Firewalls: General Principles & Configuration (in Linux)


Firewalls: General Principles & Configuration (in Linux)
Bruhadeshwar Bezawada
International Institute of Information Technology, Hyderabad

Overview
- General principles of firewalls
- Types
- Issues in design and deployment
- Rules, conflicts and performance issues
- Configuration: IPTables, IPChains

Relevant OSI Layers for Firewall Operation

General Principles of Firewalls
- Network firewalls are devices or systems that control the flow of network traffic between networks employing different security postures.
- One usage is to limit or control connectivity to the Internet.
- Another usage, in corporate networks, is to restrict connectivity to and from internal networks that serve more sensitive functions, like the accounting or personnel departments.
- Firewalls operate at different layers of the network stack. A firewall that can examine information at more than one layer is more thorough and effective.
- A firewall that works only with layers 2 and 3 does not deal with specific users.
- A firewall at the application layer, like an application-proxy gateway firewall, can enforce user authentication and attribute logged events to specific users.

Add-ons Supported by Firewalls
- NAT, DHCP, encryption for VPNs, and application content filtering.
- Firewalls support DHCP so as to allocate IP addresses to the systems that are the subject of the firewall's security control, and to simplify network management.
- Firewalls can act as VPN gateways, where the gateway is responsible for encrypting traffic that leaves its boundary and is destined for other systems in the VPN.
- Active content filtering: the firewall is capable of filtering actual application data at layer 7. For example, scanning email attachments for viruses, or filtering out active content in technologies like Java, JavaScript and ActiveX.
- Can filter on content or keywords to restrict access to inappropriate sites or domains.

Types of Firewalls
- Packet filters
- Stateful inspection firewalls
- Application-proxy gateway firewalls
- Dedicated proxy servers
- Hybrid firewalls
- Network Address Translation (NAT)

Packet Filters

Packet Filter Firewalls
- Packet filters operate at layers 2/3 of the OSI model.
- The basic functionality is designed to provide network access control based on the information at the network layer:
  - source address of the packet, i.e., the IP address from which the packet originated
  - destination address of the packet, i.e., the IP address where it is going
  - type of traffic, i.e., the specific network protocol being used to communicate between source and destination
  - source and destination ports
  - incoming and outgoing interfaces of the packet filter
- Type of traffic, e.g., ICMP traffic: the layer 3 protocol is ICMP.
- Prevent attacks that exploit weaknesses in the TCP/IP suite.
- The access control functionality of a packet filter is decided by a set of directives called a ruleset.

Boundary Router
- Packet filters are also called boundary routers.
- Packet filter gateways have both speed and flexibility: as they examine a limited amount of data, they can operate very quickly.
- The ability to block attacks, filter unwanted protocols, perform access control, and block denial-of-service and related attacks makes them ideal to be placed at the outermost boundary with an untrusted network.
- E.g., the boundary router accepts packets from untrusted networks and performs access control according to the policy in place, say, block SNMP, permit HTTP, block ICMP, etc.
- The boundary router then passes the packets to a more powerful firewall that can perform access control and filtering at higher layers of the OSI stack.

Boundary Router

Sample Packet Filter Ruleset

Examining the Rule Set
Some notes on the ruleset:
- 192.168.1.0 indicates all addresses in the range 192.168.1.0 to 192.168.1.254 (the firewall has interface 192.168.1.1).
- The firewall examines source port, destination port, source address and destination address: basically all the information necessary for evaluating the rules in the ruleset.
Actions taken are:
- Accept: the firewall passes the packet through as requested.
- Deny: drops the packet. An error message is returned to the sending system.
- Discard: drops the packet and does not return an error to the source system.
Example:
- Rule 1 allows any TCP connections from outside.
- Rule 3 says deny any attempts to connect to the firewall from outside.
- Rules 5 and 6 say allow packets going to the SMTP (192.168.1.2) and HTTP (192.168.1.3) servers.
- The last rule is the default: if packets don't match any of the above, they are denied.
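The ruleset discussed above, written as Linux iptables commands. This is an added example, not code from the original slides. It uses the slides' own addresses (firewall 192.168.1.1, SMTP server 192.168.1.2, HTTP server 192.168.1.3); the interface name eth0, the dry-run mechanism (IPT defaults to echoing the commands instead of applying them) and the restriction of rule 1 to client ports above 1023, taken from the later stateful-inspection slide, are assumptions. Deny maps to REJECT (an error goes back to the sender) and Discard to DROP (silent).

```shell
#!/bin/sh
# Added example (not from the slides): the sample packet-filter ruleset as
# iptables rules. By default the script only prints the commands (dry run);
# run it as root with IPT=iptables on a Linux host to actually apply them.
IPT="${IPT:-echo iptables}"

EXT_IF=eth0                 # interface towards the untrusted network (assumed)
FW_ADDR=192.168.1.1         # the firewall's own interface address (slide)
INTERNAL=192.168.1.0/24     # the internal network 192.168.1.0 (slide)
SMTP_SERVER=192.168.1.2     # (slide)
HTTP_SERVER=192.168.1.3     # (slide)

packet_filter_rules() {
    # Start from empty chains for traffic addressed to the firewall (INPUT)
    # and traffic passing through it (FORWARD).
    $IPT -F INPUT
    $IPT -F FORWARD

    # Last rule of the slide: whatever matches nothing below is denied.
    # Expressed as the chain policy, so it applies after every explicit rule.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP

    # Rule 1: TCP from outside to the internal network is accepted. Restricted
    # here (assumption) to the high-numbered client ports the stateful slide
    # mentions: a stateless filter needs a rule this broad so that replies to
    # internal clients can come back at all.
    $IPT -A FORWARD -i "$EXT_IF" -p tcp -d "$INTERNAL" --dport 1024:65535 -j ACCEPT

    # Rule 3: deny attempts to connect to the firewall itself from outside.
    # "Deny" returns an error to the sender, hence REJECT rather than DROP.
    $IPT -A INPUT -i "$EXT_IF" -d "$FW_ADDR" -j REJECT

    # Rules 5 and 6: accept traffic to the SMTP and HTTP servers. Protocol,
    # destination address and destination port are exactly the layer-3/4
    # fields the packet-filter slide lists.
    $IPT -A FORWARD -i "$EXT_IF" -p tcp -d "$SMTP_SERVER" --dport 25 -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -p tcp -d "$HTTP_SERVER" --dport 80 -j ACCEPT

    # "Discard" drops without any error to the source: DROP. Used here for the
    # "block ICMP" case the boundary-router slide gives.
    $IPT -A FORWARD -i "$EXT_IF" -p icmp -j DROP
}

# Print (or, with IPT=iptables, apply) the ruleset.
packet_filter_rules
```

Rules are matched in order and the first match wins, so the ordering of the echoed commands is the ordering of the slide's table. Counters for each rule can be read afterwards with `iptables -L -v -n`, which is the limited logging the weaknesses slide refers to.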

Weaknesses
- As they don't examine upper-layer data, they cannot prevent attacks that employ application-specific vulnerabilities or functions.
- For example, a packet filter cannot block specific application commands: if it allows a given application, all functions available from that application will be permitted.
- Logging functionality is limited, as packet filter firewalls work on a small amount of data.
- Most packet filters do not support advanced user authentication schemes.
- Vulnerable to attacks and exploits that take advantage of problems within the TCP/IP specification and protocol stack, such as IP spoofing.
- Due to the small number of variables used in access control decisions, packet filter firewalls are susceptible to security breaches caused by improper configuration.
- These firewalls are suitable for high-speed environments where logging and user authentication with network resources are not important.

Stateful Inspection Firewalls

Stateful Inspection Firewalls
- Address some functionality of the TCP layer.
- Many clients connect to remote systems from high-numbered ports, e.g., the client port is >1023 in most cases.
- A packet filter firewall must allow all communication to happen above this port.
- Allowing so many ports leaves the network vulnerable.
- A stateful inspection firewall solves this problem by adding the state information of the relevant TCP connection.
- Only ports having legitimate TCP connections are allowed.
- A state table is maintained for every connection.

Sample State Table

Application-Proxy Gateway Firewalls

Application-proxy Gateway Firewalls
- Combine application layer information with lower layer information for filtering purposes.
- Application proxies take over the routing task for packets from inside and outside the network; if a proxy fails, no packets can pass through the firewall.
- All network packets must traverse the firewall under software control.
- Each individual application proxy (proxy agent) interfaces directly with the firewall access control ruleset to determine whether given traffic should be permitted to transit the firewall.
- Authentication of each user is possible, based on login and password, source address, biometrics, etc.

Advantages Over Previous Firewalls
- They have more extensive logging capabilities, as the entire packet is examined. E.g., malicious commands like `su - root` from outside can be logged.
- They allow administrators to enforce the required authentication based on the security policy of the organization.
- IP spoofing can be detected, as the attackers need to know more information, such as login and password.

Typical Proxy Agents

Disadvantages
- Needing to read the entire packet makes these firewalls slow; they are not suited for high-bandwidth or real-time applications.
- Some work is often offloaded to dedicated proxy servers.
- They are not flexible in supporting new network applications and protocols: they ship with generic support, which can allow malicious traffic to tunnel through these generic applications without checks.

Dedicated Proxy Servers
- Proxy servers are deployed behind traditional firewalls.
- The main firewall accepts inbound traffic and forwards it to the proxy if that application is handled by the proxy, e.g., an email proxy server.
- Proxy servers can also accept outbound traffic from internal systems and filter or log the traffic accordingly, e.g., an HTTP proxy behind the firewall.
- Dedicated proxies allow enforcement of user authentication requirements in addition to filtering and logging.
- Prevent email viruses.
- Protect web server updates from internal users.

Email and Content Scanning
- Java applet or application filtering (based on digital signature availability)
- ActiveX control filtering (same as above)
- JavaScript filtering (eliminating cross-site scripting attacks)
- Blocking specific Multipurpose Internet Mail Extensions (MIME) types
- Virus scanning and removal
- Application-specific commands like HTTP "delete"
- User-specific controls, including blocking content types for certain users
- Caching of web pages to reduce incoming traffic

Sample Proxy Configuration

Hybrid Firewall Technologies
- Combining basic packet filters with application-proxy gateway firewalls.
- Combining stateful inspection firewalls with application-proxy functionality to offset the weaknesses of existing stateful inspection firewalls.

Network Address Translation
Two reasons for NAT:
- Hiding the real IP addresses in the network prevents many attackers from attacking individual systems.
- Depletion of the IP address space has made NAT necessary for most organizations.
Three techniques:
- Static address translation
- Hiding network address translation
- Port address translation

Static Address Translation
- Every internal IP has a different, fixed routable IP.
- Not very frequently used, due to the lack of IPs.
- Very fast and scalable.

Sample Table

Hiding NAT
- All internal IP addresses share the SAME external IP address, e.g., all systems connecting to the Internet through a proxy.
- Those addresses that need mapping from outside will require their own external addresses, for efficiency purposes.

Port Address Translation
- Forward inbound connections based on ports.
- The client port is used to identify the connection, unlike NAT, where the IP address is used to identify the connection.
- Each internal connection gets a port from the firewall based on the connection.
- When the response comes from outside, the firewall looks up the destination port and identifies the client.
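The three NAT techniques from the preceding slides (static translation, hiding NAT and port address translation) as iptables nat-table rules. This is an added example, not code from the original slides; the interface name, the public addresses (taken from the 203.0.113.0/24 documentation range), the internal addresses and the dry-run mechanism are all assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): static NAT, hiding NAT and PAT with the
# iptables nat table. Dry run by default; IPT=iptables applies the rules
# (as root). Forwarding must also be enabled: sysctl net.ipv4.ip_forward=1.
IPT="${IPT:-echo iptables}"
EXT_IF=eth0               # interface towards the Internet (assumed)
EXT_ADDR=203.0.113.10     # the firewall's public address (assumed)
STATIC_ADDR=203.0.113.11  # a second public address reserved for one host (assumed)
INTERNAL=10.0.0.0/24      # internal network (assumed)
MAIL=10.0.0.2             # internal mail server (assumed)
WEB=10.0.0.3              # internal web server (assumed)

# Static address translation: one fixed routable address per internal host,
# rewritten in both directions, so the host is reachable from outside.
static_nat_rules() {
    $IPT -t nat -A POSTROUTING -s "$MAIL" -o "$EXT_IF" -j SNAT --to-source "$STATIC_ADDR"
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$STATIC_ADDR" -j DNAT --to-destination "$MAIL"
}

# Hiding NAT: every internal host leaves with the same external address.
# MASQUERADE picks the address of the outgoing interface automatically.
hiding_nat_rules() {
    $IPT -t nat -A POSTROUTING -s "$INTERNAL" -o "$EXT_IF" -j MASQUERADE
}

# Port address translation: the firewall assigns each outbound connection a
# source port of its own from the given range and keeps the mapping, so that a
# reply arriving at that port can be handed back to the right client.
pat_rules() {
    $IPT -t nat -A POSTROUTING -s "$INTERNAL" -o "$EXT_IF" -p tcp -j SNAT --to-source "$EXT_ADDR":1024-65535
    # Inbound forwarding based on port: connections to port 80 of the shared
    # address are delivered to the internal web server.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$EXT_ADDR" --dport 80 -j DNAT --to-destination "$WEB":80
}

# Print (or apply) all three variants. In a real deployment pick one of
# hiding_nat_rules/pat_rules, not both, for the same source network.
static_nat_rules
hiding_nat_rules
pat_rules
```

Translation alone does not grant access: a packet that is DNATed to the web server still has to be accepted by the FORWARD chain of the filter table. The kernel's translation table, the equivalent of the slides' sample NAT and PAT tables, can be inspected with `conntrack -L` once traffic flows.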

Sample PAT Table

Other Firewalls
- Host-based firewalls in Linux-based systems for application servers: the server application is protected better, and separate hardware/software is not necessary.
- Personal firewalls to protect PCs.
- Personal firewall appliances for protecting small networks, like ISP-client connections, etc.
- Integrates with the following devices: cable modems, routing modules, DHCP servers, hubs, switches, SNMP agents, application-proxy agents.

DMZ
- Created out of a network connecting two firewalls.
- Specifically for nodes that should not be put in protected internal networks.

DMZ