Many organizations started using IP well before they thought a firewall or a subnet
would be a good idea. Now they have class-C sized networks or larger that include all
their servers, their workstations, their routers, coffee makers, everything. The horror!
Renumbering with proper subnets, trust levels, filters, and so on is both time-consuming
and expensive. The expense in hardware and man-hours alone is enough to make most
organizations unwilling to really solve the problem, not to mention the downtime involved.
The typical problem network looks like this:
20.20.20.1   router                 20.20.20.6   unix server
20.20.20.2   unix server            20.20.20.7   nt server
20.20.20.3   unix server            20.20.20.8   nt workstation
20.20.20.4   win98 workstation      20.20.20.9   unix workstation
20.20.20.5   intelligent switch     20.20.20.10  win95 workstation
Only it's about 20 times larger and messier and frequently undocumented. Ideally,
you'd have all the trusting servers in one subnet, all the workstations in another, and
the network switches in a third. Then the router would filter packets between the subnets,
giving the workstations limited access to the servers, no access at all to the switches, and
only the sysadmin's workstation access to the coffee pot. I've never seen a class-C sized
network with such coherency. IP Filter can help.
To start with, we're going to separate the router, the workstations, and the servers.
To do this we're going to need 2 hubs (or switches), which we probably already have, and an
IPF machine with 3 ethernet cards. We're going to put all the servers on one hub and all
the workstations on the other. Normally we'd then connect the hubs to each other, then to
the router. Instead, we're going to plug the router into IPF's xl0 interface, the
servers into IPF's xl1 interface, and the workstations into IPF's xl2
interface. (xl0, xl1 and xl2 are simply the names FreeBSD gives the three 3Com cards in
this example; use whatever your interfaces are called.) Our network diagram looks
something like this:
                                  | 20.20.20.2 unix server
  router (20.20.20.1)  ___________| 20.20.20.3 unix server
        |             /           | 20.20.20.6 unix server
        |            /xl1         | 20.20.20.7 nt server
  ------------/xl0 IPF Bridge <
                           xl2\   | 20.20.20.4 win98 workstation
                               \__| 20.20.20.8 nt workstation
                                  | 20.20.20.9 unix workstation
                                  | 20.20.20.10 win95 workstation
Where once there was nothing but interconnecting wires, there is now a filtering
bridge, and not a single host needs to be modified to take advantage of it. Presumably
we've already enabled bridging in the kernel, so the network is behaving perfectly
normally. Further, we're starting off with a ruleset much like our last ruleset:
pass in quick on xl0 proto udp from any to 20.20.20.2/32 port=53 keep state
pass in quick on xl0 proto tcp from any to 20.20.20.2/32 port=53 flags S keep state
pass in quick on xl0 proto tcp from any to 20.20.20.3/32 port=25 flags S keep state
pass in quick on xl0 proto tcp from any to 20.20.20.7/32 port=80 flags S keep state
block in quick on xl0
pass in quick on xl1 proto tcp keep state
pass in quick on xl1 proto udp keep state
pass in quick on xl1 proto icmp keep state
block in quick on xl1 # nuh-uh, we're only passing tcp/udp/icmp sir.
pass in quick on xl2 proto tcp keep state
pass in quick on xl2 proto udp keep state
pass in quick on xl2 proto icmp keep state
block in quick on xl2 # nuh-uh, we're only passing tcp/udp/icmp sir.
Once again, traffic coming from the router is restricted to DNS, SMTP, and HTTP. At
the moment, the servers and the workstations can exchange traffic freely. Depending on
what kind of organization you are, there might be something about this network dynamic you
don't like. Perhaps you don't want your workstations getting access to your servers at
all? Take the xl2 ruleset of:
pass in quick on xl2 proto tcp keep state
pass in quick on xl2 proto udp keep state
pass in quick on xl2 proto icmp keep state
block in quick on xl2 # nuh-uh, we're only passing tcp/udp/icmp sir.
And change it to:
block in quick on xl2 from any to 20.20.20.0/24
pass in quick on xl2 proto tcp keep state
pass in quick on xl2 proto udp keep state
pass in quick on xl2 proto icmp keep state
block in quick on xl2 # nuh-uh, we're only passing tcp/udp/icmp sir.
Perhaps you want them to reach the servers only to send mail with SMTP and fetch it
with IMAP? Easily done. The two pass rules are written like the xl0 rules, so a
workstation's connection is tracked from its SYN onwards, and they have to come before
the block, since quick stops at the first matching rule:
pass in quick on xl2 proto tcp from any to 20.20.20.3/32 port=25 flags S keep state
pass in quick on xl2 proto tcp from any to 20.20.20.3/32 port=143 flags S keep state
block in quick on xl2 from any to 20.20.20.0/24
pass in quick on xl2 proto tcp keep state
pass in quick on xl2 proto udp keep state
pass in quick on xl2 proto icmp keep state
block in quick on xl2 # nuh-uh, we're only passing tcp/udp/icmp sir.
Now your workstations and servers are protected from the outside world, and the
servers are protected from your workstations. Note that 20.20.20.0/24 also covers the
router's own address, 20.20.20.1, so the workstations can no longer talk to the router
itself; their traffic to the outside world still passes, because its destination lies
outside the /24.
Perhaps the opposite is true, maybe you want your workstations to be able to get to the
servers, but not the outside world. After all, the next generation of exploits is breaking
the clients, not the servers. In this case, you'd change the xl2 rules to look
more like this:
pass in quick on xl2 from any to 20.20.20.0/24
block in quick on xl2
Now the servers have free rein, but the clients can only connect to the servers. We
might want to batten down the hatches on the servers, too:
pass in quick on xl1 from any to 20.20.20.0/24
block in quick on xl1
With the combination of these two, the clients and servers can talk to each other,
but neither can access the outside world (though the outside world can get to the few
services from earlier). The whole ruleset would look something like this:
pass in quick on xl0 proto udp from any to 20.20.20.2/32 port=53 keep state
pass in quick on xl0 proto tcp from any to 20.20.20.2/32 port=53 flags S keep state
pass in quick on xl0 proto tcp from any to 20.20.20.3/32 port=25 flags S keep state
pass in quick on xl0 proto tcp from any to 20.20.20.7/32 port=80 flags S keep state
block in quick on xl0
pass in quick on xl1 from any to 20.20.20.0/24
block in quick on xl1
pass in quick on xl2 from any to 20.20.20.0/24
block in quick on xl2
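Rulesets like these are easy to get subtly wrong, because ipf reads them top to bottom and a
matching quick rule ends the search. The following Python script is an added example; it is
not part of the IP Filter HOWTO or of ipf itself. It parses the subset of rule syntax used on
this page, applies ipf's ordering and quick semantics (without state tracking) to a few
constructed packets, and compares the "mail only" xl2 variant with the final "local only"
ruleset: it shows that 20.20.20.0/24 also covers the router's address 20.20.20.1, that a
non-SYN packet from outside fails the flags S rule and is blocked, and that moving the /24
block ahead of the IMAP pass silently disables that pass. The outside address 198.51.100.10
and the packets are made up for the demonstration.

```python
"""Evaluator for the subset of IP Filter (ipf) rule syntax used on this page. Rules
are tried in order; the last match wins, but a matching "quick" rule decides at
once, and ipf's default when nothing matches is pass. State is not modelled."""
import ipaddress
import re
from collections import namedtuple

# iface: interface the packet arrives on; syn_only: a TCP packet with only SYN set
Packet = namedtuple("Packet", "iface proto src dst dport syn_only", defaults=(None, False))
Rule = namedtuple("Rule", "action quick iface proto src dst dport flags_s")

# Grammar of the rules on this page; "keep state" is accepted but has no effect here.
RULE = re.compile(r"""
    (?P<action>pass|block)\s+in\s+(?P<quick>quick\s+)?on\s+(?P<iface>\w+)
    (?:\s+proto\s+(?P<proto>\w+))?
    (?:\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?:\s+port\s*=\s*(?P<dport>\d+))?)?
    (?:\s+flags\s+(?P<flags>\S+))?
    (?:\s+keep\s+state)?
""", re.VERBOSE)

def parse_rule(line):
    m = RULE.fullmatch(line.split("#", 1)[0].strip())   # strip a trailing comment
    if not m:
        raise ValueError(f"unsupported rule: {line}")
    g = m.groupdict()
    net = lambda a: None if a in (None, "any") else ipaddress.ip_network(a)
    return Rule(g["action"], bool(g["quick"]), g["iface"], g["proto"], net(g["src"]),
                net(g["dst"]), int(g["dport"]) if g["dport"] else None, g["flags"] == "S")

def parse_ruleset(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip()]

def matches(r, p):
    """None in a rule field means 'any'; flags S restricts the match to SYN-only packets."""
    return (r.iface == p.iface and r.proto in (None, p.proto)
            and (r.src is None or ipaddress.ip_address(p.src) in r.src)
            and (r.dst is None or ipaddress.ip_address(p.dst) in r.dst)
            and r.dport in (None, p.dport) and (p.syn_only or not r.flags_s))

def evaluate(rules, p):
    """Return (verdict, 1-based number of the deciding rule, or None if nothing matched)."""
    verdict, deciding = "pass", None
    for n, r in enumerate(rules, 1):
        if matches(r, p):
            verdict, deciding = r.action, n
            if r.quick:
                break
    return verdict, deciding

XL0 = """
pass in quick on xl0 proto udp from any to 20.20.20.2/32 port=53 keep state
pass in quick on xl0 proto tcp from any to 20.20.20.2/32 port=53 flags S keep state
pass in quick on xl0 proto tcp from any to 20.20.20.3/32 port=25 flags S keep state
pass in quick on xl0 proto tcp from any to 20.20.20.7/32 port=80 flags S keep state
block in quick on xl0
"""
# Workstations may reach only the mail server (the two server passes carry
# "flags S keep state" like the xl0 rules); anything bound elsewhere is allowed.
MAIL_ONLY = parse_ruleset(XL0 + """
pass in quick on xl1 proto tcp keep state
pass in quick on xl1 proto udp keep state
pass in quick on xl1 proto icmp keep state
block in quick on xl1
pass in quick on xl2 proto tcp from any to 20.20.20.3/32 port=25 flags S keep state
pass in quick on xl2 proto tcp from any to 20.20.20.3/32 port=143 flags S keep state
block in quick on xl2 from any to 20.20.20.0/24
pass in quick on xl2 proto tcp keep state
pass in quick on xl2 proto udp keep state
pass in quick on xl2 proto icmp keep state
block in quick on xl2
""")
# The page's final ruleset: servers and workstations may talk only to each other.
LOCAL_ONLY = parse_ruleset(XL0 + """
pass in quick on xl1 from any to 20.20.20.0/24
block in quick on xl1
pass in quick on xl2 from any to 20.20.20.0/24
block in quick on xl2
""")
OUTSIDE = "198.51.100.10"               # constructed Internet host (TEST-NET-2)
CASES = {                               # constructed packets, labelled by intent
    "ws->imap":     Packet("xl2", "tcp", "20.20.20.4", "20.20.20.3", 143, True),
    "ws->ssh":      Packet("xl2", "tcp", "20.20.20.4", "20.20.20.3", 22, True),
    "ws->router":   Packet("xl2", "icmp", "20.20.20.4", "20.20.20.1"),
    "ws->internet": Packet("xl2", "tcp", "20.20.20.4", OUTSIDE, 80, True),
    "net->www syn": Packet("xl0", "tcp", OUTSIDE, "20.20.20.7", 80, True),
    "net->www ack": Packet("xl0", "tcp", OUTSIDE, "20.20.20.7", 80, False),
    "net->nt ws":   Packet("xl0", "tcp", OUTSIDE, "20.20.20.8", 80, True),
}

def verdicts(rules):
    return {label: evaluate(rules, p)[0] for label, p in CASES.items()}

def order_matters():
    """Put the /24 block ahead of the IMAP pass: the pass can never be reached."""
    swapped = parse_ruleset("""
block in quick on xl2 from any to 20.20.20.0/24
pass in quick on xl2 proto tcp from any to 20.20.20.3/32 port=143 flags S keep state
""")
    return evaluate(swapped, CASES["ws->imap"])

if __name__ == "__main__":
    print(verdicts(MAIL_ONLY), verdicts(LOCAL_ONLY), order_matters(), sep="\n")
```

Under MAIL_ONLY the workstation reaches IMAP but not ssh, cannot ping the router (it sits
inside the /24), and still gets out to the Internet; under LOCAL_ONLY the Internet is blocked
while every local destination, ssh included, is allowed. The swapped ordering returns
("block", 1): rule 1 is quick, so the IMAP pass after it is dead. Because the script keeps no
state table, replies to an established connection are judged as fresh packets; on a real ipf
bridge those would be matched against the state table before the rules are consulted.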
So remember, when your network is a mess of twisty IP addresses and machine classes,
transparent filtered bridges can solve a problem that would otherwise be lived with and
perhaps someday exploited.