Lesson 10


A proxy server provides the following services:

Hiding network resources, logging, and caching.

Four common firewall installations

Screening router, single-homed bastion host, dual-homed bastion host, and screened subnet.

Application-layer proxy

By far the most popular type of proxy server.

Circuit-level gateways often provide...

Network Address Translation (NAT), in which a network host alters the packets of internal network hosts so they can be sent out across the Internet. You will learn more about NAT shortly.

The most popular circuit-level gateway is

SOCKS, invented by David Koblas.

Masquerading is useful with NAT...

because it allows hosts using private network IP addresses to communicate with hosts on the Internet. A commonly used phrase for masquerading is "packet mangling."

Disadvantages of Single-homed bastion host

increased cost and reduced performance

MASQUERADE

An iptables target that allows you to establish NAT on a firewall. It is used in the POSTROUTING chain of the nat table and rewrites the source address of outgoing packets to the address of the outgoing interface, which makes it suitable for interfaces whose address is assigned dynamically.

Operating system hardening

the firewall's installation program disables or removes all unnecessary services

Chargeback

The concept of billing users for the volume of network traffic they generate.

modprobe -r ipchains

Removes the ipchains kernel module. The ipchains and iptables modules cannot be loaded at the same time, so this is done before switching a firewall over to iptables.

NAT and vendor terminology

Trusting and trusted (see the definitions of each below).

nat

The table used for creating NAT. It contains the PREROUTING, OUTPUT and POSTROUTING chains.

ipchains forward

used to control packets being masqueraded, or sent to remote hosts

ipchains input

used to control packets entering the interface

Stateful multi-layer inspection

Allows packet filters to overcome weaknesses inherent in packet filtering. The firewall can examine packets in context because it maintains a database of past connections. This allows you to detect and thwart ping and port scans, and helps determine whether a packet has been spoofed. It also allows packet filters to inspect packets at all layers of the OSI/RM, not just the network layer.
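The following is an added example, not code from the course material, showing what "examining packets in context" buys you. A stateless filter that wants to let web replies back in has to accept every inbound packet whose source port is 80, and an attacker can simply set that source port. The toy filter below records connections that internal hosts open and admits an inbound packet only if it answers one of them; it also counts the distinct destination ports each external source probes so a port scan can be flagged. The subnet, addresses, ports and the scan threshold are assumptions chosen for the demonstration, and the kernel's conntrack engine tracks far more state than this.

```python
"""Toy stateful packet filter (added example; addresses and threshold are assumed)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("192.168.1.0/24")  # assumed internal subnet
SCAN_THRESHOLD = 5  # distinct ports probed by one source before we flag a scan


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters: "S" SYN, "SA" SYN-ACK, "A" ACK


class StatefulFilter:
    def __init__(self):
        self.connections = set()  # (int_ip, int_port, ext_ip, ext_port)
        self.probed_ports = defaultdict(set)  # external source -> ports it hit
        self.alerts = []

    def handle(self, pkt: Packet) -> str:
        if ip_address(pkt.src) in INTERNAL_NET:
            # Outbound traffic is allowed; a plain SYN opens a connection
            # whose replies may later be matched against the table.
            if pkt.flags == "S":
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        # Inbound: accept only if it is the reverse of a tracked connection.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
            return "ACCEPT"
        # Unsolicited inbound packet: drop it and count it toward scan detection.
        ports = self.probed_ports[pkt.src]
        ports.add(pkt.dport)
        if len(ports) == SCAN_THRESHOLD:
            self.alerts.append(f"possible port scan from {pkt.src}: ports {sorted(ports)}")
        return "DROP"


def run_demo():
    """Constructed traffic: one legitimate session, one forged reply, one scan."""
    fw = StatefulFilter()
    inside, web, attacker = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    packets = [
        Packet(inside, 40000, web, 80, "S"),        # client opens a connection
        Packet(web, 80, inside, 40000, "SA"),       # genuine reply: matches the table
        Packet(attacker, 80, inside, 40000, "SA"),  # forged "reply" from the wrong host
    ] + [Packet(attacker, 55555, inside, p, "S") for p in (21, 22, 23, 25, 443)]
    verdicts = [fw.handle(p) for p in packets]
    return verdicts, fw.alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The forged reply carries source port 80, so a stateless "allow source port 80" rule would pass it; the stateful filter drops it because no internal host ever opened a connection to that address.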

Screened host firewall (single-homed bastion)

The bastion host can be configured as either a circuit-level or an application-level gateway. Because each of these is a proxy server, the bastion host can hide the configuration of the internal network. The single-homed bastion host provides this functionality by using network address translation (NAT), which allows network administrators to use any internal IP addressing scheme.

Dual-homed bastion host

Functions identically to a single-homed bastion host except that it has at least two network interfaces. It serves as an application gateway, and as a packet filter and circuit gateway as well.

Single-homed bastion host

is a firewall device with only one network interface used for application-level gateway firewalls.

Another name for a choke point

is a network perimeter

Web security gateway

is an application designed to provide security protection from malware by classifying new and dynamic Web content in real-time, determining immediately whether the Web site and its contents are safe.

Proxy server

is an entity that stands for, or acts for and on behalf of, another person or thing, e.g., attending a meeting for an absent colleague.

The primary advantage of using a circuit-level gateway...

is that it provides NAT, which allows security and network administrators great flexibility when developing an internal IP addressing scheme.

Screened host firewall (dual-homed bastion)

it creates a complete physical break between your network and any external one, such as the Internet

Firewall Terminology

Packet filter, proxy server, network address translation.

Logging

A proxy server can log incoming and outgoing access, allowing you to see the details of successful and failed connections.

circuit-level gateway is composed of two hosts:

An encrypted connection exists between the first firewall host and the second, and both work together to process traffic.

A firewall strategy should aim to meet four goals:

Implement a company's security policy, create a choke point, log Internet activity, and limit network host exposure.

Disadvantages of screening routers

A high degree of TCP/IP knowledge is required to create proper filters. Configuration errors within a filter may allow unwanted traffic to pass, or may deny acceptable traffic.

Firewall

A security barrier that controls the flow of information between the Internet and private networks. A firewall prevents outsiders from accessing an enterprise's internal network, which accesses the Internet indirectly through a proxy server.

three types of firewalls

Packet filter, circuit-level gateway, application-level gateway.

Demilitarized zone (DMZ)

mini-network that resides between a company's internal network and the external network. The network is created by a screening router and, sometimes, a choke router. A DMZ is used as an additional buffer to further separate the public network from your internal private network.

Screened subnet firewall (DMZ)

The most common method for implementing a firewall is the screened subnet (DMZ), because it creates a fairly secure space, or subnetwork, between the Internet and your network. A benefit of this method is that an attacker wanting to reach your internal network must subvert three separate devices without being detected.

Masquerading

In relation to packet-filtering firewalls, masquerading is the process of altering the IP header, e.g., altering the IP header so a packet appears to originate from the firewall rather than from the original host.

proxy replaces the

network IP address with a single IP address. Multiple systems can use this single IP address.

Triple-homed bastion host

often separates the Internet, the internal network and the demilitarized zone (DMZ). creates a fairly secure space, or subnetwork, to locate servers that are accessed from the Internet, including modem pools, FTP and Web servers.

Circuit-level proxy

Operates at the transport layer of the OSI/RM and monitors the source and destination of TCP and UDP packets.

Disadvantage: Single-homed bastion host

The screening router can be reconfigured to pass information directly to the internal network, completely bypassing the bastion host.

ipchains output

used to control packets leaving the interface

The private (RFC 1918) internal network address ranges are as follows:

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

Caching

A proxy server can save information obtained from the Internet (for example, Web pages). This cache contains copies of information found on the Internet.

Creating Packet Filter Rules

Because a packet filter is a device that inspects each packet for pre-defined content, you must define rules that tell the packet filter what to block or allow. Although it does not provide foolproof protection, it is almost always the first line of defense.

Type of Service (ToS)

Bits that can help prioritize certain types of traffic. Routers can mark IP packets with certain ToS bits. For example, you can set ToS bits for all HTTP traffic so that it is processed before any other traffic type. The ToS byte has since been redefined as the DSCP and ECN fields (RFC 2474 and RFC 3168), but the idea of marking packets for differentiated handling is the same.

Three ways exist to provide true NAT:

1. Configure masquerading on a packet-filtering firewall, such as a Linux system.
2. Configure a circuit-level gateway.
3. Use a proxy server to conduct requests on behalf of internal hosts.

Firewall Configuration Defaults

Deny all traffic, in which case you specify certain types of traffic to allow in and out of your network.
Allow all traffic, in which case you specify certain types of traffic to deny.
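Here is an added example, not from the course, that ties together the rule-creation, default-policy and private-address-range material above. Rules are evaluated in order and the first match decides; a packet that matches nothing gets the default policy. The same four-rule set is run under a deny-all and an allow-all default to show how much the default matters: under allow-all, every port you forgot to mention is open. The first rule is an anti-spoofing check (a packet arriving on the external interface with an RFC 1918 source address cannot be legitimate). The interface names, the DMZ web server address and the sample packets are assumptions constructed for the demonstration.

```python
"""Minimal stateless packet filter (added example; rules and addresses are assumed)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = ip_network("0.0.0.0/0")
DMZ_WEB = ip_network("203.0.113.10/32")  # assumed public web server address


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet arrived on: "ext" or "int"
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                   # "ACCEPT" or "DENY"
    iface: Optional[str] = None   # None matches any interface
    proto: Optional[str] = None   # None matches any protocol
    src: object = ANY             # an ip_network or a list of them
    dst: object = ANY
    dport: Optional[int] = None   # None matches any port

    def matches(self, pkt: Packet) -> bool:
        srcs = self.src if isinstance(self.src, list) else [self.src]
        return (
            (self.iface is None or self.iface == pkt.iface)
            and (self.proto is None or self.proto == pkt.proto)
            and any(ip_address(pkt.src) in net for net in srcs)
            and ip_address(pkt.dst) in self.dst
            and (self.dport is None or self.dport == pkt.dport)
        )


RULES = [
    Rule("DENY", iface="ext", src=PRIVATE_NETS),                     # anti-spoofing
    Rule("ACCEPT", iface="ext", proto="tcp", dst=DMZ_WEB, dport=80),  # public web
    Rule("ACCEPT", iface="ext", proto="tcp", dst=DMZ_WEB, dport=443),
    Rule("ACCEPT", iface="int"),                                      # trust the inside
]


def decide(pkt: Packet, rules=RULES, default="DENY") -> str:
    """First matching rule wins; otherwise the default policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


SAMPLE = {  # constructed packets
    "web":     Packet("ext", "tcp", "198.51.100.7", "203.0.113.10", 80),
    "ssh":     Packet("ext", "tcp", "198.51.100.7", "203.0.113.10", 22),
    "spoofed": Packet("ext", "tcp", "192.168.1.5", "203.0.113.10", 80),
    "out":     Packet("int", "udp", "192.168.1.5", "198.51.100.7", 53),
}


def evaluate(default="DENY"):
    """Run every sample packet through the rule set under the given default."""
    return {name: decide(pkt, default=default) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    print("deny-all default: ", evaluate("DENY"))
    print("allow-all default:", evaluate("ACCEPT"))
```

The inbound SSH attempt is the packet to watch: no rule mentions port 22, so it is dropped under deny-all and admitted under allow-all.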

Hiding network resources

Hackers will see only one IP address instead of all exposed systems.

a firewall works both ways:

It controls access to traffic entering and leaving the network.

Firewall Design Principles

Keep the design simple; make contingency plans.

Many systems administrators place.....

Web and DNS servers in a DMZ because it is more convenient. The benefit of this practice is that the screening router provides some protection.

DMZ

a mini-network that resides between a company's internal network and the external network like the internet.

Proxy servers are very important to firewall applications because.....

a proxy replaces the network IP address with a single IP address.
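The next block is an added example, not code from the course, that walks through the masquerading and NAT cards above (the MASQUERADE target, "three ways to provide true NAT", hiding network resources, and the proxy replacing internal addresses with a single address). Outbound packets from private hosts get their source address replaced by the firewall's one public address and their source port replaced by a port the firewall allocates; the mapping is stored so replies can be rewritten back to the right internal host. Anything arriving for a public port with no mapping, or from a host other than the one the mapping was created for, is dropped, which is why an outsider sees only the single address. The public and private addresses and the port range are assumptions for the demonstration.

```python
"""Toy masquerading (source NAT) table (added example; addresses are assumed)."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Masquerader:
    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port   # next free port on the public side
        self.out_map = {}  # (int_ip, int_port, ext_ip, ext_port) -> public port
        self.in_map = {}   # public port -> (int_ip, int_port, ext_ip, ext_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an internal host's packet so it appears to come from the firewall."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.out_map.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = key
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite a reply back to the internal host, or return None to drop it."""
        key = self.in_map.get(pkt.dport)
        if key is None or (pkt.src, pkt.sport) != (key[2], key[3]):
            return None  # no mapping, or the reply comes from the wrong peer
        return replace(pkt, dst=key[0], dport=key[1])


def run_demo():
    """Constructed traffic: two inside hosts using the same source port, then replies."""
    nat = Masquerader("203.0.113.1")
    a = nat.outbound(Packet("192.168.1.10", 5000, "198.51.100.7", 80))
    b = nat.outbound(Packet("192.168.1.11", 5000, "198.51.100.7", 80))
    reply_a = nat.inbound(Packet("198.51.100.7", 80, "203.0.113.1", a.sport))
    reply_b = nat.inbound(Packet("198.51.100.7", 80, "203.0.113.1", b.sport))
    stray = nat.inbound(Packet("198.51.100.7", 80, "203.0.113.1", 9999))   # unmapped port
    forged = nat.inbound(Packet("192.0.2.9", 80, "203.0.113.1", a.sport))  # wrong peer
    return a, b, reply_a, reply_b, stray, forged


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

Both internal hosts leave the firewall with the same source address and different public ports, and each reply is steered back to the host that opened the connection; the unmapped and forged inbound packets are dropped.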

mangle

The table that alters packets. It has PREROUTING (alters packets that have entered the system) and OUTPUT (alters packets that have been generated by the local operating system) chains; since kernel 2.4.18 it also has INPUT, FORWARD and POSTROUTING chains.

screening router

another term for a packet-filtering router that has at least one interface exposed to a public network, such as the Internet. A screening router is different from a bastion host in that it does not use additional services to thoroughly screen packets. A screening router is configured to examine inbound and outbound packets based upon filter rules.

Packet filter

Devices that process network traffic on a packet-by-packet basis.

Internal bastion hosts

can be any of the three common bastion host types. They are standard single-homed or multi-homed bastion hosts, but reside inside your company's internal network.

iptables

The command that manipulates Netfilter, the packet-filtering framework inside the Linux kernel.

Screening routers

considered an excellent first line of defense You learned earlier that screening routers can be configured to reject all inbound and outbound traffic based upon IP address and TCP and UDP ports.

filter

Contains the INPUT, OUTPUT and FORWARD chains. It is the default table: iptables -L lists its chains unless you name another table with -t.

Web security gateway categorizes actual

content on Web sites, not just the sites themselves, which allows users to access Web sites while blocking portions of sites that are inappropriate or may pose a security risk. They can immediately protect users from malicious Web content.

Security administrators use choke points to limit

external access to their networks. Using a firewall strategy creates choke points, because all traffic must flow through the firewalls.

The primary disadvantage of a circuit-level gateway, however,

is that it requires modified applications. To work with a circuit-level gateway firewall, an application must be specifically written to provide all connection information to the SOCKS server

Network Address Translation (NAT)

is the practice of hiding internal IP addresses from the external network.

choke routers

the internal router (i.e., the router that presents an interface to the internal network) is often called a choke router. defines the point at which a public network can access your internal network. It also defines the point at which your internal network users can access the public network.

Trusted

the network and/or host that is allowed access to the system

Packet filters operate only at..

the network layer of the OSI/RM (reading the IP header and, for port matching, the TCP or UDP header), so they allow or block traffic by IP address and port; they do not inspect application data.

Trusting

the proxy server that allows traffic from the internal network interface to enter the proxy server's system

Packet filter drawbacks

They cannot discriminate between good and bad packets: a filter cannot tell whether a routed packet contains good or malicious data, and is susceptible to embedded code within a standard packet.
Rule sets are large: you usually have to create more than 100 rules to limit and permit network access, and creating all these rules is time-consuming.
Susceptibility to spoofing.

advantage of using dual-homed bastion hosts

they create a complete break

