TCP/IP Basics
A review for firewall configuration

Configuring a firewall
• Primary approach to configuring a firewall
• Study the service
  – IP ADDRESSES
  – PORTS
• Set up rules for allowing or denying access to the services you want utilized.
• Problem:
  – Some of the issues are more subtle than IP/PORT

IP Basics
• IP encapsulates TCP
• IP packets travel through many different routers (hops) before reaching their destination
• MTU variation at the physical layer requires IP to fragment the message into smaller units along the way
• Reassembly is an option at each hop.
• IP does NOT guarantee delivery!

IP Fragmentation
[Diagram: a 1000 b datagram passes a router (R) and becomes two 500 b frames; the next router splits them into four 250 b frames.]
Every link has the potential to dictate adjusting the size of frames. It is possible to reassemble at any point.
[Diagram: 1000 b → R → 500 b, 500 b → R → 1000 b: a later router reassembles the two 500 b frames back into the original 1000 b datagram.]
What if frames are lost?
[Diagram: frames 250 b1, 250 b2, 250 b3, 250 b4 travel through routers to the receiving computer.]
The receiving computer will hold the first 2 frames awaiting the 3rd. After a period of time, a timer expires and the IP level passes the 500 bytes up and stops looking for the other pieces. TCP (NOT IP) then will acknowledge receipt of 500 more bytes to the sending TCP layer. If the first frame is lost, NONE are passed up to TCP.

IP Summary
• Fragmentation results in delivery of frames which are potentially smaller than the original transmission.
• Some of the frames can be lost.
• If a message is fragmented and frames are lost, all frames up to the first lost frame are passed up to the receiving TCP and all subsequent frames are dropped.
• TCP views this as a stream and is unaware of the loss of frames. It just accepts the next “n” bytes, ACKs the receipt, and waits for subsequent data.
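The fragmentation scenario on these slides (a datagram halved by one router and halved again by the next, a middle frame lost, and only the first fragment carrying port numbers), as an added Python example that is not part of the original slides. The payload, the link MTUs and the port numbers 2987 and 1000 are constructed; fragment sizes are 496 and 248 rather than the slides' 500 and 250 because IPv4 fragment offsets are counted in 8-byte units.

```python
import struct

# Constructed model of the slides' fragmentation example. IPv4 fragment
# offsets are carried in 8-byte units, so every fragment except the last
# must hold a multiple of 8 data bytes; a 20-byte IP header is assumed.
IP_HEADER_LEN = 20

def fragment(payload: bytes, mtu: int, base_offset: int = 0, more_after: bool = False):
    """Split payload into (offset, more_fragments, data) pieces that fit the MTU.
    base_offset/more_after let a router re-fragment a fragment it is forwarding."""
    chunk = (mtu - IP_HEADER_LEN) // 8 * 8
    frags = []
    for off in range(0, len(payload), chunk):
        data = payload[off:off + chunk]
        more = (off + chunk < len(payload)) or more_after
        frags.append((base_offset + off, more, data))
    return frags

def refragment(frags, mtu: int):
    """Every link can dictate a smaller frame size: the router on a smaller-MTU
    link fragments each fragment again, keeping its place in the datagram."""
    out = []
    for off, more, data in frags:
        out.extend(fragment(data, mtu, base_offset=off, more_after=more))
    return out

def transport_ports(off: int, data: bytes):
    """Only the fragment at offset 0 carries the TCP/UDP header, so only there
    can a firewall read source and destination ports. Returns None otherwise."""
    if off != 0 or len(data) < 4:
        return None
    return struct.unpack("!HH", data[:4])

def pass_up_after_timeout(received):
    """The receiver behaviour the slides describe: when the reassembly timer
    expires, the contiguous bytes from offset 0 up to the first missing
    fragment are passed up to TCP; if the first fragment is missing, nothing is.
    (RFC 791 actually discards the whole partial datagram on timeout.)"""
    by_off = {off: data for off, _more, data in received}
    out, off = b"", 0
    while off in by_off:
        out += by_off[off]
        off += len(by_off[off])
    return out

# Constructed 992-byte datagram whose first 4 bytes are the TCP source and
# destination ports (2987 -> 1000, the numbers used later on the slides).
PAYLOAD = struct.pack("!HH", 2987, 1000) + b"\x00" * 988

if __name__ == "__main__":
    first_hop = fragment(PAYLOAD, 516)        # 2 fragments of 496 bytes
    second_hop = refragment(first_hop, 268)   # 4 fragments of 248 bytes
    print([(off, more, len(d)) for off, more, d in second_hop])
    print(len(pass_up_after_timeout([second_hop[0], second_hop[1], second_hop[3]])))
```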
TCP basics
• Connection-oriented
  – Sets up the connection prior to data transmission
    • SYN and 3-way handshake
  – Guarantees delivery of data
    • Sender holds a copy of the data for retransmission if necessary
    • Receiver ACKs specific byte positions in the stream so the sender can resend from any byte position
• Encapsulated by IP
• Receiver tells the sender its receive window size to limit the rate of data arrival (flow control)

Consider how TCP and IP work together
TCP handling of fragmentation (send 2000 bytes)
[Diagram: the sending Transport layer hands 2000 bytes to Network (IP), which sends two 1000-byte packets over the Physical layer; an intermediate Network (IP) hop forwards them as frames 2501, 2502, 2503, 2504; the receiving Network (IP) layer passes the data to Transport, which ACKs 500 bytes.]

What does the TCP frame look like?
[Diagram: Source Port | Destination Port | Length | Checksum | Data]
And after TCP is encapsulated in IP?
[Diagram: IP Header | TCP | IP Trailer]
And if the encapsulated frame is fragmented?
[Diagram: assume it is fragmented in 2 parts. Part 1: has headers, port info included. Part 2: no headers, NO port info included.]

Back to the Firewall!
[Diagram: Part 1: port info included, the firewall CAN see ports and knows what to do. Part 2: no headers, the firewall CAN'T see ports: ?]

Options to Solve Fragmentation
• Reassembly can be forced at the firewall
  – Slows down transmission
  – Lets the firewall process the entire frame identically
• Make sure the sender doesn't send frames which will be fragmented.
  – Path MTU discovery
    • Uses ICMP to test for deliverability
    • Sends a message and marks it not to be fragmented
    • Looks for an ICMP response saying too large
    • Repeats the process with a smaller packet if necessary
  – Firewall must allow ICMP

Options to Solve Fragmentation
• Only filter the first frames in a fragmented sequence
  – Allow all others to pass through
  – Assume other frames will be trashed at the receiver if the first one doesn't make it through
  – Places undue traffic on the network and receiver if the unfragmented sequence is to be filtered
• Can be used to create denial of service
  – Allows attackers to substitute overlapping “tail” frames
    • Different OSs handle the repeated packets differently, i.e. which one do you keep?

More TCP Issues

TCP handshake/setup
[Diagram: Host A → Host B: Ack 0, Syn 1; Host B → Host A: Ack 1, Syn 1; Host A → Host B: Ack 1, Syn 0 (setup complete); then data segments with Ack 1, Syn 0 over time.]

TCP Connection Issues
• Once you make a connection it can be used to transmit data bi-directionally
• Inside clients -> out is OK
• Outside clients -> inside is NOT OK (usually)
• Deny the setup sequence and no connection can be established
• If a hacker can determine the setup sequence number and window size, “noise” packets can be injected
  – Not a typical problem but possible

UDP Issues

UDP basics
• No connection establishment
• No special features of the frame to identify connection information
• Requires a little more effort on the part of the firewall
• Must remember what has happened in previous transmissions
• This is a STATEFUL packet filter firewall

Stateful Packet Filter
Allowing if connected from inside
[Diagram: Host A (INSIDE) sends UDP SP = 2987, SA = 137.155.2.20, DP = 1000, DA = 168.17.2.5 through the FIREWALL to Host B (OUTSIDE); Host B's reply UDP SP = 1000, SA = 168.17.2.5, DP = 2987, DA = 137.155.2.20 is allowed back in because it matches the remembered outbound packet.]

ICMP

ICMP Basics
• Lower than IP
• Doesn't use ports
• Frequently used at the firewall to
  – deny ping of death (too large message), and
  – denial of service (ping flood)
• Denying is message-type specific
• Denying precludes the utility of a useful tool

ICMP Message types
• Echo Request
• Echo Response
• Time Exceeded
• Destination Unreachable
• Redirect

IP Tunnelling
[Diagram: inside network stack Transport / AppleTalk / Network (IP) / Physical; the firewalls CAN do AppleTalk in IP; intermediate routers only see IP; the receiving firewall hands the AppleTalk traffic to its connected network.]

IP Tunnelling at one end
[Diagram: the tunnelling end carries AppleTalk over IP; AppleTalk to local destinations is delivered as AppleTalk, AppleTalk to non-local destinations is routed to its destination as IP.]

IP Tunnelling Problem
• Firewall sees IP, not what is embedded
• Packets can be hidden inside IP
• Not as problematic as it seems
  – Usually the tunneller at each end is set up by the network admin to implement a desired policy
  – Still provides a leak into the other network
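Path MTU discovery as the "Options to Solve Fragmentation" slides describe it (mark the packet not to be fragmented, look for an ICMP reply saying it is too large, retry smaller), as an added Python example that is not part of the original slides. The IPv4 header fields, the addresses 137.155.2.20 and 168.17.2.5, and the list of per-hop link MTUs are constructed; the firewall's ICMP policy is a parameter so the "firewall must allow ICMP" point is visible.

```python
import struct

DF = 0x4000  # Don't Fragment bit in the IPv4 flags/fragment-offset field

def ipv4_header(total_length: int, dont_fragment: bool) -> bytes:
    """Minimal 20-byte IPv4 header (constructed addresses, checksum left 0)
    with the DF flag set or clear."""
    flags_frag = DF if dont_fragment else 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234, flags_frag,
                       64, 6, 0, bytes([137, 155, 2, 20]), bytes([168, 17, 2, 5]))

def router_forward(header: bytes, link_mtu: int):
    """A router facing a link too small for the packet fragments it if DF is
    clear; if DF is set it drops the packet and answers with ICMP Destination
    Unreachable / Fragmentation Needed, which carries the link's MTU."""
    total_length, flags_frag = struct.unpack("!HH", header[2:4] + header[6:8])
    if total_length <= link_mtu:
        return ("forward", total_length)
    if flags_frag & DF:
        return ("icmp_frag_needed", link_mtu)
    return ("fragmented", link_mtu)

def send_along_path(size: int, path_mtus, dont_fragment: bool, firewall_passes_icmp: bool):
    """Carry one packet hop by hop. Returns ('delivered', size on arrival) or
    the ICMP reply; a firewall that blocks ICMP turns the reply into a silent
    drop. A DF-clear packet continues as fragments no larger than the link MTU."""
    hdr = ipv4_header(size, dont_fragment)
    for mtu in path_mtus:
        action, value = router_forward(hdr, mtu)
        if action == "icmp_frag_needed":
            return ("icmp_frag_needed", value) if firewall_passes_icmp else ("dropped", None)
        if action == "fragmented":
            hdr = ipv4_header(value, dont_fragment)
    return ("delivered", struct.unpack("!H", hdr[2:4])[0])

def discover_path_mtu(path_mtus, start=1500, firewall_passes_icmp=True, max_probes=8):
    """Probe with DF set, shrinking to the MTU reported by each ICMP reply.
    Returns the usable size, or None when probes vanish (a PMTU black hole:
    the sender keeps sending packets that never arrive)."""
    size = start
    for _ in range(max_probes):
        result, value = send_along_path(size, path_mtus, True, firewall_passes_icmp)
        if result == "delivered":
            return size
        if result == "dropped":
            return None
        size = value
    return None
```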
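The stateful packet filter from the "Stateful Packet Filter" and "TCP Connection Issues" slides (remember inside-initiated UDP flows, admit only their replies, and deny the TCP setup sequence from outside), as an added Python example that is not part of the original slides. The inside network 137.155.0.0/16, the outside host 168.17.2.5 and the ports are constructed from the slide's diagram.

```python
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("137.155.0.0/16")  # assumed inside network (constructed)

@dataclass(frozen=True)
class Packet:
    proto: str            # "udp" or "tcp"
    sa: str               # source address
    sp: int               # source port
    da: str               # destination address
    dp: int               # destination port
    syn: bool = False     # TCP flags, ignored for UDP
    ack: bool = False

class StatefulFilter:
    """Allow inside-initiated traffic and remember it; admit outside traffic
    only as the reply half of a remembered flow. UDP has no handshake, so the
    remembered state is the only evidence that a 'connection' exists."""
    def __init__(self):
        self.flows = set()   # (proto, inside addr, inside port, outside addr, outside port)

    @staticmethod
    def is_inside(addr: str) -> bool:
        return ipaddress.ip_address(addr) in INSIDE

    def decide(self, pkt: Packet) -> str:
        if self.is_inside(pkt.sa) and not self.is_inside(pkt.da):
            # Inside -> out is OK; from now on the reverse direction is expected
            self.flows.add((pkt.proto, pkt.sa, pkt.sp, pkt.da, pkt.dp))
            return "allow"
        if pkt.proto == "tcp" and pkt.syn and not pkt.ack:
            return "deny"    # deny the setup sequence: no inbound connection can form
        # Outside -> in is allowed only with addresses and ports swapped from a remembered flow
        if (pkt.proto, pkt.da, pkt.dp, pkt.sa, pkt.sp) in self.flows:
            return "allow"
        return "deny"
```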