
Automated Firewalls with Mason
• William Stearns
• The Institute for Security Technology Studies, Dartmouth College
• SANS
• [email protected]
• http://mason.stearns.org
Getting underway…
• Room monitors
• Evaluation forms
• Questions at any point
• Goals
– Basics of Linux firewalling
– Learning process
– Live demo
Firewalls
• One small piece of your network security
• Only affects traffic going in, out, or through your
firewall
• Can be circumvented
– TCP/IP tunneling in ssh, email, DNS, http
– Using allowed ports for blocked traffic types
– Additional exit points from network
• Firewall system needs to be locked down tightly!
Firewall types
• Packet filtering
– Stateful
– Stateless
• Proxy
• Better yet, both!
Choice of firewall platform
• Stability
• Network card support
• Security and Updates
• Network performance
• Ability to audit and strip down
• Cost
• Ease of setup
Linux Packet Filtering
• Separation of Jobs
– Kernel
– Command line tools
Linux Packet Filtering types
• ipfw (Linux 1.2 kernels)
• ipfwadm (Linux 2.0 kernels)
• ipchains (Linux 2.2 kernels)
• iptables (Linux 2.4 kernels)
ipfw
• First Linux packet filtering support
• Linux 1.2 kernels
• Stateless
• Very limited
– Only filtered on one port
– Never integrated into distributions
– Not supported by Mason
• Ported from one of the BSD’s by Alan Cox
ipfwadm
• Linux 2.0 kernels
• Stateless
• Filters on source and destination addresses
and ports
• Only TCP, UDP, and ICMP
• Masquerading (many-to-one NAT)
• Jos Vos
ipchains
• Linux 2.2 kernels
• Stateless
• Support for ICMP subtypes, protocols other
than TCP, UDP and ICMP, and inverse
options.
• Rusty Russell
iptables
• Linux 2.4 kernels
• Stateful
• IPv6 support
• Backwards compatibility modules for ipfwadm and ipchains
• Extensible tests and actions
• Fully modular design
Setting up firewalls
• Triple threat; limited background in:
– Security policies
– TCP/IP (normal and attack patterns)
– Connecting the two with packet filtering and
other security tools.
• Risk in getting it wrong.
• Default allow – easy to get going
• Default deny – orders of magnitude harder
Approaches for creating firewalls
• Prewritten list of rules
• Menu interface with small set of choices
• Menu interface with extensive options
• Automatic construction of rules based on current network setup.
• Letting the firewall build itself 
Prewritten list of rules
+ Good if your network matches the
assumptions
– May need a lot of editing if not
– They tend to be too permissive
Menu interface with small set of choices
+ Good for simple networks
– Poor for complex networks or non-standard
networks
– Poor for non-standard protocols
Menu interface with extensive options
+ Flexible, good for complex networks
– Requires a lot of expertise from the
administrator
Letting the firewall build itself
+ Flexible
+ Doesn’t require in-depth knowledge of
firewall construction
+ Handles simple and complex networks
– May take some time to cover all traffic
types.
The world’s most efficient and literal bouncer
• New bouncer
• Needs to be taught who can go in or out of
the bar
• Told to note individual’s age, whether
they’re part of the owner’s family, which
direction they want to go and whether
they’re carrying firearms, and then ask bar
owner.
Initial bouncer rules
• => Write down characteristics, ask owner
• => block (default policy)
Bouncer rules, part II
• Carrying firearms => block and call police
• => Write down characteristics, ask owner
• => block (default policy)
Bouncer rules, part III
• Carrying firearms => block and call police
• Leaving bar => allow to pass
• => Write down characteristics, ask owner
• => block (default policy)
Bouncer rules, part IV
• Carrying firearms => block and call police
• Leaving bar => allow to pass
• Entering bar, over 21 => allow to pass
• => Write down characteristics, ask owner
• => block (default policy)
Bouncer rules, part V
• Carrying firearms => block and call police
• Leaving bar => allow to pass
• Entering bar, over 21 => allow to pass
• Part of owner’s family => allow to pass
• => Write down characteristics, ask owner
• => block (default policy)
Bouncer rules, part VI
• Carrying firearms => block and call police
• Leaving bar => allow to pass
• Entering bar, over 21 => allow to pass
• Part of owner’s family => allow to pass
• Entering bar, under 21 => block
• => Write down characteristics, ask owner
• => block (default policy)
Bouncer rules, part VII
• Carrying firearms => block and call police
• Leaving bar => allow to pass
• Entering bar, over 21 => allow to pass
• Part of owner’s family => allow to pass
• Entering bar, under 21 => block
• => block (default policy)
Mason and iterative creation
• Start off with empty firewall
• Log all unmatched packets
• Watch logs for new packets
• Add rule that would have matched that traffic
• Keep adding rules until all traffic types
encountered
Iptables log format
Apr 30 21:04:10 sparrow kernel: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=11339 DF PROTO=UDP SPT=33272 DPT=53 LEN=53
Iptables rule format
/sbin/iptables -A OUTPUT -o lo -p udp -s localhost/32 --sport 1024:65535 -d localhost/32 --dport domain -j ACCEPT #domain/udp (O)
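Added example (not part of the original slides and not Mason's own code): a Python sketch of the log-to-rule step shown on the two slides above, turning one netfilter LOG line into the iptables command that would have accepted that packet. The SERVICES and HOSTS tables and the port-widening heuristic in port_pair are assumptions made for illustration.

```python
import re

# Constructed lookup tables (assumptions); a real tool would read /etc/services.
SERVICES = {("udp", 53): "domain", ("tcp", 53): "domain",
            ("tcp", 22): "ssh", ("tcp", 80): "http"}
HOSTS = {"127.0.0.1": "localhost"}  # mirrors the slide's name for loopback

# The LOG line from the slide, joined back onto one line.
SAMPLE = ("Apr 30 21:04:10 sparrow kernel: IN= OUT=lo SRC=127.0.0.1 "
          "DST=127.0.0.1 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=11339 "
          "DF PROTO=UDP SPT=33272 DPT=53 LEN=53")


def parse_log(line):
    """Return the KEY=value fields of a netfilter LOG line as a dict."""
    fields = {}
    for key, value in re.findall(r"\b([A-Z]+)=(\S*)", line):
        fields.setdefault(key, value)  # LEN occurs twice; keep the IP-level one
    return fields


def port_pair(proto, spt, dpt):
    """Name the known service side and widen the ephemeral client side."""
    spt, dpt = int(spt), int(dpt)
    if (proto, dpt) in SERVICES and spt >= 1024:
        return "1024:65535", SERVICES[(proto, dpt)]
    if (proto, spt) in SERVICES and dpt >= 1024:
        return SERVICES[(proto, spt)], "1024:65535"
    return str(spt), str(dpt)  # unknown service: keep exact ports for review


def rule_from_log(line):
    """Build the iptables command that would have accepted the logged packet."""
    f = parse_log(line)
    if not all(k in f for k in ("SRC", "DST", "PROTO")):
        raise ValueError("not a netfilter LOG line")
    inif, outif, proto = f.get("IN", ""), f.get("OUT", ""), f["PROTO"].lower()
    chain = "FORWARD" if inif and outif else "INPUT" if inif else "OUTPUT"
    sport = dport = None
    if proto in ("tcp", "udp") and "SPT" in f and "DPT" in f:
        sport, dport = port_pair(proto, f["SPT"], f["DPT"])
    rule = ["/sbin/iptables", "-A", chain]
    rule += ["-i", inif] if inif else []
    rule += ["-o", outif] if outif else []
    rule += ["-p", proto, "-s", HOSTS.get(f["SRC"], f["SRC"]) + "/32"]
    rule += ["--sport", sport] if sport else []
    rule += ["-d", HOSTS.get(f["DST"], f["DST"]) + "/32"]
    rule += ["--dport", dport] if dport else []
    return " ".join(rule + ["-j", "ACCEPT"])
```

Calling rule_from_log(SAMPLE) reproduces the rule on the slide above, without its trailing comment.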
Live demonstration
We’ll switch over to a Linux laptop for the
demo and rejoin here afterwards.
Customization
• Existing firewall rules
• Allows administrator to make modifications
Starting firewall at boot
• ntsysv, tksysv, or linuxconf
• Manually link /etc/rc.d/init.d/firewall
Troubleshooting
• Turn off the firewall, see if the problem
persists.
• Restart the firewall, try the test, then run:
iptables -L -n -x -v | grep -v '^ *0 *0 ' | less -S
to see which rules have matched any packets.
Current and Future projects
• Cisco IOS
• FreeBSD, OpenBSD and NetBSD – ipfilter
• http://coombs.anu.edu.au/~avalon/
• Other routers and firewalls.
Thanks!
• Linux developers, esp. Rusty Russell
• Chris Brenton (SANS, Altenet)
• Steven Northcutt (SANS)
• ISTS
• Mason contributors – see the Credits section in the HOWTO.
Where to get
• Part of some Linux Distributions
– Debian
– Krud
– Redhat Powertools up to 7.0
• http://mason.stearns.org
• Many other sources
References
• http://mason.stearns.org
• http://netfilter.samba.org
• http://www.linuxdoc.org
• http://www.linuxmonth.com/issue1/articles/security/index.html
• [email protected]
• Questions?