Internetwork Security: Firewalls and Traffic Control, Lab Reports of Electrical and Electronics Engineering

An overview of internetwork security, focusing on the benefits of using a firewall, the methods of traffic control, and what a firewall protects you from. It also covers common firewall configurations, such as demilitarized zones (DMZ) and NAT, and how to write your own rules with iptables.

Uploaded on 08/05/2009


Firewalls
ECE 4883 - Internetwork Security

Overview
• Background
• General firewall setup
• Iptables introduction
• Iptables commands
• "Limit" function explanation with ICMP and SYN floods
• Zone Alarm

Traffic Control
• Three methods are used to control traffic flowing in and out of the network:
  - Packet filtering
  - Proxy filtering
  - Stateful inspection

Firewall Configuration
• Rules/filters can be defined to look for a number of things, among them:
  - IP addresses
  - Domain names
  - Protocols: IP, TCP, HTTP, FTP, UDP, ICMP, SMTP, SNMP, Telnet
  - Ports
  - Specific words and phrases

What You're Protected From

  Security level | External packets allowed
  ---------------|----------------------------------------------------------
  LOW            | all packets
  MIDDLE         | pre-defined ports (web, ssh) and established connections
  HIGH           | none

Port Forwarding
• Biggest security hole in our firewall
• Opened ports to allow traffic to servers
  - All incoming data on this specific port is allowed in and forwarded to the server
  - Hackers could exploit this open port
  - Hackers could exploit a bug in the software on the server

Demilitarized Zone (DMZ)
• Frontline of protection
• "A network added between a protected network and external network in order to provide an additional layer of security" (SI Security)
• Does not allow external networks to directly reference internal machines
• Acts as a system of checks and balances, so that if any one area goes bad it cannot corrupt the whole

Common Firewall Configurations
• The firewall takes care of passing packets that pass its filtering rules between the internal network and the Internet, and vice versa.
• It may use IP masquerading, but that's all it does.
• Also known as a dual-homed host
• The two "homes" refer to the two networks that the firewall machine is part of:
  - one interface connected to the outside home
  - the other connected to the inside home
  (http://www.firewall.cx/firewall_topologies.php)

Common Firewall Configurations (three-legged firewall)
• You need an additional network adapter in your firewall box for your DMZ.
• The firewall is configured to route packets between the outside world and the DMZ differently than between the outside world and the internal network.
• You can masquerade the machine or machines in the DMZ too, while keeping them functionally separate from protected internal machines.
• The primary disadvantage of the three-legged firewall is the additional complexity. Access to and from the DMZ and to and from the internal network is controlled by one large set of rules, and it's pretty easy to get these rules wrong if you're not careful.
• On the other hand, if you don't have any control over the Internet router, you can exert a lot more control over traffic to and from the DMZ this way. It's good to prevent access into the DMZ if you can.
• And I think that just about completes our discussion of firewall topologies! (http://www.firewall.cx/firewall_topologies.php)

Lab Setup
• Firewall workstations
• One firewall host and two virtual machines

Iptables Introduction
• Iptables is a fourth-generation firewall tool for Linux
• Requires kernel 2.3.15 or above with the netfilter framework
• Iptables inserts and deletes rules from the kernel's packet filtering table
• Replacement for ipfwadm and ipchains

Network Address Translation
• [Diagram: PREROUTING -> Routing Decision -> Local Process -> POSTROUTING]
• The table of NAT rules invoked by 'iptables -t nat' contains the PREROUTING and POSTROUTING chains

NAT and iptables
• [Diagram of the netfilter chains: PREROUTING -> Routing Decision -> INPUT -> Local Process -> OUTPUT -> POSTROUTING, with packets not addressed to the local host taking Routing Decision -> FORWARD -> POSTROUTING]

Masquerading
• Special form of Source NAT
• Dynamically changes the source address to that of the firewall
• Simple one-line rule:
    iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE

More iptables commands
• Specifying jump
  - If a packet matches a specified rule, jump (-j option) to another chain or target:
    iptables -A INPUT -j DROP
• Specifying protocol
  - Used to specify the protocol, tcp, udp, or icmp (case sensitive), with the -p option:
    iptables -A INPUT -p icmp
• Specifying inversion
  - Used to invert a match with the '!' option:
    iptables -A INPUT -p ! tcp

Iptables commands (contd.)
• Specifying interface
  - Specified with '-i' (input) or '-o' (output):
    iptables -A INPUT -i eth0    # check packets coming in on interface eth0
• Specifying source/destination
  - Can be specified in 4 ways: name (www.cnn.com), IP (192.168.1.101), group (162.12.23.22/24), or IP/netmask (192.168.1.105/255.255.255.0). Use '-s' for source and '-d' for destination.
    iptables -A INPUT -s 192.168.1.101/24 -d 192.168.1.105

State matching
• Different connection states are checked to analyze packets (the ip_conntrack module must be loaded).
• The states that are checked are:
  - NEW: a packet that creates a new connection.
  - ESTABLISHED: a packet belonging to an existing connection (reply or outgoing packet).
  - RELATED: a packet that is related to, but not part of, an existing connection (e.g. an ICMP error).
  - INVALID: a packet that could not be identified.

Zone Alarm
• Firewall for the Windows OS.
• Several types of alerts:
  - New program alerts: accept/deny a program's request to access the Internet.
  - Repeat program alerts: grant access permission to a program that has already requested it before.
  - Server program alerts: grant server permission to a program. Caution: some Trojan horses require server access to execute.
  - Changed program alerts: raised if a program has been changed since the last time it accessed the Internet.

What is a zone?
• Zone Alarm classifies the computers and networks that you communicate with into good, bad, and unknown zones.
• 3 types:
  - Internet Zone: the "unknown" zone. All computers and networks belong to this zone until you move them to one of the other zones.
  - Trusted Zone: the "good" zone. Contains all computers you trust.
  - Blocked Zone: the "bad" zone. Contains all computers you distrust (only available in the Zone Alarm Pro and Zone Alarm Plus versions).

What is a zone? (contd.)
• When another computer wants to communicate with your computer, Zone Alarm looks at what zone it belongs to and decides what to do.

Hardware Firewalls
• A hardware firewall usually has 3 interfaces:
  - Inside: trusted area of the internetwork.
  - Outside: untrusted area of the internetwork.
  - DMZ: isolated area of the internetwork with limited access to Outside users.
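Returning to the iptables material above: the options shown on the slides (-A, -j to a target or user chain, -p with '!' inversion, -i, -s/-d with a prefix length, and the conntrack states NEW/ESTABLISHED/RELATED/INVALID) combine into a first-match evaluation down each chain. The following Python model is an added example, not code from the ECE 4883 slides or from iptables itself; it imitates that evaluation for a ruleset constructed to read as the slides' MIDDLE security level (pre-defined ports web and ssh plus established connections). The interface names eth0/eth1, all addresses, and the LAN_IN user chain are assumptions, and the sample packets are constructed.

```python
"""Toy model of iptables filter-chain evaluation. Added example: not from the ECE 4883 slides
or from iptables itself. Interface names, addresses and the LAN_IN chain are assumed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass
class Packet:
    iface: str            # interface the packet arrived on (matched by -i)
    proto: str            # "tcp", "udp" or "icmp" (matched by -p)
    src: str              # source IPv4 address (-s)
    dst: str              # destination IPv4 address (-d)
    dport: Optional[int]  # destination port, None for icmp (--dport)
    state: str            # conntrack state: NEW, ESTABLISHED, RELATED or INVALID


def in_net(addr: str, net: str) -> bool:  # strict=False: 192.168.1.101/24 stands for 192.168.1.0/24
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


@dataclass
class Rule:
    target: str                            # -j ACCEPT / DROP / <user chain>
    iface: Optional[str] = None            # -i eth0
    proto: Optional[str] = None            # -p tcp
    invert_proto: bool = False             # -p ! tcp
    src: Optional[str] = None              # -s 192.168.1.0/24
    dst: Optional[str] = None              # -d 192.168.1.105
    dport: Optional[int] = None            # --dport 22
    states: FrozenSet[str] = frozenset()   # -m state --state NEW,ESTABLISHED

    def matches(self, pkt: Packet) -> bool:
        """Every option present on the rule must match; '!' flips only the protocol test."""
        return ((self.iface is None or pkt.iface == self.iface)
                and (self.proto is None or (pkt.proto == self.proto) != self.invert_proto)
                and (self.src is None or in_net(pkt.src, self.src))
                and (self.dst is None or in_net(pkt.dst, self.dst))
                and (self.dport is None or pkt.dport == self.dport)
                and (not self.states or pkt.state in self.states))


class Firewall:
    """Built-in INPUT chain with a default policy (-P) plus user chains created on first append."""

    def __init__(self, policy: str = "DROP") -> None:
        self.policy = policy
        self.chains: Dict[str, List[Rule]] = {"INPUT": []}

    def append(self, chain: str, rule: Rule) -> None:  # iptables -A <chain> ... -j <target>
        self.chains.setdefault(chain, []).append(rule)

    def evaluate(self, pkt: Packet, chain: str = "INPUT") -> Optional[str]:
        """First matching terminating rule wins; a user chain that ends without a verdict
        returns to the caller, which continues with its next rule."""
        for rule in self.chains.get(chain, []):
            if not rule.matches(pkt):
                continue
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target
            verdict = self.evaluate(pkt, rule.target)  # -j <user chain>
            if verdict is not None:
                return verdict
        return self.policy if chain == "INPUT" else None  # only the built-in chain has a policy


def middle_level_ruleset(lan: str = "192.168.1.0/24", wan_if: str = "eth0") -> Firewall:
    """Constructed reading of the slides' MIDDLE level: established connections plus
    pre-defined ports (web from anywhere, ssh from the LAN only); everything else dropped."""
    fw = Firewall(policy="DROP")                                   # iptables -P INPUT DROP
    fw.append("INPUT", Rule("DROP", states=frozenset({"INVALID"})))
    fw.append("INPUT", Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})))
    fw.append("INPUT", Rule("LAN_IN", src=lan))                    # -s <lan> -j LAN_IN (assumed chain)
    fw.append("LAN_IN", Rule("ACCEPT", proto="tcp", invert_proto=True))  # -p ! tcp: LAN icmp/udp ok
    fw.append("LAN_IN", Rule("ACCEPT", proto="tcp", dport=22))            # ssh from the LAN
    for port in (80, 443):   # -i eth0 -p tcp --dport <port> -m state --state NEW -j ACCEPT
        fw.append("INPUT", Rule("ACCEPT", iface=wan_if, proto="tcp", dport=port,
                                states=frozenset({"NEW"})))
    return fw


# Constructed sample traffic, not captured data; eth1 is the assumed LAN interface.
SAMPLE_PACKETS = {
    "web_from_internet":  Packet("eth0", "tcp", "203.0.113.9", "198.51.100.1", 80, "NEW"),
    "ssh_from_internet":  Packet("eth0", "tcp", "203.0.113.9", "198.51.100.1", 22, "NEW"),
    "ssh_from_lan":       Packet("eth1", "tcp", "192.168.1.101", "192.168.1.1", 22, "NEW"),
    "telnet_from_lan":    Packet("eth1", "tcp", "192.168.1.101", "192.168.1.1", 23, "NEW"),
    "ping_from_lan":      Packet("eth1", "icmp", "192.168.1.101", "192.168.1.1", None, "NEW"),
    "ping_from_internet": Packet("eth0", "icmp", "203.0.113.9", "198.51.100.1", None, "NEW"),
    "reply_to_our_fetch": Packet("eth0", "tcp", "203.0.113.9", "198.51.100.1", 51000, "ESTABLISHED"),
    "unidentified":       Packet("eth0", "tcp", "203.0.113.9", "198.51.100.1", 80, "INVALID"),
}

if __name__ == "__main__":
    fw = middle_level_ruleset()
    for name, pkt in SAMPLE_PACKETS.items():
        print(f"{name:20s} -> {fw.evaluate(pkt)}")
```

Rule order is the point of the model: the INVALID drop and the ESTABLISHED,RELATED accept come first, so return traffic is never re-evaluated against the port rules, and a LAN packet that matches nothing in LAN_IN falls back to the INPUT chain and ends at the DROP policy, which is why telnet from the LAN is refused while ssh is allowed.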
Hardware Firewalls
• [Diagram slide; no text survives.]

Cisco Firewalls - PIX 515E
• Different modes of configuration:
  - Unprivileged Mode
  - Privileged Mode
  - Configuration Mode
  - Monitor Mode
• You can type unique short forms of commands in each mode
  - Example: config t for configure terminal, write t for write terminal

Lab Network - Mini-Net (GTISC Mini-Net, Version 9, January 19, 2004)
• [Network diagram: autonomous systems "TIER 1" AS 64514 (Abilene) and AS 64515 (UUNET), "GOOD ISP" AS 64600 (Bellsouth.net), "BAD ISP" AS 64700 (EarthLink), "ENTERPRISE" AS 64800 (Cisco) and "UNIVERSITY" AS 64900 (Georgia Tech), connected by Cisco routers with an Edge-fwall Cisco PIX-515E, web and DNS servers, per-VLAN address blocks and EBGP/IBGP/OSPF/RIP routing. The figure itself is not recoverable from the text.]