Learn about the fundamentals of network and system security risk assessment with a focus on firewalls. Discover key concepts such as the goals of a firewall, taxonomy of firewalls, major firewall vendors, filtering rules, advantages and disadvantages of traditional packet filters versus stateful filters, and demilitarized zone (DMZ) application gateways. Dive into practical examples and explore Linux firewall management using IPtables. Understand how IPtables work, the benefits of stateful packet inspection, filtering based on MAC addresses and TCP header flags, network address translation, and more.
Network and System Security Risk Assessment --Firewall
About redirect again
• Compare the effect of the netwox attack with our own redirect
• "Network unreachable" is caused by the missing default gateway
• We can take a little more control over our system and network
For example:
• Give the attacking machine the ability to forward packets (the redirection into /proc is performed by the shell, so do it as root rather than prefixing sudo to echo; the setting is lost at reboot):
• su
• echo 1 > /proc/sys/net/ipv4/ip_forward
• sudo service networking restart
• For the victim, restore the default route (* stands for the gateway address):
• route add default gw * eth0
• The machine reaches the network again!
[Figure: the Internet, a firewall, and the privately administered network 222.22/16 behind it]
Firewalls
• By conventional definition, a firewall is a partition made of fireproof material designed to prevent the spread of fire from one part of a building to another.
• A network firewall isolates an organization's internal network from the larger Internet, allowing some packets to pass and blocking others.
Firewall goals: • All traffic from outside to inside and vice-versa passes through the firewall. • Only authorized traffic, as defined by local security policy, will be allowed to pass. • The firewall itself is immune to penetration.
Firewalls: taxonomy
• Traditional packet filters
• filters are often combined with a router, creating a firewall
• Stateful filters
• Application gateways
Major firewall vendors: Check Point, Cisco (PIX)
Traditional packet filters
Analyzes each datagram going through it; makes the drop decision based on:
• source IP address
• destination IP address
• source port
• destination port
• TCP flag bits
• SYN bit set: datagram for connection initiation
• ACK bit set: part of an established connection
• protocol: TCP, UDP or ICMP
• firewalls are often configured to block all UDP
• direction
• is the datagram leaving or entering the internal network?
• router interface
• decisions can be different for different interfaces
Access control lists
• Apply rules from top to bottom: the first rule that matches a packet decides its fate, and a final catch-all rule denies everything that matched nothing above it, so the order of the rules matters
• Each router/firewall interface can have its own ACL
• Most firewall vendors provide both a command-line and a graphical configuration interface
Advantages and disadvantages of traditional packet filters
• Advantages
• One screening router can protect an entire network
• Can be efficient if the filtering rules are kept simple
• Widely available: almost any router, even Linux boxes
• Disadvantages
• Can be penetrated, e.g. with spoofed source addresses, because each packet is judged on its own
• Cannot enforce some policies, for example permitting only certain users
• Rules can get complicated and difficult to test
Stateful Filters
• In the earlier example, any packet with ACK=1 and source port 80 gets in.
• An attacker can exploit this by sending segments with ACK=1 and source port 80 that belong to no real connection; the packet filter accepts them as replies and they reach internal hosts
• Stateful filter: adds more intelligence to the filter decision-making process
• Stateful = remember past packets
• Memory is implemented in a dynamic state (connection) table
Stateful filters: example
• Log each TCP connection initiated through the firewall: the SYN segment
• Time out entries that see no activity for, say, 60 seconds
• If the rule table indicates that the stateful table must be checked, check whether the connection is already in the stateful table
• Stateful filters can also remember outgoing UDP datagrams
Stateful example
1) Packet arrives from outside: SA=37.96.87.123, SP=80, DA=222.22.1.7, DP=12698, SYN=1, ACK=1 (a SYN-ACK, i.e. the reply to a SYN sent from inside)
2) Check filter table → check stateful table
3) Connection is listed in the connection table → let the packet through
[Figure: Demilitarized Zone (DMZ) with an application gateway firewall: Internet, then the DMZ holding the Web, DNS and FTP servers, then the internal network]
Firewalls: Summary
• Filters
• Widely available in routers, Linux
• Stateful filters
• Maintain connection state
Iptables -- Linux Firewall
iptables
• Objectives
• to learn the basics of iptables
• Contents
• Start and stop iptables
• Checking iptables status
• INPUT and OUTPUT chains
• PREROUTING and POSTROUTING
• Forwarding of addresses and ports
• Standard firewall rules
• Loading/unloading kernel driver modules
• Connection tracking modules
• Practicals
• working with iptables
• Summary
What Is iptables?
• Stateful packet inspection
• The firewall can keep track of each connection passing through it; this is an important feature for supporting active FTP and VoIP.
• Filtering packets based on MAC address, IPv4 / IPv6
• Very important in WLANs and similar environments.
• Filtering packets based on the values of the flags in the TCP header
• Helpful in preventing attacks using malformed packets and in restricting access.
• Network address translation and port translation (NAT/NAPT)
• Building DMZs and more flexible NAT environments to increase security.
What Is iptables?
• Source and stateful routing and failover functions
• Routes traffic more efficiently and faster than regular IP routers.
• System logging of network activities
• Provides the option of adjusting the level of detail of the reporting
• A rate limiting feature
• Helps to block some types of denial of service (DoS) attacks.
• Packet manipulation (mangling) such as altering the TOS/DSCP/ECN bits of the IP header
• Marks and classifies packets based on rules; the first step in QoS
IP filtering terms
• Drop/Deny
• When a packet is dropped or denied, it is simply deleted, and no further actions are taken.
• Reject
• Basically the same as a drop or deny target or policy, except that it also sends a reply (an ICMP error or a TCP RST) to the host that sent the packet.
• State
• The state of a packet relative to a whole stream of packets. For example, if the packet is the first that the firewall sees or knows about, it is considered NEW (the SYN packet in a TCP connection); if it is part of an already existing connection that the firewall knows about, it is considered ESTABLISHED.
IP filtering terms
• Table
• Each table has a specific purpose. iptables has four tables in general use: raw, nat, mangle and filter (a fifth, security, exists for SELinux-based labelling).
• Chain
• A chain is an ordered list of rules that are applied to packets traversing the chain. Each chain has a specific purpose (the table it belongs to defines what the chain is able to do) and a specific application area (e.g., only forwarded packets, or only packets destined for this host).
IP Filter Terms
• Jump
• The jump instruction is closely related to a target. A jump is written exactly like a target in iptables, except that instead of a target name you write the name of another (user-defined) chain; if no rule in that chain decides, processing returns to the calling chain.
IP Filter Terms
• Connection tracking
• A firewall which implements connection tracking is able to follow connections/streams. This costs CPU and memory, because the state table must be stored and searched for every packet.
• Accept
• To accept a packet and let it through the firewall rules. This is the opposite of the drop or deny targets, as well as the reject target.
• Policy
• The chain policy tells the firewall implementation the default behaviour to take on a packet if no rule matched it.
Download And Install The iptables Package
• Most Linux distributions already ship iptables
• Which tool you have depends on the kernel version:
• Kernels before 2.4 use ipchains/ipfwadm instead of iptables; they lack modern functionality such as connection tracking but are still found in old SOHO routers
• From 2.4 onwards iptables is the mainstream, most popular and well-tested option (on current distributions the iptables command is frequently a compatibility front end to nftables)
How To Start iptables
• You can start, stop, and restart iptables after booting with the following commands (Red Hat-style init scripts; Debian/Ubuntu have no iptables service and use ufw or iptables-persistent instead):
• Starting iptables: service iptables start
• Stopping iptables: service iptables stop
• Restarting iptables: service iptables restart
• Checking iptables status (rule chains): service iptables status
• iptables itself is a command which we will see soon.
• To show all current rule chains: iptables --list (add -n to avoid DNS lookups and -v to see interfaces and packet counters)
• To delete all rules from the current chains: iptables --flush (only the filter table unless you add -t nat etc.; chain policies and user-defined chains remain, use -X to delete user-defined chains)
ufw: the uncomplicated firewall
• sudo ufw allow ssh (do this first when working remotely, or enabling the firewall locks you out)
• sudo ufw enable
• turns on ufw
• By default, ufw starts with a policy that blocks all inbound traffic and allows outbound traffic
• sudo ufw status verbose
• gufw is the graphical front end
NAT
• Basically, NAT allows one host or several hosts to share the same public IP address
• The NAT server receives the packet, rewrites the source and/or destination address and then recalculates the checksums of the packet.
• SNAT (Source Network Address Translation): we use one of the private IP ranges for our local network (for example, 192.168.1.0/24) and turn on SNAT for it. SNAT then rewrites all 192.168.1.0/24 source addresses into its own public IP (for example, 217.115.95.34).
• DNAT (Destination Network Address Translation) rewrites the destination address, which is extremely helpful when setting up servers behind the firewall
Packet Processing In iptables
• iptables is complex for the beginner.
• Four built-in tables (queues) for processing:
1. MANGLE: modifies packet headers, e.g. the TOS/DSCP bits of the IP header, or marks packets
2. FILTER: packet filtering, has three built-in chains (your firewall policy rules)
FORWARD chain: filters packets to servers protected by the firewall
INPUT chain: filters packets destined for the firewall
OUTPUT chain: filters packets originating from the firewall
3. NAT: network address translation, with two main built-in chains (plus OUTPUT, for packets generated by the firewall itself)
PREROUTING: NAT packets whose destination address needs changing (before the routing decision)
POSTROUTING: NAT packets whose source address needs changing (after the routing decision)
4. RAW: the raw table is mainly used for one thing, marking packets that should not be handled by the connection tracking system. This is done with the NOTRACK target.
Incoming Packet Journey through Linux Firewall
NIC to Internet (eth0)
→ nat table, PREROUTING chain:
iptables -t nat -A PREROUTING -p TCP -i eth0 -d 128.168.60.12 --dport 80 -j DNAT --to-destination 192.168.10.2
→ Routing decision
→ filter table, FORWARD chain:
iptables -A FORWARD -p ALL -s 128.199.66.1 -j REJECT
iptables -A FORWARD -p ALL -s 128.200.0.2 -j LOG --log-prefix "bad guy:"
iptables -A FORWARD -p ALL -s 128.200.0.2 -j DROP
→ nat table, POSTROUTING chain
→ NIC to Intranet
DNAT and iptables command
• DNAT: Destination Network Address Translation.
• Deals with packets from the Internet to our Internet-exposed servers.
• It translates the destination (external) IP address to the corresponding internal IP address of the DMZ server.
• iptables -t nat -A PREROUTING -p TCP -i eth0 -d 128.168.60.12 --dport 80 -j DNAT --to-destination 192.168.10.2
• -t specifies the table
• -A appends to a specific chain
• -p specifies the protocol (must come before --dport, which belongs to the tcp match)
• -i specifies the incoming interface
• -d specifies the destination IP address to match in the packet
• -j specifies the "target" or operation to be performed
• --to-destination substitutes the destination IP address
Outgoing Packet Journey through Linux Firewall
NIC to Intranet
→ nat table, PREROUTING chain
→ Routing decision
→ filter table, FORWARD chain:
iptables -A FORWARD -s 192.168.10.10 -j REJECT (a certain system in the intranet is not allowed out)
→ nat table, POSTROUTING chain:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
→ NIC to Internet (eth0)
Targets And Jumps 1/2
• ACCEPT
• iptables stops processing the current chain; the packet continues on its journey (for INPUT it is handed over to the application or the operating system).
• DROP
• iptables stops further processing.
• The packet is blocked silently.
• LOG
• The packet information is sent to the syslog daemon for logging.
• iptables continues processing with the next rule in the chain.
• You can't log and drop with one rule, so use two rules (or a user-defined chain containing both). --log-prefix "reason" tags the log line.
• REJECT
• Works like the DROP target, but also returns an error message to the host sending the packet. --reject-with qualifier, where the qualifier is an ICMP message type (or tcp-reset for TCP)
Targets And Jumps 2/2
• SNAT
• Used to do source network address translation, i.e. rewriting the source IP address of the packet
• The source IP address is user defined: --to-source <address>[-<address>][:<port>-<port>]
• DNAT
• Used to do destination network address translation, i.e. rewriting the destination IP address of the packet: --to-destination ipaddress
• MASQUERADE
• Used to do source network address translation for interfaces with a dynamic address.
• The source IP address is always the current address of the firewall's outgoing interface, and tracked connections are dropped when the interface goes down: [--to-ports <port>[-<port>]]
Important iptables Command Switch Operations 2/2
• We try to define a rule that will accept all packets on interface eth0 that use TCP and have destination address 192.168.1.1.
• We first define the MATCH criteria:
• Use the default filter table (absence of -t)
• Append a rule to the end of the INPUT chain (-A INPUT)
• Match any source address, 0/0 (-s 0/0; this is the default and can be omitted)
• Input interface used is eth0 (-i eth0)
• Match on destination address 192.168.1.1 (-d 192.168.1.1)
• Match protocol TCP (-p TCP)
• If all matches are fulfilled, jump to the ACCEPT target (-j ACCEPT)
• iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p TCP -j ACCEPT
Common ICMP (Ping) Match Criteria
• Allow ping request and reply
• iptables is configured to allow the firewall to send ICMP echo-requests (pings) and in turn accept the expected ICMP echo-replies:
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
• Put a limit on ping to prevent ping floods:
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i eth0 -j ACCEPT
• -m limit only accepts packets that fit under the limit (one per second after an initial burst of 5); the excess does not match this rule and is handled by the rules that follow or by the chain policy, so a DROP policy or a following DROP rule is needed for the limit to have any effect.
Defense for SYN flood attacks
• -m limit sets the maximum rate of SYN packets that this rule accepts
• iptables is configured to accept at most 5 TCP SYN packets per second on interface eth0:
iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT
• SYNs arriving faster than 5 per second (after the initial burst of 5) do not match this rule and are dropped, provided the INPUT policy is DROP or a DROP rule follows.
• A legitimate client whose SYN was dropped retransmits it with exponential backoff (after about 1 s, 3 s, 7 s ...), so it usually still gets through, while a flooding source is throttled.
• The limit counts all sources together; the kernel's own SYN cookies (net.ipv4.tcp_syncookies=1) remain the primary defense, because they avoid keeping half-open state per SYN.
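As an added example (not code from the original slides), the following script makes explicit what the two rate-limiting slides leave implicit: the DROP that follows the limit rule, a per-source limit via the hashlimit match so one flooding host cannot use up everyone's budget, and SYN cookies. The interface name eth0, the chain name syn-limit, the rates and the IPT variable (so the script can be dry-run through a wrapper) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original slides): rate-limit SYNs and pings
# on the Internet-facing interface, assumed to be eth0. Run as root:
#   sh ratelimit.sh apply
IPT=${IPT:-iptables}
WAN_IF=eth0

ratelimit_rules() {
    # user-defined chain holding the SYN policy; "-N" fails if the chain
    # already exists, in which case it is flushed instead
    $IPT -N syn-limit 2>/dev/null || $IPT -F syn-limit

    # Up to 5 new connections per second per source address (burst 10):
    # RETURN to INPUT and let the normal rules decide. "-m limit" would
    # count all sources together, so one flooding host could starve the rest.
    $IPT -A syn-limit -m hashlimit --hashlimit-name synlimit --hashlimit-mode srcip \
        --hashlimit-upto 5/s --hashlimit-burst 10 -j RETURN
    # Everything over the limit: log at most once a minute, then drop.
    # The DROP is the rule that actually stops the flood; a limit rule alone
    # only decides which packets it accepts.
    $IPT -A syn-limit -m limit --limit 1/min -j LOG --log-prefix "SYN flood: "
    $IPT -A syn-limit -j DROP

    # send every incoming SYN from the Internet through the chain
    $IPT -A INPUT -i $WAN_IF -p tcp --syn -j syn-limit

    # ping: accept one echo-request per second (initial burst of 4), drop the rest
    $IPT -A INPUT -i $WAN_IF -p icmp --icmp-type echo-request \
        -m limit --limit 1/s --limit-burst 4 -j ACCEPT
    $IPT -A INPUT -i $WAN_IF -p icmp --icmp-type echo-request -j DROP
}

if [ "${1:-}" = apply ]; then
    # the kernel's own SYN-flood defence: answer with SYN cookies when the
    # backlog fills instead of keeping half-open state for every SYN
    sysctl -w net.ipv4.tcp_syncookies=1
    ratelimit_rules
fi
```

Because the chain ends in RETURN for packets under the limit, the SYN still has to be accepted by a later INPUT rule (for example one allowing port 22 or 80); the script only decides what is dropped, not what is allowed.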
Common Extended Match Criteria 2/2
• Allow both port 80 and 443 to the web server on the inside (multiport uses --dports for a port list):
iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP --sport 1024:65535 -m multiport --dports 80,443 -j ACCEPT
• The return traffic from the web server is allowed, but only for sessions that are already open:
iptables -A FORWARD -d 0/0 -o eth0 -s 192.168.1.58 -i eth1 -p TCP -m state --state ESTABLISHED -j ACCEPT
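Putting the NAT slides (DNAT, the incoming and outgoing packet journeys, SNAT/MASQUERADE) together with the FORWARD rules above, here is an added example (not code from the original slides) of a complete forwarding script for the DMZ case: the public address 128.168.60.12 and the internal web server 192.168.10.2 are the addresses used on the slides, and the "bad guy" block-list shows why rule order matters. The interface names eth0 (Internet) and eth1 (DMZ/intranet), the use of the conntrack match, the multiport list 80,443 and the IPT variable (so the script can be dry-run through a wrapper) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original slides): Linux firewall forwarding
# Internet traffic to a DMZ web server and NATing the intranet outward.
# Assumptions: eth0 faces the Internet with public address 128.168.60.12,
# eth1 faces the DMZ/intranet, web server 192.168.10.2. Run as root:
#   sh nat-firewall.sh apply
IPT=${IPT:-iptables}
WAN_IF=eth0
LAN_IF=eth1
WAN_IP=128.168.60.12
WEB_SERVER=192.168.10.2
BAD_GUY=128.200.0.2        # the slides' example source to log and drop

nat_rules() {
    # start from a known state so the script can be re-run
    $IPT -t nat -F
    $IPT -F FORWARD
    $IPT -P FORWARD DROP

    # 1. nat/PREROUTING: rewrite the public destination before the routing
    #    decision; otherwise the packet would be routed to the firewall itself
    $IPT -t nat -A PREROUTING -i $WAN_IF -p tcp -d $WAN_IP \
        -m multiport --dports 80,443 -j DNAT --to-destination $WEB_SERVER

    # 2. filter/FORWARD: rules are checked top to bottom and the first match
    #    wins, so the block list goes before any ACCEPT. LOG does not
    #    terminate, which is why DROP follows it as a second rule.
    $IPT -A FORWARD -s $BAD_GUY -j LOG --log-prefix "bad guy: "
    $IPT -A FORWARD -s $BAD_GUY -j DROP

    #    FORWARD sees the packet after DNAT, so match the internal address
    $IPT -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $WEB_SERVER \
        -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
    #    replies and related traffic in both directions (the stateful part)
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    #    intranet hosts may open connections to the Internet
    $IPT -A FORWARD -i $LAN_IF -o $WAN_IF -m conntrack --ctstate NEW -j ACCEPT

    # 3. nat/POSTROUTING: rewrite the source of outgoing packets. SNAT with a
    #    fixed address; use "-j MASQUERADE" instead when the address is dynamic.
    $IPT -t nat -A POSTROUTING -o $WAN_IF -j SNAT --to-source $WAN_IP
}

if [ "${1:-}" = apply ]; then
    # the kernel only forwards between interfaces when this is on
    echo 1 > /proc/sys/net/ipv4/ip_forward
    nat_rules
fi
```

Note that the DNAT rule only changes the address: without the FORWARD ACCEPT for 192.168.10.2 the translated packet hits the DROP policy, and without ESTABLISHED,RELATED the server's replies never leave the DMZ. Conntrack reverses the translation on the way back, so no explicit SNAT is needed for the replies.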
Example • iptables -P INPUT DROP • An "iptables -P" command is used to set the default policy for a chain of packet filtering rules.
Example
• Let's assume a firewall for a machine with two network interfaces, eth0 and eth1. The eth0 network card is connected to our LAN, while the eth1 network card is attached to the Internet.
• iptables -P INPUT DROP
• iptables -A INPUT ! -i eth1 -j ACCEPT (accept everything that did not arrive from the Internet interface; older iptables versions also accept the form -i ! eth1)
Example
• Traditional firewall
• iptables -A INPUT -p tcp --sport 80 -j ACCEPT
• While most Web traffic originates from port 80, some doesn't:
• http://www.foo.com:81
• What is more, the source port of a packet is not something we have any control over, and it can easily be chosen by an intruder, so this rule lets any attacker in.
Example:
• Traditional (old-fashioned) firewalls only look at individual packets, not connections
• State:
• NEW: the packet starts a connection (e.g. a TCP SYN)
• ESTABLISHED: the packet belongs to a connection that has seen traffic in both directions
• RELATED: the packet starts a new connection associated with an existing one (e.g. an FTP data channel, or an ICMP error about a known connection)
• INVALID: the packet cannot be associated with any known connection
Example
• Adding a stateful rule
• iptables -P INPUT DROP
• iptables -A INPUT ! -i eth1 -j ACCEPT
• iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
• The --sport 80 rule is no longer needed: replies to connections opened from inside are admitted because the connection tracker saw the outgoing SYN. (-m state is the older name; -m conntrack --ctstate is the current form of the same match.)
Using User Defined Chains
• The chains must exist before rules can jump to them; the slide omits this step:
iptables -N fast-input-queue
iptables -N fast-output-queue
iptables -N icmp-queue-in
iptables -N icmp-queue-out
• Define the fast input queue:
iptables -A INPUT -i eth0 -d 206.229.110.2 -j fast-input-queue
• Define the fast output queue:
iptables -A OUTPUT -o eth0 -s 206.229.110.2 -j fast-output-queue
• Use the defined queues and define two ICMP queues:
iptables -A fast-input-queue -p icmp -j icmp-queue-in
iptables -A fast-output-queue -p icmp -j icmp-queue-out
• Finally we use the queues to define two rules:
iptables -A icmp-queue-out -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
iptables -A icmp-queue-in -p icmp --icmp-type echo-reply -j ACCEPT
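As an added example (not code from the original slides), here is the stateful host firewall the preceding example slides build up, completed with the loopback rule, handling of the INVALID state, and a user-defined log-and-drop chain of the kind the user-defined-chains slide describes. It also illustrates the point of the stateful-filter slides: the old --sport 80 rule is gone, and replies are admitted only when the connection tracker has seen the outgoing SYN. The slide's interface layout (eth0 = LAN, eth1 = Internet), the conntrack match, the chain name logdrop, the SSH allowance and the IPT variable (so the script can be dry-run through a wrapper) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original slides): a complete stateful INPUT
# policy for the two-interface host of the example slides.
# Assumptions: eth0 = LAN, eth1 = Internet, iptables with the conntrack match.
# Run as root:  sh host-fw.sh apply
IPT=${IPT:-iptables}
LAN_IF=eth0
WAN_IF=eth1

host_rules() {
    $IPT -F INPUT
    $IPT -P INPUT DROP          # default deny: only the rules below admit traffic

    # User chain "logdrop": LOG never terminates, so pair it with DROP here
    # once instead of writing two rules at every deny point. The limit keeps
    # a flood from filling the log.
    $IPT -N logdrop 2>/dev/null || $IPT -F logdrop
    $IPT -A logdrop -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
    $IPT -A logdrop -j DROP

    # local processes talk to each other over lo
    $IPT -A INPUT -i lo -j ACCEPT
    # Stateful core: replies to connections this host opened, plus RELATED
    # traffic (ICMP errors, FTP data channels). This replaces "--sport 80".
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Packets conntrack cannot place in any connection, e.g. a stray ACK or a
    # SYN+ACK with no matching SYN, are INVALID rather than ESTABLISHED.
    $IPT -A INPUT -m conntrack --ctstate INVALID -j logdrop
    # trust everything that did not arrive from the Internet interface
    $IPT -A INPUT ! -i $WAN_IF -j ACCEPT
    # from the Internet, only new SSH connections
    $IPT -A INPUT -i $WAN_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # The stateless rule the slides warn about is deliberately NOT used:
    #   $IPT -A INPUT -p tcp --sport 80 -j ACCEPT
    # it would admit any packet an attacker sends from source port 80.
    # Everything else: log (rate limited) and drop.
    $IPT -A INPUT -j logdrop
}

if [ "${1:-}" = apply ]; then host_rules; fi
```

The order is the point: the ESTABLISHED,RELATED rule sits near the top because most packets belong to existing connections and match it immediately, and the catch-all jump to logdrop sits last so that anything not explicitly admitted is recorded before the chain policy would have dropped it silently.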