
Firewalling Basics

Josh Ballard
Network Security
Analyst

Outline
Firewall Types
Default Deny vs. Default
Allow
Campus Offerings
The Importance of Scope

Firewall Types Filtering


Firewall Technology has
come a long way
The basic types are:
Linear ACLs (packet filter)
Stateful Firewall
Stateful Packet Inspection
Bridging vs. Routing

Firewall Types Packet Filters


Evaluates traffic packet by packet
according to a single ruleset.
Filters based on only IP address, IP
protocols, ports, and in some
cases things like TCP flags.
Cannot filter based on direction,
only on whether the packet
matches the ACL or not.

Firewall Types Stateful Firewall


Tracks state of connections for
protocols such as TCP, UDP,
ICMP.
Evaluates rules only on the first
packet of a session.
As such, can be configured to
do directional protection.
Filters illegal packet types and
non-established connections.

Firewall Types Stateful w/ Packet Inspection

Works similarly to a stateful
firewall, except that it contains
connection fixups.
Some protocols won't work
properly without a fixup, e.g.
FTP, RTSP, etc.
Requires more overhead, but
breaks fewer things in a
default deny world.

Firewall Types Bridging vs Routing


A bridge operates as a
transparent entity between two
layer 2 networks.
A routing firewall operates at the
layer 3 boundaries to networks.
Each has advantages and
disadvantages, though we
choose by default to do routed
firewalls.

Default Deny vs. Default Allow

It is just how it sounds. This is
the default posture: the fate
of a packet that matches no
entry in the ACL.
Default deny is obviously a
stronger posture, but requires
more initial investment to
achieve, and can potentially
cause more problems.

Campus Offerings
For approximately the past
year, we have been
developing and offering
firewall services.
Based on the Cisco
PIX/ASA/FWSM platform.

Campus Offerings
We are in the process of deploying
FWSM-based firewalls virtually in
front of all data center systems.
This allows for differing policy
levels for each group of systems in
the data center.
We can also deploy FWSM
technology to buildings or
departments as applicable and
requested.

Campus Offerings
With our licensing of Trend
Micro, we also have access to
host-based firewalls, as well as
the Windows firewall.
Both of these are controllable
by you as the admin with
appropriate knowledge of your
services and their scopes.

The Importance of
Scope
AKA: Why is firewalling
important?
Consider this example:
Windows Server 2003 System
Running IIS and Exchange
Running RDP for Administrative
Control

Why is scoping important in
this example?

The Importance of
Scope (2)
Another example - multitiered
UNIX system running Apache
and other web software that
ties to a database backend.
UNIX system running Oracle
database software
Both systems running SSH
Why is scoping important in
this example?

The Importance of
Scoping (3)
So the questions to answer to
write a policy are:
What should we explicitly not
allow?
What services are running on the
systems in question?
Who needs to access those
services?
What should happen to a packet
that isn't explicitly matched?
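
The four questions above, worked through for the first example server as a first-match ACL. This is an added example, not part of the original slides; the admin subnet 10.20.30.0/24, the blocked range 198.51.100.0/24, the test addresses, and the choice of which ports are open to whom are all assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str            # "permit" or "deny"
    proto: str             # "tcp" or "udp"
    src: str               # source scope as CIDR; "0.0.0.0/0" means anyone
    dport: Optional[int]   # destination port; None matches any port

# Constructed policy for the IIS / Exchange / RDP server.
# All addresses are assumed sample values, not taken from the slides.
POLICY = [
    Rule("deny",   "tcp", "198.51.100.0/24", None),  # explicitly not allowed
    Rule("permit", "tcp", "0.0.0.0/0",       80),    # IIS: everyone
    Rule("permit", "tcp", "0.0.0.0/0",       443),   # IIS over TLS: everyone
    Rule("permit", "tcp", "0.0.0.0/0",       25),    # Exchange SMTP: everyone
    Rule("permit", "tcp", "10.20.30.0/24",   3389),  # RDP: admin subnet only
]

def evaluate(policy, proto, src_ip, dport, default="deny"):
    """First matching rule wins; `default` is the fate of a non-matched packet."""
    src = ipaddress.ip_address(src_ip)
    for n, rule in enumerate(policy, start=1):
        if (rule.proto == proto
                and src in ipaddress.ip_network(rule.src)
                and rule.dport in (None, dport)):
            return rule.action, f"rule {n}"
    return default, "default"

if __name__ == "__main__":
    # Constructed packets: (source address, destination port)
    for src_ip, dport in [("10.20.30.5", 3389), ("203.0.113.9", 3389),
                          ("203.0.113.9", 80), ("198.51.100.7", 80)]:
        for posture in ("deny", "permit"):
            print(src_ip, dport, f"default-{posture}:",
                  evaluate(POLICY, "tcp", src_ip, dport, default=posture))
```

Under default allow, the RDP packet from outside the admin subnet falls through every rule and is permitted, so the scoped permit only restricts access when the default posture is deny.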

Conclusion
Firewalling is an important
piece of any security
infrastructure, both
network-based and host-based.
It is by no means an end-all be-all solution, but can
limit your exposure greatly.

Questions?
