CSCE 465 Lecture 17
Thursday, March 21, 2013
Honors project progress report due next Wednesday.
Homework 4 is out
Vulnerability Analysis
ARP Cache Poisoning
ARP resolves an IP address to a hardware (MAC) address; hosts cache the answers and accept replies without any authentication.
What if the attacker sends forged ARP replies telling every computer on the LAN that the router's IP address belongs to the attacker's MAC? Traffic leaving the LAN then flows through the attacker (man-in-the-middle attack).
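Because ARP has no authentication, the practical defence is to pin the router's binding (a static ARP entry, or dynamic ARP inspection on the switch) and to alert when an IP address is suddenly claimed by a second MAC. The following is an added example, not code from the lecture: a small passive monitor that runs over a constructed list of ARP replies and reports every reply that rebinds an IP address. The addresses, MACs and the `SAMPLE_ARP_REPLIES` list are made up for the example.

```python
# Added example: passive ARP-spoof detector over constructed ARP replies.

# Constructed sample traffic: (sender IP, sender MAC) taken from ARP replies on the LAN.
# 10.0.0.1 is the router; the third reply is an attacker claiming the router's IP.
SAMPLE_ARP_REPLIES = [
    ("10.0.0.1",  "00:11:22:33:44:01"),
    ("10.0.0.23", "00:11:22:33:44:23"),
    ("10.0.0.1",  "aa:bb:cc:dd:ee:ff"),   # spoofed: router IP, attacker MAC
    ("10.0.0.1",  "aa:bb:cc:dd:ee:ff"),
    ("10.0.0.23", "00:11:22:33:44:23"),
]


def detect_arp_conflicts(replies, static=None):
    """Return (ip, expected_mac, offending_mac) for every reply that rebinds an IP.

    A reply conflicts if it contradicts a pinned static entry, or if it claims an IP
    that this monitor has already seen bound to a different MAC.  A repeat of an
    already-known binding is not reported again.
    """
    static = {ip: mac.lower() for ip, mac in (static or {}).items()}
    seen = {}                    # ip -> list of MACs observed for it, first one first
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()        # MACs compare case-insensitively
        known = seen.setdefault(ip, [])
        if ip in static and static[ip] != mac:
            alerts.append((ip, static[ip], mac))
        elif known and mac not in known:
            alerts.append((ip, known[0], mac))   # first-seen binding is the "expected" one
        if mac not in known:
            known.append(mac)
    return alerts


if __name__ == "__main__":
    for ip, expected, seen_mac in detect_arp_conflicts(SAMPLE_ARP_REPLIES):
        print(f"ALERT {ip}: expected {expected}, got {seen_mac}")
```

Without a static table the monitor learns the first binding it sees, so an attacker who is already poisoning the cache when the monitor starts is not caught; pinning the gateway with `static={"10.0.0.1": "00:11:22:33:44:01"}` closes that window.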
TCP SYN Flooding
Open many connections to a server with SYN packets and never complete the handshake, so the server's table of half-open connections fills up and legitimate clients are refused.
Remedy: stateless design using SYN cookies:
- Instead of storing the half-open connection, the server encodes the connection state (a coarse timestamp, the client's MSS, and a keyed hash of the addresses and ports) into the initial sequence number of its SYN-ACK. The client's final ACK returns that number plus one, so the server can verify it and reconstruct the connection without having stored anything.
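The SYN-cookie construction above, as an added example (my code, not the lecture's): the 32-bit initial sequence number is split into a 5-bit time counter, a 3-bit index into a table of MSS values, and a 24-bit keyed hash of the connection 4-tuple and the counter. The layout and the 64-second tick follow the classic design; the `SECRET` key, the `MSS_TABLE` values and the addresses in the test are assumptions made for the example.

```python
# Added example: SYN cookie generation and verification (not from the lecture).
import hashlib
import hmac

SECRET = b"constructed-example-secret"      # assumed per-boot server key; rotate it in practice
MSS_TABLE = [536, 1220, 1440, 1460]         # MSS values the index field can encode


def _mac24(src_ip, src_port, dst_ip, dst_port, t):
    """24-bit keyed hash over the connection 4-tuple and the time counter."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{t}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, mss, now):
    """ISN for the SYN-ACK: 5-bit time | 3-bit MSS index | 24-bit MAC."""
    t = (now // 64) & 0x1F                               # 64-second ticks, wraps mod 32
    m = max((i for i, v in enumerate(MSS_TABLE) if v <= mss), default=0)
    return (t << 27) | (m << 24) | _mac24(src_ip, src_port, dst_ip, dst_port, t)


def check_syn_cookie(cookie, src_ip, src_port, dst_ip, dst_port, now, max_ticks=2):
    """Return the MSS encoded in a genuine, fresh cookie, or None to drop the ACK."""
    t, m, h = (cookie >> 27) & 0x1F, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    age = (((now // 64) & 0x1F) - t) % 32
    if age > max_ticks:
        return None                                      # stale (or counter from the future)
    if h != _mac24(src_ip, src_port, dst_ip, dst_port, t):
        return None                                      # forged, or for another 4-tuple
    return MSS_TABLE[m] if m < len(MSS_TABLE) else None


def accept_ack(ack_num, src_ip, src_port, dst_ip, dst_port, now):
    """The client's final ACK acknowledges ISN+1; recover the cookie and validate it."""
    return check_syn_cookie((ack_num - 1) & 0xFFFFFFFF, src_ip, src_port, dst_ip, dst_port, now)
```

The server keeps no state between the SYN and the ACK, which is the point, but the cost is visible in the code: only what fits in 32 bits survives, so TCP options such as window scaling and SACK are lost unless they are encoded elsewhere, and the 24-bit MAC is small enough that a patient attacker can guess one in 2^24 tries; real stacks therefore enable cookies only while the half-open queue is under pressure.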
Firewall
- Originally a wall constructed to prevent the spread of fire.
- In networks it is more like a moat around a castle: all traffic has to cross at one controlled point.
- Device that provides secure connectivity between networks (internal/external; varying levels of trust among machines/users)
- Implement and enforce security policy for communication between networks.
Capabilities:
- Restrict incoming/outgoing traffic by IP address, ports, or users
- Block invalid packets
Convenience:
- Give insight into traffic mix via logging
- Network Address Translation
- Encryption
Potential Vulnerabilities
- Doesn't protect traffic that doesn't cross it (routing around it, e.g. a modem or wireless link; purely internal traffic)
- Only as good as its configuration; a wrong rule set gives a false sense of security
Filtering Firewall
- packet filtering
  - Checks each packet individually and blocks those not allowed by policy
  - Decisions made on a per-packet basis; no state information saved
  - Can be slow: every packet is matched against the full rule list
  - Return traffic to clients has to be admitted by static rules, so ports above 1023 are left open to the outside
- session filtering
  - Looks at only the first packet of a session; allows or denies the rest of the session based on the decision for that first packet
  - Also called dynamic packet filtering, stateful inspection, or context-based filtering
FTP Example
FTP Active Mode
- Client opens the command (control) channel to server port 21 and announces a second (data) port with the PORT command
- Server opens the data connection from its port 20 to the client's data port
- Client acknowledges
FTP Passive Mode
- Client opens the control connection to server port 21
- Server opens a port for passive data transport and tells the client its number
- Client connects to that open port
- Server acknowledges
FTP Packet Filter:
access-list 100 permit tcp any gt 1023 host 173.168.10.12 eq 21
access-list 100 permit tcp any gt 1023 host 173.168.10.12 eq 20
! allows packets sent from any client to the FTP control and data ports
access-list 101 permit tcp host 172.168.10.12 eq 21 any gt 1023
access-list 101 permit tcp host 172.168.10.12 eq 20 any gt 1023
! allows FTP server to send packets back to any client
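The two filtering models above, run against the lecture's FTP access list, as an added example (my code, not part of the lecture). It parses the simplified access-list syntax the notes use (only the keywords that appear there: permit, deny, any, host, eq, gt), applies list 100 to client-to-server packets and list 101 to return packets as a stateless filter would, and then runs the same packets through a session filter that keeps a connection table and knows one piece of FTP context. The server address is taken as 173.168.10.12 in both lists, the client and victim addresses are made up, and the packets in `SCENARIO` are constructed for the example.

```python
# Added example: stateless vs. stateful evaluation of the lecture's FTP ACL.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


# The lecture's ACL, one entry per line, with 173.168.10.12 as the server in both lists.
ACL_TEXT = """
access-list 100 permit tcp any gt 1023 host 173.168.10.12 eq 21
access-list 100 permit tcp any gt 1023 host 173.168.10.12 eq 20
! allows packets sent from any client to the FTP control and data ports
access-list 101 permit tcp host 173.168.10.12 eq 21 any gt 1023
access-list 101 permit tcp host 173.168.10.12 eq 20 any gt 1023
"""
ACL_RE = re.compile(r"access-list (\d+) (permit|deny) tcp "
                    r"(any|host \S+)(?: (eq|gt) (\d+))? "
                    r"(any|host \S+)(?: (eq|gt) (\d+))?$")


def _addr(tok):
    return None if tok == "any" else tok.split()[1]      # None matches every address


def _port(op, val):
    if op is None:
        return lambda p: True
    v = int(val)
    return (lambda p: p == v) if op == "eq" else (lambda p: p > v)


def parse_acl(text):
    rules = []
    for line in text.splitlines():
        line = line.split("!")[0].strip()                # "!" starts a comment
        if not line:
            continue
        m = ACL_RE.match(line)
        if not m:
            raise ValueError("unparsed ACL entry: " + line)
        num, action, src, sop, sp, dst, dop, dp = m.groups()
        rules.append((int(num), action == "permit", _addr(src), _port(sop, sp),
                      _addr(dst), _port(dop, dp)))
    return rules


def stateless_filter(rules, acl_num, p):
    """Per-packet decision: first matching entry wins, implicit deny at the end."""
    for num, permit, src, sp_ok, dst, dp_ok in rules:
        if (num == acl_num and src in (None, p.src) and sp_ok(p.sport)
                and dst in (None, p.dst) and dp_ok(p.dport)):
            return permit
    return False


class StatefulFilter:
    """The ACL judges only the SYN that opens a session; later packets pass iff they belong
    to a session in the table. One context-based rule: a connection from server port 20 is
    admitted only while that client has a control session (port 21) with the server."""

    def __init__(self, rules, acl_num):
        self.rules, self.acl_num, self.sessions = rules, acl_num, set()

    @staticmethod
    def _key(p):
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})   # direction-independent

    def _control_session(self, server, client):
        return any((server, 21) in s and any(ip == client for ip, _ in s) for s in self.sessions)

    def allow(self, p):
        if self._key(p) in self.sessions:
            return True                                  # established, either direction
        if not (p.syn and not p.ack):
            return False                                 # unsolicited non-SYN packet
        if (p.sport == 20 and self._control_session(p.src, p.dst)) \
                or stateless_filter(self.rules, self.acl_num, p):
            self.sessions.add(self._key(p))              # new session: data channel or ACL hit
            return True
        return False


SERVER, CLIENT, VICTIM = "173.168.10.12", "198.51.100.7", "198.51.100.9"
RULES = parse_acl(ACL_TEXT)
SCENARIO = [                                             # constructed packets, in arrival order
    (100, Pkt(CLIENT, 40000, SERVER, 21, syn=True)),             # client opens control channel
    (101, Pkt(SERVER, 21, CLIENT, 40000, syn=True, ack=True)),   # server's SYN-ACK
    (101, Pkt(SERVER, 21, VICTIM, 5555, ack=True)),              # forged "reply", no session
    (101, Pkt(SERVER, 20, CLIENT, 50000, syn=True)),             # active-mode data connection
    (101, Pkt(SERVER, 20, VICTIM, 3306, syn=True)),              # port 20 source, no control session
]


def run_stateless():
    return [stateless_filter(RULES, acl, p) for acl, p in SCENARIO]


def run_stateful():
    fw = StatefulFilter(RULES, 100)                      # only the client-to-server list is needed
    return [fw.allow(p) for _, p in SCENARIO]
```

The stateless filter permits all five packets: list 101 cannot tell the server's real SYN-ACK from a forged packet with source port 21 aimed at any high port on any host, which is the "ports above 1023 left open" hole. The session filter needs only list 100, admits return traffic because it belongs to a known session, drops the forged packet and the rogue port-20 connection, and still lets active-mode FTP work because it saw the control session first.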
Proxy Firewall
Proxy "man-in-middle" to relay connections between client and server
Application Gateways
Understands specific application protocols.
- Only protocols for which a proxy has been written can be supported
- Proxy impersonates both sides of the connection
- Resource-intensive (one process per connection)
- HTTP proxies may cache web pages
More appropriate for TCP protocols (ICMP is difficult to proxy)
Implicitly (by design) blocks everything unless it is specifically allowed
Circuit-Level Gateways
Support more services than application gateways, but give less control over the data: they relay the connection without understanding the application protocol.
- Difficult to handle protocols like FTP that open secondary connections
- Clients must be aware of the circuit-level gateway (modified or "socksified" client software)
Example: SOCKS
- SOCKS v5 also supports UDP
Comparison
                | Security | Performance | Service Support      | Modify Client App | ICMP | Fragmentation
Packet Filter   | 3        | 1           | No dynamic w/o holes | No                | YES  |
Session Filter  | 2        | 2           |                      | No                | YES  |
Circuit GW      |          |             | SOCKS v5             |                   |      |
App GW          |          |             |                      |                   |      |
Network Address Translation (NAT)
Often combined with a firewall (but not required), since both are "inline" devices that all traffic passes through
- Useful if an organization does not have enough real (public) IP addresses
- Extra security measure: internal hosts with private addresses cannot be reached directly from the outside, so an attacker cannot open a connection to them (harder to trick the firewall)
- Only services that outside networks will open connections to really need a real (external) IP address
- Many-to-One
  - Many machines appear as one IP address on the Internet (like proxies); the NAT device keeps a table mapping each outbound connection to a distinct external port
- One-to-One
  - Each machine acts as itself on the external network, under a fixed external address
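The many-to-one translation table, with a single published service standing in for the one-to-one case, as an added example (my code, not the lecture's). Outbound flows get a fresh public port each, inbound packets are rewritten only if a mapping exists, and `publish` pins one public port to an inside server so outsiders can open connections to it. The public address, the inside addresses and the starting port are assumptions chosen for the example.

```python
# Added example: many-to-one NAT with a port-forwarded service (not from the lecture).
import itertools


class PortNat:
    """Port-overloaded NAT: every inside host shares one public address."""

    def __init__(self, public_ip, first_port=10000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)     # next free public port
        self._out = {}        # (in_ip, in_port, remote_ip, remote_port) -> public port
        self._back = {}       # (public port, remote_ip, remote_port) -> (in_ip, in_port)
        self._published = {}  # public port -> (in_ip, in_port), reachable without a prior flow

    def publish(self, public_port, inside_ip, inside_port):
        """One-to-one style exposure of a single inside service."""
        self._published[public_port] = (inside_ip, inside_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an inside-to-outside packet; allocate a mapping on first sight."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self._out:
            pub_port = next(self._ports)
            self._out[key] = pub_port
            self._back[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self._out[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outside-to-inside packet, or return None to drop it."""
        if dst_ip != self.public_ip:
            return None
        inside = self._published.get(dst_port) or self._back.get((dst_port, src_ip, src_port))
        if inside is None:
            return None       # no mapping: nothing inside is addressable, so the packet is dropped
        return (src_ip, src_port, *inside)


if __name__ == "__main__":
    nat = PortNat("203.0.113.1")
    print(nat.outbound("10.0.0.5", 51000, "203.0.113.50", 443))
    print(nat.inbound("198.51.100.9", 4444, "203.0.113.1", 22))   # None: unsolicited
```

The reverse table is keyed on the remote address and port as well as the public port, so an outsider cannot reuse a mapping that another peer created; only `publish` makes an inside host reachable without a prior outbound flow, which is exactly the set of machines that need a real address in the first place.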
Encryption
- Allows trusted users to access sensitive information while it traverses untrusted networks
- Useful for remote users and remote sites (VPNs)
- The standard for doing this at the IP layer is IPsec