2.19.network-control.v1 - Network Control Cont CS 161...

Slide 1: Network Control, Con't
CS 161 - Computer Security
Profs. Vern Paxson & David Wagner
TAs: John Bethencourt, Erika Chin, Matthew Finifter, Cynthia Sturton, Joel Weinberger
http://inst.eecs.berkeley.edu/~cs161/
Feb 19, 2010
Slide 2: Focus of Today's Lecture
• Finish discussion of packet-filter firewalls
• The general notion of reference monitors
• Firewall limitations
• Virtual Private Networks (VPNs)
• Application proxies
• Network Address Translation (NAT)
Slide 3: Problem: Outbound Connections Fail
1. allow tcp *:* -> 1.2.3.4:25
2. allow tcp 1.2.3.0/24:* -> *:*
3. drop * *:* -> *:*
• Inside host opens TCP connection to port 80 on external machine:
  – Initial SYN packet passed through by rule 2
  – SYN+ACK packet coming back is dropped
    • Fails rule 1 (not destined for port 25)
    • Fails rule 2 (source not inside host)
    • Matches rule 3 → DROP
• Fix? In general, we need to distinguish between 2 kinds of inbound pkts
  – Allow inbound packets associated with an outbound connection
  – Restrict inbound packets associated with an inbound connection
• How do we tell them apart?
  – Approach #1: remember previous outbound connections (takes state)
  – Approach #2: leverage details of how TCP works
Slide 4: Inbound vs. Outbound Connections
• Key TCP feature: ACK bit set on all packets except first
  – Plus: TCP receiver disregards packets with ACK set if they don't belong to an existing connection
• Solution ruleset:
  1. allow tcp *:* -> 1.2.3.4:25
  2. allow tcp 1.2.3.0/24:* -> *:*
  3. allow tcp *:* -> 1.2.3.0/24:* only if ACK bit set
  4. drop * *:* -> *:*
  – Rules 1 and 2 allow traffic in either direction for inbound connections to port 25 on machine 1.2.3.4
  – Rules 2 and 3 allow outbound connections to any port
Slide 5: How This Ruleset Protects
1. allow tcp *:* -> 1.2.3.4:25
2. allow tcp 1.2.3.0/24:* -> *:*
3. allow tcp *:* -> 1.2.3.0/24:* only if ACK bit set
4. drop * *:* -> *:*
• Suppose external attacker tries to exploit vulnerability in SMB (TCP port 445):
  ⇒ Attempts to open an inbound TCP connection to internal SMB server
  – Attempt #1: Sends SYN packet to server
    • Packet lacks ACK bit → no match to Rules 1-3, dropped by Rule 4
  – Attempt #2: Sends SYN+ACK packet to server
    • Firewall permits the packet due to Rule 3
    • But then dropped by server's TCP stack (since ACK bit set, but isn't part of existing connection)
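The following simulator is an added example, not code from the lecture or the course. It parses the slide rulesets in their own notation, evaluates packets first-match as a stateless packet filter does, and models the TCP-receiver rule from slide 4 (a packet with ACK set is discarded unless it belongs to an open connection). The rule parser, the Packet dataclass, the trace() helper and the external addresses in the 203.0.113.0/24 range are all constructed for this example; only the rulesets, the inside network 1.2.3.0/24 and the mail server 1.2.3.4 come from the slides. It traces the slide 3 failure (the returning SYN+ACK is dropped), the slide 4 fix, and both attacker attempts from slide 5.

```python
"""Stateless packet-filter simulator for the CS 161 firewall rulesets.
Added example; rule syntax parser, Packet type and host model are assumptions."""
import ipaddress
from dataclasses import dataclass

ACK_SUFFIX = "only if ACK bit set"


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK flag
    syn: bool = False   # TCP SYN flag


def _match_addr(pattern, addr):
    """'*' matches anything; otherwise a single IP or CIDR block."""
    if pattern == "*":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def _match_port(pattern, port):
    return pattern == "*" or int(pattern) == port


def parse_rule(text):
    """Parse a slide rule such as 'allow tcp 1.2.3.0/24:* -> *:* only if ACK bit set'."""
    ack_only = text.endswith(ACK_SUFFIX)
    if ack_only:
        text = text[: -len(ACK_SUFFIX)]
    action, proto, src, arrow, dst = text.split()
    assert arrow == "->", "rule must be 'action proto src -> dst'"
    s_addr, s_port = src.rsplit(":", 1)
    d_addr, d_port = dst.rsplit(":", 1)
    return {"action": action, "proto": proto, "src": s_addr, "sport": s_port,
            "dst": d_addr, "dport": d_port, "ack_only": ack_only}


def rule_matches(rule, pkt):
    if rule["proto"] != "*" and rule["proto"] != pkt.proto:
        return False
    if not (_match_addr(rule["src"], pkt.src) and _match_port(rule["sport"], pkt.sport)):
        return False
    if not (_match_addr(rule["dst"], pkt.dst) and _match_port(rule["dport"], pkt.dport)):
        return False
    # Rule 3 of the fixed ruleset: only packets with ACK set may match.
    return pkt.ack or not rule["ack_only"]


def filter_packet(rules, pkt):
    """First matching rule wins; returns (action, rule_number). Default deny."""
    for number, rule in enumerate(rules, start=1):
        if rule_matches(rule, pkt):
            return rule["action"], number
    return "drop", None


def host_accepts(pkt, open_connections):
    """Slide 4 receiver behaviour: ACK-set packets need an existing connection.
    open_connections holds (local_ip, local_port, remote_ip, remote_port) tuples."""
    if not pkt.ack:
        return True  # a bare SYN may open a new connection
    return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in open_connections


def trace(rules, pkt, open_connections=frozenset()):
    """Follow one packet through the firewall and then the destination's TCP stack."""
    action, number = filter_packet(rules, pkt)
    if action == "drop":
        return f"dropped by firewall (rule {number})"
    if not host_accepts(pkt, open_connections):
        return f"passed firewall (rule {number}), discarded by TCP stack"
    return f"passed firewall (rule {number}), delivered"


# Rulesets exactly as written on slides 3 and 4.
BROKEN_RULESET = [parse_rule(r) for r in (
    "allow tcp *:* -> 1.2.3.4:25",
    "allow tcp 1.2.3.0/24:* -> *:*",
    "drop * *:* -> *:*",
)]
FIXED_RULESET = [parse_rule(r) for r in (
    "allow tcp *:* -> 1.2.3.4:25",
    "allow tcp 1.2.3.0/24:* -> *:*",
    "allow tcp *:* -> 1.2.3.0/24:* only if ACK bit set",
    "drop * *:* -> *:*",
)]

# Constructed packets: an inside host talking to an external web server,
# and an external host probing the internal SMB port (445), as on slide 5.
OUTBOUND_SYN = Packet("tcp", "1.2.3.7", 40000, "203.0.113.9", 80, syn=True)
OUTBOUND_SYNACK = Packet("tcp", "203.0.113.9", 80, "1.2.3.7", 40000, syn=True, ack=True)
OUTBOUND_CONN = frozenset({("1.2.3.7", 40000, "203.0.113.9", 80)})
ATTACK_SYN = Packet("tcp", "203.0.113.66", 5555, "1.2.3.10", 445, syn=True)
ATTACK_SYNACK = Packet("tcp", "203.0.113.66", 5555, "1.2.3.10", 445, syn=True, ack=True)

SCENARIOS = [
    ("slide 3, outbound SYN (broken ruleset)", BROKEN_RULESET, OUTBOUND_SYN, frozenset()),
    ("slide 3, returning SYN+ACK (broken ruleset)", BROKEN_RULESET, OUTBOUND_SYNACK, OUTBOUND_CONN),
    ("slide 4, returning SYN+ACK (fixed ruleset)", FIXED_RULESET, OUTBOUND_SYNACK, OUTBOUND_CONN),
    ("slide 5, attempt #1: SYN to 445", FIXED_RULESET, ATTACK_SYN, frozenset()),
    ("slide 5, attempt #2: SYN+ACK to 445", FIXED_RULESET, ATTACK_SYNACK, frozenset()),
]

if __name__ == "__main__":
    for name, rules, pkt, conns in SCENARIOS:
        print(f"{name}: {trace(rules, pkt, conns)}")
```

The point the trace makes concrete is that rule 3 of the fixed ruleset alone does not protect the SMB server: the attacker's SYN+ACK passes the filter, and it is the receiving TCP stack that discards it. The filter and the end host together form the reference monitor, which is why the lecture moves on to that principle next.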
Slide 6: Security Principle: Reference Monitors
• Firewalls embody useful principles that are applicable elsewhere in computer security
  – Optimized for enforcing particular kind of access