Firewalls 1
Overview Background General Firewall setup Iptables Introduction Iptables commands Limit Function Explanation with icmp and syn floods Zone Alarm ECE 4883 - Internetwork Security 2
What is a Firewall? Firewall a hardware, software, or combination of the two that prevents unauthorized access to or from a private network. ECE 4883 - Internetwork Security 3
Benefits Uninhibited internal LAN traffic Ability to leave internal ports open without fear of those ports being abused Sense of security by filtering WAN interface for expected traffic ECE 4883 - Internetwork Security 4
Traffic Control Three methods used to control traffic flowing in and out of the network! Packet Filtering! Proxy Filtering! Stateful Inspection ECE 4883 - Internetwork Security 5
Firewall Configuration Rules/filters can be defined to look for a number of things, some of these are:! IP addresses! Domain names! Protocols - IP TCP HTTP FTP UDP ICMP SMTP SNMP Telnet! Ports! Specific words and phrases ECE 4883 - Internetwork Security 6
What You re Protected From Security Level HIGH MIDDLE LOW External packets allowed none pre-defined ports (web,ssh) and established connections all packets ECE 4883 - Internetwork Security 7
What You re Protected From We allow traffic that is expected! The firewall is responsible for inspecting connections and packet headers We allow all traffic on a few specific ports! Certain ports are forwarded to a server ECE 4883 - Internetwork Security 8
Expected Traffic Protects you from floods of packets! TCP/SYN, PING/REPLY, IP SPOOFING Protects you from scans! Port scans and vulnerability probes Blocks unwanted connections! Telnet, SSH, FTP, and others can be regulated ECE 4883 - Internetwork Security 9
Port Forwarding Biggest security hole in our firewall Opened ports to allow traffic to servers! All incoming data on this specific port is allowed in, and forwarded to server Hackers could exploit this open port Hackers could exploit a bug in the software on the server ECE 4883 - Internetwork Security 10
Demilitarized Zone (DMZ) Frontline of protection A network added between a protected network and external network in order to provide an additional layer of security -SI Security Does not allow external networks to directly reference internal machines Acts as system of checks and balances to make sure that if any one area goes bad that it cannot corrupt the whole ECE 4883 - Internetwork Security 11
Common Firewall Configurations http://www.firewall.cx/firewall_topologies.php Firewall takes care of passing packets that pass its filtering rules between the internal network and the Internet, and vice versa. May use IP masquerading but that's all it does. Also known as a dual-homed host The two "homes" refer to the two networks that the firewall machine is part of! one interface connected to the outside home! the other connected to the inside home. ECE 4883 - Internetwork Security 12
Common Firewall Configurations http://www.firewall.cx/firewall_topologies.php The firewall needs only two network cards. If you control the router you have access to a second set of packet-filtering capabilities. If you don't control the router, your DMZ is totally exposed to the Internet. Hardening a machine enough to live in the DMZ without getting regularly compromised can be tricky. The exposed DMZ configuration depends on two things:! 1) an external router! 2) multiple IP addresses. If you connect via PPP (modem dial-up), or you don't control your external router, or you want to masquerade your DMZ, or you have only 1 IP address, you'll need to do something else. There are two straightforward solutions to this, depending on your particular problem. ECE 4883 - Internetwork Security 13
Common Firewall Configurations http://www.firewall.cx/firewall_topologies.php One solution is to build a second router/firewall. Useful if you're connecting via PPP Exterior router/firewall (Firewall 1)! responsible for creating the PPP connection and controls the access to our DMZ zone The other firewall (Firewall 2)! is a standard dual-homed host just like the one we spoke about at the beginning The other solution is to create a three-legged firewall, which is what we are going to talk about next ECE 4883 - Internetwork Security 14
Common Firewall Configurations http://www.firewall.cx/firewall_topologies.php Need an additional network adapter in your firewall box for your DMZ. Firewall is configured to route packets between the outside world and the DMZ differently than between the outside world and the internal network. You can masquerade the machine or machines in the DMZ too, while keeping them functionally separate from protected internal machines. The primary disadvantage to the threelegged firewall is the additional complexity. Access to and from the DMZ and to and from the internal network is controlled by one large set of rules. It's pretty easy to get these rules wrong if you're not careful! On the other hand, if you don't have any control over the Internet router, you can exert a lot more control over traffic to and from the DMZ this way. It's good to prevent access into the DMZ if you can. And I think that just about completes our discussion of Firewall Topologies! ECE 4883 - Internetwork Security 15
Lab Setup Firewall workstations One firewall host and two virtual machines ECE 4883 - Internetwork Security 16
Iptables Introduction Iptables is a fourth generation firewall tool for Linux Requires kernel 2.35 or above with netfilter framework Iptables inserts and deletes rules from the kernel s packet filtering table Replacement for ipfwadm and ipchains ECE 4883 - Internetwork Security 17
How packets traverse the filters 3 default chains: INPUT, FORWARD, OUTPUT Incoming Routing Decision FORWARD Outgoing INPUT OUTPUT Local Process ECE 4883 - Internetwork Security 18
How packets traverse the filters (continued) When a packet reaches a circle, that chain determines the fate of the packet The chain can say to DROP the packet or ACCEPT it. If no rules match in chain, the default policy is used (usually to DROP) ECE 4883 - Internetwork Security 19
Network Address Translation The table of NAT rules invoked by iptables t nat contains PREROUTING and POSTROUTING chains PREROUTING Routing Decision POSTROUTING Local Process ECE 4883 - Internetwork Security 20
NAT and iptables PREROUTING Routing Decision FORWARD POSTROUTING INPUT OUTPUT Local Process ECE 4883 - Internetwork Security 21
Masquerading Special form of Source NAT Dynamically changes source address to that of the firewall Simple one-line rule iptables A POSTROUTING t nat o eth0 j MASQUERADE ECE 4883 - Internetwork Security 22
Creating your own rules Adding/Deleting rules:! Append a new rule to an existing chain: iptables A <chain> iptables -A PREROUTING -t nat -p tcp -d 1.2.3.4 --dport 80 -j \ DNAT --to 19268:80! Deleting a rule from an existing chain: iptables D <chain> <rule info> iptables -D INPUT --dport 80 -j DROP, iptables -D INPUT 1 Changing chains:! Creating a new chain: iptables N <name> iptables N PERMISSION ECE 4883 - Internetwork Security 23
Creating your own rules (contd)! Delete an empty chain: iptables X <name> iptables X PERMISSION! List the rules of a chain: iptables L <name> iptables L PERMISSION! Flush a chain (delete all rules in a chain): iptables F <name> iptables F PERMISSION ECE 4883 - Internetwork Security 24
More iptables commands Specifying jump! If a packet matches a specified rule, jump (-j option) to another chain: iptables A INPUT j DROP Specifying protocol! Used to specify the protocol, tcp, udp, or icmp (case sensitive) using p option. iptables A INPUT p icmp Specifying inversion! Used to invert any rules using the! option iptables A INPUT p! tcp ECE 4883 - Internetwork Security 25
Iptables commands (contd) Specifying interface! Specified with the -i (input) or -o (output) iptables A INPUT i eth0 #check packets coming in on interface eth0 Specifying source/destination! Can be specified in 4 ways: name (www.cnn.com), IP (1926801), group (1622.23.22/24), using IP/netmask (1926805/255.255.255.0). Use -s for source, and -d for destination. iptables A INPUT s 1926801/24 d 1926805 ECE 4883 - Internetwork Security 26
State matching Different states are checked to analyze packets (need to have ip_conntrack module loaded). The states that are checked are:! NEW: A packet that creates a new connection.! ESTABLISHED: A packet belonging to an existing connection (reply or outgoing packet).! RELATED: A packet that is related to, but not part of an existing connection (ICMP error).! INVALID: A packet that could not be identified. ECE 4883 - Internetwork Security 27
Port Forwarding Using NAT table, destination address is changed based on the port iptables A PREROUTING t nat d 10.0 p tcp \ --dport 80 j DNAT --to 19268.3:80 ECE 4883 - Internetwork Security 28
Defending against ICMP Ping Floods and tcp syn attack Using limit module specified with -m limit packets can be restricted based on rate of matches iptables A INPUT p icmp -icmp-type echo-request \ m limit -limit 1/s -limit-burst 5 j ACCEPT Limit burst recharges 1 packet every second. This is based on the 1/s limit specified. ECE 4883 - Internetwork Security 29
Zone Alarm Firewall for the Windows OS. Several types of alerts:! New program alerts: Accept/deny programs to access the internet.! Repeat program alerts: grant access permission to program that has already requested before.! Server program alerts: grant server permission to a program. Caution: Some Trojan horses require server access to execute.! Changed program alerts: If a program has been changed since the last time it access the internet. ECE 4883 - Internetwork Security 30
What is a zone? Zone Alarm classifies computer and networks that you communicate with into good, bad, and unknown zones. 3 types:! Internet Zone: is the unknown zone. All computers and networks belong to this zone until you move them to one of the other zones.! Trusted Zone: is the good zone. Contains all computers you trust.! Blocked Zone: is the bad zone. Contains all computers you distrust (only available in Zone Alarm Pro and Zone Alarm Plus version). ECE 4883 - Internetwork Security 31
What is a zone? (contd.) When another computer wants to communicate with your computer Zone Alarm looks at what zone it belongs to and decides what to do. ECE 4883 - Internetwork Security 32
Summary Firewalls filter unwanted traffic. Port Forwarding: big security hole. Network Address Translation. Use iptables to setup filters. State checking. Zone Alarm: Firewall for Windows OS. ECE 4883 - Internetwork Security 33
Acknowledgements Firewall Topologies, http://www.firewall.cx/firewall_topologies.php Russell, Rusty, Linux 2.4 Packet Filtering HOWTO http://www.netfilter.org/documentation/howto/packet-filtering-howto.html Startup script and basis for rules Stephens, James C. http://www.sns.ias.edu/~jns/security/iptables/ Steams, William Adaptive Firewalls with IP Tables http://www.ists.dartmouth.edu/iria/knowledge_base/adaptive_firewalls.htm Tyson, Jeff, How Firewalls Work http://computer.howstuffworks.com/firewall.htm/ Young, Scott Designing a DMZ http://www.sans.org/rr/firewall/dmz.php ZoneAlarm tutorial information provided from http://www.zonelabs.com ECE 4883 - Internetwork Security 34
Hardware Firewalls A hardware firewall usually has 3 interfaces! Inside Trusted area of the internetwork.! Outside Untrusted area of the internetwork! DMZ Isolated area of the internetwork with limited access to Outside users. ECE 4883 - Internetwork Security 35
Hardware Firewalls ECE 4883 - Internetwork Security 36
Cisco Firewalls PIX 515E Different modes of configuration! Unprivileged Mode! Privileged Mode! Configuration Mode! Monitor Mode Can type unique short forms of commands in each mode! Example: config t for configure terminal, write t for write terminal ECE 4883 - Internetwork Security 37
Cisco Firewalls PIX 515E ASA Adaptive Security Algorithm Data Flow relative to security levels! Security Level 100 For trusted Inside interface and internal traffic! Security Level 0 For untrusted Outside interface! Security Level 1-99 Can be assigned to perimeter interfaces like DMZ ECE 4883 - Internetwork Security 38
PIX Lab Network Setup Need to get an ECE UNIX account! Can only access firewall from ECE machines ssh into digiconsole.ece-int.gatech.edu ssh into 19268.254.2! Actual digital console! Controls all routers and other hardware Need a terminal to the normal lab network ECE 4883 - Internetwork Security 39
PWR OK WI C 0 ACT/CH0 ACT/CH1 WI C 0 ACT/CH0 ACT/CH1 ETH ACT COL Lab Network - Mini-Net GTISC Mini-Net NETWORK/MASK:VLAN Autonomous System RIP OSPF BGP Version 9 January 19, 2004 Accounting-rtr Cisco 1720 #11.2 1726.7.0/24:107.2.2 #10 Engineering-rtr Cisco 1720 ENTERPRISE AS 64800 Cisco UNIVERSITY AS 64900 Georgia Tech 1726.6.0/24:106 1726.4.0/24:104 1726.5.0/24:105 1726.8.0/24:108 OSPF 0 R3 51 Gatech Webserver Redhat Apache http://www.gatech.edu R10.2 #8 Gateway-rtr Cisco 1760-K9 1726.3.0/24:103 R2 Terminal R2 1726.2.0/24:102 #6 Edge1-rtr Cisco 1760-K9 138.210.240.0/24:210.3 Cisco-dns Dell Poweredge.99.254 TIER 1 AS 64514 Abilene 19268.0.0/24:101 Edge-fwall Cisco PIX-515E 212.43.0.0/24:100 62.7.245.252/30:308 EBGP 9 OSPF 0.4 EBGP 62.7.200.32/30:309 Virtual IP Addresses.2.253 0 Edge2-rtr Cisco 1760-K9 #1.241.33 Abilene-rtr Cisco 2621-XM Cisco Web Server Redhat Apache http://www.cisco.com #7.2 R1 EBGP EBGP 199.77.32.0/30:300 EBGP 199.77.31.0/30:301 199.77.250.240/30:302 199.77.33.0/30:303 R10 3 192680.0/24:161 Bellsouth-dns Dell Poweredge 64.0.2.0/24:153.2 #2 Uunet1-rtr 8 Cisco 2621-XM 199.77.306/30:306 EBGP.253.242 7 #4.41 19268.20.0/24:162 19268.30.0/24:154 7.33 Cingular-hq-rtr Cisco 1760-K9+NAT.49 #12 64.0.48/30:150.254 Bellsouth-rtr.50 #13 Cisco 3550-24-EMI (L3) 19907.254.252/30:304 IBGP Uunet2-rtr Cisco 3550 #14 #15 Cingular-site1-rtr 8.34 Cisco 1760-K9+NAT 64.06/28:152 199072.0/24:305.254 Root1-dns Dell Poweredge 19910.254.40/30:307 R10 TIER 1 AS 64515 UUNET 192680.0/24:163 OSPF 0 64.0.32/28:151 57.35.7.0/24:250 19268.20.0/24:164 Cingular-site2-rtr Cisco 1760-K9+NAT 75960.0/24:155.254 R10 Earthlink-dns Dell Poweredge 75968.0/24:160 Cingular-intr1-rtr Cisco 1720 75967.0/24:159 #17.2 75965.0/30:157 75964.0/30:156 Cingular-intr2-rtr Cisco 1720 #16.2 75966.0/24:158 OSPF 1 GOOD ISP AS 64600 Bellsouth.net BAD ISP AS 64700 EarthLink CoC1-rtr Cisco 1720.3 #20 138.210.237.0/24:207 138.210.238.0/24:208.42.43 R4 R7 CoC Webserver CoC Ftp Server Redhat Apache Redhat http://www.cc.gatech.edu.34 Gateway2-rtr.2 EBGP Cisco 3550-24-EMI (L3) #18.5 138.210.251.0/24:200 138.210.231.0/24:201 R10 #26.4 CoC-vpn Cisco VPN Conc. 3005 Gatech-dns Admin-rtr Cisco 1760-K9 Dell Poweredge.254.2 138.210.232.0/24:202 #19 138.210.233.0/24:203 1926810.0/24:209 57.350.0/24:260 138.210.234.0/24:204 R5 0.20.2 138.210.235.0/24:205 00 R11 #21 Admin Webserver Printer NAS CoC2-rtr MS IIS 138.210.236.0/24:206 OSPF 0 Dell Network Cisco 1720 http://www.admin.gatech.edu Attached Storage RIP 57.35.0/24:254.42 EBGP 29 30 57.35.028/30:251 #22 7 #25 Earthlink-rtr Cisco 3550-24-EMI (L3) Joe-travel-rtr 57.35.2.0/24:255 Cisco 1720 57.35.0.0/30:253.2 StorageRus-rtr 57.35.06/30:252 1760-K9 8 #23 #24 57.35.5.0/24:258 ADSL-rtr Cisco 1720 57.35.3.0/24:256 R6 57.35.6.0/24:259 6 57.35.4.0/24:257 StrRus Webserver MS IIS http://www.storagerus.com W1 W20 ECE 4883 - Internetwork Security 40
References Cisco Secure PIX Firewalls,David Chapman Jr. and Andy Fox. Cisco Press. 2002. http://www.cisco.com/univercd/cc/td/doc/ product/iaabu/pix/ Cisco Security seminar notes. ECE 4883 - Internetwork Security 41