Transcript Firewall
Firewalls
By conventional definition, a firewall is a partition made
of fireproof material designed to prevent the spread
of fire from one part of a building to another.
firewall: isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others.
(Figure: privately administered network 222.22/16 -- firewall -- Internet)
Polytechnic University
Introduction
1
Firewall goals:
All traffic from outside to inside and vice versa passes through the firewall.
Only authorized traffic, as defined by local
security policy, will be allowed to pass.
The firewall itself is immune to
penetration.
Firewalls: taxonomy
1. Traditional packet filters
   filters often combined with router, creating a firewall
   Major firewall vendors: Checkpoint, Cisco PIX
2. Stateful filters
3. Application gateways
Traditional packet filters
Analyzes each datagram going through it; makes drop decision based on:
source IP address
destination IP address
source port
destination port
TCP flag bits
   SYN bit set: datagram for connection initiation
   ACK bit set: part of established connection
TCP or UDP or ICMP
   Firewalls often configured to block all UDP
direction
   Is the datagram leaving or entering the internal network?
router interface
   decisions can be different for different interfaces
Filtering Rules - Examples
Policy                                                        | Firewall Setting
--------------------------------------------------------------|---------------------------------------------------------------------
No outside Web access.                                        | Drop all outgoing packets to any IP address, port 80
External connections to public Web server only.               | Drop all incoming TCP SYN packets to any IP except 222.22.44.203, port 80
Prevent IPTV from eating up the available bandwidth.          | Drop all incoming UDP packets - except DNS and router broadcasts.
Prevent your network from being used for a Smurf DoS attack.  | Drop all ICMP packets going to a “broadcast” address (e.g. 222.22.255.255).
Prevent your network from being tracerouted                   | Drop all outgoing ICMP
Access control lists
Apply rules from top to bottom:

action | source address        | dest address          | protocol | source port | dest port | flag bit
-------|-----------------------|-----------------------|----------|-------------|-----------|---------
allow  | 222.22/16             | outside of 222.22/16  | TCP      | > 1023      | 80        | any
allow  | outside of 222.22/16  | 222.22/16             | TCP      | 80          | > 1023    | ACK
allow  | 222.22/16             | outside of 222.22/16  | UDP      | > 1023      | 53        | ---
allow  | outside of 222.22/16  | 222.22/16             | UDP      | 53          | > 1023    | ---
deny   | all                   | all                   | all      | all         | all       | all
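The first-match semantics of the access control list above, written out as an added Python example (not code from the slides). Each column of the table becomes a predicate, the five rows become a list of rules, and decide() walks the list top to bottom exactly as the slide describes; the 222.22/16 network is the slides' own, the sample packets are constructed. The last sample shows the weakness the stateful-filter slides address later: any segment from source port 80 with ACK set matches row 2, whether or not an internal host ever opened that connection.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, FrozenSet

# The slides' internal network, 222.22/16
INTERNAL = ipaddress.ip_network("222.22.0.0/16")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                           # "TCP", "UDP" or "ICMP"
    sport: int = 0                       # 0 for protocols without ports (ICMP)
    dport: int = 0
    flags: FrozenSet[str] = frozenset()  # TCP flag bits that are set, e.g. {"SYN"} or {"ACK"}


# Column predicates: one per ACL column, each returning True when the field matches
def any_value(_):
    return True

def inside(addr):
    return ipaddress.ip_address(addr) in INTERNAL

def outside(addr):
    return ipaddress.ip_address(addr) not in INTERNAL

def equals(value):
    return lambda field: field == value

def greater_than(n):
    return lambda port: port > n

def flag_set(name):
    return lambda flags: name in flags


@dataclass(frozen=True)
class Rule:
    action: str
    src: Callable[[str], bool]
    dst: Callable[[str], bool]
    proto: Callable[[str], bool]
    sport: Callable[[int], bool]
    dport: Callable[[int], bool]
    flag: Callable[[FrozenSet[str]], bool]

    def matches(self, pkt: Packet) -> bool:
        return (self.src(pkt.src) and self.dst(pkt.dst) and self.proto(pkt.proto)
                and self.sport(pkt.sport) and self.dport(pkt.dport) and self.flag(pkt.flags))


# The slide's five rows, in order. "---" in the slide's flag column means no constraint.
ACL = [
    Rule("allow", inside, outside, equals("TCP"), greater_than(1023), equals(80), any_value),
    Rule("allow", outside, inside, equals("TCP"), equals(80), greater_than(1023), flag_set("ACK")),
    Rule("allow", inside, outside, equals("UDP"), greater_than(1023), equals(53), any_value),
    Rule("allow", outside, inside, equals("UDP"), equals(53), greater_than(1023), any_value),
    Rule("deny", any_value, any_value, any_value, any_value, any_value, any_value),
]


def decide(pkt: Packet, acl=ACL):
    """Apply rules top to bottom; the first matching rule decides.
    Returns (action, 1-based rule number), or ("deny", 0) if no rule matched."""
    for number, rule in enumerate(acl, start=1):
        if rule.matches(pkt):
            return rule.action, number
    return "deny", 0


if __name__ == "__main__":
    # Constructed sample traffic: the web session from the stateful-filter slide plus some strays
    samples = [
        Packet("222.22.1.7", "37.96.87.123", "TCP", 12699, 80, frozenset({"SYN"})),
        Packet("37.96.87.123", "222.22.1.7", "TCP", 80, 12699, frozenset({"ACK"})),
        Packet("198.51.100.9", "222.22.44.203", "TCP", 40000, 80, frozenset({"SYN"})),
        Packet("222.22.1.7", "198.51.100.53", "UDP", 5353, 53),
        Packet("198.51.100.9", "222.22.255.255", "ICMP"),
        Packet("198.51.100.9", "222.22.1.7", "TCP", 80, 5000, frozenset({"ACK"})),  # no connection, still allowed
    ]
    for p in samples:
        print(p.src, "->", p.dst, p.proto, decide(p))
```

Because a packet is judged only by the first row it matches, the order of the rows is part of the policy: putting the deny row first would block everything, and an allow row added below it would never be reached. This is the same property the later iptables slides describe for -A (append) versus -I (insert at the top).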
Access control lists
Each router/firewall interface can have its
own ACL
Most firewall vendors provide both
command-line and graphical configuration
interface
Advantages and disadvantages of
traditional packet filters
Advantages
One screening router can protect entire network
Can be efficient if filtering rules are kept simple
Widely available. Almost any router, even Linux boxes
Disadvantages
Can possibly be penetrated
Cannot enforce some policies. For example, permit
certain users.
Rules can get complicated and difficult to test
Firewall Lab: iptables
Converts linux box into a packet filter.
Included in most linux distributions today.
(Figure: linux host -- linux host w/ iptables -- external network. Your job: configure the host w/ iptables.)
Firewall lab: iptables
iptables
Provides firewall capability to a linux host
Comes installed with most linux distributions
Three types of tables: FILTER, NAT, MANGLE
Let’s only consider FILTER table for now
Network or host firewall?
Network firewall: linux host with 2 interfaces:
(Figure: protected network -- linux host w/ iptables, filter table -- Internet)
Host firewall: linux host with 1 interface:
(Figure: linux host w/ iptables, filter table -- network)
Chain types for host firewall
(Figure: INPUT chain: packets arriving from the network at the linux host w/ iptables. OUTPUT chain: packets leaving the linux host w/ iptables toward the network.)
INPUT, OUTPUT, FORWARD
CHAINS for network firewall
INPUT chain applies for all packets
destined to firewall
OUTPUT chain applies for all packets
originating from firewall
FORWARD chain applies for all packets
passing through firewall.
Chain types for network firewall
(Figure: three panels of protected network -- linux host w/ iptables -- Internet, highlighting in turn the INPUT chain, the OUTPUT chain and the FORWARD chain)
iptables: Example command
iptables -A INPUT -i eth0 -s 232.16.4.0/24 -j ACCEPT
Sets a rule
Accepts packets that enter from interface eth0
and have source address in 232.16.4/24
Kernel applies the rules in order.
The first rule that matches packet determines
the action for that packet
Append: -A
Adds rule to bottom of list of existing rules
iptables: Example command
iptables -A INPUT -i eth0 -j DROP
Sets a rule
Drops all packets that enter from interface eth0
(except for those accepted by previous rules)
DENY was an ipchains target; iptables uses DROP (discard silently) or REJECT (discard and send an error back)
iptables: More examples
iptables -L
list current rules
iptables -F
flush all rules
iptables -D INPUT 2
deletes 2nd rule in INPUT chain
iptables -I INPUT 1 -p tcp --syn -s 232.16.4.0/24 -d 0/0 --dport 22 -j ACCEPT
-I INPUT 1: insert INPUT rule at top
Accept TCP SYNs from 232.16.4.0/24 to firewall port 22 (ssh); --syn matches segments with SYN set and ACK, RST, FIN clear
iptables Options
-p protocol type (tcp, udp, icmp)
-s source IP address or network in CIDR form (the port is given separately with --sport)
-d dest IP address or network (the port is given separately with --dport)
-i interface name (lo, ppp0, eth0)
-j target (ACCEPT, DROP, REJECT, LOG)
-j LOG log this packet (in iptables logging is a target; the ipchains -l option does not exist)
--sport source port
--dport dest port
--icmp-type ICMP message type (with -p icmp)
iptables table types
FILTER:
What we have been talking about!
3 chain types: INPUT, OUTPUT, and FORWARD
NAT:
Hide internal network hosts from outside world.
Outside world only sees the gateway’s external
IP address, and no other internal IP addresses
PREROUTING, POSTROUTING, and others
MANGLE
Don’t worry about it.
Tables, Chains & Rules
Three types of tables: FILTER, NAT,
MANGLE
A table consists of chains.
For example, a filter table can have an INPUT
chain, OUTPUT chain, and a FORWARD chain.
A chain consists of a set of rules.
Firewall Lab
(Figure: m1 -- m2 -- m3)
Configure m2 with iptables.
Firewall Lab: Part A
Configure NAT in m2 using NAT table with
POSTROUTING chain:
MASQUERADE packets so that internal IP
addresses are hidden from external network
From m1 and m3, only allow ssh to external
network
This NAT configuration will remain in force
throughout the lab
Firewall Lab: Part B
Rules for packets originating from or
terminating at m2 (the gateway):
Allow ssh connections originating from m2
and destined to m2.
Allow pings originating from m2 and
destined to m2.
Block all other traffic to or from m2.
Hint: Part B requires INPUT and OUTPUT
chains but no FORWARD chain
Firewall Lab: Part C
Flush filter table rules from Part B.
Allow only m1 (and not m3) to initiate an
ssh session to hosts in the external
network
Reject all other traffic
Hint: Part C requires FORWARD, INPUT
and OUTPUT chains
Stateful Filters
In earlier example, any packet with ACK=1
and source port 80 gets in.
Attacker could, for example, attempt a
malformed packet attack by sending ACK=1
segments
Stateful filter: Adds more intelligence to
the filter decision-making process
Stateful = remember past packets
Memory implemented in a very dynamic state
table
Stateful filters: example
• Log each TCP connection initiated through firewall: SYN segment
• Timeout entries which see no activity for, say, 60 seconds
source address | dest address   | source port | dest port
---------------|----------------|-------------|----------
222.22.1.7     | 37.96.87.123   | 12699       | 80
222.22.93.2    | 199.1.205.23   | 37654       | 80
222.22.65.143  | 203.77.240.43  | 48712       | 80
If rule table indicates that stateful table must be checked:
check to see if there is already a connection in stateful table
Stateful filters can also remember outgoing UDP segments
Stateful example
1) Packet arrives from outside: SA=37.96.87.123, SP=80,
DA=222.22.1.7, DP=12699, SYN=0, ACK=1
2) Check filter table ➜ check stateful table
action | source address        | dest address          | proto | source port | dest port | flag bit | check conxion
-------|-----------------------|-----------------------|-------|-------------|-----------|----------|--------------
allow  | 222.22/16             | outside of 222.22/16  | TCP   | > 1023      | 80        | any      |
allow  | outside of 222.22/16  | 222.22/16             | TCP   | 80          | > 1023    | ACK      | x
allow  | 222.22/16             | outside of 222.22/16  | UDP   | > 1023      | 53        | ---      |
allow  | outside of 222.22/16  | 222.22/16             | UDP   | 53          | > 1023    | ---      | x
deny   | all                   | all                   | all   | all         | all       | all      |
3) Connection is listed in connection table ➜ let packet through
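The connection-table side of the stateful filter, replayed as an added Python example (not code from the slides). It assumes the stateless rule table has already matched the packet and flagged it "check connection"; this code only keeps the table the slides describe: an outgoing TCP SYN (or an outgoing UDP datagram) creates an entry, an incoming packet is allowed only if the reversed 4-tuple is present, and entries idle for more than 60 seconds are timed out. The 222.22/16 network and the 222.22.1.7 / 37.96.87.123 session are the slides' own; the forged-ACK and late-reply packets are constructed, and time is passed in explicitly so the replay is deterministic.

```python
import ipaddress
from dataclasses import dataclass, field

INTERNAL = ipaddress.ip_network("222.22.0.0/16")   # the slides' internal network
IDLE_TIMEOUT = 60.0                                  # seconds; the slide's "say, 60 seconds"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "TCP" or "UDP"
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass
class StatefulFilter:
    # Connection table: (internal addr, external addr, internal port, external port) -> last activity time
    table: dict = field(default_factory=dict)

    def expire(self, now: float) -> int:
        """Remove entries idle for longer than IDLE_TIMEOUT; return how many were removed."""
        stale = [k for k, seen in self.table.items() if now - seen > IDLE_TIMEOUT]
        for k in stale:
            del self.table[k]
        return len(stale)

    def handle(self, pkt: Packet, now: float) -> str:
        """Decide 'allow' or 'deny' for a packet seen at time `now` (seconds)."""
        self.expire(now)
        src_in = ipaddress.ip_address(pkt.src) in INTERNAL
        dst_in = ipaddress.ip_address(pkt.dst) in INTERNAL
        if src_in and not dst_in:
            key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
            # A connection initiation (TCP SYN) or an outgoing UDP datagram creates an entry;
            # any other outbound packet of a known connection just refreshes its timestamp.
            if (pkt.proto == "TCP" and pkt.syn and not pkt.ack) or pkt.proto == "UDP" or key in self.table:
                self.table[key] = now
            return "allow"
        if dst_in and not src_in:
            # Incoming: the rule table said "check connection", so the reversed 4-tuple
            # must already be in the table; otherwise the packet is denied.
            key = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
            if key in self.table:
                self.table[key] = now
                return "allow"
            return "deny"
        return "deny"   # packets that do not cross the internal/external boundary are not expected here


def demo():
    """Replay the slide's scenario plus a forged ACK and a timed-out reply; return the decisions."""
    fw = StatefulFilter()
    trace = []
    # 1) internal host 222.22.1.7:12699 opens a web connection to 37.96.87.123:80 (SYN logged)
    trace.append(fw.handle(Packet("222.22.1.7", "37.96.87.123", "TCP", 12699, 80, syn=True), 0.0))
    # 2) the slide's packet: SA=37.96.87.123, SP=80, DA=222.22.1.7, DP=12699, SYN=0, ACK=1
    trace.append(fw.handle(Packet("37.96.87.123", "222.22.1.7", "TCP", 80, 12699, ack=True), 0.1))
    # 3) an ACK=1 segment from port 80 of a host nobody connected to (constructed) is refused,
    #    although the stateless ACL row "allow outside->inside TCP 80 >1023 ACK" would pass it
    trace.append(fw.handle(Packet("203.0.113.9", "222.22.1.7", "TCP", 80, 12699, ack=True), 0.2))
    # 4) after more than 60 s without traffic the entry has expired, so a late reply is refused
    trace.append(fw.handle(Packet("37.96.87.123", "222.22.1.7", "TCP", 80, 12699, ack=True), 90.0))
    return trace


if __name__ == "__main__":
    print(demo())   # decisions for steps 1-4 in order
```

The table is keyed on the full 4-tuple, so a reply is accepted only from the host and port the internal client actually talked to; the timeout keeps the table from growing without bound when connections end without the firewall seeing a clean close.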
Application gateways
(aka proxy gateways)
Gateway sits between user on
inside and server on outside.
Instead of talking directly,
user and server talk through
proxy.
Allows more fine grained and
sophisticated control than
packet filtering. For example,
ftp server may not allow files
greater than a set size.
A mail server is an example of
an application gateway
(Figure: host-to-gateway ftp session -- application gateway -- gateway-to-remote host ftp session)
Can’t deposit mail in
recipient’s mail server without
passing through sender’s mail
server
Configuring client
Tools/options/connections/LAN settings/proxies:
Advantages and disadvantages of
proxy gateways
Advantages
Proxy can log all connections, activity in connections
Proxy can provide caching
Proxy can do intelligent filtering based on content
Proxy can perform user-level authentication
Disadvantages
Not all services have proxied versions
May need different proxy server for each service
Requires modification of client
Performance
Application gateways + packet filter
Filters packets on
application data as well
as on IP/TCP/UDP fields.
Example: allow select
internal users to ftp
outside.
(Figure: host-to-gateway ftp session -- application gateway -- router and filter -- gateway-to-remote host ftp session)
1. Require all ftp users to ftp through gateway.
2. For authorized users, gateway sets up ftp connection to
dest host. Gateway relays data between 2 connections
3. Router filter blocks all ftp connections not originating from
gateway.
Chaining Proxies
(Figure: proxy 1 -- proxy 2)
SOCKS Proxy protocol
Generic proxy protocol
Don’t have to redo all of the code when
proxifying an application.
Can be used by HTTP, FTP, telnet, SSL,…
Independent of application layer protocol
Includes authentication, restricting which
users/apps/IP addresses can pass through
firewall.
SOCKS proxy protocol
1. For example, let’s assume that browser requests a page.
2. SOCKS Library is a collection of procedures. It translates requests into a specific format and sends them to SOCKS Daemon.
3. The SOCKS Daemon runs on the firewall host. The daemon authenticates the user and forwards all the data to the server.
4. The server receives requests as ordinary HTTP. It does not need a SOCKS library.
(Figure: Firefox/Opera/IE application with SOCKS Library, HTTP over TCP -- Firewall running SOCKS Daemon, TCP -- Apache/IIS server, HTTP over TCP)
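The four steps above, and the "authorized users only" gateway of the application-gateway-plus-filter slide, as an added Python example (not code from the slides or from any SOCKS implementation). It carries out the SOCKS version 5 exchange from RFC 1928 with the username/password sub-negotiation of RFC 1929 as pure byte-level functions: the client-side functions are what the SOCKS library does on behalf of the browser, SocksDaemon is the firewall-side daemon that authenticates the user and checks the destination against a per-user policy before it would relay the connection. The user database, the policy table, the user names and the destination hosts are constructed; the message layouts and reply codes are the RFCs'. No socket is opened, so it runs offline.

```python
import struct
import ipaddress

VER = 0x05
NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_OK, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED, REP_ATYP_UNSUPPORTED = 0x00, 0x02, 0x07, 0x08

# Constructed user database and per-user destination-port policy for the daemon
USERS = {"alice": "s3cret", "bob": "hunter2"}
POLICY = {"alice": {80, 443}, "bob": {22}}


# ---- SOCKS library (client side, linked into the browser) ----
def client_greeting(methods=(USERPASS,)) -> bytes:
    return bytes([VER, len(methods), *methods])                       # VER NMETHODS METHODS

def client_userpass(user: str, password: str) -> bytes:
    u, p = user.encode(), password.encode()
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p            # RFC 1929 sub-negotiation

def client_connect(host: str, port: int) -> bytes:
    try:
        addr = bytes([ATYP_IPV4]) + ipaddress.IPv4Address(host).packed
    except ipaddress.AddressValueError:                               # not a dotted quad: send a domain name
        name = host.encode()
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)   # VER CMD RSV ATYP ADDR PORT


# ---- SOCKS daemon (runs on the firewall host); one instance per client connection ----
class SocksDaemon:
    def __init__(self, users, policy):
        self.users, self.policy, self.user = users, policy, None

    def select_method(self, greeting: bytes) -> bytes:
        n = greeting[1]
        offered = greeting[2:2 + n]
        if greeting[0] != VER or len(offered) != n or USERPASS not in offered:
            return bytes([VER, NO_ACCEPTABLE])   # this daemon insists on authenticating users
        return bytes([VER, USERPASS])

    def authenticate(self, msg: bytes) -> bytes:
        ulen = msg[1]
        user = msg[2:2 + ulen].decode()
        plen = msg[2 + ulen]
        password = msg[3 + ulen:3 + ulen + plen].decode()
        if msg[0] == 0x01 and self.users.get(user) == password:
            self.user = user
            return bytes([0x01, 0x00])
        return bytes([0x01, 0x01])               # non-zero status: failure, client must close

    def handle_request(self, req: bytes):
        ver, cmd, atyp = req[0], req[1], req[3]
        if atyp == ATYP_IPV4:
            host, rest = str(ipaddress.IPv4Address(req[4:8])), req[8:]
        elif atyp == ATYP_DOMAIN:
            host, rest = req[5:5 + req[4]].decode(), req[5 + req[4]:]
        else:
            return self._reply(REP_ATYP_UNSUPPORTED), None
        (port,) = struct.unpack("!H", rest[:2])
        if ver != VER or cmd != CMD_CONNECT:
            return self._reply(REP_CMD_UNSUPPORTED), None
        if self.user is None or port not in self.policy.get(self.user, set()):
            return self._reply(REP_NOT_ALLOWED), None
        # A real daemon now opens a TCP connection to (host, port) and relays bytes both ways.
        return self._reply(REP_OK), (host, port)

    @staticmethod
    def _reply(rep: int) -> bytes:
        # BND.ADDR/BND.PORT would be the daemon's socket on the outside; zeros here (constructed)
        return bytes([VER, rep, 0x00, ATYP_IPV4]) + bytes(4) + struct.pack("!H", 0)


def negotiate(user, password, host, port, users=USERS, policy=POLICY):
    """Run the whole client <-> daemon exchange; return (outcome, relay target or None)."""
    daemon = SocksDaemon(users, policy)
    if daemon.select_method(client_greeting())[1] != USERPASS:
        return "no-method", None
    if daemon.authenticate(client_userpass(user, password))[1] != 0x00:
        return "auth-failed", None               # client closes; no CONNECT request is sent
    reply, target = daemon.handle_request(client_connect(host, port))
    return {REP_OK: "ok", REP_NOT_ALLOWED: "not-allowed"}.get(reply[1], "error"), target


if __name__ == "__main__":
    print(negotiate("alice", "s3cret", "www.example.com", 80))
    print(negotiate("alice", "s3cret", "198.51.100.7", 22))
    print(negotiate("bob", "wrong", "198.51.100.7", 22))
```

The server at the far end sees only the daemon's TCP connection and plain HTTP, which is why it needs no SOCKS library; the per-user check in handle_request is where the "restricting which users/apps/IP addresses can pass through" of the previous slide lives, and a packet filter behind the daemon can then be kept to a single rule that lets only the gateway initiate outbound connections.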
Demilitarized Zone (DMZ)
(Figure: Internet -- firewall -- demilitarized zone with Web server, FTP server and DNS server -- application gateway -- internal network)
Firewalls: Summary
Filters
Widely available in routers, linux
Stateful filters
Maintains connection state
Application gateways
Often implemented with SOCKS today