Abstract
This chapter answers some of the more commonly asked questions about firewalls. This list of Frequently Asked Questions (FAQ), commonly known on the Internet as "The Firewall FAQ," is maintained by Marcus J. Ranum of V-ONE and is available online at http://www.v-one.com.
WHAT IS A NETWORK FIREWALL?
A firewall is a system or group of systems that enforces an access control policy between two or more networks. The means by which this control is accomplished varies widely, but in principle, the firewall is a pair of mechanisms, one that blocks traffic and one that permits traffic. Some firewalls emphasize blocking traffic, while others emphasize permitting traffic. The most important thing to recognize about a firewall is that it implements an access control policy. If you don't know what kind of access you want to permit or deny, or you let someone else or some product configure a firewall based on judgment other than yours, that entity is making policy for your whole organization.
WHY WOULD I WANT A FIREWALL?
The Internet is a fun little playground and at the same time a hostile environment. Like any other society, it's plagued with the kind of people who enjoy the electronic equivalent of writing on other people's walls with spray paint, tearing off their mailboxes, or just sitting in the street blowing their car horns. Some people get real work done over the Internet, and some must protect sensitive or proprietary data. Usually, a firewall's purpose is to keep the intruders out of your network while letting you do your job.
Many traditional corporations and data centers have computing security policies and practices that users must follow. If a company's policies dictate how data must be protected, a firewall is very important because it embodies corporate policy. Frequently, the hardest part of hooking a large company to the Internet is not justifying the expense or effort, but instead convincing management that it's safe to do so. A firewall not only provides real security but also plays an important role as a security blanket for management.
Last, a firewall can act as your corporate ambassador to the Internet. Many corporations use their firewall systems to store public information about corporate products and services, files to download, bug-fixes, and so forth. Several of these systems (such as uunet.uu.net, whitehouse.gov, gatekeeper.dec.com) have become important parts of the Internet service structure and reflect well on their organizational sponsors.
WHAT CAN A FIREWALL PROTECT AGAINST?
Some firewalls permit only e-mail traffic, thereby protecting the network against any attacks other than attacks against the e-mail service itself. Other firewalls provide less strict protections or block services that are known to be problems.
Generally, firewalls are configured to protect against unauthenticated interactive logins from the outside world. This protection, more than anything, helps prevent vandals from logging on to machines on your network. More elaborate firewalls block traffic from the outside to the inside but permit users on the inside to communicate freely with the outside. The firewall can protect you against any type of network-borne attack if you unplug it.
Firewalls are also important because they are a single point where you can impose security and auditing. If someone attacks a computer system by dialing in with a modem, tracing the perpetrator is impossible. In contrast, the firewall can act as an effective phone tap and tracing tool. Firewalls also provide an important logging and auditing function, summarizing topics such as the kinds and amount of traffic that passed through it and how many attempted break-ins occurred recently.
WHAT CAN'T A FIREWALL PROTECT AGAINST?
Firewalls can't protect against attacks that don't go through the firewall. Many corporations that connect to the Internet are very concerned about proprietary data leaking out of the company. Unfortunately, a magnetic tape exports data just as effectively as the Internet. Many organizations whose management is terrified of Internet connections have no coherent policy about protecting dial-in access via modems. It's silly to build a steel door six feet thick when you live in a wooden house, but a lot of organizations out there buy expensive firewalls and neglect their network's other numerous back doors. For a firewall to work, it must be a part of a consistent overall organizational security architecture. Firewall policies must be realistic and reflect the level of security in the entire network. For example, a site with top secret or classified data doesn't need a firewall at all: it shouldn't be hooking up to the Internet in the first place; at least the systems with really secret data should be isolated from the rest of the corporate network.
Firewalls also can't protect you from traitors inside your company. Although industrial spies might export information through your firewall, they're just as likely to export it through a telephone, fax machine, or floppy disk. In fact, floppy disks are a far more likely way to leak information from your organization than a firewall!
Firewalls also cannot protect you from stupidity. Users who reveal sensitive information over the telephone are good targets for social engineering. Attackers may break into your network, completely bypassing your firewall, by finding a helpful employee inside who is fooled into granting access to a modem pool.
WHAT ABOUT VIRUSES?
Firewalls can't protect against viruses very well. Binary files can be encoded for transfer over networks in too many ways, and too many different architectures and viruses exist to try to search for them all. In other words, a firewall cannot replace users' security consciousness. In general, a firewall cannot protect against a data-driven attack: an attack in which code is mailed or copied to an internal host where it is executed. This form of attack has occurred against various versions of sendmail and GhostScript (a freely-available PostScript viewer).
Organizations that are deeply concerned about viruses should implement organization-wide virus control measures. Rather than screening viruses at the firewall, make sure that every vulnerable desktop has virus-scanning software that runs when the machine is booted. Blanketing your network with virus-scanning software protects against viruses that come via floppy disks, modems, and the Internet. Trying to block viruses at the firewall protects against viruses only from the Internet, and most viruses are passed via floppy disks.
WHAT ARE SOME BASIC DESIGN DECISIONS IN A FIREWALL?
The lucky person who is responsible for designing, specifying, and implementing or overseeing the installation of a firewall should consider a number of basic design issues.
The first and most important issue is how your company or organization wants to operate the system. Is the firewall in place to deny all services except those critical to the mission of connecting to the Internet? Or is the firewall in place to provide a nonthreatening but metered and audited method of access? Varying positions between these two carry with them varying degrees of paranoia; the final stance of your firewall may be a political rather than an engineering decision.
The second issue is the level of monitoring, redundancy, and control you want. Having established the acceptable risk level (that is, your level of paranoia), you can form a checklist of what should be monitored, permitted, and denied. In other words, you start by figuring out your overall objectives, then combine a needs analysis with a risk assessment, and sort the (almost always conflicting) requirements into a laundry list that specifies what you plan to implement.
The third issue is financial. We can't address this issue in anything but vague terms, but it's important to try to quantify the cost of both buying and implementing any proposed solutions. For example, a complete firewall product may cost $100,000 at the high end or it may be free at the low end. The free option (doing some fancy configuring on a Cisco or similar router) costs nothing but staff time and cups of coffee. Implementing a high-end firewall from scratch can cost several person-months, which may equate to $30,000 worth of staff salary and benefits. The systems management overhead is also a consideration. Building a home-brew solution is fine, but it's important to build it so that it doesn't require constant and expensive fiddling. It's important, in other words, to evaluate firewalls not only in terms of what they cost now, but also in terms of continuing costs, such as support.
On the technical side, you must make a decision. For practical purposes, we are talking about a static traffic-routing service placed between the network service provider's router and your internal network. The traffic-routing service may be implemented at an IP level via something like screening rules in a router, or at an application level via proxy gateways and services.
You need to decide whether to place an exposed stripped-down machine on the outside network to run proxy services for Telnet, FTP, news, etc., or to set up a screening router as a filter, permitting communication with one or more internal machines. Both approaches have pluses and minuses: the proxy machine provides a greater level of audit and potential security in return for increased cost of configuration and a decreased level of service provided (because you need a proxy configured for each desired service). The old trade-off between ease-of-use and security comes back with a vengeance.
WHAT ARE THE BASIC TYPES OF FIREWALLS?
Conceptually, firewalls come in two flavors: network level and application level. They are not as different as you might think, and the latest technologies are blurring the distinction to the point where it's no longer clear whether one is better or worse. As always, you need to pick the type that meets your needs.
Network-level firewalls generally make their decisions based on the source and destination addresses and ports in individual IP packets. The traditional network-level firewall is a simple router because it doesn't make particularly sophisticated decisions about what a packet is talking to or where it came from. Modern network-level firewalls are more sophisticated and now maintain internal information about the state of connections passing through them, the contents of some of the data streams, and so on. Many network-level firewalls route traffic directly through them, so to use one you usually need to have a valid IP address block. Network-level firewalls tend to be very fast and transparent to users.
In Figure 1, you see a screened host firewall, in which a router operating at a network level controls access to and from a single host. The single host is a bastion host: a highly defended and secured strong-point that can resist attack.
Figure 2 shows a screened subnet firewall. In a screened subnet firewall, a router at the network level controls access to and from a whole network. It is similar to a screened host, except that it is effectively a network of screened hosts.
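The following is an added example, not code from the FAQ or from V-ONE: a toy model of the screening router in the screened host design of Figure 1, combining the default-deny stance discussed under design decisions, the connection-state tracking of modern network-level firewalls, and the audit counters a firewall should keep. The address block, bastion address, published services and sample packets are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/24")   # assumed internal address block behind the router
BASTION = ip_address("10.0.0.2")        # assumed bastion host address (the screened host)
INBOUND_SERVICES = {25, 80}             # only SMTP and HTTP on the bastion are reachable from outside


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True   # True for a connection-opening segment, False for traffic on an existing one


class ScreeningRouter:
    """Default-deny packet filter with a connection table and audit counters."""

    def __init__(self):
        self.conns = set()       # (inside addr, inside port, outside addr, outside port)
        self.audit = Counter()   # counts of "action:reason", e.g. "deny:inbound"

    def decide(self, p: Packet) -> str:
        src, dst = ip_address(p.src), ip_address(p.dst)
        if src in INTERNAL and dst not in INTERNAL:
            # Inside users talk freely to the outside; remember the connection for replies.
            self.conns.add((p.src, p.sport, p.dst, p.dport))
            return self._log("permit", "outbound")
        if src not in INTERNAL and dst in INTERNAL:
            # Replies are admitted only if the inside initiated the matching connection.
            if not p.syn and (p.dst, p.dport, p.src, p.sport) in self.conns:
                return self._log("permit", "reply")
            # New inbound connections reach only the bastion's published services.
            if p.syn and dst == BASTION and p.dport in INBOUND_SERVICES:
                return self._log("permit", "inbound-bastion")
            return self._log("deny", "inbound")
        return self._log("deny", "other")   # traffic that should never cross the router at all

    def _log(self, action: str, reason: str) -> str:
        self.audit[f"{action}:{reason}"] += 1
        return action


def run_sample():
    """Run constructed sample traffic through the filter; returns (decisions, audit summary)."""
    fw = ScreeningRouter()
    packets = [
        Packet("10.0.0.5", 40000, "192.0.2.10", 80),                 # inside user browsing out
        Packet("192.0.2.10", 80, "10.0.0.5", 40000, syn=False),      # the web server's reply
        Packet("198.51.100.7", 5555, "10.0.0.2", 25),                # mail delivered to the bastion
        Packet("198.51.100.7", 5556, "10.0.0.2", 23),                # telnet to the bastion: blocked
        Packet("198.51.100.7", 5557, "10.0.0.5", 80, syn=False),     # forged "reply" to an inside host: blocked
    ]
    return [fw.decide(p) for p in packets], dict(fw.audit)
```

The audit summary from run_sample() is the kind of "how much traffic and how many attempted break-ins" report the FAQ attributes to a firewall's logging function.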
Application-level firewalls are generally hosts running proxy servers, which permit no traffic directly between networks and log and audit traffic passing through them. Because the proxy applications are software components running on the firewall, the proxy is a good place to do lots of logging and access control. Application-level firewalls can be used as network address translators, because traffic goes in one side and out the other after passing through an application that effectively masks the origin of the initiating connection. Having an application in the way may affect performance in some cases and may make the firewall less transparent.
Early application-level firewalls, such as those built using the TIS firewall toolkit (FWTK), are not particularly transparent, and users may require some training. Modern application-level firewalls are often fully transparent. Application-level firewalls tend to provide more detailed audit reports and enforce more conservative security models than network-level firewalls.
Figure 3 shows a dual-homed gateway, a highly secured host that runs proxy software. It has two network interfaces, one on each network, and blocks all traffic passing through it.
The future of firewall technology lies somewhere between network-level firewalls and application-level firewalls. It is likely that network-level firewalls will become increasingly "aware" of the information going through them and that application-level firewalls will become increasingly low-level and transparent. The result will be a fast packet-screening system that logs and audits data as it passes through. Increasingly, both network and application firewalls incorporate encryption so they can protect traffic passing between them over the Internet. Organizations with multiple points of Internet connectivity can use firewalls with end-to-end encryption to make the Internet their "private backbone" without worrying about someone sniffing their data or passwords.