Philip MacCabe
IT 461R
September 28, 2004
Heavily borrowing and sometimes outright stealing information from
Internet Firewalls: Frequently Asked Questions
by Paul Robertson,
Matt Curtin, and Marcus Ranum
Creative Commons Attribution-NonCommercial-ShareAlike License
What is a Firewall?
  A system to enforce an access control policy between two or more networks
Types of Firewalls
  Network Layer
    Faster
    Less ability to perform sophisticated packet examination
  Application Layer
    Slower
    More complex packet examination
  Hybrid
    The spectrum in between
    Most current firewalls are somewhere in this category
Terminology
  Access Router: A router that provides a connection to an external network.
  Bastion Host: A system that has been hardened to resist attack, one which is expected to come under attack.
  Defense in Depth: A security approach where all network-connected systems are secured as much as possible.
  DMZ: De-Militarized Zone, an area outside the firewall for externally accessible hosts. These hosts should be bastion hosts.
  Proxy: A software agent that acts on behalf of a user or another device, usually providing some sort of authentication.
  Screening Router: A router configured to allow or deny access based on a set of rules configured by an administrator.
Firewall Topologies
Why do we need Firewalls?
What protection does a Firewall provide?
What protection is not provided by Firewalls?
  Protection from attacks that don't pass through the firewall (USB, CD-ROM, dial-up access to machines within the network, etc.)
  Protection from people inside the network & social engineering
  Protection from most viruses and malware
  Tunnelling over application protocols
  Exploits of allowed systems/protocols such as IRC
  It's silly to build a six-foot thick steel door when you live in a wooden house...
Designing a Firewall, Planning
  What is the purpose of the Firewall?
    Limit Service
    Monitor & Audit
  Establish your risk level
    How paranoid are you?
    Determine how much monitoring and redundancy you need
  Financial & Management
    Who pays and how?
    Who is responsible for implementation? maintenance?
Technical Planning
  Network Level, Application Level or Both
    Network Level: Screening Router
      Usually faster at processing data
    Application Level: Exposed Proxy Server
      Better auditing is possible
      A proxy must be configured for each service
    Both
      Security of both, but with overhead in cost and configuration
  Ease of Use vs. Security
Network Layer Firewall
  Filters based on addressing and control information, the "envelope" of the packet
  Denies traffic on certain ports or from certain address ranges
  Imposes limitations on packets to ensure they don't overwhelm the network (TTL, packet size)
Application Layer Firewall
  Proxy servers for each service allowed through the firewall
  Used when it is necessary to filter based on content, the "letter" in the packet
  Can be used to detect and prevent known exploits of particular protocols
  Acts as a Man in the Middle
netfilter/iptables
  http://www.netfilter.org/
  Linux firewall implementation toolset
  Provides packet filtering, connection tracking, NAT, port forwarding
  Provides tables of rules through which packets are passed to determine what to do with them
  Inside a table there are chains of rules which a packet must traverse before being sent on its way
  Provides an API for applications to interact with and manage firewall configuration
Netfilter Architecture
  http://www.netfilter.org/documentation/HOWTO//netfilter-hacking-HOWTO-3.html

     --->PRE------>[ROUTE]--->FWD---------->POST------>
         Conntrack    |       Mangle   ^    Mangle
         Mangle       |       Filter   |    NAT (Src)
         NAT (Dst)    |                |    Conntrack
         (QDisc)      |             [ROUTE]
                      v                |
                      IN Filter       OUT Conntrack
                      |  Conntrack     ^  Mangle
                      |  Mangle        |  NAT (Dst)
                      v                |  Filter
iptables
  filter: rules for DROPing or ACCEPTing packets; this is the default table
    INPUT, FORWARD, and OUTPUT chains
  mangle: rules for altering packets
    PREROUTING, POSTROUTING, OUTPUT, INPUT and FORWARD chains
  nat: rules that perform NAT on packets
    PREROUTING, OUTPUT, and POSTROUTING chains
Some Example Commands
  http://iptables-tutorial.frozentux.net/iptables-tutorial.html
  iptables -A INPUT -p tcp --dport 80 -j DROP
    (--dport only works together with a protocol match such as -p tcp)
  iptables -D INPUT 1
    (rules are numbered within a chain)
  iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 194.236.50.155-194.236.50.160:1024-32000
  iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-set 64
  iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-prefix "SSH connection attempt: "
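The commands above are single rules; as an added example that is not part of the original slides, the script below assembles them into a small default-deny, stateful INPUT policy in the order the chain is walked (first match wins, so the admin-network SSH accept sits before the logging rule). The interface name and the 192.0.2.0/24 admin network are constructed values; it uses the LOG target in place of the deck's ULOG, which later kernels replaced with NFLOG, and it prints the rules instead of applying them unless IPT is set to the real binary.

```shell
#!/bin/sh
# Added example, not from the slides. Dry run by default: set IPT=iptables
# (as root) to apply the rules instead of echoing them.
IPT="${IPT:-echo iptables}"

firewall_rules() {
    wan="$1"      # external interface, constructed value e.g. eth0
    ssh_net="$2"  # CIDR allowed to reach SSH, constructed value

    # 1. Known starting state: flush all three tables, then default
    #    policies. DROP on INPUT/FORWARD means "deny unless allowed".
    $IPT -F
    $IPT -t nat -F
    $IPT -t mangle -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # 2. Loopback and connection tracking: replies to connections this
    #    host opened arrive on INPUT, so accept ESTABLISHED/RELATED early
    #    and drop packets conntrack cannot attribute to any connection.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP

    # 3. Services: SSH only from the admin network, HTTP from anywhere.
    $IPT -A INPUT -i "$wan" -p tcp --dport 22 -s "$ssh_net" -j ACCEPT
    $IPT -A INPUT -i "$wan" -p tcp --dport 80 -j ACCEPT

    # 4. Audit: rate-limited log of the SSH attempts that fall through,
    #    just before the default DROP policy discards them.
    $IPT -A INPUT -i "$wan" -p tcp --dport 22 -m limit --limit 5/min \
         -j LOG --log-prefix "SSH connection attempt: "
}

# Number of iptables invocations the dry run would apply (for checking).
rule_count() {
    firewall_rules "$1" "$2" | grep -c '^iptables '
}

firewall_rules eth0 192.0.2.0/24
```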
Other Sources of Information on the Internet
Site Security Handbook
The Site Security Handbook is an informational IETF document that describes the basic issues that must be addressed for building good site security. Firewalls are one part of a larger security strategy, as the Site Security Handbook shows.
Firewall HOWTO
Describes exactly what is needed to build a firewall, particularly using Linux.
Other Sources in Print
Building Internet Firewalls, 2d ed.
Elizabeth D. Zwicky, Simon Cooper, and D. Brent Chapman
O'Reilly 2000 ISBN 1-56592-871-7
Firewalls and Internet Security: Repelling the Wily Hacker
Bill Cheswick, Steve Bellovin, Avi Rubin
Addison Wesley 2003 ISBN 020163466X
Practical Internet & Unix Security
Simson Garfinkel and Gene Spafford
O'Reilly 1996 ISBN 1-56592-148-8
Internetworking with TCP/IP Vols I, II, and III
Douglas Comer and David Stevens
Prentice-Hall 1991 ISBN 0-13-468505-9 (I), 0-13-472242-6 (II), 0-13-474222-2 (III)
Unix System Security--A Guide for Users and System Administrators
David Curry
Addison Wesley 1992 ISBN 0-201-56327-4
Obligatory "Any Questions?" Slide