TCP/IP Basics: A review for firewall configuration

Configuring a firewall
- Primary approach to configuring a firewall: study the service
  – IP ADDRESSES
  – PORTS
- Set up rules for allowing or denying access to the services you want utilized.
- Problem:
  – Some of the issues are more subtle than IP/PORT

IP Basics
- IP encapsulates TCP
- IP packets travel through many different routers (hops) before reaching their destination
- MTU variation at the physical layer requires IP to fragment the message into smaller units along the way
- Reassembly is an option at each hop.
- IP does NOT guarantee delivery!

IP Fragmentation
[figure: a 1000 b packet crossing routers (R) over links of 1000 b, 500 b and 250 b is fragmented at each smaller link; a second diagram with links of 1000 b, 500 b and 1000 b shows the fragments being reassembled at the last router]
- Every link has the potential to dictate adjusting the size of frames.
- It is possible to reassemble at any point.

What if frames are lost?
[figure: routers (R) forwarding 250 b fragments to the receive computer]
- The receive computer will hold the first 2 frames awaiting the 3rd.
- After a period of time, a timer expires and the IP level passes the 500 bytes up and stops looking for the other pieces.
- TCP (NOT IP) then acknowledges receipt of 500 more bytes to the sending TCP layer.
- If the first frame is lost, NONE are passed up to TCP.

IP Summary
- Fragmentation results in delivery of frames which are potentially smaller than the original transmission.
- Some of the frames can be lost.
- If a message is fragmented and frames are lost, all frames up to the first lost frame are passed up to the receiving TCP and all subsequent frames are dropped.
- TCP views this as a stream and is unaware of the loss of frames. It just accepts the next "n" bytes, acks the receipt, and waits for subsequent data.

TCP basics
- Connection-oriented
  – Sets up the connection prior to data transmission: SYN and 3-way handshake
  – Guarantees delivery of data: the sender holds a copy of the data for retransmission if necessary
  – The receiver ACKs specific byte positions in the stream, so the sender can resend from any byte position
- Encapsulated by IP
- The receiver tells the sender its receive window size to limit the rate of data arrival (flow control)

Consider How TCP and IP Work Together

[figure: TCP handling of fragmentation: protocol stacks (Transport / Network (IP) / Physical) on the sender and receiver and (Network (IP) / Physical) on an intermediate router; the sender sends 2000 bytes and the receiver ACKs 500 bytes]

What does the TCP frame look like?
[figure: frame layout: Source Port | Destination Port | Length | Checksum | Data]

And after TCP is encapsulated in IP?
[figure: IP Header | TCP | IP Trailer]

And if the encapsulated frame is fragmented?
[figure: the IP datagram fragmented in 2 parts, each with its own IP Header and IP Trailer: the first part has the headers (port info included); the second part has no headers (NO port info included)]

Back to the Firewall!
[figure: at the firewall, the first fragment (port info included) means the firewall CAN see the ports and knows what to do; the second fragment (no headers) means the firewall CAN'T see the ports, so what should it do?]

Options to Solve Fragmentation
- Reassembly can be forced at the firewall
  – Slows down transmission
  – Lets the firewall process the entire frame identically
- Make sure the sender doesn't send frames which will be fragmented.
  – Path MTU discovery uses ICMP to test for deliverability:
    sends a message and marks it not to be fragmented;
    looks for an ICMP response saying it is too large;
    repeats the process with a smaller packet if necessary
  – Firewall must allow ICMP

Options to Solve Fragmentation (continued)
- Only filter the first frames in a fragmented sequence
  – Allow all others to pass through
  – Assume the other frames will be trashed at the receiver if the first one doesn't make it through
  – Places undue traffic on the network and receiver if the unfragmented sequence is to be filtered
  – Can be used to create denial of service
  – Allows attackers to substitute overlapping "tail" frames: different OSs handle the repeated packets differently, i.e. which one do you keep?
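The two slides above (ports visible only in the first fragment, and the "filter only the first frame" shortcut versus forced reassembly) as a worked example. This is added illustration code, not from the presentation; the IPv4 builder, the 44-byte MTU, the addresses and the deny-port-23 rule are all constructed for the demo.

```python
import struct

TCP = 6
DENY_DST_PORTS = {23}   # constructed rule: deny inbound telnet


def build_ipv4(src, dst, proto, ident, more_frags, offset, payload):
    """Minimal IPv4 header (no options, checksum left 0) in front of payload.
    offset is in bytes and must be a multiple of 8, as the wire format requires."""
    flags_frag = (0x2000 if more_frags else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      ident, flags_frag, 64, proto, 0, src, dst)
    return hdr + payload


def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    return {"ihl": ihl, "id": ident, "proto": pkt[9], "src": pkt[12:16],
            "dst": pkt[16:20], "mf": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8, "payload": pkt[ihl:total_len]}


def fragment(pkt, mtu):
    """Split a datagram the way a router on a link with this MTU would."""
    ip = parse_ipv4(pkt)
    chunk = (mtu - ip["ihl"]) // 8 * 8          # fragment data sizes are 8-byte multiples
    data = ip["payload"]
    return [build_ipv4(ip["src"], ip["dst"], ip["proto"], ip["id"],
                       off + chunk < len(data), off, data[off:off + chunk])
            for off in range(0, len(data), chunk)]


def filter_fragment(pkt, policy):
    """'first-only': judge fragment 0 by its ports and pass the rest (the slide's cheap option).
    'reassemble': hold everything after fragment 0 until the whole datagram is rebuilt."""
    ip = parse_ipv4(pkt)
    if ip["offset"] > 0:                         # no transport header here: ports invisible
        return "pass-through" if policy == "first-only" else "hold-for-reassembly"
    if ip["proto"] == TCP and len(ip["payload"]) >= 4:
        sport, dport = struct.unpack("!HH", ip["payload"][:4])
        return "deny" if dport in DENY_DST_PORTS else "allow"
    return "deny"                                # first fragment too short to carry the ports


def demo(policy="first-only"):
    # Constructed datagram: TCP header (sport 40000 -> dport 23) plus 40 bytes of data,
    # from 198.51.100.7 to 192.0.2.10, fragmented on a link with a 44-byte MTU.
    tcp = struct.pack("!HHIIBBHHH", 40000, 23, 1, 0, 5 << 4, 0x02, 8192, 0, 0) + b"x" * 40
    pkt = build_ipv4(bytes([198, 51, 100, 7]), bytes([192, 0, 2, 10]), TCP, 0x1234, False, 0, tcp)
    return [(parse_ipv4(f)["offset"], filter_fragment(f, policy)) for f in fragment(pkt, 44)]
```

Under "first-only" the second and third fragments sail through even though the datagram they belong to was denied; under "reassemble" they are held, which is the cost the slide mentions.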

More TCP Issues

TCP handshake/setup time
[figure: timeline between Host A and Host B: Host A sends Ack 0, Syn 1; Host B replies Ack 1, Syn 1; Host A sends Ack 1, Syn 0; setup is complete and data follows]

TCP Connection Issues
- Once you make a connection it can be used to transmit data bi-directionally
- Inside clients -> out, is ok
- Outside clients -> inside, is NOT ok (usually)
- Deny the setup sequence and no connection can be established
- If a hacker can determine the setup sequence number and window size, "noise" packets can be injected
  – Not a typical problem but possible

UDP Issues

UDP basics
- No connection establishment
- No special features of the frame to identify connection information
- Requires a little more effort on the part of the firewall
- Must remember what has happened in previous transmissions
- This is a STATEFUL packet filter firewall

Stateful Packet Filter: Allowing if connected from inside
[figure: Host A (INSIDE) sends through the FIREWALL to Host B (OUTSIDE): UDP SP = 2987, SA = Host A, DP = 1000, DA = Host B; Host B replies back through the FIREWALL: UDP SP = 1000, SA = Host B, DP = 2987, DA = Host A]
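The stateful UDP filter from the two slides above, as an added example (not code from the presentation): an outbound datagram from the inside records a flow, and an inbound datagram is accepted only if it is the exact reverse of a recorded, unexpired flow. The inside network 10.0.0.0/24, the outside address 198.51.100.7 and the 30 s idle timeout are constructed assumptions; the ports 2987 and 1000 are the slide's.

```python
import ipaddress


class StatefulUdpFilter:
    """Remember outbound UDP flows so that only genuine replies get back in."""

    def __init__(self, inside_net="10.0.0.0/24", timeout=30.0):
        self.inside = ipaddress.ip_network(inside_net)   # assumption: the INSIDE network
        self.timeout = timeout                           # seconds of idle time before state expires
        self.flows = {}   # (inside_addr, inside_port, outside_addr, outside_port) -> last seen

    def is_inside(self, addr):
        return ipaddress.ip_address(addr) in self.inside

    def process(self, src, sport, dst, dport, now):
        """Return 'allow' or 'deny' for one UDP datagram seen at time `now` (seconds)."""
        # Expire idle state first, so a long-dead flow cannot be reused as a way in.
        self.flows = {k: t for k, t in self.flows.items() if now - t <= self.timeout}
        if self.is_inside(src) and not self.is_inside(dst):
            self.flows[(src, sport, dst, dport)] = now   # outbound: create/refresh the entry
            return "allow"
        reverse = (dst, dport, src, sport)               # an inbound reply swaps both pairs
        if reverse in self.flows:
            self.flows[reverse] = now                    # refresh so the exchange can continue
            return "allow"
        return "deny"                                    # unsolicited inbound UDP: no state


def demo():
    """Replay the slide's exchange, then an unsolicited packet and a late reply. Constructed."""
    fw = StatefulUdpFilter()
    host_a, host_b = "10.0.0.5", "198.51.100.7"
    return [
        fw.process(host_a, 2987, host_b, 1000, now=0.0),    # Host A -> Host B: allowed, state created
        fw.process(host_b, 1000, host_a, 2987, now=1.0),    # matching reply: allowed
        fw.process(host_b, 1000, host_a, 2988, now=2.0),    # wrong inside port: no state, denied
        fw.process(host_b, 1000, host_a, 2987, now=60.0),   # reply after the idle timeout: denied
    ]
```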

ICMP

ICMP Basics
- Lower than IP
- Doesn't use ports
- Frequently used at the firewall to
  – deny ping of death (too large message), and
  – denial of service (ping flood)
- Denying is message-type specific
- Denying precludes utility of a useful tool

ICMP Message types
- Echo Request
- Echo Response
- Time Exceeded
- Destination Unreachable
- Redirect

IP Tunnelling
[figure: an AppleTalk packet from the Inside Network is wrapped in IP by the firewall (stack: Apple talk / Transport (IP) / Physical); the Intermediate Routers only see IP (stack: Network (IP) / Physical); firewalls CAN do AT in IP; the Receiving Firewall unwraps it for the Connected Network (stack: Apple talk / Transport (IP) / Physical)]

IP Tunnelling at one end
[figure: a host with stacks Physical / Appletalk: Appletalk to local destinations goes out as AT; Appletalk to non-local destinations is wrapped as AT in IP and routed to the destination as IP]

Tunnelling Problem
- Firewall sees IP, not what is embedded
- Packets can be hidden inside IP
- Not as problematic as it seems
  – Usually the tunneller at each end is set up by the network admin to implement a desired policy
  – Still provides a leak into the other network