Overview
Configuration
IPTables IPChains
Network firewalls are devices or systems that control the flow of network traffic between networks employing different security postures.
One usage is to limit or control connectivity to the Internet.
Another usage in corporate networks is to restrict connectivity to and from internal networks servicing more sensitive functions, like the accounting or personnel department.
Firewalls that can examine information at more than one layer are more thorough and effective.
A firewall that works only with layers 2 and 3 does not deal with specific users.
A firewall at the application layer, like an application-proxy gateway firewall, can enforce user authentication as well as log events to specific users.
Firewalls support DHCP so as to allocate IP addresses for those systems that will be the subject of the firewall's security control and to simplify network management.
Firewalls can act as VPN gateways, where the gateway is responsible for encrypting traffic that is leaving its boundary and destined to other systems in the VPN.
Active content filtering: the firewall is capable of filtering actual application data at layer 7.
It can filter on content or key words to restrict access to inappropriate sites or domains.
For example, scanning email attachments for viruses, or filtering out active content in technologies like Java, JavaScript and ActiveX.
Types of Firewalls
Packet Filters
Stateful Inspection Firewalls
Application-proxy Gateway Firewalls
Dedicated proxy servers
Hybrid Firewalls
Network Address Translation (NAT)
Packet Filters
The basic functionality is designed to provide network access control based on the information at the network layer.
The access control functionality of a packet filter is decided by a set of directives called a ruleset. Rules are written in terms of:
the source address of the packet, i.e., the IP address from which the packet originated
the destination address of the packet, i.e., the IP address where it is going
the type of traffic, i.e., the specific network protocol being used to communicate between source and destination
the source and destination ports
the incoming and outgoing interfaces for the packet filter
the type of traffic, e.g., ICMP traffic (the layer 3 protocol is ICMP)
Packet filters can prevent attacks that exploit weaknesses in the TCP/IP suite.
Boundary Router
Packet filter gateways have both speed and flexibility: as they examine a limited amount of data, they can operate very quickly.
The ability to block attacks, filter unwanted protocols, perform access control, and block denial-of-service and related attacks makes them ideal to be placed at the outermost boundary with an un-trusted network.
The boundary router will pass the packets to a more powerful firewall that can perform access control and filtering at higher layers of the OSI stack.
E.g., the boundary router accepts packets from un-trusted networks and performs access control according to the policy in place, say, block SNMP, permit HTTP, block ICMP, etc.
Boundary Router
192.168.1.0 indicates all addresses in the range 192.168.1.0 to 192.168.1.254 (the firewall has interface 192.168.1.1).
The filter examines the source port, destination port, source address and destination address, basically all information that is necessary for evaluating the rules in the ruleset.
Accept: the firewall passes the packet through the firewall as requested.
Deny: drops the packet. An error message is returned to the sending system.
Discard: drops the packet and does not return an error to the source system.
Rule 1 allows any TCP connections from outside.
Rule 3 says deny any attempts to connect to the firewall from outside.
Rules 5 and 6 say allow packets going to the SMTP (192.168.1.2) and HTTP (192.168.1.3) servers.
The last rule is the default: if packets don't match any of the above they are denied.
Example
Weaknesses
As they don't examine upper-layer data, they cannot prevent attacks that employ application-specific vulnerabilities or functions.
For example, they cannot block specific application commands: if a packet filter firewall allows a given application, all functions available from that application will be permitted.
Logging functionality is limited as packet filter firewalls work on a small amount of data.
Most packet filters do not support advanced user authentication schemes.
They are vulnerable to attacks and exploits that take advantage of problems within the TCP/IP specification and protocol stack, such as IP spoofing.
Due to the small number of variables used in access control decisions, packet filter firewalls are susceptible to security breaches caused by improper configuration.
These firewalls are suitable for high-speed environments where logging and user authentication with network resources are not important.
Stateful inspection firewalls address some functionalities of the TCP layer.
Many clients connect to remote systems from high-numbered ports, e.g., the client port is >1023 in most cases.
A packet filter firewall must allow all communication to happen above this port; allowing so many ports leaves the network vulnerable.
A stateful inspection firewall solves this problem by adding the state information of the relevant TCP connection.
Only ports having legitimate TCP connections are allowed; a state table is maintained for every connection.
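The following Python simulation is an added example, not code from the slides or from any firewall product. It serves two passages at once: the Boundary Router ruleset semantics (first matching rule wins; accept, deny with an error back, discard silently; default deny) and the stateful-inspection fix just described. The rule names, the client 192.168.1.50 and the outside hosts 203.0.113.x are constructed; only the 192.168.1.0 network and the .1, .2 and .3 hosts come from the slides.

```python
"""Packet filter ruleset evaluation plus a stateful-inspection connection table.
Example simulation written for this page, not the slides' own code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

INTERNAL = "192.168.1.0/24"   # from the slides: 192.168.1.0 .. 192.168.1.254
FIREWALL_IP = "192.168.1.1"   # the firewall's own interface (from the slides)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    direction: str    # "in" = arriving from the un-trusted side, "out" = leaving the internal net
    syn: bool = False  # TCP SYN flag: the first packet of a new connection


def _in_net(addr: str, net: str) -> bool:
    """'any', a single host address or a CIDR network all work as rule fields."""
    return net == "any" or ip_address(addr) in ip_network(net)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "accept", "deny" (drop + error back) or "discard" (silent drop)
    direction: str = "any"
    src: str = "any"
    dst: str = "any"
    proto: str = "any"
    dport: Optional[Tuple[int, int]] = None   # inclusive destination-port range

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction) and self.proto in ("any", p.proto)
                and _in_net(p.src, self.src) and _in_net(p.dst, self.dst)
                and (self.dport is None or self.dport[0] <= p.dport <= self.dport[1]))


def filter_packet(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """Stateless packet filter: first matching rule wins; unmatched packets hit the default deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.name
    return "deny", "default"


# Constructed ruleset in the spirit of the slides' boundary-router example.
BASE_RULES = [
    Rule("deny-to-firewall", "deny", direction="in", dst=FIREWALL_IP),
    Rule("smtp-server", "accept", direction="in", dst="192.168.1.2", proto="tcp", dport=(25, 25)),
    Rule("http-server", "accept", direction="in", dst="192.168.1.3", proto="tcp", dport=(80, 80)),
    Rule("outbound-tcp", "accept", direction="out", src=INTERNAL, proto="tcp"),
]
# A stateless filter must also let server replies reach the clients' high-numbered ports,
# which is the weakness the slides describe: every port above 1023 is reachable from outside.
STATELESS_RULES = BASE_RULES + [
    Rule("replies-to-high-ports", "accept", direction="in", dst=INTERNAL, proto="tcp", dport=(1024, 65535)),
]


class StatefulFirewall:
    """Remembers connections opened from inside; an inbound packet is accepted only if it
    belongs to a known connection or matches an explicit rule."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.state: Set[Tuple[str, int, str, int]] = set()  # (client ip, client port, server ip, server port)

    def process(self, p: Packet) -> Tuple[str, str]:
        if p.direction == "in" and p.proto == "tcp":
            if (p.dst, p.dport, p.src, p.sport) in self.state:
                return "accept", "state-table"       # reply to a connection we saw leave
        action, name = filter_packet(self.rules, p)
        if action == "accept" and p.direction == "out" and p.proto == "tcp" and p.syn:
            self.state.add((p.src, p.sport, p.dst, p.dport))   # record the new connection
        return action, name


def demo() -> dict:
    """Same constructed traffic through a stateless filter and a stateful one."""
    client_syn = Packet("192.168.1.50", "203.0.113.10", "tcp", 40000, 80, "out", syn=True)
    server_reply = Packet("203.0.113.10", "192.168.1.50", "tcp", 80, 40000, "in")
    unsolicited = Packet("203.0.113.99", "192.168.1.50", "tcp", 31337, 4444, "in", syn=True)
    to_firewall = Packet("203.0.113.10", FIREWALL_IP, "tcp", 1234, 22, "in", syn=True)
    stateful = StatefulFirewall(BASE_RULES)          # no high-port rule needed any more
    return {
        "stateless_reply": filter_packet(STATELESS_RULES, server_reply)[0],
        "stateless_unsolicited": filter_packet(STATELESS_RULES, unsolicited)[0],  # the hole
        "stateful_syn": stateful.process(client_syn)[0],
        "stateful_reply": stateful.process(server_reply)[0],
        "stateful_unsolicited": stateful.process(unsolicited)[0],              # closed again
        "to_firewall": filter_packet(BASE_RULES, to_firewall)[0],
    }
```

Running `demo()` shows the contrast the slides draw: the stateless ruleset accepts both the server's reply and an unsolicited packet to port 4444, because it cannot tell them apart; the stateful firewall accepts the reply via its state table and drops the unsolicited packet with the default deny, while the explicit SMTP, HTTP and deny-to-firewall rules behave identically in both.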
Application-proxy gateway firewalls combine application layer information with lower layer information for filtering purposes.
Application proxies take over the routing task of packets from inside and outside the network.
Each individual application-proxy (proxy agent) interfaces directly with the firewall access control ruleset to determine whether given traffic should be permitted to transit the firewall.
If it fails, no packets can pass through the firewall; all network packets must traverse the firewall under software control.
Authentication of each user is possible based on login and password, source address, biometrics, etc.
They have more extensive logging capabilities as the entire packet is examined.
They allow administrators to enforce the required authentication based on the security policy of the organization.
IP spoofing can be detected as the attackers need to know more information, such as the login and password.
Disadvantages
They are not flexible in supporting new network applications and protocols.
They are not suited for high-bandwidth or real-time applications; some work is often offloaded to dedicated proxy servers.
They ship with generic support; this can allow malicious traffic to tunnel through these generic application proxies without checks.
Dedicated proxy servers are deployed behind traditional firewalls.
The main firewall will accept inbound traffic and forward the traffic to the proxy, if that application is handled by the proxy.
Proxy servers can also accept outbound traffic from internal systems.
Dedicated proxies allow enforcement of user authentication requirements in addition to filtering and logging.
They filter or log the traffic accordingly, e.g., an HTTP proxy that is behind the firewall.
They can prevent email viruses and protect web server updates from internal users.
Typical functions of such a proxy:
Java applet or application filtering (based on digital signature availability)
ActiveX control filtering (same as above)
JavaScript filtering (eliminating cross-site scripting attacks)
Blocking specific Multipurpose Internet Mail Extensions (MIME) types
Virus scanning and removal
Application-specific commands like HTTP delete
User-specific controls, including blocking content types for certain users
Caching of web pages to reduce incoming traffic
Hybrid firewalls: combining basic packet filters with application-proxy gateway firewalls.
Combining stateful inspection firewalls with application-proxy functionality to offset weaknesses of existing stateful inspection firewalls.
Network Address Translation (NAT): hiding the real IP addresses in the network prevents many attackers from attacking individual systems.
Depletion of the IP address space has made NAT necessary for most organizations.
Three techniques
Static Address Translation
Hiding Network Address Translation
Port Address Translation
Static Address Translation: every internal IP has a different routable IP (fixed).
Not very frequently used due to the lack of IPs.
Very fast and scalable.
Sample Table
Hiding NAT
Those addresses that need to be mapped from outside require their own external addresses, for efficiency purposes.
Port Address Translation forwards inbound connections based on ports.
The client port is used to identify the connection, unlike NAT where the IP address is used to identify the connection.
Each internal connection gets a port from the firewall based on the connection.
When a response comes from outside, the firewall looks up the destination port and identifies the client.
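The port lookup described above, as an added example that is not part of the original slides: a Python simulation of a static NAT table next to a PAT table, so the difference (the IP address versus a firewall-assigned port identifying the connection) is visible, including what happens to a response for which no mapping exists. The external addresses 198.51.100.x and all hosts are constructed.

```python
"""Static NAT versus Port Address Translation (PAT) as table simulations.
Example code written for this page, not any product's implementation."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Key = Tuple[str, int, str, int]   # (internal ip, internal port, remote ip, remote port)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StaticNat:
    """One fixed routable address per internal host: the IP address identifies the connection."""

    def __init__(self, mapping: Dict[str, str]):   # internal ip -> external ip
        self.out = dict(mapping)
        self.back = {ext: internal for internal, ext in mapping.items()}

    def translate_outbound(self, f: Flow) -> Flow:
        return Flow(self.out[f.src_ip], f.src_port, f.dst_ip, f.dst_port)

    def translate_inbound(self, f: Flow) -> Optional[Flow]:
        internal = self.back.get(f.dst_ip)
        return None if internal is None else Flow(f.src_ip, f.src_port, internal, f.dst_port)


class PortAddressTranslator:
    """All internal hosts share one external address; the port the firewall assigns identifies the client."""

    def __init__(self, external_ip: str, port_range: Tuple[int, int] = (1024, 65535)):
        self.external_ip = external_ip
        self.next_port, self.max_port = port_range
        self.by_flow: Dict[Key, int] = {}   # internal connection -> firewall port
        self.by_port: Dict[int, Key] = {}   # firewall port -> internal connection

    def translate_outbound(self, f: Flow) -> Flow:
        key = (f.src_ip, f.src_port, f.dst_ip, f.dst_port)
        port = self.by_flow.get(key)
        if port is None:                     # new connection: allocate a firewall port
            if self.next_port > self.max_port:
                raise RuntimeError("PAT port pool exhausted")
            port, self.next_port = self.next_port, self.next_port + 1
            self.by_flow[key] = port
            self.by_port[port] = key
        return Flow(self.external_ip, port, f.dst_ip, f.dst_port)

    def translate_inbound(self, f: Flow) -> Optional[Flow]:
        """Response from outside: look up the destination port to find the client.
        Returns None (drop) when no mapping exists or the sender is not the expected peer."""
        if f.dst_ip != self.external_ip:
            return None
        key = self.by_port.get(f.dst_port)
        if key is None:
            return None
        client_ip, client_port, remote_ip, remote_port = key
        if (f.src_ip, f.src_port) != (remote_ip, remote_port):
            return None
        return Flow(f.src_ip, f.src_port, client_ip, client_port)
```

Two internal hosts using the same client port 50000 get two different firewall ports, so the response is routed to the right one purely by port; with static NAT each host needs its own external address, which is why the slides note that static translation is rarely used when addresses are scarce.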
Other Firewalls
Personal firewalls protect PCs.
A personal firewall appliance protects small networks, like ISP-client connections, etc.
It integrates with the following devices: cable modem, routing modules, DHCP servers, hubs, switches, SNMP agents, application-proxy agents.
DMZ
A DMZ is created out of a network connecting two firewalls, specifically for nodes that should not be put in protected internal networks.