A firewall protects a secure internal network from a public insecure network.

Firewalls are devices or software that have the ability to control the traffic that is sent from an external network, such as the Internet, to an internal network or local computer. As we'll see later in this chapter, the features that are provided by a firewall will vary depending on the type you choose for your network.

The most common implementation today is the use of a firewall between an organization's internal network and the Internet. Firewalls can be very complex because they provide more features than just packet filtering. They can also provide multiple layers of protection, including actually scanning the information stored in the packets to search for malicious data. They use advanced techniques to monitor connections, to log potential intrusions, and to act upon these incidents.
Firewall Architecture

A firewall is a combination of techniques and technologies used to control the flow of data between networks. A firewall enables all traffic to pass through to each network; however, it compares the traffic to a set of rules that determine how the traffic will be managed. If the traffic matches the rules for acceptable data, the traffic is passed on to the network. If the rule specifies that the data be denied, the traffic cannot continue and will be bounced back. Although some implementations may do this differently, the same basic functionality is used.
Notes from the Field…

Monitoring Traffic Through Firewalls

As Internet access has become a more common fixture in organizations, so has monitoring the Web sites visited by personnel in those organizations. Firewalls are used to prevent unauthorized access to the internal network from the Internet, but also enable organizations to monitor what their employees are accessing on the Internet. Companies can check the firewall logs to determine what sites an employee visited, how long they spent there, what files they downloaded, and other information that the employee may consider private.

Companies may also stipulate the privacy of client information, or those with a presence on the Web may include or create a separate policy that deals with the privacy of a visitor to their Web site. In terms of actual clients (those people with whom a company does business), the policy should state the level of privacy a client can expect. This may include the protection of client information, including information on sales, credit card numbers, and so forth. In the case of police, this might include information on a person's arrest record that can't be concealed under the Public Information Act and open records laws, personal information, and other data. For both clients and visitors to Web sites, a company may stipulate whether information is sold to third parties that may send you advertisements, spam, or phone solicitations.
…work interfaces. This computer acts as a gateway between two networks. The server's routing capability is disabled so that the firewall can handle all traffic management. Either an application-level proxy or circuit-level firewall is run to provide data transfer capability; you must be careful not to enable routing within the network operating system or you will bypass your firewall software. Figure 3.6 shows a dual-homed host firewall configuration.
Screened Host Firewalls

Screened host firewall configurations are considered by many to be more secure than the dual-homed firewall. In this configuration, you place a screening router between the gateway host and the public network. This enables you to provide packet filtering before the packets reach the host computer. The host computer could then run a proxy to provide additional security to this configuration. As packets travel into the internal network, they only know of the computer host that exists. Figure 3.7 shows an illustration of a screened-host configuration.
Screened Subnet Firewalls

A screened subnet firewall configuration takes security to the next level by further isolating the internal network from the public network. An additional screening router is placed between the internal network and the firewall proxy server. The internal router handles local traffic while the external router handles inbound and outbound traffic to the public network. This provides two additional levels of security. First, by adding a link internally, you can protect the firewall host from an attack by an internal source. Second, it makes an external attack much more difficult because the number of links is increased. Figure 3.8 shows the screened subnet firewall configuration.

FIGURE 3.6 A Dual-Homed Host Firewall.

FIGURE 3.7 A Screened Host Firewall.
Firewall Types

There are three basic categories of firewalls: packet level, application level, and circuit level. Each uses a different security approach, thus providing different advantages and disadvantages. One additional feature that was discussed earlier is encryption services. Most firewalls provide some sort of cryptographic services for data transfers.

When you have a complete understanding of the features and type of security that is needed from a firewall, you can then determine the implementation that best fits the environment.
Packet Level Firewall

A packet level firewall is usually a form of screening router that examines packets based upon filters that are set up at the network and transport layers. You can block incoming or outgoing transfers based on a TCP/IP address or other rules. For example, you may choose to not allow any incoming IP connections, but enable all outgoing IP connections. You can set up rules that will enable certain types of requests to pass while others are denied. Rules can be based on source address, destination address, session protocol type, and the source and destination port. Because this works at only three layers, it is a very basic form of protection. To properly provide security to the network, all seven layers must be protected by a full-featured conventional firewall.
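The rule fields just listed (source address, destination address, protocol type, ports) and the "no incoming connections, all outgoing connections" policy can be shown in a small first-match packet filter. This is an added example written for this page, not code from the chapter; the internal network range, the rule set and the sample packets are constructed, and the "new connection" test is the classic stateless one (TCP SYN set, ACK clear).

```python
"""Added example (not from the chapter): a first-match packet filter with the
rule fields the section names (source address, destination address, protocol,
destination port) plus the classic stateless trick for "no incoming connections
but all outgoing connections": block TCP packets that carry SYN without ACK.
All networks, hosts and packets below are constructed sample values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL = "10.0.0.0/8"      # constructed: the organization's internal network


@dataclass
class Packet:
    src: str
    dst: str
    proto: str               # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn_only: bool = False   # TCP SYN set, ACK clear: a new connection attempt


@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    src: str = "0.0.0.0/0"           # source network in CIDR form; default matches any
    dst: str = "0.0.0.0/0"           # destination network in CIDR form
    proto: Optional[str] = None      # None matches any protocol
    dport: Optional[range] = None    # None matches any destination port
    new_conn_only: bool = False      # match only new TCP connection attempts

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and pkt.dport not in self.dport:
            return False
        if self.new_conn_only and not pkt.syn_only:
            return False
        return True


# Rule order matters: the first matching rule decides the packet's fate.
RULES = [
    Rule("allow", src=INTERNAL, proto="tcp"),                       # any outgoing TCP
    Rule("deny", dst=INTERNAL, proto="tcp", new_conn_only=True),    # no incoming connections
    Rule("allow", dst=INTERNAL, proto="tcp"),                       # replies to outgoing sessions
    Rule("allow", src=INTERNAL, proto="udp", dport=range(53, 54)),  # outbound DNS only
]


def filter_packet(rules, pkt):
    """Return (action, index of the rule that matched); unmatched traffic is denied."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None   # implicit default: what is not explicitly allowed is dropped


if __name__ == "__main__":
    samples = [
        Packet("10.0.0.5", "198.51.100.10", "tcp", 40000, 80, syn_only=True),  # outbound web
        Packet("198.51.100.10", "10.0.0.5", "tcp", 80, 40000),                 # the reply
        Packet("203.0.113.7", "10.0.0.5", "tcp", 50000, 22, syn_only=True),    # inbound SSH attempt
        Packet("203.0.113.7", "10.0.0.5", "udp", 5000, 53),                    # inbound UDP
    ]
    for pkt in samples:
        print(pkt.src, "->", pkt.dst, pkt.proto, pkt.dport, filter_packet(RULES, pkt))
```

The third rule is what the text means by "a very basic form of protection": a stateless filter cannot tell a genuine reply to an internal session from an inbound packet that merely has the ACK bit set, which is why the chapter goes on to say the higher layers need a full-featured firewall.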
Application Level Firewall

The application level firewall understands the data at the application level. Application layer firewalls operate at the application, presentation, and session layers. Data at the application level can actually be understood and monitored to verify that no harmful information is included. An example of an application level firewall is an Internet proxy or mail server. Many uses are available through some form of proxy; however, these functions are usually very intensive to provide security at that level. In addition, clients …the proxy server address. The overall server doesn't just filter the packets, it actually takes in the original and retransmits a new packet through a different network interface.

FIGURE 3.8 A Screened Subnet Firewall.
Circuit Level Firewall

A circuit level firewall is similar to an application proxy except that the security mechanisms are applied at the time the connection is established. From then on, the packets flow between the hosts without any further checking from the firewall. Circuit level firewalls operate at the transport layer.
Firewall Features

As firewalls have evolved, additional feature sets have grown out of or been added to these implementations. They are used to provide faster access and better security mechanisms. As encryption techniques have improved, they are being incorporated more into firewall implementations. Also, caching is being provided for services such as the World Wide Web. This enables pages to be cached for a period of time, which can dramatically speed up the user experience. New management techniques and technologies such as virtual private networks (VPNs) are now being included as well.

Content filtering is another major feature of a firewall. Because of the possible damage a Java applet, JavaScript, or ActiveX component can do to a network in terms of threatening security or attacking machines, many companies filter out applets completely. Firewalls can be configured to filter out applets, scripts, and components so that they are removed from the Hypertext Markup Language (HTML) document that is returned to a computer on the internal network. Preventing such elements from ever being displayed will cause the Web page to appear differently from the way its author intended, but any content that is passed through the firewall will be more secure.
DMZ

DMZ is short for demilitarized zone and is a military term used to signify a recognized safe area between two countries where, by mutual agreement, no troops or war-making activities are allowed. There are usually strict rules regarding what is allowed within the zone. In computer security, the DMZ is a neutral network segment where systems accessible to the public Internet are housed, and which offers some basic levels of protection against attacks.
The creation of these DMZ segments is usually done in one of two ways:

■ Layered DMZ implementation
■ Multiple interface firewall implementation

In the first method, the systems are placed between two firewall devices with different rule sets, which allows systems on the Internet to connect to the offered services on the DMZ systems, but prevents them from connecting to the computers on the internal segments of the organization's network (often called the protected network). Figure 3.9 shows a common installation using this layered approach.

As shown in Figure 3.10, the second method is to add a third interface to the firewall and place the DMZ systems on that network segment. This allows the same firewall to manage the traffic between the Internet, the DMZ, and the protected network. Using one firewall instead of two lowers the costs of the hardware and centralizes the rule sets for the network, making it easier to manage and troubleshoot problems. Currently, this multiple interface design is the preferred method for creating a DMZ segment.

In either case, the DMZ systems offer some level of protection from the public Internet while they remain accessible for the specific services they provide to external users. In addition, the internal network is protected by a firewall from both the external network and the systems in the DMZ.

FIGURE 3.9 A Layered DMZ Implementation.
Because the DMZ systems still offer public access, they are more prone to compromise and thus they are not trusted by the systems in the protected network. This scenario allows for public services while still maintaining a degree of protection against attack.

The role of the firewall in all of these scenarios is to manage the traffic between the network segments. The basic idea is that other systems on the Internet are allowed to access only the services of the DMZ systems that have been made public. If an Internet system attempts to connect to a service not made public, the firewall drops the traffic and logs the information about the attempt (if configured to do so). Systems on a protected network are allowed to access the Internet as they require, and they may also access the DMZ systems for managing the computers, gathering data, or updating content. In this way, systems are exposed only to attacks against the services that they offer and not to underlying processes that may be running on them.

FIGURE 3.10 A Multiple Interface Firewall DMZ Implementation.
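The zone rules described above for the multiple interface design (Internet reaches only published DMZ services, the protected network reaches both, DMZ hosts are not trusted inward, and rejected attempts are logged) can be expressed as a small zone-pair policy. This is an added example for this page, not code from the chapter: the DMZ and protected network ranges, the published services, the sample connection attempts, and the choice to give DMZ hosts no outbound Internet access are all constructed assumptions.

```python
"""Added example (not from the chapter): the zone policy a multiple-interface
firewall enforces between the Internet, the DMZ and the protected network.
Each address is classified into a zone by the interface network it belongs to,
each zone pair gets an allowed-service list, and anything else is dropped and
logged. The network ranges, services and sample connections are constructed."""
from ipaddress import ip_address, ip_network

ZONES = {                                   # constructed interface networks
    "dmz": ip_network("192.0.2.0/24"),
    "protected": ip_network("10.0.0.0/8"),
}
ANY = "any"

# Allowed traffic per (source zone, destination zone); pairs absent here are denied.
POLICY = {
    ("internet", "dmz"): {("tcp", 80), ("tcp", 443), ("tcp", 25)},  # published services only
    ("protected", "internet"): ANY,   # internal users reach the Internet as they require
    ("protected", "dmz"): ANY,        # management, data gathering, content updates
    # ("internet", "protected") and ("dmz", "protected") are deliberately absent:
    # DMZ hosts are not trusted by the protected network.
    # Assumption for this example: DMZ hosts get no outbound Internet access either.
}


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"        # everything not on a firewall interface network


def decide(src: str, dst: str, proto: str, dport: int, log: list) -> str:
    """Return "allow" or "drop"; dropped attempts are appended to log."""
    pair = (zone_of(src), zone_of(dst))
    allowed = POLICY.get(pair)
    if allowed == ANY or (allowed is not None and (proto, dport) in allowed):
        return "allow"
    log.append(f"DROP {pair[0]}->{pair[1]} {src} -> {dst} {proto}/{dport}")
    return "drop"


def run_samples():
    """Evaluate constructed connection attempts; returns (decisions, drop log)."""
    log = []
    attempts = [
        ("203.0.113.7", "192.0.2.10", "tcp", 443),   # Internet -> DMZ web server
        ("203.0.113.7", "192.0.2.10", "tcp", 22),    # Internet -> DMZ SSH (not published)
        ("203.0.113.7", "10.0.0.5", "tcp", 80),      # Internet -> protected host
        ("10.0.0.5", "192.0.2.10", "tcp", 22),       # admin managing a DMZ host
        ("192.0.2.10", "10.0.0.20", "tcp", 445),     # compromised DMZ host probing inward
        ("10.0.0.5", "198.51.100.9", "tcp", 443),    # internal user browsing the Internet
    ]
    decisions = [decide(*a, log) for a in attempts]
    return decisions, log


if __name__ == "__main__":
    decisions, log = run_samples()
    print(decisions)
    print("\n".join(log))
```

The fifth attempt is the case the text is most concerned with: a DMZ host, being reachable from the Internet, may be compromised, and the absent ("dmz", "protected") entry is what keeps that compromise from becoming a foothold on the protected network. The drop log is also the record an analyst would review for probes of unpublished services.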
Test Day Tip

DMZs can be a difficult topic to initially understand. In reviewing information about how they work, try to remember that the DMZ is a "no man's land" that provides a separation between your LAN and an external WAN like the Internet.
ACLs are access control lists, which are used to control access to specific resources on a computer. An ACL resides on a computer and is a table with information on which users have specific rights to files and folders on the machine. The operating system uses this attribute of the file or folder to determine whether a user is allowed or denied specific privileges to the object. By using the ACL you can provide users of the network with the rights they need to access these files or folders. However, in doing so, it is advisable that you only provide users with the minimum amount of access required to perform their jobs.
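The ACL table and the least-privilege advice above can be made concrete with a small evaluator: a table of entries per object, effective rights for a user computed through group membership, and an audit that lists rights a user holds beyond what the job requires. This is an added example written for this page, not code from the chapter; the users, groups, file path, entries and required-rights table are constructed, and the rule that an explicit deny entry overrides any allow entry is a design choice made for this example.

```python
"""Added example (not from the chapter): an ACL as a table of entries per
object, effective-rights evaluation for a user through group membership, and
a least-privilege audit that reports rights a user holds beyond what the job
requires. Users, groups, objects and required rights are constructed. Design
choice for this example: an explicit deny entry wins over any allow entry."""

GROUPS = {                       # constructed: user -> groups
    "alice": {"finance"},
    "bob": {"finance"},
    "carol": {"it-admins"},
    "dave": set(),
}

# object -> list of ACL entries (principal, rights, "allow" | "deny")
ACL = {
    "/finance/payroll.xlsx": [
        ("group:finance", {"read", "write"}, "allow"),
        ("user:bob", {"write"}, "deny"),          # bob only needs to read the file
        ("group:it-admins", {"read", "write", "delete"}, "allow"),
    ],
}


def principals_of(user: str) -> set:
    """Identities a user can match in an ACL: the user itself and each of its groups."""
    return {f"user:{user}"} | {f"group:{g}" for g in GROUPS.get(user, set())}


def effective_rights(user: str, obj: str) -> set:
    """Union of allowed rights for the user's principals minus explicit denies."""
    mine = principals_of(user)
    allowed, denied = set(), set()
    for principal, rights, kind in ACL.get(obj, []):
        if principal not in mine:
            continue
        (allowed if kind == "allow" else denied).update(rights)
    return allowed - denied      # deny takes precedence (this example's choice)


def has_right(user: str, obj: str, right: str) -> bool:
    return right in effective_rights(user, obj)


def audit_surplus(obj: str, required: dict) -> dict:
    """Least-privilege check: rights each user holds on obj beyond what the job needs."""
    surplus = {}
    for user, needed in required.items():
        extra = effective_rights(user, obj) - needed
        if extra:
            surplus[user] = extra
    return surplus


if __name__ == "__main__":
    # constructed: what each job actually requires on the payroll file
    REQUIRED = {"alice": {"read"}, "bob": {"read"},
                "carol": {"read", "write", "delete"}, "dave": set()}
    print(audit_surplus("/finance/payroll.xlsx", REQUIRED))   # alice holds write she does not need
```

The audit output is the practical form of "minimum amount of access": alice inherits write from the finance group although her job needs only read, so the entry to fix is the group grant (or an explicit deny like bob's), not a one-off exception.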
Proxy Server (Caching Appliances)

A proxy server is a server that performs a function on behalf of another system. In most cases this is a system that is acting as a type of gateway between the Internet and a company network. The employees who wish to access the Internet will perform actions as they normally would with their browser, but the browser will submit the request to the proxy server. The proxy server will then transmit the request on the Internet and receive the results. The results will then be sent to the original requester. A nice feature of the proxy server is that the Web pages that are not encrypted will be saved in a cache on the local hard disk. If another user requests the same page, the proxy server will not request the page from the Internet, but retrieve it from the hard disk. This saves quite a bit of time by not having to wait on Internet requests, which may be coming from an overburdened Web server.

The proxy server can cache information going both ways; because it can cache requests going out, it can also act as a proxy for Internet users making requests to the company Web server. This can help keep traffic minimized on the company network.

Another feature of the proxy server is that it can act as the physical gateway between the Internet and company network by filtering out specific information, especially if you use the proxy server to act as a proxy between the Internet and the company Web server. Filtering can be configured for allowing or not allowing packets if they meet one or more of the following specified criteria: specific port, direction of transfer, or source or destination of packets.
Tunnels and Encryption

Tunneling is used to create a virtual tunnel (a virtual point-to-point link) between you and your destination using an untrusted public network as the medium. In most cases, this would be the Internet. When establishing a tunnel, commonly called a VPN (which we'll discuss in the next section), a safe connection is being created between two points that cannot be …authentication and integrity. This ensures that they are tamperproof and thus can withstand common IP attacks, such as the man-in-the-middle (MITM) and packet replay. When a VPN is created, traffic is private and safe from prying eyes.
VPNs

A VPN provides users with a secure method of connectivity through a public internetwork such as the Internet. Most companies use dedicated connections to connect to remote sites, but when users want to send private data over the Internet they should provide additional security by encrypting the data using a VPN.

When a VPN is implemented properly, it provides improved wide-area security, reduces costs associated with traditional WANs, improves productivity, and improves support for users who telecommute. Cost savings are twofold. First, companies save money using public networks (such as the Internet) instead of paying for dedicated circuits (such as point-to-point T1 circuits) between remote offices. Second, telecommuters do not have to pay long-distance fees to connect to Remote Access Service (RAS) servers. They can simply dial into their local ISPs and create a virtual tunnel to the office.

A tunnel is created by wrapping (or encapsulating) a data packet inside another data packet and transmitting it over a public medium. Tunneling requires three different protocols:

■ Carrier Protocol: The protocol used by the network (IP on the Internet) that the information is traveling over.
■ Encapsulating Protocol: The protocol (PPTP, L2TP, IPSec, Secure Shell [SSH]) that is wrapped around the original data.
■ Passenger Protocol: The original data being carried.
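The three layers listed above can be seen byte for byte by building one tunneled packet and unwrapping it again. This is an added example for this page, not code from the chapter: the carrier is an outer IPv4 header, the passenger is an inner IPv4 packet, and the encapsulating protocol used is plain GRE (IP protocol 47), chosen here as a stand-in for the PPTP/L2TP/IPSec/SSH options the chapter names because its four-byte header is the simplest of them (PPTP itself builds on an extended form of GRE). All addresses and the payload are constructed.

```python
"""Added example (not from the chapter): the three tunneling layers the section
lists, built and unpacked with real header layouts. Carrier protocol: an outer
IPv4 header. Encapsulating protocol: GRE (IP protocol 47), a substitute for the
PPTP/L2TP/IPSec/SSH options the chapter names. Passenger protocol: an inner
IPv4 packet carrying the original data. Addresses and payload are constructed."""
import struct
from ipaddress import IPv4Address

IPPROTO_GRE = 47
ETHERTYPE_IPV4 = 0x0800
# version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum, src, dst
IPV4_FMT = "!BBHHHBBH4s4s"


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words; a valid header sums to zero."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4(buf: bytes):
    """Validate a 20-byte IPv4 header; return (src, dst, proto, payload)."""
    if len(buf) < 20 or buf[0] != 0x45:
        raise ValueError("not a plain IPv4 header")
    if ipv4_checksum(buf[:20]) != 0:
        raise ValueError("bad IPv4 header checksum")
    _, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, buf[:20])
    return str(IPv4Address(src)), str(IPv4Address(dst)), proto, buf[20:total_len]


def encapsulate(inner_src, inner_dst, payload: bytes, outer_src, outer_dst) -> bytes:
    """Passenger (inner IP) -> wrapped in GRE -> carried by outer IP."""
    passenger = ipv4_header(inner_src, inner_dst, 6, len(payload)) + payload  # 6 = TCP, label only
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4) + passenger                    # no flags, payload type IPv4
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre)) + gre


def decapsulate(frame: bytes) -> dict:
    """Unwrap carrier, then encapsulating header, then passenger; raise on malformed input."""
    outer_src, outer_dst, proto, gre = parse_ipv4(frame)
    if proto != IPPROTO_GRE:
        raise ValueError("carrier does not contain GRE")
    flags, ptype = struct.unpack("!HH", gre[:4])
    if flags != 0 or ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE header")
    inner_src, inner_dst, _, payload = parse_ipv4(gre[4:])
    return {"outer_src": outer_src, "outer_dst": outer_dst,
            "inner_src": inner_src, "inner_dst": inner_dst, "payload": payload}


if __name__ == "__main__":
    frame = encapsulate("10.1.0.5", "10.2.0.9", b"hello", "203.0.113.1", "198.51.100.2")
    print(len(frame), "bytes on the wire;", decapsulate(frame))
    print("payload visible in clear:", b"hello" in frame)   # GRE alone gives no confidentiality
```

The last line of the demo is the point of the preceding section on tunnels and encryption: encapsulation alone only hides the private addresses inside a public packet, and the payload is still readable on the wire, so the encapsulating protocol must also supply encryption, authentication and integrity before the tunnel deserves the name VPN.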
Essentially, there are two different types of VPNs: site-to-site and remote access.
Site-to-Site VPN

Site-to-site VPNs are normally established between corporate offices that are separated by a physical distance extending further than a normal LAN. VPNs are available in software (such as Windows network operating systems) and hardware (firewalls such as Nokia/Checkpoint and SonicWALL) implementations. Generally speaking, software implementations are easier to maintain. However, hardware implementations are considered more secure, because they are not impacted by operating system vulnerabilities. For example, suppose Company XYZ has offices in Boston and Phoenix. As shown in Figure 3.11, both offices connect to the Internet via a T1 connection. They have implemented VPN-capable firewalls in both offices, and established an encryption tunnel between them.

The first step in creating a site-to-site VPN is selecting the protocols to be used. Common protocols associated with VPN are Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), SSH, and IP Security (IPSec). PPTP and L2TP are used to establish a secure tunnel connection between two sites.

Once a tunnel is established, encryption protocols are used to secure data passing through the tunnel. As data is passed from one VPN to another, it is encapsulated at the source and unwrapped at the target. The process of establishing the VPN and wrapping and unwrapping the data is transparent to the end user.

Most commercially available firewalls come with a VPN module that can be set up to easily communicate with another VPN-capable device. Microsoft has implemented site-to-site VPN tools on the Windows 2003 platform using either RRAS or the newest rendition of Microsoft's proxy server, Microsoft ISA Server 2006.

Whichever product or service is chosen, it is important to ensure that each end of the VPN is configured with identical protocols and settings.

FIGURE 3.11 A Site-to-Site VPN Established Between Two Remote Offices.
…differs from a site-to-site VPN in that end users are responsible for establishing the VPN tunnel between the workstation and their remote office. An alternative to connecting directly to the corporate VPN is connecting to an enterprise service provider (ESP) that ultimately connects to the corporate VPN.

In either case, users connect to the Internet or an ESP through a point of presence (POP) using their particular VPN client software (Figure 3.12). Once the tunnel is set up, users are forced to authenticate with the VPN server, usually by username and password.

A remote access VPN is a great solution for a company with several employees working in the field. The remote access VPN allows these employees to transmit data to their home offices from any location. RRAS offers an easy solution for creating a remote access VPN.

FIGURE 3.12 A Remote-Access VPN Solution Using Regular Internet POPs.