Beginning Network Security
• Monitor and control flow into and out of the LAN
  • Ingress
  • Egress
• Only let in the good guys
• Only let out the corp. business
How do they get in?
• Vulnerable services
  • Unexpected format and/or quantity
• Inside information
  • Accounts, passwords & configuration
• Lack of access control
  • Weak/no passwords
• Virus payloads
  • Unsafe computing practices
Where do they get in?
• Network Services
  • Intentional
  • Unintentional
• User Conveniences
  • File Sharing
  • File servers
  • Spy-ware Conveniences
• BAD e-mail Practices
  • Phishing scams
• Loop Backs
• Peer-to-Peer
What do they get out?
• Intellectual Property
  • myfip
• Spam
  • remailers
• Tunes & toons
  • server
• DoS platform
Network Services – Intentional
• ftp
• telnet
• DNS
• Mail servers
• http
• ssh
• https
• Web servers
Network Services – Unintentional
• Trojans
• Spyware
• Web services
• e-Wallets
• e-Cash
• Peer-to-Peer networks
• Bots
• Bot servers
• Virus payload
Traffic Flow
Source    Destination  Category
Internal  Internal     Internal
Internal  External     Outbound
External  Internal     Inbound
Secure Shell Protocol – ssh
[Diagram: Client and Server. New connection: client connects to server's ssh port (22). Established connection: server acknowledges client.]
Secure Shell Protocol – ssh
Conn. State  Src Addr.  Dest Addr.  Protocol  Src Port  Dst Port  SYN  ACK  Notes
New          client     server      TCP       >1023     22        Yes  No   Client opens ssh connection
Est          server     client      TCP       22        >1023     Yes  Yes  Server acknowledges client
Est          client     server      TCP       >1023     22        No   Yes  Connection established
Est          server     client      TCP       22        >1023     No   Yes  Connection established
File Transfer Protocol – ftp
[Diagram: Client (user ports) and Server (port 21 for commands, port 20 for data). New connection, command port: client connects to server's ftp command port (21); server acknowledges client, confirming the command connection. New connection, data port: server connects to client's ftp data port; client acknowledges server, confirming the data connection.]
File Transfer Protocol – ftp
Conn. State  Src Addr.  Dest Addr.  Protocol  Src Port  Dst Port  SYN  ACK  Notes
New          client     server      TCP       >1023     21        Yes  No   Client opens ftp connection
Est          server     client      TCP       21        >1023     Yes  Yes  Server acknowledges client
Rel          server     client      TCP       20        >1023     Yes  No   Server opens ftp data connection to client
Est          client     server      TCP       >1023     20        Yes  Yes  Client acknowledges connection to server
Est          server     client      TCP       20        >1023     No   Yes  Established TCP data connection – server to client
Est          client     server      TCP       >1023     21        No   Yes  Established TCP command connection – client to server
Http
Conn. State  Src Addr.  Dest Addr.  Protocol  Src Port  Dst Port  SYN  ACK  Notes
New          client     server      TCP       >1023     80        Yes  No   Client opens http connection
Est          server     client      TCP       80        >1023     Yes  Yes  Server acknowledges client
Est          client     server      TCP       >1023     80        No   Yes  Connection established
Est          server     client      TCP       80        >1023     No   Yes  Connection established
What to do?
• Control!
  • Who gets in
  • What comes in
  • Who goes out
  • What goes out
  • What services are offered
  • Privileges
Blockers and Observers
• Blockers
  • Filters
  • Firewalls
  • ACLs
• Observers
  • IDS
Packet Filters
• Look at the packet
  • Varying depths of information in headers
• Accept or reject
  • Depending on rules and filter type
• Three types
  • Static
  • Stateful
  • Proxy
Static Packet Filters
• Inspect only the IP address and packet header
• Each packet is accepted or rejected based only on the info in that packet
• Fast
• Simple
Stateful Packet Filters
• Tracks the state of each connection
  • Maintains a state table of every connection
  • Remembers permitted traffic
• Accepts or rejects based on the packet's place in the state table
TCP – Connection-oriented Protocol
• TCP
  – Connection states are well defined
  – Start-up
  – Connected
  – Shutting down
TCP States – RFC 793
• CLOSED
  • Non-state
• LISTEN
  • Server waiting for a connection
• SYN-SENT
  • Host sent a SYN
  • Waiting for a SYN-ACK
• SYN-RCVD
  • Host received SYN
  • Sent SYN-ACK
• ESTABLISHED
  • After SYN, SYN-ACK, ACK have been sent
• FIN-WAIT-1
  • After the initial FIN is sent asking for a graceful shutdown
• CLOSE-WAIT
  • Host's state after FIN received and ACK has been sent
TCP States – RFC 793
• FIN-WAIT-2
  • Host has received ACK in response to its FIN and waits for the final FIN
• LAST-ACK
  • State of host who has sent the second FIN to gracefully close; waits for acknowledgement
• TIME-WAIT
  • State of initiating host having sent final ACK to a received ACK. Wait for a specific time; no response is expected
• CLOSING
  • The state employed when a non-standard simultaneous close is used
TCP States – 3-way handshake
[Diagram: client and server state changes during the handshake]
  Client CLOSED → SYN-SENT, sends SYN; server LISTEN → SYN-RCVD
  Server sends SYN ACK; client → ESTABLISHED
  Client sends ACK; server → ESTABLISHED
TCP States – Graceful Shutdown
[Diagram: client and server state changes during a graceful shutdown]
  Client ESTABLISHED → FIN_WAIT_1, sends FIN
  Server ESTABLISHED → CLOSE_WAIT, sends ACK; client → FIN_WAIT_2
  Server → LAST_ACK, sends FIN; client → TIME_WAIT, sends ACK
  Server → CLOSED
TCP States – Simultaneous Shutdown
[Diagram: both sides close at once]
  Client and server each → FIN_WAIT_1, each sends FIN
  Each receives the other's FIN → CLOSING, each sends ACK
  Each receives the other's ACK → TIME_WAIT
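The three diagrams above can be driven from one transition table. The following is an added example written for these slides, not code from the deck: each endpoint keeps its RFC 793 state, and the helpers replay the 3-way handshake, the graceful shutdown and the simultaneous close. Only the transitions the slides list are modelled; RST, data transfer and real timers are left out, and the TIME-WAIT expiry is an explicit `timeout` event (an assumption for the demo). A stateful filter mirrors exactly this kind of table when deciding whether a packet fits the connection's current place in the state table.

```python
# Endpoint TCP state machine for the transitions listed on the RFC 793 slides.
# Added example, not the slide deck's own code. Simplified: no RST, no data,
# and TIME-WAIT -> CLOSED is an explicit "timeout" event instead of a timer.

# (current state, event) -> next state.  Events are "send:<segment>",
# "recv:<segment>", "listen" or "timeout".  A send that does not change
# state (e.g. the server's SYN-ACK, any plain ACK) has no entry here.
TRANSITIONS = {
    ("CLOSED", "listen"): "LISTEN",
    ("CLOSED", "send:SYN"): "SYN-SENT",
    ("LISTEN", "recv:SYN"): "SYN-RCVD",            # server answers with SYN-ACK
    ("SYN-SENT", "recv:SYN-ACK"): "ESTABLISHED",   # client answers with ACK
    ("SYN-RCVD", "recv:ACK"): "ESTABLISHED",
    ("ESTABLISHED", "send:FIN"): "FIN-WAIT-1",     # initiating a graceful close
    ("ESTABLISHED", "recv:FIN"): "CLOSE-WAIT",     # ACK is sent back
    ("FIN-WAIT-1", "recv:ACK"): "FIN-WAIT-2",
    ("FIN-WAIT-1", "recv:FIN"): "CLOSING",         # simultaneous close, ACK sent
    ("FIN-WAIT-2", "recv:FIN"): "TIME-WAIT",       # final ACK is sent
    ("CLOSE-WAIT", "send:FIN"): "LAST-ACK",
    ("LAST-ACK", "recv:ACK"): "CLOSED",
    ("CLOSING", "recv:ACK"): "TIME-WAIT",
    ("TIME-WAIT", "timeout"): "CLOSED",
}


class Endpoint:
    """One TCP endpoint; records every state it passes through."""

    def __init__(self, name):
        self.name = name
        self.state = "CLOSED"
        self.history = ["CLOSED"]

    def event(self, ev, strict=True):
        nxt = TRANSITIONS.get((self.state, ev))
        if nxt is None:
            if strict:
                raise ValueError(f"{self.name}: no transition from {self.state} on {ev}")
            return self.state                      # e.g. sending a plain ACK
        self.state = nxt
        self.history.append(nxt)
        return nxt


def transmit(sender, receiver, segment):
    """Sender emits a segment (state change only if the table has one), receiver consumes it."""
    sender.event("send:" + segment, strict=False)
    receiver.event("recv:" + segment)


def three_way_handshake():
    client, server = Endpoint("client"), Endpoint("server")
    server.event("listen")
    transmit(client, server, "SYN")        # client SYN-SENT, server SYN-RCVD
    transmit(server, client, "SYN-ACK")    # client ESTABLISHED
    transmit(client, server, "ACK")        # server ESTABLISHED
    return client, server


def graceful_shutdown():
    client, server = three_way_handshake()
    transmit(client, server, "FIN")        # client FIN-WAIT-1, server CLOSE-WAIT
    transmit(server, client, "ACK")        # client FIN-WAIT-2
    transmit(server, client, "FIN")        # server LAST-ACK, client TIME-WAIT
    transmit(client, server, "ACK")        # server CLOSED
    client.event("timeout")                # client CLOSED after the wait
    return client.history, server.history


def simultaneous_close():
    client, server = three_way_handshake()
    client.event("send:FIN")               # both FINs are in flight at once
    server.event("send:FIN")
    client.event("recv:FIN")               # each sees the other's FIN: CLOSING
    server.event("recv:FIN")
    client.event("recv:ACK")               # each sees the other's ACK: TIME-WAIT
    server.event("recv:ACK")
    client.event("timeout")
    server.event("timeout")
    return client.history, server.history


if __name__ == "__main__":
    for name, fn in (("graceful", graceful_shutdown), ("simultaneous", simultaneous_close)):
        c, s = fn()
        print(name, "client:", " -> ".join(c))
        print(name, "server:", " -> ".join(s))
```

Because `event` is strict for received segments, a segment that does not fit the current state raises instead of being silently accepted; that is the same judgement a stateful filter makes when it marks such a packet Invalid.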
UDP – States
• Is connectionless
• Has no connection concept
• Has no sequence numbers
• IP addresses and ports are all we have
• Pseudo-states are based on IP and ports
• Shutdown is based on time out
• ICMP is UDP's error handler
• UDP/ICMP relation is important for pseudo-state tracking
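How a filter builds pseudo-states for UDP from nothing but addresses, ports, a timeout and the related ICMP errors, as an added example (not code from the slide deck). The tracker keys a flow on the 4-tuple, treats a datagram in the reverse direction as the Established reply, forgets flows after an assumed 30-second idle timeout, and accepts an ICMP destination-unreachable (type 3) as Related only when the datagram quoted inside it belongs to a tracked flow and the error is addressed to that datagram's sender. Addresses and the timeout value are constructed; the clock is passed in explicitly so the replay is deterministic.

```python
# UDP pseudo-state tracker.  Added example, not the slide deck's own code.
from dataclasses import dataclass

UDP_TIMEOUT = 30.0   # seconds of silence before a pseudo-connection is dropped (assumed)


@dataclass(frozen=True)
class UdpPacket:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class IcmpError:
    src: str          # host reporting the error
    dst: str          # host the error is delivered to
    itype: int        # ICMP type; 3 = destination unreachable (UDP's usual error)
    icode: int        # ICMP code; 3 = port unreachable
    orig: UdpPacket   # header of the datagram quoted in the ICMP payload


class UdpTracker:
    def __init__(self, timeout=UDP_TIMEOUT):
        self.timeout = timeout
        self.table = {}   # (src, sport, dst, dport) of first datagram -> last seen time

    def _expire(self, now):
        """Shutdown is only a timeout: forget every flow idle longer than the limit."""
        for flow, seen in list(self.table.items()):
            if now - seen > self.timeout:
                del self.table[flow]

    def udp(self, p, now):
        self._expire(now)
        flow = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if flow in self.table:              # more traffic in the original direction
            self.table[flow] = now
            return "Established"
        if reverse in self.table:           # reply to a tracked request
            self.table[reverse] = now
            return "Established"
        self.table[flow] = now              # unknown 4-tuple: New (rule table decides)
        return "New"

    def icmp(self, e, now):
        """ICMP is UDP's error handler: Related only if it refers to a tracked flow."""
        self._expire(now)
        o = e.orig
        flow = (o.src, o.sport, o.dst, o.dport)
        if e.itype == 3 and flow in self.table and e.dst == o.src:
            del self.table[flow]            # nobody will answer this flow any more
            return "Related"
        return "Invalid"


def run_udp_demo():
    """Replay a few DNS-style exchanges; returns the tracker's verdict for each packet."""
    t = UdpTracker()
    client, dns1, dns2 = "10.0.0.5", "192.0.2.53", "198.51.100.53"   # constructed
    q1 = UdpPacket(client, dns1, 40000, 53)
    r1 = UdpPacket(dns1, client, 53, 40000)
    q2 = UdpPacket(client, dns2, 40001, 53)
    stray = UdpPacket("203.0.113.9", client, 53, 40000)              # unsolicited "reply"
    forged = IcmpError("203.0.113.9", client, 3, 3,
                       UdpPacket(client, "203.0.113.9", 40005, 53))   # quotes no tracked flow
    return [
        t.udp(q1, now=0.0),                                  # New
        t.udp(r1, now=1.0),                                  # Established
        t.udp(stray, now=3.0),                               # New: no matching request
        t.icmp(forged, now=4.0),                             # Invalid
        t.udp(q2, now=5.0),                                  # New
        t.icmp(IcmpError(dns2, client, 3, 3, q2), now=6.0),  # Related: port unreachable
        t.udp(r1, now=100.0),                                # New again: flow timed out
    ]


if __name__ == "__main__":
    print(run_udp_demo())
```

The last verdict is the important one: a late reply to a flow that has already timed out looks exactly like an unsolicited inbound datagram, so it goes back to the rule table rather than being waved through as Established.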
Firewall
• Purpose
  • Control inbound and outbound traffic
  • Control in accordance with a set of rules
  • Reduce risk of LAN compromise
  • Ensure you are a good network citizen
• Configuration
  • Multi-ported host
  • Set of rules and actions
  • Set of states
Firewalls
• Computer System
• Actions
• Rules
• States
Firewalls – System
• Computer System
  • Fast
  • Memory
  • At least 2 network interfaces
    – Internal
    – External
  • Sometimes only 1 interface
    – A desktop that does no routing
Firewalls – Actions
• Firewalls inspect all inbound and outbound network traffic
• Three actions possible
  • Accept – permit flow
  • Reject – send icmp error message
  • Drop – stealth mode
• Logs action
Firewalls – Rules
• Ingress rules – actions for inbound packets
• Egress rules – actions for outbound packets
Example:
Src Addr.  Dest Addr.   Protocol  Src Port  Dst Port  SYN  FIN  Action
any        172.16.13.3  TCP       >1023     22        Yes  No   Accept
Firewalls – States
• New
  • Packets establishing a connection (tcp)
• Established
  • Connection established and packet is related
• Related
  • Packet is related to an established connection but different protocol or port
• Invalid
  • Not one of the above
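The four firewall states, the stateful-filter slides and the ssh/ftp connection tables above all come together in one small stateful filter. The following is an added example written for these slides, not the deck's own code: it classifies each packet as New, Established, Related or Invalid from the 5-tuple plus the SYN and ACK flags, consults a rule table in the slide's layout only for New connections, remembers accepted flows, and treats the active-mode ftp data connection (server port 20 back to the client) as Related to an established command connection. The rule for port 21, the client address, the ports and the helper table `RELATED_HELPERS` are constructed for the demo; the port-22 rule is the one on the slide.

```python
# Toy stateful packet filter.  Added example, not the slide deck's own code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


# Rule table in the slide's layout:
# (src addr, dst addr, protocol, src port, dst port, SYN, ACK, action).
# "any" matches every address; ">1023" matches any ephemeral port.
RULES = [
    ("any", "172.16.13.3", "TCP", ">1023", 22, True, False, "Accept"),  # from the slide
    ("any", "172.16.13.3", "TCP", ">1023", 21, True, False, "Accept"),  # constructed: ftp cmd
]

# Command port -> data port the server opens back towards the client (active ftp).
RELATED_HELPERS = {21: 20}   # assumed helper table modelled on the ftp slide


def match_field(rule_value, packet_value):
    """Compare one rule cell with one packet field using the slide's notation."""
    if rule_value == "any":
        return True
    if rule_value == ">1023":
        return packet_value > 1023
    return rule_value == packet_value


class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.table = {}   # (proto, src, sport, dst, dport) of opening packet -> "Established"

    @staticmethod
    def flow(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def reverse_flow(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def classify(self, p):
        """Place the packet in the state table: New, Established, Related or Invalid."""
        if self.flow(p) in self.table or self.reverse_flow(p) in self.table:
            return "Established"
        if p.syn and not p.ack:
            # A bare SYN from server to client is Related when that client already
            # holds a tracked command connection whose helper expects this data port.
            for (proto, client, _cport, server, cmd_port) in self.table:
                if (proto == p.proto and client == p.dst and server == p.src
                        and RELATED_HELPERS.get(cmd_port) == p.sport):
                    return "Related"
            return "New"
        return "Invalid"   # ACK/FIN/RST with no tracked connection: not one of the above

    def filter(self, p):
        """Return (state, action) for one packet and update the state table."""
        state = self.classify(p)
        if state in ("Established", "Related"):
            action = "Accept"           # permitted traffic is remembered, not re-evaluated
        elif state == "New":
            action = "Drop"             # default deny; only the rule table can open a flow
            for (s, d, proto, sp, dp, syn, ack, act) in self.rules:
                if (match_field(s, p.src) and match_field(d, p.dst) and proto == p.proto
                        and match_field(sp, p.sport) and match_field(dp, p.dport)
                        and syn == p.syn and ack == p.ack):
                    action = act
                    break
        else:
            action = "Drop"             # Invalid: stealth drop
        if action == "Accept" and state in ("New", "Related"):
            self.table[self.flow(p)] = "Established"
        return state, action


def run_demo():
    """Replay the ssh and ftp sequences from the connection tables, then two packets
    a static filter could not judge: a New http SYN and an ACK with no connection."""
    client, server = "10.0.0.5", "172.16.13.3"     # client address constructed
    fw = StatefulFilter(RULES)
    packets = [
        Packet(client, server, "TCP", 40000, 22, syn=True),            # client opens ssh
        Packet(server, client, "TCP", 22, 40000, syn=True, ack=True),  # server acknowledges
        Packet(client, server, "TCP", 40000, 22, ack=True),            # connection established
        Packet(client, server, "TCP", 40001, 21, syn=True),            # client opens ftp command
        Packet(server, client, "TCP", 21, 40001, syn=True, ack=True),  # server acknowledges
        Packet(server, client, "TCP", 20, 40002, syn=True),            # server opens data conn
        Packet(client, server, "TCP", 40002, 20, syn=True, ack=True),  # client acknowledges
        Packet(client, server, "TCP", 50000, 80, syn=True),            # no rule for http
        Packet(client, server, "TCP", 50001, 22, ack=True),            # ACK with no connection
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for state, action in run_demo():
        print(f"{state:<12}{action}")
```

The last two packets show what the state table buys over a static filter: a static filter that wants established ssh traffic to flow must accept any ACK-flagged packet to port 22 regardless of history, while the stateful version accepts the ACK only when it belongs to a connection it opened and drops the stray one as Invalid.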
Firewalls – Internet Services
• Application protocols will determine the firewall rules
• Crucial to know how a connection is established
• Crucial to know how a connection is maintained
Firewalls – Info for Rules
• Source port
• Destination port
• SYN flag
• ACK flag
• Connection state
• Source IP
• Destination IP
• Protocol