firewalls
play

Firewalls jnlin Computer Center, CS, NCTU Firewalls q Firewall - PowerPoint PPT Presentation

Jan 19, 2023 •469 likes •1.06k views

Firewalls jnlin Computer Center, CS, NCTU Firewalls q Firewall hardware/software choke point between secured and unsecured network filter incoming and outgoing traffic prevent communications which are forbidden by the

  1. Firewalls jnlin

  2. Computer Center, CS, NCTU Firewalls q Firewall • hardware/software • choke point between secured and unsecured network • filter incoming and outgoing traffic • prevent communications which are forbidden by the security policy q What it can be used to do • Incoming: protect and insulate the applications, services and machines Ø Such as telnet, NetBIOS • Outgoing: limit or disable access from the internal network Ø Such as MSN, ssh, ftp, facebook, SC2, D3 • NAT (Network Address Translation) 2

  3. Typical Network Design Computer Center, CS, NCTU 3

  4. Computer Center, CS, NCTU Firewalls – Capabilities q Network Layer Firewalls • Operate at a low level of TCP/IP stack as IP-packet filters. • Filter attributes Ø Source/destination IP Ø Source/destination port Ø TTL Ø Protocols Ø … q Application Layer Firewalls • Work on the application level of the TCP/IP stack. • Inspect all packets for improper content, a complex work! q Application Firewalls • The access control implemented by applications. • TCP Wrapper (libwrap) 4

  5. Computer Center, CS, NCTU Firewalls – Rules q Exclusive • Only block the traffic matching the rulesets q Inclusive • Only allow the traffic matching the rulesets • Offer much better control of the incoming/outgoing traffic • Safer than exclusive one Ø (Y) reduce the risk of allowing unwanted traffic to pass Ø (N) increase the risk to block yourself with wrong configuration q State • Stateful Ø Keep track of which connections are opened through the firewall Ø Be vulnerable to Denial of Service (DoS) attacks • Stateless 5

  6. Computer Center, CS, NCTU Firewalls – DMZ q Demilitarized zone (Perimeter Network) • Between untrusted and trusted networks • Limited access to internal networks • Open service to WAN (Internet) Ø SMTP Ø POP3 Ø HTTP Ø VPN Servers Ø … q A layer of security • Limit the damage if system is compromised 6

  7. Computer Center, CS, NCTU Firewalls – Bastion Host q A workstation allow users connect to internal service • Limit the entry point of the internal network • Do logging and auditing on it • Located in DMZ or behind VPN service 7

  8. Computer Center, CS, NCTU Firewalls – Packages q Linux • iptables (kernel 2.4+) • ipchains (kernel < 2.4) • Firewalld • ufw q FreeBSD • IPFILTER (known as IPF) • IPFIREWALL (known as IPFW) + Dummynet • Packet Filter (known as PF)+ ALTQ Ø migrated from OpenBSD Ø v4.5 (In FreeBSD 9.0) Ø http://www.openbsd.org/faq/pf/ v5.0 8

  9. iptables in Linux

  10. Computer Center, CS, NCTU iptables q User-space software that control Linux kernel firewall • Control Linux kernel Netfilter modules q Support kernel version 2.4+ • Replace ipchains and ipfwadm q iptables allows system administrators to define tables containing chains of rules for the treatment of packets 10

  11. Computer Center, CS, NCTU Packet flow in Netfilter 11

  12. Computer Center, CS, NCTU Xtables Architecture q Xtables • v4, v6, arp, eb • IPv4, IPv6 are different tables q Tables • filter, nat, mangle q Chains • PREROUTING, OUTPUT, FORWARD, INPUT, POSTROUTING q Rules • e.g., iptables -A INPUT -i lo -j ACCEPT 12

  13. Computer Center, CS, NCTU Xtables Architecture – Filter q Filter Table The default table of iptables command For packets filter • INPUT Ø Packets that come in (to local) • OUTPUT Ø Packets that go out (from local) • FORWARD Ø Packets that pass through (from others to others) 13

  14. Computer Center, CS, NCTU Xtables Architecture – NAT q NAT tables For IP masquerade • PREROUTING Ø Packets that will go into the routing tables • POSTROUTING Ø Packets that have left the routing tables • OUTPUT Ø Packets that go out (from local) 14

  15. Computer Center, CS, NCTU Xtables Architecture – Mangle q Mangle Table For special purpose, e.g., add or remove some special tags from packets • PREROUTING • OUTPUT • FORWARD • INPUT • POSTROUTING 15

  16. iptables Flowchart Computer Center, CS, NCTU 16

  17. Computer Center, CS, NCTU iptables – List q iptables • -t tables : Target table • -L : List all rules • -n : Don’t lookup domain names • -v : Show details 17

  18. Computer Center, CS, NCTU iptables – Init q iptables • -F : Flush all rules • -X : Flush all custom chains • -Z : Flush all statistics data for all chains q iptables • -P [INPUT,OUTPUT,FORWARD] [ACCEPT, DROP] Ø Change the default policy of the target chain 18

  19. Computer Center, CS, NCTU iptables – Save and Restore q iptables-restore • Restore from restore file q iptables-save • Export all rules and generate restore file • Some system will load restore file at boot Ø Ex: CentOS /etc/sysconfig/iptables /etc/sysconfig/ip6tables q Restore file syntax • # comments • * table name • : chain default-policy [pkt:byte] • Rules • COMMIT (End of file) 19

  20. Computer Center, CS, NCTU iptables – Module q User may need special rule to filter packets q Split several feature into different module q Stateful • Packets states tracking • Traffic statistics q Use -m to access module • iptables -A INPUT -m conntrack … • iptables -A INPUT -m recent … q http://ipset.netfilter.org/iptables-extensions.man.html 20

  21. Computer Center, CS, NCTU iptables – Rules (1/2) q Modify • -A, --append • -C, --check • -D, --delete • -I, --insert • -R, --replace q Jump • -j, --jump Ø To user-defined chain Ø ACCEPT, DROP, REJECT, RETURN, SNAT, DNAT, MASQUERADE • -g, --goto Ø Unlike the --jump option return will not continue processing in this chain but instead in the chain that called us via --jump. 21

  22. Computer Center, CS, NCTU iptables – Rules (2/2) q Filter • -i, -o [if] : incoming interface / outgoing interface Ø -i ens192 -o docker0 • -s, -d [net] : Source / Destination Ø -s 192.168.0.1/24 –d 140.113.1.1 • --sport, --dport [port] : Source port / Destination port Ø --sport 22 --dport 80 • -p [protocol] : tcp, udp, icmp, all Ø -p icmp • ! (not) : Invert matching Ø ! -s 140.113.1.0/24 Ø ! -i eth0 Ø ! -p udp 22

  23. Computer Center, CS, NCTU iptables – Custom chain q Create • -N my-chain • Define in restore file q When iptables reaches the end of user-defined chain, flow returns to the next rule in the calling chain q Ex • -A INPUT -j badguy • -A INPUT -j ACCEPT • -A badguy -s 1.2.3.4 -j DROP • -A badguy -s 140.112.0.0/24 -j DROP • … 23

  24. Computer Center, CS, NCTU Example: Hello world q Allow outgoing packets but deny all incoming packets, except the packets that reply users requests • -A INPUT -i lo -j ACCEPT • -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT q State • NEW : New connection • ESTABLISHED : Old connection • RELATED : New connection create by ESTABLISHED session • INVALID 24

  25. Computer Center, CS, NCTU Example: NAT q Provides NAT from eth0 to eth1 • sysctl -w net.ipv4.ip_forward=1 • -t NAT -A POSTROUTING -i eth0 -o eth1 -j MASQUERADE q Nat • SNAT --to-source : Change Source IP Address • DNAT --to-destination : Change Destination IP Address • MASQUERADE : Change Source IP Address (based on outgoing device IP Address) 25

  26. Computer Center, CS, NCTU Example: Prevent DDoS Attack q Append traffic limit (10 times / 60 sec) to SSH services • -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set -- name RECENT --rsource • -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 10 --name RECENT --rsource -j DROP q xt_recent • Record every connection • Filter connection by connecting history 26

  27. Computer Center, CS, NCTU Other tools q These tools help user to manage iptables rules • UFW (Uncomplicated Firewall) (Ubuntu) Ø Easy to use Ø Hard to customize • Firewalld (Redhat) Ø Another way to manage your firewall q Sometime even with these tools, you still need to understand iptables, otherwise you cannot manage complicated firewall rules like docker network, kubernetes 27

  28. PF in FreeBSD

  29. Computer Center, CS, NCTU Packet Filter (PF) q Functionality • Filtering packets • NAT • Load balance • QoS: (ALTQ: Alternate Queuing) • Failover (pfsync + carp) 29

  30. Computer Center, CS, NCTU PF in FreeBSD – Enable pf* q In /etc/rc.conf (kernel modules loaded automatically) pf_enable= " YES " pflog_enable="YES" pfsync_enable="YES" q Kernel configurations device pf device pflog device pfsync 30

  31. Computer Center, CS, NCTU PF in FreeBSD – Commands q /etc/rc.d/pf • start / stop / restart / status / check / reload / resync q pfctl • -e / -d • -F {nat | rules | state | info | Tables | all | …} • -v -s {nat | rules | state | info | all | Anchors | Tables | …} • -v -n -f /etc/pf.conf • -t <table> -T {add | delete| test} {ip …} • -t <table> -T {show | kill | flush | …} • -k {host | network} [-k {host | network}] • -a {anchor} … Ø Default anchor: -a '*' Ø Ex. -a ‘ftp-proxy/*’ 31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls? Network Address Translation Types of Firewalls Linux/Windows Firewalls pfSense Blue Team Activity Brief History Firewall

348 views • 30 slides
Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple firewall using Netfilter Iptables firewall in Linux Stateful Firewall Application Firewall Evading Firewalls 2 Firewalls

811 views • 55 slides
FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls

FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls

FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls (Categories) Implementation Best practices What are Firewalls? Internet Firewall Client/Host Network Network Security

585 views • 39 slides
Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential however

Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential however

Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential however it creates a threat Effective means of protecting LANs Inserted between the premises network and the Internet to establish a controlled

699 views • 34 slides
Firewalls Why do people want a firewall? [...] a firewalls purpose is to keep the jerks

Firewalls Why do people want a firewall? [...] a firewalls purpose is to keep the jerks

Firewalls Why do people want a firewall? [...] a firewalls purpose is to keep the jerks out of your network while still letting you get your job done. [Limiting] what kinds of connectivity is allowed between different

538 views • 30 slides
Firewalls Computer Center, CS, NCTU Firewalls Firewall A piece of hardware and/or

Firewalls Computer Center, CS, NCTU Firewalls Firewall A piece of hardware and/or

Firewalls Computer Center, CS, NCTU Firewalls Firewall A piece of hardware and/or software which functions in a networked environment to prevent some communications forbidden by the security policy. Choke point between secured

613 views • 34 slides
Firewalls Firewalls October 16, 2020 Administrative Administrative submittal

Firewalls Firewalls October 16, 2020 Administrative Administrative submittal

Firewalls Firewalls October 16, 2020 Administrative Administrative submittal instructions submittal instructions answer the lab assignments questions in written report form, as a text, pdf, or Word document file (no obscure

585 views • 21 slides
Firewalls Network Security: Firewalls, A system or combination of systems VPNs, and

Firewalls Network Security: Firewalls, A system or combination of systems VPNs, and

Firewalls Network Security: Firewalls, A system or combination of systems VPNs, and Honeypots that enforces a boundary between two CS 239 or more networks - NCSA Firewall Functional Summary Computer Security Usually, a

271 views • 10 slides
Firewalls, IPsec and Linux by Harald Welte &lt;laforge@netfilter.org&gt; Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte &lt;laforge@netfilter.org&gt; Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte &lt;laforge@netfilter.org&gt; Firewalls, IPsec and Linux Contents Introduction Highly Scalable Linux Network Stack Netfilter Hooks Packet selection based on IP Tables The Connection Tracking

444 views • 9 slides
Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network

Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network

Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network from the Internet Trusted hosts and networks Firewall Router Intranet Demilitarized Zone: DMZ publicly accessible servers and networks

746 views • 31 slides
Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy

Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy

1 Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy firewalls Stateful inspection Deep packet inspection 2 Packet filter (Access Control Lists) Treats each packet in isolation

510 views • 30 slides
Firewalls and intrusion detection systems Markus Peuhkuri 2005-03-22 Lecture topics Firewalls

Firewalls and intrusion detection systems Markus Peuhkuri 2005-03-22 Lecture topics Firewalls

Firewalls and intrusion detection systems Markus Peuhkuri 2005-03-22 Lecture topics Firewalls Security model with firewalls Intrusion detection systems Intrusion prevention systems

644 views • 7 slides
Firewalls CS461/ECE422 Spring 2012 Reading Material Text

Firewalls CS461/ECE422 Spring 2012 Reading Material Text

Firewalls CS461/ECE422 Spring 2012 Reading Material Text chapter 9 Firewalls and Internet Security: Repelling the Wily Hacker, Cheswick, Bellovin,

501 views • 34 slides
Firewalls Summary ITS335: IT Security Sirindhorn International Institute of Technology

Firewalls Summary ITS335: IT Security Sirindhorn International Institute of Technology

ITS335 Firewalls Characteristics Types Locations Firewalls Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 25 October 2013 its335y13s2l08,

245 views • 23 slides
Network Firewalls Don Porter CSE/ISE 311: Systems Administra5on

Network Firewalls Don Porter CSE/ISE 311: Systems Administra5on

CSE/ISE 311: Systems Administra5on Network Firewalls Don Porter CSE/ISE 311: Systems Administra5on Firewalls: An Essen2al Tool Previous Lectures: Every service

469 views • 20 slides
Network Firewalls the outside world is a poten7al aCack

Network Firewalls the outside world is a poten7al aCack

4/29/14 CSE/ISE 311: Systems Administra5on CSE/ISE 311: Systems Administra5on Firewalls: An Essen7al Tool Previous Lectures: Every service on a system visible

400 views • 4 slides
Session 6 Network Protections: DoS, Firewall and IDS Sbastien Combfis Fall 2019 This work

Session 6 Network Protections: DoS, Firewall and IDS Sbastien Combfis Fall 2019 This work

I5020 Computer Security Session 6 Network Protections: DoS, Firewall and IDS Sbastien Combfis Fall 2019 This work is licensed under a Creative Commons Attribution NonCommercial NoDerivatives 4.0 International License. Objectives

1.08k views • 53 slides
Advanced SSH(1) Advanced SSH(1) Prerequisites We wont cover these anymore ~/.ssh/config

Advanced SSH(1) Advanced SSH(1) Prerequisites We wont cover these anymore ~/.ssh/config

Advanced SSH(1) Advanced SSH(1) Prerequisites We wont cover these anymore ~/.ssh/config public-key authentication Ed25519 or RSA Port Forwardings scp(1), sftp(1) tar cf - ./files | xz | pv | \ ssh $host cat &quot;&gt;&quot;

1.01k views • 72 slides
Client Puzzles Defending Against Denial-of- Service Attacks with Puzzle Auctions Outline

Client Puzzles Defending Against Denial-of- Service Attacks with Puzzle Auctions Outline

Client Puzzles Defending Against Denial-of- Service Attacks with Puzzle Auctions Outline Motivation Auction Protocol TCP Puzzle Auction TCP Client Puzzle Implementation Experiment Results Questions Defending Against

761 views • 30 slides
Firewalls David Parter University of Wisconsin Computer Sciences Department Computer Systems

Firewalls David Parter University of Wisconsin Computer Sciences Department Computer Systems

Firewalls David Parter University of Wisconsin Computer Sciences Department Computer Systems Lab dparter@cs.wisc.edu November 11, 2010 1 Topics Firewall basics Types of Firewalls Deployment scenarios Related Technologies

965 views • 83 slides
AM-2 NIE API Gateway in NIE Who uses the APIs now and how is the adoption rate? The APIs are used

AM-2 NIE API Gateway in NIE Who uses the APIs now and how is the adoption rate? The APIs are used

AM-2 NIE API Gateway in NIE Who uses the APIs now and how is the adoption rate? The APIs are used by our faculty, our corporate mobile app users, corporate systems and students, the adoption rate is growing healthy at a steady rate. We are moving

452 views • 17 slides
Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control? How Is Access Determined? Who Determines Access? Forms of Access Control SELinux Booleans iptables File Access Control Lists Apache Access Control

711 views • 36 slides
Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative

Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative

Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative submittal instructions submittal instructions answer the lab assignments questions in written report form, as a text, pdf, or Word document

504 views • 21 slides
Debugging Scalable Applications on the XT May 2nd 2009 Chris Gottbrath Director, Product

Debugging Scalable Applications on the XT May 2nd 2009 Chris Gottbrath Director, Product

Debugging Scalable Applications on the XT May 2nd 2009 Chris Gottbrath Director, Product Management Debugging Scalable Applications Intro Challenges Products Scalability Interactive Subset Debugging Batch

727 views • 30 slides

More recommend