Hardening Linux: Firewall implementation

A poorly implemented firewall not only allows viruses to slip past your defenses -- it could lock you out of your host, according to James Turnbull, author of "Hardening Linux." Here, he explains how Linux firewalls differ from those used in Windows, and then points out how to avoid common pitfalls that can plague firewall configuration.

A poorly implemented firewall not only allows viruses to slip past your defenses -- it could lock you out of your host, according to James Turnbull, author of Hardening Linux . In this Q&A, he explains how Linux firewalls differ from those used in Windows, and then points out how to avoid common pitfalls that can plague firewall configuration. - Editor

How do firewalls in Linux differ from the ones used in Windows or other systems?

James Turnbull
James Turnbull
James Turnbull: In their core function, Linux and Windows firewalls do not really differ. The major difference is how firewalls are deployed in Linux and Windows environments. In the Windows world, host firewalling (which entails putting a firewall on your hosts -- not just adding a firewall or firewalls into the network to protect all your hosts) is generally limited to desktop systems using tools like Zone Alarm or the in-built Windows XP firewall. Most companies do not firewall their individual Windows server hosts but rely on a network-based firewall to restrict the traffic flows to the host to only those that are acceptable.

Are network-based firewalls more vulnerable?

Turnbull: This lack of a host firewall poses some risks as it assumes that:

a. Your firewall is unbreakable;
b. Your attacker is not already inside your network.

The first risk is probably best expressed as a failure to secure your environment using the principle of defense in depth. A defense-in-depth security model requires that you not rely on a single layer or mechanism to secure your environment from attack. Instead you deploy security at each potential "control" point in your environment. In the case of firewalls, this means controlling the traffic as it enters your network and then again before it enters your host.

The second risk is more obvious. A large percentage of attacks come from internal sources. Internal sources may have inside knowledge that provides them significant advantages over an external attacker. Assuming that placing a firewall at the perimeter of your network will protect your hosts from attack ignores this potential threat.

So, are Linux firewalls safer?

Turnbull: In the Linux world, most distributions come with some form of host firewall enabled by default. For example, as part of the Red Hat installation process, the iptables firewall is configured and enabled. This ensures that your hosts will have some form of protection in the event that your perimeter firewall is compromised or fails, or if the attacker that is targeting the host is already inside your network.

Microsoft's introduction of the software-based Windows Firewall suggests that companies are slowly becoming aware of a need to firewall individual hosts. This awareness has mainly been limited to desktop or laptop hosts at this stage, but going forward I would suggest that more and more Windows server hosts will have host firewalls installed.

Are there any firewall "gotchas" to look out for?

Turnbull: Probably the biggest "gotcha" with host firewalls is outgoing traffic. Too many people assume that simply allowing all outgoing traffic because they have restricted the incoming traffic is an acceptable security model. This kind of security model is one of the reasons worms, viruses and botnets propagate so easily. Once running on a system, nothing stops them from making as many external connections as they like and attempting to compromise or infect other hosts. You should be able to identify the vast majority of the incoming and outgoing traffic flow alike that your server requires -- this is easier than you think it is. As with incoming traffic, only let the outgoing traffic you absolutely need out of the system.

Another "gotcha" is testing. Take the time to learn how to use tools like tcpdump and ethereal to test your firewall rules. A minor mistake in a firewall rule can sometimes be very hard to trace and the easiest way to troubleshoot is to watch the traffic as it enters and leaves your system.

Additionally, if you are configuring firewalls remotely you should consider that a poorly defined rule could disconnect you from the host without any way for you to connect again (for example, changing the default policy to "Deny" or installing a rule restricting ssh). This is particularly annoying if you are in a different country from the host being configured. I'd recommend you write a simple test script for testing new rules. It should implement the new rule or rules for a set period (most people use the "sleep" command) and then stops iptables or reverts back to an older ruleset in case you have locked yourself out of the host. When you are satisfied that your rule works, you can implement it for real and add it to your permanent firewall configuration.

Should different criteria be used for VPN versus remote traffic?

Turnbull: A VPN tunnel merely provides an encrypted tunnel between two network segments. It does not ensure that the packets flowing through that tunnel are not malicious. Thus if you are connecting to a remote network, especially one where you do not have control of the security of that network, then you should treat all traffic from that network as untrusted. Additionally an attacker who has access to a remote network connected to your network with a VPN tunnel has the potential to use that tunnel to penetrate your network. I'd recommend treating VPN and remote traffic with equal consideration when assessing any firewall rules.


In addition to securing outsourced services for the Commonwealth Bank of Australia, James Turnbull is the author of Hardening Linux and resident security expert on SearchEnterpriseLinux.com.
This was first published in July 2005

Dig deeper on Linux system security best practices

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchDataCenter

SearchServerVirtualization

SearchCloudComputing

SearchEnterpriseDesktop

Close