Internet Security: A Jumpstart for Systems Administrators and IT Managers
ISBN: 1555582982
EAN: 2147483647
EAN: 2147483647
Year: 2003
Pages: 103
Pages: 103
Authors: Tim Speed, Juanita Ellis
|
A firewall is a system designed to control access to applications on a network, typically access to a private network from the public Internet. We know that when we connect to the Internet or any outside entity, we need a firewall. There are many different choices when it comes to defining the topology, selecting the vendor, and selecting the type of firewall.
There are three main types of firewall software and hardware configurations:
Packet filtering
Proxy server or application gateway
Circuit-level gateway or generic application proxy
This chapter will help you assess the main types of firewall architectural options. In addition, an evaluation checklist exists for selecting firewall vendor solutions.
There are several reasons why we need a firewall:
Loss of mission-critical business information
Loss of services such as e-mail, HTTP, FTP, and EDI
Protection of legal and confidential information
Prevention of exposure to network servers and workstations
Enforcement of security policies
Will firewalls solve all of your security problems? No, but they do provide a needed level of security. They do not, however, protect against users accidentally revealing a password, computers within an organization connecting to a phone that is not protected from the firewall, or insider attacks. Over 50% of all security breaches occur from insiders. Not all firewall products check incoming code for signs of viruses and Trojan horses. You will still need to implement hardware level security, OS security, application security, and solid policies and procedures. Even though they are not a 100% guarantee, you still need them in place to add additional levels of security for your enterprise's data. The question is, how much security do you really need? [1]
Firewalls have traditionally been valued for the restrictions or the protection they provide. They can, however, do far more. They also act as "enablers" for an enterprise to safely interact with the Internet. Firewalls are an essential element in the infrastructure of the Internet-facing enterprise and the selection of the right components and configurations will go a long way toward not only protecting internal proprietary information but also in safely opening up opportunities for your business. By doing your homework and making the right choices, you will provide your business with a gatekeeper that screens visitors and protects the walls of your electronic community so that the modern day Billy the Kid is prevented from accessing the "town's bank."
In analyzing architectural considerations, it is important to keep in mind that many factors should be evaluated. There is no "one solution fits all" approach that is right for every business. In performing your initial analysis, and on to the final product selection, you must consider factors such as product performance, the security level desired, the availability or "dependability" desired, cost, manageability, configurability, and functional features. It will be necessary to make certain allowances or trade-offs, as not every product or architectural layout may be able to meet your every requirement. As a consequence, you must decide those factors that are most critical to your enterprise and prioritize them accordingly.
The following considerations should be included when performing your initial architectural analysis:
How much traffic will be passing through the firewall system? During busier times, will a single firewall host be enough or will a multiple firewall host layout be required?
Based on the nature of your proprietary data and your level of security desired, do you want to have incoming traffic pass through more than one firewall system? Are you willing to endure the extra cost and slower transaction times required in order to do this?
How important is it for your enterprise to review the flow of traffic passing through the firewall system? Do you want to have the ability to screen every single message and request for linking to an external site, or are you more interested in restricting access to only certain types of sites?
How critical is the dependability of your firewall system? Do you want to spend extra money on a system that is highly reliable and is available 24 hours a day, seven days a week? If you have only one firewall device in place and it fails, what repercussions would you face? Would it affect your ability to conduct business openly and securely?
Since not every product can meet your every need, do you need to consider products from more than one vendor in order to make your business less vulnerable to different types of external attacks?
What unique functional features will your firewall system require based on the characteristics of the business?
What is your budget for the implementation of the firewall system? Do you have carte blanche to install a state-of-the-art system, or will you have to make concessions due to budgetary constraints? Is your budget adequate to meet minimum security needs?
The answers to these questions will help guide you to the types of firewalls that are right for your enterprise.
The main function of a firewall is to protect the internal proprietary data from the outside world. There are three major types of firewalls used for protecting an enterprise's Intranet, but any device that controls traffic flowing through a network for security reasons can be considered a firewall. The three major types of firewalls utilize different methods to basically accomplish the same thing protect an internal network. The most basic type of firewall is a packet-filtering device, also known as a screening router. Packet-filtering firewalls are routers that operate in the low levels of a network protocol stack. At the higher end are the proxy-server gateways that perform proxy services for internal clients by regulating incoming external network traffic and by monitoring and providing traffic control of outgoing internal packets. The third type of firewall, known as the circuit-level gateway, relies on stateful inspection techniques. "Stateful inspection" is a filtering technique that requires a trade-off between performance and security. Let's look at the three main firewall types.
Packet-filtering firewalls provide a way to filter IP addresses by either of two basic methods:
Allowing access to known IP addresses
Denying access to IP addresses and ports
By allowing access to known IP addresses, for example, you could allow access only to recognized, established IP addresses, or, you could deny access to all unknown or unrecognized IP addresses.
By denying access to IP addresses or ports, for example, you could deny access to port 80 to outsiders. Since most HTTP servers run on port 80, this would in effect block off all outside access to the HTTP server.
According to a report by CERT, it is most beneficial to utilize packet filtering techniques to permit only approved and known network traffic to the utmost degree possible. The use of packet filtering can be a very cost-effective means to add traffic control to an already existing router infrastructure.
IP packet filtering is accomplished by all firewalls in some fashion. This is normally done through a packet-filtering router. The router will filter or screen packets traveling through the router's interfaces that are operating under the firewall policy established by the enterprise. A packet is a piece of information that is being transmitted over the network. The packet filtering router will examine the path the packet is taking and the type of information contained in the packet. If the packet passes the firewall policy's tests, it is permitted to continue on its path. The information the packet filtering router looks for includes (1) the packet source IP address and source TCP/ UDP port, and (2) the destination IP address and destination TCP/UDP port of the packet.
Some packet-filtering firewalls will only be able to filter IP addresses and not the source TCP/UDP port, but having TCP or UDP filtering as a feature can provide much greater maneuverability, since traffic can be restricted for all incoming connections except those selected by the enterprise.
Packet-filtering firewalls are generally run on either general purpose computers that act as routers or on special-purpose routers. Both have their advantages and disadvantages. The main advantage of the general purpose computer is that it offers unlimited functional extensibility, whereas the disadvantages are average performance, a limited number of interfaces, and operating system weaknesses. The advantages of the special-purpose router are the greater number of interfaces and increased performance, whereas the disadvantages are reduced functional extensibility and higher memory requirements.
Although packet-filtering firewalls are less expensive than other types, and vendors are improving their offerings, they are considered less desirable in maintainability and configurability. They are useful for bandwidth control and limitation but are lacking in other features such as logging capabilities. If the firewall policy does not restrict certain types of packets, the packets may go unnoticed until an incident occurs. Enterprises utilizing packet-filtering firewalls should look for devices that can provide detailed logging, a simplified setup, and firewall policy checking.
Proxy servers, also known as application proxy or application gateway, use the same method as a packet filter in that they examine where the packet is being routed and the type of information contained in the packet. The application proxy, however, does not simply let the packet continue to its destination; it delivers the packet for you.
An application-proxy firewall is a server program that understands the type of information being transmitted for example, HTTP or FTP. It functions at a higher level in the protocol stack than do packet-filtering firewalls, thus providing more opportunities for the monitoring and control of accessibility. In dispatching messages from internal clients to the external world, an application gateway acts much like a distributor and modifies the source identification of the client packets. This accomplishes two purposes: First, it disguises the internal client to the rest of the Internet, and second, it acts as a proxy agent for the client on the Internet.
By hiding the address of all internal computers, the risk of hackers gathering information about an enterprise's internal data is lessened. In the past, the use of proxy-type servers has resulted in reduced performance and transparency of access to other networks. Newer models, however, have addressed some of these issues.
Application gateways have addressed some of the weaknesses associated with packet-filtering devices in regard to applications that forward and filter connections for services such as Telnet and FTP. Application gateways and packet-filtering devices do not have to be used independently, however. Using application-gateway firewalls and packet-filtering devices in conjunction can provide higher levels of security and flexibility than using either of the two alone. An example for this would be a web site that uses a packet-filtering firewall to block out all incoming Telnet and FTP connections and routs them to an application gateway. Through the use of an application gateway, the source IP address of incoming Telnet and FTP packets can be authenticated and logged, and if the information contained in the packets passes the application gateway's acceptance criteria, a proxy is created and a connection is allowed between the gateway and the selected internal host. The application gateway will allow through only those connections for which a proxy has been created. This form of firewall system allows only those services that are considered trustworthy of passing through to the enterprise's internal systems and prevents mistrusted services from passing through without the monitoring and control of the firewall system administrators.
The advantages offered by application gateways are numerous. By hiding the source IP address of a client to external systems, additional protection is provided from the prying eyes of hackers intent on extracting information from your internal systems. The use of logging and authentication features serves to identify and authorize external services attempting to enter your internal network. Unwanted and unwelcomed guests can be recognized and kept out. This is also a very cost-effective approach, as any third-party devices for authenticating and logging only need to be located at the application gateway. Application gateways also permit the use of simpler filtering rules. Instead of having to route application traffic to several different systems, it only need be routed to the application gateway; all other traffic can be rejected.
Many types of application gateways also support e-mail and other services in addition to Telnet and FTP. Since application gateways route many forms of application traffic, they enable security policies that are based not only on source and destination IP addresses and services, but the actual data contained in the application packets can be evaluated as well.
In the case of an application gateway that is gathering and routing e-mail among an Intranet, the Extranet and Internet would view all internal users under a form based on the name of the e-mail application gateway for example, <user@name-of-email-host.> The e-mail application gateway will route mail from the Extranet or Internet throughout the internal network. Internal users can send mail externally either directly from their hosts or via the e-mail application gateway that directs the mail to the destination host. Application gateways can also monitor and weed out e-mail packets containing viruses and other unwanted forms of commercial e-mail from penetrating through to the internal areas of your business.
As in the case of packet-filtering firewalls, application gateways are generally run on either general purpose computers that act as routers or on special-purpose proxy servers.
Packet-filtering devices are by and large faster performers than application gateways but characteristically lack the security offered by most proxy services.
Given the additional complexity of application gateways over packet-filtering firewalls, the additional computing resources and cost of supporting such a system should be considered when you are assessing the firewall needs for your enterprise. As an example, depending on your requirements, the host may have to support hundreds to thousands of proxy processes for all of the concurrent sessions in use on your network. As with most business decisions, the greater the performance demanded, the higher the costs that will be incurred for attaining that added performance.
A circuit-level gateway is similar to an application gateway, except that it does not need to understand the type of information being transmitted. For example, SOCKS servers can act as circuit-level gateways. "SOCKS" is a protocol that a server utilizes to accept requests from a client in an internal network so that it can dispatch them across the Internet. SOCKS uses sockets to monitor individual connections.
Circuit-level gateways perform the stateful inspection or dynamic packet filtering for making filtering decisions. Although circuit-level gateways are sometimes grouped with application gateways, they belong in a separate category since they perform no extra evaluation of data in a packet beyond making the approved connections between the outside world and the internal network.
The stateful inspection is a circuit-level gateway function that allows for more robust screening than that offered by packet-filtering devices, in that both packet content and prior packet history are used to establish filtering decisions. This inspection is an "add-on" function, so the circuit-level gateway device also serves as a router.
This add-on functionality provides increased performance over application proxies by compromising between performance and security criteria.
Circuit-level gateways, then, offer increased security monitoring capabilities over packet-filtering firewalls, but still rely on a well-laid-out core routing structure, and, like application proxies, can be set up to specify advanced accessibility decision making.
The section presented here on firewall evaluation guidelines, including the "Firewall Buyer's Assessment Form," has been used in its entirety with permission from ICSA.net. [2]
The exact features a firewall needs in order to effectively implement the specific policies of an organization vary. In general, however, a firewall should be able to do the following:
Support a "deny all services except those specifically permitted" design policy, even if that is not the policy initially used.
Support a security policy, not impose one.
Accommodate new services and needs if the security policy of the organization changes.
Contain advanced authentication measures or the hooks for installing advanced authentication measures if needed.
Employ techniques to permit or deny services to specified host systems as needed.
Log access to and through the firewall.
Use a flexible, user-friendly IP-filtering language that is easy to program and can filter on a wide variety of attributes, including source and destination IP address, protocol type, source and destination TCP/UDP port, and inbound and outbound interface.
If users require services such as NNTP, X11, HTTP, or gopher, the firewall would do well to support the corresponding services. The firewall typically should also act as a mail gateway for Internet mail, reducing direct SMTP connections between site and remote systems, resulting in centralized handling of site e-mail. The firewall should accommodate public access to the site such that the firewall can protect public information servers while segregating them from other site systems that do not require the public to have access.
The firewall should be able to concentrate and filter dial-in access (if you have that requirement). It should contain mechanisms for logging traffic and suspicious activity, as well as mechanisms for log reduction to keep logs readable and understandable. If the firewall requires an operating system such as UNIX, a secured version of the operating system should be included, along with other security tools as necessary to ensure firewall host integrity and all operating system patches installed. Note that there is no reason for the firewall machine itself to use the same operating system as the company network.
Indeed, numerous firewalls use their own proprietary operating system, optimized for performance and security. However, managing the firewall may be simpler on a system with a familiar operating system and interface.
The firewall's strength and correctness should be verifiable. Its design should be simple so that administrators can understand and maintain it. The firewall and any corresponding operating system should be updated with patches and other bug fixes in a timely manner.
As mentioned in earlier discussion, the Internet constantly changes. New vulnerabilities can arise. New services and enhancements to other services may represent potential difficulties for any firewall installation. Therefore, flexibility to adapt to changing needs is important, as is the process of staying current on new threats and vulnerabilities. You may want to subscribe to some of the mailing lists catalogued at our web site (http://www.icsa.net/) or consider a paid subscription to reconnaissance services such as ICSA's TruSecure Monitor.
Some organizations have the capability to put together their own firewalls, either by using available software components and equipment or by writing a firewall from scratch. At the same time, plenty of vendors offer a wide range of services in firewall technology, from providing the necessary hardware and software to developing security policy and carrying out risk assessments, security reviews, and security training.
One of the advantages for a company in building its own firewall is that in-house personnel will subsequently understand the specifics of the design and use of the firewall. Such knowledge may not exist in-house for a vendor-supported firewall. On the other hand, an in-house firewall can require a great deal of time to build, document, and maintain. These costs are easy to overlook. Organizations sometimes make the mistake of anticipating only the equipment costs. When the company makes a true accounting of all costs associated with building a firewall, it could prove more economical to purchase from a vendor.
Consideration of the following questions may help the organization decide whether or not it has the resources to build and operate a successful firewall:
How will the firewall be tested?
Who will verify that the firewall performs as expected?
Who will perform general maintenance of the firewall, such as backups and repairs?
Who will install updates to the firewall, such as new proxy servers, patches, and other enhancements?
Can security-related patches and problems be corrected in a timely manner?
Who will perform user support and training?
Many vendors offer maintenance services along with firewall installation, so the organization can consider using those if it does not have the internal resources to perform these functions. Either way, organizations must view firewall administration as a critical job role and afford it as much time as possible. In small organizations, the task may require less than a full-time position. However, it should take precedence over other duties assigned to the responsible individual.
A firewall can only be as effective as its administration makes it. A poorly maintained firewall may become insecure and may permit break-ins while providing an illusion of security. Security policy should clearly reflect the importance of strong firewall administration, and management should demonstrate its commitment to this importance in terms of personnel, funding, and other necessary resources. A firewall should not serve as an excuse to pay less attention to site system administration. In fact, if a firewall is penetrated, a poorly administered site will be wide open to intrusions and resultant damage. A firewall also in no way reduces the need for highly skilled system administration. At the same time, a firewall can permit a site to be proactive in its system administration as opposed to reactive. Because the firewall provides a barrier, sites can spend more time on system administration duties and less time reacting to incidents and damage control.
Sites should perform the following during firewall implementation:
Standardize operating system versions and software to make installation of patches and security fixes more manageable.
Institute a program for efficient, sitewide installation of patches and new software.
Use services to assist in centralizing system administration, if this will result in better administration and better security.
Perform periodic scans and checks of host systems to detect common vulnerabilities and errors in configuration.
Ensure that a communications pathway exists between system administrators and security administrators to alert the site about new security problems, alerts, patches, and other security-related information.
Given the state of the firewalls market and the speed at which the Internet is changing, nearly any organization should be able to find a commercial firewall that fits the business and security needs of the organization. Remember, a firewall can be very good at what it does, but it still is mainly a security perimeter device. Firewalls, alone, are not enough.
Amoroso and Sharp concur that no single set of firewall features is right for all environments. [3] They recommend that each shopper select features based on the site's unique requirements. To use their example, a heavily serviced Internet connection requiring identification of all users who connect to the Internet needs user-authentication capabilities, whereas an Internet connection used only for e-mail exchange needs little firewalling at all. Amoroso and Sharp also caution against relying too heavily on grades or rankings in magazine articles and papers, as these evaluations make assumptions about site requirements. For example, speed always factors heavily in these rankings but sites with a Tl (1.5 Mbits/sec) or slower connection to the Internet will find most available firewalls fast enough to suit their needs. Further factors that could affect your choice of firewall features, according to those same authors are:
The severity of the threat to the network
The potential loss if an intruder breaks into the network
Other security mechanisms already employed to protect the network and its resources
The loss to the organization if the firewall prevents all access to and from the Internet due either to a hardware or software failure or to a successful denial-of-service attack to the firewall itself
The services the organization wishes to support to and from the Internet
The throughput requirements for the connection that is, the number of simultaneous users going through the firewall
The availability of knowledgeable firewall administrators at the site
Potential future requirements, such as increased activity through the firewall or new Internet services requested by users
[1]Source: http://www.cert.org/security-improvement/modules/m08.html, http://csrc.ncsl.nist.gov/nistpubs/800-10/node1.html
[2]Source: http://www.icsa.net/html/communities/firewalls/buyers_guide/index.shtml
[3]Amoroso, Edward and Ronald Sharp. Intranet and Internet Firewall Strategies. New York: Ziff Davis. 1996.
|