8.1 Firewalls


Firewall

A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules.

Access Control List (ACL)

Filtering rules firewalls use to identify which traffic to allow and which traffic to block. Firewalls use filtering rules, which are sometimes called access control lists (ACLs), to identify allowed and blocked traffic. A rule identifies specific characteristics:
- The interface the rule applies to
- The direction of traffic (inbound or outbound)
- Packet information such as the source IP address, destination IP address, or port number
- The action to take when the traffic matches the filter criteria

Each ACL has an implicit deny specification. This is a line at the end of the ACL stating that packets that don't match any defined rules are dropped. Firewalls do not offer protection against all attacks (such as email spoofing attacks).

Network Ports

Network ports are logical connections provided by the TCP or UDP protocols at the Transport layer. They are used by protocols in the upper layers of the OSI model. The TCP/IP protocol stack uses port numbers to determine which protocol incoming traffic should be directed to.

The following describes firewall types:

Packet Filtering Firewall - A packet filtering firewall allows and blocks network traffic by examining information in the IP packet header, such as source and destination addresses, ports, and service protocols. A packet filtering firewall:
- Uses ACLs or filter rules to control traffic.
- Operates at OSI Layer 3 (Network layer).
- Offers high performance because it examines only the address information in the packet header.
- Implements features that are included in most routers.
- Is a popular solution because it is easy to implement and maintain, has a minimal impact on system performance, and is fairly inexpensive.

A packet filtering firewall is considered a stateless firewall because it examines each packet and uses rules to accept or reject it without considering whether the packet is part of a valid and active session.

Circuit-Level Gateway - A circuit-level gateway makes decisions about which traffic to allow based on virtual circuits or sessions. A circuit-level gateway:
- Operates at OSI Layer 5 (Session layer).
- Keeps a table of known connections and sessions. Packets directed to known sessions are accepted.
- Verifies that packets are properly sequenced.
- Ensures that the TCP three-way handshake process occurs only when appropriate.
- Does not filter packets. Instead, it allows or denies sessions.

A circuit-level gateway is considered a stateful firewall because it keeps track of a session's state. A circuit-level gateway can filter traffic that uses dynamic ports because the firewall matches the session information for filtering, not the port numbers. In general, circuit-level gateways are slower than packet filtering firewalls. However, if only the session state is used for filtering, a circuit-level gateway can be faster after the initial session information has been identified.

Application-Layer Firewall - An application-layer firewall is capable of filtering by information contained within a packet's data portion. An application-layer firewall:
- Examines the entirety of the transferred content (not just individual packets).
- Operates at OSI Layer 7 (Application layer).
- Understands, or interfaces with, the application-layer protocol.
- Filters content by user, group, and data (for example, URLs within an HTTP request).
- Is the slowest form of firewall because entire messages are reassembled at the Application layer.

One example of an application-layer firewall is a proxy server. A proxy server is a device that stands as an intermediary between a secure private network and the public. Proxies can be configured to:
- Control both inbound and outbound traffic.
- Increase performance by caching frequently accessed content. Content is retrieved from the proxy cache instead of the original server.
- Filter content and restrict access depending on the user or specific website.
- Shield or hide a private network.

There are two different types of proxy servers:
- A forward proxy server handles requests from inside a private network out to the internet.
- A reverse proxy server handles requests from the internet to a server located inside a private network. A reverse proxy can perform load balancing, authentication, and caching. Often, reverse proxies work transparently, meaning that clients requesting specific resources don't know they are using a reverse proxy to access a server.

Unified Threat Management (UTM) Device - A unified threat management device combines multiple security features into a single network appliance. A single UTM device can provide several security features:
- Firewall
- VPN
- Anti-spam
- Antivirus
- Load balancing

By combining several services into one appliance, UTM devices make managing network security much easier. However, they also introduce a single point of failure: if the UTM fails, network security is lost. Additionally, UTM devices aren't as robust as other devices made for a specific use. Because of this, UTM devices are best suited for:
- Offices where space limits don't allow for multiple security appliances.
- Satellite offices that need to be managed remotely. Configuration changes need to be made on only one device rather than multiple devices.
- Smaller businesses that wouldn't benefit from the robust features provided by specific security appliances.

Next Generation Firewall (NGFW) - A Next-Generation Firewall (NGFW) combines a traditional firewall with other network device filtering functionalities like an application firewall. An NGFW:
- Is application-aware
- Tracks the state of traffic based on layers 2 through 7
- Utilizes an intrusion protection system (IPS)
- Tracks the identity of the local traffic device and user (LDAP, RADIUS, Active Directory)
- Can be used in bridged and routed modes
- Utilizes external intelligence sources

ICANN categorizes ports as follows:

- Well known ports range from 0 to 1023 and are assigned to common protocols and services.
- Registered ports range from 1024 to 49151 and are assigned to a specific service by ICANN.
- Dynamic (also called private or high) ports range from 49152 to 65535 and can be used by any service on an ad hoc basis. Ports are assigned when a session is established, and ports are released when the session ends.

Firewall Types

You can categorize firewalls by their location on the network:
- A network-based firewall is installed on the edge of a private network or network segment. Most network-based firewalls are considered hardware firewalls even though they use a combination of hardware and software to protect the network from internet attacks. Network-based firewalls are more expensive and require more configuration than other types of firewalls, but they are much more robust and secure.
- A host-based firewall is installed on a single computer in a network. Almost all host-based firewalls are software firewalls. A host-based firewall can protect a computer when no network-based firewall exists (in other words, when connected to a public network). Host-based firewalls are less expensive and easier to use than network-based firewalls, but they don't offer the same level of protection or customization.

You can use a host-based firewall in addition to a network-based firewall to provide multiple layers of protection.

A common method for using firewalls is to:

define various network zones. Each zone identifies a collection of users who have similar access needs. Firewalls are configured at the edge of these zones to filter incoming and outbound traffic. For example, you can define a zone that includes all hosts on your private network protected from the internet, and you can define another zone within your network for controlled access to specific servers that hold sensitive information.

To protect a server:

ensure that only the necessary ports are open. For example, if the server is only used for email, shut down ports that correspond to FTP, DNS, HTTP, and other protocols.

iptables

iptables is a command line firewall utility for Linux operating systems that uses three different policy chains to allow or block network traffic. When a connection is initiated to your system, iptables looks for a rule in its list to match it to. If it doesn't find one, it resorts to the default action in the tables. iptables almost always comes pre-installed on any Linux distribution. To update or install iptables, just retrieve the iptables package by entering the command: sudo apt install iptables-services.

iptables uses three chains - input, forward, and output:
- Input: This chain controls the behavior for incoming connections. For example, if a user attempts to ping your system, iptables attempts to match the IP address and port to a rule in the input chain.
- Forward: This chain is used for incoming connections that aren't delivered locally. For example, if iptables is being used on a router, the traffic is not destined for the router, but the router will forward the traffic to the destination device.
- Output: This chain is used for outgoing connections. For example, if you try to ping testout.com, iptables checks its output chain to see what the rules are regarding ping and testout.com before allowing or denying the ping request.

You need to decide what action you want the rules to perform. You can accept, drop, or reject the connections. After you define your accept rules, you should create a rule to drop all other traffic to prevent unauthorized access to the system:
- Accept: Allows the connection.
- Drop: Drops the connection. For example, if someone pings your system, the request is dropped, and no response is sent to the user.
- Reject: Does not allow the connection, but will send a response back. This lets the sender know that they reached a system, but were rejected.

network ports

logical connections provided by the TCP or UDP protocols at the Transport layer. They are used by protocols in the upper layers of the OSI model. The TCP/IP protocol stack uses port numbers to determine which protocol incoming traffic should be directed to. Ports:
- Allow a single host with a single IP address to run network services. Each port number identifies a distinct service.
- Can have over 65,000 ports per IP address.
- Are regulated by the Internet Corporation for Assigned Names and Numbers (ICANN).

These are some examples of the uses and commands for iptables:

sudo iptables -L - Lists all the current rules.
sudo iptables -F - Clears all the current rules.
sudo /sbin/iptables-save - Saves changes to the iptables on Ubuntu systems. The command may differ on other Linux systems.
sudo iptables -A INPUT -j DROP - Drops all incoming traffic.
sudo iptables -A INPUT -s 192.168.0.254 -j DROP - Blocks all connections associated with the IP address of 192.168.0.254.
sudo iptables -A OUTPUT -p tcp --dport 25 -j REJECT - Blocks SMTP mail on port 25.
sudo iptables -A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT, sudo iptables -A OUTPUT -p tcp --sport 25 -m conntrack --ctstate ESTABLISHED -j ACCEPT - Allows SMTP mail on port 25.
sudo iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT, sudo iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT - Allows HTTP traffic on port 80 on a web server. To allow HTTPS, you would use port 443.
sudo iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT, sudo iptables -A OUTPUT -p tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT - Allows both HTTP and HTTPS on ports 80 and 443 on a web server.

The following lists the well-known ports that correspond to common internet services:

20 TCP and UDP, 21 TCP and UDP - File Transfer Protocol (FTP)
22 TCP and UDP - Secure Shell (SSH)
22 TCP and UDP - SSH File Transfer Protocol (also known as Secure File Transfer Protocol or SFTP)
23 TCP - Telnet
25 TCP and UDP - Simple Mail Transfer Protocol (SMTP)
53 TCP and UDP - Domain Name Server (DNS)
67 TCP and UDP, 68 TCP and UDP - Dynamic Host Configuration Protocol (DHCP)
69 TCP and UDP - Trivial File Transfer Protocol (TFTP)
80 TCP and UDP - Hypertext Transfer Protocol (HTTP)
110 TCP - Post Office Protocol (POP3)
119 TCP - Network News Transport Protocol (NNTP)
123 TCP and UDP - Network Time Protocol (NTP)
137 TCP and UDP, 138 TCP and UDP, 139 TCP and UDP - NetBIOS Name Service, NetBIOS Datagram Service, NetBIOS Session Service
143 TCP - Internet Message Access Protocol (IMAP4)
161 UDP, 162 TCP and UDP - Simple Network Management Protocol (SNMP)
389 TCP and UDP - Lightweight Directory Access Protocol (LDAP)
443 TCP and UDP - HTTP over Secure Sockets Layer (HTTPS)
445 TCP - Microsoft Server Message Block (SMB) File Sharing
636 TCP and UDP - Lightweight Directory Access Protocol over TLS/SSL (LDAPS)
1720 TCP - H.323 Call Signaling
2427 UDP - Cisco Media Gateway Control Protocol (MGCP)
3389 TCP and UDP - Remote Desktop Protocol (RDP)
5004 TCP and UDP, 5005 TCP and UDP - Real-time Transport Protocol (RTP) Data, Real-time Transport Protocol (RTP) Control
5060 TCP and UDP, 5061 TCP - Session Initiation Protocol (SIP), Session Initiation Protocol (SIP) over TLS

