2. In our presentation we will introduce:
Our network and firewall architecture.
Then we will go over the public DMZ and the first packet filter.
Last but not least, we will give a brief explanation of our private DMZ.
Finally, we will introduce our internal network, the possible attacks against it, and the rules we will use in our packet filter's iptables to harden our network and system against these attacks.
ISSM564-Firewall Fundamentals
2
4. What is a packet filter?
Packet filtering is a network security mechanism that works by
controlling what data can flow to and from a network.
5. Advantages of using Packet Filter
Easy to install: packet filters make use of existing network routers, so implementing a packet filter security system is typically less complicated than other network security solutions.
Supports high speed: with simple network configurations, packet filters can be fast. Since there is a direct connection between internal users and external hosts, data can be transmitted at high speeds.
Makes security transparent to end-users: because packet filters work at the level of the network router, filtering is transparent to the end-user. That makes using client applications much easier.
7. Private DMZ
A proxy server is a server that services the requests of its clients by forwarding them to other servers. A client connects to the proxy server requesting a service, such as a file, a connection or a web page, from a different server.
A transparent proxy is a proxy that does not modify the request or the response beyond what is required for proxy authentication and identification.
8. Packet Filter 1
In our topology no direct traffic is allowed from the global internet to the internal network:
## Traffic from the internet to the public DMZ ##
# only the HTTP, DNS and SMTP hosts in the public DMZ accept new connections from the untrusted side
$iptables -A UNTRUSTED_NET -o $public_dmz -d $public_dmz_http_ipaddr -p tcp --destination-port 80 -m state --state NEW -j ACCEPT
$iptables -A UNTRUSTED_NET -o $public_dmz -d $public_dmz_dns_ipaddr -p udp --destination-port 53 -m state --state NEW -j ACCEPT
$iptables -A UNTRUSTED_NET -o $public_dmz -d $public_dmz_smtp_ipaddr -p tcp --destination-port 25 -m state --state NEW -j ACCEPT
Traffic from the global internet passes through the public DMZ and the internal network to reach the private DMZ.
9. Packet Filter 1
Traffic from the global internet passes through the public DMZ and the internal network to reach the private DMZ:
####### Traffic from the internet to the private DMZ
# nothing from the untrusted side may reach the private DMZ network directly
$iptables -A UNTRUSTED_NET -o $private_dmz_pf1 -d $private_dmz_nwaddr -j DROP
10. Tweaks we will use to prevent possible attacks:
Disabling IP spoofing attacks:
IP spoofing is one of the most common forms of on-line camouflage. In IP spoofing, an attacker gains unauthorized access to a computer or a network by making it appear that a malicious message has come from a trusted machine, by "spoofing" the IP address of that machine.
# reverse-path filtering: 2 = loose mode (the source must be reachable via any interface); 1 = strict mode (the source must be reachable via the interface the packet arrived on)
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
11. Tweaks we will use to prevent possible attacks:
Disabling IP smurfing attacks:
IP smurfing is a form of network attack that can result in such a large traffic load on your wide-area Internet connection that you may be denied service across this link. This form of attack is also called a denial-of-service (DoS) attack. It can be limited by setting timeouts.
# do not answer ICMP echo requests sent to broadcast addresses (the amplification step of a smurf attack)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# seconds an idle TCP connection waits before keepalive probes are sent
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
# seconds a locally closed socket stays in FIN-WAIT-2 before being reclaimed
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
12. Tweaks we will use to prevent possible attacks:
Block source routing:
Source routing allows the sender of a packet to specify the route that the packet must take in traveling to its destination.
So it is better to block source routing at the gateway itself, to prevent the discovery of the IP addresses of routers within our network.
# drop packets that carry source-route options
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
13. Tweaks we will use to prevent possible attacks:
Disable all redirection requests on the gateway machine:
# ignore ICMP redirect messages, which could otherwise alter the routing table
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
The command below enables bad error message protection:
# do not log ICMP error responses that violate the RFCs (avoids log clutter)
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
14. Tweaks we will use to prevent possible attacks:
Basic rules of a typical firewall:
Kill INVALID packets with illegal flag combinations.
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
No restrictions on connections from localhost.
$IPTABLES -A INPUT -i lo -j ACCEPT
Reject connections from the outside world to the internal loopback device.
$IPTABLES -A INPUT -d 127.0.0.0/8 -j REJECT
No restrictions for traffic originating from legitimate internal addresses.
$IPTABLES -A INPUT -i $INTERNALIF -s $INTERNALNET -j ACCEPT
In case we have to use IPv6 addresses in our environment, uncomment the line below:
#$IPTABLES -A INPUT -p ipv6 -j ACCEPT   # -p ipv6 matches IP protocol 41 (IPv6 tunneled over IPv4); native IPv6 traffic is filtered with ip6tables
Kill all packets from the outside world claiming to be generated from the internal network.
$IPTABLES -A INPUT -i $EXTERNALIF -s $INTERNALNET -j REJECT
Block ICMP echo requests forwarded into the internal network.
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -o $INTERNALIF -j REJECT
15. Tweaks we will use to prevent possible attacks:
Trying to prevent SYN flood attacks:
A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system.
One of the most important steps is to enable the operating system's built-in protection mechanisms, such as SYN cookies. In Linux, SYN cookies are enabled in the following manner:
# once the SYN backlog fills, answer with SYN cookies instead of keeping state for every half-open connection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
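The sysctl tweaks on slides 10 to 13 and 15 are shown as single echo commands. What a practitioner also wants is to apply them as one set on the gateway and to detect later drift (a setting reverted by a reboot, a package or an operator). The shell script below is an added example, not code from the original deck: the table of settings is taken from the slides, while SYSCTL_ROOT, the function names and the choice of rp_filter=1 instead of the slide's 2 are assumptions explained in the comments.

```shell
#!/bin/sh
# Added example, not code from the original slides: the deck's /proc/sys
# settings collected in one table, a function that applies them, and a function
# that audits a running system for drift from them.
# SYSCTL_ROOT is an assumed prefix so both functions can be exercised against a
# scratch directory; leave it empty to operate on the real /proc/sys.
SYSCTL_ROOT=${SYSCTL_ROOT:-}

# key=value pairs, one per line, from slides 10 to 13 and 15. rp_filter is set
# to 1 (strict reverse-path check) instead of the slide's 2 (loose mode, which
# only requires the source to be reachable via some interface); use 2 where
# routing is asymmetric.
hardening_settings() {
    cat <<'EOF'
net/ipv4/conf/all/rp_filter=1
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/tcp_keepalive_time=1800
net/ipv4/tcp_fin_timeout=30
net/ipv4/conf/all/accept_source_route=0
net/ipv4/conf/all/accept_redirects=0
net/ipv4/icmp_ignore_bogus_error_responses=1
net/ipv4/tcp_syncookies=1
EOF
}

# Write every setting to $SYSCTL_ROOT/proc/sys/<key>.
apply_hardening() {
    for entry in $(hardening_settings); do
        key=${entry%%=*}
        value=${entry#*=}
        path="$SYSCTL_ROOT/proc/sys/$key"
        mkdir -p "$(dirname "$path")"   # no-op on a real /proc/sys
        echo "$value" > "$path"
    done
}

# Compare each key's current value with the expected one. Prints one DRIFT line
# per deviation and returns 1 if any were found, 0 otherwise.
audit_hardening() {
    drift=0
    for entry in $(hardening_settings); do
        key=${entry%%=*}
        value=${entry#*=}
        path="$SYSCTL_ROOT/proc/sys/$key"
        current=$(cat "$path" 2>/dev/null || echo missing)
        if [ "$current" != "$value" ]; then
            echo "DRIFT $key current=$current expected=$value"
            drift=1
        fi
    done
    return $drift
}

# Usage on the gateway (as root): run apply_hardening once, then schedule
# audit_hardening from cron so that a later change to any of these sysctls is
# reported before it is relied on.
```

Keeping the settings in one table means the apply and audit paths can never disagree about what "hardened" means; the audit's non-zero exit status makes it usable from a cron job or a monitoring check without parsing its output.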
16. Tweaks we will use to prevent possible attacks:
Prevent ping flood attacks:
# accept at most one echo request per second; order matters, the rate-limited ACCEPT must precede the DROP
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP
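The rules on the Packet Filter 1 slides (8 and 9), the basic rules (slide 14) and the ping flood rule above all appear as isolated iptables commands. The script below is an added example, not code from the original deck: it gathers them into functions behind a dry-run wrapper so the generated rule set can be read and checked before it is applied on the gateway. Interface names, addresses, the ESTABLISHED,RELATED rule, the catch-all DROP at the end of the chain and the --limit-burst 5 value are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original slides: the rule sets from the
# "Packet Filter 1", "Basic Rules" and "Ping flood" slides wired into one script.
# Every rule passes through fw_rule(), which prints the command when
# FW_DRY_RUN=1 (the default here) and runs iptables otherwise, so the rule set
# can be reviewed and tested on a host without iptables or root.
# Interface names and addresses are assumed placeholders.
EXTERNALIF=${EXTERNALIF:-eth0}
INTERNALIF=${INTERNALIF:-eth1}
PUBLIC_DMZ_IF=${PUBLIC_DMZ_IF:-eth2}
INTERNALNET=${INTERNALNET:-192.168.10.0/24}
PUBLIC_DMZ_HTTP=${PUBLIC_DMZ_HTTP:-192.0.2.10}
PUBLIC_DMZ_DNS=${PUBLIC_DMZ_DNS:-192.0.2.11}
PUBLIC_DMZ_SMTP=${PUBLIC_DMZ_SMTP:-192.0.2.12}
PRIVATE_DMZ_NET=${PRIVATE_DMZ_NET:-10.10.0.0/24}
FW_DRY_RUN=${FW_DRY_RUN:-1}

fw_rule() {
    if [ "$FW_DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Basic rules slide: drop INVALID state, trust loopback and the internal LAN,
# reject outside packets claiming internal or loopback addresses.
fw_basic_rules() {
    fw_rule -A INPUT -m state --state INVALID -j DROP
    fw_rule -A FORWARD -m state --state INVALID -j DROP
    fw_rule -A INPUT -i lo -j ACCEPT
    fw_rule -A INPUT -d 127.0.0.0/8 -j REJECT
    fw_rule -A INPUT -i "$INTERNALIF" -s "$INTERNALNET" -j ACCEPT
    fw_rule -A INPUT -i "$EXTERNALIF" -s "$INTERNALNET" -j REJECT
}

# Packet Filter 1 slides: a dedicated chain for traffic arriving on the external
# interface. Only the three public DMZ services accept NEW connections; the
# private DMZ and everything else is dropped (the final catch-all DROP is an
# addition that makes the slide's "no direct traffic" statement explicit).
fw_untrusted_chain() {
    fw_rule -N UNTRUSTED_NET
    fw_rule -A UNTRUSTED_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
    fw_rule -A UNTRUSTED_NET -o "$PUBLIC_DMZ_IF" -d "$PUBLIC_DMZ_HTTP" -p tcp --destination-port 80 -m state --state NEW -j ACCEPT
    fw_rule -A UNTRUSTED_NET -o "$PUBLIC_DMZ_IF" -d "$PUBLIC_DMZ_DNS" -p udp --destination-port 53 -m state --state NEW -j ACCEPT
    fw_rule -A UNTRUSTED_NET -o "$PUBLIC_DMZ_IF" -d "$PUBLIC_DMZ_SMTP" -p tcp --destination-port 25 -m state --state NEW -j ACCEPT
    fw_rule -A UNTRUSTED_NET -d "$PRIVATE_DMZ_NET" -j DROP
    fw_rule -A UNTRUSTED_NET -j DROP
    fw_rule -A FORWARD -i "$EXTERNALIF" -j UNTRUSTED_NET
}

# Ping flood slide: at most one echo request per second (burst of 5) is
# accepted, the rest are dropped. The rate-limited ACCEPT must come first.
fw_ping_limit() {
    fw_rule -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 5 -j ACCEPT
    fw_rule -A INPUT -p icmp --icmp-type echo-request -j DROP
}

# Number of iptables commands a rule function emits in dry-run mode
# (self-check helper for the review step).
fw_count_rules() {
    "$1" | grep -c '^iptables '
}

# Print the whole rule set for review; run with FW_DRY_RUN=0 as root to apply.
fw_all() {
    fw_basic_rules
    fw_untrusted_chain
    fw_ping_limit
}
```

Reviewing the dry-run output is where ordering mistakes show up: the anti-spoofing REJECT on the external interface must sit above any broad ACCEPT, and the rate-limited echo-request ACCEPT is only meaningful if it precedes the unconditional DROP that follows it.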