DOCSLIB.ORG

Comparative Analysis of Iptables and Shorewall

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Comparative Analysis of Iptables and Shorewall COMPARATIVE ANALYSIS O F IPTABLES AND SHOREWA LL Muhammad Zeeshan Ahmad This thesis is presented as a part of Degree of Bachelor of Science in Electrical Engineering Supervisor: Raja M. Khurram Shahzad School of Engineering Internet: www.bth.se/ing Blekinge Institute of Technology Phone: +46 455 38 50 00 371 79 Karlskrona, Sweden Fax: +46 455 38 50 57 “Start by doing what's necessary, then what's possible; and suddenly you are doing the impossible.” Saint Francis ii Abstract The use of internet has increased over the past years. Many users may not have good intentions. Some people use the internet to gain access to the unauthorized information. Although absolute security of information is not possible for any network connected to the Internet however, firewalls make an important contribution to the network security. A firewall is a barrier placed between the network and the outside world to prevent the unwanted and potentially damaging intrusion of the network. This thesis compares the performance of Linux packet filtering firewalls, i.e. iptables and shorewall. The firewall performance testing helps in selecting the right firewall as needed. In addition, it highlights the strength and weakness of each firewall. Both firewalls were tested by using the identical parameters. During the experiments, recommended benchmarking methodology for firewall performance testing is taken into account as described in RFC 3511. The comparison process includes experiments which are performed by using different tools. To validate the effectiveness of firewalls, several performance metrics such as throughput, latency, connection establishment and teardown rate, HTTP transfer rate and system resource consumption are used. The experimental results indicate that the performance of Iptables firewall decreases as compared to shorewall in all the aspects taken into account. All the selected metrics show that large numbers of filtering rules have a negative impact on the performance of both firewalls. However, UDP throughput is not affected by the number of filtering rules. The experimental results also indicate that traffic sent with different packet sizes do not affect the performance of firewalls. Keywords: Linux Iptables, Firewall performance, Comparison of Linux firewalls iii iv Acknowledgements “In the name of Allah, the most Gracious, the most Compassionate” Foremost, I would like to express my sincere gratitude to supervisor Raja Muhammad Khurram Shahzad for his continuous help, support, motivation and guidance during the project. I am thankful to school of engineering at Blekinge Institute of Technology for allowing to use the Network laboratory for the thesis. I am grateful to my parents for their endless love and unconditional support during the studies and life. Finally, I offer regards and blessings to all of those who supported me in the project in any way. Karlskrona 2012 Muhammad Zeeshan Ahmad [email protected] v Table of Contents 1 INTRODUCTION .................................................................................................................. 1 1.1 Aim and Scope .................................................................................................................................................... 2 1.2 Evaluation Method ............................................................................................................................................. 2 1.2.1 Performance Metrics ........................................................................................................................................ 2 1.2.2 Hypotheses ....................................................................................................................................................... 2 1.3 Outline of the Project ......................................................................................................................................... 3 2 BACKGROUND ..................................................................................................................... 4 2.1 Working of a Firewall ........................................................................................................................................ 5 2.1.1 Packet Inspection .............................................................................................................................................. 5 2.2 Types of Firewalls ............................................................................................................................................... 7 2.2.1 Packet Filtering Firewall .................................................................................................................................. 7 2.2.2 Circuit Level Gateways .................................................................................................................................... 7 2.2.3 Application Level Gateways ............................................................................................................................ 8 2.2.4 Stateful Multilayer Inspection Firewall ............................................................................................................ 8 2.3 Linux Iptables ..................................................................................................................................................... 8 2.4 Firewalls Selection .............................................................................................................................................. 8 2.5 Limitations of Firewalls ..................................................................................................................................... 9 2.6 Related Work .................................................................................................................................................... 10 3 METHODOLOGY ............................................................................................................... 11 3.1 Requirements .................................................................................................................................................... 11 3.2 Experimental steps ........................................................................................................................................... 11 3.3 Traffic Classification ........................................................................................................................................ 11 3.3.1 Real-time (Online) Evaluation ........................................................................................................................ 11 3.3.2 Off-line Evaluation ......................................................................................................................................... 11 3.4 Traffic Duration ................................................................................................................................................ 12 vi 3.5 Evaluation Procedure ....................................................................................................................................... 12 3.6 Evaluation Tools ............................................................................................................................................... 13 3.6.1 Netperf ............................................................................................................................................................ 13 3.6.2 Iperf ................................................................................................................................................................ 14 3.6.3 THTTPd.......................................................................................................................................................... 14 3.6.4 HTTPing ......................................................................................................................................................... 14 3.6.5 Nmap .............................................................................................................................................................. 15 3.6.6 Webmin .......................................................................................................................................................... 15 3.6.7 Wireshark ....................................................................................................................................................... 15 3.7 Evaluation Metrics ........................................................................................................................................... 15 3.7.1 Throughput ..................................................................................................................................................... 17 3.7.2 Latency ........................................................................................................................................................... 18 3.7.3 Connection Establishment rate ....................................................................................................................... 19 3.7.4 Connection Teardown Rate ............................................................................................................................ 20 3.7.5 HTTP Transfer Rate ....................................................................................................................................... 20 3.7.6 System Resource Consumption .....................................................................................................................
Load more

Recommended publications
  • Campus Networking Best Practices Session 5: Wireless
    Campus Networking Best Practices Session 5: Wireless LAN Hervey Allen Dale Smith NSRC & University of Oregon University of Oregon & NSRC [email protected] [email protected] Wireless LAN • Provide wireless network across your campus that has the following characteristics: – Authentication – only allow your users – Roaming – allow users to start up in one section of your network, then move to another location – Runs on your campus network Firewall/ Border Traffic Shaper Router Wireless REN switch Authentication Core Gateway Router Core Servers Network Access Control (NAC) Enterprise Identity Management • Processes and Documentation of users. – Now you must deal with this. – What to use as the back-end user store? • LDAP • Active Directory • Kerberos • Other? – Will this play nice with future use? • email, student/staff information, resource access, ... Identity Management Cont. • An example of such a project can be seen here: – http://ccadmin.uoregon.edu/idm/ • This is a retrofit on to an already retrofitted system. • Learn from others and try to avoid this situation if possible. A Wireless Captive Portal The Wireless Captive Portal • Previous example was very simple. • A Captive Portal is your chance to: – Explain your Acceptable Use Policies – Decide if you must authenticate, or – Allow users on your network and monitor for problems instead (alternate solution). – Anything else? Branding? What's Happening? • remember our initial network diagrams...? • Do you think our hotel built their own solution? • Probably not... Commercial Solutions • Aruba http://www.arubanetworks.com/ • Bradford Networks – http://www.bradfordnetworks.com/ • Cisco NAC Appliance (Clean Access) – http://www.cisco.com/en/US/products/ps6128/ • Cisco Wireless LAN Controllers – http://www.cisco.com/en/US/products/hw/wireless/ • Enterasys http://www.enterasys.com/ • Vernier http://www.verniernetworks.com Open Source Solutions • CoovaChilli (morphed from Chillispot) – http://coova.org/wiki/index.php/CoovaChilli – Uses RADIUS for access and accounting.
    [Show full text]
  • July Edition
    July Edition From the Technical Coordinator From the Section Emergency Coordinator From the Affiliated Club Coordinator From the Public Information Coordinator From the Section Traffic Manager Out and About From the Educational Outreach ARES Training Update From the Official Observer Coordinator Handbook Give Away DMR Fun Things To Do, Classes & Hamfests Too Weather Underground Stations Club Corner Final.. Final.. From the Technical Coordinator Jeff Kopcak – K8JTK TC [email protected] Hey Gang, Around the time of Dayton, the FBI asked everyone to reboot their routers. Why would they do that? Over the last two years more than 500,000 consumer and small business routers in 54 countries have become infected with a piece of malware called “VPNFilter.” This sophisticated malware is thought to be the work of a government and somewhat targeted with many of the infected routers located in Ukraine. Security researchers are still trying to determine what exactly VPNFilter was built to do. So far, it is known to eavesdrop on Internet traffic grabbing logon credentials and looking for specific types of traffic such as SCADA, a networking protocol controlling power plants, chemical plants, and industrial systems. Actively, it can “brick” the infected device. Src: Cisco’s Talos Intelligence Group Blog Bricking is a term to mean ‘render the device completely unusable’ and being as useful as a brick. In addition to these threats, this malware can survive a reboot. Wait, didn’t the FBI ask all of us to reboot our routers? Won’t that clear the infection? No. In order for this malware to figure out what it needs to do, it reaches out to a command-and-control server.
    [Show full text]
  • Iptables with Shorewall!
    Iptables with shorewall! Table of Contents 1. Install swarmlab-sec (Home PC) . 1 2. shorewall . 1 2.1. Installation . 2 3. Basic Two-Interface Firewall. 2 4. Shorewall Concepts . 3 4.1. zones — Shorewall zone declaration file . 3 4.2. interfaces — Shorewall interfaces file. 4 4.3. policy — Shorewall policy file . 4 4.4. rules — Shorewall rules file . 4 4.5. Compile then Execute . 4 5. Three-Interface Firewall. 5 5.1. zones . 6 5.2. interfaces . 6 5.3. policy . 7 5.4. rules . 7 5.5. masq - Shorewall Masquerade/SNAT definition file . 7 5.6. snat — Shorewall SNAT/Masquerade definition file . 8 5.7. Compile and Execute . 8 1. Install swarmlab-sec (Home PC) HowTo: See http://docs.swarmlab.io/lab/sec/sec.adoc.html NOTE Assuming you’re already logged in 2. shorewall Shorewall is an open source firewall tool for Linux that builds upon the Netfilter (iptables/ipchains) system built into the Linux kernel, making it easier to manage more complex configuration schemes by providing a higher level of abstraction for describing rules using text files. More: wikipedia 1 NOTE Our docker instances have only one nic to add more nic’s: create netowrk frist docker network create --driver=bridge --subnet=192.168.0.0/16 net1 docker network create --driver=bridge --subnet=192.168.0.0/16 net2 docker network create --driver=bridge --subnet=192.168.0.0/16 net3 then connect network to container connect network created to container docker network connect net1 master docker network connect net1 worker1 docker network connect net2 master docker network connect net2 worker2 now let’s look at the following image 2.1.
    [Show full text]
  • Sentry Firewall CD HOWTO Sentry Firewall CD HOWTO Table of Contents
    Sentry Firewall CD HOWTO Sentry Firewall CD HOWTO Table of Contents Sentry Firewall CD HOWTO............................................................................................................................1 Stephen A. Zarkos, Obsid@Sentry.net....................................................................................................1 1. Introduction..........................................................................................................................................1 2. How the CD Works (Overview)..........................................................................................................1 3. Obtaining the CDROM........................................................................................................................1 4. Using the Sentry Firewall CDROM.....................................................................................................1 5. Overview of Available Configuration Directives................................................................................1 6. Setting Up a Firewall...........................................................................................................................2 7. Troubleshooting...................................................................................................................................2 8. Building a Custom Sentry CD.............................................................................................................2 9. More About the Sentry Firewall Project..............................................................................................2
    [Show full text]
  • Linux Networking Cookbook.Pdf
    Linux Networking Cookbook ™ Carla Schroder Beijing • Cambridge • Farnham • Köln • Paris • Sebastopol • Taipei • Tokyo Linux Networking Cookbook™ by Carla Schroder Copyright © 2008 O’Reilly Media, Inc. All rights reserved. Printed in the United States of America. Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472. O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (safari.oreilly.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or [email protected]. Editor: Mike Loukides Indexer: John Bickelhaupt Production Editor: Sumita Mukherji Cover Designer: Karen Montgomery Copyeditor: Derek Di Matteo Interior Designer: David Futato Proofreader: Sumita Mukherji Illustrator: Jessamyn Read Printing History: November 2007: First Edition. Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered trademarks of O’Reilly Media, Inc. The Cookbook series designations, Linux Networking Cookbook, the image of a female blacksmith, and related trade dress are trademarks of O’Reilly Media, Inc. Java™ is a trademark of Sun Microsystems, Inc. .NET is a registered trademark of Microsoft Corporation. Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O’Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps. While every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.
    [Show full text]
  • Ubuntu Server Guide Ubuntu Server Guide Copyright © 2010 Canonical Ltd
    Ubuntu Server Guide Ubuntu Server Guide Copyright © 2010 Canonical Ltd. and members of the Ubuntu Documentation Project3 Abstract Welcome to the Ubuntu Server Guide! It contains information on how to install and configure various server applications on your Ubuntu system to fit your needs. It is a step-by-step, task-oriented guide for configuring and customizing your system. Credits and License This document is maintained by the Ubuntu documentation team (https://wiki.ubuntu.com/DocumentationTeam). For a list of contributors, see the contributors page1 This document is made available under the Creative Commons ShareAlike 2.5 License (CC-BY-SA). You are free to modify, extend, and improve the Ubuntu documentation source code under the terms of this license. All derivative works must be released under this license. This documentation is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE AS DESCRIBED IN THE DISCLAIMER. A copy of the license is available here: Creative Commons ShareAlike License2. 3 https://launchpad.net/~ubuntu-core-doc 1 ../../libs/C/contributors.xml 2 /usr/share/ubuntu-docs/libs/C/ccbysa.xml Table of Contents 1. Introduction ........................................................................................................................... 1 1. Support .......................................................................................................................... 2 2. Installation ............................................................................................................................
    [Show full text]
  • Papers/Openwrt on the Belkin F5D7230-4.Pdf
    WHITE PAPER OpenWRT on the Belkin F5D7230-4 Understanding the Belkin extended firmware for OpenWRT development White Paper OpenWRT on the Belkin F5D7230-4 Understanding the Belkin extended firmware for OpenWRT development CONTROL PAGE Document Approvals Approved for Publication: Author Name: Ian Latter 7 November 2004 Document Control Document Name: OpenWRT on the Belkin F5D7230-4; Understanding the Belkin extended firmware for OpenWRT development Document ID: openwrt on the belkin f5d7230-4.doc-Release-0.4(31) Distribution: Unrestricted Distribution Status: Release Disk File: C:\papers\OpenWRT on the Belkin F5D7230-4.doc Copyright: Copyright 2004, Ian Latter Version Date Release Information Author/s 0.4 07-Nov-04 Release / Unrestricted Distribution Ian Latter 0.3 26-Oct-04 Release / Unrestricted Distribution Ian Latter 0.2 24-Oct-04 Release / Unrestricted Distribution Ian Latter Distribution Version Release to 0.4 MidnightCode.org (correction of one grammatical error) 0.3 MidnightCode.org (correction of two minor errors) 0.2 MidnightCode.org Unrestricted Distribution Copyright 2004, Ian Latter Page 2 of 38 White Paper OpenWRT on the Belkin F5D7230-4 Understanding the Belkin extended firmware for OpenWRT development Table of Contents 1 OVERVIEW..................................................................................................................................4 1.1 IN BRIEF .................................................................................................................................4 1.2 HISTORY ................................................................................................................................4
    [Show full text]
  • Taxonomy of WRT54G(S) Hardware and Custom Firmware
    Edith Cowan University Research Online ECU Publications Pre. 2011 2005 Taxonomy of WRT54G(S) Hardware and Custom Firmware Marwan Al-Zarouni Edith Cowan University Follow this and additional works at: https://ro.ecu.edu.au/ecuworks Part of the Computer Sciences Commons Al-Zarouni, M. (2005). Taxonomy of WRT54G(S) hardware and custom firmware. In Proceedings of 3rd Australian Information Security Management Conference (pp. 1-10). Edith Cowan University. Available here This Conference Proceeding is posted at Research Online. https://ro.ecu.edu.au/ecuworks/2946 Taxonomy of WRT54G(S) Hardware and Custom Firmware Marwan Al-Zarouni School of Computer and Information Science Edith Cowan University E-mail: [email protected] Abstract This paper discusses the different versions of hardware and firmware currently available for the Linksys WRT54G and WRT54GS router models. It covers the advantages, disadvantages, and compatibility issues of each one of them. The paper goes further to compare firmware added features and associated filesystems and then discusses firmware installation precautions and ways to recover from a failed install. Keywords WRT54G, Embedded Linux, Wireless Routers, Custom Firmware, Wireless Networking, Firmware Hacking. BACKGROUND INFORMATION The WRT54G is a 802.11g router that combines the functionality of three different network devices; it can serve as a wireless Access Point (AP), a four-port full-duplex 10/100 switch, and a router that ties it all together (ProductReview, 2005). The WRT54G firmware was based on embedded Linux which is open source. This led to the creation of several sites and discussion forums that were dedicated to the router which in turn led to the creation of several variants of its firmware.
    [Show full text]
  • Introducción a Linux Equivalencias Windows En Linux Ivalencias
    No has iniciado sesión Discusión Contribuciones Crear una cuenta Acceder Página discusión Leer Editar Ver historial Buscar Introducción a Linux Equivalencias Windows en Linux Portada < Introducción a Linux Categorías de libros Equivalencias Windows en GNU/Linux es una lista de equivalencias, reemplazos y software Cam bios recientes Libro aleatorio análogo a Windows en GNU/Linux y viceversa. Ayuda Contenido [ocultar] Donaciones 1 Algunas diferencias entre los programas para Windows y GNU/Linux Comunidad 2 Redes y Conectividad Café 3 Trabajando con archivos Portal de la comunidad 4 Software de escritorio Subproyectos 5 Multimedia Recetario 5.1 Audio y reproductores de CD Wikichicos 5.2 Gráficos 5.3 Video y otros Imprimir/exportar 6 Ofimática/negocios Crear un libro 7 Juegos Descargar como PDF Versión para im primir 8 Programación y Desarrollo 9 Software para Servidores Herramientas 10 Científicos y Prog s Especiales 11 Otros Cambios relacionados 12 Enlaces externos Subir archivo 12.1 Notas Páginas especiales Enlace permanente Información de la Algunas diferencias entre los programas para Windows y y página Enlace corto GNU/Linux [ editar ] Citar esta página La mayoría de los programas de Windows son hechos con el principio de "Todo en uno" (cada Idiomas desarrollador agrega todo a su producto). De la misma forma, a este principio le llaman el Añadir enlaces "Estilo-Windows". Redes y Conectividad [ editar ] Descripción del programa, Windows GNU/Linux tareas ejecutadas Firefox (Iceweasel) Opera [NL] Internet Explorer Konqueror Netscape /
    [Show full text]
  • A Survey on Network Firewall Solutions
    A Survey on Network Firewall Solutions Nahid Kausar Shaikh Poonam Dhawale Asst. Prof., Department of Information Technology Asst. Prof., Department of Information Technology A.P. Shah Institute of Technology, A.P. Shah Institute of Technology, Thane, Maharashtra, India Thane, Maharashtra, India [email protected] [email protected] Shruti Agrawal Asst. Prof., Department of Computer Engineering A.P. Shah Institute of Technology, Thane, Maharashtra, India [email protected] Abstract — Today, as the number of online users increasing be a hardware device or a software program running on a rapidly resulting in complex networks and increase in network computer. Independent of the type of firewall, it must have at threats. Firewalls are an essential part of any information least two networks interfaces. One of its interfaces is connected security system being the first defense line against security to the private network and other is connected to the public attacks. Firewall is one of the most important parts of the network. network system which provides security in both the direction. It monitors both incoming and outgoing traffic and the specified Classification of the network firewall can be based on action. Firewalls can be categorized on the basis of usage and different parameters. features. There are a number of paid solutions present in the market but are expensive. As a result, Free or open source 1.1.1 Classification based on Firewall Usage firewall solutions can alternative to the paid solutions. Pfsense is 1.1.2 Classification based on Firewall Features free or open source firewall based on Free-BSD. Endian Firewall Community (EFW) is also free, open source network firewall 1.1.1 Classification based on Firewall Usage which is based on Linux.
    [Show full text]
  • Inferring Higher Level Policies from Firewall Rules ∗
    Inferring Higher Level Policies from Firewall Rules ∗ Alok Tongaonkar, Niranjan Inamdar, and R. Sekar Department of Computer Science, Stony Brook University. falok, ninamdar, [email protected] June 5, 2008 Abstract Packet filtering firewall is one of the most important mechanisms used by corporations to enforce their security policy. Recent years have seen a lot of research in the area of firewall management. Typically, firewalls use a large number of low-level filtering rules which are configured using vendor-specific tools. System administrators start off by writing rules which implement the security policy of the organization. They add/delete/change order of rules as the requirements change. For example, when a new machine is added to the network, new rules might be added to the firewall to enable certain services to/from that machine. Making such changes to the low-level rules is complicated by the fact that the effect of a rule is dependent on its priority (usually determined by the position of the rule in the rule set). As the size and complexity of a rule set increase, it becomes difficult to understand the impact of a rule on the rule set. This makes management of rule sets more error prone. This is a very serious problem as errors in firewall configuration mean that the desired security policy is not enforced. Previous research in this area has focused on either building tools that generate low-level firewall rules from a given security policy or finding anomalies in the rules, i.e., verifying that the rules implement the given security pol- icy correctly.
    [Show full text]
  • Download Appendix A
    Appendix A Resources Links This list includes most of the URLs referenced in this book. For more online resources and further reading, see our website at http://bwmo.net/ Anti-virus & anti-spyware tools • AdAware, http://www.lavasoftusa.com/software/adaware/ • Clam Antivirus, http://www.clamav.net/ • Spychecker, http://www.spychecker.com/ • xp-antispy, http://www.xp-antispy.de/ Benchmarking tools • Bing, http://www.freenix.fr/freenix/logiciels/bing.html • DSL Reports Speed Test, http://www.dslreports.com/stest • The Global Broadband Speed Test, http://speedtest.net/ • iperf, http://dast.nlanr.net/Projects/Iperf/ • ttcp, http://ftp.arl.mil/ftp/pub/ttcp/ 260! The Future Content filters • AdZapper, http://adzapper.sourceforge.net/ • DansGuard, http://dansguardian.org/ • Squidguard, http://www.squidguard.org/ DNS & email • Amavisd-new, http://www.ijs.si/software/amavisd/ • BaSoMail, http://www.baso.no/ • BIND, http://www.isc.org/sw/bind/ • dnsmasq, http://thekelleys.org.uk/dnsmasq/ • DJBDNS, http://cr.yp.to/djbdns.html • Exim, http://www.exim.org/ • Free backup software, http://free-backup.info/ • Life with qmail, http://www.lifewithqmail.org/ • Macallan Mail Server, http://macallan.club.fr/ • MailEnable, http://www.mailenable.com/ • Pegasus Mail, http://www.pmail.com/ • Postfix, http://www.postfix.org/ • qmail, http://www.qmail.org/ • Sendmail, http://www.sendmail.org/ File exchange tools • DropLoad, http://www.dropload.com/ • FLUFF, http://www.bristol.ac.uk/fluff/ Firewalls • IPCop, http://www.ipcop.org/ • L7-filter, http://l7-filter.sourceforge.net/
    [Show full text]