Packet Flow Permutation within Linux


1 Packet Flow Permutation within Linux
Student: Shih-Hsin Chien  Adviser: Dr. Ying-Dar Lin  Date: 2004/09/30

2 Outline
- Issue
- Packet flow with components
- Components compatibility
- Conclusion
- Reference

3 Issues
- Packet flow within firewall, routing, NAT, VPN, IDS, CF, BM
- How each component works and how they interact
- Let the admin write firewall rules with fewer errors
- Add new components to the gateway easily

4 Network socket buffer
Data structure: sk_buff

Field     Meaning
head      points to the start of the sk_buff buffer
data      points to the start of the actual data
tail      points to the end of the actual data
end       points to the end of the sk_buff buffer
len       length of the actual data
truesize  total size of the sk_buff
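As an added illustration of the four pointers in the table (not code from the presentation or from the Linux kernel), the following miniature sk_buff in plain C models head, data, tail, end, len and truesize and the operations a network stack performs on them: reserve headroom, put payload at the tail, push a header in front of the data, and pull a header off on the receive path. Every operation is bounds-checked against [head, end) so that a bad header length cannot move a pointer outside the buffer. Function and struct names are assumptions chosen to mirror the kernel's naming, not the kernel's own API.

```c
/* Added example: a toy sk_buff-style buffer. Names (mini_skb, mskb_*) are
 * assumptions that mirror the kernel's naming; this is not kernel code. */
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

struct mini_skb {
    unsigned char *head;   /* start of the allocated buffer         */
    unsigned char *data;   /* start of the current protocol data    */
    unsigned char *tail;   /* end of the current protocol data      */
    unsigned char *end;    /* end of the allocated buffer           */
    size_t len;            /* bytes of real data: tail - data       */
    size_t truesize;       /* buffer size plus the struct itself    */
};

struct mini_skb *mskb_alloc(size_t size) {
    struct mini_skb *skb = malloc(sizeof *skb);
    if (!skb) return NULL;
    skb->head = malloc(size);
    if (!skb->head) { free(skb); return NULL; }
    skb->data = skb->tail = skb->head;   /* empty: data == tail == head */
    skb->end = skb->head + size;
    skb->len = 0;
    skb->truesize = size + sizeof *skb;
    return skb;
}

void mskb_free(struct mini_skb *skb) {
    if (skb) { free(skb->head); free(skb); }
}

size_t mskb_headroom(const struct mini_skb *skb) { return (size_t)(skb->data - skb->head); }
size_t mskb_tailroom(const struct mini_skb *skb) { return (size_t)(skb->end - skb->tail); }

/* Reserve headroom on an empty buffer so lower-layer headers can later be
 * pushed in front of the payload without copying it. */
int mskb_reserve(struct mini_skb *skb, size_t n) {
    if (skb->len != 0 || n > mskb_tailroom(skb)) return -1;
    skb->data += n;
    skb->tail += n;
    return 0;
}

/* Append n bytes at the tail (building a packet on the transmit path). */
unsigned char *mskb_put(struct mini_skb *skb, const void *src, size_t n) {
    if (n > mskb_tailroom(skb)) return NULL;   /* would run past end */
    unsigned char *p = skb->tail;
    memcpy(p, src, n);
    skb->tail += n;
    skb->len += n;
    return p;
}

/* Prepend a header: move data backwards into the headroom. */
unsigned char *mskb_push(struct mini_skb *skb, const void *hdr, size_t n) {
    if (n > mskb_headroom(skb)) return NULL;   /* would run before head */
    skb->data -= n;
    skb->len += n;
    memcpy(skb->data, hdr, n);
    return skb->data;
}

/* Strip a header: advance data past it (receive path, layer by layer). */
unsigned char *mskb_pull(struct mini_skb *skb, size_t n) {
    if (n > skb->len) return NULL;             /* would run past tail */
    skb->data += n;
    skb->len -= n;
    return skb->data;
}

/* Round trip: reserve room for a 14-byte link header and a 20-byte IP
 * header, put a 5-byte payload, push both headers, then pull them off
 * again as a receiver would. Returns the payload length left (5). */
size_t demo_round_trip(void) {
    struct mini_skb *skb = mskb_alloc(128);
    if (!skb) return 0;
    unsigned char ip[20] = {0x45};   /* constructed placeholder IPv4 header */
    unsigned char eth[14] = {0};     /* constructed placeholder link header */
    size_t out = 0;
    if (mskb_reserve(skb, 14 + 20) == 0 &&
        mskb_put(skb, "hello", 5) &&
        mskb_push(skb, ip, 20) &&
        mskb_push(skb, eth, 14) &&
        mskb_pull(skb, 14) &&
        mskb_pull(skb, 20))
        out = skb->len;
    mskb_free(skb);
    return out;
}
```

The reserve/put/push/pull pattern is what lets each layer prepend its header without copying the payload; the bounds checks are the part worth keeping, since a miscomputed header length that is not checked against headroom or len is exactly how a buffer pointer ends up outside the allocation.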

5 Packet processing internals

6 Complete packet flow

7 Compare with another flow

8 Some issues about permutation
- Security: Firewall vs. VPN
- Compatibility: VPN vs. NAT
- Management: IDS vs. Firewall

9 IPsec vs. Firewall (security problem)
WAN - IPsec - firewall - LAN:
- Allows VPN traffic to be inspected
- Internet security threats
- Multiple authentication challenges
WAN - firewall - IPsec - LAN:
- Protects from Internet security threats
- Does not see the VPN data after decryption

10 IPsec vs. NAT (compatibility problem)
WAN - NAT - IPsec - LAN (outbound packets are NAT-ed after IPsec):
- AH tunnel/transport mode: X
- ESP transport mode: X
- ESP tunnel mode: O
WAN - IPsec - NAT - LAN (outbound packets are NAT-ed before IPsec):
- Hides the real source IP address, since it has already been NAT-ed

11 IPsec vs. NAT (cont.)
How to be compatible:
- Case 1: use NAT before IPsec
- Case 2: IPsec packets are not NAT-ed:
  iptables -t nat -A POSTROUTING -o eth0 -s gw_IP_addr -d \! Subnet_addr -j MASQUERADE
- Encapsulate in UDP packets: does not change the protocol, but has more cost
- Change the IPsec protocol (ESP with null encryption replaces AH; disable the checksum): no extra cost, but only for special NAT
- RSIP protocol
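Slides 10 and 11 state which IPsec modes survive NAT without explaining the mechanism. As an added illustration (not code from the presentation), the C model below reproduces the X/O results of slide 10 for the "WAN - NAT - IPsec - LAN" ordering: AH fails because its integrity check covers the source address that NAT rewrites; ESP tunnel mode passes because the check covers only the inner packet; ESP transport mode fails at the TCP layer because the checksum inside the encrypted payload was computed over the private address, which is the problem the "disable the checksum" option on slide 11 works around. Assumptions: a 32-bit FNV-1a hash stands in for the keyed integrity check value (real AH/ESP use a MAC), the IP header is reduced to the fields the argument needs, and all addresses, ports and the payload are constructed sample values.

```c
/* Added example: why NAT applied after IPsec breaks AH and ESP transport
 * mode but not ESP tunnel mode. FNV-1a stands in for the ICV (assumption);
 * addresses and payload are constructed sample values. */
#include <stdint.h>
#include <string.h>
#include <stddef.h>

struct ip_hdr { uint32_t src, dst; uint8_t ttl, proto; };

static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Serialise the modelled header fields. AH excludes mutable fields such as
 * TTL from its check, so callers may ask for TTL to be written as zero. */
static size_t hdr_bytes(const struct ip_hdr *ip, int zero_mutable, uint8_t *out) {
    put32(out, ip->src); put32(out + 4, ip->dst);
    out[8] = zero_mutable ? 0 : ip->ttl; out[9] = ip->proto;
    return 10;
}

/* 32-bit FNV-1a as a stand-in for the keyed ICV (assumption). */
static uint32_t icv(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* RFC 1071 ones'-complement checksum, as TCP uses it. */
static uint16_t inet_csum(const uint8_t *p, size_t n) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < n; i += 2) sum += (uint32_t)(p[i] << 8 | p[i + 1]);
    if (n & 1) sum += (uint32_t)p[n - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* TCP checksum over the pseudo-header (src, dst, 0, proto 6, length) and the
 * segment: this is where the source address gets bound into the payload. */
static uint16_t tcp_csum(uint32_t src, uint32_t dst, const uint8_t *seg, size_t n) {
    uint8_t buf[12 + 64];
    put32(buf, src); put32(buf + 4, dst);
    buf[8] = 0; buf[9] = 6; buf[10] = (uint8_t)(n >> 8); buf[11] = (uint8_t)n;
    memcpy(buf + 12, seg, n);
    return inet_csum(buf, 12 + n);
}

/* Constructed sample values: private host, its NAT-ed public address, the
 * remote IPsec peer, and an even-length payload. */
enum { PRIVATE_SRC = 0xC0A80105u, PUBLIC_SRC = 0xCB007101u, PEER_DST = 0xCB007201u };
static const uint8_t PAYLOAD[16] = "GET / HTTP/1.0\n";

static void nat_rewrite_src(struct ip_hdr *ip, uint32_t public_addr) {
    ip->src = public_addr;
    ip->ttl--;                                /* a router also decrements TTL */
}

/* AH: the ICV covers the immutable header fields plus the payload. */
static uint32_t ah_icv(const struct ip_hdr *ip) {
    uint8_t buf[10 + sizeof PAYLOAD];
    size_t h = hdr_bytes(ip, 1, buf);
    memcpy(buf + h, PAYLOAD, sizeof PAYLOAD);
    return icv(buf, h + sizeof PAYLOAD);
}

/* AH (transport or tunnel) through NAT: 1 if the receiver's ICV check passes. */
int ah_survives_nat(void) {
    struct ip_hdr ip = { PRIVATE_SRC, PEER_DST, 64, 51 };
    uint32_t sent = ah_icv(&ip);
    nat_rewrite_src(&ip, PUBLIC_SRC);         /* NAT changes a covered field */
    return ah_icv(&ip) == sent;
}

/* ESP tunnel mode: the ICV covers the ESP payload (the whole inner packet)
 * but not the outer header, which is all that NAT touches. */
int esp_tunnel_survives_nat(void) {
    struct ip_hdr inner = { PRIVATE_SRC, PEER_DST, 64, 6 };
    struct ip_hdr outer = { PRIVATE_SRC, PEER_DST, 64, 50 };
    uint8_t esp_payload[10 + sizeof PAYLOAD];
    size_t h = hdr_bytes(&inner, 0, esp_payload);
    memcpy(esp_payload + h, PAYLOAD, sizeof PAYLOAD);
    uint32_t sent = icv(esp_payload, sizeof esp_payload);
    nat_rewrite_src(&outer, PUBLIC_SRC);      /* only the outer header changes */
    return icv(esp_payload, sizeof esp_payload) == sent;
}

/* Constructed TCP segment (sport, dport, checksum, payload) whose checksum
 * the sending host computed over the given source address. */
static size_t build_tcp_segment(uint32_t src, uint8_t *seg) {
    size_t n = 6 + sizeof PAYLOAD;
    seg[0] = 0x12; seg[1] = 0x34; seg[2] = 0x00; seg[3] = 0x50;
    seg[4] = seg[5] = 0;
    memcpy(seg + 6, PAYLOAD, sizeof PAYLOAD);
    uint16_t c = tcp_csum(src, PEER_DST, seg, n);
    seg[4] = (uint8_t)(c >> 8); seg[5] = (uint8_t)c;
    return n;
}

/* ESP transport mode: NAT leaves the ICV intact, but the TCP checksum inside
 * the encrypted payload binds the private source address and NAT cannot
 * rewrite what it cannot read. The receiver checks against the address it
 * sees. Returns 1 if the checksum validates, 0 if not. */
int esp_transport_tcp_csum_ok(int nat_applied) {
    uint8_t seg[6 + sizeof PAYLOAD];
    size_t n = build_tcp_segment(PRIVATE_SRC, seg);
    uint32_t seen_src = nat_applied ? PUBLIC_SRC : PRIVATE_SRC;
    return tcp_csum(seen_src, PEER_DST, seg, n) == 0;
}
```

Read against slide 10: ah_survives_nat() is the AH "X", esp_tunnel_survives_nat() is the ESP tunnel "O", and esp_transport_tcp_csum_ok(1) is the ESP transport "X". The same model also explains why UDP encapsulation (slide 11) works: NAT then rewrites only the outer UDP/IP headers that no inner check covers.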

12 IDS vs. Firewall (management problem)
- IDS -> Firewall: the IDS can provide the firewall with dynamic policy
- Firewall -> IDS: internal network protection, e.g. against viruses and worms
- IDP (Intrusion Detection & Prevention)

13 Components permutation
Components: Firewall, NAT, Routing, VPN, IDS, CF, BM (table axes: back vs. front)
Cell values, LAN to WAN / WAN to LAN: L/R D/D L/L R/R M/M R/L D/M I/M D/L D/I I/I M/I D/R
Legend: M: must, I: impossible, L: likely, R: rarely, D: don't care

14 Components permutation (cont.)
- Firewall & NAT: WAN - NAT - firewall - LAN
- NAT & routing: WAN - NAT - routing - LAN
- VPN & routing: WAN - VPN - routing - LAN
- CF: handled at the application layer

15 Conclusion
- VPN is protected by the firewall
- Packets must be filtered once again after de-VPN (decryption)
- NAT before VPN
- IDS provides the firewall with dynamic policy
- No absolute permutation

16 Reference
- 蔡孟甫、曹世強、林盈達, "NetBSD Kernel Network Security Modules: IPFilter and IPSec" (original title: 「NetBSD核心網路安全模組: IPFilter及IPSec」)
- RFC 3715, "IPsec-Network Address Translation Compatibility Requirements", B. Aboba, W. Dixon, Mar. 2004
- "The IPtables, Dansguardian, VPN Problem: Configuring Firewall and NAT" (original title: 「IPtables, Dansguardian, VPN 的難題:Firewall 與 NAT 的配置」)
- Linux IP Masquerade HOWTO
