Comparing Linux Firewalls
Jesse Schuettinger, SUNY Polytechnic Institute

ABSTRACT
A firewall is a requirement for enterprise-level organizations and is recommended in any network environment. In some cases a firewall is necessary, but buying a hardware firewall may be outside the organization's budget. In that case, depending on the amount of traffic expected to traverse the network, an existing unused desktop computer or rack-mounted server can become the hardware firewall, reducing the overall cost of firewall protection. This can be accomplished with a Linux-based firewall operating system. To determine which firewall is the best fit for a network, I created a series of tests that produce comparable data for each firewall both in its default (unconfigured) state and after configuration. With this information, we can better determine which Linux-based firewall operating system best fits our needs.

THE PROBLEM
Many factors come into play when choosing the best firewall for a given network. This project focuses on a few crucial ones: throughput, response time, vulnerabilities, and specializations.

Throughput is a very important asset in network infrastructure. The more devices are connected to a network, the more throughput is required to satisfy each user. Like any other inline device, a firewall can become a bottleneck as traffic leaves the LAN. Although the throughput reduction may be small and almost negligible, that slight reduction can easily become significant on a network under load.

Firewalls must respond to threats quickly and efficiently. Ideally, a firewall detects and responds to threats as they arrive, so that malicious data never reaches the internal network. An attacker might manipulate packets so that they look like legitimate traffic that is whitelisted on the firewall; the firewall must be able to tell whether a packet is legitimate or not. The firewall also needs to be updated frequently to keep up with new threats.

It is also very important to go over the default settings of a firewall before configuring it. Any overlooked default setting may leave vulnerabilities that attackers can exploit to send malicious code through the firewall. Discovering and eliminating those vulnerabilities greatly reduces the chance of infiltration. While researching and testing these firewalls, it is also important to see what each firewall is specialized in: intrusion detection, for example, or wireless network security.

The goal of this project is to better understand how Linux firewalls work and to create awareness of the various firewalls available to the public. The lesson is that when considering adding a firewall to a network, first ask what needs to be protected, then find firewalls whose features match those needs. Being open to hardware firewall solutions other than a single vendor's product line may also return favorable results.

The testing environment was created on the NCS club's Proxmox server, which provided virtual machines that are not affected by the hardware limitations of my personal desktop or laptop when several virtual machines run at once.

TEST PROCEDURE
Each test in this experiment used the tools below, embedded in a batch script that produced a CSV file I could copy straight into my spreadsheet of data.

Iperf - Provides active measurements of bandwidth, throughput, and latency on IP networks. For this experiment I used a UDP stream from one end of the network to the other to determine throughput and latency. Both sides need iperf installed: one side listens for the packets, the other sends them. To avoid variables that would affect the results, the script does not open the remote connection that starts the iperf listener; that is done manually before the script is run.

Wily-possum - Uses scapy, a packet-crafting library, to determine whether a connection sits behind a stateful or a stateless firewall. It generates TCP packets with specific flag combinations that a stateful firewall would most likely drop, because they belong to no connection in its state table.

X-mas Tree Attack - A scan type bundled with nmap. It sends an nmap scan whose packets have the FIN, URG, and PSH flags set. This is a very unlikely combination, which has caused network devices, even firewalls, to reboot or suffer some degree of denial of service. The script I wrote for this uses tshark, the command-line version of Wireshark, to capture a response packet, which is the sign that the attack got through.

FIREWALLS
Ipfire - Designed with security as a very high priority. Not surprisingly, ipfire takes its security very seriously: in my experiment, and according to its website, this open-source firewall by default blocks practically anything that tries to establish a connection from the outside.

ClearOS - Of the three firewalls chosen for this experiment, this one was "clearly" the outlier. After playing around with it, I first thought there was no command-line interface in this build: it has an interactive menu that can be accessed directly, and a user-friendly web interface as well. After some research and further interaction I discovered that there is a command line, so I was able to apply the configurations to the system. There is also a paid version of this software geared towards enterprise-level customers.

Ipcop - Very similar to ipfire, but geared towards SOHO environments, making it one of the most user-friendly open-source firewalls available.

IPERF TESTING SCRIPT, X-MAS TREE ATTACK TESTING SCRIPT, WILY-POSSUM TESTING SCRIPT
(The three scripts appear on the poster as images and are not reproduced in the page text.)

WILY-POSSUM PYTHON SCRIPT
This is where I obtained the information needed to produce the results. Each case is a custom packet with a specific flag set. The percentage of probe packets that are answered is what this author used to decide whether a firewall is stateful or stateless: below 70%, the test considers the connection stateful; above that, stateless.

RESULTS
Throughput (Mb/s, iperf UDP stream). A dash marks a cell missing from the page text; each missing value is implied by its column average.

Test    | Baseline | Default ipfire | Default ClearOS | Default ipcop | Config. ipfire | Config. ClearOS | Config. ipcop
1       | 410      | 382            | 290             | -             | 344            | 276             | 370
2       | 408      | 375            | 286             | 391           | 348            | 270             | 367
3       | 398      | 376            | 289             | 384           | 345            | 273             | 377
4       | 406      | 383            | 287             | 392           | 350            | 272             | -
5       | 403      | 368            | -               | 388           | -              | -               | 362
Average | 405      | 376.8          | 287.6           | 387.4         | 347            | 272.2           | 370.2

Latency (ms). The page text lists the values per test but not which column each belongs to; they are reproduced in the order given.
Test 1: 0.057, 0.071, 0.059, 0.045, 0.04, 0.044
Test 2: 0.046, 0.042, 0.067, 0.043, 0.047, 0.051
Test 3: 0.05, 0.036, 0.049, 0.063
Test 4: 0.041, 0.088, 0.056, 0.061
Test 5 and averages (run together in the page text): 12.479, 12.982, 0.08, 0.068, 2.5366, 2.6494, 0.0428, 0.0544, 0.06

Wily-possum (percentage of probe packets answered; below 70% = stateful). Test 1: 88.89%, 0.00%, 44.44%. Tests 2 to 5: values not preserved in the page text.

X-mas Tree. Test 1: 1. Success rate (out of 5): 5. Remaining cells not preserved in the page text.

CONCLUSION
Iperf: Ipfire displayed a significant drop in throughput, and its latency suffered as well. Every time I ran the test, at least one run was an outlier with a latency of at least 12 ms. Note that the averages in the 2.5 ms range come almost entirely from that single outlier; the other runs stayed between roughly 0.04 and 0.09 ms, so the mean overstates the typical delay.

Wily-Possum: As expected from what ipfire claims to do, it blocked all of wily-possum's generated packets (0.00% answered), making it 100% stateful.

X-mas Tree Attack: As expected, the attack was blocked by the firewall even in its unconfigured state.

CITATIONS
Tools: Iperf, Wily-possum, Scapy, X-mas tree attack (nmap), Tshark. Firewalls: Ipfire, Ipcop, ClearOS. (The URLs are not preserved in the page text.)

For additional information please contact: Jesse Schuettinger
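The batch script described under TEST PROCEDURE (run iperf, run the X-mas scan under tshark, write one CSV row) is only shown as images on the poster. The following is an added example, not the author's script, of the parsing half of that harness: it pulls throughput, jitter and loss out of one iperf UDP run and counts target replies in one tshark capture, then emits the CSV row. The sample outputs are constructed; the formats assumed are iperf2's UDP server report and tshark's tab-separated `-T fields` output; the addresses and command lines in the comments are hypothetical.

```python
"""Turn one iperf UDP run and one tshark capture into a CSV row.

Added example, not the author's batch script. Assumed inputs:
  listener:  iperf -s -u                      (started by hand, as the page says)
  sender:    iperf -c 10.0.0.2 -u -b 400M -t 10
  capture:   tshark -i eth0 -a duration:15 -f "host 10.0.0.2" \
               -T fields -e frame.time_relative -e ip.src -e ip.dst
  scan:      nmap -sX -p 80 10.0.0.2
"""
import re
from typing import Dict, Optional

# Constructed sample of an iperf2 UDP client's output once the server report
# arrives; the last line carries bandwidth, jitter and lost/total datagrams.
SAMPLE_IPERF = """\
------------------------------------------------------------
Client connecting to 10.0.0.2, UDP port 5001
Sending 1470 byte datagrams
------------------------------------------------------------
[  3] local 10.0.0.1 port 40000 connected with 10.0.0.2 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec   476 MBytes   399 Mbits/sec
[  3] Sent 339502 datagrams
[  3] Server Report:
[  3]  0.0-10.0 sec   476 MBytes   399 Mbits/sec   0.057 ms  205/339502 (0.06%)
"""

# Constructed sample of `tshark -T fields` output: time, ip.src, ip.dst.
SAMPLE_TSHARK = (
    "0.000000000\t10.0.0.1\t10.0.0.2\n"   # our FIN/PSH/URG probe going out
    "0.000412000\t10.0.0.2\t10.0.0.1\n"   # target answered (RST: closed port)
    "1.000071000\t10.0.0.1\t10.0.0.2\n"   # second probe, no answer
)

# Only the server report line has "<jitter> ms <lost>/<total>" after the rate,
# so the client summary line a few rows above it never matches.
SERVER_REPORT = re.compile(
    r"(?P<rate>[\d.]+)\s+(?P<unit>[KMG])bits/sec\s+"
    r"(?P<jitter>[\d.]+)\s+ms\s+(?P<lost>\d+)/\s*(?P<total>\d+)")
UNIT_TO_MBITS = {"K": 1e-3, "M": 1.0, "G": 1e3}


def parse_iperf_udp(output: str) -> Optional[Dict[str, float]]:
    """Throughput (Mbit/s), jitter (ms) and loss (%) from the server report.
    Returns None when no report came back (listener not running, path blocked)."""
    m = SERVER_REPORT.search(output)
    if not m:
        return None
    lost, total = int(m["lost"]), int(m["total"])
    return {
        "mbits": float(m["rate"]) * UNIT_TO_MBITS[m["unit"]],
        "jitter_ms": float(m["jitter"]),
        "loss_pct": 100.0 * lost / total if total else 0.0,
    }


def xmas_responses(tshark_fields: str, scanner: str, target: str) -> int:
    """Frames from target back to scanner during the scan: the page's
    'response packet' that shows the FIN/PSH/URG segment passed the firewall."""
    count = 0
    for line in tshark_fields.splitlines():
        parts = line.split("\t")
        if len(parts) < 3:
            continue                      # blank or truncated line
        _, src, dst = parts[:3]
        if src == target and dst == scanner:
            count += 1
    return count


def csv_row(firewall: str, run: int, iperf_output: str, tshark_fields: str,
            scanner: str, target: str) -> str:
    """firewall,run,mbits,jitter_ms,loss_pct,xmas_replies,xmas_success"""
    stats = parse_iperf_udp(iperf_output)
    if stats is None:
        raise ValueError("no iperf server report found; was the listener started?")
    replies = xmas_responses(tshark_fields, scanner, target)
    return ",".join([firewall, str(run), f"{stats['mbits']:.1f}",
                     f"{stats['jitter_ms']:.3f}", f"{stats['loss_pct']:.2f}",
                     str(replies), "1" if replies else "0"])


if __name__ == "__main__":
    print(csv_row("ipfire-default", 1, SAMPLE_IPERF, SAMPLE_TSHARK,
                  "10.0.0.1", "10.0.0.2"))
```

Two caveats for anyone reproducing the procedure: iperf's UDP server report gives jitter and datagram loss, not round-trip latency, so sub-0.1 ms figures taken from it describe jitter, and a separate ping or TCP round-trip measurement is needed for latency proper; and iperf2 can write CSV itself with `-y C`, which avoids the regex entirely. A RST from the target after an X-mas probe means the segment crossed the firewall and hit a closed port (nmap reports silence as open|filtered), which is exactly the "response packet" the page counts as success.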
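The stateful-versus-stateless rule described under WILY-POSSUM PYTHON SCRIPT (one custom TCP segment per case, the percentage of cases that draw a reply, a 70% cut-off) as an added example. This is not the wily-possum tool or the author's script: the nine-probe set, the scapy call and the simulated targets are assumptions, while the 70% threshold is the page's. The simulated targets follow the RFC 793 host rules so the example also shows where the threshold misleads.

```python
"""Stateful/stateless probe in the style of the page's wily-possum test.

Added example, not wily-possum itself. Probe set, scapy usage and the
simulated targets are assumptions; the 70% rule is the page's.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Assumed probe set: nine TCP flag combinations (scapy letters: S=SYN A=ACK
# F=FIN P=PSH U=URG). None belongs to a connection the firewall saw a SYN
# for, so a stateful firewall drops all of them, while a stateless port
# filter forwards them and lets the host behind it answer.
PROBES: Dict[str, str] = {
    "ack_without_handshake": "A",
    "fin_without_handshake": "F",
    "null_no_flags": "",
    "xmas_fin_psh_urg": "FPU",
    "syn_ack_without_syn": "SA",
    "psh_ack_without_handshake": "PA",
    "fin_ack_without_handshake": "FA",
    "urg_only": "U",
    "psh_only": "P",
}

STATEFUL_THRESHOLD = 0.70   # page's rule: below 70% answered -> stateful


@dataclass
class ProbeResult:
    name: str
    flags: str
    answered: bool


def run_probes(sender: Callable[[str], bool]) -> List[ProbeResult]:
    """Send every probe through `sender` (flags -> True if any reply came back)."""
    return [ProbeResult(name, flags, sender(flags)) for name, flags in PROBES.items()]


def answered_ratio(results: List[ProbeResult]) -> float:
    """Fraction of probes that drew a reply; this is the page's percentage."""
    return sum(1 for r in results if r.answered) / len(results)


def classify(results: List[ProbeResult], threshold: float = STATEFUL_THRESHOLD) -> str:
    return "stateful" if answered_ratio(results) < threshold else "stateless"


def csv_row(label: str, results: List[ProbeResult]) -> str:
    """One spreadsheet line: label, percent answered, verdict."""
    return f"{label},{answered_ratio(results) * 100:.2f}%,{classify(results)}"


def scapy_sender(dst: str, dport: int, timeout: float = 2.0) -> Callable[[str], bool]:
    """Real sender (assumption: scapy installed, run as root). The import is
    deferred so the module loads, and the simulation runs, without scapy."""
    from scapy.all import IP, TCP, RandShort, sr1  # type: ignore

    def send(flags: str) -> bool:
        pkt = IP(dst=dst) / TCP(sport=RandShort(), dport=dport, flags=flags)
        return sr1(pkt, timeout=timeout, verbose=0) is not None

    return send


def simulated_sender(stateful: bool, port_open: bool = False) -> Callable[[str], bool]:
    """Constructed stand-in for a target so the example runs offline.
    RFC 793 host behaviour behind the filter: a closed port answers every
    non-RST segment with RST; a listening port answers only segments that
    carry ACK (with RST) and drops the rest; a stateful firewall in front
    drops all of them, since none matches a tracked connection."""
    def send(flags: str) -> bool:
        if stateful:
            return False
        if not port_open:
            return True          # closed port: RST to anything
        return "A" in flags      # LISTEN: only stray ACKs draw a RST
    return send


if __name__ == "__main__":
    # Real run against a hypothetical target (documentation address):
    #   results = run_probes(scapy_sender("192.0.2.10", 80))
    for label, target in (("stateless_closed_port", simulated_sender(False)),
                          ("stateless_open_port", simulated_sender(False, True)),
                          ("stateful_firewall", simulated_sender(True))):
        print(csv_row(label, run_probes(target)))
```

The third simulated case is the one to watch: a stateless filter in front of a listening port answers only the four ACK-bearing probes, 44.44%, and the 70% rule then calls it stateful. The percentage therefore depends on which probes are sent and on whether the probed port is open or closed, which is why a run with no firewall at all (the page's Baseline column) belongs in every comparison, and why the probed port should be one the firewall allows but the host does not listen on.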