Firewall arch by Tareq Hanaysha
    Presentation Transcript

    • Term Project Presentation by: Hitesh, Arjun, Kingsley, Tareq. ISSM564-Firewall Fundamentals 1
    • In our presentation we will introduce:
      1. Our network and firewall architecture.
      2. The public DMZ and the first packet filter.
      3. A brief explanation of our private DMZ.
      4. Our internal network, the possible attacks, and the rules we will use in our packet filter's iptables to harden our network and system against these attacks.
    • Network Diagram
    • What is a packet filter? Packet filtering is a network security mechanism that works by controlling what data can flow to and from a network.
    • Advantages of using a packet filter
      Easy to install: packet filters make use of current network routers, so implementing a packet filter security system is typically less complicated than other network security solutions.
      Supports high speed: with simple network configurations, packet filters can be fast. Since there is a direct connection between internal users and external hosts, data can be transmitted at high speeds.
      Makes security transparent to end-users: because packet filters work at the level of the network router, filtering is transparent to the end-user. That makes using client applications much easier.
    • Public DMZ
      Server       Port   IP address
      HTTP         80     192.168.10.2
      DNS          53     192.168.10.3
      SMTP/Relay   25     192.168.10.4
    • Private DMZ
      A proxy server is a server that services the requests of its clients by forwarding them to other servers. A client connects to the proxy server requesting a service, such as a file, a connection, or a web page, from a different server.
      A transparent proxy is a proxy that does not modify the request or the response beyond what is required for proxy authentication and identification.
    • Packet Filter 1 In our topology no direct traffic is allowed from global internet to the internal network:  ##Traffic from the internet to the public DMZ ##  $iptables -A UNTRUSTED_NET -o $public_dmz -d $public_dmz_http_ipaddr -p  tcp --destination-port 80 -m state --state NEW -j ACCEPT  $iptables -A UNTRUSTED_NET -o $public_dmz -d $public_dmz_dns_ipaddr -p  udp --destination-port 53 -m state --state NEW -j ACCEPT  $iptables -A UNTRUSTED_NET -o $public_dmz -d $public_dmz_smtp_ipaddr -p  tcp --destination-port 25 -m state --state NEW -j ACCEPT  Traffic is go through global internet through public DMZ and internal network to private DMZ. ISSM564-Firewall Fundamentals 8
    • Packet Filter 1 Traffic is go through global internet through public DMZ and internal network to private DMZ: ####### Traffic from the internet to the private DMZ $iptables -A UNTRUSTED_NET -o $private_dmz_pf1 -d $private_dmz_nwaddr  -j DROP ISSM564-Firewall Fundamentals 9
    • Tweaks we will use to prevent possible attacks : Disabling IP Spoofing attacks: IP spoofing is one of the most common forms of on-line camouflage. In IP spoofing, an attacker gains unauthorized access to a computer or a network by making it appear that a malicious message has come from a trusted machine by “spoofing” the IP address of that machine. echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter ISSM564-Firewall Fundamentals 10
    • Tweaks we will use to prevent possible attacks : Disabling IP Smurfing attacks: IP Smurfing is a form of network "attack" that can result in such a large traffic load on your wide-area Internet connection that you may be denied service across this link. This form of attack is also called a Denial of Service attack (DoS Attack), This can be limited by setting timeouts. echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout ISSM564-Firewall Fundamentals 11
    • Tweaks we will use to prevent possible attacks : Block Source Routing: Source routing allows the sender of the packet to specify the route that a packet must take in traveling to the destination. So Its better to block source routing from the Gateway itself to prevent discovering the IP addresses of routers within our network. echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route ISSM564-Firewall Fundamentals 12
    • Tweaks we will use to prevent possible attacks : Disable all redirection requests in Gateway machine: echo 0 >/proc/sys/net/ipv4/conf/all/accept_redirects The below command enables bad error message protection echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ISSM564-Firewall Fundamentals 13
    • Tweaks we will use to prevent possible attacks :  Basic Rules of a typical Firewall:  Kill INVALID packets with illegal combination flags.  $IPTABLES -A INPUT -m state --state INVALID -j DROP $IPTABLES -A FORWARD -m state --state             INVALID -j DROP No restrictions to connections from localhost $IPTABLES -A INPUT -i lo -j ACCEPT Reject connections from Outside world to Internal loop back device. $IPTABLES -A INPUT -d 127.0.0.0/8 -j REJECT No restrictions for traffic generating from legit internal addresses $IPTABLES -A INPUT -i $INTERNALIF -s $INTERNALNET -j ACCEPT Incase we have to use IPv6 addresses in your environment uncomment the below line: #$IPTABLES -A INPUT -p ipv6 -j ACCEPT Kill all packets from Outside world claiming to be packets generated from Internal network. $IPTABLES -A INPUT -i $EXTERNALIF -s $INTERNALNET -j REJECT Block ICMP requests. $IPTABLES -A FORWARD -p icmp --icmp-type echo-request -o $INTERNALIF -j REJECT ISSM564-Firewall Fundamentals 14
    • Tweaks we will use to prevent possible attacks : Trying to prevent SYN flood attacks:  A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system.  One of most important steps is to enable the operating system's built-in protection mechanisms like SYN cookies. In Linux, we can set the SYN Cookies in the following manner.  echo 1 > /proc/sys/net/ipv4/tcp_syncookies  Disable all redirection requests in Gateway machine:  echo 0 >/proc/sys/net/ipv4/conf/all/accept_redirects  The below command enables bad error message protection  echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ISSM564-Firewall Fundamentals 15
    • Tweaks we will use to prevent possible attacks : Prevent Ping flood attacks: $IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP ISSM564-Firewall Fundamentals 16