15.6 Firewalls and the Web

In the world of fire prevention and control, a firewall is a barrier that is designed to prevent the spread of fire from one area to another. Firewalls in buildings are typically thick brick affairs, with only a few openings for doors that automatically close when the fire alarm gets set off. In a car, firewalls are designed to protect the occupants from engine fires. Overall, the fundamental guiding principle is that a firewall does not prevent fires, but instead merely contains the fire and gives people time to escape.

In the world of the Internet, the term firewall is taken to mean some kind of filter or barrier that affects the Internet traffic passed between two networks. Firewalls are often used as a perimeter defense, making it possible for an organization to decide which protocols it will exchange with the outside world. Firewalls can also be used to block access to particular sites on the Internet; for example, to prevent employees from downloading information from servers that are on a blacklist of pornographic sites.

One problem with firewalls is that organizations tend to adopt laxer internal security controls once a firewall is deployed. After all, the thinking goes, if a firewall is deployed and is keeping out the bad guys, why bother with internal controls such as encryption and passwords? The problem with this thinking is that it overlooks the fact that many attacks come from trusted insiders; according to the FBI, organizations should assume that 1% of their employees are malicious and acting against the organization's interests. Another problem with lax internal controls is that occasionally firewalls are bypassed; without strong internal controls, a failed or bypassed firewall will leave the organization wide open.

This section describes only the basics of firewalls. For a very complete discussion, see Building Internet Firewalls, by Elizabeth Zwicky, Simon Cooper, and Brent Chapman (O'Reilly).

15.6.1 Types of Firewalls

There are several kinds of firewalls in use on the Internet today.

Packet filtering

A packet filtering firewall is basically a router with a special set of filters that determines whether each packet is allowed to cross over a network boundary. Packet filtering firewalls can be easily implemented with most routers today, although they can also be purchased as standalone appliances. Packet filtering firewalls can be easily programmed to block all incoming connections from the Internet except for requests to a web server, and to allow outgoing connections of only particular types.

Packet filtering firewalls are fast and cheap: they are easy to purchase, quick to implement, and relatively straightforward to keep operating. The main problem with a packet filtering firewall is that packets that are allowed to pass through the firewall travel unimpeded from the source to the destination. Thus, if your packet filtering firewall allows SMTP connections from the outside to your mail server, and if an exploit is discovered for the version of sendmail that you are running, then your packet filtering firewall will not protect your sendmail server from the exploit.

Proxy

A proxy firewall overcomes some of the limitations of packet filtering firewalls by breaking the direct connection between the inside network and the outside network. Instead of allowing through the packets that correspond with SMTP, HTTP, SNMP and other protocols, a proxy firewall has a matched pair of servers and clients for each protocol that act as intermediaries between the two worlds. The problem with a proxy firewall is that the proxies themselves can also represent a vulnerability, allowing an attacker to break into your firewall! In theory, this shouldn't happen because the firewall vendors, being security companies, are supposed to do a better job writing their servers than the operating system vendors. But you can never be sure.

Network Address Translation

These days, most firewalls support Network Address Translation (NAT), a technology that transparently rewrites the IP addresses of Internet connections as they move across the firewall boundary. NAT is a handy technology; many organizations use NAT and IP addresses in Net 10 (e.g., 10.0.0.0 through 10.255.255.255) to allow for hundreds or thousands of desktop computers to hide behind a single IP address on the Internet. NAT also lets an organization change its upstream Internet provider without having to reconfigure every computer on its internal network.
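The following simulation is an added example, not code from the book or from any firewall product, of how source NAT lets a Net 10 LAN share one public address: each outbound connection is given the firewall's address and a fresh source port, the mapping is remembered, replies are rewritten back to the originating desktop, and inbound packets that match no mapping have nowhere to go. The public address 203.0.113.1, the Net 10 hosts, and the remote server address are constructed for the example.

```python
"""Source NAT with port translation (added example, not from the book)."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.1"   # constructed: the firewall's single Internet address
Endpoint = Tuple[str, int]  # (address, port)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


class SourceNAT:
    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = first_port
        # outbound: (internal src, sport, remote dst, dport) -> translated source port
        self._out: Dict[Tuple[str, int, str, int], int] = {}
        # inbound: (translated port, remote addr, remote port) -> (internal src, sport)
        self._in: Dict[Tuple[int, str, int], Endpoint] = {}

    def outbound(self, p: Packet) -> Packet:
        """Rewrite a LAN packet so it appears to come from the public address."""
        key = (p.src, p.sport, p.dst, p.dport)
        pub_port = self._out.get(key)
        if pub_port is None:                      # first packet of this flow
            pub_port = self._next_port
            self._next_port += 1
            self._out[key] = pub_port
            self._in[(pub_port, p.dst, p.dport)] = (p.src, p.sport)
        return replace(p, src=self.public_ip, sport=pub_port)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Rewrite a reply back to the LAN host, or return None (drop) if unmapped."""
        if p.dst != self.public_ip:
            return None
        inner = self._in.get((p.dport, p.src, p.sport))
        if inner is None:
            return None   # unsolicited: no inside host opened this flow
        return replace(p, dst=inner[0], dport=inner[1])


def demo() -> Dict[str, Optional[Packet]]:
    """Two Net 10 desktops using the same local port reach the same server."""
    nat = SourceNAT()
    server = "198.51.100.80"                       # constructed remote web server
    a = nat.outbound(Packet("10.0.0.5", 51000, server, 80, b"GET /a"))
    b = nat.outbound(Packet("10.0.0.6", 51000, server, 80, b"GET /b"))
    a_again = nat.outbound(Packet("10.0.0.5", 51000, server, 80, b"GET /a2"))
    # Replies arrive at the public address on the translated ports.
    reply_a = nat.inbound(Packet(server, 80, PUBLIC_IP, a.sport, b"200 a"))
    reply_b = nat.inbound(Packet(server, 80, PUBLIC_IP, b.sport, b"200 b"))
    # An inbound connection attempt nobody asked for matches no mapping.
    probe = nat.inbound(Packet("198.51.100.9", 33000, PUBLIC_IP, 22))
    return {"a": a, "b": b, "a_again": a_again,
            "reply_a": reply_a, "reply_b": reply_b, "probe": probe}
```

The two desktops collide on local port 51000, which is why the translator must allocate distinct public ports rather than only swapping addresses; the dropped probe shows the incidental filtering effect of NAT, which is a side effect of the mapping table and not a substitute for the packet filter rules described in this section.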

Virtual Private Networks

Many firewalls also support Virtual Private Networks (VPN), a technique that allows computers outside the firewall to tunnel their traffic through the firewall and then appear as if they are behind it. The primary purpose of VPN technology is to allow customers working at home or on the road to access Microsoft Windows file shares, Microsoft Exchange servers, and many corporate intranets that are not sufficiently secured to allow them to be placed on the external Internet. The problem with VPNs is that they can also allow attackers to tunnel seamlessly through a firewall. In December 2000, Microsoft revealed that its corporate network had been penetrated by attackers who had broken in using a VPN client running on an employee's home computer.

15.6.2 Protecting LANs with Firewalls

As discussed earlier, the primary use of firewalls is to protect LANs that are simply not secure enough to be placed on the Internet. Rather than patching every Windows desktop workstation and server to make sure that they will not crash if they receive the ping of death, it's easier and cheaper to simply program the organization's firewall to block all ICMP Echo packets from the outside world. This policy is sound until somebody inside your company starts sending out pings of death from your local network.

15.6.3 Protecting Web Servers with Firewalls

Firewalls can also be used to protect web servers. As with a LAN, the big advantage to protecting a web server with a firewall is that you can control the protocols the web server will see and the ones it will be shielded from. If your web server only offers HTTP services to the outside world, you can configure your firewall so that it will not pass traffic on anything other than port 80. If your web server also needs to support HTTP over SSL, you can open port 443.

In the event that a vulnerability is found with your web server, a firewall may prevent the attacker from using your web server as a base for attacking other computers on the Internet. For maximum protection, the firewall should also isolate the web server from your own internal network (see Figure 15-5). This should prevent an attacker who compromises your web server from using it as a base for attacking your own organization.

Figure 15-5. For high security, use a firewall to protect your web server from attackers on the Internet. Position the firewall so that it also protects your own organization from the web server.
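The policy engine below is an added example, not code from the book or from any firewall vendor. It models the packet filtering firewall of Section 15.6.1 as a first-match rule list with a default drop, laid out in the three zones of Figure 15-5: the Internet, a DMZ holding the web server, and the internal LAN on Net 10. The rules admit only ports 80 and 443 to the web server, block ICMP echo requests from outside (Section 15.6.2), and forbid the web server from opening connections into the LAN. Because a packet filter decides on headers alone, the example also shows that an accepted HTTP request is passed through whatever its body contains, which is the limitation Section 15.6.1 describes. The addresses 192.0.2.10, 198.51.100.7 and 10.1.2.3 and all rule comments are constructed for the example.

```python
"""Zone-based stateless packet filter (added example, not from the book)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

WEB_SERVER = "192.0.2.10"                # constructed: the web server in the DMZ
DMZ_NET = ip_network("192.0.2.0/24")     # constructed
INTERNAL_NET = ip_network("10.0.0.0/8")  # Net 10, as in the text


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp", "udp" or "icmp"
    dport: Optional[int] = None       # destination port for tcp/udp
    icmp_type: Optional[int] = None   # 8 = echo request (ping)
    syn: Optional[bool] = None        # tcp: True on a connection-opening segment
    payload: bytes = b""              # never examined by a packet filter


def zone_of(addr: str) -> str:
    """Map an address to the firewall interface it belongs to."""
    a = ip_address(addr)
    if a in DMZ_NET:
        return "dmz"
    if a in INTERNAL_NET:
        return "internal"
    return "internet"


@dataclass(frozen=True)
class Rule:
    action: str                       # "accept" or "drop"
    src_zone: Optional[str] = None    # None in any field matches anything
    dst_zone: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    dst: Optional[str] = None
    icmp_type: Optional[int] = None
    syn: Optional[bool] = None
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        wanted = [(self.src_zone, zone_of(p.src)), (self.dst_zone, zone_of(p.dst)),
                  (self.proto, p.proto), (self.dport, p.dport), (self.dst, p.dst),
                  (self.icmp_type, p.icmp_type), (self.syn, p.syn)]
        return all(want is None or want == have for want, have in wanted)


# First matching rule wins; anything unmatched falls through to the default drop.
POLICY: List[Rule] = [
    Rule("accept", "internet", "dmz", "tcp", 80, WEB_SERVER, comment="HTTP to web server"),
    Rule("accept", "internet", "dmz", "tcp", 443, WEB_SERVER, comment="HTTPS to web server"),
    Rule("drop", "internet", None, "icmp", icmp_type=8, comment="no echo requests from outside"),
    Rule("drop", "dmz", "internal", comment="a compromised web server must not reach the LAN"),
    Rule("accept", "internal", "internet", "tcp", comment="LAN may open connections outward"),
    # A stateless filter remembers no connections, so replies are admitted by the
    # classic "established" rule: TCP segments from outside with the SYN flag clear.
    Rule("accept", "internet", "internal", "tcp", syn=False, comment="replies to LAN-opened flows"),
]


def filter_packet(p: Packet, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (action, reason) for one packet under a first-match policy."""
    for rule in policy:
        if rule.matches(p):
            return rule.action, rule.comment
    return "drop", "default deny"


def demo() -> Dict[str, str]:
    """Run constructed packets through the policy and collect the verdicts."""
    outside, lan_host = "198.51.100.7", "10.1.2.3"    # constructed addresses
    packets = {
        "http_to_web_server": Packet(outside, WEB_SERVER, "tcp", dport=80, syn=True),
        "ssh_to_web_server": Packet(outside, WEB_SERVER, "tcp", dport=22, syn=True),
        "ping_from_outside": Packet(outside, WEB_SERVER, "icmp", icmp_type=8),
        "web_server_to_lan": Packet(WEB_SERVER, lan_host, "tcp", dport=445, syn=True),
        "lan_to_mail_server": Packet(lan_host, outside, "tcp", dport=25, syn=True),
        "reply_to_lan": Packet(outside, lan_host, "tcp", dport=40000, syn=False),
        # Same headers as the first packet: the filter accepts it regardless of
        # what the request body contains, which is the limitation in the text.
        "http_with_any_payload": Packet(outside, WEB_SERVER, "tcp", dport=80, syn=True,
                                        payload=b"GET /cgi-bin/search?q=... HTTP/1.0\r\n\r\n"),
    }
    return {name: filter_packet(p)[0] for name, p in packets.items()}
```

Running `demo()` yields accept for the two HTTP packets, the LAN's outbound mail connection and the reply to it, and drop for SSH to the web server, the ping from outside, and the web server's attempt to reach the LAN. The "established" rule is what makes a stateless filter workable; a stateful firewall replaces it with a connection table, which also closes the gap that an outside host can send SYN-clear segments at the LAN without having been contacted first.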

One of the nice advantages of using a firewall to protect your web server is that you can then use the firewall's VPN capabilities to allow you to securely update the web server's content.



Web Security, Privacy and Commerce, 2nd Edition
ISBN: 0596000456
Year: 2000
Pages: 194