Firewall Configuration Strategies

Chapter 3

Learning Objectives

Set up firewall rules that reflect an organization’s overall security approachUnderstand the goals that underlie a firewall’s configurationIdentify and implement different firewall configuration strategiesEmploy methods of adding functionality to your firewall

Establishing Rules and Restrictions for Your Firewall

Rules give firewalls specific criteria for making decisions about whether to allow packets through or drop them

All firewalls have a rules file—the most important configuration file on the firewall

The Role of the Rules File

Establishes the order the firewall should followTells the firewall which packets should be blocked and which should be allowedRequirements Need for scalability Importance of enabling productivity of end

users while maintaining adequate security

Restrictive Firewalls

Block all access by default; permit only specific types of traffic to pass through

Strategies for Implementing a Security Policy

Follow the concept of least privilegeSpell out services that employees cannot useUse and maintain passwordsChoose an approach Open Optimistic Cautious Strict Paranoid

Connectivity-Based Firewalls

Have fewer rules; primary orientation is to let all traffic pass through, then block specific types of traffic

Overview to Firewall Configuration Strategies

Criteria Scalable Take communication needs of individual

employees into account Deal with IP address needs of the organization

Scalability

Provide for the firewall’s growth by recommending a periodic review and upgrading software and hardware as needed

Productivity

The stronger and more elaborate the firewall, the slower the data transmissions

Important features of firewall: processing and memory resources available to the bastion host

Productivity

Dealing with IP Address Issues

If service network needs to be privately rather than publicly accessible, which DNS will its component systems use?If you mix public and private addresses, how will Web server and DNS servers communicate?Let the proxy server do the IP forwarding (it’s the security device)

Firewall Configuration Strategies

Firewall Configuration Strategies

Settle on general approaches; establish rules for them

Deploy firewalls, routers, VPN tunnels, and other tools in a way that will implement rules

Use security components to defend against common attacks

Using Security Components to Defend Against Attacks

Screening Router

Filters traffic passing between one network and another

Simple, minimally secure

Two interfaces—external and internal—each with its own unique IP address

Performs IP forwarding, based on an access control list (ACL)

Screening Router

Stateful Packet Filtering

Dual-Homed Host

A workstation with an internal interface and an external interface to the Internet

Disadvantage Host serves as a single point of entry to the

organization

Screened Host

Similar to dual-homed host, but the host is dedicated to performing security functions

Sits exposed on the perimeter of the network rather than behind the firewall

Requires two network connections

Also called a dual-homed gateway or bastion host

Screened Host

Two Routers, One Firewall

Router positioned on the outside Performs initial, static packet filtering

Router positioned just inside the network Routes traffic to appropriate computers in the

LAN being protected Can do stateful packet filtering

Two Routers, One Firewall

DMZ Screened Subnet

Screened subnet Network exposed to external network, but partially

protected by a firewall

Three-pronged firewall Three network interfaces connect it to:

External network DMZ Protected LAN

Service network Screened subnet that contains an organization’s publicly

accessible server

DMZ Screened Subnet

Three-Pronged Firewall with Only One Firewall

Advantages Simplification Lower cost

Disadvantages Complexity Vulnerability Performance

Common Service Network Systems

Those that contain Web and mail servers

Those that contain DNS servers

Those that contain tunneling servers

Multiple-Firewall DMZs

Achieve the most effective Defense in DepthHelp achieve load distributionAdded security offsets slowdown in performanceTwo or more firewalls can be used to protect Internal network One DMZ Two DMZs Branch offices that need to connect to main office’s

internal network

Two Firewalls, One DMZ

Two firewalls used to set up three separate networks (tri-homed firewall) Internal protected network (behind DMZ) External private network or service network

(within DMZ) External network (outside DMZ)

Advantage Enables control of traffic in the three networks

Two Firewalls, One DMZ

Two Firewalls, Two DMZs

Setting up separate DMZs for different parts of the organization helps balance the traffic load between them

Two Firewalls, Two DMZs

Multiple Firewalls to Protect Branch Offices

Load Distribution Through Layering of Firewalls

Reverse Firewalls

Inspect and monitor traffic going out of a network rather than trying to block what’s coming in

Help block Distributed Denial of Service (DDoS) attacks

Specialty Firewalls

Protect specific types of network communications (eg, e-mail, instant-messaging)

Examples Mail Marshal and WebMarshal by Marshal Software OpenReach includes a small-scale packet-filtering

firewall for its VPN VOISS Proxy Firewall (VF-1) by VocalData Speedware Corporation sells its own firewall software

Approaches That Add Functionality to a Firewall

Network Address Translation (NAT)

Encryption

Application proxies

VPNs

Intrusion detection systems (IDSs)

NAT

Converts publicly accessible IP addresses to private ones and vice versa; shields IP addresses of computers on the protected network from those on the outside

NAT

Encryption

Takes a request, turns it into gibberish using a private key; exchanges the public key with the recipient firewall or router

Recipient decrypts the message and presents it to the end user in understandable form

Encryption

Application Proxies

Act on behalf of a host; receive requests, rebuild them from scratch, and forward them to the intended location as though the request originated with it (the proxy)

Can be set up with either a dual-homed host or a screened host system

Application Proxies

Dual-homed setup Host that contains the firewall or proxy server software

has two interfaces, one to the Internet and one to the internal network being protected

Screened subnet system Host that holds proxy server software has a single

network interface Packet filters on either side of the host filter out all

traffic except that destined for proxy server software

Application Proxies on aDual-Homed Host

VPNs

Connect internal hosts with specific clients in other organizationsConnections are encrypted and limited only to machines with specific IP addressesVPN gateway can: Go on a DMZ Bypass the firewall and connect directly to the

internal LAN

VPN Gateway Bypassing the Firewall

Intrusion Detection Systems

Can be installed in external and/or internal routers at the perimeter of the network

Built into many popular firewall packages

IDS Integrated into Perimeter Routers

IDS Positioned Between Firewall and Internet

Chapter Summary

How to design perimeter security for a network that integrates firewalls with a variety of other software and hardware components

Rules and restrictions that influence configuration of a security perimeter

Security configurations that either perform firewall functions or that use firewalls to create protected areas