
Building Internet Firewalls


  1. Building Network Firewalls
     Jason Testart, Computer Science Computing Facility

  2. Topics in this Session
     • TCP/IP Primer
     • Types of Firewalls
     • Client-only network: Example Rulesets
     • CSCF Firewall
     • Open Source solution to high availability and high performance

  3. Internet Protocol
     • Network layer protocol
     • Traffic directed between machines by routers
     • Addresses are 32 bits long, split into four 8-bit chunks separated by a “.”
     • Networks are determined by netmasks (e.g. 129.97.0.0/255.255.0.0)
     • For addressing, the IP header contains a source IP address and a destination IP address

  4. IP Addressing (Networks)
     • 10.0.0.0/8 is the same as 10.0.0.0/255.0.0.0 = 10.*.*.*
     • 129.97.0.0/16 is the same as 129.97.0.0/255.255.0.0 = 129.97.*.*
     • 129.97.15.0/24 is the same as 129.97.15.0/255.255.255.0 = 129.97.15.*
     • 129.97.128.10/32 is the same as 129.97.128.10/255.255.255.255 = 129.97.128.10

  5. Transport Protocols
     • TCP and UDP are the most common
     • Transmission Control Protocol (TCP) is connection-oriented and reliable (e.g. HTTP, SSH, Telnet)
     • User Datagram Protocol (UDP) is connectionless and unreliable (e.g. DNS, Xbox Live)
     • Addressing consists of a source port and a destination port
     • Port numbers are in the range 1-65535

  6. More about ports
     • Privileged ports (1-1023)
       - Most operating systems won’t let just anyone bind to privileged ports
       - Notice most “servers” are on privileged ports?
     • Ephemeral ports (typically 1024-65535)
       - Ports that clients bind to when talking to servers
       - The ephemeral port range varies from OS to OS and may be customized
     http://www.ncftp.com/ncftpd/doc/misc/ephemeral_ports.html

  7. TCP Flags
     • There are several flags (bits) in the TCP header. We care about:
       - SYN
       - ACK
       - FIN
       - RST

  8. TCP Connection (simplified)
     Client Host (port 33000)                      Server Host (port 80)
        -------- SYN=1 ----------------------->
        <------- SYN=1, ACK=1 -----------------
        -------- ACK=1 ----------------------->
        <------- ACK=1 (data, both directions) -->
     Either side can end the connection with a FIN packet.

  9. RST TCP Flag
     • The RST flag is used if something goes wrong with the connection
     • If a client tries to connect to a port on a server where no process is bound, the server sends the client a RST packet

  10. “Backwards” TCP Protocols
     • X11 (port 6000) – the server actually runs on the client machine. The “client” is the program that you run on the remote host.
     • Ident (port 113) – aka Auth – when you, the client, connect to a service on a server, that service may try to connect to port 113 on your machine and ask: what user is bound to ephemeral port X?

  11. ICMP
     • Internet Control Message Protocol
     • Has message types and message codes
     • Common examples:
       - Type 8, code 0 – echo request
       - Type 0, code 0 – echo reply
       - Type 3, code 1 – host unreachable
       - Type 3, code 3 – port unreachable (UDP)

  12. Types of Firewalls
     • Simple packet filters
     • Stateful packet filters
     • Application firewalls
     • Intrusion Prevention Systems
     Most firewalls are stateful packet filters.

  13. Simple Packet Filters
     • Filter traffic based on source IP address and port, and destination IP address and port
     • You need a rule for each direction of traffic for any given protocol
     • Examples include:
       - Switch ACLs
       - Windows 2000 IPSec filters
       - ipchains (Linux)

  14. Stateful Packet Filters
     • Filter traffic based on source IP address and port, and destination IP address and port
     • “Remember” the first packet, allow the remaining packets of the connection through
     • Cheat for UDP, since the protocol has no concept of state
     • Examples include:
       - Most commercial firewalls
       - iptables (Linux)
       - ipfilter (*BSD/Solaris 10)
       - ipfw (FreeBSD/Darwin)
       - pf (OpenBSD)
       - Windows XP ICF

  15. How do we “remember” packets?
     • Memory is in the form of a state table, where each entry represents a connection.
     • The firewall first checks whether a TCP packet belongs to a connection in the state table.
     • If not in the state table, evaluate the packet against the ruleset (sanity check – SYN=1, ACK=0)
     • If allowed, an entry representing that TCP connection is added to the state table
     • With UDP, we look at src/dest IP addresses/ports and timing, and hope for the best
  16. Application Firewalls
     • Analyse the payload of each packet, looking for nasty content
     • Behaves like a proxy server
     • Many commercial firewalls offer HTTP and SMTP application filtering
     • Limited to those protocols understood by the firewall
     • Needs lots of CPU for processing

  17. Intrusion Prevention Systems
     • Like Intrusion Detection Systems, look at all traffic for known attack signatures
     • Block traffic based on attacks/certain behaviours
     • Latest products focus on dealing with worms
     • Open Source implementation (snort-inline) uses snort with hooks into iptables
     • Relatively new technology – false positives can be a problem
     • Lots of CPU needed on busy networks

  18. Sample Firewall Ruleset (client-only network)
     • Want to protect some PCs
     • Allow arbitrary outbound traffic
     • Clients need to be able to FTP, to download stuff!
     • Want to allow X11 traffic on campus
     • Inbound ping is OK
     • Won’t worry about anti-spoofing rules
     • Ignore rules involving the firewall itself

  19. FTP: A difficult protocol to firewall
     • Active FTP (older Windows IE)
       - Client makes a control connection to port 21
       - Client picks an ephemeral port for the data connection and tells the server
       - Server initiates a connection from port 20 to the client’s ephemeral port
     • Passive FTP
       - Client makes a control connection to port 21
       - Server picks an ephemeral port for the data connection and tells the client
       - Client initiates a connection to the server on the ephemeral port
     Active FTP is difficult to firewall on the client side. Passive FTP is difficult to firewall on the server side.
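
Why FTP needs help from the firewall (the RELATED state in iptables, or ftp-proxy in pf): the data port is announced inside the control channel, so something must parse it. The following is an added example, not the presentation's code, of the minimal helper logic: it decodes the h1,h2,h3,h4,p1,p2 form FTP uses, works out which side will open the data connection, and refuses an announced address that does not belong to the peer. Client and server addresses and the session lines are constructed.

```python
import re

# Decodes the h1,h2,h3,h4,p1,p2 address form FTP uses on the control channel (RFC 959).
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(text):
    """Return ("h1.h2.h3.h4", p1*256 + p2) or None if the text carries no valid address."""
    m = HOSTPORT_RE.search(text)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums) or nums[4] * 256 + nums[5] == 0:
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def expected_data_connection(line, client_ip, server_ip):
    """Given one control-channel line seen by the firewall, return the data connection
    it should now expect as (initiator, src_ip, dst_ip, dst_port), or None."""
    if line.upper().startswith("PORT "):            # active: client announces its port,
        hp = parse_hostport(line)                    # server will connect from port 20
        if hp is None or hp[0] != client_ip:         # only accept the client's own address
            return None
        return ("server", server_ip, hp[0], hp[1])
    if line.startswith("227 "):                      # passive: server announces its port,
        hp = parse_hostport(line)                    # client will connect to it
        if hp is None or hp[0] != server_ip:         # only accept the server's own address
            return None
        return ("client", client_ip, hp[0], hp[1])
    return None                                      # other lines open no data connection

# Constructed control-channel exchange between a client and a campus FTP server.
CLIENT, SERVER = "192.168.1.10", "129.97.15.20"
SESSION = ["USER anonymous", "PORT 192,168,1,10,128,236", "RETR file1",
           "227 Entering Passive Mode (129,97,15,20,195,80)", "RETR file2"]

def data_connections(lines, client_ip, server_ip):
    """Walk a session and collect every data connection the firewall must allow."""
    return [c for c in (expected_data_connection(l, client_ip, server_ip) for l in lines) if c]
```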
  20. Client-Only Network ipchains ruleset
     ipchains -P input DENY
     ipchains -P forward ACCEPT
     ipchains -P output ACCEPT
     ipchains -A input -p tcp -i $ExtIF -s 129.97.0.0/16 -d $clientnet 6000 -j ACCEPT
     ipchains -A input -p tcp -i $ExtIF -s 0/0 -d $clientnet 113 -j REJECT
     ipchains -A input -p tcp -i $ExtIF -s 0/0 20 -d $clientnet 1024:65535 -j ACCEPT
     ipchains -A input -p udp -i $ExtIF -d $clientnet -j ACCEPT
     # ipchains reads the ICMP type from the source "port": types 0, 3 and 8
     ipchains -A input -p icmp -i $ExtIF -s 0/0 0 -d 0/0 -j ACCEPT
     ipchains -A input -p icmp -i $ExtIF -s 0/0 3 -d 0/0 -j ACCEPT
     ipchains -A input -p icmp -i $ExtIF -s 0/0 8 -d 0/0 -j ACCEPT
     Can you find the holes?
  21. Client-Only Network iptables ruleset
     iptables -P FORWARD DROP
     # Outbound from the clients: new and established connections
     iptables -A FORWARD -p tcp  -i $IntIF -s $clientnet -d 0/0 -m state --state NEW,ESTABLISHED -j ACCEPT
     iptables -A FORWARD -p udp  -i $IntIF -s $clientnet -d 0/0 -m state --state NEW,ESTABLISHED -j ACCEPT
     iptables -A FORWARD -p icmp -i $IntIF -s $clientnet -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
     # Inbound X11 from campus, ident rejected with a RST, active FTP data from port 20
     iptables -A FORWARD -p tcp -i $ExtIF -s 129.97.0.0/16 -d $clientnet --dport 6000 -m state --state NEW -j ACCEPT
     iptables -A FORWARD -p tcp -i $ExtIF -s 0/0 -d $clientnet --dport 113 -j REJECT --reject-with tcp-reset
     # RELATED matches the FTP data connection only when the FTP connection tracking helper (ip_conntrack_ftp) is loaded
     iptables -A FORWARD -p tcp -i $ExtIF -s 0/0 --sport 20 -d $clientnet -m state --state ESTABLISHED,RELATED -j ACCEPT

  22. Client-Only Network iptables ruleset (continued)
     # Replies to connections the clients opened, plus inbound ICMP unreachables
     iptables -A FORWARD -p tcp  -i $ExtIF -s 0/0 -d $clientnet -m state --state ESTABLISHED -j ACCEPT
     iptables -A FORWARD -p udp  -i $ExtIF -s 0/0 -d $clientnet -m state --state ESTABLISHED -j ACCEPT
     iptables -A FORWARD -p icmp -i $ExtIF --icmp-type 3 -s 0/0 -d $clientnet -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
     Did you understand that?
  23. Client-Only Network ipfw ruleset
     ipfw add 10 check-state
     ipfw add 20 allow tcp from any 20 to $clientnet 1024-65535 keep-state
     ipfw add 30 reset tcp from any to $clientnet 113
     ipfw add 40 deny tcp from any to $clientnet established
     ipfw add 50 allow ip from $clientnet to any keep-state
     ipfw add 60 allow tcp from 129.97.0.0/16 to $clientnet 6000 setup keep-state
     ipfw add 70 allow icmp from any to $clientnet icmptypes 8 keep-state
     ipfw add 65534 deny ip from any to any
     Rule 20 is really a stateless hack to allow active FTP. The keep-state is there for efficiency. Easy to read, eh?
  24. Client-Only Network pf ruleset (ipfilter-like syntax)
     OpenBSD pf uses a config file (/etc/pf.conf) for the ruleset:
     # Send the clients' FTP control connections to ftp-proxy on the firewall
     rdr on $IntIF proto tcp from $clientnet to any port 21 -> 127.0.0.1 port 8021
     pass in on $IntIF inet from $clientnet to any keep state
     # pf: the last matching rule wins (unless "quick" is used), so the block comes first
     block in on $ExtIF from any to any
     # Active FTP data connections arrive for ftp-proxy on the firewall's own address
     pass in on $ExtIF inet proto tcp from any port = 20 to ($ExtIF) port > 49150 keep state
     pass in on $ExtIF inet proto icmp from any to $clientnet icmp-type echoreq keep state
     pass in on $ExtIF inet proto tcp from 129.97.0.0/16 to $clientnet port = 6000 keep state
     block return-rst in on $ExtIF inet proto tcp from any to $clientnet port = 113
     Short and sweet (and secure)
  25. More about pf
     • The redirect (rdr) rule redirects FTP traffic to an FTP proxy running from inetd on the firewall itself. In /etc/inetd.conf you’ll find the entry:
       127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
     • After editing the ruleset in /etc/pf.conf, run pfctl -f /etc/pf.conf to reload the ruleset.
     • pf implicitly looks at the state table before the ruleset
  26. Firewall Requirements for Computer Science
     • Need to ensure that performance is not negatively impacted
     • We want to make things as secure as possible for those machines under our control
     • Researchers need the ability to choose the level of protection they want
     • Deploying new technology takes time
     • Don’t want a single point of failure

  27. Netscreen 500
     • Gig Firewall Appliance (ASIC)
     • Interfaces support redundant connections
     • Stateful packet filtering
     • HTTPS/SSH management interfaces
     • Supports the concept of security zones; each zone contains one or more subnets. We can define policies for traffic between zones.
     • Two devices can be put in Active/Active failover mode

  28. Logical Network Diagram
     [Diagram: DCCoreNet (UnTrust zone) | Firewall Cluster with VSD 0 and VSD 1 | CS Networks (Trust zone); labelled addresses 129.97.16.17, 129.97.16.19, 129.97.51.1, 129.97.49.1, …, 129.97.84.1, 129.97.15.1, …]
     Protected subnets are manually balanced between two virtual security devices (VSDs).

  29. Simplified Physical Connection Diagram
     [Diagram: Firewall 1 (VSD0 master, VSD1 slave) and Firewall 2 (VSD1 master, VSD0 slave) joined by X-over cables; connections to Eng switches exsw08, exsw18 and exsw19, IST (MC), IST (Eng), a future connection, a VLAN trunk carrying the CS Nets, and Non-CS/Untrusted Nets]

  30. More about the Netscreens
     • Any configuration change made to one firewall is propagated to the other within seconds
     • X-over cables are 100/fdx – used for managing the cluster (exchanging state info, heartbeat, alternate data path, etc.)
     • Defining policies is quite simple, via a web-based management interface.
     • When defining policies, need to be careful that ALL zones are considered!

  31. Where we are with deployment
     • Teaching hosts are mostly divided correctly into proper subnets; ready for placing in security zones
     • Co-op student spent most of the summer auditing and removing unused hostnames from non-teaching subnets – more work to be done in assigning hosts to zones
     • Teaching subnets to be moved behind the firewall before 2005. It was supposed to be done in August 2004 but…
  32. My life suddenly changed
     My son Alex was born two months early.
  33. Firewall Performance Considerations
     • State table lookups are fast – need RAM
     • Minimize the number of rules
     • OpenBSD pf supports a “quick” keyword – if a packet matches the rule, stop processing. Rule ordering becomes important.
     • Minimize the number of daemons running on the firewall box
     • Obvious things like CPU, NIC, etc.
     • But what if that P4 3.8 GHz just isn’t fast enough?

  34. Get a second firewall! You’ll have to worry about…
     • Load balancing
     • Asymmetric routing
     • State table synchronization
     • Multiple single points of failure
     • Management of multiple firewalls (configs, etc.)

  35. OpenBSD Solution: pfsync and CARP
     • Functionality released in Spring 2004 (OpenBSD 3.5)
     • CARP – Common Address Redundancy Protocol
     • CARP has an “arpbalance” feature for load balancing
     • pfsync – a virtual network interface for exchanging state table info (dedicated NIC recommended)
     • http://www.countersiege.com/doc/pfsync-carp
     • http://www.openbsd.org/cgi-bin/man.cgi

  36. If money was no object…
     • Alteon Switched Firewall (ASF)
     • Two devices: Director (PC running CheckPoint) and Accelerator (appliance)
     • Scales to 6 Directors and 2 Accelerators
     • Up to 4.2 Gbps throughput, 500K sessions at wire speed, 20K-100K connections per second
     • Rules evaluated by the Director, states managed by the Accelerator

  37. The End
     Thanks for coming!