Calls: Send in your ideas. Deadline April 1, 2024
logo

Last update: 2016-03-14

Grant
End: 2017-01

SnabbWall

SnabbWall is a layer-7 network flow detector and firewall application.

Layer-7 firewalls, or application firewalls, empower technical users and administrators near the endpoints of networks. They can provide one centralized, flexible tool to subsume many other ones, simultaneously reducing the burden to learn how to achieve certain ends, and freeing people from the confines of very specific tools.

Software Defined Networking has been revolutionizing the network space over the last couple of years. SDN uses commodity hardware to implement network elements and functionalities which were generally provided by very expensive, and usually inflexible, special-purpose network appliances.

SnabbWall is designed as a modular, application-level (Layer-7) firewall suite built on the foundations of the popular open source SDN Snabb Switch, allowing it to be used with cheap commodity hardware.

As an application-level (Layer-7) firewall, it will be able to:

  • Inspect network traffic and detect flows of related data, and pinpoint which application has produced a certain data flow.
  • Filter (drop, reject, or accept) packets using criteria specified in a set of rules, which can use the information inferred by inspecting the packets.

As a suite, it will include a complete firewall program out of the box.

As a modular system, it will provide a set of components which can be reused in other Snabb Switch designs.

SnabbWall components

The L7 Spy application will be capable of identifying protocol data flows (that is, it will work in at the application level, or Layer-7) but other than that packets just flow through it. The idea here is that sometimes it is interesting to just know which kind of traffic passes through a network, for example to gather statistics. If a packet is determined to belong to a certain protocol, ancillary metadata is attached to the packet. The way metadata is handled does not ever modify the packet itself, so applications which are not designed to handle it do not need to be modified.

On the other hand, the L7 Firewall application will implement the actual logic of matching packets against a set of rules which determine what to do with each one of them. What is special about this application is that, on top of what other filtering solutions like pflua may offer, it also allows to match the additional metadata generated by L7 Spy — if present.

Note that it is not at all necessary to use both applications in tandem: they can function independently, to allow others to mix-and-match them as desired. Yet, they are designed to work together, and SnabbWall also provides a standalone program (snabb wall) which implements a complete application-level firewall.

A project of Igalia.