
Poor Man’s Firewall

Poor Man’s Firewall: a firewall that can be set up and implemented with a minimum amount of time and money. Why do I need one? A Windows server cannot be secured as it stands. Don’t believe anyone who tells you otherwise. MSSQL server should never be placed directly on the Internet.


Presentation Transcript


  1. Poor Man’s Firewall • A firewall that can be set up and implemented with a minimum amount of time and money.

  2. Why do I need one? • A Windows server cannot be secured as it stands. Don’t believe anyone who tells you otherwise. • MSSQL server should never be placed directly on the Internet. • And yes, some people do have too much time on their hands. Anyone remember the Blaster worm?

  3. OSI Model Lower Layers • Lower layers provide more primitive network-specific functions like routing, addressing, and flow control. • Layer II - (Data Link Layer) of the OSI Model • Layer III - (Network Layer) of the OSI Model

  4. Switch/Hub (Layer II) • Switches and hubs are used to connect various devices to a network. • Switches are intelligent: they look at the source and destination address of each packet and forward it only to the appropriate switch port. • Hubs are dumb devices that repeat a copy of every packet they see to every other port on the device.

  5. Bridge (Layer II) • A device that can be used to segment Local Area Networks (LANs). • They can be used to control the traffic going between two network segments based on Ethernet addresses. • They are essentially transparent devices. They can be replaced with a cross-over cable.

  6. Router (Layer III) • A network device used for connecting different networks together. • They are responsible for intelligently routing packets based on IP address.

  7. Firewall • A firewall filters packets based on a set of filter rules. • Packets that pass the rule set are forwarded through the firewall from one network interface to another. Packets that don’t are dropped. • Firewalls can be either software- or hardware-based.

  8. Bridging Mode Firewalls • A bridge that allows you to filter the packets that pass through its interfaces. • Can be placed anywhere in an existing network without disrupting existing services. • Transparent to your servers.

  9. Linux – Bridging Mode Firewall • A software-based firewall that uses Linux as the operating system. • The software is free. • Relatively easy to set up. • Can run on old hardware.

  10. Software Needed • Iptables – Software that filters IP-based traffic based on a set of rules. • Ebtables – Software that allows Iptables to see the packets as they go through the bridge interface. • Bridge-Utils – Software that allows you to create the bridge.

  11. Hardware Needed • Any old Pentium-based computer • 128MB of RAM • ~1GB hard drive • 2 network cards (minimum)

  12. Example Bridge Script

```bash
#!/bin/bash
# /etc/rc.d/init.d/bridge
BRCTL=/usr/sbin/brctl
IFCONFIG=/sbin/ifconfig
# rc_done / rc_failed are normally defined by SuSE's /etc/rc.status;
# provide defaults so the script also runs where they are not set
rc_done=${rc_done:-done}
rc_failed=${rc_failed:-failed}
return=$rc_done

case "$1" in
  start)
    echo "Starting service bridge br0"
    # Create bridge interface
    $BRCTL addbr br0 || return=$rc_failed
    # Turn Spanning Tree Protocol off
    $BRCTL stp br0 off || return=$rc_failed
    # Add interfaces to bridge
    $BRCTL addif br0 eth1 || return=$rc_failed
    $BRCTL addif br0 eth2 || return=$rc_failed
    # Reset to clean state
    $IFCONFIG eth1 down || return=$rc_failed
    $IFCONFIG eth2 down || return=$rc_failed
    # Set interfaces to promiscuous mode, with no IP address of their own
    $IFCONFIG eth1 0.0.0.0 promisc || return=$rc_failed
    $IFCONFIG eth2 0.0.0.0 promisc || return=$rc_failed
    # Bring bridge interface up
    $IFCONFIG br0 promisc up || return=$rc_failed
    $BRCTL show
    echo -e "$return"
    ;;
  stop)
    echo "Shutting down service bridge br0"
    $IFCONFIG br0 down || return=$rc_failed
    $BRCTL delif br0 eth1 || return=$rc_failed
    $BRCTL delif br0 eth2 || return=$rc_failed
    $BRCTL delbr br0 || return=$rc_failed
    echo -e "$return"
    ;;
  status)
    $IFCONFIG br0
    $BRCTL show
    ;;
  restart)
    $0 stop && $0 start || return=$rc_failed
    ;;
  *)
    echo "Usage: $0 {start|stop|status|restart}"
    exit 1
    ;;
esac

test "$return" = "$rc_done" || exit 1
exit 0
```

  13. Example Filter Rules

```bash
#!/bin/bash
# Example Firewall Script
IPTABLES="/sbin/iptables -v"
# Any subnet
ANY=0.0.0.0/0
# ILLIAD server (placeholder address from the slides, not a valid IPv4
# address; replace it with the real server address before use)
ILLIAD=128.193.123.456

#### Flush all rules
$IPTABLES -F
# Delete all user created chains
$IPTABLES -X
# Zero all byte counters
$IPTABLES -Z
# Drop all packets without a rule
$IPTABLES -P FORWARD DROP

# loopback interface
$IPTABLES -A FORWARD -i lo -j ACCEPT

# Syn-flood protection: rate-limit new TCP connection attempts, then let the
# rules below decide whether the connection is allowed at all. (Jumping to
# ACCEPT from the limit rule would instead let one SYN per second through to
# any port on any host, bypassing the HTTP-only rules.)
$IPTABLES -N SYN_LIMIT
$IPTABLES -A SYN_LIMIT -m limit --limit 1/s -j RETURN
$IPTABLES -A SYN_LIMIT -j DROP
$IPTABLES -A FORWARD -p tcp --syn -j SYN_LIMIT

# Ping of death: allow at most one echo request per second
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# HTTP: the server may open connections to port 80 anywhere; only replies
# belonging to such a connection are allowed back in
$IPTABLES -A FORWARD -s $ILLIAD -d $ANY -p tcp --dport 80 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -s $ANY -d $ILLIAD -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
```
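As an added example (not code from the slides), the following Python models slide 13's FORWARD chain as first-match rule evaluation with a minimal connection table; the server address 192.0.2.10 and the peer addresses are constructed stand-ins. It shows why the `--state ESTABLISHED` qualifier matters: a packet that merely claims source port 80 is dropped unless the server opened that connection first, and anything else, such as a connection to the MSSQL port, falls through to the DROP policy.

```python
# Added example: a first-match model of the slide 13 FORWARD chain (not the slides' code).
import ipaddress
from collections import namedtuple

ANY = "0.0.0.0/0"
ILLIAD = "192.0.2.10"  # constructed stand-in for the slides' server address
# sport/dport default to 0 for protocols without ports (e.g. icmp)
Packet = namedtuple("Packet", "src dst proto sport dport", defaults=(0, 0))

def _state(pkt, conntrack):
    """NEW unless this flow (in either direction) was already accepted."""
    fwd = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
    rev = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
    return "ESTABLISHED" if fwd in conntrack or rev in conntrack else "NEW"

def _matches(match, pkt, conntrack):
    for key, want in match.items():
        have = _state(pkt, conntrack) if key == "state" else getattr(pkt, key)
        if key in ("src", "dst"):
            if ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        elif have != want:
            return False
    return True

def forward(pkt, rules, conntrack, policy="DROP"):
    """First matching rule decides; with no match the chain policy applies."""
    for match, target in rules:
        if _matches(match, pkt, conntrack):
            if target == "ACCEPT":  # conntrack only learns flows that got through
                conntrack.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
            return target
    return policy

# Slide 13's HTTP rules: the server may open connections to port 80 anywhere;
# only replies belonging to such a connection are allowed back in.
RULES = [
    ({"src": ILLIAD, "dst": ANY, "proto": "tcp", "dport": 80, "state": "NEW"}, "ACCEPT"),
    ({"src": ANY, "dst": ILLIAD, "proto": "tcp", "sport": 80, "state": "ESTABLISHED"}, "ACCEPT"),
]

def demo():
    ct = set()
    out = forward(Packet(ILLIAD, "198.51.100.7", "tcp", 40001, 80), RULES, ct)
    reply = forward(Packet("198.51.100.7", ILLIAD, "tcp", 80, 40001), RULES, ct)
    spoof = forward(Packet("198.51.100.9", ILLIAD, "tcp", 80, 40002), RULES, ct)
    mssql = forward(Packet("198.51.100.9", ILLIAD, "tcp", 51000, 1433), RULES, ct)
    return out, reply, spoof, mssql  # ("ACCEPT", "ACCEPT", "DROP", "DROP")
```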

  14. Useful Application • Ethereal – A powerful network protocol/packet analyzer that can be used to aid in the development of your filter rules.

  15. Resources • Linux bridging how-to http://bridge.sourceforge.net • Ebtables http://ebtables.sourceforge.net • Ethereal http://www.ethereal.com/
