Network Security 7-1
Part of slides provided by J.F Kurose and K.W. Ross, All Rights Reserved
Chapter 7: Network Security, Extra Slides
Communication Networks, P. Demeester
Network Security 7-2
Packet Filtering: example

Standard policy: deny all traffic
Allow:
- access to public web
- access to UGent web server and FTP server
- access to UGent back-up DNS server
- sending and receiving e-mail (from/to UGent)
- full access between 157.192.133.0/24 and 157.193.122.0/24
  (except sending e-mail from 157.193.0.0/16 to 157.192.133.0/24)
[Figure: network diagram of the example]
Internet - firewall/router - switch - router - router
Subnets: 157.193.122.0/24, 157.193.184.0/24, 157.192.133.0/24
UGent: 157.193.0.0/16
13.13.13.13    back-up DNS server UGent
157.193.122.5  e-mail server
157.193.184.4  Web and FTP server
Network Security 7-3
Packet Filtering: example

action  protocol  source             destination        ports (source -> destination)  comment
ACCEPT  TCP       157.193.0.0/16     0.0.0.0/0          1024:65535 -> 80               public web
ACCEPT  TCP       0.0.0.0/0          157.193.0.0/16     80 -> 1024:65535               public web
ACCEPT  TCP       157.193.184.4/32   0.0.0.0/0          80 -> 1024:65535               UGent web
ACCEPT  TCP       0.0.0.0/0          157.193.184.4/32   1024:65535 -> 80               UGent web
ACCEPT  TCP       157.193.184.4/32   0.0.0.0/0          20 -> 1024:65535               UGent FTP
ACCEPT  TCP       0.0.0.0/0          157.193.184.4/32   1024:65535 -> 20               UGent FTP
ACCEPT  TCP       157.193.184.4/32   0.0.0.0/0          21 -> 1024:65535               UGent FTP
ACCEPT  TCP       0.0.0.0/0          157.193.184.4/32   1024:65535 -> 21               UGent FTP
ACCEPT  TCP       157.193.122.5/32   0.0.0.0/0          25 -> 1024:65535               Receive e-mail
ACCEPT  TCP       0.0.0.0/0          157.193.122.5/32   1024:65535 -> 25               Receive e-mail
ACCEPT  TCP       157.193.122.5/32   0.0.0.0/0          1024:65535 -> 25               Send e-mail
ACCEPT  TCP       0.0.0.0/0          157.193.122.5/32   25 -> 1024:65535               Send e-mail
ACCEPT  ALL       157.193.122.0/24   157.192.133.0/24   N/A                            Between 2 subnets
ACCEPT  ALL       157.192.133.0/24   157.193.122.0/24   N/A                            Between 2 subnets
ACCEPT  UDP       157.193.0.0/16     13.13.13.13/32     1024:65535 -> 53               UGent DNS back-up
ACCEPT  UDP       13.13.13.13/32     157.193.0.0/16     53 -> 1024:65535               UGent DNS back-up
DENY    TCP       157.193.0.0/16     157.192.133.0/24   1024:65535 -> 25               No e-mail to 157.192.133.0/24
DENY    TCP       157.192.133.0/24   157.193.0.0/16     25 -> 1024:65535               No e-mail to 157.192.133.0/24
DENY    ALL       0.0.0.0/0          0.0.0.0/0          N/A                            Standard DENY

Overruled by: the two "No e-mail to 157.192.133.0/24" DENY rules are overruled by the earlier ACCEPT rules ("Send e-mail" and "Between 2 subnets"), which already match e-mail from 157.193.0.0/16 to 157.192.133.0/24; the filter applies the first matching rule, so the DENY rules never fire.
Network Security 7-4
Packet Filtering: example: correct

action  protocol  source             destination        ports (source -> destination)  comment
ACCEPT  TCP       157.193.0.0/16     0.0.0.0/0          1024:65535 -> 80               public web
ACCEPT  TCP       0.0.0.0/0          157.193.0.0/16     80 -> 1024:65535               public web
ACCEPT  TCP       157.193.184.4/32   0.0.0.0/0          80 -> 1024:65535               UGent web
ACCEPT  TCP       0.0.0.0/0          157.193.184.4/32   1024:65535 -> 80               UGent web
ACCEPT  TCP       157.193.184.4/32   0.0.0.0/0          20 -> 1024:65535               UGent FTP
ACCEPT  TCP       0.0.0.0/0          157.193.184.4/32   1024:65535 -> 20               UGent FTP
ACCEPT  TCP       157.193.184.4/32   0.0.0.0/0          21 -> 1024:65535               UGent FTP
ACCEPT  TCP       0.0.0.0/0          157.193.184.4/32   1024:65535 -> 21               UGent FTP
DENY    TCP       157.193.0.0/16     157.192.133.0/24   1024:65535 -> 25               No e-mail to 157.192.133.0/24
DENY    TCP       157.192.133.0/24   157.193.0.0/16     25 -> 1024:65535               No e-mail to 157.192.133.0/24
ACCEPT  TCP       157.193.122.5/32   0.0.0.0/0          25 -> 1024:65535               Receive e-mail
ACCEPT  TCP       0.0.0.0/0          157.193.122.5/32   1024:65535 -> 25               Receive e-mail
ACCEPT  TCP       157.193.122.5/32   0.0.0.0/0          1024:65535 -> 25               Send e-mail
ACCEPT  TCP       0.0.0.0/0          157.193.122.5/32   25 -> 1024:65535               Send e-mail
ACCEPT  ALL       157.193.122.0/24   157.192.133.0/24   N/A                            Between 2 subnets
ACCEPT  ALL       157.192.133.0/24   157.193.122.0/24   N/A                            Between 2 subnets
ACCEPT  UDP       157.193.0.0/16     13.13.13.13/32     1024:65535 -> 53               UGent DNS back-up
ACCEPT  UDP       13.13.13.13/32     157.193.0.0/16     53 -> 1024:65535               UGent DNS back-up
DENY    ALL       0.0.0.0/0          0.0.0.0/0          N/A                            Standard DENY
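The following first-match evaluator is an added example, not part of the slides, that encodes both rule tables (the shadowed ordering of slide 7-3 and the corrected ordering of slide 7-4) and checks the same packet against each. It assumes the first matching rule decides, which is the only way the reordering on slide 7-4 can change the outcome; the names Packet, Rule, R, first_match, SLIDE_7_3 and SLIDE_7_4 and the sample packets are constructed for this example.

```python
"""First-match packet-filter evaluator for the UGent rule tables on slides 7-3 and 7-4.
Added example; the rule data is copied from the slides, everything else is assumed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Optional[Tuple[int, int]]   # None means "N/A" (any port)


@dataclass(frozen=True)
class Packet:
    proto: str      # "TCP" or "UDP"
    src: str        # source IPv4 address
    dst: str        # destination IPv4 address
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str     # "ACCEPT" or "DENY"
    proto: str      # "TCP", "UDP" or "ALL"
    src: str        # source CIDR
    dst: str        # destination CIDR
    sports: PortRange
    dports: PortRange
    note: str = ""  # the slide's comment column

    def matches(self, p: Packet) -> bool:
        # Stateless match on the 5-tuple only, exactly as the slide tables express it.
        if self.proto != "ALL" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.sports and not (self.sports[0] <= p.sport <= self.sports[1]):
            return False
        if self.dports and not (self.dports[0] <= p.dport <= self.dports[1]):
            return False
        return True


def _port_range(text: str) -> Tuple[int, int]:
    """'1024:65535' -> (1024, 65535); '25' -> (25, 25)."""
    lo, _, hi = text.partition(":")
    return (int(lo), int(hi or lo))


def R(action: str, proto: str, src: str, dst: str, ports: str, note: str = "") -> Rule:
    """Build a Rule from the slide's 'sports -> dports' column ("N/A" = any port)."""
    if ports == "N/A":
        return Rule(action, proto, src, dst, None, None, note)
    s, d = (x.strip() for x in ports.split("->"))
    return Rule(action, proto, src, dst, _port_range(s), _port_range(d), note)


def first_match(rules: List[Rule], pkt: Packet):
    """Return (action, index, note) of the first rule that matches pkt."""
    for i, r in enumerate(rules):
        if r.matches(pkt):
            return r.action, i, r.note
    return "DENY", None, "implicit deny"   # unreachable while the last rule is DENY ALL


HIGH = "1024:65535"
HEAD = [   # rules 1-8 are identical on both slides
    R("ACCEPT", "TCP", "157.193.0.0/16", "0.0.0.0/0", f"{HIGH} -> 80", "public web"),
    R("ACCEPT", "TCP", "0.0.0.0/0", "157.193.0.0/16", f"80 -> {HIGH}", "public web"),
    R("ACCEPT", "TCP", "157.193.184.4/32", "0.0.0.0/0", f"80 -> {HIGH}", "UGent web"),
    R("ACCEPT", "TCP", "0.0.0.0/0", "157.193.184.4/32", f"{HIGH} -> 80", "UGent web"),
    R("ACCEPT", "TCP", "157.193.184.4/32", "0.0.0.0/0", f"20 -> {HIGH}", "UGent FTP"),
    R("ACCEPT", "TCP", "0.0.0.0/0", "157.193.184.4/32", f"{HIGH} -> 20", "UGent FTP"),
    R("ACCEPT", "TCP", "157.193.184.4/32", "0.0.0.0/0", f"21 -> {HIGH}", "UGent FTP"),
    R("ACCEPT", "TCP", "0.0.0.0/0", "157.193.184.4/32", f"{HIGH} -> 21", "UGent FTP"),
]
MAIL = [
    R("ACCEPT", "TCP", "157.193.122.5/32", "0.0.0.0/0", f"25 -> {HIGH}", "Receive e-mail"),
    R("ACCEPT", "TCP", "0.0.0.0/0", "157.193.122.5/32", f"{HIGH} -> 25", "Receive e-mail"),
    R("ACCEPT", "TCP", "157.193.122.5/32", "0.0.0.0/0", f"{HIGH} -> 25", "Send e-mail"),
    R("ACCEPT", "TCP", "0.0.0.0/0", "157.193.122.5/32", f"25 -> {HIGH}", "Send e-mail"),
]
SUBNETS = [
    R("ACCEPT", "ALL", "157.193.122.0/24", "157.192.133.0/24", "N/A", "Between 2 subnets"),
    R("ACCEPT", "ALL", "157.192.133.0/24", "157.193.122.0/24", "N/A", "Between 2 subnets"),
]
DNS = [
    R("ACCEPT", "UDP", "157.193.0.0/16", "13.13.13.13/32", f"{HIGH} -> 53", "UGent DNS back-up"),
    R("ACCEPT", "UDP", "13.13.13.13/32", "157.193.0.0/16", f"53 -> {HIGH}", "UGent DNS back-up"),
]
NO_MAIL = [
    R("DENY", "TCP", "157.193.0.0/16", "157.192.133.0/24", f"{HIGH} -> 25", "No e-mail to 157.192.133.0/24"),
    R("DENY", "TCP", "157.192.133.0/24", "157.193.0.0/16", f"25 -> {HIGH}", "No e-mail to 157.192.133.0/24"),
]
DEFAULT = [R("DENY", "ALL", "0.0.0.0/0", "0.0.0.0/0", "N/A", "Standard DENY")]

SLIDE_7_3 = HEAD + MAIL + SUBNETS + DNS + NO_MAIL + DEFAULT   # DENY rules shadowed
SLIDE_7_4 = HEAD + NO_MAIL + MAIL + SUBNETS + DNS + DEFAULT   # corrected ordering

if __name__ == "__main__":
    # Constructed sample: SMTP from a host in 157.193.122.0/24 to a host in 157.192.133.0/24,
    # which the policy says must be denied.
    smtp = Packet("TCP", "157.193.122.10", "157.192.133.7", 40000, 25)
    for name, table in (("slide 7-3", SLIDE_7_3), ("slide 7-4", SLIDE_7_4)):
        action, idx, note = first_match(table, smtp)
        print(f"{name}: {action} by rule {idx} ({note})")
```

Running it shows the shadowing concretely: on slide 7-3 the packet is accepted by the "Between 2 subnets" rule (and mail from 157.193.122.5 itself by the "Send e-mail" rule) before the DENY rules are ever reached; on slide 7-4 the DENY rule at position 9 fires first. Note that the tables are stateless, so the reverse rules (for instance any external source port 80 to any internal port above 1023) accept such a packet regardless of whether a connection exists; a real filter would additionally check the TCP ACK bit or use connection tracking, which the slides do not cover.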