Session 12: Firewall. Computer Networks. MOCHAMAD SIRODJUDIN, S.Kom, MM, www.sirodjudin.com. Informatics Engineering, Universitas Yudharta Pasuruan, 2012

Page 2: firewall

04/10/23 2

What is a firewall?

A firewall is a device (or software feature) designed to control the flow of traffic into and out of a network.

In general, firewalls are installed to prevent attacks.

Page 3: firewall


What’s a DMZ?

A DMZ is a demilitarized zone. The DMZ is where corporate servers reside, protected from both external and internal attacks.

In our case, internal attacks could come from compromised machines.

That never happens, does it…

Page 4: firewall


What is an attack?

Attack covers many things:

1. Someone probing a network for computers.

2. Someone attempting to crash services on a computer.

3. Someone attempting to crash a computer (WinNuke).

4. Someone attempting to gain access to a computer to use resources or information.

Page 5: firewall


Diagram of a firewall on a network, without a DMZ.

Page 6: firewall


Diagram of a firewall on a network, with a DMZ.

Page 7: firewall


Edge Firewall

An edge firewall is usually software running on a server or workstation. An edge firewall protects a single computer from attacks directed against it.

Examples of these firewalls are:

• ZoneAlarm
• BlackIce
• IPFW on OSX

Page 8: firewall


Firewall Appliance

An appliance firewall is a device whose sole function is to act as a firewall. Examples of these firewalls are:

Cisco PIX.

Netscreen series.

Page 9: firewall


Network Firewall

• Router/Bridge based Firewall
– A firewall running on a bridge or a router protects anything from a group of devices to an entire network. Cisco has firewall feature sets in their IOS operating system.

• Computer-based Network Firewall
– A network firewall runs on a computer (such as a PC or Unix computer). These firewalls are some of the most flexible. Many free products are available, including IPFilter (the first package we tried), PF (the current package we are using, found on OpenBSD 3.0 and later) and IPTables (found on Linux). Commercial products include Checkpoint Firewall-1. Apple OSX includes IPFW (included in an operating system you gotta purchase).

Page 10: firewall


Why use a firewall?

• Protect a wide range of machines from general probes and many attacks.

• Provides some protection for machines lacking in security.

Page 11: firewall


Great first line of defense.

• Having a firewall is a necessary evil. It’s like living in a gated community. The gate may stop 99% of unwanted visitors. The locks on your doors stop the remaining 1% (maybe, but you get the idea).

• Don’t let the firewall give you a false sense of security. Harden your machines by turning off services you don’t need.

Page 12: firewall


How does a firewall work?

Blocks packets based on:

• Source IP address or range of addresses.
• Source port.
• Destination IP address or range of addresses.
• Destination port.
• Some firewalls also filter on higher layers of the OSI model.
• Other protocols (How would you filter DecNET anyway?).

Common ports:

• 80 HTTP
• 443 HTTPS
• 20 & 21 FTP (didn’t know 20 was for FTP, did you?)
• 23 Telnet
• 22 SSH
• 25 SMTP

Page 13: firewall


Sample firewall rules

Protected server: 134.71.1.25

Protected subnet: 134.71.1.0/24

$internal refers to the internal network interface on the firewall.

$external refers to the external network interface on the firewall.

Page 14: firewall


Sample rules: Can you find the problem?

(For this example, when a packet matches a rule, rule processing stops.)

Pass in on $external from any proto tcp to 134.71.1.25 port = 80
Pass in on $external from any proto tcp to 134.71.1.25 port = 53
Pass in on $external from any proto udp to 134.71.1.25 port = 53
Pass in on $external from any proto tcp to 134.71.1.25 port = 25
Block in log on $external from any to 134.71.1.25
Block in on $external from any to 134.71.1.0/24
Pass in on $external from any proto tcp to 134.71.1.25 port = 22
Pass out on $internal from 134.71.1.0/24 to any keep state

Page 15: firewall


Sample rules: Can you find the problem?

(For this example, when a rule matches a packet, rule processing stops.)

Pass in on $external from any proto tcp to 134.71.1.25 port = 80
Pass in on $external from any proto tcp to 134.71.1.25 port = 53
Pass in on $external from any proto udp to 134.71.1.25 port = 53
Pass in on $external from any proto tcp to 134.71.1.25 port = 25
Block in log on $external from any to 134.71.1.25
Block in on $external from any to 134.71.1.0/24
Pass in on $external from any proto tcp to 134.71.1.25 port = 22
Pass out on $internal from 134.71.1.0/24 to any keep state

The SSH rule would never have a chance to be evaluated. All traffic to 134.71.1.25 is blocked by the previous two rules.
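
The ordering problem above can be found mechanically. The following Python sketch is an added example, not part of the original slides: it parses the slide's rule text, evaluates a packet first-match, and reports every rule that an earlier rule fully covers. The regular expression handles only the slide's pseudo-syntax, and all function names are illustrative.

```python
import ipaddress
import re
from collections import namedtuple

# Rules copied from the slide (its own pseudo-syntax; first matching rule wins).
SLIDE_RULES = """\
Pass in on $external from any proto tcp to 134.71.1.25 port = 80
Pass in on $external from any proto tcp to 134.71.1.25 port = 53
Pass in on $external from any proto udp to 134.71.1.25 port = 53
Pass in on $external from any proto tcp to 134.71.1.25 port = 25
Block in log on $external from any to 134.71.1.25
Block in on $external from any to 134.71.1.0/24
Pass in on $external from any proto tcp to 134.71.1.25 port = 22
Pass out on $internal from 134.71.1.0/24 to any keep state
"""
RULE_RE = re.compile(
    r"(?P<action>pass|block) (?P<direction>in|out) (?:log )?on (?P<iface>\S+) "
    r"from (?P<src>\S+)(?: proto (?P<proto>\w+))? to (?P<dst>\S+)"
    r"(?: port = (?P<port>\d+))?", re.IGNORECASE)
# A proto or port of None means "any".
Rule = namedtuple("Rule", "action direction iface src proto dst port")

def net(text):
    return ipaddress.ip_network("0.0.0.0/0" if text == "any" else text)

def parse(text):
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"cannot parse rule: {line!r}")
        rules.append(Rule(m["action"].lower(), m["direction"].lower(), m["iface"],
                          net(m["src"]), m["proto"], net(m["dst"]),
                          int(m["port"]) if m["port"] else None))
    return rules

def covers(a, b):
    """True if every packet that b matches is also matched by a."""
    return (a.direction == b.direction and a.iface == b.iface
            and a.proto in (None, b.proto) and a.port in (None, b.port)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst))

def shadowed(rules):
    """Return (rule_no, earlier_rule_no) for each rule that can never be reached."""
    hits = []
    for i, rule in enumerate(rules):
        earlier = next((j for j in range(i) if covers(rules[j], rule)), None)
        if earlier is not None:
            hits.append((i + 1, earlier + 1))
    return hits

def first_match(rules, direction, iface, proto, src, dst, port):
    """Evaluate one packet; a packet is treated as a rule with host-sized networks."""
    packet = Rule("", direction, iface, net(src), proto, net(dst), port)
    for number, rule in enumerate(rules, 1):
        if covers(rule, packet):
            return number, rule.action
    return None, None  # no rule matched; the slide does not state a default
```

Calling `shadowed(parse(SLIDE_RULES))` reports rule 7 (SSH) as covered by rule 5; with the SSH rule moved above the two block rules the list is empty.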

Page 16: firewall


To log or not to log…

Logging is both good and bad.

If you set your rules to log too much, your logs will not be examined. If you log too little, you won’t see things you need. If you don’t log, you have no information on how your firewall is operating.
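
One way to keep a busy block log examinable is to summarise it before anyone reads it. The Python sketch below is an added example, not part of the original slides: it parses lines in IPFilter's ipmon log layout, collapses retransmitted packets into single attempts, and flags any source that was blocked on the same port at several different hosts. The sample lines are constructed with documentation addresses, and the threshold of three hosts is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in the ipmon layout (not copied from a real log).
SAMPLE_LOG = """\
Jul 31 11:00:06 fw ipmon[101]: 11:00:06.786765 xl0 @1:10 b 198.51.100.7,50258 -> 192.0.2.57,23 PR tcp len 20 48 -S IN
Jul 31 11:00:07 fw ipmon[101]: 11:00:07.366515 xl0 @1:10 b 198.51.100.7,50258 -> 192.0.2.57,23 PR tcp len 20 48 -S IN
Jul 31 11:00:08 fw ipmon[101]: 11:00:08.526751 xl0 @1:10 b 198.51.100.7,50258 -> 192.0.2.57,23 PR tcp len 20 48 -S IN
Jul 31 11:50:02 fw ipmon[101]: 11:50:02.619311 xl0 @0:3 b 203.0.113.136,4588 -> 192.0.2.37,80 PR tcp len 20 44 -S IN
Jul 31 11:50:02 fw ipmon[101]: 11:50:02.629271 xl0 @0:3 b 203.0.113.136,4597 -> 192.0.2.44,80 PR tcp len 20 44 -S IN
Jul 31 11:50:02 fw ipmon[101]: 11:50:02.642610 xl0 @1:10 b 203.0.113.136,4610 -> 192.0.2.57,80 PR tcp len 20 44 -S IN
Jul 31 11:50:05 fw ipmon[101]: 11:50:05.633338 xl0 @1:10 b 203.0.113.136,4610 -> 192.0.2.57,80 PR tcp len 20 44 -S IN
Jul 31 11:50:17 fw ipmon[101]: 11:50:16.882433 xl0 @0:3 b 203.0.113.136,1406 -> 192.0.2.135,80 PR tcp len 20 44 -S IN
Jul 31 12:01:39 fw ipmon[101]: 12:01:39.338642 2x xl0 @1:10 b 192.0.2.115,3792 -> 192.0.2.57,1065 PR udp len 20 36 IN
"""

# Optional "2x" is ipmon's repeat count; ports are absent for some protocols.
LINE_RE = re.compile(
    r"ipmon\[\d+\]: \S+ (?:\d+x )?(?P<iface>\S+) @(?P<rule>\d+:\d+) (?P<action>\w) "
    r"(?P<src>[\d.]+)(?:,(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?:,(?P<dport>\d+))? "
    r"PR (?P<proto>\w+)")

def triage(log_text, scan_hosts=3):
    """Collapse retransmissions and flag sources probing many hosts on one port."""
    attempts = set()             # unique (src, sport, dst, dport, proto)
    fanout = defaultdict(set)    # (src, proto, dport) -> destination hosts
    blocked = unparsed = 0
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            unparsed += 1        # count what the parser could not read
            continue
        if m["action"] != "b":   # "b" marks a blocked packet in ipmon output
            continue
        blocked += 1
        attempts.add((m["src"], m["sport"], m["dst"], m["dport"], m["proto"]))
        fanout[(m["src"], m["proto"], m["dport"])].add(m["dst"])
    scans = {key: len(hosts) for key, hosts in fanout.items()
             if len(hosts) >= scan_hosts}
    return {"blocked_lines": blocked, "attempts": len(attempts),
            "scans": scans, "unparsed": unparsed}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```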

Page 17: firewall


Sample log file

Page 18: firewall


Had enough yet?

Page 19: firewall


What is a state?

When your computer makes a connection with another computer on the network, several things are exchanged including the source and destination ports. In a standard firewall configuration, most inbound ports are blocked. This would normally cause a problem with return traffic since the source port is randomly assigned (different from the destination port).

A state is a dynamic rule created by the firewall containing the source-destination port combination, allowing the desired return traffic to pass the firewall.

Page 20: firewall


How many states can a computer have?

A single computer could have hundreds of states depending on the number of established connections. Consider a server supporting POP3, FTP, WWW and Telnet/SSH access. It could have thousands of states.

Page 21: firewall


What happens without state?

Without state, your request for traffic would leave the firewall but the reply would be blocked.
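
The difference between filtering with and without state can be seen in a small model. The Python sketch below is an added example, not part of the original slides: a toy border filter that passes outbound traffic, blocks inbound traffic by default, and optionally keeps a state entry per outbound connection. The endpoints are constructed and the 120-second idle timeout is an assumed value.

```python
class Firewall:
    """Toy border filter: outbound passes, inbound is blocked unless a state allows it."""

    def __init__(self, keep_state, ttl=120):
        self.keep_state = keep_state
        self.ttl = ttl       # idle seconds before a state is dropped (assumed value)
        self.states = {}     # (proto, inside_ip, inside_port, outside_ip, outside_port) -> expiry

    def outbound(self, now, proto, src, sport, dst, dport):
        if self.keep_state:
            # Record the exact address and port combination of this connection.
            self.states[(proto, src, sport, dst, dport)] = now + self.ttl
        return "pass"

    def inbound(self, now, proto, src, sport, dst, dport):
        key = (proto, dst, dport, src, sport)   # a reply has the endpoints swapped
        expiry = self.states.get(key)
        if expiry is None:
            return "block"                      # no matching state: default block
        if now > expiry:
            del self.states[key]                # state idled out
            return "block"
        self.states[key] = now + self.ttl       # traffic refreshes the state
        return "pass"


def reply_verdicts(keep_state):
    """Send one outbound request, then test four inbound packets against it."""
    fw = Firewall(keep_state)
    client = ("134.71.1.40", 50258)     # constructed host on the protected subnet
    server = ("198.51.100.10", 80)      # constructed outside web server
    fw.outbound(0, "tcp", *client, *server)
    return {
        "reply": fw.inbound(1, "tcp", *server, *client),
        "other_port": fw.inbound(2, "tcp", server[0], 8080, *client),
        "other_host": fw.inbound(3, "tcp", "203.0.113.5", 80, *client),
        "late_reply": fw.inbound(500, "tcp", *server, *client),
    }


if __name__ == "__main__":
    print("keep state:", reply_verdicts(True))
    print("no state:  ", reply_verdicts(False))
```

Only the packet that mirrors the recorded source-destination port combination passes, and only while the state is still alive.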

Page 22: firewall


Sample state table.

kd2.ec.csupomona.edu - IP Filter: v3.4.28 - state top 07:50:50
Src = 0.0.0.0 Dest = 0.0.0.0 Proto = any Sorted by = # bytes

Source IP            Destination IP         ST   PR    #pkts  #bytes  ttl
134.71.202.57,4738   64.160.215.222,1677    4/4  tcp   551    368024  119:59:56
134.71.202.57,4744   64.160.215.222,1677    4/4  tcp   399    258160  119:59:59
134.71.202.57,1039   134.71.204.115,1410    4/4  tcp   33     6872    119:59:16
134.71.203.168,138   134.71.203.255,138     0/0  udp   2      458     0:06
134.71.202.57,4727   64.160.215.222,1677    0/6  tcp   5      200     1:58:03
134.71.203.168,137   134.71.203.255,137     0/0  udp   2      156     0:13
134.71.202.57        239.255.255.250        0/0  igmp  1      32      1:20
134.71.202.57,137    134.71.203.255,137     0/0  udp   62     5844    1:51
134.71.202.57,1028   134.71.4.100,53        0/0  udp   35     4910    0:11
134.71.202.57,1038   216.136.175.142,5050   4/4  tcp   35     4208    119:59:59
134.71.202.57,138    134.71.203.255,138     0/0  udp   16     3520    1:49
134.71.203.168,138   134.71.203.255,138     0/0  udp   14     3026    2:00
134.71.203.168,137   134.71.203.255,137     0/0  udp   16     1536    1:59
134.71.202.57,1036   239.255.255.250,1900   0/0  udp   7      1127    1:58
134.71.202.57        239.255.255.250        0/0  igmp  10     320     1:54
134.71.202.57,4727   64.160.215.222,1677    0/6  tcp   5      200     1:53:26
134.71.202.57,1031   134.71.184.58,445      2/0  tcp   3      128     0:47
134.71.202.57,1033   134.71.184.58,445      2/0  tcp   3      128     0:48

Page 23: firewall


Where does a firewall fit in the security model?

The firewall is the first layer of defense in any security model. It should not be the only layer. A firewall can stop many attacks from reaching target machines. If an attack can’t reach its target, the attack is defeated.

Page 24: firewall


Ruleset design

Two main approaches to designing a ruleset are:

1. Block everything then open holes.

2. Block nothing then close holes.

Page 25: firewall


Ruleset design – Block Everything

Blocking everything provides the strongest security but the most inconvenience. Things break and people complain.

The block everything method covers all bases but creates more work in figuring out how to make some applications work and then opening holes.

Page 26: firewall


Ruleset design – Block Nothing

Blocking nothing provides minimal security by only closing holes you can identify. Blocking nothing provides the least inconvenience to our users.

Blocking nothing means you must spend time figuring out what you want to protect yourself from and then closing each hole.

Page 27: firewall


What is IDS?

IDS is an Intrusion Detection System.

IDS can identify many attacks and traffic patterns crossing a border device.

Page 28: firewall


An IDS sounds good. Is it?

Yes and no.

An IDS can identify port scans, different web attacks, known buffer overflow attacks, etc. An IDS can also produce many false positive hits. AOL Instant Messenger triggers port scan hits because it talks to several AOL Ad servers within a few seconds. An IDS can create more information on a small network than a network administrator can deal with.

Page 29: firewall


Filtering between VLANs

Tired of being scanned and attacked by people on-campus? Join the club. We are working on firewall features on our new routers. Our current routers lack the horsepower to handle the extra load.

Designing an inter-VLAN firewall configuration will take a great deal of planning and discussion to ensure desired traffic isn’t blocked.

Page 30: firewall


Filtering bad traffic (RFC 1918, bad headers, options, etc.)

Sending bad traffic or malformed packets is a form of attack easily blocked at a firewall. The firewall inspects every packet and rejects those that are not properly formed or are intentionally malformed, protecting devices that may be susceptible.

Page 31: firewall


Filtering bad traffic (RFC 1918, bad headers, options, etc.)

Private IP address traffic should never be seen on our network. Our network uses a registered, valid, legal block of IP addresses.

Private IP address blocks (RFC 1918):
– 10.0.0.0 – 10.255.255.255 (255.0.0.0 mask)
– 172.16.0.0 – 172.240.0.0 (255.240.0.0 mask)
– 192.168.0.0 – 192.168.255.255 (255.255.0.0 mask)
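
A filter for private source addresses is driven by the base address and mask of each block. The Python sketch below is an added example, not part of the original slides: it derives each block's first and last address from the mask (the 255.240.0.0 mask ends the second block at 172.31.255.255) and classifies a list of constructed source addresses, including the addresses on either side of each boundary.

```python
import ipaddress

# Base address and mask of each RFC 1918 block.
PRIVATE_BLOCKS = [
    ipaddress.ip_network(f"{base}/{mask}")
    for base, mask in (
        ("10.0.0.0", "255.0.0.0"),
        ("172.16.0.0", "255.240.0.0"),
        ("192.168.0.0", "255.255.0.0"),
    )
]

def block_ranges():
    """First and last address of each block, derived from its mask."""
    return [(str(n.network_address), str(n.broadcast_address))
            for n in PRIVATE_BLOCKS]

def verdict(src):
    """Block a packet whose source address falls inside any private block."""
    addr = ipaddress.ip_address(src)
    return "block" if any(addr in n for n in PRIVATE_BLOCKS) else "pass"

def classify(sources):
    return [(src, verdict(src)) for src in sources]

# Constructed source addresses, chosen to sit on and just past block boundaries.
SAMPLE_SOURCES = [
    "10.1.2.3", "172.16.0.0", "172.31.255.255", "172.32.0.1",
    "192.168.255.255", "192.169.0.1", "198.51.100.20",
]

if __name__ == "__main__":
    for first, last in block_ranges():
        print(f"{first} - {last}")
    for src, action in classify(SAMPLE_SOURCES):
        print(f"{action:5} {src}")
```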

Page 32: firewall


NAT (a small detour)

Some firewalls provide a feature called Network Address Translation (NAT for short). NAT allows the use of an RFC1918 address on the Internet by tunneling the traffic through one or more valid addresses.

Page 33: firewall


Black hole or Return-RST (or how to respond to things you don’t want.)

Should you tell a sending machine that their traffic was blocked or let them wait until they timeout? For some traffic, it’s better to let the sending machine wait. This slows down the rate of attack. For other traffic (such as SMTP) it may be nice to tell the sender that the SMTP port is closed.

Page 34: firewall


Poking holes: How to allow traffic and expose yourself.

OK. You’ve decided to block traffic. Do you have to block all traffic? No. You can allow select traffic in. The criteria for allowing traffic are the same as blocking traffic.

Page 35: firewall


Compromised Machines

Just a note about compromised machines:

When a machine is compromised, you have no way to determine exactly what was hacked. Cleaning what you think is the problem may not rid yourself of everything. Most instances require a reformat and reinstall of the operating system for proper cleaning.

Page 36: firewall


Honey Pots

A honey pot is a machine sitting on the network for people to hack into. It allows you to watch how a machine can be hacked and (hopefully) learn from the experience.

Page 37: firewall


Where does the Campus Go from Here?

• Campus border firewall.

• Inter-VLAN firewall.

• E-mail filtering through main campus servers.

• Edge firewalls for now.

Page 38: firewall


PF on OpenBSD

Our current firewall is a PC (really high powered) running OpenBSD 3.1. Since OpenBSD 3.0, PF (packet filter) has replaced IPF as the firewall of choice. PF provides stateful filtering of IP packets along with the ability to bridge between interfaces.

Page 39: firewall


Where can I find more information?

• www.securityfocus.com

• www.snort.org

• www.arin.net

• www.iana.org

• www.sans.org