Packet Filtering

Destination IP address: This is the IP address to which the packet is being sent. Make sure you list the actual IP address in the packet filter rule and not the Domain Name System (DNS) name, such as server3.microsoft.com. Otherwise, a hacker that takes over a DNS server can immediately pass all packet filters undisturbed.

IP protocol ID: An IP header can be followed by different protocol headers. Each of these protocols has its own IP protocol ID. The best-known examples are TCP (ID 6) and UDP (ID 17). Others that you will encounter are ICMP (ID 1), GRE (ID 47), which is used for PPTP connections, and ESP (ID 50) and AH (ID 51), which are both used for the IPSec protocols.
Packet Filtering

TCP or UDP port number: The port number indicates to which service this packet is destined. You should allow only ports that are associated with allowed services, such as HTTP (port 80) or FTP (port 20/21).

Fragmentation flags: IP packets can be broken into smaller packets to accommodate network segments that can only handle smaller-sized packets. Unfortunately, as is discussed later in the presentation, this functionality can be misused.

IP Options setting: Optional functions of TCP/IP can be specified in this field. Hackers can exploit the Source Route option in particular. These options are only used for diagnostics, so the firewall should drop network packets with IP Options set.
Complex (multi-field) classifiers inspect several header fields (e.g., FW, NAT):

  IP header: source IP address, destination IP address, protocol identifier
  TCP/UDP header: source port number, destination port number

Lookup cost: O(log^(k-1) n), where k is the number of classification fields and n is the filtering rule length.
Filtering Rules - Examples

Policy                                                        | Firewall Setting
No outside Web access.                                        | Drop all outgoing packets to any IP address, port 80
External connections to public Web server only.               | Drop all incoming TCP SYN packets to any IP except 222.22.44.203, port 80
Prevent IPTV from eating up the available bandwidth.          | Drop all incoming UDP packets, except DNS and router broadcasts.
Prevent your network from being used for a Smurf DoS attack.  | Drop all ICMP packets going to a "broadcast" address (e.g., 222.22.255.255).
Prevent your network from being tracerouted.                  | Drop all outgoing ICMP
Access control lists

Apply rules from top to bottom:

action | source address        | dest address          | protocol | source port | dest port
allow  | 222.22/16             | outside of 222.22/16  | TCP      | > 1023      | 80
allow  | outside of 222.22/16  | 222.22/16             | TCP      | 80          | > 1023
allow  | 222.22/16             | outside of 222.22/16  | UDP      | > 1023      | 53
allow  | outside of 222.22/16  | 222.22/16             | UDP      | 53          | > 1023
deny   | all                   | all                   | all      | all         | all
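As an added illustration (not part of the lecture slides), the access control list above encoded as a first-match, top-to-bottom classifier. The `Packet` type, the rule encoding and the sample packets are constructed for this example; the addresses, ports and actions are the ones in the table.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example: the lecture's ACL for the 222.22/16 network, first match wins.
INSIDE = ip_network("222.22.0.0/16")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def in_net(addr: str, inside: bool) -> bool:
    """True if addr is inside 222.22/16 (inside=True) or outside it (inside=False)."""
    return (ip_address(addr) in INSIDE) == inside


def port_matches(spec, port: int) -> bool:
    """Port spec: an int for an exact port, '>1023' for the ephemeral range, '*' for any."""
    if spec == "*":
        return True
    if isinstance(spec, str) and spec.startswith(">"):
        return port > int(spec[1:])
    return port == spec


# (src_inside, dst_inside, proto, sport, dport, action); None means 'all'.
RULES = [
    (True,  False, "TCP", ">1023", 80,      "allow"),  # outbound web request
    (False, True,  "TCP", 80,      ">1023", "allow"),  # web reply coming back in
    (True,  False, "UDP", ">1023", 53,      "allow"),  # outbound DNS query
    (False, True,  "UDP", 53,      ">1023", "allow"),  # DNS reply coming back in
    (None,  None,  None,  "*",     "*",     "deny"),   # catch-all: drop everything else
]


def classify(pkt: Packet) -> str:
    """Walk the rules top to bottom and return the action of the first match."""
    for src_in, dst_in, proto, sport, dport, action in RULES:
        if src_in is not None and not in_net(pkt.src, src_in):
            continue
        if dst_in is not None and not in_net(pkt.dst, dst_in):
            continue
        if proto is not None and proto != pkt.proto:
            continue
        if not port_matches(sport, pkt.sport) or not port_matches(dport, pkt.dport):
            continue
        return action
    return "deny"  # unreachable with the catch-all rule present, kept as a safe default
```

Because the list is stateless, an inbound TCP segment with source port 80 is allowed whether or not it answers an outbound connection; that is the gap the SYN-flag rule in the examples slide is aimed at.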
Packet classification

Source address | Destination address | Source port | Destination port | Protocol | Action
193.95.66.11   | 192.168.2.0         | 53          | *                | UDP      | Accept
10.1.1.1       | 192.168.2.2         | 80          | *                | TCP      | Deny
192.168.2.0    | 193.95.66.11        | *           | 53               | UDP      | Accept
10.1.1.1       | 192.168.2.2         | 80          | *                | TCP      | Deny
General Strategy: Allow-All or Deny-All

Allow-all strategy: Allows all network packets except those that are explicitly denied.

Deny-all strategy: Denies all network packets except those that are explicitly allowed.