Practical Network Defense Theory, Appunti di Sicurezza delle reti

A comprehensive overview of the Internet's architecture, delving into its hierarchical structure, key protocols, and addressing schemes. It explores the roles of various network components, including routers, switches, and hosts, and explains the concepts of IP addressing, subnet masks, and the evolution from IPv4 to IPv6. The document also discusses the importance of Internet standards, such as RFCs, and the role of the Internet Engineering Task Force (IETF).

Type: Notes

2023/2024

On sale since 19/02/2025

annalu.lamacchia 🇮🇹


Internet: an interconnected network of networks
  • Hierarchical networks:
    ○ Internet backbone: connecting the ISPs' backbones
    ○ ISP backbone: connecting organizations' backbones
    ○ Organization backbone connects local area networks (LANs)
    ○ LAN connects end systems
  • Public Internet versus private intranet

Internet standards
  • RFC: Request for Comments
  • IETF: Internet Engineering Task Force
  • Free download of RFCs at rfc-editor.org

Network edge
  • Hosts: server, client, P2P
  • Applications: http, mail, Facebook, Twitter

Network core
  • Edge router: connecting an organization/ISP to the Internet
  • Interconnection of routers using fiber
  • Naming services
  • Routers and fiber links (in orange) form the Internet core
    ○ Routers work together to figure out the most efficient path for routing a packet from source to destination host
    ○ A distributed algorithm can adapt to changing Internet conditions
    ○ Great idea during the cold war
    ○ Routing tables are generated and maintained in real time
  • The core is provided by ISPs that interconnect multiple continents
    ○ ISPs
      ▪ Global ISPs or Tier-1 ISPs
      ▪ Regional ISPs or Tier-2 ISPs
  • Access networks: wired or wireless communication links

Network of networks
  • Internet Backbone connects tier-1 ISPs: e.g., Verizon, Sprint, AT&T, Qwest, Level 3 Communications
  • The backbones of tier-1 ISPs are interconnected at various access points called Internet eXchange Points (IXP)
  • The number of IXPs around the world is continually growing -> to date more than 1000
  • Interactive (probably not exhaustive) map: https://www.pch.net

Specify rules about the desired service
  • Procedure rules
    ○ Types and sequences of messages exchanged: syntax and semantics
    ○ Actions to take with respect to messages and events
  • Message format: format, size and coding of messages
  • Timing: the time to wait between any event
    ○ Access to medium
    ○ Flow control
    ○ Timeouts
  • Protocol specification examples

Modularization → many protocols for each layer
  • Hides implementation details
  • Layers can change without disturbing other layers
    ○ Development (one company can tackle one module)
    ○ Maintenance
    ○ Updating the system

Packet switching
  • Best effort delivery
  • Better for resource sharing
  • Network congestion and flow control
  • Internet uses a gateway (edge router) to connect a Local Area Network (LAN) or a subnet to the hierarchical network

Residential Internet access overview
  • Point to point protocol (PPP) for access to an ISP
  • Dialup via modem
  • DSL: digital subscriber line
  • Cable modem
  • Fiber In The Loop
  • Broadband over a power line
  • Broadband wireless: such as WiMAX

Internet
Friday 1 March 2024, 11:00
Theory Page 1



  • Satellite

Local area network connected to Internet
  • Organization/home local area network (LAN) or subnet connects hosts to the edge router
  • Edge router connects LANs to the Internet: the telco uses ATM over fiber
  • Ethernet LAN
    ▪ Hosts connect into an Ethernet switch
    ▪ 10 Mbps, 100 Mbps, 1 Gbps, 10 Gbps Ethernet
  • ATM: asynchronous transfer mode

  • Constituted by networks with end-points under the same local management
  • Provides connectivity among stations on the same network
  • Nodes in the same network can directly communicate among themselves -> protocol used: Ethernet family
    • Each host in an Ethernet network has a NIC (Network Interface Card) with a (generally) fixed address
    • MAC addresses are 48 bits (6 bytes) long and UNIQUELY identify hosts in the network
    • Each host only processes packets intended for it
    • Each Ethernet packet ("frame") has a fixed format

How to build an Ethernet network: all the hosts connected together with a shared "transmission system" based on Ethernet form a network, as if they were connected to the same medium
    ○ Two computers with a single Ethernet cable
    ○ Many computers connected with several Ethernet cables to a single device (generally a switch, but also a repeater, hubs or bridges)
    ○ Many computers connected with several Ethernet cables to several devices (generally switches)

An Ethernet network constitutes a broadcast domain: for historical reasons there also exist collision domains, but full-duplex and switches have made them obsolete

Ideally, frames sent in a broadcast domain are potentially received by all the hosts in the network: all the hosts receive all the frames and only read some
  • Actually, switches segment the network to limit the explosion of packets in the network
  • Only broadcast messages are "replicated"

How switches segment the network
    ○ Switches remember the source MAC addresses seen on the different ports
    ○ They only replicate the frame on the segment where the destination MAC address replies -> tables of MACs are:
      ▪ ARP tables for hosts
      ▪ CAM tables for switches
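An added example (not part of the notes) of the learning behaviour just described: a minimal switch that fills its CAM table from source MAC addresses and floods a frame only when the destination is the broadcast address or has not been learned yet. Frame contents, MAC addresses and port numbers are constructed for the example.

```python
# Added example (not from the original notes): a learning switch with a CAM table.
from dataclasses import dataclass, field
from typing import Dict, List

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str   # source MAC address
    dst: str   # destination MAC address


@dataclass
class LearningSwitch:
    ports: int
    cam: Dict[str, int] = field(default_factory=dict)   # MAC -> port it was seen on

    def forward(self, frame: Frame, in_port: int) -> List[int]:
        """Return the list of ports the frame is replicated on."""
        # Learning step: the source MAC lives behind the port the frame came in on.
        self.cam[frame.src] = in_port
        out_port = self.cam.get(frame.dst)
        if frame.dst == BROADCAST or out_port is None:
            # Broadcast, or destination not learned yet: flood every other port.
            return [p for p in range(self.ports) if p != in_port]
        if out_port == in_port:
            # Destination sits on the same segment as the sender: nothing to replicate.
            return []
        return [out_port]   # unicast to the one segment where the destination lives


def demo() -> dict:
    """Constructed traffic: hosts a (port 0), b and c (both on port 2, e.g. via a hub)."""
    sw = LearningSwitch(ports=4)
    a, b, c = "00:11:22:33:44:aa", "00:11:22:33:44:bb", "00:11:22:33:44:cc"
    first = sw.forward(Frame(src=a, dst=b), in_port=0)      # b unknown -> flooded
    reply = sw.forward(Frame(src=b, dst=a), in_port=2)      # a already learned -> port 0 only
    second = sw.forward(Frame(src=a, dst=b), in_port=0)     # b learned now -> port 2 only
    local = sw.forward(Frame(src=c, dst=b), in_port=2)      # same segment -> not replicated
    bcast = sw.forward(Frame(src=a, dst=BROADCAST), in_port=0)  # broadcast -> always flooded
    return {"first": first, "reply": reply, "second": second,
            "local": local, "bcast": bcast, "cam": dict(sw.cam)}


if __name__ == "__main__":
    print(demo())
```

The `cam` dictionary in the result is exactly the "table of MACs" the notes mention for switches; a real switch also ages entries out and has a bounded table, which is what makes the table itself something a defender monitors.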

Why is the Internet not one large Ethernet network?
  • Ethernet makes heavy use of broadcast packets: inefficient for large networks
    ○ Large networks are split in order to reduce the broadcast domain
  • There is the need for a logical division of the networks: Ethernet is the Access layer, but we need a Distribution layer
    ○ Hosts in a local network use a Default Gateway to go out and have access to the Distribution layer
    ○ The Distribution layer is based on IP, the Internet Protocol
  • Interconnect local networks among themselves
  • The Distribution layer is at the level of Autonomous Systems (like big enterprises and ISPs)
  • The Core layer is at the level of continents: Telia, Cogent, AT&T, Orange…
  • Use logical addressing: IP
  • The connections between the networks are made by routers

Routers and switches
    ○ Routers are the Default Gateways
    ○ Give access to the Internet

Ethernet has physical addresses
    ○ You cannot change the MAC address of your NICs: it is like your name, it goes wherever you go
    ○ An Ethernet address tells WHO you are, but does not tell anything about WHERE you are

IP has logical addresses
    ○ You can change the IP address of your NIC -> it is like your home address: it changes if you move somewhere
    ○ IP addresses are used to identify and reach networks and hosts

Local addresses and remote addresses

Analogy: if you want to say something to somebody
      ▪ If both of you are in the same room, you can simply call his/her name and he/she will answer: directly connected → local address
      ▪ If you are NOT in the same room, you have to know where he/she is before sending the message, AND the message has to LEAVE the room through the door: remote address

How do you know if an IP is in the same network as you? Subnet mask

Two versions of IP addresses: IPv4 and IPv6.
  • IPv4 defines IP addresses with 32 bits organized in four octets (8 bits each).
  • IPv6 (version 6) has 128 bits.
  • For human readability, the octets are separated by dots when writing an IPv4 address (colons in IPv6):
    ○ E.g. 69.58.201.25 and fe80::250:56ff:fec0:

Certain bits from the left correspond to the network address (69.58.201) and the remaining correspond to define the computer (host) on the
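An added example (not from the notes) of the subnet-mask test described above: a host decides whether a destination is "in the same room" (reachable directly) or has to go out through "the door" (the default gateway). It reuses the notes' address 69.58.201.25; the /24 mask and the gateway address 69.58.201.1 are assumptions for the example.

```python
# Added example (not from the original notes): local vs. remote decision with a subnet mask.
import ipaddress


def to_int(dotted: str) -> int:
    """Dotted-decimal IPv4 address -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def prefix_to_mask(prefix_len: int) -> str:
    """/24 -> 255.255.255.0: the network bits are ones, the host bits are zeros."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("IPv4 prefix length must be between 0 and 32")
    mask_bits = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask_bits))


def same_network(my_ip: str, mask: str, other_ip: str) -> bool:
    """Local address: the network bits (address AND mask) of both hosts are identical."""
    m = to_int(mask)
    return (to_int(my_ip) & m) == (to_int(other_ip) & m)


def next_hop(my_ip: str, mask: str, gateway: str, dst: str) -> str:
    """Address the host resolves at layer 2: the destination itself when local,
    otherwise the default gateway (the 'door of the room')."""
    return dst if same_network(my_ip, mask, dst) else gateway


if __name__ == "__main__":
    me, gw = "69.58.201.25", "69.58.201.1"          # constructed host configuration
    mask24 = prefix_to_mask(24)
    for dst in ("69.58.201.200", "69.58.202.1"):
        print(dst, "local" if same_network(me, mask24, dst) else "remote",
              "-> send to", next_hop(me, mask24, gw, dst))
```

Note that the same two addresses can be local or remote depending only on the mask: with a /20 mask 69.58.202.1 falls inside the network of 69.58.201.25, with a /24 mask it does not, which is why a wrong mask on a host shows up as "can reach some neighbours but not others".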

  • Not a "new" protocol.
  • Developed mid to late 1990s.
  • Much learned from IPv4.
  • 128-bit address space, written in hexadecimal -> this gives us 340 undecillion addresses, which is 10 followed by 30 zeros

The Internet is a much different place and will continue to evolve:
    ○ Mobile devices
    ○ Video on demand
    ○ Internet of Everything
    ○ A critical part in how we "live, work, play, and learn".

3.4 × 10^38

    ○ -> "It isn't remotely likely that we'll run out of IPv6 addresses at any time in the future."

IPv6 is not just about more addresses:
    ○ Stateless autoconfiguration: no one cares about the address a host picks -> the DHCP server is not used
    ○ End-to-end reachability without private addresses and NAT: substituting NAT and private addresses with public addresses
    ○ Better support for mobility
    ○ Peer-to-peer networking easier to create and maintain, and services such as VoIP and Quality of Service (QoS) become more robust.

  • 1993: IETF announced a call for white papers with RFC 1550, IP: Next Generation (IPng) White Paper Solicitation.
  • IETF chose Simple Internet Protocol Plus (SIPP), written by Steve Deering, Paul Francis, and Bob Hinden, but changed the address size from 64 bits to 128 bits.
  • 1995: IETF published RFC 1883, Internet Protocol, Version 6 (IPv6) Specification, later obsoleted by RFC 2460 in 1998.

What About IPv5?
  • In the late 1970s, a family of experimental protocols was developed, intended to provide quality of service (QoS) for real-time multimedia applications such as video and voice.
    ○ Known as Internet Stream Protocol (ST) and later ST2 (RFC 1190 and RFC 1819).
    ○ Although it was never known as IPv5, when encapsulated in IP, ST uses IP protocol version 5.

The Need for IPv6
    ○ We are running out of IPv4 address space.
    ○ Monday, January 31, 2011: IANA allocated the last /8 IPv4 address blocks to the RIRs.
    ○ In November 2019, RIPE NCC made their final /22 IPv4 allocation from the last remaining addresses in their available pool.
    ○ RIPE NCC now allocates IPv4 addresses only from the pool of returned addresses, which by itself is not enough for the scalability of the Internet -> the idea is to reuse addresses that are no longer used, assigning them to users in a queue
  • The regions with the largest populations have the lowest percentages of people connected to the Internet

No More NAT as We Know It
    ○ NAT has been used to help "hide" customers and works for many client-initiated applications.
    ○ However, NAT also creates some issues, like peer-to-peer networking and accessing our "hidden" systems from other networks.
    ○ Using NAT to "hide" IPv6 networks has been the source of some debate.
    ○ IETF continues to state that NAT is not a security feature.

IPv6
Friday 8 March 2024, 11:00

IPv6 addresses are 128-bit addresses represented in:
    ○ Hexadecimal: 1 hex digit = 4 bits
    ○ Eight 16-bit segments or "hextets" (not a formal term) between 0000 and FFFF
    ○ Separated by colons
    ○ Reading and subnetting IPv6 is easier than IPv4, almost always

Number of IPv6 Addresses
    ○ IPv4 addresses: 4.3 billion
    ○ IPv6 addresses: 340 undecillion

Two rules for reducing the size of written IPv6 addresses:

1. Leading zeroes in any 16-bit segment do not have to be written -> only leading 0s can be excluded, trailing 0s must be included
2. Any single, contiguous string of one or more 16-bit segments consisting of all zeroes can be represented with a double colon (::) -> if there are multiple possible reductions, RFC 5952 states that the longest string of zeroes must be replaced with the :: and, if they are equal, then only the first string of 0's should use the :: representation.
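An added example (not from the notes) implementing the two shortening rules above, including the tie-break from RFC 5952 (longest run wins, first run on a tie). One refinement the RFC adds and the code follows: `::` is not used to shorten a single all-zero hextet. The result is cross-checked against Python's `ipaddress` module, which emits the same RFC 5952 text form; the input addresses are constructed.

```python
# Added example (not from the original notes): RFC 5952 shortening of a written IPv6 address.
import ipaddress


def compress_ipv6(full: str) -> str:
    """Shorten a fully written address (eight 4-hex-digit hextets) per RFC 5952."""
    parts = full.lower().split(":")
    if len(parts) != 8 or any(len(p) != 4 for p in parts):
        raise ValueError("expected eight 4-digit hextets, e.g. 2001:0db8:0000:0000:0000:ff00:0042:8329")
    for p in parts:
        int(p, 16)   # raises ValueError on non-hex input
    # Rule 1: drop leading zeros of every hextet; trailing zeros stay ("0000" becomes "0").
    parts = [p.lstrip("0") or "0" for p in parts]
    # Rule 2: find the longest run of all-zero hextets; on a tie the FIRST run is kept.
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if parts[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and parts[j] == "0":
            j += 1
        if j - i > best_len:          # strictly longer only, so an equal later run never wins
            best_start, best_len = i, j - i
        i = j
    # RFC 5952 section 4.2.2: "::" must not be used to shorten just one 16-bit 0 field.
    if best_len < 2:
        return ":".join(parts)
    left = ":".join(parts[:best_start])
    right = ":".join(parts[best_start + best_len:])
    return f"{left}::{right}"


def agrees_with_stdlib(full: str) -> bool:
    """Cross-check: ipaddress.IPv6Address(...).compressed also follows RFC 5952."""
    return compress_ipv6(full) == ipaddress.IPv6Address(full).compressed


if __name__ == "__main__":
    for addr in ("2001:0db8:0000:0000:0000:ff00:0042:8329",   # one long run
                 "2001:0db8:0000:0000:0001:0000:0000:0001",   # two equal runs: first wins
                 "2001:0db8:0000:0001:0000:0000:0000:0001",   # longest run wins
                 "0000:0000:0000:0000:0000:0000:0000:0001"):  # loopback
        print(addr, "->", compress_ipv6(addr), agrees_with_stdlib(addr))
```

A single canonical text form matters beyond readability: filters, log searches and allow-lists that compare addresses as strings silently miss matches when one side writes `2001:db8:0:0:0:0:0:1` and the other `2001:db8::1`, so compare parsed addresses (as `ipaddress` objects) rather than text.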

  • IPv6 does not have a “broadcast” address
  • IPv6 Source: Always a unicast (linklocal or GUA)
  • IPv6 Destination: Unicast, multicast, or anycast.
  • Many operating systems will use a random 64-bit Interface IDs for GUA and Link-Local IPv6 Addresses.

An Important Role in IPv6 (link-local addresses)
    ○ Used as a source IPv6 address before a device gets one dynamically (SLAAC and DHCPv6).
    ○ The router's link-local address is used by devices as the default gateway.
    ○ Routers exchange routing messages.
    ○ Routers use the link-local address as the next-hop address in the routing table: via link-local address.
    ○ The only important part for generating a global route is the prefix

ICMPv6 Neighbor Discovery defines 5 different packet types:
  • Router Solicitation Message + Router Advertisement Message: used with dynamic address allocation
  • Neighbor Solicitation Message + Neighbor Advertisement Message: used with address resolution (IPv4 ARP)
  • Redirect Message
    ○ Similar to the ICMPv4 redirect message
    ○ Router-to-device messaging

3 Options in Router(config)# ipv6 unicast-routing:

1. SLAAC - No DHCPv6 (default on Cisco routers): "I'm everything you need (Prefix, Prefix-length, Default Gateway)"
2. SLAAC + Stateless DHCPv6 for DNS address: "Here is my information but you need to get other information such as DNS addresses from a DHCPv6 server." (DNS can be in RA)
3. All addressing except default gateway use DHCPv6: "I can't help you. Ask a DHCPv6 server for all your information."

  • Options 1 and 2: Stateless Address Autoconfiguration -> the DHCPv6 server does not maintain the state of addresses
  • Option 3: Stateful Address Configuration -> address received from the DHCPv6 server

Verifying SLAAC on the PC using EUI-64 -> a 64-bit Interface ID, and the EUI-64 process accommodates:
    ○ The IEEE specification for a 64-bit MAC address
    ○ 64-bit boundary processing

  • Verifying SLAAC on the PC using Privacy Extension

Ensuring Unique Unicast Addresses
    ○ SLAAC is stateless: no entity (DHCPv6 server) maintains a state of address-to-device mappings.
  • How can we guarantee the address is unique? Duplicate Address Detection (DAD)
      ▪ Once required for all unicast addresses (static or dynamic); the RFC was updated so that DAD is only recommended.
  • /64 Interface IDs

DAD: protocol for detecting duplication of addresses in stateless address autoconfiguration, in which the hosts can choose random addresses
      ▪ Duplicate Address Detection (DAD) is used to guarantee that an IPv6 unicast address is unique on the link.
      ▪ A device will send a Neighbor Solicitation for its own unicast address (static or dynamic).
      ▪ After a period of time, if an NA is not received, then the address is deemed unique.
      ▪ Once required, the RFC was updated so that it is only recommended: the /64 Interface ID makes duplicates unlikely

The problem with EUI-64 is that the process is tied to MAC addresses: you will always be recognizable wherever you go, since the only thing that changes is the prefix.

Privacy extension: it is a balance between the needs of privacy and traceability; in fact, if you join the same network you will always randomly generate the same kind of IP address.

[Figure annotations: "The router needs a network"; "Are two different networks"]

Idea: provide additional addresses that have relatively short lifetimes and are used as the source address when originating connections
  • Same prefix as a public address, randomized value for the Interface ID
  • Short lifetime, usually hours or days
  • It is common to have multiple temporary addresses, to make sure existing connections can continue while a new temporary address is created for new connections
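An added example (not from the notes) covering both the EUI-64 derivation described under "Verifying SLAAC on the PC using EUI-64" and the privacy-extension idea above. It builds the interface ID from a MAC address (flip the universal/local bit, insert FF:FE), builds a randomized interface ID, and shows why the first one makes a host recognizable across networks: the low 64 bits stay the same while only the prefix changes. The MAC 00:50:56:c0:00:08 and the prefix 2001:db8:1:2 are constructed; the notes' own fe80::250:56ff:fec0:… example is what this MAC pattern produces.

```python
# Added example (not from the original notes): EUI-64 vs. privacy-extension interface IDs.
import ipaddress
import secrets


def eui64_interface_id(mac: str) -> str:
    """Modified EUI-64 from a 48-bit MAC: flip the U/L bit (0x02 of the first octet)
    and insert ff:fe between the OUI and the device part (RFC 4291 appendix A)."""
    octets = [int(x, 16) for x in mac.replace("-", ":").split(":")]
    if len(octets) != 6 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("expected a 48-bit MAC such as 00:50:56:c0:00:08")
    octets[0] ^= 0x02
    eui = octets[:3] + [0xFF, 0xFE] + octets[3:]
    return ":".join(f"{(eui[i] << 8) | eui[i + 1]:x}" for i in range(0, 8, 2))


def random_interface_id() -> str:
    """Privacy-extension style interface ID: 64 random bits, nothing derived from the MAC."""
    raw = secrets.token_bytes(8)
    return ":".join(f"{int.from_bytes(raw[i:i + 2], 'big'):x}" for i in range(0, 8, 2))


def make_address(prefix64: str, iid: str) -> str:
    """Join a /64 prefix written as four hextets (e.g. '2001:db8:1:2') with an interface ID."""
    return ipaddress.IPv6Address(f"{prefix64}:{iid}").compressed


def interface_id_bits(addr: str) -> int:
    """The low 64 bits of an address, i.e. the interface ID."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)


def same_host_fingerprint(addr_a: str, addr_b: str) -> bool:
    """True when two addresses share their interface ID: with EUI-64 a host is
    recognizable in every network it joins even though the prefix differs."""
    return interface_id_bits(addr_a) == interface_id_bits(addr_b)


if __name__ == "__main__":
    mac = "00:50:56:c0:00:08"                      # constructed MAC address
    iid = eui64_interface_id(mac)
    at_home = make_address("2001:db8:1:2", iid)    # constructed /64 prefix
    link_local = make_address("fe80:0:0:0", iid)
    print(iid, at_home, link_local, same_host_fingerprint(at_home, link_local))
    temp1, temp2 = (make_address("2001:db8:1:2", random_interface_id()) for _ in range(2))
    print(temp1, temp2, same_host_fingerprint(temp1, temp2))
```

The trade-off the notes describe is visible in the last line: temporary addresses change between connections, so a log that only records source IPv6 addresses no longer identifies the NIC, and correlation has to rely on other evidence. That is the intended privacy gain and, at the same time, the loss of traceability.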

  • Used by a device to send a single packet to multiple destinations simultaneously (one-to-many).
  • Equivalent to 224.0.0.0/4 in IPv4.

Two types of multicast addresses:

1. Assigned
2. Solicited-Node

  • IPv6 Source: always a unicast
  • IPv6 Destination: unicast, multicast, or anycast

IPv6 multicast addresses have the prefix FF00::/8

Scope is a 4-bit field used to define the range of the multicast packet.

Scope (partial list):
    ○ 0 Reserved
    ○ 1 Interface-Local scope
    ○ 2 Link-Local scope
    ○ 5 Site-Local scope
    ○ 8 Organization-Local scope
    ○ E Global scope

Permanent, well-known multicast address assigned by IANA. Includes both assigned and solicited-node multicast addresses.

Non-permanently-assigned, "dynamically" assigned multicast address. An example might be FF18::CAFE:1234, used for a multicast application with organizational scope.

RFC 2375, IPv6 Multicast Address Assignments, defines the initial assignment of IPv6 multicast addresses that have permanently assigned Global IDs.

Reference for assigned multicast addresses: (IANA) IPv6 Multicast Address Space Registry -> http://www.iana.org/assignments/ipv6-multicast-addresses/ipv6-multicast-addresses.xhtml

Assigned Multicast Addresses with Link-local Scope
    ○ Flag = 0, assigned multicast
    ○ Scope = 2, link-local scope

Assigned Multicast Addresses with Site-local Scope
    ○ Flag = 0, assigned multicast
    ○ Scope = 5, site-local scope
    ○ Used to communicate within a "site", possibly routed within the site.
    ○ Must have IPv6 multicast routing enabled: Router(config)# ipv6 multicast-routing
    ○ DHCPv6, relay agents and DHCPv6 multicast addresses are included
  • DHCPv6 without and with relay agents

FF02::1 -> All IPv6 Devices
    • All IPv6 devices, including the router, belong to this group.
    • Every IPv6 device will listen to and process packets to this address.
    • Isn't this the same as a broadcast? No, because it maps to a Layer 2 MAC address, which is more efficient

FF02::2 -> All IPv6 Routers
  • All IPv6 routers belong to this group: they process these packets
  • Used by devices to communicate with an IPv6 router.
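An added example (not from the notes) that decodes the fields discussed in this multicast section: it checks the FF00::/8 prefix, extracts the 4-bit flags (the low flag bit distinguishes a permanent IANA-assigned address from a dynamically assigned one) and the 4-bit scope, derives the solicited-node address from a unicast address, and shows the layer-2 mapping (33:33 plus the low 32 bits) that makes FF02::1 different from a broadcast. The unicast address used for the solicited-node example is constructed.

```python
# Added example (not from the original notes): decoding IPv6 multicast addresses.
import ipaddress

SCOPES = {0x0: "reserved", 0x1: "interface-local", 0x2: "link-local",
          0x5: "site-local", 0x8: "organization-local", 0xE: "global"}
WELL_KNOWN = {"ff02::1": "all IPv6 devices", "ff02::2": "all IPv6 routers"}


def decode_multicast(addr: str) -> dict:
    """Split an ff00::/8 address into flags and scope (RFC 4291 section 2.7)."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        raise ValueError(f"{addr} is not in ff00::/8")
    n = int(a)
    flags = (n >> 116) & 0xF      # the 4 bits right after the leading ff byte
    scope = (n >> 112) & 0xF      # the next 4 bits
    return {
        "address": a.compressed,
        "flags": flags,
        "permanent": not (flags & 0x1),   # T flag clear: IANA-assigned; set: transient/dynamic
        "scope": scope,
        "scope_name": SCOPES.get(scope, "other"),
        "well_known": WELL_KNOWN.get(a.compressed),
    }


def solicited_node(unicast: str) -> str:
    """FF02::1:FFxx:xxxx built from the low 24 bits of a unicast address."""
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    return ipaddress.IPv6Address(base | low24).compressed


def multicast_mac(addr: str) -> str:
    """Layer-2 mapping: 33:33 followed by the low 32 bits of the multicast address,
    so a NIC can filter multicast groups in hardware instead of receiving everything."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        raise ValueError(f"{addr} is not multicast")
    low32 = int(a) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{(low32 >> s) & 0xFF:02x}" for s in (24, 16, 8, 0))


if __name__ == "__main__":
    for addr in ("ff02::1", "ff02::2", "FF18::CAFE:1234", "ff05::1:3"):
        print(decode_multicast(addr), multicast_mac(addr))
    sn = solicited_node("2001:db8::250:56ff:fec0:8")      # constructed unicast address
    print(sn, multicast_mac(sn))
```

Because every node joins its own solicited-node group, a switch or monitoring sensor can tell which multicast MAC addresses a port should legitimately see; a port subscribed to far more groups than its hosts need is a useful thing to alert on.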
IPv4 Protocol / IPv6 Next Header
  • For both protocols, the field indicates the type of header following the IP header
  • Common values:
    ○ 6 = TCP
    ○ 17 = UDP
    ○ 58 = ICMPv6
    ○ 88 = EIGRP
    ○ 89 = OSPF
  • The next header manages the different options -> after the main header there is another header or the PDU (packet of the transport layer)
  • In IPv4 there cannot be another header; there can only be the PDU

IPv4 TTL (Time to Live) / IPv6 Hop Limit
  • Renamed to more accurately reflect the process.
  • Set by the source; every router in the path decrements the hop limit by 1.
  • When 0, drop the packet.

IPv4 / IPv6 Source and Destination addresses
  • IPv6 Source and Destination addresses have the same basic functionality as IPv4.
  • IPv4 = 32-bit addresses.
  • IPv6 = 128-bit addresses.
  • Some significant changes in IPv6.

IPv4 Header Checksum: not used in IPv6.
  • Upper-layer protocols generally have a checksum (UDP and TCP).
  • So, in IPv4 the UDP checksum is optional
  • Because it's not in IPv6, the UDP checksum is now mandatory.

IPv4 Options and Padding: not used in IPv6.
  • Variable length, optional.
  • IPv4 Options are handled using extension headers in IPv6.
  • Padding makes sure IPv4 options fall on a 32-bit boundary.
  • The IPv6 header is fixed at 40 bytes.

Next Header identifies:
  • The protocol carried in the data portion of the packet.
  • The presence of an extension header.

Extension headers
  • Extension headers are optional and follow the main IPv6 header.
  • Provide flexibility and features to the main IPv6 header for future enhancements without having to redesign the entire protocol.
  • Allow the main IPv6 header to have a fixed size for more efficient processing.

Properties
  • Flexible (normally there are no EHs in IPv6 packets)
      ▪ The use of EHs is optional, providing a powerful and flexible mechanism for IPv6
      ▪ In the basic IPv6 header, the EHs and the upper-layer header (if used) are linked using the Next Header field. This is called the "IPv6 Header Chain"
  • Fixed (types and order): the number of Extension Header types is fixed and standardised.
  • Processed only at endpoints (except Hop-by-Hop and Routing): packet processing complexity moved from the core to the edge of the Internet for improved IPv6 performance.

[Figure: the IPv6 header chain without encryption and with encryption]
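An added example (not from the notes) that walks the "IPv6 Header Chain" described above on a constructed packet: it decodes the fixed 40-byte header (Next Header, Hop Limit, addresses), follows the Next Header values through the extension headers to the upper-layer protocol, stops at ESP because everything after it is encrypted, and applies the router's Hop Limit decrement-and-drop rule. The packet bytes, its addresses and its Hop-by-Hop/Destination Options contents are constructed for the example.

```python
# Added example (not from the original notes): parsing the IPv6 fixed header and header chain.
import ipaddress
import struct
from typing import List, Optional, Tuple

EXT_HEADERS = {0: "Hop-by-Hop Options", 43: "Routing", 44: "Fragment",
               50: "ESP", 51: "AH", 60: "Destination Options"}
UPPER_LAYER = {6: "TCP", 17: "UDP", 58: "ICMPv6", 88: "EIGRP", 89: "OSPF"}


def parse_fixed_header(pkt: bytes) -> dict:
    """Decode the fixed 40-byte IPv6 header."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    vtf, payload_len, next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if vtf >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return {"traffic_class": (vtf >> 20) & 0xFF, "flow_label": vtf & 0xFFFFF,
            "payload_length": payload_len, "next_header": next_header,
            "hop_limit": hop_limit,
            "src": ipaddress.IPv6Address(pkt[8:24]).compressed,
            "dst": ipaddress.IPv6Address(pkt[24:40]).compressed}


def walk_header_chain(pkt: bytes) -> Tuple[List[str], str, int]:
    """Follow Next Header through the extension headers to the upper-layer protocol.
    Returns (extension header names in order, upper-layer name, its byte offset)."""
    nh, off, chain = parse_fixed_header(pkt)["next_header"], 40, []
    while nh in EXT_HEADERS:
        chain.append(EXT_HEADERS[nh])
        if nh == 50:
            # ESP encrypts everything after itself: the chain cannot be followed further.
            return chain, "encrypted payload", off
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        next_nh, ext_len = pkt[off], pkt[off + 1]
        if nh == 44:
            size = 8                      # the Fragment header is always 8 bytes
        elif nh == 51:
            size = (ext_len + 2) * 4      # AH length is in 32-bit words, minus 2
        else:
            size = (ext_len + 1) * 8      # others: 8-byte units not counting the first 8
        off, nh = off + size, next_nh
        if len(chain) > 8:
            raise ValueError("unreasonably long header chain")
    return chain, UPPER_LAYER.get(nh, f"protocol {nh}"), off


def router_forward(pkt: bytes) -> Optional[bytes]:
    """Decrement Hop Limit as a router does; None means the packet is dropped."""
    if pkt[7] <= 1:                       # would become 0: discard instead of forwarding
        return None
    return pkt[:7] + bytes([pkt[7] - 1]) + pkt[8:]


def build_sample_packet(hop_limit: int = 64) -> bytes:
    """Constructed packet: Hop-by-Hop -> Destination Options -> UDP (no payload)."""
    hbh = bytes([60, 0, 1, 4, 0, 0, 0, 0])     # next=DestOpts, len=0 (8 bytes), PadN(4) option
    dopt = bytes([17, 0, 1, 4, 0, 0, 0, 0])    # next=UDP, same padding layout
    udp = struct.pack("!HHHH", 546, 547, 8, 0)  # DHCPv6 ports, length 8; checksum is a
    payload = hbh + dopt + udp                  # placeholder (a real IPv6 UDP datagram needs one)
    src = ipaddress.IPv6Address("fe80::250:56ff:fec0:8").packed
    dst = ipaddress.IPv6Address("ff02::1:2").packed   # all DHCPv6 relay agents and servers
    return struct.pack("!IHBB", 6 << 28, len(payload), 0, hop_limit) + src + dst + payload


if __name__ == "__main__":
    pkt = build_sample_packet()
    print(parse_fixed_header(pkt))
    print(walk_header_chain(pkt))
    print(router_forward(pkt)[7], router_forward(build_sample_packet(hop_limit=1)))
```

The walk is what a firewall or IDS has to do before it can even apply a port-based rule to an IPv6 packet; a device that gives up after the fixed header and only looks at the first Next Header value cannot see the transport protocol when extension headers are present, which is why the notes stress that the chain is processed at the endpoints.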

  • A router is a device that connects two networks
  • A firewall is a device that, besides acting as a router, also contains (and implements) rules to determine whether packets are allowed to travel from one network to another -> a router can also perform some form of screening (packet filter)

Why firewalls?
    ○ Restricts access from the outside: Internet = millions of people together → bad things happen
    ○ Prevents attackers from getting too close
    ○ Restricts people from leaving

To attain a certain level of network security, you can:
    ○ Regulate which traffic is allowed (sources, destinations, services, ...)
    ○ Protect the traffic by encryption
    ○ Monitor the traffic for "bad behaviour"
    ○ Monitor the hosts for "bad behaviour"
  • The choice will depend on the security policy to be fulfilled (particularly the CIA targets).

Firewall Design & Architecture Issues
  • Least privilege: users can do only basic tasks
  • Defense in depth: different layers of protection
  • Choke point: all incoming connections go through one single point that you want to protect
  • Weakest links
  • Fail-safe stance: if something goes bad, fail into a safe state
  • Universal participation: be sure that the security mechanism will be used by everyone
  • Diversity of defense
  • Simplicity

  • Kind of firewall that disciplines the traffic in/out of a single host
  • It specifies the packets that can be received and sent -> e.g. iptables, Windows firewall and all the so-called "personal firewalls"
  • Vendor products generally work per-app: each installed application has a known policy that it has to obey

Network Access Control Lists: list the rights for accessing/using networks -> extensively used in switches, routers and firewalls
  • Usually distinguish between incoming and outgoing traffic, per interface/port -> e.g. lists of IP addresses that can send packets to an interface/port
  • Stateless: every packet is treated independently, without any knowledge of what has come before
  • The ACLs are rules that enforce the decision to filter the traffic based on IP address

The internal network is basically a switch that sends the packets to the screening router

Firewalls
Friday 5 April 2024, 11:00

  • Use a firewall to filter incoming and outgoing traffic between "your" network (or individual PC) and the Internet

Assumptions
  1. You have a security policy stating what is allowed and not allowed.
  2. You can identify the "good" and the "bad" traffic by its IP address, TCP port numbers, etc.
  3. The firewall itself is immune to penetration -> a question of assurance: needs a trusted system, secure OS etc.

  • Drop packets based on their source or destination addresses, port numbers or flags
  • No context, only contents

Can operate on
    ○ incoming interface
    ○ outgoing interface
    ○ both
  • The packet filter has access to a very limited amount of information -> only information from the transport and network layers

Check packets with fake IP addresses:
    ○ from outside -> ingress filtering
    ○ from inside -> egress filtering
  • Packet filter operating layers

Three-step process
  1. Know your policy
  2. Translate the policy into a formal language -> e.g. logical expressions on packet fields
  3. Rewrite the policy in terms of the firewall syntax

General mechanism:
    ○ Rules are checked from top to bottom
    ○ The first matching rule is applied
    ○ One implicit rule is assumed if no rule matches: block/allow everything

Policy:
    ○ allow inbound email (SMTP, port 25) only to our gateway machine: Mailgw
    ○ refuse all traffic from a known spamming site: demon

  • Possible rules:
  • Add the policy: any inside host can send mail to the outside
  • Very bad: we cannot control the type of traffic originating from port 25 and coming from the outside
  • Then: rules have to specify the direction of the traffic
  • Consider the TCP flags
  • We distinguish the replies to our SMTP connection by considering the ACK flag

Policy:
    ○ Internal Net 1 is a DMZ and only hosts Mail GW
    ○ Very limited connections between Mail GW and the Internet (only partner servers)
    ○ Limited connections allowed between Mail GW and net 2 and net 3
    ○ Anything can pass between net 2 and net 3
    ○ Outgoing requests only between net 2 or net 3 and the link to the Internet

Requirements
  • We cannot only consider where packets have to go (destination → egress filtering)
      ▪ Open access to net 2 is only allowed for traffic with a source address in net 3
      ▪ No way to avoid fake source addresses (address spoofing) from outside
  • We need to define rules based on where packets are arriving from (source → ingress filtering)

Interface towards Internet
Interface on net 1
Interface on net 2 -> net 3 is similar
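An added example (not from the notes) that puts the stateless packet-filter mechanism from the previous sections into code: rules are evaluated top to bottom, the first match wins and an implicit default closes the list. The rule set encodes the notes' SMTP policy (inbound mail only to Mailgw, refuse the spamming site "demon", inside hosts may send mail out, replies recognised by the ACK flag) together with per-interface ingress and egress anti-spoofing checks. All addresses are constructed from documentation ranges: our network is 192.0.2.0/24, Mailgw is 192.0.2.25 and "demon" is 198.51.100.66.

```python
# Added example (not from the original notes): a stateless, first-match packet filter.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str               # interface the packet ARRIVES on: "ext" (Internet) or "int"
    src: str
    dst: str
    proto: str               # "tcp", "udp", "icmp"
    dport: Optional[int] = None
    ack: bool = False        # TCP ACK flag (set on every segment except the opening SYN)


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    comment: str
    iface: Optional[str] = None
    src: Optional[str] = None       # CIDR, None = any
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    ack: Optional[bool] = None      # None = do not care about the flag

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and (self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.ack is None or self.ack == p.ack))


def filter_packet(rules: List[Rule], p: Packet, default: str = "deny") -> Tuple[str, str]:
    """Top to bottom, first matching rule wins; `default` is the implicit last rule."""
    for r in rules:
        if r.matches(p):
            return r.action, r.comment
    return default, "implicit default"


# Constructed addresses: our network, the mail gateway and the known spamming site.
OUR_NET, MAILGW, DEMON = "192.0.2.0/24", "192.0.2.25/32", "198.51.100.66/32"

POLICY = [
    Rule("deny", "ingress anti-spoofing: our own addresses never arrive from the Internet",
         iface="ext", src=OUR_NET),
    Rule("deny", "refuse all traffic from the known spamming site", src=DEMON),
    Rule("allow", "inbound SMTP only to Mailgw", iface="ext", proto="tcp", dst=MAILGW, dport=25),
    Rule("allow", "replies to connections we opened (ACK flag set)", iface="ext", proto="tcp", ack=True),
    Rule("allow", "inside hosts may send mail to the outside", iface="int", src=OUR_NET, proto="tcp", dport=25),
    Rule("allow", "other outgoing traffic from our own addresses", iface="int", src=OUR_NET),
    # egress anti-spoofing: anything leaving on "int" with a foreign source hits the default deny
]


def decide(p: Packet) -> str:
    return filter_packet(POLICY, p)[0]


if __name__ == "__main__":
    for pkt in (Packet("ext", "203.0.113.5", "192.0.2.25", "tcp", 25),
                Packet("ext", "203.0.113.5", "192.0.2.10", "tcp", 25),
                Packet("ext", "198.51.100.66", "192.0.2.25", "tcp", 25),
                Packet("ext", "192.0.2.7", "192.0.2.25", "tcp", 25),
                Packet("ext", "203.0.113.5", "192.0.2.10", "tcp", 40000, ack=True),
                Packet("int", "10.9.9.9", "203.0.113.5", "tcp", 80)):
        print(pkt, "->", filter_packet(POLICY, pkt))
```

Rule order is the whole point: moving the "demon" rule below the SMTP rule would let the spamming site reach Mailgw. The "ACK flag set" rule is also the weak spot the notes discuss next, since a stateless filter accepts any outside segment carrying ACK without knowing whether a connection exists; that is what the stateful example later on fixes.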

  • Problems with Packet Filters

Incoming TCP connections with IP fragmentation
  • The firewall blocks any incoming TCP connection
  • ACK packets are allowed as replies to outgoing packets
  • The internal host reassembles a packet with the SYN bit set, because two fragment offsets are chosen in order to set the SYN bit

Attacks
    ○ SYN scan
    ○ Create TCP connection
    ○ SYN flood - DoS

Stateful packet inspection
  • Stateful Inspection Firewalls (or Dynamic Packet Filters) can keep track of established connections
  • Can drop packets based on their source or destination IP addresses, port numbers and possibly TCP flags: this solves one major problem of simple packet filters, since they can check that incoming traffic for a high-numbered port is a genuine response to a previous outgoing request to set up a connection
    ○ The considered layers are Transport, Network and Data Link

Connection tracking -> considered TCP states
  • Setting up a connection:
      □ the client calls from a (high-numbered) port to the port of the application on the server
      □ the server replies to the (high-numbered) port on the client
      □ the connection is considered established when the server gives the correct SYN/ACK response.
  • Closing a connection: both parties have to close the connection by sending a TCP packet with the FIN flag set before the connection is considered closed
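An added example (not from the notes) of the connection tracking just described: the filter records an outgoing SYN, accepts the server's SYN/ACK only for a connection in the SYN_SENT state, allows further segments only while an entry exists, and removes the entry after both FINs and the final ACK (or a RST). An inbound bare ACK to a high port, which the stateless filter above would have accepted, is dropped here because no state matches it. Hosts, ports and the list of services reachable from outside (SMTP on 192.0.2.25) are constructed.

```python
# Added example (not from the original notes): a minimal stateful (connection-tracking) TCP filter.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool = False    # True when the segment arrives from the Internet side
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False


Key = Tuple[str, int, str, int]   # (initiator ip, initiator port, responder ip, responder port)


class StatefulFilter:
    """Only segments that belong to a tracked connection, or open a permitted one, pass."""

    def __init__(self, inbound_services: Set[Tuple[str, int]] = frozenset()):
        self.conns: Dict[Key, dict] = {}
        self.inbound_services = set(inbound_services)   # (ip, port) reachable from outside

    def handle(self, s: Segment) -> str:
        fwd: Key = (s.src, s.sport, s.dst, s.dport)     # initiator -> responder direction
        rev: Key = (s.dst, s.dport, s.src, s.sport)     # responder -> initiator direction
        if s.syn and not s.ack:                          # a new connection attempt
            if s.inbound and (s.dst, s.dport) not in self.inbound_services:
                return "drop"                            # unsolicited from the outside
            self.conns[fwd] = {"state": "SYN_SENT", "fins": set()}
            return "allow"
        if rev in self.conns:                            # responder answering the initiator
            c = self.conns[rev]
            if c["state"] == "SYN_SENT":
                if s.syn and s.ack:                      # the genuine SYN/ACK response
                    c["state"] = "ESTABLISHED"
                    return "allow"
                return "drop"
            return self._track_close(rev, c, "responder", s)
        if fwd in self.conns:                            # initiator continuing
            c = self.conns[fwd]
            if c["state"] == "SYN_SENT":
                return "drop"                            # data before the handshake completed
            return self._track_close(fwd, c, "initiator", s)
        return "drop"    # no matching state, e.g. a bare ACK to a high port from outside

    def _track_close(self, key: Key, c: dict, side: str, s: Segment) -> str:
        if s.rst:
            del self.conns[key]
            return "allow"
        if c["state"] == "LAST_ACK" and not s.fin:       # the final ACK after both FINs
            del self.conns[key]
            return "allow"
        if s.fin:
            c["fins"].add(side)
            if c["fins"] == {"initiator", "responder"}:  # both parties have sent FIN
                c["state"] = "LAST_ACK"
        return "allow"

    def tracked(self) -> int:
        return len(self.conns)


def scenario() -> Tuple[List[str], int]:
    """Constructed traffic: client 192.0.2.10 talks to web server 203.0.113.5; outsiders probe."""
    fw = StatefulFilter(inbound_services={("192.0.2.25", 25)})   # Mailgw accepts SMTP
    c, srv = "192.0.2.10", "203.0.113.5"
    decisions = [
        fw.handle(Segment(c, 40000, srv, 80, syn=True)),                           # outgoing SYN
        fw.handle(Segment(srv, 80, c, 40000, inbound=True, syn=True, ack=True)),   # SYN/ACK reply
        fw.handle(Segment(c, 40000, srv, 80, ack=True)),                           # handshake done
        fw.handle(Segment("203.0.113.99", 80, c, 40001, inbound=True, ack=True)),  # bare ACK, no state
        fw.handle(Segment("203.0.113.99", 12345, c, 40000, inbound=True, syn=True)),  # unsolicited SYN
        fw.handle(Segment("203.0.113.7", 50000, "192.0.2.25", 25, inbound=True, syn=True)),  # SMTP to Mailgw
        fw.handle(Segment(c, 40000, srv, 80, fin=True, ack=True)),                 # client closes
        fw.handle(Segment(srv, 80, c, 40000, inbound=True, fin=True, ack=True)),   # server closes
        fw.handle(Segment(c, 40000, srv, 80, ack=True)),                           # last ACK, entry removed
        fw.handle(Segment(srv, 80, c, 40000, inbound=True, ack=True)),             # connection gone
    ]
    return decisions, fw.tracked()


if __name__ == "__main__":
    print(scenario())
```

The state table is also a resource: every half-open entry (SYN_SENT without a SYN/ACK) costs memory, which is why real stateful firewalls add timeouts and limits on half-open connections, and why the table size itself is worth monitoring.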

  • Stateful firewall example

Stateful Firewalls
Friday 12 April 2024, 11:00