Poor Man’s Firewall A firewall that can be setup and implemented with a minimum amount of time and money.


1 Poor Man’s Firewall A firewall that can be setup and implemented with a minimum amount of time and money.

2 Why do I need one? A Windows server cannot be secured as it stands. Don’t believe anyone who tells you otherwise. MSSQL server should never be placed directly on the Internet. And yes, some people do have too much time on their hands. Anyone remember the Blaster worm?

3 OSI Model Lower Layers Lower layers provide more primitive network-specific functions like routing, addressing, and flow control. Layer II (Data Link Layer) of the OSI Model. Layer III (Network Layer) of the OSI Model.

4 Switch/Hub (Layer II) Switches and hubs are used to connect various devices to a network. Switches are intelligent: they look at the source and destination of each packet and forward it to the appropriate switch port. Hubs are dumb devices that present a copy of each packet they see to every other port on the device.

5 Bridge (Layer II) A device that can be used to segment Local Area Networks (LANs). They can be used to control the traffic going between two network segments based on Ethernet addresses. They are essentially transparent devices. They can be replaced with a cross-over cable.

6 Router (Layer III) A network device used for connecting different networks together. They are responsible for intelligently routing packets based on IP address.

7 Firewall A firewall filters packets based on a set of filter rules. Packets that pass the rule set are forwarded through the firewall from one network interface to another. Packets that don’t are dropped. Firewalls can be either software or hardware based.

8 Bridging Mode Firewalls A bridge that allows you to filter the packets that pass through its interfaces. Can be placed anywhere in an existing network without disrupting existing services. Transparent to your servers.

9 Linux – Bridging Mode Firewall A software based firewall that uses Linux as the operating system. The software is free. Relatively easy to setup. Can run on old hardware.

10 Software Needed Iptables – Software that filters IP based traffic based on a set of rules. Ebtables – Software that allows Iptables to see the packets as they go through the Bridge interface. Bridge-Utils – Software that allows you to create the bridge.

11 Hardware Needed Any old Pentium based computer, 128MB of RAM, ~1GB hard drive, 2 network cards (minimum).

12 Example Bridge Script
#!/bin/bash
# /etc/rc.d/init.d/bridge
BRCTL=/usr/sbin/brctl
IFCONFIG=/sbin/ifconfig
# $rc_done / $rc_failed follow the SuSE rc.status convention; fall back to plain strings if they are unset
rc_done=${rc_done:-"done"}
rc_failed=${rc_failed:-"failed"}
return=$rc_done

case "$1" in
    start)
        echo "Starting service bridge br0"
        # Create bridge interface
        $BRCTL addbr br0 || return=$rc_failed
        # Turn Spanning Tree Protocol off
        $BRCTL stp br0 off || return=$rc_failed
        # Add interfaces to bridge
        $BRCTL addif br0 eth1 || return=$rc_failed
        $BRCTL addif br0 eth2 || return=$rc_failed
        # Reset to clean state
        $IFCONFIG eth1 down || return=$rc_failed
        $IFCONFIG eth2 down || return=$rc_failed
        # Set interfaces to promiscuous mode with no IP address of their own
        $IFCONFIG eth1 0.0.0.0 promisc || return=$rc_failed
        $IFCONFIG eth2 0.0.0.0 promisc || return=$rc_failed
        # Bring bridge interface up
        $IFCONFIG br0 promisc up || return=$rc_failed
        $BRCTL show
        echo -e "$return"
        ;;
    stop)
        echo "Shutting down service bridge br0"
        $IFCONFIG br0 down || return=$rc_failed
        $BRCTL delif br0 eth1 || return=$rc_failed
        $BRCTL delif br0 eth2 || return=$rc_failed
        $BRCTL delbr br0 || return=$rc_failed
        echo -e "$return"
        ;;
    status)
        $IFCONFIG br0
        $BRCTL show
        ;;
    restart)
        $0 stop && $0 start || return=$rc_failed
        ;;
    *)
        echo "Usage: $0 {start|stop|status|restart}"
        exit 1
esac

test "$return" = "$rc_done" || exit 1
exit 0

13 Example Filter Rules
#!/bin/bash
# Example Firewall Script
IPTABLES="/sbin/iptables -v"
# Any Subnet
ANY=0.0.0.0/0
# ILLIAD Server (placeholder value as given in the slides; it is not a valid IPv4 address, so substitute the real server address)
ILLIAD=128.193.123.456
#### Flush all rules
$IPTABLES -F
# Delete all user created chains
$IPTABLES -X
# Zero all byte counters
$IPTABLES -Z
# Drop all packets without a rule
$IPTABLES -P FORWARD DROP
# loopback interface (loopback traffic never traverses FORWARD, so this rule is harmless but never matches)
$IPTABLES -A FORWARD -i lo -j ACCEPT
# Syn-flood protection: accept at most one SYN per second; SYNs above that rate fall to the DROP policy.
# Note that this matches SYNs from any source to any destination, so it admits new connections
# in both directions at that rate, ahead of the HTTP rules below.
$IPTABLES -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
# Ping of death: accept at most one echo request per second
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# HTTP: new outbound connections from ILLIAD, and the replies back to it
$IPTABLES -A FORWARD -s $ILLIAD -d $ANY -p tcp --dport 80 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -s $ANY -d $ILLIAD -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
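The following script is an added example for slides 10 to 13 and is not part of the presentation. It builds the same kind of FORWARD rule set as the slide above, but with a dry-run mode so the rules can be reviewed on a machine without iptables, an address check that rejects values like the slide's 128.193.123.456, the ESTABLISHED,RELATED return rule, the SYN rate limit scoped to the one rule that needs it instead of every SYN crossing the bridge, and a rate-limited LOG rule so dropped traffic is visible in the kernel log. It assumes eth1 is the outside bridge port and eth2 the inside port (hypothetical names, as in the slides), matches bridge ports with the physdev match, and checks the bridge-nf-call-iptables sysctl, which on current kernels (br_netfilter module) is what lets iptables see bridged frames, the role the slides assign to ebtables.

```shell
#!/bin/sh
# Added example (not the slides' script). FORWARD rules for a Linux bridging
# firewall with a dry-run mode. Assumed bridge ports: eth1 outside, eth2 inside.

IPTABLES=${IPTABLES:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-0}     # DRY_RUN=1 prints each command instead of running it

# ipt ARGS...: run (or, in dry-run mode, print) one iptables command.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# valid_ipv4 ADDR: succeed only for four dotted decimal octets, each 0..255.
# (128.193.123.456 from the slides fails here, as it would in iptables itself.)
valid_ipv4() {
    addr=$1
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# bridge_nf_enabled [PATH]: iptables only sees bridged frames when the kernel's
# bridge-netfilter hook is on (br_netfilter and this sysctl on current kernels;
# the ebtables/bridge-nf patch in the 2.4 era the slides describe).
# PATH is a parameter so the check can be exercised against a test file.
bridge_nf_enabled() {
    f=${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# fw_rules SERVER [OUTSIDE] [INSIDE]: default-deny FORWARD policy, then allow
# only outbound HTTP from SERVER, its replies, rate-limited pings to it, and
# log whatever falls through to the DROP policy.
fw_rules() {
    server=$1; outside=${2:-eth1}; inside=${3:-eth2}
    valid_ipv4 "$server" || { echo "fw_rules: bad IPv4 address: $server" >&2; return 1; }

    ipt -F FORWARD
    ipt -Z FORWARD
    ipt -P FORWARD DROP

    # Replies and related ICMP errors for connections the server opened
    ipt -A FORWARD -m physdev --physdev-in "$outside" --physdev-out "$inside" \
        -d "$server" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New outbound HTTP from the server only; the SYN rate limit applies to
    # this rule alone rather than to every SYN crossing the bridge
    ipt -A FORWARD -m physdev --physdev-in "$inside" --physdev-out "$outside" \
        -s "$server" -p tcp --dport 80 --syn -m state --state NEW \
        -m limit --limit 1/s --limit-burst 5 -j ACCEPT

    # Inbound pings to the server, rate-limited
    ipt -A FORWARD -m physdev --physdev-in "$outside" -d "$server" \
        -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

    # Everything else: log at a bounded rate, then the DROP policy applies
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP:"
}

# Usage: DRY_RUN=1 sh firewall.sh 192.0.2.10   (192.0.2.10 is a constructed address)
if [ -n "$1" ]; then
    bridge_nf_enabled || echo "warning: bridge-nf-call-iptables is not 1; bridged frames bypass iptables" >&2
    fw_rules "$@"
fi
```

Run it with DRY_RUN=1 first and read the printed commands; the warning about bridge-nf-call-iptables is the check worth keeping, since a bridge whose frames bypass iptables forwards everything regardless of how good the rule set is.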

14 Useful Application Ethereal – A powerful network protocol/packet analyzer that can be used to aid in the development of your filter rules.

15 Resources Linux bridging how-to http://bridge.sourceforge.net Ebtables http://ebtables.sourceforge.net Ethereal http://www.ethereal.com/
