
Firewall (防火牆). All rights reserved. No part of this publication and file may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of Professor Nen-Fu Huang (Distinguished Professor, Department of Computer Science, National Tsing Hua University).

Firewall - 2: Contents
- Firewall Introduction
- Firewall Technologies
- Firewall Architecture
- iptables and ip6tables

Firewall - 3: What is a Firewall?
- A firewall isolates an organization's internal network from the Internet, allowing some packets to pass and blocking others.
[Figure: a privately administered /16 protected network behind the firewall, with the external network on the other side]

Firewall - 4: What is a Firewall?
- A firewall acts as a security gateway between two networks
  - Usually between trusted and untrusted networks
  - Such as between a corporate network and the Internet
[Figure: corporate site connected to the Internet through a corporate gateway]

Firewall - 5: What is a Firewall?
- A firewall tracks and controls network communications
  - Decides whether to pass, reject, encrypt, or log communications (access control)
[Figure: corporate site with the policy "Allow traffic to Internet" on the outbound side and "Block traffic from Internet" on the inbound side]

Firewall - 6: What is a Firewall?
- A firewall is a security policy enforcement point that regulates access between networks
- Controls traffic at the transport layer (TCP and UDP) and the application services carried over it
  - HTTP, SMTP, FTP, Telnet, etc.
- Only one of many security tools for controlling and regulating network traffic

Firewall - 7: Why Firewalls are Needed?
- Prevent attacks from untrusted networks
- Protect the integrity of critical information
- Preserve customer and partner confidence

Firewall - 8: Firewall goals
- All traffic from outside to inside, and vice versa, passes through the firewall.
- Only authorized traffic, as defined by the local security policy, is allowed to pass.
- The firewall itself is immune to penetration (a compromised choke point enforces nothing, so the firewall host must be hardened at least as carefully as what it protects).

Firewall - 9: What do Firewalls Protect?
- Data
  - Proprietary corporate information
  - Financial information
  - Sensitive employee or customer data
- Resources
  - Computing resources
  - Time resources
  - Bandwidth resources
- Reputation
  - Loss of confidence in an organization
  - An intruder using the organization's network to attack other sites

Firewall - 10: Contents
- Firewall Introduction
- Firewall Technologies
- Firewall Architecture
- iptables and ip6tables

Firewall - 11: Firewall Technologies
- Traditional packet filters
  - Often combined with a router
  - Widely available in routers and in Linux (iptables)
- Application gateways
  - Often implemented with the SOCKS protocol
- Stateful inspection filters
  - Maintain a connection state table

Firewall - 12: Evolution of Firewalls
[Figure: "stage of evolution" chart with three firewall generations: packet filter, application proxy, stateful inspection]

Firewall - 13: Traditional packet filters
Analyzes each datagram going through it and makes a drop decision based on:
- source IP address
- destination IP address
- source port
- destination port
- TCP flag bits
  - SYN bit set: datagram for connection initiation
  - ACK bit set: part of an established connection
- TCP or UDP or ICMP
  - Firewalls are often configured to block all UDP
- direction
  - Is the datagram leaving or entering the internal network?
- router interface
  - Decisions can be different for different interfaces

Firewall - 14: Packet Filter
- Packets examined at the network layer: the filter reads header fields (addresses, protocol, and the transport-layer ports and flags listed on the previous slide) but does not follow connections or look at payloads
- Commonly deployed on routers
- Simple accept or reject decision model
- No awareness of connection state or of the application layer
[Figure: OSI stacks of two communicating hosts with the packet filter between them; the filter's own stack reaches only the network layer]

Firewall - 15: Packet Filtering Firewalls
- Packet filtering is one of the most common firewall technologies.
- Each packet is inspected individually, examining the source and destination IP addresses and ports.
- This information is compared to access control rules to decide whether the packet should be allowed through the firewall.

Firewall - 16: Packet Filtering Firewalls
- Decide packet flow very quickly.
- But because every packet is checked against the access control rules, large and complex rule bases decrease performance.
- Packet filters can only check low-level attributes
  - Not secure against malicious content carried in the higher layers (an allowed port says nothing about what travels over it).

Firewall - 17: Packet Filtering Rules - Examples
[Table of example packet-filtering rules; not recoverable from the transcript]

Firewall - 18: Access control list (ACL)
- Apply rules from top to bottom (priority): the first rule that matches a packet decides its fate, so rule order is part of the policy.
- Each router/firewall interface can have its own ACL.

Firewall - 19: Network Address Translation (NAT)
- Converts a network's private IP addresses to public IP addresses
  - Hides the true addresses of individual hosts, protecting them from being addressed directly from outside
  - Allows more devices to be connected to the network than there are public addresses
- NAT by itself is not a filter: a host behind NAT is still reachable through any mapping it creates by connecting outward, or through a static port forward, so NAT complements packet filtering rather than replacing it.
[Figure: corporate LAN using private IP addresses, translated to the public IP address(es) at the boundary with the Internet]
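The following is an added example, not code from the slides: a minimal source-NAT (NAPT) translation table showing the two properties the slide lists. Two private hosts share one public address by being given distinct translated ports, and an inbound packet is only translated back if an inside host created the mapping; with no mapping it is dropped, which is all the "hiding" NAT provides. The private prefix 192.168.10.0/24, the public address 203.0.113.7, the external addresses and the starting port 40000 are constructed values.

```python
"""Source NAT (NAPT) table, as an added example (not from the slides).

Constructed assumptions: private network 192.168.10.0/24, a single public
address 203.0.113.7, translated ports handed out from 40000 upwards.
"""
from ipaddress import ip_address, ip_network


class SourceNAT:
    def __init__(self, private_net, public_ip, first_port=40000):
        self.private_net = ip_network(private_net)
        self.public_ip = public_ip
        self.next_port = first_port
        # (private_ip, private_port, dst_ip, dst_port) -> translated public port
        self.out_map = {}
        # (public_port, dst_ip, dst_port) -> (private_ip, private_port)
        self.in_map = {}

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of a packet leaving the private network.

        Returns the (address, port) the packet carries on the public side.
        """
        if ip_address(src_ip) not in self.private_net:
            return src_ip, src_port            # not a private address: pass untouched
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out_map:            # first packet of a new flow: allocate a port
            pub_port = self.next_port
            self.next_port += 1
            self.out_map[key] = pub_port
            self.in_map[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return self.public_ip, self.out_map[key]

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet arriving at the public address back to the inside host.

        Returns (private_ip, private_port), or None when no inside host created
        a mapping for this flow; a real NAT box drops such packets.
        """
        if dst_ip != self.public_ip:
            return None
        return self.in_map.get((dst_port, src_ip, src_port))


def demo():
    """Replay a constructed traffic sequence and return the translation results."""
    nat = SourceNAT("192.168.10.0/24", "203.0.113.7")
    # Two inside hosts use the same private source port towards the same server.
    a = nat.outbound("192.168.10.5", 51000, "198.51.100.20", 443)   # ('203.0.113.7', 40000)
    b = nat.outbound("192.168.10.6", 51000, "198.51.100.20", 443)   # ('203.0.113.7', 40001)
    # The server's reply to the second flow is steered back to 192.168.10.6.
    reply = nat.inbound("198.51.100.20", 443, "203.0.113.7", 40001)  # ('192.168.10.6', 51000)
    # An unsolicited connection attempt to port 22 has no mapping and is dropped.
    unsolicited = nat.inbound("198.51.100.99", 1234, "203.0.113.7", 22)  # None
    return a, b, reply, unsolicited


if __name__ == "__main__":
    print(demo())
```

The mapping is keyed on the full four-tuple, so the same private port on two different inside hosts (or the same host towards two different servers) never collides on the public side.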

Firewall - 20: Traditional packet filters
- Advantages
  - One router can protect an entire network
  - Can be efficient if the filtering rules are kept simple
  - Widely available: almost any router, even Linux boxes
- Disadvantages
  - Can possibly be penetrated
  - Cannot enforce some policies, for example permitting only certain users
  - Rules can get complicated and difficult to test

Firewall - 21: Application Level Firewalls
- Application proxies provide the most secure type of data connection
- They examine every layer of the communication, including the application data.
- The connection from a client to a server is intercepted by the proxy.

Firewall - 22: Application Gateway or Proxy
- Packets examined at the application layer
- Application/content filtering possible
  - For example, prevent SNMP "set" commands
[Figure: OSI stacks of two communicating hosts with the application gateway between them; the gateway's own stack reaches all the way to the application layer]

Firewall - 23: Application Level Firewalls
- If the proxy determines that the connection is allowed, it opens a second connection to the server from itself.
- The data portion of each packet must be stripped off, examined, rebuilt, and sent again on the second connection.
- This thorough examination and handling of packets means that proxy firewalls are very secure and generally slow.

Firewall - 24: Application Level Firewalls
- Proxies must understand the application layer.
- As new protocols are developed, new proxies must be written and implemented to handle them.

Firewall - 25: Application Level Firewalls
- Web proxy servers
- Application proxy servers
  - A mail server (SMTP relay) is an example of an application gateway
- Second-generation firewall technology
  - Makes connections on behalf of the client
  - Not flexible

Firewall - 26: SOCKS Proxy protocol
- Generic proxy protocol
  - No per-application proxy code has to be written when proxifying an application.
- Can be used by HTTP, FTP, telnet, SSL, ...
  - Independent of the application layer protocol
- Includes authentication, restricting which users/applications/IP addresses can pass through the firewall.

Firewall - 27: SOCKS proxy protocol
[Figure: client host (Firefox/IE: HTTP over SOCKS library over TCP) -> firewall host (SOCKS daemon over TCP) -> server (Apache/IIS: HTTP over TCP)]
1. For example, assume that the browser requests a page.
2. The SOCKS library is a collection of procedures. It translates requests into a specific format and sends them to the SOCKS daemon.
3. The SOCKS daemon runs on the firewall host. The daemon authenticates the user and forwards all the data to the server.
4. The server receives the requests as ordinary HTTP. It does not need a SOCKS library.
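The four-step exchange above at the byte level, as an added example that is not part of the slides. Both sides are modelled: the client helpers produce what the SOCKS library sends, and SocksDaemon parses and answers as the daemon on the firewall host would, refusing clients that will not authenticate and applying a per-user port policy before it would relay. Wire formats follow RFC 1928 (SOCKS5) and RFC 1929 (username/password sub-negotiation). The user "alice", the password, the allowed-port policy and the destination names are constructed for the demo; the real daemon would additionally open its own TCP connection to the destination and copy bytes in both directions, which is left out here.

```python
"""SOCKS5 handshake, authentication and CONNECT request from both sides (added example).

Wire formats: RFC 1928 (SOCKS5) and RFC 1929 (username/password).  The user
database, port policy and host names below are constructed for illustration.
"""
import struct

VER = 0x05
AUTH_NONE, AUTH_USERPASS, AUTH_NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_OK, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED = 0x00, 0x02, 0x07


# ---- client side: what the SOCKS library linked into the browser emits ----
def greeting(methods=(AUTH_USERPASS,)):
    """VER, NMETHODS, METHODS[]"""
    return bytes([VER, len(methods), *methods])


def userpass(user, pw):
    """RFC 1929: VER=1, ULEN, UNAME, PLEN, PASSWD"""
    u, p = user.encode(), pw.encode()
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p


def connect_request(host, port):
    """VER, CMD, RSV, ATYP=domain, LEN, NAME, DST.PORT (big-endian)"""
    h = host.encode()
    return bytes([VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(h)]) + h + struct.pack("!H", port)


# ---- firewall side: the SOCKS daemon ----
class SocksDaemon:
    def __init__(self, users, allowed_ports):
        self.users = users                      # {username: password}, constructed
        self.allowed_ports = set(allowed_ports)  # destination ports users may reach

    def select_method(self, msg):
        """Answer the greeting; insist on username/password so every session is attributable."""
        ver, n = msg[0], msg[1]
        methods = msg[2:2 + n]
        if ver != VER or len(methods) != n:
            raise ValueError("malformed greeting")
        chosen = AUTH_USERPASS if AUTH_USERPASS in methods else AUTH_NO_ACCEPTABLE
        return bytes([VER, chosen])

    def authenticate(self, msg):
        """Parse the RFC 1929 message; return (status reply, username or None)."""
        if msg[0] != 0x01:
            raise ValueError("bad sub-negotiation version")
        ulen = msg[1]
        user = msg[2:2 + ulen].decode()
        plen = msg[2 + ulen]
        pw = msg[3 + ulen:3 + ulen + plen].decode()
        ok = self.users.get(user) == pw
        return bytes([0x01, 0x00 if ok else 0x01]), (user if ok else None)

    def handle_request(self, msg, user):
        """Apply policy to the CONNECT request; return (reply bytes, log line)."""
        ver, cmd, _rsv, atyp = msg[:4]
        if ver != VER or cmd != CMD_CONNECT or atyp != ATYP_DOMAIN:
            return self._reply(REP_CMD_UNSUPPORTED, f"{user}: unsupported request")
        n = msg[4]
        host = msg[5:5 + n].decode()
        (port,) = struct.unpack("!H", msg[5 + n:7 + n])
        if port not in self.allowed_ports:
            return self._reply(REP_NOT_ALLOWED, f"{user}: {host}:{port} denied")
        # A real daemon would now connect to host:port itself and relay the data.
        return self._reply(REP_OK, f"{user}: {host}:{port} relayed")

    @staticmethod
    def _reply(rep, log):
        # VER, REP, RSV, ATYP=IPv4, BND.ADDR, BND.PORT (0.0.0.0:0 used as a placeholder)
        return bytes([VER, rep, 0x00, ATYP_IPV4, 0, 0, 0, 0, 0, 0]), log


def socks_session(daemon, user, pw, host, port):
    """Drive the whole exchange; return the daemon's final status code and log line."""
    sel = daemon.select_method(greeting())
    if sel[1] != AUTH_USERPASS:
        return sel[1], "no acceptable authentication method"
    status, who = daemon.authenticate(userpass(user, pw))
    if who is None:
        return status[1], "authentication failed"
    reply, log = daemon.handle_request(connect_request(host, port), who)
    return reply[1], log


if __name__ == "__main__":
    d = SocksDaemon({"alice": "s3cret"}, [80, 443])
    print(socks_session(d, "alice", "s3cret", "www.example.com", 80))
    print(socks_session(d, "alice", "s3cret", "www.example.com", 23))
```

Because the daemon sees the destination name and port before any connection is made, the policy decision happens per user and per destination, which is exactly what a stateless packet filter cannot express.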

Firewall - 28: Proxy gateways
- Advantages
  - A proxy can log all connections and the activity within them
  - A proxy can provide caching
  - A proxy can do intelligent filtering based on content
  - A proxy can perform user-level authentication
- Disadvantages
  - Not all services have proxied versions
  - May need a different proxy server for each service
  - Requires modification of the client
  - Performance

Firewall - 29: Stateful Filters
- Stateful filter: state tables are created to maintain connection context
  - Stateful = remembers past packets
[Figure: OSI stacks of two communicating hosts with the stateful filter between them; the filter's stack reaches the network and transport layers and holds dynamic state tables]

Firewall - 30: Example of Stateful filters
Connection table columns: source address, dest address, source port, dest port
- Log each TCP connection initiated through the firewall: the SYN segment creates the entry
- Time out entries that see no activity for, say, 60 seconds
- If the rule table indicates that the stateful table must be checked, check whether the packet belongs to a connection already present in the stateful table

Firewall - 31: Example of Stateful Filters
action | source address   | dest address     | proto | source port | dest port | flag bit | check connection
allow  | internal /16     | outside of /16   | TCP   | > 1023      | 80        | any      |
allow  | outside of /16   | internal /16     | TCP   | 80          | > 1023    | ACK      | yes
allow  | internal /16     | outside of /16   | UDP   | > 1023      | 53        | ---      |
allow  | outside of /16   | internal /16     | UDP   | 53          | > 1023    | ---      | yes
deny   | all              | all              | all   | all         | all       | all      |
(The first rule must allow the outbound SYN: it is that SYN that creates the connection-table entry the second rule later checks.)
1) A packet arrives from outside: SA = the external web server, SP = 80, DA = an internal host, DP = 5000, SYN = 0, ACK = 1
2) Check the filter table -> the matching rule says check the stateful table
3) The connection is listed in the connection table -> let the packet through
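The following is an added example, not code from the slides: a small stateful packet filter that implements the rule table above together with the first-match ACL semantics from slide 18 and the match fields from slide 13. Rules are evaluated top to bottom; an allowed outbound TCP SYN (or any allowed outbound UDP datagram) creates a connection-table entry, a rule flagged "check connection" only passes a packet that matches an existing entry, and entries idle for 60 seconds expire. The protected prefix 10.20.0.0/16, the host addresses and the packet trace are constructed values standing in for the addresses the slide leaves out.

```python
"""Stateful packet filter for the slide's rule table (added example, not from the slides).

Constructed assumptions: protected network 10.20.0.0/16, internal client 10.20.1.7,
external web server 203.0.113.10, external DNS server 198.51.100.53.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Union

INSIDE = ip_network("10.20.0.0/16")   # constructed stand-in for the slide's "/16"
TIMEOUT = 60.0                         # idle seconds before a connection entry expires


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "TCP" or "UDP"
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass
class Rule:
    action: str                        # "allow" or "deny"
    src_inside: Optional[bool]         # True: source in INSIDE, False: outside, None: any
    dst_inside: Optional[bool]
    proto: Optional[str]               # None: any protocol
    sport: Union[int, str, None]       # exact port, "high" (> 1023), or None for any
    dport: Union[int, str, None]
    flag: Optional[str] = None         # "ACK": ACK bit must be set; None: any flags
    check_conn: bool = False           # consult the connection table before allowing


def _port_ok(spec, port):
    if spec is None:
        return True
    if spec == "high":
        return port > 1023
    return port == spec


def _side_ok(spec, addr):
    return spec is None or (ip_address(addr) in INSIDE) == spec


def matches(rule, pkt):
    return (_side_ok(rule.src_inside, pkt.src) and _side_ok(rule.dst_inside, pkt.dst)
            and (rule.proto is None or rule.proto == pkt.proto)
            and _port_ok(rule.sport, pkt.sport) and _port_ok(rule.dport, pkt.dport)
            and (rule.flag != "ACK" or pkt.ack))


# The slide's table, top to bottom.
RULES = [
    Rule("allow", True,  False, "TCP", "high", 80),                              # outbound web
    Rule("allow", False, True,  "TCP", 80, "high", flag="ACK", check_conn=True),  # web replies
    Rule("allow", True,  False, "UDP", "high", 53),                              # outbound DNS
    Rule("allow", False, True,  "UDP", 53, "high", check_conn=True),             # DNS replies
    Rule("deny",  None,  None,  None,  None,  None),                             # default deny
]


class StatefulFilter:
    def __init__(self):
        # (inside addr, inside port, outside addr, outside port, proto) -> last-seen time
        self.conns = {}

    def _key(self, pkt):
        """Normalise so both directions of one flow share a key."""
        if ip_address(pkt.src) in INSIDE:
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)

    def _expire(self, now):
        for key in [k for k, seen in self.conns.items() if now - seen > TIMEOUT]:
            del self.conns[key]

    def filter(self, pkt, now):
        """Return 'allow' or 'deny' for pkt at time now, updating the connection table."""
        self._expire(now)
        for rule in RULES:                       # first matching rule decides
            if not matches(rule, pkt):
                continue
            if rule.action == "deny":
                return "deny"
            key = self._key(pkt)
            if rule.check_conn:
                if key not in self.conns:        # reply without an initiating connection
                    return "deny"
                self.conns[key] = now
                return "allow"
            # Allowed without a state check: a TCP SYN or any UDP datagram opens an entry.
            if pkt.proto == "UDP" or (pkt.syn and not pkt.ack) or key in self.conns:
                self.conns[key] = now
            return "allow"
        return "deny"                            # unreachable with the deny-all rule present


def run_demo():
    """Replay a constructed packet sequence and return the decision for each step."""
    fw = StatefulFilter()
    client, web, dns = "10.20.1.7", "203.0.113.10", "198.51.100.53"
    trace = [
        ("out-syn",   0.0,  Packet(client, web, "TCP", 5000, 80, syn=True)),
        ("in-synack", 0.1,  Packet(web, client, "TCP", 80, 5000, syn=True, ack=True)),
        ("in-ack",    0.2,  Packet(web, client, "TCP", 80, 5000, ack=True)),   # the slide's case
        ("in-spoof",  0.3,  Packet(web, client, "TCP", 80, 6000, ack=True)),   # no such connection
        ("out-dns",   1.0,  Packet(client, dns, "UDP", 40000, 53)),
        ("in-dns",    1.1,  Packet(dns, client, "UDP", 53, 40000)),
        ("out-ssh",   2.0,  Packet(client, web, "TCP", 5001, 22, syn=True)),   # not in policy
        ("in-late",   90.0, Packet(web, client, "TCP", 80, 5000, ack=True)),   # idle > 60 s
    ]
    return {name: fw.filter(pkt, t) for name, t, pkt in trace}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:10s} {verdict}")
```

The "in-spoof" packet shows what the connection table buys over a stateless filter: with the ACK bit set it satisfies every field of rule 2, and only the missing connection entry gets it dropped.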

Firewall - 32: Contents
- Firewall Introduction
- Firewall Technologies
- Firewall Architecture
- iptables and ip6tables

Firewall - 33: Firewall Architectures
- Screening Router
- Simple Firewall
- Multi-Legged Firewall

Firewall - 34: Screening Router
- Access Control Lists (ACLs) provide the security
- Routers are not application aware
  - Only inspect packet-header information (Layer 3 addresses and, in extended ACLs, Layer 4 ports), never application content
- Forward or block packets according to the policy
- Very fast
- Not commonly used alone for security

Firewall - 35: Screening Router
[Figure: internal trusted network connected to the untrusted Internet through a screening router (ACL)]

Firewall - 36: Simple Firewall
- For small companies with limited security needs
- Uses only two interfaces
  - Trusted
  - Untrusted
- Provides modest security
- Does not offer a DMZ sandbox
- Inherently allows some level of connections between the trusted and untrusted networks
- The screening router filters first; the firewall behind it then applies further controls to the traffic that passed

Firewall - 37: Simple Firewall
[Figure: internal trusted network behind a firewall, which sits behind a screening router (ACL) facing the untrusted Internet]

Firewall - 38: Multi-Legged Firewall
- For small to large sized businesses
- Provides stronger security
- Creates a secure sandbox for semi-trusted services
- Flexible and secure

Firewall - 39: Multi-Legged Firewall
[Figure: screening router (ACL) facing the untrusted Internet, then a firewall with three legs: the internal trusted network, and a semi-trusted demilitarized zone (DMZ) hosting the web server and mail server]

Firewall - 40: Defense in depth (縱深防禦)
- Security has no single right answer
  - Use every tool available to bolster security
- Layered security is always the best approach
- Strong security controls coupled with audit, administrative reviews, and an effective security response plan provide a strong holistic defense

Firewall - 41: Contents
- Firewall Introduction
- Firewall Technologies
- Firewall Architecture
- iptables and ip6tables

Firewall - 42: Network or host firewall?
Network firewall: a Linux host with two interfaces
[Figure: Linux host running iptables, with its filter table, placed between the protected network and the external network]

Firewall - 43: Network or host firewall?
Host firewall: a Linux host with one interface
[Figure: Linux host running iptables, with its filter table, attached directly to the external network]

Firewall - 44: Tables, Chains & Rules
- Three types of tables: filter, nat, mangle (later kernels add raw and security, but these three carry the policy discussed here)
- A table consists of chains.
  - The filter table has three built-in chains:
    - an INPUT chain,
    - an OUTPUT chain, and
    - a FORWARD chain.
- A chain consists of an ordered list of rules, plus a default policy that applies when no rule matches.

Firewall - 45: Chain types for host firewall
[Figure: a Linux host with iptables on the external network; the INPUT chain handles packets arriving from the network to the host, the OUTPUT chain handles packets the host sends]

Firewall - 46: Chain types for network firewall
[Figure: a Linux host between the protected network and the external network; the FORWARD chain handles packets passing between the two networks, the INPUT chain packets addressed to the host, the OUTPUT chain packets the host itself sends]

Firewall - 47: Chain types for network firewall
- The INPUT chain applies to all packets destined to the firewall itself
- The OUTPUT chain applies to all packets originating from the firewall
- The FORWARD chain applies to all packets passing through the firewall between its interfaces

Firewall - 48: iptables: Example command
iptables -A INPUT -i eth0 -s <subnet>/24 -j ACCEPT
- Sets a rule
  - Accepts packets that enter from interface eth0 and have a source address in the given /24 (the slide's own address was lost in transcription; <subnet> is a placeholder)
- The kernel applies the rules in order
  - The first rule that matches a packet determines the action for that packet; if no rule matches, the chain's default policy (set with -P) applies
- Append: -A
  - Adds the rule to the bottom of the list of existing rules

Firewall - 49: iptables: Example command
iptables -A INPUT -i eth0 -j DROP
- Sets a rule
  - Discards all packets that enter from interface eth0 (except those accepted by earlier rules)
- The target DENY existed in ipchains but is not valid in iptables: use DROP to discard silently, or REJECT to discard and send an error back to the sender
- Because this rule matches everything on eth0, any rule appended after it with -A will never be reached; later exceptions must be inserted above it with -I

Firewall - 50: iptables: More examples
iptables -L    list the current rules (add -n to skip DNS lookups and -v for counters)
iptables -F    flush all rules (the default policies are left as they are)
iptables -D INPUT 2    deletes the 2nd rule in the INPUT chain
iptables -I INPUT 1 -p tcp --syn -s <subnet>/24 --dport 22 -j ACCEPT
- -I INPUT 1: insert the rule at the top of the INPUT chain
- Accept TCP SYNs from the given /24 to the firewall's port 22 (ssh); <subnet> stands for the address lost in transcription
- --syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN (SYN set, the others clear); the ipchains-style "-d 0/0:22" on the original slide is written in iptables as a separate --dport 22

Firewall - 51: iptables Options
-p    protocol type (tcp, udp, icmp)
-s    source IP address or network (ports are not part of -s; use --sport)
-d    destination IP address or network (ports are not part of -d; use --dport)
-i    input interface name (lo, ppp0, eth0)
-j    target (ACCEPT, DROP, REJECT, LOG)
-j LOG    log this packet and continue to the next rule (iptables has no -l option; logging is a target)
--sport    source port (requires -p tcp or -p udp)
--dport    destination port (requires -p tcp or -p udp)
--icmp-type    ICMP message type (requires -p icmp)
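The following is an added example, not code from the slides or from the netfilter project: a Python model of the iptables filter table that makes two points from slides 47 to 50 concrete. First, which chain a packet hits depends only on whether it is addressed to the firewall (INPUT), sent by it (OUTPUT) or forwarded through it (FORWARD), so INPUT rules do nothing for transit traffic. Second, rules are consulted in order and the first match wins, so appending (-A) an ACCEPT below a catch-all DROP leaves it unreachable, while inserting (-I) it at position 1 works. Only the match options the slides use (-i, -s, -p, --dport, --syn) are modelled; the firewall's addresses 192.0.2.1 and 192.168.1.1 and the client addresses are constructed, and the model is a teaching aid, not a reimplementation of netfilter.

```python
"""Model of iptables filter-table dispatch and rule ordering (added example).

Constructed assumptions: the firewall owns 192.0.2.1 on eth0 (external) and
192.168.1.1 on eth1 (internal).  Rules are dicts holding the iptables match
options used on the slides plus a "target".  Not a netfilter reimplementation.
"""
from ipaddress import ip_address, ip_network

HOST_ADDRS = {"192.0.2.1", "192.168.1.1"}   # constructed addresses of the firewall itself


def chain_for(pkt):
    """INPUT for packets to the firewall, OUTPUT for packets from it, FORWARD otherwise."""
    if pkt["dst"] in HOST_ADDRS:
        return "INPUT"
    if pkt["src"] in HOST_ADDRS:
        return "OUTPUT"
    return "FORWARD"


def _matches(rule, pkt):
    """Evaluate the subset of iptables match options used on the slides."""
    if "i" in rule and rule["i"] != pkt["iface"]:
        return False
    if "s" in rule and ip_address(pkt["src"]) not in ip_network(rule["s"]):
        return False
    if "p" in rule and rule["p"] != pkt["proto"]:
        return False
    if "dport" in rule and rule["dport"] != pkt.get("dport"):
        return False
    if rule.get("syn") and not (pkt.get("syn") and not pkt.get("ack")):
        return False                      # --syn: SYN set, ACK (and RST, FIN) clear
    return True


class FilterTable:
    def __init__(self):
        self.chains = {"INPUT": [], "OUTPUT": [], "FORWARD": []}
        self.default = {"INPUT": "ACCEPT", "OUTPUT": "ACCEPT", "FORWARD": "ACCEPT"}

    def append(self, chain, rule):          # -A chain ...: add at the bottom
        self.chains[chain].append(rule)

    def insert(self, chain, pos, rule):     # -I chain N ...: insert at 1-based position N
        self.chains[chain].insert(pos - 1, rule)

    def delete(self, chain, pos):           # -D chain N: remove the N-th rule
        del self.chains[chain][pos - 1]

    def flush(self, chain=None):            # -F [chain]: empty one chain or all of them
        for name in ([chain] if chain else list(self.chains)):
            self.chains[name].clear()

    def policy(self, chain, target):        # -P chain TARGET: verdict when nothing matches
        self.default[chain] = target

    def verdict(self, pkt):
        chain = chain_for(pkt)
        for rule in self.chains[chain]:     # first matching rule decides
            if _matches(rule, pkt):
                return rule["target"]
        return self.default[chain]


def build_slide_policy():
    """Slides 48 and 49 as appended rules, then the slide-50 SSH rule appended too late."""
    fw = FilterTable()
    fw.policy("INPUT", "DROP")
    fw.append("INPUT", {"i": "eth0", "s": "198.51.100.0/24", "target": "ACCEPT"})
    fw.append("INPUT", {"i": "eth0", "target": "DROP"})      # slide 49 (DENY -> DROP)
    fw.append("INPUT", {"i": "eth0", "p": "tcp", "dport": 22, "syn": True, "target": "ACCEPT"})
    return fw


def demo():
    """Return (SSH verdict before fixing order, after fixing, transit chain, transit verdict)."""
    fw = build_slide_policy()
    ssh_syn = {"iface": "eth0", "src": "203.0.113.5", "dst": "192.0.2.1",
               "proto": "tcp", "dport": 22, "syn": True}
    before = fw.verdict(ssh_syn)            # "DROP": rule 2 shadows the appended ACCEPT
    fw.delete("INPUT", 3)                   # remove the unreachable rule ...
    fw.insert("INPUT", 1, {"i": "eth0", "p": "tcp", "dport": 22, "syn": True, "target": "ACCEPT"})
    after = fw.verdict(ssh_syn)             # "ACCEPT": -I INPUT 1 puts it above the DROP
    # Traffic for an inside host never touches INPUT; an empty FORWARD chain lets it through.
    transit = {"iface": "eth0", "src": "203.0.113.5", "dst": "192.168.1.20",
               "proto": "tcp", "dport": 80, "syn": True}
    return before, after, chain_for(transit), fw.verdict(transit)


if __name__ == "__main__":
    print(demo())
```

The transit case is the one that bites in practice: a host firewall built entirely from INPUT rules protects only the firewall machine, and a network firewall needs its policy in FORWARD (and a FORWARD default of DROP) to protect the network behind it.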

Firewall - 52: ip6tables
- The iptables rule file is stored at /etc/sysconfig/iptables
- The ip6tables rule file is stored at /etc/sysconfig/ip6tables
  - It must be configured by hand; the rule syntax is almost identical to the IPv4 one
ip6tables -A INPUT -i eth0 -s 2001:6789::/32 -j ACCEPT
- Sets a rule
  - Accepts packets that enter from interface eth0 and have a source address in 2001:6789::/32
- One IPv6-specific caveat: an ip6tables policy that drops everything else must still accept the ICMPv6 messages used for neighbor discovery and path MTU discovery, or the host loses basic IPv6 connectivity