MIS 4850 Systems Security



Understanding Firewalls Operation

Exhibit 1

Figure 1: Access Control List (ACL) for Ingress Filtering at a border firewall

|# |Rule |
|1 |If Source IP Address = 10.*.*.*, DENY [Private IP Address Range] |
|2 |If Source IP Address = 172.16.*.* to 172.31.*.*, DENY [Private IP Address Range] |
|3 |If Source IP Address = 192.168.*.*, DENY [Private IP Address Range] |
|4 |If Source IP Address = 60.47.*.*, DENY [Internal address range; spoofed source] |
|5 |If TCP SYN = 1 AND FIN = 1, DENY [Crafted attack packet] |
|6 |If Destination IP Address = 60.47.3.9 AND TCP Destination Port = 80 or 443, PASS [Public web server] |
|7 |If TCP SYN = 1 AND ACK = 0, DENY [Attempt to open a connection from the outside] |
|8 |If TCP Destination Port = 20, DENY [FTP data] |
|9 |If TCP Destination Port = 135 through 139, DENY [NetBIOS] |
|10 |If TCP Destination Port = 513, DENY [UNIX rlogin without password] |
|11 |If UDP Destination Port = 69, DENY [Trivial FTP; no login necessary] |
|12 |DENY ALL |

The following questions are not related to one another.

1. In Figure 1, some of the rules are redundant given the final Deny All. What are the redundant rules? Explain.

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

2. What would be the downside of leaving redundant rules, like the ones that could be taken care of by the final Deny All, in the ACL?

a. Leaving them could make the firewall pass some attack messages.

b. Leaving them would add some burden on the firewall in terms of more processing time.

c. None of the above

3. As the network administrator in charge of configuring the company’s firewall, you have to change the ACL in Figure 1 to add a rule that permits incoming requests to a particular computer (IP address 60.47.3.4) that hosts the DNS service. (Note: the Appendix contains a list of TCP/UDP ports for common services.)

a. Write down the rule: _____________________________________________________

b. Where should that rule be inserted? Why? _____________________________________

4. What would be the possible consequences of making the rule you created when answering Question 3 (above) the very first rule of the ACL?

a. This may decrease the likelihood of being attacked

b. This may allow an attacker using IP spoofing with a Class A IP address in the private range to get to the corporate web server.

c. This may allow an attacker using IP spoofing with a Class A IP address in the private range to target the DNS server.

d. None of the above

5. As the network administrator in charge of configuring the company’s firewall, you have to change the ACL in Figure 1 to add a rule that allows packets destined for an internal secure web server (HTTPS) with IP address 60.47.3.7 to pass. (Note: the Appendix contains a list of TCP/UDP ports for common services.)

a. Write down the rule: ___________________________________________________

b. Where should the rule be inserted in the ACL? ______________________________

6. As the network administrator in charge of configuring the company’s firewall, you have to change the ACL in Figure 1 to add a rule that says all SMTP traffic should pass through an SMTP application proxy whose IP address is 60.47.3.10.

a. Write down the rule: ___________________________________________________

b. Where should the rule be inserted in the ACL? ______________________________

7. Which of the following would Rule 1 help prevent?

a. Attacks initiated by any trusted network’s legitimate user targeting hosts in the trusted network or in the untrusted network.

b. Attacks initiated by any outsider targeting hosts in the untrusted network.

c. Attacks initiated by any outsider targeting hosts in the trusted network.

d. None of the above.
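Every one of Questions 1 through 7 turns on the same mechanism: the ACL in Figure 1 is read from the top, the first rule whose condition matches decides the packet, and nothing below that rule is consulted. The Python model below is an added example written for this page; it is not part of the original worksheet and does not represent any particular firewall product. It encodes the twelve rules of Figure 1 as predicates, evaluates constructed packets against them, and shows how the position of a DNS permit (the kind of rule Question 3 asks for) changes what a packet with a forged private source address can reach. The exact form of the DNS rule, the rule labels and the sample packets are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    """Only the header fields the Figure 1 ACL inspects (constructed model)."""
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    dport: int = 0    # TCP/UDP destination port
    syn: int = 0      # TCP flags
    ack: int = 0
    fin: int = 0


def in_net(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def figure1_rules():
    """Figure 1 as (label, predicate, action) triples, in the figure's order."""
    return [
        ("1 private 10/8",       lambda p: in_net(p.src, "10.0.0.0/8"),                  "DENY"),
        ("2 private 172.16/12",  lambda p: in_net(p.src, "172.16.0.0/12"),               "DENY"),
        ("3 private 192.168/16", lambda p: in_net(p.src, "192.168.0.0/16"),              "DENY"),
        ("4 spoofed internal",   lambda p: in_net(p.src, "60.47.0.0/16"),                "DENY"),
        ("5 SYN+FIN",            lambda p: p.proto == "tcp" and p.syn and p.fin,         "DENY"),
        ("6 public web",         lambda p: p.dst == "60.47.3.9" and p.proto == "tcp"
                                           and p.dport in (80, 443),                    "PASS"),
        ("7 inbound open",       lambda p: p.proto == "tcp" and p.syn and not p.ack,     "DENY"),
        ("8 ftp-data",           lambda p: p.proto == "tcp" and p.dport == 20,           "DENY"),
        ("9 netbios",            lambda p: p.proto == "tcp" and 135 <= p.dport <= 139,   "DENY"),
        ("10 rlogin",            lambda p: p.proto == "tcp" and p.dport == 513,          "DENY"),
        ("11 tftp",              lambda p: p.proto == "udp" and p.dport == 69,           "DENY"),
        ("12 deny all",          lambda p: True,                                         "DENY"),
    ]


def evaluate(rules, pkt):
    """First-match semantics: the first rule whose predicate holds decides."""
    for label, pred, action in rules:
        if pred(pkt):
            return action, label
    raise AssertionError("ACL has no catch-all rule")


# Candidate rule for Question 3 (an assumption, not the worksheet's answer key):
# permit DNS, over UDP and TCP port 53, to the DNS host only.
DNS_RULE = ("dns permit",
            lambda p: p.dst == "60.47.3.4" and p.proto in ("tcp", "udp") and p.dport == 53,
            "PASS")


def with_rule(rules, rule, index):
    """Copy of the ACL with `rule` inserted so that it becomes rule number index+1."""
    new = list(rules)
    new.insert(index, rule)
    return new


if __name__ == "__main__":
    base = figure1_rules()
    # Constructed packets: a DNS query with a forged private source, and a genuine one.
    spoofed = Packet(src="10.9.9.9", dst="60.47.3.4", proto="udp", dport=53)
    legit = Packet(src="8.8.8.8", dst="60.47.3.4", proto="udp", dport=53)
    for index in (0, 5):   # as the very first rule, and after anti-spoofing rules 1-4
        acl = with_rule(base, DNS_RULE, index)
        print(f"DNS rule at position {index + 1}: spoofed -> {evaluate(acl, spoofed)}, "
              f"legit -> {evaluate(acl, legit)}")
    # The figure's own verdicts for a web connection open, a SYN+FIN probe, an SSH open.
    for pkt in (Packet("8.8.8.8", "60.47.3.9", "tcp", dport=443, syn=1),
                Packet("8.8.8.8", "60.47.3.9", "tcp", dport=443, syn=1, fin=1),
                Packet("8.8.8.8", "60.47.3.5", "tcp", dport=22, syn=1)):
        print(pkt, "->", evaluate(base, pkt))
```

Two checks a practitioner would make with this model: the catch-all must stay last (a permit inserted below it never fires), and a permit placed above anti-spoofing rules 1 through 4 is reachable by any forged source address, which is the point of Question 4. Like the ACL in the figure, the model is stateless: rule 7 blocks inbound connection opens by inspecting flags rather than by connection tracking, so it cannot tell a genuine reply from a crafted packet that merely has ACK set.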

The following questions do not refer to the exhibit above.

8. Create an ACL (i.e. write down the rules) for Ingress Filtering in a case where the only messages allowed are those coming from external web servers or external email servers. (Note: the Appendix contains a list of TCP/UDP ports for common services).

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

9. Create an ACL (i.e. write down the rules) for Egress Filtering in a case where the only messages allowed are those destined to internal web servers or internal email servers. (Note: the Appendix contains a list of TCP/UDP ports for common services).

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

Exhibit 2

Figure 2: Access Control List (ACL) for Egress Filtering at a border firewall

|# |Rule |
|1 |If Source IP Address = 10.*.*.*, DENY [Private IP Address Range] |
|2 |If Source IP Address = 172.16.*.* to 172.31.*.*, DENY [Private IP Address Range] |
|3 |If Source IP Address = 192.168.*.*, DENY [Private IP Address Range] |
|4 |If Source IP Address NOT = 60.47.*.*, DENY [Not in internal address range] |
|5 |If ICMP Type = 8, PASS [Allow outgoing echo requests] |
|6 |If Protocol = ICMP, DENY [Drop all other outgoing ICMP messages] |
|7 |If TCP RST = 1, DENY [Do not allow outgoing resets; used in host scanning] |
|8 |If Source IP Address = 60.47.3.9 AND TCP Source Port = 80 or 443, PASS [Public web server] |
|9 |If TCP Source Port = 0 through 49151, DENY [Well-known and registered ports] |
|10 |If UDP Source Port = 0 through 49151, DENY [Well-known and registered ports] |
|11 |If TCP Source Port = 49152 through 65535, PASS [Allow outgoing client connections] |
|12 |If UDP Source Port = 49152 through 65535, PASS [Allow outgoing client connections] |
|13 |DENY ALL |

The following questions are not related to one another.

10. Which rules prevent any host that provides a service (other than the web service) from responding to any external host?

________________________________________________________________________

________________________________________________________________________

11. Are rules 9 and 10 necessary? Why? ____________________________________________

12. As the network administrator in charge of configuring the company’s firewall, you have to change the ACL in Figure 2 to add a rule that allows DNS responses from the DNS server with IP address 60.47.3.4 to pass. (Note: the Appendix contains a list of TCP/UDP ports for common services.)

a. Write down the rule: ___________________________________________________

b. Where should the rule be inserted in the ACL? ______________________________

13. As the network administrator in charge of configuring the company’s firewall, you have to change the ACL in Figure 2 to add a rule that allows packets from the internal secured web server (HTTPS) with IP address 60.47.3.7 to pass. (Note: the Appendix contains a list of TCP/UDP ports for common services).

a. Write down the rule: ___________________________________________________

b. Where should the rule be inserted in the ACL? ______________________________
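Question 11 asks whether rules 9 and 10 of Figure 2 are necessary, and Question 1 asks the same of Figure 1. The test is mechanical for any first-match ACL: delete the rule and check whether any packet's verdict changes; if none does, the rules below it (ending in DENY ALL) were already producing the same result. The Python below is an added example for this page, not part of the original worksheet. It encodes Figure 2 (with the ephemeral range ending at 65535, since 65536 is not a port number) and runs that check over a constructed probe set that covers every source range, protocol, port boundary and flag the ACL mentions. The probe set and the rule labels are assumptions; the same `redundant_rules` function works unchanged on an encoding of Figure 1.

```python
import ipaddress
from dataclasses import dataclass
from itertools import product


@dataclass
class Packet:
    """Only the header fields the Figure 2 egress ACL inspects (constructed model)."""
    src: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0        # TCP/UDP source port
    icmp_type: int = -1   # ICMP type when proto == "icmp"
    rst: int = 0          # TCP RST flag


def in_net(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


EPHEMERAL = range(49152, 65536)   # 49152 through 65535; 65536 is not a port number


def figure2_rules():
    """Figure 2 as (label, predicate, action) triples, in the figure's order."""
    return [
        ("1 private 10/8",       lambda p: in_net(p.src, "10.0.0.0/8"),                 "DENY"),
        ("2 private 172.16/12",  lambda p: in_net(p.src, "172.16.0.0/12"),              "DENY"),
        ("3 private 192.168/16", lambda p: in_net(p.src, "192.168.0.0/16"),             "DENY"),
        ("4 not internal",       lambda p: not in_net(p.src, "60.47.0.0/16"),           "DENY"),
        ("5 echo request",       lambda p: p.proto == "icmp" and p.icmp_type == 8,      "PASS"),
        ("6 other icmp",         lambda p: p.proto == "icmp",                           "DENY"),
        ("7 tcp rst",            lambda p: p.proto == "tcp" and p.rst,                  "DENY"),
        ("8 public web",         lambda p: p.src == "60.47.3.9" and p.proto == "tcp"
                                           and p.sport in (80, 443),                   "PASS"),
        ("9 tcp low sport",      lambda p: p.proto == "tcp" and p.sport < 49152,        "DENY"),
        ("10 udp low sport",     lambda p: p.proto == "udp" and p.sport < 49152,        "DENY"),
        ("11 tcp ephemeral",     lambda p: p.proto == "tcp" and p.sport in EPHEMERAL,   "PASS"),
        ("12 udp ephemeral",     lambda p: p.proto == "udp" and p.sport in EPHEMERAL,   "PASS"),
        ("13 deny all",          lambda p: True,                                        "DENY"),
    ]


def evaluate(rules, pkt):
    """First-match semantics: return the action of the first rule that matches."""
    for _label, pred, action in rules:
        if pred(pkt):
            return action
    raise AssertionError("ACL has no catch-all rule")


def probe_packets():
    """Constructed probe set: representative sources x protocols x the boundary
    source ports of every range the ACL names x flag values.  Not an exhaustive
    walk of the header space, so a redundancy verdict is only as good as this set."""
    srcs = ["10.1.1.1", "172.20.0.1", "192.168.1.1", "8.8.8.8",
            "60.47.3.9", "60.47.3.4", "60.47.3.7", "60.47.200.1"]
    ports = [0, 22, 53, 80, 443, 49151, 49152, 65535]
    pkts = []
    for src in srcs:
        pkts += [Packet(src, "icmp", icmp_type=t) for t in (0, 3, 8)]
        pkts += [Packet(src, "tcp", sport=sp, rst=r) for sp, r in product(ports, (0, 1))]
        pkts += [Packet(src, "udp", sport=sp) for sp in ports]
    return pkts


def redundant_rules(rules, pkts):
    """Labels of rules whose deletion changes no verdict for any probe packet.
    The catch-all is never a candidate: it is what makes the others redundant."""
    baseline = [evaluate(rules, p) for p in pkts]
    redundant = []
    for i, (label, _pred, _action) in enumerate(rules[:-1]):
        without = rules[:i] + rules[i + 1:]
        if all(evaluate(without, p) == b for p, b in zip(pkts, baseline)):
            redundant.append(label)
    return redundant


if __name__ == "__main__":
    for label in redundant_rules(figure2_rules(), probe_packets()):
        print("redundant:", label)
```

A rule reported as redundant changes no filtering verdict, but deleting it is still a judgement call: rules 1 through 3 are covered by rule 4 in this ACL, yet explicit denies for the private ranges are often kept so that spoofing attempts are logged and counted separately, and rule 7 is reported as necessary because without it a reset from the public web server's port 80, or from any ephemeral port, would be passed by rule 8 or 11. The trade-off Question 2 points at is real but small: every redundant rule is one more comparison for every packet that reaches it.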

Exhibit 3

14. Name the host that will filter incoming and outgoing emails to make sure that they are safe:___________________________. Provide its IP address: ___________________

15. NAT is usually implemented on firewalls or routers to hide the actual IP addresses of internal hosts from outsiders, for security reasons. In the firewall architecture shown in Exhibit 3, which hosts should not be protected by NAT? (Circle all correct answers.)

a. The Marketing Client

b. The Accounting server

c. The public web server

d. The external DNS server

e. The SMTP proxy server

Appendix

Common TCP/UDP ports

|Port Number |Primary Protocol |Application |
|20 |TCP |FTP data traffic |
|21 |TCP |FTP control (supervisory) connection. Passwords sent in the clear |
|22 |TCP |SSH (Secure Shell). Used for secure logins and file transfers (SFTP) |
|23 |TCP |Telnet. Passwords sent in the clear |
|25 |TCP |SMTP email transfer between email servers |
|53 |TCP/UDP |Domain Name System (DNS) |
|69 |UDP |Trivial File Transfer Protocol (TFTP). No login necessary |
|80 |TCP |Hypertext Transfer Protocol (HTTP). Used for transferring web pages between clients and non-secure web servers |
|110 |TCP |POP3 (Post Office Protocol version 3). Used by clients to retrieve email from mail servers |
|137-139 |UDP/TCP |NetBIOS over TCP/IP (137 and 138 are UDP, 139 is TCP). Used for file sharing in older versions of Windows |
|443 |TCP |HTTP over SSL/TLS (HTTPS). Used for secure transfer of web pages between clients and web servers |

[Diagram labels recovered from the page images (firewall diagrams): a Firewall between a Trusted network and an Untrusted network, with internal hosts 60.47.3.1, 60.47.3.2, 60.47.3.5 and 60.47.3.9. The Exhibit 3 diagram itself is not reproduced.]
