Firewall


  • 7/21/2019 Firewall

    1/27

    cs591 chow

    Firewall, C. Edward Chow

    Chapter 18, Sec. 18.3.2 of Security Engineering

    Page 451, Section 7.4 of Security in Computing

    Linux Iptables Tutorial 1.2.0 by Oskar Andreasson

    http://www.cl.cam.ac.uk/~rja14/Papers/SE-18.pdf

    http://iptables-tutorial.frozentux.net/iptables-tutorial.html
  • Slide 2/27: Outline of the Talk

    Definition

    Perimeter Defense and Firewall

    Implement Firewall using Linux iptables

  • Slide 3/27: Firewall

    Here is how Bob Shirey defines it in RFC 2828, Firewall:

    (I) An internetwork gateway that restricts data communication traffic to and from one of the connected networks (the one said to be "inside" the firewall) and thus protects that network's system resources against threats from the other network (the one that is said to be "outside" the firewall). (See: guard, security gateway.)

  • Slide 4/27: Perimeter Defense and Firewall

    [Diagram: Internet; Outer Firewall/Router; DMZ with DNS Server, Web Server, Mail Server, switches (SW), IDS and Honeypot; Inner Firewall/Router; Intranet with Intra1 VM and Intra (win2003) hosts and an IDS]

  • Slide 5/27: Intrusion Prevention System (IPS): combining Firewall with IDS

    [Diagram: the perimeter network of the previous slide, with the Outer Firewall/Router labelled IPS Router and the Inner Firewall labelled IPS Inner; DMZ with DNS Server, Web Server, Mail Server, IDS and Honeypot; Intranet with Intra1 VM and Intra (win2003)]

  • Slide 6/27: Unchecked Paths and Perimeter Defense

    http://cs.uccs.edu/~abjohnso/cs591/hardlans.pdf

    [Diagram: the same perimeter network (IPS Router, DMZ with DNS Server, Web Server, Mail Server, IDS and Honeypot, IPS Inner firewall), with the Intranet hosts Intra1 VM and Intra (XP)]

  • Slide 7/27: DMZ

    Demilitarized Zone: a portion of a network that separates a purely internal network from an external network.

    Guard (Firewall): a host that mediates access to a network, allowing/disallowing certain types of access on the basis of a configured policy.

    Filtering firewall: a firewall that performs access control based on the attributes of packet headers, rather than the content.

    Proxy: an intermediate agent or server that acts on behalf of an endpoint without allowing a direct connection between the two endpoints.

    Proxy (Application Level) Firewall: a firewall that uses proxies to perform access control. It can be based on content and header info. Content Switch/SOCKS Server are typical examples.

  • Slide 8/27: Design Principles for Secure Mechanisms

    Least Privilege

    Fail-Safe Defaults

    Economy of Mechanism

    Complete Mediation

    Open Design

    Separation of Privilege

    Least Common Mechanism

    Psychological Acceptability

    http://../designPrinciples/designPrinciples.ppt

  • Slide 9/27: Security Policies

    The DMZ servers are typically not allowed to make connections to the intranet.

    Systems in the Internet are not allowed to directly contact any systems in the intranet.

    Systems in the Intranet are not allowed to directly contact any systems in the Internet. (least privilege principle)

    Systems in the DMZ serve as mediators (go-betweens). Passwords/certificates/credentials are presented for allowing mediating services.

    No dual interface from DMZ servers directly to systems in the Intranet except the inner firewall.

    Intranet systems typically use private LAN addresses (e.g. 10.x.y.z/8).

  • Slide 10/27: Security Policy

    Complete Mediation Principle: the inner firewall mediates every access involving the DMZ and the Intranet.

    Separation of privilege: with different DMZ servers running different network functions, the firewall machines are different entities than the DMZ servers. It is also related to the least common mechanism principle.

    The outer firewall allows HTTP/HTTPS and SMTP access to the DMZ servers. Need to detect viruses and malicious logic.

  • Slide 11/27: Linux Iptables/Netfilter

    In Linux kernel 2.4/2.6 we typically use the new netfilter package with iptables commands to set up the firewall for: packet filtering; Network Address and Port Translation (NAT/NAPT); packet mangling.

    The old package called IP chains (and the even older ipfwadm) will be deprecated.

    http://www.netfilter.org/ is the main site for the package. We are using iptables 1.3. The tutorial and HOW-TO manual are available there.

  • Slide 12/27: Netfilter and Iptables

    netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. A registered callback function is then called back for every packet that traverses the respective hook within the network stack.

    iptables is a generic table structure for the definition of rulesets. Each rule within an IP table consists of a number of classifiers (iptables matches) and one connected action (iptables target).

    netfilter, ip_tables, connection tracking (ip_conntrack, nf_conntrack) and the NAT subsystem together build the major parts of the framework.

  • Slide 13/27: What can I do with netfilter/iptables?

    [Diagram: packet path through the firewall: nat table PREROUTING chain, Routing Decision, filter table FORWARD chain, nat table POSTROUTING chain, NIC to Intranet]

    iptables -t nat -A PREROUTING -p TCP -i eth0 -d 1?8.168.60.1 --dport 80 -j DNAT --to-destination 192.168.10.?

    iptables -A FORWARD -p ALL -s 1?8.199.66.1 -j REJECT

    iptables -A FORWARD -p ALL -s 1?8.?00.0.? -j LOG --log-prefix "bad guy:"

    iptables -A FORWARD -p ALL -s 1?8.?00.0.? -j DROP

    (Digits shown as ? are unreadable in the slide; FORWARD is a chain of the filter table, so the REJECT rule takes no -t nat.)

  • Slide 15/27: DNAT and Iptables command

    DNAT: Destination Network Address Translation. Deals with packets from the Internet to our Internet-exposed servers. It translates the destination (external) IP address to the corresponding internal IP address of the DMZ server.

    iptables -t nat -A PREROUTING -p TCP -i eth0 -d 1?8.168.60.1 --dport 80 -j DNAT --to-destination 192.168.10.?

    -t specify the type of table
    -A Append to a specific chain
    -p specify the protocol
    -i specify the incoming interface
    -d specify the matched destination IP address in the packet
    -j specify the target, or operation to be performed
    --to-destination substitute the destination IP address

  • Slide 16/27: Outgoing Packet Journey through Linux Firewall

    [Diagram: NIC to Intranet, nat table PREROUTING chain, Routing Decision, filter table FORWARD chain, nat table POSTROUTING chain, NIC to Internet (eth0)]

    iptables -A FORWARD -s 192.168.10.10 -j REJECT
    (a certain system in the Intranet is not allowed out; FORWARD belongs to the filter table, not the nat table)

    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

  • Slide 17/27: SNAT vs. MASQUERADE

    SNAT translates only the IP addresses; the port number is preserved unchanged.

    However, it requires that you have as many outgoing IP addresses as there are intranet IP addresses appearing in the source address field of the outgoing packets.

    Since it does not have to search for an available port or an available IP address, SNAT is faster than MASQUERADE.

    For smaller organizations which only have a few static IP addresses, MASQUERADE is the typical method.

  • Slide 18/27: Incoming Packet Journey to Server in Firewall

    [Diagram: NIC to Internet (eth0), nat table PREROUTING chain, Routing Decision, filter table INPUT chain, Local Process]

    iptables -t nat -A PREROUTING -p TCP -i eth0 -d 1?8.168.60.11 --dport ?3 -j DNAT --to-destination 192.168.10.1

    Example: VPN gateway running on firewall (alpha.uccs.edu)

  • Slide 19/27: Outgoing Packet Journey from Inside Firewall

    [Diagram: Local Process, filter table OUTPUT chain, nat table OUTPUT chain, nat table POSTROUTING chain, NIC to Internet (eth0)]

  • Slide 20/27: IP Tables and Packet Journey

  • Slide 21/27: DMZ Example

    See http://iptables-tutorial.frozentux.net/iptables-tutorial.html#RCDMZFIREWALLTXT

  • Slide 22/27: Turtle Firewall

    Turtle Firewall is software which allows you to realize a Linux firewall in a simple and fast way.

    It's based on Kernel 2.4.x and Iptables. Its way of working is easy to understand: you can define the different firewall elements (zones, hosts, networks) and then set the services you want to enable among the different elements or groups of elements. You can do this simply by editing an XML file or using the comfortable web interface Webmin.

    Turtle Firewall is an Open Source project written in the Perl language and released under GPL version 2.0 by Andrea Frigido (Frisoft).

  • Slide 23/27: SmoothWall

    SmoothWall Express is an open source firewall distribution based on the GNU/Linux operating system.

    SmoothWall is configured via a web-based GUI, and requires absolutely no knowledge of Linux to install or use; (scary statement!)

    It integrates firewall, DHCP, VPN, IDS, Web proxy, SSH, Dynamic DNS.

    http://downloads.smoothwall.org/pdf/?.0/admin.pdf

  • Slide 24/27: Sonicwall Pro 300 Firewall

    A firewall device with 3 ports: Internet, DMZ, Intranet.

    http://www.sonicwall.com/products/pro330.html

    Restriction: NAT does not apply to servers on the DMZ. Need to use public IP addresses.

    You can use one-to-one NAT for systems in the Intranet.

    Supports VPN: IPSec VPN, compatible with other IPSec-compliant VPN gateways

    Bundled with ?00 VPN clients for remote users

    Supports up to 1,000 VPN Security Associations

    3DES (168-Bit) Performance: ? Mbps

    ICSA Certified, Stateful Packet Inspection firewall

    Unlimited number of users

    Concurrent connections: 1?8,000

    Firewall performance: 190 Mbps (bi-directional)

    (Digits shown as ? are unreadable in the slide.)

  • Slide 25/27: Stateful Firewall

    The most common firewall now.

    It checks the state of the connections, say TCP, and discards packets with incorrect message types.

    With netfilter, we can use the -m state option of iptables:

    $IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
    $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
    $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

    $IPTABLES -A allowed -p TCP -i $DMZ_IFACE -d 10.0.3.0/24 -m state --state NEW -j REJECT

    http://iptables-tutorial.frozentux.net/iptables-tutorial.html#TCPCONNECTIONS
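    Assembling the security-policy, DNAT, MASQUERADE and bad_tcp_packets rules from the slides above into one reviewable script, as an added example that is neither the lecture's lab script nor the iptables tutorial's rc.DMZ.firewall: the interface names, the public address 203.0.113.10, the DMZ servers 192.168.10.2/.3, the LAN 10.0.0.0/24 and the blocked host 10.0.0.100 are constructed placeholders, and the script only prints rules unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not the lecture's lab script): one reviewable DMZ firewall policy built
# from the DNAT, MASQUERADE, FORWARD and bad_tcp_packets rules on the slides.
# Rules are printed by default; APPLY=1 hands them to iptables. Addresses are constructed.
IPTABLES="${IPTABLES:-/sbin/iptables}"
INET_IFACE=eth0; INET_IP=203.0.113.10                          # public side
DMZ_IFACE=eth1;  DMZ_WEB=192.168.10.2; DMZ_MAIL=192.168.10.3   # DMZ servers
LAN_IFACE=eth2;  LAN_NET=10.0.0.0/24;  LAN_BLOCKED=10.0.0.100  # intranet

run() { if [ "${APPLY:-0}" = 1 ]; then "$IPTABLES" "$@"; else echo "$IPTABLES $*"; fi; }

# Stateful sanity chain: a NEW TCP connection must begin with a bare SYN.
bad_tcp_chain() {
  run -N bad_tcp_packets
  run -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW \
      -j REJECT --reject-with tcp-reset
  run -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
  run -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
}

# Outer-firewall policy: only HTTP/HTTPS/SMTP are exposed, each DNATed to its DMZ server.
nat_rules() {
  for spec in "80 $DMZ_WEB" "443 $DMZ_WEB" "25 $DMZ_MAIL"; do
    set -- $spec   # $1 = port, $2 = DMZ server
    run -t nat -A PREROUTING -p tcp -i "$INET_IFACE" -d "$INET_IP" --dport "$1" \
        -j DNAT --to-destination "$2"
  done
  # Few static public addresses, so MASQUERADE the intranet instead of one-to-one SNAT.
  run -t nat -A POSTROUTING -o "$INET_IFACE" -s "$LAN_NET" -j MASQUERADE
}

forward_rules() {
  run -P FORWARD DROP                                            # fail-safe default
  run -A FORWARD -p tcp -j bad_tcp_packets
  run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  run -A FORWARD -i "$INET_IFACE" -o "$DMZ_IFACE" -p tcp -d "$DMZ_WEB" \
      -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
  run -A FORWARD -i "$INET_IFACE" -o "$DMZ_IFACE" -p tcp -d "$DMZ_MAIL" --dport 25 \
      -m state --state NEW -j ACCEPT
  run -A FORWARD -i "$LAN_IFACE" -s "$LAN_BLOCKED" -j REJECT      # this host may not go out
  run -A FORWARD -i "$LAN_IFACE" -m state --state NEW -j ACCEPT   # intranet to DMZ/Internet
  # DMZ servers never initiate toward the intranet; the Internet never reaches it directly.
  run -A FORWARD -i "$DMZ_IFACE" -o "$LAN_IFACE" -j LOG --log-prefix "DMZ to LAN:"
  run -A FORWARD -i "$DMZ_IFACE" -o "$LAN_IFACE" -j DROP
  run -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" -j DROP
}

bad_tcp_chain; nat_rules; forward_rules
```

    Run it without APPLY first and read the printed rules against the security-policy slides before installing them with APPLY=1.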

  • Slide 26/27: Lab Testbed for Exercise

    [Diagram: Internet; OuterFW (fc6); DLink SW; DMZ (192.168.n.0/24) with DNS Server, Web Server, Mail Server; InnerFW (fc6); HP?00 SW; DLink SW1; Intranet (10.0.n.0/24) with Intra1 VM and Intra (win2003); Firewall (fc6)]

  • Slide 27/27: Firewall Facts

    (C) A firewall typically protects a smaller, secure network (such as a corporate LAN, or even just one host) from a larger network (such as the Internet). The firewall is installed at the point where the networks connect, and the firewall applies security policy rules to control traffic that flows in and out of the protected network.

    (C) A firewall is not always a single computer. For example, a firewall may consist of a pair of filtering routers and one or more proxy servers running on one or more bastion hosts, all connected to a small, dedicated LAN between the two routers. The external router blocks attacks that use IP to break security (IP address spoofing, source routing, packet fragments), while proxy servers block attacks that would exploit a vulnerability in a higher layer protocol or service. The internal router blocks traffic from leaving the protected network except through the proxy servers. The difficult part is defining criteria by which packets are denied passage through the firewall, because a firewall not only needs to keep intruders out, but usually also needs to let authorized users in and out.