Presentation is loading. Please wait.

Presentation is loading. Please wait.

Packet Filtering & Firewalls. Stateless Packet Filtering Assume We can classify a “good” packet and/or a “bad packet” Each rule can examine that single.

Published byNorman Evans Modified over 9 years ago

Similar presentations

Presentation on theme: "Packet Filtering & Firewalls. Stateless Packet Filtering Assume We can classify a “good” packet and/or a “bad packet” Each rule can examine that single."— Presentation transcript:

1 Packet Filtering & Firewalls

2 Stateless Packet Filtering Assume We can classify a “good” packet and/or a “bad packet” Each rule can examine that single packet against a good or bad signature/pattern, and accordingly – the packet either passes on or is dropped silently / dropped “loudly” / logged We run our set of black-list (deny) rules first, followed by our white-list (allow) rules. The first rule that matches takes precedence (no need to examine the rules)

3 Stateless rules Source & Destination IP addresses Transport protocol – TCP / UDP Source & Destination Ports TCP & UDP fields (i.e.: TCP Flags) Packet direction (from X interface to Y interface, internal network->world vs. world- >internal network) Usually not used but possible – o Inspecting deeper layers o Pattern matching on packet data (e.g.: shellcode signature)

4 Stateful Packet Filtering To enable faster and more advanced filtering, the FW stores a list of active (and allowed) connections, and associated metadata If a packet matches a known connection – accept it If it doesn’t, we’ll run through our list of rules to see if the connection is valid

5 Complex Protocols Some protocols are complicated – o VoIP & P2P protocols may need to accept incoming connections o FTP uses one port for control and another (incoming) port for bulk data o TFTP uses random ports for both endpoints o Etc. We need to inspect (and modify) the application layer to perform proper packet filtering (i.e.: allow valid connections to enable these protocols)

6 DNS & DNS Attacks

7 DNS Lookup Example Client Local DNS resolver root & edu DNS server stanford.edu DNS server www.cs.stanford.edu NS stanford.edu www.cs.stanford.edu NS cs.stanford.edu A www=IPaddr cs.stanford.edu DNS server DNS record types (partial list): - NS:name server (points to other server) - A:address record (contains IP address) - MX:address in charge of handling email - TXT:generic text (e.g. used to distribute site public keys (DKIM) ) 7

8 Caching DNS responses are cached at each level o Quick response for repeated translations o Useful for finding servers as well as addresses NS records for domains DNS negative queries are cached o Save time for nonexistent sites, e.g. misspelling Cached data periodically times out o Lifetime (TTL) of data controlled by owner of data o TTL passed with every record 8

9 DNS Packet Query ID: o 16 bit random value o Links response to query (from Steve Friedl) 9

10 Resolver to NS request 10

11 Response to resolver Response contains IP addr of next NS server (called “glue”) Response ignored if unrecognized QueryID 11

12 Authoritative response to resolver final answer bailiwick checking: response is cached if it is within the same domain of query (i.e. a.com cannot set NS for b.com) 12

13 Basic DNS Vulnerabilities Users/hosts trust the host-address mapping provided by DNS: o Used as basis for many security policies: Browser same origin policy, URL address bar Obvious problems o Interception of requests or compromise of DNS servers can result in incorrect or malicious responses e.g.: malicious access point in a Cafe o Solution – authenticated requests/responses Provided by DNSSec Unfortunately, DNSSec is not yet commonly implemented 13

14 DNS cache poisoning (a la Kaminsky’08) Victim machine visits attacker’s web site, downloads Javascript user browser local DNS resolver Query: a.bank.com QID=x 1 attacker attacker wins if  j: x 1 = y j response is cached and attacker owns bank.com ns.bank.com IPaddr 256 responses: Random QID y 1, y 2, … NS bank.com=ns.bank.com A ns.bank.com=attackerIP 14

15 If at first you don’t succeed … Victim machine visits attacker’s web site, downloads Javascript user browser local DNS resolver Query: b.bank.com QID=x 2 attacker 256 responses: Random QID y 1, y 2, … NS bank.com=ns.bank.com A ns.bank.com=attackerIP attacker wins if  j: x 2 = y j response is cached and attacker owns bank.com ns.bank.com IPaddr success after  256 tries (few minutes) 15

16 Defenses Increase Query ID size. How? Randomize src port, additional 11 bits Now attack takes several hours Ask every DNS query twice: o Attacker has to guess QueryID correctly twice (32 bits) o But the DNS system cannot handle the load 16

17 Questions?

Download ppt "Packet Filtering & Firewalls. Stateless Packet Filtering Assume We can classify a “good” packet and/or a “bad packet” Each rule can examine that single."

Similar presentations

Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Review iClickers. Ch 1: The Importance of DNS Security.

Review iClickers. Ch 1: The Importance of DNS Security.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
Module 5: Configuring Access to Internal Resources.

Module 5: Configuring Access to Internal Resources.
Internet Security: How the Internet works and some basic vulnerabilities Slides from D.Boneh, Stanford and others 1.

Internet Security: How the Internet works and some basic vulnerabilities Slides from D.Boneh, Stanford and others 1.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.

Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
Domain Name System Security Extensions (DNSSEC) Hackers 2.

Domain Name System Security Extensions (DNSSEC) Hackers 2.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
Internet Security: How the Internet works and some basic vulnerabilities Dan Boneh CS 155 Spring 2014.

Internet Security: How the Internet works and some basic vulnerabilities Dan Boneh CS 155 Spring 2014.
1 Enabling Secure Internet Access with ISA Server.

1 Enabling Secure Internet Access with ISA Server.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Network Protocols and Vulnerabilities Dan Boneh CS 155 Spring 2010.

Network Protocols and Vulnerabilities Dan Boneh CS 155 Spring 2010.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.

Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

Similar presentations

Ads by Google