Transcript of "Firewalls ppt"

  1. Poor Man’s Firewall
     - A firewall that can be set up and implemented with a minimum amount of time and money.
  2. Why do I need one?
     - A Windows server cannot be secured as it stands. Don’t believe anyone who tells you otherwise.
     - MSSQL server should never be placed directly on the Internet.
     - And yes, some people do have too much time on their hands. Anyone remember the Blaster worm?
  3. OSI Model Lower Layers
     - Lower layers provide more primitive network-specific functions like routing, addressing, and flow control.
     - Layer II - Data Link Layer of the OSI Model
     - Layer III - Network Layer of the OSI Model
  4. Switch/Hub (Layer II)
     - Switches and hubs are used to connect various devices to a network.
     - Switches are intelligent: they look at the source and destination of each packet and forward it to the appropriate switch port.
     - Hubs are dumb devices that present a copy of each packet they see to every other port on the device.
  5. Bridge (Layer II)
     - A device that can be used to segment Local Area Networks (LANs).
     - They can be used to control the traffic going between two network segments based on Ethernet addresses.
     - They are essentially transparent devices; a bridge could be replaced with a cross-over cable.
  6. Router (Layer III)
     - A network device used for connecting different networks together.
     - They are responsible for intelligently routing packets based on IP address.
  7. Firewall
     - A firewall filters packets based on a set of filter rules.
     - Packets that pass the rule set are forwarded through the firewall from one network interface to another. Packets that don’t are dropped.
     - Firewalls can be either software or hardware based.
  8. Bridging Mode Firewalls
     - A bridge that allows you to filter the packets that pass through its interfaces.
     - Can be placed anywhere in an existing network without disrupting existing services.
     - Transparent to your servers.
  9. Linux – Bridging Mode Firewall
     - A software based firewall that uses Linux as the operating system.
     - The software is free.
     - Relatively easy to set up.
     - Can run on old hardware.
  10. Software Needed
     - Iptables – software that filters IP based traffic based on a set of rules.
     - Ebtables – software that allows Iptables to see the packets as they go through the bridge interface.
     - Bridge-Utils – software that allows you to create the bridge.
  11. Hardware Needed
     - Any old Pentium based computer
     - 128MB of RAM
     - ~1GB hard drive
     - 2 network cards (minimum)
  12. Example Bridge Script

     #!/bin/bash
     # /etc/rc.d/init.d/bridge
     BRCTL=/usr/sbin/brctl
     IFCONFIG=/sbin/ifconfig
     # $rc_done / $rc_failed are the status strings of SUSE-style init scripts;
     # they are assumed to come from /etc/rc.status, with plain fallbacks otherwise
     if [ -r /etc/rc.status ]; then . /etc/rc.status; else rc_done="done"; rc_failed="failed"; fi
     return=$rc_done
     case "$1" in
     start)
         echo "Starting service bridge br0"
         # Create bridge interface
         $BRCTL addbr br0 || return=$rc_failed
         # Turn Spanning Tree Protocol off
         $BRCTL stp br0 off || return=$rc_failed
         # Add interfaces to bridge
         $BRCTL addif br0 eth1 || return=$rc_failed
         $BRCTL addif br0 eth2 || return=$rc_failed
         # Reset to clean state
         $IFCONFIG eth1 down || return=$rc_failed
         $IFCONFIG eth2 down || return=$rc_failed
         # Set interfaces to promiscuous mode with no IP address (the bridge is transparent)
         $IFCONFIG eth1 0.0.0.0 promisc || return=$rc_failed
         $IFCONFIG eth2 0.0.0.0 promisc || return=$rc_failed
         # Bring bridge interface up
         $IFCONFIG br0 promisc up || return=$rc_failed
         $BRCTL show
         echo -e "$return"
         ;;
     stop)
         echo "Shutting down service bridge br0"
         $IFCONFIG br0 down || return=$rc_failed
         $BRCTL delif br0 eth1 || return=$rc_failed
         $BRCTL delif br0 eth2 || return=$rc_failed
         $BRCTL delbr br0 || return=$rc_failed
         echo -e "$return"
         ;;
     status)
         $IFCONFIG br0
         $BRCTL show
         ;;
     restart)
         $0 stop && $0 start || return=$rc_failed
         ;;
     *)
         echo "Usage: $0 {start|stop|status|restart}"
         exit 1
         ;;
     esac
     test "$return" = "$rc_done" || exit 1
     exit 0
  13. Example Filter Rules

     #!/bin/bash
     # Example Firewall Script
     IPTABLES="/sbin/iptables -v"
     # Any Subnet
     ANY=0.0.0.0/0
     # ILLIAD Server (placeholder address as given on the slide; 456 is not a
     # valid IPv4 octet, so substitute the real server address)
     ILLIAD=128.193.123.456
     #### Flush all rules
     $IPTABLES -F
     # Delete all user created chains
     $IPTABLES -X
     # Zero all byte counters
     $IPTABLES -Z
     # Drop all packets without a rule
     $IPTABLES -P FORWARD DROP
     # loopback interface (loopback traffic never traverses FORWARD on a bridge; kept from the slide)
     $IPTABLES -A FORWARD -i lo -j ACCEPT
     # Syn-flood protection: accept at most one SYN per second (to any port, not only 80);
     # SYNs over the limit fall through to the DROP policy
     $IPTABLES -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
     # Ping of death: rate-limit echo requests the same way
     $IPTABLES -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
     # HTTP: the ILLIAD server may open connections to port 80 anywhere...
     $IPTABLES -A FORWARD -s $ILLIAD -d $ANY -p tcp --dport 80 -m state --state NEW -j ACCEPT
     # ...and replies from port 80 may come back to it
     $IPTABLES -A FORWARD -s $ANY -d $ILLIAD -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
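The bridge script and filter script on slides 12 and 13 are the whole setup. As an added example that is not part of the slide deck, the POSIX shell script below generates and applies a FORWARD rule set for the same br0/eth1/eth2 bridge with the ordering a practitioner wants: ESTABLISHED,RELATED traffic accepted first so the rate limits only ever see new connections, INVALID packets dropped, and `-m physdev --physdev-in` used to tie each rule to the bridge port a frame arrived on. The server address 192.0.2.10, the 25/s limit and all function names are constructed for this example; eth1 is assumed to face the outside and eth2 the server. On kernels where bridge filtering lives in the br_netfilter module, iptables only sees bridged frames once net.bridge.bridge-nf-call-iptables is set to 1, which apply_rules does before loading rules. Setting IPTABLES=echo SYSCTL=echo gives a dry run that prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the slides): ordered bridge-mode FORWARD rules
# with a dry-run mode. Names, address and limits below are constructed.
IPTABLES="${IPTABLES:-/sbin/iptables}"   # IPTABLES=echo for a dry run
SYSCTL="${SYSCTL:-/sbin/sysctl}"         # SYSCTL=echo for a dry run
SERVER="${SERVER:-192.0.2.10}"           # placeholder server address (TEST-NET-1)
OUTSIDE_IF=eth1                          # bridge port facing the Internet
SERVER_IF=eth2                           # bridge port facing the server

# emit_rules prints one iptables argument list per line, in the order in
# which they must be loaded. The heredoc is the single source of truth so the
# same text can be inspected (dry run) or applied.
emit_rules() {
    cat <<EOF
-F FORWARD
-P FORWARD DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A FORWARD -p icmp --icmp-type echo-request -j DROP
-A FORWARD -m physdev --physdev-in $OUTSIDE_IF -d $SERVER -p tcp --dport 80 -m state --state NEW -m limit --limit 25/s --limit-burst 50 -j ACCEPT
-A FORWARD -m physdev --physdev-in $SERVER_IF -s $SERVER -p tcp --dport 80 -m state --state NEW -j ACCEPT
EOF
}

# rule_count returns how many rule lines emit_rules produces (whitespace
# stripped because some wc implementations pad the number).
rule_count() {
    emit_rules | wc -l | tr -d ' '
}

# check_order succeeds only if the stateful ESTABLISHED accept precedes the
# first rule that admits NEW connections; otherwise the rate limits would
# also throttle packets of connections already allowed through.
check_order() {
    est=$(emit_rules | grep -n -- '--state ESTABLISHED' | head -1 | cut -d: -f1)
    new=$(emit_rules | grep -n -- '--state NEW' | head -1 | cut -d: -f1)
    [ -n "$est" ] && [ -n "$new" ] && [ "$est" -lt "$new" ]
}

# apply_rules makes the bridge hand frames to iptables, then loads each rule.
# A failing command aborts the load so a half-applied rule set is noticed.
apply_rules() {
    $SYSCTL -w net.bridge.bridge-nf-call-iptables=1 || return 1
    emit_rules | while read -r rule; do
        # word splitting of $rule is intended: each line is an argument list
        $IPTABLES $rule || exit 1
    done
}

# Only act when invoked with an explicit verb, so the file can also be sourced.
case "${1-}" in
    apply)   check_order && apply_rules ;;
    dry-run) IPTABLES=echo; SYSCTL=echo; apply_rules ;;
esac
```

Usage: `sh bridge-fw.sh dry-run` prints the nine commands that `sh bridge-fw.sh apply` would execute as root. The ICMP drop after the rate-limited accept makes the ping limit explicit rather than relying on the chain policy, and the inbound port-80 rule is the only place a limit is applied, so reply traffic is never throttled.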
  14. Useful Application
     - Ethereal – a powerful network protocol/packet analyzer that can be used to aid in the development of your filter rules.
  15. Resources
     - Linux bridging how-to: http://bridge.sourceforge.net
     - Ebtables: http://ebtables.sourceforge.net
     - Ethereal: http://www.ethereal.com/