13.7 Firewalls




A firewall is a method of protecting one network from another untrusted network (see Figure 13.4). The actual mechanism whereby this is accomplished varies widely, but in principle, the firewall can be thought of as a pair of mechanisms: one that blocks traffic and the other that permits traffic. Some firewalls place a greater emphasis on blocking traffic, while others emphasize permitting traffic.

Figure 13.4: A firewall protects the enterprise network (trusted) from a variety of attacks emanating from untrusted networks such as the Internet, thereby safeguarding mission-critical resources.

One way firewalls protect networks is through packet filtering, which can be used to restrict access from or to certain machines or sites (see Figure 13.5). It can also be used to limit access based on time of day or day of week, by the number of simultaneous sessions allowed, or by the service host(s), destination host(s), or service type. This kind of firewall protection can be set up on various network routers, communications servers, or front-end processors.

Figure 13.5: Operation of a packet-filtering firewall: (1) inbound/outbound packets are examined for compliance with company-defined security rules; (2) packets found to be in compliance are allowed to pass into the network; (3) packets that are not in compliance are dropped.

Proxies are also used to provide secure outbound communication to the internetwork from the internal network. The firewall software achieves this by appearing to act as the default router to the internal network. However, when packets hit the firewall, the software does not route the packets but immediately starts a dynamic, transparent proxy. The proxy connects to a special intermediate host that actually connects to the desired service (see Figure 13.6).

Figure 13.6: An implementation of a proxy application.

Proxies are often used instead of router-based traffic controls to prevent traffic from passing directly between networks. Many proxies contain extra logging or support for user authentication. Since proxies must “understand” the application protocol being used, they can also implement protocol-specific security. For example, an FTP proxy might be configurable to permit incoming FTP traffic and block outgoing FTP traffic.
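As an added illustration of what it means for a proxy to “understand” the application protocol, the following Python models the FTP policy just described: the proxy permits inbound sessions, refuses outbound ones, and inspects each control-channel command of a permitted session before forwarding it, logging what it sees without recording passwords. This is example code, not code from the book or from any proxy product; the direction labels, the permitted command set, the reply strings and the sample session are all constructed assumptions, and the code models the decision logic only (it opens no sockets).

```python
import re
from typing import List, Tuple

# Command verbs the proxy forwards for sessions it permits (constructed policy).
# STOR, DELE and PORT are deliberately absent, so uploads, deletes and active-mode
# data connections are refused at the proxy even though the session itself is allowed.
ALLOWED_COMMANDS = {"USER", "PASS", "PWD", "CWD", "TYPE", "PASV", "LIST", "NLST", "RETR", "QUIT"}

# One FTP control-channel command: a 3-4 letter verb, an optional argument, CRLF.
COMMAND_RE = re.compile(r"^([A-Za-z]{3,4})(?: ([^\r\n]*))?\r\n$")


class FtpProxy:
    """Application-level proxy policy: permit inbound FTP, refuse outbound FTP,
    and check every command of a permitted session before passing it on."""

    def __init__(self) -> None:
        self.log: List[str] = []  # the extra logging an application proxy can provide

    def handle(self, direction: str, line: str) -> Tuple[bool, str]:
        """Return (forward, text). forward=True: text is the command sent on to the
        server; forward=False: text is the reply the proxy returns to the client."""
        if direction == "outbound":
            self.log.append("outbound FTP session refused")
            return (False, "421 Outbound FTP is not permitted by policy\r\n")
        match = COMMAND_RE.match(line)
        if match is None:
            self.log.append(f"malformed command: {line!r}")
            return (False, "500 Syntax error, command unrecognized\r\n")
        verb = match.group(1).upper()
        arg = match.group(2) or ""
        # Never write credentials into the proxy log.
        self.log.append(f"{verb} {'<redacted>' if verb == 'PASS' else arg}".rstrip())
        if verb not in ALLOWED_COMMANDS:
            return (False, f"502 {verb} not permitted by proxy policy\r\n")
        # Protocol-specific check: refuse path arguments that climb out of the tree.
        if verb in ("RETR", "CWD", "LIST", "NLST") and ".." in arg.split("/"):
            return (False, "550 Path not permitted\r\n")
        return (True, f"{verb} {arg}\r\n" if arg else f"{verb}\r\n")


def proxy_demo() -> List[Tuple[bool, str]]:
    """Run a constructed inbound session plus one outbound attempt through the policy."""
    proxy = FtpProxy()
    session = [
        ("inbound", "USER anonymous\r\n"),
        ("inbound", "PASS guest@example.com\r\n"),
        ("inbound", "RETR pricelist.txt\r\n"),
        ("inbound", "STOR upload.bin\r\n"),        # upload: verb not in the allowed set
        ("inbound", "RETR ../private.txt\r\n"),    # path climbs out of the served tree
        ("inbound", "garbage\r\n"),                # does not parse as an FTP command
        ("outbound", "USER alice\r\n"),            # outbound FTP refused outright
    ]
    return [proxy.handle(direction, line) for direction, line in session]


if __name__ == "__main__":
    for forward, text in proxy_demo():
        print("FORWARD" if forward else "REPLY  ", text.rstrip())
```

The design point is that each decision is made on the parsed verb and argument, not on port numbers: a packet filter sees only “TCP to port 21”, whereas the proxy can let a session in and still refuse the one command that would change data.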

While firewall operation may look simple, it is quite complex in terms of initial configuration, fine-tuning, and ongoing administration. A firewall vendor might offer help with initial configuration and fine-tuning, but ongoing administration is the responsibility of the buyer. Modifying the attack-detection parameters of a firewall to deal with new threats, for example, takes the knowledge and experience of a certified security engineer (CSE), whereas changing a firewall rule set might require a certified security administrator (CSA).

Since attacks can originate from anywhere at any time around the world, effective firewall operation requires 24/7 vigilance by expert staff. This means the IT organization must support three shifts of security personnel, which is expensive, or have someone on-call 24 hours a day, which can delay the response to threat situations. Either way, maintaining security staff is an expensive proposition. In fact, acquiring any level of management expertise is the biggest hidden cost of firewall ownership. The dearth of knowledgeable security personnel and the high salaries they command puts seasoned talent out of reach for many smaller companies. An effective and economical alternative, however, is a managed firewall solution that allows small and medium-size firms to implement best-of-breed security solutions at a fixed monthly cost and without the hassles of recruiting and retaining quality staff. These types of services could cost less than the equivalent salary of a half-time firewall administrator.

For effective security, a firewall solution will be required at each corporate location, including branch offices and the homes of telecommuters. Firewalls also protect the integrity of VPNs and multi-company extranets. In addition to regulating traffic flow between public and private network environments, firewalls can be used to regulate traffic to and from internal company networks, such as the subnets of human resource, marketing, and legal departments.

A managed firewall service consists of hardware, software, consulting, monitoring, and management tools that continuously scan and analyze the vulnerability of an organization’s Internet-connected systems. Firewall management usually must be ordered in conjunction with the provider’s Internet services, including those provisioned over ATM, frame relay, DSL, and integrated service offerings that combine voice and Internet services over the same access bandwidth. Assuming that the Internet service is already in place, a managed firewall solution can be up and running in 10 business days or less.

To configure a managed firewall appropriately, the service provider performs a comprehensive vulnerability analysis, starting with a port scan of the customer’s network resources. A port is simply a place where information goes into and out of a device on the network, like a router or computer. Left unguarded, a port is a door through which a hacker can enter and, from there, gain access to other resources on the corporate network. After submitting the network to a battery of tests, sometimes using so-called hacker tools, the managed firewall service provider will present the customer with recommendations for fixing problems that have been identified. The recommendations will be codified in the form of rule sets that will be loaded into a firewall.

The firewall itself can be physically located at the company’s location or the service provider’s location. Regardless of location, the firewall will make decisions about what traffic to pass based on instructions contained in the rule set. Access control rules can be defined according to the source and destination of network traffic, specific applications, users or groups of users, and even time of day. If incoming traffic contains an executable file that has the signature of a known virus, for example, that traffic will not be allowed to pass beyond the firewall onto the corporate network, where it can do harm when opened. The content security capabilities of the firewall can even spot suspicious Java applets and ActiveX controls, weed out undesirable Web content, and put limits on the size of files that are allowed onto the corporate network.
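The access control rules described here, and the packet-filtering controls listed earlier in the section (source and destination host, service type, time of day, number of simultaneous sessions), are easiest to understand as a first-match rule table with an implicit final deny. The following Python is an added example, not the book's own or any vendor's code: the addresses, rule set and packets are constructed, and the per-source session cap is an assumption added to illustrate the “simultaneous sessions” control.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter examines (constructed; not a packet parser)."""
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination (service) port
    hour: int     # hour of day (0-23) at which the packet arrives


@dataclass(frozen=True)
class Rule:
    """One access control rule; None in a field means 'match anything'."""
    action: str                    # "permit" or "deny"
    src: str = "0.0.0.0/0"         # source network, CIDR notation
    dst: str = "0.0.0.0/0"         # destination network, CIDR notation
    proto: Optional[str] = None
    dport: Optional[int] = None
    hours: Optional[range] = None  # hours of day the rule applies, e.g. range(8, 18)

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.hours is not None and pkt.hour not in self.hours:
            return False
        return True


class PacketFilter:
    """First-match rule evaluation, default deny, plus a per-source session cap."""

    def __init__(self, rules: List[Rule], max_sessions_per_src: int = 2):
        self.rules = rules
        self.max_sessions = max_sessions_per_src
        self.sessions: Dict[str, int] = {}  # simultaneous sessions open per source host

    def decide(self, pkt: Packet) -> Tuple[str, str]:
        """Return (action, reason). A permitted packet opens a session for its source."""
        for index, rule in enumerate(self.rules):
            if not rule.matches(pkt):
                continue
            if rule.action == "permit":
                if self.sessions.get(pkt.src, 0) >= self.max_sessions:
                    return ("deny", "session limit")
                self.sessions[pkt.src] = self.sessions.get(pkt.src, 0) + 1
            return (rule.action, f"rule {index}")
        return ("deny", "default")  # nothing matched: the implicit final deny

    def close_session(self, src: str) -> None:
        """Release one session slot when a connection from src ends."""
        if self.sessions.get(src, 0) > 0:
            self.sessions[src] -= 1


# Constructed rule set: mail in from anywhere at any hour; SSH to one host from the
# partner network during business hours only; everything else falls through to deny.
RULES = [
    Rule("permit", dst="192.0.2.10/32", proto="tcp", dport=25),
    Rule("permit", src="198.51.100.0/24", dst="192.0.2.20/32",
         proto="tcp", dport=22, hours=range(8, 18)),
]


def filter_demo() -> List[Tuple[str, str]]:
    """Evaluate a constructed sequence of packets against RULES in order."""
    fw = PacketFilter(RULES)
    packets = [
        Packet("203.0.113.5", "192.0.2.10", "tcp", 25, hour=3),    # mail at night: permit
        Packet("198.51.100.7", "192.0.2.20", "tcp", 22, hour=10),  # partner SSH in hours: permit
        Packet("198.51.100.7", "192.0.2.20", "tcp", 22, hour=22),  # same, after hours: deny
        Packet("203.0.113.5", "192.0.2.20", "tcp", 22, hour=10),   # SSH from elsewhere: deny
        Packet("203.0.113.5", "192.0.2.10", "tcp", 25, hour=4),    # second mail session: permit
        Packet("203.0.113.5", "192.0.2.10", "tcp", 25, hour=4),    # third: over the session cap
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for decision in filter_demo():
        print(decision)
```

Two properties of the rule set matter in practice: rule order decides the outcome when more than one rule could match, and anything the author of the rule set did not think of is dropped by the final deny rather than let through.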

The service provider designs a firewall rule set in collaboration with the IT manager, and there is usually a trial period to allow for minor changes to the rule set at no charge. During this period, which can last as long as 14 days, real-world testing is performed and minor adjustments of the new firewall rule set are made, if necessary. Generally, customers may make unlimited changes during the trial period. After that, the service provider bills for further changes on a time-and-materials basis.

As new threats become known, the managed firewall service provider will take the appropriate course of action, which might entail adding a rule to the rule set or changing an existing port configuration on the firewall to thwart persistent access attempts. The changes are implemented remotely from the service provider’s network security operations center (NSOC) over an encrypted Internet connection. If the customer’s dedicated access connection is not available, perhaps due to an out-of-service transmission line or malfunctioning router, the service provider will use a dial-up connection to a modem attached to the firewall to upload the changes.

As an added precaution, the managed firewall service provider should take responsibility for maintaining backup copies of the customer’s rule sets for locations, along with all the firewall passwords. A copy of the most recent router configuration might be kept as well, since this information is usually needed to reconfigure the firewall or router in case of a major system failure. It should take no more than 4 hours for the service provider to fully restore a firewall rule set and associated configuration files, assuming the dedicated connection is available or a dial-up modem link can be established.

The managed firewall service provider will usually be able to generate performance reports that can be accessed by the customer on a secure Web site using a browser that supports 128-bit key encryption. By entering a user name and password, the customer can view high-level charts and graphs that summarize the quality of network and application resources. Comparative performance data on specific network resources and groups of resources should also be available.

Companies with branch offices, telecommuters, and mobile professionals should choose a service provider that can offer a range of security solutions, as well as connectivity services to suit the organization’s various needs. A low-end firewall solution that protects corporate information stored on a telecommuter’s PC, for example, might consist of firewall software loaded and configured in a DSL/cable router (see Figure 13.7). Since DSL and cable connections are always on, hackers can come in through the Internet and tamper with the personal data on the home computer, as well as any corporate information it may hold. There is even the very real threat of hackers using the telecommuter’s connection to launch an attack on the employee’s company.

Figure 13.7: Firewall software for individual computers allows users to control their own level of security. Shown is ZoneAlarm from Zone Labs, which is available for download at the company’s Web site.

For companies with an installed base of Cisco routers, the provider may offer a combined firewall-router service that entails configuring the operating system’s security features. For enterprise-level security, the choice might include Check Point Firewall 1. If separate devices provide firewall and router functionality, it might be preferable from a management standpoint to have both devices monitored by the same service provider. Firewall implementation is not as simple as “set and forget.” To maintain the highest degree of protection, security policy must be continually evaluated against the latest threats. For small and midsize companies, the value of a managed firewall service is in having an expert partner that will stay abreast of the latest developments and implement effective countermeasures to prevent unauthorized access to the organization’s valuable network resources.

It is important to choose a service provider that will maintain contact with various network security watch groups, such as the Computer Emergency Response Team (CERT) Coordination Center and the National Infrastructure Protection Center (NIPC), to stay abreast of the latest security problems reported by the user community and the remedies proposed by the vendor community. This information helps the managed firewall service provider deal effectively with new types of security threats and become familiar with the associated attack profiles so the customer’s firewall policies can be updated in an appropriate and timely manner.






LANs to WANs: The Complete Management Guide
ISBN: 1580535720
Year: 2003
Pages: 184