Outline
What is a firewall?
Architectures
Roles
Bastion
DMZ
Packet Forwarding
Ethernet bridge
cs490ns - cotter
What is a Firewall?
A hardware or software device that monitors (and controls?) the transmission of packets that attempt to pass through the perimeter of a network (or host).
Provides two basic security functions:
Packet filtering
Application proxy gateways
Types of Firewalls
(Diagram: a router / packet filter and a stateful firewall between the Internet and the corporate network, an application proxy, and a host-based firewall on an internal machine.)
Stateful firewall
Application proxy
Router / packet filter
Host-based firewall
Enterprise Firewalls
Intended to support larger traffic volumes
Provides more sophisticated support (stateful filtering, etc.)
Software: Checkpoint Firewall-1, Microsoft ISA, Symantec Enterprise, etc.
Hardware: Cisco PIX, SonicWall, Watchguard, etc.
Expensive!
Host-based Firewalls
Intended as a last line of defense for the host computer
Runs as a background process on the host
Limited bandwidth available
Generally supports incoming port filtering: can specify which ports (if any) accept incoming connection requests
Occasionally supports outgoing filtering (looking for worms, trojans, etc.)
Firewall Roles
Bastion Hosts
Hardened systems that typically run a firewall and perhaps an application as well
(Diagram: bastion host running the firewall and a web server, placed between the LAN and the Internet.)
DMZ
(Diagram: DMZ architecture with the Internet, the internal LAN, and a DMZ containing the web server.)
Iptables
Administration tool for IPv4 packet filtering and NAT
Used to set up, maintain, and inspect the tables of IP packet filtering rules used by the kernel to manage packet flow through the firewall.
Based on tables that specify the overall task and chains that identify the position of the packet in the packet flow.
IPTables tables
Filter table
Used to control the flow of packets based on packet attributes
Only filters packets; don't modify packets here.
Mangle table
Supports specialized packet handling / routing
Changes the contents of the packet
(Diagram: INPUT, FORWARD and OUTPUT chains between the LAN and the Internet, with INPUT and FORWARD pointing at the RH-Firewall-1-INPUT chain.)
Your IP Address
Your LAN Address
Private Network Addresses
Multicast IP Addresses
Loopback Interface Addresses
53 (DNS)
69 (TFTP)
87
111 / 2049 (portmapper / NFS)
512, 513, 514 (Berkeley r-services: rexec, rlogin, rsh)
515 (lpd)
540 (uucp)
2000
6000 + (X11)
Filter Table Chains
OUTPUT: used to test packets that are leaving the firewall
FORWARD: used to test packets that are passing through the firewall
(Diagram: filter-table packet flow: the Forward chain, the Input chain feeding local processes, and the Output chain; each chain can Drop.)
IPTables Actions
IPTables targets
ACCEPT: stop processing and pass the packet to the application / OS
DROP: stop processing and block the packet
LOG: packet info is sent to syslog; continue processing
REJECT: stop processing and send a reject message to the source
DNAT: change the destination network address
SNAT: change the source network address
MASQUERADE: do source network address translation (PAT)
Partial iptables -L listing (only the match column survived extraction; the column headers were dropped):
udp dpt:5353
udp dpt:631
tcp dpt:631
state RELATED,ESTABLISHED
state NEW tcp dpt:22
state NEW tcp dpt:22
state NEW udp dpt:137
state NEW udp dpt:138
state NEW tcp dpt:139
state NEW tcp dpt:445
state NEW udp dpt:2069
state NEW tcp dpt:3128
state NEW tcp dpt:3306
reject-with icmp-host-prohibited
Filter table
The Input and Forward chains point to the custom chain RH-Firewall-1-INPUT
RH-Firewall-1-INPUT chain
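The chain semantics above (terminating targets ACCEPT/DROP/REJECT versus the non-terminating LOG, and built-in chains handing off to a user-defined chain such as RH-Firewall-1-INPUT that falls back to its caller when nothing matches) as an added Python model. This is example code written for this page, not iptables itself and not code from the slides; the rules, packet dicts and the "LOG then REJECT" pair for port 23 are constructed for illustration.

```python
"""Toy model of how the iptables filter table walks its chains.

Added example, not code from the slides or from iptables.  It models only what
the slides describe: built-in chains with a default policy, a user-defined
chain (RH-Firewall-1-INPUT) that INPUT and FORWARD jump to and that returns to
the caller if no rule matches, and the targets ACCEPT, DROP and REJECT
(terminating) versus LOG (non-terminating).  Packets are plain dicts.
"""
from dataclasses import dataclass, field

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    target: str                                  # ACCEPT/DROP/REJECT/LOG or a chain name
    match: dict = field(default_factory=dict)    # packet fields that must match; {} = match all

    def matches(self, pkt: dict) -> bool:
        for key, want in self.match.items():
            have = pkt.get(key)
            if isinstance(want, frozenset):      # e.g. --state RELATED,ESTABLISHED
                if have not in want:
                    return False
            elif have != want:
                return False
        return True


@dataclass
class FilterTable:
    chains: dict                   # chain name -> list of Rule, in order
    policies: dict                 # built-in chain -> default verdict
    log: list = field(default_factory=list)

    def _walk(self, chain: str, pkt: dict):
        """Walk one chain; return a terminating verdict or None if it fell through."""
        for rule in self.chains.get(chain, []):
            if not rule.matches(pkt):
                continue
            if rule.target == "LOG":
                self.log.append(f"{chain}: {pkt}")   # LOG records and keeps going
                continue
            if rule.target in TERMINATING:
                return rule.target
            verdict = self._walk(rule.target, pkt)    # jump to a user-defined chain
            if verdict is not None:
                return verdict                        # no verdict: it returned, keep walking here
        return None

    def verdict(self, chain: str, pkt: dict) -> str:
        """Verdict for a packet entering a built-in chain; the policy applies on fall-through."""
        result = self._walk(chain, pkt)
        return result if result is not None else self.policies[chain]


def redhat_style_table() -> FilterTable:
    """Constructed ruleset in the shape of the Red Hat default shown on the slides."""
    custom = [
        Rule("ACCEPT", {"iface": "lo"}),
        Rule("ACCEPT", {"state": frozenset({"RELATED", "ESTABLISHED"})}),
        Rule("ACCEPT", {"proto": "tcp", "dport": 22, "state": "NEW"}),
        Rule("LOG", {"proto": "tcp", "dport": 23}),     # record telnet attempts, then fall through
        Rule("REJECT"),                                  # catch-all, like reject-with icmp-host-prohibited
    ]
    return FilterTable(
        chains={
            "INPUT": [Rule("RH-Firewall-1-INPUT")],
            "FORWARD": [Rule("RH-Firewall-1-INPUT")],
            "RH-Firewall-1-INPUT": custom,
        },
        policies={"INPUT": "ACCEPT", "FORWARD": "ACCEPT", "OUTPUT": "ACCEPT"},
    )


if __name__ == "__main__":
    table = redhat_style_table()
    ssh = {"iface": "eth0", "proto": "tcp", "dport": 22, "state": "NEW"}
    telnet = {"iface": "eth0", "proto": "tcp", "dport": 23, "state": "NEW"}
    print("ssh:", table.verdict("INPUT", ssh))          # ACCEPT
    print("telnet:", table.verdict("INPUT", telnet))    # REJECT, and one log entry
    print("log:", table.log)
```

Removing the final REJECT rule from the custom chain shows why that catch-all matters: a packet that matches nothing returns to INPUT and is then judged by INPUT's default policy, which in this layout is ACCEPT.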
Why? (reasons for NAT)
Private local IP addresses
Multiple servers (load sharing)
Transparent proxying
NAT table
Used to map local IP addresses to a set of routable addresses (NAT)
Used to map local IP addresses to a set of ports associated with a single routable address (NAPT)
Used to map local IP addresses to a set of ports associated with a variable routable address (masquerade)
  Dial-up connection
  Dynamically assigned IP address
  Other
NAT
Two types of NAT
Source NAT (snat): used to translate the source IP address of a packet (typically outgoing)
Destination NAT (dnat): used to translate the destination IP address of a packet (typically incoming)
Output: used to change the source (or destination) address of locally generated packets
Post-routing: used to change the source address of outgoing packets
(Diagram: packet flow with NAT: routing decision, Forward chain, Source NAT at Post-routing, Input chain feeding local processes, and the Output chain; each chain can Drop.)
Mangle table
Used for special routing and packet modification.
Uses the TOS (type of service) field in the IP header.
TTL
Can be used to set and test markers placed
iptables-save
Displays a copy of the in-memory rule set
Can redirect the copy to a file using output redirection:
iptables-save > /etc/sysconfig/iptables
iptables-restore
Rebuilds the in-memory rule set from the keyboard or from a file (using input redirection)
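What the redirected file contains is plain text in the iptables-save format, which a defender can parse and audit before restoring it. The parser and the three audit checks below are an added example written for this page, not iptables code and not from the slides; the saved ruleset is constructed here (a Red Hat style RH-Firewall-1-INPUT layout with one extra rule for port 3306), and the check names are this example's own.

```python
"""Parse the text that iptables-save writes and audit the filter table.

Added example, not code from the slides or from iptables.  The saved ruleset
below is constructed for this example in the iptables-save format (a *table
header, :CHAIN POLICY [counters] lines, -A rules, COMMIT); it mimics a Red Hat
style RH-Firewall-1-INPUT setup.  The audit checks are this example's own.
"""

SAMPLE_SAVE = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

MATCH_FLAGS = ("-p", "-s", "-d", "-i", "-o", "-m", "--dport", "--sport")


def parse_save(text: str) -> dict:
    """Return {table: {"policies": {chain: policy}, "rules": [[chain, tokens...], ...]}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                              # table header, e.g. *filter
            table = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif line.startswith(":"):                            # :CHAIN POLICY [pkts:bytes]
            chain, policy, _counters = line[1:].split()
            table["policies"][chain] = policy                 # '-' means a user-defined chain
        elif line.startswith("-A "):
            table["rules"].append(line.split()[1:])           # [chain, match/target tokens...]
        elif line == "COMMIT":
            table = None
    return tables


def _after(tokens: list, flag: str):
    """Value following a flag in a tokenised rule, or None if the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None


def permissive_policies(tables: dict) -> list:
    """Built-in filter chains whose default is ACCEPT: anything no rule matches gets through."""
    policies = tables.get("filter", {}).get("policies", {})
    return sorted(chain for chain, policy in policies.items() if policy == "ACCEPT")


def accepted_new_ports(tables: dict) -> list:
    """(chain, proto, port) for every rule that ACCEPTs NEW connections to a destination port."""
    found = []
    for tokens in tables.get("filter", {}).get("rules", []):
        states = (_after(tokens, "--state") or "").split(",")
        if _after(tokens, "-j") == "ACCEPT" and "NEW" in states and "--dport" in tokens:
            found.append((tokens[0], _after(tokens, "-p"), int(_after(tokens, "--dport"))))
    return found


def ends_with_catch_all(tables: dict, chain: str) -> bool:
    """True if the chain's last rule is an unconditional DROP/REJECT."""
    rules = [t for t in tables.get("filter", {}).get("rules", []) if t[0] == chain]
    if not rules:
        return False
    last = rules[-1]
    unconditional = not any(flag in last for flag in MATCH_FLAGS)
    return unconditional and _after(last, "-j") in ("DROP", "REJECT")


if __name__ == "__main__":
    tables = parse_save(SAMPLE_SAVE)
    print("ACCEPT policies:", permissive_policies(tables))
    print("ports open to NEW connections:", accepted_new_ports(tables))
    print("custom chain has catch-all:", ends_with_catch_all(tables, "RH-Firewall-1-INPUT"))
```

The combination the audit is looking for is an ACCEPT default policy on INPUT together with a custom chain that does not end in a catch-all REJECT or DROP: in that case any packet the custom chain does not match falls back to INPUT and is accepted.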
IPTables Constraints
Based on IP only
Don't run IPX, AppleTalk, etc., as these protocols are not filtered
Port Forwarding
(Diagram: an Internet client connecting to the public address 123.234.56.78:80 on the firewall is forwarded to the HTTPD on LAN host 192.168.3.6:80.)
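The NAT table's two directions (MASQUERADE / SNAT in POSTROUTING for outbound LAN traffic, DNAT in PREROUTING for the port forwarding above) as an added Python model. This is example code written for this page, not netfilter code and not from the slides; the public address 123.234.56.78 and the forwarded web server 192.168.3.6:80 are the slide's values, while the 192.168.3.0/24 LAN prefix, the client addresses and the port numbers are constructed for illustration.

```python
"""Toy NAT box: MASQUERADE/SNAT for outbound LAN traffic and DNAT port forwarding.

Added example, not code from the slides or from netfilter.  The public address
123.234.56.78 and the forwarded web server 192.168.3.6:80 are the values from
the port-forwarding slide; the LAN prefix, client addresses and port numbers
are constructed for illustration.  A real kernel keeps this state in conntrack;
here two dicts play that role.
"""
from dataclasses import dataclass, replace
import itertools

PUBLIC_IP = "123.234.56.78"                          # from the slide
LAN_PREFIX = "192.168.3."                            # assumption: the LAN is 192.168.3.0/24
FORWARDS = {(PUBLIC_IP, 80): ("192.168.3.6", 80)}    # the DNAT rule from the slide


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatBox:
    def __init__(self, public_ip=PUBLIC_IP, forwards=FORWARDS, first_port=1024):
        self.public_ip = public_ip
        self.forwards = dict(forwards)            # (public ip, port) -> (inside ip, port)
        self._free_ports = itertools.count(first_port)
        self.outbound = {}                        # (inside src, sport) -> public port
        self.reverse = {}                         # public port -> (inside src, sport)

    def prerouting(self, pkt: Packet) -> Packet:
        """PREROUTING: applied to packets arriving from the Internet, before routing."""
        if (pkt.dst, pkt.dport) in self.forwards:             # DNAT: port forwarding
            ip, port = self.forwards[(pkt.dst, pkt.dport)]
            return replace(pkt, dst=ip, dport=port)
        if pkt.dst == self.public_ip and pkt.dport in self.reverse:   # reply to a masqueraded flow
            ip, port = self.reverse[pkt.dport]
            return replace(pkt, dst=ip, dport=port)
        return pkt                                            # nothing known: left untouched

    def postrouting(self, pkt: Packet) -> Packet:
        """POSTROUTING: applied to packets leaving towards the Internet, after routing."""
        for (pub_ip, pub_port), (in_ip, in_port) in self.forwards.items():
            if (pkt.src, pkt.sport) == (in_ip, in_port):      # reply from a DNATed server
                return replace(pkt, src=pub_ip, sport=pub_port)
        if pkt.src.startswith(LAN_PREFIX):                    # MASQUERADE (NAPT)
            key = (pkt.src, pkt.sport)
            if key not in self.outbound:                      # new flow: allocate a public port
                port = next(self._free_ports)
                self.outbound[key] = port
                self.reverse[port] = key
            return replace(pkt, src=self.public_ip, sport=self.outbound[key])
        return pkt


if __name__ == "__main__":
    box = NatBox()
    out = box.postrouting(Packet("192.168.3.20", 40000, "198.51.100.9", 443))
    print("outbound after MASQUERADE:", out)                  # src 123.234.56.78:1024
    print("reply after un-NAT:", box.prerouting(Packet("198.51.100.9", 443, PUBLIC_IP, 1024)))
    print("forwarded:", box.prerouting(Packet("203.0.113.7", 51000, PUBLIC_IP, 80)))
```

Two LAN hosts that both happen to use source port 40000 get distinct public ports, which is the NAPT point from the NAT table slide: one routable address is multiplexed by port, and the reverse table is what lets the replies find their way back.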
EBtables
Ethernet Bridge tables
Intended to support filtering of packets that IPtables cannot filter: Ethernet protocol, MAC address, ARP, NetBEUI, IPX, etc.
Basically adds non-IP filtering.
802.1Q VLAN filtering
MAC address NAT
Frame counters
EBtables Structure
broute table
  BROUTING chain
  Choose whether to process a packet at layer 2 (bridge) or at layer 3 (route), e.g. route normal IP traffic and bridge IPX traffic
filter table
  FORWARD, INPUT, OUTPUT chains
  Route packets based on MAC addresses
nat table
  PREROUTING, OUTPUT, POSTROUTING chains
  Change MAC addresses (redirect based on MAC)
(Diagram: a Linux box configured as a bridge, with the firewall installed, sitting between the LAN and the Internet.)
/var/log/iptables.log
(Listings: the primary firewall's filter table, and the Win1 outgoing firewall chain.)
Summarize traffic
psad -m /var/log/iptables/iptables_log_022011 -gnuplot --CSV-fields dst src dp:count --gnuplotgraph points --gnuplot-xrange 0:100 --gnuplot-fileprefix test_022011
test_022011.dat
1, 172, 2 ### 1=12.29.100.148 172=192.168.1.35
:
39, 172, 96 ### 39=66.94.233.186 172=192.168.1.35
:
246, 171, 1 ### 246=216.191.247.139 171=192.168.1.30
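A parser for the .dat file psad writes above, as an added example (not psad's own code and not from the slides). It resolves the index numbers through the "###" legend on each row and then answers the "is the traffic known / expected?" question mechanically against a list of expected destinations the analyst supplies. The three sample rows are the ones shown above; the ":" lines are the slide's elision marker and are skipped.

```python
"""Parser and summary for the psad --CSV output shown above.

Added example, not psad's own code.  The three sample rows are the ones from
the slide (the ':' lines mark rows the slide elided); the field order dst, src,
count follows the --CSV-fields dst src dp:count option in the psad command.
"""
from collections import Counter

SAMPLE_DAT = """\
1, 172, 2 ### 1=12.29.100.148 172=192.168.1.35
:
39, 172, 96 ### 39=66.94.233.186 172=192.168.1.35
:
246, 171, 1 ### 246=216.191.247.139 171=192.168.1.30
"""


def parse_line(line: str) -> dict:
    """'1, 172, 2 ### 1=12.29.100.148 172=192.168.1.35' -> dst/src resolved to addresses."""
    data, _, legend = line.partition("###")
    dst_idx, src_idx, count = (x.strip() for x in data.split(","))
    index_to_ip = dict(pair.split("=", 1) for pair in legend.split())   # "1=12.29.100.148" -> ("1", ip)
    return {"dst": index_to_ip[dst_idx], "src": index_to_ip[src_idx], "count": int(count)}


def parse_dat(text: str) -> list:
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line == ":":          # blank lines and the slide's elision marker
            continue
        rows.append(parse_line(line))
    return rows


def totals_by(rows: list, key: str) -> Counter:
    """Sum the logged packet counts per distinct destination ("dst") or source ("src")."""
    totals = Counter()
    for row in rows:
        totals[row[key]] += row["count"]
    return totals


def unexpected(rows: list, known_destinations: set) -> list:
    """Rows whose destination is not on the analyst's list of expected addresses.

    This is the 'is the traffic known / expected?' question from the slides,
    answered mechanically; known_destinations is whatever the analyst supplies.
    """
    return [row for row in rows if row["dst"] not in known_destinations]


if __name__ == "__main__":
    rows = parse_dat(SAMPLE_DAT)
    print("by destination:", totals_by(rows, "dst").most_common())
    print("by source:", totals_by(rows, "src").most_common())
    for row in unexpected(rows, {"12.29.100.148"}):       # constructed "known" list
        print("investigate:", row)
```

Sorting by destination puts the heaviest talker first (96 logged packets to 66.94.233.186 from 192.168.1.35 in the sample), which is the row to look at before the single-packet entries.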
Analyze traffic
Are the addresses identifiable?
Is the traffic known / expected?
Why is the traffic there?
References
Richard Tibbs and Edward Oakes, Firewalls and VPNs: Principles and Practices, Prentice Hall, 2005
Summary
What is a firewall?
Architectures
EBtables