
Network Security Administrator

Module VIII: Packet Filtering and Proxy Servers

Module Objectives
~ Introduction of NAT
~ Application Layer Gateways
~ Defining: VPN, IDS
~ Packet Filtering
~ Packet Filtering Approaches
~ Filtering by TCP/UDP Port Number
~ Filtering ACK flags
~ Filtering Packet Contents
~ Proxy servers
~ Authentication Process
~ Authentication Process Types

EC-Council

Copyright by EC-Council All Rights reserved. Reproduction is strictly prohibited

Module Flow
[Flow diagram with the boxes: NAT, Application Layer Gateways, VPN, IDS, Packet Filtering, Packet Filtering Approaches, Filtering by TCP/UDP Port Number, Filtering ACK Flags, Proxy servers, Authentication Process, Authentication Process Types]


Network Address Translation


~ Conceals the TCP/IP information of hosts in the network
~ Functions as a network layer proxy, making requests on behalf of all internal hosts over the network
~ Converts the IP address of internal hosts to the IP address of the firewall
~ NAT-equipped firewall receives the request and replaces the genuine IP address


NAT

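[Figure: NAT. A private network with the addresses 11.0.0.1, 11.0.0.2, 11.0.0.3, 11.0.0.4, 11.0.0.5 and 11.0.0.6 and a router sits behind a firewall with the address 24.44.8.0, which faces the Internet. The request comes from 11.0.0.3; the server gets the request from 24.44.8.0.]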


Application Layer Gateways


~ Also known as a proxy server; operates at the application layer of the OSI model
    - Controls network access by establishing proxy services
    - Inspects the content in the packet header to decide whether to grant or deny access
~ Security Techniques:
    - Load balancing: Divides the traffic load and enables firewalls to monitor the traffic
    - IP address mapping: Maps a static IP address to the private IP address of a computer
    - Filtering content: Blocks files, file names, keywords, e-mail attachments or content types
    - URL filtering: Blocks a site's DNS name

Application Proxies
~ Acts on behalf of a host; handles requests, rebuilds them and forwards them to the intended location
~ Compatible with a dual-homed host or screened host system
~ Dual-Homed Host: Lies between the internal LAN and the Internet
    - Proxy server software makes requests and forwards packets from the Internet


Packet Filtering
~ Blocks or allows transmission of packets on the basis of port, IP address and protocol
~ Common rules for packet filtering are:
    - Drop all inbound connections
    - Eliminate packets destined for all ports unavailable to the Internet
    - Filter ICMP redirect and echo messages
    - Drop all packets using the IP header source routing feature


Packet Filtering: Devices

~ Routers: Common packet filters that prevent unauthorized traffic from intruding into the network
~ Operating Systems: Windows and Linux have built-in utilities that perform packet filtering on the TCP/IP stack
~ Software Firewalls: Check Point Firewall-1 performs stateful filtering


Packet Filtering: Approaches


~ Stateless (static) Packet Filtering:
    - Reviews packet header contents and decides whether to allow or discard the packets
    - Blocks traffic from a subnet or other traffic
~ Stateful Packet Filtering (Stateful Inspection): Maintains connection status, while performing all functions of stateless packet filtering


Stateless Packet Filtering


~ Determines whether data transfer is to flow or to be blocked, without considering whether a connection is established or not
~ Used to completely block the traffic

Configuration:
    - IP header information
    - TCP/UDP port number in use
    - The flags (the ACK, SYN)
    - ICMP message type
    - Fragmentation


Filtering Based On IP Header


~ Compares header data against the rule base and forwards packets that match the criteria on the basis of:
    - Packet's source IP address
    - Destination or target IP address
    - Protocol for the host requesting access
    - IP protocol and ID field in the header


TCP Flags in a Packet Header


Filtering Based On TCP/UDP Port Number


~ Also called port filtering or protocol filtering
~ Filters a wide variety of information like:
    - SMTP and POP e-mail messages
    - NetBIOS sessions
    - DNS requests
    - Network News Transfer Protocol (NNTP) newsgroup sessions


Filtering Based On Fragmentation Flags


~ Fragmenting the packets allows them to traverse the network with ease despite their size
~ Only the first frame carries the port number
~ Down side of fragmentation: Modifying the IP header of packets to start with number 1 lets them pass through the network
    - Measure to keep the fragments from traversing the network: Employ a firewall to reassemble the fragments and to pass the complete packets to the network
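
The reassembly measure above, as an added example that is not part of the original slides: a per-fragment port filter is compared with a filter that rebuilds each datagram first. The blocked port, the addresses and the sample fragments are constructed assumptions.

```python
from collections import defaultdict

BLOCKED_PORTS = {23}  # assumed policy for this example: inbound telnet is denied

def per_fragment_filter(frag):
    """Stateless view: only the fragment at offset 0 exposes the port number."""
    if frag["offset"] == 0:
        return "drop" if frag["dport"] in BLOCKED_PORTS else "allow"
    return "allow"  # no port visible, so a naive port filter lets it through

def reassemble_then_filter(frags):
    """Rebuild each datagram from its fragments, then apply the port rule once
    to the complete packet. Incomplete or inconsistent sets are dropped."""
    groups = defaultdict(list)
    for f in frags:
        groups[(f["src"], f["dst"], f["id"])].append(f)
    verdicts = {}
    for key, parts in groups.items():
        parts.sort(key=lambda f: f["offset"])
        expected, complete = 0, True
        for i, f in enumerate(parts):
            last = i == len(parts) - 1
            # Offsets must be contiguous from 0; only the last fragment clears "more".
            if f["offset"] != expected or f["more"] == last:
                complete = False
                break
            expected += len(f["data"])
        if not complete:
            verdicts[key] = "drop: incomplete fragment set"
        elif parts[0]["dport"] in BLOCKED_PORTS:
            verdicts[key] = "drop: blocked port"
        else:
            verdicts[key] = "allow"
    return verdicts

def frag(ident, offset, more, data, dport=None):
    # Constructed sample fragment; offsets are in bytes here (real IP uses 8-byte units).
    return {"src": "198.51.100.7", "dst": "10.0.0.6", "id": ident,
            "offset": offset, "more": more, "data": data, "dport": dport}

SAMPLE = [
    frag(1, 0, True, b"x" * 8, dport=80), frag(1, 8, False, b"y" * 4),
    frag(2, 8, False, b"z" * 4),          # no first fragment: starts at "number 1"
    frag(3, 0, True, b"x" * 8, dport=23), frag(3, 8, False, b"y" * 4),
]
```

The per-fragment filter passes the lone fragment of datagram 2 and the second fragment of datagram 3, while the reassembling filter drops both datagrams.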


Filtering Based On ICMP Message Type


~ ICMP enables the network to handle communication problems
~ Hackers exploit ICMP packets to crash computers on the network
~ ICMP packets have no authentication method to verify the authenticity of the packet
~ Firewall/packet filter determines the authenticity of the ICMP packet


Filtering Based On ICMP Message Type

ICMP Type   Name                          Possible Cause
0           Echo reply                    Normal response to a ping
3           Destination unreachable       Destination unreachable
3 code 6    Destination network unknown   Destination network unknown
3 code 7    Destination host unknown      Destination host unknown
4           Source quench                 Router receiving too much traffic
5           Redirect                      Faster route located
8           Echo request                  Normal ping request
11          Time exceeded                 Too many hops to destination
12          Parameter problem             There is a problem with parameter

Filtering Based On ACK Flags

~ ACK flag: Indicates either connection request or connection establishment
    - Hacker can set ACK flag to 1
    - Configure the firewall to allow access to ports and to specify the direction of data flow in the ports when the ACK flag is set to 1


Filtering Suspicious Inbound packets


~ Firewall alerts on the arrival of a packet from the external network that contains an internal network's IP address
~ Firewalls allow the user to set the permitting or denying of packets:
    - Case-by-case basis
    - Automatically, by setting rules
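
An added example, not part of the original slides, of setting such rules automatically: a stateless inbound filter that applies the internal-source check above together with the common rules listed earlier (source routing, ICMP redirect and echo, unavailable ports). The internal network range, the published ports and the sample packets are constructed assumptions.

```python
import ipaddress

# Assumptions for this example: 10.0.0.0/24 is the internal network and the
# firewall publishes only TCP/80 and TCP/25 to the Internet.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")
PUBLISHED = {("tcp", 80), ("tcp", 25)}
SOURCE_ROUTE_OPTIONS = {131, 137}   # IP option types LSRR and SSRR
ALLOWED_ICMP = {0, 3, 11}           # echo reply, unreachable, time exceeded

def filter_inbound(pkt):
    """Stateless verdict for a packet arriving on the external interface.
    Only header fields are consulted; returns (verdict, reason)."""
    if ipaddress.ip_address(pkt["src"]) in INTERNAL_NET:
        return ("drop", "internal source address on external interface")
    if SOURCE_ROUTE_OPTIONS & set(pkt.get("ip_options", ())):
        return ("drop", "IP source routing option present")
    if pkt["proto"] == "icmp":
        if pkt["icmp_type"] in ALLOWED_ICMP:
            return ("allow", "permitted ICMP type")
        return ("drop", "filtered ICMP type")  # covers redirect (5), echo request (8)
    if (pkt["proto"], pkt.get("dport")) in PUBLISHED:
        return ("allow", "published service")
    return ("drop", "port not available to the Internet")

# Constructed sample packets (documentation address ranges for outside hosts).
SAMPLES = [
    {"src": "198.51.100.7", "proto": "tcp", "dport": 80},
    {"src": "10.0.0.9", "proto": "tcp", "dport": 80},
    {"src": "198.51.100.7", "proto": "tcp", "dport": 80, "ip_options": [131]},
    {"src": "198.51.100.7", "proto": "icmp", "icmp_type": 5},
    {"src": "198.51.100.7", "proto": "icmp", "icmp_type": 8},
    {"src": "198.51.100.7", "proto": "icmp", "icmp_type": 3},
    {"src": "198.51.100.7", "proto": "udp", "dport": 137},
]

def alerts(packets):
    """Return (source, reason) for every dropped packet, as a firewall log would."""
    out = []
    for p in packets:
        verdict, reason = filter_inbound(p)
        if verdict == "drop":
            out.append((p["src"], reason))
    return out
```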


Stateful Packet Filtering


~ Maintains records of the state of the connection
~ Maintains a state table that holds the list of current connections
~ Consults the state table and the rule base when a packet is encountered
~ Permits packets based on previously accepted packets


Stateful Packet Filtering


[Figure: stateful packet filtering between a host on the internal Ethernet, a router and the Internet]

1. Host attempts to connect to www.course.com
2. Router checks the state table and sees that no connection exists; state entry is created and the request is passed to the rule base
3. Rule that internal hosts access TCP/80 exists; packets are allowed to pass through
4. Packets received by the course.com Web server; SYN/ACK reply sent to firewall
5. Packets received; state table entry referenced
6. Packets allowed to pass

State Table
    Source IP: www.course.com
    Source port: 70
    Destination IP: 10.0.0.6
    Destination port: 1087
    Transport: TCP
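
The six steps above and the earlier slide on ACK flags, as an added example that is not part of the original slides: a small state table and rule base, compared with a stateless rule that passes any inbound packet with ACK set. The host 10.0.0.6 and port 1087 come from the slide's state table; port 80 follows the rule in step 3, and the external addresses are constructed stand-ins.

```python
# Assumptions: 10.0.0.6:1087 is the internal host from the slide's state table,
# 203.0.113.10 stands in for www.course.com, 198.51.100.7 is an unrelated host.
ALLOW_OUT = {("tcp", 80)}   # rule base: internal hosts may access TCP/80

class StatefulFilter:
    def __init__(self):
        self.state = set()  # entries: (int_ip, int_port, ext_ip, ext_port, proto)

    def outbound(self, pkt):
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], "tcp")
        if key in self.state:                 # existing connection
            if "RST" in pkt["flags"]:
                self.state.discard(key)       # connection torn down
            return "allow"
        # No entry: only a bare SYN that matches the rule base creates one.
        if pkt["flags"] == {"SYN"} and ("tcp", pkt["dport"]) in ALLOW_OUT:
            self.state.add(key)
            return "allow"
        return "drop"

    def inbound(self, pkt):
        # A reply is accepted only if it mirrors a recorded connection.
        key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"], "tcp")
        return "allow" if key in self.state else "drop"

def stateless_ack_rule(pkt):
    """Stateless rule: inbound TCP passes whenever the ACK flag is set."""
    return "allow" if "ACK" in pkt["flags"] else "drop"

def tcp(src, sport, dst, dport, *flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": set(flags)}

def run_demo():
    """Walk the six steps of the slide, then test an unsolicited ACK packet."""
    fw = StatefulFilter()
    syn = tcp("10.0.0.6", 1087, "203.0.113.10", 80, "SYN")
    syn_ack = tcp("203.0.113.10", 80, "10.0.0.6", 1087, "SYN", "ACK")
    stray = tcp("198.51.100.7", 80, "10.0.0.6", 1087, "ACK")  # no prior SYN
    return {
        "steps 1-3, SYN out": fw.outbound(syn),
        "steps 4-6, SYN/ACK in": fw.inbound(syn_ack),
        "stray ACK, stateful": fw.inbound(stray),
        "stray ACK, stateless": stateless_ack_rule(stray),
    }
```

The stray ACK packet is allowed by the stateless rule and dropped by the stateful filter, because no state table entry mirrors it.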


Filtering Based On Packet Contents


~ Stateful Inspection:
    - Examines the contents of packets and headers to ensure reliability
~ Proxy Gateway:
    - Examines the data in a packet and evaluates which application should handle it
~ Specialty Firewall:
    - Examines the body of e-mail messages or Web pages to identify malicious content


Overview of Proxy Servers


~ Other Names:
    - Proxy services
    - Application-level gateways
    - Application proxies
~ Scans and acts on the data part of an IP packet
~ Working:
    - Intercepts a request from an internal network computer and transmits it to the destination computer on the Internet

Proxy Server Vs Packet Filtering


~ Scan the complete data part of IP packets and create elaborate log file listings
~ Restructure the packet with new source IP information, which protects internal users from outsiders
~ Server on the Internet and an internal host are never directly connected to one another
~ More vital to network communications


Goals of Proxy Servers


~ Conceals Internal Clients
    - Hides internal clients from external clients who try to gain access to internal networks
~ Blocks URLs
    - Prevents employees from visiting websites that offer content regarded as inappropriate by the management
~ Blocks and Filters Content
    - Scans the packets for contents that can cause troubles
~ Protects E-mail Proxy
    - Protects users surfing the Internet including e-mails


Goals of Proxy Servers (Cont)


~ Improves Performance
    - Decreases the access time for documents requested frequently
~ Ensures Security
    - Provides a reliable checkpoint to monitor network activity
~ Provides user authentication
    - Enhances security when used in combination with authentication
~ Redirects URLs
    - Scans specific parts of the data part of an HTTP packet and redirects it to a specific location


Proxy Server Based Firewalls


~ Transparent Proxies
    - Can be configured to be completely invisible to the end users
~ Nontransparent Proxies
    - Require client software to be configured to use the server software
~ SOCKS-Based Proxies
    - SOCKS Protocol: Enables the establishment of generic proxy applications
    - SOCKS Features: Has security-related advantages


Firewall: Authentication Process

~ Process of identifying users and providing network services based on their identity
~ Types of authentication:
    - Basic authentication: Server matches the username-password pair supplied by the client
    - Challenge-response authentication: Firewall generates a random code or number, termed the challenge
    - Centralized authentication service: Centralized server handles the three practices: Authentication, Authorization, Auditing


Firewalls Implementing The Authentication Process


~ Client sends a request to access a resource
~ Firewall interrupts the request and prompts the user for name and password
~ User submits information to the firewall
~ User is authenticated
~ Request is verified against the firewall's rule base
~ If the request matches an existing allow rule, the user is granted access
~ User accesses the required resources


Firewalls: Types Of Authentication Process

~ User authentication:
    - Basic type of authentication where the user is given access to resources by verifying username and password
~ Client authentication:
    - Identical to user authentication with the addition of usage restrictions
~ Session authentication:
    - Requests authentication whenever a client establishes a session to connect to a network resource


Summary
~ NAT hides the TCP/IP information of hosts in the network and converts IP addresses of hosts to that of firewalls and vice versa
~ Proxy servers limit network access by setting proxy services
~ Application proxies are compatible with a dual-homed host or screened host system to handle requests of intended clients
~ VPN connections are limited to machines with specific IP addresses
~ IDS alerts the administrator to attacks
