CS-0277 An Introduction to Firewalls and the Firewall Selection Process

SCOPE: This document is intended to give the reader a basic understanding of network firewalls and the firewall selection process. It addresses what a firewall can and cannot do, different ways firewalls function, architectures used in firewall solutions, and important characteristics of effective firewalls. It outlines a selection process organizations should use to determine which firewall solution will best fit their needs. INTRODUCTION: With the large number of firewall solutions available today, firewall selection and implementation can be a time-consuming and overwhelming process. The appealing manner in which "firewall" solutions are marketed, along with claims of easy installation and management, can lead organizations to make the decision to implement a firewall solution without taking time to thoroughly examine the need for one. Organizations with a connection to the Internet or to any other "untrusted" network may need to implement a firewall solution. However, they should consider the impact a firewall will have on all network services, resources and users, and how a firewall will fit in with their particular business needs and network infrastructure. Organizations should determine what their specific requirements are, analyze their current network infrastructure and use that information as a basis for their decision. WHAT IS A FIREWALL?
Definition:

A Network Firewall is a system or group of systems used to control access between two networks -- a trusted network and an untrusted network -- using pre-configured rules or filters.

A firewall is a set of related programs, located at a network, gateway server that protects the resources of a private network from users from other networks. An enterprise with an intranet that allows its workers access to the wider Internet installs a firewall to prevent outsiders from accessing its own private data resources and for controlling what outside resources its own users have access to. Computer security

borrows this term from firefighting, where it originated. In firefighting, a firewall is a barrier established to prevent the spread of fire. Firewalls can be composed of a single router, multiple routers, a single host system or multiple hosts running firewall software, hardware appliances specifically designed to provide firewall services, or any combination thereof. They vary greatly in design, functionality, architecture, and cost. HOW FIREWALLS FUNCTION: There are two security design logic approaches network firewalls use to make access control decisions. These two approaches have opposite logic but the intent of both is to control access. The two approaches are:

Everything not specifically permitted is denied. Everything not specifically denied is permitted.

There are proponents for each approach, but the one most often recommended is everything not specifically permitted is denied. This approach takes a proactive stance to unwanted or unauthorized access. It works on the premise that all access is denied until a rule or filter is configured that will specifically allow access. It provides more security by default, but it can also be considered too restrictive. . In many instances, legitimate traffic suffers until the correct variables are identified and rules or filters are configured and implemented that will allow traffic to pass. The opposite design logic, everything not specifically denied is permitted, takes a reactive stance to unwanted or unauthorized access. It works on the premise that all access is allowed until a rule or filter is configured that will specifically deny it. It provides less security initially, but is considered more flexible because legitimate traffic does not suffer.

WHAT IT DOES: A firewall is simply a program or hardware device that filters the information coming through the Internet connection into your private network or computer system. If the filters flag an incoming packet of information, it is not allowed through. With a firewall in place, the landscape is much different. Firewalls use one or more of three methods to control traffic flowing in and out of the network: Packet filtering - Packets (small chunks of data) are analyzed against a set of filters. Packets that make it through the filters are sent to the requesting system and all others are discarded. Proxy service - Information from the Internet is retrieved by the firewall and then sent to the requesting system and vice versa. Stateful inspection - A newer method that doesn't examine the contents of each packet but instead compares certain key parts of the packet to a database of trusted information. Information traveling from inside the firewall to the outside is monitored for specific defining characteristics, then incoming information

is compared to these characteristics. If the comparison yields a reasonable match, the information is allowed through. Otherwise it is discarded.

There are several types of firewall techniques: 1) Packet filter: Packet filtering is the simplest packet screening method. A packet filtering firewall does exactly what its name implies -- it filters packets. The most common implementation is on a router or dual-homed gateway. The packet filtering process is accomplished in the following manner. Each packet is examined individually without regard to other packets that are part of the same connection.

A packet filtering router usually can filter IP packets based on some or all of the following fields:

Source IP address, Destination IP address, TCP/UDP source port, TCP/UDP destination port

PACKET FILTERING ROUTER 2) Application gateway:

Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation. An application gateway/proxy firewall operates in the following manner. When a client issues a request from the untrusted network, a connection is established with the application gateway/proxy. The proxy determines if the request is valid (by comparing it to any rules or filters) and then sends a new request on behalf of the client to the destination. Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses. By using this method, a direct connection is never made from the trusted network to the untrusted network and the request appears to have originated from the application gateway/proxy. The request is answered in the same manner. The response is sent back to the application gateway/proxy, which determines if it is valid and then sends it on to the client. By breaking the client/server model, this type of firewall can effectively hide the trusted network from the untrusted network. It is important to note that the application gateway/proxy actually builds a new request, only copying known acceptable commands before sending it on to the destination.

APPLICATION GATEWAY FIREWALL Unlike packet filtering and stateful packet inspection, an application gateway/proxy can see all aspects of the application layer so it can look for more specific pieces of information. From a security standpoint, the application gateway/proxy packet screening method is far superior to the other types of packet screening. However, this method isn't always the most practical to use. Application gateways have a number of general advantages over the default mode of permitting application traffic directly to internal hosts. These include: Information hiding, in which the names of internal systems need not necessarily be made known via DNS to outside systems, since the application gateway may be the only host whose name must be made known to outside systems, Robust authentication and logging, in which the application traffic can be pre-authenticated before it reaches internal hosts and can be logged more effectively than if logged with standard host logging, Cost-effectiveness, because third-party software or hardware for authentication or logging need be located only at the application gateway, and Less-complex filtering rules, in which the rules at the packet filtering router will be less complex than they would if the router needed to filter application traffic and direct it to a number of specific systems. The router need only allow application traffic destined for the application gateway and reject the rest.

3) Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.

Unlike a packet filtering firewall, a circuit-level gateway does not examine individual packets. Instead, circuit-level gateways monitor TCP or UDP sessions. Once a session has been established, it leaves the port open to allow all other packets belonging to that session to pass. The port is closed when the session is terminated. In many respects this method of packet screening resembles application gateways/proxies and adaptive proxies, but circuit-level gateways operate at the transport layer (layer 4) of the OSI model.

OPEN SYSTEM INTERCONNECTION (OSI) MODEL Firewall Components: The primary components (or aspects) of a firewall are:

Network policy, Advanced authentication mechanisms, Packet filtering, and Application gateways.

NETWORK POLICY:

There are two levels of network policy that directly influence the design, installation and use of a firewall system. The higher-level policy is an issue-specific, network access policy that defines those services that will be allowed or explicitly denied from the restricted network, how these services will be used, and the conditions for exceptions to this policy. The lower-level policy describes how the firewall will actually go about restricting the access and filtering the services that were defined in the higher-level policy. ADVANCED AUTHENTICATION: Advanced authentication measures such as smart cards, authentication tokens, biometrics, and software-based mechanisms are designed to counter the weaknesses of traditional passwords. While the authentication techniques vary, they are similar in that the passwords generated by advanced authentication devices cannot be reused by an attacker who has monitored a connection. Given the inherent problems with passwords on the Internet, an Internet-accessible firewall that does not use or does not contain the hooks to use advanced authentication makes little sense. Some of the more popular advanced authentication devices in use today are called one-time password systems. Since firewalls can centralize and control site access, the firewall is the logical place for the advanced authentication software or hardware to be located. Although advanced authentication measures could be used at each host, it is more practical and manageable to centralize the measures at the firewall. If the hosts do not use advanced authentication, then intruders could attempt to crack passwords or could monitor the network for login sessions that would include the passwords. The site systems may still require static passwords before permitting access, however these passwords would be immune from exploitation, even if the passwords are monitored, as long as the advanced authentication measures and other firewall components prevent intruders from penetrating or bypassing the firewall. WHAT IT PROTECTS YOU FROM: There are many creative ways that unscrupulous people use to access or abuse unprotected computers: Remote login - When someone is able to connect to your computer and control it in some form. This can range from being able to view or access your files to actually running programs on your computer. Application backdoors - Some programs have special features that allow for remote access. Others contain bugs that provide a backdoor, or hidden access, that provides some level of control of the program. SMTP session hijacking - SMTP is the most common method of sending e-mail over the Internet. By gaining access to a list of e-mail addresses, a person can send unsolicited junk e-mail (Spam) to thousands of users. This is done quite often by redirecting the e-mail through the SMTP server of an unsuspecting host, making the actual sender of the Spam difficult to trace. Operating system bugs - Like applications, some operating systems have backdoors. Others provide remote access with insufficient security controls or have bugs that an experienced hacker can take advantage of. Denial of service - You have probably heard this phrase used in news reports on the attacks on major Web sites. This type of attack is nearly impossible to counter. What happens is that the hacker sends a request to the server to connect to it. When the server responds with an acknowledgement and tries to establish a session, it cannot find the system that made the request. By inundating a server with these unanswerable session requests, a hacker causes the server to slow to a crawl or eventually crash. E-mail bombs - An e-mail bomb is usually a personal attack. Someone sends you the same e-mail hundreds or thousands of times until your e-mail system cannot accept any more messages.

Macros - To simplify complicated procedures, many applications allow you to create a script of commands that the application can run. This script is known as a macro. Hackers have taken advantage of this to create their own macros that, depending on the application, can destroy your data or crash your computer. Viruses - Probably the most well known threat is computer viruses. A virus is a small program that can copy itself to other computers. This way it can spread quickly from one system to the next. Viruses range from harmless messages to erasing all of your data. Spam - Typically harmless but always annoying, Spam is the electronic equivalent of junk mail. Spam can be dangerous though. Quite often it contains links to Web sites. Be careful of clicking on these because you may accidentally accept a cookie that provides a backdoor to your computer. Redirect bombs - Hackers can use ICMP to change (redirect) the path information takes by sending it to a different router. This is one of the ways that a denial of service attack is set up. Source routing - In most cases, the path a packet travels over the Internet (or any other network) is determined by the routers along that path. But the source providing the packet can arbitrarily specify the route that the packet should travel. Hackers sometimes take advantage of this to make information appear to come from a trusted source or even from inside the network! Most firewall products disable source routing by default. One of the best things about a firewall from a security standpoint is that it stops anyone on the outside from logging onto a computer in your private network. While this is a big deal for businesses, most home networks will probably not be threatened in this manner. Still, putting a firewall in place provides some peace of mind.

TYPES OF FIREWALLS:
There are several classifications of firewalls depending on where the communication is taking place, where the communication is intercepted and the state that is being traced. Free Firewall Many software and desktop firewalls are free. Many of these firewalls are Linux or BSD based and can be quickly set up to protect a small to medium size company quickly. Also free firewalls often come in the form of a desktop firewall (sometimes called a personal firewall) Desktop Firewall Any software installed on an operating system to protect a single computer, like the one included with Windows XP, is called a desktop or personal firewall. This type of firewall is designed to protect a single desktop computer. This is a great protection mechanism if the network firewall is compromised. Software Firewall This type of firewall is a software package installed on a server operating system, which turns the server into a full-fledged firewall. Many people do not consider this the most secure type of firewall as you have the inherit security issues of the underlying operating system. This type of firewall is often used as an application firewall. This means the firewall is optimized to protect applications such as web application and

email servers. Software firewalls have complex filters to inspect the content of the network traffic to insure that type of traffic is properly formatted. This type of firewall is usually behind hardware firewalls. Hardware Firewall A hardware firewall is a dedicated hardware device with a proprietary operating system or a stripped down operating system core. These firewalls include network routers with additional firewall capabilities. These firewalls are designed to handle large amounts of network traffic. Hardware firewalls are often placed on the perimeter of the network to filter the Internet noise and only allow pre-determined traffic into the network. Sometimes hardware firewalls are used in conjunction with software firewalls so the hardware firewall filters out the traffic and the software firewall inspects the network traffic. When hardware firewalls are bombarded with bogus network traffic they drop the unwanted traffic only letting in the right traffic. This not only protects the software firewall but allows the software firewall only has to inspect proper network traffic thus the combination optimizes the network throughput. FIREWALL APPLIANCE: A firewall appliance typically sits behind the gateway (usually a router) to the untrusted network. This architecture resembles the packet filtering router and dual-homed Gateway architectures in that all traffic must pass through the appliance. In most instances these appliances come pre-configured on their own box. They may also have other services built in, such as Web servers and e-mail servers. Because they usually don't need the extensive configuration that other firewalls often require, they are touted as being much simpler and faster to use. Some manufacturers market them as "plug-and-play" firewall solutions.

FIREWALL APPLIANCE WHAT FIREWALLS CAN DO: Firewall solutions can have both positive and negative effects on a network. POSITIVE EFFECTS: When implemented correctly, firewalls can control access both to and from a network. They can be configured to keep unauthorized or outside users from gaining access to internal or private networks and services. They can also be configured to prevent internal users from gaining access to outside or unauthorized networks and services. Many firewalls can be deployed within an organization to compartmentalize and control access to services between departments and other private networks.

Firewalls can be configured to require user authentication. This allows network administrators to control access by specific users to specific services and resources. Authentication also allows network administrators to track specific user activity and unauthorized attempts to gain access to protected networks or services.
User authentication:

Firewalls can provide auditing and logging capabilities. By configuring a firewall to log and audit activity, information may be kept and analyzed at a later date. Firewalls can generate statistics based on the information they collect. These statistics can be useful in making policy decisions that relate to network access and utilization.
Auditing and logging:

Some firewalls function in a way that can hide internal or trusted networks from external or untrusted networks. This additional layer of security can help shield services from unwanted scans.
Security:

Firewalls can also provide a central point for security management. This can be very beneficial when an organization's human resources and financial resources are limited. NEGATIVE EFFECTS: Although firewall solutions provide many benefits, negative effects may also be experienced. In some networks, firewalls create a traffic bottleneck. By forcing all network traffic to pass through the firewall, there is a greater chance that the network will become congested.
Traffic bottlenecks:

Firewalls can create a single point of failure. In most configurations where firewalls are the only link between networks, if they are not configured correctly or are unavailable, no traffic will be allowed through.
Single point of failure:

Firewalls can frustrate users when network resources or services are blocked or unavailable to them, or they are required to authenticate to gain access and forget their passwords. The added security provided by the firewall may not be perceived as worth the increase in the technical support load.
User frustration:

A firewall often adds to network management responsibilities and makes network troubleshooting more complex. If network administrators don't take time to respond to each alarm and examine logs on a regular basis, they will never know if the firewall is doing its job. All firewalls require ongoing administrative support, general maintenance, software updates, security patches and proper incident handling, increasing the responsibilities of the administrators who are often already overworked.
Increased management responsibilities:

WHAT FIREWALLS CANNOT DO: The most common misconception about firewalls is that they guarantee security for your network. A firewall cannot and does not guarantee that your network is 100% secure. To achieve greater protection, a firewall should be used in conjunction with other security measures. Even then, there is no guarantee that the network will be 100% secure.

Firewalls cannot offer any protection against inside attacks. For a firewall to be effective, all traffic must pass through it. Users on the internal or trusted network often have access to the protected services without having to go through the firewall. A high percentage of security incidents today come from inside the trusted network. Firewalls cannot protect against unwanted or unauthorized access through back doors on your network. Back doors are typically created when an internal user dials out from an unauthorized modem and establishes a connection to an untrusted network. This behavior can be innocent in that the user doesn't even realize they are opening a back door, but it is just as threatening as shutting down the firewall. In most implementations, firewalls cannot provide protection against viruses or malicious code. Since most firewalls do not inspect the payload or content of the packet, they are not aware of any threat that may be contained inside. Finally, no firewall can protect against inadequate or mismanaged policies. If a password gets out, your network is at risk. Many security breaches occur because users inadvertently give out passwords or leave their workstations open. Even though the person does not have malicious intent, the results can be damaging to the security of the network. IMPORTANT ASPECTS OF EFFECTIVE FIREWALLS: Regardless of which security design logic or packet screening method is chosen, two important aspects of the firewall's implementation can determine whether or not a firewall solution will be effective: First, the device or host system on which the firewall solution resides must be secure. If the system can be compromised, then the firewall can also be compromised. If the firewall you choose is based on a well-known network operating system, make sure the operating system is fully patched and all security updates have been applied. Second, for a firewall to be effective, all traffic to and from your network must pass through it. If a firewall can be physically or logically bypassed, there is no guarantee that your trusted network is safe. The architecture used for your firewall solution is very important.

CONCLUSION: So when determining the firewall, remember there are many different types and even more vendors. One thing to make sure is that you deploy a firewall that your IT team can manage it effectively.