Sieve Firewall
Transparent bridging iptables firewall configured through a Windows-based .NET GUI

Description
Support site is at http://sievefirewall.sourceforge.net.

1. What does the appliance do, and what are its uses and benefits to the intended audience in the VMware community? The judging panel is interested to know what is unique about this appliance, why users will want to download and run it, and how they will use it.

At its simplest, Sieve is a virtual machine that runs an extremely small Linux kernel to create a transparent bridging firewall. However, it provides several unique features critical to an ongoing environment and/or tailored to the theme of the contest:

- Small size - As of 5/24/06, the smallest VM firewall download was the 7MB m0n0wall; only the 5MB Minix VM was smaller. Sieve comes in at 2.7MB complete!

Transparent bridging firewalls are not a new concept. Sieve uses the concept to provide an unprecedented feature set to a Windows OS user, including powerful and flexible iptables/netfilter firewalling and Linux traffic-control bandwidth shaping. Users will finally be able to make use of a Shorewall-style bridging firewall from Windows without having to learn Linux. It is not a simple process to start changing IP addresses on production servers in an enterprise environment, or to create subnets for firewall addresses; because the bridge carries no IP address of its own, Sieve allows an administrator to add Linux firewalling and bandwidth control in front of a Windows server without any of those problems. And all of this in a 2.7MB download and without having to learn Linux!

Sieve was designed around real problems and design issues found in an enterprise:

- Server administrators think about client groups by department or some other common symbolic name, not by IP addresses the way a network administrator does. Sieve's Zones map a symbolic name, like accounting, to an IP address or subnet, like 192.168.3.0/24. Once the zones are created, bandwidth control and firewall rules are written in terms of these zone names rather than addresses.

2. How was the appliance built, summarizing the steps involved?
Describe what optimizations were made, for example any changes you made to the underlying operating system to optimize it for size or functionality, or any special application configurations you made that increase the usefulness of the appliance.

Sieve started out with a search for a small Linux OS on which to implement a transparent bridging firewall. Having had experience with Shorewall, the Shorewall/LEAF combination proved to be a perfect fit. Starting from a hard-drive installation in a VM, the first basic firewall was created and implemented. The modular nature of LEAF made it simple to remove unnecessary applications by deleting the .LRP package from the hard drive and updating leaf.cfg to reflect the change.

The original idea was to build a web interface to this hard-drive-image VM using webconf, a shell-based web server platform provided in LEAF. After thinking through the security issues with that approach (a management web server on the firewall itself is reachable from the network it is supposed to protect), we began brainstorming how we could configure the firewall if it were truly invisible on the network. From this came the basic framework: generate an ISO boot image outside the VM, then boot the VM from that ISO, so the firewall carries no management service and no address at all. With this model we could use a native Windows application, better match the Windows look and feel, and hopefully make a Windows administrator feel more at home. After laying out the basic structure of this bootable ISO, we ran down the tools required to make it happen, namely BSDTar and mkisofs. A Windows GUI application was created in Visual Basic with .NET Framework 2.0.

As development of the GUI progressed, we returned to resolving some issues with using LEAF in this type of VM. First, not all desired iptables modules were available in LEAF, for example ipt_iprange (IP address range matching). Using LEAF's buildtool and iptables patch-o-matic, we updated the provided 2.4.32 kernel source, added the desired modules, cross-compiled them for the LEAF VM and uClibc, and built new .lrp packages for the ISO.
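The zone model from question 1 (symbolic names mapped to subnets, rules written against the names) and the bridge start-up tuning described later in this answer (bridge_fd and bridge_maxwait in /etc/network/interfaces) are illustrated by the following added shell example. It is not output of Sieve's GUI nor Shorewall's own rule compiler; the zone names, subnets and interface names are constructed for the example. It only prints the iptables commands and the interfaces stanza so the result can be reviewed before it is applied to a real bridge. Two details a practitioner would want are built in: an unknown zone name is an error rather than an empty -s/-d that would silently match every address, and a --dport is refused for protocols other than tcp/udp. Bridged frames only traverse the iptables FORWARD chain on a kernel with bridge-nf (a patch on 2.4, built into 2.6), and setting bridge_fd to 0 is only safe because the bridge has exactly two ports and no redundant path, so there is no loop for STP to break.

```shell
#!/bin/sh
# Added example (not Sieve's or Shorewall's code): generate iptables rules
# for a transparent bridging firewall from a zone map, plus the bridge
# stanza with the reduced forwarding delay. Names below are constructed.

# Zone map: symbolic name -> CIDR, one entry per line (constructed).
ZONES="accounting=192.168.3.0/24
servers=192.168.10.0/24
engineering=192.168.5.0/24"

# Bridge and its two member ports (constructed). The bridge itself gets
# no IP address, which is what makes the firewall invisible on the wire.
BRIDGE=br0
LAN_IF=eth0
WAN_IF=eth1

# zone_cidr NAME: print the CIDR for NAME; fail if NAME is not a zone.
# Zone names are single words, so they are safe to splice into sed.
zone_cidr() {
    cidr=$(printf '%s\n' "$ZONES" | sed -n "s/^$1=//p")
    [ -n "$cidr" ] || { echo "unknown zone: $1" >&2; return 1; }
    printf '%s\n' "$cidr"
}

# zone_rule SRC_ZONE DST_ZONE PROTO DPORT ACTION: print one FORWARD rule.
# With bridge-nf, a bridged packet's -i and -o are the bridge device.
# PROTO and DPORT may be "-" to mean "any".
zone_rule() {
    src=$(zone_cidr "$1") || return 1
    dst=$(zone_cidr "$2") || return 1
    proto=$3; dport=$4; action=$5
    rule="iptables -A FORWARD -i $BRIDGE -o $BRIDGE -s $src -d $dst"
    if [ "$proto" != "-" ]; then
        rule="$rule -p $proto"
        if [ "$dport" != "-" ]; then
            case "$proto" in
                tcp|udp) rule="$rule --dport $dport" ;;
                *) echo "dport is only valid for tcp/udp, got $proto" >&2
                   return 1 ;;
            esac
        fi
    fi
    printf '%s\n' "$rule -j $action"
}

# firewall_policy: default-deny skeleton that the zone rules sit inside.
firewall_policy() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# bridge_stanza: /etc/network/interfaces stanza for a two-port bridge
# that does not take part in STP. bridge_fd 0 and bridge_maxwait 0
# remove the forwarding delay that otherwise leaves the host without
# DHCP or a domain controller during the first seconds of boot.
bridge_stanza() {
    cat <<EOF
auto $BRIDGE
iface $BRIDGE inet manual
    bridge_ports $LAN_IF $WAN_IF
    bridge_stp off
    bridge_fd 0
    bridge_maxwait 0
EOF
}

# generate: example policy. Accounting may reach the servers on SMB,
# engineering on SSH; everything else between zones hits the DROP policy.
generate() {
    firewall_policy
    zone_rule accounting servers tcp 445 ACCEPT &&
    zone_rule engineering servers tcp 22 ACCEPT &&
    zone_rule accounting engineering - - DROP
}

generate
bridge_stanza
```

Running the script prints the rule set and the interfaces stanza; piping the iptables lines into sh on the firewall applies them. A rule naming a zone that is not in the map aborts generation instead of producing a catch-all rule, which is the failure mode worth guarding against when administrators type zone names rather than addresses.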
Next up was VMware Tools. Without glibc or a complete build environment, the Makefiles for vmxnet.o and vmmemctl.o were manually modified so we could cross-compile them within the buildtool environment and add them to the ISO. With a limited amount of time for the contest and no easily discoverable source for the precompiled tools like vmware-guestd, we have not yet resolved how to get those tools to run in a uClibc environment. After all the new iptables and VMware modules were cross-compiled, they were packaged into .LRP files, added to the ISO, and the init scripts were changed to load the new modules.

We then addressed problems with startup of the host OS in an Active Directory environment: while the bridge is still in its forwarding delay, the Windows host cannot reach its DHCP server or domain controllers. Several days of research led to two sets of changes. Since these bridges will not be participating in an enterprise's STP environment, bridge startup time was reduced with the bridge_fd and bridge_maxwait parameters in /etc/network/interfaces, making the bridge start forwarding almost immediately. On the host OS side, registry tweaks make Windows wait longer for the domain controllers to become available before falling through and skipping application of computer policies. If the host OS is DHCP-addressed, disabling APIPA in the registry makes the host wait longer for the DHCP server before falling through and assigning itself an unroutable APIPA address. Testing in the limited time available revealed many boundary-condition issues; hopefully most have been addressed.

3. Detailed instructions to start using the appliance, and the location of any other documentation.

- First, if you have not done so recently, install or update Microsoft's .NET Framework 2.0 from http://msdn.microsoft.com/netframework/downloads/updates/default.aspx.
Networking itself can become complex, and with multiple versions of Windows and multiple versions of VMware a single, concise guide is difficult. Alternatives to VMware Server and Windows XP are covered in the documentation on our SourceForge site, http://www.sourceforge.net/projects/sievefirewall. There are also several important FAQ items relating to DHCP and Active Directory at that site.

4. The names of any licensed operating systems, applications, or other components in your appliance, and the licenses (names or URLs) under which you are using them.

LEAF - GPL - http://www.sourceforge.net/projects/LEAF

Last updated: 06/06/2006
Operating system: Leaf Bering - Linux 2.4 based
Applications installed:
VMware Tools installed: Yes
Size: 2.7 MB
Submitted by: jettm
Download link provided by the submitter, not VMware.
