HA Firewalls on the Cheap - blog.uptill3.com/static/carp.pdf

HA Firewalls on the Cheap
OpenBSD / CARP / pfsync
By: Adam Crosby

Overview

• OpenBSD
• pf – IP packet filter
• CARP – redundancy protocol
• pfsync – state table sync
• Competition
• Production example
• FWBuilder (in case the CLI is not your ball of wax)
• Demo architecture
• Demo
• Q&A

OpenBSD

• Typically known for its ‘security’ focus
• Increasing network-centric focus
  - pf, OpenBGPD, ssh, OpenNTPD, etc.
• Tiny (~140 MB install)
• Simple
• Extremely well documented
  - ‘man’ pages for everything that are up to date and actually have useful info!

pf – packet filter

• Packet filter for TCP/IP
  - NAT
  - QoS (with ALTQ)
  - High availability (with pfsync + CARP)
• Written to replace Darren Reed’s ‘ipf’ after a license change by Reed

CARP (Common Address Redundancy Protocol)

• Allows multiple hosts to share an IP
• Free, not patent-encumbered
• Secure (compared to VRRP/HSRP)
• IPv4 and IPv6 support

pfsync

• Network interface that exposes pf state table changes
• Can be configured to share changes over the network
• Can be configured to listen for changes on the network
• Insecure – use IPsec or a crossover cable
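The CARP and pfsync slides above name the pieces but not how they fit on a box. The script below is an added example, not material from the talk, that writes the hostname.carp0, hostname.pfsync0, sysctl.conf and pf.conf fragments for one node of a two-node pair. The interface names em0 and em2, the 203.0.113.0/24 addresses, vhid 1 and the CHANGEME secret are assumed placeholders.

```shell
#!/bin/sh
# Emit the OpenBSD files for one node of a CARP/pfsync pair.
# Assumptions (not from the slides): em0 = external NIC carrying the
# shared address 203.0.113.1/24, em2 = crossover link used only for pfsync.
# Usage: gen_carp_config <destdir> master|backup
gen_carp_config() {
  dest=$1; node=$2
  case $node in
    master) advskew=0 ;;     # lowest advskew wins the master election
    backup) advskew=100 ;;   # higher advskew = less preferred
    *) echo "node must be master or backup" >&2; return 1 ;;
  esac
  mkdir -p "$dest"
  # carp0: vhid identifies the redundancy group on the wire; pass is the
  # shared secret that authenticates advertisements (CHANGEME is a placeholder).
  cat > "$dest/hostname.carp0" <<EOF
inet 203.0.113.1 255.255.255.0 203.0.113.255 vhid 1 carpdev em0 pass CHANGEME advskew $advskew
EOF
  # pfsync0: state updates leave only via the crossover link, which is the
  # slide's answer to pfsync having no authentication of its own.
  cat > "$dest/hostname.pfsync0" <<EOF
syncdev em2
up
EOF
  # preempt: if any CARP interface on the master fails, demote the whole box
  # so inside and outside addresses fail over together.
  cat > "$dest/sysctl.conf" <<EOF
net.inet.carp.preempt=1
EOF
  # pf.conf: pfsync is accepted only on the crossover link and CARP only on
  # the interface that carries the shared address; everything else is stateful.
  cat > "$dest/pf.conf" <<EOF
ext_if = "em0"
sync_if = "em2"
block all
pass quick on \$sync_if proto pfsync
pass on \$ext_if proto carp
pass out on \$ext_if inet keep state
EOF
}

# Run directly with two arguments to write the files; sourcing it only defines the function.
if [ $# -eq 2 ]; then
  gen_carp_config "$1" "$2"
fi
```

The backup node gets the higher advskew so it takes over only when the master's advertisements stop; the pfsync link stays physically private because, as the slide says, pfsync itself carries no authentication.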

Competition

• Cisco PIX
  - Friends don’t let friends use PIX
• Juniper Netscreen
  - Decent, not enough experience to judge
• Checkpoint Firewall NG
  - Excellent for large numbers of nodes, overkill for 1 or 2 locations/nodes
• Linux iptables/heartbeat
  - No state table failover
• Linux pf/carp (ugh!)
  - It has been ported…

In Production

• 2 VIA 1 GHz C3 1U rackmounts
• 20-30 Mb/s average, peaks of ~70 Mb/s
• Replaced CheckPoint Firewall NG
• pf/CARP implementation:
  - 2 hours setup and install
  - 1 hour converting Checkpoint rules
    • Working on a Python script to automate this!
  - 1 week proof of concept / testing

Fwbuilder

• GUI ruleset builder
• Works with pf
• Works with iptables
• Runs on Linux and Windows
• Uses native configuration (ssh/scp to set stuff up – no config daemon!)
• No CARP/pfsync support :(

Demo Architecture