
cs490ns - cotter 1

Firewalls
What they do.
How they work.

Outline
What is a firewall?
Architectures
  Stand Alone / application / proxy
  Personal / host based
  Gateway / packet filters
  Enterprise / hardware
Roles
  Bastion
  DMZ
Packet Filtering concepts
  IPTables
  Stateful filtering
Packet Forwarding
  Ethernet bridge

What is a Firewall?
A hardware or software device that monitors (and controls ?) the transmission of packets that attempt to pass through the perimeter of a network (or host).
Provides 2 basic security functions
  Packet Filtering
  Application Proxy gateways
Additional security features
  Log unauthorized (and authorized ?) access attempts
  Provide VPN connections
  Support user authentication
  Shield internal machines from outside view

What should a firewall do?
Control the flow of packets to/from the Internet
Block external login as root (?)
Must distinguish between local and Internet packets (even spoofed addresses)
Support limited user accounts
Log all system activities

Types of Firewalls
Stand Alone / application / proxy
Enterprise / Local
Hardware / Software
Gateway / router / packet filter
Personal / host based
  Windows firewall: incoming protection
  ZoneAlarm, Linux, etc.: incoming / outgoing filter

Types of Firewalls
[Diagram: traffic path between the Internet and the Corporate Network, showing a Router / packet filter, a Stateful Firewall, an Application Proxy and a Host-based Firewall]

Standalone Proxy Firewalls
Application Gateways
Intended to buffer the interface between an internal application and the Internet
  Web Servers
  Mail Servers
  File Transfer
Controls flow of packets into and out of the local network
  Limit access to specific web sites
  Cache results for use by other internal hosts
  Hide internal IP addresses from network view

Enterprise Firewalls
Intended to support larger traffic volumes
Provides more sophisticated support
  Stateful filtering, etc.
Software
  Check Point Firewall-1, Microsoft ISA, Symantec Enterprise, etc.
Hardware
  Cisco PIX, SonicWall, Watchguard, etc.
Expensive!

Gateway / Packet Filter
May be embedded in sophisticated routers
May be used for SOHO networks
  May be incorporated into small SOHO routers
  May be incorporated into a gateway host (Linux ?)
Provides the ability to monitor and control packets through the gateway / router.
  Generally supports in / out / through filtering
  May not include stateful filtering capabilities

Host-based Firewalls
Intended as a last line of defense for the host computer
Runs as a background process on the host
  Limited bandwidth available
Generally supports incoming port filtering
  Can specify which ports (if any) can accept incoming connection requests.
Occasionally supports outgoing filtering (looking for worms, trojans, etc.)

Firewall Roles
Bastion Hosts
  Hardened systems that typically run a firewall and perhaps an application as well
DMZ (demilitarized zone)
  An isolated subnetwork that includes all services that are offered over the Internet (and perhaps to the internal network as well).

Bastion Firewall and Host
[Diagram: Internet, Firewall, Web Server and LAN; the firewall host sits between the Internet and the LAN]

DMZ
[Diagram: Internet, LAN, and a DMZ holding the Web and E-mail servers]

What is Packet Filtering?
The process of deciding which packets to allow through the filter, based on attributes of the packet
  Source / Destination Port
  Source / Destination IP Address
  Status flags in the packet (SYN)
  Originating protocol (ICMP, TCP, etc.)
  Connection state (TCP)
Linux (2.4+) supports Netfilter / iptables

How does Packet Filtering Work?
Define rules to allow or block specific types of packets
Firewall screens all packet headers to look for matches against the rules
Apply rules in the order in which they are stored
Allow or block packets based on rule matches.
If a packet matches no rules, apply the default behavior to the packet (usually deny).

Packet Filtering Issues
Rules are complex. Easy to introduce errors
Filters are based on IP addresses. If authorized sites are hacked, your site is compromised
IP spoofing can fake authorized (internal?) sites.
Routers can be hacked to reroute internal packets
Activities need to be logged
Internal host addresses should be hidden

Iptables
Administration tool for IPv4 packet filtering and NAT
Used to set up, maintain, and inspect the tables of IP packet filtering rules used by the kernel to manage packet flow through the firewall.
Based on tables that specify the overall task and chains that identify the position of the packet in the packet flow.

IPTables tables
Filter table
  Used to control the flow of packets based on packet attributes
  Only filter packets; don't modify packets here.
Network Address Translation (NAT) table
  Used to change the source / destination IP address and / or port of selected incoming / outgoing packets
Mangle table
  Supports specialized packet handling / routing
  Change contents of packet
Experimental and developing tables

Basic Packet Filtering
[Diagram: Internet and LAN on either side of the filter table, with its Input, Output and Forward chains and the RH-Firewall-1-INPUT chain]

Incoming Packets to Filter
Illegal Incoming Source IP Addresses
  Your IP Address
  Your LAN Address
  Private Network Addresses
  Multicast IP Addresses
  Loopback Interface Addresses
Nuisance sites / networks
Remote Source Port Filtering
Local Destination Port Filtering
Incoming TCP connection-state filtering
Probes and Scans
DoS Attacks
Etc.

Packet Filtering alert list
CERT
  www.cert.org (Carnegie Mellon Software Engineering Institute)
  www.us-cert.gov
Port Filter List (3/08)
  DNS zone transfers: 53
  tftpd: 69
  link: 87
  RPC / NFS: 111 / 2049
  BSD r commands: 512, 513, 514
  lpd: 515
  uucpd: 540
  OpenWindows: 2000
  X Windows: 6000+

Outgoing Packets to Filter
Why?
  Consideration for fair use of the Internet
  Distribution of private information
  Detection of unwanted client programs (Trojans, etc.)
  See http://www.us-cert.gov/cas/tips/ST06-001.html
What
  Legitimate, routable addresses only
  Destination IP Addresses
  Destination ports
  Source Ports

Filter Table Chains
May be associated with any interface (eth0, etc.)
INPUT
  Used to test packets that come into the firewall
OUTPUT
  Used to test packets that are leaving the firewall
FORWARD
  Used to test packets that are passing through the firewall
Packets should pass through only 1 chain

Filter table packet flow
[Diagram: incoming packets reach Routing; packets for Local Processes go through the Input Chain, packets for other hosts through the Forward Chain, and locally generated packets through the Output Chain; each chain can Drop]

Iptables rule structure
iptables -t table action chain rule -j target
  Which table are we working with (filter is the default)
  What action do we want to do to that table (insert, delete, etc.)
  Which chain in that table are we working with
  Which packets do we want to match (the rule)?
  Where do we go if we match the rule (the target)?

IPTables Actions
Create a new chain (-N).
Delete an empty chain (-X).
Change the default policy for a chain (-P).
List the rules in a chain (-L).
Flush the rules out of a chain (-F).
Zero the packet and byte counters on all rules in a chain (-Z).

IPTables Actions
Append a new rule to the end of a chain (-A).
Insert a new rule at some position in a chain (-I).
Replace a rule at some position in a chain (-R).
Delete a rule at some position in a chain, or the first that matches (-D).

IPTables targets
ACCEPT
  Stop processing and pass to application / OS
DROP
  Stop processing and block packet
LOG
  Packet info sent to syslog. Continue processing
REJECT
  Stop processing and send reject message to source
DNAT
  Change destination network address
SNAT
  Change source network address
MASQUERADE
  Do source network address translation (PAT)
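What the rule order, the chain jumps, the default policy and the targets above amount to, as a toy evaluator added here (not code from the slides or from the iptables project; Packet, Rule, FilterTable and build_rh_firewall are this example's own names), run over constructed packets against a reduced form of the RH-Firewall-1-INPUT chain shown later in the deck:

```python
# Added example (not from the slides or the iptables project): a toy first-match
# evaluator for iptables filter chains, run over constructed packets.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # targets that stop rule processing

@dataclass
class Packet:
    src: str                    # source IP address
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    state: str = "NEW"          # conntrack state as seen by -m state
    iface: str = "eth0"         # input interface (-i)

@dataclass
class Rule:                     # None means "criterion not given" (matches anything)
    target: str                 # ACCEPT/DROP/REJECT/LOG or the name of a user chain
    proto: Optional[str] = None
    src: Optional[str] = None   # CIDR, like -s 192.168.1.0/24
    dport: Optional[int] = None
    state: Optional[Set[str]] = None
    iface: Optional[str] = None

    def matches(self, p: Packet) -> bool:  # iptables ANDs all given criteria
        return ((self.proto is None or p.proto == self.proto)
                and (self.src is None or ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src))
                and (self.dport is None or p.dport == self.dport)
                and (self.state is None or p.state in self.state)
                and (self.iface is None or p.iface == self.iface))

class FilterTable:
    def __init__(self, policy: str = "ACCEPT"):
        self.chains: Dict[str, List[Rule]] = {"INPUT": [], "FORWARD": [], "OUTPUT": []}
        self.policy = {c: policy for c in self.chains}  # -P on the built-in chains
        self.logged: List[str] = []                       # what LOG would hand to syslog
    def new_chain(self, name: str) -> None:               # iptables -N
        self.chains[name] = []
    def append(self, chain: str, rule: Rule) -> None:     # iptables -A
        self.chains[chain].append(rule)
    def _walk(self, chain: str, p: Packet) -> Optional[str]:
        # Rules are tried in stored order; the first terminal match decides.
        for rule in self.chains[chain]:
            if not rule.matches(p):
                continue
            if rule.target == "LOG":                      # non-terminating: keep going
                self.logged.append(f"{chain}: {p.src} {p.proto} dpt:{p.dport}")
                continue
            if rule.target in TERMINAL:
                return rule.target
            verdict = self._walk(rule.target, p)          # jump to a user chain ...
            if verdict is not None:                       # ... and fall through if it returns
                return verdict
        return None
    def verdict(self, chain: str, p: Packet) -> str:
        # Verdict for a packet entering a built-in chain; the policy if nothing matched.
        return self._walk(chain, p) or self.policy[chain]

def build_rh_firewall() -> FilterTable:
    # The slides' INPUT -> RH-Firewall-1-INPUT layout, reduced to a few rules.
    fw = FilterTable()
    rh = "RH-Firewall-1-INPUT"
    fw.new_chain(rh)
    fw.append("INPUT", Rule(rh))                          # -A INPUT -j RH-Firewall-1-INPUT
    fw.append(rh, Rule("ACCEPT", iface="lo"))
    fw.append(rh, Rule("ACCEPT", proto="icmp"))
    fw.append(rh, Rule("ACCEPT", state={"ESTABLISHED", "RELATED"}))
    fw.append(rh, Rule("ACCEPT", proto="tcp", dport=22, src="192.168.1.0/24", state={"NEW"}))
    fw.append(rh, Rule("LOG"))     # record what is about to be refused (LOG keeps going)
    fw.append(rh, Rule("REJECT"))  # everything else
    return fw
```

Note that a packet reaching the end of a user chain without a terminal verdict falls back into the calling chain, and only when that chain is also exhausted does the built-in policy apply.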

Example Filter Rules
#Allow traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Set default policy for chain
iptables --policy INPUT DROP
#Allow all outgoing connections
iptables -A block -m state --state NEW -i ! ppp0 \
  -j ACCEPT
#Block incoming attempts to X windows (a port range is written low:high)
iptables -A INPUT -i eth1 -p tcp --syn \
  --destination-port 6000:6003 -j REJECT

Example Filter Rules
#Allow incoming connections to local web server
iptables -t filter -A block -p tcp --dport 80 -i eth1 \
  -j ACCEPT
#Insert a rule (at position 7) that allows incoming udp packets to port 12345
iptables -I block 7 -p udp --dport 12345 -j ACCEPT
#Allow DNS requests NOT from outside
iptables -A block -p tcp --dport 53 -m state --state NEW \
  -i ! eth1 -j ACCEPT
#Allow (and redirect) incoming web connections to 192.168.5.6
iptables -t nat -A PREROUTING -i eth1 -p tcp \
  --dport 80 -j DNAT --to-destination 192.168.5.6
Simple Firewall table
## Insert connection-tracking modules (not needed if built into kernel).
insmod ip_conntrack
insmod ip_conntrack_ftp
## Make chain that blocks new connections, except if coming from LAN.
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A block -j DROP
## Jump to that chain from INPUT and FORWARD chains.
iptables -A INPUT -j block
iptables -A FORWARD -j block
Iptables default config file
/etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
CentOS 5.5 Firewall part 1
[rcotter@lserver3 ~]$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
CentOS 5.5 Firewall part 2
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp -- 134.193.12.34 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:137
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:138
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:139
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:445
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:2069
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3128
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3306
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Filter table
Input and forward chains point to the custom chain RH-Firewall-1-INPUT
Output chain set to accept all (allow any outgoing traffic)
RH-Firewall-1-INPUT chain
  Initial 4 rules allow broad classes of packets
  Allow multicast DNS
  Allow ipp (Internet Printing Protocol)
  Allow incoming UDP packets to port 12345 (special server set up for cs423 class)
  Allow incoming SSH connections
  Reject everything else!

Network Address Translation
What?
  Translates IP addresses and / or ports as a packet passes through the firewall
  Only the first packet of a connection will traverse the table. All remaining packets are modified the same as the first packet.
Why?
  Private local IP addresses
  Multiple servers (load sharing)
  Transparent proxying

NAT table
Used to map local IP addresses to a set of routable addresses (NAT)
Used to map local IP addresses to a set of ports associated with a single routable address (NAPT)
Used to map local IP addresses to a set of ports associated with a variable routable address (masquerade)
  Dial-up connection
  Dynamically assigned IP address
  Other

NAT
Two types of NAT
Source NAT (SNAT): used to translate the source IP address of a packet (typically outgoing)
Destination NAT (DNAT): used to translate the destination IP address of a packet (typically incoming).

NAT table chains
Pre-routing
  Used to test / modify the destination addresses of incoming packets
Output
  Used to change the source (or destination) address of locally generated packets
Post-routing
  Used to change the source address of outgoing packets.

NAT table packet flow
[Diagram: incoming packets pass through Destination NAT (Pre-routing) before Routing, then the Input Chain to Local Processes or the Forward Chain; locally generated packets go through the Output Chain; everything leaving passes through Source NAT (Post-routing); each chain can Drop]
Simple NAT table rules
# Masquerade out ppp0
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Disallow NEW & INVALID incoming or forwarded packets from ppp0.
iptables -A INPUT -i ppp0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i ppp0 -m state --state NEW,INVALID -j DROP

# Turn on IP forwarding (in RAM)
echo 1 > /proc/sys/net/ipv4/ip_forward
# Turn on IP forwarding (in file /etc/sysctl.conf)
net.ipv4.ip_forward = 1


Mangle table
Used for special routing and packet modification.
Uses the TOS (type of service) field in the IP header.
TTL
Can be used to set and test markers placed

Mangle Table Routing
[Diagram: AS and Internet]

Linux Firewall Mgmt
iptables
  Make changes to the memory image of the firewall rules
iptables-save
  Display a copy of the memory image
  Can redirect the copy to a file using output redirection
  iptables-save > /etc/sysconfig/iptables
iptables-restore
  Rebuild the memory image from the keyboard or a file (using redirection)
Security Level and Firewall Applet (Fedora)
  Creates an automatic backup file: /etc/sysconfig/iptables

IPTables Constraints
Based on IP only
  Don't run IPX, AppleTalk, etc., as these protocols are not filtered
Packets traversing the filter table will pass through only 1 chain

Port Forwarding
[Diagram: a connection from the Internet to 123.234.56.78:80 on the firewall is forwarded to the HTTPD at 192.168.3.6:80 on the LAN]

SOHO Router Port Range Forwarding

IPTables Port Forwarding
For incoming packets
iptables -t nat -A PREROUTING -p tcp -d <published-ip> --dport <published-port> \
  -j DNAT --to-destination <private-ip>:<private-port>
For returned packets
iptables -t nat -A POSTROUTING -m conntrack --ctstate DNAT -p tcp -d <private-ip> --dport <private-port> \
  -j SNAT --to-source <published-ip>
For packets originating on the firewall
iptables -t nat -A OUTPUT -p tcp -d <published-ip> --dport <published-port> \
  -j DNAT --to-destination <private-ip>:<private-port>

IPtables rerouting Issues
Often, when we re-route packets, we only need to change the destination (or source) IP address.
Sometimes (if we are rerouting to a locally connected destination) we need to change both the IP address and the MAC address.
IPtables only filters IP traffic. It cannot change IPX, NetBEUI, AppleTalk, etc.

EBtables
Ethernet Bridge tables
Intended to support filtering of packets that IPtables cannot filter: Ethernet protocol, MAC address, ARP, NetBEUI, IPX, etc.
  Basically adds non-IP filtering.
802.1Q VLAN filtering
MAC address NAT
Frame counters
Linux bridge-nf code
  Passes bridged traffic to IPtables

EBtables Structure
broute table
  BROUTING chain
  Choose whether to process the packet at layer 2 (bridge) or at layer 3 (route)
  e.g. route normal IP traffic and bridge IPX traffic
filter table
  FORWARD, INPUT, OUTPUT chains
  Route packets based on MAC addresses
nat table
  PREROUTING, OUTPUT, POSTROUTING chains
  Change MAC addresses (redirect based on MAC)

Ethernet Bridge Firewall
[Diagram: Internet and LAN joined by a Linux box configured as a bridge, with the firewall installed on it]

Ethernet Bridge Firewall
Use a bridging firewall (ebtables) to set up rules to pass packets through the host.
Since processing happens at the Data Link Layer, there is no need to assign an IP address to the host interfaces, so the machine is invisible to network scanning.
Offers better protection, and less configuration of the remaining network.
Can also be configured with an IDS.

Ethernet Bridge Firewall
Create a virtual Ethernet bridge interface
  brctl addbr br0
Add our interfaces to the bridge
  brctl addif br0 eth0
  brctl addif br0 eth1
Remove the IP configuration from the interfaces
  ifconfig eth0 down
  ifconfig eth1 down
  ifconfig eth0 0.0.0.0 up
  ifconfig eth1 0.0.0.0 up
Configure access for the bridge
  Local console, OOB network, or configure 1 IP

Ethernet Bridge Firewall (2)
[Diagram: Internet and LAN]

Example Firewall Application
Monitor all outgoing traffic
  Most firewalls only monitor incoming traffic by default
Identify what traffic is desired and block the rest.
  Many applications generate queries to their servers
  Spyware
  Hacks

App development process
Capture all outgoing traffic
  Monitor traffic as it enters or leaves the network (Ethernet Bridge)
  Use iptables to log traffic.
  -A firewall-win1 -j LOG --log-level 4 --log-prefix "Win1 " --log-tcp-options --log-ip-options
Set up syslog to divert level 4 messages to a separate file (see syslog.conf)
  kern.warning /var/log/iptables.log
Save data daily to a separate file
  iptables_log_022011

Primary Firewall Filter Table
# Generated Manually 8/19/10
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [8183:1429550]
:OUTPUT ACCEPT [14722:762210]
-N RH-Firewall-1-INPUT
# Create separate chains for each host - 8/19/10
-N Firewall-Win2
-N Firewall-Win1
-N Firewall-lserver3
#new line 8/26/10 - start monitoring this machine
-N firewall-bridge
-A OUTPUT -j firewall-bridge
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD --src 192.168.1.25 -j Firewall-lserver3
-A FORWARD --src 192.168.1.35 -j Firewall-Win2
-A FORWARD --src 192.168.1.30 -j Firewall-Win1
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j DROP

Win1 Outgoing Firewall Chain
-A Firewall-Win1 --dst 192.168.1.0/24 -j ACCEPT
-A Firewall-Win1 -p icmp -m icmp --icmp-type any -j ACCEPT
-A Firewall-Win1 --dst 134.193.123.45 -j ACCEPT
-A Firewall-Win1 --dst 208.67.222.222 -j ACCEPT
# Allow queries to Dropbox
-A Firewall-Win1 --dst 50.16.0.0/16 -j ACCEPT
# Allow queries to Kaspersky
-A Firewall-Win1 --dst 38.117.98.0/24 -j ACCEPT
-A Firewall-Win1 --dst 38.124.168.0/24 -j ACCEPT
-A Firewall-Win1 --dst 38.113.165.0/24 -j ACCEPT
-A Firewall-Win1 --dst 79.141.216.0/24 -j ACCEPT
# Allow queries to Microsoft (update)
-A Firewall-Win1 --dst 207.46.206.0/24 -j ACCEPT
-A Firewall-Win1 --dst 65.55.200.0/24 -j ACCEPT
-A Firewall-Win1 --dst 64.4.30.0/24 -j ACCEPT
-A Firewall-Win1 --dst 65.54.221.0/24 -j ACCEPT
# Allow queries to dyndns.org
-A Firewall-Win1 --dst 91.198.22.0/24 -j ACCEPT
-A Firewall-Win1 --dst 204.13.248.0/24 -j ACCEPT
-A Firewall-Win1 --dst 208.78.69.0/24 -j ACCEPT
# Lots of multicast traffic. Drop it.
-A Firewall-Win1 --dst 224.0.0.0/8 -j DROP
# Now, log everything else before dropping it
-A Firewall-Win1 -m physdev --physdev-in eth1 -j LOG --log-level 4 --log-prefix "Win1 " --log-tcp-options --log-ip-options
#For everything else, reject the traffic.
-A Firewall-Win1 -j DROP

Capture Outgoing Traffic
Data record (1 per packet):
Feb 19 00:01:03 bridge kernel: Win1 IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.168.1.35 DST=66.94.233.186 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=10570 DF PROTO=TCP SPT=2323 DPT=80 WINDOW=65185 RES=0x00 ACK FIN URGP=0
Records per day: ~40k to 80k+

Port Scan Attack Detector (PSAD)
Can be configured to detect various network scans, invalid traffic, attacks, etc.
Can be used to fingerprint source machines
Can be configured to provide an active response based on the type of input and the number of input packets in a predetermined period.
Can be used to sort and organize logged data.

Summarize traffic
psad -m /var/log/iptables/iptables_log_022011 --gnuplot --CSV-fields dst src dp:count \
  --gnuplot-graph points --gnuplot-xrange 0:100 --gnuplot-file-prefix test_022011
test_022011.dat
1, 172, 2 ### 1=12.29.100.148 172=192.168.1.35
:
39, 172, 96 ### 39=66.94.233.186 172=192.168.1.35
:
246, 171, 1 ### 246=216.191.247.139 171=192.168.1.30

Sort Traffic by Source
Use a script (bash / awk / py / ?) to sort traffic into separate files by source
Use DNS to get the domain name for sites
Win1_022011.lst
12.29.100.148: Output was 0
:
66.94.233.186: r3.ycpi.vip.mud.yahoo.net.
:
216.137.43.236: server-216-137-43-236.dfw3.cloudfront.net.
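The kernel LOG record format shown earlier, the psad-style dst / src / dport tally and the per-source sort above, as a parser added here (not code from the slides or from psad; the sample records are constructed, and parse_record, summarize, by_source and unexpected are this example's own names):

```python
# Added example (not from the slides or from psad): parse iptables LOG records of the
# kind the deck shows and tally them per destination / source / port, the way the
# psad --CSV-fields dst src dp:count summary does; then group them per source host.
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Constructed sample records; "Win1 " / "Win2 " are --log-prefix values as on the slides.
SAMPLE_LOG = """\
Feb 19 00:01:03 bridge kernel: Win1 IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.168.1.35 DST=66.94.233.186 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=10570 DF PROTO=TCP SPT=2323 DPT=80 WINDOW=65185 RES=0x00 ACK FIN URGP=0
Feb 19 00:01:09 bridge kernel: Win1 IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.168.1.35 DST=66.94.233.186 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=10571 DF PROTO=TCP SPT=2324 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 19 00:02:41 bridge kernel: Win1 IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.168.1.35 DST=12.29.100.148 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=10590 PROTO=UDP SPT=1033 DPT=53
Feb 19 00:03:15 bridge kernel: Win2 IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.168.1.30 DST=216.191.247.139 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=10601 PROTO=ICMP TYPE=8 CODE=0
Feb 19 00:03:16 bridge sshd[1234]: Accepted publickey for rcotter from 192.168.1.25 port 50122
"""

LOG_MARK = re.compile(r" kernel: (?P<prefix>\S+ )?(?=IN=)")   # --log-prefix is optional
KV = re.compile(r"(\w+)=(\S*)")                                # KEY=VALUE tokens

def parse_record(line: str) -> Optional[Dict[str, str]]:
    """KEY=VALUE fields of one LOG line (plus PREFIX and bare FLAGS), or None if not one."""
    m = LOG_MARK.search(line)
    if m is None:                       # e.g. an sshd line sharing the same syslog file
        return None
    body = line[m.end():]
    rec = dict(KV.findall(body))
    rec["PREFIX"] = (m.group("prefix") or "").strip()
    rec["FLAGS"] = " ".join(tok for tok in body.split() if "=" not in tok)   # DF SYN ACK ...
    return rec

def summarize(log_text: str) -> Counter:
    """Count records per (dst, src, dport); ICMP has no port, so '-' is used."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            counts[(rec["DST"], rec["SRC"], rec.get("DPT", "-"))] += 1
    return counts

def by_source(log_text: str) -> Dict[str, Counter]:
    """Destination counts grouped per internal source host (the per-host .lst files)."""
    groups: Dict[str, Counter] = {}
    for (dst, src, _dport), n in summarize(log_text).items():
        groups.setdefault(src, Counter())[dst] += n
    return groups

def unexpected(groups: Dict[str, Counter], known: Iterable[str]) -> Dict[str, List[str]]:
    """Destinations per source outside the networks already allow-listed in the chain
    (the 'is the traffic known / expected?' question on the analysis slide)."""
    nets = [ipaddress.ip_network(k) for k in known]
    return {src: sorted(d for d in dests if not any(ipaddress.ip_address(d) in n for n in nets))
            for src, dests in groups.items()}

if __name__ == "__main__":
    for (dst, src, dport), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{dst:>16} {src:>14} {dport:>4} {n}")
    print(unexpected(by_source(SAMPLE_LOG), ["192.168.1.0/24", "12.29.100.0/24"]))
```

Reverse DNS for the remaining addresses is left to the script on the slide, since it needs network access.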

Analyze traffic
Are addresses identifiable?
Is the traffic known / expected?
Why is the traffic there?

References
Firewalls and VPNs: Principles and Practices. Richard Tibbs and Edward Oakes, Prentice Hall, 2005.
Linux Firewalls, 2nd ed. Robert Ziegler, New Riders Publishing, 2002.
Guide to Firewalls and Network Security. Greg Holden, Thomson/Course Technology, 2004.
EBtables/IPtables Interaction on a bridge (2003). ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html
Red Hat Fedora Linux Secrets. Naba Barkakati, Wiley, 2005.

Summary
What is a firewall?
Architectures
  Stand Alone / application / proxy
  Personal / host based
  Gateway / packet filters
  Enterprise / hardware
Packet Filtering concepts
Packet Forwarding
Roles
  Bastion
  DMZ
EBtables