Firewalls

A firewall is:
a) A device that interconnects two networks
b) A network device that regulates access to an internal network
c) A program that protects the resources of an internal network
d) A program capable of analyzing packets with the purpose of modifying them, blocking them or forwarding them to their destination
e) A mechanism to filter packets based on the information in their headers

Firewall
Device that filters traffic between an external network (not trustworthy) and an internal network (protected)

Two types of behavior (policy)
"Everything which is not forbidden is allowed"
–Default: allow input packets
–Regular users
"Everything which is not allowed is forbidden"
–Default: deny input packets
–Experts
The administrator decides

In the net (packet diagram): Dest MAC | Source MAC | Dest IP | Source IP | Dest Port | Source Port | Data ("Hello world!") | CRC

We have access to:
–MAC addresses
–IP addresses
–Ports
–Header fields: protocol (TCP, UDP, ICMP, ARP), flags, etc.
–Application data
(packet diagram: Dest MAC | Source MAC | Dest IP | Source IP | Dest Port | Source Port | Data | CRC)

Filter traffic
MAC address
–Block/allow individual machines
IP address
–Block/allow individual machines or groups
Port number
–Block/allow services (http, ftp, smtp, etc.)
Protocol
–TCP, UDP, ICMP
–e.g. block "ping" (ping is an application built on ICMP)

Firewalls: basic architecture (diagram): Internet | Firewall | Internal network

Firewalls: architecture with DMZ (diagram): Internet | Firewall | DMZ | Internal network
DMZ: Demilitarized Zone (Perimeter Network)

Firewalls: dual architecture with DMZ (diagram): Internet | Firewall | DMZ | Firewall | Internal network

Types of firewalls
Packet filtering
State analyzer
Application proxy
Guards
Personal

Packet filtering
Simple
Effective
Just looks at the headers, not inside
Filtering is done based on addresses
–MAC, IP, port
Input/output blocking

Personal Firewall

Netfilter/iptables
Kernel 2.0 – ipfwadm
Kernel 2.2 – ipchains
Kernel 2.4 – netfilter/iptables
–netfilter: part of the kernel
–iptables: tool to create rules (functions) and hook them into the kernel by means of netfilter
Rules define the handling of the packets: filter, NAT, mangle

Tables
Each table defines one broad kind of functionality
–Filtering: filter (default)
–NAT: nat
–Modification: mangle
–raw
Tables are composed of chains
–Built-in and user defined

Chains
Chains for filter
–INPUT, OUTPUT, FORWARD
Chains for nat
–PREROUTING, OUTPUT, POSTROUTING
Chains for mangle
–PREROUTING, OUTPUT

Chains for filter
INPUT
–For packets entering the machine/network
OUTPUT
–For packets going out of the machine/network
FORWARD
–For packets that are routed by the machine
–Connection between two networks

Tables, chains, rules, parameters and targets

Relationships
Each packet received or sent is processed by (at least) one table
A table contains chains that process the packets in a specific way
Chains have rules which are applied to every packet, in order
Each rule has one or more parameters (matches) that are compared with data of the packet
The moment a packet matches a rule (parameter by parameter), its target is applied

Targets
ACCEPT, DROP, REJECT, LOG, RETURN
Each chain has a default policy that is applied if no rule matches
–ACCEPT, DROP

Targets
ACCEPT
–The packet is accepted by the machine
DROP
–Discards the packet and it is not processed further
–It is as if the packet was never sent or never arrived
LOG
–The packet is written to the syslog (processing continues with the next rule)
REJECT
–Discards the packet and sends an appropriate response to the sender
RETURN
–Returns to the calling chain and continues processing the packet there

Some parameters
-p --protocol
–Protocol used: udp, tcp, icmp
-s --source
–Source IP address
-d --destination
–Destination IP address
-i --in-interface
–Input network interface

More parameters
--source-port --sport
--destination-port --dport
--tcp-flags
–SYN, ACK, PSH, URG, FIN, RST, ALL
--icmp-type
–Type of ICMP message
–0: echo-reply, 8: echo-request, 3: destination unreachable (e.g. port unreachable)

Some commands
-A chain (Append)
–Append a rule at the end of the chain
-I chain number (Insert)
–Insert a rule just before rule number
-D chain number (Delete)
–Delete the rule with that number
-F chain (Flush)
–Delete all the rules in a chain
-L chain (List)
–List all the rules in a chain

Some commands
-N chain (New)
–Creates a new chain
-X chain
–Deletes a chain
-P chain target (Policy)
–Sets the default target of the chain
–Applied in case no rule matched the packet

Some options
--line-numbers
–Used with --list to see the numbers of the rules
-n
–Used with --list to show numbers instead of names
–80 instead of http
–22 instead of ssh

Rules
iptables -A INPUT -s <source-ip> -p tcp --destination-port telnet -j DROP
iptables -A INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p icmp --icmp-type 8 -j DROP
iptables -I INPUT 1 -p icmp --icmp-type 8 -j DROP
iptables -I INPUT 1 -p icmp --icmp-type 8 -j REJECT

Rules
iptables -A INPUT -s <source-ip> -j DROP
iptables -A INPUT -s atacante.losmalos.com -j DROP
iptables -A INPUT -s <network>/24 -j DROP
iptables -A INPUT -s <network>/<netmask> -j DROP
iptables -A INPUT -s 0/0 -j DROP
iptables -A INPUT -j DROP

Commands
iptables -L
–Lists all the active rules of every chain of the table
iptables -L -n
–The rules are displayed with IP addresses and ports as numbers instead of names
iptables -L -t filter
–Displays all the rules of a specific table
–filter is the default
iptables -L --line-numbers
–Displays all the rules numbered
–Useful when inserting (-I) or deleting (-D) by number

Commands
iptables -F
–Deletes all the rules of all chains in the table filter
iptables -F INPUT
–Deletes all the rules of the chain INPUT in the table filter
iptables -D INPUT 7
–Deletes the 7th rule of the chain INPUT of the table filter
iptables -P INPUT DROP
–All the packets that do not match a rule will be discarded, with no response

Session
iptables -F
iptables -A INPUT -s 0/0 -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -d 0/0 -p tcp --sport 22 -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
Delete all the rules of filter
Accept input and output packets of ssh
Use the DROP policy for input and output packets, in case a packet does not match any rule
The machine is completely isolated from the network, with the exception of secure shell connections from any computer on the Internet

Session
iptables -A INPUT -s 0/0 -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -d 0/0 -p tcp --sport 80 -j ACCEPT
Same as:
iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A OUTPUT -p tcp --sport http -j ACCEPT
Same as:
iptables -A INPUT -s 0/0 -p tcp --dport <port> -j ACCEPT
iptables -A OUTPUT -d 0/0 -p tcp --sport <port> -j ACCEPT
The web server can accept requests and serve pages

Session
iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT
Reject "pings" with an adequate message ("destination port unreachable") instead of silently ignoring the packet

Permanent changes
The changes to the tables (new rules) are active right away with the iptables commands, but are kept only in memory
iptables-save [>file]
–Stores all the tables in file, or in /etc/sysconfig/iptables if no file is specified
iptables-restore file
–Loads the tables in file into memory
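The slides describe the model in pieces (tables hold chains, chains hold ordered rules, a rule is a set of matches plus a target, the first terminating match wins, and the chain policy applies when nothing matched) and show the saved form of a ruleset. The following added example, which is not part of the slides and not part of iptables, ties those pieces together: it parses a small constructed ruleset written in the format iptables-save produces and evaluates constructed packets against the filter table's INPUT chain. Only the matches the slides list (-p, -s, -d, -i, --sport/--dport, --icmp-type) are understood; the sample addresses, packets and field names are assumptions chosen for the demonstration. Note how the rule order decides the outcome for ssh from 192.0.2.9, how LOG lets processing continue, and how the DROP policy catches everything no rule mentions.

```python
# Added example (not from the slides): parse an iptables-save ruleset and decide
# the fate of packets using the slides' model (ordered rules, first terminating
# match wins, chain policy otherwise).  Only the matches the slides list are known.
import ipaddress
import shlex

# Constructed sample ruleset (documentation address ranges), iptables-save format.
SAVED_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.0/24 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j LOG
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -j REJECT
COMMIT
"""

# Command-line option -> key used in the packet dictionaries below (assumed names).
OPTIONS = {"-p": "proto", "-s": "src", "-d": "dst", "-i": "iface",
           "--sport": "sport", "--source-port": "sport",
           "--dport": "dport", "--destination-port": "dport",
           "--icmp-type": "icmp_type", "-j": "target"}


def parse_save(text):
    """Return {table: {"policy": {chain: target}, "rules": {chain: [rule, ...]}}}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                   # "*filter": a table begins
            table = tables.setdefault(line[1:], {"policy": {}, "rules": {}})
        elif line.startswith(":"):                 # ":INPUT DROP [0:0]": chain + policy
            chain, policy, _counters = line[1:].split()
            table["policy"][chain] = policy
            table["rules"].setdefault(chain, [])
        elif line == "COMMIT":
            table = None
        else:                                      # "-A CHAIN <matches> -j TARGET"
            tokens = shlex.split(line)
            if tokens[0] != "-A":
                raise ValueError("unsupported line: " + line)
            chain, rule, i = tokens[1], {}, 2
            while i < len(tokens):
                if tokens[i] == "-m":              # match extension name, no match by itself
                    i += 2
                    continue
                rule[OPTIONS[tokens[i]]] = tokens[i + 1]   # KeyError on unknown options
                i += 2
            table["rules"].setdefault(chain, []).append(rule)
    return tables


def matches(rule, packet):
    """True when every match of the rule agrees with the packet (-j is not a match)."""
    for key, wanted in rule.items():
        if key == "target":
            continue
        actual = packet.get(key)
        if actual is None:                         # packet lacks the field (e.g. ICMP has no port)
            return False
        if key in ("src", "dst"):                  # host, CIDR prefix or netmask notation
            if ipaddress.ip_address(actual) not in ipaddress.ip_network(wanted, strict=False):
                return False
        elif str(actual) != str(wanted):
            return False
    return True


def _walk(table, chain, packet, log):
    """Walk one chain in order; return a terminating target, or None to fall back."""
    for rule in table["rules"].get(chain, []):
        if not matches(rule, packet):
            continue
        target = rule["target"]
        if target == "LOG":                        # non-terminating: record and keep going
            log.append((chain, dict(packet)))
            continue
        if target == "RETURN":                     # back to the calling chain
            return None
        if target in table["rules"]:               # jump into a user-defined chain
            result = _walk(table, target, packet, log)
            if result is not None:
                return result
            continue
        return target                              # ACCEPT, DROP, REJECT
    return None


def verdict(tables, chain, packet, table="filter", log=None):
    """Decision for a packet entering a built-in chain: rule target, else chain policy."""
    t = tables[table]
    result = _walk(t, chain, packet, [] if log is None else log)
    return result if result is not None else t["policy"][chain]


# Constructed packets; keys follow OPTIONS.
PACKETS = {
    "ssh from the Internet": {"iface": "eth0", "proto": "tcp", "src": "198.51.100.7", "dport": "22"},
    "ssh from the blocked net": {"iface": "eth0", "proto": "tcp", "src": "192.0.2.9", "dport": "22"},
    "http from the Internet": {"iface": "eth0", "proto": "tcp", "src": "198.51.100.7", "dport": "80"},
    "ping from the Internet": {"iface": "eth0", "proto": "icmp", "src": "198.51.100.7", "icmp_type": "8"},
    "dns query to this host": {"iface": "eth0", "proto": "udp", "src": "198.51.100.7", "dport": "53"},
    "loopback": {"iface": "lo", "proto": "tcp", "src": "127.0.0.1", "dport": "3306"},
}


def decide_all(saved=SAVED_RULES, packets=PACKETS):
    """Evaluate every packet against INPUT; returns (verdicts by name, LOG entries)."""
    tables, log = parse_save(saved), []
    verdicts = {name: verdict(tables, "INPUT", pkt, log=log) for name, pkt in packets.items()}
    return verdicts, log


if __name__ == "__main__":
    results, logged = decide_all()
    for name, result in results.items():
        print(f"{name:26s} -> {result}")
    print(f"{len(logged)} packet(s) logged")
```

Running it shows ssh from 198.51.100.7 accepted but ssh from 192.0.2.9 dropped by the earlier -s rule, the http packet logged and then accepted, the ping rejected, the DNS query dropped by the INPUT policy, and loopback traffic accepted. The same parser can be pointed at the output of a real iptables-save to check, offline, what a ruleset would do to a given packet before the rules are loaded with iptables-restore.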

Firewalls
They can protect the network only if they control the entire perimeter
–A user connecting by modem or from the Internet bypasses them
They cannot protect data or programs outside the network
–Once outside, they are beyond the firewall's reach
They are the most visible part of the network and very attractive for attacks
–It is not wise to depend on this as the only protection
–Defense in depth

Firewalls
They must be properly configured
Update the configuration on any change of the network
Read the logs constantly
Keep it simple
–They are preferred targets, so keep them simple in case of an attack
No control over data
–Other means must be used to keep data right and programs free of malicious infections

More information
man iptables

Is a firewall enough?