FWBPlus
From SemanticLab
Introduction
The FWBPlus tool experimentally extends Firewall Builder, a tool for building and deploying firewall policies. It adds support for building policies for virtualised environments (virtual machines on a host machine) by producing storage files that contain the adapted rule sets. These rule sets can be added to a Firewall Builder project and include some necessary standard rules (for example SSH access).
More on the Firewall Builder main project can be found on: http://www.fwbuilder.org/
Features of the FWBPlus Tool
The main features of the FWBPlus tool are:
- Creation of FWBuilder-files (*.fwb)
- Host parameters can be chosen (IP- and Netmask- Address)
- Number of virtual machines (VMs) can be chosen (up to seven)
- VM parameters can be chosen (IP- and Netmask- Address)
- VM zone can be selected (DMZ, Internal and Test)
- Possibility to choose if standard rules should be included
Based on these inputs the program designs the rule sets according to the coherent approach: VMs in different zones receive a DENY rule that protects them from access by foreign virtual machines, while VMs within the same zone receive an ACCEPT rule that allows communication between them. The Test zone causes DENY rules to be created for all other chosen VMs, even if there are additional machines in the same zone, so that the test machine is totally isolated.
Preconditions
- Host machine with one physical network interface
- No access to the host machine from the VMs is allowed
- SSH access must be available for the deployment of the policies
Screenshots
Main Window of the FWBPlus Tool
The following figure shows the main window of the FWBPlus extension with its different sections.
As can be seen from the figure above there are six different sections within the SWING-GUI:
- Selection of the different VMs
- Assigned IP-addresses
- Assigned Netmask-addresses
- Possibility to choose the zone of each VM
- Possibility to choose if standard rules should be included or not
- Menu
Scenario
The following situation should be covered:
- Host with IP-address (192.168.1.10)
- Four different VMs
- VM1: IP-address 192.168.1.11 (zone=Intern)
- VM2: IP-address 192.168.1.12 (zone=Intern)
- VM3: IP-address 192.168.2.10 (zone=DMZ)
- VM4: IP-address 192.168.3.1 (zone=Test)
- Standard rules should be used
- (Netmask always 255.255.255.0)
Based on these values the FWBPlus fields were filled in (Fig. 1) and the configuration was stored. The Firewall Builder application was then started and the file was loaded into the current project. For each selected VM (and also for the host machine) a host object and a firewall object were generated (Fig. 2) with the defined parameters. Looking at the policy object, all VMs have an outgoing DENY rule for the host machine (Fig. 3). The standard rules are also visible (Fig. 3, rules 4 to 6); they enable SSH access, for example. In addition, the policy of VM1 (Fig. 3) includes a rule that allows traffic between VM1 and VM2, because both machines are in the same zone (Intern). Connections to all other VMs are denied. The VM2 policy has the same rules, permitting communication with VM1 (Fig. 4). As VM3 is the only machine in the DMZ zone, its policy contains only DENY rules for all other selected VMs (Fig. 5). Finally VM4 (the test machine) has no access to any of the available machines (Fig. 6). (Figures 2 to 6 are screenshots from within the Firewall Builder tool.)
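The zone logic from the Features section, applied to this scenario, as an added Python illustration (it is not FWBPlus code, which is a Java/Swing tool): the VM and Rule types, the standard_rules and reachable helpers, and the content of the standard rules (only SSH, since that is all the page states) are assumptions.

```python
# Added illustration of the zone-based ("coherent") rule generation; not FWBPlus source.
from dataclasses import dataclass
from typing import List, Dict

@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    zone: str          # "Intern", "DMZ" or "Test"

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    action: str        # "ACCEPT" or "DENY"
    service: str = "any"

def standard_rules(vm: VM) -> List[Rule]:
    """Assumed standard rules; the page only states that they enable SSH access."""
    return [Rule("any", vm.ip, "ACCEPT", "ssh")]

def policy_for(vm: VM, vms: List[VM], host_ip: str, standard: bool = True) -> List[Rule]:
    """Outgoing policy of one VM: deny the host, accept same-zone peers, deny the rest."""
    rules = [Rule(vm.ip, host_ip, "DENY")]          # no VM may reach the host machine
    for other in vms:
        if other is vm:
            continue
        # A Test VM is isolated from every other VM, even one sharing its zone.
        isolated = "Test" in (vm.zone, other.zone)
        action = "ACCEPT" if other.zone == vm.zone and not isolated else "DENY"
        rules.append(Rule(vm.ip, other.ip, action))
    return rules + (standard_rules(vm) if standard else [])

# The scenario from this page (host 192.168.1.10, four VMs, netmask 255.255.255.0 throughout).
HOST_IP = "192.168.1.10"
SCENARIO = [
    VM("VM1", "192.168.1.11", "Intern"),
    VM("VM2", "192.168.1.12", "Intern"),
    VM("VM3", "192.168.2.10", "DMZ"),
    VM("VM4", "192.168.3.1", "Test"),
]

def scenario_policies(standard: bool = True) -> Dict[str, List[Rule]]:
    """One rule list per VM, keyed by VM name."""
    return {vm.name: policy_for(vm, SCENARIO, HOST_IP, standard) for vm in SCENARIO}

def reachable(policies: Dict[str, List[Rule]], src: str, dst_ip: str) -> bool:
    """True if src's policy carries an ACCEPT rule towards dst_ip (mirrors the figures)."""
    return any(r.dst == dst_ip and r.action == "ACCEPT" for r in policies[src])
```

Running scenario_policies() reproduces the rule sets of Figures 3 to 6: VM1 and VM2 accept each other, VM3 and VM4 deny everything, and every VM denies the host.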
For a more detailed illustration and the full description of FWBPlus please see the master thesis at: http://www.semanticlab.net/index.php/Thesis
Figure 1 - Filled in Data (FWBPlus Tool)
Figure 2 - Overview of Objects and Host Policy (Firewall Builder)
Figure 3 - Policy of VM1
Figure 4 - Policy of VM2
Figure 5 - Policy of VM3
Figure 6 - Policy of VM4
Sources
You can check out the complete source for FWBPlus from subversion:
svn checkout https://svn.semanticlab.net/svn/oss/thesis/FirewallsVMs/trunk/
Also available at:
http://svn.semanticlab.net/svn/oss/thesis/FirewallsVMs/trunk/
The executable Version (Jar-File) is available at:
http://svn.semanticlab.net/svn/oss/thesis/FirewallsVMs/Executable/FWBPlus.jar
--Florian 10:57, 18 August 2009 (UTC)