Network Defense Tools
Prepared by Vanjara Ravikant Thakkarbhai Engineering College, Godhra-Tuwa +91-94291-77234 www.cebirds.in, www.facebook.com/cebirds ravikantvanjara@gmail.com
What is a Firewall?
A firewall is a network security system, either hardware or software based, that controls incoming and outgoing network traffic based on a set of rules. It acts as a barrier between a trusted network and untrusted networks, such as the Internet, or less trusted networks.
How does a firewall work?
When someone on the Internet or on a network tries to connect to your computer, that attempt is called an "unsolicited request." When your computer gets an unsolicited request, Windows Firewall blocks the connection. If you choose to unblock the connection, Windows Firewall creates an exception so that the firewall won't bother you when that program needs to receive information in the future.
Type 1: Hardware Firewall
A hardware firewall prevents intrusions by outside intruders. Because a hardware firewall does not run on your computer, system performance and speed are not affected.
Protects an entire network
Implemented at the router level
Usually more expensive, harder to configure
Type 2: Software Firewall
Software firewalls are installed on your computer (like any software) and you can customize them, which gives you some control over their function and protection features. A software firewall protects your computer from outside attempts to control or gain access to it. Software firewalls use more system resources, such as disk space and memory, than hardware firewalls, which might reduce the speed of your system.
Usually less expensive, easier to configure
Protects a single computer
Examples
Software firewalls: Windows Firewall, ZoneAlarm, Comodo Firewall, Norton Internet Security, Outpost, BlackICE, McAfee Internet Security
Hardware firewalls: Cisco PIX, Fortiguard, Cyberoam, Check Point, NetScreen, NetD, WatchGuard
Firewall Rules
Allow: traffic that flows automatically because it has been deemed
Block: traffic that is blocked because it has been deemed dangerous to your computer
Ask: the user is asked whether or not the traffic is allowed to pass through
Firewall Features
Policy-based access control
Packet filtering
Network Address Translation
Proxy
Encryption
Tunneling
Virtual Private Networking
Firewall Characteristics
Stateful vs. stateless
Rules-based vs. policy-based
Packet inspection vs. packet filtering
Stateful packet inspection
Proxies
Network Address Translation (NAT / NAT with overload)
Virtual Private Networking (VPN)
Packet Firewall Data travels on the internet in small pieces; these are called packets. Each packet has certain metadata attached, like where it is coming from, and where it should be sent to. The easiest thing to do is to look at the metadata. Based on rules, certain packets are then dropped or rejected. The earliest firewalls functioned as packet filters, inspecting the packets that are transferred between computers on the Internet.
When a packet passes through a packet-filter firewall, its source and destination address, protocol, and destination port number are checked against the firewall's rule set. Any packets that aren't specifically allowed onto the network are dropped (i.e., not forwarded to their destination). For example, if a firewall is configured with a rule to block Telnet access, then the firewall will drop packets destined for TCP port number 23, the port where a Telnet server application would be listening. Packet inspection involves opening IP packets, looking beyond the basic network protocol information such as source and destination IP address and other packet header information. Using TCP/IP as an example, a packet inspecting firewall can tell the difference between a web request (TCP port 80), a Telnet request (TCP port 23) and a DNS lookup (UDP port 53).
Firewall vs. Packet Filter
A firewall is a computer connected to both a private (protected) network and a public (unprotected) network, which receives and resubmits specific kinds of network requests on behalf of network clients on either the private or the public network. A packet filter is a set of rules, applied to a stream of data packets, which is used to decide whether to permit or deny the forwarding of each packet. These rules are usually on a router.
Stateful vs. Stateless Firewall
Stateless: Stateless firewalls watch network traffic and restrict or block packets based on source and destination addresses or other static values. They are not aware of traffic patterns or data flows. A stateless firewall uses simple rule sets that do not account for the possibility that the firewall might receive a packet pretending to be something you asked for.
Stateful: Stateful firewalls can watch traffic streams from end to end. They are aware of communication paths and can implement various IP Security (IPsec) functions such as tunnels and encryption. In technical terms, this means that a stateful firewall can tell what stage a TCP connection is in (open, open sent, synchronized, synchronization acknowledged or established), whether the MTU has changed, whether packets have been fragmented, etc.
Stateless firewalls are typically faster and perform better under heavier traffic loads. Stateful firewalls are better at identifying unauthorized and forged communications.
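As an added illustration (not part of the slides) of the stateless and stateful behaviour described above, here is a small Python model: a stateless filter that matches only static header fields against a rule set, and a stateful wrapper that keeps a connection table so return traffic is admitted without a rule and packets claiming to belong to a connection it never saw are dropped. The rule set and the addresses in it are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:            # constructed, simplified packet header
    proto: str           # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False    # TCP SYN flag: first packet of a new connection
    ack: bool = False    # TCP ACK flag

# Stateless rule set: (proto, destination, destination port, action).
# "any" matches every destination; packets with no matching rule are dropped.
RULES = [
    ("tcp", "any", 23, "drop"),        # block Telnet everywhere (slide example)
    ("tcp", "10.0.0.5", 80, "allow"),  # web server (assumed address)
    ("udp", "10.0.0.2", 53, "allow"),  # DNS resolver (assumed address)
]

def stateless_filter(pkt):
    """Check only static header fields; first matching rule wins, else drop."""
    for proto, dst, dport, action in RULES:
        if proto == pkt.proto and dst in ("any", pkt.dst) and dport == pkt.dport:
            return action
    return "drop"

class StatefulFilter:
    """Same rules, plus a connection table keyed by the 5-tuple."""
    def __init__(self):
        self.table = {}  # (proto, src, sport, dst, dport) -> connection state

    def check(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        origin = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if origin in self.table:
            # Reply to a flow an inside host opened: allowed without a rule.
            if pkt.proto == "tcp" and pkt.ack and self.table[origin] == "syn_sent":
                self.table[origin] = "established"
            return "allow"
        if pkt.proto == "tcp" and not pkt.syn:
            return "drop"  # ACK/data with no known connection: forged or stale
        if stateless_filter(pkt) != "allow":
            return "drop"
        self.table[key] = "syn_sent" if pkt.proto == "tcp" else "established"
        return "allow"
```

Note that the stateless filter must either drop DNS replies or carry a loose rule admitting all traffic from port 53, while the stateful filter admits only the reply to a query it saw go out.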
Network Address Translation (NAT)
Firewalls have low-security areas (the outside) and high-security areas (the inside) attached to their network interfaces. Network Address Translation (NAT) is a protocol that firewalls use to translate publicly routable IP addresses on the outside to private IP addresses on the inside, which are not routable on the Internet. This makes it more difficult for attackers to connect to a host protected by the firewall. A firewall providing NAT receives a request from a protected host, strips the non-routable private IP address from the IP datagram and replaces it with a public IP address that is routable on the Internet. Thus external hosts cannot directly connect to protected hosts, as the private IP addresses are blocked by the architecture of the Internet itself.
NAT with Overload (Port Address Translation)
When one outside IP address is used by multiple hosts on different virtual ports, the NAT process is often referred to as NAT with Overload. This allows multiple hosts to use one outside address and to share the virtual port numbers available to the firewall. TCP/IP supports up to 64,000 virtual ports, so many hosts can easily share the single external IP address. This is sometimes called Proxy Address Translation or Port Address Translation.
Fig. Network Address Translation
Port Forwarding
For a packet to reach its destination, it must have an IP address (a host on the network) and a port (a socket on that host). TCP assigns 16-bit port numbers to connections, giving a range of 0-65535. Well-known services like e-mail and the Web have predefined destination port numbers: e-mail uses port 25 (SMTP), and the Web uses 80 (HTTP) and 443 (HTTPS). Operating systems select source ports from a reserved range (0 to 1024). The port range 1024-49151 is referred to as the registered ports. The range 49152-65535 is the dynamic range.
Systems on the Internet must have unique, public (i.e., routable) IP addresses. This ensures that packets for a web site or a gaming server always go to the right destination. If the same public IP address were permitted to be used for different, unrelated servers, traffic control would be a nightmare of congestion and security problems. Port forwarding, or tunneling, is the behind-the-scenes process of intercepting data traffic headed for a computer's IP/port combination and redirecting it to a different IP and/or port. A program running on the destination computer (host) usually causes the redirection, but sometimes it can also be an intermediate hardware component, such as a router, proxy server or firewall.
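An added Python model (not from the slides) of the NAT with overload described above together with a static port forward: outbound flows get the public IP and a port from the dynamic range, replies are mapped back through that table, and unsolicited inbound packets are dropped unless a port-forwarding entry names an inside host. The addresses are constructed; the table is keyed on the public port only, a simplification of real NAT, which also records the remote endpoint.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:   # constructed, simplified IP/TCP header
    src: str
    sport: int
    dst: str
    dport: int

class NatFirewall:
    """NAT with overload: many inside hosts share one public IP, told apart
    by the public-side port. Inbound packets pass only if an inside host
    opened the flow, or a static port forward says so."""

    def __init__(self, public_ip, forwards=None):
        self.public_ip = public_ip
        self.next_port = 49152          # start of the dynamic range on the slide
        self.outbound = {}              # (private ip, private port) -> public port
        self.inbound = {}               # public port -> (private ip, private port)
        self.forwards = dict(forwards or {})  # public port -> (inside host, port)

    def translate_outbound(self, pkt):
        """Inside -> outside: replace the private source with public IP/port."""
        key = (pkt.src, pkt.sport)
        if key not in self.outbound:    # first packet of the flow: allocate a port
            port, self.next_port = self.next_port, self.next_port + 1
            self.outbound[key] = port
            self.inbound[port] = key
        return replace(pkt, src=self.public_ip, sport=self.outbound[key])

    def translate_inbound(self, pkt):
        """Outside -> inside. Returns the rewritten packet, or None if dropped."""
        if pkt.dst != self.public_ip:
            return None
        target = self.inbound.get(pkt.dport) or self.forwards.get(pkt.dport)
        if target is None:
            return None                 # nobody inside asked for this: dropped
        return replace(pkt, dst=target[0], dport=target[1])
```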
Virtual Private Networking (VPN)
A Virtual Private Networking (VPN) connection is an encrypted connection that allows secure access to a local network from a remote location. This is typically done using IP Security tunnels and encryption protocols such as DES. A VPN user uses special software to open a connection to the VPN network access server and provides authentication credentials; after the user's identity has been validated, the user is permitted to access network resources.
VPN provides confidentiality and integrity. By combining the capabilities of a firewall, a NAT device, and a VPN in one network device, you can greatly improve the external security of your internal network without losing convenience or productivity.
Linux Firewall
Any command or configuration file that is configured to block data from coming into your system or LAN is a firewall. Linux has two built-in firewalls, ipchains and iptables. Iptables is easy to configure and manage and is therefore widely used. Iptables rules are organized in chains; each rule blocks or allows data associated with a specific protocol.
Configuring iptables
Iptables regulates data traffic in three directions: in, out and through. You can configure iptables to stop data from coming in from an outside network, to stop data from going out, and to regulate data that is forwarded through the system.
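An added example (not from the slides) of the three directions in Python: it builds a default-deny iptables policy for INPUT, OUTPUT and FORWARD as argument lists, renders them for review, and runs them through subprocess only when asked. The interface names eth0/eth1 and the admin subnet are assumed values.

```python
import subprocess

def build_policy(wan="eth0", lan="eth1", admin_net="192.168.1.0/24"):
    """Return the iptables commands (argument lists) in the order to apply.
    Interface names and the admin subnet are assumed values."""
    rules = [
        # Start clean, then deny by default for traffic coming in or passing through.
        ["-F"], ["-P", "INPUT", "DROP"], ["-P", "FORWARD", "DROP"],
        ["-P", "OUTPUT", "ACCEPT"],
        # In: loopback, replies to connections this host opened, nothing invalid.
        ["-A", "INPUT", "-i", "lo", "-j", "ACCEPT"],
        ["-A", "INPUT", "-m", "conntrack", "--ctstate", "ESTABLISHED,RELATED",
         "-j", "ACCEPT"],
        ["-A", "INPUT", "-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP"],
        # In: new SSH sessions only from the LAN-side admin subnet.
        ["-A", "INPUT", "-i", lan, "-s", admin_net, "-p", "tcp", "--dport", "22",
         "-m", "conntrack", "--ctstate", "NEW", "-j", "ACCEPT"],
        # Through: LAN may open flows to the WAN; only their replies come back.
        ["-A", "FORWARD", "-i", lan, "-o", wan, "-j", "ACCEPT"],
        ["-A", "FORWARD", "-i", wan, "-o", lan, "-m", "conntrack",
         "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"],
        # Out: refuse Telnet leaving the host (the slides' example), allow the rest.
        ["-A", "OUTPUT", "-p", "tcp", "--dport", "23", "-j", "REJECT"],
        # NAT with overload for LAN hosts going out through the WAN interface.
        ["-t", "nat", "-A", "POSTROUTING", "-o", wan, "-j", "MASQUERADE"],
    ]
    return [["iptables", *r] for r in rules]

def render(commands):
    """One shell-style line per command, for review before applying."""
    return "\n".join(" ".join(c) for c in commands)

def apply_policy(commands, dry_run=True):
    """Print the commands, or really run them (root required) when dry_run is False."""
    if dry_run:
        print(render(commands))
        return
    for cmd in commands:
        subprocess.run(cmd, check=True)

if __name__ == "__main__":
    apply_policy(build_policy())
```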
Windows Firewall
Windows Firewall is a software component of Microsoft Windows that provides firewalling and packet-filtering functions. It was first included in Windows XP and Windows Server 2003. Prior to the release of Windows XP Service Pack 2 in 2004, it was known as Internet Connection Firewall. A firewall, at its most basic level, permits or denies communications between computers, between networks, or between computers and networks based on the firewall's configuration rules. You can access the settings for Windows Firewall through the Network and Security section of the Control Panel. Almost all computers and networks communicate by establishing connections between two hosts using an IP address and a port.
Although there are many types of firewalls, the most common type (and the type used in Windows 7, provided by Windows Firewall) permits or denies communications based on IP address and port information. Only connections that are explicitly allowed, using firewall rules, are permitted. Windows Firewall, by default, allows all outbound connections and permits only established inbound connections.
Windows Firewall Snap
Introduction to Intrusion Detection System
Introduction to SNORT IDS
One of the biggest concerns of any security-conscious network administrator is keeping intruders off the network. This can be accomplished through good security practices, such as restrictive policies; updating software frequently also keeps intruders away. Even so, you need to know when such incidents occur. This is where an intrusion detection system (IDS) comes into play. An IDS alerts you when someone has penetrated your defenses (or, in some cases, when someone is attempting to penetrate them). There are a lot of very good IDS systems available, but they may prove to be costly.
In such cases Snort works out to be a very cost-effective option. Snort is an open-source IDS which is available for download for free. Snort is available for various OS platforms, including Windows, and can be downloaded from http://www.snort.org. Snort is distributed under the GNU GPL license by its author, Martin Roesch. Snort is a lightweight network IDS, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis and content searching or matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, OS fingerprinting attempts, and more. Snort has real-time alerting capability as well, with alerting mechanisms for syslog, user-specified files, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient. Snort has three primary uses: as a straight packet sniffer, as a packet logger (useful for network traffic debugging), or as a full-blown network intrusion detection system.
As mentioned earlier, Snort requires a program called WinPcap, the Windows Packet Capture Library. It provides the kind of network access that Snort needs for its IDS and packet-sniffing functions. Snort is mostly a command-line tool. All the Snort executables are stored in the bin directory under the Snort installation directory, so it is a good idea to add this directory to the PATH variable. Executing the command snort with no arguments then shows its help. Snort is now ready for use, starting with packet sniffing.
To make Snort work as a packet sniffer, issue the command snort -v. Administrative privileges are required for the user who executes it. Press Ctrl+C to terminate Snort, as it will display sniffed packet information continuously. The command snort -l LogDir also runs Snort as a packet sniffer, but the output is not displayed on screen; it is logged to a file within the specified directory. Again, Ctrl+C terminates Snort. The rules change frequently, keeping up with (or at least trying to keep up with) the various types of attacks that are going on. The command snort -A puts Snort in alert mode. A modification to the snort.conf file is required to make Snort work as an IDS according to your requirements.
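To show what the rules Snort matches look like, here is an added Python example (not Snort's own code) that parses a small subset of the Snort rule language (the header plus the msg, content and sid options) and runs it over constructed packets, producing alert lines of the kind alert mode emits. Real Snort supports far more header and option syntax than this subset; the rules and traffic below are constructed.

```python
import re
from dataclasses import dataclass

# Rule header: action proto src sport -> dst dport (options)
HEADER = re.compile(r'^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+'
                    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
                    r'\((?P<opts>.*)\)\s*$')
OPTION = re.compile(r'(\w+)\s*:\s*"?([^";]*)"?\s*;')   # msg:"..."; content:"..."; sid:N;

@dataclass
class Rule:
    action: str; proto: str; src: str; sport: str; dst: str; dport: str
    msg: str; content: bytes; sid: int

def parse_rule(text):
    """Parse one rule of the supported subset; raise on anything else."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("unsupported rule: " + text)
    opts = dict(OPTION.findall(m["opts"]))
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dst"], m["dport"],
                opts.get("msg", ""), opts.get("content", "").encode(), int(opts.get("sid", 0)))

def _ok(spec, value):
    """'any' matches everything; otherwise the field must match exactly."""
    return spec == "any" or spec == str(value)

def match(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport and payload (bytes)."""
    return (rule.proto in ("ip", pkt["proto"])
            and _ok(rule.src, pkt["src"]) and _ok(rule.sport, pkt["sport"])
            and _ok(rule.dst, pkt["dst"]) and _ok(rule.dport, pkt["dport"])
            and rule.content in pkt["payload"])   # empty content matches any payload

def run_ids(rules, packets):
    """Return one alert line per (alert rule, packet) hit, as in Snort's -A mode."""
    return [f"[1:{r.sid}] {r.msg} {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']}"
            for p in packets for r in rules if r.action == "alert" and match(r, p)]

# Constructed rules (sids in the local range) and constructed sample traffic.
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> 10.0.0.5 23 (msg:"Telnet connection attempt"; sid:1000001;)',
    'alert tcp any any -> any 80 (msg:"HTTP request for /etc/passwd"; content:"/etc/passwd"; sid:1000002;)',
)]
PACKETS = [
    {"proto": "tcp", "src": "1.2.3.4", "sport": 40000, "dst": "10.0.0.5", "dport": 23, "payload": b""},
    {"proto": "tcp", "src": "1.2.3.4", "sport": 40001, "dst": "10.0.0.5", "dport": 80,
     "payload": b"GET /cgi-bin/view?f=/etc/passwd HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "1.2.3.4", "sport": 40002, "dst": "10.0.0.5", "dport": 80,
     "payload": b"GET /index.html HTTP/1.0\r\n"},
]
```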
Need for IDS
Identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.
Identifying problems with security policies.
Documenting existing threats.
Preventing individuals from violating security policies.
Notifying security administrators of important observed events. This notification, known as an alert, may take the form of audible signals, e-mails, pager notifications, or log entries. A notification message typically includes only basic information regarding an event; administrators need to access the IDPS for additional information.
Conclusion
A firewall is a device that provides secure connectivity between networks.
It is used to implement and enforce a security policy for communication between networks.
Firewalls can protect against some problems (viruses and attacks) that come from the Internet.
They cannot protect against viruses that come from infected media (like an infected office document on a USB flash drive).