8/10/2019 10 Firewalls
1/24
Advanced Network Services Topic 10 - Firewalls
ITECH2108 Topic 10
Firewalls

What is a firewall?
It is not a virus scanner
Although it might include that
It is not a secure communication system
A firewall regulates network traffic
At some network boundary
In and out of your home computer
Through your broadband router
Through a computer configured as a router

Classes of firewall
Network layer - our focus
Inspect each packet at the network & transport layer
Accept/reject according to rules
Application layer
Particular to an application
E.g. ftp, telnet
Filter on content
Stateless/Stateful
A stateful firewall keeps a check on responses relative to requests

Stateful example
Consider a user accessing a Web site
A stateless firewall will need to say:
All outbound port 80 traffic OK
All inbound non-SYN traffic OK
A stateful firewall can say:
All outbound port 80 traffic OK
Inbound traffic for open connections OK
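The difference between the two rule sets above is easiest to see on concrete traffic. The following is an added illustration, not code from the ITECH2108 slides: a toy filter implementing each rule set literally, fed a legitimate web fetch and then an unsolicited inbound ACK to port 23. All addresses are constructed, and the stateful filter's notion of "open connection" is a simplification (a flow counts as open once its outbound SYN is accepted; real connection tracking follows the handshake and times entries out).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP segment at the firewall. 'out' leaves our host, 'in' arrives."""
    direction: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool          # True only for a bare connection-opening SYN


def stateless_verdict(pkt):
    """The slide's stateless rule set: outbound port 80 OK, inbound non-SYN OK."""
    if pkt.direction == "out" and pkt.dport == 80:
        return "ACCEPT"
    if pkt.direction == "in" and not pkt.syn:
        return "ACCEPT"
    return "DROP"


class StatefulFilter:
    """The slide's stateful rule set: outbound port 80 OK, inbound only for
    connections this filter has already seen opened from the inside.
    Assumption: a connection is 'open' as soon as its outbound SYN is accepted."""

    def __init__(self):
        self.open = set()   # (our ip, our port, remote ip, remote port)

    def verdict(self, pkt):
        if pkt.direction == "out" and pkt.dport == 80:
            self.open.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        if pkt.direction == "in" and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.open:
            return "ACCEPT"
        return "DROP"


def run_scenario():
    """Constructed traffic: a real web fetch, then an unsolicited inbound ACK
    to a port nobody asked for. Returns (stateless, stateful) verdicts per packet."""
    stateful = StatefulFilter()
    traffic = {
        "web_request": Packet("out", "192.168.1.2", 51234, "198.51.100.10", 80, syn=True),
        "web_reply":   Packet("in",  "198.51.100.10", 80, "192.168.1.2", 51234, syn=False),
        "stray_ack":   Packet("in",  "203.0.113.9", 4444, "192.168.1.2", 23, syn=False),
    }
    # Packets are evaluated in order, so the reply is seen after the request.
    return {name: (stateless_verdict(p), stateful.verdict(p)) for name, p in traffic.items()}


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(f"{name:12s} stateless={verdicts[0]:6s} stateful={verdicts[1]}")
```

The web reply passes both filters, but the stray ACK is accepted by the stateless rules (it is inbound and not a SYN, which is all the rule can check) and dropped by the stateful filter, which knows no connection to port 23 was ever opened from the inside. That gap is why "all inbound non-SYN traffic OK" is a much weaker statement than "inbound traffic for open connections OK".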

What kind of attacks?
Denial of Service (DoS)
Anything that ties up server resources
Why? To slow things down
To distract from some other attack
TCP connect to a listening port
Once connected, attempt to break in
A buffer overflow might allow the attacker's code to execute
Many, many others

Packet-level operations
A network layer firewall involves inspection of each packet
Where does this occur?
In the OS kernel
Privileged operation
Requires root/Administrator login
In user space
More relaxed

How it's done on Windows
(Diagram of the Windows networking stack, top to bottom: Networking Application and winsock in user space; Transport Driver Interface, TCPIP driver and NDIS driver in the kernel. An application layer firewall sits in user space at the winsock level; a network layer firewall sits in the kernel at the TCPIP and NDIS driver levels, via the W2K packet filtering interface.)

How it's done on Linux
Same User/Kernel split
Kernel includes netfilter hooks
Kernel filtering controlled by user space programs
ipfw
ipchains
iptables
This is what we will study

ipfw
The earliest framework for configuring netfilter
Still used in BSD Unix
Can't handle non-IP rules
Simple rule format:
add 1000 allow all from any to any
1000 is the rule number: the lowest-numbered rule that fits is followed
allow is the action: allow, deny, reset, count
all is the type, e.g. tcp, icmp...
from any to any gives the source & destination

ipchains netfilter architecture
Packets move through the kernel and can have rules from a chain applied
(Diagram: an arriving packet passes the input chain, then the routing decision "To be routed?" sends it either through the forward chain or to a local process; packets leaving the host pass the output chain.)

ipchains: why not?
The main disadvantages of ipchains
Excessive activity for the input chain rules
Because they are applied before the routing decision
Only stateless rules can be defined
Not extensible
What about completely new criteria? No way to add them
Note lower case chain names

iptables netfilter architecture
An improved flowchart for packets allows less use of the INPUT chain
(Diagram: the routing decision "To be routed?" comes first; packets to be routed pass only the FORWARD chain, packets for a local process pass the INPUT chain, and packets from a local process pass the OUTPUT chain.)

Adding two more steps
The extra steps are places that we could apply rules like NAT
(Diagram: PREROUTING is applied to every arriving packet before the routing decision and POSTROUTING to every packet just before it leaves, alongside the INPUT, FORWARD and OUTPUT chains of the previous slide.)

So what are the tables?
In iptables, tables are a collection of chains
There are 3 built-in tables:
filter: INPUT, OUTPUT and FORWARD chains
nat: PREROUTING, POSTROUTING and OUTPUT chains
mangle (other changes in packets, e.g. QoS options): all the chains!

iptables rule format
[command-type] [pattern-match-options] -j [target]
command-type: add, delete, list etc. on a specified chain
pattern-match-options: protocol, port, interface and many other options
target: DROP, REJECT, ACCEPT, LOG

iptables command types
-L List rules in chain
-F Flush all rules from the chain
-P Set policy for chain (e.g. ACCEPT, REJECT)
Compare with ipfw approach
-A Add (append) a rule to the chain (insert -I and replace -R also)
-D Delete a rule from the chain
-N Create a new chain

iptables pattern match options
Unbounded given the extensibility, but...
-p [protocol]: tcp, udp or icmp
-d [address/mask], -s [address/mask]: destination/source address
--dport [port], --sport [port]: destination/source port
-i [interface], -o [interface]: eth0, wlan0, a standard Linux interface, in or out
-m state --state [state_type]: for tcp: NEW, ESTABLISHED; for icmp: RELATED
--icmp-type [typename]: such as ECHO, REPLY

iptables targets
ACCEPT: stop processing, let the packet through
DROP: stop processing - silently
LOG: make an entry in the log
REJECT: stop processing and try to reply with an appropriate message
DNAT: modify packet with specified dest address for Destination NAT
SNAT: modify packet with specified source address for Source NAT
MASQUERADE: modify packet with dynamically assigned source address
Saving the rules
The rules you have created can be saved to
/etc/sysconfig/iptables
Use:
service iptables save
These rules will be re-established at startup

Reading some rules
# Allow all loopback (lo0) traffic
-A INPUT -i lo -j ACCEPT
# Accept all established connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic
-A OUTPUT -j ACCEPT
# Accept all SSH and Web server connections
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Reject and log all other inbound
-A INPUT -j LOG
-A INPUT -j REJECT
-A FORWARD -j LOG
-A FORWARD -j REJECT
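To check that you read a rule set the way the kernel will, it helps to walk a chain by hand: rules are tried top to bottom, the first ACCEPT/DROP/REJECT that matches ends traversal, LOG matches but does not end it, and a packet that matches nothing gets the chain's policy. The parser and evaluator below are an added example, not part of the slides or of iptables itself; they understand only the options used on this slide (-A, -p, -i, -o, -s, -d, --dport, --sport, -m state --state, -j), and the chain policies are assumed because the slide sets none. Sample packets are constructed dicts whose keys mirror the option names.

```python
import shlex
from collections import defaultdict

# The slide's rules, verbatim (iptables-save style lines, comments included).
RULES_TEXT = """
# Allow all loopback (lo0) traffic
-A INPUT -i lo -j ACCEPT
# Accept all established connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic
-A OUTPUT -j ACCEPT
# Accept all SSH and Web server connections
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Reject and log all other inbound
-A INPUT -j LOG
-A INPUT -j REJECT
-A FORWARD -j LOG
-A FORWARD -j REJECT
"""

# Assumed chain policies (the slide does not set any). A built-in chain's
# policy can only be ACCEPT or DROP, which is why the slide's catch-all
# REJECT has to be an explicit last rule rather than a policy.
POLICIES = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"}
TERMINATING = {"ACCEPT", "DROP", "REJECT"}
SIMPLE_OPTIONS = {"-p", "-i", "-o", "-s", "-d", "--dport", "--sport"}


def parse_rule(line):
    """Turn one '-A CHAIN ... -j TARGET' line into {chain, match, target}."""
    tokens = shlex.split(line)
    rule = {"chain": None, "match": {}, "target": None}
    i = 0
    while i < len(tokens):
        if i + 1 >= len(tokens):
            raise ValueError(f"option {tokens[i]!r} is missing its argument")
        tok, arg = tokens[i], tokens[i + 1]
        if tok == "-A":
            rule["chain"] = arg
        elif tok == "-j":
            rule["target"] = arg
        elif tok == "-m":
            pass                         # module name; only 'state' is supported
        elif tok == "--state":
            rule["match"]["state"] = set(arg.split(","))
        elif tok in SIMPLE_OPTIONS:
            rule["match"][tok] = arg
        else:
            raise ValueError(f"unsupported option {tok!r}")
        i += 2
    if rule["chain"] is None or rule["target"] is None:
        raise ValueError(f"rule needs both -A and -j: {line!r}")
    return rule


def load_chains(text):
    """Group parsed rules by chain, preserving their order (order is the semantics)."""
    chains = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rule = parse_rule(line)
            chains[rule["chain"]].append(rule)
    return chains


def matches(rule, pkt):
    """A rule matches when every criterion it names agrees with the packet."""
    for key, want in rule["match"].items():
        have = pkt.get(key)
        if key == "state":
            if have not in want:
                return False
        elif have != want:
            return False
    return True


def evaluate(chains, chain_name, pkt):
    """Return (verdict, logged) for one packet traversing one chain."""
    logged = False
    for rule in chains[chain_name]:
        if not matches(rule, pkt):
            continue
        if rule["target"] == "LOG":
            logged = True                # LOG never terminates traversal
        elif rule["target"] in TERMINATING:
            return rule["target"], logged
    return POLICIES[chain_name], logged  # fell off the end: policy applies


if __name__ == "__main__":
    chains = load_chains(RULES_TEXT)
    pkt = {"-i": "eth0", "-p": "tcp", "--dport": "8080", "state": "NEW"}
    print("INPUT tcp/8080 ->", evaluate(chains, "INPUT", pkt))
```

Tracing a few constructed packets shows the things worth noticing in this rule set: a new connection to tcp/8080 is logged and then rejected; an ESTABLISHED packet to any port is accepted by the second rule before the port rules are even consulted; and because the SSH rule has no -m state clause, a tcp/22 packet is accepted whether it is NEW or not.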

The nat table
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
This single entry does it
-t nat: the nat table
-A: append a rule
POSTROUTING: the POSTROUTING chain
-o ppp0: the dial-up interface
-j MASQUERADE: the right kind of mangling

Easing rule writing
iptables rules are quite hard to write!
Firewall Builder
On ADIOS, and can be downloaded for Windows: it creates rules in a generalised XML format and then compiles them into rules for a specific platform (e.g. iptables on Linux)
Although the tool is available for Windows too, the actual firewall will always be on Linux

The lab
Build a test environment
Apply Linux firewalls
(Diagram: NAT Router A (Linux) has a public address on one side and 192.168.a.1 on the lab side; the Client (Linux or Windows) is at 192.168.a.2.)
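The single MASQUERADE rule from the nat-table slide and the lab topology above fit together: router A rewrites the source of everything leaving ppp0 to whatever address the dial-up link currently has, and the kernel's connection tracking remembers each translation so that replies can be sent back to the right client. The simulation below is an added example, not netfilter's code and not part of the slides: it models the rule plus the tracking table behind it, with the slide's 192.168.a.x placeholder filled in as a constructed 192.168.7.0/24 and documentation-range public addresses.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    out_iface: str = ""    # interface chosen by the routing decision; "" when arriving


class MasqueradeRouter:
    """Models 'iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE' together
    with the connection-tracking entries needed to reverse it for replies.
    Assumptions: one public port per LAN flow, allocated sequentially from 1024."""

    def __init__(self, wan_iface="ppp0"):
        self.wan_iface = wan_iface
        self.wan_address = None     # MASQUERADE reads this at translation time
        self.conntrack = {}         # translated source port -> (lan host, lan port)
        self._next_port = 1024

    def link_up(self, address):
        """The dial-up link came up, possibly with a new address: old mappings go."""
        self.wan_address = address
        self.conntrack.clear()

    def postrouting(self, pkt):
        """Outbound path: apply the rule only when the packet leaves via -o ppp0."""
        if pkt.out_iface != self.wan_iface:
            return pkt                                  # rule does not match
        if self.wan_address is None:
            raise RuntimeError(f"{self.wan_iface} has no address to masquerade with")
        for port, original in self.conntrack.items():
            if original == (pkt.src, pkt.sport):        # flow already known
                break
        else:
            port = self._next_port                      # allocate a fresh public port
            self._next_port += 1
            self.conntrack[port] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.wan_address, sport=port)

    def inbound(self, pkt):
        """Inbound path: conntrack undoes the translation for known flows only.
        Anything else is returned as None, i.e. left for the filter table."""
        if pkt.dst != self.wan_address or pkt.dport not in self.conntrack:
            return None
        host, port = self.conntrack[pkt.dport]
        return replace(pkt, dst=host, dport=port)


def lab_scenario():
    """Constructed lab traffic: the client (192.168.7.2) fetches a web page
    through router A, a reply comes back, and an unsolicited packet arrives."""
    router = MasqueradeRouter()
    router.link_up("203.0.113.5")                       # public address on ppp0
    request = Packet("192.168.7.2", 51000, "198.51.100.10", 80, out_iface="ppp0")
    translated = router.postrouting(request)
    reply = router.inbound(Packet("198.51.100.10", 80, "203.0.113.5", translated.sport))
    stray = router.inbound(Packet("198.51.100.99", 4444, "203.0.113.5", 2222))
    local = router.postrouting(Packet("192.168.7.2", 5000, "192.168.7.1", 22, out_iface="eth0"))
    return translated, reply, stray, local


if __name__ == "__main__":
    for p in lab_scenario():
        print(p)
```

The outbound request leaves with the router's public address as its source, the reply is mapped back to 192.168.7.2:51000, and the stray packet has no tracking entry so it is not translated at all. The packet to 192.168.7.1 over eth0 is untouched because the rule is bound to ppp0. This is the practical difference between MASQUERADE and SNAT on the targets slide: SNAT needs the public address written into the rule, whereas MASQUERADE looks it up from the interface each time, which is what a dial-up link with a changing address needs.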
Virtual machines to the rescue
User Mode Linux (UML)