Carolina Con Talk 1
Deconstructing Firewalls
Disclaimer: This post is being actively updated. Please check back for additional links
This presentation provides a general overview of the past implementations of firewalls, a modern perspective, and a forward look at what they can become. In this blog post, I will fill in any gaps in the presentation with references and helpful commentary. If you find this post useful, feel free to reach out to me at me[@]manta.black.
What is a Firewall
“A guardian of the digital world, standing between the chaos of the internet and the sanctity of our networks. It is a sentinel of order, enforcing the rules of access and denying entry to those who would harm.”
Generally, firewalls work as a boundary to resources by managing network access through packet filters in dedicated network devices or software appliances. It is easy to think of a firewall as the perimeter defense structure of a network, but as discussed later, there are well-defined architectures for deploying firewalls to defend against different security models, including defense against network traversal and covert channels. At its core, a firewall is powered by a packet filter, and there is not just one type of program that enables packet filtering. Some examples include eBPF/BPF, netfilter, and libpcap.
Packet filters are leveraged in a wide variety of firewall architectures that are deployed for different security use cases.
Firewall Architectures
A rudimentary packet filter is, as its name suggests, a simple packet filter that is usually found on network routers. These packet filters typically filter based on the network headers of the TCP/IP model. The packet filters discussed later build on this technology to enforce more advanced filtering functions. Two of those packet filters are stateful and stateless packet filters. A simple way to think about these two types of packet filters is that stateful firewalls track network connections, or “state,” whereas stateless firewalls do not. In some sense, a stateless firewall is another way to describe a rudimentary firewall. A more in-depth blog post on stateful vs. stateless packet filters can be found here.
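To make the stateful/stateless distinction concrete, here is an added Python example (not from the talk) that runs the same three constructed TCP packets through a flag-only ACL of the kind a rudimentary filter applies and through a connection-tracking filter; the addresses, ports, class names and the "inside" host set are assumptions.

```python
# Added example: stateless (flag-based) vs. stateful (connection-tracking)
# TCP filtering over constructed packet headers. All values are made up.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


INSIDE = {"10.0.0.5"}  # constructed: hosts protected by the firewall


def stateless_allow(p: Packet) -> bool:
    """Rudimentary ACL: inside hosts may initiate; inbound packets are
    admitted only if the ACK flag is set, i.e. the flag is the only hint
    that a connection "exists". No memory of earlier packets is kept."""
    if p.src in INSIDE:
        return True
    return p.ack


class StatefulFilter:
    """Remembers connections opened from the inside and admits inbound
    packets only when they are the reverse of a tracked 4-tuple."""

    def __init__(self) -> None:
        self.table = set()  # (src, sport, dst, dport) of outbound opens

    def allow(self, p: Packet) -> bool:
        if p.src in INSIDE:
            if p.syn and not p.ack:  # new outbound connection
                self.table.add((p.src, p.sport, p.dst, p.dport))
            return True
        return (p.dst, p.dport, p.src, p.sport) in self.table


def demo() -> dict:
    """Returns {name: (stateless_decision, stateful_decision)}."""
    fw = StatefulFilter()
    packets = [
        ("outbound", Packet("10.0.0.5", 40000, "203.0.113.9", 443, True, False)),
        ("reply", Packet("203.0.113.9", 443, "10.0.0.5", 40000, True, True)),
        # inbound ACK-only packet with no matching connection in the table
        ("unsolicited", Packet("198.51.100.7", 3333, "10.0.0.5", 22, False, True)),
    ]
    return {name: (stateless_allow(p), fw.allow(p)) for name, p in packets}
```

The stateless ACL admits the unsolicited inbound packet because its ACK flag is set, while the stateful filter drops it because no inside host ever opened that connection.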
A proxy firewall acts like a border firewall in the sense that it sits between the internet and the user. This is possible because it centralizes network activity on a central server that processes the inspection of network packets. Network packets are typically forwarded from endpoint systems to an appliance to enable this functionality. An example of this type of firewall is zorp. Another novel firewall is the next-generation firewall, also known as third-generation firewall technology. These firewalls were developed specifically to address the increasing number of threats targeting large organizations and governments. They combine the technologies previously described and improve application awareness, deep packet inspection, and application filtering to arguably filter out zero-day threats. There is much to be said about next-generation firewalls, especially by firewall vendors. You can find a more in-depth introduction to the topic in the Cloudflare blog post.
Distributed firewalls were conceived in the late ’90s. Earlier attributions exist, but an informative paper by Steven M. Bellovin embodies much of the intuition behind the architecture strategy. A distributed firewall filters all ingress and egress traffic of a device placed within the network. This improves the scalability and agility of the security boundary compared to centralized or perimeter-based firewalls. There were shortcomings with this type of implementation at the time, including management complexity and state growth, but these problems are being addressed in the development of network software stacks that take advantage of software-defined networking methodologies.
Newer Technology
Software-defined networking is the idea of decoupling the control and data planes in computer networks. In traditional networks, a network router hosts and manages how network packets are routed through the network. The act of managing network packet flows is accomplished by the control plane. By decoupling the data and control planes, a logically centralized controller can plan the placement of network flows by leveraging its global view of the network. In cases of distributed SDN controller placements, the global view is shared amongst physically dispersed controllers, but the scale that requires a distributed controller implementation is significant. The data plane, on the other hand, can be thought of as where the packets are forwarded. This typically includes network switches and, inherently, extremely fast packet parsing.
OpenFlow, the most commonly known SDN standard, does not directly support programming the data plane. Proposed specifications such as POF, also known as OpenFlow 2.0, propose expanding the standard to provide this ability. Now, why would you even want to program the data plane in the first place if you can directly control network traffic using the control plane interface? Earlier, I said that the data plane includes network switches and is inherently fast. This is due to the use of network switches. The data plane bypasses the operating system and directly uses network hardware to process and forward packets without OS intervention. Network switches are designed with dedicated packet processing pipelines to accomplish this task.
Following this intuition, research and applied technologies such as eBPF have attempted to bypass the slower software stack in the operating system to deploy programs directly into the packet processing pipeline. One language that supports the creation and deployment of data plane programs on supported switches is P4. This is where my area of research resides. To see a demonstration of why the development of security functionality in the data plane is important, you can take a look at my demo. Disclaimer: The demo is yet to be uploaded.
Takeaways
The key takeaways from this presentation are the following:
- Network firewalls are approachable and constantly advancing
- No one firewall solution answers every security model
- Data plane programming is breathing life into distributed firewall solutions, poised to improve traditional implementations