Thursday, July 10, 2008

Security and Firewall Basics


There are four ‘pillars’ in Information Security:
Authentication: To verify somebody’s / something’s identity
Access Control: To restrict access to valuable resources
Confidentiality: To ensure the privacy of data
Integrity: To prevent unauthorised changes to data.
Different technologies provide one or more of these pillars for different parts of an IT environment; examples include encryption, physical access control, biometrics, proxies, PKI and firewalls.
A firewall offers access control, and only limited authentication, at the IP layer: it can identify a host by nothing more than the address it claims to have.
There are three kinds of firewall:
A screening router blocks packets by looking at fields in the packet header.
A proxy firewall offers a virtual service for the server it’s protecting.
A session firewall intercepts the TCP connection to the server it’s protecting.
When exercising access control a screening router can only look at the packet headers (source IP, source port, destination IP, destination port, protocol type and flags). These fields carry limited information and can be forged by the sender, since nothing in a plain IP packet proves where it came from. This is a major limitation of screening routers in environments where the decision has to depend on who is talking rather than on which addresses and ports appear in the header.
One enhancement of the screening router is stateful inspection. A stateful firewall keeps track of permitted connections in a dynamic state table: a connection that was allowed to open gets an entry, and later packets are accepted only if they match one. A well-known example of this technology is FireWall-1 from Check Point Software. Stateful inspection is more intelligent than standard screening and makes it practical to handle complex protocols like FTP, whose data connection uses a port negotiated inside the control connection; a stateless rule set would have to leave that whole port range open.
NAT (Network Address Translation) is another, limited, example of a stateful technology. NAT dynamically rewrites the source (or destination) address and port in the packet header as it forwards the packet, and records the mapping so that the reply can be rewritten back. In the common case of source NAT, every packet therefore appears to be coming from, or going to, the firewall while it is on the Internet; on the protected side the packet has its original headers, as created by the hosts themselves. NAT hides the architecture of the protected network and allows one to use private (RFC 1918) addresses such as 10.0.0.0/8 or 192.168.0.0/16 on the protected network. Private addresses are not routed on the Internet.
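As an added illustration (not code from the original post, and not how any real firewall implements it), here is a small Python model of a source NAT table. The firewall address 203.0.113.1 and the hosts 192.168.1.10, 198.51.100.7 and 198.51.100.99 are made-up sample values taken from documentation and private address ranges, and the packets are constructed inline:

```python
from collections import namedtuple

# Constructed sample traffic: no real hosts are involved. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges; 192.168.1.0/24 is RFC 1918 space.
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")

FIREWALL_PUBLIC_IP = "203.0.113.1"   # assumed address of the firewall's Internet side


class SourceNAT:
    """Toy source NAT (masquerading) table.

    Outbound packets are rewritten to come from the firewall's public address
    and a port allocated per connection; replies are matched against the table
    and rewritten back. Packets with no table entry are dropped.
    """

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound_map = {}   # inside 4-tuple -> allocated public port
        self.inbound_map = {}    # (public port, remote ip, remote port) -> (inside ip, inside port)

    def outbound(self, pkt):
        """Packet leaving the protected network: rewrite its source."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.outbound_map.get(key)
        if port is None:                      # first packet of this connection: add state
            port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = port
            self.inbound_map[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return pkt._replace(src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt):
        """Packet arriving from the Internet: undo the rewrite, or drop it."""
        entry = self.inbound_map.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None                       # unsolicited: nobody inside asked for this
        inside_ip, inside_port = entry
        return pkt._replace(dst_ip=inside_ip, dst_port=inside_port)


def demo():
    """Walk one web connection through the NAT and probe it with a stray packet."""
    nat = SourceNAT(FIREWALL_PUBLIC_IP)
    request = Packet("192.168.1.10", 51000, "198.51.100.7", 80)
    on_internet = nat.outbound(request)               # seen as 203.0.113.1:40000 -> 198.51.100.7:80
    reply = Packet("198.51.100.7", 80, FIREWALL_PUBLIC_IP, on_internet.src_port)
    delivered = nat.inbound(reply)                    # rewritten back to 192.168.1.10:51000
    # A third party that guesses the mapped port still has no matching entry,
    # because the table is keyed on the remote endpoint as well.
    stray = nat.inbound(Packet("198.51.100.99", 80, FIREWALL_PUBLIC_IP, on_internet.src_port))
    return {"on_internet": on_internet, "delivered": delivered, "stray": stray}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name}: {pkt}")
```

The point to take from the stray packet: NAT drops anything it has no mapping for, which is why it counts as a (limited) stateful technology. Real implementations also age entries out, and some match replies on the mapped port alone rather than on the full remote endpoint, which is weaker than the table above.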
Key concepts

NAT: Network Address Translation

Important commands

Firewall commands vary from firewall to firewall. Basic screening technology is available as a standard application on most UNIX systems:

Linux: ipchains (the kernel 2.2 tool; superseded by iptables from kernel 2.4, which adds connection tracking, but the rule concepts below carry over)

BSD: ipfw

ipfw (BSD)

Use ipfw list to view the configured screening rules on a host running ipfw (ipfw show lists them with packet and byte counters).

(You must be root to do this)

ipchains (Linux)

Use ipchains -L to view the configured screening rules on a host running ipchains (add -n for numeric output without DNS lookups).

(You must be root to do this)

man (Unix)

Use man to view the manual page for any standard Unix command.

Tips and tricks

Use man ipfw or man ipchains to view the manual pages for these applications.
Remember that a screening router must consider packets traveling in both directions. Plain screening technology is not aware of a session or a connection; each packet is judged on its own header.
You can look at the SYN flag and the ACK flag to estimate whether a packet is the first in a new connection or part of an already established one. If the SYN flag is set but the ACK flag is not, the packet is establishing a connection; a reply or any later packet has ACK set.
You can match this condition using the -y flag in ipchains (SYN set, ACK and FIN clear) or the setup keyword in ipfw; the opposite test is ! -y in ipchains or the established keyword in ipfw (which matches packets with ACK or RST set). Because the flags are set by the sender, this is a heuristic, not proof that a connection exists.
E.g. to allow all packets that are part of an already established connection:

ipchains -A input -p tcp ! -y -j ACCEPT (ipchains)
ipfw add allow tcp from any to any established (ipfw)
Remember that the source port is not a valid way of doing authentication for IP, because the sending host chooses its own source port for a connection (and can just as easily forge its source address).
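The two rule styles discussed on this page, the plain screening router of the "three kinds of firewall" section and the ! -y / established trick above, behave differently against a forged packet. The following Python model is an added example, not code from the original post or from ipchains or ipfw. The hosts 192.168.1.10 (ours), 198.51.100.7 (a web server) and 198.51.100.99 (an attacker) and all packets are constructed samples, and both rule sets are simplified stand-ins for a real configuration, including a deliberate "trust source port 20" rule to show why that is a mistake:

```python
from collections import namedtuple

# Constructed sample packets; flags is a set of TCP flag names.
Packet = namedtuple("Packet", "direction src_ip src_port dst_ip dst_port flags")


def is_connection_setup(pkt):
    """SYN set and ACK clear: the first packet of a connection (ipchains -y, ipfw setup)."""
    return "SYN" in pkt.flags and "ACK" not in pkt.flags


def stateless_screen(pkt):
    """A screening-router rule set in the spirit of the page's examples.

    Rule 1 is the '! -y -j ACCEPT' / 'established' rule. Rules 2-4 admit new
    connections: any outbound, inbound to the web port, and (deliberately, to
    show the flaw) inbound from the 'trusted' source port 20.
    """
    if not is_connection_setup(pkt):
        return "ACCEPT"                    # looks established: no memory of whether it is
    if pkt.direction == "out":
        return "ACCEPT"
    if pkt.dst_port == 80:
        return "ACCEPT"
    if pkt.src_port == 20:                 # source-port "authentication": the sender picks this
        return "ACCEPT"
    return "DENY"


class StatefulScreen:
    """Stateful inspection: non-setup packets must match a connection seen opening."""

    def __init__(self, allowed_inbound_ports):
        self.allowed_inbound_ports = set(allowed_inbound_ports)
        self.state = set()                 # dynamic state table of permitted connections

    @staticmethod
    def _key(pkt):
        # Unordered pair of endpoints, so both directions of a connection share one entry.
        return frozenset([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)])

    def filter(self, pkt):
        if is_connection_setup(pkt):
            if pkt.direction == "out" or pkt.dst_port in self.allowed_inbound_ports:
                self.state.add(self._key(pkt))
                return "ACCEPT"
            return "DENY"
        return "ACCEPT" if self._key(pkt) in self.state else "DENY"


def demo():
    """Return {description: (stateless decision, stateful decision)} for sample traffic."""
    inside, web, attacker = "192.168.1.10", "198.51.100.7", "198.51.100.99"
    stateful = StatefulScreen(allowed_inbound_ports={80})
    traffic = [
        ("inbound SYN to our web server", Packet("in", web, 33333, inside, 80, {"SYN"})),
        ("outbound SYN to a remote https server", Packet("out", inside, 51000, web, 443, {"SYN"})),
        ("SYN+ACK reply to that outbound SYN", Packet("in", web, 443, inside, 51000, {"SYN", "ACK"})),
        ("forged ACK-only probe to ssh", Packet("in", attacker, 40000, inside, 22, {"ACK"})),
        ("SYN to ssh from source port 20", Packet("in", attacker, 20, inside, 22, {"SYN"})),
    ]
    return {name: (stateless_screen(pkt), stateful.filter(pkt)) for name, pkt in traffic}


if __name__ == "__main__":
    for name, (stateless, stateful) in demo().items():
        print(f"{name:40} stateless={stateless:6} stateful={stateful}")
```

The forged ACK-only probe is accepted by the stateless rule set, because ! -y / established accepts anything that merely looks like part of a connection; this is exactly what an ACK scan relies on to map a packet filter. The stateful filter denies it because no entry was ever created for that pair of endpoints. The last packet shows the source-port rule in action: the attacker simply sets source port 20 and the stateless rule lets a brand-new connection to ssh through.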

