Guide to Network Defense and Countermeasures, Second Edition
Chapter 9: Choosing and Designing Firewalls
Objectives
- Explain what firewalls can and cannot do
- Describe common approaches to packet filtering
- Establish a set of rules and restrictions for a firewall
- Design common firewall configurations
- Compare hardware and software firewalls
Guide to Network Defense and Countermeasures, Second Edition
An Overview of Firewalls
- Hardware or software that can be configured to block unauthorized network access
- Firewalls cannot protect against malicious insiders who send proprietary information out of the organization
- Firewalls cannot protect connections that do not go through them
What Firewalls Are
- Network firewall: a combination of multiple software and hardware components
- The earliest firewalls were packet filters
- Some firewalls are designed for consumers:
  - Norton Personal Firewall
  - ZoneAlarm
  - Sygate Personal Firewall
What Firewalls Are (continued)
- Rules for blocking traffic are defined case by case
- Actions include:
  - Allow the traffic
  - Block the traffic
  - Customize access
- Check Point Next Generation (NG) firewall: designed to protect and monitor large-scale networks
- Firewall appliances: self-contained hardware devices
What Firewalls Are Not
- Firewalls are not a standalone solution
- They cannot protect from internal threats; a strong security policy and employee education are also needed
- Firewalls must be combined with:
  - Antivirus software
  - IDS
- Open Platform for Security (OPSEC): protocol used by Check Point NG to integrate with other security products
Approaches to Packet Filtering
- Stateless packet filtering
- Stateful packet filtering
- Packet filtering depends on the position of components
Stateless Packet Filtering
- Decides whether to allow or block packets based on information in the protocol headers
- Filtering based on common IP header features:
  - IP address
  - Ports and sockets
  - ACK bits
- Intruders can get around these defenses
- Advantage: inexpensive
- Disadvantage: cumbersome to maintain
Stateful Packet Filtering (continued)
- Keeps a record of connections a host computer has made with other computers
- Maintains a file called a state table containing a record of all current connections
- Allows incoming packets to pass through only from external hosts already connected
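A constructed illustration of the state-table behaviour described above (added here; not code from the book): an outbound SYN from the trusted LAN creates a state-table entry, replies matching that entry are allowed, and an unsolicited inbound packet is blocked even though its ACK bit is set, which the header-only ACK-bit check of the previous slide would have passed. The LAN prefix and all addresses are assumed for illustration.

```python
from dataclasses import dataclass

# Constructed example (not from the book): a minimal stateful packet filter.
# The trusted LAN prefix and all addresses below are assumed for illustration.
INTERNAL_PREFIX = "10.0.0."

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # TCP control flags set on the packet, e.g. {"SYN"}

class StatefulFilter:
    def __init__(self):
        # The state table: one entry per connection opened from inside.
        self.state_table = set()   # entries are (src, sport, dst, dport)

    def inspect(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.src.startswith(INTERNAL_PREFIX):
            # Outbound: a bare SYN opens a new connection, so record it.
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.state_table.add(key)
            return "ALLOW"
        # Inbound: allowed only as a reply on a connection already in the table.
        if reverse in self.state_table:
            if pkt.flags & {"FIN", "RST"}:
                self.state_table.discard(reverse)   # connection is closing
            return "ALLOW"
        return "BLOCK"

def stateless_ack_rule(pkt: Packet) -> str:
    """The header-only approach: any inbound packet with ACK set is
    assumed to belong to an established connection."""
    if pkt.src.startswith(INTERNAL_PREFIX) or "ACK" in pkt.flags:
        return "ALLOW"
    return "BLOCK"

def demo() -> dict:
    fw = StatefulFilter()
    syn = Packet("10.0.0.5", 40000, "203.0.113.10", 80, frozenset({"SYN"}))
    reply = Packet("203.0.113.10", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"}))
    # Unsolicited inbound packet: ACK bit set, but no matching state entry.
    unsolicited = Packet("198.51.100.7", 6000, "10.0.0.5", 22, frozenset({"ACK"}))
    return {
        "outbound_syn": fw.inspect(syn),
        "reply": fw.inspect(reply),
        "unsolicited_stateful": fw.inspect(unsolicited),
        "unsolicited_stateless": stateless_ack_rule(unsolicited),
    }
```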
Stateful Packet Filtering (continued)
- Windows Firewall
  - One of the most user-friendly packet filters
  - Improved version of Internet Connection Firewall
  - Can limit the amount of traffic with more precision
  - You can even specify exceptions
  - The Advanced tab allows more complex settings
Packet Filtering Depends on Position
- The type of filtering a device can do depends on:
  - The position of the device in the firewall perimeter
  - Other hardware or software
- Packet filter placement:
  - Between the Internet and a host
  - Between a proxy server and the Internet
  - At either end of a DMZ
Creating Rules and Establishing Restrictions
- Rule base: tells the firewall what to do when a certain kind of traffic attempts to pass
- Points to consider:
  - Base it on the organization’s security policy
  - Include a firewall policy
  - Keep it as simple and short as possible
  - Restrict access to ports and subnets on the internal network from the Internet
  - Control Internet services
Base the Rule Base on Your Security Policy
- When configuring rules, pay attention to:
  - Logging and auditing
  - Tracking
  - Filtering
  - Network Address Translation (NAT)
  - Quality of Service (QoS)
  - Desktop security policy
- The rule base is a practical implementation of the organization’s policy
Base the Rule Base on Your Security Policy (continued)
- Common policies that need to be reflected in the rule base:
  - Employees have access to the Internet with restrictions
  - The public can access the company’s Web and e-mail servers
  - Only authenticated traffic can access the internal LAN
  - Employees are not allowed to use instant messaging
  - Traffic from the company’s ISP should be allowed
  - Block external traffic from instant-messaging software
  - Only the network administrator should be able to access the internal network directly from the Internet
Create a Firewall Policy That Covers Application Traffic
- An addition to the security policy that describes how the firewall handles application traffic
- Risk analysis provides a list of applications and their associated threats and vulnerabilities
- General steps to create a firewall policy:
  - Identify network applications
  - Determine methods for securing application traffic
  - Balance security and cost
  - Consider all firewalls in your network
Create a Firewall Policy That Covers Application Traffic (continued)
- Firewalls enable you to control access to your computer or network by controlling access to particular applications
- Options for defining rules:
  - Allow traffic
  - Block traffic
  - Ask or prompt
Keep the Rule Base Simple
- Keep the list of rules as short as possible: about 30 to 50 rules
- The shorter the rule base, the faster the firewall will perform
- Firewalls process rules in a particular order:
  - Usually rules are numbered starting at 1 and displayed in a grid
  - The most important rules should be at the top of the list
- Make the last rule a cleanup rule: a catch-all type of rule
Restrict Subnets, Ports, and Protocols
- Filtering by IP addresses
  - You can identify traffic by IP address range
  - Most firewalls start by blocking all traffic
  - You need to identify “trusted” networks
  - The firewall should allow traffic from trusted sources
Control Internet Services
- Web services: employees always want to surf the Internet
- DNS
  - Resolves fully qualified domain names (FQDNs) to their corresponding IP addresses
  - DNS uses UDP port 53 for name resolution
  - DNS uses TCP port 53 for zone transfers
- E-mail
  - POP3 and IMAP4
  - SMTP
  - LDAP and HTTP
Control Internet Services (continued)
- FTP
  - Types of FTP transactions:
    - Active FTP
    - Passive FTP
- Filtering by ports
  - Filters traffic based on TCP or UDP port numbers
  - Can filter a wide variety of information
Control Internet Services (continued)
- Filtering by ports: you can filter out everything but
  - TCP port 80 for Web
  - TCP port 25 for e-mail
  - TCP port 21 for FTP
Control Internet Services (continued)
- ICMP message type
  - ICMP functions as a housekeeping protocol that helps networks cope with communication problems
  - Attackers can use ICMP packets to crash a computer
- Filtering by service
  - Firewalls can filter by the name of a service, so you do not have to specify a port number
  - Firewalls can also filter by the six TCP control flags
Control Internet Services (continued)
- Filtering by service
  - Firewalls can also filter by the IP options:
    - Security
    - Loose source and record routing
    - Strict source and record routing
    - Internet timestamp
Control Internet Services (continued)
- Filtering by service
  - Rules should follow a few general practices:
    - A firewall with a “Deny All” security policy should start from a clean slate
    - Nobody can connect to the firewall except the administrator
    - Block direct access from the Internet to any computer behind the firewall
    - Permit access to public services in the DMZ
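A constructed first-match rule base that puts the four practices above into practice, with a cleanup rule last as the earlier "Keep the Rule Base Simple" slide recommends (added example, not from the book; all networks, hosts and rule names are hypothetical). Rules are evaluated top to bottom and the first match decides, so the order is part of the policy.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed example (not from the book): an ordered rule base evaluated
# top to bottom, first match wins, with a cleanup rule at the end.
# All networks, hosts and rule names are hypothetical.
@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # CIDR of permitted sources
    dst: str              # CIDR of destinations
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port, None = any port
    action: str           # "ALLOW" or "DENY"

ANY      = "0.0.0.0/0"
LAN      = "10.0.0.0/24"    # protected internal network
ADMIN    = "10.0.0.10/32"   # the administrator's workstation
FIREWALL = "192.0.2.1/32"   # the firewall's own address
DMZ_WEB  = "192.0.2.10/32"  # public Web server in the DMZ
DMZ_MAIL = "192.0.2.11/32"  # public mail server in the DMZ

RULE_BASE = [
    Rule("admin-to-firewall", ADMIN, FIREWALL, "tcp", 22, "ALLOW"),
    Rule("stealth", ANY, FIREWALL, "any", None, "DENY"),  # nobody else reaches the firewall
    Rule("public-web", ANY, DMZ_WEB, "tcp", 80, "ALLOW"),
    Rule("public-mail", ANY, DMZ_MAIL, "tcp", 25, "ALLOW"),
    Rule("lan-dns", LAN, ANY, "udp", 53, "ALLOW"),
    Rule("lan-web", LAN, ANY, "tcp", 80, "ALLOW"),
    Rule("no-direct-access-to-lan", ANY, LAN, "any", None, "DENY"),
    Rule("cleanup", ANY, ANY, "any", None, "DENY"),       # catch-all, always last
]

def matches(rule: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and rule.dport in (None, dport))

def evaluate(src: str, dst: str, proto: str, dport: int, rule_base=RULE_BASE):
    """Return (action, rule name) of the first rule that matches the packet."""
    for rule in rule_base:
        if matches(rule, src, dst, proto, dport):
            return rule.action, rule.name
    return "DENY", "implicit"   # only reached if the cleanup rule is removed
```

Moving the cleanup rule to the top denies everything, and placing the stealth rule above admin-to-firewall locks the administrator out, which is why the most specific rules belong at the top.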
Designing Firewall Configurations
- Firewalls can be deployed in several ways:
  - As part of a screening router
  - Dual-homed host
  - Screened host
  - Screened subnet DMZ
  - Multiple DMZs
  - Multiple firewalls
  - Reverse firewall
Screening Router
- Determines whether to allow or deny packets based on their source and destination IP addresses or other information in their headers
- Does not stop many attacks, especially those that use spoofed or manipulated IP address information
- Should be combined with a firewall or proxy server for additional protection
Dual-Homed Host
- A computer that has been configured with more than one network interface
- Only the firewall software can forward packets from one interface to another
- Provides limited security: the host serves as a single point of entry to the organization
Screened Host
- Similar to a dual-homed host
- A router can be added between the host and the Internet to carry out IP packet filtering
- Combines a dual-homed host and a screening router
- Can function as a gateway or proxy server
Screened Subnet DMZ
- DMZ: a subnet of publicly accessible servers placed outside the internal LAN
  - Also called a “service network” or “perimeter network”
- The firewall that protects the DMZ is connected to both the Internet and the LAN
  - Called a three-pronged firewall
Multiple DMZ/Firewall Configurations
- Server farm: a group of servers connected in their own subnet
  - They work together to receive requests with the help of load-balancing software
- Load-balancing software prioritizes and schedules requests and distributes them to the servers
- Clusters of servers in DMZs help protect the network from becoming overloaded
- Each server farm/DMZ can be protected with its own firewall or packet filter
Multiple Firewall Configurations
- Protecting a DMZ with two or more firewalls
  - One firewall controls traffic between the DMZ and the Internet
  - A second firewall controls traffic between the protected LAN and the DMZ
  - It can also serve as a failover firewall
- Advantage: you can control where traffic goes in the three networks you are dealing with
Multiple Firewall Configurations (continued)
- Protecting branch offices with multiple firewalls
  - Multiple firewalls can implement a single security policy
  - The central office has a centralized firewall that directs traffic for the branch offices and their firewalls
  - The security policy is deployed through this firewall using a security workstation
Reverse Firewall
- Monitors connections headed out of a network instead of trying to block what’s coming in
- Helps monitor connection attempts out of a network that originate from internal users
- Filters out unauthorized attempts
Comparing Software and Hardware Firewalls
- Software-based firewalls
- Hardware-based firewalls
- Hybrid firewalls
Software-Based Firewalls
- Free firewall programs
  - They are not perfect
  - Logging capabilities are not as robust as in some commercial products
  - Configuration can be difficult
- Popular free firewall programs:
  - Netfilter
  - ZoneAlarm
  - Sygate Personal Firewall
Software-Based Firewalls (continued)
- Commercial firewall programs: personal firewalls
  - Located between the Ethernet adapter driver and the TCP/IP stack
  - Inspect traffic going between the driver and the stack
  - Popular choices:
    - Norton Personal Firewall
    - ZoneAlarm Pro
    - BlackICE PC Protection
    - Sygate Personal Firewall Pro
  - Considered “lightweight” in terms of protection
Software-Based Firewalls (continued)
- Commercial firewall programs: enterprise firewalls
  - Include a centralized management option
  - Capable of installing multiple instances from a centralized location
  - Some examples include:
    - PGP Desktop 9.0
    - Check Point NG
    - Proventia security products
    - Novell’s BorderManager
Hardware Firewalls
- Advantages
  - Do not depend on conventional OSs
  - Generally more scalable than software firewalls
- Disadvantages
  - They do depend on nonconventional OSs
  - Tend to be more expensive than software products
Hybrid Firewalls
- Combine aspects of hardware and software firewalls
- Benefit from the strengths of both solutions
Summary
- Firewall: hardware or software that blocks unauthorized network access
- Firewalls are not a standalone solution; combine them with antivirus software and IDSs
- Firewalls are effective only if configured correctly
- You can use several different firewall configurations to protect a network