CSCI 530 Lab Firewalls

CSCI 530 Lab Firewalls

Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering Proxy Servers Firewall Architecture example netfilter & IPTables

Firewall Hardware and/or software device which prevents communication based on a particular policy Basic task is to control traffic between “zones of trust” Example: Filtering traffic between the internet and local intranet

Firewall Capabilities Separate your network into logical sections Enforce Security policy Many services are intermittently insecure A firewall limits the amount of exposure of particular services Logs Internet activity Limits your network exposure

Firewall limitations Most cannot automatically adapt to new threats Cannot stop a malicious user - IDS Cannot limit traffic that does not pass through it Cannot stop viruses from permeating the network

What are you limiting? Email File Transfer Remote Terminal Access and Command Execution HTTP Other information services Information about people, Finger whois Real time conferencing Domain Name Service Network management services Time Service Network File System

Network Security Strategies Least Privilege Most fundamental principal User or service is given privileges just for performing specific tasks Defense Don’t just depend on one security mechanism Choke In depth point Forces the attacker to use a narrow channel So now one can monitor activities closely

Security Strategies Weakest link or “low hanging fruit” Fail Safe Stance If a system fails, it should deny access to the attacker Default Deny Stance That which is not expressly permitted is prohibited Default Permit Stance That which is not expressly prohibited is Permitted Universal Participation “ a chain is as strong as its weakest link” Attacker is going to go after the weakest link So if you cannot eliminate it, be cautious about it. Every system is involved in defense Diversity of defense Use different types of mechanisms

Definitions Host A computer system attached to the network Dual-Homed Host A host with two network interfaces Bastion Host A host which is the portal to a network. It is normally extremely secure. This is normally also a dual-homed host. Packet The fundamental unit of data, used for communication on the internet

Firewall – Packet Filtering Set of rules that either allow or disallow traffic to flow through the firewall Can filter based on any information in the Packet Header IP Source Address IP destination address Protocol Source Port Destination Port Message type Interface the packets arrive on and leave

Proxy Servers Specialized application or server programs that run on a firewall host Normally a bastion host These programs sit in between the internal users and servers outside serving for internet applications like telnet, ftp, http So instead of talking directly to the external server the requests pass through the proxy Also called as application level gateways

Proxy servers How do they work Proxy server ‘Ps’ Proxy client ‘Pc’ Pc talks to the Ps which intern talks to the real server for it, Before that it checks the security policy and decides whether to go ahead with the connection or not.

Firewall Architectures Dual-Homed Bastion Host INTERNET Firewall Dual Homed Host

Firewall Architectures Dual-Homed Bastion Host Dual homed Host Firewall Built around dual homed bastion host Host are capable of routing packets between networks The host sits between the networks, filtering the traffic between the two It only provides services by proxy

Netfilter http://www.netfilter.org/ The software of the packet filtering framework inside the Linux 2.4.x and 2.6.x kernel series. Enables packet filtering, network address [and port] translation (NA[P]T). It is the re-designed and heavily improved successor of ipchains and ipfwadm set of hooks inside the Linux kernel allows kernel modules to register callback functions with the network stack A registered callback function is then called back for every packet that traverses the respective hook within the network stack.

IPtables an interface to the kernel for firewall rules inserts and deletes rules from the kernel's packet filtering table IPtables and netfilter make the backbone of packet-filtering based linux firewalls

Packet Filtering - IPtables A packet is checked against the rule chains and its fate is decided by the chain Three sets of rule Chains A packet comes in, kernel checks for the destination (routing) If it is for this host, it is passed to INPUT chain If forwarding enabled, the packet is forwarded to the destination if it is ACCEPTED by the FORWARD chain If packet is generated in the same box and is being issued out, the OUTPUT chain is referred. Rules are matched in a chain in a chronological order looking for a match, If no match is found till the end, decision is taken according to your security policy INPUT FORWARD OUTPUT

IPTables Example iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP -A append the rule to the input chain -s source ip -p protocol -j action to be taken