Update / Clarification: the techniques I'll discuss can't all be done "natively" in iptables. Some of them leverage other tools, like Dans Guardian for URL filtering. IPtables itself isn't good at L7, but it can do lovely manipulation below that.
IPtables is the standard Linux firewall, happily implementing policy at L3/L4. As such, it looks like an older-generation firewall, stuck firmly in the Stateful Packet Filter realm of technology. It knows about UDP and TCP, but has no clue about HTTP, much less your userid on FaceTube.
However, iptables has one thing going for it that a lot of turn-key commercial products don't - it conforms to the Linux idea of being programmable and extensible. Beyond the basic TCP 3-way handshake, have-I-seen-this-circuit statefulness, it allows for nearly arbitrary reactions to and actions on packets. Furthermore, it's got some hooks that allow for blurring the lines between the network layer and the application layer.
This talk will focus on creating IPtables policies with weird abilities that aren't always found in other firewall implementations. Examples include:
- Using external auth to tie a user to an IP, then implementing different policies based on that IP
- URL filtering, with different policies per-group
- SNAT with different IP address based on user group
- Outbound routing through high-bandwidth, low-latency, etc.
- Slowing down network access for low-priority users
- De-clogging logs
- Why must Windows discovery broadcasts be so chatty?
- Poor-man's blocking IDS
- Ignore inbound IP for a while if it seems naughty
- Implementing port knocking on the gateway
- Anti-spam IP blacklisting and graylisting
- Tying iptables policies to the underlying applications on the same host
- Allow outbound ssh only if it's really from the ssh process
- Allow inbound connections to arbitrary / dynamic ports for specific applications
- Whoever decided dynamic ports were a good idea had no bloody experience with implementing security!
This talk will not focus on ways to bypass iptables. That's just about every other talk this week in Vegas.
Why am I giving this talk? My job is to retrofit security onto NMS appliances for a large networking vendor. My personal goal is to keep 80% of you from cracking my department's product within the first week of its release, and to convince my team to make my job unnecessary by writing code that's secure.
No comments:
Post a Comment