We've talked about using Solaris as both a router and a gateway. Such systems can be reliable, stable, and secure, but a stock Solaris install offers nothing in the way of network access control: unlike most hardware routers, it does no packet filtering at all until additional software is installed.
In the interest of providing a more secure network, in this section we discuss various methods and packages available for providing firewall services to networks and systems. The benefit of doing so lies in allowing us to control the traffic that flows from one side of our router to the other. We also discuss design of networks using these packages and deployment of the systems. Additionally, we discuss the benefits and the drawbacks of using such systems.
Many commercial firewall implementations run on Solaris; Gauntlet and Check Point Firewall-1 are two examples. Free packages are available as well, notably Sun's SunScreen Lite and IP Filter by Darren Reed. We focus our discussion on SunScreen Lite and IP Filter.
What is the idea behind a firewall? The concept, in basic terms, is to keep the bad guys out while letting the good guys continue to have access to the outside (or at least the things that they are allowed to access on the outside) and letting in the people that need access. Although this sounds easy enough at first blush, implementing a firewall system is far more complicated in reality.
Most enterprises use multiple layers of firewalls to accomplish their mission. This multilayering has the benefit of distributing the load of access control, which prevents any one system from being a bottleneck. It also has the benefit of providing several layers of access control before reaching the final destination. The overall benefit is that network security and performance are enhanced.
There are also drawbacks to this design. One is that it creates multiple systems to maintain, which means additional labor. Another is the added complexity of multiple firewall rule sets: a single change on any one of the systems can easily result in a network nightmare.
So, what is the best solution? Opinions vary, and the armies of the "bigger firewalls" and the "more firewalls" camps continue to wage war over this issue. Our suggestion is to create an infrastructure that meets your business needs, provides security to hosts on the network, and does not restrict user access to the point of being unusable. The key to providing good network security is continuous planning.
Deploying security infrastructure is not a silver bullet, nor is it a permanent fix. You will continually discover problems with software: operating systems, applications, and even the firewall packages themselves are affected and in need of continuous update. Additionally, network needs and network sizes change. What works for your network today could be a burden on the network tomorrow. It is essential that you continuously monitor the security infrastructure placed on a network for both performance and security.
It is impossible to dictate in this book the best firewall design for a network. All networks have their own sets of needs and requirements. In the next section, we discuss general firewall design. We approach this topic from an objective standpoint and mention only the concepts we can apply to all networks.
Each firewall differs in configuration commands, administrative interfaces, and various features. All firewalls, however, are designed to do basically the same thing, which is filter traffic. The two types of firewalls available are stateless and stateful. Let's take a closer look at these two terms.
Stateless firewalls enforce a rule set without keeping track of traffic. These firewalls are generally referred to as packet filters: each packet is judged on its own, with no record of connection activity, or the "state" of connections. A packet filter is comparable to TCP Wrappers in that both admit or deny traffic by address and service, but a packet filter works at the IP layer, across every protocol and port, rather than only in front of the daemons that TCP Wrappers protects. Stateless firewalls are, in most cases, easily bypassed, because they cannot tell a genuine reply from an unsolicited packet; a rule that admits "return traffic" by passing any TCP segment with the ACK bit set, for example, also passes an attacker's probe that simply has the ACK bit set.
Stateful firewalls enforce rule sets and also keep track of connections to and from the system. Unlike packet filters, they record the state of each connection between hosts and permit further packets based on that state, so a reply is admitted only if the firewall saw the connection being opened. This type of firewall is more granular and configurable than the stateless variety and offers more security.
Previously, we mentioned that it is impossible to dictate in this text the best firewall rules for a network. That has not changed. However, we can establish some guidelines that apply generally to any network. Let's gather them into a list.
Use multiple layers of access control. This means filtering untrusted traffic from the border routers of the network, all the way to the firewall. This method has two benefits. The first is that a connection is scrutinized at multiple places on the network. The second is that it distributes the load of access control, preventing any one system from being a bottleneck as decisions are made about traffic.
Block all unnecessary traffic. A firewall should block everything unless a rule explicitly permits it, and only mission-critical services should be permitted; e-mail, for example, is mission critical for most organizations. Any service that must be allowed should pass through a proxy, if possible. This is not possible on every network, but the closer we get to this type of implementation, the better. Such a default-deny policy restricts access not only from the outside, where an attacker tries to get into our network, but also from the inside, where an unwitting user could execute a Trojan horse program that connects out to a host across the Internet and gives an intruder the ability to execute commands on the system locally.
Use stateful rules. Having a stateful firewall can greatly enhance overall network security. However, a stateful firewall does us no good if we do not use the stateful connection inspection features. When implementing rules, ensure that they check the state of connections.
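As an added example written for this discussion (not code from IP Filter, SunScreen, or the original text), the following Python simulation contrasts the two kinds of rule set. The IP Filter-style rules in the comments, the addresses, and the traffic are all constructed for illustration; the model handles only `quick` first-match rules, destination ports, and the SYN and ACK bits, and its state entries never expire:

```python
"""Stateless vs stateful TCP filtering, modelled in Python.

This is a constructed simulation written for this discussion, not IP Filter
or SunScreen code.  The comments show the IP Filter-style rules each model
corresponds to.  Simplifications: every rule is treated as `quick` (first
match wins), only destination ports and the SYN/ACK bits are matched, and
state entries never expire.  All addresses are documentation ranges chosen
for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from outside, "out" = leaving the protected net
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags of interest: "S" (SYN), "A" (ACK), "SA" (SYN+ACK)


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in", "out" or "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any port
    flags: Optional[str] = None  # None = any; "S" = bare SYN; "A" = ACK bit set
    keep_state: bool = False     # IP Filter's `keep state`

    def matches(self, p: Packet) -> bool:
        if self.direction not in ("any", p.direction):
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.flags == "S" and p.flags != "S":      # `flags S`: new connection only
            return False
        if self.flags == "A" and "A" not in p.flags:  # `flags A/A`: "established" hack
            return False
        return True


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.state = set()   # 4-tuples admitted by a keep-state rule, both directions

    def filter(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.state:             # belongs to a connection we already admitted
            return "pass"
        for r in self.rules:
            if r.matches(p):
                if r.action == "pass" and r.keep_state:
                    self.state.add(key)
                    self.state.add((p.dst, p.dport, p.src, p.sport))  # admit replies
                return r.action
        return "block"                    # nothing matched: default deny


def build_stateless() -> Firewall:
    # pass out quick proto tcp from 10.0.0.0/8 to any
    # pass in  quick proto tcp from any to 10.0.0.5 port = 25
    # pass in  quick proto tcp from any to 10.0.0.0/8 flags A/A   ("return traffic")
    # block in all / block out all
    return Firewall([
        Rule("pass", "out", src="10.0.0.0/8"),
        Rule("pass", "in", dst="10.0.0.5", dport=25),
        Rule("pass", "in", dst="10.0.0.0/8", flags="A"),
        Rule("block", "any"),
    ])


def build_stateful() -> Firewall:
    # pass out quick proto tcp from 10.0.0.0/8 to any flags S keep state
    # pass in  quick proto tcp from any to 10.0.0.5 port = 25 flags S keep state
    # block in all / block out all
    return Firewall([
        Rule("pass", "out", src="10.0.0.0/8", flags="S", keep_state=True),
        Rule("pass", "in", dst="10.0.0.5", dport=25, flags="S", keep_state=True),
        Rule("block", "any"),
    ])


# Constructed traffic: an inside web client, its reply, a legitimate mail
# connection, and an attacker's ACK-only probe at an inside ssh port.
INSIDE_SYN   = Packet("out", "10.0.0.7", 40000, "198.51.100.9", 80, "S")
REPLY_SYNACK = Packet("in", "198.51.100.9", 80, "10.0.0.7", 40000, "SA")
MAIL_SYN     = Packet("in", "203.0.113.4", 1235, "10.0.0.5", 25, "S")
CRAFTED_ACK  = Packet("in", "203.0.113.4", 1234, "10.0.0.7", 22, "A")


if __name__ == "__main__":
    for name, build in (("stateless", build_stateless), ("stateful", build_stateful)):
        fw = build()
        for pkt in (INSIDE_SYN, REPLY_SYNACK, MAIL_SYN, CRAFTED_ACK):
            print(f"{name:9s} {pkt.direction:3s} {pkt.src}:{pkt.sport} -> "
                  f"{pkt.dst}:{pkt.dport} [{pkt.flags}] {fw.filter(pkt)}")
```

Run it and the stateless model passes the attacker's ACK-only probe to port 22, because its "return traffic" rule cannot distinguish that probe from a reply; the stateful model blocks the probe, and blocks even a genuine-looking SYN-ACK, unless it saw the inside host's SYN first.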
It is outside the scope of this book to address network design issues such as private networks and the demilitarized zone, but it is worth noting that these concepts can be applied to networks of any type.
Let's move on and talk about some of the tools necessary to get the job done. Many firewall implementations are available for Solaris in the commercial arena, such as Gauntlet and Check Point Firewall-1. We discuss only the freely available tools here. We will not dig deeply into the use of these tools but merely mention them as part of the decision-making process in further securing our network.
SunScreen Lite is a free version of the SunScreen Secure Net firewall package. SunScreen Lite is designed to operate in routing mode. This means that the filter only filters traffic that the Solaris router is routing. This is perfect for our needs. SunScreen Lite can be used in VPNs and supports Simple Key Management for Internet Protocol (SKIP).
Some drawbacks are associated with this package as well. First, it has a number of package dependencies that may require adding packages, depending on how your system was installed. Next, it does not support high-availability clustering, so a SunScreen packet filter is a single point of failure: if the system fails for any reason, the entire network screened by the firewall becomes unreachable.
Another drawback is that it does not support proxies. If we decide to allow some services out of a tightly restricted network and those services require a proxy to communicate with the outside, SunScreen Lite cannot provide it. This could limit the use of some application proxies.
Finally, SunScreen Lite is limited in the number of interfaces it supports and in the number of addresses it can use for Network Address Translation (NAT). The package supports a maximum of two interfaces on a system, one inside and one outside, and it supports only 10 private addresses and two NAT rules. That constrains how many inside hosts can be published by mapping a predetermined outside address and port to a port on a system inside the private network. Additionally, SunScreen Lite has no IPv6 support.
The commercial SunScreen package supports all these features and adds some advanced ones, such as stealth firewalling, multiple interfaces, and time-based access control. If the constraints of SunScreen Lite do not prohibit its use on your network, it might be your best option. SunScreen is available from the Sun Download Center, and documentation on installing and administering it is also freely available from Sun.
The IP Filter package is one of the older firewall implementations available on the Internet, originally released in 1993. Written by Darren Reed, the program remains popular as a stateful firewall for UNIX hosts. It is freely available, open-source software. It can be implemented both as a network firewall and a host-based firewall. It supports both IPv4 and IPv6 networks.
The main IP Filter site is http://coombs.anu.edu.au/ipfilter/index.html. Documentation in the form of FAQs is linked from the site. Two other useful documents are a two-part article by Jeremy Rauch from July 2000, "Introduction to IP Filter," and Kristy Westphal's "Solaris and IP Filter: How to Make Them Your NAT Solution," both available from SecurityFocus at www.securityfocus.com.
For all its benefits, IP Filter suffers the same high-availability problem as SunScreen Lite: there is no failover, so the software introduces a single point of failure into the network. Additionally, IP Filter is not cryptographically aware; it filters and translates packets but does not itself provide VPN or encrypted tunnels the way SunScreen does with SKIP. The latter issue is more easily solved than the former, but both should be weighed in the decision process.
Another method that can be used to secure traffic is placing information systems on a private network and using NAT. NAT is defined in RFC 3022. The term private means that the addresses within the network (the RFC 1918 ranges 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) are not routable over the Internet. Systems on the network pass their traffic out through the router, which rewrites the source addresses so that the packets appear to have originated at the router.
The systems behind the NAT router are not directly accessible from the router's outside interface. Therefore, users outside the local network cannot access systems behind the NAT router unless either a specific port on the NAT router has been mapped to a specific port on a host or a specific IP address on the NAT router has been mapped to a specific IP address on the private network. This restriction provides the network with a limited amount of security.
Solaris 8 does not include utilities to provide NAT in the default software installation; the firewall packages mentioned previously all have NAT capabilities and can be used for this purpose. The drawback of relying solely on NAT, with no access control, is that hosts inside the network can still communicate with hosts outside, whether the user intends it or not. As we mentioned previously, an unwitting user who executes a Trojan horse program could give a remote attacker access to the system across the NAT router, because the Trojan opens the connection from the inside and the router translates the attacker's replies straight back to it; this is just one of many risks. It could result in the attacker compromising the system and, potentially, other network resources.
NAT is, however, extremely useful and is the saving grace of networks with limited public IP address space. If NAT is to be used, we recommend that you also use the firewall capabilities of the packages mentioned above, to provide a more secure network posture.
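As an added illustration of the behaviour just described (again a constructed Python model, not ipnat or SunScreen code), the router below translates outbound flows, honours one static port mapping, and drops everything else arriving on its outside address. The addresses, the mail-server mapping, and the Trojan call-out are assumptions made for the example:

```python
"""A NAT router with port mapping, modelled in Python.

Constructed illustration for this discussion; it is not IP Filter's ipnat
or SunScreen code, and the addresses are documentation ranges chosen for
the example (10.0.0.0/8 inside, 192.0.2.1 on the router's outside
interface).  Simplifications: a dynamic mapping is keyed on the inside
endpoint only and never expires, whereas a real NAT also tracks the
remote endpoint and ages idle entries.  Packets are (src, sport, dst, dport).
"""
import ipaddress

PRIVATE_NET = ipaddress.ip_network("10.0.0.0/8")  # RFC 1918 space, not routable on the Internet
PUBLIC_ADDR = "192.0.2.1"                         # router's outside interface (assumed)


class NatRouter:
    def __init__(self, static_maps=None, first_port=10000):
        # static_maps: {public_port: (inside_addr, inside_port)}, the equivalent of
        # an ipnat-style "rdr ... port 25 -> 10.0.0.5 port 25" rule
        self.static = dict(static_maps or {})
        self.outbound = {}   # (inside_addr, inside_port) -> public port
        self.inbound = {}    # public port -> (inside_addr, inside_port)
        self.next_port = first_port

    def translate_out(self, src, sport, dst, dport):
        """Packet leaving the private network: rewrite its source to the router."""
        if ipaddress.ip_address(src) not in PRIVATE_NET:
            return None                      # not an inside address: drop it
        key = (src, sport)
        if key not in self.outbound:         # first packet of a flow: allocate a port
            while self.next_port in self.static or self.next_port in self.inbound:
                self.next_port += 1
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return (PUBLIC_ADDR, self.outbound[key], dst, dport)

    def translate_in(self, src, sport, dst, dport):
        """Packet arriving on the outside interface: deliver inside or drop."""
        if dst != PUBLIC_ADDR:
            return None
        target = self.static.get(dport) or self.inbound.get(dport)
        if target is None:
            return None                      # no mapping: inside hosts are unreachable
        inside_addr, inside_port = target
        return (src, sport, inside_addr, inside_port)


def demo():
    """Run the cases the text describes; returns each translation (None = dropped)."""
    router = NatRouter(static_maps={25: ("10.0.0.5", 25)})   # published mail server
    results = {}
    # 1. An inside client reaches out; the reply finds its way back.
    results["client_out"] = router.translate_out("10.0.0.7", 40000, "198.51.100.9", 80)
    results["client_reply"] = router.translate_in("198.51.100.9", 80, PUBLIC_ADDR, 10000)
    # 2. An unsolicited probe at a port nobody mapped goes nowhere.
    results["probe"] = router.translate_in("203.0.113.4", 1234, PUBLIC_ADDR, 22)
    # 3. The static mapping lets mail reach the inside server.
    results["mail"] = router.translate_in("203.0.113.4", 1235, PUBLIC_ADDR, 25)
    # 4. NAT alone does not stop a Trojan calling out; once it has, the
    #    attacker's replies are translated straight back to the inside host.
    results["trojan_out"] = router.translate_out("10.0.0.9", 5555, "203.0.113.4", 6667)
    results["trojan_reply"] = router.translate_in("203.0.113.4", 6667, PUBLIC_ADDR, 10001)
    return results


if __name__ == "__main__":
    for name, packet in demo().items():
        print(f"{name:13s} {packet}")
```

The interesting case is the last pair: the Trojan's outbound connection is translated like any other, and the attacker's replies are delivered back to 10.0.0.9 without any rule ever being consulted. That is the gap a NAT-only design leaves, and the reason for pairing NAT with the filtering rules discussed above.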