Firewalls
Overview
• Background
• General Firewall setup
• Iptables Introduction
• Iptables commands
• “Limit” Function Explanation with icmp and syn floods
• Zone Alarm
ECE 4112 - Internetwork Security
2
What is a Firewall?
• Firewall – a hardware, software, or combination of the two that prevents unauthorized access to or from a private network.
Benefits
• Uninhibited internal LAN traffic
• Ability to leave internal ports open without fear of those ports being abused
• Sense of security by filtering WAN interface for expected traffic
Traffic Control
• Three methods used to control traffic flowing in and out of the network
  – Packet Filtering
  – Proxy Filtering
  – Stateful Inspection
Firewall Configuration
• Rules/filters can be defined to look for a number of things, some of these are:
  – IP addresses
  – Domain names
  – Protocols
    – IP
    – TCP
    – HTTP
    – FTP
    – UDP
    – ICMP
    – SMTP
    – SNMP
    – Telnet
  – Ports
  – Specific words and phrases
What You’re Protected From

  Security Level | External packets allowed
  ---------------+----------------------------------------------------------
  HIGH           | none
  MIDDLE         | pre-defined ports (web, ssh) and established connections
  LOW            | all packets
What You’re Protected From
• We allow traffic that is expected
  – The firewall is responsible for inspecting connections and packet headers
• We allow all traffic on a few specific ports
  – Certain ports are forwarded to a server
Expected Traffic
• Protects you from floods of packets
  – TCP/SYN, PING/REPLY, IP SPOOFING
• Protects you from scans
  – Port scans and vulnerability probes
• Blocks unwanted connections
  – Telnet, SSH, FTP, and others can be regulated
Port Forwarding
• Biggest security hole in our firewall
• Opened ports to allow traffic to servers
  – All incoming data on this specific port is allowed in, and forwarded to server
    – Hackers could exploit this open port
    – Hackers could exploit a bug in the software on the server
Demilitarized Zone (DMZ)
• Frontline of protection
• “A network added between a protected network and external network in order to provide an additional layer of security”
• Does not allow external networks to directly reference internal machines
• Acts as a system of checks and balances to make sure that if any one area goes bad it cannot corrupt the whole
Common Firewall Configurations
• Firewall takes care of passing packets that pass its filtering rules between the internal network and the Internet, and vice versa.
• May use IP masquerading but that's all it does.
• Also known as a dual-homed host
• The two "homes" refer to the two networks that the firewall machine is part of
  – one interface connected to the outside home
  – the other connected to the inside home.
http://www.firewall.cx/firewall_topologies.php
Common Firewall Configurations
• The exposed DMZ configuration depends on two things: 1) an external “Internet” router and 2) multiple IP addresses.
• The firewall needs only two network cards.
• If you control the “Internet” router you have access to a second set of packet-filtering capabilities. If you don't control the “Internet” router, your DMZ is totally exposed to the Internet.
• Hardening a machine enough to live in the DMZ without getting regularly compromised can be tricky.
• If you connect via PPP (modem dial-up), or you don't control your external router, or you want to masquerade your DMZ, or you have only 1 IP address, you'll need to do something else. There are two straightforward solutions to this, depending on your particular problem.
http://www.firewall.cx/firewall_topologies.php
Common Firewall Configurations
• One solution is to build a second router/firewall. Useful if you're connecting via PPP
  – Exterior router/firewall (Firewall 1) is responsible for creating the PPP connection and controls the access to our DMZ zone
  – The other firewall (Firewall 2) is a standard dual-homed host just like the one we spoke about at the beginning
• The other solution is to create a three-legged firewall, which is what we are going to talk about next
http://www.firewall.cx/firewall_topologies.php
Common Firewall Configurations
• Need an additional network adapter in your firewall box for your DMZ.
• Firewall is configured to route packets between the outside world and the DMZ differently than between the outside world and the internal network.
• You can masquerade the machines in the DMZ too, while keeping them functionally separate from protected internal machines.
• The primary disadvantage to the three-legged firewall is the additional complexity. Access to and from the DMZ and to and from the internal network is controlled by one large set of rules. It's pretty easy to get these rules wrong if you're not careful!
• On the other hand, if you don't have any control over the “Internet router”, you can exert a lot more control over traffic to and from the DMZ this way. It's good to prevent access into the DMZ if you can.
http://www.firewall.cx/firewall_topologies.php
Lab Setup
• Firewall workstations
• One firewall host and two virtual machines
Iptables Introduction
• Iptables is a fourth generation firewall tool for Linux
• Requires kernel 2.3.15 or above with netfilter framework
• Iptables inserts and deletes rules from the kernel’s packet filtering table
• Replacement for ipfwadm and ipchains
How packets traverse the filters
3 default chains: INPUT, FORWARD, OUTPUT

  Incoming ---> [Routing Decision] ---> FORWARD ---> Outgoing
                        |                              ^
                        v                              |
                      INPUT ---> Local Process ---> OUTPUT
How packets traverse the filters (continued)
• When a packet reaches one of the chains in the diagram, that chain determines the fate of the packet
• The chain can say to DROP the packet or ACCEPT it.
• If no rules match in the chain, the default policy is used (usually to DROP)
Network Address Translation
The table of NAT rules invoked by ‘iptables -t nat’ contains PREROUTING and POSTROUTING chains

  Incoming ---> PREROUTING ---> [Routing Decision] ---> POSTROUTING ---> Outgoing
                                        |                    ^
                                        v                    |
                                   Local Process ------------
NAT and iptables

  Incoming ---> PREROUTING ---> [Routing Decision] ---> FORWARD ---> POSTROUTING ---> Outgoing
                                        |                                 ^
                                        v                                 |
                                      INPUT ---> Local Process ---> OUTPUT
Masquerading
• Special form of Source NAT
• Dynamically changes source address to that of the firewall
• Simple one-line rule
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
Creating your own rules
• Adding/Deleting rules:
  – Append a new rule to an existing chain:
iptables -A <chain>
iptables -A PREROUTING -t nat -p tcp -d 1.2.3.4 --dport 80 -j \
    DNAT --to 192.168.1.1:80
  – Deleting a rule from an existing chain (by rule specification, or by its number in the chain):
iptables -D <chain> <rule info>
iptables -D INPUT -p tcp --dport 80 -j DROP
iptables -D INPUT 1
• Changing chains:
  – Creating a new chain:
iptables -N <name>
iptables -N PERMISSION
Creating your own rules (contd)
  – Delete an empty chain:
iptables -X <name>
iptables -X PERMISSION
  – List the rules of a chain:
iptables -L <name>
iptables -L PERMISSION
  – Flush a chain (delete all rules in a chain):
iptables -F <name>
iptables -F PERMISSION
More iptables commands
• Specifying jump
  – If a packet matches a specified rule, jump (-j option) to another chain:
iptables -A INPUT -j DROP
• Specifying protocol
  – Used to specify the protocol, tcp, udp, or icmp (case sensitive) using the -p option.
iptables -A INPUT -p icmp
• Specifying inversion
  – Used to invert any rules using the ‘!’ option
iptables -A INPUT -p ! tcp
  – Newer iptables releases put the ‘!’ before the option instead: iptables -A INPUT ! -p tcp
Iptables commands (contd)
• Specifying interface
  – Specified with the ‘-i’ (input) or ‘-o’ (output)
iptables -A INPUT -i eth0    # check packets coming in on interface eth0
• Specifying source/destination
  – Can be specified in 4 ways: name (www.cnn.com), IP (192.168.1.101), group (162.12.23.22/24), using IP/netmask (192.168.1.105/255.255.255.0). Use ‘-s’ for source, and ‘-d’ for destination.
iptables -A INPUT -s 192.168.1.101/24 -d 192.168.1.105
State matching
• Different states are checked to analyze packets (need to have ip_conntrack module loaded).
• The states that are checked are:
  – NEW: A packet that creates a new connection.
  – ESTABLISHED: A packet belonging to an existing connection (reply or outgoing packet).
  – RELATED: A packet that is related to, but not part of an existing connection (ICMP error).
  – INVALID: A packet that could not be identified.
Port Forwarding
• Using NAT table, destination address is changed based on the port
iptables -A PREROUTING -t nat -d 10.1.0.1 -p tcp \
    --dport 80 -j DNAT --to 192.168.1.3:80
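The individual commands from the previous slides tie together into a start-up script for the lab firewall. The script below is an added example, not the course's own startup script; it assumes eth0 faces the Internet, eth1 faces the internal LAN 192.168.1.0/24, the firewall's outside address is 10.1.0.1 and the web server behind it is 192.168.1.3 (addresses borrowed from the slides' examples). With DRY_RUN=1 it prints the rules instead of loading them, so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Lab-style iptables start-up script: added example, not the course's own
# startup script. Assumed layout: eth0 faces the Internet, eth1 the internal
# LAN 192.168.1.0/24, the firewall's outside address is 10.1.0.1 and the web
# server behind it is 192.168.1.3 (addresses taken from the slides' examples).
# Usage: as root "sh fw.sh start"; or DRY_RUN=1 to print rules without loading.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
FW_ADDR="${FW_ADDR:-10.1.0.1}"
WEB_SERVER="${WEB_SERVER:-192.168.1.3}"

ipt() {  # run iptables, or just print the command in dry-run mode
  if [ -n "$DRY_RUN" ]; then echo "iptables $*"; else iptables "$@"; fi
}

load_firewall() {
  # Start from empty filter and nat tables.
  ipt -F; ipt -X; ipt -t nat -F
  # Default policies: anything no rule ACCEPTs is dropped; local processes may talk out.
  ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT
  # Uninhibited traffic from the internal LAN and loopback.
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
  # State matching (needs the conntrack module): replies to connections we
  # opened come back in, packets conntrack cannot identify never do.
  ipt -A INPUT -m state --state INVALID -j DROP
  ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # The only NEW connections accepted from the Internet to the firewall itself: ssh.
  ipt -A INPUT -i "$WAN_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
  # Masquerade: LAN hosts leave through the firewall's own outside address.
  ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
  ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
  # Port forwarding, the one deliberate hole: DNAT in PREROUTING rewrites the
  # destination, and FORWARD must also accept the NEW connection to the server.
  ipt -t nat -A PREROUTING -i "$WAN_IF" -d "$FW_ADDR" -p tcp --dport 80 \
      -j DNAT --to-destination "$WEB_SERVER:80"
  ipt -A FORWARD -i "$WAN_IF" -d "$WEB_SERVER" -p tcp --dport 80 \
      -m state --state NEW -j ACCEPT
}

# Dry-run helpers so the rule set can be checked without root.
rules() { ( DRY_RUN=1; load_firewall ); }
rule_count() { rules | wc -l | tr -d ' '; }

case "$1" in
  start) load_firewall ;;
esac
```

Note that the DNAT rule alone is not enough: with FORWARD's policy at DROP, the matching FORWARD rule for the NEW connection is what lets the forwarded traffic reach the server.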
Defending against ICMP Ping Floods and tcp syn attack
• Using the limit module, specified with ‘-m limit’, packets can be restricted based on the rate of matches
iptables -A INPUT -p icmp --icmp-type echo-request \
    -m limit --limit 1/s --limit-burst 5 -j ACCEPT
Limit burst “recharges” 1 packet every second. This is based on the 1/s limit specified. Echo-requests beyond the limit do not match this rule and fall through to the next rule or to the chain’s default policy (DROP), which is what actually discards the flood.
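To see what the rate limit above actually lets through, here is a small simulation of the limit match as a token bucket. It is an added example, not code from the course; the bucket model (start full at the burst size, spend one token per matching packet, refill at the rate) is the usual way to explain the match, and the packet arrival times are constructed.

```shell
#!/bin/sh
# Token-bucket simulation of the iptables "limit" match: added example, not
# code from the course. Model (an assumption about how to explain the match):
# the bucket starts full with BURST tokens, every matching packet spends one,
# and RATE tokens per second trickle back in, never above BURST. Tokens are
# counted in thousandths so plain integer arithmetic suffices.
# Usage: limit_verdicts RATE BURST "t1 t2 ..."   (arrival times in ms)
limit_verdicts() {
  rate=$1; burst=$2; times=$3
  cap=$((burst * 1000)); tokens=$cap; last=0
  for t in $times; do
    # Refill: RATE tokens per 1000 ms is RATE milli-tokens per ms elapsed.
    tokens=$((tokens + (t - last) * rate))
    if [ "$tokens" -gt "$cap" ]; then tokens=$cap; fi
    last=$t
    if [ "$tokens" -ge 1000 ]; then
      # The limit match succeeds: this packet is ACCEPTed by the rule.
      tokens=$((tokens - 1000)); echo "t=${t}ms ACCEPT"
    else
      # No match: the packet falls through to the next rule / default policy.
      echo "t=${t}ms DROP"
    fi
  done
}

# How many packets of a burst the rule lets through.
limit_accepted() { limit_verdicts "$1" "$2" "$3" | grep -c ACCEPT; }

# Constructed flood: 20 echo-requests in one second, 50 ms apart, against
# --limit 1/s --limit-burst 5 (the slide's rule). Only the first 5 match;
# a following "iptables -A INPUT -p icmp --icmp-type echo-request -j DROP"
# (or the DROP default policy) discards the other 15.
FLOOD="0 50 100 150 200 250 300 350 400 450 500 550 600 650 700 750 800 850 900 950"
# Spaced-out pings recharge one token per second, so they all get through.
SLOW="0 1000 2000 3000 4000"
# The same match limits SYN floods with
# iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 5 -j ACCEPT

case "$1" in
  demo) limit_verdicts 1 5 "$FLOOD"; echo; limit_verdicts 1 5 "$SLOW" ;;
esac
```

Run "sh limit.sh demo" to print the per-packet verdicts for both arrival patterns.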
Zone Alarm
• Firewall for the Windows OS.
• Several types of alerts:
  – New program alerts: Accept/deny programs to access the internet.
  – Repeat program alerts: grant access permission to a program that has already requested before.
  – Server program alerts: grant server permission to a program. Caution: Some Trojan horses require server access to execute.
  – Changed program alerts: If a program has been changed since the last time it accessed the internet.
What is a zone?
• Zone Alarm classifies computers and networks that you communicate with into good, bad, and unknown zones.
• 3 types:
  – Internet Zone: is the “unknown” zone. All computers and networks belong to this zone until you move them to one of the other zones.
  – Trusted Zone: is the “good” zone. Contains all computers you trust.
  – Blocked Zone: is the “bad” zone. Contains all computers you distrust (only available in Zone Alarm Pro and Zone Alarm Plus version).
What is a zone? (contd.)
• When another computer wants to communicate with your computer – Zone Alarm looks at what zone it belongs to and decides what to do.
Hardware Firewalls
• A hardware firewall usually has 3 interfaces
  – Inside – Trusted area of the internetwork.
  – Outside – Untrusted area of the internetwork
  – DMZ – Isolated area of the internetwork with limited access to Outside users.
Cisco Firewalls – PIX 515E
• Different modes of configuration
  – Unprivileged Mode
  – Privileged Mode
  – Configuration Mode
  – Monitor Mode
• Can type unique short forms of commands in each mode
  – Example: config t for configure terminal, write t for write terminal
Cisco Firewalls – PIX 515E
• ASA – Adaptive Security Algorithm
• Data Flow relative to security levels
  – Security Level 100 – For trusted Inside interface and internal traffic
  – Security Level 0 – For un-trusted Outside interface
  – Security Level 1-99 – Can be assigned to perimeter interfaces like DMZ
PIX Lab – Network Setup
• Need to get an ECE UNIX account
  – Can only access firewall from ECE machines
• ssh into digiconsole.ece-int.gatech.edu
• ssh into 192.168.254.2
  – Actual digital console
  – Controls all routers and other hardware
• Need a terminal to the normal lab network
Summary
• Firewalls filter unwanted traffic.
• Port Forwarding: big security hole.
• Network Address Translation.
• Use iptables to setup filters.
• State checking.
• Zone Alarm: Firewall for Windows OS.
• Hardware Firewalls
Acknowledgements
“Firewall Topologies”, http://www.firewall.cx/firewall_topologies.php
Russell, Rusty, “Linux 2.4 Packet Filtering HOWTO”, http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html
Stephens, James C., startup script and basis for rules, http://www.sns.ias.edu/~jns/security/iptables/
Stearns, William, “Adaptive Firewalls with IP Tables”, http://www.ists.dartmouth.edu/IRIA/knowledge_base/adaptive_firewalls.htm
Tyson, Jeff, “How Firewalls Work”, http://computer.howstuffworks.com/firewall.htm/
Young, Scott, “Designing a DMZ”, http://www.sans.org/rr/firewall/DMZ.php
ZoneAlarm tutorial information provided from http://www.zonelabs.com
References
• Cisco Secure PIX Firewalls, David Chapman Jr. and Andy Fox. Cisco Press. 2002.
• http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/
• Cisco Security seminar notes.