Internetwork Security: Firewalls and Traffic Control, Lab Reports of Electrical and Electronics Engineering

An overview of internetwork security, focusing on the benefits of using a firewall, methods of traffic control, and what you're protected from. It also covers common firewall configurations, such as demilitarized zones (DMZ) and NAT, and how to create your own rules using iptables.

Typology: Lab Reports

Pre 2010

Uploaded on 08/05/2009


Firewalls

ECE 4883 - Internetwork Security

Overview

• Background
• General firewall setup
• Iptables introduction
• Iptables commands
• "Limit" function explanation with ICMP and SYN floods
• Zone Alarm


Benefits

• Uninhibited internal LAN traffic
• Ability to leave internal ports open without fear of those ports being abused
• Sense of security by filtering the WAN interface for expected traffic


Traffic Control

• Three methods are used to control traffic flowing in and out of the network:
  – Packet filtering
  – Proxy filtering
  – Stateful inspection


What You're Protected From

Security level | External packets allowed
---------------|---------------------------------------------------------
LOW            | all packets
MIDDLE         | pre-defined ports (web, ssh) and established connections
HIGH           | none


What You're Protected From

• We allow traffic that is expected
  – The firewall is responsible for inspecting connections and packet headers
• We allow all traffic on a few specific ports
  – Certain ports are forwarded to a server


Port Forwarding

• Biggest security hole in our firewall
• Opened ports to allow traffic to servers
  – All incoming data on this specific port is allowed in, and forwarded to the server
    – Hackers could exploit this open port
    – Hackers could exploit a bug in the software on the server


Demilitarized Zone (DMZ)

• Frontline of protection
• "A network added between a protected network and external network in order to provide an additional layer of security" – SI Security
• Does not allow external networks to directly reference internal machines
• Acts as a system of checks and balances to make sure that if any one area goes bad it cannot corrupt the whole


Common Firewall Configurations

• The firewall needs only two network cards.
  – If you control the router you have access to a second set of packet-filtering capabilities.
  – If you don't control the router, your DMZ is totally exposed to the Internet. Hardening a machine enough to live in the DMZ without getting regularly compromised can be tricky.
  – The exposed DMZ configuration depends on two things:
    1. an external router
    2. multiple IP addresses.
• If you connect via PPP (modem dial-up), or you don't control your external router, or you want to masquerade your DMZ, or you have only 1 IP address, you'll need to do something else. There are two straightforward solutions to this, depending on your particular problem.

http://www.firewall.cx/firewall_topologies.php


Common Firewall Configurations (continued)

• One solution is to build a second router/firewall.
  – Useful if you're connecting via PPP
  – The exterior router/firewall (Firewall 1) is responsible for creating the PPP connection and controls the access to our DMZ zone
  – The other firewall (Firewall 2) is a standard dual-homed host just like the one we spoke about at the beginning
• The other solution is to create a three-legged firewall, which is what we are going to talk about next

http://www.firewall.cx/firewall_topologies.php


Lab Setup

• Firewall workstations
• One firewall host and two virtual machines


Iptables Introduction

• Iptables is a fourth generation firewall tool for Linux
• Requires kernel 2.3.15 or above with the netfilter framework
• Iptables inserts and deletes rules from the kernel's packet filtering table
• Replacement for ipfwadm and ipchains


How packets traverse the filters (continued)

• When a packet reaches a circle, that chain determines the fate of the packet
  • The chain can say to DROP the packet or ACCEPT it.
  • If no rules match in the chain, the default policy is used (usually to DROP)


Network Address Translation

[Figure: packet path through the NAT table: PREROUTING → Routing Decision → Local Process → POSTROUTING]

The table of NAT rules invoked by 'iptables -t nat' contains the PREROUTING and POSTROUTING chains
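As an added example (not part of the original slides), the script below builds a ruleset for the MIDDLE security level described above on a dual-homed firewall: DROP as the default policy, replies to established connections allowed back in, ssh as a pre-defined port on the WAN side, one forwarded port rewritten in the nat table's PREROUTING chain, and masquerading in POSTROUTING. The interface names, the LAN subnet and the web server address are assumptions; setting IPT=echo prints the commands instead of applying them, so the ruleset can be reviewed without root.

```shell
#!/bin/sh
# Constructed example: MIDDLE-level ruleset for a dual-homed firewall with
# the WAN on eth0, the internal LAN on eth1, and one web server that receives
# forwarded port 80. Interface names and addresses are assumptions.
# IPT defaults to the real iptables binary; set IPT=echo to print the
# commands instead of applying them (dry run, no root needed).
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WEB_SERVER="${WEB_SERVER:-192.168.1.10}"

build_firewall() {
    # Start from empty filter and nat tables.
    $IPT -F
    $IPT -t nat -F

    # Default policies: a packet that matches no rule is dropped.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Uninhibited internal traffic: loopback and the LAN interface.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT

    # Stateful inspection: replies to connections we started are let back in.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Pre-defined port on the WAN side: ssh to the firewall itself.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 22 -j ACCEPT

    # LAN hosts may open new connections outward through the firewall.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT

    # Port forwarding (the "biggest hole"): DNAT in PREROUTING rewrites the
    # destination, and FORWARD must explicitly permit only that one port.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER:80"
    $IPT -A FORWARD -i "$WAN_IF" -p tcp -d "$WEB_SERVER" --dport 80 -j ACCEPT

    # Masquerading in POSTROUTING hides LAN addresses behind the WAN address.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Review first with `IPT=echo sh firewall.sh`; apply with `FW_APPLY=1 sh firewall.sh`.
if [ -n "$FW_APPLY" ]; then build_firewall; fi
```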