While researching a virus infection, Dragos Ruiu asked for the world's simplest firewall to isolate/quarantine the infected machine, so that it has access to the Internet, but not to the local network. So I created just such a firewall: isowall.
As a demonstration, I'm running isowall on a "Raspberry Pi", a $50 hobbyist Linux machine. The laptop in this picture may be infected with a virus. I want the laptop to still access the Internet, but not access my local network, where it may spread the infection. As you can see, the laptop has a direct Ethernet link to the Raspberry Pi running isowall (short purple cable to white USB Ethernet), which then links to the rest of my home network (grey cable).
The command-line on the Raspberry Pi looks like the following. As you can see, the infected laptop has an IP address of 10.20.30.207 and connects via 'eth1', but it can only exchange packets with the local router (and hence the Internet), and not any of the other devices on the local network.
The security guarantee of isowall rests on the fact that there is no TCP/IP stack bound to 'eth1'. Isowall has its own TCP/IP stack. Today's firewalls fail because they are extensions to the existing network stack of the operating system. This introduces a huge attack surface and a lot of complexity, meaning hackers can attack the firewalls themselves, and users will misconfigure firewall rules. What isowall does is separate the two duties: TCP/IP firewalling is done wholly separately from the Linux TCP/IP stack.
You can see this principle when you run 'ifconfig'. As you can see, 'eth1' has no IP address assigned to the network adapter. The infected machine can attack this Ethernet port all it wants, but it won't get anywhere, because there's nothing listening on that Ethernet except for isowall.
Another security guarantee that isowall provides is that it prevents common user configuration errors. It has only the simplest, strictly necessary configuration options. This is shown in the above picture, where all the options are specified on the command-line. This means all the options can be read at a glance to verify that you are secure.
Let's say that you do something wrong and add an IP address to 'eth1'. If isowall detects this, it will refuse to start up. If this is done after isowall is running, it will shut down with a nasty warning message, as shown below.
Lastly, there is another security guarantee: simple code. All the TCP/IP packet parsing and evaluation is contained in the function "is_valid()" at the top of the file "main.c" in the isowall source code. Anybody can read this code and verify that isowall doesn't have a bug that would allow a hacker to bypass or attack the firewall.
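The per-packet rule described above (the isolated host may exchange packets only with the local router, never with other LAN devices), written out as an added illustration in Python rather than isowall's own is_valid(): it parses raw Ethernet/IPv4 frames and decides for each direction whether the frame stays within that rule. The MAC addresses, the router address, the 10.20.30.0/24 subnet and the dropping of all non-IPv4 frames are assumptions of this example; only the laptop's 10.20.30.207 comes from the post.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

# Constructed config (MACs, router and subnet are assumed; laptop IP is from the post).
CFG = {
    "internal_mac": bytes.fromhex("02aabbccdd01"),   # isolated laptop on eth1
    "internal_ip": IPv4Address("10.20.30.207"),
    "router_mac": bytes.fromhex("02aabbccdd02"),     # local router, reached via eth0
    "router_ip": IPv4Address("10.20.30.1"),
    "local_net": IPv4Network("10.20.30.0/24"),
}
ETHERTYPE_IPV4 = 0x0800

def parse_frame(frame):
    """Return (dst_mac, src_mac, src_ip, dst_ip) for an IPv4 frame, else None."""
    if len(frame) < 34:
        return None
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        return None  # assumption: non-IPv4 frames (e.g. ARP) are dropped here
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or len(frame) < 14 + ihl:
        return None  # malformed IPv4 header, never forwarded
    src_ip, dst_ip = struct.unpack("!4s4s", frame[26:34])
    return dst_mac, src_mac, IPv4Address(src_ip), IPv4Address(dst_ip)

def is_valid(frame, from_internal, cfg=CFG):
    """Allow a frame only if it travels between the isolated host and the router."""
    parsed = parse_frame(frame)
    if parsed is None:
        return False
    dst_mac, src_mac, src_ip, dst_ip = parsed
    if from_internal:  # laptop -> router
        near_mac, near_ip, far_mac, far_ip = src_mac, src_ip, dst_mac, dst_ip
    else:              # router -> laptop
        near_mac, near_ip, far_mac, far_ip = dst_mac, dst_ip, src_mac, src_ip
    if near_mac != cfg["internal_mac"] or near_ip != cfg["internal_ip"]:
        return False  # near side must be exactly the isolated host (no spoofing)
    if far_mac != cfg["router_mac"]:
        return False  # far side must be the router's MAC, nothing else on the LAN
    if far_ip in cfg["local_net"] and far_ip != cfg["router_ip"]:
        return False  # LAN addresses stay blocked even when sent via the router
    return True

def build_frame(dst_mac, src_mac, src_ip, dst_ip):
    """Construct a minimal Ethernet + IPv4 header (no payload) for testing."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         src_ip.packed, dst_ip.packed)
    return struct.pack("!6s6sH", dst_mac, src_mac, ETHERTYPE_IPV4) + ip_hdr
```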