
Dr. Igor Santos. Firewalls: types of firewall (packet filtering vs. application filtering; 'stateless' vs. 'stateful'), Netfilter/IPTables, IDS.


1 Dr. Igor Santos

2
• Firewalls
  • Types of firewall
    ▪ Packet filtering vs. application filtering
    ▪ 'Stateless' vs. 'Stateful'
  • Netfilter/IPTables
• IDS
  • NIDS
  • HIDS
• VPN

3 Firewalls

4
• A system that filters traffic between networks, at least two of them
• It can be a physical device or software running on an operating system
• A device with two or more network interfaces on which filtering rules are established; with those rules it decides whether a connection can be established or not

5
• A firewall system contains a set of default rules to:
  ▪ Authorize the connection (allow)
  ▪ Block the connection (deny)
  ▪ Reject the connection request without informing the sender (deny / ignore)

6 Types regarding functionality
• Network layer packet filtering
  ▪ Works at the network layer (layer 3)
  ▪ Often also allows filtering at the transport layer (layer 4) or the data link layer (layer 2)
• Application layer
  ▪ Works at the application layer (layer 7)
  ▪ Application proxy firewall
  ▪ E.g. HTTP traffic filtered by URL → PROXY

7 [Figure: OSI layers (Application, Presentation, Session, Transport, Network, Link, Physical). An application layer firewall filters on HTTP/URL; a packet filtering firewall filters on IP, MAC and protocol+port.]

8 Software firewalls
• Software that runs over general-purpose software
• Advantages
  ▪ Highly customizable settings
  ▪ Inexpensive, flexible and omnipresent hardware
• Disadvantages
  ▪ Difficult to fortify
  ▪ Several require specific hardware

9 Hardware firewall
• It consists of a black box or 'appliance'
• Advantages
  ▪ It offers more security (depending on the reliability of the manufacturer)
• Disadvantages
  ▪ More expensive
  ▪ Less flexible / customizable

10 [Figure: scheme of a typical firewall between the local network and the Internet]

11 [Figure: scheme of a firewall between the LAN and the Internet with a DMZ zone for exposed servers]

12 [Figure: scheme of a firewall between the LAN and the Internet with a DMZ zone for exposed servers, created with a double (perimeter) firewall]

13 'Stateless' firewalls
• Analyze network traffic and filter packets based on source and destination addresses and other static values (network layer, level 3)
• Do not process patterns or data streams
• Use simple rules

14
• It does not understand the concept of a TCP connection
  ▪ It does not take into account the possibility of receiving a packet that claims to be something that was never asked for
  ▪ E.g.: an ACK from source port 80 to port 22
• Examples of 'stateless' firewall rules:
  ▪ Allow IP packets from source network <network>/8
  ▪ Allow UDP packets with destination port 53

15 'Stateful' firewalls
• They do understand the concept of a TCP connection
• The conditions of the rules can be specified in terms of connections, not only in terms of packets
• For example:
  ▪ Allow related packets through established connections from the internal network
  ▪ Allow incoming connections to port 80 (HTTP)

16 Security policies
• Deny
  ▪ The default is to deny everything except those communications that are expressly authorized
• Accept
  ▪ The default is to accept everything and reject only the explicitly forbidden communications
• Deny is the safest
  ▪ However, it requires a precise and restrictive specification of the permitted communications

17 Netfilter/IPTables
• 'Stateful' packet filtering firewall
  ▪ Netfilter is the part in the kernel and is responsible for packet filtering
  ▪ iptables is the user-space tool to manage Netfilter
• Firewalls created this way are just shell scripts with many calls to the iptables command

18 iptables: usage
• iptables receives a packet, analyzes its headers and sends it to one of its processing chains
• Once the packet is in a chain, the rules and policies of that chain are checked, and as soon as one is satisfied the associated action is executed (typically ACCEPT, REJECT or DROP)
• The order in which rules are written is very important
  ▪ If the packet does not match the first rule, the next one is checked

19
• The changes made with iptables are not permanently stored in any file
• The rules must be written in a shell script that is run at startup

20 Three important chains
• INPUT: incoming packets whose destination address is our firewall and which are not modified by NAT
• OUTPUT: outgoing packets
• FORWARD: packets whose source and destination are not the firewall itself but which pass through it, and which may or may not be modified (e.g. doing NAT: Network Address Translation)

21 [Figure: very simplified diagram of what happens when a packet arrives at iptables]

22 Example
  ▪ A TCP packet arrives on port 80 of our machine
  ▪ iptables sends this packet to the INPUT chain, because it is an input packet for our machine
  ▪ In the INPUT chain there is no rule defined for port number 80, so the policy of INPUT is applied, which is DROP (discard)

23 Set the default policy (ACCEPT or DROP) for one chain (INPUT, OUTPUT, FORWARD)
• iptables -P INPUT DROP
• iptables -P OUTPUT ACCEPT

24 Parameters to add rules to a chain
• -A: adds a rule to a chain (at the end)
• -s: IP of the source machine of a packet
• -d: IP of the destination machine of a packet
• -i: interface through which the packet arrives
• -o: interface through which the packet is sent

25
• -p: IP protocol of the packet (tcp, udp, icmp)
• --sport: source port of the packet
• --dport: destination port of the packet
• -j: determines what to do with packets that match a rule
  ▪ ACCEPT
  ▪ DROP
  ▪ REJECT
• -L: displays the current firewall rules

26
• Allow access to our web server
  ▪ iptables -A INPUT -p TCP --dport 80 -j ACCEPT
• Allow access to our FTP server
  ▪ iptables -A INPUT -p TCP --dport 21 -j ACCEPT
• Add a rule to deny all output packets directed to the IP <IP>
  ▪ iptables -A OUTPUT -d <IP> -j DROP

27
• Add a rule so our machine cannot be pinged
  ▪ iptables -A INPUT -p icmp -j DROP
• Allow the machine with IP <IP> to connect to our machine through SSH
  ▪ iptables -A INPUT -s <IP> -p TCP --dport 22 -j ACCEPT
  ▪ iptables -A OUTPUT -d <IP> -p TCP --sport 22 -j ACCEPT

28 Tutorial
• tutorial/iptables-tutorial.html

29 Intrusion Detection System (IDS)

30 IDS: Intrusion Detection System
• Program used to detect unauthorized accesses to a computer or a network
• It is based on network traffic analysis
• They usually have a database of patterns or signatures of known attacks
• It neither protects nor filters; it only detects

31 2 types:
• Network Intrusion Detection System (NIDS)
• Host-Based Intrusion Detection System (HIDS)

32 NIDS
• Use packet sniffers (sensors) to capture network traffic
• The content of each packet is analyzed for malicious patterns
• The sensors are usually located at critical points in the network that have to be monitored:
  ▪ The DMZ
  ▪ Network endpoints

33 [Figure: NIDS pipeline. Network traffic → read the traffic → packet optimized for the engine → rule engine (RULES) searches for a pattern → a pattern matches → alert detected → notify, store in DB or plain text, filter the attacker IP in the firewall (IPS)]

34 Example NIDS: Snort
• It works as a network sniffer
• Detects attacks on the basis of a set of rules
• Saves the alerts in a MySQL database

35 Managing and viewing alerts
• ACID - Analysis Console for Intrusion Databases

36 HIDS
• The sensor consists of a software agent that monitors all the activity on the host on which it is installed
• It searches local information sources on the host, such as system logs
  ▪ User sessions
  ▪ Privileged user activities
  ▪ Changes to the file system
  ▪ ...

37 Example HIDS: OSSEC
• Free, open source host-based intrusion detection system (HIDS)
• Performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerts, ...
• Available for Linux, OpenBSD, FreeBSD, Mac OS X, Solaris and Windows

38 IDS problems
• False positives and false negatives
• Its effectiveness depends largely on its configuration
• They are not easy to implement

39 Other approaches
• IPS (Intrusion Prevention System): besides detection, it takes action
• Event correlator: security knowledge inferred from IDS, IPS, firewalls, AV, etc.


41 VPN - Virtual Private Network

42 VPN: Virtual Private Network
• Technology that allows a local area network (LAN) to be implemented securely within a wide area network (the Internet, for example)
• It requires
  ▪ Encapsulated traffic (IP over TCP, for example)
  ▪ Traffic encryption
  ▪ Traffic compression

43 Advantages
• Comfortable for end users
• Cheaper than a dedicated node
• High level of scalability (e.g. going from 2 to 10 nodes)
• Security

44 Disadvantages
• Overhead on the client side (encapsulation, encryption, data compression)
• Less reliable than a dedicated node
• More complex credential management (certificates)
• The VPN server can easily suffer DoS attacks (by overloading the cryptography)

45 VPN types
• Remote access VPN ("road warriors")
  ▪ Remote and dispersed clients connected to a corporate LAN through a VPN server
• Point-to-point VPN
  ▪ Two or more nodes remotely interconnected over the Internet through encrypted tunnels
• VPN over LAN
  ▪ Implements a secure LAN within a LAN that is considered unsafe (e.g. the Academic Management network within the University network)

46 Typical protocols
• PPTP: Point-to-Point Tunneling Protocol
• L2F: Layer-2 Forwarding (Cisco)
• L2TP: Layer-2 Tunneling Protocol
• IPSec: Internet Protocol Security
• SSL/TLS: Secure Sockets Layer / Transport Layer Security
• SSH: Secure Shell
• The de facto standard is IPSec, although the others are used because they are more straightforward to implement

47 Encrypted tunnels with SSH
• SSH (Secure Shell)
  ▪ Encrypts every connection
  ▪ Allows port forwarding
• It is possible to create encrypted tunnels for insecure protocols
  ▪ Example: HTTP
  ▪ HTTP traffic is encapsulated in the SSH protocol
  ▪ All HTTP traffic is encrypted

48 Tools
• putty (Windows)
  ▪ wnload.html
• ssh (Unix)
  ▪ aptitude install ssh
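The HTTP-over-SSH tunnel of slide 47 with the Unix ssh client, as an added example that is not part of the slides. The SSH server gateway.example.org, the web server intranet-web and the local ports 8080 and 1080 are constructed placeholders; DRY_RUN=1 prints the ssh commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the slides: carry HTTP inside SSH (slide 47) so that
# only SSH is visible on the wire between this host and the gateway.
# Assumed names (constructed): gateway.example.org is the SSH server,
# intranet-web is a web server reachable from it, 8080/1080 are local ports.
GATEWAY="${GATEWAY:-user@gateway.example.org}"
SOCK="${SOCK:-/tmp/ssh-tunnel.sock}"

run() {
    # DRY_RUN=1 prints the command instead of executing it (no SSH server needed).
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Local port forward: browsing http://localhost:8080 reaches intranet-web:80
# through the encrypted session. -f -N backgrounds the session without a
# shell; ExitOnForwardFailure makes ssh fail loudly if the port is taken.
start_http_tunnel() {
    run ssh -f -N -M -S "$SOCK" \
        -o ExitOnForwardFailure=yes \
        -L 8080:intranet-web:80 "$GATEWAY"
}

# Dynamic forward: a local SOCKS proxy. Firefox configured with SOCKS5 host
# localhost, port 1080 and remote DNS then sends all its traffic through SSH
# (this is what the "Firefox configuration" slide amounts to).
start_socks_tunnel() {
    run ssh -f -N -M -S "$SOCK" \
        -o ExitOnForwardFailure=yes \
        -D 127.0.0.1:1080 "$GATEWAY"
}

# The control socket (-M/-S) lets us check and cleanly close the background session.
tunnel_status() { run ssh -S "$SOCK" -O check "$GATEWAY"; }
stop_tunnel()   { run ssh -S "$SOCK" -O exit "$GATEWAY"; }
```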


52 [Figure: client configuration of putty]


54 [Figure: Firefox configuration]
