Posted on 18-Dec-2015
Guide to Network Defense and Countermeasures, Second Edition
Chapter 9: Choosing and Designing Firewalls
Guide to Network Defense and Countermeasures, Second Edition 2
Objectives
• Explain what firewalls can and cannot do
• Describe common approaches to packet filtering
• Establish a set of rules and restrictions for a firewall
• Design common firewall configurations
• Compare hardware and software firewalls
An Overview of Firewalls
• Firewall
  – Hardware or software
  – Can be configured to block unauthorized network access
• Firewalls cannot protect against malicious insiders
  – Who send proprietary information out of the organization
• Firewalls cannot protect connections that do not go through them
What Firewalls Are
• Network firewall
  – Combination of multiple software and hardware components
• Earliest firewalls were packet filters
• Some firewalls are designed for consumers
  – Norton Personal Firewall
  – ZoneAlarm
  – Sygate Personal Firewall
What Firewalls Are (continued)
• Rules for blocking traffic are defined case by case
  – Actions include:
    • Allow the traffic
    • Block the traffic
    • Customize access
• Check Point Next Generation (NG) firewall
  – Designed to protect and monitor large-scale networks
• Firewall appliances
  – Self-contained hardware devices
What Firewalls Are Not
• Firewalls are not a standalone solution
  – Cannot protect from internal threats
  – Need a strong security policy and employee education
• Firewalls must be combined with
  – Antivirus software
  – IDS
• Open Platform for Security (OPSEC)
  – Protocol used by Check Point NG to integrate with other security products
Approaches to Packet Filtering
• Stateless packet filtering
• Stateful packet filtering
• Packet filtering depends on position of components
Stateless Packet Filtering
• Decides whether to allow or block packets based on information in the protocol headers
• Filtering based on common IP header features
  – IP address
  – Ports and sockets
  – ACK bits
• Intruders can get around these defenses
• Advantage: Inexpensive
• Disadvantage: Cumbersome to maintain
Stateful Packet Filtering (continued)
• Keeps a record of connections a host computer has made with other computers
  – Maintains a file called a state table containing a record of all current connections
  – Allows incoming packets to pass through only from external hosts already connected
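As an added illustration (not from the book), a toy model of the two filtering approaches from these slides: the stateless filter judges each inbound TCP segment on its header alone (here, the ACK bit), while the stateful filter keeps a state table of connections opened from the inside and admits only inbound packets that match an entry. The packets and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses are constructed documentation values; the function and class names are this example's own.

```python
import ipaddress

# Constructed example: 192.0.2.0/24 plays the protected internal network.
INTERNAL = ipaddress.ip_network("192.0.2.0/24")

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def stateless_allow(pkt):
    """Stateless rule: inbound TCP passes only when the ACK bit is set,
    on the assumption that an ACK must be a reply to a connection we opened.
    pkt = (src_ip, src_port, dst_ip, dst_port, tcp_flags)."""
    src, _sport, _dst, _dport, flags = pkt
    if is_internal(src):
        return True          # outbound traffic is always allowed
    return "A" in flags      # inbound: only the header is examined, nothing is remembered

class StatefulFilter:
    """Stateful filter: keeps a state table of connections made from the inside."""
    def __init__(self):
        # entries: (internal_ip, internal_port, external_ip, external_port)
        self.state_table = set()

    def allow(self, pkt):
        src, sport, dst, dport, flags = pkt
        if is_internal(src):
            if "S" in flags and "A" not in flags:
                self.state_table.add((src, sport, dst, dport))  # new outbound connection
            return True
        # Inbound: pass only if it belongs to a connection already in the table,
        # whatever flags the packet carries.
        return (dst, dport, src, sport) in self.state_table

# Constructed packets: a legitimate Web session plus an inbound ACK that belongs
# to no connection (the case a header-only filter cannot tell apart).
OUTBOUND_SYN  = ("192.0.2.10", 40000, "198.51.100.5", 80, "S")
INBOUND_REPLY = ("198.51.100.5", 80, "192.0.2.10", 40000, "SA")
STRAY_ACK     = ("203.0.113.9", 1234, "192.0.2.20", 22, "A")

def compare(packets):
    """Run both filters over a packet list in order; returns per-packet
    (stateless_decision, stateful_decision) pairs."""
    stateful = StatefulFilter()
    return [(stateless_allow(p), stateful.allow(p)) for p in packets]

if __name__ == "__main__":
    print(compare([OUTBOUND_SYN, INBOUND_REPLY, STRAY_ACK]))
```

The stray ACK is the packet the slides have in mind when they say intruders can get around a stateless filter: both filters pass the real session, but only the state table rejects the packet that matches no connection.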
Stateful Packet Filtering (continued)
• Windows Firewall
  – One of the most user-friendly packet filters
  – Improved version of Internet Connection Firewall
  – Can limit the amount of traffic with more precision
    • You can even specify exceptions
  – Advanced tab allows more complex settings
Packet Filtering Depends on Position
• Type of filtering a device can do depends on
  – Position of the device in the firewall perimeter
  – Other hardware or software
• Packet filter placement
  – Between the Internet and a host
  – Between a proxy server and the Internet
  – At either end of a DMZ
Creating Rules and Establishing Restrictions
• Rule base
  – Tells the firewall what to do when a certain kind of traffic attempts to pass
• Points to consider
  – Base it on the organization's security policy
  – Include a firewall policy
  – Keep it as simple and short as possible
  – Restrict access to ports and subnets on the internal network from the Internet
  – Control Internet services
Base the Rule Base on Your Security Policy
• When configuring rules, pay attention to
  – Logging and auditing
  – Tracking
  – Filtering
  – Network Address Translation (NAT)
  – Quality of Service (QoS)
  – Desktop security policy
• The rule base is a practical implementation of the organization's policy
Base the Rule Base on Your Security Policy (continued)
• Common policies that need to be reflected in the rule base
  – Employees have access to the Internet with restrictions
  – The public can access the company's Web and e-mail server
  – Only authenticated traffic can access the internal LAN
  – Employees are not allowed to use instant messaging
  – Traffic from the company's ISP should be allowed
  – Block external traffic from instant-messaging software
  – Only the network administrator should be able to access the internal network directly from the Internet
Create a Firewall Policy That Covers Application Traffic
• Firewall policy
  – Addition to the security policy
  – Describes how the firewall handles application traffic
• Risk analysis provides a list of applications
  – And their associated threats and vulnerabilities
• General steps to create a firewall policy
  – Identify network applications
  – Determine methods for securing application traffic
    • You must balance security and cost
  – Consider all firewalls in your network
Create a Firewall Policy That Covers Application Traffic (continued)
• Firewalls enable you to control access to your computer or network
  – By controlling access to particular applications
• Options for defining rules
  – Allow traffic
  – Block traffic
  – Ask or prompt
Keep the Rule Base Simple
• Keep the list of rules as short as possible
  – Between 30 and 50 rules
  – The shorter the rule base, the faster the firewall will perform
• Firewalls process rules in a particular order
  – Usually rules are numbered starting at 1 and displayed in a grid
  – The most important rules should be at the top of the list
  – Make the last rule a cleanup rule
    • A catch-all type of rule
Restrict Subnets, Ports, and Protocols
• Filtering by IP addresses
  – You can identify traffic by IP address range
  – Most firewalls start by blocking all traffic
    • You need to identify "trusted" networks
    • The firewall should allow traffic from trusted sources
Control Internet Services
• Web services
  – Employees always want to surf the Internet
• DNS
  – Resolves fully qualified domain names (FQDNs) to their corresponding IP addresses
  – DNS uses UDP port 53 for name resolution
  – DNS uses TCP port 53 for zone transfers
• E-mail
  – POP3 and IMAP4
  – SMTP
  – LDAP and HTTP
Control Internet Services (continued)
• FTP
  – Types of FTP transactions
    • Active FTP
    • Passive FTP
• Filtering by ports
  – Filters traffic based on TCP or UDP port numbers
  – Can filter a wide variety of information
Control Internet Services (continued)
• Filtering by ports
  – You can filter out everything but
    • TCP port 80 for Web
    • TCP port 25 for e-mail
    • TCP port 21 for FTP
Control Internet Services (continued)
• ICMP message type
  – ICMP functions as a housekeeping protocol
  – Helps networks cope with communication problems
  – Attackers can use ICMP packets to crash a computer
• Filtering by service
  – Firewalls can filter by the name of a service
  – You do not have to specify a port number
  – Firewalls can also filter by the six TCP control flags
Control Internet Services (continued)
• Filtering by service
  – Firewalls can also filter by the IP options
    • Security
    • Loose source and record routing
    • Strict source and record routing
    • Internet timestamp
Control Internet Services (continued)
• Filtering by service
  – Rules should follow a few general practices
    • A firewall with a "Deny All" security policy should start from a clean slate
    • Nobody can connect to the firewall except the administrator
    • Block direct access from the Internet to any computer behind the firewall
    • Permit access to public services in the DMZ
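An added example (not from the book) of first-match evaluation over a short, numbered rule base that encodes the practices just listed together with the service ports from the earlier slides: only the administrator reaches the firewall, public Web and mail services in the DMZ are permitted, internal hosts may resolve names over UDP port 53, and anything else, including direct Internet access to the internal LAN, falls through to the cleanup rule at the bottom. The networks are constructed RFC 5737 documentation ranges, and the Rule layout and evaluate() function are this example's own.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    number: int           # rules are numbered from 1 and processed top to bottom
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp", "icmp" or "any"
    src: str              # source network in CIDR form
    dst: str              # destination network in CIDR form
    dport: Optional[int]  # destination port, None = any

# Constructed networks (documentation ranges, not from the book).
ANY      = "0.0.0.0/0"
ADMIN    = "192.0.2.10/32"     # the administrator's workstation
INTERNAL = "192.0.2.0/24"      # protected LAN
DMZ      = "198.51.100.0/24"   # public servers
FIREWALL = "203.0.113.1/32"    # the firewall's own address

RULE_BASE = [
    Rule(1, "allow", "tcp", ADMIN,    FIREWALL, 22),    # only the administrator reaches the firewall
    Rule(2, "deny",  "any", ANY,      FIREWALL, None),  # nobody else can connect to the firewall
    Rule(3, "allow", "tcp", ANY,      DMZ,      80),    # public Web server in the DMZ
    Rule(4, "allow", "tcp", ANY,      DMZ,      25),    # public mail server in the DMZ
    Rule(5, "allow", "udp", INTERNAL, ANY,      53),    # DNS name resolution from inside
    Rule(6, "allow", "tcp", INTERNAL, ANY,      80),    # employee Web access
    Rule(7, "deny",  "any", ANY,      ANY,      None),  # cleanup rule: catch-all deny
]

def matches(rule, proto, src, dst, dport):
    return ((rule.proto == "any" or rule.proto == proto)
            and ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
            and (rule.dport is None or rule.dport == dport))

def evaluate(rule_base, proto, src, dst, dport=None):
    """First-match evaluation: the first rule that matches decides.
    Returns (action, rule number); a rule base without a cleanup rule can
    fall off the end, which is why the last rule must be the catch-all."""
    for rule in rule_base:
        if matches(rule, proto, src, dst, dport):
            return rule.action, rule.number
    raise ValueError("no rule matched: rule base lacks a cleanup rule")

if __name__ == "__main__":
    # Internet host to an internal machine: nothing above the cleanup rule matches.
    print(evaluate(RULE_BASE, "tcp", "203.0.113.50", "192.0.2.20", 80))
```

Ordering is what makes rule 2 effective: a DNS query from an internal host to the firewall itself is stopped by rule 2 before rule 5 could allow it.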
Designing Firewall Configurations
• Firewalls can be deployed in several ways
  – As part of a screening router
  – Dual-homed host
  – Screened host
  – Screened subnet DMZ
  – Multiple DMZs
  – Multiple firewalls
  – Reverse firewall
Screening Router
• Screening router
  – Determines whether to allow or deny packets based on their source and destination IP addresses
    • Or other information in their headers
  – Does not stop many attacks
    • Especially those that use spoofed or manipulated IP address information
  – Should be combined with a firewall or proxy server
    • For additional protection
Dual-Homed Host
• Dual-homed host
  – Computer that has been configured with more than one network interface
  – Only firewall software can forward packets from one interface to another
  – Provides limited security
  – Host serves as a single point of entry to the organization
Screened Host
• Screened host
  – Similar to a dual-homed host
  – Can add a router between the host and the Internet
    • To carry out IP packet filtering
  – Combines a dual-homed host and a screening router
  – Can function as a gateway or proxy server
Screened Subnet DMZ
• DMZ
  – Subnet of publicly accessible servers placed outside the internal LAN
  – Called a "service network" or "perimeter network"
• The firewall that protects the DMZ is connected to the Internet and the LAN
  – Called a three-pronged firewall
Multiple DMZ/Firewall Configurations
• Server farm
  – Group of servers connected in their own subnet
  – Work together to receive requests with the help of load-balancing software
    • Load-balancing software
      – Prioritizes and schedules requests and distributes them to servers
• Clusters of servers in DMZs help protect the network from becoming overloaded
• Each server farm/DMZ can be protected with its own firewall or packet filter
Multiple Firewall Configurations
• Protecting a DMZ with two or more firewalls
  – One firewall controls traffic between the DMZ and the Internet
  – A second firewall controls traffic between the protected LAN and the DMZ
    • Can also serve as a failover firewall
  – Advantage
    • Can control where traffic goes in the three networks you are dealing with
Multiple Firewall Configurations (continued)
• Protecting branch offices with multiple firewalls
  – Multiple firewalls can implement a single security policy
  – Central office has a centralized firewall
    • Directs traffic for branch offices and their firewalls
    • Deploys the security policy through this firewall using a security workstation
Reverse Firewall
• Reverse firewall
  – Monitors connections headed out of a network
    • Instead of trying to block what's coming in
  – Helps monitor connection attempts out of a network
    • Originated from internal users
  – Filters out unauthorized attempts
Comparing Software and Hardware Firewalls
• Software-based firewalls
• Hardware-based firewalls
• Hybrid firewalls
Software-Based Firewalls
• Free firewall programs
  – They are not perfect
  – Logging capabilities are not as robust as some commercial products
  – Configuration can be difficult
  – Popular free firewall programs
    • Netfilter
    • ZoneAlarm
    • Sygate Personal Firewall
Software-Based Firewalls (continued)
• Commercial firewall programs: Personal firewalls
  – Located between the Ethernet adapter driver and the TCP/IP stack
  – Inspect traffic going between the driver and the stack
  – Popular choices
    • Norton Personal Firewall
    • ZoneAlarm Pro
    • BlackICE PC Protection
    • Sygate Personal Firewall Pro
  – Considered "lightweight" in terms of protection
Software-Based Firewalls (continued)
• Commercial firewall programs: Enterprise firewalls
  – Include a centralized management option
  – Capable of installing multiple instances from a centralized location
  – Some examples include
    • PGP Desktop 9.0
    • Check Point NG
    • Proventia security products
    • Novell's BorderManager
Hardware Firewalls
• Advantages
  – Do not depend on conventional OSs
  – Generally more scalable than software firewalls
• Disadvantages
  – They do depend on nonconventional OSs
  – Tend to be more expensive than software products
Hybrid Firewalls
• Hybrid firewall
  – Combines aspects of hardware and software firewalls
  – Benefits from the strengths of both solutions
Summary
• Firewall
  – Hardware or software that blocks unauthorized network access
• Firewalls are not a standalone solution
  – Combine them with antivirus software and IDSs
• Firewalls are effective only if configured correctly
• You can use several different firewall configurations to protect a network