1. TCP/IP Basics
A review for firewall configuration
2. Configuring a firewall
Primary approach to configuring a firewall:
Study the service
IP addresses
Ports
Set up rules for allowing or denying access to the services you want utilized.
Problem:
Some of the issues are more subtle than IP/port.
3. IP Basics
IP encapsulates TCP
IP packets travel through many different routers (hops) before reaching its destination
MTU variation at the physical layer requires IP to fragment the message into smaller units along the way
Reassembly is an option at each hop.
IP does NOT guarantee delivery!
4. IP Fragmentation
5. What if frames are lost?
6. IP Summary
Fragmentation results in delivery of frames which are potentially smaller than the original transmission.
Some of the frames can be lost
If a message is fragmented and frames are lost, all frames up to the first lost frame are passed up to the receiving TCP and all subsequent frames are dropped.
TCP views this as a stream and is unaware of the loss of frames. It just accepts the next “n” bytes, acks the receipt, and waits for subsequent data.
7. TCP basics
Connection-oriented
Sets up the connection prior to data transmission
SYN and 3-way handshake
Guarantees delivery of data
Sender holds a copy of the data for retransmission if necessary
Receiver ACKS specific byte positions in the stream so sender can resend from any byte position
Encapsulated by IP
Receiver tells sender its receive window size to limit the rate of data arrival (flow control)
9. TCP handling of fragmentation
10. What does the TCP frame look like?
13. Back to the Firewall!
14. Options to Solve Fragmentation
Reassembly can be forced at the firewall
Slows down transmission
Lets the firewall process the entire frame identically
Make sure the sender doesn’t send frames which will be fragmented.
Path MTU discovery
uses ICMP to test for deliverability
Sends a message and marks it not to be fragmented
Looks for ICMP response saying too large
Repeat the process with a smaller packet if necessary
Firewall must allow ICMP
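The path MTU discovery loop described in slide 14, as an added example that is not part of the original slides. It walks a constructed list of hop MTUs with Don't-Fragment probes, shrinks the probe each time a hop answers with "fragmentation needed", and shows what the sender sees when a firewall drops that ICMP reply. The hop MTUs and the probe budget are assumed sample values.

```python
"""Path MTU discovery walk-through (added example; not part of the slides).

The sender probes a constructed path of hops, each with its own MTU, using
packets marked Don't Fragment (DF).  A hop whose MTU is too small answers with
an ICMP "fragmentation needed" message carrying its MTU, and the sender resends
with that smaller size.  When a firewall drops that ICMP message, the sender
gets no answer at all and cannot tell why its large packets vanish.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    size: int
    dont_fragment: bool = True


def forward(path_mtus, probe, firewall_passes_icmp=True):
    """Walk one probe hop by hop.

    Returns ("delivered", None), ("icmp_frag_needed", hop_mtu) or
    ("silently_dropped", None) when the ICMP reply is filtered on the way back.
    """
    for mtu in path_mtus:
        if probe.size <= mtu or not probe.dont_fragment:
            continue  # fits, or the router would simply fragment it
        if firewall_passes_icmp:
            return "icmp_frag_needed", mtu
        return "silently_dropped", None
    return "delivered", None


def discover_pmtu(path_mtus, start_size, firewall_passes_icmp=True, max_probes=16):
    """Return (size, probes_sent, converged).

    converged is False when the sender stopped hearing back (a PMTU black hole)
    or ran out of probes.
    """
    size = start_size
    for probes in range(1, max_probes + 1):
        status, hop_mtu = forward(path_mtus, Probe(size), firewall_passes_icmp)
        if status == "delivered":
            return size, probes, True
        if status == "icmp_frag_needed":
            size = hop_mtu  # shrink to what the reporting hop can carry
            continue
        return size, probes, False  # no ICMP came back; a real stack would retry, then time out
    return size, max_probes, False


if __name__ == "__main__":
    PATH = [1500, 1400, 1300, 1500]  # constructed hop MTUs
    print(discover_pmtu(PATH, 1500))                               # (1300, 3, True)
    print(discover_pmtu(PATH, 1500, firewall_passes_icmp=False))   # (1500, 1, False)
```

With ICMP passing, the sender converges on the smallest MTU along the path after one probe per undersized hop. With ICMP blocked, the very first oversized probe disappears and the loop reports no convergence, which is the practical reason the slide says the firewall must allow ICMP (at least the "fragmentation needed" variant of Destination Unreachable).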
15. Options to Solve Fragmentation (continued)
Only filter the first frames in a fragmented sequence
Allow all others to pass through
Assume other frames will be trashed at the receiver if the first one doesn’t make it through
Places undue traffic on the network and receiver if the unfragmented sequence is to be filtered
Can be used to create a denial of service
Allows attackers to substitute overlapping “tail” frames
Different OSs handle the repeated packets differently, i.e. which one do you keep?
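The fragment behaviour discussed in slides 6, 14 and 15, as an added example that is not part of the original slides. A small reassembler plays the role of "reassembly forced at the firewall": it completes a datagram when every fragment is present, reports it unusable when a frame was lost, and refuses to guess when an overlapping tail fragment carries different bytes than an earlier fragment. A second function models the cheaper "filter only the first fragment" option so the extra forwarded traffic is visible. Fragment offsets are in bytes rather than the 8-byte units IPv4 uses, and the datagram contents are constructed.

```python
"""IP fragment handling at a firewall (added example; not part of the slides).

Fragments are modelled as (offset, payload, more) with offsets in bytes
(real IPv4 counts offsets in 8-byte units; that scaling is left out).  The
constructed sequences below cover the cases the slides discuss: a complete
sequence, a sequence with a lost frame, and a sequence where an overlapping
"tail" fragment carries different bytes for positions an earlier fragment
already filled.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    offset: int     # byte position of this payload inside the original datagram
    payload: bytes
    more: bool      # MF flag: True on every fragment except the last


def reassemble(fragments):
    """Reassemble at the firewall so the whole datagram can be filtered as one unit.

    Returns ("complete", data), ("incomplete", None) when a frame is missing,
    or ("overlap_conflict", None) when two fragments disagree about a byte.
    """
    buf = {}          # byte position -> byte value
    total_len = None
    for frag in sorted(fragments, key=lambda f: f.offset):
        for i, b in enumerate(frag.payload):
            pos = frag.offset + i
            if pos in buf and buf[pos] != b:
                # Hosts differ on whether the first or the last copy wins, so a
                # firewall that guesses may pass data the receiver will not see.
                return "overlap_conflict", None
            buf[pos] = b
        if not frag.more:
            total_len = frag.offset + len(frag.payload)
    if total_len is None or any(pos not in buf for pos in range(total_len)):
        return "incomplete", None   # one lost frame makes the whole datagram unusable
    return "complete", bytes(buf[pos] for pos in range(total_len))


def first_fragment_only(fragments, deny_first):
    """Slide 15's cheaper option: inspect only the first fragment, pass the rest.

    Returns the fragments forwarded.  Later fragments cross the firewall even when
    the head was dropped, which is the extra traffic the slides warn about.
    """
    return [f for f in fragments if not (f.offset == 0 and deny_first(f))]


# Constructed sample datagram split into three fragments.
ORIGINAL = b"0123456789ABCDEF"
COMPLETE_SEQ = [Fragment(0, b"012345", True), Fragment(6, b"6789AB", True), Fragment(12, b"CDEF", False)]
LOST_SEQ = [COMPLETE_SEQ[0], COMPLETE_SEQ[2]]                              # middle frame never arrived
CONFLICT_SEQ = COMPLETE_SEQ[:2] + [Fragment(10, b"xxCDEF", False)]         # tail rewrites bytes 10-11
BENIGN_OVERLAP_SEQ = COMPLETE_SEQ[:2] + [Fragment(10, b"ABCDEF", False)]   # overlap with identical bytes


if __name__ == "__main__":
    for name, seq in [("complete", COMPLETE_SEQ), ("lost", LOST_SEQ), ("conflict", CONFLICT_SEQ)]:
        print(name, reassemble(seq))
    # A first-fragment-only filter that denies datagrams whose payload starts with "01"
    kept = first_fragment_only(COMPLETE_SEQ, lambda f: f.payload.startswith(b"01"))
    print(len(kept), "of", len(COMPLETE_SEQ), "fragments still forwarded")
```

The conflicting-overlap case is where the two options differ most: full reassembly lets the firewall drop the ambiguous datagram outright, while the first-fragment-only filter forwards the tail without ever seeing the conflict and leaves the outcome to whichever reassembly rule the receiving OS happens to use.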
17. TCP handshake/setup
18. TCP Connection Issues
Once you make a connection it can be used to transmit data bi-directionally
Inside clients -> out is OK
Outside clients -> inside is NOT OK (usually)
Deny the setup sequence and no connection can be established
If a hacker can determine the setup sequence number and window size, “noise” packets can be injected
Not a typical problem but possible
20. UDP basics
No connection establishment
No special features of the frame to identify connection information
Requires a little more effort on the part of the firewall
Must remember what has happened in previous transmissions
This is a STATEFUL packet filter firewall
21. Stateful Packet Filter
Allowing if connected from inside
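The policy of slides 18, 20 and 21 as an added example that is not part of the original slides: a minimal stateful packet filter that allows inside-initiated TCP and UDP flows out, denies setup attempts from outside, and lets replies in only when they match a remembered flow. For TCP the setup is recognised by a SYN without ACK; for UDP there is no such marker, so every outbound flow is recorded. The inside prefix, addresses, ports and the packet trace are constructed sample values.

```python
"""Minimal stateful packet filter (added example; not part of the slides).

Policy from slides 18 and 20: connections started from inside may go out,
connections started from outside are denied, and replies to inside-initiated
traffic are let back in.  A TCP connection start is visible as a SYN without
ACK; UDP carries no such marker, so the filter has to record every outbound
(addresses, ports) pair and admit only inbound packets that match one.
The inside prefix, addresses and ports are constructed sample values.
"""

from dataclasses import dataclass, field

INSIDE_PREFIX = "10.0.0."   # constructed: addresses starting with this are "inside"


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags such as {"SYN"} or {"SYN", "ACK"}


def is_inside(addr):
    return addr.startswith(INSIDE_PREFIX)


@dataclass
class StatefulFilter:
    # key: (proto, inside addr, inside port, outside addr, outside port)
    table: set = field(default_factory=set)

    @staticmethod
    def _key(pkt):
        if is_inside(pkt.src):
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def decide(self, pkt):
        """Return "allow" or "deny" and record new inside-initiated flows."""
        outbound = is_inside(pkt.src) and not is_inside(pkt.dst)
        inbound = is_inside(pkt.dst) and not is_inside(pkt.src)
        if not (outbound or inbound):
            return "deny"    # traffic that does not cross the boundary is not ours to pass
        key = self._key(pkt)
        if pkt.proto == "tcp":
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:   # setup sequence
                if outbound:
                    self.table.add(key)
                    return "allow"
                return "deny"    # deny the setup from outside and no connection can form
            return "allow" if key in self.table else "deny"
        if pkt.proto == "udp":
            if outbound:
                self.table.add(key)   # nothing in the frame marks a start, so remember every flow
                return "allow"
            return "allow" if key in self.table else "deny"
        return "deny"


def run_trace(packets):
    """Feed a packet sequence through one filter instance and return its decisions."""
    fw = StatefulFilter()
    return [fw.decide(p) for p in packets]


# Constructed trace: an inside web client, an outside connection attempt, and an inside DNS query.
SAMPLE_TRACE = [
    Packet("tcp", "10.0.0.5", 40000, "203.0.113.10", 80, frozenset({"SYN"})),          # allow
    Packet("tcp", "203.0.113.10", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"})),   # allow (reply)
    Packet("tcp", "198.51.100.7", 5555, "10.0.0.5", 22, frozenset({"SYN"})),          # deny (outside setup)
    Packet("udp", "10.0.0.5", 53000, "203.0.113.53", 53),                              # allow
    Packet("udp", "203.0.113.53", 53, "10.0.0.5", 53000),                              # allow (matches state)
    Packet("udp", "203.0.113.53", 53, "10.0.0.9", 53000),                              # deny (no state)
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_TRACE, run_trace(SAMPLE_TRACE)):
        print(f"{pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {verdict}")
```

A production filter adds what this sketch leaves out: removing TCP entries on FIN/RST, expiring UDP entries after an idle timeout so the table cannot grow without bound, and checking sequence numbers against the window so that the injected "noise" packets of slide 18 are harder to pass off as part of an established connection.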
22. ICMP
23. ICMP Basics
Lower than IP
Doesn’t use ports
Frequently used at the firewall to
deny ping of death (too-large message), and
deny denial of service (ping flood)
Denying is message-type specific
Denying it precludes the use of a useful tool
24. ICMP Message types
Echo Request
Echo Response
Time Exceeded
Destination Unreachable
Redirect
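Message-type-specific ICMP filtering from slides 23 and 24, as an added example that is not part of the original slides. The policy keeps the message types other tools depend on (Destination Unreachable, Time Exceeded, Echo Reply), denies Redirect, and restricts Echo Request only when it is oversized or arrives faster than a per-source rate from one address. The size threshold, the rate window, the addresses and the packet trace are constructed values; the type numbers are the standard IPv4 ICMP ones.

```python
"""Type-specific ICMP filtering (added example; not part of the slides).

ICMP has no ports, so the decision is made per message type.  Blanket denial
also discards messages the network relies on (Destination Unreachable, Time
Exceeded), so this policy keeps those and restricts Echo Request only when it
is oversized or arrives too fast from one source.  Thresholds, addresses and
the sample traffic are constructed values; type numbers are the IPv4 ICMP ones.
"""

from collections import defaultdict, deque
from dataclasses import dataclass

ECHO_REPLY, DEST_UNREACHABLE, REDIRECT, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 5, 8, 11

MAX_ECHO_BYTES = 1500      # constructed: anything larger is treated as a too-large message
FLOOD_WINDOW_SEC = 1.0     # constructed
FLOOD_MAX_PER_WINDOW = 5   # constructed: more echo requests than this per window from one source


@dataclass(frozen=True)
class IcmpPacket:
    ts: float       # arrival time in seconds
    src: str
    icmp_type: int
    length: int     # total datagram length in bytes


class IcmpPolicy:
    def __init__(self):
        self.recent = defaultdict(deque)   # src -> arrival times of recent echo requests

    def decide(self, pkt):
        if pkt.icmp_type in (ECHO_REPLY, DEST_UNREACHABLE, TIME_EXCEEDED):
            return "allow"              # replies to our pings, PMTU discovery, traceroute
        if pkt.icmp_type == REDIRECT:
            return "deny"               # do not let outside hosts rewrite inside routing
        if pkt.icmp_type == ECHO_REQUEST:
            if pkt.length > MAX_ECHO_BYTES:
                return "deny:oversized"
            window = self.recent[pkt.src]
            window.append(pkt.ts)
            while window and pkt.ts - window[0] > FLOOD_WINDOW_SEC:
                window.popleft()        # forget requests older than the window
            if len(window) > FLOOD_MAX_PER_WINDOW:
                return "deny:flood"
            return "allow"
        return "deny"                   # other types are not needed through the firewall


def run_trace(packets):
    """Feed a packet sequence through one policy instance and return its decisions."""
    policy = IcmpPolicy()
    return [policy.decide(p) for p in packets]


# Constructed sample: seven echo requests in 0.6 s from one host, one oversized
# echo request from another host, then a Time Exceeded from that same host.
SAMPLE_TRACE = (
    [IcmpPacket(0.1 * i, "198.51.100.9", ECHO_REQUEST, 64) for i in range(7)]
    + [IcmpPacket(1.0, "203.0.113.4", ECHO_REQUEST, 70000),
       IcmpPacket(1.1, "203.0.113.4", TIME_EXCEEDED, 56)]
)

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_TRACE, run_trace(SAMPLE_TRACE)):
        print(f"t={pkt.ts:.1f} type={pkt.icmp_type} from {pkt.src} len={pkt.length}: {verdict}")
```

The point of deciding per type rather than denying ICMP wholesale is visible in the last two packets: the oversized echo request is dropped, but the Time Exceeded from the same source still passes, so traceroute and path MTU discovery keep working.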
25. IP Tunnelling
27. Tunnelling Problem
Firewall sees the outer IP header, not what is embedded
Packets can be hidden inside IP
Not as problematic as it seems
Usually the tunneller at each end is set up by the network admin to implement a desired policy
Still provides a leak into the other network