Information security is commonly thought of as a process and not a
product. However, standard security implementations usually employ some form
of dedicated mechanism to control access privileges and restrict network
resources to users who are authorized, identifiable, and traceable. Red Hat Enterprise Linux
includes several powerful tools to assist administrators and security
engineers with network-level access control issues.
Along with VPN solutions, such as IPsec (discussed in Chapter 6 Virtual Private Networks), firewalls are one of the core components of a
network security implementation. Several vendors market firewall
solutions catering to all levels of the marketplace: from home users
protecting one PC to data center solutions safeguarding vital enterprise
information. Firewalls can be standalone hardware solutions, such as
firewall appliances by Cisco, Nokia, and Sonicwall. There are also
proprietary software firewall solutions developed for home and business
markets by vendors such as Checkpoint, McAfee, and Symantec.
Apart from the differences between hardware and software firewalls,
there are also differences in the way firewalls function that separate one
solution from another. Table 7-1 details three common
types of firewalls and how they function:
Table 7-1. Firewall Types

Method: NAT
Description: Network Address Translation (NAT) places private IP subnetworks behind one or a small pool of public IP addresses, masquerading all requests to one source rather than several.
Advantages:
  - Can be configured transparently to machines on a LAN
  - Protection of many machines and services behind one or more external IP address(es) simplifies administration duties
  - Restriction of user access to and from the LAN can be configured by opening and closing ports on the NAT firewall/gateway
Disadvantages:
  - Cannot prevent malicious activity once users connect to a service outside of the firewall

Method: Packet Filter
Description: A packet filtering firewall reads each data packet that passes within and outside of a LAN. It can read and process packets by header information and filters the packet based on sets of programmable rules implemented by the firewall administrator. The Linux kernel has built-in packet filtering functionality through the Netfilter kernel subsystem.
Advantages:
  - Customizable through the iptables front-end utility
  - Does not require any customization on the client side, as all network activity is filtered at the router level rather than the application level
  - Since packets are not transmitted through a proxy, network performance is faster due to direct connection from client to remote host
Disadvantages:
  - Cannot filter packets for content like proxy firewalls
  - Processes packets at the protocol layer, but cannot filter packets at an application layer
  - Complex network architectures can make establishing packet filtering rules difficult, especially if coupled with IP masquerading or local subnets and DMZ networks

Method: Proxy
Description: Proxy firewalls filter all requests of a certain protocol or type from LAN clients to a proxy machine, which then makes those requests to the Internet on behalf of the local client. A proxy machine acts as a buffer between malicious remote users and the internal network client machines.
Advantages:
  - Gives administrators control over what applications and protocols function outside of the LAN
  - Some proxy servers can cache frequently accessed data locally rather than having to use the Internet connection to request it, which is convenient for cutting down on unnecessary bandwidth consumption
  - Proxy services can be logged and monitored closely, allowing tighter control over resource utilization on the network
Disadvantages:
  - Proxies are often application specific (HTTP, Telnet, etc.) or protocol restricted (most proxies work with TCP connected services only)
  - Application services cannot run behind a proxy, so your application servers must use a separate form of network security
  - Proxies can become a network bottleneck, as all requests and transmissions are passed through one source rather than directly from a client to a remote service
The Linux kernel features a powerful networking subsystem called
Netfilter. The Netfilter subsystem provides
stateful or stateless packet filtering as well as NAT and IP
masquerading services. Netfilter also has the ability to
mangle IP header information for advanced routing
and connection state management. Netfilter is controlled through the
iptables utility.
The power and flexibility of Netfilter is implemented through the
iptables interface. This command line tool is
similar in syntax to its predecessor, ipchains;
however, iptables uses the Netfilter subsystem to
enhance network connection, inspection, and processing; whereas
ipchains used intricate rule sets for filtering
source and destination paths, as well as connection ports for
both. iptables features advanced logging, pre- and
post-routing actions, network address translation, and port forwarding
all in one command line interface.
This section provides an overview of
iptables. For more detailed information about
iptables, refer to the
Red Hat Enterprise Linux Reference Guide.