1. Introduction

Stateful inspection is now one of the basic requirements of a firewall.
It works at the IP layer, inspects every packet the firewall forwards, and creates a structure that records the state of the connection the packet belongs to. The check draws on information from the link, network, transport and application layers, and the decision to forward or drop a packet is taken according to the rule table or the state table. The open source project SIFI (http://www.ifi.unizh.ch/ikm/sinus/) implements stateful inspection. Its firewall kernel code is built on the network security framework (the firewall hooks) of Linux 2.2.x and is a good instance for analysing and learning stateful inspection. The following sections look at how its state checking is implemented: the data structures, the state check, the sequence number check, timeouts and the application protocol data check.

2. Overview

First, look at several important SIFI data structures.

2.1. sf_fw_ops

The SIFI kernel code sits on the Linux 2.2.x network security framework, so it must define the structure that the check points reference, as follows:

struct firewall_ops sf_fw_ops = {NULL, sf_forward_ck, sf_input_ck, sf_output_ck, PF_INET, 2};

The three functions sf_forward_ck, sf_input_ck and sf_output_ck are called at the check points call_fw_firewall, call_in_firewall and call_out_firewall respectively. All three call sf_check_packet, which does the real work. The structure has priority 2, higher than the priority of the ipfw_ops structure defined by the Linux 2.2.x kernel, so the check points call the functions defined in sf_fw_ops first; the functions defined in ipfw_ops are called only when the SIFI function returns FW_SKIP.

2.2. Rule table

The rule table is a singly linked list. It is used to match the packets that need to be handled and decides the action to take on a match. See Figure 2.1.

2.3. Connection table

The connection table is a hash table; structures with the same hash value are linked in a doubly linked list.
All structures are also linked together in one doubly linked list, whose head pointer is conns and whose tail pointer is lastc. See Figure 2.1.

2.4. State definitions

Every structure in the connection table is in a definite state at any moment. SIFI creates connection structures only for TCP and UDP; other protocols are checked by matching the rule table alone, without creating a connection structure. The states are defined as follows:

[table 2.1]

The states marked grey in the table are not used by the state check. SF_TCP_ESTABLISHEDFTP is defined for the control connection of the FTP protocol: its purpose is to inspect the FTP protocol, find the address and port it negotiates, and create a new connection structure, so that the FTP data connection can be set up even when no rule allows it. The other states define the legal states of a TCP connection over its lifetime; the transitions between them are described below.

3. Basic flow

Now look at how SIFI handles packets of the different protocols.

For an ICMP or IGMP packet it checks the packet length and looks up the rule table. If a matching rule is found, the action the rule requires is performed; if no matching rule is found, the packet is denied by default. No connection record is kept for ICMP or IGMP.

The flow for checking a UDP packet is as follows:

[figure 3.1]

The connection table is consulted first. If an entry is found, UDP traffic in this direction has already been allowed by the rules. If none is found, the rule table is looked up: if a matching rule exists, its action is performed; if none is found, the packet is denied by default. If the matched rule allows the packet, a new structure with state SF_UDP_STATE is added to the connection table, and subsequent packets are no longer checked against the rules until that structure is deleted.
Note that the UDP lookup in the connection table uses a one-way match; TCP is handled differently.

The flow for checking a TCP packet is as follows:

[figure 3.2]

The connection table is consulted first for a corresponding connection structure. Here the lookup uses a two-way match (the destination address and port are swapped with the source address and port), so there is one connection structure per TCP connection. If a suitable structure is found, the state transition is performed (state transitions are described later). If none is found, SIFI checks whether the packet has the SYN bit set but not the ACK bit, i.e. whether it is a TCP connection request. If so, it computes the hash with the source port set to zero and looks up the connection table again: a structure of that kind is created dynamically while inspecting application protocol data, for protocols that negotiate addresses and ports dynamically (much as in address translation). If it is found, the original structure with source port zero is deleted, the hash is recomputed with this packet's address and port, and a new structure is created; if it is not found, the SYN packet goes on to the rule check described in 4.1. If the packet is not a SYN-without-ACK packet, it is denied.

4. State check

4.1. State check

The state check defines the legal state changes of a TCP connection over its lifetime and the packet types allowed in each state. At the same time, stateful inspection checks the legality of the packets it allows through, for example that their sequence numbers are consistent with the provisions of the TCP protocol. All state transitions are shown in the figure:

[figure 4.1]

The initial state of a connection structure is SF_TCP_ACCEPT_SYN; the structure is created when the rule check returns FW_ACCEPT for a TCP packet with SYN set and ACK clear. After the structure is created, the packet enters the connection-establishment state check. The steps are:

(1) If the CLIENT (the initiator of the connection) sends a packet with SYN set and ACK clear, the connection state changes to SF_TCP_CLIENT_SYN.
(2) In state SF_TCP_CLIENT_SYN, when the SERVER (the receiver of the connection) responds with a packet with SYN set, or with SYN and ACK set, the connection state changes to SF_TCP_SYN_ACK. In this state a CLIENT packet with SYN set, or with SYN and ACK set, is also allowed and leaves the state unchanged.

(3) In state SF_TCP_SYN_ACK, when the CLIENT responds with a packet with ACK set, or with SYN and ACK set, the connection state changes to SF_TCP_ESTABLISHED3. In this state a SERVER packet with SYN and ACK set is also allowed and leaves the state unchanged, but a SERVER packet with only SYN set and a CLIENT packet with only SYN set are not allowed through.

These are the checks on SYN and ACK packets in the three states SF_TCP_ACCEPT_SYN, SF_TCP_CLIENT_SYN and SF_TCP_SYN_ACK. They support TCP simultaneous open, provided the rules allow it.

The steps of the state check for closing a connection are:

(4) If the CLIENT sends a packet with FIN set, the connection state changes to SF_TCP_CLIENT_FIN.

(5) If the SERVER sends a packet with FIN set, the connection state changes to SF_TCP_SERVER_FIN.

(6) When both of the above changes have completed, the connection state is SF_TCP_TERMINATED or greater than SF_TCP_TERMINATED (the latter if the structure was created for an FTP control connection).

(7) In a state greater than or equal to SF_TCP_TERMINATED, if a packet with SYN set is received, the connection is deleted and the rules are checked again.

In any state, if a packet with RST set is received, the connection is deleted. Packets with both SYN and FIN set, both SYN and RST set, or SYN, FIN and RST all set (a Christmas tree packet) are blocked.

4.2. Timeout

Each non-ESTABLISHED state has an appropriate timeout value, as follows:

[table 4.1]

Timeouts are implemented with kernel timers; a timed-out connection is deleted.
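The transitions of steps (1) to (7) in 4.1 and the per-state timeouts of 4.2, as an added example in C that is not SIFI's code: a userspace model that applies one segment at a time to a connection structure. The state names are the article's; the direction and verdict constants, the struct and function names, SF_TCP_DELETED as a marker for a removed entry, and the timeout values (Table 4.1 has SIFI's) are assumptions of this example. The ESTABLISHED states only get a timeout when SF_TCP_IDLE is defined at compile time, as the article describes.

```c
#include <stdint.h>
#include <stdio.h>

/* The article's state names; SF_TCP_DELETED is this example's marker for an
 * entry that has been removed from the connection table. */
enum sf_state {
    SF_TCP_ACCEPT_SYN, SF_TCP_CLIENT_SYN, SF_TCP_SYN_ACK, SF_TCP_ESTABLISHED3,
    SF_TCP_CLIENT_FIN, SF_TCP_SERVER_FIN, SF_TCP_TERMINATED, SF_TCP_DELETED
};
enum { DIR_CLIENT = 0, DIR_SERVER = 1 };
/* Verdicts (assumed): DELETE = forward and drop the entry, RECHECK = drop the
 * entry and run the packet through the rule table again. */
enum { FW_BLOCK = 0, FW_ACCEPT = 1, FW_DELETE = 2, FW_RECHECK = 3 };

#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

struct sf_conn {
    enum sf_state state;
    int client_fin, server_fin;   /* FIN seen from each side, for step (6) */
    unsigned timeout;             /* seconds until the timer deletes the entry; 0 = none */
};

/* Per-state timeouts (assumed values; Table 4.1 has SIFI's). The ESTABLISHED
 * states only get one when SF_TCP_IDLE is defined at compile time. */
unsigned sf_state_timeout(enum sf_state s)
{
    switch (s) {
    case SF_TCP_ACCEPT_SYN: case SF_TCP_CLIENT_SYN: case SF_TCP_SYN_ACK: return 30;
    case SF_TCP_CLIENT_FIN: case SF_TCP_SERVER_FIN: return 120;
    case SF_TCP_TERMINATED: return 10;
#ifdef SF_TCP_IDLE
    case SF_TCP_ESTABLISHED3: return 8 * 3600;   /* 8 hours, as in 4.2 */
#endif
    default: return 0;
    }
}

/* Apply one segment (flags, direction) to a connection; returns a verdict. */
int sf_tcp_state_check(struct sf_conn *c, int dir, uint8_t flags)
{
    int syn = flags & TH_SYN, ack = flags & TH_ACK, fin = flags & TH_FIN;

    /* SYN together with FIN and/or RST ("Christmas" packet) is never legal */
    if (syn && (flags & (TH_FIN | TH_RST))) return FW_BLOCK;
    /* RST in any state deletes the connection; the article does not say
     * whether the RST itself is forwarded, this model forwards it */
    if (flags & TH_RST) { c->state = SF_TCP_DELETED; return FW_DELETE; }

    switch (c->state) {
    case SF_TCP_ACCEPT_SYN:                              /* step (1) */
        if (dir == DIR_CLIENT && syn && !ack) { c->state = SF_TCP_CLIENT_SYN; break; }
        return FW_BLOCK;
    case SF_TCP_CLIENT_SYN:                              /* step (2) */
        if (dir == DIR_SERVER && syn) { c->state = SF_TCP_SYN_ACK; break; }
        if (dir == DIR_CLIENT && syn) break;             /* retransmit or simultaneous open */
        return FW_BLOCK;
    case SF_TCP_SYN_ACK:                                 /* step (3) */
        if (dir == DIR_CLIENT && ack) { c->state = SF_TCP_ESTABLISHED3; break; }
        if (dir == DIR_SERVER && syn && ack) break;      /* duplicate SYN/ACK */
        return FW_BLOCK;                                 /* bare SYN from either side */
    case SF_TCP_ESTABLISHED3: case SF_TCP_CLIENT_FIN: case SF_TCP_SERVER_FIN:
        if (syn) return FW_BLOCK;
        if (fin) {                                       /* steps (4) to (6) */
            if (dir == DIR_CLIENT) c->client_fin = 1; else c->server_fin = 1;
            if (c->client_fin && c->server_fin) c->state = SF_TCP_TERMINATED;
            else c->state = dir == DIR_CLIENT ? SF_TCP_CLIENT_FIN : SF_TCP_SERVER_FIN;
        }
        break;
    case SF_TCP_TERMINATED:                              /* step (7) */
        if (syn) { c->state = SF_TCP_DELETED; return FW_RECHECK; }
        break;                                           /* e.g. the final ACK */
    default:
        return FW_BLOCK;
    }
    c->timeout = sf_state_timeout(c->state);             /* (re)arm the timer */
    return FW_ACCEPT;
}

int main(void)
{
    struct sf_conn c = { SF_TCP_ACCEPT_SYN, 0, 0, 0 };
    struct { int dir; uint8_t flags; } pkts[] = {    /* constructed handshake and close */
        { DIR_CLIENT, TH_SYN }, { DIR_SERVER, TH_SYN | TH_ACK }, { DIR_CLIENT, TH_ACK },
        { DIR_CLIENT, TH_SYN | TH_FIN }, { DIR_CLIENT, TH_FIN | TH_ACK },
        { DIR_SERVER, TH_FIN | TH_ACK }, { DIR_CLIENT, TH_ACK }, { DIR_CLIENT, TH_SYN }
    };
    for (unsigned i = 0; i < sizeof pkts / sizeof pkts[0]; i++) {
        int v = sf_tcp_state_check(&c, pkts[i].dir, pkts[i].flags);
        printf("%s flags=0x%02x -> verdict %d state %d timeout %us\n",
               pkts[i].dir == DIR_CLIENT ? "client" : "server", pkts[i].flags,
               v, c.state, c.timeout);
    }
    return 0;
}
```

Build with `cc -o sm sm.c` (add `-DSF_TCP_IDLE` to give the ESTABLISHED state its 8 hour timeout). The handshake and close run through in the order the article describes; the SYN+FIN packet in the middle is blocked without touching the state, and the final SYN on the terminated entry yields the "delete and re-run the rules" verdict of step (7).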
SF_TCP_ESTABLISHED3 and SF_TCP_ESTABLISHEDFTP have no default timeout value, but the compile option SF_TCP_IDLE can be defined to give these two states a timeout of 8 * 3600 * HZ, i.e. 8 hours.

4.3. Sequence number check

The sequence number is an important means by which TCP guarantees reliable delivery. Every byte of data carried on a TCP connection is identified by a sequence number, and the initial sequence number is chosen when the connection is established. The party that receives a packet replies with a packet with ACK set, telling the peer the next sequence number it expects; all data before that sequence number has been received. TCP uses the sequence number window to limit how much data the peer may send, and so controls the flow. The window size is a 16-bit unsigned integer, and the TCP window scale option can extend it: when the scale option is in use, the window value is shifted left by the scale factor to obtain the actual window. The SYN packet that negotiates the initial sequence number occupies one sequence number, and the FIN packet that closes the connection occupies one sequence number. SIFI checks the sequence numbers of forwarded packets to decide whether they are legal. In the SIFI implementation the sequence number check on each TCP connection can be enabled by a configuration parameter. The steps are:

(1) For a packet without SYN set (a FIN or ACK packet), first verify that the sender's highest sequence number lies within the peer's window; then, if ACK is set, the acknowledgement number must lie within the range of sequence numbers the peer has sent.

(2) In state SF_TCP_CLIENT_SYN, record the CLIENT's sequence number, window size and scale factor. In state SF_TCP_SYN_ACK, record the SERVER's sequence number, window size and scale factor, and increase the CLIENT's sequence number by one.
(3) In state SF_TCP_TERMINATED, if a packet with SYN set is received, its sequence number is checked against the sequence number recorded for that party.

(4) In state SF_TCP_SYN_ACK, a duplicate SYN/ACK packet from the SERVER must carry an acknowledgement number equal to the CLIENT sequence number recorded for the connection.

4.4. Application protocol data check

The application protocol data check inspects the address and port that an application protocol negotiates on its control connection and creates a corresponding connection structure, so that the subsequent data connection can be established. In general, unless a rule allows all ports, the dynamic ports these protocols negotiate are denied by the rules by default. Creating the structure dynamically avoids the rule check and is transparent to the user. Of course, this could also be achieved by creating a dynamic rule, but a rule is a
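Steps (1), (2) and (4) of the sequence number check in 4.3, as an added example in C that is not SIFI's code. Sequence arithmetic is modulo 2^32 as TCP requires, and the window scale option is read from the raw option bytes of the SYN and SYN/ACK, capped at the shift of 14 the option allows. The per-endpoint record, the packet struct, the option parser and the exact acceptance interval are this example's assumptions: a segment's highest sequence number (a FIN counts as one) must lie between the peer's last acknowledgement number and the right edge of the peer's scaled window, and an acknowledgement number must not exceed what the peer has sent. Step (3) is not modelled because the article does not state that comparison precisely.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_ACK 0x10
#define TCPOPT_EOL    0
#define TCPOPT_NOP    1
#define TCPOPT_WSCALE 3

struct sf_side {            /* what the firewall records per endpoint (assumed layout) */
    uint32_t seq;           /* next sequence number this side will send */
    uint32_t ack;           /* last acknowledgement number this side sent */
    uint16_t win;           /* last advertised, unscaled window */
    uint8_t  scale;         /* window scale shift, 0 if not negotiated */
};

struct sf_tcp_seqinfo { struct sf_side client, server; int synacked; };

struct sf_pkt {             /* the segment fields the check needs (assumed) */
    uint8_t  flags;
    uint32_t seq, ack;
    uint16_t win;
    uint32_t payload;       /* data bytes after the header */
    const uint8_t *opts;    /* TCP options, opts_len bytes */
    size_t opts_len;
};

/* modular "a <= b" on 32-bit sequence numbers */
static int seq_leq(uint32_t a, uint32_t b) { return (int32_t)(a - b) <= 0; }

/* Window scale option: kind 3, length 3, shift count (capped at 14 by RFC 1323). */
uint8_t sf_parse_wscale(const uint8_t *o, size_t n)
{
    for (size_t i = 0; i < n; ) {
        uint8_t kind = o[i];
        if (kind == TCPOPT_EOL) break;
        if (kind == TCPOPT_NOP) { i++; continue; }
        if (i + 1 >= n || o[i + 1] < 2 || i + o[i + 1] > n) break;   /* malformed */
        if (kind == TCPOPT_WSCALE && o[i + 1] == 3) return o[i + 2] > 14 ? 14 : o[i + 2];
        i += o[i + 1];
    }
    return 0;
}

/* Step (2), state SF_TCP_CLIENT_SYN: record the CLIENT's sequence number,
 * window and scale factor from its SYN. Returns 1 if the packet is a bare SYN. */
int sf_seq_record_client_syn(struct sf_tcp_seqinfo *s, const struct sf_pkt *p)
{
    if (!(p->flags & TH_SYN) || (p->flags & TH_ACK)) return 0;
    s->client.seq = p->seq;
    s->client.win = p->win;
    s->client.scale = sf_parse_wscale(p->opts, p->opts_len);
    s->synacked = 0;
    return 1;
}

/* Step (2), state SF_TCP_SYN_ACK: the first SYN/ACK records the SERVER and
 * advances the CLIENT's number by one (the SYN occupies one sequence number).
 * Step (4): a duplicate SYN/ACK must acknowledge exactly that recorded number. */
int sf_seq_check_server_synack(struct sf_tcp_seqinfo *s, const struct sf_pkt *p)
{
    if ((p->flags & (TH_SYN | TH_ACK)) != (TH_SYN | TH_ACK)) return 0;
    if (s->synacked) return p->ack == s->client.seq;
    if (p->ack != s->client.seq + 1) return 0;
    s->client.seq += 1;
    s->client.ack = p->seq + 1;     /* what the client will acknowledge next */
    s->server.seq = p->seq + 1;
    s->server.ack = p->ack;
    s->server.win = p->win;
    s->server.scale = sf_parse_wscale(p->opts, p->opts_len);
    s->synacked = 1;
    return 1;
}

/* Step (1): a non-SYN segment from `me` to `peer`. The highest sequence number
 * it carries must lie inside the peer's scaled receive window, and an
 * acknowledgement number must not exceed what the peer has sent. On success
 * the sender's record is advanced. */
int sf_seq_check_data(struct sf_side *me, const struct sf_side *peer, const struct sf_pkt *p)
{
    uint32_t seq_end = p->seq + p->payload + ((p->flags & TH_FIN) ? 1 : 0);
    uint32_t win_right = peer->ack + ((uint32_t)peer->win << peer->scale);

    if (p->flags & TH_SYN) return 0;
    if (!seq_leq(peer->ack, seq_end) || !seq_leq(seq_end, win_right)) return 0;
    if ((p->flags & TH_ACK) && !seq_leq(p->ack, peer->seq)) return 0;
    if (seq_leq(me->seq, seq_end)) me->seq = seq_end;
    if ((p->flags & TH_ACK) && seq_leq(me->ack, p->ack)) me->ack = p->ack;
    me->win = p->win;
    return 1;
}

int main(void)
{   /* constructed handshake: client ISN 1000 with scale 7, server ISN 5000 */
    static const uint8_t ws7[] = { TCPOPT_WSCALE, 3, 7 };
    struct sf_tcp_seqinfo s = { {0}, {0}, 0 };
    struct sf_pkt syn = { TH_SYN, 1000, 0, 65535, 0, ws7, sizeof ws7 };
    struct sf_pkt synack = { TH_SYN | TH_ACK, 5000, 1001, 8192, 0, NULL, 0 };
    struct sf_pkt data = { TH_ACK, 1001, 5001, 65535, 100, NULL, 0 };
    int a = sf_seq_record_client_syn(&s, &syn);
    int b = sf_seq_check_server_synack(&s, &synack);
    int c = sf_seq_check_data(&s.client, &s.server, &data);
    printf("syn %d, syn/ack %d, data %d, client.seq now %u\n", a, b, c, s.client.seq);
    return 0;
}
```

Because the window check is done against the peer's last acknowledgement and the peer's own scaled window, a segment that is larger than the receiver advertised is refused even though each of its bytes is individually in range; and because acknowledgements are compared modulo 2^32 against what the peer has actually sent, an ACK for data that was never transmitted is refused as well.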
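The connection table lookups of section 3 and the dynamically created structure of 4.4, as an added example in C that is not SIFI's code. It models a bucketed hash table whose entries form a doubly linked list per bucket (the global conns/lastc list is left out), the one-way match SIFI uses for UDP, the two-way match it uses for TCP, an entry created from an FTP passive mode reply with source port 0 because the client's port is not yet known, and the SYN path that finds that entry and replaces it with one keyed on the real source port. The hash function, the struct layout, the fixed bucket count, the function names and the choice of the PASV reply (the article only says the address and port are taken from the control connection) are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SF_BUCKETS 64                 /* assumed; SIFI's size is not given */
#define SF_IPPROTO_TCP 6
#define SF_IPPROTO_UDP 17

struct sf_key { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto; };

struct sf_conn {
    struct sf_key key;
    int state;                        /* one of the article's SF_* states */
    struct sf_conn *prev, *next;      /* doubly linked within the bucket */
};

struct sf_table { struct sf_conn *bucket[SF_BUCKETS]; };

static unsigned sf_hash(const struct sf_key *k)
{
    uint32_t h = k->saddr ^ (k->daddr * 2654435761u) ^ ((uint32_t)k->sport << 16)
               ^ k->dport ^ k->proto;
    return (h ^ (h >> 16)) % SF_BUCKETS;
}

static int sf_key_eq(const struct sf_key *a, const struct sf_key *b)
{
    return a->saddr == b->saddr && a->daddr == b->daddr && a->sport == b->sport
        && a->dport == b->dport && a->proto == b->proto;
}

/* One-way match on the key exactly as given: all SIFI does for UDP. */
struct sf_conn *sf_lookup_oneway(struct sf_table *t, const struct sf_key *k)
{
    for (struct sf_conn *c = t->bucket[sf_hash(k)]; c; c = c->next)
        if (sf_key_eq(&c->key, k)) return c;
    return NULL;
}

/* Two-way match for TCP: the key, then the key with both ends swapped. */
struct sf_conn *sf_lookup_twoway(struct sf_table *t, const struct sf_key *k)
{
    struct sf_conn *c = sf_lookup_oneway(t, k);
    if (c) return c;
    struct sf_key r = { k->daddr, k->saddr, k->dport, k->sport, k->proto };
    return sf_lookup_oneway(t, &r);
}

struct sf_conn *sf_insert(struct sf_table *t, const struct sf_key *k, int state)
{
    struct sf_conn *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    c->key = *k;
    c->state = state;
    unsigned h = sf_hash(k);
    c->next = t->bucket[h];
    if (c->next) c->next->prev = c;
    t->bucket[h] = c;
    return c;
}

void sf_delete(struct sf_table *t, struct sf_conn *c)
{
    if (c->prev) c->prev->next = c->next;
    else t->bucket[sf_hash(&c->key)] = c->next;
    if (c->next) c->next->prev = c->prev;
    free(c);
}

/* 4.4: an FTP "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply seen on
 * the control connection names the server end of the coming data connection.
 * The client's source port is not known yet, so the entry is keyed with
 * sport 0. Returns 1 if an entry was created. */
int sf_expect_pasv(struct sf_table *t, uint32_t client, const char *reply)
{
    unsigned h1, h2, h3, h4, p1, p2;
    const char *p = strchr(reply, '(');
    if (strncmp(reply, "227", 3) != 0 || !p) return 0;
    if (sscanf(p + 1, "%u,%u,%u,%u,%u,%u", &h1, &h2, &h3, &h4, &p1, &p2) != 6) return 0;
    if ((h1 | h2 | h3 | h4 | p1 | p2) > 255) return 0;   /* every field is one byte */
    struct sf_key k = { client, (h1 << 24) | (h2 << 16) | (h3 << 8) | h4,
                        0, (uint16_t)(p1 * 256 + p2), SF_IPPROTO_TCP };
    return sf_insert(t, &k, 0 /* the article's initial TCP state */) != NULL;
}

/* Section 3, TCP path. A packet with an entry returns it. A SYN without ACK
 * that has none is retried with source port 0; a hit is deleted and replaced
 * by an entry keyed on the real ports. NULL means the packet goes on to the
 * rule table. */
struct sf_conn *sf_tcp_find_or_promote(struct sf_table *t, const struct sf_key *k,
                                       int syn_without_ack)
{
    struct sf_conn *c = sf_lookup_twoway(t, k);
    if (c || !syn_without_ack) return c;
    struct sf_key z = *k;
    z.sport = 0;
    struct sf_conn *exp = sf_lookup_oneway(t, &z);
    if (!exp) return NULL;
    int state = exp->state;
    sf_delete(t, exp);
    return sf_insert(t, k, state);
}
```

The one-way versus two-way distinction is the security-relevant point: with the UDP-style lookup, a reply coming back from the server does not match the entry created for the client's request, so each direction needs its own entry and its own rule decision, whereas the TCP entry covers both directions of the connection. The port-0 entry is consumed on first use, so one passive mode reply admits exactly one data connection.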