Sophos Firewall FW2010: Advanced Firewall Rule Management on Sophos Firewall. April 2022, Version 19.0v1.
© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the trademarks or registered trademarks of Sophos Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express or implied) as to its completeness or accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.
Advanced Firewall Rule Management on Sophos Firewall
In this chapter you will learn how packets flow through the firewall, how they are offloaded to the FastPath, and how to order firewall rules for performance and protection.
RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Creating and managing firewall rules
In this first example we will consider the packet flow for traffic being forwarded through the device, either inbound or outbound.
Firewall subsystems offer a way to intercept and manipulate packets at different positions in the network stack in order to implement the firewall functionality. These subsystems are:
PREROUTING
• The packet is associated with a user ID based on the source IP address.
• The packet state is inspected, and packets with an invalid state are dropped.
• For the first packet in a connection the link ID is set according to the configured routes for multilink management, then the packet is associated with its destination zone.
• DNAT rules are applied.
FORWARD
• Packets undergo application classification and are associated with an application where possible.
• The packets pass through the packet filter based on the firewall rules.
• If the packet is accepted it is submitted to the IPS when an IPS policy is applied on the matching firewall rule; otherwise it goes straight to POSTROUTING.
POSTROUTING
• If the packet is the first in the connection, the masquerading and SNAT policies are checked and applied to the packet. For existing connections, the already matched NAT policy is used.
• The connection tracking module entries are updated.
• If HA load balancing is enabled, the packet is sent to the load balancer.
• Finally, Quality of Service is applied.
Advanced Firewall Rule Management on Sophos Firewall - 3
connection is made to the backend server that is being protected.
The subsystems in this example are:
• The INPUT module applies to all packets that are destined for the device.
• The packets pass through the packet filter based on the firewall rules defined.
• The OUTPUT module applies to the traffic that is generated by the device.
• Packets are submitted to the connection tracking module (Conntrack). If the packet doesn't match an existing connection a new entry is created. If the packet matches an existing connection the packet is associated with it. If the connection is Related (e.g., an FTP data connection) then a child connection entry is added, which is then associated with its parent connection entry.
• DNAT rules are applied to the packet.
• The packets pass through the packet filter based on the firewall rules defined.
• The packet is submitted to the IPS when an IPS policy is applied on the matching firewall rule; otherwise it goes straight to POSTROUTING.
Xstream DPI Engine: deep packet threat protection in a single high-performance streaming engine, with proxy-less scanning of all traffic for antivirus, IPS and web threats, as well as application control and SSL inspection.
Xstream Network Flow FastPath: provides automatic and policy-based intelligent offloading of trusted traffic processing at wire speed.
Initial Connection
FastPath
• Connection management
• Allow, block, secure decisions
• DoS and QoS
• Streaming DPI processing
• Intelligent offloading
• Proxy-less web filtering
• SSL policy and inspection
• Virtual or hardware accelerated FastPath
• Forwarding packets – offloading L2& L3
• Direct delivery to DPI engine
Let's look at how traffic flows through the Xstream architecture.
When a connection is initialized, it is processed by the firewall stack, which decides whether it should be allowed, provides protection against denial-of-service attacks, and applies quality of service rules to it.
Once the connection is allowed it can be offloaded to the FastPath, speeding the flow up to wire speed.
How does the firewall know it can do this?
If we look at the packets that pass through the firewall as part of a connection, we notice that the data examined by packet filtering stays the same for the whole connection: the source and destination IPs and the ports in use. When this data is matched to a firewall rule, we know that every further packet in that connection carries the same information and will match the same rule every time. Because of this, the firewall can record the verdict against the connection and skip this processing for the remaining packets.
Initial Packet Delivery to DPI Engine
Where traffic needs to be scanned by the DPI engine, the initial packets flow through the firewall stack and then on to the DPI engine before returning to the firewall stack for delivery.
Once the initial connection is established, the FastPath can deliver packets directly to the DPI engine, cutting out the firewall stack for improved performance.
Full FastPath Offload
Once the stream is known to be safe, all processing can be offloaded to the FastPath.
The DPI engine offloads as much traffic as possible to the FastPath, either the entire stream or those functions that have been completed. There are, however, conditions under which the DPI engine cannot fully offload to the FastPath, such as TLS traffic that matches a decryption rule.
Let's look at an example using this component model where TLS inspection, application control and IPS are enabled.
When traffic first arrives at the Sophos Firewall it must be processed by the SlowPath, which is responsible for:
• Determining how to forward each incoming packet
• Applying denial-of-service (DoS) protection
• Performing ingress decapsulation, including for VPNs
• Applying firewall policy
• Performing egress encapsulation
• Enforcing quality of service (QoS)
The DPI engine inspects traffic from a layer-4-and-above perspective. It uses a data acquisition (DAQ) layer which, among other things, provides a high-speed mechanism for moving packets in and out of the system with zero copy.
[Figure: DPI engine modules (App, IPS, Web, AV) above the Data Acquisition (DAQ) layer; once the flow is classified, the DoS, VPN and firewall actions are offloaded.]
The firewall sees both directions of the flow and uses this in the classification. Once it has classified the flow it can offload its decisions to the FastPath.
[Figure: DPI engine modules App, IPS and Web remain active; AV is no longer required.]
In this example the application has been identified, and IPS has determined that there are no files to scan, so AV will not be required from this point.
Now let's assume that the IPS determines that the flow is trustworthy and it can be offloaded.
Virtual FastPath vs Network Flow FastPath
[Figure: XGS Series: network chips connected to the Xstream Flow Processor, which is connected to the CPU.]
In the XG series, and on virtual and software firewalls, a virtual FastPath processed by the CPU is used. The XGS series includes an Xstream Flow Processor that sits between the physical ports and the CPU, with a PCIe (PCI Express) interconnect between them. The Xstream Flow Processor handles the traffic that is offloaded to the FastPath, freeing the CPU for tasks that cannot be offloaded.
Xstream Flow Processor
[Figure: FastPath running on the Xstream Flow Processor, programmed from the SlowPath over the SP2FP API.]
We will now look at what the packet flow looks like with the Xstream Flow Processor.
The initial packets of a connection always flow through the SlowPath, and may also flow through IPS, as in the example here.
[Additional Information]
NOTE: DAQ stands for Data Acquisition
[Figure: the SlowPath programs the FastPath with relevant state information, e.g., GOTO IPS.]
Once the SlowPath has gathered enough information about the connection it can program the FastPath with the state information using an API.
Xstream Flow Processor FastPath
Now the packets are flowing through the FastPath, bypassing the SlowPath, but still going through IPS.
Xstream Flow Processor FastPath
The packets can now flow entirely through the FastPath.
It is also possible for the FastPath to hand a connection back to the SlowPath if it falls outside of predefined boundaries. This allows the SlowPath to gather more information about the connection before offloading it to the FastPath again.
If you want to check whether traffic is being offloaded to the FastPath on an XGS series device, start by checking whether firewall acceleration is enabled, using the following command on the console:
system firewall-acceleration show
You can also use the system firewall-acceleration command to enable and disable the FastPath.
Checking FastPath Offload
To check a specific connection, you can use conntrack on the advanced shell:
XGS2100_RL01_SFOS 18.5.0 EAP3-Build247# conntrack -L
proto=tcp proto-no=6 timeout=10796 state=ESTABLISHED src=172.16.16.17 dst=50.16.7.188 orig-sport=65119 orig-dport=443 packets=24 bytes=11840 reply-
orig-src=50.16.7.188 reply-dst=192.168.29.14 reply-sport=443 reply-dport=65119 packets=22 bytes=5389 [ASSURED] mark=0x8001 use=1 id=2395119104 masterid=0 devin=Port1
devout=Port2 nseid=16777233 ips=0 sslvpnid=0 webfltid=0 appfltid=0 icapid=0
policytype=1 fwid=5 natid=2 fw_action=1 bwid=0 appid=100 appcatid=5 hbappid=0
hbappcatid=0 dpioffload=0x3f sigoffload=0 inzone=1 outzone=2 devinindex=10
devoutindex=11 hb_src=0 hb_dst=0 flags0=0x800a0000200008 flags1=0x5c106804000
flagvalues=3,21,41,43,55,78,87,89,90,96,102,103,104,106 catid=6 user=0 luserid=0 usergp=0 hotspotuserid=0 hotspotid=0 dst_mac=7c:5a:1c:bc:06:ae
src_mac=e8:d8:d1:45:62:89 startstamp=1617256585 microflowid[0]=5777 microflowrev[0]=0 microflowid[1]=5916 microflowrev[1]=0 hostrev[0]=3 hostrev[1]=3 ipspid=0 diffserv=0 loindex=11 tlsruleid=0 ips_nfqueue=1 sess_verdict=2 gwoff=0 cluster_node=0
current_state[0]=13 current_state[1]=13 vlan_id=0 inmark=0x0 brinindex=0 sessionid=82 sessionidrev=22265 session_update_rev=12 dnat_done=0 upclass=0:0 dnclass=0:0
pbrid_dir0=0 pbrid_dir1=0 nhop_id[0]=8 nhop_id[1]=10 nhop_rev[0]=0 nhop_rev[1]=0
conn_fp_id=74 conn_fp_rev=0
If a connection has a connection FastPath ID (conn_fp_id) then it has been offloaded to the FastPath. If it has not been offloaded, the entry will say 'NOT_OFFLOADED'.
You can also review the counters that show how many packets are being offloaded to the FastPath.
On the advanced shell use the command:
usfp_table_print.sh worker_sys_cnt
The WIRE_TO_WIRE counter shows traffic that has been fully offloaded to the FastPath
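Reading conn_fp_id out of a long conntrack dump by eye does not scale, so here is an added example (not part of the Sophos course, and not a Sophos tool) that takes pasted conntrack -L output, rejoins records that the terminal wrapped across lines, and reports which connections carry a conn_fp_id and which are NOT_OFFLOADED. The SAMPLE text is constructed for the example: the first record reuses the field names from the real output above, while the second and third flows and the placement of the NOT_OFFLOADED marker are assumptions.

```python
"""Report FastPath offload status from pasted `conntrack -L` output.

Added example, not Sophos code. A record with a numeric conn_fp_id has been
programmed into the FastPath; one marked NOT_OFFLOADED (or lacking conn_fp_id)
has not. SAMPLE is constructed for this example: the first record reuses the
field names seen on the real device, the other two flows are made up.
"""
from typing import Dict, List

SAMPLE = """\
XGS2100_RL01_SFOS 18.5.0 EAP3-Build247# conntrack -L
proto=tcp proto-no=6 timeout=10796 state=ESTABLISHED src=172.16.16.17 dst=50.16.7.188 orig-sport=65119 orig-dport=443 packets=24 bytes=11840
    reply-src=50.16.7.188 reply-dst=192.168.29.14 reply-sport=443 reply-dport=65119 packets=22 bytes=5389 [ASSURED] mark=0x8001 use=1 id=2395119104
    fwid=5 natid=2 fw_action=1 appid=100 dpioffload=0x3f sigoffload=0 inzone=1 outzone=2 devin=Port1 devout=Port2 conn_fp_id=74 conn_fp_rev=0
proto=udp proto-no=17 timeout=30 state=UNREPLIED src=172.16.16.17 dst=8.8.8.8 orig-sport=51000 orig-dport=53 packets=1 bytes=70 mark=0x8001 fwid=2 natid=2 fw_action=1 dpioffload=0x0 sigoffload=0 inzone=1 outzone=2 devin=Port1 devout=Port2 NOT_OFFLOADED
proto=tcp proto-no=6 timeout=120 state=SYN_SENT src=10.0.0.5 dst=203.0.113.9 orig-sport=41000 orig-dport=443 packets=1 bytes=60 mark=0x8001 fwid=7 natid=2 fw_action=1 dpioffload=0x0 inzone=1 outzone=2 devin=Port1 devout=Port2
"""


def split_records(text: str) -> List[str]:
    """Rejoin records a terminal wrapped across lines; each starts with 'proto='.

    Anything before the first 'proto=' line (e.g. the shell prompt) is skipped."""
    records: List[str] = []
    current: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("proto="):
            if current:
                records.append(" ".join(current))
            current = [line]
        elif line and current:          # continuation of the current record
            current.append(line)
    if current:
        records.append(" ".join(current))
    return records


def parse_record(record: str) -> Dict[str, object]:
    """Split one record into key=value fields plus bare flags such as [ASSURED]."""
    fields: Dict[str, object] = {}
    flags: List[str] = []
    for tok in record.split():
        key, sep, val = tok.partition("=")
        if not sep:
            flags.append(tok)
            continue
        if key in fields:                # second occurrence is the reply direction
            key = "reply-" + key
        fields[key] = val
    fields["_flags"] = flags
    return fields


def offload_status(rec: Dict[str, object]) -> str:
    """Offloaded only when the record carries a conn_fp_id and no NOT_OFFLOADED marker."""
    if "NOT_OFFLOADED" in rec["_flags"] or "conn_fp_id" not in rec:
        return "NOT_OFFLOADED"
    return "OFFLOADED"


def summarize(text: str) -> List[Dict[str, object]]:
    """One row per connection with the fields a practitioner checks first."""
    rows = []
    for record in split_records(text):
        rec = parse_record(record)
        rows.append({
            "flow": f"{rec['proto']} {rec['src']}:{rec['orig-sport']} -> {rec['dst']}:{rec['orig-dport']}",
            "state": rec.get("state"),
            "fwid": int(str(rec.get("fwid", "0"))),
            "dpioffload": int(str(rec.get("dpioffload", "0")), 16),
            "conn_fp_id": int(str(rec["conn_fp_id"])) if "conn_fp_id" in rec else None,
            "offload": offload_status(rec),
        })
    return rows


def not_offloaded(text: str) -> List[str]:
    """Flows that matched a rule but are still handled on the CPU path."""
    return [str(r["flow"]) for r in summarize(text) if r["offload"] == "NOT_OFFLOADED"]


if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

Pipe the real dump into the script instead of using SAMPLE (for example, conntrack -L > /tmp/ct.txt on the advanced shell, then read that file); the fwid column tells you which firewall rule each non-offloaded flow matched, which is the starting point for reordering rules as discussed later in this module.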
FastPath and tcpdump
console> tcpdump "proto 1"
07:01:39.890534 Port1, IN: IP 172.16.16.17 > 8.8.8.8: ICMP echo request, id 1, seq 375, length 40
07:01:39.917063 Port1, OUT: IP 8.8.8.8 > 172.16.16.17: ICMP echo reply, id 1, seq 375, length 40
07:01:39.917067 oct0, OUT: IP 8.8.8.8 > 172.16.16.17: ICMP echo reply, id 1, seq 375, length 40
07:01:40.912820 Port1, IN: IP 172.16.16.17 > 8.8.8.8: ICMP echo request, id 1, seq 376, length 40
07:01:40.939961 Port1, OUT: IP 8.8.8.8 > 172.16.16.17: ICMP echo reply, id 1, seq 376, length 40
07:01:40.939969 oct0, OUT: IP 8.8.8.8 > 172.16.16.17: ICMP echo reply, id 1, seq 376, length 40
There are two important things to note about the FastPath.
First, while tcpdump is running the traffic will not be offloaded to the FastPath. This gives tcpdump full visibility of the traffic so that it can operate properly, but it also means a capture never shows you the offloaded state you may be trying to diagnose.
Second, because the physical ports are connected to the Xstream Flow Processor, which is in turn connected to the CPU via PCIe, the ports are virtual interfaces. This means you will see traffic going to the virtual port and then through the hardware connection to the Xstream Flow Processor.
With a better understanding of how offloading to the FastPath works, we can start to consider how to make the best use of it. Where possible, arrange policy so that traffic is matched only by the security processes it actually requires. The goal in every scenario is for the FastPath to become the final path for a connection, so that it no longer consumes host CPU cycles and is handled by the NPU instead.
To start, traffic that matches a firewall rule with no DPI processes can normally be offloaded right away, as the firewall does not have to perform any complex scanning on it.
Improving FastPath Usage With Policy
Traffic that matches a firewall rule with no DPI processes
Similarly, if the matched firewall rule has SophosLabs offload signatures, the firewall knows this traffic can be offloaded to the FastPath right away.
The same goes for traffic that matches a rule whose IPS policy is set to bypass session.
If the traffic does not require TLS decryption, then it is possible to offload the entire stream. Whether that happens depends on the other processing applied, so it is best to group this traffic together under its own firewall rule for maximum efficiency with the FastPath.
If the traffic matches a firewall rule with application control as one of the conditions, this results in a partial FastPath offload: the initial part of the TCP session goes through the SlowPath, and once the IPS engine has identified the application and, if that application is allowed by the policy, the firewall offloads the connection to the NPU.
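The behaviour described in this module (first packet through the SlowPath and the ordered rule table, verdict cached per 5-tuple, GOTO IPS until the stream is trusted, full offload afterwards, and hand-back when a connection leaves its programmed boundaries) can be exercised in a small model. The following Python is an added illustration written for this page; it is not Sophos code and does not describe the Xstream internals. The rule names, the byte budget used as the "boundary", and the three-packet IPS trust threshold are all hypothetical.

```python
"""Toy model of SlowPath/FastPath offload on a flow-aware firewall.

Added illustration, not Sophos code: it models the behaviour the course
describes, not the Xstream internals. Rule names, the byte budget and the
IPS trust threshold are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FiveTuple:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    name: str
    action: str                  # "accept" or "drop"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port
    ips: bool = False            # rule applies an IPS policy (needs DPI)

    def matches(self, ft: FiveTuple) -> bool:
        return self.proto in (None, ft.proto) and self.dport in (None, ft.dport)


@dataclass
class FastPathEntry:
    rule: str
    state: str                   # "GOTO_IPS" or "WIRE_TO_WIRE"
    byte_budget: int             # hypothetical boundary programmed by the SlowPath
    bytes_seen: int = 0
    ips_packets: int = 0


class Firewall:
    IPS_TRUST_AFTER = 3          # hypothetical: IPS trusts a stream after 3 packets

    def __init__(self, rules: List[Rule], byte_budget: int = 3000) -> None:
        self.rules = list(rules)  # ordered: first match wins, so rule order matters
        self.byte_budget = byte_budget
        self.fastpath: Dict[FiveTuple, FastPathEntry] = {}
        self.counters = {"slowpath": 0, "goto_ips": 0, "wire_to_wire": 0,
                         "handback": 0, "drop": 0}

    def _slowpath(self, ft: FiveTuple) -> Rule:
        """Full rule-table walk for a packet the FastPath cannot handle."""
        self.counters["slowpath"] += 1
        for rule in self.rules:
            if rule.matches(ft):
                return rule
        return Rule("implicit-deny", "drop")

    def process(self, ft: FiveTuple, size: int) -> Tuple[str, str, str]:
        """Return (verdict, rule name, path taken) for one packet."""
        entry = self.fastpath.get(ft)
        if entry is not None:
            if entry.bytes_seen + size > entry.byte_budget:
                # Outside the programmed boundary: hand the connection back.
                self.counters["handback"] += 1
                del self.fastpath[ft]
            else:
                entry.bytes_seen += size
                path = entry.state
                if entry.state == "GOTO_IPS":
                    # Rule table skipped, but the packet is still delivered to IPS.
                    self.counters["goto_ips"] += 1
                    entry.ips_packets += 1
                    if entry.ips_packets >= self.IPS_TRUST_AFTER:
                        entry.state = "WIRE_TO_WIRE"  # IPS declared the stream trusted
                else:
                    self.counters["wire_to_wire"] += 1
                return "accept", entry.rule, path
        rule = self._slowpath(ft)
        if rule.action == "drop":
            self.counters["drop"] += 1   # drops are not programmed into the FastPath
            return "drop", rule.name, "SLOWPATH"
        state = "GOTO_IPS" if rule.ips else "WIRE_TO_WIRE"
        self.fastpath[ft] = FastPathEntry(rule.name, state, self.byte_budget, size)
        return "accept", rule.name, "SLOWPATH"


def demo() -> Tuple[Dict[str, int], List[Tuple[str, str, str]]]:
    """Constructed traffic: a DNS flow (no DPI), an HTTPS flow under IPS, a telnet attempt."""
    rules = [
        Rule("allow-dns", "accept", proto="udp", dport=53),
        Rule("allow-https-ips", "accept", proto="tcp", dport=443, ips=True),
        Rule("deny-telnet", "drop", proto="tcp", dport=23),
    ]
    fw = Firewall(rules, byte_budget=3000)
    dns = FiveTuple("udp", "172.16.16.17", 50000, "8.8.8.8", 53)
    https = FiveTuple("tcp", "172.16.16.17", 65119, "50.16.7.188", 443)
    telnet = FiveTuple("tcp", "172.16.16.17", 40000, "10.0.0.5", 23)
    trace = [fw.process(dns, 80), fw.process(dns, 80)]
    trace += [fw.process(https, 400) for _ in range(8)]
    trace.append(fw.process(telnet, 60))
    return fw.counters, trace


if __name__ == "__main__":
    counters, trace = demo()
    for step in trace:
        print(step)
    print(counters)
```

In the demo the DNS flow (a rule with no DPI) is on the wire-to-wire path from its second packet, the HTTPS flow spends its first packets on GOTO_IPS before being fully offloaded, and the eighth HTTPS packet exceeds the byte budget, so the connection is handed back and re-evaluated by the SlowPath. The telnet packet matches a drop rule and never leaves the SlowPath.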