CPSC 426/526
Firewalls, NATs and SDN

Ennan Zhai
Computer Science Department
Yale University



Recall: Lec-6

• Sybil attacks and defenses:
- What is a Sybil attack
- How to defend against Sybil attacks
- Case study: DSybil
- Case study: SybilGuard

Lecture Roadmap

• P2P vs Global Enterprises
• Firewalls
• NATs
• Software Defined Networks

P2P vs Global Companies

• In the P2P years:
- Any node could message other nodes out of the blue
- Early Internet applications had a P2P topology
- All the peers were individual machines on the public Internet

• The Internet succeeded and evolved:
- PC networking revolution
- More and more nontechnical users accessed the Internet
- IP address pressure from the 32-bit IP address space
- Security, protection and management issues

The Internet Evolved

• The Internet succeeded and evolved:
- PC networking revolution
- More and more nontechnical users accessed the Internet
- IP address pressure from the 32-bit IP address space
- Security, protection and management issues

• What happened?
- Big companies offer global services
- Firewalls and NATs were proposed to fix the above issues
- Originally separate; now bundled into the same box
- Back to the "client/server" model from the peer-to-peer model

The Internet Evolved (timeline)

1999: P2P Time
- Napster and BitTorrent
- Unstructured P2P
- DHTs

GFS [2003], MapReduce [2004]

Firewalls & NATs became popular

2005-2007: Cloud Time (smart devices)
- Cloud computing
- Cloud storage
- Cloud middle-box
- ...

Cloud companies need to do access control to manage enterprise networks!


Firewalls

• Firewalls were proposed to fix security problems:
- Public networks and private networks
- Inside: internal hosts assumed to be "friendly by default"
- Outside: public, external hosts assumed to be "unfriendly by default"

[Diagram: the firewall sits between the Internal Network and the public Internet]

• Administrators define access policies:
- Allow certain applications, disallow others
- Write rules or policies to manage internal networks

Firewalls

• How a typical firewall works:
- Look at the first packet on a connection
- Make a decision based on the policies
- For allowed connections, the first packet causes the firewall to create an entry in a flow table
- Subsequent packets in either direction are allowed if there is a flow table entry
- A flow is usually identified by its 5-tuple (source IP and port, destination IP and port, protocol type)

Firewall Example (in iptables)

    # ... earlier rules omitted on the slide ...
    iptables -A INPUT -p udp --dport 80 -j ACCEPT                  # allow UDP to port 80
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT                  # allow SSH
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT                  # allow HTTP
    iptables -A INPUT -p tcp -s 172.168.14.6 -j DROP               # drop other TCP from this host
    iptables -A INPUT -m limit --limit 6/second -p tcp -j ACCEPT   # rate-limit remaining TCP (the slide wrote "6/seconds"; the limit match takes "6/second")

Rules are appended (-A) to the INPUT chain and evaluated top to bottom; the first matching rule decides. Because the DROP for 172.168.14.6 sits below the ACCEPT rules for ports 22 and 80, that host can still reach those two ports.

Where the rules live: Linux Kernel -> Netfilter (the kernel's packet-filtering hooks) -> iptables (the user-space tool that installs the rules)

Firewalls

• Pros and cons:
- Pro: they do filter out a huge amount of harmful traffic
- Con: bad guys can still bypass the firewall in other ways
- Con: it is hard to reason about a complex firewall
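As an added example (not code from the lecture), here is the slide's rule set modelled as an iptables-style first-match walk plus the 5-tuple flow table of a stateful firewall. The chain policy DROP, the protected host 10.0.0.1, the constructed packets and a simplified limit match are assumptions; running it shows the shadowed DROP rule that makes the set hard to reason about.

```python
"""First-match walk over the lecture's iptables INPUT rules plus the flow table a
stateful firewall keeps.  Constructed example, not the lecture's code: the chain
policy DROP, the protected host 10.0.0.1 and the packet timestamps are assumptions,
and the limit match is simplified to 'at most N matches per second' (no token bucket)."""
from collections import defaultdict

# The slide's rules, in order: (match criteria, target). "limit" stands for -m limit --limit 6/second.
RULES = [
    ({"proto": "udp", "dport": 80}, "ACCEPT"),
    ({"proto": "tcp", "dport": 22}, "ACCEPT"),
    ({"proto": "tcp", "dport": 80}, "ACCEPT"),
    ({"proto": "tcp", "src": "172.168.14.6"}, "DROP"),
    ({"proto": "tcp", "limit": True}, "ACCEPT"),
]
CHAIN_POLICY = "DROP"  # assumption: the verdict when no rule matches

class StatefulFirewall:
    def __init__(self, rules=RULES, limit_per_second=6):
        self.rules, self.limit = rules, limit_per_second
        self.flows = set()                  # 5-tuples of accepted connections
        self.limit_hits = defaultdict(int)  # second -> packets the limit rule has matched

    def matches(self, criteria, pkt):
        for key, want in criteria.items():
            if key == "limit":
                if self.limit_hits[pkt["t"]] >= self.limit:
                    return False
            elif pkt.get(key) != want:
                return False
        return True

    def decide(self, pkt):
        """Walk the rules top to bottom; the first match decides, exactly as iptables does."""
        for index, (criteria, target) in enumerate(self.rules):
            if self.matches(criteria, pkt):
                if "limit" in criteria:
                    self.limit_hits[pkt["t"]] += 1
                return target, index
        return CHAIN_POLICY, None

    @staticmethod
    def five_tuple(pkt):
        return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])

    def filter(self, pkt):
        """Stateful path: only a flow's first packet is judged by the rules; later packets
        of an accepted flow pass in either direction on the strength of the flow table."""
        ft = self.five_tuple(pkt)
        reverse = (ft[0], ft[3], ft[4], ft[1], ft[2])
        if ft in self.flows or reverse in self.flows:
            return "ACCEPT", "flow-table"
        target, index = self.decide(pkt)
        if target == "ACCEPT":
            self.flows.add(ft)
        return target, index

def packet(proto, src, sport, dst, dport, t=0):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport, "t": t}

def shadowing_demo():
    """Why the set is hard to reason about: the DROP for 172.168.14.6 sits below the
    port 22/80 ACCEPTs, so that host still reaches SSH and HTTP; only other ports are dropped."""
    fw = StatefulFirewall()
    ssh = fw.decide(packet("tcp", "172.168.14.6", 40000, "10.0.0.1", 22))     # ("ACCEPT", 1)
    http = fw.decide(packet("tcp", "172.168.14.6", 40001, "10.0.0.1", 80))    # ("ACCEPT", 2)
    other = fw.decide(packet("tcp", "172.168.14.6", 40002, "10.0.0.1", 443))  # ("DROP", 3)
    return ssh, http, other

def flow_table_demo():
    """An accepted SSH SYN creates a flow entry, so the reply direction is accepted without a
    rule walk; seven new TCP flows to port 443 in one second show the limit rule running out."""
    fw = StatefulFirewall()
    first = fw.filter(packet("tcp", "1.2.3.4", 50000, "10.0.0.1", 22))   # ("ACCEPT", 1)
    reply = fw.filter(packet("tcp", "10.0.0.1", 22, "1.2.3.4", 50000))   # ("ACCEPT", "flow-table")
    verdicts = [fw.filter(packet("tcp", "5.6.7.8", 60000 + i, "10.0.0.1", 443, t=1))[0]
                for i in range(7)]                                       # six ACCEPT, then DROP
    return first, reply, verdicts
```

Moving the DROP rule above the two port ACCEPTs is the fix a reviewer of this rule set would ask for; re-running shadowing_demo with the reordered list makes all three verdicts DROP.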


A Simple NAT Example

Internal host 192.168.2.2 talks to external host 1.1.1.4 through a NAT whose public address is 1.1.1.8:

  Host -> NAT:          S=192.168.2.2:4445  D=1.1.1.4:7777
  NAT translation table: 192.168.2.2:4445 -> 1.1.1.8:10100
  NAT -> 1.1.1.4:       S=1.1.1.8:10100     D=1.1.1.4:7777

NAT (Network Address Translation)

• NATs were proposed to fix IP address pressure:
- Internal hosts are assigned private IP addresses
- An internal host initiates a flow from internal to external
- The NAT intercepts the first packet and allocates a public source port using the NAT's own public IP address
- The NAT maintains a translation table: internal IPs and ports -> external IPs and ports
- It uses the table to perform the same mapping in reverse on subsequent incoming packets of the flow

IPv4 Private IP Addresses

• According to Internet Engineering Task Force (IETF) document RFC 1918:
- 10.0.0.0/8: 10.0.0.0 -- 10.255.255.255
- 172.16.0.0/12: 172.16.0.0 -- 172.31.255.255
- 192.168.0.0/16: 192.168.0.0 -- 192.168.255.255

NAT (Network Address Translation)

• NATs also address ease of use:
- The organization only needs to buy one public IP address from the ISP for the NAT
- Internal hosts only need to know their internal IP addresses
- Users in the company just plug in the cables without knowing their IP addresses

UDP Hole Punching

To write applications for today's global Internet, we need to work around the ubiquity of firewalls and NATs.

• How can we make downstream traffic reach specific hosts in the internal network?

• How can we make two hosts behind two NATs communicate with each other?

Four Different Categories of NATs

• NATs have four different categories:
- Full cone NAT
- Restricted cone NAT
- Port restricted cone NAT
- Symmetric NAT

Full Cone NAT

• A full cone NAT is a NAT where all requests from the same internal IP address and port are mapped to the same public IP and port.

• Once a mapping is created, all incoming traffic to the public address is routed to the internal host without checking the address of the remote host.

Full Cone (trace)

Host A (192.168.2.2) sits behind the full cone NAT 1.1.1.4; Host B is 1.1.1.5 and Host C is 1.1.1.6.

  A -> NAT:   S=192.168.2.2:4445  D=1.1.1.5:7777
  Mapping:    192.168.2.2:4445 -> 1.1.1.4:10100
  Policy:     Allow ALL to 1.1.1.4:10100
  NAT -> B:   S=1.1.1.4:10100     D=1.1.1.5:7777
  B -> NAT:   S=1.1.1.5:4321      D=1.1.1.4:10100    (allowed)
  NAT -> A:   S=1.1.1.5:4321      D=192.168.2.2:4445
  C -> NAT:   S=1.1.1.6:1234      D=1.1.1.4:10100    (allowed, although A never sent to C)
  NAT -> A:   S=1.1.1.6:1234      D=192.168.2.2:4445


Restricted Cone NAT

• A restricted cone NAT: like a full cone NAT, all requests from the same internal IP address and port are mapped to the same public IP and port.

• Unlike a full cone NAT, a remote host with IP x can send a packet to the internal host only if the internal host had previously sent a packet to IP x.

Restricted Cone (trace)

Same hosts as above, with 1.1.1.4 now a restricted cone NAT.

  A -> NAT:   S=192.168.2.2:4445  D=1.1.1.5:7777
  Mapping:    192.168.2.2:4445 -> 1.1.1.4:10100
  Policy:     Allow 1.1.1.5 to 1.1.1.4:10100
  NAT -> B:   S=1.1.1.4:10100     D=1.1.1.5:7777
  B -> NAT:   S=1.1.1.5:4321      D=1.1.1.4:10100    (allowed: A has sent to 1.1.1.5; B's port does not matter)
  NAT -> A:   S=1.1.1.5:4321      D=192.168.2.2:4445
  C -> NAT:   S=1.1.1.6:1234      D=1.1.1.4:10100    ✘ dropped: A has not sent to 1.1.1.6
  A -> NAT:   S=192.168.2.2:4445  D=1.1.1.6:7777
  Policy:     Allow 1.1.1.5 to 1.1.1.4:10100; Allow 1.1.1.6 to 1.1.1.4:10100
  NAT -> C:   S=1.1.1.4:10100     D=1.1.1.6:7777
  C -> NAT:   S=1.1.1.6:4321      D=1.1.1.4:10100    (allowed now)
  NAT -> A:   S=1.1.1.6:4321      D=192.168.2.2:4445


Port Restricted Cone NAT

• A port restricted cone NAT is like a restricted cone NAT, but the restriction includes port numbers.

• An external host can send a packet, with source IP x and source port P, to the internal host only if the internal host had previously sent a packet to IP x and port P.

Port Restricted Cone (trace)

Same hosts, with 1.1.1.4 now a port restricted cone NAT.

  A -> NAT:   S=192.168.2.2:4445  D=1.1.1.5:7777
  Mapping:    192.168.2.2:4445 -> 1.1.1.4:10100
  Policy:     Allow 1.1.1.5:7777 to 1.1.1.4:10100
  NAT -> B:   S=1.1.1.4:10100     D=1.1.1.5:7777
  B -> NAT:   S=1.1.1.5:4321      D=1.1.1.4:10100    ✘ dropped: A sent to port 7777, not 4321
  B -> NAT:   S=1.1.1.5:7777      D=1.1.1.4:10100    (allowed)
  NAT -> A:   S=1.1.1.5:7777      D=192.168.2.2:4445


Symmetric NAT

• A symmetric NAT is a NAT where all requests from the same internal IP and port to a specific destination IP and port are mapped to the same public IP and port.

• If the same internal host sends a packet with the same source IP and port to a different destination, a different mapping is used.

• Only the external host that received a packet can send a UDP packet back to the internal host.

Symmetric NAT (trace)

Same hosts, with 1.1.1.4 now a symmetric NAT.

  A -> NAT:   S=192.168.2.2:4445  D=1.1.1.5:7777
  Mapping:    192.168.2.2:4445 -> 1.1.1.4:10100   (for destination 1.1.1.5:7777)
  Policy:     Allow 1.1.1.5:7777 to 1.1.1.4:10100
  NAT -> B:   S=1.1.1.4:10100     D=1.1.1.5:7777
  B -> NAT:   S=1.1.1.5:7777      D=1.1.1.4:10100    (allowed)
  NAT -> A:   S=1.1.1.5:7777      D=192.168.2.2:4445
  A -> NAT:   S=192.168.2.2:4445  D=1.1.1.6:7777
  Mapping:    192.168.2.2:4445 -> 1.1.1.4:10179   (a second mapping, for destination 1.1.1.6:7777)
  Policy:     Allow 1.1.1.6:7777 to 1.1.1.4:10179
  NAT -> C:   S=1.1.1.4:10179     D=1.1.1.6:7777
  C -> NAT:   S=1.1.1.6:7777      D=1.1.1.4:10179    (allowed)
  NAT -> A:   S=1.1.1.6:7777      D=192.168.2.2:4445
  C -> NAT:   S=1.1.1.6:7777      D=1.1.1.4:10100    ✘ dropped: port 10100 is mapped for 1.1.1.5:7777 only


How to make two hosts behind different NATs communicate with each other?

Two Hosts Behind NATs

Host A (private 192.168.2.2) sits behind NAT 155.9.3.1; Host B (private 192.168.2.1) sits behind NAT 132.76.29.7. Both are restricted cone NATs, and both hosts can reach the public server 18.181.3.3.

1. Host A contacts the server. NAT A creates the mapping Public (155.9.3.1:1900) <-> Private (192.168.2.2:4321) and, being restricted, now allows 18.181.3.3 in. The server records "Host A: Public (155.9.3.1:1900), Private (192.168.2.2:4321)".
2. Host B contacts the server. NAT B creates the mapping Public (132.76.29.7:7777) <-> Private (192.168.2.1:9999) and allows 18.181.3.3 in. The server records "Host B: Public (132.76.29.7:7777), Private (192.168.2.1:9999)".
3. The server tells each host the other's public endpoint.
4. Host A sends a packet to 132.76.29.7:7777. NAT A now also allows 132.76.29.7 in.
5. Host B sends a packet to 155.9.3.1:1900. NAT B now also allows 155.9.3.1 in, and because NAT A already allows 132.76.29.7, this packet reaches Host A.
6. From here on, packets in both directions pass through both NATs.

  NAT A allow list:  1. Allow 18.181.3.3 to me   2. Allow 132.76.29.7 to me
  NAT B allow list:  1. Allow 18.181.3.3 to me   2. Allow 155.9.3.1 to me
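The four NAT categories (full cone, restricted cone, port restricted cone, symmetric) and the two-hosts-behind-NATs exchange above, as one added example (not the lecture's code). Addresses are the slides'; the Packet and NAT classes, the rendezvous server's port 3478 and sequential public-port allocation (so the symmetric NAT's second port is 10101 rather than the slide's 10179) are assumptions.

```python
"""Simulator for the lecture's four NAT types and for the UDP hole punching exchange.
Constructed example, not the lecture's code.  Addresses come from the slides; the
server port 3478 and the sequential public-port allocation are assumptions."""
from dataclasses import dataclass, field

FULL, RESTRICTED, PORT_RESTRICTED, SYMMETRIC = "full", "restricted", "port-restricted", "symmetric"

@dataclass(frozen=True)
class Packet:
    src: tuple  # (ip, port)
    dst: tuple  # (ip, port)

@dataclass
class NAT:
    kind: str
    public_ip: str
    next_port: int = 10100
    mappings: dict = field(default_factory=dict)  # mapping key -> public port
    internal: dict = field(default_factory=dict)  # public port -> internal (ip, port)
    peers: dict = field(default_factory=dict)     # public port -> set of external (ip, port) sent to

    def outbound(self, pkt):
        """Translate a packet leaving the private network, allocating a mapping on first use."""
        # Symmetric: one mapping per (internal endpoint, destination); cone NATs: one per endpoint.
        key = (pkt.src, pkt.dst) if self.kind == SYMMETRIC else pkt.src
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.internal[self.next_port] = pkt.src
            self.peers[self.next_port] = set()
            self.next_port += 1
        pub = self.mappings[key]
        self.peers[pub].add(pkt.dst)  # remembering the destination is what opens the NAT for replies
        return Packet((self.public_ip, pub), pkt.dst)

    def inbound(self, pkt):
        """Translate a packet arriving from outside, or return None if the NAT drops it."""
        ip, port = pkt.dst
        if ip != self.public_ip or port not in self.internal:
            return None
        sent_to = self.peers[port]
        if self.kind == FULL:
            allowed = True                                                    # anyone may use the mapping
        elif self.kind == RESTRICTED:
            allowed = any(peer_ip == pkt.src[0] for peer_ip, _ in sent_to)  # source IP must have been contacted
        else:
            allowed = pkt.src in sent_to                                      # exact IP:port must match
        return Packet(pkt.src, self.internal[port]) if allowed else None

A, B, C = "192.168.2.2", "1.1.1.5", "1.1.1.6"  # Host A is behind NAT 1.1.1.4; B and C are public

def cone_trace(kind):
    """Replay the slides: A sends to B:7777, then B (from two ports) and C try to reach A."""
    nat = NAT(kind, "1.1.1.4")
    out = nat.outbound(Packet((A, 4445), (B, 7777)))
    from_b_other_port = nat.inbound(Packet((B, 4321), out.src)) is not None
    from_b_same_port = nat.inbound(Packet((B, 7777), out.src)) is not None
    from_c = nat.inbound(Packet((C, 1234), out.src)) is not None
    return out.src, from_b_other_port, from_b_same_port, from_c

def symmetric_mappings():
    """A symmetric NAT hands A a second public port when A talks to a second destination."""
    nat = NAT(SYMMETRIC, "1.1.1.4")
    return nat.outbound(Packet((A, 4445), (B, 7777))).src, nat.outbound(Packet((A, 4445), (C, 7777))).src

def hole_punch():
    """Hosts A and B behind restricted cone NATs rendezvous through server 18.181.3.3."""
    server = ("18.181.3.3", 3478)
    nat_a = NAT(RESTRICTED, "155.9.3.1", next_port=1900)
    nat_b = NAT(RESTRICTED, "132.76.29.7", next_port=7777)
    a_priv, b_priv = ("192.168.2.2", 4321), ("192.168.2.1", 9999)
    # 1. Both hosts contact the server, which learns their public endpoints; each NAT now admits the server.
    a_pub = nat_a.outbound(Packet(a_priv, server)).src
    b_pub = nat_b.outbound(Packet(b_priv, server)).src
    # 2. The server hands each host the other's public endpoint.  A sends first: this opens NAT A
    #    for 132.76.29.7, but NAT B drops it because B has not yet sent anything to 155.9.3.1.
    a_to_b = nat_a.outbound(Packet(a_priv, b_pub))
    dropped_at_b = nat_b.inbound(a_to_b) is None
    # 3. B sends to A's public endpoint: NAT B now admits 155.9.3.1, and NAT A already admits B.
    at_a = nat_a.inbound(nat_b.outbound(Packet(b_priv, a_pub)))
    # 4. A retries; both pinholes exist, so the packet reaches B's private address.
    at_b = nat_b.inbound(a_to_b)
    return a_pub, b_pub, dropped_at_b, at_a.dst, at_b.dst
```

Replacing RESTRICTED with SYMMETRIC in hole_punch makes step 3 fail as well: the public port each NAT allocated for the server is not the one it uses towards the peer, so the endpoints the server reported are useless, which is why hole punching is described for cone NATs only.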


Software Defined Networks

• We need an approach to easily manage the control plane for entire enterprise networks.

[Diagram: Traditional Network, with the control plane and data plane bundled in every box]

• Decouple the control and data planes by providing open standard APIs:

  Controller Application 1    Controller Application 2
                 \               /
                 Controller Platform
            /       |        |       \
          Rules   Rules    Rules   Rules      (pushed down to each switch)

Next Lecture

• In Lec-8, I will cover:
- Cloud platforms
- IaaS, PaaS and SaaS
- File systems and MapReduce