
Network Security

Assignment: Iptables Firewall

Student Name: --------- Student No: ------------------

TABLE OF CONTENTS

Executive Summary
Firewall design
1. What is a firewall
2. Requirements of the firewall
3. Implementation of the firewall
Testing of the firewall
1. ICMP Test
2. HTTP Test
3. VSFTP Test
4. SSH Test
Attacks
1. Ping flooding
2. SYN flood
3. Port scan using nmap
4. Port scan using SYN set
Conclusion
References

EXECUTIVE SUMMARY

The purpose of this report is to build a firewall and demonstrate its use in mitigating attacks on a computer network. Network security is a priority of every network. The most common solutions used for network security are antivirus software and firewalls. Firewalls are good tools for building a security-based network. One of the open source firewalls is iptables. Iptables is freely available with standard Linux distributions and helps system administrators configure the netfilter tables, chains and rules to make a secure, access-based network.

Here I have made use of VMware Workstation with Red Hat Linux to build my network environment. I have tried to secure the network by using an iptables-based firewall. In the latter part I have verified that it works. At the end I have launched some major attacks to demonstrate that this firewall is able to protect the network from them while still providing access to the major services that were the basic requirements for this network.

NETWORK DESIGN


To simulate the network I have used three Red Hat hosts and one host machine, which is the remote machine and can be considered the external machine. There are three separate networks: 100.100.100.0/24, 192.168.1.0/24 and 192.168.2.0/24. Network 100.100.100.0/24 is used as the outer network and is connected to the host machine. 192.168.2.0/24 is the company's internal network, and network 192.168.1.0/24 is used for placing a server that runs some basic services such as HTTP, SSH and VSFTP, which are the requirements of this company's network. The firewall runs on the gateway host to provide security to the internal network. Routing on the Red Hat Linux gateway can be enabled with the following command.

echo 1 > /proc/sys/net/ipv4/ip_forward

FIREWALL DESIGN

What is a firewall?

Definition: A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria. (Wikipedia, n.d.)

Requirements of the firewall

To secure the network, the firewall must fulfil these requirements of the security policy.

The server provides HTTP, SSH and TFTP services to the external and internal networks.

The internal networks can request any kind of service provided by the external network.

Internal network devices are allowed to ping the external network.

Pings from the external network to the internal networks are blocked; only ping replies from outside are allowed in.

Internal and external hosts are allowed to access their gateway.

Ping flooding and SYN flooding are blocked from all networks.

The internal networks can access each other without any restriction.

Network scanning is not permitted.

Legitimate hosts in the external network can log in to the gateway using SSH.

Implementation of the firewall

At the beginning we shall delete all the default rules in iptables and flush all the entries from the table. I have created a script for this process.

Flush.sh

echo "Flushing the Firewall"
iptables -F
iptables -X    # also delete user-defined chains, so the chains created later can be re-created on a re-run
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

The above commands flush the rules and set the default policy of every chain to DROP, except the OUTPUT chain, whose default policy is ACCEPT.

The next step is to stop pings from the outside network to the inside network, and at the same time to set the rules so that they deny a possible ping flooding attack. This is done by creating the icmp_p chain, which drops ICMP echo requests from outside and limits the rate of echo requests allowed from the internal network to the internal server (10 per minute in the rule below). The rules applied are as follows:

echo " icmp rules "
iptables -N icmp_p
iptables -A icmp_p -s 100.100.100.0/24 -d 192.168.0.0/16 -p icmp --icmp-type 8 -j DROP
iptables -A icmp_p -p icmp --icmp-type 8 -m limit --limit 10/minute -j ACCEPT
iptables -A icmp_p -p icmp --icmp-type 8 -j DROP
iptables -A icmp_p -p icmp -j ACCEPT

In a similar manner, the bad_tcp chain is entered whenever the server receives a TCP packet. At most 5 SYN packets per minute are accepted; the rest are logged and dropped.

echo "Bad tcp chain,used to stop syn attack"

iptables -N bad_tcp

iptables -A bad_tcp -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset

iptables -A bad_tcp -p tcp --syn -m limit --limit 5/min -j ACCEPT

iptables -A bad_tcp -p tcp --syn -m state --state NEW -j LOG --log-prefix "Stealth_Attack_Syn"

iptables -A bad_tcp -p tcp --syn -m state --state NEW -j DROP


The chain below is the allowed chain, which contains the rules for all permitted TCP packets.

echo "Allowed Chain"
iptables -N allowed
iptables -A allowed -p TCP --syn -j ACCEPT
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p TCP -j DROP

The tcp_p chain lists the services that can be reached from the internal and the external network. Additional services can easily be added to this structure. Here TCP port 22 (SSH) and port 80 (HTTP) are allowed.

echo "TCP Chain"
iptables -N tcp_p
iptables -A tcp_p -p TCP --dport 22 -j allowed
iptables -A tcp_p -p TCP --dport 80 -j allowed

Similarly, the udp_p chain controls the UDP services that we implement on the servers. Here UDP port 69 (TFTP) is allowed.

echo "UDP chain"
iptables -N udp_p
iptables -A udp_p -p UDP --destination-port 69 -j ACCEPT

The rules below are applied to the INPUT chain.

echo "Input Chain"
iptables -A INPUT -p icmp -j icmp_p
iptables -A INPUT -p tcp -j bad_tcp
iptables -A INPUT -d 192.168.0.0/16 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -j tcp_p
iptables -A INPUT -p udp -j udp_p
iptables -A INPUT -j DROP

This allows all packets to the 192.168.0.0/16 subnet whose connection state is ESTABLISHED or RELATED. Packets that match none of the service chains are dropped.

echo "Forward Chain"
iptables -A FORWARD -p icmp -j icmp_p
iptables -A FORWARD -p tcp -j bad_tcp
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -j tcp_p
iptables -A FORWARD -p udp -j udp_p
iptables -A FORWARD -j DROP

The rules below are applied to the OUTPUT chain.

echo "Output Chain"
iptables -A OUTPUT -p tcp -j bad_tcp
iptables -A OUTPUT -j ACCEPT

More services can be added to the tcp and udp chains as required, so scalability is taken care of.
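The rules above are spread over several chains and the network design section enables forwarding separately. The script below, added here as an example and not the report's own script, gathers all of it into one file. It keeps the report's chain names, addresses and rates, and makes three changes a practitioner would want: iptables -X runs before the chains are created so the script can be re-run; the SYN limit in bad_tcp is applied per source address with the hashlimit match and ends in RETURN rather than ACCEPT, because an ACCEPT at that point admits a within-limit SYN to any port before tcp_p is ever consulted; and internal hosts may initiate connections through FORWARD, as the requirements call for. Unless APPLY=1 is set the script only prints the commands, so the rule order can be reviewed on any machine. The FTP port and the per-source SYN budget are assumptions.

```shell
#!/bin/sh
# Added example (not the report's script): the report's chains in one file with a dry run.
# Set APPLY=1 and run as root on the gateway to load the rules; otherwise they are printed.

EXTERNAL_NET="100.100.100.0/24"   # outer network, connected to the host machine
INTERNAL_NETS="192.168.0.0/16"    # covers 192.168.1.0/24 (server) and 192.168.2.0/24 (clients)
PING_LIMIT="10/minute"            # echo requests accepted before the excess is dropped (report's rate)
SYN_LIMIT="5/minute"              # new connections per source before the excess is dropped (assumed)

if [ "${APPLY:-0}" = 1 ]; then
    IPT="iptables"
else
    IPT="echo iptables"           # dry run: print each command instead of executing it
fi

enable_forwarding() {
    if [ "${APPLY:-0}" = 1 ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    else
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    fi
}

flush_rules() {
    $IPT -F
    $IPT -X                       # delete user chains too, so -N below works on a re-run
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

icmp_chain() {
    $IPT -N icmp_p
    # echo requests from the external network never reach the internal networks
    $IPT -A icmp_p -s "$EXTERNAL_NET" -d "$INTERNAL_NETS" -p icmp --icmp-type 8 -j DROP
    # the remaining echo requests are rate limited and the excess is dropped
    $IPT -A icmp_p -p icmp --icmp-type 8 -m limit --limit "$PING_LIMIT" -j ACCEPT
    $IPT -A icmp_p -p icmp --icmp-type 8 -j DROP
    $IPT -A icmp_p -p icmp -j ACCEPT   # echo replies and ICMP errors for our own traffic
}

bad_tcp_chain() {
    $IPT -N bad_tcp
    # an unsolicited SYN+ACK (no matching connection) is answered with a reset
    $IPT -A bad_tcp -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
    # SYNs within the per-source budget RETURN to the calling chain so that tcp_p still
    # decides the port; an ACCEPT here (as in the report) would admit them to any port
    $IPT -A bad_tcp -p tcp --syn -m hashlimit --hashlimit-upto "$SYN_LIMIT" --hashlimit-burst 5 \
        --hashlimit-mode srcip --hashlimit-name syn_per_src -j RETURN
    $IPT -A bad_tcp -p tcp --syn -m state --state NEW -j LOG --log-prefix "Stealth_Attack_Syn"
    $IPT -A bad_tcp -p tcp --syn -m state --state NEW -j DROP
}

service_chains() {
    $IPT -N allowed
    $IPT -A allowed -p tcp --syn -j ACCEPT
    $IPT -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A allowed -p tcp -j DROP

    $IPT -N tcp_p
    $IPT -A tcp_p -p tcp --dport 22 -j allowed   # SSH
    $IPT -A tcp_p -p tcp --dport 80 -j allowed   # HTTP
    # FTP control for the vsftp test (assumed port); data channels only match RELATED
    # when the ftp conntrack helper (ip_conntrack_ftp / nf_conntrack_ftp) is loaded
    $IPT -A tcp_p -p tcp --dport 21 -j allowed

    $IPT -N udp_p
    $IPT -A udp_p -p udp --dport 69 -j ACCEPT    # TFTP, the UDP port the report's text names
}

builtin_chains() {
    $IPT -A INPUT -p icmp -j icmp_p
    $IPT -A INPUT -p tcp -j bad_tcp
    # replies to the gateway's own connections on any interface (report: -d 192.168.0.0/16 only)
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp -j tcp_p
    $IPT -A INPUT -p udp -j udp_p
    $IPT -A INPUT -j DROP

    $IPT -A FORWARD -p icmp -j icmp_p
    $IPT -A FORWARD -p tcp -j bad_tcp
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -s "$INTERNAL_NETS" -j ACCEPT   # internal hosts reach each other and any external service
    $IPT -A FORWARD -p tcp -j tcp_p                 # external -> internal: published services only
    $IPT -A FORWARD -p udp -j udp_p
    $IPT -A FORWARD -j DROP

    $IPT -A OUTPUT -p tcp -j bad_tcp
    $IPT -A OUTPUT -j ACCEPT
}

# Order matters: a chain must exist before any rule jumps to it.
build_firewall() {
    enable_forwarding
    flush_rules
    icmp_chain
    bad_tcp_chain
    service_chains
    builtin_chains
}

build_firewall
```

Run it once without APPLY to read the generated command list top to bottom; the printed order is exactly the order the rules are loaded in, which is what determines whether a packet meets the rate limit, the state rule or the port rule first.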

TESTING OF THE FIREWALL

ICMP TEST

ICMP traffic should only be allowed from the internal network, so external hosts cannot send ICMP packets to the server. This is shown below, when the attacker (100.100.100.5) pings the server (192.168.1.2): there is no response from the server because the packets are dropped.

HTTP TEST

For testing purposes, the HTTP service is opened on a server. The following command starts the HTTP service.

service httpd start

And start the thttpd service. The figure below shows the whole process.

VSFTP TEST

Here there is an FTP service called vsftp. First you need to create a directory to hold the files retrieved from and sent to the FTP server. The directory is /home/ftp. The figure below shows that the vsftp service has been started on the internal server with the help of the vsftp command. The command get nana.txt shown below is used to get a file named nana.txt from 192.168.1.2.

9

Page 10: IPTable Firewall

SSH TEST

To start the SSH server, run

service sshd start

The SSH service is started on the internal as well as the external server.

ATTACKS

PING FLOODING

A ping flood is a simple denial-of-service attack where the attacker overwhelms the victim with ICMP Echo Request (ping) packets. It only succeeds if the attacker has more bandwidth than the victim. (Wikipedia, n.d.) Ping flooding can be harmful for the network because the requests may carry large ICMP payloads, which can consume all the processing capacity of the GATEWAY or SERVER and make it unavailable to legitimate users.

There are two variants of the ping flood attack that I have incorporated.

Type 1

I shall create a ping flood attack from the internal machine (192.168.2.1) to the server (192.168.1.2). For this purpose I shall use the following command.

ping -f 192.168.1.2

The figure below shows the attack carried out on the machine before and after implementing the firewall. In the first part, once the attack is carried out it shows 0% packet loss; after the firewall is applied and the attack is repeated it shows 90% packet loss. This is proof that the firewall has been incorporated properly.

Type 2

We can launch ping flooding using the hping command as well. With hping you can add an extra payload to the ping and set any flags of your choice to make it worse, for example -i u1000 to send one ping every 1000 microseconds.

hping 192.168.1.2 -i u1000

To mitigate this kind of attack I will allow only one ping request per second to a host. This way I can mitigate the possible ping flooding that can occur. If the number of ICMP requests is more than one per second, the gateway will simply discard the packet. The figure below shows the delay in response while the hping attack is running. In the figure it can be seen that when the server (192.168.1.2) is pinged normally, the last column (time) shows values like 0.4 or 0.3 milliseconds, but while the hping attack is carried out it shows a delayed time of 16.8 milliseconds (yellow marker).

SYN FLOOD

SYN flooding is a method that the user of a hostile client program can use to conduct a denial-of-service (DoS) attack on a computer server. The hostile client repeatedly sends SYN (synchronization) packets to every port on the server, using fake IP addresses. (Whatis.com)

The firewall drops any external request packets whose destination port is not 22 (SSH) or 80 (HTTP). For the internal network, the firewall uses the same mechanism as for preventing ping floods, which restricts request packets to once a minute. If the number of incoming packets is exceeded, the firewall drops the packets and logs them with the "Stealth_Attack_Syn" prefix. I use the command hping2 -S to launch the SYN flood attack, or the following command:

nmap -sT 192.168.1.2

The figure below shows the state of the firewall once this attack is carried out. Log entries with "Stealth_Attack_Syn" can be seen.

PORT SCANNING USING NMAP

Use nmap to scan the server IP address. It detects the ports that are exposed to the network and can also check whether the host is up. To secure the SERVER and internal network, the firewall has to close the unnecessary ports exposed to the outside. According to the result, we can see that only port 22 (SSH) and port 80 (HTTP) are exposed on the server; for the intranet host, no port is available to the external network.

nmap -sT 192.168.1.2

PORT SCANNING USING SYN SET

Since port scanning using nmap is disabled, there is one more way to port scan. An attacker can use SYN flooding as a tool to port scan. The commands below perform a port scan using packets with the SYN bit set, continuously incrementing the destination port.

hping -S 192.168.1.2 -p ++20 -I u1000

or

nmap -p "1-1024" 192.168.1.2

This sends a packet with the SYN bit set to each successive port of the server, and what comes back are replies only from the open ports on the server.

This can be denied by blocking SYN flooding to the server.
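The bad_tcp chain logs every SYN it drops with the Stealth_Attack_Syn prefix, and the same log makes a SYN port scan visible as many distinct destination ports from one source. The script below, an added example rather than part of the report, summarises those log entries per source address and flags sources whose dropped SYNs touched more ports than a threshold. The log lines it reads are constructed samples in the format the kernel LOG target writes to the system log; note that the prefix runs straight into IN= because the report's --log-prefix has no trailing space.

```shell
#!/bin/sh
# Added example (not the report's): summarise "Stealth_Attack_Syn" log entries per source.
# The sample log below is constructed; real entries come from /var/log/messages or dmesg.

LOG_PREFIX="Stealth_Attack_Syn"

# Print "source dropped_syns distinct_ports" for every source in the log, busiest first.
syn_log_summary() {
    grep -- "$LOG_PREFIX" "$1" | awk '
    {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {          # fields look like SRC=1.2.3.4 DPT=80
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src == "") next
        count[src]++
        if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
    }
    END { for (s in count) print s, count[s], ports[s] }' | sort -k2,2nr
}

# Print the sources whose dropped SYNs hit more than $2 distinct ports (scan-like pattern).
scan_suspects() {
    syn_log_summary "$1" | awk -v limit="$2" '$3 > limit { print $1 }'
}

# Constructed sample: one external host probing several ports, one internal host that
# merely exceeded its SYN budget on port 80, and an unrelated sshd line that must be ignored.
write_sample_log() {
    cat > "$1" <<'EOF'
Oct 23 14:02:11 gateway kernel: Stealth_Attack_SynIN=eth0 OUT=eth1 SRC=100.100.100.5 DST=192.168.1.2 LEN=40 TTL=64 PROTO=TCP SPT=2345 DPT=21 WINDOW=512 SYN URGP=0
Oct 23 14:02:11 gateway kernel: Stealth_Attack_SynIN=eth0 OUT=eth1 SRC=100.100.100.5 DST=192.168.1.2 LEN=40 TTL=64 PROTO=TCP SPT=2346 DPT=22 WINDOW=512 SYN URGP=0
Oct 23 14:02:11 gateway kernel: Stealth_Attack_SynIN=eth0 OUT=eth1 SRC=100.100.100.5 DST=192.168.1.2 LEN=40 TTL=64 PROTO=TCP SPT=2347 DPT=23 WINDOW=512 SYN URGP=0
Oct 23 14:02:11 gateway kernel: Stealth_Attack_SynIN=eth0 OUT=eth1 SRC=100.100.100.5 DST=192.168.1.2 LEN=40 TTL=64 PROTO=TCP SPT=2348 DPT=25 WINDOW=512 SYN URGP=0
Oct 23 14:02:12 gateway kernel: Stealth_Attack_SynIN=eth0 OUT=eth1 SRC=100.100.100.5 DST=192.168.1.2 LEN=40 TTL=64 PROTO=TCP SPT=2349 DPT=25 WINDOW=512 SYN URGP=0
Oct 23 14:02:12 gateway kernel: Stealth_Attack_SynIN=eth0 OUT=eth1 SRC=100.100.100.5 DST=192.168.1.2 LEN=40 TTL=64 PROTO=TCP SPT=2350 DPT=110 WINDOW=512 SYN URGP=0
Oct 23 14:02:12 gateway sshd[2141]: Accepted password for admin from 100.100.100.7 port 50122 ssh2
Oct 23 14:03:40 gateway kernel: Stealth_Attack_SynIN=eth2 OUT=eth1 SRC=192.168.2.1 DST=192.168.1.2 LEN=60 TTL=64 PROTO=TCP SPT=40011 DPT=80 WINDOW=5840 SYN URGP=0
Oct 23 14:03:41 gateway kernel: Stealth_Attack_SynIN=eth2 OUT=eth1 SRC=192.168.2.1 DST=192.168.1.2 LEN=60 TTL=64 PROTO=TCP SPT=40012 DPT=80 WINDOW=5840 SYN URGP=0
EOF
}

main() {
    f=$(mktemp)
    write_sample_log "$f"
    echo "source dropped_syns distinct_ports"
    syn_log_summary "$f"
    echo "scan-like sources (more than 3 ports): $(scan_suspects "$f" 3)"
    rm -f "$f"
}

main
```

Against a real log, point syn_log_summary at /var/log/messages; a source with a high count but one port is a burst that tripped the SYN budget, while a source with many distinct ports is the pattern the port-scan sections above describe.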

CONCLUSION

This assignment made my understanding of firewalls and iptables clearer. I tried to provide the three basic services to the network: SSH, HTTP and VSFTP. I also implemented some basic protection against ping floods, SYN floods and port scanning. This assignment also enlightened me on how various attacks can be launched across a network and how a firewall helps mitigate them. Firewalls are an important security appliance for today's networks, and even though many expert computer users can still manage to break through a firewall, it continues to be an important tool for mitigating attacks and keeping the network and its information safe from malicious attackers.

REFERENCES

Andreasson, O. (2006). Iptables Tutorial 1.2.2. Retrieved October 16, 2008, from http://iptables-tutorial.frozentux.net/iptables-tutorial.html

Harrison, P. (2007). Linux Firewalls Using iptables. Retrieved October 20, 2008, from http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables

cgisecurity.net (2007). Fingerprinting port 80 attacks: A look into web server and web application attack signatures, Part Two. Retrieved October 22, 2008, from http://www.cgisecurity.net/papers/fingerprinting-2.shtml

Russell, R. (2002). Linux 2.4 Packet Filtering HOWTO. Retrieved October 24, 2008, from http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html

Wikipedia. Retrieved October 23, 2008, from www.wikipedia.com