Automated Firewalls with Mason

  • William Stearns

  • SANS Instructor, proctor, and network administrator

  • [email protected]

  • http://www.stearns.org/mason/


Getting underway

  • Room monitors

  • Evaluation forms

  • Questions at any point

  • Goals

    • Basics of Linux firewalling

    • Learning process

    • Live demo


Firewalls

  • One small piece of your network security

  • Only affects traffic going in, out, or through your firewall

  • Can be circumvented

    • TCP/IP tunneling in ssh, email, DNS, http

    • Using allowed ports for blocked traffic types

    • Additional exit points from network

  • Firewall system needs to be locked down tightly!


Firewall types

  • Packet filtering

    • Stateful

    • Stateless

  • Proxy

  • Better yet, both!



Choice of firewall platform

  • Stability

  • Network card support

  • Security and Updates

  • Network performance

  • Ability to audit and strip down

  • Cost

  • Ease of setup


Linux Packet Filtering

  • Separation of Jobs

    • Kernel

    • Command line tools


Linux Packet Filtering types

  • ipfw (Linux 1.2 kernels)

  • ipfwadm (Linux 2.0 kernels)

  • ipchains (Linux 2.2 kernels)

  • iptables (Linux 2.4 kernels)


ipfw

  • First Linux packet filtering support

  • Linux 1.2 kernels

  • Stateless

  • Very limited

    • Only filtered on one port

    • Never integrated into distributions

    • Not supported by Mason

  • Ported from one of the BSDs by Alan Cox


ipfwadm

  • Linux 2.0 kernels

  • Stateless

  • Filters on source and destination addresses and ports

  • Only TCP, UDP, and ICMP

  • Masquerading (many-to-one NAT)

  • Jos Vos


ipchains

  • Linux 2.2 kernels

  • Stateless

  • Support for ICMP subtypes, protocols other than TCP, UDP and ICMP, and inverse options.

  • Rusty Russell


iptables

  • Linux 2.4, 2.5, and upcoming 2.6 kernels

  • Stateful

  • IPv6 support

  • Backwards compatibility modules for ipfwadm and ipchains

  • Extensible tests and actions

  • Fully modular design


Setting up firewalls

  • Triple threat; limited background in:

    • Security policies

    • TCP/IP (normal and attack patterns)

    • Connecting the two with packet filtering and other security tools.

  • Risk in getting it wrong.

  • Default allow - easy to get going

  • Default deny - orders of magnitude harder


Approaches for creating firewalls

  • Prewritten list of rules

  • Menu interface with small set of choices

  • Menu interface with extensive options

  • Automatic construction of rules based on current network setup.

  • Letting the firewall build itself :-)


Prewritten list of rules

  • Good if your network matches the assumptions

  • May need a lot of editing if not

  • They tend to be too permissive


Menu interface with small set of choices

  • Good for simple networks

  • Poor for complex networks or non-standard networks

  • Poor for non-standard protocols


Menu interface with extensive options

  • Flexible, good for complex networks

  • Requires a lot of expertise from the administrator


Letting the firewall build itself

  • Flexible

  • Doesn't require in-depth knowledge of firewall construction

  • Handles simple and complex networks

  • May take some time to cover all traffic types.


The world's most efficient and literal bouncer

  • New bouncer

  • Needs to be taught who can go in or out of the bar

  • Told to note individual's age, whether they're part of the owner's family, which direction they want to go and whether they're carrying firearms, and then ask bar owner.


Initial bouncer rules

  • => Write down characteristics, ask owner

  • => block (default policy)


Bouncer rules, part II

  • Carrying firearms => block and call police

  • => Write down characteristics, ask owner

  • => block (default policy)


Bouncer rules, part III

  • Carrying firearms => block and call police

  • Leaving bar => allow to pass

  • => Write down characteristics, ask owner

  • => block (default policy)


Bouncer rules, part IV

  • Carrying firearms => block and call police

  • Leaving bar => allow to pass

  • Entering bar, over 21 => allow to pass

  • => Write down characteristics, ask owner

  • => block (default policy)


Bouncer rules, part V

  • Carrying firearms => block and call police

  • Leaving bar => allow to pass

  • Entering bar, over 21 => allow to pass

  • Part of owner's family => allow to pass

  • => Write down characteristics, ask owner

  • => block (default policy)


Bouncer rules, part VI

  • Carrying firearms => block and call police

  • Leaving bar => allow to pass

  • Entering bar, over 21 => allow to pass

  • Part of owner's family => allow to pass

  • Entering bar, under 21 => block

  • => Write down characteristics, ask owner

  • => block (default policy)


Bouncer rules, part VII

  • Carrying firearms => block and call police

  • Leaving bar => allow to pass

  • Entering bar, over 21 => allow to pass

  • Part of owner's family => allow to pass

  • Entering bar, under 21 => block

  • => block (default policy)


Mason and iterative creation

  • Start off with empty firewall

  • Log all unmatched packets

  • Watch logs for new packets

  • Add rule that would have matched that traffic

  • Keep adding rules until all traffic types encountered


Iptables log format

Apr 30 21:04:10 sparrow kernel: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=11339 DF PROTO=UDP SPT=33272 DPT=53 LEN=53


Iptables rule format

/sbin/iptables -A OUTPUT -o lo -p udp -s localhost/32 --sport 1024:65535 -d localhost/32 --dport domain -j ACCEPT #domain/udp (O)
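The iterative loop on the previous slides (log an unmatched packet, derive the rule that would have accepted it, repeat until no new traffic types appear) can be shown end to end with the log line and rule formats above. This is an added illustration, not Mason's own code; the log lines are constructed, and the generalisation of client ports to 1024:65535 mirrors the rule on the slide.

```python
import re

# Constructed netfilter LOG lines in the format shown on the slide: two DNS
# queries over loopback (different source ports) and one inbound SSH connection.
SAMPLE_LOGS = [
    "Apr 30 21:04:10 sparrow kernel: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=73 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=11339 DF PROTO=UDP SPT=33272 DPT=53 LEN=53",
    "Apr 30 21:04:12 sparrow kernel: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=69 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=11340 DF PROTO=UDP SPT=33280 DPT=53 LEN=49",
    "Apr 30 21:05:01 sparrow kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
]

def parse_log(line):
    """Return the KEY=VALUE fields of one netfilter LOG line as a dict."""
    fields = {}
    for key, value in re.findall(r"\b([A-Z]+)=(\S*)", line):
        fields.setdefault(key, value)  # keep the first LEN= (IP header), not the UDP one
    return fields

def log_to_rule(fields):
    """Build the iptables rule that would have accepted the logged packet."""
    proto = fields["PROTO"].lower()
    if proto not in ("tcp", "udp"):
        raise ValueError("only tcp/udp handled in this example")
    # Pick the chain from which interfaces the packet crossed.
    if fields.get("IN") and not fields.get("OUT"):
        chain, iface = "INPUT", "-i " + fields["IN"]
    elif fields.get("OUT") and not fields.get("IN"):
        chain, iface = "OUTPUT", "-o " + fields["OUT"]
    else:
        chain, iface = "FORWARD", "-i %s -o %s" % (fields["IN"], fields["OUT"])
    # Client source ports are ephemeral, so generalise them to the unprivileged range.
    spt = int(fields["SPT"])
    sport = "1024:65535" if spt >= 1024 else str(spt)
    return ("/sbin/iptables -A %s %s -p %s -s %s/32 --sport %s -d %s/32 --dport %s -j ACCEPT"
            % (chain, iface, proto, fields["SRC"], sport, fields["DST"], fields["DPT"]))

def build_ruleset(log_lines):
    """One pass of the Mason loop: add a rule only for traffic types not yet covered."""
    rules = []
    for line in log_lines:
        rule = log_to_rule(parse_log(line))
        if rule not in rules:  # a second packet of an already-covered type adds nothing
            rules.append(rule)
    return rules

if __name__ == "__main__":
    for rule in build_ruleset(SAMPLE_LOGS):
        print(rule)
```

The three sample lines collapse to two rules, because the second DNS query differs only in its ephemeral source port and is already covered.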


Live demonstration

We'll switch over to a Linux laptop for the demo and rejoin here afterwards.


Customization

  • Existing firewall rules

  • Allows administrator to make modifications


Starting firewall at boot

  • ntsysv, tksysv, or linuxconf

  • Manually link /etc/rc.d/init.d/firewall


Troubleshooting

  • Turn off the firewall, see if the problem persists.

  • Restart the firewall, repeat the test, then run the following to see which rules have matched any packets:

  • iptables -L -n -x -v | grep -v '^ *0 *0 ' | less -S


Opening packet rules

  • Use iptables' stateful matching for ESTABLISHED,RELATED packets.

  • Let Mason build the rules for NEW packets.


Potential projects

  • Cisco IOS

  • FreeBSD, OpenBSD and NetBSD - ipfilter

  • http://coombs.anu.edu.au/~avalon/

  • Other routers and firewalls.


Thanks!

  • Linux developers, esp. Rusty Russell

  • Chris Brenton (SANS, Altenet)

  • Steven Northcutt (SANS)

  • ISTS

  • Mason contributors - see the Credits section in the HOWTO.


Where to get it

  • Part of some Linux Distributions

    • Debian

    • Krud

    • Red Hat Powertools up to 7.0

  • http://www.stearns.org/mason/

  • Many other sources


References

  • http://www.stearns.org/mason/

  • http://www.netfilter.org

  • http://www.linuxdoc.org

  • http://www.stearns.org/doc/starting-mason.current.html

  • [email protected]

  • Questions?

