Presented by
NGUYEN CAO DAT
(dat@dit.hcmut.edu.vn)
Outline
Attacks and Network Security Goals
Cryptography and Applications
Denial-of-Service and Solutions
Firewall and Linux
Lab
Summary
Attacks
Passive Threats
Active Threats
Summary
Basic Tool:
Cryptography: Confidentiality, Authentication
Internet Threat Model:
DOS (Denial Of Service) and Solutions
Internet Security Mechanisms, Standards:
Secure Tunnels: TLS/SSL, IPsec
Intrusion detection, Firewalls, …
Cryptographic Algorithms
Secret key cryptography:
Data Encryption Standard (DES)
Triple DES, AES, IDEA, …
Public key cryptography:
RSA algorithm
Hash Algorithms:
Message digest, MD5
Both the sender and the receiver use the same secret key.
Example:
One-Time Pad (bitwise XOR)
US (NIST) Standards:
1977-2000: DES (56-bit key)
2001: AES (128-bit key)
Dept. of IT - HCMC Univ. of Technology Page 15
[Figure: DES diagram; labels: 3rd phase, key is 56 bits, bit positions 63..0, IV feeding the XOR stages]
Hash Algorithms
The message digest algorithm MD5:
Designed by Ron Rivest.
Uses 128-bit hash values.
The secure hash algorithm SHA-1:
Designed by the NSA and standardized by NIST.
Uses 160-bit hash values encoded in 5 x 32-bit words.
The family SHA-256, SHA-384, SHA-512:
They will be part of the NIST Cryptographic Toolkit.
problems.
[Figure: stages of a distributed denial-of-service attack: 1. Cracking, 2. Signalling, 3. Flooding; shown between the ISP and the Target]
Incomplete Solutions
Fair Queue
Weighted Fair Queueing (WFQ)
User Fair Queueing (UFQ)
Class-Based Weighted Fair Queueing (CBWFQ)
Integrated Services and Differentiated Services
RSVP & QoS
http://www.isi.edu/div7/rsvp/.index.html
Firewall Architectures
Firewall in Linux
Introduction to Iptables
Mini-lab
Introduction to Firewalls
• What is a firewall?
• Isolates an organization's internal net from the larger Internet, allowing some packets to pass and blocking others.
[Figure: firewall placed between the administered network and the public Internet]
Types of Firewall
Packet-filtering firewall: at the network layer
Application-level gateway: at the application layer
[Figure: communication layers, top to bottom: Application, Presentation, Session, Transport, Network, Data Link, Physical]
Firewall in Linux
Before kernel 2.2: ipfwadm
kernel 2.2.x: IP Chains
After kernel 2.3.15: netfilter
http://www.netfilter.org/ is the main site for the package.
Tutorial and HOW-TO manuals are available there.
Netfilter supports:
Standard packet filtering
Stateful inspection
Masquerading
Complete address translation (NAT/PAT)
Load balancing
Traffic shaping
User-level module creation
IPTABLES (cont.)
How does IPTABLES work?
The different types of packets the firewall will manage:
Forwarded: coming from other hosts, destined for other hosts
Input: destined for localhost
Output: generated by localhost
A packet passes through tables and chains before being:
Forwarded: sent to its destination
Passed to a local process
Dropped or rejected
...
Depending on the packet type (forwarded, input, output) it traverses different chains.
IPTABLES (cont.)
The big picture: traversing of tables and chains
IPTABLES (cont.)
Input packets path
1. On the wire
2. Firewall interface
3. PREROUTING chain
- Mangle table
- NAT table
4. Routing decision
5. INPUT chain
- FILTER table
6. Local application/process
IPTABLES (cont.)
MANGLE table
Allows packet parameters to be changed:
TOS: Type Of Service; allows routing policies to be implemented using iptables.
TTL: Time To Live; send packets to the Internet Service Provider with the same TTL (making it more difficult for some ISPs to check whether you are using the connection).
MARK: used by iproute2 to make different routing decisions (bandwidth limiting and class-based queueing).
IPTABLES (cont.)
Connection tracking
IPTABLES with connection tracking
IPTABLES (cont.)
IPTABLES mini Howto
Operations to manage whole chains
-N: create a new chain
-P: change the policy of a built-in chain
-L: list the rules in a chain
-F: flush the rules out of a chain
Manipulate rules inside a chain
-A: append a new rule to a chain
-I: insert a new rule at some position in a chain
-R: replace a rule at some position in a chain
-D: delete a rule in a chain
IPTABLES (cont.)
IPTABLES mini Howto
TCP Extensions:
--tcp-flags: filter on specific flags
--syn: shorthand for --tcp-flags SYN,RST,ACK SYN
--source-port (or --sport): specify the source port
--destination-port (or --dport): specify the destination port
UDP Extensions:
--sport and --dport
IPTABLES (cont.)
CASE STUDY : ACCEPT
[root@firewall]# iptables -F
[root@firewall]# iptables -P INPUT DROP
[root@firewall]# iptables -P OUTPUT DROP
[root@firewall]# iptables -P FORWARD DROP
[root@firewall]# iptables -A FORWARD -p icmp \
--icmp-type echo-request -d 192.168.0.10 -j ACCEPT
[user@192.168.1.1]#ping 192.168.0.10
PING 192.168.0.10 (192.168.0.10) from 192.168.1.1: 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=254 time=0.360 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=254 time=0.319ms
[user@192.168.0.10]# tcpdump -n
12:07:00.061966 192.168.1.1 > 192.168.0.10: icmp: echo request
12:07:00.062148 192.168.0.10>192.168.1.1: icmp: echo reply
[user@192.168.1.1]#ping 192.168.0.10
PING 192.168.0.10 (192.168.0.10) from 192.168.1.1: 56(84) bytes of data.
CTRL^C
[user@192.168.0.10]# tcpdump -n
CTRL^C
IPTABLES (cont.)
CASE STUDY : REJECT
[root@firewall]# iptables -F
[root@firewall]# iptables -P INPUT ACCEPT
[root@firewall]# iptables -P OUTPUT ACCEPT
[root@firewall]# iptables -P FORWARD ACCEPT
[root@firewall]# iptables -A FORWARD -p icmp \
--icmp-type echo-request -d 192.168.0.10 -j REJECT
[user@192.168.1.1]#ping 192.168.0.10
PING 192.168.0.10 (192.168.0.10) from 192.168.1.1: 56(84) bytes of data.
From 192.168.0.254 icmp_seq=1 Destination port Unreachable
From 192.168.0.254 icmp_seq=1 Destination port Unreachable
[user@192.168.0.10]# tcpdump -n
CTRL^C
IPTABLES (cont.)
CASE STUDY : DNAT
"DNAT to HTTP"
[root@firewall]# iptables -t nat -A PREROUTING -p TCP -i eth1 -d 217.58.102.74 \
--dport 80 -j DNAT --to-destination 10.0.0.10
"DNAT to DNS"
[root@firewall]# iptables -t nat -A PREROUTING -p TCP -i eth1 -d 217.58.102.75 \
--dport 53 -j DNAT --to-destination 10.0.0.11
[root@firewall]# iptables -t nat -A PREROUTING -p UDP -i eth1 -d 217.58.102.75 \
--dport 53 -j DNAT --to-destination 10.0.0.11
"DNAT to SMTP"
[root@firewall]# iptables -t nat -A PREROUTING -p TCP -i eth1 -d 217.58.102.76 \
--dport 25 -j DNAT --to-destination 10.0.0.12
"DNAT to POP3"
[root@firewall]# iptables -t nat -A PREROUTING -p TCP -i eth1 -d 217.58.102.75 \
--dport 110 -j DNAT --to-destination 10.0.0.12
IPTABLES (cont.)
CASE STUDY: SNAT or MASQUERADING
Mini-lab
Introduction
In this lab we will be using iptables to implement a better firewall than the
somewhat lacking Red Hat default.
Be sure to make a backup copy of your original rules file in case of
catastrophic mistakes!
Reference Material
Iptables Tutorial 1_1_19.htm
Important Files
/etc/rc.d/init.d/iptables: This script is used to start and restart iptables. You don't need to edit it at all, just use it. You may want to take a peek inside to see how it works too.
/etc/sysconfig/iptables: This file holds the rules for your firewall. We're going to start from scratch and build up a complete set of rules for our systems, so all your editing should take place here.
Mini-lab
Procedure
1) Enable IP forwarding
# echo 1 > /proc/sys/net/ipv4/ip_forward
2) Remove any existing rules from all chains
# iptables --flush
# iptables -t nat --flush
# iptables -t mangle --flush
3) Unlimited traffic on the loopback interface
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT
4) Set the default policy to drop
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP
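The four lab steps above leave a firewall that forwards nothing. As an added example (not the lab's own script), the script below continues them with the connection-tracking, --syn and SNAT/MASQUERADING material from the earlier slides; it assumes eth0 faces the Internet and eth1 the LAN 192.168.0.0/24, neither of which the slides specify.

```shell
#!/bin/sh
# Added example, not the lab's own script: continues the mini-lab's four steps with
# the connection-tracking and masquerading slides into one complete rule set.
# Assumed (not from the slides): eth0 faces the Internet, eth1 the LAN 192.168.0.0/24.
WAN=eth0
LAN=eth1
LAN_NET=192.168.0.0/24
# Print the rules as a script so they can be reviewed before they are applied;
# on the lab's Red Hat layout the same rules would end up in /etc/sysconfig/iptables.
build_rules() {
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Connection tracking: packets belonging to an already accepted flow pass in every chain
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only the LAN may open new connections toward the Internet, and new TCP flows must start with SYN
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -p tcp ! --syn -m state --state NEW -j DROP
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -m state --state NEW -j ACCEPT
# SNAT/MASQUERADING: rewrite LAN source addresses to the firewall's own address on the way out
iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
# The firewall host itself: outbound connections allowed, inbound only SSH from the LAN
iptables -A OUTPUT -o $WAN -m state --state NEW -j ACCEPT
iptables -A INPUT -i $LAN -s $LAN_NET -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
EOF
}
# Run the generated script (needs root); without --apply the rules are only printed.
apply_rules() {
    build_rules | sh
}
# Number of iptables commands in the generated rule set, for a quick sanity check.
rule_count() {
    build_rules | grep -c '^iptables'
}
if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    build_rules
fi
```

Run it without arguments first and read the output; only then run it as root with --apply, with the backup of the original rules file the lab asks for already made.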