Stanford CS 155 - Study Notes
1 of 30
Simon Cooper <[email protected]>
CS155 - Firewalls
23 May 2002
CS155 Firewalls

2 of 30
Plug! Building Internet Firewalls, 2nd Edition, O'Reilly
Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman

3 of 30 What Is A Firewall?
• Literally? Prevents fire from spreading!
• The Castle Moat Analogy
  • Restricts access from the outside
  • Prevents attackers from getting too close
  • Restricts people from leaving
• Logically: a separator, a restrictor and an analyzer
• Rarely a single physical object
• Any place where internal and external data can meet

4 of 30 Why Firewalls?
• There are a lot of people on the Internet
• Millions of people together; bad things happen
• True for cities; it is true for the Internet
• Exchange of information: Education, Business, Recreation, Social and Political
• Want to do something useful with your computer
• However: unsolicited attention and bugs

5 of 30 Bugs, Bugs, Bugs
• All programs contain bugs
• Larger programs contain more bugs
• Network protocols contain design weaknesses and implementation flaws
• Careful (defensive) programming & protocol design is hard

6 of 30 Where Do You Put A Firewall?
• Between insecure systems & the Internet
• To separate test or lab networks
• For networks with more sensitive data:
  • Financial records
  • Student grades
  • Secret Projects
• Partner or joint venture networks

7 of 30 Firewall Design & Architecture Issues
• Least Privilege
• Defense in Depth
• Choke Point
• Weakest Link
• Fail-Safe Stance
• Universal Participation
• Diversity of Defense
• Simplicity

8 of 30 Firewall Architectures: Using A Screening Router to do Packet Filtering
Diagram: Internet -- Screening Router -- Internal Network
Screening Router: routes or blocks packets, as determined by site's security policy.

9 of 30 Packet Filtering: IP Packet Header
  version | header length | type of service | 16-bit total length (in bytes)
  16-bit identification | flags | 13-bit fragmentation offset
  8-bit Time To Live | 8-bit protocol | 16-bit header checksum
  32-bit source IP address
  32-bit destination IP address
  IP options (if any)
  Data (if any)

10 of 30 Packet Filtering: UDP Packet Structure
  (IP header as on slide 9, followed by the UDP header:)
  16-bit source port number | 16-bit destination port number
  16-bit UDP length | 16-bit UDP checksum

11 of 30 Packet Filtering: TCP Packet Structure
  (IP header as on slide 9, followed by the TCP header:)
  16-bit source port number | 16-bit destination port number
  32-bit sequence number
  32-bit acknowledgement number
  header length | reserved | Flags | 16-bit window size
  16-bit TCP checksum | 16-bit urgent pointer

12 of 30 Packet Filtering: Summary
• IP Source Address
• IP Destination Address
• Protocol (TCP, UDP, ICMP, etc.)
• TCP or UDP Source & Destination Ports
• TCP Flags (SYN, ACK, etc.)
• ICMP message type
• Packet Size

13 of 30 Router Knowledge
• Interface packet arrives on
• Interface packet will go out
• Is the packet in response to another one?
• How many packets have been seen recently?
• Is the packet a duplicate?
• Is the packet an IP fragment?

14 of 30 Filtering Example: Inbound SMTP
  Packet | Direction | Source Address | Dest Address | Protocol | Dest Port
  1      | In        | 192.168.3.4    | 172.16.1.1   | TCP      | 25
  2      | Out       | 172.16.1.1     | 192.168.3.4  | TCP      | 1234
Diagram: SMTP Client 192.168.3.4 (Internet, TCP port 1234) -- Firewall -- SMTP Server 172.16.1.1 (Internal Network, TCP port 25); packet 1 goes in, packet 2 goes out.

15 of 30 Filtering Example: Outbound SMTP
  Packet | Direction | Source Address | Dest Address | Protocol | Dest Port
  3      | Out       | 172.16.1.1     | 192.168.3.4  | TCP      | 25
  4      | In        | 192.168.3.4    | 172.16.1.1   | TCP      | 1357
Diagram: SMTP Client 172.16.1.1 (Internal Network, TCP port 1357) -- Firewall -- SMTP Server 192.168.3.4 (Internet, TCP port 25); packet 3 goes out, packet 4 comes in.

16 of 30 Stateful or Dynamic Packet Filtering
Diagram: Client 192.168.51.50 -- Dynamic Packet Filter -- Server 172.16.3.4
Legend: SP = source port, SA = source address, DP = destination port, DA = destination address
  Outgoing: UDP SP = 3264, SA = 192.168.51.50, DP = 1525, DA = 172.16.3.4 (filter remembers this information)
  Incoming: UDP SP = 1525, SA = 172.16.3.4, DP = 3264, DA = 192.168.51.50 (matches outgoing, so allowed in)
  Incoming: UDP SP = 1525, SA = 172.16.3.4, DP = 2049, DA = 192.168.51.50 (no match, so not allowed in)

17 of 30 Network Address Translation (NAT): Port and Address Translation (PAT)
Diagram: Client 1 and Client 2 (Inside) -- Address Translation System -- Server (Outside)
  Inside:  Client 1 10.42.6.9:1024, Client 2 10.42.7.1:1024
  Outside: 192.123.2.5:2028, 192.123.2.5:2027

18 of 30 Normal Fragmentation
Diagram: an IP packet (IP Header, TCP Header, DATA) split into fragments; the first fragment carries the IP Header, TCP Header and the start of the DATA, each later fragment carries its own IP Header and a further piece of the DATA.

19 of 30 Abnormal Fragmentation
Diagram panels: Normal; Overlapping data; Overlapping headers (a later fragment carrying a Fake TCP Header that overlaps the first fragment's TCP Header and DATA).

20 of 30 Firewall Architectures: Screened Host Architecture
Diagram: Internet -- Screening Router -- Internal Network (with Bastion Host); Screening Router plus Bastion Host form the Firewall.

21 of 30 Bastion Host
• A secured system
• Disable all non-required services; keep it simple
• Install/modify services you want
• Run security audit to establish baseline
• Connect system to the network
• Be prepared for system to be compromised

22 of 30 Firewall Architectures: Screened Subnet Architecture Using Two Routers
Diagram: Internet -- Exterior Router -- Perimeter Network (Bastion Host) -- Interior Router -- Internal Network; Exterior Router, Perimeter Network and Interior Router form the Firewall.

23 of 30 Firewall Architectures: Source/Destination Address Forgery
Diagram: an Attacker on the Internet sends a Packet with Source: 10.2.3.1 (claims to be), Destination: 10.2.3.2 at the Exterior Router; Perimeter Network 10.2.3.X (Bastion Host 10.2.3.4, routers 10.2.3.1 and 10.2.3.2), Internal Network 192.168.3.X (192.168.3.1, 192.168.3.2); other address shown: 172.16.42.9.

24 of 30 Firewall Architectures: Dual Homed Host Architecture
Diagram: Internet -- Dual-homed Host (the Firewall) -- Internal Network

25 of 30 Proxies
• Application level: dedicated proxy
• Circuit level: "generic proxy"
• Some protocols are natural to proxy
  • SMTP (E-Mail)
  • NNTP (Netnews)
  • DNS (Domain Name System)
  • NTP (Network Time Protocol)
• SOCKS - a generic proxy
• WinSock - almost generic proxy for Microsoft

26 of 30 Firewall Architectures: An Intricate Firewall Setup
Diagram components: Internet; Exterior Router 1 (Employee traffic, Backup) and Exterior Router 2 (Customer traffic); two Firewalls, each with a Perimeter Network; Bastion Host; Interior Router 1 and Interior Router 2; Web Server; Mail 1 and Mail 2 on a Perimeter Network; Internal Network.

27 of 30 Firewall Architectures: A web server using a database on a perimeter network
Diagram: Internet -- Firewall -- Web Server and Database Server (perimeter network) -- Real Database Server (Internal Network)

28 of 30 Firewall Architectures: A
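The dynamic packet filter of slide 16 and the SMTP filtering tables of slides 14-15, replayed by a toy filter written for this page (added example, not code from the slides or the book): it lets outgoing packets through and remembers them, and admits an inbound packet only when it mirrors a remembered flow or matches a static inbound rule. The static rule for 172.16.1.1 port 25 and the extra fifth SMTP packet are my assumptions.

```python
# Added example (not from the CS155 slides): minimal dynamic packet filter.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" (internal -> Internet) or "in"
    proto: str      # "tcp" or "udp"
    sa: str         # source address (slide legend: SA)
    sp: int         # source port (SP)
    da: str         # destination address (DA)
    dp: int         # destination port (DP)


class DynamicFilter:
    """Allows outgoing traffic, remembers it, and lets in only replies that
    match a remembered flow or an explicit static inbound rule."""

    def __init__(self, static_inbound=()):
        # assumed static rules: (proto, dest address, dest port) always allowed in
        self.static_inbound = set(static_inbound)
        self.flows = set()  # remembered (proto, sa, sp, da, dp) of outgoing packets

    def check(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            self.flows.add((pkt.proto, pkt.sa, pkt.sp, pkt.da, pkt.dp))
            return True
        # an inbound packet must exactly mirror a remembered outgoing packet ...
        reverse = (pkt.proto, pkt.da, pkt.dp, pkt.sa, pkt.sp)
        if reverse in self.flows:
            return True
        # ... or hit a static rule (e.g. the site's published SMTP server)
        return (pkt.proto, pkt.da, pkt.dp) in self.static_inbound


def replay_udp_example():
    """The three UDP packets of slide 16, in order."""
    f = DynamicFilter()
    return [f.check(p) for p in (
        Packet("out", "udp", "192.168.51.50", 3264, "172.16.3.4", 1525),
        Packet("in", "udp", "172.16.3.4", 1525, "192.168.51.50", 3264),
        Packet("in", "udp", "172.16.3.4", 1525, "192.168.51.50", 2049),
    )]  # -> [True, True, False]


def replay_smtp_example():
    """Packets 1-4 of slides 14-15 plus a constructed packet 5 to another host."""
    f = DynamicFilter(static_inbound=[("tcp", "172.16.1.1", 25)])
    return [f.check(p) for p in (
        Packet("in", "tcp", "192.168.3.4", 1234, "172.16.1.1", 25),   # packet 1
        Packet("out", "tcp", "172.16.1.1", 25, "192.168.3.4", 1234),  # packet 2
        Packet("out", "tcp", "172.16.1.1", 1357, "192.168.3.4", 25),  # packet 3
        Packet("in", "tcp", "192.168.3.4", 25, "172.16.1.1", 1357),   # packet 4
        Packet("in", "tcp", "192.168.3.4", 1234, "172.16.1.2", 25),   # constructed
    )]  # -> [True, True, True, True, False]
```

Packet 4 is admitted only because packet 3 was remembered; the constructed fifth packet is dropped because the static rule names one host, not every host on port 25.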