
Firewalls in Linux



  1. Firewalls in Linux Rodney Barker Amanda Bolster Jennifer Dixon

  2. Overview • START • The Project Objectives • Definitions • What firewall? What technology? • Installation Process • Testing • Problems encountered • END

  3. The Project … • Objectives • Successfully install a firewall on the Linux-Mandrake Operating System • To learn about firewalls • Why? • We haven’t done it before • To Have FUN!!!

  4. What is a Firewall? • “A system designed to prevent unauthorized access to or from a private network” (www.webopedia.com) • Often used to protect Intranets • Set of security criteria to define access to a computer or network of computers

  5. Firewalls and Network Interfaces Firewall Internet Intranet Internal NIC External NIC Firewalls that protect a network from the Internet have two Network Interfaces, one for the Internet, one for the Intranet.

  6. Firewall Techniques • Packet Filter • Based on a set of rules, accept or reject each packet • Application Gateway • Place restrictions on specific applications (e.g. FTP) • Circuit-Level Gateway • Apply security mechanisms when the connection between computers is established • Proxy Server • Hides true network addresses

  7. Protocols Related to Firewall Security • Different protocols exist at different layers of the OSI (Open System Interconnection) model.

  8. Firewall Security and the OSI Model • Because different protocols exist at different levels of the OSI model, firewalls must also provide security at different levels. • The lower down the OSI model the firewall can provide security, the more effective and efficient the firewall is. • Firewalls provide security at different levels by establishing IP chain rules for each protocol.

  9. Setting the Firewall Scene… • Where? • In the Linux Lab (PIII computer, called Linux1) • When? • On a dark and stormy Sunday • What? • Linux-Mandrake OS • Who? • Rodney, Amanda, and Jennifer

  10. Theoretical Firewall Use • Our group selected an installation and configuration process for setting-up a personal firewall at home, suitable for: • Firewall security for a single personal PC; or • Firewall security for a small network • Therefore, this process is easy for other students and first-time users to understand.

  11. Choosing a Firewall • Use the Firewall included with Linux-Mandrake OS • Only a personal (not network) firewall • Download free firewall from Internet • www.freshmeat.net • www.linux-mandrake.com • Purchase a Firewall • www.linuxiso.org/

  12. PMFirewall • Features • Autodetection of the IP Address and Netmask of each interface. • Blocking of NetBIOS, NetBUS, Back Orifice and Samba attacks. • Protection against IP Spoofing Attacks.

  13. PMFirewall • Features (cont.) • Logging of DENY packets. • Masquerading support is decided during install. • Custom rules can be added to the pmfirewall.rules.local file.

  14. PM Firewall Technology • The technology underlying PMFirewall is known as IP Chain Software. • This is the case for many Firewall packages designed for Linux operating systems. • The configuration of the PMFirewall package automatically configures the underlying IP Chain Software (saving the user from entering the commands manually).

  15. IP Chain Software Description • IP Chain Software is described by its author Paul Russell as: "...an update to [and hopefully an improvement upon] the 2.0 Linux packet-filtering code, for the 2.2 Linux kernel…" • IP Chain Software allows for the setting up of a Firewall as well as providing access for multiple PCs using a single Internet connection

  16. IP Chain Software Explained • Inbuilt in the kernel of Linux operating system are IP packet filtering capabilities. • IP Chain software is a program that makes use of these facilities. • The program examines the header of a packet to determine what action is suitable for each packet. • Actions include: • DENY (discard the packet silently) • ACCEPT (let the packet through or out) • REJECT (deny and notify the source of the packet)

  17. Obtaining IP Chain Software • Most distributions of Linux come with preinstalled IP Chain Software. • IP Chain Software is also readily available for free all over the Internet, below is just one example. • http://www.rustcorp.com/linux/ipchains/ Incidentally you cannot access this site from within the Bond Network as ITS classifies it as Porn!

  18. IP Chains and Kernels • Certain IP Chain Software is not compatible with certain Linux kernels • (As we found out, the IP Chain software used in the Linux-Mandrake 8.0 kernel is not compatible with the PMFirewall package we were using.) • Setting up IP Chain Software on older Linux kernels (earlier than 2.2) may require kernel manipulation and extra configuration.

  19. IP Chains and Kernels • Some newer Linux distributions still require the kernel to be changed to allow IP Masquerading (e.g. SuSE) • This requires changing and recompiling the kernel source code (!Danger). • This is not required when installing PMFirewall on Linux-Mandrake.

  20. IP Chain Syntax (Briefly) • The configuration of PMFirewall does not require knowledge of IP Chain Software. However, for interest, this has been included. • General Format: ipchains <command> <chain> [<options>] • Switches • -F : flush a chain so it starts fresh • -P : sets default handling (policy) • -A : adds conditions or rules • -L : view all rules • E.g. ipchains -L

  21. IP Chain Syntax • The rule can apply to • input (incoming traffic) • output (outgoing traffic) • forward (forwarding traffic) • More switches • -i : Specify network card • -s : Source address • -d : Destination address • -j : Jump - specify action

  22. IP Chain Syntax • The jump switch allows us to specify the action to take with the packet (ACCEPT, REJECT, DENY). • If the Firewall is responsible for masquerading, an option for this switch can be MASQ, in which case the packet's IP address and port will be modified.

  23. IP Chains Example ipchains -A input -i eth0 -s 10.2.0.0/16 -d 0.0.0.0/0 -j REJECT • This command adds a rule to REJECT all INCOMING packets to eth0 from the SOURCE address 10.2.x.x going to any DESTINATION address. • All IP Chains rules for the PMFirewall package are automatically generated to avoid doing this.

  24. IP Chains Example (annotated) ipchains -A input -i eth0 -s 10.2.0.0/16 -d 0.0.0.0/0 -j REJECT • -A : adds a rule • input : incoming packets • -i eth0 : specify network card • -s 10.2.0.0/16 : specify source address • -d 0.0.0.0/0 : specify destination address • -j REJECT : specify action to take

  25. Installation Process

  26. Downloading PMFirewall • We downloaded PMFirewall from: • www.pmfirewall.com/PMFirewall/ • The package was then transferred to the Linux lab in the school of IT. • The package was unzipped into amanda’s home directory.

  27. Configuring and Starting the Firewall • Our initial configuration and starting of the firewall failed. The error message displayed informed us that the IP Chains in use were incompatible with the kernel. • The package we had selected was compatible with the Linux kernel 2.2 (Linux-Mandrake 7.2). We had assumed that it was compatible with the Linux kernel 2.4 (Linux-Mandrake 8.0). This assumption was wrong. • As a solution we moved to a machine running Linux-Mandrake 7.2, and ensured it was correctly connected to the network.

  28. Configuration Interface • The configuration offered by PMFirewall was command driven. No GUI facilities were offered. • Configuration started by typing sh install.sh in a console window, ensuring we were in the directory of the unpacked Firewall. • Configuration was in a clear question-answer format.

  29. Phases of Configuration Configuration consisted of three phases: • Phase 1: IP blocking and permitting • Phase 2: Setting up underlying IP Chains • Phase 3: Preparing the Linux kernel

  30. Phase 1: IP blocking and permitting • Consisted of a set of questions asking us 1. To specify the IP address of any machine we wished to block from all services permanently. As we did not yet know any hostile IP addresses, we answered NO to this. 2. To specify the IP address of any machine we wished to grant full access to all services permanently. Again, we answered NO to this.

  31. Phase 1 Continued 3. If we wanted our firewall to start on boot-up. For security reasons we answered yes to this. 4. To specify the IP addresses of the internal network card eth0 and the external network card eth1.

  32. Address Assignment Via DHCP • During phase 1 we were asked if our external IP address or our internal IP address was assigned via DHCP. • Dynamic Host Configuration Protocol is a protocol that lets network administrators or ISPs centrally manage and automate the assignment of IP addresses. • Each time a computer connects to the Internet (or network), the host sends a request to the ISP (or administrator) for an IP address; the ISP (or administrator) automatically checks which addresses are available and replies with the relevant address.

  33. DHCP Continued • As Linux1 has a permanent IP address within the Linux Lab (not assigned with DHCP), we answered NO to this question. • If we were connecting to the Internet through an ISP such as Bigpond, we would answer YES to this question.

  34. Phase 2: Setting up IP Chains • Consisted of a set of questions asking us to specify which protocols we wished our Firewall to allow. • The package used these questions to set up the IP Chains for the Firewall.

  35. IP Chains • We were later able to view the IP Chains list to see how these questions were turned into rules. • This was done by going to the /sbin directory and typing the command • ipchains -L

  36. Phase 3 • Consisted of some questions asking if we wished our Firewall to contain, for example: • Masquerading Masquerading allows outgoing packets from internal hosts to be given the source address of the firewall, rather than their internal IP addresses.

  37. Original Firewall Configuration • The first time we configured our Firewall we disallowed everything • To test if the Firewall was functioning properly we had to test if anything would be allowed by the firewall • In order to do this, the following servers had to be installed on our Firewall: Apache Server, SSH Server, FTP, Finger • We then tested if the Firewall would successfully block these services

  38. Apache Server • Apache is a Web Server Software Application • Delivers (serves) web pages on the Internet

  39. SSH Server • Secure Shell • A program that allows a user to log into another computer over a network • It provides secure communication with encryption

  40. FTP • File Transfer Protocol • A protocol that is used on the Internet for sending/transferring files

  41. Finger • This is a program in UNIX that takes an e-mail address and returns information about the user of that e-mail address, such as: • Is that user currently logged on? • User's full name • User's address • User's telephone number

  42. Testing

  43. Testing • Test to see if firewall denied the packets on the ports that were closed • To see if the packets were accepted on the ports that were allowed.

  44. Order • First ping to see if the computer is responding • Ping (Packet Internet Groper) – determines whether an IP Address is accessible by sending a packet to the specified address and waiting for a reply • Test ports to see if the client could access the server

  45. Method • First disallowed access to the server on all ports, except control packets • eg ICMP (Internet Control Message Protocol) – supports packets that contain error, control, and informational messages. ICMP is used by Ping. • Allow one service to clients • Allow multiple services to clients
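The ipchains syntax from slides 20-24 and the test plan from slides 37 and 45 (deny everything, keep ICMP so ping works, then open one service at a time) can be written as a small script. This is an added example, not PMFirewall's generated rules or the presenters' own commands; it assumes eth0 is internal and eth1 external as in the slides, and the internal network 192.168.1.0/24 is a constructed sample value.

```shell
#!/bin/sh
# Added example: minimal ipchains rule set for the "disallow everything,
# then allow one service" test plan. Not PMFirewall output.
# Set IPCHAINS=echo to print the commands instead of applying them.
IPCHAINS="${IPCHAINS:-ipchains}"
INT_IF=eth0                 # internal NIC (slide 31)
EXT_IF=eth1                 # external NIC (slide 31)
INT_NET=192.168.1.0/24      # constructed sample internal network

# Start fresh and deny everything inbound except ICMP (ping still answers).
deny_all() {
    "$IPCHAINS" -F input
    "$IPCHAINS" -F output
    "$IPCHAINS" -F forward
    "$IPCHAINS" -P input DENY
    "$IPCHAINS" -P forward DENY
    "$IPCHAINS" -P output ACCEPT
    "$IPCHAINS" -A input -p icmp -j ACCEPT
    # Anti-spoofing: an internal source address must never arrive on the external NIC.
    "$IPCHAINS" -A input -i "$EXT_IF" -s "$INT_NET" -d 0.0.0.0/0 -j DENY
}

# Open one TCP service on the firewall (e.g. 22 for SSH, 80 for Apache,
# 21 for FTP, 79 for finger) to clients on the internal network only.
allow_service() {
    port="$1"
    "$IPCHAINS" -A input -i "$INT_IF" -p tcp -s "$INT_NET" -d 0.0.0.0/0 "$port" -j ACCEPT
}

# Phase 3 option (slide 36): masquerade internal hosts behind the firewall.
enable_masq() {
    "$IPCHAINS" -A forward -i "$EXT_IF" -s "$INT_NET" -d 0.0.0.0/0 -j MASQ
}

# Usage: sh fw.sh deny | allow PORT | masq   (IPCHAINS=echo for a dry run)
case "${1:-}" in
    deny)  deny_all ;;
    allow) allow_service "$2" ;;
    masq)  enable_masq ;;
esac
```

Run `sh fw.sh deny` first, then `sh fw.sh allow 22` and repeat the client test from slide 44 for each service; `ipchains -L` (slide 35) shows the resulting rules.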

  46. Linux Ping

  47. Windows Ping
