Jason Dixon DixonGroup Consulting. September 17, 2005 NYCBSDCON 2005



Similar documents
FreeBSD Firewalls SS- E Kevin Chege ISOC

Firewalling with OpenBSD and PF

Murus. OS X PF Manual

DHCP & Firewall & NAT

HOWTO. Bandwidth Management for ADSL with OpenBSD

OpenBSD in the wild...a personal journey

Digi Certified Transport Technician Training Course (DCTT)

Firewalling with OpenBSD s PF packet filter

Firewalls. Chien-Chung Shen

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

A. Hot-Standby mode and Active-Standby mode in High Availability

using routing domains / routing tables in a production network

Firewalling with OpenBSD s PF packet filter

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300

Building a Home Firewall/Router Using OpenBSD-Sparc. Joshua Malone (jmalone@ubergeeks.com)

What is Firewall Builder

TheGreenBow IPsec VPN Client. Configuration Guide Cisco RV325 v1. Website: Contact:

PowerLink Bandwidth Aggregation Redundant WAN Link and VPN Fail-Over Solutions

IPv6-only hosts in a dual stack environnment

Digi Connect WAN Application Helper NAT, GRE, ESP and TCP/UPD Forwarding and IP Filtering

Deployment of Services on IPv6

ZyXEL ZyWALL P1 firmware V3.64

Appliance Quick Start Guide. v7.6

Understanding and Configuring NAT Tech Note PAN-OS 4.1

IPv6.marceln.org.

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Apliware firewall. TheGreenBow IPSec VPN Client. Configuration Guide.

Cisco RV 120W Wireless-N VPN Firewall

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet

Chapter 4: Security of the architecture, and lower layer security (network security) 1

Advanced Higher Computing. Computer Networks. Homework Sheets

Stateful Firewalls. Hank and Foo

Application Note. Stateful Firewall, IPS or IDS Load- Balancing

Networking. Systems Design and. Development. CRC Press. Taylor & Francis Croup. Boca Raton London New York. CRC Press is an imprint of the

Cisco SA 500 Series Security Appliance

Host Configuration (Linux)

Smart Tips. Enabling WAN Load Balancing. Key Features. Network Diagram. Overview. Featured Products. WAN Failover. Enabling WAN Load Balancing Page 1

Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM

Michal Ludvig, SUSE Labs, 01/30/2004, Secure networking, 1

Securing Your Network with pfsense. ILTA-U Dale Qualls Pattishall, McAuliffe, Newbury, Hilliard & Geraldson LLP dqualls@pattishall.

ISG50 Application Note Version 1.0 June, 2011

GregSowell.com. Mikrotik Security

Symantec Firewall/VPN 200

GregSowell.com. Mikrotik VPN

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Building scalable IPSec infrastructure with MikroTik. IPSec, L2TP/IPSec, OSPF

CCT vs. CCENT Skill Set Comparison

MINI-FAQ: OpenBSD 2.4 IPSEC VPN Configuration

Micronet SP881. TheGreenBow IPSec VPN Client Configuration Guide.

Netopia TheGreenBow IPSec VPN Client. Configuration Guide.

Planet CS TheGreenBow IPSec VPN Client. Configuration Guide.

Lecture 17 - Network Security

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Linksys RV042. TheGreenBow IPSec VPN Client. Configuration Guide.

Juniper NetScreen 5GT

How To Monitor Cisco Secure Pix Firewall Using Ipsec And Snmp Through A Pix Tunnel

IPv6 Security Best Practices. Eric Vyncke Distinguished System Engineer

WAN Failover Scenarios Using Digi Wireless WAN Routers

Server configuration for layer 4 DSR mode

Firewall Troubleshooting

Active-Active Firewall Cluster Support in OpenBSD

Protecting the Home Network (Firewall)

Table of Contents. 1 Overview 1-1 Introduction 1-1 Product Design 1-1 Appearance 1-2

Multi-Homing Dual WAN Firewall Router

Astaro Deployment Guide High Availability Options Clustering and Hot Standby

WiNG 5.X How To. Policy Based Routing Cache Redirection. Part No. TME Rev. A

How To Establish IPSec VPN connection between Cyberoam and Mikrotik router

How To Pass The Information And Network Security Certificate

Load Balancing Smoothwall Secure Web Gateway

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Cisco QuickVPN Installation Tips for Windows Operating Systems

Firewall Firewall August, 2003

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

Network virtualization

Computer Networks. Introduc)on to Naming, Addressing, and Rou)ng. Week 09. College of Information Science and Engineering Ritsumeikan University

Networking Technology Online Course Outline

WebGUI Load Balancing

Information Technology Career Cluster Introduction to Cybersecurity Course Number:

Networking Basics and Network Security

Virtual Private Networks

Introduction to Analyzer and the ARP protocol

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

(d-5273) CCIE Security v3.0 Written Exam Topics

Application Notes SL1000/SL500 VPN with Cisco PIX 501

Magnum Network Software DX

The VRRP Project. (Virtual Router Redundancy Protocol) Design Document

Relayd: a load-balancer for OpenBSD

Mobile IP Part I: IPv4

Amazon Virtual Private Cloud. Network Administrator Guide API Version

Linux Routers and Community Networks

Lecture Computer Networks

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

Troubleshooting and Maintaining Cisco IP Networks Volume 1

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

BorderWare Firewall Server 7.1. Release Notes

Technical Support Information Belkin internal use only

Ingate Firewall. TheGreenBow IPSec VPN Client Configuration Guide.

Transcription:

Failover Firewalls with OpenBSD and CARP Jason Dixon DixonGroup Consulting September 17, 2005 NYCBSDCON 2005

Introduction Firewalls are a mandatory network component

Introduction Firewalls are a mandatory network component Should be both a guardian and a guide

Introduction Firewalls are a mandatory network component Should be both a guardian and a guide Often a single point of failure

Introduction Firewalls are a mandatory network component Should be both a guardian and a guide Often a single point of failure Failover Firewalls are as vital as HA Application clusters

Introduction Firewalls are a mandatory network component Should be both a guardian and a guide Often a single point of failure Failover Firewalls are as vital as HA Application clusters Chicks dig redundancy

History of OpenBSD A leading secure UNIX-like operating system Emphasize code robustness and security Open licensing is crucial OpenBSD Packet Filter (PF) born out of IPFilter license change

PFSYNC Protocol OpenBSD team acknowledged need for failover

PFSYNC Protocol OpenBSD team acknowledged need for failover PFSYNC (IP Protocol 240)

PFSYNC Protocol OpenBSD team acknowledged need for failover PFSYNC (IP Protocol 240) Pfsyncd sends state updates via multicast

PFSYNC Protocol OpenBSD team acknowledged need for failover PFSYNC (IP Protocol 240) Pfsyncd sends state updates via multicast Other firewalls will update their own state tables

PFSYNC Protocol OpenBSD team acknowledged need for failover PFSYNC (IP Protocol 240) Pfsyncd sends state updates via multicast Other firewalls will update their own state tables Synchronized state == graceful failover

Before CARP OpenBSD lacked failover mechanism Virtual Router Redundancy Protocol (VRRP) assigns virtual gateway between physical routers Operates at OSI Layers 2 and 3 Master/Backup relationship VRRP encumbered by Cisco patent

CARP Protocol Common Address Redundancy Protocol (IP Protocol 112)

CARP Protocol Common Address Redundancy Protocol (IP Protocol 112) Addressed the need for a patent-free failover mechanism

CARP Protocol Common Address Redundancy Protocol (IP Protocol 112) Addressed the need for a patent-free failover mechanism Virtual MAC and IP addresses

CARP Protocol Common Address Redundancy Protocol (IP Protocol 112) Addressed the need for a patent-free failover mechanism Virtual MAC and IP addresses Supports IPv4 and IPv6

CARP Protocol Common Address Redundancy Protocol (IP Protocol 112) Addressed the need for a patent-free failover mechanism Virtual MAC and IP addresses Supports IPv4 and IPv6 Also provides load-balancing, preemption, and crypto hashed announcements

Basic CARP Failover

Basic CARP Example Single CARP virtual host on each gateway

Basic CARP Example Single CARP virtual host on each gateway Virtual host ID (vhid)

Basic CARP Example Single CARP virtual host on each gateway Virtual host ID (vhid) Control frequency of CARP advertisements (advskew)

Basic CARP Example Single CARP virtual host on each gateway Virtual host ID (vhid) Control frequency of CARP advertisements (advskew) Authenticate your advertisements (pass foo)

Basic CARP Example Single CARP virtual host on each gateway Virtual host ID (vhid) Control frequency of CARP advertisements (advskew) Authenticate your advertisements (pass foo) Attach CARP device to interface (carpdev)

Basic CARP Example (cont'd) Auto-recovery (net.inet.carp.preempt)

Basic CARP Example (cont'd) Auto-recovery (net.inet.carp.preempt) Secure pfsync interface OR peer address (syncpeer) + IPSec

Basic CARP Example (cont'd) Auto-recovery (net.inet.carp.preempt) Secure pfsync interface OR peer address (syncpeer) + IPSec Filter and translate on the physical interface

Basic CARP Example (cont'd) Auto-recovery (net.inet.carp.preempt) Secure pfsync interface OR peer address (syncpeer) + IPSec Filter and translate on the physical interface Must allow PFSYNC and CARP protocols

Basic Filtering - pf.conf # Macros ext_if="fxp1" int_if="fxp0" pfsync_if="xl0" # Options set skip on { lo $int_if } # Normalization scrub in # Translation nat on $ext_if from $int_if:network \ to any -> (carp0) # cont'd...

Basic Filtering - pf.conf #... cont'd # Filtering block in pass out keep state pass quick on { $ext_if $int_if } \ proto carp keep state pass quick on $pfsync_if proto pfsync pass in on $ext_if inet proto icmp \ icmp-type echoreq keep state pass in on $ext_if inet proto tcp \ port ssh flags S/SA keep state pass out on $ext_if all keep state

Basic Setup server1 server1# ifconfig carp0 vhid 1 pass foo \ > carpdev fxp1 192.168.0.20 255.255.255.0

Basic Setup server1 server1# ifconfig carp0 vhid 1 pass foo \ > carpdev fxp1 192.168.0.20 255.255.255.0 server1# ifconfig carp1 vhid 1 pass bar \ > carpdev fxp0 10.0.0.1 255.255.255.0

Basic Setup server1 server1# ifconfig carp0 vhid 1 pass foo \ > carpdev fxp1 192.168.0.20 255.255.255.0 server1# ifconfig carp1 vhid 1 pass bar \ > carpdev fxp0 10.0.0.1 255.255.255.0 server1# ifconfig pfsync0 syncdev xl0

Basic Setup server1 server1# ifconfig carp0 vhid 1 pass foo \ > carpdev fxp1 192.168.0.20 255.255.255.0 server1# ifconfig carp1 vhid 1 pass bar \ > carpdev fxp0 10.0.0.1 255.255.255.0 server1# ifconfig pfsync0 syncdev xl0 server1# sysctl -w net.inet.carp.preempt=1 net.inet.carp.preempt 0 -> 1

Basic Setup server1 server1# ifconfig carp0 vhid 1 pass foo \ > carpdev fxp1 192.168.0.20 255.255.255.0 server1# ifconfig carp1 vhid 1 pass bar \ > carpdev fxp0 10.0.0.1 255.255.255.0 server1# ifconfig pfsync0 syncdev xl0 server1# sysctl -w net.inet.carp.preempt=1 net.inet.carp.preempt 0 -> 1 server1# sysctl -w net.inet.ip.forwarding=1 net.inet.ip.forwarding 0 -> 1

Basic Setup server1 server1# ifconfig carp0 vhid 1 pass foo \ > carpdev fxp1 192.168.0.20 255.255.255.0 server1# ifconfig carp1 vhid 1 pass bar \ > carpdev fxp0 10.0.0.1 255.255.255.0 server1# ifconfig pfsync0 syncdev xl0 server1# sysctl -w net.inet.carp.preempt=1 net.inet.carp.preempt 0 -> 1 server1# sysctl -w net.inet.ip.forwarding=1 net.inet.ip.forwarding 0 -> 1 server1# pfctl -nf /etc/pf.conf

Basic Setup server1 server1# ifconfig carp0 vhid 1 pass foo \ > carpdev fxp1 192.168.0.20 255.255.255.0 server1# ifconfig carp1 vhid 1 pass bar \ > carpdev fxp0 10.0.0.1 255.255.255.0 server1# ifconfig pfsync0 syncdev xl0 server1# sysctl -w net.inet.carp.preempt=1 net.inet.carp.preempt 0 -> 1 server1# sysctl -w net.inet.ip.forwarding=1 net.inet.ip.forwarding 0 -> 1 server1# pfctl -nf /etc/pf.conf server1# pfctl -f /etc/pf.conf

Basic Setup server2 server2# ifconfig carp0 vhid 1 pass foo \ > advskew 100 carpdev fxp1 \ > 192.168.0.20 255.255.255.0

Basic Setup server2 server2# ifconfig carp0 vhid 1 pass foo \ > advskew 100 carpdev fxp1 \ > 192.168.0.20 255.255.255.0 server2# ifconfig carp1 vhid 1 pass bar \ > advskew 100 carpdev fxp0 \ > 10.0.0.1 255.255.255.0

Basic Setup server2 server2# ifconfig carp0 vhid 1 pass foo \ > advskew 100 carpdev fxp1 \ > 192.168.0.20 255.255.255.0 server2# ifconfig carp1 vhid 1 pass bar \ > advskew 100 carpdev fxp0 \ > 10.0.0.1 255.255.255.0 server2# ifconfig pfsync0 syncdev xl0

Basic Setup server2 server2# ifconfig carp0 vhid 1 pass foo \ > advskew 100 carpdev fxp1 \ > 192.168.0.20 255.255.255.0 server2# ifconfig carp1 vhid 1 pass bar \ > advskew 100 carpdev fxp0 \ > 10.0.0.1 255.255.255.0 server2# ifconfig pfsync0 syncdev xl0 server2# sysctl -w net.inet.carp.preempt=1 net.inet.carp.preempt 0 -> 1

Basic Setup server2 server2# ifconfig carp0 vhid 1 pass foo \ > advskew 100 carpdev fxp1 \ > 192.168.0.20 255.255.255.0 server2# ifconfig carp1 vhid 1 pass bar \ > advskew 100 carpdev fxp0 \ > 10.0.0.1 255.255.255.0 server2# ifconfig pfsync0 syncdev xl0 server2# sysctl -w net.inet.carp.preempt=1 net.inet.carp.preempt 0 -> 1 server2# sysctl -w net.inet.ip.forwarding=1 net.inet.ip.forwarding 0 -> 1

Basic Setup server2 server2# ifconfig carp0 vhid 1 pass foo \ > advskew 100 carpdev fxp1 \ > 192.168.0.20 255.255.255.0 server2# ifconfig carp1 vhid 1 pass bar \ > advskew 100 carpdev fxp0 \ > 10.0.0.1 255.255.255.0 server2# ifconfig pfsync0 syncdev xl0 server2# sysctl -w net.inet.carp.preempt=1 net.inet.carp.preempt 0 -> 1 server2# sysctl -w net.inet.ip.forwarding=1 net.inet.ip.forwarding 0 -> 1 server2# pfctl -nf /etc/pf.conf

Basic Setup server2 server2# ifconfig carp0 vhid 1 pass foo \ > advskew 100 carpdev fxp1 \ > 192.168.0.20 255.255.255.0 server2# ifconfig carp1 vhid 1 pass bar \ > advskew 100 carpdev fxp0 \ > 10.0.0.1 255.255.255.0 server2# ifconfig pfsync0 syncdev xl0 server2# sysctl -w net.inet.carp.preempt=1 net.inet.carp.preempt 0 -> 1 server2# sysctl -w net.inet.ip.forwarding=1 net.inet.ip.forwarding 0 -> 1 server2# pfctl -nf /etc/pf.conf server2# pfctl -f /etc/pf.conf

Demonstration

Basic Example - Troubleshooting Tools: Tcpdump, ifconfig, arp, pfctl, vmstat, pftop Items to check: CARP, PFSYNC announcements Interface state (MASTER, BACKUP, INIT) LAN client settings (CARP gateway) Application tests: Ping Large file transfer (scp/sftp) Multimedia over NFS Failover mechanisms: Down CARP interface Unplug ethernet cable Power down CARP member

Advanced Failover with Load-Balancing

Advanced Example Multiple CARP virtual hosts on each gateway

Advanced Example Multiple CARP virtual hosts on each gateway Virtual host ID (vhid) must be unique for each CARP interface on each segment

Advanced Example Multiple CARP virtual hosts on each gateway Virtual host ID (vhid) must be unique for each CARP interface on each segment Each CARP member will serve as MASTER for one CARP interface, and BACKUP as the other

Advanced Example Multiple CARP virtual hosts on each gateway Virtual host ID (vhid) must be unique for each CARP interface on each segment Each CARP member will serve as MASTER for one CARP interface, and BACKUP as the other Load-balance at the packet level (net.inet.carp.arpbalance)

Advanced Filtering - pf.conf # Macros ext_if="fxp1" int_if="fxp0" pfsync_if="xl0" http_ext="192.168.0.20" http_int="10.0.0.50" smtp_ext= 192.168.0.30 smtp_int= 10.0.0.60 # Options set skip on { lo $int_if } # Normalization scrub in # Translation binat on $ext_if from any to $smtp_ext \ -> $smtp_int rdr on $ext_if from any to $http_ext \ port http -> $http_int source-hash # cont'd...

Advanced Filtering - pf.conf #... cont'd # Filters block in pass quick on { $ext_if $int_if } \ proto carp keep state pass quick on $pfsync_if proto pfsync pass in on $ext_if inet proto icmp \ icmp-type echoreq keep state pass in on $ext_if inet proto tcp \ from any to ($ext_if) port ssh \ flags S/SA keep state pass in on $ext_if inet proto tcp \ from any to $smtp_int port smtp \ flags S/SA keep state pass in on $ext_if inet proto tcp \ from any to $http_int port http \ flags S/SA keep state pass out on $ext_if keep state # EOF

Advanced Setup - server1 server1# ifconfig carp0 vhid 1 pass foo carpdev fxp1 \ > 192.168.0.20 255.255.255.0 server1# ifconfig carp0 vhid 1 pass foo carpdev fxp1 \ > alias 192.168.0.30 255.255.255.0 server1# ifconfig carp1 vhid 2 pass foo carpdev fxp1 \ > advskew 100 192.168.0.20 255.255.255.0 server1# ifconfig carp1 vhid 2 pass foo carpdev fxp1 \ > advskew 100 alias 192.168.0.30 255.255.255.0 server1# ifconfig carp2 vhid 1 pass bar carpdev fxp0 \ > 10.0.0.1 255.255.255.0 server1# ifconfig carp3 vhid 2 pass bar carpdev fxp0 \ > advskew 100 10.0.0.1 255.255.255.0 server1# sysctl -w net.inet.carp.arpbalance=1 net.inet.carp.arpbalance: 0 -> 1

Advanced Setup - server2 server2# ifconfig carp0 vhid 1 pass foo carpdev fxp1 \ > advskew 100 192.168.0.20 255.255.255.0 server2# ifconfig carp0 vhid 1 pass foo carpdev fxp1 \ > advskew 100 alias 192.168.0.30 255.255.255.0 server2# ifconfig carp1 vhid 2 pass foo carpdev fxp1 \ > 192.168.0.20 255.255.255.0 server2# ifconfig carp1 vhid 2 pass foo carpdev fxp1 \ > alias 192.168.0.30 255.255.255.0 server2# ifconfig carp2 vhid 1 pass bar carpdev fxp0 \ > advskew 100 10.0.0.1 255.255.255.0 server2# ifconfig carp3 vhid 2 pass bar carpdev fxp0 \ > 10.0.0.1 255.255.255.0 server2# sysctl -w net.inet.carp.arpbalance=1 net.inet.carp.arpbalance: 0 -> 1

Brief Intermission

sasyncd IPSec SA synchronization daemon

sasyncd IPSec SA synchronization daemon Tracks state changes on a CARP interface

sasyncd IPSec SA synchronization daemon Tracks state changes on a CARP interface Messages encrypted using AES key

sasyncd IPSec SA synchronization daemon Tracks state changes on a CARP interface Messages encrypted using AES key /etc/sasyncd.conf

sasyncd IPSec SA synchronization daemon Tracks state changes on a CARP interface Messages encrypted using AES key /etc/sasyncd.conf Shared IPSec keys for CARP hosts

IPSec Failover Setup CARP hosts server1# cat /etc/hostname.carp0 vhid 1 pass foo carpdev fxp1 192.168.0.20 255.255.255.0!ipsecadm flush!ipsecadm flow -addr 10.0.0.0/24 10.10.10.0/24 \ -src 192.168.0.20 -dst 192.168.0.23 \ -proto esp -out -require!ipsecadm flow -addr 10.10.10.0/24 10.0.0.0/24 \ -src 192.168.0.20 -dst 192.168.0.23 \ -proto esp -in -require!sasyncd server1# cat /etc/sasyncd.conf carp interface carp0 peer 10.255.255.22 sharedkey /etc/sasyncd.key

Summary HA Firewall & VPN solution Commodity hardware Available for all BSDs and Linux (ucarp) Competes with (or exceeds) functionality of commercial offerings

References OpenBSD -- http://www.openbsd.org/ PF -- http://www.benzedrine.cx/pf.html VRRP RFC 3768 -- http://www.faqs.org/rfcs/rfc3768.html OpenBSD FAQ -- http://www.openbsd.org/faq/index.html PF User's Guide -- http://www.openbsd.org/faq/pf/index.html Userland CARP -- http://www.ucarp.org/

Stateful Failover

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information