Firewall Technologies
Professor 黃能富
Department of Computer Science, National Tsing Hua University
[email protected]
Contents
 Firewall Introduction
 Firewall Hardware Types
 Firewall Technologies
 Firewall Architecture
 Firewall Deployment
 VPN (Virtual Private Network)
 Firewall Labs: iptables
What is a Firewall ?
 A firewall isolates an organization’s internal network from the larger Internet, allowing some packets to pass and blocking others.
(Figure: the Internet on one side of the firewall, the privately administered network 222.22/16 on the other.)
What is a Firewall ?
 A firewall acts as a security gateway between two networks
 Usually between trusted and untrusted networks (such as between a corporate network and the Internet)
(Figure: corporate site with its corporate network gateway facing the Internet.)
What is a Firewall ?
 A firewall tracks and controls network communications
 Decides whether to pass, reject, encrypt, or log communications (access control)
(Figure: corporate site and Internet, with the firewall set to “Allow traffic to Internet” and “Block traffic from Internet”.)
What is a Firewall?
 A firewall is a security policy enforcement point that regulates access between computer networks
 Filters inherently insecure services
 Controls TCP-based protocols
 http, smtp, ftp, telnet, etc.
 Only one of many different security tools to control and regulate network traffic
Why Firewalls are Needed
 Prevent attacks from untrusted networks
 Protect data integrity of critical information
 Preserve customer and partner confidence
Firewall goals:
 All traffic from outside to inside and vice-versa
passes through the firewall.
 Only authorized traffic, as defined by local
security policy, will be allowed to pass.
 The firewall itself is immune to penetration.
What do Firewalls Protect?
 Data
 Proprietary corporate information
 Financial information
 Sensitive employee or customer data
 Resources
 Computing resources
 Time resources
 Bandwidth resources
 Reputation
 Loss of confidence in an organization
 Intruder uses an organization’s network to attack other sites
Common Internet Threats
 Denial of service attacks
 Specific attacks that can cause a server crash
 Flooding the server with traffic to disrupt or deny service
 Intrusion threats
 Attacks on services/exploits
 The backend server may not be hardened enough for adequate protection, but the firewall can block external attacks
 Information threats
How Vulnerable are Internet Services?
 E-mail or smtp – Simple Mail Transfer Protocol
 TCP/IP based, port 25 (POP 110)
 Risks include
 E-mail bombing (stalking)
– Anonymous harassment
– Large amounts of e-mail to a single user address
 Spamming
– Messages sent to numerous different users from a host
 Virus download mechanism
– Code Red
– Nimda
 Not always traceable
 POP and IMAP can be very insecure
How Vulnerable are Internet Services?
 FTP – File Transfer Protocol
 TCP/IP based, ports 20/21
 Risks include
 Unencrypted authentication and data transfers
– Usernames and passwords can be “sniffed”
 Unencrypted data transfers
– Data can be viewed
 Often part of default installations
 Anonymous ftp is possible
How Vulnerable are Internet Services?
 Telnet
 TCP/IP based, port 23
 Risks include
 Unencrypted authentication
 Unencrypted interactive session
 Session hijacking
 Included in default installations
 Can allow remote root login
How Vulnerable are Internet Services?
 HTTP – Hypertext Transfer Protocol
 TCP/IP based, port 80
 Risks include
 Browsers can be used to run dangerous commands
 Difficult to secure
 Remote execution of commands (server side)
 Non-secure add-on applications
– Java
– Cookies
How Vulnerable are Internet Services?
 HTTPS – Secure Hypertext Transfer Protocol
 TCP/IP based, port 443
 Risks include
 Browsers can be used to run dangerous commands
 Remote execution of commands (server side)
 Becomes a tunnel for any data
 Can be used to subvert firewall/security controls
How Vulnerable are Internet Services?
 DNS
 TCP and UDP based, ports 53 and 1024
 Risks include
 DNS cache poisoning
– Bad data to redirect valid connections to the wrong server
 DNS spoofing
– Bad data to redirect valid connections to the wrong server
 Absolutely needed for network services
How Vulnerable are Internet Services?
 SNMP – Simple Network Management Protocol
 UDP based
 Risks include
 Unencrypted data transfers
 Poor authentication through “community relationships”
 Transfer of highly sensitive data
 Does use access lists
How Vulnerable are Internet Services?
 NFS – Network File System
 NFS is a shared file structure
 Based on a trust model of network machines
 Certain machines can access shared file systems
 Risks include
 No “user” authentication
 IP spoofing to gain access
 Most secure NFS is still very insecure
Firewall Hardware Types
 Three basic hardware types
 Appliance based systems
 Purpose built
 Simple
 Highly integrated
 3rd party servers
 General use systems
 Additional support channel
 Greater flexibility
 Hybrid servers
 Purpose built for a limited product line
 Often closely integrated with software offerings
 May have separate support channel
 Most have highly integrated components
Firewall Hardware Types
 Appliance based system problems
 OS and kernel hardening and security may be done by vendor only
 Tightly coupled software and hardware may have insecure code unknown to user
 Hard to inspect or verify
 All security controls are determined through a single vendor
 Appliances are used to simplify implementation and support efforts, causing some loss of administrative control
Firewall Hardware Types
 3rd party server problems
 OS and kernel hardening and security must be done by implementation staff
 Expertise
 Procedures
 OS software may have many known vulnerabilities/security holes
 Each must be plugged
 All security controls are determined through corporate policy
 3rd party systems require a larger degree of administration and procedure
Firewall Hardware Types
 Hybrid servers
 OS and Kernel hardening is started by vendor and
completed by end user security staff—can help to make
it more robust
 Packaged software and hardware are generally
reviewed for security
 All security controls are determined through a more
partnered structure
 Hybrid servers are also used to simplify implementation
and support efforts without giving away administrative
control
Firewall Technologies
 Traditional packet filters
 Filters often combined with router, creating a firewall
 Widely available in routers, Linux
 Application gateways
 Often implemented with SOCKS today
 Stateful inspection filters
 Maintains connection state
Evolution of Firewalls
(Figure: stages of evolution, from packet filter, to application proxy, to stateful inspection.)
Traditional packet filters
Analyzes each datagram going through it; makes drop decision based on:
 source IP address
 destination IP address
 source port
 destination port
 TCP or UDP or ICMP
 firewalls often configured to block all UDP
 direction
 is the datagram leaving or entering the internal network?
 TCP flag bits
 SYN bit set: datagram for connection initiation
 ACK bit set: part of established connection
 router interface
 decisions can be different for different interfaces
Packet Filter
 Packets examined at the network layer
 Useful “first line” of defense - commonly deployed
on routers
 Simple accept or reject decision model
 No awareness of higher protocol layers
(Figure: OSI layer stacks of the two end hosts and the packet filter; the filter inspects only the network layer.)
Packet Filtering Firewalls
 Packet filtering is one of the oldest, and one of the most
common types of firewall technologies.
 Packet filters inspect each packet of information
individually, examining the source and destination IP
addresses and ports.
 This information is compared to access control rules to
decide whether the given packet should be allowed
through the firewall.
 Packet filters consider only the most basic attributes of
each packet, and they don't need to remember anything
about the traffic since each packet is examined in isolation.
 For this reason they can decide packet flow very quickly.
Packet Filtering Firewalls
 Because every packet of every connection is checked
against the access control rules, larger, complex rule
bases decrease performance.
 And because packet filters can only check low-level
attributes, they are not secure against malicious code
hiding in the other layers.
 Packet filters are often used as a first defense in
combination with other firewall technologies, and their
most common implementation today is seen in the access
control lists of routers at the perimeters of networks.
 For simple protocols or one-sided connections, like ICMP
or SNMP traps, it is still useful to use packet filtering
technology.
Packet Filtering Rules - Examples
Policy | Firewall setting
No outside Web access. | Drop all outgoing packets to any IP address, port 80
External connections to public Web server only. | Drop all incoming TCP SYN packets to any IP except 222.22.44.203, port 80
Prevent IPTV from eating up the available bandwidth. | Drop all incoming UDP packets, except DNS and router broadcasts.
Prevent your network from being used for a Smurf DoS attack. | Drop all ICMP packets going to a “broadcast” address (e.g. 222.22.255.255).
Prevent your network from being tracerouted. | Drop all outgoing ICMP
Access control lists
Apply rules from top to bottom:

action | source address       | dest address         | protocol | source port | dest port | flag bit
allow  | 222.22/16            | outside of 222.22/16 | TCP      | > 1023      | 80        | any
allow  | outside of 222.22/16 | 222.22/16            | TCP      | 80          | > 1023    | ACK
allow  | 222.22/16            | outside of 222.22/16 | UDP      | > 1023      | 53        | ---
allow  | outside of 222.22/16 | 222.22/16            | UDP      | 53          | > 1023    | ----
deny   | all                  | all                  | all      | all         | all       | all
Access control lists
 Each router/firewall interface can have its own
ACL
 Most firewall vendors provide both command-line and graphical configuration interfaces
Network Address Translation (NAT)
 Converts a network’s illegal IP addresses to legal or public IP addresses
 Hides the true addresses of individual hosts, protecting them from attack
 Allows more devices to be connected to the network
(Figure: corporate LAN with internal IP addresses 192.172.1.1-192.172.1.254 behind the NAT device, whose public IP address 219.22.165.1 faces the Internet.)
Traditional packet filters
 Advantages
 One screening router can protect entire network
 Can be efficient if filtering rules are kept simple
 Widely available. Almost any router, even Linux boxes
 Disadvantages
 Can possibly be penetrated
 Cannot enforce some policies. For example, permit certain users.
 Rules can get complicated and difficult to test
Application Level Firewalls
 These firewalls, also known as application proxies,
provide the most secure type of data connection
because they can examine every layer of the
communication, including the application data.
 To achieve this security, proxies, as their name suggests, actually mediate connections.
 The connection from a client to a server is intercepted by the proxy.
Application Gateway or Proxy
 Packets examined at the application layer
 Application/Content filtering possible - prevent
FTP “put” commands, for example
 Modest performance
 Scalability limited
(Figure: OSI layer stacks of the two end hosts and the application gateway; the gateway examines every layer up to the application layer.)
Application Level Firewalls
 If the proxy determines that the connection is allowed, it opens a second connection to the server from itself, on behalf of the original host.
 The data portion of each packet must be stripped off, examined, rebuilt, and sent again on the second connection.
 This thorough examination and handling of packets means that proxy firewalls are very secure and generally slow.
 Proxies are also limited as firewalls, because they must understand the application layer.
 As new protocols are developed, new proxies must be written and implemented to handle them.
Application Level Firewalls
 Web proxy servers
 Application proxy servers
 A mail server is an example of an application gateway
 Can’t deposit mail in recipient’s mail server without passing through sender’s mail server
 Second generation firewall technology
 Makes connections on behalf of the client
 Not flexible
Application gateways (proxy gateways)
 Gateway sits between user on inside and server on
outside. Instead of talking directly, user and server
talk through proxy.
 Allows more fine grained and sophisticated control
than packet filtering. For example, ftp server may
not allow files greater than a set size.
(Figure: host-to-gateway ftp session on the inside, gateway-to-remote-host ftp session on the outside, with the application gateway in between.)
Application gateways + packet filter
 Filters packets on
application data as well as
on IP/TCP/UDP fields.
 Example: allow select
internal users (IP
addresses) to ftp outside.
(Figure: host-to-gateway ftp session, application gateway, router and filter, gateway-to-remote-host ftp session.)
1. Require all ftp users to ftp through gateway.
2. For authorized users, gateway sets up ftp connection to dest host. Gateway relays data between 2 connections.
3. Router filter blocks all ftp connections not originating from gateway.
Chaining Proxies
(Figure: two proxies in series, proxy 1 followed by proxy 2.)
SOCKS Proxy protocol
 Generic proxy protocol
 Don’t have to redo all of the code when
proxifying an application.
 Can be used by HTTP, FTP, telnet, SSL,…
 Independent of application layer protocol
 Includes authentication, restricting which
users/apps/IP addresses can pass through firewall.
SOCKS proxy protocol
1. For example, let’s assume that the browser requests a page.
2. The SOCKS library is a collection of procedures. It translates requests into a specific format and sends them to the SOCKS daemon.
3. The SOCKS daemon runs on the firewall host. The daemon authenticates the user and forwards all data to the server.
4. The server receives the requests as ordinary HTTP. It does not need a SOCKS library.
(Figure: client (Firefox/IE) with HTTP over the SOCKS library over TCP; firewall with application/HTTP, SOCKS daemon and TCP; server (Apache/IIS) with HTTP over TCP.)
Proxy gateways
 Advantages
 Proxy can log all connections, activity in connections
 Proxy can provide caching
 Proxy can do intelligent filtering based on content
 Proxy can perform user-level authentication
 Disadvantages
 Not all services have proxied versions
 May need different proxy server for each service
 Requires modification of client
 Performance
Stateful Filters
 Stateful filter: Adds more intelligence to the
filter decision-making process
 Stateful = remember past packets
 Memory implemented in a very dynamic state
table
Stateful Inspection
 Packets inspected between data link layer and network layer in the OS kernel
 State tables are created to maintain connection context
 Invented by CheckPoint
(Figure: OSI layer stacks; the INSPECT engine sits between the data link and network layers and consults dynamic state tables.)
Stateful Inspection ©
 Stateful inspection architecture utilizes a unique,
patented INSPECT Engine which enforces the security
policy on the gateway on which it resides.
 The INSPECT Engine looks at all communication layers
and extracts only the relevant data, enabling highly
efficient operation, support for a large number of
protocols and applications, and easy extensibility to new
applications and services.
 The INSPECT Engine is programmable using CheckPoint's
powerful INSPECT Language.
Stateful Inspection ©
 This provides important system extensibility, allowing CheckPoint, as well as its technology partners and end users, to incorporate new applications, services, and protocols, without requiring new software to be loaded.
 For most new applications, including most custom applications developed by end users, the communication-related behavior of the new application can be incorporated simply by modifying one of FireWall-1’s built-in script templates via the graphical user interface.
 Even the most complex applications can be added quickly and easily via the INSPECT Language.
Stateful filters: example
• Log each TCP connection initiated through firewall: SYN segment
• Timeout entries which see no activity for, say, 60 seconds

source address | dest address  | source port | dest port
222.22.1.7     | 37.96.87.123  | 12699       | 80
222.22.93.2    | 199.1.205.23  | 37654       | 80
222.22.65.143  | 203.77.240.43 | 48712       | 80

If rule table indicates that stateful table must be checked: check to see if there is already a connection in stateful table
Stateful filters can also remember outgoing UDP segments
Stateful example
1) Packet arrives from outside: SA=37.96.87.123, SP=80, DA=222.22.1.7, DP=12699, SYN=0, ACK=1
2) Check filter table ➜ check stateful table

action | source address       | dest address         | proto | source port | dest port | flag bit | check connection
allow  | 222.22/16            | outside of 222.22/16 | TCP   | > 1023      | 80        | any      |
allow  | outside of 222.22/16 | 222.22/16            | TCP   | 80          | > 1023    | ACK      | x
allow  | 222.22/16            | outside of 222.22/16 | UDP   | > 1023      | 53        | ---      |
allow  | outside of 222.22/16 | 222.22/16            | UDP   | 53          | > 1023    | ----     | x
deny   | all                  | all                  | all   | all         | all       | all      |

3) Connection is listed in connection table ➜ let packet through
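The stateless ACL table and the stateful example above, written out as iptables rules, as an added example for this page (it is not from the slides and not the course's own code). The topology is assumed: the internal network 222.22.0.0/16 is on eth1 and the Internet on eth0, so all five rows become FORWARD-chain rules. The `run` wrapper only prints the commands when IPT_DRY_RUN is set, which lets the ruleset be reviewed without root or without iptables installed. The stateful variant replaces the ACK-bit check of rows 2 and 4 with the kernel's connection-tracking table, logs the SYN that creates each entry, and sets the 60-second idle timeout the slide suggests (through a sysctl that is assumed to be present in the kernel).

```shell
#!/bin/sh
# Added example (not from the lecture slides): the five-row ACL and its
# stateful counterpart as iptables FORWARD rules on a Linux network firewall.
# Assumed topology: internal network 222.22.0.0/16 on eth1, Internet on eth0.
INTERNAL=222.22.0.0/16
INSIDE_IF=eth1
OUTSIDE_IF=eth0

# Execute a command, or only print it when IPT_DRY_RUN is set, so the ruleset
# can be reviewed on a host without iptables or without root.
run() {
    if [ -n "$IPT_DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# Stateless version: the ACL rows in order. Rows 2 and 4 admit return traffic
# purely by port numbers and the ACK bit, which any outside sender can set.
stateless_rules() {
    run iptables -F FORWARD
    run iptables -A FORWARD -i "$INSIDE_IF" -o "$OUTSIDE_IF" -p tcp -s "$INTERNAL" --sport 1024:65535 --dport 80 -j ACCEPT
    run iptables -A FORWARD -i "$OUTSIDE_IF" -o "$INSIDE_IF" -p tcp -d "$INTERNAL" --sport 80 --dport 1024:65535 --tcp-flags ACK ACK -j ACCEPT
    run iptables -A FORWARD -i "$INSIDE_IF" -o "$OUTSIDE_IF" -p udp -s "$INTERNAL" --sport 1024:65535 --dport 53 -j ACCEPT
    run iptables -A FORWARD -i "$OUTSIDE_IF" -o "$INSIDE_IF" -p udp -d "$INTERNAL" --sport 53 --dport 1024:65535 -j ACCEPT
    run iptables -A FORWARD -j DROP
}

# Stateful version: the "check connection" rows become a lookup in the kernel's
# connection-tracking table, so an inbound ACK (or a DNS reply) is accepted only
# if an inside host really opened that flow. Each SYN that creates an entry is
# logged (LOG does not terminate rule processing, so ACCEPT follows), and idle
# entries expire after 60 seconds, as the slide suggests.
stateful_rules() {
    run iptables -F FORWARD
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$INSIDE_IF" -o "$OUTSIDE_IF" -p tcp -s "$INTERNAL" --dport 80 --syn -m conntrack --ctstate NEW -j LOG --log-prefix "FW-NEW-HTTP: "
    run iptables -A FORWARD -i "$INSIDE_IF" -o "$OUTSIDE_IF" -p tcp -s "$INTERNAL" --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -i "$INSIDE_IF" -o "$OUTSIDE_IF" -p udp -s "$INTERNAL" --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -j DROP
    # Idle timeout of established TCP entries in the state table (assumed
    # sysctl name; the kernel default is five days, 60 s mirrors the slide).
    run sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=60
}

# Usage: IPT_DRY_RUN=1 sh acl.sh stateless    or, as root:  sh acl.sh stateful
case "${1:-}" in
    stateless) stateless_rules ;;
    stateful)  stateful_rules ;;
esac
```

The difference to look for in the dry-run output is the second rule of each set: the stateless one trusts `--tcp-flags ACK ACK` on anything arriving from port 80, while the stateful one accepts inbound packets only when `--ctstate ESTABLISHED,RELATED` finds the flow in the table that an inside host's SYN created.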
Network Firewall Architectures
 Screening Router
 Simple Firewall
 Multi-Legged firewall
 Firewall Sandwich
 Layered Security Architecture
Screening Router
 Access Lists provide security
 Routers are not application aware
 Only inspects network level information
 Layer 3 of the OSI model
 Does not provide a great deal of security
 Very fast
 Not commonly used alone for security
Screening Router
(Figure: Internet/untrusted network; screening router that routes or blocks packets as determined by security policy; internal trusted network with server, mainframe, database and desktop.)
Simple Firewall
 Small Companies with limited security needs
 Only utilizes two interfaces
 Trusted
 Untrusted
 Provides modest security
 Does not offer a DMZ sandbox
 Inherently allows some level of connections between trusted and untrusted networks
Simple Firewall
(Figure: Internet/untrusted network; screening router that routes or blocks packets as determined by security policy; firewall that then handles traffic additionally to maintain more security; internal trusted network with server (web, smtp), mainframe, database and desktop.)
Multi-Legged Firewall
 Small to large sized business
 Security need is expanded
 Provides stronger security
 Creates a secure sandbox for semi-trusted services
 Flexible and secure
Multi-Legged Firewall
(Figure: Internet/untrusted network; screening router that routes or blocks packets as determined by security policy; firewall that then handles traffic additionally to maintain more security; DMZ semi-trusted network with Web server and SMTP server, offering a secure sandbox to handle untrusted connections to Internet services; internal trusted network with server, mainframe, database server and desktop.)
Demilitarized Zone (DMZ)
(Figure: Internet, firewall and application gateway in front of the internal network; the demilitarized zone holds the Web, FTP and DNS servers.)
Firewall Sandwich
 Medium to large businesses
 Higher costs
 More serious need for security
 Provides a physical separation of networks
 Provides policy segregation between inside and
outside firewalls
 Reduces administrative holes
Firewall Sandwich
(Figure: Internet/untrusted network; screening router that routes or blocks packets as determined by security policy; outside firewall that then handles traffic additionally to maintain more security; DMZ semi-trusted network with Web server and SMTP server, offering a secure network to handle untrusted connections to Internet services; inside firewall, giving separation of security policy controls between inside and outside firewalls; internal trusted network with app server, mainframe, database and desktop.)
Layered Firewall Approach
 Large enterprises with low risk tolerance
 Separates internal environments
 Reduces computer crimes
 Most attacks are internally based
 Deters malicious activities
 Controls overhead administrative traffic
 Allows IDS to work more effectively
Layered Firewall
(Figure: Internet/untrusted network; screening router routes or blocks packets as determined by security policy; the inside firewall then handles traffic additionally to maintain more security; the DMZ semi-trusted network offers a secure network to handle untrusted connections to Internet services; a further inside firewall gives separation of security policy controls between networks within your trusted network as well as your semi-trusted and untrusted networks; internal firewalls separate the user network, mainframe network, HR network and development network. “Fences keep honest people honest!”)
Defense in depth
 Security has no single right answer
 Use every tool available to bolster security
 Layered security is always the best approach
 Strong security controls coupled with audit,
administrative reviews, and an effective security
response plan will provide a strong holistic
defense
Firewall Deployment
 Corporate Network Gateway
 Protect internal network from attack
 Most common deployment point
(Figure: corporate site with a Human Resources network behind the corporate network gateway; the demilitarized zone (DMZ) holds the public servers; the Internet outside.)
Firewall Deployment
 Internal Segment Gateway
 Protect sensitive segments (Finance, HR, Product Development)
 Provide second layer of defense
 Ensure protection against internal attacks and misuse
(Figure: corporate site; the internal segment gateway sits in front of the Human Resources network; the demilitarized zone holds the publicly accessible servers; the Internet outside.)
Firewall Deployment
 Server-Based Firewall
 Protect individual application servers
 File protection
(Figure: corporate site with a Human Resources network, a server-based firewall in front of the SAP server, the DMZ with public servers, and the Internet.)
Firewall Deployment
 Hardware appliance based firewall
 Single platform, software pre-installed
 Can be used to support small organizations or branch offices with little IT support
 Software based firewall
 Flexible platform deployment options
 Can scale as organization grows
What is a VPN?
 A VPN (Virtual Private Network) is a private connection over an open network
 A VPN includes authentication and encryption to protect data integrity and confidentiality
(Figure: A Corp site 1 and A Corp site 2 joined by VPN across the Internet, with Acme Corp also reached by VPN.)
Why Use Virtual Private Networks?
 More flexibility
 Leverage ISP point of presence
 Use multiple connection types (cable, DSL, T1, T3)
 Most attacks originate within an organization
Why Use Virtual Private Networks?
 More scalability
 Add new sites, users quickly
 Scale bandwidth to demand
Why Use Virtual Private Networks?
 Lower costs
 Reduced frame relay/leased line costs
 Reduced long distance
 Reduced equipment costs (modem banks, CSU/DSUs)
 Reduced technical support
Types of VPNs
 Remote Access VPN
 Provides access to internal corporate network over the Internet
 Reduces long distance, modem bank, and technical support costs
 PAP (Password Authentication Protocol)
 CHAP (Challenge-Handshake Authentication Protocol)
 RADIUS (Remote Authentication Dial In User Service)
(Figure: remote user reaching the corporate site over the Internet.)
Types of VPNs
 Site-to-Site VPN
 Connects multiple offices over Internet
 Reduces dependencies on frame relay and leased lines
(Figure: corporate site and branch office connected over the Internet.)
Types of VPNs
 Extranet VPN
 Provides business partners access to critical information (leads, sales tools, etc)
 Reduces transaction and operational costs
(Figure: corporate site reached over the Internet by Partner #1 and Partner #2.)
Types of VPNs
 Client/Server VPN
 Protects sensitive internal communications
(Figure: database server and LAN clients with sensitive data on the same LAN, with the Internet beyond.)
Components of a VPN
 Encryption
 Key management
 Message authentication
 Entity authentication
Encryption
(Figure: traffic from Joe’s PC to the HR server is encrypted; all other traffic, such as Mary’s PC to the e-mail server, is cleartext.)
 Current standards: DES and Triple-DES
 Over 20 years in the field
 AES beginning deployment
 New standard
 More computationally efficient
 Longer keys = more secure
Key Management
 Public key cryptosystems enable secure exchange of private crypto keys across open networks
 Re-keying at appropriate intervals
 IKE = Internet Key Exchange protocols
 Incorporates ISAKMP (Internet Security Association and Key Management Protocol)
Authentication
 IPsec standards focus on authentication of
two network devices to each other
 IP address/preshared key
 Digital certificates
 User authentication is added on top if
required
 RADIUS and TACACS+ (Terminal Access Controller
Access-Control System Plus) are the standard
protocols for authentication servers
 XAUTH is being added to the standards to
address user authentication
Point-to-Point Tunneling Protocol (PPTP)
 Layer 2 remote access VPN technology
 PPTP uses a control channel over TCP and a GRE tunnel to encapsulate PPP packets
 RFC 2637
 Authentication and encryption
 Limited user management and scalability
 Known security vulnerabilities
(Figure: remote PPTP client, ISP remote access switch, Internet, PPTP RAS server in the corporate network.)
Layer 2 Tunneling Protocol (L2TP)
 Layer 2 remote access VPN protocol
 Combines and extends PPTP and L2F (Cisco supported protocol)
 Weak authentication and encryption
 Does not include packet authentication, data integrity, or key management
 Must be combined with IPSec for enterprise-level security
(Figure: remote L2TP client, ISP L2TP concentrator, Internet, L2TP server in the corporate network.)
Internet Protocol Security (IPSec)
 Layer 3 protocol for remote access, intranet, and
extranet VPNs
 Internet standard for VPNs
 Provides flexible encryption and message
authentication/integrity
 Includes key management
Components of an IPSec VPN
 Encryption:  DES, 3DES, and more
 Message Authentication:  HMAC-MD5, HMAC-SHA-1, or others
 Entity Authentication:  Digital Certificates, Shared Secrets, Hybrid Mode IKE
 Key Management:  Internet Key Exchange (IKE), Public Key Infrastructure (PKI)
All managed by security associations (SAs)
Encryption Explained
 Used to convert data to a secret code for transmission over an untrusted network
(Figure: clear text “The cow jumped over the moon” passes through the encryption algorithm and becomes encrypted text “4hsd4e3mjvd3sda1d38esdf2w4d”.)
Symmetric Encryption
 Same key used to encrypt and decrypt message
 Faster than asymmetric encryption
 Examples: DES, 3DES, RC5, Rijndael
(Figure: sender and receiver using the same shared secret key.)
Asymmetric Encryption
 Different keys used to encrypt and decrypt
message (One public, one private)
 Examples include RSA, DSA, SHA-1, MD-5
(Figure: Bob encrypts with Alice’s public key; Alice decrypts with her private key.)
Firewall Lab: iptables
 Converts linux box into a packet filter.
 Included in most linux distributions today.
(Figure: a Linux host with iptables between another Linux host and the external network; your job: configure it.)
Firewall lab: iptables
 iptables
 Provides firewall capability to a linux host
 Comes installed with most linux distributions
 Three types of tables: FILTER, NAT, MANGLE
 Let’s only consider FILTER table for now
Network or host firewall?
Network firewall: linux host with 2 interfaces:
(Figure: Linux host with iptables and its filter table between the protected network and the external network.)
Host firewall: linux host with 1 interface:
(Figure: Linux host with iptables and its filter table attached to a single network.)
Chain types for host firewall
(Figure: for a host firewall, the INPUT chain applies to packets arriving from the network at the Linux host, and the OUTPUT chain to packets leaving the host for the network.)
INPUT, OUTPUT, FORWARD CHAINS for network firewall
 INPUT chain applies for all packets destined to
firewall
 OUTPUT chain applies for all packets originating
from firewall
 FORWARD chain applies for all packets passing
through firewall.
Chain types for network firewall
(Figure: for a network firewall, the INPUT chain applies to packets from either network destined to the Linux host, the OUTPUT chain to packets the host itself originates, and the FORWARD chain to packets passing between the protected network and the external network.)
iptables: Example command
iptables -A INPUT -i eth0 -s 232.16.4.0/24 -j ACCEPT
 Sets a rule
 Accepts packets that enter from interface eth0 and have source address in 232.16.4/24
 Kernel applies the rules in order.
 The first rule that matches the packet determines the action for that packet
 Append: -A
 Adds rule to bottom of list of existing rules
iptables: Example command
iptables -A INPUT -i eth0 -j DROP
 Sets a rule
 Drops all packets that enter from interface eth0 (except for those accepted by previous rules)
 iptables has no DENY target: DROP discards the packet silently, REJECT discards it and sends an error back to the sender
iptables: More examples
iptables -L
 list current rules
iptables -F
 flush all rules
iptables -D INPUT 2
 deletes 2nd rule in INPUT chain
iptables -I INPUT 1 -p tcp --syn -s 232.16.4.0/24 --dport 22 -j ACCEPT
 -I INPUT 1: insert INPUT rule at top
 --syn: match only TCP SYN segments (connection initiation); --dport 22: destination port 22
 Accept TCP SYNs from 232.16.4.0/24 to firewall port 22 (ssh)
iptables Options
-p protocol type (tcp, udp, icmp)
-s source IP address or network (ports are matched with --sport)
-d dest IP address or network (ports are matched with --dport)
-i interface name (lo, ppp0, eth0)
-j target (ACCEPT, DROP, REJECT)
-j LOG log this packet (LOG is a target, not an option; processing continues with the next rule)
--sport source port
--dport dest port
--icmp-type ICMP message type (e.g. echo-request)
iptable Table types
 FILTER:
 What we have been talking about!
 3 chain types: INPUT, OUTPUT, and FORWARD
 NAT:
 Hide internal network hosts from outside world. Outside world only sees the gateway’s external IP address, and no other internal IP addresses
 PREROUTING, POSTROUTING, and others
 MANGLE
 Don’t worry about it.
Tables, Chains & Rules
 Three types of tables: FILTER, NAT, MANGLE
 A table consists of chains.
 For example, a filter table can have an INPUT
chain, OUTPUT chain, and a FORWARD chain.
 A chain consists of a set of rules.
Firewall Lab
(Figure: m1 and m3 on the internal network, m2 between that network and the external network.)
Configure m2 with iptables.
Firewall Lab: Part A
 Configure NAT in m2 using NAT table with
POSTROUTING chain:
 MASQUERADE packets so that internal IP
addresses are hidden from external network
 From m1 and m3, only allow ssh to external
network
 This NAT configuration will remain in force
throughout the lab
Firewall Lab: Part B
Rules for packets originating from or terminating at
m2 (the gateway):
 Allow ssh connections originating from m2 and
destined to m2.
 Allow pings originating from m2 and destined to
m2.
 Block all other traffic to or from m2.
 Hint: Part B requires INPUT and OUTPUT chains
but no FORWARD chain
Firewall Lab: Part C
 Flush filter table rules from Part B.
 Allow only m1 (and not m3) to initiate an ssh
session to hosts in the external network
 Reject all other traffic
 Hint: Part C requires FORWARD, INPUT and
OUTPUT chains
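Parts A, B and C of the lab, worked through as one added example (a possible solution written for this page, not the course's answer key). The whole topology is assumed: m2 reaches the external network on eth0 and the internal network 10.0.0.0/24 on eth1, with m1 at 10.0.0.11 and m3 at 10.0.0.13 (constructed addresses). The `run` wrapper prints instead of executing when IPT_DRY_RUN is set, and reply traffic is matched with the conntrack module so that each part needs exactly the chains the hints name.

```shell
#!/bin/sh
# Added example (not part of the lecture or the lab handout): one possible
# iptables configuration for m2 covering lab Parts A, B and C.
# Assumed (constructed) topology: m2 reaches the external network on eth0 and
# the internal network 10.0.0.0/24 on eth1; m1 is 10.0.0.11, m3 is 10.0.0.13.
EXT_IF=eth0
INT_IF=eth1
INT_NET=10.0.0.0/24
M1=10.0.0.11

# Execute a command, or only print it when IPT_DRY_RUN is set, so the ruleset
# can be reviewed on a machine without iptables or without root.
run() {
    if [ -n "$IPT_DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# Part A: NAT in the POSTROUTING chain. Only ssh (TCP/22) from the internal
# network is masqueraded behind m2's external address, so m1 and m3 can reach
# the outside for ssh alone. This NAT table stays in force for Parts B and C.
part_a() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -F POSTROUTING
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -p tcp --dport 22 -j MASQUERADE
}

# Part B: traffic that starts or ends at m2 itself (INPUT and OUTPUT only).
# Replies are admitted by connection state; only ssh and ping may open a flow;
# the DROP policies block everything else to or from m2.
part_b() {
    run iptables -F INPUT
    run iptables -F OUTPUT
    run iptables -P INPUT DROP
    run iptables -P OUTPUT DROP
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT      # ssh to m2
    run iptables -A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT     # ssh from m2
    run iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT                  # ping to m2
    run iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT                 # ping from m2
}

# Part C: flush the filter table, then let only m1 (not m3) open ssh sessions
# to the external network. All three chains default to DROP, so m3's traffic,
# non-ssh traffic from m1, and traffic to or from m2 itself are all dropped.
part_c() {
    run iptables -F
    run iptables -P INPUT DROP
    run iptables -P OUTPUT DROP
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$M1" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
}

# Usage: IPT_DRY_RUN=1 sh lab.sh a|b|c  to review;  sh lab.sh a|b|c  as root to apply
case "${1:-}" in
    a) part_a ;;
    b) part_b ;;
    c) part_c ;;
esac
```

Part C inherits the Part A masquerade rule, so m1's ssh sessions leave with m2's external address while m3's SYNs never match the FORWARD rule and fall to the DROP policy; the `ESTABLISHED,RELATED` rule is what lets the ssh server's replies back in without a separate ACK-based rule.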