Kuro5hin.org: technology and culture, from the trenches
Auditing Your Firewall

By noeld in News
Mon Apr 10, 2000 at 10:26:31 AM EST
Tags: Security (all tags)
Security

Lance Spitzner tells us how to Audit Your Firewall Setup.
"You've just finished implementing your new, shiny firewall. Or perhaps you've just inherited several new firewalls with the company merger. Either way, you are probably curious as to whether or not they are implemented properly. Will your firewalls keep the barbarians out there at bay? Does it meet your expectations? This paper will help you find out. Here you will find a guide on how to audit your firewall and your firewall rulebase. Examples provided here are based on Check Point FireWall-1, but should apply to most firewalls."

Auditing Your Firewall | 6 comments (6 topical, 0 editorial, 0 hidden)
First Post! (none / 0) (#1)
by ramses0 on Mon Apr 10, 2000 at 12:58:12 PM EST

Ok, sorry for the gratuitous first post thingie (hey, how often is it that a story ends up on the front page with *no* comments) but I really do have a question that maybe someone can explain.

What's the difference between a firewall, and TCP_WRAPPERS, and hosts.deny, and hosts.allow?

I -think- I understand the differences, but I get the feeling that all of them are closely related. I'm sure someone here knows what the differences are, and can explain them.

Thanks in advance!

--Robert

Re: First Post! (none / 0) (#2)
by rusty on Mon Apr 10, 2000 at 01:25:39 PM EST

Inoshiro is really the one to answer this question, but he's off writing his next article, so I'll take a stab at it. :-)

Basically, things like tcp_wrappers allow you to define, in a rough way, what hosts have access to what services on a machine. A firewall is more general, and more secure, in that it will intercept and examine all traffic for any number of machines, and take action as needed. So, I could have a dozen webservers, and put them all behind one firewall, then have that firewall machine filter traffic based on a bunch of criteria. The firewall takes all incoming traffic, and, if it approves the request, will forward packets on to the destination machine, and vice versa from the server to the world.

The line can be a bit blurred in the unix world, as a machine can serve as its own firewall, to an extent. Things like ipchains allow you to run all incoming traffic for the local host through rulesets, and do pretty much the same thing you'd be doing on an actual firewall. The advantage to making it a dedicated machine is that you only have to manage the rulesets on one box, and you have a convenient traffic gateway, for any machine on the "private" side of the firewall.

Oh yeah, and hosts.deny and hosts.allow are just the config files for tcp_wrappers. They let you say which hosts can do what, for services that run through tcp_wrappers.

____
Not the real rusty

Re: First Post! (none / 0) (#6)
by Inoshiro on Mon Apr 10, 2000 at 05:33:14 PM EST

Hehe.. I did answer it, even if it did happen 4 hours after you did ;-)

--
[ イノシロ ]
Re: First Post! (none / 0) (#4)
by eann on Mon Apr 10, 2000 at 01:53:09 PM EST

Well, I'm no security expert, although I think I can make some reasonably valid general statements (see the fuzzy logic article for refinement of "reasonably valid").

TCP Wrappers aren't actually extra data passed with TCP packets; it's the program tcpd that "wraps" around telnetd, ftpd, etc., when they're invoked by inetd, on a single machine. It's not inconceivable to me that it could be applied to other network services; I've just never seen it done. hosts.allow and hosts.deny are the files (usually in /etc) that tell tcpd which machines to allow access to those services, based on IP address and various other restrictions.

A firewall, on the other hand, is (usually) a dedicated machine that can intercept traffic using similar rules, but it can sit between a router and a hub, and therefore be applied to the entire network. In days gone by (I really haven't shopped for firewalls recently), the most common config would be to have two ethernet ports--one connected to the internal network and one to the outside world, and the security software would regulate which data could pass between the two.

At the time I started writing this, no one else had responded. Please forgive apparent duplication of effort, and publicly correct any of my misthinkings.

Our scientific power has outrun our spiritual power. We have guided missiles and misguided men. —MLK

$email =~ s/0/o/; # The K5 cabal is out to get you.


Re: First Post! (none / 0) (#5)
by Inoshiro on Mon Apr 10, 2000 at 04:50:22 PM EST

TCP wrappers work via hosts.deny and hosts.allow. Most Linux distributions ship with TCP wrapper code compiled in. OpenBSD does not.

Theo has stated before that the problem with TCP wrappers is that it requires the person you do not want accessing your services to connect to a service before they are denied access. It's easier and safer to block them at the TCP/IP stack level via ipf, ipchains, etc. Any sanity checking the TCP wrappers do can be done more easily in the TCP/IP stack before the program even sees the connection.

That is why there are no TCP wrappers in OpenBSD, and why they are generally an indication of the wrong solution to the problem. They do have uses for some situations (perhaps an extra notification or snoop of a session via the TCP wrapper), but they should not be used to enforce packet rules. Use the built-in settings for that.



--
[ イノシロ ]
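The hosts.allow / hosts.deny lookup that rusty, eann and Inoshiro describe, as an added example (not code from the thread or from tcp_wrappers itself): a small Python model of the hosts_access(5) evaluation order. The rule files and client addresses are constructed for the example, and only the exact-address and net/mask client patterns are modelled; the comment in hosts_access marks the point Inoshiro makes, that the decision is taken only after the TCP connection has already been accepted.

```python
"""Model of tcp_wrappers access control (hosts_access(5) order).

hosts.allow is searched first, then hosts.deny; the first matching
line decides; if neither file matches, access is granted.
"""
import ipaddress

# Constructed sample files: each line is "daemon_list : client_list".
HOSTS_ALLOW = """
sshd : 192.168.1.0/255.255.255.0
in.ftpd : 127.0.0.1
"""
HOSTS_DENY = """
ALL : ALL
"""


def _client_matches(pattern: str, addr: str) -> bool:
    """Match one client pattern against a dotted-quad address."""
    if pattern == "ALL":
        return True
    if "/" in pattern:  # net/mask form, e.g. 192.168.1.0/255.255.255.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):  # leading-octets prefix, e.g. "10.0."
        return addr.startswith(pattern)
    return addr == pattern


def _file_matches(text: str, daemon: str, addr: str) -> bool:
    """True if any line of an access file matches both daemon and client."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if ":" not in line:
            continue
        daemons, clients = (part.strip().split() for part in line.split(":", 1))
        if daemon in daemons or "ALL" in daemons:
            if any(_client_matches(c, addr) for c in clients):
                return True
    return False


def hosts_access(daemon: str, addr: str, allow=HOSTS_ALLOW, deny=HOSTS_DENY) -> bool:
    """Decide as tcpd would. Note: tcpd runs this only after inetd has
    already accept()ed the connection, which is the objection quoted above;
    a packet filter rule would have dropped the SYN before that point."""
    if _file_matches(allow, daemon, addr):
        return True
    if _file_matches(deny, daemon, addr):
        return False
    return True  # neither file matches: access is granted by default
```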
Firewalls.......good idea. (none / 0) (#7)
by Anonymous Hero on Tue Apr 11, 2000 at 01:18:49 PM EST

I have an NT firewall [no flames] but recently swapped to a Unix firewall [FreeBSD w/ ipfw]. It 'works', sorta open now :( I want to set it up more....but, due to lack of support......bha D~y mr-white$pacbell.net
