
Updated, based on the comments

master
Martins Eglitis 4 weeks ago
parent
commit
6c32fee136
4 changed files with 448 additions and 1054 deletions
  1. +0 -3  lab2/comments_Karam_Akar_Erik_Higbie.txt
  2. +448 -16  lab2/group_64_report.lyx
  3. +0 -1035  lab2/group_64_report.lyx~
  4. BIN  lab2/group_64_report.pdf

+0 -3  lab2/comments_Karam_Akar_Erik_Higbie.txt

@@ -1,3 +0,0 @@
1
-In general, I disaggree with most of the comments given by the two authors.
2
-
3
-1. The only 
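Review bot: the deleted comments file ended mid-sentence at "1. The only", so no finished review text is lost here; but since the commit message says the revision is "based on the comments", it would help a reader of the history if the substance of those comments (or a pointer to where they live now) were recorded in the report's discussion section rather than disappearing with this file.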

+448 -16  lab2/group_64_report.lyx

@@ -210,7 +210,7 @@ noprefix "false"
210 210
 \end_layout
211 211
 
212 212
 \begin_layout Standard
213
-The purpose of the laboratory report is to give a written feedback on the
213
+The purpose of the laboratory report is to give written feedback on the
214 214
  evaluation of the currently used firewall and the update, which is based
215 215
  on the requirements.
216 216
 \end_layout
@@ -237,19 +237,56 @@ As stated in the laboratory assignment, the setup consists of two virtual
237 237
 \begin_layout Standard
238 238
 The initial firewall configuration is fairly simple and is not optimal in
239 239
  terms of security.
240
- The three chains, namely 
240
+ There are four chains, namely 
241 241
 \begin_inset Formula $INPUT$
242 242
 \end_inset
243 243
 
244 244
 , 
245
-\begin_inset Formula $FO$
245
+\begin_inset Formula $FORWARD$
246 246
 \end_inset
247 247
 
248
+, 
249
+\begin_inset Formula $OUTPUT$
250
+\end_inset
251
+
252
+ and 
253
+\begin_inset Formula $LOG\_DROP$
254
+\end_inset
255
+
256
+.
257
+ The initial policy for 
258
+\begin_inset Formula $INPUT$
259
+\end_inset
260
+
261
+, 
262
+\begin_inset Formula $FORWARD$
263
+\end_inset
248 264
 
265
+ and 
266
+\begin_inset Formula $OUTPUT$
267
+\end_inset
268
+
269
+ chains is 
270
+\begin_inset Formula $ACCEPT$
271
+\end_inset
272
+
273
+, which means that every packet is accepted by the firewall.
274
+ The only layer of protection is the blocking of 
275
+\begin_inset Formula $XMAS$
276
+\end_inset
277
+
278
+ and 
279
+\begin_inset Formula $NULL$
280
+\end_inset
281
+
282
+ packets.
283
+ Also, every packet on every interface gets logged, which may exhaust resources
284
+ such as CPU and memory.
249 285
 \end_layout
250 286
 
251 287
 \begin_layout Standard
252 288
 \begin_inset listings
289
+lstparams "numbers=left"
253 290
 inline false
254 291
 status open
255 292
 
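Review bot: the new sentence lists LOG_DROP next to INPUT, FORWARD and OUTPUT as if all four were of the same kind, but LOG_DROP is a user-defined chain with no policy of its own, which is why the following sentence can only talk about the policy of the other three; say "three built-in chains and one user-defined chain, LOG_DROP" so the two sentences agree. The remark that logging every packet on every interface "may exhaust resources such as CPU and memory" is correct but understates the practical problem, which is log volume filling the disk and burying the entries that matter; the `-m limit` match that the report already applies to echo-requests later in this same file is the standard remedy and is worth naming here.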
@@ -414,10 +451,11 @@ The snippets provided fulfills the respective requirement.
414 451
 
415 452
 .
416 453
  Note that the order of the rules is important.
417
- The idea and execution is straight-forward, little to no comments are given:
454
+ The idea is straight-forward, little to no comments are given:
418 455
 \end_layout
419 456
 
420 457
 \begin_layout Enumerate
458
+Set the default policies to default deny.
421 459
 \begin_inset listings
422 460
 inline false
423 461
 status open
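Review bot: "straight-forward" should be "straightforward", and "The idea is straight-forward, little to no comments are given" is a comma splice; now that every Enumerate item below carries a one-line description, a plainer sentence such as "Each group of rules is preceded by a one-line description" would read better.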
@@ -448,6 +486,7 @@ $IPTABLES -P OUTPUT DROP
448 486
 \end_layout
449 487
 
450 488
 \begin_layout Enumerate
489
+Allow all traffic from the loopback device.
451 490
 \begin_inset listings
452 491
 inline false
453 492
 status open
@@ -473,6 +512,7 @@ $IPTABLES -A OUTPUT -o lo -j ACCEPT
473 512
 \end_layout
474 513
 
475 514
 \begin_layout Enumerate
515
+Allow traffic from your host.
476 516
 \begin_inset listings
477 517
 inline false
478 518
 status open
@@ -493,6 +533,7 @@ $IPTABLES -A OUTPUT -o enp0s3 -j ACCEPT
493 533
 \end_layout
494 534
 
495 535
 \begin_layout Enumerate
536
+Drop spoofed packets.
496 537
 \begin_inset listings
497 538
 inline false
498 539
 status open
@@ -538,24 +579,24 @@ $IPTABLES -A OUTPUT -s 169.254.0.0/16 -j DROP
538 579
 \end_layout
539 580
 
540 581
 \begin_layout Enumerate
582
+Allow established connections (stateful inspection).
541 583
 \begin_inset listings
542 584
 inline false
543 585
 status open
544 586
 
545 587
 \begin_layout Plain Layout
546 588
 
547
-#allow ping, protect from flood
589
+#established, related
548 590
 \end_layout
549 591
 
550 592
 \begin_layout Plain Layout
551 593
 
552
-$IPTABLES -A INPUT -m icmp -p icmp --icmp-type echo-request --match limit
553
- --limit 1/second -j ACCEPT
594
+$IPTABLES -A INPUT -m state --state ESTABLISHED -j ACCEPT
554 595
 \end_layout
555 596
 
556 597
 \begin_layout Plain Layout
557 598
 
558
-$IPTABLES -A INPUT -m icmp -p icmp --icmp-type echo-request -j DROP
599
+$IPTABLES -A INPUT -m state --state RELATED -j ACCEPT
559 600
 \end_layout
560 601
 
561 602
 \end_inset
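Review bot: placing the ESTABLISHED/RELATED rules ahead of the ICMP rules is the right order, but the ruleset now mixes the legacy `-m state --state ESTABLISHED` match here with `-m conntrack --ctstate NEW` in the service rules (see the `@@ -619` hunk header below); use `-m conntrack` throughout and fold the two rules into one: `$IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`.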
@@ -564,23 +605,25 @@ $IPTABLES -A INPUT -m icmp -p icmp --icmp-type echo-request -j DROP
564 605
 \end_layout
565 606
 
566 607
 \begin_layout Enumerate
608
+Allow ping and add protection from ping-flooding.
567 609
 \begin_inset listings
568 610
 inline false
569 611
 status open
570 612
 
571 613
 \begin_layout Plain Layout
572 614
 
573
-#established, related
615
+#allow ping, protect from flood
574 616
 \end_layout
575 617
 
576 618
 \begin_layout Plain Layout
577 619
 
578
-$IPTABLES -A INPUT -m state --state ESTABLISHED -j ACCEPT
620
+$IPTABLES -A INPUT -m icmp -p icmp --icmp-type echo-request --match limit
621
+ --limit 1/second -j ACCEPT
579 622
 \end_layout
580 623
 
581 624
 \begin_layout Plain Layout
582 625
 
583
-$IPTABLES -A INPUT -m state --state RELATED -j ACCEPT
626
+$IPTABLES -A INPUT -m icmp -p icmp --icmp-type echo-request -j DROP
584 627
 \end_layout
585 628
 
586 629
 \end_inset
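Review bot: the `--limit 1/second` rule admits more than one echo-request per second at first, because the limit match has a default `--limit-burst` of 5; if the report text is going to say "one per second", either state the burst or add `--limit-burst 1` explicitly. Also, `-m icmp` is redundant with `-p icmp --icmp-type echo-request` (the protocol match loads the icmp extension), and `--match limit` is just the long form of `-m limit`; pick one spelling for the whole script.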
@@ -589,6 +632,7 @@ $IPTABLES -A INPUT -m state --state RELATED -j ACCEPT
589 632
 \end_layout
590 633
 
591 634
 \begin_layout Enumerate
635
+Allow specific applications.
592 636
 \begin_inset listings
593 637
 inline false
594 638
 status open
@@ -619,6 +663,7 @@ $IPTABLES -A INPUT -p tcp --dport 8080 -m conntrack --ctstate NEW -j ACCEPT
619 663
 \end_layout
620 664
 
621 665
 \begin_layout Enumerate
666
+Log all other packets.
622 667
 \begin_inset listings
623 668
 inline false
624 669
 status open
@@ -661,18 +706,369 @@ Each of the requirements was tested by checking the output of
661 706
 Firewall correctness
662 707
 \end_layout
663 708
 
709
+\begin_layout Standard
710
+This section briefly describes if and how the newly configured firewalls
711
+ solves the requirements given.
712
+ Each subsection corresponds to the respective requirement, making it easier
713
+ to implement, test and document the newly established firewall.
714
+\end_layout
715
+
664 716
 \begin_layout Subsection
665 717
 Set the default policies to default deny
666 718
 \end_layout
667 719
 
720
+\begin_layout Standard
721
+The respective code snippet sets the 
722
+\begin_inset Formula $INPUT$
723
+\end_inset
724
+
725
+, 
726
+\begin_inset Formula $FORWARD$
727
+\end_inset
728
+
729
+ and 
730
+\begin_inset Formula $OUTPUT$
731
+\end_inset
732
+
733
+ chains to 
734
+\begin_inset Formula $DROP$
735
+\end_inset
736
+
737
+.
738
+ This is the recommended setting for firewall - deny everything first and
739
+ the allow only certain chains, interfaces, ports, services, etc.
740
+ The rules work on all network interfaces.
741
+\begin_inset listings
742
+inline false
743
+status open
744
+
745
+\begin_layout Plain Layout
746
+
747
+#policy
748
+\end_layout
749
+
750
+\begin_layout Plain Layout
751
+
752
+$IPTABLES -P INPUT DROP
753
+\end_layout
754
+
755
+\begin_layout Plain Layout
756
+
757
+$IPTABLES -P FORWARD DROP
758
+\end_layout
759
+
760
+\begin_layout Plain Layout
761
+
762
+$IPTABLES -P OUTPUT DROP
763
+\end_layout
764
+
765
+\end_inset
766
+
767
+
768
+\end_layout
769
+
770
+\begin_layout Subsection
771
+Allow all traffic from the loopback device
772
+\end_layout
773
+
774
+\begin_layout Standard
775
+Loopback interface is often used for internal communication and testing.
776
+ The following two rules set the 
777
+\begin_inset Formula $INPUT$
778
+\end_inset
779
+
780
+ and 
781
+\begin_inset Formula $OUTPUT$
782
+\end_inset
783
+
784
+ chains to accept all packages on the loopback 
785
+\begin_inset Formula $lo$
786
+\end_inset
787
+
788
+ interface.
789
+\begin_inset listings
790
+inline false
791
+status open
792
+
793
+\begin_layout Plain Layout
794
+
795
+#loopback
796
+\end_layout
797
+
798
+\begin_layout Plain Layout
799
+
800
+$IPTABLES -A INPUT -i lo -j ACCEPT
801
+\end_layout
802
+
803
+\begin_layout Plain Layout
804
+
805
+$IPTABLES -A OUTPUT -o lo -j ACCEPT
806
+\end_layout
807
+
808
+\end_inset
809
+
810
+
811
+\end_layout
812
+
813
+\begin_layout Subsection
814
+Allow traffic from your host
815
+\end_layout
816
+
817
+\begin_layout Standard
818
+It is usually a good idea to allow all outgoing traffic using the 
819
+\begin_inset Formula $OUTPUT$
820
+\end_inset
821
+
822
+ chain on the interface exposed to external networks, e.g.
823
+ 
824
+\begin_inset Formula $enp0s3$
825
+\end_inset
826
+
827
+.
828
+ However, filtering egress traffic might protect other network nodes from
829
+ attacks from the current node or nodes connected to the current node.
830
+\begin_inset listings
831
+inline false
832
+status open
833
+
834
+\begin_layout Plain Layout
835
+
836
+#allow all egress traffic from enp0s3
837
+\end_layout
838
+
839
+\begin_layout Plain Layout
840
+
841
+$IPTABLES -A OUTPUT -o enp0s3 -j ACCEPT
842
+\end_layout
843
+
844
+\end_inset
845
+
846
+
847
+\end_layout
848
+
849
+\begin_layout Subsection
850
+Drop spoofed packets
851
+\end_layout
852
+
853
+\begin_layout Standard
854
+There is a list approved by IANA of address intended for special purposes,
855
+ for example, allowed only in internal networks.
856
+ The given rules drop traffic incoming and outgoing traffic from such addresses
857
+ and subnets.
858
+\begin_inset listings
859
+inline false
860
+status open
861
+
862
+\begin_layout Plain Layout
863
+
864
+#spoofed
865
+\end_layout
866
+
867
+\begin_layout Plain Layout
868
+
869
+$IPTABLES -A INPUT -s 10.0.0.0/8 -j DROP 
870
+\end_layout
871
+
872
+\begin_layout Plain Layout
873
+
874
+$IPTABLES -A OUTPUT -s 10.0.0.0/8 -j DROP
875
+\end_layout
876
+
877
+\begin_layout Plain Layout
878
+
879
+$IPTABLES -A INPUT -s 172.16.0.0/12 -j DROP
880
+\end_layout
881
+
882
+\begin_layout Plain Layout
883
+
884
+$IPTABLES -A OUTPUT -s 172.16.0.0/12 -j DROP
885
+\end_layout
886
+
887
+\begin_layout Plain Layout
888
+
889
+$IPTABLES -A INPUT -s 169.254.0.0/16 -j DROP
890
+\end_layout
891
+
892
+\begin_layout Plain Layout
893
+
894
+$IPTABLES -A OUTPUT -s 169.254.0.0/16 -j DROP
895
+\end_layout
896
+
897
+\end_inset
898
+
899
+
900
+\end_layout
901
+
902
+\begin_layout Subsection
903
+Allow established connections (stateful inspection)
904
+\end_layout
905
+
906
+\begin_layout Standard
907
+An important property of a modern firewall is to remember the state of connectio
908
+ns, thus improving security by distinguishing legitimate packets for different
909
+ types of connections.
910
+ Only packets matching a known active connection are allowed to pass the
911
+ firewall [
912
+\begin_inset CommandInset ref
913
+LatexCommand ref
914
+reference "enu:https://en.wikipedia.org/wiki/St"
915
+plural "false"
916
+caps "false"
917
+noprefix "false"
918
+
919
+\end_inset
920
+
921
+].
922
+\begin_inset listings
923
+inline false
924
+status open
925
+
926
+\begin_layout Plain Layout
927
+
928
+#established, related
929
+\end_layout
930
+
931
+\begin_layout Plain Layout
932
+
933
+$IPTABLES -A INPUT -m state --state ESTABLISHED -j ACCEPT
934
+\end_layout
935
+
936
+\begin_layout Plain Layout
937
+
938
+$IPTABLES -A INPUT -m state --state RELATED -j ACCEPT
939
+\end_layout
940
+
941
+\end_inset
942
+
943
+
944
+\end_layout
945
+
946
+\begin_layout Subsection
947
+Allow ping and add protection from ping-flooding
948
+\end_layout
949
+
950
+\begin_layout Standard
951
+Although the following practice is not recommended as it only complicates
952
+ network management (icmp echo is used for checking if a particular machine
953
+ is responding), it is completely fine to use it for personal home machines.
954
+ The two rules limit the icmp echo request to one per second and drop all
955
+ other icmp echo requests.
956
+\begin_inset listings
957
+inline false
958
+status open
959
+
960
+\begin_layout Plain Layout
961
+
962
+#allow ping, protect from flood
963
+\end_layout
964
+
965
+\begin_layout Plain Layout
966
+
967
+$IPTABLES -A INPUT -m icmp -p icmp --icmp-type echo-request --match limit
968
+ --limit 1/second -j ACCEPT
969
+\end_layout
970
+
971
+\begin_layout Plain Layout
972
+
973
+$IPTABLES -A INPUT -m icmp -p icmp --icmp-type echo-request -j DROP
974
+\end_layout
975
+
976
+\end_inset
977
+
978
+
979
+\end_layout
980
+
981
+\begin_layout Subsection
982
+Allow specific applications
983
+\end_layout
984
+
985
+\begin_layout Standard
986
+As requested, some ports have to be allowed for services.
987
+ The three 
988
+\begin_inset Formula $iptables$
989
+\end_inset
990
+
991
+ rules accept all 
992
+\begin_inset Formula $TCP$
993
+\end_inset
994
+
995
+ packages on every interface, maintaining the statefulness functionality
996
+ achieved in the previous subsection.
997
+\begin_inset listings
998
+inline false
999
+status open
1000
+
1001
+\begin_layout Plain Layout
1002
+
1003
+#allow services
1004
+\end_layout
1005
+
1006
+\begin_layout Plain Layout
1007
+
1008
+$IPTABLES -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
1009
+\end_layout
1010
+
1011
+\begin_layout Plain Layout
1012
+
1013
+$IPTABLES -A INPUT -p tcp --dport 111 -m conntrack --ctstate NEW -j ACCEPT
1014
+\end_layout
1015
+
1016
+\begin_layout Plain Layout
1017
+
1018
+$IPTABLES -A INPUT -p tcp --dport 8080 -m conntrack --ctstate NEW -j ACCEPT
1019
+\end_layout
1020
+
1021
+\end_inset
1022
+
1023
+
1024
+\end_layout
1025
+
1026
+\begin_layout Subsection
1027
+Log all other packets
1028
+\end_layout
1029
+
1030
+\begin_layout Standard
1031
+Finally, the new firewall configuration logs all unfiltered packets on 
1032
+\begin_inset Formula $INPUT$
1033
+\end_inset
1034
+
1035
+ and 
1036
+\begin_inset Formula $OUTPUT$
1037
+\end_inset
1038
+
1039
+ chains.
1040
+\begin_inset listings
1041
+inline false
1042
+status open
1043
+
1044
+\begin_layout Plain Layout
1045
+
1046
+#log
1047
+\end_layout
1048
+
1049
+\begin_layout Plain Layout
1050
+
1051
+$IPTABLES -A INPUT -j LOG
1052
+\end_layout
1053
+
1054
+\begin_layout Plain Layout
1055
+
1056
+$IPTABLES -A OUTPUT -j LOG
1057
+\end_layout
1058
+
1059
+\end_inset
1060
+
1061
+
1062
+\end_layout
1063
+
668 1064
 \begin_layout Section
669
-Conclusions
1065
+Discussion and conclusions
670 1066
 \end_layout
671 1067
 
672 1068
 \begin_layout Standard
673
-When evaluating the currently used firewall, it can concluded that the initial
674
- ruleset is very blank, accepting all incoming traffic and only dropping
675
- NULL or XMAS attack packets [
1069
+When evaluating the currently used firewall, it can be concluded that the
1070
+ initial ruleset is very blank, accepting all incoming traffic and only
1071
+ dropping NULL or XMAS attack packets [
676 1072
 \begin_inset CommandInset ref
677 1073
 LatexCommand ref
678 1074
 reference "enu:https://nmap.org/book/man-port-s"
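Review bot: in "Drop spoofed packets" the OUTPUT drops (`$IPTABLES -A OUTPUT -s 10.0.0.0/8 -j DROP` and the two that follow) are appended after `$IPTABLES -A OUTPUT -o enp0s3 -j ACCEPT` from the previous subsection, so with first-match semantics no egress packet on enp0s3 ever reaches them; either move the spoof drops ahead of the egress accept or bind the accept to the addresses it is meant for, and note this in the text that says "the order of the rules is important". The INPUT drops for 10.0.0.0/8, 172.16.0.0/12 and 169.254.0.0/16 are not bound to an interface with `-i`, and the report should state which addresses the two VMs use so a reader can check that these rules do not match the lab's own traffic. In "Log all other packets", `$IPTABLES -A INPUT -j LOG` has no `-m limit`, which brings back the unbounded logging the evaluation section criticises in the old firewall; the OUTPUT LOG rule is also shadowed by the egress accept, so only non-enp0s3 traffic is ever logged there. The prose in "Allow specific applications" overstates the rules: they accept only NEW TCP connections to ports 22, 111 and 8080, not "all TCP packages". Wording: "the allow only" should read "then allow only", "address intended" should be "addresses intended", and "packages" should be "packets" throughout.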
@@ -692,6 +1088,27 @@ noprefix "false"
692 1088
  actual requests to the services.
693 1089
 \end_layout
694 1090
 
1091
+\begin_layout Standard
1092
+It can be easily seen that the newly configured firewall provides improved
1093
+ security, reliability and management of 
1094
+\begin_inset Formula $IP$
1095
+\end_inset
1096
+
1097
+ packets.
1098
+ On the other hand, the new firewall is far from complete and more rules
1099
+ are required to provide at least somewhat acceptable qualities of a real,
1100
+ non-trivial firewall.
1101
+\end_layout
1102
+
1103
+\begin_layout Standard
1104
+Another really important aspect is that even if the rules provide some form
1105
+ of protection against well-known attacks, the system is completely unaware
1106
+ of other types of attacks, for example, zero-day attacks.
1107
+ A modern solution to this problem is implementing and regulary updating
1108
+ an intrusion detection system (e.g.
1109
+ Snort), or even using a stable intrusion prevention system.
1110
+\end_layout
1111
+
695 1112
 \begin_layout Section
696 1113
 References
697 1114
 \end_layout
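Review bot: "regulary" should be "regularly". The claim that the new firewall provides improved "reliability and management of IP packets" is not supported by anything measured in the report; keep the conclusion to what the correctness section actually shows (default deny, stateful acceptance, rate-limited ICMP, restricted service ports). "a stable intrusion prevention system" is vague; either name a candidate, as the sentence does for Snort, or drop "stable".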
@@ -716,6 +1133,16 @@ name "enu:https://nmap.org/book/man-port-s"
716 1133
 https://nmap.org/book/man-port-scanning-techniques.html
717 1134
 \end_layout
718 1135
 
1136
+\begin_layout Enumerate
1137
+\begin_inset CommandInset label
1138
+LatexCommand label
1139
+name "enu:https://en.wikipedia.org/wiki/St"
1140
+
1141
+\end_inset
1142
+
1143
+https://en.wikipedia.org/wiki/Stateful_firewall
1144
+\end_layout
1145
+
719 1146
 \begin_layout Section
720 1147
 Appendix
721 1148
 \end_layout
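Review bot: the reference entry is a bare URL with no title or access date, and the auto-generated label `enu:https://en.wikipedia.org/wiki/St` is a truncated copy of it; give the entry a title ("Stateful firewall", Wikipedia) and a date, and consider citing the iptables or conntrack documentation for the definition, since the report's rules are built on that implementation rather than on the encyclopedia article.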
@@ -1033,7 +1460,12 @@ $IPTABLES -A INPUT -p tcp --dport 8080 -m conntrack --ctstate NEW -j ACCEPT
1033 1460
 
1034 1461
 \begin_layout Plain Layout
1035 1462
 
1036
-$IPTABLES -A INPUT -j LOG $IPTABLES -A OUTPUT -j LOG
1463
+$IPTABLES -A INPUT -j LOG
1464
+\end_layout
1465
+
1466
+\begin_layout Plain Layout
1467
+
1468
+$IPTABLES -A OUTPUT -j LOG
1037 1469
 \end_layout
1038 1470
 
1039 1471
 \end_inset
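Review bot: the appendix listing now duplicates every snippet from the correctness section, which is how the one-line `$IPTABLES -A INPUT -j LOG $IPTABLES -A OUTPUT -j LOG` error crept in (as a single line it would be one iptables invocation with stray trailing arguments and fail); keep the script in one place, or copy the appendix verbatim from the script file that was actually run so the two cannot drift apart again.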

+0 -1035  lab2/group_64_report.lyx~
File diff suppressed because it is too large
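Review bot: removing the `group_64_report.lyx~` editor backup is right; add `*.lyx~` to a `.gitignore` so LyX backups are not committed again.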


BIN  lab2/group_64_report.pdf

