Firewalls. October 13, 2017

Similar documents
Firewalls. Firewall types. Packet filter. Proxy server. linux, iptables-based Windows XP s built-in router device built-ins single TCP conversation

Certification. Securing Networks

Introduction to Firewalls using IPTables

Università Ca Foscari Venezia

UNIVERSITY OF BOLTON SCHOOL OF CREATIVE TECHNOLOGIES COMPUTER AND NETWORK SECURITY SEMESTER TWO EXAMINATIONS 2016/2017 NETWORK SECURITY

IPtables and Netfilter

Some of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du. Firewalls. Chester Rebeiro IIT Madras

11 aid sheets., A non-programmable calculator.

Firewalls. Content. Location of firewalls Design of firewalls. Definitions. Forwarding. Gateways, routers, firewalls.

Firewalls. Firewall. means of protecting a local system or network of systems from network-based security threats creates a perimeter of defense

sottotitolo A.A. 2016/17 Federico Reghenzani, Alessandro Barenghi

Network Address Translation

Netfilter. Fedora Core 5 setting up firewall for NIS and NFS labs. June 2006

Linux. Sirindhorn International Institute of Technology Thammasat University. Linux. Firewalls with iptables. Concepts. Examples

Network sniffing packet capture and analysis

Assignment 3 Firewalls

IPv6 NAT. Open Source Days 9th-10th March 2013 Copenhagen, Denmark. Patrick McHardy

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

Network security Exercise 9 How to build a wall of fire Linux Netfilter

Linux System Administration, level 2

The Research and Application of Firewall based on Netfilter

Firewall Management With FireWall Synthesizer

Network Security Fundamentals

Load Balancing Bloxx Web Filter. Deployment Guide v Copyright Loadbalancer.org

CS Computer and Network Security: Firewalls

Dual-stack Firewalling with husk

Firewalls. IT443 Network Security Administration Slides courtesy of Bo Sheng

Load Balancing Web Proxies / Filters / Gateways. Deployment Guide v Copyright Loadbalancer.org

CSCI 680: Computer & Network Security

Worksheet 8. Linux as a router, packet filtering, traffic shaping

Cisco PCP-PNR Port Usage Information

iptables and ip6tables An introduction to LINUX firewall

CIS 192 Linux Lab Exercise

CSC 4900 Computer Networks: Network Layer

Use this section to help you quickly locate a command.

Chapter 4 Network Layer: The Data Plane

Computer Security Spring Firewalls. Aggelos Kiayias University of Connecticut

in-the-middle attack

CSC 474/574 Information Systems Security

Firewalls, VPNs, and SSL Tunnels

Chapter 8 roadmap. Network Security

Definition of firewall

Inexpensive Firewalls

Linux Systems Security. Firewalls and Filters NETS1028 Fall 2016

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways

UNIVERSITY OF BOLTON SCHOOL OF CREATIVE TECHNOLOGIES COMPUTER NETWORKS AND SECURITY SEMESTER TWO EXAMINATIONS 2017/2018 NETWORK SECURITY

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

Why Build My Own Router?

Sirindhorn International Institute of Technology Thammasat University

CSE 565 Computer Security Fall 2018

Basic Linux Desktop Security. Konrad Rosenbaum this presentation is protected by the GNU General Public License version 2 or any newer

Communication protocols and services

Network and Filesystem Security

Configuring Advanced Firewall Settings

VG422R. User s Manual. Rev , 5

BIG-IP Local Traffic Management: Basics. Version 12.1

Packet Filtering and NAT

CS155 Firewalls. Simon Cooper CS155 - Firewalls 23 May of 30

A Technique for improving the scheduling of network communicating processes in MOSIX

NAT Router Performance Evaluation

ECE 435 Network Engineering Lecture 23

Router and ACL ACL Filter traffic ACL: The Three Ps One ACL per protocol One ACL per direction One ACL per interface

Firewall Stateful Inspection of ICMP

PVS Deployment in the Cloud. Last Updated: June 17, 2016

Suricata IDPS and Nftables: The Mixed Mode

Linux Firewalls. Frank Kuse, AfNOG / 30

Loadbalancer.org Virtual Appliance quick start guide v6.3

COSC 301 Network Management

Broadcast Infrastructure Cybersecurity - Part 2

CNBK Communications and Networks Lab Book: Purpose of Hardware and Protocols Associated with Networking Computer Systems

Lecture 8. Network Layer (cont d) Network Layer 1-1

THE INTERNET PROTOCOL INTERFACES

Optimization of Firewall Rules

Why Firewalls? Firewall Characteristics

The Internet Protocol

Chapter 4: outline. 4.5 routing algorithms link state distance vector hierarchical routing. 4.6 routing in the Internet RIP OSPF BGP


Linux Security & Firewall

THE INTERNET PROTOCOL/1

Network Control, Con t

Appliance Quick Start Guide. v7.5

Security and network design

Network Security. Routing and Firewalls. Radboud University, The Netherlands. Spring 2018

Firewalls and NAT. Firewalls. firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others.

Laboratory 2 Dynamic routing using RIP. Iptables. Part1. Dynamic Routing

RHCSA BOOT CAMP. Network Security

This material is based on work supported by the National Science Foundation under Grant No

Distributed Systems Security

CYBER ATTACKS EXPLAINED: PACKET SPOOFING

CMPE 150/L : Introduction to Computer Networks. Chen Qian Computer Engineering UCSC Baskin Engineering Lecture 12

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Internet Security: Firewall

Protection of Communication Infrastructures

CALIFORNIA SOFTWARE LABS

Lecture 3. The Network Layer (cont d) Network Layer 1-1

How to use IP Tables

Computer Security and Privacy

Firewalling. Alessandro Barenghi. May 19, Dipartimento di Elettronica e Informazione Politecnico di Milano barenghi - at - elet.polimi.

while the LAN interface is in the DMZ. You can control access to the WAN port using either ACLs on the upstream router, or the built-in netfilter

Transcription:

Firewalls October 13, 2017 Administrative submittal instructions answer the lab assignment s questions in written report form, as a text, pdf, or Word document file (no obscure formats please) email to csci530l@usc.edu exact subject title must be firewallslab deadline is start of your lab session the following week reports not accepted (zero for lab) if late you did not attend the lab (except DEN or prior arrangement) email subject title deviates 1

DETER preparations this lab is remote, on the DETER testbed accounts for DETER were created previously auto-generated an email message to you please make profile changes requested in the that message you received, if you didn t yet if you are unfamiliar with DETER mechanics, set up and use a simple experiment as outlined at the get/use an account link on our website I demo d it at the end of our 9/29 lecture may be useful: http://docs.deterlab.net/education/guidelines-for-students/ Same Friday due dates for everybody on the DETER labs note: no meeting in OHE406 for a DETER lab, since it is remote instead 2

Administrative when to do firewall lab do it on DETER during Fri 10/13 Fri 10/27 inclusive (there is a node reservation for CS530 for that interval) no meeting for it in OHE406, since it is remote instead Firewall types Packet filter linux, iptables-based BSD, PF subsystem Windows s built-in (since XP) router device built-ins single TCP conversation Proxy server specialized server program on internal machine client talks to it instead of desired external server it conducts conversation with external server for client and plays relay middleman between them subject to policy 2 separate TCP conversations 3

Linux Netfilter Firewalling Packet filter, not proxy Centerpiece command: iptables Starting point: packet structure details IP packet structure Source Address Destination Address Protocol Number IP s Data Payload 4

Payload types - subprotocols Src Dest 17 UDP (17) datagram Src Dest 1 ICMP (1) message Src Dest 6 TCP (6) packet and others UDP datagram structure Source Port Destination Port UDP s Data Payload 5

TCP packet structure Source Port Sequence # Destination Port Acknowledgment TCP s Data Payload ICMP message structure ICMP-type Code Checksum header of subject/wayward IP packet or other ICMP-type dependent payload 6

Firewall = ruleset An in-memory datastructure by whose elements packets that appear at interfaces are evaluated A corresponding series of commands, each invocation of which populates the table with a single element Elements are called rules Firewall - iptables iptables single invocation creates single rule firewall is product of multiple invocations 7

Iptables organization Tables (have chains) filter table nat table Chains (contain rules) filter nat INPUT chain OUTPUT FORWARD PREROUTING chain POSTROUTING An Individual Rule condition - examines and qualifies a packet action - operates on the packet if it qualifies compare programming language if structure 8

What a Rule says If a packet s header looks like this, then here s what to do with the packet looks like this e.g. goes to a certain (range of) address(es) or uses the telnet port, 23 or is an ICMP packet what to do e.g. pass it discard it iptables -t t filter -A OUTPUT -o o eth1 -p tcp --sport 23 --dport 1024:65535 -s s 192.168.4.0/24 -d d 0.0.0.0/0 j j ACCEPT Table for this rule Rule action -A add rule to chain/list -D delete rule from chain/list -P default policy for chain/list Rule chain/list (tables contain chains) INPUT OUTPUT FORWARD PREROUTING POSTROUTING Packet qualifiers by interface and direction protocol source port number(s) destination port number(s) source address (range) destination address (range) Packet disposition ACCEPT DROP REJECT SNAT DNAT 9

What a Chain is ordered checklist of regulatory rules Multiple rules, for packets with particular characteristics Single rule for default (catch-all) policy operation Packet tested against rules in succession First matching rule determines what to do to packet If packet matches no rule Chain s default policy determines what to do to packet Operationally comparable if [ condition A ] action Alpha; exit endif if [condition B ] action Beta; exit endif if [condition C ] action Gamma; exit endif... action <default>; exit What happens? action for first true condition (if any) otherwise default action 10

Multiple chains Input chain When arriving at an interface, do we let a packet come in? Output chain When departing from an interface, do we let a packet go out? Forwarding chain When traversing this machine to another, do we let a packet pass between interfaces? Filter traversal by packets incoming routing decision FORWARD outgoing INPUT OUTPUT local process local process 11

A 4-rule 4 filtering firewall iptables -t t filter -A INPUT -i i eth1 -p tcp --sport 1024:65535 --dport 23 -s s 0.0.0.0/0 -d d 192.168.4.1/32 j j ACCEPT iptables -t t filter -A OUTPUT -o o eth1 -p tcp --sport 23 --dport 1024:65535 -s s 192.168.4.1/32 -d d 0.0.0.0/0 j j ACCEPT iptables -t t filter -P INPUT DROP iptables -t t filter -P OUTPUT DROP Executed in chronological sequence as shown, resultant 2-chain firewall permits telnet access between this machine 192.168.4.1 and others via eth1. And nothing else. (0.0.0.0/0 matches any address; aa.bb.cc.dd/32, the single address aa.bb.cc.dd) Priority of chronology = priority of effect iptables -t t filter -A INPUT -i i eth1 -p tcp --sport 1024:65535 --dport 23 -s s 64.1.1.1/32 -d d 192.168.4.1/32 j j DROP iptables -t t filter -A INPUT -i i eth1 -p tcp --sport 1024:65535 --dport 23 -s s 0.0.0.0/0 -d d 192.168.4.1/32 j j ACCEPT iptables -t t filter -A OUTPUT -o o eth1 -p tcp --sport 23 --dport 1024:65535 -s s 192.168.4.1/32 -d d 0.0.0.0/0 j j ACCEPT iptables -t t filter -P INPUT DROP iptables -t t filter -P OUTPUT DROP EXCEPT no telnet from machine 64.1.1.1, because first rule eclipses second since it preceded it. (Second not reached, never applied.) 12

nat table: rules that alter packet Masquerading iptables -t nat -A POSTROUTING -o o eth1 -s s 10.0.0.0/8 -j j SNAT --to 216.83.185.193 Pinholing (port forwarding) iptables -t nat -A PREROUTING -i i eth1 -d d 216.83.185.193/32 -p tcp --dport 5631 -j j DNAT --to 10.0.0.15 Parallel ways to do the same thing (port forward) iptables -t nat -A PREROUTING -i i eth1 -d d 216.83.185.193/32 -p tcp --dport 5631 -j j DNAT --to 192.168.1.15:22 13

Firewall ruleset philosophies Optimistic/lax that which is not expressly prohibited is permitted set everything open apply selective closures Pessimistic/strict that which is not expressly permitted is prohibited set everything closed apply selective openings Setting everything closed policy iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -P FORWARD DROP 14

Looking further conventional filter criteria limited to header fields only two further kinds of possible criteria SPI stateful packet inspection DPI deep packet inspection SPI interrelates packets can tie an incoming packet to an earlier outgoing request, accept for that reason DPI penetrates and examines payload (higher prototcol data) can see use of port 80 for non-http traffic, drop for that reason can see use of e.g. peer-to-peer file sharing, drop for that reason tends to overlap with function of intrusion detection software Firewall persistence firewall is memory-resident volatile across reboot reconstruct at bootime by init script containing individual iptables commands or iptables-restore and iptables-save 15

Start at boot - init script basics Unix has a conventional method to uniformly start/stop services (SysV init, systemd in some recent distros, launchd in Apple) one script per service in /etc/rc.d/init.d (distro dependent) scripts accept parameters start, stop, or restart SysV init method (older) systemd method (recent) if firewall s script is: /etc/rc.d/init.d/firewall /lib/systemd/system/firewall start it with: /etc/rc.d/init.d/firewall start service firewall start or systemctl start firewall Avoid a vulnerability interval first, call script to erect firewall (SysV init method) /etc/rc.d/init.d/firewall only then, call script to activate/address NICs /etc/rc.d/init.d/network calling order controlled by numbering of symbolic links found in /etc/rc.d/rc?.d directories * * newer systemd replacement for SysV init in many linux distributions has a similar After/Before dependency system for ordering startup units 16

Other packet filter firewalls same all are software all construct a reference data structure all compare packets to structure for decisions interfaces differ Windows XP built-in in an INPUT firewall that s pessimistic with exceptions equivalent to iptables -P INPUT DROP with additional iptables -A INPUT -j ACCEPT rules for point permission 17

Netgear WGR614 router built-in in 1. Is a computer* 2. Plugs in to two LANs Network A / internal Network B / external * a router is a computer. It contains a CPU, operating system, memory. It runs software (e.g. firewall!!) This one has 2 NIC interfaces. Don t be deceived by the lack of keyboard and monitor. option to pass through A-to-B & B-to-A FIREWALL HERE Netgear WGR614 router built-in in an in-to-out FORWARD firewall that s optimistic with exceptions equivalent to iptables -P FORWARD ACCEPT with additional iptables -A FORWARD -j DROP rules for point obstruction 18

Filter traversal by packets incoming routing decision FORWARD outgoing INPUT OUTPUT local process local process in the router appliance, firewall is here in the Windows machine, firewall is here What do these 2 firewalls protect? Windows the very machine itself that s running Windows Netgear router not the router itself machines networked to the router raises concept of firewall architecture what wiring connection geometry do you adopt? on which of the computers do you run a firewall? to protect which computers? 19

Architectures screened subnet Architectures merged routers 20

Netgear WGR614 router the router is not the firewall this is (the interface to) the firewall Why do they call it a hardware firewall? it s a firewall it s inside a box the box is hard 21

Hardware firewalls http://www.pdhonline.org/courses/g125/g125.htm But in computer science Firewalls are software! get it? it s not so hard. 22

Please see http://www.iptables.org/ Linux Firewalls, Michael Rash, No Starch Press, 2007 The Book of PF, Peter Nahsteen, No Starch Press, 2008 Older favorites I learned from, still useful: Linux Firewalls, 2 nd edition, Robert Zeigler, New Riders, 2002 Building Internet Firewalls, Zwicky et.al., O Reilly, 2000 23

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback