10 Firewalls


8/10/2019 10 Firewalls
Advanced Network Services Topic 10 - Firewalls 17:24 (1 of 24)

Slide 1/24 - ITECH2108 Topic 10: Firewalls

Slide 2/24 - What is a firewall?

  • It is not a virus scanner
    • Although it might include that
  • It is not a secure communication system
  • A firewall regulates network traffic
    • At some network boundary
    • In and out of your home computer
    • Through your broadband router
    • Through a computer configured as a router

Slide 3/24 - Classes of firewall

  • Network layer - our focus
    • Inspect each packet at the network & transport layer
    • Accept/reject according to rules
  • Application layer
    • Particular to an application
    • Eg ftp, telnet
    • Filter on content
  • Stateless/Stateful
    • Keeps a check on responses relative to requests

Slide 4/24 - Stateful example

  • Consider a user accessing a Web site
  • A stateless firewall will need to say:
    • All outbound port 80 traffic OK
    • All inbound non-SYN traffic OK
  • A stateful firewall can say:
    • All outbound port 80 traffic OK
    • Inbound traffic for open connections OK
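The two rule sets on this slide, simulated in Python as an added example (this is not code from the lecture or from any firewall). The stateless filter can only look at each packet on its own, so it must admit every inbound segment that is not a bare SYN; the stateful filter records the connections that the inside opened and admits inbound traffic only for those. The addresses, ports and the packet trace are constructed for the demonstration.

```python
"""Stateless vs stateful filtering, simulated (added example, not from the slides).

Rule sets are the two on the slide: the stateless firewall admits outbound
port 80 and every inbound non-SYN segment; the stateful one admits outbound
port 80 and inbound segments that belong to a connection it saw being opened.
All addresses, ports and packets below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" (leaving our host) or "in" (arriving at our host)
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool        # SYN flag set
    ack: bool = True # ACK flag set; a bare SYN (syn and not ack) opens a connection


def stateless_decision(pkt: Packet) -> str:
    """Slide rules: outbound dport 80 OK; any inbound segment that is not a
    bare SYN OK. Nothing ties an inbound segment to a request, so an
    unsolicited ACK-only segment is indistinguishable from a reply."""
    if pkt.direction == "out" and pkt.dport == 80:
        return "ACCEPT"
    if pkt.direction == "in" and not (pkt.syn and not pkt.ack):
        return "ACCEPT"
    return "DROP"


class StatefulFirewall:
    """Keeps a table of connections opened by outbound traffic and admits an
    inbound packet only when its reversed 4-tuple is in that table."""

    def __init__(self) -> None:
        self.open: set = set()   # (local_ip, local_port, remote_ip, remote_port)

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out" and pkt.dport == 80:
            self.open.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        if pkt.direction == "in":
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reversed 4-tuple
            if key in self.open:
                return "ACCEPT"
        return "DROP"


def run_demo():
    """Walk one constructed trace through both filters; returns a list of
    (stateless verdict, stateful verdict) per packet."""
    host, web, other = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    trace = [
        Packet("out", host, 40000, web, 80, syn=True, ack=False),     # our SYN to the web server
        Packet("in", web, 80, host, 40000, syn=True, ack=True),       # its SYN/ACK
        Packet("in", web, 80, host, 40000, syn=False, ack=True),      # data from the server
        Packet("in", other, 6000, host, 5555, syn=False, ack=True),   # ACK-only segment nobody asked for
        Packet("in", other, 6000, host, 22, syn=True, ack=False),     # unsolicited SYN to port 22
    ]
    fw = StatefulFirewall()
    return [(stateless_decision(p), fw.decide(p)) for p in trace]


if __name__ == "__main__":
    for verdicts in run_demo():
        print(verdicts)
```

The fourth packet is the point of the slide: the stateless filter has to let it through because it cannot tell it from the server's reply, while the stateful filter drops it because no open connection matches.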

Slide 5/24 - What kind of attacks?

  • Denial of Service (DOS)
    • Anything that ties up server resources
    • Why? To slow things down
    • To distract from some other attack
  • TCP connect to a listening port
    • Once connected, attempt to break in
    • A buffer overflow might allow the attacker's code to execute
  • Many, many others

Slide 6/24 - Packet-level operations

  • A network layer firewall involves inspection of each packet
  • Where does this occur?
    • In the OS kernel
      • Privileged operation
      • Requires root/Administrator login
    • In user space
      • More relaxed

Slide 7/24 - How it's done on Windows

  [Diagram: the Windows network stack, top to bottom, split into user and kernel]
  User:
    • Networking Application
    • winsock
  Kernel:
    • Transport Driver Interface
    • TCPIP driver
    • NDIS Driver
  Labels on the diagram: Application layer firewall (user side); Network layer firewall (two hook points in the kernel stack); W2K packet filtering interface

Slide 8/24 - How it's done on Linux

  • Same User/Kernel split
  • Kernel includes netfilter hooks
  • Kernel filtering controlled by user space programs
    • ipfw
    • ipchains
    • iptables - this is what we will study

Slide 9/24 - ipfw

  • The earliest framework for configuring netfilter
  • Still used in BSD Unix
  • Can't handle non-IP rules
  • Simple rule format:

      add 1000 allow all from any to any

    • 1000: rule number - the lowest number that fits is followed
    • allow: action - allow, deny, reset, count
    • all: type, eg tcp, icmp ...
    • from any to any: source & destination
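The rule-number semantics on this slide, as an added Python example (not the lecture's or ipfw's code): rules are evaluated in numeric order regardless of the order they were added, the lowest-numbered rule that fits decides the packet, and `count` only increments a counter and lets evaluation continue, which is how ipfw's count action behaves. The default verdict when nothing matches is assumed to be deny, and the rules and addresses are constructed for the demonstration.

```python
"""Simulation of ipfw-style rule evaluation (added example, not from the slides).

Rules use the slide's format: add <number> <action> <type> from <src> to <dst>.
Evaluation walks the rules in rule-number order; 'count' is non-terminating,
'allow', 'deny' and 'reset' terminate. The default verdict when no rule fits
is assumed to be deny here. All rules and addresses are constructed.
"""
import re
from typing import Dict, List, Tuple

RULE_RE = re.compile(
    r"^add\s+(\d+)\s+(allow|deny|reset|count)\s+(\w+)\s+from\s+(\S+)\s+to\s+(\S+)$"
)


class IpfwRuleset:
    def __init__(self) -> None:
        # (number, action, type, src, dst), kept sorted by number
        self.rules: List[Tuple[int, str, str, str, str]] = []
        self.counters: Dict[int, int] = {}   # hits per 'count' rule number

    def add(self, line: str) -> None:
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"bad rule: {line!r}")
        num = int(m.group(1))
        self.rules.append((num, m.group(2), m.group(3), m.group(4), m.group(5)))
        self.rules.sort(key=lambda r: r[0])   # numbers, not entry order, decide precedence

    @staticmethod
    def _host_matches(pattern: str, addr: str) -> bool:
        return pattern == "any" or pattern == addr

    def lookup(self, proto: str, src: str, dst: str) -> Tuple[str, int]:
        """Return (action, rule number) of the lowest-numbered terminating rule that fits."""
        for num, action, rtype, rsrc, rdst in self.rules:
            if rtype not in ("all", "ip", proto):
                continue
            if not (self._host_matches(rsrc, src) and self._host_matches(rdst, dst)):
                continue
            if action == "count":
                self.counters[num] = self.counters.get(num, 0) + 1
                continue                      # count never decides a packet
            return action, num
        return "deny", 65535                  # assumed default rule


def build_demo() -> IpfwRuleset:
    rs = IpfwRuleset()
    # Added out of numeric order on purpose; lookup() still sees 1000 first.
    rs.add("add 3000 allow all from any to any")
    rs.add("add 1000 count tcp from any to 192.0.2.10")
    rs.add("add 2000 deny tcp from 198.51.100.9 to 192.0.2.10")
    rs.add("add 1500 reset tcp from any to 192.0.2.99")
    return rs


if __name__ == "__main__":
    rs = build_demo()
    print(rs.lookup("tcp", "198.51.100.9", "192.0.2.10"))   # decided by rule 2000
    print(rs.lookup("tcp", "203.0.113.4", "192.0.2.10"))    # falls through to rule 3000
    print(rs.counters)
```

Because the broad `allow all` sits at 3000, the more specific deny at 2000 still wins for the one source it names; renumbering the allow rule to 500 would silently shadow every rule after it, which is the usual mistake with number-ordered rule sets.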

Slide 10/24 - ipchains netfilter architecture

  • Packets move through the kernel and can have rules from a chain applied
  [Diagram: packet flow - input chain -> "To be routed?" -> forward chain -> output chain; packets for a local process go input -> Process -> output]

Slide 11/24 - ipchains: why not?

  • The main disadvantages of ipchains
    • Excessive activity for the input chain rules
      • Because they are applied before the routing decision
    • Only stateless rules can be defined
    • Not extensible
      • What about completely new criteria? No way to add them
  • Note lower case chain names

Slide 12/24 - iptables netfilter architecture

  • An improved flowchart for packets allows less use of the INPUT chain
  [Diagram: "To be routed?" -> FORWARD; otherwise INPUT -> Process -> OUTPUT]

Slide 13/24 - Adding two more steps

  • The extra steps are places where we could apply rules like NAT
  [Diagram: PREROUTING -> "To be routed?" -> FORWARD, or INPUT -> Process -> OUTPUT; then POSTROUTING]

Slide 14/24 - So what are the tables?

  • In iptables, tables are a collection of chains
  • There are 3 built-in tables:
    • filter: INPUT, OUTPUT and FORWARD chains
    • nat: PREROUTING, POSTROUTING and OUTPUT chains
    • mangle (other changes in packets, eg QoS options): all the chains!

Slide 15/24 - iptables rule format

      [command-type] [pattern-match-options] -j [target]

  • command-type: add, delete, list etc on a specified chain
  • pattern-match-options: protocol, port, interface and many other options
  • target: DROP, REJECT, ACCEPT, LOG

Slide 16/24 - iptables command types

  -L  List rules in chain
  -F  Flush all rules from the chain
  -P  Set policy for chain (eg ACCEPT, REJECT) - compare with the ipfw approach
  -A  Add (append) a rule to the chain (insert -I and replace -R also)
  -D  Delete a rule from the chain
  -N  Create a new chain

Slide 17/24 - iptables pattern match options

  • Unbounded, given the extensibility, but ...

  -p [protocol]                      tcp, udp or icmp
  -d [address/mask], -s [address/mask]   Destination/source address
  --dport [port], --sport [port]     Destination/source port
  -i [interface], -o [interface]     eth0, wlan0 - a standard Linux interface, in or out
  -m state --state [state_type]      For tcp: NEW, ESTABLISHED; for icmp: RELATED
  --icmp-type [typename]             Such as ECHO, REPLY

Slide 18/24 - iptables targets

  ACCEPT      Stop processing - let the packet through
  DROP        Stop processing - silently
  LOG         Make an entry in the log
  REJECT      Stop processing and try to reply with an appropriate message
  DNAT        Modify packet with specified dest address, for Destination NAT
  SNAT        Modify packet with specified source address, for Source NAT
  MASQUERADE  Modify packet with dynamically assigned source address

Slide 19/24 - Saving the rules

  • The rules you have created can be saved to /etc/sysconfig/iptables
  • Use:

      service iptables save

  • These rules will be re-established at startup

Slide 20/24 - Reading some rules

    # Allow all loopback (lo0) traffic
    -A INPUT -i lo -j ACCEPT
    # Accept all established connections
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Allow all outbound traffic
    -A OUTPUT -j ACCEPT
    # Accept all SSH and Web server connections
    -A INPUT -p tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp --dport 443 -j ACCEPT
    # Reject and log all other inbound
    -A INPUT -j LOG
    -A INPUT -j REJECT
    -A FORWARD -j LOG
    -A FORWARD -j REJECT
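A way to check one's reading of the rule set above, and of the rule format, command types, match options and targets on slides 15 to 18, is to walk constructed packets through the chains. The following Python is an added example and is not the lecture's or netfilter's code: it parses the slide's `-A` lines, supports only the matches the slide uses (`-i`, `-p`, `--dport`, `-m state --state`) and the targets ACCEPT, DROP, REJECT and LOG, treats LOG as non-terminating (as iptables does) and applies a chain policy, assumed to be DROP, when no terminating rule matches. The packets and the conntrack state attached to them are constructed.

```python
"""Walk packets through the slide's iptables chains (added example; not the
lecture's or netfilter's code). Handles -A lines with -i, -p, --dport,
-m state --state, and the targets ACCEPT, DROP, REJECT, LOG. LOG does not
end evaluation; the chain policy (assumed DROP) applies when nothing
terminating matches. Packets below are constructed."""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The rule set from the slide, verbatim.
RULES_TEXT = """
# Allow all loopback (lo0) traffic
-A INPUT -i lo -j ACCEPT
# Accept all established connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic
-A OUTPUT -j ACCEPT
# Accept all SSH and Web server connections
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Reject and log all other inbound
-A INPUT -j LOG
-A INPUT -j REJECT
-A FORWARD -j LOG
-A FORWARD -j REJECT
"""


@dataclass
class Packet:
    iface: str            # interface the packet arrived on
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # None for protocols without ports
    state: str            # conntrack state: NEW, ESTABLISHED or RELATED


@dataclass
class Rule:
    chain: str
    target: str
    matches: Dict[str, str] = field(default_factory=dict)

    def hits(self, pkt: Packet) -> bool:
        """Every match option on the rule must agree with the packet."""
        m = self.matches
        if "-i" in m and m["-i"] != pkt.iface:
            return False
        if "-p" in m and m["-p"] != pkt.proto:
            return False
        if "--dport" in m and pkt.dport != int(m["--dport"]):
            return False
        if "--state" in m and pkt.state not in m["--state"].split(","):
            return False
        return True


def parse_rules(text: str) -> Dict[str, List[Rule]]:
    """Group -A rules by chain, in the order they were appended."""
    chains: Dict[str, List[Rule]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if tokens[0] != "-A":
            raise ValueError(f"only -A is handled here: {line}")
        chain, target, matches = tokens[1], "", {}
        i = 2
        while i < len(tokens):
            flag = tokens[i]
            if flag == "-j":
                target = tokens[i + 1]
            elif flag == "-m":
                pass                       # match extension name; its own options follow
            else:
                matches[flag] = tokens[i + 1]
            i += 2
        chains.setdefault(chain, []).append(Rule(chain, target, matches))
    return chains


def evaluate(chains: Dict[str, List[Rule]], chain_name: str, pkt: Packet,
             policy: str = "DROP") -> Tuple[str, bool]:
    """Return (verdict, logged) for one packet walked through one chain."""
    logged = False
    for rule in chains.get(chain_name, []):
        if not rule.hits(pkt):
            continue
        if rule.target == "LOG":
            logged = True                  # non-terminating: carry on to the next rule
            continue
        return rule.target, logged
    return policy, logged


if __name__ == "__main__":
    chains = parse_rules(RULES_TEXT)
    print(evaluate(chains, "INPUT", Packet("eth0", "tcp", 22, "NEW")))    # ('ACCEPT', False)
    print(evaluate(chains, "INPUT", Packet("eth0", "tcp", 23, "NEW")))    # ('REJECT', True)
```

Two things the walk makes visible that the listing alone does not: a new inbound telnet attempt is both logged and rejected because LOG falls through to the REJECT that follows it, and an ESTABLISHED UDP datagram on a random port is accepted by the second rule before the port-specific rules are ever consulted.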

Slide 21/24 - The nat table

      iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

  • This single entry does it
    • -t nat: nat table
    • -A: append rule
    • POSTROUTING: POSTROUTING chain
    • -o ppp0: dial-up interface
    • -j MASQUERADE: the right kind of mangling
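What the single MASQUERADE entry does to a packet, and why it is enough for the lab set-up on slide 23 (a NAT router on 192.168.a.1 in front of a client on 192.168.a.2), simulated in Python as an added example that is not the lecture's or netfilter's code. Packets leaving via the named interface get their source address replaced by whatever address that interface currently has (which is why MASQUERADE suits a dial-up link whose address changes), and a mapping is kept so that the reply can be rewritten back to the private host without any extra rule. The real target keeps the original source port when it is free; this simulation always allocates a new one. Addresses, ports and interface names are constructed.

```python
"""MASQUERADE on the POSTROUTING chain, simulated (added example; not the
lecture's or netfilter's code). Outbound packets on the chosen interface get
the interface's current address and a fresh source port; the mapping is kept
so replies can be translated back. The real target reuses the original port
where possible; this simulation always allocates one. Values are constructed."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Masquerader:
    def __init__(self, out_iface: str, first_port: int = 1024) -> None:
        self.out_iface = out_iface                  # the -o interface of the rule
        self.iface_addr: Dict[str, str] = {}        # interface -> its current address
        self.next_port = first_port
        # (nat_addr, nat_port) -> (private src, private sport)
        self.table: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def set_address(self, iface: str, addr: str) -> None:
        """A dial-up link learns its address when it comes up; MASQUERADE reads it per packet."""
        self.iface_addr[iface] = addr

    def postrouting(self, pkt: Packet, out_iface: str) -> Packet:
        """-t nat -A POSTROUTING -o <iface> -j MASQUERADE: rewrite only on that interface."""
        if out_iface != self.out_iface:
            return pkt                              # eg LAN-to-LAN traffic is left alone
        nat_addr = self.iface_addr[out_iface]
        nat_port = self.next_port
        self.next_port += 1
        self.table[(nat_addr, nat_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=nat_addr, sport=nat_port)

    def prerouting_reply(self, pkt: Packet) -> Optional[Packet]:
        """Reverse translation for a reply. The kernel does this from the
        connection-tracking entry, not from a separate rule."""
        orig = self.table.get((pkt.dst, pkt.dport))
        if orig is None:
            return None                             # nothing inside asked for this
        return replace(pkt, dst=orig[0], dport=orig[1])


def run_demo():
    """Constructed lab-like exchange: client 192.168.1.2 behind a router whose
    ppp0 currently holds 203.0.113.77, talking to a web server."""
    nat = Masquerader("ppp0")
    nat.set_address("ppp0", "203.0.113.77")
    out = nat.postrouting(Packet("192.168.1.2", 40000, "198.51.100.20", 80), "ppp0")
    reply = nat.prerouting_reply(Packet("198.51.100.20", 80, out.src, out.sport))
    stray = nat.prerouting_reply(Packet("198.51.100.20", 80, "203.0.113.77", 2222))
    lan = nat.postrouting(Packet("192.168.1.2", 40001, "192.168.1.1", 22), "eth1")
    return out, reply, stray, lan


if __name__ == "__main__":
    for p in run_demo():
        print(p)
```

The `stray` case is the side benefit of masquerading: an inbound packet to the public address that matches no mapping has nowhere to go, so nothing on the private network is reachable from outside unless a rule is written to forward it.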

Slide 22/24 - Easing rule writing

  • iptables rules are quite hard to write!
  • Firewall Builder
    • On ADIOS, and can be downloaded for Windows
    • It creates rules in a generalised XML format and then compiles them into rules for a specific platform (eg iptables on Linux)
    • Although the tool is available for Windows too, the actual firewall will always be on Linux

Slide 23/24 - The lab

  • Build a test environment
  • Apply Linux firewalls
  [Diagram: Public address -- NAT Router A (Linux) 192.168.a.1 -- Client (Linux or Windows) 192.168.a.2]

Slide 24/24 - Virtual machines to the rescue

  • User Mode Linux (UML)