
PACKET FLOW IN THE FIREWALL

There are some common patterns that firewall vendors follow, and this whitepaper explains how a packet flows through the firewall.
The firewall maintains two paths: the slow path and the fast path. Once the firewall's external interface receives a packet, it first checks whether the packet belongs to an existing session. If it does, the packet enters the fast path; otherwise the packet is sent to the slow path, where the firewall identifies the required parameters and allocates a new session from the free pool.

Below are the steps the firewall follows to allocate a new session in the slow path and hand the packet over to the fast path:

Once the firewall's external interface receives a packet, the packet proceeds through a number of steps on its way to the internal interface, traversing each inspection type depending on the security policy and security profile configuration. The diagram below is a high-level view of the packet's journey through Fortigate and Palo Alto firewalls.

Fig 1: Packet flow in the Fortigate Firewall
The ingress stage receives packets from the network interface, parses them, and then determines whether a given packet is subject to further inspection. If it is, the firewall continues with a session lookup and the packet enters the security processing stage.
Note: During packet processing, the firewall may discard a packet because of a protocol violation. In certain cases the firewall's attack-prevention features discard packets with no configurable option to override them.
Packet parsing starts with the Ethernet (Layer 2) header of the packet received from the wire. The ingress port, 802.1Q tag, and destination MAC address are used as keys to look up the ingress logical interface. If the packet's destination MAC address does not match the MAC address of the ingress port, the firewall discards the packet.
Next, the IP header (Layer 3) is parsed. If it is an IPv4 packet, the firewall checks for the following conditions and discards the packet if any of them matches:
IPv4:
·         Mismatch of Ethernet type and IP version
·         Truncated IP header
·         IP protocol number 0
·         TTL zero
·         Land attack
·         Ping of death
·         Martian IP address
·         IP checksum errors
If the packet is IPv6, the firewall checks for the following conditions and discards the packet if any of them matches:
IPv6:
·         Mismatch of Ethernet type and IP version
·         Truncated IPv6 header
·         Truncated IP packet (IP payload buffer length less than IP payload field)
·         JumboGram extension (RFC 2675)
·         Truncated extension header

Next, the Layer 4 (TCP/UDP) header is parsed, if applicable.
TCP:
The firewall discards the packet for any one of the following reasons:
·         TCP header is truncated
·         Data offset field is less than 5
·         Checksum error
·         Port is zero
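As an added example that is not from the original post or from either vendor's code, the following Python performs the Layer 2 to Layer 4 sanity checks listed above on a raw IPv4/TCP frame and returns the first discard reason it finds. The port MAC, the addresses and the build_frame helper are constructed test values; the TCP checksum and the ping-of-death (oversized reassembled ICMP) check are not modelled.

```python
import struct
from ipaddress import ip_address
def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum over an even-length header; 0 means intact."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF
def ingress_check(frame: bytes, port_mac: bytes):
    """Return the discard reason for an IPv4/TCP frame, or None if it may proceed."""
    if len(frame) < 14 or frame[:6] != port_mac:
        return "truncated frame or destination MAC mismatch"
    ip = frame[14:]
    if len(ip) < 20 or len(ip) < (ip[0] & 0xF) * 4:
        return "truncated IP header"
    if frame[12:14] != b"\x08\x00" or ip[0] >> 4 != 4:   # only IPv4 is modelled here
        return "ethertype / IP version mismatch"
    ihl = (ip[0] & 0xF) * 4
    if ip_checksum(ip[:ihl]) != 0:
        return "IP checksum error"
    ttl, proto, src, dst = ip[8], ip[9], ip[12:16], ip[16:20]
    if proto == 0:
        return "IP protocol number 0"
    if ttl == 0:
        return "TTL zero"
    s = ip_address(src)                  # martian: a source that can never be legitimate
    if s.is_loopback or s.is_unspecified or s.is_multicast or s.is_reserved:
        return "martian source address"
    if proto != 6:                       # non-TCP: no Layer 4 checks modelled here
        return None
    tcp = ip[ihl:]
    if len(tcp) < 20:
        return "truncated TCP header"
    sport, dport = struct.unpack("!HH", tcp[:4])
    if sport == 0 or dport == 0:
        return "TCP port zero"
    if tcp[12] >> 4 < 5:                 # data offset below the minimum TCP header size
        return "TCP data offset less than 5"
    if src == dst and sport == dport:    # packet addressed to itself
        return "land attack"
    return None
def build_frame(port_mac, src_ip, dst_ip, ttl=64, sport=40000, dport=443, offset=5):
    """Constructed Ethernet + IPv4 + TCP SYN frame with a valid IP header checksum."""
    pack = lambda a: ip_address(a).packed
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0,
                                pack(src_ip), pack(dst_ip)))
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, offset << 4, 0x02, 8192, 0, 0)
    return port_mac + b"\x02" * 6 + b"\x08\x00" + bytes(hdr) + tcp
```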

If a DoS sensor is enabled on the firewall, the ingress interface's network device driver passes the packet to the Denial of Service (DoS) sensors, which determine whether it is valid traffic or part of a DoS attack (for example, a flood of TCP SYN packets) and ensure it is within the permitted thresholds. Packets belonging to suspected DoS attacks are blocked; other packets are allowed through.

If the packet arrived encrypted through a VPN, the firewall performs decapsulation/decryption at the parsing stage. After parsing the packet, if the firewall determines that it matches a tunnel (IPsec, or SSL-VPN over SSL transport), it performs the following sequence:
·         The firewall decapsulates the packet first and discards it if errors exist.
·         The tunnel interface associated with the tunnel is assigned to the packet as its new ingress interface, and the packet is fed back through the parsing process, starting with the packet header defined by the tunnel type. Currently the supported tunnel types are IP-layer tunnels, so parsing of a tunneled packet starts with the IP header.


Fig 2: Packet flow in the Palo Alto Firewall

IP Defragmentation:

The firewall parses IP fragments, reassembles them using the defragmentation process, and then feeds the reassembled packet back to the parser starting with the IP header. At this stage a fragment may be discarded because of a teardrop attack (overlapping fragments), fragmentation errors, or because the firewall has hit its system limit on buffered fragments (the maximum packet threshold).
If the packet is subject to firewall inspection, the firewall performs a flow lookup on it. A firewall session consists of two unidirectional flows, each uniquely identified. The firewall identifies a flow using a 6-tuple key:
·         Source and destination addresses: IP addresses from the IP packet.
·         Source and destination ports: port numbers from the TCP/UDP header. For non-TCP/UDP protocols, other protocol fields are used (e.g. for ICMP the ICMP identifier and sequence number, for IPsec terminating on the device the Security Parameter Index (SPI), and for unknown protocols a constant reserved value that skips the Layer 4 match).
·         Protocol: the IP protocol number from the IP header.
·         Security zone: derived from the ingress interface at which the packet arrives.

The firewall stores active flows in the flow lookup table. When a packet is determined to be eligible for firewall inspection, the firewall extracts the 6-tuple flow key from it and performs a flow lookup to match the packet with an existing flow.

Firewall Session Setup:

Some firewall vendors check the DoS protection profile as soon as the packet arrives at the ingress stage, while others check the DoS profiles just before session setup.

NOTE: Some vendor firewalls also perform a "TCP state check": the firewall discards the packet if the first packet of a session arriving at the ingress port is not a SYN packet.

NAT LOOKUP:

Firewalls first perform the destination NAT (DNAT) lookup and check that an appropriate route to the destination is available; only then do they perform the source NAT lookup. DNAT is typically applied to traffic from the Internet that is directed to a server on a network behind the firewall, so the actual address of the internal server is hidden from the Internet. This step also determines whether a route to the destination address actually exists.
NOTE: Firewalls perform destination NAT before routing so that they can route packets to the correct destination. If there is no route to the destination, the firewall discards the packet.

Security Policy Lookup:

At this stage, the ingress and egress zone information is available. The firewall uses application ANY to perform the lookup and checks for a rule match. If a rule matches and its action is set to 'deny', the firewall drops the packet. The firewall also denies the traffic if no security rule matches. Intra-zone traffic is permitted by default.
Intra-zone means traffic within the same zone, for example inside to inside or outside to outside.
Note: The firewall applies security rules to the contents of the original (pre-NAT) packet, even when NAT rules are configured.
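As an added illustration (not from the post or from any vendor's code) of the ordering described above, the following Python performs the DNAT lookup, then the route lookup, and then evaluates the security policy against the pre-NAT destination, with intra-zone traffic allowed when no rule matches. The DNAT entries, routes, rules, addresses and zone names are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed tables with hypothetical values, not a real configuration.
DNAT = {("203.0.113.10", 443): "10.0.0.5",          # (public dst, dport) -> internal server
        ("203.0.113.11", 443): "192.168.99.1"}      # server on a network with no route
ROUTES = {"10.0.0.0/24": "inside", "203.0.113.0/24": "outside"}   # prefix -> egress zone
RULES = [  # (from_zone, to_zone, dst_net, dport or None, action), evaluated top-down
    ("outside", "inside", "203.0.113.10/32", 443, "allow"),
    ("outside", "inside", "0.0.0.0/0", None, "deny"),
]

def route_zone(dst):
    """Longest-prefix match over ROUTES; returns the egress zone or None if unroutable."""
    best = None
    for prefix, zone in ROUTES.items():
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    return best[1] if best else None

def policy_lookup(src_zone, dst_zone, orig_dst, dport):
    """First matching rule wins; with no match, intra-zone traffic is allowed and the rest denied."""
    for from_zone, to_zone, net, port, action in RULES:
        if (from_zone == src_zone and to_zone == dst_zone
                and ip_address(orig_dst) in ip_network(net)
                and (port is None or port == dport)):
            return action
    return "allow" if src_zone == dst_zone else "deny"

def slow_path(src_zone, dst, dport):
    """DNAT lookup, then route lookup, then policy evaluated on the pre-NAT destination."""
    translated = DNAT.get((dst, dport), dst)
    dst_zone = route_zone(translated)
    if dst_zone is None:                 # no route to the (translated) destination
        return "drop: no route to destination"
    action = policy_lookup(src_zone, dst_zone, dst, dport)
    return f"{action} (egress {dst_zone}, forward to {translated})"
```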

Session Allocation:

Once all of the above steps complete successfully, the firewall allocates a new session entry from the free pool.
Session allocation may fail at this point because of resource constraints:
·         The VSYS session maximum has been reached, or
·         All available sessions on the firewall are already allocated.
After session allocation succeeds:
·         The firewall fills the session with the flow keys extracted from the packet and the forwarding/policy results.
·         The session state changes from INIT (pre-allocation) to OPENING (post-allocation).
·         The firewall queries the flow lookup table to see whether an entry already matches the session's flow keys. If a match is found (a session with the same tuple already exists), this new session instance is discarded because the session already exists; otherwise
·         The session is added to the flow lookup table for both the C2S and S2C flows, and the firewall changes the session's state from OPENING to ACTIVE. The firewall then sends the packet into the session fast path for security processing.

Packet Enters the Fast Path:

A packet that matches an existing session enters the fast path. This stage starts with Layer 2 to Layer 4 firewall processing:
·         If the session is in the discard state, the firewall discards the packet. A session can be marked as discard because the policy action changed to deny, or because of threat detection.
·         If the session is active, refresh the session timeout.
·         If the packet is a TCP FIN/RST: the TCP half-closed timer is started if this is the first FIN received (half-closed session), or the TCP TIME_WAIT timer is started if this is the second FIN or an RST packet. The session is closed as soon as either timer expires.
·         If NAT applies, translate the L3/L4 header as required.
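To tie together the 6-tuple flow key, the session allocation states and the fast path timers described above, here is an added Python model of a session table (not vendor code and not from the original post): setup is the slow path that allocates a session from the pool and publishes both the C2S and S2C flow keys, and fast_path applies the discard, timeout refresh and FIN/RST timer rules. Timer values, zone names and addresses are constructed assumptions.

```python
from dataclasses import dataclass
FIN, RST = 0x01, 0x04            # TCP flag bits the fast path reacts to
def flow_key(src_ip, dst_ip, sport, dport, proto, zone):
    """6-tuple identifying one unidirectional flow; zone is the ingress zone."""
    return (src_ip, dst_ip, sport, dport, proto, zone)
@dataclass
class Session:
    c2s: tuple                   # client-to-server flow key
    s2c: tuple                   # server-to-client flow key
    state: str = "INIT"          # INIT -> OPENING -> ACTIVE -> HALF_CLOSED/TIME_WAIT, or DISCARD
    expires: float = 0.0         # absolute time at which the running timer fires

class SessionTable:
    def __init__(self, max_sessions, timeout=30.0, half_closed=5.0, time_wait=1.0):
        self.max, self.timeout = max_sessions, timeout
        self.half_closed, self.time_wait = half_closed, time_wait
        self.flows = {}          # flow key -> Session; both directions map to one entry

    def lookup(self, key):
        return self.flows.get(key)

    def setup(self, c2s, server_zone, now):
        """Slow path: allocate a session for a first packet, or report why not."""
        s2c = (c2s[1], c2s[0], c2s[3], c2s[2], c2s[4], server_zone)
        if len(self.flows) // 2 >= self.max:      # free pool exhausted
            return None, "session limit reached"
        sess = Session(c2s, s2c, state="OPENING")
        if c2s in self.flows or s2c in self.flows:
            return self.flows.get(c2s) or self.flows[s2c], "duplicate, existing session kept"
        self.flows[c2s] = self.flows[s2c] = sess
        sess.state, sess.expires = "ACTIVE", now + self.timeout
        return sess, "allocated"

    def fast_path(self, sess, tcp_flags, now):
        """Fast path L2-L4 handling for a packet that matched an existing session."""
        if sess.state == "DISCARD":
            return "drop"
        if now >= sess.expires:                 # a timer fired: close the session
            self.flows.pop(sess.c2s, None)
            self.flows.pop(sess.s2c, None)
            return "drop (session closed)"
        if tcp_flags & RST or (tcp_flags & FIN and sess.state == "HALF_CLOSED"):
            sess.state, sess.expires = "TIME_WAIT", now + self.time_wait
        elif tcp_flags & FIN:                   # first FIN: half-closed timer
            sess.state, sess.expires = "HALF_CLOSED", now + self.half_closed
        elif sess.state == "ACTIVE":
            sess.expires = now + self.timeout   # refresh the idle timeout
        return "forward"
```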

Security Processing - Content and Application Inspection:

A packet matching an existing session is subject to further processing (application identification and/or content inspection). If the firewall has not yet identified the session's application, it performs an App-ID lookup. Once the application is known, the session is subject to content inspection if any of the following apply:
·         An Application Layer Gateway (ALG) is involved.
·         The application is a tunneled application.
·         The security rule has a security profile associated with it.

1. If the security policy has logging enabled at session start, the firewall generates a traffic log each time the App-ID changes throughout the life of the session.
2. If the security policy action is allow and the rule has an associated profile and/or the application is subject to content inspection, all content passes through Content-ID.
3. If the security policy action is allow, the firewall performs a QoS policy lookup and assigns a QoS class based on the matching policy.
4. If the security policy action is allow and the application is SSL or SSH, the firewall performs a decryption policy lookup and sets up proxy contexts if a decryption rule matches.
Once the firewall has decrypted the SSL content, it performs content inspection again on the plaintext traffic to check the data for threats. If no threats are found, the firewall re-encrypts the packet and sends it to the forwarding/egress stage.

Forwarding/Egress:

In the egress process the firewall performs QoS shaping as applicable. Based on the MTU of the egress interface and the fragment bit settings on the packet, the firewall fragments the packet if needed.
Through these stages the firewall protects the organization from the latest sophisticated attacks.

By Ganapareddy Sudhakar


