Firewall Planning and Design
Firewalls are a vital part of your business defense, designed to enable authorized traffic to pass through and block unauthorized traffic, preventing business threats.
Without proper deployment and implementation, however, they bring relatively small value. Firewall are imperfect and only work when they are part of a Defense in Depth (DiD) network security approach.
Background, Firewalls In General
In general, a firewall is anything, whether hardware or software (or a combination of hardware and software), that can filter the transmission of packets of digital information as they attempt to pass through a boundary of a network. Firewalls perform two basic security functions:
Packet filtering: First and foremost, a firewall must be able to determine whether to allow or deny the passage of packets of digital information, based on established security policy rules.
Application proxy: In some cases, a firewall may provide network services to users while shielding individual host computers. This is done by breaking the IP flow (which is the traffic into and out of the network) between the network being protected and the network outside.
Firewall Security Features
Firewall User Protection
For a single home user who regularly surfs the Web and uses e-mail and instant messaging, a firewall’s primary job is to keep viruses from infecting files and prevent Trojan horses from entering the system and installing hidden openings called back doors, which can be used for access at a later time.
Firewall Network Perimeter Security
A firewall is often said to provide “perimeter security” because it sits on the outer boundary, or perimeter, of a network. The network boundary is the point at which one network connects to another.
If you have an extranet, an extended network that combines two or more LANs, the location of the “perimeter” becomes unclear. If you maintain a VPN with a supplier or business partner, the VPN should have its own perimeter firewall because your network boundary technically extends to the end of the VPN. Note that locating the firewall at the perimeter has one obvious benefit: it enables you to set up a checkpoint where you can block “bad things” like viruses and infected e-mail messages before they get inside. Another benefit is that a firewall enables you to log passing traffic, protecting the whole network at the same time. If an attack does occur, having a security subnet at the perimeter can minimize the damage.
A firewall can contain many components, including:
- Packet filter
- Proxy server
- Authentication system
- Software that performs Network Address Translation (NAT)
Many firewalls make use of a bastion host, a machine that has no unnecessary services. A network that needs to connect to the Internet might have been a bastion host and a service network. Together, they are the only part of the organization exposed to the Internet.
Firewall Security Tasks
A firewall that does packet filtering addresses the tendency of hackers to open an attack by scanning for network addresses and open ports. (A port is a virtual gateway on a computer through which a particular type of data is allowed to pass. Each port is assigned a number between 0 and 65,535). Initially, a hacker uses special software to scan a series of addresses, attempting to connect to a computer on each one. If any computer answers, it gives the hacker a target. Any gateway or router acting as a packet filter on your network or in your firewall should be configured to reject connection requests from computers that are not on your network.
Note that a port number combined with a computer’s IP address constitutes a network connection called a socket. Software that is commonly used by hackers attempts to identify sockets that respond to connection requests. The sockets that respond can be targeted to see if they have been left open or if they have security vulnerabilities that can be exploited. Some protocol examples include:
- Simple Mail Transport Protocol (SMTP) listens on port 25
- Post Office Protocol, version 3 (POP3) listens for incoming mail on port 110
- Hypertext Transport Protocol (HTTP) Web services use port 80
Restricting Access from Outside the Network
The most obvious goal of a firewall is to regulate which packets of information can enter the network. To do so, a firewall examines each packet to determine whether it meets the necessary “authorized” criteria. The criteria might be protocols or IP addresses on an “approved” list. Anything not on the list is excluded.
Restricting Unauthorized Access from Inside the Network
In some ways, it is relatively easy to protect a network from the Internet but more difficult to protect it from an inside attack. You should be aware of the following possibilities:
- Virus-infected thumb drive
- People using direct access to office computers from home using remote access software that bypasses the perimeter firewall
- Social engineering
- Poorly trained firewall administrators
- Employees who receive e-mail messages with executable attachments
Limiting Access to External Hosts
Firewalls can selectively permit traffic to go from inside the network to the Internet or other networks to provide more precise control of how employees inside the network use external resources. In other words, the firewall can act as a proxy server that makes high-level application connections on behalf of internal hosts and other machines. A single firewall product can provide both outbound packet filtering and outbound proxy services.
Protecting Critical Resources
Attacks on critical resources are becoming all too common. Worms are one type of attack. They “worm” their way into a computer in an e-mail attachment or a downloaded file, where they then replicate themselves. They are only slightly different than viruses, which also worm their way into a computer but then do much more destructive behavior than just replication. Trojan horses are similar to viruses; they contain malicious code that is hidden inside supposed harmless programs. Distributed Denial of Service (DDoS) attacks are just as harmful. They are caused when a hacker floods a server with requests, shutting down the server and making Web sites and networks that depend on that server unreachable.
Protecting Against Hacking
Hacking, in general, is the practice of infiltrating computers or networks to steal data, cause harm, or simply claim credit for getting inside. The impacts of this type of attack include:
A firewall centralizes security for the organization it protects. It simplifies the security-related activities of the network administrator, who typically has many other responsibilities. Having a firewall on the perimeter gives the network administrator a single location from which to configure security policies and monitor arriving and departing traffic.
Every firewall should be configured to provide information to the network administrator in the form of log files. These log files record attempted intrusions and other suspicious activity, as well as mundane events like legitimate file accesses, unsuccessful connection attempts, and the like.
Providing for Authentication
Authentication is the process of logging into a server with a username and a password before being allowed access to protected information. Only users who have registered their username and password are recognized by the server and allowed to enter. The authentication process can also be performed at the firewall and can make use of encryption to protect the usernames and passwords transmitted from client to server (or client to firewall).
Contributing to a VPN
A firewall is an ideal endpoint for a VPN, which connects two companies’ networks over the Internet. A VPN is one of the safest ways to exchange information online.
Types of Firewall Protection
Some examples of firewall functions and the corresponding layers at which they operate include:
Packet filters are an effective element in any perimeter security setup. In addition, they have the advantage of not taking up bandwidth, or the capacity of network cables to convey information, the way proxy servers do.
A packet, which is sometimes called a datagram, contains two types of information: the header and the data. Packet filters use packet headers to decide whether to block the packet or allow it to pass through a firewall. Note that your job as a system administrator would be to configure the firewall to deny all packets that arrive from outside but contain a source IP address that seems to be coming from within the network.
Stateless Packet-Filtering Firewalls
Stateless inspection, also called stateless packet filtering, is firewall packet inspection that ignores the state of the connection between the internal computer and the external computer. A firewall that conducts stateless packet filtering simply blocks or allows a packet based on the information in the header.
Stateful Packet-Filtering Firewalls
Stateful inspection, also called stateful packet filtering, is an examination of the data contained in a packet as well as the state of the connection between internal and external computers. This information, known as the state table, is kept in a memory location called the cache. Stateful inspection is superior to stateless inspection because it uses the connection state to make decisions on whether to allow the traffic
- Some of the most general packet-filtering rules include:
- Any outbound packet must have a source address that is on your internal network.
- Any outbound packet must not have a destination address that is on your internal network.
- Any inbound packet must not have a source address that is on your internal network.
- Any inbound packet must have a destination address that is on your internal network.
- Any packet that enters or leaves your network must have a source or destination address that falls within the range of addresses in your network.
Filter rules can affect the transmission of packets. These rules include the use of the following:
- Internet Control Message Protocol (ICMP)
- User Datagram Protocol (UDP)
- TCP filtering
- IP filtering
PAT and NAT
Each computer on the network is assigned an IP address. If that address is static, it is relatively easy for a hacker to find it and gain access to the computer more than once. With a static, reliable IP address, a hacker can use a computer as a staging area for launching long, sustained attacks.
Port Address Translation (PAT) and Network Address Translation (NAT) are addressing methods that make internal network addresses invisible to outside computers. PAT and NAT hide the TCP/IP information of hosts in the network being protected to prevent attackers from getting the address of an actual host on your internal network.
PAT and NAT function as a Network-level proxy; the proxy acts as a single host that makes requests on behalf of all internal hosts on the network. NAT hides the identity of hosts from anyone outside of the network by converting the IP address of internal hosts to the IP address of the firewall. To someone on the Internet or outside network, it seems like all information is coming from a single computer.
Application Layer Gateways
Another type of firewall protection is the Application layer gateway, also known as a proxy server. This type of gateway works at the Application layer, the top layer of the OSI model of network communications.
A complete overview of firewalls and what they do would not be complete without mentioning the following security techniques:
- Load balancing
- IP address mapping
- Filtering content
- URL filtering
Firewalls can be categorized by processing mode, generation, or structure. Firewalls categorized by level of technology are identified by generation, with the later generations being more complex and more recently developed. Firewalls categorized by intended structure are typically divided into categories including residential-, or commercial-grade, hardware-based, software-based, or appliance-based devices.
The processing modes are packet filtering, application gateways, circuit gateways, MAC layer firewalls, and hybrids.
Packet-filtering firewalls examine the header information of data packets that come from a network. The restrictions most commonly implemented are based on a combination of:
- Internet Protocol (IP) source and destination address
- Direction (inbound or outbound)
- Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source and destination port requests
Simple firewall models examine one aspect of the packet header: the destination and source address. They enforce address restrictions, rules designed to prohibit packets with certain addresses or partial addresses from passing through the device.
They accomplish this through access control lists (ACLs), which are created and modified by the firewall administrators. There are three subsets of packet-filtering firewalls:
- Static filtering
- Dynamic filtering
- Stateful inspection
Static filtering requires that the filtering rules governing how the firewall decides which packets are allowed and which are denied are developed and installed.
Dynamic filtering allows the firewall to react to an emergent event and update or create rules to deal with the event.
While static filtering firewalls allow entire sets of one type of packet to enter in response to authorized requests, the dynamic packet-filtering firewall allows only a packet with a source, destination, and port address to enter through the firewall.
Stateful inspection firewalls, or stateful firewalls, keep track of each network connection between internal and external systems using a state table, which tracks the state and context of each packet in the conversation by recording which station sent which packet and when.
Whereas simple packet-filtering firewalls only allow or deny certain packets based on their address, a stateful firewall can block incoming packets that are not responses to internal requests.
Primary Disadvantage: this type of firewall requires is the additional processing to manage and verify packets against the state table, which can leave the system vulnerable to a DoS or DDoS attack.
The application gateway, also known as an application-level firewall or application firewall, is frequently installed on a dedicated computer, separate from the filtering router, but is commonly used in conjunction with a filtering router. The application firewall is also known as a proxy server since it runs special software that acts as a proxy for a service request.
Since the proxy server is often placed in an unsecured area of the network or in the DMZ, it—rather than the Web server—is exposed to the higher levels of risk from the less trusted networks.
Additional filtering routers can be implemented behind the proxy server, limiting access to the more secure internal system and thereby further protecting internal systems.
The circuit gateway firewall operates at the transport layer. Connections are authorized based on addresses. Like filtering firewalls, circuit gateway firewalls do not usually look at data traffic flowing between one network and another, but they do prevent direct connections between one network and another.
They accomplish this by creating tunnels that connect specific processes or systems on each side of the firewall and then allowing only authorized traffic, such as a specific type of TCP connection for only authorized users, in these tunnels.
MAC Layer Firewalls
While not as well known or widely referenced as the firewall approaches above, MAC layer firewalls are designed to operate at the media access control layer of the OSI network model. This gives these firewalls the ability to consider the specific host computer’s identity in its filtering decisions.
Using this approach, the MAC addresses of specific host computers are linked to ACL entries that identify the specific types of packets that can be sent to each host, and all other traffic is blocked.
Hybrid firewalls combine the elements of other types of firewalls—that is, the elements of packet filtering and proxy services or of packet filtering and circuit gateways.
Alternately, a hybrid firewall system can consist of two separate firewall devices; each is a separate firewall system, but they are connected so that they work in tandem.
Firewalls Categorized by Generation
- First-generation firewalls are static packet-filtering firewalls; that is, they are simple networking devices that filter packets per their headers as the packets travel to and from the organization’s networks.
- Second-generation firewalls are application-level firewalls or proxy servers; that is, they are dedicated systems that are separate from the filtering router and that provide intermediate services for requestors.
- Third-generation firewalls are stateful inspection firewalls, which monitor network connections between internal and external systems using state tables.
- Fourth-generation firewalls are dynamic packet-filtering firewalls and allow only a packet with a source, destination, and port address to enter.
- Fifth-generation firewalls are the kernel proxy, a specialized form that works under the Windows NT Executive, which is the kernel of Windows NT.
- Firewall appliances are stand-alone, self-contained systems that frequently have many of the features of a general-purpose computer with the addition of firmware-based instructions that increase their reliability and performance and minimize the likelihood of their being compromised.
- A commercial-grade firewall system consists of firewall application software running on a general-purpose computer. Organizations can install firewall software on an existing general-purpose computer system, or they can purchase hardware that has been configured to the specifications that yield optimum performance for the firewall software.
- SOHO and residential-grade firewall devices, also known as broadband gateways or DSL/cable modem routers, connect the user’s local area network or a specific computer system to the Internetworking device. The SOHO firewall serves first as a stateful firewall to enable inside-to-outside access, and it can be configured to allow limited TCP/IP port forwarding and/or screened subnet capabilities.
- Residential-grade firewall software is installed directly on the user’s system. Some of these applications combine firewall services with other protections such as antivirus or intrusion detection. There are limits to the level of configurability and protection that software firewalls can provide.
Each of the firewall devices noted earlier can be configured in a number of network connection architectures. The firewall configuration that works best for an organization depends on three factors: the objectives of the network, the organization’s ability to develop and implement the architectures, and the budget available for the function.
Although literally hundreds of variations exist, there are four common architectural implementations of firewalls:
- Packet-filtering routers
- Screened host firewalls
- Dual-homed host firewalls
- Screened subnet firewalls
Most organizations with an Internet connection have a router as the interface to the Internet at the perimeter between the organization’s internal networks and the external service provider. Many of these routers can be configured to reject packets that the organization does not allow into the network.
The drawbacks to this type of system include a lack of auditing and strong authentication and the fact that the complexity of the access control lists used to filter the packets can grow and degrade network performance.
Screened Host Firewalls
This architecture combines the packet-filtering router with a separate, dedicated firewall, such as an application proxy server, allowing the router to prescreen packets to minimize the network traffic and load on the internal proxy.
The application proxy examines an application layer protocol and performs the proxy services. This separate host is often referred to as a bastion host or sacrificial host; it can be a rich target for external attacks and should be thoroughly secured.
Dual-Homed Host Firewalls
With this approach, the bastion host contains two NICs. One NIC is connected to the external network, and one is connected to the internal network, providing an additional layer of protection. With two NICs, all traffic must go through the firewall to move between the internal and external networks.
Implementation of this architecture often makes use of NAT. NAT is a method of mapping assigned IP addresses to special ranges of non-routable internal IP addresses, thereby creating yet another barrier to intrusion from external attackers.
Screened Subnet Firewalls (with DMZ)
The dominant architecture used today, the screened subnet firewall provides a DMZ. The DMZ can be a dedicated port on the firewall device linking a single bastion host, or it can be connected to a screened subnet.
A common arrangement finds the subnet firewall consisting of two or more internal bastion hosts behind a packet-filtering router, with each host protecting the trusted network:
- Connections from the outside or untrusted network are routed through an external filtering router.
- Connections from the outside or untrusted network are routed into—and then out of—a routing firewall to the separate network segment known as the DMZ.
- Connections into the trusted internal network are allowed only from the DMZ bastion host servers.
The screened subnet is an entire network segment that performs two functions:
- It protects the DMZ systems and information from outside threats by providing a network of intermediate security.
- It protects the internal networks by limiting how external connections can gain access to internal systems.
DMZs can also create extranets, segments of the DMZ where additional authentication and authorization controls are put in place to provide services that are not available to the public.
Limitations of Firewalls
Firewalls should not be the only form of protection for a network. They should be part of an overall security plan and should be used in conjunction with other forms of protection, including ID cards, passwords, and employee rules of conduct.
Okay, are you ready to take a test? Try Security Concepts Quiz 1.