1
Disclaimer:
Batteries not included, some assembly required, don't operate heavy equipment while reading this, not
all buyers will qualify, must take delivery before 1/1/1980, your mileage may vary, no user serviceable
parts inside, big brother may be watching.
2
Goals
(Besides killing an hour and a half)
3
What is a firewall?
4
What is an attack?
5
Edge Firewall
6
Firewall Appliance
7
Network Firewall
Router/Bridge based Firewall
A firewall running on a bridge or a router protects anything from a group of
devices to an entire network. Cisco has firewall feature sets in
their IOS operating system.
Computer-based Network Firewall
A network firewall runs on a computer (such as a PC or Unix
computer). These firewalls are some of the most flexible. Many
free products are available including IPFilter (the first package we
tried), PF (the current package we are using found on OpenBSD
3.0 and later) and IPTables (found on Linux). Commercial
products include: Checkpoint Firewall-1. Apple OSX includes
IPFW (included in an operating system you gotta purchase).
8
Why use a firewall?
9
Great first line of defense.
10
How does a firewall work?
Blocks packets based on:
Source IP Address or range of addresses.
Source IP Port
Destination IP Address or range of addresses.
Destination IP Port
Some can filter at higher layers of the OSI model.
Other protocols (How would you filter DECnet anyway?).
Common ports
80 HTTP
443 HTTPS
20 & 21 FTP (didn't know 20 was for FTP, did you?)
23 Telnet
22 SSH
25 SMTP
11
Sample firewall rules
12
Sample rules:
Can you find the problem?
(For this example, when a packet matches a rule, rule processing stops.)
13
Sample rules:
Can you find the problem?
(For this example, when a rule matches a packet, rule processing stops.)
The SSH rule would never have a chance to be evaluated. All traffic to
134.71.1.25 is blocked with the previous two rules.
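The rule-ordering problem on this slide (a pass rule for SSH placed after two block rules that already cover every packet to 134.71.1.25) can be caught mechanically. The following Python is an added example, not the slide's own ruleset or any firewall's code: it evaluates first-match rules the way the slide assumes and reports any rule that an earlier rule completely covers. The three rules in BROKEN are a constructed reconstruction of the slide's scenario (the slide's actual rules are not on the page); the default-deny when nothing matches is also an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PortRange = Optional[Tuple[int, int]]  # None means "any port"


@dataclass(frozen=True)
class Rule:
    action: str        # "pass" or "block"
    proto: str         # "tcp", "udp" or "any"
    src: str           # CIDR; "0.0.0.0/0" for any source
    dst: str           # CIDR; "0.0.0.0/0" for any destination
    dport: PortRange = None

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        """Does this rule match one concrete packet?"""
        if self.proto != "any" and self.proto != proto:
            return False
        if ip_address(src) not in ip_network(self.src):
            return False
        if ip_address(dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport[0] <= dport <= self.dport[1]

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` could match is also matched by self."""
        proto_ok = self.proto == "any" or self.proto == other.proto
        src_ok = ip_network(other.src).subnet_of(ip_network(self.src))
        dst_ok = ip_network(other.dst).subnet_of(ip_network(self.dst))
        if self.dport is None:
            port_ok = True                      # "any port" covers everything
        elif other.dport is None:
            port_ok = False                     # a port-limited rule cannot cover "any port"
        else:
            port_ok = self.dport[0] <= other.dport[0] and other.dport[1] <= self.dport[1]
        return proto_ok and src_ok and dst_ok and port_ok


def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: int):
    """First match wins, as on the slide. Returns (action, index of deciding rule)."""
    for i, rule in enumerate(rules):
        if rule.matches(proto, src, dst, dport):
            return rule.action, i
    return "block", None   # assumption: default deny when nothing matches


def shadowed(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Return (later, earlier) index pairs where `earlier` covers `later`,
    so `later` can never be the first match for any packet."""
    found = []
    for j, later in enumerate(rules):
        for i in range(j):
            if rules[i].covers(later):
                found.append((j, i))
                break
    return found


ANY = "0.0.0.0/0"
HOST = "134.71.1.25/32"   # the host from the slide

# Constructed reconstruction of the slide's broken ordering: two block rules
# that together cover all TCP and UDP to the host, then the SSH pass rule.
BROKEN = [
    Rule("block", "tcp", ANY, HOST),
    Rule("block", "udp", ANY, HOST),
    Rule("pass", "tcp", ANY, HOST, (22, 22)),
]
# The fix under first-match semantics: the specific pass rule goes first.
FIXED = [BROKEN[2], BROKEN[0], BROKEN[1]]

if __name__ == "__main__":
    for name, rules in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, "shadowed:", shadowed(rules),
              "ssh ->", evaluate(rules, "tcp", "10.0.0.5", "134.71.1.25", 22))
```

Running the block reports that rule 2 (the SSH pass) is shadowed by rule 0 in BROKEN and that an SSH packet is blocked by rule 0; in FIXED nothing is shadowed, SSH passes, and telnet to the same host is still blocked. The covers() check is purely static, so it finds shadowing without needing test packets; it ignores the action on purpose, because a shadowed pass rule is a hole that silently never opens and a shadowed block rule is dead weight, and both are worth knowing about.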
14
To log or not to log
If you set your rules to log too much, your logs will
not be examined. If you log too little, you won't see
things you need. If you don't log, you have no
information on how your firewall is operating.
15
Sample log file
Jul 31 11:00:06 kd2 ipmon[14110]: 11:00:06.786765 xl0 @1:10 b 134.71.4.100,50258 -> 134.71.202.57,23 PR tcp len 20 48 -S IN
Jul 31 11:00:07 kd2 ipmon[14110]: 11:00:07.366515 xl0 @1:10 b 134.71.4.100,50258 -> 134.71.202.57,23 PR tcp len 20 48 -S IN
Jul 31 11:00:08 kd2 ipmon[14110]: 11:00:08.526751 xl0 @1:10 b 134.71.4.100,50258 -> 134.71.202.57,23 PR tcp len 20 48 -S IN
Jul 31 11:00:10 kd2 ipmon[14110]: 11:00:10.856705 xl0 @1:10 b 134.71.4.100,50258 -> 134.71.202.57,23 PR tcp len 20 48 -S IN
Jul 31 11:00:15 kd2 ipmon[14110]: 11:00:15.515785 xl0 @1:10 b 134.71.4.100,50258 -> 134.71.202.57,23 PR tcp len 20 48 -S IN
Jul 31 11:50:02 kd2 ipmon[14110]: 11:50:02.619311 xl0 @0:3 b 213.244.12.136,4588 -> 134.71.202.37,80 PR tcp len 20 44 -S IN
Jul 31 11:50:02 kd2 ipmon[14110]: 11:50:02.629271 xl0 @0:3 b 213.244.12.136,4597 -> 134.71.202.44,80 PR tcp len 20 44 -S IN
Jul 31 11:50:02 kd2 ipmon[14110]: 11:50:02.642610 xl0 @1:10 b 213.244.12.136,4610 -> 134.71.202.57,80 PR tcp len 20 44 -S IN
Jul 31 11:50:05 kd2 ipmon[14110]: 11:50:05.633338 xl0 @1:10 b 213.244.12.136,4610 -> 134.71.202.57,80 PR tcp len 20 44 -S IN
Jul 31 11:50:17 kd2 ipmon[14110]: 11:50:16.882433 xl0 @0:3 b 213.244.12.136,1406 -> 134.71.203.35,80 PR tcp len 20 44 -S IN
Jul 31 11:50:20 kd2 ipmon[14110]: 11:50:20.401561 xl0 @0:3 b 213.244.12.136,1688 -> 134.71.203.47,80 PR tcp len 20 44 -S IN
Jul 31 11:50:20 kd2 ipmon[14110]: 11:50:20.414682 xl0 @0:3 b 213.244.12.136,1701 -> 134.71.203.60,80 PR tcp len 20 44 -S IN
Jul 31 11:50:24 kd2 ipmon[14110]: 11:50:24.127364 xl0 @0:3 b 213.244.12.136,1944 -> 134.71.203.103,80 PR tcp len 20 44 -S IN
Jul 31 11:50:24 kd2 ipmon[14110]: 11:50:24.144581 xl0 @0:3 b 213.244.12.136,1957 -> 134.71.203.108,80 PR tcp len 20 44 -S IN
Jul 31 11:50:27 kd2 ipmon[14110]: 11:50:27.761458 xl0 @0:3 b 213.244.12.136,2243 -> 134.71.203.168,80 PR tcp len 20 44 -S IN
Jul 31 11:50:27 kd2 ipmon[14110]: 11:50:27.778617 xl0 @0:3 b 213.244.12.136,2260 -> 134.71.203.185,80 PR tcp len 20 44 -S IN
Jul 31 11:50:30 kd2 ipmon[14110]: 11:50:30.771581 xl0 @0:3 b 213.244.12.136,2243 -> 134.71.203.168,80 PR tcp len 20 44 -S IN
Jul 31 11:50:30 kd2 ipmon[14110]: 11:50:30.772833 xl0 @0:3 b 213.244.12.136,2260 -> 134.71.203.185,80 PR tcp len 20 44 -S IN
Jul 31 11:52:48 kd2 ipmon[14110]: 11:52:47.511993 xl0 @1:10 b 207.45.69.69,1610 -> 134.71.202.57,113 PR tcp len 20 44 -S IN
Jul 31 11:52:51 kd2 ipmon[14110]: 11:52:50.501969 xl0 @1:10 b 207.45.69.69,1610 -> 134.71.202.57,113 PR tcp len 20 44 -S IN
Jul 31 11:52:54 kd2 ipmon[14110]: 11:52:53.501498 xl0 @1:10 b 207.45.69.69,1610 -> 134.71.202.57,113 PR tcp len 20 44 -S IN
Jul 31 11:52:56 kd2 ipmon[14110]: 11:52:55.703527 xl0 @1:10 b 142.163.9.225,6346 -> 134.71.202.57,3343 PR tcp len 20 40 -A IN
Jul 31 11:52:57 kd2 ipmon[14110]: 11:52:56.500682 xl0 @1:10 b 207.45.69.69,1610 -> 134.71.202.57,113 PR tcp len 20 44 -S IN
Jul 31 11:53:00 kd2 ipmon[14110]: 11:52:59.500694 xl0 @1:10 b 207.45.69.69,1610 -> 134.71.202.57,113 PR tcp len 20 44 -S IN
Jul 31 12:00:24 kd2 ipmon[14110]: 12:00:24.220209 xl0 @1:10 b 65.31.146.125,55989 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN
Jul 31 12:00:26 kd2 ipmon[14110]: 12:00:26.040009 xl0 @1:10 b 65.31.146.125,55989 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN
Jul 31 12:00:28 kd2 ipmon[14110]: 12:00:28.794944 xl0 @1:10 b 65.31.146.125,55989 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN
Jul 31 12:00:34 kd2 ipmon[14110]: 12:00:34.302899 xl0 @1:10 b 65.31.146.125,55989 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN
Jul 31 12:00:46 kd2 ipmon[14110]: 12:00:45.284181 xl0 @1:10 b 65.31.146.125,55989 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN
16
Had enough yet?
Jul 31 12:00:58 kd2 ipmon[14110]: 12:00:58.200613 xl0 @1:10 b 24.27.2.83,3363 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN
Jul 31 12:01:01 kd2 ipmon[14110]: 12:01:00.236672 xl0 @1:10 b 61.98.116.133,4510 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN
Jul 31 12:01:01 kd2 ipmon[14110]: 12:01:01.192960 xl0 @1:10 b 24.27.2.83,3363 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN
Jul 31 12:01:03 kd2 ipmon[14110]: 12:01:02.868846 xl0 @1:10 b 12.251.174.163,2403 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN
Jul 31 12:01:03 kd2 ipmon[14110]: 12:01:03.161480 xl0 @1:10 b 61.98.116.133,4510 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN
Jul 31 12:01:05 kd2 ipmon[14110]: 12:01:05.010881 xl0 @1:10 b 24.166.24.65,3816 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN
Jul 31 12:01:05 kd2 ipmon[14110]: 12:01:05.282234 xl0 @1:10 b 24.159.69.143,1834 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN
Jul 31 12:01:06 kd2 ipmon[14110]: 12:01:05.796431 xl0 @1:10 b 12.251.174.163,2403 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN
Jul 31 12:01:07 kd2 ipmon[14110]: 12:01:07.240923 xl0 @1:10 b 24.27.2.83,3363 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN
Jul 31 12:01:07 kd2 ipmon[14110]: 12:01:07.251735 xl0 @1:10 b 65.31.146.125,55989 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN
Jul 31 12:01:08 kd2 ipmon[14110]: 12:01:07.963357 xl0 @1:10 b 24.166.24.65,3816 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN
Jul 31 12:01:08 kd2 ipmon[14110]: 12:01:08.229151 xl0 @1:10 b 24.159.69.143,1834 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN
Jul 31 12:01:09 kd2 ipmon[14110]: 12:01:09.209297 xl0 @1:10 b 65.31.146.125,55989 -> 134.71.202.57,10336 PR tcp len 20 65 -R IN
Jul 31 12:01:09 kd2 ipmon[14110]: 12:01:09.212097 xl0 @1:10 b 61.98.116.133,4510 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN
Jul 31 12:01:12 kd2 ipmon[14110]: 12:01:11.704343 xl0 @1:10 b 12.251.174.163,2403 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN
Jul 31 12:01:14 kd2 ipmon[14110]: 12:01:13.969454 xl0 @1:10 b 24.166.24.65,3816 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN
Jul 31 12:01:14 kd2 ipmon[14110]: 12:01:14.230632 xl0 @1:10 b 24.159.69.143,1834 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN
Jul 31 12:01:28 kd2 ipmon[14110]: 12:01:28.256761 xl0 @1:10 b 166.102.153.16,4886 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN
Jul 31 12:01:29 kd2 ipmon[14110]: 12:01:29.105610 xl0 @1:10 b 166.102.153.16,4886 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN
Jul 31 12:01:36 kd2 ipmon[14110]: 12:01:36.257674 xl0 @1:10 b 166.102.153.16,4886 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN
Jul 31 12:01:39 kd2 ipmon[14110]: 12:01:39.338642 xl0 @1:10 b 134.71.204.115,3792 -> 134.71.202.57,1065 PR udp len 20 36 IN
Jul 31 12:02:02 kd2 ipmon[14110]: 12:02:02.588716 xl0 @1:10 b 66.25.162.252,2868 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN
Jul 31 12:02:05 kd2 ipmon[14110]: 12:02:05.555511 xl0 @1:10 b 66.25.162.252,2868 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN
Jul 31 12:02:10 kd2 ipmon[14110]: 12:02:10.610751 xl0 @1:10 b 68.69.142.167,2613 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN
Jul 31 12:02:11 kd2 ipmon[14110]: 12:02:11.565107 xl0 @1:10 b 66.25.162.252,2868 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN
Jul 31 12:02:13 kd2 ipmon[14110]: 12:02:13.530261 xl0 @1:10 b 68.69.142.167,2613 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN
Jul 31 12:02:14 kd2 ipmon[14110]: 12:02:14.729242 2x xl0 @0:3 b 134.71.203.92,138 -> 134.71.203.255,138 PR udp len 20 269 IN
Jul 31 12:02:20 kd2 ipmon[14110]: 12:02:19.529568 xl0 @1:10 b 68.69.142.167,2613 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN
Jul 31 12:07:59 kd2 ipmon[14110]: 12:07:58.606378 xl0 @1:10 b 65.80.163.98,60325 -> 134.71.202.57,9074 PR tcp len 20 48 -S IN
Jul 31 12:33:33 kd2 ipmon[14110]: 12:33:32.920644 xl0 @0:3 b 80.145.78.83,4286 -> 134.71.202.47,80 PR tcp len 20 48 -S IN
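The slide's point is that raw ipmon output at this volume does not get read, so the useful step is to aggregate it. The Python below is an added example, not part of the slides or of IPFilter: it parses ipmon log lines of the format shown above (including the "2x" repeat-count form and UDP lines without TCP flags) and summarises blocked traffic by destination port, by sources sweeping many hosts on one port, and by host/port pairs receiving many distinct sources. The SAMPLE lines are copied from the slide; the field names assigned to the regex groups are this example's own labels, not IPFilter's documented terms.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional

# One ipmon line, e.g.
# Jul 31 12:02:14 kd2 ipmon[14110]: 12:02:14.729242 2x xl0 @0:3 b 134.71.203.92,138 -> 134.71.203.255,138 PR udp len 20 269 IN
LINE_RE = re.compile(
    r"^(?P<date>\w{3} +\d+ [\d:]+) (?P<host>\S+) ipmon\[\d+\]: "
    r"(?P<ts>[\d:.]+) (?:(?P<count>\d+)x )?(?P<iface>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<act>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<len>\d+)"
    r"(?: (?P<flags>-\S+))? (?P<dir>IN|OUT)$"
)

# Lines copied from the slide's sample log.
SAMPLE = """\
Jul 31 11:00:06 kd2 ipmon[14110]: 11:00:06.786765 xl0 @1:10 b 134.71.4.100,50258 -> 134.71.202.57,23 PR tcp len 20 48 -S IN
Jul 31 11:50:02 kd2 ipmon[14110]: 11:50:02.619311 xl0 @0:3 b 213.244.12.136,4588 -> 134.71.202.37,80 PR tcp len 20 44 -S IN
Jul 31 11:50:02 kd2 ipmon[14110]: 11:50:02.629271 xl0 @0:3 b 213.244.12.136,4597 -> 134.71.202.44,80 PR tcp len 20 44 -S IN
Jul 31 11:50:17 kd2 ipmon[14110]: 11:50:16.882433 xl0 @0:3 b 213.244.12.136,1406 -> 134.71.203.35,80 PR tcp len 20 44 -S IN
Jul 31 11:52:48 kd2 ipmon[14110]: 11:52:47.511993 xl0 @1:10 b 207.45.69.69,1610 -> 134.71.202.57,113 PR tcp len 20 44 -S IN
Jul 31 12:00:58 kd2 ipmon[14110]: 12:00:58.200613 xl0 @1:10 b 24.27.2.83,3363 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN
Jul 31 12:01:01 kd2 ipmon[14110]: 12:01:00.236672 xl0 @1:10 b 61.98.116.133,4510 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN
Jul 31 12:01:39 kd2 ipmon[14110]: 12:01:39.338642 xl0 @1:10 b 134.71.204.115,3792 -> 134.71.202.57,1065 PR udp len 20 36 IN
Jul 31 12:02:14 kd2 ipmon[14110]: 12:02:14.729242 2x xl0 @0:3 b 134.71.203.92,138 -> 134.71.203.255,138 PR udp len 20 269 IN
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one ipmon line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"] or 1)      # "2x" means the line was repeated
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["rule"] = f"@{rec['group']}:{rec['rule']}"
    return rec


def parse_log(text: str) -> List[dict]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def blocked_by_dport(records: List[dict]) -> Dict[int, int]:
    """Blocked packets per destination port, honouring the repeat count."""
    c: Counter = Counter()
    for r in records:
        if r["act"] == "b":
            c[r["dport"]] += r["count"]
    return dict(c)


def sweeps(records: List[dict], min_targets: int):
    """Sources that hit at least `min_targets` distinct hosts on the same port
    (horizontal scan pattern, like 213.244.12.136 on port 80 in the slide)."""
    targets = defaultdict(set)
    for r in records:
        targets[(r["src"], r["dport"])].add(r["dst"])
    return sorted((src, port, len(t)) for (src, port), t in targets.items()
                  if len(t) >= min_targets)


def fan_in(records: List[dict], min_sources: int):
    """Host/port pairs contacted by at least `min_sources` distinct sources
    (many unrelated hosts knocking on 134.71.202.57:10336 in the slide)."""
    sources = defaultdict(set)
    for r in records:
        sources[(r["dst"], r["dport"])].add(r["src"])
    return sorted((dst, port, len(s)) for (dst, port), s in sources.items()
                  if len(s) >= min_sources)


if __name__ == "__main__":
    recs = parse_log(SAMPLE)
    print("blocked by port:", blocked_by_dport(recs))
    print("sweeps:", sweeps(recs, 3))
    print("fan-in:", fan_in(recs, 2))
```

Aggregates like these turn a few hundred lines a minute into a handful of facts (which ports are being probed, which single source is walking the address range, which local port is suddenly popular) that someone will actually look at, which is the balance the slide is asking for.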
17
What is a state?
18
How many states can a computer have?
19
What happens without state?
20
Sample state table.
kd2.ec.csupomona.edu - IP Filter: v3.4.28 - state top 07:50:50
Src = 0.0.0.0 Dest = 0.0.0.0 Proto = any Sorted by = # bytes
Source IP Destination IP ST PR #pkts #bytes ttl
134.71.202.57,4738 64.160.215.222,1677 4/4 tcp 551 368024 119:59:56
134.71.202.57,4744 64.160.215.222,1677 4/4 tcp 399 258160 119:59:59
134.71.202.57,1039 134.71.204.115,1410 4/4 tcp 33 6872 119:59:16
134.71.203.168,138 134.71.203.255,138 0/0 udp 2 458 0:06
134.71.202.57,4727 64.160.215.222,1677 0/6 tcp 5 200 1:58:03
134.71.203.168,137 134.71.203.255,137 0/0 udp 2 156 0:13
134.71.202.57 239.255.255.250 0/0 igmp 1 32 1:20
134.71.202.57,137 134.71.203.255,137 0/0 udp 62 5844 1:51
134.71.202.57,1028 134.71.4.100,53 0/0 udp 35 4910 0:11
134.71.202.57,1038 216.136.175.142,5050 4/4 tcp 35 4208 119:59:59
134.71.202.57,138 134.71.203.255,138 0/0 udp 16 3520 1:49
134.71.203.168,138 134.71.203.255,138 0/0 udp 14 3026 2:00
134.71.203.168,137 134.71.203.255,137 0/0 udp 16 1536 1:59
134.71.202.57,1036 239.255.255.250,1900 0/0 udp 7 1127 1:58
134.71.202.57 239.255.255.250 0/0 igmp 10 320 1:54
134.71.202.57,4727 64.160.215.222,1677 0/6 tcp 5 200 1:53:26
134.71.202.57,1031 134.71.184.58,445 2/0 tcp 3 128 0:47
134.71.202.57,1033 134.71.184.58,445 2/0 tcp 3 128 0:48
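The state table above is what lets a filter answer "is this inbound packet a reply to something we sent?" instead of guessing from port numbers. The Python below is an added example, not the slides' material or IPFilter code: it contrasts a stateless filter, which has to leave high ports open so replies can get back in, with a toy stateful filter that admits inbound packets only when they match an entry created by earlier outbound traffic and expires entries after a timeout (the ttl column above). The flow 134.71.202.57:4738 to 64.160.215.222:1677 is taken from the state table; the unsolicited probe to port 10336 is taken from the slide's log; the 120-second timeout and the rest of the behaviour are this example's assumptions, and real IPFilter/PF additionally track TCP state and sequence windows (the ST column), which this toy omits.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

FlowKey = Tuple[str, str, int, str, int]   # proto, src, sport, dst, dport


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def flow_key(p: Packet) -> FlowKey:
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def reverse_key(p: Packet) -> FlowKey:
    """Key of the flow this packet would be a reply to."""
    return (p.proto, p.dst, p.dport, p.src, p.sport)


class StatelessFilter:
    """No memory. To let replies to outbound connections back in it must pass
    every inbound packet to an unprivileged port, which also admits any
    unsolicited packet aimed at one of those ports."""

    def outbound(self, p: Packet) -> bool:
        return True

    def inbound(self, p: Packet) -> bool:
        return p.dport > 1023


class StatefulFilter:
    """Outbound packets create (or refresh) a state entry; inbound packets pass
    only if they match the reverse of a live entry. Entries expire."""

    def __init__(self, timeout: int = 120) -> None:
        self.timeout = timeout
        self.states: Dict[FlowKey, int] = {}   # key -> expiry time (seconds)

    def _expire(self, now: int) -> None:
        self.states = {k: t for k, t in self.states.items() if t > now}

    def outbound(self, p: Packet, now: int) -> bool:
        self._expire(now)
        self.states[flow_key(p)] = now + self.timeout
        return True

    def inbound(self, p: Packet, now: int) -> bool:
        self._expire(now)
        k = reverse_key(p)
        if k not in self.states:
            return False                       # no matching state: not a reply
        self.states[k] = now + self.timeout    # traffic keeps the entry alive
        return True

    def live_states(self, now: int) -> int:
        self._expire(now)
        return len(self.states)


def run_scenario() -> Dict[str, object]:
    """Replay one outbound connection, its reply and an unsolicited probe
    through both filters and report what each one decided."""
    stateless, stateful = StatelessFilter(), StatefulFilter(timeout=120)
    # Flow from the slide's state table.
    out = Packet("tcp", "134.71.202.57", 4738, "64.160.215.222", 1677, syn=True)
    reply = Packet("tcp", "64.160.215.222", 1677, "134.71.202.57", 4738, syn=True, ack=True)
    # Unsolicited inbound SYN from the slide's log.
    stray = Packet("tcp", "65.31.146.125", 55989, "134.71.202.57", 10336, syn=True)

    stateless.outbound(out)
    stateful.outbound(out, now=0)
    return {
        "reply_stateless": stateless.inbound(reply),
        "reply_stateful": stateful.inbound(reply, now=1),
        "stray_stateless": stateless.inbound(stray),
        "stray_stateful": stateful.inbound(stray, now=2),
        "states_live": stateful.live_states(now=60),
        "reply_after_timeout": stateful.inbound(reply, now=500),
        "states_after_timeout": stateful.live_states(now=500),
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k:22} {v}")
```

Both filters let the legitimate reply through, but only the stateful one refuses the stray SYN to port 10336, and once the entry has aged out (the ttl reaching zero in the table above) even a well-formed "reply" is refused. That is the answer to "what happens without state": the stateless filter's high-port hole is exactly the traffic filling the sample log earlier in the deck.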
21
Where does a firewall fit in the security model?
22
Ruleset design
23
Ruleset design: Block Everything
24
Ruleset design: Block Nothing
26
An IDS sounds good. Is it?
28
Filtering bad traffic
(RFC 1918, bad headers, options, etc.)
29
Black hole or Return-RST
(or how to respond to things you don't want.)
30
Poking holes
How to allow traffic and expose yourself.
31
Compromised Machines
32