
Firewalls

Executive Summary

It does not seem too long ago that firewalls were seen as advanced tools used to enforce perimeter network security, and for a while it was commonly thought that only the most paranoid organisations would want to deploy them – military, government and large financial institutions, for example.

But with the explosion in Internet connectivity we have seen a huge increase in the number of computer systems – from large corporate networks to single PCs for the home user – connected to the public network. Without adequate protection, these systems are vulnerable to attack from “hackers” and “crackers”, ranging from the unskilled “script kiddies” who download pre-packaged exploits from the Web and launch them indiscriminately against any systems they can find, to the highly sophisticated and intelligent cracker who is capable of crafting his or her own exploits and carefully targeting specific organisations and hosts over a period of time.

Technology Issues

When looking at today’s firewall products, there are three main architectures currently in use:

Static Packet Filtering: Working at the Network Layer of the OSI stack, packet filters make a simple permit or deny decision for each packet in isolation, based on header fields (source and destination address, protocol and, for TCP and UDP, port numbers) matched against an ordered list of administrator-defined rules. Packet filtering is fast, transparent (no changes are required at the client), flexible and cheap (most routers provide packet filtering, and pure packet filter firewalls do not require powerful hardware on which to run). Its weakness is that, because every packet is judged on its own, the filter cannot tell a genuine reply from a crafted packet that merely looks like one, so rules for return traffic have to be written permissively – for example, allowing any inbound TCP packet with the ACK flag set.

Dynamic Packet Filtering/Stateful Inspection: A Stateful Inspection engine sits between the data link and Network Layers, which keeps it fast and stops suspect packets from travelling any further up the protocol stack. Unlike static packet filtering, it can examine data from any layer of the packet, and it records every connection it has permitted (the TCP handshake, or a pseudo-connection for connectionless protocols such as UDP) in a state table. Return traffic is admitted only if it matches an entry in that table, so the firewall’s decision depends on both the administrator-defined rules and the state of previous conversations (hence stateful inspection), and the permissive “allow replies” rules a static filter needs are no longer required.

Proxy Servers: Working at the Application Layer of the OSI stack, a Proxy Server firewall acts as an intermediary for user requests, setting up a second connection to the desired resource either at the application layer (an application level gateway) or at the session or transport layer (a circuit level gateway). Proxy code actually “stands in” for both client and server operations, parsing each request and relaying only those it recognises as valid between the trusted and untrusted networks. Unlike Packet Filter and Stateful Inspection firewalls, a direct connection is never allowed between the two networks. The penalties paid for this level of security are performance and flexibility: every connection costs the firewall a full application-layer parse, and each protocol needs its own proxy, so a new or proprietary protocol cannot pass until one has been written.

True proxy servers are undoubtedly the safest, but can impose a severe overhead in heavily loaded networks. Dynamic packet filtering is definitely faster, though most of the high-end firewalls are hybrids these days, incorporating elements of all three architectures.

When shopping for firewalls, it is important to be confident in their ability to repel attackers in an efficient manner, as well as to resist common Denial of Service (DoS) attacks. Apart from personal recommendation, it used to be necessary to accept vendors’ claims for the efficacy of their products with a leap of faith. Thankfully, that is no longer the case, with widely recognised certification schemes in operation from the likes of ICSA and Checkmark.

Business Issues

It should be noted, however, that a firewall is only ever as good as the Security Policy it supports. The Security Policy should be the starting point for all companies, defining which resources are available to which users on the network. Note that this does not always mean that you will be concerned solely with Internet access. One definition of a firewall is “a device that protects a trusted network from an untrusted one”. Both of these could exist within a corporate network.

For example, if you are a large pharmaceutical company, would you think it worthwhile to protect that portion of the network used by the R&D staff from the rest of the computer users in your company? With millions of research dollars riding on each drug in development, the last thing you need is for a disgruntled accounts clerk, upset at this year’s paltry pay increase, to wreak his revenge by selling all the confidential details on your latest wonder drug to the competition. At the same time, all of your employees naturally require access to the same e-mail and calendaring system, so it is not acceptable to employ completely separate networks. What is required is one corporate network with appropriate security barriers between sensitive and non-sensitive subnets.

Of course, a perimeter firewall usually only has to contend with slow Internet links, whilst an internal firewall will frequently cause a bottleneck if placed on a 100Mbps or Gigabit backbone. In such situations, careful network design is required coupled with a firewall that is capable of operating at wire speeds if possible.

Management Issues

Apart from raw speed, there are a couple of other points of network design that need to be considered when deploying firewalls. The first is whether or not you need to support public-facing servers, such as Web and FTP servers. Here, of course, you need to allow some access for users outside your protected network – there is not much point in having a Web server if no one can view it, is there? However, the Web server you make available to the public should not be on your private network, otherwise once someone manages to compromise your Web server, they will have free run of your private intranet. To counter this threat, we make use of something called the De-Militarised Zone (DMZ), which is a separate subnet that is kept isolated from your protected network but allows restricted access for external users. The isolation must work in both directions: a DMZ host should be able to reach the private network no more readily than an Internet host can, so that a compromised Web server cannot be used as a stepping stone. If you wish to make use of this facility, ensure that your firewall can support more than two network interfaces (or you can create a DMZ using two firewalls).
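The three-interface arrangement described above can be written down as a rule table keyed on source and destination zone, and the difference between static and stateful filtering from the Technology Issues section shows up as soon as return traffic and crafted packets are fed through that table. The following Python program is an added example written for this page, not code from the article or from any firewall product: the addresses, zone names, packet fields and policy entries are all constructed for the illustration, and it leaves out the sequence-number checking, timeouts and ICMP handling a real engine would have.

```python
"""Toy stateful packet filter with a three-zone (outside / DMZ / inside) policy.

Added illustration, not code from the article or from any vendor product.
Addresses (RFC 5737 test ranges), zone names, the packet format and the rule
table are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP flags; ignored for UDP
    ack: bool = False


def zone_of(ip: str) -> str:
    """Map an address to the firewall interface it arrives on or leaves by.
    Anything that is neither private LAN nor DMZ subnet is untrusted."""
    addr = ipaddress.ip_address(ip)
    if addr in ipaddress.ip_network("10.0.0.0/8"):
        return "inside"
    if addr in ipaddress.ip_network("192.0.2.0/24"):
        return "dmz"
    return "outside"


# Security policy: the only NEW connections permitted. Default deny.
# Deliberately absent is any dmz -> inside entry, so a compromised
# web server cannot open connections into the private network.
POLICY = {
    ("outside", "dmz", "tcp", 80),      # public may reach the DMZ web server
    ("outside", "dmz", "tcp", 21),      # and the DMZ FTP server
    ("inside", "dmz", "tcp", 80),       # staff may use the web server too
    ("inside", "outside", "tcp", 80),   # staff may browse the Internet
    ("inside", "outside", "udp", 53),   # and resolve names
}


def rule_allows(pkt: Packet) -> bool:
    return (zone_of(pkt.src), zone_of(pkt.dst), pkt.proto, pkt.dport) in POLICY


def static_filter(pkt: Packet) -> str:
    """Stateless filter. It cannot recognise replies, so it needs the classic
    'permit any TCP packet with ACK set' rule for established sessions, and
    that rule lets a crafted ACK packet straight through."""
    if rule_allows(pkt):
        return "ACCEPT"
    if pkt.proto == "tcp" and pkt.ack:
        return "ACCEPT"          # assumed to be return traffic
    return "DROP"


class StatefulFirewall:
    """Stateful inspection: a new flow is admitted only if it starts
    correctly AND policy allows it; later packets of that flow, in either
    direction, are matched against the state table instead of the rules."""

    def __init__(self):
        self.table = set()       # 5-tuples of flows already opened

    def filter(self, pkt: Packet) -> str:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table or rev in self.table:
            return "ACCEPT (established)"
        # A TCP flow must begin with a bare SYN; a UDP flow with any packet.
        if pkt.proto == "tcp" and not (pkt.syn and not pkt.ack):
            return "DROP (no state for this flow)"
        if rule_allows(pkt):
            self.table.add(fwd)
            return "ACCEPT (new)"
        return "DROP (policy)"


def demo() -> dict:
    fw = StatefulFirewall()
    out = {}
    # Outside client opens the public web server, and the server answers.
    syn = Packet("198.51.100.7", "192.0.2.10", "tcp", 40000, 80, syn=True)
    synack = Packet("192.0.2.10", "198.51.100.7", "tcp", 80, 40000, syn=True, ack=True)
    out["web_syn"] = fw.filter(syn)
    out["web_synack"] = fw.filter(synack)
    # Attacker fires an ACK-only packet at an internal host (an "ACK scan").
    scan = Packet("198.51.100.99", "10.1.2.3", "tcp", 31337, 445, ack=True)
    out["ack_scan_static"] = static_filter(scan)
    out["ack_scan_stateful"] = fw.filter(scan)
    # The DMZ web server has been compromised and tries to reach the intranet.
    pivot = Packet("192.0.2.10", "10.1.2.3", "tcp", 50000, 445, syn=True)
    out["dmz_pivot"] = fw.filter(pivot)
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} {verdict}")
```

Running it, the stateless filter accepts the ACK-only probe aimed at the internal host because it cannot distinguish that packet from a reply, while the stateful engine drops it for want of a matching table entry. The compromised Web server's SYN from the DMZ towards the private network is well formed, so the stateful engine reaches the policy check, and it is the absence of a dmz-to-inside rule that stops it.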

One of the biggest management headaches after installation of a firewall is caused by the fact that a completely secure perimeter is not always transparent to the user, and this can often lead to problems of users trying to circumvent the corporate security policy to get around some unpopular restriction imposed by the firewall.

If you block dangerous services, chances are that people will find ways to continue using them. Use of port 80 for more than just Web traffic makes it excruciatingly difficult in many cases to block and filter data. More obvious, however, is when users connect their desktop PCs directly to the Internet using a modem. There is no point locking and barring your front door with a firewall if your users are merrily opening the windows at the back – once a user is connected to the ‘net using a modem, there is a potential back door right into your protected network for the savvy cracker to exploit.
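Port 80 is the classic case: a packet filter, static or stateful, sees only that the destination port is 80 and lets the stream through, whereas an application level gateway of the kind described under Technology Issues parses the protocol and relays only what it recognises as a valid request. The following Python check is an added example written for this page, not code from the article or from any vendor proxy; the permitted-method set and the sample streams are constructed, and a production proxy would additionally validate the server's response, impose size limits and normalise headers before relaying anything.

```python
"""Application-level gateway check: is the stream on tcp/80 really HTTP?

Added illustration, not code from the article or from any vendor proxy.
The permitted-method list and the sample streams are constructed for
this example.
"""
import re

ALLOWED_METHODS = {"GET", "HEAD", "POST"}
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def inspect_request(stream: bytes) -> tuple:
    """Return ("forward", summary) or ("reject", reason) for the opening
    bytes of a client-to-server stream. A packet filter would pass every
    sample below because each arrives on port 80; only a proxy that
    parses the protocol can refuse the ones that are not HTTP."""
    head, sep, _body = stream.partition(b"\r\n\r\n")
    if not sep:
        return ("reject", "no end-of-headers marker")
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if m is None:
        return ("reject", "not an HTTP/1.x request line")
    method, target = m.group(1).decode("ascii"), m.group(2)
    if method not in ALLOWED_METHODS:
        return ("reject", f"method {method} not permitted")  # e.g. CONNECT tunnels
    if not (target.startswith(b"/") or target.startswith((b"http://", b"https://"))):
        return ("reject", "request target is neither a path nor an http URL")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            return ("reject", "malformed header line")
        headers[name.strip().lower()] = value.strip()
    if b"host" not in headers:
        return ("reject", "missing Host header")
    host = headers[b"host"].decode("ascii", "replace")
    return ("forward", f"{method} {target.decode('ascii', 'replace')} host={host}")


# Constructed sample streams, all of which would be delivered to tcp/80.
SAMPLES = {
    "browser": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "ssh":     b"SSH-2.0-OpenSSH_5.3\r\n",                 # sshd moved onto port 80
    "connect": b"CONNECT irc.example:6667 HTTP/1.1\r\nHost: irc.example:6667\r\n\r\n",
    "binary":  b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1" + b"\x00" * 24,  # non-HTTP bytes
}


def run_samples() -> dict:
    """Verdict ("forward" / "reject") for each constructed sample."""
    return {name: inspect_request(data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:8s} -> {inspect_request(data)}")
```

Only the genuine browser request is forwarded; the SSH banner and the raw binary stream never present an HTTP request line, and the CONNECT request, which is exactly how a user would ask a proxy to tunnel an arbitrary TCP session through port 80, is refused by the method list rather than by anything a port-based rule could express.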

Dos/Don'ts

  • Make sure that you have a comprehensive security policy in place
  • Ensure that the firewall rules are constructed to enforce the security policy – not the other way around
  • Pay careful attention to network design to ensure that your firewall does not act as a bottleneck
  • Consider using multiple firewalls – both at the network perimeter and internally if necessary
  • Use a De-Militarised Zone (DMZ) to host your public-facing (Web, FTP, etc.) servers
  • Consider the use of dedicated firewall appliances – the turnkey hardware and software approach can save time and money in the long run
  • If using a software firewall, ensure that the underlying operating system has been hardened and all the latest security patches are installed
  • Monitor the various security mailing lists to ensure that you are aware of the latest security concerns regarding your firewall, and ensure that patches and fixes are applied as soon as they are released
  • Make sure your users do not open “back doors” into your network by connecting modems directly to the Internet from their desktop
  • Make sure that your chosen firewall has been certified by one of the independent certification bodies such as Checkmark or ICSA

Main Vendors

There are a huge number of vendors playing in the firewall market at the moment, with products ranging from simple “personal firewalls” designed to protect a single PC, right up to multi-processor, highly redundant, gigabit firewall appliances.

One of the better known vendors would be Checkpoint, with FireWall-1, one of the first stateful multi-layer inspection firewalls on the market. Recently, this has also been made available in appliance form from Nokia and Intrusion.com. When it comes to government and military installations, the first thing they look for is usually ITSEC E3, or more recently, Common Criteria EAL 4 certification. For a long time, it was CyberGuard who led the field here, with an excellent product based on a B2 secure Unix platform. They have been joined recently by BorderWare (who were actually the first to achieve EAL 4 certification) and CheckPoint, but still manage to offer (in addition to a software only product) a full range of premium firewall appliances from the 100Mbit FireStar up to the multi-processor Gigabit STARLord.

Others worthy of mention, with robust, mature offerings, include Axent (with the Raptor software firewall and the new VelociRaptor appliance) and Network Associates (with the well-respected Gauntlet).

This article was written for Computer Weekly Online


Copyright © 1991-2005 The NSS Group Ltd.
All rights reserved.