Novell BorderManager®: Advanced Packet Filtering


1 Novell BorderManager®: Advanced Packet Filtering
Novell BrainShare 2002, session TUT342
Craig Johnson, Consultant
Caterina Luppi

2 Why Change from Defaults
- The default filters are fine; it is the default filter exceptions that are too open
- The default filter exceptions in BorderManager 3.6 are the same as in 2.1
- NetWare® has changed since BorderManager 2.1 and now includes several programs that are reachable from the Internet through those exceptions

3 Default Exception Vulnerabilities
Programs that the default exceptions leave reachable from the Internet:
- Remote Web Manager (PORTAL.NLM)
- RCONAG6
- CSATPXY (subject to a denial of service attack)
- Third-party programs such as Compaq web-enabled Insight Manager agents

4 Understanding the Defaults
- FILTERS: block all traffic TO and FROM the public interface (this is good!)
- EXCEPTIONS: allow certain traffic to and from the public IP address
  - Web server inbound (for reverse proxy)
  - VPN traffic
  - TCP and UDP high ports
  - All outbound IP

5 The Worst Offender
- Dynamic/TCP is designed to allow return traffic on high ports, but it also allows inbound connections to high ports to be initiated from the Internet
- Dynamic/UDP is similar, but few programs listen on UDP high ports on a NetWare server

6 How ACK Bit Filtering Can Help
- The default Dynamic/TCP exception does not enable ACK bit filtering
- The ACK bit is set on every segment once a connection is established
- The ACK bit is not set while a connection is being set up: the first TCP packet (the SYN) is sent without the ACK bit
- Dropping high-port packets that lack the ACK bit therefore blocks new inbound connections while still passing replies to connections the server opened
- Caveat: the filter only inspects the flag on each packet, so a crafted packet that already carries the ACK bit is still passed; a stateful exception (slide 11) is the stronger option

7 ACK Bit Filtering Example
- Host1 sends a TCP packet (SYN) to Host2 on some defined destination port (for instance, HTTP)
- Host2 recognizes the destination port and sends back an acknowledgement (SYN/ACK) with the ACK bit set
- Host1 receives the acknowledgement packet and sends back another acknowledgement (ACK)
- All traffic from this point on has the ACK bit set

8 Enabling ACK Bit Filtering
Either:
- Replace the default Dynamic/TCP exception with a custom definition called Dyn/ACK/TCP: Source port = Any, Destination ports= , ACK bit filtering enabled
Or:
- Change the default definition for Dynamic/TCP in FILTERS.CFG to enable ACK bit filtering

9 Problems Changing Defaults
- BRDCFG: if you run it again to redo the defaults, you will see some problems
  - If a Dyn/ACK/TCP custom definition was used, an additional Dynamic/TCP exception will be added that defeats the custom exception
  - If the default Dynamic/TCP definition was changed, BRDCFG will put a flawed exception in place that allows all inbound traffic
- Traffic allowed before (to the public IP address) may now be blocked

10 Solution/Workaround
- Delete or rename BRDCFG.NLM so that it cannot be run accidentally later on by someone who does not understand the implications for custom filtering
- Add a BRDCFG.NCF file that simply puts up a message not to run BRDCFG.NLM because of the problem, and rename BRDCFG.NLM

11 Alternative to Dynamic/TCP
- Replace the Dynamic/TCP and Dynamic/UDP inbound exceptions, and the default 'all IP' outbound exception, with a single stateful 'all IP' outbound exception
- This takes care of all return traffic automatically
- It even allows ping from the server console
- It produces somewhat more overhead on the server, because state is kept for all IP traffic
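The following is an added example, not part of the BrainShare slides and not Novell code: a small Python simulator that applies the three inbound high-port policies compared in slides 5 through 8 and 11 (the default Dynamic/TCP exception, a Dyn/ACK/TCP exception, and a stateful 'all IP' exception) to hand-built TCP headers, so the difference in what each one passes is visible. The high-port range 1024-65535, the port numbers in the sample packets, and the simplified connection table (ports only, no addresses) are assumptions for illustration.

```python
import struct

# Assumption: "high ports" means 1024-65535 (the slide's range did not survive the transcript).
HIGH_PORTS = range(1024, 65536)
TCP_SYN = 0x02
TCP_ACK = 0x10


def tcp_header(src_port, dst_port, flags):
    """Build a minimal 20-byte TCP header (constructed test data, no payload)."""
    # ports, seq, ack, data offset (5 words << 4), flags, window, checksum, urgent pointer
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 8192, 0, 0)


def parse_tcp(segment):
    """Return (src_port, dst_port, flags) from the header; the flags byte is offset 13."""
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    return src_port, dst_port, segment[13]


def dynamic_tcp(segment, conn_table):
    """Default Dynamic/TCP exception: any inbound TCP to a high port is passed,
    including a SYN that opens a new connection to an NLM listening there."""
    _, dst_port, _ = parse_tcp(segment)
    return dst_port in HIGH_PORTS


def dyn_ack_tcp(segment, conn_table):
    """Custom Dyn/ACK/TCP exception: high port AND the ACK bit must be set.
    A bare SYN is dropped, but the check is per packet, so a crafted packet
    that already carries ACK is still passed (the slide 6 caveat)."""
    _, dst_port, flags = parse_tcp(segment)
    return dst_port in HIGH_PORTS and bool(flags & TCP_ACK)


def stateful_all_ip(segment, conn_table):
    """Stateful 'all IP' outbound exception: inbound TCP is passed only when it
    answers a connection the server itself opened. conn_table holds
    (server_port, remote_port) pairs; a real filter also keys on addresses."""
    src_port, dst_port, _ = parse_tcp(segment)
    return (dst_port, src_port) in conn_table


POLICIES = {
    "Dynamic/TCP": dynamic_tcp,
    "Dyn/ACK/TCP": dyn_ack_tcp,
    "Stateful all IP": stateful_all_ip,
}

# Constructed scenario: the server earlier connected from its port 1030 to a
# web server on port 80, so one entry exists in the connection table.
CONN_TABLE = {(1030, 80)}

# Constructed inbound packets arriving on the public interface.
PACKETS = {
    "reply to our own request": tcp_header(80, 1030, TCP_SYN | TCP_ACK),
    "new connection to a high-port listener": tcp_header(40000, 2034, TCP_SYN),
    "crafted ACK probe, no connection": tcp_header(40000, 2034, TCP_ACK),
}


def evaluate(packets=PACKETS, conn_table=CONN_TABLE):
    """Return {packet name: {policy name: passed?}} for every packet/policy pair."""
    return {name: {pol: fn(seg, conn_table) for pol, fn in POLICIES.items()}
            for name, seg in packets.items()}


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name:40s}", "  ".join(f"{p}={'pass' if v else 'DROP'}" for p, v in verdicts.items()))
```

Only the stateful policy drops the crafted ACK probe; Dyn/ACK/TCP stops the plain SYN but not a packet that arrives with ACK already set, which is why the slides present the stateful 'all IP' exception as the alternative to patching Dynamic/TCP.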

12 Further Customization
- Delete the filter exceptions that are not being used: the HTTP and SSL (Accel Auth) definitions, and the VPN definitions if not using VPN
- Do not load programs that can be accessed from the Internet
- Replace the default exceptions with definitions that specify source ports

13 Complete Customization
- Concept: remove all the default exceptions and create only custom definitions with the minimum ports needed for each application
- All outbound exceptions will be stateful
- No inbound exception will be stateful
- You must understand exactly what ports will be required for every application and proxy

14 Outbound Exceptions for Proxies
XYZ Proxy
- Source interface: Public
- Destination interface: Public
- Source IP address: proxy public IP address
- Destination IP address: Any
- Source ports: (varies, often )
- Destination port: as needed
- Stateful filtering: enabled

15 Inbound Exception for Proxies
Reverse XYZ Proxy (part 1)
- Source interface: Public
- Destination interface: Public
- Source IP address: Any
- Destination IP address: reverse XYZ proxy public IP address
- Source ports: varies, typically
- Destination port: as needed

16 Inbound Exception for Proxies (cont.)
Must also allow the reverse proxy to send return packets (part 2)
- Source and destination interfaces: Public
- Source IP address: reverse XYZ proxy public IP address
- Source ports: use the destination ports from part 1
- Destination ports: use the source ports from part 1

17 Outbound HTTP Proxy
- Trickier than you might expect, because of the non-standard port numbers used by some web sites
- Need to allow at least TCP destination ports 80 and 443 out
- Often will need to allow destination ports 8080, 8008, 8009, and ?? outbound
- If using a stateful 'All IP' outbound exception, this should be no problem

18 Outbound Non-Proxy Traffic
- Use customized stateful filter exceptions
- Always specify both a 'from' and a 'to' (usually the source and destination interfaces, but sometimes an IP address instead)
- When making a customized exception, specify the source ports

19 Inbound Static NAT Traffic
- Do not use a stateful filter exception here: a plain exception gives better security and performance for this traffic
- Customize the exception and specify the source ports
- Use a 'from' and 'to' (usually source and destination interface), and also specify the internal host IP address as the destination IP address

20 Inbound Static NAT Return Traffic
- For every inbound packet, you need to allow a return reply (response)
- Reverse the definition of the inbound exception: switch source and destination interfaces, ports and IP address(es)
- For TCP exceptions (the majority), enable ACK bit filtering on this return exception so that it passes replies but cannot be used to open new connections
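Added example, not from the slides and not Novell code: a Python helper that derives the return-traffic exception of slides 16 and 20 by mirroring an inbound exception, and then checks the pair the way a practitioner would before loading it (ports and interfaces really swapped, source ports specified, ACK bit filtering on for TCP and off for UDP, nothing stateful). The dictionary layout and field names, the sample internal addresses and the 1024-65535 source-port range are assumptions for illustration; they are not the FILTERS.CFG syntax.

```python
# Assumed field layout for an exception (illustration only, not FILTERS.CFG syntax).
INBOUND_WEB = {
    "name": "WEB-STNAT-IN",
    "protocol": "TCP",
    "src_if": "Public",
    "dst_if": "Private",
    "src_ip": "Any",
    "dst_ip": "192.168.10.5",     # constructed internal host behind static NAT
    "src_ports": "1024-65535",    # assumed client source-port range
    "dst_ports": "80",
    "stateful": False,
    "ack_filter": False,
}

INBOUND_DNS = {
    "name": "DNS-STNAT-IN",
    "protocol": "UDP",
    "src_if": "Public",
    "dst_if": "Private",
    "src_ip": "Any",
    "dst_ip": "192.168.10.6",     # constructed internal host behind static NAT
    "src_ports": "1024-65535",    # assumed client source-port range
    "dst_ports": "53",
    "stateful": False,
    "ack_filter": False,
}


def return_exception(inbound):
    """Mirror an inbound (non-stateful) exception so the internal host can answer.
    Interfaces, addresses and ports are swapped; for TCP the ACK bit filter is
    turned on so the reverse rule passes replies but cannot start connections."""
    if inbound.get("stateful"):
        raise ValueError("a stateful exception tracks its own replies; no return rule is needed")
    return {
        "name": inbound["name"] + "-RET",
        "protocol": inbound["protocol"],
        "src_if": inbound["dst_if"],
        "dst_if": inbound["src_if"],
        "src_ip": inbound["dst_ip"],
        "dst_ip": inbound["src_ip"],
        "src_ports": inbound["dst_ports"],
        "dst_ports": inbound["src_ports"],
        "stateful": False,
        "ack_filter": inbound["protocol"] == "TCP",   # slide 20; UDP has no ACK bit
    }


def check_pair(inbound, ret):
    """Return a list of problems with an inbound/return pair; empty means it is consistent."""
    problems = []
    for a, b in (("src_if", "dst_if"), ("src_ip", "dst_ip"), ("src_ports", "dst_ports")):
        if ret[a] != inbound[b] or ret[b] != inbound[a]:
            problems.append(f"{a}/{b} not mirrored")
    if inbound["src_ports"] == "Any":
        problems.append("inbound exception should specify source ports (slide 19)")
    if inbound["protocol"] == "TCP" and not ret["ack_filter"]:
        problems.append("TCP return exception needs ACK bit filtering (slide 20)")
    if inbound["protocol"] == "UDP" and ret["ack_filter"]:
        problems.append("there is no ACK bit in UDP (slide 24)")
    if inbound["stateful"] or ret["stateful"]:
        problems.append("inbound/return pairs are not stateful (slide 13)")
    return problems


if __name__ == "__main__":
    for inbound in (INBOUND_WEB, INBOUND_DNS):
        ret = return_exception(inbound)
        print(inbound["name"], "->", ret["name"], "problems:", check_pair(inbound, ret) or "none")
```

The same mirroring produces the part 2 definition for a reverse proxy (slide 16), with the proxy's public IP address in place of the internal host address.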

21 3-NIC DMZ
- A 3-NIC DMZ provides an isolated LAN segment for servers that are accessed from the Internet
- Access to servers on the DMZ is controlled by packet filtering on both the public (Internet) and private (internal LAN) sides
- Start by blocking all traffic to and from the DMZ NIC
  - Use BRDCFG.NLM
  - Delete all of the new default exceptions afterward
  - Declare the DMZ address as private

22 3-NIC DMZ (cont.)
- Access to the DMZ segment from the Internet is set up exactly as if providing access to servers on the private LAN segment: reverse proxy, static NAT, filter exceptions
- Use stateful filter exceptions to allow selected traffic from the private LAN to the DMZ
- It is best not to allow any traffic (including NDS) from the DMZ to the private LAN

23 3-NIC DMZ Example: Web Server
A web server in the DMZ segment needs:
- Either a reverse proxy definition or static NAT
- Filter exceptions for the reverse proxy, or filter exceptions for static NAT
- Filter exceptions to allow updating the web server content from the private LAN, such as:
  - FTP-PORT-ST
  - Source interface = Private, destination interface = DMZ
  - Source ports= , destination ports = 20-21
  - Stateful filtering enabled

24 Odds and Ends
- SET FILTER DEBUG=ON: see specific traffic
- SET TCP IP DEBUG=1: see all traffic
- for a free packet analysis tool
- There is no ACK bit in UDP
- Novell Public Forums: free advice!
- Novell BorderManager: A Beginner's Guide to Configuring Filter Exceptions

25 Changes Coming in BorderManager 3.7
- GUI filtering interface (via iManage)
- Other (information not yet available at the time this version of the presentation was written)

26 Book Giveaway
Novell BorderManager: A Beginner's Guide to Configuring Filter Exceptions

27 Win big
Visit the Access and Security table in the one Net solutions lab to obtain an entry form
