FIREWALL

INDEX

INTRODUCTION
WHAT A FIREWALL DOES
HOW DOES A FIREWALL PROTECT?
TYPES OF FIREWALL
  PACKET FILTER
  APPLICATION PROXIES
  STATEFUL INSPECTION
HOLES AND INCOMING TRAFFIC
THE DEMILITARISED ZONE (DMZ)
FIREWALL ARCHITECTURE
  BASIC FILTER ARCHITECTURE (SCREENING ROUTER)
  DUAL HOMED FIREWALL ARCHITECTURE
  SCREENED HOST ARCHITECTURE
  SCREENED SUBNET (OR DMZ) ARCHITECTURE
  INVISIBLE FILTER ARCHITECTURE
ENCRYPTING FIREWALLS / TUNNELS

INTRODUCTION

Computer networks are generally designed to do one thing above all others: allow any computer connected to the network to freely exchange information with any other computer connected to the same network. In an ideal world this is a perfect way for a network to operate, facilitating universal communication between connected systems. Individual computers are then free to decide who they want to communicate with, what information they want to allow access to and which services they will make available. This way of operating is called "host based security", because the individual computers, or hosts, implement the security mechanisms.

In practice, individual computers on, say, an office network are not terribly good at defining and securely enforcing a consistent security policy. They run very complex, and therefore inherently error-prone, software systems, and it is very difficult to ensure that they are consistently kept secure, much less that their users follow basic advice such as choosing hard-to-guess passwords. This situation may be adequate where the individual users on a network share a similar level of trust, so that there is little chance of or motive for a user to subvert host security, such as a small company network where everyone with physical access is trusted (e.g. employees).
Once that network is connected to other networks where the same trust relationships simply do not exist, other mechanisms need to be put in place to provide adequate security by protecting resources on the trusted network from potential access by attackers on the untrusted part of the network. This is done by partially breaking connectivity at the network level, so that nodes on the trusted and untrusted parts of the network can no longer exchange information in an unfettered way. The device which does this is called a "Firewall", by reference to the analogue in American automobile engineering, where the firewall is a thick steel plate barrier between the engine and passenger compartments which prevents a fire in the former spreading to the latter. I suppose that if this particular piece of technology had been invented on the English side of the Atlantic, it would have been called a "bulkhead" instead!

A firewall is a system or group of systems that enforces an access control policy between two networks. The actual means by which this is accomplished varies widely, but in principle the firewall can be thought of as a pair of mechanisms: one which exists to block traffic, and the other which exists to permit traffic. Some firewalls place a greater emphasis on blocking traffic, while others emphasize permitting traffic. Probably the most important thing to recognize about a firewall is that it implements an access control policy. If you don't have a good idea of what kind of access you want to allow or to deny, a firewall really won't help you. It is also important to recognize that the firewall's configuration, because it is a mechanism for enforcing policy, imposes its policy on everything behind it. Administrators of firewalls managing the connectivity for a large number of hosts therefore carry a heavy responsibility.
WHAT A FIREWALL DOES

A firewall is simply a program or hardware device that filters the information coming through the Internet connection into your private network or computer system. If an incoming packet of information is flagged by the filters, it is not allowed through. A firewall disrupts free communication between trusted and untrusted networks, attempting to manage the information flow and restrict dangerous free access. There are numerous mechanisms employed to do this, each one lying somewhere between completely preventing packets from flowing, which would be equivalent to completely disconnected networks, and allowing free exchange of data, which would be equivalent to having no firewall.

HOW DOES A FIREWALL PROTECT?

A firewall normally includes mechanisms for protection at the following layers:

- Network Layer: IP packets are sanitized (source routing disabled, only packets with valid external addresses allowed) and routed according to predefined rules. Some firewalls allow translation of internal IP addresses to valid Internet IP addresses (NAT, Network Address Translation); others replace all internal addresses with the firewall's own address, meaning internal hosts cannot be addressed from outside.
- Transport Layer: Access to TCP and UDP ports can be granted or blocked depending on the IP addresses of both sender and receiver. This allows access control for many TCP services, but does not work at all for others (e.g. X11, ftp, portmapper services).
- Application Layer: Proxy servers (also called application gateways) accept requests for a particular application and either forward the request to the final destination or block it. Ideally proxies should be transparent to the end user. Proxies are stripped-down, reliable versions of standard applications with access control and forwarding built in.
- Encryption: A firewall may use encryption to provide confidentiality, to authenticate or to improve integrity.
When encryption is used for confidentiality (often called VPNs, Virtual Private Networks), there are two general cases:

1. Encryption is performed by the firewall, i.e. it is the endpoint of a VPN. The firewall can then understand and filter the actual protocol used within the VPN and provide intelligent logging.
2. Encryption is performed by a host inside the firewall (end-to-end encryption). The firewall sees an encrypted stream but cannot understand it. This is useful if you don't trust the firewall administrator, but not so useful if you want to filter the protocols within the VPN. The VPN becomes a point of entry for an attacker that the firewall administrator cannot detect. Therefore the VPN end-point inside the firewall must be VERY well configured and monitored, and use firewall mechanisms such as strong authentication.

Depth of defence: A firewall should also include redundant security barriers, so that a single point of failure cannot compromise the network. The firewall should be as invisible as possible to users (who could weaken security) and to the network (making it difficult to attack).

Reliability: Redundant routing, clusters, RAID, cold standbys etc. can all be used to provide varying levels of availability. The reliability of service required should be specified before a firewall is designed.

TYPES OF FIREWALL

There are a number of different techniques which may be employed by a firewall in order to correctly identify a conversation and act on it. The techniques used by a particular firewall affect the accuracy with which it can identify traffic and the sophistication of the checks it can implement, but also its complexity, and therefore its cost and the likelihood that it incorporates bugs.

PACKET FILTER

Packets (small chunks of data) are analyzed against a set of filters. Packets that make it through the filters are sent to the requesting system and all others are discarded.
The network level operations corresponding to the security policy above are in fact an example of a simple packet filter. A firewall implementing a packet filter looks at one packet at a time and considers it in isolation in order to make a forwarding decision. Because of the way a packet filtering firewall works, it can implement only a restricted range of filtering decisions.

APPLICATION PROXIES

Another mechanism for controlling risks when internal servers must allow connections from the Internet is to use a technique called Application Proxies on a single external firewall. Information from the Internet is retrieved by the firewall and then sent to the requesting system, and vice versa. These work by terminating the external connection at a special service within the firewall. As the name suggests, this service acts as a proxy for the real server, implementing the application protocol in the same way as the real server running on the internal network. It forms a connection to the internal server, passing on only those application protocol elements that pass its strict checks of correctness. This way, most mechanisms for subverting the internal application server are blocked.

Using an application proxy is not without difficulty, as their complexity tends to mean that they need to be implemented on firewalls which are significantly more powerful than the relatively simple systems used for basic packet filters. This, and the fact that such firewalls are typically sold to "Enterprise" customers, means that their cost is often uneconomic for small businesses. Application proxy firewalls also tend to require frequent software updates to ensure that they are running the latest versions of the proxy code.
This occurs both when new exploits are identified which need to be blocked, and when problems occur in interactions between the proxy and widely deployed applications (in other words, when the proxy is actually breaking an otherwise working connection due to over-strict or even erroneous checking).

STATEFUL INSPECTION

A newer method that doesn't examine the contents of each packet but instead compares certain key parts of the packet to a database of trusted information. Information traveling from inside the firewall to the outside is monitored for specific defining characteristics, and incoming information is then compared to these characteristics. If the comparison yields a reasonable match, the information is allowed through. Otherwise it is discarded.

Stateful inspection takes the basic principles of packet filtering and adds the concept of history, so that the firewall considers each packet in the context of previous packets. This has a number of advantages over simpler packet filtering:

- It is possible to build up firewall rules for protocols which cannot be properly controlled by packet filtering.
- More complete control of traffic is possible.

Equally, there are some disadvantages to a stateful inspection solution: the implementation is necessarily more complex and therefore more likely to be buggy. It also requires a device with more memory and a more powerful CPU for a given traffic load, as information has to be stored about each and every traffic flow seen over a period of time.

HOLES AND INCOMING TRAFFIC

An example of the kind of hole which is typically opened up in a firewall is that necessary for mail delivery. On the Internet, a protocol called SMTP is used to deliver mail between mail servers. This works, in effect, by the mail sender's machine connecting to the mail recipient's server and pushing the e-mail.
In order to accept mail from the Internet onto a local mail server it is usual to open up a hole which allows any server to connect to the local mail server. This is often justified with the argument that it is only a small hole to one specific service on one specific host, and that the rest of the internal network is still fully protected by the firewall's "outbound only" rule. Unfortunately, what this does is open up the internal mail server to any attack that is possible against the software installed on it, and if that software is at all complex, there will be many potential attacks. As an example, a search on Bugtraq (an industry source of application vulnerability data) against a popular mail server, Microsoft Exchange, showed that 4 major vulnerabilities had been discovered just between March and July 2002. Today these vulnerabilities have increased to a much greater extent and continue to increase. Many of these vulnerabilities would have allowed a remote hacker not only to gain unauthorized access to the server itself, but also to then use it as a launch point to attack any other system on the network, just as if the firewall wasn't there.

NO HOLES: THE DEMILITARISED ZONE

The classic solution to the problem of opening up holes in the network perimeter to allow access to services is the Demilitarised Zone or DMZ. Named after the buffer zone between opposing forces in a military peacekeeping scenario, the DMZ is a special separate network of servers to which external untrusted hosts have access, but which has no access to the internal network. Large enterprise Internet access and firewall systems always incorporate at least one level of DMZ, as this is seen as essential to preventing the vulnerabilities described above, which are inherent in opening up holes in the firewall onto the internal network. The issue with this solution for the medium sized or smaller enterprise is one of cost.
A typical DMZ solution requires at least three devices: the external firewall, the internal firewall, and the DMZ server machine. This of course means three times the cost, which may not be feasible or proportionate for a small organisation wishing to secure its ADSL Internet connection.

FIREWALL ARCHITECTURE

There are many possible ways to set up a firewall. Here the principal methods are shown. The choice of firewall depends on cost, performance, availability needs and the sensitivity of the information being protected by the firewall. Highly secure, high performance, high availability systems are not cheap. If high availability is important, it could double costs.

BASIC FILTER ARCHITECTURE (SCREENING ROUTER)

The cheapest (and least secure) setup involves using a router (which can filter inbound and outbound packets on each interface) to screen access to one (or more) internal servers. A router is normally needed anyway to connect to the Internet, so the filter comes for free. This server is the starting point for all outside connections. Internal clients who wish to access the outside do so via this screened server.

ADVANTAGES

- Transparent, simple.
- Cheapest solution, lowest security.
- The router could be replaced by an intelligent filter, providing fine grained access control, protection against IP spoofing and logging (although such logging is at a low level, making it difficult to interpret).

DISADVANTAGES

- Complex filtering rules (and hence error prone) are required on the router.
- Fine grained access control is near impossible.
- Since most routers cannot do logging, little is known about possible attacks.
- The screening router can be easily modified to allow other internal hosts to access the outside. This is a bad thing, as it can soon get out of hand (too many hosts, too many complex rules, difficult to verify).
- Some (old) routers do not correctly screen source routed packets.
- Routers cannot add authentication.
- Difficult to hide internal structure.
- Only one barrier.

This architecture is not recommended, except where finance is a severe problem (even then, is it really worth the risk?). As an improvement, an "intelligent filter" (see below) could be used to replace the router filter.

DUAL HOMED FIREWALL ARCHITECTURE

In this classical firewall architecture, a host is set up with two network interfaces, one connected to the outside and one to the inside. Packet forwarding is disabled on the gateway; information is passed at the application level. The gateway can be reached from both sides, but traffic cannot flow directly across it. Normally a router is also needed for the Internet connection.

ADVANTAGES

- The simple architecture is easy enough to verify, but requires careful configuration of the gateway.
- Can hide the internal network.
- Cheap, but depth of defence (2 barriers) and diversity of defence are weak. May be enough for small sites using basic outgoing services (HTTP, telnet, ftp).
- As with the previous example, an intelligent filter rather than a filtering router can improve security.
- Internet servers (WWW, ftp) would normally be placed on a third network.

DISADVANTAGES

- Since the dual homed host cannot forward packets, a proxy must exist for all services that traverse the gateway (unless the gateway also has a packet filter). Not all services can be proxied, and those that can require user input or configuration.
- Firewall performance is limited to the performance of one machine.

SCREENED HOST ARCHITECTURE

This variation of the Basic Filter involves the use of two filters, the additional filter being placed between the screened host and its clients. The "protected" host is known as a Bastion Host.

ADVANTAGES

- Filtering rules are simpler than in the Basic Filter architecture: the external router only allows traffic between the bastion host and the outside, and the internal router only allows traffic between the bastion host and the inside.
- Security is also improved (more barriers, greater depth of defence).
- If two different routers are used, diversity of defence is improved, at the cost of complexity.
- Internet servers (WWW, ftp) would normally be placed on the outside without any access to the internal network.
- Relatively cheap solution.

DISADVANTAGES

- Costs are higher.
- Routers cannot do logging, so little is known about possible attacks at the packet level.
- Routers can't do "intelligent" filtering of dual port protocols such as FTP.

This architecture may be a solution for small sites with tight finances, or for simple outgoing services.

SCREENED SUBNET (OR DMZ) ARCHITECTURE

This architecture is an extension of the screened host architecture. The classical firewall setup is a packet filter between the outside and a "semi-secure" or De-Militarised Zone (DMZ) subnet where the proxies lie (this allows the outside only restricted access to services in the DMZ). The DMZ is further separated from the internal network by another packet filter which only allows connections to/from the proxies. The filters specified above are "intelligent" with logging. All incoming and outgoing services between the Internet and the internal networks pass via proxy servers in the DMZ.

The DMZ can be a single switched LAN, or two switched LANs with dual homed bastion hosts between them. The latter is more secure, since only proxied connections will be allowed through, and it protects against a software error in the filters. Direct inside <-> outside socket connections are no longer possible, unless an extra filter is added on the default route in place of a bastion.

Modular and flexible. Depth and diversity of defence (but also cost and complexity) are higher than in the previous solution. For maximum diversity of defence, two different firewall products should be used for the "packet filters" described above. For very high availability, the DMZ with front and back end filters can be duplicated and hooked together by routers (2 on the inside and 2 on the outside) that support redundant routing.
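The stateful inspection mechanism described earlier (outbound connections are remembered, and only matching replies are let back in) and the two-filter screened subnet described above, combined in an added Python model that is not part of the original text. The addresses, the single mail relay standing in for the DMZ proxies, the port-25 holes and the packet sequence are all constructed assumptions for the demonstration.

```python
# Added example (not from the original text): a toy stateful packet filter used
# twice to model the screened subnet. All addresses and packets are constructed.
from collections import namedtuple

# syn=True marks the packet that opens a TCP connection.
Packet = namedtuple("Packet", "src sport dst dport syn", defaults=(False,))

class StatefulFilter:
    """Permits connections opened from the protected side and their replies;
    unsolicited inbound traffic is dropped unless an explicit hole lists it."""

    def __init__(self, inside, holes):
        self.inside = set(inside)   # addresses on the protected side
        self.holes = set(holes)     # (src or "*", dst, dport) opened inbound
        self.flows = set()          # (src, sport, dst, dport) seen outbound

    def decide(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if p.src in self.inside and p.dst not in self.inside:   # outbound
            if p.syn:
                self.flows.add(key)   # remember the new connection
                return "ACCEPT"
            return "ACCEPT" if key in self.flows else "DROP"
        if (p.dst, p.dport, p.src, p.sport) in self.flows:      # reply to tracked flow
            return "ACCEPT"
        if p.syn and ((p.src, p.dst, p.dport) in self.holes
                      or ("*", p.dst, p.dport) in self.holes):  # explicit hole
            return "ACCEPT"
        return "DROP"   # default for unsolicited inbound traffic

# Constructed addresses: Internet host, DMZ mail relay (proxy), internal hosts.
INTERNET, RELAY = "203.0.113.7", "192.0.2.25"
INTERNAL_MAIL, DESKTOP = "10.0.0.25", "10.0.0.50"
DMZ, INTERNAL = {RELAY}, {INTERNAL_MAIL, DESKTOP}

def screened_subnet():
    """External filter: the Internet may only open port 25 on the relay.
    Internal filter: only the relay may open port 25 on the internal mail server."""
    external = StatefulFilter(DMZ | INTERNAL, {("*", RELAY, 25)})
    internal = StatefulFilter(INTERNAL, {(RELAY, INTERNAL_MAIL, 25)})
    return external, internal

def verdict(p, external, internal):
    """Run the packet through every filter on its path, in traversal order."""
    path = []
    if (p.src in INTERNAL) != (p.dst in INTERNAL):
        path.append(internal)
    if (p.src in DMZ | INTERNAL) != (p.dst in DMZ | INTERNAL):
        path.append(external)
    if p.src not in INTERNAL:   # arriving from outside: external filter first
        path.reverse()
    return "DROP" if any(f.decide(p) == "DROP" for f in path) else "ACCEPT"

def run_scenarios():
    ext, intl = screened_subnet()
    cases = {   # order matters: the reply is only accepted once its flow exists
        "internet->desktop:22": Packet(INTERNET, 40000, DESKTOP, 22, True),
        "internet->relay:25": Packet(INTERNET, 40001, RELAY, 25, True),
        "relay->mail:25": Packet(RELAY, 50000, INTERNAL_MAIL, 25, True),
        "relay->desktop:445": Packet(RELAY, 50001, DESKTOP, 445, True),
        "desktop->internet:80": Packet(DESKTOP, 51000, INTERNET, 80, True),
        "reply internet:80->desktop": Packet(INTERNET, 80, DESKTOP, 51000),
        "unsolicited internet:80->desktop": Packet(INTERNET, 80, DESKTOP, 51001),
    }
    return {name: verdict(p, ext, intl) for name, p in cases.items()}
```

The fourth scenario is the point of the architecture: a relay that has been taken over through the port-25 hole still cannot reach an internal desktop, because the internal filter only admits the relay's connections to the mail server.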
Recommended for large sites, or those protecting valuable assets.

INVISIBLE FILTER ARCHITECTURE

Some products act as bridges and are as such invisible to TCP/IP traffic. An example is the SunScreen from Sun Microsystems. This offers a huge advantage, especially if the filter is intelligent: it is very difficult to attack the packet filter.

ADVANTAGES

- Since the filter doesn't have an IP address, it is much more difficult to attack. Being invisible is a major security advantage.
- Since it can bridge but not route, it can be inserted into an existing network without changing current addresses or subnet masks. But this also means that a router is still necessary!
- For high availability a duplicate filter should be available. The filter above is a single point of failure: what if it dies, or the wrong rule is added by mistake? A firewall using this type of architecture must therefore be carefully designed, specified and installed.

CONCLUSION

The level of security you establish will determine how many of these threats can be stopped by your firewall. The highest level of security would be to simply block everything. Obviously that defeats the purpose of having an Internet connection. But a common rule of thumb is to block everything, and then begin to select what types of traffic you will allow. You can also restrict traffic that travels through the firewall so that only certain types of information, such as e-mail, can get through. This is a good rule for businesses that have an experienced network administrator who understands what the needs are and knows exactly what traffic to allow through. For most of us, it is probably better to work with the defaults provided by the firewall developer unless there is a specific reason to change them. One of the best things about a firewall from a security standpoint is that it stops anyone on the outside from logging onto a computer in your private network.
While this is a big deal for businesses, most home networks will probably not be threatened in this manner. Still, putting a firewall in place provides some peace of mind.