Network Filtering

CCTC - Networking

Outcomes


SKILL CCNE011: Identify filtering devices


SKILL CCNE012: Define methodologies of filtering


SKILL CCNE013: Configure filtering devices on the Network


SKILL CCNE014: Filtering at the OS


Firewall Basics


- Routed Mode
- Transparent Mode


- Whitelist vs. Blacklist logic


Where/How should you arrange Firewalls in an Enterprise Topology?



Filtering Basics


- Host-based versus network-based firewalls

  • IPTables, Windows Firewall
  • Network-based FWs come in many flavors


- Packet Filtering

- Stateful Inspection

- Application level gateways


Firewalking


- Use ICMP, UDP, or TCP packets to test whether ports/protocols are allowed through filtering devices

- Increment the TTL; TTL expirations trigger ICMP Time Exceeded replies, which reveal each hop that forwards the probe

- Defense: block outgoing ICMP Time Exceeded packets at the perimeter, or use Network Address Translation to hide internal network addresses

Traceroute Tricks


- Traceroute uses ICMP Echo (Windows tracert) or UDP (Linux, by default)

- On Linux:

  • -T: sends TCP SYN probes
  • -m: sets the maximum TTL (hop count)
  • -p: sets the destination port (UDP: starting port, incremented per probe; TCP: constant)
  • -U: uses UDP with a constant destination port




Firewall Exercise


Complete the Firewall Exercise before moving on

Intrusion Detection vs. Prevention


IDS: Intrusion Detection System

- Does not need to be inline
- Logging, Alerting

IPS: Intrusion Prevention System

- Dropping, Blocking, Resetting, Sandboxing

Signatures

- Atomic
- Stateful

Snort Activity

Standard ACLs


ip access-list standard 1
permit host 10.0.0.1
deny 10.0.0.0 0.0.0.255
permit any

----------------------

What interface/direction is the ACL applied to allow host 10.0.0.1 to access the 172.16.0.0 network, but deny ALL OTHER 10.0.0.0 hosts?


Extended ACLs


ip access-list extended 101
remark action protocol (src IP) (src port) (dst IP) (dst port)
deny udp host 172.16.0.1 host 192.168.0.2 eq 69
permit ip any any log

----------------------

What is the best interface/direction to place the ACL on to DENY only host 172.16.0.1 access to TFTP on host 192.168.0.2, but allow all other hosts to access these services?


Router 2, interface G0/1 inbound (Whitelisting)

! ACL names WHITELIST and BLACKLIST are chosen here; entries must live inside a
! named or numbered extended ACL and only take effect once applied with ip access-group
ip access-list extended WHITELIST
 permit tcp 192.168.0.0 0.0.0.255 any eq domain
 permit tcp 192.168.0.0 0.0.0.255 any eq www
 deny ip any any
!
interface GigabitEthernet0/1
 ip access-group WHITELIST in

(Note: "permit tcp ... eq domain" only matches DNS over TCP; ordinary DNS queries use UDP 53.)

Router 1, interface G0/2 inbound (Blacklisting)

ip access-list extended BLACKLIST
 deny ip 192.168.0.0 0.0.0.255 any
 deny ip 10.0.0.0 0.0.0.255 any
 permit ip any any
!
interface GigabitEthernet0/2
 ip access-group BLACKLIST in
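The ACL semantics the three slides above rely on (wildcard masks, top-down first match, implicit deny) as an added example; this evaluator is written for this page and is not Cisco code. It parses the permit/deny entries exactly as written on the slides and answers "would this packet be permitted?" for constructed packets.

```python
import ipaddress

# Constructed example (not course material): evaluate the Cisco-style ACL entries
# on this page. A wildcard mask is the inverse of a subnet mask: 1 = "don't care".
PORT_NAMES = {"domain": 53, "www": 80, "tftp": 69}

def parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net, wild = (int(ipaddress.IPv4Address(x)) for x in tokens[i:i + 2])
    return (net, wild), i + 2

def addr_matches(spec, addr):
    net, wild = spec
    return int(ipaddress.IPv4Address(addr)) & ~wild == net & ~wild

def parse_acl(text):
    """Return (action, proto, src, dst, dport) per entry; headers/remarks skipped."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] not in ("permit", "deny"):
            continue
        if t[1] in ("ip", "tcp", "udp", "icmp"):        # extended entry
            proto, (src, i) = t[1], parse_addr(t, 2)
            dst, i = parse_addr(t, i)
            has_port = i < len(t) and t[i] == "eq"      # a trailing 'log' is ignored
            dport = (PORT_NAMES.get(t[i + 1]) or int(t[i + 1])) if has_port else None
        else:                                           # standard entry: source only
            proto, (src, i) = "ip", parse_addr(t, 1)
            dst, dport = (0, 0xFFFFFFFF), None
        rules.append((t[0], proto, src, dst, dport))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """Top-down, first match wins; every ACL ends with an implicit deny."""
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto in ("ip", proto) and addr_matches(rsrc, src) \
                and addr_matches(rdst, dst) and rport in (None, dport):
            return action
    return "deny"

# Constructed inputs: the standard list and the TFTP extended list from the slides.
STANDARD_1 = "permit host 10.0.0.1\ndeny 10.0.0.0 0.0.0.255\npermit any"
EXTENDED_101 = ("deny udp host 172.16.0.1 host 192.168.0.2 eq 69\n"
                "permit ip any any log")
```

Running the whitelist entries through it shows the DNS caveat directly: UDP/53 from 192.168.0.0/24 falls through to the final deny.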

IPTables; not just for Filtering!



- Collects statistics on byte/packet counts for each rule (IP Accounting)

- Can be used for NAT (including masquerading & port forwarding)

- Can perform packet mangling to modify fields in headers


IPTables Order


IPTables "chains" (circled in the diagram) correspond to the hooks that the kernel's networking stack passes packets through; the chain determines at what point a packet is examined. Using the diagram, you can follow how packets are processed through the chains as they enter, are forwarded by, or leave a host.

Inside IPTables





Building Rules


Table: use the -t flag to select the table (default is filter)
Add/Delete/Insert: use -A, -D, -I (-I can take a rule number to insert at that position)
Chain: INPUT, OUTPUT, FORWARD, PREROUTING or POSTROUTING
Target: use -j to define the action (ACCEPT, DROP, etc.)
Protocol: tcp, udp, icmp, etc. (-p)
Source: source IP address of the packet (-s)
Destination: destination IP address of the packet (-d)


Targets and Rules


Rules

  • If the criteria are matched, the packet jumps to the user-defined chain named in the target, or the special target (ACCEPT, DROP, etc.) is applied
  • If the criteria are not matched, evaluation moves on to the next rule (SEQUENTIAL)
  • Policy: the default action taken when no rule matches; set with -P

Targets (e.g., those applicable in the filter table)

  • ACCEPT: accept the packet
  • DROP: silently drop the packet
  • REJECT: send back an error packet in response to the matched packet (the packet is still dropped)

Examples

Syntax/Example

iptables -t [table] -[A(add)/D(del)/I(ins)] CHAIN rule [-p (protocol, etc)] -j TARGET
iptables -t [table] -P CHAIN TARGET        (policy: no rule and no -j)
iptables -P INPUT DROP

Filtering Rules

iptables -A OUTPUT -d 197.10.10.1 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s 150.147.23.1 -p udp --dport 69 -j DROP

Adding a rule using Bytecode

iptables -A OUTPUT -m bpf --bytecode '4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0' -j ACCEPT

The bytecode is in the format produced by tcpdump -ddd (or nfbpf_compile): an instruction count followed by "code jt jf k" tuples. This program loads the byte at offset 9 of the IP header (the protocol field), compares it with 6 (TCP), and returns 1 (match) or 0 (no match).
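To make the bytecode string readable, here is an added example (written for this page, not part of iptables or the course) that parses the -ddd format, disassembles it, and interprets it against constructed IPv4 headers, assuming, as xt_bpf does for IPv4, that the filter sees the packet starting at the IP header.

```python
# Constructed example (not from the course or iptables): decode and execute the
# classic-BPF program from the -m bpf rule above ("tcpdump -ddd" format:
# "<count>,<code> <jt> <jf> <k>,...").
BYTECODE = "4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0"
LDB_ABS, JEQ_K, RET_K = 0x30, 0x15, 0x06     # opcodes from <linux/filter.h>
MNEMONIC = {LDB_ABS: "ldb", JEQ_K: "jeq", RET_K: "ret"}

def parse_bytecode(text):
    """Split the -ddd string into (code, jt, jf, k) tuples and check the count."""
    count, *body = text.split(",")
    insns = [tuple(int(f) for f in part.split()) for part in body]
    if len(insns) != int(count):
        raise ValueError("instruction count does not match program body")
    return insns

def disassemble(insns):
    """Render each instruction in a tcpdump-like mnemonic form (relative jump offsets)."""
    out = []
    for code, jt, jf, k in insns:
        name = MNEMONIC.get(code, f"op{code:#x}")
        if code == LDB_ABS:
            out.append(f"{name} [{k}]")
        elif code == JEQ_K:
            out.append(f"{name} #{k} jt {jt} jf {jf}")
        else:
            out.append(f"{name} #{k}")
    return out

def run(insns, packet):
    """Interpret the program; xt_bpf hands it the packet starting at the IP header."""
    acc, pc = 0, 0
    while pc < len(insns):
        code, jt, jf, k = insns[pc]
        if code == LDB_ABS:
            acc = packet[k]
        elif code == JEQ_K:
            pc += jt if acc == k else jf     # offsets are relative to the next insn
        elif code == RET_K:
            return k                         # non-zero = match, so -j ACCEPT applies
        else:
            raise ValueError(f"unsupported opcode {code:#x}")
        pc += 1
    raise ValueError("program ran off the end without returning")

def ipv4_header(proto):
    """Constructed 20-byte IPv4 header; offset 9 holds the protocol number."""
    hdr = bytearray(20)
    hdr[0], hdr[9] = 0x45, proto             # version 4 / IHL 5, protocol
    return bytes(hdr)
```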

Try these...

Drop Traffic From Mac Address "DE:AD:BE:EF:CA:FE"

iptables -A INPUT -m mac --mac-source DE:AD:BE:EF:CA:FE -j DROP

Accept any NEW TCP connections to destination ports 20-23

iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 20:23 -j ACCEPT

IPTables Activity


Using the iptables(8) and iptables-extensions(8) man pages, practice IPTables syntax

Source NAT (IP)


- Change the source address to 1.1.1.1

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 1.1.1.1




Source NAT (IP & Port)


- Change the source address to 1.1.1.1 and the port to 9001

iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 1.1.1.1:9001



Destination NAT (IP)


- Change the destination address to 10.0.0.1

iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-destination 10.0.0.1




Destination NAT (Port Forwarding)


- Forward traffic to an internal or private IP on port 8080

iptables -t nat -A PREROUTING -p tcp -i eth0 -j DNAT --to-destination 10.0.0.1:8080

(PREROUTING sees packets arriving on an interface, so the match is -i, not -o; add --dport N to forward only one inbound port.)



IPTables - NAT Activity


Using iptables, practice NATing