Good morning everybody. I hope you can see and hear me well. So, now we will start the lecture for Monday morning, and also you have a new lecturer today, and the talk's title is "Security assurance from the perspective of a system administrator". So, we will have a lab related to this topic also. It is on Friday afternoon, and tomorrow morning we will take you through a little bit more detail of what the lab will be and what you will learn from the lab. So, today let me build the background for that. I have the first two parts of the talk, the good and the bad, which are really, you know, maybe five minutes each, sort of a big higher-level overview, just so that we understand the lecture in the correct context. So, most of the focus of the lecture will be on the part that is called ugly, which is how you monitor, analyze and react to security incidents in your infrastructure which provides the services for a campus or an organization or a company and so on. So, "good, bad, ugly", in case some of you do not know, is the title of a movie. So, I like to divide my talk into three parts. So, let us just start very quickly with the good, after this disclaimer that in almost any topic you have heard this story, the Gajanya, five or six blind men trying to find out what is an elephant by touching different parts of the elephant. So I won't dwell on the story, but security is like that: depending on where you come from, whether you are a programmer, whether you are an end user, whether you are a system administrator, whether you are a hardware manufacturer or a programming language designer, each person has a role to play in ensuring the security, and today we will probably be playing the role of the scissor, which is a wall, a firewall, and so on, and not the part that you have probably been talking about earlier, web applications and how to design safe applications and so on.
So, each person has of course a role to play, and the elephant needs all the parts for it to work properly. So, with that introduction, a 50,000-feet view stressing the same point: if you want the entire landscape, you are flying way above, you want to see the whole of India and you are in a rocket; this is how security will look, that there are many, many parts. Why are systems insecure? The topmost part says vulnerabilities. The vulnerability could be in an application, it could be in the host, it could be in the network, it could be the user who is not careful with his passwords and who is clicking on the wrong links and so on. And of course, we start with the requirements: irrespective of why these things are happening, we want a lot of requirements, which we will again see later somewhere in the slides. And then we will see why it is not safe, who are the threats; this is not in today's lecture. I am saying, if you teach an entire course and you want to have a full feel for what is security, then this is also important: who is the attacker, what resources they have, why they are doing it, how to track them, and so on and so forth. And then this is a very, very important part of any course on security, which I think a lot of you have been doing in the first two, three days: what are the mechanisms to provide this security? How is the system made secure internally? And further, cryptography is the science going on; without that you can do nothing, and therefore you are learning all this. Today will be a little bit about firewalls, but the focus today is on what I wrote in the title: security assurance. So, assurance means guarantee: irrespective of whatever mechanisms you use and whatever vulnerabilities you patch and so on, how do you give the assurance that nothing bad is happening?
So, for that, the part that we will be focusing a lot on in the later part of the lecture is what is called monitoring, log analysis, anomalies, emergency response: that you have to constantly know what is going on in the network or the systems, the servers, the applications, and without that you cannot be sure that things are okay. So, this will be the focus today; although it looks like a very small part, it is an important part, and in the lab on Friday you will be using some tools that help you to do this: monitor, analyze threats and react to them. So, now let us go on to the part which is highlighted here, the good, and I will just spend a minute or so. Today we know that without computers we cannot be relying on paper, books and film and what they used to have in the libraries in the older days, magnetic film tapes, which people read and go and spend a lot of time on. Today everything is instant on the internet; there are search engines using which you can access information very fast, and therefore the role of the teacher is moving from this part of the inverted pyramid, which is to convert information to knowledge, which is what a lot of teachers normally do, use well-known textbooks, repeat what is there; this sort of thing today is much more easily accessible to the student. So, the teacher's role is more here: from that knowledge, how do we distill wisdom, so how do we teach a student how to learn, what to do, and so on and so forth. And of course, in a lighter vein, so that Monday morning does not feel so bad, in the Indian tradition even wisdom is not the top; the top is of course moksha. Moksha means you do not have to know anything, you are detached from the world, and so on and so forth.
Let me just spend, you know, 15-20 seconds telling a joke which many of you may have heard: when the Americans were excavating for constructing a building, they found a lot of copper wires buried around 20 feet from the ground, so they sort of said, see, even 200 years back our ancestors knew computer networks, they had ethernet cables and so on and so forth. So the Russians, the next day, they were doing something, they went a little further and they found optical fiber, so they said our ancestors knew optical fiber and they could do more bandwidth and so on. So, what happened in India? 20 feet, 100 feet, 1000 feet, nothing happened, so they said we knew wireless, or moksha, we could do networking without wire. So that is the joke. So, the reason is that, whatever may have been the ability to live 100 years back, or a little bit more, the last 4 centuries, the last 400 years, there were very, very brilliant people; an apple fell on somebody's head and he wrote things for which he is still very famous. So, that is Newton, and there was Ramanujan, who just used a notebook and pencil, sat all alone, and he is still very famous, and most of us do not understand many of the results that he derived. So, these sorts of things are all called small science; that is not possible today to the same extent that it was possible 200, 300 years back. So, we will not debate this, but maybe you can think about this later. What happens today is that without computers, and without very powerful computers, no science, you know, no branch, whether it be molecular biology, chemistry, physics, you name it, there is no science or engineering that can do without computers. And computers alone are not enough; one computer in one room is not going to do science. What you need is collaboration; you need data generated from various places to be available instantly; you need researchers working in various places to collaborate, do parts of the experiment, like that you would have heard of DNA sequencing and so on.
Thousands of researchers all over the world splitting the problem into pieces, cooperating, applying their energies in the right places and so on. So, which is entirely what this, you know, computer, cyber and network security is all about: that all these good things can happen, and we are going to conclude the good part now, can only happen if the network is stable, if the computers are not attacked and there is no fraud, there are no bad things happening. So, this is the reason why we need to quickly take a look at what is the bad, and if you do not do that, then already life is very difficult for us. Mathematicians like Ramanujan today cannot work without huge computers doing a part of the work for them. You might have read, I do not know how many of you saw, just a few days back; I hope now most of you do not smoke, but all of you have seen cigarettes. So, about 50 years back, in Scientific American a puzzle was posed: if you take seven cigarettes, can you arrange them in some way so that every cigarette touches the other six? You understood the problem: seven cigarettes, each one should touch the other six. So, this proof was done using 30 days of supercomputer time, a month or so back, that it can be done; the configuration was found, but not by just the human brain thinking and drawing, because a lot of calculations were involved, floating point calculations, to ensure that the diameters are okay, that there will be no gap and so on and so forth. So, one can search for this, seven cylinders touching. So, similarly, banks today: you cannot go to a bank and write a check; all that we still do, but it is decreasing, everything is done on the network. So, of course, let us come closer to home: why are teachers affected? I already told you, just giving knowledge to students is not enough; knowledge is already available easily.
So, what we need to do is to give them, through the National Knowledge Network and through Aakash, the tablet that will cure all the evils. So, life has become difficult for teachers also. So, with that, let us move on to see why. So, a few minutes on the bad part. Here is a website; all of you can access this later when you are in the lab or when you are home and you have a lot of time. Please do go to this website, atlas.arbor.net, and what you will see could be shocking if you have not seen it before. I am not sure how clearly you can read the bottom parts. In this particular slide the blue dots are showing where in the world there are fast flux bots, okay, and I will explain what it is later, but you can see that all over the world they are able to identify that this is happening. Maybe the next one will be a little easier to understand. The next one is again a similar map, but it is for phishing sites, and many of you may be aware of what a phishing site is: it looks like State Bank of India or it looks like some other real site, and users are somehow made to go there and enter their personal details, account number, password. This is phishing for foolish people who will reveal their personal information, and there are sites in India also. And these are not just maps drawn statically; it is something that changes, we will see; it is really analyzing what the situation is now, in real time.
So, I will show you some more, and then we will see how they are doing it. This is the monitoring and reacting: they are able to tell you what are the top threat sources in the past 24 hours. Luckily India is not figuring in the top 8 or 10, but America, China, they are all there, and this is where all the bad people are, this is in the last 24 hours. You can go to atlas.arbor.net and see how they keep updating this information, and here are some statistics: they are saying that there were 2,539 DDoS attacks (DDoS is distributed denial of service attack) per day, and that has been happening; they are monitoring the trend, and they are telling you how many active botnets. Botnet is something we will probably spend a minute on, because it is important, and you might already know it. A botnet is like the sleeper cells that terrorists use: computers that are infected, or computers that are carrying bad programs with the ability to do bad things, but they are not doing bad things, they are just waiting, and they have been infected all over the world. This is why it is called a net, a robot network, botnet, and when the attacker gives the signal, all these computers will aid him to carry out the attack, and there are 1000 such botnets which are detected today. So, why are we able to detect this and do nothing about it? We will see that also.
So, now let us come closer to home. What does atlas, the robot network, tell about India? It says in India there are all these bad things happening, bad activity; there are people scanning at around 1 o'clock, 2 o'clock; it shows you the trend on a particular day in October 2012. This is the old data; you can see the real data. People in India are scanning subnets outside, trying to find out which computers are up, what services they are running; you might have seen a little bit about nmap and so on; they are using tools like that to scan, to find out targets. Good thing, bad thing? It is a bad thing. And who is scanning? They are able to zoom in closer; they are able to see that Tata Communications network people, Reliance network people, what is the traffic, what percentage of these scans are coming from various ISPs who are providing internet services in India. So, by now you might have guessed how they are able to do this: that they are cooperating with each other, and a VSNL or MTNL router is giving some information to this atlas.arbor.net about traffic that is passing through its main links. All the backbone routers are analyzing the data, analyzing the traffic, and are able to give information, which is a way to monitor the real-time bad activity. And they are even able to go further: they are even able to find out who is hosting phishing sites, again by which service provider, and if you go further, possibly even the IPs. These are the malicious servers; malicious servers are not only phishing sites, they could be having websites with cross-site scripting or websites containing worms which, when you visit the site, download other data which is not visible to the normal user, and they are able to even tell the IP. So, this is an example of just knowing what are the bad things; how they do this, that is later. But with this data what can they do? Unfortunately the internet is distributed, completely out of the control of any single organization.
So, these bad guys are spread all over the world and are actually cooperating all over the world; it is much easier for the bad guys than the good guys, because when the good guys have to cooperate and bring these sites down or take action, then the procedures are not yet easy to do. So, these bad things are happening; again, I am going through the good and bad very fast so that we come to the real topic of the lecture. Again, if you look at it from the higher point of view, there could be many vulnerabilities, and this is part of this course: why web applications are vulnerable, how you can fix it. Then the host security may not be part of it; we will see today how bad configuration, or files or permissions that are not okay on the server side or the client side, can cause problems. Then of course this is very important, transmission security. And why are the bad guys able to exploit all this? So, just a few minutes on this: you go to Google or YouTube or anywhere and search for "attack tool kit", "internet attack tool kit", and you will find lots of them. It is very easy; you do not have to know a lot of TCP/IP or programming or this or that; there are many people who are leaving such attack tool kits free of cost, no need to pay; you can download it, you can then type "attack this website", and that tool will try and find out if there is any vulnerability, and if there is a vulnerability and it is successful it will tell you "I have got it", and you can ask it to scan a particular network, IIT Bombay's network, and then find a host that is open. We will see a little bit of that. Any kid can do this; these are called script kiddies. So, the question I want to raise is: it took a lot of effort and time for that person to write this attack tool kit; why do they make it available for free to others?
So, if you think a little bit you will understand that it is because most of these are actually doing more than what they claim to do on the surface: they have hidden payloads; they compromise the computer on which the attack tool kit is downloaded and used, and that becomes part of the botnet of the person who has left such a tool kit free for others, like a Trojan horse. So, that is the motivation of people, but the effect of that is that any person, any high school or college teenager, can carry out reasonably sophisticated attacks without investing time and energy in learning anything. So, I will not spend a lot of time on the bad part, but I would strongly urge you to go to this website, CERT. We will be hearing a little bit more about CERT, the Computer Emergency Response Team; it is a worldwide organization; CERT-In means the Indian branch of it, which is run by the Ministry of IT in Delhi. They have a website, in collaboration with websites all over of the CERT organization; just like the bad guys are collaborating, the good guys have realized that it is time we also collaborate, and they have left a lot of training material. This slide I will not go through in detail, but I urge you all to go through not only this slide but the entire talk available on that website, giving you the timelines: how 20 years back it was an individual student writing some small program to attack a particular vulnerability, to today, how it has grown, and today it is governments and organizations spending a lot of money trying to find out how to compromise a particular network.
Similarly, they have even tried to classify what types of attack are happening, and several times today we mentioned botnet and botnet controller. This is one of the most dangerous attacks, when the attacker has access to computers all over the world, because then it is much harder to stop the attack, and it is done through spyware and rootkits and so on, which are spread through websites, social engineering, email. So again, this is just a slide which tells you why bad things happen, how attacks are orchestrated, how the bad guys are finding it easier, and so on and so forth. Of course it's a relevant part of this course, but not today. So please do go back to this website, cert.org, cert-in.org.in, and look at their training material, educational material, and you will find very, very interesting lectures about this. The reason you should do this is because they are not 100% technical lectures; they are giving you the complete overview and a good starting point to understand the complexity of this threat. So that we can then concentrate on the real ugly part, which is to ensure all this: our goal in today's lecture is not from the attacker's point of view, it is from the sysadmin's point of view, that we want to set up services and a network in our organization where we can, again, I want to read out all these properties, assure users that they have confidentiality, integrity, availability, and so on and so forth. So now let's come to the third and the main part of the lecture, the ugly part: how do you defend? Defending has many, many components; two or three of them we will see, and in Friday's lab you will be experimenting with some of the tools that help the defender to understand what is going on in your system and to plan accordingly how to react.
So I hope you are able to recognize this map. This is the map of IIT Bombay drawn by one of our industrial design cell people, just to make it easy for visitors, and there are hostels in the back, there are residences here, there is the academic area, there are playgrounds, hostels here, and there are the lakeside areas, guest house, so on and so forth. So we are going to assume that this is a critical national infrastructure, which itself is debatable, but critical national infrastructure could be ISRO or BARC or State Bank of India's data center. So these are sites, or SEBI or Bombay Stock Exchange; many of you may have read that Bombay Stock Exchange went through a three-hour, four-hour network problem two weeks back; they had to stop trading. So I am not very up to date on what it means, but I am told that that is a very serious disruption to the economic activity of India. So let us not go into that part, but it is something that will definitely be a critical national infrastructure which needs to be protected. IIT Bombay, if it goes down for a day or two, of course it is a sad thing, but it is not so critical. But still, for today's lecture we will assume that our goal is that we are the system administrators of a university or a campus like this, which is spread out, where we have to have all the services, where there are different types of users, and then what we can do to make the infrastructure more secure. So of course, this is again in a lighter vein, that the attacker need not do too many technical things. If they know this is the main gate, this is the main road, and all connectivity to IIT Bombay comes through fibers which have two or three places in the boundary wall through which they enter the campus, and if they are able to just cut those fibers, they can cause quite a lot of damage to us.
Again, it is not that difficult; it is not so well protected, and so on and so forth, but we are relying on secrecy right now: people do not know which tube it is going through, where it is, and therefore a small bulldozer on that road can in five minutes cause damage that will take a week or so to repair. So this is the lighter vein; we are not looking at this type of attack, physical attack; somebody else, the police, has to be involved; there has to be protection of the infrastructure from the physical point of view; physical security is not so much the focus. So of course, to do that, we do try to scare people by saying that there are a lot of crocodiles in this lake on this side, Powai Lake, so nobody should try to swim across and cut wires and so on. Similarly, on this side there is a national park and leopards come over from there. So we will just see, for five minutes we will do a role play: I am sitting somewhere in IIT Delhi or some other place in India or outside, and I want to cause damage to IIT Bombay's systems and services without physically doing all the earlier things that I said, cutting the fiber or putting a bomb and so on and so forth. So what would you do? So the first thing you should do, this is something which in your lab you can try out: there is a website called dnsstuff.com, and what it does is that you give it a domain name such as iitb.ac.in, and you all know that that is our domain name. Similarly you know sbi.co.in; you know, for any organization it is in their interest to publicize their website and domain name. So this information is easily available, and if you use that and try to find out, you ask this server on the internet to tell you information about this domain; dnsstuff means using DNS to try to find out what are the computers, what are the systems, what they are doing. And what you will find is that it starts giving you some more information: it says that IIT Bombay has three name servers, and it gives their IP addresses.
Similarly, for other organizations you will start getting the first piece of information, the IP address. So what you do when you have more information? You continue; it will tell that it has MX records. MX records are how IIT Bombay advertises to the rest of the world how to send mail to IIT Bombay: if you want to send mail to siva@iitb.ac.in, which is my address, from your computer in some other part of the country, then you need to know which IP address will accept mail for IIT Bombay. So that information is also advertised, and if you go a little carefully and look, you will find that there are mail relay one, mail relay two, and their IP addresses are revealed, and then this site tries to find out a little more information and so on. But with this information we can find out at least the one important service, the mail service, and once you know the mail service's IP address you can try to trace out how to reach it. So what are the links, which service provider is providing the link? There is a utility called traceroute, and traceroute will try to tell you, and you can later on see, if you try that, that one of the links that reaches us is through Mumbai, vsnl.net.in. Why is this information useful? We will see later. But more sophisticated tools are there, some of which you use in the lab: Nmap, Nessus, Metasploit. Once you know a particular IP, you can try to find out if there is any vulnerability, and what are the other IPs in that range, see which ones are running what services, and all this information is accessible.
So this is what the attacker will do. You should never assume that he does not know what is your IP address, which version of mail server you are using, what web server you are using, what proxy server you are using. So security by obscurity is a very old principle; we have to assume, when we start defending, that the attacker is able to get a lot of information about my network without physically coming and stealing anything. This information is needed, because without this, others whom we want to contact us will not be able to contact us. So we come back to the big picture: we have infrastructure in the campus, and again we are not going to talk a lot about UPS, air conditioning, cables; you have to protect all these also. And then you have PCs, printers, so on and so forth, routers, and then you have services which are network related: LDAP directory service, domain name service; and then you have mail services, you have web services; then you have of course your system administration, online payroll, grading, administrative software; then you have research and teaching software, application-level software. And there are so many people involved: there is faculty, students, staff; there are vendors who sell you products and services, who give you licenses for their software; and then there are people, alumni, press, outsiders who need to interact. So this is the big picture: we are setting up an infrastructure where security should be first among our design principles, and even if it was not at some point, we have to analyze where security was. Let us focus on the network first: what are the security threats, how to prevent them.
So our campus network has several areas academic area hostels it is one way to segment your network and we have many I want show the entire diagram but we have many layer three switches gigabit ethernet switches so this is what is called the LAN then we have this is the dated information we have much faster higher bandwidth now but we have many van links three or four van links I will show you today's information later on and then we have applications and I am going to focus on these two and in the lab on Friday we will focus on these two IIT Bombay stands and receives mail for about five six thousand people student staff faculty all the other so on so forth we host the websites of every department at least 40 50 different websites are within the domain IITB TSE dot IDB, CHE, EE each department and then we have all this users and we have to have worry about misuse by internal users also it is not just practice always outside and once you start looking at internal users and seeing what damage they can do then you will find that is much harder to control and therefore we will have quite a bit of a problem in the network so let us focus on one segment of the network IIT Bombay provides residential area network connectivity that we have staff quarters we have faculty housing we have hostels they all come under residence and we need to make sure that the usage from there is to some extent controlled by us let us not worry about threats from China or Pakistan first this design principles will apply later when you expose yourself to the outside world also all I want to say and make sure that you understand is that the internal threat is also as important and in fact harder and if you control the internal threat the external threat is also going to be diminished significantly so this is our LAN what is below this slide I will give you a minute to look at this diagram not a complete diagram but it gives you the idea that this part is what I will try to explain but you can 
assume that below this is IIT campus and its plan you can assume that above this is the big bad internet where we have van links from different service providers national knowledge network MTNL VSNL BARTHY TATA and so on depending on which campus you are so those are the two and this is where the entire security figures for protecting you from the outside world but also from the inside world okay you do not want a student in IIT Bombay to do bad things outside and IIT Bombay being held legally responsible so this area which most of you will know is called DMZ what does it mean the militarized zone and it is in this area that we get the ability to control what we allow what we deny what we monitor so I will not explain all this you need servers to send and receive mail you need servers which will act as proxy for your web servers which are actually inside PC department as a web server and that web server cannot directly be exposed to the entire internet you need some middle person who will field the request and this is where you can do some sanitization you can do some checking can do some control then get the real page from the CSE server and give it out this is a reverse of the proxy similarly for students inside IIT Bombay who want access websites outside one way of course is to directly give every machine access through just translating the IP address to a useful address outside nothing we'll see a little bit more about that but that way is not the secure way the secure way would be to use proxies here this is proxy server which you call called squid which is what we will talk a little bit about in the lab on Friday which filters request does not allow everything which allows you to control what your users can do and cannot do so you need to know how to do those services so we will be concentrating a little bit on this how what are the important services here and how different aspects of how you configure them how you monitor them and how you react to problems 
with them is going to give a level of security assurance to your campus your mail will not break your browsing will happen speeds will not come down to a crawl all these things have to be done at this part of course I just again want to caution you at this stage in the lecture that I do not expect that I do not neither do I have the time not do I expect that you will understand every part of every service in this DMZ we will just give you samples it's like saying that when I cook food you know you don't have to eat the whole food to know if it is good so sample a little bit and know what is there so that later on you can apply your mind and learn and teach more about whichever part of it interest you more so we will be just sampling some of this so if you look at the issues in the land we want virus spyware not to be infecting our users machines we do not want users to use wrong IP addresses what is the meaning of wrong IP address that if you are in a hostel I don't want you to have the freedom to change your IP address in your room whenever you want why don't I want you to have that freedom first of course if you change it to something very wrong from the sense that the routing table will not work properly then you will not connect to the rest of the network but within the range allowed for your hostel I want to narrow down to room level also I do not want you to use your neighbor's address or the address of somebody in the other wing why would I not want that so this is for little bit of audit trails accountability so again I can spend a lot of time telling you stories but I will just ask you to later on look up the story of a person called Vikram Wuddi V I K R A M B U D D H I so you just type this name in Google and you will find many links explaining why he was arrested by the US government in 2008 or 9 and kept in jail for 3 years he was a student in Purdue University and apparently he posted hate messages which could have led to violence on some news group 
a Facebook-like newsgroup, and they traced the IP address back through the university switches and network logs to his room, apparently. Now there is a lot of controversy about that, so we will not go into that, and then you can see what happened, how it evolved and so on and so forth. But this level of problem might come in your campus or our campus also, that we might be forced to do what is called a forensic investigation of something bad that happened, where we have to trace back all the way to where it originated, okay? And this is something that you can do with static MAC-IP mapping and all that, so I will not explain all the solutions; I'm just highlighting some of the problems, okay? And a good LAN design will help a lot in making sure that the attacker finds it much harder to conceal, and even if he succeeds, we can trace. So again, summarizing, this is where we will spend some time today: the firewall. First and foremost, you have to, I already told you, the internet is on one side, the campus LAN is on the other side, and you have to now allow both-ways traffic to flow under your control, not uncontrolled: users inside should not be able to do whatever they want, users outside should not be able to do whatever they want, and we should control what is allowed, what is not allowed. So we will be using, there are many firewalls, commercial firewalls and so on and so forth, but the one best tool to learn and experiment with in the lab and teach students is something called iptables (netfilter.org), which is an open source firewall. We will be using that to illustrate how you control access both ways. This is the title that was given for the lecture, today's lecture, in your handout: it was called access control. Then of course other services are important; we won't talk much about it today, but you should know how to set up domain name servers, how to set up directory servers for your users, using which you can control, you can do virus checking and so on and so forth, and you can do proxy servers. You
can set up servers to receive email; we will talk a little bit about this tomorrow. Newsgroups, web proxy, web servers: so all these are the services in the demilitarized zone. We will talk about the firewall for the next 10 to 15 minutes. So this is a very common situation, that inside the campus you will want to organize it into different parts: each hostel can be a separate subnet, each residential area, faculty quarters, staff quarters can be a separate subnet. So that way in our campus we have split it into geographically contiguous places, each a subnet, about 50 subnets. We have more than 5000 nodes; now it's even more with all these smartphones and wireless-enabled devices, which also need IP addresses to contact, and therefore the solution is not to ask the service provider to give us so many IP addresses. Nobody will give you that today, especially if you are on IPv4, which is what most of us still are, and because of the limitation a service provider, even if you have 4 service providers, all put together will give you only a few hundred, 64 into 4, or each one will give you 64 addresses or at most 128 addresses, which are valid internet addresses, which can talk to other hosts on the internet, for which data will be routed. But the advantage, which we all know, and if you don't know you should study a lot, is that there are some reserved segments, especially the one beginning with 10, similarly the one beginning with 192.168, which are called private IP addresses, which are not routed in the rest of the internet but which can be used by you freely within your LAN. So now all our machines in IIT Bombay use addresses starting with 10; inside IIT Bombay, the ones below that demilitarized zone use addresses starting with 10. 10.105 is the computer science department, 10.129 is the IT department, 10.
something else, 104 or something, is the EE department. So every department then can further subdivide if they want; they have the space for the next 2 bytes, but we have only 50 such subnets visible at the top level. Now, none of these addresses are directly reachable from outside. If from Japan you try to reach 10.105.1.14, which is actually the IP address of the computer science department's main server, there is no way that that packet can come through, because 10 is a private address; no router in Japan will be routing packets to a 10. address in India. So we have to somehow enable data coming from Japan to the computer science server in IIT Bombay through that DMZ; that is where iptables will help us. So we can allow selective services to selective machines. Similarly, for incoming you can do that; similarly for outgoing: none of the 10. addresses inside IIT Bombay can directly connect to Google or directly connect to any Government of India website, the passport site or the income tax site, because when they send a packet out with a 10. address, replies cannot come back. So somewhere we have to translate, called NAT, network address translation: replace the addresses with a publicly usable address, send the data out, and when the reply comes, send it back. We have to play this role of postman, getting data from one side, giving it out, and the other way. So we can do it at various layers: we can do it at the network layer or we can do it at the application layer. If you do it at the network layer, it's called iptables, that means you don't worry which application; but if you do it at the TCP level then you know the port number also, so you can allow for a particular IP a particular application: SSH uses port number 22, mail uses port number 25. You can even do it at the application level; if you do it at the application level, the proxy is called Squid, or web proxy, or for email, email goes to a mail relay machine inside your thing and then is sent out; mail is received by that machine and sent in. So
this is where we have to first decide what are the services that you want to allow, incoming and outgoing, and this again I will not explain in detail today, but this is a very important part: you must make a very good policy which is well known and accepted and understood in your organization. So iptables is an implementation of a firewall in Linux and it uses packet filtering, so you should go to this website and read more in detail. Today we will be seeing examples of how it is able to take a packet that is coming and match various fields in the packet and then decide whether to send the packet on or not. So this will protect you from exposing your network directly to external entities, it will regulate traffic based on the security requirements, and it will provide choke points for screening the packets. So one word which I have not specifically used: it will also allow you to shape the bandwidth, so that you can make sure that web traffic does not use more than 50 percent of your bandwidth, mail traffic does not use more than 20 percent of your bandwidth, if this is useful to you. And I am sure most of you understand the reasons for limiting the traffic, because you do not want less important traffic to swamp out domain name service requests or mail requests or web page requests, so you have to prioritize, assign classes. That is not explained today, but those who want to go further with iptables should not stop with only doing this NATing and translation and blocking; they should also look at other features which allow you to do rate limiting, which we will talk about, and also bandwidth shaping. So like I said, we are only sampling the good things and showing you in the lab; you can go more and more in detail as you teach the course and develop this topic. So the highest level view of iptables is that there is a set of rules, 1, 2, 3, 4, like that, and for every packet that comes we see which rule applies, and the first rule that applies is used. So we go down: this rule does not match, try the
next rule, and if a rule matches, take the appropriate action. So with this understanding, the basic functionality of iptables is to take packets from one side, say the IITB LAN, and put them on the other side. So in that case it has to do source NATing, because the packet coming from the IIT LAN will have a source IP address of 10.105, it is coming from the CSE department, but when I send it to the outside world I have to replace that 10.105, the source IP address, with something that is known to the rest of the world, so that the replies can come back. It can be 103.5.whatever, an IP address we own, so that the reply packets will come back. The other way is that when I advertise a web server of the CSE department, when the packet comes from the outside world, say Japan, I have to do destination NATing: it will come for a particular IP address which is known to the rest of the world but really has to go to 10.105, so I have to change the destination address and send it inside the IIT LAN. So these are the two important NATings, and we have to keep track of connections, because once you do this you cannot just randomly change; you have to know for which connection you changed in what way, and therefore when the packets and replies come you have to keep this flow going until the connection closes. So, as you can see, learning security is not something that you can learn without knowing TCP/IP first. So in a course like this we are assuming that you have enough background on IP addresses, TCP connections, sockets, so that you understand, and if not, the student has to be given that preparatory learning of how applications work on the internet. Tomorrow we will spend a little bit of time on email. Now, this is the basic functionality that it has to do; without this it is not useful, but it is not the only thing it can do. It can do what is called packet mangling: it can change some fields in the packet. Why would you change, what will you change, why is it useful? We will see. This is where you can do traffic shaping, you can do
control of the number of connections per second and so on and so forth. So here is a diagram that I should probably come to after showing you the basic setup, so we will come back to that diagram, but I just want to explain to you what is happening: that iptables is running on a machine like this which has two different interfaces, eth1, eth0; one side is connected to, let us say, this subnet 192.168, the other side is connected to some other subnet 10.105, and we need to make sure that these two sides can talk to each other the way we want, only for the applications that we want. So whenever I am explaining iptables I am trying to explain to you what this machine does, and this machine is typically called a firewall, and it is the same principle for firewalls made by commercial manufacturers; Scopics or some other companies make different brand-name firewalls; all of them have these multiple interfaces, and when a packet comes on one interface you have to know how to handle it. So this is what this diagram is showing; this is called the kernel packet traversal diagram. So there are two things that we want to understand. One is that when a packet comes from the Ethernet card, the device, the network, what do we do with that packet? In my computer many applications are running: the user is running chat, Skype is running, and then mail is going, Squid web services are going. So when the packet comes on my network it will have my IP, so I have to decide what to do, and I have to distinguish based on the port number and give it to the application and so on. There is another thing that we have to do: applications on my computer, the local processes, might want to send data out, so I have to put it on the network through the device, maybe a different device. So this diagram tries to tell you that when a packet comes in from the network, first we look at what is called the pre-routing chain type of rules: whether to look at that packet at all. Suppose I do
not want a bad IP address to talk to me; I just drop the packet, and if he keeps sending me packets I do not even reply. That could be one of the rules. And then later on I look: is this packet for me, or am I having to forward it to somebody else? I have two, three interfaces. So if the packet is for me, then I give it to my input chain: is it for my application, the chat application, Skype application running on my computer? Then I use the input chain rules. So essentially what I am trying to say is that iptables rules are logically divided into several segments: one is called pre-routing, one is called the input chain, one is called the output chain. Output chain is when the user is sending a packet; I want to know whether to send it out or not. I may allow only certain services: if he is trying to send a packet for email I may block it; if he is trying to send a packet for a web server, that means destination port is 80, I may allow; destination port 25 I may not allow, for applications on my computer itself. So this is called the output chain rules. Then there are the forward chain rules: if the packet is not for me but I am acting as a firewall, taking packets from one side and sending them out on the other side, then I have the rules called the forward chain, whether to forward or not. And then finally the post-routing chain: that after doing it, should I translate the IP address, should I keep track of the connection, should I limit the rate of connections; if I already allowed 5 connections, should I allow the 6th one, 7th one, 8th one? All these rules are called post-routing rules, and then I send it out on the network. So this is the top-level view of what happens in a firewall. So now let us go a little bit deeper. Here is an example. So this one says drop packets which are coming on the interface; see, this computer has two interfaces, Ethernet zero and Ethernet one, two network cards, and this rule is saying that if packets are coming in via Ethernet zero for the TCP application running on port 166, reject it. That I may run an
application on my computer which I want only people on this side, IIT Bombay, to access; I do not want the outside world to access. So then I use rules like this, that I specifically say drop this particular packet, and this particular packet is identified by the TCP destination port 166. Just giving an example; 166 is not a real application, it is to tell you that these things can be done. Similarly, this one says that if from Ethernet zero a TCP packet is coming with the source IP 192.168.1.1, accept it. So now you try to remember what I said: these two rules are actually contradictory. This rule is saying if the source address is this, accept; the other one is saying if the destination port is 166, drop. Which rule should I use? So that is why I told you that we have to know the ordering; we have to know which rules are used first, whether forwarding rules are used first or pre-routing is used first, and within that, in what order the rules are written. So this is why iptables has a little bit of complexity, because you have to design the rules well. So in general, rather than go deep into this, the two principles that you should be aware of: one is called default deny. Default deny means what? That I design my system so that all the rules I put are accept rules; I only tell you what to accept. So everything that I want to allow I should write a rule: allow this port, allow this IP, allow this port, allow this IP, and then I should put a rule called everything else deny, default deny. This is strategy one.
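The firewall box described in this part of the lecture, written out as an added example (this is not the lecturer's code or the Friday lab material): a POSIX shell script for the two-interface machine that applies default deny, puts the two "contradictory" port-166 rules in the order that makes the intended sense, does destination NAT for the CSE web server, source NAT for outgoing campus traffic, and a per-source connection limit in the forward chain. It prints the iptables commands by default (DRY_RUN=1) so the rule ordering can be checked before anything is applied. The interface names eth0/eth1, the public address 103.5.0.1, the admin host 192.168.1.1 and the web server address 10.105.1.14 (the address the lecture gives for the CSE main server) are assumptions, overridable from the environment.

```sh
#!/bin/sh
# Added example for the lecture's two-interface firewall; not the lecturer's code.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 executes them (root).
DRY_RUN="${DRY_RUN:-1}"
WAN_IF="${WAN_IF:-eth0}"                 # faces the internet (assumed name)
LAN_IF="${LAN_IF:-eth1}"                 # faces the campus 10.0.0.0/8 LAN (assumed)
PUBLIC_IP="${PUBLIC_IP:-103.5.0.1}"      # assumed address we own on the WAN side
WEB_SERVER="${WEB_SERVER:-10.105.1.14}"  # CSE web server, reachable only via DNAT
ADMIN_HOST="${ADMIN_HOST:-192.168.1.1}"  # the one host allowed to reach port 166

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

apply_rules() {
    run sysctl -w net.ipv4.ip_forward=1

    # Strategy one: default deny. Chain policies are DROP; everything below is
    # an explicit ACCEPT, except for a few early DROPs that must win.
    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # Connection tracking: replies to connections already accepted are let
    # through, so the per-service rules below only have to match NEW packets.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # The two "contradictory" rules: first match wins, so the ACCEPT for the
    # admin host must come before the DROP for port 166. Swap them and the
    # admin host is locked out of port 166 along with everybody else.
    run iptables -A INPUT -i "$WAN_IF" -p tcp -s "$ADMIN_HOST" -j ACCEPT
    run iptables -A INPUT -i "$WAN_IF" -p tcp --dport 166 -j DROP
    # The firewall itself accepts only SSH, and only from the LAN side.
    run iptables -A INPUT -i "$LAN_IF" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # Destination NAT: the public address advertised for the web server is
    # rewritten to the private 10.105 address before the routing decision.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER:80"
    # Connection limit: one source address may hold at most 5 connections to
    # the web server; its 6th NEW connection is dropped.
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_SERVER" --dport 80 \
        -m conntrack --ctstate NEW -m connlimit --connlimit-above 5 --connlimit-mask 32 -j DROP
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_SERVER" --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Outgoing: LAN hosts may open web, mail and DNS connections; source NAT
    # swaps their 10.x.x.x address for the public one so replies can return.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s 10.0.0.0/8 -p tcp -m multiport --dports 80,443,25 \
        -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s 10.0.0.0/8 -p udp --dport 53 -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s 10.0.0.0/8 -j SNAT --to-source "$PUBLIC_IP"
}

# Position (line number) of the first generated command matching PATTERN,
# 0 if absent; used to verify rule ordering before applying for real.
rule_position() {
    pos=$( ( DRY_RUN=1; apply_rules ) | grep -n -- "$1" | head -n 1 | cut -d: -f1 )
    printf '%s\n' "${pos:-0}"
}

apply_rules
```

Run it once without arguments to read the generated commands, confirm with rule_position that the admin-host ACCEPT precedes the port-166 DROP, and only then run it as root with DRY_RUN=0. Because the policies are DROP, anything you forget to list explicitly (for example DNS from the firewall itself, or ICMP) is silently denied; that is the point of default deny, and also why the dry run comes first.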