Date post: | 26-Dec-2015 |
Category: |
Documents |
Upload: | darleen-bennett |
View: | 218 times |
Download: | 3 times |
cs490ns - cotter 1
FirewallsFirewallsWhat they do.
How they work.
cs490ns - cotter 2 2
OutlineOutline• What is a firewall?• Architectures
– Stand Alone / application / proxy– Personal / host based– Gateway / packet filters– Enterprise / hardware
• Roles– Bastion– DMZ
• Packet Filtering concepts– IPTables– Stateful filtering
• Packet Forwarding• Ethernet bridge
cs490ns - cotter 3 3
What is a Firewall?What is a Firewall?
• A hardware or software device that monitors (and controls ?) the transmission of packets that attempt to pass through the perimeter of a network (or host).
• Provide 2 basic security functions– Packet Filtering– Application Proxy gateways
• Additional security features– Log unauthorized (and authorized ?) access attempts– Provide VPN Connections– Support user authentication– Shield internal machines from outside view
cs490ns - cotter 4 4
What should a firewall do?What should a firewall do?
• Control the flow of packets to/from Internet
• Block external login as root (?)
• Must distinguish between local and Internet packets (even spoofed addresses)
• Support limited user accounts
• Log all system activities
cs490ns - cotter 5 5
Types of FirewallsTypes of Firewalls
• Stand Alone / application / proxy
• Enterprise / Local
• Hardware / Software
• Gateway / router / packet filter
• Personal / host based– Windows firewall – incoming protection– ZoneAlarm, Linux, etc. – incoming / outgoing
filter
cs490ns - cotter 6 6
Types of FirewallsTypes of Firewalls
Internet
CorporateNetwork
Router / packet filter
StatefulFirewall
ApplicationProxy
Host-basedFirewall
cs490ns - cotter 7 7
Standalone Proxy FirewallsStandalone Proxy FirewallsApplication GatewaysApplication Gateways
• Intended to buffer the interface between an internal application and the Internet– Web Servers– Mail Servers– File Transfer
• Controls flow of packets into and out of local network– Limit access to specific web sites– Cache results for use by other internal hosts– Hide internal IP addresses from network view
cs490ns - cotter 8 8
Enterprise FirewallsEnterprise Firewalls
• Intended to support larger traffic volumes• Provides more sophisticated support
– Stateful filtering, etc.
• Software– Checkpoint Firewall 1, Microsoft ISA, Semantic
Enterprise, etc.
• Hardware– Cisco PIX, SonicWall, Watchguard, etc.
• Expensive!
cs490ns - cotter 9 9
Gateway / Packet FilterGateway / Packet Filter
• May be embedded in sophisticated routers• May be used for SOHO networks
– May be incorporated into small SOHO routers– May be incorporated into a gateway host (Linux
?)
• Provides the ability to monitor and control packets through the gateway / router.– Generally support in / out / through filtering– May not include stateful filtering capabilities
cs490ns - cotter 1010
Host-based FirewallsHost-based Firewalls
• Intended as a last line of defense for the host computer
• Runs as a background process on host– Limited bandwidth available– Generally supports incoming port filtering– Can specify which ports (if any) can support
incoming connection requests.– Occasionally supports outgoing filtering
(looking for worms, trojans, etc.)
cs490ns - cotter 11
Firewall RolesFirewall Roles
• Bastion Hosts– Hardened systems that typically run a firewall
and perhaps an application as well
• DMZ – demilitarized zone– An isolated subnetwork that includes all
services that are offered over the internet (and perhaps to the internal network as well).
cs490ns - cotter 12
Bastion Firewall and HostBastion Firewall and Host
LAN
Internet
Firewall
WebServer
cs490ns - cotter 13
DMZDMZ
LAN
Internet
Web E-mail
DMZ
cs490ns - cotter 1414
What is Packet Filtering?What is Packet Filtering?
• The process of deciding which packets to allow through the filter, based on attributes of the packet– Source / Destination Port– Source / Destination IP Address– Status flags in the packet (syn)– Originating protocol (icmp, tcp, etc.)– Connection state (tcp)
• Linux (2.4+) supports Netfilter (based on iptables)
cs490ns - cotter 1515
How does Packet Filtering How does Packet Filtering Work?Work?
• Define rules to allow or block specific types of packets
• Firewall screens all packet headers to look for matches against the rules
• Apply rules in the order in which they are stored• Allow or block packets based on rule matches.• If a packet matches no rules, apply default
behavior to the packet (usually deny).
cs490ns - cotter 1616
Packet Filtering IssuesPacket Filtering Issues
• Rules are complex. Easy to introduce errors• Filters based on IP addresses. If authorized
sites are hacked, your site is compromised• IP Spoofing can fake authorized (internal?) sites.
• Routers can be hacked to reroute internal
packets• Activities need to be logged• Internal host adresses should be hidden
cs490ns - cotter 1717
IptablesIptables
• Administration tool for IPv4 packet filtering and NAT
• Used to set up, maintain, and inspect the tables of IP packet filtering rules used by the kernel to manage packet flow through the firewall.
• Based on tables that specify the overall task and chains that identify the position of the packet in the packet flow.
cs490ns - cotter 1818
IPTables tablesIPTables tables• Filter table
– Used to control the flow of packets based on packet attributes– Only filter packets, don’t modify packets here.
• Network Address Translation (NAT) table– Used to change the source / destination IP address and / or port
of selected incoming / outgoing packets
• Mangle table– Supports specialized packet handling / routing– Change contents of packet
• Experimental and developing tables …
cs490ns - cotter 1919
Basic Packet FilteringBasic Packet Filtering
Internet
LAN
Input
Output
Forwardfiltertable
RH-Firewall-1-INPUT
cs490ns - cotter 2020
Incoming Packets to FilterIncoming Packets to Filter
• Illegal Incoming Source IP Addresses– Your IP Address– Your LAN Address– Private Network Addresses– Multicast IP Addresses– Loopback Interface Addresses
• Nuisance sites / networks• Remote Source Port Filtering• Local Destination Port Filtering• Incoming TCP connection-state filtering• Probes and Scans• DoS Attacks• Etc.
cs490ns - cotter 2121
Packet Filtering alert listPacket Filtering alert list
• CERT– www.cert.org – Carnegie-Mellon Software Engrg Inst.– www.us-cert.gov –
• Port Filter List (3/08)– DNS zone transfers 53– tftpd 69– link 87– RPC / NFS 111 / 2049– BSD “r” commands 512, 513, 514– lpd 515– uucpd 540– openwindows 2000– X windows 6000 +
cs490ns - cotter 22
Outgoing Packets to FilterOutgoing Packets to Filter
• Why?– Consideration for fair use in Internet– Distribution of private information– Detection of unwanted client programs (Trojans, etc.)
• See http://www.us-cert.gov/cas/tips/ST06-001.html
• What– Legitimate, routable addresses only– Destination IP Addresses– Destination ports– Source Ports
cs490ns - cotter 23
Filter TableFilter Table ChainsChains
• May be associated with any interface (eth0, etc.)• INPUT
– Used to test packets that come into the firewall
• OUTPUT– Used to test packets that are leaving the firewall
• FORWARD– Used to test packets that are passing through the
firewall
• Packets should pass through only 1 chain
cs490ns - cotter 24
Filter table packet flowFilter table packet flow
Routing
InputChain
ForwardChain
OutputChain
Drop
Drop Drop
LocalProcesses
InputChain
Drop
cs490ns - cotter 25
Iptables rule structure
• Iptables –t “table” “action” “chain” rule “target”– Which table are we working with (filter is default)– What action do we want to do to that table (insert,
delete, etc.)– Which chain in that table are we working with– What do we want to do?– Where do we go if we match the rule?
cs490ns - cotter 26
IPTables ActionsIPTables Actions
• Create a new chain (-N).
• Delete an empty chain (-X).
• Change the default policy for a chain. (-P).
• List the rules in a chain (-L).
• Flush the rules out of a chain (-F).
• Zero the packet and byte counters on all rules in a chain (-Z).
cs490ns - cotter 27
IPTables ActionsIPTables Actions
• Append a new rule to the end of a chain (-A). • Insert a new rule at some position in a chain (-I). • Replace a rule at some position in a chain (-R). • Delete a rule at some position in a chain, or the
first that matches (-D).
cs490ns - cotter 28
IPTables targets• ACCEPT
– Stop processing and pass to application / OS• DROP
– Stop processing and block packet• LOG
– Packet info sent to syslog. Continue processing• REJECT
– Stop processing and send reject message to source• DNAT
– Change destination network address• SNAT
– Change source network address• MASQUERADE
– Do source network address translation (PAT)
cs490ns - cotter 29
Example Filter RulesExample Filter Rules
• #Allow traffic on the loopback interface• iptables –A INPUT –i lo –j ACCEPT• iptables –A OUTPUT –i lo –j ACCEPT• # Set Default policy for chain• Iptables --policy INPUT DROP• #Allow all outgoing connections• iptables -A block -m state --state NEW -i ! ppp0 \
-j ACCEPT • #Block incoming attempts to Xwindows• iptables –A INPUT –i eth1 -p tcp --syn \
--destination-port 6000-6003 -j REJECT
cs490ns - cotter 30
Example Filter RulesExample Filter Rules#Allow incoming connections to local web server
Iptables –t filter -A block –p tcp --dport 80 --i eth1 \-j ACCEPT
#Insert a rule that allows incoming udp packets to port 12345
iptables –I block 7 –p udp –dport 12345 –j ACCEPT
#Allow DNS requests NOT from outside
iptables -A block –p tcp --dport 53 -m state --state NEW \ -i ! eth1 -j ACCEPT
#Allow (and redirect) incoming web connections to 192.168.5.6
iptables –t nat –A PREROUTING –d eth1 -p tcp \ --dport 80 -j DNAT --to-destination 192.168.5.6
cs490ns - cotter 31
Simple Firewall tableSimple Firewall table
## Insert connection-tracking modules (not needed if built into kernel).
insmod ip_conntrack
insmod ip_conntrack_ftp
## Make chain that blocks new connections, except if coming from LAN.
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A block -j DROP
## Jump to that chain from INPUT and FORWARD chains.
iptables -A INPUT -j block
iptables -A FORWARD -j block
cs490ns - cotter 32
Iptables default config fileIptables default config file/etc/sysconfig/iptables/etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel# Manual customization of this file is not recommended.*filter:INPUT ACCEPT [0:0]:FORWARD ACCEPT [0:0]:OUTPUT ACCEPT [0:0]:RH-Firewall-1-INPUT - [0:0]-A INPUT -j RH-Firewall-1-INPUT-A FORWARD -j RH-Firewall-1-INPUT-A RH-Firewall-1-INPUT -i lo -j ACCEPT-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT-A RH-Firewall-1-INPUT -p 50 -j ACCEPT-A RH-Firewall-1-INPUT -p 51 -j ACCEPT-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibitedCOMMIT
cs490ns - cotter 33
CentOS 5.5 Firewall – part 1
[rcotter@lserver3 ~]$ sudo iptables -LChain INPUT (policy ACCEPT)target prot opt source destination RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)target prot opt source destination RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)target prot opt source destination
cs490ns - cotter 34
CentOS 5.5 Firewall – part 2Chain RH-Firewall-1-INPUT (2 references)target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0 ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0 ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 state NEW tcp dpt:22 ACCEPT tcp -- 134.193.12.34 0.0.0.0/0 state NEW tcp dpt:22 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:137 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:138 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:139 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:445 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:2069 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3128 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3306 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
cs490ns - cotter 35
Filter tableFilter table• Input, forward chains point to custom chain
– RH-Firewall-1-INPUT
• Output chain set to accept all– (allow any outgoing traffic)
• RH-Firewall-1-INPUT chain– Initial 4 rules allow broad classes of packets– Allow multicast DNS– Allow ipp (Internet Printing protocol)– Allow incoming UDP packets to port 12345
• Special server set up for cs423 class
– Allow incoming SSH connections– Reject everything else!
cs490ns - cotter 36
Network Address TranslationNetwork Address Translation
• What?– “Translates” IP addresses and / or ports as
packet passes through firewall– Only first packet of a connection will traverse
the table. All remaining packets are modified the same as the first packet.
• Why?– Private local IP Addresses– Multiple Servers (load sharing)– Transparent Proxying
cs490ns - cotter 37
NAT tableNAT table• Used to map local IP addresses to a set of
routable addresses (NAT)• Used to map local IP addresses to a set of ports
associated with a single routable address (NAPT)
• Used to map local IP addresses to a set of ports associated with a variable routable address (masquerade)– Dial-up connection– Dynamically assigned IP address
• Other
cs490ns - cotter 38
NATNAT
• Two types of NAT– Source NAT (snat) used to translate the
source IP address of a packet (typically outgoing)
– Destination NAT (dnat) used to translate the destination IP address of a packet (typically incoming).
cs490ns - cotter 39
NAT table chainsNAT table chains
• Pre-routing– Used to test / modify the destination
addresses of incoming packets
• Output– Used to change the source (or destination)
address of locally generated packets
• Post-routing– Used to change the source address of
outgoing packets.
cs490ns - cotter 40
NAT table packet flowNAT table packet flow
Routing
InputChain
ForwardChain
OutputChain
Drop
Drop Drop
LocalProcesses
DestinationNAT
Pre-routing
SourceNAT
Post-routing
cs490ns - cotter 41
Simple NAT table rulesSimple NAT table rules
# Masquerade out ppp0 iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Disallow NEW & INVALID incoming or forwarded packets from ppp0. iptables -A INPUT -i ppp0 -m state --state NEW,INVALID -j DROP iptables -A FORWARD -i ppp0 -m state --state NEW,INVALID -j DROP
# Turn on IP forwarding (in RAM)echo 1 > /proc/sys/net/ipv4/ip_forward # Turn on IP forwarding (in file /etc/sysctl.conf)net.ipv4.ip_forward = 1
cs490ns - cotter 42
Mangle tableMangle table
• Used for special routing and packet modification.– Use TOS (type of service) field in IP header.– TTL– Can be used to set and test markers placed
cs490ns - cotter 43
Mangle Table Routing
AS
Internet
cs490ns - cotter 44
Linux Firewall MgmtLinux Firewall Mgmt
• iptables– Make changes to memory image of firewall rules
• iptables-save– Display a copy of the memory image – Can redirect the copy to a file using output redirection– Iptables-save > /etc/sysconfig/iptables
• iptables-restore– Rebuild memory image from keyboard or file (using redirection)
• Security Level and Firewall Applet (Fedora)– Creates an automatic backup file: /etc/sysconfig/iptables
cs490ns - cotter 45
IPTables ConstraintsIPTables Constraints
• Based on IP – only– Don’t run IPX, appletalk, etc. as these protocols are
not filtered
• Packets traversing the filter table will pass through only 1 chain
cs490ns - cotter 46
Port ForwardingPort Forwarding
Internet
LAN
123.234.56.78:80192.168.3.6:80
HTTPD
cs490ns - cotter 47
SOHO Router Port Range SOHO Router Port Range ForwardingForwarding
cs490ns - cotter 48
IPTables Port ForwardingIPTables Port Forwarding• For incoming packets
– iptables -t nat -A PREROUTING -p tcp -d <published-ip> --dport <published-port> -j DNAT --to-destination <private-ip>:<private-port>
• For returned packets– iptables -m conntrack --ctstate DNAT -t nat -A
POSTROUTING -p tcp -d <private-ip> --dport <private-port> -j SNAT --to-source <published-ip>
• For packets originating on firewall– iptables -t nat -A OUTPUT -p tcp -d <published-ip> --
dport <published-port> -j DNAT --to-destination <private-ip>:<private-port>
cs490ns - cotter 49
IPtables rerouting Issues
• Often, when we re-route packets, we only need to change destination (or source) IP address.
• Sometimes (if we are rerouting to a locally connected destination) we need to change both IP address and MAC address.
• IPtables only filters IP traffic. It cannot change IPX, netBEUI, Appletalk, etc.
cs490ns - cotter 50
EBtables
• Ethernet Bridge tables– Intended to support filtering of packets that
IPtables cannot filter – Ethernet protocol, MAC address, ARP, netBEUI, IPX, etc.
– Basically adds non–IP filtering.– 802.1Q VLAN filtering– MAC address NAT– Frame counters
• Linux bridge-nf code– Passes bridged traffic to IPtables
cs490ns - cotter 51
EBtables Structure
• broute table– BROUTING chain– Choose whether to process packet at layer 2
(bridge) or at layer 3 (route)– e.g. route normal IP traffic and bridge IPX traffic
• filter table– FORWARD, INPUT, OUTPUT chains– Route packets based on MAC addresses
• nat table– PREROUTING, OUTPUT, POSTROUTING chains– Change MAC addresses (redirect based on MAC)
cs490ns - cotter 52
Ethernet Bridge Firewall
Internet
LAN
Linux box configured as a
bridge, with firewall installed
cs490ns - cotter 53
Ethernet Bridge Firewall
• Use bridging firewall (ebtables) to set up rules to pass packets through host. – Since processing happens at Data Link Layer,
there is no need to assign an IP address to host interfaces, so machine is invisible to network scanning.
– Offers better protection, and less configuration of the remaining network.
– Can also be configured with an IDS.
cs490ns - cotter 54
Ethernet Bridge Firewall• Create a virtual Ethernet bridge interface
– brctl addbr br0
• Add our interfaces to the bridge– brctl addif br0 eth0– brctl addif br0 eth1
• Remove the IP configuration from interfaces– Ifconfig eth0 down– Ifconfig eth1 down– Ifconfig eth0 0.0.0.0 up– Ifconfig eth1 0.0.0.0 up
• Configure access for the bridge– Local console, OOB network, configure 1 IP
cs490ns - cotter 55
Ethernet Bridge Firewall (2)
Internet
LAN
cs490ns - cotter 56
Example Firewall Application
• Monitor all outgoing Traffic– Most firewalls only monitor incoming traffic by
default
• Identify what traffic is desired and block the rest.– Many applications generate queries to their
servers – Spyware– Hacks
cs490ns - cotter 57
App development process
• Capture all outgoing traffic– Monitor traffic as it enters or leaves the
network – (Ethernet Bridge)– Use iptables to log traffic.
• -A firewall-win1 –j LOG –log-level 4 –log-prefix “Win1” –log-tcp-options –log-ip-options
– Set up syslog to divert level 4 messages to a separate file (see syslog.conf)
• kern.warning /var/log/iptables.log
– Save data daily to separate file• iptables_log_022011
cs490ns - cotter 58
Primary Firewall
Filter Table
# Generated Manually 8/19/10*filter:INPUT ACCEPT [0:0]:FORWARD ACCEPT [8183:1429550]:OUTPUT ACCEPT [14722:762210]-N RH-Firewall-1-INPUT # Create separate chains for each host - 8/19/10-N Firewall-Win2-N Firewall-Win1 -N Firewall-lserver3 #new line 8/26/10 - start monitoring this machine-N firewall-bridge-A OUTPUT -j firewall-bridge-A INPUT -j RH-Firewall-1-INPUT -A FORWARD --src 192.168.1.25 -j Firewall-lserver3-A FORWARD --src 192.168.1.35 -j Firewall-Win2-A FORWARD --src 192.168.1.30 -j Firewall-Win1-A RH-Firewall-1-INPUT -i lo -j ACCEPT -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT -A RH-Firewall-1-INPUT -p esp -j ACCEPT -A RH-Firewall-1-INPUT -p ah -j ACCEPT -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A RH-Firewall-1-INPUT -j DROP
cs490ns - cotter 59
Win1 OutgoingFirewall Chain
-A Firewall-Win1 --dst 192.168.1.0/24 -j ACCEPT-A Firewall-Win1 -p icmp -m icmp --icmp-type any -j ACCEPT -A Firewall-Win1 --dst 134.193.123.45 -j ACCEPT-A Firewall-Win1 --dst 208.67.222.222 -j ACCEPT# Allow queries to Dropbox-A Firewall-Win1 --dst 50.16.0.0/16 -j ACCEPT# Allow queries to Kapersky-A Firewall-Win1 --dst 38.117.98.0/24 -j ACCEPT-A Firewall-Win1 --dst 38.124.168.0/24 -j ACCEPT-A Firewall-Win1 --dst 38.113.165.0/24 -j ACCEPT-A Firewall-Win1 --dst 79.141.216.0/24 -j ACCEPT# Allow queries to Microsoft (update)-A Firewall-Win1 --dst 207.46.206.0/24 -j ACCEPT-A Firewall-Win1 --dst 65.55.200.0/24 -j ACCEPT-A Firewall-Win1 --dst 64.4.30.0/24 -j ACCEPT-A Firewall-Win1 --dst 65.54.221.0/24 -j ACCEPT# Allow queries to dyndns.org-A Firewall-Win1 --dst 91.198.22.0/24 -j ACCEPT-A Firewall-Win1 --dst 204.13.248.0/24 -j ACCEPT-A Firewall-Win1 --dst 208.78.69.0/24 -j ACCEPT# Lots of multicast traffic. Drop it.-A Firewall-Win1 --dst 224.0.0.0/8 -j DROP# Now, log everything else before dropping it-A Firewall-Win1 -m physdev --physdev-in eth1 -j LOG --log-level 4 --log-
prefix "Win1 " --log-tcp-options --log-ip-options#For everything else, reject the traffic.-A Firewall-Win1 -j DROP
cs490ns - cotter 60
Capture Outgoing Traffic
• Data Record – 1 per packet– Feb 19 00:01:03 bridge kernel: Win1 IN=br0
OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.168.1.35 DST=66.94.233.186 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=10570 DF PROTO=TCP SPT=2323 DPT=80 WINDOW=65185 RES=0x00 ACK FIN URGP=0
– Records per day ~ 40k to 80k+
cs490ns - cotter 61
Port Scan Attack DetectorPSAD
• Can be configured to detect various network scans, invalid traffic, attacks, etc.
• Can be used to fingerprint source machines• Can be configured to provide active response
based on type of input, numbers of input packets for a predetermined period.
• Can be used to sort and organize logged data.
cs490ns - cotter 62
Summarize traffic
• psad -m /var/log/iptables/iptables_log_022011 --gnuplot --CSV-fields dst src dp:count --gnuplot-graph points --gnuplot-xrange 0:100 --gnuplot-file-prefix test_022011– test_022011.dat– 1, 172, 2 ### 1=12.29.100.148 172=192.168.1.35– :
– 39, 172, 96 ### 39=66.94.233.186 172=192.168.1.35 – :– 246, 171, 1 ### 246=216.191.247.139 171=192.168.1.30
cs490ns - cotter 63
Sort Traffic by Source
• Use script (bash / awk / py / ?) to sort traffic into separate files by source
• Use DNS to get domain name for sites• Win1_022011.lst
– 12.29.100.148: Output was 0– :– 66.94.233.186: r3.ycpi.vip.mud.yahoo.net.– :– 216.137.43.236: server-216-137-43-
236.dfw3.cloudfront.net.
cs490ns - cotter 64
Analyze traffic
• Are addresses identifyable?
• Is the traffic known / expected?
• Why is traffic there?
cs490ns - cotter 65
ReferencesReferences
• Firewalls and VPNs – Principles and Practices– Richard Tibbs / Edward Oakes – Prentice Hall – 2005
• Linux Firewalls – 2nd ed.– Robert Siegler – New Riders Publishing – 2002
• Guide to Firewalls and Network Security– Greg Holden – Thomson/Course Technology – 2004
• EBtables/IPtables Interaction on a bridge - 2003– ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html
• Red Hat Fedora Linux Secrets– Naba Barkakati – Wiley - 2005
cs490ns - cotter 66
SummarySummary• What is a firewall?• Architectures
– Stand Alone / application / proxy– Personal / host based– Gateway / packet filters– Enterprise / hardware
• Packet Filtering concepts• Packet Forwarding• Roles
– Bastion– DMZ
• EBtables