LAB8: Firewalls
Sven Relovský
11.04.2018

Setup
1. Start VirtualBox, download files from O:\PA197\LAB8
2. Import fw-pa197.ova
3. Load the virtual machines

Nmap - Network Mapper
► Free, open source utility for network discovery and security auditing
► Scanning of the network
  ► What hosts are available
  ► What services are they offering
  ► What operating systems
  ► And more
► Useful for scanning single hosts, and even very large networks (100k+)
► Large support from developers and community
► Well documented

Part 1: Windows Firewall
► Introduced in 2001 for Windows XP Service Pack 2
► Not capable of controlling outgoing connections
► Vista introduces multiple improvements
  ► Outbound packet filtering
  ► More advanced packet-filtering rules - destination IP, port range
  ► IPsec integration - connections allowed or denied based on security certificate
► Windows 7 uses the same firewall as Vista
  ► Minor improvements such as multiple active profiles

Windows Firewall
[Screenshot: Windows Firewall with Advanced Security on Local Computer - Overview. Domain, Private and Public profiles (Public profile is active): Windows Firewall is on; inbound connections that do not match a rule are blocked; outbound connections that do not match a rule are allowed.]
[Screenshot, continued: Getting Started. Connection Security Rules (authenticate communications between computers with IPsec); Inbound Rules and Outbound Rules (allow or block connections to specified programs or ports, optionally only if authenticated or from an authorized user, group or computer). By default, inbound connections are blocked unless they match a rule that allows them, and outbound connections are allowed unless they match a rule that blocks them.]

Windows Firewall
[Screenshot: Inbound Rules list, with the New Rule... action and filters by profile, state and group.]

Windows Firewall
[Screenshot: New Inbound Rule Wizard - Rule Type. Steps: Rule Type, Protocol and Ports, Action, Profile, Name. Options: Program (rule that controls connections for a program), Port (rule that controls connections for a TCP or UDP port), Predefined, Custom. Port is selected.]

Windows Firewall
[Screenshot: New Inbound Rule Wizard - Protocol and Ports. TCP is selected; specific local ports: 80,443.]

Windows Firewall
[Screenshot: New Inbound Rule Wizard - Action. Options: Allow the connection (including connections protected with IPsec as well as those that are not); Allow the connection if it is secure (only connections authenticated by IPsec, secured using the settings in IPsec properties and the rules in the Connection Security Rules node); Block the connection. Allow the connection is selected.]

Windows Firewall
[Screenshot: New Inbound Rule Wizard - Profile. Domain (applies when a computer is connected to its corporate domain), Private (applies when connected to a private network location, such as a home or workplace), Public (applies when connected to a public network location).]

Windows Firewall
[Screenshot: New Inbound Rule Wizard - Name. Name: my_little_HTTP(S)_rule. Description: "Dear Microsoft Windows, I would like to allow these ports for service that is not even running. Yours, Sven."]

Windows Firewall
[Screenshot: Inbound Rules list showing the new rule. Name: my_little_HTTP(S)_rule; Profile: All; Enabled: Yes; Action: Allow; Override: No; Program: Any; Local Address: Any; Remote Address: Any; Protocol: TCP; Local Port: 80,443.]

Part 2: Linux IPtables
► Packet filtering, connection tracking, logging, NAT
► The administrator uses tables to define chains of rules for the treatment of packets
► Packets are assigned to a chain based on their origin
► Built-in chains: INPUT (incoming packets), OUTPUT, FORWARD
► Packet filtering process
  1. The matching chain is selected
  2. Each rule in the chain is examined for a match
  3. If a match is found, the defined action of the rule is performed
  4. If no match is found, the default chain policy is applied

Part 2: Linux IPtables
[Diagram: chain1 containing rule1; chain2 containing rule2, rule3, rule4, rule5.]

Part 2: Linux IPtables
► Listing rules
    iptables -L
► Appending rules
    iptables -A INPUT -p tcp --dport 23 -j ACCEPT
► Inserting rules
  ► Block all communication
    iptables -A INPUT -j DROP
  ► Insert a rule above the previous one
    iptables -I INPUT 1 -i lo -j ACCEPT
► Replace a rule
    iptables -R INPUT 3 -j ACCEPT
► Flush rules - clear IPtables
    iptables -F

Part 2: Linux IPtables
Task - scenario
A company has a simple server running a few services. You, as the network administrator, were asked to secure the connection. You know that such a server should not communicate on its own. You have heard about using iptables as a stateless firewall and it sounds like a good fit for the job.

Part 2: Linux IPtables
Task
Set up IPtables with the following conditions (http://linux.die.net/man/8/iptables)
1. Create stateless rules on the orange server (src/dst address/port for INPUT and OUTPUT)
2. Reject all packets other than those listed here
3. Accept SSH (Secure Shell) connections from the sources 10.0.0.0/24 and 192.168.1.0/24
4. Accept TCP communication through HTTP for all sources
5. Accept ICMP for any source and any destination
6. Accept FTP communication
► Note: Which rules are applied first?
7. Test
    nmap -sS 10.0.10.10
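
The filtering process and the task above, as an added example that is not part of the lab slides: a Python model of first-match chain evaluation loaded with a stateless INPUT ruleset built from the task's conditions. The rule list, the probe packets and their addresses are constructed from the task text (the FTP rule covers only the control port 21), and the last definition answers the note's ordering question.

```python
import ipaddress

# Each rule is (protocol, source network, destination port, target); None means "any".
# Listed in the order the matching `iptables -A INPUT ...` commands would append them.
STATELESS_INPUT = [
    ("tcp", "10.0.0.0/24",    22,   "ACCEPT"),  # -A INPUT -p tcp -s 10.0.0.0/24 --dport 22 -j ACCEPT
    ("tcp", "192.168.1.0/24", 22,   "ACCEPT"),  # -A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT
    ("tcp", None,             80,   "ACCEPT"),  # -A INPUT -p tcp --dport 80 -j ACCEPT
    ("icmp", None,            None, "ACCEPT"),  # -A INPUT -p icmp -j ACCEPT
    ("tcp", None,             21,   "ACCEPT"),  # -A INPUT -p tcp --dport 21 -j ACCEPT (FTP control channel)
    (None, None,              None, "REJECT"),  # -A INPUT -j REJECT (everything not listed above)
]

def matches(rule, pkt):
    """Does this packet satisfy every match condition of the rule?"""
    proto, src_net, dport, _target = rule
    if proto is not None and pkt["proto"] != proto:
        return False
    if src_net is not None and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(src_net):
        return False
    if dport is not None and pkt.get("dport") != dport:
        return False
    return True

def filter_packet(chain, pkt, policy="ACCEPT"):
    """Steps 2-4 of the filtering process: the first matching rule wins, else the chain policy applies."""
    for rule in chain:
        if matches(rule, pkt):
            return rule[3]
    return policy

# Constructed probe packets aimed at the orange server.
PROBES = {
    "ssh from trusted subnet": {"proto": "tcp", "src": "10.0.0.5", "dport": 22},
    "ssh from elsewhere":      {"proto": "tcp", "src": "172.16.3.7", "dport": 22},
    "http from the internet":  {"proto": "tcp", "src": "203.0.113.9", "dport": 80},
    "ping":                    {"proto": "icmp", "src": "203.0.113.9"},
    "telnet":                  {"proto": "tcp", "src": "10.0.0.5", "dport": 23},
}

def run_probes(chain):
    return {name: filter_packet(chain, pkt) for name, pkt in PROBES.items()}

# The note's question: appending `iptables -A INPUT -j DROP` before the ACCEPT rules (the
# "block all communication" command on the commands slide) shadows every rule after it, which
# is why that slide then uses `-I INPUT 1` to put the loopback ACCEPT above the DROP.
SHADOWED = [(None, None, None, "DROP")] + STATELESS_INPUT
```

A stateless OUTPUT chain needs the mirror-image rules (matching source ports 22, 80 and 21, plus ICMP), because without connection tracking there is no ESTABLISHED state that would let the server's replies out.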

Part 2: Linux IPtables - stateful firewall rules
5. Accept established connections, and connections related to already allowed connections
    iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
6. Reject invalid packets
    iptables -A INPUT -m conntrack --ctstate INVALID -j REJECT
7. Protect the firewall against SSH brute-force attacks by limiting incoming SSH requests to 4 per minute
  7.1 Record the source of every new incoming SSH connection in a "recent" list
    iptables -I INPUT 3 -p tcp --dport 22 -m state --state NEW -m recent --set
  7.2 Limit incoming SSH connections to 4 per minute (any more will be rejected)
    iptables -I INPUT 4 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j REJECT

Part 3: Setup firewall using ipFire
Set up ipFire with the following conditions
1. Reject all packets other than those listed here
2. Accept SSH (Secure Shell) connections from the sources 10.0.0.0/24 and 192.168.1.0/24
3. Accept TCP communication through HTTP for all
4. Accept ICMP
5. Accept FTP communication with the server
► Note: We are using a stateful firewall now
6. Test
    nmap -sS 10.0.10.10
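
The stateful rules on the "stateful firewall rules" slide above, as an added example that is not part of the lab slides: a Python model of conntrack's RELATED,ESTABLISHED check and of the recent-module SSH limit (rules 7.1 and 7.2), run against constructed packets. The conntrack entries, the packets and the ACCEPT rules for new connections (assumed to mirror the stateless task, since they are not on the slide) are constructed assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass, field

WINDOW, HITCOUNT = 60, 5   # -m recent --seconds 60 --hitcount 5: the fifth SSH SYN in the window is rejected
SSH_SOURCES = ("10.0.0.", "192.168.1.")   # the task's two /24 SSH source networks (string prefix stands in for a /24 match)

# proto is "tcp" or "icmp"; syn=True models flags='S' with no ACK, i.e. a NEW connection attempt
Pkt = namedtuple("Pkt", "src dst proto sport dport syn", defaults=(0, 0, False))

@dataclass
class StatefulFirewall:
    conntrack: set = field(default_factory=set)   # tracked flows as (proto, src, sport, dst, dport)
    recent: dict = field(default_factory=dict)    # xt_recent list: source address -> hit timestamps

    def input_chain(self, p: Pkt, now: int) -> str:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        # 5. -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT: either direction of a tracked flow
        if fwd in self.conntrack or rev in self.conntrack:
            return "ACCEPT"
        # 6. -m conntrack --ctstate INVALID -j REJECT, approximated as: TCP without SYN that no tracked flow explains
        if p.proto == "tcp" and not p.syn:
            return "REJECT"
        if p.proto == "tcp" and p.dport == 22:
            # 7.1 -m recent --set: every NEW SSH SYN is recorded, including those rejected just below
            hits = self.recent.setdefault(p.src, [])
            hits.append(now)
            # 7.2 --update --seconds 60 --hitcount 5 -j REJECT (simplified to one stamp per SYN)
            if sum(1 for t in hits if t >= now - WINDOW) >= HITCOUNT:
                return "REJECT"
        # Assumed ACCEPT rules for NEW connections, mirroring the stateless task (not on the slide)
        if (p.proto == "tcp" and p.dport == 22 and p.src.startswith(SSH_SOURCES)) \
                or (p.proto == "tcp" and p.dport in (80, 21)) or p.proto == "icmp":
            self.conntrack.add(fwd)   # conntrack follows the flow from now on
            return "ACCEPT"
        return "REJECT"   # nothing matched: a source port of 21 earns no trust on its own

def ssh_attempts(times):
    """Decisions for one client opening a NEW SSH connection at each of the given seconds."""
    fw = StatefulFirewall()
    return [fw.input_chain(Pkt("10.0.0.5", "10.0.10.10", "tcp", 40000 + i, 22, True), t)
            for i, t in enumerate(times)]

def spoofed_sport_21():
    """A reply inside a tracked HTTP flow versus a SYN that merely claims source port 21 (constructed)."""
    fw = StatefulFirewall(conntrack={("tcp", "192.168.1.2", 52000, "10.0.10.10", 80)})
    reply = Pkt("10.0.10.10", "192.168.1.2", "tcp", 80, 52000)
    probe = Pkt("10.0.10.10", "192.168.1.2", "tcp", 21, 10000, True)
    return fw.input_chain(reply, 0), fw.input_chain(probe, 0)
```

Because rule 7.1 records a hit before rule 7.2 checks the count, rejected attempts keep the counter topped up: a client that burned its four attempts is still rejected at second 61 and only gets through once the old hits age out of the 60-second window.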

Part 3: Setup firewall using ipFire - scapy
    # scapy
    >>> send(IP(dst="192.168.1.2", src="10.0.10.10")/TCP(sport=21, dport=10000, flags='S'))

Part 3: Proxy firewalls - Zorp GPL
Proxy Firewalls
► Network security systems that filter communication at the application layer
► Also known as application firewalls or gateway firewalls
► Similarly to a proxy server, application firewalls act as an intermediary between the server and the host
► Also monitor layer 7 (application layer) protocols
► Stateful inspection and deep packet inspection to protect from incoming attacks
Negatives:
► Additional processing overhead can cause a bottleneck in the network
► Support for only certain protocols limits which applications can be used within the network

Part 3: Proxy firewalls - Zorp GPL
Zorp GPL
► Open source proxy firewall
► Access control
  ► Based on zones instead of hosts or IP ranges
► Information leakage prevention
  ► Change or remove information from packets, such as internal IP addresses
► Content filtering
  ► Used in conjunction with external applications (virus scanner, spam filter, ...)
► Zones - sets of IP subnetworks
  ► Administrative hierarchy independent of the physical network
  ► Can be linked into a tree hierarchy

Part 3: Proxy firewalls - Zorp GPL
► Accepts rules based on the best match
  1. Evaluation order
  2. Condition scope
► Services - determine how the desired action is performed
  ► PFService - packet filter services
  ► Service - application level services
  ► DenyService - reject connections, handle exceptions

Homework
Reading assignment (until exam)

References
Nmap
► https://nmap.org/
IPtables
► https://help.ubuntu.com/community/IptablesHowTo
► https://wiki.archlinux.org/index.php/iptables
Zorp GPL
► https://www.balabit.com/network-security/zorp-gpl
► http://zorp-gpl-tutorial.readthedocs.org/en/latest/index.html
► https://github.com/balabit/zorp