Interactive whitelisting DNS-based firewalls that can run in a gateway?

Discussion in 'other firewalls' started by Ulysses_, Feb 3, 2019.

  1. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    266
    The PFSense gateway can run pfblocker, a firewall that has a whitelisting mode where the white list is a list of DNS names. But this is not interactive, you have to manually type the allowed domain names. Instead, is there any DNS-based whitelisting firewall that is interactive ie prompts you to add a new site when an attempt is made to connect to that site?

    And that can be set up to run as part of a gateway?

    Linux or BSD based ideally. The idea is to run the interactive firewall in one VM and browser windows in separate VM's.
     
    Last edited: Feb 3, 2019
  2. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    215
    Isn't that kind of labor intensive ? Do you really want to maintain a white list of All sites you visit? A google search and results list that you click on to check answers will generate a lot of entries.
     
  3. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    266
    Certainly is. When you suspect the browser VM has just got owned or that Microsoft is getting copies of ALL your data periodically, it is worth the effort.
     
  4. RioHN

    RioHN Registered Member

    Joined:
    Mar 14, 2017
    Posts:
    63
    Location:
    Here
    My current setup is:

    Windows 7 -> IPFire (VM) -> Router -> Internet

    IPFire drops all traffic to and from the windows system*. An application (lets call it gatekeeper) on the windows system monitors all outgoing connection attempts and compares them to a list of allowed programs. If in the allowed list gatekeeper creates an iptables rule in IPFire containing the destination IP/Port and source port of the connection to allow it through. Similar functions for UDP (focusing on source port and protocol). Once the connection drops the rule is removed. Also has various alerts and logging. *webbrowsing is handled slightly differently and DNS is proxied via IPFire.

    Maybe you could do something similar. Watch for DNS traffic and if allowed poke holes in the firewall for the relevant IP/s.
     
  5. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    266
    Would rather not have anything compete with windows in the same VM, it's got to be a separate non-windows VM that does the gatekeeping. The solution in #1 does the job but it is not interactive, you're not prompted for anything, you just know from the beginning what domain names you will allow and that's it.
     
  6. RioHN

    RioHN Registered Member

    Joined:
    Mar 14, 2017
    Posts:
    63
    Location:
    Here
    That makes sense. For me I needed an external linux firewall to be windows process aware so had to have the gatekeeper app running on the windows system. It comes with it's own risks and rewards of course. If I stumble upon anything which fits your criteria I'll be sure to let you know.
     
  7. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    266
    Anyone seen a network IDS (intrusion detection system) in action, does it prompt for anything?
     
  8. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    266
    Do we have a business opportunity here? Software that people will pay for if someone develops it?
     
  9. RioHN

    RioHN Registered Member

    Joined:
    Mar 14, 2017
    Posts:
    63
    Location:
    Here
    I'd probably play with such a solution from a hobbyist perspective, but im in agreement with lunarlander that it's not very practical and too labor intensive. If you have a machine which needs very limited internet connectivity i can see it having some uses, but for the average desktop machine it would be a micromanaging nightmare.

    Web browsing is one of the biggest problems as each connection to a website may connect you to many many other domains. For instance I just browsed an arstechnica article with uMatrix disabled and counted 39 different sub/domain connections. I'm pretty patient when it comes to fixing sites broken via uMatrix but it's not always obvious which domains are needed.. And even if you have a whitelist in place for a website there's nothing to say the same whitelist will work next time you browse.

    What about CDNs? MaxCDN, CloudFlare, CloudFront, Akamai Edge, Fastly etc used throughout the web, gaming and even by windows OS. How do we know whether the connection was initiated by our web browsing session and not by another program? If the browser is responsible how do we know the browser isn't compromised and connecting to a C&C behind a CDN?

    Online games are another issue. Games with distributed server setups may be unplayable without huge work.

    And direct IP connections that don't require DNS? Do we blanket drop that traffic and hope nothing breaks? or do we have another service in place to intercept and prompt for that traffic also?

    Just some thoughts, sorry if it comes across as overly negative.
     
  10. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    266
    We'd run only the browser in one VM. A gateway VM could be devoted to this VM so you knows it's firefox that attempts the connections.

    Could run the browser in a sandbox and periodically exit the browser which should reset the sandbox. Maybe multiple profiles of the browser, one per window automatically generated with an addon so closing a window resets its sandbox, there are already some addons for firefox that do something like this.

    Our DNS-based blocker would know IP's that were fetched by itself after a yes answer to a prompt and allow these IP's, whereas any unknown IP would result in a prompt accompanied by the inverse DNS lookup for the IP.
     
  11. RioHN

    RioHN Registered Member

    Joined:
    Mar 14, 2017
    Posts:
    63
    Location:
    Here
    Or the underlying OS and services which sit in the VM along with firefox? Would you automatically allow all DNS traffic through from the VM or still try to manage each connection?

    Edit: Again, I think the major issue is the sheer amount of work it would take just to browse the web having to micromanage every DNS request. It's not a case of just clicking allow 20 times per page, you'd need to check each request in order to know whether it's legit, otherwise whats the point of having the prompt?
     
    Last edited: Feb 6, 2019
  12. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    406
    Location:
    Dallas, TX
    Enterprise grade IDS/IPS? No, they do not generally prompt for anything interactive. Additionally, most enterprise customers do not want an IPS admin tweaking settings interactively throughout the day as this could potentially cause production issues if the admin was in any way "wrong" in their choices. Enterprise clients generally want all changes made during scheduled change windows. However, the IPS appliances can generally be configured to generate alerts or forward event / incident logs to an enterprise logging solution or Security Information and Event Management (SIEM) tool.

    Consumer level network IDS/IPS? A rather a niche area of security. Most consumers just want a nice wireless router with NAT'ing and a few firewall settings. Few want the hassle of associated with an IPS. Those consumers that do want some sort of DNS-based URL filtering, would probably be better served by a professionally curated DNS service like OpenDNS Consumer. Setup involves simply changing the DNS Server settings in your gateway, flush your cache, and... bam... you're done.
     
    Last edited: Feb 6, 2019
  13. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    266
    Could enforce the use of a proxy by firefox where the proxy runs in the gateway so the latter knows you're dealing with firefox connections and shows appropriate prompts. Whereas underlying OS and services connections would be ignored or have separate prompts shown. It remains to be seen how many domain names a typical site looks up and how many of them are essential. If some 5 are looked up and 2 of these are essential, as used to be the case with youtube some 5-10 years ago, then it's probably ok.

    Another issue is certain ISP's intercept DNS if you try to use a public DNS server such as 8.8.8.8 (for example I cannot visit joettecalabrese.com), and they block DNSSEC if you try to run your own DNS resolver, so you're left with DNS over HTTPS and tunnels as the only options. I think that rules out OpenDNS Consumer.
     
  14. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    156
    Location:
    Poland
    so you need full vm and then you can use IPfire (why because the mounted image is Linux?)
     
  15. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    266
    Windows 7 is a major drawback. Especially if updated, which makes it more and more like spyware. Wondering if that gatekeeper can distinguish windows attempts to connect to sites from application attempts to do the same. Also wondering if it can run in linux under wine, and be a gateway, in other words a VM separate from the VM where you run actual browsers.
     
  16. RioHN

    RioHN Registered Member

    Joined:
    Mar 14, 2017
    Posts:
    63
    Location:
    Here
    IPFire is a free linux based firewall so will need to be installed like a seperate OS: https://www.ipfire.org. It seems to run well in Oracle VirtualBox which is also free.

    For temporary testing purposes I've now added a low power netbook running IPFire into the mix:
    Windows 7 -> IPFire (VM) -> IPFire (netbook) -> Router -> Internet

    I only have the one Win7 PC running through it but it seems to run perfectly well on an intel atom, 2gb RAM netbook. The only downside being reduced bandwidth due to a USB to ethernet adapter.

    Gatekeeper watches for connection attempts (SYN) and can see the PID which initiated the connection attempt so can identify the process and path (barring some shady rootkit interference). It needs to run from the windows machine in order to know which process initiated the connection. If you absolutely had to monitor from a seperate VM you may need to go down the VM introspection route, but I know very little about that.
     
  17. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    156
    Location:
    Poland
    @RioHN So you are putting this VM seperataly as an usb, and windows connects to it via ethernet, so work on windows, network protection in vm on separate device, can you show me what device you are using for ip fire, I've never done that, its some gatheway yes

    my plan was to build a small pc from my old components and install pfsense and snort, that sort of setup I understand, though it entails its trials and tribulations
     
    Last edited: Apr 24, 2019
  18. RioHN

    RioHN Registered Member

    Joined:
    Mar 14, 2017
    Posts:
    63
    Location:
    Here
    @lucd Not quite, the VM version doesn't require any extra hardware, the netbook version does.

    The basics of the VM version are:

    • Install VM software like VirtualBox in windows
    • Download IPFire ISO
    • Install a loopback adapter in windows to act as secondary network card (example by someone else: https://www.youtube.com/watch?v=R9674zGHxrE)
    • In your real network adapters properties untick everything other than Virtualbox Bridged Networking Driver. eg: https://imgur.com/a/1xKLRMM
    • Create new VM with 2 bridged network adapters, assign your real network adapter to one and the loopback to the other.
    • Install IPFire in the VM. Assign the loopback adapter as the green interface and the real adapter as the red interface

    Windows now won't be able to get an IP or network connection unless the IPFire VM is running. All traffic to and from Windows will travel via the IPFire VM.
    During the IPFire setup you enable a DHCP service which will assign your windows machine an IP given out by IPFire. So you may end up with something like:

    Real network:
    ISP Router - 192.168.0.1
    IPFire red interface - 192.168.0.2

    And behind IPFire red interface:
    IPFire Green interface - 192.168.200.1
    Your PC - 192.168.200.2

    This is from memory so if I've missed any key points I can amend once home.
     
    Last edited by a moderator: Apr 24, 2019
  19. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    156
    Location:
    Poland
    I'll try this setup right away, the downside seam to be time of preparation, it won't just work on reboot it seams, and being an ISO its less manageable in terms of modifications, but I dunno yet I have to try
     
  20. RioHN

    RioHN Registered Member

    Joined:
    Mar 14, 2017
    Posts:
    63
    Location:
    Here
    While creating the VM in VirtualBox you create a virtual hard disk to install IPFire on, meaning any modifications are saved. You only use the ISO for initial install. Regarding reboot, you can try something like the following:

    https://superuser.com/questions/102...albox-vm-to-autostart-after-windows-10-reboot

    If you do go down this route it's useful to save a snapshot once you're happy with IPFire configuration. You can then restore the snapshot at any point if needed.
     
  21. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    156
    Location:
    Poland
    thanks that's good idea, I will look into it
     
  22. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    156
    Location:
    Poland
    @RioHN you could setup pfsense this way
     
  23. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    266
    "IPFire drops all traffic to and from the windows system*. An application (lets call it gatekeeper) on the windows system monitors all outgoing connection attempts and compares them to a list of allowed programs. If in the allowed list gatekeeper creates an iptables rule in IPFire containing the destination IP/Port and source port of the connection to allow it through."

    If the windows client gets hacked, the IPFire VM can be told to allow everything the hacker needs and it's game over, for all clients, IPFire might as well not be there.

    Instead, I'm working on a script based on socat that will prompt at the gateway VM and say "allow youtube.com?". If you do not reply, it times-out and the DNS lookup never completes, whereas if you reply yes, the DNS lookup completes and the script adds an iptables rule to allow the associated IP from now on. It's really trivial, but I'm stuck with the bidirectional thing in socat. Do we have any socat experts here? Here's the command that tries to set up this DNS forwarder:

    socat -x udp-l:53,reuseaddr,fork system:"tee chunk | ( sudo -u user xterm -e ./promptBeforePassingOn.sh; cat reply.bin )"

    Contents of promptBeforePassingOn.sh:

    #!/bin/sh
    echo Received this:
    cat chunk | tr -d '\n' | sed 's/[^a-z0-9_\-]/./g'
    echo
    echo Allow it?
    read ANSWER
    if [ "$ANSWER" != "no" ]
    then
    echo Allowing it from now on
    # TO DO: Extract the DNS name from chunk and add it to a whitelist file

    PUBLIC_DNS=8.8.8.8
    echo Sending it to a public DNS server
    # socat -x GOPEN:chunk udp-datagram:$PUBLIC_DNS:53
    # TO DO: Wait for the public DNS server to return results in chunk
    cp chunk reply.bin
    # TO DO: Extract the IP from reply.bin and add an iptables rule to allow it​
    fi

    echo . | tr -d '\n'
    sleep 1
    echo . | tr -d '\n'
    sleep 1
    echo . | tr -d '\n'
    sleep 1​
    To test the above, on the client VM you type the following:

    dig +notcp hello.com @10.0.0.12
     
    Last edited: Jun 3, 2019
  24. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    266
    Whereas the following works, it does the bidirectional communication but no prompting:

    rm -f /home/user/pipe1
    mkfifo /home/user/pipe1
    socat -x udp-l:53,reuseaddr,fork pipe:/home/user/pipe1 | ./test.sh

    Contents of test.sh:

    #!/bin/sh
    socat -x pipe:/home/user/pipe1 udp:8.8.8.8:53​
     
  25. RioHN

    RioHN Registered Member

    Joined:
    Mar 14, 2017
    Posts:
    63
    Location:
    Here
    As previously mentioned I run ipfire on an external netbook also so compromising the VM wouldn't help initially.. But even if not the chances of finding such malware in the wild are slim to the point that it really doesn't concern me:

    The most vulnerable aspect of the solution is not the VM but the allowed applications and how you protect/isolate them.

    In your case the biggest issue is that the solution simply isn't feasible to use and doesn't achieve the security/control you're looking for.
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.