
Firewalls

Firewall - access control tool

What is a Firewall?

A firewall is a system, or group of systems, that enforces an access control policy. Typically, access is controlled between the internal network and the Internet, but there are many other situations where a firewall may be required.

External connections to business partners

Many organizations have permanent connections to remote business partners. This can create a difficult situation: the connection is a required business need, but now someone has access to the internal network from an area where security is not controlled by the organization. A firewall can be used to regulate and document access from these links.

Between Departments

Some organizations maintain firewalls between different areas of their network. This is to ensure that internal users only have access to the information they require. A firewall can be used at the point of connection between these two networks so that access control can be enforced.

What can a firewall protect against?

Known forms of direct attack, provided it has been configured to do so. Not all firewalls are the same, so some do a better job of protecting a network than others. Typically, the more protection a firewall provides, the more it is going to cost.

There are some operative words in the above statement. The first is "known", as some firewalls must be specifically configured to defeat certain types of attacks. It is impossible to predict every possible exploit that future attackers may attempt to launch. The security field is constantly changing, and new exploits are found every day. This is why it is a good idea to ensure that a firewall is always maintained at the latest release and patch level.

Another operative phrase is "direct attack", as there are many forms of passive attack that a firewall cannot protect against. For example, there are many exploits with ActiveX and Java (web server programming languages) which allow a rogue web site to read and write files on computers which load its pages. This may be a copy of the system's registry (which stores password information) or even copies of your electronic checkbook data. In order to exploit this weakness, however, the web master must first entice you to visit their site. They cannot use this exploit to attack your system directly. There are known exploits, however, that would allow an attacker to redirect web requests from other systems to their server.

Since these ActiveX and Java exploits are programming problems, most firewalls are unable to prevent this type of attack. It is difficult to tell the difference 100% of the time between benign and hostile programming code. To counteract these problems, most firewall vendors give the firewall administrator the ability to filter out all ActiveX or Java programming code. This of course means that all ActiveX and Java programs (good or bad) become disabled.

What about viruses?

In recent years, many strides have been made to allow firewalls to help protect against virus infection. Checkpoint Firewall-1 accepts plug-ins from three or four vendors which allow mail, FTP and HTTP file transfers to be checked for viruses when they pass through the firewall. Generally, though, you will need to rely on a purpose-built virus scanner for safety.

Packet filtering

Static filtering

A static packet filter controls traffic by blocking or allowing traffic to pass between specific service ports. For example, let's assume that you wish to allow internal users to access web servers on the Internet. Since web browsing uses service port 80, you would need to configure the static filter to allow outbound access to this service port. Static packet filters are dumb filtering devices. They offer little protection against advanced types of attack. They look at a minimal amount of information in order to determine which traffic should be allowed to pass, and which traffic should be blocked. Many routers have the ability to perform static packet filtering.

Dynamic filtering

Dynamic filtering takes static packet filtering one step further in that it maintains a connection table in order to monitor the state of a communication. This is a powerful feature which can be used to better control traffic flow. For example, let's assume that an attacker sends a system a packet of data which has a payload designed to crash the system. They may perform some packet trickery in order to make this packet look like a reply to information requested by the internal system. A regular packet filter would see this packet, be fooled into thinking that this was a reply to a data request, and happily pass the information along to the internal system. A dynamic packet filter would not be so easily fooled, however. When the information was received, the dynamic packet filter would reference its connection table (sometimes referred to as a "state" table). When reviewing the table entries, it would realize that the internal system never actually connected to this external system in order to place a data request. Since this information had not been explicitly requested, the dynamic packet filter would throw the packet in the bit bucket.

Deep packet inspection

Stateful Inspection is very similar to dynamic packet filtering. Both maintain a state table in order to record active sessions. Stateful Inspection adds the additional feature of being able to screen the data portion of the packet. Note that this does not occur with all services; the system must be specifically coded to do so. Administrators are allowed to interface with the inspection engine using the Inspect language.

Proxy servers and firewalls

A proxy server (sometimes referred to as an application gateway or forwarder) is an application that mediates traffic between a protected network and the Internet. Proxies are often used instead of filtering to prevent traffic from passing directly between networks. With the proxy acting as mediator, the source and destination systems never actually "connect" with each other. The proxy plays middle man in all connection attempts. Since proxies must "understand" the application protocol being utilized, they can also implement protocol-specific security. For example, an inbound FTP proxy can be configured to filter out all "put" and "mput" requests received from an external system. This could be used to create a read-only FTP server, as people outside the firewall would be unable to send the FTP server the commands required to initiate a file write. They could, however, perform a file "get", which would allow them to receive files from the FTP server, just not write any.

Most proxy servers are application specific. In order to support a new protocol via a proxy, a proxy must be developed for it. There are also proxies known as SOCKS proxies. These do not understand the application they are supporting. They simply provide connectivity for a specific port.

Policy design and management

An access control policy is simply a corporate policy that states what type of access is allowed across an organization's network perimeter. For example, the organization may have a policy that states "our internal users can access Internet web sites, FTP sites or send SMTP mail, but we only want to allow inbound SMTP mail from the Internet to our internal network". Access is usually specified by:

Direction - Traffic from the Internet to the internal network (inbound), or traffic from the internal network heading towards the Internet (outbound).

Service - The type of server application that will be accessed. For example web access (HTTP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP).

Specific Host - Sometimes more granularity is required than simply specifying direction. For example, an organization may wish to allow inbound HTTP access, but only to a specific computer. Conversely, they may have only one business unit that they wish to grant Internet web server access to.

Individual Users - Many organizations have a business need to let only certain individuals perform specific activities but do not want to open up this type of access to everyone. For example, the company CFO may need to be able to access internal resources from the Internet because they do a lot of traveling. In this case, it would be the job of the device that is enforcing the access control policy to authenticate anyone trying to gain access, to ensure that only the CFO can get through.

Time of Day - Sometimes an organization may wish to restrict access, but only during certain hours of the day. For example, an access control policy may state "Internal users can access web servers on the Internet only between the hours of 5:00 PM and 7:00 AM".

Quality of Service - An organization may wish to restrict access based on the amount of available bandwidth. For example, let's assume that an organization has a web server that is accessible from the Internet and they want to ensure that access to this system is always responsive. The organization may have an access control policy that allows internal users to access the Internet, but at a restricted level of bandwidth if a potential client is currently accessing the web server. When the client is done accessing the server, the internal users would have 100% of the bandwidth available to access Internet resources.

If an organization does not have an access control policy, one should be recorded in writing. This helps to ensure that the organization has a clearly defined policy regarding network usage and that a proper firewall product can be selected to fill their needs.
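As an added example (not part of the original text), the policy quoted in the section above, together with the "specific host" and "time of day" refinements it lists, written as a small rule evaluator; the 10.0.0.0/8 internal range, the host addresses and the rule order are constructed assumptions, and the time-of-day check handles the 5:00 PM to 7:00 AM window that wraps past midnight.

```python
# Added example, not from the original text: a small evaluator for an access
# control policy expressed in the terms the section lists (direction, service,
# specific host, time of day). Addresses and the rule set are constructed.
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")  # constructed internal address range

@dataclass
class Rule:
    direction: str                 # "inbound" or "outbound"
    service: str                   # "http", "ftp" or "smtp"
    allow: bool
    dst_host: "str | None" = None  # limit the rule to one specific computer
    start: "time | None" = None    # time-of-day window; may wrap past midnight
    end: "time | None" = None

def in_window(now: time, start: time, end: time) -> bool:
    """True if now is inside [start, end). A window like 17:00-07:00 wraps
    past midnight, which a plain start <= now < end test would get wrong."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end

def direction_of(src: str) -> str:
    return "outbound" if ip_address(src) in INTERNAL_NET else "inbound"

def decide(policy, src: str, dst: str, service: str, clock: str) -> bool:
    """First matching rule wins; traffic the policy does not mention is denied."""
    now = time.fromisoformat(clock)   # clock is "HH:MM"
    direction = direction_of(src)
    for r in policy:
        if r.direction != direction or r.service != service:
            continue
        if r.dst_host is not None and r.dst_host != dst:
            continue
        if r.start is not None and not in_window(now, r.start, r.end):
            continue
        return r.allow
    return False  # default deny: nothing matched

# The policy quoted in the text, plus the host and time-of-day refinements.
POLICY = [
    Rule("outbound", "http", True, start=time(17, 0), end=time(7, 0)),  # 5 PM to 7 AM
    Rule("outbound", "ftp", True),
    Rule("outbound", "smtp", True),
    Rule("inbound", "smtp", True),
    Rule("inbound", "http", True, dst_host="10.1.1.80"),  # one web server only
]
```

`decide(POLICY, "10.1.5.5", "203.0.113.10", "http", "18:30")` is allowed while the same request at "12:00" is denied, and inbound HTTP reaches only 10.1.1.80.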

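The scenario from the "Dynamic filtering" section, as an added example rather than code from the original text: a static filter that judges packets by port alone and a dynamic filter that keeps a connection table, run over the same constructed packet sequence, in which a forged "reply" from a host the internal system never contacted passes the first and is dropped by the second. The 10.0.0.0/8 internal range, the addresses and the port numbers are assumptions.

```python
# Added example, not from the original text: a static filter and a dynamic
# (stateful) filter applied to the same packets, to show why the spoofed
# "reply" the section describes passes one and is dropped by the other.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")  # constructed internal address range

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def is_internal(addr: str) -> bool:
    return ip_address(addr) in INTERNAL_NET

class StaticFilter:
    """Looks only at ports: outbound to 80 is allowed, and inbound traffic with
    source port 80 is allowed because replies from web servers look like that."""
    def check(self, p: Packet) -> bool:
        if is_internal(p.src):
            return p.dport == 80
        return p.sport == 80

class DynamicFilter:
    """Same outbound rule, but an inbound packet is accepted only if the
    connection table shows that the internal host opened that connection."""
    def __init__(self):
        self.table = set()  # (internal ip, internal port, external ip, external port)
    def check(self, p: Packet) -> bool:
        if is_internal(p.src):
            if p.dport == 80:
                self.table.add((p.src, p.sport, p.dst, p.dport))
                return True
            return False
        return (p.dst, p.dport, p.src, p.sport) in self.table

def run(filt, packets):
    return [filt.check(p) for p in packets]  # one verdict per packet

# Constructed sequence: a real request and its reply, then a forged "reply"
# from a host the internal system never talked to.
PACKETS = [
    Packet("10.1.5.5", 40001, "198.51.100.7", 80),  # internal host opens a web session
    Packet("198.51.100.7", 80, "10.1.5.5", 40001),  # genuine reply
    Packet("203.0.113.9", 80, "10.1.5.5", 40001),   # forged reply, never requested
]
```

`run(StaticFilter(), PACKETS)` returns `[True, True, True]`, while `run(DynamicFilter(), PACKETS)` returns `[True, True, False]` because no table entry matches the third packet.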