Re: [SLUG] Firewall latency

From: Derek Glidden (dglidden@illusionary.com)
Date: Wed Jul 07 2004 - 14:04:59 EDT


On Jul 7, 2004, at 12:32 PM, Ronan Heffernan wrote:

> I am looking at adding some security (iptables and snort) to my
> network. I have several questions and problem-domains; if anyone has
> answers or experience with this, please pipe up.
>
> * What kind of latency (expressed as ms?) and CPU load (expressed as,
> I dunno, %CPU on a 900MHz Xeon? or other suitable expression) is
> introduced by having IPTables examine packets? Does the penalty scale
> (linearly? geometrically?) with the number of firewall rules? Is the
> latency higher on 100Mbit than 10Mbit? How does the penalty scale-up
> in relation to load/traffic?

There have been a few analyses done on this. A google search should
turn up some pretty good numbers. Suffice to say that you should
easily be able to push 100M through a 900Mhz Xeon if that's all the
answer you're really looking for. When you get to gigabit, then you're
starting to tax current high-end processors.

There's an alternative iptables/netfilter implementation (that I can't
remember the name of) that scales linearly with the number of rules it
uses. The particular example they used compared iptables versus
whatever-it-is-called with 65K rules and showed relative
performance/CPU overhead of each. If you've reached that level of
iptables though, you are probably having more rules management problems
than performance...

> * If snort detects an 'attack' (or portscan, etc.), what is a good way
> to have it create IPTables rules to block attackers?

There are a couple of add-ins for snort that do this. Again, a google
search or checking the snort FAQ/mailing list. They're not especially
robust last time I checked and possibly you might just want to roll
your own depending on if they even support current versions of snort.

One of the issues with doing this sort of thing is that it's difficult
to insert and remove arbitrary rules from iptables tables. For
example, what do you do when you've inserted seventy-three new block
rules into your iptables and the guy whose box got Pwn3d that made rule
#5 get inserted sends you email and asks you to remove it. You have to
manually keep track of which rule is which outside of iptables, or
manually look at the iptables rules to figure out which one to remove.
(i.e. you can't just say "iptables remove host = bar and port = foo";
you have to know the exact rule to remove.)

The other thing that makes this generally a bad idea is that if someone
knows you're doing it, they can easily DoS you by spoofing packets at
your firewall until you can't receive data anymore. This is a fairly
regular subject on the snort-list if you look through the archives.

> * Related to the above question: can I have snort on one IDS box
> reach-out and create the rules on all of my other boxen (I guess SSH
> is a gimme, but is there a more structured protocol for propagating
> these messages?) Yes, this question exposes the fact that my boxen
> are not behind a single firewall. I am trying to avoid an expensive
> firewall (e.g. Cisco 535 = $21k) by running IPTables on each of the 6
> machines that need to be protected.

See above re: snort stuff. roll-your-own can do anything you want it
to. :)

Also, why wouldn't you just buy an inexpensive box to run as a linux
iptables firewall since you're planning on using iptables anyway
instead of buying some expensive firewall appliance or running iptables
on each box?

(There is just no reason to buy commercial firewall appliances anymore.
They absolutely aren't worth what you pay compared to just building
a linux or openbsd box, especially when you want to start doing things
like plugging the IDS into it and enabling IPSEC and get hit with even
more licen$es and annual $upport contract$ and....)

> * Isn't Windows naturally more secure? (Sorry, that one is just
> flamebait tossed-in for entertainment value!)

um, shut up?

:)

> * Do I need to merge various snort rulesets into my machine
> periodically (on www.snort.org, there is a ~15 line ruleset for
> dealing with NIMDA)? Is there an auto-updating source (well trusted,
> of course) that I can fetch from every day, week, etc?

Again, there are at least a couple of tools for automagically keeping
your snort rules up-to-date that you can probably find on the snort
website. I think oinkmaster is one of the more popular. (Although
that might be something else entirely....) Also at least a couple of
the more popular "snort analysis/management console" type things also
do rules management.

> * Is anyone running a tarpit using the IPTables TARPIT module? It
> sounds like a good idea, what do you think?

See above re: DoS. Depends on what you're trying to do. In general,
Best Practice says to never let your IDS automatically manage your
firewall; you should have an admin with a brain in there somewhere.

snort also has "flexresp" which might be more appropriate for what it
sounds like you're trying to do - it intercepts the TCP stream and
sends a RST packet back to the source for matching rules. This way
only the particular TCP stream is cut off rather than a whole
host/subnet/intarweb, as could conceivably happen if you let snort
manage your iptables rules itself.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"We all enter this world in the | Support Electronic Freedom
same way: naked; screaming; soaked | http://www.eff.org/
in blood. But if you live your | http://www.anti-dmca.org/
life right, that kind of thing |---------------------------
doesn't have to stop there." -- Dana Gould

-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:12:22 EDT
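Added example, not from the post or the thread: the rule-bookkeeping problem Derek describes for IDS-generated blocks, handled by giving those blocks their own chain and recording each rule's exact specification so a single one can be removed with `iptables -D`, plus a never-block list so a spoofed alert cannot make you drop your own addresses. The chain name, state file path, IPTABLES variable and sample address are assumptions; IPTABLES defaults to a dry run that only prints the commands.

```bash
#!/bin/sh
# Added example: keep IDS-triggered blocks in a dedicated chain and record the
# exact rule specification, so a block is removed with "iptables -D <chain> <spec>"
# instead of by hunting for its rule number.
# Assumptions: chain name, state file and IPTABLES are made up for this example;
# IPTABLES defaults to a dry run (prints the commands) so it runs without root.
IPTABLES="${IPTABLES:-echo iptables}"
CHAIN="${CHAIN:-IDS_BLOCK}"
STATE="${STATE:-./ids_block.state}"      # one "ip tag" line per active block
NEVER_BLOCK="${NEVER_BLOCK:-127.0.0.1}"  # addresses a spoofed alert must not take down

# Run once: create the chain and send all inbound traffic through it first.
setup_chain() {
    $IPTABLES -N "$CHAIN"
    $IPTABLES -I INPUT -j "$CHAIN"
    : > "$STATE"
}

# Record the block and append the rule; the tag rides along as a rule comment.
block_host() {
    ip=$1; reason=$2
    for safe in $NEVER_BLOCK; do
        [ "$ip" = "$safe" ] && { echo "refusing to block $ip" >&2; return 1; }
    done
    [ -f "$STATE" ] || : > "$STATE"
    if awk -v ip="$ip" '$1 == ip { found = 1 } END { exit !found }' "$STATE"; then
        echo "$ip already blocked" >&2; return 1
    fi
    tag="ids:$reason"
    $IPTABLES -A "$CHAIN" -s "$ip" -m comment --comment "$tag" -j DROP
    echo "$ip $tag" >> "$STATE"
}

# Delete exactly the rule added for this host, using the spec saved in the state file.
unblock_host() {
    ip=$1
    tag=$(awk -v ip="$ip" '$1 == ip { print $2; exit }' "$STATE")
    [ -n "$tag" ] || { echo "no block recorded for $ip" >&2; return 1; }
    $IPTABLES -D "$CHAIN" -s "$ip" -m comment --comment "$tag" -j DROP
    awk -v ip="$ip" '$1 != ip' "$STATE" > "$STATE.tmp" && mv "$STATE.tmp" "$STATE"
}

# Active blocks, read from the state file rather than parsed out of iptables -L.
list_blocks() { [ -f "$STATE" ] && cat "$STATE"; }
```

Run with `IPTABLES=iptables` (as root) to apply the rules for real; the state file is the only record of what the IDS has added, so back it up with the rest of the firewall configuration.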