Wednesday, January 27, 2010

firewall-wizards Digest, Vol 45, Issue 11

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Is it possible to control access between clients on same
LAN with a firewall? (arvind doraiswamy)
2. Re: Is it possible to control access between clients on same
LAN with a firewall? (Eric Gearhart)
3. Re: Is it possible to control access between clients on same
LAN with a firewall? (Mark)
4. Re: Is it possible to control access between clients on same
LAN with a firewall? (Paul Melson)
5. Re: Is it possible to control access between clients on same
LAN with a firewall? (K K)
6. Re: Is it possible to control access between clients on same
LAN with a firewall? (Will Brickles)


----------------------------------------------------------------------

Message: 1
Date: Tue, 26 Jan 2010 11:27:11 +0530
From: arvind doraiswamy <arvind.doraiswamy@gmail.com>
Subject: Re: [fw-wiz] Is it possible to control access between clients
on same LAN with a firewall?
To: wfitzgerald@4c.ucc.ie, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Cc: firewall-wizards@listserv.cybertrust.com
Message-ID:
<e7efc21f1001252157y36d213f1h60ddecef74cfe015@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

VLAN's on L3 switches is what instantly springs to mind. Alternatively
as you suggest ACL's on the L3 switch itself between all the machines
on that switch is another option.

How about something like this though? Say the LAN is 192.168.0.0/24.
The machines all have their gateway set to 192.168.3.1(switch). Don't
have any routes on the switch apart from a default one pointing to the
firewall which can be on another network (172.16.3.1) - one port on
the switch also on this network(172.16.3.2). So all traffic gets
forced through the firewall instead of being forcefully routed on the
switch itself.Logically this sounds ok to me - I haven't actually
tested this - but it might work.

Arvind

On Mon, Jan 25, 2010 at 9:51 PM, William Fitzgerald
<wfitzgerald@4c.ucc.ie> wrote:
> Dear all,
>
> I was just wondering how people control access amongst machines on the same
> subnet (LAN) that are protected by the same firewall.
>
> In my case, the firewall is a home router (WRT54G) running DD-WRT, so
> iptables is the firewall there.
>
> Presumably as with all firewalls, once a packet is not being sent to the
> firewall itself or forwarded through the firewall towards another network,
> the firewall will not protect machines behind the firewall from each other.
> Perhaps as a result of the built-in switch, packets don't get up to layer 3
> and so the firewall is oblivious to inter-LAN packet traffic.
>
> It would be nice to be able to restrict some LAN clients from talking to
> each other, perhaps by layer 3 filtering. For example, it may make sense to
> prohibit the network printer from talking to a web server and vice versa.
>
> Is there away to force/make it easier for the firewall to inspect inter-LAN
> packets. Perhaps examining packets at layer 2 could capture this.
>
> I understand that one solution would be to install a local firewall on each
> machine.
>
> This is just a general question, so that I might better understand the area
> of "inter-LAN" protection.
>
> While it may be possible to have a firewall to not just protect traffic from
> Internet to LAN and LAN to Internet but also LAN to LAN, it may not be a
> practical thing to do.
>
> Any comments or insights are welcomed.
>
> regards,
> Will.
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>


------------------------------

Message: 2
Date: Tue, 26 Jan 2010 20:47:30 -0700
From: Eric Gearhart <eric@nixwizard.net>
Subject: Re: [fw-wiz] Is it possible to control access between clients
on same LAN with a firewall?
To: wfitzgerald@4c.ucc.ie, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<5792267e1001261947p4210d721g3423e004160f9c8e@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Mon, Jan 25, 2010 at 9:21 AM, William Fitzgerald
<wfitzgerald@4c.ucc.ie> wrote:
>
> I was just wondering how people control access amongst machines on the same
> subnet (LAN) that are protected by the same firewall.
>
> In my case, the firewall is a home router (WRT54G) running DD-WRT, so
> iptables is the firewall there.
>
> Presumably as with all firewalls, once a packet is not being sent to the
> firewall itself or forwarded through the firewall towards another network,
> the firewall will not protect machines behind the firewall from each other.
> Perhaps as a result of the built-in switch, packets don't get up to layer 3
> and so the firewall is oblivious to inter-LAN packet traffic.
>
> It would be nice to be able to restrict some LAN clients from talking to
> each other, perhaps by layer 3 filtering. For example, it may make sense to
> prohibit the network printer from talking to a web server and vice versa.


You sound like you might already know this, but I may as well
summarize it for the audience. Normally in "production networks" you
separate different servers on a network based on their purpose... for
example, application servers go into an "application VLAN," database
servers go into a "database VLAN," and publicly accessible servers go
in their own separate DMZ (preferably they also hang off their own
separate "DMZ" firewall appliance as well...)

I know that's a lot of "overarchitecting" for what you need, but your
DD-WRT does support breaking interfaces into separate VLANs, and the
ports on the DD-WRT effectively can become separate layer-3 switches
by doing this. With some creative config you could build a network
that was segregated as you described... if you're interested in
implementing this post back to the list... I use DD-WRT at the house
myself and maybe I can help

The only other way of doing this would be to setup something such as
Snort and have Snort listen on each port of the DD-WRT and do active
IDS, where traffic that was deemed "bad" would have a TCP reset
inserted into the session streams on each side of the TCP
connection... but I think that's a bit much to ask of the poor little
WRT54G's resources

By the way I have several WRT54Gs running DD-WRT and they work
great... I've never had a problem with them

--
Eric


------------------------------

Message: 3
Date: Tue, 26 Jan 2010 16:14:20 -0500
From: "Mark" <firewalladmin@bellsouth.net>
Subject: Re: [fw-wiz] Is it possible to control access between clients
on same LAN with a firewall?
To: <wfitzgerald@4c.ucc.ie>, "'Firewall Wizards Security Mailing
List'" <firewall-wizards@listserv.icsalabs.com>
Message-ID: <000901ca9ecc$881efe50$090aa8c0@357magnum>
Content-Type: text/plain; charset="us-ascii"

Will:

The issue here is that computers on the same LAN do not forward packets to
the default gateway (your firewall), but use ARP and layer 2 to communicate.
The firewall never even pays attention to this traffic. The fact that the
firewall and switch are occupying the same physical device (your WRT54G)
makes no nevermind (as we say in the south). Even if you could make your
firewall filter the traffic, in essence you would be creating a situation
where your packets do a U-turn at the firewall, (I believe there is a term
for this, something like inter-LAN forwarding) which is not a good idea IMO
and can open you up to spoofing attacks from the outside.

As you surmised, the best way to restrict traffic on the same LAN is via
personal firewalls. However, there are other (usually more complicated)
ways. IPSec filtering is one option, linux has used solutions like TCP
Wrappers and miscellaneous config files for specific services like FTP,
Apache, ssh, etc.

This is just my 2 cents. Hopefully some of the more seasoned veterans on
this list can give you a better answer.

V/R

Mark

-----Original Message-----
From: firewall-wizards-bounces@listserv.icsalabs.com
[mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of William
Fitzgerald
Sent: Monday, January 25, 2010 11:22 AM
To: firewall-wizards@listserv.cybertrust.com
Subject: [fw-wiz] Is it possible to control access between clients on same
LAN with a firewall?

Dear all,

I was just wondering how people control access amongst machines on the
same subnet (LAN) that are protected by the same firewall.

In my case, the firewall is a home router (WRT54G) running DD-WRT, so
iptables is the firewall there.

Presumably as with all firewalls, once a packet is not being sent to the
firewall itself or forwarded through the firewall towards another
network, the firewall will not protect machines behind the firewall from
each other. Perhaps as a result of the built-in switch, packets don't
get up to layer 3 and so the firewall is oblivious to inter-LAN packet
traffic.

It would be nice to be able to restrict some LAN clients from talking to
each other, perhaps by layer 3 filtering. For example, it may make sense
to prohibit the network printer from talking to a web server and vice versa.

Is there away to force/make it easier for the firewall to inspect
inter-LAN packets. Perhaps examining packets at layer 2 could capture this.

I understand that one solution would be to install a local firewall on
each machine.

This is just a general question, so that I might better understand the
area of "inter-LAN" protection.

While it may be possible to have a firewall to not just protect traffic
from Internet to LAN and LAN to Internet but also LAN to LAN, it may not
be a practical thing to do.

Any comments or insights are welcomed.

regards,
Will.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


------------------------------

Message: 4
Date: Tue, 26 Jan 2010 07:04:14 -0500
From: Paul Melson <pmelson@gmail.com>
Subject: Re: [fw-wiz] Is it possible to control access between clients
on same LAN with a firewall?
To: wfitzgerald@4c.ucc.ie, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Cc: firewall-wizards@listserv.cybertrust.com
Message-ID:
<40ecb01f1001260404h2a868faela811a6842cb67e29@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Mon, Jan 25, 2010 at 11:21 AM, William Fitzgerald
<wfitzgerald@4c.ucc.ie> wrote:
> I was just wondering how people control access amongst machines on the same
> subnet (LAN) that are protected by the same firewall.
>
> In my case, the firewall is a home router (WRT54G) running DD-WRT, so
> iptables is the firewall there.

With DD-WRT you can assign a different VLAN to each interface of the
router and then use iptables rules to manage traffic between devices.
This requires either a high degree of customization of your router or
the use of static IP addressing on some of the VLANs. Which for a
home network may not be so bad. Keep in mind that if you uplink other
switches to the router that the firewall cannot protect two devices
connected to that switch from each other. This also applies to
wireless devices connected to the router.

The way I would solve this problem in a larger network would be to use
the switching infrastructure to force communication to the router
(firewall) and not allow local subnet communication. Cisco calls this
Private VLANs, and they are great for use on DMZ networks where its
important that communication between hosts on that network be
restricted and monitored. More on that here:

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml

PaulM


------------------------------

Message: 5
Date: Tue, 26 Jan 2010 00:16:04 -0600
From: K K <kkadow@gmail.com>
Subject: Re: [fw-wiz] Is it possible to control access between clients
on same LAN with a firewall?
To: wfitzgerald@4c.ucc.ie, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>,
firewall-wizards@listserv.cybertrust.com
Message-ID:
<dc718edc1001252216v46a11831p1417d0b1f3f5ba82@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Yes.
The most transparent (to the host) technique is what Cisco calls
"private VLAN", see:
http://en.wikipedia.org/wiki/Private_VLAN

There are other approaches to get the same results, all require either
a firewall with lots of interfaces (real or virtual) or a very smart
switch.

Kevin

On 1/25/10, William Fitzgerald <wfitzgerald@4c.ucc.ie> wrote:
> Dear all,
>
> I was just wondering how people control access amongst machines on the
> same subnet (LAN) that are protected by the same firewall.
>
> In my case, the firewall is a home router (WRT54G) running DD-WRT, so
> iptables is the firewall there.
>
> Presumably as with all firewalls, once a packet is not being sent to the
> firewall itself or forwarded through the firewall towards another
> network, the firewall will not protect machines behind the firewall from
> each other. Perhaps as a result of the built-in switch, packets don't
> get up to layer 3 and so the firewall is oblivious to inter-LAN packet
> traffic.
>
> It would be nice to be able to restrict some LAN clients from talking to
> each other, perhaps by layer 3 filtering. For example, it may make sense
> to prohibit the network printer from talking to a web server and vice versa.
>
> Is there away to force/make it easier for the firewall to inspect
> inter-LAN packets. Perhaps examining packets at layer 2 could capture this.
>
> I understand that one solution would be to install a local firewall on
> each machine.
>
> This is just a general question, so that I might better understand the
> area of "inter-LAN" protection.
>
> While it may be possible to have a firewall to not just protect traffic
> from Internet to LAN and LAN to Internet but also LAN to LAN, it may not
> be a practical thing to do.
>
> Any comments or insights are welcomed.
>
> regards,
> Will.
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>

--
Sent from my mobile device


------------------------------

Message: 6
Date: Tue, 26 Jan 2010 07:09:46 -0800 (PST)
From: Will Brickles <wbricks@yahoo.com>
Subject: Re: [fw-wiz] Is it possible to control access between clients
on same LAN with a firewall?
To: wfitzgerald@4c.ucc.ie, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <480055.6600.qm@web30403.mail.mud.yahoo.com>
Content-Type: text/plain; charset="iso-8859-1"

Using DD-WRT, what comes to mind immediately is to put your devices into separate VLANs and then use iptables to restrict traffic between the VLANs. I don't know how flexible DD-WRT is when it comes to VLANs, but it might be your best bet on such a platform. A configuration guide for VLANs I came across is at http://www.dd-wrt.com/phpBB2/viewtopic.php?t=1160 - it sounds as if you are already familiar with iptables.

Using other (much more expensive) platforms, you have other options - for example using private VLANs, protected ports, "transparent" firewalls, etc.

Will Brickles


________________________________
From: William Fitzgerald <wfitzgerald@4c.ucc.ie>
To: firewall-wizards@listserv.cybertrust.com
Sent: Mon, January 25, 2010 9:21:59 AM
Subject: [fw-wiz] Is it possible to control access between clients on same LAN with a firewall?

Dear all,

I was just wondering how people control access amongst machines on the same subnet (LAN) that are protected by the same firewall.

In my case, the firewall is a home router (WRT54G) running DD-WRT, so iptables is the firewall there.

Presumably as with all firewalls, once a packet is not being sent to the firewall itself or forwarded through the firewall towards another network, the firewall will not protect machines behind the firewall from each other. Perhaps as a result of the built-in switch, packets don't get up to layer 3 and so the firewall is oblivious to inter-LAN packet traffic.

It would be nice to be able to restrict some LAN clients from talking to each other, perhaps by layer 3 filtering. For example, it may make sense to prohibit the network printer from talking to a web server and vice versa.

Is there away to force/make it easier for the firewall to inspect inter-LAN packets. Perhaps examining packets at layer 2 could capture this.

I understand that one solution would be to install a local firewall on each machine.

This is just a general question, so that I might better understand the area of "inter-LAN" protection.

While it may be possible to have a firewall to not just protect traffic from Internet to LAN and LAN to Internet but also LAN to LAN, it may not be a practical thing to do.

Any comments or insights are welcomed.

regards,
Will.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20100126/fd3fed09/attachment.html>

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 45, Issue 11
************************************************

No comments:

Post a Comment