summaryrefslogtreecommitdiff
path: root/2002/firewalling-knf-2002/toc
blob: 8df045185e48af1a692488500650694fdbf74ccd (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
- Introduction
	- since 1995 member of KNF, now 2nd TC, newsmaster + other stuff
	- learned lots of stuff while playing with KNF and own networks
	- done weird stuff like UUCP-over-SSL HOWTO :)
	- now maintainer of linux firewalling code

- Basics
	- Internet as packet switched network
	- 7-layer-OSI
	- Internetworking using IP
		- unreliable, best effort, no ordering guarantees
	- Routing within IP
	- UDP as stateless protocol
		- same characteristics as IP, but
			- added ports to multiplex between apps
			- optional payload checksum
	- TCP as session layer
		- providing abstraction of connection
	 	- reliable (payload checksum, retransmissions)
		- ordering guarantees
		- flow control
	- ICMP as helper
		- error messages / diagnostics
		- absolutely neccessary !!

- potential security problems
	- spoofed packets
	- connections to internal, private services
	- difficult to guarantee security on all internal hosts
	- restrictions the other way around (for outbound connections)
	- 

- solution 1: packet filters
	- operates on layer 3
	- filter packets based on packet header/content
	- alternatively also generate ICMP errors, RST packets

	- extensions / derivates
		- stateful firewalling
		- transparent firewalls (firewalling bridges)

- solution 2: proxies
	- layer 5+
	- description
	- explicit configuration of all clients

	- extensions / derivates
		- transparent proxies
		- SOCKS
			- needs explicit application support
			- solves authentication problem
			- not used widely
			- should be offered in addition to proxies
			  to give users a chance of running 'weird' prtoocols
			  without httptunnel.

- comparison
	- proxy
		+ no knowledge about protocol headers needed
		+ configuration extremely easy
		+ address space separated (no need for NAT)
		+ integrates easily with other applications like IDS
		+ easy implementation, just normal programs
		- seperate proxies needed for almost every protocol
		- bad performance
		- uses lots of ressources (i.e. sockets) on gateway
		- horribly breaks end-to-end
		- needs configuration of enduser applications, if not
		  used as transparent proxies

	- packet filter
		+ total control on lowest per-packet level
		+ very high performance
		+ possible to implement failover / load balancing
		+ NAT as extension solves address space problem 
		- configuration requires high knowledge on TCP/IP protocols
		- problems when no state/window tracking is done
		- support for complex protocols (h.323, SIP, ...) difficult
		  to implement

	- transparent proxies
		- use some ideas of packet filtering / NAT to achieve
		  transparency

	- stateful packet filters
		- use some ideas of proxies (tracking of higher layer state)
		  to achieve better security and easier configuration

	- summary:
		- proxies work for small installations where number of
		  to-be-supported protocols small and administrative stuff
		  not very experienced
		- packet filters without state tracking difficult to be
		  configured correctly
		- packet filters with state tracking are a good solution for
		  most usage scenarios: powerful, but yet easy to configure
		  right :)
		- for highest security, they can be combined: imagine a
		  stateful bridging packet filter in front of proxies :)

personal git repositories of Harald Welte. Your mileage may vary