T-110.402 Homeworks (TML), 2002: Homework 4
The deadline is on Friday, November 29th, at 15.45.
Remember to acknowledge your sources!
- course book and lecture slides
- Curtin, M and Ranum, M: Internet Firewalls: Frequently Asked Questions
- Srisuresh, P: IP Network Address Translator (NAT) Terminology and Considerations (or the same in html)
- Foreman, T: Network Address Translation - Not a Security Panacea
- netfilter/iptables documentation
Terms and concepts (12 points)
Explain the following concept pairs, write about their similarities and differences and about benefits they have compared to each other. Also compare pairs "b" and "c", proxy services and packet filters, to each other on a general level using the same criteria as above (similarities, differences, benefits).
- a) Area protection and host protection (3 p)
- b) Proxy service and transparent proxy service (3 p)
- c) Transparent bridge and packet filter (3 p)
- c) vs. d) (3 p)
Progressive firewall (18 points)
Familiarise yourself with the following firewall solutions of Company Y and explain:
- What additional security does each solution bring compared to the previous one (in item "a", compared to a network without any firewall)?
- Which kinds of attacks do the solutions cover, and which do they not?
- Are there any problems this kind of setup might cause?
The different firewall solutions are:
- a) There are five workstations in Company Y's internal network. The network is connected to the Internet through a NAPT router.

              "Internet"
    ---------------+---------------
                   |
                +--+---+
                | NAPT |
                +--+---+
        10.0.0.    |
    ---+-----+-----+-----+-----+---
       |     |     |     |     |
      +++   +++   +++   +++   +++
      | |   | |   | |   | |   | |
      +-+   +-+   +-+   +-+   +-+
       1     2     3     4     5

- b) The NAPT router is upgraded to do packet filtering as well. Only the most vital network services are allowed between the internal network and the Internet.
- c) Company Y installs a new network segment with proxy servers (1, 3) for the most vital network services and another packet filter (2). Connections from and to the internal network are allowed only through the proxy servers; all direct connections between network 10.0.0. and the Internet are blocked by the packet filters.

              "Internet"
    ---------------+---------------
                   |
                +--+---+
                | NAPT |
                +--+---+
        10.0.1.    |
    ---+-----------+-----------+---
       |           |           |
     +-+-+       +-+-+       +-+-+
    1|   |      2|   |      3|   |
     +---+       +-+-+       +---+
                   |
        10.0.0.    |
    ---+-----+-----+-----+-----+---
       |     |     |     |     |
      +++   +++   +++   +++   +++
      | |   | |   | |   | |   | |
      +-+   +-+   +-+   +-+   +-+
       1     2     3     4     5
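To make concrete what solution a) does and does not give, here is a toy NAPT simulator written for this page (it is example code, not the course's or any router's code). The public address 192.0.2.1, the outside hosts and the packets are constructed; the translation table is keyed on (protocol, inside address, inside port) and a public port is handed out per mapping.

```python
"""
Toy NAPT simulator for Company Y's first solution: one public address
shared by the 10.0.0.x workstations.  Example code added for this page
(not the course's or any router's code); addresses, ports and packets
are constructed.  It shows the one protective property a plain NAPT
router gives for free: an inbound packet is delivered only when an
inside host created a mapping for the public port it targets.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/24")   # Company Y's internal segment
EXTERNAL_IP = "192.0.2.1"                 # the router's public address (constructed)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Napt:
    """Translation table keyed on (proto, inside address, inside port)."""

    def __init__(self, external_ip=EXTERNAL_IP, first_port=40000):
        self.external_ip = external_ip
        self.next_port = first_port
        self.to_outside = {}   # (proto, inside ip, inside port) -> public port
        self.to_inside = {}    # (proto, public port) -> (inside ip, inside port)

    def outbound(self, pkt):
        """Rewrite an inside->outside packet, creating a mapping on first use."""
        if ip_address(pkt.src) not in INTERNAL_NET:
            raise ValueError(f"{pkt.src} is not on the internal network")
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.to_outside:
            port = self.next_port
            self.next_port += 1
            self.to_outside[key] = port
            self.to_inside[(pkt.proto, port)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.external_ip, self.to_outside[key], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Rewrite an outside->inside packet, or return None (dropped) when
        no inside host has a mapping for the public port it targets."""
        target = self.to_inside.get((pkt.proto, pkt.dport))
        if pkt.dst != self.external_ip or target is None:
            return None
        return Packet(pkt.proto, pkt.src, pkt.sport, target[0], target[1])


def demo():
    """Workstation 1 fetches a web page; an outsider then probes port 22."""
    nat = Napt()
    out = nat.outbound(Packet("tcp", "10.0.0.1", 51000, "198.51.100.7", 80))
    reply = nat.inbound(Packet("tcp", "198.51.100.7", 80, EXTERNAL_IP, out.sport))
    probe = nat.inbound(Packet("tcp", "203.0.113.9", 4444, EXTERNAL_IP, 22))
    return out, reply, probe


if __name__ == "__main__":
    out, reply, probe = demo()
    print("translated request :", out)
    print("reply delivered to :", reply)
    print("unsolicited probe  :", probe)   # None: nobody inside asked for it
```

Note what the simulator does not check: the reply path passes whatever the outside server sends back over a connection an inside host opened, and no workstation is shielded from the others on 10.0.0. This is the gap solutions b) and c) address with filtering and proxies, and the point of the Foreman reference listed above.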
Packet filtering (10 points)
A ruleset conforming to the syntax of netfilter/iptables for Linux is presented below:
- What network services are allowed to pass? Name the services and state from where to where they are allowed. (3 p)
- How would you change the ruleset so that downloading files from the Internet using FTP would be possible? (1 p)
- What does the ruleset tell you about the firewall server? What kind of environment would the server be suitable for? (3 p)
- How would you arrange for an anonymous FTP service in this kind of environment? Name three possibilities for where to put the FTP service (in relation to the firewall) and choose the most suitable option. Justify your choice. (3 p)

The ruleset:

    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    iptables -A INPUT -p icmp -j ACCEPT
    iptables -A OUTPUT -p icmp -j ACCEPT
    iptables -A FORWARD -p icmp -j ACCEPT
    iptables -A FORWARD -i eth0 -p tcp -s 10.0.0.0/8 -m multiport --destination-port 22,53,80,6666:6669 -j ACCEPT
    iptables -A FORWARD -i eth0 -p udp -s 10.0.0.0/8 --destination-port 53 -j ACCEPT
    iptables -A FORWARD -i eth1 -d 10.0.0.0/8 -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp --destination-port 25 -j ACCEPT
    iptables -A INPUT -p tcp --destination-port 143 -j ACCEPT
    iptables -A OUTPUT -p tcp -o eth1 --destination-port 25 -j ACCEPT
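A quick way to reason about a ruleset like this is to trace individual packets through it. The evaluator below is example code added for this page (not netfilter's own code): it parses the assignment's ruleset, implements only the matches that ruleset uses, and applies netfilter's first-match rule with the chain policy as fallback. The packets, the outside hosts and the firewall's own address 192.0.2.1 are constructed, and eth0 is taken to be the internal interface, as the `-s 10.0.0.0/8` rules imply.

```python
"""
Toy evaluator for the iptables ruleset in this assignment.  Example code
added for this page, not netfilter's own: it supports only -p, -i, -o,
-s, -d, --destination-port (with multiport lists and ranges), --state
and -j, and answers "what would netfilter do with this packet?" using
first-match semantics and the chain policy as fallback.  Packets and
hosts below are constructed; eth0 is assumed to be the internal side.
"""
import shlex
from ipaddress import ip_address, ip_network

RULESET = """
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp -s 10.0.0.0/8 -m multiport --destination-port 22,53,80,6666:6669 -j ACCEPT
iptables -A FORWARD -i eth0 -p udp -s 10.0.0.0/8 --destination-port 53 -j ACCEPT
iptables -A FORWARD -i eth1 -d 10.0.0.0/8 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --destination-port 25 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 143 -j ACCEPT
iptables -A OUTPUT -p tcp -o eth1 --destination-port 25 -j ACCEPT
"""

# single-valued options and the rule field they set
SIMPLE_OPTIONS = {"-p": "proto", "-i": "in_if", "-o": "out_if", "-j": "target"}


def parse_ports(spec):
    """Expand multiport syntax: '22,53,80,6666:6669' -> set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_ruleset(text):
    """Return (chain policies, rules per chain) for the supported option subset."""
    policies = {}
    chains = {"INPUT": [], "OUTPUT": [], "FORWARD": []}
    for line in text.strip().splitlines():
        argv = shlex.split(line)[1:]            # drop the leading 'iptables'
        if argv[0] == "-P":
            policies[argv[1]] = argv[2]
            continue
        chain, rule, i = argv[1], {}, 2
        while i < len(argv):
            opt, val = argv[i], argv[i + 1]
            if opt in SIMPLE_OPTIONS:
                rule[SIMPLE_OPTIONS[opt]] = val
            elif opt in ("-s", "-d"):
                rule["src" if opt == "-s" else "dst"] = ip_network(val)
            elif opt in ("--destination-port", "--dport"):
                rule["dports"] = parse_ports(val)
            elif opt == "--state":
                rule["states"] = set(val.split(","))
            elif opt != "-m":                   # -m only loads an extension; its options follow
                raise ValueError(f"unsupported option {opt}")
            i += 2
        chains[chain].append(rule)
    return policies, chains


def matches(rule, pkt):
    """True when every match in the rule agrees with the packet's fields."""
    for field in ("proto", "in_if", "out_if"):
        if field in rule and rule[field] != pkt.get(field):
            return False
    for field in ("src", "dst"):
        if field in rule and ip_address(pkt[field]) not in rule[field]:
            return False
    if "dports" in rule and pkt.get("dport") not in rule["dports"]:
        return False
    if "states" in rule and pkt.get("state", "NEW") not in rule["states"]:
        return False
    return True


def verdict(policies, chains, chain, pkt):
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in chains[chain]:
        if matches(rule, pkt):
            return rule["target"]
    return policies[chain]


def pkt(in_if, proto, src, dst, dport, state="NEW"):
    """Constructed packet description (connection state as conntrack would see it)."""
    return dict(in_if=in_if, proto=proto, src=src, dst=dst, dport=dport, state=state)


def check_examples():
    """Trace constructed packets through the ruleset and collect the verdicts."""
    policies, chains = parse_ruleset(RULESET)
    cases = {   # workstation -> web server, same host trying FTP control (21),
                # the web server's reply, an outsider's SSH attempt to a workstation,
                # mail delivered to the firewall itself, SSH to the firewall itself
        "lan_http_out": ("FORWARD", pkt("eth0", "tcp", "10.0.0.5", "198.51.100.7", 80)),
        "lan_ftp_out":  ("FORWARD", pkt("eth0", "tcp", "10.0.0.5", "198.51.100.7", 21)),
        "http_reply":   ("FORWARD", pkt("eth1", "tcp", "198.51.100.7", "10.0.0.5", 51000, "ESTABLISHED")),
        "inet_ssh_in":  ("FORWARD", pkt("eth1", "tcp", "203.0.113.9", "10.0.0.5", 22)),
        "fw_smtp_in":   ("INPUT",   pkt("eth1", "tcp", "203.0.113.9", "192.0.2.1", 25)),
        "fw_ssh_in":    ("INPUT",   pkt("eth1", "tcp", "203.0.113.9", "192.0.2.1", 22)),
    }
    return {name: verdict(policies, chains, chain, p) for name, (chain, p) in cases.items()}


if __name__ == "__main__":
    for name, result in check_examples().items():
        print(f"{name:14} {result}")
```

Tracing the FTP case is the useful part for question two: the control connection to port 21 hits no FORWARD rule and falls to the DROP policy, and the data connection would need either the RELATED state (which the FTP connection-tracking helper provides) or an explicit rule, so adding port 21 alone is not the whole story.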
Feedback (max. 2 p bonus)
How long did it take to do this assignment? Was the assignment too easy or too difficult? How could the assignment be made better?
The answers should be written in a text file (not e.g. an MS Word document). At the beginning of your answer file, write your name and your student number. The answer file is signed and then returned by e-mail. You can also encrypt the file with the course public key if you want to.
One way to sign the answer file is clearsigning, which does not compress the text. This can be done in the following way:
gpg --clearsign -u 'my_username' ans_4.txt
where ans_4.txt is the answer file. (If you want, you can alternatively use the normal signing, i.e. the option -s instead of --clearsign)
The signed file is then sent to the address email@example.com with the subject ASSIGNMENT 4
This can be done e.g. from the command line like this:
mailx -s "ASSIGNMENT 4" firstname.lastname@example.org < ans_4.txt.asc
(Note that in the command above, the quotes are not part of the subject but they tell the shell that the subject consists of several words.)
NB: There is no automatic confirmation for returns. Save your answer files, at least until you get your results, preferably until the end of the course.
This page is made by assistants of the course. Newsgroup of the course: opinnot.tik.verkkoturva
Last updated Nov 14, 2002.