
Module 7

The document discusses the importance of network protocols, specifically TCP/IP, in managing data transmission and preventing network congestion. It highlights the role of firewalls and Network Address Translation (NAT) in protecting corporate networks from external attacks and managing IP address shortages. Additionally, it explains how NAT functions to allow multiple internal hosts to communicate with external networks while maintaining security and efficiency.

Uploaded by

RITABRATA DEY
... helps avoid network congestion. After all, ... its retransmission. Thus, IP is concerned only with a single datagram, and not with the timely and in-sequence delivery of the entire message; that is done by TCP.

• Protocol: Once the datagram is reconstructed from its fragments, it is handed over to a protocol on top of IP, which could be TCP or UDP. This field specifies which piece of software the datagram should be passed on to.

• Source address: This field contains the 32-bit IP address of the sender.

• Destination address: This field contains the 32-bit IP address of the final destination.

• Options: This field contains optional information such as routing details. For instance, it can store the exact route that the datagram has taken: when the datagram passes through a router, the router adds its address (and optionally, also the time at which it passed) in this field. This helps in tracing datagrams. However, most of the time this field is not needed, and therefore it is not used very often.

This brief introduction to TCP/IP would suffice for the scope of the current text.

9.2 Firewalls

9.2.1 Introduction

The dramatic rise and progress of the Internet has opened possibilities that no one would have thought of. We can connect any computer in the world to any other computer, no matter how far the two are from each other. This is undoubtedly a great advantage for individuals and corporates as well. However, this can be a nightmare for network support staff, which is left with the very difficult job of protecting the corporate networks from a variety of attacks. At a broad level, there are two kinds of attacks:

(a) Most corporations have large amounts of valuable and confidential data in their networks. Leaking of this critical information to competitors can be a great setback.
(b) Apart from the danger of the insider information leaking out, there is a great danger of outside elements (such as viruses and worms) entering a corporate network to create havoc.

We can depict this situation as shown in Fig. 9.5. As a result of these dangers, we must have mechanisms which can ensure that the inside information remains inside, and also prevent the outside attackers from entering inside. As we know, encryption of information (if implemented properly) renders its transmission to the outside world redundant. That is, even if confidential information flows out of a corporate network, if it is in encrypted form, outsiders cannot make any sense of it. However, encryption does not work in the other direction. Outside attackers can still try to break inside a corporate network. Consequently, better schemes are desired to achieve protection from outside attacks. This is where a firewall comes into the picture. ... in detail in the next section.

9.2.2.3 Network address translation (NAT)

One of the interesting jobs done by a firewall (or the router) is Network Address Translation (NAT). The number of people ... growing at a mind boggling rate. ... a user would access the Internet via an Internet Service Provider (ISP) for a short time and then disconnect. The ISP would have a set of IP addresses, from which it would dynamically allocate one IP address to every user for the duration the user was connected to the Internet. Once the user disconnected, the ISP would reallocate that same IP address to another user who wanted to connect. However, this situation changed dramatically as the number of people ... People started using ADSL or cable, i.e. the broadband technology. Worse yet, people wanted multiple IP addresses, since they started creating small personal networks. This led to a serious problem of the shortage of IP addresses.
NAT allows an organisation to have a number of IP addresses internally, but only a single IP address externally. Only the external traffic needs the external address; the internal traffic can work with the internal addresses. For this to be possible, the Internet authorities have specified that certain IP addresses must be used only as internal IP addresses. Others should be used only as external IP addresses. Thus, just by looking at an IP address, we can determine whether it is an internal or an external IP address. Also, routers and hosts have no confusion, because of this classification. The internal (or private) IP addresses are listed in Fig. 9.16.

Range of IP addresses
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255
Fig. 9.16 Internal or private IP addresses

An address within these ranges can be used as an internal IP address by anyone. Such an address is unique within an organisation's network, but not unique outside of the organisation's network. Thus, it has to be used only in the context of (i.e. within) an organisation's network. Therefore, if a router receives a packet with a destination address in one of the above ranges, it does not forward it outside, since it knows that the address is internal.

When implemented in real life, a NAT configuration looks similar to what is shown in Fig. 9.17. The NAT router has two addresses: one external IP address and the other an internal IP address. The external world (i.e. the Internet) knows the router by the router's external address of 201.26.7.9, whereas the internal hosts refer to the router by the router's internal address of 192.168.100.10. Also note how the internal hosts have internal IP addresses (192.168.x.x).

[Fig. 9.17: internal network with hosts 192.168.10.1, 192.168.10.2 and 192.168.10.3; NAT router with internal address 192.168.100.10 and external address 201.26.7.9; the Internet]
Fig. 9.17 NAT implementation example

This clearly means that the external world always sees only one IP address: the NAT router's external address.
For all incoming packets, regardless of which host is actually the final destination in the internal network, the destination address field would always contain the NAT router's external address. Similarly, for all outgoing packets, regardless of which host is actually the original sender in the internal network, the source address field would contain the NAT router's external address when the packet leaves the network. As a result, the NAT router has to perform the job of address translation. For this purpose, the NAT router does the following:

• For all incoming packets, the NAT router replaces the destination address in the packet (which is set to the NAT router's external address) with the internal address of the final receiving host.
• For all outgoing packets, the NAT router replaces the source address in the packet (which is set to the internal address of the sending host) with the external address of the NAT router.

This concept is shown in Fig. 9.18.

[Fig. 9.18: a packet with Source: 192.168.10.1 enters the NAT router and leaves it with Source: 201.26.7.9]
Fig. 9.18 NAT example

If we have studied this carefully, we would have realised that NAT for outgoing packets is quite straightforward. The NAT router simply has to replace the source address in the packet, which is the internal host's address, with the external address of the NAT router. However, when it comes to incoming packets, how does the NAT router know what the internal host address should be? After all, if a network contains hundreds of hosts, the packet can be intended for any one of them! For resolving this issue, the NAT router maintains a simple translation table, which maps the internal address of the host with the address of the external host to which the internal host is sending this packet. Thus, whenever an internal host sends a packet to an external host, the NAT router makes an entry in the translation table. This entry contains the addresses of the internal host and that of the external host to which the packet is being sent over the Internet.
Whenever a response comes back from any external host, the NAT router consults the translation table to see to which internal host the packet should be sent. Let us consider an example to understand this.

(a) Suppose an internal host (with address 192.168.10.1) wants to send a packet to an external host (with address 210.10.20.20). The internal host sends this packet on to the internal network, and it reaches the NAT router. Currently, this packet contains source address = 192.168.10.1 and destination address = 210.10.20.20.

(b) The NAT router adds an entry to the translation table, as follows:
Internal address: 192.168.10.1, External address: 210.10.20.20

(c) The NAT router replaces the source address in the packet with its own address (i.e. 201.26.7.9) and sends the packet to the appropriate external host over the Internet, with the help of the routing mechanisms. Now, this packet contains source address = 201.26.7.9 and destination address = 210.10.20.20.

(d) The external host receives the packet and sends a response back. Currently, this packet contains source address = 210.10.20.20 and destination address = 201.26.7.9.

(e) The packet reaches the NAT router, as the destination address in the packet matches that of the NAT router. The NAT router needs to find out whether this packet is meant for itself, or for another internal host. Therefore, the NAT router consults its translation table to see if there is an entry for address 210.10.20.20 as the external address. In other words, the NAT router tries to find out if any host has sent a packet to, and is expecting a response from, an external host with address 210.10.20.20. It finds a match, and comes to know that the internal host corresponding to this entry has an address of 192.168.10.1.

(f) The NAT router replaces the destination address of the packet with that of the internal host for which it is destined, i.e. 192.168.10.1, and forwards the packet to this host.

This process is depicted in Fig. 9.19. All this works fine, but we have another problem. With this scheme, only one internal host can communicate with any given external host at a given moment.
Otherwise, the translation table will have multiple internal address entries for the same single external host. As a result, the NAT router will not be able to decide to which of these internal hosts a packet needs to be forwarded. In some cases, the NAT router has multiple external addresses. For example, if the NAT router has four external addresses, four internal hosts can access the same single external host, each via a separate external NAT router address. However, there are two limitations in this approach:

(i) There is still a limitation on the number of internal users that can access the same external host simultaneously.

(ii) A single internal host cannot access two different applications on the same single external host (e.g. HTTP and FTP) at the same time. This happens because there is no way to distinguish between one application and another. For a single internal-external host combination, our translation table has a single entry.

To resolve these issues, the translation table is modified to add several new columns. The modified translation table looks as shown in Fig. 9.20.

[Fig. 9.20: the modified translation table; not legible in this scan]

[Additional figure with handwritten notes: a host 10.0.0.1 on a private network sits behind a router/NAT server with external address 150.150.0.1 and talks to a server 200.100.10.1. The outgoing packet with Source IP 10.0.0.1, Destination IP 200.100.10.1 becomes Source IP 150.150.0.1, Destination IP 200.100.10.1 ("changes according to NAT"). The reply with Source IP 200.100.10.1, Destination IP 150.150.0.1 becomes Source IP 200.100.10.1, Destination IP 10.0.0.1.]
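The translation described in steps (a) to (f) above, and the port-extended table that removes limitations (i) and (ii), as an added Python example that is not the textbook's own code. It uses the addresses from the page (192.168.10.1, 201.26.7.9, 210.10.20.20) and the Fig. 9.16 ranges; the port columns in the second table are an assumption about Fig. 9.20, which the scan does not reproduce, and follow the usual port address translation approach. The class and function names are the example's own.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Fig. 9.16: internal (private) ranges. A router never forwards a packet
# whose destination lies in one of these to the outside.
PRIVATE_RANGES = [ip_network("10.0.0.0/8"),
                  ip_network("172.16.0.0/12"),
                  ip_network("192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr falls in one of the Fig. 9.16 internal ranges."""
    a = ip_address(addr)
    return any(a in net for net in PRIVATE_RANGES)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int   # transport-layer ports; only PortNat looks at them
    dport: int


class SimpleNat:
    """Scheme of Fig. 9.18 and 9.19: the table maps an external host to the
    one internal host talking to it, so only one internal host can reach a
    given external host at a time (the limitation the page points out)."""

    def __init__(self, external: str):
        self.external = external
        self.table: dict[str, str] = {}        # external host -> internal host

    def outgoing(self, pkt: Packet) -> Optional[Packet]:
        if is_private(pkt.dst):
            return None                        # internal destination: not forwarded outside
        owner = self.table.get(pkt.dst)
        if owner is not None and owner != pkt.src:
            raise RuntimeError(f"{pkt.dst} is already in use by {owner}")
        self.table[pkt.dst] = pkt.src          # step (b)
        return replace(pkt, src=self.external)  # step (c)

    def incoming(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst != self.external:
            return None                        # not addressed to the NAT router
        internal = self.table.get(pkt.src)     # step (e)
        if internal is None:
            return None                        # nobody is expecting this: drop it
        return replace(pkt, dst=internal)      # step (f)


class PortNat:
    """Table extended with port columns (assumed content of Fig. 9.20): every
    outgoing flow gets its own NAT-side source port, so several internal hosts
    can reach one external host, and one host can use HTTP and FTP on it."""

    def __init__(self, external: str, first_port: int = 40000):
        self.external = external
        self.next_port = first_port
        # nat port -> (internal addr, internal port, external addr, external port)
        self.table: dict[int, tuple[str, int, str, int]] = {}

    def outgoing(self, pkt: Packet) -> Optional[Packet]:
        if is_private(pkt.dst):
            return None
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        for nat_port, entry in self.table.items():   # reuse an existing flow's entry
            if entry == key:
                return replace(pkt, src=self.external, sport=nat_port)
        nat_port = self.next_port
        self.next_port += 1
        self.table[nat_port] = key
        return replace(pkt, src=self.external, sport=nat_port)

    def incoming(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst != self.external:
            return None
        entry = self.table.get(pkt.dport)
        # the reply must come from the host and port the internal host contacted
        if entry is None or (entry[2], entry[3]) != (pkt.src, pkt.sport):
            return None
        return replace(pkt, dst=entry[0], dport=entry[1])


def walk_through() -> tuple:
    """Replays steps (a)-(f) with SimpleNat, shows its limitation, then shows
    the port table resolving it. Returns the values worth checking."""
    nat = SimpleNat("201.26.7.9")
    out = nat.outgoing(Packet("192.168.10.1", "210.10.20.20", 5000, 80))
    back = nat.incoming(Packet("210.10.20.20", "201.26.7.9", 80, 5000))
    try:                                       # a second host to the same external host
        nat.outgoing(Packet("192.168.10.2", "210.10.20.20", 5001, 80))
        second_ok = True
    except RuntimeError:
        second_ok = False
    pnat = PortNat("201.26.7.9")
    http = pnat.outgoing(Packet("192.168.10.1", "210.10.20.20", 5000, 80))
    ftp = pnat.outgoing(Packet("192.168.10.1", "210.10.20.20", 5001, 21))
    other = pnat.outgoing(Packet("192.168.10.2", "210.10.20.20", 5000, 80))
    ftp_reply = pnat.incoming(Packet("210.10.20.20", "201.26.7.9", 21, ftp.sport))
    return out, back, second_ok, http, ftp, other, ftp_reply


if __name__ == "__main__":
    for item in walk_through():
        print(item)
```

The incoming check in PortNat matters: a packet arriving on a NAT port is forwarded only if its source address and port match the external host the internal host actually contacted, so an unrelated external host cannot use a mapping it did not cause.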
Fragment attacks: IP packets pass through a variety of physical networks, such as Ethernet, X.25, Frame Relay, ATM, etc. These networks have a pre-defined maximum frame size (called the Maximum Transmission Unit or MTU). Many times, the size of the IP packet is greater than this maximum size allowed by the underlying network. In such cases, the packet has to be fragmented. An attacker can try to exploit this in the hope that, after fragmentation, the firewall checks only the first fragment and does not check the remaining fragments. This attack can be foiled by discarding all the packets where the (upper layer) protocol type is TCP and the packet is fragmented. (Refer to the identification and protocol fields of an IP packet discussed earlier to understand how we can identify such packets.)

[Fig. 9.21 lists three firewall configurations: Screened host firewall, Single-homed bastion; Screened host firewall, Dual-homed bastion; Screened subnet firewall]
Fig. 9.21 Firewall configurations

Let us discuss these possible configurations now.

9.2.3.1 Screened host firewall, Single-homed bastion

In the Screened host firewall, Single-homed bastion configuration, the firewall set-up consists of two parts: a packet filter and an application gateway. Their purposes are as follows.
• The packet filter ensures that the incoming traffic (i.e. from the Internet to the corporate network) is allowed only if it is destined for the application gateway, by examining the destination address field of every incoming IP packet. Similarly, it also ensures that the outgoing traffic (i.e. from the corporate network to the Internet) is allowed only if it is originating from the application gateway, by examining the source address field of every outgoing IP packet.
• The application gateway performs authentication and proxy functions, as explained earlier.

This configuration is illustrated in Fig. 9.22.

[Fig. 9.22: the Internet, the packet filter, the application gateway (HTTP, SMTP and other proxies) and the internal network]
Fig. 9.22 Screened host firewall, Single-homed bastion

This configuration increases the security of the network by performing checks at both packet and application levels. This also gives more flexibility to the network administrators to define more granular security policies. However, as we can see, one big disadvantage here is that the internal users are connected to the application gateway, as well as to the packet filter. Therefore, if the packet filter is somehow successfully attacked and its security compromised, then the whole internal network is exposed to the attacker.

9.2.3.2 Screened host firewall, Dual-homed bastion

To overcome the drawback of the Screened host firewall, Single-homed bastion configuration, another configuration, called Screened host firewall, Dual-homed bastion, exists. This is an improvement over the earlier scheme. Here, direct connections between the internal hosts and the packet filter are avoided. Instead, the packet filter connects only to the application gateway, which in turn has a separate connection with the internal hosts. Therefore, now even if the packet filter is successfully attacked, only the application gateway is visible to the attacker. This is shown in Fig. 9.23.

[Fig. 9.23: the Internet, the packet filter, the application gateway and the internal network, with only the gateway connecting to the internal hosts]
Fig. 9.23 Screened host firewall, Dual-homed bastion

Can we think of a scheme, which is even better than this?
9.2.3.3 Screened subnet firewall

The Screened subnet firewall offers the highest security among the possible firewall configurations. It is an improvement over the previous scheme of Screened host firewall, Dual-homed bastion. Here, two packet filters are used: one between the Internet and the application gateway, as previously, and another one between the application gateway and the internal network. This is shown in Fig. 9.24.

[Fig. 9.24: the Internet, a packet filter, the application gateway, a second packet filter and the internal network]
Fig. 9.24 Screened subnet firewall

Now, there are three levels of security for an attacker to break into. This makes the life of the attacker very difficult. The attacker does not come to know about the internal network, unless she breaks into both the packet filters and the single application gateway standing between them.

9.2.4 Demilitarised zone (DMZ) networks

The concept of Demilitarised Zone (DMZ) networks is quite popular in firewall architectures, where the public servers are arranged to form a DMZ. A DMZ is required only if an organisation has servers that it wants to make available to the outside world (e.g. Web servers or FTP servers). For this, a firewall has at least three network interfaces. One interface connects to the internal private network; the second connects to the external public network (i.e. the Internet), and the third connects to the public servers (which form the DMZ network). The idea is illustrated in Fig. 9.25.

[Fig. 9.25: a firewall with three interfaces, connected to the internal private network, the Internet and the demilitarised zone (DMZ)]
Fig. 9.25 Demilitarised (DMZ) network

The chief advantage of such a scheme is that the access to any service on the DMZ can be restricted. For instance, if the Web server is the only required service, we can limit the traffic in/out of the DMZ network to the HTTP and HTTPS protocols (i.e. ports 80 and 443, respectively). All other traffic can be filtered. More significantly, the internal private network is in no way directly connected to the DMZ. So, even if an attacker can somehow manage to hack into the DMZ, the internal private network is safe, and out of the reach of the attacker.
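The packet-filter rules that the screened host, screened subnet and DMZ sections above describe (incoming traffic only to the application gateway, outgoing traffic only from it, DMZ traffic limited to HTTP/HTTPS, no DMZ-to-internal path, fragmented TCP discarded), as an added Python example that is not the textbook's code. The topology is constructed for the example: the internal range 192.168.0.0/16 is from Fig. 9.16, while the gateway address, the DMZ subnet and the Internet addresses are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "TCP", "UDP" or "ICMP"
    sport: int = 0
    dport: int = 0
    fragmented: bool = False   # True when the IP fragment offset field is non-zero


GATEWAY = "201.26.7.10"                  # application gateway (bastion host); assumed
DMZ = ip_network("201.26.8.0/24")        # public servers forming the DMZ; assumed
INTERNAL = ip_network("192.168.0.0/16")  # internal private network (Fig. 9.16 range)
DMZ_PORTS = {80, 443}                    # HTTP and HTTPS only, as the page suggests


def outer_filter(pkt: Packet, direction: str) -> bool:
    """Packet filter between the Internet and the gateway/DMZ ("in" or "out")."""
    if pkt.proto == "TCP" and pkt.fragmented:
        return False                     # fragment-attack rule: drop fragmented TCP
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if direction == "in":
        if src in INTERNAL:
            return False                 # a private address never arrives from the Internet
        if pkt.dst == GATEWAY:
            return True                  # screened host rule: only the gateway is reachable
        if dst in DMZ:
            return pkt.proto == "TCP" and pkt.dport in DMZ_PORTS
        return False                     # internal hosts are never reachable directly
    if pkt.src == GATEWAY:
        return True                      # outgoing traffic must originate at the gateway...
    if src in DMZ:                       # ...or be a DMZ server answering on its service port
        return pkt.proto == "TCP" and pkt.sport in DMZ_PORTS
    return False


def inner_filter(pkt: Packet, direction: str) -> bool:
    """Second filter of the screened subnet, between gateway and internal network.
    The DMZ has no path to the internal network, so only the gateway passes."""
    if pkt.proto == "TCP" and pkt.fragmented:
        return False
    if direction == "in":
        return pkt.src == GATEWAY and ip_address(pkt.dst) in INTERNAL
    return pkt.dst == GATEWAY and ip_address(pkt.src) in INTERNAL


def evaluate_samples() -> dict[str, bool]:
    """Constructed traffic samples run through the rules; returns the decisions."""
    outside = "203.0.113.7"              # constructed Internet host
    dmz_web = "201.26.8.5"               # constructed DMZ web server
    inside = "192.168.10.1"              # internal host from Fig. 9.17
    return {
        "internet_to_gateway_smtp": outer_filter(Packet(outside, GATEWAY, "TCP", 40000, 25), "in"),
        "internet_to_dmz_https": outer_filter(Packet(outside, dmz_web, "TCP", 40001, 443), "in"),
        "internet_to_dmz_ssh": outer_filter(Packet(outside, dmz_web, "TCP", 40002, 22), "in"),
        "internet_to_internal_direct": outer_filter(Packet(outside, inside, "TCP", 40003, 80), "in"),
        "fragmented_tcp_to_gateway": outer_filter(Packet(outside, GATEWAY, "TCP", 40004, 25, True), "in"),
        "internal_host_out_direct": outer_filter(Packet(inside, outside, "TCP", 5000, 80), "out"),
        "gateway_out": outer_filter(Packet(GATEWAY, outside, "TCP", 5001, 80), "out"),
        "dmz_reply_out": outer_filter(Packet(dmz_web, outside, "TCP", 443, 40001), "out"),
        "dmz_to_internal": inner_filter(Packet(dmz_web, inside, "TCP", 443, 445), "in"),
        "gateway_to_internal": inner_filter(Packet(GATEWAY, inside, "TCP", 25, 5002), "in"),
        "internal_to_gateway": inner_filter(Packet(inside, GATEWAY, "TCP", 5003, 8080), "out"),
    }


if __name__ == "__main__":
    for name, allowed in evaluate_samples().items():
        print(f"{name:30s} {'ALLOW' if allowed else 'DROP'}")
```

Both filters default to deny: anything not explicitly matching a rule is dropped, which is what makes the "three levels" claim hold, since a compromised DMZ server is still only an Internet-side host as far as the inner filter is concerned.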
