Firewalls (11)


  • 8/10/2019 Firewalls (11)

    1/18

    Firewalls

    Philip MacCabe

    IT 461R

    September 28, 2004

    Heavily borrowing and sometimes outright stealing information from
    Internet Firewalls: Frequently Asked Questions
    by Paul Robertson, Matt Curtin, and Marcus Ranum
    http://www.interhack.net/pubs/fwfaq/firewalls-faq.html

    Creative Commons Attribution-NonCommercial-ShareAlike License, Philip MacCabe, 28 September 2004
    http://creativecommons.org/licenses/by-nc-sa/2.5/
    http://www.maccabe.org/

    What is a Firewall?

    A system to enforce an access control policy between two or more networks.

    Types of Firewalls

    Network Layer
      Faster
      Less ability to perform sophisticated packet examination

    Application Layer
      Slower
      More complex packet examination

    Hybrid
      The spectrum in between
      Most current firewalls are somewhere in this category


    Terminology

    Access Router: A router that provides a connection to an external network.

    Bastion Host: A system that has been hardened to resist attack, because it is expected to come under attack.

    Defense in Depth: A security approach where all network-connected systems are secured as much as possible, rather than relying on the perimeter alone.

    DMZ: DeMilitarized Zone, a network segment separated from the internal network by the firewall (between the access router and the inner firewall, or on its own firewall interface) for externally accessible hosts. These hosts should be bastion hosts.

    Proxy: A software agent that acts on behalf of a user or another device, usually providing some sort of authentication.

    Screening Router: A router configured to allow or deny access based on a set of rules configured by an administrator.


    Firewall Topologies

    [Topology diagrams omitted; images from Iptables Tutorial 1.1.19]


    Why do we need Firewalls?

    To limit access to internal networks and network services.

    As a security blanket for managers.

    Historically, firewalls have acted as sources for public information for a network or organization.


    Designing a Firewall: Planning

    What is the purpose of the Firewall? Somewhere on the spectrum from
      Limit Service [-------------------] Monitor & Audit

    Establish your risk level: How paranoid are you?

    Determine how much monitoring and redundancy you need.

    Financial & Management
      Who pays and how?
      Who is responsible for implementation? For maintenance?


    Technical Planning

    Network Level, Application Level or Both?

    Network Level: Screening Router
      Usually faster at processing data

    Application Level: Exposed Proxy Server
      Better auditing is possible
      A proxy must be configured for each service

    Both
      Security of both, but with overhead in cost and configuration

    Ease of Use vs. Security


    Network Layer Firewall

    Filters based on addressing and control information, the "envelope" of the packet (source and destination addresses, protocol, ports, flags).

    Denies traffic on certain ports or from certain address ranges.

    Imposes limitations on packets to ensure they don't overwhelm the network (TTL, packet size).


    Application Layer Firewall

    Proxy servers for each service allowed through the firewall.

    Used when it is necessary to filter based on content, the "letter" in the packet.

    Can be used to detect and prevent known exploits of particular protocols.

    Acts as a man in the middle: the client talks to the proxy and the proxy opens its own connection to the server, so no packet crosses the firewall unexamined.


    netfilter/iptables
    http://www.netfilter.org/

    Linux firewall implementation toolset.

    Provides packet filtering, connection tracking, NAT, port forwarding.

    Provides tables of rules through which packets are passed to determine what to do with them.

    Inside a table there are chains of rules which a packet must traverse before being sent on its way; the first matching rule with a terminating target decides, otherwise the chain's default policy applies.

    Provides an API for applications to interact with and manage firewall configuration.


    Netfilter Architecture
    http://www.netfilter.org/documentation/HOWTO//netfilter-hacking-HOWTO-3.html

    --->PRE------>[ROUTE]--->FWD---------->POST------>
        Conntrack    |       Mangle   ^    Mangle
        Mangle       |       Filter   |    NAT (Src)
        NAT (Dst)    |                |    Conntrack
        (QDisc)      |             [ROUTE]
                     v                |
                     IN Filter       OUT Conntrack
                     |  Conntrack     ^  Mangle
                     |  Mangle        |  NAT (Dst)
                     v                |  Filter

    Packets arriving from the network enter at PRE (PREROUTING), are routed either to IN (INPUT, delivered locally) or to FWD (FORWARD), and leave through POST (POSTROUTING); locally generated packets enter at OUT (OUTPUT). Under each hook are the tables consulted at that point, in order.


    iptables

    filter: rules for DROPping or ACCEPTing packets; this is the default table.
      INPUT, FORWARD, and OUTPUT chains

    mangle: rules for altering packets (TTL, TOS, marks).
      PREROUTING, OUTPUT, and POSTROUTING chains, plus INPUT and FORWARD on kernels 2.4.18 and later

    nat: rules that perform NAT on packets; consulted only for the first packet of a connection, conntrack applies the result to the rest.
      PREROUTING, POSTROUTING, and OUTPUT chains (an INPUT chain was added in later kernels)


    Some Example Commands
    http://iptables-tutorial.frozentux.net/iptables-tutorial.html

    iptables -A INPUT -p tcp --dport 80 -j DROP
      (--dport is a tcp/udp match option, so -p tcp is required; without it iptables rejects the rule)

    iptables -D INPUT 1 (rules are numbered within a chain, starting at 1)

    iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 194.236.50.155-194.236.50.160:1024-32000

    iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-set 64

    iptables -A INPUT -p tcp --dport 22 -j ULOG --ulog-prefix "SSH connection attempt: "
      (ULOG was removed from the kernel in 3.17; use NFLOG, or LOG for syslog, on current systems)
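    The commands above are isolated rules. The script below puts the filter and nat tables from the previous slides together into one small stateful ruleset for a box with a public interface and a private LAN behind it. It is an added example, not code from the slides or from the iptables tutorial they cite; the interface names eth0/eth1, the admin network 192.0.2.0/24 and the SNAT address 198.51.100.10 (RFC 5737 documentation ranges) are assumptions, and setting IPT=echo prints the rules instead of applying them, which needs root.

```shell
#!/bin/sh
# Added example: stateful host/gateway ruleset built from the filter and
# nat tables. Assumed (not from the slides): WAN on eth0, LAN on eth1,
# admin range 192.0.2.0/24, public address 198.51.100.10.
# IPT=echo turns every command into a dry run that prints the rule.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"
PUBLIC_IP="${PUBLIC_IP:-198.51.100.10}"

# Empty every built-in table and start from default-deny on INPUT and FORWARD.
reset_firewall() {
    for t in filter nat mangle; do
        "$IPT" -t "$t" -F
        "$IPT" -t "$t" -X
    done
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
}

# Traffic addressed to the firewall itself (filter table, INPUT chain).
host_rules() {
    # Loopback and already-tracked flows first: one conntrack rule accepts
    # the bulk of legitimate traffic before any per-service rule is evaluated.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Envelope check: a loopback source must never arrive on the WAN side.
    "$IPT" -A INPUT -i "$WAN_IF" -s 127.0.0.0/8 -j DROP
    # Service policy: HTTP from anywhere, SSH only from the admin range.
    # --dport needs a protocol (-p tcp), as with the slide's first command.
    "$IPT" -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    "$IPT" -A INPUT -p tcp --dport 22 -s "$ADMIN_NET" -m conntrack --ctstate NEW -j ACCEPT
    # Log other SSH attempts (rate-limited so a scan cannot fill the log), then drop.
    "$IPT" -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m limit --limit 5/min -j LOG --log-prefix "SSH connection attempt: "
    "$IPT" -A INPUT -p tcp --dport 22 -j DROP
    # Rate-limited echo requests keep the host diagnosable without making it a ping sink.
    "$IPT" -A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
}

# Traffic routed between LAN and WAN (filter FORWARD chain and nat POSTROUTING).
gateway_rules() {
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # Only connections initiated from the LAN side are forwarded out.
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m conntrack --ctstate NEW -j ACCEPT
    # Source NAT the LAN behind the public address (the slide's SNAT, one address).
    "$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -j SNAT --to-source "$PUBLIC_IP"
}

apply_firewall() {
    reset_firewall
    host_rules
    gateway_rules
}

# Usage: sh firewall.sh apply      (as root)
#        IPT=echo sh firewall.sh apply   (print the rules only)
if [ "${1:-}" = "apply" ]; then
    apply_firewall
fi
```

    Order matters inside a chain: the ESTABLISHED,RELATED rule sits before the service rules so that return traffic and reply packets never reach the per-port policy, and the SSH LOG rule sits before the SSH DROP because LOG is a non-terminating target and the packet continues down the chain.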


    Other Sources of Information on the Internet

    Site Security Handbook: an informational RFC (RFC 2196) that describes the basic issues that must be addressed for building good site security. Firewalls are one part of a larger security strategy, as the Site Security Handbook shows.
    http://www.rfc-editor.org/rfc/rfc2196.txt

    Firewalls Mailing List: the Internet firewalls mailing list is a forum for firewall administrators and implementors.
    http://www.isc.org/index.pl?/ops/lists/firewalls/

    Firewall-Wizards Mailing List: a moderated firewall and security related list that is more like a journal than a public soapbox.
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

    Firewall HOWTO: describes exactly what is needed to build a firewall, particularly using Linux.
    http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html

    TIS Firewall Toolkit (FWTK) & Firewall Papers

    Marcus Ranum's Firewall Publications
    http://www.ranum.com/pubs/

    Texas A&M University Security Tools
    http://www.net.tamu.edu/ftp/security/TAMU/

    COAST Project Internet Firewalls Page
    http://www.cerias.purdue.edu/coast/firewalls/

    Iptables Tutorial 1.1.19: Oskar Andreasson explains how to set up and configure a firewall using netfilter/iptables.
    http://iptables-tutorial.frozentux.net/iptables-tutorial.html

    Other Sources in Print


    Obligatory "Any Questions?" Slide