This action might not be possible to undo. Are you sure you want to continue?
Definitions: firewall, policy, router, gateway, proxy NAT: Network Address Translation Source NAT, Destination NAT, Port forwarding NAT firewall compromise via UPnP/IGD Packet filtering and session spoofing Port knocking IPtables firewalls Shorewall
Definition of firewall
A computer networking firewall implements a security policy either: a. in respect of network traffic traversing a router or gateway operating between 2 networks, or b. on a host computer in respect of network traffic between one or more of that host computer's network connections and the host computer itself.
.Security Policy A security policy in this context is a decision about network traffic that should be allowed and/or traffic that should be blocked. For these purposes a firewall is better seen as a line of defence. "The Net treats censorship as damage and routes around it" John Gilmore While VPNs or circumvention proxies can be used to pierce firewalls. and not as the entire defence. school pupils can be disciplined and residents of dictatorships arrested by police for network security policy evasions.
wikipedia.org/wiki/Transport_layer . http://en. In practice firewalls must also be able to make accept or reject decisions in respect of routed packets based on information relevant to the transport layer.org/wiki/Network_layer http://en.Router A router is a device that routes traffic between networks and which operates at the network layer.wikipedia.
. Where a gateway acts as a network firewall. or part of the client configuration in other cases. its security influence will be restricted to the application/s which it proxies. and which proxies this traffic such that the server providing this application sees client traffic as if it were originating and terminating at the gateway.Gateway 1 A gateway is a device which intercepts and relays network traffic in respect of a particular application. The location of the gateway might be transparent to the client in some cases.
g. For example a school may restrict the web sites its pupils can visit e. Gateways can be used to implement higher level security policies.g. .Gateway 2 A router between the client and a proxy which intercepts and redirects client requests for particular applications. HTTP based on port 80 or for outgoing SMTP based on port 25) to specific gateways is acting as an integral part of the firewall provided by this redirecting proxy service. based on a restricted sites list. (e. Application gateways might have traffic management and network efficiency purposes in addition to security purposes or both.
ranum.Marcus Ranum's Ultimate Firewall http://www.com/security/computer_security/papers/a1-firewall/ .
grade (i. while allowing all client requests from the LAN side to be serviced from the WAN side. broadband) routers provides an inherent firewall. Due to the shortage of IP version 4 addresses. The security advantage is that the default SNAT configuration of many consumer. .e.Network Address Translation Firewalls Strictly speaking this is a routing technique for the purpose of connecting a LAN using unroutable in-house LAN allocatable addresses to the Internet. this approach is increasingly used for internal networks. which blocks server requests from clients on the WAN side of the router to hosts on the LAN side.
as it is concerned with maintaining transport layer connections. . Knowing which packets to allow through the firewall depends upon whether these are part of a legitimately initiated session. in preference to direct use of a broadband modem which exposes the PC to external server requests and port scans.NAT Firewalls 2 Given the low cost and security benefits of these devices. as well as translating addresses on network layer packets. this approach is recommended as the standard means to connect even a single Windows host to a broadband connection. and the relative insecurity of most consumer PCs. An NAT firewall is stateful.
0.0. ● . ● Remember the association between service requests and the internal IP addresses these come from. ● Forward replies from the client service request by the external server to the client.16.0/8.0. forwarding any responses by the server to the client. so that the session is masqueraded as coming from the NAT firewall. To allow servers outside the firewall/router to respond to clients inside.Source NAT (SNAT) Private IP addresses are reserved in RFC 1918 and use netblocks 192.168.0/12 and 10.0/16. 172.0. the router must: Translate outgoing IP source packet headers from the internal host addresses to the WAN IP address of the router. ● Enable the client-server session or connection to continue on another port as requested by the external server.
● Enable the client-server session or connection to continue on another port as requested by the internal server.Destination NAT (DNAT) DNAT enables servers located inside the firewall protected LAN to be accessed by clients located outside. ● Forward replies to the client service request by the internal server to the external client. forwarding any responses by the client to the server. ● Remember the association between service requests and the external IP addresses these come from. ● . Here the router must: Translate incoming IP destination packet headers from the firewall/router WAN IP address to the internal address of the server.
to enable a server located inside the firewall to provide a particular service. For example a host might be configured to provide outgoing SMTP service for the LAN on port 25 and incoming SMTP service on port 2525. .Port Address Translation Typical NAT capable firewalls can often usefully change port numbers on SNAT sessions. e. The firewall will translate the port numbering for DNAT'ed incoming SMTP requests from 25 to 2525 and will also translate outgoing responses on this port intelligently. DNS or SMTP using different or differently-configured server programs to respond to internal LAN requests and to external WAN requests.g.
so that computer users can install more complex services without needing to know anything about these. Unfortunately this protocol isn't authenticated. An attack of this nature has been reported in connection with BT's Home Hub product. The IGD service can change port forwarding.NAT firewall compromise via UPnP/IGD The UPnP (Universal Plug and Play) Protocol is intended to enable simple firewall rules to be setup automatically using the Internet Gateway Device service. DNS. If a UPnP/IGD user visits a website containing malicious Adobe Flash content this can initiate HTTP requests which will compromise the firewall. WiFi and other configurations on the fly. . UPnP assumes LAN requests to be trustworthy.
Packet filtering A packet filtering firewall can operate statelessly based on the legitimacy of the source and destination addresses on IP packets. packets with origins internal to the network should be blocked if coming from outside (ingress filtering). Packets with origin addresses external to the network should be blocked if coming from the inside (egress filtering). For a firewall to defeat this attack. Implementing egress filtering at ISP customer-facing routers helps mitigate DDOS attacks. In this kind of attack trust relationships between computers are exploited by sending packets purporting to come from a trusted computer. but where the origin is forged. . One problem this solves is IP spoofing.
an attacker can predict when a web server will contact a back end SQL database server based on input to the web server provided by the attacker.Session spoofing Session spoofing involves interpolation of IP packets into a TCP or UDP session presumed to have been initiated between trusted hosts. For example. Dan Kaminsky's 2008 DNS spoofing attack involves spoofing UDP source addresses and guessing port numbers. . For TCP this attack has been made more difficult by making the initial packet numbers within TCP sessions less predictable.
Those checking their server logs will be aware of automated attempts to "brute force" system logins. The following commands: cd /var/log grep sshd auth.including: Jan 23 21:38:30 copsewood sshd: Failed password for root from ::ffff:82.log | grep password | grep root Showed 209 attempts on the root password .245 port 37219 .151. This involves guessing popular passwords. which has pros and cons.Port Knocking 1 This is a custom technique. typically on a SSH (secure shell) server.208.
the PND will reconfigure the firewall temporarily to allow the IP address from which the knocking pattern was received access to the SSH service port (22) .Port Knocking 2 One approach to defeat such attacks is to configure a firewall so that the sshd (secure shell daemon) server program will only allow traffic through the firewall from a particular set of IP addresses. A more flexible firewall solution is to use a port knocking daemon (PND) which scans firewall logs for a specific and secret sequence of port knocks. This is going to be too restrictive if you need to fix a server problem when you receive an automated SMS watchdog text message while on holiday and need to use the nearest Internet access point. When the correct port-knocking sequence is received.
and can return to its caller. comparable to a subroutine or function in conventional programming. It is useful to think of IPtables as being a specialised firewall-creation programming language. This allows for stateless and stateful firewalls and NAT.iptables iptables is a networking administration command-line tool on Linux which interfaces to the kernel-provided Netfilter modules. Programs in this language are made up of a set of chains. A chain can be called from another. . These chains are made up of individual rules and are contained within particular "tables".
Iptables chains flow diagram Source: http://dmiessler.PNG .com/ images/DM_NF.
. and called from the above predefined tables and chains.Organisation of tables and chains Any user-defined chains can be added to.
Targets are: ACCEPT. . The effect of QUEUE is to allow the packet to be processed by a userspace program. DROP.g. or a target defined by another user-defined chain to which the packet is passed for further processing. for the purpose of creating a complex tarpit designed to consume massive remote resources in exchange for trivial local resources when malicious packets are received. RETURN allows processing of the packet to continue in the chain's caller module. QUEUE. or RETURN.Iptables targets Each rule has a target. e. which defines what happens to the packet.
rewrites source address of packet and optionally port. ● MASQUERADE . ● SNAT . ● DNAT .logs packet using a socket connection to a userspace program.rewrites destination address of packet and optionally port. and causes this rule to be applied to all relevant packets in session. ● .similar to drop but replying with an error ICMP packet.Iptables extended targets REJECT . and causes this rule to be applied to all relevant packets in session. ● ULOG .similar to SNAT but suited to dynamic host addresses allocated using DHCP.host kernel logs the packet. ● LOG .
org -p tcp -m \ tcp --dport ssh -j ACCEPT # For outsiders. Have to run this as root on bootup.letsystem. # whitelist iptables -A INPUT -s home.Iptables script example #!/bin/bash # iptables script to limit sshd attacks. rate-limit and enjoy iptables -A INPUT -p tcp -m tcp --dport ssh \ -m state --state NEW \ -m recent --hitcount 3 --seconds 180 --update -j DROP iptables -A INPUT -p tcp -m tcp --dport ssh \ -m state --state NEW \ -m recent --set -j ACCEPT .
e. The example is taken from a dual Ethernet card Linux PC used as a broadband router for a home network. It allows a firewall configuration to be managed through a set of text files. This can be done more easily. . Shorewall enables a multi-homed host to be handled as a set of zones. The following example Shorewall configuration show only the parts of the standard files which were changed.g.Shorewall This application is for compiling an iptables based firewall. a DMZ (demilitarised zone). a LAN and a WAN zone connected to different network interfaces. but less flexibly than with iptables rules directly.
conf. . packets whose destination addresses are # reserved by RFC 1918 are also rejected.This interface should not receive any packets whose # source is in one of the ranges reserved by RFC 1918 # (i.norfc1918 loc eth1 detect relevant comments # norfc1918 . private or "non-routable"addresses../etc/shorewall/interfaces #ZONE INTERFACE BROADCASTOPTIONS net eth0 detect dhcp. If packet mangling is # enabled in shorewall.e.routefilter.
/etc/shorewall/masq # You have a simple masquerading setup where eth0 connects # to a DSL or cable modem and eth1 connects to your local # network with subnet 192.168.0.168.0/24 # #INTERFACE SUBNET ADDRESS eth0 eth1 .0.0/24. # Your entry in the file can be either: # eth0 eth1 # or # eth0 192.
/etc/shorewall/zones # This file determines your network zones. Columns are: # # ZONE Short name of the zone # DISPLAY Display name of the zone # COMMENTS Comments about the zone # #ZONE DISPLAY COMMENTS net Net Internet loc Local Local networks .
/etc/shorewall/policy #This file determines what to do with a new connection # request #SOURCE DEST POLICY LOG LEVEL fw net ACCEPT fw loc ACCEPT loc fw ACCEPT net all DROP info all all REJECT info .
/etc/shorewall/rules #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL_PORT PORT(S)_ DEST # # Accept DNS connections from the firewall to the network # ACCEPT fw net tcp 53 ACCEPT fw net udp 53 # # Accept SSH connections from the local network for administration # ACCEPT loc fw tcp 22 # # Accept Ping Ubiquitously # ACCEPT loc fw icmp 8 ACCEPT net fw icmp 8 # # All ICMP are accepted fw->all # ACCEPT net fw tcp 22 ACCEPT net fw tcp 8888 ACCEPT net fw tcp 9090 - .
This action might not be possible to undo. Are you sure you want to continue?
We've moved you to where you read on your other device.
Get the full title to continue listening from where you left off, or restart the preview.