Chapter 6: Deploying a Firewall to Monitor and Manage Network Packets

Ministry of Education Information and Communication Talent Cultivation Pilot Program, Broadband Wired Teaching Promotion Alliance Center. Chapter 6: Deploying a Firewall to Monitor and Manage Network Packets. An indispensable member in defending enterprise network security: the firewall. In the dictionary a "firewall" is explained as a fire-resistant wall that stops fire from spreading; on the Internet a firewall is defined as a network device that stops network hackers from intruding into computer systems at will. A firewall increases the security of the enterprise network by filtering out certain untrusted data packets. This chapter first outlines the concept of firewalls and their basic types, then introduces packet filtering technology, and finally explains how to configure filtering policies on different network devices (such as switches, firewalls and routers) to carry out the work of defending enterprise network security.

Introduction
6.1 Firewall Technology
6.2 Filtering Technology
6.3 Configure Filtering on a Switch
6.4 Configure Filtering on a Firewall
6.5 Configure Filtering on a Router
6.1 Firewall Technology
Key terms: Firewall; Hacker; Internal Network; External Network; Internet
6.1 Firewall Technology
Key terms: Source IP Address; Destination IP Address; Source TCP/UDP Port; Destination TCP/UDP Port; Internet
6.1 Firewall Technology
Key terms: server; client; SMTP; WWW; Internet
6.1 Firewall Technology
Key terms: Windows; Transparency; IP; TCP/UDP port (TCP 25)
6.1 Firewall Technology
Key term: Access Control Policy
6.1 Firewall Technology
Key terms: Denial-of-Service attack; IP / Domain Name; Viruses; data attack
6.2 Filtering Technology: Static packet filtering
Static packet filtering decides on each packet by itself, using: Source IP Address; Destination IP Address; Source TCP/UDP Port; Destination TCP/UDP Port.
Example topology: host A 200.100.5.5 and host B 140.125.3.8, with the Internet between them.
6.2 Filtering Technology: Static packet filtering
Key terms: Input time; Output time; Input/Output; IP
6.2 Filtering Technology: Stateful packet filtering
Unlike static packet filtering, stateful packet filtering keeps track of the state of each connection. Implementations named: Cisco CBAC; Linux iptables.
TCP three-way handshaking as tracked by stateful packet filtering: 1. TCP SYN; 2. TCP ACK+SYN; 3. TCP ACK.
6.2 Filtering Technology: URL filtering
Key terms: URL filtering; P2P. Products named: Websense URL filtering; 3Com; Blue Coat; Check Point.
Reference: www.websense.com
6.3 Configure Filtering on a Switch
Layer 2 attacks covered: CAM table overflow; Media Access Control (MAC) address spoofing; DHCP starvation; VLAN hopping; Spanning-Tree Protocol (STP) manipulation
6.3 Configure Filtering on a Switch: Port security
Port security counters CAM table overflow by limiting which MAC addresses, and how many, may be learned on a port. Commands: switchport port-security mac-address binds a MAC address to the port; switchport port-security maximum (1~132) sets how many MAC addresses the port may learn (the slide's example uses 12). Violation modes: Protect (frames from MAC addresses beyond the limit are dropped); Restrict (as Protect, but a syslog message is also generated); Shutdown (the port is disabled and a syslog message is generated).
Example: on port ethernet 0/1, host A with MAC 11:22:33:44:55:66 is allowed; host B with MAC 77:88:99:AA:BB:CC connecting to Ethernet 0/1 is a violation.
Port Security configuration:
Switch(config)#interface ethernet 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security mac-address 1122.3344.5566
6.3 Configure Filtering on a Switch: DHCP Snooping
DHCP Snooping builds a DHCP Snooping binding table by watching the DHCP Request and DHCP Ack exchanges between clients and the DHCP Server; each binding records MAC address, IP address, vlan and port. Only a trusted port may forward DHCP Offer messages from a DHCP Server, which blocks a rogue DHCP Server handing out addresses for a man-in-the-middle attack; a rate limit on ports counters DHCP starvation.
Example: enable DHCP Snooping on vlan 34, make ethernet 0/1 the trusted port, and limit ethernet 0/1 to 70 DHCP packets per second.
DHCP Snooping configuration:
Switch(config)#ip dhcp snooping
Switch(config)#ip dhcp snooping vlan 34
Switch(config)#interface ethernet 0/1
Switch(config-if)#ip dhcp snooping trust
Switch(config-if)#ip dhcp snooping limit rate 70
6.3 Configure Filtering on a Switch: STP manipulation
STP manipulation is an attempt to take over the spanning tree root. Defences: STP Root Guard and STP BPDU Guard. The per-port guard setting is none, root guard or loop guard: none applies neither guard; root guard stops the port from becoming the spanning tree root; loop guard stops a port whose BPDUs have stopped arriving (max-age expiry) from moving to the forwarding state. Portfast is meant for ports facing servers and hosts, which should never receive a BPDU; STP BPDU Guard puts a Portfast port that receives a BPDU into error-disable.
Example: enable BPDU Guard on all Portfast ports, and stop ethernet 0/0 from becoming the spanning tree root.
STP Root Guard and BPDU Guard configuration:
Switch(config)#spanning-tree portfast bpduguard default
Switch(config)#interface ethernet 0/0
Switch(config-if)#spanning-tree guard root
6.4 Configure Firewall
Key terms: Web Server; FTP Server; DMZ; NAT; Internet
6.4 Configure Firewall
Key terms: TCP/UDP; Network Address Translation (NAT); private IP; Policy. Attacks covered: SYN Flood; IP fragmentation; ICMP.
References: http://firewalladmin.sourceforge.net/ http://www.fs-security.com/
6.4 Configure Firewall
Key term: IP. Notification methods listed: Console; E-Mail; Pager; SNMP Trap; User Defined Program
Reference: http://www.fs-security.com/
6.4 Configure Firewall: SYN Flood
SYN Flood abuses the TCP three-way handshake between Client and Server:
1. The Client sends a TCP segment with SYN=1.
2. The Server replies to the Client with a TCP segment with SYN=1 + ACK=1.
3. The Client replies with a TCP segment with ACK=1, and the TCP connection is established.
After step 2 the connection is TCP half-open: the Server has sent SYN+ACK and is waiting for the Client's ACK, and it keeps the half-open entry until a timeout expires.
Figure: Half-open TCP three-way handshake (Client, Server, SYN, SYN+ACK, ACK, steps 1 2 3)
6.4 Configure Firewall: SYN Flood
In a SYN Flood the attacker sends the Server a large number of SYN segments and never completes the three-way handshake with an ACK; the Server answers each with SYN+ACK and keeps a half-open connection for each, until its half-open table is exhausted and the Server can no longer accept connections.
Figure: TCP SYN flooding
6.4 Configure Firewall: SYN Flood defences
Shorten the TCP half-open timeout so stale half-open entries are cleared sooner, or send a TCP reset to drop them. SYN Cookies: when a SYN arrives, the Server answers SYN+ACK whose sequence number is a cookie computed from the connection's IP addresses and TCP/UDP ports, and keeps no half-open state; when the Client's ACK returns, the Server verifies the cookie in the ACK sequence number and only then allocates the connection. TCP intercept: the firewall answers the Client's SYN with SYN+ACK on the Server's behalf, and only after the Client's ACK completes the handshake does it open the connection to the Server.
Figure: SYN Cookies (SYN, SYN+ACK (cookie), ACK (cookie)); Figure: TCP Intercept (Client, Server, SYN, SYN+ACK, ACK)
6.4 Configure Firewall: IP fragmentation
A packet larger than the link's Maximum Transmission Unit is split by IP fragmentation and put back together by reassembly (Reassemble) at the receiver. Attacks that abuse this: ping of death, an oversized ping request (ICMP echo request) whose fragments overflow the IP fragmentation reassembly buffer (Buffer); Tiny fragment, IP fragmentation into very small pieces.
Figure: Internet, Original Packet, Fragmentation, Reassemble (IP fragmentation)
6.4 Configure Firewall: IP fragmentation defences
Key terms: ICMP; Virtual reassembly; fragment database; IP; SYSLOG
Conditions reported: fragment overlapped; small fragment offset. SYSLOG messages for IP fragmentation:
IP fragment overlapped
IP Fragmentation Buffer Full
IP Fragment Overrun - Datagram Too Long
IP Fragment Overwrite - Data is Overwritten
IP Fragment Too Many Datagrams
IP Fragment Incomplete Datagram
IP Fragment Too Small
Reference: http://en.wikipedia.org/wiki/IP_Fragmentation_Attackes
6.4 Configure Firewall: ICMP
Smurf attack using ICMP:
1. The attacker sends an ICMP echo request whose Source IP address is spoofed to the victim's address (140.113.92.22) and whose Destination IP address is a broadcast address (140.125.30.255).
2. Every host on the broadcast network receives the request.
3. Every host sends an ICMP echo reply to the victim, which is flooded with replies: a Denial of Service.
Figure: ICMP Smurf attack, steps 1, 2, 3
6.5 Configure Filtering on a Router
Filtering functions on a router: NAT (including overload); Static packet filtering (Access Control List); Stateful packet filtering; URL filtering, which consults an external URL filtering Server; Context-based filtering.
URL filtering flow (figure):
1. HTTP Request from the client to the router
2. Look-up Request from the router to the URL-filtering Server
3. Response from the URL-filtering Server
4. HTTP Request forwarded over the Internet to the Web Server
5. HTTP Response from the Web Server
6. HTTP Response returned to the client
6.5 Configure Filtering on Router: Distributed Denial of Service (DDoS)
DDoS, as described in the WWW Security FAQ (http://www.w3.org/Security/Faq): an Attacker uses many Agents to overwhelm a Victim, so that a single DoS attack becomes a distributed one. Roles: Attacker, Handler, Agent, Victim. The Attacker sends a Control Command to the Handlers; each Handler passes the Control Command to its Agents; the Agents send the Attack Traffic to the Victim. Handlers and Agents communicate in a Client/Server model.
Figure: DDoS architecture (Attacker, Handler, Agent, Victim)
6.5 Configure Filtering on Router: DDoS attack types
Flood Attack: Agents send the Victim a large volume of UDP or ICMP traffic, or open many TCP connections, exhausting the Victim's bandwidth or resources.
Protocol Exploit Attack: abuses a protocol weakness, such as TCP SYN flooding.
Amplification Attack: packets sent to a broadcast address (Broadcast Address) are answered by every host on that network (Intranet), as in Smurf, so the Victim, whose IP is used as the source, receives amplified traffic.
Malformed Packet Attack: deliberately malformed IP packets (IP header fields such as Quality of Service) sent to the Victim.
6.5 Configure Filtering on Router: DDoS defences
Key terms: Session Layer; TCP half-open; TCP SYN Flood; Flood Attack; IP fragmentation DoS; ICMP; Amplification Attack; Malformed Packet Attack; IP; DDoS
Addresses in the slide's IP filtering example: internal network 192.168.1.1 to 192.168.1.254; 10.0.0.1
Summary
Filtering technologies covered: Static packet filtering; Stateful packet filtering; URL filtering (with a URL filtering Server); and their configuration on switches, firewalls and routers.
References
Linux iptables
Marcus Goncalves
Cisco (http://www.cisco.com/)
http://firewalladmin.sourceforge.net/
http://www.fs-security.com/
http://www.w3.org/Security/Faq