Saturday, October 6, 2018

Firewalls

Security Policy
service
groups
service access allowed/restricted by group

2 types of firewalls

filtering - block selected packets at network layer by type, address, port
no password control - by ip so limited

proxy -
   application proxies
   SOCKS proxies - like a switch board

Firewall Architecture

There are lots of ways to structure your network to protect your systems using a firewall.
If you have a dedicated connections to the Internet through a router, you could plug the router directly into your firewall system. Or, you could go through a hub to provide for full access servers outside your firewall.

Dial-up Architecture

You may be using a dialup service like an ISDN line. In this case you might use a third network card to provide provide a filtered DMZ. This gives you full control over your Internet services and still separates them from your regular network.

                  __________
   _/\__/\_      |          |          _______________
  |        |     | Firewall |  (LAN)  |               |
 / Internet \----|  System  |--(HUB)--| Workstation/s |
 \_  _  _  _/    |__________|         |_______________|
   \/ \/ \/           |
                    (DMZ)
                    (HUB)

Single Router Architecture

If there is a router or cable modem between you and the Internet. If you own the router you could setup some hard filter rules in the router. If this router is owned by your ISP so you may not the have the needed controls. You can ask your ISP to put in filters.

                  _________           __________
   _/\__/\_      | Router  |         |          |          _______________
  |        |     |   or    |  (DMZ)  | Firewall |  (LAN)  |               |
 / Internet \----|Cable Mdm|--(HUB)--|  System  |--(HUB)--| Workstation/s |
 \_  _  _  _/    |_________|    |    |__________|         |_______________|
   \/ \/ \/                     |  
                            (Outside)    
                            (Server)

Firewall with Proxy Server

If you need to monitor where users of your network are going and your network is small, you can intergrate a proxy server into your firewall. ISP's some times do this to create interest list of their users to resell to marketing agencies.

                   __________
    _/\__/\_      | Proxy /  |          _______________
   |        |     | Firewall |  (LAN)  |               |
  / Internet \----|  System  |--(HUB)--| Workstation/s |
  \_  _  _  _/    |__________|         |_______________|
    \/ \/ \/
You can put the proxy server on your LAN as will. In this case the firewall should have rules to only allow the proxy server to connect to the Internet for the services it is providing. This way the users can get to the Internet only through the proxy.

                  __________
   _/\__/\_      |          |          _______________
  |        |     | Firewall |  (LAN)  |               |
 / Internet \----|  System  |--(HUB)--| Workstation/s |
 \_  _  _  _/    |__________|    |    |_______________|
   \/ \/ \/                      |     ______________
                                 |    |              |
                                 +----| Proxy Server |
                                      |______________|

Redundent Internet Configuration

If you are going to run a service like YAHOO or maybe SlashDot you may want to make your system by using redundant routers and firewalls. (Check out the High Availability HowTo.)
By using a round-robin DNS techniques to provide access to multipule web servers from one URL and multiple ISP's, routers and firewalls using High Avaibility technics you can create a 100% uptime service.

   _/\__/\_                                     _/\__/\_  
  |        |                                   |        | 
 /  ISP #1  \______                 (WAN)_____/ Partners \
 \_  _  _  _/      |                (HUB)     \_  _  _  _/
   \/ \/ \/        |               ___|____     \/ \/ \/  
                 __|___           |_______ |
   _/\__/\_     |_____ |         |Firewall||          ______
  |        |   |      ||  (DMZ)  | System ||  (LAN)  |      |
 /  ISP #2  \--|Router||--(HUB)--|  (VPN) ||--(HUB)--| WS/s |
 \_  _  _  _/  |______|     |    |________|     |    |______|
   \/ \/ \/                 |         |         |     ______
          |             (Outside)  (Shared)     |    |      |
  ------  |             (Server)   (Server)     +----|Proxy |
 | WS/s | |                                          |______|
 | VPN  |-+
 |______|
It is easy to let your network get out of hand. Keep control of every connection. It only takes a user with a modem to compromise your LAN.

roll your own
After making all the setting you need you should recompile, reinstall the kernel and reboot.
I use the command:
make dep;make clean;make bzlilo;make modules;make modules_install;init 6 to accomplish all of this in one step.

secure the firewall
Look in your /etc/inetd.conf file. This file configures inetd also known as the "super server". It controls a bunch of the server daemons and starts them as they are requested by a packet arriving at a "well known" port.
You should turn off echo, discard, daytime, chargen, ftp, gopher, shell, login, exec, talk, ntalk, pop-2, pop-3, netstat, systat, tftp, bootp, finger, cfinger, time, swat and linuxconfig if you have one.
To turn a service off, put # as the first character of the service line. When your done, send a SIG-HUP to the process by typing "kill -HUP <pid>", where <pid> is the process number of inetd. This will make inetd re-read its configuration file (inetd.conf) and restart without taking your system down.

Test this by telneting to port 15 (netstat) on firewall. If you get any output you have not turned these services off.
telnet localhost 19
You can also create the file /etc/nologin. Put a few line of text in it like (BUZZ OFF). When this file exists, login will not allow user to logon. They will see the contents of this file and their logins refused. Only root can logon.
You can also edit the file /etc/securetty. If the user is root, then the login must be occurring on a tty listed in /etc/securetty. Failures will be logged with the syslog facility. With both of these controls in place the only way to logon to the firewall will be as root from the console.
NEVER EVER TELNET to a system and log IN AS ROOT. If you need remote root access SSH (Secure Shell). You might even turn off telnet.
If you are really paranoid you need to be using lids (Linux Intrusion Detect System). It is an intrusion detection system patch for the Linux kernel; it can protect important files from being changed. When it's in effect, no one (including root) can change the protected files or directories and their sub-directories. You have to reboot the system with a security=1 LILO setting to modify secure files. (I'd also boot into single user mode.)

IP filtering setup (IPCHAINS)

Linux ipchains is a rewrite of the Linux IPv4 firewalling code and a rewrite of ipfwadm, which was a rewrite of BSD's ipfw, I believe. It is required to administer the IP packet filters in Linux kernel versions 2.1.102 and above.
The older code doesn't deal with fragments, has 32-bit counters (on Intel at least), doesn't allow specification of protocols other than TCP, UDP or ICMP, can't make large changes atomically, can't specify inverse rules, has some quirks, and can be tough to manage (making it prone to user error). Or so the author says.
I'm not going to get real deep into how to control an IPChains firewall because there is a GREAT!! HOWTO on it athttp://www.adelaide.net.au/~rustcorp/ipfwchains/ipfwchains.html. I'd just end up duplicating it here. Here are the basics.
You work with chains by name. You start with three built-in chains input, output and forward which you can't delete. You can create chains of your own. Rules can then be added and deleted from these rule sets.

webmin



Posted by at No comments:
Subscribe to: Posts (Atom)