Firewall Examples. Using a firewall to control traffic in networks



Similar documents
Assignment 3 Firewalls

1:1 NAT in ZeroShell. Requirements. Overview. Network Setup

Lab Objectives & Turn In

GregSowell.com. Mikrotik Security

Linux Routers and Community Networks

Linux MDS Firewall Supplement

Web Browsing Examples. How Web Browsing and HTTP Works

Cisco Configuring Commonly Used IP ACLs

Linux Networking: IP Packet Filter Firewalling

Building Effective Firewalls with MikroTik P R E S E N T E D B Y: R I C K F R E Y, N E T W O R K E N G I N E E R I P A R C H I T E C H S O P E R AT I

Firewalls. Chien-Chung Shen

+ iptables. packet filtering && firewall

Case Study 2 SPR500 Fall 2009

Firewall Firewall August, 2003

Lab - Observing DNS Resolution

Firewall Testing. Cameron Kerr Telecommunications Programme University of Otago. May 16, 2005

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

Policy Based Forwarding

Stateful Firewalls. Hank and Foo

Linux MPS Firewall Supplement

Track 2 Workshop PacNOG 7 American Samoa. Firewalling and NAT

Linux Firewalls (Ubuntu IPTables) II

Firewalls. Network Security. Firewalls Defined. Firewalls

ICS 351: Today's plan. IP addresses Network Address Translation Dynamic Host Configuration Protocol Small Office / Home Office configuration

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Multi-Homing Dual WAN Firewall Router

Internet Protocol: IP packet headers. vendredi 18 octobre 13

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Lab - Observing DNS Resolution

CS Computer and Network Security: Firewalls

allow all such packets? While outgoing communications request information from a

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

How To Set Up A Network Map In Linux On A Ubuntu 2.5 (Amd64) On A Raspberry Mobi) On An Ubuntu (Amd66) On Ubuntu 4.5 On A Windows Box

Application Monitoring using SNMPc 7.0

IP Address: the per-network unique identifier used to find you on a network

The SpeedTouch and Firewalling

Sample Configuration Using the ip nat outside source static

CS Computer and Network Security: Firewalls

Firewalls P+S Linux Router & Firewall 2013

Internet Security Firewalls

netkit lab load balancer web switch 1.1 Giuseppe Di Battista, Massimo Rimondini Version Author(s)

CIT 480: Securing Computer Systems. Firewalls

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

CSE543 - Computer and Network Security Module: Firewalls

UNIVERSITY OF BOLTON CREATIVE TECHNOLOGIES COMPUTING AND NETWORK SECURITY SEMESTER TWO EXAMINATIONS 2014/2015 NETWORK SECURITY MODULE NO: CPU6004

How to install PowerChute Network Shutdown on VMware ESXi 3.5, 4.0 and 4.1

CSC574 - Computer and Network Security Module: Firewalls

Lab - Configure a Windows 7 Firewall

Application Note. Onsight Connect Network Requirements v6.3

Guardian Digital WebTool Firewall HOWTO. by Pete O Hara

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

THE HONG KONG POLYTECHNIC UNIVERSITY Department of Electronic and Information Engineering

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

Firewalls. Chapter 3

Chapter 7. Firewalls

Linux firewall. Need of firewall Single connection between network Allows restricted traffic between networks Denies un authorized users

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

CIT 480: Securing Computer Systems. Firewalls

Firewalls with IPTables. Jason Healy, Director of Networks and Systems

FIREWALL AND NAT Lecture 7a

Lecture 2-ter. 2. A communication example Managing a HTTP v1.0 connection. G.Bianchi, G.Neglia, V.Mancuso

Worksheet 9. Linux as a router, packet filtering, traffic shaping

DNS Basics. DNS Basics

Load Balancing Trend Micro InterScan Web Gateway

NAT & IP Masquerade. Internet NETWORK ADDRESS TRANSLATION INTRODUCTION. NAT & IP Masquerade Page 1 of 5. Internal PC

A S B

TheGreenBow IPsec VPN Client. Configuration Guide Cisco RV325 v1. Website: Contact:

PasserellesNumeriquesCambodia (PNC)

Definition of firewall

CIS 433/533 - Computer and Network Security Firewalls

Implementing Network Address Translation and Port Redirection in epipe

Computer Networks I Laboratory Exercise 1

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Load Balancing Clearswift Secure Web Gateway

Application Note. Stateful Firewall, IPS or IDS Load- Balancing

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300

An Open Source IPS. IIT Network Security Project Project Team: Mike Smith, Sean Durkin, Kaebin Tan

Internet Security Firewalls

Network Monitoring. By: Delbert Thompson Network & Network Security Supervisor Basin Electric Power Cooperative

Firewall. IPTables and its use in a realistic scenario. José Bateira ei10133 Pedro Cunha ei05064 Pedro Grilo ei09137 FEUP MIEIC SSIN

EXPLORER. TFT Filter CONFIGURATION

Lab - Configure a Windows Vista Firewall

Internet Privacy Options

Cisco QuickVPN Installation Tips for Windows Operating Systems

1. Firewall Configuration

Procedure: You can find the problem sheet on Drive D: of the lab PCs. 1. IP address for this host computer 2. Subnet mask 3. Default gateway address

Load Balancing SIP Quick Reference Guide v1.3.1

NAS 224 Remote Access Manual Configuration

Load Balancing Sophos Web Gateway. Deployment Guide

OSBRiDGE 5XLi. Configuration Manual. Firmware 3.10R

Firewalls. configuring a sophisticated GNU/Linux firewall involves understanding

Network Traffic Analysis

Unix System Administration

Linux Firewall Wizardry. By Nemus

LESSON Networking Fundamentals. Understand TCP/IP

Network Security Management

Module: Firewalls. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Transcription:

Using a firewall to control traffic in networks 1 1

Example Network 1 2 1.0/24 1.2.0/24.4 1.0.0/16 Rc 5.6 4.0/24 2 Consider this example internet which has: 6 subnets (blue ovals), each with unique network addresses, e.g. 1.0/24. 5 routers (yellow circles), with names,, and IP addresses on each interface For example, has IP addresses 1/24 and 1.4/26 9 hosts (green squares), with IP addresses based on network address, e.g. 11/24 and 12/24 in the top left hosts. Although there are just 9 hosts shown, in some of the following examples we may assume there are many more hosts on each subnet. 2

Firewall on 12 1 2 1.0/24 1.2.0/24.4 1.0.0/16 Rc 5.6 4.0/24 3 Consider an example of a host-based firewall. Assume 12/24 is your computer and it runs its own firewall. You want to provide some protection by blocking/accepting some traffic. From your computers perspective, all other hosts are potentially malicious (red). 3

Block Ping 1 2 1.0/24 1.2.0/24.4 1.0.0/16 Rc 5.6 4.0/24 4 Lets say you want to block ping from working. call that ping uses ICMP: when a computer pings another computer a ICMP Echo request is sent, and ICMP Echo replies are returned. So to stop ping from working, we will need our firewall to block ICMP packets to be sent out of our computer or if ICMP packets are received, block them from being delivered to an application. 4

Block Ping IN: protocol=icmp; action=drop OUT: protocol=icmp; action=drop 1 2 1.0/24 1.2.0/24.4 1.0.0/16 Rc 5.6 4.0/24 5 We can write the specification of what we want the firewall to do in some strucutured format. On the slide the two rules say: For packets coming IN to the computer, if the protocol is ICMP then DROP the packet For packets going OUT of the computer, if the protocol is ICMP then DROP the packet We will see that most firewall software uses rules using such conditional statements: if a packet matches some conditions, take some action. 5

Firewall contains rules Each packet is checked against firewall rules If conditions in rule are true then perform action on that packet (eg. DROP, ACCEPT) If no rules match, then perform default action Multiple rules are combined to create a table 6 In simple terms, a firewall checks each packet that passes through it against a set of rules. The rules are created by the administrator of the firewall (you). Rules are made up of conditions and actions. If the conditions are true for that packet, then the action is taken. Normally rules are processed one-by-one, in order. If a packet matches all conditions, then normally the action is taken and no further rules are considered for that packet. If a packet doesn't match the rule conditions, then the next rule is checked. If the packet doesn't match any of the rules in the firewall, there should be some default action to take. The set of rules for a firewall can be considered as a table: packets are checked row-byrow. We will see with different firewall software, there may be multiple tables for different purposes. 6

Firewall on Router 1 2 1.0/24 1.2.0/24.4 1.0.0/16 Rc 5.6 4.0/24 7 Now consider a different scenario. In the first example, the firewall was running on a host. But that means for an organisation (such as a company or SIIT), each host must run a firewall and the rules on all hosts must be configured and maintained. It is much easier to instead run a firewall on a router operated by the organisation where all traffic from the hosts pass through that router. Running a firewall on a router is very common for organisations; running firewalls on hosts is more common for home users. In this example, assume the organisation owns the network 1.0/24, including the two hosts and router. To control traffic going to/from the hosts, we will run a firewall on router (purple). Now the network administrator can configure rules on just one firewall to implement the security policies for the entire organisation. We can thing as devices on the organisations network 1.0/24 as internal (green), while all devices on other networks are external (red). There are two types of policies the organisation may implement: Stop external devices from accessing internal resources, e.g. stop computers on the Internet from accessing an internal web server. Stop internal users from access external resources, e.g. stop employees from accessing Facebook. 7

Block Access to SSH Server on 1 1 2 1.0/24 1.2.0/24.4 1.0.0/16 Rc 5.6 4.0/24 8 Assume hosts 11 runs a SSH server. It is only for other internal hosts to connect to; we don't want any external hosts connecting. Therefore the firewall on should be configured to block external hosts from access the internal SSH server on 11. 8

Block Access to SSH Server on 1 1 2 1.0/24 1.2.0/24 FORWARD: Dst=11; Protocol=TCP; DstPort=22; Action=DROP.4 1.0.0/16 Rc 5.6 4.0/24 9 The rule on the slide for the firewall says: If a packet is being forwarded through this router, and the destination is 11, and the transport protocol is TCP, and the destination port is 22, then drop the packet. Going backwards on the conditions: SSH servers by default received packets on port 22; therefore if an external host tries to connect the SSH server on an internal hosts, then the destination port will be 22. SSH is an application layer protocol that uses TCP as the transport protocol. We want to block access to the SSH server on 11; we don't necessarily want to block access to SSH servers on other internal hosts (like 12). Routers normally forward packets: that means the packet is going through the router (the router is not the final destination, nor the original source). We will see (on the next slide) that firewall software can usually have different rules depending on how the packet will be processed (forward, in or out). Note that this firewall rule blocks packets going to the SSH server. Most Internet applications are client/server based, where the client initiates communications by sending a packet to the server. Therefore to stop the application from working, all we need to do is block that first packet from getting to the server. 9

Firewall can have different rules INPUT: Applies only to packets destined to this computer OUTPUT: Applies only to packets created by this computer FORWARD: Applies only to packets going through this computer These are called chains 10 iptables is the firewall software used in Linux. It allows separates sets of rules depending on how the packet is processed by the operating system. The three main processing operations, called chains by iptables, are listed above (INPUT, OUTPUT, FORWARD). This allows us to configure rules in a firewall specific to how it will be processed. Normally, if the firewall is on a host, the INPUT and OUTPUT chains are used. If the firewall is on a router, the FORWARD chain is used (although INPUT and OUTPUT may also be used). 10

Block Access to Web Servers on Network for 2 1 2 1.0/24 1.2.0/24.4 1.0.0/16 Rc 5.6 4.0/24 11 Now lets consider another example with the firewall on the router. Another policy of the organisation is to prevent the internal hosts 12 to access web servers on network. Why? Maybe 3.3.3.0 is the network for Facebook, and the person using 12 has been wasting their time on Facebook, when they should be working. So the organisation will use the firewall to block access to Facebook for that specific host only. 11

Block Access to Web Servers on Network for 2 1 2 1.0/24 1.2.0/24 FORWARD: Src=12; Dst=; Protocol=TCP; DstPort=80; Action=DROP.4 1.0.0/16 Rc 5.6 4.0/24 12 The rule says: If a packet is being forwarded through this router, and it is coming from 12, and it is going to any host on network, and the transport protocol is TCP, and the destination port is 80, then drop the packet. Again we use the destination port number to identify the application (web browsing). Web servers receive data on port 80 by default, so if a web browser on 12 sends a HTTP request to a web server on network, then the destination port will be 80. 12

Firewall Rules Viewed as Table Firewall table for FORWARD: Rule Source Dest. Protocol Action 1 * 11:22 TCP DROP 2 12:* :80 TCP DROP Default * * * ACCEPT When packet arrives at firewall, rules are checked row-by-row. If a rule matches, the ACTION is taken and no further rules are checked. Separate tables for INPUT, OUTPUT and FORWARD chains. 13 Now look at our firewall rules on the router, assuming both policies (block access to SSH on 11, and block web access to 3.3.3.0) are to be implemented. The firewall rules are for the FORWARD chain. There are two rules. The above slide summarizes the rules in the form of a table. As a packet comes into the router, and the operating system determines it is a packet to be forwarded, it is passed to the firewall. The firewall checks the packet against the FORWARD rules above. If a rule matches, the action is taken. If a rule does not match, then the next rule in the table is checked. The syntax of * (wildcard) is used to indicate any value. For example, rule 1 says if the source of the packet is any value. Also, for convenience, the IP address and port numbers are combined, separated by a : (colon). Note that the last (3rd) rule in the table we did not create in the previous examples. It is a default action to take if no other rules match. In this example, if the first 2 rules do not match, then by default the packet will be accepted. Most concepts demonstrated through these examples are common to different firewall software/hardware. However, firewall software may implement them differently. In this lab the firewall software used is called iptables it is the main firewall for Linux operating systems. Other handouts will show how to implement firewall rules using iptables. 13

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information