Computer System Evolution - PowerPoint PPT Presentation

Title: Computer System Evolution
Slides: 13
Provided by: johnco159

Transcript and Presenter's Notes
Slide 1: Computer System Evolution

- Central Data Processing System - with directly attached peripherals (card reader, magnetic tapes, line printer).
- Local Area Networks - connect PCs (in terminal emulation mode), remote terminals (next building) and mini-computers.
- Premises Network - connects LANs and LAN-attached devices to each other.
- Enterprise-wide Network - leased data lines (T1, DS-3) connect various offices.
- Internet Connectivity - initially for email, now for Web access, e-commerce, ... Makes the world accessible, but now the world also has access to you.
Slide 2: Connectivity Provided by the Georgia Backbone Network

[Diagram of the Georgia Backbone Network. Labels: Citizens, Schools, Contractors, Libraries, City & County Governments, Kiosks, WWW, State WWW Gateway, State Internet, Agency Gateway, Other Agencies, Web Server, Agency Virtual Private Network, Private Virtual Connection, Agency Server, LANs at Agency Offices across Georgia, Non-Agency State Server.]
Slide 3: Agency Firewall - Protects Agency Subnets from Unwanted Connections

[Diagram: Subnet 1 and Subnet 2, each behind a Gateway, attached to the WAN.]

Firewalls (and many routers) can reject
- Packets with certain source and destination addresses
- Packets with certain high-level protocols (UDP, Telnet)

Proxy Servers - for specific applications
- Email messages assembled and inspected, then passed to internal email server machine.
- Prevent Cyber Loafing - Exploring the Internet for fun.
Slide 4: Router-Firewall can drop packets based on source or destination IP address and/or port

[Diagram: a Web Server (IP Address 130.207.22.5, Port 80) and a Browser (IP Address 24.88.15.22, Port 31337), each drawn as a protocol stack: Application Layer (HTTP), Transport Layer (TCP, UDP) carrying the Segment No., Network Layer (IP) carrying the IP Address, Data-Link Layer (Token Ring or Ethernet), Physical Layer. The router-firewall between them has only the Network, Data-Link and Physical layers, Token Ring on one side and Ethernet on the other, so the source/destination addresses and ports are the fields it can see and filter on.]
Slide 5: Transport or App.-Layer Gateway, or Proxy

[Diagram: two end hosts with a gateway in the middle, each drawn as a protocol stack. The end hosts have an Application Layer (HTTP, FTP, TELNET, SMTP), Transport Layer (TCP, UDP), Network Layer (IP), Data Link Layer and Physical Layer (Token Ring on one side, Ethernet on the other). The gateway runs a Process at the transport or application layer on top of two complete stacks (Transport, Network, Data Link, Physical), one facing each network, so each connection terminates at the gateway and a separate connection is made onward.]
Slide 6: Policy and the corresponding Firewall Setting

- Policy: No outside Web access.
  Firewall setting: Drop all outgoing packets to any IP, port 80.
- Policy: Outside connections to Public Web Server only.
  Firewall setting: Drop all incoming TCP SYN packets to any IP except 130.207.244.203, port 80.
- Policy: Prevent Web-Radios from eating up the available bandwidth.
  Firewall setting: Drop all incoming UDP packets - except DNS and Router Broadcasts.
- Policy: Prevent your network from being used for a Smurf DoS attack.
  Firewall setting: Drop all ICMP packets going to a broadcast address (130.207.255.255 or 130.207.0.0).
- Policy: Prevent your network from being tracerouted or scanned.
  Firewall setting: Drop all incoming ICMP, UDP, or TCP echo-request packets; drop all packets with TTL < 5.
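The packet filtering that slides 3, 4 and 6 describe, worked through as an added example (not code from the presentation): a first-match filter that encodes the five policy/setting pairs above and reports which rule dropped a packet. Packets are plain dicts constructed here; the only values taken from the slides are the public Web server 130.207.244.203 and the two broadcast addresses. Two readings are assumptions: "Router Broadcasts" is taken to mean RIP on UDP port 520, and "UDP or TCP echo-request" is taken to mean the echo service on port 7.

```python
"""First-match packet filter encoding the five policy / setting pairs on the slide.
Added example for this transcript, not from the deck. Packets are dicts built below;
only 130.207.244.203 and the two broadcast addresses come from the slides."""
from ipaddress import ip_address

PUBLIC_WEB = ip_address("130.207.244.203")     # the one host that may accept inbound SYNs
BROADCASTS = {ip_address("130.207.255.255"), ip_address("130.207.0.0")}
DNS_PORT, RIP_PORT, ECHO_PORT = 53, 520, 7     # RIP/520 and echo/7 are assumed readings of the slide


def rule_outbound_web(p):
    """Policy 1: no outside Web access -> drop outgoing packets to port 80."""
    return p["dir"] == "out" and p.get("dport") == 80


def rule_inbound_syn(p):
    """Policy 2: only the public Web server may be reached from outside.
    A 'SYN packet' is SYN set with ACK clear, so SYN-ACK replies to our own
    outgoing connections are not caught here."""
    if p["dir"] != "in" or p["proto"] != "tcp":
        return False
    flags = p.get("flags", set())
    if "SYN" not in flags or "ACK" in flags:
        return False
    return not (ip_address(p["dst"]) == PUBLIC_WEB and p["dport"] == 80)


def rule_inbound_udp(p):
    """Policy 3: starve Web radios -> drop inbound UDP except DNS and router (RIP) broadcasts."""
    if p["dir"] != "in" or p["proto"] != "udp":
        return False
    return p.get("sport") != DNS_PORT and p.get("dport") not in (DNS_PORT, RIP_PORT)


def rule_icmp_broadcast(p):
    """Policy 4: no Smurf amplification -> drop ICMP aimed at a broadcast address."""
    return p["proto"] == "icmp" and ip_address(p["dst"]) in BROADCASTS


def rule_probe(p):
    """Policy 5: resist scanning and traceroute -> drop inbound echo requests
    (ICMP type 8, or the TCP/UDP echo service on port 7) and any packet with TTL < 5."""
    if p.get("ttl", 64) < 5:
        return True
    if p["dir"] != "in":
        return False
    if p["proto"] == "icmp":
        return p.get("icmp_type") == 8
    return p.get("dport") == ECHO_PORT


# Evaluated in slide order; the first rule that matches decides the packet.
RULES = [
    ("outbound-web", rule_outbound_web),
    ("inbound-syn", rule_inbound_syn),
    ("inbound-udp", rule_inbound_udp),
    ("icmp-broadcast", rule_icmp_broadcast),
    ("probe", rule_probe),
]


def decide(p):
    """Return ('DROP', rule_name) for the first matching rule, else ('ACCEPT', None)."""
    for name, match in RULES:
        if match(p):
            return "DROP", name
    return "ACCEPT", None


if __name__ == "__main__":
    # Constructed packet modelled on the slide-4 diagram: the browser's SYN to an
    # internal host that is not the public Web server.
    sample = {"dir": "in", "proto": "tcp", "src": "24.88.15.22", "dst": "130.207.22.5",
              "sport": 31337, "dport": 80, "flags": {"SYN"}, "ttl": 60}
    print(decide(sample))
```

The rule order matters: an ICMP echo request to 130.207.255.255 is reported under the Smurf rule, not the probe rule, because the broadcast rule is checked first, and a SYN-ACK arriving for a connection an inside host opened is accepted because the SYN rule deliberately ignores packets with ACK set.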
Slide 7: Firewall Attacks and Firewall Defense

- Attack: IP Internal-Address Spoofing.
  Defense: Drop all incoming packets with local address.
- Attack: Source Routing (External Spoof).
  Defense: Drop all IP packets with Source-Routing Option.
- Attack: Tiny Fragment Attacks.
  Defense: Drop all incoming packets with small offset.
- Attack: 2nd-Fragment Probes.
  Defense: Assemble IP fragments (hard work).
- Attack: SYN-ACK Probes.
  Defense: Be Stateful - keep track of TCP outgoing SYN packets (start of all TCP connections) (hard work).
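The first four defenses on this slide are stateless checks on the IPv4 header, so they can be shown directly on raw packet bytes. The following is an added example (not the presentation's code) that parses an IPv4 header with its options and rejects inbound packets that carry a local source address, a loose or strict source-routing option, or a fragment layout that would hide the transport header. The local prefix 130.207.0.0/16 is taken from the slides; the packets are constructed by a small builder in the block, and the threshold for a "small offset" (anything below 3, i.e. fewer than 24 bytes into the datagram) is an assumed policy value.

```python
"""Stateless IPv4 header checks for the spoofing, source-routing and fragment
attacks listed on the slide. Added example for this transcript, not from the
deck; packets are constructed here, 130.207.0.0/16 is the slides' own prefix."""
import struct
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("130.207.0.0/16")
LSRR, SSRR = 131, 137        # IPv4 option types: loose and strict source routing
MIN_FRAGMENT_OFFSET = 3      # assumed policy: offsets 1 and 2 would overlap the TCP header


def parse_ipv4(raw):
    """Parse the fixed 20-byte IPv4 header plus options; checksum is not verified."""
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": ip_address(src), "dst": ip_address(dst), "proto": proto, "ttl": ttl,
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,          # in 8-byte units
        "options": raw[20:ihl],
        "payload": raw[ihl:total_len],
    }


def option_types(options):
    """Walk the (type, length, data) option list and return the option types present."""
    types, i = [], 0
    while i < len(options):
        t = options[i]
        if t == 0:                 # End of option list
            break
        if t == 1:                 # NOP is a single byte
            i += 1
            continue
        types.append(t)
        length = options[i + 1] if i + 1 < len(options) else 0
        if length < 2:             # malformed option: stop walking rather than loop
            break
        i += length
    return types


def check_incoming(raw):
    """Return the name of the first defense rule that rejects the packet, or None."""
    p = parse_ipv4(raw)
    if p["src"] in LOCAL_NET:
        return "spoofed-local-source"            # drop incoming packets with local address
    if any(t in (LSRR, SSRR) for t in option_types(p["options"])):
        return "source-routing-option"           # drop packets with a source-routing option
    if 0 < p["frag_offset"] < MIN_FRAGMENT_OFFSET:
        return "small-fragment-offset"           # 2nd fragment that would overwrite the ports
    if p["frag_offset"] == 0 and p["more_fragments"] and p["proto"] == 6 and len(p["payload"]) < 20:
        return "tiny-first-fragment"             # TCP header does not fit in the first fragment
    return None


def build_ipv4(src, dst, proto=6, ttl=64, flags_frag=0, options=b"", payload=b""):
    """Construct a raw IPv4 packet for testing (checksum left zero; constructed data)."""
    while len(options) % 4:
        options += b"\x00"                      # options are padded to a 32-bit boundary
    ihl = 5 + len(options) // 4
    total = ihl * 4 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, total, 1, flags_frag, ttl, proto, 0,
                         ip_address(src).packed, ip_address(dst).packed)
    return header + options + payload


if __name__ == "__main__":
    # Constructed: a loose-source-routed packet from outside to an agency host.
    lsrr = bytes([LSRR, 7, 4]) + ip_address("24.88.15.23").packed
    print(check_incoming(build_ipv4("24.88.15.22", "130.207.22.5", options=lsrr, payload=b"\x00" * 20)))
```

The fifth defense, catching SYN-ACK probes, needs the connection state the slide calls "hard work" (a table of outgoing SYNs to check replies against) and is not something a per-packet header check can provide.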
Slide 8

A Firewall is a single point that a Network Administrator can control, even if individual computers are managed by workers or departments.

Over half of corporate computer misfeasance is caused by employees who are already behind the main firewall.
- Solution 1 - isolate subnets with firewalls (usually routers or Ethernet switches with filter capabilities). Protect Finance from Engineering.
- Solution 2 - implement IP Chains to limit access to individual computers at the lowest protocol level possible, to specific hosts and subnets.
Slide 9: IP Chains

/etc/hosts.deny:
ALL: ALL

/etc/hosts.allow:
in.telnetd: 199.77.146. 24.88.154.17
in.ftpd: 199.77.146.19 199.77.146.102

UNIX and Linux computers allow network contact to be limited to individual hosts or subnets (199.77.146. means 199.77.146.any). Above, telnet connection is available to all on the 199.77.146.0 subnet, and a single off-subnet host, 24.88.154.17. FTP service is available only to two local hosts, .19 and .102. The format for each line is daemon: host-list.
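The two files above use the TCP Wrappers (tcpd) access-control format, where hosts.allow is consulted before hosts.deny. As an added example (not from the presentation), the following evaluates that format against a client: it embeds the slide's own two files as strings, treats a pattern ending in a dot as a network prefix exactly as the slide explains, and applies tcpd's order of evaluation. The daemon and client addresses in the usage call are constructed.

```python
"""Evaluate TCP Wrappers style /etc/hosts.allow and /etc/hosts.deny rules in the
'daemon: host-list' format shown on the slide. Added example for this transcript,
not from the deck; the file contents below are the slide's own."""

HOSTS_ALLOW = """\
in.telnetd: 199.77.146. 24.88.154.17
in.ftpd: 199.77.146.19 199.77.146.102
"""
HOSTS_DENY = "ALL: ALL\n"


def parse_rules(text):
    """Return (daemon-list, host-list) pairs; comments and blank lines are skipped,
    list members may be separated by spaces or commas."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, hosts = line.split(":", 1)
        rules.append((daemons.replace(",", " ").split(), hosts.replace(",", " ").split()))
    return rules


def host_matches(pattern, addr):
    """ALL matches anything; a pattern ending in '.' is a network prefix
    (199.77.146. means 199.77.146.any); anything else must match exactly."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return addr.startswith(pattern)
    return addr == pattern


def rule_matches(rule, daemon, addr):
    daemons, hosts = rule
    return ("ALL" in daemons or daemon in daemons) and any(host_matches(h, addr) for h in hosts)


def access_allowed(daemon, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcpd order: a match in hosts.allow grants access, otherwise a match in
    hosts.deny refuses it, and a client matching neither file is allowed.
    That last default is why the slide's hosts.deny holds 'ALL: ALL'."""
    if any(rule_matches(r, daemon, addr) for r in parse_rules(allow)):
        return True
    if any(rule_matches(r, daemon, addr) for r in parse_rules(deny)):
        return False
    return True


if __name__ == "__main__":
    # Constructed clients: one on the local subnet, one off-subnet.
    for daemon, client in [("in.telnetd", "199.77.146.50"), ("in.ftpd", "199.77.146.50"),
                           ("in.telnetd", "24.88.154.18")]:
        print(daemon, client, "allowed" if access_allowed(daemon, client) else "denied")
```

Without the catch-all line in hosts.deny, a daemon that is not named in hosts.allow (the last assertion in the test uses an empty deny file) would be reachable from anywhere, which is the opposite of the "limit access to specific hosts and subnets" goal on the previous slide.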
Slide 10: Router Setup with Network Address Translation (NAT)

Addresses 10.0.0.0 and 192.168.0.0 reserved for private networks.

Slide 11

[Diagram: an outside FTP Client 130.27.8.35 on the Internet talks through the Router 24.88.48.47 with NAT that Masquerades (could be a dual-homed bastion host) to the inside hosts 192.168.0.10, 192.168.0.20, 192.168.0.30 and 192.168.0.40. Inside services: Web Server port 80, FTP Server port 23.]

Outside the router:
To 130.27.8.35:x from 24.88.48.47:23
To 24.88.48.47:23 from 130.27.8.35:x

Inside the router:
To 130.27.8.35:x from 192.168.0.40:23
To 192.168.0.40:23 from 130.27.8.35:x

Note: x is a high port number, 1024-65,535.

Slide 12

[Diagram: an outside Web Host 130.27.8.35 on the Internet talks through the Router 24.88.48.47 with NAT that Masquerades to the inside Web Client 192.168.0.20; the other inside hosts are 192.168.0.10, 192.168.0.30 and 192.168.0.40. Inside services: Web Server port 80, FTP Server port 23.]

Outside the router:
To 130.27.8.35:80 from 24.88.48.47:x
To 24.88.48.47:x from 130.27.8.35:80

Inside the router:
To 130.27.8.35:80 from 192.168.0.20:x
To 192.168.0.20:x from 130.27.8.35:80
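Both diagrams (slides 11 and 12) show the same router doing two kinds of translation: rewriting the source of outbound packets to its own address with a fresh high port (masquerading, slide 12) and forwarding inbound packets on a published port to an inside server (slide 11). The following added example (not the presentation's code) models that router with a connection-tracking table so that replies in either direction are mapped back to the right inside host; the addresses and ports are the slides' own, while the table, the starting port 1024 and the packet dicts are constructed here.

```python
"""NAT router with a connection-tracking table: outbound masquerading and an
inbound port-forward, as drawn on slides 11 and 12. Added example for this
transcript, not from the deck; addresses and ports are the slides', the
translation table is constructed."""
from itertools import count

ROUTER_PUBLIC = "24.88.48.47"
PORT_FORWARDS = {23: "192.168.0.40"}     # public port 23 -> inside FTP server, as on slide 11


class NatRouter:
    def __init__(self, public_ip=ROUTER_PUBLIC, forwards=PORT_FORWARDS):
        self.public_ip = public_ip
        self.forwards = forwards
        self.out_map = {}      # (inside_ip, inside_port, remote_ip, remote_port) -> public_port
        self.in_map = {}       # (public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.next_port = count(1024)   # "x is a high port number, 1024-65,535"

    def outbound(self, pkt):
        """Inside -> Internet: replace the private source with the router's address.
        A session seen before keeps its public port; a new one gets the next free port."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key not in self.out_map:
            pub = next(self.next_port)
            self.out_map[key] = pub
            self.in_map[(pub, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
        return {**pkt, "src": self.public_ip, "sport": self.out_map[key]}

    def inbound(self, pkt):
        """Internet -> inside: a reply to a tracked session goes back to the host that
        started it; a packet to a published port goes to the configured server;
        anything else has no mapping and is dropped (returns None)."""
        if pkt["dst"] != self.public_ip:
            return None
        key = (pkt["dport"], pkt["src"], pkt["sport"])
        if key in self.in_map:
            inside_ip, inside_port = self.in_map[key]
        elif pkt["dport"] in self.forwards:
            inside_ip, inside_port = self.forwards[pkt["dport"]], pkt["dport"]
            # Record the forwarded session so the server's replies keep the public port.
            self.in_map[key] = (inside_ip, inside_port)
            self.out_map[(inside_ip, inside_port, pkt["src"], pkt["sport"])] = pkt["dport"]
        else:
            return None
        return {**pkt, "dst": inside_ip, "dport": inside_port}


if __name__ == "__main__":
    router = NatRouter()
    # Slide 12: the inside Web client 192.168.0.20 fetches from 130.27.8.35:80 (port 5000 constructed).
    out = router.outbound({"src": "192.168.0.20", "sport": 5000, "dst": "130.27.8.35", "dport": 80})
    print("to", out["dst"], out["dport"], "from", out["src"], out["sport"])
    back = router.inbound({"src": "130.27.8.35", "sport": 80, "dst": out["src"], "dport": out["sport"]})
    print("to", back["dst"], back["dport"], "from", back["src"], back["sport"])
    # Slide 11: the outside FTP client 130.27.8.35 reaches the inside server on public port 23.
    fwd = router.inbound({"src": "130.27.8.35", "sport": 6000, "dst": ROUTER_PUBLIC, "dport": 23})
    print("to", fwd["dst"], fwd["dport"], "from", fwd["src"], fwd["sport"])
```

The security-relevant behaviour is the `None` path: an outside host that has not been contacted from inside and is not aiming at a published port gets no mapping, so the private 192.168.0.0 hosts are unreachable by default. The published port is the one deliberate exception, which is why the slide notes the router "could be a dual-homed bastion host".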