CSCI 530 Lab
Firewalls

Overview
- Firewalls
- Capabilities
- Limitations
- What are we limiting with a firewall?
- General network security strategies
- Packet filtering
- Proxy servers
- Firewall architecture example
- netfilter & IPTables

Firewall
- Hardware and/or software device which prevents communication based on a particular policy
- Basic task is to control traffic between "zones of trust"
- Example: filtering traffic between the Internet and the local intranet

Firewall Capabilities
- Separates your network into logical sections
- Enforces the security policy
- Many services are intermittently insecure; a firewall limits the exposure of particular services
- Logs Internet activity
- Limits your network exposure

Firewall Limitations
- Most cannot automatically adapt to new threats
- Cannot stop a malicious user (that is the role of an IDS)
- Cannot limit traffic that does not pass through it
- Cannot stop viruses from permeating the network

What are you limiting?
- Email
- File transfer
- Remote terminal access and command execution
- HTTP
- Other information services
- Information about people: finger, whois
- Real-time conferencing
- Domain Name Service
- Network management services
- Time service
- Network File System

Network Security Strategies
- Least privilege
  - The most fundamental principle
  - A user or service is given only the privileges needed to perform specific tasks
- Defense in depth
  - Don't depend on just one security mechanism
- Choke point
  - Forces the attacker to use a narrow channel, so activities can be monitored closely

Security Strategies
- Weakest link, or "low hanging fruit"
  - "A chain is as strong as its weakest link"
  - The attacker is going to go after the weakest link, so if you cannot eliminate it, be cautious about it
- Fail-safe stance
  - If a system fails, it should deny access to the attacker
- Default deny stance
  - That which is not expressly permitted is prohibited
- Default permit stance
  - That which is not expressly prohibited is permitted
- Universal participation
  - Every system is involved in defense
- Diversity of defense
  - Use different types of mechanisms

Definitions
- Host: a computer system attached to the network
- Dual-homed host: a host with two network interfaces
- Bastion host: a host which is the portal to a network. It is normally extremely secure, and normally also a dual-homed host.
- Packet: the fundamental unit of data used for communication on the Internet

Firewall – Packet Filtering
- A set of rules that either allow or disallow traffic to flow through the firewall
- Can filter based on any information in the packet header:
  - IP source address
  - IP destination address
  - Protocol
  - Source port
  - Destination port
  - Message type
  - Interface the packets arrive on and leave by

Proxy Servers
- Specialized application or server programs that run on a firewall host, normally a bastion host
- These programs sit between the internal users and the servers outside, serving Internet applications like telnet, ftp, http, ...
- So instead of talking directly to the external server, the requests pass through the proxy
- Also called application-level gateways

Proxy Servers: how do they work?
- Proxy server "Ps", proxy client "Pc"
- Pc talks to Ps, which in turn talks to the real server on its behalf
- Before doing so, Ps checks the security policy and decides whether to go ahead with the connection or not

Firewall Architectures: Dual-Homed Bastion Host
[Figure: a dual-homed host firewall, with the bastion host sitting between the INTERNET and the internal network]
- Built around a dual-homed bastion host
- Hosts are capable of routing packets between networks
- The host sits between the networks, filtering the traffic between the two
- It only provides services by proxy

Netfilter (http://www.netfilter.org/)
- The packet filtering framework inside the Linux 2.4.x and 2.6.x kernel series
- Enables packet filtering and network address [and port] translation (NA[P]T)
- It is the redesigned and heavily improved successor of ipchains and ipfwadm
- A set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack
- A registered callback function is then called for every packet that traverses the respective hook within the network stack

IPtables
- An interface to the kernel for firewall rules
- Inserts and deletes rules from the kernel's packet filtering table
- IPtables and netfilter form the backbone of packet-filtering based Linux firewalls

Packet Filtering - IPtables
- A packet is checked against the rule chains and its fate is decided by the chain
- Three sets of rule chains: INPUT, FORWARD, OUTPUT
- A packet comes in; the kernel checks the destination (routing)
  - If it is for this host, it is passed to the INPUT chain
  - If forwarding is enabled, the packet is forwarded to the destination if it is ACCEPTed by the FORWARD chain
  - If the packet is generated on the same box and is being sent out, the OUTPUT chain is consulted
- Rules in a chain are matched in order, looking for a match
- If no match is found by the end of the chain, the decision is taken according to your security policy (the chain's default policy)

IPTables Example
  iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
- -A: append the rule to the INPUT chain
- -s: source IP
- -p: protocol
- -j: action to be
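The chain traversal described on the Packet Filtering slides, as an added example that is not part of the lecture material: a small Python model of the INPUT/FORWARD/OUTPUT chains that parses rules written in the slide's iptables syntax, routes a packet to the right chain, applies rules in the order they were appended (first match wins), and falls back to a default-deny chain policy. The host addresses, packets and rules are constructed for the example; only -s, -d, -p, --dport and -j are understood.

```python
from dataclasses import dataclass
from typing import Optional

LOCAL_ADDRS = {"192.0.2.10", "127.0.0.1"}  # constructed: the firewall host's own IPs
FORWARDING = True                          # models the kernel's IP forwarding switch

@dataclass
class Rule:
    action: str                   # -j ACCEPT or DROP
    src: Optional[str] = None     # -s source address
    dst: Optional[str] = None     # -d destination address
    proto: Optional[str] = None   # -p protocol
    dport: Optional[int] = None   # --dport destination port

    def matches(self, pkt: dict) -> bool:
        # A field left unset in the rule matches any value in the packet header.
        wanted = {"src": self.src, "dst": self.dst, "proto": self.proto, "dport": self.dport}
        return all(v is None or pkt.get(k) == v for k, v in wanted.items())

def parse_rule(cmd: str):
    # Turn "iptables -A CHAIN -s .. -p .. --dport .. -j ACTION" into (chain, Rule).
    tok = cmd.split()
    names = {"-s": "src", "-d": "dst", "-p": "proto", "--dport": "dport", "-j": "action"}
    kw = {names[t]: (int(tok[i + 1]) if t == "--dport" else tok[i + 1])
          for i, t in enumerate(tok) if t in names}
    return tok[tok.index("-A") + 1], Rule(**kw)

class Firewall:
    def __init__(self, policy: str = "DROP"):
        self.chains = {"INPUT": [], "FORWARD": [], "OUTPUT": []}
        self.policy = policy        # chain policy: the verdict when nothing matches

    def add(self, cmd: str) -> None:
        chain, rule = parse_rule(cmd)
        self.chains[chain].append(rule)   # -A appends, so rule order is significant

    def verdict(self, pkt: dict, generated_locally: bool = False) -> str:
        # The routing decision picks the chain; then rules are tried in order.
        if generated_locally:
            chain = "OUTPUT"
        elif pkt.get("dst") in LOCAL_ADDRS:
            chain = "INPUT"
        elif FORWARDING:
            chain = "FORWARD"
        else:
            return "DROP"           # not for this host and forwarding is disabled
        for rule in self.chains[chain]:
            if rule.matches(pkt):
                return rule.action  # first match wins
        return self.policy
```

Because the loopback ICMP DROP rule is appended before the general ICMP ACCEPT rule, pings from 127.0.0.1 are still dropped while other ICMP is accepted, which is the ordering point the slides make.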