Beginning Network Security
Monitor and control flow into and out of the LAN: Ingress, Egress. Only let in the good guys. Only let out the corp. business.

Upload: robyn-snow

Post on 04-Jan-2016


TRANSCRIPT

Page 1: Beginning Network Security

• Monitor and control flow into and out of the LAN
  – Ingress
  – Egress
• Only let in the good guys
• Only let out the corp. business

Page 2: How do they get in?

• Vulnerable services
  – Unexpected format and/or quantity
• Inside information
  – Accounts, passwords & configuration
• Lack of access control
  – Weak/no passwords
• Virus payloads
  – Unsafe computing practices

Page 3: Where do they get in?

• Network Services
  – Intentional
  – Unintentional
• User Conveniences
  – File Sharing
  – File servers
  – Spy-ware Conveniences
• BAD e-mail Practices
  – Phishing scams
• Loop Backs
  – Peer-to-Peer

Page 4: What do they get out?

• Intellectual Property
  – myfip
• Spam
  – remailers
• Tunes & toons
  – server
• DoS platform

Page 5: Network services: Intentional

• ftp
• telnet
• DNS
• Mail servers
• http
• ssh
• https
• Web servers

Page 6: Network Services: Unintentional

• Trojans
• Spyware
• Web services
• e-Wallets
• e-Cash
• Peer-to-Peer networks
• Bots
• Bot servers
• Virus payload

Page 7: Traffic Flow

Source    Destination  Category
Internal  Internal     Internal
Internal  External     Outbound
External  Internal     Inbound

Page 8: Secure Shell Protocol (ssh)

Client -> Server: New connection; client connects to server's ssh port (22)
Server -> Client: Server acknowledges client
Client <-> Server: Established connection

Page 9: Secure Shell Protocol (ssh)

Conn. State  Src Addr.  Dest Addr.  Protocol  Src Port  Dst Port  SYN  ACK  Notes
New          client     server      TCP       >1023     22        Yes  No   Client opens ssh connection
Est          server     client      TCP       22        >1023     Yes  Yes  Server acknowledges client
Est          client     server      TCP       >1023     22        No   Yes  Connection established
Est          server     client      TCP       22        >1023     No   Yes  Connection established

Page 10: File Transfer Protocol (ftp)

Server ports: 21 (cmnd's), 20 (data). Client side: user ports.

Client (user port) -> Server (21): New connection, command port; client connects to server's ftp command port (21)
Server (21) -> Client (user port): Server acknowledges client; confirm connection, command port
Server (20) -> Client (user port): New connection, data port; server connects to client's ftp data port
Client (user port) -> Server (20): Client acknowledges server; confirm connection, data port

Page 11: File Transfer Protocol (ftp)

Conn. State  Src Addr.  Dest Addr.  Protocol  Src Port  Dst Port  SYN  ACK  Notes
New          client     server      TCP       >1023     21        Yes  No   Client opens ftp connection
Est          server     client      TCP       21        >1023     Yes  Yes  Server acknowledges client
Rel          server     client      TCP       20        >1023     Yes  No   Server opens ftp data connection to client
Est          client     server      TCP       >1023     20        Yes  Yes  Client acknowledges connection to server
Est          server     client      TCP       20        >1023     No   Yes  Established TCP data connection - server to client
Est          client     server      TCP       >1023     21        No   Yes  Established TCP command connection - client to server

Page 12: Http

Conn. State  Src Addr.  Dest Addr.  Protocol  Src Port  Dst Port  SYN  ACK  Notes
New          client     server      TCP       >1023     80        Yes  No   Client opens http connection
Est          server     client      TCP       80        >1023     Yes  Yes  Server acknowledges client
Est          client     server      TCP       >1023     80        No   Yes  Connection established
Est          server     client      TCP       80        >1023     No   Yes  Connection established

Page 13: What to do?

• Control!
  – Who gets in
  – What comes in
  – Who goes out
  – What goes out
  – What services are offered
  – Privileges

Page 14: Blockers and Observers

• Blockers
  – Filters
  – Firewalls
  – ACLs
• Observers
  – IDS

Page 15: Packet Filters

• Look at the packet
  – Varying depths of information in headers
• Accept or reject
  – Depending on rules and filter type
• Three types
  – Static
  – Stateful
  – Proxy

Page 16: Static Packet Filters

• Inspect only the IP address and packet header
• Each packet is accepted or rejected based only on the info in that packet
• Fast
• Simple

Page 17: Stateful Packet Filters

• Tracks the state of each connection
  – Maintains a state table of every connection
  – Remembers permitted traffic
• Accepts or rejects based on the packet's place in a state table

Page 18: TCP: Connection-oriented Protocol

• TCP
  – Connection states are well defined
  – Start-up
  – Connected
  – Shutting down

Page 19: TCP States (RFC 793)

• CLOSED
  – Non-state
• LISTEN
  – Server waiting for a connection
• SYN-SENT
  – Host sent a SYN
  – Waiting for a SYN-ACK
• SYN-RCVD
  – Host received SYN
  – Sent SYN-ACK
• ESTABLISHED
  – After SYN, SYN-ACK, ACK have been sent
• FIN-WAIT-1
  – After the initial FIN is sent asking for a graceful shutdown
• CLOSE-WAIT
  – Host's state after FIN received and ACK has been sent

Page 20: TCP States (RFC 793)

• FIN-WAIT-2
  – Host has received ACK in response to its FIN and waits for the final FIN
• LAST-ACK
  – State of host who has sent the second FIN to gracefully close; waits for acknowledgement
• TIME-WAIT
  – State of initiating host having sent final ACK to a received ACK. Wait for a specific time; no response is expected
• CLOSING
  – The state employed when a non-standard simultaneous close is used

Page 21: TCP States: 3-way handshake

Client                          Server
CLOSED                          LISTEN
SYN-SENT      --- SYN --->
              <-- SYN ACK --    SYN-RCVD
ESTABLISHED   --- ACK --->      ESTABLISHED

Page 22: TCP States: Graceful Shutdown

Client                          Server
ESTABLISHED                     ESTABLISHED
FIN_WAIT_1    --- FIN --->      CLOSE_WAIT
FIN_WAIT_2    <--- ACK ---
              <--- FIN ---      LAST_ACK
TIME_WAIT     --- ACK --->      CLOSED
CLOSED

Page 23: TCP States: Simultaneous Shutdown

Client                          Server
FIN_WAIT_1    --- FIN --->
              <--- FIN ---      FIN_WAIT_1
CLOSING       --- ACK --->
              <--- ACK ---      CLOSING
TIME_WAIT                       TIME_WAIT
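As an added example (not from the slides), the three diagrams on pages 21-23 as a small per-host RFC 793 state machine that replays each side's events; the event names (send:SYN, recv:FIN, timeout) are the example's own, and an event with no defined transition is reported the way a stateful filter would judge that packet, as invalid.

```python
# Per-host TCP state machine from RFC 793, restricted to the transitions the
# slides draw: 3-way handshake, graceful shutdown, simultaneous close. Events
# are the host's own SYN/FIN sends plus segments it receives; the plain ACKs it
# sends in reply are implied by the receiving transition.
TRANSITIONS = {
    ("CLOSED", "listen"):          "LISTEN",       # passive open (server)
    ("CLOSED", "send:SYN"):        "SYN-SENT",     # active open (client)
    ("LISTEN", "recv:SYN"):        "SYN-RCVD",     # server replies SYN-ACK
    ("SYN-SENT", "recv:SYN-ACK"):  "ESTABLISHED",  # client replies ACK
    ("SYN-RCVD", "recv:ACK"):      "ESTABLISHED",
    ("ESTABLISHED", "recv:ACK"):   "ESTABLISHED",  # data and acks in flight
    ("ESTABLISHED", "send:FIN"):   "FIN-WAIT-1",   # ask for graceful shutdown
    ("ESTABLISHED", "recv:FIN"):   "CLOSE-WAIT",   # peer's FIN received and ACKed
    ("FIN-WAIT-1", "recv:ACK"):    "FIN-WAIT-2",
    ("FIN-WAIT-1", "recv:FIN"):    "CLOSING",      # simultaneous close
    ("FIN-WAIT-2", "recv:FIN"):    "TIME-WAIT",
    ("CLOSE-WAIT", "send:FIN"):    "LAST-ACK",
    ("LAST-ACK", "recv:ACK"):      "CLOSED",
    ("CLOSING", "recv:ACK"):       "TIME-WAIT",
    ("TIME-WAIT", "timeout"):      "CLOSED",       # wait a set time, expect nothing
}

def step(state, event):
    """Next state, or None when RFC 793 defines no such transition."""
    return TRANSITIONS.get((state, event))

def run(events, start="CLOSED"):
    """Replay one host's events and return the states visited; the first event
    with no legal transition is recorded as INVALID and stops the replay."""
    states = [start]
    for ev in events:
        nxt = step(states[-1], ev)
        if nxt is None:
            states.append("INVALID:" + ev)
            break
        states.append(nxt)
    return states

# Event scripts for the diagrams on slides 21, 22 and 23.
HANDSHAKE_CLIENT = ["send:SYN", "recv:SYN-ACK"]
HANDSHAKE_SERVER = ["listen", "recv:SYN", "recv:ACK"]
GRACEFUL_INITIATOR = ["send:FIN", "recv:ACK", "recv:FIN", "timeout"]
GRACEFUL_RESPONDER = ["recv:FIN", "send:FIN", "recv:ACK"]
SIMULTANEOUS_CLOSE = ["send:FIN", "recv:FIN", "recv:ACK", "timeout"]

if __name__ == "__main__":
    for name, script, start in [("client open", HANDSHAKE_CLIENT, "CLOSED"),
                                ("graceful close", GRACEFUL_INITIATOR, "ESTABLISHED"),
                                ("stray ACK", ["recv:ACK"], "CLOSED")]:
        print(f"{name:15}", " -> ".join(run(script, start)))
```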

Page 24: UDP – States

• Is connectionless
• Has no connection concept
• Has no sequence numbers
• IP addresses and ports are all we have
• Pseudo-states are based on IP and ports
• Shutdown is based on time out
• ICMP is UDP's error handler
• UDP/ICMP relation is important for pseudo-state tracking

Page 25: Firewall

• Purpose
  – Control inbound and outbound traffic
  – Control in accordance with a set of rules
  – Reduce risk of LAN compromise
  – Ensure you are a good network citizen
• Configuration
  – Multi-ported host
  – Set of rules and actions
  – Set of states

Page 26: Firewalls

• Computer System
• Actions
• Rules
• States

Page 27: Firewalls: System

• Computer System
  – Fast
  – Memory
  – At least 2 network interfaces (Internal, External)
  – Sometimes only 1 interface: a desktop that does no routing

Page 28: Firewalls: Actions

• Firewalls inspect all inbound and outbound network traffic
• Three actions possible
  – Accept – permit flow
  – Reject – send icmp error message
  – Drop – stealth mode
• Logs action

Page 29: Firewalls: Rules

• Ingress rules – actions for inbound packets
• Egress rules – actions for outbound packets

Example:

Src Addr.  Dest Addr.   Protocol  Src Port  Dst Port  SYN  FIN  Action
any        172.16.13.3  TCP       >1023     22        Yes  No   Accept

Page 30: Firewalls: States

• New
  – Packets establishing a connection (tcp)
• Established
  – Connection established and packet is related
• Related
  – Packet is related to an established connection but different protocol or port
• Invalid
  – Not one of the above
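An added example, not the slides' own code: a toy stateful filter that applies the page-29 rule shape and the page-30 states (New, Established, Related, Invalid), then replays the ssh and active-mode ftp exchanges tabulated on pages 9 and 11. 172.16.13.3 is the slides' example server; the client address 10.0.0.5 and the ephemeral ports are constructed, and the rule set (ssh and ftp command port open to any source) is assumed.

```python
from collections import namedtuple
# A packet as the slide tables describe it: addresses, ports, SYN and ACK flags.
Pkt = namedtuple("Pkt", "src dst sport dport syn ack", defaults=(False, False))

# Ingress rules in the slide-29 shape: inbound TCP from a source port >1023 with
# SYN set and ACK clear may open a connection to these (dst addr, dst port).
INGRESS_NEW = {("172.16.13.3", 22), ("172.16.13.3", 21)}  # assumed rule set

class StatefulFilter:
    def __init__(self):
        self.table = {}  # unordered endpoint pair -> "NEW" or "ESTABLISHED"

    @staticmethod
    def key(p):
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def ftp_control_up(self, server, client):
        """True if an ESTABLISHED ftp command connection client <-> server:21 exists."""
        return any(st == "ESTABLISHED" and (server, 21) in k and client in dict(k)
                   for k, st in self.table.items())

    def classify(self, p):
        """Slide-30 state of one packet; updates the state table as a side effect."""
        k = self.key(p)
        if k in self.table:                         # packet belongs to a tracked flow
            if p.ack:                               # reply or later segment
                self.table[k] = "ESTABLISHED"
                return "ESTABLISHED"
            return "NEW" if self.table[k] == "NEW" else "INVALID"  # SYN retransmit
        if not (p.syn and not p.ack):
            return "INVALID"                        # mid-stream segment with no state
        if p.sport == 20 and p.dport > 1023 and self.ftp_control_up(p.src, p.dst):
            self.table[k] = "NEW"                   # active-mode data conn: slide 11 "Rel"
            return "RELATED"
        if p.sport > 1023 and (p.dst, p.dport) in INGRESS_NEW:
            self.table[k] = "NEW"
            return "NEW"
        return "INVALID"

def replay(packets):
    """Run packets through a fresh filter -> [(state, action), ...]. Policy:
    Accept NEW/ESTABLISHED/RELATED and silently Drop INVALID (slide 28)."""
    fw = StatefulFilter()
    return [(s, "Drop" if s == "INVALID" else "Accept") for s in map(fw.classify, packets)]

if __name__ == "__main__":
    C, S = "10.0.0.5", "172.16.13.3"  # constructed client address; the slides' server
    print(replay([Pkt(C, S, 40000, 22, syn=True), Pkt(S, C, 22, 40000, syn=True, ack=True),
                  Pkt(C, S, 40000, 22, ack=True), Pkt("198.51.100.7", S, 5555, 22, ack=True)]))
```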

Page 31: Firewalls: Internet Services

• Application protocols will determine the firewall rules
• Crucial to know how a connection is established
• Crucial to know how a connection is maintained

Page 32: Firewalls: Info for Rules

• Source port
• Destination port
• SYN flag
• ACK flag
• Connection state
• Source IP
• Destination IP
• Protocol