IPTABLES Firewall rules

Flint is a free, open source, web-based firewall rule scanner. It examines firewalls, quickly computes the effect of all the configuration rules, and then spots problems so you can:
- CLEAN UP OLD CONFIGURATIONS that are filled up with rules that can’t match traffic.
- ERADICATE LATENT SECURITY PROBLEMS lurking in overly-permissive rules.
- SANITY CHECK CHANGES to see if new rules create problems.

Flint: A Firewall Checkup Tool!

Who should use Flint?
Administrators who have multiple firewalls protecting internal networks from the Internet and controlling access to customer data. Your business changes, and so do your firewalls, and not always at the same time. Firewalls can get out of step with policies.

Everybody makes mistakes. To understand a firewall configuration, you have to read hundreds of configuration lines, and then you have to think like a firewall does. People aren’t good at thinking like firewalls. So most firewalls are riddled with subtle mistakes. Some of those mistakes can be expensive:

- INSECURE SERVICES might be allowed through the firewall, preventing it from blocking attacks.
- LAX CONTROLS ON DMZs may expose staging and test servers.
- FIREWALL MANAGEMENT PORTS may be exposed to untrusted networks.
- REDUNDANT FIREWALL RULES may be complicating your configuration and slowing you down.

Use of Flint:
CHECK RULES BEFORE DEPLOYING THEM: Flint prevents engineers from making costly mistakes. It takes just moments for Flint to evaluate a ruleset and spot errors. Your team can have it up and running in minutes. Flint is low-drag, no drama.
CLEAN UP RUSTY RULESETS: Flint does the hard work of scouring firewall rules for useless crud, saving you time and allowing your team to focus on engineering problems that really matter. Flint can spot redundant and contradictory rules, and Flint makes it easier to spot business-level problems.
COMPREHEND COMPLEX CONFIGURATIONS: Flint doesn’t just check firewalls for problems. It also fully understands the meanings of configuration lines, and breaks them down for you by service or by interface, so you can see at a glance what any given firewall is doing.
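To make the "rules that can't match traffic" check concrete, here is an added example (not Flint's code) of first-match shadowing analysis over a small, constructed iptables-style ruleset; the Rule fields and SAMPLE_RULES are assumptions for illustration, and a DROP hidden behind an earlier, broader ACCEPT is exactly the overly-permissive case the post warns about.

```python
"""Shadowed-rule check for a tiny iptables-style ruleset (added illustration, not Flint's code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str       # source network in CIDR notation
    proto: str     # "tcp", "udp" or "any"
    dport: tuple   # inclusive destination port range, (0, 65535) for any
    target: str    # "ACCEPT" or "DROP"


def covers(a: Rule, b: Rule) -> bool:
    """True when every packet that rule b matches is also matched by rule a."""
    net_a, net_b = ipaddress.ip_network(a.src), ipaddress.ip_network(b.src)
    if net_a.version != net_b.version or not net_b.subnet_of(net_a):
        return False
    if a.proto != "any" and a.proto != b.proto:
        return False
    return a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1]


def shadowed(rules):
    """Under iptables first-match semantics, report rules that can never fire because
    one earlier rule already covers all of their traffic. Each hit is
    (dead_index, shadowing_index, kind): "redundant" if both have the same target,
    "contradictory" if the dead rule would have decided differently. A rule hidden
    only by the union of several earlier rules is not found by this pairwise check."""
    hits = []
    for i, rule in enumerate(rules):
        for j in range(i):
            if covers(rules[j], rule):
                kind = "redundant" if rules[j].target == rule.target else "contradictory"
                hits.append((i, j, kind))
                break
    return hits


# Constructed sample ruleset, evaluated top to bottom like an iptables chain.
SAMPLE_RULES = [
    Rule("0.0.0.0/0", "tcp", (22, 22), "ACCEPT"),       # 0: SSH open to the world
    Rule("10.0.0.0/8", "tcp", (22, 22), "DROP"),        # 1: never fires, rule 0 already accepted it
    Rule("192.168.1.0/24", "udp", (53, 53), "ACCEPT"),  # 2: DNS from the LAN
    Rule("192.168.1.0/24", "any", (1, 1024), "DROP"),   # 3: live (e.g. TCP 80 from the LAN)
    Rule("192.168.1.10/32", "udp", (53, 53), "ACCEPT"), # 4: redundant with rule 2
    Rule("0.0.0.0/0", "any", (0, 65535), "DROP"),       # 5: catch-all
]

if __name__ == "__main__":
    for dead, by, kind in shadowed(SAMPLE_RULES):
        print(f"rule {dead} is {kind}: shadowed by rule {by}")
```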

Managing multiple firewalls by hand is difficult and cumbersome. Flint makes the work easier and lets you fine-tune your firewalls effectively and quickly; it is a great time-saving tool. A download is available as a VMware image.

Download Flint 1.0.X here


We blogged about ipt_pkd in our previous posts here.

So, “ipt_pkd is an iptables extension implementing port knock detection. This project provides 3 parts: the kernel module ipt_pkd, the iptables user space module libipt_pkd.so, and a user space client knock program. For the knock packet, it uses a UDP packet sent to a random port that contains a SHA-256 of a time-stamp, small header, random bytes, and a shared key. ipt_pkd checks the time window of the packet and does the SHA-256 to verify the packet. The shared key is never sent.”

Now, ipt_pkd has been updated to version 1.6!

These are the changes made:
- This version was updated for Linux 2.6.32 and iptables 1.4.6.
- A new knock client was added, written in C#; it runs on both Linux and Windows and encrypts its configuration data.
- A pre-built kernel module, an iptables library for Vyatta Community Edition 5, and a small install script for Vyatta were added.

Download ipt_pkd version 1.6 here.


If you have read our last few posts, you already know what a port knock is. We mentioned it here when we wrote about winKnocks. Today, we are going to blog about ipt_pkd.

Port knocking per se can be very dangerous if you try it on your own firewall without any authentication mechanism. winKnocks is a good option, though its implementation is mainly for Windows. So what do you do to protect your Linux-based firewall when you want to use port knocking? Simple – use ipt_pkd! ipt_pkd is an iptables extension implementing port knock detection. It makes use of single packet authorization. The knock packet is a SHA-256 of a timestamp, some random bytes, a small header, and a shared key, sent via UDP. The timestamp and the random bytes are passed in the packet so the server can compute the SHA-256 itself and compare the results. If it is a match, the pkd module returns true; otherwise it returns false and any further packets from that sender are dropped. To defeat replay attacks, the source and destination ports are included in the hash!

There are two versions – one in C and the other in Python. The open source package includes a small Python script, knock.py, which is a Python implementation of ipt_pkd and reads the necessary information from ipt_pkd.ini. It accepts three options: a 40-byte-long hex shared key, a window (the time during which it waits for a valid knock from a system) and a 4-byte-long tag which helps speed up processing. You can use “hitcount” to control how many knocks are allowed until it is dropped, reset, etc.
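As an added illustration of the knock packet described in this post and in the 1.6 update above (this is not ipt_pkd's own code; the wire layout, the 16 random bytes, the tag value and the replay set are assumptions), here are both sides of the exchange: the client builds tag | timestamp | random bytes | SHA-256, and the server enforces the time window, recomputes the digest with the ports it actually observed, and refuses an exact replay.

```python
"""Single-packet-authorization knock in the style this post describes (added
illustration, not ipt_pkd's code; the wire layout below is an assumption)."""
import hashlib
import hmac
import os
import struct
import time

TAG = b"pkd1"        # assumed 4-byte tag (the "tag" option lets the server reject junk cheaply)
WINDOW = 10          # seconds a knock stays valid (the "window" option)
ACCEPTED = set()     # digests already honoured, so an identical packet cannot be replayed


def digest(ts, rnd, sport, dport, key):
    # SHA-256 over tag, timestamp, random bytes, both UDP ports and the shared key.
    # Only the digest travels on the wire; the key itself is never sent.
    data = TAG + struct.pack("!I", ts) + rnd + struct.pack("!HH", sport, dport) + key
    return hashlib.sha256(data).digest()


def build_knock(key, sport, dport, now=None):
    """Client: payload = tag | 32-bit timestamp | 16 random bytes | 32-byte SHA-256."""
    ts = int(time.time() if now is None else now)
    rnd = os.urandom(16)
    return TAG + struct.pack("!I", ts) + rnd + digest(ts, rnd, sport, dport, key)


def check_knock(payload, key, sport, dport, now=None, window=WINDOW):
    """Server: True only for a fresh, correctly keyed knock bound to these ports."""
    if len(payload) != 56 or payload[:4] != TAG:
        return False                                 # wrong shape or tag: no hashing done
    ts = struct.unpack("!I", payload[4:8])[0]
    rnd, sent = payload[8:24], payload[24:]
    if abs(int(time.time() if now is None else now) - ts) > window:
        return False                                 # outside the time window
    if not hmac.compare_digest(sent, digest(ts, rnd, sport, dport, key)):
        return False                                 # wrong key, or ports/fields tampered with
    if sent in ACCEPTED:
        return False                                 # exact replay of an already accepted knock
    ACCEPTED.add(sent)
    return True


if __name__ == "__main__":
    # Constructed demo: the client knocks from port 40000 at the server's UDP port 1234.
    key = bytes.fromhex("0123456789abcdef" * 5)      # constructed 40-hex-digit shared key
    pkt = build_knock(key, 40000, 1234)
    print("first knock accepted:", check_knock(pkt, key, 40000, 1234))    # True
    print("replay accepted:", check_knock(pkt, key, 40000, 1234))         # False
```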

Download ipt_pkd here.
