
1 Topic 2 – Lesson 4 Packet Filtering Part I

2 Basic Questions
- What is packet filtering?
- What elements are inside an IP header? What is the size of each such element?
- What elements are inside a TCP header? What is the size of each such element?
- Assume client A ( :1078) wants to establish a TCP connection with server B ( : 80); explain the TCP 3-way handshake process step by step.
- Compare TCP with UDP
- Discuss Example 1:
  - Explain Figure 2-5
  - Explain the 4 policy rules one by one
  - Explain the 6 firewall rules one by one

3 What is packet filtering?
- Blocks/filters traffic from and to the internal network
- Hardware can be called: Screening Router
- Firewall accepts or blocks data based on packet header
- Network Layer!
- Does NOT scan content
- Firewall Policy describes rules for allowing/rejecting packets

4 What elements are inside an IP header? What is the size for each such element?
- The 4 info:
  - Source IP: source hotel building street address
  - Source port: room number
  - Dest IP: dest hotel
  - Dest port: room number
- Source / Dest IP (both 32 bits)
- Protocol (8 bits) (TCP? UDP?)
- Protocol can also be ICMP

5 What elements are inside a TCP header? What is the size for each such element?
- Source / Dest Ports (16 bits)
- Contain ACK/SYN flags (1 bit each)

6 How to establish a TCP connection between two ports?
- A TCP connection
  - Step 1: establish the connection
  - Step 2: send the messages back and forth
  - Step 3: terminate the connection
- A phone call session
  - Step 1: dial the phone number
  - Step 2: do talking
  - Step 3: hang up
- Step 1 includes three sub-steps! The three sub-steps are called the TCP 3-way handshake.

7 TCP 3-way handshake

8 Assume client A ( :1078) wants to establish a TCP connection with server B ( : 80); explain the TCP 3-way handshake process step by step.
- 1st step: Connection request by client A: contains source IP ( ), source port (1078), destination IP ( ), and destination port (80). The SYN flag is set to 1; ACK is 0.
- 2nd step: the IP will acknowledge by sending the ACK flag (set to 1).
  - Source destination is
- 3rd step: the original IP of sends back to ACK 1 SYN 0.
- Additional comments: the SYN flag is used to set up a TCP connection; the ACK flag is used to acknowledge receipt of a packet.
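The header fields a packet filter reads, pulled out of raw bytes for the three handshake packets above. This is an added example, not part of the original slides; the two addresses are constructed documentation addresses standing in for A and B, and the function names are hypothetical.

```python
import socket
import struct

def build_packet(src, dst, sport, dport, syn, ack):
    """Build a minimal IPv4+TCP packet (constructed sample, checksums left 0)."""
    flags = (0x02 if syn else 0) | (0x10 if ack else 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                      65535, 0, 0)
    return ip + tcp

def filter_fields(packet):
    """Extract only the header fields a packet filter inspects."""
    ihl = (packet[0] & 0x0F) * 4               # IP header length in bytes
    proto = packet[9]                          # 8-bit protocol field
    fields = {"src": socket.inet_ntoa(packet[12:16]),   # 32-bit source IP
              "dst": socket.inet_ntoa(packet[16:20]),   # 32-bit dest IP
              "proto": {1: "ICMP", 6: "TCP", 17: "UDP"}.get(proto, proto)}
    if proto in (6, 17):                       # TCP and UDP both begin with ports
        fields["sport"], fields["dport"] = struct.unpack(
            "!HH", packet[ihl:ihl + 4])        # two 16-bit port numbers
    if proto == 6:
        flags = packet[ihl + 13]               # TCP flags byte
        fields["syn"] = (flags >> 1) & 1       # 1-bit SYN flag
        fields["ack"] = (flags >> 4) & 1       # 1-bit ACK flag
    return fields

A, B = "192.0.2.10", "198.51.100.20"           # constructed addresses
HANDSHAKE = [
    build_packet(A, B, 1078, 80, syn=1, ack=0),   # step 1: A -> B
    build_packet(B, A, 80, 1078, syn=1, ack=1),   # step 2: B -> A
    build_packet(A, B, 1078, 80, syn=0, ack=1),   # step 3: A -> B
]

def handshake_flags():
    """(source port, dest port, SYN, ACK) for each handshake packet."""
    return [(f["sport"], f["dport"], f["syn"], f["ack"])
            for f in map(filter_fields, HANDSHAKE)]

if __name__ == "__main__":
    for f in map(filter_fields, HANDSHAKE):
        print(f)
```

Only the first packet has ACK = 0, which is why a filter can single out connection requests by testing that one bit.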

9 Compare TCP with UDP
- Header information exactly same
- UDP connectionless, no flags
- Unlike TCP, UDP has no way of checking if a packet was successfully transmitted
- Block all packets in order to block a UDP session
- UDP = User Datagram Protocol

10 Explain Figure 2-5
- Telnet service can go out except for one user
- No UDP packets allowed
- Incoming Telnet packets allowed from external servers to internal clients
- Who is inside and who is outside?
  - Inside network = above firewall

11 Figure 2-5 (diagram labels: Internet; Server (telnet listens on 23); Incoming packets; Outgoing packets; Firewall)

12 Explain the 4 policy rules one-by-one (Example 1)
1. No incoming telnet service (request) should be processed
2. Outgoing telnet requests are OK
3. Computer cannot do Telnet
4. UDP packets are not allowed

13 The 6 Packet Filtering Rules

14 Explain the 6 firewall rules one-by-one (Example 1)
- Rule A: Denies any incoming TCP packets that attempt to open a Telnet connection
- Rule B: Denies any outgoing Telnet packets from internal client to external telnet server.
- Rule C: Denies incoming packets from external telnet servers (internal host server)
- Rule D and E: Someone from inside the firewall can telnet out, but no one from the outside can telnet in. Connection is established starting from the inside
  - What's the difference between telnet in and telnet out?
  - Telnet in = Internet client to Telnet server on the network internally
  - Telnet out = Client on the network; the server is on the Internet
- Rule F: Denies any incoming UDP packets
- Firewall rules are processed sequentially

15 How to enforce policy rule 1
- Policy rule 1: no incoming telnet service
- We can enforce this policy rule with a single packet filtering rule that has the following fields:
  - Rule #: Rule A
  - Field 1: source address -- external IP (outside IP)
  - Field 2: destination -- inside IP (the IP of the internal telnet server)
  - Field 3: direction -- inbound
  - Field 4: source port -- any port (no restriction)
  - Field 5: dest port (telnet server)
  - Field 6: protocol -- TCP
  - Field 7: ACK -- 0
  - Field 8: action -- deny

16 Policy rule 2: outgoing telnet requests OK
- To enforce this policy rule, we need TWO packet filtering rules
- We need two rules because even if an internal employee telnets out, he needs to receive packets from the outside telnet server
- Rule D: permit outgoing packets to the outside telnet server
  - So the source IP must be an internal IP; the dest IP must be an outside IP; the source port can be any; but the dest port must be 23
  - Direction: outbound
  - Protocol: TCP
  - ACK: 0 or 1 -- we need to allow both, otherwise the telnet connection can NOT be established.
- Rule E: permit incoming packets from the outside telnet server

17 Policy rule 2 – cont'd
- Rule E: permit incoming packets from the outside telnet server
  - Source IP: outside
  - Dest IP: inside
  - Direction: incoming - inbound
  - TCP
  - Source port: 23 (***)
  - Dest port (internal telnet client): any
  - Permit
  - ACK: 1 (********)
- ACK canNOT be 0 because we do NOT allow an outside telnet server to initiate a connection; actually a Telnet server should NEVER initiate a connection

18 Rule A vs. Rule E
- Rule A: no incoming telnet service request
- Rule E: allow incoming telnet packets from an outside telnet server

19 Policy Rule 3: Why is Rule C Redundant?
- Rule B already specifies that the host is not able to establish a telnet session, so there is no incoming traffic from a telnet server.
- If a hacker spoofs a packet and Rule C is removed, then the packet goes through
- Will this packet be a problem for the network?
  - No
  - A packet is like a car: without Rule C, the packet will get in, the packet will die there, and the packet will not be processed because no telnet session is established. No damage

20 Policy rule 4: Do you think Rule F is enough to block all UDP Packets?
- Not enough: resources inside can cause damage to the outside. If an internal resource gets hacked, it can cause problems for another network. Have to block all UDP going out to be safe.
- UDP has the same header information as TCP; there is no way to tell if a packet is a response or if it is from a session already in progress.
- UDP has no 3-way handshake
- The Slammer worm shows that malicious UDP packets can be sent from inside out to outside computers

21 Rule A and Rule E conflict, how so?
- Rule A doesn't give a port number, but Rule E uses port 23.
- Process rules in order, fail Rule A first before it gets to E.
- Rule A blocks incoming requests to create a new TCP session, whereas Rule E allows already established sessions to continue
- Look at the ACK flag

22 Rule B and Rule D conflict, how so?
- B denies all outgoing telnet packets from an internal server, D does the opposite
- If D allows outgoing telnet sessions and B denies the outgoing session through the host, is there a point to having written Rule B?
- B trumps D. Rule B will kill the packet; if not from the host, it will go through Rule B.
- Why is the ACK permitting anything, and in Rule B ACK is set to 1 or 0?
- Writing 0 or 1 can be replaced by the *

23 Rule C and Rule E conflict, how so?
- E allows incoming packets, but C denies incoming packets
- Order doesn't matter, need both for it to be true, but only 1 to be false to deny packet
- Is there a reason to have D and E since they allow everything?
  - Yes, you want to specify what you allow. Packets that go through the rule set are denied by default. Depends on how the firewalls are set up.
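The rule table from slides 14 to 23, as an added example that is not part of the original slides: a first-match evaluator for Rules A to F, with default deny as on slide 23. The internal network 10.0.0.0/24, the restricted host 10.0.0.5, the server address and all function names are assumptions made for illustration.

```python
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/24")  # assumed internal network
BLOCKED = "10.0.0.5"  # placeholder for the one host policy rule 3 restricts

# name, direction, src, dst, sport, dport, proto, ack, action (None = any)
RULES = [
    ("A", "in",  "ext",   "int",   None, 23,   "TCP", 0,    "deny"),
    ("B", "out", BLOCKED, "ext",   None, 23,   "TCP", None, "deny"),
    ("C", "in",  "ext",   BLOCKED, 23,   None, "TCP", None, "deny"),
    ("D", "out", "int",   "ext",   None, 23,   "TCP", None, "permit"),
    ("E", "in",  "ext",   "int",   23,   None, "TCP", 1,    "permit"),
    ("F", "in",  "ext",   "int",   None, None, "UDP", None, "deny"),
]

def addr_ok(spec, ip):
    """Match 'int'/'ext' against the internal network, else an exact host."""
    if spec in ("int", "ext"):
        return (ipaddress.ip_address(ip) in INTERNAL) == (spec == "int")
    return spec == ip

def decide(pkt, rules=RULES):
    """First matching rule wins; anything unmatched is denied by default."""
    for name, direction, src, dst, sport, dport, proto, ack, action in rules:
        if (direction == pkt["dir"] and proto == pkt["proto"]
                and addr_ok(src, pkt["src"]) and addr_ok(dst, pkt["dst"])
                and sport in (None, pkt["sport"])
                and dport in (None, pkt["dport"])
                and ack in (None, pkt.get("ack"))):
            return name, action
    return "default", "deny"

def pkt(direction, src, sport, dst, dport, proto="TCP", ack=None):
    return dict(dir=direction, src=src, sport=sport, dst=dst, dport=dport,
                proto=proto, ack=ack)

SERVER = "203.0.113.9"  # constructed external Telnet server
SAMPLES = {  # constructed packets
    "outside opens telnet in": pkt("in", SERVER, 40000, "10.0.0.20", 23, ack=0),
    "inside client SYN out":   pkt("out", "10.0.0.7", 1078, SERVER, 23, ack=0),
    "server reply, ACK=1":     pkt("in", SERVER, 23, "10.0.0.7", 1078, ack=1),
    "server-initiated, ACK=0": pkt("in", SERVER, 23, "10.0.0.7", 1078, ack=0),
    "restricted host out":     pkt("out", BLOCKED, 1078, SERVER, 23, ack=0),
    "UDP in":                  pkt("in", SERVER, 53, "10.0.0.7", 5000, "UDP"),
    "UDP out":                 pkt("out", "10.0.0.7", 5000, SERVER, 53, "UDP"),
}

if __name__ == "__main__":
    for label, p in SAMPLES.items():
        print(f"{label:26} -> {decide(p)}")
```

Passing a rule list with D placed ahead of B lets the restricted host telnet out, which shows that "B trumps D" only because B comes first; outbound UDP matches no rule and is stopped only by the default deny.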

