Checkpoint FAQ-2
FIREWALLS
Q: What is a Firewall?
Q: What are the major types of Firewalls?
Q: What kinds of implementations are most common today?
Q: What is a DMZ?
Q: What type of product is best?
NAT
Q: What is NAT?
Q: First, What are "Private Addresses"?
Q: Define NAT, Network Address Translator
Q: What problems did NAT solve?
Q: Are there problems with NAT?
Q: How does CISCO implement NAT?
IOS
Q: Can I use my CISCO router as a Firewall?
Q: What are CISCO Access Lists?
Q: What is the command syntax?
Q: Show some example access-list rules?
Q: What about "IP Session Filtering"
Q: Show some example reflexive access-list rules?
IPCHAINS
Q: What is IP Chains?
Q: Why are they called "chains?"
Q: What Linux Kernel/OS version should I use?
Q: How does the command work?
Q: Show some example ipchains rules?
Q: Do we have time to talk about Masquerade?
Q: Where can I find more ipchains rule examples?
VPN
Q: What is a VPN?
Q: What is IPSEC?
Q: What is PPTP?
Q: How do I setup PPTP?
Q: What about SSH tunnels?
Q: Where can I obtain SSH?
Q: Are there other SSH versions?
Q: What about commercial VPN's?
GENERAL RECOMMENDATIONS
RESOURCES
IP, TCP, UDP HEADERS
1. Finish Host Security
   - A Checklist For Securing Linux, which introduces:
     - System Integrity, Checksums
     - IP Chains Blocking
     - Syslog Logging
2. VPN's, SSH and PPTP
3. Firewalls
4. NAT, Private Addresses
5. IP Chains for Linux
FIREWALLS
Q: What is a Firewall?
A firewall is a network device used to implement a security policy.
A firewall has multiple network interfaces, and is typically
used to create a secure boundary between untrusted external networks
and trusted internal networks. Rules are defined, which are entered
into the firewall, that implement the security policy. The policy
defines what type of access is allowed between the connected networks.
Q: What are the major types of Firewalls?
-- packet-filtering -- These firewalls examine
every packet independently, and allow or disallow transit
based on the interface/source/destination/port# contained
within the packet. eg. early firewalls, IPCHAINS
-- session-filtering "stateful inspection" -- These firewalls
build state (or memory) as time passes, and allow or disallow
packets based on whether a "session" or "connection" has been
pre-established.
Sessions are established by watching for the initial
packets in the TCP 3-way handshake. SYN, SYN-ACK, ACK.
Typically only sessions which are initiated from trusted
internal networks are allowed. eg. CHECKPOINT eg. SONICWALL
NOTE: TCP 3-Way Handshake (TCP RFC793):
http://www.faqs.org/rfcs/rfc793.txt
      TCP A                                                  TCP B
      CLOSED                                                 LISTEN
  1.  SYN-SENT    --> (SEQ=100)(CTL=SYN)                 --> SYN-RECEIVED
  2.  ESTABLISHED <-- (SEQ=300)(ACK=101)(CTL=SYN,ACK)    <-- SYN-RECEIVED
  3.  ESTABLISHED --> (SEQ=101)(ACK=301)(CTL=ACK)        --> ESTABLISHED
      ESTABLISHED --> (SEQ=101)(ACK=301)(CTL=ACK)(DATA)  --> ESTABLISHED
-- application proxies -- These firewalls accept connections from
applications, and may apply extra functions like additional
authentication, then redirect the connections to non-standard
ports. eg. SOCKS eg. IPCHAINS "Transparent Proxy"
-- hybrid -- These firewalls will allow a combination of the
above three primary types of firewalls. Session-based firewalls
will usually also allow rules to be set for packet-filtering as well.
Some firewall products do everything. eg. CHECKPOINT
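To make the difference between packet filtering and session filtering concrete, here is an added Python example (not part of the original FAQ) that walks the three handshake packets from the NOTE above through both kinds of filter: a stateless check that only looks at the ACK bit of each packet, and a session table that learns SYN, SYN-ACK, ACK and then only passes packets belonging to a session opened from the trusted side. The interface names, addresses and the Packet type are constructed for the example.

```python
from dataclasses import dataclass

TRUSTED_IF = "inside"      # assumed interface names for this example
UNTRUSTED_IF = "outside"


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset      # subset of {"SYN", "ACK", "FIN", "RST"}


def stateless_filter(pkt: Packet) -> bool:
    """Packet-filter view: every packet is judged on its own. Inside traffic
    passes; outside traffic passes only if the ACK bit is set (a "reply").
    The ACK bit is just a bit in the packet, so a forged packet with ACK set
    walks straight through."""
    if pkt.iface == TRUSTED_IF:
        return True
    return "ACK" in pkt.flags


class StatefulFilter:
    """Session-filter view: sessions are learned from the 3-way handshake,
    only the trusted side may open one, and later packets pass only if they
    belong to a tracked session."""

    def __init__(self):
        self.sessions = {}    # (src, sport, dst, dport) of the initiator -> state

    @staticmethod
    def _fwd(pkt):
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _rev(pkt):
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def check(self, pkt: Packet) -> bool:
        fwd, rev = self._fwd(pkt), self._rev(pkt)
        if pkt.flags == frozenset({"SYN"}):
            # 1. SYN opens a session; only the trusted side may do that
            if pkt.iface != TRUSTED_IF:
                return False
            self.sessions[fwd] = "SYN-SENT"
            return True
        if pkt.flags == frozenset({"SYN", "ACK"}):
            # 2. SYN-ACK must answer a SYN we have seen
            if self.sessions.get(rev) == "SYN-SENT":
                self.sessions[rev] = "SYN-RECEIVED"
                return True
            return False
        if "ACK" in pkt.flags:
            # 3. ACK from the initiator completes the handshake
            if self.sessions.get(fwd) == "SYN-RECEIVED":
                self.sessions[fwd] = "ESTABLISHED"
                return True
            # data in either direction of an established session
            key = fwd if fwd in self.sessions else rev
            if self.sessions.get(key) == "ESTABLISHED":
                if pkt.flags & {"FIN", "RST"}:
                    del self.sessions[key]        # session torn down
                return True
        # anything else (forged ACK, stray packet, no session) is dropped
        return False


def demo():
    """Run the handshake from the NOTE, then a forged ACK and an inbound SYN."""
    fw = StatefulFilter()
    a, b = "192.168.1.10", "203.0.113.5"        # constructed addresses
    handshake = [
        Packet(TRUSTED_IF, a, 40000, b, 80, frozenset({"SYN"})),
        Packet(UNTRUSTED_IF, b, 80, a, 40000, frozenset({"SYN", "ACK"})),
        Packet(TRUSTED_IF, a, 40000, b, 80, frozenset({"ACK"})),
        Packet(UNTRUSTED_IF, b, 80, a, 40000, frozenset({"ACK"})),   # server data
    ]
    handshake_ok = [fw.check(p) for p in handshake]
    forged = Packet(UNTRUSTED_IF, "198.51.100.9", 1234, a, 22, frozenset({"ACK"}))
    inbound_syn = Packet(UNTRUSTED_IF, "198.51.100.9", 1234, a, 22, frozenset({"SYN"}))
    return {
        "handshake": handshake_ok,
        "forged_ack_stateless": stateless_filter(forged),
        "forged_ack_stateful": fw.check(forged),
        "inbound_syn_stateful": fw.check(inbound_syn),
    }


if __name__ == "__main__":
    print(demo())
```

The forged packet is the point of the comparison: with the ACK bit set it satisfies the stateless "established" test, but it matches no session the stateful filter ever saw, so it is dropped. The same table is also what the reflexive access lists and masquerade tables later in these notes are built around.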
*** DIAGRAM #1 Router as a Firewall
Q: What kinds of implementations are most common today?
-- Firewall Appliances
-- CISCO Routers as Firewalls
-- Commercial Firewalls with Service Contracts
-- Linux Firewalls using IPCHAINS
Q: What is a DMZ?
DMZ stands for "De-Militarized Zone". It refers to a network
segment that is a "middle ground" alongside two networks that are
separated by a firewall. The DMZ is designed to allow public
access, and is assumed to be much less secure than the internal
network behind the firewall. Put public services here. It is always
assumed that machines in the DMZ are vulnerable to attack.
*** DIAGRAM #2 Firewall with DMZ
Q: What type of product is best?
Software or Hardware, Commercial or Freeware?
Open up the discussion here...
Issues include cost, ease of configuration, maintenance,
reliability, redundancy, ...
*** DISCUSSION: reference to SonicWALL online-demo also
NAT
Q: What is NAT?
Q: First, What are "Private Addresses"?
RFC 1597, "Address Allocation for Private Internets"
http://www.faqs.org/rfcs/rfc-index.html
http://www.faqs.org/rfcs//rfc1597.txt
RFC 1597 defines these address ranges:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
Q: Define NAT, Network Address Translator
RFC 1631, "The IP Network Address Translator (NAT)"
http://www.faqs.org/rfcs/rfc1631.txt
The IETF Working Group
Theory: within a stub domain, a small number of globally
unique IP addresses can be used and reused to provide
service to a much larger number of local addresses.
A Network Address Translator is a device placed at the
border of a domain that provides this function. It maintains
a table that translates between external globally unique addresses,
and internal non-globally unique addresses.
Q: What problems did NAT solve?
NAT was designed to solve two problems (1 and 2 below), and it
incidentally addresses two more:
Problem 1: IP address space depletion
Problem 2: Routing table scalability/size
Problem 3: I need to renumber my entire domain
Problem 4: anybody on the Internet can route to my machine
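Added example, not from the FAQ or from RFC 1631: a Python model of the translation table a port-translating NAT (the kind a Cisco router or a Linux masquerading host keeps) maintains at the border of a stub domain. It shows the private ranges from RFC 1597 being recognised, two inside hosts sharing one public address, replies being mapped back, and an unsolicited inbound packet having no mapping and being dropped (Problem 4 above). The public and remote addresses are constructed.

```python
import ipaddress

# RFC 1597 private ranges, as listed above
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


class NAT:
    """Port-translating NAT: one public address is shared by many private
    ones, and each mapping is keyed on (address, port) in both directions."""

    def __init__(self, public_ip: str, first_port: int = 61000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_table = {}   # (in_ip, in_port, remote_ip, remote_port) -> public port
        self.in_table = {}    # (public port, remote_ip, remote_port) -> (in_ip, in_port)

    def outbound(self, src, sport, dst, dport):
        """Inside -> Internet: rewrite a private source to the public one."""
        if not is_private(src):
            return (src, sport, dst, dport)        # already routable, pass untouched
        key = (src, sport, dst, dport)
        if key not in self.out_table:               # first packet: allocate a mapping
            pub_port = self.next_port
            self.next_port += 1
            self.out_table[key] = pub_port
            self.in_table[(pub_port, dst, dport)] = (src, sport)
        return (self.public_ip, self.out_table[key], dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Internet -> inside: translate only if a mapping exists. Anything
        unsolicited has no inside destination and is dropped (None)."""
        if dst != self.public_ip:
            return None
        mapping = self.in_table.get((dport, src, sport))
        if mapping is None:
            return None
        in_ip, in_port = mapping
        return (src, sport, in_ip, in_port)


def demo():
    nat = NAT("203.0.113.1")                    # constructed public address
    web = ("198.51.100.20", 80)                 # constructed external web server
    a = nat.outbound("192.168.0.10", 5000, *web)
    b = nat.outbound("192.168.0.11", 5000, *web)   # same inside port, different public port
    a_again = nat.outbound("192.168.0.10", 5000, *web)   # existing mapping is reused
    reply_a = nat.inbound(web[0], web[1], "203.0.113.1", a[1])
    unsolicited = nat.inbound("198.51.100.99", 4444, "203.0.113.1", 22)
    return a, b, a_again, reply_a, unsolicited


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The `in_table` lookup is why "NAT + Servers is difficult" in the next question: an inbound connection to an inside server has no mapping until an administrator adds a static one, and protocols that carry inside addresses in their payload (FTP, DNS, PPTP, ...) need a helper to rewrite them.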
*** DIAGRAM #3, Jose's INTEC NAT
Q: Are there problems with NAT?
- NAT + Servers is difficult
- Protocols that carry IP addresses in data have trouble
examples: FTP, DNS, PPTP, NETMEETING, ICQ ...
- "Protocol Complications with the IP Network Address Translator"
http://www.ietf.org/internet-drafts/draft-ietf-nat-protocol-complications-06.txt
Q: How does CISCO implement NAT?
- Cisco IOS 11.2 or greater
- Extremely flexible implementation
- Both addresses and ports can be mapped
- Many applications supported
http://www.cisco.com/warp/public/cc/so/cuso/epso/entdes/index.shtml
IOS
Q: Can I use my CISCO router as a Firewall?
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt3/index.htm
Yes, but it depends on ...
- CPU
- Memory
- CISCO IOS version
- Quality-Of-Service expectations
Q: What are CISCO Access Lists?
CISCO IOS has commands to create rules for packet filtering
on each interface. So you can make a CISCO router act like
a packet-filtering firewall.
Q: What is the command syntax?
access-list [n] [permit|deny] [proto] [src] [dst] [oper port]
This Firewalls FAQ has some simple examples:
http://www.interhack.net/pubs/fwfaq/
- processing stops at the first matching rule
- putting the permits that match most traffic early is the fastest/best option
- an implicit DENY is the last rule by default
Q: Show some example access-list rules?
1. set this access list on this interface
interface serial 0
ip access-group 111 in
2. keep active connections alive
access-list 111 permit tcp any any established
3. deny spoofed addresses from coming in
access-list 111 deny ip 207.176.16.16 0.0.0.15 any log
4. deny "private" addresses from coming in
access-list 111 deny ip 127.0.0.0 0.255.255.255 any log
access-list 111 deny ip 10.0.0.0 0.255.255.255 any log
access-list 111 deny ip 172.16.0.0 0.0.255.255 any log
access-list 111 deny ip 192.168.0.0 0.0.255.255 any log
5. allow connections to the internal mail server
access-list 111 permit tcp any host 207.176.16.20 eq smtp
...
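Added Python example (not from the FAQ and not Cisco code): a toy evaluator for the access-list 111 rules above that applies first-match ordering, Cisco wildcard (inverse) masks, the established keyword and the implicit final deny. The parser understands only the rule forms used here; the port-name table and the test addresses are constructed, and the 192.168 rule is written with a 0.0.255.255 wildcard so it covers the whole range from the NAT section.

```python
import ipaddress
import re

# IOS port names used in the rules; numeric ports are accepted too (assumed table)
SERVICES = {"smtp": 25, "www": 80, "ftp": 21, "telnet": 23, "domain": 53}

ADDR = r"any|host \S+|\d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+"
RULE_RE = re.compile(
    rf"^access-list (?P<n>\d+) (?P<action>permit|deny) (?P<proto>\w+) "
    rf"(?P<src>{ADDR}) (?P<dst>{ADDR})"
    r"(?: eq (?P<port>\S+))?(?P<est> established)?(?: log)?$")


def parse_rule(line: str) -> dict:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported rule: " + line)
    r = m.groupdict()
    if r["port"] is not None:
        r["port"] = SERVICES.get(r["port"]) or int(r["port"])
    r["est"] = r["est"] is not None
    return r


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care' (inverse of a netmask)."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == parts[1]
    base, wild = (int(ipaddress.ip_address(p)) for p in parts)
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.ip_address(addr)) & care) == (base & care)


def evaluate(rules, proto, src, dst, dport=None, established=False):
    """First match wins; if nothing matches, the implicit deny at the end of
    every IOS access list applies. 'established' is true when the TCP ACK or
    RST bit is set, which is all the keyword checks."""
    for line in rules:
        r = parse_rule(line)
        if r["proto"] != "ip" and r["proto"] != proto:
            continue
        if not (wildcard_match(src, r["src"]) and wildcard_match(dst, r["dst"])):
            continue
        if r["port"] is not None and r["port"] != dport:
            continue
        if r["est"] and not established:
            continue
        return r["action"], line
    return "deny", "implicit deny ip any any"


# The list from the question above
ACL_111 = [
    "access-list 111 permit tcp any any established",
    "access-list 111 deny ip 207.176.16.16 0.0.0.15 any log",
    "access-list 111 deny ip 127.0.0.0 0.255.255.255 any log",
    "access-list 111 deny ip 10.0.0.0 0.255.255.255 any log",
    "access-list 111 deny ip 172.16.0.0 0.0.255.255 any log",
    "access-list 111 deny ip 192.168.0.0 0.0.255.255 any log",
    "access-list 111 permit tcp any host 207.176.16.20 eq smtp",
]


def demo():
    mail = "207.176.16.20"
    return {
        "smtp_from_internet": evaluate(ACL_111, "tcp", "198.51.100.5", mail, 25),
        "smtp_from_private": evaluate(ACL_111, "tcp", "10.1.1.1", mail, 25),
        "smtp_spoofed_inside": evaluate(ACL_111, "tcp", "207.176.16.21", mail, 25),
        "ssh_from_internet": evaluate(ACL_111, "tcp", "198.51.100.5", mail, 22),
        "reply_to_inside": evaluate(ACL_111, "tcp", "198.51.100.5", "207.176.16.30",
                                    40000, established=True),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

One ordering consequence worth seeing in the output: because the established rule comes first, a packet with the ACK bit set is permitted before the anti-spoofing and private-address denies are ever consulted. If those denies must apply to every packet, they go ahead of the established rule, at the cost of the speed the early permit buys.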
Q: What about "IP Session Filtering"
CISCO also calls these "Reflexive Access Lists"
http://www.cisco.com/en/US/docs/ios/12_0/security/configuration/guide/screflex.html
- Cisco IOS version 11.3 or greater
- allows you to implement TCP session rules
- automatically created and destroyed
- stateful, state create at start and end of TCP session
Q: Show some example reflexive access-list rules?
1. define the extended lists and their directions
ip access-group myinputfilter in
ip access-group myoutputfilter out
2. set the idle session timeout
ip reflexive-list timeout 120
3. allow all outbound sessions
ip access-list extended myoutputfilter
permit tcp any any reflect mytcptraffic
4. deny incoming sessions except established ones
ip access-list extended myinputfilter
evaluate mytcptraffic
IPCHAINS
Q: What is IP Chains?
IP Chains is a packet-filtering firewall implementation
that is run on a number of Unix-based operating systems.
In Linux, IP Chains is implemented in the kernel, and
sequences of rules are defined that control the input,
output, and forwarding of packets based on the 1) interface
2) source 3) destination and 4) port number of the packet.
Q: Why are they called "chains?"
The rules that define the security policy
are checked in sequence, that is, one rule after
the other. So the ordering of the rules is important.
Like the links of a chain, all the rules are in sequence
and tied together to form a whole.
Q: What Linux Kernel/OS version should I use?
- Use a modern version 2.2.X kernel.
- Redhat 6.0 comes with Kernel 2.2.5-15.
- Patch the net/ipv4/ip_fw.c file
to block short fragments, or configure your kernel
with CONFIG_IP_ALWAYS_DEFRAG.
Q: How does the command work?
Rules are established using the "ipchains" command.
Settings are recorded in the proc filesystem files:
/proc/net/ip_fwchains
/proc/net/ip_fwnames
/proc/net/ip_masquerade
The MAN pages:
% man ipfw ( file:/usr/man/man4/ipfw.4 )
% man ipchains ( file:/usr/man/man8/ipchains.8 )
By default there are three built-in chains (rule types):
INPUT (receiving)
OUTPUT (sending)
FORWARD (forwarding, routers)
There are 5 primary actions for matched rules:
ACCEPT     aka "SKIP", pass it thru
REJECT     toss it, but send ICMP host unreachable
DENY       aka "BLOCK", toss it with no notification
REDIRECT   UDP/TCP, send packet to local process/port
MASQ       UDP/TCP, rewrite src-and-port
And three special case actions:
(no target) just for accounting, a rule with no action
RETURN     the end of a rule chain
default    if no rules match, apply the default rule
Q: Show some example ipchains rules?
1. deny all incoming packets
ipchains --append input --source 0/0 --jump DENY
2. deny all incoming ICMP packets
ipchains --append input --protocol ICMP --source 0/0 --jump DENY
3. create a new chain, add rules, append to input chain,
block incoming all TCP connection requests
ipchains -N mychain
ipchains -A mychain -p TCP --syn -j REJECT
ipchains -A input -j mychain
4. list the chain, flush all rules, delete the chain
ipchains -L
ipchains -F
ipchains -X mychain
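Added Python example (not part of the FAQ, and not the kernel's code): a toy model of how ipchains walks its rules, built from the commands in the two questions above. It shows the jump from the input chain into a user chain, RETURN handing control back to the calling chain, the default policy applying when nothing matches, and the -F/-X cleanup. The method names, the packet dictionaries and the addresses are constructed for the example.

```python
import ipaddress

BUILTIN = ("input", "output", "forward")


def _net(spec: str):
    """ipchains address syntax: '0/0' means everything; otherwise CIDR or a host."""
    return ipaddress.ip_network("0.0.0.0/0" if spec == "0/0" else spec, strict=False)


class Chains:
    """Built-in chains have a policy (ipchains -P). A rule whose target is a
    user chain jumps into it; if that chain RETURNs or runs out of rules,
    traversal resumes at the next rule of the caller. The first terminal
    target reached decides the packet's fate."""

    def __init__(self):
        self.chains = {c: [] for c in BUILTIN}
        self.policy = {c: "ACCEPT" for c in BUILTIN}

    def new(self, name):                         # ipchains -N name
        if name in self.chains:
            raise ValueError("chain exists")
        self.chains[name] = []

    def set_policy(self, chain, target):         # ipchains -P chain target
        self.policy[chain] = target

    def append(self, chain, target, proto=None, src="0/0", dst="0/0", syn=False):
        # ipchains -A chain [-p proto] [-s src] [-d dst] [--syn] -j target
        self.chains[chain].append({"proto": proto, "src": _net(src), "dst": _net(dst),
                                   "syn": syn, "target": target})

    def flush(self, chain=None):                 # ipchains -F [chain]
        for c in ([chain] if chain else self.chains):
            self.chains[c].clear()

    def delete(self, name):                      # ipchains -X name
        referenced = any(r["target"] == name for rules in self.chains.values() for r in rules)
        if name in BUILTIN or self.chains[name] or referenced:
            raise ValueError("only empty, unreferenced user chains can be deleted")
        del self.chains[name]

    @staticmethod
    def _matches(rule, pkt):
        if rule["proto"] and rule["proto"] != pkt["proto"]:
            return False
        if rule["syn"] and not (pkt["proto"] == "TCP" and pkt.get("syn")):
            return False
        return (ipaddress.ip_address(pkt["src"]) in rule["src"]
                and ipaddress.ip_address(pkt["dst"]) in rule["dst"])

    def _walk(self, chain, pkt, trace):
        for i, rule in enumerate(self.chains[chain]):
            if not self._matches(rule, pkt):
                continue
            target = rule["target"]
            trace.append(f"{chain}[{i}] -> {target}")
            if target == "RETURN":
                return None                      # back to the calling chain
            if target in self.chains:            # jump into a user chain
                verdict = self._walk(target, pkt, trace)
                if verdict is not None:
                    return verdict
                continue                         # no verdict there: keep going here
            return target                        # ACCEPT / DENY / REJECT / MASQ ...
        return None                              # fell off the end of the chain

    def verdict(self, chain, pkt):
        """Return (target, trace); the chain's policy applies when nothing matched."""
        trace = []
        result = self._walk(chain, pkt, trace)
        if result is None:
            result = self.policy[chain]
            trace.append(f"{chain} policy -> {result}")
        return result, trace


def demo():
    fw = Chains()
    fw.new("mychain")                                        # ipchains -N mychain
    fw.append("mychain", "RETURN", src="192.168.0.0/24")     # local net: back to input
    fw.append("mychain", "REJECT", proto="TCP", syn=True)    # -A mychain -p TCP --syn -j REJECT
    fw.append("input", "mychain")                            # -A input -j mychain
    fw.append("input", "DENY", proto="ICMP")                 # like example 2 above
    syn_out = {"proto": "TCP", "src": "198.51.100.7", "dst": "192.168.0.1", "syn": True}
    syn_lan = {"proto": "TCP", "src": "192.168.0.5", "dst": "192.168.0.1", "syn": True}
    ping = {"proto": "ICMP", "src": "192.168.0.5", "dst": "192.168.0.1"}
    results = tuple(fw.verdict("input", p)[0] for p in (syn_out, syn_lan, ping))
    fw.flush()                                               # ipchains -F
    fw.delete("mychain")                                     # ipchains -X mychain
    return results, "mychain" in fw.chains


if __name__ == "__main__":
    print(demo())
```

The trace list returned by `verdict` is the useful part when debugging a real ruleset: it records every rule that matched on the way to the decision, which is exactly what you reconstruct by hand from `ipchains -L -v` counters when a packet goes somewhere unexpected.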
Q: Do we have time to talk about Masquerade?
- think of "ip masquerading" as an extension of ipchains
- you can use MASQ to hide internal machines
- you can use MASQ ipchains to implement a NAT device
- linux machine acts as a router, so 2 interfaces.
- external iface "masquerades" the forwards from the internal iface
- Suse Linux has scripts to support this:
* NOTE: your routes/forwarding has to be setup correctly first!
1. make a chain and append to forwarding chain for outgoing packets
ipchains -N user_msq
ipchains -A user_msq -s 0/0 -d 0/0 -j MASQ
ipchains -A forward -s 192.168.0.0/24 -d 0/0 -i eth0 -j user_msq
2. add module support for protocols that need special handling
insmod ip_masq_ftp
insmod ip_masq_irc
insmod ... cuseeme, raudio, vdolive, quake
Q: Where can I find more ipchains rule examples?
There are lots of good examples in the mailing list archives.
VPN
Q: What is a VPN?
VPN stands for "Virtual Private Network". VPN's are
implementations of secure communications established by building
secure channels between two endpoints using authentication
and encryption. These are sometimes called "secure tunnels".
Q: What is IPSEC?
IPSEC stands for "Secure IP". It is the IETF's standard
for creating secure IP communication channels. It consists
of developing "security associations" between systems using
the protocols of the AH (authentication header) and ESP
(encapsulating security payload).
http://network-services.uoregon.edu/RFCS/rfc/rfc2401.txt
IPSEC operates at the network layer. This means that
normal applications should operate without changes.
IPSEC implementations are allowed to vary.
Authentication might involve manually configured keys,
and DIFFIE-HELLMAN key exchanges. Encryption might
involve TRIPLE-DES, etc. Make sure to check compatibility
and standards compliance for interoperability.
IPSEC is becoming the most popular method for building
commercial VPN's.
http://www.internetwk.com/VPN/links.htm
http://www.icsa.net/services/product_cert/ipsec
Q: What is PPTP?
PPTP stands for Point-to-Point Tunnel Protocol
It is a network protocol developed by Microsoft
that can be used to create VPN's to NT servers
using the RAS (Remote Access Server) services
found in the NT operating system. A PPTP server
for Linux has also been developed.
- It's free and builtin as part of NT
- The clients for NT,W95,W98 are also free
- It takes advantage of NT DOMAIN authentication
- Good for large NT sites
Q: How do I setup PPTP?
A collection of documents and instructions is here:
Q: What about SSH tunnels?
SSH is a good example of a VPN, but only in terms
of "host-to-host" connections. It is completely distributed,
so that setup and management must be controlled on every host.
Q: Where can I obtain SSH?
Q: Are there other SSH versions?
TeraTerm SSH is freely available.
SecureCRT is another program that is available.
SSH also shows up in CISCO IOS in some versions.
Q: What about commercial VPN's?
SecuRemote, at http://www.checkpoint.com
Raptor Mobile, at http://www.axent.com/product/rsbu/mobile/default.htm
Network Associates Gauntlet, http://www.nai.com/about/news/press/1999/january/011999.asp
PIX, Cisco, http://www.cisco.com/warp/public/778/security/pix/pie_ds.htm
(every firewall vendor also sells VPN's)
GENERAL RECOMMENDATIONS
- use ISOLATED LANS for "high sensitivity" machines/groups/services
- use FIREWALLS for "medium sensitivity" machines/groups/services
- use DMZ for "low sensitivity" public machines/groups/services
- use NAT to conserve addresses and for "medium sensitivity" machines
- use IP-SPOOFING access lists
- use SWITCHES instead of hubs
- use EAVESDROP PREVENTION on hubs
- use ICMP blocking
- use VPNS for secure remote access
- run VULNERABILITY SCANNERS to detect weaknesses
- run INTRUSION DETECTION to log intrusions
- run SSH
- turn off UNUSED DAEMONS
- run BUFFER OVERFLOW prevention
- run CRACK to test password vulnerability
- run SYSLOG for centralized logging
- run BACKUPS
- run VIRUS DETECTION software on all pc's
- make a SECURITY MAILING LIST
- make a SECURITY POLICY GROUP
- make a SECURITY RESPONSE TEAM
- develop RELATIONSHIPS with law enforcement
- develop RELATIONSHIPS with other organizations
- develop a SECURITY POLICY
Q: Which are in use at the University of Oregon?
(Also mention DUCKWARE Secure Apps Installer)
RESOURCES
General
CERT http://www.cert.org/
COAST http://www.cs.purdue.edu/coast/
BUGTRAQ http://www.securityfocus.com/
mailto:LISTSERV@SECURITYFOCUS.COM
SUBSCRIBE BUGTRAQ
SANS http://www.sans.org/
mailto:sans@sans.org - SUBSCRIBE NewsBites
GREATCIRCLE mailto:majordomo@greatcircle.com
SUBSCRIBE firewalls
Firewalls
FAQ http://www.interhack.net/pubs/fwfaq/
Checkpoint http://www.checkpoint.com/products/firewall-1
SonicWALL http://www.sonicwall.com/
WatchGuard http://www.watchguard.com/products/firebox.asp
Cisco http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt3/index.htm
Virtual Private Networks
PPTP http://ns.uoregon.edu/pptp/
(see also) all firewall vendors sell VPN's
Network Monitoring
MRTG http://oss.oetiker.ch/mrtg/
RRDTool http://oss.oetiker.ch/rrdtool/
Vulnerability Scanning
Saint http://www.wwdsi.com/saint/
NMap ftp://metalab.unc.edu/pub/packages/security/nmap/
ISS Scanner http://www.iss.net/
NetSonar http://www.cisco.com/warp/public/cc/so/neso/sqso/index.shtml
Intrusion Detection
links http://www.cs.purdue.edu/coast/ids/
NFR http://www.checkpoint.com/products/intrusion.html
Security Policy - sample
UnivOregon http://security.uoregon.edu/node/11.html
PennState http://guru.psu.edu/policies/AD20.html
System Integrity
Sample http://ns.uoregon.edu/security/
Unix Security
Solaris http://ns.uoregon.edu/security/
PGP&SSH http://ns.uoregon.edu/pgpssh/
PGP.COM http://www.pgp.com/
Other
TOASTER: http://www.oac.uci.edu/support/dcs/security/toaster.html
IP, TCP, UDP HEADERS
IP Header Format (RFC 791) http://www.faqs.org/rfcs/rfc791.html
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version|  IHL  |Type of Service|          Total Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Identification        |Flags|      Fragment Offset    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Time to Live |    Protocol   |         Header Checksum       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Source Address                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Destination Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
TCP Header Format (RFC 793) http://www.faqs.org/rfcs/rfc793.html
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source Port          |       Destination Port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Sequence Number                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Acknowledgment Number                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Data |           |U|A|P|R|S|F|                               |
   | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
   |       |           |G|K|H|T|N|N|                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Checksum            |         Urgent Pointer        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             data                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
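Added Python example (not from the FAQ or the RFCs): a parser for the two headers above that unpacks each field with struct in the order the diagrams show, verifies the IP header checksum, decodes the six TCP flag bits, and returns the tuple (protocol, addresses, ports, flags) that the packet filters and access lists earlier in these notes key on. The sample packet is constructed in the code; its TCP checksum is left at zero because computing it needs the pseudo-header and that is not what the example is about.

```python
import struct


def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement
    sum of all 16-bit words, computed with the checksum field set to zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(data: bytes) -> dict:
    """Fields in the order of the IP Header Format figure."""
    (version_ihl, tos, total_length, ident, flags_frag,
     ttl, proto, hdr_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (version_ihl & 0x0F) * 4           # header length in bytes (IHL is in 32-bit words)
    hdr = data[:ihl]
    zeroed = hdr[:10] + b"\x00\x00" + hdr[12:]   # checksum field is bytes 10-11
    return {
        "version": version_ihl >> 4, "ihl": ihl, "tos": tos,
        "total_length": total_length, "id": ident,
        "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto,
        "checksum_ok": ip_checksum(zeroed) == hdr_csum,
        "src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst),
        "options": hdr[20:], "payload": data[ihl:total_length],
    }


TCP_FLAGS = [("URG", 0x20), ("ACK", 0x10), ("PSH", 0x08),
             ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01)]


def parse_tcp(seg: bytes) -> dict:
    """Fields in the order of the TCP Header Format figure."""
    (sport, dport, seq, ack, off_res, flags,
     window, csum, urg) = struct.unpack("!HHLLBBHHH", seg[:20])
    data_offset = (off_res >> 4) * 4         # high nibble, in 32-bit words
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": data_offset,
        "flags": {name for name, bit in TCP_FLAGS if flags & bit},
        "window": window, "checksum": csum, "urgent": urg,
        "options": seg[20:data_offset], "data": seg[data_offset:],
    }


def filter_tuple(packet: bytes):
    """What a packet filter looks at: protocol, addresses, ports and flags."""
    ip = parse_ipv4(packet)
    if ip["protocol"] != 6:                  # not TCP: no ports or flags
        return (ip["protocol"], ip["src"], None, ip["dst"], None, set())
    tcp = parse_tcp(ip["payload"])
    return (6, ip["src"], tcp["sport"], ip["dst"], tcp["dport"], tcp["flags"])


def build_sample() -> bytes:
    """Constructed packet: a TCP SYN from 192.168.0.10:40000 to 203.0.113.5:80,
    SEQ=100, like step 1 of the handshake in the FIREWALLS section."""
    tcp = struct.pack("!HHLLBBHHH", 40000, 80, 100, 0, 5 << 4, 0x02, 8192, 0, 0)
    total_len = 20 + len(tcp)
    # 0x45 = version 4, IHL 5; 0x4000 = Don't Fragment flag, offset 0; proto 6 = TCP
    ip_no_csum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                             bytes([192, 168, 0, 10]), bytes([203, 0, 113, 5]))
    csum = ip_checksum(ip_no_csum)
    ip = ip_no_csum[:10] + struct.pack("!H", csum) + ip_no_csum[12:]
    return ip + tcp


if __name__ == "__main__":
    pkt = build_sample()
    print(parse_ipv4(pkt))
    print(parse_tcp(parse_ipv4(pkt)["payload"]))
    print(filter_tuple(pkt))
```

Note that the parser trusts nothing it has not read: the header length comes from IHL, the payload boundary from Total Length, and the option bytes are whatever lies between the fixed 20 bytes and Data Offset. A filter that used fixed offsets instead would misread any packet carrying options, which is one of the classic ways to slip traffic past a naive packet filter, and the reason the ipchains section recommends defragmenting before filtering.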