Presentation on theme: "Firewalls. Evil Hackers FirewallYour network Firewalls mitigate risk Block many threats They have vulnerabilities."— Presentation transcript:

1 Firewalls

2 (Diagram: Evil Hackers -> Firewall -> Your network)

3 Firewalls mitigate risk Block many threats They have vulnerabilities

4 Firewalls can be your connection to the Internet. As a prerequisite to this course you already know about networking, but it is worthwhile to look at the interface to the Internet with respect to security.

5 Typical Network Stack
Application Layer (FTP, HTTP, SSH, etc.)
Transport Layer (TCP, UDP, ICMP)
Internet Layer (IP)
Network Access Layer (Ethernet, FDDI, etc.)
(If you have a Novell or AppleShare network, the IP layer will be different.)
(Carrier Pigeon Network Layer: RFC 1149 of 1 April 1990 defines the Avian Transport Protocol.)

6 Packet Organization Each layer’s packet organization has a header and data fields. Each layer treats the information it gets from the layer above it as data, i.e. every layer adds a header.

7 Encapsulation
(Diagram: Application (FTP, HTTP, …) -> Transport (TCP, UDP, …) -> Internet (IP) -> Network (Ethernet); at each layer the packet is shown as Header + Data, where Data is the whole packet of the layer above.)

8 Ethernet Layer
Header:
– Packet Type, e.g. IP
– Source Address: original source or last router on the path
– Destination Address: final destination or next router; may be multicast or broadcast
– Addresses are Media Access Control (MAC) addresses
Data is an IP packet

9 IP Layer
Header:
– IP Source Address, e.g. 35.9.20.20
– IP Destination Address
– IP Protocol Type, e.g. TCP, UDP, ICMP
Data: TCP packet (or UDP, etc.)
Fragmentation: if (network max packet size < IP max size), split the data into multiple packets (fragments)

10 TCP Layer
Header:
– TCP Source Port (2 bytes)
– TCP Destination Port
– TCP Flags: designate the packet type (ACK, SYN, etc.)
Data: application data, e.g. FTP data

11 Multicast or Broadcast Source
Legitimate use: a DHCP request uses a broadcast source since the host doesn't have a valid address yet
Illegitimate use: sending a packet with a broadcast source to a single destination prompts a broadcast reply, letting the sender use the destination as a broadcast source
Since DHCP isn't external (normally), block packets with a broadcast source

12 IP Fragmentation
Prevent fragmentation with path MTU discovery
– Maximum Transmission Unit (MTU)
– Send a message with "don't fragment" set: if (error returned), decrease size; else increase size

13 Packet Filters & Fragmentation
Solution: apply the packet filter only to the first fragment and let non-first fragments through. If you drop the first, a higher-level protocol (TCP) will invalidate the rest.
Problem #1: the destination holds the non-first fragments waiting for the missing one (until timeout), resulting in Denial of Service!

14 Packet Filter & Fragmentation
Problem #2: an attacker carefully constructs overlapping fragments so that non-first fragments contain useful information. Overlapping fragments may be reassembled into invalid packets, causing the OS to crash.

15 Packet Filter & Fragmentation
Problem #3: an attacker can get information to otherwise blocked ports by placing valid TCP packets in non-first fragments, which slip through.

16 Packet Filter & Fragmentation Solutions
Fragment reassembly before filtering: time consuming
Reject all non-first fragments: may reject otherwise good connections, but they will retransmit
Increased use of path MTU discovery is reducing fragmentation

17 TCP
TCP is reliable because it guarantees to the application layer:
– Provide data in the order it was sent
– Provide all data sent
– Will not provide duplicates
It will kill a connection before violating any of these.

18 Blocking TCP
To block a TCP connection, simply block the first packet.
The first packet is unique: ACK is not set
– the "start-of-connection" packet
Can enforce a policy of only allowing connections to external servers, i.e. deny external connection requests to internal servers

19 TCP Options
Common TCP Options:
– ACK (acknowledgement)
– SYN (synchronize)
– RST (reset)
– FIN (finish)
The 3-way handshake uses ACK & SYN
RST & FIN are used to close connections

20 TCP Options
Firewalls use ACK and RST
– ACK identifies the first packet of a connection (it is the one with ACK clear)
– RST tells people to "shut up" without providing a useful error message
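As an added example (not part of the original presentation), the following stateless filter applies two of the rules above: slide 16's "reject all non-first fragments" and slide 18's "block the first (ACK-clear) packet" for inbound TCP. The internal network 10.42.6.0/24 and the constructed packets are assumptions; the two addresses come from slides 9 and 31.

```python
import ipaddress
import struct

# Constructed example: the network behind the firewall (not from the slides).
INTERNAL = ipaddress.ip_network("10.42.6.0/24")
TCP_PROTO = 6
SYN, ACK = 0x02, 0x10  # bit values in the TCP flags byte


def parse_ipv4(pkt):
    """Pull the fields the filter needs out of a raw IPv4 packet."""
    (ver_ihl, _tos, _total_len, _ident, flags_frag, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes, options included
    return {
        "proto": proto,
        "frag_offset": flags_frag & 0x1FFF,  # 0 marks the first (or only) fragment
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "payload": pkt[ihl:],
    }


def filter_packet(pkt):
    """Return the verdict for one packet: 'PASS' or a 'DROP ...' reason."""
    ip = parse_ipv4(pkt)
    # Slide 16: only the first fragment carries the TCP header, so later ones
    # cannot be inspected; reject them and let TCP retransmit the datagram.
    if ip["frag_offset"] != 0:
        return "DROP non-first fragment"
    if ip["proto"] != TCP_PROTO:
        return "PASS"  # this toy only enforces the TCP connection policy
    flags = ip["payload"][13]  # TCP flags byte follows the data-offset byte
    inbound = ip["dst"] in INTERNAL and ip["src"] not in INTERNAL
    # Slide 18: the start-of-connection packet is the one with ACK clear.
    # Dropping it inbound denies external connection requests; replies to
    # connections opened from inside always carry ACK and still pass.
    if inbound and flags & SYN and not flags & ACK:
        return "DROP inbound connection request"
    return "PASS"


def build_packet(src, dst, tcp_flags, frag_offset=0, proto=TCP_PROTO):
    """Construct a minimal IPv4 + TCP packet for testing (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 22, 0, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, frag_offset & 0x1FFF,
                     64, proto, 0, ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return ip + tcp
```

Note that the UDP case falls through as "PASS" because, as slide 23 says, UDP has no uniquely identifiable first packet for a stateless filter to key on.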

21 TCP Sequence Numbers
Sequence numbers allow reconstruction of the correct order of packets
Supposed to begin with a random number, but often it is not random: a vulnerability!
How to hijack a TCP connection?

22 Hijacking a TCP Connection
Attacker needs:
– Ability to forge TCP/IP packets
– Initial sequence number
– Knowledge that a TCP connection has started (but not the ability to see it)
– When the TCP connection started
– Ability to redirect responses to you, OR to continue the conversation without the responses reaching you while achieving your goal
Thought to be too hard, but exists in the wild.

23 UDP
Since UDP does not guarantee reliability, there is no uniquely identifiable first packet.

24 ICMP
Examples:
– Echo Request: sent by ping
– Echo Response
– Time exceeded (really hops exceeded)
– Destination unreachable
– Redirect (a router redirected a packet and is telling the sender that a better way exists)

25 ICMP
"Destination Unreachable" has codes to indicate the reason
The relevant one is "Fragmentation Needed" (with "Don't Fragment" set), used for path MTU discovery
Desirable to drop all other "unreachable" replies since they provide useful information to scanners
Most firewalls do not allow discrimination on ICMP reason

26 ICMP Attacks
ICMP packets should be very small; large ones indicate a problem, so filter out large ones.
For example, echo packets allow padding which could contain data. Not useful for cracking, but could be used to maintain a connection to a compromised site.

27 IP over IP
Encapsulating IP over IP:
– Encrypted traffic
– Mobile IP (movement with a fixed IP)
– Burying a protocol: multicast over non-supporting networks, IPv6 over IPv4
– VPN: virtual private networks
Problem: the firewall cannot see the "actual" IP packet (encrypted) or may not look at it

28 Low-level Attacks
Port scanning:
– Send SYN without ACK; receive SYN if open or RST if not
– Send FIN
"All options on" = Christmas tree (lights it up)
"All options off" = null
Either can crash a weak TCP/IP stack

29 Low-level Attacks
IP Spoofing: apparent problem: the reply is not sent to the attacker
– Attacker can intercept the reply
– Attacker doesn't care to see it (e.g. DoS)
– Attacker doesn't want the reply: the smurf attack redirects the responses to carry out the attack while multiplying replies with a broadcast source

30 Packet Filtering Pro/Con
Pro
– One filter can protect an entire network
– Simple filtering is efficient
– Widely available
Con
– Not perfect: hard to configure and test
– Reduces router performance
– Some security policies cannot be enforced, e.g. block a user

31 Network Address Translation (NAT) (Linux calls it masquerading)
(Diagram: Server <-> NAT, translating the internal address 10.42.6.9 to the external address 35.9.20.20 <-> Client)

32 NAT Pro/Con
Pro
– Enforces control over outbound connections
– Dynamic translation is more restrictive: a changing mapping increases attack difficulty
– Conceals internal configuration
Con
– Dynamic translation requires maintaining state (how long to keep a connection open?)
– Interferes with some encryption schemes
– Dynamic translation interferes with logging
– Dynamic translation of ports can interfere with filtering
