
I am interested in setting up a firewall. This is going to include your usual NAT, with port-forwarding for incoming connections.

However I want the outgoing connections to use a whitelist of hostnames. I also want the same device to act as the DNS server that my PCs use so it always knows the latest IP for any hostname on the whitelist when a PC is trying to connect to it.

This can either be Cisco IOS, a recommended alternative, or an actual Illumos or Linux server. I'm thinking that using a server will give me more flexibility, but I'm open to suggestions.

Here's what I want to happen: (outgoing connections, from a user on my network)

  1. The user's PC performs a DNS lookup for a given site (e.g. serverfault.com)

  2. The firewall server compares this to a whitelist of hostnames, and if it is permitted then the resulting IP addresses are passed back to the PC.

  3. If the DNS lookup was allowed, then the IP access list is immediately updated with the most recent results from DNS. (with reasonable expiration)

    • If a PC initiates a connection to an arbitrary IP address, which was not listed on any of the approved DNS responses, then arbitrary packets can be refused.
  4. (optional, but preferable) sniff the TCP connection to verify the hostname of the HTTP or HTTPS connection. In this way, we can prevent accessing a non-whitelisted site that may exist on a shared, whitelisted IP.

I think that I can accomplish items 1-3 with ipfilter, combined with a custom-written DNS server to handle the whitelist, and trigger the additions to ipfilter. Does this sound reasonable, or will there be inevitable issues with ipfilter not recognizing changes immediately? I'm pretty sure ipfilter will work with a Linux/Illumos NAT.

Is there an application for Linux or Illumos that already does DNS-triggered IP whitelisting? (keeps me from re-inventing the wheel)

I've not heard of IOS running a DNS server. Is there a solution in Cisco IOS that handles this? Is there an obvious solution I should know about, or is this simply an unusual firewall setup?

700 Software
  • Do you even understand the DNS lookup process? Your server will not know of every request for your domain's IP and that information is public. – Julie Pelletier Jul 08 '16 at 20:28
  • I totally understand DNS. Perhaps you misunderstand my question. The PCs on my network will use my server as the DNS server in step 1, and thus my server will know of every hostname the PCs on my network are trying to connect to, to make a determination of step 2. – 700 Software Jul 08 '16 at 20:31
  • I posted a related question about [intercepting packets with a high-level language such as Java](http://unix.stackexchange.com/questions/294742/build-my-own-firewall-in-java-or-other-high-level-language). It may be that I accomplish steps 1-3 with `ipfilter` and my own DNS server and then for step 4 I roll my own Packet Filter, but that would be long-term given the level of complexity involved. – 700 Software Jul 08 '16 at 20:53
  • How would that serve at securing your application since all systems use DNS queries to get the IP of a domain name when they don't already know it? – Julie Pelletier Jul 08 '16 at 20:56
  • The purpose of processing all DNS queries is so that I always have the latest IP address (step 3) to whitelist. ServerFault could move back to California for example. I want all IP address updates to be in real-time. So getting these at the point of DNS lookup will ensure that the Firewall gets the news at the same time as the PC. Arbitrary hostname lookups are not allowed because step 2 uses a whitelist of hostnames. – 700 Software Jul 08 '16 at 21:00
  • I'm not securing my application, I'm securing my network, so that viruses cannot 'call home' unless they manage to communicate through one of the whitelisted hosts. – 700 Software Jul 08 '16 at 21:24
  • The question is different, but the answer is effectively the same one that can be found in [this Q&A](http://serverfault.com/a/711126/152073). There is a strong aversion to using firewalls in ways that incorporate changing DNS data (non-deterministic behavior and reliance upon an easily spoofed protocol), and it is unlikely that a solution exists which you will not have to design yourself. Even so, as a DNS professional I would strongly recommend against it. – Andrew B Jul 08 '16 at 21:29
  • @Andrew, If auto-updating access lists via DNS is not recommended, how do network administrators produce a whitelist of hosts, and keep it up to date? Do they use some other solution such as a Proxy? – 700 Software Jul 08 '16 at 21:31
  • Host based whitelists are typically a function of transparent proxies, not firewalls. Firewalls use static lists of IPs and/or networks. If firewalls do accept hostnames as input, they are immediately resolved to IP addresses and stored in memory as such. (never gets resolved again unless the rule is re-inserted) – Andrew B Jul 08 '16 at 21:33
  • Sure, if you're willing to accept that answer. I'll go ahead and submit it as one. – Andrew B Jul 08 '16 at 21:35
  • @Andrew, I would accept that answer just because it is mainstream, and I don't want to use a unique solution (1-4 above) for a common problem. (white-listing hosts) However, I do not understand why DNS updates adjusting Proxy whitelisting is less of an issue than DNS updates adjusting firewall whitelists. It seems that a Proxy and a firewall with sniff features is the same feature implemented at a different level of the networking stack. – 700 Software Jul 08 '16 at 21:41
  • Just to be clear, using a solution like this does absolutely nothing to stop illegitimate traffic egress. You are welcome to ask any of the recent targets about their proxy and firewall configs. What I'd suggest (and do) is use policies on the local machine to only allow my whitelisted executables and scripts to run. When it comes to security, user credential security is the perimeter, not the network. – Jim B Jul 08 '16 at 22:03
  • @Jim, Absolutely nothing? I agree it is not 100% effective, but it's a whole lot better than 0%. I realized that a virus could send data home via Google Docs or posting a question on a forum. However, I'm trying to permit some productive activity on whitelisted sites without blocking them completely. To that end, [I'm considering only allowing GET requests](http://security.stackexchange.com/questions/129599/transparent-proxy-with-whitelist-permit-get-requests-only). I do like your idea though, perhaps I will look into a way to require admin approval before adding executables to the whitelist. – 700 Software Jul 08 '16 at 22:21
  • Seriously, nothing. Zip, zero. You'll end up having to open all the common domains, like everyone else, and causing more headaches for yourself than gaining any security whatsoever. This is very similar to the fiction that NAT is "security". – Jim B Jul 09 '16 at 03:19
  • @Jim *"You'll end up having to open all the common domains"* This is just not true in our case. We have a separated network for that purpose. – 700 Software Jul 09 '16 at 14:27
  • Then don't allow internet access at all. Now this makes even less sense. If you have any internet access at all the vulnerability lies in credential theft, not the network. A firewall is fine as a defense in depth strategy, but will do absolutely nothing against malware getting in or out. That's all endpoint and credential theft mitigations. The best thing you can do is flatten your network, implement ipv6 to remove tunnel attacks and lockdown your workstations so as to not have to worry about malware and cred theft in the first place. – Jim B Jul 09 '16 at 16:22

1 Answer

Per our discussion in the comments, it sounds like you may be confusing the role of a firewall with that of a transparent proxy.

  • Firewalls do not rely upon DNS resolution to implement access policies. There are several reasons for this that I have covered before. The most significant reasons are:

    1. Reliance upon an easily spoofed protocol
    2. Added software complexity and non-deterministic functionality from a given input set (what passes the filter today may not be what passes the filter tomorrow)
    3. Effectively delegating management of the firewall policy to a different device and protocol.
  • Transparent proxies typically intercept HTTP+DNS traffic, and apply access controls based on the hostnames being requested. The IP address is not a consideration at this layer. If the requested entity does not match an allowed name, an error page is returned directly from the transparent proxy itself without routing the request to the intended resource.

The primary difference is the layer at which these devices operate. Since the transparent proxy only has to concern itself with names, and not the IP addresses that those names resolve to, you don't run into the same logic problems that a firewall does.

Andrew B
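To make the layer mismatch in the answer concrete, here is an added Python model (not code from the question or the answer) of the asker's steps 1-3: a hostname whitelist gating DNS resolution, and a TTL-bounded IP list fed by the answers that the egress check consults. The resolver table, hostnames and addresses are constructed stand-ins; the demo also shows why the asker's step 4 is needed, since any other tenant sharing a whitelisted IP is reachable once that IP has been admitted.

```python
import time

# Constructed stand-in for upstream DNS: name -> (IP list, TTL in seconds).
# cdn.example and other.example deliberately share an IP to model shared hosting.
FAKE_DNS = {
    "serverfault.com": (["192.0.2.10", "192.0.2.11"], 60),
    "cdn.example": (["203.0.113.10"], 30),
    "other.example": (["203.0.113.10"], 30),   # same IP, not on the whitelist
}

HOSTNAME_WHITELIST = {"serverfault.com", "cdn.example"}


class DnsGatedFirewall:
    """Steps 1-3: resolve only whitelisted names and admit their IPs until the TTL expires."""

    def __init__(self, whitelist, resolver, clock=time.monotonic):
        self.whitelist = set(whitelist)
        self.resolver = resolver
        self.clock = clock
        self.allowed_ips = {}  # ip -> expiry timestamp

    def lookup(self, hostname):
        """Step 1+2: answer the PC's query only for whitelisted names; step 3: admit the IPs."""
        if hostname not in self.whitelist:
            return None  # refused: the PC never learns an address, and nothing is admitted
        ips, ttl = self.resolver[hostname]
        expiry = self.clock() + ttl
        for ip in ips:
            # keep the later expiry if the same IP was admitted via another name
            self.allowed_ips[ip] = max(self.allowed_ips.get(ip, 0.0), expiry)
        return list(ips)

    def permits(self, dst_ip):
        """Egress check for one packet: purge expired entries, then match the destination."""
        now = self.clock()
        self.allowed_ips = {ip: exp for ip, exp in self.allowed_ips.items() if exp > now}
        return dst_ip in self.allowed_ips


def demo():
    t = [1000.0]  # controllable clock so expiry can be shown without sleeping
    fw = DnsGatedFirewall(HOSTNAME_WHITELIST, FAKE_DNS, clock=lambda: t[0])
    before = fw.permits("192.0.2.10")        # False: nothing resolved yet
    fw.lookup("serverfault.com")
    after = fw.permits("192.0.2.10")         # True: admitted via the DNS answer
    refused = fw.lookup("other.example")     # None: name not whitelisted
    fw.lookup("cdn.example")
    shared = fw.permits("203.0.113.10")      # True: also reaches other.example (step 4 gap)
    t[0] += 61
    expired = fw.permits("192.0.2.10")       # False: serverfault.com entry past its TTL
    return before, after, refused, shared, expired
```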