TcpIp and Firewalls

TCP/IP Basics
A review for firewall configuration
Configuring a firewall
• Primary approach to configuring a firewall
• Study the service
– IP ADDRESSES
– PORTS
• Set up rules for allowing or denying access to the services you want utilized.
• Problem:
– Some of the issues are more subtle than IP/PORT
IP Basics
• IP encapsulates TCP
• IP packets travel through many different routers (hops) before reaching their destination
• MTU variation at the physical layer requires IP to fragment the message into smaller units along the way
• Reassembly is an option at each hop.
• IP does NOT guarantee delivery!
IP Fragmentation
[Figure: a 1000 b datagram is split by the first router (R) into two 500 b fragments and by the next router into four 250 b fragments.]
Every link has the potential to dictate adjusting the size of frames.
[Figure: the two 500 b fragments are reassembled back into 1000 b at an intermediate router.]
It is possible to reassemble at any point.
What if frames are lost?
[Figure: fragments 250 b1, 250 b2, 250 b3 and 250 b4 in transit through routers (R) to the receiving computer, with one fragment lost.]
The receiving computer will hold the first 2 frames awaiting the 3rd.
After a period of time, a timer expires and the IP level passes the 500 bytes up and stops looking for the other pieces.
TCP (NOT IP) then will acknowledge receipt of 500 more bytes to the sending TCP layer. If the first frame is lost, NONE are passed up to TCP.
IP Summary
• Fragmentation results in delivery of frames which are potentially smaller than the original transmission.
• Some of the frames can be lost
• If a message is fragmented and frames are lost, all frames up to the first lost frame are passed up to the receiving TCP and all subsequent frames are dropped.
• TCP views this as a stream and is unaware of the loss of frames. It just accepts the next “n” bytes, acks the receipt, and waits for subsequent data.
TCP basics
• Connection-oriented
– Sets up the connection prior to data transmission (SYN and 3-way handshake)
– Guarantees delivery of data: the sender holds a copy of the data for retransmission if necessary, and the receiver ACKs specific byte positions in the stream so the sender can resend from any byte position
• Encapsulated by IP
• Receiver tells sender its receive window size to limit the rate of data arrival (flow control)
Consider How TCP and IP Work Together
[Figure: TCP handling of fragmentation. The sending Transport layer hands 2000 bytes to Network (IP); IP sends 1000-byte datagrams, which the Physical layer carries as fragments 2501, 2502, 2503 and 2504; the receiving Transport layer ACKs 500 bytes.]
What does the TCP frame look like?
[Figure: transport frame with fields Source Port, Destination Port, Length, Checksum, Data.]
And after TCP is encapsulated in IP?
[Figure: IP Header | TCP | IP Trailer.]
And if the encapsulated frame is fragmented?
[Figure: assume fragmented in 2 parts. Part 1: IP Header | first part of TCP | IP Trailer; has headers, port info included. Part 2: IP Header | rest of TCP | IP Trailer; no headers, NO port info included.]
Back to the Firewall!
[Figure: Part 1, port info included: the firewall CAN see ports and knows what to do. Part 2, no headers: the firewall CAN’T see ports: ?]
Options to Solve Fragmentation
• Reassembly can be forced at the firewall
– Slows down transmission
– Lets the firewall process the entire frame identically
• Make sure the sender doesn’t send frames which will be fragmented.
– Path MTU discovery
• Uses ICMP to test for deliverability
• Sends a message and marks it not to be fragmented
• Looks for ICMP response saying too large
• Repeats the process with a smaller packet if necessary
• Firewall must allow ICMP
Options to Solve Fragmentation
• Only filter the first frames in a fragmented sequence
– Allow all others to pass through
– Assume other frames will be trashed at the receiver if the first one doesn’t make it through
– Places undue traffic on network and receiver if the unfragmented sequence is to be filtered
• Can be used to create denial of service
– Allows attackers to substitute overlapping “tail” frames
• Different OSs handle the repeated packets differently, i.e. which one do you keep?
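The two fragmentation slides above make three points a filter has to live with: only the offset-0 fragment carries the transport header and therefore the ports, forcing reassembly at the firewall lets every packet be judged whole, and overlapping "tail" fragments are ambiguous because hosts disagree about which copy to keep. The following Python is an added example, not code from the slides: it parses a 20-byte IPv4 header, shows that ports are visible only in the first fragment, and reassembles at the firewall while rejecting any overlap outright and expiring partial datagrams on a timer. The `make_fragment` helper, the `Reassembler` class, the 30-second timeout and the sample TCP segment are all constructed for this example.

```python
import struct
import time

IP_MF = 0x1   # "more fragments" flag bit


def parse_ipv4(pkt):
    """Pull out the fields a packet filter needs from a 20-byte IPv4 header (no options)."""
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0xF) * 4
    return {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "proto": proto,
        "ident": ident,
        "more": bool((flags_frag >> 13) & IP_MF),
        "offset": (flags_frag & 0x1FFF) * 8,   # fragment offset is counted in 8-byte units
        "payload": pkt[ihl:total_len],
    }


def transport_ports(frag):
    """TCP and UDP both put source/destination port in their first 4 bytes, so only an
    offset-0 fragment can show them; any later fragment returns None."""
    if frag["offset"] != 0 or len(frag["payload"]) < 4:
        return None
    return struct.unpack("!HH", frag["payload"][:4])


class Reassembler:
    """Firewall-side reassembly keyed by (src, dst, proto, ident).

    Overlapping fragments are rejected and the whole datagram dropped: a normal sender
    never produces them, and the 'which copy wins' ambiguity is what the overlapping
    tail trick on the slide relies on.
    """

    def __init__(self, timeout=30.0):
        self.timeout = timeout
        self.table = {}   # key -> {"frags": {offset: bytes}, "total": int or None, "t0": float}

    def add(self, frag, now=None):
        now = time.monotonic() if now is None else now
        key = (frag["src"], frag["dst"], frag["proto"], frag["ident"])
        entry = self.table.setdefault(key, {"frags": {}, "total": None, "t0": now})
        start, end = frag["offset"], frag["offset"] + len(frag["payload"])
        for s, data in entry["frags"].items():
            if start < s + len(data) and s < end:       # byte ranges intersect
                del self.table[key]
                return "overlap"
        entry["frags"][start] = frag["payload"]
        if not frag["more"]:
            entry["total"] = end                        # last fragment fixes the length
        if entry["total"] is not None:
            pos = 0                                     # walk fragments looking for a gap
            for s in sorted(entry["frags"]):
                if s != pos:
                    break
                pos += len(entry["frags"][s])
            if pos == entry["total"]:
                whole = b"".join(entry["frags"][s] for s in sorted(entry["frags"]))
                del self.table[key]
                return whole
        return "incomplete"

    def expire(self, now):
        """Drop partial datagrams whose timer ran out; returns how many were dropped."""
        dead = [k for k, e in self.table.items() if now - e["t0"] > self.timeout]
        for k in dead:
            del self.table[k]
        return len(dead)


def make_fragment(ident, offset, more, payload, src=(137, 155, 2, 20), dst=(168, 17, 2, 5), proto=6):
    """Constructed IPv4 fragment (checksum left zero; it is not checked here)."""
    flags_frag = ((IP_MF if more else 0) << 13) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                         64, proto, 0, bytes(src), bytes(dst))
    return header + payload


# Constructed TCP segment: ports 2987 -> 80, 16 more header bytes, then a small request.
SEGMENT = struct.pack("!HH", 2987, 80) + b"\x00" * 16 + b"GET / HTTP/1.0\r\n"


def demo():
    first = parse_ipv4(make_fragment(1, 0, True, SEGMENT[:16]))     # has the ports
    second = parse_ipv4(make_fragment(1, 16, False, SEGMENT[16:]))  # no transport header
    r = Reassembler(timeout=30.0)
    out = {"first_ports": transport_ports(first), "second_ports": transport_ports(second)}
    out["step1"] = r.add(second, now=0.0)        # tail arrives first: still incomplete
    out["step2"] = r.add(first, now=0.0)         # now whole: the original segment comes back
    r.add(first, now=0.0)
    overlapping_tail = parse_ipv4(make_fragment(1, 8, False, b"X" * 24))
    out["overlap"] = r.add(overlapping_tail, now=0.0)
    r.add(first, now=0.0)                        # a lone first fragment that never completes
    out["expired"] = r.expire(now=60.0)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Run as a script it prints each check; the point to take away is that a "filter the first fragment only" policy sees exactly what `transport_ports` sees, while the overlap rejection in `Reassembler.add` removes the host-dependent guesswork the slide warns about.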
More TCP Issues
TCP handshake/setup
[Figure: Host A and Host B, time running downward.]
Setup:
Host A → Host B: Ack 0, Syn 1
Host B → Host A: Ack 1, Syn 1
Host A → Host B: Ack 1, Syn 0
Data:
Host A → Host B: Ack 1, Syn 0
...
TCP Connection Issues
• Once you make a connection it can be used to transmit data bi-directionally
• Inside clients -> out is ok
• Outside clients -> inside is NOT ok (usually)
• Deny the setup sequence and no connection can be established
• If a hacker can determine the setup sequence number and window size, “noise” packets can be injected
– Not a typical problem but possible
UDP Issues
UDP basics
• No connection establishment
• No special features of the frame to identify connection information
• Requires a little more effort on the part of the firewall
• Must remember what has happened in previous transmissions
• This is a STATEFUL packet filter firewall
Stateful Packet Filter
Allowing if connected from inside
[Figure: Host A (INSIDE) | FIREWALL | Host B (OUTSIDE).]
Host A → Host B: UDP, SP = 2987, SA = 137.155.2.20, DP = 1000, DA = 168.17.2.5
Host B → Host A: UDP, SP = 1000, SA = 168.17.2.5, DP = 2987, DA = 137.155.2.20
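The TCP and UDP slides above describe the same policy, inside may open, outside may not, enforced two ways: TCP announces a new connection in its flags (SYN set, ACK clear), so a stateless rule suffices, while UDP carries nothing, so the firewall must remember outbound flows and admit only the matching reply. The Python below is an added example, not code from the slides. It uses the addresses and ports from the stateful-filter figure (137.155.2.20:2987 to 168.17.2.5:1000 and back); the inside prefix 137.155.0.0/16, the `Packet` tuple, the 60-second idle timeout and the stray-reply and TCP sample packets are assumptions made for the example.

```python
from collections import namedtuple
import ipaddress

# One packet as the filter sees it; syn/ack are the TCP flags (ignored for UDP).
Packet = namedtuple("Packet", "proto src sport dst dport syn ack")

INSIDE = ipaddress.ip_network("137.155.0.0/16")   # assumed inside address range


def is_inside(addr):
    return ipaddress.ip_address(addr) in INSIDE


def tcp_setup_allowed(pkt):
    """Stateless TCP rule: the first packet of the 3-way handshake (SYN without ACK)
    is accepted only from the inside. Everything else in an established
    connection carries ACK and is let through in both directions."""
    opening = pkt.syn and not pkt.ack
    if opening and not is_inside(pkt.src):
        return False
    return True


class UdpStateTable:
    """Stateful UDP filter: remember inside-originated flows, admit only their replies."""

    def __init__(self, timeout=60.0):
        self.timeout = timeout
        self.flows = {}   # (src, sport, dst, dport) -> time the flow was last seen

    def allowed(self, pkt, now):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # how the outbound packet was keyed
        for k in [k for k, t in self.flows.items() if now - t > self.timeout]:
            del self.flows[k]                            # forget idle flows
        if is_inside(pkt.src):
            self.flows[fwd] = now                        # remember the outbound flow
            return True
        if rev in self.flows:                            # reply to something we sent
            self.flows[rev] = now
            return True
        return False                                     # unsolicited from outside


def demo():
    table = UdpStateTable(timeout=60.0)
    out = Packet("udp", "137.155.2.20", 2987, "168.17.2.5", 1000, False, False)
    back = Packet("udp", "168.17.2.5", 1000, "137.155.2.20", 2987, False, False)
    stray = Packet("udp", "168.17.2.5", 1000, "137.155.2.20", 2988, False, False)  # wrong port
    tcp_in_syn = Packet("tcp", "168.17.2.5", 40000, "137.155.2.20", 22, True, False)
    tcp_out_syn = Packet("tcp", "137.155.2.20", 40000, "168.17.2.5", 22, True, False)
    tcp_in_synack = Packet("tcp", "168.17.2.5", 22, "137.155.2.20", 40000, True, True)
    return {
        "udp_reply_before_request": table.allowed(back, now=0.0),
        "udp_request": table.allowed(out, now=1.0),
        "udp_reply": table.allowed(back, now=2.0),
        "udp_stray": table.allowed(stray, now=3.0),
        "udp_reply_after_timeout": table.allowed(back, now=200.0),
        "tcp_inbound_syn": tcp_setup_allowed(tcp_in_syn),
        "tcp_outbound_syn": tcp_setup_allowed(tcp_out_syn),
        "tcp_inbound_synack": tcp_setup_allowed(tcp_in_synack),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The idle timeout is what keeps the UDP table from growing without bound and from admitting a "reply" long after the inside host has forgotten the exchange; the TCP rule needs no table because the handshake itself marks which end opened the connection.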
ICMP
ICMP Basics
• Lower than IP
• Doesn’t use ports
• Frequently used at the firewall to
– deny ping of death (too large message), and
– denial of service (ping flood)
• Denying is message-type specific
• Denying precludes the utility of a useful tool
ICMP Message types
• Echo Request
• Echo Response
• Time Exceeded
• Destination Unreachable
• Redirect
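The ICMP slides say that denying is message-type specific and that blocking everything costs a useful tool; the Path MTU discovery bullets earlier say the firewall must let ICMP through for that procedure to work. The Python below is an added example, not code from the slides, that shows both at once: an ICMP policy that allows or denies by type, drops oversized echo requests (the "ping of death" case), rate-limits echo requests (the "ping flood" case), and a simulated PMTUD sender that probes a path with the don't-fragment bit and shrinks on a "fragmentation needed" error. The ICMP type and code numbers are the standard ones; the link MTUs, the 1500-byte echo limit, the token-bucket rate and the probe count are constructed for the example.

```python
# Standard ICMP type numbers; code 4 under Destination Unreachable means
# "fragmentation needed and DF set", the message PMTUD depends on.
ECHO_REPLY, DEST_UNREACH, REDIRECT, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 5, 8, 11
FRAG_NEEDED = 4
MAX_ECHO_LEN = 1500   # assumed guard against oversized echo requests


class IcmpPolicy:
    """Type-specific ICMP filter with a size cap and a token bucket on echo requests."""

    def __init__(self, allowed_types, echo_per_second=10):
        self.allowed_types = set(allowed_types)
        self.rate = echo_per_second
        self.bucket = float(echo_per_second)
        self.last = 0.0

    def accept(self, icmp_type, length, now):
        if icmp_type not in self.allowed_types:
            return False                          # denied by message type
        if icmp_type == ECHO_REQUEST:
            if length > MAX_ECHO_LEN:
                return False                      # too large: ping of death
            self.bucket = min(self.rate, self.bucket + (now - self.last) * self.rate)
            self.last = now
            if self.bucket < 1:
                return False                      # above the allowed rate: ping flood
            self.bucket -= 1
        return True


def probe_path(size, link_mtus):
    """Forward a DF-marked packet hop by hop. Returns (delivered, icmp_type, code, next_mtu);
    the first link too small for the packet answers with Destination Unreachable."""
    for mtu in link_mtus:
        if size > mtu:
            return (False, DEST_UNREACH, FRAG_NEEDED, mtu)
    return (True, None, None, None)


def discover_pmtu(link_mtus, policy, start=1500, min_mtu=576, max_tries=10):
    """Sender side of PMTUD: send with DF, read the ICMP error, retry smaller.
    Returns (path_mtu, probes) or None when the firewall swallows the error."""
    size = start
    for tries in range(1, max_tries + 1):
        delivered, icmp_type, _code, next_mtu = probe_path(size, link_mtus)
        if delivered:
            return size, tries
        # The ICMP error must cross the firewall on its way back to the sender.
        if not policy.accept(icmp_type, 56, now=float(tries)):
            return None                           # black hole: sender never learns why
        size = max(next_mtu, min_mtu)
    return None


def demo():
    path = [1500, 1492, 1280, 1500]               # constructed link MTUs along the path
    permissive = IcmpPolicy([ECHO_REQUEST, ECHO_REPLY, DEST_UNREACH, TIME_EXCEEDED])
    block_all = IcmpPolicy([])
    flood_guard = IcmpPolicy([ECHO_REQUEST], echo_per_second=2)
    return {
        "pmtu_with_icmp": discover_pmtu(path, permissive),
        "pmtu_without_icmp": discover_pmtu(path, block_all),
        "ping_of_death": permissive.accept(ECHO_REQUEST, 70000, now=0.0),
        "redirect": permissive.accept(REDIRECT, 56, now=0.0),
        "flood": [flood_guard.accept(ECHO_REQUEST, 64, now=0.0) for _ in range(4)],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

With Destination Unreachable allowed the sender settles on the smallest link (1280 bytes) after three probes; with all ICMP denied it never gets past the first probe. Redirect is left out of the permissive list on purpose, which is the kind of per-type choice the slide is pointing at.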
IP Tunnelling
[Figure: on the inside network, Transport (Appletalk) rides over Transport (IP) over Network (IP) over Physical; firewalls CAN do AT in IP. Intermediate routers only see IP. The receiving firewall unwraps the IP and delivers Appletalk to the connected network.]
IP Tunnelling at one end
[Figure: Transport (Appletalk, IP) over Appletalk and IP/AT network layers over Physical. Appletalk to local destinations goes out as Appletalk; Appletalk to non-local destinations is wrapped in IP and routed to the destination as IP.]
Tunnelling Problem
• Firewall sees IP, not what is embedded
• Packets can be hidden inside IP
• Not as problematic as it seems
– Usually the tunneller at each end is set up by the network admin to implement a desired policy
– Still provides a leak into the other network