Transcript Firewalls
CSCI 530 Lab
Firewalls
Overview
Firewalls
Capabilities
Limitations
What are we limiting with a firewall?
General Network Security Strategies
Packet Filtering
Proxy Servers
Firewall Architecture example
netfilter & IPTables
Firewall
Hardware and/or software device which prevents communication based on a particular policy
Basic task is to control traffic between “zones of trust”
Example: Filtering traffic between the internet and the local intranet
Firewall Capabilities
Separate your network into logical sections
Enforce Security policy
Many services are intermittently insecure
A firewall limits the amount of exposure of particular services
Logs Internet activity
Limits your network exposure
Firewall limitations
Most cannot automatically adapt to new threats
Cannot stop a malicious user (detecting one is the role of an IDS)
Cannot limit traffic that does not pass through it
Cannot stop viruses from permeating the network
What are you limiting?
Email
File Transfer
Remote Terminal Access and Command Execution
HTTP
Other information services
Information about people (finger, whois)
Real time conferencing
Domain Name Service
Network management services
Time Service
Network File System
Network Security Strategies
Least Privilege
Most fundamental principle
User or service is given privileges just for performing specific tasks
Defense In Depth
Don’t just depend on one security mechanism
Choke Point
Forces the attacker to use a narrow channel
So now one can monitor activities closely
Security Strategies
Weakest Link or “low hanging fruit”
“A chain is as strong as its weakest link”
Attacker is going to go after the weakest link
So if you cannot eliminate it, be cautious about it.
Fail Safe Stance
If a system fails, it should deny access to the attacker
Default Deny Stance
That which is not expressly permitted is prohibited
Default Permit Stance
That which is not expressly prohibited is permitted
Universal Participation
Every system is involved in defense
Diversity of Defense
Use different types of mechanisms
Definitions
Host
A computer system attached to the network
Dual-Homed Host
A host with two network interfaces
Bastion Host
A host which is the portal to a network. It is normally extremely secure, and normally also a dual-homed host.
Packet
The fundamental unit of data used for communication on the internet
Firewall – Packet Filtering
Set of rules that either allow or disallow traffic to flow through the firewall
Can filter based on any information in the packet header:
IP source address
IP destination address
Protocol
Source port
Destination port
Message type
Interface the packet arrives on or leaves by
Proxy Servers
Specialized application or server programs that run on a firewall host, normally a bastion host
These programs sit between the internal users and the servers outside, serving internet applications like telnet, ftp, http…
So instead of talking directly to the external server, the requests pass through the proxy
Also called application-level gateways
Proxy servers
How do they work
Proxy server ‘Ps’
Proxy client ‘Pc’
Pc talks to Ps, which in turn talks to the real server on its behalf
Before that, Ps checks the security policy and decides whether to go ahead with the connection or not.
Firewall Architectures
Dual-Homed Bastion Host
[Diagram: INTERNET <-> Firewall (Dual-Homed Host) <-> local intranet]
Dual-Homed Host Firewall
Built around a dual-homed bastion host
Such a host is capable of routing packets between the two networks
The host sits between the networks, filtering the traffic between the two
It provides services only by proxy
Netfilter
http://www.netfilter.org/
The software of the packet filtering framework inside the Linux 2.4.x and 2.6.x kernel series.
Enables packet filtering, network address [and port] translation (NA[P]T).
It is the re-designed and heavily improved successor of ipchains and ipfwadm
A set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack
A registered callback function is then called back for every packet that traverses the respective hook within the network stack.
IPtables
An interface to the kernel for firewall rules
Inserts and deletes rules from the kernel's packet filtering table
IPtables and netfilter make up the backbone of packet-filtering based Linux firewalls
Packet Filtering - IPtables
A packet is checked against the rule chains and its fate is decided by the chain
Three sets of rule chains: INPUT, FORWARD, OUTPUT
A packet comes in; the kernel first checks the destination (routing decision)
If it is for this host, it is passed to the INPUT chain
If forwarding is enabled, the packet is forwarded to its destination if it is ACCEPTED by the FORWARD chain
If the packet is generated on the same box and is being sent out, the OUTPUT chain is consulted
Rules in a chain are matched in order, top to bottom, and the first matching rule decides the packet's fate
If no rule matches by the end of the chain, the decision is taken according to the chain's default policy, i.e. your security policy (default deny or default permit)
IPTables Example
iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
-A append the rule to the INPUT chain
-s source IP address
-p protocol (here ICMP)
-j target, the action to be taken (here DROP)
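The chain traversal described in the packet-filtering slides, as an added illustration written for this summary (it is not part of netfilter or iptables): a small Python model that picks INPUT, FORWARD or OUTPUT from the routing decision, walks the chosen chain in order, applies the first matching rule, and falls back to the chain's default policy. It accepts rules in the lab's `iptables -A ...` syntax but models only -s, -p, --dport and -j; the host addresses used with it are constructed.

```python
import ipaddress
import shlex
from collections import namedtuple
from dataclasses import dataclass

# a packet as seen by the filter: only the header fields the lab lists as filterable are kept
Packet = namedtuple("Packet", "src dst proto dport", defaults=(0,))

@dataclass
class Rule:             # only the -s, -p, --dport and -j options are modelled
    target: str         # -j: ACCEPT or DROP
    src: str = ""       # -s: address or CIDR ("" = any)
    proto: str = ""     # -p ("" = any)
    dport: int = -1     # --dport (-1 = any)

    def matches(self, pkt) -> bool:
        # every criterion present in the rule must hold; absent ones match anything
        return ((not self.src or ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src, strict=False))
                and (not self.proto or self.proto == pkt.proto)
                and (self.dport < 0 or self.dport == pkt.dport))

class Chain:
    def __init__(self, policy: str = "ACCEPT"):
        self.rules, self.policy = [], policy    # policy: fate when no rule matches
    def verdict(self, pkt) -> str:
        for rule in self.rules:                 # rules are tried in order; first match wins
            if rule.matches(pkt):
                return rule.target
        return self.policy                      # end of chain reached: the default policy decides

class Firewall:
    def __init__(self, local_addrs, forwarding: bool = False):
        self.chains = {name: Chain() for name in ("INPUT", "FORWARD", "OUTPUT")}
        self.local_addrs, self.forwarding = set(local_addrs), forwarding
    def add(self, cmdline: str) -> None:
        # append a rule written in the lab's "iptables -A CHAIN ... -j TARGET" form
        argv = shlex.split(cmdline)
        opts = dict(zip(argv[1::2], argv[2::2]))    # option/value pairs after "iptables"
        self.chains[opts["-A"]].rules.append(Rule(target=opts["-j"], src=opts.get("-s", ""),
                                                  proto=opts.get("-p", ""), dport=int(opts.get("--dport", -1))))
    def decide(self, pkt, generated_locally: bool = False) -> str:
        # routing decision first, then the chain, as the lab describes
        if generated_locally:
            return self.chains["OUTPUT"].verdict(pkt)
        if pkt.dst in self.local_addrs:
            return self.chains["INPUT"].verdict(pkt)
        if self.forwarding:
            return self.chains["FORWARD"].verdict(pkt)
        return "DROP"   # not for this host and forwarding disabled: the kernel does not route it
```

Setting `fw.chains["INPUT"].policy = "DROP"` before adding rules gives the default-deny stance from the strategy slides; leaving it at ACCEPT is the default-permit stance.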