1 of 69

Virtual Private Networks and Firewalls

CMPT 471: Networking II

VPN: Use Cases

  • Protect yourself from hackers in untrustworthy Wi-Fi hotspots
  • Bypass geographic restrictions
  • Bypass egress filtering at firewalls
  • Extend a private network (e.g., enterprise, home, etc.)

Many VPN Options

Motivation

  • An enterprise grows → it opens sites in different geographical regions
    • → it would like to provide a single private network across all sites
  • Employees need to access resources while traveling or at home

[Figure: Region 1, Region 2, Region 3 and Region 4 connected through the Internet; they should act as a single private network]

Old Solution

  • Lease/own dedicated links between sites
  • Drawbacks:
    • Expensive
    • Not flexible

[Figure: Region 1, Region 2, Region 3 and Region 4 joined by dedicated links]

Other Options?

  • Instead, we need to think:
    • of what protection guarantees are made by private networks
    • whether these guarantees are achieved if a host is outside the private network

Guarantees of a Private Network

  • User authenticated
    • Verified identity
  • Content protected
    • Content of communication cannot be seen from the outside
  • Integrity preserved
    • Outsiders cannot inject fake data

What is a VPN?

  • A private network consisting of hosts from both inside and outside
    • Virtual → because this network isn't physically private

[Figure: a Client on the Internet reaches the VPN server of a Private Network over an encrypted link; the VPN server authenticates clients]

What is a VPN?

  • Regardless of whether an application encrypts its data, the IP packets themselves need to be encrypted (including headers)
    • Routers along the path cannot read or modify the encrypted IP headers

[Figure: an IP packet (IP hdr + Payload) from A to B travels as an encrypted IP pkt]

  • Two techniques to implement IP tunneling:
    • IPsec Tunneling (using IPsec Tunnel Mode)
    • TLS (Transport Layer Security) Tunneling

IPsec Tunneling: Tunnel Mode

  • Encrypts the whole IP packet
  • Encapsulates the encrypted IP packet in a new IP packet
  • Operates in kernel space

[Figure: at hosts A and B, the IP layer inside the kernel encrypts the IP pkt and prepends a New IP hdr and an IPsec hdr]

TLS Tunneling

  • VPN-bound IP packets are handled by an application
  • Encrypted using the TLS protocol
  • Operates at the application layer
  • More popular. Why?

[Figure: at hosts A and B, the kernel hands the IP pkt to an Application in user space, which encrypts it and sends it with a New IP hdr and a TCP/UDP hdr]

Overview of TLS VPN

TLS-based VPN

[Figure: host A in one Private Network sends the original pkt A→B; the VPN Client encrypts it and carries it through the TLS Tunnel behind a New hdr; the VPN Server decrypts it and releases the original IP hdr + Payload into the Private Network of host B]

Three steps:

  1. Creating the TLS Tunnel
  2. Forwarding IP packets
  3. Releasing IP packets

Creating a Tunnel

  • This is a TLS channel
  • It is built on top of a transport-layer protocol
  • Before creating a channel, mutual authentication is needed:
    • Server authenticates client: e.g., using passwords
    • Client authenticates server: e.g., using certificates

[Figure: step 1, the TLS Tunnel between the VPN Client and the VPN Server]

Forwarding IP Packets

  • The VPN Client needs to receive the whole IP pkt in order to encrypt it
    • Normally the kernel removes the IP and transport headers before handing data to an application
  • How can an application receive the whole pkt (with headers)?
    • Create a TUN/TAP device (a virtual network interface)
    • Modify the routing table: all VPN-bound traffic goes to the new device

[Figure: step 2, at host A the IP hdr + Payload is routed to the TUN/TAP device, which hands it to the VPN Client for the TLS Tunnel]

Releasing IP Packets

  • The VPN Server needs to release the original IP pkt after decrypting it
  • How can an application send the whole pkt (with headers) to the kernel?
    • Same idea as before (create a virtual network interface)

[Figure: step 3, the VPN Server receives the pkt from the TLS Tunnel and writes the IP hdr + Payload to its virtual interface, from where it reaches host B]

TLS VPN Details

Virtual Network Interfaces

  • TUN/TAP virtual interfaces
    • Common on Linux
  • TUN interface:
    • Works at the IP layer
    • Point-to-point is the default
    • Sending a pkt to a TUN interface results in the pkt being delivered to the user-space program
  • TAP interface:
    • Works at the Ethernet layer
    • Can forward IP and other (e.g., ARP) packets

[Figure: an Application reads from a TUN interface attached at the Network Layer, or from a TAP interface attached at the Link Layer; the Physical NIC sits below the Link Layer]

Creating a TUN Interface

    #include <fcntl.h>
    #include <string.h>
    #include <sys/ioctl.h>
    #include <unistd.h>
    #include <linux/if.h>
    #include <linux/if_tun.h>

    int createTunDevice()
    {
        int tunfd;
        struct ifreq ifr;
        memset(&ifr, 0, sizeof(ifr));
        ifr.ifr_flags = IFF_TUN | IFF_NO_PI;   // IFF_TUN: a TUN device; IFF_NO_PI: no additional info sent by the driver
        tunfd = open("/dev/net/tun", O_RDWR);  // create a TUN device
        if (tunfd < 0) return -1;
        if (ioctl(tunfd, TUNSETIFF, &ifr) < 0) {  // register the device with the kernel
            close(tunfd);
            return -1;
        }
        return tunfd;
    }

Configuring the TUN Interface

  • We need to:
    • Specify what network the interface is connected to
    • Assign an IP address to the interface
    • Activate the interface

    $ sudo ifconfig tun0 10.0.7.99/24 up

VPN: Big Picture

[Figure: on the VPN Client, data from apps goes down the protocol stack, routing sends it to tun, the VPN program reads the IP pkt from the TUN and writes it to its socket across the TLS Tunnel; on the VPN Server the reverse path reads the IP pkt from the socket, writes it to the TUN, and routing delivers it to the protocol stack (data to apps) or to other hosts; the two sides use the networks 10.0.7.0/24 and 10.0.8.0/24]

Hosts need to be configured to route traffic to TUN interfaces

Routing Packets

  • Routing is modified by configuring routing tables
    • Traffic destined to 10.0.8.0/24 should be forwarded to tun0

    $ sudo route add -net 10.0.8.0/24 tun0

  • Packets written to tun0 are received by our VPN application
    • They should be forwarded to the TLS tunnel
  • Packets written to the socket are received on the other side

Details of Building a VPN Tunnel

Overview of A Simplified VPN Program

  1. Create a TUN interface
  2. Establish the tunnel with the other end using sockets
  3. Monitor both the TUN and socket interfaces:
    • Data from TUN: encrypt it and send it to the tunnel
    • Data from the socket: decrypt it and send it to TUN

[Figure: TUN → Encrypt → IP Tunnel on the sending side; IP Tunnel → Decrypt → TUN on the receiving side]

Simple VPN Tunnel over UDP (in C)

  • A simple UDP-based tunnel with no encryption
  • The server:
    • Creates its side of the tunnel
    • Creates a socket
    • Binds to a specific port
    • Receives data from the client over the tunnel
  • The client:
    • Creates its side of the tunnel
    • Creates a socket
    • Sends data to the server
  • We present only the details of tunnel creation; the rest is standard socket programming

Monitoring Multiple Connections (File Descriptors)

  • Option #1: create a thread for each fd → inefficient
  • Option #2 (better): I/O multiplexing allows:
    • Examining and blocking on multiple I/O streams
    • Notifying the program whenever any one of the streams is active so that it can process data on that stream
    • Implemented using the select system call
  • We will use the select system call for our VPN

[Figure: one Program monitoring fd0, fd1, fd2, fd3 and fd4]

Monitoring File Descriptors

    while (1) {
        fd_set readFDSet;
        FD_ZERO(&readFDSet);
        FD_SET(sockfd, &readFDSet);   // register the fds to monitor
        FD_SET(tunfd, &readFDSet);
        // IO multiplexing: block until at least one of the fds is readable
        if (select(FD_SETSIZE, &readFDSet, NULL, NULL, NULL) < 0) {
            perror("select");
            break;
        }
        if (FD_ISSET(tunfd, &readFDSet)) tunSelected(tunfd, sockfd);
        if (FD_ISSET(sockfd, &readFDSet)) socketSelected(tunfd, sockfd);
    }

From TUN to Socket

  • When the kernel sends an IP pkt to our VPN program

    void tunSelected(int tunfd, int sockfd) {
        int len;
        char buff[BUFF_SIZE];
        bzero(buff, BUFF_SIZE);
        len = read(tunfd, buff, BUFF_SIZE);   // the whole IP pkt, headers included
        if (len <= 0) return;
        // In the real VPN the pkt is encrypted here before sending
        sendto(sockfd, buff, len, 0, (struct sockaddr *) &peerAddr, sizeof(peerAddr));
    }

[Figure: TUN → Encrypt → IP Tunnel]

From Socket to TUN

  • When our VPN program sends an IP pkt to the kernel

    void socketSelected(int tunfd, int sockfd) {
        int len;
        char buff[BUFF_SIZE];
        bzero(buff, BUFF_SIZE);
        len = recvfrom(sockfd, buff, BUFF_SIZE, 0, NULL, NULL);
        if (len <= 0) return;
        // In the real VPN the pkt is decrypted here before it is handed to the kernel
        write(tunfd, buff, len);
    }

[Figure: IP Tunnel → Decrypt → TUN]
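The select loop and the two forwarding functions above, as an added example that is not the lecture's code: the same TUN→tunnel and tunnel→TUN forwarding runs in user space with a pipe standing in for the TUN device and a UNIX datagram socketpair standing in for the UDP tunnel socket, and a packet whose length disagrees with its IPv4 total-length field is dropped rather than forwarded. The names forward_once, ip_total_length, demo_forward and SAMPLE_PKT, and the sample packet itself, are constructed here.

```c
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

#define BUFF_SIZE 2048

/* IPv4 total-length field (bytes 2-3, network byte order); 0 if not IPv4. */
static size_t ip_total_length(const unsigned char *p, size_t len) {
    if (len < 20 || (p[0] >> 4) != 4) return 0;
    return ((size_t)p[2] << 8) | p[3];
}

/* One iteration of the slides' select() loop: block until the TUN side or the
 * tunnel side is readable, then forward one packet as tunSelected() and
 * socketSelected() do. Returns bytes forwarded, 0 if dropped, -1 on error. */
int forward_once(int tunfd, int sockfd) {
    fd_set readFDSet;
    unsigned char buff[BUFF_SIZE];
    ssize_t len;
    int maxfd = tunfd > sockfd ? tunfd : sockfd;
    FD_ZERO(&readFDSet);
    FD_SET(tunfd, &readFDSet);                 /* register both fds */
    FD_SET(sockfd, &readFDSet);
    if (select(maxfd + 1, &readFDSet, NULL, NULL, NULL) < 0) return -1;
    if (FD_ISSET(tunfd, &readFDSet)) {         /* TUN -> tunnel */
        len = read(tunfd, buff, BUFF_SIZE);    /* whole IP pkt, headers included */
        if (len <= 0) return -1;
        if (ip_total_length(buff, (size_t)len) != (size_t)len) return 0;
        /* a real VPN encrypts here before handing the pkt to the tunnel socket */
        return (int)send(sockfd, buff, (size_t)len, 0);
    }
    if (FD_ISSET(sockfd, &readFDSet)) {        /* tunnel -> TUN */
        len = recv(sockfd, buff, BUFF_SIZE, 0);
        if (len <= 0) return -1;
        if (ip_total_length(buff, (size_t)len) != (size_t)len) return 0;
        /* a real VPN decrypts here before writing the pkt to the kernel via TUN */
        return (int)write(tunfd, buff, (size_t)len);
    }
    return -1;
}

/* Constructed sample: IPv4 header (IHL 5, total length 28, UDP, 10.0.7.99 -> 10.0.8.1) + 8-byte UDP header */
const unsigned char SAMPLE_PKT[28] = {
    0x45, 0, 0, 28, 0, 0, 0, 0, 64, 17, 0, 0,
    10, 0, 7, 99, 10, 0, 8, 1,
    0x04, 0xd2, 0x00, 0x35, 0, 8, 0, 0};

/* Push len bytes of pkt through a fake TUN (pipe) into a fake tunnel (UNIX datagram
 * socketpair): bytes the peer received intact, 0 if dropped as malformed, -1 on error. */
int demo_forward(const unsigned char *pkt, size_t len) {
    int tun[2], tunnel[2], rc = -1;
    unsigned char got[BUFF_SIZE];
    if (pipe(tun) < 0 || socketpair(AF_UNIX, SOCK_DGRAM, 0, tunnel) < 0) return -1;
    if (write(tun[1], pkt, len) == (ssize_t)len) {
        rc = forward_once(tun[0], tunnel[0]);
        if (rc > 0 && (recv(tunnel[1], got, sizeof got, 0) != (ssize_t)len ||
                       memcmp(got, pkt, len) != 0))
            rc = -1;                           /* peer did not get the pkt intact */
    }
    close(tun[0]); close(tun[1]); close(tunnel[0]); close(tunnel[1]);
    return rc;
}
```

The real program uses the TUN fd from createTunDevice() and a UDP socket in place of the pipe and socketpair; the forwarding logic is unchanged.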

Simple Demo of Tunneling using Python

    #!/usr/bin/env python3
    import fcntl
    import struct
    import os
    import time
    from scapy.all import *

    TUNSETIFF = 0x400454ca
    IFF_TUN   = 0x0001
    IFF_TAP   = 0x0002
    IFF_NO_PI = 0x1000

    # Create the tun interface
    tun = os.open("/dev/net/tun", os.O_RDWR)
    ifr = struct.pack('16sH', b'tun%d', IFF_TUN | IFF_NO_PI)
    ifname_bytes = fcntl.ioctl(tun, TUNSETIFF, ifr)

    # Get the interface name (the kernel fills in the %d)
    ifname = ifname_bytes.decode('UTF-8')[:16].strip("\x00")
    print("Interface Name: {}".format(ifname))

    while True:
        # read a packet from tun
        pkt = os.read(tun, 2048)
        if pkt:
            ip = IP(pkt)  # create an IP object using scapy
            # now, we are supposed to encapsulate, encrypt, and send it to the VPN Server
            # instead, we just print it
            print(ip.summary())

Put this code in tun.py and run it:

    $ chmod a+x ./tun.py
    $ sudo ./tun.py

Simple Demo of Tunneling using Python

    sudo ./tun.py                         # create tun0
    ifconfig -a                           # check it exists, but DOWN (in another terminal)
    sudo ifconfig tun0 10.0.2.99/24 up    # assign an IP address to tun0 and bring it up (check the IP address)
    ifconfig -a                           # check again
    sudo route add -net 10.0.8.0/24 tun0  # add a route to the remote network 10.0.8.0/24
    route                                 # check the routing table
    ping 10.0.8.1 -c2                     # ping a host in the 10.0.8.0/24 network (packet should go to tun0)
    ping 10.0.9.1 -c2                     # ping another network: tun0 should not receive it

Firewalls

What is a Firewall?

  • A component that stops unauthorized traffic flowing from one network to another.
    • Often separates trusted and untrusted networks
    • Can be implemented in software, hardware, or as a combination.

[Figure: a Firewall placed between a Protected Network and the outside Network]

Requirements of a Firewall [Bellovin and Cheswick '94]

  • All traffic between two trust zones should pass through a firewall
  • Only authorized traffic, defined by the security policy, should be allowed to pass through
  • The firewall itself must be immune to penetration

Firewall Policy

  • The rules that a firewall enforces.
  • Rule types:
    • User control
    • Service control
    • Direction control

  • User Control
    • Controls access to data based on the user role (Who is accessing the data?)
    • Often used for users within a firewall zone
  • Service Control
    • Access is controlled by the type of service offered by the host protected by the firewall
    • Needs access to network address, port number, protocol, etc.
  • Direction Control
    • Allows traffic based on its direction: inbound or outbound.

Firewall Actions

  • Network packets going through a firewall result in one of three actions:
    • ACCEPTED: Allowed to enter the protected host/network
    • DENIED: Not permitted to access the other side of the firewall
    • REJECTED: Similar to DENIED.
      • But the firewall attempts to tell the source of the packet about its decision.

Ingress and Egress Filtering

  • Firewalls can inspect traffic in both directions.
  • Ingress filtering: inspecting traffic entering the protected network
  • Egress filtering: inspecting traffic leaving the protected network

[Figure: the same Home Network firewall shown filtering incoming traffic and filtering outgoing traffic]

Other Functions

  • Besides protecting a network, a firewall may:
    • rewrite packet headers to route packets between networks
      • i.e., act as a NAT

[Figure: the firewall rewrites a packet's Header and leaves its Payload unchanged]

Types of Firewalls

  • Packet Filtering
    • Most kernels implement the TCP/IP stack
    • Filters are executed in the same address space as the kernel
    • The kernel is in a position to immediately determine the action
    • Can be a stateless or a stateful firewall:
      • Stateless: works on individual packets
      • Stateful: considers the packets of a flow

[Figure: the packet filter sits at the Network and Transport layers of a stack that the end-to-end transport connection passes through unbroken]

Types of Firewalls

  • Application Firewall
    • It is a proxy server
    • Impersonates the intended recipient
    • The connection terminates at the proxy, and another connection starts from the proxy

[Figure: the App. Firewall terminates the external transport connection on one full protocol stack and opens a separate internal transport connection from another]

Packet Filtering Firewalls

netfilter

  • A framework inside the Linux kernel
  • Allows different networking-related functions to be implemented
    • Provides hooks that a program can register with
    • As packets traverse the stack, they trigger the kernel modules that have registered with these hooks

[Figure: inside the kernel, netfilter hooks sit on the INPUT and OUTPUT paths between the Network Drivers and the Network Services used from user space]

Netfilter: Five Hooks

  • A packet triggers kernel modules registered with netfilter hooks
  • The five hooks:
    • NF_IP_PRE_ROUTING: every incoming packet, before the routing decision ("is the pkt destined for this host, or another host?")
    • NF_IP_LOCAL_IN: packets consumed by the host
    • NF_IP_FORWARD: packets routed on to another host
    • NF_IP_LOCAL_OUT: packets generated by the host
    • NF_IP_POST_ROUTING: every outgoing packet, after routing and just before it leaves the host

[Figure: the two routing decisions and the Network Stack with the five hooks placed around them]

netfilter Calling Order

  • Each registered kernel module provides a priority value
    • netfilter calls a kernel module based on its priority
  • Each registered kernel module returns one of these values:
    • NF_ACCEPT: Let the packet go through the stack
    • NF_DROP: Discard the packet
    • NF_QUEUE: Pass the packet to user space
    • NF_STOLEN: Ask netfilter to forget this packet, and move responsibility to the calling module
    • NF_REPEAT: Ask netfilter to call the calling module again

Example: Block Outgoing Telnet Packets

  • Logic (of the hook)

    #include <linux/netfilter.h>
    #include <linux/netfilter_ipv4.h>
    #include <linux/ip.h>
    #include <linux/tcp.h>
    #include <linux/in.h>

    unsigned int telnetFilter(void *priv, struct sk_buff *skb,
                              const struct nf_hook_state *state)
    {
        struct iphdr *iph;
        struct tcphdr *tcph;

        iph = ip_hdr(skb);
        // ihl: IP header length in 32-bit words; the TCP header starts right after the IP header (and its options)
        tcph = (struct tcphdr *)((unsigned char *)iph + iph->ihl * 4);
        if (iph->protocol == IPPROTO_TCP && tcph->dest == htons(23)) {
            return NF_DROP;      // outgoing telnet: discard
        } else {
            return NF_ACCEPT;    // everything else passes
        }
    }

  • Register the hook

    static struct nf_hook_ops telnetFilterHook;

    int setUpFilter(void) {
        telnetFilterHook.hook = telnetFilter;
        telnetFilterHook.hooknum = NF_INET_POST_ROUTING;  // last hook before a packet leaves the host
        telnetFilterHook.pf = PF_INET;                    // IPv4 only
        telnetFilterHook.priority = NF_IP_PRI_FIRST;      // run before other hooks at this point
        // Register the hook (kernels from 4.13 on no longer have nf_register_hook();
        // they use nf_register_net_hook(&init_net, &telnetFilterHook) instead)
        nf_register_hook(&telnetFilterHook);
        return 0;
    }
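The same decision as telnetFilter above, as an added example that is not the lecture's kernel module: it runs in user space on a raw packet buffer (for instance one read from a TUN device) and adds the bounds checks on the IHL and on the buffer length that the in-kernel hook leaves to the network stack, dropping malformed IPv4 packets instead of reading past them. The names telnet_filter and verdict_for, and the packet that verdict_for builds, are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <netinet/in.h>      /* IPPROTO_TCP, IPPROTO_UDP */

#define NF_DROP   0          /* same verdict values as <linux/netfilter.h> */
#define NF_ACCEPT 1

/* Same decision as the slide's telnetFilter(), on a raw IPv4 packet buffer.
 * Extra (defensive) checks: the IHL and the buffer length are validated before
 * the TCP header is located, and malformed IPv4 packets are dropped rather
 * than parsed past the end of the buffer. */
unsigned int telnet_filter(const unsigned char *pkt, size_t len) {
    if (len < 20) return NF_DROP;                      /* shorter than a minimal IPv4 header */
    if ((pkt[0] >> 4) != 4) return NF_ACCEPT;          /* not IPv4: the hook is PF_INET only */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;          /* ihl: IP header length, words -> bytes */
    if (ihl < 20 || len < ihl) return NF_DROP;         /* bogus IHL or truncated IP header */
    if (pkt[9] != IPPROTO_TCP) return NF_ACCEPT;       /* iph->protocol: rule applies to TCP only */
    if (len < ihl + 4) return NF_DROP;                 /* TCP ports would lie past the buffer */
    uint16_t dport = (uint16_t)((pkt[ihl + 2] << 8) | pkt[ihl + 3]);   /* tcph->dest, host order */
    return dport == 23 ? NF_DROP : NF_ACCEPT;          /* block outgoing telnet */
}

/* Build a constructed IPv4 header (ihl_words * 4 bytes, options zeroed) followed
 * by a 20-byte TCP header carrying dport, then run the filter on it. truncate_to,
 * if non-zero, shortens the buffer handed to the filter so a cut-off packet can
 * be tested. Returns the verdict. */
unsigned int verdict_for(uint8_t ihl_words, uint8_t proto, uint16_t dport, size_t truncate_to) {
    unsigned char buf[128];
    if (ihl_words > 15) ihl_words = 15;                    /* IHL is a 4-bit field */
    size_t hdr = (size_t)ihl_words * 4, total = hdr + 20;
    memset(buf, 0, sizeof buf);
    buf[0] = (unsigned char)(0x40 | ihl_words);            /* version 4, IHL */
    buf[2] = (unsigned char)(total >> 8);
    buf[3] = (unsigned char)(total & 0xff);
    buf[8] = 64;                                           /* TTL */
    buf[9] = proto;                                        /* iph->protocol */
    memcpy(buf + 12, "\x0a\x00\x07\x63", 4);               /* src 10.0.7.99 */
    memcpy(buf + 16, "\x0a\x00\x08\x01", 4);               /* dst 10.0.8.1 */
    if (hdr >= 20) {                                       /* TCP header right after the IP options */
        buf[hdr] = 0xc0; buf[hdr + 1] = 0x00;              /* sport 49152 */
        buf[hdr + 2] = (unsigned char)(dport >> 8);
        buf[hdr + 3] = (unsigned char)(dport & 0xff);
    }
    return telnet_filter(buf, truncate_to ? truncate_to : total);
}
```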

iptables

  • iptables:
    • a user-space program that interfaces with netfilter
    • can implement stateless and stateful firewalls
  • An iptables firewall can:
    • filter packets, and
    • make changes to packets.

[Figure: iptables in user space configures the netfilter hooks in the kernel on the INPUT and OUTPUT paths between the Network Drivers and the Network Services]

iptables Structure

  • iptables has a hierarchical structure
    • Table
      • Chain
        • Rule
  • A table reflects the purpose of the rules
  • A chain reflects when a rule is applied
    • At which hook
    • (Recall the five hooks in netfilter)
  • And we can have multiple tables

[Figure: several Tables; each Table holds chains (Chain 1, Chain 2, ...) and each chain holds Rule 1 ... Rule N]

iptables: Built-in Tables

  • iptables has four built-in tables:
    • filter, nat, mangle, raw
    • each table has built-in chains

[Figure: the raw, mangle, nat and filter tables; the filter table's built-in chains INPUT, FORWARD and OUTPUT each hold their rules]

The filter Table

  • Widely used to implement firewalls
  • Implements three chains
    • INPUT: incoming packets
    • FORWARD: packets routed through this machine
    • OUTPUT: outgoing packets

[Figure: the netfilter hooks PRE_ROUTING, LOCAL_IN, FORWARD, LOCAL_OUT and POST_ROUTING around the two routing decisions and the Network Stack]

The nat Table

  • Determines whether and how to modify the source or destination addresses
    • to affect the way a packet is routed
  • Ex: Destination NAT:
    • modify the dst address/port (for incoming packets to the private network)
  • Ex: Source NAT:
    • modify the src address/port (for outgoing packets from the private network)

The mangle Table

  • Used to alter fields in packets
    • E.g., the TTL value
  • Also used to mark packets
    • Other network tools or tables may read this mark to process the packet differently
    • The mark is internal to the kernel (i.e., marking doesn't modify the actual packet)

The raw Table

  • Used to exempt some packets from the stateful firewall (connection tracking)
  • Done by setting the mark called NOTRACK on them

Table/Chain Traversal Order (simplified)

  • For each chain, the tables are consulted in this order (the raw table is omitted here):
    • PREROUTING: mangle → nat
    • INPUT: mangle → nat → filter
    • FORWARD: mangle → filter
    • OUTPUT: mangle → nat → filter
    • POSTROUTING: mangle → nat
  • Path of a packet: an incoming packet goes PREROUTING → routing → INPUT (destined for this host) or FORWARD → POSTROUTING; a packet generated by the Network Stack goes OUTPUT → routing → POSTROUTING

Building a Simple Firewall

  • Requirements
    • Allow SSH, HTTP
    • Allow loopback interface
    • Allow DNS
    • Allow all outgoing traffic
  • Let's call it sFW

Checking Rules

    $ sudo iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

  • No rules yet in any of the three chains!
  • This lists all entries in the filter table; use -t to show other tables
  • To flush the filter table:

    $ sudo iptables -t filter -F

iptables notes:

  • The iptables command must be issued as sudo
  • If -t <table> is not specified → the filter table is used

General format of the command:

Our sFW

    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -A OUTPUT -p tcp -j ACCEPT

Allow SSH, HTTP, and all outgoing TCP

    iptables -A INPUT -p all -i lo -j ACCEPT

Allow loopback interface

    iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
    iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
    iptables -A INPUT -p udp --sport 53 -j ACCEPT
    iptables -A INPUT -p udp --dport 53 -j ACCEPT

Allow DNS

    iptables -P OUTPUT ACCEPT

Allow outgoing traffic

    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

Drop all other traffic

Note:
  -P: Policy
  -p: Protocol

Demo of Simple Firewall

    #!/bin/bash
    # to run this script (sFW.sh):
    ##   chmod a+x sFW.sh
    ##   sudo ./sFW.sh
    ## remember to clean up the rules (run cleanup.sh) after you are done

    # Allow incoming SSH, HTTP and all outgoing TCP
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -A OUTPUT -p tcp -j ACCEPT

    # Allow loopback interface.
    # -I INPUT 1: insert the rule at position 1 (the first position) of the INPUT chain
    # -i lo: the loopback interface
    iptables -I INPUT 1 -i lo -j ACCEPT

    # Allow DNS both ways. -A: appends the rule to the chain
    iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
    iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
    iptables -A INPUT -p udp --dport 53 -j ACCEPT
    iptables -A INPUT -p udp --sport 53 -j ACCEPT

    # Set the default filter policy (-P) to DROP on the three chains.
    # note: rules are applied in order. Thus, the DROP policy applies only if none
    # of the above ACCEPT rules matches.
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

Let us try a few things

    $ sudo iptables -L
    $ sudo iptables -t nat -L
    $ ping -c1 google.com                  # before fw
    $ sudo ./sFW.sh                        # apply rules. Note: they do not allow ICMP
    $ ping -c1 google.com                  # after fw. Should fail
    # add a rule to the FW to allow ICMP
    $ sudo iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
    $ sudo iptables -L
    $ ping -c1 google.com                  # try again, works? No. Why?
    # allow ICMP in the other direction as well
    $ sudo iptables -A OUTPUT -p icmp --icmp-type any -j ACCEPT

The cleanup script (cleanup.sh):

    #!/bin/bash
    # to run this script (cleanup.sh):
    ##   chmod a+x cleanup.sh
    ##   sudo ./cleanup.sh

    # Set all the default policies back to ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT

    # Flush all existing rules
    iptables -F

Restore all default policies:

    $ sudo ./cleanup.sh

Evading Firewalls: Rationale

  • Some firewalls are restrictive
    • E.g., egress filtering may block users from reaching out to certain websites or services
  • Tunneling is the main technique to evade firewalls.
  • Two tunneling mechanisms: SSH tunnels, and VPN

[Figure: the same pkt on the regular route and on the tunneled route]

Summary

  • VPNs (Virtual Private Networks)
    • Extend private networks to include hosts from the outside
    • Implemented using tunneling, either IPsec or TLS (more common)
    • Tunneling principles and operation in Linux
  • Firewalls
    • Packet filtering and application firewalls
    • Linux netfilter
    • Linux iptables