8/10/2019 Firewalls (11)
1/18
Firewalls
Philip MacCabe
IT 461R
September 28, 2004
Heavily borrowing, and sometimes outright stealing, information from Internet Firewalls: Frequently Asked Questions by Paul Robertson, Matt Curtin, and Marcus Ranum
Creative Commons Attribution-NonCommercial-ShareAlike License, Philip MacCabe, 28 September 2004
http://www.interhack.net/pubs/fwfaq/firewalls-faq.html
http://creativecommons.org/licenses/by-nc-sa/2.5/
http://www.maccabe.org/
What is a Firewall?
A system to enforce an access control policy between two or more networks.

Types of Firewalls
Network Layer: faster, but less able to perform sophisticated packet examination.
Application Layer: slower, but more complex packet examination is possible.
Hybrid: the spectrum in between. Most current firewalls are somewhere in this category.
Terminology
Access Router: a router that provides a connection to an external network.
Bastion Host: a system that has been hardened to resist attack, one which is expected to come under attack.
Defense in Depth: a security approach where all network-connected systems are secured as much as possible.
DMZ: DeMilitarized Zone, an area outside the firewall for externally accessible hosts. These hosts should be bastion hosts.
Proxy: a software agent that acts on behalf of a user or another device, usually providing some sort of authentication.
Screening Router: a router configured to allow or deny access based on a set of rules configured by an administrator.
Firewall Topologies
[Figure: firewall topology diagrams; images from Iptables Tutorial 1.1.19]
Why do we need Firewalls?
To limit access to internal networks and network services.
As a security blanket for managers.
Historically, firewalls have acted as sources for public information for a network or organization.
Designing a Firewall: Planning
What is the purpose of the Firewall?
  Limit Service [-------------------] Monitor & Audit
Establish your risk level: how paranoid are you?
Determine how much monitoring and redundancy you need.
Financial & Management
  Who pays, and how?
  Who is responsible for implementation? For maintenance?
Technical Planning
Network Level, Application Level or Both?
Network Level (Screening Router): usually faster at processing data.
Application Level (Exposed Proxy Server): better auditing is possible, but a proxy must be configured for each service.
Both: the security of both, but with overhead in cost and configuration.
Ease of Use vs. Security
Network Layer Firewall
Filters based on addressing and control information, the "envelope" of the packet.
Denies traffic on certain ports or from certain address ranges.
Imposes limitations on packets to ensure they don't overwhelm the network (TTL, packet size).
Application Layer Firewall
Proxy servers for each service allowed through the firewall.
Used when it is necessary to filter based on content, the "letter" in the packet.
Can be used to detect and prevent known exploits of particular protocols.
Acts as a Man in the Middle.
netfilter/iptables (http://www.netfilter.org/)
Linux firewall implementation toolset.
Provides packet filtering, connection tracking, NAT, and port forwarding.
Provides tables of rules through which packets are passed to determine what to do with them.
Inside a table there are chains of rules which a packet must traverse before being sent on its way.
Provides an API for applications to interact with and manage firewall configuration.
Netfilter Architecture (http://www.netfilter.org/documentation/HOWTO//netfilter-hacking-HOWTO-3.html)

--->PRE------>[ROUTE]--->FWD---------->POST------>
    Conntrack    |       Mangle   ^    Mangle
    Mangle       |       Filter   |    NAT (Src)
    NAT (Dst)    |                |    Conntrack
    (QDisc)      |             [ROUTE]
                 v                |
                 IN Filter       OUT Conntrack
                 |  Conntrack     ^  Mangle
                 |  Mangle        |  NAT (Dst)
                 v                |  Filter
iptables
filter: rules for DROPing or ACCEPTing packets; this is the default table. INPUT, FORWARD, and OUTPUT chains.
mangle: rules for altering packets. PREROUTING, OUTPUT, and POSTROUTING chains.
nat: rules that perform NAT on packets. PREROUTING, POSTROUTING, OUTPUT, INPUT and FORWARD chains.
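The tables and built-in chains listed above, together with each chain's default policy, are exactly what iptables-save prints, so a ruleset can be audited from that text. The script below is an added example, not from the slides or from the netfilter project: it parses a constructed iptables-save dump, lists every chain with its policy and rule count, and flags filter chains whose default policy is ACCEPT, the fail-open setting on a screening host.

```shell
#!/bin/sh
# Added example (not from the slides). Audits iptables-save output offline.

# Constructed sample of iptables-save output: a "*table" header, one
# ":CHAIN POLICY [pkts:bytes]" line per chain, the rules, then COMMIT.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Print one line per chain: "table chain policy rule_count".
summarize_dump() {   # $1 = dump text
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($1, 2); next }
        /^:/  { chain = substr($1, 2)
                policy[table, chain] = $2; count[table, chain] = 0
                order[++n] = table SUBSEP chain; next }
        /^-A/ { count[table, $2]++; next }
        END   { for (i = 1; i <= n; i++) {
                    split(order[i], k, SUBSEP)
                    print k[1], k[2], policy[k[1], k[2]], count[k[1], k[2]]
                } }'
}

# List filter-table chains whose default policy is ACCEPT. A screening
# host should fail closed: the policy is DROP and only explicit rules
# ACCEPT; otherwise every port without a rule is reachable.
open_filter_chains() {   # $1 = dump text
    summarize_dump "$1" | awk '$1 == "filter" && $3 == "ACCEPT" { print $2 }'
}
```

On a live system, feed the real dump with: open_filter_chains "$(iptables-save)".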
Some Example Commands (http://iptables-tutorial.frozentux.net/iptables-tutorial.html)
iptables -A INPUT -p tcp --dport 80 -j DROP
    (--dport needs a protocol match such as -p tcp; without it iptables rejects the rule)
iptables -D INPUT 1
    (rules are numbered within a chain)
iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 194.236.50.155-194.236.50.160:1024-32000
iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-set 64
iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-prefix "SSH connection attempt: "
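Putting the commands above together into a fail-closed ruleset for a screening router, as an added example that is not from the slides or from the iptables tutorial. It assumes eth0 is the external interface, eth1 the internal one and 192.168.1.0/24 the internal network (all constructed), reuses the public address from the SNAT example, and uses the LOG target in place of ULOG; set IPT=echo to print the rules instead of applying them, since applying them needs root.

```shell
#!/bin/sh
# Added example (not from the slides). Constructed assumptions: eth0 is the
# external interface, eth1 the internal one, 192.168.1.0/24 the internal net.
IPT=${IPT:-iptables}
EXT_IF=eth0
INT_IF=eth1
INT_NET=192.168.1.0/24
PUBLIC_IP=194.236.50.155   # taken from the SNAT example on the slide

apply_rules() {
    # Flush all three tables, then fail closed: whatever the rules below do
    # not explicitly ACCEPT is dropped by the chain's default policy.
    $IPT -F; $IPT -t nat -F; $IPT -t mangle -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, and packets belonging to connections conntrack already knows.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Record new SSH attempts arriving from outside (LOG instead of ULOG);
    # they then fall through to the DROP policy. SSH is accepted only from
    # the internal network.
    $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 22 -m state --state NEW \
        -j LOG --log-prefix "SSH connection attempt: "
    $IPT -A INPUT -i "$INT_IF" -s "$INT_NET" -p tcp --dport 22 -j ACCEPT

    # Internal hosts may initiate connections outward; nothing is forwarded in.
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -j ACCEPT

    # nat table: rewrite the source address of outbound traffic.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j SNAT --to-source "$PUBLIC_IP"

    # mangle table: normalise the TTL of packets entering on eth0, as on the slide.
    $IPT -t mangle -A PREROUTING -i "$EXT_IF" -j TTL --ttl-set 64
}

# Dry run: count the rules apply_rules would append to table $1, chain $2.
count_rules() {
    (IPT=echo; apply_rules) | awk -v t="$1" -v c="$2" '
        { tbl = "filter"; chain = ""
          for (i = 1; i <= NF; i++) {
              if ($i == "-t") tbl = $(i + 1)
              if ($i == "-A") chain = $(i + 1)
          }
          if (tbl == t && chain == c) n++ }
        END { print n + 0 }'
}
```

Review the generated rules with (IPT=echo; apply_rules) before running apply_rules as root.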
Other Sources of Information on the Internet
Site Security Handbook (http://www.rfc-editor.org/rfc/rfc2196.txt): The Site Security Handbook is an IETF informational document that describes the basic issues that must be addressed for building good site security. Firewalls are one part of a larger security strategy, as the Site Security Handbook shows.
Firewalls Mailing List (http://www.isc.org/index.pl?/ops/lists/firewalls/): The internet firewalls mailing list is a forum for firewall administrators and implementors.
Firewall-Wizards Mailing List (http://honor.icsalabs.com/mailman/listinfo/firewall-wizards): The Firewall Wizards Mailing List is a moderated firewall and security related list that is more like a journal than a public soapbox.
Firewall HOWTO (http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html): Describes exactly what is needed to build a firewall, particularly using Linux.
Firewall Toolkit (TIS) & Firewall Papers
Marcus Ranum's Firewall Publications (http://www.ranum.com/pubs/)
Texas A&M University Security Tools (http://www.net.tamu.edu/ftp/security/TAMU/)
COAST Project Internet Firewalls Page (http://www.cerias.purdue.edu/coast/firewalls/)
Iptables Tutorial 1.1.19 (http://iptables-tutorial.frozentux.net/iptables-tutorial.html): Oskar Andreasson explains how to set up and configure a firewall using netfilter/iptables.
Other Sources in Print
Obligatory "Any Questions?" Slide