Lecture 2 - Packet Filtering and Inter-networking


18 Terms

1

Packet Filtering and Inter-networking

-Hardware inter-network devices containing a packet filter are colloquially referred to as firewalls

  • Routers, bridges, or switches

-Inter-network processes typically used

  • Bridging

    • A switch is a multi-port bridge

  • Routing

    • Standard routing

    • Network Address Translation (NAT)

      • Static NAT

      • Dynamic NAT/PAT

2

Bridging

-Bridges are layer 2 devices

  • The layer 3 header is not referenced in the forwarding decision

  • A local address table (LAT) keeps track of the physical port on which each layer 2 address resides

-Bridge NICs operate in promiscuous mode

  • To build the LAT

-Frames or cells are forwarded based on their destination layer 2 address

  • Care must be taken not to create loops in a bridged environment

    • Leads to broadcast storms and infinite life frames/cells

    • Can be automated with the spanning tree algorithm

3

Filtering Bridges

-A bridge that contains a packet filter

-Allows protecting address sets not easily routed

  • Addresses that cannot be aggregated

  • Environments where you cannot effect routing changes

-Can protect noncontiguous addresses on a single L3 segment

  • Any address on the segment can be placed behind the bridge with no routing configuration changes

-Requires a dedicated target interface (or VLAN)

-Induces latency from promiscuous mode

-Can create broadcast storms and loops

4

Filtering Bridge Best Practices

-If possible use straight routing instead

-For a couple of addresses, consider SNAT (static NAT)

-Leave target NIC unbound (no L3 address)

-Try to avoid sharing an interface as a bridge source and routing/NAT target

  • Promiscuous mode latency will affect all traffic in/out of the interface

5

Routing

-Layer 3 process used to re-write a packet to another interface

-Packets are addressed to an interface’s L3 address

-Logical place to put a packet filter as the L3 address will be processed anyway

-Types of routing

  • Standard routing

    • Simply adding a packet filter to a router

  • Network Address Translation (NAT)

    • Addresses are re-written when routed

6

Standard Routing Best Practices

  • Use whenever possible to filter Internet servers

    • Adds the least latency

  • The addresses on both sides of the firewall must be "legal" in the inter-network

    • On the Internet some addresses are not allowed

      • RFC 1918 (private) - 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16

      • RFC 5735 (link local) - 169.254.0.0/16

  • All normal routing rules and protocols apply

    • Default routes

    • Route aggregation

    • Routing Protocols

7

Network Address Translation (NAT)

  • Traffic crossing the device has its L3 address re-written

    • Outgoing traffic (private to public)

      • The source address is re-written to a public address on the device

    • Incoming traffic (public to private)

      • The destination address is re-written to the address of the target

  • Depending on NAT type additional protocol addresses may be re-written as well

8

Static NAT

  • AKA SNAT or 1:1 NAT

  • Operates exclusively at L3

  • Each internal L3 host address is translated to/from a unique L3 address on the public side of the firewall

    • Multiple addresses are commonly bound to the public interface of the firewall

    • Does not reduce the number of required IP addresses

  • Supports both ingress and egress connection requests

9

Static NAT Best Practices

  • Use only when incoming connections are needed

    • If only outgoing connections are required use DNAT/PAT

  • Each external interface can only support a limited number of addresses

    • Varies by OS

    • Best for under 10 addresses

    • Adds latency to all inbound traffic on the interface

      • As each packet must be inspected to see if translation is required

10

Dynamic NAT

  • AKA DNAT or Port Address Translation (PAT)

  • All outgoing traffic is translated to a single public address on the firewall

    • Layer 4/5 addresses are used to track the internal address for each session

    • Allows a single public address to support many private clients

  • Very limited support for incoming connections

    • AKA port forwarding

    • A single internal host can be defined for each port number

    • Different ports can be targeted to different hosts

11

Dynamic NAT Best Practices

  • Best routing solution for true private zones

    • Minimal public addresses required

    • No additional configuration when new internal hosts are added

    • Provides perfect protection from incoming connection requests

      • Unless a port forward is in place

  • Remember that a session is made directly between the internal and external hosts for egress traffic

    • Once a session is in place it can be co-opted for nefarious use

12

Beyond Packet Filtering - ALGs

  • An Application Layer Gateway (ALG) completely insulates the internal machine from the external machine

    • The internal machine communicates only with the internal interface of the proxy

    • The proxy then relays the message to the external machine and vice-versa

    • Allows access between private address space and public address space

  • A separate ALG is required for each L6/7 protocol

    • Some are bundled into sets

13

Application Layer Gateways (ALG)

  • Allow robust inspection of L6/7 layer traffic

    • Web content filtering

    • Email SPAM and Malware filtering

  • Allow protocols that dynamically open ports to traverse the public/private boundary

    • H.323, Active FTP, etc

    • ALG monitors control channels for other ports to manage

14

Hybrid Firewall

  • Combine elements of traditional packet filters and ALGs

    • Support bridging/routing/NAT

    • Provide ALG services for some common protocols

  • Most current solutions fall into this category

    • Swiss Army knife tools that do everything

    • Getting harder to categorize these types of tools

15

Firewall Performance Metrics

  • Throughput (bytes per second)

    • Can be misleading

    • As much an issue of the protocol as of the firewall itself

      • Low overhead, big packet protocols vs. small packet, chatty protocols (FTP vs. SMTP)

    • Can be useful for the exact same traffic

  • Packet forwarding rate (packets per second)

    • More accurately measures performance

    • Will vary by filtering method

      • Routed, bridged, static NAT, dynamic NAT, etc.

    • Better captures latency across the firewall

16

Packet Inspection = Latency

  • Packets must be buffered

    • The packet must be inspected and allowed before the first bit is forwarded

    • No cut-through forwarding

  • Stateful inspection adds additional latency

    • Requires a state table update/lookup

  • All forms of NAT require that the packet header be re-written

    • Along with an address table update/lookup

  • Latency is added on a per-packet basis

17

Latency Order from Best to Worst

  • Standard Routing

    • Minimal additional processing required

  • Bridging

    • NICs must be in promiscuous mode which reduces efficiency

  • Static NAT

    • Layer 3 addresses must be re-written in both directions

  • Dynamic NAT/PAT

    • Layer 3 and layer 4 addresses must be re-written in both directions

  • Application Layer Gateways

    • Two separate sessions must be managed

18

Firewalls Aren’t Everything

  • There is much more to network security than firewalls

    • However, they are a good place to start as they typically provide the initial barrier to attack

  • You should practice defense in depth

    • Multiple layers of security

  • Too many people use the "triple-lock the front door" approach with firewalls

    • Then leave the back door unlocked and wonder how the compromise happened…
