Since no-one seems to be quite catching on to what I mean when about a new
way to do firewalls, this is an attempt to explain myself. I apologize in
advance for re-hashing any concepts already understood.
Current solutions:
Various scripts like sea-wall, Matthew Grant's scripts, and many 'click the
box & build a script' type programs. These solutions can be very easy to
use, and configurable (to an extent), but they quickly run into problems
when dealing with arbitrary situations that were not planned for by the
script writers. For instance, the following network:
4 DMZ networks firewalled from each other (some specific services allowed)
3 Internal networks firewalled from each other (again, sharing some specific
services)
Appropriate connections between:
Internal networks and the DMZs
DMZs and the internet
Internal networks and the internet
remote networks and the internal networks (via VPN)
This is actually a description of the TX facility, which is implemented with
3 LRP boxes and a Cisco router...
Other problems with the general firewall scripts I've seen include:
Extensions to add functionality are typically difficult, and may have global
security implications that are not immediately obvious
The complexity level of configuration grows dramatically as the scripts are
'generalized' to try and do more and more things.
It is typically difficult to re-use work (configurations or customizations)
done in one environment in other environments.
So what's to be done???
First, forget about ipchains, netfilter, ACL's, packet filter rules, etc.
These are all simply tools. The correct application of these tools will
follow directly from a clear and concise definition of the problem at hand,
which is creating a firewall.
So, what is a firewall? Obviously, many different things to different
people. My needs are certainly different than yours, yet it seems there are
large areas of overlap, where it would be desirable to share development,
peer review, etc. How can this be done?
What I alluded to previously, and am rapidly warming to the more I think
about it, is an object oriented mechanism for building firewalls. Sort of a
firewall construction kit, but very much in the abstract.
Networks would be defined, and assigned basic classes (like DMZ, masqueraded
internal net, routed internal net, external net, etc). There would be
default interactions between different classes of networks, which could be
overridden by modifying the basic class, the specific instance of that class
for a particular network, or the creation of entirely new access classes
(possibly by modifying or combining existing classes).
All very object-oriented and buzzword-compliant :>
Once the overall policy was defined, some low-level routines would be
responsible for building rules that implement the desired result. This
would probably be the easy part, and I think such a system could easily
target ipchains rulesets, netfilter rulesets, Cisco rulesets, or just about
any other system that comes along. Some features (like stateful packet
filtering) may not be fully implemented on all target systems (like IP
chains) but this would be handled by the low-level 'compiler'. It might be
possible to make a close approximation (-j ACCEPT ! -y), you could throw an
error, or anything else your heart desired (the translation from high-level
specification to low-level rules would also be very object based). This
would all be abstracted the same way the basic filter specifications are, so
if Joe created "Joe's way-kewl ipchains packet-filter routines", anyone else
who thought the rules were pretty neat could easily incorporate them into
their own custom firewall, likely by simply grabbing Joe's rule files and
changing a couple words in a high-level config file.
This is about the only thing I've come up with that is arbitrarily
expandable, allows users to share development/configuration across
dissimilar firewalls, and has the benefit of targeting multiple end-targets.
With the complexity of creating firewall rules, and the amount of money
being thrown around in the networking arena, I can't believe there isn't
something kind of like this available already (please someone send me a link
so I don't have to start coding!).
Again, the real work is in a clear and concise definition of the problem
(what does my firewall do). If we can create a simple firewall modeling
language, firewall construction set, or whatever you want to call it,
converting the generated specification to an actual ruleset is pretty
straight-forward. I think shell-script is more than capable enough to parse
and process the hierarchal tree of object based configuration documents
(more buzz-word compliance :>), and we could even leverage <steal> an
existing object-based text language (like XML or somesuch), as long as the
actual requirements of defining a firewall are clearly defined and well
understood.
Anyway, this is the sort of thing I'd write for making firewalls if I was
doing it from scratch and had enough time <yeah, like that's going to
happen>
Let me know if I'm way off in left field (or orbiting mars...maybe left the
solar-system...)
Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/mailman/listinfo/leaf-devel
