Family name: Chaparro Gonzalez
First name: Diego
E-mail: dchaparro@acm.org

2002: Homework 4 : Firewalls
----------------------------------------------------------

1.- Terms and concepts
=+=+=+=+=+=+=+=+=+=+=+=+==+=+=+=+=+=+=+=

a)
==
· Similarities: With both systems hosts can be protected from attacks.
· Differences: With area protection some hosts are protected using different methods, such as a firewall, a packet filter, ... With host protection a host is protected with methods such as intrusion detection (checksums, rootkits, ...), antivirus, ... [1]
· Benefits: Both systems have their own purpose, and it is good to use both to protect hosts from attacks.

b)
==
· Similarities: Both are used to mediate traffic between a protected network and the internet.
· Differences: A transparent proxy service is transparent to the users and the applications; they don't know about the existence of the proxy. But with a proxy the users must configure their applications to use the proxy. [1]
· Benefits: A transparent proxy service is more comfortable for the users and applications, because the applications don't have to be configured to use the proxy service.

c)
==
· Similarities: Both are used to pass data packets from one side/interface to another.
· Differences: A transparent bridge works at level 2 and a packet filter works at level 3. A packet filter can select which packets may pass across it, but the bridge doesn't.
· Benefits: A packet filter can be used to block some kinds of packets.

d)
==
· Similarities: Both are intermediaries between the packets from the users and the internet.
· Differences: A packet filter doesn't modify the packets from the users; it only forwards the packets or blocks them. A proxy service receives packets from users and establishes a new connection from the proxy to the other host of the communication.
· Benefits: A packet filter is useful to block some kinds of packets. A proxy service is useful to avoid direct connections from the users to other hosts on the internet.
2.- Progressive firewall
=+=+=+=+=+=+=+=+=+=+=+=+==+=+=+=+=+=+=+=

2.1)
====
a) With a NAPT, all the hosts are hidden from the internet; only connections from the subnetwork are allowed, connections originating in the internet are not allowed. [2]
b) Furthermore, in this case all the ports that are not going to be used are closed. [2]
c) With the proxies we can log all the connections from/to the subnet, and an attacker has to pass across two packet filters to reach the hosts in the subnetwork.

2.2)
====
a) The NAPT protects against direct attacks from the internet to the hosts in the subnet, because the addresses of the hosts are private and are hidden by the NAPT, so the hosts on the internet cannot initiate an attack against the hosts in the subnet. But if a host in the subnet starts a connection to a web site that has a malicious application, the NAPT cannot do anything about that. [3] And there can be other kinds of attacks; for example a malicious application on a host in the subnet can initiate connections to send data to an external host.
b) In this case we can avoid attacks from malicious applications inside the subnetwork that try to connect to external hosts to send data across ports which are not vital, because the packet filter only allows some kinds of vital network services. It is still possible that a host in the subnetwork initiates a connection to a web site that has a malicious application.
c) In this case we have double protection if an attacker tries to access a host in the subnetwork, because he has to pass across two packet filters. The proxies give more security because the proxies hide the origin of the connection, and all connections appear to start from the same host. NAT provides no virus protection at all.

2.3)
====
With this configuration it is not possible to put a web server in the subnetwork, because to do this we need the bi-directional mode of NAT. [3] Some applications don't work very well with NAT, for example SNMP, because it has address content in the payload.
Other kinds of applications that don't work well with NAT are applications such as H.323. [2]

3.- Packet filtering
=+=+=+=+=+=+=+=+=+=+=+=+==+=+=+=+=+=+=+=

a)
==
SERVICE           FROM                 TO
-------           ----                 --
icmp              any                  any
ssh (22)          10.0.0.0/8 (eth0)    any
dns (53)          10.0.0.0/8 (eth0)    any
http (80)         10.0.0.0/8 (eth0)    any
irc (6666-6669)   10.0.0.0/8 (eth0)    any
*any              any (eth1)           10.0.0.0/8
smtp (25)         any                  firewall
imap2 (143)       any                  firewall
smtp (25)         firewall             any (eth1)

* Only the packets associated with a connection that is ESTABLISHED (meaning that the packet is associated with a connection which has seen packets in both directions) or RELATED (meaning that the packet is starting a new connection, but is associated with an existing connection). [4]

b)
==
It's necessary to add the following four rules (active and passive ftp is allowed):

iptables -A INPUT -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

c)
==
The firewall is a router that forwards packets from/to the network 10.0.0.0/8 on the interface eth0. The firewall has an SMTP server and an IMAP2 server.

d)
==
The FTP service can be put inside the subnetwork 10.0.0.0/8, in the firewall, or outside the firewall. I think that the most suitable place is outside the firewall to protect the hosts in the subnetwork and the firewall from possible attacks.

4.- Feedback
=+=+=+=+=+=+=+=+=+=+=+=+==+=+=+=+=+=+=+=
I have been doing this assignment for about eight or ten hours. I think it has been ok, neither too easy nor too difficult.
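As an added example (not part of the original homework), the following shell script realises the policy table of 3a, the FTP rules of 3b and the NAPT of 2.1 a)/b) on a Linux router with iptables, with a default DROP policy so that only the listed services and ESTABLISHED/RELATED replies pass. It assumes eth0 faces 10.0.0.0/8, eth1 faces the internet, and the firewall itself is the SMTP/IMAP2 host; the interface roles, the use of MASQUERADE for the NAPT, TCP for the four listed services (plus UDP for DNS), the conntrack helper module names and the IPT dry-run variable are assumptions of this example, not something the assignment states.

```shell
#!/bin/sh
# Added example: iptables rule set for the 3a table, the 3b FTP rules and the
# NAPT of 2.1. Assumed layout: eth0 = 10.0.0.0/8 side, eth1 = internet side,
# the firewall itself runs SMTP and IMAP2. Set IPT="echo iptables" to print the
# rules instead of applying them (used by count_rules, which needs no root).
IPT="${IPT:-iptables}"
INSIDE_IF=eth0
OUTSIDE_IF=eth1
INSIDE_NET=10.0.0.0/8

firewall_rules() {
    # Start clean, then default deny in every direction: everything below is
    # an explicit allow, so ports that are not listed are closed (2.1 b).
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # NAPT (2.1 a): inside hosts leave through eth1 with the firewall's address.
    $IPT -t nat -A POSTROUTING -o $OUTSIDE_IF -s $INSIDE_NET -j MASQUERADE

    # The "*" row of the table: from eth1 towards 10.0.0.0/8 only packets that
    # belong to a connection already seen (ESTABLISHED) or announced by a
    # helper (RELATED) are forwarded; nothing originating outside gets in.
    $IPT -A FORWARD -i $OUTSIDE_IF -o $INSIDE_IF -d $INSIDE_NET \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # icmp any -> any
    $IPT -A FORWARD -p icmp -j ACCEPT
    $IPT -A INPUT -p icmp -j ACCEPT
    $IPT -A OUTPUT -p icmp -j ACCEPT

    # ssh, dns, http, irc: NEW connections from the inside network to anywhere
    # (TCP assumed for all four; DNS additionally over UDP).
    for port in 22 53 80 6666:6669; do
        $IPT -A FORWARD -i $INSIDE_IF -s $INSIDE_NET -p tcp --dport $port \
            -m state --state NEW -j ACCEPT
    done
    $IPT -A FORWARD -i $INSIDE_IF -s $INSIDE_NET -p udp --dport 53 \
        -m state --state NEW -j ACCEPT

    # smtp and imap2 from anywhere to the firewall itself.
    $IPT -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p tcp --dport 143 -m state --state NEW -j ACCEPT

    # smtp from the firewall out through eth1.
    $IPT -A OUTPUT -o $OUTSIDE_IF -p tcp --dport 25 -m state --state NEW -j ACCEPT

    # FTP (3b): the ftp connection-tracking helper is what marks the active-mode
    # data connection (server port 20 -> client) and the passive-mode data
    # connection (client -> server high port) as RELATED, so the generic
    # ESTABLISHED,RELATED rules above admit both; only the control channel
    # (port 21) needs its own NEW rule. Module name differs between kernels.
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp 2>/dev/null || true
    $IPT -A OUTPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $INSIDE_IF -s $INSIDE_NET -p tcp --dport 21 \
        -m state --state NEW -j ACCEPT
}

# Number of rules the function would append, computed in dry-run mode so the
# rule set can be reviewed on any machine without touching a live firewall.
count_rules() {
    ( IPT="echo iptables"; firewall_rules ) | grep -c -- ' -A '
}

# Apply only when explicitly asked, so that sourcing the file for review is harmless.
if [ "${APPLY_FIREWALL:-no}" = yes ]; then
    firewall_rules
fi
```

Running it with IPT="echo iptables" prints the rules instead of applying them, which is how the rule set can be reviewed without root. The FTP part relies on the ftp connection-tracking helper: without that module loaded, the passive-mode data connection is neither ESTABLISHED nor RELATED and is dropped by the default policy even though the four 3b rules are present.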
REFERENCES:
=+=+=+=+=+=+=+=+=+=+=+=+==+=+=+=+=
[1] Curtin, M. and Ranum, M., Internet Firewalls: Frequently Asked Questions. URL: http://www.interhack.net/pubs/fwfaq/
[2] Srisuresh, P., RFC 2663, IP Network Address Translator (NAT) Terminology and Considerations. URL: http://www.faqs.org/rfcs/rfc2663.html
[3] Foreman, T., Network Address Translation - Not a Security Panacea. URL: http://rr.sans.org/firewall/net_add2.php
[4] Eychenne, H., IPTABLES Manual page. URL: http://www.dis.uniroma1.it/~liberato/struct/man/manscript.cgi?iptables.8