Cristian-Mihai AMARANDEI
Email: cristian-mihai.amarandei@academic.tuiasi.ro
"Network Service Management" – Course Notes
From: Kenneth Tam et al., UTM Security with Fortinet, Syngress, 2012
Firewall
● A network security system that monitors and controls the incoming and outgoing network traffic based on predetermined security rules.
● A hardware or software appliance that can be configured to block unauthorized access to a network.
● The systems are configured with a set of rules that determine which traffic is allowed and which is blocked or denied.
Firewall
● Firewalls cannot protect against:
– malicious insiders, who can send proprietary information out of the organization or copy confidential information onto a storage device
– connections that do not go through the firewall, such as remote dial-up connections
● A firewall must therefore be combined with antivirus software and an IDPS.
● The term firewall does not necessarily refer to a single router, computer, VPN gateway, or software program.
● Any network firewall is a combination of software and hardware components:
– the term firewall perimeter might be more descriptive.
Firewall goals
● All traffic from outside to inside and vice versa passes through the firewall.
● Only authorized traffic, as defined by the local security policy, will be allowed to pass.
● The firewall itself is immune to penetration.
Firewalls
● Installing and configuring a firewall must follow a security policy.
● Firewall policies
– Permissive versus restrictive policies
  ● Permissive: allows all traffic through the gateway and then blocks services on a case-by-case basis
  ● Restrictive: denies all traffic by default and then allows services on a case-by-case basis
– Enforcement: through setting up packet-filtering rules
Firewall policy
Firewall
● Firewall types
– Software-based firewalls
– Hardware-based firewalls
● Firewall taxonomy
– Traditional packet filters
  ● filters are often combined with a router, creating a firewall
– Stateful filters
– Application gateways
● Some firewalls are designed for consumers
– Internet security suites from companies like Symantec, Bitdefender, Comodo, etc.
– personal firewalls:
  ● rules for blocking traffic are established case by case
  ● the user is prompted whether traffic should be allowed or not
  ● often make use of “default settings”, such as letting the firewall application decide for you or allowing known applications ...
Firewall policy
● Firewall policy: describes how firewalls should handle application traffic
● Risk assessment provides a list of applications
– identify the associated threats and vulnerabilities
● Steps to create a firewall policy:
– identify the network applications that are needed
– determine methods for securing application traffic
– balance security, user requirements, and cost
– consider all firewalls in your network
– develop a traffic matrix for each location
Software-Based Firewalls
● Require extensive work to configure the software
– !!!! secure the operating system by patching or removing vulnerable services
● Free firewall programs
– simplicity
– logging capabilities are not as robust as in some commercial products
– configuration can be difficult and/or ambiguous
Software-Based Firewalls
● Personal firewalls
– located between the Ethernet adapter driver and the TCP/IP stack
– inspect traffic going between the driver and the stack
● Enterprise firewalls
– include a centralized management option
– some are capable of installing multiple instances from a centralized location
– can offer user authentication, NAT
Hardware-based firewalls
● Advantages
– do not depend on conventional OSs
– more scalable than software firewalls
– can handle more data with faster throughput
● Disadvantages
– depend on non-conventional OSs
– more expensive than software products
Comparison (1)
Software – freeware | Small file size; ease of installation | Only minimal features are offered; lack of technical support
(1) Source: Guide to Network Defense and Countermeasures, 3rd Edition
Packet filtering
● Works by screening traffic that arrives on the network perimeter
● Stateless packet filters
– determine whether to allow or block packets based on information in the protocol headers
– most often, filtering is based on common fields of the IP protocol headers:
  ● IP address
  ● ports
  ● TCP flags
    – SYN bit set: datagram for connection initiation
    – ACK bit set: part of an established connection
– vulnerable to IP spoofing attacks, and they have no form of authentication
● Stateful packet filtering
– keeps a record of the connections a host computer has made with other computers (maintains a state table)
– allows incoming packets to pass through only from external hosts that are already connected
Firewall Glossary
● Drop/Deny – the packet is discarded and no other action is taken. Nothing is transmitted to the source. The packet simply disappears.
● Reject – the same idea as drop/deny, except that the source is notified.
● State – the specific state of a packet in relation to a stream of packets.
– When a packet arrives at the firewall for the first time it is considered NEW; if it is part of an already established connection that the firewall is aware of, it is considered ESTABLISHED.
– The state is known through the connection tracking system (which monitors all sessions).
Firewall Glossary
● Chain – a chain contains a set of rules that are applied to packets. Each chain has a specific goal (what a chain can do) and a specific set of actions (e.g. only redirect packets, or only handle packets destined for a particular host).
● Table – each table has a specific goal (there are four tables in iptables). The filter table is designed specifically for packet filtering.
● Match – some type of header field matches some information.
  ● Example: --source means that the source address can be a specific network, or it can be a particular IP address.
– If a packet satisfies all the matches of a rule, processing then jumps to that rule's target (for example, the packet can be rejected).
Firewall Glossary
● Target – there is a destination for each rule in the set. If there is a full rule match, then the specified destination indicates what happens to that packet.
● Rule – in iptables, a rule is a set of one or more matches together with a single target.
● Ruleset – a complete set of rules that is loaded to implement the packet filter.
● Jump – a jump instruction is closely related to the target. A jump instruction is written exactly like a target in iptables, except that the target is the name of another chain. If a match is made, then the packet is sent to that other chain, where it is processed further.
● Connection tracking – a firewall that implements connection tracking is able to follow connections and packet flows, at the cost of memory consumption and CPU.
Firewall Glossary
● Accept – accepting a packet allows it to pass through the firewall rules. It is the opposite of Drop/Deny or Reject.
● Policy – there are two policies to be discussed when implementing a firewall.
  ● Chain policy – defines the default behavior of the firewall when it receives a packet that does not match any of the existing rules.
  ● Security policy – represents the security policy according to written specifications. Security policies are documents that need to be studied before deploying a firewall.
Netfilter – iptables
● Rules are grouped in chains
– Each chain is a list of rules
– Six chains:
  ● predefined: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING
  ● user-defined chains
● Chains are grouped in tables
– Each table is associated with a different type of packet processing.
– 3 predefined tables:
  ● filter — this is the default table.
  ● nat — this table is consulted when a packet creates a new connection.
  ● mangle — used for special altering of packets.
Source: http://en.wikibooks.org/wiki/Communication_Networks/IP_Tables
Iptables
● All tables have predefined targets:
– <user-defined-chain> — a user-defined chain. The name must be unique. Sends the packet to the specified chain.
– ACCEPT – the packet is accepted (default policy for INPUT, OUTPUT and FORWARD)
– DROP – discards the packet without sending any message back
– QUEUE – used to queue packets to user-land programs and applications; it is used in conjunction with programs or utilities that are external to iptables and may be used, for example, for network accounting
– RETURN – causes the current packet to stop traveling through the chain where it hit the rule
– REJECT – basically the same as the DROP target, but it also sends back an error message to the host that sent the blocked packet (i.e. “destination unreachable”)
– LOG – logs the packet (usually to syslog)
Iptables
● The connection-tracking system (--state option in your rules)
– Available options for --state:
  ● NEW: an incoming or outgoing packet which creates a new connection
  ● ESTABLISHED: an incoming or outgoing packet which belongs to an existing connection
  ● RELATED: an incoming or outgoing packet which is related to, but not part of, an existing connection
  ● INVALID: an incoming or outgoing packet which could not be identified for some reason
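The difference between the stateless filter of the "Packet filtering" slide and the connection-tracking states listed above, as an added simulation that is not part of the course notes. The scenario is constructed: the protected host 10.0.0.5 may accept new inbound SSH connections and open any outbound connection; the stateful filter mirrors a restrictive ruleset of `-P INPUT DROP`, `--state ESTABLISHED,RELATED -j ACCEPT` and `--dport 22 --state NEW -j ACCEPT`. A forged packet with only the ACK bit set passes the stateless filter but is classified INVALID by connection tracking.

```python
# Added example, not from the course notes. Constructed scenario: protected host
# 10.0.0.5, policy allows inbound SSH (22) and any outbound connection; the
# stateful filter mirrors -P INPUT DROP, --state ESTABLISHED,RELATED -j ACCEPT
# and --dport 22 --state NEW -j ACCEPT.
from dataclasses import dataclass

PROTECTED_HOST = "10.0.0.5"
ALLOWED_INBOUND_PORTS = {22}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool
    ack: bool

def stateless_filter(pkt):
    # Decides from header fields alone; the ACK bit is taken as proof of an
    # established connection, which a forged packet can simply set.
    if pkt.dst != PROTECTED_HOST:      # outbound from the protected host
        return "ACCEPT"
    if pkt.ack:                        # "ACK bit set: part of established connection"
        return "ACCEPT"
    if pkt.syn and pkt.dport in ALLOWED_INBOUND_PORTS:
        return "ACCEPT"                # permitted new inbound connection
    return "DROP"

class StatefulFilter:
    def __init__(self):
        self.state_table = set()       # tracked flows, keyed by their first packet

    def classify(self, pkt):
        # NEW, ESTABLISHED or INVALID, as the --state match would see the packet
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.state_table or reverse in self.state_table:
            return "ESTABLISHED"
        if pkt.syn and not pkt.ack:
            return "NEW"
        return "INVALID"               # e.g. ACK set but no tracked connection

    def filter(self, pkt):
        state = self.classify(pkt)
        if state == "ESTABLISHED":
            return "ACCEPT"
        if state == "NEW" and (pkt.dst != PROTECTED_HOST or pkt.dport in ALLOWED_INBOUND_PORTS):
            self.state_table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        return "DROP"                  # INVALID, or NEW to a port not in the policy
```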
Iptables command
iptables <table> <command> <chain> <command options>
iptables -t tabletype <action/direction> <packet pattern> -j <what to do>
● The iptables default table is filter
– iptables -t filter -L
– iptables -t filter -L -n
– iptables -t nat -L OUTPUT -v
– iptables -t mangle -L OUTPUT -v -n --line-number
Iptables command
● Flushing rules
– iptables -t filter -F
– iptables -t nat -F PREROUTING
● Default table policy
– iptables -t filter -P INPUT DROP
● User-defined chains (create, delete, rename)
– iptables -N mychain
– iptables -X
– iptables -X mychain
– iptables -E mychain mynewchain
Iptables
Filtering by source/destination
● -s ip_address   All packets are checked for a specific source IP address.
● -d ip_address   All packets are checked for a specific destination IP address.
iptables -A INPUT -s 192.168.75.0/24 -j REJECT
● sends “destination unreachable” back to the source
Iptables
● On EL5 and EL6
– service iptables save
  ● saves the rules in the /etc/sysconfig/iptables file (EL6 only)
– Starting the iptables service
# chkconfig --level 2345 iptables on
# chkconfig --list iptables
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
● On EL7
– systemctl enable iptables
– systemctl start/stop/restart iptables
– iptables-save > /etc/sysconfig/iptables
  ● saves the rules in the /etc/sysconfig/iptables file
● GUI
– system-config-securitylevel (EL5)
– system-config-firewall (EL6)
IP Forwarding
● Also referred to as routing
● To allow Linux to function as a router, IP forwarding must be activated
– located in /etc/sysctl.conf:
net.ipv4.ip_forward = 1
NAT Example
Transparent Firewall
● Traditionally, a firewall is a routed hop and acts as a default gateway for hosts that connect to one of its screened subnets.
● A transparent firewall is a Layer 2 firewall that acts like a “bump in the wire” or a “stealth firewall” and is not seen as a router hop to connected devices. (1)
(1) https://www.cisco.com/c/en/us/support/docs/interfaces-modules/catalyst-6500-series-firewall-services-module/100773-transparent-firewall.html
Iptables - IP Masquerading
● Masquerading is a technique that hides an entire IP address space behind a single IP address in another, usually public, address space
– eth1 – external interface (IP address obtained via DHCP)
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE
SNAT Example
● Change source addresses to 1.2.3.4.
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4
● Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6.
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6
● Change source addresses to 1.2.3.4, ports 1-1023.
iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to 1.2.3.4:1-1023
DNAT Example
● Change destination addresses to 5.6.7.8.
iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8
● Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10.
iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8-5.6.7.10
● Change destination addresses of web traffic to 5.6.7.8, port 8080.
iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 5.6.7.8:8080
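What the masquerading, SNAT and DNAT rules above do to each packet, and why the nat table is only consulted for the first packet of a connection (connection tracking translates the rest), as an added simulation that is not part of the course notes. All addresses are constructed: a LAN 192.168.0.0/24 sits behind the public address 198.51.100.1 on eth1, and an internal web server 192.168.0.10:8080 stands in for the "5.6.7.8:8080" DNAT target.

```python
# Added example, not from the course notes: how the MASQUERADE/SNAT and DNAT
# rules rewrite addresses, and why connection tracking is needed to translate
# the replies back. Constructed values: LAN 192.168.0.0/24 behind public
# 198.51.100.1 on eth1; 192.168.0.10:8080 stands in for the DNAT target.
import ipaddress

PUBLIC_IP = "198.51.100.1"
LAN = ipaddress.ip_network("192.168.0.0/24")
DNAT_MAP = {80: ("192.168.0.10", 8080)}  # -p tcp --dport 80 -j DNAT --to 192.168.0.10:8080

class NatRouter:
    def __init__(self):
        self.snat = {}          # (lan src, sport, dst, dport) -> public source port
        self.dnat = {}          # (ext src, sport, public dport) -> (server ip, port)
        self.next_port = 1024   # next free port on the public address

    def outbound(self, src, sport, dst, dport):
        # POSTROUTING on eth1: replies from the DNAT'ed server get the public
        # address back; LAN sources are masqueraded behind PUBLIC_IP.
        for (esrc, esport, pub_port), (sip, sp) in self.dnat.items():
            if (src, sport, dst, dport) == (sip, sp, esrc, esport):
                return (PUBLIC_IP, pub_port, dst, dport)
        if ipaddress.ip_address(src) not in LAN:
            return (src, sport, dst, dport)   # -s 192.168.0.0/24 does not match
        key = (src, sport, dst, dport)
        if key not in self.snat:              # first packet of a NEW connection
            self.snat[key] = self.next_port
            self.next_port += 1
        return (PUBLIC_IP, self.snat[key], dst, dport)

    def inbound(self, src, sport, dst, dport):
        # PREROUTING on eth1: replies to masqueraded flows are un-translated via
        # the tracked entry; new connections to public port 80 are DNAT'ed.
        for (lsrc, lsport, odst, odport), pub_port in self.snat.items():
            if (src, sport, dst, dport) == (odst, odport, PUBLIC_IP, pub_port):
                return (src, sport, lsrc, lsport)
        if dst == PUBLIC_IP and dport in DNAT_MAP:
            self.dnat[(src, sport, dport)] = DNAT_MAP[dport]
            return (src, sport) + DNAT_MAP[dport]
        return (src, sport, dst, dport)       # no NAT entry: left unchanged
```

Each method returns the packet's (src, sport, dst, dport) tuple after translation, so a second packet of the same LAN flow reuses the tracked public port instead of allocating a new one.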
FirewallD
● Just for reference – we are using iptables !!!
– see the lab instructions on how to install and enable iptables on your VMs
● The new userland interface to netfilter in RHEL/CentOS
● Provides a dynamically managed firewall with support for network/firewall “zones” that assign a level of trust to a network and its associated connections, interfaces or sources.
● Resources:
– https://firewalld.org/documentation/
– Red Hat Enterprise Linux 7 Security Guide – Chapter 5
  ● https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/pdf/security_guide/Red_Hat_Enterprise_Linux-7-Security_Guide-en-US.pdf
– Firewalld HowTo:
  ● https://people.redhat.com/pladd/Firewalld_NYRHUG-2015-12.pdf
– CentOS / RHEL 7: Beginners guide to firewalld
  ● https://www.thegeekdiary.com/centos-rhel-7-beginners-guide-to-firewalld/
– RHEL7: How to get started with Firewalld
  ● https://www.certdepot.net/rhel7-get-started-firewalld/
– An Introduction to Firewalld
  ● https://www.liquidweb.com/kb/an-introduction-to-firewalld/
Reading assignment
● Securing & Optimizing Linux: The Hacking Solution (v.3.0)
http://www.openna.com/pdfs/Securing-Optimizing-Linux-The-Hacking-Solution-v3.0.pdf
– Chapters 9 and 10
● Securing & Optimizing Linux: The Ultimate Solution (v.2.0)
http://www.openna.com/pdfs/Securing-Optimizing-Linux-The-Ultimate-Solution-v2.0.pdf
– Chapters 7, 8 and 9
● Red Hat Enterprise Linux 5 Deployment Guide
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/5/pdf/Deployment_Guide/Red_Hat_Enterprise_Linux-5-Deployment_Guide-en-US.pdf
– Chapter 48.8 (Firewalls)
● Red Hat Enterprise Linux 6 Security Guide
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/pdf/Security_Guide/Red_Hat_Enterprise_Linux-6-Security_Guide-en-US.pdf
– Chapter 2.8 (Firewalls)
References
This presentation is intended for lecturing purposes only and it is based on the references listed below. Therefore, the students are encouraged to (and they should) read the original documents listed below thoroughly in order to improve their skills.
1. http://www.netfilter.org/
2. http://en.wikipedia.org/wiki/Iptables
3. http://en.wikipedia.org/wiki/Netfilter
4. http://en.wikipedia.org/wiki/Network_address_translation
5. Kernel Packet Traveling Diagram – http://www.docum.org/docum.org/kptd/
6. Detecting and deceiving network scans – http://inai.de/documents/Chaostables.pdf
7. Application Layer Packet Classifier for Linux – http://l7-filter.sourceforge.net/
8. conntrack-tools: Netfilter's connection tracking userspace tools – http://conntrack-tools.netfilter.org/
9. ebtables – Linux Ethernet bridge firewalling – http://ebtables.sourceforge.net/
10. IPTables Applicable to CentOS – http://centoshelp.org/networking/iptables-advanced/
11. Netfilter Packet Traversal
  ● http://xkr47.outerspace.dyndns.org/netfilter/packet_flow/packet_flow9.png
  ● http://linux-ip.net/nf/nfk-traversal.pdf
12. http://www.danielmiessler.com/study/iptables/
13. https://iximiuz.com/en/posts/laymans-iptables-101/