Zorp and KZorp: Integrating Packet Filtering and Userspace proxying - - PowerPoint PPT Presentation



SLIDE 1

www.balabit.com

Zorp and KZorp: Integrating Packet Filtering and Userspace proxying

Balázs Scheidler <bazsi@balabit.com>

SLIDE 2

Zorp

Established in 2000 as the first BalaBit product; the code was GPL'd right from the start:

  • Initial set of proxies and the Zorp Core
  • Transparent Proxying (finally merged in 2008 after a few incarnations)
  • OS integration tools

Used as a part of our solutions, and embedded in our Firewall product. We reinforced our open source efforts in 2013:

  • published more of the code and
  • further integration into upstream projects

SLIDE 3

Trends on Our Internet

  • Internet access is ubiquitous (mobile phones, tablets, WiFi everywhere)
  • Mobile apps rely on the availability of the Internet (the "cloud")
  • Traditional network boundaries became fuzzy, as we carry our devices around

SLIDE 4

Consequences

  • IP addresses are not static anymore (CDNs, distributed services, …)
  • Everything talks HTTP, not just browsers, so L7 protocols are not distinctive anymore
  • More & more things talk HTTPS (fortunately!), which is completely opaque to most firewalls
  • Extensions to HTTP like WebSockets & WebRTC
  • The complexity of browsers and apps (that use HTTP) represents an ever growing attack surface

SLIDE 5

Traditional Firewall Approach

  • Internal & external networks (+ DMZ)
  • Shielding clients/servers at the perimeter
  • Filter based on direction of connection, IP addresses, ports
  • Protect network stacks against implementation errors (synflood, ISN problems, source routing, Xmas, DoS, ...)

SLIDE 6

Challenges

  • The user-visible services to be controlled all use HTTP: chatting on Facebook vs. Google Search vs. Online Banking vs. Windows Update
  • And their IP addresses are changing all the time
  • Direction of the connection is not really relevant anymore
  • Network stacks became much better wrt implementation errors, and their effect is more limited
  • Attacks move higher up in the stack

SLIDE 7

To provide any meaningful control, a peek into the L7 traffic is needed, sometimes even complete proxying.

SLIDE 8

Use best of Both Worlds!

Use hybrids. Multiple levels of processing:

  • Packet filtering
  • Circuit level gateways (e.g. synproxy)
  • Protocol aware L7 proxying
  • Application specific (e.g. Facebook), where you need to exert more control

SLIDE 9

In order to make it usable, it has to be easy to switch between Processing Levels

SLIDE 10

With iptables/nft...

It's a bit difficult:

  • Multiple rules/tables to achieve the same effect
  • Iterative evaluation
  • Switching a PF rule to proxying can mean changing a number of rules
  • A bit low-level

SLIDE 11

Making it easy to switch

Make it trivial to direct the firewall to do one or the other, without inflicting changes on the ruleset

  • e.g. create a rule for online banking, or Windows Update

Make it possible to switch between processing levels based on a runtime decision

  • e.g. SSL certificates, SNI, etc

SLIDE 12

We wanted to make the "service" be the focus

SLIDE 13

Service

Conditions and selectors are like in a firewall:

  • IP addresses (ipv4 or ipv6)
  • Ports
  • Interface
  • Zones (set of IP addresses)
  • VPN connection
  • Authentication information
  • ...

SLIDE 14

Key difference: best match, instead of iterative evaluation

SLIDE 15

Zorp Configuration Model

Zones (set of IP addresses, but also DNS names). Service selection based on Best Match:

  • Integrating many sources of information into the condition part (interface, IP, ports, VPN, authentication, …)

Actions include:

  • Forward via packet filter
  • Forward via Proxy
  • Drop

Lookup based instead of iterative
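As an added example (not code from the slides, Zorp or KZorp), the following Python sketch contrasts iptables-style first-match evaluation with the best-match lookup described on slides 11, 14 and 15: a rule for online banking or an SNI-based rule appended to the ruleset takes effect without touching the existing rules. The zone ranges, rule fields and specificity ranking are constructed assumptions of the sketch.

```python
"""Best-match service selection in a minimal model (slides 11, 14, 15). Constructed
example, not Zorp's or KZorp's code; zone data, rule fields and ranking are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Zones are sets of IP networks (constructed sample ranges; DNS-name zones omitted).
ZONES = {
    "intranet": [ip_network("10.1.0.0/16")],
    "bank":     [ip_network("198.51.100.0/24")],   # online banking servers
    "internet": [ip_network("0.0.0.0/0")],
}

def zone_of(addr: str) -> str:
    """Zone of an address: the longest prefix that contains it wins."""
    ip = ip_address(addr)
    hits = [(n.prefixlen, z) for z, nets in ZONES.items() for n in nets if ip in n]
    return max(hits)[1] if hits else "internet"

@dataclass(frozen=True)
class Rule:
    service: str                    # action plus service name, e.g. "pf:forward"
    src_zone: Optional[str] = None  # unset selectors (None) match anything
    dst_zone: Optional[str] = None
    dst_port: Optional[int] = None
    sni: Optional[str] = None       # runtime decision taken from the TLS ClientHello

    def matches(self, conn: dict) -> bool:
        got = (zone_of(conn["src"]), zone_of(conn["dst"]), conn["dport"], conn.get("sni"))
        want = (self.src_zone, self.dst_zone, self.dst_port, self.sni)
        return all(w is None or w == g for w, g in zip(want, got))

    def specificity(self) -> int:
        return sum(f is not None for f in (self.src_zone, self.dst_zone, self.dst_port, self.sni))

def first_match(rules, conn) -> str:
    """iptables-style iterative evaluation: the first matching rule decides."""
    return next((r.service for r in rules if r.matches(conn)), "drop")

def best_match(rules, conn) -> str:
    """Zorp-style lookup: the most specific matching rule wins, whatever its position.
    Ties fall to the earlier rule here (an assumption of this sketch)."""
    hits = [r for r in rules if r.matches(conn)]
    return max(hits, key=Rule.specificity).service if hits else "drop"

RULES = [
    Rule("proxy:http", src_zone="intranet", dst_port=80),
    Rule("proxy:https_mitm", src_zone="intranet", dst_port=443),
    # Added later for online banking and Windows Update: no existing rule changes.
    Rule("pf:forward", src_zone="intranet", dst_zone="bank", dst_port=443),
    Rule("pf:forward", src_zone="intranet", dst_port=443, sni="update.example"),
]
```

With first-match evaluation the appended banking rule is shadowed by the earlier HTTPS rule and the ruleset would have to be reordered; with best match the more specific rule is selected regardless of order.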

SLIDE 16

Architecture

Layers, from the kernel up:

  • Netfilter (conntrack, nat)
  • KZorp (best match)
  • kzorpd (userspace integration)
  • Zorp (proxies)
  • Policy & customization (Python)

SLIDE 17

Use cases

  • Zones based on DNS name (e.g. a rule for gmail.com, whatever IP that means)
  • Easily add a custom rule for online banking, without affecting the rest of the ruleset
  • MITM for SSL encrypted HTTPS sessions, fall back to PF (or kernel level proxying) based on SNI
  • API call inspection/alteration: transparently encrypt Google Calendar data

SLIDE 18

Zorp Features

  • Proxies for a number of widespread protocols (HTTP, FTP, …)
  • Transparent at L3, L2 is possible
  • Customizable, programmable from Python
  • Handing over payload to further processing (virus scanning, DLP, etc)

SLIDE 19

Ongoing Work

  • Separating & generalizing the KZorp component
  • Merging as much of this to the kernel as possible
  • Decouple Zorp from Python, and make that optional
  • Maintaining Zorp in distributions (Debian, OpenWRT)

SLIDE 20

Questions?

Zorp Tutorial: http://zorp-gpl-tutorial.readthedocs.org/en/latest/
Zorp Homepage: http://bit.ly/1mx4gnW
Reach the authors: zorp@lists.balabit.hu
Github: http://github.com/balabit