%include "default.mgp"
%default 1 bgrad
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%back "blue"
%center
%size 7
TCP/IP Firewalling Basics
%center
%size 4
by Harald Welte
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalling Basics
Contents
	Introduction
	Networking Basics
	Potential Security Problems
	Solution 1: Packet Filters
	Solution 2: Proxies
	Comparison
	Summary
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalling Basics
Introduction
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalling Basics
Networking Basics
	7 layer OSI model used to abstract networking protocols
		layer 7: application layer: e.g. telnet/ftp
		layer 6: presentation layer
		layer 5: session layer
		layer 4: transport layer: e.g. TCP/UDP
		layer 3: network layer: e.g. IP
		layer 2: data link layer: e.g. Ethernet
		layer 1: physical layer: e.g. wire
	Layer 1 + 2 embedded in hardware
	Layer 3 + 4 implemented in operating system
	Layer 5+ embedded in application program
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalling Basics
Networking Basics
	Layer 2: Ethernet
		enables two hosts within same physical net to exchange packets
		unreliable
		addressing granularity: host
		fixed hardware addresses (MAC address, 48bit)
	Layer 3: Internet Protocol (IP)
		enables two hosts in different physical networks to exchange packets
		unreliable, best effort
			packet reordering
			packet loss
		addressing granularity: host
		logical addresses (IP address, 32bit)
		checksum protects only IP header
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalling Basics
Networking Basics
	Layer 4: User Datagram Protocol (UDP)
		unreliable, best effort
		addressing granularity: ports (16bit = 65535)
		optional payload checksum
	Layer 4: Transmission Control Protocol (TCP)
		provides connection abstraction
		reliable
			ordering guarantee
			retransmissions correct packet loss
			flow control
		payload checksum protects payload from data corruption
	Layer 4: Internet Control Message Protocol (ICMP)
		used internally by TCP/IP protocol suite
			error messages (e.g. host unreachable)
			diagnostics (e.g. ping/pong)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalling Basics
Potential Security Problems
	Security issues arise at interconnection of two networks
	Traditional case: IP router connecting an organization-internal network to the Internet
	What Security Problem?
		organization-internal services exposed to outside network
		spoofed (forged) packets to circumvent 'security by address'
		even if all internal services are secured by authentication, it is difficult to guarantee security on all internal hosts
	Why Firewalling?
		to restrict which internal services are exposed to the outside
		to restrict which outside services are used by internal users
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalling Basics
Solution 1: Packet Filters
	Filter individual packets at network interconnection (router)
	Filter criteria traditionally include
		IP source + destination address
		TCP/UDP source + destination port
		TCP header flags
	Filtering rules determine if
		packet is allowed to transit interconnection
		packet is silently dropped
		packet is dropped and error message returned to sender
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalling Basics
Solution 1: Packet Filters
	Capabilities
		disallow communication between certain IP addresses
		disallow communication between certain port numbers
		disallow malicious packets, like
			packets using the source routing IP option
			impossible combinations of features, like the TCP xmas scan
		generate log of malicious and/or filtered packets
	Limitations
		scope limited to individual packets
		no ability to look inside packet payload (HTTP 1.1 virtual hosts)
		no abstraction of connection, filtering rules needed for both directions
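The filter criteria, verdicts, capabilities and limitations above, worked through as an added Python example that is not from the original slides: a small packet-filter model that matches on addresses, ports and TCP flags, drops packets carrying the source-routing option or an impossible flag combination (the xmas scan) and logs them, and supports the three verdicts accept, drop and reject. It also shows the "rules needed for both directions" limitation next to its cure: with connection tracking switched on (the stateful extension the deck describes on the next page), only the connection-initiating SYN needs a rule and the server's reply is accepted as part of the tracked flow. All addresses, ports and the rule set are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# TCP header flag bits as they appear on the wire
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Packet:
    """The header fields a classic packet filter decides on; the payload is not inspected."""
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: int = 0               # TCP header flags (0 for non-TCP)
    source_routed: bool = False  # IP source-routing option present


def is_new_tcp(p: Packet) -> bool:
    """SYN without ACK: the connection-initiating packet of a TCP connection."""
    return p.proto == "tcp" and bool(p.flags & SYN) and not (p.flags & ACK)


def malformed(p: Packet) -> Optional[str]:
    """Packets no legitimate stack sends; a filter drops them regardless of the rule set."""
    if p.source_routed:
        return "IP source-routing option"
    if p.proto == "tcp":
        if p.flags & FIN and p.flags & PSH and p.flags & URG:
            return "xmas scan (FIN+PSH+URG)"
        if p.flags & SYN and p.flags & FIN:
            return "SYN+FIN"
        if p.flags == 0:
            return "null scan (no flags)"
    return None


@dataclass
class Rule:
    action: str                  # "accept", "drop" (silent) or "reject" (error back to sender)
    src: Optional[str] = None    # None matches any value
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    new_only: bool = False       # match only connection-initiating TCP packets

    def matches(self, p: Packet) -> bool:
        for want, have in ((self.src, p.src), (self.dst, p.dst),
                           (self.proto, p.proto), (self.dport, p.dport)):
            if want is not None and want != have:
                return False
        return not self.new_only or is_new_tcp(p)


Flow = Tuple[str, str, int, str, int]


class PacketFilter:
    def __init__(self, rules: List[Rule], stateful: bool = False, default: str = "drop"):
        self.rules, self.stateful, self.default = rules, stateful, default
        self.conntrack: Set[Flow] = set()   # accepted flows (stateful mode only)
        self.log: List[str] = []            # what a real filter would send to syslog

    @staticmethod
    def flow(p: Packet) -> Flow:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def reply_flow(p: Packet) -> Flow:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def verdict(self, p: Packet) -> str:
        where = f"{p.proto} {p.src}:{p.sport}->{p.dst}:{p.dport}"
        why = malformed(p)
        if why:
            self.log.append(f"drop {where}: {why}")
            return "drop"
        # Stateful extension: packets of an already tracked flow, in either
        # direction, are accepted without consulting the rule list again.
        if self.stateful and (self.flow(p) in self.conntrack
                              or self.reply_flow(p) in self.conntrack):
            return "accept"
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "accept":
                    if self.stateful:
                        self.conntrack.add(self.flow(p))
                else:
                    self.log.append(f"{rule.action} {where}: matched rule")
                return rule.action
        self.log.append(f"{self.default} {where}: no matching rule")
        return self.default


def demo():
    """Constructed scenario: internal host 10.0.0.5 opens a web connection to
    192.0.2.10; an outside host 198.51.100.7 sends a telnet SYN and an xmas-scan packet."""
    policy = [
        Rule("accept", src="10.0.0.5", proto="tcp", dport=80, new_only=True),
        Rule("reject", proto="tcp", dport=23),
    ]
    syn = Packet("10.0.0.5", "192.0.2.10", "tcp", 40000, 80, SYN)
    syn_ack = Packet("192.0.2.10", "10.0.0.5", "tcp", 80, 40000, SYN | ACK)
    telnet = Packet("198.51.100.7", "10.0.0.5", "tcp", 1234, 23, SYN)
    xmas = Packet("198.51.100.7", "10.0.0.5", "tcp", 1235, 22, FIN | PSH | URG)

    stateless, stateful = PacketFilter(policy), PacketFilter(policy, stateful=True)
    verdicts = {
        "stateless_syn": stateless.verdict(syn),
        "stateless_reply": stateless.verdict(syn_ack),  # dropped: no rule for the reply direction
        "stateful_syn": stateful.verdict(syn),
        "stateful_reply": stateful.verdict(syn_ack),    # accepted: belongs to a tracked flow
        "telnet": stateful.verdict(telnet),
        "xmas": stateful.verdict(xmas),
    }
    return verdicts, stateful.log


if __name__ == "__main__":
    verdicts, log = demo()
    print(verdicts)
    print("\n".join(log))
```

The same single accept rule gives a different outcome in the two modes: the stateless filter drops the server's SYN/ACK because no rule covers the reverse direction, while the stateful one finds the reply's flow in its table and accepts it. The malformed-packet check runs before the rule list on purpose, so that a rule accepting port 80 never lets an impossible flag combination through.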
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalling Basics
Solution 1: Packet Filters
	Extensions
		stateful packet filters (connection tracking)
			filtering only needed for connection-initiating packets
			all other packets within connection are accepted as part of an already established connection
		TCP window tracking
			allow filtering not only on source/dest port but also on TCP sequence number
		NAT (Network Address Translation)
			manipulation of source / destination address
			redirect packets to other hosts
			'share' one IP address at dialup accounts (masquerading)
			connect two networks with overlapping address ranges
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalling Basics
Solution 2: Proxies
	A proxy operates at layer 5 and above
	Mode of operation
		client connects to proxy instead of server
		proxy initiates a second, separate connection to server
	Proxies are just normal programs
		implementing a server and a client for a particular application protocol (e.g. HTTP)
		using operating system mechanisms (like sockets API, winsock, ...)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalling Basics
Solution 2: Proxies
	Capabilities
		disallow communication between certain IP addresses
		disallow communication between certain ports
		disallow communication based on packet payload
			e.g. pathnames / filenames within HTTP and FTP
			e.g. email addresses within SMTP
			e.g. hostnames within DNS (www.netzzensur.de)
			e.g. badwords ('sex' and 'teen' within same file)
		manipulation of packet payload
		everything possible...
	Limitations
		somebody needs to tell client app to connect to proxy instead of server
		separate proxies for all used protocols needed
		not possible to filter on packet options, etc.
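The proxy mode of operation and the payload-based capabilities above, as an added Python example that is not from the original slides: the core of an HTTP proxy that receives the client's request on the first connection, decides on hostname and path (data that sits in the HTTP payload and is therefore invisible to a packet filter, which is exactly the HTTP/1.1 virtual-host limitation named earlier), rewrites the request, and hands it to a second, separate connection towards the server. It understands both the absolute-URI form an explicitly configured client sends and the origin-form plus Host header a transparent proxy sees. The blocked hostname www.netzzensur.de is the slide's own example; the /cgi-bin/ path prefix, the Via header value and the in-memory fake upstream that stands in for a real server socket are constructed assumptions.

```python
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit

# Policy (constructed for this example; the hostname is the slide's example).
BLOCKED_HOSTS = {"www.netzzensur.de"}
BLOCKED_PATH_PREFIXES = ("/cgi-bin/",)

# Headers meaningful only between client and proxy; never forwarded to the server.
HOP_BY_HOP = {"host", "proxy-connection", "proxy-authorization"}

# The second leg is modelled as: connect(host, port) -> send(request) -> response bytes.
Connect = Callable[[str, int], Callable[[bytes], bytes]]


def parse_request(raw: bytes) -> Tuple[str, str, str, Dict[str, str], bytes]:
    """Split an HTTP request into method, target, version, headers (lower-cased names) and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body


def resolve_target(target: str, headers: Dict[str, str]) -> Tuple[str, int, str]:
    """Explicit proxies receive an absolute URI; a transparent proxy receives origin-form plus Host."""
    if target.startswith("http://"):
        u = urlsplit(target)
        path = (u.path or "/") + (f"?{u.query}" if u.query else "")
        return u.hostname or "", u.port or 80, path
    host, _, port = headers.get("host", "").partition(":")
    return host, int(port or 80), target


def policy(host: str, path: str) -> Optional[str]:
    """Return a denial reason, or None if the request may be forwarded."""
    if host.lower() in BLOCKED_HOSTS:
        return f"host {host} is blocked"
    if any(path.startswith(p) for p in BLOCKED_PATH_PREFIXES):
        return f"path {path} is blocked"
    return None


def proxy_request(raw: bytes, connect: Connect) -> bytes:
    """Leg one: the client's request has arrived at the proxy as `raw`.
    Leg two: connect() opens a separate connection to the server."""
    method, target, version, headers, body = parse_request(raw)
    host, port, path = resolve_target(target, headers)
    reason = policy(host, path)
    if reason:
        msg = reason.encode()
        return (f"{version} 403 Forbidden\r\nContent-Length: {len(msg)}\r\n"
                "Connection: close\r\n\r\n").encode() + msg
    # Rebuild a clean origin-form request for the server; drop hop-by-hop headers.
    hostline = host if port == 80 else f"{host}:{port}"
    out = [f"{method} {path} {version}", f"Host: {hostline}"]
    out += [f"{n.title()}: {v}" for n, v in headers.items() if n not in HOP_BY_HOP]
    out.append("Via: 1.1 example-proxy")   # constructed proxy name
    forwarded = ("\r\n".join(out) + "\r\n\r\n").encode() + body
    return connect(host, port)(forwarded)


def fake_connect(log: list) -> Connect:
    """Stand-in for a real TCP connection to the server (constructed for the example)."""
    def connect(host: str, port: int):
        def send(request: bytes) -> bytes:
            log.append((host, port, request))
            return b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
        return send
    return connect


def demo():
    """Two constructed client requests: one allowed, one denied by hostname."""
    log: list = []
    allowed = (b"GET http://www.example.com/index.html HTTP/1.1\r\n"
               b"Host: www.example.com\r\nProxy-Connection: keep-alive\r\n"
               b"User-Agent: demo\r\n\r\n")
    blocked = b"GET /news HTTP/1.1\r\nHost: www.netzzensur.de\r\n\r\n"
    return proxy_request(allowed, fake_connect(log)), proxy_request(blocked, fake_connect(log)), log


if __name__ == "__main__":
    for response in demo()[:2]:
        print(response.decode(), end="\n---\n")
```

Because the proxy terminates the client's connection and opens its own, the server only ever sees the rebuilt request (no Proxy-Connection header, a Via header added), which is the "manipulation of packet payload" capability; replacing fake_connect with a function that opens a real socket turns this into a working, if minimal, HTTP proxy.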
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalling Basics
Solution 2: Proxies
	Extensions
		Transparent Proxies
			accept connections from client independent of dest IP
			make reply packets to the client look as if sent by server
			possibly implement same transparency towards server
			no need to tell clients about proxies anymore!
		SOCKS
			application protocol independent proxy
			one proxy for all application protocols
			uses separate protocol between client and proxy
			needs explicit support from client application
			integrated username/password authentication
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalling Basics
Comparison
	Packet Filter
		pro
			total control on lowest per-packet level
			very high performance
			possible to implement failover / load balancing
			NAT as extension solves address space problem
		contra
			configuration requires sophisticated knowledge
			problems when no state / window tracking used
			support for complex protocols (H.323, SIP) difficult to implement
	Proxy
		pro
			no knowledge about layer 3/4 protocol needed
			configuration very easy
			address space automatically separated
			integrates easily with other applications like IDS
			easy implementation, just normal application programs
		contra
			separate proxies needed for almost every protocol
			bad performance
			uses lots of resources (e.g. sockets) on gateway
			horribly breaks end-to-end
			needs explicit configuration of client apps if not transparent proxy
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalling Basics
Comparison
	Transparent Proxy
		uses ideas/methods of packet filtering (NAT) to achieve protocol transparence
		horrible violation of layering
	Stateful Packet Filter
		uses ideas of proxies (tracking of higher layer state) to achieve better security and easier configuration
		horrible violation of layering
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalling Basics
Conclusion
	Conclusion
		proxies work for small installations where the number of used protocols is small and administrative staff not very experienced
		packet filters without state tracking are difficult to configure correctly
		packet filters with state tracking are a good solution for most usage scenarios: powerful but yet easy to configure correctly
		for highest security, the best of both worlds can be combined
			imagine a stateful bridging packet filter in front of a proxy :)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalling Basics
Thanks
	Thanks to
		the BBS people, Z-Netz, FIDO, ...
			for heavily increasing my computer usage in 1992
		KNF
			for bringing me in touch with the internet as early as 1995
			for providing a playground for technical people
			for telling me about the existence of Linux!
		Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
			for implementing (one of?) the world's best TCP/IP stacks
		Paul 'Rusty' Russell
			for starting the netfilter/iptables project
			for trusting me to maintain it today
		Linux User Group Nuernberg (ALIGN, LUG-N)
			for helping me with my initial Linux problems