Everybody Get Inline

Typically, that enforcement means you need a firewall, but a firewall by itself is not enough. If IDS technology has proven anything, it is that application layer decoding and inspection is critical to maintaining a strong network security posture. Therefore, it's only natural to build application layer inspection capabilities into tried-and-true inline enforcement devices—namely, firewalls.

In the world of the Linux operating system and open-source software, the iptables firewall provides a full-featured and stable packet filtering infrastructure. Commercial-grade capabilities such as protocol state tracking, network address translation, rate limiting and comprehensive logging are all provided by iptables. Excellent GUI management interfaces such as fwbuilder are also freely available.

However, the real icing on the cake offered by iptables is its ability to detect and respond to application layer attacks. This feature is made possible with the iptables string match extension. The best part is that if you are running Linux as part of your infrastructure, then you may already have this capability deployed.

The Power Of IPS
The term usually applied to application layer inspection and enforcement mechanisms is intrusion prevention system, but adoption of IPS technology (such as Snort running in inline mode or other commercial systems) has been slow. Network administrators are hesitant to deploy additional inline devices out of concern for basic connectivity and the need for low latency communications. This is where the stability of iptables, which is tested on Linux systems across the globe, makes its mark.

A true IPS is always inline to the network data path so that malicious packets can be dropped before they are sent to a targeted system. This is not possible with a traditional IDS, which passively monitors traffic from a span port on a switch.

Sure, even an IDS can knock down TCP connections with a spoofed reset, or interact with a remote firewall to block an attacker, but this does not stop the initial portions of an attack from reaching a targeted system. With iptables on your Linux systems, you basically have an IPS at your disposal for free.

One piece is missing, though: What are the specific attacks that iptables can detect and thwart? To answer this, the best strategy is to turn to the Snort rules community. This community reverse-engineers the latest exploits, attacks and malware in order to provide detection rules to people who run the Snort IDS and free rules are available. In recent alerts, for example, Sourcefire issued advisories for potential vulnerabilities affecting Samba, Skype and Apple Quicktime applications.

Regarding the Skype issue, Sourcefire said a programming error in the Skype URI handler may allow a remote attacker to cause memory corruption, which may lead to code execution. The advisory then pointed to a rule to detect attacks targeting this vulnerability.

The latest Snort release, version 2.8.0.1, was released late last year and is available as a free download at Snort.org.

Next, you need a way to automatically translate Snort rules into equivalent iptables rules and this is where the fwsnort project comes in. With fwsnort, you can build an iptables policy that leverages the power of the Snort community to detect and react to application layer attacks in realtime.

When it comes to network security, iptables is a robust and feature-rich firewall. It is time to take back the Internet from wrongdoers with strong inline application layer inspection with Snort rule sets, iptables policies and fwsnort.

Michael Rash is the founder of cipherdyne.org, and is a Security Architect on the Dragon IDS/IPS for Enterasys Networks. He is also the author of the book "Linux Firewalls: Attack Detection and Response with iptables, psad and fwsnort."