Chapter 30 – Internet Security and Firewall Design
30.13 Firewalls and Internet Access
[Figure: an organization's "Intranet" and its connections to the Internet]
30.13 Firewalls and Internet Access - continued
Successful access control and content protection requires a careful combination of:
► restrictions on network topology
► intermediate information staging
► packet filters
30.14 Multiple Connections and Weakest Links
Refers to the first item above.
In general, an organization's intranet has multiple connections to the Internet.
A security perimeter is formed by installing a firewall at each connection.
All firewalls must be configured with the same access restrictions; otherwise an attacker simply enters through the "weakest link" (the least restrictive connection), and the stricter firewalls protect nothing.
30.15 Firewall Implementation and Packet Filters
Refers to the 3rd item.
We have previously seen another capability added to a router – NAT.
Now we add a further capability – the packet filter.
Recall:
► restrictions on network topology
► intermediate information staging
► packet filters
Usually, a packet filter allows a manager to identify classes of datagrams by specifying arbitrary combinations of:
► source IP address
► destination IP address
► protocol
► source port
► destination port
► arrival interface
A packet filter is stateless: it treats each datagram in isolation, not "remembering" datagrams that arrived earlier and keeping no record of the event, apart from possibly writing to a log.
30.15 Firewall Implementation and Packet Filters - continued
We hope that the packet filter will operate at wire speed, not delaying incoming IP datagram traffic.
Figure 7.2
Recall row-by-row table search in routing:
30.15 Firewall Implementation and Packet Filters - continued
When an IP datagram arrives, the packet filter works through this table row by row. If the datagram matches the specification on any row, the datagram is filtered (blocked, discarded).
[Figure: example packet-filter table for an organization using network 128.5.0.0]
The ports are not in the IP datagram header, so the modified router must "drill down" into the data area to read the TCP or UDP header.
Like NAPT, packet filtering gets the router involved in layer 4 (Transport): it looks inside the "data" of the IP datagram, not just the header.
30.16 Security and Packet Filter Specification
This packet filter has specified a small list of services to be blocked.
This does not work well, because:
► the number of well-known (i.e. server) ports is large and growing
► some Internet traffic does not travel to or from the well-known ports (e.g. an organization can run a WWW server on port 8080 instead of 80)
► listing ports of well-known services leaves the firewall vulnerable to tunneling: an inside accomplice runs a service on an unlisted port, and the filter forwards anything sent to it.
This suggests reversing the idea of the filter:
Instead of specifying types of datagram that should be filtered, specify types that should be forwarded.
Everything else is filtered ("default deny").
30.17 Consequences of Restricted Access for Clients
Problem with this scheme:
It prevents a client inside the firewall from receiving a reply from a server outside the firewall.
Why? Because the client chooses its source port at random from the ephemeral range (1024 to 65,535). In the server's reply the client's source port becomes the destination port. To let the reply through, the packet filter would have to be configured to forward inbound datagrams to all of these ports, which reopens most of what the default-deny rule closed.
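The row-by-row search of 30.15, the reversal to default deny of 30.16 and the lost reply of 30.17 together, as an added Python example (not code from the slides or from Comer's text). The rule table, the site network 128.5.0.0, the interface names "inside"/"outside" and the sample datagrams are constructed; the dotted-prefix wildcard stands in for a real CIDR match.

```python
"""Stateless packet filter: first matching row wins, else the policy applies.

Added example; addresses, interface names and rules are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    proto: str             # "tcp", "udp", "icmp"
    sport: Optional[int]   # None for protocols without ports
    dport: Optional[int]
    iface: str             # arrival interface ("inside" or "outside")


def addr_match(pattern: str, addr: str) -> bool:
    """'*' matches anything; a pattern ending in '.' is a dotted prefix
    (constructed stand-in for a CIDR match); otherwise an exact host."""
    if pattern == "*":
        return True
    if pattern.endswith("."):
        return addr.startswith(pattern)
    return addr == pattern


@dataclass(frozen=True)
class Rule:
    """One row of the filter table; unspecified fields match anything."""
    src: str = "*"
    dst: str = "*"
    proto: str = "*"
    sport: Optional[int] = None
    dport: Optional[int] = None
    iface: str = "*"

    def matches(self, d: Datagram) -> bool:
        return (addr_match(self.src, d.src) and addr_match(self.dst, d.dst)
                and self.proto in ("*", d.proto)
                and self.sport in (None, d.sport)
                and self.dport in (None, d.dport)
                and self.iface in ("*", d.iface))


def filter_datagram(rules, policy: str, d: Datagram) -> str:
    """Stateless decision for one datagram; nothing is remembered between calls.
    policy="ACCEPT": the rows list what to discard (first idea).
    policy="DROP":   the rows list what to forward; all else is discarded
    (the reversed idea of 30.16)."""
    for rule in rules:
        if rule.matches(d):
            return "DROP" if policy == "ACCEPT" else "ACCEPT"
    return policy


# First idea: block a short list of services, forward everything else.
BLOCK_LIST = [
    Rule(dst="128.5.", proto="tcp", dport=23, iface="outside"),   # no inbound telnet
    Rule(dst="128.5.", proto="udp", dport=69, iface="outside"),   # no inbound tftp
]
# Reversed idea: list only what may be forwarded, discard the rest.
ALLOW_LIST = [
    Rule(dst="128.5.0.10", proto="tcp", dport=80, iface="outside"),  # public web server only
    Rule(src="128.5.", iface="inside"),                               # anything leaving the site
]

SAMPLES = {   # constructed traffic
    "telnet_in":   Datagram("10.9.9.9", "128.5.0.3", "tcp", 40000, 23, "outside"),
    "web_in":      Datagram("10.9.9.9", "128.5.0.10", "tcp", 40001, 80, "outside"),
    "tunnel_8080": Datagram("10.9.9.9", "128.5.0.3", "tcp", 40002, 8080, "outside"),
    "client_out":  Datagram("128.5.0.3", "10.9.9.9", "tcp", 51515, 80, "inside"),
    "reply_in":    Datagram("10.9.9.9", "128.5.0.3", "tcp", 80, 51515, "outside"),
}


def compare_policies():
    """Decision under (block list, allow list) for each sample datagram."""
    return {name: (filter_datagram(BLOCK_LIST, "ACCEPT", d),
                   filter_datagram(ALLOW_LIST, "DROP", d))
            for name, d in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in compare_policies().items():
        print(f"{name:12s} block-list={decision[0]:6s} allow-list={decision[1]}")
```

The block list lets the tunnel on port 8080 straight through; the allow list stops it, but also discards the server's reply to the client's random port 51515, which is exactly the problem 30.17 describes and 30.18 fixes.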
30.18 Stateful Firewalls
Recall that basic packet filters are stateless. They treat each IP datagram separately and keep no record of datagrams received.
Stateful firewalls watch outgoing requests and temporarily adapt the filter rules to accommodate the replies.
Example:
An internal client sends a TCP connection request to an external WWW server.
The stateful firewall records this as the two endpoints of the requested connection:
( IPsource, Portsource, IPdest, 80 )
When the server returns a connection accept (SYN-ACK) to that endpoint pair, the firewall recognizes it as the response to the request and forwards it to the client. An inbound segment that matches no recorded connection is still dropped.
This is in addition to the packet filter, so actions can still be prohibited, as determined by the administrator.
30.18 Stateful Firewalls – continued
In the previous example, what if no reply is received to the connection request after a reasonable time?
The record of the connection must be purged – "soft state" (otherwise a misbehaving or malicious client can fill the table with half-open entries).
How does the stateful firewall know when a TCP connection is terminated, so that the record can be deleted?
The firewall must watch for the two FIN segments ("connection monitoring"); a RST segment also ends the connection, and an idle timeout covers the case where the close is never seen.
Figure 12.15
Basically, the firewall must follow this TCP state-transition diagram for each of the active connections!
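The connection record, soft-state purge and FIN watching of 30.18, as an added Python example (not code from the slides). Addresses, ports, the 30-second SYN timeout and the segment sequence are constructed; the inside network is identified by a dotted prefix, an assumption made here for brevity.

```python
"""Stateful TCP firewall (connection monitoring) with soft state.

Added example; addresses, ports and the SYN timeout are constructed."""
from dataclasses import dataclass

SYN_TIMEOUT = 30.0   # assumed: seconds to wait for the server's SYN-ACK


@dataclass
class Conn:
    state: str         # "SYN_SENT", "ESTABLISHED", "FIN_WAIT"
    last_seen: float
    fins_seen: int = 0


class StatefulFirewall:
    def __init__(self, inside_prefix: str):
        self.inside_prefix = inside_prefix    # e.g. "128.5." (constructed)
        # (inside ip, inside port, outside ip, outside port) -> Conn
        self.table = {}

    def _key(self, src, sport, dst, dport):
        """Map both directions of a connection onto one table key."""
        if src.startswith(self.inside_prefix):
            return (src, sport, dst, dport), True      # outbound
        return (dst, dport, src, sport), False         # inbound

    def purge(self, now: float) -> int:
        """Soft state: forget requests that never received a reply.
        (A production firewall also expires idle ESTABLISHED entries.)"""
        stale = [k for k, c in self.table.items()
                 if c.state == "SYN_SENT" and now - c.last_seen > SYN_TIMEOUT]
        for k in stale:
            del self.table[k]
        return len(stale)

    def handle(self, now, src, sport, dst, dport, flags) -> str:
        """Decide on one TCP segment; flags is a set such as {"SYN", "ACK"}."""
        self.purge(now)
        key, outbound = self._key(src, sport, dst, dport)
        conn = self.table.get(key)
        if conn is None:
            if outbound and flags == {"SYN"}:
                self.table[key] = Conn("SYN_SENT", now)   # record the two endpoints
                return "ACCEPT"
            return "DROP"     # inbound segment matching no recorded connection
        conn.last_seen = now
        if conn.state == "SYN_SENT":
            if not outbound and flags == {"SYN", "ACK"}:
                conn.state = "ESTABLISHED"    # the reply we were waiting for
                return "ACCEPT"
            return "ACCEPT" if outbound else "DROP"   # client may retransmit its SYN
        if "RST" in flags:
            del self.table[key]               # abortive close ends the connection too
            return "ACCEPT"
        if "FIN" in flags:
            conn.fins_seen += 1
            conn.state = "FIN_WAIT"
            if conn.fins_seen == 2:           # both sides have closed
                del self.table[key]           # (a real firewall keeps a short TIME_WAIT
                                              #  so the final ACK still gets through)
        return "ACCEPT"


def demo():
    """Constructed exchange: one web connection, one unsolicited inbound SYN,
    an orderly close, and a request that never gets answered."""
    fw = StatefulFirewall("128.5.")
    client, server = "128.5.0.3", "10.9.9.9"
    decisions = [
        fw.handle(0.0, client, 51515, server, 80, {"SYN"}),          # ACCEPT, recorded
        fw.handle(0.1, server, 80, client, 51515, {"SYN", "ACK"}),   # ACCEPT, reply to it
        fw.handle(0.2, server, 80, client, 51516, {"SYN"}),          # DROP, nobody asked
        fw.handle(1.0, client, 51515, server, 80, {"FIN", "ACK"}),   # ACCEPT, first FIN
        fw.handle(1.1, server, 80, client, 51515, {"FIN", "ACK"}),   # ACCEPT, second FIN
        fw.handle(2.0, server, 80, client, 51515, {"ACK"}),          # DROP, entry is gone
        fw.handle(10.0, client, 51600, server, 443, {"SYN"}),        # ACCEPT, recorded
    ]
    purged = fw.purge(10.0 + SYN_TIMEOUT + 1)   # the unanswered request expires
    return decisions, purged, len(fw.table)
```

The table is keyed on the four endpoint values the slide lists, normalised so that the reply and the request land on the same entry; the packet-filter rules of 30.16 would still run before this check.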
30.19 Content Protection and Proxies
Recall that successful access control requires a careful combination of:
► restrictions on network topology
► intermediate information staging
► packet filters
Proxies refer to the second item. We have been concentrating on access, but we may also have to protect content.
This is almost impossible at the packet-filter level, since content can be divided among many datagrams, which can arrive in any order and may be fragmented; a pattern split across two datagrams is invisible to a filter that looks at one datagram at a time.
This goes far beyond the original idea of a wire-speed firewall!
The firewall must mimic the ultimate destination host by assembling the entire message for inspection – an application proxy.
30.19 Content Protection and Proxies - continued
"Transparent" proxy – apart from the delay, the client/user is unaware that there is a proxy.
"Non-transparent" proxy – the client is configured to contact the proxy when it tries to access the external server.
[Figure: client – PROXY – external server]
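Why the proxy has to reassemble before inspecting, as an added Python example (not from the slides): the blocked string, the two constructed segments and their out-of-order arrival are all made up. The per-packet check is what a stateless filter can do; `reassemble` does the destination host's job of putting the stream back together, including a retransmitted overlap.

```python
"""Content inspection: per-datagram check versus application-proxy reassembly.

Added example; the blocked pattern and the segments are constructed."""
BLOCKED = b"SECRET-PROJECT"   # assumed content-protection rule


def per_packet_inspect(segments) -> bool:
    """What a packet filter can do: look at each payload by itself."""
    return any(BLOCKED in payload for _, payload in segments)


def reassemble(segments, isn: int = 0) -> bytes:
    """Rebuild the byte stream from (sequence number, payload) pairs that
    may arrive in any order and may overlap (retransmissions); this is the
    work the destination host does and an application proxy must repeat."""
    stream = bytearray()
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        offset = seq - isn
        if offset < len(stream):                     # overlap: keep only the new tail
            payload = payload[len(stream) - offset:]
            offset = len(stream)
        if offset > len(stream):
            raise ValueError(f"gap before sequence number {seq}: cannot inspect yet")
        stream.extend(payload)
    return bytes(stream)


def proxy_inspect(segments) -> bool:
    """What an application proxy does: reassemble, then look."""
    return BLOCKED in reassemble(segments)


def inspectable(segments) -> bool:
    """False while a segment is still missing (the proxy must wait for it)."""
    try:
        reassemble(segments)
        return True
    except ValueError:
        return False


# Constructed stream: the pattern straddles two segments, which arrive
# in the wrong order.
SEGMENTS = [
    (13, b"T-PROJECT design notes attached\r\n"),
    (0, b"Re: the SECRE"),
]


def demo():
    """(per-packet verdict, proxy verdict) for the constructed stream."""
    return per_packet_inspect(SEGMENTS), proxy_inspect(SEGMENTS)
```

The per-packet pass misses the pattern because neither datagram contains it whole; the proxy finds it only after buffering both, which is the delay and the memory the slide warns about.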
30.20 Monitoring and Logging
If you're the network administrator, do it!
Otherwise you don't know what's happening: the log is the only record a stateless filter leaves of what it forwarded or discarded.
7.11 Establishing Routing Tables
For now, assume routing tables are loaded manually;
in chapters 13 and 15 we'll see protocols that allow routers to learn routes from each other.
End of Chapter 7.
Background to Chapters 13 - 15
[Figure: example internet with routers at BHM and ATL]
8.11 Route Change Requests from Routers – continued
This is not a general mechanism for route changes. It is restricted to routers sending redirects to directly-connected hosts.
Figure 8.7 – R5 cannot redirect R1 to use the shorter path from S to D.
But R1 could tell S to use R6 for traffic to D, provided that R6 is in R1's routing table as "next hop" for destination D.
13.6 Automatic Route Propagation
"Routing protocols serve two important functions. First, they compute a set of shortest paths. Second, they respond to network failures or topology changes by continually updating the routing information."
A network administrator cannot respond manually to failures fast enough.
Figure 13.3
13.7 Distance Vector (Bellman-Ford) Routing
This is the first type of automatic routing protocol that we shall study.
At start-up, routing tables include only the directly-connected networks.
"Distance" for a direct connection has been changed from 0 to 1 to agree with chapter 15.
Figure 13.3
Routers advertise their routes to their directly-connected neighbors, using the IP local broadcast capability.
13.7 Distance Vector (Bellman-Ford) Routing - continued
Periodically, routers broadcast copies of their routing tables to all directly-connected routers.
Consider router J sending to router K.
We think of J as advertising "I can get you to network X at a cost of Y".
"Cost" means the number of routers along the path to X (router J plus subsequent routers); K adds one for its own hop to J.
Router K will update its routing table on the basis of the information received from J.
Router K's initial routing table
To see how it works, assume that at some later time router K has learned routes and its routing table looks like this:
[Figure 13.4: Router K's routing table]
Routers J, L, M, and Q are directly reachable from K.
Router K now receives an update message from directly-connected router J.
Recall that J says "I can get you to network X at a cost of Y".
[Figure 13.4: Router K's routing table beside the update message from J; update items marked with an arrow cause K to change its routing table.]
Resulting changes to K's routing table:
► to Net 4 – distance 4 – via J (a better route has been discovered)
► to Net 21 – distance 5 – via J (a new route has been discovered)
► to Net 42 – distance 4 – via J (the old route already went via J, and J now reports a higher cost: something has gone wrong with the old route beyond J, and K must believe J even though the new route is worse)
K will now advertise to its other neighbors "I can get you to Net 4 at a cost of 4", "I can get you to Net 21 at a cost of 5", "I can get you to Net 42 at a cost of 4" (the costs K advertises already include its own hop to J).
What routers are where? (detective work!)
13.7 Distance Vector (Bellman-Ford) Routing – continued
Advantages:
► Distance-vector algorithms are easy to implement.
► In a relatively static environment they compute the shortest paths and propagate correct routes to all destinations.
Disadvantages:
► All routers must participate.
► When routes change rapidly the computations may not stabilize (changes propagate slowly – diffusion).
► In a large internet the update messages get large (size is proportional to the number of networks in the internet, so distance-vector algorithms "do not scale well").
► A router believes whatever its neighbors advertise (see the Net 42 case above): one router announcing wrong costs, by mistake or deliberately, corrupts the tables of every router that learns from it.
13.9 Link-State (SPF) Routing
An alternative to distance-vector routing is link-state routing.
These algorithms are known as Shortest Path First
(a misnomer, since all routing algorithms compute the shortest path).
Every router has a graph (CS 250/350) showing all other routers and the networks to which they connect. Nodes in the graph are the routers; links in the graph are direct connections between routers.
Periodically each router tests the reachability of all directly-connected routers (i.e. tests whether each of its links is "up" or "down").
The router floods this link-status information to all other routers.
If a receiving router detects a change in link status, the router recomputes shortest paths to all possible destinations, using Dijkstra's algorithm.
Link-State Routing.
Advantages:
► the size of the update messages sent by a router is proportional to the number of links it has
(i.e. update messages are much smaller than those in distance-vector routing, so link-state "scales better")
► each router computes routes independently from the original link-status data (not relying on the computations of intermediate routers), so one router with a wrong table does not pass wrong routes on.
Disadvantages:
► computational load on routers (Dijkstra must be re-run after every change).
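Link-state computation, as an added Python example (not from the slides): a constructed four-router link-state database, Dijkstra run independently by each router to get a cost and next hop per destination, and a recomputation after one link goes down.

```python
"""Link-state (SPF) routing: one shared database, Dijkstra run per router.

Added example; the topology and costs are constructed."""
import heapq

# Link-state database: router -> {neighbour: cost}; every link appears
# in both directions, as the flooded link-status reports would put it.
LSDB = {
    "R1": {"R2": 1, "R3": 4},
    "R2": {"R1": 1, "R3": 1, "R4": 5},
    "R3": {"R1": 4, "R2": 1, "R4": 1},
    "R4": {"R2": 5, "R3": 1},
}


def shortest_paths(lsdb, source):
    """Dijkstra from source: {router: (cost, next hop)} for every other router."""
    dist = {source: 0}
    first_hop = {source: None}
    heap = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, float("inf")):     # stale heap entry
            continue
        for v, w in lsdb.get(u, {}).items():
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                # the next hop is the first router on the path from source
                first_hop[v] = v if u == source else first_hop[u]
                heapq.heappush(heap, (nd, v))
    return {r: (dist[r], first_hop[r]) for r in dist if r != source}


def routing_tables(lsdb):
    """Every router runs the same computation on the same data, so the
    tables are consistent without anyone trusting a neighbour's result."""
    return {r: shortest_paths(lsdb, r) for r in lsdb}


def link_down(lsdb, a, b):
    """Flooded link-status change: the link a-b is removed in both directions
    and a new database is returned for the recomputation."""
    new = {r: dict(n) for r, n in lsdb.items()}
    new[a].pop(b, None)
    new[b].pop(a, None)
    return new


if __name__ == "__main__":
    print("R1 before:", shortest_paths(LSDB, "R1"))
    print("R1 after R2-R3 fails:", shortest_paths(link_down(LSDB, "R2", "R3"), "R1"))
```

Before the failure R1 reaches everything through R2; once the R2-R3 link is flooded as down, R1 recomputes and sends R3 and R4 traffic over its own slower link to R3, without waiting for any neighbour's table.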
14.5 Autonomous System Concept
We cannot run an automatic routing protocol for the entire Global Internet.
How should the Internet be partitioned into sets of routers so that each set can run a routing update protocol?
Networks and routers are owned by organizations and individuals. Within each, an administrative authority can guarantee that internal routes remain consistent and viable.
For purposes of routing, a group of networks controlled by a single administrative authority is called an autonomous system (AS), identified by an autonomous system number.
Comer suggests thinking about an autonomous system as corresponding to a large ISP (but UAB is an AS, number 3452).
One router can be chosen to inform the outside world of networks within the organization (assume a desire for universal connectivity – temporarily ignore security!).
This router also learns about outside networks and distributes this information internally.
Figure 14.2
Within an autonomous system, the administration chooses a routing method.
Between autonomous systems, the Border Gateway Protocol (BGP-4) is used.
14.6 Exterior Gateway Protocols and Reachability
R1 gathers information about the networks in AS1 and passes it to R2 using BGP.
R2 gathers information about the networks in AS2 and passes it to R1 using BGP.
Chapter 15: Routing Within an Autonomous System (RIP, OSPF)
15.3 Routing Information Protocol
RIP is a straightforward implementation of distance-vector routing.
Routers run RIP in "active mode": they broadcast update messages to directly-connected neighbors every 30 seconds.
Hosts listen and learn ("passive mode"), but do not broadcast.
15.3 Routing Information Protocol – continued
RIP rules:
► routers send updates every 30 seconds
► receiving routers do not replace an existing route with one of equal cost (hop count)
► a hop count of 16 means "infinity" (unreachable), so the longest usable path is 15 hops
► receivers use a 180-second timeout on entries ("soft state")
We will use fig 15.2 to illustrate how RIP works.
Initially: R5 not running.
Other routers have only direct connections (entries such as "N3 1 direct", "N4 1 direct").
[Figure 15.2: after updates are exchanged the routers learn routes such as "N1 2 via R1", "N1 3 via R2", "N2 2 via R2", "N1 3 via R5", "N2 2 via R5"]
15.4 Slow Convergence Problem
Fig 15.4 (a)
Trace of the exchange between R1 (directly connected to N1) and R2 (which reaches N1 via R1):
R1: N1 1 (direct)                                  R2: N1 2 via R1
N1 fails:                         R1: N1 16
R2's regular update "N1 2" reaches R1 first:       R1: N1 3 via R2
R1 sends "N1 3" to R2 and R3:                      R2: N1 4 via R1
R2 sends "N1 4":                                   R1: N1 5 via R2
R1 sends "N1 5":                                   R2: N1 6 via R1
...
At this point we have a routing loop! Each exchange adds 2 to the hop count until it reaches 16. Fails!
15.4 Slow Convergence Problem
Fig 15.4
15.5 Solving the Slow Convergence Problem
The problem arises from sending a route back to the router from which it was learned.
"Split horizon updates" prevent this.
Router K must not send routes to Net 24 and Net 42 back to router J (it learned both from J).
Easy to implement: recall figure 13.4, Router K's routing table: the next-hop column tells K which routes to omit from its update to J.
RIP implementations do this (RIPv1 as well as RIPv2).
15.5 Solving the Slow Convergence Problem – continued
Other techniques, applied after receipt of information that a network is unreachable:
► "hold down" – ignore further information about that network for the hold-down period (60 seconds)
► "poison reverse" – continue to advertise the path to that network, but with cost 16
► "triggered updates" – send an immediate special update; don't wait for the regular 30-second schedule.
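The update of Figure 13.4 in 13.7 and the split-horizon / poison-reverse fixes of 15.5, as one added Python example (not code from the slides or from Comer). The slides do not reproduce K's table, so the table and J's advertisement below are constructed to give exactly the three changes listed (Net 4, Net 21, Net 42); the two-router failure scenario follows Fig 15.4, with R2's stale update reaching R1 before R1 announces the failure.

```python
"""Distance-vector update (Bellman-Ford) and the slow-convergence fixes.

Added example; tables map network -> (distance, next hop) and are constructed."""
INFINITY = 16   # RIP's "infinity"


def dv_update(table, neighbour, advert):
    """Apply neighbour's advertisement ("I can reach X at cost Y") to table.
    A route is installed if it is new, strictly better (equal cost does not
    replace, as in RIP), or comes from the neighbour we already use for that
    network, whose new cost, better or worse, must be believed.
    Returns the list of (net, new cost, next hop) changes."""
    changes = []
    for net, cost in advert.items():
        new_cost = min(cost + 1, INFINITY)          # one more hop, capped at infinity
        current = table.get(net)
        if current is None or new_cost < current[0] or current[1] == neighbour:
            if current != (new_cost, neighbour):
                changes.append((net, new_cost, neighbour))
            table[net] = (new_cost, neighbour)
    return changes


def advertise(table, to_neighbour, mode="plain"):
    """Build the update sent to one neighbour.
    plain: send everything; split_horizon: omit routes learned from that
    neighbour; poison_reverse: send them, but with cost INFINITY."""
    advert = {}
    for net, (cost, next_hop) in table.items():
        if next_hop == to_neighbour:
            if mode == "split_horizon":
                continue
            if mode == "poison_reverse":
                advert[net] = INFINITY
                continue
        advert[net] = cost
    return advert


# Constructed router K table and update from J, in the style of Figure 13.4.
ROUTER_K = {"Net 1": (1, "direct"), "Net 2": (1, "direct"), "Net 4": (8, "L"),
            "Net 17": (5, "M"), "Net 24": (6, "J"), "Net 30": (2, "Q"), "Net 42": (2, "J")}
UPDATE_FROM_J = {"Net 1": 2, "Net 4": 3, "Net 17": 6, "Net 21": 4,
                 "Net 24": 5, "Net 30": 10, "Net 42": 3}


def figure_13_4():
    """(changes K makes, K's table afterwards) for the constructed update."""
    table = dict(ROUTER_K)
    return dv_update(table, "J", UPDATE_FROM_J), table


def count_to_infinity(mode):
    """Fig 15.4 scenario: R1 reaches N1 directly, R2 via R1.  N1 fails and
    R2's periodic update reaches R1 before R1 can announce the failure.
    Returns the number of exchange rounds until both agree N1 is unreachable."""
    r1 = {"N1": (INFINITY, "direct")}   # N1 has just failed
    r2 = {"N1": (2, "R1")}
    rounds = 0
    while (r1["N1"][0] < INFINITY or r2["N1"][0] < INFINITY) and rounds < 50:
        dv_update(r1, "R2", advertise(r2, "R1", mode))   # the stale route comes back
        dv_update(r2, "R1", advertise(r1, "R2", mode))
        rounds += 1
    return rounds


if __name__ == "__main__":
    print(figure_13_4()[0])
    for mode in ("plain", "split_horizon", "poison_reverse"):
        print(f"{mode}: {count_to_infinity(mode)} rounds")
```

With plain updates the two routers count up by two per exchange and need eight rounds to reach 16; with split horizon R2 never echoes the N1 route back to R1, and with poison reverse it echoes it as unreachable, so both settle in a single round. The same `advertise` call on K's table shows the 15.5 rule: Net 24 and Net 42 are left out of the update to J.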
15.9 RIP2 Extensions and Message Format
Figure 15.6
COMMAND: 1 = request, 2 = response
Each entry says: route to this network; goes next to this directly-connected router; and this is the total distance to the destination over this route.
15.9 RIP2 Extensions and Message Format – continued
In RIPv1 routers broadcast their messages, so that every computer in the local network had to process the message. This is wasteful.
RIPv2 makes use of multicasting to the class-D "RIP2 routers" address 224.0.0.9.
This sends messages specifically (only) to the routers on the local network.
15.9 RIP2 Extensions and Message Format – continued
RIP messages travel encapsulated in UDP datagrams.
Both source and destination ports are 520 (not client/server), so any host on the local network can send an update that looks like a router's; RIPv1 has no way to check who sent it.
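Building and checking RIP messages in the Figure 15.6 layout, as an added Python example (not from the slides). It follows the RFC 2453 RIPv2 layout (4-byte header, 20-byte entries, at most 25 entries per message) and refuses metrics outside 1..16, since nothing else in RIP over UDP port 520 validates the sender; the sample routes are constructed, and RIPv2 authentication entries are rejected rather than processed.

```python
"""RIPv2 message build/parse with input validation.

Added example; sample routes are constructed."""
import socket
import struct

RIP_PORT = 520
RIPV2_GROUP = "224.0.0.9"
REQUEST, RESPONSE = 1, 2
AF_INET = 2
INFINITY = 16
MAX_ENTRIES = 25                      # RFC 2453: 25 entries per message
HEADER = struct.Struct("!BBH")        # command, version, must-be-zero
ENTRY = struct.Struct("!HH4s4s4sI")   # AFI, route tag, address, mask, next hop, metric


def build_response(routes, version=2):
    """routes: list of (network, mask, next hop, metric); next hop 0.0.0.0
    means 'via the sender'."""
    if len(routes) > MAX_ENTRIES:
        raise ValueError("too many entries for one RIP message")
    msg = HEADER.pack(RESPONSE, version, 0)
    for net, mask, next_hop, metric in routes:
        msg += ENTRY.pack(AF_INET, 0, socket.inet_aton(net), socket.inet_aton(mask),
                          socket.inet_aton(next_hop), metric)
    return msg


def parse_message(data):
    """Return (command, version, [routes]); raises ValueError on anything
    malformed or out of range instead of installing it."""
    if len(data) < HEADER.size or (len(data) - HEADER.size) % ENTRY.size:
        raise ValueError(f"bad RIP length {len(data)}")
    command, version, zero = HEADER.unpack_from(data)
    if command not in (REQUEST, RESPONSE) or version not in (1, 2) or zero != 0:
        raise ValueError("bad RIP header")
    routes = []
    for off in range(HEADER.size, len(data), ENTRY.size):
        afi, tag, net, mask, nh, metric = ENTRY.unpack_from(data, off)
        if afi == 0xFFFF:             # RIPv2 authentication entry
            raise ValueError("authenticated RIP not handled in this example")
        if afi != AF_INET:
            raise ValueError(f"unknown address family {afi}")
        if not 1 <= metric <= INFINITY:
            raise ValueError(f"metric {metric} out of range")
        routes.append((socket.inet_ntoa(net), socket.inet_ntoa(mask),
                       socket.inet_ntoa(nh), metric))
    if len(routes) > MAX_ENTRIES:
        raise ValueError("too many entries")
    return command, version, routes


def is_malformed(data) -> bool:
    """True when parse_message would reject the datagram."""
    try:
        parse_message(data)
        return False
    except ValueError:
        return True
```

Feeding a parsed route into the distance-vector update still trusts the sender completely; the checks here only stop a malformed datagram from crashing the router or installing a metric RIP cannot represent.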
15.10 The Disadvantage of RIP Hop Counts
Using hop counts as a metric does not always yield routes with the least delay or the highest capacity (a 2-hop path over slow links wins over a 3-hop path over fast ones).
15.11 Delay Metric
The HELLO protocol measures the delay of competing routes and selects the route with the least delay.
15.12 Delay Metrics and Oscillation
HELLO is susceptible to oscillation between two routes with similar delay: traffic moved onto the "better" route raises its delay, so the choice flips back.
15.15 The Open SPF Protocol (OSPF)
An implementation of link-state routing.
Features:
► open standard (not proprietary)
► type-of-service routing
► load balancing – "if a manager specifies multiple routes to a given destination at the same cost, OSPF distributes traffic over all routes equally."
► can partition internets into areas
► exchanges between routers can be authenticated
► supports host-specific, subnet-specific, classful and classless routes
15.16 Routing with Partial Information
"Routers at the center of the Internet have a complete set of routes to all possible destinations; such routers do not use default routes."
(288,000 entries in their routing tables in 2009, growing about 14% per year)
Most other routers do not have complete information; they use default routes.
15.16 Routing with Partial Information - continued
Using default routes for most routers has two consequences:
► local routing errors can go undetected – one router's default may send datagrams to the wrong next-hop router (perhaps outside the autonomous system), but that router may quietly forward the datagram to the correct next hop (perhaps back inside the autonomous system);
► routing update messages exchanged by routers can be much smaller than if the messages contained all possible destinations (our original motivation for using default routes).
[Figure: a router with no entry for N3 sends via its default route R1, although N3 is 2 hops away via R3 – sub-optimal routing]
Lab Session 5 – Packet Filtering
1. Physical Connections
INSIDE: as usual (192.168.1.0)
OUTSIDE: UAB class B address 138.26.0.0
CIS subnet 138.26.66.0
mask 255.255.255.0
we will subnet further with mask 255.255.255.240
[Figure: INSIDE – packet filter – OUTSIDE]
OUTSIDE: UAB class B address 138.26.0.0; CIS subnet 138.26.66.0, mask 255.255.255.0; we will subnet further with mask 255.255.255.240
255.255.255.240 = 11111111.11111111.11111111.11110000
Subnets are 138.26.66.0, 138.26.66.16, ... , 138.26.66.240 (use this one)
138.26.66.240: the last octet is 1111 0000 – the top four bits select the subnet, the low four bits select the host
Available host IP addresses are 138.26.66.241 thru 138.26.66.254 (.240 is the subnet address, .255 the broadcast address)
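The subnet arithmetic of the lab, as an added Python example (not from the lab hand-out): integer masking rather than the ipaddress module, so the AND with 255.255.255.240 is visible, plus the "same subnet?" test a host performs before deciding whether to send via a router.

```python
"""Subnet arithmetic for the lab's /28 inside 138.26.66.0/24.

Added example using plain integer masking so the bit operations are visible."""


def to_int(addr: str) -> int:
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def to_dotted(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def subnet_info(addr: str, mask: str):
    """(network, broadcast, first host, last host) of addr under mask."""
    a, m = to_int(addr), to_int(mask)
    network = a & m                               # keep the subnet bits
    broadcast = network | (~m & 0xFFFFFFFF)       # set every host bit
    return (to_dotted(network), to_dotted(broadcast),
            to_dotted(network + 1), to_dotted(broadcast - 1))


def subnets(parent: str, parent_mask: str, new_mask: str):
    """All subnets obtained by extending parent_mask to new_mask."""
    base = to_int(parent) & to_int(parent_mask)
    end = base | (~to_int(parent_mask) & 0xFF_FF_FF_FF)
    step = (~to_int(new_mask) & 0xFF_FF_FF_FF) + 1     # size of each new subnet
    return [to_dotted(n) for n in range(base, end + 1, step)]


def same_subnet(a: str, b: str, mask: str) -> bool:
    """True when a and b can reach each other without going through a router."""
    return (to_int(a) & to_int(mask)) == (to_int(b) & to_int(mask))


if __name__ == "__main__":
    print(subnets("138.26.66.0", "255.255.255.0", "255.255.255.240"))
    print(subnet_info("138.26.66.254", "255.255.255.240"))
```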
[Figure: hosts at 138.26.66.241 and 138.26.66.242]
2. Configure the Interfaces
eth0 on CENTER: 138.26.66.254
3. Install Routes and Check Operation
Same as Lab 4, except take the opportunity to use default routes.
Recall the packet filter:
First idea: if match, discard the datagram.
Second idea: if match, accept the datagram.
Linux can implement a packet filter with the module called iptables –
it can do either of these via the chain "policy" – DROP or ACCEPT.
The filter table has 3 built-in chains: INPUT, FORWARD and OUTPUT.
The default policy for all three is ACCEPT.
This is the "null firewall" (Section 4): with no rules and policy ACCEPT, everything is forwarded.
eg. Routing changes
In lab session 5 sections 5 thru 9 we implement various packet filter configurations by making changes only in the FORWARD chain (datagrams routed through CENTER; INPUT and OUTPUT only see datagrams addressed to or sent by CENTER itself).
Echo request from LEFT arriving at RIGHT2 will appear to have come from CENTER's IP address (Network Address Translation).
11. Masquerading with FTP
This was designed to demonstrate NAPT.
A TCP connection request from LEFT arriving at RIGHT2 will appear to have come from CENTER's IP address.
In general the source port number will not need to be changed, but it will be if two clients choose the same random source port number.
You will see that FTP in "active" mode does not work (the server tries to open the data connection to the inside address announced in the client's PORT command), but "passive" mode works (the client opens the data connection outbound, so NAPT translates it like any other connection).
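The NAPT table and the active/passive FTP behaviour of section 11, as an added Python example (not from the lab hand-out). CENTER's outside address is the lab's; the inside hosts, their ports, the PORT command and the 227 reply are constructed.

```python
"""NAPT (masquerading) table, port-collision handling, and active vs passive FTP.

Added example; inside hosts, ports and FTP lines are constructed."""
import re

CENTER_OUTSIDE = "138.26.66.254"


class NAPT:
    def __init__(self, outside_addr: str):
        self.outside = outside_addr
        self.out_map = {}   # (inside ip, inside port) -> outside port
        self.in_map = {}    # outside port -> (inside ip, inside port)

    def translate_out(self, src, sport, dst, dport):
        """Rewrite an outbound datagram: source becomes CENTER's address; the
        source port is kept unless another inside host already holds it."""
        key = (src, sport)
        if key not in self.out_map:
            port = sport
            while port in self.in_map:     # collision with another inside client
                port += 1
            self.out_map[key] = port
            self.in_map[port] = key
        return self.outside, self.out_map[key], dst, dport

    def translate_in(self, src, sport, dst, dport):
        """Map a reply back to the inside host, or None if nothing requested it
        (an inbound connection attempt has no mapping and is dropped)."""
        if dst != self.outside or dport not in self.in_map:
            return None
        ip, port = self.in_map[dport]
        return src, sport, ip, port


FTP_ADDR = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def ftp_endpoint(line: str):
    """Address and port carried in a PORT command or a 227 passive reply."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in FTP_ADDR.search(line).groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def active_mode(napt, port_line, server):
    """Active mode: the server (from port 20) opens the data connection to the
    address the client announced, an inside address NAPT never mapped."""
    ip, port = ftp_endpoint(port_line)
    return napt.translate_in(server, 20, ip, port)      # None: dropped


def passive_mode(napt, reply_227, client, client_port):
    """Passive mode: the client opens the data connection outbound, which
    NAPT translates like any other connection."""
    ip, port = ftp_endpoint(reply_227)
    return napt.translate_out(client, client_port, ip, port)
```

The PORT command carries 192.168.1.x, an address RIGHT2 cannot reach and CENTER has no mapping for, so the server's SYN never arrives; in passive mode the data connection starts from the inside and picks up a mapping like the control connection did.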
March 26, 2011: Microsoft pays Nortel $7.5 million for 666,624 IPv4 addresses, raising questions if the IPv4 black market has arrived.