Defending Against Network Attacks
It would be nice if we lived in a world where we could connect
networks together and be able to trust others to respect our systems.
Unfortunately, such a world doesn’t exist. If your Linux systems are
connected to a network, you need to be very concerned about network
attacks. If your network is connected to a public network, such as the
Internet, you need to be extremely concerned about network attacks.
As with most of the topics discussed in this book, network security is
a huge topic that can fill many volumes. We really don’t have the time
or space here to do the topic justice. Instead, I’m going to discuss
some basic things you can do to defend against network attacks. I’ll
discuss the following:
• Mitigating network vulnerabilities
• Implementing a firewall with iptables
Let’s begin by discussing some things you can do to mitigate network
vulnerabilities.
Mitigating Network Vulnerabilities
The good news is that there are some simple things you can do to
mitigate the threat to your Linux systems from network attacks. These
include the following:
• Staying abreast of current threats
• Unloading unneeded services
• Installing updates
Let’s first discuss staying abreast of current network threats.
Staying Abreast of Current Threats
One of the biggest problems with network security threats is the fact
that we’re always one step behind the guys wearing black hats. No
sooner do we implement a fix to protect our systems from the latest
exploit than they hit us with a new one. Therefore, it’s critical that
you stay up to date with the latest network threats. You’ll soon see
that they change week to week, and sometimes even day to day! The only
way you can keep your systems safe is to be aware of what the current
threats are.
The best way to do this is to visit security-related websites on a
regular basis. These sites inform you of the latest exploits and how
to defend yourself against them. One of the best sites to visit is
www.cert.org, maintained by the CERT Coordination Center (CERT/CC) at
Carnegie Mellon University's Software Engineering Institute. The CERT
website contains links to the latest security advisories. Another
excellent resource is www.us-cert.gov, maintained by the United States
Computer Emergency Readiness Team (US-CERT), which provides a great
deal of information about current cyber-attacks. (US-CERT has since
been folded into the Cybersecurity and Infrastructure Security Agency,
and its advisories are now published at www.cisa.gov.)
Of course, there are hundreds of other security-related websites out
there. However, those I've listed here are among the most
authoritative sites around, and many of the others derive their
content from them. You should also subscribe to your own
distribution's security announcement mailing list, because that is
where fixes for the packages you actually run are announced. If you
visit these sites regularly, you can stay abreast of what's happening
in the security world and hopefully prevent an attack on your systems.
In addition to staying current with these sites, you should also
review your systems to see if all the services they provide are really
necessary. Let’s talk about how to do that next.
Unloading Unneeded Services
One of the easiest things you can do to mitigate the threat from a
network attack is to simply unload network services running on your
system that aren't needed. Depending on your distribution and how you
installed it, you probably have a number of services running on your
system that you didn't know were there and that you don't need. On a
distribution that uses SysV init, you can view a list of installed
services and whether or not they start at boot by entering chkconfig
at the shell prompt. This command lists each service and its status,
as shown in Figure 17-9. On a distribution that uses systemd, the
equivalent commands are systemctl list-unit-files --type=service
(which services are enabled to start at boot) and systemctl
list-units --type=service --state=running (which services are running
right now).
As a word of caution, however, don't disable a service unless you know
what it actually does. Some daemons are required for the system to run
properly. If you don't know what a particular service is, use the man
utility, the info utility, or the Internet to research it and
determine whether or not it is necessary.
In addition to chkconfig, you can also use the nmap command to view
open IP ports on your Linux system. This information is really useful.
Each port that is open on your Linux system represents a potential
vulnerability. Some open ports are necessary. Others, however, may not
be necessary. You can close the port by unloading the service that is
using it.
The syntax for using nmap is
nmap -sT host_IP_address
for a TCP connect scan, and
nmap -sU host_IP_address
for a UDP port scan. The UDP scan must be run as root and is much
slower than the TCP scan, because a UDP port that never answers cannot
be told apart from one that is filtered without retries and timeouts.
Only scan hosts you own or are authorized to test; a port scan of
someone else's system is usually treated as hostile.
In Figure 17-10, the nmap utility has been used to scan for open TCP ports.
As you can see in this figure, a number of services are running on the
host that was scanned. You can use this output to determine what
should and shouldn't be left running on the system. To disable a
service, stop it and then configure it not to start automatically: on
a systemd distribution, run systemctl stop service_name followed by
systemctl disable service_name; on a SysV init distribution, run the
service's init script with the stop argument (service service_name
stop or /etc/init.d/service_name stop) and then chkconfig
service_name off. Rerun the scan afterward to confirm that the port
is actually closed.
TIP You should run nmap both locally and from a different system
against the same host. This will tell you what ports are open on your
system and which services are allowed through your host’s firewall.
In addition to the nmap utility, you can also use the netstat utility
to list open ports. The netstat utility is another powerful tool in
your virtual toolbox. The syntax for using netstat is to enter
netstat option
at the shell prompt of the system you want to examine. You can use the
options listed in Table 17-2.
An example of using netstat with the -l option to view a list of
listening sockets on a Linux host is shown in Figure 17-11:
netstat -l
Adding the -t, -u, -n, and -p options (netstat -tulpn) restricts the
output to TCP and UDP sockets, prints addresses and ports numerically
instead of resolving names, and shows the process that owns each
socket (the process column is only filled in when you run as root).
Note that netstat belongs to the net-tools package, which current
distributions no longer install by default; its replacement, the ss
utility from iproute2, accepts the same letters (ss -tulpn). Unlike an
nmap scan run from another machine, netstat and ss show every
listening socket, including those bound only to 127.0.0.1 and those
that your host firewall blocks from the outside.
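Here is a worked version of the audit described above, added here as an example; it is not code from the book. It runs the check that the chkconfig, nmap and netstat discussion describes, using ss in place of netstat and constructed sample output in place of a live system, and it implements the TIP about comparing the local view with a scan from another host: listeners absent from an allow-list are reported, and those that the outside scan could also reach are singled out. The sample ss and nmap output, the allow-list and the address 192.0.2.10 are all constructed for the example.

```shell
#!/bin/sh
# Listening-socket audit. Added example, not from the book. It parses the
# output of ss (the iproute2 replacement for netstat) and of an nmap scan
# run from another host, then reports (1) listeners that are not on your
# allow-list and (2) which of those the outside scan could reach, i.e. the
# ones the host firewall is not blocking. All sample data is CONSTRUCTED.
export LC_ALL=C   # byte-order sorting, so results do not depend on locale

# Constructed sample of `ss -lntuH` (listening TCP/UDP, numeric, no header).
SAMPLE_SS='tcp   LISTEN 0 128 0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0 511 0.0.0.0:80      0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:3306  0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:111     0.0.0.0:*
tcp   LISTEN 0 128 [::]:22         [::]:*
udp   UNCONN 0 0   0.0.0.0:111     0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:68      0.0.0.0:*'

# Constructed sample of `nmap -sT 192.0.2.10` run from a second machine.
SAMPLE_NMAP='Nmap scan report for 192.0.2.10
Host is up (0.0010s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind'

# Ports you intend to offer (proto/port, one per line); anything else
# that is listening gets reported.
ALLOWED='tcp/22
tcp/80
udp/68'

# stdin: ss -lntuH output. stdout: "proto/port bind-address", unique.
# The port is the text after the last colon, so IPv6 "[::]:22" works too.
listening_ports() {
    awk '{
        n = split($5, a, ":"); port = a[n]
        addr = substr($5, 1, length($5) - length(port) - 1)
        print $1 "/" port, addr
    }' | sort -u
}

# $1: allow-list. stdin: ss output. Prints listeners not on the list.
unexpected_listeners() {
    listening_ports | awk -v allowed="$(printf '%s' "$1" | tr '\n' ' ')" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($1 in ok) { print }'
}

# stdin: an nmap -sT or -sU report. stdout: "proto/port" per open port.
remote_open_ports() {
    awk '$1 ~ "^[0-9]+/(tcp|udp)$" && $2 == "open" {
        split($1, p, "/"); print p[2] "/" p[1]
    }' | sort -u
}

# $1: allow-list, $2: ss output, $3: nmap output.
# Prints the unexpected listeners that the outside scan could also reach;
# these are the first ones to unload or block.
reachable_unexpected() {
    local_ports=$(printf '%s\n' "$2" | unexpected_listeners "$1" | cut -d' ' -f1 | sort -u)
    remote_ports=$(printf '%s\n' "$3" | remote_open_ports)
    # both lists are unique, so a line seen twice is in the intersection
    printf '%s\n' "$local_ports" "$remote_ports" | sort | uniq -d
}

if [ "$1" = "--live" ]; then   # audit this host instead of the sample data
    ss -lntuH | unexpected_listeners "$ALLOWED"
else
    echo "== listeners not on the allow-list (sample data) =="
    printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "$ALLOWED"
    echo "== of which reachable from outside =="
    reachable_unexpected "$ALLOWED" "$SAMPLE_SS" "$SAMPLE_NMAP"
fi
```

Run it with --live (as root, so ss can see every socket) to audit the host it runs on, and pipe a real nmap report taken from another machine into remote_open_ports to complete the comparison. A port in the final list is both unplanned and reachable, so it is the first thing to unload or block; one that appears only in the first list is bound to loopback or blocked by the host firewall, which is better but still worth removing if the service is not needed.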
Installing Updates
One of the most important things you can do to defend against network
attacks is to regularly install operating system updates. A simple
fact of life that we have to deal with in the IT world is that
software isn’t written perfectly. Most programs and services have some
defects. Even your Linux kernel has defects in it. Some of these
defects are inconsequential, some are just annoying, and others
represent serious security risks.
As software is released and used, these defects are discovered by
system administrators, users, and (unfortunately) hackers. As they are
discovered, updates are written and released that fix the defects.
With most distributions, you can configure the operating system to
automatically go out on the Internet and periodically check for the
availability of updates. For example, with SUSE Linux, you can use the
YaST Online Update module, shown in Figure 17-12, to do this. You can
configure the system to either automatically install them for you or
prompt you to install them. The tool you use to update your system
will vary depending on which Linux distribution you are using: zypper
on SUSE, apt on Debian and Ubuntu, and dnf or yum on Red Hat, CentOS,
and Fedora. Keep in mind that installing an update does not by itself
fix a running program: a patched service must be restarted, and a
patched kernel is not in use until the system is rebooted.
Implementing a Firewall with iptables
Today, most organizations connect their corporate networks to the
Internet. Doing so enhances communications and provides access to a
wealth of information. Unfortunately, it also exposes their network to
a serious security threat. If users can go out on the Internet, an
uninvited person from the Internet can also get into the network,
unless measures are taken to keep this from happening. To do this, the
organization needs to implement a network firewall as well as host-
based firewalls on each system.
A network firewall is very different from a host-based firewall. A
host-based firewall controls traffic in and out of a single computer
system. A network firewall, on the other hand, is used to control
traffic in and out of a network segment or an entire network.
In this part of the chapter, we’re going to spend some time learning
how to use Linux in both capacities. We’ll discuss the following
topics:
• How firewalls work
• Implementing a packet-filtering firewall
Let’s begin by discussing how firewalls work.
How Firewalls Work
So what exactly is a firewall? A firewall is a combination of hardware
and software that acts like a gatekeeper between your network and
another network. Usually, a firewall has two or more network
interfaces installed. One is connected to the internal network; the
other, connected to the public network, acts much like a router.
However, a firewall is not a router (although it may be implemented in
conjunction with one).
The job of a firewall is to monitor the traffic that flows between the
networks, both inbound and outbound. You configure the firewall with
rules that define the type of traffic that is allowed through. Any
traffic that violates the rules is not allowed, as shown in Figure
17-13.
Firewalls can be implemented in a variety of ways. One of the most
common types is a packet-filtering firewall, where all traffic moving
between the private and public networks must go through the firewall.
As it does, the firewall captures all incoming and outgoing packets
and compares them against the rules you’ve configured.
The firewall can filter traffic based on the origin address, the
destination address, the origin port, the destination port, the
protocol used, or the type of packet. If a packet abides by the rules,
it is forwarded on to the next network. If it doesn’t, it is dropped,
as shown in Figure 17-14.
Packet-filtering firewalls don’t necessarily have to be implemented
between your network and the Internet. They can also be implemented
between a network segment and a backbone segment to increase your
internal network security.
To use a packet-filtering firewall, you must be familiar with which
port numbers are used by default by specific services. TCP and UDP
ports 0 through 1023 are assigned by IANA (the Internet Assigned
Numbers Authority) to network services and are called well-known
ports; on Linux, only root (or a process holding the
CAP_NET_BIND_SERVICE capability) can bind to them. Some of the more
common port assignments that you need to be familiar with are shown in
Table 17-3. Remember that the assignment is only a convention: nothing
stops an attacker, or an administrator, from running a service on a
different port, so a rule that allows port 80 allows whatever happens
to be listening there.
Packet-filtering firewalls are widely used. They cost less than other
types of firewalls and require relatively little processing, because
they examine only packet headers. Data moves through very quickly,
making them much faster than application-layer (proxy) firewalls,
which have to parse each protocol. The price is that a pure packet
filter knows nothing about the state of a connection; on Linux,
netfilter's connection tracking adds that, which lets a rule allow
replies to connections the host opened while still denying new inbound
connections.
Implementing a Packet-Filtering Firewall
Just as Linux can act as a router, it can also be configured to
function as a firewall. In fact, it can be used to configure a very
robust, very powerful firewall. Currently, there are many firewall
appliances on the market based on the Linux operating system. There
are also many downloadable Linux ISOs, such as from Untangle, that you
can install on standard PC hardware to turn it into a firewall and
router. For our purposes here, we're going to focus on creating a
basic packet-filtering firewall using iptables.
The first step in setting up a packet-filtering firewall on a Linux
system is to design your implementation. You should answer the
following questions when designing your firewall:
• Will you allow all incoming traffic by default, establishing rules
for specific types of traffic that you don't want to allow in?
• Will your firewall deny all incoming traffic except for specific
types of traffic that you want to allow?
• Will you allow all outgoing traffic by default, blocking only
specific types or destinations?
• Will you block all outgoing traffic except for specific types or
destinations?
• What ports must be opened on the firewall to allow traffic through
from the outside? For example, are you going to implement a web server
that needs to be publicly accessible behind the firewall? If so, you
will need to open up TCP ports 80 and 443 on your boundary firewall,
and nothing else for that host.
How you decide to configure your firewall depends on your
organization’s security policy. However, I recommend that you err on
the side of caution. Given a choice, I’d rather deal with a user who’s
upset because the firewall won’t let him share bootlegged music files
over the Internet than deal with a major attack that has worked its
way deep into my network.
Once your firewall has been designed, you’re ready to implement it.
After installing and configuring the required network boards, you can
configure a firewall on your Linux system using the iptables utility.
Many Linux distributions include graphical front ends for iptables
that you can use to build your firewall. These front ends are usually
not as flexible as the command-line utility, but they make the setup
process much faster and easier!
The heart of the Linux firewall is the iptables package. Most
distributions include it. If yours didn't, it can be downloaded from
www.netfilter.org. Versions of the Linux kernel prior to 2.4 used
ipfwadm (kernel 2.0) or ipchains (kernel 2.2) instead of iptables. If
you visit The Linux Documentation Project at www.tldp.org, you'll see
that many of the firewall HOWTOs are still written to help with these
older packages.
NOTE The iptables package is being replaced by nftables, which is
already the default packet-filtering framework on current Debian,
Ubuntu, Fedora, and Red Hat releases. On those systems the iptables
command is usually a compatibility front end (iptables-nft) that
translates the familiar syntax into nftables rules, so what follows
still works; run iptables -V to see which variant you have.
The Linux kernel itself completes packet-filtering tasks on Linux. In
order to use iptables, your kernel must include the netfilter
infrastructure, which is built into the kernels that most
distributions install by default.
The netfilter infrastructure uses the concept of "tables and chains"
to organize firewall rules. A table groups chains that serve one
purpose; a chain is an ordered list of rules. A packet is compared
against the rules in a chain from first to last, and the first rule
that matches decides what happens to it. If no rule matches, the
chain's default policy applies. The netfilter infrastructure uses the
filter table for packet-filtering rules (other tables, such as nat for
address translation, exist but are not covered here).
Within the filter table are three default chains:
• FORWARD
The FORWARD chain contains rules for packets being
transferred between networks through the Linux system.
• INPUT
The INPUT chain contains rules for packets that are being sent
to the local Linux system.
• OUTPUT
The OUTPUT chain contains rules for packets that are being
sent from the local Linux system.
If you don’t explicitly specify a table name when using the iptables
utility, it will default to the filter table.
Each of the three built-in chains in the filter table has a default
policy, applied to any packet that no rule in the chain matched. You
can set the policy to one of the following:
• ACCEPT Let the packet through.
• DROP Discard the packet silently; the sender sees a timeout.
• QUEUE Hand the packet to a user-space program for the decision
(rarely used).
Note that REJECT, which discards the packet but sends an error back to
the sender, is available only as a rule target (-j REJECT), not as a
chain policy. User-defined chains have no policy at all: if none of
their rules matches, processing returns to the chain that called them.
You can use iptables to create rules within a chain. A chain can
contain multiple rules. Each rule in a chain is assigned a number. The
first rule you add is assigned the number 1; iptables -L chain_name
-n --line-numbers shows the numbers alongside the rules. The iptables
utility can add rules, delete rules, insert rules, and append rules.
The syntax for using iptables is
iptables -t table command chain options
You can use the following commands with iptables:
• -L Lists all rules in the chain (add -n to skip name resolution and
-v to see packet and byte counters)
• -N Creates a new chain
• -A Appends a rule to the end of the chain
You can work with either the default chains listed previously or
create your own chain. You create your own chain by entering iptables
-N chain_name, and you then send traffic to it from a built-in chain
with a rule whose target is -j chain_name. You add rules to a chain
with the -A command.
You can also use one of the other commands listed here:
• -I Inserts a rule into the chain at the position given (iptables -I
INPUT 3 rule_specification), or at the top of the chain if no number
is given
• -R Replaces the rule with the given number
• -D Deletes a rule from the chain, identified either by its number or
by repeating its exact specification
• -F Deletes all the rules from the chain (called flushing); with no
chain name, flushes every chain in the table
• -P Sets the default policy for the chain
You can also use the following options with iptables:
• -p Specifies the protocol to be checked by the rule. You can specify
all, tcp, udp, or icmp (or any name from /etc/protocols). If you
specify tcp or udp, you can also use the following port matches:
• --sport Specifies a single source port, or a range written low:high
• --dport Specifies a single destination port, or a range written
low:high
• -m multiport --sports Specifies a comma-separated list of up to 15
source ports
• -m multiport --dports Specifies a comma-separated list of up to 15
destination ports
• -s ip_address/mask Specifies the source address to be checked. If
you want to match all IP addresses, use 0.0.0.0/0 (0/0 for short).
• -d ip_address/mask Specifies the destination address to be checked.
If you want to match all IP addresses, use 0.0.0.0/0.
• -m match Loads a match extension. The most important one is
conntrack: -m conntrack --ctstate ESTABLISHED,RELATED matches packets
that belong to (or are related to) a connection this host already
has, which is how you allow replies without opening inbound ports.
Another is limit, which caps how often a rule may match.
• -j target Specifies what to do if the packet matches the rule. You
can specify ACCEPT, REJECT, DROP, or LOG, or the name of a
user-defined chain. LOG only writes a kernel log message and does not
stop rule processing, so a LOG rule is normally followed by a DROP or
REJECT rule with the same match.
• -i interface Specifies the interface where a packet is received.
This only applies to INPUT and FORWARD chains.
• -o interface Specifies the interface where a packet is to be sent.
This applies only to OUTPUT and FORWARD chains.
The best way to learn how to use iptables is to look at some examples.
Table 17-4 has some sample iptables commands that you can start with.
You can use iptables to create a sophisticated array of rules that
control how data flows through the firewall. Most administrators use
the
–P option with iptables to set up the firewall’s default filtering
rules.
Once the default is in place, you use iptables to configure
exceptions to the default behavior needed by your particular network.
Remember that any rules you create with iptables live only in the
running kernel and are not persistent. If you reboot the system, they
will be lost by default.
To save your rules, you use the iptables-save command, which writes
every table to standard output (iptables-save > /etc/iptables/rules.v4,
for example). You can then use the iptables-restore command to load
them back from that file (iptables-restore < /etc/iptables/rules.v4).
Most distributions wrap this in a service that restores the saved
file at boot: the iptables-persistent package on Debian and Ubuntu
uses /etc/iptables/rules.v4, and the iptables-services package on Red
Hat and CentOS uses /etc/sysconfig/iptables. Finally, keep in mind
that iptables handles only IPv4. If your hosts have IPv6 addresses,
you need a matching ip6tables ruleset (saved with ip6tables-save), or
an attacker simply connects over IPv6 to a port you believed was
closed.
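The following script, added as an example and not taken from the book or from the netfilter project, puts the pieces of this section together: a deny-inbound-by-default design set with -P, exceptions appended with -A, a user-defined chain created with -N that logs before dropping, an emergency block inserted with -I and removed with -D, and iptables-save at the end. The interface name eth0, the admin network 192.0.2.0/24 and the save path /etc/iptables/rules.v4 are assumptions; override them through the environment. By default it only prints the iptables commands it would run, so you can review the ruleset on any machine; set DRY_RUN=0 and run it as root to apply it.

```shell
#!/bin/sh
# Host firewall with iptables, built to the "deny inbound by default,
# allow explicit exceptions" design. Added example, not code from the
# book. DRY_RUN=1 (the default) prints the iptables commands instead of
# running them; as root, DRY_RUN=0 applies them. Interface name, admin
# network and save path are ASSUMPTIONS; override them via environment.
export LC_ALL=C

DRY_RUN="${DRY_RUN:-1}"
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"                           # public-facing interface (assumed)
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"             # where SSH logins may come from (assumed)
SAVE_FILE="${SAVE_FILE:-/etc/iptables/rules.v4}"   # iptables-persistent path (Debian/Ubuntu)

# Run one iptables command, or in dry-run mode print it instead.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

apply_firewall() {
    # Clean slate: flush all rules, delete user-defined chains, zero counters.
    ipt -F
    ipt -X
    ipt -Z

    # Default policies, used when no rule matches. A policy can only be
    # ACCEPT or DROP here; REJECT is a rule target, not a policy.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback traffic is needed by many local services.
    ipt -A INPUT -i lo -j ACCEPT

    # Replies to connections this host opened; drop packets that conntrack
    # cannot place in any connection (bad TCP flags, out-of-window data).
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Ping, rate-limited so a flood cannot burn CPU on replies.
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT

    # SSH only from the admin network, never from the whole Internet.
    ipt -A INPUT -p tcp --dport 22 -s "$ADMIN_NET" -j ACCEPT

    # Public web server: TCP 80 and 443 on the outside interface
    # (multiport is the match extension that provides --dports).
    ipt -A INPUT -i "$WAN_IF" -p tcp -m multiport --dports 80,443 -j ACCEPT

    # Everything else: log a sample (LOG does not terminate, so it needs the
    # DROP after it), then drop. The chain must exist before INPUT jumps to it.
    ipt -N LOGDROP
    ipt -A LOGDROP -m limit --limit 3/min -j LOG --log-prefix "iptables-drop:" --log-level 4
    ipt -A LOGDROP -j DROP
    ipt -A INPUT -j LOGDROP
}

# Emergency block: insert at position 1 so it is evaluated before every
# other INPUT rule. Unblock deletes that rule by repeating its specification.
block_host()   { ipt -I INPUT 1 -s "$1" -j DROP; }
unblock_host() { ipt -D INPUT -s "$1" -j DROP; }

# Rules live only in the running kernel; write them out so they survive a
# reboot (iptables-persistent reloads this file at boot; other
# distributions use their own path and service).
save_firewall() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables-save > $SAVE_FILE"
    else
        iptables-save > "$SAVE_FILE"
    fi
}

apply_firewall
save_firewall
```

Apply it from the console the first time: if ADMIN_NET does not cover your workstation, the DROP policy cuts off your SSH session and there is no rule left to let you back in. Afterwards, iptables -L -n -v --line-numbers shows the rules, their numbers and their packet counters, which is the quickest way to see which rule is matching the traffic you expected to allow, and block_host is what you reach for when a single address is hammering the host and you do not want to wait for a rule rewrite.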
LX0-104 Exam Objectives (V and U, 323, 647 - 689)