Certification. Securing Networks

Similar documents
Netfilter. Fedora Core 5 setting up firewall for NIS and NFS labs. June 2006

sottotitolo A.A. 2016/17 Federico Reghenzani, Alessandro Barenghi

Linux System Administration, level 2

Linux. Sirindhorn International Institute of Technology Thammasat University. Linux. Firewalls with iptables. Concepts. Examples

Network security Exercise 9 How to build a wall of fire Linux Netfilter

Università Ca Foscari Venezia

iptables and ip6tables An introduction to LINUX firewall

Cisco PCP-PNR Port Usage Information

Firewalls. Firewall. means of protecting a local system or network of systems from network-based security threats creates a perimeter of defense

Network Address Translation

Introduction to Firewalls using IPTables

This material is based on work supported by the National Science Foundation under Grant No

Firewalls. Firewall types. Packet filter. Proxy server. linux, iptables-based Windows XP s built-in router device built-ins single TCP conversation

IP Packet. Deny-everything-by-default-policy

RHCSA BOOT CAMP. Network Security

11 aid sheets., A non-programmable calculator.

Firewalls, VPNs, and SSL Tunnels

Firewalls. October 13, 2017

CS Computer and Network Security: Firewalls

IPtables and Netfilter

Packet Filtering and NAT

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

Firewalling. Alessandro Barenghi. May 19, Dipartimento di Elettronica e Informazione Politecnico di Milano barenghi - at - elet.polimi.

CSC 474/574 Information Systems Security

Firewalls. Content. Location of firewalls Design of firewalls. Definitions. Forwarding. Gateways, routers, firewalls.

Use this section to help you quickly locate a command.


The Research and Application of Firewall based on Netfilter

Dual-stack Firewalling with husk

Worksheet 8. Linux as a router, packet filtering, traffic shaping

Computer Security Spring Firewalls. Aggelos Kiayias University of Connecticut

Assignment 3 Firewalls

UNIVERSITY OF BOLTON SCHOOL OF CREATIVE TECHNOLOGIES COMPUTER AND NETWORK SECURITY SEMESTER TWO EXAMINATIONS 2016/2017 NETWORK SECURITY

Module: Firewalls. Professor Patrick McDaniel Fall CSE543 - Introduction to Computer and Network Security

A Technique for improving the scheduling of network communicating processes in MOSIX

Nat & Publish -

THE INTERNET PROTOCOL/1

Firewalls. IT443 Network Security Administration Slides courtesy of Bo Sheng

FireHOL Manual. Firewalling with FireHOL. FireHOL Team. Release pre3 Built 28 Oct 2013

Laboratory 2 Dynamic routing using RIP. Iptables. Part1. Dynamic Routing

10 A Security Primer. Copyright 2011 by The McGraw-Hill Companies CERTIFICATION OBJECTIVES. Q&A Self Test

Some of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du. Firewalls. Chester Rebeiro IIT Madras

Lecture 18: Packet Filtering Firewalls (Linux) Lecture Notes on Computer and Network Security. by Avi Kak

Suricata IDPS and Nftables: The Mixed Mode

Stateless Firewall Implementation

NETWORK CONFIGURATION AND SERVICES. route add default gw /etc/init.d/apache restart

CSCI 680: Computer & Network Security

Network Security Fundamentals

Configuring an IP ACL

Linux Firewalls. Frank Kuse, AfNOG / 30

Configuring ACLs. ACL overview. ACL categories. ACL numbering and naming

History Page. Barracuda NextGen Firewall F

Linux Systems Security. Firewalls and Filters NETS1028 Fall 2016

Written by Muhammad Kamran Azeem Wednesday, 02 July :48 - Last Updated Saturday, 25 December :45

Kernel Korner A NATural Progression

THE INTERNET PROTOCOL INTERFACES

The Internet Protocol

Configuring IPv6 ACLs

Setting Up a Multihomed System

Implementing Access Lists and Prefix Lists

Basic Linux Desktop Security. Konrad Rosenbaum this presentation is protected by the GNU General Public License version 2 or any newer

UNIVERSITY OF BOLTON SCHOOL OF CREATIVE TECHNOLOGIES COMPUTER NETWORKS AND SECURITY SEMESTER TWO EXAMINATIONS 2017/2018 NETWORK SECURITY

ECE 435 Network Engineering Lecture 23

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Linux 2.4 stateful firewall design

A Practical Guide to Red Hat Linux

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

IPv6 NAT. Open Source Days 9th-10th March 2013 Copenhagen, Denmark. Patrick McHardy

CIS 192 Linux Lab Exercise

Why Build My Own Router?

Firewall Management With FireWall Synthesizer

There are separate firewall daemons for for IPv4 and IPv6 and hence there are separate commands which are provided below.

Firewall Configuration and Assessment

ECE 435 Network Engineering Lecture 23

Antonio Cianfrani. Access Control List (ACL) Part I

NDN iptables match extension

Network Security. Routing and Firewalls. Radboud University, The Netherlands. Spring 2018

How to use IP Tables

python-iptables Documentation

A 10 years journey in Linux firewalling Pass the Salt, summer 2018 Lille, France Pablo Neira Ayuso

Network Administration

Network and Filesystem Security

Firewalls and NAT. Firewalls. firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others.

Router and ACL ACL Filter traffic ACL: The Three Ps One ACL per protocol One ACL per direction One ACL per interface

CSC 4900 Computer Networks: Network Layer

NAT Router Performance Evaluation

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.

PXC loves firewalls (and System Admins loves iptables) Written by Marco Tusa Monday, 18 June :00 - Last Updated Wednesday, 18 July :25

TP5 Sécurité IPTABLE. * :sunrpc, localhost :domain,* :ssh, localhost :smtp, localhost:953,*: Tous sont des protocoles TCP

Virtual Lab for CIS 192 & 196 Rich Simms May 27, 2006

FireHOL + FireQOS Reference

Evaluating the performance of Netfilter architecture in Private Realm Gateway

Chapter 4 Software-Based IP Access Control Lists (ACLs)

IPv6 Access Control Lists

Broadcast Infrastructure Cybersecurity - Part 2

Definition of firewall

Junos Security. Chapter 4: Security Policies Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Linux Security & Firewall

Implementing Firewall Technologies

Corso di Sicurezza delle Reti e dei Sistemi Software aa 2015/16

Transcription:

Certification Securing Networks

UNIT 9 Securing Networks 1

Objectives Explain packet filtering architecture Explain primary filtering command syntax Explain Network Address Translation Provide examples Show how to maintain configuration 2

Agenda Introduce packet filtering architecture Describe Netfilter configuration Demonstrate rules by example Describe NAT Making rules persistent 3

Routing and Network Address Translation IP forwarding Effectively makes your Linux box a router Usually used with two network interfaces Configured by editing /etc/sysctl.conf, running redhat-config-proc, or manually through /proc Network Address Translation IP a.b.c.d now equals IP m.n.o.p Also used for masquerading 4

Routing Principles Routers transport packets between different networks Each machine needs a default gateway to reach machines outside the local network Additional routes can be set using the route command Permanent entries can be placed in /etc/sysconfig/static-routes Dynamic routing protocols are used for greater flexibility 5

Netfilter Overview Packet filter architecture for 2.4 kernel Filtering in the kernel: no daemon Assert policies at layers 2, 3 & 4 of the OSI Reference Model Only limited capacity to inspect packets Consists of netfilter modules in kernel, and the iptables user-space software Supercedes ipchains See http://www.netfilter.org/ 6

Netfilter Architecture Table Chain Policy Rule Match Specification Target Base Extension Base Extension 7

Netfilter Tables and Chains Built-in Chains: 8

Netfilter Packet Flow PREROUTING FORWARD POSTROUTING Routing Decision INPUT OUTPUT Kernel = Inspection point Local process 9

Rule Matching Rules in ordered list Packets tested against each rule in turn On first match, the target is evaluated: usually exits the chain Rule may specify multiple criteria for match Every criterion in a specification must be met for the rule to match (logical 'and') Chain policy applies if no match 1 0

Rule Targets Built-in targets: DROP, ACCEPT Extension targets: LOG, REJECT, custom chain REJECT sends a notice returned to sender LOG connects to syslogger kernel facility LOG match does not exit the chain Target is optional, but no more than one per rule and defaults to the chain policy if absent 1 1

Simple Example An INPUT rule for the filter table: Where the rule is checked (CHAIN) The rule iptables -t filter -A INPUT -s 192.168.0.1 -j DROP The match part of the rule The target part of the rule 1 2

Basic Chain Operations Append a rule to the chain (-A) Insert a rule to the chain (-I) -I CHAIN (inserts as the first rule) -I CHAIN 3 (inserts as rule 3) Delete an individual rule (-D) -D CHAIN 3 (deletes rule 3 of the chain) -D CHAIN RULE (deletes rule explicitly) Flush all rules of a chain (-F) List rules in a chain or table (-L) 1 3

Additional Chain Operations Assign chain policy (-P TARGET) ACCEPT (default, a built-in target) DROP (a built-in target) REJECT (not permitted, an extension target) Zero byte and packet counters (-Z [CHAIN]) Useful for monitoring chain statisitics Manage custom chains (-N, -X) -N Your_Chain-Name (adds chain) -X Your_Chain-Name (deletes chain) 1 4

Rules: General Considerations Defaults to mostly open (ACCEPT). Mostly closed is more appropriate iptables -P INPUT DROP Criteria also apply to loopback interface The example rule above will have the side effect of blocking localhost! Rules, like routes, are loaded in memory and must be saved to a file for persistence across reboots 1 5

Match Criteria (filter table) A rule can match many characteristics of a packet: Incoming interface (-i) Outgoing interface(-o) Layer 4 protocol (-p) Source IP address (-s) Destination IP address (-d) The above are base capability 1 6

TCP Match Extensions (filter table) Additional criteria can be used as the basis for packet matching: Protocol -p Source port --sport Destination port --dport TCP flags --tcp-flags Initial connection request --syn 1 7

UDP and ICMP Match Extensions Match source and destination ports with UDP extensions: iptables -A INPUT -m udp -p udp --sport 123 -j DROP Match ICMP types: -p icmp - icmp-type destination-unreachable 1 8

Match Arguments Matches may be made by: IP address, or host name Port number, or service name Arguments may be negated with `!' Inclusive port range may be specified '0:1023' Masks may use VLSN or CIDR notation 1 9

Chain Criteria Outgoing interface (-o) may only be used in the FORWARD, OUTPUT and POSTROUTING chains Incoming interface (-i) may only be used in FORWARD, INPUT and PREROUTING chains Owner match (--*-owner) may only be used in the OUTPUT chain 2 0

Directional Filtering I Scenario: HostA to HostB HostA SYN ACK, SYN ACK HostB Connected CASE 1 }No filtering SYN X iptables -A INPUT -s HostA -j DROP Refused } CASE 2 2 1

Directional Filtering II Scenario: HostB to HostA HostA SYN ACK, SYN HostB iptables -A INPUT -s HostA -j DROP X Refused } CASE 3 Connecte d SYN ACK, SYN ACK iptables -A INPUT -syn -s HostA -j DROP } CASE 4 2 2

Connection Tracking Provides inspection of packet's state a packet can be tested in a specific context Simplifies rule design without connection tracking, rules are usually in pairs(inbound & outbound) Implemented in state match extension Recognized states: NEW, ESTABLISHED, RELATED, INVALID Requires much more memory 2 3

Connection Tracking Example One rule to permit established connections: iptables -A INPUT -m state \ --state ESTABLISHED,RELATED -j ACCEPT Many rules; one for each permitted service: iptables -A INPUT -m state - state NEW \ -p tcp --dport 25 -j ACCEPT Lastly, one rule to block all others inbound: iptables -A INPUT -m state --state NEW \ -j DROP 2 4

Network Address Translation (NAT) nat table Network Address Translation types: Destination NAT (DNAT) Set in the PREROUTING chain where filtering uses translated address Source NAT (SNAT, MASQUERADE) Set in the POSTROUTING chain where filtering never uses translated address 2 5

SNAT Targets MASQUERADE iptables -t nat -A POSTROUTING \ -o eth0 -j MASQUERADE SNAT iptables -t nat -A POSTROUTING \ -j SNAT - to-source 1.2.3.45 2 6

Rules Persistence iptables is not a daemon, but loads rules into memory and exits Rules are not persistent across reboot service iptables save will store rules to /etc/sysconfig/iptables System V management may be used, and is run before networking is configured Conflicts with ipchains 2 7

The Bastion Host Sample /etc/sysconfig/iptables *filter :INPUT DROP [573:46163] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [641:68532] -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -p tcp -m tcp --dport 25 -s 123.123.123.1 -j ACCEPT -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT -A INPUT -p udp -m udp --dport 53 -j ACCEPT -A INPUT -p udp -m udp --dport 123 -s 123.123.123.1 -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset COMMIT 2 8

End of Unit 9 Address questions Preparation for Lab 9 Goals Sequences Deliverables Please ask the instructor for assistance when needed 2 9

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback