knowplace.org

Disclaimer: Certain things that will follow are false. Hopefully, they are gross simplifications that are useful in making some concepts easier to explain. Other things that will follow may be unintentionally false (if you notice anything, please let me know).

Note that this presentation is NOT copylefted (i.e. under GPL). If you wish to do anything with this presentation (distribute, mirror, quote in publication, etc.), please contact me first.

Introduction to firewalls

What's a firewall?

Without getting into technical explanations, a firewall is simply a host whose main purpose is to protect your network. A firewall restricts certain types of network traffic from the Internet to your protected network(s) - the reverse is also often true.

What a firewall is not

  • Magic - A firewall cannot make your network absolutely secure.
  • A bastion host - In an ideal world, this would be true. However, a firewall is only as secure as the work you put into securing it.
  • A replacement for host security - Every service you allow through the firewall is a potential risk.

Types of exploits

  • Local - There is no security without physical security. If someone has physical access to your box, you've lost. Obviously, a firewall won't help you here.
  • Local privilege escalation - The trojan horse attack. The attacker already has a local account on your box (inside the gates) and obtains root by some means (vulnerability or misconfiguration). A firewall cannot protect again this type of attacks.
  • Remote - Your host is listening on a port that the attacker is able to connect to remotely over a network and exploit a vulnerability somehow. This is the only type of attack a firewall can (hopefully) protect you against. There is another important point here that most firewall howtos neglect. In order for someone to exploit your box remotely, it has to be listening on some ports (i.e. providing a way for an attacker to connect). Therefore, if your host isn't listening on any ports, you are safe from remote exploits (unless the attacker manages to attack the network stack itself).

Why do you need a firewall?

  • Increase your network security - Some services are inherently insecure and impossible to secure on individual hosts. A firewall can help you segment and contain parts of your network to increase security.
  • Network access control - A firewall can help you enforce your network security policies by selectively allowing network services (to all or selected hosts).
  • Logging - Because a firewall must examine all inbound/outbound network traffic, it can help you log network activity (that passes through the firewall).

Types of firewalls

  • Proxying firewall - Proxy servers work by making requests on behalf of your clients.
  • Packet filtering firewall - Packet filters work by examining the IP packets (Netfilter).

What is Netfilter/Iptables?

Netfilter is the framework in Linux 2.4 kernels that allow for firewalling, NAT, and packet mangling. Iptables is the userspace tools that works with the Netfilter framework (technically a lie; Iptables is also a part of the Netfilter framework in the kernel). Think of Netfilter as kernel space, and Iptables as userspace.

Why Netfilter/Iptables instead of Ipchains

  • State matching - Connection tracking (can you trust the remote host to determine whether your firewall will accept a packet?).
  • Automatic fragmentation reassembly - Connection tracking automatically reassembles fragmented packets for examination.
  • Improved matching - Advanced packet matching such as rate limit, string matching (packet data), etc.
  • Improved logging - Customized logging levels and entries, also allows user space logging.
  • Allows packet mangling - Allows for the mangling of any information inside a packet.
  • Userspace queuing - Allows userspace programs access to packets.
  • Built-in support for port forwarding - obviates IPMASQADM.
  • Progress - Inexorable fact of life.
 
Shane Tzen © 2010