Firewall White Paper

Introduction

With the explosion in Internet connectivity, a large number of corporations and homes are connected to the public network. However, Internet connectivity is also associated with numerous security threats. Networks and machines are exposed to the public network and need to be protected from everyone from casual intruders to sophisticated hackers and crackers. A firewall is a security tool that provides perimeter security to networks. It provides configurable network access control and authentication before services can be accessed. Firewalls also protect networks from DoS (Denial-of-Service) attacks and other common attacks, for which tools are readily available on the public network.

Challenges

Corporate and home networks hold confidential information and must be protected from malicious users. Any access to this information by unauthorized personnel should be prevented, and any unauthorized attempt should be logged. To provide perimeter security, the solution should support the following:

Authorized Access – Access to resources such as networks, machines and the services on those machines should be controlled. The solution should provide flexibility in configuring access control policies.

User Authentication – Corporations need to provide their mobile employees with secure access to their intranet and other resources. These resources and services could potentially fall into the wrong hands and lead to unauthorized access to corporate resources. To avoid this, the security solution should provide a way to authenticate the users accessing network resources.

Defense against DoS – Networks and machines are connected to the Internet. Perpetrators, with the help of tools available on the Internet, can bring down a network and disable services on machines. The security solution should provide adequate defense against common DoS and other attacks.
Identity Protection – Hackers and crackers constantly try to uncover network maps and machine IP addresses in order to launch DoS attacks. The solution should be able to protect the identity of network maps and addresses.

Logging – Any unauthorized attempt to access resources in the internal network and any attempt to mount DoS attacks should be detected and logged. This provides valuable information to administrators on the type of data and service being accessed, and enables them to take appropriate preventive actions.

Firewalls are designed to provide access control and authenticated access, and to protect networks from common DoS attacks and exploits. In addition, they also log any break-in attempts.

Copyright © 2002, Intoto Inc. Firewall White Paper 2

Firewalls Explained

Firewalls provide perimeter security and are used to protect trusted networks from untrusted networks. Not only do they control access into the trusted network, they also control access from trusted networks to untrusted networks. An access control policy is defined by target network/machine address(es), target service(s) and source network, with an action of deny or permit attached to the policy. Whenever a new packet/connection is received by the firewall, the access control policy list is consulted and the action taken is the ‘action’ parameter of the matching policy.

There are no standards for firewalls. There are three kinds of firewalls in the market – packet filtering, proxy based and stateful inspection firewalls.

Packet filter firewalls, working at the network layer of the OSI stack, make simple allow or deny choices based on packet network addresses and ports. The access control rules are checked for every packet. This is simple and available in most routers. Though it meets part of the access control requirement of a perimeter security solution, it does not provide authenticated access, protection against simple and common DoS attacks, or identity protection.
It also does not provide the application protocol intelligence required to open temporary ports in support of complex application protocols such as FTP, H.323, SIP, etc.

Proxy based firewalls, working at the application layer of the OSI stack, act as intermediaries for user connections, terminating the client connection and making a second connection to the server resource. Proxy based firewalls consist of several proxy applications. Though proxies see enough information to evaluate security, they are slow and require large amounts of memory to support many simultaneous connections. They are also inflexible and not available for newer applications. In some cases, they may even require changes to the client applications running on trusted/untrusted networks.

Stateful inspection firewalls combine the strengths of proxy and packet filter firewalls. They support all the features required of a perimeter security tool and operate at the network layer. A stateful inspection firewall maintains and updates state for each connection during the session. The state is used to take action on subsequent packets of the connection. This is augmented with Application Layer Gateways (ALGs), which interpret application payloads, offer superior security and open only the ports required to support complex applications. It provides better performance because it operates at the network layer, where the memory requirement for multiple simultaneous connections is low, and because it does not terminate connections and make new ones.

The iGateway-Firewall solution from Intoto

The Intoto iGateway-Firewall solution implements stateful inspection technology. iGateway-Firewall is a fully integrated software solution providing perimeter security. It is architected for flexibility and scalability, so that comprehensive network security gateways can be built for organizations of all sizes and complexity.
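The per-connection state keeping that distinguishes stateful inspection from packet filtering, shown as an added example (illustrative code written for this page, not Intoto's implementation). It follows the behaviour the text describes: a session is keyed on the connection selectors, every later packet of the connection is decided from the stored state rather than from the policy list, and the session is removed on idle timeout or, for TCP, when FIN or RST is seen (as the iGateway description further down also states). The `SessionTable` and `Packet` names, the 300-second idle default, the simplification that only a TCP SYN (or any UDP packet) may open a session, and the addresses and timestamps in `demo()` are all assumptions or constructed values.

```python
# Added example (not Intoto's code): a minimal stateful session table.
# Sessions are keyed on the connection selectors, each packet updates the
# session state, and a session is removed on idle timeout or on TCP FIN/RST.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Tuple

Key = Tuple[str, int, str, int, str]  # src ip, src port, dst ip, dst port, proto


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    flags: FrozenSet[str] = frozenset()  # TCP flags, e.g. {"SYN"}, {"FIN", "ACK"}
    ts: float = 0.0                      # constructed timestamp, seconds


@dataclass
class Session:
    key: Key
    state: str
    last_seen: float
    packets: int = 0


class SessionTable:
    """Forward packets of known sessions on state alone; consult the policy
    callback only when a packet would open a new session."""

    def __init__(self, policy_permits: Callable[[Packet], bool], idle_timeout: float = 300.0):
        self.policy_permits = policy_permits
        self.idle_timeout = idle_timeout
        self.sessions: Dict[Key, Session] = {}

    @staticmethod
    def key_of(p: Packet) -> Key:
        return (p.src, p.sport, p.dst, p.dport, p.proto)

    def lookup(self, p: Packet) -> Optional[Session]:
        k = self.key_of(p)
        rev = (k[2], k[3], k[0], k[1], k[4])  # the reply direction shares the session
        return self.sessions.get(k) or self.sessions.get(rev)

    def expire(self, now: float) -> int:
        """Drop sessions that have been idle longer than the configured timeout."""
        stale = [k for k, s in self.sessions.items() if now - s.last_seen > self.idle_timeout]
        for k in stale:
            del self.sessions[k]
        return len(stale)

    def process(self, p: Packet) -> str:
        """Return "permit" or "deny" for one packet and update the table."""
        self.expire(p.ts)
        s = self.lookup(p)
        if s is None:
            # Only a TCP SYN (or any UDP packet) may open a session: a stray
            # ACK or FIN with no session is dropped regardless of policy.
            if p.proto == "tcp" and p.flags != frozenset({"SYN"}):
                return "deny"
            if not self.policy_permits(p):
                return "deny"
            s = Session(self.key_of(p), "SYN_SENT" if p.proto == "tcp" else "ESTABLISHED", p.ts)
            self.sessions[s.key] = s
        s.last_seen = p.ts
        s.packets += 1
        if p.proto == "tcp":
            if "RST" in p.flags or "FIN" in p.flags:
                del self.sessions[s.key]  # simplified: close on the first FIN or RST
                s.state = "CLOSED"
            elif s.state == "SYN_SENT" and "ACK" in p.flags:
                s.state = "ESTABLISHED"   # handshake reply seen
        return "permit"


def demo() -> list:
    """Replay a constructed packet sequence and return the verdicts."""
    allow_web = lambda p: p.dst == "203.0.113.10" and p.dport == 80
    table = SessionTable(allow_web, idle_timeout=300.0)
    stream = [
        Packet("10.0.0.5", 40000, "203.0.113.10", 80, flags=frozenset({"SYN"}), ts=0.0),
        Packet("203.0.113.10", 80, "10.0.0.5", 40000, flags=frozenset({"SYN", "ACK"}), ts=0.1),
        Packet("10.0.0.5", 40000, "203.0.113.10", 80, flags=frozenset({"ACK"}), ts=0.2),
        Packet("198.51.100.7", 5555, "203.0.113.10", 80, flags=frozenset({"ACK"}), ts=0.3),  # no session
        Packet("10.0.0.5", 40000, "203.0.113.10", 80, flags=frozenset({"FIN", "ACK"}), ts=0.4),
        Packet("10.0.0.5", 40000, "203.0.113.10", 80, flags=frozenset({"ACK"}), ts=0.5),  # after close
    ]
    return [table.process(p) for p in stream]
```

The fourth packet in `demo()` is the case a packet filter gets wrong: an ACK to a permitted server port with no session behind it. The session table denies it because state, not the policy list, decides packets that are not connection openers.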
iGateway-Firewall includes comprehensive access policies, different flavors of NAT support, multiple ALGs to support complex application protocols, a cyber-defense engine to prevent hackers from launching DoS attacks, authenticated access to the servers behind it, and comprehensive logging support.

iGateway-Firewall maintains state information for connections originating from all directions – external, internal, DMZ, etc. The state information includes: selector information for session identification; Network Address Translation information such as IP addresses and ports; attack-detection information such as sequence numbers and window sizes, used to detect and prevent DoS attacks; and link layer and routing information for faster forwarding. A session is terminated upon detecting inactivity for a specified duration or, in the case of TCP, when RST or FIN packets are received.

iGateway-Firewall supports comprehensive access policy lists for each trusted network in both directions – outbound and inbound. A policy list is an ordered list of policies. Each policy contains selector information, action information, sub-action information and optional additional filtering information. Selectors include source and destination IP information, protocol, source port and destination port. An IP address can be specified as a single IP address, a range of IP addresses, a subnet, a wildcard or a domain name. Port information can be a single port, a wildcard or a range. Action information specifies whether the policy is a permit or deny policy. Sub-action information is valid only for permit policies; it includes NAT information such as NAT type and NAT IP, and log information. Additional filtering information includes time windows, used to permit or deny access only during certain periods of time, and application filtering information such as filtering based on RPC program numbers, FTP and SMTP commands, HTTP URL extensions, etc.
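An ordered policy list with the selector and action vocabulary just described (and the first-match evaluation from the Firewalls Explained section), shown as an added example. This is illustrative code for this page, not Intoto's product code; the `Policy` field names, the `hours` time window, the representation of the NAT and log sub-actions as a dictionary and a boolean, the implicit deny when nothing matches, and the constructed `OUTBOUND`/`INBOUND` lists with their addresses are all assumptions. Domain-name selectors, which the text also allows, are omitted because they would need a resolver.

```python
# Added example (not Intoto's code): an ordered policy list with single-IP,
# range, subnet and wildcard address selectors; single, range and wildcard
# port selectors; a permit/deny action; permit-only sub-actions (NAT, log);
# and an optional time window. The first matching policy wins; no match is deny.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

ANY = "*"
PortSpec = Union[str, int, Tuple[int, int]]


def ip_matches(spec: str, ip: str) -> bool:
    """spec is '*', a single address, 'low-high' or CIDR notation."""
    if spec == ANY:
        return True
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        low, high = (ipaddress.ip_address(x.strip()) for x in spec.split("-", 1))
        return low <= addr <= high
    if "/" in spec:
        return addr in ipaddress.ip_network(spec, strict=False)
    return addr == ipaddress.ip_address(spec)


def port_matches(spec: PortSpec, port: int) -> bool:
    """spec is '*', a single port or an inclusive (low, high) tuple."""
    if spec == ANY:
        return True
    if isinstance(spec, tuple):
        return spec[0] <= port <= spec[1]
    return port == spec


@dataclass
class Policy:
    name: str
    src: str = ANY
    dst: str = ANY
    proto: str = ANY
    sport: PortSpec = ANY
    dport: PortSpec = ANY
    action: str = "permit"
    nat: Optional[Dict[str, str]] = None     # sub-action, e.g. {"type": "napt", "ip": ...}
    log: bool = False                         # sub-action
    hours: Optional[Tuple[int, int]] = None   # additional filter: [start, end) hour of day

    def __post_init__(self):
        if self.action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if self.action == "deny" and (self.nat or self.log):
            raise ValueError("sub-actions are valid only for permit policies")

    def matches(self, pkt: Dict, hour: int) -> bool:
        if self.hours and not (self.hours[0] <= hour < self.hours[1]):
            return False
        return (ip_matches(self.src, pkt["src"]) and ip_matches(self.dst, pkt["dst"])
                and (self.proto == ANY or self.proto == pkt["proto"])
                and port_matches(self.sport, pkt["sport"])
                and port_matches(self.dport, pkt["dport"]))


def evaluate(policies: List[Policy], pkt: Dict, hour: int) -> Tuple[str, str]:
    """Walk the ordered list and return (action, policy name); implicit deny."""
    for pol in policies:
        if pol.matches(pkt, hour):
            return pol.action, pol.name
    return "deny", "default"


# Constructed policy lists for a trusted 10.0.0.0/8 network behind 203.0.113.1.
OUTBOUND = [
    Policy("block-bad-host", src="10.0.0.0/8", dst="192.0.2.66", action="deny"),
    Policy("outbound-web", src="10.0.0.0/8", proto="tcp", dport=(80, 443),
           nat={"type": "napt", "ip": "203.0.113.1"}),
]
INBOUND = [
    Policy("inbound-web", dst="203.0.113.1", proto="tcp", dport=80,
           nat={"type": "reverse", "ip": "10.0.0.80"}, log=True, hours=(8, 18)),
    Policy("no-telnet", dst="203.0.113.0-203.0.113.255", proto="tcp", dport=23, action="deny"),
]
```

Order matters: `block-bad-host` is placed before the broader `outbound-web` permit, so a web connection to the blocked host is denied; reversing the two policies would permit it, which is why a policy list is an ordered list rather than a set.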
iGateway-Firewall provides a cyber-defense engine that protects trusted networks from known and common attacks. It provides defense against 60+ DoS attacks including SYN flood, Smurf, LAND, Ping of Death, Jolt, Jolt2, IP spoofing, WinNuke, sequence number prediction, several IP and transport protocol header integrity attacks, multiple IP reassembly based attacks such as Bonk, Boink, Nestea, syndrop and opentear, and application based attacks such as Mimeflood, octopus, DNS spoofing, etc. In addition, it provides traffic policing capabilities (using a token bucket algorithm) to limit traffic of a specified type, thus protecting trusted networks from a flood of unintended packets.

iGateway-Firewall supports different flavors of NAT including one-to-one NAT, many-to-one NAT (NAPT), many-to-many NAT and reverse NAT. NAT enhances security by hiding internal IP address information from the public network. It also allows multiple internal machines to share an IP address for Internet connectivity via the many-to-one and many-to-many NAT functions. Reverse NAT is used to host Internet services, such as web servers, email servers and RealAudio servers, in the private IP address space.

iGateway-Firewall allows multiple user communities to be created. User communities are associated with firewall policies. When a user logs on to the iGateway-Firewall, it dynamically activates the respective community policies, and these policies allow connections from the user to internal servers. This feature gives mobile users access to trusted network resources upon successful authentication.

iGateway-Firewall provides a comprehensive HTTP based user interface, and a CLI via telnet and the local console connection. It also generates logs and alerts the administrator, via email and syslog, of any unauthorized attempt to access resources, DoS attacks detected, etc.
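The token bucket traffic policing mentioned above, shown as an added example (illustrative code for this page, not Intoto's implementation). A bucket of `burst` tokens is refilled at `rate` tokens per second; a packet of the policed class is forwarded only if a token is available, so a short burst passes while a sustained flood is cut back to the configured rate. The `TokenBucket` and `police()` names, the choice to select the policed class by protocol alone, and the constructed flood and steady streams are all assumptions.

```python
# Added example (not Intoto's code): token-bucket policing of one traffic class.
# Packets of the policed class consume a token each; other traffic is untouched.
from dataclasses import dataclass
from typing import Dict, Iterable


class TokenBucket:
    """Bucket refilled at `rate` tokens/second, holding at most `burst` tokens."""

    def __init__(self, rate: float, burst: float):
        self.rate = rate
        self.capacity = burst
        self.tokens = burst      # start full so a short burst is admitted
        self.last = 0.0

    def allow(self, now: float, cost: float = 1.0) -> bool:
        elapsed = max(0.0, now - self.last)      # tolerate slightly out-of-order clocks
        self.last = max(self.last, now)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


@dataclass
class Packet:
    ts: float
    proto: str
    src: str
    dst: str


def police(stream: Iterable[Packet], policed_proto: str, rate: float, burst: float) -> Dict[str, int]:
    """Return counts: forwarded/dropped for the policed class, passed for the rest."""
    bucket = TokenBucket(rate, burst)
    counts = {"forwarded": 0, "dropped": 0, "passed": 0}
    for p in sorted(stream, key=lambda x: x.ts):   # the policer needs time order
        if p.proto != policed_proto:
            counts["passed"] += 1
        elif bucket.allow(p.ts):
            counts["forwarded"] += 1
        else:
            counts["dropped"] += 1
    return counts


def flood_stream() -> list:
    """Constructed: 20 ICMP packets 1 ms apart (a flood) plus 3 unrelated TCP packets."""
    icmp = [Packet(i * 0.001, "icmp", "198.51.100.7", "10.0.0.80") for i in range(20)]
    tcp = [Packet(0.0025 + i * 0.005, "tcp", "10.0.0.5", "203.0.113.10") for i in range(3)]
    return icmp + tcp


def steady_stream() -> list:
    """Constructed: 10 ICMP packets 0.5 s apart, well under the policed rate."""
    return [Packet(i * 0.5, "icmp", "10.0.0.5", "203.0.113.10") for i in range(10)]
```

With a rate of 5 packets per second and a burst of 5, the flood stream gets its first five packets through on the initial tokens and the remaining fifteen dropped, since only 0.005 tokens accrue per millisecond; the steady stream, arriving every half second, refills the bucket faster than it drains and is never dropped. The TCP packets are counted as passed because the policer is scoped to the ICMP class only.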
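The many-to-one (NAPT) and reverse NAT flavors named above, shown as an added example (illustrative code for this page, not Intoto's implementation). Outbound connections from several internal hosts are rewritten to one public address with a freshly allocated source port, replies are mapped back through the same table, a published server is reached through a static reverse entry, and any other unsolicited inbound packet is dropped, which is what hides the internal addressing. The `Napt` class, its port pool bounds, and the 203.0.113.1 / 10.0.0.0/8 addresses are constructed; one-to-one and many-to-many NAT are not modelled.

```python
# Added example (not Intoto's code): NAPT with a static reverse NAT entry.
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Napt:
    def __init__(self, public_ip: str, first_port: int = 10000, last_port: int = 60000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.outbound: Dict[Tuple[str, str, int], int] = {}   # (proto, src ip, src port) -> public port
        self.inbound: Dict[Tuple[str, int], Endpoint] = {}    # (proto, public port) -> internal endpoint
        self.reverse: Dict[Tuple[str, int], Endpoint] = {}    # static reverse NAT entries

    def add_reverse(self, proto: str, public_port: int, internal: Endpoint) -> None:
        """Publish an internal server (e.g. a web server) on a public port."""
        self.reverse[(proto, public_port)] = internal

    def _allocate_port(self, proto: str) -> int:
        port = self.next_port
        while (proto, port) in self.inbound or (proto, port) in self.reverse:
            port += 1                      # never collide with live or published ports
        if port > self.last_port:
            raise RuntimeError("NAPT port pool exhausted")
        self.next_port = port + 1
        return port

    def translate_outbound(self, p: Packet) -> Packet:
        """Rewrite the source of an internal packet to the public address."""
        key = (p.proto, p.src, p.sport)
        if key not in self.outbound:       # first packet of a flow creates the mapping
            port = self._allocate_port(p.proto)
            self.outbound[key] = port
            self.inbound[(p.proto, port)] = (p.src, p.sport)
        return replace(p, src=self.public_ip, sport=self.outbound[key])

    def translate_inbound(self, p: Packet) -> Optional[Packet]:
        """Map a packet addressed to the public IP back to the internal host, or
        return None when neither a published service nor an established flow matches."""
        if p.dst != self.public_ip:
            return None
        target = self.reverse.get((p.proto, p.dport)) or self.inbound.get((p.proto, p.dport))
        if target is None:
            return None
        return replace(p, dst=target[0], dport=target[1])
```

Two internal hosts using the same source port end up with distinct public ports, so the single public address can carry both flows, and the only inbound packets that reach the private address space are replies to those flows and traffic to explicitly published ports.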
Partners in Progress

Embedded systems on the Internet are the fastest growing class of devices using Internet technologies. Uncompromised security over the Internet is an undeniable need for businesses communicating over networks. Positioned as the enabler of gateway infrastructure, Intoto Inc. provides complete embedded security software for security, connectivity, convergence, management and network processor solutions.

Used extensively in a majority of gateway equipment in conjunction with embedded microprocessors, system-on-chip communications processors and next-generation network processors, Intoto’s iGateway™ software platform integrates security, wired and wireless connectivity, advanced networking protocols, web based management and WAN/LAN interfaces to provide a complete infrastructure for next generation gateway products. Intoto has successfully established strategic licensing relationships with processor vendors to pre-integrate iGateway on multiple processors such as x86, MIPS or ARM-based SoCs, PowerPC and specialized network processors. Its licensing-based business model allows equipment manufacturers to create and rapidly deploy fully validated, reliable gateway equipment. Equipment manufacturers have successfully reduced development costs and re-used the modular software across multiple products to maximize returns.

In the area of network security, iGateway™ Security Solutions are licensed to a large number of customers, including over 15 blue-chip equipment manufacturers and processor vendors. Intoto has licensed its embedded iGateway™ solutions to over 100 customers. For high performance gateways, Intoto’s innovative architecture in npFastPath Application Layer APIs integrates seamlessly with iGateway to provide optimized performance and rapid deployment by separating the data plane software for individual network processors from the control plane.
The iGateway™ Security Solutions have been extensively validated by leading equipment manufacturers and processor vendors. Intoto solutions are certified by ICSA, a leading security assurance organization.1

Intoto Inc.
3160 de La Cruz Blvd., Suite #100
Santa Clara, CA 95054-0480, USA
Voice: 408.844.0480
Fax: 408.844.0488
www: http://www.intotoinc.com

1 All trademarks and copyrights referred to are the property of their respective owners.