NOTE: CentOS Enterprise Linux is built from the Red Hat Enterprise Linux source code. Other than logo and name changes CentOS Enterprise Linux is compatible with the equivalent Red Hat version. This document applies equally to both Red Hat and CentOS Enterprise Linux.
Chapter 7. Firewalls
Information security is commonly thought of as a process and not a product. However, standard security implementations usually employ some form of dedicated mechanism to control access privileges and restrict network resources to users who are authorized, identifiable, and traceable. Red Hat Enterprise Linux includes several powerful tools to assist administrators and security engineers with network-level access control issues.

Along with VPN solutions, such as IPsec (discussed in Chapter 6 Virtual Private Networks), firewalls are one of the core components of a network security implementation. Several vendors market firewall solutions catering to all levels of the marketplace: from home users protecting one PC to data center solutions safeguarding vital enterprise information. Firewalls can be standalone hardware solutions, such as firewall appliances by Cisco, Nokia, and Sonicwall. There are also proprietary software firewall solutions developed for home and business markets by vendors such as Checkpoint, McAfee, and Symantec.

Apart from the differences between hardware and software firewalls, there are also differences in the way firewalls function that separate one solution from another. Table 7-1 details three common types of firewalls and how they function:
Method: NAT
Description: Network Address Translation (NAT) places private IP subnetworks behind one or a small pool of public IP addresses, masquerading all requests to one source rather than several.
Advantages:
- Can be configured transparently to machines on a LAN
- Protection of many machines and services behind one or more external IP address(es) simplifies administration duties
- Restriction of user access to and from the LAN can be configured by opening and closing ports on the NAT firewall/gateway
Disadvantages:
- Cannot prevent malicious activity once users connect to a service outside of the firewall

Method: Packet Filter
Description: A packet filtering firewall reads each data packet that passes within and outside of a LAN. It can read and process packets by header information and filters the packet based on sets of programmable rules implemented by the firewall administrator. The Linux kernel has built-in packet filtering functionality through the Netfilter kernel subsystem.
Advantages:
- Customizable through the iptables front-end utility
- Does not require any customization on the client side, as all network activity is filtered at the router level rather than the application level
- Since packets are not transmitted through a proxy, network performance is faster due to direct connection from client to remote host
Disadvantages:
- Cannot filter packets for content like proxy firewalls
- Processes packets at the protocol layer, but cannot filter packets at an application layer
- Complex network architectures can make establishing packet filtering rules difficult, especially if coupled with IP masquerading or local subnets and DMZ networks

Method: Proxy
Description: Proxy firewalls filter all requests of a certain protocol or type from LAN clients to a proxy machine, which then makes those requests to the Internet on behalf of the local client. A proxy machine acts as a buffer between malicious remote users and the internal network client machines.
Advantages:
- Gives administrators control over what applications and protocols function outside of the LAN
- Some proxy servers can cache frequently-accessed data locally rather than having to use the Internet connection to request it, which is convenient for cutting down on unnecessary bandwidth consumption
- Proxy services can be logged and monitored closely, allowing tighter control over resource utilization on the network
Disadvantages:
- Proxies are often application specific (HTTP, Telnet, etc.) or protocol restricted (most proxies work with TCP connected services only)
- Application services cannot run behind a proxy, so your application servers must use a separate form of network security
- Proxies can become a network bottleneck, as all requests and transmissions are passed through one source rather than directly from a client to a remote service

Table 7-1. Firewall Types
The Linux kernel features a powerful networking subsystem called Netfilter. The Netfilter subsystem provides stateful or stateless packet filtering as well as NAT and IP masquerading services. Netfilter also has the ability to mangle IP header information for advanced routing and connection state management. Netfilter is controlled through the iptables utility.

The power and flexibility of Netfilter is implemented through the iptables interface. This command line tool is similar in syntax to its predecessor, ipchains; however, iptables uses the Netfilter subsystem to enhance network connection, inspection, and processing, whereas ipchains used intricate rule sets for filtering source and destination paths, as well as connection ports for both. iptables features advanced logging, pre- and post-routing actions, network address translation, and port forwarding all in one command line interface.

This section provides an overview of iptables. For more detailed information about iptables, refer to the Red Hat Enterprise Linux Reference Guide.
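The gateway configuration these paragraphs describe (stateful packet filtering, IP masquerading, port forwarding and logging, i.e. the NAT and Packet Filter rows of Table 7-1 realised with Netfilter), as an added example that is not part of the Red Hat guide: a small POSIX shell script that emits a reviewable iptables ruleset. The interface names eth0 (Internet side) and eth1 (LAN side), the LAN range 192.168.1.0/24 and the internal web server address 192.168.1.10 are assumptions made for the illustration. By default the script only prints the commands; it applies them only when run as root with --apply.

```shell
#!/bin/sh
# Added example (not from the Red Hat Enterprise Linux Security Guide):
# a minimal stateful NAT gateway ruleset built with iptables.
# Assumed topology: EXT_IF faces the Internet, LAN_IF faces the private
# LAN, and WEB_SERVER is an internal host published via port forwarding.
EXT_IF="${EXT_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WEB_SERVER="${WEB_SERVER:-192.168.1.10}"

# Emit the iptables commands one per line so they can be reviewed,
# diffed or piped to sh. Rule order matters: connection-tracking
# accepts first, explicit NEW allowances next, rate-limited LOG rules
# last, and the chain policy DROP catches everything else.
gateway_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $EXT_IF -s $LAN_NET -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $LAN_IF -d $WEB_SERVER -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_SERVER:80
iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN_NET -j MASQUERADE
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FORWARD-DROP: "
EOF
}

# Sanity check helper: how many rules jump to the given target
# (e.g. MASQUERADE, DNAT, LOG, ACCEPT) in the emitted ruleset.
count_target() {
    gateway_rules | grep -c -- "-j $1"
}

# Print the ruleset for review, or apply it when explicitly asked
# (requires root and the iptables binary on the gateway itself).
if [ "${1:-}" = "--apply" ]; then
    gateway_rules | sh -e
else
    gateway_rules
fi
```

The DNAT rule in the nat PREROUTING chain rewrites the destination of inbound port 80 traffic, but on its own it forwards nothing: the FORWARD chain must also accept the translated packet (the `-d $WEB_SERVER --dport 80` rule), otherwise the default DROP policy discards it. The `-m state --state ESTABLISHED,RELATED` rules are what makes the filter stateful; replies and related connections are accepted by connection-tracking rather than by opening their ports.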