System Security Network (Firewall)

SYSTEM SECURITY NETWORK
(Firewall)
Install a firewall
Determine the type of the type of network security
Identify the control network is needed
Design a network security system
HOME
COMPETENCE MAPING
Dasar Kejuruan Level I ( Kelas X ) Level II ( Kelas XI ) Level III ( Kelas XII )
1 2 3
Merakit Personal Menerapkan teknik elektronika Melakukan instalasi perangkat Melakukan instalasi perangkat
Komputer analog dan digital dasar jaringan lokal (Local Area jaringan berbasis luas (Wide Area
Network) Network)
Melakukan instalasi Menerapkan fungsi Mendiagnosis permasalahan Mendiagnosis permasalahan perangkat
sistem operasi dasar peripheral dan instalasi PC pengoperasian PC yangKlik

tersambung jaringangnosis
yang tersambung jaringan berbasis luas
(Wide Area Network)
Dis
Menerapkan K 3 LH Mendiagnosis permasalahan Melakukan perbaikan dan/ atau
ini Melakukan perbaikan dan/ atau
pengoperasian PC dan setting ulang koneksi jaringan setting ulang koneksi jaringan
periferal an berbasis luas (Wan)
Melakukan perbaikan dan/ Melakukan instalasi sistem operasi Melakukan perbaikan dan/ atau setting
jaringan berbasis GUI (Graphical User ulang koneksi jaringan berbasis luas
atau setting ulang sistem PC Interface) dan Text (Wide Area Network)
Melakukan perbaikan periferal Mengadministrasi server

dalam jaringan
Melakukan perawatan PC
Merancang bangun dan
menganalisa Wide Area
Network
Melakukan instalasi sistem operasi
berbasis graphical user interface (GUI) Merancang web data base
dan command line interface (CLI)
untuk content server
Melakukan instalasi software
Lulus
HOME
Destination:
The discussion aims to:
1. Students understand the types of firewall
2. Students understand how to implement a firewall on the network
Main discussion:
In this discussion include:
1. Type the type of network security, firewall, network Control.
2. How to Design a network security system.
HOME
Module 15 System Security Network (Firewall)

Determine The Type of The Type of Network Security
In computer networks, especially related to applications that

involve a variety of interests, many things happen that can
disrupt the stability in computer network connection,
whether related to hardware (physical security, electrical
power source) and related software (systems, configuration,
system access, etc.).
Interference in the system can occur
due to factors inadvertence
committed by the manager (human
error), but not a few of them are
caused by third parties.
Interference can be a destruction,
infiltration, theft of access rights, data
or abuse the system, until the criminal
action through the computer network
applications.

Internetworking in some type of interference is known by the term:
1. Hacking, in the form of network infrastructure that already exists, for

example, of the system from a server.
2. Physing, a forgery of official data to be related pemanfaataanya.
3. Deface, changes to the look of a website is illegal.
4. Carding, identity theft of banking data to someone, such as stealing
credit card numbers, used to take advantage of the balance of the
account for online shopping.
5. And many terms in the network security system relating to the abuse
and destruction of existing systems.

In the preparation of the security system should be prepared in the form
below:
1. Regroup terminal is enabled as a network control center or access
point (server) on a network, which should be given special security.
2. Provide a physical space for the special security device called the
point number 1. Room can be given a label Network Operating
Center (NOC) by limiting the personnel allowed to enter.
3. Separate power source for the NOC from the other. Please also
enabled Uninteruptable Power Supply (UPS) and the stabilizer for
maintaining the stability of the power supply device is required on the
NOC.
4. Tidy rooms and wiring label and classification cable.
5. Giving a Soft Security System Firewall is enabled on the device in
the network.
6. Maintenance plan and prepare the Back Up system.

Figure 15.1 Illustration Application Firewall
Firewall (Figure 15.1) is one of the applications on the operating system

needed by the computer network to protect intergritas data / network
systems from attacks that are not parties responsible.

Firewall composed of the rules that apply both to hardware, software or
system itself with the goal to protect the network, both perform with
Filtration, restrict, or refuse a request from the external network, such as the
Internet.
Figure 15.2 Architecture At Firewall Software

Figure 11.2 shows a firewall that protects the local network in a way to
control the flow of packages through.
Occurred on the firewall that allow multiple processes to protect the
network. There are three kinds of process that occurred in the firewall, is:
1. Packet header modification,

modification is used to modify the quality of service
bits before the TCP packet routing process.
2. Translation of a translation can occur one to one (one to one), that is

a private IP address mapped to one or public IP address translation
many to one (many to one) that some private IP address mapped to
one address public, and
3. A packet filter,
filter is used for determination whether the package can be
forwarded or not.

Install a Firewall
HOME
SPECIES OF Firewall
1. Packet Filtering Gateway

2. Application Layer Gateway
3. Circuit Level Gateway
4. Statefull Multilayer Inspection Firewall
HOME

Packet Filtering Gateway
Packet filtering gateway firewall can be defined as a duty to perform

Filterization packages that come from outside network will be save.
Figure 15. 3 Tier 3 process for Packet Filtering Gateway

Application Layer Gateway
This model can also be called Proxy Firewall. Mechanism is not only
based on source, destination and package attributes, but can reach the
content (content) package.
Figure 15.4 Web server with a Firewall

When we see a layer of the TCP / IP, the firewall will do this type of
Filterisasi on the application layer (Application Layer).
Figure 15.5 Proxy Firewall Model views on TCP / IP

Circuit Level Gateway
This model is working on the Tier transport reference model of TCP / IP.
This firewall will do the supervision of the initial TCP connection is usually
referred to as TCP Handshaking, the process to determine if the session
is allowed to contact or not. Forms almost the same as the Application
Layer Gateway, only the filtered there have a different layer, which is
located at the Transport layer.
Figure 15.6 Circuit Level Gateway Model views on the TCP / IP

Statefull Multilayer Inspection Firewall
This model is a merging of the three previous firewall. Firewall of this type of
work on the application layer, Transport and the Internet.
By combining the three models, namely the firewall Packet Filtering
Gateway, Application Layer Gateway and Circuit Level Gateway, may be
said of this type of firewall is a firewall, providing the most give features level
of security and the most high.
Figure 15.7 Statefull Multilayer Inspection Firewall seen in Model TCP / IP

Identify The Control Network
is Needed
HOME
The application control network using the firewall can be implemented with
a number of implementing rules (chains) on the existing topology.
In the case of a network using iptables, there are two things that must be
considered, namely:
1. Connection package that implements a firewall that is used.

2. The concept of a firewall is implemented.
With these two things are expected as the iptables rules that defines the
firewall can identify whether a connection that happens a new connection
(NEW), which has no connection (Establish), connections that have
relationships with other connections (RELATED), or the connection is not
valid (invalid) . The four types of connections that make IPTables called
Statefull Protocol.
HOME

Connection Package
Connection packet in the process of sending from the sender to the

recipient must go through the firewall rules, can be grouped connection to
the three groups, namely:
1. TCP connections
2. IP Connection
3. UDP connections

TCP connections
TCP connection is a connection known as a Connection Oriented means

that before sending the data, the machines will be through the 3 steps how
to relate (3-way handshake).
Figure 15.8 A First TCP Connection

IP Connection
A frame that is identified using the Internet protocol (IP) must be through a
firewall rule that is defined using the IP protocol is before package get
answers from the destination package.
One of which is a group package IP protocol is ICMP, which is often used
as a test application connection (link) between hosts.
Figure 15.10 An image ICMP Connection

There are four different types of echo of the package will get a reply,
namely:
1. Echo request and reply,
2. Timestamp request and reply,
3. Information request and reply,
4. Address mask request and reply.

UDP connections
Unlike the TCP connections, UDP connections (Figure 11.11) is

connectionless. A machine that sends UDP packets will not detect the error
on the shipping package.
UDP packets will not send back the packages that have errors. Model of
this package will be more efficient in the broadcasting or multicasting
connection.
Figure 15.11 An image UDP Connection

Chain IPTABLES
To build a firewall, we should know first is how a packet is processed by the

firewall, whether the packets that enter the waste akan (DROP) or accepted
(ACCEPT), or the package will be forwarded (forward) to another network .
One of the many tools used to process the firewall is iptables. Iptables
Program is a program for administrative Filter Package and NAT (Network
Address Translation). To run the function, equipped with iptables table
mangle, nat and filter.
Processes that occur on the packet through a firewall that can be described
as follows.

Figure 15.12 On The Picture Package Beyond the Firewall.
Description:
DNAT (Destination NAT): The purpose of conversion require Network
Address Translation.
SNAT (Source NAT): The conversion uses Network Address
Translation
TABLE 15.1 TABLE FILTER TO IPTABLES
No INPUT OUTPUT FORWARD
1 Rule no 1 Rule no 1 Rule no 1
N N Rules N Rules N Rules
ACCEPT / ACCEPT / ACCEPT /

POLICY
DROP DROP DROP

Table 15.2 At the IPTABLES NAT
Post Routing Pre Routing

No OUTPUT
(SNAT) (DNAT)
N N Rules N Rules N Rules
ACCEPT / ACCEPT / ACCEPT /

POLICY
DROP DROP DROP

Figure 11:13 SNAT and DNAT
One of the advantages IPTABLES is to enable the computer we can

become the gateway to the internet. Technical need another table in the
IPTABLES than a third above the table, the NAT table (Figure 11.13)
SNAT is used to change the IP address of the sender (source IP
address). SNAT usually useful to make the computer as a gateway to the
internet.
For example, we use the computer IP address 192.168.0.1. IP is the local

IP. SNAT will change the local IP is a public IP, such as 202.51.226.35.
As well as vice versa, if the local computer can access the internet from
the DNAT to be used.
Mangle on IPTABLES used to mark (marking) packages for use in the

processes further. Mangle most in use for limiting the bandwidth, or
bandwidth.

TABLE 15.3 Table MANGLE
PRE POST
No INPUT FORWARD OUTPUT
routing ROUTING
1 Rule no 1 Rule no 1 Rule no 1 Rule no 1 Rule no 1
N N Rules N Rules N Rules N Rules N Rules
ACCEPT / ACCEPT / ACCEPT / ACCEPT / ACCEPT /

POLICY
DROP DROP DROP DROP DROP
Mangle of other features is the ability to change the value of Time to Live
(TTL) on the package and TOS (type of service).
Design a Network Security
System
HOME
Here are the steps required to build a firewall:
1. Determine the network topology that will be used.

2. Determine policy or policy.
3. Determine the application - the application or service, what services
will run.
4. Users determine which will be worn by one or more firewall rules.
5. Implement the policies, rules, and procedures in the implementation of
the firewall.
6. Socialization policies, rules, and procedures that have been applied.
HOME

The following example is given on the application of the iptables firewall.
Network configuration used for the example illustrated in the picture 11:14.
15.14 Picture In Scheme Firewall Network
In the picture above there is a firewall that has two inter-faces. Firewall
related to the Internet through a network interface eth0 and related to the
private network through the interface eth1. Sometimes a firewall associated
with the Internet network using a modem, in this case the interface eth0
can be replaced with ppp0.
Ability to be first on the firewall have to do is forward IP Address of the
interface eth0 to eth1 interface and the interface from eth1 to eth0
interface. It is with the value 1 on the parameters with the command
ip_forward.
# echo ”1”
>/proc/sys/net/ipv4/ip_forward
In some Linux variant is done with a line in the configuration file / etc /
sysconfig / network.
FORWARD_IPV4=yes

MAKE initialization
Initialization iptables rules used to create a general policy of the iptables

chain that will apply in the firewall. This policy will be applied if there are no
rules that apply. The general policy that is applied in a firewall is generally
as follows:
1. Policy to remove all the packages, and travel out of the firewall.
# iptables –p input DROP
# iptables –p forward DROP
# iptables –p output DROP
2. Policy to accept all the packages and leave the device Loop back.
# iptables – A INPUT – i lo – j ACCEPT
# iptables – A OUTPUT– o lo – j ACCEPT
3. Policies receive all the packets before routing.

# iptables – t nat – p POSTROUTING – j ACCEPT
# iptables – t nat – p PREROUTING – j ACCEPT

THEN ALLOW CROSS-PAKET ICMP
ICMP packets are used to test whether a network equipment is connected
correctly in the network. Usually to test whether a device is connected
correctly in the network can be done with the ping command. This
command will try to send ICMP packets to the destination IP address and
use the responses from the IP address is. To provide flexibility outgoing,
incoming and passing through ICMP packet with the rule is applied.
# iptables – A INPUT –p icmp -j ACCEPT
# iptables – A FORWARD –p icmp -j ACCEPT
# iptables – A OUPUT –p icmp -j ACCEPT
Purpose command above is as follows:

1. Firewall to allow ICMP packets come in.
2. Firewall to allow ICMP packets through.
3. Firewall to allow ICMP packets will come out.
Third command allows the firewall to mananggapi the ICMP packet is sent
to the firewall. If the third is not given, then the firewall can not send
outgoing ICMP packet responses.
Note:
Sometimes the ICMP packet is used for

purposes that are not true, so that sometimes
the firewall is closed to traffic package. If a
firewall is not permitted to receive the ICMP
packet traffic, the above command does not
need to be included.

ALLOW SIGN IN PACKAGE SSH Firewall
To configure the computers in the network, usually done remotely. This
means that management does not have to come with dealing with the
computer. Including in this case for the management of the firewall. To
manage the firewall from a remote, you can use SSH program.
Program package using SSH with TCP port 22 to connect between two
computers. Therefore the firewall should allow the package to the destination
port 22 for entry to the firewall. A firewall must also allow packets coming
from port 22 to exit the firewall. Here is the command that is applied to allow
SSH access through the interface eth1 that is from a private network.
# iptables – A INPUT –p tcp –dport 22 –i eth1 -j ACCEPT

# iptables – A OUTPUT –p tcp –sport 22 –o eth1 -j ACCEPT

# iptables – A INPUT –p tcp –dport 22 –i eth1 -j ACCEPT
# iptables – A OUTPUT –p tcp –sport 22 –o eth1 -j ACCEPT
The purpose of the above is as follows:
Firewall to allow incoming TCP packets that have

destination port 22 through the interface eth1.
Firewall to allow outgoing TCP packets originating from

port 22 through the interface eth1
Rules allow only SSH access from the private network through the
interface eth1. For security reasons, SSH access from the private network
can be restricted for access only from a specific network address, or even
from a specific computer (input). This is done by adding the option-s
followed by a network address or IP address on the first.
# iptables – A INPUT –s 202.51.226.37 –p tcp –
dport 22 –i eth1 -j ACCEPT
The syntax is above the rules that will receive input on eth1 TCP packet
coming from IP address 202.51.226.37 to the destination port 22.

ALLOW ACCESS HTTP through Firewall
Http protocol access is the most widely used for surfing the internet. The
information presented on the Internet generally use this http access.
Access using http port 80 with the type of TCP packet.
Firewalls usually allow http access through the firewall, especially a good
exit or enter the private network. Http access to the private network out to
use for http provide access for computers that are in the private network.
While the http access from the internet on the network occurs when there
is a private web server accessible from the Internet network.

Implementation of iptables rules to allow http access is as follows:
# iptables – A FORWARD –p tcp –dport 80 –i eth1 -j ACCEPT

# iptables – A FORWARD –p tcp –sport 80 –o eth1 -j ACCEPT
# iptables – A FORWARD –p tcp –dport 80 –i eth0 -j ACCEPT
# iptables – A FORWARD –p tcp –sport 80 –o eth0 -j ACCEPT
The purpose of the above is as follows:
1. Through the firewall to allow TCP packets that have destination port 80
through the interface eth1.
2. Through the firewall to allow TCP packets that have a home port 80
3. Through the firewall to allow TCP packets that have destination port 80
4. Through the firewall to allow TCP packets that have a home port 80
First and second commands are used to allow access to http that came
from a private network, while the third and the fourth is used to allow
access to http that came from the internet.
The four commands can be replaced with a single command using the
multiport option as follows:
# iptables – A FORWARD –p tcp –m multiport

--port 80 -j ACCEPT
Command states that the firewall allows TCP packets that have port 80
(destination / origin) to pass (from eth0 or eth1).

ALLOW QUERY DNS SERVER
Firewalls usually have at least one IP address for DNS server. To query
DNS servers use UDP packets through port 53. Firewalls need to query
DNS server determines the IP address associated with a host name. Query
DNS servers on the firewall is usually allowed to query DNS servers
outgoing firewall (either via eth0 or eth1) and query DNS servers across
the firewall server. Iptables rules are applied to allow outgoing DNS queries
sever from the firewall are as follows:
# iptables – A OUTPUT –p udp –dport 53 –o eth1 -j ACCEPT

# iptables – A INPUT –p udp –dport 53 –i eth1 -j ACCEPT

That is:
1. Firewall to allow outgoing UDP packets that have destination port 53

2. Firewall to allow outgoing UDP packets that have a home port 53
3. Firewall to allow outgoing UDP packets that have destination port 53
4. Firewall to allow outgoing UDP packets that have a home port 53

First and second commands are used to query DNS servers out through
eth1 interface, while the third and the fourth is used to allow outgoing DNS
queries through the interface eth0.
Then the firewall will allow queries DNS servers for travel. Iptables rules to
allow queries DNS servers across the firewall are as follows:
# iptables – A FORWARD –p udp –m multiport –ports

53 -j ACCEPT
Command states that the firewall allows UDP packets that have port 53 to
pass.

IP MASQUERADE
Relations between the local computer on the network with the public
network is done with the disguise IP addresses with private IP addresses
are owned by the network card with a public IP address. The process of
disguise your IP address into a private IP address is called a public IP
Masquerade.
IP Masquerade is a form of network address translation (NAT), which

allows for the computers that are connected in a local network using private
IP addresses for communicating to the Internet through a firewall.
IP Masquerade is a technique that is usually used to connect a local

network with the public (internet). For customers given that only one
dynamic IP addresses (dial up) modem use.

Here is an example implementation given IP Masquerade (NAT).
Figure 15.15 Implementation of IP Network for Masquerade

ENGINEERING DIRECT RELATIONS
In the direct contact technique, computers that are designed to be
accessible through the Internet, given the public IP address and directly
connected to the internet, without going through the firewall. So that the
computer will be routed by the public network. An example structure is
shown in the image 15.16.
15.16 Picture Network Direct Relationships

# iptables – t nat –A POSTROUTING –o eth0 –s
192.168.100.0/24 –j snat –to-source
202.51.226.34
This states that after the routing, the packet will be sent through the
interface eth0 is derived from the network 192.168.100.0/24 akan become
an SNAT IP address 202.51.226.34.

The Unit (DE-MILITARIZED ZONE).
There are two techniques that can be used DMZ. The first is putting a
computer on the DMZ network is separate from the private network. The
second is putting a computer on the DMZ network with the same network
private.
15.17 In the DMZ Network Separate

15.18 Picture Network In The DMZ Network

Firewall WITH SPECIAL HARDWARE
Firewall functions such as mentioned above can also be done with the use
of special hardware vendors that have been designed for the purpose of
making certain chains. Nevertheless, the technique and its application
using the same IP Tables.
On special hardware firewall chains to its implementation are designed in

such a way that eases the administrator in implementing the rule / policy
firewall. One thing that distinguishes the device is a firewall vendor's only
designed for other functions without the chains, while the PC firewall can
be used in addition to the firewall function to the other network terminals.

Exercise
Answer the question below correctly.
1. What is a Firewall?
2. Describe the type of firewall for computer networks.
3. Please draw Firewall working relationship with the order of layer
Reference Model TCP / IP.
4. From the four types of firewall, which impalements easily but have a high
reliability?
5. Explain the difference between Pre routing and Post routing.
6. How to implement a rule / policy to allow access to an http server?
7. What is a DMZ?
8. How to implement NAT for 192.168.0.0/24 with Private IP and Public IP
202.203.204.2/30
9. Please draw topology to number 8.
10.What is a Firewall with hardware-specific
HOME

System Security Network (Firewall)

Uploaded by

Copyright:

Available Formats

System Security Network (Firewall)

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

System Security Network (Firewall)

Uploaded by

Copyright:

Available Formats

SYSTEM SECURITY NETWORK

Melakukan instalasi Menerapkan fungsi Mendiagnosis permasalahan Mendiagnosis permasalahan perangkat

sistem operasi dasar peripheral dan instalasi PC pengoperasian PC yangKlik

Melakukan perbaikan periferal Mengadministrasi server

Melakukan instalasi software

Module 15 System Security Network (Firewall)

In computer networks, especially related to applications that

Module 15 System Security Network (Firewall)

1. Hacking, in the form of network infrastructure that already exists, for

Module 15 System Security Network (Firewall)

Module 15 System Security Network (Firewall)

Firewall (Figure 15.1) is one of the applications on the operating system

Module 15 System Security Network (Firewall)

Figure 15.2 Architecture At Firewall Software

1. Packet header modification,

2. Translation of a translation can occur one to one (one to one), that is

Module 15 System Security Network (Firewall)

1. Packet Filtering Gateway

Module 15 System Security Network (Firewall)

Packet filtering gateway firewall can be defined as a duty to perform

Figure 15. 3 Tier 3 process for Packet Filtering Gateway

Module 15 System Security Network (Firewall)

Figure 15.4 Web server with a Firewall

Module 15 System Security Network (Firewall)

Figure 15.5 Proxy Firewall Model views on TCP / IP

Module 15 System Security Network (Firewall)

Figure 15.6 Circuit Level Gateway Model views on the TCP / IP

Figure 15.7 Statefull Multilayer Inspection Firewall seen in Model TCP / IP

1. Connection package that implements a firewall that is used.

Module 15 System Security Network (Firewall)

Connection packet in the process of sending from the sender to the

Module 15 System Security Network (Firewall)

TCP connection is a connection known as a Connection Oriented means

Figure 15.8 A First TCP Connection

Figure 15.10 An image ICMP Connection

1. Echo request and reply,

2. Timestamp request and reply,

3. Information request and reply,

4. Address mask request and reply.

Module 15 System Security Network (Firewall)

Unlike the TCP connections, UDP connections (Figure 11.11) is

Figure 15.11 An image UDP Connection

To build a firewall, we should know first is how a packet is processed by the

Module 15 System Security Network (Firewall)

No INPUT OUTPUT FORWARD

1 Rule no 1 Rule no 1 Rule no 1

2 Rule no 2 Rule no 2 Rule no 2

3 Rule no 3 Rule no 3 Rule no 3

N N Rules N Rules N Rules

ACCEPT / ACCEPT / ACCEPT /

Module 15 System Security Network (Firewall)

Post Routing Pre Routing

1 Rule no 1 Rule no 1 Rule no 1

2 Rule no 2 Rule no 2 Rule no 2

3 Rule no 3 Rule no 3 Rule no 3

N N Rules N Rules N Rules

ACCEPT / ACCEPT / ACCEPT /

Module 15 System Security Network (Firewall)

One of the advantages IPTABLES is to enable the computer we can