Firewalls: General Principles & Configuration (in Linux)
Bruhadeshwar Bezawada
International Institute of Information Technology, Hyderabad
Overview
General Principles of Firewalls
Types
Issues in design and deployment
Rules, conflicts and performance issues
Configuration
IPTables
IPChains
Relevant OSI Layers for Firewall Operation
General Principles of Firewalls
Network firewalls are devices or systems that control the flow of network traffic between networks employing different security postures
One usage is to limit/control connectivity to the Internet
Another usage in corporate networks is to restrict connectivity to and from internal networks servicing more sensitive functions, like the accounting or personnel department
Firewalls operate at different layers in the network
Firewalls that can examine information at more than one layer are more thorough and effective
A firewall that works only with layers 2 and 3 does not deal with specific users
A firewall at the application layer, like an application-proxy gateway firewall, can enforce user authentication as well as log events against specific users
Add-ons Supported by Firewalls
NAT, DHCP, encryption for VPNs, and application content filtering
Firewalls support DHCP so as to allocate IP addresses to those systems that will be the subject of the firewall's security control and to simplify network management
Firewalls can act as VPN gateways, where the gateway is responsible for encrypting traffic that is leaving its boundary and destined for other systems in the VPN
Active content filtering: the firewall is capable of filtering actual application data at layer 7
For example, scanning email attachments for viruses, filtering out active content in technologies like Java, JavaScript, ActiveX
Can filter on content or key words to restrict access to inappropriate sites or domains.
Types of Firewalls
Packet Filters
Stateful Inspection Firewalls
Application-proxy Gateway Firewalls
Dedicated proxy servers
Hybrid Firewalls
Network Address Translation (NAT)
Packet Filters
Packet Filter Firewalls
Packet filters operate at layers 2/3 of the OSI model
The basic functionality is designed to provide network access control based on information at the network layer:
Source address of the packet, i.e., the IP address from which the packet originated
Destination address of the packet, i.e., the IP address where it is going
Type of traffic, i.e., the specific network protocol being used to communicate between source and destination
Source and destination ports
Incoming and outgoing interfaces for the packet
Filtering by type of traffic, e.g., ICMP traffic, where the layer 3 protocol is ICMP
Prevent attacks that exploit weaknesses in the TCP/IP suite
The access control functionality of a packet filter is decided by a set of directives called a ruleset
Boundary Router
Packet filters are also called boundary routers
Packet filter gateways have both speed and flexibility: as they examine a limited amount of data, they can operate very quickly
The ability to block attacks, filter unwanted protocols, perform access control, and block denial-of-service and related attacks makes them ideal to be placed at the outermost boundary with an untrusted network.
E.g., the boundary router accepts packets from untrusted networks and performs access control according to the policy in place, say, block SNMP, permit HTTP, block ICMP etc.
The boundary router will pass the packets to a more powerful firewall that can perform access control and filtering at higher layers of the OSI stack
Boundary Router
Sample Packet Filter Ruleset
Examining the Rule Set
Some notes on the ruleset
192.168.1.0 indicates all addresses in the range 192.168.1.0 to 192.168.1.254
(Firewall has interface: 192.168.1.1)
The firewall examines source port, destination port, source address, destination address, basically all information that is necessary for evaluating the rules in the ruleset
Actions taken are:
Accept: the firewall passes the packet through the firewall as requested
Deny: drops the packet. An error message is returned to the sending system
Discard: drops the packet and does not return an error to the source system
Example
Rule 1 allows any TCP connections from outside
Rule 3 says deny any attempts to connect to the firewall from outside
Rules 5 and 6 say allow packets going to the SMTP (192.168.1.2) and HTTP (192.168.1.3) servers
The last rule is the default: if packets don’t match any of the above they are denied
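As an added example (not from the slides), a small Python model of first-match packet filtering over a ruleset constructed from the rule descriptions above; the network, server addresses and rule names are taken from the slide, rules 2 and 4 are not described there and are omitted. Run against a few probe packets it shows why rule order matters: with rule 1 first, rule 3's "deny connections to the firewall" never fires for TCP traffic, the kind of rule conflict the overview lists.

```python
import ipaddress

# Constructed ruleset following the slide's description of the sample packet filter.
INTERNAL = ipaddress.ip_network("192.168.1.0/24")   # protected network
FIREWALL = ipaddress.ip_address("192.168.1.1")      # firewall's own interface
SMTP_SERVER = ipaddress.ip_address("192.168.1.2")
HTTP_SERVER = ipaddress.ip_address("192.168.1.3")

def is_outside(ip):
    return ip not in INTERNAL

def is_inside(ip):
    return ip in INTERNAL

def match_any(_ip):
    return True

# (name, src predicate, dst predicate, protocol or None, dst port or None, action)
# Actions use the slide's vocabulary: accept, deny (dropped, error returned) and
# discard (dropped silently). In iptables these map to ACCEPT, REJECT and DROP.
RULESET = [
    ("rule 1: TCP from outside", is_outside, is_inside, "tcp", None, "accept"),
    ("rule 3: no connections to firewall", is_outside, lambda d: d == FIREWALL, None, None, "deny"),
    ("rule 5: SMTP server", match_any, lambda d: d == SMTP_SERVER, "tcp", 25, "accept"),
    ("rule 6: HTTP server", match_any, lambda d: d == HTTP_SERVER, "tcp", 80, "accept"),
    ("last rule: default deny", match_any, match_any, None, None, "deny"),
]

def evaluate(ruleset, src, dst, proto, dport):
    """First-match evaluation, as a packet filter does: returns (rule name, action)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, src_ok, dst_ok, rule_proto, rule_port, action in ruleset:
        if (src_ok(src) and dst_ok(dst)
                and rule_proto in (None, proto) and rule_port in (None, dport)):
            return name, action
    return "implicit", "discard"   # not reached here because of the default rule

def shadowed_rules(ruleset, probes):
    """Rules that never fire for any of the probe packets: a hint of ordering conflicts."""
    fired = {evaluate(ruleset, *p)[0] for p in probes}
    return [name for name, *_ in ruleset if name not in fired]

# Constructed probe packets: (src, dst, proto, dst port)
PROBES = [
    ("203.0.113.9", "192.168.1.3", "tcp", 80),    # web traffic to the HTTP server
    ("203.0.113.9", "192.168.1.1", "tcp", 22),    # TCP connection attempt to the firewall
    ("203.0.113.9", "192.168.1.1", "icmp", None), # ping of the firewall
    ("203.0.113.9", "192.168.1.2", "udp", 53),    # UDP to the SMTP server
]
```

Moving rule 3 ahead of rule 1 in RULESET makes the TCP probe against the firewall hit the deny rule instead.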
Weaknesses
As they don't examine upper-layer data, they cannot prevent attacks that employ application-specific vulnerabilities or functions
For example, they cannot block specific application commands: if a packet filter firewall allows a given application, all functions available from that application will be permitted
Logging functionality is limited as packet filter firewalls work on a small amount of data
Most packet filters do not support advanced user authentication schemes
Vulnerable to attacks and exploits that take advantage of problems within the TCP/IP specification and protocol stack, such as IP spoofing
Due to the small number of variables used in access control decisions, packet filter firewalls are susceptible to security breaches caused by improper configuration
These firewalls are suitable for high-speed environments where logging and user authentication with network resources are not important
Stateful Inspection Firewalls
Stateful Inspection Firewalls
Address some functionality of the TCP layer
Many clients connect to remote systems from high-numbered ports
E.g., the client port is >1023 in most cases
A packet filter firewall must therefore allow all communication to ports above this to happen
Allowing so many ports leaves the network vulnerable
A stateful inspection firewall solves this problem by adding the state information of the relevant TCP connection
Only ports having legitimate TCP connections are allowed
A state table is maintained for every connection
Sample State Table
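The following Python model, added here and not part of the slides, shows the mechanism behind the sample state table: an outbound SYN from an internal host creates an entry keyed by the connection's four-tuple, and inbound packets to internal high-numbered ports are accepted only when they match an existing entry. Addresses and the single-FIN teardown are constructed simplifications.

```python
class StatefulFilter:
    """Model of a stateful inspection firewall for TCP (constructed example).
    Inbound packets to internal high ports are accepted only when they answer
    a connection already present in the state table."""

    def __init__(self, internal_net="192.168.1."):
        self.internal_net = internal_net
        self.table = {}   # (int_ip, int_port, ext_ip, ext_port) -> state

    def _internal(self, ip):
        return ip.startswith(self.internal_net)

    def filter(self, src, sport, dst, dport, syn=False, fin=False):
        """Return 'accept' or 'deny' for one packet and update the state table."""
        if self._internal(src) and not self._internal(dst):
            key = (src, sport, dst, dport)          # outbound: internal side is the source
            if syn and key not in self.table:       # new outbound connection opens an entry
                self.table[key] = "SYN_SENT"
                return "accept"
        elif not self._internal(src) and self._internal(dst):
            key = (dst, dport, src, sport)          # inbound: same tuple, seen from inside
        else:
            return "deny"                           # not a boundary crossing this model tracks
        if key not in self.table:
            return "deny"    # unsolicited packet: that high port is not "open"
        if fin:
            del self.table[key]                     # simplification: one FIN tears the entry down
        elif not syn:
            self.table[key] = "ESTABLISHED"         # traffic flowed after the handshake
        return "accept"

    def state_of(self, int_ip, int_port, ext_ip, ext_port):
        """Look up the tracked state of a connection, or None if it is not in the table."""
        return self.table.get((int_ip, int_port, ext_ip, ext_port))
```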
Application-Proxy Gateway Firewalls
Application-proxy Gateway Firewalls
Combine application-layer information with lower-layer information for filtering purposes
Application proxies take over the routing task for packets from inside and outside the network
If the proxy fails, no packets can pass through the firewall
All network packets must traverse the firewall under software control
Each individual application proxy (proxy agent) interfaces directly with the firewall access control ruleset to determine whether given traffic should be permitted to transit the firewall
Authentication of each user is possible based on login/password, source address, biometrics etc.
Advantages Over Previous Firewalls
They have more extensive logging capabilities as the entire packet is examined
E.g., malicious commands like su - root from outside can be logged
They allow administrators to enforce the required authentication based on the security policy of the organization
IP spoofing can be detected as the attackers need to know more information such as login and password
Typical Proxy Agents
Disadvantages
Needing to read the entire packet makes these firewalls slow
Not suited for high-bandwidth or real-time applications
Some work is often offloaded to dedicated proxy servers
They are not flexible in supporting new network applications and protocols
They ship with generic support
This can allow malicious traffic to tunnel through these generic applications without checks
Dedicated Proxy Servers
Proxy servers are deployed behind traditional firewalls
The main firewall will accept inbound traffic and forward the traffic to the proxy, if that application is handled by the proxy
Proxy servers can also accept outbound traffic from internal systems
E.g., email proxy server
Filter or log the traffic accordingly
E.g., an HTTP proxy that is behind the firewall
Dedicated proxies allow enforcement of user authentication requirements in addition to filtering and logging
Prevent email viruses
Protect web server updates from internal users
Email and Content Scanning
Java applet or application filtering (based on digital signature availability)
ActiveX control filtering (same as above)
JavaScript filtering (eliminating cross-site scripting attacks)
Blocking specific Multipurpose Internet Mail Extensions (MIME) types
Virus scanning and removal
Application-specific commands like HTTP "delete"
User-specific controls, including blocking content types for certain users
Caching of web pages to reduce incoming traffic
Sample Proxy Configuration
Hybrid Firewall Technologies
Combining basic packet filters with application-proxy gateway firewalls
Combining stateful inspection firewalls with application-proxy functionality to offset weaknesses of existing stateful inspection firewalls
Network Address Translation
Two reasons for NAT:
Hiding the real IP addresses in the network prevents many attackers from attacking individual systems
Depletion of IP address space has made NAT necessary for most organizations
Three techniques
Static Address Translation
Hiding Network Address Translation
Port Address Translation
Static Address Translation
Every internal IP has a different (fixed) routable IP
Not very frequently used due to the lack of IPs
Very fast and scalable
Sample Table
Hiding NAT
All internal IP addresses share the SAME external IP address
E.g., all systems connecting to the Internet through a proxy
Those addresses that need to be mapped from outside will still require their own external addresses, for efficiency purposes
Port Address Translation
Forward inbound connections based on ports
The client port is used to identify the connection, unlike NAT where the IP address is used to identify the connection
Each internal connection gets a port from the firewall based on the connection
When the response comes from outside, the firewall looks up the destination port and identifies the client
Sample PAT Table
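As an added illustration of the PAT mechanism described above (constructed example, not from the slides), the Python class below keeps the sample PAT table as two dictionaries: an outbound map that hands each internal connection its own firewall port, and an inbound map that resolves a reply's destination port back to the internal client. The external address, port range and sample clients are constructed values.

```python
class PortAddressTranslator:
    """Model of Port Address Translation: every internal (ip, port) connection is
    mapped to a unique port on the firewall's single external address, and replies
    are demultiplexed by looking up the destination port. Constructed example."""

    def __init__(self, external_ip, first_port=10000, last_port=65535):
        self.external_ip = external_ip
        self._free_ports = iter(range(first_port, last_port + 1))
        self.outbound = {}   # (int_ip, int_port, ext_ip, ext_port) -> firewall port
        self.inbound = {}    # firewall port -> (int_ip, int_port, ext_ip, ext_port)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of an outbound packet; returns (external ip, firewall port).
        The same connection always gets the same port back."""
        key = (src_ip, src_port, dst_ip, dst_port)
        fw_port = self.outbound.get(key)
        if fw_port is None:
            fw_port = next(self._free_ports, None)
            if fw_port is None:
                raise RuntimeError("PAT table full: no free firewall port")
            self.outbound[key] = fw_port
            self.inbound[fw_port] = key
        return self.external_ip, fw_port

    def translate_inbound(self, src_ip, src_port, dst_port):
        """Map a reply arriving at the firewall back to (internal ip, internal port).
        Returns None when no connection owns that port or the sender does not match,
        so unsolicited inbound traffic has nowhere to go and is dropped."""
        entry = self.inbound.get(dst_port)
        if entry is None:
            return None
        int_ip, int_port, ext_ip, ext_port = entry
        if (src_ip, src_port) != (ext_ip, ext_port):
            return None   # port belongs to a connection with a different peer
        return int_ip, int_port

    def release(self, src_ip, src_port, dst_ip, dst_port):
        """Free the firewall port when the internal connection closes."""
        fw_port = self.outbound.pop((src_ip, src_port, dst_ip, dst_port), None)
        if fw_port is not None:
            del self.inbound[fw_port]
```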
Other Firewalls
Host-based firewalls in Linux-based systems for application servers
The server application is protected better
Separate hardware/software is not necessary
Personal firewalls to protect PCs
Personal firewall appliances for protecting small networks like ISP-client connections etc.
Integrate with devices such as cable modems, routing modules, DHCP servers, hubs, switches, SNMP agents, application-proxy agents
DMZ
Created out of a network connecting two firewalls
Specifically, for nodes that should not be put in protected internal networks
DMZ