Stanford CS 155 - Network Security Defense Tools

This preview shows page 1-2-3-4-25-26-27-51-52-53-54 out of 54 pages.


Spring 2008, CS 155
Network Security Defense Tools: Firewalls and Intrusion Detection
Christoph Schuba, Senior Research Staff, Sun Microsystems, Inc.
Slides: John Mitchell

Security Posture
- Prevention vs. detection
- Recovery and response

Security Posture (cont.)
[Figure]

This lecture
- Standard perimeter defense mechanisms ("bag of tricks")
  - Firewall
    - Packet filter (stateless, stateful)
    - Application-layer proxies
  - Intrusion detection
    - Anomaly and misuse detection
    - Methods applicable to network or host

Perimeter and Internal Defenses ("bag of tricks")
- Commonly deployed defenses
  - Perimeter defenses: firewall, IDS
    - Protect local area network and hosts
    - Keep external threats from internal network
  - Internal defenses: virus scanning
    - Protect hosts from threats that get through the perimeter defenses
    - Extend the perimeter: VPN
- Common practices, but could be improved
- Internal threats are significant
  - Unhappy employees
  - Compromised hosts

Firewall Technology: A Definition
"We define firewall technology as a set of mechanisms that collectively enforce a network domain security policy on communication traffic entering or leaving a guarded network policy domain. A firewall system, or firewall, is an instantiation of firewall technology."

Basic Firewall Concept
- Separate local area net from Internet
  [Figure: local network, firewall, router, Internet]
- All packets between LAN and Internet routed through firewall

Firewall goals
- Prevent malicious attacks on hosts
  - Port sweeps, ICMP echo to broadcast addr, SYN flooding
  - Worm propagation
- Prevent general disruption of internal network
  - External SNMP packets
- Provide defense in depth
  - Programs contain bugs and are vulnerable to attack
    - Exploit buffer overflow in program listening on network
  - Network protocols may contain
    - Design weaknesses (SSH CRC)
    - Implementation flaws (SSL, NTP, FTP, SMTP)
- Control traffic between "zones of trust"
  - Can control traffic between separate local networks, etc.

Two Separable Topics
- Arrangement of firewall and routers
  - Several different network configurations
    - Separate internal LAN from external Internet
    - Wall off subnetwork within an organization
    - Intermediate zone for web server, etc.
    - Personal firewall on end-user machine
- How the firewall processes data
  - Packet filtering router
  - Application-level gateway
    - Proxy for protocols such as ftp, smtp, http, etc.
  - Personal firewall
    - E.g., disallow telnet connection from email client

Review: TCP Protocol Stack
[Figure: Application, Transport, Network and Link layers on two end hosts, with the application protocol, TCP/UDP protocol and IP protocol running peer to peer, and a router in between at the Network, Data Link and Network Access layers]
- Transport layer provides ports, logical channels identified by number

Review: Data Formats
[Figure: encapsulation. Application: message; Transport: TCP/UDP segment (TCP header + data); Network: IP packet (IP header + TCP + data); Link: Ethernet frame (Ethernet header + IP + TCP + data + Ethernet trailer)]

Screening router for packet filtering
[Figure; illustrations: Simon Cooper]

Packet Filtering
- Uses transport-layer information only
  - IP source address, destination address
  - Protocol (TCP, UDP, ICMP, etc.)
  - TCP or UDP source and destination ports
  - TCP flags (SYN, ACK, FIN, RST, PSH, etc.)
  - ICMP message type
- Examples
  - DNS uses port 53
    - Block incoming port 53 packets except known trusted servers
- Issues
  - Stateful filtering
  - Encapsulation: address translation, other complications
  - Fragmentation

Packet filtering examples
[Figure; compare: Tiny Personal Firewall, ZoneAlarm]

Source/Destination Address Forgery
[Figure]

More about networking: port numbering
- Port numbers
  - Well-known ports: 0-1023 (DCCP)
  - Registered ports: 1024-49151
  - Dynamic/private ports: 49152-65535
- Permanent assignment examples
  - Ports < 1024 assigned permanently (http://www.iana.org/assignments/port-numbers)
    - 20, 21 for FTP
    - 25 for server SMTP
    - 23 for Telnet
    - 80 for HTTP
  - Variable use: available for client to make connection
- Limitation for stateless packet filtering
  - If client wants port 2048, firewall must allow incoming traffic
- Better: stateful filtering knows outgoing requests
  - Only allow incoming traffic on high port to a machine that has initiated an outgoing request on low port

Filtering Example: Inbound SMTP
[Figure]
- Can block external request to internal server based on port number

Filtering Example: Outbound SMTP
[Figure]
- Known low port out, arbitrary high port in
- If firewall blocks incoming port 1357 traffic, then connection fails

Stateful or Dynamic Packet Filtering

Telnet
[Figure: Telnet client on port 1234, Telnet server on port 23; messages "PORT 1234" and "ACK"]
- Client opens channel to server; tells server its port number. The ACK bit is not set while establishing the connection but will be set on the remaining packets
- Server acknowledges
- Stateful filtering can use this pattern to identify legitimate sessions

FTP
[Figure: FTP client on ports 5150 (command) and 5151 (data), FTP server on ports 21 (command) and 20 (data); messages "PORT 5151", "OK", "DATA CHANNEL", "TCP ACK"]
- Client opens command channel to server; tells server second port number
- Server acknowledges
- Server opens data channel to client's second port
- Client acknowledges

NAT: Network Address Translation
[Figure: rest of Internet; local network (e.g., home network) 10.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and a NAT router with addresses 10.0.0.4 and 138.76.29.7; illustration: Kurose and Ross]
- All datagrams leaving local network have same single source NAT IP address 138.76.29.7, different source port numbers
- Datagrams with source or destination in this network have 10.0.0/24 address for source, destination (as usual)

Advantages of NAT
- Motivations for NAT
  - Limited address space
    - Small/mid-sized LANs inherit address space from ISP
  - Avoid renumbering if provider changes
  - Prevent unsolicited inbound requests
    - Port numbering: host behind NAT not reachable as server
- Addresses hidden by NAT
  - Normal routing
    - Outgoing msg from 171.64.78.90 contains sending address
    - Recipient or observer can access 171.64.78.90
  - Addressing with NAT
    - NAT rewrites outgoing packet so recipient sees public addr only
    - An outside computer cannot see 171.64.78.90

Complication for firewalls: Normal IP Fragmentation
[Figure]
- Flags and offset inside IP header indicate packet fragmentation

Abnormal Fragmentation
[Figure]
- Low offset allows second packet to overwrite TCP header at receiving host

Packet Fragmentation Attack
- Firewall configuration: TCP port 23 is blocked, but SMTP port 25 is allowed
- First packet
  - Fragmentation offset = 0
  - DF bit = 0 (may fragment)
  - MF bit = 1 (more fragments)
  - Destination port = 25 (TCP port 25 is allowed, so firewall allows packet)
- Second packet
  - Fragmentation offset = 1 (second packet overwrites all but first 8 bits of the first packet)
  - DF bit = 0 (may fragment)
  - MF bit = 0 (last fragment)
  - Destination port = 23 (normally blocked, but sneaks by)
- What happens? Firewall ignores second packet "TCP header"
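Added illustration, not part of the slides: a toy model of the stateless and stateful filters the lecture contrasts, run over its outbound-SMTP scenario (low port 25 out, reply to high port 1357) and its two-fragment scenario. The packet model, the remote address 198.51.100.9 and the drop rule for offset-1 TCP fragments (RFC 1858, which notes that the IP fragment offset counts 8-octet units) are assumptions of this example.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Packet:
    """Constructed model holding only the header fields a packet filter inspects."""
    src: str
    dst: str
    sport: int
    dport: int
    direction: str = "in"   # "in": Internet -> LAN, "out": LAN -> Internet
    syn: bool = False
    ack: bool = False
    frag_offset: int = 0    # IP fragment offset, counted in 8-octet units

ALLOWED_INBOUND = {25}      # policy from the slides: SMTP allowed, Telnet (23) blocked
def stateless_allow(p: Packet) -> bool:
    """Judge each packet on its own header, as a stateless screening router does."""
    if p.direction == "out":
        return True
    if p.frag_offset > 0:
        return True         # later fragment carries no TCP header, so nothing to match
    return p.dport in ALLOWED_INBOUND

class StatefulFilter:
    """Remember connections the LAN initiated and admit only their replies."""
    def __init__(self):
        self.sessions = set()   # (lan_ip, lan_port, remote_ip, remote_port)
    def allow(self, p: Packet) -> bool:
        if p.frag_offset > 0:
            # RFC 1858: an offset-1 fragment overwrites part of the first fragment's TCP header; drop it
            return p.frag_offset != 1
        if p.direction == "out":
            if p.syn and not p.ack:
                self.sessions.add((p.src, p.sport, p.dst, p.dport))
            return True
        if (p.dst, p.dport, p.src, p.sport) in self.sessions:
            return True         # reply to a connection the inside opened
        return p.dport in ALLOWED_INBOUND

def outbound_smtp(allow):
    """Outbound SMTP from the slides: low port 25 out, high port 1357 back in."""
    syn = Packet("10.0.0.2", "198.51.100.9", 1357, 25, "out", syn=True)
    reply = Packet("198.51.100.9", "10.0.0.2", 25, 1357, "in", syn=True, ack=True)
    return allow(syn), allow(reply)

def fragment_attack(allow):
    """The slides' two fragments: port 25 in the first, the second at offset 1 (its port is unseen)."""
    first = Packet("198.51.100.9", "10.0.0.2", 40000, 25, "in", syn=True)
    second = Packet("198.51.100.9", "10.0.0.2", 40000, 23, "in", frag_offset=1)
    return allow(first), allow(second)
```

The stateless filter fails the legitimate SMTP reply yet passes both fragments; the stateful filter admits the reply it has a session for and drops the offset-1 fragment.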

