Transcript Firewalls
CSCI 530 Lab Firewalls Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering Proxy Servers Firewall Architecture example netfilter & IPTables Firewall Hardware and/or software device which prevents communication based on a particular policy Basic task is to control traffic between “zones of trust” Example: Filtering traffic between the internet and local intranet Firewall Capabilities Separate your network into logical sections Enforce Security policy Many services are intermittently insecure A firewall limits the amount of exposure of particular services Logs Internet activity Limits your network exposure Firewall limitations Most cannot automatically adapt to new threats Cannot stop a malicious user - IDS Cannot limit traffic that does not pass through it Cannot stop viruses from permeating the network What are you limiting? Email File Transfer Remote Terminal Access and Command Execution HTTP Other information services Information about people, Finger whois Real time conferencing Domain Name Service Network management services Time Service Network File System Network Security Strategies Least Privilege Defense In depth Most fundamental principal User or service is given privileges just for performing specific tasks Don’t just depend on one security mechanism Choke point Forces the attacker to use a narrow channel So now one can monitor activities closely Security Strategies Weakest link or “low hanging fruit” Fail Safe Stance If a system fails, it should deny access to the attacker Default Deny Stance That which is not expressly permitted is prohibited Default Permit Stance That which is not expressly prohibited is Permitted Universal Participation “ a chain is as strong as its weakest link” Attacker is going to go after the weakest link So if you cannot eliminate it, be cautious about it. Every system is involved in defense Diversity of defense Use different types of mechanisms Definitions Host A computer system attached to the network Dual-Homed Host A host with two network interfaces Bastion Host A host which is the portal to a network. It is normally extremely secure. This is normally also a dual-homed host. Packet The fundamental unit of data, used for communication on the internet Firewall – Packet Filtering Set of rules that either allow or disallow traffic to flow through the firewall Can filter based on any information in the Packet Header IP Source Address IP destination address Protocol Source Port Destination Port Message type Interface the packets arrive on and leave Proxy Servers Specialized application or server programs that run on a firewall host Normally a bastion host These programs sit in between the internal users and servers outside serving for internet applications like telnet, ftp, http… So instead of talking directly to the external server the requests pass through the proxy Also called as application level gateways Proxy servers How do they work Proxy server ‘Ps’ Proxy client ‘Pc’ Pc talks to the Ps which intern talks to the real server for it, Before that it checks the security policy and decides whether to go ahead with the connection or not. Firewall Architectures Dual-Homed Bastion Host INTERNET Firewall Dual Homed Host Firewall Architectures Dual-Homed Bastion Host Dual homed Host Firewall Built around dual homed bastion host Host are capable of routing packets between networks The host sits between the networks, filtering the traffic between the two It only provides services by proxy Netfilter http://www.netfilter.org/ The software of the packet filtering framework inside the Linux 2.4.x and 2.6.x kernel series. Enables packet filtering, network address [and port] translation (NA[P]T). It is the re-designed and heavily improved successor of ipchains and ipfwadm set of hooks inside the Linux kernel allows kernel modules to register callback functions with the network stack A registered callback function is then called back for every packet that traverses the respective hook within the network stack. IPtables an interface to the kernel for firewall rules inserts and deletes rules from the kernel's packet filtering table IPtables and netfilter make the backbone of packet-filtering based linux firewalls Packet Filtering - IPtables A packet is checked against the rule chains and its fate is decided by the chain Three sets of rule Chains A packet comes in, kernel checks for the destination (routing) If it is for this host, it is passed to INPUT chain If forwarding enabled, the packet is forwarded to the destination if it is ACCEPTED by the FORWARD chain If packet is generated in the same box and is being issued out, the OUTPUT chain is referred. Rules are matched in a chain in a chronological order looking for a match, If no match is found till the end, decision is taken according to your security policy INPUT FORWARD OUTPUT IPTables Example iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP -A append the rule to the input chain -s source ip -p protocol -j action to be taken