Inexpensive Firewalls

Similar documents
CS155 Firewalls. Simon Cooper CS155 - Firewalls 23 May of 30

CS155 Firewalls. Why Firewalls? Why Firewalls? Bugs, Bugs, Bugs

10 Defense Mechanisms

Computer Security and Privacy

CSC 474/574 Information Systems Security

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

Why Firewalls? Firewall Characteristics

Firewalls and NAT. Firewalls. firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others.

Firewalls. October 13, 2017

Introduction to Firewalls using IPTables

Linux Security & Firewall

Internet Security: Firewall

Firewalls. Content. Location of firewalls Design of firewalls. Definitions. Forwarding. Gateways, routers, firewalls.

Firewalls. Firewall. means of protecting a local system or network of systems from network-based security threats creates a perimeter of defense

Firewalls. Firewall types. Packet filter. Proxy server. linux, iptables-based Windows XP s built-in router device built-ins single TCP conversation

ICS 451: Today's plan

Applied IT Security. System Security. Dr. Stephan Spitz 6 Firewalls & IDS. Applied IT Security, Dr.

TCP wrappers and IP filtering (UKERNA security workshop)

CSCI 680: Computer & Network Security

iptables and ip6tables An introduction to LINUX firewall

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

CIT 480: Securing Computer Systems

Means for Intrusion Detection. Intrusion Detection. INFO404 - Lecture 13. Content

Unit 4: Firewalls (I)

W is a Firewall. Internet Security: Firewall. W a Firewall can Do. firewall = wall to protect against fire propagation

Definition of firewall

SE 4C03 Winter Final Examination Answer Key. Instructor: William M. Farmer

How to Stay Safe on Public Wi-Fi Networks

The DNS. Application Proxies. Circuit Gateways. Personal and Distributed Firewalls The Problems with Firewalls

Network Security: Firewalls. Tuomas Aura T Network security Aalto University, Nov-Dec 2013

Overview. Computer Network Lab, SS Security. Type of attacks. Firewalls. Protocols. Packet filter

Global Information Assurance Certification Paper

Introduction to UNIX/LINUX Security. Hu Weiwei

Chapter 8 roadmap. Network Security

Application Firewalls

ELEC5616 COMPUTER & NETWORK SECURITY

Firewall and IDS/IPS. What is a firewall?

Stateless Firewall Implementation

Firewall and IDS/IPS. What is a firewall? Ingress vs. Egress firewall. M.Aime, A.Lioy - Politecnico di Torino ( ) 1

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

TCP/IP Filtering. Main TCP/IP Filtering Dialog Box. Route Filters Button. Packet Filters Button CHAPTER

Spring 2010 CS419. Computer Security. Vinod Ganapathy Lecture 14. Chapters 6 and 9 Intrusion Detection and Prevention

Design and Performance of the OpenBSD Stateful Packet Filter (pf)

CHAPTER 7 ADVANCED ADMINISTRATION PC

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

CISCO CONTEXT-BASED ACCESS CONTROL

ICS 351: Networking Protocols

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking

What is a firewall? Firewall and IDS/IPS. Firewall design. Ingress vs. Egress firewall. The security index

CS 326: Operating Systems. Networking. Lecture 17

Firewall and IDS/IPS. What is a firewall?

CE Advanced Network Security

ISA 674 Understanding Firewalls & NATs

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

History Page. Barracuda NextGen Firewall F

Protection of Communication Infrastructures

Systems Programming. The Unix/Linux Operating System

Cisco IOS Access Lists: Help For Network Administrators By Jeff Sedayao READ ONLINE

RX3041. User's Manual

LevelOne FBR User s Manual. 1W, 4L 10/100 Mbps ADSL Router. Ver

20-CS Cyber Defense Overview Fall, Network Basics

ch02 True/False Indicate whether the statement is true or false.

LOGICAL ADDRESSING. Faisal Karim Shaikh.

CHAPTER 8 FIREWALLS. Firewall Design Principles

NETWORK CONFIGURATION AND SERVICES. route add default gw /etc/init.d/apache restart

Certification. Securing Networks

Exam : SCNS_EN. Title : SCNS SCNS Tactical Perimeter Defense. Version : Demo

Firewall Simulation COMP620

Data Plane Protection. The googles they do nothing.

Firewalls. Types of Firewalls. Schematic of a Firewall. Conceptual Pieces Packet Filters Stateless Packet Filtering. UDP Filtering.

CyberP3i Course Module Series

Where we are in the Course

Security and network design

Setting the Table When users think about their workstations at home, they often forget about

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

CSC Network Security

VG422R. User s Manual. Rev , 5

2. INTRUDER DETECTION SYSTEMS

Introduction p. 1 The Need for Security p. 2 Public Network Threats p. 2 Private Network Threats p. 4 The Role of Routers p. 5 Other Security Devices

Introduction TELE 301. Routers. Firewalls. Gateways. Sample Large Network

Defending Yourself Against The Wily Wireless Hacker

Context Based Access Control (CBAC): Introduction and Configuration

The Bro Cluster The Bro Cluster

Junos Security. Chapter 3: Zones Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Setting-up WAN Emulation using WAN-Bridge Live-CD v1.10

ECE 435 Network Engineering Lecture 23

Three interface Router without NAT Cisco IOS Firewall Configuration


Static routing lab KTH/CSC. Juniper version. Group Nr. Name 1. Name 2. Name 3. Name 4. Date. Grade. Instructor s Signature

Implementing Firewall Technologies

Chapter 7 Internet Protocol Version 4 (IPv4) Kyung Hee University

SE 4C03 Winter 2005 Network Firewalls

Network Security. Thierry Sans

Agenda of today s lecture. Firewalls in General Hardware Firewalls Software Firewalls Building a Firewall

Broadband Router. User s Manual

Wireless-G Router User s Guide

INSTALLING AN SSH / X-WINDOW ENVIRONMENT ON A WINDOWS PC. Nicholas Fitzkee Mississippi State University Updated May 19, 2017

The Research and Application of Firewall based on Netfilter

Replacing Windows Servers with Linux

Transcription:

Inexpensive Firewalls Simon Cooper <sc@sgi.com> Lisa 1999 11 November 1999 http://reality.sgi.com/sc/papers/lisa-1999.pdf - or - http://www.sfik.com/papers/lisa-1999.pdf 1 of 37

A Firewall? 2 of 37

What is an inexpensive Firewall? a specific use device an all in one firewall (filters + apps) uses readily available hardware uses an OS you are familiar with uses free or affordable tools 3 of 37

What an inexpensive firewall isn t... NOT a high performance firewall NOT a high reliability firewall NOT a maximum security firewall NOT a no cost firewall NOT a plug and play firewall 4 of 37

What are they good for? a departmental network a lab network a small business a home a personal domain 5 of 37

Agenda Ingredients Hardware OS Filtering and Services Administration Tips for building Experiences Q&A 6 of 37

Ingredients know what you want to run on or pass through your firewall old or cheap hardware a suitable and familiar operating system free or affordable tools your time 7 of 37

Know what you want to do who do you want to let in who do you want to try and keep out is it in alignment with your security policy what services will be offered 8 of 37

Hardware Use what you have Suns, PCs 1, SGIs Laptops Quiet, compact, built in UPS Last generation hardware Has two network interfaces 1.Don t re-use hardware your organization has rejected because of Y2K issues unless you can show it will continue to work. 9 of 37

Hardware Issues Know which is the inside interface choose the primary/first to be inside CDROM drive check if it can read CD-R and CD-RW (this is worth a small investment) Power supplies, disks and fans wear out 10 of 37

Operating System The operating system you use will need packet filtering free or affordable software for what you want to do to be familiar to you continued and active support an active security community Linux 11 of 37

Operating System Examples NT A BSD variant IRIX Solaris AIX 12 of 37

Hardening the OS Philosophy - disable/remove everything that is not needed Secure distributions exist freefire (pointers) Linux Router Project, picobsd Can do it yourself Keep a written log. Write a script Don t build your firewall on the network you are going to protect! 13 of 37

Hardening the OS There are cheat sheets on the web for many OS. Search for keywords and combinations like hardening, securing, bastion, <OS Name> Sites with particular OS information seem to be on the increase - try searching there first. Some security news sites carry articles on securing a specific OS. Check the OS release with the information you find - don t completely rely on one information source. 14 of 37

The Kernel Things to watch out for and protect against IP denial of service attacks IP forwarding off when system boots Packet filtering failure modes IP fragmentation - do re-assembly 15 of 37

Remote OS Logging For unix syslog For NT some can be made send only can send encrypted packets use TCP rather than UDP A free syslog like tool, but simulates the behaviour. Not real time. 16 of 37

Checklist Turn off all services you won t be using Secure the file system update file permissions remove pieces you won t be using Apply Kernel changes/patches Run your initial integrity check now! 17 of 37

Filtering Topics Desired features What is available ipfilterd ipchains Filtering issues Example 18 of 37

Filtering: Desired Features The wish list input & output rules for each interface interface forwarding rules ability to rewrite packets (masquerading) knowledge of ICMP, ability to rewrite logging of rejected or flagged packets hierarchical (user defined) rules there is more... 19 of 37

Filtering: Desired Features (continued) handling of idle TCP sessions configurable handling of UDP detailed knowledge about some protocols (DNS, traceroute) configurable default policy 20 of 37

Filtering No operating system has it all NT ipfilterd (IRIX, AIX), ipfilter (Solaris) ipchains (Linux, BSD Variants) 21 of 37

ipchains What can it do in/out filters for each interface by protocol, port and addresses separate forwarding rules user defined rules support for packet rewriting (masquerading) understands ICMP packet types default policy 22 of 37

ipchains - weaknesses weak on logging only logs a packet synopsis rules are built incrementally 23 of 37

Filtering Issues icmp path MTU discovery auth/identd - reject but allow a response REJECT or DROP protect yourself from mishaps don t assume inside is always inside 24 of 37

Example (input) ipchains -F input ipchains -P input reject # Protect against IP address spoofing ipchains -A input -i eth0 -s $inet -d $any -j ACCEPT ipchains -A input -i eth1 -s $inet -d $any -l -j REJECT # Allow incoming SMTP ipchains -A input -i eth1 -p tcp -s $any -d $me 25 -j \ ACCEPT # Catch all rule ipchains -A input -s $any -d $any -l -j REJECT 25 of 37

Example (output) # Protect against spoofing or routing errors ipchains -F output ipchains -P output REJECT ipchains -A output -i eth0 -s $any -d $inet -j ACCEPT ipchains -A output -i eth1 -s $any -d $inet -l -j REJECT # Allow SMTP out ipchains -A output -i eth1 -p tcp -s $me 25 -d $any -j \ ACCEPT # Catch everything else ipchains -A output -s $any -d $any -l -j REJECT 26 of 37

Resources for Creating Filters Building Internet Firewalls, 2nd Edition, O Reilly and Associates By Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman Sometime in the 2nd quarter of 2000. Has handy tables of port numbers and details on the packets flow direction Bigger than before and includes information for NT Linux HOWTOs for ipchains and masquerading 27 of 37

Services Unix NT Mail - Postfix Web Proxy/Server - Apache Proxy - SOCKS Transparency/masquerading Mail - Sendmail for NT (not free) Web Server - Apache for NT Proxy - Microsoft Proxy Server 28 of 37

Masquerading How does it work? intercepts forwarded packets re-writes outgoing and return packets does it transparently can add dynamically loaded modules for complicated protocols 29 of 37

Masquerading Example # Allow all non-blocked internal traffic to be # masqueraded ipchains -F forward ipchains -P forward DENY ipchains -A forward -i eth0 -s $inet -d $any -j MASQ ipchains -A forward -s $any -d $any -l -j REJECT # Allow direct SSH from external site to an internal # system ipmasqadm portfw -f ipmasqadm portfw -a -P tcp -L $local 22 -R $internal 22 30 of 37

Administration ssh non-reusable passwords? How about using a PDA 31 of 37

Administration Be certain of the integrity of the system will save you time and worry use tripwire or equivalent Can get tripwire for NT (commercial) store the database on CD-R under unix statically link the binary and store on the CD-R 32 of 37

Tips for Building Use a CD-R or CD-RW. CD-RW can be used to get the process right Recent hardware can boot directly from CD Tools exist under unix to create bootable CDs Use automated installation tools SGI RoboInst Only connect your system to dangerous networks when you have finished building it 33 of 37

Experiences Small company using a Sun IPX SOCKS + DNS Connects to the Internet via DSL Personal Domain using a pre-built $400 PC ipchains and masquerading Postfix, Web Server and DNS 34 of 37

Conclusion You can build and run a firewall for those places that should have some protection but they have perhaps been overlooked because it was too expensive or time consuming to purchase and install a commercial firewall 35 of 37

Q/A A copy of the slides are available at, http://reality.sgi.com/sc/papers/lisa-1999.pdf - or - http://www.sfik.com/papers/lisa-1999.pdf 36 of 37

An Inexpensive Firewal NOTE: Please do not test my firewall 37 of 37

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback