Himanshu Sharma
http://ethicalhackingtutorials1.blogspot.com/
Outline
Firewall
    Definition
    Types
    Configuration
    Lab Exercise (Kerio Personal Firewall)
IDS
    Definition
    Operation
    Lab Exercises
Firewall
What is a Firewall?
A firewall is any device used to prevent outsiders from gaining access to your network. It checks each packet against a list of rules to permit or deny its transmission. Firewalls commonly implement exclusionary schemes or rules that sort out wanted and unwanted addresses.
They filter all traffic between a protected (inside) network and a less trustworthy (outside) network.
Firewall
Composition?
Firewall
Design Goals
All traffic in both directions must pass through the firewall
Only authorized traffic should be allowed to pass
The firewall should itself be immune to penetration
Firewall
Types
There are different kinds of firewalls, and each type has its advantages and disadvantages. Firewalls can be classified in two broad categories: network level firewalls and application gateway firewalls.
Firewall
Network Level Firewalls
The filtering scheme is applied through a technique called packet filtering, so network level firewalls are also classified as packet-filtering firewalls.
They are the simplest and most effective type of firewall.
Firewall
Packet Filtering
Packet filtering is the process of examining the packets that come to the router from the outside world. Packet headers are inspected by a firewall or router to decide whether to block the packet or allow access. There are two approaches: stateless and stateful packet filtering.
Firewall
Stateless Packet Filtering
Ignores the state of the connection. Each packet header is examined individually and compared to a rule base.
Firewall
Stateful Packet Filtering
Maintains a record of the state of each connection (referred to as the state table). Each packet is compared against both the rule base and the state table. Some stateful filters can examine both the packet header and the content. It is called stateful because it can permit the replies to sessions opened from inside while denying sessions opened from outside.
Firewall
Application Gateway Firewall
When a remote user contacts a network running an application gateway, the gateway blocks the remote connection. Instead of passing the connection along, the gateway examines various fields in the request. If these meet a set of predefined rules, the gateway creates a bridge between the remote host and the internal host.
Firewall
Access Policy
A list of rules describing which packets are to be forwarded. Each packet is compared against this list; the longer the list, the greater the latency (delay). Examples:
From any to any port 80 permit
From any to any PORT any deny
From *.albany.edu to any PORT any DENY
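As an added illustration of the stateless and stateful filtering described above and of first-match evaluation of the access policy (example code written for this page, not part of the original slides): a stateless filter judges each header against the page's three example rules, while a stateful filter records sessions opened from inside in a state table and lets their replies back in. Host names and packets are constructed; the source patterns, ports and actions are the page's own rules.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

@dataclass(frozen=True)
class Packet:
    src: str           # source host name (or address)
    sport: int
    dst: str
    dport: int
    direction: str     # "out": inside -> outside, "in": outside -> inside
    syn: bool = False  # True for the packet that opens a TCP session

# The page's access-policy examples, in the page's own order:
# (source pattern, destination port or None for any, action).
RULES = [
    ("*", 80, "permit"),
    ("*", None, "deny"),
    ("*.albany.edu", None, "deny"),  # never reached: the deny-any rule above shadows it
]

def stateless_filter(pkt, rules=RULES):
    """Stateless: each packet is judged by its header alone; the first matching rule wins."""
    for src_pattern, port, action in rules:
        if fnmatch(pkt.src, src_pattern) and port in (None, pkt.dport):
            return action
    return "deny"  # nothing matched: default deny

class StatefulFilter:
    """Stateful: a state table of sessions opened from inside is consulted before the rule base."""
    def __init__(self, rules=RULES):
        self.rules = rules
        self.state_table = set()  # (inside host, outside host, outside port)
    def check(self, pkt):
        if pkt.direction == "out":
            if pkt.syn:  # session opened from inside: remember it so its replies may return
                self.state_table.add((pkt.src, pkt.dst, pkt.dport))
            return "permit"
        if (pkt.dst, pkt.src, pkt.sport) in self.state_table:
            return "permit"  # reply to a recorded session
        return stateless_filter(pkt, self.rules)  # unsolicited inbound: rule base decides

def demo():
    """Constructed traffic: an inside PC opens SMTP to a mail host; the reply and two probes come in."""
    out = Packet("pc1.example.test", 40000, "mail.example.test", 25, "out", syn=True)
    reply = Packet("mail.example.test", 25, "pc1.example.test", 40000, "in")
    probe = Packet("scan.albany.edu", 5555, "pc1.example.test", 25, "in", syn=True)
    web = Packet("scan.albany.edu", 5556, "pc1.example.test", 80, "in", syn=True)
    sf = StatefulFilter()
    return {"stateless_reply": stateless_filter(reply),  # deny: port 25 never permitted by header alone
            "stateful_out": sf.check(out),               # permit, and the session is recorded
            "stateful_reply": sf.check(reply),           # permit: matches the state table
            "stateful_probe": sf.check(probe),           # deny: unsolicited inbound to port 25
            "stateful_web": sf.check(web)}               # permit: rule 1 allows port 80 from any
```

Note that with first-match evaluation the third rule in the page's list can never fire, since the second rule already matches every packet; rule order is part of the policy.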
Firewall
Limitations
Firewalls are not a complete solution to all computer security problems. Their limitations:
The firewall cannot protect against attacks that bypass the firewall
The firewall does not protect against internal threats
The firewall cannot protect against the transfer of virus-infected programs or files
Firewall
Configuration Strategies: Screening Router
A simple configuration: a single router whose external interface filters traffic to the internal computers, with an internal interface on the LAN. Provides minimal security.
(Diagram: Internet - Router - internal hosts 192.168.2.2 to 192.168.2.6; router interfaces 10.1.1.200/24 and 192.168.2.1/24.)
Firewall
Configuration Strategies: Screening Host
The host makes an Internet request; the application gateway receives the client request and makes a request on behalf of the client.
(Diagram: Internet - Router - Application Gateway - internal hosts 192.168.2.2 to 192.168.2.6.)
Firewall
Configuration Strategies
(Diagram only: Internet - Router - Firewall - Router - internal hosts 192.168.2.2 to 192.168.2.6.)
Firewall
Configuration Strategies: DMZ (Screened Subnet)
The DMZ sits outside the internal network but is connected to the firewall. The public can access servers residing in the DMZ, but the DMZ cannot connect to the internal LAN.
(Diagram: Internet - Router - Firewall (10.1.1.1/24 on the DMZ side, LAN gateway 192.168.1.1/24) - Router - internal hosts 192.168.2.2 to 192.168.2.6; DMZ servers (Web, Email, FTP) at 10.1.1.2, 10.1.1.3 and 10.1.1.4.)
Firewall
Configuration Strategies: Two Firewalls, One DMZ
The first firewall controls traffic between the Internet and the DMZ. The second firewall controls traffic between the internal network and the DMZ. The second firewall can also be a failover firewall.
(Diagram: Internet - Router - first Firewall (10.1.1.1/24) - DMZ servers (Web, Email, FTP) at 10.1.1.2, 10.1.1.3 and 10.1.1.4 - second Firewall / LAN gateway 192.168.1.1/24 - Router - internal hosts 192.168.2.2 to 192.168.2.6.)
Firewall
Kerio Personal Firewall (KPF)
What's KPF?
A software agent that builds a barrier between the PC and the Internet, to protect the PC against hacker attacks and data leaks.
Why KPF?
KPF is designed to protect the PC against attacks from both the Internet and other computers in the local network.
KPF controls all data flow in both directions, from the Internet to your computer and vice versa. KPF can block all attempted communication, allowing only what you choose to permit.
Lab Exercise
Configure Kerio Personal Firewall
KPF
How does it work?
KPF
Features
KPF
Features Contd.
Platform:
For Windows 98, Me, NT, 2000 and XP (Windows 95 is no longer supported)
KPF
Installation
System requirements:
CPU: Intel Pentium or 100% compatible
64 MB RAM
8 MB hard drive space (for installation only; at least 10 MB of additional space is recommended for logging)
Installation:
Execute the installation archive (kerio-pf-201-en-win.exe)
Choose the directory where KPF is to be installed, or leave the default setting (C:\Program Files\Kerio\Personal Firewall)
Restart the system after installation so that the low-level driver is loaded
KPF
Configuration
Overview: list of active and open ports, statistics, user preferences
Network Security: rules for network communication of individual applications, packet filtering, trusted area definitions
System Security: rules for startup of individual applications
Intrusions: configuration of parameters used for detection of known intrusion types
Web: web content rules (URL filter, pop-up blocking, control over sent data)
Logs & Alerts: log viewing and settings
KPF
Firewall Engine
The Firewall Engine takes care of all KPF functions. It runs as a background application.
Firewall Status
Administration
KPF
Configuration Window
KPF
Administration
Test
KPF
Status Window
KPF
Security Settings
Deny Unknown: all communication that is not explicitly permitted by the existing filter rules is denied
KPF
Security Settings Contd.
Test
KPF
Interaction with Users (Incoming)
KPF
Interaction with Users (Outgoing)
KPF
Packet Filtering Rules
Comments
KPF
Application MD5 Signature
KPF
Filter.log File
The filter.log file is used for logging KPF actions on the local computer. filter.log is a text file in which each record is placed on a new line. A record has the following format:
1,[08/Jun/2001 16:52:09] Rule 'Internet Information Services': Blocked: In TCP, richard.kerio.cz [192.168.2.38:3772]->localhost:25, Owner: G:\WINNT\SYSTEM32\INETSRV\INETINFO.EXE
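An added example (not from the slides or from Kerio) that parses records in the filter.log layout shown above and counts blocked inbound connections per source address and destination port. The layout is inferred from the single sample line; the "host:port" form for the destination and the two extra log lines are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Record layout inferred from the one sample line on the page; other shapes are an assumption.
RECORD = re.compile(
    r"^(?P<id>\d+),\[(?P<time>[^\]]+)\] Rule '(?P<rule>[^']*)': (?P<action>\w+): "
    r"(?P<direction>In|Out) (?P<proto>\w+), (?P<src>.+?)->(?P<dst>[^,]+), Owner: (?P<owner>.*)$"
)
# An endpoint is either "host [ip:port]" (source form in the sample) or "host:port" (destination form).
ENDPOINT = re.compile(r"^(?P<host>[^\s\[]+)(?: \[(?P<ip>[\d.]+):(?P<port>\d+)\]|:(?P<port2>\d+))$")

def parse_endpoint(text):
    m = ENDPOINT.match(text.strip())
    if not m:
        raise ValueError("unrecognised endpoint: " + text)
    return {"host": m["host"], "ip": m["ip"], "port": int(m["port"] or m["port2"])}

def parse_record(line):
    """Split one filter.log line into its fields; returns None for lines that do not match."""
    m = RECORD.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["id"] = int(rec["id"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y %H:%M:%S")
    rec["src"] = parse_endpoint(rec["src"])
    rec["dst"] = parse_endpoint(rec["dst"])
    return rec

def blocked_inbound_by_port(lines):
    """Count blocked incoming connections per (source ip, destination port): repeated hits stand out."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec and rec["action"] == "Blocked" and rec["direction"] == "In":
            counts[(rec["src"]["ip"], rec["dst"]["port"])] += 1
    return counts

# The page's sample record plus two constructed lines in the same layout.
SAMPLE = [
    "1,[08/Jun/2001 16:52:09] Rule 'Internet Information Services': Blocked: In TCP, "
    "richard.kerio.cz [192.168.2.38:3772]->localhost:25, Owner: G:\\WINNT\\SYSTEM32\\INETSRV\\INETINFO.EXE",
    "2,[08/Jun/2001 16:52:11] Rule 'Internet Information Services': Blocked: In TCP, "
    "richard.kerio.cz [192.168.2.38:3773]->localhost:25, Owner: G:\\WINNT\\SYSTEM32\\INETSRV\\INETINFO.EXE",
    "3,[08/Jun/2001 16:53:40] Rule 'Web browser': Permitted: Out TCP, "
    "localhost [192.168.2.10:1045]->www.example.test:80, Owner: C:\\PROGRAM FILES\\BROWSER\\BROWSER.EXE",
]
```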
IDS
What Does it Do?
An intrusion detection system (IDS) monitors systems and analyzes network traffic to detect signs of intrusion. An IDS can detect a variety of attacks in progress as well as attempts to scan a network for weaknesses. An IDS can be a dedicated network appliance or a software solution installed on a host computer. There are two kinds of IDS:
Client based (on a single node)
Network based (protecting the entire network)
IDS
How does it work?
If configured correctly, a network intrusion detection system (NIDS) can monitor all traffic on a network segment. A NIDS is most effective when used in conjunction with a firewall solution, with all of its dependent components properly connected and functioning.
IDS
Configuration
A NIDS can be installed on the external routers, the internal routers, or both. Placing a NIDS on external routers enables detection of attacks from the Internet. Placing a NIDS on internal routers enables detection of internal hosts attempting to access the Internet on suspicious ports.
IDS
Methods of Detection
A NIDS/IDS mainly uses anomaly or pattern detection to identify an intrusion or intrusion attempt. Anomaly detection involves monitoring resource use, network traffic and user behaviour and comparing them against normal levels. For example, if a user who normally only accesses the system between 9 am and 5 pm suddenly logs on at 3 am, this may indicate that an intruder has compromised the user's account. The NIDS/IDS would then alert administrators to this suspicious activity. A NIDS/IDS can also detect hacker attempts to scan your network for intelligence-gathering purposes.
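The login-hours anomaly above, worked through as an added example (not part of the original slides): a baseline of normal login hours is built per user from constructed audit records, and a login outside that baseline raises the alert an administrator would see. Users, timestamps, the minimum history and the one-hour tolerance are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit records (user, login time): the history an IDS would keep as its baseline.
BASELINE = [
    ("alice", "2001-06-01 09:05"), ("alice", "2001-06-01 13:40"), ("alice", "2001-06-02 16:55"),
    ("alice", "2001-06-04 10:20"), ("alice", "2001-06-05 14:10"), ("alice", "2001-06-06 09:30"),
    ("bob", "2001-06-01 22:15"), ("bob", "2001-06-02 23:50"), ("bob", "2001-06-03 02:05"),
    ("bob", "2001-06-04 01:30"), ("bob", "2001-06-05 22:40"), ("bob", "2001-06-06 00:10"),
]

def login_hour(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M").hour

def build_profile(records, min_samples=5):
    """Per user: the hours of the day seen in the baseline, widened by one hour either side."""
    seen = defaultdict(list)
    for user, stamp in records:
        seen[user].append(login_hour(stamp))
    profile = {}
    for user, hours in seen.items():
        if len(hours) >= min_samples:  # too little history would make every login look abnormal
            profile[user] = {(h + d) % 24 for h in hours for d in (-1, 0, 1)}
    return profile

def check_login(profile, user, stamp):
    """Return an alert string if the login falls outside the user's normal hours, else None."""
    if user not in profile:
        return f"{user}: no baseline profile, login at {stamp} cannot be judged normal"
    if login_hour(stamp) not in profile[user]:
        return f"{user}: login at {stamp} outside usual hours {sorted(profile[user])}"
    return None

def scan(profile, logins):
    """Run the anomaly check over new login events; returns the alerts an administrator would see."""
    return [a for a in (check_login(profile, u, s) for u, s in logins) if a]
```

Note that bob works nights in the constructed data, so his 3 am login is normal for him and alice's is not: the baseline is per user, not a single office-hours rule.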
IDS
Network Packet Checking
Sits at a network location and checks packets that travel across the network. If a packet contains a certain footprint, it triggers an alert. Audit logs are generated and kept as records of alerts.
IDS
Commonly Used IDS Systems (Windows)
IDS
Vendor Firewalls & Versions (Hardware Based)
Axent: Raptor v6.5
Checkpoint: FW1 v4.1
Cisco: PIX v525
MS: Proxy v2.0
View Demo