firewall. 1 firewall technologies 黃能富教授國立清華大學資訊工程系...

Firewall. 1

Firewall Technologies

黃能富教授國立清華大學資訊工程系

[email protected]

Firewall. 2

Contents

Firewall Introduction Firewall Hardware Types Firewall Technologies Firewall Architecture Firewall Deployment VPN (Virtual Private Network) Firewall Labs : Iptables

Firewall. 3

What is a Firewall ? A firewall isolates organization’s

internal net from larger Internet, allowing some packets to pass, blocking others.

privately administered

222.22/16

Internet

Firewall. 4

What is a Firewall ? A firewall acts as

a security gateway between two networks

Usually between trusted and untrusted networks (such as between a corporate network and the Internet)

Internet

Corporate Site

Corporate Network Gateway

Firewall. 5

What is a Firewall ?

A firewall tracks and controls network communications

Decides whether to pass, reject, encrypt, or log communications (Access Control) Corporate

Site

“Allow Trafficto Internet”

Internet

“Block traffic from Internet”

Firewall. 6

What is a Firewall?

A firewall is a security policy enforcement point that regulates access between computer networks

Filters are inherently insecure services

Controls TCP protocols http, smtp, ftp, telnet etc

Only one of many different security tool’s to control and regulate network traffic

Firewall. 7

Why Firewalls are Needed

Prevent attacks from untrusted networks

Protect data integrity of critical information

Preserve customer and partner confidence

Firewall. 8

Firewall goals:

All traffic from outside to inside and vice-versa passes through the firewall.

Only authorized traffic, as defined by local security policy, will be allowed to pass.

The firewall itself is immune to penetration.

Firewall. 9

What do Firewalls Protect? Data

Proprietary corporate information Financial information Sensitive employee or customer data

Resources Computing resources Time resources Bandwidth resources

Reputation Loss of confidence in an organization Intruder uses an organization’s network

to attack other sites

Firewall. 10

Common Internet Threats Denial of service attacks

Specific attacks that can cause a server crash

Flooding the server with traffic to disrupt or deny service

Intrusion threats Attacks on services/exploits

The backend server may not be hardened enough for adequate protection, but the firewall can block external attacks

Information threats

Firewall. 11

How Vulnerable are Internet Services?

E-mail or smtp – Simple Mail Transfer Protocol TCP/IP based port 25 (POP 110) Risks Include

E-mail bombing (stalking)– Anonymous harassment– Large amounts of e-mail to a single user address

Spamming– Messages sent to numerous different users from a

host Virus download mechanism

– Code Red– Nimda

Not always traceable POP and IMAP can be very insecure

Firewall. 12

FTP - File Transfer Protocol TCP/IP based port 20/21 Risks Include

Unencrypted authentication and data transfers– Usernames and passwords can

be”sniffed” Unencrypted data transfers

– Data can be viewed Often part of default installations Anonymous ftp is possible


Firewall. 13


Telnet TCP/IP based port 23 Risks include

Unencrypted authentication Unencrypted interactive session Session hijacking Included in default installations Can allow remote root login

Firewall. 14


HTTP – Hypertext Transfer Protocol TCP/IP based port 80 Risks Include

Browsers can be used to run dangerous commands

Difficult to secure Remote execution of commands and

execution (server side) Non-secure add-on applications

– Java– Cookies

Firewall. 15


HTTPS – Secure Hypertext Transfer Protocol TCP/IP based port 443 Risks Include

Browsers can be used to run dangerous commands

Remote execution of commands and execution (server side)

Becomes a tunnel for any data Can be used to subvert firewall/security

controls

Firewall. 16


DNS TCP and UDP based ports 53 and

1024 Risks include

DNS cache poisoning– Bad data to redirect valid connections

to the wrong server DNS spoofing

– Bad data to redirect valid connections to the wrong server

Absolutely needed for network services

Firewall. 17


SNMP – Simple Network Management Protocol UDP based Risks include

Unencrypted data transfers Poor authentication through “community

relationships” Transfer of highly sensitive data Does use access lists

Firewall. 18


NFS – Network File System NFS is a shared file structure Based on a trust model of network

machines Certain machines can access shared file

systems Risks include

No “user” authentication IP Spoofing to gain access Most secure NFS is still very insecure

Firewall. 19

Contents


Firewall. 20

Firewall Hardware Types Three basic hardware types

Appliance based systems Purpose built Simple Highly integrated

3rd Party servers General use systems Additional support channel Greater flexibility

Hybrid servers Purpose built for a limited product line Often closely integrated with software

offerings May have separate support channel Most have highly integrated components

Firewall. 21

Firewall Hardware Types

Appliance based system problems OS and Kernel hardening and security

may be done by vendor only Tightly coupled software and hardware

may have insecure code unknown to user Hard to inspect or verify

All security controls are determined through a single vendor

Appliances are used to simplify implementation and support efforts causing some loss of administrative control

Firewall. 22


3rd Party server problems OS and Kernel hardening and security

must be done by implementation staff Expertise procedures

OS software may have many known vulnerabilities/ security holes Each must be plugged

All security controls are determined through corporate policy

3rd party systems require a larger degree of administration and procedure

Firewall. 23


Hybrid servers OS and Kernel hardening is started by

vendor and completed by end user security staff—can help to make it more robust

Packaged software and hardware are generally reviewed for security

All security controls are determined through a more partnered structure

Hybrid servers are also used to simplify implementation and support efforts without giving away administrative control

Firewall. 24

Contents


Firewall. 25

Firewalls Technologies

Traditional packet filters filters often combined with

router, creating a firewall widely available in routers, linux

Application gateways often implemented with SOCKS

today

Stateful Inspection filtersmaintains connection state

Firewall. 26

Evolution of Firewalls

PacketFilter

StatefulInspection

Stage of Evolution

ApplicationProxy

Firewall. 27

Traditional packet filters

source IP address destination IP

address source port destination port TCP flag bits

SYN bit set: datagram for connection initiation

ACK bit set: part of established connection

TCP or UDP or ICMP Firewalls often

configured to block all UDP

direction Is the datagram

leaving or entering the internal network?

router interface decisions can be

different for different interfaces

Analyzes each datagram going through it; makes dropdecision based on:

Firewall. 28

Packets examined at the network layer

Useful “first line” of defense - commonly deployed on routers

Simple accept or reject decision model No awareness of higher protocol

layers

Packet Filter

Applications

Presentations

Sessions

Transport

Data Link

Physical

Data Link

Physical

Applications

Presentations

Sessions

Transport

Data Link

Physical

Network

Presentations

Sessions

Transport

Applications

Network Network

Firewall. 29

Packet Filtering Firewalls

Packet filtering is one of the oldest, and one of the most common types of firewall technologies.

Packet filters inspect each packet of information individually, examining the source and destination IP addresses and ports.

This information is compared to access control rules to decide whether the given packet should be allowed through the firewall.

Packet filters consider only the most basic attributes of each packet, and they don't need to remember anything about the traffic since each packet is examined in isolation.

For this reason they can decide packet flow very quickly.

Firewall. 30

Packet Filtering Firewalls Because every packet of every connection

is checked against the access control rules, larger, complex rule bases decrease performance.

And because packet filters can only check low-level attributes, they are not secure against malicious code hiding in the other layers.

Packet filters are often used as a first defense in combination with other firewall technologies, and their most common implementation today is seen in the access control lists of routers at the perimeters of networks.

For simple protocols or one-sided connections, like ICMP or SNMP traps, it is still useful to use packet filtering technology.

Firewall. 31

Packet Filtering Rules - Examples

Policy Firewall Setting

No outside Web access.

Drop all outgoing packets to any IP address, port 80

External connections to public Web server only.

Drop all incoming TCP SYN packets to any IP except 222.22.44.203, port 80

Prevent IPTV from eating up the available bandwidth.

Drop all incoming UDP packets - except DNS and router broadcasts.

Prevent your network from being used for a Smurf DoS attack.

Drop all ICMP packets going to a “broadcast” address (eg 222.22.255.255).

Prevent your network from being tracerouted

Drop all outgoing ICMP

Firewall. 32

Access control lists

actionsourceaddres

s

destaddres

s

protocol

source

port

destport

flagbit

allow 222.22/16

outside of

222.22/16

TCP>

102380

any

allowoutside

of222.22/

16

222.22/16 TCP 80

> 1023

ACK

allow 222.22/16

outside of

222.22/16

UDP>

102353 ---

allowoutside

of222.22/

16

222.22/16 UDP 53

> 1023

----

deny all all all all all all

Apply rules from top to bottom:

Firewall. 33

Access control lists

Each router/firewall interface can have its own ACL

Most firewall vendors provide both command-line and graphical configuration interface

Firewall. 34

Network Address Translation (NAT)

Converts a network’s illegal IP addresses to legal or public IP addresses Hides the true addresses of individual

hosts, protecting them from attack Allows more devices to be connected to

the network

Internet

InternalIP Addresses

219.22.165.1

Corporate LAN

192.172.1.1-192.172.1.254

PublicIP Address(es)

Firewall. 35

Traditional packet filters

Advantages One screening router can protect entire

network Can be efficient if filtering rules are kept

simple Widely available. Almost any router, even

Linux boxes

Disadvantages Can possibly be penetrated Cannot enforce some policies. For

example, permit certain users. Rules can get complicated and difficult to

test

Firewall. 36

Application Level Firewalls

These firewalls, also known as application proxies, provide the most secure type of data connection because they can examine every layer of the communication, including the application data.

To achieve this security proxies, as their name suggests, actually mediate connections.

The connection from a client to a server is intercepted by the proxy.

Firewall. 37

Application Gateway or Proxy

Applications

Presentations

Sessions

Transport

Data Link

Physical

Data Link

Physical

Applications

Presentations

Sessions

Transport

Data Link

Physical

Network NetworkNetwork

Presentations

Sessions

Transport

Applications

Packets examined at the application layer

Application/Content filtering possible - prevent FTP “put” commands, for example

Modest performance Scalability limited

Firewall. 38


If the proxy determines that the connection is allowed, it opens a second connection to the server from itself, on behalf of the original host.

The data portion of each packet must be stripped off, examined, rebuilt, and sent again on the second connection.

This thorough examination and handling of packets means that proxy firewalls are very secure and generally slow.

Proxies are also limited as firewalls, because they must understand the application layer.

As new protocols are developed, new proxies must be written and implemented to handle them.

Firewall. 39


Web Proxy Severs Application Proxy Servers A mail server is an example of an

application gateway Can’t deposit mail in recipient’s mail

server without passing through sender’s mail server

Second Generation Firewall Technology Makes connections on behalf of the

client Not flexible

Firewall. 40

Application gateways (proxy gateways)

Gateway sits between user on inside and server on outside. Instead of talking directly, user and server talk through proxy.

Allows more fine grained and sophisticated control than packet filtering. For example, ftp server may not allow files greater than a set size.host-to-gateway

ftp session

gateway-to-remote host ftp session

applicationgateway

Firewall. 41

Application gateways + packet filter

Filters packets on application data as well as on IP/TCP/UDP fields.

Example: allow select internal users (IP addresses) to ftp outside.1. Require all ftp users to ftp through

gateway.2. For authorized users, gateway sets up

ftp connection to dest host. Gateway relays data between 2 connections

3. Router filter blocks all ftp connections not originating from gateway.

host-to-gatewayftp session

gateway-to-remote host ftp session

applicationgateway

router and filter

Firewall. 42

Chaining Proxies

proxy 1

proxy 2

Firewall. 43

SOCKS Proxy protocol

Generic proxy protocol Don’t have to redo all of the code

when proxifying an application. Can be used by HTTP, FTP, telnet, SSL,

… Independent of application layer

protocol Includes authentication, restricting

which users/apps/IP addresses can pass through firewall.

Firewall. 44

SOCKS proxy protocol

HTTP

SOCKS Library

TCP

SOCKS Daemon

TCP

Apache/IIS

Firefox/IE

HTTP

TCP

Firewall Application

1. For example, let’s assume that browser requests a page 2. SOCKS Library is

a collection of procedures. It translates requests into a specific format and sends them to SOCKS Daemon

3. The SOCKS Daemon runs on the firewall host. The daemon authenticates the user and forwards all the data to the server.

4. The server receives requests as ordinary HTTP. It does not need a SOCKS library.

Firewall. 45

Proxy gateways Advantages

Proxy can log all connections, activity in connections

Proxy can provide caching Proxy can do intelligent filtering based on

content Proxy can perform user-level

authentication

Disadvantages Not all services have proxied versions May need different proxy server for each

service Requires modification of client Performance

Firewall. 46

Stateful Filters

Stateful filter: Adds more intelligence to the filter decision-making process Stateful = remember past packets Memory implemented in a very

dynamic state table

Firewall. 47

Stateful Inspection

Applications

Presentations

Sessions

Transport

Data Link

Physical

Data Link

Physical

Applications

Presentations

Sessions

Transport

Data Link

Physical

Network Network

Network

Presentations

Sessions

Transport

INSPECT Engine

Applications

Dynamic State TablesDynamic

State TablesDynamic State Tables

Packets Inspected between data link layer and network layer in the OS kernel

State tables are created to maintain connection context

Invented by CheckPoint

Firewall. 48

Stateful Inspection © Stateful inspection architecture utilizes a

unique, patented INSPECT Engine which enforces the security policy on the gateway on which it resides.

The INSPECT Engine looks at all communication layers and extracts only the relevant data, enabling highly efficient operation, support for a large number of protocols and applications, and easy extensibility to new applications and services.

The INSPECT Engine is programmable using CheckPoint's powerful INSPECT Language.

Firewall. 49

Stateful Inspection © This provides important system

extensibility, allowing CheckPoint, as well as its technology partners and end-users, to incorporate new applications, services, and protocols, without requiring new software to be loaded.

For most new applications, including most custom applications developed by end users, the communication-related behavior of the new application can be incorporated simply by modifying one of Firewall-1's built-in script templates via the graphical user interface.

Even the most complex applications can be added quickly and easily via the INSPECT Language.

Firewall. 50

Stateful filters: example

sourceaddress

destaddress

sourceport

destport

222.22.1.7 37.96.87.123 12699 80

222.22.93.2199.1.205.23 37654 80

222.22.65.143 203.77.240.43 48712 80

If rule table indicates that stateful table must be checked:check to see if there is already a connection in stateful table

• Log each TCP connection initiated through firewall: SYN segment• Timeout entries which see no activity for, say, 60 seconds

Stateful filters can also remember outgoing UDP segments

Firewall. 51

Stateful example

actionsourceaddress

destaddress

protosource

portdestport

flagbit

check conxion

allow 222.22/16outside of222.22/16

TCP > 1023 80any

allow outside of222.22/16

222.22/16TCP 80 > 1023 ACK x

allow 222.22/16outside of222.22/16

UDP > 1023 53 ---

allow outside of222.22/16

222.22/16UDP 53 > 1023 ---- x

deny all all all all all all

1) Packet arrives from outside: SA=37.96.87.123, SP=80,DA=222.22.1.7, DP=12699, SYN=0, ACK=1

2) Check filter table ➜ check stateful table

3) Connection is listed in connection table ➜ let packet through

Firewall. 52

Contents


Firewall. 53

Network Firewall Architectures

Screening Router Simple Firewall Multi-Legged firewall Firewall Sandwich Layered Security Architecture

Firewall. 54

Screening Router

Access Lists provide security Routers are not application aware

Only inspects network level information

Layer 3 of the OSI model Does not provide a great deal of

security Very fast Not commonly used alone for security

Firewall. 55

Screening Router

Internet/UntrustedNetwork

Internal Trusted Network

ServerDesktop

Mainframe Database

Routes or blocks packets, asdetermined by security policy

Screening Router

Firewall. 56

Simple Firewall

Small Companies with limited security needs

Only utilizes two interfaces Trusted Un-trusted

Provides modest security Does not offer dmz sandbox Inherently allows some level of

connections between trusted and un-trusted networks

Firewall. 57

Simple Firewall

Screening Router



Serverweb, smtp

DesktopMainframe Database


Firewall then handles trafficadditionally to maintain more

security

Firewall

Firewall. 58

Multi-Legged Firewall

Small to large sized business Security need is expanded Provides stronger security Creates a secure sandbox for semi-

trusted services Flexible and secure

Firewall. 59

Multi-Legged Firewall

Screening Router



ServerDesktop

Mainframe Database



security

DMZ now offers a securesandbox to handle un-trusted

connections to internet servicesFirewall

DMZ Semi-Trusted Network

Web Server SMTP Server Server

Firewall. 60

Demilitarized Zone (DMZ)

Webserver

FTPserver

DNSserver

applicationgateway

Internet

Demilitarized zone

Internalnetwork

firewall

Firewall. 61

Firewall Sandwich

Medium to large businesses Higher costs

More serious need for security Provides a physical separation of

networks Provides policy segregation between

inside and outside firewalls Reduces administrative holes

Firewall. 62

Firewall Sandwitch

Screening Router



App ServerDesktop

Mainframe Database



security

DMZ now offers a securenetwork to handle un-trusted

connections to internet services

Separation of security policycontrols between inside and

outside firewalls

Inside Firewall

Outside Firewall

DMZSemi-trusted

networkDMZ Semi-Trusted Network

Web Server SMTP Server Server

Firewall. 63

Layered Firewall Approach

Large enterprises with low risk tolerance Separates internal environments Reduces computer crimes

Most attacks are internally basedDeters malicious activities

Controls overhead administrative traffic

Allows IDS to work more effectively

Firewall. 64

Layered Firewall

DevelopmentNetwork

User Network HR Network

Internet /Un-trusted Network

DMZSemi-trusted

network

Inside Firewall

Inside Firewall

Internal Firewall

Internal Firewall

MainframeNetwork

Internal Firewall



security

DMZ now offers a securenetwork to handle un-trusted

connections to internet services

Separation of security policycontrols networks within yourtrusted network as well as yousemi and un-trusted networks

Fences keep honest peoplehonest!

Firewall. 65

Defense in depth

Security has no single right answer Use every tool available to bolster

security Layered security is always the best

approach Strong security controls coupled with

audit, administrative reviews, and an effective security response plan will provide a strong holistic defense

Firewall. 66

Contents


Firewall. 67

Firewall Deployment

Corporate Network Gateway Protect

internal network from attack

Most common deployment point

Internet

Human Resources Network

Corporate Site

Demilitarized Zone(DMZ)

Public Servers

DMZ

Corporate Network Gateway

Firewall. 68

Firewall Deployment

Internal Segment Gateway Protect sensitive

segments (Finance, HR, Product Development)

Provide second layer of defense

Ensure protection against internal attacks and misuse

Internet


Corporate Site

Public Servers

Demilitarized Zone(Publicly-accessible

servers)

Internal Segment Gateway

Firewall. 69

Firewall Deployment

Server-Based Firewall Protect

individual application servers

Files protect

Internet


Corporate Site

Server-BasedFirewall

SAP Server

Public ServersDMZ

Firewall. 70

Firewall Deployment

Hardware appliance based firewall Single platform, software pre-

installed Can be used to support small

organizations or branch offices with little IT support

Software based firewall Flexible platform deployment

options Can scale as organization grows

Firewall. 71

Contents


Firewall. 72

What is a VPN?

A VPN (Virtual Private Network) is a private connection over an open network

A VPN includes authentication and encryption to protect data integrity and confidentiality

VPN

VPN

Internet

Acme Corp

A CorpSite 2

A CorpSite 1

Firewall. 73

Why Use Virtual Private Networks?

More flexibility Leverage ISP point of presence Use multiple connection types

(cable, DSL, T1, T3) Most attacks originate within an

organization

Firewall. 74


More scalabilityAdd new sites, users quicklyScale bandwidth to demand

Firewall. 75


Lower costsReduced frame relay/leased

line costsReduced long distanceReduced equipment costs

(modem banks, CSU/DSUs)Reduced technical support

Firewall. 76

Types of VPNs Remote Access VPN

Provides access to internal corporate network over the Internet

Reduces long distance, modem bank, and technical support costs

PAP (password authentication protocol),

CHAP (Challenge-Handshake Authentication Protocol)

RADIUS (Remote Authentication Dial In User Service )

Internet

CorporateSite

Firewall. 77

Types of VPNs

Site-to-Site VPN Connects

multiple offices over Internet

Reduces dependencies on frame relay and leased lines

Internet

BranchOffice

CorporateSite

Firewall. 78

Types of VPNs

Extranet VPN Provides

business partners access to critical information (leads, sales tools, etc)

Reduces transaction and operational costs

CorporateSite

Internet

Partner #1Partner #2

Firewall. 79

Types of VPNs

Client/Server VPN Protects sensitive

internal communications

Internet

LAN clients

Database Server

LAN clients with sensitive

data

Firewall. 80

Components of a VPN

Encryption Key management Message authentication Entity authentication

Firewall. 81

Encryption

Current standards: DES and Triple-DES Over 20 years in the field

AES beginning deployment New standard More computationally efficient Longer keys = more secure

HR Server

E-Mail Server

Joe’s PC to HR Server

All Other TrafficCleartext

EncryptedEncrypted

Mary’s PC

Joe’s PC

Firewall. 82

Key Management

Public key cryptosystems enable secure exchange of private crypto keys across open networks

Re-keying at appropriate intervals

IKE = Internet Key Exchange protocolsIncorporates ISAKMP (Internet

Security Association and Key Management Protocol)

Firewall. 83

Authentication

IPsec standards focus on authentication of two network devices to each other IP address/preshared key Digital certificates

User authentication is added on top if required RADIUS and TACACS+ (Terminal

Access Controller Access-Control System Plus) are the standard protocols for authentication servers

XAUTH is being added to the standards to address user authentication

Firewall. 84

Point-to-Point Tunneling Protocol (PPTP)

Layer 2 remote access VPN technology PPTP uses a control channel over TCP

and a GRE tunnel operating to encapsulate PPP packets

RFC 2637 Authentication and encryption Limited user management and scalability Known security vulnerabilities

InternetRemote PPTP Client

ISP Remote AccessSwitch

PPTP RAS Server

Corporate Network

http://en.wikipedia.org/wiki/Transmission_Control_Protocol

http://en.wikipedia.org/wiki/Generic_Routing_Encapsulation

http://en.wikipedia.org/wiki/Point-to-Point_Protocol

Firewall. 85

Layer 2 Tunneling Protocol (L2TP)

Layer 2 remote access VPN protocol Combines and extends PPTP and L2F (Cisco

supported protocol) Weak authentication and encryption Does not include packet authentication,

data integrity, or key management Must be combined with IPSec for enterprise-

level security

Internet

Remote L2TP Client

ISP L2TP Concentrator

L2TP Server

Corporate Network

Firewall. 86

Internet Protocol Security (IPSec)

Layer 3 protocol for remote access, intranet, and extranet VPNs Internet standard for VPNs Provides flexible encryption and

message authentication/integrity Includes key management

Firewall. 87

Components of an IPSec VPN

Encryption Message

Authentication Entity

Authentication Key

Management

DES, 3DES, and more

HMAC-MD5, HMAC-SHA-1, or others

Digital Certificates, Shared Secrets, Hybrid Mode IKE

Internet Key Exchange (IKE), Public Key Infrastructure (PKI)

All managed by security associations (SAs)

Firewall. 88

Encryption Explained

Used to convert data to a secret code for transmission over an untrusted network

EncryptionAlgorithm

“The cow jumped over the moon”

“4hsd4e3mjvd3sda1d38esdf2w4d”

Clear Text Encrypted Text

Firewall. 89

Symmetric Encryption

Same key used to encrypt and decrypt message

Faster than asymmetric encryption Examples: DES, 3DES, RC5, Rijndael

Shared Secret Key

Firewall. 90

Asymmetric Encryption

Different keys used to encrypt and decrypt message (One public, one private)

Examples include RSA, DSA, SHA-1, MD-5

Alice Public KeyEncrypt

Alice Private KeyDecrypt

Bob Alice

Firewall. 91

Contents


Firewall. 92

Firewall Lab: iptables

Converts linux box into a packet filter. Included in most linux distributions

today.

linuxhost

linuxhost w/iptables

your job:configure

Externalnetwork

Firewall. 93

Firewall lab: iptables

iptables Provides firewall capability to a

linux host Comes installed with most linux

distributions Three types of tables: FILTER, NAT,

MANGLE Let’s only consider FILTER table for

now

Firewall. 94

Network or host firewall?


protectednetwork

Network firewall: linux host with 2 interfaces:

Host firewall: linux host with 1 interface:


filtertable

filtertable

Externalnetwork

network

Firewall. 95

Chain types for host firewall



INPUTchain

OUTPUTchain

network

network

Firewall. 96

INPUT, OUTPUT, FORWARD CHAINS for network firewall

INPUT chain applies for all packets destined to firewall

OUTPUT chain applies for all packets originating from firewall

FORWARD chain applies for all packets passing through firewall.

Firewall. 97

Chain types for network firewall


protectednetwork

FORWARDchain


protectednetwork


protectednetwork OUTPUT

chain

INPUTchainnetwork

network

network

Firewall. 98

iptables: Example command

iptables –A INPUT –i eth0 –s 232.16.4.0/24 –j ACCEPT

Sets a rule Accepts packets that enter from interface

eth0 and have source address in 232.16.4/24

Kernel applies the rules in order. The first rule that matches packet

determines the action for that packet Append: -A

Adds rule to bottom of list of existing rules

Firewall. 99

iptables: Example command

iptables –A INPUT –i eth0 –j DENY

Sets a rule Rejects all packets that enter from

interface eth0 (except for those accepted by previous rules)

Firewall. 100

iptables: More examples

iptables –L list current rules

iptables –F flush all rules

iptables –D INPUT 2 deletes 2nd rule in INPUT chain

iptables –I INPUT 1 –p tcp –tcp-flags SYN –s 232.16.4.0/24 –d 0/0:22 –j ACCEPT -I INPUT 1: insert INPUT rule at top Accept TCP SYNs to from 232.16.4.0/24 to

firewall port 22 (ssh)

Firewall. 101

iptables Options

-p protocol type (tcp, udp, icmp)

-s source IP address & port number

-d dest IP address & port number

-i interface name (lo, ppp0, eth0)

-j target (ACCEPT, DENY)

-l log this packet

--sport source port

--dport dest port

--icmp-type

Firewall. 102

iptable Table types FILTER:

What we have been talking about! 3 chain types: INPUT, OUTPUT, and

FORWARD NAT:

Hide internal network hosts from outside world. Outside world only sees the gateway’s external IP address, and no other internal IP addresses

PREROUTING, POSTROUTING, and others MANGLE

Don’t worry about it.

Firewall. 103

Tables, Chains & Rules

Three types of tables: FILTER, NAT, MANGLE

A table consists of chains. For example, a filter table can have

an INPUT chain, OUTPUT chain, and a FORWARD chain.

A chain consists of a set of rules.

Firewall. 104

Firewall Lab

m1

m3

m2

Configure m2 with iptables.

network

Firewall. 105

Firewall Lab: Part A

Configure NAT in m2 using NAT table with POSTROUTING chain: MASQUERADE packets so that

internal IP addresses are hidden from external network

From m1 and m3, only allow ssh to external network

This NAT configuration will remain in force throughout the lab

Firewall. 106

Firewall Lab: Part B

Rules for packets originating from or terminating at m2 (the gateway):

Allow ssh connections originating from m2 and destined to m2.

Allow pings originating from m2 and destined to m2.

Block all other traffic to or from m2. Hint: Part B requires INPUT and

OUTPUT chains but no FORWARD chain

Firewall. 107

Firewall Lab: Part C

Flush filter table rules from Part B. Allow only m1 (and not m3) to initiate

an ssh session to hosts in the external network

Reject all other traffic Hint: Part C requires FORWARD,

INPUT and OUTPUT chains

firewall. 1 firewall technologies 黃能富 教授 國立清華大學資訊工程系...

Documents

firewall. 1 firewall technologies 黃能富教授國立清華大學資訊工程系...