Firewall IP Tables
32-4 FIREWALLS All previous security measures cannot prevent Eve from sending a harmful message to a system. To control access to a system, we need firewalls. A firewall is a device installed between the internal network of an organization and the rest of the Internet. It is designed to forward some packets and filter (not forward) others. Topics discussed in this section: Packet-Filter Firewall, Proxy Firewall
What Is a Firewall? • a choke point of control and monitoring • interconnects networks with differing trust • imposes restrictions on network services • only authorized traffic is allowed • auditing and controlling access • can implement alarms for abnormal behavior • is itself immune to penetration • provides perimeter defence
What Is a Firewall? • cannot protect from attacks bypassing it • e.g. sneaker net, utility modems, trusted organisations, trusted services (e.g. SSL/SSH) • cannot protect against internal threats • e.g. disgruntled employee • cannot protect against transfer of all virus-infected programs or files • because of the huge range of O/S & file types
Types of Firewalls • Packet Filters • Application-Level Gateways • Circuit-Level Gateways
Note A packet-filter firewall filters at the network or transport layer.
Packet Filters • simplest of components • foundation of any firewall system • examine each IP packet (no context) and permit or deny according to rules • hence restrict access to services (ports) • possible default policies • that which is not expressly permitted is prohibited • that which is not expressly prohibited is permitted
Attacks on Packet Filters • IP address spoofing • fake source address to be trusted • add filters on router to block • source routing attacks • attacker sets a route other than default • block source routed packets • tiny fragment attacks • split header info over several tiny packets • either discard or reassemble before check
IP Tables Stateful Packet Filters • examine each IP packet in context • keep track of client-server sessions • check that each packet validly belongs to one • better able to detect bogus packets out of context
Question - 1 • Can a stateless firewall block TCP connection initiation requests from an external location to any local host, but at the same time allow returning traffic from connections initiated by local hosts? Why or why not? Answer: Yes. The firewall filters out SYN packets to a local host, but allows SYN-ACK and other packets to flow through.
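As an added illustration of Question 1 and of the stateful-filter slide above (example code, not part of the original slides), here is a toy model of both filters run over a constructed packet trace; addresses, ports and the trace are made up.

```python
# Toy packet model for the stateless-vs-stateful comparison. Addresses,
# ports and the trace below are constructed for this example.
def mk(direction, src, sport, dst, dport, syn=False, ack=False):
    return {"dir": direction, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "syn": syn, "ack": ack}

def stateless(pkt):
    """Question 1 as a stateless rule: drop inbound connection attempts
    (SYN set, ACK clear); every other packet is judged on its own."""
    if pkt["dir"] == "in" and pkt["syn"] and not pkt["ack"]:
        return "DROP"
    return "ACCEPT"

class Stateful:
    """Tracks sessions opened from inside; an inbound packet is accepted
    only if it belongs to one of them (it is 'in context')."""
    def __init__(self):
        self.sessions = set()   # (local_ip, local_port, remote_ip, remote_port)

    def __call__(self, pkt):
        if pkt["dir"] == "out":
            if pkt["syn"] and not pkt["ack"]:      # local host opens a session
                self.sessions.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
            return "ACCEPT"
        key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        return "ACCEPT" if key in self.sessions else "DROP"

TRACE = [
    mk("in", "203.0.113.7", 40000, "192.168.1.10", 22, syn=True),            # external SYN
    mk("out", "192.168.1.10", 51000, "198.51.100.5", 80, syn=True),          # local host opens HTTP
    mk("in", "198.51.100.5", 80, "192.168.1.10", 51000, syn=True, ack=True),  # matching SYN-ACK
    mk("in", "203.0.113.7", 40001, "192.168.1.10", 22, ack=True),            # bogus ACK, no session
]

def run(filter_fn, packets=TRACE):
    """Apply one filter to the whole trace and return the verdicts in order."""
    return [filter_fn(p) for p in packets]

if __name__ == "__main__":
    print("stateless:", run(stateless))   # the bogus ACK slips through
    print("stateful: ", run(Stateful()))  # the bogus ACK is caught
```

Both filters answer Question 1 correctly; only the stateful one rejects the fourth packet, which is the "bogus packet out of context" the stateful slide refers to.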
Note A proxy firewall filters at the application layer.
Proxy Firewall • What is the function of the proxy server in a security context? • In computer networks, a proxy server is a server (a computer system or an application program) which services the requests of its clients by forwarding requests to other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource, available from a different server. The proxy server provides the resource by connecting to the specified server and requesting the service on behalf of the client. A proxy server may optionally alter the client's request or the server's response, and sometimes it may serve the request without contacting the specified server. In this case, it would 'cache' the first request to the remote server, so it could save the information for later, and make everything as fast as possible.
Firewalls - Application Level Gateway (or Proxy) • use an application-specific gateway / proxy • has full access to the protocol • user requests service from the proxy • proxy validates the request as legal • then carries out the request and returns the result to the user • need separate proxies for each service • some services naturally support proxying • others are more problematic • custom services generally not supported
Question - 2 • What is an application-level gateway? Answer: An application-level gateway, also called a proxy server, acts as a relay of application-level traffic.
Question - 3 • Explain the difference between packet filters and application layer proxies. Answer: Packet filters look at packets one at a time, while application-layer proxies reconstruct application layer entities, such as email messages, files, and web pages.
Firewalls - Circuit Level Gateway What is a gateway that we need to cross?
Circuit Level Gateway • relays two TCP connections • imposes security by limiting which such connections are allowed • once created, usually relays traffic without examining contents • typically used when internal users are trusted, by allowing general outbound connections • SOCKS commonly used for this
Question - 4 • What is a circuit-level gateway? Answer: A circuit-level gateway does not permit an end-to-end TCP connection; rather, the gateway sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host. Once the two connections are established, the gateway typically relays TCP segments from one connection to the other without examining the contents. The security function consists of determining which connections will be allowed.
Question - 5 • What is the main security benefit of NAT and why is it useful to combine NAT with a firewall, instead of using separate NAT and firewall devices? Answer: NAT hides the addresses of devices behind the NAT device and prevents attacks that use knowledge of internal network addresses behind the NAT device. Some firewall policies, such as allowing traffic to high-numbered ports only if there was a matching outgoing request, require port numbers and internal addresses. This is easier to determine if the firewall also knows the NAT translation table.
Question - 6 • In a distributed firewall, an administrator ships out firewall rules to hosts over an authenticated channel, and each host enforces its own policy. Give one advantage and one disadvantage of a distributed firewall, in comparison with a centralized firewall. Answer: Advantage: Can filter traffic between internal hosts on the local network. For example, prevent ssh connections from certain internal hosts, avoiding possible attacks if they are compromised. Disadvantage: Cannot protect against external flooding of an internal network – in a DoS attack, the links between local hosts will be flooded, whereas this could be prevented by throttling incoming traffic at a gateway firewall.
Firewall IP Tables
What is netfilter/iptables? • Netfilter and iptables are building blocks of a framework inside the Linux 2.4.x and 2.6.x kernel. This framework enables packet filtering, network address [and port] translation (NA[P]T) and other packet mangling. It is the re-designed and heavily improved successor of the previous Linux 2.2.x ipchains and Linux 2.0.x ipfwadm systems.
Packet Processing in IP Tables • All packets inspected by iptables pass through a sequence of built-in tables (queues) for processing. Each of these queues is dedicated to a particular type of packet activity and is controlled by an associated packet transformation/filtering chain. • There are three tables in total. The first is the mangle table, which is responsible for the alteration of quality of service bits in the TCP header. This is hardly used in a home or SOHO environment. • The second table is the filter queue, which is responsible for packet filtering. It has three built-in chains in which you can place your firewall policy rules. • The third table is the nat queue, which is responsible for network address translation. It has two built-in chains.
Processing For Packets Routed By The Firewall 1/2 • You need to specify the table and the chain for each firewall rule you create. There is an exception: most rules are related to filtering, so iptables assumes that any chain that's defined without an associated table will be a part of the filter table. The filter table is therefore the default.
Processing For Packets Routed By The Firewall 2/2 • To help understand iptables, take a look at the way packets are handled by iptables. In the figure, a TCP packet from the Internet arrives at the firewall's interface on Network A to create a data connection. • The packet is first examined by your rules in the mangle table's PREROUTING chain, if any. It is then inspected by the rules in the nat table's PREROUTING chain to see whether the packet requires DNAT. It is then routed. • If the packet is destined for a protected network, then it is filtered by the rules in the FORWARD chain of the filter table and, if necessary, the packet undergoes SNAT before arriving at Network B. When the destination server decides to reply, the packet undergoes the same sequence of steps. • If the packet is destined for the firewall itself, then it is filtered by the rules in the INPUT chain of the filter table before being processed by the intended application on the firewall. At some point, the firewall needs to reply. This reply is inspected by your rules in the OUTPUT chain of the mangle table, if any. The rules in the OUTPUT chain of the nat table determine whether address translation is required, and the rules in the OUTPUT chain of the filter table are then inspected before the packet is routed back to the Internet.
Targets & Jumps • Each firewall rule inspects each IP packet and then tries to identify it as the target of some sort of operation. Once a target is identified, the packet needs to jump over to it for further processing. • ACCEPT • iptables stops further processing. • The packet is handed over to the end application or the operating system for processing. • DROP • iptables stops further processing. • The packet is blocked. • LOG • The packet information is sent to the syslog daemon for logging. • iptables continues processing with the next rule in the table. • You can't log and drop at the same time -> use two rules. --log-prefix "reason" • REJECT • Works like the DROP target, but also returns an error message to the host sending the packet, telling it that the packet was blocked. --reject-with qualifier, where the qualifier is an ICMP message type
Targets & Jumps • SNAT • Used to do source network address translation, i.e. rewriting the source IP address of the packet. • The source IP address is user defined: --to-source <address>[-<address>][:<port>-<port>] • DNAT • Used to do destination network address translation, i.e. rewriting the destination IP address of the packet: --to-destination ipaddress • MASQUERADE • Used to do source network address translation. • By default the source IP address is the same as that used by the firewall's interface: [--to-ports <port>[-<port>]]
Important Iptables Command Switch Operations • Firewall rules are stored in scripts or databases; most common is scripts. • One row example: • iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p TCP -j ACCEPT • Each line of an iptables script not only has a jump, but also has a number of command line options that are used to append rules to chains that match your defined packet characteristics, such as the source IP address and TCP port. There are also options that can be used to just clear a chain so you can start all over again. • iptables is being configured to allow the firewall to accept TCP packets coming in on interface eth0 from any IP address destined for the firewall's IP address of 192.168.1.1. The 0/0 representation of an IP address means any.
Common TCP and UDP Match Criteria • Example: • iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP \ --sport 1024:65535 --dport 80 -j ACCEPT • iptables is being configured to allow the firewall to accept TCP packets for routing when they enter on interface eth0 from any IP address and are destined for an IP address of 192.168.1.58 that is reachable via interface eth1. The source port is in the range 1024 to 65535 and the destination port is port 80 (www/http).
Defense for SYN flood attacks • You can expand on the limit feature of iptables to reduce your vulnerability to certain types of denial of service attack. Here a defense for SYN flood attacks was created by limiting the acceptance of TCP segments with the SYN bit set to no more than five per second. • -m limit sets the maximum number of SYN packets • iptables is being configured to allow the firewall to accept a maximum of 5 TCP SYN packets per second on interface eth0: iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT • If more than 5 SYN packets per second arrive, the excess packets are dropped. • If the source/destination senses dropped packets, it will resend three times. • If drops continue after 3 reset packets, the source will reduce its packet speed.
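The two match-criteria slides (the INPUT and FORWARD examples) and the SYN-limit slide are illustrated below by an added example that is not part of the original slides: a small first-match evaluator for exactly the switches those rules use, and a token-bucket model of `-m limit`. The packets, arrival times and the token-bucket simplification are assumptions made for the example.

```python
import ipaddress
import shlex

# The two rules quoted on the slides (filter table; the backslash-continued
# FORWARD rule is joined into one string).
RULES = [
    "iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p TCP -j ACCEPT",
    "iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP "
    "--sport 1024:65535 --dport 80 -j ACCEPT",
]

def _net(text):   # iptables accepts 0/0 as shorthand for "any address"
    return ipaddress.ip_network("0.0.0.0/0" if text == "0/0" else text, strict=False)

def _ports(text):   # '80' -> (80, 80); '1024:65535' -> (1024, 65535)
    lo, _, hi = text.partition(":")
    return int(lo), int(hi or lo)

# switch -> (criterion name, converter); only the switches used above
OPTS = {"-A": ("chain", str), "-s": ("src", _net), "-d": ("dst", _net),
        "-i": ("in", str), "-o": ("out", str), "-p": ("proto", str.lower),
        "--sport": ("sport", _ports), "--dport": ("dport", _ports),
        "-j": ("target", str)}

def parse_rule(line):
    """Turn one iptables command line into a dict of match criteria."""
    toks = shlex.split(line)[1:]              # drop the leading "iptables"
    rule = {}
    while toks:
        key, conv = OPTS[toks.pop(0)]         # unknown switch -> KeyError
        rule[key] = conv(toks.pop(0))
    return rule

def matches(rule, pkt):
    """A rule matches when every criterion it states agrees with the packet."""
    tests = {
        "src": lambda v: ipaddress.ip_address(pkt["src"]) in v,
        "dst": lambda v: ipaddress.ip_address(pkt["dst"]) in v,
        "in": lambda v: pkt.get("in") == v,
        "out": lambda v: pkt.get("out") == v,
        "proto": lambda v: pkt["proto"] == v,
        "sport": lambda v: v[0] <= pkt["sport"] <= v[1],
        "dport": lambda v: v[0] <= pkt["dport"] <= v[1],
    }
    return all(tests[k](rule[k]) for k in tests if k in rule)

def evaluate(chain, pkt, lines=RULES, policy="DROP"):
    """First matching rule in the chain decides; otherwise the chain policy."""
    for rule in map(parse_rule, lines):
        if rule["chain"] == chain and matches(rule, pkt):
            return rule["target"]
    return policy
```

A packet that matches no rule falls through to the chain policy, which is why a permissive policy quietly undoes an ACCEPT-only rule set.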
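To show what the SYN-limit rule on the slide actually does over time, here is an added token-bucket model of `-m limit --limit 5/s` (example code, not part of the original slides). It assumes iptables' default burst of 5 and models the limit as a plain token bucket; the packet traces are constructed.

```python
SYN = {"syn": True, "ack": False}      # a bare connection request
ACK = {"syn": False, "ack": True}      # ordinary mid-connection traffic

class LimitMatch:
    """Token-bucket model of '-m limit --limit 5/s' with the default burst of 5.
    Assumption: the real module is credit-based, but a plain token bucket
    reproduces the same accept/drop pattern for this illustration."""
    def __init__(self, rate=5.0, burst=5):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allows(self, now):
        elapsed = now - self.last
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def syn_chain(packets):
    """INPUT chain as on the slide: rate-limited ACCEPT for SYNs. The slide's
    rule alone lets excess SYNs fall through, so a DROP rule (or a DROP chain
    policy) must follow it; that catch-all is modelled explicitly here."""
    limit = LimitMatch()
    verdicts = []
    for t, pkt in packets:               # (arrival time in seconds, packet)
        if pkt["syn"] and not pkt["ack"]:
            verdicts.append("ACCEPT" if limit.allows(t) else "DROP")
        else:
            verdicts.append("ACCEPT")    # --syn does not match, so not limited
    return verdicts

# Constructed traces: a flood of 12 SYNs at t=0 and 10 more at t=1 s,
# versus a well-behaved client pacing one SYN every 0.25 s.
FLOOD = [(0.0, SYN)] * 12 + [(1.0, SYN)] * 10 + [(1.0, ACK)]
PACED = [(i * 0.25, SYN) for i in range(20)]

def summary(packets):
    """(accepted, dropped) counts for a trace."""
    v = syn_chain(packets)
    return v.count("ACCEPT"), v.count("DROP")
```

The flood gets only 5 SYNs through per second while the paced client loses nothing, which is the trade-off the slide describes.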
Saving Your iptables Scripts • For RedHat based distributions: • The service iptables save command permanently saves the iptables configuration in the /etc/sysconfig/iptables file. When the system reboots, the iptables-restore program reads the configuration and makes it the active configuration. • The format of the /etc/sysconfig/iptables file is slightly different from that of the scripts shown in this chapter. The initialization of built-in chains is automatic and the string "iptables" is omitted from the rule statements. • Fedora comes with a program called lokkit that you can use to generate a very rudimentary firewall rule set. It prompts for the level of security and then gives you the option of doing simple customizations. It is a good place for beginners to start on a test system so that they can see a general rule structure. • Like the service iptables save command, lokkit saves the firewall rules in a new /etc/sysconfig/iptables file for use on the next reboot. • Once you have become familiar with the iptables syntax, it's best to write scripts that you can comment and then save to /etc/sysconfig/iptables. It makes them much more manageable and readable.