Chapter 7. Firewalls
Information security is commonly thought of as a process and not a
product. However, standard security implementations usually employ some form
of dedicated mechanism to control access privileges and restrict network
resources to users who are authorized, identifiable, and traceable. Red Hat Enterprise Linux
includes several powerful tools to assist administrators and security
engineers with network-level access control issues.
Aside from VPN solutions such as CIPE or IPsec (discussed in Chapter 6, Virtual Private Networks), firewalls are one of the core components of network
security implementation. Several vendors market firewall solutions
catering to all levels of the marketplace: from home users protecting
one PC to data center solutions safeguarding vital enterprise
information. Firewalls can be standalone hardware solutions, such as
firewall appliances by Cisco, Nokia, and Sonicwall. There are also
proprietary software firewall solutions developed for home and business
markets by vendors such as Checkpoint, McAfee, and Symantec.
Apart from the differences between hardware and software firewalls,
there are also differences in the way firewalls function that separate one
solution from another. Table 7-1 details three common
types of firewalls and how they function:
| Method | Description | Advantages | Disadvantages |
|---|---|---|---|
| NAT | Network Address Translation (NAT) places internal network IP subnetworks behind one or a small pool of external IP addresses, masquerading all requests to one source rather than several. | · Can be configured transparently to machines on a LAN · Protection of many machines and services behind one or more external IP address(es), simplifying administration duties · Restriction of user access to and from the LAN can be configured by opening and closing ports on the NAT firewall/gateway | · Cannot prevent malicious activity once users connect to a service outside of the firewall |
| Packet Filter | Packet filtering firewalls read each data packet that passes within and outside of a LAN. They can read and process packets by header information and filter each packet based on sets of programmable rules implemented by the firewall administrator. The Linux kernel has built-in packet filtering functionality through the netfilter kernel subsystem. | · Customizable through the iptables front-end utility · Does not require any customization on the client side, as all network activity is filtered at the router level rather than at the application level · Since packets are not transmitted through a proxy, network performance is faster due to the direct connection from client to remote host | · Cannot filter packets for content like proxy firewalls · Processes packets at the protocol layer, but cannot filter packets at the application layer · Complex network architectures can make establishing packet filtering rules difficult, especially if coupled with IP masquerading or local subnets and DMZ networks |
| Proxy | Proxy firewalls filter all requests of a certain protocol or type from LAN clients to a proxy machine, which then makes those requests to the Internet on behalf of the local client. A proxy machine acts as a buffer between malicious remote users and the internal network client machines. | · Gives administrators control over what applications and protocols function outside of the LAN · Some proxy servers can cache data so that clients can access frequently requested data from the local cache rather than having to use the Internet connection to request it, which is convenient for cutting down on unnecessary bandwidth consumption · Proxy services can be logged and monitored closely, allowing tighter control over resource utilization on the network | · Proxies are often application specific (HTTP, telnet, etc.) or protocol restricted (most proxies work with TCP connected services only) · Application services cannot run behind a proxy, so your application servers must use a separate form of network security · Proxies can become a network bottleneck, as all requests and transmissions are passed through one source rather than direct client to remote service connections |

Table 7-1. Firewall Types
7.1. Netfilter and IPTables
The Linux kernel features a powerful networking subsystem called
netfilter. The netfilter subsystem provides
stateful or stateless packet filtering as well as NAT and IP
masquerading services. Netfilter also has the ability to
mangle IP header information for advanced routing
and connection state management. Netfilter is controlled through the
IPTables utility.
7.1.1. IPTables Overview
The power and flexibility of netfilter is implemented through the
IPTables interface. This command-line tool is
similar in syntax to its predecessor, IPChains;
however, IPTables uses the netfilter subsystem to
enhance network connection, inspection, and processing; whereas
IPChains used intricate rule sets for filtering
source and destination paths, as well as connection ports for
both. IPTables features advanced logging, pre- and
post-routing actions, network address translation, and port forwarding
all in one command-line interface.
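The following script is an added example and is not part of the Red Hat guide. It expresses the NAT and packet-filter methods from Table 7-1, and the netfilter features named in Section 7.1 (stateful filtering, NAT/masquerading, logging, port forwarding), as a single iptables rule set for a small LAN gateway. The interface names (eth1 for the LAN, eth0 for the WAN), the 192.168.1.0/24 subnet, the 192.168.1.10 web server and the helper names ipt and apply_firewall_rules are all constructed placeholders; the IPT override (IPT=echo) is a convenience for previewing the rules without root, not an iptables feature.

```shell
#!/bin/sh
# Added example: stateful packet filter plus NAT masquerading gateway using
# iptables. Not from the Red Hat guide; all addresses and interface names
# below are constructed placeholders.
#
# Assumptions (adjust to your network):
#   LAN interface  : eth1  (internal clients on 192.168.1.0/24)
#   WAN interface  : eth0  (one public address, masqueraded)
#   Web server     : 192.168.1.10 (target of inbound HTTP port forwarding)
#
# Apply  : sh firewall.sh eth1 eth0            (requires root)
# Preview: IPT=echo sh firewall.sh eth1 eth0   (prints the rules instead)

# Every rule goes through this wrapper; set IPT=echo to preview without root.
ipt() {
    "${IPT:-iptables}" "$@"
}

apply_firewall_rules() {
    lan_if="$1"
    wan_if="$2"
    lan_net="192.168.1.0/24"   # constructed sample subnet
    web_host="192.168.1.10"    # constructed sample web server

    # Start from a clean slate in both the filter and nat tables.
    ipt -F
    ipt -X
    ipt -t nat -F

    # Default-deny policy: anything not explicitly accepted below is dropped.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback traffic is always local and trusted.
    ipt -A INPUT -i lo -j ACCEPT

    # Stateful filtering: replies to connections the gateway or the LAN
    # opened are accepted via netfilter connection tracking, so no
    # per-service rule is needed for return traffic.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Administrative SSH to the gateway itself, from the LAN side only.
    ipt -A INPUT -i "$lan_if" -s "$lan_net" -p tcp --dport 22 -j ACCEPT

    # NAT (Table 7-1): masquerade all LAN traffic leaving on the WAN
    # interface behind the gateway's single external address.
    ipt -t nat -A POSTROUTING -o "$wan_if" -s "$lan_net" -j MASQUERADE
    ipt -A FORWARD -i "$lan_if" -o "$wan_if" -s "$lan_net" -j ACCEPT

    # Port forwarding: inbound HTTP on the WAN address is DNATed to the
    # internal web server, and only that forwarded flow is allowed through.
    ipt -t nat -A PREROUTING -i "$wan_if" -p tcp --dport 80 \
        -j DNAT --to-destination "$web_host:80"
    ipt -A FORWARD -i "$wan_if" -o "$lan_if" -d "$web_host" \
        -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # Logging: record, rate-limited, what the default-deny policy drops so
    # probes show up in the logs without flooding them.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables INPUT drop: "
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables FORWARD drop: "

    # Routing between interfaces must be enabled for FORWARD/NAT to take
    # effect; skipped in preview mode because it writes to /proc.
    if [ "${IPT:-iptables}" != "echo" ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Apply only when invoked with both interface names.
if [ "$#" -eq 2 ]; then
    apply_firewall_rules "$1" "$2"
fi
```

The rule order matters: the ESTABLISHED,RELATED rules sit near the top so return traffic is matched cheaply by the connection-tracking table, the LOG rules sit last so they see only what nothing else accepted, and the DROP policies catch everything after them. Previewing with IPT=echo is a useful check before applying a rule set to a remote gateway, where a mistaken policy can lock out the administrator's own SSH session.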
This section provides an overview of IPTables. For more detailed
information about IPTables, refer to the
Red Hat Enterprise Linux Reference Guide.