CompTIA Linux+ XK0-005 – Unit 12 – Security part 3

  1. Traffic Filtering and Marking

So now as we think about letting traffic move through our system as an intermediate system, being a router, we can also control this flow of traffic through traffic filtering. And we would do that by basically becoming a firewall. Now, in today’s world, firewalls and definitions of firewalls are certainly changing. That is, we have stateful firewalls, application-specific firewalls, firewalls that scan for intrusions and vulnerabilities, and a lot of different features. But in the generic meaning of a firewall, we’re really only going to look at OSI layers three and four to make a yes-or-no decision. We often call that a packet filtering firewall, and that’s what we’re going to turn on when we enable firewall services with Linux. Now, we do that usually through the firewall service iptables, which is about creating chains, chains of rules that can make those yes-or-no decisions.

Now, the INPUT and OUTPUT chains are for traffic where the router itself is the destination (traffic coming into our firewall) or the source (traffic leaving it); the FORWARD chain is about the traffic moving through. When we create these rules, we can choose to accept the traffic, allow it, or reject or drop it. The big difference between reject and drop is that reject is going to send a notice back to the sender that says, nanyanya, I just dropped your traffic, while drop just does it silently. I always tell people that in actual production, drop is your choice, because dropping it is not going to give away the secret that your firewall stopped the traffic. Reject is good for testing your rules, because you’re going to get the notice back that it was a firewall that stopped it, and not some other reason.

  1. Configuring Chains and Rules

So as we do the work with iptables to create our firewall, we’re basically going to be creating a chain, or configuring chains and rules. Now, as you create these, you’re going to have some options about how you want to set them up, some different commands to go with your iptables. As an example, if you’re adding a new rule to the list, appending to the rules, that’s -A. Or you might want to set a default policy. Now that’s interesting, because on most firewalls, if I enable firewall services, the default policy is drop everything. In this case, you can change the default policy if you want to accept everything, if you are going to have some exclusionary rules, or you can have a default policy of drop everything if it doesn’t match an existing rule.

I mean, it’s your choice about that. I don’t want to get too much into firewall theory, but just to let you know, you’ve got a lot of these same features. You can delete an existing rule, replace rules that are already there, you can remove everything, maybe because you need to start over, or list the rules that you have. Now, an important aspect of firewalls is that when you have a series of rules, it is going to start at the top of the list and work down until it finds a match, and it follows that action. It doesn’t look at anything else. So say you had a rule that said I want to permit a certain host on this subnet and deny everybody else on the subnet.

Where you get some trouble is if you put the deny-everybody-on-the-subnet rule before you put the permit: that one host will never get permitted, because it falls under the second rule. So sometimes you might remove all the rules to try it all over again, or replace rules. You know, you’re going to work with ways to be able to set this up, but I would certainly tell you that you probably ought to list your existing rules. Or if it’s the first time you’ve done this, map the rules out on a piece of paper or on a notepad or something like that, so you can then say, okay, this looks like the right logical order, then put them in.
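To make the ordering point concrete, here is an added example (not part of the course material) that simulates how a chain is walked: each rule is a source prefix and an action, the first match wins, and the default policy applies only when nothing matched. The addresses are constructed from the 192.0.2.0/24 documentation range, and the rule-list format and helper names (`evaluate`, `to_iptables`) are my own, not iptables syntax; the only iptables text it produces is the `-A` commands at the end.

```shell
#!/bin/sh
# Added example (not from the course): simulate first-match evaluation of an
# iptables chain to see why rule order matters. Rules are "CIDR ACTION" lines;
# the first line whose prefix contains the packet's source address wins, and
# the chain's default policy applies only when nothing matches.
# Addresses are constructed values from the 192.0.2.0/24 documentation range.

# ip_to_int 192.0.2.10 -> 3221225994 (dotted quad as a 32-bit integer)
ip_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# cidr_contains PREFIX ADDRESS -> success if ADDRESS falls inside PREFIX;
# a bare address with no /bits is treated as a /32, which is what -s does.
cidr_contains() {
  net=${1%/*}; bits=${1#*/}
  [ "$bits" = "$1" ] && bits=32
  [ "$bits" -eq 0 ] && return 0
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# evaluate RULES POLICY SRC -> prints the verdict for a packet from SRC
evaluate() {
  rules=$1; policy=$2; src=$3
  hit=$(printf '%s\n' "$rules" | while read -r cidr action; do
    [ -z "$cidr" ] && continue
    if cidr_contains "$cidr" "$src"; then echo "$action"; break; fi
  done)
  echo "${hit:-$policy}"
}

# to_iptables CHAIN RULES -> the commands that install RULES in that order
# (iptables -A appends, so list order is evaluation order)
to_iptables() {
  chain=$1; rules=$2
  printf '%s\n' "$rules" | while read -r cidr action; do
    if [ -n "$cidr" ]; then echo "iptables -A $chain -s $cidr -j $action"; fi
  done
}

# The lecture's pitfall: the subnet deny placed before the single-host permit.
WRONG_ORDER='192.0.2.0/24 DROP
192.0.2.10 ACCEPT'
# The intended order: permit the one host first, then deny the rest of the subnet.
RIGHT_ORDER='192.0.2.10 ACCEPT
192.0.2.0/24 DROP'

echo "wrong order, host 192.0.2.10:  $(evaluate "$WRONG_ORDER" ACCEPT 192.0.2.10)"    # DROP
echo "right order, host 192.0.2.10:  $(evaluate "$RIGHT_ORDER" ACCEPT 192.0.2.10)"    # ACCEPT
echo "right order, host 192.0.2.20:  $(evaluate "$RIGHT_ORDER" ACCEPT 192.0.2.20)"    # DROP
echo "right order, off-subnet host:  $(evaluate "$RIGHT_ORDER" ACCEPT 198.51.100.7)"  # ACCEPT (policy)
to_iptables INPUT "$RIGHT_ORDER"
```

The last call prints the two `-A INPUT` commands in the order that works; the same two lines swapped reproduce the lockout the lecture warns about, and `iptables -L --line-numbers` on a real box shows you the order the kernel will actually walk.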

  1. iptables Command Parameters

Now, there are some other parameters as you create these rules, and that is that you have to define the layer three and layer four information. Layer three is IP. Remember the network stuff of OSI? There you’re going to have a source and destination address, meaning, do I want to allow traffic from this source to that destination? The protocol being used: is it TCP, UDP? What protocol am I making this rule for? If it’s TCP or UDP, then you’re going to also deal with the port numbers. What is your destination port number? Not worrying about the source, but what kind of service you’re connecting to. And finally, if you match all those parameters, what’s the action? The -j again. The actions were accept, allow it to go through, or drop or reject, which in both cases stop it, remembering that reject sends a message back saying, hey, I just dropped your stuff.

  1. iptables Examples

So, looking at some examples of the commands with iptables, if you wanted to list everything, you would type iptables -L. If you want to set the default rule, it’s iptables -P and then INPUT ACCEPT, meaning I’m going to accept, in this case, input. Remember, input was everything coming to the router. So that would be for the INPUT chain to accept everything. Reject everything from one host? Well, you could do iptables -A. That’s an append, and you would say it’s going to be INPUT, -s for the source address, whatever it is, -j REJECT. So that would be for the INPUT rule, again, input of stuff coming to the firewall itself: everything from that host rejected. Forward from the network? Well, here we would have a FORWARD chain rule, so iptables -A, append, for the FORWARD chain with the source address.

Now, again, the source address doesn’t have to be a specific host. You could have a network address with slash notation for the subnet. In this case, if you did a /24, that’s saying the first 24 bits are the network and everything else is the host. Then the -j REJECT. Another example: blocking spam email. Here, instead of IP addresses, you can use URLs or fully qualified domain names. So you could say -A, append, for the INPUT or FORWARD or OUTPUT chain, whatever this case is. In this case, INPUT -s, source, is mail.spammer.com, or you fill in the blank; -d, the destination address, could be another host name or an IP address. Now, this is email, so email means -p, the protocol (not the port, I’m sorry), is tcp; the --dport, the destination port, is 25; and the action, the -j, is DROP. So I’m trying to, again, just give you lots of ideas about how you can create these rules utilizing all of those commands and options that we talked about.
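Here are the lecture’s example rules gathered into one ruleset in the format iptables-save writes and iptables-restore reads, as an added example rather than something from the course. The addresses are constructed documentation-range values, SPAM_HOST is a placeholder standing in for the lecture’s mail.spammer.com, and the `ruleset` function name and its test/prod switch are mine.

```shell
#!/bin/sh
# Added example (not from the course): the lecture's example rules written as one
# iptables-restore ruleset instead of a series of -A commands, so the whole
# table loads atomically and in a fixed order. MODE "test" uses REJECT (the
# sender hears back, handy while checking rules); "prod" uses DROP.
# Addresses are constructed documentation-range values and SPAM_HOST is a
# placeholder name, not a real host.
SPAM_HOST=${SPAM_HOST:-mail.spammer.example}

# ruleset MODE -> prints the ruleset on stdout; feed it to iptables-restore
ruleset() {
  mode=${1:-prod}
  case $mode in
    test) verdict=REJECT ;;
    prod) verdict=DROP ;;
    *) echo "usage: ruleset test|prod" >&2; return 1 ;;
  esac
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT: the firewall itself is the destination. The single permitted host
# must come before the subnet-wide block or it will never match.
-A INPUT -s 192.0.2.10 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -j $verdict
# FORWARD: traffic routed through the box from the same subnet.
-A FORWARD -s 192.0.2.0/24 -j $verdict
# Mail from a named host: layer 3 (-s) plus layer 4 (-p tcp --dport 25).
-A INPUT -s $SPAM_HOST -p tcp --dport 25 -j $verdict
EOF
  # A chain policy may only be ACCEPT or DROP, so "reject everything else"
  # while testing has to be a final catch-all rule rather than the policy.
  if [ "$mode" = test ]; then echo "-A INPUT -j REJECT"; fi
  echo COMMIT
}

ruleset "${1:-prod}"
```

Loading with `iptables-restore < file` replaces the whole table at once, so the order you see in the file is the order the kernel evaluates, and a half-applied state never exists. Two caveats a practitioner runs into: the chain policy (`-P`, or the `:INPUT DROP` line here) can only be ACCEPT or DROP, so a reject-everything-else test mode needs that final catch-all rule; and a host name given to `-s` is resolved once, when the rule is loaded, so the rule only ever matches the addresses the name had at that moment, and the load fails if the name does not resolve.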

  1. Demo – Configuring iptables

All right, let’s verify that I am the administrator, or root, I should say, and I am. And what we’re going to do is we’re going to play with iptables. We’re going to block ourselves from being able to go out, just so you kind of see an idea of how these work. And that means that we’re going to deal with the OUTPUT chain. So when I typed in iptables -L, we look at OUTPUT and it says the policy right now is to accept all traffic. So if I said ping www.google.com, it lets me do that just fine. Okay, clear the screen. Now let’s try iptables, and let’s do a -P, and we’re going to do OUTPUT DROP. Okay, now let’s try that same ping to www.google.com. And look at that: unknown host. Couldn’t even do a DNS lookup, couldn’t do a traceroute to www.google.com, because the name service... I can’t even get out to a DNS server because of my iptables.

In fact, if I do iptables -L again, you can see my OUTPUT policy is DROP. Now remember, input and output were traffic to the machine itself, to this operating system, or from it, and so that was taking care of that traffic from it. Well, let’s turn it back on. Let’s go back to iptables and let’s do a -P OUTPUT ACCEPT. And now that we’ve done that, we’ll do our traceroute or ping or whatever else we wanted to do. And there we at least saw the DNS resolution. And hopefully here in a second, you’ll start seeing the rest of the traceroute. And there it is. I’ll Ctrl+C to get out of there. And that just shows you a beginning of how you might even use something like iptables if you are a router to work with the traffic that’s going through, not necessarily from and to this particular system.
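The demo sets the OUTPUT policy to DROP on a machine you are sitting at; do the same thing over SSH and you have just cut off your own session. Here is an added example (not from the course) of the pattern a practitioner uses for that: save the current ruleset, make the change, run a probe such as the DNS lookup that failed in the demo, and put the saved ruleset back if the probe fails. The iptables commands are taken from variables so the logic can be exercised with stand-ins, the BACKUP path is hypothetical, and `apply_with_rollback` is my own function name.

```shell
#!/bin/sh
# Added example (not from the course): apply a chain policy the way the demo does,
# but verify the box can still reach out and revert automatically if it cannot.
# "iptables -P OUTPUT DROP" over SSH with no safety net can strand you.
# The iptables binaries are taken from variables so the logic can be exercised
# with stand-ins; BACKUP is a hypothetical path.
IPT=${IPT:-iptables}
IPT_SAVE=${IPT_SAVE:-iptables-save}
IPT_RESTORE=${IPT_RESTORE:-iptables-restore}
BACKUP=${BACKUP:-/tmp/iptables.before-change}

# apply_with_rollback CHAIN POLICY PROBE
#   Saves the current ruleset, sets CHAIN's default policy to POLICY, then runs
#   PROBE (a shell command string). Returns 0 and keeps the change if the probe
#   succeeds; otherwise restores the saved ruleset and returns 2.
apply_with_rollback() {
  chain=$1; policy=$2; probe=$3
  "$IPT_SAVE" > "$BACKUP" || return 1
  "$IPT" -P "$chain" "$policy" || return 1
  if sh -c "$probe" >/dev/null 2>&1; then
    echo "probe succeeded, keeping -P $chain $policy"
    return 0
  fi
  echo "probe failed, restoring ruleset from $BACKUP"
  "$IPT_RESTORE" < "$BACKUP"
  return 2
}

# Run as root with --demo to repeat the lecture's demo with the safety net in
# place: the probe is the DNS lookup that failed once OUTPUT was set to DROP.
if [ "${1:-}" = "--demo" ]; then
  apply_with_rollback OUTPUT DROP 'getent hosts www.google.com'
fi
```

Run it as `sh apply.sh --demo` as root to repeat the OUTPUT DROP experiment; with DNS cut off the probe fails and the old ruleset comes straight back. Debian-based distributions ship `iptables-apply`, which does the interactive version of this: it loads a ruleset file and reverts it unless you confirm within a timeout.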

  1. Network Security Tools Part1

Now, there are a variety of other types of tools you can use for network security. Protocol analyzers are nothing more than packet sniffers that can capture the traffic. In fact, we haven’t even had a chance to talk about some of the built-in features that you have with Linux, like a tool called tcpdump. It’ll capture the traffic and can store it in a file that you can analyze. But basically, by analyzing the traffic, you can watch to see how different protocols behave. In fact, if you’re really good at protocol analysis, you can actually see attacks against your networks. You can see a variety of denial of services. You can see when a machine has been taken over by some remote access. I mean, there’s a lot of cool stuff that you can use, if anything, just to see who’s chatty, who’s not. It allows you to look at traffic. But beware: you can also grab people’s passwords right off of the wire, and that’s something that can be scary.

  1. Network Security Tools Part2

Port scanners are a tool to look to see what ports I can get to from different locations. Now, we use port scanners to basically test your firewalls. If I don’t want port 80 to come in, I’m going to use a port scanner to see if I can get through and connect on port 80. If I can’t, then that sounds pretty good. If I can, that might have violated what you’re trying to do. So port scanners are our ways of seeing what ports are answering, because the hackers are going to be basically rattling the doorknobs on your networks to see what ports they can use to make communications into your network. Network mappers, again, are going to go out there and do ping sweeps.

They’re going to find out all of the machines that are alive. They’re going to find all the IP addresses of those machines that talk back to them. They’re going to draw a diagram and have a list of targets. So you can do that as well. You should know what the hacker can know. Password crackers: lots of different types, using dictionary lists, brute force, people intercepting hashes and comparing them against rainbow tables. There’s a lot in the realm of password crackers, and I’m hitting these quickly because this is another two weeks’ worth of work just to talk about things we can do in hacking. It is amazing the stuff we can use. So just giving you a taste of it, I hope, will make you want to go out and look at these even more.

Vulnerability scanners? Oh, lots of free ones. Lots of ones that give you trial use, but they go out and they probe your systems and your network devices to see if they’re up to date with their patches, to see if any of these announced exploits could be used against your systems. If you aren’t doing a vulnerability scan against your systems, I will guarantee you somebody else is doing it for you, and they’re going to find out what your weaknesses are and attack you. Now, your traditional firewall, I told you, only looks at your layer three and layer four stuff. We talked about that: you were creating rules on source address, destination address, protocols and ports.

Well, unfortunately, many of those things that you allow in can still take over your networks through the use of buffer overflows or malware, as an example. I tell people every day that I deal with security that getting through a firewall is a piece of cake. You can do it. You’ve already done it. And how do I say that? Well, if you’ve gone to a website today, did you go to one? If you did, the odds are you had to go through a firewall to get to the web server. Well, guess what? You made it through a firewall. And I know people are saying, well, that’s really ridiculous. Well, it’s not. Getting through a firewall is easy because it has two big weaknesses.

One is that we as people configure it, and we make mistakes. The second is that it allows traffic. So if I get through your firewall because you allow it, I can then mount attacks against your systems. For example, a web server, depending on the server, has a whole multitude of different exploits, buffer overflows, denial of service, that I can use to attack your systems. And if you’re just looking at layer three and four, you won’t have any idea. Intrusion detection systems actually look at what is in the data that I’m sending to look for signs of these exploits, and can stop those cold so that they don’t affect me. So it’s just another tool that is out there.

  1. Nessus

Nessus is an example of a vulnerability scanner. Now, depending on what you want, it can be free or you can pay for a commercial version, but what it is is a series of tests for vulnerabilities that are written by the open source community. So as a new vulnerability is announced by any vendor, somebody can write and add in a plugin to test whether your system is vulnerable to that exploit. It’s a way of basically making sure that you are as up to date on your patches and operating systems and everything else, so you can see whether or not you have any concerns.

  1. Intrusion Detection Systems

When it comes to intrusion detection, as I described, it’s like the next layer of defense after your firewall. Now, there are two options for the network-based kind. One is called network-based intrusion detection. The other is called network-based intrusion prevention. So here’s the difference. Now, I’m going to use a sports analogy. So for those of you who aren’t familiar with the game of football, American football, you’ve got a whole lot of people whose job is to protect this guy called the quarterback, and you do so by blocking the other team. If you miss your block, you have to turn and yell at the quarterback and say, hey, look out, so that they know that the enemy is on the way. Network-based intrusion detection systems are that look-out yell after the missed block.

What they do is they check the traffic. They look for strings that match certain signatures, or ports, or headers. But the thing is, they look at a copy of the traffic. So some switch out there copies all the traffic and sends it to this device. And then it says, oh, I just saw an attack, but it’s too late, it’s already gone on its way. Now, after it sees that attack, it can try to lessen the effects by telling the firewall to reset the TCP connection, or to clean it or redirect it, or any of those things, to take an appropriate action. Intrusion prevention actually doesn’t work with a copy. All traffic must go through the IPS. And so if it sees an attack, it can reset it right there. It can just log it if it wants to, send alerts. It could even redirect it to an antivirus cleaning program. It has other options.

Now, having said that, everybody’s going to say, well, why even use network intrusion detection when prevention sounds so much better? Well, the downside with prevention was that it really became a bottleneck, because doing all of that testing slowed down your throughput. Okay? That was the old reason against it. Today, companies like Palo Alto Networks have a firewall that can do parallel processing of your traffic to look for these intrusions. Juniper has a model called the SRX that does similar parallel processing. So what does that mean? It means that the issue of throughput has greatly improved. So you can add intrusion prevention and not say, oh, I’ve just got a new bottleneck. There are a lot of good things out there that you can utilize to do this, including, get this, your Linux machine can do intrusion prevention as well.

  1. Snort IDS

How does your Linux machine do it? It does it through Snort, a freely available intrusion detection system. Now, if you are the router and acting as a firewall and you’re running Snort, you’re technically doing intrusion prevention. It’s inline. You’re looking at it as it goes through. You can also run Snort on every single workstation. And it even has a port that works with Windows machines, where you can have a host-based intrusion detection system running Snort. The nice thing about Snort is you can write your own detection signatures to be able to look for specific kinds of attacks that might not come right out of the package when you install it. So it is intrusion detection. It can run on the firewalls to check traffic going through. It can run on the host. And that is another layer of protection called host-based intrusion detection.

  1. HIDS

So HIDS, the host-based kind, again gives me audit logs. I can monitor files. It can watch my applications and processes. It can look at incoming network packets. It can make the decision: is this good or bad? The advantage is that it lets me know if somebody’s tried to attack. It monitors what users do, by the way. It can monitor local attacks. It’s independent of the network. It just goes on and on with a list of advantages. Now, people say, why don’t we use it all the time? Well, same reason as intrusion prevention. Running these tests and scans will slow down the speed of the operating system. I mean, that’s always been the issue with antivirus software, is that it scans all the traffic, all the email, and it makes things run slower. And so you have to kind of weigh the advantages and the disadvantages of what you want to do.

  1. Unit 12 Review

All right? So in this section we talked about security. We talked about the security components: client/server, authentication, other authentication methods, LDAP, RADIUS, NIS. We talked about a version of Linux that was put into a mandatory access control called SELinux, and a lot of other user tools. And then we said, look, we can also be a router and a firewall and intrusion detection and so many other cool things. By the way, the other tools that I mentioned, the protocol analyzers and all that kind of cool stuff, they all come on Linux and they’re ready for you to use, so you can do your network mapping, your ping sweeps, your port scans, your tcpdumps for protocol analysis. All right? It’s a wonderful operating system, and it just comes with so many great things that you can really utilize right away to make your network so much more secure.