Presentation is loading. Please wait.

Presentation is loading. Please wait.

Automated Firewalls with Mason William Stearns SANS Instructor, proctor, and network administrator

Published byKieran Pleasant Modified over 9 years ago

Similar presentations

Presentation on theme: "Automated Firewalls with Mason William Stearns SANS Instructor, proctor, and network administrator"— Presentation transcript:

1 Automated Firewalls with Mason William Stearns SANS Instructor, proctor, and network administrator wstearns@pobox.com http://www.stearns.org/mason/

2 Getting underway Room monitors Evaluation forms Questions at any point Goals Basics of Linux firewalling Learning process Live demo

3 Firewalls One small piece of your network security Only affects traffic going in, out, or through your firewall Can be circumvented TCP/IP tunneling in ssh, email, DNS, http Using allowed ports for blocked traffic types Additional exit points from network Firewall system needs to be locked down tightly!

4 Firewall types Packet filtering Stateful Stateless Proxy Better yet, both!

5 Firewall types, proxies.

6 Choice of firewall platform Stability Network card support Security and Updates Network performance Ability to audit and strip down Cost Ease of setup

7 Linux Packet Filtering Separation of Jobs Kernel Command line tools

8 Linux Packet Filtering types Ipfw (Linux 1.2 kernels) Ipfwadm (Linux 2.0 kernels) Ipchains (Linux 2.2 kernels) Iptables (Linux 2.4 kernels)

9 ipfw First Linux packet filtering support Linux 1.2 kernels Stateless Very limited Only filtered on one port Never integrated into distributions Not supported by Mason Ported from one of the BSD's by Alan Cox

10 ipfwadm Linux 2.0 kernels Stateless Filters on source and destination addresses and ports Only TCP, UDP, and ICMP Masquerading (many-to-one NAT) Jos Vos

11 ipchains Linux 2.2 kernels Stateless Support for ICMP subtypes, protocols other than TCP, UDP and ICMP, and inverse options. Rusty Russell

12 iptables Linux 2.4, 2.5, and upcoming 2.6 kernels Stateful IPV6 support Backwards compatibility modules for ipfwadm and ipchains Extensible tests and actions Fully modular design

13 Setting up firewalls Triple threat; limited background in: Security policies TCP/IP (normal and attack patterns) Connecting the two with packet filtering and other security tools. Risk in getting it wrong. Default allow - easy to get going Default deny - orders of magnitude harder

14 Approaches for creating firewalls Prewritten list of rules Menu interface with small set of choices Menu interface with extensive options Automatic construction of rules based on current network setup. Letting the firewall build itself 

15 Prewritten list of rules +Good if your network matches the assumptions 1.May need a lot of editing if not 2.They tend to be too permissive

16 Menu interface with small set of choices +Good for simple networks 1.Poor for complex networks or non-standard networks 2.Poor for non-standard protocols

17 Menu interface with extensive options +Flexible, good for complex networks 1.Requires a lot of expertise from the administrator

18 Letting the firewall build itself +Flexible +Doesn't require in-depth knowledge of firewall construction +Handles simple and complex networks 1.May take some time to cover all traffic types.

19 The world's most efficient and literal bouncer New bouncer Needs to be taught who can go in or out of the bar Told to note individual's age, whether they're part of the owner's family, which direction they want to go and whether they're carrying firearms, and then ask bar owner.

20 Initial bouncer rules => Write down characteristics, ask owner => block (default policy)

21 Bouncer rules, part II Carrying firearms => block and call police => Write down characteristics, ask owner => block (default policy)

22 Bouncer rules, part III Carrying firearms => block and call police Leaving bar => allow to pass => Write down characteristics, ask owner => block (default policy)

23 Bouncer rules, part IV Carrying firearms => block and call police Leaving bar => allow to pass Entering bar, over 21 => allow to pass => Write down characteristics, ask owner => block (default policy)

24 Bouncer rules, part V Carrying firearms => block and call police Leaving bar => allow to pass Entering bar, over 21 => allow to pass Part of owner's family => allow to pass => Write down characteristics, ask owner => block (default policy)

25 Bouncer rules, part VI Carrying firearms => block and call police Leaving bar => allow to pass Entering bar, over 21 => allow to pass Part of owner's family => allow to pass Entering bar, under 21 => block => Write down characteristics, ask owner => block (default policy)

26 Bouncer rules, part VII Carrying firearms => block and call police Leaving bar => allow to pass Entering bar, over 21 => allow to pass Part of owner's family => allow to pass Entering bar, under 21 => block => block (default policy)

27 Mason and iterative creation Start off with empty firewall Log all unmatched packets Watch logs for new packets Add rule that would have matched that traffic Keep adding rules until all traffic types encountered

28 Iptables log format Apr 30 21:04:10 sparrow kernel: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=11339 DF PROTO=UDP SPT=33272 DPT=53 LEN=53

29 Iptables rule format /sbin/iptables -A OUTPUT -o lo -p udp -s localhost/32 - -sport 1024:65535 -d localhost/32 - -dport domain -j ACCEPT #domain/udp (O)

30 Live demonstration We'll switch over to a Linux laptop for the demo and rejoin here afterwards.

31 Customization Existing firewall rules Allows administrator to make modifications

32 Starting firewall at boot ntsysv, tksysv, or linuxconf Manually link /etc/rc.d/init.d/firewall

33 Troubleshooting Turn off the firewall, see if the problem persists. Restart the firewall, try test, then run: iptables -L -n -x -v | grep -v '^ *0 *0 ' | less -S to see which rules have matched any packets.

34 Opening packet rules Iptables' stateful nature; use for ESTABLISHED,RELATED. Let Mason build the rules for NEW packets.

35 Potential projects Cisco IOS FreeBSD, OpenBSD and NetBSD - ipfilter http://coombs.anu.edu.au/~avalon/ Other routers and firewalls.

36 Thanks! Linux developers, esp. Rusty Russell Chris Brenton (SANS, Altenet) Steven Northcutt (SANS) ISTS Mason contributors - see the Credits section in the HOWTO.

37 Where to get it Part of some Linux Distributions Debian Krud Redhat Powertools up to 7.0 http://www.stearns.org/mason/ Many other sources

38 References http://www.stearns.org/mason/ http://www.netfilter.org http://www.linuxdoc.org http://www.stearns.org/doc/starting-mason.current.html wstearns@pobox.com Questions?

Download ppt "Automated Firewalls with Mason William Stearns SANS Instructor, proctor, and network administrator"

Similar presentations

BSD Packet Filter (PF) David Liana

BSD Packet Filter (PF) David Liana
Chapter 9: Access Control Lists

Chapter 9: Access Control Lists
Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.

Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.
© 2003 Avik Sengupta. All Rights Reserved. 1 Secure Firewalls using OpenBSD Avik Sengupta CTO Itellix Software Solutions Pvt Ltd.

© 2003 Avik Sengupta. All Rights Reserved. 1 Secure Firewalls using OpenBSD Avik Sengupta CTO Itellix Software Solutions Pvt Ltd.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Security Firewall Firewall design principle. Firewall Characteristics.

Security Firewall Firewall design principle. Firewall Characteristics.
Introduction to ISA 2004 Dana Epp Microsoft Security MVP.

Introduction to ISA 2004 Dana Epp Microsoft Security MVP.
Transparent Caching The art of caching network traffic without requiring user / browser side configuration.

Transparent Caching The art of caching network traffic without requiring user / browser side configuration.
Securing Network using Linux. Lesson Outline Setting up a secure system TCP Wrapper configuration Firewalls in Linux Authentication Systems –NIS –Kerberos.

Securing Network using Linux. Lesson Outline Setting up a secure system TCP Wrapper configuration Firewalls in Linux Authentication Systems –NIS –Kerberos.
Ipchains A packet-filtering Firewalls supported by Linux distributions.

Ipchains A packet-filtering Firewalls supported by Linux distributions.
Security Issues on Distributed Systems 7 August, 1999 S 1 Prepared by : Lorrien K. Y. Lau Student I.D. : 97077200 7 August 1999 The Chinese University.

Security Issues on Distributed Systems 7 August, 1999 S 1 Prepared by : Lorrien K. Y. Lau Student I.D. : August 1999 The Chinese University.
Poor Man’s Firewall A firewall that can be setup and implemented with a minimum amount of time and money.

Poor Man’s Firewall A firewall that can be setup and implemented with a minimum amount of time and money.
System Administration Network Tools. ping Test connectivity / latency (RTT) ICMP echo request/reply Variants ◦ARP ping  Send ARP instead  May also ping.

System Administration Network Tools. ping Test connectivity / latency (RTT) ICMP echo request/reply Variants ◦ARP ping  Send ARP instead  May also ping.
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
NetFilter – IPtables Firewall –Series of rules to govern what Kind of access to allow on your system –Packet filtering –Drop or Accept packets NAT –Network.

NetFilter – IPtables Firewall –Series of rules to govern what Kind of access to allow on your system –Packet filtering –Drop or Accept packets NAT –Network.
07/11/2012 www.eej.ulst.ac.uk/~ian/modules/COM342/COM342_L10.ppt L10/1/63 COM342 Networks and Data Communications Ian McCrumRoom 5B18 Tel: 90 366364 voice.

07/11/ L10/1/63 COM342 Networks and Data Communications Ian McCrumRoom 5B18 Tel: voice.
Packet Filtering and Firewall

Packet Filtering and Firewall
Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.

Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.

Similar presentations

Ads by Google