Firewalls

  • Hardware or software system
  • Prevents unauthorised access of packets from one network to another
  • All data leaving any subnet must pass through it
  • Implements 'single point' security measures
  • Event monitoring through packet analysis and logging
  • Network-based access control through implementation of a rule set

Location

Network Firewalls - Placed between a subnet and the internet, e.g. a home network
Host-based Firewalls - Placed on individual machines

DMZ

  • A demilitarized zone is a small subnet that separates externally facing services from the internal network

More Firewalls

  • Not enough on their own: cannot protect against attacks that bypass the firewall (tunnelling)
  • Cannot protect against internal threats or insiders. Egress filtering might help a bit
  • Network firewalls cannot always protect against the transfer of virus-infected programs or files

Packet Filters

  • Specify which packets are allowed or dropped
  • Rules based on source address and TCP/UDP port numbers
  • Possible for both inbound and outbound traffic
  • Can be implemented in a router by only examining packet headers

Rules

  • Rule execution depends on the implementation:
    • IPTABLES - The first rule to match is applied
    • PF - All rules are examined, the last match is applied
  • Rules are organised in chains, which are logical subgroups of rules
  • Depending on the packet, different chains are activated

IPTables

IPTABLES - An application that provides access to the Linux firewall

  • Not actually a firewall, but configures the firewall
  • The firewall is mostly implemented as netfilter modules

IPTABLES uses tables to store chains. Default is the filtering table

  • Chains are ordered lists of rules; each rule either matches a packet or it doesn't
  • A match results in a jump to the rule's target, otherwise the next rule is checked
  • There can be multiple chains per table
  • Jumps can go to ACCEPT, DROP, LOG or another chain
  • Complex behaviour can be built up

Defaults

Four built-in tables in IPTABLES:

  • Filter
  • NAT
  • Mangle - Packet Alteration
  • Raw - Skips connection tracking

The default table is the filtering table, containing the Input, Output and Forward chains

Policies

Permissive - Allow everything except dangerous services. Easy to make a mistake
Restrictive - Block everything except designated useful services. Easy to DoS yourself
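The rule-matching and chain behaviour above (first match wins in iptables, last match wins in PF, LOG is non-terminating, a jump into a user chain that falls through returns to the caller, and the table's default policy decides what nothing matched) is easiest to see on a small evaluator. The following is an added example written for these notes, not iptables or netfilter code; the packets, addresses and chain names are constructed, and the `ordering_demo` function shows the same two rules giving opposite verdicts under the two matching semantics. The two builder functions correspond to the Permissive and Restrictive policies.

```python
# Added example (not iptables/netfilter code): a toy evaluator for iptables-style
# chains on constructed packets. Targets ACCEPT and DROP end evaluation, LOG records
# the packet and continues, and any other target name jumps to a user chain; a chain
# with no terminating match falls through to the table's default policy.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str                # "tcp" or "udp"
    src: str                  # source address (constructed values below)
    dport: int                # destination port
    syn_only: bool = False    # SYN set without ACK: a connection-establishment segment


@dataclass
class Rule:
    target: str                        # "ACCEPT", "DROP", "LOG" or a user chain name
    proto: Optional[str] = None        # None means "any"
    src_prefix: Optional[str] = None   # crude dotted-prefix match, e.g. "10.0.0."
    dport: Optional[int] = None
    new_only: bool = False             # match only connection-establishment segments

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src_prefix is not None and not pkt.src.startswith(self.src_prefix):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.new_only and not pkt.syn_only:
            return False
        return True


class Table:
    def __init__(self, policy: str = "DROP", last_match: bool = False):
        self.chains = {}              # chain name -> ordered list of rules
        self.policy = policy          # verdict when nothing terminating matched
        self.last_match = last_match  # False: first match wins (iptables); True: last match wins (PF)
        self.log = []                 # what LOG rules recorded

    def add_rule(self, chain: str, rule: Rule) -> None:
        self.chains.setdefault(chain, []).append(rule)

    def _walk(self, chain: str, pkt: Packet) -> Optional[str]:
        verdict = None
        for rule in self.chains.get(chain, []):
            if not rule.matches(pkt):
                continue
            if rule.target == "LOG":
                self.log.append(f"{chain}: {pkt}")   # non-terminating: keep checking
                continue
            if rule.target in ("ACCEPT", "DROP"):
                verdict = rule.target
            else:
                sub = self._walk(rule.target, pkt)   # jump into a user chain
                if sub is None:                      # it fell through: resume here
                    continue
                verdict = sub
            if not self.last_match:
                return verdict
        return verdict

    def filter(self, pkt: Packet, chain: str = "INPUT") -> str:
        verdict = self._walk(chain, pkt)
        return verdict if verdict is not None else self.policy


def restrictive_firewall() -> Table:
    """Restrictive policy: drop everything, then allow only designated services."""
    t = Table(policy="DROP")
    t.add_rule("INPUT", Rule("ACCEPT", proto="tcp", dport=22, src_prefix="10.0.0."))
    t.add_rule("INPUT", Rule("SSH_OTHERS", proto="tcp", dport=22))  # everyone else: user chain
    t.add_rule("INPUT", Rule("ACCEPT", proto="tcp", dport=80))
    t.add_rule("SSH_OTHERS", Rule("LOG", new_only=True))            # record the attempt
    t.add_rule("SSH_OTHERS", Rule("DROP"))
    return t


def permissive_firewall() -> Table:
    """Permissive policy: accept everything, then block known-dangerous services."""
    t = Table(policy="ACCEPT")
    t.add_rule("INPUT", Rule("DROP", proto="tcp", dport=23))  # telnet
    return t


def ordering_demo(last_match: bool) -> str:
    """The same two rules give opposite verdicts under first-match and last-match semantics."""
    t = Table(policy="DROP", last_match=last_match)
    t.add_rule("INPUT", Rule("ACCEPT", proto="tcp", dport=80))
    t.add_rule("INPUT", Rule("DROP", proto="tcp"))
    return t.filter(Packet("tcp", "203.0.113.9", 80))


if __name__ == "__main__":
    fw = restrictive_firewall()
    print(fw.filter(Packet("tcp", "10.0.0.5", 22)))                    # ACCEPT
    print(fw.filter(Packet("tcp", "203.0.113.9", 22, syn_only=True)))  # DROP (and logged)
    print(fw.filter(Packet("udp", "203.0.113.9", 53)))                 # DROP (policy)
    print(ordering_demo(False), ordering_demo(True))                   # ACCEPT DROP
```

The `ordering_demo` pair is the practical point of the "execution depends on implementation" bullet: a rule set that is correct under first-match semantics can be exactly wrong when moved to a last-match engine, so rule order has to be reviewed whenever a policy is ported.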

Issues

  • Filters are simple, low level and have high assurance
  • But they have limitations:
    • Cannot prevent attacks that employ application-specific vulnerabilities
    • Do not support higher-level authentication schemes
    • Easy to accidentally allow or deny packets incorrectly

Stateful Packet Filters

  • Understand requests and replies (ACK/SYN)
  • Dynamically generate rules
  • Can support policies for a wider range of protocols

IPTables has modules for stateful packet filtering. ACK packets are used to keep track of the session: they indicate the connection is ongoing, whereas packets without the ACK flag are the connection-establishment messages
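The difference between a plain packet filter that keys on the ACK flag and a stateful filter that remembers sessions is worth seeing concretely. The following is an added example written for these notes, not iptables or conntrack code: a minimal TCP connection tracker in which an outbound SYN creates a dynamic entry and inbound segments are accepted only as replies to a tracked session (or as new connections to an explicitly allowed port). All addresses and ports are constructed, and the state machine is deliberately reduced to NEW and ESTABLISHED (no FIN/RST handling, no timeouts).

```python
# Added example (not iptables/netfilter code): a minimal TCP connection tracker in
# the spirit of the stateful filtering modules. Outbound SYNs create dynamic entries;
# inbound segments are accepted only as replies to a tracked connection or as new
# connections to an explicitly allowed port. All addresses are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def stateless_ack_rule(seg: Segment) -> str:
    """What a stateless packet filter can do: treat any segment carrying ACK as part
    of an ongoing session and block only bare SYNs. Nothing checks the session exists."""
    return "ACCEPT" if seg.ack else "DROP"


class StatefulFilter:
    def __init__(self, local_ip: str, allowed_inbound_ports=()):
        self.local_ip = local_ip
        self.allowed_inbound_ports = set(allowed_inbound_ports)
        self.table = {}   # (local ip, local port, remote ip, remote port) -> state

    def _key(self, seg: Segment):
        if seg.src == self.local_ip:
            return (seg.src, seg.sport, seg.dst, seg.dport)
        return (seg.dst, seg.dport, seg.src, seg.sport)

    def outbound(self, seg: Segment) -> str:
        key = self._key(seg)
        if seg.syn and not seg.ack:
            self.table[key] = "NEW"          # dynamically generated rule for the reply
            return "ACCEPT"
        if key in self.table:
            if seg.ack:
                self.table[key] = "ESTABLISHED"
            return "ACCEPT"
        return "DROP"                        # not part of any tracked session

    def inbound(self, seg: Segment) -> str:
        key = self._key(seg)
        state = self.table.get(key)
        if state is None:
            # Unsolicited: only a bare SYN to a port we serve may open a session.
            if seg.syn and not seg.ack and seg.dport in self.allowed_inbound_ports:
                self.table[key] = "NEW"
                return "ACCEPT"
            return "DROP"
        if seg.ack:                          # SYN-ACK or data/ACK on a tracked session
            self.table[key] = "ESTABLISHED"
            return "ACCEPT"
        return "DROP"                        # e.g. a second bare SYN on a known tuple


def client_session(fw: StatefulFilter, remote: str = "203.0.113.10"):
    """Handshake initiated by the local host, then one data segment each way."""
    me = fw.local_ip
    return [
        fw.outbound(Segment(me, 40000, remote, 443, syn=True)),
        fw.inbound(Segment(remote, 443, me, 40000, syn=True, ack=True)),
        fw.outbound(Segment(me, 40000, remote, 443, ack=True)),
        fw.outbound(Segment(me, 40000, remote, 443, ack=True)),
        fw.inbound(Segment(remote, 443, me, 40000, ack=True)),
    ]


if __name__ == "__main__":
    fw = StatefulFilter("192.0.2.7")
    print(client_session(fw))                                     # five ACCEPTs
    probe = Segment("198.51.100.5", 5555, "192.0.2.7", 22, ack=True)
    print(stateless_ack_rule(probe), fw.inbound(probe))           # ACCEPT DROP
```

The last two lines are the point: an inbound segment with ACK set but no matching table entry passes the stateless rule and is dropped by the stateful one, which is why the notes say stateful filters "understand requests and replies" rather than just flags.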

Application-level Gateways

  • Packet filters have limited criteria for allowing data in and out
  • An application gateway considers the application-layer protocol that is in use
  • Some protocols, like HTTP and SSH will be allowed, others may be blocked
  • Can perform more complex port control than fixed rules

Proxy Servers

  • Imitate a connection on our behalf
  • Can block certain access, and scan for malicious files or web pages

Issues

  • Large overhead per connection
  • More expensive than packet filtering
  • Configuration is complex
  • A separate server is required for each service

Network Address Translation

  • The shortage of IP addresses means that most routers now perform NAT automatically
  • The implicit advantage in NAT is that your own machine is almost totally hidden from the internet
  • Only established connections are forwarded to your internal machine (or specific port forwarding rules)
  • This prevents any unsolicited attacks on random ports, but no other types of attack
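The "only established connections are forwarded" property follows directly from how a source-NAT table works. The following is an added example written for these notes, not any router's code: a toy NAT that allocates a public port for each outbound flow, forwards an inbound packet only when it matches an existing mapping or an explicit port-forwarding rule, and drops everything else. Addresses, ports and the port-forwarding rule are constructed.

```python
# Added example (not any router's code): a toy source-NAT table for a home router.
# Outbound flows get a mapping on the public address; inbound packets are forwarded
# only when they match an existing mapping or an explicit port-forwarding rule,
# otherwise they are dropped. All addresses are constructed.
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class IPPacket:
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    def __init__(self, public_ip: str, port_forwards=None):
        self.public_ip = public_ip
        self.port_forwards = dict(port_forwards or {})  # public port -> (internal ip, port)
        self.next_port = 40000                          # first public port to hand out
        self.out = {}   # (int ip, int port, ext ip, ext port) -> public port
        self.back = {}  # (public port, ext ip, ext port)    -> (int ip, int port)

    def outbound(self, pkt: IPPacket) -> IPPacket:
        """Rewrite the source of an internal packet; remember the flow for replies."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(self.next_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return replace(pkt, src=self.public_ip, sport=self.out[key])

    def inbound(self, pkt: IPPacket) -> Optional[IPPacket]:
        """Return the packet rewritten for the internal host, or None if it is dropped."""
        if pkt.dst != self.public_ip:
            return None
        flow = self.back.get((pkt.dport, pkt.src, pkt.sport))
        if flow is not None:                   # reply to an established outbound flow
            return replace(pkt, dst=flow[0], dport=flow[1])
        fwd = self.port_forwards.get(pkt.dport)
        if fwd is not None:                    # explicit port-forwarding rule
            return replace(pkt, dst=fwd[0], dport=fwd[1])
        return None                            # unsolicited: no internal host is reachable


def demo():
    """Constructed scenario: one outbound flow, its reply, a probe from a different
    host aimed at the same public port, and a hit on the port-forwarding rule."""
    nat = Nat("203.0.113.1", port_forwards={8080: ("192.168.1.20", 80)})
    sent = nat.outbound(IPPacket("192.168.1.10", 50000, "198.51.100.7", 443))
    reply = nat.inbound(IPPacket("198.51.100.7", 443, "203.0.113.1", sent.sport))
    probe = nat.inbound(IPPacket("198.51.100.9", 443, "203.0.113.1", sent.sport))
    web = nat.inbound(IPPacket("198.51.100.9", 6000, "203.0.113.1", 8080))
    return sent, reply, probe, web


if __name__ == "__main__":
    for p in demo():
        print(p)   # translated packet, translated reply, None, translated web request
```

Because the reverse mapping is keyed on the full external address and port as well as the public port, a packet from a different external host to an in-use public port has no mapping and is dropped. That is the whole of the protection NAT gives: nothing reaches an internal host unsolicited, but whatever arrives on a forwarded port or inside an established flow is passed through untouched.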