Firewall & IP Tables

Presentation transcript:

1 Firewall & IP Tables

2 Firewall IP Tables

3 FIREWALLS All previous security measures cannot prevent Eve from sending a harmful message to a system. To control access to a system, we need firewalls. A firewall is a device installed between the internal network of an organization and the rest of the Internet. It is designed to forward some packets and filter (not forward) others. Topics discussed in this section: Packet-Filter Firewall; Proxy Firewall.

4 What Is a Firewall?
- a choke point of control and monitoring
- interconnects networks with differing trust
- imposes restrictions on network services: only authorized traffic is allowed
- auditing and controlling access; can implement alarms for abnormal behavior
- is itself immune to penetration
- provides perimeter defence

5 What Is a Firewall?
- cannot protect from attacks bypassing it, e.g. sneaker net, utility modems, trusted organisations, trusted services (e.g. SSL/SSH)
- cannot protect against internal threats, e.g. a disgruntled employee
- cannot protect against transfer of all virus-infected programs or files, because of the huge range of O/S and file types

6 Figure: Firewall

7 Types of Firewalls
- Packet Filters
- Application-Level Gateways
- Circuit-Level Gateways

8 There is a Packet Filter in the front

9 Packet Filters

10 Note: A packet-filter firewall filters at the network or transport layer.

11 Packet Filters
- simplest of components
- foundation of any firewall system
- examine each IP packet (no context) and permit or deny according to rules
- hence restrict access to services (ports)
- possible default policies: that which is not expressly permitted is prohibited; that which is not expressly prohibited is permitted

12 Packet-filter firewall

13 Packet Filters

14 Attacks on Packet Filters
- IP address spoofing: fake source address to be trusted; add filters on the router to block
- source routing attacks: attacker sets a route other than the default; block source-routed packets
- tiny fragment attacks: split header info over several tiny packets; either discard or reassemble before checking

15 IP Tables: Stateful Packet Filters
- examine each IP packet in context
- keep track of client-server sessions
- check that each packet validly belongs to one
- better able to detect bogus packets out of context

16 Question Can a stateless firewall block TCP connection initiation requests from an external location to any local host, but at the same time allow returning traffic from connections initiated by local hosts? Why or why not?

17 Question Can a stateless firewall block TCP connection initiation requests from an external location to any local host, but at the same time allow returning traffic from connections initiated by local hosts? Why or why not? Answer: Yes. The firewall filters out SYN packets to a local host, but allows SYN/ACK and other packets to flow through.
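As an added illustration (not part of the slides), the model below puts the stateless rule set from the answer above beside the stateful filter of slide 15 and runs both over a few constructed packets; the addresses, ports and rule order are assumptions. It shows what slide 15 means by "bogus packets out of context": an unsolicited ACK-only packet passes the stateless rules but not the stateful ones.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # source IP
    sport: int      # source port
    dst: str        # destination IP
    dport: int      # destination port
    syn: bool       # TCP SYN flag
    ack: bool       # TCP ACK flag
    inbound: bool   # True when the packet arrives from the Internet side


def stateless_filter(pkt):
    """Examine one packet with no context (slide 11): the first matching rule
    decides; the default policy is 'not expressly permitted is prohibited'."""
    rules = [
        # slide 17: drop connection initiations from outside (SYN set, ACK clear)
        (lambda p: p.inbound and p.syn and not p.ack, "DROP"),
        # ... but let SYN/ACK and other packets of established flows through
        (lambda p: p.inbound and p.ack, "ACCEPT"),
        # internal hosts may open connections outward
        (lambda p: not p.inbound, "ACCEPT"),
    ]
    for match, verdict in rules:
        if match(pkt):
            return verdict
    return "DROP"


class StatefulFilter:
    """Slide 15: keep track of client-server sessions and check that each
    inbound packet validly belongs to one."""

    def __init__(self):
        self.sessions = set()   # (client ip, client port, server ip, server port)

    def filter(self, pkt):
        if not pkt.inbound:
            if pkt.syn and not pkt.ack:      # an internal host opens a session
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        # an inbound packet is a reply only if it reverses a tracked session
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "ACCEPT"
        return "DROP"   # a SYN from outside, or a packet out of context


# Constructed traffic (assumed addresses): an internal client opens an HTTPS
# session and the server replies; then an outside host sends an unsolicited
# ACK-only packet and an unsolicited SYN to the client's SSH port.
CLIENT_SYN = Packet("10.0.0.5", 40000, "203.0.113.7", 443, True, False, False)
SERVER_SYNACK = Packet("203.0.113.7", 443, "10.0.0.5", 40000, True, True, True)
BOGUS_ACK = Packet("198.51.100.9", 50000, "10.0.0.5", 22, False, True, True)
OUTSIDE_SYN = Packet("198.51.100.9", 50000, "10.0.0.5", 22, True, False, True)
TRAFFIC = [CLIENT_SYN, SERVER_SYNACK, BOGUS_ACK, OUTSIDE_SYN]


def run_both(packets=TRAFFIC):
    """Return (stateless verdicts, stateful verdicts) for the packet list."""
    stateful = StatefulFilter()
    return ([stateless_filter(p) for p in packets],
            [stateful.filter(p) for p in packets])
```

Both filters accept the client's SYN and the server's SYN/ACK and drop the outside SYN; only the stateful filter drops the out-of-context ACK.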

18 What is a proxy honey?

19 Application Level Gateway (or Proxy)

20 Note: A proxy firewall filters at the application layer.

21 Proxy firewall

22 Proxy Firewall What is the function of the proxy server in a security context? In computer networks, a proxy server is a server (a computer system or an application program) which services the requests of its clients by forwarding requests to other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource, available from a different server. The proxy server provides the resource by connecting to the specified server and requesting the service on behalf of the client. A proxy server may optionally alter the client's request or the server's response, and sometimes it may serve the request without contacting the specified server. In this case, it would 'cache' the first request to the remote server, so it could save the information for later, and make everything as fast as possible.

23 Firewalls - Application Level Gateway (or Proxy)
- use an application-specific gateway / proxy
- has full access to the protocol: the user requests the service from the proxy; the proxy validates the request as legal, then actions the request and returns the result to the user
- need separate proxies for each service: some services naturally support proxying; others are more problematic; custom services are generally not supported

24 Question What is an application-level gateway?

25 Question What is an application-level gateway? Answer: An application-level gateway, also called a proxy server, acts as a relay of application-level traffic.

26 Question Explain the difference between packet filters and application layer proxies.

27 Question Explain the difference between packet filters and application layer proxies. Answer: Packet filters look at packets one at a time, while application-layer proxies reconstruct application layer entities, such as messages, files, and web pages.

28 Firewalls - Circuit Level Gateway What is a gateway that we need to cross? Circuit Level Gateway

29 Firewalls - Circuit Level Gateway

30 Circuit Level Gateway
- relays two TCP connections
- imposes security by limiting which such connections are allowed
- once created, usually relays traffic without examining contents
- typically used when internal users are trusted, by allowing general outbound connections
- SOCKS is commonly used for this

31 Question What is a circuit-level gateway? Answer: A circuit-level gateway does not permit an end-to-end TCP connection; rather, the gateway sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host. Once the two connections are established, the gateway typically relays TCP segments from one connection to the other without examining the contents. The security function consists of determining which connections will be allowed.

32 Question What is the main security benefit of NAT and why is it useful to combine NAT with a firewall, instead of using separate NAT and firewall devices?

33 Question What is the main security benefit of NAT and why is it useful to combine NAT with a firewall, instead of using separate NAT and firewall devices? Answer: NAT hides the addresses of devices behind the NAT device and prevents attacks that use knowledge of internal network addresses behind the NAT device. Some firewall policies, such as allowing traffic to high-numbered ports only if there was a matching outgoing request, require port numbers and internal addresses. This is easier to determine if the firewall also knows the NAT translation table.

34 Question In a distributed firewall, an administrator ships out firewall rules to hosts over an authenticated channel, and each host enforces its own policy. Give one advantage and one disadvantage of a distributed firewall, in comparison with a centralized firewall.

35 Question In a distributed firewall, an administrator ships out firewall rules to hosts over an authenticated channel, and each host enforces its own policy. Give one advantage and one disadvantage of a distributed firewall, in comparison with a centralized firewall. Answer: Advantage: Can filter traffic between internal hosts on the local network. For example, prevent ssh connections from certain internal hosts, avoiding possible attacks if they are compromised. Disadvantage: Cannot protect against external flooding of an internal network – in a DoS attack, the links between local hosts will be flooded, whereas this could be prevented by throttling incoming traffic at a gateway firewall.

36 Firewall IP Tables


38 What is netfilter/iptables? Netfilter and iptables are building blocks of a framework inside the Linux 2.4.x and 2.6.x kernel. This framework enables packet filtering, network address [and port] translation (NA[P]T) and other packet mangling. It is the re-designed and heavily improved successor of the previous Linux 2.2.x ipchains and Linux 2.0.x ipfwadm systems.

39 Packet Processing in IP Tables All packets inspected by iptables pass through a sequence of built-in tables (queues) for processing. Each of these queues is dedicated to a particular type of packet activity and is controlled by an associated packet transformation/filtering chain. There are three tables in total. The first is the mangle table, which is responsible for the alteration of quality of service bits in the TCP header. This is hardly used in a home or SOHO environment. The second table is the filter queue, which is responsible for packet filtering. It has three built-in chains in which you can place your firewall policy rules. The third table is the nat queue, which is responsible for network address translation. It has two built-in chains.

40 Processing For Packets Routed By The Firewall 1/2 You need to specify the table and the chain for each firewall rule you create. There is an exception: most rules are related to filtering, so iptables assumes that any chain that's defined without an associated table will be a part of the filter table. The filter table is therefore the default.

41 Processing For Packets Routed By The Firewall 1/2 (figure)

42 Processing For Packets Routed By The Firewall 2/2 To help understand iptables, take a look at the way packets are handled by iptables. In the figure, a TCP packet from the Internet arrives at the firewall's interface on Network A to create a data connection. The packet is first examined by your rules in the mangle table's PREROUTING chain, if any. It is then inspected by the rules in the nat table's PREROUTING chain to see whether the packet requires DNAT. It is then routed. If the packet is destined for a protected network, then it is filtered by the rules in the FORWARD chain of the filter table and, if necessary, the packet undergoes SNAT before arriving at Network B. When the destination server decides to reply, the packet undergoes the same sequence of steps. If the packet is destined for the firewall itself, then it is filtered by the rules in the INPUT chain of the filter table before being processed by the intended application on the firewall. At some point, the firewall needs to reply. This reply is inspected by your rules in the OUTPUT chain of the mangle table, if any. The rules in the OUTPUT chain of the nat table determine whether address translation is required, and the rules in the OUTPUT chain of the filter table are then inspected before the packet is routed back to the Internet.

43 Targets & Jumps Each firewall rule inspects each IP packet and then tries to identify it as the target of some sort of operation. Once a target is identified, the packet needs to jump over to it for further processing.
- ACCEPT: iptables stops further processing. The packet is handed over to the end application or the operating system for processing.
- DROP: iptables stops further processing. The packet is blocked.
- LOG: The packet information is sent to the syslog daemon for logging. iptables continues processing with the next rule in the table. You can't log and drop at the same time -> use two rules. Option: --log-prefix "reason"
- REJECT: Works like the DROP target, but will also return an error message to the host sending the packet that the packet was blocked. Option: --reject-with qualifier (the qualifier is an ICMP message)

44 Targets & Jumps
- SNAT: Used to do source network address translation, rewriting the source IP address of the packet. The source IP address is user defined. Option: --to-source ipaddr[-ipaddr][:port-port]
- DNAT: Used to do destination network address translation, i.e. rewriting the destination IP address of the packet. Option: --to-destination ipaddress
- MASQUERADE: Used to do source network address translation. By default the source IP address is the same as that used by the firewall's interface. Option: [--to-ports port[-port]]

45 Important Iptables Command Switch Operations Firewall rules are stored in scripts or databases; most common is scripts. One row example:
iptables -A INPUT -s 0/0 -i eth0 -d <firewall-IP> -p TCP -j ACCEPT
Each line of an iptables script not only has a jump, but also has a number of command line options that are used to append rules to chains that match your defined packet characteristics, such as the source IP address and TCP port. There are also options that can be used to just clear a chain so you can start all over again. Here iptables is being configured to allow the firewall to accept TCP packets coming in on interface eth0 from any IP address destined for the firewall's own IP address. The 0/0 representation of an IP address means any.

46 Important Iptables Command Switch Operations

47 Common TCP and UDP Match Criteria

48 Common TCP and UDP Match Criteria Example:
iptables -A FORWARD -s 0/0 -i eth0 -d <server-IP> -o eth1 -p TCP --sport 1024: --dport 80 -j ACCEPT
Here iptables is being configured to allow the firewall to accept TCP packets for routing when they enter on interface eth0 from any IP address and are destined for an IP address that is reachable via interface eth1. The source port is in the range from 1024 upward (1024:) and the destination port is port 80 (www/http).

49 Defense for SYN flood attacks You can expand on the limit feature of iptables to reduce your vulnerability to certain types of denial of service attack. Here a defense for SYN flood attacks was created by limiting the acceptance of TCP segments with the SYN bit set to no more than five per second. -m limit sets the maximum number of SYN packets. iptables is being configured to allow the firewall to accept a maximum of 5 TCP/SYN packets per second on interface eth0:
iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT
If more than 5 SYN packets per second arrive, the excess packets are dropped. If the source/destination senses dropped packets, it will resend three times; if drops continue after 3 resent packets, the source will reduce its packet rate.
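To show how the "-m limit --limit 5/s" match above actually paces SYN acceptance, here is an added token-bucket model (my own code, not the kernel's or the slides') run over constructed SYN arrival times. It assumes the iptables default burst of 5 for --limit-burst and a DROP default policy on the INPUT chain, which is what makes the surplus SYNs "dropped" as the slide says.

```python
class LimitMatch:
    """Token-bucket model of iptables' -m limit: the bucket starts with
    'burst' tokens (iptables default --limit-burst 5) and refills at 'rate'
    tokens per second; a packet matches only if it can take a token."""

    def __init__(self, rate=5.0, burst=5):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0            # arrival time of the previous packet, seconds

    def matches(self, now):
        # refill for the time elapsed since the last packet, capped at the burst
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def input_chain(syn_times, rate=5.0, burst=5):
    """Slide 49's INPUT chain for SYN packets: the rate-limited ACCEPT rule,
    then the chain's default policy (assumed DROP).  Returns one verdict per
    SYN, given their arrival times in seconds (ascending)."""
    limit = LimitMatch(rate, burst)
    return ["ACCEPT" if limit.matches(t) else "DROP" for t in syn_times]


def summarize(syn_times, rate=5.0, burst=5):
    """Return (accepted, dropped) counts for a list of SYN arrival times."""
    verdicts = input_chain(syn_times, rate, burst)
    return verdicts.count("ACCEPT"), verdicts.count("DROP")


# Constructed arrival times (seconds): a legitimate client sending one SYN
# every half second, then a flood of 20 SYNs within a tenth of a second.
TRICKLE = [0.5 * i for i in range(6)]            # 0.0, 0.5, ..., 2.5
FLOOD = [10.0 + 0.005 * i for i in range(20)]    # 10.000, 10.005, ...

if __name__ == "__main__":
    print("trickle accepted/dropped:", summarize(TRICKLE))   # (6, 0)
    print("flood accepted/dropped:  ", summarize(FLOOD))     # (5, 15)
```

The trickle never exhausts the bucket, so every SYN is accepted; the flood gets only the 5 burst tokens and the remaining 15 SYNs fall through to the DROP policy.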

50 Saving Your iptables Scripts For RedHat based distributions: The service iptables save command permanently saves the iptables configuration in the /etc/sysconfig/iptables file. When the system reboots, the iptables-restore program reads the configuration and makes it the active configuration. The format of the /etc/sysconfig/iptables file is slightly different from that of the scripts shown in this chapter. The initialization of built-in chains is automatic and the string "iptables" is omitted from the rule statements. Fedora comes with a program called lokkit that you can use to generate a very rudimentary firewall rule set. It prompts for the level of security and then gives you the option of doing simple customizations. It is a good place for beginners to start on a test system so that they can see a general rule structure. Like the service iptables save command, lokkit saves the firewall rules in a new /etc/sysconfig/iptables file for use on the next reboot. Once you have become familiar with the iptables syntax, it's best to write scripts that you can comment and then save to /etc/sysconfig/iptables. It makes them much more manageable and readable.

51 Loading Kernel Modules Needed By iptables The iptables application requires you to load certain kernel modules to activate some of its functions. Whenever any type of NAT is required, the iptable_nat module needs to be loaded. The ip_conntrack_ftp module needs to be added for FTP support and should always be loaded with the ip_conntrack module, which tracks TCP connection states. As most scripts will probably keep track of connection states, the ip_conntrack module will be needed in any case. The ip_nat_ftp module also needs to be loaded for FTP servers behind a NAT firewall. Loading kernel modules extends its functionality. Generally kernel modules are like plugins; they add functionality: /lib/modules/ /kernel/net/
Manually loading/unloading modules:
- modprobe (search for module and dependencies)
- insmod (force load module, don't care about dependencies)
- rmmod (remove module)
- lsmod (list modules loaded)
Load some common modules:
- modprobe ip_conntrack (tracking connections)
- modprobe ip_conntrack_ftp (transparent proxy for active ftp)
- modprobe iptable_nat (for all kinds of NAT operations)
- modprobe ip_nat_ftp (for an ftp server behind NAT)

52 Basic Firewall settings Most basic firewall settings:
- Everything from inside is allowed to pass out
- Everything from outside is denied to pass in
Optionally firewalls directly offer security levels. More or fewer protocols are accepted; the most common are SSH, SMTP, WWW, VPN, FTP, DHCP, SMB, TELNET. Levels are usually 3: No security, Medium, High.
- No Security = Firewall is passing everything or is disabled
- Medium = SMTP, SSH, DHCP, FTP
- High = SSH

53 Summary We have considered: firewalls; types of firewalls; IP Tables.

54 How Do You Want to Protect Your Network System? Thank You