Firewall
FIREWALL - PowerPoint PPT Presentation


PowerPoint slideshow about 'FIREWALL' - duante


Presentation Transcript

Firewall Concept

  • one of the layers of defence that governs a computer's connections to the outside world by inspecting every traffic flow, packet and port against the configured rules

  • Done by:

    filtering

    limiting

    denying

the connections/activities between a segment of a private network and external networks that lie outside its scope


Simple Configuration

(Cartoon: a traveller asks the firewall "May I pass, miss? Here are my papers"; the firewall answers "Children aren't allowed out.. it's late")

pc (local network) <==> firewall <==> internet (other networks)


Firewall Topology: Basic Two-interface Firewall (no DMZ)

  • Connects to ISP using DSL, Cable Modem, ISDN, Dial-up, …

  • Provides for “Internet Connection Sharing” of a single public IP address for a local network using SNAT/Masquerading


Firewall Topology: Three-interface Firewall (with DMZ)

  • Provides internet connection sharing of one or more public IP addresses.

  • Has a DMZ containing servers that are exposed to the internet.

  • If a server is hacked, the Firewall and the Local network aren’t compromised.


Firewall Types

By working mechanism:

  • Packet Filtering

    • Filters packets by source, destination and packet attributes (filtering on IP address and port). What is inspected: the IP, TCP, UDP and ICMP headers and the port numbers

  • Application Level

    • Usually called a proxy firewall; filtering can be based on packet content

  • Circuit Level Gateway

    • Filters by communication session, watching the session handshake.

    • Tracks NEW/ESTABLISHED session states

  • Stateful Multilayer Inspection Firewall

    • A combination of the three firewall types above


Circuit Level / Stateful Inspection Firewalls

  • Default Behavior

    Permit connections initiated by an internal host

    Deny connections initiated by an external host

    Can change default behavior with ACL

  • For DMZ Implementation

(Diagram: Internet <-> Router <-> internal network; a connection attempt from inside is "Automatically Accepted", one from the Internet is "Automatically Denied")


DMZ Configuration

(Diagram: internet <-> Firewall <-> Web Server in the DMZ)

  • Place web servers in the "DMZ" network

  • Only allow web ports (TCP ports 80 and 443)


DMZ Configuration

(Cartoon: "Sir.. the red ones aren't allowed through, you know"; diagram: internet <-> Firewall <-> Web Server)

  • Don't allow web servers access to your network

  • Allow local network to manage web servers (SSH)

  • Don't allow servers to connect to the Internet

  • Patching is then not convenient



IPTABLES

  • iptables is a networking administration command-line tool on Linux which interfaces to the kernel-provided Netfilter modules. This allows for stateless and stateful firewalls and NAT. It is useful to think of IPtables as being a specialised firewall-creation programming language.


How iptables Works

  • An incoming packet is processed according to its destination:

    • Destination IP is the firewall itself → it goes through the INPUT chain

    • Destination IP is not the firewall but the packet is to be forwarded → it goes through the FORWARD chain

  • It is then matched against the policy table held by the firewall to decide whether it is accepted or dropped


How the Firewall Works

(Diagram: the Firewall Machine sitting between the networks)


iptables Syntax

  • Options

    • -A, appends a new rule at the last position

      iptables -A INPUT …

    • -D, deletes a rule (by its position number or by its specification)

      iptables -D INPUT 1

      iptables -D INPUT -s 202.154.178.2 …

    • -I, inserts a new rule; the position can be chosen by number

      iptables -I INPUT 3 -s 202.154.178.2 -j ACCEPT

    • -R, replaces a rule

      iptables -R INPUT 2 -s 202.154.178.2 -j ACCEPT

    • -F, deletes all rules (flush)

      iptables -F

    • -L, lists the rules

      iptables -L


Parameters

  • -p [!] protocol, the protocol to check

    iptables -A INPUT -p tcp …

  • -s [!] address/[mask], matches the packet's source

    iptables -A INPUT -s 10.252.44.145 …

  • -d [!] address/[mask], matches the packet's destination

    iptables -A INPUT -d 202.154.178.2 …

  • -j target, decides the packet's fate; the target is e.g. ACCEPT/DROP/REJECT

    iptables -A INPUT -d 202.154.178.2 -j DROP

  • -i [!] interface_name, identifies the network card the data arrives on

    iptables -A INPUT -i eth0 …

  • -o [!] interface_name, identifies the network card the packet leaves through

    iptables -A OUTPUT -o eth1 …


iptables Matches

  • mac, matches packets by MAC address (the mac match only checks the source MAC)

    iptables -A INPUT -m mac --mac-source 44:45:53:54:00:FF …

  • multiport, defines several ports at once (needs -p tcp or -p udp)

    iptables -A INPUT -p tcp -m multiport --source-ports 22,25,110,80 -j ACCEPT

  • state, defines the state of the connection

    iptables -A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT


iptables Targets/Jumps

  • ACCEPT, the packet is accepted immediately

    iptables -A INPUT -p tcp --dport 80 -j ACCEPT

  • DROP, the incoming packet is discarded silently

    iptables -A INPUT -p tcp --dport 21 -j DROP

  • REJECT, the refused packet is answered with an ICMP error message

    iptables -A INPUT -p tcp --dport 21 -j REJECT

  • SNAT, the packet's source address is rewritten; usually done on the machine that holds the Internet connection

    iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 202.154.178.2

  • DNAT, rewrites the packet's destination address. Usually used when a server has a local IP address: the public address is translated to it so the Internet can still reach the server

    iptables -t nat -A PREROUTING -p tcp -d 202.154.178.2 --dport 80 -j DNAT --to-destination 192.168.1.1

  • MASQUERADE, for sharing an Internet connection when the number of public IP addresses is limited; maps the local IPs to the public one

    iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 80 -j MASQUERADE

  • REDIRECT, used for a transparent proxy

    iptables -t nat -A PREROUTING -p tcp -d 0/0 --dport 80 -j REDIRECT --to-ports 8080

  • LOG, records our firewall's activity; to see where the log goes, open /etc/syslog.conf

    iptables -A FORWARD -j LOG --log-level debug

    iptables -A FORWARD -j LOG --log-tcp-options


Firewall Options

  • # Load the iptables modules

  • /sbin/modprobe ip_tables

  • /sbin/modprobe ip_conntrack

  • /sbin/modprobe iptable_filter

  • /sbin/modprobe iptable_mangle

  • /sbin/modprobe iptable_nat

  • /sbin/modprobe ipt_LOG

  • /sbin/modprobe ipt_limit

  • /sbin/modprobe ipt_state

  • /sbin/modprobe ip_conntrack_ftp

  • /sbin/modprobe ip_conntrack_irc

  • /sbin/modprobe ip_nat_ftp

  • /sbin/modprobe ip_nat_irc


Deleting iptables Rules

  • # Flush all iptables rules

    $IPTABLES -F

    $IPTABLES -t nat -F

    $IPTABLES -t mangle -F

  • # Delete the user-defined chains

    $IPTABLES -X

    $IPTABLES -t nat -X

    $IPTABLES -t mangle -X





Forward

  • iptables -t nat -A POSTROUTING -s IP_number -d 0/0 -j MASQUERADE

  • # iptables -A FORWARD -p icmp -s 0/0 -d 0/0 -j ACCEPT

  • iptables -A INPUT -p icmp -s 0/0 -j DROP

  • # iptables -A FORWARD -i eth1 -o eth0 -p icmp -s 10.252.105.109 -d 192.168.108.5 -j ACCEPT

  • # iptables -A FORWARD -s 192.168.108.5/24 -d 0/0 -p tcp --dport ftp -j REJECT


Case Study 1

  • Build your own network

  • Install a web server and an FTP server on the "Internet" network (10.252.105.xxx)

  • Configure blocking so that PC2 and PC3 cannot access the web and FTP


Setting up the Router Computer PC1

  • Enable ip_forward

    # echo 1 > /proc/sys/net/ipv4/ip_forward

  • Set up NAT

    iptables -t nat -A POSTROUTING -o eth0 -s IP_number -d 0/0 -j MASQUERADE

  • Set the IP addresses

    eth0 → 192.168.105.109 Bcast:192.168.105.255 Mask:255.255.255.0

    eth0:1 → 192.168.108.1 Bcast:192.168.108.255 Mask:255.255.255.0

  • Set the routing

    # route add default gw 192.168.105.1


Setting up Each Client

  • PC2

    Set the IP

    inet addr:192.168.108.10 Bcast:192.168.108.255 Mask:255.255.255.0

  • PC3

    Set the IP

    inet addr:192.168.108.5 Bcast:192.168.108.255 Mask:255.255.255.0

  • PC4

    Set the IP

    inet addr:192.168.108.20 Bcast:192.168.108.255 Mask:255.255.255.0

  • Set the gateway for PC2, PC3 & PC4

    route add default gw 192.168.108.1


Connectivity Test

  • Router PC 1

    ping 192.168.108.10, ping 192.168.108.5, ping 192.168.108.20, ping 192.168.105.1, ping 202.154.187.4

  • PC 2

    ping 192.168.105.109, ping 192.168.108.5, ping 192.168.108.20, ping 192.168.105.1, ping 202.154.187.4

  • PC 3

    ping 192.168.105.109, ping 192.168.108.10, ping 192.168.108.20, ping 192.168.105.1, ping 202.154.187.4

  • PC 4

    ping 192.168.105.109, ping 192.168.108.10, ping 192.168.108.5, ping 192.168.105.1, ping 202.154.187.4


Firewall Rules

  • Configure blocking so that PC2 and PC3 cannot access the web and FTP

    # iptables -A FORWARD -m state --state NEW -s 192.168.108.5/24 -d 0/0 -p tcp -m multiport --dports www -j REJECT

    # iptables -A FORWARD -m state --state NEW -s 192.168.108.5/24 -d 0/0 -p tcp -m multiport --dports ftp -j REJECT

    # iptables-save, iptables-restore (to save the rules and load them again)
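The blocking rules above, written out for PC1 as an added example that is not the slides' own script: the two clients are named individually, because the slides' 192.168.108.5/24 mask covers the whole subnet and would block PC4 as well, and the NAT and ESTABLISHED rules the case needs around them are included. DRY_RUN, case1_rules and the ipt wrapper are names assumed for this example; by default the commands are printed, since applying them needs root on PC1.

```shell
#!/bin/sh
# Added example for Case Study 1 (not the slides' own script). Addresses are the
# ones the slides assign: PC1 (router) 192.168.108.1 on eth0:1, Internet side eth0,
# PC2 = 192.168.108.10, PC3 = 192.168.108.5, PC4 = 192.168.108.20 (stays unblocked).
WAN_IF=eth0
LAN_NET=192.168.108.0/24
BLOCKED_HOSTS="192.168.108.10 192.168.108.5"   # PC2 and PC3 only, not the whole /24

# Run an iptables command, or only print it when DRY_RUN=1 (the default here;
# applying for real needs root on PC1).
ipt() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

case1_rules() {
    # NAT for the LAN on the Internet-facing interface (the "Set up NAT" step).
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    # Replies to already-accepted connections pass without re-evaluating the rules.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New web (80, 443) and FTP (21) connections from PC2 and PC3 are refused with a
    # TCP reset, so the client fails fast instead of waiting for a timeout.
    for host in $BLOCKED_HOSTS; do
        ipt -A FORWARD -s "$host" -p tcp -m state --state NEW \
            -m multiport --dports 80,443,21 -j REJECT --reject-with tcp-reset
    done
    # eth0:1 is an alias of eth0, so LAN and Internet share one physical interface;
    # -i/-o cannot tell them apart, hence the match is on the source network.
    ipt -A FORWARD -s "$LAN_NET" -j ACCEPT
}

case1_rules
```

Run with DRY_RUN=0 as root on PC1 to apply the rules, then save them with iptables-save as the slide suggests.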


Case Study 2 - DMZ

  • eth0 with 192.168.1.1 private IP address - Internal LAN ~ Desktop system

  • eth1 with 202.54.1.1 public IP address - WAN connected to ISP router

  • eth2 with 192.168.2.1 private IP address - DMZ connected to Mail / Web / DNS and other private servers


Routing traffic between public and DMZ server

  • To route all incoming SMTP requests to a dedicated mail server at IP address 192.168.2.2, port 25, network address translation (NAT) uses the PREROUTING chain of the nat table to forward the packets to the proper destination.

  • This is done with the appropriate iptables firewall rules for routing traffic between the LAN and the DMZ and between the public interface and the DMZ. For example, all incoming mail traffic from the Internet (arriving at 202.54.1.1) can be sent to the DMZ mail server (192.168.2.2) with the following iptables PREROUTING rule (assuming a default DROP-all firewall policy):


Routing traffic between public and DMZ server (continued)

### end init firewall .. Start DMZ stuff ####

# forward traffic between DMZ and LAN

iptables -A FORWARD -i eth0 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i eth2 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# forward traffic between DMZ and WAN servers SMTP, Mail etc

iptables -A FORWARD -i eth2 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i eth1 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Route incoming SMTP (port 25 ) traffic to DMZ server 192.168.2.2

iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 25 -j DNAT --to-destination 192.168.2.2

# Route incoming HTTP (port 80 ) traffic to DMZ server load balancer IP 192.168.2.3

iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 80 -j DNAT --to-destination 192.168.2.3

# Route incoming HTTPS (port 443 ) traffic to DMZ server reverse load balancer IP 192.168.2.4

iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 443 -j DNAT --to-destination 192.168.2.4

### End DMZ .. Add other rules ###


  • Where,

  • -i eth1 : Wan network interface

  • -d 202.54.1.1 : Wan public IP address

  • --dport 25 : SMTP Traffic

  • -j DNAT : the DNAT target sets the packet's destination address to the one given with --to-destination

  • --to-destination 192.168.2.2: Mail server ip address (private IP)


Multi port redirection

  • You can also use the multiport iptables module to match a set of source or destination ports. Up to 15 ports can be specified. For example, route incoming HTTP (port 80) and HTTPS (port 443) traffic to the load balancer IP 192.168.2.3 in the DMZ:

  • iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 -m multiport --dports 80,443 -j DNAT --to-destination 192.168.2.3
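The DMZ rules above assume a default DROP policy and leave out the outbound NAT and the per-service FORWARD rules; the script below, added here and not part of the presentation, supplies that framing around the same SMTP/HTTP/HTTPS DNAT rules, with the interfaces and addresses of Case Study 2. The ipt wrapper, dmz_rules and DRY_RUN are names assumed for this example; by default it prints the commands rather than applying them.

```shell
#!/bin/sh
# Added example (not the presentation's own script): the complete Case Study 2
# gateway. Interfaces and addresses as on the slides: eth0 = LAN 192.168.1.0/24,
# eth1 = WAN 202.54.1.1, eth2 = DMZ with mail 192.168.2.2 and web balancer 192.168.2.3.
LAN_IF=eth0; WAN_IF=eth1; DMZ_IF=eth2
WAN_IP=202.54.1.1; MAIL=192.168.2.2; WEB_LB=192.168.2.3

# Run an iptables command, or only print it when DRY_RUN=1 (default; applying needs root).
ipt() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

dmz_rules() {
    # Clean slate, then the "default DROP all" policy the slide assumes.
    ipt -F; ipt -t nat -F; ipt -X
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The firewall itself is managed over SSH from the LAN only.
    ipt -A INPUT -i "$LAN_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # Forwarding: replies always, new connections only from the LAN outwards.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -m state --state NEW -j ACCEPT
    # No NEW rule with -i eth2: a compromised DMZ host cannot open connections
    # to the LAN or the Internet (the "DMZ Configuration" slide).
    # Published services: DNAT rewrites the destination in PREROUTING, and a matching
    # FORWARD rule admits only those ports to those hosts.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p tcp --dport 25 \
        -j DNAT --to-destination "$MAIL"
    ipt -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p tcp -m multiport --dports 80,443 \
        -j DNAT --to-destination "$WEB_LB"
    ipt -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$MAIL" -p tcp --dport 25 \
        -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$WEB_LB" -p tcp -m multiport --dports 80,443 \
        -m state --state NEW -j ACCEPT
    # Outbound LAN traffic leaves with the static public address (SNAT, not MASQUERADE).
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
    # Whatever falls through to the DROP policy is logged, rate-limited, for review.
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
}

dmz_rules
```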





Shorewall

  • Shorewall

    a tool for building a firewall

    variables: interfaces, zones, rules

  • The Shorewall configuration lives in the /etc/shorewall directory and consists at minimum of zones, interfaces, rules, policy and shorewall.conf.



Zones

  • Shorewall divides the network into several zones, described in /etc/shorewall/zones

  • Suppose the computer has two interfaces; we then make them the zone net and the zone loc, so /etc/shorewall/zones looks like this:

    #ZONE   TYPE       OPTIONS   IN OPTIONS   OUT OPTIONS
    fw      firewall
    net     ipv4
    loc     ipv4

    • Zone net is the Internet zone

    • zone loc is the local zone

    • Zone fw describes the firewall machine itself.

  • The zone names are up to us.


Interfaces

  • Next we define which interfaces the zones above apply to, in /etc/shorewall/interfaces; the configuration looks roughly like:

    #ZONE   INTERFACE   BROADCAST   OPTIONS
    net     eth0        detect      norfc1918
    loc     eth1        detect


Rules

  • Rules are the policies that govern each connection entering the firewall; an example /etc/shorewall/rules configuration:

    #ACTION        SOURCE             DEST    PROTO   DEST PORT(S)
    Ping/ACCEPT    loc:192.168.0.1    $FW
    ACCEPT         $FW                all     icmp
    Web/ACCEPT     all                $FW
    SSH/ACCEPT     loc:192.168.0.1    $FW


Policy

  • A policy is the general rule applied to each pair of zones when no rule describes the connection, for example:

    #SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
    loc       net    ACCEPT
    net       all    DROP     info
    all       all    REJECT   info



Installation

Note: the default rule files can be copied from /usr/share/doc/shorewall/default-config, and example configurations are in /usr/share/doc/shorewall/examples

  • Remove

    :~# apt-get remove portmap

    :~# apt-get remove nfs-common

    :~# apt-get remove pidentd


Installation (continued)

  • Install Shorewall

    :~# apt-get install shorewall

  • Install documentation

    :~# apt-get install shorewall-doc


Configuration

  • goto shorewall directory

    :~# cd /etc/shorewall

  • look inside

    :/etc/shorewall# ls


Configuration (continued)

  • Change /etc/default/shorewall from

    startup=0

    to

    startup=1

  • # vim /etc/default/shorewall

    change the startup


Activate the firewall

  • do this

    # /etc/init.d/shorewall start

  • watch your firewall

    # iptables -nL | less
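As an added example that is not from the slides, the zones, interfaces, policy and rules files described above extended to the three-zone Case Study 2 layout, written by a shell function so the files can be staged in a scratch directory and inspected before they go into /etc/shorewall. write_shorewall_dmz_config and active_lines are names assumed here, and tcpflags,nosmurfs are standard Shorewall interface options chosen for this example.

```shell
#!/bin/sh
# Added example (not from the slides): a three-zone Shorewall configuration for the
# Case Study 2 layout (eth0 = LAN "loc", eth1 = WAN "net" 202.54.1.1, eth2 = DMZ "dmz").
# Assumes the Shorewall 4.x column formats used on the slides; DIR is normally
# /etc/shorewall, but any directory can be used to stage and inspect the files.
write_shorewall_dmz_config() {
    dir=${1:?usage: write_shorewall_dmz_config DIR}
    mkdir -p "$dir"
    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
EOF
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth1        detect      tcpflags,nosmurfs
loc     eth0        detect
dmz     eth2        detect
EOF
    # Policies apply only when no rule matches: the LAN may go out, the DMZ may not
    # initiate anything, and every other zone pair is refused and logged.
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY   LOG_LEVEL
loc     net     ACCEPT
loc     dmz     ACCEPT
net     all     DROP     info
dmz     all     REJECT   info
all     all     REJECT   info
EOF
    # Rules are checked before policies; DNAT publishes the DMZ services on the
    # WAN address (the same translation as the iptables PREROUTING rules earlier).
    cat > "$dir/rules" <<'EOF'
#ACTION       SOURCE  DEST                PROTO   DEST_PORT(S)
Ping/ACCEPT   loc     $FW
SSH/ACCEPT    loc     $FW
SSH/ACCEPT    loc     dmz
DNAT          net     dmz:192.168.2.2     tcp     25
DNAT          net     dmz:192.168.2.3     tcp     80,443
EOF
}

# Number of active (non-comment, non-blank) lines in one configuration file.
active_lines() { grep -Ecv '^[[:space:]]*(#|$)' "$1"; }
```

Stage the files in a scratch directory, validate them with `shorewall check <dir>`, and only then copy them into /etc/shorewall and start the firewall as on the previous slide.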


Configuring Shorewall from Webmin

