
Network and System Security Risk Assessment

Presentation on theme: "Network and System Security Risk Assessment"— Presentation transcript:

1 Network and System Security Risk Assessment
Firewall

2 Review
Last week we talked about sniffers and firewalls.
A sniffer can sometimes capture users' private information (http, telnet, ...).
Wireshark sniffing on the network.
A firewall can control a computer's or a network's communication: iptables, ufw.

3 Review: Stateful firewall
Traditional approach: allow outgoing website visits and drop all other communication.
Allow inbound tcp with source port 80 and the ACK flag set.
Can't visit websites on ports other than 80.
Use a stateful firewall: state tracking.
sudo iptables -A OUTPUT -p tcp --dport 80 -j DROP
sudo iptables -A INPUT -p udp -j ACCEPT   (DNS)
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -p tcp --sport 80 --tcp-flags SYN,ACK,RST,FIN ACK -j ACCEPT

4 Practice: iptables examples
Prevent a machine from telnetting to other machines:
iptables -A OUTPUT -p tcp --dport 23 -j DROP
Prevent a telnet server from being connected to by other machines:
iptables -A INPUT -p tcp --dport 23 -j DROP
Prevent the inner network from connecting to a social network:
iptables -A INPUT -p tcp -d -j DROP

5 Practice: iptables examples
Disable being pinged, but still be able to ping:
sudo iptables -A INPUT -p icmp --icmp-type 8 -j DROP
iptables -P INPUT DROP
iptables -A INPUT -i eth0 -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
To limit the number of pings:
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
To change the source IP of a ping packet sent out from our machine:
sudo iptables -t nat -A POSTROUTING -p icmp --icmp-type 8 -j SNAT --to-source

6 Practice
Allow outgoing web access; disable all other communication:
iptables -A INPUT -p tcp --sport 80 -j ACCEPT
Problem?
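The weakness behind the "Problem?" above and the stateful alternative from the Review slide, as an added shell example that is not part of the slides: the source-port rule trusts a header field any remote host can set, while the conntrack rule only admits packets on connections this host opened. The variable name IPT, the DNS rule using port 53, and the helper state_rule_count are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the slides). IPT names the iptables binary; set
# IPT=echo to print the rules instead of loading them, which is a handy way
# to review a ruleset before applying it as root.
IPT="${IPT:-iptables}"

# The slide's approach: accept any inbound TCP packet whose source port is 80
# (slide 3 also requires the ACK flag). A remote host can choose source port
# 80 and set ACK itself, so such packets reach every local port: the filter
# keys on fields the sender controls, not on any connection the host opened.
weak_rules() {
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -p udp --sport 53 -j ACCEPT
    $IPT -A INPUT -p tcp --sport 80 --tcp-flags SYN,ACK,RST,FIN ACK -j ACCEPT
}

# Stateful approach: inbound packets are accepted only when conntrack has
# already seen the matching outbound connection (ESTABLISHED) or they belong
# to a helper-tracked companion flow such as FTP data (RELATED).
# "-m conntrack --ctstate" is the current spelling of the slides'
# "-m state --state"; both match the same connection states.
stateful_rules() {
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Only this host may open new connections, and only to DNS and web ports;
    # the reply traffic is then admitted by the ESTABLISHED rule above,
    # whatever port the server answers from.
    $IPT -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
}

# Review helper (assumed, not an iptables feature): count how many rules in a
# ruleset function key on connection state. Runs the function in a subshell
# with IPT=echo so nothing is loaded into the kernel. 0 means every ACCEPT
# in the set depends on header fields alone.
state_rule_count() {
    ( IPT=echo; "$1" ) | grep -c -- '--ctstate' || true
}
```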

7 Practice: iptables example
To act as a firewall (protect the inner network):
Enable packet forwarding: edit /etc/sysctl.conf, then
sudo sysctl -p /etc/sysctl.conf
To redirect an incoming packet to a specific website (change the source and destination):
sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination :80
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination :80
iptables -t nat -A PREROUTING -p tcp --dport 8123 -j DNAT --to :80
To change the reply packet to a specific source and port:
sudo iptables -t nat -A PREROUTING -p tcp --dport -j DNAT --to :80
sudo iptables -t nat -A POSTROUTING -p tcp -s -j SNAT --to
sudo iptables -t nat -A PREROUTING -p tcp -s --sport 80 -j DNAT --to
sudo iptables -t nat -A POSTROUTING -p tcp -s --sport 80 -j SNAT --to :8123

8 Practice: iptables example
To stop conntrack:
sudo iptables -t raw -A OUTPUT -j NOTRACK
sudo iptables -t raw -A PREROUTING -j NOTRACK

9 Practice: iptables example
To act as a firewall (protect the inner network):
Enable packet forwarding.
Change the .1 machine to the firewall itself:
sudo iptables -t nat -A PREROUTING -p tcp --dport -j DNAT --to :80
sudo iptables -t nat -A POSTROUTING -p tcp -s -j SNAT --to
sudo iptables -t nat -A PREROUTING -p tcp -s --sport 80 -j DNAT --to
sudo iptables -t nat -A POSTROUTING -p tcp -s --sport 80 -j SNAT --to :8123
sudo iptables -t nat -A OUTPUT -p tcp --dport -j DNAT --to :80

10 Practice: iptables example
To disable traffic; to enable ftp:
You must enable ip_conntrack_ftp:
modprobe ip_conntrack_ftp
You should use ESTABLISHED and RELATED at the same time. Otherwise, either the command connection or the data connection can't be established.

11 Practice: iptables example
The secure version of telnet: ssh.
Besides encryption, ssh has another function: port forwarding.
Using ssh port forwarding, firewall rules can be bypassed.
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -t nat -A OUTPUT -p tcp --dport 21 -j REDIRECT --to-ports 7001

12 The SSH server offers a service that the SSH client machine wants to use, but the SSH server restricts that service so that only the local machine may use it.
After port forwarding is set up, TCP ports A and B no longer communicate directly; the traffic is instead forwarded through the SSH client and server, which encrypts the data automatically and at the same time bypasses the firewall's restriction.

13 Practice: iptables example
ftp server: only allows ftp service from localhost.
Also demonstrates the ftp data and control connections.
On the server, ftp is blocked.
On the client, we try ssh port forwarding:
sudo iptables -t nat -A OUTPUT -p tcp --dport 21 -j DNAT --to-destination :7002
ssh -L 7002:localhost:21

14 Practice: iptables example
Support squid acting as a web proxy:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128

