Definition of firewall


Internet Firewalls

Definitions: firewall, policy, router, gateway, proxy
NAT: Network Address Translation
Source NAT, Destination NAT, Port forwarding
NAT firewall compromise via UPnP/IGD
Packet filtering and session spoofing
Port knocking
IPtables firewalls
Shorewall

Definition of firewall

A computer networking firewall implements a security policy either:
a. in respect of network traffic traversing a router or gateway operating between two networks, or
b. on a host computer, in respect of network traffic between one or more of that host computer's network connections and the host computer itself.

Security Policy

A security policy in this context is a decision about which network traffic should be allowed and/or which traffic should be blocked.

"The Net treats censorship as damage and routes around it" (John Gilmore)

While VPNs or circumvention proxies can be used to pierce firewalls, school pupils can be disciplined, and residents of dictatorships arrested by the police, for evading a network security policy. For these purposes a firewall is better seen as one line of defence, not as the entire defence.

Router

A router is a device that routes traffic between networks and operates at the network layer. In practice a firewall must also be able to make accept or reject decisions about routed packets based on information relevant to the transport layer.

http://en.wikipedia.org/wiki/network_layer
http://en.wikipedia.org/wiki/transport_layer

Gateway 1

A gateway is a device which intercepts and relays network traffic for a particular application, proxying that traffic so that the server providing the application sees client traffic as if it originated and terminated at the gateway. The gateway may be transparent to the client in some cases, or part of the client configuration in others. Where a gateway acts as a network firewall, its security influence is restricted to the application(s) it proxies.

Gateway 2

A router between the client and a proxy which intercepts client requests for particular applications (e.g. HTTP on port 80, or outgoing SMTP on port 25) and redirects them to specific gateways is acting as an integral part of the firewall provided by the redirecting proxy service. Application gateways may have traffic management and network efficiency purposes in addition to security purposes, or a combination of these. Gateways can be used to implement higher-level security policies: for example, a school may restrict the web sites its pupils can visit based on a restricted-sites list.

Marcus Ranum's Ultimate Firewall

http://www.ranum.com/security/computer_security/papers/a1-firewall/

Network Address Translation Firewalls

Strictly speaking, NAT is a routing technique for connecting a LAN that uses non-routable, in-house allocated addresses to the Internet. Because of the shortage of IP version 4 addresses, this approach is increasingly used for internal networks. The security advantage is that the default SNAT configuration of many consumer-grade (i.e. broadband) routers provides an inherent firewall: it blocks server requests from clients on the WAN side of the router to hosts on the LAN side, while allowing all client requests from the LAN side to be serviced from the WAN side.

NAT Firewalls 2

Given the low cost and security benefits of these devices, and the relative insecurity of most consumer PCs, this approach is recommended as the standard means of connecting even a single Windows host to a broadband connection, in preference to direct use of a broadband modem, which exposes the PC to external server requests and port scans. A NAT firewall is stateful, as it must maintain transport layer connections as well as translate addresses in network layer packets. Knowing which packets to allow through the firewall depends on whether they are part of a legitimately initiated session.

Source NAT (SNAT)

Private IP addresses are reserved in RFC 1918 and use the netblocks 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8. To allow servers outside the firewall/router to respond to clients inside, the router must:
- Translate the source address in outgoing IP packet headers from the internal host address to the WAN IP address of the router, so that the session is masqueraded as coming from the NAT firewall.
- Remember the association between service requests and the internal IP addresses they come from.
- Forward the external server's replies to the client's service request back to the client.
- Enable the client-server session or connection to continue on another port as requested by the external server, forwarding any responses by the server to the client.

Destination NAT (DNAT)

DNAT enables servers located inside the firewall-protected LAN to be accessed by clients located outside. Here the router must:
- Translate the destination address in incoming IP packet headers from the firewall/router's WAN IP address to the internal address of the server.
- Remember the association between service requests and the external IP addresses they come from.
- Forward the internal server's replies to the client's service request back to the external client.
- Enable the client-server session or connection to continue on another port as requested by the internal server, forwarding any responses by the client to the server.

Port Address Translation

Typical NAT-capable firewalls can also usefully change port numbers on SNAT sessions, so that a server located inside the firewall can provide a particular service, e.g. DNS or SMTP, using different or differently-configured server programs to respond to internal LAN requests and to external WAN requests. For example, a host might be configured to provide outgoing SMTP service for the LAN on port 25 and incoming SMTP service on port 2525. The firewall will translate the port number of DNAT'ed incoming SMTP requests from 25 to 2525, and will also translate the outgoing responses on this port accordingly.
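The SNAT, DNAT and port translation behaviour of the three slides above, as an added worked model that is not part of the original slides: a toy stateful NAT router that masquerades LAN clients, drops unsolicited WAN packets, and publishes an internal SMTP server on port 2525 as public port 25. The class and function names and all addresses are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """Hypothetical stateful NAT: SNAT with port translation for LAN clients,
    DNAT with port translation for published internal servers."""

    def __init__(self, wan_ip, first_port=40000):
        self.wan_ip = wan_ip
        self.next_port = first_port   # next masqueraded source port to hand out
        self.outbound = {}            # (lan_src, sport, dst, dport) -> wan port
        self.inbound = {}             # wan port -> (lan_src, sport, dst, dport)
        self.dnat = {}                # public port -> (internal host, internal port)

    def add_dnat(self, ext_port, host, int_port):
        self.dnat[ext_port] = (host, int_port)

    def lan_to_wan(self, p):
        # Replies from a DNAT'ed server leave with the public port restored.
        for ext_port, (host, int_port) in self.dnat.items():
            if (p.src, p.sport) == (host, int_port):
                return Packet(self.wan_ip, ext_port, p.dst, p.dport)
        # Client-initiated traffic: masquerade and remember the association.
        key = (p.src, p.sport, p.dst, p.dport)
        port = self.outbound.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return Packet(self.wan_ip, port, p.dst, p.dport)

    def wan_to_lan(self, p):
        """Translate a packet arriving on the WAN side; None means drop."""
        entry = self.inbound.get(p.dport)
        if entry is not None:
            lan_src, sport, dst, dport = entry
            if (p.src, p.sport) == (dst, dport):   # only the peer the client contacted
                return Packet(p.src, p.sport, lan_src, sport)
        if p.dport in self.dnat:                    # published internal service
            host, int_port = self.dnat[p.dport]
            return Packet(p.src, p.sport, host, int_port)
        return None                                 # unsolicited: the inherent firewall


def demo():
    """Constructed sample traffic using documentation addresses, not real hosts."""
    nat = NatRouter("203.0.113.7")
    nat.add_dnat(25, "192.168.0.10", 2525)          # public SMTP 25 -> internal 2525
    out = nat.lan_to_wan(Packet("192.168.0.5", 51000, "198.51.100.9", 443))
    reply = nat.wan_to_lan(Packet("198.51.100.9", 443, "203.0.113.7", out.sport))
    scan = nat.wan_to_lan(Packet("198.51.100.66", 4444, "203.0.113.7", 22))
    smtp_in = nat.wan_to_lan(Packet("198.51.100.20", 33000, "203.0.113.7", 25))
    smtp_out = nat.lan_to_wan(Packet("192.168.0.10", 2525, "198.51.100.20", 33000))
    return out, reply, scan, smtp_in, smtp_out
```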

NAT firewall compromise via UPnP/IGD

The UPnP (Universal Plug and Play) protocol is intended to let simple firewall rules be set up automatically through the Internet Gateway Device (IGD) service, so that computer users can install more complex services without needing to know anything about them. Unfortunately this protocol is not authenticated: UPnP assumes that requests from the LAN are trustworthy. The IGD service can change port forwarding, DNS, WiFi and other configurations on the fly. If a user on a UPnP/IGD-enabled network visits a website containing malicious Adobe Flash content, this can initiate HTTP requests which compromise the firewall. An attack of this nature has been reported in connection with BT's Home Hub product.

Packet filtering

A packet filtering firewall can operate statelessly, based on the legitimacy of the source and destination addresses of IP packets. One problem this solves is IP spoofing. In this kind of attack, trust relationships between computers are exploited by sending packets purporting to come from a trusted computer, but with a forged origin. For a firewall to defeat this attack, packets with origin addresses internal to the network should be blocked if they arrive from outside (ingress filtering), and packets with origin addresses external to the network should be blocked if they come from inside (egress filtering). Implementing egress filtering at ISP customer-facing routers helps mitigate DDoS attacks.
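The ingress/egress anti-spoofing checks just described, as an added example (not code from the slides): a stateless address filter for a router whose LAN side uses the RFC 1918 ranges. It is assumed to run before any DNAT rewrite; the interface names, the bogon list and the sample packets are constructed.

```python
import ipaddress

# RFC 1918 ranges (the Source NAT slide); the LAN side is assumed to use these.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Source addresses that should never appear on the wire at all.
BOGON = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8")]


def in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def filter_packet(in_iface, src, dst):
    """Stateless check on a packet that ARRIVED on in_iface ('wan' or 'lan'),
    before any NAT rewrite. Returns ('ACCEPT', '') or ('DROP', reason)."""
    if in_any(src, BOGON):
        return "DROP", "bogus source address"
    if in_iface == "wan":
        if in_any(src, INTERNAL):
            return "DROP", "ingress filtering: internal source arriving from outside"
        if in_any(dst, INTERNAL):
            # Private hosts are reachable from the WAN only via DNAT on the
            # router's public address (compare Shorewall's norfc1918 option).
            return "DROP", "ingress filtering: private destination from outside"
    elif in_iface == "lan":
        if not in_any(src, INTERNAL):
            return "DROP", "egress filtering: non-internal (spoofed) source leaving the LAN"
    else:
        raise ValueError(f"unknown interface {in_iface!r}")
    return "ACCEPT", ""


def run_samples():
    """Constructed sample packets (interface, src, dst) -> list of verdicts."""
    samples = [
        ("wan", "198.51.100.9", "203.0.113.7"),     # reply to our public address
        ("wan", "192.168.0.5", "203.0.113.7"),      # forged internal source from outside
        ("wan", "198.51.100.9", "10.0.0.3"),        # probing a private destination
        ("lan", "192.168.0.5", "198.51.100.9"),     # normal outbound client traffic
        ("lan", "198.51.100.77", "203.0.113.250"),  # spoofed source leaving the LAN
        ("lan", "127.0.0.1", "198.51.100.9"),       # loopback source on the wire
    ]
    return [filter_packet(*s)[0] for s in samples]
```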

Session spoofing

Session spoofing involves interpolating IP packets into a TCP or UDP session presumed to have been initiated between trusted hosts. For example, an attacker can predict when a web server will contact a back-end SQL database server based on input the attacker provides to the web server. For TCP this attack has been made more difficult by making the initial sequence numbers of TCP sessions less predictable. Dan Kaminsky's 2008 DNS spoofing attack involves spoofing UDP source addresses and guessing port numbers.

Port Knocking 1

This is a custom technique, which has pros and cons. Those checking their server logs will be aware of automated attempts to "brute force" system logins. This involves guessing popular passwords, typically against an SSH (secure shell) server. The following commands:

cd /var/log
grep sshd auth.log | grep password | grep root

showed 209 attempts on the root password, including:

Jan 23 21:38:30 copsewood sshd[529]: Failed password for root from ::ffff:82.208.151.245 port 37219

Port Knocking 2

One approach to defeating such attacks is to configure the firewall so that the sshd (secure shell daemon) server program only receives traffic from a particular set of IP addresses. This is too restrictive if you need to fix a server problem after receiving an automated SMS watchdog text message while on holiday, and must use the nearest Internet access point. A more flexible firewall solution is a port knocking daemon (PND), which scans the firewall logs for a specific and secret sequence of port knocks. When the correct port-knocking sequence is received, the PND temporarily reconfigures the firewall to allow the IP address from which the knocking pattern was received access to the SSH service port (22).
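The log-scanning core of such a PND, as an added example that is not the slides' code: it reads iptables LOG lines, tracks each source's progress through the secret sequence, resets on a wrong or late knock, and returns the sources that should be whitelisted. The knock sequence, time window, log format and the sample log are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

KNOCK_SEQUENCE = (7000, 8000, 9000)   # assumed secret sequence
WINDOW_SECONDS = 30                   # whole sequence must arrive within this window
SSH_PORT = 22

# Fields of an iptables LOG line, e.g. from a rule like
#   iptables -A INPUT -p tcp -m multiport --dports 7000,8000,9000 -j LOG --log-prefix "KNOCK "
LOG_RE = re.compile(r"SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")
EPOCH = datetime(1900, 1, 1)          # strptime's default year; only differences matter


def parse_ts(line):
    """Seconds from the syslog 'Mon DD HH:MM:SS' prefix (year-less, relative use only)."""
    return (datetime.strptime(line[:15], "%b %d %H:%M:%S") - EPOCH).total_seconds()


def whitelist_command(src):
    """The temporary firewall change the PND would apply for a correct knock."""
    return f"iptables -I INPUT -s {src} -p tcp --dport {SSH_PORT} -j ACCEPT"


def scan_log(lines):
    """Return the sources that completed the knock sequence, in order of completion."""
    progress = defaultdict(lambda: (0, None))   # src -> (knocks matched, time of first)
    opened = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dpt, ts = m.group("src"), int(m.group("dpt")), parse_ts(line)
        count, start = progress[src]
        if start is not None and ts - start > WINDOW_SECONDS:
            count, start = 0, None              # too slow: start over
        if dpt == KNOCK_SEQUENCE[count]:
            count += 1
            start = ts if start is None else start
        else:
            count, start = 0, None              # out-of-order knock resets progress
        if count == len(KNOCK_SEQUENCE):
            opened.append(src)
            count, start = 0, None
        progress[src] = (count, start)
    return opened


# Constructed sample log (simplified LOG format): 203.0.113.5 knocks correctly;
# 198.51.100.9 first knocks out of order, then too slowly.
SAMPLE_LOG = """\
Jan 23 21:40:01 copsewood kernel: KNOCK IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=40001 DPT=7000
Jan 23 21:40:02 copsewood kernel: KNOCK IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP SPT=5555 DPT=8000
Jan 23 21:40:03 copsewood kernel: KNOCK IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=40002 DPT=8000
Jan 23 21:40:04 copsewood kernel: KNOCK IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=40003 DPT=9000
Jan 23 21:41:00 copsewood kernel: KNOCK IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP SPT=5556 DPT=7000
Jan 23 21:42:00 copsewood kernel: KNOCK IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP SPT=5557 DPT=8000
Jan 23 21:42:01 copsewood kernel: KNOCK IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP SPT=5558 DPT=9000
"""


def demo():
    return scan_log(SAMPLE_LOG.splitlines())
```

A real PND would also remove the ACCEPT rule again after a timeout, which is what makes the access temporary.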

iptables

iptables is a network administration command-line tool on Linux which interfaces to the kernel-provided Netfilter modules. It supports stateless and stateful firewalls and NAT. It is useful to think of iptables as a specialised firewall-creation programming language. Programs in this language are made up of a set of chains, comparable to subroutines or functions in conventional programming. Chains are made up of individual rules and are contained within particular "tables". A chain can be called from another chain, and can return to its caller.

Iptables chains flow diagram

[Figure: iptables chains flow diagram. Source: http://dmiessler.com/images/dm_nf.png]

Organisation of tables and chains

Any user-defined chains can be added to, and called from, the above predefined tables and chains.

Iptables targets

Each rule has a target, which defines what happens to the packet. The targets are ACCEPT, DROP, QUEUE or RETURN, or a user-defined chain to which the packet is passed for further processing. QUEUE hands the packet to a userspace program, e.g. to create a complex tarpit designed to consume massive remote resources in exchange for trivial local resources when malicious packets are received. RETURN allows processing of the packet to continue in the chain's caller.

Iptables extended targets

REJECT - similar to DROP, but replies with an ICMP error packet.
LOG - the host kernel logs the packet.
ULOG - logs the packet using a socket connection to a userspace program.
DNAT - rewrites the destination address of the packet, and optionally the port, and applies this rewrite to all subsequent packets in the session.
SNAT - rewrites the source address of the packet, and optionally the port, and applies this rewrite to all subsequent packets in the session.
MASQUERADE - similar to SNAT, but suited to dynamic host addresses allocated using DHCP.

Iptables script example

#!/bin/bash
# iptables script to limit sshd attacks. Have to run this as root on bootup.

# whitelist
iptables -A INPUT -s home.letsystem.org -p tcp -m tcp --dport ssh -j ACCEPT

# For outsiders, rate-limit and enjoy
# A source that has opened 3 or more new SSH connections within 180 seconds is dropped;
# every other new SSH connection is recorded in the "recent" list and accepted.
iptables -A INPUT -p tcp -m tcp --dport ssh \
    -m state --state NEW \
    -m recent --hitcount 3 --seconds 180 --update -j DROP
iptables -A INPUT -p tcp -m tcp --dport ssh \
    -m state --state NEW \
    -m recent --set -j ACCEPT

Shorewall

This application compiles an iptables-based firewall. It allows a firewall configuration to be managed through a set of text files, which is easier, but less flexible, than writing iptables rules directly. Shorewall enables a multi-homed host to be handled as a set of zones, e.g. a DMZ (demilitarised zone), a LAN and a WAN zone connected to different network interfaces. The following example Shorewall configuration shows only the parts of the standard files which were changed. The example is taken from a dual Ethernet card Linux PC used as a broadband router for a home network.

/etc/shorewall/interfaces

#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,routefilter,norfc1918
loc     eth1        detect

Relevant comments from the standard file:

# norfc1918 - This interface should not receive any packets whose
#             source is in one of the ranges reserved by RFC 1918
#             (i.e., private or "non-routable" addresses). If packet mangling is
#             enabled in shorewall.conf, packets whose destination addresses are
#             reserved by RFC 1918 are also rejected.

/etc/shorewall/masq

# You have a simple masquerading setup where eth0 connects
# to a DSL or cable modem and eth1 connects to your local
# network with subnet 192.168.0.0/24.
# Your entry in the file can be either:
#   eth0    eth1
# or
#   eth0    192.168.0.0/24
#
#INTERFACE   SUBNET   ADDRESS
eth0         eth1

/etc/shorewall/zones

# This file determines your network zones. Columns are:
#
# ZONE      Short name of the zone
# DISPLAY   Display name of the zone
# COMMENTS  Comments about the zone
#
#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Local networks

/etc/shorewall/policy

# This file determines what to do with a new connection
# request
#SOURCE   DEST   POLICY   LOG LEVEL
fw        net    ACCEPT
fw        loc    ACCEPT
loc       fw     ACCEPT
net       all    DROP     info
all       all    REJECT   info

/etc/shorewall/rules

#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)   SOURCE PORT(S)   ORIGINAL DEST
#
# Accept DNS connections from the firewall to the network
#
ACCEPT    fw       net    tcp     53
ACCEPT    fw       net    udp     53
#
# Accept SSH connections from the local network for administration
#
ACCEPT    loc      fw     tcp     22
#
# Accept Ping Ubiquitously
#
ACCEPT    loc      fw     icmp    8
ACCEPT    net      fw     icmp    8
#
# All ICMP are accepted fw->all
#
ACCEPT    net      fw     tcp     22             -
ACCEPT    net      fw     tcp     8888           -
ACCEPT    net      fw     tcp     9090           -