1 / 37

Firewalls

Firewalls. Firewalls protect our network from the world Firewalls protect our network from us. Firewall Architecture Basic. External Servers. Public Servers. Internet. Internal Servers. Firewall. External Clients. Internal Clients. Internal Private Network.

ling
Download Presentation

Firewalls

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Firewalls • Firewalls protect our network from the world • Firewalls protect our network from us

  2. Firewall ArchitectureBasic External Servers Public Servers Internet Internal Servers Firewall External Clients Internal Clients Internal Private Network External public network

  3. Firewall ArchitectureLayered External Servers Public Servers Internal Servers Internet Exterior firewall Interior firewall Internal Clients External Clients Screened Service Network Internal Private Network External Public Network

  4. Firewall ArchitectureEnterprise Public Network Protected Network Internal Servers External DNS SMTP Server Web Server Internal DNS Mail Server IDS Internet Logging Alerting Server Exterior Firewall Interior Firewall Internal Clients

  5. Packet FiltersLinux • IPChains • Static packet inspection • Red Hat 7.3 and earlier • Inspects fields in the packet • Maintains a rule set • IPTables • Statefull packet inspection • Red Hat 7.0 and later • Inspects fields and state consistency of the packet • Maintains a rule set

  6. iptables • Stateful Packet Filters • Keeps track of the state of each connection • Concept of state in common protocols • iptables command

  7. IPTables Uses most of the command structure of ipchains Uses some of the architecture of ipchains Topics Command structure Parameters Simple tables

  8. IPTables • Three tables each consists of one or more chains • filter • nat • mangle

  9. Filter Table • Consists of three chains • FORWARD • For packets forwarded from one network interface to another network interface • INPUT • For packets sent to firewall host • OUTPUT • For packets sent by firewall host

  10. NAT Table • NAT – Network Address Translation • PREROUTING • Destination NAT operations • POSTROUTING • Source NAT operations

  11. Mangle Table • Enables the modification of the TOS or the TTL field and used for load balancing when there are multiple firewalls • PREROUTING, OUTPUT chains • Kernel <= 2.4.17 • PREROUTING, INPUT, FOREWARDING, OUTPUT and POSTROUTING chains • Kernel >= 2.4.18

  12. User Chains • Chains of rules • Associated with a specific table • A packet can be diverted to a user chain • The packet is returned to the step after it's diversion

  13. Packet Path Network mangle PREROUTING filter INPUT filter OUTPUT nat POSTROUTING nat PREROUTING Local Process Mangle OUTPUT route Network filter FORWARD

  14. Command Structure Iptables operation chain specs -j target flags

  15. Rule Operations • -I Add a rule to the head of a chain • -A Appends a rule to the tail of a chain • -D Deletes a rule that matches the specifiers • -R Replaces a rule in a chain Syntax iptables -t table -OPchain specifiers iptables -t table -OPchain line# specifiers iptables -OP chain specifiers

  16. Chain Operations • Listing a chain iptables -t table -L chain iptables -L chain iptables -L • Flags -n addr/port numbers rather than names -v verbose --line-numbers include line numbers in the listing

  17. Chain Operationscont'd • Flushing a chain Deletes all rules associated with a chain iptables -t table -F chain iptables -F chain iptables -F • Setting the default policy of a chain (filter) iptables -P chain policy policy – DROP, ACCEPT, REJECT

  18. Chain Operationscont'd • Creating a user chain iptables -t table -N chain iptables -N chain • Deleting a user chain iptables -t table -X chain iptables -X chain iptables -X • Renaming a user chain iptables -t table -E old new iptables -E old new

  19. Chain Operationscont'd • Chain counter • Iptables maintains a set of counters for each rule • Counts the number of packets and bytes processed by each rule • Zeroing a chain's counters iptables -t table -Z chain iptables -Z chain iptables -Z

  20. Packet characteristicsspecs • Protocol • Source IP • Destination IP • Input Interface • Output interface • Frag flag • TCP Datagrams • Src port • Dest port • Flags • TCP options • UDP Datagrams • Src port • Dest port • ICMP Messages • Type and code

  21. Protocol field • Protocol name: tcp,udp,icmp • /etc/protocols • Protocol number • 0 or all • -p tcp, udp • -p ! tcp • -p all

  22. icmp Type and CodeRFC 792 • -p icmp –icmp-type echo-request • Examples • echo-request • echo-reply • destination-unreachable • source-quench • time-exceeded

  23. Private IP Addresses 10.0.0.0 - 10.255.255.255 (10/8 prefix) 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

  24. Source/DestinationIP Address • -s -d - source destination • -s 1.2.3.4 • -s 192.168.0.1/255.255.255.0 • IP address/network mask • Specifies a range of IP addresses • -s 192.168.0.0/24 • Specifies a range of addresses • 192.168.0.0 – 192.168.0.255 • -s ! 10.0.0.0/8 • Everything except 10.0.0.0-10.255.255.255

  25. Interface • -i Input interface • Only in INPUT, FORWARD, PREROUTING chains • -i eth0 • -i ! eth0 except eth0 • -i eth+ all ethernet interfaces • -i lo loop back interface • -o Output interface • Only in OUTPUT, FORWARD, POSTROUTING chains

  26. Fragment • -f frag flag is set • ! -f frag flag is not set

  27. Port specs • --sport Source port • --dport Destination port • -p tcp --sport 80 • -p udp –-dport 53 • -p tcp,udp --sport 0:1023 • -p tcp,udp --sport 1024 • -p tcp,udp –-dport 1024:

  28. SYN • Tests tcp packets for SYN to be set and ACK and FIN not set • -p tcp –-syn Filters all packets requesting tcp connection • -p tcp ! --syn

  29. TCP Flags • -p tcp –tcp-flags SYN,ACK,FIN SYN • Tests SYN, ACK, FIN flags to see if the SYN bit is the only flag set • Possible flags • ACK • FIN • RST • PSH • SYN • URG

  30. Connection State • -m state –-state state-specifier • State-specifiers • NEW • Associated with a connection request • ESTABLISHED • Associated with an established connection • RELATED • Associated with a new connection request related to an established connection (ftp, icmp) • INVALID • Associated with a bad connection or is malformed

  31. Rate Limits -m limit –-limit rate/unit • rate/unit • rate • Packets per unit time • unit • Second, minute, hour, day -m limit –-time-burst number –-limit rate/unit • number – max permitted burst before rate limit is applied

  32. Targets/Actions • Target types • Firewall actions – filter table chains & user defined • ACCEPT, DROP, REJECT, LOG, RETURN • NAT support • DNAT, MASQ, REDIRECT, SNAT • Uncommon targets • MARK, MIRROR, QUEUE, TOS, TTL, ULOG

  33. Firewall Actions • iptables operation specification -j target • If the packet does not match the specification the packet is handed off to the next rule in the chain • If the packet meets the specification then the rule is passed to the target

  34. Firewall Actionscont'd • -j ACCEPT • Lets the packet satisfying the specification pass to the next chain in the packet path • -j DROP • The packet satisfying the specification is dropped with no error packet sent to the sender • Stealth mode – used for packet blocking on sensitive hosts

  35. Firewall Actionscont'd • -j REJECT • The packet satisfying the specification is dropped with an error packet sent to the sender • -j REJECT default error is port unreachable • -j REJECT--reject-with flag • icmp-net-unreachable • icmp-host-unreachable • icmp-port-unreachable • Icmp-proto-unreachable • icmp-net-prohibited • icmp-host-prohibited • tcp-reset • Sends a tcp packet with the RST bit set

  36. Firewall Actionscont'd • -j LOG • Causes the packet satisfying the specification to be logged using the Syslog facility • --log-prefix “IPT description of entry” • IPT identifies the source of the log entry, i.e. Iptables • Description within quotes is limited to 29 characters • --log-ip-options • --log-level • --log-tcp-options • --log-tcp-sequence • To log a dropped packet a log rule must precede the dropping rule

  37. Firewall Actionscont'd • -j user-chain-name • Lets the packet satisfying the specification pass to the named user chain • -j RETURN • Used in the user chain to return to the calling chain

More Related