Adds final parts for firewalls lecture

Author: dbosk

overview/Makefile

@@ -6,11 +6,12 @@ LATEXFLAGS+=	-shell-escape
 SRC+=		preamble.tex
 SRC+=		abstract.tex contents.tex
 
-FIGS+= 		xkcd-341.png
-FIGS+= 		skatteverket-hack.png
-FIGS+=		behaviour-profiles.pdf
 FIGS+=		network-rotated.pdf
+FIGS+=		network-dmz-rotated.pdf
 FIGS+=		network-layers.pdf
+FIGS+=		network-layers-packet.pdf
+FIGS+=		network-layers-fw.pdf
+FIGS+=		network-layers-dpi.pdf
 
 
 notes.pdf: notes.tex

overview/contents.tex

@@ -85,25 +85,247 @@ \section{Packet filters}
 
 \begin{frame}
   \begin{figure}
-    \includegraphics[width=\columnwidth]{figs/network-layers.pdf}
+    \includegraphics[width=\columnwidth]{figs/network-layers-fw.pdf}
     \caption{Communication between Bob and a server.}
   \end{figure}
 \end{frame}
 
+\begin{frame}[fragile]
+  \begin{definition}[Packet filter]
+    \begin{itemize}
+      \item \emph{Stateless} filtering based on transport layer data.
+    \end{itemize}
+  \end{definition}
+
+  \begin{minted}{json}
+    {
+      "src addr": "Bob",
+      "dst addr": "server",
+      "payload": {
+        "src port": "random",
+        "dst port": "https",
+        "payload": "unintelligible blob"
+      }
+    }
+  \end{minted}
+\end{frame}
+
+\begin{frame}
+  \begin{definition}[Ingress, egress filtering]
+    \begin{description}
+      \item[Ingress] inbound traffic.
+      \item[Egress] outbound traffic.
+    \end{description}
+  \end{definition}
+\end{frame}
+
+\begin{frame}[fragile]
+  \begin{example}[Ingress filtering]
+  \begin{minted}{json}
+    {
+      "src addr": "not internal",
+      "dst addr": "Bob",
+      "payload": {
+        "src port": "random",
+        "dst port": "https",
+        "payload": "unintelligible blob"
+      }
+    }
+  \end{minted}
+  \end{example}
+\end{frame}
+
+\begin{frame}[fragile]
+  \begin{example}[Egress filtering]
+  \begin{minted}{json}
+    {
+      "src addr": "Bob",
+      "dst addr": "server",
+      "payload": {
+        "src port": "random",
+        "dst port": "http",
+        "payload": "unintelligible blob"
+      }
+    }
+  \end{minted}
+  \end{example}
+\end{frame}
+
+\begin{frame}
+  \begin{remark}
+    \begin{itemize}
+      \item A blunt tool.
+      \item Discard or forward a packet.
+      \item Vulnerable to TCP/IP bugs.
+    \end{itemize}
+  \end{remark}
+\end{frame}
 
-\section{Circuit-level gateways}
 
+\section[SPI]{Circuit-level gateways}
 
-\section{Application firewalls}
+\begin{frame}[fragile]
+  \begin{definition}[Stateful firewall/circuit-level gateway]
+    \begin{itemize}
+      \item Stateful filtering based on transport layer data.
+    \end{itemize}
+  \end{definition}
 
+  \begin{columns}[T]
+    \begin{column}{0.35\columnwidth}
+      \begin{minted}{json}
+    {
+      "src addr": "Bob",
+      "dst addr": "server",
+      "payload": {
+        "flag": "SYN",
+        "seq num": 0,
+        "src port": "random",
+        "dst port": "https",
+        "payload": "blob"
+      }
+    }
+      \end{minted}
+    \end{column}
+    \begin{column}{0.55\columnwidth}
+      \begin{tabular}{llll}
+        \textbf{src} & \textbf{dst} & \textbf{state} & \textbf{sn} \\
+        \midrule
+        Bob:random & server:https & SYN & 0
+      \end{tabular}
+    \end{column}
+  \end{columns}
+\end{frame}
 
-\section{Summary}
+\begin{frame}[fragile]
+  \begin{columns}[T]
+    \begin{column}{0.35\columnwidth}
+      \begin{minted}{json}
+    {
+      "src addr": "server",
+      "dst addr": "Bob",
+      "payload": {
+        "flag": "ACK",
+        "seq num": 1,
+        "src port": "https",
+        "dst port": "random",
+        "payload": "blob"
+      }
+    }
+      \end{minted}
+    \end{column}
+    \begin{column}{0.55\columnwidth}
+      \begin{tabular}{llll}
+        \textbf{src} & \textbf{dst} & \textbf{state} & \textbf{sn} \\
+        \midrule
+        Bob:random & server:https
+                   & \only<1>{SYN}\only<2>{\color{blue}ACK}
+                   & \only<1>{0}\only<2>{\color{blue}1}
+      \end{tabular}
+    \end{column}
+  \end{columns}
+\end{frame}
 
 \begin{frame}
-  \begin{block}{Summary}
+  \begin{remark}
     \begin{itemize}
-      \item \dots
+      \item Keeps track of TCP connections.
+      \item Avoids TCP/IP bugs.
     \end{itemize}
+  \end{remark}
+\end{frame}
+
+
+\section[DPI]{Application firewalls}
+
+\begin{frame}
+  \begin{figure}
+    \includegraphics[width=\columnwidth]{figs/network-layers-dpi.pdf}
+    \caption{Communication between Bob and a server.}
+  \end{figure}
+\end{frame}
+
+\begin{frame}[fragile]
+  \begin{definition}[Application firewalls/Deep packet inspection]
+    \begin{itemize}
+      \item Stateful filtering based on data from \emph{all layers}.
+    \end{itemize}
+  \end{definition}
+  \begin{minted}{json}
+    {
+      "src addr": "server",
+      "dst addr": "Bob",
+      "payload": {
+        "flag": "ACK",
+        "seq num": 4,
+        "src port": "http",
+        "dst port": "random",
+        "payload": {
+          "data": "...<h1>Down with government!</h1>..."
+        }
+      }
+    }
+  \end{minted}
+\end{frame}
+
+\begin{frame}
+  \begin{remark}
+    \begin{itemize}
+      \item Can detect banned content.
+      \item Can detect forbidden protocols on non-standard ports.
+      \item Can even detect certain buffer-overflow attacks.
+      \item Essentially a combination of stateful firewall and network-based 
+        intrusion detection system.
+    \end{itemize}
+  \end{remark}
+\end{frame}
+
+\begin{frame}
+  \begin{example}[The Great Firewall of China]
+    \begin{itemize}
+      \item Many countries engaging in censorship use DPI.
+      \item See 
+        \citetitle{MeasuringCircumventingInternetCensorship}\footfullcite{MeasuringCircumventingInternetCensorship} 
+        for an adversarial treatment of DPI.
+    \end{itemize}
+  \end{example}
+\end{frame}
+
+
+\section{Placement}
+
+\begin{frame}
+  \centering
+  \only<1>{
+    \includegraphics[height=0.70\textheight]{figs/network-rotated.pdf}
+  }
+  \only<2>{
+    \includegraphics[height=0.70\textheight]{figs/network-dmz-rotated.pdf}
+  }
+
+  \begin{question}
+    \begin{itemize}
+      \item Where to place the firewall?
+    \end{itemize}
+  \end{question}
+\end{frame}
+
+\begin{frame}
+  \begin{block}{Types}
+    \begin{description}
+      \item[Bastion host] Stronghold in network.
+        \begin{itemize}
+          \item Minimize attack surface.
+        \end{itemize}
+
+      \item[Host based] Firewalls on servers, secure individual host.
+        \begin{itemize}
+          \item Tailored filter to host needs.
+          \item Protects from internal attacks.
+        \end{itemize}
+
+      \item[Personal] Firewall on workstations, much less complex.
+    \end{description}
   \end{block}
 \end{frame}
 

overview/figs/.gitignore

@@ -4,4 +4,13 @@ network-layers.pdf_tex
 network-rotated.pdf
 network.pdf
 network.pdf_tex
+network-dmz-rotated.pdf
+network-dmz.pdf
+network-dmz.pdf_tex
+network-layers-dpi.pdf
+network-layers-dpi.pdf_tex
+network-layers-fw.pdf
+network-layers-fw.pdf_tex
+network-layers-packet.pdf
+network-layers-packet.pdf_tex
 

overview/figs/Makefile

@@ -1,18 +1,26 @@
 %-crop.pdf: %.pdf
 	pdfcrop $<
 
-network.pdf: network.svg
-network-rotated.pdf: network.pdf
+%-rotated.pdf: %.pdf
 	pdftk $< cat 1-endeast output $@
 
+network.pdf: network.svg
+network-dmz.pdf: network-dmz.svg
 network-layers.pdf: network-layers.svg
+network-layers-packet.pdf: network-layers-packet.svg
+network-layers-fw.pdf: network-layers-fw.svg
+network-layers-dpi.pdf: network-layers-dpi.svg
 
 
 .PHONY: clean
 clean:
 	${RM} *-crop.pdf
 	${RM} network.pdf network.pdf_tex network-rotated.pdf
+	${RM} network-dmz.pdf network-dmz.pdf_tex network-dmz-rotated.pdf
 	${RM} network-layers.pdf network-layers.pdf_tex
+	${RM} network-layers-packet.pdf network-layers-packet.pdf_tex
+	${RM} network-layers-fw.pdf network-layers-fw.pdf_tex
+	${RM} network-layers-dpi.pdf network-layers-dpi.pdf_tex
 
 
 INCLUDE_MAKEFILES?=../../makefiles

overview/figs/network-dmz.svg

@@ -11,11 +11,52 @@ @book{Anderson2008sea
   keywords={IT-s{\"a}kerhet},
 }
 
-@book{SecurityEconometrics,
-  title={Security econometrics: The dynamics of (in) security},
-  author={Frei, Stefan},
-  volume={93},
-  year={2009},
-  publisher={ETH Zurich}
+@phdthesis{MeasuringCircumventingInternetCensorship,
+  author = {Winter, Philipp},
+  institution = {Karlstad University, Department of Mathematics and
+                 Computer Sc     ience},
+  pages = {147},
+  school = {Karlstad University, Department of Mathematics and
+            Computer Science     },
+  title = {Measuring and circumventing Internet censorship},
+  series = {Karlstad University Studies},
+  ISSN = {1403-8099},
+  number = {2014:65},
+  keywords = {tor, censorship, circumvention,
+              anonymity},
+  abstract = {An ever increasing amount of governments, organisations, and
+              comp     anies employ Internet censorship in order to filter
+              the free flow of informat     ion.  These efforts are
+              supported by an equally increasing number of companie     s
+              focusing on the development of filtering equipment. Only
+              what these entitie     s consider right can pass the
+              filters. This practice constitutes a violation      of the
+              Universal Declaration of Human Rights and hampers progress. 
+              This thes     is contributes novel techniques to measure and
+              to circumvent Internet censors     hip. In particular, we 1)
+              analyse how the Great Firewall of China is blocking      the
+              Tor network by using active probing techniques as well as
+              side channel m     easurements, we 2) propose a concept to
+              involve users in the process of censo     rship analysis, we
+              3) discuss the aptitude of a globally-deployed network mea
+              surement platform for censorship analysis, and we 4)
+              propose a novel circumve     ntion protocol. We attach
+              particular importance to practicality and usability     .
+              Most of the techniques proposed in this thesis were
+              implemented and some of      them are deployed and used
+              on a daily basis.  We demonstrate that the measur
+              ement techniques proposed in this thesis are practical
+              and useful by applying      them in order to shed light
+              on previously undocumented cases of Internet cen
+              sorship. We employed our techniques in three countries
+              and were able to expos     e previously unknown
+              censorship techniques and cooperation between a corporat
+              ion and a government for the sake of censorship. We also
+              implemented a circum     vention protocol which was
+              subsequently deployed and is used to evade the Gre     at
+              Firewall of China. },
+  ISBN = {978-91-7063-605-9},
+  year = {2014},
+  URL = {http://urn.kb.se/resolve?urn=urn:nbn:se:kau:diva-34475}
 }