Guide to Network Defense and Countermeasures Second Edition Chapter 9 Choosing and Designing Firewalls

Guide to Network Defense and Countermeasures, Second Edition

Chapter 9: Choosing and Designing Firewalls

Guide to Network Defense and Countermeasures, Second Edition 2

Objectives

• Explain what firewalls can and cannot do

• Describe common approaches to packet filtering

• Establish a set of rules and restrictions for a firewall

• Design common firewall configurations

• Compare hardware and software firewalls

An Overview of Firewalls

• Firewall
  – Hardware or software
  – Can be configured to block unauthorized network access

• Firewalls cannot protect against malicious insiders
  – Who send proprietary information out of the organization

• Firewalls cannot protect connections that do not go through it

What Firewalls Are

• Network firewall
  – Combination of multiple software and hardware components

• Earliest firewalls were packet filters

• Some firewalls are designed for consumers
  – Norton Personal Firewall
  – ZoneAlarm
  – Sygate Personal Firewall

What Firewalls Are (continued)

• Rules for blocking traffic are defined case by case
  – Actions include:
    • Allow the traffic
    • Block the traffic
    • Customize access

• Check Point Next Generation (NG) firewall
  – Designed to protect and monitor large-scale networks

• Firewall appliances
  – Self-contained hardware devices

What Firewalls Are Not

• Firewalls are not a standalone solution
  – Cannot protect from internal threats
  – Need a strong security policy and employee education

• Firewalls must be combined with
  – Antivirus software
  – IDS

• Open Platform for Security (OPSEC)
  – Protocol used by Check Point NG to integrate with other security products

Approaches to Packet Filtering

• Stateless packet filtering

• Stateful packet filtering

• Packet filtering depends on position of components

Stateless Packet Filtering

• Decides whether to allow or block packets based on information in the protocol headers

• Filtering based on common IP header features
  – IP address
  – Ports and sockets
  – ACK bits

• Intruders can get around these defenses

• Advantage: Inexpensive

• Disadvantage: Cumbersome to maintain

Stateful Packet Filtering (continued)

• Keeps a record of connections a host computer has made with other computers
  – Maintains a file called a state table containing a record of all current connections
  – Allows incoming packets to pass through only from external hosts already connected
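
Added example, not from the textbook: a minimal Python model of the state table described above. An outbound packet from the internal LAN records its connection; an inbound packet passes only if it is the reply leg of a recorded connection. The Packet and StatefulFilter names, the INTERNAL_NET prefix and all addresses are constructed for this illustration, and a real stateful filter would also track TCP state transitions and time idle entries out.

```python
from dataclasses import dataclass
from typing import Dict, Set

INTERNAL_NET = "192.168.1."   # constructed: address prefix of the protected LAN

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    fin: bool = False   # True on a segment that closes the connection

class StatefulFilter:
    def __init__(self) -> None:
        # state table: one 5-tuple per current connection, as seen from the inside
        self.state_table: Set[tuple] = set()

    def check(self, pkt: Packet) -> str:
        """Return "allow" or "block" for one packet, updating the state table."""
        if pkt.src_ip.startswith(INTERNAL_NET):
            # Outbound: record the connection (or forget it on FIN) and pass the packet
            conn = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
            if pkt.fin:
                self.state_table.discard(conn)
            else:
                self.state_table.add(conn)
            return "allow"
        # Inbound: only the reply leg of a connection already in the table passes
        reply_of = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        return "allow" if reply_of in self.state_table else "block"

def demo() -> Dict[str, str]:
    """Constructed traffic: one legitimate Web session plus unsolicited inbound packets."""
    fw = StatefulFilter()
    return {
        # internal client opens a connection to an external Web server
        "client_to_web": fw.check(Packet("192.168.1.10", 40000, "203.0.113.5", 80)),
        # the server's reply matches the recorded connection
        "web_reply": fw.check(Packet("203.0.113.5", 80, "192.168.1.10", 40000)),
        # an external host nobody inside talked to: no state entry, blocked
        "unsolicited": fw.check(Packet("198.51.100.7", 80, "192.168.1.10", 40000)),
        # same server, but a client port that was never used: no state entry, blocked
        "wrong_port": fw.check(Packet("203.0.113.5", 80, "192.168.1.10", 40001)),
        # the client closes the connection; later replies are no longer expected
        "client_fin": fw.check(Packet("192.168.1.10", 40000, "203.0.113.5", 80, fin=True)),
        "reply_after_close": fw.check(Packet("203.0.113.5", 80, "192.168.1.10", 40000)),
    }
```

A stateless filter that keys only on the ACK bit would have no way to tell the "unsolicited" and "wrong_port" packets from real replies, which is the gap the state table closes.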

Stateful Packet Filtering (continued)

• Windows Firewall
  – One of the most user-friendly packet filters
  – Improved version of Internet Connection Firewall
  – Can limit the amount of traffic with more precision
    • You can even specify exceptions
  – Advanced tab allows more complex settings

Packet Filtering Depends on Position

• Type of filtering a device can do depends on
  – Position of the device in the firewall perimeter
  – Other hardware or software
• Packet filter placement
  – Between the Internet and a host
  – Between a proxy server and the Internet
  – At either end of a DMZ

Creating Rules and Establishing Restrictions

• Rule base
  – Tells firewalls what to do when a certain kind of traffic attempts to pass
• Points to consider
  – Based on the organization’s security policy
  – Include a firewall policy
  – Keep it as simple and short as possible
  – Restrict access to ports and subnets on the internal network from the Internet
  – Control Internet services

Base the Rule Base on Your Security Policy

• When configuring rules, pay attention to
  – Logging and auditing
  – Tracking
  – Filtering
  – Network Address Translation (NAT)
  – Quality of Service (QoS)
  – Desktop security policy

• Rule base is a practical implementation of the organization’s policy

Base the Rule Base on Your Security Policy (continued)

• Common policies that need to be reflected in the rule base
  – Employees have access to the Internet with restrictions
  – Public can access the company’s Web and e-mail server
  – Only authenticated traffic can access the internal LAN
  – Employees are not allowed to use instant messaging
  – Traffic from the company’s ISP should be allowed
  – Block external traffic by instant-messaging software
  – Only the network administrator should be able to access the internal network directly from the Internet

Create a Firewall Policy That Covers Application Traffic

• Firewall policy
  – Addition to the security policy
  – Describes how the firewall handles application traffic
• Risk analysis provides a list of applications
  – And associated threats and vulnerabilities
• General steps to create a firewall policy
  – Identify network applications
  – Determine methods for securing application traffic
    • You must balance security and cost
  – Consider all firewalls in your network

Create a Firewall Policy That Covers Application Traffic (continued)

• Firewalls enable you to control access to your computer or network
  – By controlling access to particular applications
• Options for defining rules
  – Allow traffic
  – Block traffic
  – Ask or prompt

Keep the Rule Base Simple

• Keep the list of rules as short as possible
  – About 30 to 50 rules
  – The shorter the rule base, the faster the firewall will perform
• Firewalls process rules in a particular order
  – Usually rules are numbered starting at 1 and displayed in a grid
  – Most important rules should be at the top of the list
  – Make the last rule a cleanup rule
    • A catch-all type of rule

Restrict Subnets, Ports, and Protocols

• Filtering by IP addresses
  – You can identify traffic by IP address range
  – Most firewalls start by blocking all traffic
    • You need to identify “trusted” networks
    • Firewall should allow traffic from trusted sources

Control Internet Services

• Web services
  – Employees always want to surf the Internet
• DNS
  – Resolves fully qualified domain names (FQDNs) to their corresponding IP addresses
  – DNS uses UDP port 53 for name resolution
  – DNS uses TCP port 53 for zone transfers
• E-mail
  – POP3 and IMAP4
  – SMTP
  – LDAP and HTTP

Control Internet Services (continued)

• FTP
  – Types of FTP transactions
    • Active FTP
    • Passive FTP
• Filtering by ports
  – Filters traffic based on TCP or UDP port numbers
  – Can filter a wide variety of information

Control Internet Services (continued)

• Filtering by ports
  – You can filter out everything but
    • TCP port 80 for Web
    • TCP port 25 for e-mail
    • TCP port 21 for FTP

Control Internet Services (continued)

• ICMP message type
  – ICMP functions as a housekeeping protocol
  – Helps networks cope with communication problems
  – Attackers can use ICMP packets to crash a computer
• Filtering by service
  – Firewalls can filter by the name of a service
  – You do not have to specify a port number
  – Firewalls can also filter by the six TCP control flags

Control Internet Services (continued)

• Filtering by service
  – Firewalls can also filter by the IP options
    • Security
    • Loose source and record routing
    • Strict source and record routing
    • Internet timestamp

Control Internet Services (continued)

• Filtering by service
  – Rules should follow a few general practices
    • A firewall with a “Deny All” security policy should start from a clean slate
    • Nobody can connect to the firewall except the administrator
    • Block direct access from the Internet to any computer behind the firewall
    • Permit access to public services in the DMZ
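
Added example, not from the textbook: the general practices above and the earlier advice on rule ordering (most important rules first, a cleanup rule last) written as a small numbered rule base evaluated top-down with first-match semantics. The Rule, matches and evaluate names, the rule comments and all addresses (firewall, DMZ Web and mail servers, internal LAN and the administrator's workstation) are constructed for this illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    number: int           # rules are evaluated in ascending number order
    src: str              # CIDR network or "any"
    dst: str              # CIDR network or "any"
    proto: str            # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]  # destination port; None means any port
    action: str           # "allow" or "deny"
    comment: str = ""

def _in_net(cidr: str, ip: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def matches(rule: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    return (_in_net(rule.src, src) and _in_net(rule.dst, dst)
            and rule.proto in ("any", proto) and rule.dport in (None, dport))

def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> Tuple[str, int]:
    """First-match evaluation: return (action, number) of the first rule that matches."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, src, dst, proto, dport):
            return rule.action, rule.number
    raise ValueError("rule base has no cleanup rule")   # unreachable with rule 6 below

# Constructed addresses: firewall 203.0.113.1, DMZ Web server 203.0.113.20 and mail
# server 203.0.113.21, internal LAN 192.168.1.0/24 with the administrator at .5
RULES = [
    Rule(1, "192.168.1.5/32", "203.0.113.1/32", "any", None, "allow", "only the admin manages the firewall"),
    Rule(2, "any", "203.0.113.1/32", "any", None, "deny", "nobody else may connect to the firewall"),
    Rule(3, "any", "203.0.113.20/32", "tcp", 80, "allow", "public Web server in the DMZ"),
    Rule(4, "any", "203.0.113.21/32", "tcp", 25, "allow", "public mail server in the DMZ"),
    Rule(5, "192.168.1.0/24", "any", "any", None, "allow", "employees may reach the Internet"),
    Rule(6, "any", "any", "any", None, "deny", "cleanup rule: deny everything not allowed above"),
]

def demo() -> dict:
    """Decisions for constructed packets; each comment names the rule that fires."""
    return {
        "admin_to_firewall": evaluate(RULES, "192.168.1.5", "203.0.113.1", "tcp", 22),     # rule 1
        "stranger_to_firewall": evaluate(RULES, "198.51.100.7", "203.0.113.1", "tcp", 22), # rule 2
        "public_to_web": evaluate(RULES, "198.51.100.7", "203.0.113.20", "tcp", 80),       # rule 3
        "public_to_web_ssh": evaluate(RULES, "198.51.100.7", "203.0.113.20", "tcp", 22),   # cleanup
        "internet_to_lan": evaluate(RULES, "198.51.100.7", "192.168.1.10", "tcp", 445),    # cleanup
        "lan_to_internet": evaluate(RULES, "192.168.1.10", "198.51.100.7", "tcp", 443),    # rule 5
    }
```

Swapping rules 1 and 2 would lock the administrator out as well, which is why the most specific and most important rules belong at the top and the catch-all deny at the bottom.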

Designing Firewall Configurations

• Firewalls can be deployed in several ways
  – As part of a screening router
  – Dual-homed host
  – Screened host
  – Screened subnet DMZ
  – Multiple DMZs
  – Multiple firewalls
  – Reverse firewall

Screening Router

• Screening router
  – Determines whether to allow or deny packets based on their source and destination IP addresses
    • Or other information in their headers
  – Does not stop many attacks
    • Especially those that use spoofed or manipulated IP address information
  – Should be combined with a firewall or proxy server
    • For additional protection

Dual-Homed Host

• Dual-homed host
  – Computer that has been configured with more than one network interface
  – Only firewall software can forward packets from one interface to another
  – Provides limited security
  – Host serves as a single point of entry to the organization

Screened Host

• Screened host
  – Similar to a dual-homed host
  – Can add a router between the host and the Internet
    • To carry out IP packet filtering
  – Combines a dual-homed host and a screening router
  – Can function as a gateway or proxy server

Screened Subnet DMZ

• DMZ
  – Subnet of publicly accessible servers placed outside the internal LAN
  – Called a “service network” or “perimeter network”
• Firewall that protects the DMZ is connected to the Internet and the LAN
  – Called a three-pronged firewall

Multiple DMZ/Firewall Configurations

• Server farm
  – Group of servers connected in their own subnet
  – Work together to receive requests with the help of load-balancing software
    • Load-balancing software prioritizes and schedules requests and distributes them to servers
• Clusters of servers in DMZs help protect the network from becoming overloaded
• Each server farm/DMZ can be protected with its own firewall or packet filter

Multiple Firewall Configurations

• Protecting a DMZ with two or more firewalls
  – One firewall controls traffic between the DMZ and the Internet
  – Second firewall controls traffic between the protected LAN and the DMZ
    • Can also serve as a failover firewall
  – Advantage
    • Can control where traffic goes in the three networks you are dealing with

Multiple Firewall Configurations (continued)

• Protecting branch offices with multiple firewalls
  – Multiple firewalls can implement a single security policy
  – Central office has a centralized firewall
    • Directs traffic for branch offices and their firewalls
    • Deploys the security policy through this firewall using a security workstation

Reverse Firewall

• Reverse firewall
  – Monitors connections headed out of a network
    • Instead of trying to block what’s coming in
  – Helps monitor connection attempts out of a network
    • Originated from internal users
  – Filters out unauthorized attempts

Comparing Software and Hardware Firewalls

• Software-based firewalls
• Hardware-based firewalls
• Hybrid firewalls

Software-Based Firewalls

• Free firewall programs
  – They are not perfect
  – Logging capabilities are not as robust as some commercial products
  – Configuration can be difficult
  – Popular free firewall programs
    • Netfilter
    • ZoneAlarm
    • Sygate Personal Firewall

Software-Based Firewalls (continued)

• Commercial firewall programs: Personal firewalls
  – Located between the Ethernet adapter driver and the TCP/IP stack
  – Inspect traffic going between the driver and the stack
  – Popular choices
    • Norton Personal Firewall
    • ZoneAlarm Pro
    • BlackICE PC Protection
    • Sygate Personal Firewall Pro
  – Considered “lightweight” in terms of protection

Software-Based Firewalls (continued)

• Commercial firewall programs: Enterprise firewalls
  – Include a centralized management option
  – Capable of installing multiple instances from a centralized location
  – Some examples include
    • PGP Desktop 9.0
    • Check Point NG
    • Proventia security products
    • Novell’s BorderManager

Hardware Firewalls

• Advantages
  – Do not depend on conventional OSs
  – Generally more scalable than software firewalls
• Disadvantages
  – They do depend on nonconventional OSs
  – Tend to be more expensive than software products

Hybrid Firewalls

• Hybrid firewall
  – Combines aspects of hardware and software firewalls
  – Benefits from the strengths of both solutions

Summary

• Firewall
  – Hardware or software that blocks unauthorized network access
• Firewalls are not a standalone solution
  – Combine them with antivirus software and IDSs
• Firewalls are effective only if configured correctly
• You can use several different firewall configurations to protect a network