suomeksi

TML / Studies / T-110.402 / Homeworks

2002: Homework 4

---

• Material
• Assignment
• Returning

The deadline is on Friday, November 29th, at 15.45.

---

Material

Remember to acknowledge your sources!

• course book and lecture slides
• Curtin, M and Ranum, M: Internet Firewalls: Frequently Asked Questions
• Srisuresh, P: IP Network Address Translator (NAT) Terminology and Considerations (or the same in html)
• Foreman, T: Network Address Translation - Not a Security Panacea
• netfilter/iptables documentation

---

Firewalls

1. Terms and concepts (12 points)

   Explain the following concept pairs, write about their similarities and differences and about benefits they have compared to each other. Also compare pairs "b" and "c", proxy services and packet filters, to each other on a general level using the same criteria as above (similarities, differences, benefits).

   1. Area protection and host protection (3 p)
   2. Proxy service and transparent proxy service (3 p)
   3. Transparent bridge and packet filter (3 p)
   4. c) vs. d) (3 p)

    

2. Progressive firewall (18 points)

   Familiarise yourself with the following firewall solutions of Company Y and explain:

   • What additional security each solution brings compared to the previous ( in item "a", compared to network without any firewall)?
   • For which kinds of attacks the solutions cover for and which not?
   • Are there any problems this kind of setup might cause?
   The different firewall solutions are:
   1. There are five workstations in Company Y's internal network. The network is connected to Internet through NAPT-router.

    

              "Internet"
   ---------------+---------------
   	       |
   	    +--+---+
   	    | NAPT |
   	    +--+---+
   10.0.0.	       |
   ---+-----+-----+-----+-----+---
      |     |     |     |     |
     +++   +++   +++   +++   +++
     | |   | |   | |   | |   | |
     +-+   +-+   +-+   +-+   +-+
      1     2     3     4     5
   
   

   2. The NAPT-router is upgraded to do also packet filtering. Use of only the most vital network services between the internal network and the Internet is allowed.
   3. Company Y installs a new network segment with proxy servers (1,3) for the most vital network services and another packet filter (2). Connections from and to the internal network are allowed only through proxy servers, all direct connections between network 10.0.0. and the Internet are blocked by packet filters.

    

              "Internet"
   ---------------+---------------
   	       |
   	    +--+---+
   	    | NAPT |
   	    +--+---+
   10.0.1.        |
   ---+-----------+-----------+---
      |           |           |
    +-+-+       +-+-+       +-+-+    
   1|   |      2|   |      3|   |
    +---+       +-+-+       +---+
                  |
                  |
   10.0.0.	       |
   ---+-----+-----+-----+-----+---
      |     |     |     |     |
     +++   +++   +++   +++   +++
     | |   | |   | |   | |   | |
     +-+   +-+   +-+   +-+   +-+
      1     2     3     4     5
   

    

3. Packet filtering (10 points)

   A ruleset conforming to the syntax of netfilter/iptables for linux is presented below:

   1. What network services are allowed to pass? Name the services and from where to where are they allowed. (3 p)
   2. How would you change the ruleset so that downloading files from the Internet using ftp would be possible? (1 p)
   3. What does the ruleset tell you about the firewall server? What kind of environment would the server be suitable for? (3 p)
   4. How would you arrange for an anonymous ftp service in this kind of environment? Name three possibilities where to put the ftp service (in relation to the firewall) and choose the most suitable option. Justify your choice. (3 p)

   iptables -P INPUT DROP
   iptables -P OUTPUT DROP
   iptables -P FORWARD DROP
   
   iptables -A INPUT -p icmp -j ACCEPT
   iptables -A OUTPUT -p icmp -j ACCEPT
   iptables -A FORWARD -p icmp -j ACCEPT
   
   iptables -A FORWARD -i eth0 -p tcp -s 10.0.0.0/8 -m multiport --destination-port 22,53,80,6666:6669 -j ACCEPT
   iptables -A FORWARD -i eth0 -p udp -s 10.0.0.0/8 --destination-port 53 -j ACCEPT
   iptables -A FORWARD -i eth1 -d 10.0.0.0/8 -m state --state RELATED,ESTABLISHED -j ACCEPT
   iptables -A INPUT -p tcp --destination-port 25 -j ACCEPT
   iptables -A INPUT -p tcp --destination-port 143 -j ACCEPT
   iptables -A OUTPUT -p tcp -o eth1 --destination-port 25 -j ACCEPT
   

4. Feedback (max. 2 p bonus)

   How long did it take to do this assignment? Was the assignment too easy or too difficult? How could the assignment be made better?

---

Returning

The answers should be written to a text file (not e.g. a MS Word document). In the beginning of your answer file you should write your name and your student number. The answer file is signed and then returned by e-mail. You can also encrypt the file with the course public key if you want to.

One way to sign the answer file is clearsigning, which does not compress the text. The can be done in following way:
gpg --clearsign -u 'my_username' ans_4.txt
where ans_4.txt is the answer file. (If you want, you can alternatively use the normal signing, i.e. the option -s instead of --clearsign)

The signed file is then sent to the address [email protected] with the subject ASSIGNMENT 4
This can be done e.g. from the command line like this:
mailx -s "ASSIGNMENT 4" [email protected] < ans_4.txt.asc
(Note that in the command above, the quotes are not part of the subject but they tell the shell that the subject consists of several words.)

NB: There is no automatic comfirmation for returns. Save your answer files, at least until you get results, preferably 'til the end of the course.

---

This page is made by assistants of the course. Newsgroup of the course: opinnot.tik.verkkoturva
Last updated Nov 14, 2002.
URL: http://www.tml.hut.fi/Studies/T-110.402/2002/assignment_04.html