Chapter 6: Deploying a Firewall to Monitor and Manage Network Packets


Upload: lita

Post on 20-Mar-2016

DESCRIPTION

Ministry of Education Information and Communication Technology Talent Cultivation Pilot Program, Broadband Wired Teaching Promotion Alliance Center. Chapter 6: Deploying a Firewall to Monitor and Manage Network Packets. An indispensable member in protecting enterprise network security: the firewall. In the dictionary, a "firewall" is explained as a fire-resistant wall that stops fire from spreading; on the Internet, a firewall is defined as a network device that stops hackers from intruding into computer systems at will. A firewall increases the security of the enterprise network by filtering out certain untrusted packets. This chapter first outlines the concept of a firewall and its basic types, then introduces packet-filtering technology, and finally explains how to configure filtering policies on different network devices (such as switches, firewalls and routers) to carry out the work of protecting the enterprise network. Preface. 6.1 Firewall Technology - PowerPoint PPT Presentation

TRANSCRIPT

  • Chapter outline

    6.1 Firewall Technology

    6.2 Filtering Technology

    6.3 Configure Filtering on a Switch

    6.4 Configure Filtering on a Firewall

    6.5 Configure Filtering on a Router

  • 6.1 Firewall Technology (Firewall)

    Firewall; Hacker; Internal Network; External Network; Internet

  • 6.1 Firewall Technology

    Packet header fields examined: Source IP Address, Destination IP Address, Source TCP/UDP Port, Destination TCP/UDP Port; Internet

  • 6.1 Firewall Technology

    server / client; (SMTP) (WWW); Internet

  • 6.1 Firewall Technology

    Windows; Transparency; IP; TCP/UDP (TCP 25); IP

  • 6.1 Firewall Technology

    Access Control Policy:

  • 6.1 Firewall Technology

    Denial-Of-Service attack

    IP (Domain Name)

    Viruses (data attack)

  • 6.2 Filtering Technology: Static packet filtering

    Fields matched by a static packet filter: Source IP Address, Destination IP Address, Source TCP/UDP Port, Destination TCP/UDP Port

    Static packet filtering rule table (IP): 1. 140.125.3.8; 2. 200.100.5.5; Internet

    Static packet filtering example: host A 200.100.5.5, host B 140.125.3.8

  • 6.2 Filtering Technology: Static packet filtering

    Filtering point: Input time / Output time / Input/Output

    Static packet filtering rules 1, 2; IP

  • 6.2 Filtering Technology: Stateful packet filtering

    Static packet filtering compared with Stateful packet filtering

    Stateful packet filtering implementations: Cisco CBAC, Linux iptables

    Stateful packet filtering tracks the TCP three-way handshaking from the Internet: 1. TCP SYN, 2. TCP ACK+SYN, 3. TCP ACK

  • 6.2 Filtering Technology: URL filtering

    URL filtering; P2P

    Websense URL filtering; 3Com, Blue Coat, Check Point; 25; www.websense.com

  • 6.3 Configure Filtering on a Switch

    Switch-level attacks: CAM table overflow; Media Access Control (MAC) address spoofing; DHCP starvation; VLAN hopping; Spanning-Tree Protocol (STP) manipulation

  • 6.3 Configure Filtering on a Switch: Port security

    Port security counters CAM table overflow by restricting which MAC addresses a port accepts.

    switchport port-security mac-address: statically map a MAC address to the port

    switchport port-security maximum (1~132): maximum number of MAC addresses allowed on the port

    Violation modes (example: port-security maximum 12, the port already has 12 MAC addresses and a 13th MAC appears): Protect (frames from the extra MAC are dropped); Restrict (Protect plus a syslog message); Shutdown (the port is disabled plus a syslog message)

    * Example: on port ethernet 0/1 only MAC 11:22:33:44:55:66 (host A) is allowed; host B with MAC 77:88:99:AA:BB:CC cannot use Ethernet 0/1.

    Port Security configuration (the last command needs the mac-address keyword; the original line omitted it):

    Switch(config)#interface ethernet 0/1
    Switch(config-if)#switchport mode access
    Switch(config-if)#switchport port-security
    Switch(config-if)#switchport port-security mac-address 1122.3344.5566

  • 6.3 Configure Filtering on a Switch: DHCP Snooping

    DHCP Snooping builds a DHCP Snooping binding table by watching the DHCP Request / DHCP Ack exchange between clients and the DHCP Server. DHCP Snooping is enabled per port and per vlan; only trusted ports may send DHCP Offer. Each DHCP Snooping binding records: MAC, IP, vlan.

    Binding check: the host's MAC must match the MAC in the binding that the DHCP Server assigned for that IP.

    Trusted ports: DHCP Snooping limits DHCP traffic on a port (DHCP starvation) and blocks DHCP Offer from an unauthorized DHCP Server handing out IP addresses (man-in-the-middle attack).

    * Example: enable DHCP Snooping on vlan 34, mark ethernet 0/1 as the trusted port, and limit ethernet 0/1 to 70 DHCP packets per second.

    DHCP Snooping configuration:

    Switch(config)#ip dhcp snooping
    Switch(config)#ip dhcp snooping vlan 34
    Switch(config)#interface ethernet 0/1
    Switch(config-if)#ip dhcp snooping trust
    Switch(config-if)#ip dhcp snooping limit rate 70

  • 6.3 Configure Filtering on a Switch: STP manipulation

    STP manipulation targets the spanning tree root election.

    STP Root Guard. Guard modes: none, root guard, loop guard. none: neither root guard nor loop guard. root guard: the port is not allowed to become the spanning tree root. loop guard: if the port's max-age timer expires without receiving a BPDU, the port is not moved to forwarding.

    STP BPDU Guard. Portfast is used on ports that connect servers; a Portfast port joins the Spanning Tree without the normal delay and should never receive a BPDU. STP BPDU Guard puts a Portfast port that receives a BPDU into error-disable.

    * Example: enable BPDU Guard on all Portfast ports, and prevent ethernet 0/0 from becoming the spanning tree root.

    STP Root Guard / BPDU Guard configuration (the global BPDU Guard command requires the default keyword; the original line omitted it):

    Switch(config)#spanning-tree portfast bpduguard default
    Switch(config)#interface ethernet 0/0
    Switch(config-if)#spanning-tree guard root

  • 6.4 Configure Firewall:

    Public servers (Web Server, FTP Server) placed in a DMZ; NAT

    * DMZ figure: Internet, DMZ, Internet; design 1 (DMZ), design 2

  • 6.4 Configure Firewall

    TCP/UDP; Network Address Translation (NAT), private IP; (Policy); SYN Flood, IP fragmentation, ICMP

    References: http://firewalladmin.sourceforge.net/ http://www.fs-security.com/

  • 6.4 Configure Firewall

    IP; notification methods: Console, E-Mail, Pager, SNMP Trap, User Defined Program

    * Source: http://www.fs-security.com/

  • 6.4 Configure Firewall: SYN Flood

    A TCP connection between Client and Server starts with the TCP three-way handshake: 1. the Client sends a TCP segment with SYN=1; 2. the Server replies to the Client with SYN=1 + ACK=1; 3. the Client answers the SYN=1 + ACK=1 segment with ACK=1. A connection that has reached step 2 but not step 3 is a TCP half-open connection: the Server keeps the half-open entry while waiting for the Client's ACK to its SYN+ACK, and discards it after a timeout (30~2).

    * Figure: Client, Server; SYN (1), SYN+ACK (2), ACK (3); Half-open; TCP three-way handshake

  • 6.4 Configure Firewall: SYN Flood

    In a SYN Flood the Server's TCP half-open table is filled: the sender keeps sending SYN segments, the Server answers each with SYN+ACK, but the three-way handshake is never completed with an ACK, so every connection stays half-open.

    * Figure: TCP SYN flooding; SYN, SYN

  • 6.4 Configure Firewall: SYN Flood defenses

    Shorten the TCP half-open timeout (30 / 2 / 20) and limit the number of TCP half-open connections; send a TCP reset to clear stale half-open connections; SYN Cookies; TCP intercept.

    SYN Cookies: when a SYN arrives, the Server answers with a SYN+ACK whose sequence number carries a cookie (computed from the connection's TCP/UDP fields); the Server keeps no half-open entry. When the Client's ACK arrives, the cookie is recovered from the ACK sequence number and verified, and only then is the connection created.

    * Figure: SYN; SYN+ACK (cookie); ACK (cookie)

    TCP Intercept: the firewall answers the Client's SYN with SYN+ACK on the Server's behalf and only opens the connection to the Server after the Client's ACK completes the handshake.

  • 6.4 Configure Firewall: IP fragmentation

    A packet whose size exceeds the link's Maximum Transmission Unit is split by IP fragmentation and reassembled (Reassemble) at the destination. Attacks that abuse IP fragmentation: ping of death (an oversized ping request (ICMP echo request) whose IP Fragmentation overflows the reassembly Buffer); Tiny fragment (IP fragmentation with very small fragments).

    * Figure: Internet; Original Packet; Fragmentation; Reassemble; IP fragmentation

  • 6.4 Configure Firewall: IP fragmentation defenses

    ICMP; Virtual reassembly

    fragment database (IP)

    IP

    fragment database

    * SYSLOG messages for IP fragmentation anomalies (fragment overlapped, small fragment offset):

    IP fragment overlapped

    IP Fragmentation Buffer Full

    IP Fragment Overrun - Datagram Too Long

    IP Fragment Overwrite - Data is Overwritten

    IP Fragment Too Many Datagrams

    IP Fragment Incomplete Datagram

    IP Fragment Too Small

    Reference: http://en.wikipedia.org/wiki/IP_Fragmentation_Attackes

  • 6.4 Configure Firewall: ICMP

    Smurf attack (ICMP, IP): 1. an ICMP echo request is sent with a spoofed Source IP address (140.113.92.22) and the Destination IP address set to a broadcast address (140.125.30.255); 2. the request is delivered to every host on that broadcast network; 3. each host sends an ICMP echo reply to 140.113.92.22. Smurf turns a single ICMP echo request into many ICMP echo replies, a Denial of Service against the spoofed address.

    * Figure: ICMP; Smurf; steps 1, 2, 3

  • 6.5 Configure Filtering on a Router

    Router filtering features: NAT; Static packet filtering (Access Control List); Stateful packet filtering; URL filtering; Context-based filtering (overload); URL filtering Server

    * Figure, URL filtering with an external URL-filtering Server: 1. HTTP Request; 2. Look-up Request; 3. HTTP Response; 4. HTTP Request; 5. HTTP Response; 6. HTTP Response; Internet; URL-filtering Server; Web Server

  • 6.5 Configure Filtering on Router: Distributed Denial of Service (DDoS)

    Reference: WWW Security FAQ (http://www.w3.org/Security/Faq). A DDoS involves an Attacker, Handlers, Agents and a Victim: each Agent performs a Denial of Service (DoS) against the Victim. The Attacker sends Control Commands to the Handlers, the Handlers relay Control Commands to the Agents, and the Agents send Attack Traffic to the Victim. Attacker, Handler and Agent communicate in a Client/Server manner.

    * Figure: DDoS; Attacker; Handler; Agent; Victim

  • 6.5 Configure Filtering on Router: DDoS attack types

    Flood Attack: the Agents flood the Victim with UDP or ICMP packets or TCP Connections until the Victim is exhausted.

    Protocol Exploit Attack: for example TCP SYN.

    Amplification Attack: packets are sent to a Broadcast Address (Smurf) carrying the Victim's IP, so the hosts on the Intranet all reply to the Victim.

    Malformed Packet Attack: malformed IP packets, e.g. IP packet fields such as Quality of Service. 1

    *

  • 6.5 Configure Filtering on Router: DDoS defenses

    Session Layer: limit TCP half-open connections (TCP SYN Flood, Session, Flood Attack); IP fragmentation DoS; ICMP (Amplification Attack); Malformed Packet Attack (IP)

    * DDoS IP address filtering example: internal IP addresses 192.168.1.1 ~ 192.168.1.254; IP 10.0.0.1

  • Summary

    Filtering technologies: Static, Stateful, URL

    Devices: ( ), ( ), (URL filtering Server) *

  • References

    Linux iptables; Marcus Goncalves; Cisco (http://www.cisco.com/); http://firewalladmin.sourceforge.net/; http://www.fs-security.com/; http://www.w3.org/Security/Faq