SKILL CCNE011: Identify filtering devices
SKILL CCNE012: Define methodologies of filtering
SKILL CCNE013: Configure filtering devices on the Network
SKILL CCNE014: Filtering at the OS
- Routed Mode
- Transparent Mode
- Whitelist vs. Blacklist logic
Where/How should you arrange Firewalls in an Enterprise Topology?
- Host based versus Network Based Firewalls
- Packet Filtering
- Stateful Inspection
- Application level gateways
- Use ICMP, UDP, or TCP packets to test whether ports/protocols are allowed through filtering devices
- Increment the TTL by one per probe; the hop at which the TTL reaches zero discards the packet and returns an ICMP Time Exceeded (type 11) reply, which reveals that hop's address
- Defense: block outgoing ICMP Time Exceeded packets at the perimeter, or use Network Address Translation so that internal addresses never appear in those replies
- Traceroute uses ICMP Echo (Windows tracert) or UDP to high-numbered ports (Linux traceroute default; -I selects ICMP, -T selects TCP SYN)
- On Linux:
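The packets behind the TTL technique above, as an added example that is not part of the course notes. build_udp_probe() builds the IPv4+UDP datagram a Linux-style traceroute sends with a chosen TTL, build_time_exceeded() constructs the ICMP Time Exceeded reply a router would return, and parse_time_exceeded() decodes that reply. The reply quotes the original IP header plus the first 8 bytes of the UDP header, so the sender can tell which probe it belongs to (by destination port, the way Linux traceroute does, since the quoted TTL has already been decremented) and which hop answered. All addresses and ports are constructed sample values, nothing is transmitted, and no root privileges are needed.

```python
"""
Added example (not part of the course notes): the packets behind TTL-based probing of a filtering device.
Addresses, ports and the reply itself are constructed samples; nothing is sent on the network.
"""
import socket
import struct

BASE_PORT = 33434   # classic traceroute base port; in this model the probe sent with TTL n uses BASE_PORT + n


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum; a header that already carries its own checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_udp_probe(src: str, dst: str, ttl: int, sport: int = 40000) -> bytes:
    """IPv4 header carrying the given TTL + 8-byte UDP header (UDP checksum 0, which IPv4 permits)."""
    dport = BASE_PORT + ttl
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, ttl, 0, ttl, socket.IPPROTO_UDP, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + struct.pack("!HHHH", sport, dport, 8, 0)


def build_time_exceeded(router: str, probe: bytes) -> bytes:
    """Constructed sample of the reply a router at `router` sends when the probe's TTL expires."""
    sender = socket.inet_ntoa(probe[12:16])
    quoted = bytearray(probe[:28])          # original IP header + first 8 bytes of UDP, as RFC 792 requires
    quoted[8] = 1                           # routers quote the header as received: TTL is 1 (or 0) by then, not the value sent
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + bytes(quoted)   # type 11 (Time Exceeded), code 0 (TTL exceeded in transit)
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, socket.IPPROTO_ICMP, 0,
                     socket.inet_aton(router), socket.inet_aton(sender))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_time_exceeded(pkt: bytes) -> dict:
    """Return the answering hop and the probe (TTL, destination, port) recovered from the quoted header."""
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    if icmp[0] != 11:
        raise ValueError("not ICMP Time Exceeded, type %d" % icmp[0])
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {"hop": socket.inet_ntoa(pkt[12:16]),
            "probe_dst": socket.inet_ntoa(inner[16:20]),
            "probe_proto": inner[9],
            "probe_dport": dport,
            "probe_ttl": dport - BASE_PORT}   # the TTL we sent, recovered from the port rather than the decremented quoted TTL


def port_passes(reply_hop: str, gateway: str) -> bool:
    """Firewalking verdict for a probe sent with TTL = (hops to the gateway) + 1: a Time Exceeded from any
    host other than the gateway means the gateway forwarded the probe, so that protocol/port is allowed through."""
    return reply_hop != gateway
```

To firewalk a port, send the probe with TTL one greater than the hop count to the filtering device: a Time Exceeded from the next hop means the port passed the filter, silence or a reply from the gateway itself means it did not. The defense in the notes (blocking outbound Time Exceeded at the perimeter) removes exactly the reply that parse_time_exceeded() relies on.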
Complete the Firewall Exercise before moving on
IDS: Intrusion Detection System
- Does not need to be inline (can watch a mirror/SPAN port or a network tap)
- Logging, Alerting
IPS: Intrusion Prevention System
- Sits inline so it can act on traffic: Dropping, Blocking, Resetting, Sandboxing
Signatures
- Atomic: decided from a single packet or event
- Stateful: decided from a pattern across several packets or the state of a connection
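An added example (not from the course notes) that puts the IDS/IPS and atomic/stateful distinctions into one small engine: the same signatures run in IDS mode (alert only, packet passes) and IPS mode (alert and drop), with an atomic signature that decides on one packet and a stateful port-scan signature that must remember earlier packets before it can match. The sample traffic and the signatures themselves are constructed for illustration.

```python
"""
Added example (not from the course notes): one detection engine run as an IDS and as an IPS,
with an atomic and a stateful signature. Sample packets and signatures are constructed.
"""
import re
from collections import defaultdict

# Atomic signatures: everything needed to decide is in the one packet being examined.
ATOMIC = [
    ("TFTP request", lambda p: p["proto"] == "udp" and p["dport"] == 69),
    ("HTTP path traversal", lambda p: p["proto"] == "tcp" and p["dport"] == 80
                                      and re.search(rb"\.\./", p["payload"]) is not None),
]


class PortScan:
    """Stateful signature: one source contacting more than `limit` distinct ports on one host.
    No single packet is suspicious; the engine must remember earlier packets to see the pattern."""

    def __init__(self, limit: int = 5):
        self.limit = limit
        self.ports = defaultdict(set)          # (src, dst) -> distinct destination ports seen so far

    def __call__(self, p) -> bool:
        seen = self.ports[(p["src"], p["dst"])]
        seen.add(p["dport"])
        return len(seen) == self.limit + 1     # fire exactly once, on the packet that crosses the threshold


class Engine:
    def __init__(self, mode: str):
        assert mode in ("ids", "ips")
        self.mode = mode
        self.alerts = []                       # (signature name, src): what gets logged/alerted on
        self.stateful = [("Port scan", PortScan())]

    def process(self, p) -> str:
        """Return the verdict for this packet: PASS, or DROP (IPS mode only)."""
        hits = [name for name, match in ATOMIC if match(p)]
        hits += [name for name, match in self.stateful if match(p)]
        for name in hits:
            self.alerts.append((name, p["src"]))
        if hits and self.mode == "ips":
            return "DROP"                      # inline: the packet never reaches its destination
        return "PASS"                          # an IDS is not inline; it only logs and alerts


def pkt(src, dst, proto, dport, payload=b""):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport, "payload": payload}


# Constructed sample traffic: a TFTP request, a traversal attempt, then one host probing ports 21..26.
SAMPLE = [pkt("10.0.0.5", "192.168.0.2", "udp", 69),
          pkt("10.0.0.5", "192.168.0.3", "tcp", 80, b"GET /../../etc/passwd HTTP/1.0\r\n")] + \
         [pkt("10.0.0.9", "192.168.0.3", "tcp", port) for port in range(21, 27)]


def run(mode: str):
    """Feed SAMPLE through a fresh engine; return (verdict per packet, alert names in order)."""
    engine = Engine(mode)
    verdicts = [engine.process(p) for p in SAMPLE]
    return verdicts, [name for name, _ in engine.alerts]
```

Note that the stateful signature only fires on the sixth probe: the first five scan packets pass even in IPS mode, which is the inherent trade-off of any detection that needs a pattern across packets.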
ip access-list standard 1
permit host 10.0.0.1
deny 10.0.0.0 0.0.0.255
permit any
----------------------
On which interface, and in which direction, should this ACL be applied to allow host 10.0.0.1 to reach the 172.16.0.0 network while denying all other 10.0.0.0 hosts? (Note that the wildcard 0.0.0.255 covers only 10.0.0.0/24.)
ip access-list extended 101
remark action protocol (src IP) (src port) (dst IP) (dst port)
deny udp host 172.16.0.1 host 192.168.0.2 eq 69
permit ip any any log
----------------------
On which interface, and in which direction, is it best to apply this ACL so that only host 172.16.0.1 is denied TFTP (UDP/69) access to host 192.168.0.2 while all other hosts keep that access?
Router 2, interface G0/1 inbound (Whitelisting)
ip access-list extended <name>
 permit tcp 192.168.0.0 0.0.0.255 any eq domain
 permit tcp 192.168.0.0 0.0.0.255 any eq www
 remark DNS lookups normally use UDP/53; add "permit udp 192.168.0.0 0.0.0.255 any eq domain" if they must pass
 deny ip any any
Router 1, interface G0/2 inbound (Blacklisting)
ip access-list extended <name>
 deny ip 192.168.0.0 0.0.0.255 any
 deny ip 10.0.0.0 0.0.0.255 any
 permit ip any any
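An added example (not IOS, and not part of the course notes): a small Python evaluator for the access-list entries used in this section. It models the three things that decide whether an ACL does what you expect: wildcard masks (a 1 bit means "don't care"), first-match ordering, and the implicit deny at the end of every list. The list contents are the page's own; the packets fed through them are constructed samples.

```python
"""
Added example (not IOS itself): evaluates IOS-style ACL entries against packets described as dicts.
Packets are constructed samples; the access lists are the ones on this page.
"""
import ipaddress

PORT_NAMES = {"domain": 53, "www": 80, "tftp": 69}
PROTO_NUM = {"tcp": 6, "udp": 17, "icmp": 1}       # "ip" matches every protocol
ANY = ("0.0.0.0", "255.255.255.255")               # network, wildcard


def wildcard_match(ip: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: 0 bit = must match, 1 bit = don't care (the inverse of a subnet mask)."""
    ip_i, net_i, wc_i = (int(ipaddress.IPv4Address(x)) for x in (ip, network, wildcard))
    care = ~wc_i & 0xFFFFFFFF
    return ip_i & care == net_i & care


def _address(tokens, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' plus an optional 'eq PORT'; return ((net, wc), port, next_index)."""
    if tokens[i] == "any":
        spec, i = ANY, i + 1
    elif tokens[i] == "host":
        spec, i = (tokens[i + 1], "0.0.0.0"), i + 2
    else:
        spec, i = (tokens[i], tokens[i + 1]), i + 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
        i += 2
    return spec, port, i


def parse_ace(line: str, extended: bool):
    """One access-list entry -> dict, or None for 'remark' lines."""
    t = line.split()
    if t[0] == "remark":
        return None
    ace = {"action": t[0], "proto": "ip", "sport": None, "dst": ANY, "dport": None, "log": False}
    if extended:
        ace["proto"] = t[1]
        ace["src"], ace["sport"], i = _address(t, 2)
        ace["dst"], ace["dport"], i = _address(t, i)
        ace["log"] = "log" in t[i:]
    else:
        ace["src"], _, _ = _address(t, 1)        # standard ACLs match on the source address only
    return ace


def evaluate(lines, extended, pkt):
    """Walk the list top-down; the first matching entry decides. Return (action, line number or None)."""
    for n, line in enumerate(lines, 1):
        ace = parse_ace(line, extended)
        if ace is None:
            continue
        if ace["proto"] != "ip" and PROTO_NUM[ace["proto"]] != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], *ace["src"]) or not wildcard_match(pkt["dst"], *ace["dst"]):
            continue
        if ace["sport"] is not None and ace["sport"] != pkt.get("sport"):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
            continue
        return ace["action"], n
    return "deny", None          # implicit deny at the end of every ACL


# The page's lists: standard 1, extended 101, and the whitelist/blacklist exercise answers.
ACL_1 = ["permit host 10.0.0.1", "deny 10.0.0.0 0.0.0.255", "permit any"]
ACL_101 = ["remark action protocol (src IP) (src port) (dst IP) (dst port)",
           "deny udp host 172.16.0.1 host 192.168.0.2 eq 69",
           "permit ip any any log"]
WHITELIST = ["permit tcp 192.168.0.0 0.0.0.255 any eq domain",
             "permit tcp 192.168.0.0 0.0.0.255 any eq www",
             "deny ip any any"]
BLACKLIST = ["deny ip 192.168.0.0 0.0.0.255 any",
             "deny ip 10.0.0.0 0.0.0.255 any",
             "permit ip any any"]


def pkt(src, dst, proto=6, sport=None, dport=None):
    """Constructed sample packet; proto is the IP protocol number (6 = TCP, 17 = UDP)."""
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}
```

Two results worth running: a source of 10.0.1.7 is permitted by ACL 1 because 0.0.0.255 covers only 10.0.0.0/24, and a UDP/53 query is dropped by the whitelist because it only permits TCP to the domain port.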
IPTables: Linux packet filter (user-space front end to the kernel's netfilter framework)
- Collects per-rule byte and packet counters (IP accounting; view them with iptables -L -v -n)
- Can perform NAT (SNAT/DNAT, including masquerading and port forwarding)
- Can mangle packets, modifying header fields such as TTL, TOS/DSCP or packet marks (mangle table)
IPTables "chains" (circled in the diagram) are the hooks at which the kernel's networking stack hands a packet to the packet filter; the chain determines when a packet is examined. The diagram shows the order in which a packet traverses the chains as it enters a host, leaves it, or is forwarded through it.
Table: -t selects the table (filter is the default; nat, mangle and raw are the others)
Add/Delete/Insert: -A appends, -D deletes, -I inserts (optionally at a given rule number)
Chain: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING
Target: -j names the action (ACCEPT, DROP, REJECT, or a NAT target such as SNAT/DNAT)
Protocol: -p tcp, udp, icmp, etc.
Source: -s source IP address or network of the packet
Destination: -d destination IP address or network of the packet
Syntax/Example
iptables -t [table] -A|-D|-I CHAIN [rule-number] [-p protocol] [-s src] [-d dst] [other matches] -j TARGET
Default policy for a built-in chain (no -j; the policy target is given directly):
iptables -P INPUT DROP
Filtering Rules
iptables -A OUTPUT -d 197.10.10.1 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s 150.147.23.1 -p udp --dport 69 -j DROP
Adding a rule using BPF bytecode (-m bpf; the four instructions decode to ldb [9]; jeq #6 jt 0 jf 1; ret 1; ret 0, i.e. match when the IP protocol byte is 6, TCP)
iptables -A OUTPUT -m bpf --bytecode '4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0' -j ACCEPT
Drop Traffic From MAC Address "DE:AD:BE:EF:CA:FE" (the mac match only works on incoming packets: PREROUTING, INPUT and FORWARD)
iptables -A INPUT -m mac --mac-source DE:AD:BE:EF:CA:FE -j DROP
Using the iptables and iptables-extensions man pages, practice iptables syntax
- Change the source address to 1.1.1.1 (SNAT lives in POSTROUTING because the outgoing interface is only known after the routing decision)
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 1.1.1.1
- Change the source address to 1.1.1.1 and the port to 9001 (rewriting a port requires -p tcp or -p udp)
iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 1.1.1.1:9001
- Change the destination address to 10.0.0.1 (DNAT lives in PREROUTING so the routing decision sees the new destination; -i is valid here, -o is not)
iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-destination 10.0.0.1
- Forward traffic arriving on port 8080 to an internal or private IP on port 8080
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 10.0.0.1:8080
- Caveat: the nat table sees only the first packet of each connection; the translation is stored in conntrack and applied to the rest of the flow, including replies. Forwarded traffic only passes if net.ipv4.ip_forward is 1 and the FORWARD chain accepts the (post-DNAT) packets.
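An added example, not iptables itself and not part of the course notes, that models how a Linux router applies the NAT rules above to a packet and, in doing so, shows the chain order described with the diagram: conntrack lookup, nat/PREROUTING (DNAT), routing decision, filter/FORWARD, nat/POSTROUTING (SNAT), then the conntrack entry that later packets and replies reuse. Interfaces, addresses and ports are constructed sample values: eth0 is the public side (1.1.1.1), eth1 the private side (10.0.0.0/24), and the FORWARD rules are assumed, since the page's NAT rules alone forward nothing.

```python
"""
Added example (not iptables): a model of one packet's path through a NATing Linux router.
eth0 = public side (1.1.1.1), eth1 = private side (10.0.0.0/24); all values are constructed samples.
A 4-tuple is (src, sport, dst, dport).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PUBLIC_IP = "1.1.1.1"
LAN = ipaddress.ip_network("10.0.0.0/24")


@dataclass
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    iface_in: str        # -i : known on arrival
    iface_out: str = ""  # -o : known only after the routing decision, hence usable in FORWARD/POSTROUTING, not PREROUTING


def route(p: Pkt) -> str:
    """Routing decision, made AFTER PREROUTING, so it sees the DNATed destination."""
    if p.dst == PUBLIC_IP:
        return "local"          # would go to the INPUT chain, not FORWARD
    return "eth1" if ipaddress.ip_address(p.dst) in LAN else "eth0"


class NatBox:
    def __init__(self, ip_forward: bool = True):
        self.ip_forward = ip_forward            # sysctl net.ipv4.ip_forward
        self.conntrack = {}                     # 4-tuple as seen on arrival -> 4-tuple it must be rewritten to
        # nat/PREROUTING:  -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 10.0.0.1:8080
        self.prerouting = [(lambda p: p.iface_in == "eth0" and p.dport == 8080, ("10.0.0.1", 8080))]
        # nat/POSTROUTING: -o eth0 -j SNAT --to-source 1.1.1.1   (port left unchanged)
        self.postrouting = [(lambda p: p.iface_out == "eth0", (PUBLIC_IP, None))]
        # filter/FORWARD, policy DROP (assumed rules; without them DNAT alone forwards nothing)
        self.forward = [
            lambda p, st: st == "ESTABLISHED",                                   # -m conntrack --ctstate ESTABLISHED
            lambda p, st: p.iface_in == "eth0" and p.iface_out == "eth1"
            and (p.dst, p.dport) == ("10.0.0.1", 8080),                          # -i eth0 -o eth1 -d 10.0.0.1 -p tcp --dport 8080
            lambda p, st: p.iface_in == "eth1" and p.iface_out == "eth0",        # -i eth1 -o eth0 (LAN to Internet)
        ]

    @staticmethod
    def key(p: Pkt):
        return (p.src, p.sport, p.dst, p.dport)

    def handle(self, p: Pkt) -> Optional[Pkt]:
        """Return the packet as it leaves the box, or None if it is dropped or not forwarded."""
        arrived = self.key(p)
        state = "ESTABLISHED" if arrived in self.conntrack else "NEW"
        if state == "ESTABLISHED":
            # Later packets of a flow (and replies) never traverse the nat table; the stored mapping is reapplied.
            p.src, p.sport, p.dst, p.dport = self.conntrack[arrived]
        else:
            for match, (ip, port) in self.prerouting:       # DNAT: before the routing decision
                if match(p):
                    p.dst, p.dport = ip, port
                    break
        p.iface_out = route(p)
        if p.iface_out == "local" or not self.ip_forward:
            return None
        if not any(rule(p, state) for rule in self.forward):   # first match wins; no match -> chain policy DROP
            return None
        if state == "NEW":
            for match, (ip, port) in self.postrouting:      # SNAT: after routing, so -o is known
                if match(p):
                    p.src, p.sport = ip, port or p.sport
                    break
            leaving = self.key(p)
            self.conntrack[arrived] = leaving                                    # same direction: reuse the translation
            self.conntrack[(leaving[2], leaving[3], leaving[0], leaving[1])] = (   # reply direction: undo it
                arrived[2], arrived[3], arrived[0], arrived[1])
        return p
```

Walking an inbound connection to 1.1.1.1:8080 through handle() shows why the FORWARD rule must match the post-DNAT destination (10.0.0.1:8080, not 1.1.1.1:8080), and feeding the server's reply back shows the conntrack entry restoring the public address without any rule in the nat table matching it.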
Using iptables, practice NATing