A. The firewall services are installed on the router. Create the firewall rules to implement
the packet filtering and only allow the specified traffic. The firewall rules are to be
created in the following format.

Rule No. | Application Protocol | Transport Protocol | Source IP      | Source Port | Destination IP | Destination Port | Action
1        | HTTP                 | TCP                | 0.0.0.0/0      | Any         | 138.77.5.89    | 80               | allow
2        | HTTPS                | TCP                | 0.0.0.0/0      | Any         | 138.77.5.89    | 443              | allow
3        | DNS                  | UDP/TCP            | 0.0.0.0/0      | Any         | 138.77.5.6     | 53               | allow
4        | DNS                  | UDP/TCP            | 138.77.5.6     | Any         | 0.0.0.0/0      | 53               | allow
5        | DNS                  | UDP/TCP            | 192.168.1.0/25 | Any         | 138.77.5.6     | 53               | allow
6        | SMTP                 | TCP                | 0.0.0.0/0      | Any         | 138.77.5.110   | 25               | allow
7        | IMAP                 | TCP                | 192.168.1.0/25 | Any         | 138.77.5.110   | 143              | allow
8        | HTTP                 | TCP                | 192.168.1.0/25 | Any         | 0.0.0.0/0      | 80               | allow
9        | HTTPS                | TCP                | 192.168.1.0/25 | Any         | 0.0.0.0/0      | 443              | allow
10       | FTP                  | TCP                | 192.168.1.0/25 | Any         | 0.0.0.0/0      | 21               | allow

Each rule describes the packet that opens a connection and is matched top to bottom. Any packet that matches none of the rules, including every connection attempt from the internet into 192.168.1.0/25, is dropped by the implicit default-deny rule at the end of the list. SMTP and IMAP run over TCP, not UDP, so rules 6 and 7 use TCP.
Rule 1.
This rule allows TCP connections from any source to the web server 138.77.5.89 on destination port
80, the HTTP service.
Rule 2.
This rule allows TCP connections from any source to the web server 138.77.5.89 on destination port
443, the HTTPS service.
Rule 3.
This rule allows DNS queries from the internet to the DNS server 138.77.5.6 in the DMZ. UDP is the
normal transport; TCP port 53 is included because responses too large for a UDP datagram are retried
over TCP.
Rule 4.
This rule allows the DNS server to query other name servers on the internet when it cannot answer a
query from its own zones or its cache.
Rule 5.
This rule allows internal users on 192.168.1.0/25 to query the DNS server in the DMZ.
Rule 6.
This rule allows other mail servers on the internet to deliver mail to the mail server 138.77.5.110 on
TCP port 25 (SMTP).
Rule 7.
This rule allows the hosts on the inside network to open IMAP connections (TCP port 143) to the mail
server and download their mail onto their workstations. The rule is written for the direction in
which the connection is opened; the server's replies are admitted by the firewall's connection
tracking. On a purely stateless filter a matching reverse rule, from 138.77.5.110 port 143 to
192.168.1.0/25, would also be needed.
Rule 8.
This rule allows hosts on the inside network to access web services running on port 80 on the outside
network.
Rule 9.
This rule allows hosts on the inside network to access HTTPS services on port 443 on the outside
network.
Rule 10.
This rule allows inside hosts to connect to the FTP control port (TCP 21) on outside FTP sites. The
data connection over which files are actually transferred cannot be expressed as a static rule: in
active mode the server connects back from its port 20 to a port chosen by the client, and in passive
mode the client connects to a high port chosen by the server. The firewall therefore needs an FTP
connection-tracking helper, otherwise directory listings and downloads will hang after the login.
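The following is an added example, not part of the original answer, that loads the rule table above into a small first-match packet filter and evaluates constructed sample packets against it, falling through to default deny. It also checks the list for shadowed rules, the standard sanity check on a filter list: in a flat list that is not bound to interfaces, rule 3 (any source to 138.77.5.6 port 53) already matches everything rule 5 would, so rule 5 can never fire unless the two are placed on different interfaces. The address 203.0.113.10 is a documentation address standing in for an internet host.

```python
import ipaddress

# Rule table from the answer above, one tuple per row:
# (rule no, application, transport, source net, source port, destination net, destination port, action).
# "any" and 0.0.0.0/0 are wildcards; a single host is written as a /32.
RULES = [
    (1,  "HTTP",  "tcp",     "0.0.0.0/0",      "any", "138.77.5.89/32",  "80",  "allow"),
    (2,  "HTTPS", "tcp",     "0.0.0.0/0",      "any", "138.77.5.89/32",  "443", "allow"),
    (3,  "DNS",   "udp/tcp", "0.0.0.0/0",      "any", "138.77.5.6/32",   "53",  "allow"),
    (4,  "DNS",   "udp/tcp", "138.77.5.6/32",  "any", "0.0.0.0/0",       "53",  "allow"),
    (5,  "DNS",   "udp/tcp", "192.168.1.0/25", "any", "138.77.5.6/32",   "53",  "allow"),
    (6,  "SMTP",  "tcp",     "0.0.0.0/0",      "any", "138.77.5.110/32", "25",  "allow"),
    (7,  "IMAP",  "tcp",     "192.168.1.0/25", "any", "138.77.5.110/32", "143", "allow"),
    (8,  "HTTP",  "tcp",     "192.168.1.0/25", "any", "0.0.0.0/0",       "80",  "allow"),
    (9,  "HTTPS", "tcp",     "192.168.1.0/25", "any", "0.0.0.0/0",       "443", "allow"),
    (10, "FTP",   "tcp",     "192.168.1.0/25", "any", "0.0.0.0/0",       "21",  "allow"),
]


def _ports(spec):
    """None means any port; otherwise the set of ports listed, e.g. '20,21'."""
    return None if spec == "any" else {int(p) for p in spec.split(",")}


def _port_ok(spec, port):
    allowed = _ports(spec)
    return allowed is None or port in allowed


def evaluate(rules, proto, src_ip, src_port, dst_ip, dst_port):
    """First-match evaluation of the packet that opens a connection.
    Returns (rule number, action); no match falls through to the implicit default deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for no, _app, transport, src_net, sp, dst_net, dp, action in rules:
        if (proto in transport.split("/")
                and src in ipaddress.ip_network(src_net)
                and _port_ok(sp, src_port)
                and dst in ipaddress.ip_network(dst_net)
                and _port_ok(dp, dst_port)):
            return no, action
    return None, "deny"


def _covers(spec_a, spec_b):
    """True if port spec a matches every port that spec b matches."""
    a, b = _ports(spec_a), _ports(spec_b)
    return a is None or (b is not None and a >= b)


def find_shadowed(rules):
    """Return (later rule, earlier rule) pairs where the earlier rule matches every packet the
    later one would, so the later rule can never fire in a flat, interface-independent list."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (set(later[2].split("/")) <= set(earlier[2].split("/"))
                    and ipaddress.ip_network(later[3]).subnet_of(ipaddress.ip_network(earlier[3]))
                    and _covers(earlier[4], later[4])
                    and ipaddress.ip_network(later[5]).subnet_of(ipaddress.ip_network(earlier[5]))
                    and _covers(earlier[6], later[6])):
                shadowed.append((later[0], earlier[0]))
                break
    return shadowed


if __name__ == "__main__":
    # Constructed sample packets: (transport, source IP, source port, destination IP, destination port).
    for pkt in [("tcp", "203.0.113.10", 40000, "138.77.5.89", 80),    # HTTP to the web server
                ("tcp", "203.0.113.10", 40000, "138.77.5.89", 22),    # SSH to the web server
                ("udp", "203.0.113.10", 40000, "138.77.5.110", 25),   # SMTP over UDP: no such thing
                ("tcp", "203.0.113.10", 40000, "192.168.1.20", 80),   # internet into the inside net
                ("tcp", "192.168.1.20", 50000, "138.77.5.110", 143)]: # inside host fetching mail
        print(pkt, "->", evaluate(RULES, *pkt))
    print("shadowed rules:", find_shadowed(RULES))
```

The filter only models the packet that opens a connection; return traffic is assumed to be handled by connection tracking, as discussed under rule 7. On a router the rules would normally be attached to the inside and outside interfaces separately, which is what makes rule 5 meaningful in practice.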
Packet Addressing on internal network                  Packet Addressing on external network
Source IP    Src Port  Dst IP          Dst Port        Source IP     Src Port  Dst IP          Dst Port
192.168.1.2  1033      203.206.209.77  80              138.77.5.210  1055      203.206.209.77  80
192.168.1.2  1035      210.10.102.196  443             138.77.5.210  1056      210.10.102.196  443
192.168.1.5  2301      203.206.209.55  21              138.77.5.210  1057      203.206.209.55  21
192.168.1.5  2302      202.2.59.40     443             138.77.5.210  1058      202.2.59.40     443
192.168.1.5  4123      72.5.124.55     80              138.77.5.210  1059      72.5.124.55     80
192.168.1.8  4128      72.5.124.35     21              138.77.5.210  1060      72.5.124.35     21
192.168.1.8  1033      150.101.16.250  80              138.77.5.210  1061      150.101.16.250  80
192.168.1.9  1035      150.101.16.250  443             138.77.5.210  1062      150.101.16.250  443
PAT stands for Port Address Translation. It rewrites the source IP address of every outbound packet
from an internal host to the public IP of the gateway (138.77.5.210) and rewrites the source port to a
port that is unique on the gateway. The gateway keeps a translation table keyed by that port, so a
reply arriving at 138.77.5.210 on port 1055 can be mapped back to 192.168.1.2 port 1033. The port has
to be rewritten as well as the address: 192.168.1.2 and 192.168.1.8 both use source port 1033, and on
the outside they are told apart only by the translated ports 1055 and 1061. The destination address
and port are left unchanged, as shown in the table.
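As an added example (not from the original answer), the translator below reproduces the table above from the eight inside flows and shows the inbound half that the text only implies: a packet from the outside is rewritten back to an inside host only if it matches a recorded session, so unsolicited packets, and replies from a different peer than the one the session was opened to, have nowhere to go and are dropped. The sequential port allocation starting at 1055 is chosen to match the table; real devices allocate ports less predictably.

```python
import itertools

# Flows from the internal-network table above: (source IP, source port, destination IP, destination port).
INSIDE_FLOWS = [
    ("192.168.1.2", 1033, "203.206.209.77", 80),
    ("192.168.1.2", 1035, "210.10.102.196", 443),
    ("192.168.1.5", 2301, "203.206.209.55", 21),
    ("192.168.1.5", 2302, "202.2.59.40", 443),
    ("192.168.1.5", 4123, "72.5.124.55", 80),
    ("192.168.1.8", 4128, "72.5.124.35", 21),
    ("192.168.1.8", 1033, "150.101.16.250", 80),
    ("192.168.1.9", 1035, "150.101.16.250", 443),
]


class PortAddressTranslator:
    """Stateful PAT: every new inside connection gets a fresh port on the single public IP,
    and only replies to a recorded connection are translated back in."""

    def __init__(self, public_ip, first_port=1055):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)  # sequential to match the table; assumed, not how real devices allocate
        self.out_table = {}  # (in_ip, in_port, dst_ip, dst_port) -> public port
        self.in_table = {}   # public port -> (in_ip, in_port, dst_ip, dst_port)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of an inside->outside packet; returns the packet as seen outside."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out_table:
            port = next(self._ports)
            self.out_table[key] = port
            self.in_table[port] = key
        return (self.public_ip, self.out_table[key], dst_ip, dst_port)

    def translate_inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the destination of an outside->inside packet, or return None to drop it:
        unsolicited packets and replies from the wrong peer have no table entry."""
        if dst_ip != self.public_ip:
            return None
        entry = self.in_table.get(dst_port)
        if entry is None:
            return None
        in_ip, in_port, peer_ip, peer_port = entry
        if (src_ip, src_port) != (peer_ip, peer_port):
            return None
        return (src_ip, src_port, in_ip, in_port)


def build_translation_table(flows, public_ip="138.77.5.210"):
    """Translate each inside flow and pair it with what the outside network sees."""
    pat = PortAddressTranslator(public_ip)
    return [(flow, pat.translate_outbound(*flow)) for flow in flows]


if __name__ == "__main__":
    for inside, outside in build_translation_table(INSIDE_FLOWS):
        print(inside, "->", outside)
```

The table entry is keyed on the full inside four-tuple, which is why the two connections from port 1033 on different hosts receive different public ports and why a reply to port 1055 from any host other than 203.206.209.77 is rejected.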
Question 2: Attack and Defence Research
The major difference between ARP cache poisoning and DNS cache poisoning is, as the names suggest,
what gets poisoned. ARP cache poisoning fills the ARP table of a machine with false IP-to-MAC
mappings, primarily so that the attacker can place itself between the victim and its gateway or
peer and perform a man-in-the-middle attack.
DNS cache poisoning plants false name-to-address records, or false delegation records, in the cache of
a DNS resolver, with the intention of redirecting users to a phishing site or making a site
unreachable. Both attacks work by corrupting a lookup table that other systems trust without
verification.
ARP cache poisoning is a LAN-based attack: victim, impersonated host and attacker must all sit in the
same broadcast domain, since ARP is not routed beyond one subnet.
DNS cache poisoning is a server-side attack whose direct victim is a DNS resolver. The attacker gets a
false entry for a particular name into the resolver's cache, for example by racing the legitimate
name server and answering the resolver's query with a forged response that carries the right
transaction ID and port (Son and Shmatikov). The false entry is then served to every client of that
resolver, and to any resolver that forwards to it, until its TTL expires. If the forged record is a
delegation (an NS record with glue) for a whole zone, every later lookup under that zone is sent to
the attacker's server, so one poisoned entry can contaminate many further names. DNS cache poisoning
is therefore harder to detect and to clean up than ARP cache poisoning.
ARP cache poisoning has a narrower blast radius, since the victim is a single machine on the local
LAN and machines on other segments are unaffected. However, if the victim is exchanging confidential
information, its capture or modification by a man-in-the-middle attacker can impact business
operations in several ways.
There are established measures against both attacks.
Cisco switches have several features which prevent ARP cache poisoning. Some of the features are:
1. DHCP snooping, which builds a binding table of the IP addresses handed out by the DHCP server,
each tied to the MAC address, VLAN and switch port of the client that received it. Only the ports
facing the DHCP server are marked trusted; DHCP server replies arriving on untrusted ports are
dropped.
2. Dynamic ARP Inspection (DAI), which checks every ARP packet received on an untrusted port against
the DHCP snooping binding table and drops ARP replies whose sender IP/MAC pair does not match a
binding.
3. IP Source Guard, which uses the same binding table to filter IP packets, dropping packets whose
source IP address (and optionally MAC address) does not match the binding of the port they arrived
on. This stops the IP spoofing that often accompanies ARP cache poisoning.
Hosts with static addresses need static entries in the binding table, otherwise DAI and IP Source
Guard will block them.
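To show what the attack described above looks like on the wire, and the check DAI performs against a binding table, here is an added example that is not part of the original answer. It runs over a constructed sequence of ARP replies on the 192.168.1.0/25 segment in which the host using MAC 00:11:22:33:44:08 starts claiming the addresses of the gateway (192.168.1.1) and of 192.168.1.5, the classic two-sided man-in-the-middle. Without a binding table the detector can only flag changes and a MAC that claims several IPs; with a trusted binding (here a hypothetical static entry for the gateway, standing in for the DHCP snooping table) it can reject the spoofed reply outright, which is what DAI does.

```python
from collections import defaultdict

# Constructed ARP replies (not from the page): (time in seconds, sender IP, sender MAC).
# Up to t=0.2 the segment is healthy; from t=5.0 MAC ...:08 starts impersonating others.
ARP_REPLIES = [
    (0.0, "192.168.1.1", "00:11:22:33:44:01"),   # gateway
    (0.1, "192.168.1.5", "00:11:22:33:44:05"),
    (0.2, "192.168.1.8", "00:11:22:33:44:08"),
    (5.0, "192.168.1.1", "00:11:22:33:44:08"),   # .8's MAC now claims to be the gateway
    (5.1, "192.168.1.5", "00:11:22:33:44:08"),   # ...and also to be .5: traffic both ways goes via .8
    (5.2, "192.168.1.1", "00:11:22:33:44:08"),   # poisoning is repeated to keep the caches wrong
]


def detect_arp_poisoning(replies, trusted=None):
    """Return alerts as (time, kind, ip, mac) tuples.

    trusted: optional {ip: mac} bindings (static entries or a DHCP snooping table). Replies that
    contradict a binding are flagged as the switch's DAI would flag them. Without bindings the
    function falls back to heuristics: an IP whose MAC changes, and a MAC claiming several IPs.
    """
    trusted = trusted or {}
    ip_to_mac = {}                 # the ARP cache a host on this segment would build
    mac_to_ips = defaultdict(set)  # which IPs each MAC has claimed so far
    alerts = []
    for t, ip, mac in replies:
        if ip in trusted and trusted[ip] != mac:
            alerts.append((t, "binding-violation", ip, mac))
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append((t, "mac-changed", ip, mac))
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append((t, "mac-claims-multiple-ips", ip, mac))
    return alerts


if __name__ == "__main__":
    print("heuristics only:")
    for alert in detect_arp_poisoning(ARP_REPLIES):
        print("  ", alert)
    print("with a gateway binding:")
    # Hypothetical static binding for the gateway, standing in for the DHCP snooping table.
    for alert in detect_arp_poisoning(ARP_REPLIES, trusted={"192.168.1.1": "00:11:22:33:44:01"}):
        print("  ", alert)
```

The heuristic alerts are only raised the first time an IP or MAC misbehaves, so the repeated poisoning reply at t=5.2 produces no new heuristic alert, whereas the binding check rejects it every time. That difference is why a binding table on the switch is a stronger control than monitoring on a host.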
DNS cache poisoning is addressed by DNSSEC, a suite of IETF specifications (Ateniese and Mangard
describe an early design). DNSSEC does not sign queries. The operator of each zone signs the zone's
resource record sets with the zone's private key and publishes the matching public key in the zone as
a DNSKEY record; the parent zone publishes a DS record containing a hash of that key, which builds a
chain of trust from the root zone downwards. A validating resolver checks the signature on every
answer before caching it, so a forged response that an attacker races into the resolver fails
validation and is discarded no matter how well its transaction ID and port were guessed. DNSSEC
protects only the authenticity and integrity of the records: it does not encrypt queries, and names
in zones that are not signed remain unprotected. Independently of DNSSEC, a resolver should randomise
the UDP source port as well as the transaction ID of every query, which raises the number of forged
responses a blind attacker has to send from about 2^16 to about 2^32, and should refuse to cache
records a server is not authoritative for (the bailiwick check), which limits what a single forged
response can poison (Son and Shmatikov).
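The resolver-side checks described above, as an added example that is not part of the original answer. The DNS messages are constructed dicts rather than wire-format packets, and the addresses (192.0.2.53 for the example.com name server, 198.51.100.66 for the attacker's host) are documentation addresses. A response is accepted only if its transaction ID, destination port and source server match the outstanding query, the question section matches, and every record lies within the zone the queried server is authoritative for. The last function puts a number on the port-randomisation point: the probability that a blind attacker who sends a given number of forged responses gets one accepted, with and without 16 bits of source-port entropy.

```python
# Constructed DNS messages (not from the page). The resolver sent QUERY to the example.com
# name server at 192.0.2.53 from a randomly chosen source port.
QUERY = {"txid": 0x1A2B, "src_port": 53211, "dst_ip": "192.0.2.53",
         "qname": "www.example.com", "qtype": "A", "zone": "example.com"}

LEGIT = {"txid": 0x1A2B, "src_ip": "192.0.2.53", "dst_port": 53211,
         "qname": "www.example.com", "qtype": "A",
         "records": [{"name": "www.example.com", "type": "A", "data": "192.0.2.80"}]}

ATTACKER_RR = {"name": "www.example.com", "type": "A", "data": "198.51.100.66"}
# Blind forgeries: the attacker knows a query is in flight but must guess txid and port.
FORGED_WRONG_TXID = dict(LEGIT, txid=0x0001, records=[ATTACKER_RR])
FORGED_WRONG_PORT = dict(LEGIT, dst_port=53, records=[ATTACKER_RR])
# Correct txid and port, but smuggling a record for a name outside example.com.
FORGED_OUT_OF_ZONE = dict(LEGIT, records=LEGIT["records"] + [
    {"name": "www.bank.example", "type": "A", "data": "198.51.100.66"}])


def in_bailiwick(name, zone):
    """True if name is the zone itself or lies beneath it (case-insensitive, trailing dot ignored)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def accept_response(query, response):
    """The checks a resolver makes before caching anything from a response.
    Returns (accepted, reason)."""
    if response["txid"] != query["txid"]:
        return False, "transaction id mismatch"
    if response["dst_port"] != query["src_port"] or response["src_ip"] != query["dst_ip"]:
        return False, "not addressed to the port and server of our query"
    if (response["qname"].lower(), response["qtype"]) != (query["qname"].lower(), query["qtype"]):
        return False, "question section mismatch"
    for rr in response["records"]:
        if not in_bailiwick(rr["name"], query["zone"]):
            return False, "out-of-bailiwick record " + rr["name"]
    return True, "accepted"


def forgery_success_probability(forged_responses, port_entropy_bits=0):
    """Chance that at least one blindly forged response matches the 16-bit transaction id plus
    port_entropy_bits of source-port randomness before the genuine answer arrives."""
    space = 2 ** (16 + port_entropy_bits)
    return 1 - (1 - 1 / space) ** forged_responses


if __name__ == "__main__":
    for label, response in [("legitimate", LEGIT), ("wrong txid", FORGED_WRONG_TXID),
                            ("wrong port", FORGED_WRONG_PORT), ("out of zone", FORGED_OUT_OF_ZONE)]:
        print(label, "->", accept_response(QUERY, response))
    print("65536 forgeries, txid only:        ", forgery_success_probability(65536))
    print("65536 forgeries, txid + 16-bit port:", forgery_success_probability(65536, 16))
```

The bailiwick check is what stops a response from the example.com server from poisoning www.bank.example, but it does not stop a forged NS record and glue for example.com itself, which is in bailiwick; against that, only the larger guessing space from port randomisation and, properly, DNSSEC validation of the records help.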
References
• Son, S. and Shmatikov, V. The Hitchhiker's Guide to DNS Cache Poisoning.
(available at https://www.cs.utexas.edu/~shmat/shmat_securecomm10.pdf)
• Manwani, S. ARP Cache Poisoning Detection and Prevention.
(available at http://www.cs.sjsu.edu/faculty/stamp/students/Silky_report.pdf)
• Ateniese, G. and Mangard, S. A New Approach to DNS Security (DNSSEC).
(available at http://www.cs.jhu.edu/~ateniese/papers/dnssec.pdf)