
is expressed as a list of the AS numbers on the path. Routing loops are reliably detected, as the routers check the path and discard any routes already including their own AS.

Neighbouring routers connect to each other using a TCP session and periodically check whether the peers are still alive. If a link fails, they select a replacement route - if there is one left - for networks that were previously reached over the failed router. When the routes change, the router must announce an UPDATE message to its peers. If the update influences their routes, they need to further distribute the new routes they are using.

Routing decisions in BGP are not made according to the technically best solution (the fastest connection) but based on economic criteria. The routers are configured by policies describing whether they forward traffic to certain destinations or not. The distance is measured only by the number of ASes to traverse. The size of an AS can vary a lot, but is not taken into consideration by BGP. The same holds true for the bandwidths of links, which are also ignored. As each router announces only the best route to its peers, load balancing is not possible. Announcing alternative routes could also speed up recovery when a change has to be made. On the other hand, the size of the routing table is already a problem without the additional information of alternative routes. Every router has to have information on all routes. Although link aggregation is used to merge paths based on the same IP address prefix, an Internet BGP router currently has to know about 200’000 routes, and the number is growing fast.

For BGP configuration, there are a couple of settings that must be considered. Of course, each router needs to know which AS it belongs to. Because BGP is a backbone protocol, it would not be acceptable to have routers spontaneously setting up links to routers they have detected. Thus, information about neighbouring routers and routers belonging to the same AS is provided manually. Parameters to tune route distribution and weighting are implementation-specific.

BGP is not restricted to inter-AS communication. Very large networks can also make use of BGP to connect several network areas, which might run OSPF or another protocol internally.
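The selection behaviour described above (AS_PATH loop detection, shortest AS path after policy, replacement routes after a link failure) as an added Python model; this is illustrative code, not from the thesis or any BGP implementation, and the per-peer preference table standing in for the router's policy is an assumption.

```python
from dataclasses import dataclass


@dataclass
class Route:
    prefix: str     # destination network, e.g. "192.0.2.0/24"
    as_path: list   # ASes to traverse, nearest first, origin AS last
    peer: str       # neighbouring router the route was learned from


class BgpSpeaker:
    """Router of one AS, keeping one candidate route per peer and prefix."""

    def __init__(self, asn, local_pref=None):
        self.asn = asn
        # assumed policy (economic criterion): preference per peer, checked before path length
        self.local_pref = local_pref or {}
        self.rib = {}  # prefix -> {peer: Route}

    def receive_update(self, peer, prefix, as_path):
        """Handle an UPDATE from peer; returns False if the path already contains our AS."""
        if self.asn in as_path:          # routing loop: discard the route
            return False
        self.rib.setdefault(prefix, {})[peer] = Route(prefix, list(as_path), peer)
        return True

    def peer_down(self, peer):
        """Link to peer failed: forget its routes and return the prefixes that changed."""
        affected = []
        for prefix, routes in self.rib.items():
            if routes.pop(peer, None) is not None:
                affected.append(prefix)
        return affected   # for each, announce() now yields the replacement route (or None)

    def best_route(self, prefix):
        routes = self.rib.get(prefix, {})
        if not routes:
            return None
        # highest local preference, then fewest ASes; bandwidth and AS size play no role
        return min(routes.values(), key=lambda r: (-self.local_pref.get(r.peer, 100),
                                                   len(r.as_path), r.peer))

    def announce(self, prefix):
        """AS_PATH advertised to peers: our own AS prepended to the single best route."""
        best = self.best_route(prefix)
        return None if best is None else [self.asn] + best.as_path
```

Because only the best route is announced, a peer learns the replacement path only after the failure has been processed here, which is the recovery delay the text mentions.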

3.4 Packet Filtering

A network has to be protected from unwanted traffic and there should be limits set for the kind of data leaving it. In analogy to buildings, where special walls are built to prevent a fire from spreading unhindered, the term firewall is also used for means of avoiding uncontrolled data flows. Both the software doing the filtering and the concept of rules defining what data should be filtered are sometimes called firewalls. To add to the confusion, there exists dedicated hardware for protecting the network. Such devices are sometimes called hardware firewalls, while firewall applications running on general purpose computers are called software firewalls. Dedicated hardware is more secure because no other service runs on it, reducing the potential vulnerabilities. However, the distinction between hardware and software firewalls is not important from the conceptual point of view. The actual filtering is always done by some kind of software, and this software always runs on hardware. In this thesis, ‘firewall’ denotes a device that filters network traffic, regardless of whether it is a dedicated device or not.

Firewalls are usually placed at the border between two different zones of trust. Any extraneous traffic is an unnecessary risk, because it could trigger harmful effects. Attackers could glimpse information about the network to plan their strategy. Forged packets can sometimes cause applications to break or even open a hole by which the system can be entered. Outgoing traffic is limited to control which stations may have access to the Internet and to limit the damage in the case of a successful intrusion. The aim of a firewall is to limit as much of the traffic as possible while still keeping the network usable. Traffic is usually controlled by looking at the packets passing the firewall and deciding whether to forward or drop them, hence the name packet filtering. This can happen on different layers of the network. On the network layer, individual packets can be controlled, based on IP header properties like addresses, ports or flags. Information from adjacent layers can also be taken into account. The data link layer provides Ethernet MAC addresses. In the transport layer, information about the state of connections is used to decide whether a packet is expected or not. This is called stateful inspection, because the firewall looks at the state of a TCP connection, or logs information about a UDP communication. As the packets are not assembled in packet filtering, the payload cannot be checked.

28 CHAPTER 3. NETWORK SERVICES

to certain web pages can be restricted, or emails containing certain keywords can be filtered out. Application layer firewalls do not forward packets, but assemble messages. If the rules allow a client to perform a given action, the proxy opens new connections on its own, forwards requests and sends the responses back. Since proxies must analyse the contents of the communication, they need to understand the protocol. There is usually a separate application for each protocol that must be supported. The remainder of this section will focus on packet filtering and not discuss application proxies.

Some packet filters run on the same machine they are supposed to protect. They filter only the traffic between the local machine and the network. This concept is usually called personal firewall [Cheswick et al., 2003]. The advantage of personal firewalls is the possibility of direct interaction with the user and the option of controlling which application initiates network connections, thus allowing for more precise filtering. The drawback is that if the personal firewall is flawed, an attacker directly gains access to the protected machine, providing less security than a separate firewall device. This kind of firewall is typically configured in a dynamic process between the user and the firewall application. The Verinec project does not address personal firewalls specifically. A classical firewall concept is assumed: a separate machine with (at least) two interfaces decides for each packet whether to forward it or not. Filters for traffic addressed to the local machine or originating from the machine can also be specified.

3.4.1 Netfilter

In the Linux world, the most common packet filter is the Netfilter framework [Welte et al., 2006]. It has been part of the Linux kernel since version 2.4. The visible front end of it is the command line program iptables. This framework uses a concise concept to handle the different flows of packets and thus exemplifies the operation of a firewall. Besides packet filtering, Netfilter is also capable of manipulating packets, a feature called mangling, for example to do Network Address Translation (NAT). This section is focused solely on packet filtering.

The Netfilter framework handles packets in different tables. There is a table for filtering, called the ‘filter’ table. The other predefined ones are ‘nat’ and ‘mangle’. Every table contains chains grouping individual rules. The table decides for each packet which chain to use. In the filter table, there are three built-in chains, providing the entry points for processing. They are named:

INPUT: Packets addressed to this machine.

OUTPUT: Packets sent from this machine to the network.

FORWARD: Packets received from the network, but addressed to some other machine.

It is possible to add custom chains which can be called upon match of a rule instead of simply applying one of the default actions. Custom chains allow isolating a sequence of rules to be used from different chains. Together with the RETURN action, custom chains allow the implementation of a kind of function call mechanism for packet filtering.

By default a chain is empty and its policy is to let all packets pass. The chains need to be filled with an ordered list of rules before they actually do anything. When a packet needs to pass a chain, it is checked against each rule in that table. A rule specifies tests and a target to use if the test is successful. Typical tests are destination or source IP, receiving network interface or whether properties like bits in the header are set or not.

Each rule consists of the following elements:

target: Target or chain to jump to if the rule criteria match.

prot: Protocol the packet must use to match the rule.

opt: Options for the packet, for example whether it is fragmented or not.

in: Interface on which the packet has to be received.

out: Interface from which the packet is going to be sent.

source: Source IP address of the packet.
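The chain mechanism described in this section (built-in chains with a default policy, ordered rules made of tests and a target, custom chains entered on a match and left again with RETURN) as an added Python model; this is illustrative code, not Netfilter's or the thesis's, and the constructed ruleset, addresses and the `state`/`dport` test names are assumptions.

```python
class FilterTable:
    BUILTIN = ("INPUT", "OUTPUT", "FORWARD")

    def __init__(self, local_ip):
        self.local_ip = local_ip
        self.chains = {c: [] for c in self.BUILTIN}        # chain name -> ordered rules
        self.policy = {c: "ACCEPT" for c in self.BUILTIN}  # default: let everything pass

    def new_chain(self, name): self.chains[name] = []

    def append(self, chain, target, tests=None):
        """Add a rule: every test must match the packet for the target to be taken."""
        self.chains[chain].append((tests or {}, target))

    def entry_chain(self, pkt):
        """The table picks the built-in chain from the packet's addresses."""
        if pkt["dest"] == self.local_ip: return "INPUT"
        if pkt["source"] == self.local_ip: return "OUTPUT"
        return "FORWARD"

    def _walk(self, chain, pkt):
        """Return ACCEPT/DROP, or None when the chain ends or RETURNs to its caller."""
        for tests, target in self.chains[chain]:
            if not all(pkt.get(k) == v for k, v in tests.items()):
                continue
            if target == "RETURN":
                return None
            if target in ("ACCEPT", "DROP"):
                return target
            verdict = self._walk(target, pkt)   # jump into a custom chain (function call)
            if verdict is not None:
                return verdict                  # no verdict there: continue with next rule
        return None

    def verdict(self, pkt):
        chain = self.entry_chain(pkt)
        return self._walk(chain, pkt) or self.policy[chain]   # fall-through -> policy


def example_table():
    """Constructed ruleset: LAN (eth1) may only reach the web; replies return via state."""
    fw = FilterTable(local_ip="192.0.2.1")
    fw.policy["FORWARD"] = "DROP"
    fw.new_chain("lan_out")
    fw.append("lan_out", "ACCEPT", {"prot": "tcp", "dport": 80})
    fw.append("lan_out", "RETURN")                    # anything else: back to FORWARD
    fw.append("FORWARD", "lan_out", {"in": "eth1"})
    fw.append("FORWARD", "ACCEPT", {"in": "eth0", "state": "ESTABLISHED"})
    return fw
```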
