Operations Area Working Group                                   C. Sheth
Internet Draft                                                      TCSL
Intended status: Informational                                R. Thakker
Expires: May 2016                                                   VGEC
                                                       November 10, 2015


      Dynamic Routed Network for Interconnection of Firewalls at
                     Multiple Geographic Locations
               draft-shet-opsawg-firewalls-interconn-00.txt


Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   This document may not be modified, and derivative works of it may
   not be created, and it may not be published except as an
   Internet-Draft.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on May 10, 2016.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document.

Sheth & Thakker           Expires May 10, 2016                  [Page 1]
Internet-Draft        Network to Interconnect Firewalls    November 2015

Abstract

   A firewall performs resource-intensive filtering of traffic based on
   a set of rules.
   A single firewall becomes a traffic bottleneck as the network
   expands and the number of connections and the required throughput
   grow.  This document describes a method of interconnecting firewalls
   at multiple geographic locations through a standalone network.  It
   enables each firewall to dedicate its full processing capacity to
   packet filtering: encryption, dynamic routing and anti-spoofing of
   traffic are handled outside the firewall function.  The placement of
   firewall and routing devices, together with the protocols used,
   forms the proposed system for improving overall network security and
   scalability.

Table of Contents

   1. Introduction ................................................ 2
   2. Conventions used in this document ........................... 3
   3. Firewall Placement .......................................... 3
      3.1. The Core Network ....................................... 5
      3.2. Routing ................................................ 5
      3.3. Proposed rules for inter site metrics .................. 6
   4. High Capacity Site .......................................... 7
   5. Dynamic Network Extension ................................... 7
   6. Security Considerations ..................................... 8
   7. IANA Considerations ......................................... 9
   8. Conclusions ................................................. 9
   9. References .................................................. 9
      9.1. Normative References ................................... 9
      9.2. Informative References ................................. 9
   10. Acknowledgments ............................................ 10

1. Introduction

   A firewall protects one or more inside networks, connects the inside
   protected network to the internet and also connects to other
   internal, geographically separated firewalls for access to the rest
   of the network.  Today, with growth and expansion, most companies
   are geographically spread all over the world.
   There is a need for increased network security when connecting one
   inside protected network with another inside protected network at a
   different geographical location, specifically over the internet.
   One known approach to avoid sending data in plain text over the
   internet is to establish a site-to-site virtual private network (VPN)
   using the firewalls at both locations.  The VPN ensures data
   security by encrypting the traffic.  However, the major challenge
   with site-to-site VPN is that it provides only static network
   routing.  With multiple sites, each site needs dedicated site-to-site
   VPN connectivity with all other sites.  This increases network
   complexity and creates bottlenecks in case of any site or link
   failure.  Considerable work has been done to study encryption
   algorithms for site-to-site IP Security (IPsec) VPN, to compare the
   performance of Border Gateway Protocol (BGP) and Multi-Protocol Label
   Switching (MPLS), and to set up virtual cluster clouds for inter-site
   connectivity.

   This document describes the system design of an interconnection of
   firewalls that achieves dynamic routing.  Apart from increased
   security, it also helps to improve scalability.

2. Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

3. Firewall Placement

   This document addresses a global or wide area network that
   interconnects all sites at different geographical locations and also
   interconnects all the networks within the same site.  The way
   connectivity is achieved between the sites is irrelevant to the site
   firewalls.  Firewalls only need dedicated network interfaces to
   connect to the different networks, as shown in Figure 1.
                                              ---------
                                             /         \
                                            |  Internet |_
                                            |           |
                                             \_________/
                                              ---------
                                                  ^
                                                  |
                                                  |
                                                  V
   ---------       +-----------+          +-----------+
  /         \      |           |          |           |
 |   Core    |__   |  Routing  |          | Firewall  |
 |  Network  |<--->|  Device   | <------> |  Device   |
  \_________/      |           |          |           |
   ---------       +-----------+          +-----------+
                                                  ^
                                                  |
                                                  |
                                                  V
                                              ---------
                                             /         \
                                            |Protected  |_
                                            | Network   |
                                             \_________/
                                              ---------

                      Figure 1 Single Site Setup

   Direct communication between devices at separate sites requires a
   network that connects the sites without translating addresses.  This
   network provides connectivity between internal networks; it does not
   provide internet connectivity.  For internet connectivity, the
   firewall uses a dedicated internet interface to route all internet
   traffic.  If there are no high performance requirements, the same
   firewall could also act as the routing device.

   A standard firewall has the following setup:

   1. Internet interface for connecting to the internet.
   2. Interface for connecting to the routing device of the proposed
      network.
   3. Inside interface(s) for connecting to the protected network.

   All communication to internal networks that are not behind the local
   firewall is routed via the core network interface.  It does not
   matter how the remote internal network is connected.  It could be in
   the same datacenter in a nearby rack, on the other side of the
   internet, behind a multiprotocol label switching (MPLS) virtual
   private network (VPN) or connected via a squad of synchronized
   yodelers.  Remote network connectivity is irrelevant to the
   firewalls, as that part is handled by the core network.  Scaling the
   network becomes a simple process of connecting new devices to the
   proposed network.

3.1. The Core Network

   The core network does not perform any detailed filtering of traffic.
   It performs the following:

   1. Encrypt all traffic between sites.
   2.
      Anti-spoof all traffic entering the proposed network.

   The standalone network consists of the devices used for routing and
   the links connecting them.  For inter-site connectivity, the links
   between routing devices use internet protocol security (IPsec)
   encapsulated generic routing encapsulation (GRE) tunnels.  Within a
   site, they are direct links or VLAN sub-interfaces.  Inter-site
   traffic is always encrypted, whether the carrier is the internet or
   a dedicated data service.

   Inside the core network there is no filtering of traffic.  It is a
   dynamically routed network that uses Border Gateway Protocol (BGP)
   for routing.  The network is split into multiple autonomous systems
   (AS) to stabilize the routing; keeping the routing stable helps
   prevent BGP breakdown.  It uses one backbone AS and multiple leaf
   AS.  Each leaf AS connects to the backbone AS for connectivity to
   the rest of the network.

3.2. Routing

   The backbone Autonomous System (AS) advertises all prefixes to the
   leaf AS.  A leaf AS only advertises its own prefixes when peering
   with other AS.  A leaf AS may peer with other leaf AS, but it does
   not provide transit between AS.  All traffic between AS in the
   network goes either via the backbone AS or via a direct peering
   between the AS.

   Inside each AS a BGP-only setup is used, with the Multi Exit
   Discriminator (MED) attribute used for path selection.  The MED
   provides a dynamic way to influence how another AS reaches a certain
   route when there are multiple entry points into that AS.  Below are
   some characteristics of the core network for path selection.

   1. All routing devices should have internal BGP (iBGP) peerings with
      only directly connected peers.
   2. All routing device iBGP peers are configured as route-reflectors.
   3. All routing devices re-write the next-hop in iBGP peering so it
      is reachable via connected routes.
   4.
      All routing devices increment MED on received prefixes.  The
      value used to increment MED should be the same on both sides of a
      peering.

3.3. Proposed rules for inter site metrics

   Some of the proposed rules for adapting inter-site metrics are as
   below.

   1. Traffic between directly connected backbone sites should be
      routed via the direct connections.
   2. Traffic from a leaf AS to directly connected backbone sites should
      be routed via the direct connection.
   3. Inter-site metrics should never be lower than +1k.
   4. Within a site, metrics should be either +100 or +127, depending on
      whether it is a primary or standby path.  The general idea is that
      the cost within a site should always be lower than that between
      sites.
   5. Each non-backbone site is configured as a leaf AS and connects to
      the backbone AS in two or more locations.
   6. The backbone AS sites are high-speed, high availability sites.

   The firewall or firewall cluster connects to the routing device
   through a dedicated edge interface.  Two separate firewall edge
   devices should not be installed on the same subnet.  Communication
   between firewall devices always traverses the proposed network.  All
   traffic entering the proposed network is subjected to anti-spoofing,
   using strict reverse path forwarding (RPF).

   The routing between the routing device and the firewall device can
   be either dynamic or static, depending on what the edge device
   supports.  Static routing has management overhead, as the devices
   may need to be manually updated as prefixes are added to and removed
   from the network.  When dynamic routing is used, route-filters are
   applied so that only specific networks are accepted into the routing
   protocol.

   The firewall edge device is only responsible for protecting the
   networks behind it.  It is allowed to have a rule set that permits
   any traffic from its inside networks to the proposed network.
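   The MED path-selection rules of section 3.2 and the metric and strict
   RPF rules of section 3.3, worked through as an added example that is
   not part of this draft: a small Python model in which every routing
   device adds the per-link increment to the MED of received prefixes
   and installs the lowest-MED path, a check of each link against the
   +100/+127 and +1k rules, and the strict RPF decision applied to the
   resulting best paths.  The topology, the router names and the single
   prefix originated at A1 are constructed for the example.

```python
import heapq

# Metric values proposed in section 3.3 (rules 3 and 4).
INTRA_PRIMARY = 100
INTRA_STANDBY = 127
INTER_SITE_MIN = 1000

# Constructed topology, not from the draft: (router, router, MED increment).
# Router names are hypothetical; the first letter is the site.  A and B are
# backbone sites, C is a leaf AS dual-homed to both of them (rule 5).
LINKS = [
    ("A1", "A2", INTRA_PRIMARY),   # within site A, primary path
    ("B1", "B2", INTRA_STANDBY),   # within site B, standby path
    ("A1", "B1", INTER_SITE_MIN),  # backbone site A <-> backbone site B
    ("A2", "B2", INTER_SITE_MIN),  # second backbone link, for redundancy
    ("C1", "A2", INTER_SITE_MIN),  # leaf C -> backbone site A
    ("C1", "B2", INTER_SITE_MIN),  # leaf C -> backbone site B
]

def check_metric_rules(links):
    """List links that break the +100/+127 intra-site or >= +1k inter-site rule."""
    problems = []
    for a, b, med in links:
        if a[0] == b[0] and med not in (INTRA_PRIMARY, INTRA_STANDBY):
            problems.append(f"{a}-{b}: intra-site metric {med} must be +100 or +127")
        elif a[0] != b[0] and med < INTER_SITE_MIN:
            problems.append(f"{a}-{b}: inter-site metric {med} below +1k")
    return problems

def accumulated_med(links, origin):
    """MED each router sees for a prefix originated at `origin` (MED 0): each device
    adds the link increment to received prefixes (3.2, item 4), lowest MED wins."""
    adj = {}
    for a, b, med in links:            # same increment on both sides of a peering
        adj.setdefault(a, []).append((b, med))
        adj.setdefault(b, []).append((a, med))
    best = {origin: (0, [origin])}     # router -> (MED, path from origin)
    heap = [(0, origin, [origin])]
    while heap:
        med, node, path = heapq.heappop(heap)
        if med > best[node][0]:
            continue                   # a cheaper path was already installed
        for nxt, inc in adj[node]:
            if nxt not in best or med + inc < best[nxt][0]:
                best[nxt] = (med + inc, path + [nxt])
                heapq.heappush(heap, (med + inc, nxt, path + [nxt]))
    return best

def strict_rpf_ok(best, router, ingress_neighbor):
    """Strict RPF at `router`: accept the origin prefix only from the best-path peer."""
    return best[router][1][-2] == ingress_neighbor

if __name__ == "__main__":
    for r, (med, path) in sorted(accumulated_med(LINKS, "A1").items()):
        print(f"{r}: MED {med} via {' -> '.join(path)}")
```

   For the prefix originated at A1, leaf router C1 reaches it over its
   direct link to backbone site A (MED 1100) rather than via site B
   (MED 2100), as rule 2 requires, and B2 accepts packets sourced from
   that prefix only when they arrive from A2.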
   Traffic routed via the proposed network should not use network
   address translation (NAT).  If it does, it will be subjected to the
   network policy for the firewall device range.

4. High Capacity Site

   A standard site contains a routing device which connects all the
   firewall edge devices and other routing devices.  It also connects
   to other sites using IPsec encapsulated GRE tunnels.  At backbone
   sites the routing devices also need to process traffic between
   remote sites.  IPsec processing is far more CPU intensive than plain
   forwarding; when the device needs to handle IPsec traffic, local
   forwarding performance is greatly reduced.

   To increase the capacity of the site, a new type of device is
   proposed.  This device is dedicated to routing traffic inside a
   site.  It takes over from the routing device the task of
   interconnecting all the network core and edge devices at a site.
   With this new device installed, the routing devices no longer need
   to process traffic between local devices; they only need to handle
   VPN traffic.  As a result, VPN capacity can be increased by adding
   additional routing devices to the site.  The new devices take care
   of the routing between all devices.

   As a by-product, the capability to add additional routing devices at
   a site also provides a way to overcome issues with link handling.
   If a site has firewall edge devices that require static routing and
   the site layout cannot support a routing device with a single
   physical VLAN trunk interface, additional site routing devices could
   be added to the site to handle such firewalls.

5. Dynamic Network Extension

   This section specifies how to connect the core network to other
   networks using dynamically routed interconnections.  This allows
   interconnections in multiple locations, which achieves redundancy
   and also improves routing between the networks.  It supports both
   local and VPN connectivity between networks.
   It also enables the routing device to have dynamically routed
   interconnections with other networks.  The interconnection is
   possible over:

   1. Direct physical interconnect.
   2. Encrypted VPN over the Internet or another third party network.

   The interconnections support source address verification.  They also
   support filtering of prefixes in the routing protocol.

   To handle the interconnections, an interconnect routing device is
   used.  It is dedicated to the task of interconnecting with other
   networks.  This setup is used when the network needs to be connected
   to other networks in more than one location using dynamic routing.
   It also means that no form of address translation is supported.
   Internal networks use the same address space; as a result,
   interconnecting them always requires some form of address
   translation.  Most networks have a VPN interconnect design to
   address these issues.  BGP is the routing protocol supported for
   network interconnections.

   There are two types of Interconnects.

   1. LAN Interconnect.  It is used in cases where both networks exist
      at the same location, such as the same data center.
   2. VPN Interconnect.  It is used in cases where an interconnect
      between the networks is wanted using the Internet or another
      third party network as carrier.

   From a routing perspective there is no difference between a LAN and
   a VPN Interconnect.  Under normal conditions, the proposed network
   advertises the same networks at all interconnect locations, and the
   other network is expected to do the same towards the proposed
   network.

   The interconnect routing device connects to the routing device for
   connectivity to the proposed network.  The interfaces used are core
   interfaces, and filtering of traffic is not done on either device.
   The physical connectivity of the interconnect routing device depends
   on the situation.
   Direct physical connection to the peer network is done on a
   dedicated physical interface.  For routing, each side advertises all
   its prefixes at all locations with the same metrics and BGP
   attributes.

6. Security Considerations

   No additional security risk is introduced by using the mechanisms
   proposed in this document.

7. IANA Considerations

   No requirements for IANA.

8. Conclusions

   This document proposes a system and method comprising a network for
   the interconnection of firewalls at multiple geographical locations
   connected through a wide area network, and also the interconnection
   of all the networks within the same site.  It applies to all
   communication to internal networks that are not behind the local
   firewall.  All such communication is routed through the proposed
   network, which is connected to the firewall via a dedicated
   interface.  A network design for sites that need higher capacity
   than other network sites is also proposed.  An extension of the
   design is also proposed in order to connect the proposed network to
   other external networks using dynamically routed interconnections.

9. References

9.1. Normative References

   [RFC793]   Postel, B., Bradner, S., "Transmission Control Protocol",
              STD 7, RFC 793, September 1981.

   [RFC4026]  Andersson, L., "Provider Provisioned Virtual Private
              Network (VPN) Terminology", RFC 4026, March 2005.

   [RFC4364]  Rosen, E., Rekhter, Y., "BGP/MPLS IP Virtual Private
              Networks", RFC 4364, February 2006.

9.2. Informative References

   [Att2006]  Attebury, G., Ramamurthy, B., "Router and Firewall
              Redundancy with OpenBSD and CARP", IEEE ICC, 146-151,
              2006.

   [OpenBSD-PF] OpenBSD, "pf(4) manual page: pf -- packet filter",
              2015.

   [RFC3511]  Hickman, B., Newman, D., Tadjudin, S., Martin, T.,
              "Benchmarking Methodology for Firewall Performance",
              RFC 3511, April 2003.
   [RFC2979]  Freed, N., "Behavior of and Requirements for Internet
              Firewalls", RFC 2979, October 2000.

   [RFC4924]  Aboba, B. and E. Davies, "Reflections on Internet
              Transparency", RFC 4924, July 2007.

   [RFC6887]  Wing, D., Cheshire, S., Boucadair, M., Penno, R., and
              P. Selkirk, "Port Control Protocol (PCP)", RFC 6887,
              April 2013.

10. Acknowledgments

   TBC

Authors' Addresses

   Chirag Sheth
   TCSL
   Garima Park, Gandhinagar - 382421, India
   Email: chirag.sheth@tcs.com

   Rajesh Thakker
   VGEC
   Motera, Chandkheda, Ahmedabad, India
   Email: rathakker2008@gmail.com