# Firewall
[TOC]
## What is firewall
### Definition
- An agent which **screens network traffic** in some way, blocking traffic it believes to be inappropriate, dangerous, or both.
- Acts as
  - A **protocol end point** and **relay**
    - **Implements a "safe" subset of the protocol**
    - Performs extensive protocol validity checks
    - Uses an implementation methodology designed to minimize the likelihood of bugs
    - Runs in an insulated, "safe" environment
  - A **packet filter**
    - **Examines each packet**
    - Passes the packet through to the other side unchanged
    - Drops the packet entirely, or handles the packet itself
- Firewalls typically base some of their decisions on IP source and destination addresses and port numbers
  :::spoiler
  - block packets from the Internet side that claim a source address of a system on the internal network
  - block TELNET or RLOGIN connections from the Internet to the internal network
  - block SMTP and FTP connections to the Internet from internal systems not authorized to send email or move files
  - act as an intermediate server in handling SMTP and HTTP connections in either direction
  - require the use of an access negotiation and encapsulation protocol such as SOCKS to gain access to the Internet or to the internal network
  :::
#### Transparency rule
- **Path MTU Discovery** / ICMP
  - Determines the maximum transmission unit (MTU) size on the network path between two IP hosts, usually with the goal of **avoiding IP fragmentation**.
  - A packet-filtering router acting as a firewall which ++permits outgoing IP packets with the Don't Fragment (DF) bit set++ MUST NOT block incoming ++ICMP Destination Unreachable / Fragmentation Needed errors++ sent in response to the outbound packets from reaching hosts inside the firewall.
- **Extended HELO (EHLO)** / SMTP
  - A command sent by an email server to identify itself when connecting to another email server to start the process of sending an email; it tells the receiving server that the sender supports ESMTP extensions.
  - The original SMTP protocol did not provide a mechanism for negotiating protocol extensions. The firewall therefore has to **scan the list of EHLO responses and only allow through the ones it understands**.
### Types of firewall

- Hardware firewall
  - Protects the entire network of the organization using it, but from external threats only.
- Software firewall
  - Provides host-based security, as the software is installed on each device connected to the network, thereby protecting the system from external as well as internal threats.
### Placement

- A firewall system can work on five layers of the OSI model, but most run at only four of them: the data-link, network, transport, and application layers.
### Threats
#### Network
- Worms
- Denial of Service (DoS)
- Trojan Horses
#### Internal
- Most attacks on the network originate from inside the system
- Cyberattacks
- Monitor the activities of every employee and guard the internal network by putting multiple layers of passwords in front of each server.
- Host systems should have limited access to the Internet; all unnecessary browsing should be blocked.
### DMZ - Demilitarized Zone
- Used by a majority of firewall systems to guard assets and resources.
- It behaves as a **buffer** between distinct segments of the network.
- DMZs are deployed to give external users access to resources without exposing the internal network.
#### Security Level
| Link to | Security Level |
| -------- | -------- |
| Internet | Lowest |
| DMZ | Medium |
| Remote organization | Medium |
| Internal network | Highest |
- Rules
| Access level | Allowed |
| -------- | -------- |
| High to Low | :heavy_check_mark: |
| Low to High | :x: |
| Equivalent | :x: |
- Traffic allowed to flow through the firewall automatically
  - Internal devices to the DMZ, the remote organization, and the Internet
  - DMZ to the remote organization and the Internet
- Any other kind of traffic flow is blocked
> If a hacker wants to hack the internal resources then it first has to hack the DMZ.
### Components of a Firewall System
#### Perimeter router
- Provides **a link to the public networking system.**
- Performs the routing of data packets according to an appropriate routing protocol, as well as packet filtering and address translation.
#### Firewall
- Provides **distinct levels of security** and **supervises traffic between each level**.
- Most firewalls sit near the router to provide security against external threats.
#### VPN
- Provides **secure remote access to the network**, connecting two WAN networks on the same platform while they are not physically connected.
- This consists of **encryption**, **authentication**, and **packet-reliability assurance**.
#### IDS - Intrusion-detection System
- Identifies, precludes, investigates, and resolves unauthorized attacks.
- Solutions
  - **Network-based**
    - Whenever an attack is spotted, it can access the firewall system and, after logging in, configure an efficient filter that restricts the unwanted traffic.
  - **Host-based**
    - Software that runs on a host device and spots threats against that device only.
### Points
- Every server having exposure to a public network such as the Internet will be placed in DMZ.
- Servers having crucial data will be equipped with host-based firewall software within them.
- If external sources such as remote organizations need to access a server placed in the internal network, use a VPN.
- For crucial internal sources, IDS should be used to monitor and deal with internal attacks.
## Operation
### `ufw` - Uncomplicated Firewall
- Front end for the Netfilter subsystem in the Linux kernel
- Enable
```bash=
sudo ufw enable
```
- Open a port
```bash=
sudo ufw allow 22
```
- Or, insert the rule at a specific position in the numbered rule list (here, position 1)
```bash=
sudo ufw insert 1 allow 22
```
- Close an opened port
```bash=
sudo ufw deny 22
```
- Remove a rule
```bash=
sudo ufw delete deny 22
```
- Allow access from specific hosts or networks to a port
```bash=
sudo ufw allow proto tcp from 192.168.0.0/24 to any port 22
```
> The source can be a single IP address or a subnet range
- Show the rules a command would produce without applying them
```bash=
sudo ufw --dry-run allow http
```
- See the firewall status
```bash=
sudo ufw status
```
- View the numbered format
```bash=
sudo ufw status numbered
```
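Rules in `ufw` are evaluated in order and the first matching rule wins, which is why the position given to `ufw insert` matters: a broad `deny 22` placed before the subnet-specific `allow ... port 22` silently swallows the exception. The script below is an added example, not part of this note or of `ufw` itself; it evaluates a constructed, simplified rule table (`<pos> <action> <proto> <from-cidr> <port>`, loosely modelled on `ufw status numbered` output) with first-match semantics and CIDR matching, so the effect of rule ordering can be checked offline. The rule tables and the default `deny` fallback are assumptions made for the example.

```shell
#!/bin/sh
# Added example: first-match evaluation of an ordered, ufw-style rule list.
# Not ufw's own code; the rule format is a constructed simplification.

# Constructed rule table, roughly equivalent to these ufw commands:
#   sudo ufw insert 1 allow proto tcp from 192.168.0.0/24 to any port 22
#   sudo ufw deny 22
#   sudo ufw allow http
RULES_SUBNET_FIRST='1 allow tcp 192.168.0.0/24 22
2 deny any 0.0.0.0/0 22
3 allow tcp 0.0.0.0/0 80'

# Same rules, but with the subnet exception appended after the broad deny,
# as happens when `ufw allow ...` is used instead of `ufw insert 1 allow ...`.
RULES_SUBNET_LAST='1 deny any 0.0.0.0/0 22
2 allow tcp 192.168.0.0/24 22
3 allow tcp 0.0.0.0/0 80'

# Convert a dotted-quad IPv4 address to a 32-bit integer.
# Runs in a subshell so changing IFS does not leak to the caller.
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_cidr ADDRESS NETWORK/LEN: succeed (exit 0) when ADDRESS lies inside the prefix.
# A bare address without "/LEN" is treated as a /32 host route.
in_cidr() {
    case $2 in
        */*) net=${2%/*}; len=${2#*/} ;;
        *)   net=$2;      len=32 ;;
    esac
    if [ "$len" -eq 0 ]; then
        return 0   # /0 matches every address; also avoids a 32-bit shift below
    fi
    mask=$(( (4294967295 << (32 - $len)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & $mask )) -eq $(( $(ip_to_int "$net") & $mask )) ]
}

# evaluate RULES PROTO SRC-IP DPORT: print the action of the first matching
# rule, or "deny" when nothing matches (assumed default incoming policy).
evaluate() {
    rules=$1
    proto=$2
    src=$3
    dport=$4
    while read -r pos action rproto rfrom rport; do
        if [ -z "$pos" ]; then continue; fi
        # "any" in the proto column matches both tcp and udp, like `ufw allow 22`
        if [ "$rproto" != any ] && [ "$rproto" != "$proto" ]; then continue; fi
        if [ "$rport" != "$dport" ]; then continue; fi
        if in_cidr "$src" "$rfrom"; then
            echo "$action"   # first match wins; later rules are never consulted
            return 0
        fi
    done <<EOF
$rules
EOF
    echo deny
}

# Demo: the same SSH packet from the trusted subnet under both orderings.
printf 'subnet rule first: %s\n' "$(evaluate "$RULES_SUBNET_FIRST" tcp 192.168.0.5 22)"   # allow
printf 'subnet rule last:  %s\n' "$(evaluate "$RULES_SUBNET_LAST" tcp 192.168.0.5 22)"    # deny
```

Run it with `sh evaluate.sh` (any POSIX shell with 64-bit arithmetic, such as dash or bash). The two demo lines show the point directly: with the exception at position 1 the trusted subnet reaches port 22, while the appended ordering never gets past the broad deny, which is exactly what `ufw status numbered` lets you spot before a host locks you out.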
## Reference
### Official
- [RFC 2979 - Behavior of and Requirements for Internet Firewalls](https://www.ietf.org/rfc/rfc2979.txt)
- [RFC 7288 - Reflections on Host Firewalls](https://datatracker.ietf.org/doc/html/rfc7288)
- [`ufw` - Ubuntu firewall tool](https://ubuntu.com/server/docs/security-firewall)
- [Firewall Security - Tutorialspoint](https://www.tutorialspoint.com/internet_technologies/firewall_security.htm)
### Article
- [A Complete Guide To Firewall: How To Build A Secure Networking System](https://www.softwaretestinghelp.com/firewall-security/)
### Related Topic
- [IPSec](https://hackmd.io/@Phoebe61G/IPSec)