© Michael Hamm, Service Informatique, CRP Henri Tudor, page 1 of 52
Linuxdasys 2003: Linux Security Tutorial

10. Firewall

10.1 What is a Firewall
10.2 NAT Network Address Translation
10.3 Packet Filter
10.4 Stateful Packet Filter
10.5 Application Layer Gateway
10.6 Firewall Architectures
10.7 How iptables works
10.8 Using iptables
10.9 Exercise iptables

10.1 What is a Firewall

What is a Firewall?
- a network device for access control;
- denies unauthorized access to an internal network;
- works as a single point of access control.

What to protect?
- private data: confidentiality, integrity, availability;
- resources;
- reputation.

What to protect against?
- break-ins;
- Denial of Service;
- loss (theft) of information.

What can a Firewall do?
- it is a very important security measure for rolling out the security policy;
- log important Internet activities;
- minimize the points of access available to an attacker.

What can a Firewall NOT do?
- protect against malicious internal users;
- protect other ways into your network;
- protect against completely new dangers;
- set itself up and manage itself.

Problems with Firewalls:
- they disturb the usual way users access the Internet, making users angry;
- internal problems are often more important than external problems.

10.2 NAT Network Address Translation
- static NAT (1:1);
- Hidden NAT / Masquerading (*:1).

[Figure: NAT example with the internal addresses 10.1.11.2, 10.1.11.3, 10.1.11.4 and the network 10.1.12.0/24 on one side, and the addresses 172.23.20.2, 172.23.20.3, 172.23.20.4, 172.23.20.5 on the Internet side]

10.3 Packet Filter

[Figure: TCP/IP layer diagram. Alice and Bob each run the Physical Layer, Data Link Layer, Network Layer (IP), Transport Layer (TCP/UDP) and Application Layer (web browser, e-mail client, ...). The packet-filtering router between them handles the Physical, Data Link and Network (IP) layers and inspects the Transport Layer (TCP/UDP) headers; it does not look at the Application Layer.]

10.4 Stateful Packet Filter

Example: FTP (File Transfer Protocol), active mode

[Figure: FTP server 172.23.20.2 with ports 20 (data) and 21 (control); FTP client 10.1.11.100 with ports 10001 and 10002. The client opens the control connection from port 10001 to server port 21 and announces data port 10002 (PORT command); the server answers OK. The server then opens the data channel from its port 20 to client port 10002 (TCP ACK).]

The stateful packet filter, watching the control channel, reasons: "Aha, I dynamically have to generate a rule: allow incoming from 172.23.20.2:20 to 10.1.11.100:10002."

10.5 Application Layer Gateway

[Figure: the same layer diagram as in 10.3, but the gateway between Alice and Bob implements every layer up to and including the Application Layer.]

Example with a proxy (client 10.1.11.101, proxy with internal address 10.1.11.1 and external address 172.23.20.1, web server 172.23.20.2 on the Internet):
1. The client would like to visit 172.23.20.2:80; the proxy is 10.1.11.1:3128.
2. The client opens a connection to 10.1.11.1:3128.
3. The proxy opens a connection to 172.23.20.2:80.
4. 172.23.20.2 sends the answer to 172.23.20.1.
5. The proxy sends the answer to 10.1.11.101.

10.6 Firewall Architectures

Packet Filter:
[Figure: Unsafe Network - Packet Filter - safe Network]

Single-homed and dual-homed Application Gateway:
[Figure: Unsafe Network - Application Gateway - safe Network, drawn once with a single-homed and once with a dual-homed Application Gateway]

Application Gateway combined with a Packet Filter:
[Figures: several variants placing an Application Gateway and a Packet Filter between the Unsafe Network and the safe Network]

Screened Subnet (DMZ), De-Militarised Zone:
[Figure: Unsafe Network - Packet Filter - DMZ - Packet Filter - LAN (safe Network)]

DMZ with Single-Homed or Dual-Homed Application Gateway:
[Figure: Unsafe Network - Packet Filter - DMZ containing the Application Gateway - Packet Filter - safe Network, in a single-homed and a dual-homed variant]

DMZ with Internet Server:
[Figure: Unsafe Network - Packet Filter - DMZ with Application Gateway and Internet server - Packet Filter - safe Network]

DMZ with Intranet Server:
[Figure: Unsafe Network - Packet Filter - DMZ with Application Gateway - Packet Filter - safe Network with the Intranet server]

DMZ with a complex Mail and DNS concept:
[Figure: Unsafe Network - Packet Filter - DMZ with Application Gateway and the external MAIL and DNS server - Packet Filter - safe Network with the internal MAIL and DNS server]

10.7 How iptables works
1. A packet enters the network interface;
2. the interface unpacks the Data Link Layer information;
3. the interface forwards the packet to the kernel;
4. the kernel investigates the packet and chooses to reject, drop or accept it.

10.8 Using iptables

To view all rules presently loaded into netfilter, we use this command:

    iptables --list

We can also specify a single chain to
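The pieces of this chapter (static and hidden NAT from 10.2, the stateful FTP handling from 10.4, the proxy as the single point of access from 10.5, the screened subnet from 10.6 and the listing command from 10.8) fit together in one ruleset. The script below is an added example, not part of the tutorial or its exercise: it emits an iptables-restore ruleset for a three-legged firewall. Every address and interface name is an assumption chosen to match the figures: eth0 faces the Internet (172.23.20.1), eth1 the LAN 10.1.11.0/24 with the proxy on 10.1.11.1:3128, eth2 a DMZ 10.1.12.0/24 whose web server 10.1.12.10 is published 1:1 as 172.23.20.5.

```shell
#!/bin/sh
# Added example (not from the tutorial): screened-subnet firewall as an
# iptables-restore ruleset. Interfaces and addresses below are assumptions:
#   eth0 = Internet (172.23.20.1), eth1 = LAN 10.1.11.0/24 (proxy on 10.1.11.1:3128),
#   eth2 = DMZ 10.1.12.0/24, DMZ web server 10.1.12.10 published as 172.23.20.5.
set -eu

EXT_IF=eth0;  EXT_IP=172.23.20.1
LAN_IF=eth1;  LAN_NET=10.1.11.0/24; LAN_IP=10.1.11.1
DMZ_IF=eth2;  DMZ_NET=10.1.12.0/24
DMZ_WEB=10.1.12.10; DMZ_WEB_PUBLIC=172.23.20.5
PROXY_PORT=3128

# Print the complete ruleset (raw, nat and filter tables) to stdout.
build_ruleset() {
cat <<EOF
# raw: attach the FTP helper to control connections only, so that an
# active-mode data channel (server:20 -> client:port) is classified RELATED
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp --dport 21 -j CT --helper ftp
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# static NAT 1:1 for the published DMZ server
-A PREROUTING -i $EXT_IF -d $DMZ_WEB_PUBLIC -j DNAT --to-destination $DMZ_WEB
-A POSTROUTING -o $EXT_IF -s $DMZ_WEB -j SNAT --to-source $DMZ_WEB_PUBLIC
# hidden NAT (*:1) for the LAN
-A POSTROUTING -o $EXT_IF -s $LAN_NET -j MASQUERADE
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
-A LOGDROP -j DROP
# stateful core: replies and helper-related packets pass, invalid ones do not
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# LAN clients reach the web only through the proxy running on the firewall
-A INPUT -i $LAN_IF -s $LAN_NET -d $LAN_IP -p tcp --dport $PROXY_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOGDROP
# LAN may open FTP control connections; the data channel then arrives as RELATED
-A FORWARD -i $LAN_IF -o $EXT_IF -s $LAN_NET -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
# the Internet may reach the published DMZ web server (after DNAT), nothing else
-A FORWARD -i $EXT_IF -o $DMZ_IF -d $DMZ_WEB -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# the DMZ never initiates connections into the LAN
-A FORWARD -i $DMZ_IF -o $LAN_IF -j LOGDROP
-A FORWARD -j LOGDROP
COMMIT
EOF
}

# Count the rules (lines beginning with -A) of a ruleset read from stdin.
count_rules() { grep -c -- '^-A'; }

# Load the ruleset atomically; iptables-restore swaps all tables in one step.
apply_ruleset() {
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; return 1; }
    build_ruleset | iptables-restore
    iptables --list -n -v     # the listing command from 10.8, numeric and with counters
}

case "${1:-}" in
    --apply) apply_ruleset ;;
    *)       build_ruleset ;;  # default: dry run, print the ruleset
esac
```

Run it without arguments to review the generated ruleset, and with `--apply` as root to load it. The FTP helper module (nf_conntrack_ftp) has to be loaded for the `CT --helper ftp` rule to work; the default-DROP policies plus the LOGDROP chain mean that anything not explicitly opened shows up in the kernel log with the `fw-drop:` prefix, which is the "log important Internet activities" point from 10.1.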