Network Security

NETWORK SECURITY
Presented by
NGUYEN CAO DAT
(dat@dit.hcmut.edu.vn)
Outline
Attacks and Network Security Goals
Cryptography and Applications
Denial-of-Service and Solutions
Firewall and Linux
Lab
Dept. of IT - HCMC Univ. of Technology Page 2

Attacks and Network Security Goals
Attacks: Passive Threats, Active Threats

Network Security Goals
Summary
Attacks

Passive Threats
Passive Threats

Active Threats
Active Threats

Active Threats
Active Threats

Network Security Goals
Confidentiality
Sender encrypts message
Receiver decrypts message
Privacy
Authentication
who created or sent the data ?
Integrity
Ensure message are not altered
Non-repudiation
the order is final
Access and Availability
prevent misuse of resources
permanence, non-erasure
Summary
Basic Tool:
Cryptography: Confidentiality, Authentication
Internet Threat Model:
DOS (Denial Of Service) and Solutions
Internet Security Mechanisms, Standards:
Secure Tunnels:TSL/SSL, IP-Sec
Intrusion detection, Firewalls, …
…

Cryptography and Applications
- Cryptographical Algorithms
- Discussion and Applications
- Mini-lab
Cryptographical Algorithms
Secret key cryptography:
Data Encryption Standard (DES)
Triple DES, AES, IDEA, …
Public key cryptography:
RSA algorithm
Hash Algorithms:
Message digest, MD5

Symmetric Key
Both the sender and the receiver use the same secret
keys
Example:
One-Time Pad (bitwise XOR)
US (NIST)Standards:
1977-2000 : DES (56 bit Key)
2001 : AES (128 bit Key)
Data Encryption Standard (DES)

DES encrypts a 64-bit block 1st phase
of plain text using a 64-bit key
Three phases: Round 1
Permute the 64 bits in the block
Apply a given operation 16 .. key
.

times on the 64 bits 2nd phase

Permute the 64 bits using the
inverse of the original
Round 16
permutation
3rd phase

Operation in Each Round of 2nd Phase
Key is 56 bits 63 0
Each round the key is

63 32 31 0
modified and 48 bits are Li-1 Ri-1
selected from it. Given F Ki
result Ki, the following
+
operations are performed:
Li Ri
Li = Ri −1
Ri = Li −1 ⊕ F ( Ri −1 , K i )
Encrypting Larger Messages

Initialization Vector (IV) is a random
number generated by sender and sent
together with the ciphertext
Block1 Block2 Block3 Block4
IV + + + +
DES DES DES DES
Cipher1 Cipher2 Cipher3 Cipher4

Public Key
Sender uses a public key, Receiver uses a private key

RSA
RSA: Generating Public and Private Keys
Choose two large prime numbers p and q (>= 256

bit long) and multiply them: n = p*q
Chose encryption key e such that e and (p-1)*(q-1)
are relatively prime
Compute decryption key d, where
d = e-1 mod ((p-1)*(q-1))
Construct public key from pair (n, e)
Construct private key from pair (d, n)

RSA Encryption and Decryption
Encryption:
c = me mod n
Decryption:
m = cd mod n
Example:
Choose p = 7 and q = 11 Æ n = p*q = 77
Compute encryption key e: (p-1)*(q-1) = 6*10 = 60 Æ chose e = 13 (13
and 60 are relatively prime numbers
Compute decryption key d: d = 13-1 mod 60 Æ 13*d mod 60 = 1 mod 60
Æ d = 37 (37*13 = 481)
n = 77; e = 13; d = 37
Send message m = 7
Encryption: c = me mod n = 713 mod 77 = 35
Decryption: m = cd mod n = 3537 mod 77 = 7
Hash Algorithms
The message digest algorithm MD5:
Ron Rivest
Uses 128 bit hash values.
The secure hash algorithm SHA-1:
NSA and standardized by NIST.
uses 160 bit hash values encoded in 5 x 32 bit words.
The family SHA-256, SHA-384, SHA-512:
They will be part of the NIST Cryptographic Toolkit.

MD5
Plaintext corrupted msg Plaintext
NO
=
digest’
Digest Internet Digest
(MD5) (MD5)
digest
Basic property: digest operation very hard to invert

In practice someone cannot alter the message without
modifying the digest
Discussion and Applications

Symmetric Key
Can provide confidentiality
No mathematical proof, but practical evidence suggests that decrypting a
message without knowing the key requires exhaustive search
To increase security use triple-DES, AES
Public Key
Can provide confidentiality
Receiver A computes n, e, d, and sends out (n, e)
Everyone who wants to send a message to A uses (n, e) to encrypt it
How difficult is to recover d ? (Someone that can do this can decrypt any
message sent to A!)
Recall that
d = e-1 mod ((p-1)*(q-1))
So to find d, you need to find primes factors p and q
(This is provable very difficult)

Hash Algorithms
Message and file integrity
authentication
Secure login
fingerprints of keys
Applications
Confidentiality (encryption)
Messages authentication
Signatures and Certificates

Message Authentication Code (MAC)

Digital Signatures

Certification Authorities

Certificates
Encrypt message
Validate signature

Certificates

Mini-lab
Install and using the following packages :
libdes-3.01.tgz (DES)
eliptic-2.1.0.tgz (RSA)
md5_c.tar.gz (MD5)
Additional references:
http://www.eskimo.com/~weidai/algorithms.html
http://www.ssh.fi/support/cryptography/algorithms/
http://kremlinencrypt.com/algorithms.htm
http://www.homeport.org/~adam/crypto/
http://munitions.vipul.net/
http://albin.abo.fi/~ernylund/des.html
http://inet.uni2.dk/~svolaf/des.htm
Denial-of-Service and Solutions

Introduction
Types of Attacks and Solutions
Local DOS against hosts
Network Based DOS attacks (OS Fingerprinting, UDP bombing,
TCP SYN flooding, PING of death, Smurf attack)

Distributed Denial of Service (DDOS)
Introduction
The goal of a denial of service attack:
Disrupts service to a computer or network resource.
Deny legitimate users access to a particular resource.
Because of resource exhaustion
Resource exhaustion:
Disk Space
CPU Cycles
Memory
Network Bandwidth
Application Resources
TCP Stack
Web Connections
Types of attacks and Solutions

Local DOS against hosts
fork() bomb
Intentionally generate errors to fill logs, consuming
disk space, crashing
…
Solutions
Partition disks
Disk quotas
Set process limits
Monitor system activity/CPU/Disk Usage
Types of attacks and Solutions (cont.)
Network Based DOS attacks
Most involve either resource exhaustion or corruption
of the operating system runtime environment.
OS Fingerprinting
UDP bombing
TCP SYN flooding
PING of death
Smurf attack

OS Fingerprinting
OS Fingerprinting is a method of detecting the remote
host’s operating system using information leaked by
that host’s TCP stack.
To do this, we use:
the responses it gives to carefully crafted packets (active
mode)
Or by observing captured network traffic (passive mode).
NOTE: These methods are possible because each OS
implements their TCP stack differently.

OS Fingerprinting
OS TCP stack implementation differences
Differences between OSes : BSD, many changes
Differences between OS versions: patch to their TCP stacks
“Strange Attractors and TCP/IP Sequence Number Analysis”
Paper by Michal Zalewski in 2001
Studied, and graphed the randomness of Initial Sequence
Numbers of various operating systems.
Graphs the output of 100,000 ISNs for each OS.
Attempts an ISN attack on each OS, and lists the difficulty for
each.
Final Verdict:
OpenBSD is great, Linux is pretty good. Others have big
problems.

OS Fingerprinting
OS Dectection
Using Nmap(Network Mapper)
http://www.insecure.org/nmap/index.html
Nmap is a free open source utility for network exploration or
security auditing. It was designed to rapidly scan large
networks, although it works fine against single hosts. Nmap
uses raw IP packets in novel ways to determine what hosts are
available on the network, what services (application name and
version) those hosts are offering, what operating systems (and
OS versions) they are running, what type of packet
filters/firewalls are in use, and dozens of other characteristics.

OS Fingerprinting
Defeating OS Fingerprinting
A number of methods for doing this are explained in “A
practical approach for defeating Nmap OS-Fingerprinting” by
David Barroso Berrueta, 2003
http://voodoo.somoslopeor.com/papers/nmap.html
The best method he describes is the IP Personality project.
This is a Linux kernel module that allows you to change the IP
stack behavior and 'personality‘ of your system.
It allows you to have multiple network personalities depending
on parameters that you can specify as an iptables rule.
Thus, with this project, not only can you protect your own
machine, but with a Linux NAT firewall, you can mask the OS
fingerprint of all hosts on your network.

UDP bombing
UDP services (echo, chargen):
used in the past for network testing.
enabled by default on most systems.
These services can be used to launch a DOS by connecting the
chargen to echo ports on the same or another machine and
generating large amounts of network traffic.
Solution
Disable echo, chargen and all other unused services whenever
possible.
Filter UDP traffic at the firewall level. Only allow legitimate
traffic such as UDP port 53 (DNS)

TCP SYN Flooding
Referred to as the TCP “half-open” attack
B A C (masquerading B)
)
, seq=(Sb,?
flags=SYN
+ACK,
flags=SYN
b)
seq=(Sa,S
A
A allocates
allocates kernel
kernel resource
resource
for
for handling
handling the
the starting
starting connection
connection
No
No answer
answer from
from B…
B…
B…
120
120 sec
sec timeout
timeout Denial of Services
Free
Free the
the resource
resource
kernel resources exhausted

TCP SYN Flooding (Cont.)
Solution
SYN Flood Protection
TCP Intercept (Cisco Routers)
SYN Defender (Checkpoint Firewall 1)
SYN Flood Prevention
Increase the listen queue (depend on OS)
Aggressive timeouts.
Use an OS impervious to this attack
Apply all vendor patches.
SYN Flood remedies
Use a cache of half-open connections
When the cache is full, drop waiting half-opens randomly
Impact of floods reduced
SYN Cookies !!!

Ping of Death
The TCP/IP specification allows for a maximum packet
size of 65,536 octets.
The ping of death attack sends oversized ICMP
datagrams (encapsulated in IP packets) to the victim.
Some systems, upon receiving the oversized packet,
will crash, freeze, or reboot, resulting in denial of
service.
Solution
Most systems are now immune, but apply vendor patches if
needed.

Smurf Attacks

Smurf Attacks (cont.)
Solution
Configure routers to deny IP broadcast traffic onto your
network from other networks. In almost all cases, IP-directed
broadcast functionality is not needed.
Configure hosts (via kernel variable) to NOT reply to a packet
sent to a broadcast address
Configure Ingress/Egress filters on routers to counteract IP
address spoofing.
1. Cracking
2. Signalling 3. Flooding
ISP Target
mbehring

ICMP Flood, UDP Flood, SYN Flood, Smurf attacks.
DOS Toolkits
DDOS Programs
Trin00 (WinTrinoo): Used in the February 2000 attacks on eBay,
Amazon, CNN, etc.
Tribe Flood Network (TFN) (TFN2k)
Shaft
Stacheldraht
Mstream
Information
http://staff.washington.edu/dittrich/misc/ddos/
Newsgroups
Do a Google search for Denial of Service

Detections:
RID
Sends out packets and listens for reply
Detects Trinoo, TFN, Stacheldraht
NIPC - find_ddos tool
Runs on local system
Detects Trinoo, TFN, TFN2k
Bindview’s Zombie Zapper
Tells DDOS slave to stop flooding traffic

Incomplete Solutions
Fair Queue
Weighted Fair Queueing (WFQ)
User Fair Queueing (UFQ)
Class-Based Weighted Fair Queueing (CBWFQ)
Integrated Services and Differentiated Services
RSVP & QoS
http://www.isi.edu/div7/rsvp/.index.html
Weighted Fair Queueing (WFQ)

RSVP
Bibliography
1. Introduction to Network Security, Amir Herzberg, 2003
2. Network Security, Ion Stoica, 2002
3. Topics in Network Security ELEN689-604/CPSC689-605;
Narasimha Reddy, Riccardo Bettati, Andreas Klappenecker
4. OS Fingerprinting For Fun and Profit, Christopher Soghoian,
2003.

Firewall and Linux
Introduction to Firewalls
Types of Firewall
Firewall Architectures
Firewall in Linux
Introduction to Iptables
Mini-lab
Introduction to Firewalls
• What is Firewalls ?
• Isolates organization’s internal net from larger
Internet, allowing some packets to pass,
blocking others.
administered public
network Internet

Introduction to Firewalls (cont.)
What firewalls can do:
A firewall is a focus for security decisions
A firewall can enforce a security policy, i.e. concerning access control
A firewall can log Internet activity efficiently
A firewall can limit exposure to security problems in one part of a
network
What firewalls can not do:
A firewall can’t protect against malicious insiders
A firewall can’t protect against connections that don’t go through it
If, for example, there is a modem pool behind a firewall that provides PPP
service to access a subnetwork, the firewall can not provide any protection
against malicious traffic from dial-in users
A firewall can’t protect against completely new threats
A firewall can’t fully protect against viruses
A firewall can’t set itself up correctly.

Two Fundamental Approaches Regarding Firewall Policy
Default deny strategy:
“Everything that is not explicitly permitted is denied”
Examine the services the users of the protected network need
Consider the security implications of these services and how the
services can be safely provided
Allow only those services that can be safely provided and for which
there is a legitimate need
Deny any other service
Default permit strategy:
“Everything that is not explicitly forbidden is denied”
Permit every service that is not considered dangerous
Example:
Network file system (NFS) and X-Windows is not permitted across the
firewall
Incoming telnet connections are only allowed to one specific host

What Internet Services & Protocols are to be Considered?
Electronic mail: simple mail transfer protocol (SMTP)
File exchange: file transfer protocol (FTP), network file system (NFS)
Remote terminal access and command execution: telnet, rlogin, ssh
Usenet news: network news transfer protocol (NNTP)
World wide web: hypertext transfer protocol (HTTP)
Information about people: finger
Real-time conferencing services: CUseeMe, Netmeeting, Netscape
conference, MBone tools, ...
Name services: domain name service (DNS)
Network management: simple network management protocol (SNMP)
Time service: network time protocol (NTP)
Window systems: X-Windows
Printing systems: line printing protocols (LPR/LPD)
Types of Firewall
Packet-filtering firewall Communication Layers
At the network layer
Application
Application-level gateway
Presentation
At the application layer
Session
Transport
Network
Data Link
Physical

Types of Firewall (cont.)
Stateful vs. Stateless Firewalls
Stateless firewalls can make filter decision based only
on:
Source/destination addresses and ports
Stateful firewalls associate a packet to a state and can
make decision base on:
The most common firewall now.
Source/destination addresses and ports
State of the packet

should arriving
packet be allowed
in? Departing packet
let out?
Network layer - Packet Filtering

Network layer - Packet Filtering
Internal network connected to Internet via router
firewall
Router filters packet-by-packet, decision to
forward/drop packet based on:
Source IP address, destination IP address
TCP/UDP source and destination port numbers
ICMP message type
Eventually, specific protocol flags (TCP’s SYN and ACK)
The network interface a packet has been received on

Network layer - Packet Filtering (cont.)
More elaborate packet filtering:
Stateful or dynamic packet filtering:
Example 1: “Let incoming UDP packets through only if they are responses to
outgoing UDP packets that have been observed”
Example 2: “Accept TCP packets with the SYN bit set only as part of TCP
connection initiation”
Protocol checking:
Example 1: “Let in packets bound for the DNS port, but only if they are formatted
like DNS packets”
Example 2: “Do not allow HTTP transfers to these sites”
However, more elaborate packet filtering consumes more resources!
Actions of a packet filter:
Pass the packet
Drop the packet
Eventually, log the passed or dropped packet (entirely or parts of it)
Eventually, pass an error message to the sender (may help an attacker!)

Application layer - Application gateways
Users authenticate themselves to create connection.
Depend on application service: telnet, www, ftp, …
Proxy Server
Example
Allow select internal users to telnet outside.
Users authenticate themselves to create telnet connection.
Solution
Router filter blocks all telnet connections not originating from
gateway.
For authorized users, gateway sets up telnet connection to dest
host. Gateway relays data between 2 connections

gateway-to-remote
host telnet session
host-to-gateway
telnet session
router and filter

application
gateway
Application layer - Application gateways

Firewall Architectures
• The most simple architecture just consists of a packet

filtering router.
• It can be either realized with:
• A standard workstation (e.g. Linux PC) with at least two
network interfaces plus routing and filtering software
• A dedicated router device, which usually also offers filtering
capabilities
Firewall Architectures (cont.)
• The dual-homed host provides:

- Proxy services to internal and / or external clients
- Eventually packet filtering capabilities if it is also acting as a router
• Properties of the dual-homed host:
- It has at least two network interfaces
• Drawback: As all permitted traffic passes through the bastion
host, this might introduce a performance bottleneck

• The packet filter:

- Allows permitted IP traffic to flow between the screened host and the Internet
- Blocks all direct traffic between other internal hosts and the Internet
• The screened host provides proxy services:
- Despite partial protection by the packet filter the screened host acts as a
bastion host
• A perimeter (DMZ) network is created between two packet filters

• The inner packet filter serves for additional protection in case the
bastion
host is ever compromised:
- For example, this avoids a compromised bastion host to sniff on internal traffic
• The perimeter (DMZ) network is also a good place to host a publicly
accessible information server, e.g. a www-server
• A dual-homed bastion host splits the perimeter network in two distinct

networks. This provides defense in depth, as:
- The dual-homed bastion host provides finer control on the connections as his
proxy services are able to interpret application protocols
- The bastion host is protected from external hosts by an outer packet filter
- The internal hosts are protected from the bastion host by an inner packet filter
Firewall in Linux
Before kernel 2.2 : ipfwadm
kernel 2.2.x : IP Chains
After kernel 2.3.15 : netfilter
http://www.netfilter.org/ is main site for the package.
Tutorial and HOW-TO manual is available there.
Netfilter supports:
Standard packet filtering
Statfull inspection
Maquerading
Complete address translation (NAT/PAT)
Load balancing
Traffic shaping
Allow user-level module creation

IPTABLES
Mastering IPTABLES mini Howto
Learn basics about TCP/IP
Undestand connection tacking system
Learn iptables chains and tables scheme
Learn iptables syntax
Use a simple network and test it many times
Enjoy iptables
Good thinks about IPTABLES
Connection tracking
Additional modules
Optional userland modules
IPTABLES (cont.)
How does IPTABLES work ?
The different types of packets the firewall will manage:
Forwarded: coming from other hosts, destinated to other hosts
Input: destinated for localhost
Output: generated by localhost
A packet passes through Tables and Chains before to be:
Forwarded: sent to destination
Passed to a local process
Dropped, rejected
...
Depending on packet type (forwarded, input, output) it traverse
different chains.

IPTABLES (cont.)
Chains and Tables
IPTABLES uses 5 default chains:
PREROUTING: packet coming from other hosts
FORWARD: packet to be forwarded
INPUT: packet destinated to localhost
OUTPUT: packet generated by localhost
POSTROUTING: packet going out to other hosts
Every chain “contains” one or more tables.
Tables are:
Mangle
Filter
NAT
IPTABLES (cont.)
The big picture: traversing of tables and chains

IPTABLES (cont.)
Forwarded packets path
1. On the wire
2. Firewall interface
3. PREROUTING chain
- Mangle table
- NAT table
4. Routing decision
5. FORWARD chain
- Filter table
6. POSTROUTING chain
- NAT table
7. Outgoing interface on the wire again
IPTABLES (cont.)
Input packets path
1. On the wire
2. Firewall interface
3. PREROUTING chain
- Mangle table
- NAT table
4. Routing decision
5. INPUT chain
- FILTER table
6. Local application/process

IPTABLES (cont.)
Output packets path
1. Local application/process
2. OUTPUT chain
- Mangle table
- NAT table
- FILTER table
3. Routing decision
4. POSTROUTING chain
- NAT table
5. Correct local interface on the wire
IPTABLES (cont.)
MANGLE table
Allow to change parameters
TOS: Type Of Service, allow to implement routing policies
using iptables
TTL: Time To Live. Send packet to the Internet Service
Provider with the same TTL (making more difficult for some
ISP to check if you are using the connection)
MARK: used by iproute2 to make different routing decision
(bandwidth limiting and class based queuing)

IPTABLES (cont.)
Network Address Translation (NAT) table
Destination NAT (DNAT): Allow to change destination
address. Useful to receive packets from Internet
redirecting them to Internal LAN services (like services
running on servers inside DMZ network)
Source NAT (SNAT): Allow to hide internal DMZ
network. The Firewall change the source address of
outgoing packets using it’s own internet IP address (a
public one)
NOTE: This allow DMZ and Trusted networks to use
private Internet addresses like 192.168.1.0/24 and
172.28.0.0/16.
IPTABLES (cont.)
Connection tracking
IPTABLES with connection tracking
Use your Linux box become a stateful Firewall
“ALLOW TO WRITE TIGHTER RULES”
“YOU DON’T NEED TO OPEN ALL PORTS > 1024”

IPTABLES (cont.)
Connection tracking
PREROUTING chain make decision about packet states, possible
states are:
NEW: the packet is new in the connection
ESTABLISHED: the packet is part of an established connection
RELATED: the packet is NEW in the connection but the connection
is related to an already ESTABLISHED connection
ex: ICMP message are related to the relative connection
ex: FTP-DATA stream is related to the FTP-CONTROL one
ex: More complicated TCP/UDP protocols needs additional modules to be
understood as related
INVALID: Packet that cannot be identified and does not have a valid
state. Is good practice to always DROP INVALID packets
IPTABLES (cont.)
IPTABLES mini Howto
Operations to manage whole chains
N: create a new chain
P: change the policy of built-in chain
L: list the rules in a chain
F: flush the rules out of a chain
Manipulate rules inside a chain
A: append a new rule to a chain
I: insert a new rule at some position in a chain
R: Replace a rule at some position in a chain
D: delete a rule in a chain

IPTABLES (cont.)
IPTABLES mini Howto
Some filtering specifications:
j: specify the rule target
s: specify the source addresses
d: specify the destination addresses
p: specify the protocol used (e.g. tcp, udp, icmp)
i: specify the input interface
o: specify the output interface
!: specify the inversion (i.e. NOT)
IPTABLES (cont.)
IPTABLES mini Howto
TCP Extensions:
--tcp-flags: filter on specific flags
--syn: shorthand of --tcp-flags SYN, RST, ACK SYN
--source-port (or --sport): specify the source port
--destination port (or --dport): specify the destination
port
UDP Extensions:
--sport and --dport

IPTABLES (cont.)
Examples
Drop all icmp (such as ping) packets
# iptables –A INPUT –p icmp –j DROP
Flush all chains
# iptables –F
List all existing rules
# iptables –L
Accept the telnet service from machine
(143.248.37.197)
# iptables –A INPUT –p tcp –s 143.248.37.197 –d 0/0
--dport 23 –j ACCEPT
IPTABLES (cont.)
CASE STUDY : ACCEPT
[root@firewall]#iptables –F
[root@firewall]#iptables –P INPUT DROP
[root@firewall]#iptables –P OUTPUT DROP
[root@firewall]#iptables –P FORWARD DROP
[root@firewall]#iptables –A FORWARD –p icmp \
--icmp-type echo-request –d 192.168.0.10 –jACCEPT
[user@192.168.1.1]#ping 192.168.0.10
PING 192.168.0.10 (192.168.0.10) from 192.168.1.1: 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=254 time=0.360 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=254 time=0.319ms
[user@192.168.0.10]#tcpdump –n
12:07:00.061966 192.168.1.1 > 192.168.0.10: icmp: echo request
12:07:00.062148 192.168.0.10>192.168.1.1: icmp: echo reply

IPTABLES (cont.)
CASE STUDY : DROP
[root@firewall]#iptables –P INPUT ACCEPT
[root@firewall]#iptables –P OUTPUT ACCEPT
[root@firewall]#iptables –P FORWARD ACCEPT
--icmp-type echo-request –d 192.168.0.10 –jDROP
[user@192.168.1.1]#ping 192.168.0.10
CTRL^C
CTRL^C
IPTABLES (cont.)
CASE STUDY : REJECT
[root@firewall]#iptables –P INPUT ACCEPT
[root@firewall]#iptables –P OUTPUT ACCEPT
[root@firewall]#iptables –P FORWARD ACCEPT
--icmp-type echo-request –d 192.168.0.10 –jREJECT
[user@192.168.1.1]#ping 192.168.0.10
From 192.168.0.254 icmp_seq=1 Destination port Unreachable
From 192.168.0.254 icmp_seq=1 Destination port Unreachable
CTRL^C

IPTABLES (cont.)
CASE STUDY : DNAT
IPTABLES (cont.)
CASE STUDY : DNAT
“DNAT to HTTP”
[root@firewall]# iptables –t nat –A PREROUTING –p TCP –i eth1 -d 217.58.102.74 \
- -dport 80 -j DNAT --to-destination 10.0.0.10
“DNAT to DNS”
[root@firewall]# iptables –t nat –A PREROUTING –p UDP –i eth1 -d 217.58.102.75 \
“DNAT to SMTP”
“DNAT to POP3”

IPTABLES (cont.)
CASE STUDY : DNAT
[213.178.208.130]#telnet 217.58.102.74 80
Trying 217.58.102.74...
Connected to host74-102.pool21758.interbusiness.it (217.58.102.74).
Escape character is '^]'.
[fw]# tcpdump -i eth1 dst host 10.0.0.10

tcpdump: listening on eth1
21:59:05.665687 213.178.208.130.37795 > 10.0.0.10.http: S 1475560217:1475560217(0) win 5840 <mss
1460,sackOK,timestamp 87998393 0,nop,wscale 0> (DF) [tos 0x10]
21:59:05.749653 213.178.208.130.37795 > 10.0.0.10.http: . ack 1855920720 win 5840 <nop,nop,timestamp
87998402 126118625> (DF) [tos 0x10]
[10.0.0.10]#tcpdump -n host 213.178.208.130

22:06:13.467533 213.178.208.130.37795 > 10.0.0.10.http: S 1475560217:1475560217(0) win 5840 <mss
1460,sackOK,timestamp 87998393 0,nop,wscale 0> (DF) [tos 0x10]
22:06:13.467587 10.0.0.10.http > 213.178.208.130.37795: S 1855920719:1855920719(0) ack 1475560218 win 5792
<mss 1460,sackOK,timestamp 126118625 87998393,nop,wscale 0> (DF)
22:06:13.551483 213.178.208.130.37795 > 10.0.0.10.http: . ack 1 win 5840 <nop,nop,timestamp 87998402
126118625> (DF) [tos 0x10]
IPTABLES (cont.)
CASE STUDY: SNAT or MASQUERADING
[fw]#iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j SNAT \

--to-source 217.58.102.77 <- SNAT
[fw]#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE <- MASQUERADING
[root@192.168.0.10]# telnet 140.105.16.57 80

Trying 140.105.16.57...
Connected to 140.105.16.57.
Escape character is '^]'.
[root@140.105.16.57]# tcpdump -n host 217.58.102.77

09:40:44.405824 217.58.102.77.32947 > 140.105.16.57.http:
S 3222243845:3222243845(0) win 5840
<mss 1460,sackOK,timestamp 1968354 0,nop,wscale 0> (DF) [tos 0x10]

Bibliography
1. Building Internet Firewalls. Second Edition, E. Zwicky, S. Cooper,
B. Chapman, O’Reilly, 2000.
2. Internet Firewalls and Security, C. Semeria, 3Com Technical
Paper, 1996.
3. Keeping Your Site Comfortably Secure, J. P. Wack, L.J. Carnahan.
4. An Introduction to Internet Firewalls. NIST Special Publication
800-10, 1995.
5. Firewalls and Linux, Simone Grassi
6. Iptables tutorial 1.1.18, Oskar Andreasson
7. “Firewall on Linux” - poletti@niscent.com
Mini-lab
Introduction
In this lab we will be using iptables to implement a better firewall than the
somewhat lacking Red Hat default.
Be sure to make a backup copy of your original rules file in case of
catastrophic mistakes!
Reference Material
Iptables Tutorial 1_1_19.htm
Important Files
/etc/rc.d/init.d/iptables : This script is used to start and restart iptables.
You don’t need to edit it at all, just use it. You may want to take a peek
inside to see how it works too.
/etc/sysconfig/iptables : This file is holds the rules for your firewall. We’re
going to start from scratch and build up a complete set of rules for our
systems, so all your editing should take place here.

Mini-lab
Network Topology
• Firewall: eth0(172.28.12.1/24), eth1(172.28.11.1/24

• Server: 172.28.11.2/24
• Outside Workstation: 172.28.12.2/24
Mini-lab
Procedure
1) Enable IP forwarding
# echo 1 > /proc/sys/net/ipv4/ip_forward
2) Remove any existing rules from all chains
# iptables –flush
# iptables -t nat –flush
# iptables -t mangle --flush
3) Unlimited traffic on the loopback interface
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT
4) Set the default policy to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

Mini-lab
Procedure (cont.)
5) Now you are free to get started on your firewalls. following
services MUST be open to the outside world:
HTTP (80/TCP)
SMTP (25/TCP)
DNS (53/UDP,53/TCP)
6) Additionally, you need to think about “essential” ICMP
messages, SSH, FTP
7) Give an example of how the POSTROUTING chain would be
useful (SNAT, DNAT)

Network Security

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Network Security

Uploaded by

Copyright:

Available Formats

NETWORK SECURITY

Dept. of IT - HCMC Univ. of Technology Page 2

 Attacks: Passive Threats, Active Threats

Dept. of IT - HCMC Univ. of Technology Page 4

Dept. of IT - HCMC Univ. of Technology Page 5

Dept. of IT - HCMC Univ. of Technology Page 6

Dept. of IT - HCMC Univ. of Technology Page 7

Dept. of IT - HCMC Univ. of Technology Page 8

Dept. of IT - HCMC Univ. of Technology Page 9

Dept. of IT - HCMC Univ. of Technology Page 10

Dept. of IT - HCMC Univ. of Technology Page 11

Dept. of IT - HCMC Univ. of Technology Page 12

Dept. of IT - HCMC Univ. of Technology Page 14

Data Encryption Standard (DES)

times on the 64 bits 2nd phase

Dept. of IT - HCMC Univ. of Technology Page 16

 Each round the key is

Dept. of IT - HCMC Univ. of Technology Page 17

Encrypting Larger Messages

DES DES DES DES

Cipher1 Cipher2 Cipher3 Cipher4

Dept. of IT - HCMC Univ. of Technology Page 18

 Sender uses a public key, Receiver uses a private key

Dept. of IT - HCMC Univ. of Technology Page 19

RSA: Generating Public and Private Keys

 Choose two large prime numbers p and q (>= 256

Dept. of IT - HCMC Univ. of Technology Page 20

Dept. of IT - HCMC Univ. of Technology Page 21

Dept. of IT - HCMC Univ. of Technology Page 22

 Basic property: digest operation very hard to invert

Dept. of IT - HCMC Univ. of Technology Page 23

Discussion and Applications

Dept. of IT - HCMC Univ. of Technology Page 24

Dept. of IT - HCMC Univ. of Technology Page 25

Discussion and Applications

Dept. of IT - HCMC Univ. of Technology Page 26

Dept. of IT - HCMC Univ. of Technology Page 27

Discussion and Applications

Dept. of IT - HCMC Univ. of Technology Page 28

Dept. of IT - HCMC Univ. of Technology Page 29

Discussion and Applications

Dept. of IT - HCMC Univ. of Technology Page 30

Denial-of-Service and Solutions

TCP SYN flooding, PING of death, Smurf attack)

Dept. of IT - HCMC Univ. of Technology Page 33

Types of attacks and Solutions

Dept. of IT - HCMC Univ. of Technology Page 35

Types of attacks and Solutions (cont.)

Dept. of IT - HCMC Univ. of Technology Page 36

Dept. of IT - HCMC Univ. of Technology Page 37

Types of attacks and Solutions (cont.)

Dept. of IT - HCMC Univ. of Technology Page 38

Dept. of IT - HCMC Univ. of Technology Page 39

Types of attacks and Solutions (cont.)

Dept. of IT - HCMC Univ. of Technology Page 40

Types of attacks and Solutions (cont.)

Dept. of IT - HCMC Univ. of Technology Page 42

Dept. of IT - HCMC Univ. of Technology Page 43

Types of attacks and Solutions (cont.)

Dept. of IT - HCMC Univ. of Technology Page 44

Dept. of IT - HCMC Univ. of Technology Page 45

Distributed Denial of Service (DDOS)

Dept. of IT - HCMC Univ. of Technology Page 46

Attacks: Passive Threats, Active Threats

Each round the key is

Sender uses a public key, Receiver uses a private key

Choose two large prime numbers p and q (>= 256

Basic property: digest operation very hard to invert