Presentation transcript: "Firewalls"

1 Firewalls
A device that screens incoming and outgoing network traffic and allows or disallows traffic based on a set of rules.
The "device":
– Needs at least two NICs to be a "true" (routing) firewall; a host firewall with one NIC protects only that host.
– The OS running the firewall needs to be hardened: unneeded services removed, patches current, minimal accounts.
– Such a hardened host exposed to the untrusted side is sometimes called a bastion host.
The "network traffic" is the packets of data between a trusted network and an untrusted network:
– Trusted: your LAN
– Untrusted: the internet

2 Firewall Rules
There are 4 types of firewalls.
– Packet-Filtering
  Works on the network layer (IP, ICMP, IGMP) and reads the transport header for ports.
  Looks at the source address, destination address, protocol and port (service) fields of each packet.
  If the packet doesn't adhere to the set of rules it can be dropped or rejected:
    – Dropped: delete the packet and send nothing to the sender (the sender sees a timeout)
    – Rejected (called "denied" on the original slide): delete the packet but send an ICMP error, or a TCP reset, back to the sender
  Each packet is judged on its own; the filter keeps no memory of earlier packets and does not reassemble a stream before applying a rule.
  FAST, and quite secure if configured correctly.
    – Rule sets tend to "drift" open over time as exceptions are added and never removed; audit them regularly.
  Subject to address spoofing: a stateless filter that lets "ACK packets" in so that replies can return cannot tell a forged ACK from a real one.

3 Firewall Rules
There are 4 types of firewalls.
– Stateful-Inspection
  Works at the network and transport layers like a packet filter, but with memory.
  It adds connection state to the rules: a table of live connections keyed by protocol, source and destination address, and port.
  State keeps track of TCP connections (and pseudo-connections, with timeouts, for UDP and ICMP):
    – Adds an entry when a connection is opened in a permitted direction, e.g. from the inside
    – Removes the entry when the TCP connection is closed, or when it times out
  Return packets are then accepted because they match an existing entry, not because a static "allow ACKs" rule exists, which closes the spoofing hole of the plain packet filter.
  The firewall reassembles IP fragments so that a rule sees whole packets; reassembling the full application message is the proxy's job (below), although helper modules (FTP, SIP) do peek into the payload to track related connections.
  Slower than pure packet filtering because of the defragmentation and the connection-table lookup, but still far faster than a proxy.

4 Firewall Rules
There are 4 types of firewalls.
– Proxy-Based (application-level gateway)
  A connection to the internet is always handled by an intermediary, the proxy server.
  The client connects to the proxy server, which then opens its own connection to the actual server.
  No direct connection takes place between a machine inside the network and one outside; the proxy connects on our behalf, so internal addresses are never seen by the outside server.
  Because it speaks the application protocol (HTTP, FTP, SMTP), it can enforce rules on URLs, methods or commands, not just addresses and ports.
  Slower, because every connection is terminated, inspected and re-originated (store and forward).
  Easy to identify from outside: the proxy host itself listens on a port for each proxied service.
  It can cache data and serve it directly without contacting the actual server.

5 Firewall Rules
There are 4 types of firewalls.
– Circuit-Level (Virtual Private Network)
  Strictly, a circuit-level gateway relays TCP connections (SOCKS is the classic example) without looking at the application data; the slides use the term for the VPN case, where the relayed circuit is an encrypted tunnel.
  When data is routed to the other network it is
    – encrypted,
    – sent across the untrusted network to the other gateway,
    – decrypted,
    – and delivered inside that network to the correct machine.
  Connects two secure networks via the insecure internet.
  All communication between the two sites takes place through the VPN; no other traffic is allowed to pass.
  Usually used between two office sites.
  Can be used with telecommuters:
    – Problem: the home machine may not be secure.
    – A VPN assumes the remote network is as trustworthy as the local one.
    – An attacker who compromises the remote machine reaches the corporate network through the tunnel, so treat remote endpoints as untrusted: host firewall, patching, and only the access through the tunnel that the user actually needs.

6 Network Address Translation (NAT)
Many firewalls also provide network address translation (NAT).
On one side of the firewall is a public (routable) IP address; on the other is an internal, private address scheme (RFC 1918 ranges such as 192.168.0.0/16).
NAT rewrites the IP header (and, for port-based NAT, the TCP/UDP port) as a packet passes through the firewall, replacing the internal address with the public one and recomputing the checksums; it keeps a translation table so that replies are mapped back to the internal host.
It can also open a standard port on the public address and forward packets it receives there to an internal machine, optionally on a different port (port forwarding, DNAT in iptables terms).
NAT hides internal addresses but is not a filtering control by itself: filter rules are still needed for the forwarded traffic.

7 Firewall Architecture
Single-Homed
– The firewall host has one NIC.
– The firewall is actually just software on that host.
– It sits between the NIC and the packet generating/receiving software (the network stack and the applications).
– Lets packets pass to/from the applications if the rules are met.
– Difficult to manage with more than just a few hosts, because every host carries its own rule set.
– Usually used on home systems, and as a host firewall on servers behind a network firewall.
– Can be used to do application firewalling, since the host knows which local program owns each socket.

8 Firewall Architecture
Dual-Homed
– The firewall has two NICs.
– One connected to the trusted network, one to the untrusted network.
– Packets are passed from one NIC to the other only if the rules are met (the host must not route anything the rules did not accept).
– Well-known services (web, mail, DNS) sit inside your trusted network; if one of them is compromised the attacker is already inside.
– Used where money is an issue, or where no well-known services are being provided to the outside.

9 Firewall Architecture
Segmented (single firewall)
– The firewall has 3 NICs.
– One connected to the trusted network, one to the untrusted network, and one to a network of machines providing well-known services.
– The network providing the well-known services is called the Demilitarized Zone (DMZ).
– If the firewall is configured correctly (no rule allows a new connection from the DMZ into the trusted network), a compromised DMZ machine still cannot reach the internal network.
– Still leaves one system, the firewall itself, to compromise to gain access to the trusted network.

10 Firewall Architecture
Segmented (multiple firewalls)
– At least 2 firewalls.
– The outer firewall connects the untrusted network to the DMZ.
– The inner firewall connects the DMZ to the trusted network.
– Two devices, ideally from different vendors, now have to be compromised to reach the trusted network; a flaw in one product does not open both.
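A FORWARD rule set for the three-NIC segmented design of slide 9, written as an added example (this is not code from the slides). The interface names (eth0 untrusted, eth1 DMZ, eth2 trusted), the address ranges and the web server address are assumptions chosen from the RFC 1918 and RFC 5737 documentation ranges. The point of the example is the zone policy: the only new connections allowed into the DMZ come from outside to the published ports or from the LAN for administration, and nothing new ever leaves the DMZ towards the LAN, so a compromised DMZ host has no path inward. Run with `IPT=echo sh dmz.sh apply` to print the rules instead of loading them.

```shell
#!/bin/sh
# Three-NIC segmented firewall (slide 9). Assumed layout:
#   eth0 = untrusted (internet), eth1 = DMZ, eth2 = trusted LAN
# IPT=echo ./dmz.sh apply   prints the iptables commands instead of running them.
IPT="${IPT:-iptables}"
DMZ_NET="192.0.2.0/24"      # assumed DMZ range (RFC 5737 documentation prefix)
LAN_NET="192.168.10.0/24"   # assumed trusted LAN range (RFC 1918)
WEB="192.0.2.10"            # assumed DMZ web server

dmz_rules() {
    # Nothing crosses the firewall unless a rule below says so.
    $IPT -t filter -P FORWARD DROP

    # Return traffic for connections already allowed, in every direction.
    # (-m conntrack --ctstate is the modern spelling of -m state --state.)
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Internet -> DMZ: only the published services, only new connections.
    $IPT -A FORWARD -i eth0 -o eth1 -d "$WEB" -p tcp -m multiport --dports 80,443 \
         -m state --state NEW -j ACCEPT

    # Trusted LAN -> DMZ: administrators may reach DMZ hosts over SSH and HTTPS.
    $IPT -A FORWARD -i eth2 -o eth1 -s "$LAN_NET" -d "$DMZ_NET" -p tcp \
         -m multiport --dports 22,443 -m state --state NEW -j ACCEPT

    # Trusted LAN -> Internet: outbound allowed.
    $IPT -A FORWARD -i eth2 -o eth0 -s "$LAN_NET" -m state --state NEW -j ACCEPT

    # DMZ -> Internet: only DNS, so the web server can resolve names.
    $IPT -A FORWARD -i eth1 -o eth0 -s "$DMZ_NET" -p udp --dport 53 -m state --state NEW -j ACCEPT

    # DMZ -> trusted LAN: never. An explicit, logged DROP before the policy keeps
    # the intent visible in `iptables -L FORWARD` and catches a later rule drifting in.
    $IPT -A FORWARD -i eth1 -o eth2 -m limit --limit 5/min -j LOG --log-prefix "FW dmz-to-lan: "
    $IPT -A FORWARD -i eth1 -o eth2 -j DROP

    # Anything else falls through to the FORWARD DROP policy; log it first.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW forward default: "
}

if [ "${1:-}" = "apply" ]; then
    dmz_rules
fi
```

The ESTABLISHED,RELATED rule sits first so that every reply is accepted by the connection table rather than by a per-direction rule; the per-zone rules only ever match NEW, which is what keeps the DMZ-to-LAN direction closed even though LAN-to-DMZ is open.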

11 [Network diagram, text only recoverable: segments 150.1.1, 150.2.2, 150.3.3, 150.4.4, 150.5.5; interface addresses 150.4.4.1, 150.5.5.1 and 148.61.162.181]

12 IP Tables
iptables is the built-in firewall on Linux.
It is part of the kernel (at least it has kernel modules).
– The kernel portion is called Netfilter; iptables is the user-space command that manipulates its rules.
iptables handles IPv4 only: TCP, UDP, ICMP, IGMP and anything else carried in an IPv4 packet. IPv6 is handled by ip6tables, ARP by arptables and bridged Ethernet frames by ebtables; it doesn't handle AppleTalk, IPX, NetBIOS frames, etc.
– Make sure your kernel does not accept any protocol family the firewall cannot filter (disable it, or filter it with the matching tool).
– Make sure the kernel's fast-switching option (fastroute on old kernels) is not enabled, as it routes packets at a lower level than Netfilter, bypassing the firewall altogether.
The iptables command manipulates the firewall rules. They live only in kernel memory: save them with iptables-save and reload them with iptables-restore at boot.

13 IP Tables
There are three commonly used tables within iptables: filter, nat and mangle (newer kernels add raw and security).
– A packet passes through the chains of every table that has a chain at the point it has reached, so the same packet is typically seen by the nat table and then by the filter table.
Each table has chains associated with it.
– Within the filter table a packet is evaluated by ONLY ONE chain: INPUT, OUTPUT or FORWARD.
– Every rule in the chain is tried in order until a rule with a terminating target matches or there are no more rules; then the chain's default policy applies.

14 IP Tables - Tables
Filter table
– The basic packet-filter and stateful-inspection filter (stateful through the state or conntrack match).
– There are 3 built-in chains inside the table:
  INPUT: evaluated ONLY if the packet's destination is the local machine.
  OUTPUT: evaluated ONLY if the packet's source is the local machine.
  FORWARD: evaluated if the packet is being routed through the machine (requires net.ipv4.ip_forward=1).

15 IP Tables - Tables
Nat table
– Performs network address translation.
– Only the first packet of each connection is evaluated here; the translation it chooses is recorded by connection tracking and applied to the rest of the connection, in both directions, automatically.
– It also has 3 built-in chains:
  PREROUTING: alters packets as soon as they come in, before the routing decision; used for DNAT (port forwarding) of packets arriving from the unsecured network.
  POSTROUTING: alters packets just before they leave, after the routing decision; used for SNAT or MASQUERADE of packets originating from the secure network.
  OUTPUT: alters locally generated packets before routing (DNAT for the host's own connections).

16 Table/Chain Order
For a packet not generated by the computer:
  incoming packet -> PREROUTING (nat) -> routing decision
    -> INPUT (filter) -> local process                 (destination is this computer)
    -> FORWARD (filter) -> POSTROUTING (nat) -> out    (destination is elsewhere)

17 Table/Chain Order
For a packet generated by the computer:
  local process -> OUTPUT (nat) -> OUTPUT (filter) -> POSTROUTING (nat) -> out
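A way to watch the traversal order of slides 16 and 17 on a real host, added here as an example (not from the slides): one LOG rule inserted at the top of each chain, each with a numbered prefix, rate-limited so a port scan cannot flood the kernel log. With the rules loaded, send a packet to the host and one through it and follow `journalctl -k -f` (or /var/log/kern.log): the prefixes appear in the order the chains were traversed. The nat prefixes show up only once per connection, because the nat chains see the first packet only, while the filter prefixes appear for every packet. The prefixes and the limit values are assumptions of this example.

```shell
#!/bin/sh
# Trace chain traversal with one LOG rule per chain (added example, not from the slides).
# IPT=echo sh trace.sh   prints the commands; run as root without IPT to load them.
IPT="${IPT:-iptables}"
LIMIT="-m limit --limit 3/second --limit-burst 10"   # keep a scan from flooding the log

trace_rules() {
    # -I ... 1 puts each LOG first, so it fires before any existing rule can
    # terminate the chain. The prefix numbers follow slides 16 and 17.
    $IPT -t nat    -I PREROUTING  1 $LIMIT -j LOG --log-prefix "1 nat/PREROUTING: "
    $IPT -t filter -I INPUT       1 $LIMIT -j LOG --log-prefix "2a filter/INPUT: "
    $IPT -t filter -I FORWARD     1 $LIMIT -j LOG --log-prefix "2b filter/FORWARD: "
    $IPT -t nat    -I OUTPUT      1 $LIMIT -j LOG --log-prefix "3 nat/OUTPUT: "
    $IPT -t filter -I OUTPUT      1 $LIMIT -j LOG --log-prefix "4 filter/OUTPUT: "
    $IPT -t nat    -I POSTROUTING 1 $LIMIT -j LOG --log-prefix "5 nat/POSTROUTING: "
}

untrace_rules() {
    # Deleting by rule specification (slide 21) removes exactly the rules above,
    # whatever position they have drifted to since.
    $IPT -t nat    -D PREROUTING  $LIMIT -j LOG --log-prefix "1 nat/PREROUTING: "
    $IPT -t filter -D INPUT       $LIMIT -j LOG --log-prefix "2a filter/INPUT: "
    $IPT -t filter -D FORWARD     $LIMIT -j LOG --log-prefix "2b filter/FORWARD: "
    $IPT -t nat    -D OUTPUT      $LIMIT -j LOG --log-prefix "3 nat/OUTPUT: "
    $IPT -t filter -D OUTPUT      $LIMIT -j LOG --log-prefix "4 filter/OUTPUT: "
    $IPT -t nat    -D POSTROUTING $LIMIT -j LOG --log-prefix "5 nat/POSTROUTING: "
}

case "${1:-}" in
    on)  trace_rules ;;
    off) untrace_rules ;;
esac
```

For a per-rule trace rather than a per-chain one, the raw table's TRACE target (`iptables -t raw -A PREROUTING -p tcp --dport 80 -j TRACE`) logs every rule a marked packet hits; the LOG approach above needs no extra modules and is enough to confirm the order on the slides.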

18 IP Tables – Rules
Chains are made of rules.
Rules are the tests each packet must pass to determine the packet's outcome.
Think of the rules as a series of if/then statements: if the packet matches, then jump to the target.
Order of the rules matters: the first matching rule with a terminating target decides.
Generally the more specific rules are at the top and the more general rules are at the bottom.
Each built-in chain has a default policy, which is the catch-all applied when no rule above caught the packet.

19 IP Tables – Commands
Default Policy
– iptables [-t table] -P chain target
  Where table is filter, nat, or mangle (filter is the default).
  chain is INPUT, OUTPUT, FORWARD, PREROUTING or POSTROUTING (the chain must exist in that table; user-defined chains have no policy).
  target is ACCEPT or DROP.
– It is generally accepted practice to DROP anything that is not explicitly accepted by the rule set.
– You should also log any packet that reaches the default policy (a rate-limited LOG rule as the last rule in the chain).
– When working over the network, add the ACCEPT rules before switching a policy to DROP, or the session you are typing in is cut off.
– Example: iptables -t filter -P INPUT DROP

20 IP Tables – Commands
Listing rules
iptables [-t filter] -L [chain] [options]
– If the chain is not specified all the chains are displayed.
– Options include:
  -v              more verbose output (packet and byte counters, interfaces)
  -n              numeric addresses and ports, no DNS or /etc/services lookups (much faster)
  --line-numbers  display the rule number next to each rule, for use with -D and -I
– Example: iptables -t filter -L INPUT --line-numbers
– iptables -S [chain] prints the same rules in the form of the commands that would recreate them.

21 IP Tables – Commands
Removing all rules from a chain (flush)
  iptables [-t filter] -F [chain]
  Without a chain, every chain in the table is flushed. The policies are not changed by -F.
Delete one rule from a chain
  iptables [-t filter] -D chain rule_number
  iptables [-t filter] -D chain rule          (by specification, written exactly as it was added)
  rule_number is the position of the rule in the chain, counting from 1.
Insert a rule in a chain
  iptables [-t filter] -I chain [rule_number] rule
  If rule_number is specified, the rule is inserted at that position. If it is not given the rule is inserted at the top of the rule set (position 1).

22 IP Tables – Commands
Append a rule to the chain
  iptables [-t filter] -A chain rule
  Adds the rule to the end of the rule set, i.e. it is consulted last, just before the default policy.
Zero the packet/byte counters
  iptables [-t filter] -Z [chain]

23 IP Tables - Protocol Rules
Most arguments to the rules take a "!" in front of them to invert the condition (e.g. ! -p tcp).
-p tcp|udp|icmp|all
– Match a packet with the protocol as stated.
– -p takes a single protocol, by name or number (from /etc/protocols); it does not take a comma-separated list.
The -p tcp and -p udp major rules take sub-rules:
  --destination-port port or --dport port
  --source-port port or --sport port
  where port is a number or a service name (from /etc/services), or a range written as first:last.
Several individual ports in one rule need the multiport match: -m multiport --dports 80,443,8080

24 IP Tables – Source/Destination Rules
-s address  -d address
– Matches a packet with the source or destination set to the address.
– The address can be a host, a network with a mask (192.168.10.0/24 or 192.168.10.0/255.255.255.0), or a hostname (resolved only once, when the rule is added, so avoid it).
– A comma-separated list is accepted and is expanded into one rule per address.
– A range written with "-" between the start and end addresses needs the iprange match: -m iprange --src-range 192.168.10.10-192.168.10.20 (or --dst-range).

25 IP Tables – icmp Rules
The -p icmp major rule takes --icmp-type type, where type is an ICMP type name or number (e.g. echo-request or 8).
The types can be listed using the command: iptables -p icmp -h

26 IP Tables – Interface Rules
-i interface  -o interface
– Matches a packet that came in on, or is going out of, a particular interface (eth0, lo, ppp0).
– Takes one interface name. Adding a suffix of "+" matches all interfaces that start with the name, i.e. eth+ matches eth0, eth1, eth2, ...
– A packet delivered to the local host has no outgoing interface yet, so -i is only valid in the INPUT, FORWARD and PREROUTING chains.
– Likewise -o is only valid in the OUTPUT, FORWARD and POSTROUTING chains.

27 IP Tables – State Rules
-m state --state NEW|ESTABLISHED|RELATED|INVALID   (a comma-separated list is allowed; -m conntrack --ctstate is the modern equivalent)
NEW: the first packet of a connection that connection tracking has not seen before. For TCP this is usually the SYN, but any unseen TCP packet counts as NEW; add --syn to the rule to insist on a real connection start.
ESTABLISHED: the packet belongs to a connection that has already seen packets in both directions (from the SYN-ACK onwards for TCP; UDP and ICMP echo get a pseudo-connection with a timeout).
RELATED: the packet starts a new connection that is associated with an existing one, e.g. an FTP data connection, or an ICMP error that refers to an existing connection.
INVALID: the packet cannot be associated with any connection, e.g. a TCP flag combination or sequence number that makes no sense for the tracked state; normally dropped.

28 IP Tables – Targets
Targets are the "then" section of the rule. They determine what happens to a packet if the packet matches the rule.
Argument: -j target
The target can be ACCEPT, DROP, LOG, REJECT, MIRROR, SNAT, DNAT, MASQUERADE, RETURN or the name of a user-defined chain.
ACCEPT, DROP, REJECT, SNAT and DNAT terminate the chain; LOG does not, and the packet continues down the chain after it.
ACCEPT: accept the packet and pass it on (to the application for INPUT, onto the wire for OUTPUT and FORWARD).
DROP: discard the packet. The source of the packet is not notified of the failure.

29 IP Tables – Targets
LOG: logs much of the header info to the kernel log (syslog, or journalctl -k).
– A useful sub-option is --log-prefix prefix, which adds the prefix to each log line and makes it easier to find in the system logs (and to route with the syslog daemon).
– The LOG target logs and then continues down the chain, so put the DROP or REJECT rule after it.
– Combine it with -m limit --limit 5/min so that a port scan cannot fill the disk.

30 IP Tables – Targets
REJECT: discards the packet but also sends an error back to the source of the packet.
– Valid only in the INPUT, OUTPUT and FORWARD chains (and in user chains called from them).
– Takes the sub-option --reject-with type.
– type can be: icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited and, if the packet is a TCP packet, tcp-reset.
– icmp-port-unreachable is the default.
– REJECT is friendlier to your own users (an immediate error instead of a timeout); DROP gives an outside scanner less information.

31 IP Tables – Targets
MIRROR: swaps the source and destination addresses and sends the packet back to the source.
– Only valid in the INPUT, FORWARD and PREROUTING chains.
– The outgoing packet from this rule is not evaluated by the filter or nat table, nor by any rule using the state match.
– Use with caution: you may be attacking an innocent machine (one hacked by someone else, or a spoofed source address).
– The target is obsolete and was removed from modern kernels; it is listed for completeness only.

32 IP Tables – Targets
SNAT --to-source address[:port-range]
– Valid only in the nat table, POSTROUTING chain.
– Rewrites the source address of the packet to the address specified.
– Once the first packet of a connection is SNATed, connection tracking rewrites the destination address of the returning packets back to the original source address of the first packet.
– The address may be a range (a.b.c.d-a.b.c.e) to give a simple distribution across multiple addresses.
– State is implied: SNAT depends on connection tracking, and no separate rule is needed for the replies.
– Use MASQUERADE instead when the outgoing interface has a dynamic address; it translates to whatever address the interface currently has.

33 IP Tables – Targets
DNAT --to-destination address[:port]
– Valid only in the nat table, PREROUTING and OUTPUT chains.
– Functions like SNAT but rewrites the destination address (and optionally the port), which is how a port on the public address is forwarded to an internal machine.
– If a range of addresses is given, basic load sharing across them is achieved.
– The filter FORWARD chain sees the packet after DNAT, so its rules must match the translated (internal) address and port, not the public ones.
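The NAT of slides 6, 15, 32 and 33 on a dual-homed firewall, as an added example (not code from the slides): SNAT for the LAN going out, DNAT forwarding a public port to an internal server, and the filter rules without which the translated traffic would still be dropped. The interface names (eth0 public, eth1 private), the public address and the internal addresses are assumptions taken from the RFC 5737 and RFC 1918 documentation ranges.

```shell
#!/bin/sh
# NAT on a dual-homed firewall (added example). Assumed layout:
#   eth0 = public side with address PUBLIC_IP, eth1 = private LAN
# IPT=echo sh nat.sh apply   prints the commands instead of loading them.
IPT="${IPT:-iptables}"
PUBLIC_IP="198.51.100.7"     # assumed public address on eth0 (RFC 5737)
LAN_NET="192.168.10.0/24"    # assumed private LAN (RFC 1918)
INTRANET="192.168.10.20"     # assumed internal web server to be published

nat_rules() {
    # Source NAT: LAN hosts leave with the firewall's public address. Connection
    # tracking records the mapping, so replies are translated back without a rule.
    $IPT -t nat -A POSTROUTING -o eth0 -s "$LAN_NET" -j SNAT --to-source "$PUBLIC_IP"
    # With a dynamic (DHCP/PPP) address, use MASQUERADE instead of SNAT:
    #   $IPT -t nat -A POSTROUTING -o eth0 -s "$LAN_NET" -j MASQUERADE

    # Destination NAT (port forward): public port 8080 -> internal server, port 80.
    $IPT -t nat -A PREROUTING -i eth0 -d "$PUBLIC_IP" -p tcp --dport 8080 \
         -j DNAT --to-destination "$INTRANET:80"

    # NAT only rewrites addresses; the filter table still has to allow the flow.
    # FORWARD runs after PREROUTING, so it must match the *translated* destination
    # (internal address, port 80), not the public address and port 8080.
    $IPT -t filter -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i eth0 -o eth1 -d "$INTRANET" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i eth1 -o eth0 -s "$LAN_NET" -m state --state NEW -j ACCEPT
}

enable_forwarding() {
    # A Linux host does not route between its interfaces until this is on.
    sysctl -w net.ipv4.ip_forward=1
}

if [ "${1:-}" = "apply" ]; then
    enable_forwarding
    nat_rules
fi
```

The common mistake this guards against is writing the FORWARD rule for `-d 198.51.100.7 --dport 8080`: that rule never matches, because by the time the packet reaches FORWARD its destination is already 192.168.10.20:80, and the forwarded connection is silently dropped by the policy.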

34 Example
A server runs a web server on port 80. The server has a single-homed firewall. What rules need to be added to allow outside machines to access the web server? No other services should be made available, and the server should not be able to initiate connections to any outside service.

35 Example
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -j LOG --log-prefix "iptables INPUT rule default"
iptables -t filter -A OUTPUT -j LOG --log-prefix "iptables OUTPUT rule default"
How it works: inbound TCP to port 80 is accepted; the replies leave with source port 80 and match the ESTABLISHED rule; everything else in either direction reaches the LOG rule and then falls to the DROP policy. Because the replies are matched by state and not by a static "allow source port 80" rule, a program on the server cannot get out simply by binding its own connection to source port 80.
Caveats: there is no rule for SSH, so apply this from the console, not over the network (and note that the policies are set before the ACCEPT rules); loopback traffic is dropped too, which breaks local services that talk to 127.0.0.1; the INPUT rule accepts any TCP packet to port 80, not just connection starts; and an unlimited LOG rule lets a scanner fill the log.
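A hardened form of the slide 35 rule set, added here as an example (not the slides' own code), using the commands of slides 19 to 22: loopback is allowed, INVALID packets are dropped, only SYN packets open a connection to port 80, the LOG rules are rate-limited, FORWARD is closed as well, and the ACCEPT rules are loaded before the policies switch to DROP so that a remote administrator is not cut off. The SSH rule and its admin network are an assumption for a remotely managed box; delete that line to match the slide's "no other services" requirement exactly.

```shell
#!/bin/sh
# Hardened version of the slide 35 web server rule set (added example).
# IPT=echo sh web.sh apply   prints the commands instead of loading them.
IPT="${IPT:-iptables}"
ADMIN_NET="192.168.10.0/24"   # assumption: where SSH administration comes from
LOGLIM="-m limit --limit 5/min --limit-burst 20"   # keep a scan from filling the log

web_server_rules() {
    # 1. Start from a clean filter table (policies are not touched by -F).
    $IPT -t filter -F
    $IPT -t filter -X

    # 2. Always-allowed traffic first: loopback, and replies to accepted connections.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT  -m state --state INVALID -j DROP

    # 3. Services: the web server for everyone; SSH only from the admin network.
    #    --syn makes sure a bare ACK or FIN to port 80 cannot open a "connection".
    $IPT -A INPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
    $IPT -A INPUT -s "$ADMIN_NET" -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT

    # 4. Log what is about to hit the default policy; LOG does not terminate the chain.
    $IPT -A INPUT   $LOGLIM -j LOG --log-prefix "iptables INPUT default: "
    $IPT -A OUTPUT  $LOGLIM -j LOG --log-prefix "iptables OUTPUT default: "
    $IPT -A FORWARD $LOGLIM -j LOG --log-prefix "iptables FORWARD default: "

    # 5. Policies last, once the ACCEPT rules above are in place. OUTPUT DROP means
    #    the server cannot start connections (no DNS, no updates), as the exercise asks.
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P OUTPUT DROP
    $IPT -t filter -P FORWARD DROP
}

if [ "${1:-}" = "apply" ]; then
    web_server_rules
fi
```

No OUTPUT rule mentions port 80 at all: the replies of the web server are ESTABLISHED traffic and are accepted by the state rule, which is the property the original slide relied on and which also covers the SSH session's replies.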

