2.19.netcontrol2 - Network Control, Cont CS 161 - Computer...

Slide 1: Network Control, Cont.
CS 161 - Computer Security
TAs: John Bethencourt, Erika Chin, Matthew Finifter, Cynthia Sturton, Joel Weinberger
http://inst.eecs.berkeley.edu/~cs161/
Feb 19, 2010
Slide 2: Focus of Today's Lecture
• Finish discussion of packet-filter firewalls
• The general notion of reference monitors
• Firewall limitations
• Virtual Private Networks (VPNs)
• Application proxies
• Network Address Translation (NAT)
Slide 3: Problem: Outbound Connections Fail
1. allow tcp *:* -> 1.2.3.4:25
2. allow tcp 1.2.3.0/24:* -> *:*
3. drop * *:* -> *:*
• Inside host opens TCP connection to port 80 on external machine:
  – Initial SYN packet passed through by rule 2
  – SYN+ACK packet coming back is dropped
    • Fails rule 1 (not destined for port 25)
    • Fails rule 2 (source not inside host)
    • Matches rule 3: DROP
• Fix?
  – In general, we need to distinguish between 2 kinds of inbound packets:
    • Allow inbound packets associated with an outbound connection
    • Restrict inbound packets associated with an inbound connection
  – How do we tell them apart?
    • Approach #1: remember previous outbound connections (takes state)
    • Approach #2: leverage details of how TCP works
Slide 4: Inbound vs. Outbound Connections
• Key TCP feature: ACK bit set on all packets except the first
  – Plus: TCP receiver disregards packets with ACK set if they don't belong to an existing connection
• Solution ruleset:
  1. allow tcp *:* -> 1.2.3.4:25
  2. allow tcp 1.2.3.0/24:* -> *:*
  3. allow tcp *:* -> 1.2.3.0/24:* only if ACK bit set
  4. drop * *:* -> *:*
  – Rules 1 and 2 allow traffic in either direction for inbound connections to port 25 on machine 1.2.3.4
  – Rules 2 and 3 allow outbound connections to any port
Slide 5: How This Ruleset Protects
1. allow tcp *:* -> 1.2.3.4:25
2. allow tcp 1.2.3.0/24:* -> *:*
3. allow tcp *:* -> 1.2.3.0/24:* only if ACK bit set
4. drop * *:* -> *:*
• Suppose an external attacker tries to exploit a vulnerability in SMB (TCP port 445), i.e. attempts to open an inbound TCP connection to an internal SMB server
• Attempt #1: Sends SYN packet to server
  – Packet lacks ACK bit, so no match to Rules 1-3; dropped by Rule 4
• Attempt #2: Sends SYN+ACK packet to server
  – Firewall permits the packet due to Rule 3
  – But then dropped by server's TCP stack (since ACK bit is set, but the packet isn't part of an existing connection)
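The following is an added example, not part of the original lecture slides: a small stateless first-match evaluator for the rule syntax used on slides 3 to 5, so the reader can trace why the original three-rule set drops returning SYN+ACKs while the four-rule set (rule 3 with the ACK-bit condition) admits them yet still blocks inbound SYNs to port 445. The inside host 1.2.3.10 and external host 5.6.7.8 are constructed sample addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    proto: str
    src: str          # source IP address
    sport: int
    dst: str          # destination IP address
    dport: int
    ack: bool = False # TCP ACK bit

@dataclass
class Rule:
    action: str            # "allow" or "drop"
    proto: str             # "tcp" or "*"
    src: str               # address, CIDR block, or "*"
    sport: Optional[int]   # None means "*"
    dst: str
    dport: Optional[int]
    ack_only: bool = False # "only if ACK bit set"

def _match_net(pattern, ip):
    return pattern == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)

def _match_port(pattern, port):
    return pattern is None or pattern == port

def matches(rule, pkt):
    return (rule.proto in ("*", pkt.proto)
            and _match_net(rule.src, pkt.src) and _match_port(rule.sport, pkt.sport)
            and _match_net(rule.dst, pkt.dst) and _match_port(rule.dport, pkt.dport)
            and (not rule.ack_only or pkt.ack))

def filter_packet(rules, pkt):
    """First matching rule wins; returns (action, 1-based rule number). Default deny."""
    for i, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule.action, i
    return "drop", None

# Ruleset from slide 3 (outbound connections fail)
BROKEN = [
    Rule("allow", "tcp", "*", None, "1.2.3.4", 25),
    Rule("allow", "tcp", "1.2.3.0/24", None, "*", None),
    Rule("drop", "*", "*", None, "*", None),
]
# Solution ruleset from slide 4: rule 3 admits inbound packets only if the ACK bit is set
FIXED = BROKEN[:2] + [
    Rule("allow", "tcp", "*", None, "1.2.3.0/24", None, ack_only=True),
    Rule("drop", "*", "*", None, "*", None),
]
```

Note that the evaluator, like the slides' ruleset, is stateless: an inbound SYN+ACK to port 445 is passed by rule 3 and it is the server's TCP stack, not the firewall, that discards it.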
Slide 6: Security Principle: Reference Monitors
• Firewalls embody useful principles that are applicable elsewhere in computer security

This note was uploaded on 04/14/2010 for the course CS 161 taught by Professor Wagner during the Spring '10 term at University of Central Arkansas.

