The Netnice Module for Firewall Builder
Patrick Myers
West Virginia University
Topics of this Presentation
● Introduction to Firewall Builder
● A Quick Walk-Through of Firewall Builder
● Architecture of Firewall Builder
● The Netnice Module for Firewall Builder
● Implementation & Design of the Netnice Module
● Q&A
Introduction to Firewall Builder
The Problem:
● In an environment with many different platforms, an administrator needs to be proficient with many different configuration languages.
● Administrators must understand how each firewall differs in capabilities and features.
● Transition from one platform to another requires complete reconfiguration.
● Good open source firewall implementations do not have decent user interfaces (iptables, ipfilter, pf).
Introduction to Firewall Builder
What is Firewall Builder?
● Open Source framework and multi-platform firewall configuration tool that allows an administrator to build a policy for an abstract firewall and then translate it to an actual configuration language.
● Uses an object-oriented approach to firewall policy design.
● Currently supports:
  – iptables
  – ipfilter
  – pf
  – ipfw
  – Cisco PIX
Introduction to Firewall Builder
Firewall Builder Features
● Firewall Builder allows a user to create an abstract firewall policy within the GUI.
● The user can then compile the code for the actual firewall.
● Installing the policy on the firewall can be done in one of several ways.
Introduction to Firewall Builder
The Firewall Builder GUI
● Uses an object-oriented approach to present objects and rules visually.
● Drag and drop operations are allowed for working with rules and objects.
● Uses standard tooltip GUI widgets.
● Comes with its own library of standard objects.
● Integrated network discovery wizard for quick and easy object creation.
Introduction to Firewall Builder (screenshot slide)
Introduction to Firewall Builder
Policy Compilers
● The policy compilers translate rules defined in the GUI into the target firewall configuration language.
● Each compiler consists of several elementary building blocks referred to as “rule processors”.
● Each rule processor performs a simple procedure on the rule and then passes it on to the next rule processor.
Introduction to Firewall Builder
Rule Processors
● Operations the rule processors perform include:
  – rule verification
  – transformation
  – optimization
● Rule processors may work on a single rule or on the whole set.
● Each rule processor is a C++ class.
● Rule processors can be reused in many different policy compilers.
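As an added illustration of the rule-processor chain described above (example code written for this page, not Firewall Builder's own fwcompiler classes; the Rule fields, the class names and the rendered line format are assumptions), the C++ below builds a miniature policy compiler from three processors: a verifier that checks fields and actions, a duplicate detector that raises the same kind of error the walk-through later runs into (Rule 0 and Rule 3 identical), and an optimizer that drops rules shadowed by an any/any/any rule. Each processor works on the whole rule set and hands it on; a verification error stops the chain before any output is rendered.

```cpp
#include <iostream>
#include <memory>
#include <sstream>
#include <string>
#include <vector>

// One abstract policy rule as the GUI would hold it (field names are assumptions).
struct Rule {
    std::string src;      // source object name, "any" = wildcard
    std::string dst;      // destination object name
    std::string service;  // service object name
    std::string action;   // "Accept", "Deny" or "Reject"
    std::string key() const { return src + "|" + dst + "|" + service + "|" + action; }
    bool isCatchAll() const { return src == "any" && dst == "any" && service == "any"; }
};

// What travels down the processor chain: the rule set plus diagnostics.
struct CompileState {
    std::vector<Rule> rules;
    std::vector<std::string> errors;    // any error aborts the compile
    std::vector<std::string> warnings;  // optimizer notes; compile still succeeds
};

// A rule processor does one simple job on the whole set and passes it on.
class RuleProcessor {
public:
    virtual ~RuleProcessor() = default;
    virtual void process(CompileState& st) = 0;
};

// Verification: every field filled in and the action one the target supports.
class VerifyFields : public RuleProcessor {
public:
    void process(CompileState& st) override {
        for (size_t i = 0; i < st.rules.size(); ++i) {
            const Rule& r = st.rules[i];
            if (r.src.empty() || r.dst.empty() || r.service.empty())
                st.errors.push_back("rule " + std::to_string(i) + ": empty field");
            if (r.action != "Accept" && r.action != "Deny" && r.action != "Reject")
                st.errors.push_back("rule " + std::to_string(i) + ": unsupported action '" + r.action + "'");
        }
    }
};

// Verification: two identical rules are an error (the walk-through's "Rule 0 and Rule 3 are the same").
class DetectDuplicates : public RuleProcessor {
public:
    void process(CompileState& st) override {
        for (size_t i = 0; i < st.rules.size(); ++i)
            for (size_t j = i + 1; j < st.rules.size(); ++j)
                if (st.rules[i].key() == st.rules[j].key())
                    st.errors.push_back("rule " + std::to_string(i) + " and rule " +
                                        std::to_string(j) + " are duplicates");
    }
};

// Optimization: nothing after an any/any/any rule can match, so drop it with a warning.
class DropShadowed : public RuleProcessor {
public:
    void process(CompileState& st) override {
        for (size_t i = 0; i + 1 < st.rules.size(); ++i) {
            if (!st.rules[i].isCatchAll()) continue;
            st.warnings.push_back(std::to_string(st.rules.size() - i - 1) +
                                  " rule(s) after rule " + std::to_string(i) + " are unreachable");
            st.rules.resize(i + 1);
            return;
        }
    }
};

// Run the chain in order; a verification failure stops it before anything is rendered.
CompileState compilePolicy(std::vector<Rule> rules) {
    CompileState st;
    st.rules = rules;
    std::vector<std::unique_ptr<RuleProcessor>> chain;
    chain.push_back(std::make_unique<VerifyFields>());
    chain.push_back(std::make_unique<DetectDuplicates>());
    chain.push_back(std::make_unique<DropShadowed>());
    for (auto& p : chain) {
        p->process(st);
        if (!st.errors.empty()) break;
    }
    return st;
}

// Render the surviving rules in an illustrative text form (not any real firewall's syntax).
std::string renderPolicy(const CompileState& st) {
    std::ostringstream out;
    for (size_t i = 0; i < st.rules.size(); ++i)
        out << i << ": " << st.rules[i].action << " " << st.rules[i].service
            << " from " << st.rules[i].src << " to " << st.rules[i].dst << "\n";
    return out.str();
}

// Constructed sample policy modelled on the walk-through: with the duplicate, rule 0 == rule 3.
std::vector<Rule> samplePolicy(bool withDuplicate) {
    std::vector<Rule> p;
    if (withDuplicate) p.push_back({"any", "fw", "ssh", "Accept"});
    p.push_back({"lan", "fw", "http", "Accept"});
    p.push_back({"fw", "any", "dns", "Accept"});
    p.push_back({"any", "fw", "ssh", "Accept"});
    p.push_back({"any", "any", "any", "Deny"});
    p.push_back({"lan", "fw", "smtp", "Accept"});  // shadowed by the catch-all deny
    return p;
}

int main() {
    CompileState bad = compilePolicy(samplePolicy(true));
    for (const auto& e : bad.errors) std::cerr << "error: " << e << "\n";
    CompileState good = compilePolicy(samplePolicy(false));
    for (const auto& w : good.warnings) std::cerr << "warning: " << w << "\n";
    std::cout << renderPolicy(good);
    return 0;
}
```

The order of the chain matters: verification runs before optimization so that a duplicate is reported as an error rather than silently merged away, which is the behaviour the walk-through shows when the compile stops on Rule 0 and Rule 3.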
Introduction to Firewall Builder (screenshot slide)
Introduction to Firewall Builder
Policy Installation
● The simplest way to install a policy on a remote firewall is to create a user-defined script, copy over the generated code with 'scp', and then 'ssh' in to execute it.
● There is also the fwbd daemon, which can be installed on a target firewall and logged into. This is the advanced way, but it can be easier once configured correctly: it interfaces with the GUI to log a user into the firewall and install the policy.
Introduction to Firewall Builder
Walk Through of Firewall Builder
Let's now walk through Firewall Builder to get an idea of what it's all about.
Walk Through of Firewall Builder
Starting Firewall Builder
● When the program is started, a welcome screen appears and asks the user which file to work from.
Walk Through of Firewall Builder
Main Screen
● After the user chooses where to place the new project, the main screen appears.
● It is blank since no objects have been created yet, and the screen looks as follows:
Walk Through of Firewall Builder (screenshot slide)
Walk Through of Firewall Builder
Creating a Firewall
● Since the main screen is blank, we must now create a firewall object.
● We simply click on the “New Page” icon and scroll down to 'New Firewall'.
● A dialog box appears as follows:
Walk Through of Firewall Builder (screenshot slide)
Walk Through of Firewall Builder
Firewall Templates
● We put in the name of our new firewall, the platform it is running, and the OS.
● We now get to choose a template to assist us in creating our firewall.
Walk Through of Firewall Builder (screenshot slide)
Walk Through of Firewall Builder
Firewall Options
● Since we are interested in end-host systems, we choose the 'host fw template'.
● Next!
● We get more options for our firewall here:
Walk Through of Firewall Builder (screenshot slide)
Walk Through of Firewall Builder
Firewall Settings
● Say we want to click on our 'Firewall Settings' button before hitting 'Next'...
Walk Through of Firewall Builder (screenshot slide)
Walk Through of Firewall Builder
Back to the Main Page
● After finishing up the Firewall Settings and the Firewall Options...
● We finally get back to the main screen, but now it's populated with firewall data!
Walk Through of Firewall Builder (screenshot slide)
Walk Through of Firewall Builder
Adding a Rule to the Policy
● Say we want to add another rule to the policy...
● We can right-click in the right pane and choose 'Insert Rule'.
● Then a new line pops up at the top, and the screen now looks like... ->
Walk Through of Firewall Builder (screenshot slide)
Walk Through of Firewall Builder
Compiling the Policy
● Say the rule was exactly what we wanted and we didn't want to change a thing, so we leave it and decide it's time to compile.
● To compile our policy, we click on the fourth icon from the left, the one that looks like a gear.
● And we get... ->
Walk Through of Firewall Builder (screenshot slide)
Walk Through of Firewall Builder
Deleting a Policy Rule
● Notice the error in the compile?
● It's because we have a duplicate rule: Rule 0 and Rule 3 are the same.
● So let's right-click on Rule 0 and delete it.
● Now it should look like... ->
Walk Through of Firewall Builder (screenshot slide)
Walk Through of Firewall Builder
Compiling (Again)
● Now let's try compiling again... ->
Walk Through of Firewall Builder (screenshot slide)
Walk Through of Firewall Builder
Installing the Policy
● Great! So the policy compiled successfully.
● Now let's install it by clicking on the icon to the right of the compile button.
● And... ->
Walk Through of Firewall Builder (screenshot slide)
Walk Through of Firewall Builder
Installing the Policy
● Assuming that you have set up the daemon on the firewall machine, you can now log in and install your policy on your firewall.
● If you did not set up the daemon, you simply go into the directory that your project is stored in and manually copy over the script and execute it.
● And that's how simple Firewall Builder is.
Architecture of Firewall Builder
All access to objects in the Firewall Builder Network Object Database is done via a C++ Application Programming Interface (API). All API classes are organized into several submodules:
  – fwbuilder - Base API classes providing access to objects in the database as well as a few utility classes.
  – fwcompiler - Policy Compiler classes. Provides common classes used to construct Policy Compilers for supported firewall platforms.
  – fwbd - Client library, written in C, used to connect to the Firewall Builder Daemon.
Architecture of Firewall Builder
  – XML storage and manipulation - provides classes for loading and saving XML files.
  – DNS - a collection of classes that provide methods to resolve host names into IP addresses (both single queries and bulk queries) and to transfer and parse DNS zones. All operations are thread-safe.
  – SNMP - a simple C++ wrapper for SNMP operations. Special classes exist for high-level queries such as extracting information about interfaces, ARP tables and routing tables. All operations are thread-safe.
Architecture of Firewall Builder
  – Network Crawler - a sophisticated network discovery process. Given a 'seed' host it finds other hosts and networks and creates corresponding objects. The crawler can be restricted to a single subnet; other restrictions can be applied as well. Network discovery simplifies the task of entering hosts and networks into the network object database.
Architecture of Firewall Builder (diagram slide)
Architecture of Firewall Builder
● The GUI
  – Written using the GTK+ Toolkit
  – Incorporates drag and drop technique
  – Allows the user to create a policy on an abstract firewall
  – Supports both global and interface policies
● XML Storage
  – Stores all firewall object data.
  – Stores FWBuilder preferences.
Architecture of Firewall Builder
● Policy Compiler
  – Compiles the policy into the target firewall configuration language.
  – Checks for errors and duplications
  – Able to optimize the policy
● Policy Installer
  – Interfaces with the FWBuilder Daemon running on the target firewall using the fwbd classes.
  – Provides a user-friendly GUI to install the policy.
The Netnice Module for Firewall Builder
This module will be an add-on to Firewall Builder that will allow a user to create firewall rules, compile them within Firewall Builder, and apply them to a machine with the Netnice Packet Filter installed.
The Netnice Module for Firewall Builder
The basic features of this module will include:
● Module to process rules that are associated with a specific Netnice VIF
● Compiler to support groups of objects and services in the GUI
● Compiler to support 'Accept', 'Deny' and 'Reject' actions
● Compiler to process rules that are associated with packets going inbound or outbound
● Compiler to apply rules to all Netnice interfaces on a 'global' Netnice machine when no interface-specific rules are given for an interface
● Compiler to process rules with negation
● Compiler to log which rules were processed for each interface
The Netnice Module for Firewall Builder
The advanced features of this module will include:
● Compiler to detect many common errors in interface configuration
● Compiler to optimize the configuration by detecting rules that have already occurred in the policy
● Compiler to use two models for the generated configuration: it will be able to generate rules for both inbound and outbound packets, or it can permit all outbound packets and only generate rules for inbound packets. The choice is made in the GUI.
● Compiler to support the 'address range' object
● Options for logging can be set for global and/or individual rules.
The Netnice Module for Firewall Builder
Interface Support:
● Compiler to support interfaces with a dynamic address
● Compiler can configure actual interfaces using the addresses of the firewall object as it is configured in the GUI
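The feature list above describes how the Netnice compiler is meant to decide which rules an interface gets. As an added example (written for this page, not the module's own code; the NetniceRule fields, the two-value model enum and the rendered line format are assumptions, and the per-VIF output is kept as text because the page does not specify the file layout under /proc/network), the C++ below implements the global-fallback logic, the inbound/outbound direction split, negated source matching, per-rule and global logging, and the two generation models: filtering both directions, or permitting all outbound traffic and filtering only inbound.

```cpp
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// One Netnice policy rule as the GUI would hold it (field names are assumptions).
struct NetniceRule {
    std::string vif;        // VIF the rule is bound to; "" means the global policy
    std::string direction;  // "in" or "out"
    std::string src;
    std::string dst;
    std::string service;
    bool negateSrc;         // match packets whose source is NOT src
    std::string action;     // "Accept", "Deny" or "Reject"
    bool log;               // per-rule logging flag
};

// The two generation models from the feature list.
enum class OutboundModel { Filtered, PermitAll };

struct GenOptions {
    OutboundModel model;
    bool globalLog;  // log every rule regardless of its own flag
};

// Does this VIF have rules of its own? If not, the global rules apply to it.
bool hasSpecificRules(const std::vector<NetniceRule>& policy, const std::string& vif) {
    for (const auto& r : policy)
        if (r.vif == vif) return true;
    return false;
}

// Rules that apply to one VIF: its own, or the global set as a fallback.
std::vector<NetniceRule> rulesForVif(const std::vector<NetniceRule>& policy, const std::string& vif) {
    const std::string want = hasSpecificRules(policy, vif) ? vif : "";
    std::vector<NetniceRule> out;
    for (const auto& r : policy)
        if (r.vif == want) out.push_back(r);
    return out;
}

// Render one rule in an illustrative text form (not actual Netnice syntax).
std::string renderRule(const NetniceRule& r, const GenOptions& opt) {
    std::ostringstream s;
    s << r.direction << " " << r.action << " " << r.service
      << " from " << (r.negateSrc ? "!" : "") << r.src << " to " << r.dst;
    if (r.log || opt.globalLog) s << " log";
    return s.str();
}

// Lines for one VIF. Under PermitAll, outbound rules are dropped and replaced by a
// single permit, so only inbound traffic is filtered.
std::vector<std::string> linesForVif(const std::vector<NetniceRule>& policy,
                                     const std::string& vif, const GenOptions& opt) {
    std::vector<std::string> lines;
    for (const auto& r : rulesForVif(policy, vif)) {
        if (opt.model == OutboundModel::PermitAll && r.direction == "out") continue;
        lines.push_back(renderRule(r, opt));
    }
    if (opt.model == OutboundModel::PermitAll) lines.push_back("out Accept any from any to any");
    return lines;
}

// Whole machine: one block of lines per VIF, keyed by VIF name.
std::map<std::string, std::vector<std::string>> generatePolicy(
    const std::vector<NetniceRule>& policy, const std::vector<std::string>& vifs, const GenOptions& opt) {
    std::map<std::string, std::vector<std::string>> out;
    for (const auto& v : vifs) out[v] = linesForVif(policy, v, opt);
    return out;
}

// Constructed sample: vif0 has its own rules, vif1 has none and inherits the global ones.
std::vector<NetniceRule> samplePolicy() {
    return {
        {"",     "in",  "lan",    "host", "ssh", false, "Accept", true},
        {"",     "in",  "any",    "host", "any", false, "Deny",   false},
        {"",     "out", "host",   "any",  "any", false, "Accept", false},
        {"vif0", "in",  "badnet", "host", "any", true,  "Accept", false},  // accept unless from badnet
        {"vif0", "in",  "any",    "host", "any", false, "Reject", true},
        {"vif0", "out", "host",   "any",  "dns", false, "Accept", false},
        {"vif0", "out", "host",   "any",  "any", false, "Deny",   true},
    };
}

int main() {
    GenOptions opt{OutboundModel::Filtered, false};
    for (const auto& kv : generatePolicy(samplePolicy(), {"vif0", "vif1"}, opt)) {
        std::cout << "# " << kv.first << "\n";
        for (const auto& line : kv.second) std::cout << line << "\n";
    }
    return 0;
}
```

With the sample policy, vif0 keeps its four own rules while vif1 falls back to the three global ones; switching to PermitAll drops every outbound rule and appends one blanket outbound permit, which is the trade-off the second model makes: a shorter, simpler configuration at the cost of no egress control on the host.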
The Netnice Module for Firewall Builder
Implementation and Design of Module
The GUI
● Built separately from the firewall platform modules
● Combo boxes are populated from XML data
● But the GUI still contains references to specific firewall platforms
● Each firewall platform has its own classes and settings UI
To Do
● Netnice GUI classes will need to be created.
● References will need to be modified to include netnice.
● A UI for the firewall settings will need to be created.
Implementation and Design of Module
XML Datafiles
● Stores object information and preferences.
To Do
● Netnice firewall platform information needs to be added into the XML files.
● Add Netnice path information.
● Add Netnice OS information.
Implementation and Design of Module
Policy Compilers
● The policy compilers translate rules defined in the GUI into the target firewall configuration language.
● Specific to each firewall platform.
● Some compilers support NAT.
To Do
● Create fwcompiler classes for netnice
● Create a policy compiler for netnice
● NAT support is not needed for end-host use.
Implementation and Design of Module
Generated Code
● The policy compilers create a file containing the generated code.
● Specific to each firewall platform.
To Do
● File format will follow BPF convention
● Placed in the default folder under Firewall Builder
Implementation and Design of Module
Policy Installation
● A user script or the daemon installs the generated code onto the actual firewall.
● Each firewall platform has specific instructions and scripting classes.
To Do
● Explore how easily the daemon can be ported to a netnice platform
● Create scripting classes used to build a user-executed script that will install the code into the /proc/network directory on the netnice machine for each VIF
Q&A
Ask me some questions!
Downloads
You can download a PDF version of this
presentation and the paper it summarizes
at:
  – http://www.patdotcom.com/netnice/presentation.pdf
  – http://www.patdotcom.com/netnice/paper.pdf
Thank you for your time.