FirewallsOverviewWhat is a Firewall?BenefitsTraffic ControlFirewall ConfigurationWhat You’re Protected FromSlide 8Expected TrafficPort ForwardingDemilitarized Zone (DMZ)Common Firewall ConfigurationsSlide 13Slide 14Slide 15Lab SetupIptables IntroductionHow packets traverse the filtersHow packets traverse the filters (continued)Network Address TranslationNAT and iptablesMasqueradingCreating your own rulesCreating your own rules (contd)More iptables commandsIptables commands (contd)State matchingSlide 28Defending against ICMP Ping Floods and tcp syn attackZone AlarmWhat is a zone?What is a zone? (contd.)Hardware FirewallsSlide 34Cisco Firewalls – PIX 515ESlide 36PIX Lab – Network SetupSummaryAcknowledgementsReferences1FirewallsECE 4112 - Internetwork Security2Overview•Background•General Firewall setup•Iptables Introduction•Iptables commands•“Limit” Function Explanation with icmp and syn floods•Zone AlarmECE 4112 - Internetwork Security3What is a Firewall?•Firewall – a hardware, software, or combination of the two that prevents unauthorized access to or from a private network.ECE 4112 - Internetwork Security4Benefits•Uninhibited internal LAN traffic•Ability to leave internal ports open without fear of those ports being abused•Sense of security by filtering WAN interface for expected trafficECE 4112 - Internetwork Security5Traffic Control•Three methods used to control traffic flowing in and out of the network Packet FilteringProxy FilteringStateful InspectionECE 4112 - Internetwork Security6Firewall Configuration•Rules/filters can be defined to look for a number of things, some of these are:IP addresses Domain names Protocols - –IP –TCP –HTTP–FTP–UDP–ICMP–SMTP–SNMP–TelnetPortsSpecific words and phrasesECE 4112 - Internetwork Security7What You’re Protected FromSecurity LevelExternal packets allowedHIGH noneMIDDLE pre-defined ports (web,ssh) and established connectionsLOW all packetsECE 4112 - Internetwork Security8What You’re Protected From•We allow traffic that is expectedThe firewall is responsible for inspecting connections and packet headers•We allow all traffic on a few specific portsCertain ports are forwarded to a serverECE 4112 - Internetwork Security9Expected Traffic•Protects you from floods of packetsTCP/SYN, PING/REPLY, IP SPOOFING•Protects you from scansPort scans and vulnerability probes•Blocks unwanted connectionsTelnet, SSH, FTP, and others can be regulatedECE 4112 - Internetwork Security10Port Forwarding•Biggest security hole in our firewall•Opened ports to allow traffic to serversAll incoming data on this specific port is allowed in, and forwarded to server–Hackers could exploit this open port–Hackers could exploit a bug in the software on the serverECE 4112 - Internetwork Security11Demilitarized Zone (DMZ)•Frontline of protection•“A network added between a protected network and external network in order to provide an additional layer of security”•Does not allow external networks to directly reference internal machines•Acts as system of checks and balances to make sure that if any one area goes bad that it cannot corrupt the wholeECE 4112 - Internetwork Security12Common Firewall Configurations•Firewall takes care of passing packets that pass its filtering rules between the internal network and the Internet, and vice versa. •May use IP masquerading but that's all it does.•Also known as a dual-homed host •The two "homes" refer to the two networks that the firewall machine is part of one interface connected to the outside homethe other connected to the inside home.http://www.firewall.cx/firewall_topologies.phpECE 4112 - Internetwork Security13Common Firewall Configurations•The exposed DMZ configuration depends on two things: 1) an external “Internet” router2) multiple IP addresses.•The firewall needs only two network cards. •If you control the “Internet” router you have access to a second set of packet-filtering capabilities.•If you don't control the “Internet” router, your DMZ is totally exposed to the Internet. Hardening a machine enough to live in the DMZ without getting regularly compromised can be tricky.•If you connect via PPP (modem dial-up), or you don't control your external router, or you want to masquerade your DMZ, or you have only 1 IP address, you'll need to do something else. There are two straightforward solutions to this, depending on your particular problem.http://www.firewall.cx/firewall_topologies.phpECE 4112 - Internetwork Security14Common Firewall Configurations•One solution is to build a second router/firewall. •Useful if you're connecting via PPP•Exterior router/firewall (Firewall 1) responsible for creating the PPP connection and controls the access to our DMZ zone •The other firewall (Firewall 2) is a standard dual-homed host just like the one we spoke about at the beginning•The other solution is to create a three-legged firewall, which is what we are going to talk about next http://www.firewall.cx/firewall_topologies.phpECE 4112 - Internetwork Security15Common Firewall Configurations•Need an additional network adapter in your firewall box for your DMZ. •Firewall is configured to route packets between the outside world and the DMZ differently than between the outside world and the internal network. •You can masquerade the machines in the DMZ too, while keeping them functionally separate from protected internal machines. •The primary disadvantage to the three-legged firewall is the additional complexity. Access to and from the DMZ and to and from the internal network is controlled by one large set of rules. It's pretty easy to get these rules wrong if you're not careful !•On the other hand, if you don't have any control over the “Internet router”, you can exert a lot more control over traffic to and from the DMZ this way. It's good to prevent access into the DMZ if you can.http://www.firewall.cx/firewall_topologies.phpECE 4112 - Internetwork Security16Lab Setup•Firewall workstations •One firewall host and two virtual machinesECE 4112 - Internetwork Security17Iptables Introduction•Iptables is a fourth generation firewall tool for Linux•Requires kernel 2.3.15 or above with netfilter framework•Iptables inserts and deletes rules from the kernel’s packet filtering table•Replacement for ipfwadm and ipchainsECE 4112 - Internetwork
View Full Document