Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download Slide 1
Document related concepts
Computer network wikipedia , lookup
Piggybacking (Internet access) wikipedia , lookup
Deep packet inspection wikipedia , lookup
Network tap wikipedia , lookup
TCP congestion control wikipedia , lookup
Wake-on-LAN wikipedia , lookup
Parallel port wikipedia , lookup
Internet protocol suite wikipedia , lookup
Distributed firewall wikipedia , lookup
Recursive InterNetwork Architecture (RINA) wikipedia , lookup
Transcript
Firewall Configuration Rules Firewall Configuration Rules Port review Nat Review Proxy Review Firewall Configuration Port Review PROTOCOL and PORT NUMBERS APPLICATION LAYER TFTP Source Port 5512 TRANSPORT LAYER Destination Port 69 UDP NETWORK LAYER 17 IP Header Source IP Address; 128.66.12.2 Destination IP Address; 128.66.13.1 DATA LINK LAYER ETHERNET PREAMBLE DESTINATION ADDR 00 00 1B 12 23 34 SOURCE ADDR 00 00 1B 09 08 07 FIELD TYPE IP HEADER TCP HEADER DATA FCS USER DATAGRAM PROTOCOL UDP Source/Destination Port. 1. The port numbers identify the receiving and sending process. It demultiplexes the UDP datagram to a particular process running on the computer. 2. The IP demultiplexes the incoming IP datagram to either TCP or UDP based upon the protocol value in the IP header. The UDP demultiplexes the UDP datagram to a particular application depending upon the port number. 3.The port number and the IP address allow any application in any computer on internet to be uniquely identified. 4. UDP port number can be both static and dynamic. Static ports (<= 1023) are assigned by a central authority and are sometimes called Universal Assignments or well-known port assignments. Typical static ports are 7 = Echo, 37 = time, 69 = TFTP, 161 = SNMP net monitor, 514 = System log, 520 = RIP. Dynamic ports are not globally known but are assigned by software. These numbers are 0 - 65535 (minus the static port assignments). UDP Message Length. This field indicates the size of the UDP header and its data in bytes. The minimum size must be 8 (size of header). 0 15 16 UDP Source Port 31 UDP Destination Port UDP Checksum UDP Message Length Data . . . USER DATAGRAM PROTOCOL Well Known UDP Ports Examples Echo Discard Daytime 7 9 13 Echo user datagram back to user Discard user datagrams Report time in a user friendly fashion Quote Chargen Nameserver Sql-Net BOOTPS BOOTPC TFTP POP3 SunRPC NTP SNMP SNMP-trap IRC IPX SysLog RIP NFS 17 19 53 66 67 68 69 110 111 123 161 162 194 213 514 520 2049 Return "Quote of the day" Character generator Domain Name Server Oracle Sequel Network Server port to download configuration information Client port to receive configuration information Trivial File Transport Protocol Post Office Protocol - V3 Sun Remote Procedure Call Network Time Protocol Used to receive network management queries Used to receive network problem reports. Internet Relay Chat IPX - IP Tunneling System Log Routing Information Protocol Network File Service Well-Known ports are standard ports between 0-1023 reserved for standard services. The Internet Assigned Numbers Authority (IANA) is responsible for assigning well - known ports. PROTOCOL and PORT NUMBERS APPLICATION LAYER Telnet Source Port 5512 TRANSPORT LAYER Destination Port 23 TCP Header NETWORK LAYER 6 IP Header Source IP Address; 128.66.12.2 Destination IP Address; 128.66.13.1 DATA LINK LAYER ETHERNET PREAMBLE DESTINATION ADDR 00 00 1B 12 23 34 SOURCE ADDR 00 00 1B 09 08 07 FIELD TYPE IP HEADER TCP HEADER DATA FCS TCP ENCAPSULATION 0 15 16 VERS HLEN TOS 4 bits 4 bits 8 bits Total Length 16 bits Identification 16 bits TTL 31 Flags Fragment Offset 3 bits 13 bits Protocol 8 bits Checksum IP Header 16 bits 8 bits Source IP Address 32 bits Destination IP Address 32 bits IP Options(if any) 32 bits Destination Port Source Port IP Datagram 16 bits 16 bits Sequence Number 32 bits Acknowledgement Number TCP Header 32 bits Offset 4 bits Reserved U A P R S F 6 bits Receive Window Size 16 bits Urgent Pointer Checksum 16 bits 16 bits Options (if any) TCP Data (if any) ETHERNET PREAMBLE 8 DESTINATION ADDRESS 6 SOURCE ADDRESS 6 FIELD TYPE 2 IP HEADER TCP HEADER DATA 0-65535 FCS 4 WELL KNOWN TCP PORT NUMBERS Port 9 19 20 21 23 25 79 80 88 110 119 179 513 514 Application Discard Chargen FTP-Data FTP-CMD Telnet SMTP Finger HTTP Kerberos POP3 NNTP BGP Rlogin Rexec Description Discard all incoming data port Exchange streams of data port File transfer data port File transfer command port Telnet remote login port Simple Mail Transfer Protocol port Obtains information about active users Hypertext Transfer Protocol port Authentication Protocol PC Mail retrieval service port Network news access port Border Gateway Protocol Remote Login In Remote Execute TCP PROCESS ADDRESSING End Point describes a connection in terms of: < Local Addr, Local Port # > < 164.22.40.8, 1500 > Half association describes just one process in terms of : < Prot, Local Addr, Local Port # > < tcp,164.22.40.8,1500 > Full Association describes a connection in terms of: <Prot, Local Addr, Local Port #, Remote Addr, Remote Port #> <Eg: tcp,164.22.40.8,1500,165.62.125, 22> UDP Port 1500 TCP IP 22 TCP IP Address 164.22.40.8 UDP IP 165.62.1.125 LINK LINK PHYS PHYS Selected Ports Echo - UDP Port 7: Retransmits to the sender any thing it receives. Used for testing networks. Disable if not needed or block at the Firewall.. Discard - TCP/UDP Port 9: Discards anything it receives. Used for developing network tools. Disable if not needed or block at the Firewall. Daytime - UDP Port 13: Sends the date/time for the server to the client. Disable if not needed or block at the Firewall.. Quote - UDP Port 17: Sends to the connecting client a quote selected from a file of quotes.. Disable if not needed or block at the Firewall.. Selected Ports (cont…) Chargen - TCP/UDP Port 19: Continuously sends out printable ASCII characters. Used for testing network tools. Disable if not needed or block at the Firewall. FTP - TCP Ports 20 and 21: Used for transferring files over the Internet. Disable if not needed otherwise use a proxy. Telnet - TCP Port 23: Used to connect remotely to a server.The data is not encrypted and the password/logon is readable. Disable if not needed or block at the firewall. SMTP - TCP Port 25: Used for the exchange of email over the Internet. Proxy SMTP across the Firewall Selected Ports (cont…) DNS - UDP Port 53: Translates text based names into IP addresses. Proxy DNS across the /firewall. BootP/DHCP - UDP Ports 67 and 68: BootP allows diskless workstations to find and load their OSs over the network. DHCP provides for dynamic allocation of IP addresses. Both BootP and DHCP should be employed inside the Firewall. TFTP - UDP Port 69: A simpler version of FTP that is used with BootP and DHCP to allow diskless workstations to acquire and load their operating systems. Disable or block at the Firewall. Gopher - TCP Port 70: The first hypertext system on the Internet. Disable or block at Firewall. Selected Ports (cont…) Finger - TCP Port 79: Used to system information such as names, office hours, TP#, current projects. Disable. HTTP - TCP Port 80: Used to transfer text, video, graphics, sound and programs over th Internet. Proxy HTTP across the /firewall. POP3 - TCP Port 110: Allows users to check their mail over the LAN or the Internet. Proxy POP3 or block at the firewall. RPC - UDP Port 111: Allows two computers to coordinate the execution of software. Disable or block at the firewall. Selected Ports (cont…) NetBios - TCP Ports 137, 138, 139: Used by MS Windows networking to connect LAN clients to file and print services.. Block at the Firewall. IMAP - TCP Port 143: Used by clients to transfer email from servers not configured to send email to the clients. Disable if not needed. SNMP - UDP Port 161: Used to remotely manage network devices such as routers, servers, hubs and clients. Block at the firewall. LDAP - TCP/UDP Port 389: Used to maintain contact information across the Internet. Block at the firewall. Selected Ports (cont…) RSH - TCP Port 514: Used to connect remotely to a server. Teh passwords are encrypted. Block at the Firewall. NFS - TCP/UDP Port 2049: Provides clients LAN access to data storage. The Unix equivalent of NetBios. Block at the Firewall. NAT Review Overview The IAB identified three immediate Internet danger 1. INTERNIC is fast exhausting Class B addresses. 2. The increase in networks/hosts has resulted in a routing table explosion. 3 The increase in networks/host is fast depleting the 32 bit address space. Class B Exhaustion(Three Bears Problem). Class A : 8/24:256 networks:16,772,214 hosts - to scarce(IANA assigned ). Class B : 14/16:16384 networks:65534 hosts - about right for subnetting. Class C : 21/8: 2,097,152 networks:254 hosts - to narrow. Routing Table Explosion This is a catch all term for all the problems posed by the manipulation of large data bases. IP Address Depletion Strategies The InterNIC adopted four major strategies for handling the depletion of the IP addresses. Creative IP Address Space Allocation. RFC 2050 - Internet Registry IP Allocation Guidelines Private Addresses/Network Address Translation (NAT). RFC 1918 - Address Allocation for Private Networks. RFC 1631 - The IP Network Address Translator. Classless InterDomain Routing (CIDR). RFC 1519 - Class InterDomain Routing(CIDR): An Address and Aggregation Strategy. IP Version 6 (IPv6). RFC 1883 - Internet Protocol, Version 6 (IPv6). Private IP Addresses Private IP addresses relax the rule that IP addresses are globally unique. This IP conservation technique reserves part of the IP address space for use exclusively within an organization. The organization does not require connectivity to the Internet. IANA reserves three ranges of IP addresses for "Private Internets": 10.0.0.0 - 10.255.255.255 A single Class A network 172.16.0.0 - 172.31.255.255 Sixteen continuous Class B Networks 192.168.0.0 - 192.168.255.255 256 contiguous Class C networks Any organization can use these addresses provide they adhere to the following rules: They cannot be referenced by hosts in another organization. They cannot be defined to any external router. Organization with private addresses cannot externally advertise those IP addressees and cannot forward IP datagrams containing those addresses to external routers. External routers will quietly discard all routing information regarding these addresses. All connectivity to an Internet host must be provided by a Network Address Translator. Network Address Translators NATs are based upon the idea that only a small part of the hosts in a private network will communicate outside that network. Nats are a solution for those organizations that use Non-routable IP addresses. A NAT, normally part of a Firewall, is positioned between the Private Network and the Internet and: Dynamically translates the private IP address of an outgoing packet into an Internet IP address. Dynamically translates the return Internet IP address into a private IP address. Only TCP/UDP Packets are translated by NAT. For example, the Private Network cannot be Pinged (ie. ICMP is not supported). NAT hides the internal network from the view of outsiders. Network Address Translator Translate Private Network Map Exclude Pool Static Addresses Internet NAT Translation Modes Static Translation (Port Forwarding) A fixed IP translation between internal resources with non-routable IP addresses and a specific external routable IP Address. Dynamic Translation (Automatic, Hide Mode, IP Masquerade or NAPT) A large group of internal resources are dynamically given nonroutable IP address which are translated into a single external, nonroutable IP address. Each internal resource is uniquely identified by an external port number. Load Balancing Translation: A single external IP address is translated into a pool of identically configured servers. A single external IP address serves a number of servers. Network Redundancy Translation: A single Firewall is attached to multiple Internet connections that the firewall can use for load balancing or redundancy. Static Translation 10.4.3.1 Source Destination 10.4.3.1 198.34.2.5 Source Destination 200.10.4.10 198.34.2.5 198.34.2.5 Private Network Internet Nat Pool 10.4.3.2 10.4.3.1 10.4.3.2 <Free> 200.10.4.10 200.10.4.11 200.10.4.12 The Private Network is assigned non-routable addresses. The NAT pool are registered IP address that resolve to the external address of the Private Network. For outgoing packets a NAT Pool IP address is substituted for the source IP address. For incoming packets the original IP address is reinserted as the destination IP address replacing the NAT pool address. Dynamic Translation 10.4.3.2 198.34.2.5 Private Network 10.4.3.1 200.10.4.10 Internet 10.4.3.3 Private Private Address Port 10.4.3.2 10.4.3.3 10.4.3.11 21023 1234 26066 Public Address NAT Port External Address 200.10.4.10 200.10.4.10 200.10.4.10 14003 14005 14007 198.34.2.1 198.34.2.1 198.34.2.1 External Protocol Port Used 80 80 21 T CP TCP TCP Network Address & Port Translation (NAPT) Table Load Balancing Translation Server A Server B Browser Firewall Server C Server D Private Network Internet Network Redundancy Translation UUNET Browser Server Firewall Private Network Sprint Browser MindSpring Internet Firewall Configuration Rules Firewall Decisions Rules by Security Levels? Paranoid: Nothing is allowed(no external connections) - The organization has been hacked and its paranoid. Cautious: That which is not explicitly permitted is not allowed. The default policy is to deny. Optimistic: That which is not explicitly prohibited is allowed. The default policy is to allow. Open: Everything is allowed. This organization has not been hacked. NOTE: Instructor's recommendation: BE CAUTIOUS. Rules by traffic (protocol) needs? Browser (HTTP). Address Resolution (DNS). Electronic Mail (SMTP). Network Management (SMTP). Rules for Rules First Match (Apply in order). Place the most specific rules at the top of the rule set and Place the least specific rules a the bottom of the rule set. Group like protocol rules. Firewall Performance. Place those protocols bearing the most traffic at the top of the rule set. This will generally be HTTP. The Firewall must distinguish packets. By the arrival/departure interface. By Type of packet. By the Source/Destination Address. By source/Destination Port. By IP Header Option By ICMP Message By ACK bit. Typical Configuration Rules NOTE: These rules are generic examples and not specific to any Firewall. They are presented at the cautious level. The rule is to handle only HTTP and SMTP traffic Rule HTTP1 Direct Out SIP Any SPRT >1023 DIP Any DPRT 80 OPT Flag PKT TYP ACT Any SYN TCP Any Pass Any SYN TCP Any Pass Allow an outgoing connection from to HTTP server. HTTP2 In Any 80 Any >1023 Allow already established HTTP traffic to travel back through the firewall. SMTP1 Out Any SServ Any 25 Any SYN TCP Any Pass SServ Any Any TCP Any Pass 25 Any ACK TCP Any Drop TCP Any Drop Allow the mail server to establish a outgoing connection. SMTP2 In Any 25 Any Allow incoming connections to the mail server.. SMTP3 In Any Any Not SServ Disallow any connection form the outside other than to the mail server. HTTP3 In Any Any Not WServ 80 Any Any Disallow any connection form the outside other than to the mail server.. Typical Configuration Rules (cont…) NOTE: These rules are generic examples and not specific to any Firewall. They are presented at the cautious level. These are examples of spoofing rules. Rule Source Direct In SIP Any SPRT DIP Any DPRT OPT Flag PKT TYP ACT Any Any Source Any Any Any Drop Any Any Any Any Any Any Drop Any Drop Drop all Source-Routed Packets. Spoof1 In Internal Any Drop all packets that appear on the external interface that have an internal IP address. Spoof2 Out Outside Any Any Any Any Any Any Drop all packets that appear on the internal interface that have an outside source IP address. Spoof3 In Any Any Any PServs Any Any Any Any Drop RIP/OSPF Any Any Any Any Drop Any Any Any Drop Drop all packets destined for the protected servers. Spoof4 In Any Any Any Disallow any incoming routing packets. Stop1 In 196.7.9.9 Any Any Drop any packets from this specific IP address. Any Any Typical Configuration Rules (cont…) NOTE: These rules are generic examples and not specific to any Firewall. They are presented at the cautious level. These are examples of ICMP Rules to pass packets. Rule ICMP1 Direct In SIP Any SPRT Any DIP Any DPRT Any OPT Flag PKT TYP ACT Any Any ICMP Source Quench Pass ICMP Echo Request Allow ICMP Source Quench packets from External hosts. ICMP2 Out Any Any Any Any Any Any Pass Any Any Any Any ICMP Echo Reply Any Any ICMP Dest Unreach Pass Allow Echo Requests outbound.. ICMP3 In Any Any Pass Allow the replies to the echo request to be returned. ICMP5 In Any Any Any Any Allow ICMP Destination Unreachable packets from the external hosts.. ICMP6 In Any Any Any Any Any Any ICMP Serv Unav Pass Any ICMP TTL Exced Pass Allow the ICMP Service Unavailable packets from the external hosts. ICMP7 In Any Any Any Any Any Allow the ICMP Time-to-Live exceeded from external hosts. Typical Configuration Rules (cont…) NOTE: These rules are generic examples and not specific to any Firewall. They are presented at the cautious level. These are examples of ICMP Rules to drop packets. Rule ICMP7 Direct In SIP Any SPRT Any DIP Any DPRT Any OPT Flag PKT TYP ACT Any Any ICMP Redirect Any Any ICMP Echo Request Any Any ICMP Echo Reply Any Any ICMP Dest Unreach Drop Any ICMP Serv Unav Drop Any ICMP Drop Drop Drop the ICMP Redirect on the External interface. ICMP8 In Any Any Any Any Drop Drop ICMP Echo Request on the External Interface ICMP9 Out Any Any Any Any Drop Drop the ICMP Echo Reply packets that are outbound. ICMP10 Out Any Any Any Any Drop ICMP Destination Unreachable packets that are outbound ICMP6 Out Any Any Any Any Any Drop the ICMP Service Unavailable packets that are outbound. ICMP7 Any Any Any Any Drop all ICMP packets in either direction. Any Any Any
