Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort
The single-system firewall presented in Chapter 4, "Building and Installing a Standalone Firewall," is a basic bastion firewall, using only the INPUT and OUTPUT chains. When the firewall is a packet-filtering router that has a network interface connected to the Internet and another connected to your LAN (referred to as a dual-homed system), the firewall applies rules to decide whether to forward or block packets crossing between the two interfaces. In this case, the packet-filtering firewall is a static router with traffic-screening rules enforcing local policies concerning which packets are allowed through the network interfaces. As pointed out in Chapter 3, "iptables: The Linux Firewall Administration Program," Netfilter handles forwarded packets quite differently from the previous IPFW mechanism. Forwarded packets are inspected by the FORWARD chain alone. The INPUT and OUTPUT rules don't apply. Network traffic related to the local firewall host and network traffic related to the LAN have completely different sets of rules and rule chains. Rules on the FORWARD chain can specify both the incoming and the outgoing interface. For a dual-homed host setup with a LAN, the firewall rules applied to the incoming and outgoing network interfaces represent an I/O pair: one rule for arriving packets and a reverse rule for departing packets. The rules are directional. The two interfaces are handled as a unit. Traffic is not routed directly between the Internet and the LAN automatically. Packets to be forwarded won't flow without a rule pair to accept the traffic. The filtering rules applied to the two interfaces act as a firewall and static router between the two networks. The firewall configuration presented in Chapter 4 is perfectly adequate for an individual home system with a single network interface. As a standalone gateway firewall protecting a LAN, if the firewall machine is ever compromised, it's all over.
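The FORWARD-chain I/O pair described above, as an added example that is not from the book: each service the LAN may reach gets one rule for packets leaving through the Internet interface and a reverse rule for the replies coming back, and nothing else crosses the two interfaces. The interface names (eth0, eth1) and the LAN range are assumptions; the script prints the iptables commands rather than running them, so the rule set can be reviewed or diffed before it is piped to sh on the gateway.

```shell
#!/bin/sh
# Added example (not the book's own code): build a minimal FORWARD rule set
# for a dual-homed gateway. Interface names and LAN range are assumptions.
EXT_IF="${EXT_IF:-eth0}"                # interface facing the Internet (assumed)
INT_IF="${INT_IF:-eth1}"                # interface facing the LAN (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # constructed private LAN range

# pair_rules PROTO DPORT: print the two directional FORWARD rules that let
# LAN clients reach one Internet service and receive only its replies.
pair_rules() {
    proto="$1"; dport="$2"
    # Departing half of the pair: LAN -> Internet, new or established flows.
    echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $LAN_NET -p $proto --dport $dport -m state --state NEW,ESTABLISHED -j ACCEPT"
    # Arriving half: Internet -> LAN, but only packets belonging to a flow
    # the LAN side opened (no unsolicited inbound connections).
    echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $LAN_NET -p $proto --sport $dport -m state --state ESTABLISHED -j ACCEPT"
}

# forward_rules: print the complete rule set, top to bottom, in apply order.
forward_rules() {
    # Packets are not routed between the interfaces until this is enabled.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Default policy: nothing is forwarded without an explicit rule pair.
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    # One I/O pair per permitted outbound service (constructed sample set).
    pair_rules udp 53
    pair_rules tcp 80
    pair_rules tcp 443
    # Log and drop everything else that tries to cross between interfaces;
    # the log prefix makes these entries easy to pick out later.
    echo "iptables -A FORWARD -j LOG --log-prefix \"FORWARD-DROP: \""
    echo "iptables -A FORWARD -j DROP"
}

# accept_rule_count: the number of ACCEPT rules, which must be even because
# every permitted flow is expressed as a directional pair.
accept_rule_count() {
    forward_rules | grep -c -- '-j ACCEPT'
}

# Usage: review first, then apply on the gateway with "forward_rules | sh".
forward_rules
```

Because the default policy is DROP and the arriving half of each pair matches only ESTABLISHED state, a packet from the Internet that is not a reply to a LAN-initiated flow never reaches the LAN; it falls through to the LOG and DROP rules, which is where a defender would look when checking whether anything is probing the gateway.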
Even if the firewall's local interfaces have completely different policies from those for forwarded traffic, if the system has been compromised, it won't be long before the interloper has gained root access. At that point, if not before, the internal systems are wide open as well. Chances are, a home LAN will never have to face this situation if the services offered to the Internet are chosen carefully and a stringent firewall policy is enforced. Still, a standalone gateway firewall represents a single point of failure. It's an all-or-nothing situation. Many larger organizations and corporations rely on a single firewall setup, and many others use one of two other architectures: a screened-host architecture with no direct routing, or a screened-subnet architecture with proxy services, along with a perimeter DMZ network created either between or alongside the external firewall, separated from the private LAN. Public servers in the DMZ network have their own specialized, bastion firewalls as well. This means that these sites have a lot more computers at their disposal, and a staff to manage them.
In addition to the single-system, standalone firewall, the firewall presented in Chapter 4 can be expanded to form the basis for a dual-homed gateway firewall protecting the host, which offers one or a few public services. A home LAN is often protected by a single gateway firewall that both filters forwarded traffic and offers public services. What options are available for a dual-homed system that can't afford the risk of a single gateway firewall or the cost of many computers and a staff to manage them? Fortunately, a dual-homed firewall and LAN offer stronger security when the system is configured carefully. The question is this: Is the extra effort worth the increased security in a trusted environment?