Linux Firewalls

Larger Cover

Linux Firewalls

Attack Detection and Response

By Michael Rash

Publisher: No Starch Press

Released: September 2007

Pages: 336

System administrators need to stay ahead of new security vulnerabilities that leave their networks exposed every day. A firewall and an intrusion detection systems (IDS) are two important weapons in that fight, enabling you to proactively deny access and monitor network traffic for signs of an attack.

Linux Firewalls discusses the technical details of the iptables firewall and the Netfilter framework that are built into the Linux kernel, and it explains how they provide strong filtering, Network Address Translation (NAT), state tracking, and application layer inspection capabilities that rival many commercial tools. You'll learn how to deploy iptables as an IDS with psad and fwsnort and how to build a strong, passive authentication layer around iptables with fwknop.

Concrete examples illustrate concepts such as firewall log analysis and policies, passive network authentication and authorization, exploit packet traces, Snort ruleset emulation, and more with coverage of these topics:

Passive network authentication and OS fingerprinting

iptables log analysis and policies

Application layer attack detection with the iptables string match extension

Building an iptables ruleset that emulates a Snort ruleset

Port knocking vs. Single Packet Authorization (SPA)

Tools for visualizing iptables logs

Perl and C code snippets offer practical examples that will help you to maximize your deployment of Linux firewalls. If you're responsible for keeping a network secure, you'll find Linux Firewalls invaluable in your attempt to understand attacks and use iptables-along with psad and fwsnort-to detect and even prevent compromises.

Chapter 1 CARE AND FEEDING OF IPTABLES
1. iptables
2. Packet Filtering with iptables
3. Installing iptables
4. Kernel Configuration
5. Security and Minimal Compilation
6. Kernel Compilation and Installation
7. Installing the iptables Userland Binaries
8. Default iptables Policy
9. Concluding Thoughts
Chapter 2 NETWORK LAYER ATTACKS AND DEFENSE
1. Logging Network Layer Headers with iptables
2. Network Layer Attack Definitions
3. Abusing the Network Layer
4. Network Layer Responses
Chapter 3 TRANSPORT LAYER ATTACKS AND DEFENSE
1. Logging Transport Layer Headers with iptables
2. Transport Layer Attack Definitions
3. Abusing the Transport Layer
4. Transport Layer Responses
Chapter 4 APPLICATION LAYER ATTACKS AND DEFENSE
1. Application Layer String Matching with iptables
2. Application Layer Attack Definitions
3. Abusing the Application Layer
4. Encryption and Application Encodings
5. Application Layer Responses
Chapter 5 INTRODUCING PSAD: THE PORT SCAN ATTACK DETECTOR
1. History
2. Why Analyze Firewall Logs?
3. psad Features
4. psad Installation
5. psad Administration
6. psad Configuration
7. Concluding Thoughts
Chapter 6 PSAD OPERATIONS: DETECTING SUSPICIOUS TRAFFIC
1. Port Scan Detection with psad
2. Alerts and Reporting with psad
3. Concluding Thoughts
Chapter 7 ADVANCED PSAD TOPICS: FROM SIGNATURE MATCHING TO OS FINGERPRINTING
1. Attack Detection with Snort Rules
2. psad Signature Updates
3. OS Fingerprinting
4. DShield Reporting
5. Viewing psad Status Output
6. Forensics Mode
7. Verbose/Debug Mode
8. Concluding Thoughts
Chapter 8 ACTIVE RESPONSE WITH PSAD
1. Intrusion Prevention vs. Active Response
2. Active Response Trade-offs
3. Responding to Attacks with psad
4. Active Response Examples
5. Integrating psad Active Response with Third-Party Tools
6. Concluding Thoughts
Chapter 9 TRANSLATING SNORT RULES INTO IPTABLES RULES
1. Why Run fwsnort?
2. Signature Translation Examples
3. The fwsnort Interpretation of Snort Rules
4. Concluding Thoughts
Chapter 10 DEPLOYING FWSNORT
1. Installing fwsnort
2. Running fwsnort
3. Observing fwsnort in Action
4. Setting Up Whitelists and Blacklists
5. Concluding Thoughts
Chapter 11 COMBINING PSAD AND FWSNORT
1. Tying fwsnort Detection to psad Operations
2. Revisiting Active Response
3. Thwarting Metasploit Updates
4. Concluding Thoughts
Chapter 12 PORT KNOCKING VS. SINGLE PACKET AUTHORIZATION
1. Reducing the Attack Surface
2. The Zero-Day Attack Problem
3. Port Knocking
4. Single Packet Authorization
5. Security Through Obscurity?
6. Concluding Thoughts
Chapter 13 INTRODUCING FWKNOP
1. fwknop Installation
2. fwknop Configuration
3. fwknop SPA Packet Format
4. Deploying fwknop
5. Concluding Thoughts
Chapter 14 VISUALIZING IPTABLES LOGS
1. Seeing the Unusual
2. Gnuplot
3. AfterGlow
4. iptables Attack Visualizations
5. Concluding Thoughts

Appendix ATTACK SPOOFING
1. Connection Tracking
Appendix A COMPLETE FWSNORT SCRIPT
COLOPHON

Title:

Linux Firewalls

By:

Michael Rash

Publisher:

No Starch Press

Formats:

Print
Ebook
Safari Books Online

Print:

September 2007

Ebook:

August 2009

Pages:

336

Print ISBN:

978-1-59327-141-1

| ISBN 10:

1-59327-141-7

Ebook ISBN:

978-1-59327-228-9

| ISBN 10:

1-59327-228-6

Description

Table of Contents

Product Details

About the Author

Recommended for You

Chapter 1 CARE AND FEEDING OF IPTABLES

iptables

Packet Filtering with iptables

Installing iptables

Kernel Configuration

Security and Minimal Compilation

Kernel Compilation and Installation

Installing the iptables Userland Binaries

Default iptables Policy

Concluding Thoughts

Chapter 2 NETWORK LAYER ATTACKS AND DEFENSE

Logging Network Layer Headers with iptables

Network Layer Attack Definitions

Abusing the Network Layer

Network Layer Responses

Chapter 3 TRANSPORT LAYER ATTACKS AND DEFENSE

Logging Transport Layer Headers with iptables

Transport Layer Attack Definitions

Abusing the Transport Layer

Transport Layer Responses

Chapter 4 APPLICATION LAYER ATTACKS AND DEFENSE

Application Layer String Matching with iptables

Application Layer Attack Definitions

Abusing the Application Layer

Encryption and Application Encodings

Application Layer Responses

Chapter 5 INTRODUCING PSAD: THE PORT SCAN ATTACK DETECTOR

History

Why Analyze Firewall Logs?

psad Features

psad Installation

psad Administration

psad Configuration

Concluding Thoughts

Chapter 6 PSAD OPERATIONS: DETECTING SUSPICIOUS TRAFFIC

Port Scan Detection with psad

Alerts and Reporting with psad

Concluding Thoughts

Chapter 7 ADVANCED PSAD TOPICS: FROM SIGNATURE MATCHING TO OS FINGERPRINTING

Attack Detection with Snort Rules

psad Signature Updates

OS Fingerprinting

DShield Reporting

Viewing psad Status Output

Forensics Mode

Verbose/Debug Mode

Concluding Thoughts

Chapter 8 ACTIVE RESPONSE WITH PSAD

Intrusion Prevention vs. Active Response

Active Response Trade-offs

Responding to Attacks with psad

Active Response Examples

Integrating psad Active Response with Third-Party Tools

Concluding Thoughts

Chapter 9 TRANSLATING SNORT RULES INTO IPTABLES RULES

Why Run fwsnort?

Signature Translation Examples

The fwsnort Interpretation of Snort Rules

Concluding Thoughts

Chapter 10 DEPLOYING FWSNORT

Installing fwsnort

Running fwsnort

Observing fwsnort in Action

Setting Up Whitelists and Blacklists

Concluding Thoughts

Chapter 11 COMBINING PSAD AND FWSNORT

Tying fwsnort Detection to psad Operations

Revisiting Active Response

Thwarting Metasploit Updates

Concluding Thoughts

Chapter 12 PORT KNOCKING VS. SINGLE PACKET AUTHORIZATION

Reducing the Attack Surface

The Zero-Day Attack Problem

Port Knocking

Single Packet Authorization

Security Through Obscurity?

Concluding Thoughts

Chapter 13 INTRODUCING FWKNOP

fwknop Installation

fwknop Configuration