As part of my job, I had to undergo mandatory training in network security. I went there with an odd feeling: why should I be attending a network security session?
I mean, I am a software developer, and security is the job of some Unix system admin.
The first half an hour made me realize that it is the unsecured software that web developers write which makes the job of SAs difficult. The presenter gave a very simple example of a buffer overflow, something I almost always forget to cover.
Now that he had my attention, he started describing cases where small security holes lead to big problems, notably bank frauds.
He gave an analogy: banks keep their money in heavy stainless steel vaults. However, their security measures do not end there; they also employ security cameras to monitor the vaults and armed guards to thwart any illegal access.
When it comes to software, the vaults are the firewalls, the security cameras are the intrusion detection tools, and the security guards are the software/system admins who actually take counteraction.
In today’s world, it is not only the big banks with huge amounts of money who need to secure themselves; even a home computer needs to protect itself from the numerous hackers trying to steal our important data, such as credit card numbers, bank logins/passwords, personal details (date of birth, social security number, etc.) and contact lists.
If you think these are trivial things, ask a man who has just lost $20,000 on his credit card to a hacker, or whose lifetime savings are now comfortably resting in a bank somewhere in Somalia, or a person who has been a victim of identity theft. Network security is essential for all. Having said that, let’s see a few measures to protect ourselves while on the internet.
FIRST and foremost is to have a personal firewall and to ensure that no port is open to the outside world. Most common Linux distributions close all ports by default. However, we cannot rely on just a firewall; for the smartass hackers, we also need to employ security cameras.
In the first part, I will discuss installing and configuring a Firewall in OpenSUSE 10.3.
Netfilter is a framework that provides a set of hooks within the Linux kernel for intercepting and manipulating network packets. The best-known component on top of Netfilter is the firewall which filters packets.
iptables is the name of the userspace tool by which administrators create rules for the packet filtering (both inbound and outbound) and NAT modules. iptables is a standard part of all modern Linux distributions. The netfilter/iptables framework provides:
• listing the contents of the packet filter ruleset
• adding/removing/modifying rules in the packet filter ruleset
• listing/zeroing per-rule counters of the packet filter ruleset
• stateless packet filtering (IPv4 and IPv6)
• stateful packet filtering (IPv4 and IPv6)
• all kinds of network address and port translation, e.g. NAT/NAPT (IPv4 only)
• flexible and extensible infrastructure
• multiple layers of APIs for 3rd party extensions
• large number of plugins/modules kept in ‘patch-o-matic’ repository
What can I do with netfilter/iptables?
• build internet firewalls based on stateless and stateful packet filtering
• use NAT and masquerading for sharing internet access if you don’t have enough public IP addresses
• use NAT to implement transparent proxies
• aid the tc and iproute2 systems used to build sophisticated QoS and policy routers
• do further packet manipulation (mangling) like altering the TOS/DSCP/ECN bits of the IP header
[As per the Redhat Guide] Traffic moves through a network in packets. A network packet is a collection of data in a specific size and format. In order to transmit a file over a network, the sending computer must first break the file into packets using the rules of the network protocol.
Each of these packets holds a small part of the file data. Upon receiving the transmission, the target computer reassembles the packets into the file.
Every packet contains information which helps it navigate the network and move toward its destination. The packet can tell computers along the way, as well as the destination machine, where it came from, where it is going, and what type of packet it is, among other things.
Most packets are designed to carry data, although some protocols use packets in special ways. For example, the Transmission Control Protocol (TCP) uses a SYN packet, which contains no data, to initiate communication between two systems.
The Linux kernel contains the built-in ability to filter packets, allowing some of them into the system while stopping others. A packet may be checked against multiple rules within each rule list (chain) before emerging at the end of the chain.
The structure and purpose of these rules may vary, but they usually seek to identify a packet coming from or going to a particular IP address or set of addresses when using a particular protocol and network service.
Regardless of their destination, when packets match a particular rule on one of the tables, they are designated for a particular target or action to be applied to them.
If the rule specifies an ACCEPT target for a matching packet, the packet skips the rest of the rule checks and is allowed to continue to its destination. If a rule specifies a DROP target, that packet is refused access to the system and nothing is sent back to the host that sent the packet. If a rule specifies a REJECT target, the packet is dropped, but an error packet is sent to the packet’s originator.
Every rule has a default policy to ACCEPT, DROP, REJECT, or QUEUE the packet to be passed to user-space. The iptables command allows you to configure these rule lists, as well as set up new tables to be used for your particular situation.
OpenSUSE 10.3 comes with SuSEfirewall2, a tool which generates iptables rules from the configuration stored in the /etc/sysconfig/SuSEfirewall2 file. Though SuSEfirewall2 can be configured through YaST, SUSE recommends using the command line to be able to configure all options. It is recommended to start the firewall at bootup, but a manual start can also be configured.
We can set up Allowed Services, a list of services that the firewall allows through the network. Some common services include DHCP client/server, HTTP client/server, mail server, LDAP, Remote Administration, and ssh. We can also set up IPSec, or Internet Protocol Security. IPSec helps when we want to remotely administer the server.
SuSEfirewall2 has three different zones, each with a variable that lists its interfaces:
• EXT – External (untrusted, Internet): FW_DEV_EXT
• INT – Internal (trusted): FW_DEV_INT
• DMZ – Demilitarized: FW_DEV_DMZ
Assign your network interfaces to particular zones according to your needs. If you have only one network interface, it is a good choice to assign it to the External zone. A network interface is assigned to a zone by adding the interface name to that zone’s FW_DEV_* variable.
Every firewall zone can allow four types of services:
• TCP – FW_SERVICES_EXT_TCP, FW_SERVICES_INT_TCP, FW_SERVICES_DMZ_TCP
• UDP – FW_SERVICES_EXT_UDP, FW_SERVICES_INT_UDP, FW_SERVICES_DMZ_UDP
• RPC – FW_SERVICES_EXT_RPC, FW_SERVICES_INT_RPC, FW_SERVICES_DMZ_RPC
• IP – FW_SERVICES_EXT_IP, FW_SERVICES_INT_IP, FW_SERVICES_DMZ_IP
TCP and UDP services can be entered by port number, by port name (the current assignments can be found in the /etc/services file on your system), or as a port range written as two port numbers with a colon in between.
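As an added illustration (my own code, not SuSEfirewall2’s, which generates a far richer ruleset), the Python below models how a FW_DEV_EXT / FW_SERVICES_EXT_* fragment becomes an INPUT chain of ACCEPT rules with a DROP default policy, and how that chain is then walked first-match-wins as described in the iptables section above. The SERVICES table and the config fragment are constructed; the rendered iptables commands are only printed for reading, never executed.

```python
import re
SERVICES = {"ssh": 22, "http": 80, "domain": 53}  # constructed /etc/services stand-in

# Constructed fragment in the style of /etc/sysconfig/SuSEfirewall2.
CONFIG = '''
FW_DEV_EXT="eth0"                        # one interface, external zone
FW_SERVICES_EXT_TCP="ssh 80 8000:8010"   # name, number, range
FW_SERVICES_EXT_UDP="domain"
'''

def parse_sysconfig(text):
    """Collect FW_* variables from KEY="value" lines, ignoring comments."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'^\s*(FW_[A-Z0-9_]+)="?([^"#]*)"?\s*(#.*)?$', line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf

def port_range(entry):
    """Accept a port number, a name from SERVICES or 'low:high'; else raise."""
    m = re.fullmatch(r'(\d+)(?::(\d+))?', entry)
    if m:
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
    else:
        lo = hi = SERVICES.get(entry, 0)  # unknown name -> 0, rejected below
    if not 1 <= lo <= hi <= 65535:
        raise ValueError("bad service entry: %r" % entry)
    return lo, hi

def build_chain(conf, zone="EXT"):
    """One ACCEPT rule (iface, proto, low, high, target) per allowed service."""
    return [(iface, proto.lower()) + port_range(entry) + ("ACCEPT",)
            for iface in conf.get("FW_DEV_%s" % zone, "").split()
            for proto in ("TCP", "UDP")
            for entry in conf.get("FW_SERVICES_%s_%s" % (zone, proto), "").split()]

def to_iptables(rules, policy="DROP"):
    """Render the chain as iptables commands, ending with the default policy."""
    cmds = ["iptables -A INPUT -i %s -p %s --dport %s -j %s"
            % (i, p, str(lo) if lo == hi else "%d:%d" % (lo, hi), t)
            for i, p, lo, hi, t in rules]
    return cmds + ["iptables -P INPUT %s" % policy]

def decide(rules, iface, proto, dport, policy="DROP"):
    """Walk the chain in order: first matching rule wins, else the default policy."""
    for r_iface, r_proto, lo, hi, target in rules:
        if r_iface == iface and r_proto == proto and lo <= dport <= hi:
            return target
    return policy
```

Running `print("\n".join(to_iptables(build_chain(parse_sysconfig(CONFIG)))))` shows the four ACCEPT rules followed by the DROP policy; `decide(rules, "eth0", "tcp", 23)` returns DROP because no rule matches and the policy applies.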
Now, I am not an expert at security and have written this guide with the help of various online documentation; however, having configured a firewall, I feel that I have put a layer between my home data and the prying eyes of hackers.
Also, note that a firewall never prevents anyone from giving away his details in an IM session :).
In the next part of the series, I’ll discuss the security cameras, i.e. the intrusion detection tool SNORT, available in OpenSUSE (or any Linux for that matter).