Firewalls, NATs, and Tunnels

Some quick notes on three useful security-related topics.

  1. Firewalls.
    1. A firewall is a router, with two modifications:
      1. It may examine parts of the packet in addition to the destination, and use them to match packets under relevant rules.
      2. It has the additional destination, discard. (A.K.A., the floor, the bit bucket or /dev/null.)
    2. A firewall is generally used as the router which forwards packets in and out of some organization.
    3. It has a routing table and performs the routing function in the usual way, with additional rules configured by the admin. Such as:
      1. “Block all inbound traffic using port 23.”
      2. “Discard packets arriving on the external connection whose source address is in the range of internal addresses.” This would be a remote machine pretending to be local. Can't be good.
      3. “Discard packets arriving on the external connection which have the SYN bit set.” This packet is attempting to connect to a service. If you don't have any externally-visible servers, this packet has no business here.
      4. If you know that 72.65.67.75 is run by evil people (or maybe just your business competitor), you might block any outbound traffic which is going there.
    4. Main classes of firewalls.
      1. Stateless firewalls examine each packet in isolation.
      2. Stateful firewalls retain history to relate one packet to another.
        1. They primarily track connections.
        2. For instance, a stateful firewall can have a rule like: “Block all incoming traffic from port 80 unless bound to a local machine that sent a request outbound to port 80 on that same remote machine within the last 10 minutes.” This would let you broadly block traffic, but allow responses to HTTP requests.
        3. Stateful firewalls can become impractical if the traffic volume is very large.
    5. Content filters examine the actual payload. These must understand an application protocol (usually HTTP) and are limited to filtering such traffic.
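The rules above, worked as a toy packet filter. This is an added example, not part of the notes: the packet format, the 192.168.1.0/24 internal range and the timestamps are constructed, and the only address taken from the notes is 72.65.67.75. It combines the stateless rules (spoofed internal source, inbound port 23, unsolicited SYN, blocked outbound destination) with the stateful "allow replies to recent outbound requests" rule. One caveat the notes skip over: the reply to a connection we opened ourselves carries SYN and ACK together, so the "discard inbound SYN" rule must test for SYN without ACK or it will break every outbound connection.

```python
"""Toy stateless + stateful packet filter (added example, not from the notes)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.168.1.0/24")   # constructed: the organization's LAN
EVIL = ip_address("72.65.67.75")          # the example address used in the notes
REPLY_WINDOW = 600                        # seconds: the notes' "last 10 minutes"


@dataclass
class Packet:
    iface: str        # "ext" (arrived from outside) or "int" (arrived from the LAN)
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    ts: float = 0.0   # arrival time in seconds


class Firewall:
    def __init__(self):
        # (internal host, internal port, remote host, remote port) -> time last seen
        self.state = {}

    def filter(self, p: Packet) -> str:
        """Return 'forward' or 'discard' for one packet, updating connection state."""
        if p.iface == "ext":
            # Stateless: an external packet claiming an internal source is spoofed.
            if ip_address(p.src) in INTERNAL:
                return "discard"
            # Stateless: block inbound telnet regardless of state.
            if p.proto == "tcp" and p.dport == 23:
                return "discard"
            # Stateless: no externally visible servers, so no new inbound connections.
            # SYN without ACK is a connection attempt; SYN+ACK is a reply to ours.
            if p.proto == "tcp" and p.syn and not p.ack:
                return "discard"
            # Stateful: forward only if a local host sent a matching request recently.
            key = (p.dst, p.dport, p.src, p.sport)
            last = self.state.get(key)
            if last is None or p.ts - last > REPLY_WINDOW:
                self.state.pop(key, None)          # stale record: forget it
                return "discard"
            self.state[key] = p.ts                 # refresh the record
            return "forward"
        # Outbound from the LAN.
        if ip_address(p.dst) == EVIL:
            return "discard"
        self.state[(p.src, p.sport, p.dst, p.dport)] = p.ts
        return "forward"


if __name__ == "__main__":
    fw = Firewall()
    fw.filter(Packet("int", "tcp", "192.168.1.9", 50000, "203.0.113.5", 80, syn=True, ts=0))
    print(fw.filter(Packet("ext", "tcp", "203.0.113.5", 80, "192.168.1.9", 50000,
                           syn=True, ack=True, ts=1)))   # the HTTP reply is forwarded
```

Each decision is made from the packet's headers plus the state table alone, which is what makes the stateful rule cheap per packet but costly in memory as the number of concurrent conversations grows (item 1.4.2.3 above).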
  2. NAT Routing.
    1. Network Address Translation is a technique developed to stretch the supply of IP4 addresses.
    2. Certain IP address ranges are designated private.
      1. Ranges are: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
      2. These are not assigned and may be used by anyone.
      3. Routers on the larger Internet drop packets destined to private addresses.
    3. Organizations use private addresses internally, and place NAT routers at the edge to translate.
      1. A NAT router has one interface using an internal private address and another with an external public address assigned to the organization.
      2. When an internal machine sends a packet out, the NAT router substitutes the packet source with the public IP and a port of its own choosing.
      3. The NAT router records this choice.
      4. When the external host answers, it responds to the public address which is attached to the NAT router. NAT makes the reverse substitution from the stored translation.
      5. The NAT router assigns different port numbers to different conversations so it can support several conversations on several internal hosts at once.
      6. Inbound packets are all directed to the same IP address, but to different ports. The NAT router uses the destination port number to choose the right translation.
    4. Translation records.
      1. When an outbound packet creates a translation record in the NAT, that record is generally retained until it is unused for a while.
      2. An inbound packet will be dropped if there is no pre-existing translation record for it.
      3. A TCP connection through the NAT will generally fail if the NAT drops its translation record. Many TCP implementations send redundant “keep-alive” acks during quiet periods to freshen the NAT record.
      4. If it is desired that some internal host be accessible from outside, a translation may be stored permanently for it.
      5. This all means a NAT has some firewalling side-effects, but all of them could be accomplished with a plain firewall absent a NAT.
    5. A NAT is logically different from a firewall, but they are almost always implemented together.
      1. They go in the same place in the network.
      2. A NAT and a stateful firewall require nearly the same record-keeping, so why duplicate effort?
    6. NAT allows an organization to connect many hosts to the Internet using only one or a few public addresses.
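The translation mechanics of items 2.3 and 2.4, as an added example that is not part of the notes. The public address 203.0.113.10, the internal 10.0.0.0/8 hosts, the port range and the idle timeout are all constructed. Outbound packets allocate a public port and a record, inbound packets are rewritten from the record keyed by destination port or dropped when no record exists, idle records expire, and a static record gives one internal server permanent inbound reachability. One addition beyond the notes: for dynamic records the NAT also checks that the inbound packet comes from the recorded remote peer, which many NATs do to stop an arbitrary outside host from injecting traffic into a mapped port.

```python
"""Toy NAT translation table (added example, not from the notes)."""
from dataclasses import dataclass, replace
from typing import Optional

PUBLIC_IP = "203.0.113.10"   # constructed: address on the NAT's external interface
IDLE_TIMEOUT = 300           # seconds an unused dynamic record survives
FIRST_PORT = 40000           # first public port handed out


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Record:
    internal_ip: str
    internal_port: int
    remote_ip: Optional[str]     # None for a static record: any remote may use it
    remote_port: Optional[int]
    last_used: float
    static: bool = False


class Nat:
    def __init__(self):
        self.next_port = FIRST_PORT
        self.records = {}        # (proto, public port) -> Record

    def add_static(self, proto, public_port, internal_ip, internal_port):
        """Permanent record so an internal server is reachable from outside (item 2.4.4)."""
        self.records[(proto, public_port)] = Record(internal_ip, internal_port, None, None, 0.0, static=True)

    def _expire(self, now):
        """Drop dynamic records that have been unused for IDLE_TIMEOUT (item 2.4.1)."""
        for key, rec in list(self.records.items()):
            if not rec.static and now - rec.last_used > IDLE_TIMEOUT:
                del self.records[key]

    def _find(self, p):
        """Locate the record for an outbound packet, if one already exists."""
        for key, rec in self.records.items():
            if key[0] != p.proto or (rec.internal_ip, rec.internal_port) != (p.src, p.sport):
                continue
            if rec.static or (rec.remote_ip, rec.remote_port) == (p.dst, p.dport):
                return key
        return None

    def outbound(self, p, now):
        """Rewrite an internal->external packet; create or refresh its record."""
        self._expire(now)
        key = self._find(p)
        if key is None:
            key = (p.proto, self.next_port)           # a fresh port per conversation
            self.next_port += 1
            self.records[key] = Record(p.src, p.sport, p.dst, p.dport, now)
        self.records[key].last_used = now
        return replace(p, src=PUBLIC_IP, sport=key[1])

    def inbound(self, p, now):
        """Reverse-translate an external->public packet, or return None to drop it."""
        self._expire(now)
        rec = self.records.get((p.proto, p.dport))   # destination port picks the record
        if rec is None:
            return None                               # no record: dropped (item 2.4.2)
        if not rec.static and (rec.remote_ip, rec.remote_port) != (p.src, p.sport):
            return None                               # reply must come from the recorded peer
        rec.last_used = now
        return replace(p, dst=rec.internal_ip, dport=rec.internal_port)


if __name__ == "__main__":
    nat = Nat()
    out = nat.outbound(Packet("tcp", "10.0.0.5", 51000, "198.51.100.2", 80), now=0)
    print(out)                                                       # src becomes 203.0.113.10:40000
    print(nat.inbound(Packet("tcp", "198.51.100.2", 80, PUBLIC_IP, 40000), now=1))
    print(nat.inbound(Packet("tcp", "198.51.100.2", 80, PUBLIC_IP, 40000), now=1000))   # expired: None
```

The expiry path is exactly why the notes mention TCP keep-alives: a connection that stays quiet longer than the NAT's idle timeout loses its record, and the next inbound segment is dropped as unsolicited.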
  3. Tunneling and VPNs.
    1. Encapsulation need not always walk up the protocol stack.
    2. TCP segments can be sent as UDP messages. That allows TCP to be carried as UDP traffic. (The IP layer must be included again if you want to deliver the TCP to a destination different from the UDP message's destination.)
    3. In segment B, routers and firewalls see UDP traffic destined to router Y, rather than the true destination.
    4. In this example the UDP messages contain IP, but the payload could be any protocol, at any level of the stack, including link-layer (hardware) frames.
    5. VPN
      1. Tunnel router X encrypts each IP datagram before placing it in a UDP message. Router Y decrypts it.
      2. Segment A and C might be LANs belonging to the same organization in different locations.
      3. Segment B can safely cross the public net without revealing private info.
      4. A tunnel router may be a physical router, or just a software program running on host M and/or N.
      5. In a common arrangement, X is software on the laptop of a traveling or remote employee who may use it to safely connect to the organizational LAN.
    6. Penetrating firewalls.
      1. If segment B contains a firewall, it will not see the true destination and other properties of the tunneled traffic.
        1. For a VPN, that information should be quite hidden from the firewall.
        2. Even if not encrypted, the firewall probably won't know to check.
      2. VPNs can therefore be used to bypass blockages created by firewalls. The firewall does not see the information it needs to apply its rules relative to the final destination of the traffic, for all the usual purposes:
        1. Violate terms of service for the local network.
        2. Information theft.
        3. Corporate or political espionage.
        4. Bypass government information controls.
      3. Firewall administrators
        1. Will often attempt to block known tunneling hosts.
        2. But it's pretty easy to just set up a new one.
        3. If the administrators control the internal network also, they may attempt to prevent installation of VPN software there.
      4. NATs often treat TCP and UDP differently, so a tunnel can sometimes be used to change the way a NAT treats your traffic, for good or ill.
    7. Note: I have sometimes heard the administrative unblocking of a port in a firewall described as “opening a tunnel.” That's not how I'm using the term here.
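The tunnel of items 3.2 through 3.6, worked as an added example that is not part of the notes. Router X wraps an IP datagram (here a TCP segment from host M on segment A to host N on segment C) inside a UDP message to router Y; a firewall on segment B parses only the outer headers, so its "block TCP port 23" rule does not match even though the inner segment is exactly that, while a rule blocking UDP to the known tunnel endpoint (item 3.6.3) does match. All addresses, the UDP port 4789 and the shared key are constructed. A real VPN encrypts the inner datagram with an authenticated cipher such as AES-GCM; to stay within the standard library this example only authenticates it with an HMAC tag, which still lets Y reject tampered or foreign traffic, and leaves it readable so the two views can be compared.

```python
"""Toy IP-in-UDP tunnel and the segment-B firewall's view (added example, not from the notes)."""
import hmac
import struct
from hashlib import sha256
from ipaddress import IPv4Address

TUNNEL_PORT = 4789                                    # constructed: UDP port router Y listens on
SHARED_KEY = b"constructed-example-key"               # constructed: shared by X and Y
ROUTER_X, ROUTER_Y = "198.51.100.1", "203.0.113.7"    # constructed: tunnel endpoints on segment B


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement sum over the header's 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def tcp(sport, dport, flags, payload=b""):
    """Minimal 20-byte TCP header; the TCP checksum is left zero for this illustration."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 65535, 0, 0) + payload


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def parse_ipv4(pkt):
    """Return (proto, src, dst, sport, dport, tcp_flags_or_None, payload) from one datagram."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src, dst = str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))
    l4 = pkt[ihl:]
    sport, dport = struct.unpack("!HH", l4[:4])
    if proto == 6:                                     # TCP: flags byte and data offset
        return proto, src, dst, sport, dport, l4[13], l4[(l4[12] >> 4) * 4:]
    return proto, src, dst, sport, dport, None, l4[8:]  # UDP: fixed 8-byte header


def encapsulate(inner):
    """Router X: tag the inner datagram and carry it as UDP from X to Y."""
    tag = hmac.new(SHARED_KEY, inner, sha256).digest()[:16]
    return ipv4(ROUTER_X, ROUTER_Y, 17, udp(TUNNEL_PORT, TUNNEL_PORT, tag + inner))


def decapsulate(outer):
    """Router Y: strip the outer headers, verify the tag, return the inner datagram or None."""
    proto, _, dst, _, dport, _, body = parse_ipv4(outer)
    if proto != 17 or dst != ROUTER_Y or dport != TUNNEL_PORT:
        return None
    tag, inner = body[:16], body[16:]
    expected = hmac.new(SHARED_KEY, inner, sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None                                    # tampered or not from X
    return inner


def stateless_rule(pkt, *, block_tcp_port=None, block_udp_to=None):
    """A stateless firewall decides from the outermost headers of the datagram it holds."""
    proto, _, dst, _, dport, _, _ = parse_ipv4(pkt)
    if proto == 6 and dport == block_tcp_port:
        return "discard"
    if proto == 17 and block_udp_to == (dst, dport):
        return "discard"
    return "forward"


def demo():
    # Host M (segment A) opens a telnet connection to host N (segment C).
    inner = ipv4("10.1.0.5", "10.2.0.9", 6, tcp(50000, 23, 0x02))
    outer = encapsulate(inner)
    on_segment_a = stateless_rule(inner, block_tcp_port=23)    # sees TCP/23: discard
    on_segment_b = stateless_rule(outer, block_tcp_port=23)    # sees UDP to Y: forward
    endpoint_block = stateless_rule(outer, block_udp_to=(ROUTER_Y, TUNNEL_PORT))
    return on_segment_a, on_segment_b, endpoint_block, decapsulate(outer) == inner


if __name__ == "__main__":
    print(demo())   # ('discard', 'forward', 'discard', True)
```

The middle result is the whole point of item 3.6: the segment-B firewall is not wrong, it simply has nothing but the outer UDP/IP headers to match against. The only stateless rule that helps it is the one on the tunnel endpoint itself, which is why administrators fall back to blocking known endpoints and controlling what software the internal hosts may run.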