Title: Basics of Firewall Red Hat India
1. Basics of Firewall (Red Hat India)
V4a
2. Overview
- What is computer security?
- What kinds of security services might one desire?
- What kinds of attacks should we try to protect a computer against?
- What protection strategies are available?
- What can we expect for the future?
3. What is computer security?
- A computer is secure if you can depend on it and its software to behave as you expect.
- If you do not know what you are protecting, why you are protecting it, and what you are protecting it from, your task will be rather difficult!
4. Kinds of security services one might desire
- Authentication
- Confidentiality (privacy)
- Integrity
- Availability
- Non-repudiation
- Auditing
5. Authentication
- Authentication is the process of reliably verifying the identity of someone (or something) by means of:
  - A secret (password, one-time password, ...)
  - An object (smart card, ...)
  - Physical characteristics (fingerprint, retina, ...)
  - Trust
- Do not mistake authentication for authorization! Authentication establishes who the subject is; authorization decides what that subject is allowed to do.
6. Integrity vs Confidentiality
- Integrity
  - Protecting information from being deleted or altered in any way without the permission of the owner of that information.
- Confidentiality
  - Protecting information from being read or copied by anyone who has not been explicitly authorized by the owner of that information.
7. Availability
- If the system is unavailable when an authorized user needs it, the result can be as bad as having the information that resides on the system deleted!
8. Non-repudiation
- The ability of the receiver of something to prove to a third party that the sender really did send the message.
9. Auditing
- The ability to record events that might have some security relevance. When something goes wrong, you need to determine what was affected. In some cases, the audit trail may be extensive enough to allow undo operations that help restore the system to a correct state.
10. What kinds of attacks should we try to protect a computer against?
- Physical security
  - Locks, BIOS passwords, weather, ...
- Personnel security
- Operating system security
- Network security
11. Personnel security
- All security violations have one common characteristic: they are caused by people!
- Training, auditing, least privilege, ...
12. Operating System Security (1/3)
- Fixing the bugs in applications and operating systems takes longer than writing the applications and operating systems in the first place.
- What does that mean?!
13. Operating System Security (2/3)
- Users, groups and passwords
  - Shadow password suite
  - The root account needs special care: /etc/securetty, the wheel group, su restrictions
  - Variable delay on failed logins (denial, ...)
  - Restricted shells
- Linux (UNIX) filesystem
  - Restricted filesystem
  - Access control lists (ACLs)
  - Append-only / immutable files (chattr +a / +i)
  - Permissions
  - SUID/SGID files (scripts)
14. Operating System Security (3/3)
15. Some of the most common network services
- DNS
- Apache
- NFS
- NIS/NIS+
- Samba
- Telnet
- FTP
- Mail
- ...
16. Network Security: common attacks
- Interception
- Modification
- Intrusion
- Modification, Fabrication
- Denial of service
- Interruption
- Information theft
17. Security tools
- Cryptography
  - Symmetric vs asymmetric (certificates, ...)
  - Kerberos vs Secure RPC
  - SSL (Secure Socket Layer) / SSH (Secure Shell)
  - IPsec
- Firewalls / proxies
  - ipchains / iptables, ...
  - TCP Wrappers, UDP relayers
- Pluggable Authentication Modules (PAM)
  - A suite of shared libraries that lets the local system administrator choose how applications authenticate users
- Kernel-level security
- Log files (/var/log/)
18. Cryptography: the solution for privacy
The security rests on the secrecy of the key, and sometimes of the algorithm too. A sound design relies on the key alone (Kerckhoffs' principle): an algorithm that must stay secret to be safe cannot be publicly reviewed, and its secrecy rarely lasts.
19. Cryptography: Symmetric vs Asymmetric
- Symmetric (character based vs key based)
  - The same key is used both to encrypt and to decrypt
  - Faster algorithms
  - PROBLEM: key management is not easy, since the shared secret has to reach every party over a secure channel
- Asymmetric (also called public-key algorithms)
  - The key used to encrypt is different from the one needed to decrypt
  - Eases key distribution, because the public key can be shared openly; the algorithms are much slower than symmetric ones
  - It makes digital signatures, and therefore non-repudiation, possible
20. Data Encryption Standard (DES)
- It is a symmetric algorithm
- Designed by IBM and adopted as a U.S. federal standard in 1977
- It is based on a 56-bit key (why only 56?)
- Hardware vs software implementation
- How secure is DES? (A purpose-built machine recovered a DES key by brute force in 1998; 56 bits is no longer adequate)
- How much would a DES-breaking engine cost?
- Is it possible to make DES harder to break? (Triple DES)
- How does it work?
21. RSA (Rivest, Shamir, Adleman)
- It is an asymmetric algorithm
- Variable key length (512 bits was the default of the time; 2048 bits or more is the minimum today)
- It is based on the fact that it is VERY hard (impossible?) to factor a big number in a reasonable amount of time
- It has NOT been proven secure; its security rests on the assumed difficulty of factoring
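The following is an added example for the symmetric-vs-asymmetric and RSA slides above; it is not code from the presentation. It uses textbook RSA with deliberately tiny, constructed primes (p = 61, q = 53) to show the three points the slides make: the key that encrypts is not the key that decrypts, a private-key signature gives non-repudiation because anyone holding the public key can check it, and the whole scheme collapses the moment n is factored. Real keys use primes of 1024 bits or more each, and real systems pad messages (OAEP, PSS) rather than using raw RSA as done here.

```python
"""Textbook RSA with tiny constructed parameters: encryption, signing,
verification, and the factoring attack that recovers the private key."""
from math import gcd, isqrt


def keygen(p, q, e=17):
    """Public key (n, e), private key (n, d), with e*d == 1 (mod phi(n)).
    e=17 is the classic small textbook exponent; 65537 is usual in practice."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(pub, m):
    """Anyone with the public key can encrypt; only the holder of d can undo it."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def sign(priv, m):
    """The private-key operation applied to the message: only the key owner can produce it."""
    n, d = priv
    return pow(m, d, n)


def verify(pub, m, s):
    """Checking needs only the public key, so a verified signature is evidence a
    third party can rely on: this is what gives non-repudiation."""
    n, e = pub
    return pow(s, e, n) == m


def factor_trial(n):
    """Trial division: instant for a 12-bit n, hopeless for a 2048-bit one.
    That gap is the entire security of RSA."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("n is prime")


def recover_private_key(pub):
    """Given p and q, phi(n) and therefore d follow immediately."""
    n, e = pub
    p, q = factor_trial(n)
    return n, pow(e, -1, (p - 1) * (q - 1))


def demo():
    pub, priv = keygen(61, 53)   # constructed toy primes; n = 3233
    m = 65
    c = encrypt(pub, m)
    s = sign(priv, m)
    return {
        "ciphertext": c,
        "roundtrip": decrypt(priv, c),
        "signature_ok": verify(pub, m, s),
        "tampered_ok": verify(pub, m + 1, s),
        "attacker_recovers_d": recover_private_key(pub) == priv,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With these parameters the public key is (3233, 17) and the private key (3233, 2753); the message 65 encrypts to 2790 and decrypts back to 65, the tampered message fails verification, and trial division recovers d in a few microseconds, which is exactly why key sizes matter.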
22. Secure Shell (SSH)
- It is a protocol for secure remote login over an insecure network
- It can provide:
  - Multiple strong authentication methods
  - Authentication of both ends of the connection
    - Public key, password, host-based
  - Encryption and compression of data
  - Tunnelling and encryption of arbitrary connections
  - Negotiation of the algorithms used
23. Secure Socket Layer (SSL)
- It is a protocol developed by Netscape for secure transactions across the Web (since superseded by TLS)
- It uses public-key cryptography to authenticate the server and to establish the session key
- There are free SSL implementations
- Many servers do not have SSL built in, and there is a reason for that!
24. Wrappers
- Main idea
  - Limit the amount of information reaching a network-capable program/application
- Why should we use wrappers?
- Two common wrappers
  - TCP Wrapper
  - SOCKS
25. What can you do with the TCP Wrapper?
- Remote warning banner
- Double reverse lookup of the IP address
- Access control lists (/etc/hosts.allow, /etc/hosts.deny)
- identd protocol (RFC 931 username lookup)
- Advanced use of the syslog logger
- Run a command (spawn / twist)
- Additional wrappers
- Process options (nice, umask, user, setenv, ...)
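The access-control and double-reverse-lookup items above can be seen working together in the following added example. It is not code from the slides or from tcp_wrappers itself; it re-implements tcpd's evaluation order (first match in hosts.allow grants, then first match in hosts.deny refuses, otherwise the client is let through) over constructed hosts.allow / hosts.deny entries, with a constructed stand-in for DNS so that the PARANOID wildcard, which tcpd matches when a client's reverse name does not resolve back to its address, can be triggered offline. The pattern language is reduced to the forms used here; hosts_access(5) has more (nested EXCEPT, @netgroup, IPv6).

```python
"""tcpd-style access control: hosts.allow / hosts.deny evaluation plus the
double reverse lookup behind KNOWN, UNKNOWN and PARANOID."""
from ipaddress import ip_address, ip_network

# Constructed resolver tables (PTR = reverse, A = forward). 203.0.113.7 carries
# a PTR claiming to be ws10, but ws10's A record does not point back to it:
# a forged reverse entry of the kind the double lookup is meant to catch.
PTR = {
    "192.168.1.10": "ws10.lab.example.com",
    "203.0.113.7": "ws10.lab.example.com",
    "10.0.0.5": "mail.corp.example.net",
}
A = {
    "ws10.lab.example.com": ["192.168.1.10"],
    "mail.corp.example.net": ["10.0.0.5"],
}

# Constructed access-control tables in hosts_access(5) syntax (IPv4 only here).
HOSTS_ALLOW = """
# daemon_list : client_list [: options]
sshd    : .lab.example.com 192.168.1.
in.ftpd : 192.168.1.0/255.255.255.0 EXCEPT 192.168.1.10
ALL     : LOCAL
"""
HOSTS_DENY = """
ALL : PARANOID
ALL : ALL
"""


def resolve(ip):
    """Double reverse lookup as tcpd does it: take the PTR name, resolve that
    name forward, and require the original address among the answers."""
    name = PTR.get(ip)
    if name is None:
        return None, "UNKNOWN"      # no reverse entry at all
    if ip not in A.get(name, []):
        return None, "PARANOID"     # name does not map back: treated as hostile
    return name, "KNOWN"


def parse(text):
    """Return (daemon_list, client_list) per entry; options after a second ':' are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        entries.append((fields[0].split(), fields[1]))
    return entries


def match_token(tok, ip, name, status):
    if tok == "ALL":
        return True
    if tok in ("KNOWN", "UNKNOWN", "PARANOID"):
        return status == tok
    if tok == "LOCAL":                      # a host name without a dot
        return name is not None and "." not in name
    if tok.startswith("."):                 # domain suffix
        return name is not None and name.endswith(tok)
    if tok.endswith("."):                   # address prefix
        return ip.startswith(tok)
    if "/" in tok:                          # net/mask
        return ip_address(ip) in ip_network(tok, strict=False)
    return tok == ip or tok == name         # exact address or name


def match_clients(client_list, ip, name, status):
    """'list_1 EXCEPT list_2' matches list_1 unless list_2 also matches."""
    include, _, exclude = client_list.partition(" EXCEPT ")
    hit = any(match_token(t, ip, name, status) for t in include.split())
    if hit and exclude:
        hit = not any(match_token(t, ip, name, status) for t in exclude.split())
    return hit


def decide(daemon, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcpd order: hosts.allow first, then hosts.deny, then implicit allow."""
    name, status = resolve(ip)
    for table, verdict in ((allow, "allow"), (deny, "deny")):
        for daemons, clients in parse(table):
            if ("ALL" in daemons or daemon in daemons) and match_clients(clients, ip, name, status):
                return verdict
    return "allow"


if __name__ == "__main__":
    for daemon, ip in [("sshd", "192.168.1.10"), ("in.ftpd", "192.168.1.10"),
                       ("in.ftpd", "192.168.1.20"), ("sshd", "203.0.113.7"),
                       ("smtpd", "10.0.0.5")]:
        print(f"{daemon:8} from {ip:15} -> {decide(daemon, ip)}")
```

Two points worth noticing in the output: the host with the forged PTR record is refused by the ALL : PARANOID line even though its claimed name would match .lab.example.com, and the trailing ALL : ALL in hosts.deny is what turns the wrapper into a default-deny control; without it, any client not listed in either file is let through.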
26. TCP Wrapper downsides
- Poor UDP handling
- Vulnerable to IP spoofing, since access control is based on the claimed source address and name
- The destination IP address is not used
27. SOCKS
- It is a system that allows computers behind a firewall to access services on the Internet
- (Only TCP-based services in SOCKS4; SOCKS5 added UDP relaying)
28. What is a Firewall?
- A firewall is hardware, software, or a combination of both that is used to prevent unauthorized programs or Internet users from accessing a private network and/or a single computer
- The goal is to reduce the risk of a security attack from the outside
29. The Word
The term "fire wall" originally meant, and still means, a fireproof wall intended to prevent the spread of fire from one room or area of a building to another. The Internet is a volatile and unsafe environment when viewed from a computer-security perspective, therefore "firewall" is an excellent metaphor for network security. In computer networking, the term firewall is not merely descriptive of a general idea. It has come to mean some very precise things.
30. Location, Location, Location
The most important aspect of a firewall is that it is at the entry point of the networked system it protects. In the case of packet filtering, it sits at a low layer of the network stack, the network (Internet) layer, with transport-layer headers such as ports and flags also inspected. This means essentially that the firewall is the first program or process that receives and handles incoming network traffic, and it is the last program to handle outgoing traffic. The logic is simple: a firewall must be positioned to control all incoming and outgoing traffic. If some other program has that control, there is no firewall.
32. Hardware vs. Software Firewalls
- Hardware firewalls
  - Protect an entire network
  - Implemented at the router level
  - Usually more expensive, harder to configure
- Software firewalls
  - Protect a single computer
  - Usually less expensive, easier to configure
33. How does a software firewall work?
- Inspects each individual packet of data as it arrives at either side of the firewall
  - Inbound to or outbound from your computer
- Determines whether it should be allowed to pass through or if it should be blocked
34. Firewall Rules
- Allow: traffic that flows automatically because it has been deemed safe
- Block: traffic that is stopped because it has been deemed dangerous to your computer
- Ask: the firewall asks the user whether or not the traffic is allowed to pass through
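How a packet filter turns a list of allow/block rules into a decision is shown in the following added example; it is not code from the presentation. It models the first-match chain evaluation that ipchains and iptables use (rules are walked top to bottom, the first match decides, and the chain policy applies to anything unmatched, so a DROP policy gives default deny), runs a constructed INPUT chain over constructed packets, and renders the same chain as legacy iptables(8) command lines. The addresses, rules and packets are all made up for the demonstration.

```python
"""First-match packet filtering with a chain policy, the iptables/ipchains model."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    established: bool = False   # reply inside a connection the kernel already tracks


@dataclass(frozen=True)
class Rule:
    action: str                 # "ACCEPT" or "DROP"
    proto: str = "all"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    established: bool = False   # True: match only packets of tracked connections

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "all" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.established and not pkt.established:
            return False
        return True


def filter_packet(rules, policy, pkt):
    """First matching rule wins; if nothing matches, the chain policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return policy


def to_iptables(chain, rules, policy):
    """Render the chain as legacy iptables(8) commands; '-m state' is the
    stateful match that implements the 'established' flag."""
    out = [f"iptables -P {chain} {policy}"]
    for r in rules:
        parts = [f"iptables -A {chain}"]
        if r.established:
            parts.append("-m state --state ESTABLISHED,RELATED")
        if r.proto != "all":
            parts.append(f"-p {r.proto}")
        if r.src != "0.0.0.0/0":
            parts.append(f"-s {r.src}")
        if r.dst != "0.0.0.0/0":
            parts.append(f"-d {r.dst}")
        if r.dport is not None:
            parts.append(f"--dport {r.dport}")
        parts.append(f"-j {r.action}")
        out.append(" ".join(parts))
    return out


# Constructed INPUT chain for a host at 10.0.0.1: replies to its own sessions,
# SSH from the LAN only, HTTP from anywhere except one abusive block, drop the rest.
INPUT_POLICY = "DROP"
INPUT_RULES = [
    Rule("ACCEPT", established=True),
    Rule("DROP", src="203.0.113.0/24"),                           # must precede the HTTP accept
    Rule("ACCEPT", proto="tcp", src="192.168.1.0/24", dport=22),
    Rule("ACCEPT", proto="tcp", dport=80),
]

SAMPLE_PACKETS = [                                                # constructed traffic
    Packet("tcp", "192.168.1.5", "10.0.0.1", 22),                 # SSH from the LAN
    Packet("tcp", "198.51.100.9", "10.0.0.1", 22),                # SSH from outside
    Packet("tcp", "203.0.113.4", "10.0.0.1", 80),                 # blocked before the HTTP rule
    Packet("tcp", "198.51.100.9", "10.0.0.1", 80),                # HTTP from anywhere else
    Packet("udp", "198.51.100.9", "10.0.0.1", 53),                # nothing matches: policy
    Packet("tcp", "198.51.100.9", "10.0.0.1", 40000, established=True),
]


def run_samples():
    return [filter_packet(INPUT_RULES, INPUT_POLICY, p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_PACKETS, run_samples()):
        state = " (established)" if p.established else ""
        print(f"{p.proto} {p.src} -> {p.dst}:{p.dport}{state} => {verdict}")
    print("\n".join(to_iptables("INPUT", INPUT_RULES, INPUT_POLICY)))
```

Rule order is the point to take away: swap the DROP for 203.0.113.0/24 with the HTTP accept and that network reaches port 80, because the accept now matches first. The chain policy is the other half of the design; with a policy of ACCEPT the unmatched UDP packet would sail through, which is why the "cannot forget about it" slide later warns that rulesets need revisiting.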
35. What a firewall can do
- The most basic type of firewall performs packet filtering
- A second type of firewall, which provides additional security, is called a circuit relay
- Another and still more involved approach is the application-level gateway
- Stop hackers from accessing your computer
- Protect your personal information
- Block pop-up ads and certain cookies
- Determine which programs can access the Internet
36. What a firewall cannot do
- It cannot prevent e-mail viruses
  - Only an antivirus product with updated definitions can prevent e-mail viruses
- It is not something you set up once and then forget about
  - The firewall will require periodic updates to the rulesets and to the software itself
37. Firewall: Bastion Host (2/3)
38. Firewall: Packet filtering (3/3)
39. Considerations when using firewall software
- If you did not initiate an action and your firewall picks up something, you should most likely deny it and investigate it
- It's a learning process (e.g. Spooler Subsystem App)
- If you notice you cannot do something you did prior to the installation, there is a good chance your firewall is the cause