VNU Net: Turning up the heat on firewalls
Apr 21, 2000, 15:57
By Ken Mann, VNU Net
A firewall puts up a barrier that controls the flow of traffic between hosts, networks and domains. The safest firewall would block all traffic, but that defeats the purpose of the connection. Strict control over selected traffic is needed, according to a logical security policy. A firewall can also conceal the topology of your internal network and network addresses from public view.
1. Know your basics
A virtual 'air-gap' exists in the firewall between the inside and outside networks, and proxies bridge this gap by working as agents for internal and external users. The proxies are specific to applications such as FTP and telnet, or to protocols such as IIOP and Oracle SQL*Net. In this application-layer approach, information flows through the firewall, but no outside packets do - providing a failsafe system. Application-layer firewalls typically support security policies that require fine-grained control.
Instead of examining the contents of each packet, stateful multilayer-inspection firewalls compare the bit patterns to packets that are already known to be trusted. Stateful multilayer inspection can be faster than application-layer firewalls - the proxy mechanism is at a much lower level - but such firewalls are also more complex. They combine some of the advantages and disadvantages of both packet filtering and application-layer firewalls.
Of the three firewall types, which delivers the best performance? The question can only be answered on a case-by-case basis, after considering your network topology, the services you plan to use and the services you plan to offer. In some circumstances, a simple packet-filtering router can be just as secure as a firewall costing 10-20 times as much. The converse is also true: buying an expensive firewall gives little security if it is not properly configured.
2. Use NAT with
NAT-capable devices provide secure filtering capabilities. For example, a NAT device can simply deny all connection requests coming from the outside and randomly assign IP addresses for internal hosts initiating connections to the outside. Many NAT devices allow static IP translation so that internal hosts can be made publicly available. However, restricting access to those hosts also requires packet filtering.
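The two behaviours just described - denying every connection request that originates outside while letting replies to inside-initiated connections back in, and exposing a statically translated host only on the ports a packet filter permits - are the same state tracking that section 1 attributes to stateful inspection. The following Python is an added example written for this page, not code from the article or from any firewall vendor. The addresses, the NAT_PUBLIC_IP and INTERNAL_PREFIX names, the sequential port allocation and the static_map/static_allow tables are constructed assumptions.

```python
"""Toy model of a stateful NAT device with a packet filter in front of
statically translated hosts. Added example for this page; not from the
article or any vendor. All addresses are constructed (RFC 1918 / 5737)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

INTERNAL_PREFIX = "10.0.0."      # constructed internal network
NAT_PUBLIC_IP = "203.0.113.10"   # constructed address used for outbound translation


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulNat:
    """Denies all unsolicited inbound traffic; allows replies to tracked
    outbound connections; exposes statically translated hosts only on
    the ports a filter rule permits."""

    def __init__(self, static_map: Dict[str, str], static_allow: Dict[str, Set[int]]):
        self.static_map = static_map      # public IP -> internal host (static translation)
        self.static_allow = static_allow  # internal host -> ports reachable from outside
        # translated public port -> (internal ip, internal port, remote ip, remote port)
        self.state: Dict[int, Tuple[str, int, str, int]] = {}
        self._next_port = 40000           # sequential for determinism (real devices randomise)

    def handle(self, pkt: Packet) -> str:
        if pkt.src_ip.startswith(INTERNAL_PREFIX):
            return self._outbound(pkt)
        return self._inbound(pkt)

    def _outbound(self, pkt: Packet) -> str:
        # An inside host opening a connection creates state; the reply is matched against it.
        port = self._next_port
        self._next_port += 1
        self.state[port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return f"ALLOW outbound as {NAT_PUBLIC_IP}:{port} -> {pkt.dst_ip}:{pkt.dst_port}"

    def _inbound(self, pkt: Packet) -> str:
        if pkt.dst_ip == NAT_PUBLIC_IP:
            entry = self.state.get(pkt.dst_port)
            if entry is None:
                return "DROP unsolicited inbound to NAT address"
            in_ip, in_port, rem_ip, rem_port = entry
            if (pkt.src_ip, pkt.src_port) != (rem_ip, rem_port):
                return "DROP source does not match tracked connection"
            return f"ALLOW reply -> {in_ip}:{in_port}"
        # Static translation alone would expose every port of the internal host;
        # the filter rule is what restricts access to the published services.
        target = self.static_map.get(pkt.dst_ip)
        if target is None:
            return "DROP no translation for destination"
        if pkt.dst_port not in self.static_allow.get(target, set()):
            return f"DROP filter: port {pkt.dst_port} not permitted to {target}"
        return f"ALLOW static -> {target}:{pkt.dst_port}"


def demo() -> List[str]:
    fw = StatefulNat(static_map={"203.0.113.11": "10.0.0.5"},
                     static_allow={"10.0.0.5": {80, 443}})
    packets = [  # constructed traffic
        Packet("10.0.0.7", 51000, "198.51.100.20", 80),    # inside host browses out
        Packet("198.51.100.20", 80, NAT_PUBLIC_IP, 40000),  # the server's reply
        Packet("198.51.100.99", 80, NAT_PUBLIC_IP, 40000),  # a stranger reuses that port
        Packet("198.51.100.99", 3333, NAT_PUBLIC_IP, 23),   # unsolicited inbound connection
        Packet("198.51.100.99", 3334, "203.0.113.11", 80),  # published web server
        Packet("198.51.100.99", 3335, "203.0.113.11", 23),  # same host, filtered port
    ]
    return [fw.handle(p) for p in packets]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Running the script prints one decision per packet; the fourth and sixth lines show the two denials the article cares about: an unsolicited connection to the NAT address, and a port on a published host that the filter does not permit even though the static translation exists.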
3. Firewalls cause problems
As the administrator of your site, you configure your firewall to allow this traffic in either direction. But you may have neither knowledge nor control of the remote site where your applet was downloaded.
If a firewall at that site is configured to deny traffic destined for that same port, you have a problem. Deploying it across an intranet, over which you have some control, will work, but not over the internet, over which you have no control.
4. Concurrent sessions
However, this advantage can be neutralised by using slower 10Mbps ethernet cards or even 34Mbps (E3) cards. To exploit the capacity of a feature-rich firewall, you really need 100Mbps ethernet connections. If you require encryption (for a VPN, for example), the maximum data throughput will be very much lower unless you can offload encryption onto hardware; so enable encryption only on specific services.
5. Increase firewall
Naturally, the faster the CPU, the faster the processing of firewall rules. But running a firewall on an SMP machine may or may not improve performance. Firewall vendors report that either their products won't run on some machines or can't benefit from the increased horsepower that SMP makes available.
6. System integration
Single-vendor systems are centralised routers and firewalls from the same vendor which let you take advantage of proprietary features and provide a common management system.
The best-of-breed solution lets you tailor your firewall strategy to suit your specific needs. However, this approach may be harder to integrate and does not provide common management.
From an administrative viewpoint, single-vendor solutions offer common centralised management consoles for tying together your firewall products and integrating them into a larger enterprise network. Various aspects of the firewall's security can be managed alongside tasks such as access control lists and routing and filtering configurations.
Firewall configurations in single-vendor products can be centrally managed by copying configuration files to multiple firewalls with minimal customisation.
Multiple systems remotely managed through a single console give you direct control over your firewalls regardless of their location on the network.
For example, sites with direct E1/PRI connections may need data encryption or VPNs to the central site. These features require more sophisticated management and reporting functionality and therefore generally cost more to implement. Smaller remote offices may require packet filtering on modem links or ISDN BRI; the management requirements here are fewer and the devices will cost less as a result.
The disadvantages of best-of-breed products include multiple management interfaces and the firewalls' differing abilities, which complicate efforts at setting up a secure environment. Learning multiple management consoles, the inability to copy multiple configurations across sites and the loss of proprietary features may outweigh the advantages of best-of-breed.
However, common management platforms are now available for centralised management in a multi-vendor environment, such as Checkpoint Software's Open Platform for Secure Enterprise Connectivity (OPSEC) initiative. Security on routers and firewalls from several vendors is managed through the common management application. However, you must license the management product and ensure that your firewalls are supported. And technical support may be complicated.
The key point with best-of-breed solutions is to know what you're securing. Be sure administrators thoroughly understand security issues and products and examine the advantages of a multi-vendor environment compared to the risk - and cost - of a compromised system.
8. Use one set of
9. Features vs security
Your security policy should dictate which features you need in a firewall today and help you to anticipate what you'll need tomorrow.
10. Logging and
The four basic types of logging are SNMP traps, syslog, local logging to a text file and console logging. SNMP and syslog log information to a network host and provide more centralised reporting and historical analysis.
Many firewall appliances claim to log via SNMP traps, but they typically log only security events, such as user authentication. Denial of Service (DoS) attacks, IP spoofing and other attempts at breaching security aren't reported via SNMP, but they can be logged through other mechanisms.
Logging via an external syslog utility is common and gives vendors a simple way to integrate logging into an existing network. Syslog is common on all Unix hosts, and several Windows 95/98 and NT syslog programs are available.
Local logs kept on the firewall appliance wrap around - replacing the oldest entries as needed - when the log becomes full. Logging on the firewall is useful for realtime troubleshooting, but getting the information from the firewall for historical analysis is difficult.
11. Logging to an external
Port scanning is fairly non-intrusive, but it still yields valuable information about would-be hackers. To catch a port scan in progress, you'll need to trap that information and be on the console as it's happening. Some vendors offer products that log security events to a telnet console. They'll tell you to leave a telnet session running and capture the screen to a local file. While this does provide logging of a sort, it also leaves that management session open to anyone with access to the workstation running the telnet client. It also could result in having the telnet session disconnected in a DoS attack.
For example, multiple connection attempts with bad user name and password pairs might indicate an attack on the firewall itself - something you'd want to know about immediately.
Similarly, security alerting is essential when dealing with DoS attacks. These attacks can devastate connectivity by sucking up resources from legitimate users. Without security alerting, such attacks go unnoticed, and your network stays vulnerable or inoperable until the attack is found and halted.
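The alerting the last two paragraphs call for is easiest to build on the syslog output section 10 describes, rather than on a screen-scraped telnet session. As an added example written for this page (not code from the article or from any vendor), the following Python reads syslog-style deny and authentication lines and raises the two alerts discussed above: a burst of failed logins from one source, and one source hitting many distinct ports in a short window, which is how a port scan appears in a firewall's deny log. The line format, the host and facility names, every line of SAMPLE_LOG and the thresholds are constructed assumptions.

```python
"""Alerting over a firewall's syslog output. Added example for this page,
not from the article or any vendor. The log format is an assumption and
every line of SAMPLE_LOG is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
# "<timestamp> <host> <facility>: DENY <proto> <src>:<sport> -> <dst>:<dport>"
DENY_RE = re.compile(TS + r" \S+ \S+: DENY (?:tcp|udp) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
# "<timestamp> <host> <facility>: LOGIN FAILED user=<name> from=<src>"
AUTH_RE = re.compile(TS + r" \S+ \S+: LOGIN FAILED user=\S+ from=(?P<src>[\d.]+)$")

SAMPLE_LOG = [  # constructed lines in the assumed format
    "Apr 21 15:57:01 fw1 filter: DENY tcp 198.51.100.99:4001 -> 203.0.113.10:21",
    "Apr 21 15:57:01 fw1 filter: DENY tcp 198.51.100.99:4002 -> 203.0.113.10:22",
    "Apr 21 15:57:02 fw1 filter: DENY tcp 198.51.100.99:4003 -> 203.0.113.10:23",
    "Apr 21 15:57:02 fw1 filter: DENY tcp 198.51.100.50:5000 -> 203.0.113.10:80",
    "Apr 21 15:57:03 fw1 filter: DENY tcp 198.51.100.99:4004 -> 203.0.113.10:25",
    "Apr 21 15:57:04 fw1 filter: DENY tcp 198.51.100.99:4005 -> 203.0.113.10:80",
    "Apr 21 15:57:05 fw1 auth: LOGIN FAILED user=admin from=192.0.2.7",
    "Apr 21 15:57:06 fw1 filter: DENY tcp 198.51.100.99:4006 -> 203.0.113.10:110",
    "Apr 21 15:57:09 fw1 auth: LOGIN FAILED user=admin from=192.0.2.7",
    "Apr 21 15:57:15 fw1 auth: LOGIN FAILED user=root from=192.0.2.7",
    "Apr 21 15:57:20 fw1 filter: DENY tcp 198.51.100.50:5001 -> 203.0.113.10:443",
    "Apr 21 15:57:31 fw1 auth: LOGIN FAILED user=admin from=192.0.2.7",
    "Apr 21 15:58:40 fw1 auth: LOGIN FAILED user=ken from=192.0.2.8",
]


def _parse_ts(text: str) -> datetime:
    # Syslog timestamps carry no year; relative comparisons are all we need here.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def _max_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of events that fall within any span of length `window`."""
    times = sorted(times)
    return max((sum(1 for t in times[i:] if t - t0 <= window)
                for i, t0 in enumerate(times)), default=0)


def detect(lines: List[str], scan_ports: int = 5, auth_failures: int = 3,
           window_seconds: int = 60) -> List[Tuple[str, str, int]]:
    """Return (alert type, source address, count) for each source that trips a threshold."""
    window = timedelta(seconds=window_seconds)
    denies: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    fails: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        m = DENY_RE.match(line)
        if m:
            denies[m["src"]].append((_parse_ts(m["ts"]), int(m["dport"])))
            continue
        m = AUTH_RE.match(line)
        if m:
            fails[m["src"]].append(_parse_ts(m["ts"]))

    alerts: List[Tuple[str, str, int]] = []
    for src, events in denies.items():
        events.sort()
        # Distinct destination ports denied within the window from each starting event.
        best = max(len({p for t, p in events[i:] if t - t0 <= window})
                   for i, (t0, _) in enumerate(events))
        if best >= scan_ports:
            alerts.append(("PORT_SCAN", src, best))
    for src, times in fails.items():
        n = _max_in_window(times, window)
        if n >= auth_failures:
            alerts.append(("AUTH_FAILURES", src, n))
    return alerts


if __name__ == "__main__":
    for kind, src, count in detect(SAMPLE_LOG):
        print(f"ALERT {kind} from {src} ({count} events in 60s)")
```

Because the lines are written to a network syslog host rather than kept in the appliance's wrap-around local log, the same function can be run over a day's archive for historical analysis as well as over a live tail. The two thresholds are deliberately separate: a handful of denied ports from one address is normal background noise, while three bad passwords in a minute on the firewall's own management interface is worth paging someone about.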