FIREWALLS
Firewalls
- Firewall: a means of protecting a local system or network of systems from network-based security threats
- It creates a perimeter of defense between the administered network and the public Internet:
  administered network <-> firewall <-> public Internet
Firewalls: why
- Prevent denial-of-service attacks
- Prevent illegal modification/access of internal data
- Allow only authorized access to the inside network (a set of authenticated users/hosts)
Four main types of firewalls:
- (stateless) packet filters
- stateful packet filters
- application gateways / proxies
- circuit-level gateways
Stateless packet filtering
- Should an arriving packet be allowed in? Should a departing packet be let out?
- Internal network connected to the Internet via a router firewall
- The router filters packet by packet; the decision to forward/drop a packet is based on:
  - source IP address, destination IP address
  - TCP/UDP source and destination port numbers
  - ICMP message type
  - TCP SYN and ACK bits
Stateless packet filtering: example
Examples of filtering rules:
- Example 1: block incoming and outgoing datagrams with IP protocol field = 17 (UDP) and TCP segments with either source or dest port = 23 (telnet)
  -> all incoming and outgoing UDP flows and telnet connections are blocked
- Example 2: block inbound TCP segments with SYN=1
  -> prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to the outside
Stateless packet filtering: more examples

Policy                                                  | Firewall setting
--------------------------------------------------------|-----------------------------------------------------------------------
No outside Web access.                                  | Drop all outgoing packets to any IP address, port 80
No incoming TCP connections, except those for the       | Drop all incoming TCP SYN packets to any IP except 130.207.244.203, port 80
institution's public Web server only.                   |
Prevent Web radios from eating up the available         | Drop all incoming UDP packets, except DNS and router broadcasts.
bandwidth.                                              |
Prevent your network from being tracerouted.            | Drop all outgoing ICMP TTL-expired traffic
Access control lists / rules / policy
- ACL: a table of rules, applied top to bottom to incoming packets; they define the security policy
- Recall that TCP/80 = HTTP; UDP/53 = DNS

action  source address  dest address    protocol  source port  dest port  flag bit
allow   222.22.0.0/16   222.22.0.0/16   TCP       > 1023       80         any
allow   222.22.0.0/16   222.22.0.0/16   TCP       80           > 1023     ACK
allow   222.22.0.0/16   222.22.0.0/16   UDP       > 1023       53         ---
allow   222.22.0.0/16   222.22.0.0/16   UDP       53           > 1023     ---
deny    all             all             all       all          all        all
Stateful packet filtering
- A stateless packet filter is a heavy-handed tool: it admits packets that make no sense, e.g., source port = 80 with the ACK bit set, even though no TCP connection has been established. This is the 2nd line of the table on the previous slide:

  action  source address  dest address  protocol  source port  dest port  flag bit
  allow   222.22/16       222.22/16     TCP       80           > 1023     ACK

- A stateful packet filter tracks the status of every TCP connection:
  - it tracks connection setup (SYN) and teardown (FIN), so it can determine whether an incoming or outgoing packet makes sense
  - it can time out inactive connections at the firewall and no longer admit their packets
Stateful packet filtering
ACL/policy augmented to indicate the need to check connection state (the context) before admitting a packet:

action  source address  dest address  proto  source port  dest port  flag bit  check connection
allow   222.22/16       222.22/16     TCP    > 1023       80         any
allow   222.22/16       222.22/16     TCP    80           > 1023     ACK       x
allow   222.22/16       222.22/16     UDP    > 1023       53         ---
allow   222.22/16       222.22/16     UDP    53           > 1023     ---       x
deny    all             all           all    all          all        all
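As an added example (not from the slides), the ACL above implemented first as a stateless filter and then as a stateful one that remembers flows opened from the inside. It assumes the usual reading of the address columns (rows 1 and 3 match traffic leaving 222.22.0.0/16, rows 2 and 4 traffic returning to it) and uses constructed sample packets, including the unsolicited port-80 ACK that the previous slide calls a packet that makes no sense.

```python
from ipaddress import ip_address, ip_network

INSIDE = ip_network("222.22.0.0/16")   # the institution's network from the slides

# The slides' ACL. Assumption: rows 1 and 3 match traffic leaving INSIDE, rows 2 and 4
# traffic returning to it. Port "hi" = > 1023; flags "ACK" = ACK bit must be set;
# check_conn marks the rows the stateful variant verifies against connection state.
# Columns: action, src_inside, dst_inside, proto, sport, dport, flags, check_conn
ACL = [
    ("allow", True,  False, "TCP", "hi", 80,   "any", False),  # outbound HTTP request
    ("allow", False, True,  "TCP", 80,   "hi", "ACK", True),   # HTTP reply
    ("allow", True,  False, "UDP", "hi", 53,   "any", False),  # outbound DNS query
    ("allow", False, True,  "UDP", 53,   "hi", "any", True),   # DNS reply
]

def port_ok(spec, port):
    return spec == "any" or (spec == "hi" and port > 1023) or spec == port

def match(rule, pkt):
    _, src_in, dst_in, proto, sp, dp, flags, _ = rule
    return ((ip_address(pkt["src"]) in INSIDE) == src_in and (ip_address(pkt["dst"]) in INSIDE) == dst_in
            and pkt["proto"] == proto and port_ok(sp, pkt["sport"]) and port_ok(dp, pkt["dport"])
            and (flags == "any" or flags in pkt["flags"]))

def stateless(pkt):
    """First matching row wins; the implicit final row is 'deny all'."""
    for rule in ACL:
        if match(rule, pkt):
            return rule[0]
    return "deny"

class StatefulFilter:
    """Same ACL, but inbound rows are admitted only for flows an inside host opened."""
    def __init__(self):
        self.conns = set()  # (proto, inside addr, inside port, outside addr, outside port)
    def filter(self, pkt):
        for rule in ACL:
            if not match(rule, pkt):
                continue
            if rule[7]:   # inbound row: require matching connection state
                key = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
                return "allow" if key in self.conns else "deny"
            self.conns.add((pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
            return "allow"   # outbound row: remember the flow so its replies are admitted
        return "deny"

# Constructed sample packets (not real traffic): an outbound SYN, its reply, and an
# unsolicited inbound ACK claiming to come from port 80.
OUT_SYN = {"src": "222.22.1.5", "dst": "8.8.8.8", "proto": "TCP", "sport": 40000, "dport": 80, "flags": {"SYN"}}
REPLY = {"src": "8.8.8.8", "dst": "222.22.1.5", "proto": "TCP", "sport": 80, "dport": 40000, "flags": {"SYN", "ACK"}}
BOGUS = {"src": "1.2.3.4", "dst": "222.22.9.9", "proto": "TCP", "sport": 80, "dport": 5555, "flags": {"ACK"}}
```

The stateless filter admits BOGUS because it satisfies row 2 on its own; the stateful filter denies it until an inside host has actually opened that flow.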
netfilter / iptables
- netfilter: a packet filtering framework for Linux, a module of the Linux kernel that supports packet filtering, NAT, ...
- iptables: the program that configures netfilter's rules
- netfilter/iptables use 4 tables: filter, nat, mangle, raw (one per kind of processing)
- We consider only the filter table (the default)
iptables
- The filter table has 3 chains (lists of rules): input, output, forward
- When a packet reaches a chain, the chain's rules decide the packet's fate: drop (throw it away) or accept (continue)
- Input chain: applied to incoming packets destined for the host
- Output chain: applied to packets sent by a process at the host
- Forward chain: applied to incoming packets to be forwarded

  incoming packet -> routing decision
      packet not for this host -> FORWARD chain -> out
      packet is for this host  -> INPUT chain -> local process -> OUTPUT chain -> out
iptables: a simple rule
Command to drop ICMP packets from 10.0.0.1 passing through this host (the default is accept):

    iptables -A FORWARD -s 10.0.0.1 -p icmp -j DROP

- append (-A) to the chain FORWARD a rule that says: packets from source (-s) 10.0.0.1 with protocol (-p) ICMP should be dropped (-j DROP)
- Packets to be filtered are specified using -s and -p, but there is more
iptables: specifying packets
- Source (-s) and destination (-d) IP addresses
  - IP addresses or hostnames
  - IP blocks, e.g., 199.95.207.0/24 or 199.95.207.0/255.255.255.0
  - Any IP: 0/0
- Inversion: -s and -p can be inverted with ! to match addresses other than those given; ex: -s ! localhost
- Protocol: -p followed by the protocol number (as used in the IP header) or the name, for TCP, UDP, ICMP
- Interface: -i and -o (input and output interface); ex: -i eth1
iptables: specifying packets
- ICMP: --icmp-type
- UDP: --sport, --dport (source/destination ports)
- TCP: also --sport, --dport; others:
  - --tcp-flags mask flags: checks that the bits in flags are set and the bits in mask \ flags are unset
  - --tcp-flags ! mask flags: checks the opposite (unset/set)
  - Ex: iptables -A INPUT -p tcp --tcp-flags ALL SYN,ACK -j DROP
- MAC addresses: -m mac --mac-source mac-address checks whether the packet has that source MAC address
- Limits: -m limit restricts the rate of matches
  - Ex: -m limit --limit 100/s (100 matches/second)
  - More complicated rules are possible (bursts, etc.)
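The mask/flags rule is easy to misread, so here is the matching logic written out as an added example (not from the slides and not iptables' own code): of the bits named in mask, exactly those named in flags must be set, while bits outside the mask are ignored; the ALL and NONE keywords and the ! inversion follow iptables' usage, and the example rule from the slide is the first case checked.

```python
# Model of iptables' "--tcp-flags mask flags" matching (added illustration, not iptables code).
TCP_FLAGS = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"}

def parse_flag_list(spec):
    """'ALL' and 'NONE' are iptables keywords; anything else is a comma-separated list."""
    if spec == "ALL":
        return set(TCP_FLAGS)
    if spec == "NONE":
        return set()
    flags = set(spec.split(","))
    unknown = flags - TCP_FLAGS
    if unknown:
        raise ValueError(f"unknown TCP flag(s): {sorted(unknown)}")
    return flags

def tcp_flags_match(packet_flags, mask, flags, invert=False):
    """True if a packet whose set bits are packet_flags matches '--tcp-flags mask flags'.

    Only the bits named in mask are examined; among them, exactly those named in
    flags must be set (so mask \\ flags must be unset). invert models the '!' form.
    """
    mask_set = parse_flag_list(mask)
    want_set = parse_flag_list(flags)
    if not want_set <= mask_set:
        raise ValueError("flags must be a subset of mask")
    hit = (set(packet_flags) & mask_set) == want_set
    return not hit if invert else hit
```

With the slide's rule, --tcp-flags ALL SYN,ACK, a packet carrying only SYN+ACK matches (and is dropped), while SYN alone or SYN+ACK+PSH does not.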
iptables: more commands
- List all rules: iptables -L
- Delete a rule: iptables -D followed by either:
  - the name of the chain and the position of the rule in the chain, or
  - the same specification that was used to create the rule
- Delete all rules from a chain: iptables -F chain
- More: man iptables
- Make rules persistent: /etc/init.d/iptables save