SlideShare a Scribd company logo

Firewall arch by Tareq Hanaysha

Download as PPT, PDF
Hanaysha
Hanaysha
Technology
1 of 16
Term Project Presentation by : Hitesh Arjun Kingsley Tareq ISSM564-Firewall Fundamentals 1
In our presentation we will introduce : Our network and firewall architecture. Then we will go over the public DMZ and the first packet filter . 3. Last but not least we will give a brief explanations of our private DMZ . 4. Finally we will introduce our internal network with the possible attacks and the rules we will use in our packet filter`s iptables to harden our network and system against these attacks . 1. 2. ISSM564-Firewall Fundamentals 2
Network Diagram ISSM564-Firewall Fundamentals 3
What Is packet filter? Packet filtering is a network security mechanism that works by controlling what data can flow to and from a network. ISSM564-Firewall Fundamentals 4
Advantages of using Packet Filter Easy to install Packet filters make use of current network routers. Therefore implementing a packet filter security system is typically less complicated than other network security solutions. Supports High Speed With simple network configurations, packet filters can be fast. Since there is a direct connection between internal users and external hosts, data can be transmitted at high speeds. Makes Security Transparent to End-Users Because packet filters work at the level of the network router, filtering is transparent to the end-user. That makes using client applications much easie ISSM564-Firewall Fundamentals 5
Public DMZ Server HTTP DNS SMTP/Relay Port 80 53 25 Ip address 192.168.10.2 192.168.10.3 192.168.10.4 ISSM564-Firewall Fundamentals 6
Private DMZ Proxy server is a server which services the request of its clients by forwarding requests to other servers. A client connects to the proxy server requesting service such as file, connection, web page from different servers. Transparent proxy is a proxy that does not modify the request or respond beyond what is required for proxy authentication and identification. ISSM564-Firewall Fundamentals 7
Packet Filter 1 In our topology no direct traffic is allowed from global internet to the internal network:  ##Traffic from the internet to the public DMZ ##  $iptables -A UNTRUSTED_NET -o $public_dmz -d $public_dmz_http_ipaddr -p  tcp --destination-port 80 -m state --state NEW -j ACCEPT  $iptables -A UNTRUSTED_NET -o $public_dmz -d $public_dmz_dns_ipaddr -p  udp --destination-port 53 -m state --state NEW -j ACCEPT  $iptables -A UNTRUSTED_NET -o $public_dmz -d $public_dmz_smtp_ipaddr -p  tcp --destination-port 25 -m state --state NEW -j ACCEPT  Traffic is go through global internet through public DMZ and internal network to private DMZ. ISSM564-Firewall Fundamentals 8
Packet Filter 1 Traffic is go through global internet through public DMZ and internal network to private DMZ: ####### Traffic from the internet to the private DMZ $iptables -A UNTRUSTED_NET -o $private_dmz_pf1 -d $private_dmz_nwaddr  -j DROP ISSM564-Firewall Fundamentals 9
Tweaks we will use to prevent possible attacks : Disabling IP Spoofing attacks: IP spoofing is one of the most common forms of on-line camouflage. In IP spoofing, an attacker gains unauthorized access to a computer or a network by making it appear that a malicious message has come from a trusted machine by “spoofing” the IP address of that machine. echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter ISSM564-Firewall Fundamentals 10
Tweaks we will use to prevent possible attacks : Disabling IP Smurfing attacks: IP Smurfing is a form of network "attack" that can result in such a large traffic load on your wide-area Internet connection that you may be denied service across this link. This form of attack is also called a Denial of Service attack (DoS Attack), This can be limited by setting timeouts. echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout ISSM564-Firewall Fundamentals 11
Tweaks we will use to prevent possible attacks : Block Source Routing: Source routing allows the sender of the packet to specify the route that a packet must take in traveling to the destination. So Its better to block source routing from the Gateway itself to prevent discovering the IP addresses of routers within our network. echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route ISSM564-Firewall Fundamentals 12
Tweaks we will use to prevent possible attacks : Disable all redirection requests in Gateway machine: echo 0 >/proc/sys/net/ipv4/conf/all/accept_redirects The below command enables bad error message protection echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ISSM564-Firewall Fundamentals 13
Tweaks we will use to prevent possible attacks :  Basic Rules of a typical Firewall:  Kill INVALID packets with illegal combination flags.  $IPTABLES -A INPUT -m state --state INVALID -j DROP $IPTABLES -A FORWARD -m state --state             INVALID -j DROP No restrictions to connections from localhost $IPTABLES -A INPUT -i lo -j ACCEPT Reject connections from Outside world to Internal loop back device. $IPTABLES -A INPUT -d 127.0.0.0/8 -j REJECT No restrictions for traffic generating from legit internal addresses $IPTABLES -A INPUT -i $INTERNALIF -s $INTERNALNET -j ACCEPT Incase we have to use IPv6 addresses in your environment uncomment the below line: #$IPTABLES -A INPUT -p ipv6 -j ACCEPT Kill all packets from Outside world claiming to be packets generated from Internal network. $IPTABLES -A INPUT -i $EXTERNALIF -s $INTERNALNET -j REJECT Block ICMP requests. $IPTABLES -A FORWARD -p icmp --icmp-type echo-request -o $INTERNALIF -j REJECT ISSM564-Firewall Fundamentals 14
Tweaks we will use to prevent possible attacks : Trying to prevent SYN flood attacks:  A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system.  One of most important steps is to enable the operating system's built-in protection mechanisms like SYN cookies. In Linux, we can set the SYN Cookies in the following manner.  echo 1 > /proc/sys/net/ipv4/tcp_syncookies  Disable all redirection requests in Gateway machine:  echo 0 >/proc/sys/net/ipv4/conf/all/accept_redirects  The below command enables bad error message protection  echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ISSM564-Firewall Fundamentals 15
Tweaks we will use to prevent possible attacks : Prevent Ping flood attacks: $IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP ISSM564-Firewall Fundamentals 16

Recommended

Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksSecurity Session
 
Brst – Border Router Security Tool
Brst – Border Router Security ToolBrst – Border Router Security Tool
Brst – Border Router Security Tooltleroy0928
 
Firewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth FirewallsFirewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth Firewallsphanleson
 
Exploiting WiFi Security
Exploiting WiFi Security Exploiting WiFi Security
Exploiting WiFi Security Hariraj Rathod
 
Remote VPN
Remote VPNRemote VPN
Remote VPNNetwax Lab
 
Router security-configuration-guide-executive-summary
Router security-configuration-guide-executive-summaryRouter security-configuration-guide-executive-summary
Router security-configuration-guide-executive-summarymoonmanik
 
SSL Web VPN
SSL Web VPNSSL Web VPN
SSL Web VPNNetwax Lab
 
CCNA 1 Chapter 11 v5.0 2014
CCNA 1 Chapter 11 v5.0 2014CCNA 1 Chapter 11 v5.0 2014
CCNA 1 Chapter 11 v5.0 2014Đồng Quốc Vương
 

Recommended

Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksSecurity Session
 
Brst – Border Router Security Tool
Brst – Border Router Security ToolBrst – Border Router Security Tool
Brst – Border Router Security Tooltleroy0928
 
Firewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth FirewallsFirewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth Firewallsphanleson
 
Exploiting WiFi Security
Exploiting WiFi Security Exploiting WiFi Security
Exploiting WiFi Security Hariraj Rathod
 
Remote VPN
Remote VPNRemote VPN
Remote VPNNetwax Lab
 
Router security-configuration-guide-executive-summary
Router security-configuration-guide-executive-summaryRouter security-configuration-guide-executive-summary
Router security-configuration-guide-executive-summarymoonmanik
 
SSL Web VPN
SSL Web VPNSSL Web VPN
SSL Web VPNNetwax Lab
 
CCNA 1 Chapter 11 v5.0 2014
CCNA 1 Chapter 11 v5.0 2014CCNA 1 Chapter 11 v5.0 2014
CCNA 1 Chapter 11 v5.0 2014Đồng Quốc Vương
 
Snort
SnortSnort
SnortFadwa Gmiden
 
Aircrack
AircrackAircrack
AircrackMuhammadHanzalah6
 
Server hardening
Server hardeningServer hardening
Server hardeningTeja Babu
 
Firewall
FirewallFirewall
FirewallAngga Racing
 
Anton Chuvakin on Honeypots
Anton Chuvakin on HoneypotsAnton Chuvakin on Honeypots
Anton Chuvakin on HoneypotsAnton Chuvakin
 
Database Firewall with Snort
Database Firewall with SnortDatabase Firewall with Snort
Database Firewall with SnortNarudom Roongsiriwong, CISSP
 
Feb-8-2012-Breaking-Wireless-Security
Feb-8-2012-Breaking-Wireless-SecurityFeb-8-2012-Breaking-Wireless-Security
Feb-8-2012-Breaking-Wireless-SecurityCasey Dunham
 
How Hack WiFi through Aircrack-ng in Kali Linux Cyber Security
How Hack WiFi through Aircrack-ng in Kali Linux Cyber SecurityHow Hack WiFi through Aircrack-ng in Kali Linux Cyber Security
How Hack WiFi through Aircrack-ng in Kali Linux Cyber SecurityAhmad Yar
 
Incident response: Advanced Network Forensics
Incident response: Advanced Network ForensicsIncident response: Advanced Network Forensics
Incident response: Advanced Network ForensicsNapier University
 
Network Security fundamentals
Network Security fundamentalsNetwork Security fundamentals
Network Security fundamentalsTariq kanher
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort webhostingguy
 
SIEM
SIEMSIEM
SIEMNapier University
 
Positive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security AssessmentPositive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security AssessmentPositive Hack Days
 
Ceh v5 module 18 linux hacking
Ceh v5 module 18 linux hackingCeh v5 module 18 linux hacking
Ceh v5 module 18 linux hackingVi Tính Hoàng Nam
 
Practical Verification of TKIP Vulnerabilities
Practical Verification of TKIP VulnerabilitiesPractical Verification of TKIP Vulnerabilities
Practical Verification of TKIP Vulnerabilitiesvanhoefm
 
Wireshark and asterisk
Wireshark and asteriskWireshark and asterisk
Wireshark and asteriskMohsin Zahid
 
All about routers
All about routersAll about routers
All about routersagwanna
 
Proxy servers-firewalls
Proxy servers-firewallsProxy servers-firewalls
Proxy servers-firewallsAli Asgar Patanwala
 
Cisco Ios Suneet
Cisco Ios SuneetCisco Ios Suneet
Cisco Ios Suneetguest575e9c
 
New flaws in WPA-TKIP
New flaws in WPA-TKIPNew flaws in WPA-TKIP
New flaws in WPA-TKIPvanhoefm
 
Firewall presentation m. emin özgünsür
Firewall presentation m. emin özgünsürFirewall presentation m. emin özgünsür
Firewall presentation m. emin özgünsüremin_oz
 
Diamond chip
Diamond chipDiamond chip
Diamond chipPRADEEP Cheekatla
 

More Related Content

What's hot

Server hardening
Server hardeningServer hardening
Server hardeningTeja Babu
 
Anton Chuvakin on Honeypots
Anton Chuvakin on HoneypotsAnton Chuvakin on Honeypots
Anton Chuvakin on HoneypotsAnton Chuvakin
 
Feb-8-2012-Breaking-Wireless-Security
Feb-8-2012-Breaking-Wireless-SecurityFeb-8-2012-Breaking-Wireless-Security
Feb-8-2012-Breaking-Wireless-SecurityCasey Dunham
 
How Hack WiFi through Aircrack-ng in Kali Linux Cyber Security
How Hack WiFi through Aircrack-ng in Kali Linux Cyber SecurityHow Hack WiFi through Aircrack-ng in Kali Linux Cyber Security
How Hack WiFi through Aircrack-ng in Kali Linux Cyber SecurityAhmad Yar
 
Incident response: Advanced Network Forensics
Incident response: Advanced Network ForensicsIncident response: Advanced Network Forensics
Incident response: Advanced Network ForensicsNapier University
 
Network Security fundamentals
Network Security fundamentalsNetwork Security fundamentals
Network Security fundamentalsTariq kanher
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort webhostingguy
 
Positive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security AssessmentPositive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security AssessmentPositive Hack Days
 
Practical Verification of TKIP Vulnerabilities
Practical Verification of TKIP VulnerabilitiesPractical Verification of TKIP Vulnerabilities
Practical Verification of TKIP Vulnerabilitiesvanhoefm
 
Wireshark and asterisk
Wireshark and asteriskWireshark and asterisk
Wireshark and asteriskMohsin Zahid
 
All about routers
All about routersAll about routers
All about routersagwanna
 
Cisco Ios Suneet
Cisco Ios SuneetCisco Ios Suneet
Cisco Ios Suneetguest575e9c
 
New flaws in WPA-TKIP
New flaws in WPA-TKIPNew flaws in WPA-TKIP
New flaws in WPA-TKIPvanhoefm
 

What's hot (20)

Snort
SnortSnort
Snort
 
Aircrack
AircrackAircrack
Aircrack
 
Server hardening
Server hardeningServer hardening
Server hardening
 
Firewall
FirewallFirewall
Firewall
 
Anton Chuvakin on Honeypots
Anton Chuvakin on HoneypotsAnton Chuvakin on Honeypots
Anton Chuvakin on Honeypots
 
Database Firewall with Snort
Database Firewall with SnortDatabase Firewall with Snort
Database Firewall with Snort
 
Feb-8-2012-Breaking-Wireless-Security
Feb-8-2012-Breaking-Wireless-SecurityFeb-8-2012-Breaking-Wireless-Security
Feb-8-2012-Breaking-Wireless-Security
 
How Hack WiFi through Aircrack-ng in Kali Linux Cyber Security
How Hack WiFi through Aircrack-ng in Kali Linux Cyber SecurityHow Hack WiFi through Aircrack-ng in Kali Linux Cyber Security
How Hack WiFi through Aircrack-ng in Kali Linux Cyber Security
 
Incident response: Advanced Network Forensics
Incident response: Advanced Network ForensicsIncident response: Advanced Network Forensics
Incident response: Advanced Network Forensics
 
Network Security fundamentals
Network Security fundamentalsNetwork Security fundamentals
Network Security fundamentals
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort
 
SIEM
SIEMSIEM
SIEM
 
Positive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security AssessmentPositive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security Assessment
 
Ceh v5 module 18 linux hacking
Ceh v5 module 18 linux hackingCeh v5 module 18 linux hacking
Ceh v5 module 18 linux hacking
 
Practical Verification of TKIP Vulnerabilities
Practical Verification of TKIP VulnerabilitiesPractical Verification of TKIP Vulnerabilities
Practical Verification of TKIP Vulnerabilities
 
Wireshark and asterisk
Wireshark and asteriskWireshark and asterisk
Wireshark and asterisk
 
All about routers
All about routersAll about routers
All about routers
 
Proxy servers-firewalls
Proxy servers-firewallsProxy servers-firewalls
Proxy servers-firewalls
 
Cisco Ios Suneet
Cisco Ios SuneetCisco Ios Suneet
Cisco Ios Suneet
 
New flaws in WPA-TKIP
New flaws in WPA-TKIPNew flaws in WPA-TKIP
New flaws in WPA-TKIP
 

Viewers also liked

Firewall presentation m. emin özgünsür
Firewall presentation m. emin özgünsürFirewall presentation m. emin özgünsür
Firewall presentation m. emin özgünsüremin_oz
 
Introduction of firewall slides
Introduction of firewall slidesIntroduction of firewall slides
Introduction of firewall slidesrahul kundu
 
FireWall
FireWallFireWall
FireWallrubal_9
 
My Top 10 slides on presentations
My Top 10 slides on presentationsMy Top 10 slides on presentations
My Top 10 slides on presentationsAlexei Kapterev
 

Viewers also liked (8)

Firewall presentation m. emin özgünsür
Firewall presentation m. emin özgünsürFirewall presentation m. emin özgünsür
Firewall presentation m. emin özgünsür
 
Diamond chip
Diamond chipDiamond chip
Diamond chip
 
Firewall
FirewallFirewall
Firewall
 
Firewall presentation
Firewall presentationFirewall presentation
Firewall presentation
 
Introduction of firewall slides
Introduction of firewall slidesIntroduction of firewall slides
Introduction of firewall slides
 
FireWall
FireWallFireWall
FireWall
 
Firewall
Firewall Firewall
Firewall
 
My Top 10 slides on presentations
My Top 10 slides on presentationsMy Top 10 slides on presentations
My Top 10 slides on presentations
 

Similar to Firewall arch by Tareq Hanaysha

Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksMartin Holovský
 
Firewall presentation
Firewall presentationFirewall presentation
Firewall presentationAmandeep Kaur
 
04-post-connection-attacks.pdf
04-post-connection-attacks.pdf04-post-connection-attacks.pdf
04-post-connection-attacks.pdfxasako1838
 
Firewallpresentation 100826052003-phpapp02
Firewallpresentation 100826052003-phpapp02Firewallpresentation 100826052003-phpapp02
Firewallpresentation 100826052003-phpapp02devidas shinde
 
Firewallpresentation 100826052003-phpapp02
Firewallpresentation 100826052003-phpapp02Firewallpresentation 100826052003-phpapp02
Firewallpresentation 100826052003-phpapp02shivendra pratap singh
 
Chapter_Five[1].ppt
Chapter_Five[1].pptChapter_Five[1].ppt
Chapter_Five[1].pptBachaSirata
 
Attacks and their mitigations
Attacks and their mitigationsAttacks and their mitigations
Attacks and their mitigationsMukesh Chaudhari
 
DDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL LeeDDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL LeeMyNOG
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rulesFreddy Buenaño
 
Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)NetProtocol Xpert
 
Marrion Kujinga ; Firewalls
Marrion Kujinga ; FirewallsMarrion Kujinga ; Firewalls
Marrion Kujinga ; FirewallsMarrion Kujinga
 
Hacking Cisco Networks and Countermeasures
Hacking Cisco Networks and CountermeasuresHacking Cisco Networks and Countermeasures
Hacking Cisco Networks and Countermeasuresdkaya
 
8 steps to protect your cisco router
8 steps to protect your cisco router8 steps to protect your cisco router
8 steps to protect your cisco routerIT Tech
 
Advanced RAC troubleshooting: Network
Advanced RAC troubleshooting: NetworkAdvanced RAC troubleshooting: Network
Advanced RAC troubleshooting: NetworkRiyaj Shamsudeen
 
Network And Application Layer Attacks
Network And Application Layer AttacksNetwork And Application Layer Attacks
Network And Application Layer AttacksArun Modi
 

Similar to Firewall arch by Tareq Hanaysha (20)

Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacks
 
Hacking Cisco
Hacking CiscoHacking Cisco
Hacking Cisco
 
Firewall presentation
Firewall presentationFirewall presentation
Firewall presentation
 
04-post-connection-attacks.pdf
04-post-connection-attacks.pdf04-post-connection-attacks.pdf
04-post-connection-attacks.pdf
 
Firewallpresentation 100826052003-phpapp02
Firewallpresentation 100826052003-phpapp02Firewallpresentation 100826052003-phpapp02
Firewallpresentation 100826052003-phpapp02
 
Firewallpresentation 100826052003-phpapp02
Firewallpresentation 100826052003-phpapp02Firewallpresentation 100826052003-phpapp02
Firewallpresentation 100826052003-phpapp02
 
Chapter_Five[1].ppt
Chapter_Five[1].pptChapter_Five[1].ppt
Chapter_Five[1].ppt
 
Attacks and their mitigations
Attacks and their mitigationsAttacks and their mitigations
Attacks and their mitigations
 
DDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL LeeDDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL Lee
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules
 
Firewalls
FirewallsFirewalls
Firewalls
 
Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)
 
Marrion Kujinga ; Firewalls
Marrion Kujinga ; FirewallsMarrion Kujinga ; Firewalls
Marrion Kujinga ; Firewalls
 
Hacking Cisco Networks and Countermeasures
Hacking Cisco Networks and CountermeasuresHacking Cisco Networks and Countermeasures
Hacking Cisco Networks and Countermeasures
 
8 steps to protect your cisco router
8 steps to protect your cisco router8 steps to protect your cisco router
8 steps to protect your cisco router
 
Linta
LintaLinta
Linta
 
Linta
LintaLinta
Linta
 
Advanced RAC troubleshooting: Network
Advanced RAC troubleshooting: NetworkAdvanced RAC troubleshooting: Network
Advanced RAC troubleshooting: Network
 
Network And Application Layer Attacks
Network And Application Layer AttacksNetwork And Application Layer Attacks
Network And Application Layer Attacks
 
Day4
Day4Day4
Day4
 

More from Hanaysha

Business continuity & Disaster recovery planing
Business continuity & Disaster recovery planingBusiness continuity & Disaster recovery planing
Business continuity & Disaster recovery planingHanaysha
 
Nessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq HanayshaNessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq HanayshaHanaysha
 
Nessus scan report using microsoft patchs scan policy - Tareq Hanaysha
Nessus scan report using microsoft patchs scan policy - Tareq HanayshaNessus scan report using microsoft patchs scan policy - Tareq Hanaysha
Nessus scan report using microsoft patchs scan policy - Tareq HanayshaHanaysha
 
Facilitated Risk Analysis Process - Tareq Hanaysha
Facilitated Risk Analysis Process - Tareq HanayshaFacilitated Risk Analysis Process - Tareq Hanaysha
Facilitated Risk Analysis Process - Tareq HanayshaHanaysha
 
GOVERNMENT OF AB ACTS ON PRIVACY COMPLIANCE FOR (PIPA) & (FOIP) INSTITUTION -...
GOVERNMENT OF AB ACTS ON PRIVACY COMPLIANCE FOR (PIPA) & (FOIP) INSTITUTION -...GOVERNMENT OF AB ACTS ON PRIVACY COMPLIANCE FOR (PIPA) & (FOIP) INSTITUTION -...
GOVERNMENT OF AB ACTS ON PRIVACY COMPLIANCE FOR (PIPA) & (FOIP) INSTITUTION -...Hanaysha
 
How to write an IT security policy guide - Tareq Hanaysha
How to write an IT security policy guide - Tareq HanayshaHow to write an IT security policy guide - Tareq Hanaysha
How to write an IT security policy guide - Tareq HanayshaHanaysha
 
VPN security standards - Tareq Hanaysha
VPN security standards - Tareq HanayshaVPN security standards - Tareq Hanaysha
VPN security standards - Tareq HanayshaHanaysha
 
Vulnerability scanning report by Tareq Hanaysha
Vulnerability scanning report by Tareq HanayshaVulnerability scanning report by Tareq Hanaysha
Vulnerability scanning report by Tareq HanayshaHanaysha
 
Group report for IRAM - Tareq Hanaysha
Group report for IRAM - Tareq HanayshaGroup report for IRAM - Tareq Hanaysha
Group report for IRAM - Tareq HanayshaHanaysha
 
Disaster Recovery with Acronis true image
Disaster Recovery with Acronis true imageDisaster Recovery with Acronis true image
Disaster Recovery with Acronis true imageHanaysha
 
VPN Types, Vulnerabilities & Solutions - Tareq Hanaysha
VPN Types, Vulnerabilities & Solutions - Tareq HanayshaVPN Types, Vulnerabilities & Solutions - Tareq Hanaysha
VPN Types, Vulnerabilities & Solutions - Tareq HanayshaHanaysha
 

More from Hanaysha (11)

Business continuity & Disaster recovery planing
Business continuity & Disaster recovery planingBusiness continuity & Disaster recovery planing
Business continuity & Disaster recovery planing
 
Nessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq HanayshaNessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq Hanaysha
 
Nessus scan report using microsoft patchs scan policy - Tareq Hanaysha
Nessus scan report using microsoft patchs scan policy - Tareq HanayshaNessus scan report using microsoft patchs scan policy - Tareq Hanaysha
Nessus scan report using microsoft patchs scan policy - Tareq Hanaysha
 
Facilitated Risk Analysis Process - Tareq Hanaysha
Facilitated Risk Analysis Process - Tareq HanayshaFacilitated Risk Analysis Process - Tareq Hanaysha
Facilitated Risk Analysis Process - Tareq Hanaysha
 
GOVERNMENT OF AB ACTS ON PRIVACY COMPLIANCE FOR (PIPA) & (FOIP) INSTITUTION -...
GOVERNMENT OF AB ACTS ON PRIVACY COMPLIANCE FOR (PIPA) & (FOIP) INSTITUTION -...GOVERNMENT OF AB ACTS ON PRIVACY COMPLIANCE FOR (PIPA) & (FOIP) INSTITUTION -...
GOVERNMENT OF AB ACTS ON PRIVACY COMPLIANCE FOR (PIPA) & (FOIP) INSTITUTION -...
 
How to write an IT security policy guide - Tareq Hanaysha
How to write an IT security policy guide - Tareq HanayshaHow to write an IT security policy guide - Tareq Hanaysha
How to write an IT security policy guide - Tareq Hanaysha
 
VPN security standards - Tareq Hanaysha
VPN security standards - Tareq HanayshaVPN security standards - Tareq Hanaysha
VPN security standards - Tareq Hanaysha
 
Vulnerability scanning report by Tareq Hanaysha
Vulnerability scanning report by Tareq HanayshaVulnerability scanning report by Tareq Hanaysha
Vulnerability scanning report by Tareq Hanaysha
 
Group report for IRAM - Tareq Hanaysha
Group report for IRAM - Tareq HanayshaGroup report for IRAM - Tareq Hanaysha
Group report for IRAM - Tareq Hanaysha
 
Disaster Recovery with Acronis true image
Disaster Recovery with Acronis true imageDisaster Recovery with Acronis true image
Disaster Recovery with Acronis true image
 
VPN Types, Vulnerabilities & Solutions - Tareq Hanaysha
VPN Types, Vulnerabilities & Solutions - Tareq HanayshaVPN Types, Vulnerabilities & Solutions - Tareq Hanaysha
VPN Types, Vulnerabilities & Solutions - Tareq Hanaysha
 

Recently uploaded

Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAnitaRaj43
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)Samir Dash
 
API Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governanceAPI Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governanceWSO2
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformWSO2
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Quantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingQuantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingWSO2
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Navigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseNavigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseWSO2
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 

Recently uploaded (20)

Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
API Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governanceAPI Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governance
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Quantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingQuantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation Computing
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Navigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseNavigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern Enterprise
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 

Firewall arch by Tareq Hanaysha

  • 1. Term Project Presentation by : Hitesh Arjun Kingsley Tareq ISSM564-Firewall Fundamentals 1
  • 2. In our presentation we will introduce : Our network and firewall architecture. Then we will go over the public DMZ and the first packet filter . 3. Last but not least we will give a brief explanations of our private DMZ . 4. Finally we will introduce our internal network with the possible attacks and the rules we will use in our packet filter`s iptables to harden our network and system against these attacks . 1. 2. ISSM564-Firewall Fundamentals 2
  • 4. What Is packet filter? Packet filtering is a network security mechanism that works by controlling what data can flow to and from a network. ISSM564-Firewall Fundamentals 4
  • 5. Advantages of using Packet Filter Easy to install Packet filters make use of current network routers. Therefore implementing a packet filter security system is typically less complicated than other network security solutions. Supports High Speed With simple network configurations, packet filters can be fast. Since there is a direct connection between internal users and external hosts, data can be transmitted at high speeds. Makes Security Transparent to End-Users Because packet filters work at the level of the network router, filtering is transparent to the end-user. That makes using client applications much easie ISSM564-Firewall Fundamentals 5
  • 7. Private DMZ Proxy server is a server which services the request of its clients by forwarding requests to other servers. A client connects to the proxy server requesting service such as file, connection, web page from different servers. Transparent proxy is a proxy that does not modify the request or respond beyond what is required for proxy authentication and identification. ISSM564-Firewall Fundamentals 7
  • 8. Packet Filter 1 In our topology no direct traffic is allowed from global internet to the internal network:  ##Traffic from the internet to the public DMZ ##  $iptables -A UNTRUSTED_NET -o $public_dmz -d $public_dmz_http_ipaddr -p  tcp --destination-port 80 -m state --state NEW -j ACCEPT  $iptables -A UNTRUSTED_NET -o $public_dmz -d $public_dmz_dns_ipaddr -p  udp --destination-port 53 -m state --state NEW -j ACCEPT  $iptables -A UNTRUSTED_NET -o $public_dmz -d $public_dmz_smtp_ipaddr -p  tcp --destination-port 25 -m state --state NEW -j ACCEPT  Traffic is go through global internet through public DMZ and internal network to private DMZ. ISSM564-Firewall Fundamentals 8
  • 9. Packet Filter 1 Traffic is go through global internet through public DMZ and internal network to private DMZ: ####### Traffic from the internet to the private DMZ $iptables -A UNTRUSTED_NET -o $private_dmz_pf1 -d $private_dmz_nwaddr  -j DROP ISSM564-Firewall Fundamentals 9
  • 10. Tweaks we will use to prevent possible attacks : Disabling IP Spoofing attacks: IP spoofing is one of the most common forms of on-line camouflage. In IP spoofing, an attacker gains unauthorized access to a computer or a network by making it appear that a malicious message has come from a trusted machine by “spoofing” the IP address of that machine. echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter ISSM564-Firewall Fundamentals 10
  • 11. Tweaks we will use to prevent possible attacks : Disabling IP Smurfing attacks: IP Smurfing is a form of network "attack" that can result in such a large traffic load on your wide-area Internet connection that you may be denied service across this link. This form of attack is also called a Denial of Service attack (DoS Attack), This can be limited by setting timeouts. echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout ISSM564-Firewall Fundamentals 11
  • 12. Tweaks we will use to prevent possible attacks : Block Source Routing: Source routing allows the sender of the packet to specify the route that a packet must take in traveling to the destination. So Its better to block source routing from the Gateway itself to prevent discovering the IP addresses of routers within our network. echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route ISSM564-Firewall Fundamentals 12
  • 13. Tweaks we will use to prevent possible attacks : Disable all redirection requests in Gateway machine: echo 0 >/proc/sys/net/ipv4/conf/all/accept_redirects The below command enables bad error message protection echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ISSM564-Firewall Fundamentals 13
  • 14. Tweaks we will use to prevent possible attacks :  Basic Rules of a typical Firewall:  Kill INVALID packets with illegal combination flags.  $IPTABLES -A INPUT -m state --state INVALID -j DROP $IPTABLES -A FORWARD -m state --state             INVALID -j DROP No restrictions to connections from localhost $IPTABLES -A INPUT -i lo -j ACCEPT Reject connections from Outside world to Internal loop back device. $IPTABLES -A INPUT -d 127.0.0.0/8 -j REJECT No restrictions for traffic generating from legit internal addresses $IPTABLES -A INPUT -i $INTERNALIF -s $INTERNALNET -j ACCEPT Incase we have to use IPv6 addresses in your environment uncomment the below line: #$IPTABLES -A INPUT -p ipv6 -j ACCEPT Kill all packets from Outside world claiming to be packets generated from Internal network. $IPTABLES -A INPUT -i $EXTERNALIF -s $INTERNALNET -j REJECT Block ICMP requests. $IPTABLES -A FORWARD -p icmp --icmp-type echo-request -o $INTERNALIF -j REJECT ISSM564-Firewall Fundamentals 14
  • 15. Tweaks we will use to prevent possible attacks : Trying to prevent SYN flood attacks:  A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system.  One of most important steps is to enable the operating system's built-in protection mechanisms like SYN cookies. In Linux, we can set the SYN Cookies in the following manner.  echo 1 > /proc/sys/net/ipv4/tcp_syncookies  Disable all redirection requests in Gateway machine:  echo 0 >/proc/sys/net/ipv4/conf/all/accept_redirects  The below command enables bad error message protection  echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ISSM564-Firewall Fundamentals 15
  • 16. Tweaks we will use to prevent possible attacks : Prevent Ping flood attacks: $IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP ISSM564-Firewall Fundamentals 16