Distributed Firewall for Linux

Tharanga Abeyseela
MSc in Computer Science
University of Moratuwa, Sri Lanka
October, 2007

This dissertation was submitted to the Department of Computer Science and Engineering of the University of Moratuwa in partial fulfillment of the requirements of the Degree of MSc in Computer Science.

Department of Computer Science and Engineering
University of Moratuwa
Sri Lanka
October, 2007

To my loving parents, who have dedicated their entire life to my education...

DECLARATION

I declare that the work included in the dissertation in part or whole has not been submitted for any other academic qualification at any institution.

------------------------- -------------------------
Tharanga Abeyseela (Candidate)   Mr Shantha Fernando (Supervisor)

Abstract

The number of attacks on connected hosts has increased over the last several years [1], making the security of networks an increasingly important problem. Attacks have become more automated and can cause a greater amount of damage. This increase in attacks coincides with an increased use of the Internet and with increases in the complexity of protocols, applications, and the internet itself. Critical infrastructures increasingly rely on the internet for operations. Individual users rely on the security of the internet, email, the web, and web-based applications to a greater extent than ever. Thus, a wide range of technologies and tools are needed to counteract the growing threat. At a basic level, cryptographic algorithms for confidentiality and authentication assume greater importance in network security. One of the most common ways that networks are hardened against attack is to tightly control what kind of network traffic can enter and exit the network using a firewall.
Due to developments in distributed systems and network technologies, computer systems are operated in different geographical locations with different security policies and procedures. Managing and monitoring firewalls in such distributed environments has therefore increased the daily workload of system engineers and network administrators. The proposed distributed firewall can operate from a centralized location (using a client-server architecture) and securely propagates firewall rules to remote nodes. The wireless Short Messaging Service (SMS) has been integrated as a distributed node monitoring tool in this research. A simple, user-friendly firewall rule generation engine has also replaced the conventional IPTABLES rule implementation. These features not only reduce the workload of engineers but also prevent system failures and enhance the security measures in the distributed environment. This work discusses the design and implementation of the distributed firewall concept and the prevention of a single point of failure in the architecture.

Acknowledgement

This work would not have been possible without the guidance, support and help of many individuals and parties. My heartfelt gratitude and thanks to all of you.

This effort would be both inconceivable and unlikely without the ever-present leadership and mentoring of my supervisor Mr. Shantha Fernando. Thank you dear sir for all you did and for always being there for me. I could not have wished for a better guide, both intellectually, as a mentor, as well as a person.

My eternal gratitude and respect to my dearest parents and brother, without whose unconditional love, encouragement and vision, this would never have been possible. I also take this opportunity to thank my “Loku amma” Mrs. Kamala Gunawardena for her support during the research work.

Dr Sanath Jayasena, MSc Coordinator, needs to be especially acknowledged for his support both at an administrative level and as a mentor.
I would also like to thank the rest of the CSE staff for their support and guidance. My sincere thanks go out to the management of Roomsnet International, especially the CEO Mr. Eric Wikramanayake, and Mr. Nadeep de Silva for their understanding, flexibility and tolerance. My heartfelt thank you to all my colleagues, especially Jeewantha, Amila, Samitha, Charith, Sumedha, & Hirantha for all the understanding, support, knowledge sharing and trust. But most of all thank you guys, for your friendship and simply being there for me whenever I needed you.

Last but not least, I would like to thank my beloved wife Randika for her love, support and encouragement during my research work. Thank you Randi for all you did for me; her family also needs to be especially acknowledged for their love and support.

October 27, 2007

Table of Contents

Abstract
Acknowledgement
Table of Contents
List of Figures
List of Tables
1. Introduction
  1.1 Organization of the dissertation
2. Problem Statement and Approach
  2.1 Problem Definition & Approach
  2.2 Scope
  2.3 Motivation
  2.4 Challenges
3. Literature Review
  3.1 Firewalls / packet filters
  3.2 Packet filtering architecture on the Linux kernel
  3.3 IPTABLES & Netfilter architecture
  3.4 IPTABLES facility
    3.4.1 The Filter table
    3.4.2 The NAT table
    3.4.3 The Mangle table
  3.5 Connection tracking
  3.6 IPTABLES rules
  3.7 Network level attacks and iptables configuration
    3.7.1 Denial of Service attack
    3.7.2 Ping of Death
    3.7.3 SYN flood attack
    3.7.4 Port scanning attack
  3.8 Kannel SMS gateway architecture
    3.8.1 SMS protocol
  3.9 Linux HA architecture
  3.10 MySQL High Availability Clustering
4. Review of Existing Products
5. System Design and Implementation
  5.1 System Overview
  5.2 DFS Server / Client / Protocol Design & Implementation
    5.2.1 DFS server and secure protocol implementation
      5.2.1.1 Cyclic Redundancy Check (CRC32) table generation
      5.2.1.2 OpenSSL & Encryption
    5.2.2 DFS client daemon implementation
  5.3 Rule Generation Engine design & implementation
  5.4 Remote node status monitoring design & implementation
  5.5 Centralized policy manager & High Availability configuration
  5.6 MySQL High Availability clustering
  5.7 SMS based remote node monitoring design / implementation
  5.8 Other Design Considerations
  5.9 Technology
6. Observation & Evaluation
  6.1 Goals
  6.2 Testing and Evaluation
7. Conclusion and Future Work
  7.1 Conclusion
  7.2 Future Work
8. References
9. Appendix (A)

List of Figures

1-1 Evolution in attacks and the skill profile of the attackers
2-1 Sample zone file used in BIND DNS
2-2 Hypothetical view of the distributed firewall zone concept
3-1 Packet processing chain
3-2 Hooks to analyze packets on the network stack
3-3 Kannel system architecture
3-4 Mobile SMS request
3-5 Heartbeat protocol between two nodes
3-6 MySQL data synchronization
5-1 Distributed Firewall Server architecture
5-2 INPUT chain rule generation interface
5-3 High availability architecture using virtual IP
5-4 Information about slave server synchronization

List of Tables

5-1 Development Tools