Internet Firewall Policy




Because the Internet is not trustworthy, any organization system connected to the Internet is vulnerable to abuse and attack. Placing a firewall between the organization's local area network and the Internet can go a long way toward controlling access between trusted parties and less-trusted ones. A firewall is not a single component; rather, it is a strategy for protecting an organization's Internet-reachable assets. Firewalls serve as gatekeepers between the untrustworthy Internet and the more-trusted organization networks.

The primary function of a firewall is to centralize system access controls. If remote users, authorized or not, can reach the internal networks without traversing the firewalls, the firewalls' effectiveness is diminished. If a traveling employee is able to connect to his office workstation in a way that circumvents the organization's firewall architecture, then an attacker can do the same. Firewalls can pass or block individual network services; consequently, system administrators must consult with firewall administrators about which services are necessary for business operations. All unnecessary services must be disabled, denied, or blocked.

Firewalls provide several layers and types of protection:

  • Firewalls can block unwanted traffic, essentially partitioning the inside network from the outside network.

  • They can direct incoming traffic to more trustworthy internal systems.

  • They can conceal vulnerable systems that cannot be adequately secured against the Internet.

  • They can provide audit trails logging traffic to and from the organization's private networks and the Internet.

  • Firewalls can conceal information such as system addresses, network devices, and user identification from the Internet.

Authentication

Firewalls located at the perimeter of the organization's network, interfacing between the Internet and the internal networks, do not provide user authentication. Host-based firewalls usually provide these types of user authentication:

  • User names and passwords. A user name is compared against the list of authorized users and verified by the correct password. This is one of the least secure methods.

  • One-time passwords. One-time passwords, generated by software or hardware tokens, produce a new password for each user session. Old passwords cannot be reused if they are stolen, intercepted, or borrowed. With this method the user must know something and possess something before gaining access.

  • Digital certificates. Digital certificates use a certificate, generated with public key cryptography, that is issued by a trusted third party. With this access method the user must know something and have something.

Firewall Types

Packet-filtering firewalls are gateways, located at network routers, that screen packets according to policy rules granting or denying access based on several factors:

  • Packet source address. The firewall can deny system access from specific source addresses; for example, it can refuse entry to any packet whose source address belongs to a competing company.

  • Packet destination address. The firewall can deny access to any internal workstation or host based on its IP address; for example, all traffic attempting to connect to the client-list file server can be blocked.

  • Service port. Firewalls can block or allow access to specific services; for example, connection attempts to workstation TCP port 139 are denied.

Packet-filtering firewalls offer minimal security at very low cost. They can be an appropriate choice for a low-risk network environment. However, there are some drawbacks:

  • They do not protect against IP or DNS address spoofing.

  • Attackers will have direct access to any host on the internal network once access has been granted by the firewall.

  • Strong user authentication is not a feature supported by many packet-screening firewalls.

  • They do not generally provide complete or useful logging features.
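The screening factors listed above (source address, destination address, service port) and the spoofing drawback can be made concrete with a small rule evaluator. The following Python is an added example, not code from the book; every address, network and rule in it is constructed. It evaluates a first-match, default-deny policy expressing the three examples given above (a competing company's address block, the client-list file server, TCP port 139) and shows why a filter that trusts the source address alone is defeated by spoofing unless it also checks which interface a packet arrived on.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed addresses for the example
INTERNAL_NET = "10.1.0.0/16"         # trusted LAN behind the firewall
CLIENT_LIST_SERVER = "10.1.5.20/32"  # file server that outsiders must never reach
PUBLIC_WEB_SERVER = "10.1.1.80/32"   # the one internal host offered to the Internet
COMPETITOR_NET = "203.0.113.0/24"    # address block of a competing company


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "ext" (Internet) or "int" (LAN)
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any port
    iface: Optional[str] = None   # None matches any interface

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport)
                and self.iface in (None, p.iface))


def decide(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """First matching rule wins; anything unmatched gets the default (deny)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


# Anti-spoofing rule: a packet arriving from the Internet can never
# legitimately carry an internal source address.
ANTI_SPOOF = Rule("deny", src=INTERNAL_NET, iface="ext")

POLICY: List[Rule] = [
    ANTI_SPOOF,
    Rule("deny", src=COMPETITOR_NET),                          # competing company
    Rule("deny", dst=CLIENT_LIST_SERVER, iface="ext"),         # client-list file server
    Rule("deny", proto="tcp", dport=139),                      # NetBIOS session service
    Rule("allow", dst=PUBLIC_WEB_SERVER, proto="tcp", dport=80, iface="ext"),
    Rule("allow", src=INTERNAL_NET, iface="int"),              # LAN may go out
]


def spoofed_packet_outcome():
    """A packet from the Internet forging an internal source address: denied
    with the anti-spoofing rule, but allowed by a policy that trusts the
    source address alone (the drawback noted above)."""
    forged = Packet("ext", "10.1.2.3", "10.1.1.80", "tcp", 80)
    return decide(POLICY, forged), decide(POLICY[1:], forged)


if __name__ == "__main__":
    for pkt in [Packet("ext", "198.51.100.7", "10.1.1.80", "tcp", 80),
                Packet("ext", "198.51.100.7", "10.1.1.80", "tcp", 139),
                Packet("ext", "203.0.113.9", "10.1.1.80", "tcp", 80),
                Packet("ext", "198.51.100.7", "10.1.5.20", "tcp", 445),
                Packet("int", "10.1.2.3", "198.51.100.7", "tcp", 443)]:
        print(pkt, "->", decide(POLICY, pkt))
    print("spoofed (with, without anti-spoof):", spoofed_packet_outcome())
```

Two design points carry over to real packet filters: rule order matters because the first match wins, so the broad denials sit above the narrow allow; and the default of deny means a service that nobody explicitly opened is blocked, which is the "all unnecessary services must be denied" requirement stated earlier.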

Application Firewalls

Application firewalls use server programs, called proxies, running on the firewall. These proxies arbitrate transactions between interior and exterior networks: they accept requests, examine them, and forward legitimate requests to the internal hosts that provide the appropriate service. Application firewalls generally support functions such as user authentication and logging. They require that a proxy be configured for each applicable service, such as FTP, HTTP, etc.

Application-level firewalls generally also offer network address translation (NAT). This feature can be configured so that outbound traffic appears to have originated from the firewall itself. In this fashion the IP addresses of all hosts behind the firewall are protected from discovery: once their traffic leaves the firewall outbound, it all carries the same IP address.

  • Because application firewalls support proxies for different services, they prevent direct access to internal network services, protecting the business against insecure or poorly configured internal servers.

  • Application firewalls generally offer strong user authentication.

  • Application firewalls generally provide detailed logging of user activities.
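To show the NAT behaviour described above in code, here is an added example (not from the book) of a source-NAT translation table of the kind an application-level firewall keeps: outbound connections are rewritten to the firewall's own public address and a firewall-chosen port, replies are mapped back to the originating inside host, and inbound traffic with no matching entry is dropped, which is what keeps the internal addresses from being discovered. The addresses and the port range are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

FIREWALL_PUBLIC_IP = "192.0.2.1"   # constructed: the firewall's Internet-facing address


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


class SourceNat:
    """Translation table for outbound connections (masquerading).

    Inside (src, sport, dst, dport) -> firewall port, plus the reverse map
    used to deliver replies. Ports are handed out sequentially from a
    constructed range; a real firewall also ages entries out."""

    def __init__(self, first_port: int = 40000) -> None:
        self._next_port = first_port
        self._outbound: Dict[Tuple[str, int, str, int], int] = {}
        self._inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def translate_outbound(self, f: Flow) -> Flow:
        """Rewrite an inside host's packet so it appears to come from the firewall."""
        key = (f.src, f.sport, f.dst, f.dport)
        port = self._outbound.get(key)
        if port is None:
            port = self._next_port
            self._next_port += 1
            self._outbound[key] = port
            self._inbound[(port, f.dst, f.dport)] = (f.src, f.sport)
        return Flow(FIREWALL_PUBLIC_IP, port, f.dst, f.dport)

    def translate_inbound(self, f: Flow) -> Optional[Flow]:
        """Map a packet from the Internet back to the inside host, or return
        None (drop) when it does not belong to a connection opened from inside."""
        if f.dst != FIREWALL_PUBLIC_IP:
            return None   # nothing on the Internet can address an inside host directly
        inside = self._inbound.get((f.dport, f.src, f.sport))
        if inside is None:
            return None   # unsolicited: no inside host is revealed
        return Flow(f.src, f.sport, inside[0], inside[1])


def demo() -> Tuple[Flow, Flow, Optional[Flow], Optional[Flow]]:
    """Two inside hosts (constructed addresses) reach the same web server using
    the same client port; outside, both appear as the firewall."""
    nat = SourceNat()
    a = nat.translate_outbound(Flow("10.1.2.3", 51000, "198.51.100.7", 80))
    b = nat.translate_outbound(Flow("10.1.2.4", 51000, "198.51.100.7", 80))
    reply_to_b = nat.translate_inbound(Flow("198.51.100.7", 80, FIREWALL_PUBLIC_IP, b.sport))
    probe = nat.translate_inbound(Flow("198.51.100.7", 4444, FIREWALL_PUBLIC_IP, 40002))
    return a, b, reply_to_b, probe


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The reverse map is keyed on the remote address and port as well as the firewall port, so a reply is only delivered to the inside host that actually opened the connection; a packet that arrives at a firewall port from some other address finds no entry and is dropped.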

Hardware Firewall Architectures

Firewalls can be deployed in many different hardware architectures, providing various levels of security at different installation and operating costs. Organizations should match their risks to the type of firewall architecture selected. The following briefly describes the common firewall architectures.

  • Multiple-homed host. This is a firewall that has more than one network interface card (NIC). Each NIC is logically and physically connected to a separate network segment. A dual-homed host, one with two NICs, is the most common example of a multi-homed host. One NIC is connected to the external or untrusted network, such as the Internet, and the other NIC is connected to the internal or trusted network. In this configuration, the key point is not to allow traffic to pass from the untrusted network directly to the trusted network. The firewall acts as an intermediary (Exhibit 27).

    Exhibit 27: Multiple or Dual-Homed Firewall Policy

    start example

    In the configuration of multiple or dual-homed firewalls, routing by the firewall will be disabled, meaning that packets from untrusted networks such as the Internet shall not be directly routed to the internal or trusted networks. All unnecessary network services will be disabled on XYZ Corporation hosts, with firewalls configured appropriately to deny ingress and egress traffic.

    end example

  • Screened hosts. The screened-host firewall architecture uses a host called a bastion host. It usually has two network interface cards, but may have several NICs, making it a multiple-homed device. All outside hosts connect to this device rather than connecting directly to inside hosts. To achieve this, the bastion host has all unnecessary services removed, thereby earning its name as a hardened host. If superfluous services and features are removed or disabled, they cannot be exploited to gain unauthorized access. In front of the bastion host, a filtering router is installed and configured so that all connection traffic between the internal and external networks must pass through the bastion host. No direct internal-network-to-external-network connections are allowed.

Bastion hosts can also be deployed to partition sub-networks from other interior networks; for example, an interior network handling company e-mail is partitioned by a bastion host from another interior network where employee records are kept. This architecture is known as a screened sub-network; it adds an extra layer of security by creating a separate but connected internal network or sub-network (Exhibit 28).

Exhibit 28: Screened Sub-Network Policy

start example

In the XYZ Corporation, a screened sub-network shall be deployed by partitioning off a perimeter network in order to separate the internal network from the more-external network. This measure assures that, if there is a successful attack on the bastion host, the attacker is restricted to the more-exterior or perimeter network by the screening router that connects the internal and external networks.

end example

Firewall Administration

Administering firewalls, whether hardware, software, or appliances, has to be the ongoing job of a responsible and senior employee. After all, this employee literally has the "keys to the kingdom." It is a wise business practice to have two firewall administrators, assuring continuity and institutional knowledge in the event of an absence (Exhibit 29).

Exhibit 29: Firewall Administration Policy

start example

It is the policy of the XYZ Corporation to have two firewall administrators for each work shift. The Chief Technology Officer or designee shall designate them. These employees shall be responsible for the installation, correct configuration, and maintenance of the firewalls. The primary administrator shall be empowered to make approved changes to the firewall, and the secondary administrator shall do so only in the absence of the primary administrator, avoiding duplicate or contradictory firewall access changes.

end example

Firewall Administrators

For each duty day, it is recommended that two experienced employees be available to address firewall issues. In this manner, the firewall administrator function is constantly covered. It is compulsory that these employees have a thorough understanding of network architectures, TCP/IP protocols, and security policies (Exhibit 30).

Exhibit 30: Firewall Administrator Policy

start example

In the XYZ Corporation, employees tasked with firewall administration must have significant hands-on experience with networking concepts, protocols, architectures, designs, configurations, and implementation so that firewalls are installed, configured, and maintained correctly. Firewall administrators will be responsible for securing computer traffic between secured network elements and less-secure network elements. It is expected that firewall administrators will complete periodic training on the networks and firewalls in use.

end example

Remote Firewall Administration

Firewalls are usually the first line, and sometimes the last line, of defense against attackers. By design, firewalls are supposed to be difficult to attack directly, so attackers turn instead to the accounts on the firewall itself. Accordingly, there should be no user accounts on the firewall host other than those of the administrators, and administrator user names and passwords must be strongly protected. One of the most common protections is strong physical security around the firewall host, with firewall administration permitted only from one directly attached terminal. Only the primary and secondary firewall administrators should have physical access to the firewall host. Depending on the sensitivity of the data stored on the protected network, it is strongly recommended that firewall administrators not be allowed to access firewalls remotely. Depending on the business' operations, it may be prudent to have a firewall administrator on duty constantly: what degree of profit loss will be incurred if users are unable to access information assets because of firewall problems? Having a firewall administrator on duty full-time provides, in the long run, increased integrity and availability for the firewalls and the systems they protect (Exhibit 31 and Exhibit 32).

Exhibit 31: Firewall Administration Policy

start example

In the XYZ Corporation, firewall administrators will be on duty at all times. All firewall administration must be performed from the local terminal attached to the firewall host. Access to the firewall host is not permitted via remote access. Physical and logical access to the firewall host or the local terminal is strictly limited to the primary and secondary firewall administrators.

end example

Exhibit 32: Firewall Backup Policy

start example

In the XYZ Corporation, firewall software, configuration data, access control data, database files, etc., must be backed up daily, permitting efficient recovery of the firewall systems in the event of an outage. Backup files will be stored securely on write-once, read-many (WORM) media. At all times, backup files are to be secured, with access granted appropriately.

end example






Critical Incident Management
ISBN: 084930010X
Year: 2004
Pages: 144