Sunday, January 15, 2017

Swiss Cheese, or Is that your Firewall?

by Craig Miller

Yummy yes, but not a good firewall
While debugging connectivity issues a user was having with my v6brouter project, I discovered that I was not the only one to see a brouter as a solution to extending the ISPs IPv6 network (when they don't provide prefix delegation). And the humbling thing is, that IPSOL did it more elegantly than my clunky code.

So if extending an IPv6 prefix can be done so elegantly, why not rewrite my v6brouter to utilize that better idea. And while I was there, I thought I would provide value add of a bridging firewall (see v6Brouter Part 2: v6Bridge Firewall). The first bridging firewall was more of a proof of concept, but not that useful if you are directly connected to the internet, since it only blocked external SSH access.

Creating a static bridging firewall

My first attempt at rewriting the firewall, was to block all external access, and only allow external in-bound SSH connections. This seemed like a better default firewall configuration.

And it worked great! It blocked all all in-bound connections except SSH. It also blocked responses to web requests, and any external response to a host on my LAN. Very secure, but not all that useful.

A more useful, stateful firewall

This led me to think more about how firewalls work, and the delicate balance of security vs convenience. I had created a very secure firewall, but certainly wasn't convenient. Modern firewalls are stateful machines which keep track of outbound requests, and open holes to permit external responses to those requests, thus making the firewall useful to the users inside on the LAN.

Fortunately, OpenWrt is linux-based, and I could utilize ip6tables features to create a stateful bridging firewall. It would block unsolicited external access, while allowing internal LAN hosts to receive external responses to their requests. All of this without altering the packets, just bridging, and extending the IPv6 prefix into user's LAN.

We tend to think of firewalls as a monolithic non-combustible barrier providing protection from the firestorm that is the Internet these days. But even a car firewall has holes: holes for brake lines, accelerator linkages, steering wheel linkage, wiring, coolant pipes (for the heater), etc.

Check for Holes

A network firewall can begin to look like Swiss cheese, after all the special user requested holes, connection-based holes (for external responses), and UPnP (Universal Plug n Play) holes that are requested by software on LAN hosts. If you don't know how many holes are in your firewall, it might be time to take a look. Don't forget to check your IPv6 firewall as well. Swiss cheese is good on a sandwich, but not as a firewall.

* Swiss cheese photo - Creative Commons