In computing, a firewall is a piece of hardware and/or software which functions in a networked environment to prevent some communications forbidden by the security policy, analogous to the function of firewalls in building construction. A firewall is also called a Border Protection Device (BPD), especially in NATO contexts, or packet filter in BSD contexts.

A firewall has the basic task of controlling traffic between different zones of trust. Typical zones of trust include the Internet (a zone with no trust) and an internal network (a zone with high trust). The ultimate goal is to provide controlled connectivity between zones of differing trust levels through the enforcement of a security policy and connectivity model based on the least privilege principle.

Proper configuration of firewalls demands skill from the administrator. It requires considerable understanding of network protocols and of computer security. Small mistakes can render a firewall worthless as a security tool.

Types of firewalls

There are three basic types of firewalls depending on whether the communication is being done between a single node and the network, or between two or more networks
whether the communication is intercepted at the network layer, or at the application layer
whether the communication state is being tracked at the firewall or not
With regard to the scope of filtered communication there exist:

personal firewalls, a software application which normally filters traffic entering or leaving a single computer through the Internet
network firewalls, normally running on a dedicated network device or computer positioned on the boundary of two or more networks or DMZs (demilitarized zones). Such a firewall filters all traffic entering or leaving the connected networks.
The latter definition corresponds to the conventional, traditional meaning of “firewall” in networking.

In reference to the layers where the traffic can be intercepted, three main categories of firewalls exist:

network layer firewalls
application layer firewalls
application firewalls
These network-layer and application-layer types of firewall may overlap, even though the personal firewall does not serve a network; indeed, single systems have implemented both together.

There’s also the notion of application firewalls which are sometimes used during wide area network (WAN) networking on the world-wide web and govern the system software. An extended description would place them lower than application layer firewalls, indeed at the Operating System layer, and could alternately be called operating system firewalls.

Lastly, depending on whether the firewalls track packet states, two additional categories of firewalls exist:

stateful firewalls
stateless firewalls

Network layer firewalls
Main article: network layer firewall
Network layer firewalls operate at a (relatively low) level of the TCP/IP protocol stack as IP-packet filters, not allowing packets to pass through the firewall unless they match the rules. The firewall administrator may define the rules; or default built-in rules may apply (as in some inflexible firewall systems).

A more permissive setup could allow any packet to pass the filter as long as it does not match one or more “negative-rules”, or “deny rules”. Today network firewalls are built into most computer operating system and network appliances.

Modern firewalls can filter traffic based on many packet attributes like source IP, source port, destination IP or port, destination service like WWW or FTP. They can filter based on protocols, TTL values, netblock of originator, domain name of the source, and many other attributes.

Application-layer firewalls
Main article: application layer firewall
Application-layer firewalls work on the application level of the TCP/IP stack (i.e., all browser traffic, or all telnet or ftp traffic), and may intercept all packets traveling to or from an application. They block other packets (usually dropping them without acknowledgement to the sender). In principle, application firewalls can prevent all unwanted outside traffic from reaching protected machines.

By inspecting all packets for improper content, firewalls can even prevent the spread of the likes of viruses. In practice, however, this becomes so complex and so difficult to attempt (given the variety of applications and the diversity of content each may allow in its packet traffic) that comprehensive firewall design does not generally attempt this approach.

The XML Firewall exemplifies a more recent kind of application-layer firewall.

Proxies
A proxy device (running either on dedicated hardware or as software on a general-purpose machine) may act as a firewall by responding to input packets (connection requests, for example) in the manner of an application, whilst blocking other packets.

Proxies make tampering with an internal system from the external network more difficult, and misuse of one internal system would not necessarily cause a security breach exploitable from outside the firewall (as long as the application proxy remains intact and properly configured). Conversely, intruders may hijack a publicly-reachable system and use it as a proxy for their own purposes; the proxy then masquerades as that system to other internal machines. While use of internal address spaces enhances security, crackers may still employ methods such as IP spoofing to attempt to pass packets to a target network.

Network address translation
Firewalls often have network address translation (NAT) functionality, and the hosts protected behind a firewall commonly use so-called “private address space”, as defined in RFC 1918. Administrators often set up such scenarios in an effort (of debatable effectiveness) to disguise the internal address or network.

Check List for Linux Security

Linus Torvald of Finland. It has grown into a full-fledge 32-bit operating system. It is solid, stable and provides support for an incredible number of applications. It has very powerful capabilities and runs very fast and rarely crashes.

Unfortunately Linux machines are broken almost every day. This happens not because it is an insecure operating system. It contains all the necessary tools to make it very secure. But the truth is. It hasn’t become significantly more secure with the increase in popularity. On the other hand, our understanding of the hackers methods and the wide variety of tools and techniques available contributed to help system administrators to secure their Linux computers. Our goal in this article is to list the most critical situations, and how to prevent an invasion with simple measures.

1- Weak passwords ? By far the first and most used method used by hackers to try penetrating a Linux system is cracking a password, preferently of the user root. Usually they will target a common user first, and then, using his/her access to the operating system, try to get a privileged access cracking the root password. Good password policy, and good passwords are absolutely critical to the security on any computer. Some common mistakes when selecting a password:
A- use “password” as password.
B- use the name of the computer.
C- a well-know name from science, sports or politics.
D- reference to movies.
E- anything that is part of the user web site.
F? references associated with the account.

The latest version of Linux offer shadowed passwords. If a cracker can see an encrypted password, crack it would a simple task. So, instead of storing the password in the passwd file, they are now stored in the shadow file which is readable only for root. Before a hacker can crack a password he needs to figure out an account name. So, simple accounts names must be avoided as well. Another security measure is to apply a “no login” to the account in the passwd file. This must be done to all the accounts that don’t need to log in to the system. Examples are: apache, mysql, ftp and other.

Limit which terminals root may log in from. If the root account is allowed to log in only in certain terminals that are considered secure, it will be almost impossible for a hacker to penetrate the system. This can be done listing the allowed terminals on /etc/security. The login program will consider insecure any terminal that is not listed on this file, which is readable, only by root.

2- Open Network Ports

Any Linux default installation will provide the Operating System with tons of software and services. Several of them are not necessary or even wanted by the administrator. Removing these software and services will close the path to several attacks and improve security. The /sbin/chkconfig program can be used to stop services from automatically starting at run levels 3, 4 and 5. Log in as root and type /sbin/chkconfig –list to view all the services set to start automatically. Select the ones you don’t need and type /sbin/chkconfig 345 name_of_service off. You must do that to all services you don’t want to keep running. Also, the xinetd server can be used to disable other services as well.

3- Old Software Versions

Everyday vulnerabilities are found in programs, and most of them are fixed constantly. It is important, and sometimes critical, to keep up with the changes. There are mailing lists for every Linux distribution where one can have security related information’s, and the latest vulnerabilities found.
Some place to watch for security holes are:
? http://www.redhat.com/mailman/listinfo/redhat-announce-list
? http://www.debian.org/MailingLists/
? http://www.mandrakesecure.net/en/mlist.php
? http://www.suse.com/us/private/support/security/index.html
? http://www.freebsd.org/security/index.html
? http://www.linuxtoday.com/
? http://www.lwn.net/
It is crucial to insure that the security released patches are applied to the programs as soon as they area available. The hacker community will be aware of the discovered holes and will try to explore them before the fixes are applied.

4- Insecure and Badly Configured Programs

There are some programs that have a history of security problems. To name a few IMAP, POP, FTP, port map and NFS, are the most known. The good thing is that most of these programs can be replaced by a secure version like spop, sftp or scp.

It is important that, before deploying any service, the administrator investigate its security history. Sometimes simple configuration measures can prevent serious headaches in the future.

Some advices regarding a web server configuration are well worth to mention:

- Never run the web server as a privileged user;
- Do not keep clients’ confidential data on the web server ? Credit card numbers, phone numbers, mailing addresses, must be recorded on a different machine.
- Make sure the privileged data that a user supplies on a form does not show up as a default for the next person to use the form;
- Establish acceptable values for data that is supplied by web clients.
- Check vulnerabilities on CGI programs.

5- Stale and Unnecessary Accounts

When a user no longer uses his /her account, make sure it is removed from the system. This stale account won’t have this password changed periodically leaving a hole. Publicly readable or writable files owned by that account must be removed. When you remove an unnecessary service make sure you remove or disable the correspondent account.

Security Resources in the web

Bugtraq ? Includes detailed discussions of Unix security holes
http://www.securityfocus.com/

Firewalls ? Discuss the design, construction, operation, and maintenance of firewall systems.

http://www.isc.org/services/public/lists/firewalls.html

RISKS Discuss risks to society from computers

http://www.risks.org/

Insecure.org

http://www.insecure.org/

IPtables is a tool to that performs packet filtering in Linux 2.4 kernel. It is a replacement for ipchains in the previous versions. The entire data transfered through networks is in form of packets.The headers of the packets give us the information that is required for making routing decisions and other administrative details. The actual data that is being transfered belongs to the body. To filter packets, its header is examined and appropriate action is taken.

The question then arises why do we need to examine the header and filter the packets? The most important reason would be enhance the security of the network. For example we might want to protect our system from malicious outsiders. Another reason is we might want to restrict or control the usage of the resource that belongs to our network. For example we might want to allow only limited ammount of traffic to pass through.

Basic Format
Tables
The first option is table. There are three kinds of tables namely nat, mangle and filter.
Nat: This table is used for network address translation. There are three chains PREROUTING, OUTPUT and POSTROUTING. Prerouting chain is used to alter the packets as soon as they enter the firewall. Output chain is used to alter the packets locally generated. And postrouting chain is used to alter the packets as they are leaving the firewall
Mangle: This table is used to mangle packets and has two default chains. This table should not be used to either filter packet or do any address translation. The two default chains are PREROUTING and OUTPUT. As with prerouting in Nat table here also it is used to mangle packets as they enter the firewall. And the output is used to mangle packets that are generated locally. This table changes different packets and how their headers appear. For example TTL or TOS.
Filter: This is used to actually filter the packets and if the tables option is not specified then the command is applied to this tables. There are three kinds of chains the INPUT, OUTPUT and FORWARD. The input chain is used on the packets that are destined for local host. Output as in the above cases is used on the locally generated packets. And forward is used on all other chains. The action that can be taken is DROP, LOG, ACCEPT or REJECT on each chain.

Read More…