1 / 36

Firewalls

Internet. privately administered. firewall. 222.22/16. Firewalls. By conventional definition, a firewall is a partition made of fireproof material designed to prevent the spread of fire from one part of a building to another.

catherineclark
Download Presentation

Firewalls

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Internet privately administered firewall 222.22/16 Firewalls By conventional definition, a firewall is a partition made of fireproof material designed to prevent the spread of fire from one part of a building to another. isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others. Introduction

  2. Firewall goals: • All traffic from outside to inside and vice-versa passes through the firewall. • Only authorized traffic, as defined by local security policy, will be allowed to pass. • The firewall itself is immune to penetration. Introduction

  3. Traditional packet filters filters often combined with router, creating a firewall Stateful filters Application gateways Firewalls: taxonomy Major firewall vendors: Checkpoint Cisco PIX Introduction

  4. source IP address destination IP address source port destination port TCP flag bits SYN bit set: datagram for connection initiation ACK bit set: part of established connection TCP or UDP or ICMP Firewalls often configured to block all UDP direction Is the datagram leaving or entering the internal network? router interface decisions can be different for different interfaces Traditional packet filters Analyzes each datagram going through it; makes drop decision based on: Introduction

  5. Filtering Rules - Examples Introduction

  6. Access control lists Apply rules from top to bottom: Introduction

  7. Access control lists • Each router/firewall interface can have its own ACL • Most firewall vendors provide both command-line and graphical configuration interface Introduction

  8. Advantages and disadvantages of traditional packet filters • Advantages • One screening router can protect entire network • Can be efficient if filtering rules are kept simple • Widely available. Almost any router, even Linux boxes • Disadvantages • Can possibly be penetrated • Cannot enforce some policies. For example, permit certain users. • Rules can get complicated and difficult to test Introduction

  9. Firewall Lab: iptables • Converts linux box into a packet filter. • Included in most linux distributions today. linux host w/ iptables linux host external network your job: configure Introduction

  10. Firewall lab: iptables • iptables • Provides firewall capability to a linux host • Comes installed with most linux distributions • Three types of tables: FILTER, NAT, MANGLE • Let’s only consider FILTER table for now Introduction

  11. linux host w/ iptables protected network Internet network linux host w/ iptables Network or host firewall? Network firewall: linux host with 2 interfaces: filter table Host firewall: linux host with 1 interface: filter table Introduction

  12. linux host w/ iptables network INPUT chain linux host w/ iptables network OUTPUT chain Chain types for host firewall Introduction

  13. INPUT, OUTPUT, FORWARD CHAINS for network firewall • INPUT chain applies for all packets destined to firewall • OUTPUT chain applies for all packets originating from firewall • FORWARD chain applies for all packets passing through firewall. Introduction

  14. linux host w/ iptables linux host w/ iptables linux host w/ iptables protectednetwork protectednetwork protectednetwork Internet Internet Internet Chain types for network firewall INPUT chain OUTPUT chain FORWARD chain Introduction

  15. iptables: Example command iptables –A INPUT –i eth0 –s 232.16.4.0/24 –j ACCEPT • Sets a rule • Accepts packets that enter from interface eth0 and have source address in 232.16.4/24 • Kernel applies the rules in order. • The first rule that matches packet determines the action for that packet • Append: -A • Adds rule to bottom of list of existing rules Introduction

  16. iptables: Example command iptables –A INPUT –i eth0 –j DENY • Sets a rule • Rejects all packets that enter from interface eth0 (except for those accepted by previous rules) Introduction

  17. iptables: More examples iptables –L • list current rules iptables –F • flush all rules iptables –D INPUT 2 • deletes 2nd rule in INPUT chain iptables –I INPUT 1 –p tcp –tcp-flags SYN –s 232.16.4.0/24 –d 0/0:22 –j ACCEPT • -I INPUT 1: insert INPUT rule at top • Accept TCP SYNs to from 232.16.4.0/24 to firewall port 22 (ssh) Introduction

  18. iptables Options -p protocol type (tcp, udp, icmp) -s source IP address & port number -d dest IP address & port number -i interface name (lo, ppp0, eth0) -j target (ACCEPT, DENY) -l log this packet --sport source port --dport dest port --icmp-type Introduction

  19. iptable Table types • FILTER: • What we have been talking about! • 3 chain types: INPUT, OUTPUT, and FORWARD • NAT: • Hide internal network hosts from outside world. Outside world only sees the gateway’s external IP address, and no other internal IP addresses • PREROUTING, POSTROUTING, and others • MANGLE • Don’t worry about it. Introduction

  20. Tables, Chains & Rules • Three types of tables: FILTER, NAT, MANGLE • A table consists of chains. • For example, a filter table can have an INPUT chain, OUTPUT chain, and a FORWARD chain. • A chain consists of a set of rules. Introduction

  21. Firewall Lab m1 m2 m3 Configure m2 with iptables. Introduction

  22. Firewall Lab: Part A • Configure NAT in m2 using NAT table with POSTROUTING chain: • MASQUERADE packets so that internal IP addresses are hidden from external network • From m1 and m3, only allow ssh to external network • This NAT configuration will remain in force throughout the lab Introduction

  23. Firewall Lab: Part B Rules for packets originating from or terminating at m2 (the gateway): • Allow ssh connections originating from m2 and destined to m2. • Allow pings originating from m2 and destined to m2. • Block all other traffic to or from m2. • Hint: Part B requires INPUT and OUTPUT chains but no FORWARD chain Introduction

  24. Firewall Lab: Part C • Flush filter table rules from Part B. • Allow only m1 (and not m3) to initiate an ssh session to hosts in the external network • Reject all other traffic • Hint: Part C requires FORWARD, INPUT and OUTPUT chains Introduction

  25. Stateful Filters • In earlier example, any packet with ACK=1 and source port 80 gets in. • Attacker could, for example, attempt a malformed packet attack by sending ACK=1 segments • Stateful filter: Adds more intelligence to the filter decision-making process • Stateful = remember past packets • Memory implemented in a very dynamic state table Introduction

  26. Stateful filters: example • Log each TCP connection initiated through firewall: SYN segment • Timeout entries which see no activity for, say, 60 seconds If rule table indicates that stateful table must be checked: check to see if there is already a connection in stateful table Stateful filters can also remember outgoing UDP segments Introduction

  27. Stateful example • Packet arrives from outside: SA=37.96.87.123, SP=80,DA=222.22.1.7, DP=12699, SYN=0, ACK=1 • Check filter table ➜ check stateful table 3)Connection is listed in connection table ➜ let packet through Introduction

  28. Application gateways(aka proxy gateways) • Gateway sits between user on inside and server on outside. Instead of talking directly, user and server talk through proxy. • Allows more fine grained and sophisticated control than packet filtering. For example, ftp server may not allow files greater than a set size. • A mail server is an example of an application gateway • Can’t deposit mail in recipient’s mail server without passing through sender’s mail server gateway-to-remote host ftp session host-to-gateway ftp session application gateway Introduction

  29. Configuring client Tools/options/connections/LAN settings/proxies: Introduction

  30. Advantages and disadvantages of proxy gateways • Advantages • Proxy can log all connections, activity in connections • Proxy can provide caching • Proxy can do intelligent filtering based on content • Proxy can perform user-level authentication • Disadvantages • Not all services have proxied versions • May need different proxy server for each service • Requires modification of client • Performance Introduction

  31. Filters packets on application data as well as on IP/TCP/UDP fields. Example: allow select internal users to ftp outside. gateway-to-remote host ftp session host-to-gateway ftp session router and filter application gateway Application gateways + packet filter 1. Require all ftp users to ftp through gateway. 2. For authorized users, gateway sets up ftp connection to dest host. Gateway relays data between 2 connections 3. Router filter blocks all ftp connections not originating from gateway. Introduction

  32. Chaining Proxies proxy 2 proxy 1 Introduction

  33. SOCKS Proxy protocol • Generic proxy protocol • Don’t have to redo all of the code when proxifying an application. • Can be used by HTTP, FTP, telnet, SSL,… • Independent of application layer protocol • Includes authentication, restricting which users/apps/IP addresses can pass through firewall. Introduction

  34. SOCKS proxy protocol 1. For example, let’s assume that browser requests a page 3. The SOCKS Daemon runs on the firewall host. The daemon authenticates the user and forwards all the data to the server. 4. The server receives requests as ordinary HTTP. It does not need a SOCKS library. 2. SOCKS Library is a collection of procedures. It translates requests into a specific format and sends them to SOCKS Daemon Apache/IIS Firefox/Opera/IE Firewall Application HTTP HTTP SOCKS Daemon SOCKS Library TCP TCP TCP Introduction

  35. Demilitarized Zone (DMZ) application gateway firewall Internet Web server Internal network DNS server FTP server Demilitarized zone Introduction

  36. Firewalls: Summary • Filters • Widely available in routers, linux • Stateful filters • Maintains connection state • Application gateways • Often implemented with SOCKS today Introduction

More Related