Lecture 4: Stateful Inspection, Advanced Protocols.

Lecture 4: stateful inspection, advanced protocols Roei Ben-Harush 2015.

Lecture 4: Stateful Inspection, Advanced Protocols

2 Agenda
1. Advanced protection techniques
2. File Transfer Protocol - FTP
3. HyperText Transfer Protocol - HTTP
4. About next Assignment

3 Agenda
1. Advanced protection techniques
2. File Transfer Protocol - FTP
3. HyperText Transfer Protocol - HTTP
4. About next Assignment

4 Stateful connection tracking
- Advanced firewalls intelligently associate new packets with existing, legitimate connections.
- A connection table tracks existing TCP connections.
- If an incoming TCP packet has ACK=0, it is a new connection attempt: consult the static rule table and, if accepted, record a new connection in the connection table.
- If ACK=1, check the packet against the connection table (but not the static rule table):
  - If the connection is present and the packet is valid according to the protocol state machine, accept it and update the connection table record.
  - Otherwise, reject it.

5 Connection table
[Figure: a packet with Ack == 0 is checked against the static rule table; a packet with Ack == 1 is checked against the dynamic connection table]
Step 1: SYN

6 Connection table
Step 1 (cont.): check the SYN packet against the static rule table and pass it to the server

7 Connection table
Step 2: SYN-ACK

8 Connection table
Step 2 (cont.): read/write the session in the dynamic connection table and pass the packet forward

9 Connection table
Step 3: ACK

10 Connection table
Step 3 (cont.): check the packet in the connection table and pass it

11 Connection table - a closer look
- Each 2-way session is represented by two rows in the connection table, one for each direction.
- The last row is a SYN packet which passed the static rule table; now we wait for the SYN-ACK packet with ACK == 1.

  Source IP   Dest. IP   Source Port   Dest. Port   State
  ---------   --------   -----------   ----------   ----------------
                                                    Wait for Syn-ack
                                                    Syn-ack sent
                                                    ftp established
                                                    ftp established
                                                    ftp data session
                                                    ftp data session
                                                    Syn sent

12 Connection table
- Each approved connection is saved in a dynamic table.
- Each row contains data about the saved connection:
  - Source IP address
  - Source port
  - Destination IP address
  - Destination port
  - State
- Protocols can have several states, and we always need to know the current state of the connection. For example:
  - 3-way handshake in progress, waiting for "syn ack" from the server
  - FTP connection that waits to receive a "ready" status from the server
  - Etc.
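The rules of slides 4 and 12 as running code. This is an added example, not code from the lecture: the packet representation (a dict with the 4-tuple plus SYN/ACK flags), the sample static rule table and the state names SYN_SENT / SYN_ACK_SENT / ESTABLISHED are all assumptions made here. ACK=0 packets are decided by the static rules only; ACK=1 packets are decided by the connection table only, and are accepted only when they fit the expected next step of the handshake.

```python
# Added example (not from the lecture slides): a minimal stateful connection
# table for TCP.  Packets are plain dicts; the static rule table below is a
# constructed sample policy.
from dataclasses import dataclass


@dataclass
class Conn:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    state: str  # "SYN_SENT", "SYN_ACK_SENT" or "ESTABLISHED"


# (source prefix, destination port, action): constructed sample static rules
STATIC_RULES = [
    ("10.0.1.", 21, "accept"),  # internal clients may open FTP control connections
    ("10.0.1.", 80, "accept"),  # ... and HTTP connections
]


def static_lookup(pkt):
    """First-match lookup in the static rule table; default deny."""
    for prefix, dport, action in STATIC_RULES:
        if pkt["src_ip"].startswith(prefix) and pkt["dst_port"] == dport:
            return action
    return "drop"


class ConnTable:
    def __init__(self):
        # One row per direction, keyed by the 4-tuple (slide 11)
        self.rows = {}

    @staticmethod
    def _key(pkt):
        return (pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"])

    @staticmethod
    def _reverse(pkt):
        return (pkt["dst_ip"], pkt["dst_port"], pkt["src_ip"], pkt["src_port"])

    def handle(self, pkt):
        """Return "accept" or "drop" for one TCP packet and update the table."""
        key, rkey = self._key(pkt), self._reverse(pkt)
        if not pkt["ack"]:
            # ACK == 0: a new connection attempt, decided by the static rules only
            if not pkt["syn"] or static_lookup(pkt) != "accept":
                return "drop"
            self.rows[key] = Conn(*key, state="SYN_SENT")
            return "accept"
        # ACK == 1: decided by the connection table only
        fwd, rev = self.rows.get(key), self.rows.get(rkey)
        if pkt["syn"]:
            # SYN+ACK is valid only as the server's reply to a recorded SYN
            if fwd is None and rev is not None and rev.state == "SYN_SENT":
                self.rows[key] = Conn(*key, state="SYN_ACK_SENT")
                return "accept"
            return "drop"
        if fwd is not None and rev is not None:
            if fwd.state == "SYN_SENT" and rev.state == "SYN_ACK_SENT":
                fwd.state = rev.state = "ESTABLISHED"  # third step of the handshake
                return "accept"
            if fwd.state == rev.state == "ESTABLISHED":
                return "accept"  # data packet on a tracked connection
        return "drop"


def tcp(src_ip, src_port, dst_ip, dst_port, syn=False, ack=False):
    """Build a constructed TCP packet record."""
    return dict(src_ip=src_ip, src_port=src_port, dst_ip=dst_ip,
                dst_port=dst_port, syn=syn, ack=ack)


def demo():
    """The handshake of slides 5-10 followed by two packets that must be dropped."""
    table = ConnTable()
    c, s = ("10.0.1.1", 40000), ("10.0.2.2", 21)  # constructed client and server
    return [
        table.handle(tcp(*c, *s, syn=True)),                # step 1: SYN, static rules accept
        table.handle(tcp(*s, *c, syn=True, ack=True)),      # step 2: SYN-ACK matches the table
        table.handle(tcp(*c, *s, ack=True)),                # step 3: ACK, connection established
        table.handle(tcp(*c, *s, ack=True)),                # data on the established connection
        table.handle(tcp("10.0.9.9", 5555, *s, ack=True)),  # ACK with no connection: drop
        table.handle(tcp("10.0.9.9", 5555, *s, syn=True)),  # SYN not allowed by static rules: drop
    ]


if __name__ == "__main__":
    print(demo())
```

Note that a stray ACK for which no row exists is dropped even when the static rules would have allowed a SYN to the same port; that is exactly the property that distinguishes stateful tracking from a static packet filter.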

13 Alternative approach (Linux's iptables)
- Alternative: support stateful rules in the main table.
- For example, iptables passes every packet (even those of an established connection) through the same rule table.
- The table has the ability to invoke modules loaded into the Linux kernel.
- Modules can work on all layers and can access stateful data structures:
  - inspect IP addresses, ports, or even a GeoIP lookup of the IP address
  - inspect specific bytes, or do a string search, in the raw packet
  - inspect the MAC address
  - inspect the flags of TCP/UDP/ICMP
  - stateful connection tracking: look up a dynamic connection table
  - and many more

14 Stateful inspection
- Some protocols require connection tracking to establish a secured connection:
  - We can't just allow traffic from numerous ports.
- Both in TCP and in UDP there are protocols of this kind:
  - TFTP: both client and server open random ports and connect with each other
  - VoIP protocols
  - SIP
  - H.323 protocols
  - Basically anything on top of TCP (and some UDP also)

15 Agenda
1. Advanced protection techniques
2. File Transfer Protocol - FTP
3. HyperText Transfer Protocol - HTTP
4. About next Assignment

16 FTP (File Transfer Protocol)
- The client sends the server the port it has opened for the data connection.
- The firewall needs to be able to open connections to arbitrary high ports for FTP to function properly.
- Thus, the firewall needs to read the payload (the data itself) of the packet to realize we are in an FTP connection and to identify the FTP command that specifies the receiving port number to open.
- The command is inside a TCP stream:
  - It may be, for example, fragmented across several TCP packets, so inspecting packets individually does not suffice.

17 File Transfer Protocol - FTP
[Figure: sequence diagram between Client and Server]
  Control connection, client port X to server port 21: Syn, Syn+Ack, Ack, then "get a.out"
  Data connection, server port 20 to client port Y: Syn, Syn+Ack, Ack, then the file a.out

18 File Transfer Protocol - FTP
- Can be enforced only with stateful inspection.
- The receiving port number to open is in the packet's payload.
- After the connection is established, the client sends the server a packet with a special request, called PORT.
- A PORT request asks the server to use a different port for the data connection: the server makes a TCP connection to the client through this port.
- The PORT request has a parameter in the form:
  - h1,h2,h3,h4,p1,p2
  - the client is listening for connections on TCP port p1*256+p2 at IP address h1.h2.h3.h4.

19 File Transfer Protocol - FTP
- For example, after a connection from the client to the FTP server, the client sends the following textual command on the TCP connection: PORT 10,0,1,1,165,126
- The server understands that the client at IP address 10.0.1.1 has opened port 165*256+126 = 42366 for transferring a file.
- Our firewall should now keep track of packets that reach this port and IP address, and not drop them automatically but inspect them to see whether they are related to the FTP connection.
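The tracking described on slides 16-19, as an added example that is not part of the lecture: the client's side of the FTP control stream is reassembled so that a PORT command split across two TCP segments is still found, the h1,h2,h3,h4,p1,p2 argument is decoded with the slide's p1*256+p2 formula, and the expected data connection (server port 20 to the announced client port) is recorded so the firewall can inspect it instead of dropping it. The class and function names, the client/server addresses and the two sanity checks on the announced address and port are assumptions of this example.

```python
# Added example (not from the lecture slides): extracting PORT commands from a
# reassembled FTP control stream and recording the data connection to expect.


def parse_port_argument(arg):
    """Decode 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256+p2); ValueError if malformed."""
    fields = arg.split(",")
    if len(fields) != 6:
        raise ValueError("PORT needs six comma-separated fields")
    nums = [int(f) for f in fields]
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("each PORT field is one byte (0-255)")
    host = ".".join(str(n) for n in nums[:4])
    return host, nums[4] * 256 + nums[5]


class FtpControlTracker:
    """Follows the client->server half of one FTP control connection."""

    def __init__(self, client_ip, server_ip):
        self.client_ip = client_ip
        self.server_ip = server_ip
        self.buffer = ""    # unconsumed text of the client's command stream
        self.expected = []  # data connections the firewall should now allow

    def feed(self, segment):
        """Append one TCP segment payload; a command may span several segments."""
        self.buffer += segment.decode("ascii", errors="replace")
        # Only complete lines (terminated by CRLF or LF) are interpreted
        while "\n" in self.buffer:
            line, self.buffer = self.buffer.split("\n", 1)
            self._command(line.rstrip("\r"))
        return list(self.expected)

    def _command(self, line):
        verb, _, arg = line.partition(" ")
        if verb.upper() != "PORT":
            return
        try:
            host, port = parse_port_argument(arg)
        except ValueError:
            return  # malformed PORT: nothing to open
        # Sanity checks assumed for this example: the announced address must be
        # the client's own, and the port must not be a well-known service port.
        if host != self.client_ip or port < 1024:
            return
        # Active-mode FTP: the server connects from port 20 to the announced port
        self.expected.append((self.server_ip, 20, host, port, "ftp data session"))


def demo():
    """Constructed control stream in which the PORT command is split across two segments."""
    tracker = FtpControlTracker(client_ip="10.0.1.1", server_ip="10.0.2.2")
    tracker.feed(b"USER anonymous\r\nPASS guest@\r\nPORT 10,0,1,")
    return tracker.feed(b"1,165,126\r\nRETR a.out\r\n")


if __name__ == "__main__":
    print(demo())
```

With the slide's command the tracker records ('10.0.2.2', 20, '10.0.1.1', 42366, 'ftp data session'); a firewall that inspected the two segments independently would see "PORT 10,0,1," in one and "1,165,126" in the other and match neither.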

20 Agenda
1. Advanced protection techniques
2. File Transfer Protocol - FTP
3. HyperText Transfer Protocol - HTTP
4. About next Assignment

21 HTTP (HyperText Transfer Protocol)
- Another example of a protocol with lots of information in the payload.
- In contrast to FTP, HTTP was designed to operate over a single TCP port and a single TCP connection, to avoid the difficulties we've seen for FTP. However, there is still a lot of state to be kept between packets in that single TCP connection. We need to listen and search for HTTP requests.
- Once we find that the client sent a GET request, we need to inspect the following packets to see what response we'll get.
- Examples

22 HyperText Transfer Protocol - HTTP
- Regular 200 OK response:

  GET /secws16/ HTTP/1.1
  Host: course.cs.tau.ac.il
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Encoding: gzip, deflate, sdch
  Accept-Language: en-US,en;q=0.8,he;q=0.6
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/ (KHTML, like Gecko) Chrome/ Safari/

  HTTP/1.1 200 OK
  Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
  Connection: Keep-Alive
  Content-Length: 4503
  Content-Type: text/html; charset=utf-8
  Server: Apache/ (Ubuntu)
  Vary: Accept-Encoding

23 HTTP stream: data in the same connection
- We then request the page from the server and receive the data on the same connection (in contrast to FTP):

  GET HTTP/1.1
  Host:
  Proxy-Connection: keep-alive
  Accept: ...

  HTTP/1.1 200 OK
  Content-Type: ...
  ...
  וואלה! NEWS
  ...
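The per-connection state that slides 21-23 describe, written out as an added example (not code from the lecture). One object follows a single HTTP connection in both directions: it waits for a request line, then for the response's status line and headers, then consumes Content-Length bytes of body, and only then expects the next request on the same connection. The traffic in demo() is constructed after the slide 22 exchange; the class name, the state names and the shape of the log entries are assumptions of this example.

```python
# Added example (not from the lecture slides): request/response state tracking
# inside one HTTP connection.  Both directions of one TCP connection are fed in
# as they arrive; the tracker logs (method, path, status) per completed exchange.


class HttpConnTracker:
    """States: WAIT_REQUEST -> WAIT_RESPONSE -> READ_BODY -> WAIT_REQUEST ..."""

    def __init__(self):
        self.state = "WAIT_REQUEST"
        self.c2s = b""       # unconsumed client->server bytes
        self.s2c = b""       # unconsumed server->client bytes
        self.body_left = 0   # response body bytes still to be seen
        self.pending = None  # (method, path) of the request awaiting a response
        self.log = []        # (method, path, status) for each completed exchange

    def feed(self, direction, data):
        """Append one segment payload ("c2s" or "s2c") and return the log so far."""
        if direction == "c2s":
            self.c2s += data
            self._consume_requests()
        else:
            self.s2c += data
            self._consume_responses()
        return list(self.log)

    @staticmethod
    def _split_headers(buf):
        """Return (header text, remaining bytes) once a full header block is buffered."""
        idx = buf.find(b"\r\n\r\n")
        if idx < 0:
            return None
        return buf[:idx].decode("latin-1"), buf[idx + 4:]

    def _consume_requests(self):
        # Only one outstanding request is tracked; a pipelined second request
        # stays buffered until the first response has been consumed.
        if self.state != "WAIT_REQUEST":
            return
        parts = self._split_headers(self.c2s)
        if parts is None:
            return
        head, self.c2s = parts
        method, path, _version = head.split("\r\n")[0].split(" ", 2)
        self.pending = (method, path)
        self.state = "WAIT_RESPONSE"

    def _consume_responses(self):
        while self.state in ("WAIT_RESPONSE", "READ_BODY"):
            if self.state == "WAIT_RESPONSE":
                parts = self._split_headers(self.s2c)
                if parts is None:
                    return  # status line / headers not complete yet
                head, self.s2c = parts
                lines = head.split("\r\n")
                status = int(lines[0].split(" ")[1])  # "HTTP/1.1 200 OK" -> 200
                headers = {k.strip().lower(): v.strip()
                           for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
                self.body_left = int(headers.get("content-length", "0"))
                self.log.append((*self.pending, status))
                self.state = "READ_BODY"
            # Consume as much of the body as has arrived; it may span many segments
            take = min(self.body_left, len(self.s2c))
            self.s2c = self.s2c[take:]
            self.body_left -= take
            if self.body_left:
                return
            self.state = "WAIT_REQUEST"
            self.pending = None
            self._consume_requests()  # a pipelined request may already be waiting


def demo():
    """Constructed traffic modelled on slide 22: the body arrives in two segments."""
    t = HttpConnTracker()
    t.feed("c2s", b"GET /secws16/ HTTP/1.1\r\nHost: course.cs.tau.ac.il\r\nAccept: text/html\r\n\r\n")
    t.feed("s2c", b"HTTP/1.1 200 OK\r\nContent-Length: 10\r\n"
                  b"Content-Type: text/html; charset=utf-8\r\n\r\n<html>")
    t.feed("s2c", b"</ht")  # remaining 4 body bytes
    t.feed("c2s", b"GET /secws16/index.html HTTP/1.1\r\nHost: course.cs.tau.ac.il\r\n\r\n")
    return t.feed("s2c", b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n")


if __name__ == "__main__":
    print(demo())
```

Because body bytes are counted rather than searched, a response body that happens to contain the text "GET /" is not mistaken for a new request, and the second exchange on the same connection is attributed to the right request.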

24 Agenda
1. Advanced protection techniques
2. File Transfer Protocol - FTP
3. HyperText Transfer Protocol - HTTP
4. About next Assignment