In a previous article in this series, I talked about using Linux-based systems for what could be a quasi-security purpose: network packet monitoring. In this article I go "all the way" and discuss how Linux can be used in areas where you need absolute control over what happens on a network: a firewall.
Firewalls seem to be the stuff of legend in the IT community. Everyone has one because they're afraid of system crackers, viruses, and other nefarious things, but very few people know what a firewall is, let alone how to construct one. This article will give you a good overview of what happens under the hood, and how you might use Linux in other security applications such as penetration-testing and intrusion detection.
In its most straightforward definition, a firewall is a process that implements a set of policies that control the flow of information between one area of interest and another.
You might be wondering why I defined "firewall" in such a non-technical way. ... It turns out that the concept of a firewall in the information-management realm goes back long before the advent of computers. Looking at what a firewall does outside the context of computing can demystify what's really going on.
For example, in banking, as well as many other fields, there are legally defined "firewalls" that define how one group (such as investment bankers) and another (such as traders on a trading floor) are allowed to share information. In banking, such procedural firewalls exist to ensure that investment bankers and stock traders don't get into a situation where one group is touting what the other is selling. In this case the "firewall" helps safeguard investors from potentially disastrous investments.
Of course, in the Internet/Intranet context, a firewall implements a policy that defines how two or more computer networks may interact and exchange information.
Firewalls themselves are really no more than extremely flexible routers. A firewall's goal is to keep track of every packet that enters or leaves its network interfaces according to a strict set of rules. If any of those rules are tested (that is, someone tries to do something they are not allowed to according to the defined access policies), the firewall should log it and, usually, notify a real human being. If any of the firewall's rules are violated, the firewall is said to have been "breached," and the systems being protected by the firewall are considered to be potentially "at risk."
Routers are not as programmable as firewalls -- a router's job is to move packets between networks as fast as possible; adding lots of security tools slows down the routing function as each packet has to be checked at a variety of levels. A firewall's job is to move authorized packets between networks according to a well-defined security policy. This is a very, very broad distinction.
Linux firewalls come in several flavors. The first is a commercial firewall package such as the Phoenix Adaptive Firewall or NetMax Firewall ProSuite. These are systems put together as turn-key solutions for people who want to install a firewall for which they can get support from a vendor. The other variety of firewall is the "homegrown" Linux firewall. Usually people "roll their own" when either they can't find a commercial package that meets their specific needs, or they wish to have more control over the settings, or source code, than can be had with a commercial package.
A Linux firewall is a regular Linux machine, to which all available security patches and updates have been applied and from which all unnecessary services have been removed. Unnecessary services include:
This point cannot be emphasized enough -- firewalls must be systems whose software is known to be working properly where all known security risks and exposures have been eliminated. This is the hardest part of any security administrator's job -- making sure you're up to date with the latest security advisories from CERT, the Computer Emergency Response Team, and the other information security monitoring groups. Most people get into trouble because they fail to monitor or, more often, fail to act on a known security vulnerability.
Packet filtering is the process by which packets coming from a network to which the firewall is attached are examined to determine how they should be handled.
There are several packet filtering systems available for Linux, but the most commonly used is a package called IP Chains, which is based on a novel, if not arcane, system for specifying how packets can be allowed through the firewall.
The goal of packet filtering is to examine each and every packet that could transit the firewall to ensure that it meets the rules set down by the administrators. The IP Chains system sets up a series of filters that examine a packet to determine what should be done with it; if one filter decides that the packet isn't a type that it handles, it passes it on to the next filter in the chain until the packet is either passed to the inside (protected) network, or it falls off the end of the filter chain and is rejected or dropped.
In the simplest scenario, the firewall has to make sure that the packet is coming from an authorized host on an authorized network and going to an authorized host on an authorized network.
Other checks might include making sure that only selected protocols (such as XWindow, FTP, or Telnet) are allowed to pass through the firewall, or, at a deeper level still, the content of the packets might be examined to ensure that they contain the kind of data they say they do and that someone isn't playing games with tunneling, say, X Window sessions over a Telnet session.
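To make the chain-walking described above concrete, here is an added example (not code from the article, and not ipchains itself) that models IP Chains-style first-match filtering in Python: a packet walks the built-in input chain, a matching rule either gives a verdict or jumps to a user-defined chain, a packet that falls off the end of a user chain returns to the calling chain, and one that falls off the end of the input chain gets the default policy. The interface names, networks, hosts and the "partners" chain are constructed for the example.

```python
import ipaddress
from collections import namedtuple
# Constructed model of IP Chains-style filtering (example code, not the article's).
# A None field in a Rule is a wildcard; src/dst are CIDR networks.
Packet = namedtuple("Packet", "iface src dst proto dport")
Rule = namedtuple("Rule", "target iface src dst proto dport",
                  defaults=(None, "0.0.0.0/0", "0.0.0.0/0", None, None))
TERMINAL = {"ACCEPT", "DENY", "REJECT"}
def matches(r, p):
    """True when every non-wildcard field of the rule fits the packet."""
    return ((r.iface is None or r.iface == p.iface)
            and ipaddress.ip_address(p.src) in ipaddress.ip_network(r.src)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(r.dst)
            and (r.proto is None or r.proto == p.proto)
            and (r.dport is None or r.dport == p.dport))
class Firewall:
    def __init__(self, chains, policy="DENY"):
        self.chains, self.policy, self.log = chains, policy, []
    def walk(self, chain, p):
        for r in self.chains[chain]:
            if not matches(r, p):
                continue                        # not this filter's kind of packet
            verdict = r.target if r.target in TERMINAL else self.walk(r.target, p)
            if verdict:                         # None means a user chain fell off its end
                return verdict
        return None                             # fell off the end of this chain
    def filter(self, p):
        verdict = self.walk("input", p) or self.policy   # default policy applies
        if verdict != "ACCEPT":                 # a rule was tested: log it
            self.log.append(f"{verdict} {p.proto} {p.src}->{p.dst}:{p.dport} via {p.iface}")
        return verdict
# Constructed policy: 10.1.0.0/16 is the protected network, eth0 faces the
# outside, and partner network 192.0.2.0/24 may use FTP and Telnet only.
CHAINS = {
    "input": [
        Rule("DENY", iface="eth0", src="10.1.0.0/16"),   # inside address from outside: spoofed
        Rule("partners", iface="eth0", src="192.0.2.0/24", dst="10.1.0.0/16"),
    ],
    "partners": [Rule("ACCEPT", proto="tcp", dport=21), Rule("ACCEPT", proto="tcp", dport=23)],
}
def run_samples():
    fw = Firewall(CHAINS)
    samples = [Packet("eth0", "192.0.2.10", "10.1.5.5", "tcp", 23),     # partner Telnet
               Packet("eth0", "192.0.2.10", "10.1.5.5", "tcp", 6000),   # partner X11, not allowed
               Packet("eth0", "10.1.9.9", "10.1.5.5", "tcp", 23),       # spoofed inside source
               Packet("eth0", "198.51.100.7", "10.1.5.5", "tcp", 21)]   # unknown host
    return [fw.filter(p) for p in samples], fw.log
```

Only the partner Telnet packet is accepted; the X11 attempt falls off the end of the partners chain, returns to the input chain, and is denied by the default policy along with the spoofed and unknown sources, each of which lands in the log.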
The bottom line with regard to creating a firewall system, whether using Linux as a base or any other operating system, is to make sure that the policies that define what can pass through the box are clearly thought out and consistently applied and that the system is not just set up and never looked at again.
If you are going to build a firewall, or if you already have one, a periodic inspection of what traffic is allowed through is a really good idea. It is said that information security is not a destination, but a journey. Just because you have bought (or built) a firewall doesn't mean that the job is done. Firewalls are like relationships; they need constant attention if they are going to work well.
NetMax Firewall ProSuite
One of the best ways to test a firewall is to throw a lot of packets at it and see what the firewall accepts and rejects. There are several toolkits available that can perform this function. The best known of these is called SATAN for System Administrator's Tool for Analyzing Networks. It was written by Dan Farmer, a security consultant who now works for EarthLink Networks. SATAN allows an administrator to perform a series of port scanning operations against a firewall looking for vulnerabilities; it also has a built-in database of some well-known vulnerabilities that it can try to exploit.
A derivative work that takes most of its code-base from SATAN is SAINT (Security Administrator's Integrated Network Tool). SAINT updates some of SATAN's network scanning capabilities and is designed to work on Linux out of the box.
Another useful tool called NMAP can help you create a map of services on a given host or find all the hosts on a given network that support a given service. This can be very helpful in tracking down services that are not supposed to be running on machines on your network.
As I have stated before, tools such as network scanners are very powerful tools considered by most network managers to be very hostile if used on their networks without permission. Be careful how, if, when, and where you decide to experiment with them!
David HM Spector is President & CEO of Really Fast Systems, LLC, an infrastructure consulting and product development company based in New York.
Copyright © 2009 O'Reilly Media, Inc.