
FireWall

FireWall. Grzegorz Śliwiński. Security zones. Types of firewalls: packet-filtering firewall, stateful-inspection firewall, application proxy firewall.


Presentation Transcript


  1. FireWall Grzegorz Śliwiński

  2. Security zones

  3. Types of firewalls
    • Packet-filtering firewall,
    • Stateful-inspection firewall,
    • Application proxy firewall

  4. Firewall architectures. Three types:
    • Firewall with two network cards (dual-homed host),
    • Firewall with a screening router,
    • Firewall with two screening routers,
    and combinations of these.

  5. Firewall with two network cards (dual-homed host)

  6. Firewall with a screening router

  7. Two screening routers

  8. DMZ

  9. Proxy host

  10. DoS attacks

  11. Secure mail

  12. IPCHAINS
    • input (incoming packets)
    • output (outgoing packets)
    • forward (packets routed through the host)

  13. IPCHAINS
    :input ACCEPT
    :forward DENY
    :output ACCEPT
    -A input -s 0/0 -d 0/0 8080:8080 -j REDIRECT 8080 -p tcp
    -A input -s 0/0 -d 0/0 8080:8080 -j REDIRECT 8080 -p udp
    -A input -s 0/0 -d 0/0 53:53 -j REDIRECT 53 -p tcp
    -A input -s 0/0 -d 0/0 53:53 -j REDIRECT 53 -p udp
    -A input -s 213.155.164.2 -j ACCEPT
    -A input -s 0/0 20:20 -d 217.98.190.90 1024:65535 -j ACCEPT -p tcp
    -A input -s 0/0 20:20 -d 217.98.190.90 1024:65535 -j ACCEPT -p udp
    -A input -d 217.98.190.90 21:22 -j ACCEPT -p tcp
    -A input -d 217.98.190.90 25:25 -j ACCEPT -p tcp
    -A input -d 217.98.190.90 80:80 -j ACCEPT -p tcp
    -A input -d 217.98.190.90 443:443 -j ACCEPT -p tcp
    -A input -s 213.155.164.47 -d 217.98.190.90 2401:2401 -j ACCEPT -p tcp
    -A input -s 213.155.164.47 -d 217.98.190.90 2401:2401 -j ACCEPT -p udp
    -A input -s 212.160.88.35 -d 217.98.190.90 2401:2401 -j ACCEPT -p tcp
    -A input -s 212.160.88.35 -d 217.98.190.90 2401:2401 -j ACCEPT -p udp
    -A input -s 217.98.190.90 -j ACCEPT
    -A input -s 192.168.1.1 -j ACCEPT
    -A input -s 192.168.1.10 -j ACCEPT
    -A input -d 217.98.190.90 -j DENY -y -p tcp
    -A forward -s 192.168.1.0/24 -j MASQ

  14. How IPTABLES processes packets

  15. Input

  16. Forward

  17. Output

  18.
    *nat
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [2:328]
    :OUTPUT ACCEPT [3:388]
    -A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 8080
    -A PREROUTING -i eth0 -p udp -m udp --dport 8080 -j REDIRECT --to-ports 8080
    -A PREROUTING -i eth0 -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
    -A PREROUTING -i eth0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
    -A POSTROUTING -o ppp0 -j SNAT --to-source 217.98.190.90
    COMMIT
    *mangle
    :PREROUTING ACCEPT [81:13394]
    :INPUT ACCEPT [79:13247]
    :FORWARD ACCEPT [2:147]
    :OUTPUT ACCEPT [73:18301]
    :POSTROUTING ACCEPT [77:18951]
    COMMIT
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [73:18301]
    -A INPUT -i eth0 -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -s 213.155.164.2 -j ACCEPT
    -A INPUT -d 217.98.190.90 -p tcp -m tcp --sport 20 --dport 1024:65535 -j ACCEPT
    -A INPUT -d 217.98.190.90 -p udp -m udp --sport 20 --dport 1024:65535 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    -A INPUT -s 213.155.164.47 -d 217.98.190.90 -p tcp -m tcp --dport 2401 -j ACCEPT
    -A INPUT -s 213.155.164.47 -d 217.98.190.90 -p udp -m udp --dport 2401 -j ACCEPT
    -A INPUT -s 212.160.88.35 -d 217.98.190.90 -p tcp -m tcp --dport 2401 -j ACCEPT
    -A INPUT -s 212.160.88.35 -d 217.98.190.90 -p udp -m udp --dport 2401 -j ACCEPT
    -A INPUT -i ppp0 -m state --state NEW,INVALID -j DROP
    -A FORWARD -s 192.168.1.1 -i eth0 -o ppp0 -j ACCEPT
    -A FORWARD -d 192.168.1.1 -i ppp0 -o eth0 -j ACCEPT
    -A FORWARD -s 192.168.1.10 -i eth0 -o ppp0 -j ACCEPT
    -A FORWARD -d 192.168.1.10 -i ppp0 -o eth0 -j ACCEPT
    -A FORWARD -i ppp0 -m state --state NEW,INVALID -j DROP
    COMMIT
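The difference between the packet-filtering firewall of slide 3 and the stateful-inspection firewall is visible in the two rulesets above, and the following Python model makes it concrete. It is an added example, not code from the presentation: it runs the same constructed packets through a first-match model of the ipchains input chain of slide 13 and of the iptables INPUT chain of slide 18. The rule subset, the sample addresses (198.51.100.0/24 is documentation address space standing in for arbitrary internet hosts) and the one-table connection tracker are assumptions of the example. What it shows: the ipchains chain ends with `-j DENY -y -p tcp`, so only TCP SYNs to 217.98.190.90 are refused, and an unsolicited UDP datagram or a bare ACK (an ACK scan) falls through to the chain's ACCEPT policy; the iptables chain's closing `-i ppp0 -m state --state NEW,INVALID -j DROP` refuses both, while the reply to the host's own DNS query still passes as ESTABLISHED.

```python
"""Toy first-match packet filter: the stateless ipchains input chain of
slide 13 against the stateful iptables INPUT chain of slide 18, on the same
packets. Added illustration, not code from the presentation; the rule subset,
the sample packets and the one-table conntrack model are constructed here."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PUBLIC_IP = "217.98.190.90"  # the firewall's ppp0 address on the slides


def ports(lo: int, hi: Optional[int] = None) -> range:
    """Inclusive port range, as in ipchains 'lo:hi' / iptables '--dport lo:hi'."""
    return range(lo, (lo if hi is None else hi) + 1)


@dataclass(frozen=True)
class Packet:
    iface: str          # "ppp0" (internet) or "eth0" (LAN)
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN without ACK, i.e. a fresh connection attempt


@dataclass(frozen=True)
class Rule:
    target: str                         # ACCEPT, DROP or DENY
    iface: Optional[str] = None         # -i
    proto: Optional[str] = None         # -p
    src: Optional[str] = None           # -s, host or CIDR
    dst: Optional[str] = None           # -d
    sport: Optional[range] = None       # source port(s)
    dport: Optional[range] = None       # destination port(s)
    syn_only: bool = False              # ipchains -y: match TCP SYN only
    state: Optional[frozenset] = None   # iptables -m state --state ...

    def matches(self, p: Packet, state: str) -> bool:
        return ((self.iface is None or p.iface == self.iface)
                and (self.proto is None or p.proto == self.proto)
                and (self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
                and (self.sport is None or p.sport in self.sport)
                and (self.dport is None or p.dport in self.dport)
                and (not self.syn_only or (p.proto == "tcp" and p.syn))
                and (self.state is None or state in self.state))


def evaluate(rules, policy: str, p: Packet, state: str = "NEW") -> str:
    """First matching rule decides; the chain policy applies if none matches."""
    return next((r.target for r in rules if r.matches(p, state)), policy)


class Conntrack:
    """Minimal connection table: remembers outbound flows so their replies
    classify as ESTABLISHED. RELATED and INVALID are left out on purpose."""
    def __init__(self) -> None:
        self.flows = set()

    def outbound(self, proto: str, src: str, sport: int, dst: str, dport: int) -> None:
        self.flows.add((proto, src, sport, dst, dport))

    def classify(self, p: Packet) -> str:
        # A packet whose reverse 5-tuple is a known outbound flow is a reply.
        return "ESTABLISHED" if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows else "NEW"


# Slide 13: ipchains input chain (policy ACCEPT), the internet-facing subset.
IPCHAINS_INPUT = [
    Rule("ACCEPT", proto="tcp", sport=ports(20), dst=PUBLIC_IP, dport=ports(1024, 65535)),
    Rule("ACCEPT", proto="tcp", dst=PUBLIC_IP, dport=ports(21, 22)),
    Rule("ACCEPT", proto="tcp", dst=PUBLIC_IP, dport=ports(25)),
    Rule("ACCEPT", proto="tcp", dst=PUBLIC_IP, dport=ports(80)),
    Rule("ACCEPT", proto="tcp", dst=PUBLIC_IP, dport=ports(443)),
    Rule("DENY", proto="tcp", dst=PUBLIC_IP, syn_only=True),  # -j DENY -y -p tcp
]

# Slide 18: iptables filter INPUT chain (policy ACCEPT), the same subset.
IPTABLES_INPUT = [
    Rule("ACCEPT", iface="eth0"),
    Rule("ACCEPT", proto="tcp", sport=ports(20), dst=PUBLIC_IP, dport=ports(1024, 65535)),
    Rule("ACCEPT", proto="tcp", dport=ports(22)),
    Rule("ACCEPT", proto="tcp", dport=ports(25)),
    Rule("ACCEPT", proto="tcp", dport=ports(80)),
    Rule("ACCEPT", proto="tcp", dport=ports(443)),
    Rule("DROP", iface="ppp0", state=frozenset({"NEW", "INVALID"})),
]


def compare(p: Packet, ct: Conntrack) -> dict:
    """Verdict of both rulesets for one packet arriving on ppp0."""
    return {"ipchains": evaluate(IPCHAINS_INPUT, "ACCEPT", p),
            "iptables": evaluate(IPTABLES_INPUT, "ACCEPT", p, ct.classify(p))}


def demo() -> dict:
    """Constructed traffic; 198.51.100.0/24 stands in for arbitrary internet hosts."""
    ct = Conntrack()
    ct.outbound("udp", PUBLIC_IP, 34567, "198.51.100.53", 53)  # our own DNS query
    attacker = "198.51.100.7"
    samples = {
        "syn_to_80": Packet("ppp0", "tcp", attacker, 40000, PUBLIC_IP, 80, syn=True),
        "syn_to_5000": Packet("ppp0", "tcp", attacker, 40001, PUBLIC_IP, 5000, syn=True),
        "ack_to_5000": Packet("ppp0", "tcp", attacker, 40002, PUBLIC_IP, 5000),  # ACK scan
        "udp_to_5000": Packet("ppp0", "udp", attacker, 40003, PUBLIC_IP, 5000),
        "dns_reply": Packet("ppp0", "udp", "198.51.100.53", 53, PUBLIC_IP, 34567),
    }
    return {name: compare(p, ct) for name, p in samples.items()}
```

Calling `demo()` returns the verdict of each ruleset per sample packet: the SYN to port 80 is accepted by both, the SYN to port 5000 is refused by both, and the bare ACK and the unsolicited UDP datagram to port 5000 are accepted by the ipchains chain but dropped by the iptables chain, which still lets the DNS reply through. In a real kernel an unsolicited ACK is classified NEW or INVALID depending on the nf_conntrack_tcp_loose setting; the toy table treats it as NEW, and the slide's rule drops either way.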
