SlideShare una empresa de Scribd logo

Lecture 4 firewalls

R
rajakhurram

The document discusses firewalls and iptables firewall configuration on Linux systems. It provides details on firewall types (packet filtering, stateful inspection, proxy-based), configurations (screened host, screened subnet, DMZ), and iptables concepts like tables, chains, rules. It shows examples of iptables commands to implement common firewall rules like accepting loopback traffic and allowing HTTP/HTTPS outbound while blocking all other inbound/outbound traffic. The goal is to provide an overview of firewalls and demonstrate basic Linux firewall configuration using iptables.

EducaciónTecnología
1 de 51
Firewalls Chapter 11
The function of a strong position is to make the forces holding it practically unassailable. - On War,Carl Von Clausewitz 2
Contents • Firewall  Characteristics  Types • Firewall Basing  Bastion Host  Host Based  Personal Firewall • Firewall Location and Configurations 3
Firewalls : Need • Effective means of protection a local system or network of systems from network-based security threats while affording access to the outside world via WAN`s or the Internet • The firewall is inserted between the premises network and the Internet • Aims:  Establish a controlled link  Protect the premises network from Internet-based attacks  Provide a single choke point 4 ET1318 - Network Security
Design goals • All traffic from inside to outside must pass through the firewall (physically blocking all access to the local network except via the firewall) • Only authorized traffic (defined by the local security policy) will be allowed to pass • The firewall itself is immune to penetration (use of trusted system with a secure operating system) 5
Characteristics: Access Control • 4 general techniques: III. Service control  Determines the types of Internet services that can be accessed, inbound or outbound IV. Direction control  Determines the direction in which particular service requests are allowed to flow V. User control  Controls access to a service according to which user is attempting to access it VI. Behavior control  Controls how particular services are used (e.g. filter e-mail) 6
Characteristics: Capabilities & Limitations • Capabilities  Single Choke  Prohibit potentially vulnerable services from entering or leaving the network  Provides protection from attacks (different kinds)  Provide a location for monitoring security-related events • Limitations  Can not protect against attacks that bypass firewall  May not protect fully against internal threats  Can not secure improperly secured wireless LAN  Can not secure adhoc systems which are already infected 7
Types of Firewalls • 4 common types of Firewalls:  Packet-filtering routers  Stateful Inspection Firewalls  Application-level gateways  Circuit-level gateways 8
Types of Firewalls • Packet-filtering 9
Packet-filtering • Applies a set of rules to each incoming IP packet and then forwards or discards the packet • Filter packets going in both directions • The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header • Two default policies (discard or forward) 10
Packet-filtering  Advantages:  Simplicity  Transparency to users  High speed  Disadvantages:  Difficulty of setting up packet filter rules  Lack of Authentication  Possible attacks and appropriate countermeasures  IP address spoofing  Source routing attacks  Tiny fragment attacks 11
Packet-filtering 12
Types of Firewalls • Stateful Inspection Firewall  Most standard applications that run on top of TCP follow client server model  Creates a directory of outbound TCP connections. – An entry for each currently established connection.  Reviews same packet information as packet filtering firewall but also records information about TCP connections  Can keep track TCP sequence number. 13
Stateful Inspection Firewall 14
Types of Firewalls II • Application-level Gateway 15
Application-level Gateway • Application-level Gateway – Also called proxy server – Acts as a relay of application-level traffic • Advantages: – Higher security than packet filters – Only need to scrutinise a few allowable applications – Easy to log and audit all incoming traffic • Disadvantages: – Additional processing overhead on each connection (gateway as splice point) 16
Types of Firewalls III • Circuit-level Gateway 17
Circuit-level Gateway • Circuit-level Gateway  Stand-alone system or  Specialised function performed by an Application-level Gateway  Sets up two TCP connections  The gateway typically relays TCP segments from one connection to the other without examining the contents  The security function consists of determining which connections will be allowed  Typically use is a situation in which the system administrator trusts the internal users  An example is the SOCKS package 18
Circuit-level Gateway 19
Firewall Basing 20
Bastion Host • Bastion Host  A system identified by the firewall administrator as a critical strong point in the network´s security – Hardware with its own secured version of OS – Only allowable services are installed – May require additional authentication from users for accessing services.  The bastion host serves as a platform for an application-level or circuit-level gateway 21
Host-Based Firewalls • Software Module used to secure an individual host.  Commonly available in OS  Filter and restrict flow of packets  Common location : Server • Advantages  Rules can be tailored  Independent of topology  As independent firewall, may provide extra layer of protection without changing the existing network 22
Personal Firewall • Controls traffic between a personal computer or workstation • May be used in home and in enterprise both • Less complex as primary goal is to deny unauthorized remote access • Can also monitor outgoing activity 23
Locations and Configurations 24
Firewall Configurations  Greater security than single configurations because of two reasons:  This configuration implements both packet-level and application-level filtering (allowing for flexibility in defining security policy)  An intruder must generally penetrate two separate systems  This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server) 25
Screened host firewall • Screened host firewall system (single-homed bastion host) • Screened host firewall, single-homed bastion configuration • Firewall consists of two systems:  A packet-filtering router  A bastion host 26
Firewall Configurations  Screened host firewall system (dual-homed bastion host)  Screened host firewall, dual-homed bastion configuration – The packet-filtering router is not completely compromised – Traffic between the Internet and other hosts on the private network has to flow through the bastion host 27
Firewall Configurations  Screened-subnet firewall system  Screened subnet firewall configuration – Most secure configuration of the three – Two packet-filtering routers are used – Creation of an isolated sub-network 28
Firewall Configurations  Advantages:  Three levels of defense to thwart intruders  The outside router advertises only the existence of the screened subnet to the Internet (internal network is invisible to the Internet)  The inside router advertises only the existence of the screened subnet to the internal network (the systems on the inside network cannot construct direct routes to the Internet) 29
Firewall Configuration 30
Demilitarized zone (DMZ) • Usage of firewalls to create a “no mans land” for services that should be accessible from the external network 31
Virtual Private Networks 32
Ditributed Firewalls 33
Trusted Systems & Data Access Control  One way to enhance the ability of a system to defend against intruders and malicious programs is to implement trusted system technology  Data Access control • Through the user access control procedure (log on), a user can be identified to the system • Associated with each user, there can be a profile that specifies permissible operations and file accesses • The operation system can enforce rules based on the user profile  General models of access control: – Access matrix – Access control list – Capability list 34
Data Access Control  Access Matrix: Basic elements of the model  Subject: An entity capable of accessing objects, the concept of subject equates with that of process  Object: Anything to which access is controlled (e.g. files, programs)  Access right: The way in which an object is accessed by a subject (e.g. read, write, execute)  Access Control List – An access control list lists users and their permitted access right – The list may contain a default or public entry  Capability list – A capability ticket specifies authorised objects and operations for a user – Each user have a number of tickets 35
The Concept of Trusted Systems  Trusted Systems  Protection of data and resources on the basis of levels of security (e.g. military)  Users can be granted clearances to access certain categories of data  Multilevel security  Definition of multiple categories or levels of data  A multilevel secure system must enforce:  No read up: A subject can only read an object of less or equal security level (Simple Security Property)  No write down: A subject can only write into an object of greater or equal security level (*-Property)  (Please read the concepts of Bell—LaPadula Confidentiality Model and Biba Integrity Model (Important Reading Assignment) (http://en.wikibooks.org/wiki/Security_Architecture_and_Design/Security_Models) 36
The Concept of Trusted Systems II  Reference Monitor  Controlling element in the hardware and operating system of a computer that regulates the access of subjects to objects on basis of security parameters  The monitor has access to a file (security kernel database)  The monitor enforces the security rules (no read up, no write down)  Properties of the Reference Monitor  Complete mediation: Security rules are enforced on every access  Isolation: The reference monitor and database are protected from unauthorised modification  Verifiability: The reference monitor’s correctness must be provable (mathematically) 37
Linux Firewall 38
iptables • Firewall administration program • Implemented within the operating system • Works at the IP network and Transport Protocol Layers • Protects the system by making routing decisions after filtering packets based on information in the IP packet header • Consists of a list of acceptance and denial rules • The rules are stored in kernel tables, in an input output or forward chain 39
Packet-Filtering Concepts • Rules based on:  Specific NIC  Host IP address  Network layer´s source and destination IP addresses  The transport layer´s TCP and UDP service ports  TCP connection flags  The network layer´s ICMP message types  Whether the packet is incoming or outgoing The order in which the rules are defined is important 40
Tables 1. filter table - responsible for filtering - default table  INPUT chain - All packets arriving into the system go through this chain.  OUTPUT chain - All packets leaving the system go through this chain.  FORWARD chain - All packets passing through the system (being routed) go through this chain. 2. nat table - responsible for rewriting packet addresses or ports. consulted when a packet that creates a new connection is encountered  PREROUTING chain - Incoming packets pass through this chain before the local routing table is consulted, primarily for DNAT (destination-NAT).  POSTROUTING chain - Outgoing packets pass through this chain after the routing decision has been made, primarily for SNAT (source-NAT). • mangle table - responsible for adjusting packet options, such as quality of service. (Reading Assignment)  PREROUTING chain.  INPUT chain.  FORWARD chain.  OUTPUT chain. 41  POSTROUTING chain.
Firewall Characteristics  The list of rules rules defining what can come in and what can go out are called chains Network Interface  2 chains:  Input chain Incoming packet Match rule3?  Output chain Input chain  ( Forward chain ) No Match rule1? Match rule2? No No Match rule2? Match rule1? No Output chain Match rule3? Outgoing packet 42
Default Packet-filering policy  Each chain has a default policy  If the packet doesn’t match any rule the default policy is applied  2 basic approaches to a firewall: 1. Deny everything by default and explicitly allow selected packets through 2. Accept everything by default and explicitly deny selected packets through 43
Deny-everything-by-default policy Incoming packet FW chain Match rule1? Yes Accept No Match rule2? Yes Accept No Match rule3? Yes Accept No Policy: DENY 44
Accept-everything-by-default policy Incoming packet FW chain Match rule1? Yes Deny No Match rule2? Yes Deny No Match rule3? Yes Deny No Policy: ACCEPT 45
Reject vs Deny Firewall mechanism gives you the option of either rejecting or denying packets Return error Discard to sender Yes Yes Reject? Deny? Packet No No 46
iptables command-line arguments • iptables – A|I|D [chain] [-i interface] [-p protocol] [ [!] --syn] • [-s address [ port [:port] ] ] • [-d adress [ port [:port] ] ] • -j policy [ -l] A | I | S : Append |Insert |Delete • #Set the default policy to deny • iptables –P input DENY • iptables –P output REJECT • iptables –P forward REJECT -P (Chain Target) 47
iptables command-line arguments • # Unlimited traffic on the loopback interface. • iptables -A input -i $LOOPBACK_INTERFACE -j ACCEPT • iptables -A output -o $LOOPBACK_INTERFACE -j ACCEPT • iptables -A output -o $EXTERNAL_INTERFACE -p icmp • -s $IPADDR -- icmp-type echo-request -j ACCEPT • iptables -A input -i $EXTERNAL_INTERFACE -p icmp • --icmp-type echo-reply -d $IPADDR -j ACCEPT 48
iptables command-line arguments • # HTTP Web client • iptables -A output -o $EXTERNAL_INTERFACE -p tcp • -s $IPADDR --sport $UNPRIVPORTS • --dport 80 -j ACCEPT • iptables -A input -i $EXTERNAL_INTERFACE -p tcp ! --syn • -sport 80 • -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT 49
iptables command-line arguments • iptables -A output -o $EXTERNAL_INTERFACE -p tcp • -s $IPADDR --sport $UNPRIVPORTS • --dport 443 -j ACCEPT • iptables -A input -i $EXTERNAL_INTERFACE -p tcp ! --syn • -sport 443 • -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT 50
iptables command-line arguments • # DNS client (53) • iptables -A output -o $EXTERNAL_INTERFACE -p udp • -s $IPADDR --sport $UNPRIVPORTS • -d $NAMESERVER_1--dport 53 -j ACCEPT • iptables -A input -i $EXTERNAL_INTERFACE -p udp • -s $NAMESERVER_1 --sport 53 • -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT 51

Recomendados

Firewall
FirewallFirewall
FirewallNilkanth Shingala
 
Switch security
Switch securitySwitch security
Switch securitynullowaspmumbai
 
Wpa vs Wpa2
Wpa vs Wpa2Wpa vs Wpa2
Wpa vs Wpa2Nzava Luwawa
 
Wireless LAN Design Fundamentals in the Campus
Wireless LAN Design Fundamentals in the CampusWireless LAN Design Fundamentals in the Campus
Wireless LAN Design Fundamentals in the CampusAruba, a Hewlett Packard Enterprise company
 
Static Routing
Static RoutingStatic Routing
Static RoutingKishore Kumar
 
Chassis Cluster Configuration
Chassis Cluster ConfigurationChassis Cluster Configuration
Chassis Cluster ConfigurationKashif Latif
 
Airheads Tech Talks: Understanding ClearPass OnGuard Agents
Airheads Tech Talks: Understanding ClearPass OnGuard AgentsAirheads Tech Talks: Understanding ClearPass OnGuard Agents
Airheads Tech Talks: Understanding ClearPass OnGuard AgentsAruba, a Hewlett Packard Enterprise company
 
EMEA Airheads- Layer-3 Redundancy for Mobility Master - ArubaOS 8.x
EMEA Airheads- Layer-3 Redundancy for Mobility Master - ArubaOS 8.xEMEA Airheads- Layer-3 Redundancy for Mobility Master - ArubaOS 8.x
EMEA Airheads- Layer-3 Redundancy for Mobility Master - ArubaOS 8.xAruba, a Hewlett Packard Enterprise company
 

Recomendados

Firewall
FirewallFirewall
FirewallNilkanth Shingala
 
Switch security
Switch securitySwitch security
Switch securitynullowaspmumbai
 
Wpa vs Wpa2
Wpa vs Wpa2Wpa vs Wpa2
Wpa vs Wpa2Nzava Luwawa
 
Wireless LAN Design Fundamentals in the Campus
Wireless LAN Design Fundamentals in the CampusWireless LAN Design Fundamentals in the Campus
Wireless LAN Design Fundamentals in the CampusAruba, a Hewlett Packard Enterprise company
 
Static Routing
Static RoutingStatic Routing
Static RoutingKishore Kumar
 
Chassis Cluster Configuration
Chassis Cluster ConfigurationChassis Cluster Configuration
Chassis Cluster ConfigurationKashif Latif
 
Airheads Tech Talks: Understanding ClearPass OnGuard Agents
Airheads Tech Talks: Understanding ClearPass OnGuard AgentsAirheads Tech Talks: Understanding ClearPass OnGuard Agents
Airheads Tech Talks: Understanding ClearPass OnGuard AgentsAruba, a Hewlett Packard Enterprise company
 
EMEA Airheads- Layer-3 Redundancy for Mobility Master - ArubaOS 8.x
EMEA Airheads- Layer-3 Redundancy for Mobility Master - ArubaOS 8.xEMEA Airheads- Layer-3 Redundancy for Mobility Master - ArubaOS 8.x
EMEA Airheads- Layer-3 Redundancy for Mobility Master - ArubaOS 8.xAruba, a Hewlett Packard Enterprise company
 
SS7: the bad neighbor you're stuck with during the 5G migration and far beyond
SS7: the bad neighbor you're stuck with during the 5G migration and far beyondSS7: the bad neighbor you're stuck with during the 5G migration and far beyond
SS7: the bad neighbor you're stuck with during the 5G migration and far beyondPositiveTechnologies
 
EMEA Airheads- ArubaOS - Rogue AP troubleshooting
EMEA Airheads- ArubaOS - Rogue AP troubleshootingEMEA Airheads- ArubaOS - Rogue AP troubleshooting
EMEA Airheads- ArubaOS - Rogue AP troubleshootingAruba, a Hewlett Packard Enterprise company
 
Firewall in Network Security
Firewall in Network SecurityFirewall in Network Security
Firewall in Network Securitylalithambiga kamaraj
 
Access Control List (ACL)
Access Control List (ACL)Access Control List (ACL)
Access Control List (ACL)ISMT College
 
EMEA Airheads - Aruba Remote Access Point (RAP) Troubleshooting
EMEA Airheads - Aruba Remote Access Point (RAP) TroubleshootingEMEA Airheads - Aruba Remote Access Point (RAP) Troubleshooting
EMEA Airheads - Aruba Remote Access Point (RAP) TroubleshootingAruba, a Hewlett Packard Enterprise company
 
Types Of Firewall Security
Types Of Firewall SecurityTypes Of Firewall Security
Types Of Firewall Securityiberrywifisecurity
 
Network Function Virtualization : Overview
Network Function Virtualization : OverviewNetwork Function Virtualization : Overview
Network Function Virtualization : Overviewsidneel
 
Chapter 7 Presentation
Chapter 7 PresentationChapter 7 Presentation
Chapter 7 PresentationAmy McMullin
 
FIREWALL
FIREWALL FIREWALL
FIREWALL Akash R
 
Pretty good privacy
Pretty good privacyPretty good privacy
Pretty good privacyPushkar Dutt
 
Authentication, authorization, accounting(aaa) slides
Authentication, authorization, accounting(aaa) slidesAuthentication, authorization, accounting(aaa) slides
Authentication, authorization, accounting(aaa) slidesrahul kundu
 
Optimizing Aruba WLANs for Roaming Devices
Optimizing Aruba WLANs for Roaming DevicesOptimizing Aruba WLANs for Roaming Devices
Optimizing Aruba WLANs for Roaming DevicesAruba, a Hewlett Packard Enterprise company
 
802.1x
802.1x802.1x
802.1xakruthi k
 
Wireless Cracking using Kali
Wireless Cracking using KaliWireless Cracking using Kali
Wireless Cracking using Kalin|u - The Open Security Community
 
firewall and its types
firewall and its typesfirewall and its types
firewall and its typesMohammed Maajidh
 
Air group tb 080112_final
Air group tb 080112_finalAir group tb 080112_final
Air group tb 080112_finalAruba, a Hewlett Packard Enterprise company
 
Network Security - Fortinet, Dublin June 2017
Network Security - Fortinet, Dublin June 2017Network Security - Fortinet, Dublin June 2017
Network Security - Fortinet, Dublin June 2017Novosco
 
Authentication
AuthenticationAuthentication
Authenticationprimeteacher32
 
Subnetting
SubnettingSubnetting
Subnettingswascher
 
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...BAKOTECH
 
Divyanshu.pptx
Divyanshu.pptxDivyanshu.pptx
Divyanshu.pptxDivyanshu93112
 
Firewall ( Cyber Security)
Firewall ( Cyber Security)Firewall ( Cyber Security)
Firewall ( Cyber Security)Jainam Shah
 

Más contenido relacionado

La actualidad más candente

SS7: the bad neighbor you're stuck with during the 5G migration and far beyond
SS7: the bad neighbor you're stuck with during the 5G migration and far beyondSS7: the bad neighbor you're stuck with during the 5G migration and far beyond
SS7: the bad neighbor you're stuck with during the 5G migration and far beyondPositiveTechnologies
 
Access Control List (ACL)
Access Control List (ACL)Access Control List (ACL)
Access Control List (ACL)ISMT College
 
Network Function Virtualization : Overview
Network Function Virtualization : OverviewNetwork Function Virtualization : Overview
Network Function Virtualization : Overviewsidneel
 
Chapter 7 Presentation
Chapter 7 PresentationChapter 7 Presentation
Chapter 7 PresentationAmy McMullin
 
FIREWALL
FIREWALL FIREWALL
FIREWALL Akash R
 
Pretty good privacy
Pretty good privacyPretty good privacy
Pretty good privacyPushkar Dutt
 
Authentication, authorization, accounting(aaa) slides
Authentication, authorization, accounting(aaa) slidesAuthentication, authorization, accounting(aaa) slides
Authentication, authorization, accounting(aaa) slidesrahul kundu
 
Network Security - Fortinet, Dublin June 2017
Network Security - Fortinet, Dublin June 2017Network Security - Fortinet, Dublin June 2017
Network Security - Fortinet, Dublin June 2017Novosco
 
Subnetting
SubnettingSubnetting
Subnettingswascher
 
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...BAKOTECH
 

La actualidad más candente (20)

SS7: the bad neighbor you're stuck with during the 5G migration and far beyond
SS7: the bad neighbor you're stuck with during the 5G migration and far beyondSS7: the bad neighbor you're stuck with during the 5G migration and far beyond
SS7: the bad neighbor you're stuck with during the 5G migration and far beyond
 
EMEA Airheads- ArubaOS - Rogue AP troubleshooting
EMEA Airheads- ArubaOS - Rogue AP troubleshootingEMEA Airheads- ArubaOS - Rogue AP troubleshooting
EMEA Airheads- ArubaOS - Rogue AP troubleshooting
 
Firewall in Network Security
Firewall in Network SecurityFirewall in Network Security
Firewall in Network Security
 
Access Control List (ACL)
Access Control List (ACL)Access Control List (ACL)
Access Control List (ACL)
 
EMEA Airheads - Aruba Remote Access Point (RAP) Troubleshooting
EMEA Airheads - Aruba Remote Access Point (RAP) TroubleshootingEMEA Airheads - Aruba Remote Access Point (RAP) Troubleshooting
EMEA Airheads - Aruba Remote Access Point (RAP) Troubleshooting
 
Types Of Firewall Security
Types Of Firewall SecurityTypes Of Firewall Security
Types Of Firewall Security
 
Network Function Virtualization : Overview
Network Function Virtualization : OverviewNetwork Function Virtualization : Overview
Network Function Virtualization : Overview
 
Chapter 7 Presentation
Chapter 7 PresentationChapter 7 Presentation
Chapter 7 Presentation
 
FIREWALL
FIREWALL FIREWALL
FIREWALL
 
Pretty good privacy
Pretty good privacyPretty good privacy
Pretty good privacy
 
Authentication, authorization, accounting(aaa) slides
Authentication, authorization, accounting(aaa) slidesAuthentication, authorization, accounting(aaa) slides
Authentication, authorization, accounting(aaa) slides
 
Optimizing Aruba WLANs for Roaming Devices
Optimizing Aruba WLANs for Roaming DevicesOptimizing Aruba WLANs for Roaming Devices
Optimizing Aruba WLANs for Roaming Devices
 
802.1x
802.1x802.1x
802.1x
 
Wireless Cracking using Kali
Wireless Cracking using KaliWireless Cracking using Kali
Wireless Cracking using Kali
 
firewall and its types
firewall and its typesfirewall and its types
firewall and its types
 
Air group tb 080112_final
Air group tb 080112_finalAir group tb 080112_final
Air group tb 080112_final
 
Network Security - Fortinet, Dublin June 2017
Network Security - Fortinet, Dublin June 2017Network Security - Fortinet, Dublin June 2017
Network Security - Fortinet, Dublin June 2017
 
Authentication
AuthenticationAuthentication
Authentication
 
Subnetting
SubnettingSubnetting
Subnetting
 
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
 

Similar a Lecture 4 firewalls

Firewall ( Cyber Security)
Firewall ( Cyber Security)Firewall ( Cyber Security)
Firewall ( Cyber Security)Jainam Shah
 
Cyber Security - Firewall and Packet Filters
Cyber Security - Firewall and Packet Filters Cyber Security - Firewall and Packet Filters
Cyber Security - Firewall and Packet Filters Radhika Talaviya
 
Introduction to firewalls
Introduction to firewallsIntroduction to firewalls
Introduction to firewallsDivya Jyoti
 
Network defenses
Network defensesNetwork defenses
Network defensesG Prachi
 
Unit 5.3_Firewalls (1).ppt
Unit 5.3_Firewalls (1).pptUnit 5.3_Firewalls (1).ppt
Unit 5.3_Firewalls (1).pptAnuReddy68
 
Firewalls.ppt
Firewalls.pptFirewalls.ppt
Firewalls.pptKaushal72
 
Cybersecurity cyberlab2
Cybersecurity cyberlab2Cybersecurity cyberlab2
Cybersecurity cyberlab2rayborg
 
Section c group2_firewall_ final
Section c group2_firewall_ finalSection c group2_firewall_ final
Section c group2_firewall_ finalpg13tarun_g
 
Firewall (2)
Firewall (2)Firewall (2)
Firewall (2)marghali
 
Firewalls (1).ppt
Firewalls (1).pptFirewalls (1).ppt
Firewalls (1).pptadnanetnzr
 

Similar a Lecture 4 firewalls (20)

Divyanshu.pptx
Divyanshu.pptxDivyanshu.pptx
Divyanshu.pptx
 
Firewall ( Cyber Security)
Firewall ( Cyber Security)Firewall ( Cyber Security)
Firewall ( Cyber Security)
 
Seminar
SeminarSeminar
Seminar
 
Firewall
FirewallFirewall
Firewall
 
Cyber Security - Firewall and Packet Filters
Cyber Security - Firewall and Packet Filters Cyber Security - Firewall and Packet Filters
Cyber Security - Firewall and Packet Filters
 
Firewall
FirewallFirewall
Firewall
 
Introduction to firewalls
Introduction to firewallsIntroduction to firewalls
Introduction to firewalls
 
firewall.ppt
firewall.pptfirewall.ppt
firewall.ppt
 
Network defenses
Network defensesNetwork defenses
Network defenses
 
Unit 5.3_Firewalls (1).ppt
Unit 5.3_Firewalls (1).pptUnit 5.3_Firewalls (1).ppt
Unit 5.3_Firewalls (1).ppt
 
Firewalls.ppt
Firewalls.pptFirewalls.ppt
Firewalls.ppt
 
Cybersecurity cyberlab2
Cybersecurity cyberlab2Cybersecurity cyberlab2
Cybersecurity cyberlab2
 
Advance firewalls
Advance firewallsAdvance firewalls
Advance firewalls
 
Section c group2_firewall_ final
Section c group2_firewall_ finalSection c group2_firewall_ final
Section c group2_firewall_ final
 
Firewall (2)
Firewall (2)Firewall (2)
Firewall (2)
 
Firewalls.ppt
Firewalls.pptFirewalls.ppt
Firewalls.ppt
 
[9] Firewall.pdf
[9] Firewall.pdf[9] Firewall.pdf
[9] Firewall.pdf
 
Firewalls.ppt
Firewalls.pptFirewalls.ppt
Firewalls.ppt
 
Firewalls.ppt
Firewalls.pptFirewalls.ppt
Firewalls.ppt
 
Firewalls (1).ppt
Firewalls (1).pptFirewalls (1).ppt
Firewalls (1).ppt
 

Más de rajakhurram

Malicious software
Malicious softwareMalicious software
Malicious softwarerajakhurram
 
Lecture malicious software
Lecture malicious softwareLecture malicious software
Lecture malicious softwarerajakhurram
 
Lecture 12 malicious software
Lecture 12 malicious software Lecture 12 malicious software
Lecture 12 malicious software rajakhurram
 
Lecture 11 wifi security
Lecture 11 wifi securityLecture 11 wifi security
Lecture 11 wifi securityrajakhurram
 
Lecture 10 intruders
Lecture 10 intrudersLecture 10 intruders
Lecture 10 intrudersrajakhurram
 
Lecture 9 key distribution and user authentication
Lecture 9 key distribution and user authentication Lecture 9 key distribution and user authentication
Lecture 9 key distribution and user authentication rajakhurram
 
Lecture 7 certificates
Lecture 7 certificatesLecture 7 certificates
Lecture 7 certificatesrajakhurram
 
Lecture 6 web security
Lecture 6 web securityLecture 6 web security
Lecture 6 web securityrajakhurram
 
Lecture 5 ip security
Lecture 5 ip securityLecture 5 ip security
Lecture 5 ip securityrajakhurram
 
Lecture 3b public key_encryption
Lecture 3b public key_encryptionLecture 3b public key_encryption
Lecture 3b public key_encryptionrajakhurram
 
Lecture3a symmetric encryption
Lecture3a symmetric encryptionLecture3a symmetric encryption
Lecture3a symmetric encryptionrajakhurram
 
Lecture2 network attack
Lecture2 network attackLecture2 network attack
Lecture2 network attackrajakhurram
 
Lecture1 Introduction
Lecture1 Introduction Lecture1 Introduction
Lecture1 Introduction rajakhurram
 
Lecture 8 mail security
Lecture 8 mail securityLecture 8 mail security
Lecture 8 mail securityrajakhurram
 

Más de rajakhurram (14)

Malicious software
Malicious softwareMalicious software
Malicious software
 
Lecture malicious software
Lecture malicious softwareLecture malicious software
Lecture malicious software
 
Lecture 12 malicious software
Lecture 12 malicious software Lecture 12 malicious software
Lecture 12 malicious software
 
Lecture 11 wifi security
Lecture 11 wifi securityLecture 11 wifi security
Lecture 11 wifi security
 
Lecture 10 intruders
Lecture 10 intrudersLecture 10 intruders
Lecture 10 intruders
 
Lecture 9 key distribution and user authentication
Lecture 9 key distribution and user authentication Lecture 9 key distribution and user authentication
Lecture 9 key distribution and user authentication
 
Lecture 7 certificates
Lecture 7 certificatesLecture 7 certificates
Lecture 7 certificates
 
Lecture 6 web security
Lecture 6 web securityLecture 6 web security
Lecture 6 web security
 
Lecture 5 ip security
Lecture 5 ip securityLecture 5 ip security
Lecture 5 ip security
 
Lecture 3b public key_encryption
Lecture 3b public key_encryptionLecture 3b public key_encryption
Lecture 3b public key_encryption
 
Lecture3a symmetric encryption
Lecture3a symmetric encryptionLecture3a symmetric encryption
Lecture3a symmetric encryption
 
Lecture2 network attack
Lecture2 network attackLecture2 network attack
Lecture2 network attack
 
Lecture1 Introduction
Lecture1 Introduction Lecture1 Introduction
Lecture1 Introduction
 
Lecture 8 mail security
Lecture 8 mail securityLecture 8 mail security
Lecture 8 mail security
 

Último

Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docxPoojaSen20
 
9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room servicediscovermytutordmt
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpinRaunakKeshri1
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajanpragatimahajan3
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphThiyagu K
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104misteraugie
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfchloefrazer622
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesFatimaKhan178732
 

Último (20)

Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docx
 
9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpin
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajan
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdf
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and Actinides
 

Lecture 4 firewalls

  • 2. The function of a strong position is to make the forces holding it practically unassailable. - On War,Carl Von Clausewitz 2
  • 3. Contents • Firewall  Characteristics  Types • Firewall Basing  Bastion Host  Host Based  Personal Firewall • Firewall Location and Configurations 3
  • 4. Firewalls : Need • Effective means of protection a local system or network of systems from network-based security threats while affording access to the outside world via WAN`s or the Internet • The firewall is inserted between the premises network and the Internet • Aims:  Establish a controlled link  Protect the premises network from Internet-based attacks  Provide a single choke point 4 ET1318 - Network Security
  • 5. Design goals • All traffic from inside to outside must pass through the firewall (physically blocking all access to the local network except via the firewall) • Only authorized traffic (defined by the local security policy) will be allowed to pass • The firewall itself is immune to penetration (use of trusted system with a secure operating system) 5
  • 6. Characteristics: Access Control • 4 general techniques: III. Service control  Determines the types of Internet services that can be accessed, inbound or outbound IV. Direction control  Determines the direction in which particular service requests are allowed to flow V. User control  Controls access to a service according to which user is attempting to access it VI. Behavior control  Controls how particular services are used (e.g. filter e-mail) 6
  • 7. Characteristics: Capabilities & Limitations • Capabilities  Single Choke  Prohibit potentially vulnerable services from entering or leaving the network  Provides protection from attacks (different kinds)  Provide a location for monitoring security-related events • Limitations  Can not protect against attacks that bypass firewall  May not protect fully against internal threats  Can not secure improperly secured wireless LAN  Can not secure adhoc systems which are already infected 7
  • 8. Types of Firewalls • 4 common types of Firewalls:  Packet-filtering routers  Stateful Inspection Firewalls  Application-level gateways  Circuit-level gateways 8
  • 9. Types of Firewalls • Packet-filtering 9
  • 10. Packet-filtering • Applies a set of rules to each incoming IP packet and then forwards or discards the packet • Filter packets going in both directions • The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header • Two default policies (discard or forward) 10
  • 11. Packet-filtering  Advantages:  Simplicity  Transparency to users  High speed  Disadvantages:  Difficulty of setting up packet filter rules  Lack of Authentication  Possible attacks and appropriate countermeasures  IP address spoofing  Source routing attacks  Tiny fragment attacks 11
  • 13. Types of Firewalls • Stateful Inspection Firewall  Most standard applications that run on top of TCP follow client server model  Creates a directory of outbound TCP connections. – An entry for each currently established connection.  Reviews same packet information as packet filtering firewall but also records information about TCP connections  Can keep track TCP sequence number. 13
  • 15. Types of Firewalls II • Application-level Gateway 15
  • 16. Application-level Gateway • Application-level Gateway – Also called proxy server – Acts as a relay of application-level traffic • Advantages: – Higher security than packet filters – Only need to scrutinise a few allowable applications – Easy to log and audit all incoming traffic • Disadvantages: – Additional processing overhead on each connection (gateway as splice point) 16
  • 17. Types of Firewalls III • Circuit-level Gateway 17
  • 18. Circuit-level Gateway • Circuit-level Gateway  Stand-alone system or  Specialised function performed by an Application-level Gateway  Sets up two TCP connections  The gateway typically relays TCP segments from one connection to the other without examining the contents  The security function consists of determining which connections will be allowed  Typically use is a situation in which the system administrator trusts the internal users  An example is the SOCKS package 18
  • 21. Bastion Host • Bastion Host  A system identified by the firewall administrator as a critical strong point in the network´s security – Hardware with its own secured version of OS – Only allowable services are installed – May require additional authentication from users for accessing services.  The bastion host serves as a platform for an application-level or circuit-level gateway 21
  • 22. Host-Based Firewalls • Software Module used to secure an individual host.  Commonly available in OS  Filter and restrict flow of packets  Common location : Server • Advantages  Rules can be tailored  Independent of topology  As independent firewall, may provide extra layer of protection without changing the existing network 22
  • 23. Personal Firewall • Controls traffic between a personal computer or workstation • May be used in home and in enterprise both • Less complex as primary goal is to deny unauthorized remote access • Can also monitor outgoing activity 23
  • 25. Firewall Configurations  Greater security than single configurations because of two reasons:  This configuration implements both packet-level and application-level filtering (allowing for flexibility in defining security policy)  An intruder must generally penetrate two separate systems  This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server) 25
  • 26. Screened host firewall • Screened host firewall system (single-homed bastion host) • Screened host firewall, single-homed bastion configuration • Firewall consists of two systems:  A packet-filtering router  A bastion host 26
  • 27. Firewall Configurations  Screened host firewall system (dual-homed bastion host)  Screened host firewall, dual-homed bastion configuration – The packet-filtering router is not completely compromised – Traffic between the Internet and other hosts on the private network has to flow through the bastion host 27
  • 28. Firewall Configurations  Screened-subnet firewall system  Screened subnet firewall configuration – Most secure configuration of the three – Two packet-filtering routers are used – Creation of an isolated sub-network 28
  • 29. Firewall Configurations  Advantages:  Three levels of defense to thwart intruders  The outside router advertises only the existence of the screened subnet to the Internet (internal network is invisible to the Internet)  The inside router advertises only the existence of the screened subnet to the internal network (the systems on the inside network cannot construct direct routes to the Internet) 29
  • 31. Demilitarized zone (DMZ) • Usage of firewalls to create a “no mans land” for services that should be accessible from the external network 31
  • 34. Trusted Systems & Data Access Control  One way to enhance the ability of a system to defend against intruders and malicious programs is to implement trusted system technology  Data Access control • Through the user access control procedure (log on), a user can be identified to the system • Associated with each user, there can be a profile that specifies permissible operations and file accesses • The operation system can enforce rules based on the user profile  General models of access control: – Access matrix – Access control list – Capability list 34
  • 35. Data Access Control  Access Matrix: Basic elements of the model  Subject: An entity capable of accessing objects, the concept of subject equates with that of process  Object: Anything to which access is controlled (e.g. files, programs)  Access right: The way in which an object is accessed by a subject (e.g. read, write, execute)  Access Control List – An access control list lists users and their permitted access right – The list may contain a default or public entry  Capability list – A capability ticket specifies authorised objects and operations for a user – Each user have a number of tickets 35
  • 36. The Concept of Trusted Systems  Trusted Systems  Protection of data and resources on the basis of levels of security (e.g. military)  Users can be granted clearances to access certain categories of data  Multilevel security  Definition of multiple categories or levels of data  A multilevel secure system must enforce:  No read up: A subject can only read an object of less or equal security level (Simple Security Property)  No write down: A subject can only write into an object of greater or equal security level (*-Property)  (Please read the concepts of Bell—LaPadula Confidentiality Model and Biba Integrity Model (Important Reading Assignment) (http://en.wikibooks.org/wiki/Security_Architecture_and_Design/Security_Models) 36
  • 37. The Concept of Trusted Systems II  Reference Monitor  Controlling element in the hardware and operating system of a computer that regulates the access of subjects to objects on basis of security parameters  The monitor has access to a file (security kernel database)  The monitor enforces the security rules (no read up, no write down)  Properties of the Reference Monitor  Complete mediation: Security rules are enforced on every access  Isolation: The reference monitor and database are protected from unauthorised modification  Verifiability: The reference monitor’s correctness must be provable (mathematically) 37
  • 39. iptables • Firewall administration program • Implemented within the operating system • Works at the IP network and Transport Protocol Layers • Protects the system by making routing decisions after filtering packets based on information in the IP packet header • Consists of a list of acceptance and denial rules • The rules are stored in kernel tables, in an input output or forward chain 39
  • 40. Packet-Filtering Concepts • Rules based on:  Specific NIC  Host IP address  Network layer´s source and destination IP addresses  The transport layer´s TCP and UDP service ports  TCP connection flags  The network layer´s ICMP message types  Whether the packet is incoming or outgoing The order in which the rules are defined is important 40
  • 41. Tables 1. filter table - responsible for filtering - default table  INPUT chain - All packets arriving into the system go through this chain.  OUTPUT chain - All packets leaving the system go through this chain.  FORWARD chain - All packets passing through the system (being routed) go through this chain. 2. nat table - responsible for rewriting packet addresses or ports. consulted when a packet that creates a new connection is encountered  PREROUTING chain - Incoming packets pass through this chain before the local routing table is consulted, primarily for DNAT (destination-NAT).  POSTROUTING chain - Outgoing packets pass through this chain after the routing decision has been made, primarily for SNAT (source-NAT). • mangle table - responsible for adjusting packet options, such as quality of service. (Reading Assignment)  PREROUTING chain.  INPUT chain.  FORWARD chain.  OUTPUT chain. 41  POSTROUTING chain.
  • 42. Firewall Characteristics  The list of rules rules defining what can come in and what can go out are called chains Network Interface  2 chains:  Input chain Incoming packet Match rule3?  Output chain Input chain  ( Forward chain ) No Match rule1? Match rule2? No No Match rule2? Match rule1? No Output chain Match rule3? Outgoing packet 42
  • 43. Default Packet-filering policy  Each chain has a default policy  If the packet doesn’t match any rule the default policy is applied  2 basic approaches to a firewall: 1. Deny everything by default and explicitly allow selected packets through 2. Accept everything by default and explicitly deny selected packets through 43
  • 44. Deny-everything-by-default policy Incoming packet FW chain Match rule1? Yes Accept No Match rule2? Yes Accept No Match rule3? Yes Accept No Policy: DENY 44
  • 45. Accept-everything-by-default policy Incoming packet FW chain Match rule1? Yes Deny No Match rule2? Yes Deny No Match rule3? Yes Deny No Policy: ACCEPT 45
  • 46. Reject vs Deny Firewall mechanism gives you the option of either rejecting or denying packets Return error Discard to sender Yes Yes Reject? Deny? Packet No No 46
  • 47. iptables command-line arguments • iptables – A|I|D [chain] [-i interface] [-p protocol] [ [!] --syn] • [-s address [ port [:port] ] ] • [-d adress [ port [:port] ] ] • -j policy [ -l] A | I | S : Append |Insert |Delete • #Set the default policy to deny • iptables –P input DENY • iptables –P output REJECT • iptables –P forward REJECT -P (Chain Target) 47
  • 48. iptables command-line arguments • # Unlimited traffic on the loopback interface. • iptables -A input -i $LOOPBACK_INTERFACE -j ACCEPT • iptables -A output -o $LOOPBACK_INTERFACE -j ACCEPT • iptables -A output -o $EXTERNAL_INTERFACE -p icmp • -s $IPADDR -- icmp-type echo-request -j ACCEPT • iptables -A input -i $EXTERNAL_INTERFACE -p icmp • --icmp-type echo-reply -d $IPADDR -j ACCEPT 48
  • 49. iptables command-line arguments • # HTTP Web client • iptables -A output -o $EXTERNAL_INTERFACE -p tcp • -s $IPADDR --sport $UNPRIVPORTS • --dport 80 -j ACCEPT • iptables -A input -i $EXTERNAL_INTERFACE -p tcp ! --syn • -sport 80 • -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT 49
  • 50. iptables command-line arguments • iptables -A output -o $EXTERNAL_INTERFACE -p tcp • -s $IPADDR --sport $UNPRIVPORTS • --dport 443 -j ACCEPT • iptables -A input -i $EXTERNAL_INTERFACE -p tcp ! --syn • -sport 443 • -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT 50
  • 51. iptables command-line arguments • # DNS client (53) • iptables -A output -o $EXTERNAL_INTERFACE -p udp • -s $IPADDR --sport $UNPRIVPORTS • -d $NAMESERVER_1--dport 53 -j ACCEPT • iptables -A input -i $EXTERNAL_INTERFACE -p udp • -s $NAMESERVER_1 --sport 53 • -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT 51