Open Source Firewall: Dream or reality?
Jan Du Caju, KULeuvenNet

Agenda
- Introduction
- Firewalls
- Situation at K.U.Leuven
- Open Source implementation
- Open Source alternatives
- Future
Open Source Firewall: dream or reality?
Criteria:
- flexibility
- modifiable
- scalability
- high availability
- bandwidth
- price/licenses
- documentation
- expertise
More or less independent of firewall: reality for K.U.Leuven
Firewalls: three types
- Packet filter: performance, low security, application independent, no screening above the network layer
- Application proxy/gateway: security, performance, full application awareness, dedicated
- Stateful packet inspection: network layer inspection, performance, partial application awareness, security
Firewall setup at K.U.Leuven over time (diagram residue; only the recoverable information is kept)
- pre 1999: 3 Mbps Internet; firewall: Cisco; zones KotNet and KULnet
- 1999: 8 Mbps Internet; FW/NAT: CheckPoint; KotNet, KULnet
- 2000: 25 Mbps Internet; web cache (Cisco), FW/NAT (CheckPoint), web cache (Cisco); KotNet, KULnet
- 2001: 80 Mbps Internet; web cache (Cisco), NAT (Linux), FW/NAT (CheckPoint), web cache (Cisco); KotNet, KULnet
- 2003: avg 86 Mbps Internet; Nortel VPN; web cache (Cisco), NAT (Linux), firewall (CheckPoint), NAT (Linux), web cache (Cisco); per-path figures in the diagram: 34 Mbps, 36 Mbps, 0.6 Mbps, 6 Mbps; KotNet, KULnet
- 2005: avg 100 Mbps Internet; Nortel VPN; web cache (Cisco), NAT (Linux), firewall (Linux), NAT (Linux), web cache (Cisco); per-path figures in the diagram: 36 Mbps, 39 Mbps, 10 Mbps, 6 Mbps, 8 Mbps; KotNet, KULnet
Internet bandwidth usage (chart): web traffic about one half, remaining traffic the other half; KotNet bandwidth usage (chart)
K.U.Leuven network (current)
- Zones: Internet, KotNet, KULeuven (GNU/Linux servers, clients, SAP servers behind a SAP FW); central firewall: Juniper Netscreen
- Central firewall: filtering only between the 3 zones
- Within K.U.Leuven: limited inter-subnet filtering via Cisco ACLs: autoblock, smtp-block or smtp traffic limited to CAV, ACLs towards subnets of DMZs, departments, units
- Domino effect if 1 machine is hacked (e.g. SAP servers)

K.U.Leuven network (target)
- Zones: Internet, KotNet, KULeuven clients, DMZs with servers, behind the firewall
- Eliminate the domino effect between servers: group servers in functional DMZs (dedicated intrusion detection and prevention, ...)
- Security measures on the servers themselves: filters on each server
Functional DMZs (behind the KULeuven firewall, towards KotNet and the Internet): CAV, WWW, ldap, dns/dhcp, dmz-x, pop/imap, samba, DB, SAP

Data streams
- Service requests from the Internet and KotNet into the DMZs: via the firewall
- Inter-DMZ traffic: via the firewall
- Outgoing Internet requests from KULnet: web requests via the web caches, non-web requests via NAT
Load implications:
- Firewall: only KUL services
- NAT: only KUL non-web Internet requests
- Web caches: only KUL web requests

2006 design (diagram): Internet, VPN, web cache, NAT, firewall, NAT, web cache; KotNet, DMZs, KULnet
Firewalls: comparison
- CheckPoint/Nokia: central management, documentation/support, GUI, licenses/price, multi OS/HW
- Cisco PIX: out-of-box, flexibility, hardened purpose-built RT OS, price
- ASIC based (Juniper Netscreen ISG-2000 or Fortinet Fortigate-3600): dedicated HW, price, high bandwidth performance, performance under DDoS (< open source within specs), hardened purpose-built RT OS
- Open Source: flexible (P2P), state replication (almost stable), modifiable (BCrouter), complex protocols (experimental modules), price (hardware only), a little less high bandwidth performance, performance

Firewalls: summary
- Commercial: security-specific RT OS, ASIC, all in one vendor, price
- Open Source: (hardened) multipurpose OS, open HW, components based, flexible
Design criteria
- high availability: redundancy
- scalability
- secure setup
- flexibility (adjustable/modifiable)
- avoid combination of services (logical/functional split)
- ease of administration

Open Source implementation
- NAT/Filtering: iptables/nf-hipac
- High Availability: VRRP
- Multiple DMZs: 802.1q/vlan
- Logging: remote syslog/ulog; remote logging for performance and security

Filtering/NAT
- netfilter: kernel framework
- iptables: userspace program; syntax: iptables <command> [<match>]+ <target>
- nf-hipac: high performance packet classification implemented on top of the netfilter framework
Packet traversal (built up over several slides)
- Chains only: Network -> PREROUTING -> ROUTING -> INPUT -> local process -> OUTPUT -> ROUTING -> POSTROUTING -> Network; forwarded packets go ROUTING -> FORWARD -> POSTROUTING instead of INPUT/OUTPUT
- With the filter table: INPUT (filter), FORWARD (filter), OUTPUT (filter)
- With the nat table: PREROUTING (nat), OUTPUT (nat, filter), POSTROUTING (nat)
- With connection tracking: conntrack runs in PREROUTING before nat, and in OUTPUT before nat and filter
- With the raw table: raw runs before conntrack in PREROUTING and OUTPUT
- Full path: Network -> PREROUTING (raw, conntrack, nat) -> ROUTING -> INPUT (filter) -> local process -> OUTPUT (raw, conntrack, nat, filter) -> ROUTING -> POSTROUTING (nat) -> Network; FORWARD (filter) sits between ROUTING and POSTROUTING (nat)
Connection tracking
States: NEW, ESTABLISHED, RELATED, INVALID
TCP basics (client - firewall - server):
- client -> server SYN: NEW
- server -> client SYN/ACK: ESTABLISHED
- client -> server ACK: ESTABLISHED
Complex protocols: ftp (active)
- command channel: client -> server, port 21
- data channel: server -> client, from port 20
Conntrack helper: parses the PORT command on the command channel (PORT 134,58,10,1,4,1 aka 134.58.10.1:1025)
- client -> server (command channel): ESTABLISHED
- server -> client SYN on the data channel: RELATED
- client -> server SYN/ACK: ESTABLISHED
- server -> client ACK: ESTABLISHED
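The conntrack states and the active-FTP helper from the slides above, as an added Python example that is not part of the presentation: a toy connection-tracking table that classifies packets as NEW/ESTABLISHED/RELATED/INVALID, and a helper that decodes the PORT command so the server's data-channel SYN is RELATED rather than NEW. The server address 10.0.0.5, the client ports and the packet sequence are constructed for the example.

```python
import re

# FTP PORT argument a1,a2,a3,a4,p1,p2 -> IPv4 a1.a2.a3.a4, port p1*256 + p2
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def parse_port_cmd(payload):
    """Decode the address a client announces in an active-mode PORT command.
    b'PORT 134,58,10,1,4,1' -> ('134.58.10.1', 1025), since 4*256 + 1 = 1025."""
    m = PORT_RE.search(payload)
    if not m:
        return None
    a, b, c, d, hi, lo = (int(x) for x in m.groups())
    return f"{a}.{b}.{c}.{d}", hi * 256 + lo

class Conntrack:
    """Toy model of netfilter connection tracking plus an FTP helper."""
    def __init__(self):
        self.conns = set()     # tracked flows, keyed by their original direction
        self.expected = set()  # (server_ip, client_ip, client_port) from PORT

    def classify(self, src, sport, dst, dport, flags, payload=b""):
        orig, reply = (src, sport, dst, dport), (dst, dport, src, sport)
        if orig in self.conns or reply in self.conns:
            state = "ESTABLISHED"      # any packet of a known flow, either way
            # helper: watch the command channel (port 21) for PORT commands
            if dport == 21 and (ann := parse_port_cmd(payload)):
                self.expected.add((dst, ann[0], ann[1]))  # server -> client:port
        elif "SYN" in flags and "ACK" not in flags:
            self.conns.add(orig)       # a new flow starts with a bare SYN
            key = (src, dst, dport)
            state = "RELATED" if key in self.expected else "NEW"
            self.expected.discard(key) # an expectation is consumed once
        else:
            state = "INVALID"          # no entry and not a connection start
        return state

def active_ftp_trace():
    """Replay the slide's exchange; returns the conntrack state of each packet."""
    ct = Conntrack()
    client, server = "134.58.10.1", "10.0.0.5"  # constructed sample addresses
    packets = [
        (client, 1024, server, 21, {"SYN"}, b""),                    # NEW
        (server, 21, client, 1024, {"SYN", "ACK"}, b""),             # ESTABLISHED
        (client, 1024, server, 21, {"ACK"}, b""),                    # ESTABLISHED
        (client, 1024, server, 21, {"ACK"}, b"PORT 134,58,10,1,4,1\r\n"),
        (server, 20, client, 1025, {"SYN"}, b""),   # announced data channel: RELATED
        (client, 1025, server, 20, {"SYN", "ACK"}, b""),             # ESTABLISHED
        (server, 20, client, 1026, {"SYN"}, b""),   # unannounced port: plain NEW
        (client, 4444, server, 22, {"ACK"}, b""),   # stray ACK, no entry: INVALID
    ]
    return [ct.classify(*p) for p in packets]
```

A ruleset that accepts ESTABLISHED,RELATED and only NEW for permitted services therefore lets the data channel through without opening port 20 or the high client ports in general.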
Open Source alternatives
- Complete solution (hardened OS + GUI): smoothwall, ipcop et al.
- FW GUI/script generators: fwbuilder, firestarter et al.
- OS hardening projects: openwall
- Commercial Linux-based FW (all-in-one): Astaro, Watchguard, Mara Systems, ...

Future
- GUI/complete solutions
- central management/logging
- enhanced conntrack helpers (SIP, ...)
- additional matches & targets
- High Availability: real state replication
- transparent proxy/layer 7 filtering
Questions & Answers

URLs:
- iptables/ulog: http://www.be.iptables.org
- nf-hipac: http://www.hipac.org
- VRRP: http://www.keepalived.org
- syslog-ng: http://www.ballabit.com
- Debian GNU/Linux: http://www.debian.org
- Complete solution: http://smoothwall.org
- GUIs: http://phpfwgen.sourceforge.net, http://fwbuilder.org, http://firestarter.sourceforge.net, http://shorewall.net
- Hardened Linux: http://openwall.com
- Commercial open source based: http://www.astaro.com, http://www.watchguard.com, http://www.marasystems.com