CSCI 530 Lab

Firewalls

Transcript of the lab slides.


Overview

Firewalls
  Capabilities
  Limitations
What are we limiting with a firewall?
General Network Security Strategies
Packet Filtering
Proxy Servers
Firewall Architecture
Example: netfilter & IPTables


Firewall

Hardware and/or software device which prevents communication based on a particular policy
Basic task is to control traffic between “zones of trust”
  Example: filtering traffic between the internet and the local intranet


Firewall Capabilities

Separate your network into logical sections
Enforce security policy
  Many services are intermittently insecure
  A firewall limits the amount of exposure of particular services
Logs Internet activity
Limits your network exposure


Firewall Limitations

Most cannot automatically adapt to new threats
Cannot stop a malicious user (that is the role of an IDS)
Cannot limit traffic that does not pass through it
Cannot stop viruses from permeating the network


What are you limiting?

Email
File Transfer
Remote Terminal Access and Command Execution
HTTP
Other information services
Information about people: finger, whois
Real-time conferencing
Domain Name Service
Network management services
Time Service
Network File System


Network Security Strategies

Least Privilege
  The most fundamental principle: a user or service is given only the privileges needed to perform its specific tasks
Defense in Depth
  Don't depend on just one security mechanism
Choke Point
  Forces the attacker to use a narrow channel, so that channel can be monitored closely


Security Strategies

Weakest Link, or “low hanging fruit”
  “A chain is only as strong as its weakest link.” The attacker is going to go after the weakest link, so if you cannot eliminate it, be cautious about it.
Fail-Safe Stance
  If a system fails, it should deny access to the attacker
Default Deny Stance
  That which is not expressly permitted is prohibited
Default Permit Stance
  That which is not expressly prohibited is permitted
Universal Participation
  Every system is involved in defense
Diversity of Defense
  Use different types of mechanisms


Definitions

Host
  A computer system attached to the network
Dual-Homed Host
  A host with two network interfaces
Bastion Host
  A host which is the portal to a network. It is normally extremely secure, and normally also a dual-homed host.
Packet
  The fundamental unit of data used for communication on the internet


Firewall – Packet Filtering

Set of rules that either allow or disallow traffic to flow through the firewall
Can filter based on any information in the packet header:
  IP source address
  IP destination address
  Protocol
  Source port
  Destination port
  Message type
  Interface the packet arrives on and leaves by


Proxy Servers

Specialized application or server programs that run on a firewall host, normally a bastion host
These programs sit between the internal users and the servers outside, serving internet applications like telnet, ftp, http…
So instead of talking directly to the external server, the requests pass through the proxy
Also called application-level gateways


Proxy Servers

How do they work?
  Proxy server ‘Ps’, proxy client ‘Pc’
  Pc talks to Ps, which in turn talks to the real server on its behalf
  Before doing so, Ps checks the security policy and decides whether to go ahead with the connection or not
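The Pc / Ps exchange above, as an added example that is not part of the slides: a minimal application-level gateway in Python. The proxy (Ps) reads the client's request, checks its policy (an allow-list of destination host/port pairs, constructed for this example) before opening any outbound connection, and only then connects to the real server on the client's behalf and relays one request line and one reply. The one-line "CONNECT host port" protocol and the upper-casing echo "real server" are both constructed here; everything runs on loopback.

```python
import socket
import socketserver
import threading


class RealServer(socketserver.StreamRequestHandler):
    """Stand-in for the external server: echoes one request line in upper case."""

    def handle(self):
        line = self.rfile.readline()
        self.wfile.write(b"ECHO " + line.upper())


class ProxyServer(socketserver.StreamRequestHandler):
    """Ps: the client sends 'CONNECT <host> <port>', gets 'OK' or 'DENIED ...',
    and on OK sends one request line that is relayed to the real server."""

    allowed = frozenset()  # (host, port) pairs permitted by policy; set per deployment

    def handle(self):
        fields = self.rfile.readline().decode(errors="replace").split()
        if len(fields) != 3 or fields[0] != "CONNECT" or not fields[2].isdigit():
            self.wfile.write(b"DENIED bad request\n")
            return
        dest = (fields[1], int(fields[2]))
        if dest not in self.allowed:  # policy is checked before any outbound connection
            self.wfile.write(b"DENIED by policy\n")
            return
        with socket.create_connection(dest, timeout=5) as upstream:
            self.wfile.write(b"OK\n")
            upstream.sendall(self.rfile.readline())               # relay the request line
            self.wfile.write(upstream.makefile("rb").readline())  # relay the reply line


def start_server(handler):
    """Start a threaded TCP server on an ephemeral loopback port."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def proxy_request(proxy_address, host, port, payload):
    """Pc: ask Ps to reach host:port; return the reply or the proxy's refusal."""
    with socket.create_connection(proxy_address, timeout=5) as sock:
        reader = sock.makefile("rb")
        sock.sendall(f"CONNECT {host} {port}\n".encode())
        status = reader.readline().decode().strip()
        if status != "OK":
            return status
        sock.sendall(payload)
        return reader.readline().decode().strip()


def run_demo():
    """One permitted and one refused request; returns (permitted_reply, refused_reply)."""
    real = start_server(RealServer)
    real_host, real_port = real.server_address
    # Policy constructed for this example: only the real server is reachable via Ps.
    policy = frozenset({(real_host, real_port)})
    proxy = start_server(type("PolicyProxy", (ProxyServer,), {"allowed": policy}))
    try:
        permitted = proxy_request(proxy.server_address, real_host, real_port, b"hello\n")
        refused = proxy_request(proxy.server_address, real_host, real_port + 1, b"hello\n")
    finally:
        for server in (proxy, real):
            server.shutdown()
            server.server_close()
    return permitted, refused


if __name__ == "__main__":
    print(run_demo())
```

Note where the policy check sits: the proxy decides before `socket.create_connection` is ever called, so a refused destination never sees a connection attempt from the bastion host, which is the point of putting the decision in Ps rather than in the client.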


Firewall Architectures: Dual-Homed Bastion Host

[Diagram: INTERNET | Firewall (Dual-Homed Host)]


Firewall Architectures: Dual-Homed Bastion Host

Dual-Homed Host Firewall
  Built around a dual-homed bastion host
  The host is capable of routing packets between the networks
  The host sits between the networks, filtering the traffic between the two
  It only provides services by proxy


Netfilter

http://www.netfilter.org/
The packet filtering framework inside the Linux 2.4.x and 2.6.x kernel series
Enables packet filtering and network address [and port] translation (NA[P]T)
It is the redesigned and heavily improved successor of ipchains and ipfwadm
A set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack
A registered callback function is then called for every packet that traverses the respective hook within the network stack


IPtables

An interface to the kernel for firewall rules
Inserts and deletes rules from the kernel's packet filtering table
IPtables and netfilter make up the backbone of packet-filtering based Linux firewalls


Packet Filtering – IPtables

A packet is checked against the rule chains and its fate is decided by the chain
Three built-in rule chains: INPUT, FORWARD, OUTPUT
  A packet comes in; the kernel checks the destination (routing decision)
  If it is for this host, it is passed to the INPUT chain
  If forwarding is enabled, the packet is forwarded to its destination if it is ACCEPTed by the FORWARD chain
  If the packet is generated on the same box and is being sent out, the OUTPUT chain is consulted
Rules in a chain are tried in order, top to bottom, looking for a match; the first matching rule decides
If no match is found by the end of the chain, the decision is taken according to your security policy (the chain's default policy)


IPTables Example

    iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP

  -A  append the rule to the named chain (here INPUT)
  -s  source IP address
  -p  protocol
  -j  action (target) to take when the rule matches
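To make the chain walk concrete, here is an added example (not from the slides, and not how netfilter is implemented) that models the packet-filtering behaviour described above in Python: the header fields a rule can match on, the routing decision that sends a packet to INPUT, FORWARD or OUTPUT, first-match-wins evaluation within a chain, and a default-deny chain policy when nothing matches. It parses the `iptables -A ... -j ...` command-line form shown above (only the options -A, -s, -d, -p, --sport, --dport, -i, -o and -j, with targets ACCEPT and DROP) into rules. The local addresses, interface names, ruleset and packets in `demo()` are constructed for the example; forwarding is assumed enabled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Header fields a packet filter can match on (slide 10)."""
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    in_iface: str = ""   # interface the packet arrived on; "" if generated locally
    out_iface: str = ""  # interface it will leave on; "" if destined to this host


@dataclass(frozen=True)
class Rule:
    chain: str
    target: str
    match: tuple   # ((packet field, wanted value), ...); fields not listed match anything

    def matches(self, pkt: Packet) -> bool:
        for field, want in self.match:
            have = getattr(pkt, field)
            if field in ("src", "dst"):
                if ipaddress.ip_address(have) not in want:   # want is an ip_network
                    return False
            elif have != want:
                return False
        return True


# option -> (Packet field, converter); a bare address is a /32, as in iptables
OPTIONS = {"-s": ("src", lambda v: ipaddress.ip_network(v, strict=False)),
           "-d": ("dst", lambda v: ipaddress.ip_network(v, strict=False)),
           "-p": ("proto", str), "--sport": ("sport", int), "--dport": ("dport", int),
           "-i": ("in_iface", str), "-o": ("out_iface", str)}


def parse_rule(line: str) -> Rule:
    """Parse one 'iptables -A CHAIN <matches> -j TARGET' line (the subset used here)."""
    tokens = line.split()
    tokens = tokens[1:] if tokens[:1] == ["iptables"] else tokens
    if len(tokens) % 2:
        raise ValueError(f"every option needs a value: {line!r}")
    chain = target = None
    match = []
    for opt, val in zip(tokens[::2], tokens[1::2]):
        if opt == "-A":
            chain = val
        elif opt == "-j":
            target = val
        elif opt in OPTIONS:
            field, convert = OPTIONS[opt]
            match.append((field, convert(val)))
        else:
            raise ValueError(f"unsupported option {opt!r} in {line!r}")
    if chain not in ("INPUT", "FORWARD", "OUTPUT") or target not in ("ACCEPT", "DROP"):
        raise ValueError(f"need -A INPUT|FORWARD|OUTPUT and -j ACCEPT|DROP: {line!r}")
    return Rule(chain, target, tuple(match))


class PacketFilter:
    def __init__(self, local_addresses, policy=None):
        self.local = {ipaddress.ip_address(a) for a in local_addresses}
        self.chains = {"INPUT": [], "FORWARD": [], "OUTPUT": []}
        # Default-deny stance (slide 8): with no matching rule the packet is dropped.
        self.policy = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "DROP", **(policy or {})}

    def append(self, line: str) -> None:
        rule = parse_rule(line)              # -A appends to the end of the named chain
        self.chains[rule.chain].append(rule)

    def select_chain(self, pkt: Packet) -> str:
        """The routing decision that picks the chain (slide 17); forwarding assumed on."""
        if not pkt.in_iface and ipaddress.ip_address(pkt.src) in self.local:
            return "OUTPUT"                  # generated on this box and being sent out
        if ipaddress.ip_address(pkt.dst) in self.local:
            return "INPUT"                   # addressed to this host
        return "FORWARD"                     # for someone else: forwarded if ACCEPTed

    def verdict(self, pkt: Packet) -> str:
        chain = self.select_chain(pkt)
        for rule in self.chains[chain]:      # rules are checked in order, top to bottom
            if rule.matches(pkt):
                return rule.target           # first match wins
        return self.policy[chain]            # no match: the chain's default policy decides


def demo() -> dict:
    """Constructed ruleset and packets; the first rule is the slide's own example."""
    fw = PacketFilter(["127.0.0.1", "192.0.2.10"], policy={"OUTPUT": "ACCEPT"})
    for line in (
        "iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP",
        "iptables -A INPUT -p tcp --dport 22 -s 192.0.2.0/24 -j ACCEPT",
        "iptables -A INPUT -p tcp --dport 22 -j DROP",   # never reached for 192.0.2.0/24
        "iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -j ACCEPT",
    ):
        fw.append(line)
    return {
        "loopback ping": fw.verdict(Packet("127.0.0.1", "127.0.0.1", "icmp", in_iface="lo")),
        "ssh from lan": fw.verdict(Packet("192.0.2.55", "192.0.2.10", "tcp", 40000, 22, "eth1")),
        "ssh from internet": fw.verdict(Packet("203.0.113.7", "192.0.2.10", "tcp", 40000, 22, "eth0")),
        "web to dmz host": fw.verdict(Packet("203.0.113.7", "192.0.2.20", "tcp", 40000, 80, "eth0", "eth1")),
        "telnet to dmz host": fw.verdict(Packet("203.0.113.7", "192.0.2.20", "tcp", 40000, 23, "eth0", "eth1")),
        "outbound dns": fw.verdict(Packet("192.0.2.10", "198.51.100.1", "udp", 50000, 53, "", "eth0")),
    }
```

Two things worth noticing when running `demo()`: the order of the two `--dport 22` rules is what lets LAN ssh through while everything else on port 22 is dropped (swap them and the ACCEPT is never reached), and the telnet packet is dropped by the FORWARD chain's default policy rather than by any explicit rule, which is the default-deny stance in practice.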