. Bob → Alice: crypto suites I choose. Alice → Bob: g^A mod p, nonceA. Bob → Alice: g^B mod p, nonceB (Diffie-Hellman). Alice → Bob: {"Alice", proof I'm Alice}. Bob → Alice: {"Bob", proof I'm Bob}. The key used for the proofs is variant-dependent.]
43
Main Mode with pre-shared key S
[Figure: same exchange as before. Alice → Bob: crypto suites I support. Bob → Alice: crypto suites I choose. Alice → Bob: g^A mod p, nonceA. Bob → Alice: g^B mod p, nonceB. Alice → Bob: {"Alice", proof I'm Alice}, keyed with f(S, g^AB). Bob → Alice: {"Bob", proof I'm Bob}, keyed with f(S, g^AB).]
This is a variant of Diffie-Hellman, with additional encryption f() with the pre-shared secret key S to protect against MITM.
44
IPSEC AH and NAT
A change in address or port will cause the message integrity check to fail, and the packet will be rejected by the destination. IPSEC AH cannot be used with NAT devices.
[Figure: Orig IP Hdr | AH Hdr | TCP Hdr | Data. Message Integrity Check coverage spans the whole packet (except for mutable fields).]
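An AH-style integrity check over a constructed packet, as an added example that is not part of the lecture. The packet fields, key and the choice of HMAC-SHA256 are the example's own; the TTL is the one field treated as mutable and left out of the coverage, as AH does for fields routers legitimately change. A router decrementing the TTL still verifies; a NAT rewriting the source address and port does not:

```python
import hashlib
import hmac

# Constructed packet and key (not from the lecture). In real IPsec the key comes
# from the Security Association; here it is a fixed placeholder.
KEY = b"sa-key-shared-by-both-endpoints"
# Fields excluded from the integrity check: mutable header fields (TTL changes at
# every hop) and the check value itself.
MUTABLE = {"ttl", "icv"}


def ah_icv(key, pkt):
    """Integrity check value over all covered fields (IP header minus mutable
    fields, plus everything after it), serialised in a fixed field order."""
    covered = "|".join(f"{k}={pkt[k]}" for k in sorted(pkt) if k not in MUTABLE)
    return hmac.new(key, covered.encode(), hashlib.sha256).digest()


def protect(key, pkt):
    """Sender: attach the ICV (stands in for the AH header's authentication data)."""
    return dict(pkt, icv=ah_icv(key, pkt))


def verify(key, pkt):
    """Receiver: recompute over the packet as it arrived and compare."""
    return hmac.compare_digest(pkt["icv"], ah_icv(key, pkt))


def demo():
    pkt = protect(KEY, {"src": "192.168.1.10", "dst": "203.0.113.7", "proto": "tcp",
                        "sport": 3777, "dport": 80, "ttl": 64,
                        "payload": "GET / HTTP/1.1"})
    hop = dict(pkt, ttl=pkt["ttl"] - 1)                    # a router decrements TTL
    natted = dict(pkt, src="198.51.100.1", sport=40000)    # a NAT rewrites src IP and port
    return {"original": verify(KEY, pkt),
            "after_router": verify(KEY, hop),
            "after_nat": verify(KEY, natted)}


if __name__ == "__main__":
    print(demo())
```

The NAT did exactly its job and the packet is still a well-formed TCP segment, yet the destination discards it because the covered source fields no longer match what the sender signed; nothing in the NAT can fix this without the SA key.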
45
Denial of Service (DoS)
46
Denial of Service Attack Definition
An explicit attempt by attackers to prevent legitimate users of a service from using that service.
Threat model (taxonomy from CERT):
Consumption of network connectivity and/or bandwidth
Consumption of other resources, e.g. queue, CPU
Destruction or alteration of configuration information
Malformed packets confusing an application, causing it to freeze
Physical destruction or alteration of network components
Established in 1988, the CERT® Coordination Center (CERT/CC) is a center of Internet security expertise, located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University.
47
Examples: Flooding Attacks
Smurf attacks; SYN flood; distributed attacks with hierarchical structures.
Attacker's goals: amplification, anonymity.
48
Smurf DoS Attack
Send a ping request to the broadcast address of a subnet, e.g. dest= on subnet /16
Spoof the source address to the IP of the DoS target
Lots of responses: every host on the network sends a ping reply to the victim
[Figure: DoS Source sends (1) ICMP Echo Req, Src: DoS Target, Dest: broadcast addr, through the gateway; every host answers with (3) ICMP Echo Reply, Dest: DoS Target.]
49
Distributed DoS (DDoS)
[Figure: BadGuy sends unidirectional commands to several Handlers; Handlers use coordinating communication to control many Agents; attack traffic flows from the Agents to the Victim.]
Why such a hierarchy? Stacheldraht is a classic example of a DDoS tool. It utilizes a layered structure where the attacker uses a client program to connect to handlers, which are compromised systems that issue commands to the zombie agents, which in turn facilitate the DDoS attack. Agents are compromised via the handlers by the attacker, using automated routines to exploit vulnerabilities in programs that accept remote connections running on the targeted remote hosts. Each handler can control up to a thousand agents.[1]
50
SYN Flooding Attack
90% of DoS attacks use TCP SYN floods. Takes advantage of the three-way handshake: the server starts "half-open" connections, and these build up... until the queue is full and all additional requests are blocked.
51
TCP Handshake
[Figure: client C and server S. S is listening. C → S: SYN_C; S stores data (half-open). S → C: SYN_S, ACK_C; S waits. C → S: ACK_S; connected.]
52
SYN Flooding
[Figure: server S is listening. C sends SYN_C1, SYN_C2, SYN_C3, SYN_C4, SYN_C5 ...; S stores data for each one.]
53
SYN Flooding Explained
Send many SYN requests with spoofed source IPs
The victim allocates resources for each request: a new thread, connection state maintained until timeout
There is a fixed bound on half-open connections
Resources exhausted → requests from legitimate clients are denied
54
Preventing Denial of Service
DoS is caused by asymmetric state allocation.
SYN cookies ensure that the responder is stateless until the initiator has produced at least two messages.
The responder's state (IP addresses and ports of the connection) is stored in a cookie and sent to the initiator.
After the initiator responds, the cookie is regenerated and compared with the cookie returned by the initiator.
55
SYN Cookies Listening… Does not store state
Compatible with standard TCP; simply a "weird" sequence number scheme.
SYN_S, ACK_C with sequence # = cookie
The cookie must be unforgeable and tamper-proof; the client should not be able to invert a cookie.
Cookie = F(source addr, source port, dest addr, dest port, coarse time, server secret), where F is a cryptographic hash.
ACK_S(cookie): recompute the cookie, compare with the one received, and only establish the connection if they match.
More info:
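The SYN-cookie scheme of the last two slides as a working simulation. This is an added example, not the lecture's code: the 4-tuple, the server secret and the 60-second "coarse time" granularity are constructed, F is HMAC-SHA256 truncated to 32 bits so it fits the sequence-number field, and the MSS encoding that real implementations pack into the low bits is left out. The responder stores nothing on SYN and accepts the third message only if the acknowledged number is cookie+1 for the current or the previous minute:

```python
import hashlib
import hmac

SERVER_SECRET = b"constructed-server-secret"   # placeholder; rotated periodically in practice


def syn_cookie(src, sport, dst, dport, minute, secret=SERVER_SECRET):
    """F(source addr, source port, dest addr, dest port, coarse time, secret):
    a keyed hash truncated to 32 bits so it fits the TCP sequence-number field.
    The client cannot invert or forge it without the secret."""
    msg = f"{src}:{sport}>{dst}:{dport}@{minute}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


def on_syn(src, sport, dst, dport, now):
    """Stateless responder: answer the SYN with a SYN-ACK whose sequence number
    is the cookie. Nothing is stored, so a flood of SYNs allocates nothing."""
    return syn_cookie(src, sport, dst, dport, int(now // 60))


def on_ack(src, sport, dst, dport, ack_num, now, window=2):
    """Third handshake message: the client must acknowledge cookie+1. Recompute
    the cookie for the current and the previous (window-1) minutes and establish
    the connection only on a match; a forged or stale value is refused."""
    minute = int(now // 60)
    for m in range(minute, minute - window, -1):
        if ((syn_cookie(src, sport, dst, dport, m) + 1) & 0xFFFFFFFF) == ack_num:
            return True
    return False


def demo():
    c = ("203.0.113.5", 3777, "198.51.100.1", 80)   # constructed connection 4-tuple
    cookie = on_syn(*c, now=1000.0)
    good_ack = (cookie + 1) & 0xFFFFFFFF
    return {
        # legitimate client completes the handshake a few seconds later
        "legit": on_ack(*c, good_ack, now=1010.0),
        # an ACK carrying a made-up number
        "forged": on_ack(*c, 0x12345678, now=1010.0),
        # the right cookie replayed from a different source address
        "wrong_client": on_ack("203.0.113.6", 3777, "198.51.100.1", 80, good_ack, now=1010.0),
        # the right cookie, but five minutes late
        "stale": on_ack(*c, good_ack, now=1000.0 + 60 * 5),
    }


if __name__ == "__main__":
    print(demo())
```

Because the cookie binds the full 4-tuple and the coarse time, the server can reconstruct everything it needs from the returning ACK, which is why no half-open table is required and the fixed bound that a SYN flood exhausts no longer exists.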