Linux Network Security: Firewall Implementation and Attack Prevention

Learn about the importance of security in the digital world, setting up firewalls using Linux features such as iptables and netfilter, and defending against common cyber attacks like unauthorized access, program vulnerabilities, and denial-of-service attacks.

  • Network Security
  • Linux Firewall
  • Cyber Attacks
  • Security Measures

Presentation Transcript


  1. USTM17 Linux Network Administration Lesson 8: Firewall Peter CHUNG (cspeter@cse.ust.hk) USTM17 Linux Network Administration - Peter Chung (cspeter) 1

  2. Introduction Security is increasingly important for companies and individuals. The Internet provides them with a powerful tool to distribute information about themselves and obtain information from others. On the other hand, it also exposes them to dangers: computer crime, information theft, and malicious damage are all potential threats.

  3. Linux Firewall Linux's firewall facility is known both by its command interface (iptables) and by its kernel subsystem name (netfilter). This implementation was new in the 2.4 kernel and works substantially the same way in 2.6. Modern distributions have since moved on: nftables (nf_tables in the kernel, nft in user space) replaced iptables as the packet-filtering framework from kernel 3.13, and old iptables commands are translated onto it by the iptables-nft compatibility layer. firewalld is not a replacement for either; it is a management daemon that sits on top of nftables (or iptables) and writes the rules on your behalf.

  4. Methods of Attack Here are some of the methods of attack: unauthorized access, exploitation of known weaknesses in programs, denial of service, spoofing, and eavesdropping.

  5. Unauthorized Access This simply means that people who should not be allowed to use your computer services are able to connect to and use them. For example, people outside your company might try to connect to your accounting host or to your NFS server. There are various ways to prevent this by carefully specifying who can gain access through these services; for example, you can block network access to all except the intended users, so that a service is reachable only from the hosts that have a reason to use it.

  6. Exploitation of known weaknesses in programs Some programs and network services were not originally designed with strong security in mind and are inherently vulnerable to attack. Examples: rlogin, rexec, telnet, all of which send passwords and session data in cleartext. The best way to protect yourself against this type of attack is to disable any vulnerable services or find alternatives (for these three, SSH).

  7. Denial of service (DoS) Denial of service (DoS) attacks cause a service or program to cease functioning or prevent others from making use of it. Solution: prevent suspicious network traffic from reaching your hosts (for example by filtering or rate limiting it at the firewall) and prevent suspicious program commands and requests from being processed.

  8. Spoofing This type of attack involves one host or application pretending to be another. Typically the attacker's host pretends to be an innocent host by forging the source IP address in network packets. Solution: verify the authenticity of packets and commands. At the firewall this means anti-spoofing ingress rules, such as dropping packets that arrive on the external interface carrying a source address from your internal network; for anything that matters, rely on authentication above the IP layer rather than on addresses alone.

  9. Eavesdropping This is the simplest type of attack. A host is configured to "listen" to and capture data not belonging to it. Solution: avoid broadcast (shared-medium) network technologies, where every host sees every frame, and enforce the use of data encryption so that captured traffic is useless to the eavesdropper.

  10. What Is a Firewall? A firewall is a secure and trusted machine that sits between a private network and a public network. Firewalls can be constructed in a variety of ways.

  11. What Is IP Filtering? IP filtering is simply a mechanism that decides which IP packets will be processed normally and which will be dropped or rejected. Some of the fields a decision can be based on: protocol type (TCP, UDP, ICMP, etc.); port number (for TCP/UDP); packet type (SYN/ACK, data, ICMP Echo Request, etc.); packet source address (where it came from); packet destination address (where it is going to).

  12. IP filtering IP filtering is a network-layer facility. It sees addresses, protocols and ports, but it does not understand the application-level content of the connections it passes. If you rely on IP filtering alone, you cannot stop someone from running telnet against any port that your firewall lets through; you can only decide which ports and hosts are reachable, not what is done over them.

  13. Firewall Management firewalld is a firewall management tool that acts as a front end for the Linux kernel's netfilter framework. It provides high-level management of services that are defined as a specific protocol and set of ports. For example, we can allow or block HTTP by naming the HTTP service to firewalld, without knowing the exact traffic signature of HTTP packets.

  14. Firewall Management firewall-cmd is the command-line client for firewalld.
      Get the list of services defined in firewalld:
      # firewall-cmd --get-services
      Show the currently allowed services:
      # firewall-cmd --list-services

  15. Firewall Management Allow the HTTP service:
      # firewall-cmd --add-service http
      Block the HTTP service:
      # firewall-cmd --remove-service http
      Both commands change only the running configuration, in the default zone; the change is lost on the next reload or reboot. To make it persistent, repeat the command with --permanent and then reload firewalld, and check both the runtime and the permanent service lists afterwards.
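The following shell script is an added example and not part of Peter Chung's slides. It wraps the slide 15 command so that a service is added to both the runtime and the permanent configuration, and adds a check that reports drift between the two service lists, which is the state slide 15's command alone leaves behind. The service lists at the bottom are constructed sample output, not captured from a real host; firewall-cmd itself is only invoked when DRY_RUN is not set.

```shell
#!/bin/sh
# Added example: keep firewalld runtime and permanent configuration in step.
# Not part of the original slides. firewall-cmd needs root and a running
# firewalld, so DRY_RUN=1 prints the commands instead of executing them.

# Allow a service in the running configuration AND in the permanent one.
# Slide 15's "firewall-cmd --add-service http" does only the first half;
# that change is gone after "firewall-cmd --reload" or a reboot.
allow_service() {
    svc="$1"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "firewall-cmd --add-service=$svc" \
                      "firewall-cmd --permanent --add-service=$svc"
    else
        firewall-cmd --add-service="$svc" &&
        firewall-cmd --permanent --add-service="$svc"
    fi
}

# Is service name $1 in the space-separated list $2? The list is what
# "firewall-cmd --list-services" (runtime) or
# "firewall-cmd --permanent --list-services" (permanent) prints.
# Whole-word comparison, so "http" does not match "https".
service_allowed() {
    svc="$1"
    for s in $2; do
        [ "$s" = "$svc" ] && return 0
    done
    return 1
}

# Report where a service is allowed: both, runtime-only, permanent-only, none.
# "runtime-only" is what slide 15 leaves behind and what an audit should flag:
# the host is open now but will close again on the next reload.
# "permanent-only" means a change was saved but never activated.
service_state() {
    svc="$1"; runtime="$2"; permanent="$3"
    if service_allowed "$svc" "$runtime"; then
        if service_allowed "$svc" "$permanent"; then echo both; else echo runtime-only; fi
    else
        if service_allowed "$svc" "$permanent"; then echo permanent-only; else echo none; fi
    fi
}

# Constructed sample lists (not captured from a real host): the situation
# after running slide 15's command without --permanent.
SAMPLE_RUNTIME="cockpit dhcpv6-client http ssh"
SAMPLE_PERMANENT="cockpit dhcpv6-client ssh"

# On a live host replace the samples with:
#   runtime=$(firewall-cmd --list-services)
#   permanent=$(firewall-cmd --permanent --list-services)
service_state http "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT"   # prints: runtime-only
DRY_RUN=1 allow_service http                               # prints the two commands that fix it
```

After the permanent change, run firewall-cmd --reload so the saved configuration becomes the active one; service_state should then report "both" for the service.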

  16. Firewall Management nftables is the direct front end to the Linux kernel's netfilter framework (the nf_tables subsystem). It provides more fine-grained control of packet filtering: filter by protocol, filter packets with specific IP addresses or ports, and so on. More control, but more complex than firewalld. nft is the command-line client of nftables.

  17. Organization of nftables nftables is comprised of tables, chains and rules. A table can have multiple chains, and a chain can have multiple rules. Packets are matched against the rules of a chain in order, and the first rule that gives a verdict decides.

  18. Tables in nftables A table applies to packets of a particular address family (ip for IPv4, ip6 for IPv6, inet for IPv4 and IPv6 combined, bridge for bridged interfaces, etc.).
      List all tables:
      # nft list tables
      For example: table ip filter

  19. Chains in nftables List the chains and the underlying rules in table ip filter:
      # nft list table ip filter
      table ip filter {
          chain INPUT {
              type filter hook input priority filter; policy accept;
          }
          chain FORWARD {
              type filter hook forward priority filter; policy accept;
          }
          chain OUTPUT {
              type filter hook output priority filter; policy accept;
          }
      }

  20. Chains in nftables There are 3 chains in table ip filter: INPUT, FORWARD and OUTPUT. Each chain declaration names the hook in the Linux kernel it is attached to (hook input, hook forward, hook output); chains with a hook are called base chains, and their policy (accept here) is the verdict applied when no rule matches. Rules added to these chains will be applied when packets reach the specified hook: rules in the INPUT chain apply to packets received for this host, rules in the OUTPUT chain apply to packets sent by this host, and rules in the FORWARD chain apply to packets routed through this host.

  21. Adding Rules to nftables Add a rule to drop all ICMP packets:
      # nft add rule ip filter INPUT ip protocol icmp drop
      Add a rule to drop all incoming HTTP traffic:
      # nft add rule ip filter INPUT tcp dport 80 drop
      Add a rule to drop all outgoing HTTP and HTTPS traffic:
      # nft add rule ip filter OUTPUT tcp dport 80 drop
      # nft add rule ip filter OUTPUT tcp dport 443 drop
      Each nft add rule appends to the end of the chain, so rules are evaluated in the order you added them, and running the same command twice installs the rule twice. Dropping all ICMP also discards the error messages that path MTU discovery depends on, so a real ruleset should be more selective. Rules added this way live only in the kernel; they disappear at reboot unless the ruleset is saved and loaded again at boot.

  22. Removing Rules from nftables Flush the table to remove all rules:
      # nft flush table ip filter
      Flushing removes every rule in every chain of the table but keeps the table and its chains; deleting the table removes the chains as well.
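The script below is an added example and not code from the slides: it turns the material of slides 18 to 22 into a single ruleset file that nft loads in one step, instead of the one-rule-at-a-time commands of slide 21. Assumptions the slides do not make: the host runs SSH on port 22 and offers nothing else inbound, the inet family is used so one table covers IPv4 and IPv6, and the input chain defaults to drop rather than the accept policy shown on slide 19. validate_ruleset only calls nft when it is installed and usable; elsewhere it reports that the check was skipped.

```shell
#!/bin/sh
# Added example, not part of the original slides: the rules from slides 18-22
# as one declarative ruleset loaded atomically with "nft -f", rather than one
# "nft add rule" at a time. build_ruleset() only writes text and runs
# anywhere; nft itself needs root and nf_tables support in the kernel.

# Print a complete ruleset. Assumptions (not from the slides): this host
# offers SSH on $1 (default 22) and nothing else inbound, and the ruleset is
# written for the inet family so IPv4 and IPv6 share one set of rules.
build_ruleset() {
    ssh_port="${1:-22}"
    cat <<EOF
# "flush ruleset" makes a load idempotent: reloading replaces the old rules
# instead of appending a second copy, which is what repeating slide 21's
# "nft add rule" commands would do.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        # replies to connections this host opened; drop packets conntrack
        # cannot place in any connection (the "suspicious traffic" of slide 7)
        ct state established,related accept
        ct state invalid drop

        iif "lo" accept

        # slide 21 drops all ICMP, which also kills path-MTU discovery;
        # rate-limit echo requests instead and keep IPv6 neighbour discovery
        icmp type echo-request limit rate 4/second accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        tcp dport $ssh_port accept

        # everything else falls through to "policy drop" (slide 5:
        # unauthorised access is blocked by default, not per service)
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy accept;

        # slide 21's two OUTPUT rules as one rule with an anonymous set
        tcp dport { 80, 443 } drop
    }
}
EOF
}

# Syntax-check a ruleset file without loading it ("nft -c" parses only).
# Returns 0 when it parses, 1 on a syntax error, 2 when the check cannot be
# run here (no nft, not root, or no nf_tables support in the kernel).
validate_ruleset() {
    file="$1"
    command -v nft >/dev/null 2>&1 || return 2
    [ "$(id -u)" -eq 0 ] || return 2
    nft list ruleset >/dev/null 2>&1 || return 2
    nft -c -f "$file" >/dev/null 2>&1 || return 1
    return 0
}

out="${TMPDIR:-/tmp}/filter.nft"
build_ruleset 22 > "$out"
status=0
validate_ruleset "$out" || status=$?
echo "wrote $out; nft -c status $status (0 = parses, 2 = check skipped)"
# To install: nft -f "$out"   then verify with: nft list ruleset (slide 19)
```

Loading the generated file with nft -f replaces the whole ruleset in one kernel transaction, so there is never a window with half the rules installed, and saving the same file where the distribution's nftables service loads it at boot (commonly /etc/nftables.conf) is what makes the rules survive a reboot. Do not mix this with firewalld on the same host: the flush ruleset line removes every table, including the ones firewalld manages.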

  23. Any questions so far?