The Ideal Firewall Overview The chapters at the end of this book review a number of commonly used (and a few less commonly used) firewall packages and toolkits. We'll provide detailed information on the strengths and weaknesses of each, but as firewall implementation changes with time (they get better, usually) only those firewalls that are currently available will be covered. What should you look for when you are examining firewalls? How would you set up the ideal firewall for your network? These are the questions that will be answered here. First, you'll determine the security needs for your organization and network. Second, you'll see how the ideal firewall should be configured for varying degrees of paranoia. Third, you'll learn about the various ongoing tasks you'll need to perform with even the most automated and secure firewall. Finally, you'll find out what you should do when your network is actually under attack. This chapter is broken down into two major parts. The first part, "Defining Your Security Requirements," will help you figure out what general type of security your business requires. The second part will then explain exactly how to configure your border gate ways to achieve that level of− security. You may find that you'll read back and forth between the two sections to gain a full understanding of the problem. Defining Your Security Requirements No two networks have exactly the same security requirements. A bank, for example, is going to be a bit more concerned than a retail clothing store about network intrusions. The type of security concern varies as well as the degree—in a University computing lab the administrator is just as concerned about hosting the source of hacking attacks as well as being the target of them. To decide just how much effort to expend in securing your network, you need to know the value of the data in your network, the publicity or visibility of your organization, and the harm that could be caused by loss of service. You should also consider how much disruption or imposition you can live with on your network in the name of security. Similar organizations have similar requirements, so you can compare the needs of your network to those organizational types listed below. Home Offices A home office is the simplest Internet connected network. Usually, a home office has two to three computers connected in a peer to peer fashion on a small LAN. These networks either have a− − modem attached to each computer so users can connect to the Internet or they have one computer or device that mediates access to the Internet whenever any of the users need an Internet connection. Sometimes the device that connects to the Internet is an inexpensive network hub and NAT router. The typical home office budget can't afford to dedicate a computer to be a network fire wall.− Sometimes the Internet service provider is relied upon to keep the hackers out. However, this is not a particularly effective technique because ISPs vary in competence and workload, and they never customize security to fit your needs—they provide only a "one size fits all" solution that is− − − 182 necessarily lax because they don't know how their customers will use the Internet. Just because most firewalls are prohibitively expensive for home use doesn't mean you are helpless. Chapter 13, "Security Utilities" details a number of "mini firewalls" that are intended to be− installed on personal computer directly, as well as popular low cost NAT routers which provide very− strong default security. Small firewall less networks can still (and should) install current operating− system patches to protect the computers from TCP/IP attacks such as Ping of Death and the Out of Band attack. File sharing should be turned off for computers that are connected to the Internet (or, for more advanced operating systems such as Windows NT and Unix, those services should be disconnected from the network adapter or modem that is connected to the Internet). Any unnecessary services should also be turned off so network intruders can't exploit them. A recent welcome development is the proliferation of devices that include simple stateful packet filters with Network Address Translation and Internet connectivity via dial up modem or Ethernet− connectivity to a cable or DSL modem. These inexpensive devices greatly increase the security of home office networks by hiding the identity of computers on the LAN and by foiling packet based− exploits, but they do not provide the full range of protection provided by full spectrum firewalls.− The reason home office networks aren't exploited more often is because their network connections are usually intermittent, their connection speed is low so it takes along time to hack into them, and they seldom provide services (such as websites) that hackers can exploit (with the notable exception of home offices that hook Windows computers directly to the Internet and do not turn off file and printer sharing, or Windows NT/2000 computers that leave IIS activated.) Most hackers exploit random targets of opportunity, so a computer that spends most of its time detached from the Internet isn't going to make a very juicy target. The biggest threat to the home office network is from someone who knows about the network and has a specific reason to attack it. Disgruntled or former employees, business competitors, or an individual with a personal axe to grind are the most likely culprits. Cable modem and DSL users have become a favored target of hackers however, because their connection speeds are high, their connections are always on, and because they often have no security in place, and their computers are left in the default installation state without security patches applied. The best way to permanently connect a home office telecommuter to a corporate network is to use a small firewall built to do exactly that, like the SonicWALL SOHO. These fire walls are complete,− real firewalls that include IPSec and can be remotely managed through the VPN by the corporate IT staff. In this configuration, the home office is just like any other branch office—connected through a VPN to a firewall with a single public IP address and configured to perform Network Address Translation so the connection can be shared by a few computers. Unfortunately, these devices run about $500n about $500 each, so they're not particularly cost effective for many users. The next best way is to use a small NAT device that can pass a single IPSec connection, like the Linksys Cable/DSL Router with IPSec passthrough. In this configuration, the device doesn't come with IPSec, but it will allow a single computer with an IPSec client to establish connections and route through it. It provides the inherent firewalling provided by all NAT devices, and can be used to share a single Internet connection amongst multiple users. Neither your ISP nor the corporate IT group will see anything other than the single IP address of the NAT device, from which all connections including the IPSec connection will appear to come. This configuration is not really remotely manageable by the IT staff without potentially creating security problems, so it's most effective for users with some technical skill. This method will also work with proprietary VPN solutions like PPTP, L2TP, etc. as long as the NAT device can properly translate the protocol. This 183 solution would cost about $150 including the price of the hardware NAT device and the license for the IPSec software client. Small Service Businesses Small service business networks, with a typical computer count of around a dozen or so, often have a dedicated computer for file and print services and, in many cases, a dedicated connection to the Internet. Although few small service businesses actually have firewalls, they all should. The potential loss of data and business productivity due to a network intrusion more than justifies the cost of one extra computer and some software. You don't want to go overboard with security in a small service business, however, and very few small service businesses will go to great lengths to bulletproof their networks because a cost/benefit analysis will usually show that less stringent security is sufficient. Consider, for example, a heating and air conditioning company that has a small network with an Internet connection. The company's− computers have little that would interest either a random hacker or a rival company that might engage in industrial espionage. The network users want as few restrictions as possible on how they access the Internet, so it is difficult to justify draconian network policies. Tip The small service business network administrator should be concerned about security, but the appropriate policy for the firewall is to permit by default, and to specifically deny packets, protocols, and services on the firewall that the administrator judges to be dangerous. Professional Firms Like the small service business, a small confidential practice such as a law firm, accounting firm, psychiatry practice, or medical specialist may have a half dozen to a dozen or more computers connected in a LAN with an intermittent or permanent Internet connection. The small confidential practice should have a more stringent security requirement than the typical small business, however, because the practice's computers contain confidential information that invite specific and targeted attack from network intruders over the Internet. Tip Because of the sensitivity of the information and the attraction this type of network presents to hackers, the network administrator of a small confidential practice should be cautious (denying packets, protocols, and ports by default unless the rules established specifically allow them) or strict (not routing IP packets at all and allowing only proxied network traffic through the firewall) about security. Manufacturers A large network with 50 to 100 computers is a much more tempting target to the average hacker, especially if the network has expensive network equipment and VPN links to other large computer networks. This is the type of network used by medium to large corporations, and the very size and− − complexity of corporate networks make them easier for hackers to attack. Large corporate networks also may be subject to specific targeted attacks for the purposes of industrial espionage or anticompetitive denial of service. Since corporations have more employees (and former employees) than smaller businesses do, the corporations are also much more likely to come under attack from insiders or former insiders. A corporation with a lot of public visibility (such as Sony, Microsoft, Pepsi, or Disney) also has the problem of hackers trying to penetrate their networks for the greater bragging rights than would be 184 achieved by hacking other, less well known companies (such as McMaster Carr or Solar− − Turbines). Tip Network administrators of large corporate networks need to take extra care that their networks are not compromised because the potential cost of lost productivity is proportionately greater in the larger networks than it is in small ones, and because the large corporate network makes a much more tempting target for hackers. A cautious (deny routing by default) or strict (no routing at all) policy is most appropriate for these kinds of networks. Government Bureaus The networks used by governmental bureaus have all of the characteristics of corporate networks (they are often large, have interesting hardware, and provide links to other networks), but governmental networks are also tempting targets because of their political nature. The Bureau of Reclamation has little to worry about, but the FBI, on the other hand, is under almost constant siege from the very hackers they chase. As a general rule, the more visible the organization, the more likely it is to attract the ire of a hacker with an agenda. Tip Network administrators of governmental bureaus should be either strict (allowing no routing) or paranoid (minimizing any sort of Internet risk, regardless of the constraints that places on their own network use), depending on the visibility and sensitivity of the organization. Special care should be taken to secure websites in order to deny hackers an easy way to embarrass the bureau and to advertise their own causes. Universities or Colleges University network administrators have the vexing problem of having to defend their systems from internal attacks as well as external ones. The periodic influx of new students ensures a fresh crop of hackers who will always be pushing at the security boundaries of the network. The students must have computers and access to the Internet, but the administrative staff of the school also needs a secure work environment. Most schools cope with this problem by having two (or more) separate networks, each with a different security policy and with carefully controlled access between the networks. The public access student network typically has a severely restrictive policy and is frequently checked for viruses, Trojan horses, modified system settings, and so on. Tip The university or college network administrator usually takes a cautious (deny by default) or a strict (proxy only, no routing) approach to managing the school's administrative networks. The network administrator also takes a fairly open approach to managing the students' network, while taking special care to keep the networks separate and while keeping a close eye on the state of the student network. Internet Service Providers The ISP network administrator has a problem similar to that of the university network administrator. The ISP network administrator must keep hackers from the Internet at bay and internal hackers contained, for the customers of the ISP expect to be protected from each other as well as from the outside. In addition, customers expect to have full Internet access—they want to decide for themselves which protocols and services to use. 185 Tip Most ISPs use a firewall to protect their network service computers (DNS server, mail server, and so on) in a cautious or strict configuration and use a packet filter in a more liberal configuration (permission by default) to stop the most obvious Internet attacks (Ping of Death, source routed packets, malformed IP and ICMP packets,− etc.) from reaching their clients. At the client's request, many ISPs will apply more strict security policies to the client connection on a per client basis.− Online Commerce Companies For most companies, the Internet connection is a convenience. For online commerce companies, the reliable operation of the connection and the services that flow over it are the lifeblood of the company. A used bookstore that accepts inquiries for titles over the Internet can afford for its website to be down every once in a while, but an online bookstore that transacts all of its business over the Internet cannot. In addition to preventing denial of service attacks, the administrator of an online − − commerce network must be aware of a more dire threat—the theft of customer information, including financial transaction data (especially credit card numbers). Consumers expect that the data they provide to your online company will remain confidential, and there may be severe public relations problems if the data gets out, as well as legal repercussions if the company is found negligent in its security precautions. An online commerce company often has two networks to protect—the internal network used by company employees and another network, perhaps located on the company premises or maybe located at an ISP, that provides the company's online interface to its Internet customers. Each network will have separate security policies; in fact, the online interface must be protected from unauthorized access from the interior network, and vice versa.− Tip Because of the severe repercussions of both denial of service and data theft attacks, − − − the smart network administrator for an online commerce company will implement a strict (proxy only, no routing) firewall policy for the company's Internet servers. The administrator may establish a more permissive (cautious or concerned) policy for a separate administrative network if the staff needs freer Internet access for business activities that are not business critical. Financial Institutions As a general rule, if there is money or there are things worth money flowing over the network, the administrator is going to be particularly careful about who can access the network and how they go about it. The more money there is, the stricter the rules for access will be. Therefore, banks and credit unions never allow any direct Internet access to their financial networks (the ones that directly convey money from one account to another) or even to the administrative networks that bank officials use to perform more mundane tasks. A growing trend in financial institutions is to allow customers to perform online banking through their web browsers over the Internet. This, of course, means that a web server of some sort must be linked both to the Internet and to the protected financial computers. If you work for a financial institution, you should be sure that every possible measure is taken to secure that web server and protect the customers' account information. Tip Those banking systems that allow any sort of Internet access implement strict (proxy access only) or paranoid (custom crafted with special purpose network software) policies to protect 186 their computers. Hospitals In a hospital network, unlike all the previous types of networks, people can die if the computers stop working. For this reason, the patient care hospital networks that have medical equipment attached to them are seldom connected to the Internet in any form. Administrative networks may be connected, but those links are carefully secured because of the risk of divulging or destroying confidential patient data. The networks in research labs, however, are typically closely and permissively attached to the network because scientists work best in an open environment where information exchange is made easy. Tip Like those of banks and universities, the hospital network administrator breaks his networks into several mutually untrusting sections. Life critical equipment simply is not connected to the− Internet. A strict policy is adopted for administrative computers (they still need e mail, after all),− while research LANs have a cautious or concerned policy. Military Organizations Military networks, like hospital networks, can have terminal repercussions when security is penetrated. Like governmental bureaus, hackers or espionage agents often have a specific target or axe to grind with the military. But not all military networks are the same—the civilian contractors managing a contract to purchase, warehouse, and distribute machine tools will have a different set of security requirements than the Navy war college's academic network, and neither of those will be designed with anywhere near the level of paranoia that goes into constructing the real time battle− information systems that soldiers use to wage war. Tip The administrator of a military network must match the firewall policy of the LAN to the type of work performed on it. Classified and administrative networks will have at least a cautious (default deny) or strict (proxy only, no routing) policy, while Secret and above information systems will be divorced from the Internet entirely. Intelligence Agencies Some organizations have the dual goals of safeguarding their own networks while simultaneously finding ways to circumvent the walls keeping them out of other people's networks. You can be sure that the professional agents in these organizations have a dossier on and an action plan to exploit every operating system bug or protocol weakness there is. But knowing about a hole and plugging it are two different issues, and sometimes the hackers can steal a march on the spooks. In an odd turn of fate, the NSA has in fact taken the Linux source code, tightened up security in areas they find important, and released the code back to the free software community. This has given hackers and open source advocates a bit of indigestion—do you trust it because it is open− and you can check the source code, or do you mistrust it because of its source? Tip It is a good bet that the administrators of these kinds of networks go one step beyond implementation of a strict firewall security—I would be very surprised if these secrecy professionals used any commercial software to firewall their networks. The truly paranoid will only trust software that they personally examine for back doors and weaknesses compiled with similarly inspected software tools. 187 Configuring the Rules Once you've determined the degree of paranoia that is justified for your network (or networks if you manage more than one), you can set up the firewalling rules that keep the hackers out. Every firewall allows you to establish a set of rules that will specify what trans firewall traffic will be− allowed and what will not, as well as to establish and manipulate these rules. The following chapters will discuss the specifics of how each firewall is configured. In the remainder of this chapter, however, you'll learn about these rules generically and how you should establish them so that your firewall won't have any obvious and easily avoidable weaknesses. You'll also learn about the care and feeding of a running firewall and what you can do when you discover it has come under attack. Rules about Rules Every firewall worth its weight in foam packing peanuts will have a number of features or characteristics of rules in common. You need to understand these rules and features because they form the building blocks of the logic that will either keep the hackers out or let them in. Apply in Order When deciding whether or not to allow a packet to pass the firewall, well constructed firewall− software will start with the first rule in its rule set and proceed toward the last until the packet is either explicitly allowed, explicitly disallowed, or until it reaches the end of the rules (whereupon the packet is allowed or dropped by default). The rules must always be evaluated in the same order to avoid ambiguity about which rule takes precedence. Some strong firewalls take a "best rule fitting the problem" approach rather than an ordered rule set approach. While this may in fact provide stronger security, it can be very difficult for an administrator to determine which rule will be applied in a specific circumstance. Per Interface Firewall software should be able to discriminate between packets by the interface they arrive on and interface they will leave from. This is essential because the firewall can't really trust the source and destination addresses in the packets themselves; those values are easily forged. A packet arriving on an external interface that says it is from inside your network is an obvious flag that something fishy is going on. Per Type of Packet (TCP, UDP, ICMP) Your firewall must be able to filter based on packet type because some are essential to network operation, while other types are just recipes for trouble. For example, you will want to allow ICMP echo reply packets to pass into your network from the outside (so your client computers can verify connectivity to outside hosts), but you may not want to pass ICMP echo request packets in to those same clients. After all, there's no sense letting hackers build a list of potential targets on your LAN. Some protocols use UDP on a particular port while others use TCP, and you don't want to let UDP traffic through on a port that has been opened for TCP or vice versa. 188 Per Source and Destination Addresses Your firewall must classify traffic according to where it comes from and where it is going. You may want to allow external computers to establish connections to publicly accessible internal or DMZ web and FTP servers, but not to establish connections to internal client computers. You probably want to allow internal clients to establish connections going the other way, however. Your firewall should be able to permanently block troublesome hosts and networks from performing any access at all, and should be able to deny all access to sensitive computers inside your network that don't need Internet connectivity. Per Source and Destination Ports Similarly, you will want to control TCP and UDP packets according to which ports they're coming from and going to. You should allow external users to connect from any port on their own computers to just those internal ports that are used by externally visible services (such as HTTP and FTP). Don't allow external users to connect to just any port on internal computers, because Trojan horses such as Back Orifice work by opening up a port above 1023 (most operating systems restrict user programs from opening ports below this value) for hackers to connect to. However, users inside your network need to be able to initiate connections using source ports greater than 1023 with the destination port of any common TCP protocol ports (such as HTTP, FTP, Telnet, and POP). You might want to limit your users to just a few destination ports, or you may allow connections to arbitrary external ports. Per Options Originating hosts and routers can set a variety of options in the header of IP packets. Some options are notorious for being used to circumvent security, with source routing as the most abused of all the options. Most firewalls simply drop source routed packets. Because none of the IP options are− required for normal Internet traffic, strong firewalls simply drop any packets that have options set. Per ICMP Message Type As mentioned above, some ICMP packets are required for the Internet to cope with network problems. But, many ICMP packets (sometimes the same essential packets) can also be used in unconventional ways to crash computers on your network. The firewall must be able to determine, based on the message type and how it is used, whether or not that ICMP packet is safe to pass. Per ACK Bit for TCP The firewall must be able to tell the difference between a packet that is requesting a connection and one that is merely sending or replying over an already established connection. The difference between these two types of packets is just one bit—the ACK bit. Packets requesting a connection have it cleared, all others have it set. You will use this rule characteristic most often with the source and destination characteristics to allow connections to only those ports you specify and in only the direction you allow. Protocol Specific Proxying Rules For strong security, packet filtering rules aren't secure enough. The above packet rules only− concern themselves with the header of IP or ICMP packets; the data payload is not inspected. Packet rules won't keep viruses out of e mail nor will they hide the existence of internal computers.− Proxies provide greater security but also limit any ICMP, IP, TCP, or UDP level attacks to the 189 gateway machine. Proxies also ensure that the data flowing through the firewall actually conforms to the format specified by the protocols that the firewall is proxying for those ports. Logging A good firewall will not only block hazardous network traffic but will also tell you when it is doing so, both with alerts and with messages written to a log file. You should be able to log (at your discretion) every packet dropped or passed through the firewall. These logs should be able to grow large enough to track activity over days or weeks, but the logs should never be allowed to grow so large that they fill all of the firewall's hard drive space and crash the computer. The alert mechanism should not only pop up windows on the firewall's console but also send e mail− to an arbitrary address (such as your pager e mail gateway, if you are really serious about− responding quickly to network attacks and you don't mind those occasional midnight false alarms). Graphical User Interface While not necessary for firewall security or performance, a graphical user interface for manipulating rule sets makes it much easier to set up and configure firewalls. Rules for Security Levels We've divided the spectrum of security into five levels that will be a good fit for most organizations. Using the first half of this chapter, you should be able to identify which of these levels applies most closely to your organization. Once you've matched your organization to one of the following security levels, you can use the rules we lay out as a starting point for your firewall policy. The general levels are as follows: • Aware • Concerned • Cautious • Strict • Paranoid For each security level we'll explore the rules, restrictions, and procedures that a network administrator will enact to provide that level of security in the network. Aware There are some things every security network administrator should do regardless of the degree of security warranted by the network contents or the type of organization the network serves. These actions and prescriptions plug obvious security holes and have no adverse affect on Internet accessibility. The security aware administrator should: • Install the latest operating system patches on both the client and server computers in the network. • Keep network user accounts off of Internet service computers such as web servers, FTP servers, and firewalls, and have separate administrative accounts with different passwords for these machines. • Regularly scan the system logs for failed logon attempts to network services and failed connection attempts to web servers, FTP servers, etc. 190 [...]... e−mail messages to everyone in the user's personal address book, thus propagating itself to all of them and appearing to come from the activating user The worm also rifles through the shared directory structure on the computer and propagates itself to other machines on the local network The worm then goes on a rampage, destroying programming code, office documents, and other useful work−related materials,... documents The only allowable method to transfer executable content through the firewall should be in a non−executable form like BIN−HEX or compressed format This prevents users from clicking on Trojan horse attachments and executing them The extra level of indirection ensures that they will at least manually inspect the files before running them Paranoid The strategy for paranoid installations is to either... message appears in the victim's inbox containing the message text "I received your e−mail and shall send you a reply ASAP Till then, take a look at the attached zip docs." The sender's address would be the valid address of a close friend or coworker The attached executable file would be called zipped_files.exe Upon clicking the attachment, the Trojan horse functionality is activated The worm creates... (including that of Windows NT), that is no longer the case The bug (since fixed) ignored improper fragment offset values which allowed the second (or later) fragment to occupy the memory location of the first fragment and to provide the header information the network stack was looking for (header information that had not been checked by the firewall) Although the bug has been fixed, most cautious network... cautious network administrators choose to reassemble fragmented packets at the firewall or just drop them since the fragmentation feature is largely obsolete ICMP, TCP, and UDP Some of the packet rules listed in the previous sections become redundant when the cautious administrator denies all packets by default You may want to leave them in your rule set so you can switch from deny−by−default to allow−by−default... your firewall at all Use the Secure Shell (SSH), instead because it provides much greater security for a remote terminal In addition, we don't explicitly list the rule you should block access out to ports above 1023 because the commonly accessed services live below 1023 See Table 10.5 for a few additional rules that the cautious administrator will want to configure in the firewall Table 10.5: The Additional... of the bastion host The same ICMP and IP rules described for the previous section should be applied to protect the bastion host from denial−of−service attacks Service Rules (Proxying) The basic strategy behind strict security is to proxy only the most useful protocols: HTTP and SMTP These two protocols, which are easy to control and keep track of, allow most of the functionality of the Internet to be... want to configure for be ech clients excee all IP packets regardless of used o to be ded to rep whether they able to inbou surve ly contain TCP or UDP traffic hear nd: y your out inside them See Table 10.2 the Thes internal bo for an overview of the rules, reply of e network un then read pinged packe for further for an explanation of d: hosts ts computeWh each 4 infor rs to y Allow m Table 10.2: IP Service... protocol either TCP The TCP rules you create are like the UDP rules with one difference—you can use the ACK bit of a packet to stop connections from being initiated from one direction or the other Blocking inbound packets with the ACK bit cleared (C) for a particular port allows only outbound connections to be initiated, but allows subsequent data traffic for that connection—all of which will have the ACK... because network clients can easily bypass them The packet filter can also lock out troublesome external IP addresses and subnets, as well as deny external access from the outside to specific internal computers such as file and database servers Packet Rules (Filtering) The packet rules control the flow of several different kinds of packets through the filter or firewall They are as follows: • ICMP Rules • . but the FBI, on the other hand, is under almost constant siege from the very hackers they chase. As a general rule, the more visible the organization, the. firewalls? How would you set up the ideal firewall for your network? These are the questions that will be answered here. First, you'll determine the