Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 4: stateful inspection, advanced protocols Roei Ben-Harush 2015.

Published byLee Kelley Modified over 8 years ago

Similar presentations

Presentation on theme: "Lecture 4: stateful inspection, advanced protocols Roei Ben-Harush 2015."— Presentation transcript:

1 Lecture 4: stateful inspection, advanced protocols Roei Ben-Harush 2015

2 2 Agenda 1 1 File Transfer Protocol - FTP HyperText Transfer Protocol - HTTP 2 2 About next Assignment 3 3 4 4 Roei Ben-Harush 2015 Advanced protection techniques

3 3 Agenda 1 1 Advanced protection techniques Roei Ben-Harush 2015 HyperText Transfer Protocol - HTTP 2 2 3 3 File Transfer Protocol - FTP About next Assignment 4 4

4 4 Connection table  Advanced firewalls intelligently associating new packet requests with existing legitimate connections.  We no longer pass each packet through the rule table, but check it’s state first and see if it’s a new or existing connection.  When a packet arrive with ACK flag set to 0 we’ll check it with the static rule table and set the verdict according to it  If the ACK flag is set to 1, we know the packet belongs to existing connection (or illegal), so we’ll check it with the connection table Roei Ben-Harush 2015

5 5 Connection table  Each approved connection will be saved in a dynamic table  Each row will contain data about the saved connection –Source IP address –Source port –Destination IP address –Destination port –State  Protocols can have several states and we always need to know the current state of the connection. For example: –3-way handshake and waiting for “syn ack” from server –Ftp connection who wait to receive “ready” status from server –Etc. Roei Ben-Harush 2015

6 6 Connection table  Other way to implement it is to add stateful rules support in the main table.  For example, iptables pass each packet (even ones of established connection) through the “static” rule table  The table has the ability to invoke stateful modules. –Can work on all layers: –inspect IP address, ports, or even GEOIP lookup of IP address –inspect specific bytes, or doing a string search, in the raw packet –inspect MAC address –inspect flags of TCP/UDP/ICMP –stateful connection tracking –And many more Roei Ben-Harush 2015

7 7 Stateful inspection  Some protocols required connection tracking to establish a secured connection –We can’t just allow traffic from numerous ports  Both in TCP and UDP there are protocols as such: –TFTPTFTP –Both client and server open random ports and connect with each other –VOIP protocols –Need to be fast AND secure –SIPSIP –H.323 protocolsH.323 –Basically anything on top TCP (and some UDP also) Roei Ben-Harush 2015

8 8 Stateful inspection  Classic example: FTP. By design, the firewall need to be able to open connections to arbitrary high ports for it to function properly.  The client send the server the port it’s open for data connection  The stateless firewall can’t open the port dynamically.  We need to read the payload (the data itself) of the packet to realize we are in ftp connection and we are about to receive port number to open. Roei Ben-Harush 2015

9 9 Agenda 1 1 Advanced protection techniques File Transfer Protocol - FTP 2 2 HyperText Transfer Protocol - HTTP 3 3 About next Assignment 4 4 Roei Ben-Harush 2015

10 10 File Transfer Protocol - FTP Roei Ben-Harush 2015 ClientServer Ack Syn get a.out Syn+Ack Syn Ack Syn+Ack a.out X21 20 Y

11 11 File Transfer Protocol - FTP  Can be enforced only in stateful inspection.  Receive port number to open in the packet’s payload  After connection is established, the client send to the server a packet with a special request, called PORT  A PORT request asks the server to use a different port to the data connection: the server makes a TCP connection to the client though this port.  The PORT request has a parameter in the form: –h1,h2,h3,h4,p1,p2 –the client is listening for connections on TCP port p1*256+p2 at IP address h1.h2.h3.h4. Roei Ben-Harush 2015

12 12 File Transfer Protocol - FTP  For example, after a connection from 10.0.1.1 to ftp server 10.0.2.2 the client send the following packet: –PORT 10,0,1,1,165,126  What the server understands, and what port number the client has opened?  Answer: the server understand that client in ip address 10.0.1.1 has opened the port 165*256+126, which is 42366  Our firewall now should keep track of packets who reach to this port and IP, and not automatically drop them, but to inspect them and see if they're related to the ftp connection Roei Ben-Harush 2015

13 13 Agenda 1 1 Advanced protection techniques File Transfer Protocol - FTP 2 2 HyperText Transfer Protocol - HTTP 3 3 About next Assignment 4 4 Roei Ben-Harush 2015

14 14 HyperText Transfer Protocol - HTTP  Another example to a protocol with lots of information in the payload  In contrast to FTP, HTTP was designed to operate over a single TCP port and a single TCP connection, to avoid the difficulties we've seen for FTP. However, there is still a lot of state to be kept *between* packets in that single TCP connection. We need to listen and search for http request  Once we found the client sent GET request, we need to inspect the following packets to see what response we’ll get  Examples Roei Ben-Harush 2015

15 15 HyperText Transfer Protocol - HTTP  Regular 200 OK response: GET /secws15/ HTTP/1.1 Host: course.cs.tau.ac.il:443 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Encoding: gzip, deflate, sdch Accept-Language: en-US,en;q=0.8,he;q=0.6 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36 HTTP/1.1 200 OK Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0 Connection: Keep-Alive Content-Length: 4503 Content-Type: text/html; charset=utf-8 Server: Apache/2.2.14 (Ubuntu) Vary: Accept-Encoding Roei Ben-Harush 2015

16 16 HTTP redirection  What if we’ll get redirection to another webpage? GET / HTTP/1.0 Host: www.walla.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*; q=0.8 Accept-Encoding: gzip, deflate, sdch Accept-Language: en-US,en;q=0.8,he;q=0.6 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 HTTP/1.0 302 Found Connection: Keep-Alive Content-Length: 0 Location: http://www.walla.co.il/ Server: BigIP Roei Ben-Harush 2015

17 17 HTTP stream: data in the same connection  We then ask from the right address and receive the data on the same connection ( in contrast to FTP) GET http://www.walla.co.il/ HTTP/1.1 Host: www.walla.co.il Proxy-Connection: keep-alive Accept:… HTTP/1.1 200 OK Content-Type: … … וואלה! NEWS … Roei Ben-Harush 2015

18 18 HTTP redirection  As we can see, walla.co.il and walla.com are on a different IP address: C:\Users\roeibh>nslookup walla.com Name: walla.com Address: 192.118.82.157 C:\Users\roeibh>nslookup walla.co.il Name: walla.co.il Address: 81.218.79.154  In our exercise we would like to approve connection between us and the new address.  pay attention for redirection status code, find and approve the new IP address Roei Ben-Harush 2015

19 19 Agenda 1 1 Advanced protection techniques File Transfer Protocol - FTP 2 2 HyperText Transfer Protocol - HTTP 3 3 About next Assignment 4 4 Roei Ben-Harush 2015

Download ppt "Lecture 4: stateful inspection, advanced protocols Roei Ben-Harush 2015."

Similar presentations

CCNA – Network Fundamentals

CCNA – Network Fundamentals
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 OSI Transport Layer Network Fundamentals – Chapter 4.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 OSI Transport Layer Network Fundamentals – Chapter 4.
Lecture 7 Transport Layer

Lecture 7 Transport Layer
Chapter 7 Intro to Routing & Switching.  Upon completion of this chapter, you should be able to:  Explain the need for the transport layer.  Identify.

Chapter 7 Intro to Routing & Switching.  Upon completion of this chapter, you should be able to:  Explain the need for the transport layer.  Identify.
Firewalls.

Firewalls.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Network Services Networking for Home and Small Businesses – Chapter 6.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Network Services Networking for Home and Small Businesses – Chapter 6.
HTTP HyperText Transfer Protocol. HTTP Uses TCP as its underlying transport protocol Uses port 80 Stateless protocol (i.e. HTTP Server maintains no information.

HTTP HyperText Transfer Protocol. HTTP Uses TCP as its underlying transport protocol Uses port 80 Stateless protocol (i.e. HTTP Server maintains no information.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 OSI Transport Layer Network Fundamentals – Chapter 4.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 OSI Transport Layer Network Fundamentals – Chapter 4.
1 HTTP and some other odds and ends Nelson Padua-Perez Bill Pugh Department of Computer Science University of Maryland, College Park.

1 HTTP and some other odds and ends Nelson Padua-Perez Bill Pugh Department of Computer Science University of Maryland, College Park.
Page: 1 Director 1.0 TECHNION Department of Computer Science The Computer Communication Lab (236340) Summer 2002 Submitted by: David Schwartz Idan Zak.

Page: 1 Director 1.0 TECHNION Department of Computer Science The Computer Communication Lab (236340) Summer 2002 Submitted by: David Schwartz Idan Zak.
How the web works: HTTP and CGI explained

How the web works: HTTP and CGI explained
TCP/IP Protocol Suite 1 Chapter 22 Upon completion you will be able to: World Wide Web: HTTP Know how HTTP accesses data on the WWW Objectives.

TCP/IP Protocol Suite 1 Chapter 22 Upon completion you will be able to: World Wide Web: HTTP Know how HTTP accesses data on the WWW Objectives.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
WXES2106 Network Technology Semester 1 2004/2005 Chapter 8 Intermediate TCP CCNA2: Module 10.

WXES2106 Network Technology Semester /2005 Chapter 8 Intermediate TCP CCNA2: Module 10.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau (20086034) Lee Shirly (20095815) Ong Ivy (20095040)

Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau ( ) Lee Shirly ( ) Ong Ivy ( )
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
FIREWALL Mạng máy tính nâng cao-V1.

FIREWALL Mạng máy tính nâng cao-V1.
Human-Computer Interface Course 5. ISPs and Internet connection.

Human-Computer Interface Course 5. ISPs and Internet connection.

Similar presentations

Ads by Google