Firewall arch by Tareq Hanaysha
Firewall arch by Tareq Hanaysha Presentation Transcript

  • 1. Term Project Presentation by: Hitesh, Arjun, Kingsley, Tareq. ISSM564-Firewall Fundamentals
  • 2. In our presentation we will introduce:
    1. Our network and firewall architecture.
    2. Then we will go over the public DMZ and the first packet filter.
    3. Last but not least we will give a brief explanation of our private DMZ.
    4. Finally we will introduce our internal network with the possible attacks and the rules we will use in our packet filter's iptables to harden our network and system against these attacks.
  • 3. Network Diagram (figure; not reproduced in the transcript)
  • 4. What is a packet filter? Packet filtering is a network security mechanism that works by controlling what data can flow to and from a network.
  • 5. Advantages of using a Packet Filter
    Easy to install: Packet filters make use of current network routers. Therefore implementing a packet filter security system is typically less complicated than other network security solutions.
    Supports high speed: With simple network configurations, packet filters can be fast. Since there is a direct connection between internal users and external hosts, data can be transmitted at high speeds.
    Makes security transparent to end-users: Because packet filters work at the level of the network router, filtering is transparent to the end-user. That makes using client applications much easier.
  • 6. Public DMZ
    Server        Port   IP address
    HTTP          80     192.168.10.2
    DNS           53     192.168.10.3
    SMTP/Relay    25     192.168.10.4
  • 7. Private DMZ
    A proxy server is a server which services the requests of its clients by forwarding those requests to other servers. A client connects to the proxy server requesting a service such as a file, a connection or a web page from a different server.
    A transparent proxy is a proxy that does not modify the request or the response beyond what is required for proxy authentication and identification.
  • 8. Packet Filter 1
    In our topology no direct traffic is allowed from the global Internet to the internal network:
    ## Traffic from the internet to the public DMZ ##
    $iptables -A UNTRUSTED_NET -o $public_dmz -d $public_dmz_http_ipaddr -p tcp --destination-port 80 -m state --state NEW -j ACCEPT
    $iptables -A UNTRUSTED_NET -o $public_dmz -d $public_dmz_dns_ipaddr -p udp --destination-port 53 -m state --state NEW -j ACCEPT
    $iptables -A UNTRUSTED_NET -o $public_dmz -d $public_dmz_smtp_ipaddr -p tcp --destination-port 25 -m state --state NEW -j ACCEPT
    Traffic from the global Internet passes through the public DMZ and the internal network on its way to the private DMZ.
  • 9. Packet Filter 1
    Traffic from the global Internet passes through the public DMZ and the internal network on its way to the private DMZ; direct traffic to the private DMZ is dropped:
    ####### Traffic from the internet to the private DMZ
    $iptables -A UNTRUSTED_NET -o $private_dmz_pf1 -d $private_dmz_nwaddr -j DROP
  • 10. Tweaks we will use to prevent possible attacks: Disabling IP spoofing attacks
    IP spoofing is one of the most common forms of on-line camouflage. In IP spoofing, an attacker gains unauthorized access to a computer or a network by making it appear that a malicious message has come from a trusted machine by "spoofing" the IP address of that machine.
    echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
  • 11. Tweaks we will use to prevent possible attacks: Disabling IP smurfing attacks
    IP smurfing is a form of network "attack" that can result in such a large traffic load on your wide-area Internet connection that you may be denied service across this link. This form of attack is also called a Denial of Service attack (DoS attack). Its impact can be limited by setting timeouts.
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
    echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
  • 12. Tweaks we will use to prevent possible attacks: Block source routing
    Source routing allows the sender of a packet to specify the route that the packet must take in traveling to its destination. So it is better to block source routing at the gateway itself, to prevent discovery of the IP addresses of routers within our network.
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
  • 13. Tweaks we will use to prevent possible attacks: Disable all redirection requests on the gateway machine
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
    The command below enables bad error message protection:
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  • 14. Tweaks we will use to prevent possible attacks: Basic rules of a typical firewall
    Kill INVALID packets with illegal flag combinations:
    $IPTABLES -A INPUT -m state --state INVALID -j DROP
    $IPTABLES -A FORWARD -m state --state INVALID -j DROP
    No restrictions on connections from localhost:
    $IPTABLES -A INPUT -i lo -j ACCEPT
    Reject connections from the outside world to the internal loopback device:
    $IPTABLES -A INPUT -d 127.0.0.0/8 -j REJECT
    No restrictions on traffic originating from legitimate internal addresses:
    $IPTABLES -A INPUT -i $INTERNALIF -s $INTERNALNET -j ACCEPT
    In case you have to use IPv6 addresses in your environment, uncomment the line below:
    #$IPTABLES -A INPUT -p ipv6 -j ACCEPT
    Kill all packets from the outside world claiming to be packets generated from the internal network:
    $IPTABLES -A INPUT -i $EXTERNALIF -s $INTERNALNET -j REJECT
    Block ICMP echo requests:
    $IPTABLES -A FORWARD -p icmp --icmp-type echo-request -o $INTERNALIF -j REJECT
  • 15. Tweaks we will use to prevent possible attacks: Trying to prevent SYN flood attacks
    A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target system. One of the most important steps is to enable the operating system's built-in protection mechanisms such as SYN cookies. In Linux, we can enable SYN cookies in the following manner:
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
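    An added audit script for the /proc/sys settings from slides 10 to 13 and 15; it is not part of the presentation. It lists each expected value next to the value the kernel actually has, so drift from the hardening baseline shows up as MISMATCH or MISSING, and it can emit the equivalent sysctl -w commands. The path layout under /proc/sys/net/ipv4 is the kernel's own; the ability to point the audit at another directory (for checking a copied tree offline) and the dry-run default for applying settings are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the slides: audit the IPv4 kernel settings the
# presentation sets (slides 10-13 and 15) and report drift.
set -u

# "relative path under /proc/sys/net/ipv4  expected value", one per line,
# taken from the echo commands on the slides
expected_settings() {
    cat <<'EOF'
conf/all/rp_filter 2
icmp_echo_ignore_broadcasts 1
tcp_keepalive_time 1800
tcp_fin_timeout 30
conf/all/accept_source_route 0
conf/all/accept_redirects 0
icmp_ignore_bogus_error_responses 1
tcp_syncookies 1
EOF
}

# audit_ipv4_sysctl [ROOT]
# Compares each expected value with ROOT/sys/net/ipv4/<key> (ROOT defaults
# to /proc, the live kernel). Prints one line per key and returns the number
# of keys that are missing or differ, so 0 means the baseline is in place.
audit_ipv4_sysctl() {
    root=${1:-/proc}
    bad=0
    # the here-document keeps the loop in the current shell, so $bad survives it
    while read -r key want; do
        file="$root/sys/net/ipv4/$key"
        if [ ! -r "$file" ]; then
            echo "MISSING  $key (want $want)"
            bad=$((bad + 1))
        else
            have=$(cat "$file")
            if [ "$have" = "$want" ]; then
                echo "OK       $key = $have"
            else
                echo "MISMATCH $key = $have (want $want)"
                bad=$((bad + 1))
            fi
        fi
    done <<EOF
$(expected_settings)
EOF
    return "$bad"
}

# apply_ipv4_sysctl
# Emits (or, with SYSCTL=/sbin/sysctl as root, runs) the sysctl -w command
# for every expected setting. Dry run by default: the commands are printed.
apply_ipv4_sysctl() {
    SYSCTL=${SYSCTL:-"echo sysctl"}
    expected_settings | while read -r key want; do
        $SYSCTL -w "net.ipv4.$(echo "$key" | tr / .)=$want"
    done
}

# Usage: sh sysctl_audit.sh /proc   (exit status = number of deviating settings)
if [ $# -gt 0 ]; then
    audit_ipv4_sysctl "$1"
fi
```

    Because the exit status is the count of deviations, the audit drops straight into a cron job or a configuration check: a non-zero status means the gateway no longer matches the slides' baseline. The values are written to /proc with echo on the slides and are therefore lost at reboot; persisting them in /etc/sysctl.conf is the usual complement, and this audit is what tells you whether that persistence actually worked.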
  • 16. Tweaks we will use to prevent possible attacks: Prevent ping flood attacks
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP
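    The iptables rules from slides 8, 9, 14 and 16 assembled into one script, as an added example that is not part of the presentation. It runs as a dry run by default, printing the commands it would apply. The slides name variables such as $public_dmz, $INTERNALIF and $private_dmz_nwaddr without giving their values, so the interface names, the internal network and the private DMZ address here are assumed defaults that can be overridden from the environment; the public DMZ host addresses are the ones on slide 6. The default-DROP policies, the creation of the UNTRUSTED_NET chain and the ESTABLISHED,RELATED rules are additions: the slides' NEW-only rules would never let reply packets back without them.

```shell
#!/bin/sh
# Added example, not from the slides: the Packet Filter 1 rule set from
# slides 8, 9, 14 and 16 as one script. Dry run by default (commands are
# printed). Run as root with IPTABLES=/sbin/iptables to apply them.
set -eu

IPTABLES=${IPTABLES:-"echo iptables"}

# Interfaces and networks: assumed values, the slides only name the variables
EXTERNALIF=${EXTERNALIF:-eth0}
INTERNALIF=${INTERNALIF:-eth1}
public_dmz=${public_dmz:-eth2}
private_dmz_pf1=${private_dmz_pf1:-eth3}
INTERNALNET=${INTERNALNET:-10.0.0.0/8}
private_dmz_nwaddr=${private_dmz_nwaddr:-192.168.20.0/24}

# Public DMZ hosts as given on slide 6
public_dmz_http_ipaddr=192.168.10.2
public_dmz_dns_ipaddr=192.168.10.3
public_dmz_smtp_ipaddr=192.168.10.4

# INPUT chain: protects the firewall host itself (slides 14 and 16)
host_rules() {
    $IPTABLES -P INPUT DROP                      # assumed default policy
    $IPTABLES -A INPUT -m state --state INVALID -j DROP
    $IPTABLES -A INPUT -i lo -j ACCEPT           # must precede the 127/8 REJECT
    $IPTABLES -A INPUT -d 127.0.0.0/8 -j REJECT
    $IPTABLES -A INPUT -i "$INTERNALIF" -s "$INTERNALNET" -j ACCEPT
    $IPTABLES -A INPUT -i "$EXTERNALIF" -s "$INTERNALNET" -j REJECT
    # Ping flood: the rate-limited ACCEPT must come before the unconditional DROP
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP
    # Replies to connections the firewall host opened (addition, not on the slides)
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# FORWARD chain and the UNTRUSTED_NET chain for traffic arriving from the
# Internet (slides 8, 9 and 14)
forward_rules() {
    $IPTABLES -P FORWARD DROP                    # assumed default policy
    $IPTABLES -A FORWARD -m state --state INVALID -j DROP
    # Replies for connections already accepted below (addition, not on the slides)
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -p icmp --icmp-type echo-request -o "$INTERNALIF" -j REJECT
    # Everything entering on the external interface is judged by UNTRUSTED_NET
    # (-N fails if the chain already exists; flush and delete it first on re-runs)
    $IPTABLES -N UNTRUSTED_NET
    $IPTABLES -A FORWARD -i "$EXTERNALIF" -j UNTRUSTED_NET
    # Slide 8: Internet -> public DMZ, only the three published services
    $IPTABLES -A UNTRUSTED_NET -o "$public_dmz" -d "$public_dmz_http_ipaddr" -p tcp --destination-port 80 -m state --state NEW -j ACCEPT
    $IPTABLES -A UNTRUSTED_NET -o "$public_dmz" -d "$public_dmz_dns_ipaddr" -p udp --destination-port 53 -m state --state NEW -j ACCEPT
    $IPTABLES -A UNTRUSTED_NET -o "$public_dmz" -d "$public_dmz_smtp_ipaddr" -p tcp --destination-port 25 -m state --state NEW -j ACCEPT
    # Slide 9: Internet -> private DMZ is dropped; anything else from the
    # untrusted side falls through to the FORWARD DROP policy
    $IPTABLES -A UNTRUSTED_NET -o "$private_dmz_pf1" -d "$private_dmz_nwaddr" -j DROP
}

# Number of -A rules the script emits, for checking the set without applying it
count_rules() {
    { host_rules; forward_rules; } | grep -c -- '-A '
}

# Succeeds only if the rate-limited ICMP ACCEPT is emitted before the ICMP DROP;
# in the other order every echo request would be dropped, limit or not
ping_limit_precedes_drop() {
    host_rules | awk '/--limit/ {a=NR} /echo-request -j DROP/ {d=NR} END {exit !(a && d && a < d)}'
}

host_rules
forward_rules
```

    Running the script without IPTABLES set prints the full rule list, which is the right moment to read it top to bottom: iptables evaluates rules in order and stops at the first match, so the loopback ACCEPT has to sit above the 127.0.0.0/8 REJECT and the rate-limited ping ACCEPT above the ping DROP, exactly as the slides list them. On a real gateway, run it under a console session rather than over SSH through the interface it is about to lock down.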