VNSA220 Cyber Self Defense
Firewalls and Port Scanning
Erik Golen

What is a “firewall”?
• Row houses
• Fire travels
[Diagram: a row of 100 sq. ft. offices separated by firewalls; fire travels from one office to the next, and the firewall does not put out the fire.]

Purpose of a firewall
• Block flames from entering your home
• Prevent the spreading of a fire
• Prevent your neighbors’ mistakes from burning down your house

What a firewall does not do!
• Put fires out
• Protect your neighbor from burning their own house down
• Stop someone from starting a fire inside your house

What is a Computer Firewall?
• Software or device which protects your computer from
– (Some) attacks by malicious users or by malicious software
– Unsolicited incoming network traffic that might attack your computer
– Prevent unauthorized access to or from a system or a private network

Purpose of a computer firewall
• Block attacks from entering your computer
• Prevent the spreading of an attack (to you)
• Prevent your neighbors’ mistakes from bringing down your computer

What a computer firewall does not do!
• Kill an attack that is already inside your computer
• Protect your neighbor from getting their own computer attacked
• Stop someone inside your computer from attacking it

How does a firewall do it?
• Creates a barrier to traffic (i.e. a border check point)
• Checks each piece of traffic against a set of rules
• Drops, forwards, rejects and/or logs
– Allow vs deny rules

Placement of firewalls
• Personal (software)
– ZoneAlarm
– Norton Security Suite
– Only protects a single system
– Protects from local and remote attacks
• Appliance (hardware)
– Cisco PIX
– Astaro
– Can protect several systems on a LAN
– Does not protect from attacks by local systems

Method of intervention – Firewall Techniques
• Packet Filtering
• Circuit-Layer Gateway
• Application Gateway/Proxy Server

Packet filters
• Looks at each packet that enters or leaves the network
• Accepts or rejects the packet based on user-defined rules (source, destination, type)
• Fairly effective and transparent, but it is difficult to configure
• Susceptible to IP spoofing
• Stateless (does not know if a packet is part of a new or an existing connection)

Circuit-layer gateway
• Applies security mechanisms when a Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) connection is established
• “Stateful”
• After the connection has been established, packets can flow between the hosts without further checking

Application gateway/Proxy server
• Applies security mechanisms to specific programs, such as FTP and Telnet
• Very effective, but can cause performance degradation
• Intercepts all messages that enter and leave the network
• Effectively hides the true network addresses
• Tailored to each application

Application proxies
• Have access to the whole range of information in the network stack
• Make decisions based on basic authorization (the source, the destination, and the protocol), and can also filter offensive or disallowed commands in the data stream
• Inherently “stateful,” meaning that they keep the “state” of connections

Hardware Firewalls Use NAT
• Network Address Translation
– Rewrites IPs in and out
– Shares a single outside IP address
– Hides the actual source IP address
– May filter based on source or destination IP
– May direct incoming traffic to an internal IP

References
• Description of a Personal Firewall
– http://support.microsoft.com/kb/321050

Port Scanning

Port Scanning
• Attacker sees which ports are open or closed
• Check to see which neighborhood doors are unlocked

Ports
• 0 – 65535 doors to check
• TCP – connection oriented
• UDP – connectionless
• 0 – 1023 are well known or standard
• > 1023 are non-standard
• http://www.iana.org/

Even more ports
• echo 7/tcp Echo (returns an exact copy of the packet sent to it)
• ftp-data 20/tcp File Transfer
• ftp 21/tcp File Transfer
• telnet 23/tcp Telnet
• www-http 80/tcp World Wide Web
• Simple Mail Transfer Protocol 25
– Obvious target for a Denial of Service attack

Scanning
• Send request
• Connect to target ports
• Check for response

Problems for Attacker
• Their scan is detected
• See the connect attempt with no data

Attacker Countermeasures
• Stealth scan (many scans at once)
• Fragmented packets
• SYN Scan (TCP connection setup)
• FIN Scan (TCP connection teardown)
• XMAS Tree Scan (URG, PUSH, FIN flags set, first byte says 00101001)
• Null (no specific port is targeted)

Detecting a Scan
• Monitoring
• Logging
• Alerts & thresholds
• Tools
– http://www.zonealarm.com/store/content/home.jsp

Running a Port Scan
• Policy, Permission
• Tools
– Nmap
– http://www.t1shopper.com/tools/portscanner/
– http://www.auditmypc.com/
– http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
...
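The Packet filters and Circuit-layer gateway slides above contrast header-only filtering with connection tracking. As an added illustration that is not part of the lecture, the following Python sketch (rule set, packet fields and all addresses are constructed) shows why a stateless filter must admit any inbound packet that merely looks like a reply, while a circuit-layer gateway admits only packets belonging to a circuit it saw being set up.

```python
from collections import namedtuple

# One TCP segment at the firewall (constructed). direction is "in" (from the
# Internet) or "out" (from the LAN); flags holds "S" for SYN and "A" for ACK.
Packet = namedtuple("Packet", "direction src sport dst dport flags")

# Stateless rule set, (action, direction, sport, dport, required_flag); None = any.
# A packet filter judges every packet on its header alone, so replies to outbound
# web requests have to be admitted by a header-only rule (rule 2).
RULES = [
    ("allow", "out", None, 80, None),   # LAN hosts may open web connections
    ("allow", "in", 80, None, "A"),     # from port 80 with ACK set: looks like a reply
    ("deny", None, None, None, None),   # default deny
]

def stateless_filter(pkt, rules=RULES):
    """Packet filter: the first matching rule decides."""
    for action, direction, sport, dport, flag in rules:
        if ((direction is None or direction == pkt.direction)
                and (sport is None or sport == pkt.sport)
                and (dport is None or dport == pkt.dport)
                and (flag is None or flag in pkt.flags)):
            return action
    return "deny"

class CircuitGateway:
    """Circuit-layer gateway: rules are consulted only when a connection is set up
    (SYN without ACK); later packets of that circuit flow without further checking."""
    def __init__(self, rules=RULES):
        self.rules = rules
        self.table = set()   # (src, sport, dst, dport) of established circuits
    def check(self, pkt):
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.table or reverse in self.table:
            return "allow"
        if pkt.flags == "S" and stateless_filter(pkt, self.rules) == "allow":
            self.table.add(forward)   # remember the new circuit
            return "allow"
        return "deny"

def demo():
    """Verdicts (stateless, stateful) for a constructed spoofed inbound packet."""
    gw = CircuitGateway()
    gw.check(Packet("out", "10.0.0.5", 40001, "198.51.100.7", 80, "S"))   # LAN opens web
    gw.check(Packet("in", "198.51.100.7", 80, "10.0.0.5", 40001, "SA"))   # server replies
    # Source port 80 plus ACK set, aimed at SSH, with no connection behind it.
    probe = Packet("in", "203.0.113.9", 80, "10.0.0.5", 22, "A")
    return stateless_filter(probe), gw.check(probe)
```

demo() returns ("allow", "deny"): the stateless filter is fooled by the reply-shaped header, the gateway is not.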
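For the Detecting a Scan slide above (monitoring, logging, alerts and thresholds), here is an added Python example that is not from the lecture: it parses a constructed firewall drop log with an assumed line format, flags the XMAS-tree flag byte 00101001 (URG, PSH, FIN) the Attacker Countermeasures slide describes, and raises an alert when one source touches many distinct ports within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime

# TCP flag bits of the flags byte; URG|PSH|FIN = 0x29 = 0b00101001 is the
# "XMAS tree" pattern the lecture describes.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = URG | PSH | FIN

# Constructed firewall drop log; the line format is assumed, not any product's own.
LOG = """\
2009-05-27 10:00:01 DROP TCP 203.0.113.9:51000 -> 10.0.0.5:21 flags=0x02
2009-05-27 10:00:01 DROP TCP 203.0.113.9:51001 -> 10.0.0.5:22 flags=0x02
2009-05-27 10:00:02 DROP TCP 203.0.113.9:51002 -> 10.0.0.5:23 flags=0x02
2009-05-27 10:00:02 DROP TCP 203.0.113.9:51003 -> 10.0.0.5:25 flags=0x02
2009-05-27 10:00:03 DROP TCP 203.0.113.9:51004 -> 10.0.0.5:80 flags=0x02
2009-05-27 10:04:10 DROP TCP 198.51.100.77:4444 -> 10.0.0.5:80 flags=0x29
2009-05-27 10:09:00 DROP TCP 192.0.2.4:33000 -> 10.0.0.5:445 flags=0x02
"""

LINE = re.compile(r"^(\S+ \S+) DROP TCP (\d+\.\d+\.\d+\.\d+):\d+ -> "
                  r"\S+:(\d+) flags=0x([0-9a-fA-F]{2})$")

def parse(log):
    """Return (timestamp, source IP, destination port, flags byte) per dropped packet."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:   # lines in any other format are skipped
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), int(m.group(3)), int(m.group(4), 16)))
    return events

def detect(events, port_threshold=5, window_s=60):
    """Alerts: ("xmas", src, port) for the XMAS flag byte, and ("scan", src, n)
    when one source hits n >= port_threshold distinct ports within window_s seconds."""
    alerts, hits = [], defaultdict(list)
    for ts, src, dport, flags in events:
        if flags == XMAS:
            alerts.append(("xmas", src, dport))
        hits[src].append((ts, dport))
    for src, probes in hits.items():
        probes.sort()
        for i, (t0, _) in enumerate(probes):   # sliding window starting at each probe
            ports = {p for t, p in probes[i:] if (t - t0).total_seconds() <= window_s}
            if len(ports) >= port_threshold:
                alerts.append(("scan", src, len(ports)))
                break
    return alerts
```

The single drop from 192.0.2.4 stays below the threshold, which is the point of thresholds: one stray connect attempt is noise, many distinct ports in a minute is a scan.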
This note was uploaded on 05/27/2009 for the course NSSA 4050-220 taught by Professor Golen during the Fall '08 term at RIT.