Dr. Igor Santos. Firewalls ▪ Types of firewall ▪ Packet filtering vs. Application filtering ▪ 'Stateless' vs. 'Stateful' ▪ Netfilter/IPTables ▪ IDS

  • Slide 1

Slide 1: Dr. Igor Santos

Slide 2
▪ Firewalls
  ▪ Types of firewall
  ▪ Packet filtering vs. Application filtering
  ▪ 'Stateless' vs. 'Stateful'
  ▪ Netfilter/IPTables
▪ IDS
  ▪ NIDS
  ▪ HIDS
▪ VPN

Slide 3: Firewalls

Slide 4
▪ A system that filters traffic between networks, at least two of them
▪ It can be a physical device or software running on an operating system
▪ A device with two or more network interfaces on which filtering rules are established; with them it decides whether a connection can be established or not

Slide 5
▪ A firewall system contains a set of default rules to:
  ▪ Authorize the connection (allow)
  ▪ Block the connection (deny)
  ▪ Reject the connection request without informing the sender (deny / ignore)

Slide 6: Types regarding functionality
▪ Network-layer packet filtering
  ▪ Works at the network layer (layer 3)
  ▪ Often also allows filtering at the transport layer (layer 4) or the data link layer (layer 2)
▪ Application layer
  ▪ Works at the application layer (layer 7)
  ▪ Application proxy firewall, e.g. HTTP traffic filtered by URL (PROXY)

Slide 7 (diagram): OSI layers and the header each firewall type inspects
▪ Application-layer firewall: Application / Presentation / Session (HTTP URL)
▪ Packet-filtering firewall: Transport (protocol + port), Network (IP), Link (MAC), Physical

Slide 8: Software firewalls
▪ Software that runs on a general-purpose operating system
▪ Advantages
  ▪ Highly customizable settings
  ▪ Inexpensive, flexible and omnipresent hardware
▪ Disadvantages
  ▪ Difficult to fortify
  ▪ Several require specific hardware

Slide 9: Hardware firewalls
▪ Consists of a black box or 'appliance'
▪ Advantages
  ▪ Offers more security (depending on the reliability of the manufacturer)
▪ Disadvantages
  ▪ More expensive
  ▪ Less flexible / customizable

Slide 10 (diagram): Scheme of a typical firewall between the local network and the Internet

Slide 11 (diagram): Scheme of a firewall between the LAN and the Internet with a DMZ zone for exposed servers

Slide 12 (diagram): Scheme of a firewall between the LAN and the Internet with a DMZ zone for exposed servers, created with a double (perimeter) firewall

Slide 13: Stateless firewalls
▪ Analyzes network traffic and filters packets based on source and destination addresses and other static values (network layer, level 3)
▪ Doesn't process patterns or data streams
▪ Uses simple rules

Slide 14
▪ It does not understand the concept of a TCP connection
▪ It does not take into account the possibility of receiving a packet that claims to be something that has not been asked for
  ▪ E.g.: an ACK from source port 80 to port 22
▪ Examples of 'stateless' firewall rules:
  ▪ Allow IP packets with source network 10.0.0.0/8
  ▪ Allow UDP packets with destination port 53

Slide 15: Stateful firewalls
▪ It does understand the concept of a TCP connection
▪ The conditions of the rules can be specified in terms of connections, not only in terms of packets
▪ For example:
  ▪ Allow related packets through established connections from the internal network
  ▪ Allow incoming connections to port 80 (HTTP)

Slide 16: Security policies
▪ Deny: the default is to deny everything except those communications that are expressly authorized
▪ Accept: accept everything and reject only the explicitly forbidden communications
▪ Deny is the safest; however, it requires a precise and restrictive specification of the allowed communications

Slide 17: Netfilter/IPTables
▪ 'Stateful' packet-filtering firewall
▪ Netfilter is the part in the kernel and is responsible for packet filtering
▪ iptables is the user-space tool used to manage Netfilter
▪ Firewalls created this way are just shell scripts with many calls to the iptables command

Slide 18: iptables usage
▪ iptables receives a packet, analyzes its headers and sends it to one of its treatment chains
▪ Once the packet is in a chain, the rules and policies of that chain are checked; as soon as one is satisfied, the associated action is executed (typically ACCEPT, REJECT or DROP)
▪ The order in which rules are written is very important: if the packet does not match the first rule, the next one is checked

Slide 19
▪ The changes performed with iptables are not permanently stored in any file
▪ The rules must be written in a shell script that is run at startup

Slide 20: Three important chains
▪ INPUT: incoming packets whose destination address is our firewall and which are not modified by NAT
▪ OUTPUT: outgoing packets
▪ FORWARD: packets whose source or destination is not the firewall itself but which pass through it, and which may or may not be modified (e.g. by doing NAT: Network Address Translation)

Slide 21 (diagram): Very simplified diagram of what happens when a packet arrives at iptables

Slide 22: Example
▪ A TCP packet arrives at port 80 of our machine
▪ iptables sends this packet to the INPUT chain, because it is an input packet for our machine
▪ In the INPUT chain there is no rule defined for port 80, so the policy of INPUT is applied, which is DROP (discard)

Slide 23
▪ Set the default policy (ACCEPT or DROP) for a chain (INPUT, OUTPUT, FORWARD):
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT

Slide 24: Parameters to add rules to a chain
▪ -A: adds a rule to a chain (at the end)
▪ -s: IP of the source machine of a packet
▪ -d: IP of the destination machine of a packet
▪ -i: interface through which the packet arrives
▪ -o: interface through which the packet is sent

Slide 25
▪ -p: IP protocol of the packet (tcp, udp, icmp)
▪ --sport: source port of the packet
▪ --dport: destination port of the packet
▪ -j: determines what to do with the packets that match a rule (ACCEPT, DROP, REJECT)
▪ -L: displays the current firewall rules

Slide 26
▪ Allow access to our web server:
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
▪ Allow access to our FTP server:
    iptables -A INPUT -p tcp --dport 21 -j ACCEPT
▪ Add a rule to deny all the output packets directed to the IP 80.90.1.30:
    iptables -A OUTPUT -d 80.90.1.30 -j DROP

Slide 27
▪ Add a rule so that our machine cannot be pinged:
    iptables -A INPUT -p icmp -j DROP
▪ Allow the machine with IP 192.168.1.2 to connect to our machine through SSH:
    iptables -A INPUT -s 192.168.1.2 -p tcp --dport 22 -j ACCEPT
    iptables -A OUTPUT -d 192.168.1.2 -p tcp --sport 22 -j ACCEPT

Slide 28: Tutorial
▪ http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html
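The deck says an iptables firewall is just a startup shell script with a deny-by-default policy and ordered rules. The script below is an added example (not from the slides) that puts the slides' own rules together as a stateful rule set using the conntrack match; it prints the commands by default (IPT="echo iptables") and only applies them when run as root with IPT=iptables.

```shell
#!/bin/sh
# Added example: a deny-by-default, stateful iptables rule set built from the
# rules on the slides. Dry-run unless IPT=iptables is set in the environment.
IPT="${IPT:-echo iptables}"

fw_rules() {
  $IPT -F                        # start from an empty filter table
  $IPT -P INPUT DROP             # "deny" policy: drop unless a rule allows it
  $IPT -P FORWARD DROP           # this host does not route for others
  $IPT -P OUTPUT ACCEPT

  $IPT -A INPUT -i lo -j ACCEPT  # local processes talking to themselves

  # Stateful part: replies to connections this host opened are accepted
  # here, before any per-service rule (order matters, first match wins).
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Packets that belong to no known connection, e.g. a stray ACK from
  # source port 80 to port 22: the case a stateless filter cannot detect.
  $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP

  # Services from the slides: web to everyone, SSH only from the admin host.
  $IPT -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
  $IPT -A INPUT -p tcp -s 192.168.1.2 --dport 22 -m conntrack --ctstate NEW -j ACCEPT

  # Do not answer ping (slide 27); anything else hits the DROP policy.
  $IPT -A INPUT -p icmp --icmp-type echo-request -j DROP

  # Outbound example from slide 26: never talk to this address.
  $IPT -A OUTPUT -d 80.90.1.30 -j DROP
}

# Helpers for inspecting the generated rule set in dry-run mode.
input_policy() { fw_rules | sed -n 's/^iptables -P INPUT //p'; }
count_chain_rules() { fw_rules | grep -c "^iptables -A $1 "; }

fw_rules
```

Because OUTPUT defaults to ACCEPT here, the separate `--sport 22` OUTPUT rule from slide 27 is not needed; the ESTABLISHED rule also makes the per-service reply rules unnecessary.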
Slide 29: Intrusion Detection System (IDS)

Slide 30: IDS: Intrusion Detection System
▪ Program used to detect unauthorized accesses to a computer or a network
▪ It is based on network traffic analysis
▪ They usually have a database of patterns or signatures of known attacks
▪ It neither protects nor filters, it only detects

Slide 31: Two types
▪ Network Intrusion Detection System (NIDS)
▪ Host-Based Intrusion Detection System (HIDS)

Slide 32: NIDS
▪ Uses packet sniffers (sensors) to capture network traffic
▪ The content of each packet is analyzed for malicious patterns
▪ The sensors are usually located at critical points of the network that have to be monitored:
  ▪ The DMZ
  ▪ Network endpoints

Slide 33 (diagram): NIDS pipeline
▪ Network traffic → read the traffic → packet optimized for the engine → rule engine (RULES) searches for a pattern → a pattern matches → alert detected
▪ Actions on an alert: notify by e-mail; store in a DB or plain text; filter the attacker's IP in the firewall (IPS)

Slide 34: Example NIDS: Snort
▪ Works as a network sniffer
▪ Detects attacks on the basis of a set of rules
▪ Saves the alerts in a MySQL database
▪ http://www.snort.org

Slide 35: Managing and viewing alerts
▪ ACID - Analysis Console for Intrusion Databases

Slide 36: HIDS
▪ The sensor consists of a software agent that monitors all the activity on the host on which it is installed
▪ It searches local information sources on the host, such as:
  ▪ System logs
  ▪ User sessions
  ▪ Privileged user activities
  ▪ Changes to the file system
  ▪ ...

Slide 37: Example HIDS: OSSEC
▪ Free, open-source host-based intrusion detection system (HIDS)
▪ Performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerts, ...
▪ Available for Linux, OpenBSD, FreeBSD, Mac OS X, Solaris and Windows
▪ http://www.ossec.net

Slide 38: IDS problems
▪ False positives and false negatives
▪ Its effectiveness depends largely on its configuration
▪ They are not easy to implement

Slide 39: Other approaches
▪ IPS (Intrusion Prevention System): besides detection, it takes action
▪ Event correlator: security knowledge inferred from IDS, IPS, firewalls, AV, etc.

Slides 40-41: VPN - Virtual Private Network

Slide 42: VPN: Virtual Private Network
▪ Technology that allows implementing a local area network (LAN) within a wide area network (the Internet, for example) securely
▪ It requires:
  ▪ Encapsulated traffic (IP over TCP, for example)
  ▪ Traffic encryption
  ▪ Traffic compression

Slide 43: Advantages
▪ Comfortable for end users
▪ Cheaper than a dedicated node
▪ High level of scalability (e.g. going from 2 to 10 nodes)
▪ Security

Slide 44: Disadvantages
▪ Overload on the client side (encapsulation, encryption, data compression)
▪ Less reliable than a dedicated node
▪ More complex credential management (certificates)
▪ The VPN server can easily suffer DoS attacks (by overloading the cryptography)

Slide 45: VPN types
▪ Remote access VPN (road warriors): remote and dispersed clients connected to a corporate LAN through a VPN server
▪ Point-to-point VPN: two or more nodes remotely interconnected over the Internet through encrypted tunnels
▪ VPN over LAN: implements a secure LAN within a LAN that is considered unsafe (e.g. the Academic Management network within the University network)

Slide 46: Typical protocols
▪ PPTP: Point-to-Point Tunneling Protocol
▪ L2F: Layer-2 Forwarding (Cisco)
▪ L2TP: Layer-2 Tunneling Protocol
▪ IPSec: Internet Protocol Security
▪ SSL/TLS: Secure Sockets Layer / Transport Layer Security
▪ SSH: Secure Shell
▪ The de facto standard is IPSec, although the others are used because they are more straightforward to implement

Slide 47: Encrypted tunnels with SSH
▪ SSH (Secure Shell) encrypts every connection
▪ Allows port forwarding
▪ It is possible to create encrypted tunnels for insecure protocols
▪ Example: HTTP
  ▪ HTTP traffic is encapsulated in the SSH protocol
  ▪ All HTTP traffic is encrypted

Slide 48: Tools
▪ putty (Windows): http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
▪ ssh (Unix): aptitude install ssh

Slides 49-51 (screenshots, no text)

Slide 52 (screenshot): Client configuration of putty

Slide 53 (screenshot, no text)

Slide 54 (screenshot): Firefox configuration

Slide 55: Images
▪ http://www.flickr.com/photos/jmam/2810270475
▪ http://www.meh.ro/2010/12/26/its-a-trap-wallpaper/
▪ http://www.flickr.com/photos/twicepix/2825051329
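Slides 47-54 show the PuTTY and Firefox screens for tunnelling HTTP over SSH but not the command-line equivalent. The script below is an added example (not from the slides) that opens a SOCKS tunnel with OpenSSH's dynamic forwarding and checks that an HTTP request really goes through it; the server name alice@gateway.example.org is an assumed placeholder.

```shell
#!/bin/sh
# Added example: browser traffic over an SSH SOCKS tunnel (Unix version of
# the PuTTY + Firefox setup in the deck). Host and user are placeholders.
SSH_HOST="${SSH_HOST:-alice@gateway.example.org}"
SOCKS_PORT="${SOCKS_PORT:-1080}"

# Accept only a numeric, unprivileged TCP port for the local listener.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Build the ssh command line: -N (no remote shell), -f (background after
# authentication), -D bound to 127.0.0.1 only so other hosts on the LAN
# cannot use the tunnel, and ExitOnForwardFailure so ssh does not stay up
# silently without the forwarding that the browser depends on.
tunnel_cmd() {
  valid_port "$2" || return 1
  printf 'ssh -N -f -o ExitOnForwardFailure=yes -D 127.0.0.1:%s %s\n' "$2" "$1"
}

# Start the tunnel and fetch a page through it. --socks5-hostname makes curl
# resolve the name on the SSH server side, so DNS queries do not leave the
# client in the clear (the Firefox equivalent is "Proxy DNS when using SOCKS v5").
start_tunnel() {
  cmd=$(tunnel_cmd "$SSH_HOST" "$SOCKS_PORT") || { echo "bad port" >&2; return 1; }
  $cmd
  curl -sS --socks5-hostname "127.0.0.1:$SOCKS_PORT" -o /dev/null \
       -w '%{http_code}\n' http://example.com/
}

if [ "${1:-}" = "up" ]; then
  start_tunnel
fi
```

Run as `sh tunnel.sh up` (assumed file name) to open the tunnel; the functions alone have no side effects, so the script can be sourced for checking.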