Packet filtering project
-
7/29/2019 Packet Filtering Project
Firewalls based on Access Control Lists
(Packet filtering)
Prepared by: Mussab Saleh El Riani
Supervision: Dr Behalul El Fgee
Academy of Science Misurata
Computer Science Department
-
Firewalls
Sits between two networks
Used to protect one from the other
Places a bottleneck between the networks
All communications must pass through the bottleneck; this gives us a single point of control
17 March 2009 ITCN
-
Protection Methods
Packet Filtering
Rejects TCP/IP packets from unauthorized hosts and/or connection attempts by unauthorized hosts
Network Address Translation (NAT)
Translates the addresses of internal hosts so as to hide
them from the outside world
Also known as IP masquerading
-
Packet Filters
Compare network and transport protocols to a database of rules and then forward only the packets that meet the criteria of the rules
Implemented in routers and sometimes in the TCP/IP stacks of workstation machines
In a router, a filter prevents suspicious packets from reaching your network
In a TCP/IP stack, it prevents that specific machine from responding to suspicious traffic
-
Packet-filtering Router
A packet-filtering router is implemented in a router with access control lists
So what are access control lists?
-
This Week
Access Control Lists
What are ACLs?
What are they for?
How do they work?
Standard ACLs
Extended ACLs
Where to place them
-
Reasons for ACLs
Limit network traffic to where we define and increase network performance
Provide traffic flow control: ACLs can restrict or reduce the contents of routing updates
Provide a basic level of security for network access
Decide which types of traffic are forwarded or blocked at router interfaces
-
The Order of ACLs is important
If you create a condition statement that permits all traffic, no statements added later will ever be checked
Implicit last statement denies all traffic
Must make the statements preceding this allow the permitted traffic to flow
Construct statements carefully
Anything not explicitly permitted will be denied
-
Extended ACLs
These are used whenever we want to be more specific about the type of traffic to block, e.g. a certain host or an entire protocol such as www, ftp or icmp (ping)
These are used very frequently
-
Which Interface to place the ACL?
ACLs are assigned to one or more interfaces
Can filter inbound or outbound traffic
Inbound ACLs must check all packets before switching the packet to the outbound interface
-
Extended ACLs
Provide a greater range of control than standard ACLs
E.g. we can allow Web traffic but deny File Transfer Protocol (FTP) or TELNET or other traffic
Extended ACLs check for both source and destination packet addresses.
Specific protocols, port numbers and other parameters can be checked for
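The ordering rule and the extended-ACL match fields from the slides above, as an added example that is not part of the original presentation: a small Python model of top-to-bottom, first-match evaluation with the implicit deny, plus a check for statements that an earlier statement makes unreachable. The Rule and Packet types, the function names and the addresses are constructed for illustration and are not router syntax.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):          # one extended-ACL statement (hypothetical model)
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol, else "tcp"/"udp"/"icmp"
    src: str                     # source network, CIDR
    dst: str                     # destination network, CIDR
    dport: Optional[int] = None  # None matches any destination port

class Packet(NamedTuple):
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def matches(rule, pkt):
    return (rule.proto in ("ip", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.dport in (None, pkt.dport))

def evaluate(acl, pkt):
    """Return (action, index) of the first matching statement, top to bottom."""
    for index, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, index
    return "deny", None          # implicit last statement: deny everything else

def covers(earlier, later):
    """True when every packet that matches `later` already matches `earlier`."""
    return (earlier.proto in ("ip", later.proto)
            and ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
            and ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
            and earlier.dport in (None, later.dport))

def shadowed(acl):
    """Indexes of statements never checked because one earlier statement covers them."""
    return [j for j, later in enumerate(acl)
            if any(covers(acl[i], later) for i in range(j))]

# Constructed sample: the LAN may reach anything except FTP (21) and Telnet (23).
LAN, ANY = "192.168.1.0/24", "0.0.0.0/0"
BAD_ORDER = [Rule("permit", "ip", LAN, ANY),
             Rule("deny", "tcp", LAN, ANY, 21),
             Rule("deny", "tcp", LAN, ANY, 23)]
GOOD_ORDER = [BAD_ORDER[1], BAD_ORDER[2], BAD_ORDER[0]]

if __name__ == "__main__":
    print(shadowed(BAD_ORDER), shadowed(GOOD_ORDER))
```

The shadow check only compares pairs of statements, so a statement that is covered by several earlier ones taken together is not reported.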
-
Well-known Port numbers
Some ports are commonly used
Their numbers are well-known
A PC can be configured by a hacker to use a different port!
-
Placing Standard and Extended ACLs
Put the Extended ACLs as close as possible to the source machine or range (on your network) for the traffic type denied
Standard ACLs do not specify destination addresses, so you have to put the standard ACL as near as possible to the destination machine (or range) we want to deny
-
Conclusion
ACLs will check packets for certain conditions
Standard ACLs test simple conditions
Extended ACLs test for more rigorous conditions
Define ACL
Apply to interface
Place ACLs sensibly
Be sure to order ACLs sensibly too!