Hi, folks. Ed Amoroso here. If you've been watching these videos, you may remember one of the videos you've seen where I talked about something called the reference monitor concept. I'll sort of repeat it here because it's kind of important to understanding where we're going from a technology perspective, and that's toward firewalls. The idea of a reference monitor, introduced in the 1970s by James Anderson, is that Alice wants to do something with Bob and I put this thing in the middle that's going to watch what's being requested and make a decision about whether it's allowed or not. Really simple, but it's so fundamental to the way computer security works, cyber security works, that it's worth repeating. So, take that concept and now let's take what we understand about TCP/IP and let's think about the three-step handshake that we have between Alice and Bob to set up a session. Alice goes, "Hey, here's a SYN packet." Bob goes, "Hey, here's a SYN ACK." Alice goes, "Hey, here's ACK." Now, that first packet, the first initiating packet, the SYN, it turns out that in TCP we got really lucky in the way that thing was designed. I'm not entirely sure that Cerf and Kahn, the two inventors, were thinking security when they did this. I doubt it. But they were certainly thinking about establishment of a session, and what they decided was, the first packet in that TCP sequence would have the ACK bit set to zero. All subsequent packets going back and forth, including all data transfer, would have the ACK bit set to one. How cool is that? So, what that allows you to do is you can put a little piece of equipment, think of it as equipment, it's not going to be equipment but think of it as equipment, sitting there between Alice and Bob, and all it's doing is watching packets come in and looking at the ACK bit and asking, is the ACK bit zero? And if it is, you go, "Oh, wait. Wait, wait, wait. Hold on. ACK bit zero. Hey, everybody. Somebody is trying to do something here. 
Now let's look at the full five-tuple. It's coming from here, going in there. We good with that? Okay. It's this source port going to this destination port? Are we good with that? All right. And protocol, everybody good with that? Everybody's good with it. Okay, we allow it to proceed." And what's going to then happen is the SYN ACK and the ACK and so on. But if that packet with the ACK bit set to zero hits, and we decide, for whatever reason, that we're going to drop the packet, the session never happens. Bob never gets the phone call, never gets the connection, never gets the packet. Do you see how powerful that is? And that in essence is the embryonic beginnings, the embryonic birth, of a firewall. That comes from that. You're probably like, "Oh, firewall. No big deal. We put this thing in between." But that's where it starts. The packet hits and you know that, all right, it's going to port 80 and it's coming from a source port greater than 1023, from an internet address to one of my addresses. Oh, I see. Somebody's trying to surf my website. We good with that? Yeah, that's the whole idea of why we have a website. Come on in. But if it's some other port, let's say it's port 23, that's an old one. We see this protocol tool called Telnet, where you log on to somebody's computer. Nobody's going to let you do that now. So now, I see, it's going to port 23? You go, "Wait. Hold on a minute. What, are you kidding me? Destination port 23? What do you think, I was born yesterday? Forget it. No way are you going to telnet on to my machine." Boom, drop. You get the idea? Just using that one packet, we can make some pretty powerful decisions. Now, to test your understanding of this little bit, we've got a little quiz. So the answer is A: if you do that, there's no session. The way TCP/IP works is that if you're not expecting something, and a packet hits with the ACK bit one, you discard it, or whatever. It depends on the implementation. 
You'd like to think that your router is set up to do that. And as we get into firewall design and security design, you'll see we'll be watching for weird, stray things, and making sure we have rules in place to catch stray garbage that may be coming at you. So in a modern design, you wouldn't get away with that. And even if you did, you wouldn't be able to set up a session. So I hope this has been useful. I hope you got a good understanding of how that ACK bit has been so useful for firewall designers for many years. We'll explore this more in subsequent videos. I'll see you on the next one.
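The packet filter the lecture describes, as an added worked example (this is not code from the video or from Ed Amoroso): it pulls the five-tuple and the ACK bit out of a raw TCP header, lets anything with the ACK bit set through, and only consults a rule table for the session-initiating SYN. The address block `203.0.113.0/24` standing in for "my addresses", the client address `198.51.100.7`, the rule table and the helper names are all assumptions made for the example; the rules encode exactly the two decisions in the lecture (web traffic to port 80 from a source port above 1023 is allowed, Telnet on port 23 is dropped, everything else is dropped). The last function runs the three-step handshake through the filter and stops as soon as a packet is dropped, which is the "Bob never gets the phone call" outcome.

```python
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# TCP flag bits carried in byte 13 of the TCP header (RFC 793 layout).
FLAG_SYN = 0x02
FLAG_ACK = 0x10

# Assumed: the protected address block ("one of my addresses"); an RFC 5737 documentation range.
MY_NET = ip_network("203.0.113.0/24")


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    ack_bit: int  # 0 on the initiating SYN, 1 on every later packet of the session


def build_tcp_header(src_port: int, dst_port: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header with only the ports and flags filled in."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 0, 0, 0)


def parse_packet(src_ip: str, dst_ip: str, tcp_header: bytes) -> Packet:
    """Extract the five-tuple and the ACK bit from a raw TCP header."""
    src_port, dst_port = struct.unpack("!HH", tcp_header[:4])
    flags = tcp_header[13]
    return Packet(src_ip, dst_ip, "tcp", src_port, dst_port, 1 if flags & FLAG_ACK else 0)


# Hypothetical rule table: (name, src_net, dst_net, proto, src_port_range, dst_port_range, action).
# Checked top to bottom, first match wins; anything unmatched is dropped.
RULES = [
    ("web-in",    "0.0.0.0/0", str(MY_NET), "tcp", (1024, 65535), (80, 80), "allow"),
    ("no-telnet", "0.0.0.0/0", "0.0.0.0/0", "tcp", (0, 65535),    (23, 23), "drop"),
]


def decide(pkt: Packet) -> Tuple[str, str]:
    """Return (action, reason) for one packet, using only what is in that packet."""
    # ACK bit one: not a session request, so the filter passes it. If no session
    # exists, the receiving host has nothing to match it against and discards it.
    if pkt.ack_bit == 1:
        return "allow", "ack-bit-set"
    # ACK bit zero: somebody is trying to start a session. Look at the full five-tuple.
    for name, src_net, dst_net, proto, sports, dports, action in RULES:
        if (ip_address(pkt.src_ip) in ip_network(src_net)
                and ip_address(pkt.dst_ip) in ip_network(dst_net)
                and pkt.proto == proto
                and sports[0] <= pkt.src_port <= sports[1]
                and dports[0] <= pkt.dst_port <= dports[1]):
            return action, name
    return "drop", "default-deny"


def simulate_handshake(client_ip: str, server_ip: str,
                       client_port: int, server_port: int) -> List[Tuple[str, str, str]]:
    """Run SYN, SYN-ACK and ACK through the filter; stop at the first drop."""
    steps = [
        ("SYN",     client_ip, server_ip, client_port, server_port, FLAG_SYN),
        ("SYN-ACK", server_ip, client_ip, server_port, client_port, FLAG_SYN | FLAG_ACK),
        ("ACK",     client_ip, server_ip, client_port, server_port, FLAG_ACK),
    ]
    results = []
    for label, sip, dip, sport, dport, flags in steps:
        pkt = parse_packet(sip, dip, build_tcp_header(sport, dport, flags))
        action, reason = decide(pkt)
        results.append((label, action, reason))
        if action == "drop":
            break  # the SYN never arrived, so the session never happens
    return results


if __name__ == "__main__":
    # Constructed traffic: a web visitor, a Telnet attempt, and a stray ACK-bit-one packet.
    print(simulate_handshake("198.51.100.7", "203.0.113.10", 40000, 80))
    print(simulate_handshake("198.51.100.7", "203.0.113.10", 40000, 23))
    stray = parse_packet("198.51.100.7", "203.0.113.10", build_tcp_header(40000, 23, FLAG_ACK))
    print(decide(stray))
```

The last case in the usage block is the quiz situation: a packet to port 23 with the ACK bit already set sails past this one-packet filter, because the filter only judges session requests. No session exists for it, so the host has nothing to hand it to and discards it, which is why the lecture says a modern design also watches for that kind of stray garbage rather than relying on the ACK bit alone.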