26/11/2008

Network Firewalls including NAT, routing, arp, DMZs and a dash of layer 7 (Mike Rose, Chemistry/DAMTP)

A talk given as part of the TechLink Workshops and Seminars program.

This talk is somewhat generic with the implementation done on Linux with iptables. I am not an iptables expert. Instead I use an OSS GUI to generate the rules/script, hence this talk should be accessible to non-iptables experts.

The talk will cover: NAT'ing, routing, firewall design, host/protocol rules, deployment, DMZs, cost and resource practicalities, deployment, application level filtering/inspection and a brief comparison with a commercial firewall.

What is a Firewall?
Why use FWs?
Routing
The Tools I've used
Basic Network FW Design Suggestions
Test/Development System Setup
The System Setup Used for the Following Examples
Simple Port-based firewall
Port-based firewall with DMZ
NATing FW
External Access to a server behind the firewall
Fluffy (Your friendly local neighbourhood network welcome message)
In Cambridge University
Experiences with Application Layer Filtering
Comparison with a Commerical Firewall
Simple Practical Backup/Recovery/Resilience
Deployment
Extra Techie stuff
Further comments about/from/relating to this talk
Other Information

What is a FW?

" A firewall is a dedicated appliance, or software running on another computer, which inspects network traffic passing through it, and denies or permits passage based on a set of rules. "

This and more definitions are available from the Firewall entry on wikipedia.

Why use FWs?

Old equipment being run by even older computers (RH6, SGI, Win 95, 98, ME, NT, etc.) upon which data is collected and needs to be transferred and, preferably, backed up.
Keep network traffic from trusted services within your trusted network (e.g. NFS and NIS)
Block access to internal "open" services such as print servers

Routing

Getting packets from one place to another

Which is more important, complete security or a functional network?

If the firewall rules "go wrong" I prefer a functional network for an academic environment.

network routing on the firewall is done by a separate initialisation script
the firewall rules can easily and simply be removed (flushed) with network routing left in place
we do manage security updates/patches to the servers and workstations that are within our care and do not depend upon network firewalls for security

The Tools I've used

design - back of an envelope then dia
routing - linux with a simple init script
to generate iptables scripts/rules/policies - fwbuilder (a serendipitous discovery in the Linux Journal)
- supports iptables (netfilter), ipfilter, pf, ipfw, Cisco PIX (FWSM, ASA) and Cisco routers extended access lists.
- Very active development
- http://www.hurricanelabs.com/august2008_story_3
- migrating from Checkpoint to fwbuilder
- versions: Version 3.0.1 is used for this talk because the laptop likes QT4 so I had to compile with a newer version of fwbuilder. Previosly I have used 2.1.14 and 2.1.12. I have crashed v3.0.1 a few times, whereas I've never managed that with 2.1.12 nor 2.1.14
- upgrades: when loading a firewall rule set (policies) from an older version of fwbulder into a newer version an "upgrade" is performed on the .fwb file. This has always worked for me, thus far
implementing the rules - iptables on linux (a learned colleague assures me that Linux and iptables are capable of providing a 10GBit network firewall)

Basic Network FW Design Suggestions

FW can obtain software updates (not to block itself)
always allow connection to the FW in case of blocking your own computer/everything (e.g. ssh to FW from own workstation)
facilitate the work of the people whose computing you are responsible for by providing security that works and allows work
use "standard" settings (often particularly to your organisation) for thing like the GateWay (e.g. 192.168.1.62) FW internal interface (eth0), external interface (eth1)
a method/process that allows at least a few of your colleagues to make simple changes to the firewall(s) you run (and to recover from disasters). fwbuilder can certainly help in this area, IMHO.

Test/Development System Setup

I have found it very helpful to setup a development/test system that is similar to the live system, including:

a copy of the University DNS running under bind on the web/DNS server
ntp service inside and outside the firewall
another copy of the University DNS running on a server inside the firewall
a simple web-server (outside the firewall and usually one inside the firewall to which the outside world would like access)
other services running on servers inside the firewall such as samba (Windows file-sharing), DHCP and LDAP

The System Setup Used for the Following Examples

web/DNS server (outside the firewall) - Debian 4.0
firewall/router - Debian 4.0
laptop - OpenSuSe 11.0

There's no particularly reason for the above choices except that I tend to use Debian on servers and openSuSe for laptops.

Simple Port-based firewall

Allow ssh and icmp echo request to our internal network
Allow our internal networks access to all
Allow access to our internal network web-server
Block all other network traffic
Diagram
system build including routing

check the routing works from 131.111.112.51

ping 131.111.12.20
traceroute 131.111.12.20

check DNS on 131.111.112.52
```
host www.cam.ac.uk
host 131.111.8.46
```
the fwbuilder file
screenshot of the fwbuilder policy
firewall rules as a script as produced by fwbuilder

Some testing:

# from the laptop (inside FW)
ping 131.111.112.62 # ping the gateway
host www.cam.ac.uk # DNS lookup
traceroute www.cam.ac.uk
wget www.cam.ac.uk
smbclient -L www.cam.ac.uk
nmap 131.111.12.20
ssh 131.111.12.20 # then we can do the tests below

# from web/DNS (outside FW)
ping 131.111.112.51 # should work
host 131.111.112.51 # should work as I am a DNS server
smbclient -L kaos.ch.cam.ac.uk # should be blocked
nmap kaos.ch.cam.ac.uk # will take a while and only show a few services
ssh kaos.ch.cam.ac.uk # allowed
wget kaos.ch.cam.ac.uk # allowed

# turn off the firewall rules
ssh root@131.111.112.62
/etc/init.d/firewall-FW stop

# run a test from above that was previously blocked
ssh root@131.111.12.20
smbclient -L kaos.ch.cam.ac.uk # allowed
nmap kaos.ch.cam.ac.uk # quick and will show all services

# turn the firewall rules back on
ssh root@131.111.112.62
/etc/init.d/firewall-FW start

# generally a good idea to test a FW with some data transfer
# from the web/DNS server (outside the firewall
# a 10MB data transfer
dd if=/dev/zero bs=1024k count=10 | ssh root@131.111.112.51 dd of=/dev/null

Port-based firewall with DMZ

Allow icmp echo request to our internal network
Allow our internal networks access to all
Allow ssh to DMZ hosts
Block DMZ access to our internal network
Block all other network traffic
Diagram
system build including routing
Note: this is not a tested set of firewall rules as I do not have enough equipment nor time to do this one right now
the fwbuilder file
screenshot of the fwbuilder policy
firewall rules as a script as produced by fwbuilder
do LOTS of testing on this one of different combinations of access. It is quite easy to have a nice DMZ with FULL access to your internal network by accident

NATing FW

Allow icmp echo request to the external interface of our firewall
Allow our internal networks access to all
Block all other network traffic
Diagram
system build including routing
remove the firewall rules from the firewall then change the IP address of the internal (eth0) interface, then make sure the simple routing is enabled:
```
# from laptop
ping 192.168.1.62
ping 131.111.12.20
```
the fwbuilder file
screenshot of the fwbuilder policy
screenshot of the fwbuilder NAT rules
firewall rules as a script as produced by fwbuilder

simple testing

# from the laptop (192.168.1.1)
ssh root@131.111.12.20 # DNS/web server outside the firewall
less /var/log/auth.log # and you should see the IP address you connected from
ping 192.168.1.1

you could allow ping to 192.168.1.1 by adding the internal network object to the ping rule - not recommended for a live setup with NAT and 192.168

External Access to a server behind the firewall

Allow icmp echo request to the external interface of our firewall (2 IP addresses)
Allow our internal networks access to all
Allow external access to a machine on our internal network
Block all other network traffic
Diagram
system build including routing
the fwbuilder file
screenshot of the fwbuilder policy
firewall rules as a script as produced by fwbuilder

simple testing:

# from 192.168.1.1 (laptop)
ssh root@131.111.12.20
smbclient -L 131.111.12.1
wget 131.111.12.1
ssh mr@131.111.12.1
hostname # and you should have found yourself back on the laptop

Notes: if you can find another way to do make things work, then please do so. For example putting the server to which external access is required outside the firewall (or in a DMZ) and letting your internal network clients/servers connect to it is probably better.
You can use proxy arp to actually give the server the externally accessible IP address if you want to. Some notes for how to do this with Linux:

# to get a public IP, behind the firewall, to forward through the firewall:

# on the firewall:
IP=131.111.11X.XXX # IP of firewall
HOST_IP=131.111.11X.XXX # IP of computer behind firewall for proxy_arp
# NOTE: both firewall and public IP computer behind the firewall need IPs in the same
# network
# eth0 = external interface
route add -host ${HOST_IP} eth0 
# enable proxyarp on both interfaces of the firewall:
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp

# NOTE: $IP needs to be in the same network as the firewall IP
# AND
# The Proxy ARP is actually only used to get packets from external to internal network.
# To get packets back the other way, the normal IP routing functionality is employed.
# Therefore the firewall would need an IP address in each network to route packets
# back to hosts...

Fluffy (Your friendly local neighbourhood network welcome message)

This is a favourite of mine. If an unkown host is connected to our physical network we like to be nice and direct any web-browsing at a helpful page suggesting how network connectivity can be achieved.

DHCP server to handout 192.168.211.0/24 to unknown hosts including a default GateWay of 192.168.211.62
Allow http to our web-server (NATing the source address to be fluffy's IP address)
Allow icmp echo request to all
Allow repeated DHCP requests to our DHCP servers
Allow DNS
divert all http requests from unkown hosts to a default website
Block all other network traffic
the fwbuilder file
screenshot of the fwbuilder policy
screenshot of the fwbuilder NAT rules

In Cambridge University

Consider:

friendly probing
UFS print servers
access to your servers that are providing external services (http, VPN, ssh, DNS, etc.)
traceroute (udp and/or tcp)
letting the CS know what you are doing
if you are NATing then you certainly need to consider for how long you keep your log files for
you may also need to publicy define your logging policy
documentation for your users so that they have some idea of what your network firewall(s) are doing, an example of this - Chemistry Department (raven account required)

Experiences with Layer 7 - cation Layer Filtering

An application layer firewall may inspect traffic at the application layer and, for example, block viruses, certain websites and attempts to exploit known logical flaws in client software. I believe this is typically done by matching patterns of undesirable traffic to network traffic. Therefore the effectiveness and accurray will be dependent upon how good the patterns are.
My experience with the application layer filtering (Smart Defense) in Checkpoint firewall (R60) is this:

blocked download of openSuSe iso images - naughty ART file
blocked download of PDF - dangerous jpeg
blocked download of an online checking bar code GIF - bad tif
turn off Smart Defense and some of it is still active and blocking valid www content download
turned ALL SmartDefense off a few weeks ago and the problems were indeed the tip of the iceberg. We have had many reports of different applications, websites, etc. now "working"

One answer to these problems was to upgrade from R60 to R62. I asked how this would help given that the patterns would be the same. The answer was:
" As of R62 - the behaviour of smart defence inspection has been greatly improved / re-written. Instead of the traffic following a linear path through the firewall when in monitor only mode - the traffic passes through the kernel without inspection but is also copied through the smart defence module to generate the relevant log entry so there is no way for monitor-only to possibly block traffic. "
I have been, informally, told that any Checkpoint release with a 0 at the end should be avoided.

Comparison with a Commerical Firewall

This is a comparison of iptables on Linux with fwbuilder against Checkpoint Firewall. The comparison is purely my own opinion and based upon my personal experience working with Checkpoint (R60) and then replacing a Checkpoint firewall with a Linux, iptables and fwbuilder. .

Category	Checkpoint	Linux iptables and fwbulder
Software Licence Cost	Lots. E.g. 18K for initial licence	0. free software
Software Maintenance Cost	Lots. E.g. 1.5K per annum for maintenance	0. free software
Software Support Cost	Lots. E.g. 1.2K per annum for support from a 3rd party	0. free software
Staff time on software issues	Lots. Submit a suport request to your support provider. If the support provider can answer then it is quick. If the support request has to go to Checkpoint the wait is long then you might need to run extensive debugging and send them fairly large files	Some. There is a huge amount of information out there on the www and in books. Colleagues can also be very helpful.
Training Costs	Lots. E.g. 2K per person for the 5 days of training you really do need	Medium. Staff time spent using and learning iptables, fwbuilder and Linux. A test setup is a good idea
Hardware Costs	More. Windows computer to run the GUI. Smart centre on a computer. Firewall on another computer	Less. A computer to run the firewall
Site to site VPN	does this well	I do not know and have not investigated
VPN for client computers	Lots of licence costs and no support for Linux.	Allow access to your VPN server. Use openVPN, Windows VPN, etc.
Automatic fail-over	Impressive. You need more licences. Cluster 2 firewall computers together and you get very good failover. You can also have both FWs active (in the cluster). On the training course we saw no traffic loss when disconnecting one of the clustered FW computers.	The heartbeat application could be used, although it will not synchronise the state tables between two firewalls. pf on openBSD will, I am told, do the full monty with state table synchronisation between clustered servers as one firewall. For a GUI and many other feature there is pfsense on freeBSD which has been ported to openBSD

Notes: I also experienced problems with Checkpoint R60 blocking Windows Domain (Active Directory) joins from Windows 2003 Server and Windows Vista. The solution was to apply the hot fixes to R60. Unfortunately applying the hotfixes resulted in machines with multiple IP addresses being blocked. Months passed and then the solution was to turn off the "out of state" (fw_allow_out_of_state_post_syn) checking.

Simple Practical Backup/Recovery/Resilience

2nd PC with FW rules ready to go, on it. 192.168.X.X on a spare interface to get patches and new rule-sets onto the backup FW
can be nice to also have a test FW around the place - 3rd backup
you can copy the mac address of the live FW to the backup one for quicker changeover (depending upon arp cache timeouts on the next router out from your network)
PC has some redundancy such dual redundant PSUs (1 for UPS, 1 for mains) and RAID
doco printed out and attached to FW

Deployment

be careful
development and test firewall rules on a test setup
ask a colleague to check the new rules, particularly when a big change is being made
be careful
deploy the rules to the live firewall during advertised downtime
test on the live network (a scripted regression test is a good thing)
be careful
wait
no problems reported then deploy the rules to your backup firewall
you can use fwbuilder to automate deployment of rules to more than one firewall via ssh if you wish - not something I have explored - I have scripted my own way of doing this

Extra Techie stuff

The following are some simple commands for viewing iptables rules, log message handling and memory usage (state tables) on Linux:

aptitude install iproute

Useful iptables commands
# list the rules:
iptables -L
# no DNS lookups (numeric output)
iptables -nvL
# to also see the NAT rules with no DNS lookups (numeric output)
iptables -nvL -t nat
# to see NAT stuff with DNS lookups
iptables -t nat L

# to clear the iptables settings
i${IPTABLES} -P INPUT ACCEPT
${IPTABLES} -P OUTPUT ACCEPT
${IPTABLES} -P FORWARD ACCEPT
${IPTABLES} -F
${IPTABLES} -X
${IPTABLES} -Z

# To stop log messages going to the console:
# /proc/sys/net/ipv4/ip_forward
cat >>/etc/sysctl.conf <<EOF
kernel.printk = 3 4 1 7
EOF
sysctl -p

# Memory usage and state tables
http://www.wallfire.org/misc/netfilter_conntrack_perf.txt
# the hashsize (number of buckets) is set with:
/proc/sys/net/ipv4/netfilter/ip_conntrack_buckets
# interesting stuff for connection tracking in:
/proc/sys/net/ipv4/netfilter

# to set the hashsize dynamically, depending upon kernel version:
# Between 2.6.14 and 2.6.19 (included), use:
echo $HASHSIZE > /sys/module/ip_conntrack/parameters/hashsize
# Since 2.6.20, use:
echo $HASHSIZE > /sys/module/nf_conntrack/parameters/hashsize

# to set CONNTRACK_MAX:
# Since Linux kernel version 2.4.23 (thus Linux 2.6 as well), use:
echo $CONNTRACK_MAX > /proc/sys/net/ipv4/netfilter/ip_conntrack_max


# How large do these values need to be?
The size of kernel memory used by netfilter connection tracking is:
size_of_mem_used_by_conntrack (in bytes) =
        CONNTRACK_MAX * sizeof(struct ip_conntrack) +
        HASHSIZE * sizeof(struct list_head)

on i386, kernel 2.6.5, size_of_mem_used_by_conntrack is around
CONNTRACK_MAX * 300 + HASHSIZE * 8 (bytes).
(pointer size is 4 bytes, therefore 2 * 4 = 8 )

By default, CONNTRACK_MAX = HASHSIZE * 8.  This means that there is an average
of 8 conntrack entries per linked list (in the optimal case, and when
CONNTRACK_MAX is reached), each linked list being a hash table entry
(a bucket).
On systems with enough memory and where performance really matters, you can
consider trying to get an average of one conntrack entry per hash bucket,
which means HASHSIZE = CONNTRACK_MAX.

# Debian etch v4.0 on 64-bit Intel
sizeof(struct ip_conntrack) = 304 bytes
sizeof(struct list_head) = 2 * size of pointer = 2 * 8 = 16 bytes

65536 * 304 + 65536 * 8 = 20447232
20447232 / 1024^2 = 19.5MB

304x + 8x = memory(MB).1024^2

x = memory.1024^2 / 312
# we want approximately 1GB for connections:
x = 1024.124^2 / 312 = 3441480.20512820512820512820
# we want a power of 2 number
2^21 = 2097152
2^22 = 4194304 # chosen as this is for the Department perimeter FW

echo 4194304 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
echo 4194304 > /sys/module/ip_conntrack/parameters/hashsize

# for an internal NATing firewall we want to use 512MB of memory:
1048576
# in /etc/init.d/firewall-chfwnmr
                # set hashsize for performance
                echo 1048576 > /sys/module/ip_conntrack/parameters/hashsize
                # set connection table size
                echo 1048576> /proc/sys/net/ipv4/netfilter/ip_conntrack_max
                # set arp cache timeout to 3 minutes
                echo 180 > /proc/sys/net/ipv4/route/gc_timeout

# "Neighbour table overflow" - arp tables filling up
First of all: this has nothing to do with netfilter, just with
the routing and cacheing of the routes.

Further comments about/from/relating to this talk

" Although I am familiar with iptables, our Technicians are not, this software allows a graphical representation of what is happening, and a way to edit themselves. Which from an 'all can fix/ understand' point of view is excellent. "

" I cannot see why anyone would want a commercial firewall. "

" pfSense is on freeBSD and its home page is here http://www.pfsense.com/
pf is the openBSD firewall like netfilters for linux. pfSync is the tool that copies firewall states between pf firewalls CARP is the openBSD implementation of something like cisco's VRRP allowing 2 (or more) machines to share a floating IP with one as master and one as backup. All this has been ported to freeBSD
pfSense is a build of freeBSD with the pf firewall, pfsync, CARP and php based configuration (even init scripts) and webGUI with all the bits you need to have a decent firewall (DHCP, DNS etc).
I have been running a test setup of 2 pfSense firewalls in a CARP cluster for a while now. The failover is amazing you can yank the power lead out of the master whilst streaming video and it will failover with only a tiny loss of packets. Usually the loss is so small the buffering in the video copes with the loss and you won't even notice. "

"7 months after replacing a Checkpoint firewall with Linux and iptables there have been zero security incidents. This is on a network with some 2000 devices and a varied selection of hardware and operating systems." - Mike Rose.

Other Information

JANET training course: Firewalls: Planning and Implementation