1 / 26

TCP

Configuring a firewall. Primary approach to configuring a firewallStudy serviceIP ADDRESSES PORTSSet up rules for allowing or denying access to the services you want utilized.Problem:Some of the issues are more subtle than IP/PORT. IP Basics. IP encapsulates TCPIP packets travel through many different routers (hops) before reaching it's destinationMTU variation at the physical layer requires IP to fragment the message into smaller units along the wayReassembly is an option at each hop.31646

mardi
Télécharger la présentation

TCP

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


    1. TCP/IP Basics A review for firewall configuration

    2. Configuring a firewall Primary approach to configuring a firewall Study service IP ADDRESSES PORTS Set up rules for allowing or denying access to the services you want utilized. Problem: Some of the issues are more subtle than IP/PORT

    3. IP Basics IP encapsulates TCP IP packets travel through many different routers (hops) before reaching its destination MTU variation at the physical layer requires IP to fragment the message into smaller units along the way Reassembly is an option at each hop. IP does NOT guarantee delivery!

    4. IP Fragmentation

    5. What if frames are lost?

    6. IP Summary Fragmentation results in delivery of frames which are potentially smaller than the original transmission. Some of the frames can be lost If a message is fragmented and frames are lost, all frames up to the first lost frame are passed up to the receiving TCP and all subsequent frames are dropped. TCP views this as a stream and is unaware of the loss of frames. It just accepts the next n bytes, acks the receipt, and waits for subsequent data.

    7. TCP basics Connection-oriented Sets up the connection prior to data transmission SYN and 3-way handshake Guarantees delivery of data Sender holds a copy of the data for retransmission if necessary Receiver ACKS specific byte positions in the stream so sender can resend from any byte position Encapsulated by IP Receiver tells sender its receive window size to limit rate of data arrival (flow control)

    9. TCP handling of fragmentation

    10. What does the TCP frame look like?

    13. Back to the Firewall!

    14. Options to Solve Fragmentation Reassembly can be forced at the firewall Slows down transmission Lets the firewall process the entire frame identically Make sure the sender doesnt send frames which will be fragmented. Path MTU discovery uses ICMP to test for deliverability Sends a message and marks it not to be fragmented Looks for ICMP response saying too large Repeat the process with a smaller packet if necessary Firewall must allow ICMP

    15. Only filter the first frames in a fragmented sequence Allow all others to pass through Assume other frames will be trashed at receiver if the first one doesnt make it through Places undue traffic on network and receiver if the unfragmented sequence is to be filtered Can be used to create denial of service Allows attackers to substitute overlapping tail frames Different OSs handle the repeated packets differently. I.e. which one do you keep? Options to Solve Fragmentation

    17. TCP handshake/setup

    18. TCP Connection Issues Once you make a connection it can be used to transmit data bi-directionally Inside clients-> out, is ok Outside clients -> inside, is NOT ok (usually) Deny the setup sequence and no connection can be established If hacker can determine setup sequence number and window size, noise packets can be injected Not a typical problem but possible

    20. UDP basics No connection establishment No special features of the frame to identify connection information Requires a little more effort on the part of the firewall Must remember what has happened in previous transmissions This is a STATEFUL packet filter firewall

    21. Stateful Packet Filter Allowing if connected from inside

    22. ICMP

    23. ICMP Basics Lower than IP Doesnt use ports Frequently used at the firewall to deny ping of death (too large message), and denial of service (ping flood) Denying is message-type specific Denying precludes utility of a useful tool

    24. ICMP Message types Echo Request Echo Response Time Exceeded Destination Unreachable Redirect

    25. IP Tunnelling

    27. Tunnelling Problem Firewall sees IP not what is embedded Packets can be hidden inside IP Not as problematic as it seems Usually the tunneller at each end is set up by the network admin to implement a desired policy Still provides a leak into the other network

More Related