Network Security - PowerPoint PPT Presentation

Slides: 39
Provided by: alla104

Transcript and Presenter's Notes

Title: Network Security

1
Network Security
Firewall
2
Firewalls
  • What is a Firewall?
  • What are the components of a firewall?
  • Types of Firewalls
  • Packet Filtering Tools
  • Application-Proxy Firewalls/Application Gateways
  • Firewalls Generally
  • Building a Firewall: what you need to know
  • Identifying topology and protocol needs
  • Are Firewalls Foolproof?
  • Commercial Firewalls
3
Methods of Attack
  • It is necessary to understand the nature of
    potential attacks on computer security. Some
    methods of attack are:
  • Unauthorized Access
  • Exploitation of known weaknesses in programs
  • Denial of service
  • Spoofing
  • Eavesdropping
  • IP firewalling is very useful in preventing or
    reducing unauthorized access, network layer
    denial of service and IP spoofing attacks.

4
What Is a Firewall?
  • A firewall is a secure and trusted machine that
    sits between a private network and a public
    network.
  • The firewall machine is configured with a set of
    rules that determine which network traffic will
    be allowed to pass and which will be blocked or
    refused.

5
Firewalls can be constructed in quite a variety
of ways.
  • The most sophisticated arrangement involves a
    number of separate machines.
  • Two machines act as filters, called chokes, to
    allow only certain types of network traffic to
    pass; between these chokes reside network servers
    such as a mail gateway or proxy server.
  • This configuration can be very safe and easily
    allows a great range of control over who can
    connect, both from inside to the outside and
    vice versa.

6
  • Typically though, firewalls are single machines
    that serve all of these functions.
  • These are a little less secure, because if there
    is some weakness in the firewall machine itself
    that allows people to gain access to it, the
    security of the whole network will be destroyed.

7
[Figure: The two major classes of firewall design.
Left: Internet, IP Filter and Application Server as
separate elements in front of the Intranet. Right:
Internet, a single combined IP Filter/Application
Server machine, then the LAN (Intranet).]
8
Role of Linux in Firewall
  • The Linux kernel provides a range of built-in
    features that allow it to function quite nicely
    as an IP firewall.
  • The network implementation includes code to do IP
    filtering in a number of different ways, and
    provides a mechanism to quite accurately
    configure what sort of rules you'd like to put in
    place.
  • The Linux firewall is flexible enough to make it
    very useful in either of the configurations
    mentioned before.

9
What Is IP Filtering ?
  • IP filtering is simply a mechanism that decides
    which type of IP datagrams will be processed
    normally and which will be discarded.
  • You can apply many different sorts of criteria to
    determine which datagrams you wish to filter:
  • Protocol type: TCP, UDP, ICMP, etc.
  • Socket number (for TCP/UDP)
  • Datagram type: SYN/ACK, data, ICMP Echo
  • Datagram source and destination address
  • IP filtering is a network layer facility.

10
[Figure: Location of the packet filters. From top to
bottom: Higher protocols; IP, with the IP packet
filters applied on the "IP in" and "IP out" paths;
Network.]
11
Setting Up Linux for Firewalling
  • To build a Linux IP firewall, it is necessary to
    have a kernel built with IP firewall support and
    the appropriate configuration utility.
  • In all production kernels prior to the 2.2
    series, you would use the ipfwadm utility.
  • The 2.2.x kernels marked the release of the third
    generation of IP firewall for Linux, called
    ipchains.
  • Linux kernels 2.3.15 and later support the
    fourth generation of Linux IP firewall utility,
    called iptables.

12
The ipfwadm Utility
  • The ipfwadm (IP Firewall Administration)
    utility is the tool used to build the firewall
    rules for all kernels prior to 2.2.0. Its command
    syntax can be very confusing because it can do
    such a complicated range of things.

13
The ipchains Utility
  • Just as for the ipfwadm utility, the ipchains
    utility can be somewhat baffling to use at first.
    It provides all of the flexibility of ipfwadm
    with a simplified command syntax and additionally
    provides a chaining mechanism that allows you
    to manage multiple rulesets and link them
    together.
  • ipchains is a stateless firewall.

14
The iptables Utility
  • The syntax of the iptables utility is quite
    similar to that of ipchains; the changes are
    improvements.
  • An iptables firewall consists of several tables,
    each with a default policy and built-in chains of
    rules. Further rule chains can optionally be
    created in each table. Different tables and
    chains are traversed according to the source and
    destination of the packet.
  • iptables is a stateful firewall.

15
  • Filtering mechanism
  • The IP datagram is received. (1)
  • The incoming IP datagram is examined to determine
    if it is destined for a process on this machine.
  • If the datagram is for this machine, it is
    processed locally. (2)
  • If it is not destined for this machine, a search
    is made of the routing table for an appropriate
    route and the datagram is forwarded to the
    appropriate interface, or dropped if no route
    can be found. (3)
  • Datagrams from local processes are sent to the
    routing software for forwarding to the
    appropriate interface. (4)
  • The outgoing IP datagram is examined to determine
    if there is a valid route for it to take; if not,
    it is dropped.
  • The IP datagram is transmitted. (5)

16
The stages of IP datagram processing
17
The Linux firewall is capable of applying
filtering at various stages in this process. You
can filter the IP datagrams that come into
your machine, filter those datagrams being
forwarded across your machine, and filter those
datagrams that are ready to be transmitted. In
ipfwadm and ipchains an input rule applies to
flow 1, a forwarding rule to flow 3, and an
output rule to flow 5. Netfilter (iptables)
applies an INPUT rule at flow 2 and an OUTPUT
rule at flow 4, so a datagram that is only
forwarded is seen by the FORWARD rules alone.
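The difference between the two models is easiest to see by walking a datagram through the five flows. The following is an added example, written for this transcript and not part of the slides: it models a router's routing table search (flow 3) and reports which hook points a datagram meets under the netfilter model and under the ipchains model. The interface names, local addresses and routing table are constructed for the demo.

```python
# Added example (not from the slides): which filter hook a datagram meets on a
# Linux router, following the five flows of the "stages of IP datagram
# processing" figure. Addresses, interfaces and routes are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    locally_generated: bool = False   # True for flow 4 (sent by a local process)


# Constructed routing table: (destination network, outgoing interface).
ROUTES = [
    ("192.168.0.0/24", "eth1"),
    ("169.254.0.0/16", "eth0"),
    ("0.0.0.0/0", "ppp0"),            # default route
]
# The router's own interface addresses (constructed).
LOCAL_ADDRESSES = {"169.254.0.1", "192.168.0.1"}


def lookup_route(dst: str, routes=ROUTES) -> Optional[str]:
    """Longest-prefix match over the routing table (the search in flow 3)."""
    best, best_len = None, -1
    addr = ip_address(dst)
    for net, iface in routes:
        network = ip_network(net)
        if addr in network and network.prefixlen > best_len:
            best, best_len = iface, network.prefixlen
    return best


def traverse(dg: Datagram, model: str = "netfilter", routes=ROUTES) -> List[str]:
    """Return the hook points the datagram passes, in order.

    model="netfilter": INPUT only for datagrams delivered locally (flow 2),
    FORWARD for routed ones (flow 3), OUTPUT for local processes (flow 4).
    model="ipchains": the input rule sees every received datagram (flow 1) and
    the output rule every transmitted one (flow 5), forwarded traffic included.
    """
    hops: List[str] = []
    if not dg.locally_generated and model == "ipchains":
        hops.append("input")                       # flow 1: everything received
    if not dg.locally_generated and dg.dst in LOCAL_ADDRESSES:
        if model == "netfilter":
            hops.append("INPUT")                   # flow 2: local delivery only
        return hops + ["LOCAL DELIVERY"]
    iface = lookup_route(dg.dst, routes)           # flow 3 / flow 4 route search
    if iface is None:
        return hops + ["DROPPED: no route"]
    if dg.locally_generated:
        hops.append("OUTPUT" if model == "netfilter" else "output")
    else:
        hops.append("FORWARD" if model == "netfilter" else "forward")
        if model == "ipchains":
            hops.append("output")                  # flow 5 also passes the output rule
    return hops + [f"TRANSMIT via {iface}"]


if __name__ == "__main__":
    routed = Datagram("169.254.0.23", "192.168.0.149")
    print("netfilter:", traverse(routed))
    print("ipchains: ", traverse(routed, model="ipchains"))
    print("to router:", traverse(Datagram("169.254.0.23", "169.254.0.1")))
```

The practical consequence is the one the slide describes: under netfilter a rule in INPUT never sees traffic that merely transits the router, so a filter meant to protect hosts behind the router has to go in FORWARD, whereas an ipchains input rule catches both.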
18
Working with iptables
  • Before you can use the iptables command, you must
    load the netfilter kernel module that provides
    support for it.
  • The iptables command is used to configure both IP
    filtering and Network Address Translation.
  • To facilitate this, there are two tables of rules
    called filter and nat. The filter table is assumed
    if you do not use the -t option to override it.
  • It has three commonly used built-in chains. Those
    chains are INPUT, OUTPUT, and FORWARD.

19
Syntax of iptables command
  • The general syntax of most iptables commands is:

iptables command rule-specification extensions
20
Commands
  • Some of the commands are:
  • -A chain - Append one or more rules to the end
    of the nominated chain.
  • -I chain [rulenum] - Insert one or more rules at
    the start of the nominated chain (or at position
    rulenum, if given).
  • -D chain - Delete one or more rules from the
    specified chain matching the rule specification.
  • -R chain rulenum - Replace the rule residing at
    position rulenum in the specified chain with the
    supplied rule specification.
  • -L [chain] - List the rules of the specified
    chain, or of all chains if no chain is specified.

21
Example
  • iptables -F FORWARD
  • iptables -P FORWARD DROP
  • iptables -A FORWARD -m tcp -p tcp -s 0/0 --sport 80 \
      -d 172.16.1.0/24 --syn -j DROP
  • iptables -A FORWARD -m tcp -p tcp -s 172.16.1.0/24 \
      --sport 80 -d 0/0 -j ACCEPT
  • iptables -A FORWARD -m tcp -p tcp -d 172.16.1.0/24 \
      --dport 80 -s 0/0 -j ACCEPT

22
Types of Firewalls
A stateless firewall is one which does not keep
any state information between packets. Each
packet is examined and handled based only on the
information contained within that packet.
A stateful firewall keeps track of "sessions"
between packets. The most common name for this
is "stateful packet inspection", or SPI. You
might also see "connection tracking" or "protocol
inspection" or other variations on that theme.
In the case of FTP, a stateful firewall would
monitor the control channel, and look for the
PASV or PORT commands used to open the TCP
connection for the data channel. It would then
allow that TCP connection through as well. A
stateful firewall is therefore more secure than a
stateless firewall.
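The stateless/stateful distinction is what drives the shape of the slide 21 rule set: without connection state, letting web replies back in means accepting everything from source port 80, and the --syn DROP rule exists to take the new-connection case back out again. The toy packet filter below is an added example written for this transcript, not code from the slides or from iptables: it evaluates rules on the criteria of slide 9 (protocol, addresses, ports, SYN flag) with first-match semantics and a default policy, and contrasts a stateless chain with one that keeps a connection table. The hosts, ports and packets are constructed for the demo.

```python
# Added example (not part of the slides): a toy packet filter contrasting
# stateless rule evaluation with stateful connection tracking. Rule fields
# mirror the iptables options named in the comments; all traffic is constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False     # SYN without ACK: a new TCP connection attempt


@dataclass(frozen=True)
class Rule:
    target: str                   # "ACCEPT" or "DROP"
    proto: Optional[str] = None   # like -p
    src: str = "0.0.0.0/0"        # like -s
    dst: str = "0.0.0.0/0"        # like -d
    sport: Optional[int] = None   # like --sport
    dport: Optional[int] = None   # like --dport
    syn: Optional[bool] = None    # True behaves like --syn

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport)
                and (self.syn is None or self.syn == p.syn))


class StatelessChain:
    """First matching rule decides; otherwise the chain's default policy."""
    def __init__(self, rules: List[Rule], policy: str = "DROP"):
        self.rules, self.policy = list(rules), policy

    def verdict(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.target
        return self.policy


class StatefulChain(StatelessChain):
    """Same rules, plus a connection table: replies to accepted flows pass."""
    def __init__(self, rules: List[Rule], policy: str = "DROP"):
        super().__init__(rules, policy)
        self.conntrack: Set[Tuple] = set()

    def verdict(self, p: Packet) -> str:
        flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if flow in self.conntrack or reverse in self.conntrack:
            return "ACCEPT"                    # ESTABLISHED traffic
        result = super().verdict(p)
        if result == "ACCEPT":
            self.conntrack.add(flow)           # remember the NEW flow
        return result


# Constructed traffic: an internal client browsing an external web server, the
# server's reply, and an unsolicited connection attempt from outside that uses
# source port 80 so that it resembles returning web traffic.
INSIDE = "172.16.1.0/24"
REQUEST = Packet("tcp", "172.16.1.10", "198.51.100.7", sport=40000, dport=80, syn=True)
REPLY = Packet("tcp", "198.51.100.7", "172.16.1.10", sport=80, dport=40000)
PROBE = Packet("tcp", "203.0.113.9", "172.16.1.10", sport=80, dport=22, syn=True)


def run(chain: StatelessChain) -> Dict[str, str]:
    """Evaluate the three packets in order (order matters for the stateful chain)."""
    return {name: chain.verdict(p) for name, p in
            [("request", REQUEST), ("reply", REPLY), ("probe", PROBE)]}


def stateless_one_rule() -> Dict[str, str]:
    """Only the outbound rule: the reply is dropped because no rule matches it."""
    return run(StatelessChain([Rule("ACCEPT", "tcp", src=INSIDE, dport=80)]))


def stateless_with_syn_guard() -> Dict[str, str]:
    """Stateless fix in the style of slide 21: admit packets from port 80, but
    first drop the ones that open a new connection (--syn)."""
    return run(StatelessChain([
        Rule("DROP", "tcp", dst=INSIDE, sport=80, syn=True),
        Rule("ACCEPT", "tcp", src=INSIDE, dport=80),
        Rule("ACCEPT", "tcp", dst=INSIDE, sport=80),
    ]))


def stateful_one_rule() -> Dict[str, str]:
    """Stateful: a single outbound rule suffices; the reply is matched by the
    connection table and the probe, which belongs to no flow, is dropped."""
    return run(StatefulChain([Rule("ACCEPT", "tcp", src=INSIDE, dport=80)]))
```

Running the three functions shows the progression: the one-rule stateless chain accepts the request but drops the reply; the three-rule stateless chain passes the reply and still drops the probe, but only because the --syn guard was remembered; the stateful chain gets the same result from one rule because connection tracking, not a port number, decides what counts as a reply.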
23
Packet Filtering Tools
  • TCP_Wrappers - capability to monitor connections,
    screen out unwanted networks and IP addresses.
  • NetGate - rule-based packet filtering system.
  • Internet Packet Filter - functionality to discard
    packets and a comprehensive testing tool.
Audit and Logging Tools
  • Packet filters, when used in conjunction with
    powerful auditing tools, can assist in protecting
    the network and identifying intruders.
  • Argus
  • Netlog
  • Netman
24
Commercial Firewalls
  • The Eagle Family of firewalls - Raptor Systems
  • Check Point Firewall - Check Point Software
    Technologies Ltd.
  • Sunscreen - Sun Microsystems
  • IBM Internet Connection Secured Network Gateway -
    IBM
  • Cisco PIX Firewall - Cisco Systems
25
Network Address Translation (NAT)
NAT describes the process of modifying the network
addresses contained within datagram headers while
they are in transit. IP masquerade is one type
of NAT that allows all of the hosts on a private
network to use the Internet at the price of a
single IP address. IP masquerading allows you to
use a private (reserved) IP network address on
your LAN and have your Linux-based router
perform some clever, real-time translation of IP
addresses and ports.
26
A typical IP masquerade configuration
[Figure: LAN 192.168.1.0 / 255.255.255.0 with hosts
192.168.1.2 and 192.168.1.3; Linux Masquerade
Router with eth0 192.168.1.1 on the LAN and ppp0
203.10.23.1 (ppp) towards the Internet.]
Original request: From 192.168.1.3 port 1234
Masqueraded request: From 203.10.23.1 port 1035
Original reply: To 203.10.23.1 port 1035
Demasqueraded reply: To 192.168.1.3 port 1234
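The two rewrites in the figure (source address and port on the way out, destination address and port on the way back) come down to a translation table keyed by the allocated public port. The following added example, written for this transcript and not part of the slides, implements such a table with the figure's addresses: 192.168.1.3 port 1234 behind a router whose public address is 203.10.23.1, with 1035 as the first public port handed out. The external server address and the sequential port allocation are constructed assumptions.

```python
# Added example (not from the slides): a toy IP masquerade table. Addresses
# and ports follow the figure; the external server 198.51.100.7 and the
# sequential public-port allocation are constructed for the demo.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Masquerader:
    """Rewrites LAN sources to the router's public address and maps replies back."""
    def __init__(self, public_ip: str, first_port: int = 1035):
        self.public_ip = public_ip
        self.next_port = first_port
        # (private ip, private port, server ip, server port) -> public port
        self.outbound: Dict[Tuple[str, int, str, int], int] = {}
        # public port -> (private ip, private port)
        self.inbound: Dict[int, Tuple[str, int]] = {}

    def masquerade(self, p: Packet) -> Packet:
        """Outgoing request: allocate (or reuse) a public port for this flow."""
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = (p.src, p.sport)
        return Packet(self.public_ip, self.outbound[key], p.dst, p.dport)

    def demasquerade(self, p: Packet) -> Optional[Packet]:
        """Incoming reply: map the public port back to the private host.
        None means no table entry exists, so the datagram is discarded:
        unsolicited inbound traffic has nowhere to go on the LAN."""
        if p.dst != self.public_ip or p.dport not in self.inbound:
            return None
        private_ip, private_port = self.inbound[p.dport]
        return Packet(p.src, p.sport, private_ip, private_port)


def walk_through() -> dict:
    """Replay the figure's exchange and two edge cases; returns the packets seen."""
    router = Masquerader("203.10.23.1")
    request = Packet("192.168.1.3", 1234, "198.51.100.7", 80)   # constructed server
    masqueraded = router.masquerade(request)                      # From 203.10.23.1:1035
    reply = Packet("198.51.100.7", 80, masqueraded.src, masqueraded.sport)
    demasqueraded = router.demasquerade(reply)                    # To 192.168.1.3:1234
    # A second LAN host using the same local port gets its own public port.
    other = router.masquerade(Packet("192.168.1.2", 1234, "198.51.100.7", 80))
    # An inbound packet for a port that was never allocated is discarded.
    stray = router.demasquerade(Packet("203.0.113.9", 4444, "203.10.23.1", 2000))
    return {"masqueraded": masqueraded, "demasqueraded": demasqueraded,
            "other": other, "stray": stray}


if __name__ == "__main__":
    for name, pkt in walk_through().items():
        print(f"{name:13s} {pkt}")
```

The last case is the reason masquerading is often described as giving a LAN some protection as a side effect: an inbound datagram that matches no entry in the table cannot be delivered to any internal host, so only traffic answering an internal request gets through.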
27
Configuring Firewall
28
Positioning Of Firewall in Network
If your organization uses a firewall to protect
its internal network from external attacks, you
have a number of choices of where to locate your
web server.
  • A server located outside a firewall
  • A server located inside a firewall
  • A server located between an internal firewall
    and an external firewall

29
A server located outside a firewall
[Figure, Sample 1: Internet - Server - Firewall -
Network]
30
A server located inside a firewall
[Figure, Sample 2: Internet - Firewall - Network -
Server]
31
A server located between an internal firewall and
an external firewall
[Figure, Sample 3: Internet - Firewall - Server -
Firewall - Network]
32
Diagram of a Sample Firewall Setup
[Figure: a Firewall PC with interface eth0 on
Network B and interface eth1 on Network A.]
33
Steps For Setting Firewall
  • Configure a PC as a router, which will act as the
    firewall later.
  • Check that the router is configured properly by
    pinging between the two networks.
  • Check that the router PC has the iptables utility
    installed.
  • Use the iptables command to configure the
    firewall on the router PC.

34
Sample Configuration
[Figure: Firewall PC with eth0 IP 169.254.0.1 and
eth1 IP 192.168.0.1. H1: IP 169.254.0.23, GW
169.254.0.1. H3: IP 192.168.0.149, GW 192.168.0.1.]
35
Blocking the communication between H1 and H3 using
iptables
  • iptables -A FORWARD -t filter -s 169.254.0.23 \
      -d 192.168.0.149 -j DROP

Note - After issuing this command, the
communication between 169.254.0.23 and
192.168.0.149 will be blocked.
36
Testing the Firewall
[Figure: H2 is the Firewall PC with eth0 IP
169.254.0.1 and eth1 IP 192.168.0.1. H3: IP
192.168.0.149, GW 192.168.0.1. H1: IP 169.254.0.23,
GW 169.254.0.1.]
Command from H1: ping 192.168.0.149
Command from H3: ping 169.254.0.23
37
Observations
  • On issuing the ping command from H1 to H3,
    there will be packet loss

[root@Linux-1 /root]# ping 169.254.0.23
PING 169.254.0.23 (169.254.0.23) from 192.168.0.149 : 56(84) bytes of data.
From 169.254.0.23 Destination Host Unreachable
From 169.254.0.23 Destination Host Unreachable
From 169.254.0.23 Destination Host Unreachable
Note- If there is no packet loss then recheck
your firewall configurations.
38
Observations
  • On issuing the ping command from H1 or H3 to
    any other PC, there should still be connectivity.

[root@Linux-1 /root]# ping 169.254.0.33
PING 169.254.0.33 (169.254.0.33) from 192.168.0.149 : 56(84) bytes of data.
Warning: time of day goes back, taking countermeasures.
64 bytes from 169.254.0.33: icmp_seq=0 ttl=128 time=755 usec
64 bytes from 169.254.0.33: icmp_seq=1 ttl=128 time=480 usec
64 bytes from 169.254.0.33: icmp_seq=2 ttl=128 time=446 usec