Firewall Primer



An Introduction to Firewall Concepts and Technologies
Part No. DUA1611-0BAA01
Published October 2002
3Com Corporation
5400 Bayfront Plaza
Santa Clara, California 95052-8145

Copyright © 2002, 3Com Technologies. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Technologies.

3Com Technologies reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Technologies to provide notification of such revision or change.

3Com Technologies provides this documentation without warranty, term, or condition of any kind, either implied or expressed, including, but not limited to, the implied warranties, terms or conditions of merchantability, satisfactory quality, and fitness for a particular purpose. 3Com may make improvements or changes in the product(s) and/or the program(s) described in this documentation at any time.

If there is any software on removable media described in this documentation, it is furnished under a license agreement included with the product as a separate document, in the hard copy documentation, or on the removable media in a directory file named LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy, please contact 3Com and a copy will be provided to you.

UNITED STATES GOVERNMENT LEGEND
If you are a United States government agency, then this documentation and the software described herein are provided to you subject to the following: All technical data and computer software are commercial in nature and developed solely at private expense. Software is delivered as “Commercial Computer Software” as defined in DFARS 252.227-7014 (June 1995) or as a “commercial item” as defined in FAR 2.101(a) and as such is provided with only such rights as are provided in 3Com’s standard commercial license for the Software. Technical data is provided with limited rights only as provided in DFAR 252.227-7015 (Nov 1995) or FAR 52.227-14 (June 1987), whichever is applicable. You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in, or delivered to you in conjunction with, this User Guide.

Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not be registered in other countries. 3Com and the 3Com logo are registered trademarks of 3Com Corporation. Intel and Pentium are registered trademarks of Intel Corporation. Microsoft, MS-DOS, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Novell and NetWare are registered trademarks of Novell, Inc. UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd. All other company and product names may be trademarks of the respective companies with which they are associated.

ENVIRONMENTAL STATEMENT
It is the policy of 3Com Corporation to be environmentally-friendly in all operations. To uphold our policy, we are committed to:
■ Establishing environmental performance standards that comply with national legislation and regulations.
■ Conserving energy, materials and natural resources in all operations.
■ Reducing the waste generated by all operations.
■ Ensuring that all waste conforms to recognized environmental standards.
■ Maximizing the recyclable and reusable content of all products.
■ Ensuring that all products can be recycled, reused and disposed of safely.
■ Ensuring that all products are labelled according to recognized environmental standards.
■ Improving our environmental record on a continual basis.

End of Life Statement
3Com processes allow for the recovery, reclamation and safe disposal of all end-of-life electronic components.

Regulated Materials Statement
3Com products do not contain any hazardous or ozone-depleting material.

Environmental Statement about the Documentation
The documentation for this product is printed on paper that comes from sustainable, managed forests; it is fully biodegradable and recyclable, and is completely chlorine-free. The varnish is environmentally-friendly, and the inks are vegetable-based with a low heavy-metal content.
CONTENTS

1 INTRODUCING FIREWALLS
  Introduction to Firewalls
    Background
    Benefits
    Limitations
    Firewall Example Configuration
  Firewall Basics
    Restricting Access
    Ensuring Security
    Providing Public Services
    Firewall Terminology
  Types of Firewall
    Packet-based Firewalls
    Application-based Firewalls
    Stateful Inspection Firewalls
    Combined Service Firewalls
    Embedded Firewalls

2 INTRODUCING VIRTUAL PRIVATE NETWORKS
  Introduction to Virtual Private Networks (VPN)
  VPN Protocols and Concepts
    IPSEC and L2TP
  VPN/Firewall Applications
    Site-to-site Scenario
    Remote VPN Client Scenario

3 POLICIES AND RECOMMENDATIONS
  Firewall Policies
  Configuration Recommendations
1 INTRODUCING FIREWALLS

This chapter introduces firewalls and discusses their features and benefits. It includes the following topics:
■ Introduction to Firewalls
■ Firewall Basics
■ Types of Firewall

Introduction to Firewalls

A “firewall” is a device or series of devices that provides controlled connections between computer networks. Firewalls enforce security by either allowing or preventing access to computer networks. They serve a dual purpose within the network: in one regard, a firewall blocks or permits the entry of network traffic to the computer domain that exists behind it; in another, it blocks or permits the exit of network traffic from that domain. In both scenarios, the primary function of the firewall is to enforce a policy for access control.

Background

At the onset, computer networks were sealed environments that generally existed within the confines of institutions such as universities, hospitals, and corporations. As the Internet evolved to its current state, information became much more vulnerable as access to it became easier. Despite the best intentions of information sharing, there is an inherent risk of unfriendly use. Computer hackers, corporate spies, and even innocent users can enter a network through a virtual door and cause great harm in the form of lost data, computer viruses, and the theft of confidential and proprietary information. Because a virtual door poses a very real danger, it is important to deploy a device that restricts traffic in constructive and pre-determined ways.
In this regard, firewalls prevent unwanted users from entering the domain, but they also serve as a virtual lobby to an organization. When viewed as a portal or entryway, a firewall fronts the servers that offer product information, electronic forms, and corporate or organizational information; in that role it becomes a company showcase, offering a glimpse of products, services, culture and resources.

Additionally, a firewall serves as an outbound portal to the Internet. In this form, the firewall allows control of outbound traffic and Internet access from within. Not only is network security enhanced; simple network control is a major benefit of a well designed firewall.

Benefits

The most obvious benefit of a firewall is that it provides a single point of traffic control. Think of it as the valve on a water main controlling the entry and exit of all water to and from a building. This single point of control offers network administrators a concise and easily controlled view of their network and its visitors. On one side of the firewall there is the outside world; on the other side is the organizational network.

The same concept works within domains of an existing network. Networks within networks can also be separated by firewalls for the exact same reasons: security and access. For example, legal, financial, medical, and engineering design departments all require security and access limitations to some degree.

Limitations

Firewalls also have limitations. A firewall is only as good as its placement: if traffic is routed around it, it provides no benefit. If security is the goal, then all access into and out of the network must pass through the firewall. This means that dial-up modems, file transfer services, and any other channel into or out of the network must also be limited and controlled.

Also, if an organization holding highly sensitive information is connected to the Internet, the restrictions on access may be so great that it may be more efficient not to connect at all than to use a firewall. Firewalls cannot protect against a user making an internal transfer of sensitive data to the outside world. Once a user has access to sensitive data and access to the Internet, there is nothing but the integrity of the user and the discretion of management to prevent such leaks.
Along these same lines, a firewall cannot protect against malicious authorized users. Although this may not seem as severe a threat, the risk is real. An insider with authority can pose a serious threat in a number of scenarios, because the policy already grants them access. Embedded firewalls (see “Embedded Firewalls” below) can address some of these concerns, provided the insiders are identified and managed accordingly.

Firewalls cannot protect against all viruses either. Viruses can be attached or disguised in too many ways for a firewall to block them all. Virus defence is the responsibility of virus scanning software and sound network administration. Because viruses change so frequently and vary in characteristics, there is no way to build the necessary functionality into a perimeter device and keep it current.

In summary, firewalls are only as good as their design, implementation, and maintenance. The policies that dictate access rules must be designed for control and security, with foresight and care. A firewall is only as good as the policy that governs it.
Firewall Example Configuration

The following example illustrates one possible configuration of a firewall in a network. The LAN is the protected location for internal hosts and servers, the Demilitarized Zone (DMZ) is the logical location for publicly accessed servers, and a WAN connection is provided to the Internet through a router or broadband modem. (See “Demilitarized Zone (DMZ)” under “Firewall Terminology” for more details.)

Figure 1 Firewall Example Configuration: the firewall has three interfaces, LAN (private servers and clients), DMZ (public servers) and WAN (router/broadband modem to the Internet).
Firewall Basics

Specifically, a firewall is useful for the following reasons:
■ Restricting Access
■ Ensuring Security
■ Providing Public Services

Restricting Access
Restricting access is a critical aspect of a firewall. In this regard, firewalls protect against unwanted interference from outside sources. A particular threat in this regard is a Denial of Service (DoS) attack, which is carried out by bombarding a server with unwanted traffic. Although they can take other forms, there are three basic types of DoS attack: those that exploit bugs in a TCP/IP implementation, those that exploit weaknesses in the TCP/IP protocols themselves, and those that use brute force to overwhelm a network.

TCP/IP Implementation Bugs
The most common TCP/IP implementation bugs are “buffer overflow” bugs, in which a malformed packet writes past the end of a buffer in the receiving protocol stack and crashes or hangs the host. Another is the “Ping of Death” (POD): an ICMP echo request sent in fragments that, when reassembled, is larger than the maximum IP packet size of 65,535 bytes, so the reassembly buffer overflows and the system crashes. Related fragment attacks send pieces whose offsets overlap, which also confuses reassembly. These bugs are not as common anymore, since vendors have patched their stacks, but a firewall that checks fragment offsets and total length before forwarding a packet can stop them at the perimeter, which is why such checks are worth enabling.

TCP/IP Weaknesses
Before two hosts can exchange data over TCP, they complete a three-way handshake. The initiator sends a “SYN” packet; the receiving host replies with a “SYN-ACK” packet and reserves resources for the half-open connection; the initiator completes the handshake with an “ACK”. Once the connection is established a conversation can begin. A SYN flood exploits this: the attacker sends a stream of SYN packets, usually with forged source addresses, and never completes the handshake. Each SYN causes the server to allocate a half-open connection entry and wait for an ACK that never arrives, so the table of pending connections fills up and legitimate clients are refused. The end result is a server that has run out of resources.

Brute Force Attack
A brute force attack is basically what the name implies: an overpowering load of traffic, such as a broadcast storm, that absorbs the available bandwidth and consumes all resources. This meaningless traffic overwhelms the network resources to the point where performance is severely hindered and the network is crippled.

Ensuring Security
Security is one of the primary reasons for implementing a firewall. There are four basic building blocks that best ensure security:
■ Authorization — By approving or refusing a specific user or action, the firewall controls the ingress and egress of network traffic.
■ Privacy — By using encryption and a Virtual Private Network (VPN), the firewall can protect confidential information while it travels between networks.
■ Integrity — Through careful inspection of incoming traffic against established, authorized standards, the firewall can reject malformed or non-conforming data before it reaches internal hosts.
■ Validation — By validating users through a pre-determined screening process, the firewall can permit or deny network activity.

Providing Public Services
Acting as a gatekeeper for a private network, a firewall can also control access to public services for users within the network. Public services include WWW access (HTTP traffic), email (SMTP) and external file transfer (FTP). Access to a public service is allowed by creating a firewall policy that opens a specific port through the firewall. However, an open port is also a security risk: open ports can defeat the purpose of the firewall if not managed properly. This is controlled by imposing filters that screen protocol types and make decisions based on pre-defined rules, so that only the intended service, to the intended servers, is reachable. It is important that outside access to public services be governed properly.

In order to successfully deploy a firewall it is important to understand the intent of the device. Because so much of the firewall’s purpose is directly tied to the types of traffic it is preventing or allowing, it is critical to understand the configuration parameters. This primer serves as a guide to help network administrators make those configuration decisions effectively and successfully. See “Types of Firewall” below.
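The handshake and the SYN flood described under “TCP/IP Weaknesses”, as an added example that is not part of the 3Com primer: a Python script that replays a constructed packet trace, keeps a per-connection handshake state table the way a stateful device would, counts the half-open entries each server is holding, and flags a flood when a threshold is reached. The trace, the threshold MAX_HALF_OPEN and the function names are assumptions made for this illustration.

```python
"""Track TCP three-way handshakes and flag SYN floods (added example).

The packet trace is constructed for the demonstration: each entry is
(src_ip, src_port, dst_ip, dst_port, flags). The threshold and the
function names are assumptions for this illustration, not any product's
configuration.
"""
from collections import defaultdict

MAX_HALF_OPEN = 5  # assumption: how many half-open connections one server may hold


def track_handshakes(trace):
    """Replay the trace; return {(client, cport, server, sport): state}.

    A SYN creates a half-open entry (the server reserves resources as soon
    as the SYN arrives), the client's final ACK completes it, and a RST from
    either side tears it down. The server's SYN-ACK changes nothing: the
    cost was already paid when the SYN was received.
    """
    table = {}
    for src, sport, dst, dport, flags in trace:
        if flags == "SYN":
            table[(src, sport, dst, dport)] = "SYN_RECEIVED"
        elif flags == "ACK":
            key = (src, sport, dst, dport)
            if table.get(key) == "SYN_RECEIVED":
                table[key] = "ESTABLISHED"
        elif flags == "RST":
            table.pop((src, sport, dst, dport), None)
            table.pop((dst, dport, src, sport), None)
    return table


def half_open_by_server(table):
    """Count half-open connections per (server_ip, server_port)."""
    counts = defaultdict(int)
    for (_client, _cport, server, sport), state in table.items():
        if state == "SYN_RECEIVED":
            counts[(server, sport)] += 1
    return dict(counts)


def detect_syn_flood(trace, threshold=MAX_HALF_OPEN):
    """Return the servers whose half-open count has reached the threshold."""
    counts = half_open_by_server(track_handshakes(trace))
    return {srv: n for srv, n in counts.items() if n >= threshold}


def _handshake(client, cport, server, sport):
    """A complete, legitimate three-way handshake."""
    return [(client, cport, server, sport, "SYN"),
            (server, sport, client, cport, "SYN-ACK"),
            (client, cport, server, sport, "ACK")]


# Constructed trace: two honest clients, then eight SYNs from forged
# sources that are answered with SYN-ACKs but never acknowledged.
SAMPLE_TRACE = (
    _handshake("192.0.2.10", 40001, "198.51.100.5", 80)
    + _handshake("192.0.2.11", 40002, "198.51.100.6", 25)
    + [p for i in range(8) for p in (
        ("203.0.113.%d" % (i + 1), 1000 + i, "198.51.100.5", 80, "SYN"),
        ("198.51.100.5", 80, "203.0.113.%d" % (i + 1), 1000 + i, "SYN-ACK"),
    )]
)

if __name__ == "__main__":
    print(half_open_by_server(track_handshakes(SAMPLE_TRACE)))
    print(detect_syn_flood(SAMPLE_TRACE))
```

The asymmetry the table makes visible is the whole attack: each half-open entry costs the defender memory and a timer, while the attacker, having forged the source address, holds no state at all. A firewall that keeps this count can rate-limit new SYNs to an overloaded server or answer them on its behalf so that nothing is allocated until the client's ACK arrives.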
Firewall Terminology

The following concepts are critical to understanding the deployment of a firewall.

Demilitarized Zone (DMZ)
Drawing on a name from the military, a demilitarized zone is a buffer zone between the Internet and the protected LAN: it is more secure than the Internet, but not as secure as the protected LAN. A DMZ is reachable from both sides of the buffer, so that the servers in it are protected from, yet accessible by, Internet users. A DMZ is typically configured as a separate Ethernet port on the firewall with its own rules. The benefit of a DMZ is segmentation: a public server in the DMZ that is compromised does not give the attacker a direct path into the private network, because traffic from the DMZ to the LAN is still subject to the firewall’s policy.

Network Address Translation (NAT)
Network Address Translation (NAT) allows multiple computers to connect to the Internet using only one Internet Protocol (IP) address. NAT was developed to ease the demand for unique IP addresses, which were rapidly running out due to the explosive growth of the Internet. The firewall holds the single public address; when a local user sends a request to an external server, the firewall rewrites the packet’s source address (and usually its source port) to its own, records the translation in a table, and forwards the request. When the reply returns to the public address, the table entry maps it back to the internal host. Inside the LAN, hosts use private addresses that are never seen on the Internet. In short, NAT provides the following:
■ Easy Internet access for multiple users on one site through a single public address
■ A measure of security, since internal addresses are hidden and an unsolicited inbound packet matches no translation entry and so has nowhere to go
■ Increased control of the network, since every outbound session passes through the translating device
Types of Firewall

There are five basic types of firewall:
■ Packet-based Firewalls
■ Application-based Firewalls
■ Stateful Inspection Firewalls
■ Combined Service Firewalls
■ Embedded Firewalls

Packet-based Firewalls
A packet-based firewall uses a series of filters to determine network access. The filters are set according to a go/no-go permission policy. These firewalls use the packet’s source and destination addresses, port numbers and protocol type to make their decisions, examining each packet on its own. A filter that blocks Telnet traffic (TCP port 23) leaving the internal network is an example of a packet filter. Since most networks with Internet access already have a router, this method can be relatively inexpensive, since most routers have some form of packet filtering capability. However, because each packet is judged in isolation, a filter cannot tell a genuine reply to an internal request from an unsolicited packet crafted to look like one; permitting replies means permitting everything that resembles a reply, and refusing them blocks wanted traffic along with the unwanted. As a result, trusted users are often restricted by the policies in place. These firewalls are also difficult to maintain because every change requires manual intervention, which is costly and time consuming for network administrators.

Application-based Firewalls
Application-based firewalls use proxy servers to determine the user’s access privileges. A host sends its request to the proxy, which acts on its behalf according to a series of pre-configured rules; the proxy then performs the service for the host. Acting as a gatekeeper, the proxy provides firewall functionality by determining whether each request is allowed. Because the proxy understands the application protocol, it can allow or restrict specific commands and types of file. These firewalls are very thorough because they examine traffic at the application level, and because the outside world only ever talks to the proxy, they also shield internal hosts from some Denial of Service (DoS) attacks. Conversely, this type of firewall can be costly to maintain because of the hardware and processing power requirements of the proxy server, and the proxy can become a bottleneck that limits bandwidth.

Stateful Inspection Firewalls
Within any network there are thousands of conversations occurring simultaneously, each with a source and a destination address. Stateful Inspection intercepts packets at the network layer and inspects them to ensure that the conversations they belong to are legitimate and allowed. The firewall records each permitted session (source and destination addresses, ports and connection state) in a table and compares every subsequent packet against it: a packet is forwarded only if it belongs to an authorized session, and a reply from the outside is admitted only if an inside host opened the session. A session between a source and a destination that is not allowed is ended and its packets dropped. Because every packet must be part of an authorized session, this provides a high level of trust and security, and because the check is a table lookup rather than an application-level parse, Stateful Inspection firewalls offer high performance. Historically, Stateful Inspection has proved costly, as it requires additional software and hardware.

Combined Service Firewalls
Combined Service Firewalls are hybrid solutions that combine a variety of methods to achieve results. For example, a Combined Service Firewall might offer Stateful Inspection and Application-based functions to the user. These firewall types require additional hardware and software.

Embedded Firewalls
Embedded Firewalls protect against insider attacks. Although the network is protected by the external, traditional firewall, attacks from the inside pose just as serious a threat. Embedded firewalls address this problem with technology that employs Network Interface Cards (NICs) and a policy server. The NIC provides the connection to the user, while the policy server dictates the access privileges of the end host. This type of firewall provides security for internal access, as well as control through policies and privileges. Access is restricted at the network level, in the NIC, so that the host never sees a disallowed packet. This eliminates a broad range of attacks against host applications and operating systems.
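An added example (not code from the primer or from 3Com) that puts the packet-based and Stateful Inspection descriptions side by side in Python, together with the NAT translation table from “Firewall Terminology”: stateless_allows judges each packet in isolation against go/no-go rules and shows the hole that a rule written to admit replies leaves open, while StatefulFirewall records every session opened from the LAN, applies source NAT to it, and admits an inbound packet only if it is the reply to a recorded session. The addresses, ports, rule format and the class and function names are constructed for this illustration.

```python
"""Packet-based filtering versus stateful inspection with NAT (added example).

Addresses, ports and the packet traces are constructed from the
documentation ranges; the rule format and the class/function names are
assumptions, not any vendor's API. A packet is (src_ip, src_port,
dst_ip, dst_port) for TCP traffic.
"""
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: the protected LAN
PUBLIC_IP = "198.51.100.1"                          # assumption: the firewall's one Internet address


def stateless_allows(pkt, rules):
    """Packet-based (go/no-go) filter: the first matching rule decides.

    A rule is (action, src_net, src_port, dst_net, dst_port); None means any.
    No rule matching means the default deny applies.
    """
    src, sport, dst, dport = pkt
    for action, rsrc, rsport, rdst, rdport in rules:
        if ((rsrc is None or ipaddress.ip_address(src) in ipaddress.ip_network(rsrc))
                and (rsport is None or rsport == sport)
                and (rdst is None or ipaddress.ip_address(dst) in ipaddress.ip_network(rdst))
                and (rdport is None or rdport == dport)):
            return action == "allow"
    return False


# The classic stateless hole: to let web replies back in, the administrator
# allows anything whose source port is 80. An attacker simply sends from port 80.
STATELESS_RULES = [
    ("allow", "10.0.0.0/8", None, None, 80),   # LAN -> any web server
    ("allow", None, 80, "10.0.0.0/8", None),   # "replies" from port 80 -> LAN
]


class StatefulFirewall:
    """Tracks sessions opened from the LAN and applies source NAT on the way out."""

    def __init__(self, public_ip, internal_net, first_port=40000):
        self.public_ip = public_ip
        self.internal = internal_net
        self.next_port = first_port
        self.sessions = {}  # public_port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.by_lan = {}    # (lan_ip, lan_port, remote_ip, remote_port) -> public_port

    def process(self, pkt):
        """Return ("FORWARD", rewritten_packet) or ("DROP", None)."""
        src, sport, dst, dport = pkt
        if ipaddress.ip_address(src) in self.internal:
            # Outbound: reuse or allocate a public port and remember who opened the session.
            key = (src, sport, dst, dport)
            pub_port = self.by_lan.get(key)
            if pub_port is None:
                pub_port = self.next_port
                self.next_port += 1
                self.sessions[pub_port] = key
                self.by_lan[key] = pub_port
            return ("FORWARD", (self.public_ip, pub_port, dst, dport))
        # Inbound: only a reply from the very host and port the LAN talked to may pass.
        entry = self.sessions.get(dport) if dst == self.public_ip else None
        if entry is not None and entry[2] == src and entry[3] == sport:
            lan_ip, lan_port, _, _ = entry
            return ("FORWARD", (src, sport, lan_ip, lan_port))  # un-NAT to the LAN host
        return ("DROP", None)


# Constructed trace seen by the stateful firewall.
SAMPLE_TRACE = [
    ("10.0.0.5", 51000, "192.0.2.80", 80),      # LAN client opens a web session
    ("192.0.2.80", 80, "198.51.100.1", 40000),  # genuine reply to the NATed session
    ("203.0.113.9", 80, "198.51.100.1", 40000), # forged "reply" from the wrong host
    ("203.0.113.9", 80, "198.51.100.1", 40001), # probe of a port with no session
]


def run_stateful(trace):
    """Replay a trace through a fresh StatefulFirewall; return the verdicts in order."""
    fw = StatefulFirewall(PUBLIC_IP, INTERNAL_NET)
    return [fw.process(p) for p in trace]


if __name__ == "__main__":
    print(stateless_allows(("203.0.113.9", 80, "10.0.0.5", 51000), STATELESS_RULES))
    for verdict in run_stateful(SAMPLE_TRACE):
        print(verdict)
```

Run on the same forged packet, the stateless rule set forwards it because "source port 80" is all it can check, while the stateful firewall drops it because no LAN host ever opened a session to 203.0.113.9. The translation table doubles as the session table: an inbound packet that matches no entry has nowhere to go, which is the "security" NAT is credited with above.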
2 INTRODUCING VIRTUAL PRIVATE NETWORKS

One of the primary benefits of a firewall is that it can terminate a Virtual Private Network (VPN). This chapter discusses VPNs and their role in the network and includes the following sections:
■ Introduction to Virtual Private Networks (VPN)
■ VPN Protocols and Concepts
■ VPN/Firewall Applications

Introduction to Virtual Private Networks (VPN)

A Virtual Private Network (VPN) uses the resources and infrastructure of the Internet to establish network connectivity among remote organizational sites while maintaining privacy and confidentiality. Within that context, the VPN is a secure vehicle for corporations and organizations that wish to connect their sites securely without the high cost of private leased lines. In addition to the reduced cost, VPNs provide flexibility for smaller remote sites or users who need to reach the organizational network safely. Firewalls are especially useful for Virtual Private Networks since they act as a controlled entrance: the tunnel terminates at the firewall, and the decrypted traffic is then subject to the same policy as any other traffic.

The term most commonly associated with a VPN is tunneling. Since the Internet is open to all, private data can be sent across it safely only through a virtual tunnel. Tunnels are virtual circuits that operate over the Internet: the original IP packet is encrypted and encapsulated inside a new IP packet addressed between the two tunnel endpoints. The encapsulated packets protect the content of the original packets and, because only the outer addresses are visible, hide the original source, destination and internal routing from observers on the path.

Because the VPN resides within the public Internet, it is imperative that all of the basic functions required in a private network are equally effective and secure within the VPN. Specifically, the following areas of security are addressed by a VPN:
■ authentication — validates the point of origin of the connection
■ access control — allows or prevents access to an organizational network
■ confidentiality — secures data transfer from public viewing
■ data integrity — ensures that data is not tampered with in transit

VPN Protocols and Concepts

This section describes the major protocols used in a VPN, along with several concepts that are unique to VPNs.

IPSEC and L2TP

To guarantee secure packet transmission it is necessary to use secure tunneling protocols. Two tunneling protocols used for secure data transmission are IPSec and L2TP.

IPSec
IPSec is a Layer 3 protocol standard that provides authentication and encryption for traffic across an IP network. In tunnel mode, IPSec encrypts the original IP packet and encapsulates it in a new IP packet for transfer across the network; the receiving end verifies the integrity of the packet, decrypts it and delivers it to the intended host. An IPSec tunnel has two endpoints (for example a gateway and a client, or two gateways) configured with matching policies to encrypt and decrypt as required. The features of IPSec are:
■ It supports IP traffic only.
■ It provides computer-level (gateway or host) authentication, governed by a set of security policies and filters that decide which traffic must be protected, which may pass in the clear, and which is dropped.
■ It is used primarily in LAN-to-LAN scenarios.
IPSec also serves as the security layer for L2TP: L2TP carries the user’s session and IPSec protects it. See “L2TP” below.
L2TP
L2TP combines the features of two earlier protocols, Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Forwarding (L2F). L2TP encapsulates Point-to-Point Protocol (PPP) frames in User Datagram Protocol (UDP) messages, so that a PPP session that would once have run over a dial-up line can run across the Internet. Because it carries PPP, L2TP provides user-level authentication through PPP’s authentication mechanisms. L2TP itself does not encrypt; it relies on IPSec for confidentiality and integrity. The features of L2TP are:
■ It is secured using IPSec.
■ It provides user-level authentication.
■ It is used primarily in remote-access (dial-up) scenarios.

VPN/Firewall Applications

There are two main ways that VPNs interoperate with firewalls:
■ Site-to-site
■ Remote VPN Client

Site-to-site Scenario
A typical application of this scenario is a branch or remote office connecting to a headquarters facility. This is very common in branch banks, retail outlets with a central office, or in the airline industry. In this setting, the remote branch is connected via a local firewall, which establishes the VPN tunnel across the Internet. On the headquarters end, another firewall terminates the tunnel, decrypts the traffic and delivers it to the local area network. See Figure 2.

The immediate benefit of this application is lower cost. It is no longer necessary to lease expensive private lines, and privacy is provided by the encryption of the VPN. This scenario fits most remote users’ requirements easily and supplies basic network services such as Web access (HTTP), email (SMTP) and file transfer (FTP). However, despite the obvious tangible benefits, this scenario does not work well with applications that need a steady, real-time stream, such as video or voice, because the Internet offers no bandwidth or latency guarantees: the efficiency of the path is out of the user’s control.

Figure 2 Virtual Private Network: VPN tunnels across the Internet connect the Head Office with a Branch Office, a Home Office and a Mobile user.

Remote VPN Client Scenario
A remote VPN client scenario is typified by the “road warrior,” for example a sales or company representative who travels and requires remote access to the company network. Another application is the work-at-home employee who requires access to the network. In this case, the user logs in using client software on their PC that establishes a VPN tunnel using an Internet Service Provider (ISP) as the transport. The user must authenticate (for example with a password) before the tunnel is established, and all traffic inside the tunnel is encrypted. See Figure 2.

The most obvious benefits are cost and mobility. Location is no longer a limitation, since the call to the ISP originates locally, sparing the cost of long-distance service; the tunnel provides the security while the ISP provides only transport. This scenario works through any service provider. The only real limitation of the remote scenario is latency: large, complex applications do not work well because the traffic shares the Internet with everyone else, and there are no guarantees on how long packets will take to cross it.
3 POLICIES AND RECOMMENDATIONS

This chapter presents information that is critical for understanding and configuring a firewall. Specifically, this chapter includes:
■ Firewall Policies
■ Configuration Recommendations

Firewall Policies

As described earlier, firewalls operate as barriers between the outside world (the Internet) and the inside network (the intranet). By definition a barrier blocks. However, to be truly effective a firewall must also permit users access, to some degree. This simple concept illustrates the trade-off of a firewall: to achieve an effective security policy for your intranet, you must be willing to sacrifice some element of access. The obvious extremes are complete blockage or complete access. Since neither is practical or desirable, a compromise must be established whereby limits are imposed on incoming and outgoing traffic. That compromise is expressed through policies. A policy is a set of rules that govern the ingress and egress of traffic through the firewall. The three most common types of policy are discussed here.

The first, and the one with the least restriction, uses the firewall to prevent external traffic from initiating connections into the intranet, while allowing internal users access to all Internet services.

A second type of policy builds on the first by also restricting internal traffic to specific TCP/IP ports. In this scenario, the firewall could allow HTTP traffic (web, TCP port 80) but disallow Telnet (TCP port 23). Because each service uses a different port, this prevents internal users from connecting to unknown or unwanted external services.

The third type of policy directs all traffic through a proxy server which allows only web-based traffic. This provides a significant amount of control over network services and resources.

Ultimately, careful consideration must be given to a policy before implementing it. Too much control severely limits traffic, services and operation; too little causes the inverse, unlimited access to the intranet. Firewalls come with default settings that generally impose good security measures. Altering the default settings should be done with great care: a rule that appears to have logic and control can actually create major holes in the network.

Configuration Recommendations

Aside from establishing policies, there are a number of recommendations that should be considered when configuring a firewall or a firewall-protected network. The following list will help you decide how best to deploy a firewall in your network. It is also important to remember that a firewall should be viewed as one of many devices or strategies that are necessary for a safe network.

■ Take the most deterministic approach: deny all traffic and allow only the services and resources that are absolutely needed. This is counter to how firewalls were designed initially. However, with the growth of the Internet and the very real threat of unfriendly use, it is best to assume the worst and block all but that which is necessary. Email and web access are among the necessary functions; Telnet and File Transfer Protocol (FTP) might be considered secondary.

■ If traffic is blocked in one direction, it must be blocked in the other as well. A simple query out to the Internet generates a response back to the intranet, and a rule written to let that response in can open a potentially harmful hole.
Stateful Packet Inspection solves this by recording that a packet originated from the protected LAN and admitting only the packets returned in reply to it. Do not configure policies that allow incoming connections where only outgoing connections are required.

■ A firewall should operate as economically as possible with little overhead. Disable or remove any unnecessary applications or services that can impair the performance and efficiency of the firewall; every service left running on the firewall is also a potential target.

■ Keep the firewall configuration simple and easy to maintain. More often than not, the default settings are sufficient.

■ Ensure that physical access to the firewall is secure. An unfriendly user with physical access can otherwise reach the firewall’s console and alter the security parameters.

■ Limit the number of proxy servers and policy rules. The more complex the configuration, the more likely a conflict will occur, and when policies conflict the likelihood of a hole in the network increases. A well-thought-out rule can be overridden by another and completely undermine the intent of either. For example, a rule written to allow incoming web traffic to a public server also opens a direct door from the Internet to that server, and if it is placed before a rule that was meant to restrict that traffic, the restriction never takes effect.
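An added example, not part of the primer, that checks an ordered first-match policy for the conflicts and shadowing described in the last recommendation: for each rule it asks whether an earlier rule already matches every packet the later rule could match, and reports the later rule as redundant (same action) or overridden (opposite action). The rule format, the function names and the sample policy are assumptions for this illustration; the addresses are from the documentation ranges.

```python
"""Audit an ordered, first-match firewall policy for shadowed and conflicting rules.

Added example, not part of the 3Com primer. The rule format, the function
names and the sample policy are assumptions made for this illustration;
the addresses come from the documentation ranges.
"""
import ipaddress

ANY_NET = "0.0.0.0/0"
ANY_PORTS = (0, 65535)


def rule(action, proto, src, dst, dports):
    """Build one rule; dports is an inclusive (low, high) destination port range."""
    return {"action": action, "proto": proto,
            "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
            "dports": dports}


def covers(a, b):
    """True if every packet that matches rule b would already match rule a."""
    return ((a["proto"] == "any" or a["proto"] == b["proto"])
            and b["src"].subnet_of(a["src"])
            and b["dst"].subnet_of(a["dst"])
            and a["dports"][0] <= b["dports"][0]
            and b["dports"][1] <= a["dports"][1])


def audit(policy):
    """Return (kind, earlier_index, later_index) for every rule that can never fire.

    "shadowed": an earlier rule with the same action already handles all of
    its traffic, so the later rule is redundant. "conflict": an earlier rule
    with the opposite action handles all of its traffic, so the later rule's
    intent is silently overridden.
    """
    findings = []
    for j, later in enumerate(policy):
        for i, earlier in enumerate(policy[:j]):
            if covers(earlier, later):
                kind = "shadowed" if earlier["action"] == later["action"] else "conflict"
                findings.append((kind, i, j))
                break
    return findings


# Constructed policy for a DMZ web server (192.0.2.0/24). The administrator
# meant to block one abusive network but placed the deny after the general allow.
SAMPLE_POLICY = [
    rule("allow", "tcp", ANY_NET, "192.0.2.0/24", (80, 80)),         # 0: Internet -> DMZ web
    rule("allow", "tcp", "10.0.0.0/8", ANY_NET, (80, 80)),           # 1: LAN -> any web server
    rule("deny", "tcp", "203.0.113.0/24", "192.0.2.0/24", (80, 80)), # 2: block abusive network (never fires)
    rule("allow", "tcp", ANY_NET, "192.0.2.10/32", (80, 80)),        # 3: redundant with rule 0
    rule("deny", "any", ANY_NET, ANY_NET, ANY_PORTS),                # 4: default deny
]

# Same intent with the specific deny placed first and the redundant rule removed.
FIXED_POLICY = [SAMPLE_POLICY[2], SAMPLE_POLICY[0], SAMPLE_POLICY[1], SAMPLE_POLICY[4]]


if __name__ == "__main__":
    for kind, i, j in audit(SAMPLE_POLICY):
        print("rule %d is %s by rule %d" % (j, kind, i))
    print("fixed policy findings:", audit(FIXED_POLICY))
```

Specific rules must precede general ones in a first-match policy; the audit makes the ordering mistake visible before the firewall does, and the default-deny rule at the end is never flagged because no earlier rule covers all protocols.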