Presentation is loading. Please wait.

Presentation is loading. Please wait.

Firewalls.

Published byBrittney Chandler Modified over 6 years ago

Similar presentations

Presentation on theme: "Firewalls."— Presentation transcript:

1 Firewalls

2 ECE 4112 - Internetwork Security
Overview Background General Firewall setup Iptables Introduction Iptables commands “Limit” Function Explanation with icmp and syn floods Zone Alarm ECE Internetwork Security

3 ECE 4112 - Internetwork Security
What is a Firewall? Firewall – a hardware, software, or combination of the two that prevents unauthorized access to or from a private network. ECE Internetwork Security

4 ECE 4112 - Internetwork Security
Benefits Uninhibited internal LAN traffic Ability to leave internal ports open without fear of those ports being abused Sense of security by filtering WAN interface for expected traffic ECE Internetwork Security

5 ECE 4112 - Internetwork Security
Traffic Control Three methods used to control traffic flowing in and out of the network Packet Filtering Proxy Filtering Stateful Inspection ECE Internetwork Security

6 Firewall Configuration
Rules/filters can be defined to look for a number of things, some of these are: IP addresses Domain names Protocols - IP TCP HTTP FTP UDP ICMP SMTP SNMP Telnet Ports Specific words and phrases ECE Internetwork Security

7 What You’re Protected From
Security Level External packets allowed HIGH none MIDDLE pre-defined ports (web,ssh) and established connections LOW all packets ECE Internetwork Security

8 What You’re Protected From
We allow traffic that is expected The firewall is responsible for inspecting connections and packet headers We allow all traffic on a few specific ports Certain ports are forwarded to a server ECE Internetwork Security

9 ECE 4112 - Internetwork Security
Expected Traffic Protects you from floods of packets TCP/SYN, PING/REPLY, IP SPOOFING Protects you from scans Port scans and vulnerability probes Blocks unwanted connections Telnet, SSH, FTP, and others can be regulated ECE Internetwork Security

10 ECE 4112 - Internetwork Security
Port Forwarding Biggest security hole in our firewall Opened ports to allow traffic to servers All incoming data on this specific port is allowed in, and forwarded to server Hackers could exploit this open port Hackers could exploit a bug in the software on the server ECE Internetwork Security

11 Demilitarized Zone (DMZ)
Frontline of protection “A network added between a protected network and external network in order to provide an additional layer of security” Does not allow external networks to directly reference internal machines Acts as system of checks and balances to make sure that if any one area goes bad that it cannot corrupt the whole ECE Internetwork Security

12 Common Firewall Configurations
Firewall takes care of passing packets that pass its filtering rules between the internal network and the Internet, and vice versa. May use IP masquerading but that's all it does. Also known as a dual-homed host The two "homes" refer to the two networks that the firewall machine is part of one interface connected to the outside home the other connected to the inside home. ECE Internetwork Security

13 Common Firewall Configurations
The exposed DMZ configuration depends on two things: 1) an external “Internet” router 2) multiple IP addresses. The firewall needs only two network cards. If you control the “Internet” router you have access to a second set of packet-filtering capabilities. If you don't control the “Internet” router, your DMZ is totally exposed to the Internet. Hardening a machine enough to live in the DMZ without getting regularly compromised can be tricky. If you connect via PPP (modem dial-up), or you don't control your external router, or you want to masquerade your DMZ, or you have only 1 IP address, you'll need to do something else. There are two straightforward solutions to this, depending on your particular problem. ECE Internetwork Security

14 Common Firewall Configurations
One solution is to build a second router/firewall. Useful if you're connecting via PPP Exterior router/firewall (Firewall 1) responsible for creating the PPP connection and controls the access to our DMZ zone The other firewall (Firewall 2) is a standard dual-homed host just like the one we spoke about at the beginning The other solution is to create a three-legged firewall, which is what we are going to talk about next ECE Internetwork Security

15 Common Firewall Configurations
Need an additional network adapter in your firewall box for your DMZ. Firewall is configured to route packets between the outside world and the DMZ differently than between the outside world and the internal network. You can masquerade the machines in the DMZ too, while keeping them functionally separate from protected internal machines. The primary disadvantage to the three-legged firewall is the additional complexity. Access to and from the DMZ and to and from the internal network is controlled by one large set of rules. It's pretty easy to get these rules wrong if you're not careful ! On the other hand, if you don't have any control over the “Internet router”, you can exert a lot more control over traffic to and from the DMZ this way. It's good to prevent access into the DMZ if you can. ECE Internetwork Security

16 ECE 4112 - Internetwork Security
Lab Setup Firewall workstations One firewall host and two virtual machines ECE Internetwork Security

17 Iptables Introduction
Iptables is a fourth generation firewall tool for Linux Requires kernel or above with netfilter framework Iptables inserts and deletes rules from the kernel’s packet filtering table Replacement for ipfwadm and ipchains ECE Internetwork Security

18 How packets traverse the filters
3 default chains: INPUT, FORWARD, OUTPUT Incoming Outgoing Routing Decision FORWARD OUTPUT INPUT Local Process ECE Internetwork Security

19 How packets traverse the filters (continued)
When a packet reaches a circle, that chain determines the fate of the packet The chain can say to DROP the packet or ACCEPT it. If no rules match in chain, the default policy is used (usually to DROP) ECE Internetwork Security

20 Network Address Translation
The table of NAT rules invoked by ‘iptables –t nat’ contains PREROUTING and POSTROUTING chains Routing Decision PREROUTING POSTROUTING Local Process ECE Internetwork Security

21 ECE 4112 - Internetwork Security
NAT and iptables ECE Internetwork Security

22 ECE 4112 - Internetwork Security
Masquerading Special form of Source NAT Dynamically changes source address to that of the firewall Simple one-line rule iptables –A POSTROUTING –t nat –o eth0 –j MASQUERADE ECE Internetwork Security

23 Creating your own rules
Adding/Deleting rules: Append a new rule to an existing chain: iptables –A <chain> iptables -A PREROUTING -t nat -p tcp -d dport 80 -j / DNAT --to :80 Deleting a rule from an existing chain: iptables –D <chain> <rule info> iptables -D INPUT --dport 80 -j DROP, iptables -D INPUT 1 Changing chains: Creating a new chain: iptables –N <name> iptables –N PERMISSION ECE Internetwork Security

24 Creating your own rules (contd)
Delete an empty chain: iptables –X <name> iptables –X PERMISSION List the rules of a chain: iptables –L <name> iptables –L PERMISSION Flush a chain (delete all rules in a chain): iptables –F <name> iptables –F PERMISSION ECE Internetwork Security

25 More iptables commands
Specifying jump If a packet matches a specified rule, jump (-j option) to another chain: iptables –A INPUT –j DROP Specifying protocol Used to specify the protocol, tcp, udp, or icmp (case sensitive) using –p option. iptables –A INPUT –p icmp Specifying inversion Used to invert any rules using the ‘!’ option iptables –A INPUT –p ! tcp ECE Internetwork Security

26 Iptables commands (contd)
Specifying interface Specified with the ‘-i’ (input) or ‘-o’ (output) iptables –A INPUT –i eth0 #check packets coming in on interface eth0 Specifying source/destination Can be specified in 4 ways: name ( IP ( ), group ( /24), using IP/netmask ( / ). Use ‘-s’ for source, and ‘-d’ for destination. iptables –A INPUT –s /24 –d ECE Internetwork Security

27 ECE 4112 - Internetwork Security
State matching Different states are checked to analyze packets (need to have ip_conntrack module loaded). The states that are checked are: NEW: A packet that creates a new connection. ESTABLISHED: A packet belonging to an existing connection (reply or outgoing packet). RELATED: A packet that is related to, but not part of an existing connection (ICMP error). INVALID: A packet that could not be identified. ECE Internetwork Security

28 ECE 4112 - Internetwork Security
Port Forwarding Using NAT table, destination address is changed based on the port iptables –A PREROUTING –t nat –d –p tcp \ --dport 80 –j DNAT --to :80 ECE Internetwork Security

29 Defending against ICMP Ping Floods and tcp syn attack
Using limit module specified with ‘-m limit’ packets can be restricted based on rate of matches iptables –A INPUT –p icmp –-icmp-type echo-request \ –m limit –-limit 1/s –-limit-burst 5 –j ACCEPT Limit burst “recharges” 1 packet every second. This is based on the 1/s limit specified. ECE Internetwork Security

30 ECE 4112 - Internetwork Security
Zone Alarm Firewall for the Windows OS. Several types of alerts: New program alerts: Accept/deny programs to access the internet. Repeat program alerts: grant access permission to program that has already requested before. Server program alerts: grant server permission to a program. Caution: Some Trojan horses require server access to execute. Changed program alerts: If a program has been changed since the last time it access the internet. ECE Internetwork Security

31 ECE 4112 - Internetwork Security
What is a zone? Zone Alarm classifies computer and networks that you communicate with into good, bad, and unknown zones. 3 types: Internet Zone: is the “unknown” zone. All computers and networks belong to this zone until you move them to one of the other zones. Trusted Zone: is the “good” zone. Contains all computers you trust. Blocked Zone: is the “bad” zone. Contains all computers you distrust (only available in Zone Alarm Pro and Zone Alarm Plus version). ECE Internetwork Security

32 ECE 4112 - Internetwork Security
What is a zone? (contd.) When another computer wants to communicate with your computer – Zone Alarm looks at what zone it belongs to and decides what to do. ECE Internetwork Security

33 ECE 4112 - Internetwork Security
Hardware Firewalls A hardware firewall usually has 3 interfaces Inside – Trusted area of the internetwork. Outside – Untrusted area of the internetwork DMZ – Isolated area of the internetwork with limited access to Outside users. ECE Internetwork Security

34 ECE 4112 - Internetwork Security
Hardware Firewalls ECE Internetwork Security

35 ECE 4112 - Internetwork Security
Cisco Firewalls – PIX 515E Different modes of configuration Unprivileged Mode Privileged Mode Configuration Mode Monitor Mode Can type unique short forms of commands in each mode Example: config t for configure terminal, write t for write terminal ECE Internetwork Security

36 ECE 4112 - Internetwork Security
Cisco Firewalls – PIX 515E ASA – Adaptive Security Algorithm Data Flow relative to security levels Security Level 100 – For trusted Inside interface and internal traffic Security Level 0 – For un-trusted Outside interface Security Level 1-99 – Can be assigned to perimeter interfaces like DMZ ECE Internetwork Security

37 ECE 4112 - Internetwork Security
PIX Lab – Network Setup Need to get an ECE UNIX account Can only access firewall from ECE machines ssh into digiconsole.ece-int.gatech.edu ssh into Actual digital console Controls all routers and other hardware Need a terminal to the normal lab network ECE Internetwork Security

38 ECE 4112 - Internetwork Security
Summary Firewalls filter unwanted traffic. Port Forwarding: big security hole. Network Address Translation. Use iptables to setup filters. State checking. Zone Alarm: Firewall for Windows OS. Hardware Firewalls ECE Internetwork Security

39 ECE 4112 - Internetwork Security
Acknowledgements “Firewall Topologies”, Russell, Rusty, “Linux 2.4 Packet Filtering HOWTO” Startup script and basis for rules Stephens , James C. Steams, William “Adaptive Firewalls with IP Tables” Tyson, Jeff, “How Firewalls Work” Young, Scott “Designing a DMZ” ZoneAlarm tutorial information provided from ECE Internetwork Security

40 ECE 4112 - Internetwork Security
References Cisco Secure PIX Firewalls,David Chapman Jr. and Andy Fox. Cisco Press Cisco Security seminar notes. ECE Internetwork Security

Download ppt "Firewalls."

Similar presentations

Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.

Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 7 Network Perimeter Security.

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 7 Network Perimeter Security.
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
1 Computer System Evolution Central Data Processing System: - with directly attached peripherals (card reader, magnetic tapes, line printer). Local Area.

1 Computer System Evolution Central Data Processing System: - with directly attached peripherals (card reader, magnetic tapes, line printer). Local Area.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.

Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.
BY- NIKHIL TRIPATHI 12MCMB10.  What is a FIREWALL?  Can & Can’t in Firewall perspective  Development of Firewalls  Firewall Architectures  Some Generalization.

BY- NIKHIL TRIPATHI 12MCMB10.  What is a FIREWALL?  Can & Can’t in Firewall perspective  Development of Firewalls  Firewall Architectures  Some Generalization.
Hafez Barghouthi. Model for Network Access Security (our concern) Patrick BoursAuthentication Course 2007/20082.

Hafez Barghouthi. Model for Network Access Security (our concern) Patrick BoursAuthentication Course 2007/20082.
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
Why do we need Firewalls? Internet connectivity is a must for most people and organizations  especially for me But a convenient Internet connectivity.

Why do we need Firewalls? Internet connectivity is a must for most people and organizations  especially for me But a convenient Internet connectivity.
NetFilter – IPtables Firewall –Series of rules to govern what Kind of access to allow on your system –Packet filtering –Drop or Accept packets NAT –Network.

NetFilter – IPtables Firewall –Series of rules to govern what Kind of access to allow on your system –Packet filtering –Drop or Accept packets NAT –Network.
07/11/2012 www.eej.ulst.ac.uk/~ian/modules/COM342/COM342_L10.ppt L10/1/63 COM342 Networks and Data Communications Ian McCrumRoom 5B18 Tel: 90 366364 voice.

07/11/ L10/1/63 COM342 Networks and Data Communications Ian McCrumRoom 5B18 Tel: voice.
Packet Filtering and Firewall

Packet Filtering and Firewall
Chapter 6: Packet Filtering

Chapter 6: Packet Filtering
Firewall and Internet Access Mechanism that control (1)Internet access, (2)Handle the problem of screening a particular network or an organization from.

Firewall and Internet Access Mechanism that control (1)Internet access, (2)Handle the problem of screening a particular network or an organization from.

Similar presentations

Ads by Google