CH 2 Packet Filtering
Packet Filtering
- One of the oldest and most widely available means of controlling access to networks
- Simple concept: determine whether a packet is allowed to enter or exit the network by comparing a few
basic identifying fields located in the packet's header against a rule set
- Found in operating systems, in software and hardware firewalls, and as a security feature of most
routers
TCP/IP Primer: How Packet filtering Works
- Information you send is broken down into manageable pieces called packets
- Packet headers are small blocks of information placed at the beginning of a packet to identify it
- Packets are directed, or routed, by the values located in their headers; these same fields are what a
packet filter examines:
 Source address
 Destination address
 Port number, which identifies the service (protocol) the packet is communicating with
 Other information describing the type of service the packet might support (protocol number, TCP
flags, fragment fields)
o TCP and UDP Ports
- TCP (Transmission Control Protocol) – a reliable, connection-oriented way for information to be
communicated
- UDP (User Datagram Protocol) – an unreliable transport protocol that works well with programs that don't
rely on the protocol to make sure their payload gets where it's going
- Both use ports to keep track of communication sessions
- Certain well-known ports are set aside as the port on which a server offers a given service:
HTTP (80), FTP (21), Telnet (23), DNS (53), SMTP (25)
- The port number is the only way a packet filter can tell which service it is filtering; it never looks at
the payload, so a service moved to a non-standard port is invisible to a port-based rule
EX you might want to filter out all Telnet traffic – do so by blocking all traffic directed at TCP port 23
o TCP’s Three-Way Handshake
Host A wants to connect to Host B
1. Host A sends a packet to Host B with the SYN (synchronization) flag set
2. If Host B can and wants to talk to Host A, it returns a packet with both the SYN and ACK flags set
3. Host A returns a packet with the ACK flag set, and the connection is established
Client                      Server
   -------- SYN -------->
   <------ SYN/ACK ------
   -------- ACK -------->
The Cisco Router as a Packet Filter
- The Cisco router's packet filter is known as an access control list (ACL)
 An ACL serves as a laundry list of things for the router to look at in the packet header to decide
whether the packet should be permitted or denied access to a network segment
- Routers are a convenient choice for network filtering because they are already part of your network's
infrastructure and are located at its outermost edge
o The Cisco ACL
- Simply a means to filter traffic that crosses your router
- Two major syntax types
1. Numbered – 1-99 standard, 100-199 extended
 format - access-list <number> <criteria>
2. Named lists
 format – ip access-list <standard|extended> <name>
- Three filtering types
1. Standard
2. Extended
3. Reflexive
EX access-list 111 deny tcp any host 200.200.200.2 eq 80 log
Denies TCP traffic from any source to host 200.200.200.2 on destination port 80 and logs each match; it
says nothing about port 80 on any other host
o Rule Order
- Every ACL ends with an implicit "deny any": a packet that matches no entry is dropped (must be careful;
an ACL that contains only deny statements blocks everything)
- The implicit deny takes effect as soon as even one access list is applied to an interface on a Cisco
router
- Because rules are processed from the top down and a packet only has to match one rule to be
dropped or allowed into the network, it is imperative to put specific filters before general filters
- When a packet "matches" a rule, the packet is immediately dropped (deny rule) or forwarded (permit
rule) without being tested by the rest of the access list
Effective Uses of Packet-Filtering Devices
o Filtering based on Source Address: The Cisco Standard ACL
- One of the things packet-filtering technology is great for is blocking or allowing traffic
based on the IP address of the source system
- Used for filters blocking specific hosts (black-listing), filters allowing specific hosts, and in the
implementation of ingress and egress filters
- A standard access list is used to specifically allow or disallow traffic from a given source IP address
only
- Cannot filter based on destination address or port number
- Less expensive and faster than other firewall technologies, because so little of the packet is examined
- Only one access list can be applied per direction (in or out) per interface. This means a maximum
of two applied ACLs per interface: one inbound and one outbound
Note
"in" means traffic arriving at the router through that interface
"out" means traffic leaving the router through that interface
EX Simple dual-interface router: interface E1 faces the internal network and interface S1 faces the
Internet. Each interface has an "in" direction (packets arriving at the router) and an "out" direction
(packets leaving the router), so Internet traffic bound for the inside is "in" on S1 and "out" on E1
- Always try to filter traffic at the first interface it enters, i.e., apply your filters "inbound" as much
as possible, so the router does not spend cycles routing a packet it is going to drop anyway
o Black- Listing: The Blocking of Specific Address
- The most popular reason for blocking a given address is mischief
- If your IDS shows that you are being scanned constantly by a given address, or you have found that
a certain IP address seems to be constantly trying to log in to your systems, you might simply want
to block it as a preventive measure
- Blocking address ranges is also a popular way to band-aid your network against an immediate
threat
- Must be careful when doing this: a range can take legitimate users offline, and a source address can be
spoofed precisely to trick you into blocking someone else
o “Friendly Net”: Allowing Specific Addresses
- Another way you can use a standard access list is to permit traffic from a given IP address – not
recommended
- Allowing access to an address in this manner, without any kind of authentication, can make you a
candidate for attacks and scans that use spoofed addresses
o Ingress Filtering
- RFC 1918 defines the private address ranges
- Private/reserved addresses are ranges of IP addresses that will never be assigned for public use, so a
packet arriving from the Internet with one of them as its source is spoofed or misconfigured
- These ranges should be blocked inbound on the outside interface of your network (not all of them are
RFC 1918 ranges, but none of them is a valid Internet source)
1. Class A: 10.0.0.0 – 10.255.255.255 (10.0.0.0/8) – RFC 1918 private block
2. Class B: 172.16.0.0 – 172.31.255.255 (172.16.0.0/12) – RFC 1918 private block
3. Class C: 192.168.0.0 – 192.168.255.255 (192.168.0.0/16) – RFC 1918 private block
4. 127.0.0.0 – 127.255.255.255 – loopback range; 127.0.0.1 is the default address all IP stations use to
"address" themselves
5. 224.0.0.0 – 239.255.255.255 – multicast address range
6. 0.0.0.0 (and the rest of 0.0.0.0/8)
7. It is also advisable to create a rule to block traffic coming into your network that claims to have a
source address matching that of your internal network
o Egress Filtering
- Only packets with your network's source address should be leaving your network
- By creating an ACL on the outside interface that only permits your subnet's addresses as a source, you
prevent spoofed traffic from touching the outside world (and stop your hosts from being used in spoofed
attacks against others)
- Implicit deny takes care of denying all other source addresses
- It is also possible to set up filters that prevent traffic from leaving your network from specified
systems
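The ingress and egress checks above, written out as a small Python filter. This is an added example, not code from the notes or from Cisco IOS: it models what a standard ACL on the Internet-facing interface does (source address only), and assumes an internal network of 192.168.100.0/24. The loopback and 0.0.0.0 entries are widened to their whole /8 blocks, and the two render functions print the equivalent numbered standard ACL lines with Cisco wildcard masks.

```python
"""Ingress/egress source-address filter (added example, not from the notes).

Models the checks a standard ACL on the outside interface performs, using
only the source address. INTERNAL_NET is an assumption for this example.
"""
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("192.168.100.0/24")   # assumed internal subnet

# Ranges from the notes: never a valid source arriving from the Internet.
# 127.0.0.1 and 0.0.0.0 are widened to their whole /8 blocks.
NEVER_FROM_OUTSIDE = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
    ip_network("127.0.0.0/8"),
    ip_network("224.0.0.0/4"),
    ip_network("0.0.0.0/8"),
]


def ingress_verdict(src):
    """Inbound on the outside interface: drop spoofed or reserved sources."""
    addr = ip_address(src)
    if addr in INTERNAL_NET:
        return "deny", "claims an internal source address (spoofed)"
    for net in NEVER_FROM_OUTSIDE:
        if addr in net:
            return "deny", f"reserved source range {net}"
    return "permit", None


def egress_verdict(src):
    """Outbound on the outside interface: only our own addresses may leave."""
    addr = ip_address(src)
    if addr in INTERNAL_NET:
        return "permit", None
    return "deny", "not our source address (implicit deny)"


def ingress_acl(number=10):
    """The inbound policy as numbered standard ACL lines (wildcard masks)."""
    lines = [f"access-list {number} deny {net.network_address} {net.hostmask}"
             for net in [INTERNAL_NET] + NEVER_FROM_OUTSIDE]
    # Without a final permit the implicit deny would drop every legitimate packet.
    lines.append(f"access-list {number} permit any")
    return lines


def egress_acl(number=11):
    """The outbound policy: one permit; the implicit deny handles the rest."""
    return [f"access-list {number} permit "
            f"{INTERNAL_NET.network_address} {INTERNAL_NET.hostmask}"]


if __name__ == "__main__":
    for probe in ("10.1.2.3", "192.168.100.7", "203.0.113.5"):   # constructed inputs
        print(probe, ingress_verdict(probe), egress_verdict(probe))
    print("\n".join(ingress_acl() + egress_acl()))
```

The internal-network check runs before the reserved-range check so that a spoofed internal source is reported as such even though 192.168.100.0/24 also falls inside 192.168.0.0/16; the rendered ACL keeps the same order for the same reason.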
o Filtering by Port and Destination Address: The Cisco Extended ACL
- Filters on packet header information, including port numbers:
1. Source address
2. Destination address
3. Protocol type
4. Specific layer 4 port number information
5. TCP flags (via the established keyword)
- Advantages
1. Flexibility – far more conditions to filter on than a standard list
2. Granularity – the effectiveness of the Cisco router as a packet filter is greatly increased
3. Viable for many environments, because the router is already in place
- Cisco syntax
access-list <number 100-199> <permit|deny> <protocol> <source> <source-wildcard> [<source-port>]
<destination> <destination-wildcard> [<destination-port>] [log|log-input]
- <protocol> - the common selections are ip, tcp, udp, and icmp. Because TCP, UDP, and ICMP are all
carried inside IP, using ip as the protocol on an access list permits or denies all three (and every other
IP protocol)
- <source-port> or <destination-port> - optional entries that specify the type of traffic you want to
allow or disallow
- When specifying a port number or name, you must also include an operator
 eq – equal to this port number
 gt – any port above this number
 lt – any port below this number
 range – an entire contiguous range of port numbers (e.g., range 20 21)
- As mentioned previously, allowing access from a given IP address is not a favored practice. The main
reason is lack of control and the danger of spoofing
- Be sure to tightly harden the system if you elect to control access to its resources solely through the use
of packet filters, without further authentication
- The main function of the extended access list is the filtering of certain types of traffic
- You can allow or disallow certain types of traffic entering your network
1. Denying traffic to a list of popular Trojan horse program ports (remember that the port is only a
hint; the program can be moved to any port)
2. Disallowing the ports used by programs that conflict with your Internet usage or security policies
(IRC, Napster, instant messenger programs, etc.)
3. ICMP traffic – one of the most exploited of the protocols
- it is recommended that you block incoming echo requests (used by ping and traceroute), block
outgoing echo replies, and block time-exceeded messages leaving your network (traceroute depends on
them to map your topology), for maximum security
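To make the extended-list syntax, the wildcard masks, the port operators, the top-down first-match rule and the implicit deny concrete, here is a small evaluator written in Python. It is an added example, not code from the notes or from Cisco IOS: it parses access-list lines in the syntax above (the second line of the constructed list is the example from the notes), evaluates constructed packets against them, and includes a second, misordered list to show a general permit swallowing the specific deny that follows it.

```python
"""Evaluator for Cisco-style extended access lists (added example, not
from the notes or from Cisco). Parses

    access-list <n> <permit|deny> <proto> <src> [<op port>] <dst> [<op port>] [log]

and evaluates packets top-down, first match wins, implicit deny at the end.
Packets are plain dicts (constructed data); nothing is sent or captured.
"""
from ipaddress import IPv4Address

# Constructed list; the second line is the example from the notes.
ACL_TEXT = """
access-list 111 permit tcp host 200.200.200.1 any eq 25
access-list 111 deny tcp any host 200.200.200.2 eq 80 log
access-list 111 permit tcp any 200.200.200.0 0.0.0.255 range 20 21
access-list 111 permit udp any any eq 53
access-list 111 permit icmp any any
"""
# Same deny, but placed after a general permit: it can never match.
MISORDERED_TEXT = """
access-list 112 permit tcp any any
access-list 112 deny tcp any host 200.200.200.2 eq 80 log
"""
PORT_OPS = ("eq", "gt", "lt", "range")


def _take_addr(tokens):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(IPv4Address(tokens.pop(0))), 0
    return int(IPv4Address(tok)), int(IPv4Address(tokens.pop(0)))


def _take_port(tokens):
    """Consume an optional port operator; None means 'any port'."""
    if tokens and tokens[0] in PORT_OPS:
        op = tokens.pop(0)
        lo = int(tokens.pop(0))
        hi = int(tokens.pop(0)) if op == "range" else lo
        return op, lo, hi
    return None


def parse_acl(text):
    """Turn access-list lines into rule dicts, preserving their order."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue
        rule = {"number": int(tokens[1]), "action": tokens[2],
                "proto": tokens[3], "text": line}
        rest = tokens[4:]
        rule["src"] = _take_addr(rest)
        rule["sport"] = _take_port(rest)
        rule["dst"] = _take_addr(rest)
        rule["dport"] = _take_port(rest)
        rule["log"] = bool(rest) and rest[0] in ("log", "log-input")
        rules.append(rule)
    return rules


def _addr_match(spec, addr):
    """Cisco wildcard mask: a 1 bit means 'don't care' for that bit."""
    base, wildcard = spec
    return (int(IPv4Address(addr)) ^ base) & ~wildcard & 0xFFFFFFFF == 0


def _port_match(spec, port):
    if spec is None:
        return True
    op, lo, hi = spec
    return {"eq": port == lo, "gt": port > lo,
            "lt": port < lo, "range": lo <= port <= hi}[op]


def evaluate(rules, pkt):
    """Return (verdict, matched rule text); (deny, None) is the implicit deny."""
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != pkt["proto"]:
            continue                       # 'ip' covers tcp, udp, icmp, ...
        if not (_addr_match(r["src"], pkt["src"]) and _addr_match(r["dst"], pkt["dst"])):
            continue
        if pkt["proto"] in ("tcp", "udp"):
            if not (_port_match(r["sport"], pkt.get("sport", 0))
                    and _port_match(r["dport"], pkt.get("dport", 0))):
                continue
        elif r["sport"] or r["dport"]:
            continue                       # port operators never match ICMP
        return r["action"], r["text"]      # first match ends the search
    return "deny", None                    # implicit deny


if __name__ == "__main__":
    web = {"proto": "tcp", "src": "1.2.3.4", "sport": 40000,
           "dst": "200.200.200.2", "dport": 80}
    for text in (ACL_TEXT, MISORDERED_TEXT):
        print(evaluate(parse_acl(text), web))
```

Running it shows the web request to 200.200.200.2 denied (and logged) by list 111 but permitted by list 112, where the general permit comes first; the same request to 200.200.200.3 falls through list 111 to the implicit deny because no permit covers port 80 there.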
Problems with Packet Filters
- Spoofed and fragmented traffic can bypass the packet filter if protections aren't properly implemented
o Spoofing and Source Routing
- Spoofing means sending a packet addressed with false information, so it appears to come from
somewhere other than where it did
- It's possible that an internal host could believe the packet came from a "trusted" host that has
rights to private information, and could in turn reply to the spoofed address
- Source routing allows a packet to carry information that tells a router the "correct" or a better way
for it to get back to where it came from, allowing it to override the router's prescribed routing rules
for the packet; combined with a spoofed source it lets the attacker receive the replies, so source-routed
packets should be dropped at the perimeter (on IOS, no ip source-route)
o Fragments
- Many of the great fragmentation attacks were originally designed to defeat packet-filtering technology
- Originally, some packet-filtering technologies allowed all fragments to pass, which wasn't good
- One attack splits the packet into such small pieces that the header containing the TCP or UDP
port information (or the TCP flags) is divided across fragments – most filters only check the first
fragment and let the rest pass, and a second fragment with offset 1 can even overwrite the flags the
first fragment carried
- Solution to fragment attacks – RFC 1858 defines methods to deter hostile fragment flows
 Dropping initial fragments that are smaller than a defined minimum (too small to hold the transport
header fields being filtered on)
 Dropping any TCP fragment with fragment offset 1, since it could overwrite the first fragment's flags
 Fragment reassembly before packets are ruled on
o Opening a “Hole” in a Static Packet Filter
- One of the great flaws of static packet filtering is that to allow a protocol into a network, you need to
open a "hole" that stays open whether or not a legitimate session is in progress
- It is recommended when opening a port using an access list of this type that you limit the target hosts
as much as possible with the access list
o Two-Way Traffic and the established Keyword
- Adding the word established to a TCP entry makes it match only packets with the ACK or RST flag set,
i.e., packets that look like replies to connections opened from the inside; any traffic other than such
return traffic is blocked, theoretically
- Stealthy scanning: the router does not remember which connections were actually opened, so an
attacker can set the ACK flag on probe packets (an ACK scan) and get them through the established
entry
- Despite the drawbacks of the established keyword, it is one of the only static means by which a
Cisco router can allow only return traffic back into your network
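The fragment problem and the established keyword come down to the same question: are the TCP flags actually visible in the packet the router is ruling on? The following Python model is an added example, not code from the notes or from Cisco IOS. It builds constructed TCP headers, splits them into 8-byte fragments the way the tiny-fragment attack does, and runs them through two filters: a naive one that only rules on the first fragment and permits whatever it cannot see, and one with the RFC 1858 checks in front of the established test. The last case shows an ACK-only probe passing the hardened filter, which is the stealthy-scanning weakness described above.

```python
"""Fragment handling and the 'established' test (added example, not from
the notes or from Cisco IOS). Fragments are records carrying the transport
bytes they contain; the IP header is omitted so the code can focus on the
RFC 1858 checks and on whether the TCP flags byte is present to rule on.
All packets are constructed test data.
"""
from dataclasses import dataclass

TCP_FLAGS_OFFSET = 13     # byte index of the flags field in a TCP header
TMIN = 16                 # RFC 1858: a first fragment must carry at least this much
SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass
class Fragment:
    offset: int      # IP fragment offset, in 8-byte units
    more: bool       # IP "more fragments" bit
    data: bytes      # transport-layer bytes carried by this fragment


def tcp_header(sport, dport, flags):
    """A 20-byte TCP header with no options (checksum left zero)."""
    return (sport.to_bytes(2, "big") + dport.to_bytes(2, "big")
            + bytes(8)                            # sequence and ack numbers
            + bytes([5 << 4, flags]) + bytes(6))  # data offset, flags, window/csum/urg


def fragment(header, chunk=8):
    """Split transport bytes into IP fragments of `chunk` bytes (a multiple of 8)."""
    return [Fragment(i // 8, i + chunk < len(header), header[i:i + chunk])
            for i in range(0, len(header), chunk)]


def is_established(frag):
    """IOS 'established': ACK or RST set. None if the flags are not in this fragment."""
    if frag.offset != 0 or len(frag.data) <= TCP_FLAGS_OFFSET:
        return None
    return bool(frag.data[TCP_FLAGS_OFFSET] & (ACK | RST))


def rfc1858_drop(frag):
    """RFC 1858 for TCP: drop tiny first fragments and any fragment at offset 1."""
    if frag.offset == 0 and len(frag.data) < TMIN:
        return True                      # flags absent: cannot be ruled on
    if frag.offset == 1:
        return True                      # could overwrite fragment 0's flags
    return False


def naive_filter(frags):
    """Old behaviour: rule on fragment 0 only; what it cannot see, it permits."""
    out = []
    for f in frags:
        if f.offset != 0:
            out.append("permit")         # non-initial fragments pass unchecked
        else:
            out.append("deny" if is_established(f) is False else "permit")
    return out


def hardened_filter(frags):
    """Same policy with the RFC 1858 checks in front of it."""
    out = []
    for f in frags:
        if rfc1858_drop(f):
            out.append("deny")
        elif f.offset != 0:
            out.append("permit")         # harmless alone: never reassembles without fragment 0
        else:
            out.append("permit" if is_established(f) else "deny")
    return out


if __name__ == "__main__":
    syn_to_telnet = tcp_header(1072, 23, SYN)
    print("whole SYN, naive:    ", naive_filter([Fragment(0, False, syn_to_telnet)]))
    print("8-byte frags, naive: ", naive_filter(fragment(syn_to_telnet)))
    print("8-byte frags, 1858:  ", hardened_filter(fragment(syn_to_telnet)))
    # An ACK-only probe (ACK scan) still passes: established keeps no connection state.
    print("ACK probe, 1858:     ", hardened_filter([Fragment(0, False, tcp_header(40000, 23, ACK))]))
```

The whole SYN is denied by both filters, but once split into 8-byte pieces the naive filter permits all three fragments, because the first one holds only the ports and the flags live in the second; the RFC 1858 checks drop both of those, and the third fragment is useless on its own. Reassembling before ruling, the third RFC 1858 method, is what stateful filters do instead.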
o The established Keyword and the Problem of DNS
- established applies only to TCP; DNS replies normally arrive over UDP, which has no flags, so they
cannot be admitted with established and need a rule of their own (for example, udp from port 53 to your
resolvers)
o Protocol Problems: Extended Access Lists and FTP
- File Transfer Protocol (FTP) is a popular means to move files back and forth between remote
systems
- Problems
 Allows a malicious user to pull company information (including password files) from inside servers
 A user could upload files in an attempt to fill a hard drive and crash a server
 Upload a Trojan
 Overwrite important server configuration files with ones that allow compromise of the server
- FTP is also one of the more complicated services to secure because of the way it works: it uses a
control connection (port 21) plus a separate data connection, and in active mode the server opens the
data connection itself, from port 20 back to a port on the client
- Securing incoming FTP connections is relatively easy, but securing outgoing FTP connections is
considerably more difficult, because the server's active-mode data connection arrives as a new inbound
connection (SYN set, no ACK) that an established entry rightly blocks
- Solution – passive FTP clients (PASV) – works like active FTP until the data connection
 The FTP server tells the client (over the control connection the client already opened) which >1023
port it wants to use to transfer data, and the client opens the data connection outbound to that port
 All traffic that comes from the server is then return traffic, permitting extended lists with the
established keyword to function correctly
Dynamic Packet Filtering and the Reflexive Access List
- The problems with static packet filtering and extended ACLs can be alleviated by dynamic packet-filtering
technology
- Concept: filters are built on the fly as needed and torn down after connections are broken
- Reflexive access list – Cisco's example of dynamic packet-filtering technology
 An entry is set up on the outbound interface that watches defined connection types to the outside
world
 When the traffic returns, it is compared to an access list that was dynamically created as the outgoing
traffic left the network
- EX
Client with IP address 192.168.100.2 – reflexive access list set up to watch TCP traffic to the Telnet
port
Server with IP address 100.100.100.1
The reflexive access list would see the client sending a Telnet packet out from port 1072 (random > 1023)
to port 23 on the server
The reflexive access list would then generate an incoming entry based on this outgoing connection
Client 192.168.100.2.1072 > telnet server 100.100.100.1.23
Reversed into an incoming entry that permits traffic from server to client, it would look like
access-list 111 permit tcp host 100.100.100.1 eq 23 host 192.168.100.2 eq 1072
The dynamically generated entry is deleted after the connection has ended
- Problems
 One reset packet is all that is required to entirely remove a reflexively generated entry
 Reflexive access lists keep no record of TCP flags, so once the entry exists, traffic that is not a reply
(a fresh SYN from the server's port 23 to the client's port) could flow in without an alarm being sounded
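The Telnet example and both problems above, played through in a small Python model of a reflexive list. This is an added example, not code from the notes or from Cisco IOS: an outbound packet to a watched port creates the mirrored inbound entry, a reset tears it down, and inbound packets are matched on addresses and ports only. Real IOS also ages entries out and removes them when the session closes normally; that is left out here. The addresses and ports are the ones from the notes' example.

```python
"""Reflexive access-list simulation (added example, not from the notes or
from Cisco IOS). Outbound traffic to a watched port creates a mirrored
inbound entry; a reset removes it. Timeouts and normal session close,
which IOS also handles, are omitted. All packets are constructed test data.
"""
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


class ReflexiveACL:
    def __init__(self, watched_dports):
        self.watched = set(watched_dports)
        self.entries = set()   # (src, sport, dst, dport) tuples permitted inbound

    def outbound(self, pkt):
        """Traffic leaving through the outside interface."""
        if pkt.dport in self.watched:
            # Mirror the 4-tuple: the reply comes from dst:dport back to src:sport.
            self.entries.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return "permit"

    def inbound(self, pkt):
        """Traffic arriving on the outside interface."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.entries:
            return "deny"                # implicit deny: no matching dynamic entry
        if pkt.flags & RST:
            self.entries.discard(key)    # one reset is enough to tear the entry down
        return "permit"                  # other flags are not inspected at all

    def render(self, number=111):
        """The dynamic entries in the syntax the notes use."""
        return [f"access-list {number} permit tcp host {s} eq {sp} host {d} eq {dp}"
                for s, sp, d, dp in sorted(self.entries)]


def telnet_session_trace():
    """Walk through the notes' example; return (direction, verdict) per step."""
    acl = ReflexiveACL(watched_dports={23})
    client, server = "192.168.100.2", "100.100.100.1"
    steps = [
        ("out", Packet(client, 1072, server, 23, SYN)),        # client opens Telnet
        ("in",  Packet(server, 23, client, 1072, SYN | ACK)),  # legitimate reply
        ("in",  Packet(server, 23, client, 1073, ACK)),        # wrong port: no entry
        ("in",  Packet(server, 23, client, 1072, SYN)),        # not a reply, still passes
        ("in",  Packet(server, 23, client, 1072, RST)),        # spoofed reset removes entry
        ("in",  Packet(server, 23, client, 1072, ACK)),        # genuine traffic now blocked
    ]
    return [(d, acl.outbound(p) if d == "out" else acl.inbound(p)) for d, p in steps]


if __name__ == "__main__":
    for direction, verdict in telnet_session_trace():
        print(direction, verdict)
```

Steps four and five are the two problems from the list above: a packet from the server's port 23 that is not a reply is permitted because only the 4-tuple is checked, and a single forged RST from that 4-tuple (the attacker needs only the client's ephemeral port, which is guessable) removes the entry and cuts off the real session.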