path: root/2002/firewalling-knf-2002/firewall.mgp
Diffstat (limited to '2002/firewalling-knf-2002/firewall.mgp')
-rw-r--r--  2002/firewalling-knf-2002/firewall.mgp  312
1 files changed, 312 insertions, 0 deletions
diff --git a/2002/firewalling-knf-2002/firewall.mgp b/2002/firewalling-knf-2002/firewall.mgp
new file mode 100644
index 0000000..d277a35
--- /dev/null
+++ b/2002/firewalling-knf-2002/firewall.mgp
@@ -0,0 +1,312 @@
+%include "default.mgp"
+%default 1 bgrad
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+%nodefault
+%back "blue"
+
+%center
+%size 7
+
+
+TCP/IP Firewalling Basics
+
+%center
+%size 4
+by
+
+Harald Welte <laforge@sunbeam.franken.de>
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalling Basics
+Contents
+
+ Introduction
+
+ Networking Basics
+
+ Potential Security Problems
+
+ Solution 1: Packet Filters
+
+ Solution 2: Proxies
+
+ Comparison
+
+ Summary
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalling Basics
+Introduction
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalling Basics
+Networking Basics
+
+ 7 layer OSI model used to abstract networking protocols
+ layer 7: application layer: e.g. telnet/ftp
+ layer 6: presentation layer:
+ layer 5: session layer:
+ layer 4: transport layer: e.g. TCP/UDP
+ layer 3: network layer: e.g. IP
+ layer 2: data link layer: e.g. Ethernet
+ layer 1: physical layer: e.g. Wire
+ Layer 1 + 2 embedded in hardware
+ Layer 3 + 4 implemented in operating system
+ Layer 5+ embedded in application program
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalling Basics
+Networking Basics
+
+ Layer 2: Ethernet
+ enables two hosts within same pysical net to exchange packets
+ unreliable
+ adressing granularity: host
+ fixed hardware adresses (MAC adress, 48bit)
+
+ Layer 3: Internet Protocol (IP)
+ enables two hosts in diferent physical networks to exchange packets
+ unreliable, best effort
+ packet reordering
+ packet loss
+ adressing granularity: host
+ logical adresses (IP Adress, 32bit)
+ checksum protects only IP header
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalling Basics
+Networking Basics
+
+ Layer 4: User Datagram Protocol (UDP)
+ unreliable, best effort
+ adressing granularity: ports (16bit = 65535)
+ optional payload checksum
+
+ Layer 4: Transmission Control Protocol (TCP)
+ provides connection abstraction
+ reliable
+ ordering guarantee
+ retransmissions correct packet loss
+ flow control
+ payload checksum protects payload from data corruption
+
+ Layer 4: Internet Control Message Protocol (ICMP)
+ used internally by TCP/IP protocol suite
+ error messages (e.g. host unreachable)
+ diagnostics (e.g. ping/pong)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalling Basics
+Potential Security Problems
+
+ Security issues arise at interconnection of two networks
+ Traditional Case: IP Router connecting an organization internal network to the Internet
+
+ What Security Problem?
+ organization-internal services exposed to outside network
+ spoofed (forged) packets to circumvent 'security by address'
+ even if all internal services secured by authentication, difficult to guarantee security on all internal hosts
+
+ Why Firewalling?
+ to restrict which internal services are exposed to the outside
+ to restrict which outside services are used by internal users
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalling Basics
+Solution 1: Packet Filters
+
+ Filter individual packets at network interconnection (Router)
+
+ Filter criteria traditionally include
+ IP source + destination address
+ TCP/UDP source + destination port
+ TCP header flags
+
+ Filtering rules determine if
+ packet is allowed to transit interconnection
+ packet is silently dropped
+ packet is dropped and error message returned to sender
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalling Basics
+Solution 1: Packet Filters
+
+ Capabilities
+ disallow communication between certain IP adresses
+ disallow communication between certain port numbers
+ disallow malicious packets, like packets
+ using source routing IP option
+ impossible combination of features, like tcp xmas scan
+ generate log of malicious and/or filtered packets
+
+ Limitations
+ scope limited to individual packets
+ no ability to look inside packet payload (HTTP 1.1 virtual hosts)
+ no abstraction of connection, filtering rules needed for both directions
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalling Basics
+Solution 1: Packet Filters
+
+ Extensions
+ stateful packet filters (connection tracking)
+ filtering only needed for connection-initiating packets
+ all other packets within connection are accepted as part of an already established connection
+
+ TCP window tracking
+ allow filtering not only on source/dest port but also on TCP sequence number
+
+ NAT (Network Address Translation)
+ manipulation of source / destination address
+ redirect packets to other hosts
+ 'share' one ip address at dialup accounts (masquerading)
+ connect two networks with overlapping addresss ranges
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalling Basics
+Solution 2: Proxies
+
+ A proxy operates at layer 5 and above
+
+ Mode of operation
+ client connects to proxy instead of server
+ proxy initiates a second, seperate connection to server
+
+ Proxies are just normal programs implementing a server and a client for a particular application protocol (e.g. HTTP) using operating system mechanisms (like sockets API, winsock, ...)
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalling Basics
+Solution 2: Proxies
+
+ Capabilities
+ disallow communication between certain IP adresses
+ disallow communication between certain ports
+ disallow communication based on packet payload
+ e.g. pathnames / filenames within HTTP and FTP
+ e.g. email-adresses within SMTP
+ e.g. hostnames within DNS (www.netzzensur.de)
+ e.g. badwords ('sex' and 'teen' within same file)
+ manipulation of packet payload
+ everything possible...
+
+ Limitations
+ somebody needs to tell client app to connect to proxy instead of server
+ seperate proxies for all used protocols needed
+ not possible to filter on packet options, etc.
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalling Basics
+Solution 2: Proxies
+
+ Extensions
+ Transparent Proxies
+ accept connections from client independent of dest IP
+ make reply packets to the client look like as sent by server
+ possibly to implement same transparancy towards server
+ no need to tell clients about proxies anymore!
+
+ SOCKS
+ application protocol indepentent proxy
+ one proxy for all application protocols
+ uses seperate protocol between client and proxy
+ needs explicit support from client application
+ integrated username/password authentication
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalling Basics
+Comparison
+
+ Packet Filter
+ pro
+ total control on lowest per-packet level
+ very high performance
+ possible to implement failover / load balancing
+ NAT as extension solves adress space problem
+ contra
+ configuration requires sophisticated knowledge
+ problems when no state / window tracking used
+ support for complex protocols (H.323, SIP) difficult to implement
+ Proxy
+ pro
+ no knowledge about layer3/4 protocol needed
+ configuration very easy
+ address space automatically seperated
+ integrates easily with other applications like IDS
+ easy implementation, just normal application programs
+ contra
+ seperate proxies needed for almost every protocol
+ bad performance
+ uses lots of ressources (e.g. sockets) on gatway
+ horribly breaks end-to-end
+ needs explicit configuration of client apps if not transparent proxy
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalling Basics
+Comparison
+
+ Transparent Proxy
+ uses ideas/methods of packet filtering (NAT) to achieve protocol transparence
+ horrible violation of layering
+
+ Stateful Packet Filter
+ uese ideas of proxies (tracking of higher layer state) to achieve better security and easieer configuration
+ horrible violation of layering
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalling Basics
+Conclusion
+
+ Conclusion
+ proxies work for small installations where number of used protocols is small and administrative staff not very experienced
+ packet filters without state tracking are difficult to configure correctly
+ packet filters with state tracking are good solution for most usage scenarios: powerful but yet easy to configure correctly
+ for highest security, best of both worlds can be combined
+ imagine a stateful bridging packet filter in front of a proxy :)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalling Basics
+Thanks
+
+ Thanks to
+ the BBS people, Z-Netz, FIDO, ...
+ for heavily increasing my computer usage in 1992
+
+ KNF
+ for bringing me in touch with the internet as early as 1995
+ for providing a playground for technical people
+ for telling me about the existance of Linux!
+
+ Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
+ for implementing (one of?) the world's best TCP/IP stacks
+
+ Paul 'Rusty' Russell
+ for starting the netfilter/iptables project
+ for trusting me to maintain it today
+
+ Linux User Group Nuernberg (ALIGN, LUG-N)
+ for helping me with my initial Linux problems
+
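Review bot: the UDP slide states `adressing granularity: ports (16bit = 65535)`, but a 16-bit port field has 65536 possible values (0 to 65535), so the figure should be 65536 or written as the range 0-65535. On the same slide ICMP is headed `Layer 4: Internet Control Message Protocol (ICMP)`; ICMP is specified as an integral part of IP (RFC 792) and is conventionally placed at layer 3 next to IP, which matters for the layering argument made later on the Comparison slides, so suggest `Layer 3: Internet Control Message Protocol (ICMP)` or a note that it is carried directly in IP. The `Introduction` page (`%page` / `Firewalling Basics` / `Introduction`) has no body text and will render as an empty slide; either give it content or drop it from the Contents list. Finally, the file consistently spells address as `adress` (Networking Basics, Packet Filters, Proxies and Comparison slides) and also contains `pysical`, `diferent`, `seperate`, `indepentent`, `transparancy`, `uese`, `easieer`, `ressources`, `gatway`, `existance` and `addresss`; since MagicPoint shows this text verbatim on the slides, a spelling pass before committing is worthwhile.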
personal git repositories of Harald Welte. Your mileage may vary