Deconstructing Firewalls

Trevon

$whoami

• Graduate Student
• Lifelong learning
• Lurker
• 49th Security Division
• 49sd.com

This Talk…

What is a Firewall

“A guardian of the digital world, standing between the chaos of the internet and the sanctity of our networks. It is a sentinel of order, enforcing the rules of access and denying entry to those who would do harm.”

​

Types of Firewalls

• Rudimentary packet filter
• Stateful vs. Stateless
• Proxy-based
• Next Generation Firewall

My Personal Favorite (Distributed Firewall)

• Not a new idea
• Distributed Firewalls, Steven Bellovin
• Packet filtering in switches/(between links)
• East-to-West
• Types of Implementations
• Host based
• Network device based
• Linkedin Distributed Firewall

Recapping Concepts

• All firewalls filtering packets
• Features
• Use case

​

Lower Level Packets Filters

• Implementing packets
• BPF (Berkeley packet filter)
• ebpf.io/what-is-ebpf/
• Used in wireshark and TCPDump
• Original BPF paper
• Netfitler
• IPtables
• Libpcap

Higher-Levels of Abstractions

• Software Defined Networking
• Decouples control and data plane
• Open VSwitch
• Manipulation of network packets

What is a Dataplane?

• Responsible for forwarding packets
• Data link networking / networking layer (OSI model)
• Data path
• Programmable ?

Languages Specifically for Programming Dataplanes

• P4
• eBPF
• Berkeley Packet Filter
• FD.io VPP
• Vector Packet Processor

How can we put this all together?

Let's say you wanted to build your own (janky) NGFW

Components

• Intrusions Detection System
• Listener
• eBPF program
• Packet forwarder
• Packet filter
• Python Program
• Point of integration

eBPF Program: Packet Filter

Binding in Python

More Polished Solutions

• Cilium
• https://cilium.io/get-started/
• Calico
• https://docs.tigera.io/calico/latest/about/
• Falco
• https://falco.org/
• Cloudflare Magic Firewall
• https://blog.cloudflare.com/programmable-packet-filtering-with-magic-firewall/

​

​

Research Applications

• Agile Network Security
• Storage Efficient
• Eventually open source

Good References

• Brendan Gregg’s Blog
• BCC github
• Offensive eBPF
• LWN: BPF to Firewalls

Takeaways

• Firewalls can be approachable
• Data plane programmable = affordable solutions ?

​

Around the web

twitter/mastadon : @trevonistrevon

https://trevon.dev