710 likes | 1.03k Views
Firewalls. What they do. How they work. Outline. What is a firewall? Architectures Stand Alone / application / proxy Personal / host based Gateway / packet filters Enterprise / hardware Roles Bastion DMZ Packet Filtering concepts IPTables Stateful filtering Packet Forwarding
E N D
Firewalls What they do. How they work.
Outline What is a firewall? Architectures Stand Alone / application / proxy Personal / host based Gateway / packet filters Enterprise / hardware Roles Bastion DMZ Packet Filtering concepts IPTables Stateful filtering Packet Forwarding Ethernet bridge 2
What is a Firewall? A hardware or software device that monitors (and controls ?) the transmission of packets that attempt to pass through the perimeter of a network (or host). Provide 2 basic security functions Packet Filtering Application Proxy gateways Additional security features Log unauthorized (and authorized ?) access attempts Provide VPN Connections Support user authentication Shield internal machines from outside view 3
What should a firewall do? Control the flow of packets to/from Internet Block external login as root (?) Must distinguish between local and Internet packets (even spoofed addresses) Support limited user accounts Log all system activities 4
Types of Firewalls Stand Alone / application / proxy Enterprise / Local Hardware / Software Gateway / router / packet filter Personal / host based Windows firewall – incoming protection ZoneAlarm, Linux, etc. – incoming / outgoing filter 5
Types of Firewalls Router / packet filter Stateful Firewall Internet Host-based Firewall Application Proxy Corporate Network 6
Standalone Proxy FirewallsApplication Gateways Intended to buffer the interface between an internal application and the Internet Web Servers Mail Servers File Transfer Controls flow of packets into and out of local network Limit access to specific web sites Cache results for use by other internal hosts Hide internal IP addresses from network view 7
Enterprise Firewalls Intended to support larger traffic volumes Provides more sophisticated support Stateful filtering, etc. Software Checkpoint Firewall 1, Microsoft ISA, Semantic Enterprise, etc. Hardware Cisco PIX, SonicWall, Watchguard, etc. Expensive! 8
Gateway / Packet Filter May be embedded in sophisticated routers May be used for SOHO networks May be incorporated into small SOHO routers May be incorporated into a gateway host (Linux ?) Provides the ability to monitor and control packets through the gateway / router. Generally support in / out / through filtering May not include stateful filtering capabilities 9
Host-based Firewalls Intended as a last line of defense for the host computer Runs as a background process on host Limited bandwidth available Generally supports incoming port filtering Can specify which ports (if any) can support incoming connection requests. Occasionally supports outgoing filtering (looking for worms, trojans, etc.) 10
Firewall Roles Bastion Hosts Hardened systems that typically run a firewall and perhaps an application as well DMZ – demilitarized zone An isolated subnetwork that includes all services that are offered over the internet (and perhaps to the internal network as well).
Bastion Firewall and Host LAN Internet Firewall Web Server
DMZ LAN Internet DMZ Web E-mail
What is Packet Filtering? The process of deciding which packets to allow through the filter, based on attributes of the packet Source / Destination Port Source / Destination IP Address Status flags in the packet (syn) Originating protocol (icmp, tcp, etc.) Connection state (tcp) Linux (2.4+) supports Netfilter (based on iptables) 14
How does Packet Filtering Work? Define rules to allow or block specific types of packets Firewall screens all packet headers to look for matches against the rules Apply rules in the order in which they are stored Allow or block packets based on rule matches. If a packet matches no rules, apply default behavior to the packet (usually deny). 15
Packet Filtering Issues Rules are complex. Easy to introduce errors Filters based on IP addresses. If authorized sites are hacked, your site is compromised IP Spoofing can fake authorized (internal?) sites. Routers can be hacked to reroute internal packets Activities need to be logged Internal host adresses should be hidden 16
Iptables Administration tool for IPv4 packet filtering and NAT Used to set up, maintain, and inspect the tables of IP packet filtering rules used by the kernel to manage packet flow through the firewall. Based on tables that specify the overall task and chains that identify the position of the packet in the packet flow. 17
IPTables tables Filter table Used to control the flow of packets based on packet attributes Only filter packets, don’t modify packets here. Network Address Translation (NAT) table Used to change the source / destination IP address and / or port of selected incoming / outgoing packets Mangle table Supports specialized packet handling / routing Change contents of packet Experimental and developing tables … 18
Basic Packet Filtering filter table Input Forward LAN Internet RH-Firewall-1-INPUT Output 19
Incoming Packets to Filter Illegal Incoming Source IP Addresses Your IP Address Your LAN Address Private Network Addresses Multicast IP Addresses Loopback Interface Addresses Nuisance sites / networks Remote Source Port Filtering Local Destination Port Filtering Incoming TCP connection-state filtering Probes and Scans DoS Attacks Etc. 20
Packet Filtering alert list CERT www.cert.org – Carnegie-Mellon Software Engrg Inst. www.us-cert.gov – Port Filter List (3/08) DNS zone transfers 53 tftpd 69 link 87 RPC / NFS 111 / 2049 BSD “r” commands 512, 513, 514 lpd 515 uucpd 540 openwindows 2000 X windows 6000 + 21
Outgoing Packets to Filter Why? Consideration for fair use in Internet Distribution of private information Detection of unwanted client programs (Trojans, etc.) See http://www.us-cert.gov/cas/tips/ST06-001.html What Legitimate, routable addresses only Destination IP Addresses Destination ports Source Ports
Filter Table Chains May be associated with any interface (eth0, etc.) INPUT Used to test packets that come into the firewall OUTPUT Used to test packets that are leaving the firewall FORWARD Used to test packets that are passing through the firewall Packets should pass through only 1 chain
Filter table packet flow Forward Chain Routing Drop Input Chain Input Chain Local Processes Output Chain Drop Drop Drop
Iptables rule structure • Iptables –t “table” “action” “chain” rule “target” • Which table are we working with (filter is default) • What action do we want to do to that table (insert, delete, etc.) • Which chain in that table are we working with • What do we want to do? • Where do we go if we match the rule?
IPTables Actions Create a new chain (-N). Delete an empty chain (-X). Change the default policy for a chain. (-P). List the rules in a chain (-L). Flush the rules out of a chain (-F). Zero the packet and byte counters on all rules in a chain (-Z).
IPTables Actions Append a new rule to the end of a chain (-A). Insert a new rule at some position in a chain (-I). Replace a rule at some position in a chain (-R). Delete a rule at some position in a chain, or the first that matches (-D).
IPTables targets • ACCEPT • Stop processing and pass to application / OS • DROP • Stop processing and block packet • LOG • Packet info sent to syslog. Continue processing • REJECT • Stop processing and send reject message to source • DNAT • Change destination network address • SNAT • Change source network address • MASQUERADE • Do source network address translation (PAT)
Example Filter Rules #Allow traffic on the loopback interface iptables –A INPUT –i lo –j ACCEPT iptables –A OUTPUT –i lo –j ACCEPT # Set Default policy for chain Iptables --policy INPUT DROP #Allow all outgoing connections iptables -A block -m state --state NEW -i ! ppp0 \-j ACCEPT #Block incoming attempts to Xwindows iptables –A INPUT –i eth1 -p tcp --syn \ --destination-port 6000-6003 -j REJECT
Example Filter Rules #Allow incoming connections to local web server Iptables –t filter -A block –p tcp --dport 80 --i eth1 \-j ACCEPT #Insert a rule that allows incoming udp packets to port 12345 iptables –I block 7 –p udp –dport 12345 –j ACCEPT #Allow DNS requests NOT from outside iptables -A block –p tcp --dport 53 -m state --state NEW \ -i ! eth1 -j ACCEPT #Allow (and redirect) incoming web connections to 192.168.5.6 iptables –t nat –A PREROUTING –d eth1 -p tcp \ --dport 80 -j DNAT --to-destination 192.168.5.6
Simple Firewall table ## Insert connection-tracking modules (not needed if built into kernel). insmod ip_conntrack insmod ip_conntrack_ftp ## Make chain that blocks new connections, except if coming from LAN. iptables -N block iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT iptables -A block -j DROP ## Jump to that chain from INPUT and FORWARD chains. iptables -A INPUT -j block iptables -A FORWARD -j block
Iptables default config file/etc/sysconfig/iptables # Firewall configuration written by system-config-securitylevel # Manual customization of this file is not recommended. *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :RH-Firewall-1-INPUT - [0:0] -A INPUT -j RH-Firewall-1-INPUT -A FORWARD -j RH-Firewall-1-INPUT -A RH-Firewall-1-INPUT -i lo -j ACCEPT -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT -A RH-Firewall-1-INPUT -p 50 -j ACCEPT -A RH-Firewall-1-INPUT -p 51 -j ACCEPT -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited COMMIT
CentOS 5.5 Firewall – part 1 [rcotter@lserver3 ~]$ sudo iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination RH-Firewall-1-INPUT all -- anywhere anywhere Chain FORWARD (policy ACCEPT) target prot opt source destination RH-Firewall-1-INPUT all -- anywhere anywhere Chain OUTPUT (policy ACCEPT) target prot opt source destination
CentOS 5.5 Firewall – part 2 Chain RH-Firewall-1-INPUT (2 references) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0 ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0 ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 state NEW tcp dpt:22 ACCEPT tcp -- 134.193.12.34 0.0.0.0/0 state NEW tcp dpt:22 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:137 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:138 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:139 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:445 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:2069 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3128 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3306 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Filter table Input, forward chains point to custom chain RH-Firewall-1-INPUT Output chain set to accept all (allow any outgoing traffic) RH-Firewall-1-INPUT chain Initial 4 rules allow broad classes of packets Allow multicast DNS Allow ipp (Internet Printing protocol) Allow incoming UDP packets to port 12345 Special server set up for cs423 class Allow incoming SSH connections Reject everything else!
Network Address Translation What? “Translates” IP addresses and / or ports as packet passes through firewall Only first packet of a connection will traverse the table. All remaining packets are modified the same as the first packet. Why? Private local IP Addresses Multiple Servers (load sharing) Transparent Proxying
NAT table Used to map local IP addresses to a set of routable addresses (NAT) Used to map local IP addresses to a set of ports associated with a single routable address (NAPT) Used to map local IP addresses to a set of ports associated with a variable routable address (masquerade) Dial-up connection Dynamically assigned IP address Other
NAT Two types of NAT Source NAT (snat) used to translate the source IP address of a packet (typically outgoing) Destination NAT (dnat) used to translate the destination IP address of a packet (typically incoming).
NAT table chains Pre-routing Used to test / modify the destination addresses of incoming packets Output Used to change the source (or destination) address of locally generated packets Post-routing Used to change the source address of outgoing packets.
NAT table packet flow Source NAT Post-routing Destination NAT Pre-routing Forward Chain Routing Drop Input Chain Local Processes Output Chain Drop Drop
Simple NAT table rules # Masquerade out ppp0 iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE # Disallow NEW & INVALID incoming or forwarded packets from ppp0. iptables -A INPUT -i ppp0 -m state --state NEW,INVALID -j DROP iptables -A FORWARD -i ppp0 -m state --state NEW,INVALID -j DROP # Turn on IP forwarding (in RAM) echo 1 > /proc/sys/net/ipv4/ip_forward # Turn on IP forwarding (in file /etc/sysctl.conf) net.ipv4.ip_forward = 1
Mangle table Used for special routing and packet modification. Use TOS (type of service) field in IP header. TTL Can be used to set and test markers placed
Mangle Table Routing Internet AS
Linux Firewall Mgmt iptables Make changes to memory image of firewall rules iptables-save Display a copy of the memory image Can redirect the copy to a file using output redirection Iptables-save > /etc/sysconfig/iptables iptables-restore Rebuild memory image from keyboard or file (using redirection) Security Level and Firewall Applet (Fedora) Creates an automatic backup file: /etc/sysconfig/iptables
IPTables Constraints Based on IP – only Don’t run IPX, appletalk, etc. as these protocols are not filtered Packets traversing the filter table will pass through only 1 chain
Port Forwarding HTTPD LAN Internet 123.234.56.78:80 192.168.3.6:80
IPTables Port Forwarding For incoming packets iptables -t nat -A PREROUTING -p tcp -d <published-ip> --dport <published-port> -j DNAT --to-destination <private-ip>:<private-port> For returned packets iptables -m conntrack --ctstate DNAT -t nat -A POSTROUTING -p tcp -d <private-ip> --dport <private-port> -j SNAT --to-source <published-ip> For packets originating on firewall iptables -t nat -A OUTPUT -p tcp -d <published-ip> --dport <published-port> -j DNAT --to-destination <private-ip>:<private-port>
IPtables rerouting Issues • Often, when we re-route packets, we only need to change destination (or source) IP address. • Sometimes (if we are rerouting to a locally connected destination) we need to change both IP address and MAC address. • IPtables only filters IP traffic. It cannot change IPX, netBEUI, Appletalk, etc.
EBtables • Ethernet Bridge tables • Intended to support filtering of packets that IPtables cannot filter – Ethernet protocol, MAC address, ARP, netBEUI, IPX, etc. • Basically adds non–IP filtering. • 802.1Q VLAN filtering • MAC address NAT • Frame counters • Linux bridge-nf code • Passes bridged traffic to IPtables