1
Standardized Firewall Management: An IPCable2Home
Perspective
Amol Bhagwat, Engineer, Technology Development,
OSS Provisioning, Broadband Access, CableLabs
2
What is a Home Network Firewall?
  • Usually located in a gateway device that connects
    a local network (LAN) to a wide area network
    (WAN)
  • Protects a LAN against unsolicited traffic from
    the WAN.

3
Types of Firewalls
  • Packet Filtering (PF)
      • Static rule configuration
      • Uses packet header info
  • Stateful Packet Filtering (SPF)
      • Monitors the state of a connection/session to make
        filtering decisions
  • Application Level Gateway (ALG)
      • Uses connection info at the application layer
      • Used by SPF for connection monitoring
  • Application Server Proxy (ASP)
      • Filters based on application-layer client-server
        messaging
      • Can authenticate sessions
      • Possible to filter subsections of a protocol

4
IPCable2Home Firewall
  • IPCable2Home requires the firewall to have SPF or
    ASP filtering capabilities.
  • Is session aware: keeps track of initiated vs.
    response packets.
  • Supports remote configuration by the service provider
    as well as consumer configuration
  • Uses a standardized configuration language
  • Event monitoring

5
IPCable2Home Firewall Architecture
Residential Gateway (R/G)
  • PS: Portal Services element, the IPCable2Home-
    specified functionality for the R/G
  • CAT: Address Port Translation functionality
  • Passthrough: enables transparent bridging
    through the R/G
  • USFS: Upstream Selective Forwarding Switch,
    keeps in-home traffic within the home

6
Configuration Options
  • Configuration supported via SNMP MIB objects
  • Bulk configuration
      • PS or Firewall configuration file
      • The Firewall configuration file is separate and
        optional.
  • Direct SNMP SETs

7
Bulk Configuration
  • Firewall SNMP MIB object settings can exist in
    either the PS configuration file or the FW
    configuration file.
  • A configuration file consists of IPCable2Home-
    defined TLV (Type, Length, Value) fields that set
    MIB values
  • Download of a separate FW configuration file
    (optional) can be triggered by settings in the PS
    configuration file.
  • Configuration files are authenticated using a
    hash digest, TLS download, or Kerberos (SNMP
    provisioning mode).

8
Direct SNMP SETs
  • PS supports SNMPv1, v2, and v3.
  • An SNMP manager can directly set MIB objects
      • Remote
      • Local
  • Supports live diagnostic/configuration
    activities with a CSR and/or installer.
  • Security
      • Access control via SNMP community strings and
        VACM views.
      • SNMPv3 provides encryption and integrity features.

9
Separate Firewall Configuration File Download
Trigger
  • A URL address that differs from the URL address
    of the last successfully downloaded file acts as
    the trigger
  • TLS or TFTP download methods are determined by
    the prefix of the Firewall Config File URL.
      • tftp:// prefix: TFTP download
      • https:// prefix: TLS download
  • Before triggering a TFTP download, the hash
    digest of the entire Firewall Configuration File
    should be set
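
The two mechanisms on slides 7 and 9 (a TLV-encoded configuration file, and a hash digest set before a TFTP download so the PS can reject a file that does not match) can be modelled in a few lines. The code below is an added example for this transcript, not CableLabs code and not the IPCable2Home TLV format: the TLV type codes, the one-byte length field, the choice of SHA-256 as the digest, and the MIB object name in the sample file are all assumptions made for the example.

```python
import hashlib
import hmac
import struct

# Hypothetical TLV type codes for this example; the spec's own type numbers are not used here.
TLV_SNMP_MIB_OBJECT = 11   # value: "object=value" string that the PS applies as an SNMP SET
TLV_FW_CONFIG_URL = 12     # value: URL of the separate firewall configuration file
TLV_END = 255              # end-of-data marker with zero length


def encode_tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one Type (1 byte) / Length (1 byte) / Value field."""
    if not 0 <= len(value) <= 255:
        raise ValueError("TLV value must fit in a one-byte length")
    return struct.pack("BB", tlv_type, len(value)) + value


def build_config_file(entries) -> bytes:
    """Build a configuration file from (type, value) pairs, terminated by TLV_END."""
    body = b"".join(encode_tlv(t, v) for t, v in entries)
    return body + encode_tlv(TLV_END, b"")


def parse_config_file(data: bytes):
    """Walk the TLVs until TLV_END; a truncated header or value is rejected, not guessed."""
    fields = []
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated TLV header at offset %d" % pos)
        tlv_type, length = struct.unpack_from("BB", data, pos)
        pos += 2
        if tlv_type == TLV_END:
            return fields
        if pos + length > len(data):
            raise ValueError("truncated TLV value at offset %d" % pos)
        fields.append((tlv_type, data[pos:pos + length]))
        pos += length
    raise ValueError("missing end-of-data TLV")


def config_digest(data: bytes) -> str:
    """Digest over the entire file (SHA-256 is an assumption for this example)."""
    return hashlib.sha256(data).hexdigest()


def digest_ok(data: bytes, expected_digest: str) -> bool:
    """Constant-time comparison of the file digest with the value set via SNMP beforehand."""
    return hmac.compare_digest(config_digest(data), expected_digest)


def accept_downloaded_config(data: bytes, expected_digest: str):
    """PS-side check for a TFTP download: the digest set before the download was
    triggered must match the whole file; only then is the file parsed and applied."""
    if not digest_ok(data, expected_digest):
        raise ValueError("firewall config file digest mismatch; file rejected")
    return parse_config_file(data)


def download_method(url: str) -> str:
    """Pick the download method from the URL prefix, as slide 9 describes."""
    if url.startswith("https://"):
        return "TLS"
    if url.startswith("tftp://"):
        return "TFTP"
    raise ValueError("unsupported firewall config file URL prefix")


if __name__ == "__main__":
    # Constructed sample file: one MIB SET and the URL of the separate FW config file.
    sample = build_config_file([
        (TLV_SNMP_MIB_OBJECT, b"EXAMPLE-MIB::fwPolicySelection.0=3"),
        (TLV_FW_CONFIG_URL, b"tftp://prov.example.net/fw.cfg"),
    ])
    expected = config_digest(sample)                 # value the provisioning system would SET first
    print(download_method("tftp://prov.example.net/fw.cfg"))
    print(accept_downloaded_config(sample, expected))
```

The digest check matters most for the TFTP path, since TFTP itself offers no integrity protection; the TLS path gets its integrity from the transport, which is why the slide ties the digest requirement to TFTP downloads.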

10
Primary Management Features
  • Firewall Policy and Filter Rules
  • Parental Control Support
  • Policy Selection
  • Event Reporting
  • Application Support

11
Firewall Policy and Rules
  • There are three categories of filtering rules
    used by the IPCable2Home 1.1 firewall:
      • General Behavior Rules
      • Factory Default Ruleset
      • Configured Ruleset
  • Rules apply to session-initiated traffic, not to
    response traffic.

12
General Behavior Rules
  • Provide the filtering baseline
  • Always applied unless an exception is defined by
    the default and/or configured ruleset.
  • Primary filtering functions
      • WAN-to-LAN traffic: deny
      • LAN-to-WAN traffic: allow

13
Factory Default Ruleset
  • A fixed set of filtering rules that do not change
  • Defines exceptions to the General Behavior Rules
  • Minimum ruleset to support management of the PS
  • Primary filter functions
      • WAN-to-PS SNMP traffic: allow
      • WAN-to-PS/LAN ICMP traffic: allow
  • Can be read via SNMP
  • Provided by the vendor

14
Configured Ruleset
  • An SNMP-configurable set of filtering rules
  • Defines exceptions to the General Behavior Rules
    and the Default Rules
  • Can filter on LAN or WAN interface, destination/source
    IP address range, destination/source port range, and
    protocol ID
  • Supports time restrictions for Parental Control
    applications
  • Consists of two filter MIB tables
      • Service Provider Configuration Table
      • Local User Configuration Table
  • Filter rule entries in the Configured Ruleset
    tables are persistent

15
Parental Control Support
  • Time restrictions can be applied to each
    filtering rule in the Configured Ruleset
  • Time settings define the time window during which a
    filter rule is active (applied)
      • Start time (military time format)
      • End time (military time format)
      • Day of Week (bit flags)
  • A start time of 0, an end time of 2359, and a DOW of
    0xFE indicate the filter rule is always active
    (default values).
  • If the end time is less than the start time, the
    filter is active across two days.
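
The time-window rules on this slide have one edge case worth getting right: a window whose end time is lower than its start time wraps past midnight, so the check has to consult yesterday's day-of-week flag for the early-morning part. The following is an added example written for this transcript, not CableLabs code: the slide gives 0xFE as the "every day" value but not which bit is which day, so the bit order (bit 1 = Sunday through bit 7 = Saturday, bit 0 unused) and the decision to credit the post-midnight part of a wrapped window to the day it started on are assumptions.

```python
from datetime import datetime, timedelta

# Assumed day-of-week bit order: bit 1 = Sunday ... bit 7 = Saturday (bit 0 unused),
# which makes 0xFE, the slide's "always active" DOW, equal to all seven days.
DOW_SUN, DOW_MON, DOW_TUE, DOW_WED, DOW_THU, DOW_FRI, DOW_SAT = (1 << i for i in range(1, 8))
DOW_ALL = 0xFE
ALWAYS_ACTIVE = (0, 2359, DOW_ALL)      # the slide's default values


def dow_bit(dt: datetime) -> int:
    """Flag for the weekday of dt (datetime.weekday(): Monday=0 ... Sunday=6)."""
    sunday_first = (dt.weekday() + 1) % 7      # Sunday=0, Monday=1, ..., Saturday=6
    return 1 << (sunday_first + 1)


def valid_time(hhmm: int) -> bool:
    """Military time must be HHMM with 0 <= HH <= 23 and 0 <= MM <= 59."""
    return 0 <= hhmm <= 2359 and hhmm % 100 <= 59


def rule_active(start: int, end: int, dow: int, now: datetime) -> bool:
    """
    Is a Configured Ruleset entry with this time window active at `now`?
    end >= start: the window lies within one day (inclusive at both ends).
    end <  start: the window wraps past midnight; the part after midnight is
    credited to the day on which the window started (assumption; the slide
    only says the filter is active across two days).
    """
    for value in (start, end):
        if not valid_time(value):
            raise ValueError("invalid military time: %d" % value)
    t = now.hour * 100 + now.minute
    if end >= start:
        return start <= t <= end and bool(dow & dow_bit(now))
    if t >= start:                              # evening part, on the starting day
        return bool(dow & dow_bit(now))
    if t <= end:                                # early-morning part: window began yesterday
        return bool(dow & dow_bit(now - timedelta(days=1)))
    return False


def rule_active_at(start: int, end: int, dow: int, iso_timestamp: str) -> bool:
    """Same check from an ISO 8601 timestamp such as '2024-01-01T23:00'."""
    return rule_active(start, end, dow, datetime.fromisoformat(iso_timestamp))


if __name__ == "__main__":
    # Constructed rule: active 22:00 through 06:00 on Monday nights only.
    for stamp in ("2024-01-01T23:00", "2024-01-02T03:00", "2024-01-02T23:00"):
        print(stamp, rule_active_at(2200, 600, DOW_MON, stamp))
```

A wrapped window that starts on Monday evening is therefore still active at 03:00 on Tuesday even when the DOW flags name Monday only; a rule that checked Tuesday's flag instead would silently switch the filter off at midnight.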

16
Policy Selection
  • The firewall can be configured to apply the
    Factory Default Ruleset or the Configured
    Ruleset, or both, along with the General Behavior
    Rules.
  • When the Factory Default and Configured Rulesets
    are both selected, the Configured Ruleset takes
    priority wherever filtering rules conflict
  • When a filtering rule conflict exists between the
    Service Provider Configuration Table and the Local
    User Configuration Table, the priority MIB
    determines which one wins

17
Firewall Rules Diagram
(Figure: policy selection of Configured, Default, or
Configured + Default; filter rule priority from high to
low: Configured Filter Rules, Default Filter Rules,
General Filter Rules.)
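
Slides 11 through 17 describe a layered decision: the General Behavior Rules always apply, the Factory Default Ruleset and/or the Configured Ruleset add exceptions on top, and within the Configured Ruleset a priority MIB settles conflicts between the service-provider and local-user tables. The code below is an added example illustrating that evaluation order; it is not CableLabs code and does not reproduce the MIB tables. Rules here match on interface, destination, protocol and port only (the address/port ranges and time windows of the real tables are left out), SNMP is assumed to be UDP/161, the priority MIB is modelled as a boolean, and an unmatched packet is denied, which is an assumption.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Packet:
    """A session-initiating packet; response packets are matched by SPF state, not by rules."""
    iface: str                     # interface it arrives on: "WAN" or "LAN"
    dst: str                       # "PS" (the gateway itself), "LAN" (a home device) or "WAN"
    proto: str                     # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """Simplified filter entry: None in a field means 'any'."""
    iface: str
    dst: Optional[str]
    proto: Optional[str]
    dport: Optional[int]
    action: str                    # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (self.iface == p.iface
                and self.dst in (None, p.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))


def first_match(rules: Sequence[Rule], p: Packet) -> Optional[str]:
    """Action of the first matching rule in a table, or None if nothing matches."""
    for r in rules:
        if r.matches(p):
            return r.action
    return None


# General Behavior Rules (slide 12): the baseline, always applied.
GENERAL_RULES = [Rule("WAN", None, None, None, "deny"),      # WAN-to-LAN: deny
                 Rule("LAN", None, None, None, "allow")]     # LAN-to-WAN: allow

# Factory Default Ruleset (slide 13): fixed, vendor-provided exceptions that keep the PS manageable.
DEFAULT_RULES = [Rule("WAN", "PS", "udp", 161, "allow"),     # WAN-to-PS SNMP (UDP/161 assumed)
                 Rule("WAN", None, "icmp", None, "allow")]   # WAN-to-PS/LAN ICMP


def configured_action(sp_table, local_table, sp_has_priority: bool, p: Packet) -> Optional[str]:
    """Resolve the Configured Ruleset's two tables; on a conflict the priority MIB
    (modelled as sp_has_priority) decides which table wins."""
    sp, local = first_match(sp_table, p), first_match(local_table, p)
    if sp is not None and local is not None and sp != local:
        return sp if sp_has_priority else local
    return sp if sp is not None else local


def decide(p: Packet, policy: str, sp_table=(), local_table=(), sp_has_priority: bool = True) -> str:
    """policy selects the rulesets applied on top of the General Behavior Rules:
    "default", "configured" or "both". Layers are consulted in the diagram's
    priority order, Configured (high) -> Default -> General (low); the first
    layer holding a matching rule decides."""
    if policy not in ("default", "configured", "both"):
        raise ValueError("unknown policy selection: %r" % policy)
    if policy in ("configured", "both"):
        action = configured_action(sp_table, local_table, sp_has_priority, p)
        if action is not None:
            return action
    if policy in ("default", "both"):
        action = first_match(DEFAULT_RULES, p)
        if action is not None:
            return action
    action = first_match(GENERAL_RULES, p)
    return action if action is not None else "deny"    # assumption: fail closed


if __name__ == "__main__":
    # Constructed tables: the provider opens WAN-to-LAN TCP/8080, the home user closes it.
    sp = [Rule("WAN", "LAN", "tcp", 8080, "allow")]
    local = [Rule("WAN", "LAN", "tcp", 8080, "deny")]
    pkt = Packet("WAN", "LAN", "tcp", 8080)
    print("provider wins:", decide(pkt, "both", sp, local, sp_has_priority=True))
    print("local wins:   ", decide(pkt, "both", sp, local, sp_has_priority=False))
```

Note that selecting the Configured Ruleset alone (policy "configured") drops the default exceptions, so WAN-side SNMP management of the PS then works only if the configured tables allow it themselves; that is the trade-off the Policy Selection slide leaves to the operator.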
18
Firewall Event Reporting
  • The PS can log a number of different firewall
    events
      • FW config file download status
      • Policy violations
      • DoS attacks
      • Configuration changes
      • Failed configuration attempts
      • Allowed inbound/outbound packets
  • Most of these events can be enabled/disabled and
    regulated with a threshold value.
  • Along with the PS event logging table, an
    additional FW logging table provides more detail
    on the events.

19
Application Support
  • The IPCable2Home firewall is expected to support
    a minimum set of common applications
  • This means the functions of the firewall must not
    disrupt/corrupt an allowed application session.
  • A list of these applications can be found in
    Appendix IV of the IPCable2Home specification.

20
Questions
Contact: a.bhagwat@cablelabs.com