Lessons - Firewall basics
This lesson explores hardware and software firewalls and how to establish a secure foundation to deploy software firewalls. You learned in Lesson 1 that you can implement firewalls using either hardware or software solutions. To recap, a hardware firewall is most often a software firewall that comes prepackaged inside some particular hardware implementation. In other words, a hardware firewall uses a pre-fab computer system, an intelligent router, or some kind of network/internet access device that includes firewall software. In this form, a firewall is a kind of device that's attached to the internet on one side and to an internal, private network on the other side. To deploy a hardware firewall, you need to install it only onto your boundary network connection, such as an incoming T1 line or cable or DSL (Digital Subscriber Line) connection, and then to customize its filters or rules to meet your needs.
Inside hardware firewalls
The same software you can purchase and install as a software firewall is often found preinstalled on hardware-based firewalls. For example, the software firewall product Firewall-1 from CheckPoint software also provides the software for the preinstalled firewall on Nokia IP hardware firewall products. In some cases, a hardware firewall may include other functions besides those of a firewall, such as a cable modem or DSL interface, and more. In such cases, these devices are often called internet appliances because they provide everything needed to attach one or more computers safely to the internet in a single box.
There are a few hardware firewalls whose software component is burned into an ASIC (Application-Specific Integrated Circuit) chip. Such true hardware firewalls offer the benefit of increased speed and are completely impervious to core system alterations because the software is burned into its CPU (central processing unit). The content filter rules for an ASIC-based firewall are typically stored on a removable media device (such as a floppy, CD-ROM, or flash memory card) that the firewall treats as a read-only source. However, to upgrade a true hardware firewall, you must replace the ASIC chip. This is the stumbling block for widespread deployment and adoption of true hardware firewalls.
Typical hardware firewalls, which employ a customized computer with a preinstalled operating system and firewall product, are popular solutions. Often called standalone firewalls or firewalls-in-a-box, they allow network administrators to quickly deploy a firewall using technology that's intentionally different from what's used throughout their networks. For example, for networks comprised primarily of Windows systems, deploying a hardware firewall based on a Linux, Unix, or Macintosh operating system adds another dimension of protection to that network. Attackers need to compromise and bypass the firewall first, and then switch tactics when attempting to infiltrate the actual network. Using a different operating system to protect the most commonly used operating system within a network is enough of a deterrent to foil many would-be intruders. Very few crackers are skilled at infiltrating more than one operating system. Using that to your advantage is smart security.
Hardware firewall pros
Hardware firewalls are generally faster than software firewalls. Software firewalls (see later sections of this lesson) are firewall software products that are installed by system administrators onto whatever computer(s) they have available. In comparison, hardware firewalls are tuned to operate efficiently and are dedicated to a single function -- namely filtering of traffic and content. Hardware firewalls are faster to set up than software firewalls, primarily because the software portion of the firewall is already preinstalled on such products. However, that is insignificant. The security that a firewall offers should be the driving reason you select any particular firewall, not the length of time required to install it. In the grand scheme of protecting your network, a few extra hours spent installing a security solution is well worth the effort if it succeeds at thwarting an attack. Whether you're working with a hardware or a software firewall, it will take a significant amount of time to fully configure that product as well as to implement and test content and traffic filters. Generally, there are fewer compatibility issues with hardware firewalls than with software firewalls. The preinstalled software found in firewall-in-a-box solutions has already been tested for compatibility with the hardware components within the host system. By comparison, software firewalls require system administrators to match their intended host's operating system and hardware components with the system requirements of the firewall software, often through a process involving trial and error.
Hardware firewall cons
Hardware firewalls do have drawbacks. If a hardware firewall fails, you must typically replace the whole device. Hardware firewalls offer little in the way of end-user (that means the system administrator) troubleshooting controls and corrective measures. Most of the components in a hardware firewall are proprietary; often, simply opening the case can void your warranty. In addition, when you experience a problem with a hardware firewall that you cannot quickly resolve via technical support emails or phone calls, a reboot, or some quick alteration to its startup parameters, this usually means you must ship the device to the vendor for repair or replacement. This may leave your network unprotected in the interim (think about maintaining spares for this reason, or ask your vendor if they can cross-ship a loaner to provide a temporary replacement for your inbound unit). That said, some internet appliances cost under $100, so buying another one isn't too terribly painful, either. Another limitation of hardware firewalls is that end-users often cannot install component upgrades. Here again, you'll have to ship the device in to get it upgraded or to obtain a new model as a replacement. Finally, it's important to recognize that for the same level of functionality, a hardware firewall often costs more than a software-only firewall, if only because of the costs of the extra hardware involved.
Software firewalls
A software firewall is, in concept, no different from any other network service that you install onto a computer system. In this form, a firewall is a program that runs on a computer connected to the internet (and that may also be attached to an intranet, an internal, private network). The firewall software grabs all incoming traffic and inspects it to decide if it will allow that traffic to enter the computer on which it's running, or pass it on to the internal network.
Software firewall pros
The benefits of a software firewall include a broad range of options. There are significantly more software firewall products than there are hardware firewall products. This allows you to compare and contrast more selections, and offers more choices for your specific needs (possibly even better ones than hardware firewalls might provide). Another benefit of software firewalls is that you supply the hardware and the operating system. This means you can upgrade and improve the capabilities of the host computer without involving the firewall vendor. However, this aspect of software firewalls also has a downside: You must make sure that the host meets minimum system requirements for the firewall product (as discussed in the next page of this lesson). Software firewalls typically require more computing horsepower to manage high traffic volumes properly at a reasonable level of performance as compared to equivalent hardware firewalls. Finally, just like hardware firewalls, software firewalls can offer additional services or capabilities, including proxying, NAT (Network Address Translation), and/or application gateway services.
Software firewall best practices
It's important to dedicate any software firewall host as a single-purpose system, because installing other services or applications on a firewall host reduces whatever security the firewall can offer. Always remember that a software firewall is only as secure as the host system that supports it. If the host has hardware or software vulnerabilities, limitations, or flaws, the firewall itself may also be vulnerable to failure, downtime, or attack. If an attacker can make your host operating system freeze or obtain unrestricted system access, that attacker can render your firewall useless. It's of utmost importance that the host for a firewall be maintained vigilantly. You should immediately replace defective hardware or hardware near its MTBF (mean time between failures), patch all known security holes or vulnerabilities, and use any other means to make that host as secure and hardened as possible (such as locking it in a secure server room). If you fail to establish a secure foundation for a software firewall, you're not deploying that firewall effectively or securely.
Just about any operating system can serve as a host platform for a software firewall. However, when you need to protect a network, select an operating system that offers reliable security -- a modern operating system such as Windows Server 2003, Windows 2000, Windows XP Professional, Linux, or Unix. Otherwise, the host's security foundation will not be strong enough to support the protection that the firewall can offer. Mac OS X is actually Unix-based, so it benefits from native security features present in Unix. If you need a firewall just to protect a single system, you need a personal firewall. A personal firewall is a firewall product designed to protect the system on which it's installed. Personal firewall products are available for most client, desktop, workstation, or standalone operating systems.
Establish a secure host system
When deploying a software firewall, you must use a secured host system to support it. Without a solid and reliable host, your firewall is worthless. There are a variety of steps you need to go through long before you actually install firewall software, to ensure your system is as secure as possible. These are explained in the following sections.
Procure the right hardware
The first step in establishing a secure host system is to meet the minimum system requirements for the firewall product you plan to deploy. This includes hardware components, such as CPU, RAM (random access memory), hard drive space, and NIC (network interface card) throughput, as well as the operating system software. Whenever possible, you should install as much high-speed, high-capacity hardware on the host as your budget can afford. Software firewalls require significant computing power, so it's better to build in more than you need so you won't constrain yourself with underperforming systems that can hinder productivity.
Install and patch the software
After you have the right hardware, install the operating system and any applicable upgrades, updates, patches, fixes, and so on to establish the most secure and up-to-date system possible. Then, remove anything from the operating system or the firewall product that's not essential for proper functioning. In other words, if it's not a core component or an essential service, remove it, uninstall it, or disable it. The less unnecessary code running on a host, the fewer vulnerabilities it exposes, and the more processing power that remains available for firewall processing.
Create an installation log
It's common to deploy multiple instances of the same firewall, especially in large organizations. For this reason, it's important to document your installation procedure so you (or others) can repeat it successfully and consistently. The best way to document your installation is to create a log for each host. Here are some worthwhile items to include:
A complete inventory of all hardware components.
The name and version of the operating system and any installed or applied upgrades, updates, patches, fixes, and so on.
The details on all driver versions for all hardware components.
A list of all removed, uninstalled, or disabled applications or services, with step-by-step procedures for performing each operation.
As you make changes to any host, no matter how insignificant, add those details to its log. This log should contain all firewall configuration settings, content filter rules, troubleshooting steps, and so forth. It should also be detailed enough that another person can use it as a guide to deploy an exact duplicate or firewall system. You'll also find this log extremely helpful when troubleshooting problems.
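The installation log described above, as an added example that is not part of the lesson: a small POSIX shell script that keeps an append-only, timestamped log per host, records the baseline the lesson asks for (operating system and kernel, CPU and RAM, each NIC with its driver, loaded kernel modules with their versions), and logs every removed or disabled service together with the exact steps used. It assumes a Linux host; the log path, the tab-separated record layout and the category names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the lesson): append-only installation log for a
# firewall host. Assumes Linux with POSIX sh; log path, record layout and
# category names (OS, HW, NIC, MODULE, SERVICE) are this example's choices.

LOGFILE="${FIREWALL_HOST_LOG:-/var/log/firewall-host-install.log}"

# log_entry LOGFILE CATEGORY MESSAGE...
# Appends one record: UTC timestamp, category and message, tab-separated on
# a single line so the log is easy to grep, diff and hand to a colleague.
log_entry() {
    logfile=$1
    category=$2
    shift 2
    printf '%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$category" "$*" >> "$logfile"
}

# count_entries LOGFILE CATEGORY
# Prints how many records carry the given category (0 if the log is absent).
count_entries() {
    [ -f "$1" ] || { echo 0; return 0; }
    awk -F '\t' -v c="$2" '$2 == c { n++ } END { print n + 0 }' "$1"
}

# record_service_change LOGFILE SERVICE ACTION STEPS
# Logs a removed, uninstalled or disabled service with the commands used,
# so another administrator can repeat the procedure exactly.
record_service_change() {
    logfile=$1
    service=$2
    action=$3
    shift 3
    log_entry "$logfile" SERVICE "$service $action; steps: $*"
}

# snapshot_host LOGFILE
# Records the baseline: OS and kernel, CPU and RAM, NICs with their drivers
# (from sysfs, no extra tools needed) and loaded kernel modules with versions.
snapshot_host() {
    logfile=$1
    log_entry "$logfile" OS "kernel $(uname -srm)"
    if [ -r /etc/os-release ]; then
        log_entry "$logfile" OS "$(. /etc/os-release; printf '%s' "$PRETTY_NAME")"
    fi
    log_entry "$logfile" HW "cpu: $(sed -n 's/^model name[[:space:]]*: //p' /proc/cpuinfo | head -n 1)"
    log_entry "$logfile" HW "ram: $(awk '/^MemTotal/ { print $2 " kB" }' /proc/meminfo)"
    for nic in /sys/class/net/*; do
        drv=$(readlink "$nic/device/driver" 2>/dev/null)
        drv=${drv##*/}
        log_entry "$logfile" NIC "${nic##*/} driver=${drv:-none}"
    done
    while read -r mod _; do
        log_entry "$logfile" MODULE "$mod version=$(modinfo -F version "$mod" 2>/dev/null)"
    done < /proc/modules
}

# A full snapshot runs only on request:  sh hostlog.sh snapshot
case "${1:-}" in
    snapshot) snapshot_host "$LOGFILE" ;;
esac
```

Run `sh hostlog.sh snapshot` once the operating system and patches are in place, then call `record_service_change` from the same shell for every service you disable; `count_entries "$LOGFILE" SERVICE` gives a quick sanity check that the removal list in the log matches what was actually done.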
Secure the host system
After you've put your log together, lock down the host system. This doesn't mean you should physically put a lock on your system (although that's a good idea as well when you're done setting up the firewall). Rather, it means you secure your computer from a software perspective so it's as impervious to hacking as humanly (or digitally) possible. The steps you follow to lock down a host system differ from operating system to operating system and are usually detailed in a security baseline checklist. Visit the operating system manufacturer's home page to get a copy of the checklist for your version of the software, or query your favorite search engine for "security baseline checklist operating system", where operating system is the name and version of the operating system your firewall uses.
As part of your system lockdown, be sure to disable IP forwarding (where applicable; this doesn't apply to Windows 2000 or newer versions). IP forwarding is a service that transfers packets inbound from one network card (and the computer attached to it) directly and immediately to another (outbound) network card. This effectively bypasses the firewall; if not disabled, you're wasting your time installing a firewall.
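Two of the lockdown steps above, checking that IP forwarding is off and finding non-essential services that are still listening (the "remove, uninstall, or disable" step of the previous section), as an added example that is not part of the lesson. It assumes a Linux host with /proc/sys, sysctl and ss from iproute2; the sysctl.d drop-in name and the "proto/port" allowlist format are this example's own choices. One caveat from the Linux side: a host that filters routed packets with netfilter's FORWARD chain must keep forwarding enabled and relies on that chain to control what crosses between interfaces; the lesson's rule applies where the firewall software itself brokers traffic (as a proxy or application gateway does) or where the host only protects itself.

```shell
#!/bin/sh
# Added example (not from the lesson): lockdown checks for a Linux firewall
# host. Assumes /proc/sys, sysctl and ss (iproute2); the drop-in file name
# and the allowlist format ("proto/port" tokens) are this example's choices.

IPV4_FWD=/proc/sys/net/ipv4/ip_forward
IPV6_FWD=/proc/sys/net/ipv6/conf/all/forwarding
SYSCTL_DROPIN=/etc/sysctl.d/90-firewall-host.conf

# forwarding_state FILE -> prints enabled | disabled | absent | unknown
# FILE is normally $IPV4_FWD or $IPV6_FWD; any file holding 0 or 1 works,
# which lets the check be exercised against constructed input.
forwarding_state() {
    [ -r "$1" ] || { echo absent; return 0; }
    case "$(tr -d '[:space:]' < "$1")" in
        0) echo disabled ;;
        1) echo enabled ;;
        *) echo unknown ;;
    esac
}

# forwarding_ok FILE... -> exit 0 only if none of the listed switches is on
forwarding_ok() {
    for f in "$@"; do
        if [ "$(forwarding_state "$f")" = enabled ]; then
            return 1
        fi
    done
    return 0
}

# disable_forwarding: clear both switches now and persist the setting in a
# sysctl.d drop-in so it survives a reboot (needs root).
disable_forwarding() {
    sysctl -w net.ipv4.ip_forward=0 net.ipv6.conf.all.forwarding=0
    printf 'net.ipv4.ip_forward = 0\nnet.ipv6.conf.all.forwarding = 0\n' > "$SYSCTL_DROPIN"
}

# unexpected_listeners ALLOWLIST < ss-output
# Reads "ss -H -tuln" lines on stdin (netid state recv-q send-q local peer)
# and prints each listening proto/port that is not in ALLOWLIST, a
# space-separated list such as "tcp/22 udp/500". The port is the last
# colon-separated field of the local address, so IPv6 addresses parse too.
unexpected_listeners() {
    awk -v allow=" $1 " 'NF >= 5 {
        n = split($5, a, ":")
        key = $1 "/" a[n]
        if (index(allow, " " key " ") == 0) print key
    }' | sort -u
}

# audit_listeners ALLOWLIST -> runs the listener check against the live host
audit_listeners() {
    ss -H -tuln | unexpected_listeners "$1"
}

# sh lockdown.sh check [ALLOWLIST]   report forwarding state and extra listeners
# sh lockdown.sh disable             turn IP forwarding off
case "${1:-}" in
    check)
        echo "ipv4 forwarding: $(forwarding_state "$IPV4_FWD")"
        echo "ipv6 forwarding: $(forwarding_state "$IPV6_FWD")"
        audit_listeners "${2:-tcp/22}"
        ;;
    disable) disable_forwarding ;;
esac
```

Anything `check` prints under the forwarding lines is a service the host is offering on the network that you did not put on the allowlist; either add it deliberately or disable it and record the step in the installation log.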
Install your firewall software
Finally, install and perform initial configuration of the firewall product. Once it's installed and functioning, perform a complete system backup. You should periodically back up the system (as well as immediately following significant system changes, such as applying updates or major configuration alterations). Remember, every time you do anything, record it in the host or firewall log.
In this lesson, you learned that you can implement firewalls as hardware-focused solutions or as software products deployed onto existing hardware. You also learned that when deploying software firewalls, nothing is as important as maintaining the security of the host system. Without a secure host, a firewall is ineffective. Before you move on, don't forget to do the assignment and the quiz. Also, visit the Message Board to find out what other students are up to and to touch base with your instructor. In Lesson 5, you'll explore the need for a security policy to guide and focus development and implementation of a firewall.
Firewall technologies assignment
Assignments are designed to help you apply the information learned in the lessons.
Shopping for firewalls
A good way to learn more about your firewall options (both hardware and software) is to research firewall products to learn which features they offer, which hardware and software they require, and how much they cost. It's also a good idea to read reputable and reliable product reviews to see what kind of common installation and administration problems you might run into with either software or hardware firewalls. To start your research, visit CNET to browse a collection of products and read reviews of hardware and software firewall products. One of the best all-around sites is the Home PC Firewall Guide, which maintains a Personal Firewall Reviews page that not only offers reviews of many personal firewalls, but also identifies those personal firewalls it doesn't review. It also does a nice job of making recommendations, and of identifying second (and even lower) tier offerings available. Read the reviews of Norton Personal Firewall and ZoneAlarm on this website; see the Getting Started pointers at the bottom of this page as well.
Quizzes are designed to give you a chance to test your knowledge.
1. True or False: The same product that's available as a software firewall can sometimes be found as a preinstalled product on a hardware firewall.
A. True
B. False
2. What's the primary drawback to hardware firewalls?
A. They often include other functions, such as a cable modem.
B. They're nearly impervious to tampering.
C. Upgrading the device may require returning it to the vendor.
D. They offer faster performance than many software firewalls.
3. When deploying a software firewall, what must you supply? (Check all that apply.)
A. Internet connectivity
B. Computer hardware
C. An operating system
D. A high-speed connection
4. What's the most important factor in maintaining overall security when deploying a software firewall?
A. Scanning for viruses
B. Documenting the installation process
C. Lots of additional RAM
D. Securing the host system
5. True or False: For a firewall to function properly, the TCP/IP option known as IP forwarding must be enabled.
A. True
B. False