Difference between revisions of "Firewall"

From Hackepedia
(ethereal -> wireshark)
 
(15 intermediate revisions by 5 users not shown)

Latest revision as of 04:01, 9 December 2012

A firewall is the part of an operating system's networking stack, or a dedicated device, that enforces a policy on network traffic, permitting or denying each packet or connection according to a set of rules. Firewalls most commonly work on OSI layers 3 and 4 (addresses, protocols and ports), although any layer except 1 is possible. Commercial firewalls often also inspect higher layers, for example SMTP content (RFC 2821 and 2822). A firewall cannot inspect the payload of an encrypted protocol (see cryptography) unless it has been given the key material, or terminates the encrypted session itself and re-encrypts it towards the destination. A firewall can run either on the host it protects (a host firewall), or on a dedicated system that sits between the production systems and the rest of the Internet (a network firewall).

Our recommended process for installing a firewall is to start from a "default deny" stance. This means "block all in" and "block all out" by default: every packet is dropped unless a rule explicitly allows it. Once that has been established, add pass rules only as each service proves to need them.

For example, once everything is blocked by default, the first thing you will want to do is resolve DNS. Start a packet sniffer (tcpdump, wireshark, snoop) and watch the packets trying to leave and come in. In another window, run "host hackepedia.org". You will see that you need to allow port 53, but was that TCP or UDP? Ordinary DNS queries use UDP port 53; TCP port 53 is used for large (truncated) responses and zone transfers, so read the sniffer output rather than guessing. Do not allow just the port: include the protocol in the rule as well, and on a stateful firewall write the rule so that it keeps state, which lets the replies back in without a separate inbound rule. Once you have modified your ruleset so that "host hackepedia.org" actually resolves and returns an IP address, try to reach the site with your browser. You will see that you now need a TCP rule for outbound port 80. Repeat this process for each service, and eventually you will have a very decent firewall.

Of course, this is time consuming and error prone, especially for someone who is just starting. A better approach may be to find a ruleset or script online and modify it until it works and fits your specific requirements, but read every rule you take over: a rule you do not understand is a rule you cannot audit.

A common mistake we see is an implicit allow-all outbound. This is very beneficial to anyone who has just compromised your machine, since it lets them fetch tools, contact a command-and-control host and exfiltrate data unhindered. Allow only the required ports and protocols outbound, most commonly TCP 80 (web) and TCP 25 (SMTP), and block and log everything else outbound. If you find something isn't working, check the logs and add a rule for that application, if you approve of its usage. After a short settling-in period you will very rarely have to modify your outbound ruleset, as outbound traffic rarely changes.


Firewalls for UNIX

pf
A stateful firewall written by Daniel Hartmeier for OpenBSD. It has been ported to all the BSDs. pf has a nice logging mechanism (the pflog interface) whose output one can view with tcpdump. pf can synchronise its state table with another pf firewall (pfsync), so an established connection survives if its traffic path fails over to the other firewall. It has built-in NAT. Apple Mac OS X started using pf with Mountain Lion.
npf
A stateful firewall for NetBSD. According to its manpage, it is to be released with NetBSD 6.0.


ipfw
IP Firewall, available in FreeBSD and Apple Mac OS X. Much of the work was done by Luigi Rizzo. Stateful rules were introduced with the second version (ipfw2). NAT can be achieved by diverting packets through IPDIVERT sockets to a user-space program such as natd.
ipf
IP Filter, available in a number of UNIX-based operating systems. Written by Darren Reed. Stateful, has built-in NAT.
netfilter / iptables
The standard firewall software that comes with the Linux operating system. Stateful, has built-in NAT. Has a huge number of specialized match and target modules, ranging from statistical matching (for example, matching 30% of all TCP packets), to rate limiting of packet bursts, to raw content matching.
Checkpoint
Expensive commercial firewall that runs on Solaris. Written in Israel. Possibly the first stateful firewall; its stateful inspection technique is patented. Has NAT.
Cisco PIX
More expensive commercial hardware/software solution from Cisco. Runs on a dedicated appliance with its own proprietary, purpose-built operating system. Supports most (all?) major firewall features.

Home Firewall

Small boards and appliances such as Soekris, PC Engines ALIX and Lanner are pretty popular in geek circles. They are small, energy-efficient boxes with two or more Ethernet ports, so they can act as a firewall and router. They run both open source and proprietary operating systems.

Here is a picture of a Lanner firewall/router.

[Image: Lanner1.jpg]

You can also run a firewall on an ordinary PC or laptop, but it is not as dedicated as these: a general-purpose machine carries far more software, and therefore a larger attack surface, than a small appliance that does nothing else.

Firewalls for Windows

See Windows#Firewalls.