CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a...
-
Upload
blanche-george -
Category
Documents
-
view
213 -
download
0
Transcript of CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a...
CSCI 530 Lab
Firewalls
Overview
Firewalls Capabilities Limitations
What are we limiting with a firewall? General Network Security Strategies Packet Filtering Proxy Servers Firewall Architecture example netfilter & IPTables
Firewall
Hardware and/or software device which prevents communication based on a particular policy
Basic task is to control traffic between “zones of trust” Example: Filtering traffic between the internet and
local intranet
Firewall Capabilities
Separate your network into logical sections Enforce Security policy
Many services are intermittently insecure A firewall limits the amount of exposure of
particular services Logs Internet activity Limits your network exposure
Firewall limitations
Most cannot automatically adapt to new threats
Cannot stop a malicious user - IDS Cannot limit traffic that does not pass through
it Cannot stop viruses from permeating the
network
What are you limiting? Email File Transfer Remote Terminal Access and Command Execution HTTP Other information services Information about people,
Finger whois Real time conferencing Domain Name Service Network management services Time Service Network File System
Network Security Strategies
Least Privilege Most fundamental principal User or service is given privileges just for
performing specific tasks Defense In depth
Don’t just depend on one security mechanism Choke point
Forces the attacker to use a narrow channel So now one can monitor activities closely
Security Strategies Weakest link or “low hanging fruit”
“ a chain is as strong as its weakest link” Attacker is going to go after the weakest link So if you cannot eliminate it, be cautious about it.
Fail Safe Stance If a system fails, it should deny access to the attacker Default Deny Stance
That which is not expressly permitted is prohibited Default Permit Stance
That which is not expressly prohibited is Permitted Universal Participation
Every system is involved in defense Diversity of defense
Use different types of mechanisms
Definitions Host
A computer system attached to the network Dual-Homed Host
A host with two network interfaces Bastion Host
A host which is the portal to a network. It is normally extremely secure. This is normally also a dual-homed host.
Packet The fundamental unit of data, used for
communication on the internet
Firewall – Packet Filtering
Set of rules that either allow or disallow traffic to flow through the firewall
Can filter based on any information in the Packet Header IP Source Address IP destination address Protocol Source Port Destination Port Message type Interface the packets arrive on and leave
Proxy Servers Specialized application or server programs that run
on a firewall host Normally a bastion host
These programs sit in between the internal users and servers outside serving for internet applications like telnet, ftp, http…
So instead of talking directly to the external server the requests pass through the proxy
Also called as application level gateways
Proxy servers
How do they work Proxy server ‘Ps’ Proxy client ‘Pc’ Pc talks to the Ps which intern talks to the real
server for it, Before that it checks the security policy and
decides whether to go ahead with the connection or not.
FirewallDual HomedHost
Firewall ArchitecturesDual-Homed Bastion Host
INTERNET
Firewall ArchitecturesDual-Homed Bastion Host
Dual homed Host Firewall Built around dual homed bastion host Host are capable of routing packets between
networks The host sits between the networks, filtering the
traffic between the two It only provides services by proxy
Netfilter
http://www.netfilter.org/ The software of the packet filtering framework
inside the Linux 2.4.x and 2.6.x kernel series. Enables packet filtering, network address [and
port] translation (NA[P]T). It is the re-designed and heavily improved successor
of ipchains and ipfwadm set of hooks inside the Linux kernel allows kernel modules to register callback
functions with the network stack A registered callback function is then called back
for every packet that traverses the respective hook within the network stack.
IPtables
an interface to the kernel for firewall rules inserts and deletes rules from the kernel's
packet filtering table IPtables and netfilter make the backbone of
packet-filtering based linux firewalls
Packet Filtering - IPtables A packet is checked against the rule chains and its fate is decided by the
chain Three sets of rule Chains
INPUT FORWARD OUTPUT
A packet comes in, kernel checks for the destination (routing) If it is for this host, it is passed to INPUT chain If forwarding enabled, the packet is forwarded to the destination if it is
ACCEPTED by the FORWARD chain If packet is generated in the same box and is being issued out, the
OUTPUT chain is referred. Rules are matched in a chain in a chronological order looking for a match, If no match is found till the end, decision is taken according to your security
policy
IPTables Example
iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP -A append the rule to the input chain -s source ip -p protocol -j action to be taken