L30 - Stateless Firewalls

Transcript of L30 - Stateless Firewalls (76 slides, 8/10/2019)

    Stateless firewalls 3-1

    Intrusion Detection and Firewall Security

    Stateless firewalls

    Hårek Haugerud, Assoc. Professor, [email protected]

    Paal Engelstad, [email protected]


    Stateless firewalls 3-2

    Outline

    Firewall overview:

    What is it and why do we need it?

    Some typical firewall network topologies

    Linux firewalls

    Overview

    iptables

    Firewall design and System policy

    Setting up a stateless personal firewall from scratch

    Stateless firewalls 3-3

    A firewall filters network traffic going over a computer interface

    Network firewall: filters traffic going between networks

    Personal/host/local firewall: filters traffic between a host and the network

    [Figure: a host firewall sits between the host and its network; a network firewall sits between Network A and Network B]

    Stateless firewalls 3-4

    Firewall assumptions

    All traffic between outside and inside should pass through the firewall; inside and outside are often defined by different levels of trust.

    Only authorized traffic should be allowed to pass; authorized traffic is defined by the local security policy.

    The firewall itself should ideally be immune to penetration. However, any software might have bugs and vulnerabilities.

    [Figure: Inside (higher level of trust) | Firewall | Outside (lower level of trust)]

    Stateless firewalls 3-6

    Firewall as a packet filter

    Inspects packets as they traverse the interface

    Checks src-addr, dst-addr, src-port, dst-port, flags (and, for a stateful firewall, the connection/session the packet belongs to)

    Performs actions (like accept, drop, etc.) based on rules defined by you (e.g. with the iptables command on a Linux system)

    [Figure: packet -> filter -> Accept / Drop]

    Stateless firewalls 3-7

    Filtering can be based on:

    Packet header info:
      source IP address
      destination IP address
      source port
      destination port
      protocol & flags:
        TCP: SYN bit, ACK bit, ... etc.
        UDP
        ICMP: icmp-type

    Direction / interfaces: is the datagram leaving or entering the internal network? Decisions can be different for different interfaces.

    State (for stateful firewalls only): NEW, ESTABLISHED, RELATED, INVALID

    Stateless firewalls 3-8

    filter: IP and UDP header (RECAP)

    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |Version|  IHL  |Type of Service|          Total Length         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |         Identification        |Flags|      Fragment Offset    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |  Time to Live |    Protocol   |         Header Checksum       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                       Source Address                          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Destination Address                        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |          Source Port          |       Destination Port        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |            Length             |           Checksum            |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                          Payload ...

    (The IP Protocol field is 17 for UDP, 6 for TCP and 1 for ICMP; the two port fields are what -p udp --sport/--dport match on.)

    Stateless firewalls 3-9

    filter: IP and TCP header (RECAP)

    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |Version|  IHL  |Type of Service|          Total Length         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |         Identification        |Flags|      Fragment Offset    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |  Time to Live |    Protocol   |         Header Checksum       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                       Source Address                          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Destination Address                        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |          Source Port          |       Destination Port        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                        Sequence Number                        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Acknowledgment Number                      |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    | HLEN  |  Reserved |U|A|P|R|S|F|                               |
    |       |           |R|C|S|S|Y|I|            Window             |
    |       |           |G|K|H|T|N|N|                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |           Checksum            |         Urgent Pointer        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |               Options (if any)                |    Padding    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                          Payload ...

    TCP flags: URG, ACK, PSH, RST, SYN, FIN (the bits a stateless filter can test with iptables' --tcp-flags and --syn matches)

    Stateless firewalls 3-11

    TCP/IP Recap: TCP 3-way handshake

    Client (active open)                       Server (passive open)

      SYN (seq=1200)                    ---->
                                        <----  SYN (seq=4800), ACK (1201)
      ACK (4801)                        ---->  connection established (both sides)
      ACK, [DATA]                       <--->
      FIN (seq=1300), ACK (4900)        ---->  client close
                                        <----  ACK (1301)
                                        <----  FIN (seq=4900), ACK (1301)   server close
      ACK (4901)                        ---->

    Stateless firewalls 3-12

    filter: IP and ICMP header (RECAP)

    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |Version|  IHL  |Type of Service|          Total Length         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |         Identification        |Flags|      Fragment Offset    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |  Time to Live |    Protocol   |         Header Checksum       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                       Source Address                          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Destination Address                        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Type      |     Code      |           Checksum            |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |              Type/code-specific header fields                 |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |          ICMP data (type/code-specific format and length) ...

    Stateless firewalls 3-13

    RECAP: Some ICMP message types

    Q: Which types/codes were seen in your traceroute assignment?

    Type   Meaning
    0      Echo reply
    1-2    Reserved
    3      Destination unreachable
    4      Source quench
    5      Redirect
    8      Echo request
    9      Router advertisement
    10     Router solicitation
    11     Time exceeded
    12     Parameter problem
    13/14  Timestamp request / reply
    ...    etc.

    Codes for type 3 (Destination unreachable):
    0      Destination network unreachable
    1      Destination host unreachable
    2      Destination protocol unreachable
    3      Destination port unreachable
    4      Fragmentation required, and DF flag set
    5      Source route failed
    6      Destination network unknown
    7      Destination host unknown
    8      Source host isolated
    9      Network administratively prohibited
    10     Host administratively prohibited
    11     Network unreachable for TOS
    12     Host unreachable for TOS
    13     Communication administratively prohibited
    14     Host Precedence Violation
    15     Precedence cutoff in effect

    Codes for type 11 (Time exceeded):
    0      TTL expired in transit
    1      Fragment reassembly time exceeded

    Stateless firewalls 3-14

    Filtering a packet

    The usual reaction to a packet is one of:
      Accept it
      Drop it (silently discard it)
      Reject it (discard it and send an ICMP notification)
      Log it
      Change header information (e.g. NAT)

    Drop or reject? DROP reveals nothing and makes a scanner wait for a timeout on every probe; REJECT answers at once (an ICMP unreachable, or a TCP RST with --reject-with tcp-reset), so legitimate clients fail fast instead of hanging.

    Stateless firewalls 3-15

    Why would you need a firewall?

    Increased network security: the first line of defense

    Access control (network/transport level)

    Logging

    Stateless firewalls 3-16

    Firewall Basics: What is NOT a firewall?

    A firewall is NOT:

    The only thing needed for security: it does not solve other aspects of information security (e.g. humans, insiders, mis-configuration), and you still have to let traffic in and out.

    Something you install and leave: it needs to be managed for the ever-changing network environment, and it needs to be monitored. Stay on guard!

    100% safe: any software might have bugs and vulnerabilities, and so does any firewall.

    Stateless firewalls 3-17

    Outline (continued): Some typical firewall network topologies

    Stateless firewalls 3-18

    Firewall/Gateway: for subnets without public services

    Often combined with NAT: several hosts on the LAN can share one public IP address and a single broadband connection to the ISP.

    Typical for home / small networks (i.e. no web server or SSH access).

    Uses a restrictive policy, e.g. no incoming connection requests at all.

    [Figure: Internal private network / LAN (customer server and clients) -- Firewall (gateway) with NAT -- External public network / Internet (hacker)]

    Stateless firewalls 3-19

    DMZ (De-Militarized Zone): for subnets with public services

    Typical for larger organizations.

    The network is split into two zones:

    1. DMZ: containing servers accessible from the Internet, e.g. web servers

    2. LAN: network with a more restrictive rule-set, in case DMZ servers get compromised

    Different levels of trust between LAN and DMZ, so a firewall is needed in between.

    Let us look at two different models of a network with a DMZ...

    Stateless firewalls 3-20

    DMZ: Example I

    DMZ = a part of your LAN with other restrictions, e.g. allowing publicly available services (web servers, mail etc.)

    [Figure: Internal private network / LAN (server, clients) -- Firewall (choke) -- DMZ (web server, FTP server) -- Firewall (gateway) -- External public network / Internet (customer, hacker)]

    Stateless firewalls 3-21

    DMZ: Example II

    Often combined with local firewalls on hosts within the LAN, to protect against other, possibly infected, hosts on the LAN.

    [Figure: a single firewall with several interfaces (if1, if2, ...) connecting the External public network / Internet (customer, hacker), the DMZ (web server, FTP server) and the Internal private network / LAN (server, clients)]

    Stateless firewalls 3-22

    Outline (continued): Linux firewalls (overview, iptables)

    Stateless firewalls 3-23

    Firewalls with Linux

    netfilter: the actual firewall; operates in kernel space

    iptables: the configuration tool; operates in user space

    Note: iptables is only a tool for managing and setting rules. It won't work without packet filtering (netfilter) support in the kernel.

    Ubuntu: iptables & netfilter are installed by default

    TinyCore: use the ab (AppBrowser) command to install iptables

    By default netfilter allows all traffic, so you won't notice its presence before you start using iptables to configure netfilter.

    Stateless firewalls 3-24

    iptables usage

    iptables [-t table] {-A|-D} chain rule-specification
    iptables [-t table] -I chain [rulenum] rule-specification
    iptables [-t table] -R chain rulenum rule-specification
    iptables [-t table] -D chain rulenum
    iptables [-t table] {-L|-F|-Z} [chain] [options]
    iptables [-t table] -N chain
    iptables [-t table] -X [chain]
    iptables [-t table] -P chain target
    iptables [-t table] -E old-chain-name new-chain-name

    First, let us consider packet filtering (firewall) usage. Then we must set table=filter (iptables -t filter ...), or we can omit it altogether, because filter is the default: no table specified means that filtering is implied, so the forms above reduce to

    iptables {-A|-D} chain rule-specification
    iptables -I chain [rulenum] rule-specification
    iptables -R chain rulenum rule-specification
    iptables -D chain rulenum
    iptables {-L|-F|-Z} [chain] [options]
    iptables -N chain
    iptables -X [chain]
    iptables -P chain target
    iptables -E old-chain-name new-chain-name

    Stateless firewalls 3-28

    iptables is simply the Linux command; it takes different input parameters and switches (see the usage synopsis above).

    Stateless firewalls 3-29

    The iptables command is primarily used to add/remove packet filtering rules

    rule-specification = [matches...] [target]
    target = -j targetname
    targetname = {DROP|REJECT|ACCEPT|LOG} (or the name of a user-defined chain)

    Simple examples of rule-specifications:

    -i eth0 -j DROP
    Drop packets arriving on the eth0 interface

    -s 128.39.13.6 -p tcp -j ACCEPT
    Accept tcp packets with source ip-address 128.39.13.6

    So what is chain and what is rulenum...?

    Stateless firewalls 3-30

    iptables commands to add/remove rules into these lists (chains)

    -A, --append  : Append one or more rules to the end of a chain.
    -D, --delete  : Delete a rule from a chain.
    -I, --insert  : Insert a rule into a chain (default rulenum = 1, i.e. at the top).
    -R, --replace : Replace a rule in a chain with another one.
    -L, --list    : List all rules in a chain (default = all chains).
    -F, --flush   : Flush (delete all) rules from a chain (default = all chains).
    -Z, --zero    : Zero the packet and byte counters of a chain (or all chains).

    Stateless firewalls 3-31

    Example: Append new packet filtering rules to a chain

    rule-specification = [matches...] [-j {DROP|REJECT|ACCEPT|LOG}]

    Simple examples:

    iptables -A OUTPUT -o eth0 -j DROP
    Drop outgoing packets leaving through the eth0 interface

    iptables -A INPUT -s 128.39.13.6 -p tcp -j ACCEPT
    Accept incoming tcp packets with source ip-address 128.39.13.6

    Stateless firewalls 3-32

    Rules are organized into numbered lists of rules. These lists are called chains.

    Rules are numbered starting at one (i.e. rulenum=1).

    When appended/inserted, each rule obtains a rule number according to its order in the chain. A packet is checked against the rules in that order, and the first matching rule with a terminating target (ACCEPT, DROP, REJECT; LOG is not terminating) decides, so whether you append (-A) or insert (-I) a rule matters.

    The numbers are displayed by the --list (-L) command, for example: iptables -L -v --line-numbers

    Stateless firewalls 3-33

    Default chains for packet filtering: INPUT, OUTPUT, FORWARD

    Built-in chains (= non-user-defined chains):

    INPUT chain: these rules apply to all packets destined to the firewall host itself

    OUTPUT chain: applies to all packets originating from the firewall host

    FORWARD chain: applies to all packets passing through the firewall-router (next week)

    + user-defined chains with user-defined names

    Stateless firewalls 3-34

    More on rule-specification (matches)

    [!] -p, --protocol protocol
        The protocol of the packet, e.g. tcp, udp, udplite, icmp, esp, ah, sctp, or it can be a numeric value, see /etc/protocols.
        (The "!" inverts the test, e.g.: iptables -A INPUT ! -p tcp -j DROP)

    [!] -s, --source, --src address[/mask]
        Address is typically a network IP address (with /mask), or a plain IP address.

    [!] -d, --destination, --dst address[/mask]
        Same syntax as for the -s (source) flag.

    [!] --sport port[:port]
        Match on source port (or port range); only meaningful together with -p tcp or -p udp.

    [!] --dport port[:port]
        Match on destination port (or port range); likewise needs -p tcp or -p udp.

    [!] -i, --in-interface name
        name = eth0, eth1, lo etc... (only in the INPUT and FORWARD chains, where a packet has an input interface)

    [!] -o, --out-interface name
        name = eth0, eth1, lo etc... (only in the OUTPUT and FORWARD chains)

    -m, --match match
        Use an extension module to test for a specific property.

    Stateless firewalls 3-35

    Examples: Manipulating rules in chains

    iptables -F           flush (delete) all rules in all chains of the filter table (INPUT, OUTPUT, FORWARD and any user-defined chains); the chain policies are left unchanged
    iptables -F OUTPUT    flush (delete) all rules in the OUTPUT chain
    iptables -D INPUT 3   delete rule number 3 in the INPUT chain
    iptables -L FORWARD   list all rules in the FORWARD chain
    iptables -L           list all rules in all chains

    Stateless firewalls 3-36

    Manipulating the chains

    -N, --new-chain    : Create a new user-defined chain with the given name.
    -X, --delete-chain : Delete a user-defined chain (it must be empty, i.e. rules flushed, and not referenced by any rule). Default = all user-defined chains.
    -P, --policy       : Set the policy for a built-in ch
ain. (No policy can be set for user-defined chains.)
    -E, --rename-chain : Rename a user-defined chain.

    Stateless firewalls 3-37

    Example: Setting the policy

    iptables --policy INPUT ACCEPT
    iptables --policy OUTPUT ACCEPT
    iptables --policy FORWARD ACCEPT

    OR:

    iptables --policy INPUT DROP
    iptables --policy OUTPUT DROP
    iptables --policy FORWARD DROP

    The policy specifies what will happen (e.g. DROP or ACCEPT) to packets that do not match any rule in a built-in chain. In iptables -P chain target, the target part refers to e.g. DROP or ACCEPT; only the built-in targets ACCEPT and DROP are accepted as a policy (not REJECT, LOG or a user-defined chain). Note that iptables -F flushes the rules but leaves the policies as they are: with policy DROP and an empty INPUT chain, nothing gets in. When administering a remote host, add the rule that accepts your own session before switching the policy to DROP.

    More about targets later.

    Stateless firewalls 3-38

    Personal firewall (one interface)

    [Figure: local processes / applications (e.g. Apache, ssh, ...) above the OS kernel (TCP/IP stack); the netfilter filter chains OUTPUT and INPUT sit between the stack and the NIC (eth0), each with a "drop" exit]

    All outgoing packets are filtered by the rules in the OUTPUT chain

    All incoming packets are filtered by the rules in the INPUT chain

    Stateless firewalls 3-40

    Troubleshooting using tcpdump

    [Figure: the same personal-firewall diagram, with tcpdump's capture points marked on the NIC side of the OUTPUT and INPUT chains]

    tcpdump captures outgoing packets just before they go to the NIC (i.e. after filtering etc.)

    tcpdump captures incoming packets just after they come from the NIC (i.e. before filtering etc.)

    So an incoming packet that shows up in tcpdump may still have been dropped by the INPUT chain: compare with the per-rule packet counters from iptables -L -v -n, or put a LOG rule in front of the DROP policy, to see whether it got through.
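The gap between "seen by tcpdump" and "accepted by INPUT" is easiest to close with a LOG rule at the end of the INPUT and OUTPUT chains and a small summary over the kernel log. The following shell script is an added example, not part of the lecture: the log lines in it are constructed, and the log prefixes FW-IN-DROP / FW-OUT-DROP are assumptions (they are whatever --log-prefix you gave the LOG rules).

```shell
#!/bin/sh
# Summarize what netfilter LOG rules reported, so a packet that tcpdump shows
# arriving but that never gets an answer can be traced to the chain that
# discarded it. Added example, not from the lecture.
# SAMPLE_LOG is constructed for this example; on a real host feed the
# function  dmesg  or  journalctl -k  output instead.

SAMPLE_LOG=$(cat <<'EOF'
Aug 10 12:00:01 host kernel: eth0: link up, 1000Mbps, full-duplex
Aug 10 12:00:05 host kernel: FW-IN-DROP: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 10 12:00:06 host kernel: FW-IN-DROP: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 10 12:00:07 host kernel: FW-IN-DROP: IN=eth0 OUT= SRC=192.168.1.7 DST=192.168.1.20 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=UDP SPT=5353 DPT=5353 LEN=28
Aug 10 12:00:08 host kernel: FW-IN-DROP: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 10 12:00:09 host kernel: FW-OUT-DROP: IN= OUT=eth0 SRC=192.168.1.20 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 10 12:00:10 host kernel: FW-IN-DROP: IN=eth0 OUT= SRC=10.0.0.9 DST=192.168.1.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=6 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
EOF
)

# Read kernel log lines on stdin, keep the ones written by our LOG rules
# (prefix FW-...), and print one line per (prefix, protocol, dport, source):
#   <count> <prefix> <proto> <dport> <src>
# sorted by count, largest first. ICMP has no port, shown as "-".
summarize_drops() {
    awk '
    /FW-[A-Z-]*: / {
        match($0, /FW-[A-Z-]*:/)
        pfx = substr($0, RSTART, RLENGTH - 1)
        src = "?"; proto = "?"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^SRC=/)   src   = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        n[pfx " " proto " " dpt " " src]++
    }
    END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Stand-alone run: summarize the constructed sample
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

Read together with tcpdump: a SYN to port 22 from 10.0.0.5 that tcpdump shows on eth0 and that appears here under FW-IN-DROP was discarded by the INPUT chain, not lost on the wire; the FW-OUT-DROP line is a local process whose outgoing connection the OUTPUT chain refused.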

    Stateless firewalls 3-42

    Personal firewall w/ loopback interface

    Drawing it a little more conveniently (of course, lo is not a part of netfilter).

    [Figure: the same personal-firewall diagram with the loopback interface (lo) added beside eth0; packets on lo also pass the OUTPUT and INPUT chains]

    Stateless firewalls 3-43

    Example: Accepting loopback traffic

    [Figure: Linux firewall host with applications (e.g. Apache, ssh, ...), the OS kernel (TCP/IP stack), eth0 and lo]

    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    Stateless firewalls 3-44

    Network firewall (router): left to right

    All packets passing through are filtered by the rules in the FORWARD chain.

    Routing decision:
      dest. IP = local IP  -> send to INPUT
      dest. IP != local IP -> send to FORWARD

    [Figure: packets arriving on eth0 reach the routing decision; those for a local address go through INPUT to the local processes (applications, e.g. Apache, ssh, ...), the rest go through FORWARD and out on eth1; OUTPUT handles packets from local processes; each chain has a "drop" exit]

    Stateless firewalls 3-45

    Network firewall (router): both ways

    [Figure: as on the previous slide, with a routing decision for packets arriving on both eth0 and eth1, so FORWARD filters traffic in both directions]

    Stateless firewalls 3-46

    iptables used to configure netfilter

    [Figure: the iptables command, run from user space, configures the netfilter filter chains (INPUT, OUTPUT, FORWARD) inside the OS kernel (TCP/IP stack)]

    Stateless firewalls 3-47

    Outline (continued): Firewall design and System policy

    Stateless firewalls 3-48

    Firewall design

    A word of caution / disclaimer: there are almost as many opinions about network administration as there are network administrators. Things are done differently almost everywhere.

    Often, decisions regarding infrastructure and equipment are already taken. Then you have to customize and make the best out of what you've got.

    The following section is an approach to gain insight into the traffic flow of a network. It is not meant as a complete treatment of the topic.

    We will concentrate on traffic shaping and filtering, since that is central in this course. Other courses cover this topic from their point of view.

    Stateless firewalls 3-49

    System policy

    Constitutes a detailed plan. A clear policy avoids misunderstandings when several people work on the firewall / network, and helps others that need to understand it.

    Defining the system policy:
      Define hosts, servers and services
      Define privileges
      Translate services into port numbers
      Drawing cases
      Setting up firewalls
      Install and configure surveillance tools
      Test, test, test
      Re-evaluate earlier decisions


    Stateless firewalls 3-52

    Defining hosts, servers and services (example)

    Hosts and servers
      Class "Internet"     = All non-local machines
      Class "Webserver"    = Our local webserver (192.168.1.2)
      Class "Workstations" = Workstations (192.168.1.16/29)
      Class "Nameserver"   = Our local nameserver (192.168.1.3)
      Class "Mailserver"   = Our local mailserver (192.168.1.4)

    Services
      Class "WWW"  = "http, https"
      Class "DNS"  = "dns"
      Class "SSH"  = "ssh"
      Class "MAIL" = "pop3, smtp"


    Stateless firewalls 3-54

    Defining privileges

    Not all machines on your network are entitled to use all services offered in your network. Perhaps the web server is the only one with access to the database, or mail can only be sent from the workstations.

    These privileges can be displayed in a table. In the following example, we use the term "Internet" for all machines except the ones on our network. Granting WWW to the Internet does not include WWW to local machines. It can be useful to define such classes for simplicity.


    Stateless firewalls 3-57

    Translate services into port numbers

    For every service to allow (SSH, WWW, FTP ...), identify the ports and the protocol, in order to define your ruleset.

    iptables does not know anything about web surfing, but it can identify TCP packets heading for port 80.

    Some services are a bit tricky, e.g.:

    FTP works with several ports (a control connection on port 21 plus separate data connections)

    Non-standard applications (gaming, chat) that use undocumented ports: network analysis to figure it out.

    You should finally have a list of the ports which should be open on every host. This will make it easier for you when you construct the actual rule-set.
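Slides 3-52 and 3-54 define host and service classes and a privilege table, and the step above asks for their translation into ports. The following shell script, an added example and not part of the lecture, does that translation mechanically: host classes map to addresses (the "Internet" class is expressed as "not our network", with 192.168.1.0/24 assumed as our network), service classes map to protocol/port pairs (IANA well-known ports, assumed), and each row of an assumed privilege table becomes a stateless FORWARD rule pair, request plus reply. It only prints the rules; filtering in the FORWARD chain is the topic of next week's lecture.

```shell
#!/bin/sh
# Translate host/service classes and a privilege table into port-level rules
# for a network firewall's FORWARD chain. Added example, not from the lecture:
# class addresses follow slide 3-52; the privilege rows, OUR_NET and the port
# assignments are assumptions. Rules are printed, not applied.

OUR_NET=192.168.1.0/24

# Host class -> address. A leading "!" means "everything except", which is how
# "Internet = all non-local machines" is expressed.
class_addr() {
    case "$1" in
        Internet)     echo "!$OUR_NET" ;;
        Webserver)    echo 192.168.1.2 ;;
        Nameserver)   echo 192.168.1.3 ;;
        Mailserver)   echo 192.168.1.4 ;;
        Workstations) echo 192.168.1.16/29 ;;
        *) echo "unknown host class: $1" >&2; return 1 ;;
    esac
}

# Service class -> protocol/port pairs
svc_ports() {
    case "$1" in
        WWW)  echo "tcp/80 tcp/443" ;;   # http, https
        DNS)  echo "udp/53 tcp/53" ;;    # dns (UDP, and TCP for large answers)
        SSH)  echo "tcp/22" ;;
        MAIL) echo "tcp/25 tcp/110" ;;   # smtp, pop3
        *) echo "unknown service class: $1" >&2; return 1 ;;
    esac
}

# Build a -s/-d match from a class address, negating it when it starts with "!"
match_arg() {
    case "$2" in
        "!"*) echo "! $1 ${2#"!"}" ;;
        *)    echo "$1 $2" ;;
    esac
}

# One privilege-table row "FROM TO SERVICE" -> a stateless rule pair per port:
# the request direction, and the reply direction. For TCP the reply rule only
# admits non-SYN packets (! --syn), so it cannot be used to open connections
# the other way; UDP has no flags, so the reply rule is just the port pair.
emit_rules() {
    src=$(class_addr "$1") || return 1
    dst=$(class_addr "$2") || return 1
    ports=$(svc_ports "$3") || return 1
    for pp in $ports; do
        proto=${pp%/*}; port=${pp#*/}
        echo "iptables -A FORWARD $(match_arg -s "$src") $(match_arg -d "$dst") -p $proto --dport $port -j ACCEPT"
        if [ "$proto" = tcp ]; then
            echo "iptables -A FORWARD $(match_arg -s "$dst") $(match_arg -d "$src") -p tcp --sport $port ! --syn -j ACCEPT"
        else
            echo "iptables -A FORWARD $(match_arg -s "$dst") $(match_arg -d "$src") -p udp --sport $port -j ACCEPT"
        fi
    done
}

# The privilege table: one row per granted privilege (assumed content)
PRIVILEGES='
Internet     Webserver  WWW
Workstations Webserver  WWW
Workstations Nameserver DNS
Workstations Mailserver MAIL
Workstations Webserver  SSH
'

generate_ruleset() {
    echo "iptables -P FORWARD DROP"
    echo "$PRIVILEGES" | while read -r from to svc; do
        [ -n "$from" ] || continue
        emit_rules "$from" "$to" "$svc" || return 1
    done
}

generate_ruleset
```

Note how "WWW for the Internet" comes out as `! -s 192.168.1.0/24 -d 192.168.1.2`, which is exactly the slide's point that granting WWW to the Internet does not grant it to local machines; a workstation needs its own row. Unknown class names are rejected rather than silently expanded, so a typo in the table cannot turn into an over-broad rule.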


    Stateless firewalls 3-59

    Drawing cases

    The table with the privileges did not take into account the route those connections actually take through your network. Which route they take outside your domain is not in your hands.

    For monitoring later on, it can be useful to draw some cases which display actual traffic. These cases do not have to follow a special standard. The aim is to draw something that shows you what to expect where. It also shows which firewall is responsible for what.

  • 8/10/2019 L30 - Statelesss Firewalls

    60/76

    Stateless firewalls 3-60

    Drawing cases (example)


    Stateless firewalls 3-62

    Setting up the firewall

    The next task is to actually configure the firewalls. If you already are familiar with the filtering technology you wish to use and have done solid groundwork in the previous steps, this should be straightforward.


    Stateless firewalls 3-65

    Outline

    Firewall overview: What is it and why do we need it?

    Some typical firewall network topologies

    Linux firewalls

    Overview

    iptables

    Firewall design and System policy

    Setting up a stateless personal firewall from scratch


    Stateless firewalls 3-66

    Setting up a stateless personal firewall from scratch

    Assumptions/prerequisites:

    A Linux system with one network interface.

    The running kernel has netfilter support.

    See how rules change as you add new rules. It is very useful to learn some tricks early on. This line shows a nice way to watch over your current rules and which way the packets go:

    watch -n 2 iptables -L -v -n --line-numbers

    watch: -n 2 = refresh the output every 2 seconds

    iptables -L: -v = verbose (packet and byte counters per rule), -n = numeric IP/ports

    This command monitors the rules and additionally shows what packets go where in the different chains.

    Write all iptables commands to a script

    Run the script


    Stateless firewalls 3-67

    Steps for stateless firewall setup

    Steps (simplified) in your script:

    Define symbolic constants

    Flush any pre-existing rules

    Allow loopback traffic

    Set policy on chains: DROP

    Allowing in and out rules for selected services: DNS, Mail (SMTP, IMAP), WWW (http), SSH etc...


    Stateless firewalls 3-68

    Define symbolic constants

    Example:

    The IP-address of the network interface is stored in the variable $MY_IP:

    MY_IP=192.168.10.10


    Stateless firewalls 3-69

    Flush any pre-existing rules

    iptables -t filter -F

    iptables -t nat -F

    iptables -t mangle -F

    If there are any user-defined chains as well, they should be removed too.

    iptables --delete-chain

    iptables -t nat --delete-chain

    iptables -t mangle --delete-chain


    Stateless firewalls 3-70

    Allow loopback traffic

    The loopback device must not be filtered, since it is for private use, and some software systems depend on this for their functioning.

    iptables -A INPUT -i lo -j ACCEPT

    iptables -A OUTPUT -o lo -j ACCEPT


    Stateless firewalls 3-74

    Allowing in/out rules for selected services

    Examples:

    Allowing ssh in:

    iptables -A INPUT -p tcp --sport 1024:65535 --dport 22 -j ACCEPT

    iptables -A OUTPUT -p tcp --sport 22 --dport 1024:65535 -j ACCEPT

    If you want to allow ssh in, you also need to allow the reply-packets out.

    Allowing DNS out:

    iptables -A OUTPUT -o eth0 -p udp --sport 1024:65535 --dport 53 -j ACCEPT

    iptables -A INPUT -i eth0 -p udp --dport 1024:65535 --sport 53 -j ACCEPT

    For DNS, we have specified the interface card explicitly. This is useful when there is more than one card.


    Stateless firewalls 3-75

    Filtering malformed packets

    Until now, we have focused on the rules regarding correct packets. But attacks and scans often rely on malformed packets.

    A firewall script usually has a set of rules in the beginning to take care of everything that is not according to protocol.

    An extensive list can be found in Ziegler: Linux Firewalls.


    Summary: stateless firewall setup

    Steps (simplified) in your script:

    Define symbolic constants

    Flush any pre-existing rules

    Accept loopback traffic

    Set policy on chains: DROP

    Drop malformed packets (bad addresses, common unprivileged ports, bad flags....)

    Accept in and out traffic for selected services: DNS, Mail (smtp, imap), WWW (http), SSH, etc...
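The following is an added example, not code from the slides or from the course authors: a complete stateless personal firewall script that joins the steps listed in the summary above with the "translate services into port numbers" step and the malformed-packet rules. It assumes a single interface named eth0, uses the slides' example address 192.168.10.10 as a placeholder for MY_IP, and adds a DRY_RUN switch (an assumption, not something the slides describe) so that it prints the rules it would load instead of calling iptables unless run as root with DRY_RUN=0. The privilege table POLICY is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the slides): a stateless personal firewall script that
# follows the steps in the deck. Assumptions: one interface named eth0, the slides'
# example address 192.168.10.10 as MY_IP, and a DRY_RUN switch
# (1 = print the rules, 0 = load them with iptables as root).

IFACE="${IFACE:-eth0}"            # assumed interface name
MY_IP="${MY_IP:-192.168.10.10}"   # placeholder address taken from the slides
DRY_RUN="${DRY_RUN:-1}"           # print by default; DRY_RUN=0 applies the rules
UNPRIV="1024:65535"               # unprivileged (client-side) port range

# Constructed privilege table: service, protocol, port, and whether this host is
# the server (in) or the client (out). This is what the "translate services into
# port numbers" step produces.
POLICY='ssh  tcp 22  in
dns  udp 53  out
http tcp 80  out
smtp tcp 25  out
imap tcp 143 out'

# ipt: print or run one iptables command, depending on DRY_RUN
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Step 1: flush rules and delete user-defined chains in every table
flush_rules() {
    for t in filter nat mangle; do
        ipt -t "$t" -F
        ipt -t "$t" -X    # -X is the short form of --delete-chain
    done
}

# Step 2: default policy DROP, so anything not explicitly accepted is discarded
set_default_drop() {
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP
}

# Step 3: never filter loopback; local software depends on it
allow_loopback() {
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
}

# Step 4: drop packets that are not according to protocol, before any ACCEPT rule
drop_malformed() {
    # source addresses that cannot legitimately arrive from the network
    ipt -A INPUT -i "$IFACE" -s 127.0.0.0/8 -j DROP
    ipt -A INPUT -i "$IFACE" -s "$MY_IP" -j DROP
    # TCP flag combinations no real stack sends (null, xmas, SYN+FIN, SYN+RST)
    ipt -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    ipt -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    ipt -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    ipt -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
}

# Step 5a: this host is the server on port $2 (protocol $1):
# requests in from client ports, replies out to client ports
allow_in() {
    ipt -A INPUT -i "$IFACE" -p "$1" --sport "$UNPRIV" --dport "$2" -j ACCEPT
    ipt -A OUTPUT -o "$IFACE" -p "$1" --sport "$2" --dport "$UNPRIV" -j ACCEPT
}

# Step 5b: this host is the client of port $2 (protocol $1):
# requests out from client ports, replies back in to client ports
allow_out() {
    ipt -A OUTPUT -o "$IFACE" -p "$1" --sport "$UNPRIV" --dport "$2" -j ACCEPT
    ipt -A INPUT -i "$IFACE" -p "$1" --sport "$2" --dport "$UNPRIV" -j ACCEPT
}

# Turn the privilege table into stateless rule pairs
allow_services() {
    printf '%s\n' "$POLICY" | while read -r name proto port dir; do
        case "$dir" in
            in)  allow_in  "$proto" "$port" ;;
            out) allow_out "$proto" "$port" ;;
        esac
    done
}

# build_firewall: the whole script in the order the deck recommends
build_firewall() {
    flush_rules
    set_default_drop
    allow_loopback
    drop_malformed
    allow_services
}

build_firewall
```

Run it from the console rather than over ssh: the policy is set to DROP before the ssh rules are appended, so a remote session would be cut off in between. Note also what stateless means here: the reply rule for ssh accepts any outgoing TCP packet with source port 22 to an unprivileged port, including one that starts a new connection; adding ! --syn to that OUTPUT rule (an iptables tcp match option not covered in the slides) limits it to packets that do not open a connection.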