Firewalls

What they do.

How they work.



Outline

What is a firewall?

Architectures

Stand Alone / application / proxy

Personal / host based

Gateway / packet filters

Enterprise / hardware

Roles

Bastion

DMZ

Packet Filtering concepts

IPTables

Stateful filtering

Packet Forwarding

Ethernet bridge


What is a Firewall?

A hardware or software device that monitors (and controls ?) the transmission of packets that attempt to pass through the perimeter of a network (or host).

Provides 2 basic security functions

Packet Filtering

Application Proxy gateways

Additional security features

Log unauthorized (and authorized ?) access attempts

Provide VPN Connections

Support user authentication

Shield internal machines from outside view


What should a firewall do?

Control the flow of packets to/from Internet

Block external login as root (?)

Must distinguish between local and Internet packets (even spoofed addresses)

Support limited user accounts

Log all system activities


Types of Firewalls

Stand Alone / application / proxy

Enterprise / Local

Hardware / Software

Gateway / router / packet filter

Personal / host based

Windows firewall – incoming protection

ZoneAlarm, Linux, etc. – incoming / outgoing filter


Types of Firewalls

[Diagram: Internet, stateful router / packet filter firewall, application proxy, host-based firewall, corporate network]

Standalone Proxy Firewalls / Application Gateways

Intended to buffer the interface between an internal application and the Internet

Web Servers

Mail Servers

File Transfer

Controls flow of packets into and out of local network

Limit access to specific web sites

Cache results for use by other internal hosts

Hide internal IP addresses from network view


Enterprise Firewalls

Intended to support larger traffic volumes

Provides more sophisticated support

Stateful filtering, etc.

Software

Checkpoint Firewall-1, Microsoft ISA, Symantec Enterprise, etc.

Hardware

Cisco PIX, SonicWall, Watchguard, etc.

Expensive!


Gateway / Packet Filter

May be embedded in sophisticated routers

May be used for SOHO networks

May be incorporated into small SOHO routers

May be incorporated into a gateway host (Linux ?)

Provides the ability to monitor and control packets through the gateway / router.

Generally support in / out / through filtering

May not include stateful filtering capabilities


Host-based Firewalls

Intended as a last line of defense for the host computer

Runs as a background process on host

Limited bandwidth available

Generally supports incoming port filtering

Can specify which ports (if any) can support incoming connection requests.

Occasionally supports outgoing filtering (looking for worms, trojans, etc.)


Firewall Roles

Bastion Hosts

Hardened systems that typically run a firewall and perhaps an application as well

DMZ – demilitarized zone

An isolated subnetwork that includes all services that are offered over the internet (and perhaps to the internal network as well).



Bastion Firewall and Host

[Diagram: Internet – firewall – LAN, with the web server on the bastion host]

DMZ

[Diagram: Internet – firewall – DMZ (web and e-mail servers) – LAN]

What is Packet Filtering?

The process of deciding which packets to allow through the filter, based on attributes of the packet

Source / Destination Port

Source / Destination IP Address

Status flags in the packet (SYN)

Originating protocol (ICMP, TCP, etc.)

Connection state (TCP)

Linux (2.4+) supports Netfilter, which is administered with iptables


How does Packet Filtering Work?

Define rules to allow or block specific types of packets

Firewall screens all packet headers to look for matches against the rules

Apply rules in the order in which they are stored

Allow or block packets based on rule matches.

If a packet matches no rules, apply default behavior to the packet (usually deny).


Packet Filtering Issues

Rules are complex. Easy to introduce errors

Filters based on IP addresses. If authorized sites are hacked, your site is compromised

IP Spoofing can fake authorized (internal?) sites.

Routers can be hacked to reroute internal packets

Activities need to be logged

Internal host addresses should be hidden


Iptables

Administration tool for IPv4 packet filtering and NAT

Used to set up, maintain, and inspect the tables of IP packet filtering rules used by the kernel to manage packet flow through the firewall.

Based on tables that specify the overall task and chains that identify the position of the packet in the packet flow.


IPTables tables

Filter table

Used to control the flow of packets based on packet attributes

Only filter packets, don’t modify packets here.

Network Address Translation (NAT) table

Used to change the source / destination IP address and / or port of selected incoming / outgoing packets

Mangle table

Supports specialized packet handling / routing

Change contents of packet

Experimental and developing tables …


Basic Packet Filtering

[Diagram: filter table with INPUT, FORWARD and OUTPUT chains between the LAN and the Internet; INPUT and FORWARD jump to RH-Firewall-1-INPUT]

Incoming Packets to Filter

Illegal Incoming Source IP Addresses

Your IP Address

Your LAN Address

Private Network Addresses

Multicast IP Addresses

Loopback Interface Addresses

Nuisance sites / networks

Remote Source Port Filtering

Local Destination Port Filtering

Incoming TCP connection-state filtering

Probes and Scans

DoS Attacks

Etc.


Packet Filtering alert list

CERT

www.cert.org – Carnegie Mellon Software Engineering Institute

www.us-cert.gov

Port Filter List (3/08)

Service                 Port(s)
DNS zone transfers      53
tftpd                   69
link                    87
RPC / NFS               111 / 2049
BSD "r" commands        512, 513, 514
lpd                     515
uucpd                   540
openwindows             2000
X windows               6000+

Outgoing Packets to Filter

Why?

Consideration for fair use in Internet

Distribution of private information

Detection of unwanted client programs (Trojans, etc.)

See http://www.us-cert.gov/cas/tips/ST06-001.html

What?

Legitimate, routable addresses only

Destination IP Addresses

Destination ports

Source Ports


Filter Table Chains

May be associated with any interface (eth0, etc.)

INPUT

Used to test packets that come into the firewall

OUTPUT

Used to test packets that are leaving the firewall

FORWARD

Used to test packets that are passing through the firewall

Packets should pass through only 1 chain


Filter table packet flow

[Diagram: incoming packet → routing decision → FORWARD chain (drop or pass on) or INPUT chain (drop or pass to local processes) → OUTPUT chain (drop or send)]

Iptables rule structure

  • iptables -t <table> <action> <chain> <rule> -j <target>

    • Which table are we working with (filter is default)

    • What action do we want to do to that table (insert, delete, etc.)

    • Which chain in that table are we working with

    • What do we want to do?

    • Where do we go if we match the rule?



IPTables Actions

Create a new chain (-N).

Delete an empty chain (-X).

Change the default policy for a chain. (-P).

List the rules in a chain (-L).

Flush the rules out of a chain (-F).

Zero the packet and byte counters on all rules in a chain (-Z).



IPTables Actions

Append a new rule to the end of a chain (-A).

Insert a new rule at some position in a chain (-I).

Replace a rule at some position in a chain (-R).

Delete a rule at some position in a chain, or the first that matches (-D).



IPTables targets

  • ACCEPT

    • Stop processing and pass to application / OS

  • DROP

    • Stop processing and block packet

  • LOG

    • Packet info sent to syslog. Continue processing

  • REJECT

    • Stop processing and send reject message to source

  • DNAT

    • Change destination network address

  • SNAT

    • Change source network address

  • MASQUERADE

    • Do source network address translation (PAT)



Example Filter Rules

# Allow traffic on the loopback interface (OUTPUT matches on the outgoing interface, -o)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Set the default policy for the INPUT chain
iptables --policy INPUT DROP

# Allow new connections unless they arrive on ppp0 (the Internet link)
iptables -A block -m state --state NEW ! -i ppp0 -j ACCEPT

# Block incoming connection attempts to X Windows (port ranges use a colon)
iptables -A INPUT -i eth1 -p tcp --syn --destination-port 6000:6003 -j REJECT


Example Filter Rules (continued)

# Allow incoming connections to the local web server
iptables -t filter -A block -p tcp --dport 80 -i eth1 -j ACCEPT

# Insert a rule at position 7 of the block chain that allows incoming UDP packets to port 12345
iptables -I block 7 -p udp --dport 12345 -j ACCEPT

# Allow new DNS (TCP) requests only when they do NOT arrive on eth1 (the outside interface)
iptables -A block -p tcp --dport 53 -m state --state NEW ! -i eth1 -j ACCEPT

# Allow (and redirect) incoming web connections arriving on eth1 to 192.168.5.6
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.5.6



Simple Firewall table

## Insert connection-tracking modules (not needed if built into the kernel).
insmod ip_conntrack
insmod ip_conntrack_ftp

## Make a chain that blocks new connections, except if coming from the LAN (i.e. not from ppp0).
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW ! -i ppp0 -j ACCEPT
iptables -A block -j DROP

## Jump to that chain from the INPUT and FORWARD chains.
iptables -A INPUT -j block
iptables -A FORWARD -j block


Iptables default config file: /etc/sysconfig/iptables

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT


CentOS 5.5 Firewall – part 1

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target               prot opt source      destination
RH-Firewall-1-INPUT  all  --  anywhere    anywhere

Chain FORWARD (policy ACCEPT)
target               prot opt source      destination
RH-Firewall-1-INPUT  all  --  anywhere    anywhere

Chain OUTPUT (policy ACCEPT)
target               prot opt source      destination


CentOS 5.5 Firewall – part 2

Chain RH-Firewall-1-INPUT (2 references)
target  prot opt source          destination
ACCEPT  all  --  0.0.0.0/0       0.0.0.0/0
ACCEPT  icmp --  0.0.0.0/0       0.0.0.0/0     icmp type 255
ACCEPT  esp  --  0.0.0.0/0       0.0.0.0/0
ACCEPT  ah   --  0.0.0.0/0       0.0.0.0/0
ACCEPT  udp  --  0.0.0.0/0       224.0.0.251   udp dpt:5353
ACCEPT  udp  --  0.0.0.0/0       0.0.0.0/0     udp dpt:631
ACCEPT  tcp  --  0.0.0.0/0       0.0.0.0/0     tcp dpt:631
ACCEPT  all  --  0.0.0.0/0       0.0.0.0/0     state RELATED,ESTABLISHED
ACCEPT  tcp  --  192.168.1.0/24  0.0.0.0/0     state NEW tcp dpt:22
ACCEPT  tcp  --  134.193.12.34   0.0.0.0/0     state NEW tcp dpt:22
ACCEPT  udp  --  0.0.0.0/0       0.0.0.0/0     state NEW udp dpt:137
ACCEPT  udp  --  0.0.0.0/0       0.0.0.0/0     state NEW udp dpt:138
ACCEPT  tcp  --  0.0.0.0/0       0.0.0.0/0     state NEW tcp dpt:139
ACCEPT  tcp  --  0.0.0.0/0       0.0.0.0/0     state NEW tcp dpt:445
ACCEPT  udp  --  0.0.0.0/0       0.0.0.0/0     state NEW udp dpt:2069
ACCEPT  tcp  --  0.0.0.0/0       0.0.0.0/0     state NEW tcp dpt:3128
ACCEPT  tcp  --  0.0.0.0/0       0.0.0.0/0     state NEW tcp dpt:3306
REJECT  all  --  0.0.0.0/0       0.0.0.0/0     reject-with icmp-host-prohibited



Filter table

Input, forward chains point to custom chain

RH-Firewall-1-INPUT

Output chain set to accept all

(allow any outgoing traffic)

RH-Firewall-1-INPUT chain

Initial 4 rules allow broad classes of packets

Allow multicast DNS

Allow ipp (Internet Printing protocol)

Allow incoming UDP packets to port 12345

Special server set up for cs423 class

Allow incoming SSH connections

Reject everything else!
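The chain walk these slides describe (INPUT jumps to RH-Firewall-1-INPUT, rules are tried in stored order, the first terminating target wins, LOG does not terminate, and the chain policy applies only if nothing matched) modelled in Python as an added example; this is not code from the slides. It covers only the match attributes the slides use (interface, protocol, destination port, connection state) and the filter table shown above, and it shows what happens if the final REJECT rule is left out while the INPUT policy is ACCEPT.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Packet:
    iface: str                   # interface it arrived on (-i)
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port (--dport)
    state: str = "NEW"           # conntrack state: NEW, ESTABLISHED, RELATED, INVALID

@dataclass
class Rule:
    target: str                  # ACCEPT, DROP, REJECT, LOG, RETURN, or a user chain name
    iface: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    state: Optional[Set[str]] = None

    def matches(self, p: Packet) -> bool:
        """Every attribute the rule names must match; unnamed attributes are wildcards."""
        return ((self.iface is None or self.iface == p.iface)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.state is None or p.state in self.state))

TERMINATING = {"ACCEPT", "DROP", "REJECT"}
Chains = Dict[str, List[Rule]]

def walk(chains: Chains, policies: Dict[str, str], chain: str,
         pkt: Packet, log: List[Tuple[str, Packet]]) -> Optional[str]:
    """Walk one chain in rule order. Returns the terminating verdict, or None when the
    packet falls off the end of a user chain (control then returns to the caller)."""
    for rule in chains[chain]:
        if not rule.matches(pkt):
            continue
        if rule.target == "LOG":         # non-terminating: record it and keep going
            log.append((chain, pkt))
        elif rule.target in TERMINATING:
            return rule.target
        elif rule.target == "RETURN":
            break
        else:                            # -j <user chain>
            verdict = walk(chains, policies, rule.target, pkt, log)
            if verdict is not None:
                return verdict
    # Built-in chains have a policy; user chains do not, so this is None for them.
    return policies.get(chain)

def filter_verdict(chains: Chains, policies: Dict[str, str], pkt: Packet,
                   entry: str = "INPUT") -> Tuple[Optional[str], int]:
    """Verdict for pkt entering the filter table at `entry`, and how many LOG rules fired."""
    log: List[Tuple[str, Packet]] = []
    return walk(chains, policies, entry, pkt, log), len(log)

def fedora_style_table(final_target: Optional[str] = "REJECT") -> Tuple[Chains, Dict[str, str]]:
    """The /etc/sysconfig/iptables shown on the slides, reduced to what this model expresses.
    final_target=None leaves out the last rule to show why it matters."""
    rh = [
        Rule("ACCEPT", iface="lo"),
        Rule("ACCEPT", proto="icmp"),
        Rule("ACCEPT", state={"ESTABLISHED", "RELATED"}),
        Rule("ACCEPT", proto="tcp", dport=22, state={"NEW"}),
    ]
    if final_target:
        rh.append(Rule(final_target))
    chains: Chains = {"INPUT": [Rule("RH-Firewall-1-INPUT")], "RH-Firewall-1-INPUT": rh}
    return chains, {"INPUT": "ACCEPT"}   # the slides' ":INPUT ACCEPT" policy line
```

With the final rule present a new connection to port 3306 is rejected; without it the packet returns to INPUT and the ACCEPT policy lets it in, which is why the custom chain must end with its own REJECT or DROP.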



Network Address Translation

What?

“Translates” IP addresses and / or ports as packet passes through firewall

Only first packet of a connection will traverse the table. All remaining packets are modified the same as the first packet.

Why?

Private local IP Addresses

Multiple Servers (load sharing)

Transparent Proxying



NAT table

Used to map local IP addresses to a set of routable addresses (NAT)

Used to map local IP addresses to a set of ports associated with a single routable address (NAPT)

Used to map local IP addresses to a set of ports associated with a variable routable address (masquerade)

Dial-up connection

Dynamically assigned IP address

Other



NAT

Two types of NAT

Source NAT (snat) used to translate the source IP address of a packet (typically outgoing)

Destination NAT (dnat) used to translate the destination IP address of a packet (typically incoming).



NAT table chains

Pre-routing

Used to test / modify the destination addresses of incoming packets

Output

Used to change the source (or destination) address of locally generated packets

Post-routing

Used to change the source address of outgoing packets.


NAT table packet flow

[Diagram: incoming packet → destination NAT (PREROUTING) → routing decision → FORWARD chain (drop or pass on) or INPUT chain (drop or pass to local processes) → OUTPUT chain (drop or send) → source NAT (POSTROUTING)]

Simple NAT table rules

# Masquerade out ppp0
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Disallow NEW & INVALID incoming or forwarded packets from ppp0.
iptables -A INPUT -i ppp0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i ppp0 -m state --state NEW,INVALID -j DROP

# Turn on IP forwarding (in RAM)
echo 1 > /proc/sys/net/ipv4/ip_forward

# Turn on IP forwarding (in file /etc/sysctl.conf)
net.ipv4.ip_forward = 1



Mangle table

Used for special routing and packet modification.

Use TOS (type of service) field in IP header.

TTL

Can be used to set and test markers placed


Mangle Table Routing

[Diagram: Internet and AS]

Linux Firewall Mgmt

iptables

Make changes to memory image of firewall rules

iptables-save

Display a copy of the memory image

Can redirect the copy to a file using output redirection

iptables-save > /etc/sysconfig/iptables

iptables-restore

Rebuild memory image from keyboard or file (using redirection)

Security Level and Firewall Applet (Fedora)

Creates an automatic backup file: /etc/sysconfig/iptables



IPTables Constraints

Based on IP – only

Don’t run IPX, appletalk, etc. as these protocols are not filtered

Packets traversing the filter table will pass through only 1 chain



Port Forwarding

[Diagram: Internet → firewall public address 123.234.56.78:80 → HTTPD on LAN host 192.168.3.6:80]


SOHO Router Port Range Forwarding

IPTables Port Forwarding

For incoming packets

iptables -t nat -A PREROUTING -p tcp -d <published-ip> --dport <published-port> -j DNAT --to-destination <private-ip>:<private-port>

For returned packets

iptables -t nat -A POSTROUTING -m conntrack --ctstate DNAT -p tcp -d <private-ip> --dport <private-port> -j SNAT --to-source <published-ip>

For packets originating on firewall

iptables -t nat -A OUTPUT -p tcp -d <published-ip> --dport <published-port> -j DNAT --to-destination <private-ip>:<private-port>



IPtables rerouting Issues

  • Often, when we re-route packets, we only need to change destination (or source) IP address.

  • Sometimes (if we are rerouting to a locally connected destination) we need to change both IP address and MAC address.

  • IPtables only filters IP traffic. It cannot change IPX, netBEUI, Appletalk, etc.



EBtables

  • Ethernet Bridge tables

    • Intended to support filtering of packets that IPtables cannot filter – Ethernet protocol, MAC address, ARP, netBEUI, IPX, etc.

    • Basically adds non–IP filtering.

    • 802.1Q VLAN filtering

    • MAC address NAT

    • Frame counters

  • Linux bridge-nf code

    • Passes bridged traffic to IPtables



EBtables Structure

  • broute table

    • BROUTING chain

    • Choose whether to process packet at layer 2 (bridge) or at layer 3 (route)

    • e.g. route normal IP traffic and bridge IPX traffic

  • filter table

    • FORWARD, INPUT, OUTPUT chains

    • Route packets based on MAC addresses

  • nat table

    • PREROUTING, OUTPUT, POSTROUTING chains

    • Change MAC addresses (redirect based on MAC)


Ethernet Bridge Firewall

[Diagram: Internet – Linux box configured as a bridge, with firewall installed – LAN]

Ethernet Bridge Firewall

  • Use bridging firewall (ebtables) to set up rules to pass packets through host.

    • Since processing happens at Data Link Layer, there is no need to assign an IP address to host interfaces, so machine is invisible to network scanning.

    • Offers better protection, and less configuration of the remaining network.

    • Can also be configured with an IDS.



Ethernet Bridge Firewall

  • Create a virtual Ethernet bridge interface

    • brctl addbr br0

  • Add our interfaces to the bridge

    • brctl addif br0 eth0

    • brctl addif br0 eth1

  • Remove the IP configuration from interfaces

    • ifconfig eth0 down

    • ifconfig eth1 down

    • ifconfig eth0 0.0.0.0 up

    • ifconfig eth1 0.0.0.0 up

  • Configure access for the bridge

    • Local console, OOB network, configure 1 IP


Ethernet Bridge Firewall (2)

[Diagram: Internet – bridge firewall – LAN]

Example Firewall Application

  • Monitor all outgoing Traffic

    • Most firewalls only monitor incoming traffic by default

  • Identify what traffic is desired and block the rest.

    • Many applications generate queries to their servers

    • Spyware

    • Hacks



App development process

  • Capture all outgoing traffic

    • Monitor traffic as it enters or leaves the network – (Ethernet Bridge)

    • Use iptables to log traffic.

      • -A firewall-win1 -j LOG --log-level 4 --log-prefix "Win1 " --log-tcp-options --log-ip-options

    • Set up syslog to divert level 4 messages to a separate file (see syslog.conf)

      • kern.warning    /var/log/iptables.log

    • Save data daily to separate file

      • iptables_log_022011



Primary Firewall Filter Table

# Generated Manually 8/19/10
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [8183:1429550]
:OUTPUT ACCEPT [14722:762210]
-N RH-Firewall-1-INPUT
# Create separate chains for each host - 8/19/10
-N Firewall-Win2
-N Firewall-Win1
-N Firewall-lserver3
#new line 8/26/10 - start monitoring this machine
-N firewall-bridge
-A OUTPUT -j firewall-bridge
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD --src 192.168.1.25 -j Firewall-lserver3
-A FORWARD --src 192.168.1.35 -j Firewall-Win2
-A FORWARD --src 192.168.1.30 -j Firewall-Win1
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j DROP


Win1 Outgoing Firewall Chain

-A Firewall-Win1 --dst 192.168.1.0/24 -j ACCEPT
-A Firewall-Win1 -p icmp -m icmp --icmp-type any -j ACCEPT
-A Firewall-Win1 --dst 134.193.123.45 -j ACCEPT
-A Firewall-Win1 --dst 208.67.222.222 -j ACCEPT
# Allow queries to Dropbox
-A Firewall-Win1 --dst 50.16.0.0/16 -j ACCEPT
# Allow queries to Kaspersky
-A Firewall-Win1 --dst 38.117.98.0/24 -j ACCEPT
-A Firewall-Win1 --dst 38.124.168.0/24 -j ACCEPT
-A Firewall-Win1 --dst 38.113.165.0/24 -j ACCEPT
-A Firewall-Win1 --dst 79.141.216.0/24 -j ACCEPT
# Allow queries to Microsoft (update)
-A Firewall-Win1 --dst 207.46.206.0/24 -j ACCEPT
-A Firewall-Win1 --dst 65.55.200.0/24 -j ACCEPT
-A Firewall-Win1 --dst 64.4.30.0/24 -j ACCEPT
-A Firewall-Win1 --dst 65.54.221.0/24 -j ACCEPT
# Allow queries to dyndns.org
-A Firewall-Win1 --dst 91.198.22.0/24 -j ACCEPT
-A Firewall-Win1 --dst 204.13.248.0/24 -j ACCEPT
-A Firewall-Win1 --dst 208.78.69.0/24 -j ACCEPT
# Lots of multicast traffic. Drop it.
-A Firewall-Win1 --dst 224.0.0.0/8 -j DROP
# Now, log everything else before dropping it
-A Firewall-Win1 -m physdev --physdev-in eth1 -j LOG --log-level 4 --log-prefix "Win1 " --log-tcp-options --log-ip-options
# For everything else, drop the traffic.
-A Firewall-Win1 -j DROP



Capture Outgoing Traffic

  • Data Record – 1 per packet

    • Feb 19 00:01:03 bridge kernel: Win1 IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.168.1.35 DST=66.94.233.186 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=10570 DF PROTO=TCP SPT=2323 DPT=80 WINDOW=65185 RES=0x00 ACK FIN URGP=0

    • Records per day ~ 40k to 80k+


Port Scan Attack Detector (PSAD)

  • Can be configured to detect various network scans, invalid traffic, attacks, etc.

  • Can be used to fingerprint source machines

  • Can be configured to provide active response based on type of input, numbers of input packets for a predetermined period.

  • Can be used to sort and organize logged data.



Summarize traffic

  • psad -m /var/log/iptables/iptables_log_022011 --gnuplot --CSV-fields dst src dp:count --gnuplot-graph points --gnuplot-xrange 0:100 --gnuplot-file-prefix test_022011

    • test_022011.dat

    • 1, 172, 2 ### 1=12.29.100.148 172=192.168.1.35

    • :

    • 39, 172, 96 ### 39=66.94.233.186 172=192.168.1.35

    • :

    • 246, 171, 1 ### 246=216.191.247.139 171=192.168.1.30



Sort Traffic by Source

  • Use script (bash / awk / py / ?) to sort traffic into separate files by source

  • Use DNS to get domain name for sites

  • Win1_022011.lst

    • 12.29.100.148: Output was 0

    • :

    • 66.94.233.186: r3.ycpi.vip.mud.yahoo.net.

    • :

    • 216.137.43.236: server-216-137-43-236.dfw3.cloudfront.net.
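An added Python example (not from the slides) of the sort-by-source script this slide and the Capture Outgoing Traffic slide describe: it parses iptables LOG records in the one-line-per-packet format shown above, groups packets by source host, and picks out the TCP connection attempts, which are far fewer lines to review than every packet. The sample records are constructed for this example, and the DNS lookup step the slide mentions is left out so the script runs offline.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional

# Constructed sample records (not real traffic) in the one-line-per-packet format the
# "Capture Outgoing Traffic" slide shows; the last line is an unrelated kernel message.
SAMPLE_LOG = """\
Feb 19 00:01:03 bridge kernel: Win1 IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.168.1.35 DST=66.94.233.186 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=10570 DF PROTO=TCP SPT=2323 DPT=80 WINDOW=65185 RES=0x00 ACK FIN URGP=0
Feb 19 00:01:09 bridge kernel: Win1 IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.168.1.35 DST=66.94.233.186 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=10571 DF PROTO=TCP SPT=2324 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 19 00:02:15 bridge kernel: Win1 IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.168.1.30 DST=216.137.43.236 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=10601 DF PROTO=UDP SPT=51234 DPT=53 LEN=40
Feb 19 00:02:16 bridge kernel: e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex
"""

# syslog header, then the --log-prefix ("Win1") immediately before the IN= field
HEADER = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
                    r"(?P<prefix>\S+) IN=")
KEYVAL = re.compile(r"\b([A-Z]+)=(\S+)")


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Fields of one iptables LOG record, or None for any other kernel message."""
    m = HEADER.match(line)
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    # KEY=VALUE pairs; for TCP/UDP the second LEN= (transport) overwrites the IP LEN=
    rec.update(KEYVAL.findall(line))
    # bare upper-case tokens (DF, SYN, ACK, FIN, ...) are flags, not KEY=VALUE pairs
    rec["FLAGS"] = [t for t in line.split() if t.isupper() and "=" not in t]
    return rec


def parse_log(text: str) -> List[Dict[str, object]]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def flows_by_source(records) -> Dict[str, Counter]:
    """Group packets by SRC and count each (DST, PROTO, DPT) the host talked to."""
    flows: Dict[str, Counter] = defaultdict(Counter)
    for r in records:
        flows[r["SRC"]][(r["DST"], r.get("PROTO"), r.get("DPT"))] += 1
    return flows


def connection_attempts(records) -> List[Dict[str, object]]:
    """TCP packets with SYN set and ACK clear: one per outgoing connection attempt,
    so reviewing these covers every new connection without reading every packet."""
    return [r for r in records
            if r.get("PROTO") == "TCP" and "SYN" in r["FLAGS"] and "ACK" not in r["FLAGS"]]


def report(flows: Dict[str, Counter]) -> List[str]:
    """One line per (source, destination, protocol/port), busiest destinations first."""
    out = []
    for src in sorted(flows):
        for (dst, proto, dpt), n in flows[src].most_common():
            out.append(f"{src} -> {dst} {proto}/{dpt}: {n}")
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("\n".join(report(flows_by_source(recs))))
    print("new connections:", [(r["SRC"], r["DST"], r["DPT"]) for r in connection_attempts(recs)])
```

To run it over the real daily file, replace SAMPLE_LOG with the contents of iptables_log_022011 (or any file syslog wrote from the kern.warning line above).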



Analyze traffic

  • Are addresses identifiable?

  • Is the traffic known / expected?

  • Why is traffic there?





Summary

What is a firewall?

Architectures

Stand Alone / application / proxy

Personal / host based

Gateway / packet filters

Enterprise / hardware

Packet Filtering concepts

Packet Forwarding

Roles

Bastion

DMZ

EBtables

