In Lessons 1 through 3, you learned about designing authentication, authorization, and encryption strategies in order to secure your Web site and your internal network against outside attacks. Another strategy that you can use to secure your network is to implement firewall protection. Although firewalls, by themselves, don’t completely safeguard your network, they do provide an added layer of security that can help prevent access to, or the destruction of, sensitive data. This lesson provides an overview of firewalls and describes firewall strategies that you can implement in your organization.
A firewall is a combination of hardware and software that prevents unauthorized access from outside the firewall to an internal network or intranet. Firewalls restrict access to network resources by allowing traffic only through specified port numbers. They provide additional security and protection to the services that are running within the network.
Firewalls allow organizations to support Internet connectivity while minimizing the risks to sensitive data. They prevent unauthorized users from accessing your internal network resources by examining incoming and outgoing data and blocking traffic that isn’t allowed. You can also use firewalls to control internal access to the Internet.
A firewall placed between your intranet and the Internet can partially protect your network from intrusion by controlling access from the Internet. However, you shouldn’t place sole reliance on a firewall for Web site security. For example, viruses have been designed to breach firewalls and wreak havoc on your site. Once a firewall is breached, you must rely on other security measures to defend resources against intruders.
A firewall examines and filters data as it passes through the firewall. Firewalls support various kinds of filtering. For example, Microsoft Internet Security and Acceleration (ISA) Server uses three methods of filtering data: packet filtering, circuit filtering, and application filtering.
Packet filters control the flow of IP packets to and from the firewall. Only explicitly allowed packets can pass through the firewall. Packet filtering can block packets that originate from specific Internet hosts and can reject packets associated with many common attacks. You can also use packet filtering to block packets destined to any service on your internal network. You can filter IP packets based on service type, port number, source computer name, and destination computer name.
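The packet-filtering behaviour described above, as an added example that is not part of the original lesson and not ISA Server code: a small rule evaluator in which only explicitly allowed packets pass (everything else is dropped), with rules that match on protocol, destination port, source network and destination network. The rule set, the server addresses (documentation ranges) and the "hostile" source host are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str              # source IP address
    dst: str              # destination IP address
    dport: Optional[int]  # destination port; None for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str = "any"           # "any" or a protocol name
    src: str = "0.0.0.0/0"       # source network in CIDR notation
    dst: str = "0.0.0.0/0"       # destination network in CIDR notation
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def filter_packet(rules: List[Rule], p: Packet) -> str:
    """First matching rule decides; a packet that matches no rule is dropped (default deny)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


# Constructed rule set for a perimeter with a Web server (192.0.2.10), a mail
# server (192.0.2.20) and a database server (192.0.2.30). All addresses are
# placeholders from the documentation ranges, not real hosts.
RULES = [
    Rule("deny", src="203.0.113.7/32"),   # one Internet host is blocked outright
    Rule("deny", dst="192.0.2.30/32"),    # no service on the database server is reachable
    Rule("allow", proto="tcp", dst="192.0.2.10/32", dport=80),
    Rule("allow", proto="tcp", dst="192.0.2.10/32", dport=443),
    Rule("allow", proto="tcp", dst="192.0.2.20/32", dport=25),
]


if __name__ == "__main__":
    samples = [
        Packet("tcp", "198.51.100.5", "192.0.2.10", 80),
        Packet("tcp", "203.0.113.7", "192.0.2.10", 80),
        Packet("tcp", "198.51.100.5", "192.0.2.30", 1433),
        Packet("tcp", "198.51.100.5", "192.0.2.10", 22),
    ]
    for pkt in samples:
        print(pkt, "->", filter_packet(RULES, pkt))
```

Rule order matters: the host-level deny sits first so that a blocked host cannot reach the Web server even though a later rule allows port 80 to it, and the final default deny is what makes "only explicitly allowed packets can pass" true.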
A firewall that performs circuit filtering inspects and filters sessions rather than connections or packets. With circuit filtering, sessions, which can support multiple connections, can be established only in response to a user request. Circuit filtering supports Internet applications and services, such as Telnet, mail, news, and streaming media. The firewall allows these applications and services to perform as if they were directly connected to the Internet.
Application filters analyze a data stream for a particular application and can then inspect, screen, redirect, or modify the data as it passes through the firewall. These filters block known exploits such as unsafe Simple Mail Transfer Protocol (SMTP) commands or attacks against internal Domain Name System (DNS) servers. You can also use third-party tools in conjunction with application filters to further extend the firewall. Unlike packet filters, which examine the source, destination, and type of traffic, application filters inspect the actual content of the traffic passing through the firewall. As a result, application filters can perform application-specific tasks, such as accessing secondary connections transparently, blocking potentially harmful commands, and detecting viruses. Application filters support a number of Internet-related protocols, such as HTTP, File Transfer Protocol (FTP), and SMTP.
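To show the difference between inspecting headers and inspecting content, here is an added example (not from the lesson, and not the ISA Server SMTP filter) of an application filter that screens the client side of an SMTP command stream: it refuses overlong or non-printable command lines, unknown verbs, and two valid-but-disabled verbs (VRFY and EXPN, which disclose which mailboxes exist), and it tracks the DATA state so that message content is not mistaken for commands. The command lists, the line limit taken from RFC 5321, and the sample session are assumptions constructed for the example.

```python
from typing import List, Tuple

# Commands this filter passes to the internal mail server; everything else is refused.
ALLOWED = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT", "STARTTLS"}
# Valid SMTP commands that are blocked anyway because they enumerate mailboxes and lists.
DISABLED = {"VRFY", "EXPN"}
# RFC 5321 limits a command line to 512 octets including CRLF; lines here carry no CRLF.
MAX_COMMAND_CHARS = 510


def screen_command(line: str) -> Tuple[str, str]:
    """Return ("pass", reason) or ("block", reason) for one client command line."""
    if len(line) > MAX_COMMAND_CHARS:
        return ("block", "overlong command line")
    if any(not (0x20 <= ord(c) <= 0x7E) for c in line):
        return ("block", "non-printable character in command")
    parts = line.split(None, 1)
    if not parts:
        return ("block", "empty command line")
    verb = parts[0].upper()
    if verb in DISABLED:
        return ("block", "disabled command")
    if verb not in ALLOWED:
        return ("block", "unknown command")
    return ("pass", "ok")


def screen_stream(lines: List[str]) -> List[Tuple[str, str]]:
    """Screen a client-to-server command stream, returning one verdict per line.

    Lines between an accepted DATA command and the terminating "." are message
    content, not commands, so they are passed through without command screening.
    (A real filter would also wait for the server's 354 reply; this simplification
    only looks at the client side.)
    """
    verdicts = []
    in_data = False
    for line in lines:
        if in_data:
            verdicts.append(("pass", "message data"))
            if line == ".":
                in_data = False
            continue
        verdict, reason = screen_command(line)
        verdicts.append((verdict, reason))
        if verdict == "pass" and line.split()[0].upper() == "DATA":
            in_data = True
    return verdicts


# Constructed sample session (not captured traffic).
SESSION = [
    "EHLO client.example.net",
    "VRFY postmaster",                 # blocked: disabled command
    "MAIL FROM:<alice@example.net>",
    "RCPT TO:<bob@example.com>",
    "DATA",
    "Subject: hello",
    "",
    "VRFY postmaster",                 # inside the message body: content, not a command
    ".",
    "XEXCH50 " + "A" * 600,            # blocked: overlong (and unknown) command
    "QUIT",
]

if __name__ == "__main__":
    for line, (verdict, reason) in zip(SESSION, screen_stream(SESSION)):
        print(f"{verdict:5} {reason:32} {line[:40]}")
```

A packet filter would have passed every one of these lines, since each is TCP traffic to port 25; only a filter that parses the application protocol can tell a disabled verb from a harmless one, and only one that tracks the protocol state avoids blocking a legitimate message whose body happens to contain the word VRFY.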
Network Address Translation (NAT) translates private internal IP addresses to public external addresses in order to hide internally managed addresses from external networks. NAT allows you to use unregistered IP addresses internally and then use only a small number of registered IP addresses externally, which allows you to hide the internal network structure.
Some firewall services allow you to use NAT to support clients that have no special software. The firewalls provide transparent support for client computers with no special client software configured on those computers. For example, ISA Server uses SecureNAT to extend Windows 2000 NAT functionality. SecureNAT clients can be configured so that all traffic destined to the Internet is sent by way of ISA Server, either directly or indirectly, through a router. SecureNAT enables IP-based access control, content analysis by application filters, and use of the ISA Server cache through the HTTP filters. Servers that publish information to the Internet, such as mail servers, can be SecureNAT clients.
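The address hiding described in the two NAT paragraphs, as an added example that is not part of the lesson and is not SecureNAT or Windows 2000 NAT code: a minimal port-based NAT gateway that rewrites outbound packets to a single public address, keeps a translation table so replies reach the right internal host, and drops inbound packets for which no internal host opened a mapping. The public address, the internal network, the port range and the sample hosts are constructed assumptions.

```python
import ipaddress
import itertools
from typing import Dict, Optional, Tuple

Endpoint4 = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)


class NatGateway:
    """Illustrative many-to-one NAT (port address translation) with a state table."""

    def __init__(self, public_ip: str, internal_net: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.internal_net = ipaddress.ip_network(internal_net)
        self.next_port = itertools.count(first_port)
        # public port -> (internal_ip, internal_port, remote_ip, remote_port)
        self.table: Dict[int, Endpoint4] = {}
        # the reverse lookup, so a host's existing mapping is reused
        self.reverse: Dict[Endpoint4, int] = {}

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Optional[Endpoint4]:
        """Translate an internal-to-Internet packet; returns it as the Internet sees it."""
        if ipaddress.ip_address(src_ip) not in self.internal_net:
            return None   # not from a host we translate for
        key = (src_ip, src_port, dst_ip, dst_port)
        pub_port = self.reverse.get(key)
        if pub_port is None:
            pub_port = next(self.next_port)
            self.reverse[key] = pub_port
            self.table[pub_port] = key
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip: str, src_port: int, dst_port: int) -> Optional[Endpoint4]:
        """Translate an Internet-to-gateway packet; unsolicited packets are dropped."""
        key = self.table.get(dst_port)
        if key is None:
            return None   # no internal host opened this mapping
        int_ip, int_port, remote_ip, remote_port = key
        if (src_ip, src_port) != (remote_ip, remote_port):
            return None   # mapping exists, but not for this remote peer
        return (src_ip, src_port, int_ip, int_port)


if __name__ == "__main__":
    gw = NatGateway("203.0.113.1", "10.0.0.0/24")      # constructed addresses
    print(gw.outbound("10.0.0.5", 51000, "198.51.100.80", 80))
    print(gw.outbound("10.0.0.6", 51000, "198.51.100.80", 80))
    print(gw.inbound("198.51.100.80", 80, 40001))      # reply, delivered to 10.0.0.6
    print(gw.inbound("198.51.100.80", 80, 40002))      # unsolicited, dropped
```

Two internal hosts talking to the same Web server appear to it as one public address with two different source ports, so the Internet side learns nothing about the internal addressing; and because inbound delivery requires a mapping created by an internal host, a packet from the Internet that no internal host asked for has nowhere to go.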
A proxy server manages traffic between programs on one network and servers on another. The proxy server responds to a request from a client program by translating the request and passing it to the Internet. When a computer on the Internet responds, the proxy server passes that response back to the client program on the computer that made the request. The proxy server computer has two network interfaces: one connected to the LAN and one connected to the Internet.
You can use Microsoft Proxy Server to regulate traffic from your LAN out to the Internet. Proxy Server acts as a gateway with firewall-class security. It allows clients and servers to access the Internet while keeping your intranet free from intruders. Proxy Server blocks inbound connections. Internal clients can initiate connections to Internet servers, but Internet clients can’t initiate connections to the internal clients. Proxy Server can also restrict outbound connections.
Some firewall applications can be configured to support proxy services. For example, ISA Server can act as a proxy server for requests generated from a client browser. The browser sends the requests directly to the Web Proxy Service on the ISA Server computer to determine if Internet access is allowed.
A perimeter network defines an area of your network—protected by firewalls—that’s used to provide a secure environment in which to host your Web services and make them available to Internet clients without compromising the security of your services, applications, sensitive data, or private network. You can set up a perimeter network and its firewall configuration in several ways, depending on your organization’s needs and your network’s current topology; however, often the perimeter network topology falls into two categories: single firewall and back-to-back firewalls.
A single firewall is the simplest way to set up your perimeter network. In this configuration, you use one firewall configured with three network interface cards (NICs). One NIC is connected to the private network, one to the Internet, and one to the perimeter network, as shown in Figure 10.12.
Figure 10.12 - Perimeter network supported by one firewall
Using one firewall has several advantages:
The main disadvantage of this configuration is that it protects the corporate network with only one layer of firewall protection. If an intruder can get past the firewall, resources in the corporate network could be at as much risk as those in the perimeter network. However, additional layers of firewall protection can provide more effective security.
In a perimeter network that’s configured with back-to-back firewalls, a firewall is located on either side of the perimeter network. The front end of the perimeter network is connected to the Internet through one of the firewalls, and the back end of the perimeter network is connected to the corporate network through the other firewall, as shown in Figure 10.13.
Figure 10.13 - Perimeter network supported by back-to-back firewalls
By adding a second firewall, you reduce the risk of compromise because an attacker would need to break into both systems to access resources in the corporate network. However, a second firewall makes configuration more complicated and more expensive than a single firewall. Another drawback of this configuration is that the corporate network depends on the perimeter network for its connection to the Internet: if the perimeter network experiences connectivity problems, the corporate network is affected as well.
In some cases you might want to add additional firewalls between tiers in your perimeter network to minimize the number of computers accessible directly from the Internet, making it more difficult to disrupt or abuse back-end servers. For example, you can place a firewall between the Web server tier and the data tier, as shown in Figure 10.14. In this configuration the corporate network is even more difficult for a hacker to access, and you can protect the back-end database servers from vulnerabilities that don’t depend on the relationship between the Web servers and the database servers. You can also use the firewall to limit the IP addresses that can request data directly from the database servers. Although adding a third firewall adds even more cost and administrative overhead, it does increase security.
Figure 10.14 - Perimeter network supported by three firewalls
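The back-to-back and three-firewall topologies above, as an added example that is not part of the lesson and does not reproduce any product's configuration: the zones (Internet, Web tier, back-end tier, corporate network) form a chain, each link is guarded by one firewall, and a flow is permitted only if every firewall on its path permits it. The zone names, firewall names, services and the policy contents are constructed assumptions. The example goes one step beyond the text by letting you set one firewall to permit-all, to show which flows the remaining firewalls still stop.

```python
from typing import Dict, List, Optional, Set, Tuple

# Zones in the order they are chained; traffic between non-adjacent zones
# crosses every link in between (as the text notes, the corporate network
# reaches the Internet only through the perimeter network).
ZONES = ["internet", "web", "backend", "corporate"]

# Which firewall guards each link. "fw1" and "fw2" are the back-to-back pair;
# "fw3" is the optional third firewall between the Web tier and the back end.
LINKS = {
    frozenset({"internet", "web"}): "fw1",
    frozenset({"web", "backend"}): "fw3",
    frozenset({"backend", "corporate"}): "fw2",
}

Flow = Tuple[str, str, str]   # (source zone, destination zone, service)

# Per-firewall allow lists; anything not listed is denied by that firewall.
# A value of None models a firewall that has been set to permit everything.
POLICY: Dict[str, Optional[Set[Flow]]] = {
    "fw1": {("internet", "web", "https"), ("corporate", "internet", "https")},
    "fw3": {("web", "backend", "sql"), ("corporate", "internet", "https")},
    "fw2": {("corporate", "internet", "https"), ("corporate", "backend", "sql")},
}


def firewalls_on_path(src: str, dst: str) -> List[str]:
    """Firewalls a flow crosses, listed from the source side outward."""
    i, j = ZONES.index(src), ZONES.index(dst)
    step = 1 if j > i else -1
    return [LINKS[frozenset({ZONES[k], ZONES[k + step]})] for k in range(i, j, step)]


def evaluate_flow(src: str, dst: str, service: str,
                  policy: Dict[str, Optional[Set[Flow]]] = POLICY) -> Tuple[str, Optional[str]]:
    """Return ("allow", None) or ("deny", <first firewall that blocks the flow>)."""
    for fw in firewalls_on_path(src, dst):
        allowed = policy[fw]
        if allowed is None:
            continue                       # permit-all firewall adds no protection
        if (src, dst, service) not in allowed:
            return ("deny", fw)
    return ("allow", None)


if __name__ == "__main__":
    checks = [("internet", "web", "https"), ("internet", "backend", "sql"),
              ("web", "backend", "sql"), ("web", "corporate", "smb"),
              ("corporate", "internet", "https")]
    for flow in checks:
        print(flow, "->", evaluate_flow(*flow))
    weakened = dict(POLICY)
    weakened["fw3"] = None                 # the third firewall permits everything
    print("with fw3 permit-all:", evaluate_flow("web", "corporate", "smb", weakened))
```

The point the lesson makes about layers shows up in the weakened run: with the third firewall permitting everything, a flow from a Web server into the corporate network is still denied by fw2, and an Internet host still cannot reach the back end because fw1 never let that flow in, whereas in the single-firewall design of Figure 10.12 the one firewall's policy is all that stands between the two.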
When you implement firewall protection in your perimeter network, you can use a single firewall or back-to-back firewalls. In addition, if you use back-to-back firewalls, you can also add firewalls between tiers in the perimeter network. Table 10.10 describes some of the considerations that you should take into account when planning your perimeter network strategy.
When designing a firewall strategy, you should determine how much security you need and what you can afford in terms of costs and administrative overhead. In general, the more layers of firewall protection you can implement, the more secure your network.
Table 10.10 Perimeter Network Topology

Single firewall: This configuration is the easiest and most inexpensive to implement. The corporate network can continue to connect to the Internet should the perimeter network fail. The perimeter network is physically separated from other networks. However, it protects the corporate network with only one layer of firewall protection.

Back-to-back firewalls: The more layers of firewall protection you can add to your network, the more security you can provide. However, additional firewalls increase costs and administrative overhead. In addition, the corporate network is dependent on the perimeter network to connect to the Internet.
Woodgrove Bank is providing Web-based services to its customers. Its perimeter network is based on a back-to-back firewall model. To provide services to its customers, it uses ASP-based applications that access COM+ components on a separate physical tier. The COM+ components then access data from the databases on a third tier. In order to provide an extra level of security, administrators decided to implement a layer of firewall protection between the Web servers and the COM+ application servers, as shown in Figure 10.15. The additional firewall protects the back-end servers from vulnerabilities that don’t depend on the relationship between the Web servers and the back-end servers.
Figure 10.15 - A layer of firewall protection between the Web cluster and the COM+ application cluster
A firewall prevents unauthorized access from outside the firewall to an internal network or intranet. A firewall examines and filters data as it passes through the firewall. Packet filters control the flow of IP packets to and from the firewall, circuit filters inspect and filter sessions, and application filters analyze a data stream for a particular application and can then inspect, screen, redirect, or modify the data as it passes through the firewall. NAT translates private internal IP addresses to public external addresses in order to hide internally managed addresses from external networks. A proxy server manages traffic between programs on one network and servers on another. A perimeter network defines an area of your network that’s used to provide a secure environment. Two common configurations that you can use to set up your firewalls are a single firewall strategy and a back-to-back firewall strategy. A single firewall is the easiest and most inexpensive solution to implement. A back-to-back configuration with two or more firewalls provides greater security.