7/21/2019 Firewall
1/27
cs591 chow
C. Edward Chow
Firewall
Chapter 18, Sec. 18.3.2 of Security Engineering
Page 451, Section 7.4 of Security in Computing
Linux Iptables Tutorial 1.2.0 by Oskar Andreasson
http://www.cl.cam.ac.uk/~rja14/Papers/SE-18.pdf
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
Outline of the Talk
Definition
Perimeter Defense and Firewall
Implement Firewall using Linux iptables
Firewall
Here is how Bob Shirey defines it in RFC 2828 (Internet Security Glossary):
Firewall: (I) An internetwork gateway that restricts data communication traffic to and from one of the connected networks (the one said to be "inside" the firewall) and thus protects that network's system resources against threats from the other network (the one that is said to be "outside" the firewall). (See: guard, security gateway.)
Perimeter Defense and Firewall
[Figure: Internet -> Outer Firewall/Router -> DMZ (switch; DNS server, web server, mail server, IDS, honeypot) -> Inner Firewall/Router -> Intranet (switch; Intra1 VM, Intra (win2003), IDS)]
Intrusion Prevention System (IPS): combining Firewall with IDS
[Figure: the same perimeter, with the outer firewall and its IDS combined into IPS (Outer) and the inner firewall and its IDS combined into IPS (Inner); DMZ with DNS, web and mail servers and a honeypot; Intranet with Intra1 VM and Intra (win2003)]
Unchecked Paths and Perimeter Defense
http://cs.uccs.edu/~abjohnso/cs591/hardlans.pdf
[Figure: the IPS-protected perimeter again, this time with an Intra (XP) host on the Intranet]
DMZ
Demilitarized Zone: a portion of a network that separates a purely internal network from an external network.
Guard (Firewall): a host that mediates access to a network, allowing/disallowing certain types of access on the basis of a configured policy.
Filtering firewall: a firewall that performs access control based on the attributes of packet headers, rather than the content.
Proxy: an intermediate agent or server that acts on behalf of an endpoint without allowing a direct connection between the two endpoints.
Proxy (Application Level) Firewall: a firewall that uses proxies to perform access control. It can be based on content as well as header information.
Content switches and SOCKS servers are typical examples.
Design Principles for Secure Mechanisms
Least Privilege
Fail-Safe Defaults
Economy of Mechanism
Complete Mediation
Open Design
Separation of Privilege
Least Common Mechanism
Psychological Acceptability
http://../designPrinciples/designPrinciples.ppt
Security Policies
The DMZ servers are typically not allowed to make connections to the Intranet.
Systems in the Internet are not allowed to directly contact any system in the Intranet.
Systems in the Intranet are not allowed to directly contact any system in the Internet (least privilege principle).
Systems in the DMZ serve as mediators (go-betweens). Passwords, certificates or other credentials are presented to obtain the mediating services.
No dual interface from DMZ servers directly to systems in the Intranet, except the inner firewall.
Intranet systems typically use private LAN addresses (RFC 1918): 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
Security Policy
Complete Mediation Principle: the inner firewall mediates every access involving the DMZ and the Intranet.
Separation of Privilege: different DMZ servers run different network functions, and the firewall machines are different entities than the DMZ servers.
This is also related to the Least Common Mechanism principle.
The outer firewall allows HTTP/HTTPS and SMTP access to the DMZ servers. Viruses and other malicious logic carried inside that allowed traffic still need to be detected, since a filtering firewall looks at headers, not content.
Linux Iptables/Netfilter
In Linux kernel 2.4/2.6 we typically use the new netfilter package with iptables commands to set up the firewall for:
Packet filtering
Network Address and Port Translation (NAT/NAPT)
Packet mangling
The old package called ipchains (and the even older ipfwadm) is deprecated.
http://www.netfilter.org/ is the main site for the package. We are using iptables 1.3.x. Tutorial and HOWTO manuals are available there.
Netfilter and Iptables
netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. A registered callback function is then called back for every packet that traverses the respective hook within the network stack.
iptables is a generic table structure for the definition of rulesets. Each rule within an IP table consists of a number of classifiers (iptables matches) and one connected action (iptables target).
netfilter, ip_tables, connection tracking (ip_conntrack, nf_conntrack) and the NAT subsystem together build the major parts of the framework.
What can I do with netfilter/iptables?
[Figure: packet path through the firewall: NIC -> PREROUTING chain (nat table) -> routing decision -> FORWARD chain (filter table) -> POSTROUTING chain (nat table) -> NIC to Intranet]
iptables -t nat -A PREROUTING -p TCP -i eth0 -d 128.168.60.1 --dport 80 -j DNAT --to-destination 192.168.10.2
iptables -A FORWARD -p ALL -s 128.199.66.1 -j REJECT
iptables -A FORWARD -p ALL -s <blocked host> -j LOG --log-prefix "bad guy:"
iptables -A FORWARD -p ALL -s <blocked host> -j DROP
Note: REJECT, LOG and DROP decisions belong in the filter table, which is the default when -t is omitted. The nat table has only the PREROUTING, OUTPUT and POSTROUTING chains, so "-t nat -A FORWARD" is not a valid rule.
DNAT and iptables command
DNAT: Destination Network Address Translation. Deals with packets from the Internet to our Internet-exposed servers. It translates the destination (external) IP address to the corresponding internal IP address of the DMZ server.
iptables -t nat -A PREROUTING -p TCP -i eth0 -d 128.168.60.1 --dport 80 -j DNAT --to-destination 192.168.10.2
-t  specify the table (nat here; filter is the default)
-A  append to a specific chain
-p  specify the protocol
-i  specify the incoming interface
-d  specify the matched destination IP address in the packet
-j  specify the target, i.e. the operation to be performed
--to-destination  substitute the destination IP address (option of the DNAT target)
Outgoing Packet Journey through Linux Firewall
[Figure: NIC to Intranet -> PREROUTING chain (nat table) -> routing decision -> FORWARD chain (filter table) -> POSTROUTING chain (nat table) -> NIC to Internet (eth0)]
iptables -A FORWARD -s 192.168.10.10 -j REJECT    (a certain system in the Intranet is not allowed out; FORWARD is a filter-table chain, so no -t nat)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
SNAT vs. MASQUERADE
SNAT (-j SNAT --to-source <address>) rewrites the source address to an address you name in the rule. Source ports are kept where possible and changed only when two connections would otherwise collide, so one public address can serve a whole intranet; an equal number of public and private addresses is not required.
SNAT is meant for static public addresses: the address is fixed in the rule, and connection-tracking entries survive the interface going down and up.
MASQUERADE (-j MASQUERADE) names no address. For each new connection it looks up the current address of the outgoing interface, and it forgets the tracked connections when that interface goes down. It is meant for dynamically assigned addresses (DHCP, dial-up, PPP).
Because MASQUERADE has to look up the interface address, SNAT is slightly cheaper. A site with a few static IP addresses should use SNAT; MASQUERADE is the typical method when the upstream address can change.
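The script below is an added example (not from the slides or from Andreasson's tutorial) that implements the policy of the "Security Policies" slides with the DNAT, SNAT and MASQUERADE rules discussed here, on a firewall with three NICs. The interface names eth0/eth1/eth2, the public address 128.168.60.1, the DMZ and Intranet prefixes and the server addresses are assumptions for illustration. DRY_RUN=1 prints the rules instead of loading them, which is how the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example: three-interface Linux firewall for the slides' DMZ policy.
# Assumed layout (not from the slides): eth0 = Internet, eth1 = DMZ, eth2 = Intranet.
# "sh fw.sh show" prints the rules, "sudo sh fw.sh apply" loads them.

WAN_IF=${WAN_IF:-eth0}
DMZ_IF=${DMZ_IF:-eth1}
LAN_IF=${LAN_IF:-eth2}
WAN_IP=${WAN_IP:-128.168.60.1}          # public address; empty means "dynamic"
DMZ_NET=${DMZ_NET:-192.168.10.0/24}
LAN_NET=${LAN_NET:-10.0.1.0/24}
WEB_SRV=${WEB_SRV:-192.168.10.2}
MAIL_SRV=${MAIL_SRV:-192.168.10.3}

# Every rule goes through ipt so that DRY_RUN=1 echoes instead of executing.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Static public address: SNAT names it and keeps conntrack entries across link
# flaps. No fixed address (DHCP, PPP): MASQUERADE reads the interface address
# per connection and forgets the connections when the interface goes down.
postrouting_nat() {
    if [ -n "$WAN_IP" ]; then
        ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$DMZ_NET" -j SNAT --to-source "$WAN_IP"
    else
        ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$DMZ_NET" -j MASQUERADE
    fi
}

load_firewall() {
    # Fail-safe defaults: flush, then drop everything not explicitly allowed.
    ipt -F
    ipt -t nat -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT

    # Anti-spoofing: RFC 1918 sources must never arrive on the Internet side.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        ipt -A FORWARD -i "$WAN_IF" -s "$net" -j DROP
    done

    # Stateful core: replies to accepted connections pass in either direction.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Internet -> DMZ: HTTP/HTTPS to the web server, SMTP to the mail server
    # (the outer-firewall policy), via DNAT on the public address. With a
    # dynamic address there is nothing to match on but the interface.
    dst=${WAN_IP:+-d $WAN_IP}
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp $dst --dport 80  -j DNAT --to-destination "$WEB_SRV"
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp $dst --dport 443 -j DNAT --to-destination "$WEB_SRV"
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp $dst --dport 25  -j DNAT --to-destination "$MAIL_SRV"
    ipt -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p tcp -d "$WEB_SRV"  -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p tcp -d "$MAIL_SRV" --dport 25 -m state --state NEW -j ACCEPT

    # DMZ servers never initiate connections into the Intranet: log, then drop.
    ipt -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -m state --state NEW -j LOG --log-prefix "dmz-to-lan:"
    ipt -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j DROP

    # Intranet reaches the DMZ go-betweens only, never the Internet directly.
    ipt -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_NET" -d "$DMZ_NET" -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j DROP

    # DMZ -> Internet (mail relay, DNS resolution) behind source NAT.
    ipt -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$DMZ_NET" -m state --state NEW -j ACCEPT
    postrouting_nat
}

case "${1:-}" in
    show)  DRY_RUN=1 load_firewall ;;
    apply) load_firewall ;;
esac
```

Rule order matters: the ESTABLISHED,RELATED rule sits before the DMZ-to-Intranet drop, so replies to connections the Intranet opened into the DMZ still pass while anything the DMZ initiates is logged and dropped. Setting WAN_IP to the empty string switches the POSTROUTING rule from SNAT to MASQUERADE and removes the -d match from the DNAT rules, which is the configuration for a dynamically assigned upstream address.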
Incoming Packet Journey to Server in Firewall
[Figure: NIC to Internet (eth0) -> PREROUTING chain (nat table) -> routing decision -> INPUT chain (filter table) -> local process]
iptables -t nat -A PREROUTING -p TCP -i eth0 -d 128.168.60.11 --dport <vpn port> -j DNAT --to-destination 192.168.10.1
Example: VPN gateway running on the firewall, alpha.uccs.edu
Outgoing Packet Journey from Inside Firewall
[Figure: local process -> OUTPUT chain (nat table) -> OUTPUT chain (filter table) -> POSTROUTING chain (nat table) -> NIC to Internet (eth0)]
IP Tables and Packet Journey
[Figure: overall traversal of the iptables tables and chains, as in the tutorial's "Traversing of tables and chains" chapter]
DMZ Example
See http://iptables-tutorial.frozentux.net/iptables-tutorial.html#RCDMZFIREWALLTXT (the tutorial's rc.DMZ.firewall.txt script).
Turtle Firewall
Turtle Firewall is software which allows you to realize a Linux firewall in a simple and fast way.
It is based on kernel 2.4.x and iptables. Its way of working is easy to understand: you define the different firewall elements (zones, hosts, networks) and then set the services you want to enable among the different elements or groups of elements. You can do this simply by editing an XML file or by using the comfortable Webmin web interface.
Turtle Firewall is an Open Source project written in Perl and released under GPL version 2.0 by Andrea Frigido (Frisoft).
SmoothWall
SmoothWall Express is an open source firewall distribution based on the GNU/Linux operating system.
SmoothWall is configured via a web-based GUI, and requires absolutely no knowledge of Linux to install or use (scary statement!).
It integrates firewall, DHCP, VPN, IDS, web proxy, SSH and dynamic DNS.
http://downloads.smoothwall.org/pdf/2.0/admin.pdf
SonicWALL PRO 300 Firewall
A firewall device with 3 ports: Internet, DMZ, Intranet.
http://www.sonicwall.com/products/pro330.html
Restriction: NAT does not apply to servers on the DMZ; they need public IP addresses.
You can use one-to-one NAT for systems in the Intranet.
Supports VPN: IPSec VPN, compatible with other IPSec-compliant VPN gateways.
Bundled VPN clients for remote users.
Supports up to 1,000 VPN Security Associations.
3DES (168-bit) VPN performance: [Mbps figure missing].
ICSA Certified, Stateful Packet Inspection firewall.
Unlimited number of users.
Concurrent connections: 128,000.
Firewall performance: 190 Mbps (bi-directional).
Stateful Firewall
The most common firewall now.
It tracks the state of connections (say TCP) and discards packets whose flags do not fit the tracked state, for example a SYN,ACK or a bare ACK that belongs to no existing connection.
With netfilter, we can use the -m state option of iptables (the tutorial's bad_tcp_packets chain):
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
    -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
    --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A allowed -p TCP -i $DMZ_IFACE -d 10.0.2.0/24 -m state --state NEW -j REJECT
http://iptables-tutorial.frozentux.net/iptables-tutorial.html#TCPCONNECTIONS
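The LOG rules above (and the "bad guy:" rule on the earlier netfilter slide) only produce kernel messages; somebody still has to read them. The functions below are an added example, not part of the slides or the tutorial, that turn those messages into a per-source summary and flag sources that probed several destination ports. The log lines in SAMPLE_LOG are constructed to mimic netfilter LOG output with the slide's prefixes; the addresses in them are documentation ranges chosen for the example.

```shell
#!/bin/sh
# Added example: summarize netfilter LOG messages. Usage on a real box:
#   fw_top_sources < /var/log/kern.log      or      dmesg | fw_multiport_sources 3
# SAMPLE_LOG is constructed test data in the format the LOG target writes.
SAMPLE_LOG='Jul 21 10:15:02 fw kernel: New not syn:IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.10.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44123 DPT=80 WINDOW=1024 RES=0x00 ACK URGP=0
Jul 21 10:15:02 fw kernel: New not syn:IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.10.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44124 DPT=443 WINDOW=1024 RES=0x00 ACK URGP=0
Jul 21 10:15:03 fw kernel: New not syn:IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.10.3 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44125 DPT=25 WINDOW=1024 RES=0x00 FIN URGP=0
Jul 21 10:16:10 fw kernel: bad guy:IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.168.10.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1234 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 21 10:16:11 fw kernel: bad guy:IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.168.10.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1235 DF PROTO=TCP SPT=51001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 21 10:16:12 fw sshd[812]: Accepted publickey for chow from 10.0.1.5 port 50022 ssh2'

# One "prefix|src|dpt|flags" record per netfilter LOG line on stdin;
# other kernel or syslog messages are skipped.
fw_log_records() {
    awk '
    /kernel: / && /SRC=/ && /DST=/ {
        line = $0
        sub(/^.*kernel: /, "", line)        # drop the syslog timestamp and host
        split(line, parts, "IN=")           # the --log-prefix is everything before IN=
        prefix = parts[1]
        src = ""; dpt = ""; flags = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            else if ($i ~ /^(SYN|ACK|FIN|RST|PSH|URG)$/) flags = flags $i ","
        }
        sub(/,$/, "", flags)
        print prefix "|" src "|" dpt "|" flags
    }'
}

# Number of logged packets per source address, most active first.
fw_top_sources() {
    fw_log_records | awk -F'|' '{ c[$2]++ } END { for (s in c) print c[s], s }' \
        | sort -k1,1nr -k2,2
}

# Sources that touched more than N distinct destination ports (default 1):
# the usual signature of a port scan rather than a single misbehaving client.
fw_multiport_sources() {
    n=${1:-1}
    fw_log_records | awk -F'|' -v n="$n" '
        !seen[$2 "|" $3]++ { ports[$2]++ }
        END { for (s in ports) if (ports[s] > n) print s }' | sort
}
```

The prefix is recovered by splitting on "IN=", which is why the slide's prefixes end in a colon with no trailing space: anything after the colon would otherwise be glued to the first field. A prefix containing "kernel: " would confuse the first sub(); none of the tutorial's prefixes do.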
Lab Testbed for Exercise
[Figure: Internet -> Outer FW (fc6) -> DMZ (192.168.n.0/24, HP switch; DNS server, web server, mail server) -> Inner FW (fc6) -> Intranet (10.0.n.0/24, DLink switches SW and SW1; Intra1 VM, Intra (win2003))]
Firewall Facts
(C) entries from the firewall definition in RFC 2828:
(C) A firewall typically protects a smaller, secure network (such as a corporate LAN, or even just one host) from a larger network (such as the Internet). The firewall is installed at the point where the networks connect, and the firewall applies security policy rules to control traffic that flows in and out of the protected network.
(C) A firewall is not always a single computer. For example, a firewall may consist of a pair of filtering routers and one or more proxy servers running on one or more bastion hosts, all connected to a small, dedicated LAN between the two routers. The external router blocks attacks that use IP to break security (IP address spoofing, source routing, packet fragments), while proxy servers block attacks that would exploit a vulnerability in a higher layer protocol or service. The internal router blocks traffic from leaving the protected network except through the proxy servers. The difficult part is defining criteria by which packets are denied passage through the firewall, because a firewall not only needs to keep intruders out, but usually also needs to let authorized users in and out.