Module: Firewalls. Professor Patrick McDaniel Spring 2009. CMPSC443 - Introduction to Computer and Network Security

Similar documents
CIS 433/533 - Computer and Network Security Firewalls

CSE543 - Computer and Network Security Module: Firewalls

CSC574 - Computer and Network Security Module: Firewalls

CS Computer and Network Security: Firewalls

CS Computer and Network Security: Firewalls

Firewalls, NAT and Intrusion Detection and Prevention Systems (IDS)

Firewalls. Chien-Chung Shen

Linux firewall. Need of firewall Single connection between network Allows restricted traffic between networks Denies un authorized users

+ iptables. packet filtering && firewall

CIT 480: Securing Computer Systems. Firewalls

Computer Firewalls. The term firewall was originally used with forest fires, as a means to describe the

How To Understand A Firewall

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

CIT 480: Securing Computer Systems. Firewalls

Chapter 7. Firewalls

Linux: 20 Iptables Examples For New SysAdmins

Network Security Management

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

Linux Firewalls (Ubuntu IPTables) II

Track 2 Workshop PacNOG 7 American Samoa. Firewalling and NAT

Firewall Firewall August, 2003

Netfilter. GNU/Linux Kernel version 2.4+ Setting up firewall to allow NIS and NFS traffic. January 2008

Linux Firewall Wizardry. By Nemus

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

1:1 NAT in ZeroShell. Requirements. Overview. Network Setup

Intro to Linux Kernel Firewall

Linux Routers and Community Networks

Firewall implementation and testing

Assignment 3 Firewalls

TECHNICAL NOTES. Security Firewall IP Tables

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Firewall. IPTables and its use in a realistic scenario. José Bateira ei10133 Pedro Cunha ei05064 Pedro Grilo ei09137 FEUP MIEIC SSIN

Network Security Exercise 10 How to build a wall of fire

Firewalls (IPTABLES)

Definition of firewall

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

Main functions of Linux Netfilter

ΕΠΛ 674: Εργαστήριο 5 Firewalls

ipchains and iptables for Firewalling and Routing

Firewalls. ITS335: IT Security. Sirindhorn International Institute of Technology Thammasat University ITS335. Firewalls. Characteristics.

Firewalls. Contents. ITS335: IT Security. Firewall Characteristics. Types of Firewalls. Firewall Locations. Summary

Introduction to Firewalls Open Source Security Tools for Information Technology Professionals

Overview. Firewall Security. Perimeter Security Devices. Routers

FIREWALL AND NAT Lecture 7a

Network security Exercise 9 How to build a wall of fire Linux Netfilter

Matthew Rossmiller 11/25/03

Worksheet 9. Linux as a router, packet filtering, traffic shaping

Network Defense Tools

How To Set Up A Network Map In Linux On A Ubuntu 2.5 (Amd64) On A Raspberry Mobi) On An Ubuntu (Amd66) On Ubuntu 4.5 On A Windows Box

Netfilter / IPtables

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

Optimisacion del ancho de banda (Introduccion al Firewall de Linux)

Chapter 15. Firewalls, IDS and IPS

SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab March 04, 2004

Stateful Firewalls. Hank and Foo

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Firewalls. Pehr Söderman KTH-CSC

Focus on Security. Keeping the bad guys out

Lab Objectives & Turn In

Protecting and controlling Virtual LANs by Linux router-firewall

Topics NS HS12 2 CINS/F1-01

FIREWALLS & CBAC. philip.heimer@hh.se

CSCI Firewalls and Packet Filtering

INTRODUCTION TO FIREWALL SECURITY

How to protect your home/office network?

Introduction to Firewalls

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

CSCE 465 Computer & Network Security

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Manuale Turtle Firewall

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

allow all such packets? While outgoing communications request information from a

Evaluation guide. Vyatta Quick Evaluation Guide

How to Turn a Unix Computer into a Router and Firewall Using IPTables

Telematics. 14th Tutorial - Proxies, Firewalls, P2P

Linux Networking: IP Packet Filter Firewalling

Chapter 8 Network Security

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Firewalls. Ahmad Almulhem March 10, 2012

Linux Firewall. Linux workshop #2.

CS2107 Introduction to Information and System Security (Slid. (Slide set 8)

Using VyOS as a Firewall

UNIVERSITY OF BOLTON CREATIVE TECHNOLOGIES COMPUTING AND NETWORK SECURITY SEMESTER TWO EXAMINATIONS 2014/2015 NETWORK SECURITY MODULE NO: CPU6004

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

Chapter 11 Cloud Application Development

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

Firewalls, IDS and IPS

Security Technology: Firewalls and VPNs

Cryptography and network security

Open Source Bandwidth Management: Introduction to Linux Traffic Control

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

About Firewall Protection

Linux MDS Firewall Supplement

Transcription:

CMPSC443 - Introduction to Computer and Network Security Module: Firewalls Professor Patrick McDaniel Spring 2009 1

Firewalls A firewall... is a physical barrier inside a building or vehicle, designed to limit the spread of fire, heat and structural collapse. 2

Filtering: Firewalls Filtering traffic based on policy Policy determines what is acceptable traffic Access control over traffic Accept or deny May perform other duties Logging (forensics, SLA) Flagging (intrusion detection) QOS (differentiated services) Application Network Link 3

IP Firewall Policy Specifies what traffic is (not) allowed Maps attributes to address and ports Example: HTTP should be allowed to any external host, but inbound only to web-server 4

X-Listing Blacklisting - specifying specific connectivity that is explicitly disallowed E.g., prevent connections from badguys.com Whitelisting - specifying specific connectivity that explicitly allowed E.g., allow connections from goodguys.com These is useful for IP filtering, SPAM mitigation, Q: What access control policies do these 5

Stateful, Proxy, and Transparent Single packet contains insufficient data to make access control decision Stateful: allows historical context consideration Firewall collects data over time e.g., TCP packet is part of established session Firewalls can affect network traffic Transparent: appear as a single router (network) Proxy: receives, interprets, and reinitiates communication (application) Transparent good for speed (routers), proxies good for complex state (applications) 6

DMZ (De-militarized Zone) (servers) Internet LAN LAN Zone between LAN and Internet (public facing) 7

Practical Issues and Limitations Network layer firewalls are dominant DMZs allow multi-tiered fire-walling Tools are widely available and mature Personal firewalls gaining popularity Issues Network perimeters not quite as clear as before E.g., telecommuters, VPNs, wireless, Every access point must be protected E.g., this is why war-dialing is effective Hard to debug, maintain consistency and correctness Often seen by non-security personnel as impediment E.g., Just open port X so I can use my wonder widget SOAP - why is this protocol an issue? 8

The Wool firewall study.. 12 error classes No default policy, automatic broad tools NetBIOS (the very use of the Win protocol deemed error) Portmapper protocols Use of any wildcards Lack of egress rules Interesting questions: Is the violation of Wool s errors really a problem? DNS attack comment? Why do you think more expensive firewalls had a higher occurrence of errors? Take away: configurations are bad 9

Practical Firewall Implementations Primary task is to filter packets But systems and requirements are complex Consider All the protocols and services Stateless vs. stateful firewalls Network function: NAT, forwarding, etc. Practical implementation: Linux iptables http://www.netfilter.org/documentation/howto/packetfiltering-howto.html http://linux.web.cern.ch/linux/scientific3/docs/rhel-rg-en-3/chiptables.html 10

Netfilter hook Series of hooks in Linux network protocol stack An iptable rule set is evaluated at each Hook placements: Preroute Routing Forward Postroute Input Output 11

iptables Concepts Table All the firewall rules Chain List of rules associated with the chain identifier E.g., hook name Match When all a rule s field match the packet (protocol-specific) Target Operation to execute on a packet given a match 12

iptables Commands iptables [-t <table_name>] <cmd> <chain> <plist> Commands Append rule to end or specific location in chain Delete a specific rule in a chain Flush a chain List a chain Create a new user-specified chain Replace a rule 13

Test it out PING on localhost ping -c 1 127.0.0.1 Add iptables rule to block iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP Try ping Delete the rule iptables -D INPUT 1 iptables -D INPUT -s 127.0.0.1 -p icmp -j DROP iptables -F INPUT 14

Testing Use loopback to test the rules locally on your machine IP address 127.0.0.1 ICMP submit ping requests to 127.0.0.1 as above TCP submit requests to 127.0.0.1 at specific port server nc -l -p 3750 listen at port 3750 client nc -p 3000 localhost 3750 send from port 3000 to localhost at port 3750 15

iptables Rule Parameters Destination/Source IP address range and netmask Protocol of packet ICMP, TCP, etc Fragmented only Incoming/outgoing interface Target on rule match 16

Per Protocol Options Specialized matching options for rules Specific to protocol TCP Source/destination ports SYN TCP flags 17

Targets Define what to do with the packet at this time ACCEPT/DROP QUEUE for user-space application LOG any packet that matches REJECT drops and returns error packet RETURN enables packet to return to previous chain <user-specified> passes packet to that chain 18

Examples iptables -A INPUT -s 200.200.200.2 -j ACCEPT iptables -A INPUT -s 200.200.200.1 -j DROP iptables -A INPUT -s 200.200.200.1 -p tcp -j DROP iptables -A INPUT -s 200.200.200.1 -p tcp --dport telnet -j DROP iptables -A INPUT -p tcp --destination-port telnet -i ppp0 -j DROP 19

Match content Different means for matching packet content Lots of different modules Only a few supported on your Playpen (lucky you) To specify a match iptables -A INPUT -p tcp -m string --algo bm --string exe matches to packet with content containing exe iptables -A INPUT -p tcp -m length --length 10:100 matches to packet with length between 10 and 100 bytes Also, can specify greater than 10 by 10: There are many others, but these are what you ll need to know... 20

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information