5/21/2009

Logging network traffic on the firewall

Last week we held a technical partners day, where I was talking about logging. I put it here, hopefully somebody is interested ;-)

What can we do if we want to know what is going through our firewall? It fully depends on the type of firewall. A well-configured packet filter logs not only the denied traffic but the allowed traffic too. (I have already seen a firewall which did not log any traffic.) Let's see an example log from netfilter/iptables. When the connection is started we will see this:
FORWARD: IN=br0 OUT=eth1 PHYSIN=eth0 SRC=192.168.1.1 DST=192.168.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1398 DF PROTO=TCP SPT=1055 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
At the end we have almost the same message:
FORWARD: IN=br0 OUT=eth1 PHYSIN=eth0 SRC=192.168.1.1 DST=192.168.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=1389 DF PROTO=TCP SPT=1055 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
How can we know that they belong to the same connection? From the following information:
  • Same source IP (SRC) and port (SPT)
  • Same destination IP (DST) and port (DPT)
  • Same transport protocol (PROTO=TCP)
  • The first log means the initiation (TCP SYN flag is on)
  • The second one means the end (TCP FIN flag is on)
Of course, to see this we need to turn on logging in the policy (--jump LOG), and this correlation only works with TCP. UDP is not a connection-oriented protocol, so we can either log none of it or log all of it, which can put a really big load on the logging subsystem.
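As an added example (not from the original post), here is how the SYN/FIN correlation described above can be done in Python: LOG lines are split into KEY=VALUE fields and bare flag tokens, then grouped by the protocol/SRC:SPT/DST:DPT tuple. The two TCP lines are the ones quoted above; the UDP line is constructed to show why UDP cannot be paired up. It assumes the syslog timestamp and hostname have already been stripped from the lines.

```python
from collections import OrderedDict

# Constructed sample: the two LOG lines quoted in the post plus one made-up UDP line.
NETFILTER_LOG = """\
FORWARD: IN=br0 OUT=eth1 PHYSIN=eth0 SRC=192.168.1.1 DST=192.168.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1398 DF PROTO=TCP SPT=1055 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
FORWARD: IN=br0 OUT=eth1 PHYSIN=eth0 SRC=192.168.1.1 DST=192.168.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=1389 DF PROTO=TCP SPT=1055 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
FORWARD: IN=br0 OUT=eth1 PHYSIN=eth0 SRC=192.168.1.1 DST=192.168.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1400 DF PROTO=UDP SPT=1056 DPT=53 LEN=40
"""

def parse_netfilter_line(line):
    """Split a LOG line (syslog prefix assumed already stripped) into KEY=VALUE
    fields plus a FLAGS set. Tokens without '=' (DF, SYN, ACK, FIN, ...) are flags."""
    prefix, _, body = line.partition(":")
    fields = {"PREFIX": prefix.strip(), "FLAGS": set()}
    for token in body.split():
        key, eq, value = token.partition("=")
        if eq:
            fields[key] = value
        else:
            fields["FLAGS"].add(key)
    return fields

def connection_key(fields):
    """The tuple the post uses to tie two lines to one connection."""
    return (fields["PROTO"], fields["SRC"], fields["SPT"], fields["DST"], fields["DPT"])

def correlate_tcp(log_text):
    """Group TCP LOG lines by connection_key(): a SYN without ACK marks the start,
    a FIN marks the end. UDP lines are skipped, there is no handshake to pair up."""
    conns = OrderedDict()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_netfilter_line(line)
        if f.get("PROTO") != "TCP":
            continue
        c = conns.setdefault(connection_key(f),
                             {"started": False, "ended": False, "packets": 0})
        c["packets"] += 1
        if "SYN" in f["FLAGS"] and "ACK" not in f["FLAGS"]:
            c["started"] = True
        if "FIN" in f["FLAGS"]:
            c["ended"] = True
    return conns

if __name__ == "__main__":
    for (proto, src, spt, dst, dpt), state in correlate_tcp(NETFILTER_LOG).items():
        print(f"{proto} {src}:{spt} -> {dst}:{dpt} started={state['started']} "
              f"ended={state['ended']} packets={state['packets']}")
```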

How can we do the same with Zorp and PFService? (PFService does forwarding with kzorp under the Zorp policy, so both use the same policy and we do not need to administer it twice.) When the connection starts we will see the following in the logs:
kzorp (svc/intra_HTTPPF_internet:1): Forwarded session started; client_address='192.168.1.3:50587', client_zone='intranet', server_address='192.168.2.3:80', server_zone='internet', protocol='TCP'
At the end:
kzorp (svc/intra_HTTPPF_internet:1) Forwarded session closed
When we use UDP, the same messages appear, but the protocol will be UDP ;-)

If we are using Zorp services (real proxies), we can see the following at the default log level. The client-side connection is started:
zorp/web[5086]: core.session(3): (svc/intranet_HTTP_internet:0): Starting proxy instance; client_fd='21', client_address='AF_INET(192.168.1.1:50834)', client_zone='Zone(intranet, 192.168.1.0/24)', client_local='AF_INET(192.168.2.200:80)', client_protocol='TCP'
After that the server-side connection starts too:
zorp/web[5086]: core.session(3): (svc/intranet_HTTP_internet:0/http): Server connection established; server_fd='24', server_address='AF_INET(192.168.2.200:80)', server_zone='Zone(internet, 0.0.0.0/0)', server_local='AF_INET(192.168.2.254:39778)', server_protocol='TCP'
What do these parameters mean?
  • core.session(3): the log class and the level
  • client_address: the client IP address
  • client_local: the IP address the client wanted to go to
  • client_zone: the client's zone
  • server_address: the IP address Zorp connects to
  • server_local: the IP address Zorp uses as its source
  • server_zone: the server's zone
  • intranet_HTTP_internet:0: the ID of the started service and the number of the session
  • zorp/web: the process name (zorp) and the instance ID
Now we want to see the end of the connection. Just turn on the core.session logs at level 4 (--log-spec 'core.session:4') in instances.conf:
zorp/web[5086]: core.session(4): (svc/intranet_HTTP_internet:0): Ending proxy instance;
Okay. Now we know the wheres and whens. It would be good to see the whos. All in all, traditional firewalls make their decisions (DAC: Discretionary Access Control) based on the client IP, the server IP and the target ports. In addition, proxies also check whether the parties keep to the protocol (is it really HTTP going over port 80?). From the logs we have so far, we still do not have exact information about who made the connection, because:
  • Multiple users can come from one IP
  • The same user can use different machines
  • Maybe someone used the machine without the owner's knowledge
  • There may be a malicious application on the PC
  • Some applications connect to the vendor's website (to look for new versions) when they are started. This may be useful information for the vendor that we do not want to give away.
So what can we do? Every connection must be authenticated and authorized at the user level. With Zorp and ZAS every running session must be authenticated, and only successfully authenticated sessions can build server-side connections. There are two possible ways to do that. One is inside the original protocol (e.g. HTTP can do that) with the help of the client application, but it does not support all the methods, and what is more, it is not encrypted. The other way is to do it over an independent, encrypted and mutually authenticated SSL channel; for that we need to install the Zorp Authentication Agent. The authentication process itself is done by the ZAS server and the auth back end (integration with existing auth centres, e.g. LDAP or AD). Zorp only mediates between the parties (ZAA and ZAS) and builds up the server-side connection after the auth process. What is more, it produces beautiful log messages. This is a successful authentication:
zorp/web[5358]: core.auth(3): (svc/intranet_HTTP_internet:0/http): User authentication successful; entity='balabit', auth_info='inband'
In auth_info, 'inband' means we used the browser as the auth client. The entity holds the UID. The '/http' after the session id indicates the proxy class. The next message is a failed authentication:
zorp/web[5584]: core.error(2): (svc/intranet_HTTP_internet:1/http): Error occured during authentication, credential is not accepted; method='REJECT'
Finally, we can see some extra info about the amount of data and the duration of the connection. To enable it, just enable the accounting logs (--log-spec '*.accounting:4'):
zorp/web[5358]: core.accounting(4): (svc/intranet_HTTP_internet:0/http/client): accounting info; type='ZStreamFD', duration='10', sent='1825', received='445'
zorp/web[5358]: core.accounting(4): (svc/intranet_HTTP_internet:0/http/server): accounting info; type='ZStreamFD', duration='10', sent='402', received='1825'
Of course we have different logs for the client and the server side: in the session id, '/client' shows the client-side traffic, while '/server' means the opposite. The amount of downloaded data is indicated by received and the uploaded amount by sent. The time of the connection is indicated by 'duration'.

Some proxies can give additional useful information, e.g. HttpProxy about the URI:
zorp/web[5358]: http.accounting(4): (svc/intranet_HTTP_internet:0/http): Accounting; command='GET', url='http://www.balabit.com/'
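As an added example (not from the original post or from Zorp itself), the following Python code joins the session, auth and accounting messages shown above on the SERVICE:N part of the session id, so that one record answers the where, who and how much for each session. The sample is constructed from the lines quoted in the post, with the wrapped accounting lines rejoined and a single pid used for all of them.

```python
import re

# Constructed sample built from the Zorp lines quoted in the post (one pid, wrapped lines rejoined).
ZORP_LOG = """\
zorp/web[5358]: core.session(3): (svc/intranet_HTTP_internet:0): Starting proxy instance; client_fd='21', client_address='AF_INET(192.168.1.1:50834)', client_zone='Zone(intranet, 192.168.1.0/24)', client_local='AF_INET(192.168.2.200:80)', client_protocol='TCP'
zorp/web[5358]: core.auth(3): (svc/intranet_HTTP_internet:0/http): User authentication successful; entity='balabit', auth_info='inband'
zorp/web[5358]: http.accounting(4): (svc/intranet_HTTP_internet:0/http): Accounting; command='GET', url='http://www.balabit.com/'
zorp/web[5358]: core.accounting(4): (svc/intranet_HTTP_internet:0/http/client): accounting info; type='ZStreamFD', duration='10', sent='1825', received='445'
zorp/web[5358]: core.accounting(4): (svc/intranet_HTTP_internet:0/http/server): accounting info; type='ZStreamFD', duration='10', sent='402', received='1825'
zorp/web[5358]: core.session(4): (svc/intranet_HTTP_internet:0): Ending proxy instance;
"""

# process[pid]: class(level): (svc/SERVICE:N[/PROXY[/SIDE]]): message; key='value', ...
LINE_RE = re.compile(r"^(?P<proc>\S+)\[(?P<pid>\d+)\]: (?P<cls>[\w.]+)\((?P<lvl>\d+)\): "
                     r"\((?P<sid>svc/[^)]+)\): (?P<msg>[^;]*);?\s*(?P<params>.*)$")
PARAM_RE = re.compile(r"(\w+)='([^']*)'")

def parse_zorp_line(line):
    """Split one Zorp log line; the session id is broken into service, session number,
    proxy class and side so that messages of one session can be joined on SERVICE:N."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["sid"][len("svc/"):].split("/")
    rec["service"], _, rec["session"] = parts[0].partition(":")
    rec["proxy"], rec["side"] = (parts + [None, None])[1:3]
    rec["params"] = dict(PARAM_RE.findall(rec["params"]))
    return rec

def session_report(log_text):
    """Collect client, user, URLs, duration and byte counts per SERVICE:N session."""
    sessions = {}
    for line in log_text.splitlines():
        rec = parse_zorp_line(line)
        if rec is None:
            continue
        s = sessions.setdefault(rec["service"] + ":" + rec["session"], {})
        p = rec["params"]
        if rec["cls"] == "core.session" and rec["msg"].startswith("Starting"):
            s["client"] = p.get("client_address")
        elif rec["cls"] == "core.session" and rec["msg"].startswith("Ending"):
            s["ended"] = True
        elif rec["cls"] == "core.auth" and "entity" in p:
            s["user"] = p["entity"]                 # the authenticated UID
        elif rec["cls"] == "http.accounting":
            s.setdefault("urls", []).append(p.get("url"))
        elif rec["cls"] == "core.accounting" and rec["side"]:
            s["duration"] = int(p["duration"])      # '/client' or '/server' stream totals
            s[rec["side"] + "_sent"] = int(p["sent"])
            s[rec["side"] + "_received"] = int(p["received"])
    return sessions
```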
Now we have a complete picture of what is happening on our borders. I hope I could give you more detailed info about Zorp's logging capabilities, and that it is appetizing enough to try ZAS. Thank you for your attention.
