System and Network Administration
Firewalling concepts
- Subnet and subnet mask
- Address mask
- Address range
- Port range
Subnet
- addressing scheme on 'one wire' (one broadcast domain).
- determined by subnet address and subnet mask.
- Ex: 130.64.23.0 mask 255.255.255.0
- All components are 8-bit integers 0-255.
- 1's in the mask tell which bits are frozen on the subnet.
- 0's in the mask tell which bits can change on the subnet.
- The mask above says that 130.64.23 is frozen,
  while the last component can be between 1 and 254
  (0 and 255 are reserved; see the conventions below).
Special subnet conventions:
- the address with all 1's in the free locations is the
  subnet broadcast address (130.64.23.255 in the example above).
- the address with all 0's in the free locations is the subnet
  address itself, also called the 'wire address' (130.64.23.0 above);
  it only appears in routing tables, never as a host address.
- older equipment also treated the all-0's address as a broadcast
  address, which is why it is still avoided for hosts.
Subnet examples (mask 255.255.255.224 freezes the top 3 bits of the last
component, so each subnet is a block of 32 addresses: 30 hosts, plus the
wire address and the broadcast):
- 130.64.23.0 255.255.255.0 means hosts 130.64.23.1-254, broadcast 130.64.23.255
- 130.64.23.0 255.255.255.224 means hosts 130.64.23.1-30, broadcast 130.64.23.31
- 130.64.23.32 255.255.255.224 means hosts 130.64.23.33-62, broadcast 130.64.23.63
- 130.64.23.64 255.255.255.224 means hosts 130.64.23.65-94, broadcast 130.64.23.95
- 130.64.23.96 255.255.255.224 means hosts 130.64.23.97-126, broadcast 130.64.23.127
- 130.64.23.128 255.255.255.224 means hosts 130.64.23.129-158, broadcast 130.64.23.159
- 130.64.23.160 255.255.255.224 means hosts 130.64.23.161-190, broadcast 130.64.23.191
- 130.64.23.192 255.255.255.224 means hosts 130.64.23.193-222, broadcast 130.64.23.223
- 130.64.23.224 255.255.255.224 means hosts 130.64.23.225-254, broadcast 130.64.23.255
Subnet masks are NOT created equal:
- 255.255.255.0: (8 host bits) 1 group of 254 workstations
- 255.255.255.128: (7 host bits) 2 groups of 126 = 252 workstations
- 255.255.255.192: (6 host bits) 4 groups of 62 = 248 workstations
- 255.255.255.224: (5 host bits) 8 groups of 30 = 240 workstations
- every additional subnet costs two addresses (its wire address and its
  broadcast address), so finer subnetting means fewer usable hosts.
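The subnet arithmetic behind the two tables above, as an added example (this code is not from the lecture notes): it converts a dotted quad to its 32-bit integer, computes wire address, broadcast and usable host range for a contiguous mask, and reproduces the eight /27 blocks of 130.64.23.0 and the "groups of N workstations" counts. Function names such as subnet and split_24 are this example's own.

```python
# Added example: subnet arithmetic for contiguous masks. Not part of the
# original notes; the function names are the example's own.

def ip_to_int(dotted: str) -> int:
    """Dotted quad -> 32-bit integer (each component is an 8-bit field)."""
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]

def int_to_ip(n: int) -> str:
    """32-bit integer -> dotted quad."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_len(mask: str) -> int:
    """Number of leading 1 bits in a contiguous mask; rejects any other mask."""
    m = ip_to_int(mask)
    ones = bin(m).count("1")
    # contiguous <=> the mask equals 'ones' 1-bits followed by 0-bits
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return ones

def subnet(addr: str, mask: str) -> dict:
    """Wire address, broadcast, usable host range and host count for addr/mask."""
    a, m = ip_to_int(addr), ip_to_int(mask)
    plen = prefix_len(mask)
    network = a & m                         # frozen bits kept, free bits zeroed
    broadcast = network | (~m & 0xFFFFFFFF) # free bits all set to 1
    host_bits = 32 - plen
    if host_bits >= 2:
        first, last, hosts = network + 1, broadcast - 1, 2 ** host_bits - 2
    else:  # /31 and /32 have no separate wire/broadcast addresses
        first, last, hosts = network, broadcast, 2 ** host_bits
    return {
        "cidr": f"{int_to_ip(network)}/{plen}",
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(first),
        "last_host": int_to_ip(last),
        "hosts": hosts,
    }

def split_24(prefix24: str, mask: str) -> list:
    """All subnets of one /24 under a longer mask (e.g. the eight /27 blocks)."""
    plen = prefix_len(mask)
    base = ip_to_int(prefix24) & 0xFFFFFF00
    size = 2 ** (32 - plen)
    return [subnet(int_to_ip(base + i * size), mask) for i in range(256 // size)]

if __name__ == "__main__":
    for s in split_24("130.64.23.0", "255.255.255.224"):
        print(f"{s['cidr']:18} hosts {s['first_host']}-{s['last_host']}  broadcast {s['broadcast']}")
    for mask in ("255.255.255.0", "255.255.255.128", "255.255.255.192", "255.255.255.224"):
        groups = split_24("130.64.23.0", mask)
        total = len(groups) * groups[0]["hosts"]
        print(f"{mask}: {len(groups)} groups of {groups[0]['hosts']} = {total} workstations")
```

prefix_len refuses non-contiguous masks on purpose: a mask like 255.255.255.3 still selects addresses bit by bit (see the address mask section), but it does not describe a subnet with a single wire address and broadcast.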
Problems for you to solve
- If your subnet mask is 255.255.255.192, and your host address is
130.64.23.17, what are the addresses of the other hosts on your subnet?
- If your subnet mask is 255.255.255.3 and your host address is
130.64.23.17, what are the addresses of the other hosts?
Comments on subnets
- used to be illegal to use subnet 0 or subnet 224 (the all-0's and the
  all-1's subnet) with mask 255.255.255.224.
- used to be illegal to use 0 as a host number.
- times change: subnet 0 and the all-1's subnet are in routine use today.
Address mask
Problems to solve
- what are the appropriate ranges for
base address 10.1.0.42 mask 255.255.7.7?
- what are the appropriate ranges for
base address 192.168.67.0 mask 0.0.255.255?
Caveats:
- sometimes masks are INVERTED bit by bit ('wildcard masks', as in
  router access lists):
  - e.g., 255.255.255.0 => 0.0.0.255; a 0 bit is then frozen and a 1 bit is free.
- contiguous masks (all 1's followed by all 0's) are often written in
  / notation, giving the number of leading 1 bits:
  - 130.64.24.0 255.255.255.0 is written as 130.64.24.0/24
    or simply 130.64.24/24
  - 130.64.23.32 255.255.255.224 is written 130.64.23.32/27
  - a non-contiguous mask such as 255.255.7.7 has no / form.
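An added example (not from the lecture notes) for the two "problems to solve" above and for the caveats: an address matches a (base, mask) pair exactly when it agrees with the base on every frozen bit, a single bitwise test that works the same for contiguous masks, non-contiguous masks like 255.255.7.7 and 255.255.255.3, and inverted masks. The "~" prefix for an inverted mask and the "/N" prefix form are notations chosen for this example, not a firewall syntax; octet_values lists, per component, every value an address may take.

```python
# Added example: address/mask matching as a pure bit operation. Not part of
# the original notes. The '~mask' spelling for an inverted mask is this
# example's own convention.
import ipaddress

def ip_to_int(dotted: str) -> int:
    """Dotted quad -> 32-bit int; ipaddress validates the components."""
    return int(ipaddress.IPv4Address(dotted))

def parse_mask(spec: str) -> int:
    """Accept '255.255.7.7', '~0.0.0.255' (inverted) or '/27'.

    Returns the mask in the normal sense: a 1 bit is frozen, a 0 bit is free.
    """
    if spec.startswith("/"):
        n = int(spec[1:])
        if not 0 <= n <= 32:
            raise ValueError(f"bad prefix length {spec}")
        return (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF
    if spec.startswith("~"):                     # inverted ('wildcard') mask
        return ~ip_to_int(spec[1:]) & 0xFFFFFFFF
    return ip_to_int(spec)

def matches(addr: str, base: str, mask_spec: str) -> bool:
    """True iff addr agrees with base on every frozen bit of the mask."""
    m = parse_mask(mask_spec)
    return (ip_to_int(addr) & m) == (ip_to_int(base) & m)

def match_count(mask_spec: str) -> int:
    """How many addresses one (base, mask) pair selects: 2^(free bits)."""
    return 1 << (32 - bin(parse_mask(mask_spec)).count("1"))

def octet_values(base: str, mask_spec: str) -> list:
    """Per-component sorted list of the values a matching address may take.

    Masking is bitwise, so the free bits of each component vary independently
    of the other components; each list has 2^(free bits in that octet) entries.
    """
    b, m = ip_to_int(base), parse_mask(mask_spec)
    result = []
    for shift in (24, 16, 8, 0):
        bo, mo = (b >> shift) & 0xFF, (m >> shift) & 0xFF
        frozen = bo & mo                                   # bits that must match
        free_bits = [bit for bit in range(8) if not (mo >> bit) & 1]
        values = set()
        for combo in range(1 << len(free_bits)):         # every setting of the free bits
            v = frozen
            for i, bit in enumerate(free_bits):
                if (combo >> i) & 1:
                    v |= 1 << bit
            values.add(v)
        result.append(sorted(values))
    return result

def summarize(base: str, mask_spec: str) -> str:
    """Human-readable per-component ranges, e.g. '0-255.0-255.67.0'."""
    parts = []
    for vals in octet_values(base, mask_spec):
        if len(vals) == 1:
            parts.append(str(vals[0]))
        elif len(vals) == 256:
            parts.append("0-255")
        else:
            parts.append("{" + ",".join(map(str, vals)) + "}")
    return ".".join(parts)

if __name__ == "__main__":
    for base, mask in (("10.1.0.42", "255.255.7.7"), ("192.168.67.0", "0.0.255.255"),
                       ("130.64.23.17", "255.255.255.3"), ("130.64.23.0", "~0.0.0.255")):
        print(f"{base} mask {mask}: {match_count(mask)} addresses -> {summarize(base, mask)}")
```

For 10.1.0.42 mask 255.255.7.7 the third component is frozen in its low 3 bits (0), so it may be 0, 8, 16, ... 248, and the fourth is frozen to 42 & 7 = 2 in its low bits, so it may be 2, 10, ... 250: 1024 addresses in all, scattered across the /16 rather than forming one block.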
IP Address range:
- many firewalls allow you to specify rules for address RANGES.
- Addresses are 32-bit binary numbers, so a range is a numeric comparison
  on the whole 32-bit value (not component by component).
- Ex: if 130.64.24.0 <= x <= 130.64.26.127, which 8-bit (/24) subnets
  are affected (selected)?
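An added example (not from the lecture notes) for the range question above: prefixes_touched lists every /24 (or other prefix length) that a numeric range overlaps, and range_to_cidrs goes the other way, converting an inclusive range into the smallest list of address/mask blocks that covers it exactly, which is what you need when a firewall accepts masks but not ranges. Both function names are this example's own.

```python
# Added example: address ranges versus prefixes. Not part of the original
# notes; function names are the example's own.
import ipaddress
from typing import List

def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def to_ip(n: int) -> str:
    return str(ipaddress.IPv4Address(n))

def prefixes_touched(lo: str, hi: str, plen: int = 24) -> List[str]:
    """Every /plen network that overlaps the inclusive range lo..hi."""
    a, b = to_int(lo), to_int(hi)
    if a > b:
        raise ValueError("range is reversed")
    size = 1 << (32 - plen)
    first, last = a - a % size, b - b % size          # round both ends down to a block boundary
    return [f"{to_ip(n)}/{plen}" for n in range(first, last + 1, size)]

def range_to_cidrs(lo: str, hi: str) -> List[str]:
    """Minimal list of CIDR blocks covering exactly lo..hi (inclusive).

    Greedy: from the current start, take the largest block that is aligned
    at the start and does not run past hi, then continue after it.
    """
    a, b = to_int(lo), to_int(hi)
    if a > b:
        raise ValueError("range is reversed")
    blocks = []
    while a <= b:
        plen = 32
        # widen while the next larger block is still aligned at a and ends <= b
        while plen > 0 and a % (1 << (33 - plen)) == 0 and a + (1 << (33 - plen)) - 1 <= b:
            plen -= 1
        blocks.append(f"{to_ip(a)}/{plen}")
        a += 1 << (32 - plen)
    return blocks

if __name__ == "__main__":
    lo, hi = "130.64.24.0", "130.64.26.127"
    print("/24s touched:", prefixes_touched(lo, hi))
    print("exact cover: ", range_to_cidrs(lo, hi))
```

For the lecture's range the answer is that 130.64.24.0/24 and 130.64.25.0/24 are selected in full and only the lower half of 130.64.26.0/24; the exact cover is 130.64.24.0/23 plus 130.64.26.0/25. A rule written against the three /24s would be too wide by 128 addresses.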
Access list
- list of (address,mask,port range) or (address range,port range)
- hosts/services to deny or allow.
So far
- Tools have been standard
- Form follows function
In firewalling
- Many different tools/syntaxes
- Concepts remain unchanging
New terms
- choke: a machine that limits access
- gate: a machine that provides access
- proxy: a machine that acts on behalf of another
- bastion host: a host that's accessible from outside
as a limited form of gate.
- tunnel: a systematic attempt to send a packet
through a choke by encapsulating it inside an acceptable
protocol.
The art of firewalling
- choke off undesirable access
- poke holes with gates.
- 'case harden' gates to limit risk
Two basic firewall policies
- Everything not explicitly allowed is denied ('closed').
- security is more important than service
- must poke holes for services
- Everything not explicitly denied is allowed ('open').
- service is more important than security
- deny access to specific hosts
A basic firewall
Kinds of chokes
- host-based
- tcp wrappers
- services shut down
- packet filter
- within router
- on a server serving as router.
- stateful inspection
- within new routers
- within a firewall
Host-based
- like tcp wrappers
- must do on EVERY host.
- rdist/cfengine helps!
Packet filter
- stops packets by type and content
- 'stateless': simple pattern matching, each packet judged on its own
- If packets match an allow pattern, they go through.
- If packets match a deny pattern, they get blackholed (dropped silently,
  with nothing sent back to the sender).
- Characterized by how much they know about the packet
- protocol (tcp/udp)
- address range/mask
- port number/range
- internal packet contents (e.g., who mail is addressed to!)
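The access list idea from earlier (entries of address, mask, port range, allow or deny), the two default policies, and the stateless filter described above, combined into one added example that is not from the lecture notes: a first-match evaluator run over the same constructed packets under a 'closed' rule set and an 'open' rule set. The Rule and Packet fields, the sample addresses and the traffic are all constructed for the example.

```python
# Added example: a stateless packet filter evaluating an access list under
# either default policy. Not part of the original notes; rule layout,
# addresses and sample packets are constructed for the example.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

def masked(addr: str, mask: str) -> int:
    """The frozen bits of addr under mask (a 1 bit in the mask is frozen)."""
    return int(ipaddress.IPv4Address(addr)) & int(ipaddress.IPv4Address(mask))

@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp" or "any"
    src: str                 # source base address
    src_mask: str            # source mask, 1 = frozen
    dst: str                 # destination base address
    dst_mask: str
    dports: Tuple[int, int]  # inclusive destination port range

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Stateless match: protocol, both address/mask pairs, and the port range."""
    if rule.proto not in ("any", pkt.proto):
        return False
    if masked(pkt.src, rule.src_mask) != masked(rule.src, rule.src_mask):
        return False
    if masked(pkt.dst, rule.dst_mask) != masked(rule.dst, rule.dst_mask):
        return False
    lo, hi = rule.dports
    return lo <= pkt.dport <= hi

def filter_packet(rules: List[Rule], pkt: Packet, default: str) -> str:
    """The first matching rule decides; with no match the policy default applies."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default

ANY_ADDR, ANY_MASK = "0.0.0.0", "0.0.0.0"   # all-0's mask freezes nothing: matches every address
HOST = "255.255.255.255"                    # all-1's mask: exactly one host
WIRE = "255.255.255.0"                      # the /24 from the subnet examples

# Closed policy: nothing passes unless a hole has been poked for it.
CLOSED_RULES = [
    Rule("allow", "tcp", ANY_ADDR, ANY_MASK, "130.64.23.5", HOST, (25, 25)),  # smtp, mail host only
    Rule("allow", "tcp", ANY_ADDR, ANY_MASK, "130.64.23.0", WIRE, (80, 80)),  # http to any host on the wire
    Rule("allow", "udp", ANY_ADDR, ANY_MASK, "130.64.23.2", HOST, (53, 53)),  # dns, name server only
]
# Open policy: everything passes unless specifically denied.
OPEN_RULES = [
    Rule("deny", "any", "10.0.0.0", "255.0.0.0", ANY_ADDR, ANY_MASK, (0, 65535)),  # private source seen from outside: spoofed
    Rule("deny", "tcp", ANY_ADDR, ANY_MASK, "130.64.23.0", WIRE, (23, 23)),        # no telnet into the wire
]

# Constructed sample traffic arriving from outside.
SAMPLE_PACKETS = [
    Packet("tcp", "198.51.100.7", "130.64.23.5", 25),   # mail to the mail host
    Packet("tcp", "198.51.100.7", "130.64.23.9", 23),   # telnet to a workstation
    Packet("tcp", "10.1.2.3", "130.64.23.9", 80),       # web, but from a spoofed private source
    Packet("udp", "198.51.100.7", "130.64.23.2", 53),   # dns query to the name server
]

def evaluate(rules: List[Rule], default: str) -> List[str]:
    return [filter_packet(rules, p, default) for p in SAMPLE_PACKETS]

if __name__ == "__main__":
    print("closed policy:", evaluate(CLOSED_RULES, "deny"))
    print("open policy:  ", evaluate(OPEN_RULES, "allow"))
```

Note what the closed list gets wrong: the http hole has no source restriction, so the spoofed 10.1.2.3 packet goes through under the 'closed' policy while the 'open' list stops it. Order matters in a first-match list; a deny for impossible sources belongs ahead of the holes under either policy.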
Stateful inspection
- Keeps track of the state of a communication.
- E.g., if you request a name from an outside name server,
  - create a flow between you and the name server
    (protocol, both addresses, both ports, and a timeout).
  - allow you to exchange data while the flow is open.
- If you don't request a name and a name server contacts you
  anyway
  - the unsolicited packet matches no existing flow, so it is blocked.
  - reject all such packets until such time as you make a
    legitimate request.
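The name-server exchange above as an added example (not from the lecture notes): a toy stateful inspector that opens a flow on an outbound UDP query, admits only the reply that matches that flow with addresses and ports reversed, and drops anything unsolicited or arriving after the flow has timed out. The inside network, the 30-second timeout and the packet trace are constructed for the example.

```python
# Added example: a toy stateful inspector for UDP name lookups. Not part of
# the original notes; the inside network, timeout and trace are constructed.
import ipaddress
from typing import Dict, List, Tuple

INSIDE = ipaddress.ip_network("130.64.23.0/24")   # our wire (assumed)
FLOW_TIMEOUT = 30.0                                # seconds an idle flow stays open (assumed)

# (proto, inside ip, inside port, outside ip, outside port)
FlowKey = Tuple[str, str, int, str, int]

def is_inside(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INSIDE

class StatefulInspector:
    def __init__(self, timeout: float = FLOW_TIMEOUT):
        self.timeout = timeout
        self.flows: Dict[FlowKey, float] = {}   # flow -> time at which it expires

    def _expire(self, now: float) -> None:
        """Forget flows that have been idle past the timeout."""
        for key in [k for k, exp in self.flows.items() if exp <= now]:
            del self.flows[key]

    def handle(self, now: float, proto: str, src: str, sport: int,
               dst: str, dport: int) -> str:
        """Return 'allow' or 'drop' for one packet, updating the flow table."""
        self._expire(now)
        if is_inside(src) == is_inside(dst):
            return "drop"                       # never crosses the choke
        if is_inside(src):
            # outbound request: create (or refresh) the flow
            self.flows[(proto, src, sport, dst, dport)] = now + self.timeout
            return "allow"
        # inbound: admit only if it is the other half of an open flow
        key = (proto, dst, dport, src, sport)   # the flow seen from inside
        if key in self.flows:
            self.flows[key] = now + self.timeout
            return "allow"
        return "drop"                           # unsolicited

# Constructed trace: (time, proto, src, sport, dst, dport)
TRACE = [
    (0.0,  "udp", "130.64.23.17", 40001, "198.51.100.53", 53),   # our query
    (0.2,  "udp", "198.51.100.53", 53, "130.64.23.17", 40001),   # its reply: matches the flow
    (0.3,  "udp", "198.51.100.53", 53, "130.64.23.17", 40002),   # wrong port: not our query
    (0.4,  "udp", "203.0.113.9",  53, "130.64.23.17", 40001),    # wrong server: unsolicited
    (45.0, "udp", "198.51.100.53", 53, "130.64.23.17", 40001),   # same flow, but after timeout
]

def run_trace(events: List[tuple]) -> List[str]:
    insp = StatefulInspector()
    return [insp.handle(*e) for e in events]

if __name__ == "__main__":
    for event, verdict in zip(TRACE, run_trace(TRACE)):
        print(f"t={event[0]:5.1f} {event[2]}:{event[3]} -> {event[4]}:{event[5]}  {verdict}")
```

A stateless filter would have to choose between letting every packet from port 53 in (and so admitting the unsolicited ones) or blocking the replies too; the flow table is what lets the choke tell the two apart.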
Bastion
- A host you must log into in order to get to services.
- Usually outside or inside another choke.
Transparency
- does the user know they're talking through a firewall?
- high transparency: users can't detect the firewall.
- packet filter
- stateful inspection
- low transparency: users have to do something different with the
firewall in place.
- bastion host
- tunnelling or VPN
Kinds of 'firewalls'
- Firewalls vary drastically in design,
transparency, cost, throughput.
- Best: high transparency, low cost, high throughput.
- Worst: the illusion of security.
The doctrine of STO
- STO: security through obscurity
- if you can find the name of a thing, you can hack it.
- so hide the names
- generally a really bad idea
The packet filter
(In the diagrams below ':(' is the hostile outside, '|<' is a choke, and
'----' is a network link.)
:( ----|<---- your network
The dmz approach
:( ---- dmz machines ----|<---- private network
- untrusted people use dmz bastions
- the bastions can get through the choke, and so act as gates
Choke and gate
:( ---- |<---+--- gate
             |
             +--- your network
- outside access limited to one or more gates
- gate transmits packets to your network
Belt and suspenders
:( ---- |<--- gate ---- |<---- your network
- first choke limits packets to the gate.
- second choke permeable only to packets from the gate.
Cascade
:( ---- |<--- gate1 ---- |<---- gate2 ---- |<---- your network
/comp/150NET/notes/filters-old.php
downloaded on Nov-23-2009 02:56:01 PM,
was last modified on Feb-17-2004 10:47:53 PM.
All lecture note content is copyright 2004 by
Alva L. Couch,
Computer Science,
Tufts University