Intro to Firewalls

1
Intro to Firewalls

• Jon Krueger

2
Outline

• What is a firewall?
• Who needs a firewall?
• What are the OSI and TCP/IP Network models?
• What different types of firewalls are there?
• What are pros and cons of a firewall?
• What is iptables?

3
What is a firewall?

• Protects networked computers from intentional
  hostile intrusion.
• Junction point between two networks. A private
  and a public network.
• Earliest were simple routers.
• The term come from the concept of firewalls and
  firedoors in buildings. They limit damage that
  could spread from one subnet to another.

4
Hardware Firewall
5
Software Firewall
6
A Firewall

• Can filter traffic based on their source and
  destination addresses, port numbers, protocol
  used, and packet state.
• Cannot prevent individual users with modems from
  dialing in and out of the network.
• Cannot protect against social engineering and
  dumpster diving.

7
Who needs a firewall?

• Anyone who is responsible for a private network
  that is connected to a public network.
• Anyone who connects so much as a single computer
  to the internet via modem.

8
Basic Firewall Operation
9
The OSI and TCP/IP Models
10
Professional Firewall Model
11
Types of Firewalls

• Packet Filter
• Circuit Level Gateways
• Application Level Gateways
• Stateful Multilayer Inspection

12
Packet Filtering Firewall
13
Circuit Level Gateway
14
Application Level Gatway
15
Stateful Multilayer Inspection
16
Implementing your firewall

• Choose the access denial methodology.
• Determine inbound access policy.
• Determine outbound access policy.
• Determine if dial-in or dial-out access is
  required. (VPN)
• Decide whether to buy a complete firewall product
  or implement one yourself.

17
Access denial methodology

• Deny access by default

18
Inbound Access Policy

• May be simple NO ACCESS
• NAT
• NAT protocol filtering
• Complex stateful multilayer inspection

19
Outbound Access Policy

• Open Access
• Per User outbound policy (Proxy)

20
Other Considerations

• Dial-in/out
• Buy a solution
• Hardware -- PIX, Sonicwall, WatchGuard
• Software -- CheckPoint, ISA, Boarder Manager
• Build a solution
• Linux -- IPTables
• BSD -- IPFW, IPFilter, pf

21
IPTables

• In Linux 2.2 can limit spoofed packets.
• In Linux 2.4 can check for suspicious packets
  with unclean extension. Also can check for
  malformed or non-standard packets.
• Can check all TCP Flags. (NEW)

22
IPTables

• Can filter on MAC address.
• Can match TCP or UDP packets based on a series of
  source and destination ports. (NEW)
• Can return packets with original destination
  info. (NEW)

23
IPTable Targets

• Has IPChains REJECT, DENY, ACCEPT
• MIRROR
• TOS, MARK
• MASQUERADE, DNAT, SNAT, REDIRECT

24
IPTables Stateful Inspection

• Associate all the packets of a particular
  connection with each other.
• Tries to make sense out of the higher level
  protocols NFS, HTTP, FTP
• Can be used to block port scans or malicious hack
  attempt.
• Dynamic allocation of arbitrary ports used by
  many protocols for data exchange.

25
IPTables Stateful Inspection

• States
• NEW
• RELATED
• INVALID
• ESTABLISHED
• RELATEDREPLY

26
IPTable Address Translation

• New additions
• DNAT Destination address NAT
• SNAT Source address NAT
• REDIRECT DNAT that alters the destination to
  localhost