Linux Firewalls - Michael Rash [154]

proxy that Tor requires, together with the --TCP-sock argument on the fwknop command line, the SPA packet can be sent over the Tor network.

Note

For more information on socat, see http://www.dest-unreach.org/socat.

* * *

[82] Transmitting keys over an insecure medium is an abstract notion that includes things like writing the shared key down on a piece of paper and mailing it between the parties.

[83] The puzzle is usually derived from a classic computational problem such as integer factorization of products of two large prime numbers, or computing discrete logarithms over a cyclic group. The latter method is used by the ElGamal cryptosystem in GnuPG; see http://en.wikipedia.org/wiki/elgamal_encryption for a brief overview.

[84] There have been some attacks against Tor in order to reduce the strength of its resistance to traffic analysis; see http://www.cl.cam.ac.uk/users/sjm217/papers/oakland05torta.pdf.

[85] A blind TCP ACK (or a TCP packet with other flags set) is a packet that is not part of an established TCP connection.

Concluding Thoughts

This chapter and Chapter 12 have illustrated powerful techniques in computer security, showing how a server can be protected by a default-drop packet filter, through which access is granted only to clients able to prove their identities to a passively monitoring device. Port knocking was the first technology to implement this idea, but due to some serious limitations in the port-knocking architecture (including the difficulty of adequately addressing the replay problem and the inability to transmit more than a few tens of bytes), SPA has proved itself a more robust technology. The notion of an authorizing Ethernet sniffer combined with a default-drop packet filter is a relatively new one in the computer security field, but it seems that new implementations are springing up every day.[86]

Based on iptables, fwknop is an open source implementation of SPA that provides a flexible mechanism for managing multiple users within the SPA paradigm.

* * *

[86] There is even a project to put HMAC-based SPA directly into iptables; see http://svn.berlios.de/svnroot/repos/portknocko, and a discussion thread in the Netfilter development list archives, http://lists.netfilter.org/pipermail/netfilter-devel/2006-october/thread.html.

Chapter 14. VISUALIZING IPTABLES LOGS

Visualizing security data is becoming increasingly important in today's threat environment on the open Internet. Security devices—from intrusion detection systems to firewalls—generate huge amounts of event data as they deal with attacks from all corners of the globe. Making sense of this vast amount of data is a tremendous challenge. Graphical representations of security data allow administrators to quickly see emerging trends and unusual activity that would be difficult to detect without dedicated code. That is, a graph is effective at conveying context and change because the human eye can quickly discern relationships that are otherwise hard to see.

This chapter explores the usage of psad with the Gnuplot (http://www.gnuplot.info) and AfterGlow (http://afterglow.sourceforge.net) projects for the production of graphical representations of iptables log data. Our primary data source will be iptables logs from the Honeynet Project (see http://www.honeynet.org).

The Honeynet Project is an invaluable resource for the security community; it publicly releases raw security data such as Snort alerts and iptables logs collected from live honeynet systems that are under attack. A primary goal of the Honeynet Project is to make this security data available for analysis in a series of "scan challenges," and the results of these challenges are posted on the Honeynet Project website. In this chapter, we will visualize data from the Scan34 Honeynet challenge (see http://www.honeynet.org/scans/scan34). You can download all graphs and Gnuplot directive files referred to in this chapter from http://www.cipherdyne.org/linuxfirewalls.

Note

All examples in this chapter assume the Scan34 iptables data file is called iptables.data.
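As an added example (not code from the book, from psad or from the Honeynet Project), the following Python script shows the pipeline the chapter builds with psad and Gnuplot in miniature: it parses constructed iptables log lines in the standard LOG-target KEY=VALUE format, counts packets per destination port, and writes a Gnuplot data file plus a directive file that plots it. The sample log lines, the addresses in them and the file names dpt.dat, dpt.gp and dpt.png are assumptions.

```python
import re
from collections import Counter

# Constructed iptables log lines (not taken from the Scan34 data set); the field
# layout is the standard iptables LOG-target format that psad parses.
SAMPLE_LOG = """\
Mar  1 00:00:01 hn kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=48 TTL=112 ID=1 DF PROTO=TCP SPT=3304 DPT=135 WINDOW=16384 SYN URGP=0
Mar  1 00:00:03 hn kernel: IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.7 LEN=48 TTL=110 ID=2 DF PROTO=TCP SPT=1025 DPT=445 WINDOW=65535 SYN URGP=0
Mar  1 00:01:07 hn kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=48 TTL=112 ID=3 DF PROTO=TCP SPT=3305 DPT=135 WINDOW=16384 SYN URGP=0
Mar  1 00:02:19 hn kernel: IN=eth0 OUT= SRC=192.0.2.12 DST=198.51.100.7 LEN=78 TTL=55 ID=4 PROTO=UDP SPT=1434 DPT=1434 LEN=58
Mar  1 00:03:44 hn kernel: IN=eth0 OUT= SRC=192.0.2.13 DST=198.51.100.7 LEN=48 TTL=112 ID=5 DF PROTO=TCP SPT=2000 DPT=135 WINDOW=16384 SYN URGP=0
Mar  1 00:04:02 hn kernel: IN=eth0 OUT= SRC=192.0.2.14 DST=198.51.100.7 LEN=84 TTL=64 ID=6 PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
"""

# Matches KEY=VALUE tokens; the value may be empty (e.g. "OUT=" for inbound packets).
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_iptables_log(text):
    """Return one dict of iptables fields per log line; non-iptables lines are skipped."""
    records = []
    for line in text.splitlines():
        if "PROTO=" not in line:
            continue
        fields = {}
        for key, value in FIELD_RE.findall(line):
            fields.setdefault(key, value)  # keep the first ID=/LEN= (the IP header's)
        records.append(fields)
    return records

def packets_per_dpt(records, proto="TCP"):
    """Count packets per destination port for one protocol (TCP by default)."""
    counts = Counter()
    for rec in records:
        if rec.get("PROTO") == proto and "DPT" in rec:
            counts[int(rec["DPT"])] += 1
    return counts

def write_gnuplot_files(counts, data_path="dpt.dat", gp_path="dpt.gp"):
    """Write a 'port count' data file and a Gnuplot directive file that draws it as boxes."""
    with open(data_path, "w") as fh:
        for port, count in sorted(counts.items()):
            fh.write(f"{port} {count}\n")
    directives = ("set terminal png\nset output 'dpt.png'\n"
                  "set boxwidth 0.8\nset style fill solid\n"
                  "set xlabel 'destination port'\nset ylabel 'packets'\n"
                  f"plot '{data_path}' using 2:xtic(1) with boxes title 'TCP packets per DPT'\n")
    with open(gp_path, "w") as fh:
        fh.write(directives)
    return directives
```

Running `write_gnuplot_files(packets_per_dpt(parse_iptables_log(SAMPLE_LOG)))` and then `gnuplot dpt.gp` produces the bar chart; point `parse_iptables_log` at the contents of iptables.data to plot the real Scan34 data instead.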

