Chapter 5 Firewall Planning and Design

nullpit / Networks and Communications

23 Oct 2013


Objectives

After reading this chapter and completing the exercises, you will be able to:

Identify common misconceptions about firewalls
Explain why a firewall is dependent on an effective security policy
Discuss what a firewall does
Describe the types of firewall protection
Identify the limitations of firewalls
Evaluate and recommend suitable hardware and software for a firewall application



Misconceptions about Firewalls


Some business managers who have heard of a firewall in relation to Internet security have the notion that it is designed to prevent all hackers, viruses, and would-be intruders from entering a computer or computer network. That notion is not true: firewalls are designed to enable authorized traffic to pass through and to block unauthorized traffic, and whatever arrives inside authorized traffic (an infected e-mail attachment carried over a permitted SMTP connection, for example) passes with it.

It is also often thought that, once a firewall is deployed, you only need to let it operate on its own. The fact is that firewalls are not perfect and work best when they are part of a multi-pronged approach to network security known as Defense in Depth (DiD).



Firewalls Explained


In general, a firewall is anything, whether hardware or software (or a combination of the two), that can filter the transmission of packets of digital information as they attempt to pass through a boundary of a network. Firewalls perform two basic security functions:

Packet filtering: First and foremost, a firewall must be able to determine whether to allow or deny the passage of packets of digital information, based on established security policy rules.

Application proxy: In some cases, a firewall may provide network services to users while shielding individual host computers. This is done by breaking the IP flow (the traffic into and out of the network) between the network being protected and the network outside: the proxy terminates the client's connection and opens a second connection of its own to the destination, so no packet travels end to end.


Firewall Security Features



Beyond filtering, firewalls can provide the following security features:

Logging unauthorized access
Providing a virtual private network (VPN)
Authentication
Shielding hosts inside the network
Caching data
Filtering content



Firewall User Protection


For a single home user who regularly surfs the Web and uses e-mail and instant messaging, a firewall's primary job is to block unsolicited inbound connections. That keeps remote attackers from reaching services on the machine and, if a Trojan horse has installed a hidden opening called a back door for access at a later time, keeps that back door from being reachable from the outside. A packet filter on its own does not scan files for viruses; that is the job of antivirus software, which is why the two are used together.



Quick Quiz


1. True or False: An effective security policy should state how the company would respond to breaches of security.
Answer: True

2. A(n) _____ that tells employees what constitutes acceptable use of company resources should be part of an effective security policy.
Answer: acceptable use policy

3. Firewalls are designed to enable authorized traffic to pass through and _____ unauthorized traffic.
Answer: block

4. Firewalls work best when they are part of a multi-pronged approach to network security called _____.
Answer: Defense in Depth (DiD)


Firewall Network Perimeter Security


A firewall is often said to provide "perimeter security" because it sits on the outer boundary, or perimeter, of a network. The network boundary is the point at which one network connects to another.

If you have an extranet, an extended network that combines two or more LANs, the location of the "perimeter" becomes unclear. If you maintain a VPN with a supplier or business partner, the VPN should have its own perimeter firewall, because your network boundary technically extends to the far end of the VPN: traffic arriving through the tunnel is decrypted inside your perimeter and is only as trustworthy as the partner's network.

Locating the firewall at the perimeter has one obvious benefit: it gives you a checkpoint where you can block "bad things" such as viruses and infected e-mail messages before they get inside. Another benefit is that a single device logs all passing traffic and protects the whole network at the same time. If an attack does occur, having a security subnet (a DMZ) at the perimeter can minimize the damage, because the hosts the attacker reaches first are the ones you have deliberately exposed and hardened, not the internal network.


Firewall
Components


A firewall can contain many components, including:

Packet filter
Proxy server
Authentication system
Software that performs Network Address Translation (NAT)

Many firewalls make use of a bastion host, a machine that runs no unnecessary services and is hardened because it is expected to be attacked. A network that needs to connect to the Internet might have a bastion host and a service network. Together, they are the only part of the organization exposed to the Internet.



Firewall

Security Tasks


A firewall that does packet filtering addresses the tendency of hackers to open an attack by scanning for network addresses and open ports. (A port is a virtual gateway on a computer through which a particular type of data is allowed to pass. Each port is identified by a number between 0 and 65,535.) Initially, a hacker uses special software to scan a series of addresses, attempting to connect to a computer on each one. Any computer that answers gives the hacker a target. Any gateway or router acting as a packet filter on your network or in your firewall should therefore be configured to reject inbound connection requests except to the hosts and ports you have deliberately published; everything else should be dropped, and the failed attempts should be logged, because a burst of connection attempts from one source to many ports is the signature of a scan.

Note that a port number combined with a computer's IP address constitutes a network endpoint called a socket. Software commonly used by hackers attempts to identify sockets that respond to connection requests. The sockets that respond can then be targeted to see whether they have been left open unnecessarily or whether the service behind them has security vulnerabilities that can be exploited. Some well-known examples:

Simple Mail Transfer Protocol (SMTP) listens on port 25
Post Office Protocol, version 3 (POP3) listens for incoming mail on port 110
Hypertext Transfer Protocol (HTTP) Web services use port 80
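The scan signature described above (one source touching many ports in a short time) is easy to pick out of a firewall's deny log. The following Python is an added example, not code from the chapter or any product; the log format and the sample lines are constructed for it, and the 60-second window and five-port threshold are assumed values you would tune for your own traffic.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample of firewall deny-log lines for this example (not from any real device).
# Assumed line format: "<ISO time> DENY <proto> <src ip>:<src port> -> <dst ip>:<dst port>"
SAMPLE_LOG = """\
2013-10-23T10:00:01 DENY TCP 203.0.113.7:44512 -> 192.168.1.10:21
2013-10-23T10:00:01 DENY TCP 203.0.113.7:44513 -> 192.168.1.10:22
2013-10-23T10:00:02 DENY TCP 203.0.113.7:44514 -> 192.168.1.10:23
2013-10-23T10:00:02 DENY TCP 203.0.113.7:44515 -> 192.168.1.10:25
2013-10-23T10:00:03 DENY TCP 203.0.113.7:44516 -> 192.168.1.10:110
2013-10-23T10:00:03 DENY TCP 203.0.113.7:44517 -> 192.168.1.10:143
2013-10-23T10:00:04 DENY TCP 203.0.113.7:44518 -> 192.168.1.10:443
2013-10-23T10:00:04 DENY TCP 203.0.113.7:44519 -> 192.168.1.10:3389
2013-10-23T10:05:00 DENY TCP 198.51.100.4:51000 -> 192.168.1.10:8080
2013-10-23T10:05:30 DENY TCP 198.51.100.4:51001 -> 192.168.1.10:8443
2013-10-23T11:00:00 DENY TCP 203.0.113.7:50000 -> 192.168.1.10:5900
"""

LINE_RE = re.compile(
    r"^(\S+) DENY (\w+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)

# Port-to-service names for reporting: the three from the text plus a few other well-known ones.
WELL_KNOWN = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http",
              110: "pop3", 143: "imap", 443: "https", 3389: "rdp", 5900: "vnc"}


def parse_denies(log_text):
    """Return (timestamp, source ip, destination ip, destination port) per DENY line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines in another format rather than failing the whole run
        ts, _proto, src, _sport, dst, dport = m.groups()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return events


def detect_scans(log_text, window_seconds=60, min_ports=5):
    """Flag sources denied on at least min_ports distinct destination ports within any
    window_seconds span. Returns {source ip: sorted distinct ports in the best window}."""
    by_src = defaultdict(list)
    for ts, src, _dst, dport in parse_denies(log_text):
        by_src[src].append((ts, dport))

    scanners = {}
    for src, events in by_src.items():
        events.sort()
        window = deque()       # events inside the current time window
        in_window = Counter()  # port -> number of window events that hit it
        best = set()
        for ts, port in events:
            window.append((ts, port))
            in_window[port] += 1
            # Slide the window: drop events older than window_seconds.
            while (ts - window[0][0]).total_seconds() > window_seconds:
                _old_ts, old_port = window.popleft()
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
            if len(in_window) >= min_ports and len(in_window) > len(best):
                best = set(in_window)
        if best:
            scanners[src] = sorted(best)
    return scanners


def describe_ports(ports):
    """Label ports with service names so an analyst sees what was probed."""
    return [f"{p}/{WELL_KNOWN.get(p, 'unknown')}" for p in ports]


if __name__ == "__main__":
    for src, ports in detect_scans(SAMPLE_LOG).items():
        print(f"{src} scanned {len(ports)} ports: {', '.join(describe_ports(ports))}")
```

With the sample above, 203.0.113.7 is flagged for its eight-port sweep while 198.51.100.4, which only tried two ports, is not; the lone probe from 203.0.113.7 an hour later falls outside the window and does not change the verdict. A real deployment would also count distinct destination hosts per source, since address sweeps are the other half of the scanning behaviour the text describes.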



Restricting Access from Outside the Network


The most obvious goal of a firewall is to regulate which packets of information can enter the network. To do so, a firewall examines each packet to determine whether it meets the necessary "authorized" criteria. The criteria might be protocols or IP addresses on an "approved" list. Anything not on the list is excluded.


Restricting Unauthorized Access from Inside the Network


In some ways, it is relatively easy to protect a network from the Internet but more difficult to protect it from an inside attack, because the perimeter firewall never sees traffic that originates and ends inside the network. You should be aware of the following possibilities:

Staff who bring in virus-infected removable media such as floppy disks or USB drives
Staff who access their office computers from home using remote access software that bypasses the perimeter firewall
Social engineering
Poorly trained firewall administrators
Employees who receive e-mail messages with executable attachments



Limiting Access to External Hosts

Firewalls can selectively permit traffic to go from inside the network to the Internet or other networks, giving more precise control over how employees inside the network use external resources. In other words, the firewall can act as a proxy server that makes high-level application connections on behalf of internal hosts and other machines. A single firewall product can provide both outbound packet filtering and outbound proxy services. Outbound filtering matters for more than policy enforcement: it also limits what a compromised internal host can reach.


Protecting Critical Resources


Attacks on critical resources are becoming all too common. Worms are one type of attack. They "worm" their way into a computer, often arriving as an e-mail attachment, a downloaded file, or a connection to a vulnerable network service, and then replicate themselves to other systems on their own. They differ from viruses, which attach themselves to files or programs and need a user to run the infected host before they spread; both may carry a payload far more destructive than replication alone. Trojan horses contain malicious code hidden inside supposedly harmless programs; unlike worms and viruses, they do not replicate but rely on the user to install them. Distributed Denial of Service (DDoS) attacks are just as harmful. They occur when an attacker floods a server with requests from many compromised machines at once, overwhelming the server and making the Web sites and networks that depend on it unreachable.


Protecting Against Hacking


Hacking, in general, is the practice of infiltrating computers or networks to steal data, cause harm, or simply claim credit for getting inside. The impacts of this type of attack include:

Loss of data
Loss of time
Loss of staff resources
Loss of confidentiality




Quick Quiz


1. A secure mini-network created by combining firewalls with routers and positioned between the internal network and the outside world is called a(n) ______.
Answer: demilitarized zone (DMZ)

2. A(n) ______ is a virtual gateway on a computer through which a particular type of data is allowed to pass.
Answer: port

3. The firewall can act as a ______, which is software that makes high-level application connections on behalf of internal hosts and other machines.
Answer: proxy server

4. ______ attacks are caused when a hacker floods a server with requests, shutting down the server and making Web sites and networks that depend on that server unreachable.
Answer: Distributed Denial of Service (DDoS)

5. The process of logging in to a server with a username and a password to access protected information is called ______.
Answer: authentication


Providing Centralization


A firewall centralizes security for the organization it protects. It simplifies the security-related activities of the network administrator, who typically has many other responsibilities. Having a firewall on the perimeter gives the network administrator a single location from which to configure security policies and monitor arriving and departing traffic.


Enabling Documentation


Every firewall should be configured to provide information to the network administrator in the form of log files. These log files record attempted intrusions and other suspicious activity, as well as mundane events like legitimate file accesses, unsuccessful connection attempts, and the like.


Providing for Authentication


Authentication is the process of proving an identity to a server, typically by logging in with a username and password, before being allowed access to protected information. Only users whose credentials are registered are recognized by the server and allowed to enter. The authentication process can also be performed at the firewall and should make use of encryption to protect the usernames and passwords transmitted from client to server (or client to firewall); otherwise anyone able to sniff the path can capture them.


Contributing to a VPN


A firewall is an ideal endpoint for a VPN, which connects two companies' networks over the Internet. Because the VPN encrypts and authenticates traffic between its endpoints, it is one of the safest ways to exchange information online. Note that the firewall can only inspect VPN traffic after it has been decrypted, which is one more reason to terminate the tunnel at the firewall rather than behind it.



Types of Firewall Protection


Some examples of firewall functions and the corresponding OSI layers at which they operate (layer 7 is the top of the model):

Layer  OSI Reference Model Layer  Firewall Technology
7      Application                Application-level gateway
6      Presentation               Encryption
5      Session                    SOCKS proxy server
4      Transport                  Packet filtering
3      Network                    NAT
2      Data Link                  N/A (but see MAC layer firewalls below)
1      Physical                   N/A


Packet Filtering


Packet filters are an effective element in any perimeter security setup. In addition, they add very little overhead: a filter inspects headers and forwards the packet, whereas a proxy server terminates each connection and re-creates it, which costs processing time and adds latency.

A packet, which is sometimes called a datagram, contains two types of information: the header and the data. Packet filters use packet headers to decide whether to block the packet or allow it to pass through a firewall. Note that one of your jobs as a system administrator would be to configure the firewall to deny all packets that arrive from outside but carry a source IP address that appears to belong to the internal network; such packets are spoofed, because a genuinely internal host would never arrive on the outside interface.


Stateless Packet-Filtering Firewalls

Stateless inspection, also called stateless packet filtering, is firewall packet inspection that ignores the state of the connection between the internal computer and the external computer. A firewall that conducts stateless packet filtering simply blocks or allows a packet based on the information in the header.


Stateful Packet-Filtering Firewalls

Stateful inspection, also called stateful packet filtering, examines each packet in the context of the connection between the internal and external computers rather than in isolation. The firewall records the connections it has seen (addresses, ports, and the connection's state, such as whether the TCP handshake has completed) in a state table held in memory, and consults the table on every packet. Stateful inspection is superior to stateless inspection because it uses the connection state to make decisions on whether to allow the traffic: an inbound packet that does not belong to a connection an internal host initiated can be dropped even if a stateless rule would have matched its addresses and ports.


Packet-Filtering Rules

Some of the most general packet-filtering rules include:

Any outbound packet must have a source address that is in your internal network.
Any outbound packet must not have a destination address that is in your internal network.
Any inbound packet must not have a source address that is in your internal network.
Any inbound packet must have a destination address that is in your internal network.
Any packet that enters or leaves your network must have a source or destination address that falls within the range of addresses in your network.

The first three are anti-spoofing rules: packets that violate them are either forged or misrouted, and they should be dropped and logged rather than silently discarded. (The fourth rule assumes the firewall forwards only for your own network; a firewall that also routes for a partner network or a DMZ must list those ranges as well.)

Filter rules are written in terms of the header fields of particular protocols. Rules commonly match on:

Internet Control Message Protocol (ICMP) message type and code
User Datagram Protocol (UDP) source and destination ports
TCP source and destination ports and flags (for example, SYN set without ACK marks a new connection request)
IP source and destination addresses and the protocol number
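The rules above, applied to one packet at a time with no memory of earlier packets, look like the following. This Python is an added example written for this page, not code from the chapter; the internal address ranges, the two "published" services and the sample packets are assumptions made for the demonstration. It also shows the blind spot that motivates stateful inspection: a stateless filter has to let every non-SYN TCP packet in so that replies can return, and it cannot tell a real reply from a crafted one.

```python
import ipaddress
from dataclasses import dataclass

# Assumed address ranges for the protected network (example values, not from the text).
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.0.0.0/8")]

# Assumed services deliberately published to the outside, as (protocol, port).
PUBLISHED = {("tcp", 25), ("tcp", 80)}


@dataclass(frozen=True)
class Packet:
    direction: str          # "in": arrived on the outside interface; "out": arrived on the inside one
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn_only: bool = False  # TCP: SYN set and ACK clear, i.e. a new connection request


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def stateless_filter(pkt):
    """Decide from this packet's header alone; no memory of earlier packets."""
    if pkt.direction == "out":
        if not is_internal(pkt.src):
            return "deny", "outbound source address is not internal (spoofed or misrouted)"
        if is_internal(pkt.dst):
            return "deny", "outbound packet addressed to the internal network should never reach the perimeter"
        return "allow", "outbound traffic permitted"

    # Inbound: the anti-spoofing checks come first, before any service rule.
    if is_internal(pkt.src):
        return "deny", "inbound packet claims an internal source address (spoofed)"
    if not is_internal(pkt.dst):
        return "deny", "inbound packet is not addressed to our network"
    if pkt.proto == "tcp":
        if pkt.syn_only:
            if ("tcp", pkt.dport) in PUBLISHED:
                return "allow", f"new connection to published service on port {pkt.dport}"
            return "deny", f"new connection request to unpublished port {pkt.dport}"
        # Without state, every non-SYN TCP packet must be allowed so replies to internal
        # clients can return. A crafted ACK to a closed port is indistinguishable from a
        # real reply here; removing that blind spot is what stateful inspection adds.
        return "allow", "non-SYN TCP packet assumed to belong to an existing connection"
    if (pkt.proto, pkt.dport) in PUBLISHED:
        return "allow", f"published {pkt.proto} service on port {pkt.dport}"
    return "deny", "no rule permits this packet"


def filter_all(packets):
    """Apply the filter to a sequence of packets; returns the list of verdicts."""
    return [stateless_filter(p)[0] for p in packets]


# Constructed sample traffic for the demonstration.
SAMPLE = [
    Packet("in", "tcp", "203.0.113.7", "192.168.1.10", 44512, 80, syn_only=True),  # legitimate web request
    Packet("in", "tcp", "203.0.113.7", "192.168.1.10", 44513, 22, syn_only=True),  # probe of an unpublished port
    Packet("in", "tcp", "192.168.1.50", "192.168.1.10", 1234, 80, syn_only=True),  # spoofed internal source
    Packet("in", "tcp", "203.0.113.7", "192.168.1.10", 44514, 22),                 # crafted ACK: slips through
    Packet("out", "tcp", "192.168.1.10", "203.0.113.7", 5000, 80, syn_only=True),  # normal outbound request
    Packet("out", "tcp", "172.16.0.5", "203.0.113.7", 5000, 80, syn_only=True),    # not one of our addresses
    Packet("in", "udp", "203.0.113.7", "192.168.1.10", 53, 53),                    # unpublished UDP service
]

if __name__ == "__main__":
    for p in SAMPLE:
        verdict, why = stateless_filter(p)
        print(f"{verdict:5} {p.direction:3} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {why}")
```

Order matters: the address checks run before the service checks, so a spoofed packet aimed at a published port is still rejected. The fourth sample packet is the one to notice; it is accepted only because the filter has no record of whether 192.168.1.10 ever opened a connection to 203.0.113.7.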


PAT and
NAT


Each computer on the network is assigned an IP address. If that address is static and reachable from the Internet, it is relatively easy for a hacker to find it and come back to the computer more than once. With a static, reliable IP address, a hacker can use a computer as a staging area for launching long, sustained attacks.

Port Address Translation (PAT) and Network Address Translation (NAT) are addressing methods that make internal network addresses invisible to outside computers. PAT and NAT hide the TCP/IP information of hosts in the network being protected, to prevent attackers from learning the address of an actual host on your internal network.

PAT and NAT function as a Network-level proxy: the proxy acts as a single host that makes requests on behalf of all internal hosts on the network. NAT hides the identity of hosts from anyone outside the network by rewriting the source address of outgoing packets to the IP address of the firewall (PAT additionally rewrites the source port, so that many internal hosts can share one public address). The firewall keeps a translation table so that replies can be rewritten back to the internal host that made the request; a packet arriving from outside that matches no table entry has no internal destination and is dropped. To someone on the Internet or outside network, it seems as though all information is coming from a single computer. Hiding addresses is not the same as filtering, however: NAT should be used together with packet-filtering rules, not instead of them.
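The translation table at the heart of PAT, as an added Python example written for this page (not code from the chapter or any product). The public address, the internal range and the deliberately tiny port pool are assumptions for the demonstration; the small pool makes port exhaustion visible, and two internal hosts are given the same source port on purpose to show why PAT must allocate a fresh public port per connection.

```python
import ipaddress


class PortAddressTranslator:
    """PAT (NAT with port rewriting): outbound packets leave with the firewall's public
    address and an allocated port as their source; the mapping is remembered so replies
    can be rewritten back to the internal host. Inbound packets with no mapping are dropped."""

    def __init__(self, public_ip, internal_net, port_pool):
        self.public_ip = public_ip
        self.internal = ipaddress.ip_network(internal_net)
        self.free_ports = list(port_pool)  # public ports still available for new mappings
        self.out_map = {}  # (proto, int ip, int port, ext ip, ext port) -> public port
        self.in_map = {}   # (proto, public port, ext ip, ext port) -> (int ip, int port)

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Return the rewritten (src ip, src port, dst ip, dst port) as the Internet sees
        it, or None if the packet cannot be translated and must be dropped."""
        if ipaddress.ip_address(src_ip) not in self.internal:
            return None  # not an internal host: nothing to hide, and it should not be forwarded
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        public_port = self.out_map.get(key)
        if public_port is None:
            if not self.free_ports:
                return None  # port pool exhausted; the new connection cannot be opened
            public_port = self.free_ports.pop(0)
            self.out_map[key] = public_port
            self.in_map[(proto, public_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, public_port, dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Return the header as delivered inside, or None to drop the packet."""
        if dst_ip != self.public_ip:
            return None
        target = self.in_map.get((proto, dst_port, src_ip, src_port))
        if target is None:
            return None  # unsolicited: no internal host ever talked to this peer from this port
        int_ip, int_port = target
        return (src_ip, src_port, int_ip, int_port)

    def close(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Release a mapping when the connection ends so its public port can be reused."""
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        public_port = self.out_map.pop(key, None)
        if public_port is not None:
            del self.in_map[(proto, public_port, dst_ip, dst_port)]
            self.free_ports.append(public_port)
        return public_port


if __name__ == "__main__":
    pat = PortAddressTranslator("203.0.113.1", "192.168.1.0/24", range(40000, 40002))
    print(pat.outbound("tcp", "192.168.1.10", 5000, "198.51.100.4", 80))  # first host
    print(pat.outbound("tcp", "192.168.1.11", 5000, "198.51.100.4", 80))  # same port, different host
    print(pat.inbound("tcp", "198.51.100.4", 80, "203.0.113.1", 40001))   # reply goes to the second host
    print(pat.inbound("tcp", "203.0.113.7", 1234, "203.0.113.1", 40000))  # unsolicited: dropped
```

The inbound lookup keys on the external peer as well as the public port, so a third party that guesses an allocated port still gets nothing; that is the "hiding" the text describes, and it is also why a reply-only NAT is not a substitute for the anti-spoofing and service rules of a packet filter, which still decide what the mapped connection is allowed to carry.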



Application Layer Gateways


Another type of firewall protection is the Application layer gateway, also known as a proxy server. This type of gateway works at the Application layer, the top layer of the OSI model of network communications.

An overview of firewalls and what they do would not be complete without mentioning the following security techniques:

Load balancing
IP address mapping
Filtering content
URL filtering




Quick Quiz


1. ______ packet filtering examines each packet in the context of the connection between client and server and keeps a record of that connection's state in a table held in memory.
Answer: Stateful

2. The protocol used by utilities like Ping and Traceroute to report any errors that occurred in the transmission is ______.
Answer: Internet Control Message Protocol (ICMP)

3. True or False: A NAT functions as a Network-level proxy; it acts as a single host that makes requests on behalf of all the internal hosts on the network.
Answer: True

4. The security technique used to block a site by its Domain Name System (DNS) name is called ______.
Answer: URL filtering



Firewall Categories


Firewalls can be categorized by processing mode, generation, or structure. Firewalls categorized by level of technology are identified by generation, with the later generations being more complex and more recently developed. Firewalls categorized by intended structure are typically divided into residential- or commercial-grade, hardware-based, software-based, or appliance-based devices.

Processing Mode

The processing modes are: packet filtering, application gateways, circuit gateways, MAC layer firewalls, and hybrids.


Packet-Filtering Firewalls

Packet-filtering firewalls examine the header information of data packets that come into a network. The restrictions most commonly implemented are based on a combination of:

Internet Protocol (IP) source and destination address
Direction (inbound or outbound)
Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source and destination port requests

Simple firewall models examine one aspect of the packet header: the destination and source address. They enforce address restrictions, rules designed to prohibit packets with certain addresses or partial addresses from passing through the device.

They accomplish this through access control lists (ACLs), which are created and modified by the firewall administrators. There are three subsets of packet-filtering firewalls:

Static filtering
Dynamic filtering
Stateful inspection


Static filtering requires that the filtering rules governing how the firewall decides which packets are allowed and which are denied be developed and installed in advance; the rule set changes only when an administrator changes it.

Dynamic filtering allows the firewall to react to an emergent event and update or create rules to deal with the event.

Whereas static filtering firewalls allow entire sets of one type of packet to enter in response to authorized requests (for example, every inbound packet to a high-numbered port, so that replies can get back), a dynamic packet-filtering firewall allows only the particular packet with the particular source, destination, and port address that matches an outbound request to enter through the firewall.

Stateful inspection firewalls, or stateful firewalls, keep track of each network connection between internal and external systems using a state table, which tracks the state and context of each connection by recording which station sent which packet and when.

Whereas simple packet-filtering firewalls only allow or deny certain packets based on their addresses, a stateful firewall can block incoming packets that are not responses to internal requests.

The primary disadvantage of this type of firewall is the additional processing required to manage and verify packets against the state table. The state table is also finite: an attacker who opens, or merely pretends to open, a very large number of connections can fill it, after which legitimate new connections are refused, which is why this design can be vulnerable to a DoS or DDoS attack. Practical firewalls limit the number of entries per source and expire half-open connections quickly.
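The dynamic rule creation and the stateful inspection described above (both here and in the earlier "Stateful Packet-Filtering Firewalls" section) come down to one mechanism: an outbound SYN creates a table entry, and only packets matching that entry are allowed back in. The Python below is an added example for this page, not code from the chapter or any product; the internal range, the packet fields and the deliberately small table size are assumptions, and the TCP teardown is simplified to "first FIN or RST removes the entry". The table cap makes the exhaustion weakness observable.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str                  # "in": from the outside interface; "out": from the inside interface
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags present, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}, {"FIN", "ACK"}


class StatefulFirewall:
    """Tracks TCP connections that internal hosts initiate and allows inbound packets only
    when they belong to one of them. max_states bounds the state table so that the
    exhaustion weakness described in the text can be observed."""

    def __init__(self, internal_net, max_states):
        self.internal = ipaddress.ip_network(internal_net)
        self.max_states = max_states
        self.table = {}  # (internal ip, internal port, external ip, external port) -> state name

    @staticmethod
    def _key(pkt):
        # Same table key for both directions of one connection.
        if pkt.direction == "out":
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def handle(self, pkt):
        key = self._key(pkt)
        state = self.table.get(key)
        closing = bool(pkt.flags & {"FIN", "RST"})

        if pkt.direction == "out":
            if ipaddress.ip_address(pkt.src) not in self.internal:
                return "deny", "outbound source is not an internal address (spoofed)"
            if state is None:
                if pkt.flags != frozenset({"SYN"}):
                    return "deny", "outbound packet for an unknown connection that is not a new SYN"
                if len(self.table) >= self.max_states:
                    return "deny", "state table full; new connection refused"
                # This entry is the dynamically created rule: only a reply from exactly
                # this peer, to exactly this internal port, may now come back in.
                self.table[key] = "SYN_SENT"
                return "allow", "new outbound connection recorded"
            if closing:
                del self.table[key]  # simplified teardown: first FIN or RST removes the entry
                return "allow", "connection closed, state removed"
            return "allow", f"outbound packet on tracked connection ({state})"

        # Inbound: no state means no internal host asked for this packet.
        if state is None:
            return "deny", "inbound packet matches no connection an internal host initiated"
        if state == "SYN_SENT":
            if pkt.flags == frozenset({"SYN", "ACK"}):
                self.table[key] = "ESTABLISHED"
                return "allow", "handshake reply for tracked connection"
            if "RST" in pkt.flags:
                del self.table[key]
                return "allow", "peer refused the connection, state removed"
            return "deny", "unexpected inbound packet during handshake"
        if closing:
            del self.table[key]
            return "allow", "connection closed by peer, state removed"
        return "allow", "inbound packet on established connection"

    def active_connections(self):
        return len(self.table)


if __name__ == "__main__":
    fw = StatefulFirewall("192.168.1.0/24", max_states=2)
    SYN, SYNACK, ACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    print(fw.handle(Packet("out", "192.168.1.10", 5000, "203.0.113.7", 80, SYN)))
    print(fw.handle(Packet("in", "203.0.113.7", 80, "192.168.1.10", 5000, SYNACK)))
    print(fw.handle(Packet("in", "198.51.100.4", 80, "192.168.1.10", 5000, ACK)))  # crafted: denied
```

Compare the third printed verdict with the stateless filter earlier in the chapter: the same crafted ACK that a stateless rule would have to pass is now rejected because no entry exists for that peer. The flip side is the `max_states` check: once the table is full, even a legitimate internal host is refused, which is exactly the denial-of-service exposure the text warns about, and why real implementations age out entries stuck in SYN_SENT.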


Application Gateways


The application gateway, also known as an application-level firewall or application firewall, is frequently installed on a dedicated computer, separate from the filtering router, but is commonly used in conjunction with a filtering router. The application firewall is also known as a proxy server, since it runs special software that acts as a proxy for a service request.

Since the proxy server is often placed in an unsecured area of the network or in the DMZ, it, rather than the Web server, is exposed to the higher levels of risk from the less trusted networks.

Additional filtering routers can be implemented behind the proxy server, limiting access to the more secure internal system and thereby further protecting internal systems.


Circuit Gateways


The circuit gateway firewall operates at the transport layer. Connections are authorized based on addresses. Like filtering firewalls, circuit gateway firewalls do not usually look at data traffic flowing between one network and another, but they do prevent direct connections between one network and another.

They accomplish this by creating tunnels that connect specific processes or systems on each side of the firewall and then allowing only authorized traffic, such as a specific type of TCP connection for only authorized users, in these tunnels.



MAC Layer Firewalls


While not as well known or widely referenced as the firewall approaches above, MAC layer firewalls are designed to operate at the media access control sublayer of the Data Link layer of the OSI network model. This gives these firewalls the ability to consider the specific host computer's identity in their filtering decisions.

Using this approach, the MAC addresses of specific host computers are linked to ACL entries that identify the specific types of packets that can be sent to each host, and all other traffic is blocked. Because MAC addresses are visible only on the local segment and can be changed in software, this identity is weak: it is a useful control on the local LAN but offers no protection against a host that spoofs the address of an authorized machine.


Hybrid Firewalls


Hybrid firewalls combine the elements of other types of firewalls, that is, the elements of packet filtering and proxy services, or of packet filtering and circuit gateways.

Alternately, a hybrid firewall system can consist of two separate firewall devices; each is a separate firewall system, but they are connected so that they work in tandem.



Firewalls Categorized by Generation


First-generation firewalls are static packet-filtering firewalls; that is, they are simple networking devices that filter packets according to their headers as the packets travel to and from the organization's networks.

Second-generation firewalls are application-level firewalls or proxy servers; that is, they are dedicated systems that are separate from the filtering router and that provide intermediate services for requestors.

Third-generation firewalls are stateful inspection firewalls, which monitor network connections between internal and external systems using state tables.

Fourth-generation firewalls are dynamic packet-filtering firewalls and allow only a particular packet with a particular source, destination, and port address to enter.

Fifth-generation firewalls are the kernel proxy, a specialized form that works under the Windows NT Executive, which is the kernel of Windows NT.



Firewall Structures

Firewall appliances are stand-alone, self-contained systems that frequently have many of the features of a general-purpose computer with the addition of firmware-based instructions that increase their reliability and performance and minimize the likelihood of their being compromised.

A commercial-grade firewall system consists of firewall application software running on a general-purpose computer. Organizations can install firewall software on an existing general-purpose computer system, or they can purchase hardware that has been configured to the specifications that yield optimum performance for the firewall software.

SOHO and residential-grade firewall devices, also known as broadband gateways or DSL/cable modem routers, connect the user's local area network or a specific computer system to the Internet. The SOHO firewall serves first as a stateful firewall to enable inside-to-outside access, and it can be configured to allow limited TCP/IP port forwarding and/or screened subnet capabilities.

Residential-grade firewall software is installed directly on the user's system. Some of these applications combine firewall services with other protections such as antivirus or intrusion detection. There are limits to the level of configurability and protection that software firewalls can provide.


Software vs. Hardware: The SOHO Firewall Debate


So which type of firewall should the residential user implement? Where would you rather defend against a hacker?

With the software option, the hacker is already inside your computer, battling with a piece of software that may not have been correctly installed, configured, patched, upgraded, or designed. If the software happens to have a known vulnerability, the hacker could bypass it and then have unrestricted access to your system.

With the hardware device, even if the hacker manages to crash the firewall system, your computer and information are still behind the now disabled connection and carry a nonroutable (private) IP address, making them very hard to reach from the outside. That reasoning holds only if the device fails closed: a device that keeps forwarding after its filtering process dies, or whose management interface is reachable from the Internet, offers no such guarantee, so the device needs the same patching discipline as the software option.



Firewall Architectures


Each of the firewall devices noted earlier can be configured in a number of network connection architectures. The firewall configuration that works best for a particular organization depends on three factors: the objectives of the network, the organization's ability to develop and implement the architectures, and the budget available for the function.

Although literally hundreds of variations exist, there are four common architectural implementations of firewalls:

Packet-filtering routers
Screened host firewalls
Dual-homed host firewalls
Screened subnet firewalls


Packet-Filtering Routers

Most organizations with an Internet connection have a router as the interface to the Internet at the perimeter between the organization's internal networks and the external service provider. Many of these routers can be configured to reject packets that the organization does not allow into the network.

The drawbacks to this type of system include a lack of auditing and strong authentication, and the fact that the complexity of the access control lists used to filter the packets can grow and degrade network performance.


Screened Host Firewalls


This architecture combines the packet-filtering router with a separate, dedicated firewall, such as an application proxy server, allowing the router to prescreen packets to minimize the network traffic and load on the internal proxy.

The application proxy examines an application layer protocol and performs the proxy services. This separate host is often referred to as a bastion host or sacrificial host; it can be a rich target for external attacks and should be thoroughly secured.


Dual-Homed Host Firewalls

With this approach, the bastion host contains two NICs. One NIC is connected to the external network, and one is connected to the internal network, providing an additional layer of protection. With two NICs, all traffic must go through the firewall in order to move between the internal and external networks; IP forwarding between the two interfaces is disabled, so nothing can be routed around the firewall software.

Implementation of this architecture often makes use of NAT. NAT is a method of mapping assigned IP addresses to special ranges of nonroutable internal IP addresses, thereby creating yet another barrier to intrusion from external attackers.



Screened Subnet Firewalls (with DMZ)


The dominant architecture used today, the screened subnet firewall, provides a DMZ. The DMZ can be a dedicated port on the firewall device linking a single bastion host, or it can be connected to a screened subnet.

A common arrangement finds the screened subnet firewall consisting of two or more internal bastion hosts behind a packet-filtering router, with each host protecting the trusted network:

Connections from the outside or untrusted network are routed through an external filtering router.
Connections from the outside or untrusted network are routed into, and then out of, a routing firewall to the separate network segment known as the DMZ.
Connections into the trusted internal network are allowed only from the DMZ bastion host servers.

The screened subnet is an entire network segment that performs two functions:

It protects the DMZ systems and information from outside threats by providing a network of intermediate security.
It protects the internal networks by limiting how external connections can gain access to internal systems.

DMZs can also create extranets, segments of the DMZ where additional authentication and authorization controls are put into place to provide services that are not available to the general public.



Limitations of Firewalls


Firewalls should not be the only form of protection for a network. They cannot see inside encrypted traffic they do not terminate, cannot stop attacks that travel inside permitted traffic, and do nothing against traffic that never crosses them, such as an insider's or a compromised internal host's. They should be part of an overall security plan and be used in conjunction with other forms of protection, including ID cards, passwords, and employee rules of conduct.



Class Discussion Topics


1. What are the primary security features that a firewall performs?

2. Ask students to do some research on low-cost firewalls suited for home and small businesses. Identify which of these have NAT functions.

3. Discuss the kinds of tactics that hackers might use to gain access to a site.



Additional Case Projects


1. Provide definitions for the following terms:

NAT
VPN
DNS
OPSEC

2. Identify some of the limitations of packet filtering.




Further Readings or Resources


1. For a summary of how firewalls work, see: www.howstuffworks.com/firewall.htm

2. For product comparisons, see: http://products.datamation.com/security//firewalls/