
TCP/IP Basics A review for firewall configuration.


1 TCP/IP Basics A review for firewall configuration

2 Configuring a firewall
Primary approach to configuring a firewall:
Study the service
–IP ADDRESSES
–PORTS
Set up rules for allowing or denying access to the services you want utilized.
Problem:
–Some of the issues are more subtle than IP/PORT

3 IP Basics
IP encapsulates TCP
IP packets travel through many different routers (hops) before reaching their destination
MTU variation at the physical layer requires IP to fragment the message into smaller units along the way
Reassembly is an option at each hop.
IP does NOT guarantee delivery!

4 IP Fragmentation
[Figure: three routers (R, R, R) joined by links of 1000 b, 500 b and 250 b; a second row shows links of 1000 b, 500 b and 1000 b.]
Every link has the potential to dictate adjusting the size of frames.
It is possible to reassemble at any point.

5 What if frames are lost?
[Figure: two routers (R, R) on a 250 b link; frames 1, 2, 3 and 4 travel toward the receiving computer.]
The receiving computer will hold the first 2 frames awaiting the 3rd.
After a period of time, a timer expires and the IP level passes the 500 bytes up and stops looking for the other pieces.
TCP (NOT IP) then will acknowledge receipt of 500 more bytes to the sending TCP layer.
If the first frame is lost, NONE are passed up to TCP.

6 IP Summary
Fragmentation results in delivery of frames which are potentially smaller than the original transmission.
Some of the frames can be lost.
If a message is fragmented and frames are lost, all frames up to the first lost frame are passed up to the receiving TCP and all subsequent frames are dropped.
TCP views this as a stream and is unaware of the loss of frames. It just accepts the next “n” bytes, acks the receipt, and waits for subsequent data.

7 TCP basics
Connection-oriented
–Sets up the connection prior to data transmission: SYN and 3-way handshake
–Guarantees delivery of data: the sender holds a copy of the data for retransmission if necessary; the receiver ACKs specific byte positions in the stream so the sender can resend from any byte position
Encapsulated by IP
Receiver tells the sender its receive window size to limit the rate of data arrival (flow control)

8 Consider How TCP and IP Work Together

9 TCP handling of fragmentation
[Figure: the sending stack (Transport / Network(IP) / Physical) sends 2000 bytes; values 1000 and 2000 are marked on the sender side. Intermediate hops (Network(IP) / Physical) split the data into 250-byte frames numbered 1 to 4, the first 500 bytes. The receiving stack (Transport / Network(IP) / Physical) ACKs 500 bytes.]

10 What does the TCP frame look like?
[Figure: header fields Source Port | Destination Port | Length | Checksum, followed by Data]

11 And after TCP is encapsulated in IP?
[Figure: IP Header | TCP | IP Trailer]

12 And if the encapsulated frame is fragmented?
[Figure: the IP Header | TCP | IP Trailer frame split in two. Assume fragmented in 2 parts: the first part has headers and port info included; the second part has no headers and NO port info included.]

13 Back to the Firewall!
[Figure: the firewall receives both fragments. First fragment: port info included, the firewall CAN see ports and knows what to do. Second fragment: no headers, the firewall CAN’T see ports. ?]

14 Options to Solve Fragmentation
Reassembly can be forced at the firewall
–Slows down transmission
–Lets the firewall process the entire frame identically
Make sure the sender doesn’t send frames which will be fragmented.
–Path MTU discovery uses ICMP to test for deliverability: sends a message and marks it not to be fragmented; looks for an ICMP response saying too large; repeats the process with a smaller packet if necessary
–Firewall must allow ICMP

15 Options to Solve Fragmentation (continued)
Only filter the first frames in a fragmented sequence
–Allow all others to pass through
–Assume other frames will be trashed at the receiver if the first one doesn’t make it through
–Places undue traffic on the network and receiver if the unfragmented sequence is to be filtered
Can be used to create denial of service
–Allows attackers to substitute overlapping “tail” frames
–Different OSs handle the repeated packets differently, i.e. which one do you keep?
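The point of slides 11 to 15 is that ports live in the TCP/UDP header, and only the first IP fragment carries that header. The following Python is an added example, not from the presentation: it builds constructed IPv4 packets (whole and fragmented), parses the fragment offset to see when ports are visible, and contrasts the "filter only the first frame" option with a filter that remembers the first fragment's verdict for its tail fragments and drops overlapping repeats. The blocked-port policy (port 23) and the addresses reused from slide 21 are assumptions for the demo.

```python
import struct

TCP, UDP = 6, 17
BLOCKED_PORTS = {23}          # constructed policy: deny telnet (port 23) to the inside


def _ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_ipv4(payload, ident, more_fragments, frag_offset, proto=TCP,
               src="168.17.2.5", dst="137.155.2.20"):
    """Build a minimal 20-byte IPv4 header (no options, checksum left 0) + payload.
    frag_offset is in bytes; the header stores it in 8-byte units."""
    assert frag_offset % 8 == 0
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_frag, 64, proto, 0, _ip_bytes(src), _ip_bytes(dst))
    return header + payload


def parse_ipv4(packet):
    """Return the header fields a packet filter needs, plus the ports when visible."""
    (ver_ihl, _tos, _total_len, ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    payload = packet[(ver_ihl & 0x0F) * 4:]
    info = {"key": (src, dst, ident, proto), "mf": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8, "payload_len": len(payload),
            "ports": None}
    # Source and destination ports are the first 4 bytes of the TCP/UDP header,
    # which only the first fragment (offset 0) carries; tail fragments have none.
    if info["offset"] == 0 and proto in (TCP, UDP) and len(payload) >= 4:
        info["ports"] = struct.unpack("!HH", payload[:4])
    return info


def first_fragment_only(packet, blocked_ports=BLOCKED_PORTS):
    """Slide 15 option: judge the first fragment, let every other fragment pass."""
    info = parse_ipv4(packet)
    if info["ports"] is None:
        return "pass-unchecked"                 # no header, so no ports to check
    return "deny" if info["ports"][1] in blocked_ports else "allow"


class StatefulFragmentFilter:
    """Apply the first fragment's verdict to its tail fragments instead of passing
    them blindly.  Tails with no head on record, and fragments that overlap bytes
    already accepted, are dropped."""

    def __init__(self, blocked_ports=BLOCKED_PORTS):
        self.blocked_ports = blocked_ports
        self.verdicts = {}     # key -> "allow" / "deny"
        self.covered = {}      # key -> [(start, end)] byte ranges already accepted

    def decide(self, packet):
        info = parse_ipv4(packet)
        key, start = info["key"], info["offset"]
        end = start + info["payload_len"]
        if any(start < e and s < end for s, e in self.covered.get(key, [])):
            return "deny-overlap"               # keep the first copy, drop the repeat
        if start == 0:
            ports = info["ports"]
            verdict = "deny" if ports is None or ports[1] in self.blocked_ports else "allow"
            self.verdicts[key] = verdict
            self.covered[key] = [(start, end)]
            return verdict
        if key not in self.verdicts:
            return "deny-no-head"               # tail arrived before (or without) its head
        self.covered[key].append((start, end))
        return self.verdicts[key]


def demo():
    """Constructed packets: a 40-byte 'TCP segment' to port 23, whole and split in two,
    and one to port 80 split the same way."""
    to_telnet = struct.pack("!HH", 40000, 23) + b"\x00" * 36
    to_http = struct.pack("!HH", 40001, 80) + b"\x00" * 36
    whole = build_ipv4(to_telnet, 7, False, 0)
    head = build_ipv4(to_telnet[:24], 8, True, 0)
    tail = build_ipv4(to_telnet[24:], 8, False, 24)
    ok_head = build_ipv4(to_http[:24], 9, True, 0)
    ok_tail = build_ipv4(to_http[24:], 9, False, 24)
    blind = [first_fragment_only(p) for p in (whole, head, tail)]
    f = StatefulFragmentFilter()
    stateful = [f.decide(p) for p in (tail, head, tail, tail, ok_head, ok_tail)]
    return blind, stateful


if __name__ == "__main__":
    print(demo())
```

The blind filter denies the whole packet and the first fragment of the telnet segment but passes its tail unchecked, which is exactly the gap slide 15 describes. The stateful filter holds the tail until its head has been judged, inherits the head's verdict, and refuses a second copy of the same byte range, so it never has to choose between overlapping "tail" frames.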

16 More TCP Issues

17 TCP handshake/setup time
[Figure: exchange between Host A and Host B]
Host A -> Host B: Ack 0, Syn 1 (setup)
Host B -> Host A: Ack 1, Syn 1 (setup)
Host A -> Host B: Ack 1, Syn 0 (setup)
Host A -> Host B: Ack 1, Syn 0 ...... (data)

18 TCP Connection Issues
Once you make a connection it can be used to transmit data bi-directionally
–Inside clients -> out, is ok
–Outside clients -> inside, is NOT ok (usually)
Deny the setup sequence and no connection can be established
If a hacker can determine the setup sequence number and window size, “noise” packets can be injected
–Not a typical problem but possible

19 UDP Issues

20 UDP basics
No connection establishment
No special features of the frame to identify connection information
Requires a little more effort on the part of the firewall
–Must remember what has happened in previous transmissions
–This is a STATEFUL packet filter firewall

21 Stateful Packet Filter: allowing if connected from inside
[Figure: Host A (INSIDE) | FIREWALL | Host B (OUTSIDE)]
Host A -> Host B: UDP, SP = 2987, SA = 137.155.2.20, DP = 1000, DA = 168.17.2.5
Host B -> Host A: UDP, SP = 1000, SA = 168.17.2.5, DP = 2987, DA = 137.155.2.20
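Slides 18 and 21 together describe one mechanism: deny the TCP setup sequence from outside, and for UDP remember the outbound datagram so that only the matching reply is let back in. The Python below is an added example, not the presentation's own material. It keeps a table of exchanges an inside host started and judges each packet against it; the inside prefix 137.155.0.0/16 is an assumption derived from Host A's address, and the extra hosts and ports in the demo are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Assumed inside prefix; slide 21 only gives the single address 137.155.2.20.
INSIDE = ipaddress.ip_network("137.155.0.0/16")


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def is_inside(addr):
    return ipaddress.ip_address(addr) in INSIDE


class StatefulFilter:
    """Allow only traffic that belongs to an exchange an inside host started."""

    def __init__(self):
        # entries: (proto, inside addr, inside port, outside addr, outside port)
        self.table = set()

    @staticmethod
    def _entry(pkt):
        """Normalise both directions of a flow to the same table key."""
        if is_inside(pkt.src):
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def decide(self, pkt):
        outbound = is_inside(pkt.src)
        entry = self._entry(pkt)
        if pkt.proto == "tcp" and pkt.syn and not pkt.ack:
            # The setup sequence: record it from inside, refuse it from outside.
            # With no SYN accepted from outside, no outside-initiated connection
            # can ever be established.
            if outbound:
                self.table.add(entry)
                return "allow", "new TCP connection from inside"
            return "deny", "TCP setup from outside"
        if pkt.proto == "udp" and outbound:
            # UDP has no setup; the outbound datagram itself becomes the state.
            self.table.add(entry)
            return "allow", "outbound UDP, state recorded"
        if entry in self.table:
            return "allow", "matches recorded state"
        return "deny", "no matching state"


def demo():
    """Constructed traffic: the slide 21 UDP exchange plus a few TCP cases."""
    fw = StatefulFilter()
    a, b = "137.155.2.20", "168.17.2.5"                     # Host A inside, Host B outside
    flow = [
        Packet("udp", a, 2987, b, 1000),                     # A -> B
        Packet("udp", b, 1000, a, 2987),                     # B -> A reply
        Packet("udp", "10.9.8.7", 1000, a, 2987),            # unsolicited, other outside host
        Packet("tcp", b, 4444, a, 22, syn=True),             # outside tries to open a connection
        Packet("tcp", a, 51000, b, 443, syn=True),           # inside opens a connection
        Packet("tcp", b, 443, a, 51000, syn=True, ack=True), # SYN/ACK back
        Packet("tcp", a, 51000, b, 443, ack=True),           # final ACK, data follows
        Packet("tcp", b, 443, a, 51001, ack=True),           # ACK for a connection never set up
    ]
    return [fw.decide(p)[0] for p in flow]


if __name__ == "__main__":
    print(demo())
```

Note that the table key is the full address/port pair in both directions, which is what lets the firewall tell Host B's reply apart from an unsolicited datagram aimed at the same inside port. A real implementation would also age entries out; the slides' "must remember what has happened" is the whole of the state here.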

22 ICMP

23 ICMP Basics
Lower than IP
Doesn’t use ports
Frequently used at the firewall to
–deny ping of death (too large message), and
–denial of service (ping flood)
Denying is message-type specific
Denying precludes utility of a useful tool

24 ICMP Message types
Echo Request
Echo Response
Time Exceeded
Destination Unreachable
Redirect
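Slides 14, 23 and 24 pull in two directions: ICMP is filtered by message type to stop oversized pings and ping floods, yet Path MTU discovery needs the Destination Unreachable message to get back through the firewall. The Python below is an added example, not part of the presentation. It implements a per-type ICMP policy with the two echo-request checks the slide names, then simulates Path MTU discovery through that policy to show that a policy which drops Destination Unreachable turns discovery into a black hole. The type and code numbers are the standard ICMP ones; the path MTUs, size limit and rate limit are constructed.

```python
import collections

ECHO_REPLY, DEST_UNREACHABLE, REDIRECT, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 5, 8, 11
FRAG_NEEDED = 4        # Destination Unreachable code 4: fragmentation needed but DF set


class IcmpPolicy:
    """Per-message-type ICMP filter with the two echo-request checks slide 23 names."""

    def __init__(self, allowed_types, max_echo_len=1500, echo_per_second=10):
        self.allowed_types = set(allowed_types)
        self.max_echo_len = max_echo_len
        self.echo_per_second = echo_per_second
        self.recent_echo = collections.deque()    # arrival times of accepted echo requests

    def decide(self, icmp_type, code, length, now):
        if icmp_type not in self.allowed_types:
            return "deny-type"
        if icmp_type == ECHO_REQUEST:
            if length > self.max_echo_len:
                return "deny-oversized"           # ping of death: too large a message
            while self.recent_echo and now - self.recent_echo[0] >= 1.0:
                self.recent_echo.popleft()        # one-second sliding window
            if len(self.recent_echo) >= self.echo_per_second:
                return "deny-rate"                # ping flood
            self.recent_echo.append(now)
        return "allow"


def pmtu_discover(path_mtus, start_size, policy, max_attempts=10):
    """Simulate Path MTU discovery through a firewall running `policy`.
    path_mtus lists link MTUs in path order.  Each attempt sends a probe of `size`
    bytes with DF set; the first router whose link is too small answers with
    Destination Unreachable / fragmentation needed carrying its MTU.  That answer
    only helps the sender if the firewall lets it back in."""
    size = start_size
    for attempt in range(1, max_attempts + 1):
        too_small = [mtu for mtu in path_mtus if mtu < size]
        if not too_small:
            return {"pmtu": size, "attempts": attempt, "status": "ok"}
        if policy.decide(DEST_UNREACHABLE, FRAG_NEEDED, 56, now=float(attempt)) != "allow":
            return {"pmtu": None, "attempts": attempt, "status": "black-hole"}
        size = too_small[0]                       # retry with the MTU that router reported
    return {"pmtu": None, "attempts": max_attempts, "status": "gave-up"}


def demo():
    path = [1500, 1400, 1000]                     # constructed path, smallest link last
    open_policy = IcmpPolicy({ECHO_REQUEST, ECHO_REPLY, DEST_UNREACHABLE, TIME_EXCEEDED})
    ping_only = IcmpPolicy({ECHO_REQUEST, ECHO_REPLY})
    return pmtu_discover(path, 1500, open_policy), pmtu_discover(path, 1500, ping_only)


if __name__ == "__main__":
    print(demo())
```

With Destination Unreachable permitted the sender steps 1500 to 1400 to 1000 and finds the path MTU in three probes; with a ping-only policy the first "too large" answer is dropped and the sender keeps sending packets that never arrive. Denying by type, as the slide says, is what makes it possible to keep the flood and size checks on echo requests while still letting the error messages through.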

25 IP Tunnelling
[Figure: AppleTalk traffic leaves the Inside Network through a firewall stack (AppleTalk / Transport (IP) / Physical). Intermediate routers (Network(IP) / Physical) only see IP. Firewalls CAN do AT in IP. The Receiving Firewall (AppleTalk / Transport (IP) / Physical) delivers to the Connected Network.]

26 IP Tunnelling at one end
[Figure: a host stack (AppleTalk / Transport (IP) / Physical). AppleTalk to local destinations goes out over the Physical layer as AppleTalk; AppleTalk to non-local destinations is wrapped as AT in IP and routed to its destination as IP.]

27 Tunnelling Problem
Firewall sees IP, not what is embedded
Packets can be hidden inside IP
Not as problematic as it seems
–Usually the tunneller at each end is set up by the network admin to implement a desired policy
–Still provides a leak into the other network

