Automated Firewalls with Mason William Stearns SANS Instructor, proctor, and network administrator...

Post on 14-Dec-2015


Automated Firewalls with Mason

William Stearns

SANS Instructor, proctor, and network administrator

wstearns@pobox.com

http://www.stearns.org/mason/

Getting underway

Room monitors

Evaluation forms

Questions at any point

Goals

Basics of Linux firewalling

Learning process

Live demo

Firewalls

One small piece of your network security

Only affects traffic going in, out, or through your firewall

Can be circumvented

TCP/IP tunneling in ssh, email, DNS, http

Using allowed ports for blocked traffic types

Additional exit points from network

Firewall system needs to be locked down tightly!

Firewall types

Packet filtering

Stateful

Stateless

Proxy

Better yet, both!

Firewall types, proxies.

Choice of firewall platform

Stability

Network card support

Security and Updates

Network performance

Ability to audit and strip down

Cost

Ease of setup

Linux Packet Filtering

Separation of Jobs

Kernel

Command line tools

Linux Packet Filtering types

Ipfw (Linux 1.2 kernels)

Ipfwadm (Linux 2.0 kernels)

Ipchains (Linux 2.2 kernels)

Iptables (Linux 2.4 kernels)

ipfw

First Linux packet filtering support

Linux 1.2 kernels

Stateless

Very limited

Only filtered on one port

Never integrated into distributions

Not supported by Mason

Ported from one of the BSD's by Alan Cox

ipfwadm

Linux 2.0 kernels

Stateless

Filters on source and destination addresses and ports

Only TCP, UDP, and ICMP

Masquerading (many-to-one NAT)

Jos Vos

ipchains

Linux 2.2 kernels

Stateless

Support for ICMP subtypes, protocols other than TCP, UDP and ICMP, and inverse options.

Rusty Russell

iptables

Linux 2.4, 2.5, and upcoming 2.6 kernels

Stateful

IPv6 support

Backwards compatibility modules for ipfwadm and ipchains

Extensible tests and actions

Fully modular design

Setting up firewalls

Triple threat; limited background in:

Security policies

TCP/IP (normal and attack patterns)

Connecting the two with packet filtering and other security tools.

Risk in getting it wrong.

Default allow - easy to get going

Default deny - orders of magnitude harder

Approaches for creating firewalls

Prewritten list of rules

Menu interface with small set of choices

Menu interface with extensive options

Automatic construction of rules based on current network setup.

Letting the firewall build itself

Prewritten list of rules

+ Good if your network matches the assumptions

- May need a lot of editing if not

- They tend to be too permissive

Menu interface with small set of choices

+ Good for simple networks

- Poor for complex networks or non-standard networks

- Poor for non-standard protocols

Menu interface with extensive options

+ Flexible, good for complex networks

- Requires a lot of expertise from the administrator

Letting the firewall build itself

+ Flexible

+ Doesn't require in-depth knowledge of firewall construction

+ Handles simple and complex networks

- May take some time to cover all traffic types.

The world's most efficient and literal bouncer

New bouncer

Needs to be taught who can go in or out of the bar

Told to note individual's age, whether they're part of the owner's family, which direction they want to go and whether they're carrying firearms, and then ask bar owner.

Initial bouncer rules

=> Write down characteristics, ask owner

=> block (default policy)

Bouncer rules, part II

Carrying firearms => block and call police

=> Write down characteristics, ask owner

=> block (default policy)

Bouncer rules, part III

Carrying firearms => block and call police

Leaving bar => allow to pass

=> Write down characteristics, ask owner

=> block (default policy)

Bouncer rules, part IV

Carrying firearms => block and call police

Leaving bar => allow to pass

Entering bar, over 21 => allow to pass

=> Write down characteristics, ask owner

=> block (default policy)

Bouncer rules, part V

Carrying firearms => block and call police

Leaving bar => allow to pass

Entering bar, over 21 => allow to pass

Part of owner's family => allow to pass

=> Write down characteristics, ask owner

=> block (default policy)

Bouncer rules, part VI

Carrying firearms => block and call police

Leaving bar => allow to pass

Entering bar, over 21 => allow to pass

Part of owner's family => allow to pass

Entering bar, under 21 => block

=> Write down characteristics, ask owner

=> block (default policy)

Bouncer rules, part VII

Carrying firearms => block and call police

Leaving bar => allow to pass

Entering bar, over 21 => allow to pass

Part of owner's family => allow to pass

Entering bar, under 21 => block

=> block (default policy)

Mason and iterative creation

Start off with empty firewall

Log all unmatched packets

Watch logs for new packets

Add rule that would have matched that traffic

Keep adding rules until all traffic types encountered

Iptables log format

Apr 30 21:04:10 sparrow kernel: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=11339 DF PROTO=UDP SPT=33272 DPT=53 LEN=53

Iptables rule format

/sbin/iptables -A OUTPUT -o lo -p udp -s localhost/32 --sport 1024:65535 -d localhost/32 --dport domain -j ACCEPT #domain/udp (O)
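The loop on the last three slides, as an added example in POSIX shell (this is not Mason's own code): one function turns a netfilter LOG line of the format shown above into the ACCEPT rule that would have matched it, and another regenerates a whole ruleset from a log, with the stateful ESTABLISHED,RELATED rule in front and the LOG rules kept behind every ACCEPT. Ports are left numeric (Mason prints service names from /etc/services, so it writes domain where this prints 53); the 1024:65535 widening of ephemeral source ports mirrors the slide's rule. The first sample log line is the slide's; the ssh and ping lines, the "unmatched" log prefix and all function names are this example's own constructions.

```shell
#!/bin/sh
# Added example (not Mason's code): one turn of the "log it, then add the
# rule" loop, in POSIX sh.  Ports stay numeric; Mason itself prints service
# names from /etc/services (domain instead of 53).

# Print the value of KEY=VALUE from a netfilter LOG line (first occurrence;
# LEN= appears twice), or nothing when the key is absent or empty (IN= on a
# locally generated packet).
field() {                                  # $1 = log line, $2 = key
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Emit the iptables command that would have accepted the logged packet.
log_to_rule() {                            # $1 = log line
    line=$1
    in=$(field "$line" IN);   out=$(field "$line" OUT)
    src=$(field "$line" SRC); dst=$(field "$line" DST)
    proto=$(field "$line" PROTO | tr 'A-Z' 'a-z')
    # Which chain saw the packet: both interfaces set means it was being
    # forwarded, only OUT= means locally generated, only IN= locally bound.
    if [ -n "$in" ] && [ -n "$out" ]; then
        chain=FORWARD; iface="-i $in -o $out"; dir=F
    elif [ -n "$out" ]; then
        chain=OUTPUT;  iface="-o $out";        dir=O
    else
        chain=INPUT;   iface="-i $in";         dir=I
    fi
    case $proto in
    tcp|udp)
        spt=$(field "$line" SPT); dpt=$(field "$line" DPT)
        # An ephemeral source port is widened to the whole unprivileged range
        # so the next connection from the same client matches as well.
        if [ "$spt" -ge 1024 ]; then spt=1024:65535; fi
        match="-p $proto -s $src/32 --sport $spt -d $dst/32 --dport $dpt"
        note="$dpt/$proto ($dir)" ;;
    icmp)
        type=$(field "$line" TYPE); code=$(field "$line" CODE)
        match="-p icmp -s $src/32 -d $dst/32 --icmp-type $type/$code"
        note="icmp $type/$code ($dir)" ;;
    *)
        match="-p $proto -s $src/32 -d $dst/32"
        note="proto $proto ($dir)" ;;
    esac
    printf '/sbin/iptables -A %s %s %s -j ACCEPT #%s\n' \
        "$chain" "$iface" "$match" "$note"
}

# Starting state of the loop: default deny, replies accepted statefully, and
# a LOG rule at the end of every chain so each packet no rule matched is
# written to the kernel log in the format parsed above.
policy_rules() {
    for chain in INPUT OUTPUT FORWARD; do
        echo "/sbin/iptables -P $chain DROP"
    done
    echo "/sbin/iptables -F"
    for chain in INPUT OUTPUT FORWARD; do
        echo "/sbin/iptables -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT"
    done
}
log_rules() {
    for chain in INPUT OUTPUT FORWARD; do
        echo "/sbin/iptables -A $chain -j LOG --log-prefix \"unmatched $chain: \""
    done
}

# Regenerate the whole firewall script from a kernel log on stdin: policy and
# state rules, one ACCEPT per distinct traffic type seen, LOG rules last so
# they stay behind every ACCEPT (appending ACCEPTs after an existing LOG rule
# would keep logging traffic that is already allowed).
build_firewall() {
    policy_rules
    grep 'PROTO=' | while IFS= read -r l; do log_to_rule "$l"; done | awk '!seen[$0]++'
    log_rules
}

# Constructed sample log: the slide's loopback DNS query plus two made-up
# lines (an inbound ssh SYN and a forwarded ping).
SAMPLE_UDP='Apr 30 21:04:10 sparrow kernel: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=11339 DF PROTO=UDP SPT=33272 DPT=53 LEN=53'
SAMPLE_TCP='May  1 08:12:44 sparrow kernel: unmatched INPUT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=40312 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'
SAMPLE_ICMP='May  1 08:13:02 sparrow kernel: unmatched FORWARD: IN=eth0 OUT=ppp0 SRC=192.168.1.20 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1'

# Stand-alone run: print the firewall script the sample lines produce (the
# repeated DNS line yields a single rule).
printf '%s\n' "$SAMPLE_UDP" "$SAMPLE_TCP" "$SAMPLE_ICMP" "$SAMPLE_UDP" | build_firewall
```

Run as is, it prints the script the sample lines produce; for real use, feed it the kernel log (the lines grep 'PROTO=' pulls out of /var/log/messages), read the output before running it as root, and rerun it after more traffic has been logged. Regenerating the whole script each time, rather than appending to the live ruleset, is what keeps the LOG rules last and every generated ACCEPT ahead of them. Because the state rule sits in front, the generated rules only ever see the first packet of a connection, which is why a single rule per traffic type is enough.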

Live demonstration

We'll switch over to a Linux laptop for the demo and rejoin here afterwards.

Customization

Existing firewall rules

Allows administrator to make modifications

Starting firewall at boot

ntsysv, tksysv, or linuxconf

Manually link /etc/rc.d/init.d/firewall

Troubleshooting

Turn off the firewall, see if the problem persists.

Restart the firewall, try test, then run:

iptables -L -n -x -v | grep -v '^ *0 *0 ' | less -S

to see which rules have matched any packets.

Opening packet rules

Use iptables' stateful matching: accept packets in the ESTABLISHED,RELATED states up front, so replies and related connections never need rules of their own.

Let Mason build the rules for NEW packets.

Potential projects

Cisco IOS

FreeBSD, OpenBSD and NetBSD - ipfilter

http://coombs.anu.edu.au/~avalon/

Other routers and firewalls.

Thanks!

Linux developers, esp. Rusty Russell

Chris Brenton (SANS, Altenet)

Steven Northcutt (SANS)

ISTS

Mason contributors - see the Credits section in the HOWTO.

Where to get it

Part of some Linux Distributions

Debian

Krud

Redhat Powertools up to 7.0

http://www.stearns.org/mason/

Many other sources

References

http://www.stearns.org/mason/

http://www.netfilter.org

http://www.linuxdoc.org

http://www.stearns.org/doc/starting-mason.current.html

wstearns@pobox.com

Questions?