1
Unix Web servers and Firewall
pp. 200 and 387 to 411 – Web Security by Lincoln D. Stein
2
Unix Server (continued)
Monitor the integrity of system files and binaries
Back up your system
3
Monitor the integrity of system files and binaries
• The goal is to detect whether system files and binaries have been modified by an intruder.
• The approach is to run a program that generates a fingerprint (a cryptographic checksum) of each ESSENTIAL file, for example with md5sum (MD5 checksum).
• Compare the fingerprints a few days later and investigate any discrepancy.
• Keep the baseline of fingerprints somewhere an intruder with root on the server cannot alter it (read-only or off-line media); otherwise the intruder simply updates the baseline along with the files. Today SHA-256 is preferred to MD5, for which collisions can be constructed.
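An added example (not from the slides or from Stein's book) of the fingerprint-and-compare procedure above, in Python. It builds a baseline of SHA-256 fingerprints for a constructed list of essential files, then re-checks them after a simulated intruder swaps one binary for a trojaned copy of the same size and deletes another. The file names and contents are made up for the demonstration; the baseline dictionary would in practice be written to read-only media.

```python
"""Added example (not from the slides or Stein's book): fingerprint essential
files, store a baseline, and report anything that changed later.
SHA-256 is used instead of the md5sum the slide mentions."""
import hashlib
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, essential: list) -> dict:
    """Map each essential file (path relative to root) to its fingerprint.
    In practice this dictionary goes to read-only or off-line storage."""
    return {rel: fingerprint(root / rel) for rel in essential}


def compare(root: Path, baseline: dict) -> dict:
    """Re-fingerprint every baseline entry; classify modified and missing files."""
    report = {"modified": [], "missing": []}
    for rel, expected in baseline.items():
        p = root / rel
        if not p.exists():
            report["missing"].append(rel)
        elif fingerprint(p) != expected:
            report["modified"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: a fake system tree is fingerprinted, then an
    'intruder' replaces bin/ps with a same-size trojan and deletes etc/passwd."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {  # constructed contents, not real binaries
            "bin/ls": b"ELF ls binary",
            "bin/ps": b"ELF ps binary",
            "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
        }
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        baseline = build_baseline(root, list(files))
        # Same length as the original, so a size check alone would miss it.
        (root / "bin/ps").write_bytes(b"ELF ps trojan")
        (root / "etc/passwd").unlink()
        return compare(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The trojaned copy has exactly the same size as the original, which is why a content hash rather than a size or timestamp comparison is the check that catches it.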
4
Back up the system
• It is common for system administrators to perform regular backups of essential files.
• The tar program (a standard Unix command) is a common utility for performing backups.
• A backup is only useful if it can be restored: test restoring from it, and keep copies off the server so that an intruder who gains root cannot destroy them along with the live data.
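An added example of a tar backup with a restore check, using Python's tarfile module rather than the tar command the slide names (this is not code from the slides). It archives a constructed directory tree, then verifies every regular file in the archive against the live tree by content hash and permission bits, which is the check that tells you a backup is actually usable. Paths and contents are constructed for the demonstration.

```python
"""Added example (not from the slides): back up a directory tree with tar
(Python's tarfile) and verify the archive against the live tree."""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def backup_tree(src: Path, archive: Path) -> int:
    """Write a gzip-compressed tar of src using paths relative to src.
    Returns the number of regular files archived."""
    count = 0
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            tar.add(p, arcname=str(p.relative_to(src)), recursive=False)
            if p.is_file():
                count += 1
    return count


def verify_backup(archive: Path, src: Path) -> list:
    """Read every regular file straight out of the archive (no extraction
    needed) and compare content hash and permission bits with the live tree.
    Returns a list of problems; an empty list means the backup matches."""
    problems = []
    with tarfile.open(archive, "r:gz") as tar:
        for m in tar.getmembers():
            if not m.isfile():
                continue
            live = src / m.name
            if not live.is_file():
                problems.append(f"{m.name}: missing from live tree")
                continue
            if sha256_bytes(tar.extractfile(m).read()) != sha256_bytes(live.read_bytes()):
                problems.append(f"{m.name}: content differs")
            if (m.mode & 0o777) != (live.stat().st_mode & 0o777):
                problems.append(f"{m.name}: mode differs")
    return problems


def demo() -> tuple:
    """Constructed tree: a private config file and a public page. Back it up,
    verify (clean), then change the page and verify again (one finding)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "www"
        (src / "etc").mkdir(parents=True)
        (src / "htdocs").mkdir()
        conf = src / "etc" / "httpd.conf"
        conf.write_bytes(b"ServerRoot /www\n")
        os.chmod(conf, 0o600)  # private file; the check confirms tar kept the mode
        page = src / "htdocs" / "index.html"
        page.write_bytes(b"<h1>hello</h1>\n")
        archive = Path(tmp) / "www-backup.tar.gz"
        n = backup_tree(src, archive)
        clean = verify_backup(archive, src)
        page.write_bytes(b"<h1>defaced</h1>\n")  # simulate a later change
        drifted = verify_backup(archive, src)
        return n, clean, drifted


if __name__ == "__main__":
    print(demo())
```

Run immediately after the backup, an empty problem list confirms the archive is complete and readable; run later, the same check doubles as a crude change detector for the Web tree.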
5
Server Security Checklist (1) – from the administrator's viewpoint
Have you installed all security-related patches?
Have you disabled all unnecessary services?
Have you run a security scanner on your system? (lab 10)
Does the server do double duty as a user workstation?
Are the Web server's file permissions reasonable?
6
Server Security Checklist (2)
Is the Web server running as root? (It should run as an unprivileged user.)
Is the Web server running any unnecessary features?
Have you limited the number of user accounts on the server?
Do you monitor the system logs and the Web server logs?
Do you monitor the integrity of the host?
Do you back up your system?
7
Summary on Unix Web servers (learnt last week)
• Harden the Unix Web server as much as possible (patch, disable unneeded features, ...).
• Configure the Web server properly (reduce the number of users, set file and directory access rights, ...).
• Monitor the logs (error log and system log), and run fingerprint checks on system files.
• Back up your files (for example with the tar command).
8
Web servers & Firewall - Overview (this week)
• What is a firewall?
• How to select a firewall?
• How to configure a firewall?
• Automatic proxy configuration for browsers
• Examining firewall logs for signs of server compromise
9
Picture – Two firewalls with the Internet: they restrict some incoming and outgoing traffic based on rules
10
What is a firewall? – the Great Wall (a wall to keep people out)
Picture from http://ljq.free163.net/shgc/wlcc.htm
11
Water wall (moat) – keeps the enemy out, protects the castle
Picture from edtech.floyd.edu/~lnewby/feudal_japan.htm
12
What is a firewall?
• In a traditional LAN every workstation can reach the Internet directly, so every workstation is equally exposed to attack from outside.
• Compromising just one weak host is enough to break into the network.
• A firewall addresses this problem by placing a single, specially configured machine between the outside world and the internal machines to control all traffic between them.
13
The location of a firewall
• All traffic must go through the proxy server (which is also the firewall), which then decides whether to accept or reject the traffic.
14
Two basic Firewall Systems
There are two basic implementations for firewalls.
• Dual-homed gateway firewall: the gateway machine has two network interface cards, one connected to the LAN (inner network) and one connected to the Internet (outer network).
• Screened-host gateway: a router sits between the outer and inner networks and forwards all traffic between them only via the gateway host.
15
Dual-homed gateway firewall
• By default the two networks are isolated: the gateway does not forward packets between its two interfaces, so direct traffic is blocked.
• However, the inner and outer networks do need to communicate, and this happens only through specialised programs called proxies (there are many proxy programs with firewall features) running on the gateway.
16
Screened-host gateway
• A network router is used to control access to the inner network. The router restricts communication between the outer and inner networks.
• It ensures that packets from the Internet can reach only the well-secured proxy host, which then examines the data.
In fact, from the point of view of the traffic there is no effective difference between the dual-homed and screened-host designs: in both, everything must pass through the proxy.
17
Notes about firewalls
• Many companies use "firewall" systems that are not strictly firewalls: they only block traffic known to be dangerous.
• The essence of a firewall system is to allow or deny passage to network traffic. Application-level firewalls do this per communications protocol, such as HTTP, e-mail or FTP (you need to configure the rules for each).
• For example, if you decide to block all ActiveX, you program the HTTP proxy to inspect the contents of all HTML pages and block those that contain ActiveX.
18
Select a firewall system (1)
• Because of the large number of competing firewall vendors it can be difficult to choose. Below is a checklist.
Operating system: Firewall products are available for both Unix (Linux) and Windows XP systems. Neither has a clear advantage over the other; if you are familiar with Unix, choose it.
Protocols used: All firewalls handle FTP, e-mail, HTTP, NNTP, telnet etc., but some might not handle SNMP or RealAudio etc. Choose one that satisfies your needs.
19
Select a firewall system (2)
• Filter types: Network filters based on application-level proxies give the administrator fine control over what passes across the firewall. Circuit-level proxies, like IP packet-filtering systems, have better performance but inspect less.
• Logging: A firewall performs exhaustive logging and should come with tools to analyse and summarise the logs.
• Administration: Some firewalls are configured through graphical user interfaces, others are text only.
20
Select a firewall system (3)
• Simplicity: Good firewall systems are simple. The proxies are small and easy to understand.
• Tunneling: Some firewall systems provide the ability to set up an encrypting tunnel across the Internet in order to securely connect two networks. (Tunneling is the transmission of data intended for use only within a private, usually corporate, network through the Internet in such a way that the routing nodes in the Internet are unaware that the transmission is part of a private network. A VPN is an example.)
21
Products (no need to memorise)
Product      Feature
AltaVista    Uses a combination of packet filters, application-level proxies and circuit-level proxies
BorderWare   A Unix-only system with both application-level and packet-level filtering
CyberGuard   Unix; supports packet filtering, application-level and circuit-level proxies
Eagle        Uses application-level and circuit-level proxies; available for NT and Unix machines
Firewall-1   Packet filtering and stateful inspection, for NT and Unix
Gauntlet     Available as a software-only package or as a turnkey combination
22
How to configure a firewall?
As there are many commercial products, each with different commands and approaches, we describe the filtering rules here with a table that is independent of any product.
Two questions to answer:
1. Outgoing Web access: how to allow people within your organisation to safely browse the Web;
2. Incoming Web access: how to make your organisation's public Web site available to the rest of the world?
23
A simple example – packet filter – IE and FTP
Assume that you need to provide filter exceptions for outgoing connections to HTTP (port 80) and FTP (port 21), and for the data sent back in response to those connections. (RULE)

Action  Src              Port  Dest  Port  Flags  Comment
Block   *                *     *     *     *      Block all
Allow   [internal user]  *     *     80    *      Browse outside (iexplorer – outgoing)
Allow   *                80    *     *     ACK    IE – incoming
Allow   [internal user]  *     *     21    *      ftp – outgoing
Allow   *                21    *     *     ACK    ftp – incoming
(important)
24
Explanation
• The first column indicates whether the rule allows or blocks the traffic.
• The second and third columns identify the source of the traffic: source address and source port.
• The fourth and fifth columns identify the destination: destination address and destination port.
• Flags indicates whether the rule applies only to packets with the TCP ACK bit set, i.e. packets belonging to a connection that is already established. The ACK on the incoming rules is what stops an outsider from opening a new connection to an internal host simply by sending from source port 80 or 21: the first packet of a new connection (SYN) carries no ACK bit and is therefore blocked.
• The rules are read as a default "Block all" followed by the exceptions: a packet matching an Allow row passes, anything else is dropped.
• Caveat: this table covers only the FTP control channel (port 21). In active-mode FTP the server opens the data connection back to the client from port 20, which these rules block, so clients must use passive mode or the filter must also allow the data channel.
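The rule table above, turned into a small evaluator (an added example, not the slides' or any product's code). Assumptions: internal hosts are the 189.45.56.0/24 network used later in these slides, and rows are evaluated in order with the last matching row deciding, which is how the table reads (a default Block row followed by exceptions). The demonstration packets are constructed. It shows why the ACK flag matters: a reply from port 80 is accepted, but an outsider's connection attempt from source port 80 is not, and it also shows that the table blocks an active-mode FTP data connection arriving from port 20.

```python
"""Added example (not the slides' or any product's code): evaluate the
product-independent packet-filter table from the slide against sample
packets. Assumed semantics: rows are scanned in order and the last matching
row decides, so the 'Block all' row is the default and later Allow rows are
the exceptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("189.45.56.0/24")  # assumed internal network (the slides' Class C)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool  # TCP ACK bit: set on every packet except the first of a new connection


@dataclass(frozen=True)
class Rule:
    action: str      # "Allow" or "Block"
    src: str         # "*", "internal", or a network in CIDR form
    sport: object    # "*" or a port number
    dst: str
    dport: object
    flags: str       # "*" or "ACK"
    comment: str = ""

    @staticmethod
    def _addr_ok(spec: str, addr: str) -> bool:
        if spec == "*":
            return True
        if spec == "internal":
            return ip_address(addr) in INTERNAL
        return ip_address(addr) in ip_network(spec, strict=False)

    def matches(self, p: Packet) -> bool:
        return (self._addr_ok(self.src, p.src)
                and self.sport in ("*", p.sport)
                and self._addr_ok(self.dst, p.dst)
                and self.dport in ("*", p.dport)
                and (self.flags == "*" or (self.flags == "ACK" and p.ack)))


def decide(rules: list, p: Packet) -> str:
    """Default Block; the last matching row overrides earlier ones."""
    verdict = "Block"
    for r in rules:
        if r.matches(p):
            verdict = r.action
    return verdict


# The slide's table: outgoing HTTP and FTP control, replies only with ACK set.
SLIDE_RULES = [
    Rule("Block", "*", "*", "*", "*", "*", "Block all"),
    Rule("Allow", "internal", "*", "*", 80, "*", "browse outside (outgoing)"),
    Rule("Allow", "*", 80, "*", "*", "ACK", "HTTP replies (incoming)"),
    Rule("Allow", "internal", "*", "*", 21, "*", "ftp control (outgoing)"),
    Rule("Allow", "*", 21, "*", "*", "ACK", "ftp control replies (incoming)"),
]


def demo() -> dict:
    """Constructed packets: 189.45.56.10 is an internal workstation and
    203.0.113.5 is a server on the Internet."""
    cases = {
        "http_request_out": Packet("189.45.56.10", 40000, "203.0.113.5", 80, ack=False),
        "http_reply_in": Packet("203.0.113.5", 80, "189.45.56.10", 40000, ack=True),
        "outsider_syn_from_port_80": Packet("203.0.113.5", 80, "189.45.56.10", 22, ack=False),
        "outsider_to_internal_web": Packet("203.0.113.5", 40000, "189.45.56.10", 80, ack=False),
        "ftp_control_out": Packet("189.45.56.10", 40001, "203.0.113.5", 21, ack=False),
        "ftp_active_data_in": Packet("203.0.113.5", 20, "189.45.56.10", 40002, ack=False),
    }
    return {name: decide(SLIDE_RULES, p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} {verdict}")
```

Accepting any packet with the ACK bit set is a weak substitute for tracking connections: an attacker can still send ACK-flagged probes to internal hosts. That is the gap the stateful inspection listed for Firewall-1 in the product table closes, by admitting replies only for connections the firewall has actually seen opened from inside.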
25
Another simple example – block IE and allow FTP
Assume that you need to provide filter exceptions only for outgoing connections to FTP (port 21) and the data sent back in response to those connections. We simply block all traffic except FTP.

Action  Src              Port  Dest  Port  Flags  Comment
Block   *                *     *     *     *      Block all
Allow   [internal user]  *     *     21    *      ftp – outgoing
Allow   *                21    *     *     ACK    ftp – incoming
(important)
26
Picture – the Gopher protocol is blocked; the rule table is held in the proxy
27
A simple example – application level – outgoing, Linux environment (no need to memorise step by step, but you have to understand it)
• If the firewall uses application-level proxies to provide Internet access, we need to enable a separate proxy for each of the protocols commonly used on the Web, such as HTTP, FTP and SSL. Below is an example for FTP for the Class C network 189.45.56.0/24:
#rules for the FTP gateway
ftp-gw: denial-msg /usr/local/etc/ftp-deny.txt
ftp-gw: welcome-msg /usr/local/etc/ftp-welcome.txt
ftp-gw: help-msg /usr/local/etc/ftp-help.txt
ftp-gw: timeout 3600
ftp-gw: deny-hosts unknown
ftp-gw: permit-hosts 189.45.56.*
#rules for the http/gopher gateway
http-gw: permit-hosts 189.45.56.*
28
Explanation
• The first four ftp-gw lines set up defaults for the FTP proxy: the message files shown to users and the idle timeout.
• The line containing deny-hosts prohibits use of the proxy by any machine without a domain name system entry (the keyword unknown matches a client whose address does not resolve to a name).
• The line containing permit-hosts allows any host in the internal network to use the proxy; all others are prohibited by default (here permit-hosts 189.45.56.*, i.e. any host on that network).
• Order matters: deny-hosts unknown is listed before permit-hosts, so an internal machine with no reverse DNS entry is refused even though its address is on the permitted network.
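An added example that parses the per-proxy rule file above and answers "may this client use this gateway?". It is not the firewall toolkit's code; the semantics it models are an assumption stated plainly: rules for a gateway are checked in the order written, the first deny-hosts or permit-hosts pattern that matches decides, unknown matches a client with no reverse-DNS name, and a client matching nothing is denied. The client addresses and names are constructed.

```python
"""Added example (not the firewall toolkit's code): parse per-proxy rules in
the format shown on the slide and decide whether a client may use a gateway.
Assumed semantics: rules for a gateway are checked in the order written, the
first deny-hosts / permit-hosts pattern that matches the client decides,
'unknown' matches a client with no reverse-DNS name, and a client that
matches nothing is denied."""
import fnmatch
from typing import Optional

# The slide's rule file (paths corrected to /usr/local/etc).
NETPERM_TABLE = """\
#rules for the FTP gateway
ftp-gw: denial-msg /usr/local/etc/ftp-deny.txt
ftp-gw: welcome-msg /usr/local/etc/ftp-welcome.txt
ftp-gw: help-msg /usr/local/etc/ftp-help.txt
ftp-gw: timeout 3600
ftp-gw: deny-hosts unknown
ftp-gw: permit-hosts 189.45.56.*
#rules for the http/gopher gateway
http-gw: permit-hosts 189.45.56.*
"""


def parse(table: str) -> dict:
    """Group 'gateway: keyword args...' lines by gateway; skip comments/blanks."""
    rules = {}
    for raw in table.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        gateway, rest = line.split(":", 1)
        keyword, *args = rest.split()
        rules.setdefault(gateway.strip(), []).append((keyword, args))
    return rules


def host_matches(pattern: str, ip: str, name: Optional[str]) -> bool:
    """'unknown' matches a client with no reverse-DNS name; any other pattern
    is a shell-style wildcard tested against the address and the name."""
    if pattern == "unknown":
        return name is None
    return fnmatch.fnmatchcase(ip, pattern) or (
        name is not None and fnmatch.fnmatchcase(name, pattern))


def allowed(rules: dict, gateway: str, ip: str, name: Optional[str]) -> bool:
    """First matching deny-hosts / permit-hosts rule wins; default deny."""
    for keyword, args in rules.get(gateway, []):
        if keyword not in ("permit-hosts", "deny-hosts"):
            continue  # defaults such as timeout and message files
        if any(host_matches(p, ip, name) for p in args):
            return keyword == "permit-hosts"
    return False


def setting(rules: dict, gateway: str, keyword: str) -> Optional[str]:
    """Return a proxy default such as the timeout, or None if not set."""
    for k, args in rules.get(gateway, []):
        if k == keyword:
            return " ".join(args)
    return None


def demo() -> dict:
    """Constructed clients: an internal host with and without a reverse-DNS
    name, and an outside host. Shows that rule order matters."""
    rules = parse(NETPERM_TABLE)
    return {
        "ftp_internal_named": allowed(rules, "ftp-gw", "189.45.56.7", "ws7.corp.example"),
        "ftp_internal_unknown": allowed(rules, "ftp-gw", "189.45.56.7", None),
        "ftp_outsider": allowed(rules, "ftp-gw", "203.0.113.9", "host.example.net"),
        "http_internal_unknown": allowed(rules, "http-gw", "189.45.56.7", None),
        "telnet_no_rules": allowed(rules, "telnet-gw", "189.45.56.7", "ws7.corp.example"),
        "ftp_timeout": setting(rules, "ftp-gw", "timeout"),
    }


if __name__ == "__main__":
    print(demo())
```

The two ftp-gw results for the same internal address, one with a name and one without, are the point of the deny-hosts unknown line: the address alone is not enough once that rule precedes the permit. The http-gw has no such line, so the same nameless client is accepted there.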
29
Incoming Web access
• Once we have solved the problem of outgoing Web access, we need to consider incoming Web access.
• There are many possibilities (Web server on the proxy, Web server inside the LAN, Web server outside the LAN). Here we introduce:
– Judas server – proxy and Web server on one machine
– Sacrificial Lamb – Web server outside the firewall
– Private Affair – Web server inside the firewall
– Doubly Fortified Server – multiple levels of firewall/proxy to separate networks
30
Judas – combining the proxy and the Web server (not a good idea)
• It is not a good idea to run the proxy and the Web server on the same machine.
• This is because a Web server cannot be trusted to be bug-free.
• Any security hole in the Web server also compromises the proxy, and with it the whole firewall.
31
The Sacrificial Lamb (access by outsiders)
• The safest place for a public Web server is outside the firewall, since it is intended for public use anyway.
• Because communication between the LAN and the public Web server is restricted, it is difficult to use file sharing or remote login to update the material on the Web server.
32
The Private Affair Server (filter everything first)
• If the Web server is not intended to be publicly available, the best location for it is behind the firewall.
• This is the choice for a server that holds confidential or sensitive information.
33
The Doubly Fortified Server
• If your Web server holds highly confidential information, you should place it as far from the Internet as possible, behind multiple levels of firewall. (You have to set up a private, internal firewall system of your own in addition to the main one.)
34
Running a reverse Web proxy
• The primary mission of firewall proxies is to allow people inside the organisation to make outgoing connections to servers on the Internet.
• Their desktop software connects to a proxy on the firewall; the proxy relays the request to the Internet server and forwards the server's response back.
• It is also possible to use application-level proxies in the reverse direction, to grant people on the Internet controlled access to an internal Web server.
35
Picture – Flow of information through the bastion host (firewall)
36
Hybrid Server
• The hybrid approach combines two of the above: a public Web server on an external sacrificial-lamb host, and a reverse proxy on the firewall.
• In this configuration an internal server is maintained behind the firewall and kept completely inaccessible from the outside world.
37
Picture – Hybrid approach, with the bastion host (firewall) in the middle
38
Summary
• A firewall filters out unwanted traffic.
• It limits both incoming and outgoing traffic.
• Criteria for selecting a firewall.
• Configuring a firewall – at the application level (IE, e-mail) or at the packet level (IP or TCP).
• Incoming Web access – Judas server, Sacrificial Lamb, Private Affair, Doubly Fortified Server, reverse Web proxy, etc.
39
Next Week
Policy and Law

IT Power Management Strategy
 
Excel and SQL Quick Tricks for Merchandisers
Excel and SQL Quick Tricks for MerchandisersExcel and SQL Quick Tricks for Merchandisers
Excel and SQL Quick Tricks for Merchandisers
 
OLUG_xen.ppt
OLUG_xen.pptOLUG_xen.ppt
OLUG_xen.ppt
 
Parallels Hosting Products
Parallels Hosting ProductsParallels Hosting Products
Parallels Hosting Products
 
Microsoft PowerPoint presentation 2.175 Mb
Microsoft PowerPoint presentation 2.175 MbMicrosoft PowerPoint presentation 2.175 Mb
Microsoft PowerPoint presentation 2.175 Mb
 
Reseller's Guide
Reseller's GuideReseller's Guide
Reseller's Guide
 

Unix Web servers and FireWall

  • 1. Unix Web servers and Firewall (pp. 200 and 387 to 411, Web Security by Lincoln D. Stein)
  • 2. Unix Server (continued)
    – Monitor the integrity of system files and binaries
    – Back up your system
  • 3. Monitor the integrity of system files and binaries
    – The purpose is to detect whether files have been modified by intruders.
    – The approach is to run a program that generates a fingerprint of each essential file (for example md5sum, the MD5 checksum).
    – Compare the fingerprints a few days later and look for any discrepancy.
    (Slide note: .sys and .win)
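The fingerprint-and-compare procedure from slide 3, as an added Python example (not from the lecture or from Stein's book): it baselines MD5 fingerprints of a set of files, then reports which of them changed, disappeared or appeared. The directory, file names and contents are constructed for the demonstration.

```python
"""Fingerprint-and-compare integrity check (slide 3), example code only."""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List

# MD5 matches the md5sum tool named on the slide; current integrity
# checkers prefer SHA-256 because MD5 collisions are practical.
def fingerprint(path: str, algo: str = "md5") -> str:
    """Return the hex digest of one file, hashed in 64 KiB chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan(directory: str) -> List[str]:
    """List the regular files in one directory (the 'essential files')."""
    return sorted(p for p in (os.path.join(directory, n) for n in os.listdir(directory))
                  if os.path.isfile(p))

def baseline(paths: Iterable[str]) -> Dict[str, str]:
    """Record {path: digest} for every essential file; keep this copy offline."""
    return {p: fingerprint(p) for p in paths}

def compare(saved: Dict[str, str], current_paths: Iterable[str]) -> Dict[str, List[str]]:
    """Re-fingerprint the files and classify every discrepancy."""
    current = {p: fingerprint(p) for p in current_paths}
    report: Dict[str, List[str]] = {"modified": [], "missing": [], "new": []}
    for path, digest in saved.items():
        if path not in current:
            report["missing"].append(path)
        elif current[path] != digest:
            report["modified"].append(path)
    report["new"] = [p for p in current if p not in saved]
    return report

def run_demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline three stand-in binaries, then alter
    one, delete one and drop an unexpected file into the directory."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    for name in ("ls", "login", "httpd"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"original contents of " + name.encode())
    saved = baseline(scan(root))          # day 0: record the fingerprints

    with open(os.path.join(root, "login"), "ab") as fh:
        fh.write(b"\x00")                 # a single extra byte changes the digest
    os.remove(os.path.join(root, "httpd"))
    with open(os.path.join(root, "unexpected"), "wb") as fh:
        fh.write(b"file that was not in the baseline")

    report = compare(saved, scan(root))   # a few days later: re-check
    return {k: sorted(os.path.basename(p) for p in v) for k, v in report.items()}

if __name__ == "__main__":
    for kind, names in run_demo().items():
        print(f"{kind:9}: {', '.join(names) or '-'}")
```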
  • 4. Back up the system
    – It is common for system administrators to perform regular backups of essential files.
    – The tar program is a common utility for performing backups.
    (Slide note: tar is a Unix command)
  • 5. Server Security Checklist (1) – from the administrator's viewpoint
    – Have you installed all security-related patches?
    – Have you disabled all unnecessary services?
    – Have you run a security scanner on your system? (lab 10)
    – Does the server do double duty as a user workstation?
    – Are the Web server's file permissions reasonable?
  • 6. Server Security Checklist (2)
    – Is the Web server running as root? (/)
    – Is the Web server running any unnecessary features?
    – Have you limited the number of users?
    – Do you monitor the system and Web page logs?
    – Do you monitor the integrity of the host?
    – Do you back up your system?
  • 7. Summary on Unix Web servers (slide note: learnt last week)
    – Harden the Unix Web server as far as possible (patch, disable features, ...).
    – Configure the Web server properly (reduce the number of users, set file/directory access rights, ...).
    – Monitor the logs (error log and system log; you might also run fingerprints).
    – Back up your files (use the tar command).
  • 8. Web servers & Firewall – Overview (slide note: this week)
    – What is a firewall?
    – How to select a firewall?
    – How to configure a firewall?
    – Automatic proxy configuration for browsers
    – Examining firewall logs for signs of server compromise
  • 9. Figure: two firewalls with the Internet – restrict some incoming and outgoing traffic based on rules.
  • 10. What is a firewall? – the Great Wall (a wall to keep people out); picture from http://ljq.free163.net/shgc/wlcc.htm
  • 11. Water wall – keeps the enemy out and protects the castle; picture from edtech.floyd.edu/~lnewby/feudal_japan.htm
  • 12. What is a firewall?
    – In a traditional LAN, every workstation can access the Internet, so every workstation is equally exposed to attack from outside.
    – A single weak host is enough to break the whole system.
    – A firewall addresses this problem by placing a special, configurable machine between the outside world and the internal machines to control the traffic.
  • 13. The location of a firewall
    – All traffic must go through the proxy server (which is also the firewall), which then decides to accept or reject the traffic.
  • 14. Two basic firewall systems
    There are two basic implementations for firewalls:
    – Dual-homed gateway firewall: the gateway machine has two network interface cards, one connected to the LAN (inner network) and one to the Internet (outer network).
    – Screened-host gateway: a router forwards all the traffic to and from the outer and inner networks.
  • 15. Dual-homed gateway firewall (slide note: block)
    – By default, the two networks are isolated.
    – However, the inner and outer networks need to communicate, which happens through specialised programs called proxies (many programs with firewall features).
  • 16. Screened-host gateway
    – A network router is used to control access to the inner network. The router restricts communication between the outer and inner networks.
    – It ensures that packets from the Internet reach the well-secured proxy, which then examines the data.
    In fact, there is no effective difference between the dual-homed and screened-host designs.
  • 17. Notes about firewalls
    – Many companies use firewall systems that are not strictly firewalls: they are used only to block dangerous traffic.
    – The essence of a firewall system is to allow or deny passage to network traffic. The rules work at the application level for particular communication protocols such as HTTP, e-mail and FTP (you need to configure the rules).
    – For example, if you decided to block all ActiveX, you would program the proxy to check the contents of all HTML and block the pages that contain ActiveX.
  • 18. Select a firewall system (1)
    – Because of the large number of competing firewall vendors, it can be difficult to choose. Below is a checklist.
    – Operating system: firewall products are available for both Unix (Linux) and Windows XP systems. Neither has an advantage over the other; if you are familiar with Unix, choose it.
    – Protocols used: all firewalls will handle FTP, e-mail, HTTP, NNTP, telnet etc., but some might not handle SNMP or RealAudio. Choose one that satisfies your needs.
  • 19. Select a firewall system (2)
    – Filter types: network filters based on application-level proxies give the programmer control over what passes across the firewall. Filters based on circuit-level proxies, such as IP packet-filtering systems, have better performance.
    – Logging: a firewall performs exhaustive logging, with tools to analyse and summarise the log.
    – Administration: some firewalls are configured with graphical user interfaces, others use text only.
  • 20. Select a firewall system (3)
    – Simplicity: good firewall systems are simple. The proxies are small and easy to understand.
    – Tunneling: some firewall systems can set up an encrypting tunnel across the Internet in order to connect two networks securely. (Tunneling is the transmission of data intended only for a private, usually corporate, network through the Internet in such a way that the Internet's routing nodes are unaware that the transmission is part of a private network. A VPN is an example.)
  • 21. Products (slide note: no need to memorise)
    Product    | Feature
    AltaVista  | Uses a combination of packet filters, application-level proxies and circuit-level proxies
    BorderWare | A Unix-only system for both application-level and packet-level filtering
    CyberGuard | Unix; supports packet filtering, application-level and circuit-level proxies
    Eagle      | Uses application-level and circuit-level proxies; available for NT and Unix machines
    Firewall-1 | Packet filtering and stateful inspection for NT and Unix
    Gauntlet   | Available as a software-only package or as a turnkey combination
  • 22. How to configure a firewall?
    As there are many commercial products with different commands and approaches, we use a table to describe the routing information, independent of any product.
    Outgoing Web access:
    1. How to allow people within your organisation to browse the Web safely;
    2. How to make your organisation's public Web site available to the rest of the world?
  • 23. A simple example – packet filter – IE and FTP (slide note: important)
    Assume that you need to provide filter exceptions for outgoing connections to HTTP (port 80) and FTP (port 21) and for the data sent back in response to those connections. (RULE)
    Action | Src             | Port | Dest | Port | Flags | Comment
    Block  | *               | *    | *    | *    | *     | Block all
    Allow  | [internal user] | *    | *    | 80   | *     | Browse outside (iexplorer – outgoing)
    Allow  | *               | 80   | *    | *    | ACK   | ie – incoming
    Allow  | [internal user] | *    | *    | 21   | *     | ftp – outgoing
    Allow  | *               | 21   | *    | *    | ACK   | ftp – incoming
  • 24. Explanation
    – The first column indicates whether the traffic is allowed or blocked.
    – The second and third columns indicate the source of the traffic; the port number is specified as well.
    – The fourth and fifth columns indicate the destination of the outgoing traffic; again, the port number is specified as well.
    – Flags indicates whether the packet is an acknowledgement (ACK).
  • 25. Another simple example – block IE and allow FTP (slide note: important)
    Assume that you need to provide filter exceptions for outgoing connections to FTP (port 21) and for the data sent back in response to those connections. We simply block all traffic except FTP.
    Action | Src             | Port | Dest | Port | Flags | Comment
    Block  | *               | *    | *    | *    | *     | Block all
    Allow  | [internal user] | *    | *    | 21   | *     | ftp – outgoing
    Allow  | *               | 21   | *    | *    | ACK   | ftp – incoming
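The two rule tables from slides 23 and 25 evaluated in Python, as an added example that is not part of the lecture. It assumes that the first row ("Block all") is the default and the later rows are the exceptions the slide describes, so the last matching row decides; the internal network prefix and the sample addresses are constructed.

```python
"""Packet-filter rule tables from slides 23 and 25, evaluated in code.

Example code only (not from the lecture).  The first row, "Block all",
is the default and the later rows are the exceptions, so the LAST row
that matches a packet decides.  '*' matches anything; "internal" stands
for the slide's "[internal user]".
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

INTERNAL_NET = "10.0.0."   # constructed LAN prefix standing in for [internal user]

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool              # the slide's Flags column: is this an acknowledgement?

# Same column order as the slide: Action, Src, Port, Dest, Port, Flags, Comment
Rule = Tuple[str, str, str, str, str, str, str]

IE_AND_FTP: List[Rule] = [                       # slide 23
    ("Block", "*", "*", "*", "*", "*", "Block all"),
    ("Allow", "internal", "*", "*", "80", "*", "Browse outside (iexplorer - outgoing)"),
    ("Allow", "*", "80", "*", "*", "ACK", "ie - incoming"),
    ("Allow", "internal", "*", "*", "21", "*", "ftp - outgoing"),
    ("Allow", "*", "21", "*", "*", "ACK", "ftp - incoming"),
]
FTP_ONLY: List[Rule] = [IE_AND_FTP[0], IE_AND_FTP[3], IE_AND_FTP[4]]   # slide 25

def _host_matches(pattern: str, host: str) -> bool:
    if pattern == "*":
        return True
    if pattern == "internal":
        return host.startswith(INTERNAL_NET)
    return pattern == host

def _port_matches(pattern: str, port: int) -> bool:
    return pattern == "*" or int(pattern) == port

def _flags_match(pattern: str, ack: bool) -> bool:
    # "ACK" requires the acknowledgement flag.  A stateless filter has only
    # that flag to go on; stateful inspection (slide 21) tracks connections.
    return pattern == "*" or (pattern == "ACK" and ack)

def decide(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, comment) of the last matching rule; deny if none."""
    verdict = ("Block", "no rule matched")
    for action, src, sport, dst, dport, flags, comment in rules:
        if (_host_matches(src, pkt.src) and _port_matches(sport, pkt.sport)
                and _host_matches(dst, pkt.dst) and _port_matches(dport, pkt.dport)
                and _flags_match(flags, pkt.ack)):
            verdict = (action, comment)
    return verdict

# Constructed traffic: an inside workstation, an outside web/FTP server,
# and an outside host trying to open connections inward.
WORKSTATION, OUTSIDE_SERVER, OUTSIDE_HOST = "10.0.0.5", "203.0.113.7", "203.0.113.9"
SAMPLE_TRAFFIC: Dict[str, Packet] = {
    "browse_request": Packet(WORKSTATION, 3456, OUTSIDE_SERVER, 80, ack=False),
    "browse_reply":   Packet(OUTSIDE_SERVER, 80, WORKSTATION, 3456, ack=True),
    "ftp_request":    Packet(WORKSTATION, 3457, OUTSIDE_SERVER, 21, ack=False),
    "telnet_request": Packet(WORKSTATION, 3458, OUTSIDE_SERVER, 23, ack=False),
    "inbound_to_web": Packet(OUTSIDE_HOST, 4444, WORKSTATION, 80, ack=False),
    "outside_from_80": Packet(OUTSIDE_HOST, 80, WORKSTATION, 22, ack=False),
}

def run_demo() -> Dict[str, Tuple[str, str]]:
    """Map each sample packet to its verdict under the slide 23 and slide 25 tables."""
    return {name: (decide(IE_AND_FTP, p)[0], decide(FTP_ONLY, p)[0])
            for name, p in SAMPLE_TRAFFIC.items()}

if __name__ == "__main__":
    for name, (ie_ftp, ftp_only) in run_demo().items():
        print(f"{name:16} slide23={ie_ftp:5} slide25={ftp_only}")
```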
  • 26. Picture – the Gopher protocol is blocked; the table is in the proxy.
  • 27. A simple example – application level – outgoing, Linux environment (slide note: no need to memorise step by step, but you have to understand it)
    – If the firewall uses application-level proxies to provide Internet access, we need to enable a separate proxy for each of the protocols commonly used on the Web, such as HTTP, FTP and SSL. Below is an example for FTP for a Class C network at 189.45.56:
      #rules for the FTP gateway
      ftp-gw: denial-msg /usr/local/etc/ftp-deny.txt
      ftp-gw: welcome-msg /usr/local/etc/ftp-welcome.txt
      ftp-gw: help-msg /usr/local/etc/ftp-help.txt
      ftp-gw: timeout 3600
      ftp-gw: deny-hosts unknown
      ftp-gw: permit-hosts 189.45.56.*
      #rules for the http/gopher gateway
      http-gw: permit-hosts 189.45.56.*
  • 28. Explanation
    – The first six lines of this file set up defaults for the FTP proxy.
    – The line containing deny-hosts prohibits the use of the proxy by any machine without a Domain Name System entry (here unknown).
    – The line containing permit-hosts allows any host in the internal network to use the proxy. Others are prohibited by default. (Here, permit-hosts 193.49.189.* means any host on this network.)
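A parser for the ftp-gw/http-gw rule lines of slide 27 and the access decision slide 28 describes, as an added example that is neither the lecture's nor any firewall toolkit's own code. Assumptions: host rules are checked top to bottom and the first matching deny-hosts/permit-hosts line decides; unknown matches a client without a DNS entry; a client matching no host rule is denied; the client addresses and names are constructed.

```python
"""Rule lines for the ftp-gw / http-gw proxies (slide 27) parsed and applied.

Example code only, not the lecture's or any firewall toolkit's own
implementation.  Assumptions: host rules are read top to bottom and the
first deny-hosts / permit-hosts line matching the client decides;
"unknown" matches a client whose address has no DNS name; a pattern
ending in '*' matches any remainder of the address; a client that
matches no host rule is denied (slide 28: "others are prohibited").
"""
from typing import Dict, List, Optional, Tuple

# The slide's rules, with the /usr/local/etc paths spelled consistently.
NETPERM_RULES = """\
#rules for the FTP gateway
ftp-gw: denial-msg /usr/local/etc/ftp-deny.txt
ftp-gw: welcome-msg /usr/local/etc/ftp-welcome.txt
ftp-gw: help-msg /usr/local/etc/ftp-help.txt
ftp-gw: timeout 3600
ftp-gw: deny-hosts unknown
ftp-gw: permit-hosts 189.45.56.*
#rules for the http/gopher gateway
http-gw: permit-hosts 189.45.56.*
"""

RuleTable = Dict[str, List[Tuple[str, List[str]]]]

def parse_rules(text: str) -> RuleTable:
    """Group 'gateway: keyword args...' lines by gateway; skip comments."""
    table: RuleTable = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        gateway, sep, rest = line.partition(":")
        words = rest.split()
        if not sep or not words:
            raise ValueError(f"malformed rule line: {raw!r}")
        table.setdefault(gateway.strip(), []).append((words[0], words[1:]))
    return table

def _host_matches(pattern: str, addr: str, name: Optional[str]) -> bool:
    if pattern == "unknown":
        return name is None                  # no DNS entry for this client
    if pattern.endswith("*"):
        return addr.startswith(pattern[:-1])
    return pattern in (addr, name)

def access_decision(table: RuleTable, gateway: str, addr: str, name: Optional[str]) -> str:
    """Return 'permit' or 'deny' for one client connecting to one proxy."""
    for keyword, args in table.get(gateway, []):
        if keyword not in ("permit-hosts", "deny-hosts"):
            continue                         # denial-msg, timeout, ... are defaults
        if any(_host_matches(p, addr, name) for p in args):
            return "permit" if keyword == "permit-hosts" else "deny"
    return "deny"                            # nothing matched: prohibited by default

def setting(table: RuleTable, gateway: str, keyword: str) -> Optional[str]:
    """Look up a default such as 'timeout' for one proxy."""
    for k, args in table.get(gateway, []):
        if k == keyword:
            return " ".join(args)
    return None

TABLE = parse_rules(NETPERM_RULES)

if __name__ == "__main__":
    # Constructed clients: an inside host with a DNS name, an inside host
    # without one, and a host on a foreign network.  Note that http-gw has
    # no "deny-hosts unknown" line, so the nameless inside host gets through there.
    for gw, addr, name in [("ftp-gw", "189.45.56.10", "pc10.lan.example"),
                           ("ftp-gw", "189.45.56.10", None),
                           ("ftp-gw", "203.0.113.5", "host.example"),
                           ("http-gw", "189.45.56.77", None)]:
        print(gw, addr, name, "->", access_decision(TABLE, gw, addr, name))
```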
  • 29. Incoming Web access
    – Once we have solved the problem of outgoing Web access, we need to consider incoming Web access.
    – There are many possibilities (Web server with proxy, Web server inside the LAN, Web server outside the LAN). Here we introduce:
      – Judas server – proxy and Web server combined
      – Sacrificial Lamb – Web server outside the firewall
      – Private Affair – Web server inside the firewall
      – Doubly Fortified Server – multiple levels of proxy to separate networks
  • 30. Judas – combine proxy and Web server (slide note: not a good idea)
    – It is not a good idea to combine the proxy and the Web server on one machine.
    – This is because the Web server cannot be trusted to be bug-free.
    – Any security hole in it will degrade the proxy.
  • 31. The Sacrificial Lamb (slide note: access by outsiders)
    – The safest place for a public Web server is outside the firewall. It is intended for public use.
    – Because communication between the LAN and the public Web server is restricted, it is difficult to use file sharing or remote login to update the material on the Web server.
  • 32. The Private Affair Server (slide note: filter all first)
    – If the Web server is not intended to be publicly available, the best location is behind the firewall.
    – It maintains confidential or sensitive information.
  • 33. The Doubly Fortified Server
    – If you consider that your Web server contains highly confidential information, you should place it away from the Internet behind multiple levels of firewall. (You have to set up a private firewall system.)
  • 34. Running a reverse Web proxy
    – The primary mission of firewall proxies is to allow people inside the organisation to make outgoing connections to servers on the Internet.
    – Their desktop software connects to a proxy on the firewall; it relays the request to the Internet server and forwards the server's response back.
    – It is also possible to use application-level proxies in the reverse direction, to grant people on the Internet controlled access to a Web server.
  • 35. Figure: flow of information – bastion (firewall).
  • 36. Hybrid Server
    – The hybrid approach combines the two: one server on an external sacrificial lamb machine, one on the firewall.
    – In this configuration, an internal server is maintained behind the firewall and kept completely inaccessible from the outside world.
  • 37. Figure: hybrid approach – bastion (firewall here).
  • 38. Summary
    – A firewall filters unwanted traffic.
    – It limits incoming as well as outgoing traffic.
    – Criteria for selecting a firewall.
    – Configuring a firewall – application level (IE, e-mail) or packet level (IP or TCP).
    – Incoming Web access – Judas server, Sacrificial Lamb, Private Affair, Doubly Fortified Server, reverse Web proxy etc.