Ethernet Condom - The World's Stupidest Firewall

To deal with #badBIOS , I'd like to build a second level of secure systems, beyond my isolated systems. One that can only network to a very limited degree, so I need to build "The World's Stupidest Firewall" - a device with two ethernet interfaces, that simply copies packets from one to the other if it meets one of two criteria:

1) ARP packets from a single gateway MAC address to a fixed destination and responses back. No other ARP traffic.

2) Non-broadcast IPv4 traffic from a single fixed gateway MAC address to and from a single destination client IP. (And potentially filter out local IP addresses 10 and 196 to isolate this client from other nearby systems, but once you introduce IP filtering you start down the feature creep road I'd like to avoid.)

Ideally this device will do no processing of any other kind of traffic, no broadcast, no multicast, no ipv6, no dhcp, no teredo, no rtsol, no arp traffic, no anything except those two classes, and the filtering happens at driver level, so the OS never sees ANY packets except these 4 types (two in each direction), giving as close to zero chances for any kernel vulnerability and as small an attack surface as possible, with no remote access, and configuration from a console keyboard only.
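As an added illustration of the two rules above (this is example code written for this page, not the author's filter), a single accept/drop function over raw Ethernet frames: it copies only frames between the gateway MAC and the client MAC that are either a well-formed ARP request/reply or a unicast IPv4 packet to or from the client IP, and drops everything else before it is parsed any further. The MAC addresses, client IP and sample frames are constructed values, and the header-length checks are the kind of validation Zonenberg suggests below.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Decide whether one Ethernet frame may be copied to the other port.
 * Policy (constructed to match the two rules in the post): only frames between
 * the gateway MAC and the client MAC, that are either well-formed ARP or
 * unicast IPv4 to/from the client IP. Everything else is dropped unseen. */
static int mac_eq(const uint8_t *a, const uint8_t *b) { return memcmp(a, b, 6) == 0; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) << 16 | rd16(p + 2); }

int ec_pass(const uint8_t *f, size_t n, const uint8_t gw[6], const uint8_t cl[6], uint32_t cl_ip)
{
    if (n < 14 || (f[0] & 1)) return 0;                  /* runt, or group (bcast/mcast) dst */
    int gw_to_cl = mac_eq(f + 6, gw) && mac_eq(f, cl);
    int cl_to_gw = mac_eq(f + 6, cl) && mac_eq(f, gw);
    if (!gw_to_cl && !cl_to_gw) return 0;                /* only this one MAC pair, either way */
    const uint8_t *p = f + 14; size_t plen = n - 14;
    uint16_t type = rd16(f + 12);
    if (type == 0x0806) {                                /* ARP: validate the header, not just the type */
        if (plen < 28 || rd16(p) != 1 || rd16(p + 2) != 0x0800 || p[4] != 6 || p[5] != 4) return 0;
        if (rd16(p + 6) != 1 && rd16(p + 6) != 2) return 0;   /* request or reply only */
        return mac_eq(p + 8, f + 6);                     /* sender HW addr must match frame source */
    }
    if (type == 0x0800) {                                /* IPv4 */
        if (plen < 20 || (p[0] >> 4) != 4) return 0;
        size_t ihl = (p[0] & 0x0f) * 4u, tot = rd16(p + 2);
        if (ihl < 20 || tot < ihl || tot > plen) return 0;   /* bogus lengths: drop */
        uint32_t sip = rd32(p + 12), dip = rd32(p + 16);
        if (dip == 0xffffffffu || (dip >> 28) == 0xe) return 0;  /* IP broadcast / multicast */
        return gw_to_cl ? dip == cl_ip : sip == cl_ip;
    }
    return 0;                                            /* IPv6, LLDP, anything else: never copied */
}

/* Constructed sample frames: gateway 02:00:00:00:00:01, client 02:00:00:00:00:02, client IP 192.168.1.2 */
static const uint8_t GW[6] = {2,0,0,0,0,1}, CL[6] = {2,0,0,0,0,2};
#define CL_IP 0xC0A80102u
static const uint8_t ARP_OK[42] = {2,0,0,0,0,2, 2,0,0,0,0,1, 8,6,  0,1, 8,0, 6,4, 0,1,
    2,0,0,0,0,1, 192,168,1,1,  0,0,0,0,0,0, 192,168,1,2};
static const uint8_t IP_OK[34] = {2,0,0,0,0,1, 2,0,0,0,0,2, 8,0,  0x45,0, 0,20, 0,0, 0,0, 64,1, 0,0,
    192,168,1,2, 192,168,1,1};
static const uint8_t IP6_DROP[54] = {2,0,0,0,0,2, 2,0,0,0,0,1, 0x86,0xdd, 0x60};
static const uint8_t BCAST_ARP[42] = {0xff,0xff,0xff,0xff,0xff,0xff, 2,0,0,0,0,1, 8,6, 0,1, 8,0, 6,4, 0,1};

int ec_selftest(void) {
    return ec_pass(ARP_OK, 42, GW, CL, CL_IP) == 1 && ec_pass(IP_OK, 34, GW, CL, CL_IP) == 1
        && ec_pass(IP6_DROP, 54, GW, CL, CL_IP) == 0 && ec_pass(BCAST_ARP, 42, GW, CL, CL_IP) == 0;
}
```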

Another objective is for the device code base to be as small as possible to allow quick and simple auditing and verification. Less code runs faster and is more secure. The smallest possible binary to do this is another objective - so I intend to strip out as much other extraneous code and functionality as possible.

Bonus points if this device can record all these packets for later examination. How do you think I should do this? I'm looking for ideas or help developing as elegant and simple a solution for this as possible. Preferably the hardware should be as low cost and ubiquitous as possible. Extra points if I can fit the binary in a tweet. :-)

My current approach will be to start with an embedded box with multiple nics and an OpenBSD core, and put some simple stupid fixed filter you configure with a kernel rebuild in the nic driver, because that's the kernel and drivers I'm familiar with... but I am curious how others would approach this problem. 

I've also considered using a Raspberry Pi with Linux and two USB NICs....

Another interesting device is: http://www.ubnt.com/rspro

Also: http://routerboard.com/

Andrew Zonenberg on Twitter suggests: Use two PHY chips and an FPGA. The worst a bad PHY can do in that case is corrupt/drop packets, and do header validation to protect against bugs like this one he found recently: http://osvdb.org/show/osvdb/92903
To me that sounds likely to be the cheapest possible hardware cost.

Andrea Barisani pointed me towards Michael Ossman's DARPA funded Daisho board, which looks like a good board for this function. http://goo.gl/oyT77G

I suggested the clever name: Ethernet Condom

Coding this is trivial so I can do that - what I'm really looking for most here is others' ideas on elegant solutions and hardware for this, and to pass on the idea of how to do stealthy remote communications access filtering to others.

Thanks in advance,
--dr