On 11/01/2012 02:02 AM, Ed W wrote:
> Hi all. There is an interesting project that was called opendpi
> (originally by ipoque GmbH) and recently been forked and maintained by
> the ntop guys under the nDPI label. It offers a new and currently
> maintained layer 7 (L7) packet identification library. It could
> definitely benefit from more eyes and development effort, but at present
> it gives much better breakdown of traffic for ntop
>
> There is a netfilter library, originally by Elian Gidoni, that I have
> updated to use the nDPI fork
>
> https://github.com/ewildgoose/ndpi-netfilter
>
>
>
> The practical upshot is that you can do stuff like:
>
> iptables -I FORWARD -m ndpi --WinUpdate -j LOG
> or
> iptables -I FORWARD -m ndpi --skype -j REJECT
>
> In theory you can also filter Facebook, Twitter, etc, as specific named
> protocols - this ability is likely to be improved in the next iterations
> (ie be more configurable)
>
> Another of the clever things that nDPI does is to try and classify SSL
> traffic by examining the name on the cert. A technique that seems
> likely to allow crude identification of significant traffic. (If the
> cert says "mail.google.com", have a guess what we are doing?)
>
>
> The big picture here is that a lot of protocols are starting to look
> like "http", and increasingly more are just "https".
> Any filters are
> going to be reasonably easy for an active attacker to defeat (tunnel it
> some way), but I have a requirement to save users from themselves and so
> we want to be able to do things like limiting Windows Update and
> disallow it over the expensive satellite connection, and only allow over
> the cheaper wifi (or 3G) connections.
>
> Simple filtering on http & https is quite useful in implementing that
> despite the limitations. Forcing connections through squid has some
> limitations (and some advantages), but at present squid can't do some of
> the things we can do with nDPI such as examining SSL certs.
>
> There is still some way to go on this project, but I started pondering
> how I might express such rules in shorewall (and trying to avoid further
> overloading MARKs).
Should be pretty easy to put together an action where the action file
does ?BEGIN PERL ... ?END PERL. Have a look at action.TCPFlags for an
example (and ignore the fact that it says DropSmurfs in the heading
comments).
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________