Università Ca Foscari Venezia

Similar documents
Linux. Sirindhorn International Institute of Technology Thammasat University. Linux. Firewalls with iptables. Concepts. Examples

Certification. Securing Networks

Network security Exercise 9 How to build a wall of fire Linux Netfilter

sottotitolo A.A. 2016/17 Federico Reghenzani, Alessandro Barenghi

Firewalls. IT443 Network Security Administration Slides courtesy of Bo Sheng

iptables and ip6tables An introduction to LINUX firewall

UNIVERSITY OF BOLTON SCHOOL OF CREATIVE TECHNOLOGIES COMPUTER AND NETWORK SECURITY SEMESTER TWO EXAMINATIONS 2016/2017 NETWORK SECURITY

Network Security Fundamentals

Firewall Management With FireWall Synthesizer

IPtables and Netfilter

Quick Note 05. Configuring Port Forwarding to access an IP camera user interface on a TransPort LR54. 7 November 2017

Mignis: A semantic based tool for firewall configuration

Netfilter. Fedora Core 5 setting up firewall for NIS and NFS labs. June 2006

Worksheet 8. Linux as a router, packet filtering, traffic shaping

Assignment 3 Firewalls

Introduction to Firewalls using IPTables

The Research and Application of Firewall based on Netfilter

Firewalls. Firewall types. Packet filter. Proxy server. linux, iptables-based Windows XP s built-in router device built-ins single TCP conversation

Network Address Translation

CS Computer and Network Security: Firewalls

A Technique for improving the scheduling of network communicating processes in MOSIX

11 aid sheets., A non-programmable calculator.

IPv6 NAT. Open Source Days 9th-10th March 2013 Copenhagen, Denmark. Patrick McHardy

UNIVERSITY OF BOLTON SCHOOL OF CREATIVE TECHNOLOGIES COMPUTER NETWORKS AND SECURITY SEMESTER TWO EXAMINATIONS 2017/2018 NETWORK SECURITY

Firewalling. Alessandro Barenghi. May 19, Dipartimento di Elettronica e Informazione Politecnico di Milano barenghi - at - elet.polimi.

Firewalls. Firewall. means of protecting a local system or network of systems from network-based security threats creates a perimeter of defense

Dual-stack Firewalling with husk

Some of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du. Firewalls. Chester Rebeiro IIT Madras

Linux Firewalls. Frank Kuse, AfNOG / 30

Firewalls. October 13, 2017

Linux System Administration, level 2

Suricata IDPS and Nftables: The Mixed Mode

Lecture 18: Packet Filtering Firewalls (Linux) Lecture Notes on Computer and Network Security. by Avi Kak

PXC loves firewalls (and System Admins loves iptables) Written by Marco Tusa Monday, 18 June :00 - Last Updated Wednesday, 18 July :25

Firewalls. Content. Location of firewalls Design of firewalls. Definitions. Forwarding. Gateways, routers, firewalls.

Packet Filtering and NAT

Firewalls, VPNs, and SSL Tunnels

Laboratory 2 Dynamic routing using RIP. Iptables. Part1. Dynamic Routing

TP5 Sécurité IPTABLE. * :sunrpc, localhost :domain,* :ssh, localhost :smtp, localhost:953,*: Tous sont des protocoles TCP

Cisco PCP-PNR Port Usage Information

IP Packet. Deny-everything-by-default-policy

Kernel Korner A NATural Progression

Computer Security Spring Firewalls. Aggelos Kiayias University of Connecticut

CSCI 680: Computer & Network Security

Definition of firewall

Distributed Systems Security

CSC 474/574 Information Systems Security

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

Security and network design

ECE 435 Network Engineering Lecture 23

Formal Analysis of Firewalls

Linux Systems Security. Firewalls and Filters NETS1028 Fall 2016

python-iptables Documentation

Basic Linux Desktop Security. Konrad Rosenbaum this presentation is protected by the GNU General Public License version 2 or any newer

Eaton Intelligent Power Manager as a Virtual Appliance Deployment s Guide

Written by Muhammad Kamran Azeem Wednesday, 02 July :48 - Last Updated Saturday, 25 December :45

Network and Filesystem Security

FireHOL Manual. Firewalling with FireHOL. FireHOL Team. Release pre3 Built 28 Oct 2013

Docker Networking: From One to Many. Don Mills

Stateless Firewall Implementation

A Unified Firewall Model for Web Security

ECE 435 Network Engineering Lecture 23

Nat & Publish -

Linux Security & Firewall

Firewall Configuration and Assessment

How to use IP Tables

Module: Firewalls. Professor Patrick McDaniel Fall CSE543 - Introduction to Computer and Network Security

Why Build My Own Router?

Configure. Version: Copyright ImageStream Internet Solutions, Inc., All rights Reserved.

A 10 years journey in Linux firewalling Pass the Salt, summer 2018 Lille, France Pablo Neira Ayuso


This material is based on work supported by the National Science Foundation under Grant No

Network Administration

CIS 192 Linux Lab Exercise

Linux 2.4 stateful firewall design

NAT and Tunnels. Alessandro Barenghi. May 25, Dipartimento di Elettronica e Informazione Politecnico di Milano barenghi - at - elet.polimi.

Optimization of Firewall Rules

THE INTERNET PROTOCOL INTERFACES

The Internet Protocol

Firewall : Filter & NAT. Divisi Training PT UFOAKSES SUKSES LUARBIASA Jakarta

AIconnect Multi-Purpose, Modular Application Line Card Configuration Guide

Design and Performance of the OpenBSD Stateful Packet Filter (pf)

Sirindhorn International Institute of Technology Thammasat University

Load Balancing Web Proxies / Filters / Gateways. Deployment Guide v Copyright Loadbalancer.org

NDN iptables match extension

Virtual Lab for CIS 192 & 196 Rich Simms May 27, 2006

Communication protocols and services

8/19/2010. Computer Forensics Network forensics. Data sources. Monitoring

Grandstream Networks, Inc. GWN Firewall Features Advanced NAT Configuration Guide

Load Balancing Bloxx Web Filter. Deployment Guide v Copyright Loadbalancer.org

Replacing Firewall (Brocade 5600 vrouter) with Firewall (vsrx)

RHCSA BOOT CAMP. Network Security

Firewall Evasion Lab: Bypassing Firewalls using VPN

10 A Security Primer. Copyright 2011 by The McGraw-Hill Companies CERTIFICATION OBJECTIVES. Q&A Self Test

THE INTERNET PROTOCOL/1

How to Configure Virus Scanning in the Firewall for FTP Traffic

Use this section to help you quickly locate a command.

Corso di Sicurezza delle Reti e dei Sistemi Software aa 2015/16

Junos Security. Chapter 4: Security Policies Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Masquerading Made Simple HOWTO

Transcription:

Firewalls Security 1 2018-19 Università Ca Foscari Venezia www.dais.unive.it/~focardi secgroup.dais.unive.it

Networks are complex (image from https://netcube.ru) 2

Example: traversal control Three subnetworks: Sensitive, Trusted and Untrusted Untrusted network should reach the Internet only 1. through fw3 and 2. when connecting to the Web (port 80) 3

Example: traversal control port 80 4

Typical firewall operations 5

Drop 6

Accept 7

Destination NAT 8

Source NAT 9

netfilter Standard firewall tool in Linux Netfilter allows for: Packet filtering Network address translation (NAT) Packet mangling (packet transformation) Netfilter can be configured through iptables, a very powerful and flexible tool 10

Tables netfilter is based on tables Tables group rules depending on the kind of action The three most commonly used tables are: filter for packet filtering nat for NATs mangle for packet alteration 11

Chains Chains are lists of rules that are inspected sequentially There are five predefined chains that are inspected in specific moments of a packet (p) life cycle: PREROUTING when p reaches the host FORWARD when p is routed through the host; POSTROUTING when p is about to leave the host; INPUT when p is routed to the host OUTPUT when p is generated by the host 12

Tables and chains 13

Rules Rules (in a chain) are inspected one after the other If matched then p is processed along the rule target Otherwise the next rule in the chain is examined. The most commonly used targets are: ACCEPT, for accepting the packet DROP, for dropping it DNAT, for destination NAT SNAT for source NAT A default policy is triggered if no rule matches 14

User-defined chains Target can also be a jump into a different chain, defined by users Similar to function calls Powerful and flexible but configurations become often complex and hard to maintain Ordering of rules (and tables) is fundamental to decide the fate of a packet 15

Demotivating example iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP iptables -t mangle -P PREROUTING DROP iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -j ACCEPT iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT iptables -A INPUT -s 0.0.0.0 -d 255.255.255.255 -j ACCEPT iptables -t mangle -A PREROUTING -s 0.0.0.0 -d 255.255.255.255 -j ACCEPT iptables -t mangle -A PREROUTING -i eth0 -s 10.0.0.0/24 -j ACCEPT iptables -t mangle -A PREROUTING -i lo -s 127.0.0.1 -j ACCEPT iptables -A FORWARD -i eth0 -d 5.6.7.8 -j DROP iptables -t mangle -A PREROUTING -i eth1 -d 10.0.0.2 -p tcp --dport 22 -m state --state NEW -j DROP iptables -A FORWARD -i eth1 -d 10.0.0.2 -p tcp --dport 22 -j ACCEPT iptables -A FORWARD -s 10.0.0.2 -p tcp --sport 22 -o eth1 -m state --state ESTABLISHED -j ACCEPT iptables -t nat -A PREROUTING -i eth1 -d 1.2.3.4 -p tcp --dport 22 -j DNAT --to-destination 10.0.0.2:22 iptables -t mangle -A PREROUTING -i eth1 -d 10.0.0.2 -p tcp --dport 80 -m state --state NEW -j DROP iptables -A FORWARD -i eth1 -d 10.0.0.2 -p tcp --dport 80 -j ACCEPT iptables -A FORWARD -s 10.0.0.2 -p tcp --sport 80 -o eth1 -m state --state ESTABLISHED -j ACCEPT iptables -t nat -A PREROUTING -i eth1 -d 1.2.3.4 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80 iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED -j ACCEPT iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth1 -j MASQUERADE 16

Default policy # iptables -t filter -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination -t specifies the table (filter is the default) -L stands for list 17

Configuring a firewall Least privilege principle: set the default policy to DROP and only enable packets that are necessary IMPORTANT: do not cut you off! Remember to enable ssh before you change the default policy to DROP! 18

Enable ssh iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT -A stands for append -p tcp specifies tcp protocol -dport and -sport specify destination and source port -j ACCEPT specifies the ACCEPT target Notice that both directions are necessary 19

Enable ssh # iptables -L -v Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target 57 3844 ACCEPT prot opt in out source destination tcp any anywhere anywhere -- any tcp dpt:ssh Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target 25 2740 ACCEPT prot opt in out source destination tcp any anywhere anywhere -- any tcp spt:ssh Packets are matching the two rules (we can observe this through -v option) 20

Least privilege iptables -P INPUT DROP Drops any incoming packet except SSH: Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out 126 8632 ACCEPT tcp -- any any source anywhere destination anywhere tcp dpt:ssh What happens if we issue the following? iptables -A INPUT -p tcp --dport 22 -j DROP Rules are inspected sequentially: this rule will never be matched, since ssh packets will be accepted by the previous one! 21

Stateful firewall Suppose we connect to a web server (port 80) Since OUTPUT policy is ACCEPT the connections goes through Q: What happens to the server answer? A: The answer is dropped! Recall that we only admit ssh incoming connections! 22

Connection tracking netfilter tracks connections: when a new connection starts the packet has state NEW packets belonging to the same connection has state ESTABLISHED some protocols start new connections (e.g. ftp). These packets have state RELATED address translation is also tracked (see next slides) iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT 23

DNAT example Forward web-traffic to a local server iptables -t nat -A PREROUTING -p tcp -d 157.138.7.88 --dport 80 -j DNAT --to-destination 192.168.0.100:80 Packets to 157.138.7.88:80 go to 192.168.0.100:80 instead Answers from 192.168.0.100 will appear to be from 157.138.7.88 (in order to be accepted by the browser) Translation is applied to all packets on the same connection 24

Maintaining a configuration 1) iptables... --source N1 -j ACCEPT 2) iptables... --dport 80 -j DROP 3) iptables... --source N2 -j ACCEPT 4) iptables... --dport 22 -j DROP 5) iptables... --source N3 -j ACCEPT Q1: Where can the packets from N2 go? A1: Everywhere except port 80 (context dependent) 25

Maintaining a configuration 1) iptables... --source N1 -j ACCEPT 2) iptables... --dport 80 -j DROP 3) iptables... --source N2 -j ACCEPT 4) iptables... --dport 22 -j DROP 5) iptables... --source N3 -j ACCEPT Q2: how can we accept packets from N4 that are not addressed to port 80? A2: 3a) iptables... --source N4 -j ACCEPT 26

Maintaining a configuration 1) iptables... --source N1 -j ACCEPT 2) iptables... --dport 80 -j DROP 3) iptables... --source N2 -j ACCEPT 4) iptables... --dport 22 -j DROP 5) iptables... --source N3 -j ACCEPT Q3: how can we accept packets from N5 that are not addressed to port 22? A3: 1a)iptables... --source N5 --dport 22 -j DROP 1b)iptables... --source N5 -j ACCEPT. 27

Maintaining a configuration is hard no fixed structure order matters, ACCEPT and DROP can alternate semantics depends on tables and chains to drop a packet, one must be sure that the rule is placed before all the ACCEPT rules (same chain) policy can be default ACCEPT or default DROP real configurations easily have more than 1000 lines! real configurations grow over time, and are maintained by different systems administrators. 28

Mignis Mignis is a tool for firewall configuration that supports: Network Address Translation (NAT) Least privilege Declarative style: order of the rules is irrelevant! Explicit rejects (with precedence over positive rules) Simple formal semantics (proof of correctness) Developed by secgroup@unive: https://github.com/secgroup/mignis 29

Mignis rules 30

ssh example revisited Mignis rule: * > local:22 tcp corresponds to: iptables -t filter -P INPUT DROP iptables -t filter -P OUTPUT DROP iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT iptables -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 31

iptables vs Mignis 1) iptables... --source N1 -j ACCEPT 1a)iptables... --source N5 --dport 22 -j DROP 1b)iptables... --source N5 -j ACCEPT 2) iptables... --dport 80 -j DROP 3) iptables... --source N2 -j ACCEPT 3a)iptables... --source N4 -j ACCEPT 4) iptables... --dport 22 -j DROP 5) iptables... --source N3 -j ACCEPT N1 N2 N3 N4 N5 > > > > > * *:*\80 *:*\(80,22) *:*\80 *:*\22 32

The demotivating example iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP iptables -t mangle -P PREROUTING DROP iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -j ACCEPT iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT iptables -A INPUT -s 0.0.0.0 -d 255.255.255.255 -j ACCEPT iptables -t mangle -A PREROUTING -s 0.0.0.0 -d 255.255.255.255 -j ACCEPT iptables -t mangle -A PREROUTING -i eth0 -s 10.0.0.0/24 -j ACCEPT iptables -t mangle -A PREROUTING -i lo -s 127.0.0.1 -j ACCEPT iptables -A FORWARD -i eth0 -d 5.6.7.8 -j DROP iptables -t mangle -A PREROUTING -i eth1 -d 10.0.0.2 -p tcp --dport 22 -m state --state NEW -j DROP iptables -A FORWARD -i eth1 -d 10.0.0.2 -p tcp --dport 22 -j ACCEPT iptables -A FORWARD -s 10.0.0.2 -p tcp --sport 22 -o eth1 -m state --state ESTABLISHED -j ACCEPT iptables -t nat -A PREROUTING -i eth1 -d 1.2.3.4 -p tcp --dport 22 -j DNAT --to-destination 10.0.0.2:22 iptables -t mangle -A PREROUTING -i eth1 -d 10.0.0.2 -p tcp --dport 80 -m state --state NEW -j DROP iptables -A FORWARD -i eth1 -d 10.0.0.2 -p tcp --dport 80 -j ACCEPT iptables -A FORWARD -s 10.0.0.2 -p tcp --sport 80 -o eth1 -m state --state ESTABLISHED -j ACCEPT iptables -t nat -A PREROUTING -i eth1 -d 1.2.3.4 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80 iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED -j ACCEPT iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth1 -j MASQUERADE 33

in Mignis ALIASES mypc 10.0.0.2 router_ip 1.2.3.4 malicious_host 5.6.7.8 FIREWALL lan [.] > ext ext > [router_ip:80] mypc:80 tcp ext > [router_ip:22] mypc:22 tcp lan / malicious_host 34

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback