
Firewalls
What they do.
How they work.
cs490ns - cotter
Outline
• What is a firewall?
• Architectures
– Stand Alone / application / proxy
– Personal / host based
– Gateway / packet filters
– Enterprise / hardware
• Roles
– Bastion
– DMZ
• Packet Filtering concepts
– IPTables
– Stateful filtering
• Packet Forwarding
• Ethernet bridge
What is a Firewall?
• A hardware or software device that monitors (and
controls ?) the transmission of packets that attempt to
pass through the perimeter of a network (or host).
• Provide 2 basic security functions
– Packet Filtering
– Application Proxy gateways
• Additional security features
– Log unauthorized (and authorized ?) access attempts
– Provide VPN Connections
– Support user authentication
– Shield internal machines from outside view
What should a firewall do?
• Control the flow of packets to/from Internet
• Block external login as root (?)
• Must distinguish between local and
Internet packets (even spoofed addresses)
• Support limited user accounts
• Log all system activities
Types of Firewalls
• Stand Alone / application / proxy
• Enterprise / Local
• Hardware / Software
• Gateway / router / packet filter
• Personal / host based
– Windows firewall – incoming protection
– ZoneAlarm, Linux, etc. – incoming / outgoing filter
Types of Firewalls
[Figure: Internet – router / packet filter – stateful firewall – corporate network, with an application proxy and a host-based firewall shown inside the corporate network]
Standalone Proxy Firewalls
Application Gateways
• Intended to buffer the interface between
an internal application and the Internet
– Web Servers
– Mail Servers
– File Transfer
• Controls flow of packets into and out of
local network
– Limit access to specific web sites
– Cache results for use by other internal hosts
– Hide internal IP addresses from network view
Enterprise Firewalls
• Intended to support larger traffic volumes
• Provides more sophisticated support
– Stateful filtering, etc.
• Software
– Check Point FireWall-1, Microsoft ISA, Symantec Enterprise Firewall, etc.
• Hardware
– Cisco PIX, SonicWall, Watchguard, etc.
• Expensive!
Gateway / Packet Filter
• May be embedded in sophisticated routers
• May be used for SOHO networks
– May be incorporated into small SOHO routers
– May be incorporated into a gateway host
(Linux ?)
• Provides the ability to monitor and control
packets through the gateway / router.
– Generally support in / out / through filtering
– May not include stateful filtering capabilities
Host-based Firewalls
• Intended as a last line of defense for the
host computer
• Runs as a background process on host
– Limited bandwidth available
– Generally supports incoming port filtering
– Can specify which ports (if any) can support
incoming connection requests.
– Occasionally supports outgoing filtering
(looking for worms, trojans, etc.)
Firewall Roles
• Bastion Hosts
– Hardened systems that typically run a firewall
and perhaps an application as well
• DMZ – demilitarized zone
– An isolated subnetwork that includes all
services that are offered over the internet (and
perhaps to the internal network as well).
Bastion Firewall and Host
[Figure: Internet – Firewall – LAN, with the Web Server on the bastion host]
DMZ
[Figure: Internet – DMZ (Web, E-mail servers) – LAN]
What is Packet Filtering?
• The process of deciding which packets to allow
through the filter, based on attributes of the
packet
– Source / Destination Port
– Source / Destination IP Address
– Status flags in the packet (syn)
– Originating protocol (icmp, tcp, etc.)
– Connection state (tcp)
• Linux (2.4+) filters packets in the kernel's Netfilter framework, which is administered with the iptables tool
How does Packet Filtering
Work?
• Define rules to allow or block specific types of
packets
• Firewall screens all packet headers to look for
matches against the rules
• Apply rules in the order in which they are stored
• Allow or block packets based on rule matches.
• If a packet matches no rules, apply default
behavior to the packet (usually deny).
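The rule-evaluation steps above as a runnable model, added here as an example and not code from the slides. It implements the filter-table semantics in Python (rules checked in stored order, first match wins, LOG is non-terminating, a packet matching no rule gets the chain's default policy) together with a minimal connection tracker supplying the NEW / ESTABLISHED state that the `-m state` rules on the later slides test. The chain, rule set, interface names (eth1 Internet side, eth0 LAN side) and sample packets are constructed for the illustration; addresses come from the RFC 5737 documentation ranges.

```python
"""First-match packet filter modelled on the netfilter filter table (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    iface: str = "eth1"        # interface the packet arrived on (-i); eth1 = Internet side


@dataclass
class Rule:
    target: str                              # ACCEPT, DROP, REJECT or LOG
    proto: Optional[str] = None              # -p
    src: Optional[str] = None                # -s, CIDR
    dport: Optional[Tuple[int, int]] = None  # --dport lo:hi (inclusive)
    iface: Optional[str] = None              # -i
    negate_iface: bool = False               # "! -i"
    state: Optional[Set[str]] = None         # -m state --state ...

    def matches(self, pkt: Packet, ct_state: str) -> bool:
        if self.proto and pkt.proto != self.proto:
            return False
        if self.src and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dport and not (self.dport[0] <= pkt.dport <= self.dport[1]):
            return False
        if self.iface and (pkt.iface == self.iface) == self.negate_iface:
            return False
        if self.state and ct_state not in self.state:
            return False
        return True


class ConnTracker:
    """Remembers accepted 5-tuples; any packet of a known flow (either direction) is ESTABLISHED."""
    def __init__(self) -> None:
        self.flows: Set[tuple] = set()

    def state_of(self, p: Packet) -> str:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        return "ESTABLISHED" if fwd in self.flows or rev in self.flows else "NEW"

    def confirm(self, p: Packet) -> None:
        self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))


class Chain:
    def __init__(self, name: str, policy: str = "DROP") -> None:
        self.name, self.policy, self.rules, self.log = name, policy, [], []

    def append(self, rule: Rule) -> None:            # iptables -A
        self.rules.append(rule)

    def insert(self, pos: int, rule: Rule) -> None:  # iptables -I chain <pos>, 1-based
        self.rules.insert(pos - 1, rule)

    def verdict(self, pkt: Packet, ct: ConnTracker) -> str:
        state = ct.state_of(pkt)
        for n, rule in enumerate(self.rules, 1):     # rules are applied in stored order
            if not rule.matches(pkt, state):
                continue
            if rule.target == "LOG":                  # non-terminating: record and keep going
                self.log.append(f"rule {n} {state} {pkt.proto} {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}")
                continue
            if rule.target == "ACCEPT":
                ct.confirm(pkt)                        # later packets of this flow are ESTABLISHED
            return rule.target                         # first terminating match decides
        return self.policy                             # nothing matched: default policy


def build_input_chain() -> Chain:
    """INPUT chain in the spirit of the 'Example Filter Rules' slides (constructed)."""
    c = Chain("INPUT", policy="DROP")                                        # iptables -P INPUT DROP
    c.append(Rule("ACCEPT", iface="lo"))                                     # -i lo
    c.append(Rule("ACCEPT", state={"ESTABLISHED", "RELATED"}))               # replies to accepted flows
    c.append(Rule("ACCEPT", state={"NEW"}, iface="eth1", negate_iface=True)) # ! -i eth1: LAN may open anything
    c.append(Rule("ACCEPT", proto="tcp", dport=(22, 22), src="203.0.113.0/24", state={"NEW"}))  # SSH from admin net
    c.append(Rule("LOG", proto="tcp", dport=(6000, 6003), iface="eth1"))     # X11 probes: log ...
    c.append(Rule("REJECT", proto="tcp", dport=(6000, 6003), iface="eth1"))  # ... then reject
    return c


def run_demo() -> dict:
    ct, chain, fw, r = ConnTracker(), build_input_chain(), "192.0.2.1", {}
    r["x11_probe"] = chain.verdict(Packet("198.51.100.77", fw, "tcp", 40000, 6000), ct)
    r["x11_logged"] = len(chain.log)
    r["ssh_outsider"] = chain.verdict(Packet("198.51.100.77", fw, "tcp", 40001, 22), ct)   # policy
    ssh = Packet("203.0.113.9", fw, "tcp", 50000, 22)
    r["ssh_admin_syn"] = chain.verdict(ssh, ct)
    r["ssh_admin_data"] = chain.verdict(ssh, ct)        # now ESTABLISHED: accepted by rule 2
    r["state_after"] = ct.state_of(ssh)
    # a packet with no tracked flow is NEW to conntrack, whatever TCP flags it carries
    r["stray_ack"] = chain.verdict(Packet("198.51.100.77", fw, "tcp", 40002, 80), ct)
    r["lan_udp"] = chain.verdict(Packet("192.168.1.20", "192.168.1.1", "udp", 5000, 12345, iface="eth0"), ct)
    chain.insert(1, Rule("DROP", src="203.0.113.0/24"))   # order matters: now beats the SSH rule
    r["ssh_admin_after_blocklist"] = chain.verdict(Packet("203.0.113.9", fw, "tcp", 50001, 22), ct)
    return r


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:28} {verdict}")
```

The `stray_ack` case is the reason a stateful filter is preferred over `--syn` matching alone: an unsolicited ACK-only segment has no conntrack entry, so it is NEW and falls through to the policy instead of sneaking past a rule that only blocks connection requests.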
Packet Filtering Issues
• Rules are complex. Easy to introduce errors
• Filters based on IP addresses. If authorized
sites are hacked, your site is compromised
• IP Spoofing can fake authorized (internal?) sites.
• Routers can be hacked to reroute internal
packets
• Activities need to be logged
• Internal host addresses should be hidden
Iptables
• Administration tool for IPv4 packet filtering
and NAT
• Used to set up, maintain, and inspect the
tables of IP packet filtering rules used by
the kernel to manage packet flow through
the firewall.
• Based on tables that specify the overall
task and chains that identify the position of
the packet in the packet flow.
IPTables tables
• Filter table
– Used to control the flow of packets based on packet attributes
– Only filter packets, don’t modify packets here.
• Network Address Translation (NAT) table
– Used to change the source / destination IP address and / or port
of selected incoming / outgoing packets
• Mangle table
– Supports specialized packet handling / routing
– Change contents of packet
• Experimental and developing tables …
Basic Packet Filtering
[Figure: filter table with its INPUT, FORWARD and OUTPUT chains between the LAN and the Internet; the Red Hat default configuration sends INPUT and FORWARD through the custom chain RH-Firewall-1-INPUT]
Incoming Packets to Filter
• Illegal Incoming Source IP Addresses
– Your IP Address
– Your LAN Address
– Private Network Addresses
– Multicast IP Addresses
– Loopback Interface Addresses
• Nuisance sites / networks
• Remote Source Port Filtering
• Local Destination Port Filtering
• Incoming TCP connection-state filtering
• Probes and Scans
• DoS Attacks
• Etc.
Packet Filtering alert list
• CERT
– www.cert.org – Carnegie-Mellon Software Engrg Inst.
– www.us-cert.gov
• Port Filter List (3/08)
– DNS zone transfers – 53
– tftpd – 69
– link – 87
– RPC / NFS – 111 / 2049
– BSD “r” commands – 512, 513, 514
– lpd – 515
– uucpd – 540
– openwindows – 2000
– X windows – 6000 +
Outgoing Packets to Filter
• Why?
– Consideration for fair use in Internet
– Distribution of private information
– Detection of unwanted client programs (Trojans, etc.)
• See http://www.us-cert.gov/cas/tips/ST06-001.html
• What
– Legitimate, routable addresses only
– Destination IP Addresses
– Destination ports
– Source Ports
Filter Table Chains
• Rules in any chain may match on an interface (-i eth0 for the arriving interface, -o eth0 for the outgoing one, etc.)
• INPUT
– Used to test packets that come into the firewall
• OUTPUT
– Used to test packets that are leaving the firewall
• FORWARD
– Used to test packets that are passing through the
firewall
• Packets should pass through only 1 chain
Filter table packet flow
[Figure: incoming packet → routing decision → FORWARD chain (or Drop) → out; or routing decision → INPUT chain (or Drop) → local processes → OUTPUT chain (or Drop) → out]
Iptables rule structure
• iptables -t <table> <action> <chain> <match rule> -j <target>
– Which table are we working with (filter is default)
– What action do we want to do to that table / chain (append, insert, delete, etc.)
– Which chain in that table are we working with
– Which packets do we want to match (protocol, addresses, ports, interface, connection state)?
– Where do we go (the target) if the packet matches the rule?
IPTables Actions
• Create a new chain (-N).
• Delete an empty chain (-X).
• Change the default policy for a chain (-P).
• List the rules in a chain (-L).
• Flush the rules out of a chain (-F).
• Zero the packet and byte counters on all rules in a chain (-Z).
IPTables Actions
• Append a new rule to the end of a chain (-A).
• Insert a new rule at some position in a chain (-I).
• Replace a rule at some position in a chain (-R).
• Delete a rule at some position in a chain, or the first that matches (-D).
IPTables targets
• ACCEPT
– Stop processing in this chain / table and let the packet continue (to the local process, or out the other interface)
• DROP
– Stop processing and silently discard the packet
• LOG
– Packet info sent to syslog. Non-terminating: processing continues with the next rule
• REJECT
– Stop processing, discard the packet and send an error (ICMP unreachable or TCP RST) to the source
• DNAT
– Change destination address / port (nat table)
• SNAT
– Change source address / port (nat table)
• MASQUERADE
– Source NAT to whatever address the outgoing interface currently has; for dynamic addresses (PAT)
Example Filter Rules
# Allow traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT        # OUTPUT matches the outgoing interface (-o), not -i
# Set default policy for chain
iptables --policy INPUT DROP
# Allow all outgoing connections (uses the user-defined chain "block" from the
# Simple Firewall table; ppp0 is the Internet side)
iptables -A block -m state --state NEW ! -i ppp0 -j ACCEPT
# Block incoming attempts to X windows (a port range is written lo:hi)
iptables -A INPUT -i eth1 -p tcp --syn --dport 6000:6003 -j REJECT
Example Filter Rules
# Allow incoming connections to local web server (eth1 is the Internet side)
iptables -t filter -A block -p tcp --dport 80 -i eth1 -j ACCEPT
# Insert a rule at position 7 that allows incoming udp packets to port 12345
iptables -I block 7 -p udp --dport 12345 -j ACCEPT
# Allow DNS requests NOT from outside (most DNS queries are udp; add the matching udp rule)
iptables -A block -p tcp --dport 53 -m state --state NEW ! -i eth1 -j ACCEPT
# Allow (and redirect) incoming web connections to 192.168.5.6
# (-d takes an address; the arriving interface is matched with -i)
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.5.6
Simple Firewall table
## Insert connection-tracking modules (not needed if built into kernel).
insmod ip_conntrack
insmod ip_conntrack_ftp
## Make chain that blocks new connections, except if coming from LAN.
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A block -j DROP
## Jump to that chain from INPUT and FORWARD chains.
iptables -A INPUT -j block
iptables -A FORWARD -j block
Iptables default config file
/etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
CentOS 5.5 Firewall – part 1
[rcotter@lserver3 ~]$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target               prot opt source     destination
RH-Firewall-1-INPUT  all  --  anywhere   anywhere

Chain FORWARD (policy ACCEPT)
target               prot opt source     destination
RH-Firewall-1-INPUT  all  --  anywhere   anywhere

Chain OUTPUT (policy ACCEPT)
target               prot opt source     destination
CentOS 5.5 Firewall – part 2
Chain RH-Firewall-1-INPUT (2 references)
target  prot opt source          destination
ACCEPT  all  --  0.0.0.0/0       0.0.0.0/0
ACCEPT  icmp --  0.0.0.0/0       0.0.0.0/0    icmp type 255
ACCEPT  esp  --  0.0.0.0/0       0.0.0.0/0
ACCEPT  ah   --  0.0.0.0/0       0.0.0.0/0
ACCEPT  udp  --  0.0.0.0/0       224.0.0.251  udp dpt:5353
ACCEPT  udp  --  0.0.0.0/0       0.0.0.0/0    udp dpt:631
ACCEPT  tcp  --  0.0.0.0/0       0.0.0.0/0    tcp dpt:631
ACCEPT  all  --  0.0.0.0/0       0.0.0.0/0    state RELATED,ESTABLISHED
ACCEPT  tcp  --  192.168.1.0/24  0.0.0.0/0    state NEW tcp dpt:22
ACCEPT  tcp  --  134.193.12.34   0.0.0.0/0    state NEW tcp dpt:22
ACCEPT  udp  --  0.0.0.0/0       0.0.0.0/0    state NEW udp dpt:137
ACCEPT  udp  --  0.0.0.0/0       0.0.0.0/0    state NEW udp dpt:138
ACCEPT  tcp  --  0.0.0.0/0       0.0.0.0/0    state NEW tcp dpt:139
ACCEPT  tcp  --  0.0.0.0/0       0.0.0.0/0    state NEW tcp dpt:445
ACCEPT  udp  --  0.0.0.0/0       0.0.0.0/0    state NEW udp dpt:2069
ACCEPT  tcp  --  0.0.0.0/0       0.0.0.0/0    state NEW tcp dpt:3128
ACCEPT  tcp  --  0.0.0.0/0       0.0.0.0/0    state NEW tcp dpt:3306
REJECT  all  --  0.0.0.0/0       0.0.0.0/0    reject-with icmp-host-prohibited
(Note: plain -L hides the interface columns, so the first rule, which is -i lo, looks like "accept everything"; use iptables -L -v -n to see interfaces and counters.)
Filter table
• Input, forward chains point to custom chain
– RH-Firewall-1-INPUT
• Output chain set to accept all
– (allow any outgoing traffic)
• RH-Firewall-1-INPUT chain
– Initial 4 rules allow broad classes of packets (loopback, ICMP, ESP, AH)
– Allow multicast DNS
– Allow ipp (Internet Printing Protocol)
– Allow incoming UDP packets to port 12345
• Special server set up for cs423 class
– Allow incoming SSH connections
– Reject everything else!
Network Address Translation
• What?
– “Translates” IP addresses and / or ports as
packet passes through firewall
– Only first packet of a connection will traverse
the table. All remaining packets are modified
the same as the first packet.
• Why?
– Private local IP Addresses
– Multiple Servers (load sharing)
– Transparent Proxying
NAT table
• Used to map local IP addresses to a set of
routable addresses (NAT)
• Used to map local IP addresses to a set of ports
associated with a single routable address
(NAPT)
• Used to map local IP addresses to a set of ports
associated with a variable routable address
(masquerade)
– Dial-up connection
– Dynamically assigned IP address
• Other
NAT
• Two types of NAT
– Source NAT (snat) used to translate the
source IP address of a packet (typically
outgoing)
– Destination NAT (dnat) used to translate the
destination IP address of a packet (typically
incoming).
NAT table chains
• Pre-routing
– Used to test / modify the destination
addresses of incoming packets
• Output
– Used to change the source (or destination)
address of locally generated packets
• Post-routing
– Used to change the source address of
outgoing packets.
NAT table packet flow
[Figure: incoming packet → Pre-routing (Destination NAT) → Routing → Forward chain (or Drop) → Post-routing (Source NAT) → out; or Routing → Input chain (or Drop) → Local processes → Output chain (or Drop) → Post-routing (Source NAT) → out]
Simple NAT table rules
# Masquerade out ppp0
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Disallow NEW & INVALID incoming or forwarded packets from ppp0.
iptables -A INPUT -i ppp0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i ppp0 -m state --state NEW,INVALID -j DROP
# Turn on IP forwarding (in RAM)
echo 1 > /proc/sys/net/ipv4/ip_forward
# Turn on IP forwarding (in file /etc/sysctl.conf)
net.ipv4.ip_forward = 1
Mangle table
• Used for special routing and packet
modification.
– Use TOS (type of service) field in IP header.
– TTL
– Can be used to set and test markers placed
Mangle Table Routing
[Figure: routing diagram between the Internet and an AS]
Linux Firewall Mgmt
• iptables
– Make changes to memory image of firewall rules
• iptables-save
– Display a copy of the memory image
– Can redirect the copy to a file using output redirection
– iptables-save > /etc/sysconfig/iptables
• iptables-restore
– Rebuild memory image from keyboard or file (using redirection)
• Security Level and Firewall Applet (Fedora)
– Creates an automatic backup file: /etc/sysconfig/iptables
IPTables Constraints
• Based on IP – only
– Don’t run IPX, appletalk, etc. as these protocols are
not filtered
• Packets traversing the filter table will pass
through only 1 chain
Port Forwarding
[Figure: Internet client → firewall at 123.234.56.78:80 → HTTPD at 192.168.3.6:80 on the LAN]
SOHO Router Port Range Forwarding
[Figure: SOHO router port range forwarding configuration page]
IPTables Port Forwarding
• For incoming packets (arriving from the Internet for the published address)
– iptables -t nat -A PREROUTING -p tcp -d <published-ip> --dport <published-port> -j DNAT --to-destination <private-ip>:<private-port>
• For LAN clients that connect to the published address (hairpin NAT). Replies to a DNATed connection are un-translated by conntrack automatically; this SNAT is what makes the server send its replies back through the firewall instead of directly to the LAN client, where they would never be un-translated
– iptables -t nat -A POSTROUTING -p tcp -d <private-ip> --dport <private-port> -m conntrack --ctstate DNAT -j SNAT --to-source <published-ip>
• For packets originating on the firewall (locally generated packets do not traverse PREROUTING)
– iptables -t nat -A OUTPUT -p tcp -d <published-ip> --dport <published-port> -j DNAT --to-destination <private-ip>:<private-port>
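The port-forwarding rules above, together with the MASQUERADE and "only the first packet traverses the nat table" behaviour described on the Network Address Translation slides, as a runnable model. This is an added example, not code from the slides, and it drives no real kernel. Topology assumed for the illustration: eth1 faces the Internet with address 192.0.2.1, eth0 faces the LAN 192.168.5.0/24, and the web server 192.168.5.6:80 is published as 192.0.2.1:80 (all RFC 5737 documentation ranges).

```python
"""Model of the netfilter nat table and its conntrack binding (added example).

DNAT happens in PREROUTING (before routing), SNAT / MASQUERADE in POSTROUTING
(after routing), and conntrack stores the translation so that only the first
packet of a flow consults the nat rules; later packets and replies are
rewritten from the stored entry.
"""
from __future__ import annotations
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, Set, Tuple

LAN_NET = ip_network("192.168.5.0/24")          # eth0 side (constructed topology)
PUBLIC_IP = "192.0.2.1"                          # eth1 address
# -t nat -A PREROUTING -p tcp -d 192.0.2.1 --dport 80 -j DNAT --to-destination 192.168.5.6:80
DNAT_RULES = {("tcp", PUBLIC_IP, 80): ("192.168.5.6", 80)}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    in_iface: str            # "eth1" (Internet) or "eth0" (LAN)

    def key(self) -> tuple:
        return (self.proto, self.src, self.sport, self.dst, self.dport)


class NatFirewall:
    def __init__(self) -> None:
        # conntrack: 5-tuple as the packet arrives -> (src, sport, dst, dport) it is rewritten to
        self.conntrack: Dict[tuple, tuple] = {}
        self.masq_ports: Set[int] = set()          # public source ports used by MASQUERADE

    def route(self, dst: str) -> str:
        if dst == PUBLIC_IP:
            return "local"                         # addressed to the firewall itself (INPUT path)
        return "eth0" if ip_address(dst) in LAN_NET else "eth1"

    def _alloc_port(self, wanted: int) -> int:
        port = wanted                              # keep the client's port when free, like the kernel
        while port in self.masq_ports:
            port += 1
        self.masq_ports.add(port)
        return port

    def process(self, pkt: Packet) -> Tuple[Packet, str, str]:
        """Return (packet after NAT, outgoing interface, how it was handled)."""
        if pkt.key() in self.conntrack:            # not the first packet: reuse the stored translation
            src, sport, dst, dport = self.conntrack[pkt.key()]
            return replace(pkt, src=src, sport=sport, dst=dst, dport=dport), self.route(dst), "conntrack"

        src, sport, dst, dport = pkt.src, pkt.sport, pkt.dst, pkt.dport
        steps = []
        if (pkt.proto, dst, dport) in DNAT_RULES:               # PREROUTING
            dst, dport = DNAT_RULES[(pkt.proto, dst, dport)]
            steps.append("DNAT")
        out_iface = self.route(dst)                              # routing sees the translated destination
        if out_iface == "eth1" and ip_address(src) in LAN_NET:   # POSTROUTING -o eth1 -j MASQUERADE
            src, sport = PUBLIC_IP, self._alloc_port(sport)
            steps.append("MASQUERADE")
        elif "DNAT" in steps and out_iface == "eth0" and ip_address(src) in LAN_NET:
            # hairpin: a LAN client used the published address. Without this SNAT the server
            # would answer the client directly and that reply would never be un-DNATed.
            src = PUBLIC_IP
            steps.append("SNAT")
        out = Packet(pkt.proto, src, sport, dst, dport, pkt.in_iface)
        self.conntrack[pkt.key()] = (src, sport, dst, dport)
        # the reply arrives with the translated endpoints swapped and must go back to the originals
        self.conntrack[(pkt.proto, dst, dport, src, sport)] = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return out, out_iface, "+".join(steps) or "no-nat"


def run_demo() -> dict:
    fw, r = NatFirewall(), {}
    # 1. Internet client reaches the published service: DNAT, then routed to the LAN
    p, iface, how = fw.process(Packet("tcp", "198.51.100.77", 40000, PUBLIC_IP, 80, "eth1"))
    r["inbound"] = (p.dst, p.dport, iface, how)
    # 2. The server's reply is rewritten from conntrack alone; no nat rule mentions it
    p, iface, how = fw.process(Packet("tcp", "192.168.5.6", 80, "198.51.100.77", 40000, "eth0"))
    r["inbound_reply"] = (p.src, p.sport, iface, how)
    # 3. The next packet of the same flow skips the nat table as well
    p, _, how = fw.process(Packet("tcp", "198.51.100.77", 40000, PUBLIC_IP, 80, "eth1"))
    r["inbound_next"] = (p.dst, how)
    # 4. Two LAN hosts with the same source port share one public address (NAPT / masquerade)
    p1, _, _ = fw.process(Packet("tcp", "192.168.5.10", 5555, "198.51.100.77", 443, "eth0"))
    p2, _, how = fw.process(Packet("tcp", "192.168.5.11", 5555, "198.51.100.77", 443, "eth0"))
    r["masq"] = (p1.src, p1.sport, p2.src, p2.sport, how)
    # 5. The reply to the second host is demultiplexed by the public port
    p, iface, _ = fw.process(Packet("tcp", "198.51.100.77", 443, PUBLIC_IP, 5556, "eth1"))
    r["masq_reply"] = (p.dst, p.dport, iface)
    # 6. LAN client connects to the published address: DNAT plus hairpin SNAT
    p, iface, how = fw.process(Packet("tcp", "192.168.5.10", 6000, PUBLIC_IP, 80, "eth0"))
    r["hairpin"] = (p.src, p.dst, p.dport, iface, how)
    return r


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:14} {result}")
```

Case 6 is the reason for the second rule on the slide: after DNAT the server sees a source address on its own subnet and would otherwise reply to the client directly, bypassing the conntrack entry that knows how to undo the translation.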
IPtables rerouting Issues
• Often, when we re-route packets, we only
need to change destination (or source) IP
address.
• Sometimes (if we are rerouting to a locally
connected destination) we need to change
both IP address and MAC address.
• IPtables only filters IP traffic. It cannot
change IPX, netBEUI, Appletalk, etc.
EBtables
• Ethernet Bridge tables
– Intended to support filtering of packets that
IPtables cannot filter – Ethernet protocol,
MAC address, ARP, netBEUI, IPX, etc.
– Basically adds non–IP filtering.
– 802.1Q VLAN filtering
– MAC address NAT
– Frame counters
• Linux bridge-nf code
– Passes bridged traffic to IPtables
EBtables Structure
• broute table
– BROUTING chain
– Choose whether to process packet at layer 2
(bridge) or at layer 3 (route)
– e.g. route normal IP traffic and bridge IPX traffic
• filter table
– FORWARD, INPUT, OUTPUT chains
– Filter frames based on MAC addresses
• nat table
– PREROUTING, OUTPUT, POSTROUTING chains
– Change MAC addresses (redirect based on MAC)
Ethernet Bridge Firewall
[Figure: Internet – Linux box configured as a bridge, with firewall installed – LAN]
Ethernet Bridge Firewall
• Use bridging firewall (ebtables) to set up
rules to pass packets through host.
– Since processing happens at Data Link Layer,
there is no need to assign an IP address to
host interfaces, so machine is invisible to
network scanning.
– Offers better protection, and less configuration
of the remaining network.
– Can also be configured with an IDS.
Ethernet Bridge Firewall
• Create a virtual Ethernet bridge interface
– brctl addbr br0
• Add our interfaces to the bridge
– brctl addif br0 eth0
– brctl addif br0 eth1
• Remove the IP configuration from interfaces
– ifconfig eth0 down
– ifconfig eth1 down
– ifconfig eth0 0.0.0.0 up
– ifconfig eth1 0.0.0.0 up
• Configure access for the bridge
– Local console, OOB network, configure 1 IP
Ethernet Bridge Firewall (2)
[Figure: Internet – bridge – LAN]
Example Firewall Application
• Monitor all outgoing Traffic
– Most firewalls only monitor incoming traffic by
default
• Identify what traffic is desired and block
the rest.
– Many applications generate queries to their
servers
– Spyware
– Hacks
App development process
• Capture all outgoing traffic
– Monitor traffic as it enters or leaves the
network – (Ethernet Bridge)
– Use iptables to log traffic.
• -A firewall-win1 -j LOG --log-level 4 --log-prefix "Win1 " --log-tcp-options --log-ip-options
– Set up syslog to divert level 4 messages to a separate file (see syslog.conf)
• kern.warning    /var/log/iptables.log
– Save data daily to separate file
• iptables_log_022011
Primary Firewall Filter Table
# Generated Manually 8/19/10
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [8183:1429550]
:OUTPUT ACCEPT [14722:762210]
-N RH-Firewall-1-INPUT
# Create separate chains for each host - 8/19/10
-N Firewall-Win2
-N Firewall-Win1
-N Firewall-lserver3
#new line 8/26/10 - start monitoring this machine
-N firewall-bridge
-A OUTPUT -j firewall-bridge
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD --src 192.168.1.25 -j Firewall-lserver3
-A FORWARD --src 192.168.1.35 -j Firewall-Win2
-A FORWARD --src 192.168.1.30 -j Firewall-Win1
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j DROP
Win1 Outgoing Firewall Chain
-A Firewall-Win1 --dst 192.168.1.0/24 -j ACCEPT
-A Firewall-Win1 -p icmp -m icmp --icmp-type any -j ACCEPT
-A Firewall-Win1 --dst 134.193.123.45 -j ACCEPT
-A Firewall-Win1 --dst 208.67.222.222 -j ACCEPT
# Allow queries to Dropbox
-A Firewall-Win1 --dst 50.16.0.0/16 -j ACCEPT
# Allow queries to Kaspersky
-A Firewall-Win1 --dst 38.117.98.0/24 -j ACCEPT
-A Firewall-Win1 --dst 38.124.168.0/24 -j ACCEPT
-A Firewall-Win1 --dst 38.113.165.0/24 -j ACCEPT
-A Firewall-Win1 --dst 79.141.216.0/24 -j ACCEPT
# Allow queries to Microsoft (update)
-A Firewall-Win1 --dst 207.46.206.0/24 -j ACCEPT
-A Firewall-Win1 --dst 65.55.200.0/24 -j ACCEPT
-A Firewall-Win1 --dst 64.4.30.0/24 -j ACCEPT
-A Firewall-Win1 --dst 65.54.221.0/24 -j ACCEPT
# Allow queries to dyndns.org
-A Firewall-Win1 --dst 91.198.22.0/24 -j ACCEPT
-A Firewall-Win1 --dst 204.13.248.0/24 -j ACCEPT
-A Firewall-Win1 --dst 208.78.69.0/24 -j ACCEPT
# Lots of multicast traffic. Drop it.
-A Firewall-Win1 --dst 224.0.0.0/8 -j DROP
# Now, log everything else before dropping it
-A Firewall-Win1 -m physdev --physdev-in eth1 -j LOG --log-level 4 --log-prefix "Win1 " --log-tcp-options --log-ip-options
# For everything else, drop the traffic.
-A Firewall-Win1 -j DROP
Capture Outgoing Traffic
• Data Record – 1 per packet
– Feb 19 00:01:03 bridge kernel: Win1 IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.168.1.35 DST=66.94.233.186 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=10570 DF PROTO=TCP SPT=2323 DPT=80 WINDOW=65185 RES=0x00 ACK FIN URGP=0
– Records per day ~ 40k to 80k+
Port Scan Attack Detector
PSAD
• Can be configured to detect various network
scans, invalid traffic, attacks, etc.
• Can be used to fingerprint source machines
• Can be configured to provide active response
based on type of input, numbers of input packets
for a predetermined period.
• Can be used to sort and organize logged data.
Summarize traffic
• psad -m /var/log/iptables/iptables_log_022011 --gnuplot --CSV-fields dst src dp:count --gnuplot-graph points --gnuplot-xrange 0:100 --gnuplot-file-prefix test_022011
– test_022011.dat
– 1, 172, 2 ### 1=12.29.100.148 172=192.168.1.35
–:
– 39, 172, 96 ### 39=66.94.233.186 172=192.168.1.35
–:
– 246, 171, 1 ### 246=216.191.247.139 171=192.168.1.30
Sort Traffic by Source
• Use script (bash / awk / py / ?) to sort traffic into
separate files by source
• Use DNS to get domain name for sites
• Win1_022011.lst
– 12.29.100.148: Output was 0
– :
– 66.94.233.186: r3.ycpi.vip.mud.yahoo.net.
– :
– 216.137.43.236: server-216-137-43236.dfw3.cloudfront.net.
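A parser and summariser for the log records described on the Capture Outgoing Traffic slide, covering both the psad-style (dst, src, dport) count and the sort-by-source step above. This is an added example, not code from the slides. The sample records are constructed for the illustration (the first reproduces the record format shown on the slide; the others follow it), the file path and host names are assumptions, and the DNS lookup of each destination is left out so the script runs offline.

```python
"""Parse iptables LOG records and summarize them per destination / source (added example)."""
from __future__ import annotations
import re
from collections import Counter, defaultdict
from ipaddress import ip_address
from typing import Dict, List, Optional

# Constructed sample of /var/log/iptables.log; the last line is an ordinary kernel message.
SAMPLE_LOG = """\
Feb 19 00:01:03 bridge kernel: Win1 IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.168.1.35 DST=66.94.233.186 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=10570 DF PROTO=TCP SPT=2323 DPT=80 WINDOW=65185 RES=0x00 ACK FIN URGP=0
Feb 19 00:01:05 bridge kernel: Win1 IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.168.1.35 DST=66.94.233.186 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=10571 DF PROTO=TCP SPT=2324 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 19 00:02:10 bridge kernel: Win1 IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.168.1.35 DST=208.67.222.222 LEN=61 TOS=0x00 PREC=0x00 TTL=128 ID=10600 PROTO=UDP SPT=1035 DPT=53 LEN=41
Feb 19 00:03:00 bridge kernel: Win1 IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.168.1.35 DST=216.137.43.236 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=10650 DF PROTO=TCP SPT=3001 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 19 00:04:00 bridge kernel: lserver3 IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.168.1.25 DST=66.94.233.186 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1
Feb 19 00:05:00 bridge kernel: eth0: link is up
"""

# syslog header, optional "[12345.678]" kernel timestamp, the --log-prefix text, then the fields from "IN=" on
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?:\[\s*\d+\.\d+\] )?(?P<prefix>.*?)(?P<body>IN=.*)$"
)


def parse_log_line(line: str) -> Optional[dict]:
    """Return one record dict for an iptables LOG line, or None for any other kernel message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "prefix": m["prefix"].strip(), "flags": set()}
    for tok in m["body"].split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            rec.setdefault(k, v)      # keep the first LEN= / ID= (IP header), not the UDP or ICMP one
        else:
            rec["flags"].add(tok)     # bare tokens: DF, SYN, ACK, FIN, RST, ...
    return rec


def load_records(text: str) -> List[dict]:
    return [r for r in (parse_log_line(line) for line in text.splitlines()) if r]


def summarize(records) -> Counter:
    """Packets per (dst, src, dport): the fields of psad --CSV-fields dst src dp:count."""
    return Counter((r["DST"], r["SRC"], r.get("DPT")) for r in records)


def connection_attempts(records) -> Counter:
    """TCP connection requests (SYN without ACK) per (src, dst, dport). The raw packet
    count above includes every ACK of a long session, which inflates busy flows."""
    return Counter(
        (r["SRC"], r["DST"], r["DPT"])
        for r in records
        if r.get("PROTO") == "TCP" and "SYN" in r["flags"] and "ACK" not in r["flags"]
    )


def by_source(records) -> Dict[str, List[str]]:
    """Destinations contacted by each internal host, sorted numerically: the content of a
    per-host list such as Win1_022011.lst before the DNS names are added."""
    dests = defaultdict(set)
    for r in records:
        dests[r["SRC"]].add(r["DST"])
    return {src: sorted(d, key=ip_address) for src, d in dests.items()}


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for key, n in summarize(recs).most_common():
        print(n, key)
    for src, dsts in by_source(recs).items():
        print(src, "->", ", ".join(dsts))
```

To run it over a real day's file, replace SAMPLE_LOG with the contents of the saved log (for instance iptables_log_022011) and pass each destination in by_source() to a reverse lookup such as socket.gethostbyaddr, catching the failures that the slide records as "Output was 0".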
Analyze traffic
• Are addresses identifiable?
• Is the traffic known / expected?
• Why is traffic there?
Summary
• What is a firewall?
• Architectures
– Stand Alone / application / proxy
– Personal / host based
– Gateway / packet filters
– Enterprise / hardware
• Packet Filtering concepts
• Packet Forwarding
• Roles
– Bastion
– DMZ
• EBtables