Automated Firewalls with Mason • William Stearns • The Institute for Security Technology Studies, Dartmouth College • SANS [email protected] http://mason.stearns.org

Page 1: Automated Firewalls with Mason

Automated Firewalls with Mason

• William Stearns

• The Institute for Security Technology Studies, Dartmouth College

• SANS

[email protected]

• http://mason.stearns.org

Page 2: Automated Firewalls with Mason

Getting underway…

• Room monitors

• Evaluation forms

• Questions at any point

• Goals

– Basics of Linux firewalling

– Learning process

– Live demo

Page 3: Automated Firewalls with Mason

Firewalls

• One small piece of your network security

• Only affects traffic going in, out, or through your firewall

• Can be circumvented

– TCP/IP tunneling in ssh, email, DNS, http

– Using allowed ports for blocked traffic types

– Additional exit points from network

• Firewall system needs to be locked down tightly!

Page 4: Automated Firewalls with Mason

Firewall types

• Packet filtering

– Stateful

– Stateless

• Proxy

• Better yet, both!

Page 5: Automated Firewalls with Mason

Choice of firewall platform

• Stability

• Network card support

• Security and Updates

• Network performance

• Ability to audit and strip down

• Cost

• Ease of setup

Page 6: Automated Firewalls with Mason

Linux Packet Filtering

• Separation of jobs

– Kernel (does the filtering)

– Command line tools (load the rules)

Page 7: Automated Firewalls with Mason

Linux Packet Filtering types

• Ipfw (Linux 1.2 kernels)

• Ipfwadm (Linux 2.0 kernels)

• Ipchains (Linux 2.2 kernels)

• Iptables (Linux 2.4 kernels)

Page 8: Automated Firewalls with Mason

ipfw

• First Linux packet filtering support

• Linux 1.2 kernels

• Stateless

• Very limited

– Only filtered on one port

– Never integrated into distributions

– Not supported by Mason

• Ported from one of the BSDs by Alan Cox

Page 9: Automated Firewalls with Mason

ipfwadm

• Linux 2.0 kernels

• Stateless

• Filters on source and destination addresses and ports

• Only TCP, UDP, and ICMP

• Masquerading (many-to-one NAT)

• Jos Vos

Page 10: Automated Firewalls with Mason

ipchains

• Linux 2.2 kernels

• Stateless

• Support for ICMP subtypes, protocols other than TCP, UDP and ICMP, and inverse options.

• Rusty Russell

Page 11: Automated Firewalls with Mason

iptables

• Linux 2.4 kernels

• Stateful

• IPV6 support

• Backwards compatibility modules for ipfwadm and ipchains

• Extensible tests and actions

• Fully modular design

Page 12: Automated Firewalls with Mason

Setting up firewalls

• Triple threat; administrators often have limited background in:

– Security policies

– TCP/IP (normal and attack patterns)

– Connecting the two with packet filtering and other security tools

• Risk in getting it wrong

• Default allow – easy to get going

• Default deny – orders of magnitude harder

Page 13: Automated Firewalls with Mason

Approaches for creating firewalls

• Prewritten list of rules

• Menu interface with small set of choices

• Menu interface with extensive options

• Automatic construction of rules based on current network setup.

• Letting the firewall build itself

Page 14: Automated Firewalls with Mason

Prewritten list of rules

+ Good if your network matches the assumptions

– May need a lot of editing if not

– They tend to be too permissive

Page 15: Automated Firewalls with Mason

Menu interface with small set of choices

+ Good for simple networks

– Poor for complex networks or non-standard networks

– Poor for non-standard protocols

Page 16: Automated Firewalls with Mason

Menu interface with extensive options

+ Flexible, good for complex networks

– Requires a lot of expertise from the administrator

Page 17: Automated Firewalls with Mason

Letting the firewall build itself

+ Flexible

+ Doesn’t require in-depth knowledge of firewall construction

+ Handles simple and complex networks

– May take some time to cover all traffic types.

Page 18: Automated Firewalls with Mason

The world’s most efficient and literal bouncer

• New bouncer

• Needs to be taught who can go in or out of the bar

• Told to note each individual’s age, whether they’re part of the owner’s family, which direction they want to go and whether they’re carrying firearms, and then ask the bar owner.

Page 19: Automated Firewalls with Mason

Initial bouncer rules

• => Write down characteristics, ask owner

• => block (default policy)

Page 20: Automated Firewalls with Mason

Bouncer rules, part II

• Carrying firearms => block and call police

• => Write down characteristics, ask owner

• => block (default policy)

Page 21: Automated Firewalls with Mason

Bouncer rules, part III

• Carrying firearms => block and call police

• Leaving bar => allow to pass

• => Write down characteristics, ask owner

• => block (default policy)

Page 22: Automated Firewalls with Mason

Bouncer rules, part IV

• Carrying firearms => block and call police

• Leaving bar => allow to pass

• Entering bar, over 21 => allow to pass

• => Write down characteristics, ask owner

• => block (default policy)

Page 23: Automated Firewalls with Mason

Bouncer rules, part V

• Carrying firearms => block and call police

• Leaving bar => allow to pass

• Entering bar, over 21 => allow to pass

• Part of owner’s family => allow to pass

• => Write down characteristics, ask owner

• => block (default policy)

Page 24: Automated Firewalls with Mason

Bouncer rules, part VI

• Carrying firearms => block and call police

• Leaving bar => allow to pass

• Entering bar, over 21 => allow to pass

• Part of owner’s family => allow to pass

• Entering bar, under 21 => block

• => Write down characteristics, ask owner

• => block (default policy)

Page 25: Automated Firewalls with Mason

Bouncer rules, part VII

• Carrying firearms => block and call police

• Leaving bar => allow to pass

• Entering bar, over 21 => allow to pass

• Part of owner’s family => allow to pass

• Entering bar, under 21 => block

• => block (default policy)

Page 26: Automated Firewalls with Mason

Mason and iterative creation

• Start off with empty firewall

• Log all unmatched packets

• Watch logs for new packets

• Add rule that would have matched that traffic

• Keep adding rules until all traffic types encountered

Page 27: Automated Firewalls with Mason

Iptables log format

Apr 30 21:04:10 sparrow kernel: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=11339 DF PROTO=UDP SPT=33272 DPT=53 LEN=53

Page 28: Automated Firewalls with Mason

Iptables rule format

/sbin/iptables -A OUTPUT -o lo -p udp -s localhost/32 --sport 1024:65535 -d localhost/32 --dport domain -j ACCEPT #domain/udp (O)
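The learning loop of slides 26 to 28 (log every unmatched packet, write the rule that would have accepted it, reload, repeat) is small enough to show end to end. The block below is an added illustration for this page and is not Mason's own code (Mason is a shell script); it parses kernel LOG lines in the format of slide 27 and emits ACCEPT rules in the shape of slide 28, then replays the log through the growing rule set so that a traffic type seen once is accepted by its rule rather than logged a second time. Assumptions: the log lines are constructed for the example, ports are written numerically instead of as /etc/services names, and TCP and UDP rules are keyed on chain, interface, protocol, source host, destination host and destination port, which is a simplification of Mason's rule granularity.

```python
"""Mason-style rule learning from netfilter LOG lines (added example, not Mason's code)."""
import re

# Constructed sample of kernel LOG output: three traffic types, two of them repeated.
SAMPLE_LOG = """\
Apr 30 21:04:10 sparrow kernel: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=11339 DF PROTO=UDP SPT=33272 DPT=53 LEN=53
Apr 30 21:04:11 sparrow kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=40122 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 30 21:04:12 sparrow kernel: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=11340 DF PROTO=UDP SPT=33273 DPT=53 LEN=53
Apr 30 21:04:13 sparrow kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Apr 30 21:04:14 sparrow kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=40123 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Turn one LOG line into a dict of its KEY=value fields.

    Keys that appear twice (IP LEN then UDP LEN, IP ID then ICMP ID) keep
    their first, IP-header, occurrence. Flags without '=' (DF, SYN) are skipped.
    """
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value)
    return fields


def chain_for(fields):
    """Which built-in chain saw the packet, from the interfaces present."""
    if fields.get("IN") and fields.get("OUT"):
        return "FORWARD"
    return "INPUT" if fields.get("IN") else "OUTPUT"


def flow_key(fields):
    """One key per traffic type; a learned rule accepts everything with this key."""
    proto = fields["PROTO"].lower()
    service = fields.get("TYPE", "?") if proto == "icmp" else fields.get("DPT", "?")
    iface = fields.get("IN") or fields.get("OUT")
    return (chain_for(fields), iface, proto, fields["SRC"], fields["DST"], service)


def build_rule(fields):
    """Emit an ACCEPT rule in the shape of slide 28 (numeric ports, assumed)."""
    chain = chain_for(fields)
    proto = fields["PROTO"].lower()
    parts = ["/sbin/iptables", "-A", chain]
    if fields.get("IN"):
        parts += ["-i", fields["IN"]]
    if fields.get("OUT"):
        parts += ["-o", fields["OUT"]]
    parts += ["-p", proto, "-s", fields["SRC"] + "/32"]
    if proto in ("tcp", "udp"):
        # An unprivileged source port is ephemeral, so widen it to the whole
        # range (as the slide's example rule does) or the rule would only
        # match this one connection.
        sport = int(fields["SPT"])
        parts += ["--sport", "1024:65535" if sport >= 1024 else str(sport)]
    parts += ["-d", fields["DST"] + "/32"]
    if proto in ("tcp", "udp"):
        parts += ["--dport", fields["DPT"]]
    elif proto == "icmp":
        parts += ["--icmp-type", fields["TYPE"]]
    parts += ["-j", "ACCEPT"]
    direction = {"INPUT": "I", "OUTPUT": "O", "FORWARD": "F"}[chain]
    service = fields.get("DPT") or fields.get("TYPE", "?")
    return " ".join(parts) + f"  # {service}/{proto} ({direction})"


def learn_rules(log_text):
    """Replay the log through the growing rule set; first match wins.

    Returns (rules, matched): the rules that would be appended, in order,
    and how many later packets hit an already-learned rule instead of
    falling through to the LOG rule and the default-deny policy.
    """
    rules, known, matched = [], set(), 0
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if "PROTO" not in fields or "SRC" not in fields:
            continue  # not a netfilter LOG line
        key = flow_key(fields)
        if key in known:
            matched += 1  # accepted by a rule added earlier in the loop
            continue
        known.add(key)  # unmatched: it was logged, so write its rule and reload
        rules.append(build_rule(fields))
    return rules, matched


if __name__ == "__main__":
    learned, hits = learn_rules(SAMPLE_LOG)
    for rule in learned:
        print(rule)
    print(f"# {len(learned)} rules learned, {hits} later packets matched them")
```

Run against the constructed log it learns three rules (DNS out over lo, ssh in on eth0, echo-request in on eth0) and the two repeated packets are absorbed by rules already in place, which is the point of slide 17's "may take some time to cover all traffic types": the log goes quiet only once every traffic type has been seen at least once.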

Page 29: Automated Firewalls with Mason

Live demonstration

We’ll switch over to a Linux laptop for the demo and rejoin here afterwards.

Page 30: Automated Firewalls with Mason

Customization

• Existing firewall rules

• Allows administrator to make modifications

Page 31: Automated Firewalls with Mason

Starting firewall at boot

• ntsysv, tksysv, or linuxconf

• Manually link /etc/rc.d/init.d/firewall

Page 32: Automated Firewalls with Mason

Troubleshooting

• Turn off the firewall and see if the problem persists; if it does, the firewall is not the cause.

• Restart the firewall, repeat the test, then run:

iptables -L -n -x -v | grep -v '^ *0 *0 ' | less -S

to see which rules have matched any packets (the grep drops rules whose packet and byte counters are both still zero).

Page 33: Automated Firewalls with Mason

Current and Future projects

• Cisco IOS

• FreeBSD, OpenBSD and NetBSD – ipfilter

• http://coombs.anu.edu.au/~avalon/

• Other routers and firewalls.

Page 34: Automated Firewalls with Mason

Thanks!

• Linux developers, esp. Rusty Russell

• Chris Brenton (SANS, Altenet)

• Steven Northcutt (SANS)

• ISTS

• Mason contributors – see the Credits section in the HOWTO.

Page 35: Automated Firewalls with Mason

Where to get

• Part of some Linux distributions

– Debian

– Krud

– Red Hat Powertools up to 7.0

• http://mason.stearns.org

• Many other sources

Page 36: Automated Firewalls with Mason

References

• http://mason.stearns.org

• http://netfilter.samba.org

• http://www.linuxdoc.org

• http://www.linuxmonth.com/issue1/articles/security/index.html

[email protected]

• Questions?