Implementing Firewalls Based on slides accompanying the book Network Defense and Countermeasures by Chuck Easttom (2018) Chapter 3:

Objectives Understand how firewalls are deployed in different networks host-based firewalls vs router-based firewalls Other configurations

Implementing Firewalls Need to understand the firewall’s relationship to the network it is protecting Most common solutions Network host-based Dual-homed host Router-based firewall Screened host The following slides address each of these solutions.

Network Host-Based Firewalls c.f., Host-Based Firewalls https://www.howtogeek.com/122065/htg-explains-i-have-a-router-do-i-need-a-firewall/ (Windows Firewall) Software-based solution runs on top of an operating system Must harden the operating system: Ensure all patches are updated Uninstall unneeded applications or utilities Close unused ports Turn off all unused services Cheap solution Q: What are the trade-offs (vs commercial-grade firewalls)? Hardening of operating systems is covered more in Chapter 8, “Operating System Hardening.” A ‘host-based firewall’ may become a ‘network host-based firewall’ when it is placed between two segments of networks. On the other hand, a ‘host-based firewall’ may be just a host computer (that is, an end device).

In Practice: Demilitarized Zone (DMZ) Two separate firewalls One faces the outside world One faces the inside Web, email, and FTP servers are located in the area in-between them Explain how a DMZ is configured and the benefits that can be derived from this configuration. Refer to Figure 3.3.

Dual-Homed Hosts Expanded version of the Network Host-based Firewall Also runs on top of the OS of a server An older technology Automatic routing is disabled on the host The outer and the inner networks cannot see each other; both talk to the dual-homed host Disadvantage, as with Network host firewalls, is its reliance on the security of the OS See Figure 3.4 for a sample configuration of a dual-homed host firewall.

Dual-Homed Hosts NOTE: correction in the chart Q: Is the dual-homed host firewall an application-level firewall? http://netcentricnj.com/firewallsystems: Dual-homed gateway firewall “… uses proxy servers on the gateway for access and for services like Telnet, FTP, and e-mail.”

Router-Based Firewall Usually the first line of defense Uses simple packet filtering Ideal for novice administrators Can be preconfigured by vendor for specific needs of user Can be placed between segments of a network Emphasize that the benefit with the router-based solution is its ease of setup and configuration.

Screened Host A combination of firewalls Bastion host and screening router is used Similar in concept to the dual-homed host (except for the use of a screening router) Explain what a Bastion host is and the screening router. Figure 3.5 illustrates this type of setup. Explain that packet filters work at the network layer of the OSI, and these firewall solutions can block traffic on specific ports for both incoming and outgoing traffic.

screened host firewall Image source: http://www.rvs.uni-bielefeld.de/lecture/Unix-SysAdmin/Firewalls/screenedhost.html The packet-filtering router allows only traffic destined to the bastion host. A network-level firewall

screened host firewall Image source: https://docstore.mik.ua/orelly/networking_2ndEd/fire/ch06_02.htm

screened subnet firewall The single bastion host in the screened host firewall is expanded into a subnet of bastion hosts. The subnet is called perimeter network, in which public servers (HTTP, FTP, etc) are hosted. If one of the hosts in the perimeter network is compromised, the hacker can only snoop on traffic transmitted over the subnet (but not traffic between hosts in the protected network). Communication within the protected network is therefore protected from snooping. Q: Is the perimeter network a DMZ? Source: https://docstore.mik.ua/orelly/networking_2ndEd/fire/ch06_03.htm#ch06-1910.html

screened subnet firewall Source: https://docstore.mik.ua/orelly/networking_2ndEd/fire/ch06_03.htm#ch06-1910.html

In Practice: Utmost Security Multiple firewalls Stateful packet inspecting firewall Application gateway Screened firewall routers separating each network segment Dual-perimeter firewall, packet screening on all routers, individual packet filtering firewalls on every server

In Practice: Utmost Security

Selecting and Using a Firewall Configure it properly Consider a consultant for initial setup Review logs periodically for anomalies Utilize statistics for baseline performance Outline the proper use of firewalls and how they can be used to baseline your system performance and what you would use the baseline information for.

Using Proxy Servers Prevent the outside world from gathering information about your internal network Provide valuable log information Can redirect certain traffic, based on configuration Typically runs on the firewall machine Protects against spoofing Include some of your own experiences with proxy servers and how they can benefit your security solution.

Network Address Translation (NAT) Supersedes proxy servers Translates internal IP addresses to public addresses Can explicitly map ports to internal addresses for web servers Explain that some operating systems come with this feature that can be configured separately.

Summary Firewalls and proxy servers are critical for network security solutions Many solutions are available, which vary in price and features Choose the most secure solution that the budget allows

Summary Types of Firewalls Types of Implementations Packet filter Stateful packet inspection Circuit level gateway Application gateway Types of Implementations Host-based Network host-based Router-based Dual-homed, screened host, screened subnet