Firewalls

By Pete LoshinSpecial to GCNIf your organization connects to the Internet, you should pay attention to your firewalls. You wouldn't leave your office door unlocked at night; neither should you leave your office's systems open to attack via the Internet.Securing an intranet is no simple task; just installing a piece of software won't cut it. A firewall, by itself, is not enough to protect a network, any more than even the strongest dead bolt is all that's needed to protect a building from intruders. But a firewall is an essential component of a successful security strategy.Firewalls come in both hardware and software forms. Although all firewalls are programmed, some are marketed as software products that can be installed on the hardware platform of your choice. Others are sold as standalone hardware units or as features of hardware routers. This guide includes firewalls of both types.Organizations started developing firewall devices in the early days of the Internet, when routers were set up to filter packets based on source and destination.A firewall box compares the addresses of all inbound and outbound IP packets with lists of addresses. If the addresses are OK, the packet goes through; if either of the addresses is restricted, the packet is dropped.Inbound packets must be scrutinized to make sure they are not coming from the wrong networks, while outbound packets are checked to make sure no one inside is trying to access an 'enemy' system. What might look like a user establishing a Telnet session could be a Trojan horse program readying an unauthorized link.Packet filtering firewalls also look at the packet's TCP or User Datagram Protocol ports. The ports numbered from 0 through 1,023, commonly referred to as well-known ports, are associated with specific actions'port 80 for Hypertext Transfer Protocol packets, port 20 for File Transfer Protocol, and so on. Transient ports, numbered higher than 5,000, are assigned by applications for ad hoc use.Combined with IP addresses, ports give firewall implementers an excellent tool for filtering out unauthorized access. For example, you can set up a firewall rule that excludes all packets sent to port 80 except those sent to the public Web server. Or you could exclude all packets sent to port 80 from a network address known to be used by hackers.Packet filtering is a good first pass for security, but it's not enough. If it's the only firewall security you have, you leave plenty of opportunity for attackers who can forge packet headers to look as if they are authorized.More troubling is that a packet filtering firewall could still leave your network assets uncovered by letting attackers gather information about specific hosts and subnets within your intranet'the first step in any attack.One way to shield your internal systems is to use application gateways, also known as proxies. Instead of looking at the lower-layer packet headers, application gateways act as intermediaries between users' systems and external systems.When someone attempts to download a Web page, for example, that user's system makes the request of the application gateway. The gateway scrutinizes the request to make sure it is not for a forbidden destination, type of data or transaction. Then, if the requesting system passes muster, the gateway submits that request to the destination Web site.The destination Web site interacts with the application gateway, treating the gateway as the source of the request; the gateway then passes along any requested material to the original requesting user. In this way, it acts on behalf of the user, so it is often called a proxy.If you use this approach, you need a different proxy for every application that is permitted across the firewall. Usually, this means a proxy for HTTP for Web interaction, FTP for file transfers and Telnet for terminal emulation, as well as for e-mail protocols and several other applications.Proxies are useful because a security manager can control precisely what type of applications can be used across the firewall; if there is no proxy for a specific application, that application can't be used.So packet filtering keeps tabs on what happens at the lower protocol layers, and application gateways control what happens at the application layer. But something fishy still could get past both functions.For example, a packet might seem harmless in its source and destination IP addresses and ports, but it could contain an attack inside the packet's application data. By the same token, a packet might be coming from an unauthorized host but have perfectly acceptable application data.This problem prompted development of another approach to firewall security: stateful packet inspection.Some firewalls include a packet inspection module that is applied to all packets and can analyze the entire packet in the context of all applicable protocols. An extension of this approach is to add 'statefulness' to the module, in which the state of the connections is taken into consideration when analyzing packets.For example, such a module can detect an attempt to send a packet representing itself as a protocol response when in fact no connection had been set up in the first place.In general, packet inspection is more efficient than running application gateway proxies. Inspecting packets is simpler than having to run two separate processes for each packet'one acting as a server to the internal user and one as a proxy client connecting to the external server. As a result, stateful packet inspection can provide security to a larger number of users.The more an attacker knows about your network, the easier it is to mount an attack. Just knowing the IP addresses of a host or a server can open that system'and others'to denial-of-service attacks as well as unauthorized-user hacks. One mechanism often used to keep private networks private is the network address translator, or NAT.The IP defines a set of private network addresses that are not intended to be forwarded to the global Internet. Anyone can use these addresses internally. A NAT serves as a sort of routing proxy for these private addresses. The NAT box has a single IP address, by which it connects to the Internet, and a private address by which it is connected to the private intranet.When a host inside the private intranet wants to connect to a Web site, it sends its request to the NAT box, which translates the packet so that the request appears to be coming from the NAT box itself. When a response comes in, the packet goes directly to the NAT box, which again translates the packet and resends it within the private intranet.NAT originated as a stopgap remedy for the shortage of IP addresses, but it is often used as a security remedy. It is far from a security panacea, as it can introduce as many problems as it solves, but it is often incorporated into firewall products.Basic firewalls all do essentially the same things: filter packets, provide proxy services and do stateful packet inspection. The market is sufficiently mature to require greater product differentiation, so firewalls now frequently include content filtering modules capable of detecting viruses and malicious Java or ActiveX code.The rising tide of distributed denial-of-service attacks has spurred development of countersecurity measures as well. NetScreen Technologies, for instance, last month introduced a software update, ScreenOS 1.66, to its NetScreen 100 hardware firewall that supplies a tenfold increase in the product's ability to repel attacks. With the update, NetScreen 100 can, for example, inspect 20,000 SYN packets per second, the company said.Many firewalls also include virtual private network features, letting remote nodes and networks establish secure connections across the Internet. But strictly speaking, VPN capability is a separate function from the firewall.A firewall's platform also can be an important buying consideration: If you have expertise in Microsoft Windows NT, you might prefer an NT-based firewall.Unix-based firewalls often are touted as being more secure than NT's, particularly those based on open-source versions of Unix such as Berkeley Software Distribution. In most cases, the firewall hardens the operating system by closing security holes and by eliminating unnecessary services that are used by attackers.Ease of use is a frequent though hard-to-pin-down feature often touted by vendors. Regardless of any claims, buyers should be aware that firewall security can be complex and that a simple interface could give users an unrealistic sense of security if the firewall is improperly configured.In deciding whether to buy a hardware device or software, you should weigh the relative factors of performance and flexibility. Firewall appliances can be easier to set up and may also be optimized for improved performance. But software firewalls can be installed on whatever hardware platform is available, and the platform can be upgraded relatively easily if necessary or moved into a different function later. Firewall appliances can be used only as firewalls.It is important to understand that installing a firewall is only one part of a security strategy: User authentication, VPNs, a public-key infrastructure and resource management should all be parts of that strategy as well.With that in mind, however, you can define requirements for your firewall as you evaluate your network's needs. For example, a small branch office could be sufficiently protected by a simple firewall appliance, but an entire department might require a high-volume system of hardware or software.When determining requirements, consider the number of systems behind the firewall, the number of concurrent users, the type of Internet connection in use, the degree to which internal systems must be protected, the resources available to maintain the firewall, and what security functions you want the firewall to perform.Choosing an adequate firewall can be relatively simple. The difficult part begins after it is installed: Security is an ongoing process, and firewall systems must be managed closely if they are to be effective.XXXSPLITXXX-