Weekly Edition
Return to the Security page
| |||||||||||||
Fedora introduces Network ZonesFedora is exploring a new security feature in the upcoming Fedora 17 release that is intended to make firewall configuration simpler for the average user. Based on features found in the new, D-Bus-enabled firewall tool, the Network Zones feature will automatically activate different sets of firewall rules based on the network location, and provide sensible defaults for different classes of network — from trusted connections at home to potentially dangerous open WiFi networks in public. BackgroundAt the heart of Network Zones is the notion that each network has an associated trust level — fully trusted, mostly trusted, mostly untrusted, or fully untrusted. To serve the needs of users that regularly move between network locations, the firewall should ratchet up the netfilter rules to a stricter level when in an untrusted location such as a restaurant or public park, but ratchet them back down when reconnecting to the home or office network. Exactly which rules are applied at each trust level is up to the user or administrator. Existing firewall tools, however, fall short in two ways. First, they know only about network interfaces, not about the networks themselves (trust information in particular). Second, they require stopping and restarting the firewall in order to change any settings. Red Hat's Thomas Woerner developed a solution tackling both issues based on GNOME's NetworkManager, and a new firewall application named Firewalld. NetworkManager, which was designed to keep track of WiFi networks and opportunistically switch between them when roaming, already implemented some of the required functionality. It maintains a history of networks visited, and allows users to associate preferences with each saved network connection. Adding a trust level to each network connection would allow NetworkManager to instruct the firewall to change to a different rule set. Firewalld solves the restarting problem by running as a D-Bus enabled daemon, listening for state change commands, and emitting information on the current status of the firewall. NetworkManager also uses D-Bus, so it can simply send a message to Firewalld telling it to raise or lower specific firewall rules as the situation dictates. To keep the firewall state consistent, though, Firewalld must be the only application modifying the settings (thus requiring that other firewall management packages be disabled), and for security reasons, all rule change requests accepted by Firewalld must be authenticated with PolicyKit. In order for Firewalld to expose a straightforward set of configuration options to users (and other applications) over D-Bus, the firewall rule set had to be refactored into a clean set of distinct chains that correspond to individual features and services. Thus, adding or removing a rule in one chain will not interfere with the others. Firewalld implements chains for feature sets like virtualization, masquerading (NAT), port forwarding, and open ports, plus predefined chains for individual services like Samba or FTP. The Zones zoneThe official Network Zones proposal on the Fedora wiki defines nine initial network trust levels: trusted (meaning fully trusted, with all incoming traffic permitted), home, work, and internal (all three of which are for mostly trusted networks), dmz, public, and external (which are mostly untrusted), and block and drop (which are both fully untrusted). Firewalld provides an initial configuration for each zone in an XML file. By default, the mostly-trusted zones open only a select set of ports (SSH, mDNS, Samba, and Internet Printing Protocol (IPP) for the home and internal zones, and SSH and IPP for work). The mostly-untrusted zones are more restricted, with SSH being the only allowed protocol for public and dmz, but SSH allowed and IP Masquerading enabled for external — though it's not exactly clear what the benefit of the latter is. The block zone rejects all incoming connections, while the drop zone drops them silently. Of course, the intent is for users or system administrators to customize each of the zones' configuration as desired, allowing some differentiation between the otherwise-identical offerings. There are GUI and command-line utilities (named firewall-config and firewall-cmd, respectively) for examining and altering the configuration options; however as of today not all of the Firewalld rules are supported in either tool. There does not appear to be a DTD or XML Schema for the zone configuration or firewall rules yet, but the syntax is straightforward. Individual services are enabled with a <service name=servicename> element; the other available firewall options are enabled by adding an element specific to the feature, such as <masquerade enabled="True"/>. Network Zone integration is available in the NetworkManager 0.9.4 release, which will be part of Fedora 17, allowing users to assign a trust level to each of their saved networks, as well as a default zone to apply to unknown network connections. A system tray applet will display the current firewall state in GNOME Shell. The project has discussed adding the same functionality to KDE's network manager as well. Firewalld was first made available in Fedora 15, but with the completion of the Network Zones support, it is slated to become the default firewall configuration tool in Fedora 17 (scheduled for release in early May 2012). Network zone support is not the only benefit of the daemon-like firewall approach — D-Bus controls open the door for other dynamic features in the future, like triggering temporary firewall rules without manual intervention, and desktop notifications triggered by firewall events. The Firewalld project is not resting on its laurels, however. The future plans include support for granting or limiting access to the configuration tools on a per-user basis, and more abstract firewall rules based on metadata — such as "allow external access to music sharing applications." Network Zones is of clear benefit to laptop users, who both expose their systems to the greatest risk while roaming, and have had the hardest time finding a balanced firewall policy. But the possibilities enabled by a dynamically controlled firewall extend further; only time will tell what roles it can fill that a static configuration hasn't. (Log in to post comments)
Fedora introduces Network Zones Posted Mar 1, 2012 3:36 UTC (Thu) by smoogen (subscriber, #97) [Link]
Question: How does the firewalld protect itself from being fooled into thinking it is on a "Trusted" environment.
The reason I ask is that there have been several attacks in the past where either malware or a network attack caused other firewalls to switch profiles from a protected one to a trusted one.
Fedora introduces Network Zones Posted Mar 1, 2012 3:38 UTC (Thu) by smoogen (subscriber, #97) [Link]
I missed the PolicyKit items when first reading the article. A bit more explanation might help me understand it better though.
Fedora introduces Network Zones Posted Mar 1, 2012 12:40 UTC (Thu) by Ben_P (subscriber, #74247) [Link]
It sounded like PolicyKit is used to ensure that only these Network Zones tools can modify the firewall. So you'd have to auth with policykit before you could modify any IpTables state, that's how I read it anyway. So the Zones application would defacto auth with policykit so when it decides to change the firewall, it can.
Also, will it be possible to associate zones with actual IpTables rule sets? I'm very comfortable with the existing iptables command line interface and the format in the linked zone files ( http://git.fedorahosted.org/git/?p=firewalld.git;a=tree;f... ) at least at first reading doesn't seem nearly as verbose. Maybe someone has a link to the file spec for these zone xml files?
Fedora introduces Network Zones Posted Mar 1, 2012 13:18 UTC (Thu) by jnareb (subscriber, #46500) [Link]
Is it similar to zones concept in e.g. Guarddog firewall configuration tool?
Fedora introduces Network Zones Posted Mar 1, 2012 14:39 UTC (Thu) by fuhchee (subscriber, #40059) [Link]
... or to Windows >= vista.
9 levels? Posted Mar 1, 2012 15:21 UTC (Thu) by rvfh (subscriber, #31018) [Link]
Are 9 levels really necessary? Is this not the goode olde syndrom of Linux to give too much choice?
I think we should only have:
If in doubt, choose public.
The only question is whether we need something special to allow ssh, but the user can modify the public level if they trust their password enough...
9 levels? Posted Mar 1, 2012 18:44 UTC (Thu) by iabervon (subscriber, #722) [Link]
It's necessary to have to "dmz" and "external" policies, at least, for things like mail servers and data-center-hosted servers. Of course, there's no reason for NetworkManager to trigger these policies dynamically, but there's value in having a firewall program that can be set up easily on both your infrastructure servers and your user laptop, rather than needing to understand two tools for the same purpose or having one of the common cases lack examples.
9 levels? Posted Mar 2, 2012 3:16 UTC (Fri) by bronson (subscriber, #4806) [Link]
Does anybody use NetworkManager on their servers? I know I sure wouldn't.
Network Manager and Servers Posted Mar 2, 2012 14:44 UTC (Fri) by alex (subscriber, #1355) [Link]
Indeed. On our Ubuntu 10.04 server appliance we had problems with Network Manager only enabling the network once logged in. In the end we just removed it and went back to configuring /etc/network/interfaces.
9 levels? Posted Mar 2, 2012 17:42 UTC (Fri) by iabervon (subscriber, #722) [Link]
I certainly wouldn't use NetworkManager on a server, but I was suggesting that people might use firewalld on their servers, not NetworkManager. Once someone has set up NetworkManager and firewalld on a bunch of user laptops, and they're going to set up a server, it makes sense to ditch NetworkManager (because they don't want its functionality), but it doesn't make sense to switch to some other firewall system they are less familiar with. Unless, of course, firewalld doesn't have a suitable trust profile to set statically for the server.
9 levels? Posted Mar 2, 2012 20:14 UTC (Fri) by xtifr (subscriber, #143) [Link]
For an enterprise server farm? No. For a SOHO server? Maybe.
9 levels? Posted Mar 5, 2012 8:02 UTC (Mon) by drag (subscriber, #31333) [Link]
> Does anybody use NetworkManager on their servers? I know I sure wouldn't.
I don't yet, except at home. But I don't see any problem with using it on a server. The reason I don't simply has to do with inertia... have something that works so why bother caring?
But NetworkManager itself is stable and has relatively low overhead.
Networkmanager-dispatcher allows you to create custom scripts to respond to network changes in a similar fashion to ifup/ifdown script. Probably makes it a bit easier in practice, actually, if you want to fully automate everything. It's easy to use that sort of thing to deal with protocols/configurations that NetworkManager doesn't support natively*.
*((not related to servers) so if you run into situations were you Gnome laptop goes to sleep and loses your weird VPN setup is lost every time you close the lid without thinking about it... you can write a script to deal with it proactively instead of trying to figure out how to turn off your power management features. :) )
I expect that for most people the resistance comes from a perception that you need a GUI to manage NetworkManager. A second issue that it is not able to deal with configurations were you don't have a user logged in. Also I expect that the third big perception problem comes from people believing that NetworkManager uses some hidden binary database or format to store it's configurations and you must use weird dbus scripts or whatever to edit configs.
These perceptions are largely false, though, if you configure NetworkManager correctly for a server setup.
I'll deal with the perception issues like so...
For issue #1. NetworkManager supports a number of configuration backends which are configured as 'plugins' in /etc/NetworkManager/NetworkManager.conf
The plugins that I am aware of are:
Now I don't know about ifupdown support in NetworkManager, but the ifcfg-rh is blatantly terrible. It doesn't support all the same options and many things are interpreted differently then the ifcfg documentation and examples would suggest. On top of that many types of devices NetworkManager supports is incompatible with it. So I recommend disabling ifcfg-rh altogether and using keyfile if you are using NetworkManager in a server.
More documentation and details can be found at:
Here are the connection settings for 0.9 (older versions are similar)
I recommend turn on the keyfile plugin, if it's not enabled, and then configuring some interfaces from the GUI to help get you some examples to help you learn the NM .ini format.
For issue #2 (no commandline/bad command line tools)
Once you get keyfile plugin enabled and got some sample configurations going then playing around with 'nmcli' is what you want:
for current status:
to bring it down:
start it back up:
The principal arguments are going to be nm, con, and dev. Check out the man file.
For issue #3, user required to be logged in...
In the GUI it's controlled by 'enabled for all users' checkmark in the network configurations dialogs.
The one thing to watch out for, IIRC, is that changes those files are monitored by NetworkManager. So editing them in-place is a bad idea. If you want to edit the configuration files manually, copy them to another directory, edit them, then copy them back. NetworkManager will act on changes to configurations automatically.
What is the advantage for a server to use NetworkManager? If you just have one or two statically configured ethernet devices.. then not much.
But you can control many types of network connections in a uniform and cross distro way in a easily scriptable way...
So managing those sorts of devices gains a lot more consistency then in the past.
|
|||||||||||||