Firewalls in Linux
Rodney Barker, Amanda Bolster, Jennifer Dixon
Overview
• START
• The Project Objectives
• Definitions
• What firewall? What technology?
• Installation Process
• Testing
• Problems encountered
• END
The Project …
• Objectives
  • Successfully install a firewall on the Linux-Mandrake Operating System
  • To learn about firewalls
• Why?
  • We haven’t done it before
  • To Have FUN!!!
What is a Firewall?
• “A system designed to prevent unauthorized access to or from a private network” (www.webopedia.com)
• Often used to protect Intranets
• Set of security criteria to define access to a computer or network of computers
Firewalls and Network Interfaces
[Diagram: Internet | External NIC | Firewall | Internal NIC | Intranet]
Firewalls that protect a network from the Internet have two Network Interfaces, one for the Internet, one for the Intranet.
Firewall Techniques
• Packet Filter
  • Based on a set of rules, accept or reject each packet
• Application Gateway
  • Place restrictions on specific applications (eg FTP)
• Circuit-Level Gateway
  • Apply security mechanisms when the connection between computers is established
• Proxy Server
  • Hides true network addresses
Protocols Related to Firewall Security
• Different protocols exist at different layers of the OSI (Open System Interconnection) model.
Firewall Security and the OSI Model
• Because different protocols exist at different levels of the OSI model, firewalls must also provide security at different levels.
• The lower down the OSI model the firewall can provide security, the more effective and efficient the firewall is.
• Firewalls provide security at different levels by establishing IP chain rules for each protocol.
Setting the Firewall Scene…
• Where?
  • In the Linux Lab (PIII computer, called Linux1)
• When?
  • On a dark and stormy Sunday
• What?
  • Linux-Mandrake OS
• Who?
  • Rodney, Amanda, and Jennifer
Theoretical Firewall Use
• Our group selected an installation and configuration process for setting up a personal firewall at home, suitable for:
  • Firewall security for a single personal PC; or
  • Firewall security for a small network
• Therefore, this process is easy for other students and first-time users to understand.
Choosing a Firewall
• Use the Firewall included with Linux-Mandrake OS
  • Only a personal (not network) firewall
• Download a free firewall from the Internet
  • www.freshmeat.net
  • www.linux-mandrake.com
• Purchase a Firewall
  • www.linuxiso.org/
PMFirewall
• Features
  • Autodetection of the IP Address and Netmask of each interface.
  • Blocking of NetBIOS, NetBUS, Back Orifice and Samba attacks.
  • Protection against IP Spoofing Attacks.
PMFirewall
• Features (cont.)
  • Logging of DENY packets.
  • Masquerading support is decided during install.
  • Custom rules can be added to the pmfirewall.rules.local file.
PM Firewall Technology
• The technology underlying PMFirewall is known as IP Chain Software.
• This is the case for many Firewall packages designed for Linux operating systems.
• The configuration of the PMFirewall package automatically configures the underlying IP Chain Software (saving the user from entering the commands manually).
IP Chain Software Description
• IP Chain Software is described by its author Paul Russell as: "...an update to [and hopefully an improvement upon] the 2.0 Linux packet-filtering code, for the 2.2 Linux kernel…”
• IP Chain Software allows for the setting up of a Firewall as well as providing access for multiple PCs using a single Internet connection
IP Chain Software Explained
• Inbuilt in the kernel of the Linux operating system are IP packet filtering capabilities.
• IP Chain software is a program that makes use of these facilities.
• The program examines the header of a packet to determine what action is suitable for each packet.
• Actions include:
  • DENY (discard the packet silently)
  • ACCEPT (let the packet through or out)
  • REJECT (deny and notify the source of the packet)
Obtaining IP Chain Software
• Most distributions of Linux come with preinstalled IP Chain Software.
• IP Chain Software is also readily available for free all over the Internet; below is just one example.
  • http://www.rustcorp.com/linux/ipchains/
• Incidentally you cannot access this site from within the Bond Network as ITS classifies it as Porn!
IP Chains and Kernels
• Certain IP Chain Software is not compatible with certain Linux kernels
  • (As we found out, the IP Chain software used in the Linux Mandrake 8.0 Kernel is not compatible with the PMFirewall Package we were using.)
• Setting up IP Chain Software on older Linux Kernels (earlier than 2.2) may require Kernel manipulation and extra configuration.
IP Chains and Kernels
• Some newer Linux distributions still require the Kernel to be changed to allow IP Masquerading (e.g. SuSe)
• This requires changing and recompiling the Kernel source code (!Danger).
• This is not required when installing PMFirewall on Linux-Mandrake.
IP Chain Syntax (Briefly)
• The Configuration of the PM Firewall does not require knowledge of IP Chain Software. However, for interest, this has been included.
• General Format: ipchains <command> <chain> [<options>]
• Switches
  • -F : flush a chain so it starts fresh
  • -P : sets default handling
  • -A : adds conditions or rules
  • -L : view all rules
• E.g. ipchains -L
IP Chain Syntax
• The rule can apply to
  • Input (incoming traffic)
  • Output (outgoing traffic)
  • Forward (forwarding traffic)
• More switches
  • -i : Specify Network Card
  • -s : Source Address
  • -d : Destination Address
  • -j : Jump - Specify Action
IP Chain Syntax
• The jump switch allows us to specify the action to take with the packet (accept, reject, deny).
• If the Firewall is responsible for masquerading, an option for this switch can be MASQ, in which case the packet’s IP address and port will be modified.
IP Chains Example
ipchains -A input -i eth0 -s 10.2.0.0/16 -d 0.0.0.0/0 -j REJECT
• This command adds a rule to REJECT all INCOMING packets on eth0 from the SOURCE address 10.2.x.x going to any DESTINATION address.
• All IP Chains rules for the PMFirewall package are automatically generated to avoid doing this.
IP Chains Example (annotated)
ipchains -A input -i eth0 -s 10.2.0.0/16 -d 0.0.0.0/0 -j REJECT
  -A              Adds a rule
  input           Incoming packets
  -i eth0         Specify network card
  -s 10.2.0.0/16  Specify source address
  -d 0.0.0.0/0    Specify destination address
  -j REJECT       Specify action to take
Downloading PMFirewall
• We downloaded PMFirewall from:
  • www.pmfirewall.com/PMFirewall/
• The package was then transferred to the Linux lab in the School of IT.
• The package was unzipped into Amanda’s home directory.
Configuring and Starting the Firewall
• Our initial configuration and starting of the firewall failed. The error message displayed informed us that the IP Chains in use were incompatible with the kernel.
• The package we had selected was compatible with the Linux kernel 2.2 (Linux-Mandrake 7.2). We had assumed that it was compatible with the Linux kernel 2.4 (Linux-Mandrake 8.0). This assumption was wrong.
• As a solution we moved to a machine running Linux-Mandrake 7.2, and ensured it was correctly connected to the network.
Configuration Interface
• The configuration offered by PMFirewall was command driven. No GUI facilities were offered.
• Configuration started by typing sh install.sh in a console window, ensuring we were in the directory of the unpacked Firewall.
• Configuration was in a clear question-answer format.
Phases of Configuration
Configuration consisted of three phases:
• Phase 1: IP blocking and permitting
• Phase 2: Setting up underlying IP Chains
• Phase 3: Preparing the Linux kernel
Phase 1: IP blocking and permitting
• Consisted of a set of questions asking us:
  1. To specify the IP Address of any machine we wished to block from all services permanently. As we did not yet know of any hostile IP addresses, we answered NO to this.
  2. To specify the IP Address of any machine we wished to grant full access to all services permanently. Again, we answered NO to this.
Phase 1 Continued
  3. If we wanted our firewall to start on boot-up. For security reasons we answered yes to this.
  4. To specify the IP addresses of the internal network card eth0 and the external network card eth1.
Address Assignment Via DHCP
• During phase 1 we were asked if our external IP address or our internal IP address was assigned via DHCP.
• Dynamic Host Configuration Protocol is a protocol that lets network administrators or ISPs centrally manage and automate the assignment of IP addresses.
• Each time a computer connects to the Internet (or network), the host sends a request to the ISP (or administrator) for an IP address; the ISP (or administrator) automatically checks which addresses are available and replies with the relevant address.
DHCP Continued
• As Linux1 has a permanent IP address within the Linux Lab (not assigned with DHCP), we answered NO to this question.
• If we were connecting to the Internet through an ISP such as Bigpond, we would answer YES to this question.
Phase 2: Setting up IP Chains
• Consisted of a set of questions asking us to specify which protocols we wished our Firewall to allow.
• The package used these questions to set up the IP Chains for the Firewall.
IP Chains
• We were later able to view the IP Chains list to see how these questions were turned into rules.
• This was done by going to the /sbin directory and typing the command:
  ipchains -L
Phase 3
• Consisted of some questions asking if we wished our Firewall to contain, for example:
  • Masquerading
  Masquerading allows outgoing packets from internal hosts to be given the source address of the firewall, rather than their internal IP addresses.
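The IP Chain Syntax slides show one rule and list the switches, and the three configuration phases describe the questions PMFirewall turns into rules. The script below is an added example (not PMFirewall's own code, and not the rule file it generates): it builds the kind of rule set those answers produce, using only the switches the slides name (-F, -P, -A, -i, -s, -d, -j) plus -p, -l and ! -y from the ipchains command. It assumes eth0 is the internal card and eth1 the external card as on the Phase 1 slide; the internal network 192.168.1.0/24 and the blocked address 10.2.0.0/16 are constructed sample values; the name gen_rules and the IPCHAINS variable are mine. By default the commands are printed rather than executed, so it can be read on any machine.

```shell
#!/bin/sh
# Added example: generate an ipchains rule set from PMFirewall-style answers.
# Assumption: IPCHAINS defaults to "echo ipchains" so the commands are only
# printed; set IPCHAINS=/sbin/ipchains on a 2.2-kernel host to apply them.
IPCHAINS="${IPCHAINS:-echo ipchains}"

# gen_rules EXT_IF INT_IF LAN_CIDR "PORTS" MASQ(yes|no) "BLOCKED_SOURCES"
#   Phase 1 answers: blocked sources, internal/external cards
#   Phase 2 answers: TCP ports (services) to allow from outside
#   Phase 3 answer : whether to masquerade the internal network
gen_rules() {
  ext="$1"; int="$2"; lan="$3"; ports="$4"; masq="$5"; blocked="$6"

  # -F: flush each chain so every run starts fresh
  $IPCHAINS -F input
  $IPCHAINS -F output
  $IPCHAINS -F forward

  # -P: default handling. "Disallow everything" means DENY (silent discard)
  # for incoming and forwarded packets; locally generated output is allowed.
  $IPCHAINS -P input DENY
  $IPCHAINS -P forward DENY
  $IPCHAINS -P output ACCEPT

  # Phase 1, Q1: hosts blocked permanently. Placed first so they match
  # before any ACCEPT rule; -l logs the denied packet.
  for src in $blocked; do
    $IPCHAINS -A input -i "$ext" -s "$src" -d 0.0.0.0/0 -j DENY -l
  done

  # Anti-spoofing: a packet claiming an internal source address must never
  # arrive on the external card.
  $IPCHAINS -A input -i "$ext" -s "$lan" -j DENY -l

  # Loopback and the internal network are trusted.
  $IPCHAINS -A input -i lo -j ACCEPT
  $IPCHAINS -A input -i "$int" -s "$lan" -j ACCEPT

  # ICMP control packets, so ping works during testing.
  $IPCHAINS -A input -i "$ext" -p icmp -j ACCEPT

  # Phase 2: one ACCEPT per allowed service (destination port) on the
  # external card. ipchains places the port after the -d address.
  for p in $ports; do
    $IPCHAINS -A input -i "$ext" -p tcp -d 0.0.0.0/0 "$p" -j ACCEPT
  done

  # Replies to connections opened from inside: ipchains has no connection
  # tracking, so accept TCP packets that are not connection requests (! -y).
  $IPCHAINS -A input -i "$ext" -p tcp ! -y -j ACCEPT

  # Phase 3: masquerade internal hosts leaving via the external card.
  if [ "$masq" = yes ]; then
    $IPCHAINS -A forward -i "$ext" -s "$lan" -j MASQ
  fi
}

# Demo run (constructed values): allow SSH and HTTP, masquerade the LAN,
# block 10.2.0.0/16 permanently. Set DEMO=1 to print the rule set.
if [ -n "${DEMO:-}" ]; then
  gen_rules eth1 eth0 192.168.1.0/24 "22 80" yes "10.2.0.0/16"
fi
```

Run it with DEMO=1 sh gen_rules.sh and compare the output with what ipchains -L shows on the firewall after PMFirewall's install.sh; the order matters, because ipchains takes the first matching rule, which is why the permanent blocks and the anti-spoofing rule come before the ACCEPT rules. The MASQ rule only takes effect once IP forwarding is enabled in the kernel, which is the Phase 3 kernel preparation the slides mention.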
Original Firewall Configuration
• The first time we configured our Firewall we disallowed everything
• To test if the Firewall was functioning properly we had to test if anything would be allowed by the firewall
• In order to do this, the following servers had to be installed on our Firewall: Apache Server, SSH Server, FTP, Finger
• We then tested if the Firewall would successfully block these services
Apache Server
• Apache is a Web Server Software Application
• Delivers (serves) web pages on the Internet
SSH Server
• Secure Shell
• A program that allows a user to log into another computer over a network
• It provides secure communication with encryption
FTP
• File Transfer Protocol
• A protocol that is used on the Internet for sending/transferring files
Finger
• This is a program in UNIX that takes an e-mail address and returns information about the user of that e-mail address, such as:
  • Is that user currently logged on?
  • User’s full name
  • User’s Address
  • User’s Telephone Number
Testing
• Test to see if the firewall denied the packets on the ports that were closed
• Test to see if the packets were accepted on the ports that were allowed.
Order
• First ping to see if the computer is responding
  • Ping (Packet Internet Groper) – determines whether an IP Address is accessible by sending a packet to the specified address and waiting for a reply
• Test ports to see if the client could access the server
Method
• First disallowed access to the server on all ports, except control packets
  • eg ICMP (Internet Control Message Protocol) – supports packets that contain error, control, and informational messages. ICMP is used by Ping.
• Allow one service to clients
• Allow multiple services to clients
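The Testing, Order and Method slides describe a manual procedure: ping the firewall, then try each service port from a client and compare with what the rules should allow. The script below is an added example, not part of the project's work; it runs that plan from the client side. It assumes the firewall's address (FIREWALL, constructed as 192.168.1.1), that ping and nc (netcat) are installed on the client, and the port numbers of the four servers the group installed (FTP 21, SSH 22, finger 79, Apache 80); the function names are mine.

```shell
#!/bin/sh
# Added example: client-side test plan for a "deny everything, then allow one
# service at a time" firewall. Assumption: nc and ping exist on the client.
FIREWALL="${FIREWALL:-192.168.1.1}"   # constructed sample address
TEST_PORTS="21 22 79 80"              # FTP, SSH, finger, Apache

# expected_verdict "ALLOWED PORTS" PORT -> ACCEPT if PORT is in the allowed
# list, DENY otherwise (what the rule set should do for that port).
expected_verdict() {
  allowed="$1"; port="$2"
  for p in $allowed; do
    [ "$p" = "$port" ] && { echo ACCEPT; return 0; }
  done
  echo DENY
}

# observed_verdict HOST PORT -> ACCEPT if a TCP connection succeeds within
# 3 seconds, DENY otherwise (what the client actually sees).
observed_verdict() {
  if nc -z -w 3 "$1" "$2" >/dev/null 2>&1; then echo ACCEPT; else echo DENY; fi
}

# check_port HOST "ALLOWED PORTS" PORT -> PASS/FAIL line, return 0 on PASS.
check_port() {
  host="$1"; allowed="$2"; port="$3"
  exp=$(expected_verdict "$allowed" "$port")
  obs=$(observed_verdict "$host" "$port")
  if [ "$exp" = "$obs" ]; then
    echo "PASS port $port: $exp"; return 0
  fi
  echo "FAIL port $port: expected $exp, observed $obs"; return 1
}

# run_plan HOST "ALLOWED PORTS" "TEST PORTS": step 1 ping (ICMP must be let
# through by the rules), step 2 probe every test port. Returns the number of
# ports whose observed verdict differs from the expected one (2 if no ping).
run_plan() {
  host="$1"; allowed="$2"; ports="$3"; fails=0
  if ! ping -c 1 -W 2 "$host" >/dev/null 2>&1; then
    echo "$host does not answer ping; check the ICMP rule first"; return 2
  fi
  for p in $ports; do
    check_port "$host" "$allowed" "$p" || fails=$((fails + 1))
  done
  return $fails
}

# The three stages of the Method slide. Set DEMO=1 to run against $FIREWALL.
if [ -n "${DEMO:-}" ]; then
  echo "Stage 1: nothing allowed";      run_plan "$FIREWALL" ""      "$TEST_PORTS"
  echo "Stage 2: one service (SSH)";    run_plan "$FIREWALL" "22"    "$TEST_PORTS"
  echo "Stage 3: several services";     run_plan "$FIREWALL" "22 80" "$TEST_PORTS"
fi
```

Each stage's expected list has to match the rules loaded on the firewall at that moment, so the plan is run three times as the rules are widened. A closed port shows up the same way whether the rule says DENY or REJECT, but the timing differs: a DENY rule makes nc wait for the 3-second timeout, while REJECT is refused immediately, which is a quick way to confirm which of the two actions a rule is really using.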