Building Internet Firewalls


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Building Internet Firewalls

  1. 1. Building Network Firewalls Jason Testart, Computer Science Computing Facility
  2. 2. Topics in this Session <ul><li>TCP/IP Primer </li></ul><ul><li>Types of Firewalls </li></ul><ul><li>Client-only network: Example Rulesets </li></ul><ul><li>CSCF Firewall </li></ul><ul><li>Open Source solution to high availability and high performance </li></ul>
  3. 3. Internet Protocol <ul><li>Network layer protocol </li></ul><ul><li>Traffic directed between machines by routers </li></ul><ul><li>Addresses are 32-bits long, split up into four 8-bit chunks, seperated by a “.” </li></ul><ul><li>Networks are determined by netmasks (eg. </li></ul><ul><li>For addressing, IP header contains source IP address and destination IP address </li></ul>
  4. 4. IP Addressing (Networks) <ul><li> is the same as = 10.*.*.* </li></ul><ul><li> is the same as = 129.97.*.* </li></ul><ul><li> is the same as = 129.97.15.* </li></ul><ul><li> is the same as = </li></ul>
  5. 5. Transport Protocols <ul><li>TCP and UDP are most common </li></ul><ul><li>Transmission Control Protocol (TCP) is connection oriented and reliable (eg. HTTP, SSH, Telnet) </li></ul><ul><li>User Datagram Protocol (UDP) is connectionless and unreliable (eg. DNS, Xbox Live) </li></ul><ul><li>Addressing consists of source port and destination port </li></ul><ul><li>Port number is in the range 1-65535 </li></ul>
  6. 6. More about ports <ul><li>Privileged ports (1-1023) </li></ul><ul><li>Most Operating systems won’t let just anyone bind to privileged ports </li></ul><ul><li>Notice most “servers” are on privileged ports? </li></ul><ul><li>Ephemeral ports </li></ul><ul><li>(typically 1024-65535) </li></ul><ul><li>Ports that clients bind to when talking to servers </li></ul><ul><li>Ephemeral port range varies from OS to OS and may be customized </li></ul>
  7. 7. TCP Flags <ul><li>There are several flags (bits) in the TCP header. We care about: </li></ul><ul><li>SYN </li></ul><ul><li>ACK </li></ul><ul><li>FIN </li></ul><ul><li>RST </li></ul>
  8. 8. TCP Connection (simplified) Client Host (port 33000) Server Host (port 80) SYN =1 SYN=1, ACK=1 ACK=1 ACK=1 Either side can end connection with a FIN packet
  9. 9. RST TCP Flag <ul><li>RST flag is used if something goes wrong with the connection </li></ul><ul><li>If a client tries to connect to a port on a server where there is no process bound, the server sends the client a RST packet </li></ul>
  10. 10. “ Backwards” TCP Protocols <ul><li>X11 (port 6000) – the server actually runs on the client machine. The “client” is the program that you run on the remote host. </li></ul><ul><li>Ident (port 113) – aka Auth – When you the client connect to a service on a server, that service may try to connect to port 113 on your machine and ask: What user is bound to ephemeral port X? </li></ul>
  11. 11. ICMP <ul><li>Internet Control Message Protocol </li></ul><ul><li>Has message types and message codes </li></ul><ul><li>Common examples: </li></ul><ul><li>Type 8, code 0 – echo request </li></ul><ul><li>Type 0, code 0 – echo reply </li></ul><ul><li>Type 3, code 1 – host unreachable </li></ul><ul><li>Type 3, code 3 – port unreachable (UDP) </li></ul>
  12. 12. Types of Firewalls <ul><li>Simple packet filters </li></ul><ul><li>Stateful packet filters </li></ul><ul><li>Application firewalls </li></ul><ul><li>Intrusion Prevention systems </li></ul>Most firewalls are stateful packet filters
  13. 13. Simple Packet Filters <ul><li>Filter traffic based on source IP address and port, and destination IP address and port </li></ul><ul><li>You need a rule for each direction of traffic for any given protocol </li></ul><ul><li>Examples include: </li></ul><ul><li>Switch ACLs </li></ul><ul><li>Windows 2000 IPSec filters </li></ul><ul><li>ipchains (Linux) </li></ul>
  14. 14. Stateful Packet Filters <ul><li>Filter traffic based on source IP address and port, and destination IP address and port </li></ul><ul><li>“ Remember” the first packet, allow remaining packets of the connection through </li></ul><ul><li>Cheat for UDP since the protocol has no concept of state </li></ul><ul><li>Examples include: </li></ul><ul><li>Most commercial firewalls </li></ul><ul><li>iptables (Linux) </li></ul><ul><li>ipfilter (*BSD/Solaris 10) </li></ul><ul><li>ipfw (FreeBSD/Darwin) </li></ul><ul><li>pf (OpenBSD) </li></ul><ul><li>Windows XP ICF </li></ul>
  15. 15. How do we “remember” packets? <ul><li>Memory is in the form of a state table, where each entry represents a connection. </li></ul><ul><li>Firewall first checks to see if a TCP packet belongs to a connection in the state table. </li></ul><ul><li>If not in state table, evaluate the packet against the ruleset (sanity check – SYN =1, ACK=0) </li></ul><ul><li>If allowed, an entry representing that TCP connection is added to a state table </li></ul><ul><li>With UDP, we look at src/dest IPAddr/ports and timing and hope for the best </li></ul>
  16. 16. Application Firewalls <ul><li>Analyse the payload of each packet, looking for nasty content </li></ul><ul><li>Behaves like a proxy server </li></ul><ul><li>Many commercial firewalls offer HTTP and SMTP application filtering </li></ul><ul><li>Limited to those protocols understood by the firewall </li></ul><ul><li>Needs lots of CPU for processing </li></ul>
  17. 17. Intrusion Prevention Systems <ul><li>Like Intrusion Detection Systems, look at all traffic for known attack signatures </li></ul><ul><li>Block traffic based on attacks/certain behaviours </li></ul><ul><li>Latest products focus on dealing with worms </li></ul><ul><li>Open Source implementation (snort-inline) uses snort with hooks into iptables </li></ul><ul><li>Relatively new technology – false positives can be a problem </li></ul><ul><li>Lots of CPU needed on busy networks </li></ul>
  18. 18. Sample Firewall Ruleset (client-only network) <ul><li>Want to protect some PCs </li></ul><ul><li>Allow arbitrary outbound traffic </li></ul><ul><li>Clients need to be able to FTP, to download stuff! </li></ul><ul><li>Want to allow X11 traffic on campus </li></ul><ul><li>Inbound ping is OK </li></ul><ul><li>Won’t worry about anti-spoofing rules </li></ul><ul><li>Ignore rules involving the firewall itself </li></ul>
  19. 19. FTP A difficult protocol to firewall <ul><li>Active FTP (older Windows IE) </li></ul><ul><li>Client makes control connection to port 21 </li></ul><ul><li>Client picks an ephemeral port for data connection and tells server </li></ul><ul><li>Server initiates connection from port 20 to client’s ephemeral port </li></ul><ul><li>Passive FTP </li></ul><ul><li>Client makes control connection to port 21 </li></ul><ul><li>Server picks an ephemeral port for the data connection and tells the client </li></ul><ul><li>Client initiates connection to server on ephemeral port </li></ul>Active FTP is difficult to firewall on the client side. Passive FTP is difficult to firewall on the server side.
  20. 20. Client-Only Network ipchains ruleset ipchains -p input deny ipchains -p forward accept ipchains -p output accept ipchains -A input -p tcp -i $ExtIF -s -d $clientnet 6000 -j accept ipchains -A input -p tcp -i $ExtIF -s 0/0 -d $clientnet 113 -j reject ipchains -A input -p tcp -i $ExtIF -s 0/0 20 -d $clientnet 1024:65535 -j accept ipchains -A input -p udp -i $ExtIF -d $clientnet -j accept ipchains -A input -p icmp -i $ExtIF -d 0/0 0 3 8 -j accept Can you find the holes?
  21. 21. Client-Only Network iptables ruleset iptables -p forward drop iptables -A forward -p tcp -i $IntIF -s $clientnet -d 0/0 -m state --state NEW,ESTABLISHED -j accept iptables -A forward -p udp -i $IntIF -s $clientnet -d 0/0 -m state --state NEW,ESTABLISHED -j accept iptables -A forward -p icmp -i $IntIF -s $clientnet -d 0/0 -m state --state NEW,ESTABLED,RELATED -j accept iptables -A forward -p tcp -i $ExtIF -s -d $clientnet --dport 6000 -m state NEW -j accept iptables -A forward -p tcp -i $ExtIF -s 0/0 -d $clientnet -dport 113 -j reject --reject-with tcp-reset iptables -A forward -p tcp -i $ExtIF -s 0/0 --sport 20 -d $clientnet -m state --state ESTABLISHED,RELATED -j accept
  22. 22. Client-Only Network iptables ruleset (continued) iptables -A forward -p tcp -i $ExtIF -s 0/0 -d $clientnet -m state --state ESTABLISHED -j accept iptables -A forward -p udp -i $ExtIF -s 0/0 -d $clientnet -m state --state ESTABLISHED -j accept iptables -A forward -i $ExtIF -p icmp --icmp-type 3 -s 0/0 --d $clientnet –m state --state NEW,ESTABLISHED,RELATED Did you understand that?
  23. 23. Client-Only Network ipfw ruleset ipfw add 10 check-state ipfw add 20 allow tcp from any 20 to $clientnet 1024-65535 keep-state ipfw add 30 reset tcp from any to $clientnet 113 ipfw add 40 deny tcp from any to $clientnet established ipfw add 50 allow ip from $clientnet to any keep-state ipfw add 60 allow tcp from to $clientnet 6000 setup keep-state ipfw add 70 allow icmp from any to $clientnet icmptype 8 keep-state ipfw add 65534 deny any to any Rule 20 is really a stateless hack to allow active FTP. The keep-state is there for efficiency. Easy to read, eh?
  24. 24. Client-Only Network pf ruleset (ipfilter like syntax) OpenBSD pf uses a config file (/etc/pf.conf) for the ruleset: rdr on $IntIF proto tcp from $clientnet to any port 21 -> port 8021 pass in on $IntIF inet from $clientnet to any keep state block in on $ExtIF any to any pass in on $ExtIF inet proto tcp from any port = 20 to ($ExtIF) port > 49150 keep state pass in on $ExtIF inet proto icmp from any to $clientnet icmp-type echoreq keep state pass in on $ExtIF inet proto tcp from to $clientnet port = 6000 keep state block return-rst in on $ExtIF inet proto tcp from any to $clientnet port = 113 Short and sweet (and secure)
  25. 25. More about pf <ul><li>The redirect (rdr) rule redirects FTP traffic to an FTP proxy running from inetd on the firewall itself. In /etc/inetd.conf you’ll find the entry: </li></ul><ul><li> stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy </li></ul><ul><li>After editing the ruleset in /etc/pf.conf, run: pfctl –f /etc/pf.conf to reload the ruleset. </li></ul><ul><li>pf implicitly looks at the state table before the ruleset </li></ul>
  26. 26. Firewall Requirements for Computer Science <ul><li>Need to ensure that performance is not negatively impacted </li></ul><ul><li>We want to make things secure as possible for those machines under our control </li></ul><ul><li>Researchers need the ability to choose the level of protection they want </li></ul><ul><li>Deploying new technology takes time </li></ul><ul><li>Don’t want a single point of failure </li></ul>
  27. 27. Netscreen 500 <ul><li>Gig Firewall Appliance (ASIC) </li></ul><ul><li>Interfaces support redundant connections </li></ul><ul><li>Stateful packet filtering </li></ul><ul><li>HTTPS/SSH mgmt interfaces </li></ul><ul><li>Supports the concept of security zones; each zone contains one or more subnets. We can define policies for traffic between zones. </li></ul><ul><li>Two devices can be put in Active/Active failover mode </li></ul>
  28. 28. Logical Network Diagram VSD 0 VSD 1 Firewall Cluster DCCoreNet … … UnTrust Trust Protected subnets are manually balanced between two virtual security devices (VSDs). CS Networks
  29. 29. Simplified Physical Connection Diagram Eng switches exsw08 exsw18 exsw19 X-over cables Firewall 1 VSD0 master VSD1 slave IST (MC) IST (Eng) Future connection Firewall 2 VSD1 master VSD0 slave VLAN Trunk (CS Nets) Non-CS/Untrusted Nets
  30. 30. More about the Netscreens <ul><li>Any configuration change made to one firewall is propagated to the other within seconds </li></ul><ul><li>X-over cables are 100/fdx – used for managing the cluster (exchanging state info, heartbeat, alternate data path, etc...) </li></ul><ul><li>Definining policies is quite simple, via a web-based management interface. </li></ul><ul><li>When defining policies, need to be careful that ALL zones are considered! </li></ul>
  31. 31. Where we are with deployment <ul><li>Teaching hosts are mostly divided correctly into proper subnets; ready for placing in security zones </li></ul><ul><li>Co-op student spent most of summer auditing and removing unused hostnames from non-teaching subnets – more work to be done in assigning hosts to zones </li></ul><ul><li>Teaching subnets to be moved behind firewall before 2005. It was supposed to be done in August 2004 but… </li></ul>
  32. 32. My life suddenly changed My son Alex was born two months early.
  33. 33. Firewall Performace Considerations <ul><li>State table lookups are fast – need RAM </li></ul><ul><li>Minimize number of rules </li></ul><ul><li>OpenBSD pf supports a “quick” keyword – if packet matches rule, then stop processing. Rule ordering becomes important. </li></ul><ul><li>Minimize number of daemons running on firewall box </li></ul><ul><li>Obvious things like CPU, NIC, etc… </li></ul><ul><li>But what if that P4 3.8 Ghz just isn’t fast enough? </li></ul>
  34. 34. Get a second firewall! You’ll have to worry about… <ul><li>Load balancing </li></ul><ul><li>Asymetric routing </li></ul><ul><li>state table synchronization </li></ul><ul><li>Multiple single points of failure </li></ul><ul><li>Management of multiple firewalls (configs, etc…) </li></ul>
  35. 35. OpenBSD Solution: pfsync and CARP <ul><li>Functionality released in Spring 2004 (OpenBSD 3.5) </li></ul><ul><li>CARP – Common Address Redundancy Protocol </li></ul><ul><li>CARP has an “arpbalance” feature for load balancing </li></ul><ul><li>Pfsync – a virtual network interface for exchanging state table info (dedicated NIC recommended) </li></ul><ul><li> </li></ul><ul><li>http :// </li></ul>
  36. 36. If money was no object… <ul><li>Alteon Switched Firewall (ASF) </li></ul><ul><li>Two devices: Director (PC running CheckPoint) and Accelerator (appliance) </li></ul><ul><li>Scales to 6 Directors and 2 Accelerators </li></ul><ul><li>Up to 4.2 Gbps throughput, 500K sessions at wire-speed, 20K-100K connections per second </li></ul><ul><li>Rules evaluated by director, states managed by accelerator </li></ul>
  37. 37. The End Thanks for coming!