Automated Firewalls with Mason

1
Automated Firewalls with Mason

• William Stearns
• SANS Instructor, proctor, and network
  administrator
• wstearns_at_pobox.com
• http//www.stearns.org/mason/

2
Getting underway

• Room monitors
• Evaluation forms
• Questions at any point
• Goals
• Basics of Linux firewalling
• Learning process
• Live demo

3
Firewalls

• One small piece of your network security
• Only affects traffic going in, out, or through
  your firewall
• Can be circumvented
• TCP/IP tunneling in ssh, email, DNS, http
• Using allowed ports for blocked traffic types
• Additional exit points from network
• Firewall system needs to be locked down tightly!

4
Firewall types

• Packet filtering
• Stateful
• Stateless
• Proxy
• Better yet, both!

5
Firewall types, proxies.
6
Choice of firewall platform

• Stability
• Network card support
• Security and Updates
• Network performance
• Ability to audit and strip down
• Cost
• Ease of setup

7
Linux Packet Filtering

• Separation of Jobs
• Kernel
• Command line tools

8
Linux Packet Filtering types

• Ipfw (Linux 1.2 kernels)
• Ipfwadm (Linux 2.0 kernels)
• Ipchains (Linux 2.2 kernels)
• Iptables (Linux 2.4 kernels)

9
ipfw

• First Linux packet filtering support
• Linux 1.2 kernels
• Stateless
• Very limited
• Only filtered on one port
• Never integrated into distributions
• Not supported by Mason
• Ported from one of the BSD's by Alan Cox

10
ipfwadm

• Linux 2.0 kernels
• Stateless
• Filters on source and destination addresses and
  ports
• Only TCP, UDP, and ICMP
• Masquerading (many-to-one NAT)
• Jos Vos

11
ipchains

• Linux 2.2 kernels
• Stateless
• Support for ICMP subtypes, protocols other than
  TCP, UDP and ICMP, and inverse options.
• Rusty Russell

12
iptables

• Linux 2.4, 2.5, and upcoming 2.6 kernels
• Stateful
• IPV6 support
• Backwards compatibility modules for ipfwadm and
  ipchains
• Extensible tests and actions
• Fully modular design

13
Setting up firewalls

• Triple threat limited background in
• Security policies
• TCP/IP (normal and attack patterns)
• Connecting the two with packet filtering and
  other security tools.
• Risk in getting it wrong.
• Default allow - easy to get going
• Default deny - orders of magnitude harder

14
Approaches for creating firewalls

• Prewritten list of rules
• Menu interface with small set of choices
• Menu interface with extensive options
• Automatic construction of rules based on current
  network setup.
• Letting the firewall build itself -)

15
Prewritten list of rules

• Good if your network matches the assumptions
• May need a lot of editing if not
• They tend to be too permissive

16
Menu interface with small set of choices

• Good for simple networks
• Poor for complex networks or non-standard
  networks
• Poor for non-standard protocols

17
Menu interface with extensive options

• Flexible, good for complex networks
• Requires a lot of expertise from the administrator

18
Letting the firewall build itself

• Flexible
• Doesn't require in-depth knowledge of firewall
  construction
• Handles simple and complex networks
• May take some time to cover all traffic types.

19
The world's most efficient and literal bouncer

• New bouncer
• Needs to be taught who can go in or out of the
  bar
• Told to note individual's age, whether they're
  part of the owner's family, which direction they
  want to go and whether they're carrying firearms,
  and then ask bar owner.

20
Initial bouncer rules

• gt Write down characteristics, ask owner
• gt block (default policy)

21
Bouncer rules, part II

• Carrying firearms gt block and call police
• gt Write down characteristics, ask owner
• gt block (default policy)

22
Bouncer rules, part III

• Carrying firearms gt block and call police
• Leaving bar gt allow to pass
• gt Write down characteristics, ask owner
• gt block (default policy)

23
Bouncer rules, part IV

• Carrying firearms gt block and call police
• Leaving bar gt allow to pass
• Entering bar, over 21 gt allow to pass
• gt Write down characteristics, ask owner
• gt block (default policy)

24
Bouncer rules, part V

• Carrying firearms gt block and call police
• Leaving bar gt allow to pass
• Entering bar, over 21 gt allow to pass
• Part of owner's family gt allow to pass
• gt Write down characteristics, ask owner
• gt block (default policy)

25
Bouncer rules, part VI

• Carrying firearms gt block and call police
• Leaving bar gt allow to pass
• Entering bar, over 21 gt allow to pass
• Part of owner's family gt allow to pass
• Entering bar, under 21 gt block
• gt Write down characteristics, ask owner
• gt block (default policy)

26
Bouncer rules, part VII

• Carrying firearms gt block and call police
• Leaving bar gt allow to pass
• Entering bar, over 21 gt allow to pass
• Part of owner's family gt allow to pass
• Entering bar, under 21 gt block
• gt block (default policy)

27
Mason and iterative creation

• Start off with empty firewall
• Log all unmatched packets
• Watch logs for new packets
• Add rule that would have matched that traffic
• Keep adding rules until all traffic types
  encountered

28
Iptables log format

• Apr 30 210410 sparrow kernel IN OUTlo
  SRC127.0.0.1 DST127.0.0.1 LEN73 TOS0x00
  PREC0x00 TTL64 ID11339 DF PROTOUDP SPT33272
  DPT53 LEN53

29
Iptables rule format

• /sbin/iptables -A OUTPUT -o lo -p udp -s
  localhost/32 - -sport 102465535 -d
  localhost/32 - -dport domain -j ACCEPT
  domain/udp (O)

30
Live demonstration

• We'll switch over to a Linux laptop for the demo
  and rejoin here afterwards.

31
Customization

• Existing firewall rules
• Allows administrator to make modifications

32
Starting firewall at boot

• ntsysv, tksysv, or linuxconf
• Manually link /etc/rc.d/init.d/firewall

33
Troubleshooting

• Turn off the firewall, see if the problem
  persists.
• Restart the firewall, try test, then run
• iptables -L -n -x -v grep -v ' 0 0 ' less
  -S
• to see which rules have matched any packets.

34
Opening packet rules

• Iptables' stateful nature use for
  ESTABLISHED,RELATED.
• Let Mason build the rules for NEW packets.

35
Potential projects

• Cisco IOS
• FreeBSD, OpenBSD and NetBSD - ipfilter
• http//coombs.anu.edu.au/avalon/
• Other routers and firewalls.

36
Thanks!

• Linux developers, esp. Rusty Russell
• Chris Brenton (SANS, Altenet)
• Steven Northcutt (SANS)
• ISTS
• Mason contributors - see the Credits section in
  the HOWTO.

37
Where to get it

• Part of some Linux Distributions
• Debian
• Krud
• Redhat Powertools up to 7.0
• http//www.stearns.org/mason/
• Many other sources

38
References

• http//www.stearns.org/mason/
• http//www.netfilter.org
• http//www.linuxdoc.org
• http//www.stearns.org/doc/starting-mason.current.
  html
• wstearns_at_pobox.com
• Questions?