Subject: Re: Which (free) software to do application-level firewalling
To: None <joel@carnat.net>
From: Chuck Swiger <cswiger@mac.com>
List: netbsd-users
Date: 03/04/2006 08:57:41
Joel CARNAT wrote:
> I spent the last two days at "Microsoft Security Days" in Paris while I
> was spammed with "M$ does it", "M$ is great", yadda yadda... When I put
> the commercial aspect away, their ISA Server 2004 looks pretty nice.

It's not clear to me why a rational purchaser of security products would buy a
solution from Microsoft, unless your network and userbase is so dependent upon
M$-specific protocols that the integration of Active Directory with your
ISA-based firewall actually helps rather than hurts.

One should be aware that ISA deals rather poorly with blocking malicious traffic
from authenticated machines (ie, if a machine inside gets virusized), and $Deity
alone help you if the domain controller gets owned.  (Why, yes, Virginia,
terminating VPN users via Terminal Services onto the domain controller rather
than putting VPN users into a semi-trusted DMZ subnet can lead to vital machines
being compromised because this traffic goes right by ISA.)

> To sum up, it is a firewall that can deal with network flow at
> application level (aka ISO layer 7) - that is, it can block data flow if an
> HTTP/SMTP/... command is known to be bad (too long, attack signature, ...).
> 
> My question is, using NetBSD ;), what is the way to validate network flow
> at level7 ?

Layer-7 means application-protocol specific proxying, such as ssmtp or squid, or
the "deep protocol inspection" that some vendors use (ie "proto fixup smtp" in
Cisco IOS).

> Is it postfix that can kill a session (for eg) if the HELO
> command gets more than "64" chars ?

Yes.  Obviously, you should choose a more thorough set of HELO checks than that.
Something like:

smtpd_helo_required = yes
strict_rfc821_envelopes = yes
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
smtpd_recipient_restrictions = permit_sasl_authenticated,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        permit_mynetworks,
        reject_unauth_destination,
        check_recipient_access pcre:/usr/local/etc/postfix/recipient_checks.pcre,
        check_helo_access hash:/usr/local/etc/postfix/helo_checks,
        check_policy_service inet:127.0.0.1:10023,
        # reject_rbl_client sbl.spamhaus.org,
        permit

...and set this up in helo_checks (and run postmap on it):

3-pi% cat /usr/local/etc/postfix/helo_checks
localhost       REJECT You are not localhost.
aa.bb.cc.dd     REJECT You are not my IP, go away.
example.com     REJECT You are not in my domain.

> Is it squid that can terminate a
> session if it sees a URL patterned like "GET blabla.php?vars=DOSme\n\n\n\n"
> ? How do we do this in the free world (didn't find anything on
> google|freshmeat - but I may not have used the right search pattern).

Squid supports hostname and URL regex blocking (among other things), so if the
comments in squid.conf aren't enough to get you working, consider setting up
Webmin and using the web-based GUI to do this.

On the other hand, you could always set up a 404 handler like this:

   http://www.pkix.net/~chuck/strychnine.py

...to deter malware.  You could see your suggested URL in action:

   http://www.pkix.net/blabla.php?vars=DOSme

-- 
-Chuck
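As an added example (not code from the post or from Postfix/Squid themselves): the check_policy_service entry in the main.cf above hands each RCPT-time decision to an external daemon on 127.0.0.1:10023, and that is a natural place to put the layer-7 checks discussed in the thread in code rather than in access tables. The script below implements the three rules of the helo_checks table plus the "64 chars" limit and an FQDN check as a Postfix policy server, and carries the same idea over to Squid with a one-line OK/ERR answer for a URL in the form an external_acl_type helper gives. OUR_IP, OUR_DOMAIN, the port and the sample request are assumptions (documentation-range addresses, standing in for aa.bb.cc.dd and the real site).

```python
"""Layer-7 checks as helper programs (added example; not from the post).

helo_policy() mirrors the helo_checks table plus the "64 chars" and FQDN
checks, speaking the Postfix SMTPD policy delegation protocol that
check_policy_service inet:127.0.0.1:10023 talks to.  url_acl() makes the
same kind of decision for a URL, as a Squid external_acl_type helper would.
"""
import ipaddress
import re
import socketserver
import sys

OUR_IP = "192.0.2.10"        # assumed; stands in for aa.bb.cc.dd in the table
OUR_DOMAIN = "example.com"   # as in the helo_checks table
MAX_HELO_LEN = 64            # the limit from the question

# Hostname labels of [A-Za-z0-9-], no leading/trailing hyphen, at least one dot.
_FQDN = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")

# The question's example URL pattern, as Squid's url_regex would see it.
_BAD_URL = re.compile(r"\.php\?.*DOSme", re.IGNORECASE)

# Constructed sample request, in the shape Postfix sends at RCPT time.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "helo_name=localhost\n"
    "client_address=203.0.113.7\n"
    "recipient=joel@example.com\n"
    "\n"
)

def parse_policy_request(text):
    """Turn one 'name=value' block (terminated by an empty line) into a dict."""
    attrs = {}
    for line in text.split("\n"):
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def helo_policy(attrs):
    """Return a Postfix action ('DUNNO' or 'REJECT text') judged on HELO only."""
    helo = attrs.get("helo_name", "")
    if not helo:
        return "REJECT HELO required"
    if len(helo) > MAX_HELO_LEN:
        return "REJECT HELO name too long"
    name = helo.lower()
    literal = name.startswith("[") and name.endswith("]")
    if literal:
        name = name[1:-1]            # RFC 5321 address literal: [1.2.3.4]
    if name == "localhost":
        return "REJECT You are not localhost."
    if name == OUR_IP:
        return "REJECT You are not my IP, go away."
    if name == OUR_DOMAIN or name.endswith("." + OUR_DOMAIN):
        return "REJECT You are not in my domain."
    if literal:
        try:
            ipaddress.ip_address(name)
        except ValueError:
            return "REJECT Invalid address literal"
    elif not _FQDN.match(name):
        return "REJECT Need fully-qualified hostname"
    return "DUNNO"                   # let the remaining restrictions decide

def url_acl(uri):
    """Squid external ACL answer: 'OK' if the URL matches the bad pattern."""
    return "OK" if _BAD_URL.search(uri) else "ERR"

class PolicyHandler(socketserver.StreamRequestHandler):
    """One connection: read requests until Postfix closes it, answer each."""
    def handle(self):
        while True:
            lines = []
            for raw in self.rfile:
                line = raw.decode("utf-8", "replace").rstrip("\r\n")
                if not line:
                    break
                lines.append(line)
            else:
                return               # EOF from Postfix
            action = helo_policy(parse_policy_request("\n".join(lines) + "\n\n"))
            self.wfile.write(("action=%s\n\n" % action).encode())
            self.wfile.flush()

if __name__ == "__main__":
    if sys.argv[1:] == ["squid"]:    # Squid external_acl_type helper: one URL per line
        for line in sys.stdin:
            print(url_acl(line.strip()), flush=True)
    else:                            # Postfix policy daemon for check_policy_service
        socketserver.ThreadingTCPServer.allow_reuse_address = True
        with socketserver.ThreadingTCPServer(("127.0.0.1", 10023), PolicyHandler) as srv:
            srv.serve_forever()
```

Run it with no arguments to serve the port named in the check_policy_service line; because that restriction sits after permit_sasl_authenticated and permit_mynetworks in the list above, only outside, unauthenticated clients ever reach these checks, which is the behaviour you want.  Note that the daemon answers DUNNO rather than OK for a clean HELO, so the restrictions that follow it (reject_rbl_client, if you enable it) still get their say.  For the Squid side, the question's pattern needs no helper at all, since squid.conf can do `acl bad_url url_regex -i \.php\?.*DOSme` followed by `http_access deny bad_url`; the helper mode is there for checks a regex cannot express.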