Presentation is loading. Please wait.

Presentation is loading. Please wait.

Packet Filtering Dick Steflik.

Published byRudolf Long Modified over 6 years ago

Similar presentations

Presentation on theme: "Packet Filtering Dick Steflik."— Presentation transcript:

1 Packet Filtering Dick Steflik

2 Stateless Packet Filters
A border router configured to pass or reject packets based on information in the header of each individual packet can theoretically be configured to pass/reject based on any field but usually done based on: protocol type IP address TCP/UDP port Fragment number Source routing information

3 Protocol Filtering Filtering based on the IP protocol field allows rejecting of entire protocol suites UDP TCP ICMP IGMP This is almost too general ex suppose you block UDP then any TCP based application won’t be able to convert host/domain to IP address so it is seldom used.

4 IP Address Filtering Pass/reject packets based on membership in a set of acceptable IP addresses Usually not used to block specific hosts oscar is frequently blocked so corporate users can use AIM same for some disk backup services Usually block source routed packets big security hole (explained later) If a hacker knows an address that the filter will pass they can easily forge a packet that will pass through the filter

5 Port Filtering Most commonly used filtering method
can also be thought of as protocol filtering as most ports below 1024 relate to specific high level protocols pass all but those specified reject all but those specified Important ports/protocol to block: telent NetBIOS POP NFS X Windows Windows Terminal Services pcAnywhere and VNC

6 Source Route Filtering
Source routed packed should never be allowed into your network Source routing was added to IP to accommodate debugging Allows you to specify the path a packet will take through your network Strict Source Routing Specifies the exact path to be taken Loose Source Routing Indicates one or more hosts the packet must go through A hacker can plug in their own address and force packets to travel through a machine that they can sniff

7 Loose Source Routing A packet is given a list of hops to be taken
Each packet carries same source address, destination is whatever the next IP in the hop path is; the hop path is in the IP Option field. 131 is the type for Loose Source Routing Length – total length of the option Offset – byte offset to next IP to hop to IP Option field 1 byte 1 byte 1byte 4 bytes 4 bytes Type Length offset IP 1 IP2 ……… 131

8 Loose Source Routed Example
For example, if a packet was generated from , with a final destination of via a hop to , the intial packet would have a source of , a dest of , and an IP option with a length of 7, an offset of 4, and the IP address starting at byte 4 of If forwards LSR packets, it would re-emit the packet with a source of , dest of , offset of 8, and the IP address at offset 4 of Initial source= dest. = IP Option 131,7,4, Initial source= dest. = IP Option 131,8,4, Problem with loose source routing is that some stacks will reverse the source route when responding to a source routed packet, this would make it trivial for a hacker to spoof a packet coming from a trusted source and insert their own address in the source route. The hacker can then sniff on it; the unsuspecting victim would then send return traffic to the spoofed source but LSR it through the attacker

9 Fragmentation Filtering
Fragmentation was added to IP to facilitate passing through a network that only supports small packet sizes Any router in the path can break a large packet up into smaller pieces problem is that the port number is only in the first fragment meaning that filtering on TCP or UDP is lost

10 Problems with Stateless Filters
Effectiveness of stateless filters is limited due to: They cannot check the payload of the packets service related filtering can only be done by application level proxies They do not retain the state of the connections

11 Stateful Packet Filtering
Record the state of all connections flowing through the firewall and use the connection state as the basis for dropping packets create an in memory state table for the state of all Network and session layers pass only packets relating to allowed (configured) ports that are currently in the state table. Drop entries when the TCP close session happens or after a few minutes, this insures that the table stays “clean” and without holes in in it Newer Firewalls all provide Stateful packet filtering some also provide higher level protocol proxying

12 Hacking Through Packet Filters
The following exploits are common: TCP can only be filtered in the 0th fragment setting the fragment number to 1 the packet will usually passe through the packet filter Older packet filters only filter ports below 1024 used to be that only HTTP used higher numbered ports for passing data back to web browsers, many new applications use ports above for normal communication Public services must be forwarded services like the updating of web pages via Netscape Composer must be controlled (possibly bt IP address) to limit public access Trojan horses can defeat packet filters using NAT

13 Best Practices Use a proxy Use Stateful Packet Filters
physically breaks the network path Use Stateful Packet Filters can’t be bypassed like stateless filters Disable all Ports by Default enable only what is absolutely needed if a Trojan Horse get in it will most likely set up a server that the hacker can then attach to, it the port is blocked, this can’t happen Secure the Base Operating System (Hardening) apply all patches provided by vendor check the vendor web site frequently always use a hardened protocol stack

14 IP Chains Stateless packet filter
optionally built into the Linux kernel will pass or deny packets based on a rule set applied against IP header fields used in v 2.2 kernels, replaced by IPTables in 2.4 kernels

15 IPChains Flow lo interface IP Packet checksum sanity Input Chain Route
Decision Forward Chain Output Chain ACCEPT Local DENY DENY DENY Demasquerade

16 IPChains Commands Command Description -A Add rule to chain
-D Delete rule from chain -I Insert rule -R Replace rule -F Flush all rules -L List all rules -N Create new chain -X Delete user defined chain -P Set default targe

17 IPChains Command Options
Command Option Description -s Source address of packet -d Destination address of packet -i Interface packet is arriving from -p Protocol -j Target to send packet to -y For -p tcp. Packet is SYN packet. --icmp-type For -p icmp. -l Log the packet to syslog. /var/log/messages Available in Red Hat 6.0+ kernel

18 IPChains Targets System targets Description (policy)
ACCEPT Let packet through DENY Deny packet REJECT Deny packet and notify sender MASQ Forward chain masquerade REDIRECT Send to different port RETURN Handled by default targets

19 IPChains- Chain Types IP input chain IP output chain
IP forwarding chain User defined chains (just give it a new name instead of the built-in names: input, output or forward)

20 IPChains Example # Flush Rules ipchains -F forward ipchains -F output ipchains -F input # Set default to deny all ipchains -P input DENY ipchains -P output DENY ipchains -P forward DENY # Add Rules # Accept packets from itself (localhost) (s)ource to itself (d)estination # Keeps system logging, X-Windows or any socket based service working. ipchains -A input -j ACCEPT -p all -s localhost -d localhost -i lo ipchains -A output -j ACCEPT -p all -s localhost -d localhost -i lo # Deny and log (option -l) spoofed packets from external network (eth0) which mimic internal IP addresses ipchains -A input -j REJECT -p all -s /24 -i eth0 -l # Accept requests/responses from/to your own firewall machine ipchains -A input -j ACCEPT -p all -d XXX.XXX.XXX.XXX -i eth0 ipchains -A output -j ACCEPT -p all -s XXX.XXX.XXX.XXX -i eth0 # Allow outgoing packets source (s) to destination (d) ipchains -A input -j ACCEPT -p all -s /24 -i eth1 ipchains -A output -j ACCEPT -p all -s /24 -i eth1 # Deny and log (option -l) outside packets from internet which claim to be from your loopback interface ipchains -A input -j REJECT -p all -s localhost -i eth0 -l ipchains -A forward -s /24 -j MASQ ipchains -A forward -i eth1 -j MASQ # Enable packet forwarding echo 1 > /proc/sys/net/ipv4/ip_forward

21 IPTables Commands -A , --append Append rule to chain
-D , --delete Delete rule from chain -I , --insert Insert rule at beginning or at specified sequence number in chain. -R , --replace Replace rule -F , --flush Flush all rules -Z , --zero Zero byte counters in all chains -L , --list List all rules. Add option --line-numbers for rule number. -N , --new-chain Create new chain -X , --delete-chain Delete user defined chain -P , --policy Set default policy for a chain -E , --rename-chain Rename a chain

22 IPTables Command Options
-s , --source Source address of packet -d , --destination Destination address of packet -I , --in-interface Interface packet is arriving from -o , --out-interface Interface packet is going to -p , --protocol Protocol: *tcp --sport port[:port] --dport port[:port] --syn *udp *icmp *mac -j , --jump Target to send packet to -f , --fragment Fragment matching -c , --set-counters Set packet/byte counter -m tcp , --match tcp *--source-port port[:port] (port # or range #:#) *--destination-port port[:port] *--tcp-flags -m state , --match state --state *ESTABLISHED *RELATED *NEW *INVALID (Push content, not expected to recieve this packet.)

23 IPTables Defined Policies
Defined Policies Description ACCEPT Let packet through DROP Deny packet with no reply REJECT Deny packet and notify sender RETURN Handled by default targets MARK Used for error response. Use with option --reject-with type MASQUERADE Used with nat table and DHCP. LOG Log to file and specify message: °--log-level # °--log-prefix "prefix" °--log-tcp-sequence °--log-tcp-options °--log-ip-options ULOG Log to file and specify userpace logging messages SNAT Valid in PREROUTING chain. Used by nat. REDIRECT Used with nat table. Output. DNAT Valid in POSTROUTING chain. Output. QUEUE Pass packet to userspace.

24 IPTables Example Simple firewall for the desktop Linux system:
iptables -P INPUT DROP iptables -P FORWARD DROP iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT Allow network connections which have already been established (started by host) and related to your connection. FTP requires this as it may use various ports in support of the file transfer.) Allow network input/output from self (lo).

25 …more # Allow loopback access. This rule must come before the rules denying port access!! iptables -A INPUT -i lo -p all -j ACCEPT - Rule for your computer to be able to access itself via the loopback iptables -A OUTPUT -o lo -p all -j ACCEPT iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport j DROP - Block NFS iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport j DROP - Block NFS iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 6000:6009 -j DROP - Block X-Windows iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport j DROP - Block X-Windows font server iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 515 -j DROP - Block printer port iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 515 -j DROP - Block printer port iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 111 -j DROP - Block Sun rpc/NFS iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 111 -j DROP - Block Sun rpc/NFS iptables -A INPUT -p all -s localhost -i eth0 -j DROP - Deny packets which claim to be from your loopback interface.

Download ppt "Packet Filtering Dick Steflik."

Similar presentations

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.

Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Securing Network using Linux. Lesson Outline Setting up a secure system TCP Wrapper configuration Firewalls in Linux Authentication Systems –NIS –Kerberos.

Securing Network using Linux. Lesson Outline Setting up a secure system TCP Wrapper configuration Firewalls in Linux Authentication Systems –NIS –Kerberos.
1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.

1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.
Packet Filtering CS-480b Dick Steflik. Stateless Packet Filters A border router configured to pass or reject packets based on information in the header.

Packet Filtering CS-480b Dick Steflik. Stateless Packet Filters A border router configured to pass or reject packets based on information in the header.
Ipchains A packet-filtering Firewalls supported by Linux distributions.

Ipchains A packet-filtering Firewalls supported by Linux distributions.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.

Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
NetFilter – IPtables Firewall –Series of rules to govern what Kind of access to allow on your system –Packet filtering –Drop or Accept packets NAT –Network.

NetFilter – IPtables Firewall –Series of rules to govern what Kind of access to allow on your system –Packet filtering –Drop or Accept packets NAT –Network.
07/11/2012 www.eej.ulst.ac.uk/~ian/modules/COM342/COM342_L10.ppt L10/1/63 COM342 Networks and Data Communications Ian McCrumRoom 5B18 Tel: 90 366364 voice.

07/11/ L10/1/63 COM342 Networks and Data Communications Ian McCrumRoom 5B18 Tel: voice.
January 2009Prof. Reuven Aviv: Firewalls1 Firewalls.

January 2009Prof. Reuven Aviv: Firewalls1 Firewalls.
Packet Filtering and Firewall

Packet Filtering and Firewall
1 IP: putting it all together Part 2 G53ACC Chris Greenhalgh.

1 IP: putting it all together Part 2 G53ACC Chris Greenhalgh.
Chapter 6: Packet Filtering

Chapter 6: Packet Filtering
Firewall and Internet Access Mechanism that control (1)Internet access, (2)Handle the problem of screening a particular network or an organization from.

Firewall and Internet Access Mechanism that control (1)Internet access, (2)Handle the problem of screening a particular network or an organization from.
1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.

1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.

Similar presentations

Ads by Google