Fun Talk about Network Protocols, Lecture 26 | Network Security in the Cloud: even without deep pockets, you still need basic security

This series of blog posts is based on the GeekTime course "Fun Talk about Network Protocols".

As we saw in the previous section, building a property-management system that keeps a shared environment in order for everyone is not easy. If all residents consciously follow the rules, fine; if some of them do not, it becomes very troublesome.

A public cloud environment is likewise not as pure as you might think. Hackers with bad intentions scan your ports everywhere, detect which applications you are running, and look for all kinds of vulnerabilities. It is like a thief slipping into a residential compound, trying here and there to see whether the windows are shut tight, whether the curtains are drawn, whether the owner is asleep, and when the moment has come to slip into the room.

Suppose you create a virtual machine with an e-commerce application in it. It is a very important application for you, so you harden it. But in the operating system of this virtual machine another background application happens to be installed, listening on a port, and you are not so alert about that one.

The virtual machine's ports are open to the public network, and this background application happens to be vulnerable. The hacker scans the port, breaks into your machine through the background application's port, and from inside the machine your hardened e-commerce website is compromised. It is as if you bought a five-star security door that even a truck could not break open, but the latch on the toilet window is broken and the thief came in through the toilet.

So for virtual machines on public clouds, my advice is to open only the required ports and close all the others. Then you only have to guard a single entrance with security measures. The usual method is an ACL (Access Control List) that controls which IPs may reach which ports.

After setting these rules, only the specified IP segments can reach the specified open ports. Even if a vulnerable background process exists, access to it is blocked and hackers cannot get in. On cloud platforms such rule sets are usually called security groups. How are security groups implemented?

What happens when a network packet enters a machine

Let's review what happens when a network packet enters a machine.

First the MAC header is stripped and checked: is this frame for me? If so, the IP header is stripped and, with the destination IP in hand, a routing decision is made. The point just before the routing decision is called PREROUTING. If the destination IP turns out to be mine, the packet is for this machine and is handed up to the transport layer; that point is called INPUT. If the IP is not mine, the packet must be forwarded; that point is called FORWARD. If the packet was mine, the upper layers usually produce a result after processing, and that result is sent back out; that point is called OUTPUT. Both FORWARD and OUTPUT occur after the routing decision. The final point is POSTROUTING.

The whole process is shown in the figure.
Packet processing is still the same process as before, so why should we pay special attention to these five points?

Netfilter framework implements iptables

Because the Linux kernel contains a framework called Netfilter. It can insert hook functions at exactly these points. The hooks intercept packets and can act on them, for example modifying them and then deciding what happens next: hand the packet back to the TCP/IP stack so it continues on its way (ACCEPT), discard it so it goes no further (DROP), or pass it to a user-space process (QUEUE).

QUEUE is the hardest of these to picture. It is often used for internal load balancing: incoming data is handed now to target address 1, now to target address 2, and the number and weights of the targets may change over time. The protocol stack cannot express such complex logic by itself, so you write a function that takes over the packets and implements the logic yourself.

Having the Netfilter framework is great: as long as you can implement these hook functions, you can intervene at any point along the IP forwarding path.

A well-known implementation is the kernel module ip_tables. It registers functions at these five points so that it can process packets according to rules. By function it falls into four categories: connection tracking (conntrack), packet filtering (filter), network address translation (nat) and packet modification (mangle). Connection tracking is the basic capability that the other functions depend on; the other three implement packet filtering, packet modification and network address translation respectively.

In user space there is a client program you must know, iptables, which uses the command line to manipulate the kernel's rules. The kernel functions map onto the iptables command line through the concepts of tables and chains.
iptables has four tables: raw, mangle, nat and filter, with priority decreasing in that order. raw is rarely used, so the main functions live in the other three tables. Each table can hold several chains.

The filter table handles filtering and mainly includes three chains:

  • INPUT chain: filters all packets whose destination is this machine;
  • FORWARD chain: filters all packets passing through this machine;
  • OUTPUT chain: filters all packets generated by this machine.

The nat table mainly handles network address translation. It can do SNAT (change the packet's source address) and DNAT (change the packet's destination address). It contains three chains:

  • PREROUTING chain: change the destination address when a packet reaches the firewall;
  • OUTPUT chain: change the destination address of locally generated packets;
  • POSTROUTING chain: change the source address when a packet leaves the firewall.

The mangle table is mainly for modifying packets and includes:

  • PREROUTING chain;
  • INPUT chain;
  • FORWARD chain;
  • OUTPUT chain;
  • POSTROUTING chain.

Adding the tables and chains of iptables to the process diagram above gives the following diagram and process.

  1. When a packet enters, it first passes through the PREROUTING chain of the mangle table, where the packet header can be changed as needed, and then the PREROUTING chain of the nat table, where DNAT (destination address translation) can be done as needed.
  2. At the routing decision, it is determined whether the packet is for the local machine or is to be forwarded.
  3. If it is for the local machine, it enters the INPUT chain, where entry is restricted by filtering conditions.
  4. After the local machine has processed it, the reply enters the OUTPUT chain, is filtered by conditions, and leaves the local machine.
  5. If it is to be forwarded, it enters the FORWARD chain, where forwarding is restricted by filtering conditions.
  6. It then enters the POSTROUTING chain, where SNAT can be done, and leaves through the network interface.

With the iptables command we can implement security policies in the cloud. For example, we can deal with the peeping described earlier. First we close all the doors.

iptables -t filter -A INPUT -s 0.0.0.0/0.0.0.0 -d X.X.X.X -j DROP

-s is the source IP segment, -d is the destination segment, and DROP means discard: no matter where it comes from, anyone who wants to reach my machine is refused, and nobody gets in.

But then you find you have locked yourself out: ssh can no longer get in and you cannot manage the machine remotely. So open that port (note the -I, which inserts the rule at the top of the chain, ahead of the DROP rule; a rule appended after the DROP would never be reached):

iptables -I INPUT -s 0.0.0.0/0.0.0.0 -d X.X.X.X -p tcp --dport 22 -j ACCEPT

If this machine provides web services, port 80 must also be opened. Of course, once opened, port 80 needs to be well protected, but from a policy perspective it has to be open. It too is inserted ahead of the DROP rule:

iptables -I INPUT -s 0.0.0.0/0.0.0.0 -d X.X.X.X -p tcp --dport 80 -j ACCEPT

Now every other port is blocked and only the security doors can be used. As long as those doors are five-star, things are much safer.

These rules can be configured inside the virtual machine by installing iptables yourself. But when there are very many virtual machines that all have to be configured, that is too much trouble for users. Can the cloud platform do this work instead?

iptables implements cloud platform filtering access and creates security groups

Of course. On a cloud platform, one or more virtual machines usually belong to a security group, and both traffic between virtual machines in different security groups and traffic from the external network to a virtual machine have to pass the security group's filtering.
For example, in the figure we create a series of websites. All of them use Tomcat as the front end and expose port 8080 to the outside; the database is MySQL and exposes port 3306.

To make operations easier, we create two security groups and put the virtual machines running Tomcat in security group A. In security group A, any IP address (0.0.0.0/0) may access port 8080, but ssh port 22 may only be accessed from the administrator segment 203.0.113.0/24.

We put the virtual machines running MySQL in security group B. In security group B, only machines from security group A may access port 3306, while ssh port 22 may again only be accessed from the administrator segment 203.0.113.0/24.

These security group rules can be pushed automatically to every virtual machine in the group, so the security policies of a large number of virtual machines can be controlled at once. How is this batch delivery done? Do you remember this picture?
Both VMs are connected to a bridge through tap devices, but a bridge works at layer 2 and the two VMs can talk to each other freely, so there has to be one place where these iptables rules are configured uniformly.

You can add an extra bridge and configure the iptables rules on it: the rules the user defines in the user interface are placed on this bridge. An Agent runs on each physical machine, translates the security groups the user configured into iptables rules, and applies them on this bridge.
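To tie the single-host commands above and the layout of security groups A and B together, here is an added example (not code from the original post) that renders a security group into an iptables filter chain and prints the commands instead of applying them. The subnets 10.0.1.0/24 and 10.0.2.0/24, the chain names SG_A and SG_B and the render_sg helper are assumptions for illustration; the administrator segment 203.0.113.0/24 and the ports come from the text.

```shell
#!/bin/sh
# Added example, not from the original post: render a security group into an
# iptables filter chain. Each allow spec is "proto:port:source", where source
# is a CIDR or "any". The chain ends in DROP, so only listed ports are reachable.
# Commands are printed, not applied; review them, then pipe the output to sh.
ADMIN_NET="203.0.113.0/24"     # administrator segment from the post
SG_A_NET="10.0.1.0/24"         # assumed subnet of the Tomcat VMs (group A)
SG_B_NET="10.0.2.0/24"         # assumed subnet of the MySQL VMs (group B)

# render_sg NAME VM_CIDR SPEC...   prints the rules for one security group
render_sg() {
  name=$1; vms=$2; shift 2
  printf 'iptables -t filter -N %s\n' "$name"
  # Replies to connections the VM opened itself must pass first; otherwise the
  # final DROP also breaks the VM's own outbound traffic (updates, DNS, ...).
  printf 'iptables -t filter -A %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$name"
  for spec in "$@"; do
    proto=${spec%%:*}; rest=${spec#*:}
    port=${rest%%:*}; src=${rest#*:}
    if [ "$src" = any ]; then
      printf 'iptables -t filter -A %s -p %s --dport %s -j ACCEPT\n' "$name" "$proto" "$port"
    else
      printf 'iptables -t filter -A %s -p %s --dport %s -s %s -j ACCEPT\n' "$name" "$proto" "$port" "$src"
    fi
  done
  printf 'iptables -t filter -A %s -j DROP\n' "$name"
  # Hook the chain for packets addressed to this group's VMs. On the bridge host
  # the VM traffic crosses FORWARD (bridged frames only reach iptables when
  # bridge-nf-call-iptables=1); inside a VM you would hook INPUT instead.
  printf 'iptables -t filter -A FORWARD -d %s -j %s\n' "$vms" "$name"
}

# Group A: Tomcat on 8080 open to all, ssh only from the administrator segment.
sg_a() { render_sg SG_A "$SG_A_NET" "tcp:8080:any" "tcp:22:$ADMIN_NET"; }
# Group B: MySQL on 3306 only from group A's VMs, ssh only from the admins.
sg_b() { render_sg SG_B "$SG_B_NET" "tcp:3306:$SG_A_NET" "tcp:22:$ADMIN_NET"; }

sg_a
sg_b
```

The order inside each chain is what matters: the ESTABLISHED,RELATED rule and the allow rules sit above the DROP, which is exactly the mistake the -A/-I distinction above guards against.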

The security problem is solved; iptables really is powerful! But don't stop yet: besides filter, iptables also has nat, and that function is just as important.

iptables implements cloud platform network address translation

As we said in the previous chapter, when designing a cloud platform we want to isolate the virtual machine network from the physical network, yet the virtual machines still need to reach the outside world through the physical network. So at that boundary a network address translation, nat, has to be done, and this too can be done with iptables.

We know that the IP header contains a source IP address and a destination IP address, and either of them can be translated to another address. Translating the source IP address is called SNAT; translating the destination IP address is called DNAT.

Have you ever thought about this: TCP connections come one after another, yet the IP address your laptop gets on your home WiFi is a private address, 192.168.1.x. After you visit the 163 website through your home router, how does the site's reply reach your laptop? It certainly cannot be sent to 192.168.1.x: that is a private address with no reachability on the public network, and countless households use the same segment, so how could anyone find you among that crowd?

So when you visit the 163 website from home, SNAT is done at your router's exit, and perhaps again at the operator's exit, until your private IP address has been converted into a public IP address. The 163 website then returns its result to that public IP, and the result is NATed back step by step until it reaches your laptop.

A virtual machine in the cloud platform is the same. It only has a private IP address. When its traffic reaches the external network port, SNAT converts it to a data-center network IP, and when it leaves the data center it is converted again to a public IP.
There is a question here. When doing SNAT on the external network port, are all virtual machines converted to one data-center network IP, or does each virtual machine get its own data-center network IP that ultimately maps to its own public IP? As I said before, public IPs are very expensive and there are many virtual machines, so each one certainly cannot have its own data-center network IP and public IP. This SNAT is therefore a special kind of SNAT: MASQUERADE (address masquerading).

In this way, all virtual machines share the data-center network IP and the public IP; everything that leaves through the external network port is rewritten to that address. But that raises another question: if everything becomes one public IP, then when the 163 website returns its result, whom is it for, and which private IP should it be NATed back to?

This is where Netfilter's connection tracking (conntrack) function comes in. TCP always establishes a connection first, and "source/destination IP + source/destination port" uniquely identifies a connection. Each connection is recorded in the conntrack table. When this machine requested the 163 website, its source address was SNATed to the public IP, but the conntrack table still holds a record of the connection. When the 163 website returns data, that record is looked up to find the correct private IP address.

This is the case where the virtual machine acts as the client. What if the virtual machine acts as the server? In other words, what if the 163 website is deployed in the virtual machine?

In that case a fixed physical-network IP address and public IP address must be configured for this website, and the SNAT and DNAT rules must be configured explicitly.

When external access comes in, the external network port converts the public IP address into the private IP address through the DNAT rule, and the packet reaches the virtual machine running the 163 website. When the result is returned, the SNAT rule converts the private IP address into the fixed public IP address assigned to it.

The rules look roughly like this:

  • Source address translation (SNAT): iptables -t nat -A POSTROUTING -s <private IP> -j SNAT --to-source <public IP>
  • Destination address translation (DNAT): iptables -t nat -A PREROUTING -d <public IP> -j DNAT --to-destination <private IP>
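As an added example (not from the original post), here are the two nat-table rule kinds from this section rendered into a small script: the explicit DNAT/SNAT pair for a virtual machine with a fixed public IP, followed by the MASQUERADE catch-all for the client-only virtual machines, in the order that makes both work. The interface name eth0, the VM network 10.0.0.0/16 and the addresses 10.0.1.10 and 198.51.100.10 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: emit the nat-table rules for the
# external network port. Client-only VMs share one address via MASQUERADE; a VM
# that hosts a public service gets an explicit DNAT/SNAT pair for its fixed
# public IP. Commands are printed, not applied.
EXT_IF="eth0"          # assumed name of the external-facing interface
VM_NET="10.0.0.0/16"   # assumed private network holding all the VMs

# nat_rules PRIVATE_IP PUBLIC_IP [PRIVATE_IP PUBLIC_IP ...]
# Each pair is one server VM with a fixed public IP; everything else is masqueraded.
nat_rules() {
  # Without forwarding enabled the packets never reach the nat rules at all.
  printf 'sysctl -w net.ipv4.ip_forward=1\n'
  while [ $# -ge 2 ]; do
    priv=$1; pub=$2; shift 2
    # Inbound: rewrite the public destination to the VM before the routing decision.
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -j DNAT --to-destination %s\n' "$EXT_IF" "$pub" "$priv"
    # Outbound: this VM leaves with its own fixed address, not the shared one.
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' "$EXT_IF" "$priv" "$pub"
  done
  # The catch-all goes last: rules match top-down and the first match wins, so a
  # MASQUERADE placed above the per-VM SNAT rules would swallow their traffic.
  # conntrack records each masqueraded connection so replies find the right VM;
  # on the host, "conntrack -L" (conntrack-tools) shows that table.
  printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j MASQUERADE\n' "$EXT_IF" "$VM_NET"
}

# One VM (assumed 10.0.1.10) hosting a website behind the public IP 198.51.100.10
nat_rules 10.0.1.10 198.51.100.10
```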

So far, iptables has solved the problem of illegal peeping at our privacy.

Summary

Okay, that's all for this section; let's summarize.

  • The usual way to implement security policy in the cloud is with iptables rules; remember its five stages: PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING.
  • iptables has four tables: raw, mangle, nat and filter. Security policy is mainly implemented in the filter table, and address translation between the virtual network and the physical network mainly in the nat table.

Finally, I will leave you two thinking questions.

  1. This section focused on the filter and nat functions of iptables. iptables can also achieve load balancing through QUEUE. Do you know how?
  2. This section only discussed peeping in the cloud. If a user is legitimate but hogs the network channel without restraint, what strategy should be adopted?
Origin blog.csdn.net/aha_jasper/article/details/105575699