Linux Firewalls Hold Up Under Application Layer Attacks12:00 AM EST Mon. Nov. 12, 2007
Connecting a system to the lifeblood that is the Internet today is a risky proposition, even with the latest patches and security updates applied. Intrusion Detection Systems have proved their worth from a network security monitoring perspective, but there is no substitute for a good inline mechanism to enforce policy. Typically, this means that you need a firewall, but a firewall by itself is not enough. If IDS technology has proven anything, it is that application layer decoding and inspection is critical to maintaining a strong network security posture. Therefore, it's only natural to build application layer inspection capabilities into tried and true inline enforcement devices -- firewalls.
In the world of the Linux operating system and open source software, the iptables firewall provides a full featured and stable packet filtering infrastructure. Commercial-grade capabilities such as protocol state tracking, NAT, rate limiting, and comprehensive logging are all provided by iptables, and excellent GUI management interfaces such as fwbuilder are also freely available. However, the real icing on the cake offered by iptables is its ability to detect and respond to application layer attacks. This feature is made possible with the iptables string match extension, and the best part is that if you are running Linux in your infrastructure, then you may already have this capability deployed.
The term usually applied to application layer inspection and enforcement mechanisms is "Intrusion Prevention System," but adoption of IPS technology (such as Snort running in inline mode or other commercial systems) has been slow. Network administrators are hesitant to deploy additional inline devices out of concern for basic connectivity and the need for low latency communications. This is where the stability of iptables, which is tested on Linux systems across the globe, makes its mark.
A true IPS is always inline to the network data path so that malicious packets can be dropped before they are forwarded to a targeted system. This is not possible with a traditional IDS that passively monitors traffic from a span port on a switch. Sure, even an IDS can knock down TCP connections with a spoofed RST, or interact with a remote firewall to block an attacker, but this does not stop the initial portions of an attack from reaching a targeted system. With iptables on your Linux systems, you basically have an IPS at your disposal for free.
One piece is missing though: What are the specific attacks that iptables can detect and thwart? To answer this, the best strategy is to turn to the Snort rules community. This community reverse engineers the latest exploits, attacks, and malware in order to provide detection rules to people who run the Snort IDS, and free rules are available.
Next, you need a way to automatically translate Snort rules into equivalent iptables rules, and this is where the fwsnort project comes in. With fwsnort, you can build an iptables policy that leverages the power of the Snort community to detect and react to application layer attacks in real time. Significant coverage of fwsnort can be found in the new book from No Starch Press entitled "Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort."
When it comes to network security, iptables is a robust and feature-full firewall. It is time to take back the Internet from wrongdoers with strong inline application layer inspection with Snort rule sets, iptables policies, and fwsnort.
Michael Rash holds a Master's Degree in applied mathematics with a
concentration in computer security from the University of Maryland. He is the founder of cipherdyne.org, a website dedicated to open source
security software for Linux systems, and works professionally as a Security
Architect on the Dragon IDS/IPS for Enterasys Networks. He is the author of
the book "Linux Firewalls: Attack Detection and Response with iptables, psad,
and fwsnort," published by No Starch Press.