What Can Firewalls Do?


Chapter 2, "Firewall Basics," and all of Part II, "How Firewalls Work," examine the details of how different types of firewalls work; before delving into more detail, however, you need to understand from a broad design perspective what firewalls can and cannot do. All firewalls (or at least all fire-walls that you should be considering implementing) share some common traits and functionality that help define what a firewall can do.

Fundamentally, firewalls need to be able to perform the following tasks:

  • Manage and control network traffic

  • Authenticate access

  • Act as an intermediary

  • Protect resources

  • Record and report on events

Firewalls Manage and Control Network Traffic

The first and most fundamental functionality that all firewalls must perform is to manage and control the network traffic that is allowed to access the protected network or host. Firewalls typically do so by inspecting the packets and monitoring the connections that are being made, and then filtering connections based on the packet-inspection results and connections that are observed.

Packet Inspection

Packet inspection is the process of intercepting and processing the data in a packet to determine whether it should be permitted or denied in accordance with the defined access policy. Packet inspection can look at any or all of the following elements in making a filtering determination:

  • Source IP address

  • Source port

  • Destination IP address

  • Destination port

  • IP protocol

  • Packet header information (that is, sequence numbers, checksums, data flags, payload information, and so on)

An important thing to keep in mind about packet inspection is that, to make a filtering decision, the firewall must inspect every single packet in every direction and on all interfaces, and access control rules must exist for every packet that will be inspected. This requirement can present a problem when it comes time to define an access control rule to address the return traffic from a permitted request.

Connections and State

For two TCP/IP hosts to communicate with one another, they must establish some sort of connection with each other. Connections serve two purposes. First, the hosts can use the connection to identify themselves to each other. This identification ensures that systems do not inadvertently deliver data to hosts that are not involved in the connection. Firewalls can use this connection information to determine what connections between hosts are allowed by the access control policy and thus determine whether data should be permitted or denied.

Second, connections are used to define the manner in which two hosts will communicate with each other. For Transmission Control Protocol (TCP), this type of connection is known as a connection-oriented session. For User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP), this type of connection is known as a connectionless session. Although connectionless session would seem to be contradictory in this context (how can a connection be connectionless?), connectionless session simply means that the hosts do not undertake any special mechanisms to ensure reliable data delivery, unlike TCP, which does undertake special mechanisms (specifically sequencing) to ensure that data is reliably delivered. Connections allow the hosts to know what the rules of etiquette for communications are. For example, when Host A makes a request for data from Host B using a protocol such as TCP, Host B responds with the data that was requested, not with a new connection request or with data other than what was requested.

This defined structure of a connection can be used to determine the state of the communications between two hosts. The easiest way to think of state is to think of a conversation between two people. If Bob asks John a question, the proper response is for John to answer the question. Thus, at the point that Bob has asked his question, the state of the conversation is that it is waiting for a response from John.

Network communication follows a similar format for tracking the state of a conversation. When Host A attempts to communicate with Host B, Host A initiates a connection request. Host B then responds to the connection request, and in doing so defines how the two hosts will keep track of what data needs to be sent and when it should be sent. So if Host A initiates a request, it can be assumed that the state of the conversation at that time is waiting for a response from Host B. Figure 1-2 illustrates this process in detail:

Figure 1-2. Connections Between Hosts


  1. HostA initiates a connection to HostB.

  2. HostB responds to the connection request from HostA.

  3. HostA finalizes the connection with HostB, allowing for the passing of data.

  4. HostA begins transmitting the required data to HostB.

  5. HostB responds as required, either with the requested data, or to periodically acknowledge the receipt of data from HostA.

Firewalls can monitor this connection state information to determine whether to permit or deny traffic. For example, when the firewall sees the first connection request from HostA (Step 1), it knows that the next data it should see is the acknowledgment of the connection request from HostB (Step 2). This is typically done by maintaining a state table that tracks what the state of all the conversations traversing the firewall are in. By monitoring the state of the conversation, the firewall can determine whether data being passed is expected by the host in question, and if it is, it is permitted accordingly. If the data being passed does not match the state of the conversation (as defined by the state table), or if the data is not in the state table, it is dropped. This process is known as stateful inspection.

Stateful Packet Inspection

When firewalls combine stateful inspection with packet inspection, it is known as stateful packet inspection. This is the inspection of packets not only based on packet structure and the data contained in the packet, but also based on what state the conversation between hosts is in. This inspection allows firewalls to filter not only based on what the contents of the packet are, but also based on the connection or state in which the connection is currently in (and thus provides a much more flexible, maintainable, and scalable filtering solution).

A benefit of stateful packet inspection over the packet inspection discussed previously is that after a connection has been identified and permitted (after being inspected accordingly), it is generally not necessary to define a rule to permit the return communications because the firewall knows by state what an accepted response should be. This buys you the security of being able to perform inspection of the commands and data contained within the packet to determine whether a connection will be permitted, and then automatically have the firewall track the state of the conversation and dynamically permit traffic that is in accordance with the state of the conversation. This process is done without needing to explicitly define a rule to permit the responses and subsequent communications. Most firewalls today function in this manner.

Note

For more information about TCP/IP packet structure and TCP/IP-based communications, see Chapter 3, "TCP/IP for Firewalls."


Firewalls Authenticate Access

A common mistake that people make when evaluating firewalls is to consider packet inspection of the source IP address and port as being the same as authentication. Sure, packet inspection allows you to restrict what source hosts are able to communicate with your protected resources, but that does not ensure that the source host should be allowed to communicate with your protected resources. After all, it is a relatively trivial task to spoof an IP address, making one host appear to be an entirely different host and thus defeating inspection based on source address and port.

To eliminate this risk, firewalls also need to provide a means of authenticating access. TCP/IP was built on the premise of open communications. If two hosts know each others' IP addresses and are connected to each other, they are allowed to communicate. Although this was a noble design at the time, in today's world you may not want just anyone to be able to communicate with systems behind your firewall.

Firewalls can perform authentication using a number of mechanisms. First, the firewall can require the input of a username and password (often known as extended authentication or xauth). Using xauth, the user who attempts to initiate a connection is prompted for a username and password prior to the firewall allowing a connection to be established. Typically, after the connection has been authenticated and authorized by the security policy, the user is no longer prompted for authentication for that connection.

Another mechanism for authentication of connections is through the use of certificates and public keys. A benefit of certificates over xauth is that the authentication process can typically occur with no user intervention, provided the hosts have been properly configured with certificates and the firewall and hosts are using a properly configured public key infrastructure. A benefit of this approach is that it scales much better for large implementations.

Finally, authentication can be handled through the use of pre-shared keys (PSKs). PSKs are less complex to implement than certificates, while at the same time allowing for the authentication process to occur without user intervention. With PSKs, the host is provided a predetermined key that is used for the authentication process. A drawback of this system is that the PSK rarely changes and many organizations use the same key value for multiple remote hosts, thus undermining the security of the authentication process. If possible, certificate-based authentication or xauth should be used over (or in addition to) PSKs.

By implementing authentication, the firewall has an additional method of ensuring that the connection should be permitted. Even when the packet would be permitted based on inspection and the state of the connection, if the host cannot authenticate successfully with the firewall, the packet will be dropped.

Firewalls Act as an Intermediary

When people are concerned that a direct meeting would be too risky for them, they commonly use intermediaries to act on their behalf, and thus protect them from the risk of direct interaction. In the same vein, a firewall can be configured to act as an intermediary in the communications process between two hosts. This intermediary process is commonly referred to as acting as a proxy.

A proxy functions by effectively mimicking the host it is trying to protect. All communications destined for the protected host occurs with the proxy, which to the remote host appears to be the protected host. Indeed, the remote host has no way of knowing that it is not actually talking directly to the protected resource. The proxy receives packets destined for the protected host, strips out the relevant data, and builds a brand new packet that is then forwarded to the protected host. The protected host responds to the proxy, which simply reverses the process and forwards the response to the originating host. In doing so, the proxy (in this case, a firewall) acts as an intermediary to insulate the protected host from threats by ensuring that an external host can never directly communicate with the protected host.

In many cases, this function as a proxy is complemented by using a firewall that is capable of inspecting the actual application data to ensure that it is legitimate and nonmalicious data. When functioning in this manner, the firewall is known as working as an application proxy, because it is proxying the actual application functionality. This allows the firewall to inspect the actual application data itself (for example, allowing it to differentiate between legitimate HTTP traffic and malicious HTTP traffic) before presenting the data to the protected resource. For more detailed information about application proxies, see Chapter 2.

Firewalls Protect Resources

The single most important responsibility of a firewall is to protect resources from threat. This protection is achieved through the use of access control rules, stateful packet inspection, application proxies, or a combination of all to prevent the protected host from being accessed in a malicious manner or being made susceptible to malicious traffic. Firewalls are not an infallible method of protecting a resource however, and you should never rely exclusively on the firewall to protect a host. If an unpatched host (that is, a host that is lacking security updates that would protect it from being exploited) is connected to the Internet, a firewall may not be able to prevent that host from being exploited, especially if the exploit uses traffic that the firewall has been configured to permit. For example, if a packet-inspecting firewall permits HTTP traffic to an unpatched web server, a malicious user could leverage an HTTP-based exploit to compromise the web server because the web server is not patched against this new exploit. The unpatched web server renders the firewall useless as a protection device in this case. This is because the firewall cannot differentiate between malicious and nonmalicious HTTP requests, especially if the firewall does not function as an application proxy, and thus will happily pass the malicious HTTP data to the protected host. For this reason, protected resources should always be kept patched and up-to-date, in addition to being protected by a firewall.

Firewalls Record and Report on Events

The simple reality is that regardless of what you do to protect resources with a firewall, you cannot stop every malicious act or all malicious data. From simple misconfigurations of the firewall to new threats and exploits the firewall cannot protect against yet, you have to be prepared to deal with a security event that the firewall was not able to prevent. As a result, all firewalls should have a method of recording all communications (in particular access policy violations) that occur to enable the administrator to review the recorded data in an attempt to ascertain what transpired.

You can record firewall events in a number of ways, but most firewalls use two methods, either syslog or a proprietary logging format. By using either method of logging, the firewall logs can be interrogated to determine what may have transpired during a security event. In addition to the forensic analysis benefits of recording events, this data can also frequently be used when troubleshooting a firewall to help determine what may be the cause of the problem that is occurring.

Some events are important enough that merely logging them is not a good enough policy. In addition to logging the event, the firewall also needs to have a mechanism of alarming when a policy has been violated. Firewalls should support a number of types of alarms:

  • Console notification This is the simple process of presenting a notification to the console. The drawback of this alarm method is that it requires someone to be actively monitoring the console to know an alarm has been generated.

  • SNMP notification Simple Network Management Protocol (SNMP) can be used to generate traps that are sent to a network management system (NMS) that is monitoring the firewall.

  • Paging notification When an event occurs, the firewall can be configured to send a page to an administrator. This page can be numeric or alphanumeric, depending on the type of pager carried by the administrator.

  • E-mail notification Similar to paging notification, but the firewall simply sends an e-mail to the appropriate e-mail address.

By having a method of recording and reporting events, your firewall can provide an incredibly detailed level of insight as to what is currently occurring, or what may have previously occurred in the event that a forensic analysis must be performed.




Firewall Fundamentals
Firewall Fundamentals
ISBN: 1587052210
EAN: 2147483647
Year: 2006
Pages: 147

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net