firewall. 1 firewall technologies 黃能富 教授 國立清華大學資訊工程系...
TRANSCRIPT
Firewall. 2
Contents
Firewall Introduction Firewall Hardware Types Firewall Technologies Firewall Architecture Firewall Deployment VPN (Virtual Private Network) Firewall Labs : Iptables
Firewall. 3
What is a Firewall ? A firewall isolates organization’s
internal net from larger Internet, allowing some packets to pass, blocking others.
privately administered
222.22/16
Internet
Firewall. 4
What is a Firewall ? A firewall acts as
a security gateway between two networks
Usually between trusted and untrusted networks (such as between a corporate network and the Internet)
Internet
Corporate Site
Corporate Network Gateway
Firewall. 5
What is a Firewall ?
A firewall tracks and controls network communications
Decides whether to pass, reject, encrypt, or log communications (Access Control) Corporate
Site
“Allow Trafficto Internet”
Internet
“Block traffic from Internet”
Firewall. 6
What is a Firewall?
A firewall is a security policy enforcement point that regulates access between computer networks
Filters are inherently insecure services
Controls TCP protocols http, smtp, ftp, telnet etc
Only one of many different security tool’s to control and regulate network traffic
Firewall. 7
Why Firewalls are Needed
Prevent attacks from untrusted networks
Protect data integrity of critical information
Preserve customer and partner confidence
Firewall. 8
Firewall goals:
All traffic from outside to inside and vice-versa passes through the firewall.
Only authorized traffic, as defined by local security policy, will be allowed to pass.
The firewall itself is immune to penetration.
Firewall. 9
What do Firewalls Protect? Data
Proprietary corporate information Financial information Sensitive employee or customer data
Resources Computing resources Time resources Bandwidth resources
Reputation Loss of confidence in an organization Intruder uses an organization’s network
to attack other sites
Firewall. 10
Common Internet Threats Denial of service attacks
Specific attacks that can cause a server crash
Flooding the server with traffic to disrupt or deny service
Intrusion threats Attacks on services/exploits
The backend server may not be hardened enough for adequate protection, but the firewall can block external attacks
Information threats
Firewall. 11
How Vulnerable are Internet Services?
E-mail or smtp – Simple Mail Transfer Protocol TCP/IP based port 25 (POP 110) Risks Include
E-mail bombing (stalking)– Anonymous harassment– Large amounts of e-mail to a single user address
Spamming– Messages sent to numerous different users from a
host Virus download mechanism
– Code Red– Nimda
Not always traceable POP and IMAP can be very insecure
Firewall. 12
FTP - File Transfer Protocol TCP/IP based port 20/21 Risks Include
Unencrypted authentication and data transfers– Usernames and passwords can
be”sniffed” Unencrypted data transfers
– Data can be viewed Often part of default installations Anonymous ftp is possible
How Vulnerable are Internet Services?
Firewall. 13
How Vulnerable are Internet Services?
Telnet TCP/IP based port 23 Risks include
Unencrypted authentication Unencrypted interactive session Session hijacking Included in default installations Can allow remote root login
Firewall. 14
How Vulnerable are Internet Services?
HTTP – Hypertext Transfer Protocol TCP/IP based port 80 Risks Include
Browsers can be used to run dangerous commands
Difficult to secure Remote execution of commands and
execution (server side) Non-secure add-on applications
– Java– Cookies
Firewall. 15
How Vulnerable are Internet Services?
HTTPS – Secure Hypertext Transfer Protocol TCP/IP based port 443 Risks Include
Browsers can be used to run dangerous commands
Remote execution of commands and execution (server side)
Becomes a tunnel for any data Can be used to subvert firewall/security
controls
Firewall. 16
How Vulnerable are Internet Services?
DNS TCP and UDP based ports 53 and
1024 Risks include
DNS cache poisoning– Bad data to redirect valid connections
to the wrong server DNS spoofing
– Bad data to redirect valid connections to the wrong server
Absolutely needed for network services
Firewall. 17
How Vulnerable are Internet Services?
SNMP – Simple Network Management Protocol UDP based Risks include
Unencrypted data transfers Poor authentication through “community
relationships” Transfer of highly sensitive data Does use access lists
Firewall. 18
How Vulnerable are Internet Services?
NFS – Network File System NFS is a shared file structure Based on a trust model of network
machines Certain machines can access shared file
systems Risks include
No “user” authentication IP Spoofing to gain access Most secure NFS is still very insecure
Firewall. 19
Contents
Firewall Introduction Firewall Hardware Types Firewall Technologies Firewall Architecture Firewall Deployment VPN (Virtual Private Network) Firewall Labs : Iptables
Firewall. 20
Firewall Hardware Types Three basic hardware types
Appliance based systems Purpose built Simple Highly integrated
3rd Party servers General use systems Additional support channel Greater flexibility
Hybrid servers Purpose built for a limited product line Often closely integrated with software
offerings May have separate support channel Most have highly integrated components
Firewall. 21
Firewall Hardware Types
Appliance based system problems OS and Kernel hardening and security
may be done by vendor only Tightly coupled software and hardware
may have insecure code unknown to user Hard to inspect or verify
All security controls are determined through a single vendor
Appliances are used to simplify implementation and support efforts causing some loss of administrative control
Firewall. 22
Firewall Hardware Types
3rd Party server problems OS and Kernel hardening and security
must be done by implementation staff Expertise procedures
OS software may have many known vulnerabilities/ security holes Each must be plugged
All security controls are determined through corporate policy
3rd party systems require a larger degree of administration and procedure
Firewall. 23
Firewall Hardware Types
Hybrid servers OS and Kernel hardening is started by
vendor and completed by end user security staff—can help to make it more robust
Packaged software and hardware are generally reviewed for security
All security controls are determined through a more partnered structure
Hybrid servers are also used to simplify implementation and support efforts without giving away administrative control
Firewall. 24
Contents
Firewall Introduction Firewall Hardware Types Firewall Technologies Firewall Architecture Firewall Deployment VPN (Virtual Private Network) Firewall Labs : Iptables
Firewall. 25
Firewalls Technologies
Traditional packet filters filters often combined with
router, creating a firewall widely available in routers, linux
Application gateways often implemented with SOCKS
today
Stateful Inspection filtersmaintains connection state
Firewall. 26
Evolution of Firewalls
PacketFilter
StatefulInspection
Stage of Evolution
ApplicationProxy
Firewall. 27
Traditional packet filters
source IP address destination IP
address source port destination port TCP flag bits
SYN bit set: datagram for connection initiation
ACK bit set: part of established connection
TCP or UDP or ICMP Firewalls often
configured to block all UDP
direction Is the datagram
leaving or entering the internal network?
router interface decisions can be
different for different interfaces
Analyzes each datagram going through it; makes dropdecision based on:
Firewall. 28
Packets examined at the network layer
Useful “first line” of defense - commonly deployed on routers
Simple accept or reject decision model No awareness of higher protocol
layers
Packet Filter
Applications
Presentations
Sessions
Transport
Data Link
Physical
Data Link
Physical
Applications
Presentations
Sessions
Transport
Data Link
Physical
Network
Presentations
Sessions
Transport
Applications
Network Network
Firewall. 29
Packet Filtering Firewalls
Packet filtering is one of the oldest, and one of the most common types of firewall technologies.
Packet filters inspect each packet of information individually, examining the source and destination IP addresses and ports.
This information is compared to access control rules to decide whether the given packet should be allowed through the firewall.
Packet filters consider only the most basic attributes of each packet, and they don't need to remember anything about the traffic since each packet is examined in isolation.
For this reason they can decide packet flow very quickly.
Firewall. 30
Packet Filtering Firewalls Because every packet of every connection
is checked against the access control rules, larger, complex rule bases decrease performance.
And because packet filters can only check low-level attributes, they are not secure against malicious code hiding in the other layers.
Packet filters are often used as a first defense in combination with other firewall technologies, and their most common implementation today is seen in the access control lists of routers at the perimeters of networks.
For simple protocols or one-sided connections, like ICMP or SNMP traps, it is still useful to use packet filtering technology.
Firewall. 31
Packet Filtering Rules - Examples
Policy Firewall Setting
No outside Web access.
Drop all outgoing packets to any IP address, port 80
External connections to public Web server only.
Drop all incoming TCP SYN packets to any IP except 222.22.44.203, port 80
Prevent IPTV from eating up the available bandwidth.
Drop all incoming UDP packets - except DNS and router broadcasts.
Prevent your network from being used for a Smurf DoS attack.
Drop all ICMP packets going to a “broadcast” address (eg 222.22.255.255).
Prevent your network from being tracerouted
Drop all outgoing ICMP
Firewall. 32
Access control lists
actionsourceaddres
s
destaddres
s
protocol
source
port
destport
flagbit
allow 222.22/16
outside of
222.22/16
TCP>
102380
any
allowoutside
of222.22/
16
222.22/16 TCP 80
> 1023
ACK
allow 222.22/16
outside of
222.22/16
UDP>
102353 ---
allowoutside
of222.22/
16
222.22/16 UDP 53
> 1023
----
deny all all all all all all
Apply rules from top to bottom:
Firewall. 33
Access control lists
Each router/firewall interface can have its own ACL
Most firewall vendors provide both command-line and graphical configuration interface
Firewall. 34
Network Address Translation (NAT)
Converts a network’s illegal IP addresses to legal or public IP addresses Hides the true addresses of individual
hosts, protecting them from attack Allows more devices to be connected to
the network
Internet
InternalIP Addresses
219.22.165.1
Corporate LAN
192.172.1.1-192.172.1.254
PublicIP Address(es)
Firewall. 35
Traditional packet filters
Advantages One screening router can protect entire
network Can be efficient if filtering rules are kept
simple Widely available. Almost any router, even
Linux boxes
Disadvantages Can possibly be penetrated Cannot enforce some policies. For
example, permit certain users. Rules can get complicated and difficult to
test
Firewall. 36
Application Level Firewalls
These firewalls, also known as application proxies, provide the most secure type of data connection because they can examine every layer of the communication, including the application data.
To achieve this security proxies, as their name suggests, actually mediate connections.
The connection from a client to a server is intercepted by the proxy.
Firewall. 37
Application Gateway or Proxy
Applications
Presentations
Sessions
Transport
Data Link
Physical
Data Link
Physical
Applications
Presentations
Sessions
Transport
Data Link
Physical
Network NetworkNetwork
Presentations
Sessions
Transport
Applications
Packets examined at the application layer
Application/Content filtering possible - prevent FTP “put” commands, for example
Modest performance Scalability limited
Firewall. 38
Application Level Firewalls
If the proxy determines that the connection is allowed, it opens a second connection to the server from itself, on behalf of the original host.
The data portion of each packet must be stripped off, examined, rebuilt, and sent again on the second connection.
This thorough examination and handling of packets means that proxy firewalls are very secure and generally slow.
Proxies are also limited as firewalls, because they must understand the application layer.
As new protocols are developed, new proxies must be written and implemented to handle them.
Firewall. 39
Application Level Firewalls
Web Proxy Severs Application Proxy Servers A mail server is an example of an
application gateway Can’t deposit mail in recipient’s mail
server without passing through sender’s mail server
Second Generation Firewall Technology Makes connections on behalf of the
client Not flexible
Firewall. 40
Application gateways (proxy gateways)
Gateway sits between user on inside and server on outside. Instead of talking directly, user and server talk through proxy.
Allows more fine grained and sophisticated control than packet filtering. For example, ftp server may not allow files greater than a set size.host-to-gateway
ftp session
gateway-to-remote host ftp session
applicationgateway
Firewall. 41
Application gateways + packet filter
Filters packets on application data as well as on IP/TCP/UDP fields.
Example: allow select internal users (IP addresses) to ftp outside.1. Require all ftp users to ftp through
gateway.2. For authorized users, gateway sets up
ftp connection to dest host. Gateway relays data between 2 connections
3. Router filter blocks all ftp connections not originating from gateway.
host-to-gatewayftp session
gateway-to-remote host ftp session
applicationgateway
router and filter
Firewall. 43
SOCKS Proxy protocol
Generic proxy protocol Don’t have to redo all of the code
when proxifying an application. Can be used by HTTP, FTP, telnet, SSL,
… Independent of application layer
protocol Includes authentication, restricting
which users/apps/IP addresses can pass through firewall.
Firewall. 44
SOCKS proxy protocol
HTTP
SOCKS Library
TCP
SOCKS Daemon
TCP
Apache/IIS
Firefox/IE
HTTP
TCP
Firewall Application
1. For example, let’s assume that browser requests a page 2. SOCKS Library is
a collection of procedures. It translates requests into a specific format and sends them to SOCKS Daemon
3. The SOCKS Daemon runs on the firewall host. The daemon authenticates the user and forwards all the data to the server.
4. The server receives requests as ordinary HTTP. It does not need a SOCKS library.
Firewall. 45
Proxy gateways Advantages
Proxy can log all connections, activity in connections
Proxy can provide caching Proxy can do intelligent filtering based on
content Proxy can perform user-level
authentication
Disadvantages Not all services have proxied versions May need different proxy server for each
service Requires modification of client Performance
Firewall. 46
Stateful Filters
Stateful filter: Adds more intelligence to the filter decision-making process Stateful = remember past packets Memory implemented in a very
dynamic state table
Firewall. 47
Stateful Inspection
Applications
Presentations
Sessions
Transport
Data Link
Physical
Data Link
Physical
Applications
Presentations
Sessions
Transport
Data Link
Physical
Network Network
Network
Presentations
Sessions
Transport
INSPECT Engine
Applications
Dynamic State TablesDynamic
State TablesDynamic State Tables
Packets Inspected between data link layer and network layer in the OS kernel
State tables are created to maintain connection context
Invented by CheckPoint
Firewall. 48
Stateful Inspection © Stateful inspection architecture utilizes a
unique, patented INSPECT Engine which enforces the security policy on the gateway on which it resides.
The INSPECT Engine looks at all communication layers and extracts only the relevant data, enabling highly efficient operation, support for a large number of protocols and applications, and easy extensibility to new applications and services.
The INSPECT Engine is programmable using CheckPoint's powerful INSPECT Language.
Firewall. 49
Stateful Inspection © This provides important system
extensibility, allowing CheckPoint, as well as its technology partners and end-users, to incorporate new applications, services, and protocols, without requiring new software to be loaded.
For most new applications, including most custom applications developed by end users, the communication-related behavior of the new application can be incorporated simply by modifying one of Firewall-1's built-in script templates via the graphical user interface.
Even the most complex applications can be added quickly and easily via the INSPECT Language.
Firewall. 50
Stateful filters: example
sourceaddress
destaddress
sourceport
destport
222.22.1.7 37.96.87.123 12699 80
222.22.93.2199.1.205.23 37654 80
222.22.65.143 203.77.240.43 48712 80
If rule table indicates that stateful table must be checked:check to see if there is already a connection in stateful table
• Log each TCP connection initiated through firewall: SYN segment• Timeout entries which see no activity for, say, 60 seconds
Stateful filters can also remember outgoing UDP segments
Firewall. 51
Stateful example
actionsourceaddress
destaddress
protosource
portdestport
flagbit
check conxion
allow 222.22/16outside of222.22/16
TCP > 1023 80any
allow outside of222.22/16
222.22/16TCP 80 > 1023 ACK x
allow 222.22/16outside of222.22/16
UDP > 1023 53 ---
allow outside of222.22/16
222.22/16UDP 53 > 1023 ---- x
deny all all all all all all
1) Packet arrives from outside: SA=37.96.87.123, SP=80,DA=222.22.1.7, DP=12699, SYN=0, ACK=1
2) Check filter table ➜ check stateful table
3) Connection is listed in connection table ➜ let packet through
Firewall. 52
Contents
Firewall Introduction Firewall Hardware Types Firewall Technologies Firewall Architecture Firewall Deployment VPN (Virtual Private Network) Firewall Labs : Iptables
Firewall. 53
Network Firewall Architectures
Screening Router Simple Firewall Multi-Legged firewall Firewall Sandwich Layered Security Architecture
Firewall. 54
Screening Router
Access Lists provide security Routers are not application aware
Only inspects network level information
Layer 3 of the OSI model Does not provide a great deal of
security Very fast Not commonly used alone for security
Firewall. 55
Screening Router
Internet/UntrustedNetwork
Internal Trusted Network
ServerDesktop
Mainframe Database
Routes or blocks packets, asdetermined by security policy
Screening Router
Firewall. 56
Simple Firewall
Small Companies with limited security needs
Only utilizes two interfaces Trusted Un-trusted
Provides modest security Does not offer dmz sandbox Inherently allows some level of
connections between trusted and un-trusted networks
Firewall. 57
Simple Firewall
Screening Router
Internet/UntrustedNetwork
Internal Trusted Network
Serverweb, smtp
DesktopMainframe Database
Routes or blocks packets, asdetermined by security policy
Firewall then handles trafficadditionally to maintain more
security
Firewall
Firewall. 58
Multi-Legged Firewall
Small to large sized business Security need is expanded Provides stronger security Creates a secure sandbox for semi-
trusted services Flexible and secure
Firewall. 59
Multi-Legged Firewall
Screening Router
Internet/UntrustedNetwork
Internal Trusted Network
ServerDesktop
Mainframe Database
Routes or blocks packets, asdetermined by security policy
Firewall then handles trafficadditionally to maintain more
security
DMZ now offers a securesandbox to handle un-trusted
connections to internet servicesFirewall
DMZ Semi-Trusted Network
Web Server SMTP Server Server
Firewall. 60
Demilitarized Zone (DMZ)
Webserver
FTPserver
DNSserver
applicationgateway
Internet
Demilitarized zone
Internalnetwork
firewall
Firewall. 61
Firewall Sandwich
Medium to large businesses Higher costs
More serious need for security Provides a physical separation of
networks Provides policy segregation between
inside and outside firewalls Reduces administrative holes
Firewall. 62
Firewall Sandwitch
Screening Router
Internet/UntrustedNetwork
Internal Trusted Network
App ServerDesktop
Mainframe Database
Routes or blocks packets, asdetermined by security policy
Firewall then handles trafficadditionally to maintain more
security
DMZ now offers a securenetwork to handle un-trusted
connections to internet services
Separation of security policycontrols between inside and
outside firewalls
Inside Firewall
Outside Firewall
DMZSemi-trusted
networkDMZ Semi-Trusted Network
Web Server SMTP Server Server
Firewall. 63
Layered Firewall Approach
Large enterprises with low risk tolerance Separates internal environments Reduces computer crimes
Most attacks are internally basedDeters malicious activities
Controls overhead administrative traffic
Allows IDS to work more effectively
Firewall. 64
Layered Firewall
DevelopmentNetwork
User Network HR Network
Internet /Un-trusted Network
DMZSemi-trusted
network
Inside Firewall
Inside Firewall
Internal Firewall
Internal Firewall
MainframeNetwork
Internal Firewall
Routes or blocks packets, asdetermined by security policy
Firewall then handles trafficadditionally to maintain more
security
DMZ now offers a securenetwork to handle un-trusted
connections to internet services
Separation of security policycontrols networks within yourtrusted network as well as yousemi and un-trusted networks
Fences keep honest peoplehonest!
Firewall. 65
Defense in depth
Security has no single right answer Use every tool available to bolster
security Layered security is always the best
approach Strong security controls coupled with
audit, administrative reviews, and an effective security response plan will provide a strong holistic defense
Firewall. 66
Contents
Firewall Introduction Firewall Hardware Types Firewall Technologies Firewall Architecture Firewall Deployment VPN (Virtual Private Network) Firewall Labs : Iptables
Firewall. 67
Firewall Deployment
Corporate Network Gateway Protect
internal network from attack
Most common deployment point
Internet
Human Resources Network
Corporate Site
Demilitarized Zone(DMZ)
Public Servers
DMZ
Corporate Network Gateway
Firewall. 68
Firewall Deployment
Internal Segment Gateway Protect sensitive
segments (Finance, HR, Product Development)
Provide second layer of defense
Ensure protection against internal attacks and misuse
Internet
Human Resources Network
Corporate Site
Public Servers
Demilitarized Zone(Publicly-accessible
servers)
Internal Segment Gateway
Firewall. 69
Firewall Deployment
Server-Based Firewall Protect
individual application servers
Files protect
Internet
Human Resources Network
Corporate Site
Server-BasedFirewall
SAP Server
Public ServersDMZ
Firewall. 70
Firewall Deployment
Hardware appliance based firewall Single platform, software pre-
installed Can be used to support small
organizations or branch offices with little IT support
Software based firewall Flexible platform deployment
options Can scale as organization grows
Firewall. 71
Contents
Firewall Introduction Firewall Hardware Types Firewall Technologies Firewall Architecture Firewall Deployment VPN (Virtual Private Network) Firewall Labs : Iptables
Firewall. 72
What is a VPN?
A VPN (Virtual Private Network) is a private connection over an open network
A VPN includes authentication and encryption to protect data integrity and confidentiality
VPN
VPN
Internet
Acme Corp
A CorpSite 2
A CorpSite 1
Firewall. 73
Why Use Virtual Private Networks?
More flexibility Leverage ISP point of presence Use multiple connection types
(cable, DSL, T1, T3) Most attacks originate within an
organization
Firewall. 74
Why Use Virtual Private Networks?
More scalabilityAdd new sites, users quicklyScale bandwidth to demand
Firewall. 75
Why Use Virtual Private Networks?
Lower costsReduced frame relay/leased
line costsReduced long distanceReduced equipment costs
(modem banks, CSU/DSUs)Reduced technical support
Firewall. 76
Types of VPNs Remote Access VPN
Provides access to internal corporate network over the Internet
Reduces long distance, modem bank, and technical support costs
PAP (password authentication protocol),
CHAP (Challenge-Handshake Authentication Protocol)
RADIUS (Remote Authentication Dial In User Service )
Internet
CorporateSite
Firewall. 77
Types of VPNs
Site-to-Site VPN Connects
multiple offices over Internet
Reduces dependencies on frame relay and leased lines
Internet
BranchOffice
CorporateSite
Firewall. 78
Types of VPNs
Extranet VPN Provides
business partners access to critical information (leads, sales tools, etc)
Reduces transaction and operational costs
CorporateSite
Internet
Partner #1Partner #2
Firewall. 79
Types of VPNs
Client/Server VPN Protects sensitive
internal communications
Internet
LAN clients
Database Server
LAN clients with sensitive
data
Firewall. 80
Components of a VPN
Encryption Key management Message authentication Entity authentication
Firewall. 81
Encryption
Current standards: DES and Triple-DES Over 20 years in the field
AES beginning deployment New standard More computationally efficient Longer keys = more secure
HR Server
E-Mail Server
Joe’s PC to HR Server
All Other TrafficCleartext
EncryptedEncrypted
Mary’s PC
Joe’s PC
Firewall. 82
Key Management
Public key cryptosystems enable secure exchange of private crypto keys across open networks
Re-keying at appropriate intervals
IKE = Internet Key Exchange protocolsIncorporates ISAKMP (Internet
Security Association and Key Management Protocol)
Firewall. 83
Authentication
IPsec standards focus on authentication of two network devices to each other IP address/preshared key Digital certificates
User authentication is added on top if required RADIUS and TACACS+ (Terminal
Access Controller Access-Control System Plus) are the standard protocols for authentication servers
XAUTH is being added to the standards to address user authentication
Firewall. 84
Point-to-Point Tunneling Protocol (PPTP)
Layer 2 remote access VPN technology PPTP uses a control channel over TCP
and a GRE tunnel operating to encapsulate PPP packets
RFC 2637 Authentication and encryption Limited user management and scalability Known security vulnerabilities
InternetRemote PPTP Client
ISP Remote AccessSwitch
PPTP RAS Server
Corporate Network
Firewall. 85
Layer 2 Tunneling Protocol (L2TP)
Layer 2 remote access VPN protocol Combines and extends PPTP and L2F (Cisco
supported protocol) Weak authentication and encryption Does not include packet authentication,
data integrity, or key management Must be combined with IPSec for enterprise-
level security
Internet
Remote L2TP Client
ISP L2TP Concentrator
L2TP Server
Corporate Network
Firewall. 86
Internet Protocol Security (IPSec)
Layer 3 protocol for remote access, intranet, and extranet VPNs Internet standard for VPNs Provides flexible encryption and
message authentication/integrity Includes key management
Firewall. 87
Components of an IPSec VPN
Encryption Message
Authentication Entity
Authentication Key
Management
DES, 3DES, and more
HMAC-MD5, HMAC-SHA-1, or others
Digital Certificates, Shared Secrets, Hybrid Mode IKE
Internet Key Exchange (IKE), Public Key Infrastructure (PKI)
All managed by security associations (SAs)
Firewall. 88
Encryption Explained
Used to convert data to a secret code for transmission over an untrusted network
EncryptionAlgorithm
“The cow jumped over the moon”
“4hsd4e3mjvd3sda1d38esdf2w4d”
Clear Text Encrypted Text
Firewall. 89
Symmetric Encryption
Same key used to encrypt and decrypt message
Faster than asymmetric encryption Examples: DES, 3DES, RC5, Rijndael
Shared Secret Key
Firewall. 90
Asymmetric Encryption
Different keys used to encrypt and decrypt message (One public, one private)
Examples include RSA, DSA, SHA-1, MD-5
Alice Public KeyEncrypt
Alice Private KeyDecrypt
Bob Alice
Firewall. 91
Contents
Firewall Introduction Firewall Hardware Types Firewall Technologies Firewall Architecture Firewall Deployment VPN (Virtual Private Network) Firewall Labs : Iptables
Firewall. 92
Firewall Lab: iptables
Converts linux box into a packet filter. Included in most linux distributions
today.
linuxhost
linuxhost w/iptables
your job:configure
Externalnetwork
Firewall. 93
Firewall lab: iptables
iptables Provides firewall capability to a
linux host Comes installed with most linux
distributions Three types of tables: FILTER, NAT,
MANGLE Let’s only consider FILTER table for
now
Firewall. 94
Network or host firewall?
linuxhost w/iptables
protectednetwork
Network firewall: linux host with 2 interfaces:
Host firewall: linux host with 1 interface:
linuxhost w/iptables
filtertable
filtertable
Externalnetwork
network
Firewall. 95
Chain types for host firewall
linuxhost w/iptables
linuxhost w/iptables
INPUTchain
OUTPUTchain
network
network
Firewall. 96
INPUT, OUTPUT, FORWARD CHAINS for network firewall
INPUT chain applies for all packets destined to firewall
OUTPUT chain applies for all packets originating from firewall
FORWARD chain applies for all packets passing through firewall.
Firewall. 97
Chain types for network firewall
linuxhost w/iptables
protectednetwork
FORWARDchain
linuxhost w/iptables
protectednetwork
linuxhost w/iptables
protectednetwork OUTPUT
chain
INPUTchainnetwork
network
network
Firewall. 98
iptables: Example command
iptables –A INPUT –i eth0 –s 232.16.4.0/24 –j ACCEPT
Sets a rule Accepts packets that enter from interface
eth0 and have source address in 232.16.4/24
Kernel applies the rules in order. The first rule that matches packet
determines the action for that packet Append: -A
Adds rule to bottom of list of existing rules
Firewall. 99
iptables: Example command
iptables –A INPUT –i eth0 –j DENY
Sets a rule Rejects all packets that enter from
interface eth0 (except for those accepted by previous rules)
Firewall. 100
iptables: More examples
iptables –L list current rules
iptables –F flush all rules
iptables –D INPUT 2 deletes 2nd rule in INPUT chain
iptables –I INPUT 1 –p tcp –tcp-flags SYN –s 232.16.4.0/24 –d 0/0:22 –j ACCEPT -I INPUT 1: insert INPUT rule at top Accept TCP SYNs to from 232.16.4.0/24 to
firewall port 22 (ssh)
Firewall. 101
iptables Options
-p protocol type (tcp, udp, icmp)
-s source IP address & port number
-d dest IP address & port number
-i interface name (lo, ppp0, eth0)
-j target (ACCEPT, DENY)
-l log this packet
--sport source port
--dport dest port
--icmp-type
Firewall. 102
iptable Table types FILTER:
What we have been talking about! 3 chain types: INPUT, OUTPUT, and
FORWARD NAT:
Hide internal network hosts from outside world. Outside world only sees the gateway’s external IP address, and no other internal IP addresses
PREROUTING, POSTROUTING, and others MANGLE
Don’t worry about it.
Firewall. 103
Tables, Chains & Rules
Three types of tables: FILTER, NAT, MANGLE
A table consists of chains. For example, a filter table can have
an INPUT chain, OUTPUT chain, and a FORWARD chain.
A chain consists of a set of rules.
Firewall. 105
Firewall Lab: Part A
Configure NAT in m2 using NAT table with POSTROUTING chain: MASQUERADE packets so that
internal IP addresses are hidden from external network
From m1 and m3, only allow ssh to external network
This NAT configuration will remain in force throughout the lab
Firewall. 106
Firewall Lab: Part B
Rules for packets originating from or terminating at m2 (the gateway):
Allow ssh connections originating from m2 and destined to m2.
Allow pings originating from m2 and destined to m2.
Block all other traffic to or from m2. Hint: Part B requires INPUT and
OUTPUT chains but no FORWARD chain