firewall arch by tareq hanaysha


Upload: tareq-hanaysha

Post on 06-Aug-2015


TRANSCRIPT

Page 1: Firewall arch by Tareq Hanaysha

Term Project Presentation by :

Hitesh Arjun

Kingsley Tareq

ISSM564-Firewall Fundamentals 1

Page 2: Firewall arch by Tareq Hanaysha

In our presentation we will introduce:

1. Our network and firewall architecture.
2. Then we will go over the public DMZ and the first packet filter.
3. Last but not least we will give a brief explanation of our private DMZ.
4. Finally we will introduce our internal network with the possible attacks and the rules we will use in our packet filter's iptables to harden our network and system against these attacks.


Page 3: Firewall arch by Tareq Hanaysha

Network Diagram


Page 4: Firewall arch by Tareq Hanaysha

What is a packet filter?

Packet filtering is a network security mechanism that works by controlling what data can flow to and from a network.


Page 5: Firewall arch by Tareq Hanaysha

Advantages of using a packet filter

Easy to install: Packet filters make use of current network routers. Therefore implementing a packet filter security system is typically less complicated than other network security solutions.

Supports high speed: With simple network configurations, packet filters can be fast. Since there is a direct connection between internal users and external hosts, data can be transmitted at high speeds.

Makes security transparent to end users: Because packet filters work at the level of the network router, filtering is transparent to the end user. That makes using client applications much easier.


Page 6: Firewall arch by Tareq Hanaysha

Public DMZ

Server       Port   IP address
HTTP         80     192.168.10.2
DNS          53     192.168.10.3
SMTP/Relay   25     192.168.10.4


Page 7: Firewall arch by Tareq Hanaysha

Private DMZ

A proxy server is a server which services the requests of its clients by forwarding those requests to other servers. A client connects to the proxy server requesting a service such as a file, a connection or a web page from different servers.

A transparent proxy is a proxy that does not modify the request or the response beyond what is required for proxy authentication and identification.


Page 8: Firewall arch by Tareq Hanaysha

Packet Filter 1

In our topology no direct traffic is allowed from the global internet to the internal network:

## Traffic from the internet to the public DMZ ##
$iptables -A UNTRUSTED_NET -o $public_dmz -d $public_dmz_http_ipaddr -p tcp --destination-port 80 -m state --state NEW -j ACCEPT
$iptables -A UNTRUSTED_NET -o $public_dmz -d $public_dmz_dns_ipaddr -p udp --destination-port 53 -m state --state NEW -j ACCEPT
$iptables -A UNTRUSTED_NET -o $public_dmz -d $public_dmz_smtp_ipaddr -p tcp --destination-port 25 -m state --state NEW -j ACCEPT

Traffic from the global internet reaches the private DMZ only by way of the public DMZ and the internal network.


Page 9: Firewall arch by Tareq Hanaysha

Packet Filter 1

Traffic from the global internet reaches the private DMZ only by way of the public DMZ and the internal network:

####### Traffic from the internet to the private DMZ
$iptables -A UNTRUSTED_NET -o $private_dmz_pf1 -d $private_dmz_nwaddr -j DROP
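The UNTRUSTED_NET chain from slides 8 and 9 written out as one complete script, added here as an example and not taken from the presentation. The interface names, the private DMZ network address and the default-drop tail of the chain are assumptions; the three server addresses come from slide 6. The script only prints the rules unless IPT is pointed at the real iptables binary.

```shell
#!/bin/sh
# Added example: packet filter 1 rule set for the slide deck's topology.
# Dry run by default; run with IPT=/sbin/iptables (as root) to apply for real.
IPT="${IPT:-echo iptables}"            # left unquoted below on purpose so "echo iptables" splits

inet_if="eth0"                         # assumed: internet-facing interface
public_dmz="eth1"                      # assumed: public DMZ interface
private_dmz_pf1="eth2"                 # assumed: interface toward the private DMZ
public_dmz_http_ipaddr="192.168.10.2"  # from slide 6
public_dmz_dns_ipaddr="192.168.10.3"   # from slide 6
public_dmz_smtp_ipaddr="192.168.10.4"  # from slide 6
private_dmz_nwaddr="192.168.20.0/24"   # assumed: the slides do not give this network

pf1_rules() {
    # Default deny on FORWARD: only UNTRUSTED_NET can open a path from the internet
    $IPT -P FORWARD DROP
    $IPT -N UNTRUSTED_NET
    # Replies to sessions that were already accepted pass without a new decision
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Every new connection arriving on the internet side is judged by UNTRUSTED_NET
    $IPT -A FORWARD -i "$inet_if" -m state --state NEW -j UNTRUSTED_NET
    ## Traffic from the internet to the public DMZ (slide 8) ##
    $IPT -A UNTRUSTED_NET -o "$public_dmz" -d "$public_dmz_http_ipaddr" -p tcp --destination-port 80 -m state --state NEW -j ACCEPT
    $IPT -A UNTRUSTED_NET -o "$public_dmz" -d "$public_dmz_dns_ipaddr" -p udp --destination-port 53 -m state --state NEW -j ACCEPT
    $IPT -A UNTRUSTED_NET -o "$public_dmz" -d "$public_dmz_smtp_ipaddr" -p tcp --destination-port 25 -m state --state NEW -j ACCEPT
    ## Traffic from the internet to the private DMZ (slide 9): never direct ##
    $IPT -A UNTRUSTED_NET -o "$private_dmz_pf1" -d "$private_dmz_nwaddr" -j DROP
    # Assumed addition: anything else from the untrusted side is dropped explicitly
    $IPT -A UNTRUSTED_NET -j DROP
}

# Sanity check on the generated set: how many rules open (ACCEPT) a path into the public DMZ
count_public_dmz_accepts() {
    pf1_rules | grep -c -- "-o $public_dmz .* -j ACCEPT"
}

pf1_rules
```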


Page 10: Firewall arch by Tareq Hanaysha

Tweaks we will use to prevent possible attacks: Disabling IP spoofing attacks

IP spoofing is one of the most common forms of online camouflage. In IP spoofing, an attacker gains unauthorized access to a computer or a network by making it appear that a malicious message has come from a trusted machine by "spoofing" the IP address of that machine.

echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter


Page 11: Firewall arch by Tareq Hanaysha

Tweaks we will use to prevent possible attacks: Disabling IP smurfing attacks

IP smurfing is a form of network "attack" that can result in such a large traffic load on your wide-area Internet connection that you may be denied service across this link. This form of attack is also called a denial of service attack (DoS attack). It can be limited by setting timeouts.

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout


Page 12: Firewall arch by Tareq Hanaysha

Tweaks we will use to prevent possible attacks: Block source routing

Source routing allows the sender of a packet to specify the route that the packet must take in traveling to the destination.

So it is better to block source routing at the gateway itself, to prevent discovery of the IP addresses of routers within our network.

echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route


Page 13: Firewall arch by Tareq Hanaysha

Tweaks we will use to prevent possible attacks: Disable all redirection requests in the gateway machine

echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

The command below enables bad error message protection:

echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses


Page 14: Firewall arch by Tareq Hanaysha

Tweaks we will use to prevent possible attacks: Basic rules of a typical firewall

# Kill INVALID packets with illegal flag combinations.
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state INVALID -j DROP

# No restrictions on connections from localhost.
$IPTABLES -A INPUT -i lo -j ACCEPT

# Reject connections from the outside world to the internal loopback device.
$IPTABLES -A INPUT -d 127.0.0.0/8 -j REJECT

# No restrictions on traffic originating from legitimate internal addresses.
$IPTABLES -A INPUT -i $INTERNALIF -s $INTERNALNET -j ACCEPT

# In case we have to use IPv6 addresses in your environment, uncomment the line below:
#$IPTABLES -A INPUT -p ipv6 -j ACCEPT

# Kill all packets from the outside world claiming to have been generated from the internal network.
$IPTABLES -A INPUT -i $EXTERNALIF -s $INTERNALNET -j REJECT

# Block ICMP echo requests forwarded toward the internal network.
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -o $INTERNALIF -j REJECT


Page 15: Firewall arch by Tareq Hanaysha

Tweaks we will use to prevent possible attacks: Trying to prevent SYN flood attacks

A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system. One of the most important steps is to enable the operating system's built-in protection mechanisms such as SYN cookies. In Linux, we can set SYN cookies in the following manner.

echo 1 > /proc/sys/net/ipv4/tcp_syncookies
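An audit script for the kernel tweaks on slides 10 through 13 and 15, added here as an example and not part of the presentation: it compares the live values under /proc/sys with the values the slides set and reports any drift, so a gateway that was rebooted or re-provisioned without the tweaks is caught. The fake /proc tree builder and its two deliberately wrong values are constructed for demonstration only.

```shell
#!/bin/sh
# Added example: verify that the slide deck's sysctl hardening is actually in effect.
# Expected key=value pairs, exactly as the slides set them.
HARDENING_SETTINGS="
net/ipv4/conf/all/rp_filter=2
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/tcp_keepalive_time=1800
net/ipv4/tcp_fin_timeout=30
net/ipv4/conf/all/accept_source_route=0
net/ipv4/conf/all/accept_redirects=0
net/ipv4/icmp_ignore_bogus_error_responses=1
net/ipv4/tcp_syncookies=1
"

# audit_sysctls ROOT: compare every setting under ROOT/proc/sys (ROOT=/ on a real
# gateway, a constructed tree in the test) with its expected value.
# Prints one line per problem and returns the number of deviations found.
audit_sysctls() {
    root="${1:-/}"
    bad=0
    for entry in $HARDENING_SETTINGS; do
        key="${entry%%=*}"
        want="${entry#*=}"
        file="$root/proc/sys/$key"
        if [ ! -r "$file" ]; then
            echo "MISSING $key"; bad=$((bad + 1)); continue
        fi
        have=$(cat "$file")
        if [ "$have" != "$want" ]; then
            echo "DRIFT   $key is $have, expected $want"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# make_fake_proc DIR: constructed /proc tree for demonstration, with SYN cookies
# switched off and ICMP redirects accepted, the two deviations the audit should flag.
make_fake_proc() {
    dir="$1"
    for entry in $HARDENING_SETTINGS; do
        key="${entry%%=*}"
        mkdir -p "$dir/proc/sys/$(dirname "$key")"
        printf '%s\n' "${entry#*=}" > "$dir/proc/sys/$key"
    done
    printf '0\n' > "$dir/proc/sys/net/ipv4/tcp_syncookies"
    printf '1\n' > "$dir/proc/sys/net/ipv4/conf/all/accept_redirects"
}
```

On the gateway itself run `audit_sysctls /` from a cron job or after every reboot; a non-zero exit status means the slides' hardening has drifted.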


Page 16: Firewall arch by Tareq Hanaysha

Tweaks we will use to prevent possible attacks: Prevent ping flood attacks

$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP
