
Firewalls

Philip MacCabe
IT 461R
September 28, 2004
Heavily borrowing and sometimes outright stealing information from
Internet Firewalls: Frequently Asked Questions
by Paul Robertson,
Matt Curtin, and Marcus Ranum
Creative Commons Attribution-NonCommercial-ShareAlike License

What is a Firewall?

A system to enforce an access control policy between two or more networks.
Types of Firewalls

Network Layer
  Faster
  Less ability to perform sophisticated packet examination

Application Layer
  Slower
  More complex packet examination

Hybrid
  The spectrum in between
  Most current firewalls are somewhere in this category

Terminology

Access Router: A router that provides a connection to an external network.
Bastion Host: A system that has been hardened to resist attack, one which is expected to come under attack.
Defense in Depth: A security approach where all network-connected systems are secured as much as possible.
DMZ: DeMilitarized Zone, an area outside the firewall for externally accessible hosts. These hosts should be bastion hosts.
Proxy: A software agent that acts on behalf of a user or another device, usually providing some sort of authentication.
Screening Router: A router configured to allow or deny access based on a set of rules configured by an administrator.

Firewall Topologies

(Images from Iptables Tutorial 1.1.19)

Why do we need Firewalls?

To limit access to internal networks and network services
As a security blanket for managers.
Historically, firewalls have acted as sources for public information for a network or organization.

What protection does a Firewall provide?

A "choke point" for imposing security restrictions and audits
Limitation of the attack surface of a network by limiting connections on unused ports
Filtering of traffic to implement security checks and denial of suspicious or unauthorized traffic
Isolation of internal addresses from external through NAT, port forwarding, etc.

What protection is not provided by Firewalls?

Protection from attacks that don't pass through the firewall (USB, CD-ROM, dial-up access to machines within the network, etc.)
Protection from people inside the network & social engineering
Protection from most viruses and malware
Tunnelling over application protocols
Exploits of allowed systems/protocols such as IRC

It's silly to build a six-foot thick steel door when you live in a wooden
house...

Designing a Firewall, Planning

What is the purpose of the Firewall?
  Limit Service / Monitor & Audit

Establish your risk level
  How paranoid are you?
  Determine how much monitoring and redundancy you need

Financial & Management
  Who pays and how?
  Who is responsible for implementation? maintenance?

Technical Planning

Network Level, Application Level or Both
  Network Level: Screening Router
    Usually faster at processing data
  Application Level: Exposed Proxy Server
    Better auditing is possible
    A proxy must be configured for each service
  Both
    Security of both but with overhead in cost and configuration

Ease of Use vs. Security

Network Layer Firewall

Filters based on addressing and control information, the "envelope" of the packet
Denies traffic on certain ports or from certain address ranges
Imposes limitations on packets to ensure they don't overwhelm the network (TTL, packet size)

Application Layer Firewall

Proxy servers for each service allowed through the firewall
Used when it is necessary to filter based on content, the "letter" in the packet
Can be used to detect and prevent known exploits of particular protocols
Acts as a Man in the Middle

netfilter/iptables
http://www.netfilter.org/

Linux firewall implementation toolset
Provides packet filtering, connection tracking, NAT, port forwarding
Provides tables of rules through which packets are passed to determine what to do with them
Inside a table there are chains of rules which a packet must traverse before being sent on its way
Provides an API for applications to interact with and manage firewall configuration

Netfilter Architecture

http://www.netfilter.org/documentation/HOWTO//netfilter-hacking-HOWTO-3.html

   --->PRE------>[ROUTE]--->FWD---------->POST------>
       Conntrack    |       Mangle   ^    Mangle
       Mangle       |       Filter   |    NAT (Src)
       NAT (Dst)    |                |    Conntrack
       (QDisc)      |             [ROUTE]
                    v                |
                    IN Filter       OUT Conntrack
                    | Conntrack      ^  Mangle
                    | Mangle         |  NAT (Dst)
                    v                |  Filter

iptables

filter: rules for DROPing or ACCEPTing packets; this is the default table
  INPUT, FORWARD, and OUTPUT chains

mangle: rules for altering packets
  PREROUTING, POSTROUTING, OUTPUT, INPUT and FORWARD chains

nat: rules that perform NAT on packets
  PREROUTING, OUTPUT, and POSTROUTING chains

Some Example Commands
http://iptables-tutorial.frozentux.net/iptables-tutorial.html

  iptables -A INPUT -p tcp --dport 80 -j DROP
    (--dport needs a protocol match, so -p tcp is required)

  iptables -D INPUT 1
    (rules are numbered within a chain, starting at 1)

  iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 194.236.50.155-194.236.50.160:1024-32000

  iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-set 64

  iptables -A INPUT -p tcp --dport 22 -j ULOG --ulog-prefix "SSH connection attempt: "
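To show how a chain is traversed (rules tried in order, first terminating match wins, chain policy otherwise) and how rule numbering affects -D, here is a toy model of an iptables filter chain. It is an added illustration, not netfilter code; the admin host address and the sample packets are constructed.

```python
# Toy model of iptables chain traversal (added illustration, not netfilter code).
# Rules are tried in order; the first terminating match decides the packet, and
# the chain policy applies when nothing matches. Packets below are constructed.
from dataclasses import dataclass
from typing import Optional
@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str                        # source address
    dport: Optional[int] = None     # destination port
@dataclass
class Rule:
    target: str                     # ACCEPT, DROP, or LOG (LOG does not terminate)
    proto: Optional[str] = None     # -p
    dport: Optional[int] = None     # --dport
    src: Optional[str] = None       # -s (exact address only in this toy)
    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.src is None or self.src == p.src))
class Chain:
    """One chain of the filter table (e.g. INPUT) with its default policy."""
    def __init__(self, policy: str = "ACCEPT"):
        self.policy, self.rules, self.log = policy, [], []
    def append(self, rule: Rule) -> None:      # iptables -A CHAIN ...
        self.rules.append(rule)
    def delete(self, number: int) -> None:     # iptables -D CHAIN n (1-based)
        del self.rules[number - 1]
    def verdict(self, p: Packet) -> str:
        for rule in self.rules:                # traverse rules in order
            if not rule.matches(p):
                continue
            if rule.target == "LOG":           # record and keep traversing
                self.log.append(f"{p.proto} {p.src} -> dport {p.dport}")
                continue
            return rule.target                 # first terminating match wins
        return self.policy                     # no match: policy decides
def demo() -> dict:
    """Model the slide's INPUT examples with a default-DROP policy."""
    inp = Chain(policy="DROP")                                          # iptables -P INPUT DROP
    inp.append(Rule("LOG", proto="tcp", dport=22))                      # ULOG SSH attempts
    inp.append(Rule("ACCEPT", proto="tcp", dport=22, src="192.0.2.10")) # admin host (constructed)
    inp.append(Rule("DROP", proto="tcp", dport=80))                     # -A INPUT -p tcp --dport 80 -j DROP
    result = {"ssh_admin": inp.verdict(Packet("tcp", "192.0.2.10", 22)),
              "ssh_other": inp.verdict(Packet("tcp", "198.51.100.7", 22)),
              "http": inp.verdict(Packet("tcp", "198.51.100.7", 80))}
    inp.delete(1)                              # iptables -D INPUT 1 removes the LOG rule
    result["ssh_admin_after"] = inp.verdict(Packet("tcp", "192.0.2.10", 22))
    result["logged"] = len(inp.log)            # only the two SSH packets seen before -D
    return result
```

Note that after `inp.delete(1)` the former rule 2 becomes rule 1, which is why deleting by number on a live chain deserves a `iptables -L --line-numbers` check first.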

Other Sources of Information on the Internet

Site Security Handbook
The Site Security Handbook is an informational IETF document that describes the basic issues that must be addressed for building good site security. Firewalls are one part of a larger security strategy, as the Site Security Handbook shows.

Firewalls Mailing List
The internet firewalls mailing list is a forum for firewall administrators and implementors.

Firewall-Wizards Mailing List
The Firewall Wizards Mailing List is a moderated firewall and security related list that is more like a journal than a public soapbox.

Firewall HOWTO
Describes exactly what is needed to build a firewall, particularly using Linux.

Firewall Toolkit (FWTK) & Firewall Papers
Marcus Ranum's Firewall Publications
Texas A&M University Security Tools
COAST Project Internet Firewalls Page

Iptables Tutorial 1.1.19
Oskar Andreasson explains how to set up and configure a firewall using netfilter/iptables

Other Sources in Print
Building Internet Firewalls, 2d ed.
Elizabeth D. Zwicky, Simon Cooper, and D. Brent Chapman
O'Reilly 2000 ISBN 1-56592-871-7
Firewalls and Internet Security: Repelling the Wily Hacker
Bill Cheswick, Steve Bellovin, Avi Rubin
Addison Wesley 2003 ISBN 020163466X
Practical Internet & Unix Security
Simson Garfinkel and Gene Spafford
O'Reilly 1996 ISBN 1-56592-148-8
Internetworking with TCP/IP Vols I, II, and III
Douglas Comer and David Stevens
Prentice-Hall 1991 ISBN 0-13-468505-9 (I), 0-13-472242-6 (II), 0-13-474222-2 (III)
Unix System Security--A Guide for Users and System Administrators
David Curry
Addison Wesley 1992 ISBN 0-201-56327-4

Obligatory "Any Questions?" Slide
