Network Security Administrator Module VIII: Packet Filtering and Proxy Servers

Post on 30-Nov-2015


Network Security Administrator

Module VIII:

Packet Filtering and Proxy Servers

EC-Council. Copyright © by EC-Council

All Rights reserved. Reproduction is strictly prohibited

Module Objectives

Introduction of NAT

Application Layer Gateways

Defining: VPN, IDS

Packet Filtering

Packet Filtering Approaches

Filtering by TCP/UDP Port Number

Filtering ACK flags

Filtering Packet Contents

Proxy servers

Authentication Process

Authentication Process Types


Module Flow

NAT

Application Layer Gateways

VPN

IDS

Packet Filtering

Packet Filtering Approaches

Filtering by TCP/UDP Port Number

Filtering ACK Flags

Proxy servers

Authentication Process

Authentication Process Types


Network Address Translation

Conceals the TCP/IP information of hosts in the network

Functions as a network layer proxy making requests on behalf of all internal hosts over the network

Converts IP address of internal hosts to IP address of the firewall

NAT-equipped firewall receives the request and replaces the genuine IP address
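The translation described on this slide, as an added example that is not code from the EC-Council module. It goes one step beyond the slide by also tracking source ports, which a firewall translating many internal hosts to a single public address needs in order to route replies back. The addresses follow the module's figure (internal 11.0.0.0/24, public 24.44.8.0); the remote server 203.0.113.10 and the port numbers are constructed.

```python
"""Many-to-one NAT table as kept by a NAT-equipped firewall (added example)."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

INTERNAL_NET = ip_network("11.0.0.0/24")   # private network from the module's figure
FIREWALL_PUBLIC_IP = "24.44.8.0"           # firewall address from the module's figure


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatTable:
    """Maps (internal ip, port) to a port on the public address, and back."""

    def __init__(self, public_ip: str = FIREWALL_PUBLIC_IP, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._next_port = first_port
        # (internal ip, internal port, proto) -> public port
        self._out: Dict[Tuple[str, int, str], int] = {}
        # (public port, proto) -> (internal ip, internal port)
        self._in: Dict[Tuple[int, str], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Replace an internal host's genuine source address with the firewall's."""
        if ip_address(pkt.src_ip) not in INTERNAL_NET:
            raise ValueError(f"{pkt.src_ip} is not on the internal network")
        key = (pkt.src_ip, pkt.src_port, pkt.proto)
        if key not in self._out:                 # first packet of this flow: allocate a public port
            port = self._next_port
            self._next_port += 1
            self._out[key] = port
            self._in[(port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=self._out[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a reply back to the internal host; None if no internal host requested it."""
        if pkt.dst_ip != self.public_ip:
            return None
        target = self._in.get((pkt.dst_port, pkt.proto))
        if target is None:                       # unsolicited: internal hosts stay concealed
            return None
        int_ip, int_port = target
        return replace(pkt, dst_ip=int_ip, dst_port=int_port)


if __name__ == "__main__":
    nat = NatTable()
    request = Packet("11.0.0.3", 1087, "203.0.113.10", 80)   # constructed request
    translated = nat.outbound(request)
    print("server sees request from", translated.src_ip, translated.src_port)
    reply = Packet("203.0.113.10", 80, translated.src_ip, translated.src_port)
    print("reply delivered to", nat.inbound(reply))
```

The inbound path is where the concealment actually happens: a packet aimed at the public address is only forwarded if an internal host created the mapping, so an unsolicited packet has no internal destination to reach.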


NAT

Figure: internal hosts 11.0.0.1 through 11.0.0.6 on the private network; a request from 11.0.0.3 passes through the firewall (24.44.8.0) and the router to the Internet; the server sees the request as coming from 24.44.8.0.


Application Layer Gateways

Also known as a ‘proxy server’; operates at the application layer of the OSI model

Controls network access by establishing proxy services

Inspects the content in the packet header to decide whether to grant or deny access

Security Techniques:

• Load balancing:

– Divides the traffic load and enables firewalls to monitor the traffic

• IP address mapping:

– Maps a static IP address to the private IP address of a computer

• Filtering content:

– Blocks files, file names, keywords, e-mail attachments or content types

• URL Filtering:

– Blocks a site’s DNS name


Application Proxies

Acts on behalf of a host: handles requests, rebuilds them and forwards them to the intended location

Compatible with a dual-homed host or screened host system

Dual-Homed Host:

• Lies between the internal LAN and the Internet

• Proxy server software makes requests and forwards packets from the Internet


Packet Filtering

Blocks or allows transmission of packets on the basis of port, IP address and protocol

Common rules for packet filtering are:

• Drop all inbound connections

• Drop packets destined for any port not made available to the Internet

• Filter ICMP redirect and echo messages

• Drop all packets using the IP header source routing feature
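The four common rules above, written out as a stateless filter that inspects headers only. This is an added example, not code from the EC-Council module: the published ports (TCP 80/443, UDP 53), the firewall address 24.44.8.0 and the sample packets are constructed. The IP option numbers for loose and strict source routing (131, 137) are those defined in RFC 791.

```python
"""Stateless (static) packet filter implementing the module's four common rules (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# IP option numbers for loose and strict source routing (RFC 791)
IPOPT_LSRR, IPOPT_SSRR = 131, 137
ICMP_REDIRECT, ICMP_ECHO_REQUEST = 5, 8

# Services deliberately published to the Internet (constructed)
EXPOSED_TCP_PORTS = frozenset({80, 443})
EXPOSED_UDP_PORTS = frozenset({53})


@dataclass(frozen=True)
class Packet:
    direction: str                          # "in" (from the Internet) or "out"
    proto: str                              # "tcp", "udp" or "icmp"
    src_ip: str
    dst_ip: str
    dst_port: int = 0
    flags: FrozenSet[str] = frozenset()     # TCP flags, e.g. frozenset({"SYN"})
    icmp_type: int = -1
    ip_options: FrozenSet[int] = frozenset()


def decide(pkt: Packet) -> Tuple[str, str]:
    """Return (verdict, matched rule) for one packet from its headers alone."""
    # Rule 4: drop any packet using IP source routing, in either direction
    if pkt.ip_options & {IPOPT_LSRR, IPOPT_SSRR}:
        return "drop", "source-routed"
    if pkt.direction == "out":
        return "allow", "outbound"
    # Rule 3: filter inbound ICMP redirect and echo request
    if pkt.proto == "icmp":
        if pkt.icmp_type in (ICMP_REDIRECT, ICMP_ECHO_REQUEST):
            return "drop", f"icmp-type-{pkt.icmp_type}"
        return "allow", "icmp-other"
    if pkt.proto == "tcp":
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            # Rules 1 and 2: inbound connection attempts only reach published ports
            if pkt.dst_port in EXPOSED_TCP_PORTS:
                return "allow", "exposed-tcp-port"
            return "drop", "inbound-connection"
        # ACK set: the packet claims to belong to an existing session, and a
        # stateless filter has no state table with which to check that claim
        return "allow", "ack-heuristic"
    if pkt.proto == "udp" and pkt.dst_port in EXPOSED_UDP_PORTS:
        return "allow", "exposed-udp-port"
    # Rule 2: everything else aimed at unpublished ports is dropped
    return "drop", "default-deny"


def run(packets: List[Packet]) -> List[str]:
    """Apply the rule base to a batch of packets and produce one log line each."""
    lines = []
    for pkt in packets:
        verdict, rule = decide(pkt)
        lines.append(f"{pkt.direction:>3} {pkt.proto:<4} {pkt.src_ip}->{pkt.dst_ip}:{pkt.dst_port} "
                     f"{verdict} ({rule})")
    return lines


# Constructed sample traffic at a firewall with public address 24.44.8.0
SAMPLE = [
    Packet("in", "tcp", "203.0.113.9", "24.44.8.0", 443, frozenset({"SYN"})),
    Packet("in", "tcp", "203.0.113.9", "24.44.8.0", 22, frozenset({"SYN"})),
    Packet("in", "icmp", "203.0.113.9", "24.44.8.0", icmp_type=ICMP_ECHO_REQUEST),
    Packet("in", "udp", "203.0.113.9", "24.44.8.0", 53),
    Packet("out", "tcp", "11.0.0.3", "203.0.113.9", 80, frozenset({"SYN"}),
           ip_options=frozenset({IPOPT_LSRR})),
]

if __name__ == "__main__":
    print("\n".join(run(SAMPLE)))
```

The "ack-heuristic" branch is the built-in limit of this approach: with no record of which connections exist, the filter has to take the ACK flag at face value, which is the weakness the module's ACK-flag and stateful-inspection slides address.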


Packet Filtering: Devices

Routers:

• Common packet filters that prevent unauthorized traffic from entering the network

Operating Systems:

• Windows and Linux have built-in utilities that perform packet filtering on the TCP/IP stack

Software Firewalls:

• Check Point Firewall-1 performs stateful filtering


Packet Filtering: Approaches

Stateless (static) Packet Filtering:

• Reviews packet header contents and decides whether to allow or discard the packets

• Blocks traffic from a subnet or other traffic

Stateful Packet Filtering (Stateful Inspection):

• Maintains connection status while performing all the functions of stateless packet filtering


Stateless Packet Filtering

Determines whether a data transfer is allowed to flow or is blocked, without considering whether a connection is established

Used to block traffic completely

Configuration:

• IP header information

• TCP/UDP port number in use

• The ICMP message type

• Fragmentation flags and TCP flags (ACK, SYN)


Filtering Based On IP Header

Compares header data against rule base and forwards packets that match the criteria on the basis of:

• Packet’s source IP address

• Destination or target IP address

• Protocol for the host requesting access

• IP protocol and ID field in the header


TCP Flags in a Packet Header


Filtering Based On TCP/UDP Port Number

Also called port filtering or protocol filtering

Filters a wide variety of information like:

• SMTP and POP e-mail messages

• NetBIOS sessions

• DNS requests

• Network News Transfer Protocol (NNTP) newsgroup sessions


Filtering Based On Fragmentation Flags

Fragmenting packets allows them to traverse the network with ease regardless of their size

Only the first fragment carries the port number

Downside of fragmentation:

• Modifying the IP header so that the fragment numbering starts with 1 lets the fragments pass through the network

Measure to stop fragments from traversing the network:

• Employ a firewall to reassemble the fragments and pass the complete packets to the network
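The measure just described, as an added example that is not code from the EC-Council module: a firewall-side reassembler that holds fragments until a datagram is complete and only then applies the port check, so a fragment whose numbering starts at 1 with no offset-0 piece never reaches the network. Fragments are modelled by the IP header fields that matter (identification, fragment offset in 8-byte units, MF flag) plus payload; the addresses, identifiers and sample segments are constructed.

```python
"""Reassemble IP fragments before port filtering (added example)."""
import struct
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ident: int        # IP identification: shared by every fragment of one datagram
    offset: int       # fragment offset in 8-byte units, exactly as in the IP header
    more: bool        # MF flag: True on every fragment but the last
    payload: bytes


class Reassembler:
    """Hold fragments per datagram; hand back the full payload only once it is complete."""

    def __init__(self) -> None:
        self._pending: Dict[Tuple[str, str, int], List[Fragment]] = {}

    def add(self, frag: Fragment) -> Optional[bytes]:
        key = (frag.src, frag.dst, frag.ident)
        frags = self._pending.setdefault(key, [])
        frags.append(frag)
        frags.sort(key=lambda f: f.offset)
        # Complete only when the last fragment (MF=0) is present and coverage starts at offset 0
        if frags[-1].more or frags[0].offset != 0:
            return None
        data = bytearray()
        for f in frags:
            if f.offset * 8 != len(data):   # a gap still to arrive, or an overlap we refuse to honour
                return None
            data += f.payload
        del self._pending[key]
        return bytes(data)


def tcp_dst_port(datagram: bytes) -> int:
    """Destination port is bytes 2-3 of the TCP header, i.e. of the reassembled payload."""
    return struct.unpack("!HH", datagram[:4])[1]


def filter_fragments(frags: List[Fragment],
                     allowed_ports: FrozenSet[int] = frozenset({80, 443})) -> List[Tuple[int, int, str]]:
    """Feed fragments through reassembly; only whole datagrams reach the port check."""
    reassembler = Reassembler()
    verdicts = []
    for frag in frags:
        datagram = reassembler.add(frag)
        if datagram is None:
            continue                         # incomplete datagrams never leave the firewall
        port = tcp_dst_port(datagram)
        verdicts.append((frag.ident, port, "allow" if port in allowed_ports else "drop"))
    return verdicts


def split(src: str, dst: str, ident: int, segment: bytes, first_len: int = 8) -> List[Fragment]:
    """Constructed helper: cut one TCP segment into a first and a last fragment."""
    return [Fragment(src, dst, ident, 0, True, segment[:first_len]),
            Fragment(src, dst, ident, first_len // 8, False, segment[first_len:])]


SRC, DST = "203.0.113.9", "24.44.8.0"   # constructed external sender and firewall address
SAMPLE = (
    split(SRC, DST, 100, struct.pack("!HH", 40000, 23) + bytes(16))    # to port 23: to be dropped
    + split(SRC, DST, 101, struct.pack("!HH", 40001, 80) + bytes(16))  # to port 80: allowed
    + [Fragment(SRC, DST, 102, 1, False, bytes(8))]                    # no offset-0 piece: never completes
)

if __name__ == "__main__":
    for ident, port, verdict in filter_fragments(SAMPLE):
        print(f"datagram {ident}: dst port {port} -> {verdict}")
```

Datagram 102 produces no verdict at all: without an offset-0 fragment the reassembler never releases it, which is exactly the behaviour the slide asks the firewall to enforce.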


Filtering Based On ICMP Message Type

ICMP enables the network to handle communication problems

Hackers exploit ICMP packets to crash computers on the network

ICMP packets have no authentication method to verify the authenticity of the packet

Firewall/packet filter determines the authenticity of the ICMP packet


Filtering Based On ICMP Message Type (Cont)

ICMP Type    Name                          Possible Cause
0            Echo reply                    Normal response to a ping
3            Destination unreachable       Destination unreachable
3, code 6    Destination network unknown   Destination network unknown
3, code 7    Destination host unknown      Destination host unknown
4            Source quench                 Router receiving too much traffic
5            Redirect                      Faster route located
8            Echo request                  Normal ping request
11           Time exceeded                 Too many hops to destination
12           Parameter problem             There is a problem with a parameter


Filtering Based On ACK Flags

ACK flag:

• Indicates either a connection request or an established connection

• A hacker can set the ACK flag to 1

Configure the firewall to allow access to ports and to specify the direction of data flow for packets with the ACK flag set to 1


Filtering Suspicious Inbound packets

The firewall alerts on the arrival of packets from the external network that carry an internal network IP address

Firewalls allow the user to permit or deny such packets:

• Case-by-case basis

• Automatically, by setting rules


Stateful Packet Filtering

Maintains records of the state of the connection

Maintains a state table listing the current connections

Consults the state table and the rule base when a packet is encountered

Permits packets based on previously accepted packets


Stateful Packet Filtering

Figure: internal host on the Ethernet segment, router/firewall, Internet, and the www.course.com Web server.

1. Host attempts to connect to www.course.com

2. Router checks the state table and sees that no connection exists; a state entry is created and the request is passed to the rule base

3. A rule that internal hosts may access TCP/80 exists; packets are allowed to pass through

4. Packets received by the course.com Web server; SYN/ACK reply sent to the firewall

5. Packets received; state table entry referenced

6. Packets allowed to pass

State Table entry:

Source IP: www.course.com

Source port: 70

Destination IP: 10.0.0.6

Destination port: 1087

Transport: TCP
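The six-step walk-through above, as an added example that is not code from the EC-Council module. It also covers the two earlier slides on ACK flags and suspicious inbound packets: an inbound packet with only the ACK flag set is dropped unless the state table holds a matching connection, and an inbound packet carrying an internal source address is dropped with an alert. www.course.com is stood in for by the constructed address 198.51.100.20; 10.0.0.6 and port 1087 come from the slide's state table, and the internal network 10.0.0.0/24 is assumed from that address.

```python
"""Stateful inspection: a state table consulted alongside the rule base (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Tuple

INTERNAL_NET = ip_network("10.0.0.0/24")   # assumed from the slide's 10.0.0.6
WEB_SERVER = "198.51.100.20"               # constructed stand-in for www.course.com


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: FrozenSet[str]
    proto: str = "tcp"


StateKey = Tuple[str, int, str, int, str]   # (src ip, src port, dst ip, dst port, proto)


class StatefulFilter:
    def __init__(self, allowed_outbound_ports: FrozenSet[int] = frozenset({80, 443})) -> None:
        self.rule_base = allowed_outbound_ports     # "internal hosts may access TCP/80"
        self.state: Dict[StateKey, str] = {}        # connection -> status
        self.alerts: List[str] = []

    @staticmethod
    def _forward(p: Packet) -> StateKey:
        return (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto)

    @staticmethod
    def _reverse(p: Packet) -> StateKey:
        return (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto)

    def outbound(self, p: Packet) -> str:
        key = self._forward(p)
        if key in self.state:                              # continuing an accepted connection
            return "allow"
        if "SYN" in p.flags and "ACK" not in p.flags:      # step 2: new connection, consult rule base
            if p.dst_port in self.rule_base:               # step 3: a matching rule exists
                self.state[key] = "syn-sent"
                return "allow"
            return "drop"
        return "drop"                                      # mid-stream packet with no state

    def inbound(self, p: Packet) -> str:
        if ip_address(p.src_ip) in INTERNAL_NET:           # our own addresses never arrive from outside
            self.alerts.append(f"spoofed internal source {p.src_ip} on external interface")
            return "drop"
        key = self._reverse(p)
        if key in self.state:                              # step 5: state table entry referenced
            if p.flags >= {"SYN", "ACK"}:                  # step 4's SYN/ACK completes the handshake
                self.state[key] = "established"
            return "allow"                                 # step 6
        return "drop"                                      # ACK=1 alone proves nothing without state


if __name__ == "__main__":
    fw = StatefulFilter()
    print(fw.outbound(Packet("10.0.0.6", 1087, WEB_SERVER, 80, frozenset({"SYN"}))))
    print(fw.inbound(Packet(WEB_SERVER, 80, "10.0.0.6", 1087, frozenset({"SYN", "ACK"}))))
    print(fw.inbound(Packet("203.0.113.9", 4444, "10.0.0.6", 1087, frozenset({"ACK"}))))
    print(fw.state, fw.alerts)
```

Compared with the stateless approach, the decision for an inbound packet no longer rests on what the sender put in the flags field; it rests on whether an internal host created the connection in the first place.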


Filtering Based On Packet Contents

Stateful Inspection:

• Examines the contents of packets and headers to ensure reliability

Proxy Gateway:

• Examines the data in a packet and evaluates which application should handle it

Specialty Firewall:

• Examines the body of e-mail messages or Web pages to identify malicious content


Overview of Proxy Servers

Other Names:

• Proxy services

• Application-level gateways

• Application proxies

Scans and acts on the data part of an IP packet

Working:

• Intercepts a request from an internal network computer and transmits it to the destination computer on the Internet


Proxy Server vs. Packet Filtering

Scans the complete data part of IP packets and creates elaborate log file listings

Restructures packets with new source IP information, which protects internal users from outsiders

Server on the Internet and an internal host are never directly connected to one another

More vital to network communications


Goals of Proxy Servers

Conceals Internal Clients

• Hides internal clients from external clients who try to gain access to internal networks

Blocks URLs

• Prevents employees from visiting websites that offer content regarded as inappropriate by the management

Blocks and Filters Content

• Scans the packets for contents that can cause troubles

Protects E-mail Proxy

• Protects users surfing the Internet including e-mails


Goals of Proxy Servers (Cont)

Improves Performance

• Decreases the access time for documents requested frequently

Ensures Security

• Provides a reliable checkpoint to monitor network activity

Provides user authentication

• Enhances security when used in combination with authentication

Redirects URLs

• Scans specific parts of the data part of an HTTP packet and redirects it to specific location
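The application-layer controls listed on the Application Layer Gateways slide and on the two Goals of Proxy Servers slides (URL blocking by DNS name, content filtering by file name, keyword and content type, URL redirection), as one added example that is not code from the EC-Council module. The policy values, host names and requests are constructed; the hostnames use the reserved .example and .invalid labels.

```python
"""Application-layer (proxy) policy evaluation (added example)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class HttpRequest:
    host: str
    path: str
    content_type: str = ""            # from the response being relayed back to the client
    attachment: Optional[str] = None  # filename from Content-Disposition, if any
    body: bytes = b""                 # response body, available to a proxy but not to a packet filter


@dataclass
class ProxyPolicy:
    blocked_domains: FrozenSet[str] = frozenset()
    blocked_extensions: FrozenSet[str] = frozenset()
    blocked_types: FrozenSet[str] = frozenset()
    blocked_keywords: FrozenSet[bytes] = frozenset()
    redirects: Dict[str, str] = field(default_factory=dict)   # path prefix -> new location

    def evaluate(self, req: HttpRequest) -> Tuple[str, str]:
        """Return (action, detail): block/redirect/allow plus the rule that fired."""
        host = req.host.lower().rstrip(".")
        # URL filtering: block the site's DNS name and everything beneath it
        for domain in self.blocked_domains:
            if host == domain or host.endswith("." + domain):
                return "block", f"domain:{domain}"
        # URL redirection: rewrite a matching path prefix to a specific location
        for prefix, target in self.redirects.items():
            if req.path.startswith(prefix):
                return "redirect", target + req.path[len(prefix):]
        # Content filtering: file name (attachment or last path segment), then type, then keywords
        name = (req.attachment or req.path.rsplit("/", 1)[-1]).lower()
        ext = name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in self.blocked_extensions:
            return "block", f"extension:.{ext}"
        if req.content_type.split(";")[0].strip().lower() in self.blocked_types:
            return "block", f"type:{req.content_type}"
        body = req.body.lower()
        for keyword in self.blocked_keywords:
            if keyword in body:
                return "block", f"keyword:{keyword.decode()}"
        return "allow", "default"


# Constructed policy
POLICY = ProxyPolicy(
    blocked_domains=frozenset({"blocked.example"}),
    blocked_extensions=frozenset({"exe", "scr"}),
    blocked_types=frozenset({"application/x-msdownload"}),
    blocked_keywords=frozenset({b"confidential"}),
    redirects={"/old/": "https://intranet.example.invalid/new/"},
)

if __name__ == "__main__":
    for req in (HttpRequest("www.blocked.example", "/"),
                HttpRequest("files.example", "/dl/setup.EXE"),
                HttpRequest("a.example", "/old/page"),
                HttpRequest("a.example", "/index.html")):
        print(req.host, req.path, "->", POLICY.evaluate(req))
```

Every decision here depends on data that lives above the transport layer, which is why the module places these controls in the proxy rather than in the packet filter.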


Proxy Server Based Firewalls

Transparent Proxies:

• Can be configured to be completely invisible to the end users

Nontransparent Proxies:

• Require client software to be configured to use the server software

SOCKS-Based Proxies:

• SOCKS Protocol:

– Enables the establishment of generic proxy applications

• SOCKS Features:

– Has security-related advantages


Firewall: Authentication Process

Process of identifying users and providing network services based on their identity

Types of authentication:

• Basic authentication

– Server matches the username-password pair supplied by the client

• Challenge-response authentication

– Firewall generates a random code or number termed the challenge

• Centralized authentication service

– Centralized server handles the three practices:

– Authentication

– Authorization

– Auditing


Firewalls Implementing The Authentication Process

1. Client sends a request to access a resource

2. Firewall intercepts the request and prompts the user for name and password

3. User submits the information to the firewall

4. User is authenticated

5. Request is verified against the firewall’s rule base

6. If the request matches an existing allow rule, the user is granted access

7. User accesses the required resources
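The flow above, using the challenge-response variant from the previous slide, as an added example that is not code from the EC-Council module. The firewall issues a random challenge, the client answers with an HMAC of it under a shared secret, and only an authenticated user whose request matches an explicit rule is granted access. The user database, shared secret, resource names and rule base are constructed.

```python
"""Firewall authentication gateway: challenge-response login, then a rule-base check (added example)."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set

# Constructed user database: per-user shared secret known to the client and the firewall
USER_SECRETS: Dict[str, bytes] = {"alice": b"constructed-secret-for-alice"}
# Constructed rule base: resources each authenticated user may reach
RULE_BASE: Dict[str, Set[str]] = {"alice": {"intranet.example.invalid:443"}}


class FirewallAuth:
    """Steps 2 to 7 of the module's flow: intercept, challenge, verify, check the rule base."""

    def __init__(self) -> None:
        self._pending: Dict[str, bytes] = {}   # user -> outstanding challenge
        self.authenticated: Set[str] = set()

    def challenge(self, user: str) -> Optional[bytes]:
        """Issue a fresh random challenge; None for unknown users."""
        if user not in USER_SECRETS:
            return None
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        """Check HMAC-SHA256(secret, challenge) in constant time; each challenge is single-use."""
        nonce = self._pending.pop(user, None)
        if nonce is None:
            return False
        expected = hmac.new(USER_SECRETS[user], nonce, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, response)
        if ok:
            self.authenticated.add(user)
        return ok

    def authorize(self, user: str, resource: str) -> str:
        """Grant access only to an authenticated user with an explicit allow rule."""
        if user not in self.authenticated:
            return "deny: not authenticated"
        if resource in RULE_BASE.get(user, set()):
            return "allow"
        return "deny: no matching rule"


def client_response(secret: bytes, challenge: bytes) -> bytes:
    """The client's side: prove knowledge of the secret without sending it."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def login_and_access(fw: FirewallAuth, user: str, secret: bytes, resource: str) -> str:
    """Run the whole exchange for one client request and return the firewall's decision."""
    challenge = fw.challenge(user)                                 # step 2: request intercepted
    if challenge is None:
        return "deny: unknown user"
    if not fw.verify(user, client_response(secret, challenge)):    # steps 3 and 4
        return "deny: bad credentials"
    return fw.authorize(user, resource)                            # steps 5 to 7


if __name__ == "__main__":
    fw = FirewallAuth()
    print(login_and_access(fw, "alice", USER_SECRETS["alice"], "intranet.example.invalid:443"))
    print(login_and_access(fw, "alice", b"wrong", "intranet.example.invalid:443"))
```

Authentication and authorization are kept as separate steps, as the slide's flow has them: passing the challenge says who the user is, and only the rule base says what that user may reach.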


Firewalls: Types Of Authentication Process

User Authentication:

• Basic type of authentication where the user is given access to resources by verifying username and password

Client Authentication:

• Identical to user authentication with the addition of usage restrictions

Session Authentication:

• Requests authentication whenever a client establishes a session to connect to a network resource


Summary

NAT hides the TCP/IP information of hosts in the network and converts the IP addresses of internal hosts to that of the firewall and vice versa

Proxy servers limit network access by setting up proxy services

Application proxies are compatible with dual-homed host or screened host system to handle requests of intended clients

VPN connections are limited to machines with specific IP addresses

IDS alerts administrator against attacks