UW Campus Network: Network Firewalls, UW Security Practice (2002-01-03)

Contents: Terminology; Common firewalls; UW router-firewall security practice; Protecting the campus from unauthenticated-user devices; Further work required.

Terminology

[Diagram: harm | firewall | protected]

A firewall is a general term for any kind of barrier that prevents the spread of harm. Understanding a firewall requires understanding the harmful thing whose spread the firewall prevents. See the Campus Network Description and Campus Network Management pages for background.

Common firewalls

The simplest firewalls exist at the transmission-system layer and at the network layer.

At the transmission-system layer:

The Ethernet interface in a computer is a firewall under normal operation. The harmful thing is the volume of frames on the cable-system segment to which it connects. Under normal operation the interface ignores frames not addressed to the computer; multicast frames are, by definition, examined by every device connected to the transmission system. This is not a problem on an Ethernet-switched transmission system, but it is a serious concern on a shared-medium transmission system: a person who controls the machine's operating system can instruct the Ethernet interface to pass every frame in transit on the cable-system segment to the computer for processing. This is the essence of a frame analyzer, also referred to as a packet sniffer or packet snooper. In the hands of authorized technical-support personnel trusted to perform problem-diagnosis tasks it is an essential tool; in other hands it is a harmful thing.

A repeater is a firewall. The purpose of a repeater is to receive transmission-system frames on one port and repeat them on all other ports. In the 1980s repeaters joined thick-wire coax cable segments, or joined a thick-wire segment to multiple thin-wire coax segments. In the early 1990s multiport repeaters (hubs) joined multiple unshielded twisted pair (UTP) cable-system segments. In the second half of the 1990s Ethernet switches made repeaters obsolete.

A multi-port repeater with eavesdropping protection is a firewall. The harmful thing is the data portion of the frame (the network-layer packet). A repeater with eavesdropping protection sends the frame intact only on the port leading to the destination device, and prevents the spread of the data to other devices by putting garbage in the data portion of the frame sent on the other ports. Multicast frames, of course, are repeated intact.

A bridge is a firewall. It interconnects cable-system segments. The harmful thing is the volume of frames on each cable-system segment. The bridge prevents unneeded frames from spreading from segment to segment: it ignores a frame whose destination device is on the port the frame was received on; otherwise it transmits the frame only on the port leading to the destination device. Multicast frames, however, are transmitted on all ports.

A switch is a firewall. It is a high-performance multiport bridge, with processing capacity sufficient to move frames between pairs of ports simultaneously at the sum of the physical-layer speeds of the media connected to those pairs. Some switches permit only a single device to be connected to each port; others permit a single device or a cable-system segment to be connected to each port. In either case a frame goes only to the port leading to the destination device, and multicast frames are transmitted on all ports. When the switch receives a frame whose destination address it has not yet learned, it floods the frame to all ports.

At the network layer:

A device that forwards packets on the basis of IP addresses rather than transmission-system addresses is referred to as a router.

A router is a firewall. It interconnects otherwise-unconnected transmission systems; each independent transmission system forms a network with a unique network number. The harmful thing is the volume of frames on each transmission system. The router prevents unneeded frames from spreading from one transmission system to another: it accepts only frames addressed to the router's own port, and ignores transmission-layer multicast frames as well. The data portion of the frame is a network-layer packet. The router extracts the packet's network-layer destination address, consults its routing table to find the port that lies toward the network of the destination address, puts the packet into the data portion of a frame, and transmits that frame on the port's transmission system. If the destination is a network-layer multicast address, the packet is copied to every router port leading to addresses that receive that multicast traffic; how the router learns which ports are intended is beyond the scope of this document.

A router with access-control rules is a firewall. The harmful thing is the source, destination and type of the packets passing through the router. The router prevents their spread by examining each packet it receives, testing fields of the packet against a set of organizationally-determined rules, and deciding whether to drop (reject, filter) or forward (accept, route) the packet.

UW router-firewall security practice

Implementing an effective network security practice requires placing carefully-chosen constraints on the nature of the traffic considered safe to allow onto the network. In its simplest form this requires the proper setting of vendor-provided configuration options and access-control rules on the campus-backbone router that interconnects the external networks with the subnets of the internal network. Ideally the rules take the form "permit the things known to be safe; deny everything else".

External

IST configures the options and access-control-list rules on UW's external router to control the packets entering and leaving the campus network over the external connections. The options and rules reject traffic types that are security liabilities (exploited by external hackers attempting to penetrate computers on the campus network) and activities that impede mission-relevant traffic by consuming shared-resource bandwidth, including denial-of-service attacks. The list of traffic types rejected is determined in consultation with CNAG and CSAG (see their pages on the IST web site). For each IP packet the rules are tested in order until a successful match occurs. An overview of the rules currently in place:

- deny incoming packets with a UW subnet-broadcast destination address
- deny incoming packets with a multicast, loopback or RFC1918 private-network source address
- permit incoming packets belonging to established TCP sessions
- permit incoming packets with a multicast destination address
- permit incoming BGP routing updates from authorized sources
- permit incoming SNMP and ICMP packets from authorized sources
- deny incoming ICMP echo-request packets (rejecting incoming ping and traceroute requests) and SNMP packets
- deny outgoing ICMP echo-reply packets
- deny packets for the protocols ICMP redirect, ICMP unreachable, UDP echo, chargen, link, lpd, NetBus (client and server), NFS, RPC, TFTP and UUCP
- deny incoming DNS zone-transfer requests destined for UW's internal primary server, other than from UW's external secondary
- deny incoming packets claiming a UW source address
- deny outgoing packets claiming a non-UW source address
- deny packets for the protocols of music and video file-sharing software (Gnutella, KaZaA, Morpheus)
- permit everything else

The list is reviewed on a regular basis. Eventually the campus network will be converted to the form "permit the small set of assumed-to-be-safe things required to support UW's mission; deny everything else", to prevent not-yet-understood things from hurting the UW environment.
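The first-match evaluation described for the rule overview above, as an added example that is not part of the original page or of UW's router configuration: a small Python packet filter encoding several of the listed rules in the page's order. The campus prefix is a documentation range standing in for UW's address space, and the Packet fields and rule names are assumptions. It also shows, beyond what the page states, why the position of the two anti-spoofing rules relative to the established-TCP permit matters.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the campus address space (a documentation prefix, not UW's real range).
CAMPUS = ipaddress.ip_network("198.51.100.0/24")
BAD_SOURCES = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC1918 private
                "127.0.0.0/8", "224.0.0.0/4")]                     # loopback, multicast
DENIED_UDP_PORTS = {7: "echo", 19: "chargen", 69: "tftp"}          # a subset of the page's deny list

@dataclass
class Packet:                  # assumed, simplified view of the fields the router tests
    direction: str             # "in" = entering campus, "out" = leaving campus
    src: str
    dst: str
    proto: str = "tcp"         # "tcp", "udp" or "icmp"
    dport: int = 0
    icmp_type: int = -1        # 8 = echo request, 0 = echo reply
    established: bool = False  # TCP segment with ACK set, i.e. claimed part of an existing session

# (rule name, predicate, action) in the order the page lists them; the first match wins.
RULES = [
    ("deny incoming subnet-broadcast destination",
     lambda p: p.direction == "in" and ipaddress.ip_address(p.dst) == CAMPUS.broadcast_address, "deny"),
    ("deny incoming multicast/loopback/RFC1918 source",
     lambda p: p.direction == "in" and any(ipaddress.ip_address(p.src) in n for n in BAD_SOURCES), "deny"),
    ("permit incoming established TCP",
     lambda p: p.direction == "in" and p.proto == "tcp" and p.established, "permit"),
    ("deny incoming ICMP echo request",
     lambda p: p.direction == "in" and p.proto == "icmp" and p.icmp_type == 8, "deny"),
    ("deny outgoing ICMP echo reply",
     lambda p: p.direction == "out" and p.proto == "icmp" and p.icmp_type == 0, "deny"),
    ("deny UDP echo/chargen/tftp",
     lambda p: p.proto == "udp" and p.dport in DENIED_UDP_PORTS, "deny"),
    ("deny incoming packet claiming a campus source",
     lambda p: p.direction == "in" and ipaddress.ip_address(p.src) in CAMPUS, "deny"),
    ("deny outgoing packet claiming a non-campus source",
     lambda p: p.direction == "out" and ipaddress.ip_address(p.src) not in CAMPUS, "deny"),
    ("permit everything else", lambda p: True, "permit"),
]

def evaluate(pkt, rules=RULES):
    """Test the packet against the rules in order; return (action, name of the first matching rule)."""
    for name, matches, action in rules:
        if matches(pkt):
            return action, name
    return "deny", "implicit deny (no rule matched)"   # not reached while the catch-all rule is last

def antispoof_first(rules=RULES):
    """The same rules with the two source-address checks moved ahead of the established-TCP permit,
    so an incoming segment with ACK set but a forged campus source is dropped rather than accepted."""
    spoof = [r for r in rules if "claiming" in r[0]]
    return spoof + [r for r in rules if "claiming" not in r[0]]
```

With the page's ordering, `evaluate` accepts a forged-campus-source segment that carries the ACK flag because the established-TCP permit is tested first; `antispoof_first()` shows the ordering a defender would prefer.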
Internal subnets

The external firewall does not curtail internal penetration attempts or shared-resource abuse by machines on subnets within the campus network. IST has not configured the core routers that interconnect the second-level subnets to activate intrusion-rejection features, since those would seriously impede the routers' performance. Further work is required in this area. For example, an on-campus subnet could allow only traffic to machines on the subnet that was initiated by internal machines on that subnet, and could ensure that the machines on the subnet are wired to a switch rather than to a shared-access transmission system (repeater), to prevent a machine from passively spying on the traffic of other machines and to prevent a machine from penetrating or masquerading as another machine on the subnet. Switches are becoming more sophisticated; hopefully, one day the transmission systems of the campus network will be switches that demand user authentication at the time a computer is plugged in or powered on, assigning the computer an IP address for the duration and preventing misuse of IP addresses. But technology to routinely protect sensitive devices on the campus network exists. In the simplest case it requires an internal router whose access-control mechanisms permit communication initiated from the sensitive devices' subnet to the campus network and deny attempts to initiate communication with the sensitive devices from the campus network. More complex cases require special access-control measures, the treatment of which is beyond the intended scope of this document. Such measures are under on-going investigation, including permitting access to a subnet's devices only by specifically-authenticated people.

Protecting the campus from unauthenticated-user devices

There is a growing desire to provide wireless and wired network ports for search-and-retrieval workstations and portable devices (laptop computers, personal digital assistants) in areas of the campus. From the perspective of security, the provision of such connections must be regarded as harmful in the extreme.

[Diagram: harmful devices (untrusted) | firewall | protected devices (trusted)]

Since 1991 the university has imposed administrative regulation on the nature of the devices connected to portions of the campus network (see the Network Management Practices page for details). A device that cannot authenticate its user, or that is used by multiple people, is harmful: for example, it constitutes a launch pad for anonymous communication with malicious intent, or for a hacker's anonymous attempt to penetrate computers on the campus network. Therefore such devices are isolated from the campus network: they connect to a harmful-devices private network, and a firewall server performs user authentication and maintains an audit-trail log in one of the following fashions.

A login proxy server. The devices have no access to the campus network. Each user of a device communicates with a proxy process running on the server (a telnet or rlogin server); after the user completes a userid/password login, the server is the source of all communication as far as the campus network and the rest of the internet are concerned, and the device does not exist.

An authenticating address server. The server allows no traffic from a device to pass until the user of the device completes a userid/password login, at which point it assigns the device an IP address. A counterpart process on the server detects the end of the user's session, disallows traffic from the device and reclaims the IP address for reassignment. IST has developed the Network-Port Authentication System (see the netauth project page on the IST web site), which authenticates the user of a laptop computer plugged into a network-switch port; an investigation of commercial systems providing a comparable user-authentication mechanism for wireless access is under way. Engineering Computing has developed a generic appliance, the NAA (Network Authentication Appliance), sufficient for a variety of lower-volume situations.

A router with a restrictive access-control list. The devices are connected to a router whose access-control list severely constrains the permitted communication to a deemed-to-be-safe subset of specific application protocols and specific network destinations. This is the solution where it is impossible to authenticate the users of the harmful devices.

Further work required

Securing UW's computer network resources is an on-going task. IST tracks evolving network and computer-system security technology (network-port user authentication, virus and intrusion detection, firewalls) for deployment on campus as dictated by UW priorities and funding.

Roger Watt, IST