%include "default.mgp"
%default 1 bgrad
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%back "blue"

%center
%size 7


TCP/IP Firewalling Basics

%center
%size 4
by

Harald Welte <laforge@sunbeam.franken.de>


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalling Basics
Contents

	Introduction

	Networking Basics

	Potential Security Problems

	Solution 1: Packet Filters

	Solution 2: Proxies

	Comparison

	Conclusion

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalling Basics
Introduction



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalling Basics
Networking Basics

	7 layer OSI model used to abstract networking protocols
		layer 7: application layer: e.g. telnet/ftp
		layer 6: presentation layer: (no separate protocol in TCP/IP)
		layer 5: session layer: (no separate protocol in TCP/IP)
		layer 4: transport layer: e.g. TCP/UDP
		layer 3: network layer: e.g. IP
		layer 2: data link layer: e.g. Ethernet
		layer 1: physical layer: e.g. wire
	Layers 1 + 2 implemented in hardware (NIC) and its driver
	Layers 3 + 4 implemented in the operating system (TCP/IP stack)
	Layers 5+ implemented in the application program

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalling Basics
Networking Basics

	Layer 2: Ethernet
		enables two hosts within the same physical net to exchange frames
		unreliable
		addressing granularity: host
		fixed hardware addresses (MAC address, 48 bit)

	Layer 3: Internet Protocol (IP)
		enables two hosts in different physical networks to exchange packets
		unreliable, best effort
			packet reordering
			packet loss
		addressing granularity: host
		logical addresses (IP address, 32 bit)
		checksum protects only the IP header, not the payload


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalling Basics
Networking Basics

	Layer 4: User Datagram Protocol (UDP)
		unreliable, best effort
		addressing granularity: ports (16 bit = 65536 values, 0-65535)
		optional payload checksum (an all-zero checksum field means "not computed")

	Layer 4: Transmission Control Protocol (TCP)
		provides connection abstraction
		reliable
			ordering guarantee
			retransmissions correct packet loss
			flow control
		mandatory checksum protects header and payload from data corruption

	Layer 3/4: Internet Control Message Protocol (ICMP)
		carried inside IP like a layer 4 protocol, but formally part of layer 3
		used internally by the TCP/IP protocol suite
		error messages (e.g. host unreachable)
		diagnostics (e.g. echo request/reply = ping)

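The checksum remarks on the last two slides (the IP checksum protects only the IP header, the UDP checksum is optional, the TCP checksum covers the payload) are easiest to see on actual bytes. The following Python is an added example, not part of Harald Welte's slides: it builds constructed IPv4/TCP and IPv4/UDP packets in memory, parses them back and reports which checksums still verify after one payload byte is corrupted. Addresses (192.168.1.10, 203.0.113.10), ports and payloads are constructed.

```python
import struct

IPPROTO_TCP, IPPROTO_UDP = 6, 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071: 16-bit one's complement of the one's complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def l4_checksum(src: str, dst: str, proto: int, segment: bytes) -> int:
    """TCP/UDP checksum runs over a pseudo header (addresses, protocol, length) plus the segment."""
    pseudo = ip_bytes(src) + ip_bytes(dst) + struct.pack("!BBH", 0, proto, len(segment))
    return inet_checksum(pseudo + segment)


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """20-byte IPv4 header without options; its checksum field covers the header only."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64,
                      proto, 0, ip_bytes(src), ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def build_udp(src, dst, sport, dport, payload, with_checksum=True) -> bytes:
    hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    csum = 0  # RFC 768: an all-zero checksum field means "no checksum computed"
    if with_checksum:
        csum = l4_checksum(src, dst, IPPROTO_UDP, hdr + payload) or 0xFFFF
    return hdr[:6] + struct.pack("!H", csum) + payload


def build_tcp(src, dst, sport, dport, seq, ack, flags, payload) -> bytes:
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    csum = l4_checksum(src, dst, IPPROTO_TCP, hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def parse(packet: bytes) -> dict:
    """Decode IPv4 and the layer 4 header. A checksum verifies when re-summing the
    protected bytes, checksum field included, yields zero."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    src = ".".join(map(str, packet[12:16]))
    dst = ".".join(map(str, packet[16:20]))
    l4 = packet[ihl:total_len]
    info = {"src": src, "dst": dst, "proto": proto,
            "ip_header_ok": inet_checksum(packet[:ihl]) == 0}
    if proto == IPPROTO_UDP:
        sport, dport, ulen, csum = struct.unpack("!HHHH", l4[:8])
        info.update(sport=sport, dport=dport, payload=l4[8:ulen])
        if csum == 0:
            info["l4_checksum"] = "absent"
        else:
            info["l4_checksum"] = "ok" if l4_checksum(src, dst, proto, l4) == 0 else "bad"
    elif proto == IPPROTO_TCP:
        sport, dport, seq, ack, offset, flags = struct.unpack("!HHIIBB", l4[:14])
        info.update(sport=sport, dport=dport, seq=seq, ack=ack, flags=flags,
                    payload=l4[(offset >> 4) * 4:])
        info["l4_checksum"] = "ok" if l4_checksum(src, dst, proto, l4) == 0 else "bad"
    return info


def demo() -> dict:
    """Constructed traffic: a TCP segment, the same segment with one payload byte
    corrupted, and a UDP datagram sent without a checksum."""
    src, dst = "192.168.1.10", "203.0.113.10"
    tcp = build_ipv4(src, dst, IPPROTO_TCP,
                     build_tcp(src, dst, 40000, 80, 1000, 0, 0x18, b"GET / HTTP/1.0\r\n\r\n"))
    corrupted = bytearray(tcp)
    corrupted[-1] ^= 0xFF  # flip a payload byte: IP checksum still verifies, TCP checksum does not
    udp = build_ipv4(src, dst, IPPROTO_UDP,
                     build_udp(src, dst, 5353, 53, b"query", with_checksum=False))
    return {"tcp": parse(tcp), "tcp_corrupt": parse(bytes(corrupted)), "udp_nocsum": parse(udp)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "ip header ok:", result["ip_header_ok"], "l4 checksum:", result["l4_checksum"])
```

The practical consequence for a firewall: a router that only verifies the IP header checksum will happily forward a segment whose payload has been damaged or altered in transit; only the end host's TCP notices, and a UDP receiver may not notice at all.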
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalling Basics
Potential Security Problems

	Security issues arise at the interconnection of two networks
	Traditional case: IP router connecting an organization-internal network to the Internet

	What security problem?
		organization-internal services exposed to the outside network
		spoofed (forged) source addresses circumvent 'security by address'
		even if all internal services are secured by authentication, it is difficult to guarantee security on all internal hosts

	Why firewalling?
		to restrict which internal services are exposed to the outside
		to restrict which outside services may be used by internal users

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalling Basics
Solution 1: Packet Filters

	Filter individual packets at the network interconnection (router)

	Filter criteria traditionally include
		IP source + destination address
		IP protocol (TCP, UDP, ICMP, ...)
		TCP/UDP source + destination port
		TCP header flags

	Filtering rules determine if a
		packet is allowed to transit the interconnection (ACCEPT)
		packet is silently dropped (DROP)
		packet is dropped and an error message is returned to the sender (REJECT: ICMP error or TCP RST)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalling Basics
Solution 1: Packet Filters

	Capabilities
		disallow communication between certain IP addresses
		disallow communication between certain port numbers
		disallow malicious packets, like packets
			using the source routing IP option
			with impossible flag combinations, like the TCP 'xmas' scan (FIN+PSH+URG) or SYN+FIN
		generate a log of malicious and/or filtered packets

	Limitations
		scope limited to individual packets
		no ability to look inside the packet payload (e.g. HTTP/1.1 virtual hosts: the Host header decides which site is requested)
		no abstraction of a connection: filtering rules are needed for both directions, and a 'reply' rule (ACK set) also lets in forged packets that never belonged to any connection

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalling Basics
Solution 1: Packet Filters

	Extensions
		stateful packet filters (connection tracking)
			filtering rules only needed for connection-initiating packets (TCP SYN)
			all other packets are matched against the table of tracked connections: accepted as part of an already established connection, or dropped as invalid
		TCP window tracking
			filter not only on source/dest port but also on TCP sequence/acknowledgement numbers
			a packet whose sequence number lies outside the window the peer advertised cannot be part of the connection (blind injection of RST or data fails)
		NAT (Network Address Translation)
			manipulation of source / destination address (and port)
			redirect packets to other hosts
			'share' one IP address at dialup accounts (masquerading)
			connect two networks with overlapping address ranges


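A small model of the two preceding slides: a stateless packet filter that needs rules for both directions, next to a connection tracker that consults the rules only for the SYN and checks sequence numbers against the advertised window. This is an added example, not from the slides and not netfilter code; the internal network 192.168.1.0/24, the web server 203.0.113.10, the attacker 198.51.100.7 and all packets are constructed. The flag match follows the iptables idea of (flags & mask) == set, and the NEW/ESTABLISHED/INVALID names follow the connection-tracking terminology the slides use.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ACCEPT, DROP = "ACCEPT", "DROP"
INSIDE = ipaddress.ip_network("192.168.1.0/24")  # constructed internal network

@dataclass(frozen=True)
class Packet:
    """Only the header fields a packet filter looks at (constructed, not parsed)."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    seq: int = 0
    window: int = 65535          # receive window the sender advertises to its peer
    length: int = 0              # TCP payload bytes
    source_routed: bool = False  # IP LSRR/SSRR option present

def inside(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INSIDE

def malformed(p: Packet) -> Optional[str]:
    """Per-packet sanity checks that need neither rules nor state (slide: 'malicious packets')."""
    if p.source_routed:
        return "source routing option"
    if p.flags & (FIN | PSH | URG) == FIN | PSH | URG:
        return "xmas flags"
    if p.flags & (SYN | FIN) == SYN | FIN:
        return "SYN+FIN"
    return None

def stateless(rules: List[tuple], p: Packet, policy: str = DROP) -> str:
    """Every packet is judged on its own; the first matching (predicate, verdict) rule wins."""
    if malformed(p):
        return DROP
    return next((verdict for match, verdict in rules if match(p)), policy)

class Conntrack:
    """Rules apply to connection-initiating packets (plain SYN) only; anything else must
    belong to a tracked connection and carry a plausible sequence number. The window
    test is a simplification of netfilter's tcp_in_window() and ignores 32-bit wraparound."""

    def __init__(self, rules: List[tuple], policy: str = DROP):
        self.rules, self.policy, self.table = rules, policy, {}

    @staticmethod
    def key(p: Packet) -> Tuple[tuple, str]:
        a, b = (p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport)
        return (a, "a") if a <= b else (b, "b")  # same key for both directions

    def filter(self, p: Packet) -> Tuple[str, str]:
        if malformed(p):
            return DROP, "INVALID"
        key, side = self.key(p)
        conn = self.table.get(key)
        if conn is None:
            if p.flags & (SYN | ACK) != SYN:
                return DROP, "INVALID"  # mid-stream packet of an unknown connection
            verdict = stateless(self.rules, p, self.policy)
            if verdict == ACCEPT:
                self.table[key] = {side: {"end": p.seq + 1, "win": p.window}}
            return verdict, "NEW"
        me = conn.setdefault(side, {"end": p.seq, "win": p.window})  # first packet this way
        peer = conn.get("b" if side == "a" else "a")
        allowed = peer["win"] if peer else 65535
        if not me["end"] - allowed <= p.seq <= me["end"] + allowed:
            return DROP, "INVALID"  # e.g. a blindly forged RST with a guessed sequence number
        me["end"] = max(me["end"], p.seq + p.length + bool(p.flags & (SYN | FIN)))
        me["win"] = p.window
        if p.flags & RST:
            del self.table[key]
        return ACCEPT, "ESTABLISHED"

# Stateless: the inbound 'reply' rule accepts any packet from port 80 with ACK set,
# which an attacker can forge as easily as a server can send it.
STATELESS_RULES = [
    (lambda p: inside(p.src) and p.dport == 80 and p.flags & (SYN | ACK) == SYN, ACCEPT),
    (lambda p: inside(p.src) and p.dport == 80 and bool(p.flags & ACK), ACCEPT),
    (lambda p: inside(p.dst) and p.sport == 80 and bool(p.flags & ACK), ACCEPT),
]
# Stateful: one rule for the connection-initiating packet is enough.
STATEFUL_RULES = [(lambda p: inside(p.src) and p.dport == 80, ACCEPT)]

def demo() -> Dict[str, list]:
    client, server, attacker = "192.168.1.5", "203.0.113.10", "198.51.100.7"
    traffic = [  # constructed: handshake and data, then three hostile packets
        Packet(client, server, 40000, 80, SYN, seq=1000, window=29200),
        Packet(server, client, 80, 40000, SYN | ACK, seq=5000, window=14600),
        Packet(client, server, 40000, 80, ACK, seq=1001),
        Packet(client, server, 40000, 80, PSH | ACK, seq=1001, length=100),
        Packet(server, client, 80, 40000, ACK, seq=5001, length=500),
        Packet(server, client, 80, 40000, RST | ACK, seq=123456789),  # forged RST, wrong seq
        Packet(attacker, client, 80, 22, ACK, seq=1),                 # ACK scan of an inside host
        Packet(attacker, client, 31337, 22, FIN | PSH | URG),         # xmas scan
    ]
    ct = Conntrack(STATEFUL_RULES)
    return {"stateless": [stateless(STATELESS_RULES, p) for p in traffic],
            "stateful": [ct.filter(p) for p in traffic]}
```

The stateless rule set passes the forged RST and the ACK scan because both look like "replies"; the tracker drops them as INVALID, one for its implausible sequence number and one because no connection exists. In iptables terms the stateful rule set corresponds to a single `-m state --state ESTABLISHED,RELATED -j ACCEPT` rule plus the rules for NEW connections, and the xmas check to `-p tcp --tcp-flags ALL FIN,PSH,URG -j DROP`.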
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalling Basics
Solution 2: Proxies

	A proxy operates at layer 5 and above

	Mode of operation
		client connects to the proxy instead of the server
		proxy initiates a second, separate connection to the server
		the two connections are independent: the proxy sees, and decides on, the application data in between

	Proxies are just normal programs implementing a server and a client for a particular application protocol (e.g. HTTP) using operating system mechanisms (like the sockets API, winsock, ...)


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalling Basics
Solution 2: Proxies

	Capabilities
		disallow communication between certain IP addresses
		disallow communication between certain ports
		disallow communication based on the packet payload
			e.g. pathnames / filenames within HTTP and FTP
			e.g. email addresses within SMTP
			e.g. hostnames within DNS (www.netzzensur.de)
			e.g. bad words ('sex' and 'teen' within the same file)
		manipulation of the packet payload
		everything possible...

	Limitations
		somebody needs to tell the client app to connect to the proxy instead of the server
		separate proxies needed for all used protocols
		not possible to filter on IP options, TCP flags and other layer 3/4 details (the proxy only sees the data stream the OS hands it)

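To make "proxies are just normal programs" and the payload-based decisions above concrete, here is an added example (not from the slides) of the core of an HTTP/1.0 forward proxy: read the request the client sent, decide on the hostname and pathname it contains, and only then open the separate connection to the server. socketpair() stands in for listen()/accept() and connect() so the code runs offline; the blocked hostname www.netzzensur.de is taken from the slide, while the /cgi-bin/ path policy, the addresses and the fake origin server are constructed.

```python
import socket
import threading
from typing import Callable, Optional

# Constructed policy; www.netzzensur.de is the hostname example from the slide.
BLOCKED_HOSTS = {"www.netzzensur.de"}
BLOCKED_PATH_PREFIXES = ("/cgi-bin/",)


def parse_request(head: bytes):
    """Split a proxy-style request line 'GET http://host[:port]/path HTTP/1.0'
    into (method, host, port, path); raises ValueError on anything else."""
    line = head.split(b"\r\n", 1)[0].decode("latin-1")
    method, target, version = line.split(" ")
    if not target.startswith("http://"):
        raise ValueError("absolute http:// URI required")
    hostport, _, path = target[len("http://"):].partition("/")
    host, _, port = hostport.partition(":")
    if not host:
        raise ValueError("empty host")
    return method, host, int(port or 80), "/" + path


def policy(host: str, path: str) -> Optional[str]:
    """Payload-level decision no packet filter can take: it needs the parsed request."""
    if host.lower() in BLOCKED_HOSTS:
        return "blocked host"
    if path.startswith(BLOCKED_PATH_PREFIXES):
        return "blocked path"
    return None


def read_head(sock: socket.socket) -> bytes:
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def handle_client(client: socket.socket, connect: Callable[[str, int], socket.socket]) -> str:
    """One proxied request. 'connect' opens the second, separate connection to the
    origin server; it is injected so the demo can substitute a socketpair."""
    try:
        method, host, port, path = parse_request(read_head(client))
    except ValueError:
        client.sendall(b"HTTP/1.0 400 Bad Request\r\n\r\n")
        client.close()
        return "400"
    reason = policy(host, path)
    if reason:
        client.sendall(f"HTTP/1.0 403 Forbidden\r\nX-Reason: {reason}\r\n\r\n".encode())
        client.close()
        return "403"
    upstream = connect(host, port)
    # The proxy talks to the server as a client of its own: origin-form request, fresh headers.
    upstream.sendall(f"{method} {path} HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
    while True:
        data = upstream.recv(4096)
        if not data:
            break
        client.sendall(data)  # server -> proxy -> client; the proxy could rewrite this too
    upstream.close()
    client.close()
    return "relayed"


def demo(request: bytes) -> bytes:
    """Run one constructed request through the proxy. Client<->proxy and proxy<->server
    are socketpairs instead of TCP so this works offline; the origin server is a
    thread that echoes the request line it received."""
    client_end, proxy_end = socket.socketpair()

    def connect(host: str, port: int) -> socket.socket:
        proxy_side, server_side = socket.socketpair()

        def origin():
            first_line = read_head(server_side).split(b"\r\n", 1)[0]
            server_side.sendall(b"HTTP/1.0 200 OK\r\n\r\norigin saw: " + first_line)
            server_side.close()

        threading.Thread(target=origin, daemon=True).start()
        return proxy_side

    worker = threading.Thread(target=handle_client, args=(proxy_end, connect))
    worker.start()
    client_end.sendall(request)
    reply = b""
    while True:
        chunk = client_end.recv(4096)
        if not chunk:
            break
        reply += chunk
    worker.join()
    client_end.close()
    return reply
```

Note what the server sees: a request the proxy composed, not the client's bytes. That is the "horribly breaks end-to-end" of the comparison slide, and also what makes payload filtering and rewriting possible at all.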
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalling Basics
Solution 2: Proxies

	Extensions
		Transparent proxies
			accept connections from the client independent of the destination IP (the packet filter redirects them to the proxy, e.g. by NAT)
			make reply packets to the client look as if sent by the server
			possibly implement the same transparency towards the server
			no need to tell clients about proxies anymore!

		SOCKS
			application protocol independent proxy
			one proxy for all application protocols
			uses a separate protocol between client and proxy
			needs explicit support from the client application
			integrated username/password authentication


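The SOCKS exchange described above (a separate protocol between client and proxy, with built-in username/password authentication) as an added example that is not part of the slides: both sides of a SOCKS5 negotiation (RFC 1928) with the RFC 1929 username/password sub-negotiation, written as pure functions over bytes so every message can be inspected. The credentials, the target host and the allowed-port policy of the proxy are constructed.

```python
import hmac
import socket
import struct
from typing import List, Tuple

VER = 0x05
NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF   # RFC 1928 method codes
CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x01, 0x03
REP_OK, REP_NOT_ALLOWED = 0x00, 0x02                  # reply codes: succeeded / not allowed by ruleset

USERS = {"alice": b"s3cret"}   # constructed credentials
ALLOWED_PORTS = {80, 443}      # constructed proxy policy


# ---- client side: what the SOCKS-aware application sends ----
def client_greeting(methods=(NO_AUTH, USERPASS)) -> bytes:
    return bytes([VER, len(methods), *methods])


def client_auth(user: str, password: str) -> bytes:
    """RFC 1929 username/password sub-negotiation request."""
    u, p = user.encode(), password.encode()
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p


def client_connect(host: str, port: int) -> bytes:
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:  # not a dotted quad: send as domain name, the proxy resolves it
        h = host.encode()
        addr = bytes([ATYP_DOMAIN, len(h)]) + h
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


# ---- proxy side ----
def server_select_method(greeting: bytes) -> bytes:
    """Insist on username/password even if the client also offers NO_AUTH."""
    n = greeting[1]
    methods = greeting[2:2 + n]
    if greeting[0] != VER or len(methods) != n or USERPASS not in methods:
        return bytes([VER, NO_ACCEPTABLE])
    return bytes([VER, USERPASS])


def server_check_auth(msg: bytes) -> bytes:
    ulen = msg[1]
    user = msg[2:2 + ulen].decode("utf-8", "replace")
    plen = msg[2 + ulen]
    password = msg[3 + ulen:3 + ulen + plen]
    ok = msg[0] == 0x01 and hmac.compare_digest(USERS.get(user, b""), password)
    return bytes([0x01, 0x00 if ok else 0x01])  # status 0 = success, anything else = failure


def server_parse_connect(req: bytes) -> Tuple[str, int]:
    ver, cmd, _rsv, atyp = req[:4]
    if ver != VER or cmd != CMD_CONNECT:
        raise ValueError("unsupported request")
    if atyp == ATYP_IPV4:
        host, pos = socket.inet_ntoa(req[4:8]), 8
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, pos = req[5:5 + n].decode(), 5 + n
    else:
        raise ValueError("unsupported address type")
    return host, struct.unpack("!H", req[pos:pos + 2])[0]


def server_reply(rep: int) -> bytes:
    """BND.ADDR/BND.PORT left at 0.0.0.0:0; a real proxy reports the socket it connected from."""
    return bytes([VER, rep, 0x00, ATYP_IPV4]) + socket.inet_aton("0.0.0.0") + struct.pack("!H", 0)


def run_exchange(user: str, password: str, host: str, port: int) -> List[Tuple[str, bytes]]:
    """Drive both sides in memory; returns the transcript, one (sender, message) per step.
    The exchange stops at the first refusal, exactly as a real client would see it."""
    log = [("client", client_greeting())]
    log.append(("proxy", server_select_method(log[-1][1])))
    if log[-1][1][1] == NO_ACCEPTABLE:
        return log
    log.append(("client", client_auth(user, password)))
    log.append(("proxy", server_check_auth(log[-1][1])))
    if log[-1][1][1] != 0x00:
        return log
    log.append(("client", client_connect(host, port)))
    dst_host, dst_port = server_parse_connect(log[-1][1])
    # A real proxy would now connect() to dst_host:dst_port; here only the ruleset decides.
    rep = REP_OK if dst_port in ALLOWED_PORTS else REP_NOT_ALLOWED
    log.append(("proxy", server_reply(rep)))
    return log
```

Only after the CONNECT reply does application data flow, and the proxy never interprets it: this is what "one proxy for all application protocols" buys, and also why a SOCKS proxy cannot do the payload filtering of the previous slide.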
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalling Basics
Comparison

	Packet filter
		pro
			total control on the lowest, per-packet level
			very high performance
			possible to implement failover / load balancing
			NAT as extension solves the address space problem
		contra
			configuration requires sophisticated knowledge
			problems when no state / window tracking is used
			support for complex protocols (H.323, SIP) difficult to implement
	Proxy
		pro
			no knowledge about the layer 3/4 protocol needed
			configuration very easy
			address space automatically separated
			integrates easily with other applications like IDS
			easy implementation, just normal application programs
		contra
			separate proxies needed for almost every protocol
			bad performance
			uses lots of resources (e.g. sockets) on the gateway
			horribly breaks end-to-end
			needs explicit configuration of client apps if not a transparent proxy

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalling Basics
Comparison

	Transparent proxy
		uses ideas/methods of packet filtering (NAT) to achieve protocol transparency
		horrible violation of layering

	Stateful packet filter
		uses ideas of proxies (tracking of higher layer state) to achieve better security and easier configuration
		horrible violation of layering

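The slides mention NAT in three roles: masquerading a whole network behind one address, redirecting packets to other hosts, and giving a transparent proxy its transparency. This added example (not from the slides, not netfilter code) models a connection-tracking NAT table that does all three, with the translation steps named after the points where a packet filter applies them (before and after the routing decision). The network 192.168.1.0/24, gateway 192.168.1.1, public address 198.51.100.1, server 203.0.113.10 and proxy port 3128 are constructed.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Tuple


@dataclass(frozen=True)
class Pkt:
    """Addresses and ports of a TCP packet; nothing else matters to NAT here."""
    src: str
    dst: str
    sport: int
    dport: int


class Nat:
    """Masquerading (source NAT) for an internal network behind one public address,
    plus REDIRECT (destination NAT) of outgoing web connections to a proxy on the
    gateway itself. Mappings are keyed by the original (address, port), the way a
    connection-tracking NAT keeps one entry per connection."""

    def __init__(self, internal_net: str, gateway_ip: str, public_ip: str,
                 redirect_port: int = 80, proxy_port: int = 3128):
        self.net = ipaddress.ip_network(internal_net)
        self.gateway_ip, self.public_ip = gateway_ip, public_ip
        self.redirect_port, self.proxy_port = redirect_port, proxy_port
        self.snat: Dict[Tuple[str, int], int] = {}              # (inside src, sport) -> public sport
        self.snat_rev: Dict[int, Tuple[str, int]] = {}          # public sport -> (inside src, sport)
        self.dnat: Dict[Tuple[str, int], Tuple[str, int]] = {}  # (client, sport) -> original (dst, dport)

    def inside(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.net

    def _public_port(self, wanted: int) -> int:
        """Keep the client's own port when it is free (as netfilter tries to), else pick another."""
        port = wanted
        while port in self.snat_rev:
            port = 1024 if port >= 65535 else port + 1
        return port

    def prerouting(self, p: Pkt) -> Pkt:
        """Destination NAT happens before the routing decision: a redirected packet is
        now addressed to the gateway and gets delivered locally, to the proxy."""
        if self.inside(p.src) and not self.inside(p.dst) and p.dport == self.redirect_port:
            self.dnat[(p.src, p.sport)] = (p.dst, p.dport)
            return replace(p, dst=self.gateway_ip, dport=self.proxy_port)
        return p

    def postrouting(self, p: Pkt) -> Pkt:
        """Source NAT happens after routing, for packets leaving towards the Internet."""
        if self.inside(p.src) and not self.inside(p.dst):
            key = (p.src, p.sport)
            if key not in self.snat:
                self.snat[key] = self._public_port(p.sport)
                self.snat_rev[self.snat[key]] = key
            return replace(p, src=self.public_ip, sport=self.snat[key])
        return p

    def inbound(self, p: Pkt) -> Pkt:
        """Reply from the Internet: undo the source NAT so it reaches the inside host."""
        if p.dst == self.public_ip and p.dport in self.snat_rev:
            src, sport = self.snat_rev[p.dport]
            return replace(p, dst=src, dport=sport)
        return p

    def proxy_reply(self, p: Pkt) -> Pkt:
        """Transparent proxy answering a redirected client: undo the destination NAT so
        the reply looks as if it came from the real server."""
        key = (p.dst, p.dport)
        if p.src == self.gateway_ip and p.sport == self.proxy_port and key in self.dnat:
            orig_dst, orig_dport = self.dnat[key]
            return replace(p, src=orig_dst, sport=orig_dport)
        return p


def demo() -> Dict[str, Pkt]:
    """Constructed traffic from two inside hosts that happen to use the same source port,
    a reply for the second one, and a web connection that is redirected to the proxy."""
    nat = Nat("192.168.1.0/24", gateway_ip="192.168.1.1", public_ip="198.51.100.1")
    server = "203.0.113.10"
    a = nat.postrouting(nat.prerouting(Pkt("192.168.1.5", server, 40000, 443)))
    b = nat.postrouting(nat.prerouting(Pkt("192.168.1.6", server, 40000, 443)))
    reply_to_b = nat.inbound(Pkt(server, nat.public_ip, 443, b.sport))
    web = nat.postrouting(nat.prerouting(Pkt("192.168.1.5", server, 40001, 80)))
    from_proxy = nat.proxy_reply(Pkt(nat.gateway_ip, "192.168.1.5", nat.proxy_port, 40001))
    return {"a": a, "b": b, "reply_to_b": reply_to_b, "web": web, "from_proxy": from_proxy}
```

The second host's source port has to be remapped because both connections leave with the same public address: this is the "share one IP address" of the NAT slide. The web connection is rewritten before routing, so it never reaches the Internet and is not masqueraded at all; the proxy's answer is rewritten back so the client believes it is talking to 203.0.113.10:80.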
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalling Basics
Conclusion

	proxies work for small installations where the number of used protocols is small and the administrative staff is not very experienced
	packet filters without state tracking are difficult to configure correctly
	packet filters with state tracking are a good solution for most usage scenarios: powerful, but yet easy to configure correctly
	for highest security, the best of both worlds can be combined
		imagine a stateful bridging packet filter in front of a proxy :)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalling Basics
Thanks

	Thanks to

	the BBS people, Z-Netz, FIDO, ...
		for heavily increasing my computer usage in 1992

	KNF
		for bringing me in touch with the internet as early as 1995
		for providing a playground for technical people
		for telling me about the existence of Linux!

	Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
		for implementing (one of?) the world's best TCP/IP stacks

	Paul 'Rusty' Russell
		for starting the netfilter/iptables project
		for trusting me to maintain it today

	Linux User Group Nuernberg (ALIGN, LUG-N)
		for helping me with my initial Linux problems
