Firewalls
ECE 4883 - Internetwork Security
Overview
• Background
• General firewall setup
• Iptables introduction
• Iptables commands
• "Limit" function explanation with ICMP and SYN floods
• Zone Alarm
Benefits
• Uninhibited internal LAN traffic
• Ability to leave internal ports open without fear of those ports being abused
• Sense of security by filtering the WAN interface for expected traffic
Traffic Control
• Three methods are used to control traffic flowing in and out of the network:
  - Packet filtering
  - Proxy filtering
  - Stateful inspection
What You’re Protected From

Security level   External packets allowed
LOW              all packets
MIDDLE           pre-defined ports (web, ssh) and established connections
HIGH             none
What You’re Protected From
• We allow traffic that is expected
  - The firewall is responsible for inspecting connections and packet headers
• We allow all traffic on a few specific ports
  - Certain ports are forwarded to a server
Port Forwarding
• Biggest security hole in our firewall
• Opened ports to allow traffic to servers
  - All incoming data on this specific port is allowed in and forwarded to the server
    - Hackers could exploit this open port
    - Hackers could exploit a bug in the software on the server
Demilitarized Zone (DMZ)
• Frontline of protection
• “A network added between a protected network and external network in order to provide an additional layer of security” - SI Security
• Does not allow external networks to directly reference internal machines
• Acts as a system of checks and balances to make sure that if any one area goes bad it cannot corrupt the whole
Common Firewall Configurations
• The firewall needs only two network cards.
  - If you control the router you have access to a second set of packet-filtering capabilities.
  - If you don't control the router, your DMZ is totally exposed to the Internet. Hardening a machine enough to live in the DMZ without getting regularly compromised can be tricky.
  - The exposed DMZ configuration depends on two things:
    - an external router
    - multiple IP addresses.
• If you connect via PPP (modem dial-up), or you don't control your external router, or you want to masquerade your DMZ, or you have only 1 IP address, you'll need to do something else. There are two straightforward solutions to this, depending on your particular problem.
http://www.firewall.cx/firewall_topologies.php
Common Firewall Configurations
  - One solution is to build a second router/firewall.
  - Useful if you're connecting via PPP
  - Exterior router/firewall (Firewall 1)
    - responsible for creating the PPP connection and controls the access to our DMZ zone
  - The other firewall (Firewall 2)
    - is a standard dual-homed host just like the one we spoke about at the beginning
  - The other solution is to create a three-legged firewall, which is what we are going to talk about next
http://www.firewall.cx/firewall_topologies.php
Lab Setup
• Firewall workstations
• One firewall host and two virtual machines
Iptables Introduction
• Iptables is a fourth-generation firewall tool for Linux
• Requires kernel 2.3.15 or above with the netfilter framework
• Iptables inserts and deletes rules from the kernel’s packet filtering table
• Replacement for ipfwadm and ipchains
How Packets Traverse the Filters (continued)
• When a packet reaches a circle (a chain in the diagram), that chain determines the fate of the packet
  - The chain can say to DROP the packet or ACCEPT it.
  - If no rule in the chain matches, the chain’s default policy is used (usually DROP)
Network Address Translation
[Diagram: PREROUTING -> Routing Decision -> Local Process -> POSTROUTING]
The table of NAT rules invoked by ‘iptables -t nat’ contains the PREROUTING and POSTROUTING chains
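The MIDDLE security level of the table above, the default DROP policy, the port-forwarding hole and the nat table’s PREROUTING/POSTROUTING chains, combined into one rule set as an added example (not from the slides or the lab material). It prints the iptables commands instead of running them so the rule set can be reviewed before it is applied; the interface names, addresses, forwarded port and ICMP rate limit are assumptions.

```shell
#!/bin/sh
# Prints the iptables commands for a dual-homed firewall at the MIDDLE level:
# default DROP, established connections and a few pre-defined ports allowed in
# from the WAN, one port forwarded to an internal server through the nat table.
# Interfaces, addresses and the forwarded port are assumptions for the example.
WAN_IF="${WAN_IF:-eth0}"                  # interface facing the Internet
LAN_IF="${LAN_IF:-eth1}"                  # interface facing the internal LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SERVER_IP="${SERVER_IP:-192.168.1.10}"    # internal server behind the port forward
FORWARD_PORT="${FORWARD_PORT:-80}"

# $1: space-separated list of TCP ports open to the WAN, e.g. "80 22"
firewall_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
# Default policy: anything no rule matches is dropped (the HIGH level is this alone)
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Uninhibited internal LAN traffic: loopback and the LAN interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
# Replies to connections the firewall or the LAN opened (stateful inspection)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
# Rate-limited ping from the WAN so an ICMP flood cannot saturate the host
iptables -A INPUT -i $WAN_IF -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
EOF
    for p in $1; do
        echo "iptables -A INPUT -i $WAN_IF -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
# Port forward: rewrite the destination in PREROUTING (before the routing decision),
# then let only that rewritten traffic through FORWARD. This is the hole the slides
# warn about, so it is limited to one port and one server.
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $FORWARD_PORT -j DNAT --to-destination $SERVER_IP:$FORWARD_PORT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $SERVER_IP --dport $FORWARD_PORT -m state --state NEW -j ACCEPT
# Masquerade LAN traffic leaving on the WAN side (POSTROUTING, after routing)
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Review with: firewall_rules "80 22"     Apply as root with: firewall_rules "80 22" | sh
```

Compare the printed commands with `iptables -S` and `iptables -t nat -S` on the lab host to see which chains each rule lands in.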