cs490ns firewalls sp11 bw
TRANSCRIPT
-
8/10/2019 CS490ns Firewalls Sp11 Bw
1/66
cs490ns - cotter 1
Firewalls: What they do. How they work.
Outline
What is a firewall?
Architectures:
  Stand Alone / application / proxy
  Personal / host based
  Gateway / packet filters
  Enterprise / hardware
Roles: Bastion, DMZ
Packet Filtering concepts: IPTables, Stateful filtering
Packet Forwarding: Ethernet bridge
What is a Firewall?
A hardware or software device that monitors (and controls?) the transmission of packets that attempt to pass through the perimeter of a network (or host).
Provides 2 basic security functions:
  Packet Filtering
  Application Proxy gateways
Additional security features:
  Log unauthorized (and authorized?) access attempts
  Provide VPN Connections
  Support user authentication
  Shield internal machines from outside view
What should a firewall do?
Control the flow of packets to/from Internet
Block external login as root (?)
Must distinguish between local and Internet packets (even spoofed addresses)
Support limited user accounts
Log all system activities
Types of Firewalls
Stand Alone / application / proxy
Enterprise / Local
Hardware / Software
Gateway / router / packet filter
Personal / host based
  Windows firewall: incoming protection
  ZoneAlarm, Linux, etc.: incoming / outgoing filter
Types of Firewalls
[Diagram: between the Internet and the Corporate Network: Router / packet filter, Stateful Firewall, Application Proxy, Host-based Firewall]
Standalone Proxy Firewalls
Application Gateways: intended to buffer the interface between an internal application and the Internet
  Web Servers
  Mail Servers
  File Transfer
Controls flow of packets into and out of local network
  Limit access to specific web sites
  Cache results for use by other internal hosts
Hide internal IP addresses from network view
Enterprise Firewalls
Intended to support larger traffic volumes
Provides more sophisticated support: stateful filtering, etc.
Software: Checkpoint Firewall 1, Microsoft ISA, Symantec Enterprise, etc.
Hardware: Cisco PIX, SonicWall, Watchguard, etc.
Expensive!
Gateway / Packet Filter
May be embedded in sophisticated routers
May be used for SOHO networks
  May be incorporated into small SOHO routers
  May be incorporated into a gateway host (Linux?)
Provides the ability to monitor and control packets through the gateway / router.
Generally supports in / out / through filtering
May not include stateful filtering capabilities
Host-based Firewalls
Intended as a last line of defense for the host computer
Runs as a background process on host
Limited bandwidth available
Generally supports incoming port filtering
  Can specify which ports (if any) can accept incoming connection requests.
Occasionally supports outgoing filtering (looking for worms, trojans, etc.)
Firewall Roles
Bastion Hosts: hardened systems that typically run a firewall and perhaps an application as well
DMZ (demilitarized zone): an isolated subnetwork that includes all services that are offered over the internet (and perhaps to the internal network as well).
Bastion Firewall and Host
[Diagram: Internet, Firewall, LAN, Web Server]
DMZ
[Diagram: Internet, LAN, and a DMZ holding the Web and E-mail servers]
What is Packet Filtering?
The process of deciding which packets to allow through the filter, based on attributes of the packet:
  Source / Destination Port
  Source / Destination IP Address
  Status flags in the packet (SYN)
  Originating protocol (ICMP, TCP, etc.)
  Connection state (TCP)
Linux (2.4+) supports Netfilter (based on iptables)
How does Packet Filtering Work?
Define rules to allow or block specific types of packets
Firewall screens all packet headers to look for matches against the rules
Apply rules in the order in which they are stored
Allow or block packets based on rule matches.
If a packet matches no rules, apply default behavior to the packet (usually deny).
Packet Filtering Issues
Rules are complex. Easy to introduce errors
Filters based on IP addresses. If authorized sites are hacked, your site is compromised
IP Spoofing can fake authorized (internal?) sites.
Routers can be hacked to reroute internal packets
Activities need to be logged
Internal host addresses should be hidden
Iptables
Administration tool for IPv4 packet filtering and NAT
Used to set up, maintain, and inspect the tables of IP packet filtering rules used by the kernel to manage packet flow through the firewall.
Based on tables that specify the overall task and chains that identify the position of the packet in the packet flow.
IPTables tables
Filter table: used to control the flow of packets based on packet attributes
  Only filter packets; don't modify packets here.
Network Address Translation (NAT) table: used to change the source / destination IP address and / or port of selected incoming / outgoing packets
Mangle table: supports specialized packet handling / routing
  Change contents of packet
Experimental and developing tables
Basic Packet Filtering
[Diagram: Internet and LAN on either side of the filter table's Input, Output and Forward chains; RH-Firewall-1-INPUT chain]
Incoming Packets to Filter
Illegal incoming source IP addresses:
  Your IP Address
  Your LAN Address
  Private Network Addresses
  Multicast IP Addresses
  Loopback Interface Addresses
Nuisance sites / networks
Remote Source Port Filtering
Local Destination Port Filtering
Incoming TCP connection-state filtering
Probes and Scans
DoS Attacks
Etc.
Packet Filtering alert list
CERT (www.cert.org): Carnegie-Mellon Software Engineering Institute
www.us-cert.gov
Port Filter List (3/08):
  DNS zone transfers 53
  tftpd 69
  link 87
  RPC / NFS 111 / 2049
  BSD r commands 512, 513, 514
  lpd 515
  uucpd 540
  openwindows 2000
  X windows 6000+
Outgoing Packets to Filter
Why?
  Consideration for fair use in Internet
  Distribution of private information
  Detection of unwanted client programs (Trojans, etc.). See http://www.us-cert.gov/cas/tips/ST06-001.html
What?
  Legitimate, routable addresses only
  Destination IP Addresses
  Destination ports
  Source Ports
Filter Table Chains
May be associated with any interface (eth0, etc.)
INPUT: used to test packets that come into the firewall
OUTPUT: used to test packets that are leaving the firewall
FORWARD: used to test packets that are passing through the firewall
Packets should pass through only 1 chain
Filter table packet flow
[Diagram: Routing decision, Input Chain (to Local Processes), Forward Chain, Output Chain; each chain can Drop]
Iptables rule structure
iptables -t table action chain rule target
  table: which table are we working with (filter is default)
  action: what action do we want to do to that table (insert, delete, etc.)
  chain: which chain in that table are we working with
  rule: what do we want to do?
  target: where do we go if we match the rule?
IPTables Actions
Create a new chain (-N).
Delete an empty chain (-X).
Change the default policy for a chain (-P).
List the rules in a chain (-L).
Flush the rules out of a chain (-F).
Zero the packet and byte counters on all rules in a chain (-Z).
IPTables Actions
Append a new rule to the end of a chain (-A).
Insert a new rule at some position in a chain (-I).
Replace a rule at some position in a chain (-R).
Delete a rule at some position in a chain, or the first that matches (-D).
IPTables targets
ACCEPT: stop processing and pass to application / OS
DROP: stop processing and block packet
LOG: packet info sent to syslog; continue processing
REJECT: stop processing and send reject message to source
DNAT: change destination network address
SNAT: change source network address
MASQUERADE: do source network address translation (PAT)
Example Filter Rules
# Allow traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Set default policy for chain
iptables --policy INPUT DROP
# Allow all outgoing connections (new connections that did not arrive on ppp0)
iptables -A block -m state --state NEW ! -i ppp0 -j ACCEPT
# Block incoming attempts to X windows (a port range is written with a colon)
iptables -A INPUT -i eth1 -p tcp --syn --destination-port 6000:6003 -j REJECT
Example Filter Rules
# Allow incoming connections to local web server
iptables -t filter -A block -p tcp --dport 80 -i eth1 -j ACCEPT
# Insert a rule (at position 7) that allows incoming udp packets to port 12345
iptables -I block 7 -p udp --dport 12345 -j ACCEPT
# Allow DNS requests NOT from outside
iptables -A block -p tcp --dport 53 -m state --state NEW ! -i eth1 -j ACCEPT
# Allow (and redirect) incoming web connections to 192.168.5.6
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.5.6
Simple Firewall table
## Insert connection-tracking modules (not needed if built into kernel).
insmod ip_conntrack
insmod ip_conntrack_ftp
## Make chain that blocks new connections, except if coming from LAN.
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW ! -i ppp0 -j ACCEPT
iptables -A block -j DROP
## Jump to that chain from INPUT and FORWARD chains.
iptables -A INPUT -j block
iptables -A FORWARD -j block
Iptables default config file: /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
CentOS 5.5 Firewall, part 1
[rcotter@lserver3 ~]$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target               prot opt source     destination
RH-Firewall-1-INPUT  all  --  anywhere   anywhere

Chain FORWARD (policy ACCEPT)
target               prot opt source     destination
RH-Firewall-1-INPUT  all  --  anywhere   anywhere

Chain OUTPUT (policy ACCEPT)
target               prot opt source     destination
CentOS 5.5 Firewall, part 2
Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.1.0/24       0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  134.193.12.34        0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:137
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:138
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:139
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:445
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:2069
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3128
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3306
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
Filter table
Input, forward chains point to custom chain RH-Firewall-1-INPUT
Output chain set to accept all (allow any outgoing traffic)
RH-Firewall-1-INPUT chain:
  Initial 4 rules allow broad classes of packets
  Allow multicast DNS
  Allow ipp (Internet Printing Protocol)
  Allow incoming UDP packets to port 12345 (special server set up for cs423 class)
  Allow incoming SSH connections
  Reject everything else!
Network Address Translation
What? Translates IP addresses and / or ports as packet passes through firewall
  Only first packet of a connection will traverse the table. All remaining packets are modified the same as the first packet.
Why?
  Private local IP Addresses
  Multiple Servers (load sharing)
  Transparent Proxying
NAT table
Used to map local IP addresses to a set of routable addresses (NAT)
Used to map local IP addresses to a set of ports associated with a single routable address (NAPT)
Used to map local IP addresses to a set of ports associated with a variable routable address (masquerade)
  Dial-up connection
  Dynamically assigned IP address
  Other
NAT
Two types of NAT:
  Source NAT (SNAT): used to translate the source IP address of a packet (typically outgoing)
  Destination NAT (DNAT): used to translate the destination IP address of a packet (typically incoming).
NAT table chains
Pre-routing: used to test / modify the destination addresses of incoming packets
Output: used to change the source (or destination) address of locally generated packets
Post-routing: used to change the source address of outgoing packets.
Simple NAT table rules
# Masquerade out ppp0
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Disallow NEW & INVALID incoming or forwarded packets from ppp0.
iptables -A INPUT -i ppp0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i ppp0 -m state --state NEW,INVALID -j DROP
# Turn on IP forwarding (in RAM)
echo 1 > /proc/sys/net/ipv4/ip_forward
# Turn on IP forwarding (in file /etc/sysctl.conf)
net.ipv4.ip_forward = 1
Mangle table
Used for special routing and packet modification.
Use TOS (type of service) field in IP header.
TTL
Can be used to set and test markers placed
Mangle Table Routing
[Diagram: AS, Internet]
Linux Firewall Mgmt
iptables: make changes to memory image of firewall rules
iptables-save: display a copy of the memory image
  Can redirect the copy to a file using output redirection:
  iptables-save > /etc/sysconfig/iptables
iptables-restore: rebuild memory image from keyboard or file (using redirection)
Security Level and Firewall Applet (Fedora): creates an automatic backup file, /etc/sysconfig/iptables
IPTables Constraints
Based on IP only
  Don't run IPX, AppleTalk, etc., as these protocols are not filtered
Packets traversing the filter table will pass through only 1 chain
Port Forwarding
[Diagram: SOHO router between the Internet and the LAN; 123.234.56.78:80 forwarded to HTTPD at 192.168.3.6:80]
SOHO Router Port Range Forwarding
IPTables Port Forwarding
(The addresses and ports below are placeholders: PUBLIC_IP:PORT is the firewall's routable address and port, LAN_IP:LAN_PORT the internal server, FIREWALL_IP the address returned traffic is rewritten to.)
# For incoming packets
iptables -t nat -A PREROUTING -p tcp -d PUBLIC_IP --dport PORT -j DNAT --to-destination LAN_IP:LAN_PORT
# For returned packets
iptables -t nat -A POSTROUTING -m conntrack --ctstate DNAT -p tcp -d LAN_IP --dport LAN_PORT -j SNAT --to-source FIREWALL_IP
# For packets originating on firewall
iptables -t nat -A OUTPUT -p tcp -d PUBLIC_IP --dport PORT -j DNAT --to-destination LAN_IP:LAN_PORT
IPtables rerouting Issues
Often, when we re-route packets, we only need to change destination (or source) IP address.
Sometimes (if we are rerouting to a locally connected destination) we need to change both IP address and MAC address.
IPtables only filters IP traffic. It cannot change IPX, NetBEUI, AppleTalk, etc.
EBtables
Ethernet Bridge tables: intended to support filtering of packets that IPtables cannot filter (Ethernet protocol, MAC address, ARP, NetBEUI, IPX, etc.). Basically adds non-IP filtering.
802.1Q VLAN filtering
MAC address NAT
Frame counters
Linux bridge-nf code: passes bridged traffic to IPtables
EBtables Structure
broute table: BROUTING chain
  Choose whether to process packet at layer 2 (bridge) or at layer 3 (route)
  e.g. route normal IP traffic and bridge IPX traffic
filter table: FORWARD, INPUT, OUTPUT chains
  Route packets based on MAC addresses
nat table: PREROUTING, OUTPUT, POSTROUTING chains
  Change MAC addresses (redirect based on MAC)
Ethernet Bridge Firewall
[Diagram: Internet and LAN joined by a Linux box configured as a bridge, with firewall installed]
Ethernet Bridge Firewall
Use bridging firewall (ebtables) to set up rules to pass packets through host.
Since processing happens at Data Link Layer, there is no need to assign an IP address to host interfaces, so machine is invisible to network scanning.
Offers better protection, and less configuration of the remaining network.
Can also be configured with an IDS.
Ethernet Bridge Firewall
Create a virtual Ethernet bridge interface:
  brctl addbr br0
Add our interfaces to the bridge:
  brctl addif br0 eth0
  brctl addif br0 eth1
Remove the IP configuration from interfaces:
  ifconfig eth0 down
  ifconfig eth1 down
  ifconfig eth0 0.0.0.0 up
  ifconfig eth1 0.0.0.0 up
Configure access for the bridge: local console, OOB network, or configure 1 IP
Ethernet Bridge Firewall (2)
[Diagram: Internet, LAN]
Example Firewall Application
Monitor all outgoing traffic
  Most firewalls only monitor incoming traffic by default
Identify what traffic is desired and block the rest.
  Many applications generate queries to their servers
  Spyware
  Hacks
App development process
Capture all outgoing traffic
  Monitor traffic as it enters or leaves the network (Ethernet Bridge)
  Use iptables to log traffic:
  -A firewall-win1 -j LOG --log-level 4 --log-prefix "Win1 " --log-tcp-options --log-ip-options
Set up syslog to divert level 4 messages to a separate file (see syslog.conf):
  kern.warning /var/log/iptables.log
Save data daily to separate file: iptables_log_022011
Primary Firewall Filter Table
# Generated Manually 8/19/10
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [8183:1429550]
:OUTPUT ACCEPT [14722:762210]
-N RH-Firewall-1-INPUT
# Create separate chains for each host - 8/19/10
-N Firewall-Win2
-N Firewall-Win1
-N Firewall-lserver3
#new line 8/26/10 - start monitoring this machine
-N firewall-bridge
-A OUTPUT -j firewall-bridge
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD --src 192.168.1.25 -j Firewall-lserver3
-A FORWARD --src 192.168.1.35 -j Firewall-Win2
-A FORWARD --src 192.168.1.30 -j Firewall-Win1
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j DROP
-A Firewall-Win1 --dst 192.168.1.0/24 -j ACCEPT
Win1 Outgoing Firewall Chain
-A Firewall-Win1 -p icmp -m icmp --icmp-type any -j ACCEPT
-A Firewall-Win1 --dst 134.193.123.45 -j ACCEPT
-A Firewall-Win1 --dst 208.67.222.222 -j ACCEPT
# Allow queries to Dropbox
-A Firewall-Win1 --dst 50.16.0.0/16 -j ACCEPT
# Allow queries to Kaspersky
-A Firewall-Win1 --dst 38.117.98.0/24 -j ACCEPT
-A Firewall-Win1 --dst 38.124.168.0/24 -j ACCEPT
-A Firewall-Win1 --dst 38.113.165.0/24 -j ACCEPT
-A Firewall-Win1 --dst 79.141.216.0/24 -j ACCEPT
# Allow queries to Microsoft (update)
-A Firewall-Win1 --dst 207.46.206.0/24 -j ACCEPT
-A Firewall-Win1 --dst 65.55.200.0/24 -j ACCEPT
-A Firewall-Win1 --dst 64.4.30.0/24 -j ACCEPT
-A Firewall-Win1 --dst 65.54.221.0/24 -j ACCEPT
# Allow queries to dyndns.org
-A Firewall-Win1 --dst 91.198.22.0/24 -j ACCEPT
-A Firewall-Win1 --dst 204.13.248.0/24 -j ACCEPT
-A Firewall-Win1 --dst 208.78.69.0/24 -j ACCEPT
# Lots of multicast traffic. Drop it.
-A Firewall-Win1 --dst 224.0.0.0/8 -j DROP
# Now, log everything else before dropping it
-A Firewall-Win1 -m physdev --physdev-in eth1 -j LOG --log-level 4 --log-prefix "Win1 " --log-tcp-options --log-ip-options
#For everything else, reject the traffic.
-A Firewall-Win1 -j DROP
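One way to build the per-host outgoing chain described in the App development process and shown above for Win1, generalized so every monitored LAN host gets the same allow / drop-multicast / LOG / DROP layout. This is an added example, not the course's script; it assumes the bridge layout from the slides (LAN side on eth1) and a 192.168.1.0/24 LAN, and the chain name and destinations passed to it are illustrative.

```shell
#!/bin/sh
# Added example, not from the lecture: build one outgoing chain per LAN host
# with the allow / drop-multicast / LOG / DROP layout of the Firewall-Win1 chain.
# Assumes the bridge layout from the slides (LAN side on eth1, so
# --physdev-in eth1 marks frames entering from the LAN) and a 192.168.1.0/24 LAN.

IPT="${IPT:-iptables}"   # set IPT=echo to print the rules instead of loading them

# make_host_chain CHAIN LAN_IP DST...
#   CHAIN  : name of the per-host chain to create
#   LAN_IP : the host's address; its forwarded packets are sent to CHAIN
#   DST... : destinations (host or CIDR) the host is allowed to reach
make_host_chain() {
    chain=$1; lan_ip=$2; shift 2
    $IPT -N "$chain"
    # Hook the chain from FORWARD by source address, as the Primary
    # Firewall Filter Table does for each monitored host.
    $IPT -A FORWARD --src "$lan_ip" -j "$chain"
    # Traffic that stays on the LAN, and ICMP, is accepted without logging.
    $IPT -A "$chain" --dst 192.168.1.0/24 -j ACCEPT
    $IPT -A "$chain" -p icmp -m icmp --icmp-type any -j ACCEPT
    # One ACCEPT per expected destination (update servers, DNS, ...).
    for dst in "$@"; do
        $IPT -A "$chain" --dst "$dst" -j ACCEPT
    done
    # Multicast is noisy and not interesting here: drop it silently.
    # 224.0.0.0/4 is the whole class D (multicast) range.
    $IPT -A "$chain" --dst 224.0.0.0/4 -j DROP
    # Everything else: log at level 4 (kern.warning, diverted by syslog to
    # its own file) with a per-host prefix, then drop. Order matters: LOG
    # continues to the next rule, so the DROP must follow it.
    $IPT -A "$chain" -m physdev --physdev-in eth1 -j LOG --log-level 4 \
        --log-prefix "$chain " --log-tcp-options --log-ip-options
    $IPT -A "$chain" -j DROP
}

# Rebuild a host's chain from scratch (unhook, flush, delete, recreate) so an
# updated allowlist can be loaded without leaving duplicate rules behind.
reload_host_chain() {
    chain=$1; lan_ip=$2
    $IPT -D FORWARD --src "$lan_ip" -j "$chain" 2>/dev/null || true
    $IPT -F "$chain" 2>/dev/null || true
    $IPT -X "$chain" 2>/dev/null || true
    make_host_chain "$@"
}

# Usage, with addresses taken from the Win1 slides:
#   make_host_chain Firewall-Win1 192.168.1.30 208.67.222.222 50.16.0.0/16
```

Running it with IPT=echo prints the rules in the order they would be loaded, which is an easy way to review an allowlist before it touches the live FORWARD chain.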
Capture Outgoing Traffic
Data record, 1 per packet:
Feb 19 00:01:03 bridge kernel: Win1 IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.168.1.35 DST=66.94.233.186 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=10570 DF PROTO=TCP SPT=2323 DPT=80 WINDOW=65185 RES=0x00 ACK FIN URGP=0
Records per day ~ 40k to 80k+
Port Scan Attack Detector (PSAD)
Can be configured to detect various network scans, invalid traffic, attacks, etc.
Can be used to fingerprint source machines
Can be configured to provide active response based on type of input, numbers of input packets for a predetermined period.
Can be used to sort and organize logged data.
Summarize traffic
psad -m /var/log/iptables/iptables_log_022011 --gnuplot --CSV-fields dst src dp:count --gnuplot-graph points --gnuplot-xrange 0:100 --gnuplot-file-prefix test_022011
test_022011.dat:
1, 172, 2      ### 1=12.29.100.148 172=192.168.1.35
:
39, 172, 96    ### 39=66.94.233.186 172=192.168.1.35
:
246, 171, 1    ### 246=216.191.247.139 171=192.168.1.30
Sort Traffic by Source
Use script (bash / awk / py / ?) to sort traffic into separate files by source
Use DNS to get domain name for sites
Win1_022011.lst:
12.29.100.148: Output was 0
:
66.94.233.186: r3.ycpi.vip.mud.yahoo.net.
:
216.137.43.236: server-216-137-43-236.dfw3.cloudfront.net.
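The sorting script the slide leaves open, as an added example that is not part of the lecture: it parses the kernel LOG records from the Capture Outgoing Traffic slide, produces the per-source dst/dport counts that the Summarize traffic slide gets from psad, and splits the records into one file per source host. It assumes the per-host --log-prefix is the first word after "kernel:"; the sample records are constructed, except for the one copied from the slide.

```shell
#!/bin/sh
# Added example, not from the lecture: parse the per-packet iptables LOG
# records shown on the Capture Outgoing Traffic slide and sort them by
# source host, the job the slide leaves to a "bash / awk / py" script.
# Assumes records in the kernel LOG format, with the per-host --log-prefix
# ("Win1 ") as the first word after "kernel:". Sample data is constructed.

# Constructed sample log: the record from the slide plus a few more lines
# (a second Win1 flow, a DNS query, another host, and a non-firewall line).
write_sample_log() {    # $1 = file to write
    cat > "$1" <<'EOF'
Feb 19 00:01:03 bridge kernel: Win1 IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.168.1.35 DST=66.94.233.186 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=10570 DF PROTO=TCP SPT=2323 DPT=80 WINDOW=65185 RES=0x00 ACK FIN URGP=0
Feb 19 00:01:04 bridge kernel: Win1 IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.168.1.35 DST=66.94.233.186 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=10571 DF PROTO=TCP SPT=2324 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 19 00:01:05 bridge kernel: Win1 IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.168.1.35 DST=208.67.222.222 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=10572 PROTO=UDP SPT=1054 DPT=53 LEN=40
Feb 19 00:01:06 bridge kernel: lserver3 IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.168.1.25 DST=216.137.43.236 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=10573 DF PROTO=TCP SPT=2325 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 19 00:01:07 bridge sshd[1234]: Accepted publickey for admin from 192.168.1.25
EOF
}

# summarize_log FILE PREFIX: count packets per (src, dst, dport) for records
# tagged with PREFIX. Output: "src dst dport count", busiest first, much like
# the dst/src/dp:count summary psad produces on the Summarize traffic slide.
summarize_log() {
    awk -v prefix="$2" '
        # Keep only kernel LOG records carrying our prefix.
        $5 == "kernel:" && $6 == prefix {
            src = dst = ""; dpt = "-"           # "-" when there is no port (ICMP)
            for (i = 7; i <= NF; i++) {
                split($i, kv, "=")              # KEY=VALUE fields; flags have no "="
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            if (src != "" && dst != "") count[src " " dst " " dpt]++
        }
        END { for (k in count) print k, count[k] }
    ' "$1" | sort -k4,4nr -k2,2
}

# split_by_source FILE OUTDIR: write one file per internal source host,
# OUTDIR/<src>.lst, listing each destination the host contacted and how
# many packets went there (the Win1_022011.lst layout before DNS lookup).
split_by_source() {
    mkdir -p "$2"
    awk -v outdir="$2" '
        $5 == "kernel:" {
            src = dst = ""
            for (i = 6; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
            }
            if (src != "" && dst != "") seen[src SUBSEP dst]++
        }
        END {
            for (k in seen) {
                split(k, p, SUBSEP)
                print p[2] ": " seen[k] > (outdir "/" p[1] ".lst")
            }
        }
    ' "$1"
}
```

Running `host` on the first column of each .lst file adds the domain names shown on the slide.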
Analyze traffic
Are addresses identifiable?
Is the traffic known / expected?
Why is traffic there?
Summary
What is a firewall?
Architectures:
  Stand Alone / application / proxy
  Personal / host based
  Gateway / packet filters
  Enterprise / hardware
Packet Filtering concepts
Packet Forwarding
Roles: Bastion, DMZ
EBtables