Novell BorderManager®: Advanced Packet Filtering

Novell BrainShare 2002
TUT342: Novell BorderManager®: Advanced Packet Filtering
Craig Johnson, Consultant, craigsj@ix.netcom.com
Caterina Luppi, caterina@wirediguana.com

Why Change from Defaults
- The default filters are fine; the default filter exceptions are too open
- The default filter exceptions in BorderManager 3.6 are the same as in 2.1
- NetWare® has changed since BorderManager 2.1, and now includes several programs accessible from the Internet

Default Exception Vulnerabilities
- Remote Web Manager (PORTAL.NLM)
- RCONAG6
- CSATPXY (subject to a denial of service attack)
- Third-party programs such as Compaq web-enabled Insight Manager agents

Understanding the Defaults
- FILTERS: block all traffic to and from the public interface (this is good!)
- EXCEPTIONS: allow certain traffic to and from the public IP address:
  - Web server inbound (for reverse proxy)
  - VPN traffic
  - TCP and UDP high ports
  - All outbound IP

The Worst Offender
- Dynamic/TCP is designed to allow return traffic on high ports, but it also allows inbound connections to high ports to be initiated from the Internet
- Dynamic/UDP is similar, but few programs listen on UDP high ports on a NetWare server

How ACK Bit Filtering Can Help
- The default Dynamic/TCP exception does not enable ACK bit filtering
- The ACK bit is set on every segment of an established connection
- The ACK bit is not set on the first segment of a new connection: the initial SYN is sent without ACK
- A filter that requires the ACK bit therefore passes return traffic but rejects attempts to open a connection inbound

ACK Bit Filtering Example
- Host1 sends a TCP packet (SYN, no ACK) to Host2 on some defined destination port (for instance, HTTP)
- Host2 recognizes the destination port and sends back an acknowledgement with the ACK bit set (SYN/ACK)
- Host1 receives that acknowledgement and sends back another acknowledgement (ACK), completing the handshake
- All traffic from this point on has the ACK bit set

Enabling ACK Bit Filtering
- Replace the default Dynamic/TCP exception with a custom definition called Dyn/ACK/TCP: source port = Any, destination ports = 1024-65535, ACK bit filtering enabled, OR
- Change the default definition for Dynamic/TCP in FILTERS.CFG to enable ACK bit filtering

Problems Changing Defaults
- BRDCFG: if you run it again to redo the defaults, you will see some problems
- If a Dyn/ACK/TCP custom definition was used, an additional Dynamic/TCP exception is added that defeats the custom exception
- If the default Dynamic/TCP definition was changed, BRDCFG puts a flawed exception in place that allows all inbound traffic
- Traffic allowed before (to the public IP address) may now be blocked

Solution/Workaround
- Delete or rename BRDCFG.NLM so that it cannot be run accidentally later by someone who does not understand the implications for custom filtering
- Add a BRDCFG.NCF file that simply displays a message not to run BRDCFG.NLM because of this problem

Alternative to Dynamic/TCP
- Replace the Dynamic/TCP and Dynamic/UDP inbound exceptions, and the default 'all IP' outbound exception, with a single stateful 'all IP' outbound exception
- This takes care of all return traffic automatically
- Even allows ping from the server console
- Produces somewhat more overhead on the server, since it has to keep track of all IP traffic
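The three configurations discussed on the last few slides (the default Dynamic/TCP exception, the Dyn/ACK/TCP variant with ACK bit filtering, and the stateful 'all IP' outbound alternative) differ in which inbound packets they admit. The following is an added example, not code from the presentation or from Novell: it models only the decision logic of each rule in Python, not BorderManager's FILTERS.CFG syntax. The addresses, the port 8009 used for the listening management agent, and the traffic sample are constructed for the demonstration.

```python
"""Toy packet filter contrasting three ways of admitting TCP return traffic:
the default Dynamic/TCP exception, the same exception with ACK bit filtering
(Dyn/ACK/TCP), and a stateful 'all IP' outbound exception. Added example; it
models the rules' logic, not BorderManager's configuration format.
Addresses and ports are constructed."""
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"      # constructed: the server's public address


@dataclass(frozen=True)
class Packet:
    direction: str              # "in": arriving on the public NIC, "out": leaving it
    proto: str                  # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False


def dynamic_tcp(pkt):
    """Default Dynamic/TCP exception: any inbound TCP segment to a high port
    on the public IP, regardless of flags. Source port is Any."""
    return (pkt.direction == "in" and pkt.proto == "tcp"
            and pkt.dst_ip == PUBLIC_IP and 1024 <= pkt.dst_port <= 65535)


def dyn_ack_tcp(pkt):
    """Dyn/ACK/TCP: same match, but the segment must carry the ACK bit, so a
    bare SYN cannot open a connection to a high port from outside."""
    return dynamic_tcp(pkt) and pkt.ack


class StatefulAllIP:
    """Stateful 'all IP' outbound exception: record each outbound flow and
    admit an inbound packet only if it answers a recorded flow."""

    def __init__(self):
        self.flows = set()

    def allow(self, pkt):
        if pkt.direction == "out" and pkt.src_ip == PUBLIC_IP:
            self.flows.add((pkt.proto, pkt.src_ip, pkt.src_port,
                            pkt.dst_ip, pkt.dst_port))
            return True
        # An inbound reply has the outbound flow's addresses and ports swapped.
        reply_of = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return reply_of in self.flows


def run(packets):
    """Evaluate the packet sequence under each configuration.
    Returns {configuration name: [allowed?, ...]} in packet order."""
    stateful = StatefulAllIP()
    results = {"Dynamic/TCP": [], "Dyn/ACK/TCP": [], "Stateful all IP": []}
    for pkt in packets:
        outbound = pkt.direction == "out"
        # The default configuration pairs the inbound Dynamic exception with an
        # 'all IP' outbound exception, so outbound packets always pass there.
        results["Dynamic/TCP"].append(outbound or dynamic_tcp(pkt))
        results["Dyn/ACK/TCP"].append(outbound or dyn_ack_tcp(pkt))
        results["Stateful all IP"].append(stateful.allow(pkt))
    return results


# Constructed traffic sample.
SAMPLE = [
    # 1. the HTTP proxy opens a connection to a web server: SYN, no ACK
    Packet("out", "tcp", PUBLIC_IP, 3501, "198.51.100.7", 80, syn=True),
    # 2. the server's SYN/ACK comes back to the proxy's high port
    Packet("in", "tcp", "198.51.100.7", 80, PUBLIC_IP, 3501, syn=True, ack=True),
    # 3. an unsolicited SYN from the Internet to a high port where a
    #    management agent listens (port number chosen for the example)
    Packet("in", "tcp", "192.0.2.66", 40000, PUBLIC_IP, 8009, syn=True),
    # 4. a crafted ACK-only probe (an ACK scan) to the same port
    Packet("in", "tcp", "192.0.2.66", 40001, PUBLIC_IP, 8009, ack=True),
]

if __name__ == "__main__":
    for name, verdicts in run(SAMPLE).items():
        print(f"{name:16s}", ["pass" if v else "drop" for v in verdicts])
```

Packet 3 is the hole the slides describe: only the default Dynamic/TCP exception passes it. Packet 4 shows the limit of the ACK bit approach: a crafted segment with ACK set still reaches the high port under Dyn/ACK/TCP (the host answers with a RST, which is exactly how an ACK scan maps a filter's rules), whereas the stateful exception drops it because no outbound flow matches. The price of the stateful variant is the flow table it has to maintain, which is the extra overhead the slide mentions.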

Further Customization
- Delete the filter exceptions that are not being used: the HTTP and SSL (Accel Auth) definitions, and VPN if not using VPN
- Do not load programs that can be accessed from the Internet
- Replace the default exceptions with definitions that specify source ports

Complete Customization
- Concept: remove all the default exceptions, and create only custom definitions with the minimum ports needed for each application
- All outbound exceptions will be stateful
- No inbound exception will be stateful
- You must understand exactly what ports will be required for every application and proxy

Outbound Exceptions for Proxies
XYZ Proxy
- Source interface: Public
- Destination interface: Public
- Source IP address: proxy public IP address
- Destination IP address: Any
- Source ports: varies, often 1024-65535
- Destination port: as needed
- Stateful filtering: enabled

Inbound Exception for Proxies
Reverse XYZ Proxy
- Source interface: Public
- Destination interface: Public
- Source ports: varies, typically 1024-65535
- Destination port: as needed
- Source IP address: Any
- Destination IP address: reverse XYZ proxy public IP address

Inbound Exception for Proxies (cont.)
Must also allow reverse proxies to send return packets
- Source and destination interfaces: Public
- Source port: the destination port from part 1
- Destination ports: the source ports from part 1
- Source IP address: reverse XYZ proxy public IP address
- Destination IP address: Any (the destination from part 1, reversed)

Outbound HTTP Proxy
- Trickier than you might expect, because some web sites use non-standard port numbers
- Need to allow at least TCP destination ports 80 and 443 out
- Often also need to allow destination ports 8080, 8008, 8009 and others outbound
- If using a stateful 'all IP' outbound exception, this is no problem

Outbound Non-Proxy Traffic
- Use customized stateful filter exceptions
- Always specify both a 'from' and a 'to' (usually source and destination interfaces, but sometimes an IP address instead)
- When making a customized exception, specify the source ports

Inbound Static NAT Traffic
- Don't use a stateful filter exception; a static exception gives better security and performance
- Customize the exception, and specify the source ports
- Use a 'from' and a 'to' (usually source and destination interface), and also specify the internal host IP address as the destination IP address

Inbound Static NAT Return Traffic
- For every inbound packet, you need to allow the return reply (response)
- Reverse the definition of the inbound exception: switch source and destination interfaces, ports and IP address(es)
- For TCP exceptions (the majority), enable ACK bit filtering here
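Both the reverse-proxy return exception (Inbound Exception for Proxies, cont.) and the static NAT return exception above are derived the same way: take the inbound definition, swap every 'from' with its 'to', and for TCP turn on ACK bit filtering. The following is an added example, not code from the presentation or from Novell: it represents an exception as a Python dict (this is not BorderManager's configuration format), derives the return rule mechanically, and lints definitions for the mistakes the slides warn against (stateful inbound rules, source ports left as Any, ACK bit filtering on UDP, a wide inbound TCP range without ACK bit filtering). The internal hosts, rule names and addresses are constructed.

```python
"""Derive the return-traffic exception for a static (non-stateful) inbound
exception by reversing it, and lint exception definitions for the mistakes
the slides warn about. Added example that models the rule fields as a dict;
it is not BorderManager's configuration format. Hosts and names are
constructed."""


def reverse_exception(exc):
    """Return the exception that admits replies to `exc`: interfaces,
    addresses and port ranges swapped, direction flipped. For TCP the result
    gets ACK bit filtering, so it only passes segments of a connection opened
    through the original exception and never a new SYN. UDP has no ACK bit,
    so nothing is enabled there. Return rules are never stateful."""
    return {
        "name": exc["name"] + "-RETURN",
        "proto": exc["proto"],
        "direction": "out" if exc["direction"] == "in" else "in",
        "src_if": exc["dst_if"],
        "dst_if": exc["src_if"],
        "src_ip": exc["dst_ip"],
        "dst_ip": exc["src_ip"],
        "src_ports": exc["dst_ports"],       # (low, high) inclusive
        "dst_ports": exc["src_ports"],
        "stateful": False,
        "ack_filter": exc["proto"] == "tcp",
    }


def lint_exception(exc):
    """Flag definitions that violate the practices in the slides."""
    warnings = []
    lo, hi = exc["dst_ports"]
    if exc["proto"] == "udp" and exc["ack_filter"]:
        warnings.append("UDP has no ACK bit; ACK bit filtering does nothing here")
    if exc["direction"] == "in" and exc["stateful"]:
        warnings.append("inbound exception is stateful; use a static rule plus a return rule")
    if exc["src_ports"] == (1, 65535):
        warnings.append("source ports are Any; specify the expected source port range")
    if (exc["direction"] == "in" and exc["proto"] == "tcp"
            and not exc["ack_filter"] and hi - lo >= 1000):
        warnings.append("wide inbound TCP destination range without ACK bit "
                        "filtering lets connections be opened from outside")
    return warnings


# Constructed: static NAT for SMTP to an internal mail host.
INBOUND_SMTP = {
    "name": "SMTP-NAT-IN", "proto": "tcp", "direction": "in",
    "src_if": "public", "dst_if": "private",
    "src_ip": "any", "dst_ip": "192.168.10.25",
    "src_ports": (1024, 65535), "dst_ports": (25, 25),
    "stateful": False, "ack_filter": False,
}

# Constructed: static NAT for DNS queries to an internal name server.
INBOUND_DNS = dict(INBOUND_SMTP, name="DNS-NAT-IN", proto="udp",
                   dst_ip="192.168.10.53", dst_ports=(53, 53))

# The default Dynamic/TCP exception as the slides describe it (modelled here;
# the public address is constructed).
DEFAULT_DYNAMIC_TCP = {
    "name": "Dynamic/TCP", "proto": "tcp", "direction": "in",
    "src_if": "public", "dst_if": "public",
    "src_ip": "any", "dst_ip": "203.0.113.10",
    "src_ports": (1, 65535), "dst_ports": (1024, 65535),
    "stateful": False, "ack_filter": False,
}

if __name__ == "__main__":
    for exc in (INBOUND_SMTP, reverse_exception(INBOUND_SMTP),
                INBOUND_DNS, reverse_exception(INBOUND_DNS),
                DEFAULT_DYNAMIC_TCP):
        print(exc["name"], lint_exception(exc) or "ok")
```

Running the module shows the SMTP and DNS pairs passing the lint, while the default Dynamic/TCP definition is flagged twice: its source port is Any, and its inbound high-port range has no ACK bit filtering, which is the Worst Offender slide in one line. Because the derivation is mechanical, the same function covers the Public-to-Public reverse-proxy case, where swapping the interfaces changes nothing and only the ports and addresses move.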

3-NIC DMZ
- A 3-NIC DMZ provides an isolated LAN segment for servers that are accessed from the Internet
- Access to servers on the DMZ is controlled by packet filtering on both the public (Internet) and private (internal LAN) sides
- Start by blocking all traffic to and from the DMZ NIC:
  - Use BRDCFG.NLM
  - Delete all of the new default exceptions afterward
  - Declare the DMZ address as private

3-NIC DMZ (cont.)
- Access to the DMZ segment from the Internet is configured exactly as if providing access to servers on the private LAN segment: reverse proxy, static NAT, filter exceptions
- Use stateful filter exceptions to allow selected traffic from the private LAN to the DMZ
- It is best not to allow any traffic (including NDS) from the DMZ to the private LAN

3-NIC DMZ Example: Web Server
A web server in the DMZ segment needs:
- Either a reverse proxy definition, or static NAT
- Filter exceptions for the reverse proxy, or filter exceptions for static NAT
- Filter exceptions to allow updating the web server content from the private LAN, such as FTP-PORT-ST:
  - Source interface = Private, destination interface = DMZ
  - Source ports = 1024-65535, destination ports = 20-21
  - Stateful filtering enabled

Odds and Ends
- SET FILTER DEBUG=ON: see specific traffic
- SET TCP IP DEBUG=1: see all traffic
- www.ethereal.com: a free packet analysis tool
- There is no ACK bit in UDP
- Novell Public Forums: free advice!
- Novell BorderManager: A Beginner's Guide to Configuring Filter Exceptions, http://nscsysop.hypermart.net

Changes Coming in BorderManager 3.7
- GUI filtering interface (via iManage)
- Other changes (information not yet available at the time this version of the presentation was written)

Book Giveaway
- Novell BorderManager: A Beginner's Guide to Configuring Filter Exceptions

Win big! Visit the Access and Security table in the one Net solutions lab to obtain an entry form.