Firewall rules

from Wikipedia, the free encyclopedia

A firewall rule set defines which traffic is allowed through a firewall and which is forbidden. The method is a form of mandatory access control: depending on the sender address, destination address, protocol and sending process, permitted packets are let through (pass), while forbidden packets are either rejected (reject) or silently discarded (deny, drop). This protective mechanism is itself the target of a number of specific attacks.

Basics

The rules are checked for each packet (for stateful firewalls, for each new connection) in order, and the first matching rule is applied. The order of the rules is therefore significant. A firewall rule usually consists of six components:

  1. Sender IP address (also network addresses such as 192.168.0.0/24)
  2. Destination IP address
  3. Network protocol (TCP, UDP, ICMP, ...)
  4. Port number (for TCP and UDP)
  5. Action (allow, reject or drop)
  6. Logging (log) yes/no

Another possible component for TCP is inspection of the control flags. By checking the ACK flag, connection establishment can be restricted to one direction; for example, an attacker then cannot exploit a port rule for SSH to open a connection in the opposite direction.

Some firewall systems also offer the option of commenting on individual rules or activating them on a time basis. The possibility of commenting on rules, IP addresses and services is very useful for identifying and deleting unused rules or parts of them. After all, cleaning up a rule set that has grown confusing by trial and error is practically impossible on a production firewall.

The port number has only a limited influence on which service actually runs through a rule. For example, it is technically possible to configure an SSH server so that it runs over TCP port 80 (HTTP) instead of its standard port TCP 22. Only an application layer firewall can prevent this.

In larger rule sets, clarity can be increased with systems that allow addresses or services to be combined into groups; for example, a "Mail Services" group could have the members SMTP, POP3 and IMAP. Another way of defining IP addresses and port numbers is to use ranges, e.g. 10.0.0.30-10.0.0.40 or ports 135-139. For IP addresses, however, ranges are slower to process than networks specified with a netmask.

Drop, reject and allow

The rules of a firewall determine what happens to a network packet that matches the pattern of a filter. A distinction is made between the following actions, which may be named differently depending on the product:

DENY or DROP (discard)

The packet is discarded, i.e. not allowed through, without any further reaction. The sender receives no message that its connection attempt was blocked. The disadvantage of discarding is that the sender only learns of the failed connection attempt after a timeout. This causes problems with the Ident protocol, which is often used together with IRC and occasionally with SMTP. The network is burdened with additional requests because the clients receive no explicit refusal and keep trying to establish the connection. In addition, debugging, i.e. searching for the causes of errors, is difficult in a network whose systems simply do not respond to a request instead of sending back a status message.

REJECT (reject)

The packet is discarded and the sender is informed that the connection was rejected. In general, this corresponds more closely to the usual standard of communication between network components. The notification is sent either as an ICMP Unreachable message or, for TCP, as a reset packet. Rejecting has the advantage that the side effects of simply discarding, described above, do not occur. However, it has the disadvantage that if spoofed IP addresses are used, the firewall itself can be misused for denial-of-service attacks by burdening the alleged sender with rejection packets. Some firewalls have functions such as ICMP rate limiting that counteract this problem.

ALLOW or PASS (allow)

The network request is allowed and let through. These terms mostly refer to outgoing traffic (i.e. from the internal to the external network, or in the case of personal firewalls from one's own computer to the network).

FORWARD or PERMIT (allow)

The network request is permitted and forwarded, which includes the option of redirecting it to a network address specified by the administrator. These terms primarily refer to incoming traffic (i.e. from the external to the internal network, or in the case of personal firewalls, to requests coming from the network).

Security principles

The ideal rule set for a firewall is always structured so that, in principle, all network traffic is prohibited and only the desired connections are allowed (whitelist strategy). The other variant, forbidding only unwanted traffic and allowing everything else, can never be considered secure in the rapidly changing IT world. Sender and destination addresses are usually specified numerically rather than as DNS names, so that an attacker cannot influence the rule set by manipulating DNS.

Logging

Log files are used for traceability of network traffic and for troubleshooting. Logging can take place on the firewall itself, if it has a built-in hard drive, or on a remote log host; in the latter case, proprietary protocols or syslog are used. If the log files have to be kept tamper-proof, a system that uses a log host and can fall back to local logging in the event of an error is recommended. For the evaluation of log files it is very helpful if each rule can be assigned a unique number, so that log entries can be matched to the corresponding rules.

Some firewalls log each individual network packet, others create one log entry per connection. Basically, a firewall logs all connections. Exceptions are made only if individual rules produce so many log entries that technical problems or performance losses occur. This can happen, for example, during denial-of-service attacks or when worms are active in the network. One way to avoid this is to create a separate, non-logging rule for such worm traffic.

Stealth rule

A "stealth" rule (in German roughly "secret rule" or "cunning rule") serves to protect the firewall itself and prohibits all connections to it. Since the order of the rules is significant, the rules allowing administrative access to the firewall must be placed before the stealth rule, so that these packets are not discarded as well. The following example shows why a stealth rule is necessary:

  • The firewall has the IP address 10.0.0.1 on one interface
  • There is a rule that allows all company PCs SSH connections to the servers in the 10.0.0.0/24 network.

Since 10.0.0.1 is also part of the 10.0.0.0/24 network, all PCs in this network are allowed to access the SSH port of the firewall itself, which makes the firewall more vulnerable to internal attackers.
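The following is an added example (not from the Wikipedia article or any firewall product) that models first-match rule evaluation from the Basics section and replays the stealth-rule scenario above. The company PC network 192.168.1.0/24 and the admin workstation 192.168.1.10 are assumed values; the firewall address and server network are those given in the text.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    """One rule with the components the article lists (logging omitted)."""
    src: str              # sender network, e.g. "10.0.0.0/24"; "0.0.0.0/0" = any
    dst: str              # destination network
    proto: str            # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]  # destination port for tcp/udp; None = any
    action: str           # "allow", "reject" or "drop"
    comment: str = ""     # per-rule comment, useful when cleaning up rule sets

    def matches(self, src, dst, proto, dport):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))

def evaluate(rules, src, dst, proto, dport, default="drop"):
    """First-match evaluation: the first matching rule decides.
    If no rule matches, the whitelist default (drop) applies."""
    for index, rule in enumerate(rules):
        if rule.matches(src, dst, proto, dport):
            return rule.action, index
    return default, None

# Constructed scenario: the firewall owns 10.0.0.1; company PCs (assumed to be
# in 192.168.1.0/24) may use SSH to the servers in 10.0.0.0/24.
FIREWALL_IP = "10.0.0.1"
SSH_TO_SERVERS = Rule("192.168.1.0/24", "10.0.0.0/24", "tcp", 22, "allow", "PCs -> server SSH")
STEALTH = Rule("0.0.0.0/0", FIREWALL_IP + "/32", "any", None, "drop", "stealth rule")
ADMIN_SSH = Rule("192.168.1.10/32", FIREWALL_IP + "/32", "tcp", 22, "allow", "admin workstation")

def without_stealth(pc="192.168.1.77"):
    # 10.0.0.1 lies inside 10.0.0.0/24, so every PC reaches the firewall's SSH port.
    return evaluate([SSH_TO_SERVERS], pc, FIREWALL_IP, "tcp", 22)

def stealth_after_allow(pc="192.168.1.77"):
    # Same flaw: the stealth rule is never reached because the allow rule matches first.
    return evaluate([SSH_TO_SERVERS, STEALTH], pc, FIREWALL_IP, "tcp", 22)

def stealth_first(src, dst=FIREWALL_IP):
    # Correct order: admin access first, then the stealth rule, then the general allow.
    return evaluate([ADMIN_SSH, STEALTH, SSH_TO_SERVERS], src, dst, "tcp", 22)

if __name__ == "__main__":
    print(without_stealth(), stealth_after_allow(), stealth_first("192.168.1.77"),
          stealth_first("192.168.1.10"), stealth_first("192.168.1.77", "10.0.0.5"))
```

With the stealth rule in second place, an ordinary PC is dropped at the firewall address but still reaches the servers, and the admin workstation keeps its access.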

ICMP rules

ICMP is used in the network to exchange error and information messages, but it can also be misused for attacks. Since the rigorous approach of either blocking ICMP entirely or allowing it completely would cause too many problems, experts recommend enabling the following types:

  • ICMP Unreachable
  • ICMP Unreachable, Fragmentation Needed (used by Path MTU Discovery)
  • ICMP Time Exceeded in Transit (TTL expired in transit; used by traceroute under UNIX and tracert under Windows)
  • ICMP Echo Request (outgoing; used by ping)

All other ICMP types are activated only as required, with a firewall facing the Internet configured more restrictively than one between two internal networks. Because of its potential for abuse, the ICMP Redirect type is usually blocked. Allowing inbound ICMP Echo Request messages makes troubleshooting easier for outsiders, but it also enables attackers to map the network. In addition, there have repeatedly been security holes related to ICMP Echo, such as the Ping of Death.

If ICMP Unreachable, Fragmentation Needed packets are filtered at any point on the route, for example by a blanket "ICMP deny", transmission problems can arise, as described in the article Maximum Transmission Unit.

Outbound traffic

Control of outbound traffic is often neglected. Many firewalls leave outgoing traffic open on all ports by default. This opens up communication channels for malware in a simple way that the machine's operator does not even notice; sending spam is a typical case. On a well-configured firewall, such paths are blocked. For example, outgoing mail should only be possible from the mail server, and all other routes are blocked (under Linux/Netfilter, outgoing connections can be bound to a user or group ID). Malicious programs may then still attempt to send, but they are quickly noticed in the log file.
