The Ideal Firewall
Overview
The chapters at the end of this book review a number of commonly used (and a few less commonly used) firewall packages and toolkits. We'll provide detailed information on the strengths and weaknesses of each, but as firewall implementations change with time (they get better, usually), only those firewalls that are currently available will be covered. What should you look for when you are examining firewalls? How would you set up the ideal firewall for your network? These are the questions that will be answered here.
First, you'll determine the security needs of your organization and network. Second, you'll see how the ideal firewall should be configured for varying degrees of paranoia. Third, you'll learn about the various ongoing tasks you'll need to perform with even the most automated and secure firewall. Finally, you'll find out what you should do when your network is actually under attack.
This chapter is broken down into two major parts. The first part, "Defining Your Security Requirements," will help you figure out what general type of security your business requires. The second part will then explain exactly how to configure your border gateways to achieve that level of security. You may find that you'll read back and forth between the two sections to gain a full understanding of the problem.
Defining Your Security Requirements
No two networks have exactly the same security requirements. A bank, for example, is going to be a bit more concerned than a retail clothing store about network intrusions. The type of security concern varies as well as the degree—in a university computing lab the administrator is just as concerned about hosting the source of hacking attacks as about being the target of them.
To decide just how much effort to expend in securing your network, you need to know the value of the data in your network, the publicity or visibility of your organization, and the harm that could be caused by loss of service. You should also consider how much disruption or imposition you can live with on your network in the name of security.
Similar organizations have similar requirements, so you can compare the needs of your network to those of the organizational types listed below.
Home Offices
A home office is the simplest Internet-connected network. Usually, a home office has two to three computers connected in a peer-to-peer fashion on a small LAN. These networks either have a modem attached to each computer so users can connect to the Internet, or they have one computer or device that mediates access to the Internet whenever any of the users need an Internet connection. Sometimes the device that connects to the Internet is an inexpensive network hub and NAT router.
The typical home office budget can't afford to dedicate a computer to be a network firewall. Sometimes the Internet service provider is relied upon to keep the hackers out. However, this is not a particularly effective technique because ISPs vary in competence and workload, and they never customize security to fit your needs—they provide only a "one-size-fits-all" solution that is necessarily lax because they don't know how their customers will use the Internet.
Just because most firewalls are prohibitively expensive for home use doesn't mean you are helpless. Chapter 13, "Security Utilities," details a number of "mini-firewalls" that are intended to be installed on personal computers directly, as well as popular low-cost NAT routers which provide very strong default security. Small firewall-less networks can still (and should) install current operating system patches to protect the computers from TCP/IP attacks such as Ping of Death and the Out of Band attack. File sharing should be turned off for computers that are connected to the Internet (or, for more advanced operating systems such as Windows NT and Unix, those services should be disconnected from the network adapter or modem that is connected to the Internet). Any unnecessary services should also be turned off so network intruders can't exploit them.
A recent welcome development is the proliferation of devices that include simple stateful packet filters with Network Address Translation and Internet connectivity via dial-up modem or Ethernet connectivity to a cable or DSL modem. These inexpensive devices greatly increase the security of home office networks by hiding the identity of computers on the LAN and by foiling packet-based exploits, but they do not provide the full range of protection provided by full-spectrum firewalls.
The reason home office networks aren't exploited more often is that their network connections are usually intermittent, their connection speed is low so it takes a long time to hack into them, and they seldom provide services (such as websites) that hackers can exploit (with the notable exception of home offices that hook Windows computers directly to the Internet and do not turn off file and printer sharing, or Windows NT/2000 computers that leave IIS activated). Most hackers exploit random targets of opportunity, so a computer that spends most of its time detached from the Internet isn't going to make a very juicy target. The biggest threat to the home office network is from someone who knows about the network and has a specific reason to attack it. Disgruntled or former employees, business competitors, or an individual with a personal axe to grind are the most likely culprits.
Cable modem and DSL users have become a favored target of hackers, however, because their connection speeds are high, their connections are always on, they often have no security in place, and their computers are left in the default installation state without security patches applied.
The best way to permanently connect a home office telecommuter to a corporate network is to use a small firewall built to do exactly that, like the SonicWALL SOHO. These firewalls are complete, real firewalls that include IPSec and can be remotely managed through the VPN by the corporate IT staff. In this configuration, the home office is just like any other branch office—connected through a VPN to a firewall with a single public IP address and configured to perform Network Address Translation so the connection can be shared by a few computers. Unfortunately, these devices run about $500 each, so they're not particularly cost effective for many users.
The next best way is to use a small NAT device that can pass a single IPSec connection, like the Linksys Cable/DSL Router with IPSec passthrough. In this configuration, the device doesn't come with IPSec, but it will allow a single computer with an IPSec client to establish connections and route through it. It provides the inherent firewalling provided by all NAT devices, and can be used to share a single Internet connection amongst multiple users. Neither your ISP nor the corporate IT group will see anything other than the single IP address of the NAT device, from which all connections including the IPSec connection will appear to come. This configuration is not really remotely manageable by the IT staff without potentially creating security problems, so it's most effective for users with some technical skill. This method will also work with proprietary VPN solutions like PPTP, L2TP, etc., as long as the NAT device can properly translate the protocol. This solution would cost about $150, including the price of the hardware NAT device and the license for the IPSec software client.
Small Service Businesses
Small service business networks, with a typical computer count of around a dozen or so, often have a dedicated computer for file and print services and, in many cases, a dedicated connection to the Internet. Although few small service businesses actually have firewalls, they all should. The potential loss of data and business productivity due to a network intrusion more than justifies the cost of one extra computer and some software.
You don't want to go overboard with security in a small service business, however, and very few small service businesses will go to great lengths to bulletproof their networks because a cost/benefit analysis will usually show that less stringent security is sufficient. Consider, for example, a heating and air-conditioning company that has a small network with an Internet connection. The company's computers have little that would interest either a random hacker or a rival company that might engage in industrial espionage. The network users want as few restrictions as possible on how they access the Internet, so it is difficult to justify draconian network policies.
Tip The small service business network administrator should be concerned about security, but the appropriate policy for the firewall is to permit by default, and to specifically deny packets, protocols, and services on the firewall that the administrator judges to be dangerous.
Professional Firms
Like the small service business, a small confidential practice such as a law firm, accounting firm, psychiatry practice, or medical specialist may have a half dozen to a dozen or more computers connected in a LAN with an intermittent or permanent Internet connection. The small confidential practice should have a more stringent security requirement than the typical small business, however, because the practice's computers contain confidential information that invites specific and targeted attack from network intruders over the Internet.
Tip Because of the sensitivity of the information and the attraction this type of network presents to hackers, the network administrator of a small confidential practice should be cautious (denying packets, protocols, and ports by default unless the rules established specifically allow them) or strict (not routing IP packets at all and allowing only proxied network traffic through the firewall) about security.
Manufacturers
A large network with 50 to 100 computers is a much more tempting target to the average hacker, especially if the network has expensive network equipment and VPN links to other large computer networks. This is the type of network used by medium-to-large corporations, and the very size and complexity of corporate networks make them easier for hackers to attack.
Large corporate networks also may be subject to specific targeted attacks for the purposes of industrial espionage or anticompetitive denial of service. Since corporations have more employees (and former employees) than smaller businesses do, corporations are also much more likely to come under attack from insiders or former insiders.
A corporation with a lot of public visibility (such as Sony, Microsoft, Pepsi, or Disney) also has the problem of hackers trying to penetrate its networks for greater bragging rights than would be achieved by hacking other, less well-known companies (such as McMaster-Carr or Solar Turbines).
Tip Network administrators of large corporate networks need to take extra care that their networks are not compromised because the potential cost of lost productivity is proportionately greater in the larger networks than it is in small ones, and because the large corporate network makes a much more tempting target for hackers. A cautious (deny routing by default) or strict (no routing at all) policy is most appropriate for these kinds of networks.
Government Bureaus
The networks used by governmental bureaus have all of the characteristics of corporate networks (they are often large, have interesting hardware, and provide links to other networks), but governmental networks are also tempting targets because of their political nature. The Bureau of Reclamation has little to worry about, but the FBI, on the other hand, is under almost constant siege from the very hackers it chases. As a general rule, the more visible the organization, the more likely it is to attract the ire of a hacker with an agenda.
Tip Network administrators of governmental bureaus should be either strict (allowing no routing) or paranoid (minimizing any sort of Internet risk, regardless of the constraints that places on their own network use), depending on the visibility and sensitivity of the organization. Special care should be taken to secure websites in order to deny hackers an easy way to embarrass the bureau and to advertise their own causes.
Universities or Colleges
University network administrators have the vexing problem of having to defend their systems from internal attacks as well as external ones. The periodic influx of new students ensures a fresh crop of hackers who will always be pushing at the security boundaries of the network. The students must have computers and access to the Internet, but the administrative staff of the school also needs a secure work environment.
Most schools cope with this problem by having two (or more) separate networks, each with a different security policy and with carefully controlled access between the networks. The public access student network typically has a severely restrictive policy and is frequently checked for viruses, Trojan horses, modified system settings, and so on.
Tip The university or college network administrator usually takes a cautious (deny by default) or a strict (proxy only, no routing) approach to managing the school's administrative networks. The network administrator also takes a fairly open approach to managing the students' network, while taking special care to keep the networks separate and while keeping a close eye on the state of the student network.
Internet Service Providers
The ISP network administrator has a problem similar to that of the university network administrator. The ISP network administrator must keep hackers from the Internet at bay and internal hackers contained, for the customers of the ISP expect to be protected from each other as well as from the outside. In addition, customers expect to have full Internet access—they want to decide for themselves which protocols and services to use.
Tip Most ISPs use a firewall to protect their network service computers (DNS server, mail server, and so on) in a cautious or strict configuration and use a packet filter in a more liberal configuration (permission by default) to stop the most obvious Internet attacks (Ping of Death, source-routed packets, malformed IP and ICMP packets, etc.) from reaching their clients. At the client's request, many ISPs will apply more strict security policies to the client connection on a per-client basis.
Online Commerce Companies
For most companies, the Internet connection is a convenience. For online commerce companies, the reliable operation of the connection and the services that flow over it are the lifeblood of the company. A used bookstore that accepts inquiries for titles over the Internet can afford for its website to be down every once in a while, but an online bookstore that transacts all of its business over the Internet cannot.
In addition to preventing denial-of-service attacks, the administrator of an online commerce network must be aware of a more dire threat—the theft of customer information, including financial transaction data (especially credit card numbers). Consumers expect that the data they provide to your online company will remain confidential, and there may be severe public relations problems if the data gets out, as well as legal repercussions if the company is found negligent in its security.
unauthorized access from the interior network, and vice versa.
Tip Because of the severe repercussions of both denial-of-service and data theft attacks, the smart network administrator for an online commerce company will implement a strict (proxy only, no routing) firewall policy for the company's Internet servers. The administrator may establish a more permissive (cautious or concerned) policy for a separate administrative network if the staff needs freer Internet access for business activities that are not business critical.
Financial Institutions
protect the customers' account information.
Tip Those banking systems that allow any sort of Internet access implement strict (proxy access only) or paranoid (custom crafted with special-purpose network software) policies to protect their computers.
Hospitals
In a hospital network, unlike all the previous types of networks, people can die if the computers stop working. For this reason, the patient care hospital networks that have medical equipment attached to them are seldom connected to the Internet in any form. Administrative networks may be connected, but those links are carefully secured because of the risk of divulging or destroying confidential patient data. The networks in research labs, however, are typically closely and permissively attached to the network because scientists work best in an open environment where information exchange is made easy.
Tip Like those of banks and universities, the hospital network administrator breaks his networks into several mutually untrusting sections. Life-critical equipment simply is not connected to the Internet. A strict policy is adopted for administrative computers (they still need e-mail, after all), while research LANs have a cautious or concerned policy.
Military Organizations
Military networks, like hospital networks, can have terminal repercussions when security is penetrated. As with governmental bureaus, hackers or espionage agents often have a specific target or axe to grind with the military. But not all military networks are the same—the civilian contractors managing a contract to purchase, warehouse, and distribute machine tools will have a different set of security requirements than the Navy war college's academic network, and neither of those will be designed with anywhere near the level of paranoia that goes into constructing the real-time battle information systems that soldiers use to wage war.
Tip The administrator of a military network must match the firewall policy of the LAN to the type of work performed on it. Classified and administrative networks will have at least a cautious (default deny) or strict (proxy only, no routing) policy, while Secret and above information systems will be divorced from the Internet entirely.
Intelligence Agencies
Some organizations have the dual goals of safeguarding their own networks while simultaneously finding ways to circumvent the walls keeping them out of other people's networks. You can be sure that the professional agents in these organizations have a dossier on and an action plan to exploit every operating system bug or protocol weakness there is. But knowing about a hole and plugging it are two different issues, and sometimes the hackers can steal a march on the spooks.
In an odd turn of fate, the NSA has in fact taken the Linux source code, tightened up security in areas they find important, and released the code back to the free software community. This has given hackers and open-source advocates a bit of indigestion—do you trust it because it is open and you can check the source code, or do you mistrust it because of its source?
Tip It is a good bet that the administrators of these kinds of networks go one step beyond implementation of a strict firewall security—I would be very surprised if these secrecy professionals used any commercial software to firewall their networks. The truly paranoid will only trust software that they personally examine for back doors and weaknesses, compiled with similarly inspected software tools.
Configuring the Rules
Once you've determined the degree of paranoia that is justified for your network (or networks, if you manage more than one), you can set up the firewalling rules that keep the hackers out. Every firewall allows you to establish a set of rules that will specify what trans-firewall traffic will be allowed and what will not, as well as to establish and manipulate these rules. The following chapters will discuss the specifics of how each firewall is configured.
In the remainder of this chapter, however, you'll learn about these rules generically and how you should establish them so that your firewall won't have any obvious and easily avoidable weaknesses. You'll also learn about the care and feeding of a running firewall and what you can do when you discover it has come under attack.
Rules about Rules
Every firewall worth its weight in foam packing peanuts will have a number of features or characteristics of rules in common. You need to understand these rules and features because they form the building blocks of the logic that will either keep the hackers out or let them in.
Apply in Order
When deciding whether or not to allow a packet to pass the firewall, well-constructed firewall software will start with the first rule in its rule set and proceed toward the last until the packet is either explicitly allowed, explicitly disallowed, or until it reaches the end of the rules (whereupon the packet is allowed or dropped by default). The rules must always be evaluated in the same order to avoid ambiguity about which rule takes precedence.
Some strong firewalls take a "best rule fitting the problem" approach rather than an ordered rule set approach. While this may in fact provide stronger security, it can be very difficult for an administrator to determine which rule will be applied in a specific circumstance.
Per Interface
Firewall software should be able to discriminate between packets by the interface they arrive on and the interface they will leave from. This is essential because the firewall can't really trust the source and destination addresses in the packets themselves; those values are easily forged. A packet arriving on an external interface that says it is from inside your network is an obvious flag that something fishy is going on.
Per Type of Packet (TCP, UDP, ICMP)
Your firewall must be able to filter based on packet type because some are essential to network operation, while other types are just recipes for trouble. For example, you will want to allow ICMP echo reply packets to pass into your network from the outside (so your client computers can verify connectivity to outside hosts), but you may not want to pass ICMP echo request packets in to those same clients. After all, there's no sense letting hackers build a list of potential targets on your LAN.
Some protocols use UDP on a particular port while others use TCP, and you don't want to let UDP traffic through on a port that has been opened for TCP or vice versa.
Per Source and Destination Addresses
Your firewall must classify traffic according to where it comes from and where it is going. You may want to allow external computers to establish connections to publicly accessible internal or DMZ web and FTP servers, but not to establish connections to internal client computers. You probably want to allow internal clients to establish connections going the other way, however. Your firewall should be able to permanently block troublesome hosts and networks from performing any access at all, and should be able to deny all access to sensitive computers inside your network that don't need Internet connectivity.
Per Source and Destination Ports
Similarly, you will want to control TCP and UDP packets according to which ports they're coming from and going to. You should allow external users to connect from any port on their own computers to just those internal ports that are used by externally visible services (such as HTTP and FTP). Don't allow external users to connect to just any port on internal computers, because Trojan horses such as Back Orifice work by opening up a port above 1023 (most operating systems restrict user programs from opening ports below this value) for hackers to connect to. However, users inside your network need to be able to initiate connections using source ports greater than 1023 with the destination port of any common TCP protocol (such as HTTP, FTP, Telnet, and POP). You might want to limit your users to just a few destination ports, or you may allow connections to arbitrary external ports.
Per Options
Originating hosts and routers can set a variety of options in the header of IP packets. Some options are notorious for being used to circumvent security, with source routing the most abused of all the options. Most firewalls simply drop source-routed packets. Because none of the IP options are required for normal Internet traffic, strong firewalls simply drop any packets that have options set.
Per ICMP Message Type
As mentioned above, some ICMP packets are required for the Internet to cope with network problems. But many ICMP packets (sometimes the same essential packets) can also be used in unconventional ways to crash computers on your network. The firewall must be able to determine, based on the message type and how it is used, whether or not that ICMP packet is safe to pass.
Per ACK Bit for TCP
The firewall must be able to tell the difference between a packet that is requesting a connection and one that is merely sending or replying over an already established connection. The difference between these two types of packets is just one bit—the ACK bit. Packets requesting a connection have it cleared; all others have it set. You will use this rule characteristic most often with the source and destination characteristics to allow connections to only those ports you specify and in only the direction you allow.
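As an added example (not code from the book), here is a toy first-match packet filter in Python that applies the rule characteristics above, from "Apply in Order" through the ACK bit, to constructed sample packets; the LAN range, the web server address, the interface names and the rule set are all assumptions made for the illustration.

```python
# Added example, not code from the book: a toy first-match packet filter that
# applies rules in order on the characteristics the text lists (interface,
# protocol, addresses, ports, IP options, ICMP type, TCP ACK bit).
# The LAN address range, the web server address and the rules are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL_NET = "192.168.1.0/24"     # constructed example LAN
WEB_SERVER = "192.168.1.10/32"      # constructed public web server on the LAN


@dataclass
class Packet:
    in_if: str                      # interface the packet arrived on: "ext" or "int"
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False               # TCP ACK bit: cleared on connection requests
    ip_options: bool = False        # True if any IP option (e.g. source routing) is set
    icmp_type: Optional[str] = None


@dataclass
class Rule:
    action: str                     # "pass" or "drop"
    note: str
    in_if: Optional[str] = None     # None means "any" for every field below
    proto: Optional[str] = None
    src: Optional[str] = None       # CIDR network
    dst: Optional[str] = None
    dport: Optional[range] = None
    ack: Optional[bool] = None
    ip_options: Optional[bool] = None
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return all([
            self.in_if is None or self.in_if == p.in_if,
            self.proto is None or self.proto == p.proto,
            self.src is None or ip_address(p.src) in ip_network(self.src),
            self.dst is None or ip_address(p.dst) in ip_network(self.dst),
            self.dport is None or p.dport in self.dport,
            self.ack is None or self.ack == p.ack,
            self.ip_options is None or self.ip_options == p.ip_options,
            self.icmp_type is None or self.icmp_type == p.icmp_type,
        ])


def evaluate(rules, p: Packet, default: str = "drop"):
    """Walk the rules top to bottom; the first match decides, else the default."""
    for n, r in enumerate(rules, 1):
        if r.matches(p):
            return r.action, f"rule {n}: {r.note}"
    return default, "default policy"


# A cautious (deny-by-default) rule set. Order matters: the IP-options and
# anti-spoof drops sit above every pass rule so nothing can slip past them.
RULES = [
    Rule("drop", "any packet with IP options set (source routing etc.)", ip_options=True),
    Rule("drop", "anti-spoof: internal source address on the external interface",
         in_if="ext", src=INTERNAL_NET),
    Rule("drop", "ICMP redirect from anywhere", proto="icmp", icmp_type="redirect"),
    Rule("pass", "echo replies so internal clients can ping outside hosts",
         in_if="ext", proto="icmp", icmp_type="echo-reply"),
    Rule("drop", "no inbound echo requests (no mapping of the LAN)",
         in_if="ext", proto="icmp", icmp_type="echo-request"),
    Rule("pass", "new connections to the public web server only",
         in_if="ext", proto="tcp", dst=WEB_SERVER, dport=range(80, 81), ack=False),
    Rule("pass", "ACK set: traffic on connections the inside already opened",
         in_if="ext", proto="tcp", ack=True),
    Rule("pass", "internal clients opening outbound connections",
         in_if="int", proto="tcp", src=INTERNAL_NET, ack=False),
    Rule("pass", "anything else leaving the LAN", in_if="int", src=INTERNAL_NET),
]


def demo():
    """Constructed sample packets run through the rule set; returns name -> verdict."""
    samples = {
        "web_syn": Packet("ext", "tcp", "203.0.113.7", "192.168.1.10", 40000, 80),
        "high_port_syn": Packet("ext", "tcp", "203.0.113.7", "192.168.1.20", 40001, 31337),
        "spoofed": Packet("ext", "tcp", "192.168.1.5", "192.168.1.10", 40002, 80),
        "source_routed": Packet("ext", "tcp", "203.0.113.7", "192.168.1.10", 40003, 80,
                                ip_options=True),
        "ping_in": Packet("ext", "icmp", "203.0.113.7", "192.168.1.20", icmp_type="echo-request"),
        "pong_in": Packet("ext", "icmp", "203.0.113.7", "192.168.1.20", icmp_type="echo-reply"),
        "client_out": Packet("int", "tcp", "192.168.1.20", "203.0.113.7", 50000, 443),
    }
    return {name: evaluate(RULES, p)[0] for name, p in samples.items()}
```

Swapping the web-server pass rule above the IP-options drop would let the source-routed packet through, which is the ordering ambiguity the "Apply in Order" section warns about. The ACK-bit rule is all a stateless filter can do; it passes any packet with ACK set, whereas the stateful devices mentioned earlier track each connection instead.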
Protocol-Specific Proxying Rules
For strong security, packet-filtering rules aren't secure enough. The above packet rules only concern themselves with the header of IP or ICMP packets; the data payload is not inspected. Packet rules won't keep viruses out of e-mail, nor will they hide the existence of internal computers. Proxies provide greater security but also limit any ICMP, IP, TCP, or UDP level attacks to the gateway machine. Proxies also ensure that the data flowing through the firewall actually conforms to the format specified by the protocols that the firewall is proxying for those ports.
Logging
A good firewall will not only block hazardous network traffic but will also tell you when it is doing so, both with alerts and with messages written to a log file. You should be able to log (at your discretion) every packet dropped or passed through the firewall. These logs should be able to grow large enough to track activity over days or weeks, but the logs should never be allowed to grow so large that they fill all of the firewall's hard drive space and crash the computer.
The alert mechanism should not only pop up windows on the firewall's console but also send e-mail to an arbitrary address (such as your pager e-mail gateway, if you are really serious about responding quickly to network attacks and you don't mind those occasional midnight false alarms).
Graphical User Interface
While not necessary for firewall security or performance, a graphical user interface for manipulating rule sets makes it much easier to set up and configure firewalls.
Rules for Security Levels
We've divided the spectrum of security into five levels that will be a good fit for most organizations. Using the first half of this chapter, you should be able to identify which of these levels applies most closely to your organization. Once you've matched your organization to one of the following security levels, you can use the rules we lay out as a starting point for your firewall policy. The general levels are as follows:
For each security level we'll explore the rules, restrictions, and procedures that a network administrator will enact to provide that level of security in the network.
Aware
There are some things every security-aware network administrator should do regardless of the degree of security warranted by the network contents or the type of organization the network serves. These actions and prescriptions plug obvious security holes and have no adverse effect on Internet accessibility. The security-aware administrator should:
• Install the latest operating system patches on both the client and server computers in the network.
• Keep network user accounts off of Internet service computers such as web servers, FTP servers, and firewalls, and have separate administrative accounts with different passwords for these machines.
• Regularly scan the system logs for failed logon attempts to network services and failed connection attempts to web servers, FTP servers, etc.
• Regularly scan system user accounts for the unauthorized addition or modification of user accounts for network services.
• Disable all unnecessary services on network and Internet servers.
• Use virus scanners on your server (at least).
• Perform regular backups.
Concerned
A network administrator that is concerned about security will at least install a packet filter and take the above "security aware" steps. The packet filter will not stop a concentrated network attack from exploiting service protocol weaknesses, but it will stop the simplest denial-of-service attacks—those based on malformed or maliciously configured ICMP or IP packets.
A packet filter in its most lax configuration allows packets to pass by default unless a rule specifically tells the filter to drop them. Proxy servers may be used to enhance network services (by caching HTML pages, for example) but provide no extra security because network clients can easily bypass them. The packet filter can also lock out troublesome external IP addresses and subnets, as well as deny external access to specific internal computers such as file and database servers.
Packet Rules (Filtering)
The packet rules control the flow of several different kinds of packets through the filter or firewall. They are as follows:
• ICMP Rules
• IP Rules
• UDP Rules
• TCP Rules
ICMP controls the flow of IP packets through the Internet. ICMP is therefore essential to the correct operation of the Internet, but ICMP packets can be forged to trick your computers into redirecting their communications, stopping all communication, or even crashing. The following rules (see Table 10.1) protect your LAN from many ICMP attacks.
Table 10.1: ICMP Service Rules
Rule | In Interface | Out Interface | Src IP | Src Port | Dest IP | Dest Port | Opt | Ack | Type | ICMP Type | Act
9 | Ext | * | * | * | * | * | * | * | ICMP | Redirect | Drop
[Only rule 9 of Table 10.1 is legible in this copy. The other rows covered ICMP Echo Request and Echo Reply (Pass and Drop actions) and ICMP Echo Reply, Destination Unreachable, Service Unavailable, TTL Exceeded, and a catch-all ICMP type (Drop actions) on the Int and Ext interfaces; their full rows are not recoverable here.]
Note that whi