Firewall topics
Why firewall? What is a firewall? What is the perfect firewall? What types of firewall are there? How do I defeat these firewalls? How should I deploy firewalls? What is good firewall architecture? Firewall trends.
What is a firewall?
As many machines as it takes to:
be the sole connection between inside and outside.
test all traffic against consistent rules.
pass traffic that meets those rules.
contain the effects of a compromised system.
Firewall components
All of the machines in the firewall
are immune to penetration or compromise.
retain enough information to recreate their actions.
Easy to use <-> Secure: ease of use vs. degree of security
Cheap, secure, feature packed, easy to administer? Choose three.
Default deny or default accept
What you firewall matters more than which firewall you use.
Internal security policy should show what systems need to be guarded.
How you deploy your firewall determines what the firewall protects.
The kind of firewall is how much insurance you're buying.
Ground-floor windows
mail servers
web servers
old buggy daemons
account theft
vulnerable web browsers
[Packet diagram: TCP header flags (ACK, URG, SYN) followed by DATA]
Types of firewall
Packet filters
Proxy gateways
Network Address Translation (NAT)
Intrusion Detection
Logging
Packet filters
How packet filters work
Read the header and filter by whether its fields match specific rules.
SYN flags allow the router to tell whether a connection is new or ongoing.
Weaknesses in SPF (stateful packet filters)
All the flaws of standard filtering can still apply.
Default setups are sometimes insecure.
The packet that leaves the remote site is the same packet that arrives at the client.
Data inside an allowed connection can be destructive.
Traditionally SPFs have poor logging.
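To make the two slides above concrete, here is an added example (not from the original deck) of a toy stateful packet filter in Python. It decides on header fields only, consults the rule list just for packets that open a connection (SYN set, ACK clear), and lets every other TCP packet through only if it continues a connection the filter already saw opened. The rules, addresses and the Packet and Rule classes are assumptions made for the demo; note that the payload field is carried but never inspected, which is exactly the weakness the second slide describes.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple

# Constructed example, not from the slides: a toy stateful packet filter that
# decides on header fields only and uses the SYN flag to tell a new connection
# from an ongoing one. Addresses and rules below are made up for the demo.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                           # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    flags: FrozenSet[str] = frozenset()  # TCP flags such as {"SYN"} or {"SYN", "ACK"}
    payload: bytes = b""                 # never looked at by this filter (see SPF weaknesses)


def _in_net(addr: str, net: str) -> bool:
    """True if addr falls inside net; "any" matches every address."""
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


@dataclass(frozen=True)
class Rule:
    action: str                # "accept" or "drop"
    proto: str = "any"
    src: str = "any"           # "any", a single address, or a CIDR block
    dst: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and _in_net(p.src, self.src)
                and _in_net(p.dst, self.dst)
                and (self.dport is None or self.dport == p.dport))


Conn = Tuple[str, int, str, int]   # (src, sport, dst, dport)


class StatefulFilter:
    """Rules are consulted only for packets that open a connection; every other
    TCP packet must belong to a connection the filter already saw opened."""

    def __init__(self, rules: List[Rule], default: str = "drop"):
        self.rules = rules
        self.default = default           # default deny
        self.connections: Set[Conn] = set()
        self.log: List[Tuple[str, str, Packet]] = []   # (verdict, reason, packet)

    def _decide(self, p: Packet) -> Tuple[str, str]:
        fwd: Conn = (p.src, p.sport, p.dst, p.dport)
        rev: Conn = (p.dst, p.dport, p.src, p.sport)
        if p.proto == "tcp" and not ("SYN" in p.flags and "ACK" not in p.flags):
            # Not a connection opener: accept only if it continues a tracked connection.
            if fwd in self.connections or rev in self.connections:
                return "accept", "established"
            return "drop", "no matching connection"
        for i, rule in enumerate(self.rules):
            if rule.matches(p):
                if rule.action == "accept" and p.proto == "tcp":
                    self.connections.add(fwd)   # remember the connection this SYN opens
                return rule.action, f"rule {i}"
        return self.default, "default"

    def handle(self, p: Packet) -> str:
        verdict, reason = self._decide(p)
        self.log.append((verdict, reason, p))
        return verdict


RULES = [
    Rule("accept", proto="tcp", src="10.0.0.0/24"),           # inside hosts may open outbound TCP
    Rule("accept", proto="tcp", dst="192.0.2.10", dport=80),  # anyone may open a connection to the web server
]


def demo() -> dict:
    fw = StatefulFilter(RULES)
    syn, synack, ack = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    return {
        # inside client opens a connection to an outside site
        "out_syn": fw.handle(Packet("10.0.0.5", "198.51.100.7", "tcp", 40000, 443, syn)),
        # the SYN/ACK reply continues that tracked connection
        "reply": fw.handle(Packet("198.51.100.7", "10.0.0.5", "tcp", 443, 40000, synack)),
        # a bare ACK aimed at a port nobody connected from has no tracked connection
        "stray_ack": fw.handle(Packet("198.51.100.7", "10.0.0.5", "tcp", 443, 40001, ack)),
        # outside host opens a connection to the public web server
        "web_syn": fw.handle(Packet("203.0.113.9", "192.0.2.10", "tcp", 51000, 80, syn)),
        # outside host tries to open a connection straight to an inside workstation
        "inbound_syn": fw.handle(Packet("203.0.113.9", "10.0.0.5", "tcp", 51001, 22, syn)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```

The log list records why each packet was accepted or dropped, which is the minimum a filter needs to "retain enough information to recreate its actions"; a real filter would also expire entries in the connection table.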
Proxy firewalls
Proxy firewalls pass data between two separate connections, one on each side of the firewall.
Proxies should not route packets between interfaces.
Types: circuit level proxy, application proxy, store and forward proxy.
State is being kept by the IP stack.
Spoofing IP & DNS still works if authentication isn't used.
Higher latency & lower throughput.
Application proxy
FW transfers only acceptable information between the two connections.
The proxy can understand the protocol and filter the data within.
Examples: TIS Gauntlet and FWTK, Raptor, Secure Computing
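As an added example (not code from the deck or from any of the products it names), the filtering core of an HTTP application proxy in Python: it parses the client's request, checks method, version, target and Host against a policy, and then rebuilds a fresh request from the parsed fields instead of relaying the client's bytes. The allowed methods, hosts and forwarded headers are assumptions for the demo; in a real proxy this function would sit between the client-side socket and a separate server-side connection.

```python
from typing import Tuple

# Constructed example of the filtering core of an HTTP application proxy.
# Policy values below are assumptions for the demo, not from the slides.
ALLOWED_METHODS = {"GET", "HEAD"}
ALLOWED_HOSTS = {"www.example.com"}
FORWARDED_HEADERS = ("host", "user-agent", "accept")    # everything else is dropped
BODY_FRAMING = ("content-length", "transfer-encoding")  # meaningless on GET/HEAD


def filter_request(raw: bytes) -> Tuple[bool, bytes, str]:
    """Parse a client's HTTP/1.x request and rebuild only the acceptable parts.

    Returns (accepted, request_to_forward, reason). The forwarded request is
    generated from parsed fields, so bytes the proxy did not understand never
    reach the server."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, b"", "incomplete header block"
    try:
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return False, b"", "malformed request line"
    if method not in ALLOWED_METHODS:
        return False, b"", f"method {method} not permitted"
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return False, b"", f"unsupported version {version}"
    if not target.startswith("/") or ".." in target.split("/"):
        return False, b"", "request target must be an absolute path"
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            return False, b"", "malformed header line"
        headers[name.strip().lower()] = value.strip()
    if headers.get("host") not in ALLOWED_HOSTS:
        return False, b"", f"host {headers.get('host')!r} not permitted"
    if body or any(h in headers for h in BODY_FRAMING):
        # A body (or body-framing header) on GET/HEAD is a sign of smuggling, not a valid request.
        return False, b"", "body not allowed on GET/HEAD"
    out = [f"{method} {target} HTTP/1.1"]
    for name in FORWARDED_HEADERS:
        if name in headers:
            out.append(f"{name.title()}: {headers[name]}")
    out.append("Connection: close")
    return True, ("\r\n".join(out) + "\r\n\r\n").encode("ascii"), "ok"


# Constructed sample requests for the demo.
SAMPLE_REQUESTS = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: x\r\nX-Debug: 1\r\n\r\n",
    b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 5\r\n\r\nhello",
    b"GET / HTTP/1.1\r\nHost: evil.example.net\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: www.example.com\r\nTransfer-Encoding: chunked\r\n\r\n",
]


def demo() -> list:
    """Return the proxy's reason string for each sample request."""
    return [filter_request(r)[2] for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, reason in zip(SAMPLE_REQUESTS, demo()):
        print(req.split(b"\r\n")[0].decode(), "->", reason)
```

Rebuilding the request is the point: the X-Debug header in the first sample never reaches the server, and anything the proxy cannot parse is refused rather than passed along.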
Types of NAT
Many IPs inside to many static IPs outside
Many IPs inside to many random IPs outside
Many IPs inside to one IP address outside
Transparent diversion of connections
Weaknesses of NAT
Source routing & other router holes
Can be stupid about complex protocols: ICMP, IP options, FTP, fragments
Can give out a lot of information about your network.
May need a lot of horsepower
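As an added example covering the NAT slides above (constructed for this page, not from the deck), a Python model of the third NAT type, many inside addresses behind one outside address, with the reverse mapping for replies, plus a check for the FTP problem the weaknesses slide points at: an active-mode PORT command carries the inside address in the payload, which a NAT that only rewrites headers forwards untouched. The Flow class, the addresses and the inside network are assumptions for the demo.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed example, not from the slides: a many-to-one NAT table (many inside
# addresses behind one outside address) plus a check for the FTP payload problem.
# All addresses are documentation ranges chosen for the demo.

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


class ManyToOneNAT:
    def __init__(self, outside_ip: str, first_port: int = 40000, last_port: int = 49999):
        self.outside_ip = outside_ip
        self._free_ports = iter(range(first_port, last_port + 1))
        # outbound: inside 4-tuple -> outside port
        self.outbound: Dict[Tuple[str, int, str, int], int] = {}
        # inbound: (outside port, remote addr, remote port) -> (inside addr, inside port)
        self.inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def translate_outbound(self, f: Flow) -> Flow:
        """Rewrite an inside->outside packet's source to the shared outside address."""
        key = (f.src, f.sport, f.dst, f.dport)
        port = self.outbound.get(key)
        if port is None:
            port = next(self._free_ports, None)
            if port is None:
                # Every flow costs table space and a port: "may need a lot of horsepower".
                raise RuntimeError("translation table full")
            self.outbound[key] = port
            self.inbound[(port, f.dst, f.dport)] = (f.src, f.sport)
        return Flow(self.outside_ip, port, f.dst, f.dport)

    def translate_inbound(self, f: Flow) -> Optional[Flow]:
        """Map a reply back to the inside host; None means no flow asked for it, so drop."""
        inside = self.inbound.get((f.dport, f.src, f.sport))
        if inside is None:
            return None
        return Flow(f.src, f.sport, inside[0], inside[1])


PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def ftp_port_leak(payload: bytes, inside_net: str = "10.0.0.0/8") -> Optional[Tuple[str, int]]:
    """An active-mode FTP PORT command carries an address and port in the payload.
    A NAT that only rewrites IP headers forwards it untouched, so an inside
    address is revealed (and the data connection fails). Returns the
    (address, port) being leaked, or None if the command names no inside address."""
    m = PORT_RE.search(payload)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    addr = f"{h1}.{h2}.{h3}.{h4}"
    try:
        if ipaddress.ip_address(addr) not in ipaddress.ip_network(inside_net):
            return None
    except ValueError:   # octet out of range: not a valid address at all
        return None
    return addr, p1 * 256 + p2


def demo() -> dict:
    nat = ManyToOneNAT("203.0.113.1")
    a = nat.translate_outbound(Flow("10.0.0.5", 40000, "198.51.100.7", 80))
    b = nat.translate_outbound(Flow("10.0.0.6", 40000, "198.51.100.7", 80))  # same client port, other host
    return {
        "a": a,
        "b": b,
        "reply_to_a": nat.translate_inbound(Flow("198.51.100.7", 80, "203.0.113.1", a.sport)),
        "unsolicited": nat.translate_inbound(Flow("198.51.100.7", 80, "203.0.113.1", 45000)),
        "ftp_leak": ftp_port_leak(b"PORT 10,0,0,5,4,1\r\n"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two inside hosts using the same client port get distinct outside ports, an unsolicited inbound packet has no table entry and is dropped, and the PORT check shows why complex protocols need the NAT to understand the payload, not just the header.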
Intrusion detection
Watches ethernet or router for trigger events, then tries to interrupt connections.
Logs synopsis of all events.
Can log suspicious sessions for playback
Tend to be very good at recognizing attacks, fair at anticipating them
Products: Abirnet, ISS Real Secure, SecureNetPro, Haystack Netstalker
Logging
Pros:
Very cheap
Solves most behavioral problems
Logfiles are crucial for legal recourse
Cons:
Very programmer or administrator intensive
Doesn't prevent damage
Needs a stable environment to be useful
Types of logging
program logging
syslog / NT event log
sniffers
Argus, Network General, HP Openview, TCPdump
Commercial Logging
Logging in almost all commercial firewall packages stinks:
No tripwires
No pattern recognition
No smart/expert distillation
No way to change firewall behavior based on log information
No good way to integrate log files from multiple machines
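An added example (not from the deck) of the things the intrusion detection and logging slides say are missing: a Python script that parses packet-filter log lines, distills them into per-source counts, flags a pattern (one source denied on many different ports), raises a tripwire on any traffic to a decoy address that no legitimate host ever uses, and derives a list of sources a filter rule could be updated from. The syslog-style line format, the log lines themselves and the decoy address are all constructed for the demo.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed example, not from the slides: the log distillation most commercial
# firewall logging lacks, run over made-up packet-filter syslog lines. The log
# format, addresses and the decoy "tripwire" host are assumptions for the demo.

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pf: (?P<verdict>ACCEPT|DENY) "
    r"(?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Decoy address: nothing legitimate ever talks to it, so any packet to it is a tripwire hit.
TRIPWIRE_HOSTS = frozenset({"192.0.2.250"})

# Constructed sample log: one source probing several ports, one ordinary client,
# and a syslog "repeated" line the parser must cope with.
SAMPLE_LOG = """\
Mar 14 02:11:03 fw1 pf: DENY tcp 203.0.113.9:51000 -> 192.0.2.10:22
Mar 14 02:11:03 fw1 pf: DENY tcp 203.0.113.9:51001 -> 192.0.2.10:23
Mar 14 02:11:04 fw1 pf: DENY tcp 203.0.113.9:51002 -> 192.0.2.10:25
Mar 14 02:11:04 fw1 pf: DENY tcp 203.0.113.9:51003 -> 192.0.2.10:110
Mar 14 02:11:05 fw1 pf: DENY tcp 203.0.113.9:51004 -> 192.0.2.10:143
Mar 14 02:11:05 fw1 pf: ACCEPT tcp 203.0.113.9:51005 -> 192.0.2.10:80
Mar 14 02:12:40 fw1 pf: ACCEPT tcp 198.51.100.7:4433 -> 192.0.2.10:80
Mar 14 02:13:02 fw1 pf: DENY udp 198.51.100.7:5353 -> 192.0.2.10:53
Mar 14 02:15:17 fw1 pf: ACCEPT tcp 203.0.113.9:51006 -> 192.0.2.250:80
Mar 14 02:15:18 fw1 last message repeated 3 times
"""


def parse_log(text: str) -> Tuple[List[dict], int]:
    """Turn log lines into event dicts; count lines the format does not match."""
    events, unparsed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
            events.append(ev)
        elif line.strip():
            unparsed += 1
    return events, unparsed


def distill(events: List[dict], scan_threshold: int = 5,
            tripwire_hosts=TRIPWIRE_HOSTS) -> Dict[str, object]:
    """Summarise events: denies per source, sources probing many ports, tripwire hits."""
    denies: Dict[str, int] = defaultdict(int)
    denied_ports: Dict[str, set] = defaultdict(set)
    tripwire_hits: List[Tuple[str, str]] = []
    for ev in events:
        if ev["verdict"] == "DENY":
            denies[ev["src"]] += 1
            denied_ports[ev["src"]].add(ev["dport"])
        if ev["dst"] in tripwire_hosts:
            tripwire_hits.append((ev["src"], ev["dst"]))
    scans = sorted(s for s, ports in denied_ports.items() if len(ports) >= scan_threshold)
    return {"denies_by_src": dict(denies), "scans": scans, "tripwire_hits": tripwire_hits}


def sources_to_block(report: Dict[str, object]) -> List[str]:
    """Sources the log evidence justifies adding to a deny rule."""
    flagged = set(report["scans"]) | {src for src, _ in report["tripwire_hits"]}
    return sorted(flagged)


if __name__ == "__main__":
    evs, bad = parse_log(SAMPLE_LOG)
    rep = distill(evs)
    print(f"{len(evs)} events, {bad} unparsed lines")
    print(rep)
    print("deny rule candidates:", sources_to_block(rep))
```

The same distillation works over syslog collected from several machines once their lines share a format, which is how the "integrate log files from multiple machines" gap is usually closed; the threshold and the decoy address are the tunable parts.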
Firewall Tools
All types of firewall are useful sometimes.
The more compartments on the firewall, the greater the odds of security.
Belt & suspenders
Firewall topology
Webserver placement
RAS server placement
Partner network placement
Internal information protection (intranet firewalling)
Last checks
Day 0 backups made?
Are there any gaps between our stated policy and the rules the firewall is enforcing?
Auditing
A firewall works when an audit finds no deviations from policy. Scanning tools are good for auditing conformance to policy, not so good for auditing security.
Sample configurations
Good configurations should:
limit Denial of Service.
minimize complexity for inside users.
be auditable.
allow outside to connect to specific resources.
[Sample configuration diagrams; only the label "Inside" survives from each]
Inside secure multimedia & database content to be provided to multiple Internet destinations. Web server is acting as authentication & security for access to the Finance server.
High availability
Firewall Trends
Toaster firewalls
Call-outs / co-processing firewalls
VPNs
Dumb protocols
LAN equipment & protocols showing up on the Internet
Over-hyped content filtering
Firewall certification
Buy your own copy of ISS and certify firewalls yourself.
Downside of firewalls
single point of failure
difficult to integrate into a mesh network
highlights flaws in network architecture
can focus politics on the firewall administrator