Firewalls in Linux
Rodney Barker
Amanda Bolster
Jennifer Dixon
Overview
START
– The Project
– Objectives
– Definitions
– What firewall? What technology?
– Installation Process
– Testing
– Problems encountered
END
The Project …
Objectives
– Successfully install a firewall on the Linux-Mandrake Operating System
– To learn about firewalls
Why?
– We haven’t done it before
– To Have FUN!!!
What is a Firewall?
“A system designed to prevent unauthorized access to or from a private network” (www.webopedia.com)
Often used to protect Intranets
Set of security criteria to define access to a computer or network of computers
Firewalls and Network Interfaces
[Diagram: Internet, External NIC, Firewall, Internal NIC, Intranet]
Firewalls that protect a network from the Internet have two Network Interfaces, one for the Internet, one for the Intranet.
Firewall Techniques
Packet Filter
– Based on a set of rules, accept or reject each packet
Application Gateway
– Place restrictions on specific applications (eg FTP)
Circuit-Level Gateway
– Apply security mechanisms when the connection between computers is established
Proxy Server
– Hides true network addresses
Protocols Related to Firewall Security
Different protocols exist at different layers of the OSI (Open System Interconnection) model.
Application: DNS, FTP, TFTP, BOOTP, SNMP, RLOGIN, SMTP, MIME, NFS, FINGER, TELNET, NCP, APPC, AFP, SMB
Presentation
Session: NetBIOS Named Pipes, Mail Slots, RPC
Transport: TCP, ARP, RARP; SPX, NWLink NetBIOS / NetBEUI, ATP
Network: IP, ARP, RARP, ICMP, RIP, OSPF, IGMP, IPX, NWLink, NetBEUI, OSI, DDP, DECnet
Datalink: 802.1 OSI Model, 802.2 Logical Link Control, 802.3 CSMA/CD (Ethernet), 802.4 Token Bus (ARCnet), 802.5 Token Ring, 802.12 Demand Priority
Physical: IEEE 802, IEEE 802.2, ISO 2110, ISDN
Firewall Security and the OSI Model
Because different protocols exist at different levels of the OSI model, firewalls must also provide security at different levels.
The lower down the OSI model the firewall can provide security, the more effective and efficient the firewall is.
Firewalls provide security at different levels by establishing IP chain rules for each protocol.
Setting the Firewall Scene…
Where?
– In the Linux Lab (PIII computer, called Linux1)
When?
– On a dark and stormy Sunday
What?
– Linux-Mandrake OS
Who?
– Rodney, Amanda, and Jennifer
Theoretical Firewall Use
Our group selected an installation and configuration process for setting up a personal firewall at home, suitable for:
– Firewall security for a single personal PC; or
– Firewall security for a small network
Therefore, this process is easy for other students and first-time users to understand.
Choosing a Firewall
Use the Firewall included with Linux-Mandrake OS
– Only a personal (not network) firewall
Download free firewall from Internet
– www.freshmeat.net
– www.linux-mandrake.com
Purchase a Firewall
– www.linuxiso.org/
PMFirewall
Features
– Autodetection of the IP Address and Netmask of each interface.
– Blocking of NetBIOS, NetBUS, Back Orifice and Samba attacks.
– Protection against IP Spoofing Attacks.
PMFirewall
Features (cont.)
– Logging of DENY packets.
– Masquerading support is decided during install.
– Custom rules can be added to the pmfirewall.rules.local file.
PM Firewall Technology
The technology underlying PMFirewall is known as IP Chain Software.
This is the case for many Firewall packages designed for Linux operating systems.
The configuration of the PMFirewall package automatically configures the underlying IP Chain Software (saving the user from entering the commands manually).
IP Chain Software Description
IP Chain Software is described by its author Paul Russell as:
"...an update to [and hopefully an improvement upon] the 2.0 Linux packet-filtering code, for the 2.2 Linux kernel…"
IP Chain Software allows for the setting up of a Firewall as well as providing access for multiple PCs using a single Internet connection.
IP Chain Software Explained
Inbuilt in the kernel of the Linux operating system are IP packet filtering capabilities.
IP Chain software is a program that makes use of these facilities.
The program examines the header of a packet to determine what action is suitable for each packet.
Actions include:
– DENY (discard the packet silently)
– ACCEPT (let the packet through or out)
– REJECT (deny and notify the source of the packet)
Obtaining IP Chain Software
Most distributions of Linux come with preinstalled IP Chain Software.
IP Chain Software is also readily available for free all over the Internet; below is just one example.
– http://www.rustcorp.com/linux/ipchains/
Incidentally, you cannot access this site from within the Bond Network as ITS classifies it as Porn!
IP Chains and Kernels
Certain IP Chain Software is not compatible with certain Linux kernels.
(As we found out, the IP Chain software used in the Linux-Mandrake 8.0 Kernel is not compatible with the PMFirewall Package we were using.)
Setting up IP Chain Software on older Linux Kernels (earlier than 2.2) may require Kernel manipulation and extra configuration.
IP Chains and Kernels
Some newer Linux distributions still require the Kernel to be changed to allow IP Masquerading (e.g. SuSE).
This requires changing and recompiling the Kernel source code (!Danger).
This is not required when installing PMFirewall on Linux-Mandrake.
IP Chain Syntax (Briefly)
The Configuration of the PM Firewall does not require knowledge of IP Chain Software. However, for interest, this has been included.
General Format: ipchains <command> <chain> [<options>]
Switches
– -F : flush a chain so it starts fresh
– -P : sets default handling (the chain’s default policy)
– -A : adds conditions or rules
– -L : view all rules
– E.g. ipchains -L
IP Chain Syntax
The rule can apply to
– Input (incoming traffic)
– Output (outgoing traffic)
– Forward (forwarding traffic)
More switches
– -i : Specify Network Card
– -s : Source Address
– -d : Destination Address
– -j : Jump, i.e. specify the action
IP Chain Syntax
The jump switch allows us to specify the action to take with the packet (accept, reject, deny).
If the Firewall is responsible for masquerading, an option for this switch can be MASQ, in which case the packet’s IP and port address will be modified.
IP Chains Example
ipchains -A input -i eth0 -s 10.2.0.0/16 -d 0.0.0.0/0 -j REJECT
This command adds a rule to REJECT all INCOMING packets to eth0 from the SOURCE address 10.2.x.x going to any DESTINATION address.
All IP Chains rules for the PMFirewall package are automatically generated to avoid doing this.
IP Chains Example
ipchains -A input -i eth0 -s 10.2.0.0/16 -d 0.0.0.0/0 -j REJECT
– -A : Adds a rule
– input : Incoming packets
– -i eth0 : Specify network card
– -s 10.2.0.0/16 : Specify source address
– -d 0.0.0.0/0 : Specify destination address
– -j REJECT : Specify action to take
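As an added example (not part of the slides or of PMFirewall), the following Python models the chain, default policy and first-match rule semantics just described, and evaluates packets against the slide’s REJECT rule; the IpChains class, the build_example function and the 192.168.1.0/24 LAN rule on eth1 are assumptions made for this illustration.

```python
import ipaddress
import shlex

# Added illustration of the ipchains semantics the slides describe: -F flushes a
# chain, -P sets its default policy, -A appends a rule built from -i/-s/-d/-j, and
# a packet takes the target of the first rule it matches (else the chain policy).
# The rules are modelled in Python; the real ipchains tool is never invoked.

CHAINS = ("input", "output", "forward")

class IpChains:
    def __init__(self):
        self.policy = {c: "ACCEPT" for c in CHAINS}   # ipchains' initial policy
        self.rules = {c: [] for c in CHAINS}

    def run(self, cmdline):
        """Apply one ipchains command line, e.g. 'ipchains -P input DENY'."""
        argv = shlex.split(cmdline)
        if argv[0] != "ipchains" or argv[2] not in CHAINS:
            raise ValueError("unsupported command: " + cmdline)
        cmd, chain = argv[1], argv[2]
        if cmd == "-F":
            self.rules[chain] = []
        elif cmd == "-P":                  # the target is positional for -P
            self.policy[chain] = argv[3]
        elif cmd == "-A":
            opts = dict(zip(argv[3::2], argv[4::2]))
            self.rules[chain].append({
                "iface": opts.get("-i"),   # None means "any interface"
                "src": ipaddress.ip_network(opts.get("-s", "0.0.0.0/0")),
                "dst": ipaddress.ip_network(opts.get("-d", "0.0.0.0/0")),
                "target": opts["-j"],      # ACCEPT, DENY, REJECT or MASQ
            })
        else:
            raise ValueError("unsupported switch: " + cmd)

    def verdict(self, chain, iface, src, dst):
        """Return (target, rule number) for a packet; rule 0 means the default
        policy applied. DENY drops silently, REJECT drops and notifies the source."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for n, r in enumerate(self.rules[chain], 1):
            if r["iface"] in (None, iface) and src in r["src"] and dst in r["dst"]:
                return r["target"], n
        return self.policy[chain], 0

def build_example():
    """Constructed ruleset: deny by default, the slide's REJECT rule for eth0, and a
    constructed rule trusting an internal 192.168.1.0/24 LAN on eth1."""
    fw = IpChains()
    fw.run("ipchains -F input")
    fw.run("ipchains -P input DENY")
    fw.run("ipchains -A input -i eth0 -s 10.2.0.0/16 -d 0.0.0.0/0 -j REJECT")
    fw.run("ipchains -A input -i eth1 -s 192.168.1.0/24 -j ACCEPT")
    return fw
```

Because rules are checked in order and the policy only applies when nothing matches, a 10.2.x.x packet arriving on eth1 rather than eth0 is silently dropped by the DENY policy instead of being rejected by the slide’s rule.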
Installation Process
Downloading PMFirewall
We downloaded PMFirewall from:
– www.pmfirewall.com/PMFirewall/
The package was then transferred to the Linux lab in the school of IT.
The package was unzipped into amanda’s home directory.
Configuring and Starting the Firewall
Our initial configuration and starting of the firewall failed. The error message displayed informed us that the IP Chains in use were incompatible with the kernel.
The package we had selected was compatible with the Linux kernel 2.2 (Linux-Mandrake 7.2). We had assumed that it was compatible with the Linux kernel 2.4 (Linux-Mandrake 8.0). This assumption was wrong.
As a solution we moved to a machine running Linux-Mandrake 7.2, and ensured it was correctly connected to the network.
The configuration offered by PMFirewall was command driven. No GUI facilities were offered.
Configuration started by typing sh install.sh in a console window, ensuring we were in the directory of the unpacked Firewall.
Configuration was in a clear question-answer format.
Configuration Interface
Phases of Configuration
Configuration consisted of three phases:
Phase 1: IP blocking and permitting
Phase 2: Setting up underlying IP Chains
Phase 3: Preparing the Linux kernel
Phase 1: IP blocking and permitting
Consisted of a set of questions asking us
1. To specify the IP Address of any machine we wished to block from all services permanently. As we did not yet know any hostile IP addresses, we answered NO to this.
2. To specify the IP Address of any machine we wished to grant full access to all services permanently. Again, we answered NO to this.
Phase 1 Continued
3. If we wanted our firewall to start on boot-up. For security reasons we answered yes to this.
4. To specify the IP addresses of the internal network card eth0 and the external network card eth1.
Address Assignment Via DHCP
During phase 1 we were asked if our external IP address or our internal IP address was assigned via DHCP.
Dynamic Host Configuration Protocol is a protocol that lets network administrators or ISPs centrally manage and automate the assignment of IP addresses.
Each time a computer connects to the Internet (or network), the host sends a request to the ISP (or administrator) for an IP address; the ISP (or administrator) automatically checks which addresses are available and replies with the relevant address.
DHCP Continued
As Linux1 has a permanent IP address within the Linux Lab (not assigned with DHCP), we answered NO to this question.
If we were connecting to the Internet through an ISP such as Bigpond, we would answer YES to this question.
Phase 2: Setting up IP Chains
Consisted of a set of questions asking us to specify which protocols we wished our Firewall to allow.
The package used these questions to set up the IP Chains for the Firewall.
IP Chains
We were later able to view the IP Chains list to see how these questions were turned into rules.
This was done by going to the /sbin directory and typing the command – ipchains -L
Phase 3
Consisted of some questions asking if we wished our Firewall to contain, for example:
– Masquerading
Masquerading allows outgoing packets from internal hosts to be given the source address of the firewall, rather than their internal IP addresses.
Original Firewall Configuration
The first time we configured our Firewall we disallowed everything
To test if the Firewall was functioning properly we had to test if anything would be allowed by the firewall
In order to do this, the following servers had to be installed on our Firewall: Apache Server, SSH Server, FTP, Finger
We then tested if the Firewall would successfully block these services
Apache Server
Apache is a Web Server Software Application
– Delivers (serves) web pages on the Internet
SSH Server
Secure Shell
– A program that allows a user to log into another computer over a network
– It provides secure communication with encryption
FTP
File Transfer Protocol
– A protocol that is used on the Internet for sending/transferring files
Finger
This is a program in UNIX that takes an e-mail address and returns information about the user of that e-mail address, such as:
– Is that user currently logged on?
– User’s full name
– User’s Address
– User’s Telephone Number
Testing
Test to see if firewall denied the packets on the ports that were closed
To see if the packets were accepted on the ports that were allowed.
Order
First ping to see if the computer is responding
– Ping (Packet Internet Groper) determines whether an IP Address is accessible by sending a packet to the specified address and waiting for a reply
Test ports to see if the client could access the server
Method
First disallowed access to the server on all ports, except control packets
– eg ICMP (Internet Control Message Protocol) supports packets that contain error, control, and informational messages. ICMP is used by Ping.
Allow one service to clients
Allow multiple services to clients
Linux Ping
Windows Ping
Deny All Services: Web Server
Under Windows the following error message appeared:
Deny All Services: SSH Server
On another Linux box we tried to connect via SSH to the server.
Reconfiguring Order
When we changed the firewall to a new configuration we needed to:
1. Reconfigure the firewall
2. Restart the network
3. Restart the firewall
Restarting Process
Command Line
– /usr/local/pmfirewall/pmfirewall start
GUI
– DrakConf > LinuxConf > Control Panel > Control Services > pmfirewall
Allow Only Web Server
Allow client to connect to the web server only
Only Web Server Cont.
The SSH client could still not connect to the SSH server
All other services that attempted to connect to the server also failed
Allow Only SSH
All other ports were denied
– Eg: As before, the web server was not allowed to be accessed; the same error message appeared in the browser
SSH Cont.
The view from the Linux console when the client could connect to the SSH server
Multiple Services Allowed
Allowed the SSH and Web server to be accessed from a client
Both were allowed through with no problems
All others were still denied
Kernel Log File
Logs network activities
Displays only the denial of ports
– No accepts are shown
Records when the firewall was configured and restarted
Records when the network was restarted
Log File Layout
For each denial of service entry in the log file:
– Date and time
– Name of the computer
– The interface card
– IP and port of the client
– IP and port of the server that the client is trying to access
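To show how the log layout above can be turned into something a defender can act on, here is an added Python example (not from the slides or PMFirewall): it parses constructed syslog lines written in the 2.2-kernel "Packet log:" layout, which the slides’ log file is assumed to follow, into the fields listed, and summarises which clients were refused on which server ports. The host name linux1, the address 10.1.1.5 and the sample lines are constructed for the illustration.

```python
import re

# Added illustration, not the slides' real log: constructed /var/log/messages
# lines in the 2.2-kernel ipchains "Packet log:" layout (assumed format), for a
# firewall host "linux1" whose external interface eth1 has the address 10.1.1.5.
SAMPLE_LOG = """\
Jun 10 14:22:31 linux1 kernel: Packet log: input DENY eth1 PROTO=6 203.0.113.9:3344 10.1.1.5:80 L=60 S=0x00 I=12345 F=0x4000 T=52 SYN (#4)
Jun 10 14:22:33 linux1 kernel: Packet log: input DENY eth1 PROTO=6 203.0.113.9:3345 10.1.1.5:22 L=60 S=0x00 I=12346 F=0x4000 T=52 SYN (#4)
Jun 10 14:23:02 linux1 kernel: Packet log: input REJECT eth1 PROTO=6 198.51.100.7:1029 10.1.1.5:79 L=60 S=0x00 I=77 F=0x4000 T=118 SYN (#6)
Jun 10 14:23:05 linux1 kernel: eth1: link up (constructed non-firewall line)
"""

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# The fields the slides list for each entry: date/time, computer name, interface,
# client IP:port, server IP:port; the trailing (#n) is the rule number that fired.
LOG_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) .*\(#(?P<rule>\d+)\)$"
)

def parse_packet_log(text):
    """Return one dict per 'Packet log:' line; other syslog lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue            # link-state, login and other unrelated messages
        e = m.groupdict()
        for key in ("proto", "sport", "dport", "rule"):
            e[key] = int(e[key])
        e["proto_name"] = PROTO_NAMES.get(e["proto"], str(e["proto"]))
        entries.append(e)
    return entries

def refused_ports_by_client(entries):
    """Map each client IP to the set of server ports the firewall refused it
    (DENY or REJECT); a client hitting many closed ports stands out here."""
    refused = {}
    for e in entries:
        if e["target"] in ("DENY", "REJECT"):
            refused.setdefault(e["src"], set()).add(e["dport"])
    return refused
```

Because the kernel only logs denials (no accepts are shown), this summary is a view of what the firewall turned away, not of what it let through.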
Problems
Testing the Network
Originally, work began on the nofriends computer. To ensure our computer was correctly connected to the network, we logged into three neighboring dual-boot computers in an attempt to:
– View the computer through Windows NT’s network neighborhood.
– Ping the computer from both Windows NT and Linux-Mandrake with 0% packet loss.
Initial Network Problems
Initially there were two network problems:
1. nofriends could only be accessed through network neighborhood on neighboring machines when nofriends was running NT.
2. nofriends could only successfully be pinged from neighboring machines when nofriends was running NT.
When nofriends was running Linux-Mandrake, the machine was obviously not correctly connecting to the network.
Locating Initial Network Problems
Through comparison of our network settings both under Linux-Mandrake and Windows NT, it was discovered that:
– Our primary network card eth1 was configured differently under Linux-Mandrake. Under Windows this card had been set to type 3c905c-TX; in Linux-Mandrake this was not the case.
Solving Initial Network Problems
Our group solved these problems by:
– Resetting the card type of eth1 under Linux-Mandrake to ensure that it was identical to what it was under Windows NT.
– Disabling eth0
Conflict between FTP and Apache
Our group found we could successfully install Apache on our machine but as soon as the FTP server was installed then neither FTP nor Apache server would function properly, regardless of the Firewall configuration.
This problem was not present on the Linux-Mandrake 8.0 operating system.
Linux-Mandrake 8.0 Compatible Firewall
Mandrake 8.0
A firewall that could be used for Mandrake 8.0 is Single Network Firewall 7.2 (SNL)
The product is available for free from linux-mandrake.com
We did not use this package because the size of it is 250 Mbytes.
– Too big for a floppy
– No Internet connection in lab
SNL Features
Secure web interface to configure remotely over the web
DHCP server for the internal network
Integrated proxy server
URL / content filtering to restrict web pages and banners not wanted to be visible inside the network
SNL Features
Monitoring tools display detailed information about network activity, system, logs, Intrusion detection, DHCP and URL reports
Intrusion detection systems to alert administrator of hostile attacks
SNL Features
Bastille is a powerful "hardening" system that provides extra protection against IP Spoofing attacks.
Filtering rules can be created at the user level to control information entering and leaving a network or a subgroup of a network.
SNL Requirements
Pentium Processor or compatible.
CD ROM drive.
250 MB disk space (minimum).
At least 32 MB of RAM (64 MB recommended).
VESA 2.0 compliant graphics card.
Ethernet Network Card.
Internet connection.
A Web Browser.
Resources
http://www.linuxplanet.com
http://www.yolinux.com
http://www.linuxdoc.org
http://www.linuxgazette.com
http://www.webopedia.com
http://www.linux-mandrake.com
http://www.freshmeat.net
The End