Network Security, Fourth Edition
by William Stallings
Chapter 20: Firewalls
Lecture slides by Lawrie Brown, extended and adapted by Hans Hedbom
"The function of a strong position is to make the forces holding it practically unassailable."
On War, Carl von Clausewitz
Introduction

What is a Firewall?
provides auditing
Firewall Limitations
Actions: Forward, Drop, Alarm, Log, Reject
Screening policies
address spoofing: fake source address to be trusted; add filters on router to block
source routing attacks
tiny fragment attacks
stateful
Advantage/Disadvantage
Different modes
Proxy-aware router
Advantage/Disadvantage
Proxies can do intelligent filtering
Proxies can provide logging and caching
Proxies can provide user-level authentication
Modes
Static allocation
Dynamic allocation of addresses
Dynamic allocation of addresses and ports
Advantage/Disadvantage
Bastion Host
Firewall Configurations
Independent
subnet
Screened Subnets (figure; labels: Internet, DMZ, Application, Database, Employee LAN, Back End)
Evaluating a Firewall
Scalability
Reliability and Redundancy
Auditability
Price (Hardware, Software, Setup, Maintenance)
Management and Configuration
iptables
iptables is the standard kernel firewall system for Linux since kernel 2.4.x: packet filtering and NAT for Linux.
Rule
iptables [-t table] command [match] [target/jump]

-t table
nat (PREROUTING, POSTROUTING)
mangle (PREROUTING, POSTROUTING)
filter (default) (FORWARD, INPUT, OUTPUT)

Command
-P, --policy
-A, --append
-D, --delete
-R, --replace
-L, --list
...

Match (generic)

Target/jump
-j ACCEPT
-j DROP
-j LOG
-j MASQUERADE
...
Example Rules
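As an added example (not from the slides), a small rule set written in the pattern above, iptables [-t table] command [match] [target/jump], covering the filter and nat tables, a stateful match, LOG followed by DROP, and MASQUERADE; the script only prints the commands so it runs without root, and the interfaces and addresses (eth0 to the Internet, eth1 to a LAN 192.168.1.0/24, admin host 192.168.1.10) are constructed assumptions.

```shell
#!/bin/sh
# Added example, not the slides' own rules. ruleset prints one iptables command
# per line; on a Linux host, "ruleset | sh" as root would apply them in order.
# Constructed assumptions: eth0 = Internet side, eth1 = LAN 192.168.1.0/24,
# 192.168.1.10 = admin workstation.

IPT=${IPT:-iptables}

ruleset() {
    # filter table (the default table): default-deny policies, then explicit allows.
    echo "$IPT -P INPUT DROP"
    echo "$IPT -P FORWARD DROP"
    echo "$IPT -P OUTPUT ACCEPT"
    # Stateful match: replies to connections the firewall opened are let back in.
    echo "$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    # Anti-spoofing: a packet arriving on the Internet side with an internal
    # source address is a fake source address; drop it at the router.
    echo "$IPT -A INPUT -i eth0 -s 192.168.1.0/24 -j DROP"
    # Only the admin host on the LAN may reach SSH on the firewall itself.
    echo "$IPT -A INPUT -i eth1 -p tcp -s 192.168.1.10 --dport 22 -j ACCEPT"
    # LOG is non-terminating, so it is paired with a DROP right after it.
    echo "$IPT -A INPUT -j LOG --log-prefix 'FW-DROP: '"
    echo "$IPT -A INPUT -j DROP"
    # LAN hosts may go out; replies come back through the stateful rule.
    echo "$IPT -A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -j ACCEPT"
    echo "$IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # nat table, POSTROUTING chain: dynamic NAT (address and port) for the LAN.
    echo "$IPT -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE"
}

# Number of commands in the set.
rule_count() { ruleset | grep -c . ; }

# count_target TARGET: how many rules jump (-j) to TARGET.
count_target() { ruleset | grep -c -- "-j $1" ; }

ruleset
```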
Additional Literature
Building Internet Firewalls, Zwicky, Cooper; ISBN 1565928717; O'Reilly
iptables Tutorial 1.1.16, Oskar Andreasson, http://iptables-tutorial.frozentux.net/iptables-tutorial.html