Page 1: Building Network Firewalls

Building Network Firewalls

Jason Testart, Computer Science Computing Facility

Page 2: Building Network Firewalls

WatITis | Supporting UW’s Mission Through I.T. | December 7, 2004 | Building Network Firewalls

Topics in this Session

• TCP/IP Primer
• Types of Firewalls
• Client-only network: Example Rulesets
• CSCF Firewall
• Open Source solution to high availability and high performance

Page 3: Building Network Firewalls

Internet Protocol

• Network layer protocol
• Traffic is directed between machines by routers
• Addresses are 32 bits long, split into four 8-bit chunks separated by a "."
• Networks are determined by netmasks (e.g. 129.97.0.0/255.255.0.0)
• For addressing, the IP header contains a source IP address and a destination IP address

Page 4: Building Network Firewalls

IP Addressing (Networks)

10.0.0.0/8 is the same as 10.0.0.0/255.0.0.0 = 10.*.*.*

129.97.0.0/16 is the same as 129.97.0.0/255.255.0.0 = 129.97.*.*

129.97.15.0/24 is the same as 129.97.15.0/255.255.255.0 = 129.97.15.*

129.97.128.10/32 is the same as 129.97.128.10/255.255.255.255 = 129.97.128.10

Page 5: Building Network Firewalls

Transport Protocols

• TCP and UDP are the most common
• Transmission Control Protocol (TCP) is connection-oriented and reliable (e.g. HTTP, SSH, Telnet)
• User Datagram Protocol (UDP) is connectionless and unreliable (e.g. DNS, Xbox Live)
• Addressing consists of a source port and a destination port
• Port numbers are in the range 1-65535

Page 6: Building Network Firewalls

More about ports

• Privileged ports (1-1023)
  Most operating systems won't let just anyone bind to privileged ports
  Notice most "servers" are on privileged ports?
• Ephemeral ports (typically 1024-65535)
  Ports that clients bind to when talking to servers
  The ephemeral port range varies from OS to OS and may be customized
  http://www.ncftp.com/ncftpd/doc/misc/ephemeral_ports.html

Page 7: Building Network Firewalls

TCP Flags

There are several flags (bits) in the TCP header. We care about: SYN, ACK, FIN, RST

Page 8: Building Network Firewalls

TCP Connection (simplified)

Client Host (port 33000)                              Server Host (port 80)
            --------------------- SYN=1 -------------------->
            <----------------- SYN=1, ACK=1 -----------------
            --------------------- ACK=1 -------------------->
            <-------------------- ACK=1 -------------------->   (data packets carry ACK=1 in both directions)

Either side can end the connection with a FIN packet

Page 9: Building Network Firewalls

RST TCP Flag

RST flag is used if something goes wrong with the connection

If a client tries to connect to a port on a server where there is no process bound, the server sends the client a RST packet

Page 10: Building Network Firewalls

“Backwards” TCP Protocols

• X11 (port 6000) – the server actually runs on the client machine. The "client" is the program that you run on the remote host.

• Ident (port 113) – aka Auth – when you (the client) connect to a service on a server, that service may try to connect back to port 113 on your machine and ask: what user is bound to ephemeral port X?

Page 11: Building Network Firewalls

ICMP

Internet Control Message Protocol

• Has message types and message codes
• Common examples:
  Type 8, code 0 – echo request
  Type 0, code 0 – echo reply
  Type 3, code 1 – host unreachable
  Type 3, code 3 – port unreachable (UDP)

Page 12: Building Network Firewalls

Types of Firewalls

• Simple packet filters
• Stateful packet filters
• Application firewalls
• Intrusion Prevention Systems

Most firewalls are stateful packet filters

Page 13: Building Network Firewalls

Simple Packet Filters

• Filter traffic based on source IP address and port, and destination IP address and port
• You need a rule for each direction of traffic for any given protocol
• Examples include: switch ACLs, Windows 2000 IPSec filters, ipchains (Linux)

Page 14: Building Network Firewalls

Stateful Packet Filters

• Filter traffic based on source IP address and port, and destination IP address and port
• "Remember" the first packet, allow the remaining packets of the connection through
• Cheat for UDP since the protocol has no concept of state
• Examples include: most commercial firewalls, iptables (Linux), ipfilter (*BSD/Solaris 10), ipfw (FreeBSD/Darwin), pf (OpenBSD), Windows XP ICF

Page 15: Building Network Firewalls

How do we “remember” packets?

• Memory is in the form of a state table, where each entry represents a connection.
• The firewall first checks whether a TCP packet belongs to a connection in the state table.
• If it is not in the state table, evaluate the packet against the ruleset, after a sanity check that it could actually start a connection (SYN=1, ACK=0); a stray ACK or SYN/ACK with no state entry is dropped rather than matched against the rules.
• If allowed, an entry representing that TCP connection is added to the state table.
• With UDP, we look at src/dest IP addresses/ports and timing and hope for the best.

Page 16: Building Network Firewalls

Application Firewalls

• Analyse the payload of each packet, looking for nasty content
• Behaves like a proxy server
• Many commercial firewalls offer HTTP and SMTP application filtering
• Limited to those protocols understood by the firewall
• Needs lots of CPU for processing

Page 17: Building Network Firewalls

Intrusion Prevention Systems

• Like Intrusion Detection Systems, look at all traffic for known attack signatures
• Block traffic based on attacks/certain behaviours
• Latest products focus on dealing with worms
• Open Source implementation (snort-inline) uses snort with hooks into iptables
• Relatively new technology – false positives can be a problem
• Lots of CPU needed on busy networks

Page 18: Building Network Firewalls

Sample Firewall Ruleset (client-only network)

• Want to protect some PCs
• Allow arbitrary outbound traffic
• Clients need to be able to FTP, to download stuff!
• Want to allow X11 traffic on campus
• Inbound ping is OK
• Won't worry about anti-spoofing rules
• Ignore rules involving the firewall itself

Page 19: Building Network Firewalls

FTP: A difficult protocol to firewall

Active FTP (older Windows IE)
• Client makes a control connection to port 21
• Client picks an ephemeral port for the data connection and tells the server
• Server initiates a connection from port 20 to the client's ephemeral port

Passive FTP
• Client makes a control connection to port 21
• Server picks an ephemeral port for the data connection and tells the client
• Client initiates a connection to the server on that ephemeral port

Active FTP is difficult to firewall on the client side. Passive FTP is difficult to firewall on the server side.
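As an added worked example (not part of the original slides), here is the parsing that a stateful firewall's FTP helper has to do on the control channel to learn which data connection to expect. It takes the client-side view of the two modes described above, assumes an active-mode server that connects from port 20 as the slide says, and works on constructed sample lines rather than a captured session. The check that the announced address equals the control-connection peer is what stops the classic FTP bounce, where a client tells the server to open its "data connection" to some third host:

```python
import re

# Constructed control-channel lines for the worked example (not a captured session)
PORT_CMD   = "PORT 129,97,15,10,133,60\r\n"                          # client announces 129.97.15.10:34108
PASV_REPLY = "227 Entering Passive Mode (198,51,100,7,195,80).\r\n"  # server announces 198.51.100.7:50000
BOUNCE_CMD = "PORT 129,97,15,99,0,25\r\n"                            # "my" data port is really another host's port 25

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(line):
    """Decode the h1,h2,h3,h4,p1,p2 form that PORT and the 227 reply share into (ip, port)."""
    m = _HOSTPORT.search(line)
    if m is None:
        raise ValueError("no host/port field in %r" % line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("field out of range in %r" % line)
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 in %r" % line)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), port

def expected_data_connection(line, client_ip, server_ip):
    """Return the data connection (proto, src, sport, dst, dport) a stateful firewall
    should pre-approve for this announcement, or raise ValueError if it should not.
    sport is None where the initiator picks an ephemeral port we cannot know in advance."""
    text = line.strip()
    if text.upper().startswith("PORT "):                    # active: the server will connect to the client
        ip, port = parse_hostport(text)
        if ip != client_ip:
            # The announced address must be the host we are talking to, otherwise this is a bounce
            raise ValueError("PORT names %s but the control peer is %s (FTP bounce)" % (ip, client_ip))
        if port < 1024:
            raise ValueError("PORT asks for privileged port %d" % port)
        return ("tcp", server_ip, 20, client_ip, port)       # from port 20, as the slide describes
    if text.startswith("227"):                               # passive: the client will connect to the server
        ip, port = parse_hostport(text)
        if ip != server_ip:
            raise ValueError("227 names %s but the server is %s" % (ip, server_ip))
        return ("tcp", client_ip, None, server_ip, port)
    raise ValueError("not a data-channel announcement: %r" % text)

def approve(line, client_ip, server_ip):
    """True if the firewall would add a state entry for the announced data connection."""
    try:
        expected_data_connection(line, client_ip, server_ip)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    for line in (PORT_CMD, PASV_REPLY, BOUNCE_CMD):
        print(line.strip(), "->", approve(line, "129.97.15.10", "198.51.100.7"))
```

Only the active case needs the helper to open a hole from the outside in, which is why active FTP is the hard one on the client side: without this parsing the firewall either has to accept every connection from source port 20 (see the ipchains ruleset later) or break FTP.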

Page 20: Building Network Firewalls

Client-Only Network: ipchains ruleset

ipchains -P input DENY
ipchains -P forward ACCEPT
ipchains -P output ACCEPT
# X11 from campus to the clients
ipchains -A input -p tcp -i $ExtIF -s 129.97.0.0/16 -d $clientnet 6000 -j ACCEPT
# Ident: reject (not deny) so remote services do not hang waiting for an answer
ipchains -A input -p tcp -i $ExtIF -s 0/0 -d $clientnet 113 -j REJECT
# Active FTP data connections: server port 20 to a client ephemeral port
ipchains -A input -p tcp -i $ExtIF -s 0/0 20 -d $clientnet 1024:65535 -j ACCEPT
ipchains -A input -p udp -i $ExtIF -d $clientnet -j ACCEPT
# ICMP types 0, 3 and 8 (echo reply, destination unreachable, echo request);
# ipchains takes the ICMP type where the source port would go
ipchains -A input -p icmp -i $ExtIF -s 0/0 0 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -i $ExtIF -s 0/0 3 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -i $ExtIF -s 0/0 8 -d 0/0 -j ACCEPT

Can you find the holes?
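An added example of my own (not from the slides) that models both the simple packet filter behind the ipchains ruleset above and the state table described under "How do we remember packets?". It assumes $clientnet is 129.97.15.0/24, leaves the ICMP rules out, and uses documentation addresses for the remote hosts. It checks two of the holes: a host that sets its source port to 20 can reach any high port on a client, and any UDP datagram from anywhere is accepted. The stateful version of the same policy only creates a TCP entry for a SYN-without-ACK that a rule allows, so the same unsolicited SYN, an ACK scan against port 6000, and a stale UDP reply are refused, while replies to a client's own connections get through without any inbound accept rule:

```python
import ipaddress
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

@dataclass(frozen=True)
class Rule:
    proto: str           # "tcp", "udp" or "any"
    src: str             # CIDR
    sports: tuple        # inclusive (low, high)
    dst: str
    dports: tuple
    action: str          # "accept", "deny" or "reject"

    def matches(self, p):
        return (self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and self.sports[0] <= p.sport <= self.sports[1]
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.dports[0] <= p.dport <= self.dports[1])

ANY = (1, 65535)
CLIENTNET = "129.97.15.0/24"      # assumed value for $clientnet
CAMPUS = "129.97.0.0/16"

# The TCP/UDP rules of the ipchains input chain above; first match wins, default policy deny
IPCHAINS_INPUT = [
    Rule("tcp", CAMPUS, ANY, CLIENTNET, (6000, 6000), "accept"),
    Rule("tcp", "0.0.0.0/0", ANY, CLIENTNET, (113, 113), "reject"),
    Rule("tcp", "0.0.0.0/0", (20, 20), CLIENTNET, (1024, 65535), "accept"),
    Rule("udp", "0.0.0.0/0", ANY, CLIENTNET, ANY, "accept"),
]

def stateless_filter(rules, p, policy="deny"):
    """Simple packet filter: every packet is judged on its own header alone."""
    for r in rules:
        if r.matches(p):
            return r.action
    return policy

def ipchains_holes():
    # A remote host sets its source port to 20 and reaches a client's RDP port ...
    fake_ftp = Packet("tcp", "203.0.113.5", 20, "129.97.15.10", 3389, syn=True)
    # ... and any UDP datagram from anywhere is let in (here, to SNMP on 161)
    udp_in = Packet("udp", "203.0.113.5", 40000, "129.97.15.10", 161)
    return stateless_filter(IPCHAINS_INPUT, fake_ftp), stateless_filter(IPCHAINS_INPUT, udp_in)

class StatefulFilter:
    """State table consulted first; the ruleset only sees packets that may open a connection."""
    def __init__(self, rules, udp_timeout=30.0):
        self.rules = rules
        self.state = {}              # 5-tuple of the opening packet -> expiry time
        self.udp_timeout = udp_timeout

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p, now=None):
        now = time.time() if now is None else now
        for k in (self._key(p), self._reverse(p)):        # either direction of a known connection
            if self.state.get(k, -1.0) > now:
                if p.proto == "udp":                      # UDP "state" is just a refreshed timer
                    self.state[k] = now + self.udp_timeout
                return "accept"
        # Sanity check: only a SYN without ACK may create a TCP entry
        if p.proto == "tcp" and not (p.syn and not p.ack):
            return "deny"
        verdict = stateless_filter(self.rules, p)
        if verdict == "accept":
            self.state[self._key(p)] = float("inf") if p.proto == "tcp" else now + self.udp_timeout
        return verdict

# Stateful policy for the same network: anything out from the clients, X11 in from campus, nothing else new
STATEFUL_RULES = [
    Rule("any", CLIENTNET, ANY, "0.0.0.0/0", ANY, "accept"),
    Rule("tcp", CAMPUS, ANY, CLIENTNET, (6000, 6000), "accept"),
]

def stateful_demo():
    fw = StatefulFilter(STATEFUL_RULES)
    client, web, dns, attacker = "129.97.15.10", "198.51.100.7", "129.97.128.10", "203.0.113.5"
    out = fw.filter(Packet("tcp", client, 33000, web, 80, syn=True), now=0.0)                 # opens state
    reply = fw.filter(Packet("tcp", web, 80, client, 33000, syn=True, ack=True), now=0.1)     # via state
    fake_ftp = fw.filter(Packet("tcp", attacker, 20, client, 3389, syn=True), now=0.2)        # no rule
    ack_scan = fw.filter(Packet("tcp", "129.97.42.9", 44444, client, 6000, ack=True), now=0.3) # fails SYN check
    query = fw.filter(Packet("udp", client, 5353, dns, 53), now=1.0)                          # timed entry
    answer = fw.filter(Packet("udp", dns, 53, client, 5353), now=5.0)                         # within timeout
    late = fw.filter(Packet("udp", dns, 53, client, 5353), now=100.0)                         # entry expired
    return out, reply, fake_ftp, ack_scan, query, answer, late

if __name__ == "__main__":
    print("ipchains (stateless):", ipchains_holes())
    print("stateful:", stateful_demo())
```

Note that the stateless ruleset would also accept the ACK scan against port 6000 from any campus address, because it matches the X11 rule on header fields alone; the state table plus the SYN=1, ACK=0 check is what turns "traffic that looks like X11" into "X11 connections someone on campus actually opened".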

Page 21: Building Network Firewalls

Client-Only Network: iptables ruleset

iptables -P FORWARD DROP
# Clients may open anything outbound; the replies come back under ESTABLISHED
iptables -A FORWARD -p tcp -i $IntIF -s $clientnet -d 0/0 -m state \
    --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p udp -i $IntIF -s $clientnet -d 0/0 -m state \
    --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p icmp -i $IntIF -s $clientnet -d 0/0 -m state \
    --state NEW,ESTABLISHED,RELATED -j ACCEPT
# X11 from campus only
iptables -A FORWARD -p tcp -i $ExtIF -s 129.97.0.0/16 -d $clientnet --dport 6000 \
    -m state --state NEW -j ACCEPT
# Ident: answer with a TCP reset instead of dropping
iptables -A FORWARD -p tcp -i $ExtIF -s 0/0 -d $clientnet --dport 113 \
    -j REJECT --reject-with tcp-reset
# Active FTP data connection: only when connection tracking already expects it
# (RELATED needs the ip_conntrack_ftp helper loaded)
iptables -A FORWARD -p tcp -i $ExtIF -s 0/0 --sport 20 -d $clientnet -m state \
    --state ESTABLISHED,RELATED -j ACCEPT

Page 22: Building Network Firewalls

Client-Only Network: iptables ruleset (continued)

iptables -A FORWARD -p tcp -i $ExtIF -s 0/0 -d $clientnet -m state \
    --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -p udp -i $ExtIF -s 0/0 -d $clientnet -m state \
    --state ESTABLISHED -j ACCEPT
# Destination unreachable (type 3) messages for our clients' connections
iptables -A FORWARD -i $ExtIF -p icmp --icmp-type 3 -s 0/0 -d $clientnet -m state \
    --state NEW,ESTABLISHED,RELATED -j ACCEPT

Did you understand that?

Page 23: Building Network Firewalls

Client-Only Network: ipfw ruleset

ipfw add 10 check-state
ipfw add 20 allow tcp from any 20 to $clientnet 1024-65535 keep-state
ipfw add 30 reset tcp from any to $clientnet 113
ipfw add 40 deny tcp from any to $clientnet established
ipfw add 50 allow ip from $clientnet to any keep-state
ipfw add 60 allow tcp from 129.97.0.0/16 to $clientnet 6000 setup keep-state
ipfw add 70 allow icmp from any to $clientnet icmptypes 8 keep-state
ipfw add 65534 deny ip from any to any

Rule 20 is really a stateless hack to allow active FTP.The keep-state is there for efficiency.

Easy to read, eh?

Page 24: Building Network Firewalls

Client-Only Network: pf ruleset (ipfilter-like syntax)

OpenBSD pf uses a config file (/etc/pf.conf) for the ruleset:

rdr on $IntIF proto tcp from $clientnet to any port 21 -> 127.0.0.1 port 8021
pass in on $IntIF inet from $clientnet to any keep state
block in on $ExtIF from any to any
pass in on $ExtIF inet proto tcp from any port = 20 to ($ExtIF) \
    port > 49150 keep state
pass in on $ExtIF inet proto icmp from any to $clientnet \
    icmp-type echoreq keep state
pass in on $ExtIF inet proto tcp from 129.97.0.0/16 to $clientnet \
    port = 6000 keep state
block return-rst in on $ExtIF inet proto tcp from any to $clientnet port = 113

Short and sweet (and secure)

Page 25: Building Network Firewalls

More about pf

• The redirect (rdr) rule sends the clients' FTP control connections to an FTP proxy running from inetd on the firewall itself; the proxy makes the outbound connections, which is why the active-FTP data rule above is written to ($ExtIF) rather than to $clientnet. In /etc/inetd.conf you'll find the entry:

127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy

• After editing the ruleset in /etc/pf.conf, run pfctl -f /etc/pf.conf to reload the ruleset.

• pf implicitly looks at the state table before the ruleset

Page 26: Building Network Firewalls

Firewall Requirements for Computer Science

• Need to ensure that performance is not negatively impacted
• We want to make things as secure as possible for those machines under our control
• Researchers need the ability to choose the level of protection they want
• Deploying new technology takes time
• Don't want a single point of failure

Page 27: Building Network Firewalls

Netscreen 500

• Gig firewall appliance (ASIC)
• Interfaces support redundant connections
• Stateful packet filtering
• HTTPS/SSH management interfaces
• Supports the concept of security zones; each zone contains one or more subnets. We can define policies for traffic between zones.
• Two devices can be put in Active/Active failover mode

Page 28: Building Network Firewalls

Logical Network Diagram

[Diagram: a Firewall Cluster made up of two virtual security devices, VSD 0 and VSD 1, sits between the UnTrust zone (DC CoreNet, 129.97.16.17 and 129.97.16.19) and the Trust zone (CS Networks: 129.97.51.1, 129.97.49.1, …, 129.97.84.1, 129.97.15.1, …).]

Protected subnets are manually balanced between the two virtual security devices (VSDs).

Page 29: Building Network Firewalls

Simplified Physical Connection Diagram

[Diagram: Firewall 1 (VSD0 master, VSD1 slave) and Firewall 2 (VSD1 master, VSD0 slave), joined by X-over cables; Eng switches exsw08, exsw18 and exsw19; uplinks to IST (MC) and a future connection to IST (Eng); a VLAN trunk carrying the CS nets, and the non-CS/untrusted nets.]

Page 30: Building Network Firewalls

More about the Netscreens

• Any configuration change made to one firewall is propagated to the other within seconds
• X-over cables are 100/fdx – used for managing the cluster (exchanging state info, heartbeat, alternate data path, etc.)
• Defining policies is quite simple, via a web-based management interface.
• When defining policies, you need to be careful that ALL zones are considered!

Page 31: Building Network Firewalls

Where we are with deployment

• Teaching hosts are mostly divided correctly into proper subnets; ready for placing in security zones
• A co-op student spent most of the summer auditing and removing unused hostnames from non-teaching subnets – more work to be done in assigning hosts to zones
• Teaching subnets to be moved behind the firewall before 2005. It was supposed to be done in August 2004 but…

Page 32: Building Network Firewalls

My life suddenly changed

My son Alex was born two months early.

Page 33: Building Network Firewalls

Firewall Performance Considerations

• State table lookups are fast – but they need RAM
• Minimize the number of rules
• OpenBSD pf supports a "quick" keyword – if a packet matches the rule, stop processing. Rule ordering then becomes important.
• Minimize the number of daemons running on the firewall box
• Obvious things like CPU, NIC, etc. But what if that P4 3.8 GHz just isn't fast enough?

Page 34: Building Network Firewalls

Get a second firewall! You'll have to worry about…

• Load balancing
• Asymmetric routing
• State table synchronization
• Multiple single points of failure
• Management of multiple firewalls (configs, etc.)

Page 35: Building Network Firewalls

OpenBSD Solution:pfsync and CARP

• Functionality released in Spring 2004 (OpenBSD 3.5)
• CARP – Common Address Redundancy Protocol
• CARP has an "arpbalance" feature for load balancing
• pfsync – a virtual network interface for exchanging state table info (dedicated NIC recommended)
• http://www.countersiege.com/doc/pfsync-carp
• http://www.openbsd.org/cgi-bin/man.cgi

Page 36: Building Network Firewalls

If money was no object…

• Alteon Switched Firewall (ASF)
• Two devices: Director (PC running CheckPoint) and Accelerator (appliance)
• Scales to 6 Directors and 2 Accelerators
• Up to 4.2 Gbps throughput, 500K sessions at wire speed, 20K-100K connections per second
• Rules evaluated by the Director, states managed by the Accelerator

Page 37: Building Network Firewalls

The End

Thanks for coming!