360 likes | 368 Views
Learn about Passive Streaming Layer (PSL) for securing OSI model applications. Explore how PSL maintains connections, handles retransmissions, and offers TCP stream protection. Understand the PSL mechanism for holding and injecting segments. Discover the benefits of Passive Streaming and Segment Injection Flow for enhancing network security.
E N D
Streaming IS Shai Shabat Feb 2014
OSI Layers Introduction OSI Model Applications Application Network Process to Application Data Presentation Data Representation and Encryption Data SSL Session Inter-host Communication Data Streaming (Active/ Passive) Transport End-to-End Connections and Reliability Segments Network Path Determination And IP (Logical Addressing) Packets Firewall (Attachment/ Chain modules) Data Link MAC and LLC (Physical addressing) Frames Physical Media, Signal, and Binary Transmission Bits
Streaming background • Connect between the firewall and the application. • Assemble frames / packets into data. • Handle retransmissions • Handle re-ordering • Handle protocol related attacks.
Streaming mechanism • PSL – Passive Streaming Layer passive streaming follow the streaming requests without interfering with the connection. (there are some exceptions: hold, injection, replace data). • CPAS – Check Point Active Streamingactive streaming allow the changing of data, we play the role of “man in the middle”.
Passive inspection traffic flow Gateway Stateful Inspection Server Client SA S A
Passive Streaming – General overview • PSL maintain the connection as it is, it allow the security application to examine the connection without interfere with the connection itself. • When a packet arrive to the gateway, PSL send the packet to the security application for examination, the application will return drop, accept or continue examining the connection. • Because PSL is taking care of any retransmissions and/or out-of-order packets, the security application to will examine each packet only once, and in the correct order.
Passive Streaming – General overview • PSL providesTCP stream protection, for example: • Retransmission with different data. • TCP connection without a proper handshake. • Future ACK • Etc. • PSL allows to hold the connection by manipulating the retransmission mechanism. • PSL allow sending segment injection (changing the packet) but only if this follow the closing of the connection. – this is the only change PSL allows to send.
Passive Streaming • Passive Streaming does a non-intrusive TCP Streaming for a given connection. • Passive Streaming goes over all the TCP/IP packets in a single connection and builds a stream according to the TCP sequences. • If the segments are not ordered, a re-ordering will be done automatically by using a queue inside the Passive Streaming engine. • Old packets are stored in the queue for security validation. This is used to validate retransmissions of already validated segments. • For example - A hacker can attempt to send malicious data after it has been validated by the AI Application. A sophisticated attack can be sending valid segments with low TTL which will make sure it will pass the GW but will be dropped/not-received by the server. Then, the segments will be “retransmitted”, this time with malicious data and they won’t be inspected again by the GW’s streaming applications (because they inspect every segment in order and only once).
Passive Streaming 0 9 1 30 39 2 UG 20 29 3 B 3 2 10 19 4 4 3 2 4 3 2 BUG • It’s important that before any part of the stream reaches the client/server application it is first inspected by the AI security applications. Incoming Packets Passive Queue Application Inspection Outgoing Packets 1 1 1 2 2 3
Segment Injection (a.k.a. Send Error Page) • PSL allow the application to terminate a connection with an error page, this allow the client to get a feedback as to why the connection was close. • There are two ways to send segment injection: • Server timeout injection – the injection will be sent after the server reach a timeout, this allow us to prevent a state where the injection is combine with some data from the server and this create an attack. • Partial segment injection – we allow to send the injection without the server timeout, the application itself need to allow this.
Segment Injection Flow Normal TCP Flow Normal TCP inspection Security violation Half-Close Pass All S2C traffic (wait for timeout). Strip ACK replies from C2S traffic. Server Idle timeout Inject Error Page Inject error page to client. Send Reset to server. Wait for ACK replies from C2S traffic. Re-Transmission Client Idle timeout End client connection End connection gracefully (send FIN).
PSL hold • PSL hold API is used by application in order to hold TCP stream • The implementation exploits TCP retransmission mechanism – the held packet and the following retransmissions are stripped, this will cause the server to wait for retransmission of this packet. • Pros: holding the stream with minimal interference in TCP traffic and with minimum memory consumption. • Cons: the hold time is limited and it depends on specific implementation of TCP stack
PSL gradual hold • Enhancement of PSL hold mechanism which improves hold time • In addition to stripping the packet, before reaching the timeout (4 retransmissions) we will send one byte of data and start the process all over again. • Pros: longer hold time then the regular hold • Cons: depends on specific implementation of TCP stack and target application (application timeout, reconstruction using the partial data)
TCP Streaming – debugs • To enable PSL debugs – fwctlzdebug + tcpstr • PSL does not stat what application requested a drop, instead it stat what parser requested it, this because PSL does not know all the application, it transfer the application to the parser (like WS) and he transfer it to the application. • “psl_process_list: processing astream ffffc2005b93aaf0, packet ffffc20040b82030, seq 1233369950, offset 0, fus 1233369950”“psl_process_data: packet_data=ffffc20040b820e4, packet_data_len=1448;”“psl_process_data: calling data processing function app 9[ASPII_MT];”“psl_process_data: processing function for app 9[ASPII_MT] returned OK_CONTINUE”this debug tell us that when we started and when we are done with PSL examination of the packet and now we send the packet to the applications for testing, we sent it to parser ASPII_MT, and he return continue. • Astream represent the entire connection, all packet from the same connection will have the same astream pointer.
Active Streaming High-level Introduction Active Streaming Client Server SYN ACK ack SYN ACK data ack ACK SYN data ACK Connection termination SYN Server TCP Stack Client TCP Stack Security Application Inspection CPAS (connection table) CPAS 3rd party (connection table) Client server Client GW GW server
Active Streaming – General overview • CPAS breaks the connection into two parts using our own stack – this mean, we are responsible for all the stack work (dealing with options, retransmissions, timers etc.) • An application is register to CPAS when a connection start and supply callbacks for event handler and read handler. • On each packet, CPAS send the application the packet data (with cpas_read), allow the application to change the data as it like, and send the data forward (with cpas_write)
CPAS Connection diagram Application Inspection (Client) • Applications interact with CPAS using the following functions: • cpas_pass_data – which passes data between hconns (half-conn) • cpas_write – which writes data onto the TCP stream • cpas_skip – which skips the next x bytes Client Client-> Server’ Client HCONN Client’-> Server Server HCONN Server Application Inspection (Server)
Active Streaming – step by step • Application register for CPAS – the application give callbacks functions for CPAS. • Client send SYN, CPAS send the packet to the application to decide if it want to work on this connection or not – If not, packet will continue as if no CPAS. • CPAS register the connection internally and produce SYN-ACK packet to the client. • Once the ACK from the Client is received CPAS will open a connection with the Server side. • For each packet arrive (for either side), CPAS will send the packet to the application, drop the original and replay with an ACK.If the application want it can pass the packet to the other side (server/client).
CPAS connection flow • Upon receiving a connection from a client to some server, the FW answers the client as if it were the server itself. • The client, unaware of this, communicates as it would normally with the FW. • The FW in turn (upon CPAS user’s request), connects to the server as if it were the client, and passes the information from the client to the server and vice versa. • This “passing of data” is, inspected and manipulated as needed.
Active Streaming – chain module • CPAS have two entry point in the firewall, one on the inbound and one on the outbound. • CPAS is the last chain module in the inbound – this because CPAS drops the original packet to prevent it from passing to the other side of the connection. • CPAS is the first chain module in the outbound – this is because CPAS creates the packet and send it to the other side of the connection, in order for all the chain modules to see the new packet we need CPAS to be first. • CPAS have another chain entry called CPAS VM – this is for packets that are meant for the gateway itself.
Active Streaming – tables • cpas_cookie_hash_tab_id – store for each packet that CPAS send its cookie hash (help identify packet that was sent by CPAS or sent by the client/server). • CPTLS_SERVER_CN_CACHE_TABLE_ID – SSL server connection. • pop3d_clients_id – hold all the pop3 connections. • cpas_pmtu_table_id – hold the mss value for connection • cpas_pending_kbuf_db_tab_id – register all the pending kbuf
Active Streaming – IPV6 • The different between IPV6 and IPV4 is hidden from the application, the application receive the data buffer and send it back (with or without changes), CPAS will build the packet according to the IP version we are in.
Active Streaming – SecureXL • As for now, CPAS doesn't support accelerated traffic, this mean that each CPAS packet will be F2F. • Since all the packet will pass SecureXLdo_outbound (even if they were F2F) we need to offload the connection to SecureXL. • The offload is done on the outbound, without CPAS, the offload will occur when the SYN packet leave to the server, because CPAS break the connection, the first outbound will occur on the SYN-ACK that is sent to the Client.
Active Streaming – https • With PSL, connection that is encrypted with SSL (TLS) was not supported, the reason for this is that the encryption keys are known only to the Client and Server since they are the one that initiated the connection (preformed the SSL handshake), because of this we couldn’t get the data out of the packet and the application couldn’t scan it for malicious information. • CPAS plays the rule of “man in the middle”, because of this, it can intercept the SSL handshake and change the keys so he will be able to understand the encryption. • The Client preform an SSL handshake with the gateway (thinking it is the Server) while the Server preform SSL handshake with the gateway (thinking he is the Client). The gateway have both keys and he’s able to open the encryption, check the packet and re-encrypt the packet with the corresponding keys.
Active Streaming – https cont. • In order to encrypt / decrypt the SSL connection, CPAS add another layer before the application queue. • The new layer will send the packet to the SSL engine for decryption/encryption and then resume the normal flow. • When the CPTLS engine load he register an hook with CPAS for each side that have SSL enable.
Active Streaming – https cont. step by step • Packets of SSL handshake are passed to the SSL engine to exchange keys. • When the connection and the SSL handshake is fully established, an hook will be register for this connection to handle the decrypt / encrypt of the packets. • When a packet arrive to CPAS, a trap will be sent and the SSL engine will receive the encrypted packet, decode the packet and return it to CPAS. • The packet will enter the receive queue and the application will be able to work on it, once he done he will send it to the write queue. • The packet will pass to the SSL engine for encryption and pass to the other side (Client, Server).
CPAS Hook API Architecture Hook CPAS HCONN HCONN RX RX Client Hook Queue App Queue Application App Queue Hook Queue Server Hook Queue App Queue App Queue Hook Queue TX TX Hook Legend: CPAS App API TCP Queue CPAS Hook API Application Queue
Active Streaming – clusterXL • CPAS does not synchronize connection between cluster members. If a failover occur and the connection was handled by CPAS then the connection will terminate. This is done because syncing the CPAS information will be to much data to sync (we will have to sync all the stack information in addition to CPAS internal information). • The only exception is VOIP connection. • When a connection start, CPAS will check if it needs to sync the connection (if we are in HA and VOIP connection), if so it will sync the connection information so the other member will be able to resume in case of fail over.We can sync the VOIP connection because it’s a lite connection that doesn't keep much information on the stack.
Active Streaming – debugs • To enable CPAS debugs – fwctlzdebug –m CPAS + <flag> • CPAS flags:error, warning, tcp, api, glue, events, conns, pkts, timer, tcpinfo, http, ftp, skinny, notify, sync, icmp.Flags meaning (the important ones) :tcp – information regarding the tcp_input and tcp_output function (the function that in-charge of sending and receiving packets) .Events – information regarding events (closing connection, timeout, established etc.).Timer – information regarding the timers. CPAS timers are in-charge of retransmissions, keep alive, and background handling of the TCP stack.Tcpinfo – information regarding the connection – this debug print for each packet the entire PCB struct, this struct contain all the connection information (state, rtt, mss etc.) pkt – information regarding the packet (split, alloc, send, chop, etc.)
Active Streaming – debugs cont. • When first handling a environment with CPAS enable, make sure that CPAS is really enable, the easy way to do it is with:fwctlzdebug –m CPAS + tcpif a packet is passed and CPAS is working on it we will see the information. • If CPAS is enable on a connection and another application is trying to work on this connection with PSL, PSL will turn into detect mode – no injection will be made to this connection by PSL. • All CPAS drops will be visible in “fwctlzdebug + drop” except the regular drops CPAS does for each packet (after it done working with it and send the response). • If there is a problem with the TCP structure then you need to turn on the “fwctlzdebug –m CPAS + tcp” debug, this will give you all the information about the tcp building.
Active Streaming – debugs cont. • When the environment is full with connections, you can identify a single connection you want (both client side and server side) by adding the tcpinfo flag, finding the problematic debug, go to the tcpinfo related to this CPU and find the pcb pointersearch for the pointer in the debug and you will find the information you need. • The tcpinfo (pcb dump) is called every time a packet arrive to tcp_input or tcp_output function (send or receive).