Firewalls II

1
Firewalls II

• Review
• Policy
• Masquerading
• Port forwarding
• PIX
• Generality
• Hardware devices
• Functionality
• Configuration

2
Firewalls II

• Review of IPTables

Every chain contains one or more tables. Every
packet goes into some chain(s), depending on its
type (forwarded, input, output) To traverse a
chain, a packet traverses all default tables
inside the specified chain Tables are Mangle
(Ignore this it is beyond scope) Filter
(This is our purpose for using IPTables) NAT
(IPTables can also be used for NAT)
3
Firewalls II

• Review of IPTables

NAT belongs to all chains
Filter belongs to INPUT, OUTPUT and FORWARD
chains
Ignoring NAT, we have INPUT filters, OUTPUT
filters and FORWARD filters
4
Firewalls II

• Review of IPTables

Protected Network
Internet
IPTables Firewall
iptables-append FORWARD -source 150.160.10.10
-proto icmp -icmp-type echo-request -jump
REJECT iptables -append FORWARD -source
150.160.10.10 -proto tcp -dport 21 -jump
REJECT iptables -append FORWARD -source
150.160.10.10 -proto tcp -dport 23 -jump REJECT
Generalize from 150.160.10.10?
Have we really protected our network from icmp,
telnet and ftp?
5
Firewalls II

• Review of IPTables

Protected Network
Internet
IPTables Firewall
If the Firewall is hardened, it will not have
extraneous services running. Otherwise, it may
have a telnet server running. Users can jump from
one system to another. For instance, can ssh to
redwood from home and then telnet to sorrel
sorrel only sees connection from redwood
iptables -append FORWARD -proto tcp -dport 23
-jump REJECT iptables A INPUT -proto tcp
-dport 23 jump REJECT
Make sure you know why this second rule would be
necessary to protect inner network!
6
Firewalls II
Stateful rules will allow more discretion
Flush all chainsiptables --flush Previously
initiated and accepted exchanges bypass rule
checking Allow unlimited outbound
trafficiptables -A INPUT -m state --state
ESTABLISHED,RELATED -j ACCEPTiptables -A OUTPUT
-m state --state NEW,ESTABLISHED,RELATED -j
ACCEPT Allow incoming TCP port 22 (ssh) traffic
from officeiptables -A INPUT -p tcp -s
192.168.1.100 --dport 22 -m state --state NEW -j
ACCEPT Drop all other traffic/iptables -A
INPUT -j DROP
7
Firewalls II
Stateful rules will allow more discretion
Flush all chainsiptables --flush Previously
initiated and accepted exchanges bypass rule
checking Allow unlimited outbound
trafficiptables -A INPUT p tcp -m state --state
ESTABLISHED -j ACCEPTiptables -A OUTPUT-p tcp
-m state --state NEW,ESTABLISHED -j ACCEPT
Allow incoming TCP port 22 (ssh) traffic from
officeiptables -A INPUT -p tcp -s 192.168.1.100
--dport 22 -m state --state NEW -j ACCEPT Drop
all other traffic/iptables -A INPUT -j REJECT
iptables -A OUTPUT -p icmp -m state --state
NEW,ESTABLISHED -j ACCEPT iptables -A INPUT    
-p icmp -m state --state ESTABLISHED   -j ACCEPT
Iptables A INPUT j REJECT
8
Firewalls II
Stateful rules will allow more discretion
In the context of iptables, NEW means the
beginning of a tcp, udp or icmp conversation
ESTABLISHED means the rest of a tcp, udp or icmp
conversation
TCP requires a 3-way handshake Client TCP
packet with SYN Server TCP packet with SYN
and ACK TCP packet with ACK Connection is now
established in TCP terms. TCP packets with ACK
to/from the source host/port and destination
host/port are part of that connection.
Eventually, one side will terminate TCP
packet with FIN TCP packet with ACK TCP
packet with FIN TCP packet with ACK
9
Firewalls II
Stateful rules will allow more discretion
In the context of iptables, NEW means the
beginning of a tcp, udp or icmp conversation
ESTABLISHED means the rest of a tcp, udp or icmp
conversation
ICMP implies query-response Client icmp
request Server icmp reply
10
Firewalls II
iptables Policy
Firewall rules implement an enterprises security
policy Policies can be permissive (allow
everything that isnt denied)
or restrictive (deny everything that isnt
permitted)
iptables policy rules determine which of those
policies is to be used on each chain
Set default policiesiptables --policy INPUT
DROPiptables --policy OUTPUT DROPiptables
--policy FORWARD DROP
What would happen if this were the entire ruleset?
Set default policiesiptables --policy INPUT
ACCEPTiptables --policy OUTPUT ACCEPTiptables
--policy FORWARD ACCEPT
11
Firewalls II
Masquerading (Masquerade NAT)
Masquerade NAT is Port-mapped NAT (PAT) Also
called 1many NAT
Pro Only (1) IP address needed (cheap)
Doesn't require special application support
Uses firewall software so your network can become
more secure Con - Requires software
processing - Incoming traffic cannot access your
internal LAN unless the internal LAN initiates
the traffic or specific port forwarding software
is installed. Many NAT servers CANNOT provide
this functionality.
12
Firewalls II
Masquerading (Masquerade NAT)
Masquerade NAT is Port-mapped NAT (PAT) Also
called 1many NAT
Pro Only (1) IP address needed (cheap)
Doesn't require special application support
Uses firewall software (like iptables) Con -
Requires software processing - Incoming traffic
cannot access your internal LAN unless the
internal LAN initiates the traffic or specific
port forwarding software is installed. Many NAT
servers CANNOT provide this functionality.
http//en.tldp.org/HOWTO/IP-Masquerade-HOWTO/what-
is-masq.html
http//www.suse.de/mha/linux-ip-nat/diplom/node7.
htm
13
Firewalls II
Masquerading (Masquerade NAT)
IPTABLES -P INPUT ACCEPT IPTABLES -F INPUT
IPTABLES -P OUTPUT ACCEPT IPTABLES -F OUTPUT
IPTABLES -P FORWARD DROP IPTABLES -F FORWARD
IPTABLES -t nat -F echo " FWD Allow all
connections OUT and only existing and related
ones IN" IPTABLES -A FORWARD -i eth0 -o eth1 -m
state --state ESTABLISHED,RELATED -j ACCEPT
IPTABLES -A FORWARD -i eth1 -o eth0 -j ACCEPT
IPTABLES -A FORWARD -j LOG echo " Enabling SNAT
(MASQUERADE) functionality on eth0" IPTABLES -t
nat -A POSTROUTING -o eth0 -j MASQUERADE
eth0 is outside eth1 is inside
http//en.tldp.org/HOWTO/IP-Masquerade-HOWTO/firew
all-examples.html
14
Firewalls II
Port forwarding
Need a picture of port forwarding without ssh
tunneling
15
Firewalls II
Port forwarding
Need an Example. OK... ipchains -P forward DENY
ipchains -A forward -i ppp0 -j MASQ echo 1 gt
/proc/sys/net/ipv4/ip_forward this will clear
all previous port forward rules ipmasqadm portfw
-f this will redirect all web conections (port
80) to your internal server (using the tcp
protocal (proto)) ipmasqadm portfw -a -P tcp -L
194.160.1.1 80 -R 10.10.0.2 80 this will
redirect timed connections ipmasqadm portfw -a
-P udp -L 194.160.1.1 525 -R 10.0.0.2 525
ipmasqadm portfw -l prot localaddr rediraddr
lport rport pcnt pref TCP guardian tricord www
www 6 10 UPD guardian tricord time time 10 10
16
Firewalls II
Cisco PIX 506e firewall
The compact desktop chassis of the Cisco PIX 506E
provides two autosensing Fast Ethernet (10/100)
interfaces. Ideal for securing high-speed
Internet connections, the Cisco PIX 506E delivers
up to 100 Mbps of firewall throughput, 16 Mbps of
Triple Data Encryption Standard (3DES) VPN
throughput, and 30 Mbps of Advanced Encryption
Standard-128 (AES) VPN throughput in a
cost-effective, high-performance solution.
Version 6.3 (latest version as of Nov 2003)
17
Firewalls II
Cisco PIX 506e firewall
The PIX Firewall protects an inside network from
unauthorized access by users on an outside
network, such as the public Internet. Most
PIX Firewall models can optionally protect one or
more perimeter networks, also known as
demilitarized zones (DMZs). Access to the
perimeter network is typically less restricted
than access to the inside network, but more
restricted than access to the outside network.
Connections between the inside, outside, and
perimeter networks are controlled by the
PIX Firewall.
18
Firewalls II
Cisco PIX 506e firewall

• The PIX Firewall protects an inside network from
  unauthorized access by users on an outside
  network, such as the public Internet.
• Most PIX Firewall models can optionally protect
  one or more perimeter networks, also known as
  demilitarized zones (DMZs).
• Access to the perimeter network is typically less
  restricted than access to the inside network, but
  more restricted than access to the outside
  network.
• Connections between the inside, outside, and
  perimeter networks are controlled by the
  PIX Firewall.

19
Firewalls II
Cisco PIX 506e firewall
Packet filtering using Adaptive Security
Algorithm (ASA), which is stateful NAT VPNs (uses
IPSec and IKE) VLANs Routing (OSPF) ActiveX
blocking Java filtering URL filtering (not
recommended) Proxy pinging (control pinging to
firewall interfaces)
20
Firewalls II
Cisco PIX 506e firewall
Nasty Internet emulated by station 9
(150.150.150.200)
150.150.150.150
Access to stations 9 and 12 is via telnet using
their eth1 interfaces. Access to router via its
serial port.
209.165.202.129
Intranet
Trusted intranet computer emulated by station 12
209.165.202.200
Security goal All inside hosts can start
connections. All external hosts are blocked from
initiating connections or sessions on inside
hosts.
21
Firewalls II
Cisco PIX 506e firewall
no dhcpd enable inside no dhcpd address
inside ip address inside 209.165.202.129
255.255.255.0 ip address outside 150.150.150.150
255.255.0.0 nat (inside) 0 0 0 remark no
NAT access-list 100 permit icmp any any
echo-response access-group 100 in interface
outside
22
Firewalls II
Cisco PIX 506e firewall
Nasty Internet emulated by station 10
(150.150.150.200)
Security goal All inside hosts can start
connections. All external hosts are blocked from
initiating connections or sessions on inside
hosts.
23
Firewalls II
no dhcpd enable inside no dhcpd address
inside nameif ethernet0 outside security0
nameif ethernet1 inside security100 interface
ethernet0 100basetx interface ethernet1
100basetx ip address outside 209.165.201.3
255.255.255.224 ip address inside
209.165.202.129 255.255.255.0 names nat
(inside) 0 209.165.201.3 255.255.255.224 route
outside 0.0.0.0 0.0.0.0 209.165.201.1 1
access-list acl_out permit icmp any  any
echo-reply access-group acl_out in interface
outside
Default
Not necessary defaults to 10baset
Configure PIX interfaces