Building Network Firewalls
WatITis | Supporting UW’s Mission Through I.T. | December 7, 2004 | Building Network Firewalls
Topics in this Session
TCP/IP Primer
Types of Firewalls
Client-only network: Example Rulesets
CSCF Firewall
Open Source solution to high availability and high performance
Internet Protocol
Network layer protocol
Traffic directed between machines by routers
Addresses are 32 bits long, split up into four 8-bit chunks, separated by a “.”
Networks are determined by netmasks (eg. 129.97.0.0/255.255.0.0)
For addressing, the IP header contains a source IP address and a destination IP address
IP Addressing (Networks)
10.0.0.0/8 is the same as 10.0.0.0/255.0.0.0 = 10.*.*.*
129.97.0.0/16 is the same as 129.97.0.0/255.255.0.0 = 129.97.*.*
129.97.15.0/24 is the same as 129.97.15.0/255.255.255.0 = 129.97.15.*
129.97.128.10/32 is the same as 129.97.128.10/255.255.255.255 = 129.97.128.10
Transport Protocols
TCP and UDP are most common
Transmission Control Protocol (TCP) is connection oriented and reliable (eg. HTTP, SSH, Telnet)
User Datagram Protocol (UDP) is connectionless and unreliable (eg. DNS, Xbox Live)
Addressing consists of source port and destination port
Port number is in the range 1-65535
More about ports
Privileged ports (1-1023)
Most operating systems won’t let just anyone bind to privileged ports
Notice most “servers” are on privileged ports?
Ephemeral ports (typically 1024-65535)
Ports that clients bind to when talking to servers
Ephemeral port range varies from OS to OS and may be customized
http://www.ncftp.com/ncftpd/doc/misc/ephemeral_ports.html
TCP Flags
There are several flags (bits) in the TCP header. We care about:
SYN ACK FIN RST
TCP Connection (simplified)
Client Host (port 33000) -> Server Host (port 80): SYN=1
Server Host (port 80) -> Client Host (port 33000): SYN=1, ACK=1
Client Host -> Server Host: ACK=1
Every later packet in either direction: ACK=1
Either side can end the connection with a FIN packet
RST TCP Flag
RST flag is used if something goes wrong with the connection
If a client tries to connect to a port on a server where there is no process bound, the server sends the client a RST packet
“Backwards” TCP Protocols
X11 (port 6000) – the server actually runs on the client machine. The “client” is the program that you run on the remote host.
Ident (port 113) – aka Auth – When you (the client) connect to a service on a server, that service may try to connect to port 113 on your machine and ask: What user is bound to ephemeral port X?
ICMP
Internet Control Message Protocol
Has message types and message codes
Common examples:
Type 8, code 0 – echo request
Type 0, code 0 – echo reply
Type 3, code 1 – host unreachable
Type 3, code 3 – port unreachable (UDP)
Types of Firewalls
Simple packet filters
Stateful packet filters
Application firewalls
Intrusion Prevention systems
Most firewalls are stateful packet filters
Simple Packet Filters
Filter traffic based on source IP address and port, and destination IP address and port
You need a rule for each direction of traffic for any given protocol
Examples include: Switch ACLs; Windows 2000 IPSec filters; ipchains (Linux)
Stateful Packet Filters
Filter traffic based on source IP address and port, and destination IP address and port
“Remember” the first packet, allow remaining packets of the connection through
Cheat for UDP since the protocol has no concept of state
Examples include: Most commercial firewalls; iptables (Linux); ipfilter (*BSD/Solaris 10); ipfw (FreeBSD/Darwin); pf (OpenBSD); Windows XP ICF
How do we “remember” packets?
Memory is in the form of a state table, where each entry represents a connection.
Firewall first checks to see if a TCP packet belongs to a connection in the state table.
If not in the state table, evaluate the packet against the ruleset (sanity check – SYN=1, ACK=0)
If allowed, an entry representing that TCP connection is added to a state table
With UDP, we look at src/dest IPAddr/ports and timing and hope for the best
Application Firewalls
Analyse the payload of each packet, looking for nasty content
Behaves like a proxy server
Many commercial firewalls offer HTTP and SMTP application filtering
Limited to those protocols understood by the firewall
Needs lots of CPU for processing
Intrusion Prevention Systems
Like Intrusion Detection Systems, look at all traffic for known attack signatures
Block traffic based on attacks/certain behaviours
Latest products focus on dealing with worms
Open Source implementation (snort-inline) uses snort with hooks into iptables
Relatively new technology – false positives can be a problem
Lots of CPU needed on busy networks
Sample Firewall Ruleset (client-only network)
Want to protect some PCs
Allow arbitrary outbound traffic
Clients need to be able to FTP, to download stuff!
Want to allow X11 traffic on campus
Inbound ping is OK
Won’t worry about anti-spoofing rules
Ignore rules involving the firewall itself
FTP: A difficult protocol to firewall
Active FTP (older Windows IE)
Client makes control connection to port 21
Client picks an ephemeral port for the data connection and tells the server
Server initiates connection from port 20 to the client’s ephemeral port
Passive FTP
Client makes control connection to port 21
Server picks an ephemeral port for the data connection and tells the client
Client initiates connection to the server on the ephemeral port
Active FTP is difficult to firewall on the client side. Passive FTP is difficult to firewall on the server side.
Client-Only Network: ipchains ruleset
ipchains -P input DENY
ipchains -P forward ACCEPT
ipchains -P output ACCEPT
ipchains -A input -p tcp -i $ExtIF -s 129.97.0.0/16 -d $clientnet 6000 -j ACCEPT
ipchains -A input -p tcp -i $ExtIF -s 0/0 -d $clientnet 113 -j REJECT
ipchains -A input -p tcp -i $ExtIF -s 0/0 20 -d $clientnet 1024:65535 -j ACCEPT
ipchains -A input -p udp -i $ExtIF -d $clientnet -j ACCEPT
ipchains -A input -p icmp -i $ExtIF -s 0/0 0 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -i $ExtIF -s 0/0 3 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -i $ExtIF -s 0/0 8 -d 0/0 -j ACCEPT
Can you find the holes?
Client-Only Network: iptables ruleset
iptables -P FORWARD DROP
iptables -A FORWARD -p tcp -i $IntIF -s $clientnet -d 0/0 -m state \
    --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p udp -i $IntIF -s $clientnet -d 0/0 -m state \
    --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p icmp -i $IntIF -s $clientnet -d 0/0 -m state \
    --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -i $ExtIF -s 129.97.0.0/16 -d $clientnet --dport 6000 \
    -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp -i $ExtIF -s 0/0 -d $clientnet --dport 113 \
    -j REJECT --reject-with tcp-reset
iptables -A FORWARD -p tcp -i $ExtIF -s 0/0 --sport 20 -d $clientnet -m state \
    --state ESTABLISHED,RELATED -j ACCEPT
Client-Only Network: iptables ruleset (continued)
iptables -A FORWARD -p tcp -i $ExtIF -s 0/0 -d $clientnet -m state \
    --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -p udp -i $ExtIF -s 0/0 -d $clientnet -m state \
    --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $ExtIF -p icmp --icmp-type 3 -s 0/0 -d $clientnet -m state \
    --state NEW,ESTABLISHED,RELATED -j ACCEPT
Did you understand that?
Client-Only Network: ipfw ruleset
ipfw add 10 check-state
ipfw add 20 allow tcp from any 20 to $clientnet 1024-65535 keep-state
ipfw add 30 reset tcp from any to $clientnet 113
ipfw add 40 deny tcp from any to $clientnet established
ipfw add 50 allow ip from $clientnet to any keep-state
ipfw add 60 allow tcp from 129.97.0.0/16 to $clientnet 6000 setup keep-state
ipfw add 70 allow icmp from any to $clientnet icmptypes 8 keep-state
ipfw add 65534 deny ip from any to any
Rule 20 is really a stateless hack to allow active FTP. The keep-state is there for efficiency.
Easy to read, eh?
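To make the state-table mechanics from the “How do we remember packets?” slide and the first-match evaluation of the ipfw ruleset above concrete, here is a small Python simulator. It is an added illustration, not the presenter’s code and not ipfw itself: the Packet and Rule classes, the assumed $clientnet value 10.1.0.0/24 and the sample packets are constructed for this example, while the rule list follows ipfw rules 10 to 65534 as written on the slide, with the `setup` keyword standing in for the SYN=1, ACK=0 sanity check.

```python
from dataclasses import dataclass

CLIENTNET = "10.1.0.0/24"   # assumed value for $clientnet (not given on the slide)
CAMPUS = "129.97.0.0/16"    # the campus network used throughout the slides


def ip_to_int(addr):
    """Dotted quad -> 32-bit integer (four 8-bit chunks, as on the IP slide)."""
    o = [int(x) for x in addr.split(".")]
    return (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]


def in_cidr(addr, cidr):
    """True if addr lies in cidr ('any' matches all); /16 is 255.255.0.0 etc."""
    if cidr == "any":
        return True
    net, _, plen = cidr.partition("/")
    mask = (0xFFFFFFFF << (32 - int(plen or 32))) & 0xFFFFFFFF
    return ip_to_int(addr) & mask == ip_to_int(net) & mask


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    sport: int        # for icmp: the message type
    dst: str
    dport: int        # for icmp: the message code
    syn: bool = False
    ack: bool = False


@dataclass
class Rule:
    action: str                 # "allow", "deny" or "reset" (deny + TCP RST)
    proto: str = "ip"           # "ip" matches every protocol
    src: str = "any"
    sports: tuple = (0, 65535)
    dst: str = "any"
    dports: tuple = (0, 65535)
    setup: bool = False         # ipfw 'setup': only SYN=1, ACK=0 packets
    established: bool = False   # ipfw 'established': only packets with ACK set
    keep_state: bool = False    # ipfw 'keep-state': record the connection

    def matches(self, p):
        return (self.proto in ("ip", p.proto)
                and in_cidr(p.src, self.src) and in_cidr(p.dst, self.dst)
                and self.sports[0] <= p.sport <= self.sports[1]
                and self.dports[0] <= p.dport <= self.dports[1]
                and (not self.setup or (p.syn and not p.ack))
                and (not self.established or p.ack))


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.state = set()    # one 5-tuple per connection, as first seen

    def filter(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.state or rev in self.state:   # rule 10: check-state
            return "allow"
        for r in self.rules:                          # first match wins
            if r.matches(p):
                if r.action == "allow" and r.keep_state:
                    self.state.add(fwd)
                return r.action
        return "deny"                                 # ipfw's implicit last rule


# The client-only ipfw ruleset from the slide, rules 20 .. 65534 in order.
RULES = [
    Rule("allow", "tcp", sports=(20, 20), dst=CLIENTNET, dports=(1024, 65535), keep_state=True),
    Rule("reset", "tcp", dst=CLIENTNET, dports=(113, 113)),
    Rule("deny", "tcp", dst=CLIENTNET, established=True),
    Rule("allow", "ip", src=CLIENTNET, keep_state=True),
    Rule("allow", "tcp", src=CAMPUS, dst=CLIENTNET, dports=(6000, 6000), setup=True, keep_state=True),
    Rule("allow", "icmp", dst=CLIENTNET, sports=(8, 8), keep_state=True),
    Rule("deny"),
]


def run_scenarios():
    """Push constructed sample packets through the ruleset; returns name -> verdict."""
    fw = Firewall(RULES)
    client, web, stranger = "10.1.0.7", "198.51.100.9", "203.0.113.5"
    out = {}
    # an outbound HTTP SYN hits rule 50 and creates a state entry ...
    out["outbound_syn"] = fw.filter(Packet("tcp", client, 33000, web, 80, syn=True))
    # ... so the server's SYN/ACK is answered from the state table, not by rule 40
    out["reply_synack"] = fw.filter(Packet("tcp", web, 80, client, 33000, syn=True, ack=True))
    # an ACK packet with no state entry is dropped by rule 40
    out["stray_ack"] = fw.filter(Packet("tcp", web, 80, client, 33001, ack=True))
    # X11 setup is allowed from campus (rule 60) but falls through to 65534 otherwise
    out["x11_campus"] = fw.filter(Packet("tcp", "129.97.5.5", 40000, client, 6000, syn=True))
    out["x11_offcampus"] = fw.filter(Packet("tcp", stranger, 40000, client, 6000, syn=True))
    # ident probes get a TCP reset (rule 30)
    out["ident"] = fw.filter(Packet("tcp", stranger, 50000, client, 113, syn=True))
    # rule 20 is stateless: anything from source port 20 to an ephemeral port is
    # accepted although no FTP control connection was ever set up
    out["port20_unsolicited"] = fw.filter(Packet("tcp", stranger, 20, client, 1500, syn=True))
    return out
```

The last scenario is the point of the slide’s “stateless hack” remark: because rule 20 carries neither `setup` nor a RELATED-style tie to an FTP control connection, the state table never gets a say, so a stateful filter that understands FTP (the iptables `RELATED` match, or the pf ftp-proxy on the next slides) is the cleaner way to let active FTP through.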
Client-Only Network: pf ruleset (ipfilter-like syntax)
OpenBSD pf uses a config file (/etc/pf.conf) for the ruleset:
rdr on $IntIF proto tcp from $clientnet to any port 21 -> 127.0.0.1 port 8021
pass in on $IntIF inet from $clientnet to any keep state
block in on $ExtIF from any to any
pass in on $ExtIF inet proto tcp from any port = 20 to ($ExtIF) \
    port > 49150 keep state
pass in on $ExtIF inet proto icmp from any to $clientnet \
    icmp-type echoreq keep state
pass in on $ExtIF inet proto tcp from 129.97.0.0/16 to $clientnet \
    port = 6000 keep state
block return-rst in on $ExtIF inet proto tcp from any to $clientnet port = 113
Short and sweet (and secure)
More about pf
• The redirect (rdr) rule redirects FTP traffic to an FTP proxy running from inetd on the firewall itself. In /etc/inetd.conf you’ll find the entry:
127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
• After editing the ruleset in /etc/pf.conf, run: pfctl -f /etc/pf.conf to reload the ruleset.
• pf implicitly looks at the state table before the ruleset
Firewall Requirements for Computer Science
Need to ensure that performance is not negatively impacted
We want to make things as secure as possible for those machines under our control
Researchers need the ability to choose the level of protection they want
Deploying new technology takes time
Don’t want a single point of failure
Netscreen 500
Gig Firewall Appliance (ASIC)
Interfaces support redundant connections
Stateful packet filtering
HTTPS/SSH mgmt interfaces
Supports the concept of security zones; each zone contains one or more subnets. We can define policies for traffic between zones.
Two devices can be put in Active/Active failover mode
Logical Network Diagram (figure; only its labels survive in the transcript)
Firewall Cluster: two virtual security devices, VSD 0 and VSD 1
UnTrust zone: DC Core Net (129.97.16.17, 129.97.16.19)
Trust zone: CS Networks (129.97.51.1, 129.97.49.1, … and 129.97.84.1, 129.97.15.1, …)
Protected subnets are manually balanced between two virtual security devices (VSDs).
Simplified Physical Connection Diagram (figure; only its labels survive in the transcript)
Firewall 1: VSD0 master, VSD1 slave
Firewall 2: VSD1 master, VSD0 slave
X-over cables between the two firewalls
Eng switches: exsw08, exsw18, exsw19
Uplinks: IST (MC), IST (Eng), future connection
Links: VLAN Trunk (CS Nets), Non-CS/Untrusted Nets
More about the Netscreens
Any configuration change made to one firewall is propagated to the other within seconds
X-over cables are 100/fdx – used for managing the cluster (exchanging state info, heartbeat, alternate data path, etc...)
Defining policies is quite simple, via a web-based management interface.
When defining policies, need to be careful that ALL zones are considered!
Where we are with deployment
Teaching hosts are mostly divided correctly into proper subnets; ready for placing in security zones
Co-op student spent most of summer auditing and removing unused hostnames from non-teaching subnets – more work to be done in assigning hosts to zones
Teaching subnets to be moved behind firewall before 2005. It was supposed to be done in August 2004 but…
My life suddenly changed
My son Alex was born two months early.
Firewall Performance Considerations
State table lookups are fast – need RAM
Minimize number of rules
OpenBSD pf supports a “quick” keyword – if a packet matches the rule, then stop processing. Rule ordering becomes important.
Minimize number of daemons running on the firewall box
Obvious things like CPU, NIC, etc… But what if that P4 3.8 GHz just isn’t fast enough?
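The “quick” point is about pf’s evaluation order: pf walks the whole ruleset and the last matching rule wins, unless a matching rule carries quick, which ends evaluation on the spot. The following Python sketch, added here and not part of the talk, models that with rules reduced to (action, protocol, destination port, quick) tuples and also counts how many rules had to be examined for each packet; the rule lists and port numbers are constructed for the example.

```python
def pf_evaluate(rules, proto, dport, default="pass"):
    """pf-style evaluation: last match wins unless a matching rule is 'quick'.

    rules: list of (action, proto, dport, quick); "any" is a wildcard.
    Returns (decision, rules_examined). pf passes a packet no rule matches.
    """
    decision, examined = default, 0
    for action, r_proto, r_dport, quick in rules:
        examined += 1
        if r_proto not in ("any", proto) or r_dport not in ("any", dport):
            continue
        decision = action          # a later match overrides an earlier one ...
        if quick:                  # ... unless this match is 'quick'
            break
    return decision, examined


# Constructed rule lists (action, proto, dport, quick):
# a catch-all block followed by a specific pass: last match wins, ssh passes
BLOCK_THEN_PASS = [("block", "any", "any", False), ("pass", "tcp", 22, False)]
# the same list with quick on the block: the pass rule can never win
BLOCK_QUICK_FIRST = [("block", "any", "any", True), ("pass", "tcp", 22, False)]
# quick on the specific pass rules with the catch-all block last: the common
# traffic is decided after one rule, everything else falls through to block
PASS_QUICK_FIRST = [("pass", "tcp", 22, True), ("pass", "tcp", 80, True),
                    ("block", "any", "any", False)]
```

The examined count is where the CPU saving comes from: without quick every packet is compared against every rule, so on a busy firewall the rules for the bulk of the traffic belong near the top with quick, and a misplaced quick on a broad block rule silently disables every pass rule below it.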
Get a second firewall! You’ll have to worry about…
Load balancing
Asymmetric routing
State table synchronization
Multiple single points of failure
Management of multiple firewalls (configs, etc…)
OpenBSD Solution: pfsync and CARP
Functionality released in Spring 2004 (OpenBSD 3.5)
CARP – Common Address Redundancy Protocol
CARP has an “arpbalance” feature for load balancing
pfsync – a virtual network interface for exchanging state table info (dedicated NIC recommended)
http://www.countersiege.com/doc/pfsync-carp
http://www.openbsd.org/cgi-bin/man.cgi
If money was no object…
Alteon Switched Firewall (ASF)
Two devices: Director (PC running CheckPoint) and Accelerator (appliance)
Scales to 6 Directors and 2 Accelerators
Up to 4.2 Gbps throughput, 500K sessions at wire-speed, 20K-100K connections per second
Rules evaluated by the director, states managed by the accelerator