SlideShare a Scribd company logo

Lecture 4 firewalls

R
rajakhurram

The document discusses firewalls and iptables firewall configuration on Linux systems. It provides details on firewall types (packet filtering, stateful inspection, proxy-based), configurations (screened host, screened subnet, DMZ), and iptables concepts like tables, chains, rules. It shows examples of iptables commands to implement common firewall rules like accepting loopback traffic and allowing HTTP/HTTPS outbound while blocking all other inbound/outbound traffic. The goal is to provide an overview of firewalls and demonstrate basic Linux firewall configuration using iptables.

EducationTechnology
1 of 51
Firewalls Chapter 11
The function of a strong position is to make the forces holding it practically unassailable. - On War,Carl Von Clausewitz 2
Contents • Firewall  Characteristics  Types • Firewall Basing  Bastion Host  Host Based  Personal Firewall • Firewall Location and Configurations 3
Firewalls : Need • Effective means of protection a local system or network of systems from network-based security threats while affording access to the outside world via WAN`s or the Internet • The firewall is inserted between the premises network and the Internet • Aims:  Establish a controlled link  Protect the premises network from Internet-based attacks  Provide a single choke point 4 ET1318 - Network Security
Design goals • All traffic from inside to outside must pass through the firewall (physically blocking all access to the local network except via the firewall) • Only authorized traffic (defined by the local security policy) will be allowed to pass • The firewall itself is immune to penetration (use of trusted system with a secure operating system) 5
Characteristics: Access Control • 4 general techniques: III. Service control  Determines the types of Internet services that can be accessed, inbound or outbound IV. Direction control  Determines the direction in which particular service requests are allowed to flow V. User control  Controls access to a service according to which user is attempting to access it VI. Behavior control  Controls how particular services are used (e.g. filter e-mail) 6
Characteristics: Capabilities & Limitations • Capabilities  Single Choke  Prohibit potentially vulnerable services from entering or leaving the network  Provides protection from attacks (different kinds)  Provide a location for monitoring security-related events • Limitations  Can not protect against attacks that bypass firewall  May not protect fully against internal threats  Can not secure improperly secured wireless LAN  Can not secure adhoc systems which are already infected 7
Types of Firewalls • 4 common types of Firewalls:  Packet-filtering routers  Stateful Inspection Firewalls  Application-level gateways  Circuit-level gateways 8
Types of Firewalls • Packet-filtering 9
Packet-filtering • Applies a set of rules to each incoming IP packet and then forwards or discards the packet • Filter packets going in both directions • The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header • Two default policies (discard or forward) 10
Packet-filtering  Advantages:  Simplicity  Transparency to users  High speed  Disadvantages:  Difficulty of setting up packet filter rules  Lack of Authentication  Possible attacks and appropriate countermeasures  IP address spoofing  Source routing attacks  Tiny fragment attacks 11
Packet-filtering 12
Types of Firewalls • Stateful Inspection Firewall  Most standard applications that run on top of TCP follow client server model  Creates a directory of outbound TCP connections. – An entry for each currently established connection.  Reviews same packet information as packet filtering firewall but also records information about TCP connections  Can keep track TCP sequence number. 13
Stateful Inspection Firewall 14
Types of Firewalls II • Application-level Gateway 15
Application-level Gateway • Application-level Gateway – Also called proxy server – Acts as a relay of application-level traffic • Advantages: – Higher security than packet filters – Only need to scrutinise a few allowable applications – Easy to log and audit all incoming traffic • Disadvantages: – Additional processing overhead on each connection (gateway as splice point) 16
Types of Firewalls III • Circuit-level Gateway 17
Circuit-level Gateway • Circuit-level Gateway  Stand-alone system or  Specialised function performed by an Application-level Gateway  Sets up two TCP connections  The gateway typically relays TCP segments from one connection to the other without examining the contents  The security function consists of determining which connections will be allowed  Typically use is a situation in which the system administrator trusts the internal users  An example is the SOCKS package 18
Circuit-level Gateway 19
Firewall Basing 20
Bastion Host • Bastion Host  A system identified by the firewall administrator as a critical strong point in the network´s security – Hardware with its own secured version of OS – Only allowable services are installed – May require additional authentication from users for accessing services.  The bastion host serves as a platform for an application-level or circuit-level gateway 21
Host-Based Firewalls • Software Module used to secure an individual host.  Commonly available in OS  Filter and restrict flow of packets  Common location : Server • Advantages  Rules can be tailored  Independent of topology  As independent firewall, may provide extra layer of protection without changing the existing network 22
Personal Firewall • Controls traffic between a personal computer or workstation • May be used in home and in enterprise both • Less complex as primary goal is to deny unauthorized remote access • Can also monitor outgoing activity 23
Locations and Configurations 24
Firewall Configurations  Greater security than single configurations because of two reasons:  This configuration implements both packet-level and application-level filtering (allowing for flexibility in defining security policy)  An intruder must generally penetrate two separate systems  This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server) 25
Screened host firewall • Screened host firewall system (single-homed bastion host) • Screened host firewall, single-homed bastion configuration • Firewall consists of two systems:  A packet-filtering router  A bastion host 26
Firewall Configurations  Screened host firewall system (dual-homed bastion host)  Screened host firewall, dual-homed bastion configuration – The packet-filtering router is not completely compromised – Traffic between the Internet and other hosts on the private network has to flow through the bastion host 27
Firewall Configurations  Screened-subnet firewall system  Screened subnet firewall configuration – Most secure configuration of the three – Two packet-filtering routers are used – Creation of an isolated sub-network 28
Firewall Configurations  Advantages:  Three levels of defense to thwart intruders  The outside router advertises only the existence of the screened subnet to the Internet (internal network is invisible to the Internet)  The inside router advertises only the existence of the screened subnet to the internal network (the systems on the inside network cannot construct direct routes to the Internet) 29
Firewall Configuration 30
Demilitarized zone (DMZ) • Usage of firewalls to create a “no mans land” for services that should be accessible from the external network 31
Virtual Private Networks 32
Ditributed Firewalls 33
Trusted Systems & Data Access Control  One way to enhance the ability of a system to defend against intruders and malicious programs is to implement trusted system technology  Data Access control • Through the user access control procedure (log on), a user can be identified to the system • Associated with each user, there can be a profile that specifies permissible operations and file accesses • The operation system can enforce rules based on the user profile  General models of access control: – Access matrix – Access control list – Capability list 34
Data Access Control  Access Matrix: Basic elements of the model  Subject: An entity capable of accessing objects, the concept of subject equates with that of process  Object: Anything to which access is controlled (e.g. files, programs)  Access right: The way in which an object is accessed by a subject (e.g. read, write, execute)  Access Control List – An access control list lists users and their permitted access right – The list may contain a default or public entry  Capability list – A capability ticket specifies authorised objects and operations for a user – Each user have a number of tickets 35
The Concept of Trusted Systems  Trusted Systems  Protection of data and resources on the basis of levels of security (e.g. military)  Users can be granted clearances to access certain categories of data  Multilevel security  Definition of multiple categories or levels of data  A multilevel secure system must enforce:  No read up: A subject can only read an object of less or equal security level (Simple Security Property)  No write down: A subject can only write into an object of greater or equal security level (*-Property)  (Please read the concepts of Bell—LaPadula Confidentiality Model and Biba Integrity Model (Important Reading Assignment) (http://en.wikibooks.org/wiki/Security_Architecture_and_Design/Security_Models) 36
The Concept of Trusted Systems II  Reference Monitor  Controlling element in the hardware and operating system of a computer that regulates the access of subjects to objects on basis of security parameters  The monitor has access to a file (security kernel database)  The monitor enforces the security rules (no read up, no write down)  Properties of the Reference Monitor  Complete mediation: Security rules are enforced on every access  Isolation: The reference monitor and database are protected from unauthorised modification  Verifiability: The reference monitor’s correctness must be provable (mathematically) 37
Linux Firewall 38
iptables • Firewall administration program • Implemented within the operating system • Works at the IP network and Transport Protocol Layers • Protects the system by making routing decisions after filtering packets based on information in the IP packet header • Consists of a list of acceptance and denial rules • The rules are stored in kernel tables, in an input output or forward chain 39
Packet-Filtering Concepts • Rules based on:  Specific NIC  Host IP address  Network layer´s source and destination IP addresses  The transport layer´s TCP and UDP service ports  TCP connection flags  The network layer´s ICMP message types  Whether the packet is incoming or outgoing The order in which the rules are defined is important 40
Tables 1. filter table - responsible for filtering - default table  INPUT chain - All packets arriving into the system go through this chain.  OUTPUT chain - All packets leaving the system go through this chain.  FORWARD chain - All packets passing through the system (being routed) go through this chain. 2. nat table - responsible for rewriting packet addresses or ports. consulted when a packet that creates a new connection is encountered  PREROUTING chain - Incoming packets pass through this chain before the local routing table is consulted, primarily for DNAT (destination-NAT).  POSTROUTING chain - Outgoing packets pass through this chain after the routing decision has been made, primarily for SNAT (source-NAT). • mangle table - responsible for adjusting packet options, such as quality of service. (Reading Assignment)  PREROUTING chain.  INPUT chain.  FORWARD chain.  OUTPUT chain. 41  POSTROUTING chain.
Firewall Characteristics  The list of rules rules defining what can come in and what can go out are called chains Network Interface  2 chains:  Input chain Incoming packet Match rule3?  Output chain Input chain  ( Forward chain ) No Match rule1? Match rule2? No No Match rule2? Match rule1? No Output chain Match rule3? Outgoing packet 42
Default Packet-filering policy  Each chain has a default policy  If the packet doesn’t match any rule the default policy is applied  2 basic approaches to a firewall: 1. Deny everything by default and explicitly allow selected packets through 2. Accept everything by default and explicitly deny selected packets through 43
Deny-everything-by-default policy Incoming packet FW chain Match rule1? Yes Accept No Match rule2? Yes Accept No Match rule3? Yes Accept No Policy: DENY 44
Accept-everything-by-default policy Incoming packet FW chain Match rule1? Yes Deny No Match rule2? Yes Deny No Match rule3? Yes Deny No Policy: ACCEPT 45
Reject vs Deny Firewall mechanism gives you the option of either rejecting or denying packets Return error Discard to sender Yes Yes Reject? Deny? Packet No No 46
iptables command-line arguments • iptables – A|I|D [chain] [-i interface] [-p protocol] [ [!] --syn] • [-s address [ port [:port] ] ] • [-d adress [ port [:port] ] ] • -j policy [ -l] A | I | S : Append |Insert |Delete • #Set the default policy to deny • iptables –P input DENY • iptables –P output REJECT • iptables –P forward REJECT -P (Chain Target) 47
iptables command-line arguments • # Unlimited traffic on the loopback interface. • iptables -A input -i $LOOPBACK_INTERFACE -j ACCEPT • iptables -A output -o $LOOPBACK_INTERFACE -j ACCEPT • iptables -A output -o $EXTERNAL_INTERFACE -p icmp • -s $IPADDR -- icmp-type echo-request -j ACCEPT • iptables -A input -i $EXTERNAL_INTERFACE -p icmp • --icmp-type echo-reply -d $IPADDR -j ACCEPT 48
iptables command-line arguments • # HTTP Web client • iptables -A output -o $EXTERNAL_INTERFACE -p tcp • -s $IPADDR --sport $UNPRIVPORTS • --dport 80 -j ACCEPT • iptables -A input -i $EXTERNAL_INTERFACE -p tcp ! --syn • -sport 80 • -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT 49
iptables command-line arguments • iptables -A output -o $EXTERNAL_INTERFACE -p tcp • -s $IPADDR --sport $UNPRIVPORTS • --dport 443 -j ACCEPT • iptables -A input -i $EXTERNAL_INTERFACE -p tcp ! --syn • -sport 443 • -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT 50
iptables command-line arguments • # DNS client (53) • iptables -A output -o $EXTERNAL_INTERFACE -p udp • -s $IPADDR --sport $UNPRIVPORTS • -d $NAMESERVER_1--dport 53 -j ACCEPT • iptables -A input -i $EXTERNAL_INTERFACE -p udp • -s $NAMESERVER_1 --sport 53 • -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT 51

Recommended

Firewall Design and Implementation
Firewall Design and ImplementationFirewall Design and Implementation
Firewall Design and Implementationajeet singh
 
Firewall and Types of firewall
Firewall and Types of firewallFirewall and Types of firewall
Firewall and Types of firewallCoder Tech
 
VULNERABILITY ( CYBER SECURITY )
VULNERABILITY ( CYBER SECURITY )VULNERABILITY ( CYBER SECURITY )
VULNERABILITY ( CYBER SECURITY )Kashyap Mandaliya
 
Key management and distribution
Key management and distributionKey management and distribution
Key management and distributionRiya Choudhary
 
Chapter- I introduction
Chapter- I introductionChapter- I introduction
Chapter- I introductionDr.Florence Dayana
 
Firewalls
FirewallsFirewalls
FirewallsRam Dutt Shukla
 
Next generation firewall(ngfw)feature and benefits
Next generation firewall(ngfw)feature and benefitsNext generation firewall(ngfw)feature and benefits
Next generation firewall(ngfw)feature and benefitsAnthony Daniel
 
Authentication service security
Authentication service securityAuthentication service security
Authentication service securityG Prachi
 

Recommended

Firewall Design and Implementation
Firewall Design and ImplementationFirewall Design and Implementation
Firewall Design and Implementationajeet singh
 
Firewall and Types of firewall
Firewall and Types of firewallFirewall and Types of firewall
Firewall and Types of firewallCoder Tech
 
VULNERABILITY ( CYBER SECURITY )
VULNERABILITY ( CYBER SECURITY )VULNERABILITY ( CYBER SECURITY )
VULNERABILITY ( CYBER SECURITY )Kashyap Mandaliya
 
Key management and distribution
Key management and distributionKey management and distribution
Key management and distributionRiya Choudhary
 
Chapter- I introduction
Chapter- I introductionChapter- I introduction
Chapter- I introductionDr.Florence Dayana
 
Firewalls
FirewallsFirewalls
FirewallsRam Dutt Shukla
 
Next generation firewall(ngfw)feature and benefits
Next generation firewall(ngfw)feature and benefitsNext generation firewall(ngfw)feature and benefits
Next generation firewall(ngfw)feature and benefitsAnthony Daniel
 
Authentication service security
Authentication service securityAuthentication service security
Authentication service securityG Prachi
 
System hacking
System hackingSystem hacking
System hackingCAS
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detectionCAS
 
Module 8 System Hacking
Module 8 System HackingModule 8 System Hacking
Module 8 System Hackingleminhvuong
 
Email Security : PGP & SMIME
Email Security : PGP & SMIMEEmail Security : PGP & SMIME
Email Security : PGP & SMIMERohit Soni
 
Firewall
FirewallFirewall
Firewallnayakslideshare
 
Firewall presentation
Firewall presentationFirewall presentation
Firewall presentationyogendrasinghchahar
 
security problems in the tcp/ip protocol suite
security problems in the tcp/ip protocol suitesecurity problems in the tcp/ip protocol suite
security problems in the tcp/ip protocol suiteYash Kotak
 
Spyware and rootkit
Spyware and rootkitSpyware and rootkit
Spyware and rootkitNikhil Pandit
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)k33a
 
Tools and methods used in cybercrime
Tools and methods used in cybercrimeTools and methods used in cybercrime
Tools and methods used in cybercrimepatelripal99
 
Network Security Chapter 7
Network Security Chapter 7Network Security Chapter 7
Network Security Chapter 7AfiqEfendy Zaen
 
Types of attacks
Types of attacksTypes of attacks
Types of attacksVivek Gandhi
 
Tcp Udp Icmp And The Transport Layer
Tcp Udp Icmp And The Transport LayerTcp Udp Icmp And The Transport Layer
Tcp Udp Icmp And The Transport Layertmavroidis
 
Firewall ppt
Firewall pptFirewall ppt
Firewall pptOECLIB Odisha Electronics Control Library
 
Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Fabiha Shahzad
 
Transport layer security (tls)
Transport layer security (tls)Transport layer security (tls)
Transport layer security (tls)Kalpesh Kalekar
 
Firewall in Network Security
Firewall in Network SecurityFirewall in Network Security
Firewall in Network Securitylalithambiga kamaraj
 
Firewalls in network security
Firewalls in network securityFirewalls in network security
Firewalls in network securityVikram Khanna
 
WEP
WEPWEP
WEPSudeep Kulkarni
 
Firewall ( Cyber Security)
Firewall ( Cyber Security)Firewall ( Cyber Security)
Firewall ( Cyber Security)Jainam Shah
 
Divyanshu.pptx
Divyanshu.pptxDivyanshu.pptx
Divyanshu.pptxDivyanshu93112
 
Seminar
SeminarSeminar
SeminarAbhinav Kushwah
 

More Related Content

What's hot

System hacking
System hackingSystem hacking
System hackingCAS
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detectionCAS
 
Module 8 System Hacking
Module 8 System HackingModule 8 System Hacking
Module 8 System Hackingleminhvuong
 
Email Security : PGP & SMIME
Email Security : PGP & SMIMEEmail Security : PGP & SMIME
Email Security : PGP & SMIMERohit Soni
 
security problems in the tcp/ip protocol suite
security problems in the tcp/ip protocol suitesecurity problems in the tcp/ip protocol suite
security problems in the tcp/ip protocol suiteYash Kotak
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)k33a
 
Tools and methods used in cybercrime
Tools and methods used in cybercrimeTools and methods used in cybercrime
Tools and methods used in cybercrimepatelripal99
 
Network Security Chapter 7
Network Security Chapter 7Network Security Chapter 7
Network Security Chapter 7AfiqEfendy Zaen
 
Tcp Udp Icmp And The Transport Layer
Tcp Udp Icmp And The Transport LayerTcp Udp Icmp And The Transport Layer
Tcp Udp Icmp And The Transport Layertmavroidis
 
Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Fabiha Shahzad
 
Transport layer security (tls)
Transport layer security (tls)Transport layer security (tls)
Transport layer security (tls)Kalpesh Kalekar
 
Firewalls in network security
Firewalls in network securityFirewalls in network security
Firewalls in network securityVikram Khanna
 
Firewall ( Cyber Security)
Firewall ( Cyber Security)Firewall ( Cyber Security)
Firewall ( Cyber Security)Jainam Shah
 

What's hot (20)

System hacking
System hackingSystem hacking
System hacking
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detection
 
Module 8 System Hacking
Module 8 System HackingModule 8 System Hacking
Module 8 System Hacking
 
Email Security : PGP & SMIME
Email Security : PGP & SMIMEEmail Security : PGP & SMIME
Email Security : PGP & SMIME
 
Firewall
FirewallFirewall
Firewall
 
Firewall presentation
Firewall presentationFirewall presentation
Firewall presentation
 
security problems in the tcp/ip protocol suite
security problems in the tcp/ip protocol suitesecurity problems in the tcp/ip protocol suite
security problems in the tcp/ip protocol suite
 
Spyware and rootkit
Spyware and rootkitSpyware and rootkit
Spyware and rootkit
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
 
Tools and methods used in cybercrime
Tools and methods used in cybercrimeTools and methods used in cybercrime
Tools and methods used in cybercrime
 
Network Security Chapter 7
Network Security Chapter 7Network Security Chapter 7
Network Security Chapter 7
 
Types of attacks
Types of attacksTypes of attacks
Types of attacks
 
Tcp Udp Icmp And The Transport Layer
Tcp Udp Icmp And The Transport LayerTcp Udp Icmp And The Transport Layer
Tcp Udp Icmp And The Transport Layer
 
Firewall ppt
Firewall pptFirewall ppt
Firewall ppt
 
Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)
 
Transport layer security (tls)
Transport layer security (tls)Transport layer security (tls)
Transport layer security (tls)
 
Firewall in Network Security
Firewall in Network SecurityFirewall in Network Security
Firewall in Network Security
 
Firewalls in network security
Firewalls in network securityFirewalls in network security
Firewalls in network security
 
WEP
WEPWEP
WEP
 
Firewall ( Cyber Security)
Firewall ( Cyber Security)Firewall ( Cyber Security)
Firewall ( Cyber Security)
 

Similar to Lecture 4 firewalls

Cyber Security - Firewall and Packet Filters
Cyber Security - Firewall and Packet Filters Cyber Security - Firewall and Packet Filters
Cyber Security - Firewall and Packet Filters Radhika Talaviya
 
Introduction to firewalls
Introduction to firewallsIntroduction to firewalls
Introduction to firewallsDivya Jyoti
 
Network defenses
Network defensesNetwork defenses
Network defensesG Prachi
 
Unit 5.3_Firewalls (1).ppt
Unit 5.3_Firewalls (1).pptUnit 5.3_Firewalls (1).ppt
Unit 5.3_Firewalls (1).pptAnuReddy68
 
Firewalls.ppt
Firewalls.pptFirewalls.ppt
Firewalls.pptKaushal72
 
Cybersecurity cyberlab2
Cybersecurity cyberlab2Cybersecurity cyberlab2
Cybersecurity cyberlab2rayborg
 
Section c group2_firewall_ final
Section c group2_firewall_ finalSection c group2_firewall_ final
Section c group2_firewall_ finalpg13tarun_g
 
Firewall (2)
Firewall (2)Firewall (2)
Firewall (2)marghali
 
Firewalls (1).ppt
Firewalls (1).pptFirewalls (1).ppt
Firewalls (1).pptadnanetnzr
 

Similar to Lecture 4 firewalls (20)

Divyanshu.pptx
Divyanshu.pptxDivyanshu.pptx
Divyanshu.pptx
 
Seminar
SeminarSeminar
Seminar
 
Firewall
FirewallFirewall
Firewall
 
Cyber Security - Firewall and Packet Filters
Cyber Security - Firewall and Packet Filters Cyber Security - Firewall and Packet Filters
Cyber Security - Firewall and Packet Filters
 
Firewall
FirewallFirewall
Firewall
 
Introduction to firewalls
Introduction to firewallsIntroduction to firewalls
Introduction to firewalls
 
firewall.ppt
firewall.pptfirewall.ppt
firewall.ppt
 
Network defenses
Network defensesNetwork defenses
Network defenses
 
Unit 5.3_Firewalls (1).ppt
Unit 5.3_Firewalls (1).pptUnit 5.3_Firewalls (1).ppt
Unit 5.3_Firewalls (1).ppt
 
Firewalls.ppt
Firewalls.pptFirewalls.ppt
Firewalls.ppt
 
Cybersecurity cyberlab2
Cybersecurity cyberlab2Cybersecurity cyberlab2
Cybersecurity cyberlab2
 
Firewall
FirewallFirewall
Firewall
 
Advance firewalls
Advance firewallsAdvance firewalls
Advance firewalls
 
Section c group2_firewall_ final
Section c group2_firewall_ finalSection c group2_firewall_ final
Section c group2_firewall_ final
 
Firewall (2)
Firewall (2)Firewall (2)
Firewall (2)
 
Firewalls.ppt
Firewalls.pptFirewalls.ppt
Firewalls.ppt
 
[9] Firewall.pdf
[9] Firewall.pdf[9] Firewall.pdf
[9] Firewall.pdf
 
Firewalls.ppt
Firewalls.pptFirewalls.ppt
Firewalls.ppt
 
Firewalls.ppt
Firewalls.pptFirewalls.ppt
Firewalls.ppt
 
Firewalls (1).ppt
Firewalls (1).pptFirewalls (1).ppt
Firewalls (1).ppt
 

More from rajakhurram

Malicious software
Malicious softwareMalicious software
Malicious softwarerajakhurram
 
Lecture malicious software
Lecture malicious softwareLecture malicious software
Lecture malicious softwarerajakhurram
 
Lecture 12 malicious software
Lecture 12 malicious software Lecture 12 malicious software
Lecture 12 malicious software rajakhurram
 
Lecture 11 wifi security
Lecture 11 wifi securityLecture 11 wifi security
Lecture 11 wifi securityrajakhurram
 
Lecture 10 intruders
Lecture 10 intrudersLecture 10 intruders
Lecture 10 intrudersrajakhurram
 
Lecture 9 key distribution and user authentication
Lecture 9 key distribution and user authentication Lecture 9 key distribution and user authentication
Lecture 9 key distribution and user authentication rajakhurram
 
Lecture 7 certificates
Lecture 7 certificatesLecture 7 certificates
Lecture 7 certificatesrajakhurram
 
Lecture 6 web security
Lecture 6 web securityLecture 6 web security
Lecture 6 web securityrajakhurram
 
Lecture 5 ip security
Lecture 5 ip securityLecture 5 ip security
Lecture 5 ip securityrajakhurram
 
Lecture 3b public key_encryption
Lecture 3b public key_encryptionLecture 3b public key_encryption
Lecture 3b public key_encryptionrajakhurram
 
Lecture3a symmetric encryption
Lecture3a symmetric encryptionLecture3a symmetric encryption
Lecture3a symmetric encryptionrajakhurram
 
Lecture2 network attack
Lecture2 network attackLecture2 network attack
Lecture2 network attackrajakhurram
 
Lecture1 Introduction
Lecture1 Introduction Lecture1 Introduction
Lecture1 Introduction rajakhurram
 
Lecture 8 mail security
Lecture 8 mail securityLecture 8 mail security
Lecture 8 mail securityrajakhurram
 

More from rajakhurram (14)

Malicious software
Malicious softwareMalicious software
Malicious software
 
Lecture malicious software
Lecture malicious softwareLecture malicious software
Lecture malicious software
 
Lecture 12 malicious software
Lecture 12 malicious software Lecture 12 malicious software
Lecture 12 malicious software
 
Lecture 11 wifi security
Lecture 11 wifi securityLecture 11 wifi security
Lecture 11 wifi security
 
Lecture 10 intruders
Lecture 10 intrudersLecture 10 intruders
Lecture 10 intruders
 
Lecture 9 key distribution and user authentication
Lecture 9 key distribution and user authentication Lecture 9 key distribution and user authentication
Lecture 9 key distribution and user authentication
 
Lecture 7 certificates
Lecture 7 certificatesLecture 7 certificates
Lecture 7 certificates
 
Lecture 6 web security
Lecture 6 web securityLecture 6 web security
Lecture 6 web security
 
Lecture 5 ip security
Lecture 5 ip securityLecture 5 ip security
Lecture 5 ip security
 
Lecture 3b public key_encryption
Lecture 3b public key_encryptionLecture 3b public key_encryption
Lecture 3b public key_encryption
 
Lecture3a symmetric encryption
Lecture3a symmetric encryptionLecture3a symmetric encryption
Lecture3a symmetric encryption
 
Lecture2 network attack
Lecture2 network attackLecture2 network attack
Lecture2 network attack
 
Lecture1 Introduction
Lecture1 Introduction Lecture1 Introduction
Lecture1 Introduction
 
Lecture 8 mail security
Lecture 8 mail securityLecture 8 mail security
Lecture 8 mail security
 

Recently uploaded

Culture Uniformity or Diversity IN SOCIOLOGY.pptx
Culture Uniformity or Diversity IN SOCIOLOGY.pptxCulture Uniformity or Diversity IN SOCIOLOGY.pptx
Culture Uniformity or Diversity IN SOCIOLOGY.pptxPoojaSen20
 
Global Lehigh Strategic Initiatives (without descriptions)
Global Lehigh Strategic Initiatives (without descriptions)Global Lehigh Strategic Initiatives (without descriptions)
Global Lehigh Strategic Initiatives (without descriptions)cama23
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPCeline George
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxiammrhaywood
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxAnupkumar Sharma
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxJudging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxSherlyMaeNeri
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parentsnavabharathschool99
 
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxHumphrey A Beña
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfErwinPantujan2
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...Nguyen Thanh Tu Collection
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Celine George
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...JhezDiaz1
 
Science 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxScience 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxMaryGraceBautista27
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4MiaBumagat1
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designMIPLM
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️9953056974 Low Rate Call Girls In Saket, Delhi NCR
 

Recently uploaded (20)

Culture Uniformity or Diversity IN SOCIOLOGY.pptx
Culture Uniformity or Diversity IN SOCIOLOGY.pptxCulture Uniformity or Diversity IN SOCIOLOGY.pptx
Culture Uniformity or Diversity IN SOCIOLOGY.pptx
 
Global Lehigh Strategic Initiatives (without descriptions)
Global Lehigh Strategic Initiatives (without descriptions)Global Lehigh Strategic Initiatives (without descriptions)
Global Lehigh Strategic Initiatives (without descriptions)
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERP
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxJudging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptx
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parents
 
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
 
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptxLEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
 
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptxYOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
 
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptxYOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
 
Science 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxScience 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptx
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-design
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
 
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptxFINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
 

Lecture 4 firewalls

  • 2. The function of a strong position is to make the forces holding it practically unassailable. - On War,Carl Von Clausewitz 2
  • 3. Contents • Firewall  Characteristics  Types • Firewall Basing  Bastion Host  Host Based  Personal Firewall • Firewall Location and Configurations 3
  • 4. Firewalls : Need • Effective means of protection a local system or network of systems from network-based security threats while affording access to the outside world via WAN`s or the Internet • The firewall is inserted between the premises network and the Internet • Aims:  Establish a controlled link  Protect the premises network from Internet-based attacks  Provide a single choke point 4 ET1318 - Network Security
  • 5. Design goals • All traffic from inside to outside must pass through the firewall (physically blocking all access to the local network except via the firewall) • Only authorized traffic (defined by the local security policy) will be allowed to pass • The firewall itself is immune to penetration (use of trusted system with a secure operating system) 5
  • 6. Characteristics: Access Control • 4 general techniques: III. Service control  Determines the types of Internet services that can be accessed, inbound or outbound IV. Direction control  Determines the direction in which particular service requests are allowed to flow V. User control  Controls access to a service according to which user is attempting to access it VI. Behavior control  Controls how particular services are used (e.g. filter e-mail) 6
  • 7. Characteristics: Capabilities & Limitations • Capabilities  Single Choke  Prohibit potentially vulnerable services from entering or leaving the network  Provides protection from attacks (different kinds)  Provide a location for monitoring security-related events • Limitations  Can not protect against attacks that bypass firewall  May not protect fully against internal threats  Can not secure improperly secured wireless LAN  Can not secure adhoc systems which are already infected 7
  • 8. Types of Firewalls • 4 common types of Firewalls:  Packet-filtering routers  Stateful Inspection Firewalls  Application-level gateways  Circuit-level gateways 8
  • 9. Types of Firewalls • Packet-filtering 9
  • 10. Packet-filtering • Applies a set of rules to each incoming IP packet and then forwards or discards the packet • Filter packets going in both directions • The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header • Two default policies (discard or forward) 10
  • 11. Packet-filtering  Advantages:  Simplicity  Transparency to users  High speed  Disadvantages:  Difficulty of setting up packet filter rules  Lack of Authentication  Possible attacks and appropriate countermeasures  IP address spoofing  Source routing attacks  Tiny fragment attacks 11
  • 13. Types of Firewalls • Stateful Inspection Firewall  Most standard applications that run on top of TCP follow client server model  Creates a directory of outbound TCP connections. – An entry for each currently established connection.  Reviews same packet information as packet filtering firewall but also records information about TCP connections  Can keep track TCP sequence number. 13
  • 15. Types of Firewalls II • Application-level Gateway 15
  • 16. Application-level Gateway • Application-level Gateway – Also called proxy server – Acts as a relay of application-level traffic • Advantages: – Higher security than packet filters – Only need to scrutinise a few allowable applications – Easy to log and audit all incoming traffic • Disadvantages: – Additional processing overhead on each connection (gateway as splice point) 16
  • 17. Types of Firewalls III • Circuit-level Gateway 17
  • 18. Circuit-level Gateway • Circuit-level Gateway  Stand-alone system or  Specialised function performed by an Application-level Gateway  Sets up two TCP connections  The gateway typically relays TCP segments from one connection to the other without examining the contents  The security function consists of determining which connections will be allowed  Typically use is a situation in which the system administrator trusts the internal users  An example is the SOCKS package 18
  • 21. Bastion Host • Bastion Host  A system identified by the firewall administrator as a critical strong point in the network´s security – Hardware with its own secured version of OS – Only allowable services are installed – May require additional authentication from users for accessing services.  The bastion host serves as a platform for an application-level or circuit-level gateway 21
  • 22. Host-Based Firewalls • Software Module used to secure an individual host.  Commonly available in OS  Filter and restrict flow of packets  Common location : Server • Advantages  Rules can be tailored  Independent of topology  As independent firewall, may provide extra layer of protection without changing the existing network 22
  • 23. Personal Firewall • Controls traffic between a personal computer or workstation • May be used in home and in enterprise both • Less complex as primary goal is to deny unauthorized remote access • Can also monitor outgoing activity 23
  • 25. Firewall Configurations  Greater security than single configurations because of two reasons:  This configuration implements both packet-level and application-level filtering (allowing for flexibility in defining security policy)  An intruder must generally penetrate two separate systems  This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server) 25
  • 26. Screened host firewall • Screened host firewall system (single-homed bastion host) • Screened host firewall, single-homed bastion configuration • Firewall consists of two systems:  A packet-filtering router  A bastion host 26
  • 27. Firewall Configurations  Screened host firewall system (dual-homed bastion host)  Screened host firewall, dual-homed bastion configuration – The packet-filtering router is not completely compromised – Traffic between the Internet and other hosts on the private network has to flow through the bastion host 27
  • 28. Firewall Configurations  Screened-subnet firewall system  Screened subnet firewall configuration – Most secure configuration of the three – Two packet-filtering routers are used – Creation of an isolated sub-network 28
  • 29. Firewall Configurations  Advantages:  Three levels of defense to thwart intruders  The outside router advertises only the existence of the screened subnet to the Internet (internal network is invisible to the Internet)  The inside router advertises only the existence of the screened subnet to the internal network (the systems on the inside network cannot construct direct routes to the Internet) 29
  • 31. Demilitarized zone (DMZ) • Usage of firewalls to create a “no mans land” for services that should be accessible from the external network 31
  • 34. Trusted Systems & Data Access Control  One way to enhance the ability of a system to defend against intruders and malicious programs is to implement trusted system technology  Data Access control • Through the user access control procedure (log on), a user can be identified to the system • Associated with each user, there can be a profile that specifies permissible operations and file accesses • The operation system can enforce rules based on the user profile  General models of access control: – Access matrix – Access control list – Capability list 34
  • 35. Data Access Control  Access Matrix: Basic elements of the model  Subject: An entity capable of accessing objects, the concept of subject equates with that of process  Object: Anything to which access is controlled (e.g. files, programs)  Access right: The way in which an object is accessed by a subject (e.g. read, write, execute)  Access Control List – An access control list lists users and their permitted access right – The list may contain a default or public entry  Capability list – A capability ticket specifies authorised objects and operations for a user – Each user have a number of tickets 35
  • 36. The Concept of Trusted Systems  Trusted Systems  Protection of data and resources on the basis of levels of security (e.g. military)  Users can be granted clearances to access certain categories of data  Multilevel security  Definition of multiple categories or levels of data  A multilevel secure system must enforce:  No read up: A subject can only read an object of less or equal security level (Simple Security Property)  No write down: A subject can only write into an object of greater or equal security level (*-Property)  (Please read the concepts of Bell—LaPadula Confidentiality Model and Biba Integrity Model (Important Reading Assignment) (http://en.wikibooks.org/wiki/Security_Architecture_and_Design/Security_Models) 36
  • 37. The Concept of Trusted Systems II  Reference Monitor  Controlling element in the hardware and operating system of a computer that regulates the access of subjects to objects on basis of security parameters  The monitor has access to a file (security kernel database)  The monitor enforces the security rules (no read up, no write down)  Properties of the Reference Monitor  Complete mediation: Security rules are enforced on every access  Isolation: The reference monitor and database are protected from unauthorised modification  Verifiability: The reference monitor’s correctness must be provable (mathematically) 37
  • 39. iptables • Firewall administration program • Implemented within the operating system • Works at the IP network and Transport Protocol Layers • Protects the system by making routing decisions after filtering packets based on information in the IP packet header • Consists of a list of acceptance and denial rules • The rules are stored in kernel tables, in an input output or forward chain 39
  • 40. Packet-Filtering Concepts • Rules based on:  Specific NIC  Host IP address  Network layer´s source and destination IP addresses  The transport layer´s TCP and UDP service ports  TCP connection flags  The network layer´s ICMP message types  Whether the packet is incoming or outgoing The order in which the rules are defined is important 40
  • 41. Tables 1. filter table - responsible for filtering - default table  INPUT chain - All packets arriving into the system go through this chain.  OUTPUT chain - All packets leaving the system go through this chain.  FORWARD chain - All packets passing through the system (being routed) go through this chain. 2. nat table - responsible for rewriting packet addresses or ports. consulted when a packet that creates a new connection is encountered  PREROUTING chain - Incoming packets pass through this chain before the local routing table is consulted, primarily for DNAT (destination-NAT).  POSTROUTING chain - Outgoing packets pass through this chain after the routing decision has been made, primarily for SNAT (source-NAT). • mangle table - responsible for adjusting packet options, such as quality of service. (Reading Assignment)  PREROUTING chain.  INPUT chain.  FORWARD chain.  OUTPUT chain. 41  POSTROUTING chain.
  • 42. Firewall Characteristics  The list of rules rules defining what can come in and what can go out are called chains Network Interface  2 chains:  Input chain Incoming packet Match rule3?  Output chain Input chain  ( Forward chain ) No Match rule1? Match rule2? No No Match rule2? Match rule1? No Output chain Match rule3? Outgoing packet 42
  • 43. Default Packet-filering policy  Each chain has a default policy  If the packet doesn’t match any rule the default policy is applied  2 basic approaches to a firewall: 1. Deny everything by default and explicitly allow selected packets through 2. Accept everything by default and explicitly deny selected packets through 43
  • 44. Deny-everything-by-default policy Incoming packet FW chain Match rule1? Yes Accept No Match rule2? Yes Accept No Match rule3? Yes Accept No Policy: DENY 44
  • 45. Accept-everything-by-default policy Incoming packet FW chain Match rule1? Yes Deny No Match rule2? Yes Deny No Match rule3? Yes Deny No Policy: ACCEPT 45
  • 46. Reject vs Deny Firewall mechanism gives you the option of either rejecting or denying packets Return error Discard to sender Yes Yes Reject? Deny? Packet No No 46
  • 47. iptables command-line arguments • iptables – A|I|D [chain] [-i interface] [-p protocol] [ [!] --syn] • [-s address [ port [:port] ] ] • [-d adress [ port [:port] ] ] • -j policy [ -l] A | I | S : Append |Insert |Delete • #Set the default policy to deny • iptables –P input DENY • iptables –P output REJECT • iptables –P forward REJECT -P (Chain Target) 47
  • 48. iptables command-line arguments • # Unlimited traffic on the loopback interface. • iptables -A input -i $LOOPBACK_INTERFACE -j ACCEPT • iptables -A output -o $LOOPBACK_INTERFACE -j ACCEPT • iptables -A output -o $EXTERNAL_INTERFACE -p icmp • -s $IPADDR -- icmp-type echo-request -j ACCEPT • iptables -A input -i $EXTERNAL_INTERFACE -p icmp • --icmp-type echo-reply -d $IPADDR -j ACCEPT 48
  • 49. iptables command-line arguments • # HTTP Web client • iptables -A output -o $EXTERNAL_INTERFACE -p tcp • -s $IPADDR --sport $UNPRIVPORTS • --dport 80 -j ACCEPT • iptables -A input -i $EXTERNAL_INTERFACE -p tcp ! --syn • -sport 80 • -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT 49
  • 50. iptables command-line arguments • iptables -A output -o $EXTERNAL_INTERFACE -p tcp • -s $IPADDR --sport $UNPRIVPORTS • --dport 443 -j ACCEPT • iptables -A input -i $EXTERNAL_INTERFACE -p tcp ! --syn • -sport 443 • -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT 50
  • 51. iptables command-line arguments • # DNS client (53) • iptables -A output -o $EXTERNAL_INTERFACE -p udp • -s $IPADDR --sport $UNPRIVPORTS • -d $NAMESERVER_1--dport 53 -j ACCEPT • iptables -A input -i $EXTERNAL_INTERFACE -p udp • -s $NAMESERVER_1 --sport 53 • -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT 51