We already mentioned that a firewall provides basic access control services for sites and corporate intranets. In accordance with a specific security policy, the firewall intercepts data traffic and permits only authorized and legitimate traffic to pass through. The access control services can be provided either at the network and transport layers using packet filters, or at a higher layer using application gateways.
In this section we overview the basic components of which a firewall typically consists: a firewall policy, packet filters, and application gateways. In addition, a contemporary firewall typically provides other functions, such as network address translation or network layer encryption. These issues are addressed later in Part II.
There are two levels of policy that directly influence the design, installation, and use of a firewall system:
The higher level policy, the service access policy, defines the TCP/IP protocols and services that should be allowed or denied from the protected network, how these services should be used, and how exceptions to this policy are handled.
The lower level policy, the firewall design policy, describes how the firewall actually restricts access to and filters the TCP/IP protocols and services in accordance with the service access policy.
Before we further address the two levels of policy, we want to note that a firewall policy should always be as flexible as possible. This need for flexibility is mainly due to the fact that the Internet itself is in flux, and that an organization's needs may change over time as the Internet offers new services, methods, and possibilities for doing business. New TCP/IP protocols and services keep emerging on the Internet; they offer more benefits to organizations using the Internet, but sometimes also raise new security concerns. Consequently, a firewall policy must be able to reflect and adequately address these concerns.
A network security policy (NSP) is a document that describes an organization's network security concerns and specifies the way network security should be achieved in that organization's environment. Parts of the NSP must include a service access policy that defines the TCP/IP protocols and services that should be accessible for internal and external use. As such, the service access policy extends the overall organizational policy regarding the protection of informational resources.
A firewall can implement a number of service access policies. In general, a service access policy is focused more on keeping outsiders out than trying to police insiders. For example, a typical policy is to allow no inbound access to a corporate intranet, but to allow full outbound access to the Internet. Another typical policy would be to allow some inbound access from the Internet, but perhaps only to selected systems, such as information servers or e-mail gateways. Also, firewalls sometimes implement service access policies that allow access from the Internet to selected internal systems, but this access would be granted only if necessary and only if it is combined with strong user authentication and data encryption.
For a firewall to be successful, its service access policy must be realistic and reflect the level of security required for the intranet. For example, a site with top secret or otherwise classified data does not need a firewall at all: such a site should not be connected to the Internet in the first place, or the systems holding the really sensitive data should be isolated from the rest of the intranet. A realistic service access policy is one that balances the protection of intranet resources against known risks with the users' need to access external resources, such as the Internet.
In general, there is a tradeoff between the accessibility and security of intranet resources. This tradeoff can be symbolized with a balance as illustrated in Figure 7.1. It is quite easy to provide either full accessibility or full security. In the first case, one simply connects a corporate intranet to the Internet without caring about security, whereas in the second case, one establishes two physically separate networks, one with Internet connectivity and one without. The challenge is to find an appropriate balance between the accessibility and security of intranet resources, and this balance must be reflected in the service access policy of the corresponding firewall configuration.
Figure 7.1: Tradeoff between the accessibility and security of intranet resources
The service access policy must be refined in a firewall design policy that is unique to a specific firewall configuration. The firewall design policy specifies the rules used by the firewall to implement the service access policy.
Formulating a firewall design policy is a difficult task, because one cannot design it in a vacuum, isolated from an understanding of issues such as firewall capabilities and limitations, as well as the threats and vulnerabilities associated with TCP/IP protocols and services. A key decision in the firewall design policy is the stance of the firewall design. The stance reflects the attitude of the firewall designers. It is determined by the cost of a failure of the firewall and the designers' estimate of the likelihood of such a failure. Obviously, it also reflects the designers' opinion of their own abilities. In general, a firewall may implement one of the following two stances:
Permit any service unless it is expressly denied;
Deny any service unless it is expressly permitted.
A firewall that implements the first stance allows all TCP/IP protocols and services by default, with the exception of those that the service access policy identifies as disallowed. In other words, anything that is not expressly prohibited is permitted by default. From a security point of view, this stance is less desirable, as it offers more avenues for circumventing the firewall. For example, users could access new services currently not denied by the policy or run denied services at nonstandard ports that are not expressly denied by the policy.
A firewall that implements the second stance denies all TCP/IP protocols and services by default, and passes only those that are identified as allowed. Obviously, this stance better fits the traditional access control model that is usually used in information security: Anything that is not expressly permitted is prohibited by default. From a security point of view, this stance is preferable. Note, however, that it is usually also more difficult to implement and may affect users more in that certain TCP/IP protocols and services must be blocked or restricted heavily.
As further addressed in Chapter 8, a packet filter is a multiported internetworking device that applies a set of rules to each incoming IP packet in order to decide whether it will be forwarded or discarded. IP packets are filtered based on information usually found in packet headers, such as:
Protocol numbers;
Source and destination IP addresses;
Source and destination port numbers;
TCP connection flags;
Some other options.
Routers that are able to screen and selectively filter IP packets are also called screening routers. Note that a screening router is always a packet filter, whereas the opposite is not necessarily the case: a packet filter need not be able to route IP packets, so it is not necessarily a screening router. However, in the text that follows we are going to use the terms packet filter and screening router synonymously most of the time.
In general, packet filters are stateless, meaning that each IP packet is examined in isolation from what has happened in the past, forcing the filter to decide whether to permit or deny each packet based solely on the packet-filtering rules and the packet itself. In Chapter 8, however, we elaborate on dynamic packet filtering as a technology that enhances the capabilities and improves the security of a packet-filtering device. Dynamic packet filtering is sometimes also referred to as stateful multilevel inspection, or stateful inspection. Stateful inspection can be used to increase the expressiveness of packet-filtering rules considerably, because a rule can refer to a connection the filter has already seen rather than only to the fields of the packet in hand.
A firewall configuration that only consists of a screening router is sometimes also referred to as a packet-filtering-only firewall, or packet-filtering gateway in short. Perhaps one justification of the term gateway is that filtering based on port numbers and TCP connection flags done at the transport layer is not a pure function of a router that typically operates at the network layer of the OSI-RM. The packet-filtering-only firewall is perhaps the most common and easiest to employ for small, uncomplicated sites. Basically, one installs a screening router as a gateway to the Internet and configures the packet-filtering rules in accordance with a service access and firewall design policy. More often than not, such a service access policy allows internal systems to fully access the Internet, while all or most access from the Internet is blocked. The packet-filtering gateway suffers from a number of disadvantages and is less secure than the other firewall configurations discussed in the rest of Part II.
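To make the two stances and the stateless/stateful distinction concrete, here is a small Python model of a packet filter. It is an added example, not code from the book or from any firewall product; the rule syntax, the addresses (10.0.0.0/8 as the intranet, 203.0.113.9 and 198.51.100.7 as outside hosts) and the sample packets are constructed for illustration. It shows three things: under the permit-unless-denied stance, a rule denying Telnet on port 23 is evaded simply by running the service on port 2323; under the deny-unless-permitted stance the same packet is dropped; and a stateless filter that admits inbound packets merely because the ACK flag is set (the usual way to let replies back in) also admits an outsider's ACK probe, whereas the stateful variant only passes packets that belong to a connection it saw being opened.

```python
"""Toy packet filter: default-permit vs default-deny stances, and stateless vs
stateful treatment of TCP flags.  Added illustration, not from the book; the
rule syntax, addresses and sample packets are constructed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()      # TCP flags set, e.g. {"SYN"}


def _in_net(addr: str, net: Optional[str]) -> bool:
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


@dataclass(frozen=True)
class Rule:
    action: str                         # "permit" or "deny"
    proto: Optional[str] = None         # None matches anything
    src: Optional[str] = None           # CIDR prefix
    dst: Optional[str] = None
    dport: Optional[int] = None
    flags: Optional[frozenset] = None   # every listed flag must be set

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and _in_net(p.src, self.src) and _in_net(p.dst, self.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.flags is None or self.flags <= p.flags))


class StatelessFilter:
    """Each packet judged alone: first matching rule wins, else the stance applies."""
    def __init__(self, rules, default):
        self.rules, self.default = list(rules), default

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return self.default


class StatefulFilter(StatelessFilter):
    """Only connection-opening packets are run through the rules; anything
    else must belong to a connection already in the state table."""
    def __init__(self, rules, default):
        super().__init__(rules, default)
        self.table = set()

    def decide(self, p: Packet) -> str:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.table or rev in self.table:
            return "permit"
        opening = p.proto == "udp" or p.flags == frozenset({"SYN"})
        if opening and super().decide(p) == "permit":
            self.table.add(fwd)
            return "permit"
        return "deny"   # stray ACK/RST with no connection, or a rejected opening


INSIDE = "10.0.0.0/8"   # assumed intranet prefix
TELNET, HTTP = 23, 80


def permissive_stance() -> StatelessFilter:
    """Permit unless expressly denied: block Telnet, pass everything else."""
    return StatelessFilter([Rule("deny", proto="tcp", dport=TELNET)], default="permit")


def restrictive_stance(stateful: bool = False) -> StatelessFilter:
    """Deny unless expressly permitted: outbound HTTP only.  The stateless variant
    needs an extra rule admitting inbound ACK packets so replies can get back in."""
    rules = [Rule("permit", proto="tcp", src=INSIDE, dport=HTTP)]
    if stateful:
        return StatefulFilter(rules, default="deny")
    rules.append(Rule("permit", proto="tcp", dst=INSIDE, flags=frozenset({"ACK"})))
    return StatelessFilter(rules, default="deny")


# Constructed sample traffic (outside addresses taken from documentation ranges).
odd_port_telnet = Packet("tcp", "10.0.0.5", 40001, "203.0.113.9", 2323, frozenset({"SYN"}))
syn_out = Packet("tcp", "10.0.0.5", 40002, "203.0.113.9", HTTP, frozenset({"SYN"}))
synack_back = Packet("tcp", "203.0.113.9", HTTP, "10.0.0.5", 40002, frozenset({"SYN", "ACK"}))
ack_probe = Packet("tcp", "198.51.100.7", 4444, "10.0.0.5", 12345, frozenset({"ACK"}))


def run_scenarios() -> dict:
    out = {}
    out["permissive/odd-port"] = permissive_stance().decide(odd_port_telnet)  # permit: deny rule evaded
    sl = restrictive_stance()
    out["stateless/odd-port"] = sl.decide(odd_port_telnet)   # deny
    out["stateless/synack"] = sl.decide(synack_back)         # permit, via the ACK rule
    out["stateless/ack-probe"] = sl.decide(ack_probe)        # permit: ACK rule cannot tell reply from probe
    sf = restrictive_stance(stateful=True)
    out["stateful/odd-port"] = sf.decide(odd_port_telnet)    # deny
    out["stateful/syn-out"] = sf.decide(syn_out)             # permit, and recorded
    out["stateful/synack"] = sf.decide(synack_back)          # permit: reverse of a known connection
    out["stateful/ack-probe"] = sf.decide(ack_probe)         # deny: no matching connection
    return out
```

Calling run_scenarios() returns the verdict for each sample packet. The stateful filter consults the rule table only for connection-opening packets (a bare SYN, or any UDP datagram); a real stateful inspection engine also ages entries out, tracks FIN and RST, and keeps pseudo-state for UDP and ICMP, all of which this model omits.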
In general, an application gateway or gateway refers to an internetworking device that interconnects one network to another for a specific application. Therefore, the gateway must understand and implement the corresponding application protocol. In the client-server model, an application gateway refers to an intermediate process running between the client that requests a particular service and the server that provides the service. In this model, the application gateway functions as a server from the client's point of view, and as a client from the server's point of view.
Again referring to the Internet model, an application gateway can either work at the application layer or at the transport layer [3, 4]:
If the gateway works at the application layer, it is usually called an application-level gateway, or proxy server.
If the gateway works at the transport layer, it is usually called a circuit-level gateway.
Most application gateways used in firewall configurations work at the application layer and represent application-level gateways or proxy servers accordingly. In either case, the application gateway runs on a firewall host and performs a specific function as a proxy on the user's behalf. If the application gateway is an application-level gateway, then the function is application-specific. Otherwise, the function is not application-specific and the application gateway is actually a circuit-level gateway. Circuit-level gateways and application-level gateways are further addressed in Chapters 9 and 10.
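As an added example (not code from the book or from any product), the following Python sketch contrasts the two kinds of gateway on the same client request. The circuit-level function sees only the transport endpoints, so it relays anything addressed to an allowed port; the application-level function behaves as an HTTP proxy: it parses the request as a server would, applies policy that only makes sense at the application layer (allowed methods, no CONNECT tunnels, no requests that loop back to an internal host, represented here by the assumed suffix .corp.example), and then rewrites the request into the origin form it would send as a client to the real server. The sample requests are constructed.

```python
"""Circuit-level vs application-level gateway deciding on the same client
request.  Added illustration, not from the book; the policy, the internal
domain suffix and the sample HTTP requests are constructed for the example."""
from urllib.parse import urlsplit

INTERNAL_SUFFIX = ".corp.example"   # assumed internal DNS suffix
ALLOWED_PORTS = {80, 443}
ALLOWED_METHODS = {"GET", "HEAD", "POST"}


def circuit_level_decide(dst_host: str, dst_port: int) -> str:
    """A circuit-level gateway relays a transport connection; it knows the
    endpoints but not the protocol carried inside, so a Telnet session to
    port 443 looks exactly like HTTPS."""
    return "relay" if dst_port in ALLOWED_PORTS else "refuse"


def application_level_decide(request: bytes) -> str:
    """An HTTP proxy is the server towards the client: it parses the request,
    applies protocol-aware policy, and only then acts as a client towards the
    origin.  Returns the outbound request line or a refusal."""
    try:
        head = request.split(b"\r\n\r\n", 1)[0].decode("ascii")
        method, target, version = head.split("\r\n")[0].split(" ")
        url = urlsplit(target)
        port = url.port or (443 if url.scheme == "https" else 80)
    except (UnicodeDecodeError, ValueError):
        return "refuse: malformed request"
    if method not in ALLOWED_METHODS:
        return f"refuse: method {method} not allowed"      # e.g. CONNECT tunnels
    if url.scheme not in ("http", "https") or url.hostname is None:
        return "refuse: absolute-form http(s) URI required"
    if url.hostname.endswith(INTERNAL_SUFFIX):
        return "refuse: would relay back into the intranet"
    if port not in ALLOWED_PORTS:
        return f"refuse: port {port} not allowed"
    path = url.path or "/"
    if url.query:
        path += "?" + url.query
    # Request the gateway issues as a client, in origin form.
    return f"forward to {url.hostname}:{port}: {method} {path} {version}"


# Constructed sample requests, as a browser configured to use a proxy would send them.
SAMPLES = {
    "web":      b"GET http://www.example.com/index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "tunnel":   b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n",
    "loopback": b"GET http://intranet.corp.example/payroll HTTP/1.1\r\nHost: intranet.corp.example\r\n\r\n",
    "odd-port": b"GET http://www.example.com:8080/ HTTP/1.1\r\nHost: www.example.com:8080\r\n\r\n",
    "garbage":  b"\xff\xfe not http at all\r\n\r\n",
}


def run_requests() -> dict:
    return {name: application_level_decide(raw) for name, raw in SAMPLES.items()}
```

Everything the application-level gateway refuses here would pass a circuit-level gateway unchanged as long as the destination port is allowed; that is the trade-off the text describes: protocol awareness costs one proxy per application, but buys decisions a transport-layer relay cannot make. A real proxy would additionally strip hop-by-hop headers and add a Via header before forwarding.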
The Internet community often uses the term bastion host to refer to an exposed firewall system that hosts an application gateway. The term bastion comes from the heavily fortified projections on the exteriors of castles in medieval times. A bastion host should be configured to be particularly secure because it is exposed to direct attacks from the Internet. Typically, a bastion host runs on a secure operating system, which must then protect the firewall code and files from outside attacks. More often than not, the firewall code is the only application that is permitted to execute on the bastion host; the absence of other applications reduces the possibilities for unauthorized attempts to penetrate the firewall. Although most bastion hosts run a modified and stripped-down (or "hardened") version of the UNIX or Linux operating system, there is increasing demand for Windows NT-based firewalls. Also, there are some firewalls that come along with a special and highly secure operating system. One example of this kind is the Sidewinder firewall developed and marketed by the Secure Computing Corporation.[4]
Depending on its basic components and their configuration, several grades of firewall security can be obtained. For example, there is no security by allowing unrestricted access between a corporate intranet and the Internet. Next, packet filters or screening routers can be added to obtain a basic level of traffic interception. Also, the firewall can include both packet filters and application gateways. A variety of circuit-level or application-level gateways can be added along with different strengths of the corresponding authentication schemes. We can also improve the overall security for the intranet by adding e-mail gateway and name services to the firewall. The firewall can also reside on a secure operating system, thereby improving the underlying security for the firewall code and files. A firewall can also provide support for Internet layer security protocols (e.g., IPsec). This facility can be used to build secure tunnels between firewall-protected sites and to build virtual private networks (VPNs) accordingly. Finally, a company can also deny any access to and from the Internet, thereby ensuring isolation and complete security from the outside world. Although this is seemingly a theoretical option in the euphoric time for Internet access we live in these days, for certain highly secure environments it is still the only prudent approach to follow.
[4]http://www.securecomputing.com