Residential firewall
Residential firewall overview
The residential firewall protects a home by tracking all flows to or from the home. Only inbound traffic that matches flows that originated inside of the home is allowed to pass through the firewall. By blocking other flows, an attacker cannot initiate a connection to a vulnerable service within the home. The residential firewall also provides protection against fingerprinting, port scanning, and DoS attacks. The dynamic flow tracking functionality provides a better user experience compared to static firewall rules because it does not limit any connection that has been set up within the home.
The residential firewall is based entirely on the tracking of Layer 3 and Layer 4 flows. Minimal application layer gateway (ALG) support is provided to allow protocols that use multiple flows, but application layer protection is not supported. The firewall only supports IPv6 flows. It is recommended to use Layer 2-aware NAT to provide similar protection for IPv4 flows within the same residential subscriber.
Supported protocols and extension headers
The residential firewall distinguishes between known and unknown protocols or known and unknown extension headers.
Unknown protocols create or match flows based only on Layer 3 information. For a known protocol, the firewall inspects Layer 4 information to create or match flows more precisely. The following known protocols are supported:
TCP
UDP
ICMPv6
Known extension headers are allowed by the firewall and processing continues on the remainder of the packet. The following extension headers are treated as known:
Hop-by-hop (0)
Fragment Header (44)
Authentication Header (51)
Destination Options (60)
Shim Header (140)
Unknown protocols
Unknown protocols are created and matched by a 3-tuple identifier that has the format <source IP, destination IP, protocol>. No Layer 4 data is used to differentiate between possible sub-flows. Because the firewall is unaware of unknown protocol states, removal of flows with unknown protocols is only governed by a single configurable timeout.
TCP and UDP
TCP and UDP flows are created and matched by a 5-tuple identifier that has the format <source IP, destination IP, protocol, source port, destination port>. Multiple configurable timeouts can apply depending on the exact flow state.
ICMPv6
ICMPv6 error messages (codes up to 127) are handled based on the encapsulated invoking packet. Layer 3 and Layer 4 information is re-extracted from the packet and is used to perform a flow lookup. If an existing flow is found, then the error message is forwarded; otherwise, it is dropped.
ICMPv6 echo flows are created and matched by a 4-tuple identifier that has the format <source IP, destination IP, protocol, identifier>. Echo replies must always match an existing flow. A single configurable timeout applies to these flows.
Other informational or non-transit ICMPv6 messages are dropped by the firewall.
Application Layer Gateway
Application layer gateways (ALGs) are used to track protocols where one flow triggers the creation of several associated flows. For example, a single session initiation protocol (SIP) session can trigger several additional media connections. These flows are not always triggered from inside the home, but traffic should still be allowed to pass. To support this, the residential firewall creates additional flows when a supported ALG connection is recognized and enabled.
Additional filtering control
The residential firewall has two filtering modes that control which action to take when an inbound packet does not match an existing flow.
In address and port-dependent filtering mode, security is considered most important and packets that do not match an existing flow are dropped. This could interfere with the operation of some applications that rely on multiple connections using the same host port.
In endpoint independent filtering mode, application transparency is considered most important. When a packet matches any flow that has the correct protocol and destination IP address, the packet is allowed to pass, and the IP address and port of the foreign endpoint are ignored. The assumption is that the application that triggers the original session may require additional remotely-triggered sessions for correct operation. This can be a security concern when an application with known vulnerabilities is used, as all firewall functionality for that application ceases as soon as the application itself opens one flow. Additionally, this exposes the host to fingerprinting attacks.
In addition to filtering, it is possible to limit the number of sessions, or flows, per subscriber. Sessions can be split into priority and non-priority categories based on their mapped forwarding class. Separate limits apply to each category to avoid starvation of priority sessions by non-priority sessions. This granularity of control helps to protect the firewall and the host against DoS attacks and resource starvation.
TCP MSS adjustment
TCP maximum segment size (MSS) adjustment can be used to clamp the MSS value that is sent during a TCP handshake. If the MSS option is not present, or is bigger than the configured value, then the firewall changes it to the configured value.
This is useful when a low-MTU link is used, such as during tunneling. If the MSS is changed to match the low MTU, IP layer packet fragmentation can be avoided, improving the performance of both the firewall and the end hosts.
Static port forwards and DMZ
The residential firewall supports static port forwards and DMZ to selectively allow inbound network-initiated traffic flows. Static port forwards allow operators to open up a specific subset of traffic. An exact IP address and a protocol must be provided. For TCP and UDP traffic, the system also requires at least one port. A foreign prefix or port may also be provided to limit the pinhole to a specific connection.
DMZ is enabled on a per-host basis and disables the firewall for that specific host. Before traffic can be forwarded on SLAAC hosts, the exact /128 address must be learned, either by DAD snooping, or initial upstream traffic. For security reasons, the system does not send any ND for a completely unknown /128 address for network-initiated flows.
Static port forwards are configured under the AAA Context. See the 7450 ESS, 7750 SR, and VSR RADIUS Attributes Reference Guide for more information.
Residential firewall provisioning
Residential firewalls are provisioned in three steps.
A firewall domain is created in the router or VPRN where the firewall is connected to an unsafe network, such as the Internet. In this domain, a list of prefixes specify which prefixes are subject to firewall rules.
A firewall policy is created that specifies operational rules for the firewall and which domain should be used.
The firewall policy is linked to an ESM subscriber using the subscriber profile.
Node# /configure service vprn 4 firewall
Node>config>service>vprn>firewall# info
----------------------------------------------
domain "domain_4" nat-group 1 create
prefix 2001:DB8::/32 create
exit
no shutdown
exit
----------------------------------------------
Node# /configure service nat
Node>config>service>nat# info
----------------------------------------------
firewall-policy "firewall_4" create
description "IPv6 Firewall policy for VPRN 4"
domain router 4 name "domain_4"
filtering address-and-port-dependent
exit
----------------------------------------------
Node# /configure subscriber-mgmt
Node>config>subscr-mgmt# info
----------------------------------------------
sub-profile "profile_1" create
firewall-policy "firewall_4"
exit
----------------------------------------------
Domains and addressing
A firewall domain specifies both the network (router or VPRN) to which a firewall is connected and which IP prefixes in that network are protected by the firewall. Hosts of a firewall-enabled subscriber are automatically protected if they are assigned an IP address from a domain prefix. It is possible to mix protected and unprotected hosts within one subscriber, but unprotected hosts must receive an IP address that is outside of the firewall domain.
The router or VPRN where the firewall domain is configured must not be the same as the router or VPRN where the subscriber is terminated. This function replaces classic ESM wholesale/retail for firewall hosts.