Firewalls
  Chapter 11
The function of a strong position is to make the forces holding it
                    practically unassailable.

                                      - On War, Carl von Clausewitz
Contents

•   Firewall
     Characteristics
     Types
•   Firewall Basing
     Bastion Host
     Host Based
     Personal Firewall
•   Firewall Location and Configurations
Firewalls : Need

•   Effective means of protecting a local system or network of
    systems from network-based security threats while affording
    access to the outside world via WANs or the Internet

•   The firewall is inserted between the premises network and the
    Internet

•   Aims:
     Establish a controlled link
     Protect the premises network from Internet-based attacks
     Provide a single choke point



                            ET1318 - Network Security
Design goals

•   All traffic from inside to outside must pass through the firewall
    (physically blocking all access to the local network except via
    the firewall)

•   Only authorized traffic (defined by the local security policy) will
    be allowed to pass

•   The firewall itself is immune to penetration (use of a trusted
    system with a secure operating system)
Characteristics: Access Control

•    4 general techniques:

1. Service control
        Determines the types of Internet services that can be accessed,
         inbound or outbound

2. Direction control
        Determines the direction in which particular service requests are
         allowed to flow

3. User control
        Controls access to a service according to which user is attempting
         to access it

4. Behavior control
        Controls how particular services are used (e.g. filter e-mail)
Characteristics: Capabilities & Limitations

•   Capabilities
     Single choke point
     Prohibits potentially vulnerable services from entering or leaving the
      network
     Provides protection from attacks (of different kinds)
     Provides a location for monitoring security-related events
•   Limitations
       Cannot protect against attacks that bypass the firewall
       May not protect fully against internal threats
       Cannot secure an improperly secured wireless LAN
       Cannot secure ad hoc systems which are already infected
Types of Firewalls

•   4 common types of Firewalls:

     Packet-filtering routers

     Stateful Inspection Firewalls

     Application-level gateways

     Circuit-level gateways
Types of Firewalls: Packet-filtering (figure)
Packet-filtering

•   Applies a set of rules to each incoming IP packet and then
    forwards or discards the packet

•   Filters packets going in both directions

•   The packet filter is typically set up as a list of rules based on
    matches to fields in the IP or TCP header

•   Two default policies (discard or forward)
Packet-filtering

   Advantages:
   Simplicity
   Transparency to users
   High speed

   Disadvantages:
   Difficulty of setting up packet filter rules
   Lack of Authentication

   Possible attacks and appropriate countermeasures
   IP address spoofing
   Source routing attacks
   Tiny fragment attacks
Packet-filtering (figure)
Types of Firewalls

•   Stateful Inspection Firewall
     Most standard applications that run on top of TCP follow the client-server
      model

     Creates a directory of outbound TCP connections.
        – An entry for each currently established connection.
     Reviews the same packet information as a packet-filtering firewall but also
      records information about TCP connections

     Can keep track of TCP sequence numbers.
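Added example, not code from the slides: a minimal stateful inspection filter in Python that keeps the directory of outbound TCP connections described above and admits inbound segments only when they belong to an entry in it. The addresses, ports and segment format are constructed, and sequence-number tracking is left out.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    """A TCP segment as seen by the firewall (constructed sample format)."""
    direction: str   # "out" = leaving the premises network, "in" = arriving from outside
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


# Directory key, always written from the inside host's point of view:
# (inside address, inside port, outside address, outside port).
ConnKey = Tuple[str, int, str, int]


class StatefulInspector:
    """Directory of outbound TCP connections plus the accept/drop decision."""

    def __init__(self) -> None:
        self.table: Dict[ConnKey, str] = {}   # state: "syn_sent" or "established"

    def _key(self, seg: Segment) -> ConnKey:
        if seg.direction == "out":
            return (seg.src, seg.sport, seg.dst, seg.dport)
        return (seg.dst, seg.dport, seg.src, seg.sport)

    def filter(self, seg: Segment) -> str:
        key = self._key(seg)
        state = self.table.get(key)
        if seg.direction == "out":
            if seg.syn and not seg.ack:
                self.table[key] = "syn_sent"        # new outbound connection recorded
                return "ACCEPT"
            if state is None:
                return "DROP"                        # outbound segment of an unknown connection
            if seg.ack and not seg.syn:
                self.table[key] = "established"      # third step of the handshake (or data)
            return "ACCEPT"
        # Inbound: only segments that belong to a recorded connection pass.
        if state is None:
            return "DROP"                            # unsolicited, even with SYN clear
        if state == "syn_sent" and seg.syn and seg.ack:
            return "ACCEPT"                          # the SYN/ACK reply we are waiting for
        if state == "established" and not seg.syn:
            return "ACCEPT"
        return "DROP"                                # e.g. a stray SYN on an open connection


ME, WEB = "192.0.2.10", "203.0.113.5"   # constructed addresses


def handshake_then_data() -> List[str]:
    """Outbound web connection: SYN, SYN/ACK, ACK, then a data segment back."""
    fw = StatefulInspector()
    return [
        fw.filter(Segment("out", ME, 40000, WEB, 80, syn=True)),
        fw.filter(Segment("in", WEB, 80, ME, 40000, syn=True, ack=True)),
        fw.filter(Segment("out", ME, 40000, WEB, 80, ack=True)),
        fw.filter(Segment("in", WEB, 80, ME, 40000, ack=True)),
    ]


def unsolicited_from_port_80() -> str:
    """A non-SYN segment from source port 80 with no table entry: a stateless
    '! --syn' rule would accept it, the stateful filter does not."""
    fw = StatefulInspector()
    return fw.filter(Segment("in", WEB, 80, ME, 40001, ack=True))
```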
Stateful Inspection Firewall (figure)
Types of Firewalls II: Application-level Gateway (figure)
Application-level Gateway

• Application-level Gateway
– Also called proxy server
– Acts as a relay of application-level traffic

• Advantages:
– Higher security than packet filters
– Only need to scrutinise a few allowable applications
– Easy to log and audit all incoming traffic

• Disadvantages:
– Additional processing overhead on each connection (gateway as splice
  point)
Types of Firewalls III: Circuit-level Gateway (figure)
Circuit-level Gateway

•   Circuit-level Gateway
     Stand-alone system or
     Specialised function performed by an Application-level Gateway
     Sets up two TCP connections
     The gateway typically relays TCP segments from one connection to
      the other without examining the contents
     The security function consists of determining which connections
      will be allowed
     Typical use is a situation in which the system administrator trusts
      the internal users
     An example is the SOCKS package
Circuit-level Gateway (figure)
Firewall Basing
Bastion Host

•   Bastion Host

     A system identified by the firewall administrator as a critical strong
      point in the network's security
        – Hardware with its own secured version of the OS
        – Only allowable services are installed
        – May require additional authentication from users for accessing
          services.

     The bastion host serves as a platform for an application-level or
      circuit-level gateway
Host-Based Firewalls

•   Software module used to secure an individual host.
     Commonly available in the OS
     Filters and restricts the flow of packets
     Common location: server
•   Advantages
     Rules can be tailored
     Independent of topology
     As an independent firewall, may provide an extra layer of protection without
      changing the existing network
Personal Firewall

•   Controls traffic between a personal computer or workstation
•   May be used both in the home and in the enterprise
•   Less complex, as the primary goal is to deny unauthorized remote
    access
•   Can also monitor outgoing activity
Locations and Configurations
Firewall Configurations
   Greater security than single configurations, for two
    reasons:
   This configuration implements both packet-level and application-level
    filtering (allowing for flexibility in defining security policy)
   An intruder must generally penetrate two separate systems

   This configuration also affords flexibility in providing direct
    Internet access (public information server, e.g. Web server)
Screened host firewall

•   Screened host firewall, single-homed bastion configuration
•   Firewall consists of two systems:
      A packet-filtering router
      A bastion host
Firewall Configurations

   Screened host firewall, dual-homed bastion configuration
– Guards against the case where the packet-filtering router is completely
  compromised
– Traffic between the Internet and other hosts on the private network has
  to flow through the bastion host
Firewall Configurations

   Screened subnet firewall configuration
– Most secure configuration of the three
– Two packet-filtering routers are used
– Creation of an isolated sub-network
Firewall Configurations
   Advantages:
   Three levels of defense to thwart intruders
   The outside router advertises only the existence of the screened subnet
    to the Internet (internal network is invisible to the Internet)
   The inside router advertises only the existence of the screened subnet to
    the internal network (the systems on the inside network cannot construct
    direct routes to the Internet)
Firewall Configuration (figure)
Demilitarized zone (DMZ)

•   Usage of firewalls to create a “no man's land” for services that
    should be accessible from the external network
Virtual Private Networks (figure)
Distributed Firewalls (figure)
Trusted Systems & Data Access Control
   One way to enhance the ability of a system to defend against
    intruders and malicious programs is to implement trusted system
    technology

   Data Access Control
•   Through the user access control procedure (log on), a user can be
    identified to the system
•   Associated with each user, there can be a profile that specifies
    permissible operations and file accesses
•   The operating system can enforce rules based on the user profile

   General models of access control:
– Access matrix
– Access control list
– Capability list
Data Access Control

   Access Matrix: Basic elements of the model
   Subject: An entity capable of accessing objects; the concept of subject
    equates with that of process
   Object: Anything to which access is controlled (e.g. files, programs)
   Access right: The way in which an object is accessed by a subject (e.g.
    read, write, execute)

   Access Control List
– An access control list lists users and their permitted access rights
– The list may contain a default or public entry

   Capability list
– A capability ticket specifies authorised objects and operations for a user
– Each user has a number of tickets
The Concept of Trusted Systems

   Trusted Systems
        Protection of data and resources on the basis of levels of security
         (e.g. military)
        Users can be granted clearances to access certain categories of data

   Multilevel security
        Definition of multiple categories or levels of data

   A multilevel secure system must enforce:
        No read up: A subject can only read an object of less or equal
         security level (Simple Security Property)
        No write down: A subject can only write into an object of greater or
         equal security level (*-Property)

   (Please read the concepts of the Bell-LaPadula Confidentiality Model and
    the Biba Integrity Model: Important Reading Assignment,
    http://en.wikibooks.org/wiki/Security_Architecture_and_Design/Security_Models)
The Concept of Trusted Systems II
   Reference Monitor
   Controlling element in the hardware and operating system of a computer
    that regulates the access of subjects to objects on the basis of security
    parameters
   The monitor has access to a file (security kernel database)
   The monitor enforces the security rules (no read up, no write down)

   Properties of the Reference Monitor
   Complete mediation: Security rules are enforced on every access
   Isolation: The reference monitor and database are protected from
    unauthorised modification
   Verifiability: The reference monitor's correctness must be provable
    (mathematically)
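Added example, not code from the slides: a small reference monitor in Python that enforces the two multilevel-security rules stated above (no read up, no write down) and illustrates complete mediation and isolation, with every access recorded for auditing. The level lattice, subjects, objects and clearances are constructed sample data.

```python
from typing import Dict, List, Tuple

# Ordered security levels, lowest first (constructed sample lattice).
LEVELS: Dict[str, int] = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


class ReferenceMonitor:
    """Mediates every subject-to-object access against the security kernel database."""

    def __init__(self, clearances: Dict[str, str], classifications: Dict[str, str]) -> None:
        # Isolation: private copies, so callers cannot alter the database the monitor reads.
        self._clearance = dict(clearances)
        self._classification = dict(classifications)
        self.audit: List[Tuple[str, str, str, bool]] = []   # (subject, object, mode, allowed)

    def check_access(self, subject: str, obj: str, mode: str) -> bool:
        """Complete mediation: this is the only path from a subject to an object."""
        s = LEVELS[self._clearance[subject]]        # subject's clearance
        o = LEVELS[self._classification[obj]]       # object's classification
        if mode == "read":
            allowed = s >= o          # no read up (simple security property)
        elif mode == "write":
            allowed = s <= o          # no write down (*-property)
        else:
            raise ValueError(f"unknown access mode {mode!r}")
        self.audit.append((subject, obj, mode, allowed))   # security-relevant event
        return allowed


def blp_demo() -> Dict[str, bool]:
    """Constructed subjects and objects; a 'secret' analyst and an 'unclassified' clerk."""
    monitor = ReferenceMonitor(
        clearances={"analyst": "secret", "clerk": "unclassified"},
        classifications={"memo": "confidential", "plan": "top secret", "bulletin": "unclassified"},
    )
    return {
        "analyst reads memo (lower)": monitor.check_access("analyst", "memo", "read"),
        "analyst reads plan (higher)": monitor.check_access("analyst", "plan", "read"),
        "analyst writes bulletin (lower)": monitor.check_access("analyst", "bulletin", "write"),
        "analyst writes plan (higher)": monitor.check_access("analyst", "plan", "write"),
        "clerk reads memo (higher)": monitor.check_access("clerk", "memo", "read"),
    }
```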
Linux Firewall
iptables

•   Firewall administration program

•   Implemented within the operating system

•   Works at the IP (network) and transport protocol layers

•   Protects the system by making routing decisions after filtering
    packets based on information in the IP packet header

•   Consists of a list of acceptance and denial rules

•   The rules are stored in kernel tables, in an input, output or
    forward chain
Packet-Filtering Concepts

•   Rules based on:
       Specific NIC
       Host IP address
       Network layer's source and destination IP addresses
       The transport layer's TCP and UDP service ports
       TCP connection flags
       The network layer's ICMP message types
       Whether the packet is incoming or outgoing

•   The order in which the rules are defined is important
Tables

1. filter table - responsible for filtering - default table
        INPUT chain - All packets arriving into the system go through this chain.
        OUTPUT chain - All packets leaving the system go through this chain.
        FORWARD chain - All packets passing through the system (being routed) go
         through this chain.
2. nat table - responsible for rewriting packet addresses or ports;
                consulted when a packet that creates a new connection is encountered
        PREROUTING chain - Incoming packets pass through this chain before the local
         routing table is consulted, primarily for DNAT (destination-NAT).
        POSTROUTING chain - Outgoing packets pass through this chain after the
         routing decision has been made, primarily for SNAT (source-NAT).
3. mangle table - responsible for adjusting packet options, such as quality of
    service. (Reading Assignment)
        PREROUTING chain.
        INPUT chain.
        FORWARD chain.
        OUTPUT chain.
        POSTROUTING chain.
Firewall Characteristics

 The lists of rules defining what can come in and what can
   go out are called chains

 2 chains:
      Input chain
      Output chain
      ( Forward chain )

 (Figure: an incoming packet from the network interface enters the input
  chain and is tested against rule 1, rule 2 and rule 3 in order; an
  outgoing packet is tested against the output chain's rules in order
  before leaving through the network interface.)
Default Packet-filtering policy

 Each chain has a default policy

 If the packet doesn't match any rule the default policy is applied

 2 basic approaches to a firewall:
    1. Deny everything by default and explicitly allow selected packets
       through
    2. Accept everything by default and explicitly deny selected packets
       through
Deny-everything-by-default policy

 (Figure: an incoming packet enters the firewall chain. Match rule 1?
  Yes: Accept. No: Match rule 2? Yes: Accept. No: Match rule 3? Yes:
  Accept. No: the chain policy applies. Policy: DENY)
Accept-everything-by-default policy

 (Figure: an incoming packet enters the firewall chain. Match rule 1?
  Yes: Deny. No: Match rule 2? Yes: Deny. No: Match rule 3? Yes: Deny.
  No: the chain policy applies. Policy: ACCEPT)
Reject vs Deny
The firewall mechanism gives you the option of either rejecting or
denying packets

 (Figure: for each packet, Reject? Yes: return an error to the sender.
  Deny? Yes: discard the packet silently.)
iptables command-line arguments

    iptables -A|-I|-D chain [-i in-interface] [-o out-interface] [-p protocol]
             [[!] --syn] [-s address] [--sport port[:port]]
             [-d address] [--dport port[:port]] -j target

                                           -A | -I | -D : Append | Insert | Delete
                                           (ports are matched with --sport/--dport,
                                            not as part of the address)

    # Set the default policy to deny. A built-in chain's policy can only be
    # ACCEPT or DROP (REJECT is not accepted as a policy); lowercase chain
    # names and the DENY target are ipchains syntax, not iptables.
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
                 -P chain target  (sets the chain's default policy)
iptables command-line arguments

    # Unlimited traffic on the loopback interface.
    iptables -A INPUT  -i $LOOPBACK_INTERFACE -j ACCEPT
    iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT

    # Outgoing ping (echo-request) from this host and the echo-reply back.
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
             -s $IPADDR --icmp-type echo-request -j ACCEPT

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
             --icmp-type echo-reply -d $IPADDR -j ACCEPT
iptables command-line arguments

    # HTTP Web client

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR --sport $UNPRIVPORTS \
             --dport 80 -j ACCEPT

    # Replies only: "! --syn" refuses segments that would open a new
    # connection from source port 80 towards an unprivileged port.
    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
             --sport 80 \
             -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
iptables command-line arguments

    # HTTPS Web client (443)
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR --sport $UNPRIVPORTS \
             --dport 443 -j ACCEPT

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
             --sport 443 \
             -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
iptables command-line arguments

    # DNS client (53)
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
             -s $IPADDR --sport $UNPRIVPORTS \
             -d $NAMESERVER_1 --dport 53 -j ACCEPT

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
             -s $NAMESERVER_1 --sport 53 \
             -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
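Added example, not code from the slides: a Python model of the packet-filtering behaviour the preceding slides describe (an ordered chain, first match wins, a per-chain default policy, and the reject-versus-deny distinction), loaded with the slides' HTTP-client rule pair under a deny-everything-by-default policy and run over constructed packets. The interface name, addresses and packet format are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UNPRIV = range(1024, 65536)          # the slides' $UNPRIVPORTS
PORT_80 = range(80, 81)


@dataclass(frozen=True)
class Packet:
    """Header fields the filter looks at (constructed sample format)."""
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False                # True: TCP segment opening a new connection


@dataclass
class Rule:
    target: str                      # "ACCEPT", "DROP" (deny) or "REJECT"
    iface: Optional[str] = None      # -i / -o
    proto: Optional[str] = None      # -p
    src: Optional[str] = None        # -s
    sport: Optional[range] = None    # --sport
    dst: Optional[str] = None        # -d
    dport: Optional[range] = None    # --dport
    syn: Optional[bool] = None       # True: --syn, False: ! --syn, None: any

    def matches(self, p: Packet) -> bool:
        """Every field given in the rule must match; omitted fields are wildcards."""
        return all((
            self.iface is None or self.iface == p.iface,
            self.proto is None or self.proto == p.proto,
            self.src is None or self.src == p.src,
            self.sport is None or p.sport in self.sport,
            self.dst is None or self.dst == p.dst,
            self.dport is None or p.dport in self.dport,
            self.syn is None or self.syn == p.syn,
        ))


class Chain:
    """An ordered rule list with a default policy, like an iptables built-in chain."""

    def __init__(self, name: str, policy: str) -> None:
        if policy not in ("ACCEPT", "DROP"):
            raise ValueError("a built-in chain's policy is ACCEPT or DROP")
        self.name, self.policy = name, policy
        self.rules: List[Rule] = []

    def append(self, rule: Rule) -> None:                # iptables -A
        self.rules.append(rule)

    def insert(self, rule: Rule, pos: int = 0) -> None:  # iptables -I
        self.rules.insert(pos, rule)

    def verdict(self, p: Packet) -> Tuple[str, Optional[int]]:
        """Walk the chain in order; the first matching rule decides.
        Returns (target, index of the rule that fired) or (policy, None)."""
        for i, rule in enumerate(self.rules):
            if rule.matches(p):
                return rule.target, i
        return self.policy, None


def sender_sees(target: str) -> str:
    """Reject returns an error to the sender; deny (DROP) discards silently."""
    return {"ACCEPT": "delivered", "REJECT": "error", "DROP": "nothing"}[target]


def web_client_chains(iface: str, ipaddr: str) -> Tuple[Chain, Chain]:
    """The slides' HTTP-client rule pair under a deny-everything-by-default policy."""
    inp, out = Chain("INPUT", "DROP"), Chain("OUTPUT", "DROP")
    out.append(Rule("ACCEPT", iface=iface, proto="tcp", src=ipaddr, sport=UNPRIV, dport=PORT_80))
    inp.append(Rule("ACCEPT", iface=iface, proto="tcp", syn=False, sport=PORT_80, dst=ipaddr, dport=UNPRIV))
    return inp, out


ME, WEB = "192.0.2.10", "203.0.113.5"   # constructed addresses


def filter_demo() -> Dict[str, object]:
    inp, out = web_client_chains("eth0", ME)
    r: Dict[str, object] = {}
    r["out_syn_to_80"] = out.verdict(Packet("eth0", "tcp", ME, 40000, WEB, 80, syn=True))[0]
    r["in_reply_from_80"] = inp.verdict(Packet("eth0", "tcp", WEB, 80, ME, 40000))[0]
    # A new connection *from* port 80 is not a reply: "! --syn" fails, the policy applies.
    r["in_syn_from_80"] = inp.verdict(Packet("eth0", "tcp", WEB, 80, ME, 40000, syn=True))[0]
    r["out_ssh"] = out.verdict(Packet("eth0", "tcp", ME, 40001, WEB, 22, syn=True))[0]
    # Order matters: a REJECT rule inserted at the head shadows the ACCEPT below it.
    inp.insert(Rule("REJECT", proto="tcp", dport=UNPRIV))
    target, idx = inp.verdict(Packet("eth0", "tcp", WEB, 80, ME, 40000))
    r["in_reply_after_insert"] = (target, idx, sender_sees(target))
    return r
```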
Keynote by Prof. Wurzer at Nordex about IP-design
 
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptxLEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
 

Lecture 4 firewalls

7. Characteristics: Capabilities & Limitations

•   Capabilities
     Single choke point
     Prohibits potentially vulnerable services from entering or leaving the network
     Provides protection from different kinds of attacks
     Provides a location for monitoring security-related events

•   Limitations
     Cannot protect against attacks that bypass the firewall
     May not protect fully against internal threats
     Cannot secure an improperly secured wireless LAN
     Cannot secure ad hoc systems which are already infected

8. Types of Firewalls

•   4 common types of firewalls:
     Packet-filtering routers
     Stateful inspection firewalls
     Application-level gateways
     Circuit-level gateways

9. Types of Firewalls

•   Packet-filtering

10. Packet-filtering

•   Applies a set of rules to each incoming IP packet and then forwards or discards the packet
•   Filters packets going in both directions
•   The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header
•   Two default policies (discard or forward)

11. Packet-filtering

•   Advantages:
     Simplicity
     Transparency to users
     High speed
•   Disadvantages:
     Difficulty of setting up packet filter rules
     Lack of authentication
•   Possible attacks and appropriate countermeasures:
     IP address spoofing
     Source routing attacks
     Tiny fragment attacks
13. Types of Firewalls

•   Stateful Inspection Firewall
     Most standard applications that run on top of TCP follow the client/server model
     Creates a directory of outbound TCP connections
        – An entry for each currently established connection
     Reviews the same packet information as a packet-filtering firewall, but also records information about TCP connections
     Can keep track of TCP sequence numbers

15. Types of Firewalls II

•   Application-level Gateway

16. Application-level Gateway

•   Application-level Gateway
     – Also called proxy server
     – Acts as a relay of application-level traffic
•   Advantages:
     – Higher security than packet filters
     – Only need to scrutinise a few allowable applications
     – Easy to log and audit all incoming traffic
•   Disadvantages:
     – Additional processing overhead on each connection (gateway as splice point)

17. Types of Firewalls III

•   Circuit-level Gateway

18. Circuit-level Gateway

•   Circuit-level Gateway
     Stand-alone system, or
     Specialised function performed by an application-level gateway
     Sets up two TCP connections
     The gateway typically relays TCP segments from one connection to the other without examining the contents
     The security function consists of determining which connections will be allowed
     Typical use is a situation in which the system administrator trusts the internal users
     An example is the SOCKS package
21. Bastion Host

•   Bastion Host
     A system identified by the firewall administrator as a critical strong point in the network's security
        – Hardware with its own secured version of the OS
        – Only allowable services are installed
        – May require additional authentication from users for accessing services
     The bastion host serves as a platform for an application-level or circuit-level gateway

22. Host-Based Firewalls

•   Software module used to secure an individual host
     Commonly available in the OS
     Filters and restricts the flow of packets
     Common location: server
•   Advantages
     Rules can be tailored to the host
     Independent of topology
     As an independent firewall, may provide an extra layer of protection without changing the existing network

23. Personal Firewall

•   Controls traffic between a personal computer or workstation and the network
•   May be used both in the home and in the enterprise
•   Less complex, as the primary goal is to deny unauthorized remote access
•   Can also monitor outgoing activity
25. Firewall Configurations

     Greater security than single configurations for two reasons:
     This configuration implements both packet-level and application-level filtering (allowing for flexibility in defining security policy)
     An intruder must generally penetrate two separate systems
     This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server)

26. Screened host firewall

•   Screened host firewall system (single-homed bastion host configuration)
•   Firewall consists of two systems:
     A packet-filtering router
     A bastion host

27. Firewall Configurations

     Screened host firewall system (dual-homed bastion host configuration)
        – Even if the packet-filtering router is completely compromised, traffic between the Internet and other hosts on the private network still has to flow through the bastion host

28. Firewall Configurations

     Screened-subnet firewall configuration
        – Most secure configuration of the three
        – Two packet-filtering routers are used
        – Creation of an isolated sub-network

29. Firewall Configurations

     Advantages:
     Three levels of defense to thwart intruders
     The outside router advertises only the existence of the screened subnet to the Internet (the internal network is invisible to the Internet)
     The inside router advertises only the existence of the screened subnet to the internal network (the systems on the inside network cannot construct direct routes to the Internet)

31. Demilitarized zone (DMZ)

•   Use of firewalls to create a "no man's land" for services that should be accessible from the external network
34. Trusted Systems & Data Access Control

     One way to enhance the ability of a system to defend against intruders and malicious programs is to implement trusted system technology
     Data access control
        • Through the user access control procedure (log on), a user can be identified to the system
        • Associated with each user, there can be a profile that specifies permissible operations and file accesses
        • The operating system can enforce rules based on the user profile
     General models of access control:
        – Access matrix
        – Access control list
        – Capability list

35. Data Access Control

     Access Matrix: basic elements of the model
     Subject: An entity capable of accessing objects; the concept of subject equates with that of process
     Object: Anything to which access is controlled (e.g. files, programs)
     Access right: The way in which an object is accessed by a subject (e.g. read, write, execute)
     Access Control List
        – An access control list lists users and their permitted access rights
        – The list may contain a default or public entry
     Capability list
        – A capability ticket specifies authorised objects and operations for a user
        – Each user has a number of tickets

36. The Concept of Trusted Systems

     Trusted Systems
     Protection of data and resources on the basis of levels of security (e.g. military)
     Users can be granted clearances to access certain categories of data
     Multilevel security
     Definition of multiple categories or levels of data
     A multilevel secure system must enforce:
     No read up: A subject can only read an object of less or equal security level (Simple Security Property)
     No write down: A subject can only write into an object of greater or equal security level (*-Property)
     Please read about the Bell-LaPadula Confidentiality Model and the Biba Integrity Model (important reading assignment): http://en.wikibooks.org/wiki/Security_Architecture_and_Design/Security_Models

37. The Concept of Trusted Systems II

     Reference Monitor
     Controlling element in the hardware and operating system of a computer that regulates the access of subjects to objects on the basis of security parameters
     The monitor has access to a file (the security kernel database)
     The monitor enforces the security rules (no read up, no write down)
     Properties of the Reference Monitor
     Complete mediation: Security rules are enforced on every access
     Isolation: The reference monitor and database are protected from unauthorised modification
     Verifiability: The reference monitor's correctness must be provable (mathematically)
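A toy reference monitor, added here as an example and not part of the lecture slides, that ties slides 34 to 37 together: every access passes through one check that first consults the object's access control list (the column view of the access matrix) and then applies no read up / no write down, and every decision is written to an audit log. The levels, users, files and ACL entries are constructed for the example; capability_list is a hypothetical helper showing the row view of the same matrix.

```python
from dataclasses import dataclass, field

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

@dataclass
class Object:
    level: str
    acl: dict = field(default_factory=dict)   # ACL: user -> set of rights; "*" is the public entry

@dataclass
class Subject:
    name: str
    clearance: str

class ReferenceMonitor:
    """Single mediation point: every access goes through check(), and every decision is logged."""

    def __init__(self, objects: dict):
        self.objects = objects          # the security kernel database (objects, levels, ACLs)
        self.audit = []

    def check(self, s: Subject, obj_name: str, right: str) -> bool:
        obj = self.objects[obj_name]
        rights = obj.acl.get(s.name, obj.acl.get("*", set()))
        subj_lvl, obj_lvl = LEVELS[s.clearance], LEVELS[obj.level]
        if right not in rights:               # discretionary check: the ACL column of the matrix
            ok = False
        elif right == "read":                 # simple security property: no read up
            ok = obj_lvl <= subj_lvl
        elif right == "write":                # *-property: no write down
            ok = obj_lvl >= subj_lvl
        else:
            ok = False
        self.audit.append((s.name, obj_name, right, ok))
        return ok

    def access(self, s: Subject, obj_name: str, right: str) -> str:
        """The only way to touch an object; denied requests never reach it."""
        if not self.check(s, obj_name, right):
            raise PermissionError(f"{s.name} may not {right} {obj_name}")
        return f"{right} on {obj_name} by {s.name}"

def capability_list(objects: dict, user: str) -> dict:
    """Row view of the same access matrix: the tickets (object -> rights) held by one user."""
    return {name: obj.acl[user] for name, obj in objects.items() if user in obj.acl}

# Constructed security kernel database: two files with levels and ACL entries.
DB = {
    "budget.xls": Object("secret", {"alice": {"read", "write"}, "bob": {"read"}}),
    "memo.txt": Object("unclassified", {"*": {"read"}, "alice": {"read", "write"}}),
}
MONITOR = ReferenceMonitor(DB)
alice = Subject("alice", "secret")        # cleared for secret
bob = Subject("bob", "confidential")      # cleared only for confidential
```

Note that alice is on the ACL of memo.txt with write permission, yet the monitor still refuses the write: the *-property forbids a secret-cleared subject writing into an unclassified object.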
39. iptables

•   Firewall administration program
•   Implemented within the operating system
•   Works at the IP network and transport protocol layers
•   Protects the system by making routing decisions after filtering packets based on information in the IP packet header
•   Consists of a list of acceptance and denial rules
•   The rules are stored in kernel tables, in an input, output or forward chain

40. Packet-Filtering Concepts

•   Rules based on:
     Specific NIC
     Host IP address
     Network layer's source and destination IP addresses
     The transport layer's TCP and UDP service ports
     TCP connection flags
     The network layer's ICMP message types
     Whether the packet is incoming or outgoing
•   The order in which the rules are defined is important

41. Tables

1. filter table - responsible for filtering - default table
     INPUT chain - All packets arriving into the system go through this chain.
     OUTPUT chain - All packets leaving the system go through this chain.
     FORWARD chain - All packets passing through the system (being routed) go through this chain.
2. nat table - responsible for rewriting packet addresses or ports; consulted when a packet that creates a new connection is encountered
     PREROUTING chain - Incoming packets pass through this chain before the local routing table is consulted, primarily for DNAT (destination NAT).
     POSTROUTING chain - Outgoing packets pass through this chain after the routing decision has been made, primarily for SNAT (source NAT).
3. mangle table - responsible for adjusting packet options, such as quality of service (reading assignment)
     PREROUTING chain
     INPUT chain
     FORWARD chain
     OUTPUT chain
     POSTROUTING chain

42. Firewall Characteristics

     The list of rules defining what can come in and what can go out is called a chain
     2 chains:
     Input chain
     Output chain
     (Forward chain)
    [Figure: an incoming packet from the network interface is tested against rule 1, rule 2 and rule 3 of the input chain in turn; an outgoing packet is tested against the output chain's rules in the same way]

43. Default packet-filtering policy

     Each chain has a default policy
     If the packet doesn't match any rule, the default policy is applied
     2 basic approaches to a firewall:
        1. Deny everything by default and explicitly allow selected packets through
        2. Accept everything by default and explicitly deny selected packets through
44. Deny-everything-by-default policy

    [Flowchart: an incoming packet enters the firewall chain and is tested against rule 1, rule 2 and rule 3 in turn; a match on any of them accepts the packet, and if none matches the chain policy DENY applies]

45. Accept-everything-by-default policy

    [Flowchart: an incoming packet enters the firewall chain and is tested against rule 1, rule 2 and rule 3 in turn; a match on any of them denies the packet, and if none matches the chain policy ACCEPT applies]

46. Reject vs Deny

•   The firewall mechanism gives you the option of either rejecting or denying packets
    [Flowchart: a rejected packet is discarded and an error is returned to the sender; a denied packet is simply discarded]
47. iptables command-line arguments

•   iptables -A|I|D [chain] [-i interface] [-p protocol] [[!] --syn]
        [-s address [port[:port]]]
        [-d address [port[:port]]]
        -j policy [-l]
    A | I | D : Append | Insert | Delete
    -P (chain target): set the default policy of a chain

•   # Set the default policy to deny
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

48. iptables command-line arguments

•   # Unlimited traffic on the loopback interface
    iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
    iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT

•   # Outgoing ping requests from this host and the matching replies
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp -s $IPADDR --icmp-type echo-request -j ACCEPT
    iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp --icmp-type echo-reply -d $IPADDR -j ACCEPT

49. iptables command-line arguments

•   # HTTP web client: outgoing requests to port 80, incoming replies (never a SYN) from port 80
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $IPADDR --sport $UNPRIVPORTS --dport 80 -j ACCEPT
    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn --sport 80 -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT

50. iptables command-line arguments

•   # HTTPS web client: the same pattern for port 443
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $IPADDR --sport $UNPRIVPORTS --dport 443 -j ACCEPT
    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn --sport 443 -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT

51. iptables command-line arguments

•   # DNS client (53)
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp -s $IPADDR --sport $UNPRIVPORTS -d $NAMESERVER_1 --dport 53 -j ACCEPT
    iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp -s $NAMESERVER_1 --sport 53 -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
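A small simulation of the chain semantics on slides 40 to 46 and of the HTTP-client rules on slide 49, added here as an example and not part of the lecture slides: rules are tried in order, the first match decides, and otherwise the chain's default policy applies (DROP, the iptables name for the deny policy on the slides). The host address, interface names and the expansion of $UNPRIVPORTS are assumptions; the packets are constructed.

```python
from dataclasses import dataclass
from typing import Optional

ACCEPT, DROP, REJECT = "ACCEPT", "DROP", "REJECT"
UNPRIVPORTS = range(1024, 65536)   # assumed value of $UNPRIVPORTS on the slides
IPADDR = "192.0.2.10"              # constructed address standing in for $IPADDR

@dataclass
class Packet:
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False              # True for a TCP connection request (SYN without ACK)

@dataclass
class Rule:
    """One chain entry; a None field matches anything, like an omitted iptables option."""
    target: str
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[range] = None
    not_syn: bool = False          # models "! --syn": match only packets that are not SYNs

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or p.iface == self.iface)
                and (self.proto is None or p.proto == self.proto)
                and (self.src is None or p.src == self.src)
                and (self.sport is None or p.sport == self.sport)
                and (self.dst is None or p.dst == self.dst)
                and (self.dport is None or p.dport in self.dport)
                and not (self.not_syn and p.syn))

def run_chain(rules: list, policy: str, p: Packet) -> str:
    """Rules are tried in order; the first match decides, else the default policy applies."""
    for rule in rules:
        if rule.matches(p):
            return rule.target
    return policy

# Deny-everything-by-default INPUT chain with the slides' loopback and HTTP-client reply rules.
INPUT_RULES = [
    Rule(ACCEPT, iface="lo"),
    Rule(ACCEPT, iface="eth0", proto="tcp", sport=80, dst=IPADDR, dport=UNPRIVPORTS, not_syn=True),
]
INPUT_POLICY = DROP

# Constructed packets: a web server's reply to our client, and an unsolicited connection
# attempt that uses source port 80 to look like a reply but targets a local service on 8080.
http_reply = Packet("eth0", "tcp", "198.51.100.7", 80, IPADDR, 40000)
inbound_syn = Packet("eth0", "tcp", "198.51.100.7", 80, IPADDR, 8080, syn=True)
```

Without the `! --syn` qualifier the second packet would be accepted, which is exactly the gap a stateful inspection firewall closes by only admitting packets that belong to a connection in its directory.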