
ipsec vs. firewalls



I came up with a disturbing conflict between ubiquitous IPSEC and
common firewall policies.  I'm not certain how to resolve it,
either.

A common firewall policy permits most outgoing calls.  (The
requirement to authenticate such calls, say via AH from the inside
host to the firewall, wouldn't affect what comes next.)  Suppose,
though, that the inside host wants to use ESP for end-to-end
encryption to the destination.  How will the firewall inspect the
return packet?

To implement that firewall policy, the return packet *must* be a
reply to the outbound packet -- say, the SYN+ACK in response to
the SYN.  But if it's encrypted, there's no way to tell; it could
be a probe from the outside host to some vulnerable ports on the
inside client machine.

There are a number of possible solutions; each has its limitations.

The most obvious, of course, is to prohibit end-to-end encryption,
and require that all packets be decrypted at the firewall.  Apart
from the obvious security risks, this complicates the topology
discovery process.

Another pretty good solution is per-connection keying.  But that
only works if the firewall *knows* that the inside machines will
indeed enforce that, and drop packets to different ports than are
bound to the SPI.

A third solution is to use some sort of auxiliary header with
cleartext port numbers, similar to that suggested by Greg Minshall.
Again, the firewall would have to *know* that hosts would drop
packets where the outer and inner port numbers didn't match.
Furthermore, in both this case and the previous one, all the firewall
knows is the packet direction; SYN, ACK, and FIN bits are still
invisible.  (Well, we could expose more of the TCP header.)  This
reduces the ability of a dynamic firewall to handle TCP to its
ability to handle UDP.

Fourth, we could restrict end-to-end encryption to trusted outside
hosts, and in particular to machines that comprise the VPN.
Obviously, this works against general use of encryption.

Finally, I suspect that some people will regard anything that
cripples firewalls as a feature.  With all due respect, I tend
to differ...

I'm not suggesting any changes to anything at this point.  I do
suggest that IPSEC vendors -- including IPSEC implementations that
will live on firewalls -- work towards per-connection keying.
