CSCI 530 Lab: Firewalls

Overview
- Firewalls
  - Capabilities
  - Limitations
  - What are we limiting with a firewall?
- General network security strategies
- Packet filtering
- Proxy servers
- Firewall architecture example
- netfilter and iptables
Firewall
- A hardware and/or software device that prevents communication based on a particular policy
- Its basic task is to control traffic between "zones of trust"
  - Example: filtering traffic between the Internet and the local intranet
Firewall Capabilities
- Separate your network into logical sections
- Enforce the security policy
  - Many services are intermittently insecure
  - A firewall limits how much a particular service is exposed
- Log Internet activity
- Limit your network's exposure
Firewall Limitations
- Most cannot automatically adapt to new threats
- Cannot stop a malicious user; that is the job of an IDS
- Cannot limit traffic that does not pass through it
- Cannot stop viruses from spreading through the network
What Are You Limiting?
- Email
- File transfer
- Remote terminal access and command execution
- HTTP
- Other information services
- Information about people (finger, whois)
- Real-time conferencing
- Domain Name Service
- Network management services
- Time service
- Network File System
Network Security Strategies
- Least privilege
  - The most fundamental principle
  - A user or service is given only the privileges needed to perform its specific tasks
- Defense in depth
  - Don't depend on just one security mechanism
- Choke point
  - Forces the attacker to use a narrow channel
  - So one can monitor activities closely at that point
Security Strategies
- Weakest link, or "low-hanging fruit"
  - "A chain is only as strong as its weakest link"
  - The attacker is going to go after the weakest link
  - So if you cannot eliminate it, be cautious about it
- Fail-safe stance
  - If a system fails, it should deny access to the attacker
  - Default deny stance: that which is not expressly permitted is prohibited
  - Default permit stance: that which is not expressly prohibited is permitted
- Universal participation
  - Every system is involved in defense
- Diversity of defense
  - Use different types of mechanisms
Definitions
- Host
  - A computer system attached to the network
- Dual-homed host
  - A host with two network interfaces
- Bastion host
  - A host that is the portal to a network. It is normally extremely secure, and is normally also a dual-homed host.
- Packet
  - The fundamental unit of data used for communication on the Internet
Firewall – Packet Filtering
- A set of rules that either allow or disallow traffic to flow through the firewall
- Can filter based on any information in the packet header:
  - IP source address
  - IP destination address
  - Protocol
  - Source port
  - Destination port
  - Message type
  - Interface the packet arrives on and leaves by
Proxy Servers
- Specialized application or server programs that run on a firewall host
  - Normally a bastion host
- These programs sit between the internal users and the servers outside, serving Internet applications like telnet, ftp, http, ...
- So instead of talking directly to the external server, the requests pass through the proxy
- Also called application-level gateways

Proxy Servers – How Do They Work
- Proxy server 'Ps'
- Proxy client 'Pc'
- Pc talks to Ps, which in turn talks to the real server on its behalf
- Before that, Ps checks the security policy and decides whether or not to go ahead with the connection
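The Pc / Ps exchange described above, as an added example that is not part of the course material: a minimal application-level gateway on the loopback interface. The one-line "CONNECT host port" request format, the upper-casing "real server" and the policy table are all constructed for this illustration; the point is that Ps consults the policy before it opens any connection on the client's behalf, so a destination that is reachable by address but absent from the policy is refused.

```python
"""Toy application-level gateway (added example, not course code).
Pc sends Ps one line 'CONNECT host port' and one line of payload; Ps checks
its policy table and only then connects to the real server, relays the
payload, and returns the single-line reply. Everything runs on 127.0.0.1."""
import socket
import threading


def _listen() -> socket.socket:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))      # port 0: let the OS choose a free port
    s.listen()
    return s


def _serve(sock: socket.socket, handler) -> None:
    """Accept connections forever, one daemon thread per client."""
    while True:
        conn, _ = sock.accept()
        threading.Thread(target=handler, args=(conn,), daemon=True).start()


def start_real_server() -> int:
    """Constructed 'real server': replies with the upper-cased request line."""
    def handle(conn):
        with conn:
            f = conn.makefile("rwb")
            f.write(f.readline().upper())
            f.flush()
    s = _listen()
    threading.Thread(target=_serve, args=(s, handle), daemon=True).start()
    return s.getsockname()[1]


def start_proxy(policy: set) -> int:
    """Ps: enforce the policy first, then relay one request/response pair.
    policy is a set of (host, port) destinations internal users may reach."""
    def handle(conn):
        with conn:
            f = conn.makefile("rwb")
            _, host, port = f.readline().decode().split()   # "CONNECT host port"
            payload = f.readline()
            if (host, int(port)) not in policy:              # policy check before connecting
                f.write(b"DENIED by policy\n")
                f.flush()
                return
            with socket.create_connection((host, int(port))) as upstream:
                uf = upstream.makefile("rwb")
                uf.write(payload)
                uf.flush()
                f.write(uf.readline())                       # relay the server's reply
                f.flush()
    s = _listen()
    threading.Thread(target=_serve, args=(s, handle), daemon=True).start()
    return s.getsockname()[1]


def proxy_request(proxy_port: int, host: str, port: int, payload: bytes) -> bytes:
    """Pc: ask Ps to reach host:port for us and return the one-line reply."""
    with socket.create_connection(("127.0.0.1", proxy_port)) as c:
        f = c.makefile("rwb")
        f.write(f"CONNECT {host} {port}\n".encode() + payload + b"\n")
        f.flush()
        return f.readline().rstrip(b"\n")


def demo() -> dict:
    allowed_port = start_real_server()
    other_port = start_real_server()       # reachable by address, but not in the policy
    proxy_port = start_proxy({("127.0.0.1", allowed_port)})
    return {
        "allowed": proxy_request(proxy_port, "127.0.0.1", allowed_port, b"hello"),
        "denied": proxy_request(proxy_port, "127.0.0.1", other_port, b"hello"),
    }


if __name__ == "__main__":
    print(demo())
```

Because the client only ever opens a TCP connection to Ps, a packet filter on the bastion host can drop every direct client-to-Internet flow and still let the application work; the proxy becomes the choke point where the policy is enforced and the activity can be logged.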
Firewall Architectures – Dual-Homed Bastion Host
[Figure: the Internet on one side, the dual-homed host acting as the firewall, the internal network on the other side]

Dual-Homed Host Firewall
- Built around a dual-homed bastion host
- A host with two interfaces is capable of routing packets between the networks
- The host sits between the networks, filtering the traffic between the two
- It provides services only by proxy
Netfilter
http://www.netfilter.org/
- The packet filtering framework inside the Linux 2.4.x and 2.6.x kernel series
- Enables packet filtering and network address [and port] translation (NA[P]T)
- It is the redesigned and heavily improved successor of ipchains and ipfwadm
- A set of hooks inside the Linux kernel
  - Allows kernel modules to register callback functions with the network stack
  - A registered callback function is then called for every packet that traverses the respective hook within the network stack

iptables
- An interface to the kernel for firewall rules
- Inserts and deletes rules from the kernel's packet filtering table
- iptables and netfilter form the backbone of packet-filtering based Linux firewalls
Packet Filtering – iptables
- A packet is checked against the rule chains, and its fate is decided by the chain
- Three sets of rule chains: INPUT, FORWARD, OUTPUT
  - A packet comes in; the kernel checks the destination (routing decision)
  - If it is for this host, it is passed to the INPUT chain
  - If forwarding is enabled, the packet is forwarded to its destination only if it is ACCEPTed by the FORWARD chain
  - If the packet is generated on the same box and is being sent out, the OUTPUT chain is consulted
- Rules in a chain are matched in order, top to bottom, and the first match decides
- If no match is found by the end of the chain, the decision is taken according to the chain's default policy (your security policy: default deny or default permit)
iptables Example

    iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP

- -A: append the rule to the named chain (here INPUT)
- -s: source IP address
- -p: protocol (here ICMP)
- -j: action to be taken when the rule matches, i.e. the target to jump to (here DROP)
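To make the chain semantics from the last three slides concrete, here is an added example (not course code, and not the real netfilter implementation) that models the routing decision, the three chains, first-match rule evaluation and the default policy in pure Python, and parses the slide's `iptables -A ...` command line into a rule. It goes a little beyond the slide by also handling `-d`, `--sport`, `--dport`, `-i` and `-o` and CIDR source/destination networks; all addresses, interface names and the two rule sets below are constructed for the illustration.

```python
"""Toy model of how netfilter/iptables decides a packet's fate (added example).
The routing decision selects INPUT, FORWARD or OUTPUT; rules in that chain are
tried in order and the first match wins; with no match the chain's default
policy applies (DROP = default deny, ACCEPT = default permit)."""
import ipaddress
import shlex
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    in_iface: Optional[str] = None   # interface the packet arrived on
    out_iface: Optional[str] = None  # interface it would leave by


@dataclass
class Rule:
    target: str                      # -j ACCEPT or -j DROP
    src: Optional[str] = None        # -s  address or CIDR network
    dst: Optional[str] = None        # -d
    proto: Optional[str] = None      # -p
    sport: Optional[int] = None      # --sport
    dport: Optional[int] = None      # --dport
    in_iface: Optional[str] = None   # -i
    out_iface: Optional[str] = None  # -o

    def matches(self, p: Packet) -> bool:
        """A field left unset in the rule matches anything (as in iptables)."""
        def in_net(addr, net):
            return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)
        return (in_net(p.src, self.src) and in_net(p.dst, self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport)
                and (self.in_iface is None or self.in_iface == p.in_iface)
                and (self.out_iface is None or self.out_iface == p.out_iface))


@dataclass
class Chain:
    name: str
    policy: str = "DROP"             # fate when no rule matches
    rules: list = field(default_factory=list)

    def verdict(self, p: Packet) -> str:
        for rule in self.rules:      # in order; the first match decides
            if rule.matches(p):
                return rule.target
        return self.policy


class Firewall:
    def __init__(self, local_addrs, forwarding=True, policy="DROP"):
        self.local_addrs = set(local_addrs)
        self.forwarding = forwarding
        self.chains = {n: Chain(n, policy) for n in ("INPUT", "FORWARD", "OUTPUT")}

    def add_rule(self, cmdline: str) -> None:
        """Parse 'iptables -A CHAIN [matches] -j TARGET' into a Rule and append it."""
        args = shlex.split(cmdline)
        if args[:2] != ["iptables", "-A"]:
            raise ValueError("only 'iptables -A CHAIN ...' is modelled here")
        chain, opts = args[2], dict(zip(args[3::2], args[4::2]))
        rule = Rule(target=opts["-j"], src=opts.get("-s"), dst=opts.get("-d"),
                    proto=opts.get("-p"),
                    sport=int(opts["--sport"]) if "--sport" in opts else None,
                    dport=int(opts["--dport"]) if "--dport" in opts else None,
                    in_iface=opts.get("-i"), out_iface=opts.get("-o"))
        self.chains[chain].rules.append(rule)    # -A appends at the end of the chain

    def select_chain(self, p: Packet, locally_generated=False) -> Optional[str]:
        """The routing decision: which of the three chains sees this packet."""
        if locally_generated:
            return "OUTPUT"
        if p.dst in self.local_addrs:
            return "INPUT"
        return "FORWARD" if self.forwarding else None

    def filter(self, p: Packet, locally_generated=False) -> str:
        chain = self.select_chain(p, locally_generated)
        if chain is None:
            return "DROP"                        # forwarding disabled: never reaches a chain
        return self.chains[chain].verdict(p)


def demo() -> dict:
    # Default-permit host carrying the slide's rule: only ICMP from localhost is dropped.
    permit = Firewall(local_addrs={"127.0.0.1", "10.0.0.5"}, policy="ACCEPT")
    permit.add_rule("iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP")
    # Default-deny bastion forwarding between eth0 (Internet) and eth1 (intranet); constructed addresses.
    deny = Firewall(local_addrs={"203.0.113.1"}, policy="DROP")
    deny.add_rule("iptables -A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.10 --dport 80 -j ACCEPT")
    deny.add_rule("iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT")
    return {
        "loopback_ping": permit.filter(Packet("127.0.0.1", "127.0.0.1", "icmp")),
        "loopback_tcp": permit.filter(Packet("127.0.0.1", "127.0.0.1", "tcp", 40000, 22)),
        "web_in": deny.filter(Packet("198.51.100.7", "192.168.1.10", "tcp", 51000, 80, "eth0", "eth1")),
        "smtp_in": deny.filter(Packet("198.51.100.7", "192.168.1.10", "tcp", 51000, 25, "eth0", "eth1")),
        "admin_ssh": deny.filter(Packet("192.168.1.20", "203.0.113.1", "tcp", 50000, 22, "eth1")),
        "outside_ssh": deny.filter(Packet("198.51.100.7", "203.0.113.1", "tcp", 50000, 22, "eth0")),
    }
```

The two rule sets show the two stances from the strategy slides side by side: the default-permit host lets everything through except what a rule explicitly drops, while the default-deny bastion drops the SMTP and outside SSH packets simply because no rule accepts them. Real iptables differs in details this toy omits (connection tracking, NAT tables, chain jumps, the `-m` match extensions), but the order-dependent first-match evaluation and the role of the chain policy are the same.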