Firewalls: General Principles & Configuration (in Linux)
Bruhadeshwar Bezawada
International Institute of Information Technology, Hyderabad


Overview
- General Principles of Firewalls
- Types
- Issues in design and deployment
- Rules, conflicts and performance issues
- Configuration
  - IPTables
  - IPChains

Relevant OSI Layers for Firewall Operation

General Principles of Firewalls
- Network firewalls are devices or systems that control the flow of network traffic between networks employing different security postures
- One usage is to limit/control connectivity to the Internet
- Another usage in corporate networks is to restrict connectivity to and from internal networks servicing more sensitive functions, like the accounting or personnel department
- Firewalls operate at different layers in the network
- Firewalls that can examine information at more than one layer are more thorough and effective
- A firewall that works with layers 2 and 3 does not deal with specific users
- A firewall at the application layer, like an application-proxy gateway firewall, can enforce user authentication as well as log events to specific users.

Add-ons Supported by Firewalls
- NAT, DHCP, encryption for VPNs, and application content filtering
- Firewalls support DHCP so as to allocate IP addresses for those systems that will be the subject of the firewall's security control, and to simplify network management
- Firewalls can act as VPN gateways, where the gateway is responsible for encrypting traffic that is leaving its boundary and destined to other systems in the VPN
- Active content filtering: the firewall is capable of filtering actual application data at layer 7
  - For example, scanning email attachments for viruses, filtering out active content in technologies like Java, JavaScript, ActiveX
  - Can filter on content or key words to restrict access to inappropriate sites or domains.

Types of Firewalls
- Packet Filters
- Stateful Inspection Firewalls
- Application-proxy Gateway Firewalls
- Dedicated proxy servers
- Hybrid Firewalls
- Network Address Translation (NAT)

Packet Filters

Packet Filter Firewalls
- Packet filters operate at layer 2/3 of OSI
- The basic functionality is designed to provide network access control based on the information at the network layer:
  - source address of the packet, the IP address from which the packet originated
  - destination address of the packet, i.e., the IP address where it is going
  - type of traffic, i.e., the specific network protocol being used to communicate between source and destination
  - source and destination ports
  - incoming and outgoing interfaces for the packet
- Filter by type of traffic, e.g., ICMP traffic (the layer 3 protocol is ICMP)
- Prevent attacks that exploit weaknesses in the TCP/IP suite
- The access control functionality of a packet filter is decided by a set of directives called a ruleset

Boundary Router
- Packet filters are also called boundary routers
- Packet filter gateways have both speed and flexibility: as they examine a limited amount of data, they can operate very quickly
- The ability to block attacks, filter unwanted protocols, perform access control, and block denial-of-service and related attacks makes them ideal to be placed at the outermost boundary with an untrusted network.
- E.g., the boundary router accepts packets from untrusted networks and performs access control according to the policy in place, say, block SNMP, permit HTTP, block ICMP etc.
- The boundary router will pass the packets to a more powerful firewall that can perform access control and filtering at higher layers of the OSI stack

Boundary Router

Sample Packet Filter Ruleset

Examining the Rule Set
Some notes on the ruleset
- 192.168.1.0 indicates all addresses in the range 192.168.1.0 to 192.168.1.254 (the firewall has interface 192.168.1.1)
- Examines source port, destination port, source address, destination address, basically all information that is necessary for examining the rules in the ruleset
- Actions taken are
  - Accept: the firewall passes the packet through the firewall as requested
  - Deny: drops the packet. An error message is returned to the sending system
  - Discard: drops the packet and does not return an error to the source system
- Example
  - Rule 1 allows any TCP connections from outside
  - Rule 3 says deny any attempts to connect to the firewall from outside
  - Rules 5, 6 say allow packets going to the SMTP (192.168.1.2) and HTTP (192.168.1.3) servers
  - The last rule is the default: if packets don't match any of the above they are denied
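The first-match evaluation, the three actions and the default deny described above, as an added example that is not part of the slides. The ruleset below is constructed for illustration (it is not the slide's sample ruleset): the firewall owns 192.168.1.1, SMTP is on 192.168.1.2 and HTTP on 192.168.1.3, and "ext" is the assumed name of the outside interface. It also includes a check for the ordering conflict the overview lists under "rules, conflicts": a broad accept placed before a narrower deny shadows it, so the deny can never fire.

```python
"""Toy first-match packet-filter rule evaluator (added example, not from the slides)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int      # 0 for protocols without ports
    iface: str      # interface the packet arrived on, e.g. "ext" or "int"


@dataclass(frozen=True)
class Rule:
    num: int
    action: str                # "accept", "deny" (drop, error to sender) or "discard" (silent drop)
    src: str = "0.0.0.0/0"     # source network
    dst: str = "0.0.0.0/0"     # destination network
    proto: str = "any"
    dports: tuple = ANY_PORTS  # inclusive destination-port range
    iface: str = "any"         # inbound interface


def matches(rule: Rule, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dports[0] <= pkt.dport <= rule.dports[1]
            and rule.iface in ("any", pkt.iface))


def evaluate(ruleset, pkt: Packet) -> dict:
    """First matching rule wins; a packet matching nothing hits the default deny."""
    for rule in ruleset:
        if matches(rule, pkt):
            return {"action": rule.action, "rule": rule.num,
                    "notify_sender": rule.action == "deny"}
    return {"action": "deny", "rule": None, "notify_sender": True}


def shadowed_rules(ruleset) -> list:
    """Rule numbers that can never fire because an earlier rule covers every packet they match."""
    def covers(a: Rule, b: Rule) -> bool:
        return (ip_network(b.src).subnet_of(ip_network(a.src))
                and ip_network(b.dst).subnet_of(ip_network(a.dst))
                and a.proto in ("any", b.proto)
                and a.dports[0] <= b.dports[0] and b.dports[1] <= a.dports[1]
                and a.iface in ("any", b.iface))
    return [b.num for i, b in enumerate(ruleset) if any(covers(a, b) for a in ruleset[:i])]


# Constructed ruleset (not the slide's): the firewall owns 192.168.1.1,
# SMTP lives on 192.168.1.2 and HTTP on 192.168.1.3; the default is deny.
RULESET = [
    Rule(1, "discard", proto="icmp", iface="ext"),                        # drop probes silently
    Rule(2, "deny", dst="192.168.1.1", iface="ext"),                      # no outside access to the firewall itself
    Rule(3, "accept", dst="192.168.1.2", proto="tcp", dports=(25, 25)),  # SMTP server
    Rule(4, "accept", dst="192.168.1.3", proto="tcp", dports=(80, 80)),  # HTTP server
]

# A broad accept ahead of a narrower deny is the classic ordering conflict.
MISORDERED = [
    Rule(1, "accept", dst="192.168.1.0/24", proto="tcp"),
    Rule(2, "deny", dst="192.168.1.1", proto="tcp", dports=(22, 22)),   # never reached
]

if __name__ == "__main__":
    for pkt in (Packet("203.0.113.9", "192.168.1.2", "tcp", 25, "ext"),
                Packet("203.0.113.9", "192.168.1.1", "tcp", 22, "ext"),
                Packet("203.0.113.9", "192.168.1.3", "tcp", 443, "ext"),
                Packet("203.0.113.9", "192.168.1.3", "icmp", 0, "ext")):
        print(pkt, "->", evaluate(RULESET, pkt))
    print("shadowed in MISORDERED:", shadowed_rules(MISORDERED))
```

Deny and discard differ only in whether the sender learns anything: `notify_sender` is the bit a real filter would turn into an ICMP error or TCP reset. Running `shadowed_rules` over a ruleset before loading it catches the misordering that the "improper configuration" weakness on the next slide refers to.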

Weaknesses
- As they don't examine upper-layer data, they cannot prevent attacks that employ application-specific vulnerabilities or functions
  - For example, they cannot block specific application commands: if a packet filter firewall allows a given application, all functions available from that application will be permitted
- Logging functionality is limited as packet filter firewalls work on a small amount of data
- Most packet filters do not support advanced user authentication schemes
- Vulnerable to attacks and exploits that take advantage of problems within the TCP/IP specification and protocol stack, such as IP spoofing
- Due to the small number of variables used in access control decisions, packet filter firewalls are susceptible to security breaches caused by improper configuration
- These firewalls are suitable for high-speed environments where logging and user authentication with network resources are not important

Stateful Inspection Firewalls

Stateful Inspection Firewalls
- Address some functionalities of the TCP layer
- Many clients connect to remote systems from high-numbered ports
  - E.g., the client port is >1023 in most cases
  - A packet filter firewall must allow all communication to happen above this port
  - Allowing so many ports leaves the network vulnerable
- A stateful inspection firewall solves this problem by adding the state information of the relevant TCP connection
  - Only ports having legitimate TCP connections are allowed
  - A state table is maintained for every connection

Sample State Table
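The state table described above, as an added example that is not part of the slides. The table is keyed so that both directions of a connection hit the same entry; an entry is created only by a bare SYN that arrives on the inside interface from an internal address (the interface check is an assumption added here to defeat spoofed internal sources), and it is removed on RST, after both sides have sent FIN, or after an assumed idle timeout. `stateless_allows` shows what a pure packet filter has to permit instead: every destination port above 1023.

```python
"""Toy TCP state table for a stateful inspection firewall (added example, not from the slides)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # subset of {"SYN", "ACK", "FIN", "RST"}
    iface: str         # "int" if it arrived on the inside interface, "ext" otherwise
    ts: float          # arrival time in seconds


class StateTable:
    IDLE_TIMEOUT = 300.0   # assumed value: forget a connection silent for this long

    def __init__(self, internal_net: str):
        self.internal = ip_network(internal_net)
        # canonical endpoint pair -> {"last": last activity, "fins": endpoints that sent FIN}
        self.entries = {}

    @staticmethod
    def key(seg: Segment) -> tuple:
        # Both directions of one connection map to the same key
        return tuple(sorted([(seg.src, seg.sport), (seg.dst, seg.dport)]))

    def expire(self, now: float) -> None:
        stale = [k for k, e in self.entries.items() if now - e["last"] > self.IDLE_TIMEOUT]
        for k in stale:
            del self.entries[k]

    def handle(self, seg: Segment) -> str:
        """Decide 'accept' or 'deny' for one segment and update the table."""
        self.expire(seg.ts)
        k = self.key(seg)
        entry = self.entries.get(k)
        if entry is not None:
            entry["last"] = seg.ts
            if "RST" in seg.flags:
                del self.entries[k]                      # connection aborted
            elif "FIN" in seg.flags:
                entry["fins"].add((seg.src, seg.sport))
                if len(entry["fins"]) == 2:              # both sides have closed
                    del self.entries[k]
            return "accept"
        # A new entry is created only for a bare SYN that really came from inside:
        # the interface check stops an outsider spoofing an internal source address.
        if (seg.iface == "int" and ip_address(seg.src) in self.internal
                and seg.flags == frozenset({"SYN"})):
            self.entries[k] = {"last": seg.ts, "fins": set()}
            return "accept"
        return "deny"


def stateless_allows(seg: Segment) -> bool:
    """What a pure packet filter must permit so that replies reach clients on ephemeral ports."""
    return seg.dport > 1023


if __name__ == "__main__":
    st = StateTable("192.168.1.0/24")
    S = frozenset
    print(st.handle(Segment("192.168.1.10", 40000, "203.0.113.5", 80, S({"SYN"}), "int", 0.0)))        # accept
    print(st.handle(Segment("203.0.113.5", 80, "192.168.1.10", 40000, S({"SYN", "ACK"}), "ext", 0.1)))  # accept
    probe = Segment("203.0.113.5", 80, "192.168.1.10", 40001, S({"SYN"}), "ext", 0.2)
    print(st.handle(probe), stateless_allows(probe))                                                     # deny True
```

The unsolicited inbound SYN to port 40001 is the case the slide is about: a stateless filter that must let replies through has to accept it, while the state table rejects it because no inside host ever opened that connection.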

Application-Proxy Gateway Firewalls

Application-proxy Gateway Firewalls
- Combine application layer information with lower layer information for filtering purposes
- Application proxies take over the routing task of packets from inside and outside the network
  - If it fails, no packets can pass through the firewall
  - All network packets must traverse the firewall under software control
- Each individual application proxy (proxy agent) interfaces directly with the firewall access control ruleset to determine whether given traffic should be permitted to transit the firewall
- Authentication of each user is possible based on login/password, source address, biometrics etc.

Advantages Over Previous Firewalls
- They have more extensive logging capabilities as the entire packet is examined
  - E.g., malicious commands like su – root from outside can be logged
- They allow administrators to enforce the required authentication based on the security policy of the organization
- IP spoofing can be detected as the attackers need to know more information such as login and password

Typical Proxy Agents

Disadvantages
- Needing to read the entire packet makes these firewalls slow
  - Not suited for high-bandwidth or real-time applications
  - Some work is often offloaded to dedicated proxy servers
- They are not flexible in supporting new network applications and protocols
  - They ship with generic support
  - This can allow malicious traffic to tunnel through these generic applications without check

Dedicated Proxy Servers
- Proxy servers are deployed behind traditional firewalls
- The main firewall will accept inbound traffic and forward the traffic to the proxy, if that application is handled by the proxy
  - E.g., email proxy server
- Proxy servers can also accept outbound traffic from internal systems
  - Filter or log the traffic accordingly
  - E.g., HTTP proxy that is behind the firewall
- Dedicated proxies allow enforcement of user authentication requirements in addition to filtering and logging
  - Prevent email viruses
  - Protect web server updates from internal users

Email and Content Scanning
- Java applet or application filtering (based on digital signature availability)
- ActiveX control filtering (same as above)
- JavaScript filtering (eliminating cross-site scripting attacks)
- Blocking specific Multipurpose Internet Mail Extensions (MIME) types
- Virus scanning and removal
- Application-specific commands like HTTP "delete"
- User-specific controls, including blocking content types for certain users
- Caching of web pages to reduce incoming traffic
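The kind of decision an HTTP proxy agent makes that a packet filter cannot, as an added example that is not part of the slides and not any particular proxy product's code: it parses the request line, refuses an application command (HTTP DELETE, as the list above mentions), blocks MIME types globally or per user, and writes one log record per decision, which is the "extensive logging" advantage claimed earlier. The blocked methods and MIME types are constructed policy values.

```python
"""Toy HTTP application-proxy policy with per-user controls and logging (added example, not from the slides)."""
from dataclasses import dataclass, field

ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}


@dataclass
class ProxyPolicy:
    blocked_methods: set = field(default_factory=lambda: {"DELETE"})                   # constructed policy
    blocked_mime: set = field(default_factory=lambda: {"application/x-msdownload"})   # blocked for everyone
    user_blocked_mime: dict = field(default_factory=dict)   # user -> MIME types blocked for that user
    log: list = field(default_factory=list)                  # one record per decision

    def _record(self, user: str, what: str, verdict: str, reason: str) -> str:
        self.log.append({"user": user, "what": what, "verdict": verdict, "reason": reason})
        return verdict

    def check_request(self, user: str, request_line: str) -> str:
        """Inspect the HTTP request line the authenticated user sent through the proxy."""
        parts = request_line.strip().split(" ")
        if len(parts) != 3 or not parts[2].startswith("HTTP/") or parts[0] not in ALLOWED_METHODS:
            return self._record(user, request_line, "block", "malformed request line")
        method, target, _ = parts
        if method in self.blocked_methods:
            return self._record(user, f"{method} {target}", "block", "method not permitted")
        return self._record(user, f"{method} {target}", "allow", "ok")

    def check_response(self, user: str, content_type: str) -> str:
        """Inspect the Content-Type of the server's reply before handing it to the client."""
        mime = content_type.split(";")[0].strip().lower()   # drop parameters such as charset
        if mime in self.blocked_mime:
            return self._record(user, mime, "block", "content type blocked for everyone")
        if mime in self.user_blocked_mime.get(user, set()):
            return self._record(user, mime, "block", "content type blocked for this user")
        return self._record(user, mime, "allow", "ok")


if __name__ == "__main__":
    policy = ProxyPolicy(user_blocked_mime={"intern": {"application/java-archive"}})
    policy.check_request("alice", "GET /index.html HTTP/1.1")
    policy.check_request("alice", "DELETE /index.html HTTP/1.1")
    policy.check_response("intern", "application/java-archive; charset=binary")
    for record in policy.log:
        print(record)
```

Because the proxy terminates the connection it sees the method, the target and the response content type, so each log record can name the user the packet filter on the earlier slides could not identify.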

Sample Proxy Configuration

Hybrid Firewall Technologies
- Combining basic packet filters with application-proxy gateway firewalls
- Combining stateful inspection firewalls with application-proxy functionality to offset weaknesses of existing stateful inspection firewalls

Network Address Translation
- Two reasons for NAT:
  - Hiding the real IP addresses in the network prevents many attackers from attacking individual systems
  - Depletion of IP address space has made NAT necessary for most organizations
- Three techniques
  - Static Address Translation
  - Hiding Network Address Translation
  - Port Address Translation

Static Address Translation
- Every internal IP has a different routable IP (fixed)
- Not very frequently used due to lack of IPs
- Very fast and scalable

Sample Table

Hiding NAT
- All internal IP addresses share the SAME external IP address
  - E.g., all systems connecting to the Internet through a proxy
- Those addresses that need to be reachable from outside will require their own external addresses, for efficiency purposes

Port Address Translation
- Forward inbound connections based on ports
- The client port is used to identify the connection, unlike NAT where the IP address is used to identify the connection
- Each internal connection gets a port from the firewall based on the connection
- When the response comes from outside, the firewall looks up the destination port and identifies the client

Sample PAT Table
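Static translation and port address translation side by side, as an added example that is not part of the slides. A few hosts get a fixed one-to-one external address (static, reachable from outside); every other host hides behind the single external address and is told apart by the port the firewall hands out per connection, which is what the PAT table on the slide records. All addresses and the starting port are constructed values.

```python
"""Toy NAT/PAT translator (added example, not from the slides)."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


class NatBox:
    """Static one-to-one mappings for a few servers; everything else hides behind one
    external IP and is told apart by the port the firewall assigns (PAT)."""

    def __init__(self, external_ip: str, static: Optional[dict] = None, first_port: int = 40000):
        self.ext = external_ip
        self.static = dict(static or {})                 # internal IP -> dedicated external IP
        self.rev_static = {v: k for k, v in self.static.items()}
        self.pat = {}                                    # (internal IP, port) -> external port
        self.rev_pat = {}                                # external port -> (internal IP, port)
        self.next_port = first_port

    def outbound(self, p: Pkt) -> Pkt:
        if p.src in self.static:
            return replace(p, src=self.static[p.src])    # static: only the address changes
        key = (p.src, p.sport)
        if key not in self.pat:                          # first packet of a connection: allocate a port
            port = self.next_port
            self.next_port += 1
            self.pat[key] = port
            self.rev_pat[port] = key
        return replace(p, src=self.ext, sport=self.pat[key])

    def inbound(self, p: Pkt) -> Optional[Pkt]:
        if p.dst in self.rev_static:                     # statically mapped hosts are reachable from outside
            return replace(p, dst=self.rev_static[p.dst])
        if p.dst == self.ext and p.dport in self.rev_pat:
            ip, port = self.rev_pat[p.dport]             # reply: look up the client by the assigned port
            return replace(p, dst=ip, dport=port)
        return None                                      # no mapping: unsolicited, dropped


if __name__ == "__main__":
    nat = NatBox("198.51.100.1", static={"192.168.1.3": "198.51.100.3"})
    print(nat.outbound(Pkt("192.168.1.10", 51000, "203.0.113.5", 80)))   # src becomes 198.51.100.1:40000
    print(nat.outbound(Pkt("192.168.1.11", 51000, "203.0.113.5", 80)))   # same client port, gets 40001
    print(nat.inbound(Pkt("203.0.113.5", 80, "198.51.100.1", 40001)))    # back to 192.168.1.11:51000
    print(nat.inbound(Pkt("203.0.113.5", 80, "198.51.100.1", 40002)))    # None: nobody asked for this
```

Two internal hosts using the same client port are disambiguated by the firewall-assigned port, not by their address, which is the difference between PAT and hiding NAT that the slide draws. The toy never frees PAT ports; a real box expires them with the connection state.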

Other Firewalls
- Host-based firewalls in Linux-based systems for application servers
  - The server application is protected better
  - Separate hardware/software is not necessary
- Personal Firewalls to protect PCs
- Personal Firewall Appliances for protecting small networks like ISP-client connections etc.
  - Integrate with the following devices: cable modems, routing modules, DHCP servers, hubs, switches, SNMP agents, application-proxy agents

DMZ
- Created out of a network connecting two firewalls
- Specifically, for nodes that should not be put in protected internal networks

DMZ