
Page 1: Automated Firewalls with Mason William Stearns SANS Instructor, proctor, and network administrator wstearns@pobox.com

Automated Firewalls with Mason

William Stearns

SANS Instructor, proctor, and network administrator

wstearns@pobox.com

http://www.stearns.org/mason/

Page 2:

Getting underway

Room monitors

Evaluation forms

Questions at any point

Goals

Basics of Linux firewalling

Learning process

Live demo

Page 3:

Firewalls

One small piece of your network security

Only affects traffic going in, out, or through your firewall

Can be circumvented

TCP/IP tunneling in ssh, email, DNS, http

Using allowed ports for blocked traffic types

Additional exit points from network

Firewall system needs to be locked down tightly!

Page 4:

Firewall types

Packet filtering

Stateful

Stateless

Proxy

Better yet, both!

Page 5:

Firewall types, proxies.

Page 6:

Choice of firewall platform

Stability

Network card support

Security and Updates

Network performance

Ability to audit and strip down

Cost

Ease of setup

Page 7:

Linux Packet Filtering

Separation of Jobs

Kernel

Command line tools

Page 8:

Linux Packet Filtering types

ipfw (Linux 1.2 kernels)

ipfwadm (Linux 2.0 kernels)

ipchains (Linux 2.2 kernels)

iptables (Linux 2.4 kernels)

Page 9:

ipfw

First Linux packet filtering support

Linux 1.2 kernels

Stateless

Very limited

Only filtered on one port

Never integrated into distributions

Not supported by Mason

Ported from one of the BSD's by Alan Cox

Page 10:

ipfwadm

Linux 2.0 kernels

Stateless

Filters on source and destination addresses and ports

Only TCP, UDP, and ICMP

Masquerading (many-to-one NAT)

Jos Vos

Page 11:

ipchains

Linux 2.2 kernels

Stateless

Support for ICMP subtypes, protocols other than TCP, UDP and ICMP, and inverse options.

Rusty Russell

Page 12:

iptables

Linux 2.4, 2.5, and upcoming 2.6 kernels

Stateful

IPv6 support

Backwards compatibility modules for ipfwadm and ipchains

Extensible tests and actions

Fully modular design

Page 13:

Setting up firewalls

Triple threat; limited background in:

Security policies

TCP/IP (normal and attack patterns)

Connecting the two with packet filtering and other security tools.

Risk in getting it wrong.

Default allow - easy to get going

Default deny - orders of magnitude harder

Page 14:

Approaches for creating firewalls

Prewritten list of rules

Menu interface with small set of choices

Menu interface with extensive options

Automatic construction of rules based on current network setup.

Letting the firewall build itself

Page 15:

Prewritten list of rules

+ Good if your network matches the assumptions

- May need a lot of editing if not

- They tend to be too permissive

Page 16:

Menu interface with small set of choices

+ Good for simple networks

- Poor for complex or non-standard networks

- Poor for non-standard protocols

Page 17:

Menu interface with extensive options

+ Flexible, good for complex networks

- Requires a lot of expertise from the administrator

Page 18:

Letting the firewall build itself

+ Flexible

+ Doesn't require in-depth knowledge of firewall construction

+ Handles simple and complex networks

- May take some time to cover all traffic types.

Page 19:

The world's most efficient and literal bouncer

New bouncer

Needs to be taught who can go in or out of the bar

Told to note individual's age, whether they're part of the owner's family, which direction they want to go and whether they're carrying firearms, and then ask bar owner.

Page 20:

Initial bouncer rules

=> Write down characteristics, ask owner

=> block (default policy)

Page 21:

Bouncer rules, part II

Carrying firearms => block and call police

=> Write down characteristics, ask owner

=> block (default policy)

Page 22:

Bouncer rules, part III

Carrying firearms => block and call police

Leaving bar => allow to pass

=> Write down characteristics, ask owner

=> block (default policy)

Page 23:

Bouncer rules, part IV

Carrying firearms => block and call police

Leaving bar => allow to pass

Entering bar, over 21 => allow to pass

=> Write down characteristics, ask owner

=> block (default policy)

Page 24:

Bouncer rules, part V

Carrying firearms => block and call police

Leaving bar => allow to pass

Entering bar, over 21 => allow to pass

Part of owner's family => allow to pass

=> Write down characteristics, ask owner

=> block (default policy)

Page 25:

Bouncer rules, part VI

Carrying firearms => block and call police

Leaving bar => allow to pass

Entering bar, over 21 => allow to pass

Part of owner's family => allow to pass

Entering bar, under 21 => block

=> Write down characteristics, ask owner

=> block (default policy)

Page 26:

Bouncer rules, part VII

Carrying firearms => block and call police

Leaving bar => allow to pass

Entering bar, over 21 => allow to pass

Part of owner's family => allow to pass

Entering bar, under 21 => block

=> block (default policy)

Page 27:

Mason and iterative creation

Start off with empty firewall

Log all unmatched packets

Watch logs for new packets

Add rule that would have matched that traffic

Keep adding rules until all traffic types encountered

Page 28:

Iptables log format

Apr 30 21:04:10 sparrow kernel: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=11339 DF PROTO=UDP SPT=33272 DPT=53 LEN=53

Page 29:

Iptables rule format

/sbin/iptables -A OUTPUT -o lo -p udp -s localhost/32 --sport 1024:65535 -d localhost/32 --dport domain -j ACCEPT #domain/udp (O)

Page 30:

Live demonstration

We'll switch over to a Linux laptop for the demo and rejoin here afterwards.

Page 31:

Customization

Existing firewall rules

Allows administrator to make modifications

Page 32:

Starting firewall at boot

ntsysv, tksysv, or linuxconf

Or manually link /etc/rc.d/init.d/firewall into the rcN.d directory for your default runlevel

Page 33:

Troubleshooting

Turn off the firewall and see if the problem persists; if it does, the firewall is not the cause.

Restart the firewall, try test, then run:

iptables -L -n -x -v | grep -v '^ *0 *0 ' | less -S

to see which rules have matched any packets (the grep hides rules whose packet and byte counters are both still zero).
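The counter check above tells you which rules have ever matched, but on a firewall that has been up for a while most counters are already non-zero. The added example below (mine, not from the slides or from Mason) does the same check as a before/after diff of two `iptables -L -n -x -v` listings: take one listing, run the test, take another, and report only the counters that moved. Both listings are constructed to look like that command's output; they are not real captures. A rise in an ACCEPT counter says which rule allowed the test traffic; a rise only in the LOG rule and the chain policy says the packet was unmatched and dropped, which is exactly the case Mason turns into a new rule.

```python
"""Before/after diff of iptables packet counters (added example, not Mason's code).

The two listings are constructed to look like `iptables -L -n -x -v` output.
"""
import re
from typing import Dict, List, Tuple

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+) packets, (\d+) bytes\)")
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S.*?)\s*$")

# Constructed listing taken "before" the test.
BEFORE = """\
Chain INPUT (policy DROP 12 packets, 960 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     150    12000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       0        0 ACCEPT     tcp  --  eth0   *       192.0.2.10           192.0.2.1            tcp spts:1024:65535 dpt:22
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       3      219 ACCEPT     udp  --  *      lo      127.0.0.1            127.0.0.1            udp spts:1024:65535 dpt:53
"""

# Constructed listing "after" one ssh login test plus one stray packet that
# nothing allowed: the ssh rule, the state rule, the LOG rule and the policy
# counter all move; the OUTPUT dns rule does not.
AFTER = (BEFORE.replace("policy DROP 12 packets, 960 bytes", "policy DROP 13 packets, 1020 bytes")
               .replace("     150    12000 ACCEPT", "     154    12640 ACCEPT")
               .replace("       0        0 ACCEPT     tcp", "       1       60 ACCEPT     tcp")
               .replace("       0        0 LOG", "       1       60 LOG"))

Counters = Dict[Tuple[str, int], Tuple[int, str]]


def parse_counters(listing: str) -> Counters:
    """Map (chain, rule number) -> (packet count, rule text).
    Rule number 0 is the chain's default policy; rules count from 1,
    matching the numbering of `iptables -L --line-numbers`."""
    counters: Counters = {}
    chain, index = None, 0
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain, index = m.group(1), 0
            counters[(chain, 0)] = (int(m.group(3)), f"policy {m.group(2)}")
            continue
        if chain is None or line.lstrip().startswith("pkts"):
            continue  # column header line, or text before the first chain
        m = RULE_RE.match(line)
        if m:
            index += 1
            counters[(chain, index)] = (int(m.group(1)), " ".join(m.group(3).split()))
    return counters


def rules_hit(before: str, after: str) -> List[Tuple[str, int, int, str]]:
    """(chain, rule number, packet delta, rule text) for every counter that
    rose between the two listings, in chain and rule order."""
    b, a = parse_counters(before), parse_counters(after)
    hits = []
    for key, (pkts_after, text) in a.items():
        delta = pkts_after - b.get(key, (0, ""))[0]
        if delta > 0:
            hits.append((key[0], key[1], delta, text))
    return hits


def verdict(hits: List[Tuple[str, int, int, str]]) -> str:
    """ACCEPT counters rising name the rule that allowed the traffic; only
    LOG/policy counters rising means it was unmatched and dropped."""
    accepted = [h for h in hits if h[3].startswith("ACCEPT")]
    if accepted:
        return "accepted by " + "; ".join(f"{chain} rule {num}" for chain, num, _, _ in accepted)
    return "unmatched: only LOG/policy counters moved, add a rule for it"


if __name__ == "__main__":
    for chain, num, delta, text in rules_hit(BEFORE, AFTER):
        print(f"{chain} rule {num}: +{delta} pkts  {text}")
    print(verdict(rules_hit(BEFORE, AFTER)))
```

On a live system the two listings come from running the slide's `iptables -L -n -x -v` immediately before and after the test; `-x` matters because without it large counters are abbreviated (for example `12K`) and cannot be diffed.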

Page 34:

Opening packet rules

Use iptables' stateful nature: one rule per chain accepting ESTABLISHED,RELATED covers the replies and related connections of conversations already allowed.

Let Mason build the rules for NEW packets (the opening packet of each connection).
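Slides 27 through 29 describe the loop (log every unmatched packet, turn each new traffic type into the rule that would have matched it) and slide 34 the stateful split (ESTABLISHED,RELATED accepted up front, generated rules only for NEW packets). The example below is mine, added for this page and not Mason's own code: it reads log lines in the slide 28 format and emits rules in the slide 29 format. Its assumptions are not from the slides: the chain is chosen from the IN= and OUT= fields, source ports of 1024 and above are widened to 1024:65535 so one rule covers every client of a service, addresses stay numeric where Mason prints names such as localhost, a five-entry table stands in for /etc/services, and the heuristic that decides which logged packets are replies (and so already covered by the stateful rule) is my own. The first log line is the one on slide 28; the rest are constructed.

```python
"""Log line -> iptables rule (added example, not Mason's own code)."""
from typing import Dict, List, Optional

SERVICES = {22: "ssh", 25: "smtp", 53: "domain", 80: "http", 443: "https"}  # stand-in for /etc/services
CHAIN_LETTER = {"INPUT": "I", "OUTPUT": "O", "FORWARD": "F"}

# Constructed sample: slide 28's line, the matching DNS reply, an inbound ssh
# SYN, two forwarded HTTP SYNs from different ephemeral ports, an ICMP echo
# request, and a non-firewall syslog line that must be ignored.
SAMPLE_LOG = """\
Apr 30 21:04:10 sparrow kernel: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=11339 DF PROTO=UDP SPT=33272 DPT=53 LEN=53
Apr 30 21:04:10 sparrow kernel: IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 LEN=120 TOS=0x00 PREC=0x00 TTL=64 ID=11340 DF PROTO=UDP SPT=53 DPT=33272 LEN=100
Apr 30 21:05:02 sparrow kernel: IN=eth0 OUT= MAC=00:0c:29:3e:4f:51:00:50:56:c0:00:08:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 30 21:05:30 sparrow kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 30 21:05:31 sparrow kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10 DF PROTO=TCP SPT=51001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 30 21:06:00 sparrow kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=11 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Apr 30 21:07:00 sparrow sshd[123]: Accepted publickey for alice from 192.0.2.10
"""


def parse_log_line(line: str) -> Dict[str, str]:
    """KEY=VALUE fields of one LOG line; bare flags (DF, SYN, ACK) get 'set'."""
    fields: Dict[str, str] = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
        elif token.isupper():
            fields[token] = "set"
    return fields


def port_spec(port: int) -> str:
    """Named service ports stay exact; unprivileged ports widen to the whole
    ephemeral range so one rule covers every client of that service."""
    if port in SERVICES:
        return SERVICES[port]
    return str(port) if port < 1024 else "1024:65535"


def looks_like_reply(p: Dict[str, str]) -> bool:
    """Packets a stateful ESTABLISHED,RELATED rule would already accept
    (heuristic for this example, not Mason's logic)."""
    proto = p.get("PROTO", "").lower()
    if proto == "tcp":
        return "SYN" not in p or "ACK" in p
    if proto == "udp":
        return int(p["SPT"]) in SERVICES and int(p["DPT"]) >= 1024
    return proto == "icmp" and p.get("TYPE") == "0"  # echo reply


def log_to_rule(line: str, stateful: bool = False) -> Optional[str]:
    """One LOG line -> the ACCEPT rule that would have matched it, or None
    if the line is not a firewall log entry (or, in stateful mode, a reply)."""
    p = parse_log_line(line)
    in_if, out_if = p.get("IN", ""), p.get("OUT", "")
    if "PROTO" not in p or not (in_if or out_if):
        return None
    if stateful and looks_like_reply(p):
        return None
    if in_if and out_if:
        chain, ifaces = "FORWARD", f"-i {in_if} -o {out_if}"
    elif in_if:
        chain, ifaces = "INPUT", f"-i {in_if}"
    else:
        chain, ifaces = "OUTPUT", f"-o {out_if}"
    proto = p["PROTO"].lower()
    state = "-m state --state NEW " if stateful else ""
    rule = f"/sbin/iptables -A {chain} {ifaces} -p {proto} {state}-s {p['SRC']}/32"
    if proto in ("tcp", "udp"):
        sport, dport = int(p["SPT"]), int(p["DPT"])
        rule += f" --sport {port_spec(sport)} -d {p['DST']}/32 --dport {port_spec(dport)}"
        comment = f"{SERVICES.get(dport, dport)}/{proto}"
    elif proto == "icmp":
        rule += f" --icmp-type {p['TYPE']}/{p['CODE']} -d {p['DST']}/32"
        comment = f"icmp type {p['TYPE']}"
    else:
        rule += f" -d {p['DST']}/32"
        comment = proto
    return f"{rule} -j ACCEPT #{comment} ({CHAIN_LETTER[chain]})"


def build_ruleset(log_text: str, stateful: bool = False) -> List[str]:
    """Mason's loop over a whole log: each new traffic type becomes one rule,
    repeats of a type already covered are skipped.  In stateful mode the
    ESTABLISHED,RELATED rules of slide 34 go first."""
    rules: List[str] = []
    if stateful:
        for chain in ("INPUT", "OUTPUT", "FORWARD"):
            rules.append(f"/sbin/iptables -A {chain} -m state --state ESTABLISHED,RELATED -j ACCEPT")
    for line in log_text.splitlines():
        rule = log_to_rule(line, stateful)
        if rule and rule not in rules:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    for rule in build_ruleset(SAMPLE_LOG, stateful=True):
        print(rule)
```

Run stateless, the first rule produced is slide 29's rule with 127.0.0.1 in place of localhost, and the two HTTP SYNs from different client ports collapse into one FORWARD rule. Run stateful, the DNS reply line produces no rule at all because the ESTABLISHED,RELATED rule at the top of each chain already accepts it, which is the point of slide 34: the generated rules only describe opening packets.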

Page 35:

Potential projects

Cisco IOS

FreeBSD, OpenBSD and NetBSD - ipfilter

http://coombs.anu.edu.au/~avalon/

Other routers and firewalls.

Page 36:

Thanks!

Linux developers, esp. Rusty Russell

Chris Brenton (SANS, Altenet)

Stephen Northcutt (SANS)

ISTS

Mason contributors - see the Credits section in the HOWTO.

Page 37:

Where to get it

Part of some Linux Distributions

Debian

Krud

Red Hat Powertools (up to 7.0)

http://www.stearns.org/mason/

Many other sources

Page 38:

References

http://www.stearns.org/mason/

http://www.netfilter.org

http://www.linuxdoc.org

http://www.stearns.org/doc/starting-mason.current.html

wstearns@pobox.com

Questions?