

Methods of Attack
It is necessary to understand the nature of potential attacks on computer security. Some methods of attack are:
Unauthorized access
Exploitation of known weaknesses in programs
Denial of service
Spoofing
Eavesdropping

IP firewalling is very useful in preventing or reducing unauthorized access, network layer denial of service and IP spoofing attacks.

What Is a Firewall?
A firewall is a secure and trusted machine that sits between a private network and a public network. The firewall machine is configured with a set of rules that determine which network traffic will be allowed to pass and which will be blocked or refused.

What Is a Firewall? cont

A set of programs residing on a "gateway server" that protect the resources of an internal network
A network device or a host that connects two or more networks
A device able to monitor each packet to determine whether to forward it toward its destination
A device able to evaluate packets with the objective of controlling, modifying and filtering network traffic


Firewall Network



Firewall Implementation
Hardware Firewall: dedicated hardware box (Cisco PIX, Netscreen, ISS Proventia)
Software Firewall: installable on a server ( )
Host OSs (Windows XP/Linux) also provide software firewall features to protect the host

These days Firewalls provide IDS/IPS (Intrusion Detection System/Intrusion Prevention System) services also.

Linux Security

LINUX Firewall
Use the GUI (Applications -> System Settings -> Security Level) to activate the firewall
Allow standard services and any specific port-based application
All other services and ports are blocked

Firewall classification
Stateful
Stateless
A nonstateful (stateless) firewall usually performs packet filtering based solely on the IP layer (layer 3) of the OSI model, though sometimes higher-layer protocols are involved in this type of firewall. An example of this type of device is a border router that sits at the edge of a network and implements one or more access lists to prevent various types of malicious traffic from entering the network.

Firewall classification
As opposed to a stateless firewall, a stateful firewall is one that keeps track of the packets previously seen within a given session and applies the access policy to packets based on what has already been seen for the given connection.


Types of firewalls
Packet filter
Application gateway
Circuit level gateway
Proxy server


Packet Filtering Firewalls

All Internet traffic travels in the form of packets. A packet is a quantity of data of limited size, kept small for easy handling. When larger amounts of continuous data must be sent, it is broken up into numbered packets for transmission and reassembled at the receiving end. All your file downloads, Web page retrievals, emails -- all these Internet communications always occur in packets.

A packet is basically a series of digital numbers, which conveys these things:
The data, acknowledgment, request or command from the originating system
The source IP address and port
The destination IP address and port
Information about the protocol (set of rules) by which the packet is to be handled
Error checking information
Usually, some sort of information about the type and status of the data being sent


Packet filtering cont

In packet filtering, only the protocol and the address information of each packet is examined. Its contents and context (its relation to other packets and to the intended application) are ignored. The firewall pays no attention to applications on the host or local network and it "knows" nothing about the sources of incoming data.

Packet Filtering Firewalls

Filtering consists of examining incoming or outgoing packets and allowing or disallowing their transmission or acceptance on the basis of a set of configurable rules, called policies. Packet filtering policies may be based upon any of the following:
Allowing or disallowing packets on the basis of the source IP address
Allowing or disallowing packets on the basis of their destination port
Allowing or disallowing packets according to protocol
This is the original and most basic type of firewall.

Packet filtering
Disadvantages:
Address information in a packet can potentially be falsified or "spoofed" by the sender.
The data or requests contained in allowed packets may ultimately cause unwanted things to happen, as where a hacker may exploit a known bug in a targeted Web server program to make it do his bidding, or use an ill-gotten password to gain control or access.
Advantage:
Packet filtering is relatively simple and easy to implement.

Firewall placement in TCP/IP Reference Model


Packet filtering cont

The firewall independently filters what comes in and what goes out through the interface. The input filtering and the output filtering can, and likely do, have completely different rules. When speaking of a Linux firewall, the lists of rules defining what can come in and what can go out are called chains. The I/O pair is the list of rules on the input chain and the list of rules on the output chain. The lists are called chains because a packet is matched against each rule in the list, one by one, until a match is found or the list is exhausted.

Choosing a default packet filtering policy

Deny everything by default, and explicitly allow selected packets through
Accept everything by default, and explicitly deny selected packets from passing through
Without question, deny everything by default is the recommended approach.


The deny-everything-by-default policy


The accept-everything-by-default policy


Application Level Gateway (ALG) or Application Layer Gateway

The Application Level Gateway acts as a proxy for applications, performing all data exchanges with the remote system on their behalf.
It applies security mechanisms to specific applications, such as FTP and Telnet servers.
This is very effective, but can impose a performance degradation.

ALG Cont
It can allow or disallow traffic according to very specific rules, for instance permitting some commands to a server but not others, limiting file access to certain types, varying rules according to authenticated users, and so forth. This type of firewall may also perform very detailed logging of traffic and monitoring of events on the host system, and can often be instructed to sound alarms or notify an operator under defined conditions. Application-level gateways are generally regarded as the most secure type of firewall. They certainly have the most sophisticated capabilities. A disadvantage is that setup may be very complex, requiring detailed attention to the individual applications that use the gateway. An application gateway is normally implemented on a separate computer on the network whose primary function is to provide proxy service.

Also called a "Circuit Level Gateway," this is a firewall approach that validates connections before allowing data to be exchanged. What this means is that the firewall doesn't simply allow or disallow packets but also determines whether the connection between both ends is valid according to configurable rules, then opens a session and permits traffic only from the allowed source and possibly only for a limited period of time. Whether a connection is valid may, for example, be based upon:
destination IP address and/or port
source IP address and/or port
time of day
protocol
user
password
Every session of data exchange is validated and monitored, and all traffic is disallowed unless a session is open.

Proxy server
Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network address.


What is a Proxy server?

A proxy is a firewall that acts as a middleman. When one device requests a network service the request is forwarded to a proxy. The proxy will then make a request for the device, then relay the reply back.

Features of Proxies
A proxy may cache a copy of the information for future requests.
Proxies support user authentication.
Advanced logging can provide audit trails as to everything that is done on the network.


IP Masquerading
IP Masquerading: the internal source addresses are different, but the external interface to the world is the proxy server's address, something like 141.22.11. So the proxy server keeps a list of which internal address is expecting which packet from the external network and forwards it. This is IP masquerading.

A typical IP masquerade configuration (figure): a Linux masquerade router with ppp0 toward the Internet and eth0 toward the LAN. The original request from port 1234 leaves as a masqueraded request from port 1035; the original reply to port 1035 is demasqueraded and delivered to port 1234.

NAT & Masquerading

Network Address Translation (NAT) is fully implemented in iptables. Before this, NAT was called masquerading in Linux. A simple, partial implementation of Source Address Translation, masquerading was used by site owners who had a single public IP address and who wanted other hosts on their private network to be capable of accessing the Internet. Outgoing packets from these internal hosts had their source address masqueraded to that of the public, routable IP address.

Linux based proxies

Squid
TIS Firewall Toolkit (FWTK)
SOCKS
NOCAT


Why use a firewall?

Firewalls are generally set up for one of three reasons:
To keep people out of your network (viruses, crackers)
To keep people in your network (employees, children)
To share a public IP address

Firewall Facts

A firewall typically protects a smaller, secure network (such as a corporate LAN, or even just one host) from a larger network (such as the Internet). The firewall is installed at the point where the networks connect, and the firewall applies security policy rules to control traffic that flows in and out of the protected network.

A firewall is not always a single computer. For example, a firewall may consist of a pair of filtering routers and one or more proxy servers running on one or more bastion hosts, all connected to a small, dedicated LAN between the two routers. The external router blocks attacks that use IP to break security (IP address spoofing, source routing, packet fragments), while proxy servers block attacks that would exploit a vulnerability in a higher layer protocol or service. The internal router blocks traffic from leaving the protected network except through the proxy servers. The difficult part is defining criteria by which packets are denied passage through the firewall, because a firewall not only needs to keep intruders out, but usually also needs to let authorized users in and out.

Role of Linux in Firewall

The Linux kernel provides a range of built-in features that allow it to function quite nicely as an IP firewall.


Setting Up Linux for Firewalling

To build a Linux IP firewall, it is necessary to have a kernel built with IP firewall support and the appropriate configuration utility. In all production kernels prior to the 2.2 series, you would use the ipfwadm utility. The 2.2.x kernels marked the release of the third generation of IP firewall for Linux, called ipchains. Linux kernels 2.3.15 and later support the fourth generation of Linux IP firewall utility, called iptables.

The ipfwadm Utility

The ipfwadm (IP Firewall Administration) utility is the tool used to build the firewall rules for all kernels prior to 2.2.0. Its command syntax can be very confusing because it can do such a complicated range of things.


The ipchains Utility

Just as for the ipfwadm utility, the ipchains utility can be somewhat baffling to use at first. It provides all of the flexibility of ipfwadm with a simplified command syntax and additionally provides a chaining mechanism that allows you to manage multiple rulesets and link them together. ipchains is a stateless firewall.

The iptables Utility

The syntax of the iptables utility is quite similar to that of ipchains; the changes are improvements. An iptables firewall consists of several tables, each with a default policy and built-in chains of rules. Further rule chains can optionally be created in each table. Different tables and chains are traversed according to the source and destination of the packet. iptables is a stateful firewall.

Netfilter & iptables
Netfilter is a generalized framework of hooks in the network stack. Any kernel module can plug into one or more of these hooks and will receive each packet traversing that hook. Netfilter is the Linux kernel-space code that implements a firewall within the Linux kernel, either compiled directly into the kernel or included as a set of modules. iptables is the userland program used for administration of the Netfilter firewall.

What Is Netfilter?
netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. A registered callback function is then called back for every packet that traverses the respective hook within the network stack.


Software commonly associated with netfilter is iptables. Software inside this framework enables packet filtering, network address [and port] translation (NA[P]T) and other packet mangling. It is the redesigned and heavily improved successor of the previous Linux 2.2.x ipchains and Linux 2.0.x ipfwadm systems.


Main Features of Netfilter

stateless packet filtering (IPv4 and IPv6)
stateful packet filtering (IPv4 and IPv6)
all kinds of network address and port translation, e.g. NAT/NAPT (IPv4 only)
flexible and extensible infrastructure


What can I do with netfilter/iptables?

build internet firewalls based on stateless and stateful packet filtering
use NAT and masquerading for sharing internet access if you don't have enough public IP addresses
use NAT to implement transparent proxies


Linux IP Firewalling Chains, normally called ipchains, is free software to control the packet filter/firewall capabilities in the 2.2 series of Linux kernels. It superseded ipfwadm, but was replaced by iptables in the 2.4 series.


Packet Traversal Under ipfwadm and ipchains


All packets arriving on an interface were filtered against the input chain. If the packet was accepted, it was passed to the routing module. The routing function determined whether the packet was to be delivered locally or forwarded to another outgoing interface.


If forwarded, the packet was filtered a second time against the forward chain. If the packet was accepted, it was passed to the output chain. Both locally generated outgoing packets and forwarded packets were passed to the output chain. If the packet was accepted, it was sent out the interface.

Received and sent local (loopback) packets passed through two filters. Forwarded packets passed through three filters. The loopback path involved two chains: each loopback packet passed through the output filter before going "out" the loopback interface, where it was then delivered to the loopback's input interface. Then the input filter was applied.

IPFW loopback and masqueraded packet traversal


iptables is the user space command line program used to configure the Linux 2.4.x and 2.6.x packet filter. iptables can be used for:
listing the contents of the packet filter ruleset
adding/removing/modifying rules in the packet filter ruleset


Netfilter Packet Traversal

Under Netfilter (iptables), built-in INPUT, OUTPUT, and FORWARD filter chains are used. Incoming packets pass through the routing function, which determines whether to deliver the packet to the local host's INPUT chain or on to the FORWARD chain.


Iptable packet traversal


If a locally destined packet is accepted by the INPUT chain's rules, the packet is delivered locally. If a remotely destined packet is accepted by the FORWARD chain's rules, the packet is sent out the appropriate interface. Outgoing packets from local processes are passed to the OUTPUT chain's rules. If the packet is accepted, it is sent out the appropriate interface. Thus, each packet is filtered once (except for loopback packets, which are filtered twice).


Three tables:
filter
nat
mangle


The filter table is the default table. It contains the actual firewall filtering rules. The built-in chains include these:
INPUT
OUTPUT
FORWARD


The nat table contains the rules for Source and Destination Address and Port Translation. These rules are functionally distinct from the firewall filter rules. The built-in chains include these:
PREROUTING
OUTPUT
POSTROUTING

The mangle table contains rules for setting specialized packet-routing flags. These flags are then inspected later by rules in the filter table. The built-in chains include these:
PREROUTING (routed packets)
INPUT (packets arriving at the firewall, after the PREROUTING chain)
FORWARD (changes packets being routed through the firewall)
POSTROUTING (changes packets just before they leave the firewall, after the OUTPUT chain)
OUTPUT (locally generated packets)

Syntax of iptables command

The general syntax of most iptables command is:
iptables [-t <table-name>] <command> <chain-name> <parameter-1> <option-1> <parameter-n> <option-n>


Conventions Representing Command-Line Syntax Options






Chain Commands on Individual Rules


filter Table Rule Operations


To disallow TCP connections from an internal host use (the host address is missing from the slide; <internal-host> stands in for it):
iptables -A INPUT -p tcp -s <internal-host> --syn -j DROP
Note: --syn matches packets with the SYN flag set, i.e. initial connection requests.

Examples of Iptables
To create a simple personal firewall that blocks all incoming ICMP traffic, you issue the following command:
iptables -A INPUT -p icmp -s 0/0 -d 0/0 -j DROP
To block ICMP traffic from only one network, you issue this command (the network address is missing from the slide; <network>/<mask> stands in for it):
iptables -A INPUT -p icmp -s <network>/<mask> -d 0/0 -j DROP
Let's add the rule to allow incoming tcp connections on 22:
# iptables -I INPUT -p tcp --dport 22 -j ACCEPT

The following FORWARD rules reset the chain, default to DROP, refuse new connections coming from port 80 toward the internal network, and allow internal hosts to reach web servers and receive the replies (the internal network address is missing from the slide; <internal-net>/<mask> stands in for it):
# iptables -F FORWARD
# iptables -P FORWARD DROP
# iptables -A FORWARD -m tcp -p tcp -s 0/0 --sport 80 -d <internal-net>/<mask> --syn -j DROP
# iptables -A FORWARD -m tcp -p tcp -s <internal-net>/<mask> -d 0/0 --dport 80 -j ACCEPT
# iptables -A FORWARD -m tcp -p tcp -d <internal-net>/<mask> -s 0/0 --sport 80 -j ACCEPT
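The deny-everything-by-default policy and the stateful filtering described earlier, together with the slide examples, as one complete ruleset for a Linux router; this is an added example, not code from the slides. It assumes eth0 on the public side, eth1 on the private side and the constructed range 192.168.1.0/24, and without --apply it only prints the commands it would run.

```shell
#!/bin/sh
# Default-deny, stateful iptables ruleset for a Linux firewall/router.
# Added example, not from the slides. Assumed (constructed) values: eth0 is
# the public side, eth1 the private side, 192.168.1.0/24 the private range.
# Without --apply the commands are only printed (IPT=echo) for review;
# with --apply they are loaded through the real iptables binary (as root).

WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
IPT="${IPT:-echo}"   # dry run by default

# Flush everything and make DROP the default policy of all three filter
# chains: anything not explicitly accepted below is refused.
reset_policy() {
  $IPT -F
  $IPT -X
  $IPT -t nat -F
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -P OUTPUT DROP
}

# Traffic addressed to the firewall host itself (INPUT/OUTPUT chains).
host_rules() {
  $IPT -A INPUT -i lo -j ACCEPT
  # Stateful part: replies to connections the firewall opened come back in.
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Anti-spoofing: our private range must never arrive on the public side.
  $IPT -A INPUT -i "$WAN" -s "$LAN_NET" -j DROP
  # The slides' port-22 rule, narrowed to new connections from the LAN only.
  $IPT -A INPUT -i "$LAN" -p tcp --dport 22 --syn -j ACCEPT
  # The slides' ICMP example, narrowed to the public interface.
  $IPT -A INPUT -i "$WAN" -p icmp -j DROP
  $IPT -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Traffic routed through the firewall between LAN and Internet (FORWARD).
forward_rules() {
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP
  # LAN hosts may open web connections outward. Matching --syn means only
  # the initial request matches; unsolicited inbound SYNs never do, and the
  # replies are admitted by the ESTABLISHED rule above instead.
  $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p tcp --dport 80 --syn -j ACCEPT
  $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p tcp --dport 443 --syn -j ACCEPT
  # Masquerading: rewrite LAN sources to the single public address on eth0.
  $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

build_ruleset() {
  reset_policy
  host_rules
  forward_rules
}

# Dry-run helper: how many generated rules jump to the given target.
count_target() {
  build_ruleset | grep -c -- "-j $1"
}

if [ "${1:-}" = "--apply" ]; then
  IPT=iptables
fi
build_ruleset
```

Review the printed rules first; a wrong default policy on OUTPUT or a missing ESTABLISHED rule locks you out of a remote host.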


Perimeter Defense and Firewall

(Figure: Internet -> outer firewall router -> DMZ containing DNS server, mail server and web server -> inner firewall router -> internal host Intra1 (XP).)

Intrusion Prevention System (IPS) combining Firewall with IDS

(Figure: the same DMZ topology, with an IPS at the outer firewall and at the inner firewall, plus a honeypot and an IDS in the DMZ.)



Unchecked Paths and Perimeter Defense

(Figure: the same DMZ topology as above, with outer and inner IPS, honeypot and IDS.)



DeMilitarized Zone (DMZ): a portion of a network that separates a purely internal network from an external network.
Guard (Firewall): a host that mediates access to a network, allowing or disallowing certain types of access on the basis of a configured policy.


Linux Booting Procedure

B. Sathis Kumar Senior Lecturer CSE Department


How does a computer start up?

Booting is a bootstrapping process that starts the operating system when the user turns on a computer system. A boot sequence is the set of operations the computer performs when it is switched on that load an operating system.


Booting sequence
1. Turn on
2. CPU jumps to the address of the BIOS (0xFFFF0)
3. BIOS runs POST (Power-On Self Test)
4. Find bootable devices
5. Load and execute the boot sector from the MBR
6. Load the OS


BIOS (Basic Input/Output System)

BIOS refers to the software code run by a computer when first powered on. The BIOS is program code embedded on a chip that recognizes and controls the various devices that make up the computer.

BIOS on board

BIOS on screen

The Basic Input/Output System (BIOS) typically resides in ROM on the motherboard and is the first program run when a system is powered on.
When you turn on your computer and the microprocessor tries to execute its first instruction, it has to get that instruction from somewhere. It cannot get it from the operating system because the operating system is located on a hard disk, and the microprocessor cannot get to it without some instructions that tell it how. The BIOS provides those instructions. Some of the other common tasks that the BIOS performs include:


This is its usual sequence:

Check the CMOS Setup for custom settings
Load the interrupt handlers and device drivers
Initialize registers and power management
Perform the power-on self-test (POST)
Display system settings
Determine which devices are bootable
Initiate the bootstrap sequence


This ROM chip is usually an EEPROM (Electrically Erasable Programmable ROM, also known as Flash ROM), which allows it to be electrically erased and reprogrammed, as when you upgrade or "flash" your BIOS.


It is responsible for testing hardware devices using a process called Power-On Self Test (POST). The BIOS also loads the operating system from various media, including hard disks, floppy disks, and usually CD-ROMs. Your BIOS will usually provide you with a way to tell it about the different hardware that is attached. These settings are stored in the CMOS (Complementary Metal Oxide Semiconductor), which uses a battery to maintain its contents (the date, time, and system setup parameters).


BIOS Interaction
The Power On Self Test (POST): During the POST, a computer will test its memory and verify that it has all the necessary hardware, such as a keyboard and a mouse. This information is used by the BIOS to control all aspects of the boot process.

If it does not find the proper files on a device, the startup process will halt. If you have ever left a disk in the drive when you restarted your computer, you have probably seen this message.


Major BIOS manufacturers

American Megatrends Inc. (AMI)
Phoenix Technologies
ALi
Winbond


A boot loader, also called a boot manager, is a small program that places the operating system (OS) of a computer into memory. When a computer is powered up or restarted, the basic input/output system (BIOS) performs some initial tests, and then transfers control to the Master Boot Record (MBR) where the boot loader resides. The boot loader could be more aptly called the kernel loader. The task at this stage is to load the Linux kernel.

Boot loader
For Linux, the two most common boot loaders are known as LILO (LInux LOader) and LOADLIN (LOAD LINux). An alternative boot loader, called GRUB (GRand Unified Bootloader), is used with Red Hat Linux. LILO is the most popular boot loader among computer users that employ Linux as the main, or only, operating system. The primary advantage of LILO is the fact that it allows for fast boot-up. LOADLIN is preferred by some users whose computers have multiple operating systems, and who spend relatively little time in Linux. LOADLIN is sometimes used as a backup boot loader for Linux in case LILO fails. GRUB is preferred by many users of Red Hat Linux, because it is the default boot loader for that distribution.

Other boot loader (Several OS)

bootman
GRUB
LILO
NTLDR
XOSL
BootX
loadlin
Gujin
Boot Camp
Syslinux
GAG

Detailed Steps of the Boot Process

The first step of the boot process is the POST. This is actually something that every computer will do, regardless of its operating system. After the computer completes the POST, it will allow for other adapter cards to run their own POSTs, such as a SCSI card that is equipped with its own BIOS, for example. After the POST routine is complete, the computer will locate a boot device and load the Master Boot Record (MBR) into memory, which in turn locates the active partition and loads it into memory.

MBR (Master Boot Record)

The OS is booted from a hard disk, where the Master Boot Record (MBR) contains the primary boot loader.
The MBR is a 512-byte sector, located in the first sector on the disk (sector 1 of cylinder 0, head 0).
After the MBR is loaded into RAM, the BIOS yields control to it.


MBR (Master Boot Record)

The first 446 bytes are the primary boot loader, which contains both executable code and error message text.
The next sixty-four bytes are the partition table, which contains a record for each of four partitions.
The MBR ends with two bytes that are defined as the magic number (0xAA55). The magic number serves as a validation check of the MBR.
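The three MBR regions just listed can be checked with a short script; this is an added example, not code from the slides. It builds a constructed sample 512-byte MBR image in a temp file (one active Linux partition) so it runs offline; set MBR_IMG to a disk image, or as root to the disk device, to inspect a real sector and confirm the magic number and partition table are what you expect.

```shell
#!/bin/sh
# Parse the MBR layout described above: 446 bytes of boot code, four 16-byte
# partition entries at offset 446, and the magic number 0xAA55 at offset 510.
# Added example, not from the slides; the sample image below is constructed.

# Unsigned little-endian 32-bit value at byte offset $2 of file $1.
le32() {
  od -An -tu1 -j "$2" -N 4 "$1" |
    awk '{ print $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 }'
}

# One unsigned byte at offset $2 of file $1, in decimal.
byte_at() {
  od -An -tu1 -j "$2" -N 1 "$1" | tr -d ' '
}

# The sector ends with bytes 55 AA, i.e. 0xAA55 read little-endian; prints
# the hex value so a valid MBR yields "aa55".
mbr_magic() {
  od -An -tx1 -j 510 -N 2 "$1" | awk '{ print $2 $1 }'
}

# Succeeds only if the magic number validates the sector, as the BIOS checks.
mbr_valid() {
  [ "$(mbr_magic "$1")" = "aa55" ]
}

# One line per partition entry: index, active flag, type, start LBA, sectors.
# Entry n begins at 446 + 16n: byte 0 is the boot flag (0x80 = active),
# byte 4 the type, bytes 8..11 the start LBA, bytes 12..15 the size.
partition_table() {
  n=0
  while [ "$n" -lt 4 ]; do
    off=$((446 + 16 * n))
    flag=-
    [ "$(byte_at "$1" "$off")" -eq 128 ] && flag=active
    printf '%d %s %d %d %d\n' "$n" "$flag" \
      "$(byte_at "$1" $((off + 4)))" \
      "$(le32 "$1" $((off + 8)))" "$(le32 "$1" $((off + 12)))"
    n=$((n + 1))
  done
}

# Constructed sample: zeroed boot code, entry 0 = active Linux partition
# (type 0x83) starting at LBA 2048 with 204800 sectors, then 55 AA.
make_sample_mbr() {
  dd if=/dev/zero of="$1" bs=512 count=1 2>/dev/null
  # 80 00 00 00 83 00 00 00 | 00 08 00 00 | 00 20 03 00  (octal escapes)
  printf '\200\0\0\0\203\0\0\0\0\010\0\0\0\040\003\0' |
    dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null
  printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Inspect MBR_IMG if given (a disk image or device), otherwise the sample.
if [ -z "${MBR_IMG:-}" ]; then
  MBR_IMG=$(mktemp)
  make_sample_mbr "$MBR_IMG"
fi
if mbr_valid "$MBR_IMG"; then
  echo "magic 0x$(mbr_magic "$MBR_IMG"): valid MBR"
else
  echo "magic 0x$(mbr_magic "$MBR_IMG"): not a valid MBR"
fi
partition_table "$MBR_IMG"
```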

Depending on the boot loader, additional files may be stored and read from a partition on the hard drive. After this step the boot loader begins to start the operating system, and is not used again until the next boot.


The kernel is the central part of most computer operating systems because of its task, which is the management of the system's resources and the communication between hardware and software components. The kernel always stays in memory until the computer is turned off.

At this point, the BIOS has selected the boot device and its boot sector has been loaded. The boot manager now loads the kernel image and possibly an initial RAM disk image. Once loaded into RAM, the kernel is executed and the setup code runs. The kernel must initialize any devices the system has. Even devices that have been initialized by the BIOS must be reinitialized. This provides portability and robustness by ensuring that each system has been initialized in a similar fashion, independent of the BIOS.


The setup code now loads the compressed kernel and calls the decompress_kernel() function. It is at this point that you will see the "Uncompressing Linux..." message printed on the screen. The decompressed kernel now takes over and begins to set up the execution environment for the first Linux process. The kernel will now begin printing a large number of messages on the screen as it initializes the scheduler, irqs, console, hardware, etc. The kernel_thread() function is called next to start init.

Task of kernel
Process management
Memory management
Device management
System calls


Init process
After the kernel is loaded and the system can talk to its peripherals, the initialization begins. The first thing the kernel does is execute the init program. Init is the root/parent of all processes executing on Linux. The /etc/inittab file tells the system what to start up; the first is usually rc.sysinit.
Upon shutdown, init controls the sequence and processes for shutdown.


Starts logging
Sets the hostname
Prepares the network for startup
Checks the clock
Sets up the host computer hardware
Sets up and mounts the filesystem


A runlevel is a software configuration of the system which allows only a selected group of processes to exist. The processes spawned by init for each of these runlevels are defined in the /etc/inittab file. Init can be in one of eight runlevels: 0-6.


Linux bootup
Depending on the run level that the system is to run to, different rc files will be executed.
Run level 0 is shutdown
Run level 1 is single user
Run level 2 is multiuser, no NFS
Run level 3 is ready to use full multiuser
Run level 4 is unused at present
Run level 5 is GUI
Run level 6 is reboot


How does Linux boot?