Firewall Control Protocol Requirements and Framework - PowerPoint PPT Presentation

Provided by: jiri153
Slides: 19

Transcript and Presenter's Notes

1
Firewall Control Protocol Requirements and
Framework
  • Jiri Kuthan
  • GMD Fokus
  • kuthan_at_fokus.gmd.de

2
Problem Statement
  • Applications that use dynamic port numbers cannot
    get their data streams through firewalls deploying a
    default-deny filtering policy unless the
    firewalls understand the application.
  • If the firewalls deploy address translation, the
    application cannot signal the end addresses
    unless the firewall tells it the translation association.
  • Interaction between firewalls and applications is
    needed.

3
From Where to Perform Application-aware Control?
  • The firewalls need to be controlled by
    application-aware entities. These may be located
      • in end-devices
      • in packet filters
      • in external Application Level Gateways (Proxies)
  • Reasonable security model: ALGs are centrally
    administered, trusted devices
  • Packet filters are relieved from understanding
    application protocols; instead, existing ALG
    logic is reused -> higher performance, easier
    maintenance of application-awareness
  • Firewall Control Protocol needed

4
Architecture
  • [Architecture diagram, recoverable only in outline: inside the firewall, a
    SIP Proxy and an FTP Proxy handle SIP and FTP signaling from end-devices and
    drive the Filtering unit's Rules Table over FCP; firewall management tools
    also feed the Rules Table; the Packet Filter applies the rules to the data
    streams (RTP, ftp-data, etc.) crossing between Inside and Outside.]

5
Basic Requirements
  • Allow for secure dynamic management of filtering
    and NAT rules.
  • Operations: set/delete/query filtering/NAT rules
  • Rule definition: simple and powerful
      • arbitrary packet matching rules
      • precedence definition
      • packet actions: pass, drop w/ or w/o ICMP
        notification
  • Application-driven soft-state design
  • Security: by private authenticated channel;
    administrative policy defining who may maintain
    what rules and how they are required to
    authenticate.
  • Reliability
  • Multiple-access consistency: notion of rule
    ownership and operation atomicity.

6
Notes on Performance
  • A default-deny-dynamic-open policy implies a high
    number of rapidly changing filtering rules and
    may affect filter performance and packet
    latency.
  • So may complex rules. Resolving the trade-off
    between rule complexity and processing speed is left
    up to the administrator. FCP supports arbitrary rules.

7
Extending FCP's Scope
  • Firewall control is a particular case of flow
    state management; if designed carefully and
    generally, the control protocol may be used to
    drive per-flow states residing in network nodes
    (e.g. accounting, QoS)
  • Example: SIP proxy driving DiffServ packet
    classification in edge routers
  • Benefits of this particular deployment: QoS
    control in this case is application-aware,
    administrator-controlled, and transparent to
    end-devices.
  • Needed extension: rewrite-packet operation.

8
Support for Firewalls w/o Rule Tables
  • Alternatively, future firewalls may use
    authenticated authorization tokens (MACs)
    attached to packets rather than internal flow
    tables to filter packets. Advantage:
    spoofing-proof.
  • This approach opens a huge can of worms (token
    time validity, specific security risks,
    management of the authorization tokens, etc.)
  • FCP support should be considered.

9
Backup Slides
10
Administration
  • What is out of the protocol's scope and belongs to
    administration policy:
      • Resolving the trade-off between rule complexity and
        processing speed.
      • Defining who may maintain what rules and what
        kind of authentication they need. Examples:
          • arbitrary rules originating from the SIP proxy are
            allowed; the proxy may modify only the rules it
            created
          • direct SIP signaling allowed if users
            authenticate
          • administrator may modify whatever (s)he wants

11
The Protocol
  • Maybe an existing protocol may be reused. Maybe
    not.
  • FCP can be seen as a database protocol (SQL),
    master-slave control protocol (IPDC, MGCP),
    management protocol (SNMP), RPC, HTTP, etc.
  • Postpone this discussion until a consensus on
    requirements is reached.

12
Example Protocol Flow
  • Example of how FCP can be used to get an outgoing
    SIP call through a firewall deploying a
    default-deny policy and address translation.
    Pinholes are opened for media streams in both
    directions for the duration of the SIP/SDP session.
  • The protocol timeline shown here is intended as an
    example; the timing of opening and closing pinholes
    in SIP sessions (consider 183 provisional media,
    re-invites, ...!) is subject to discussion.
  • Note the pinholes are wide because SDP does
    not communicate source port numbers. (Otherwise,
    w/NAT an additional association rule would be
    needed for outgoing media.)

13
Example Protocol Flow - 1
Participants, INSIDE to OUTSIDE: UAC, SIP Proxy, AuthServer, NAT/FW, UAS
(endpoints written as address:port)
  • UAC -> SIP Proxy: INV 10.1.1.1:55
  • SIP Proxy -> AuthServer: auth?
  • AuthServer -> SIP Proxy: OK auth
  • SIP Proxy -> NAT/FW: assoc 10.1.1.1:55
  • NAT/FW -> SIP Proxy: OK assoc 10.1.1.1:55, 10.1.2.42:66
  • SIP Proxy -> UAS: INV 10.1.2.42:66

14
Example Protocol Flow -2
Participants, INSIDE to OUTSIDE: UAC, SIP Proxy, AuthServer, NAT/FW, UAS
  • UAS -> SIP Proxy: 200 OK 10.1.3.1:77
  • SIP Proxy -> UAC: 200 OK 10.1.3.1:77
  • UAC -> SIP Proxy: ACK
  • SIP Proxy -> NAT/FW: allow incoming, S 0.0.0.0:0 D 10.1.2.42:66
  • NAT/FW -> SIP Proxy: OK allow incoming
  • SIP Proxy -> NAT/FW: allow outgoing, 0.0.0.0:0 10.1.3.1:77
  • NAT/FW -> SIP Proxy: OK allow outgoing
  • SIP Proxy -> UAS: ACK

15
Example Protocol Flow -3
Participants, INSIDE to OUTSIDE: UAC, SIP Proxy, AuthServer, NAT/FW, UAS
  • UAC -> UAS (media, through NAT/FW): RTP DST 10.1.3.1:77
  • UAS -> UAC (media, through NAT/FW): RTP DST 10.1.2.42:66, translated to
    RTP DST 10.1.1.1:55
  • UAS -> SIP Proxy: BYE
  • SIP Proxy -> NAT/FW: deny incoming, 0.0.0.0:0 10.1.2.42:66
  • NAT/FW -> SIP Proxy: OK deny incoming, 0.0.0.0:0, 10.1.2.42:66
  • SIP Proxy -> UAC: BYE

16
Example Protocol Flow -4
Participants, INSIDE to OUTSIDE: UAC, SIP Proxy, AuthServer, NAT/FW, UAS
  • UAC -> SIP Proxy: 200 OK
  • SIP Proxy -> NAT/FW: deny outgoing, 0.0.0.0:0, 10.1.3.1:77
  • NAT/FW -> SIP Proxy: OK deny outgoing, 0.0.0.0:0, 10.1.3.1:77
  • SIP Proxy -> UAS: 200 OK
  • SIP Proxy -> NAT/FW: release 10.1.1.1:55, 10.1.2.42:66
  • NAT/FW -> SIP Proxy: OK release 10.1.1.1:55, 10.1.2.42:66
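The call flow of slides 12 to 16 replayed against a toy default-deny rules table, as an added example written for this transcript (not FCP itself and not any firewall's code). The addresses, ports and operations are the slides' own; the class, method and owner names are assumptions of the example, which also exercises the rule-ownership requirement of slide 5.

```python
from dataclasses import dataclass, field

ANY = ("0.0.0.0", 0)  # wildcard endpoint, as written on slides 14-16

@dataclass
class RulesTable:
    # toy NAT/FW state driven by FCP-style operations; names are assumptions
    assoc: dict = field(default_factory=dict)  # public (ip, port) -> inside (ip, port)
    rules: list = field(default_factory=list)  # (owner, direction, src, dst) pinholes
    def associate(self, inside, public=("10.1.2.42", 66)):
        # 'assoc': the NAT/FW chooses the public address (slide 13's value by default)
        self.assoc[public] = inside
        return public

    def allow(self, owner, direction, src, dst):
        self.rules.append((owner, direction, src, dst))

    def deny(self, owner, direction, src, dst):
        # rule ownership (slide 5): only the creator of a pinhole may remove it
        keep = [r for r in self.rules if r != (owner, direction, src, dst)]
        removed = len(keep) < len(self.rules)
        self.rules = keep
        return removed

    def release(self, public):
        self.assoc.pop(public, None)

    def filter(self, direction, src, dst):
        # default-deny: a packet passes only if some pinhole matches it
        def hit(pat, ep):
            return pat[0] in ("0.0.0.0", ep[0]) and pat[1] in (0, ep[1])
        for _, d, s, t in self.rules:
            if d == direction and hit(s, src) and hit(t, dst):
                # incoming packets to a public address are translated to the inside one
                return ("pass", self.assoc.get(dst, dst))
        return ("drop", None)

def replay_call():
    # replays slides 13-16 and returns the verdicts at each stage
    fw, proxy = RulesTable(), "sip-proxy"
    public = fw.associate(("10.1.1.1", 55))                # slide 13: assoc
    fw.allow(proxy, "incoming", ANY, public)               # slide 14: pinholes
    fw.allow(proxy, "outgoing", ANY, ("10.1.3.1", 77))
    during = (fw.filter("incoming", ("10.1.3.1", 77), public),
              fw.filter("outgoing", ("10.1.1.1", 55), ("10.1.3.1", 77)),
              fw.filter("incoming", ("10.1.3.1", 77), ("10.1.2.42", 99)))
    rogue = fw.deny("other-app", "incoming", ANY, public)  # not the owner: refused
    fw.deny(proxy, "incoming", ANY, public)                # slide 15: BYE
    fw.deny(proxy, "outgoing", ANY, ("10.1.3.1", 77))      # slide 16
    fw.release(public)
    return during, rogue, fw.filter("incoming", ("10.1.3.1", 77), public)
```

`replay_call()` returns the in-call verdicts (translated pass, pass, drop for a port without a pinhole), the refused deny from a non-owner, and the drop that applies again once the session's rules are gone.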

17
Examples - Matching Expressions
  • Matching expressions (from tcpdump man pages):
    proto[offset:size]
  • ip[0] & 0xf != 5 catches all IP packets with
    options
  • ip[6:2] & 0x1fff = 0 catches only unfragmented
    datagrams and frag zero of fragmented datagrams
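The two tcpdump-style expressions above evaluated against constructed IPv4 headers, as an added example not taken from the slides; `matches` and `ipv4_header` are names chosen here, and only `ip[offset:size] & mask op value` forms are supported.

```python
import re
import struct

# tcpdump-style "ip[offset:size] & mask op value" (names chosen for this example)
EXPR = re.compile(r"ip\[(\d+)(?::(\d+))?\]\s*(?:&\s*(0x[0-9a-fA-F]+|\d+))?\s*(!=|=)\s*(\d+)")

def matches(expr, packet):
    # True if the IPv4 packet bytes satisfy the expression; only ip[...] is supported
    m = EXPR.fullmatch(expr.strip())
    if not m:
        raise ValueError("unsupported expression: " + expr)
    offset, size, mask, op, value = m.groups()
    offset, size = int(offset), int(size or 1)   # size defaults to 1 byte, as in tcpdump
    field = int.from_bytes(packet[offset:offset + size], "big")
    if mask:
        field &= int(mask, 0)
    return field == int(value) if op == "=" else field != int(value)

def ipv4_header(ihl=5, flags_frag=0):
    # constructed IPv4 header, ihl 32-bit words long; NOP option bytes pad beyond 20
    ver_ihl = (4 << 4) | ihl
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, ihl * 4, 0x1234, flags_frag,
                      64, 17, 0, bytes([10, 1, 1, 1]), bytes([10, 1, 3, 1]))
    return hdr + b"\x01" * ((ihl - 5) * 4)
```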

18
Examples FCP request
  • Requests could consist of:
  • <request, version>
  • <state operation> ... SET|DELETE|QUERY
  • <flow description> ... <flow matching expression
    and precedence> <id>
  • parameters: <action> (drop matched packets w/o
    ICMP notification, reset counter, etc.)