Wednesday, May 17, 2006

Stealth and Security With Filtering Bridges

There is a good tutorial on bridging under Linux at Nepotismia. For those who don't know, bridging is a way to transparently connect and forward data between two networks. Because they operate at layer 2 (the data-link layer), bridges can operate independently of the protocols above them. Here is another good overview of Linux bridging. Pure bridging devices have largely been replaced by switches, but dedicated bridges can still be useful when they are combined with packet filtering. I've used bridging firewalls in a few situations over the years.

In one, a client had a proprietary application housed on a dedicated server (Windows-based) that was supplied and pre-configured by the vendor. One interface on this device had a public address used for remote management, and the other interface had to be connected to their LAN. Despite perimeter firewall rules that limited access to the device from the Internet, the customer did not trust the security of the device - it was basically an unknown risk to them. What we ended up doing was placing a bridging firewall between the device and the rest of the LAN (really the switch port it was connected to), allowing transparent filtering of packet flow to and from the device. The bridge in this case was a m0n0wall (a great firewall in its own right, also with bridging capability) on a Soekris box.

In another, I was doing remote penetration testing and had to satisfy the client's demands that the testing platform was segmented from the rest of our network, so that any data collected during the test could be kept secure. In this instance, I opted for a spare PC running OpenBSD, configured as a filtering bridge. The advantage of doing this was that it did not impact the layout of the LAN, as the bridge had no IP addresses - basically an "invisible" firewall. The testing server was allowed full outbound access, but no inbound network access to the server was permitted.
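Concretely, the "full outbound, no inbound" policy of that OpenBSD bridge looks like the following. This is an added, constructed example rather than the configuration from the original post; the interface names em0/em1, the test host address 192.0.2.10 and the assumption that pf filters on the bridge member interfaces are mine.

```pf
# /etc/hostname.em0 -- member facing the switch port (no address, just "up")
# up
# /etc/hostname.em1 -- member facing the testing server
# up
# /etc/hostname.bridge0 -- join the two members into one transparent bridge
# add em0 add em1 up

# /etc/pf.conf -- the filtering policy. The bridge carries no IP address;
# pf matches frames as they pass the member interfaces, not bridge0.
lan_if    = "em0"
test_if   = "em1"
test_host = "192.0.2.10"   # constructed address of the testing platform

set skip on lo0
# Filter once, on the test-host side. Frames entering on the LAN side are
# not inspected there; they are judged when they leave via $test_if, where
# only packets matching an existing (floating) state are let through.
set skip on $lan_if

block log all

# Testing server: full outbound access; state is created on the way out
pass in on $test_if inet proto { tcp, udp } from $test_host to any
pass in on $test_if inet proto icmp from $test_host to any

# Nothing else. An unsolicited packet for $test_host from the LAN reaches
# "out on $test_if" without a matching state and hits the block-log rule,
# so it is dropped and logged to pflog0.
#
# Caveat: pf filters IP only. ARP and other non-IP frames are bridged
# untouched; restrict those with bridge rules (ifconfig bridge0 rule ...)
# if layer-2 isolation also matters.
```

Because the bridge has no address of its own, it is managed from the console (or a third, non-bridged interface), which is what makes it invisible to both sides.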

Bridging firewalls also turn out to be useful in honeynets. All in all, a very useful addition to your networking toolkit.
