Synopses & Reviews
System administrators need to stay ahead of new security vulnerabilities that leave their networks exposed every day. A firewall and an intrusion detection system (IDS) are two important weapons in that fight, enabling you to proactively deny access and monitor network traffic for signs of an attack.
Linux Firewalls discusses the technical details of the iptables firewall and the Netfilter framework that are built into the Linux kernel, and it explains how they provide strong filtering, Network Address Translation (NAT), state tracking, and application layer inspection capabilities that rival many commercial tools. You'll learn how to deploy iptables as an IDS with psad and fwsnort and how to build a strong, passive authentication layer around iptables with fwknop.
Concrete examples illustrate concepts such as firewall log analysis and policies, passive network authentication and authorization, exploit packet traces, Snort ruleset emulation, and more with coverage of these topics:
Passive network authentication and OS fingerprinting
iptables log analysis and policies
Application layer attack detection with the iptables string match extension
Building an iptables ruleset that emulates a Snort ruleset
Port knocking vs. Single Packet Authorization (SPA)
Tools for visualizing iptables logs

Perl and C code snippets offer practical examples that will help you to maximize your deployment of Linux firewalls. If you're responsible for keeping a network secure, you'll find Linux Firewalls invaluable in your attempt to understand attacks and use iptables, along with psad and fwsnort, to detect and even prevent compromises.
Synopsis
The Netfilter firewall built into Linux provides capabilities that rival many commercial firewalls. Providing concrete examples to illustrate concepts, this new reference explores using Netfilter as an intrusion detection system (IDS) by combining it with Snort rule sets and custom software available from the author's site, cipherdyne.org.
About the Author
Michael Rash is a Security Architect on the Dragon Intrusion Detection System with Enterasys Networks, Inc., and is a frequent contributor to open source projects. As the creator of psad, fwknop, and fwsnort, Rash is an expert on firewalls, IDSs, OS fingerprinting, and the Snort rules language. He is co-author of the book Snort 2.1 Intrusion Detection, lead author and technical editor of the book Intrusion Prevention and Active Response, and has written security articles for Linux Journal, SysAdmin, and ;login:.
Table of Contents
ACKNOWLEDGMENTS
FOREWORD
INTRODUCTION
Why Detect Attacks with iptables?
Prerequisites
Technical References
About the Website
Chapter Summaries
Chapter 1: CARE AND FEEDING OF IPTABLES
1.1 iptables
1.2 Packet Filtering with iptables
1.3 Installing iptables
1.4 Kernel Configuration
1.5 Security and Minimal Compilation
1.6 Kernel Compilation and Installation
1.7 Installing the iptables Userland Binaries
1.8 Default iptables Policy
1.9 Concluding Thoughts
Chapter 2: NETWORK LAYER ATTACKS AND DEFENSE
2.1 Logging Network Layer Headers with iptables
2.2 Network Layer Attack Definitions
2.3 Abusing the Network Layer
2.4 Network Layer Responses
Chapter 3: TRANSPORT LAYER ATTACKS AND DEFENSE
3.1 Logging Transport Layer Headers with iptables
3.2 Transport Layer Attack Definitions
3.3 Abusing the Transport Layer
3.4 Transport Layer Responses
Chapter 4: APPLICATION LAYER ATTACKS AND DEFENSE
4.1 Application Layer String Matching with iptables
4.2 Application Layer Attack Definitions
4.3 Abusing the Application Layer
4.4 Encryption and Application Encodings
4.5 Application Layer Responses
Chapter 5: INTRODUCING PSAD: THE PORT SCAN ATTACK DETECTOR
5.1 History
5.2 Why Analyze Firewall Logs?
5.3 psad Features
5.4 psad Installation
5.5 psad Administration
5.6 psad Configuration
5.7 Concluding Thoughts
Chapter 6: PSAD OPERATIONS: DETECTING SUSPICIOUS TRAFFIC
6.1 Port Scan Detection with psad
6.2 Alerts and Reporting with psad
6.3 Concluding Thoughts
Chapter 7: ADVANCED PSAD TOPICS: FROM SIGNATURE MATCHING TO OS FINGERPRINTING
7.1 Attack Detection with Snort Rules
7.2 psad Signature Updates
7.3 OS Fingerprinting
7.4 DShield Reporting
7.5 Viewing psad Status Output
7.6 Forensics Mode
7.7 Verbose/Debug Mode
7.8 Concluding Thoughts
Chapter 8: ACTIVE RESPONSE WITH PSAD
8.1 Intrusion Prevention vs. Active Response
8.2 Active Response Trade-offs
8.3 Responding to Attacks with psad
8.4 Active Response Examples
8.5 Integrating psad Active Response with Third-Party Tools
8.6 Concluding Thoughts
Chapter 9: TRANSLATING SNORT RULES INTO IPTABLES RULES
9.1 Why Run fwsnort?
9.2 Signature Translation Examples
9.3 The fwsnort Interpretation of Snort Rules
9.4 Concluding Thoughts
Chapter 10: DEPLOYING FWSNORT
10.1 Installing fwsnort
10.2 Running fwsnort
10.3 Observing fwsnort in Action
10.4 Setting Up Whitelists and Blacklists
10.5 Concluding Thoughts
Chapter 11: COMBINING PSAD AND FWSNORT
11.1 Tying fwsnort Detection to psad Operations
11.2 Revisiting Active Response
11.3 Thwarting Metasploit Updates
11.4 Concluding Thoughts
Chapter 12: PORT KNOCKING VS. SINGLE PACKET AUTHORIZATION
12.1 Reducing the Attack Surface
12.2 The Zero-Day Attack Problem
12.3 Port Knocking
12.4 Single Packet Authorization
12.5 Security Through Obscurity?
12.6 Concluding Thoughts
Chapter 13: INTRODUCING FWKNOP
13.1 fwknop Installation
13.2 fwknop Configuration
13.3 fwknop SPA Packet Format
13.4 Deploying fwknop
13.5 Concluding Thoughts
Chapter 14: VISUALIZING IPTABLES LOGS
14.1 Seeing the Unusual
14.2 Gnuplot
14.3 AfterGlow
14.4 iptables Attack Visualizations
14.5 Concluding Thoughts
ATTACK SPOOFING
Connection Tracking
A COMPLETE FWSNORT SCRIPT
COLOPHON