Linux Today: Linux News On Internet Time.

VNU Net: Turning up the heat on firewalls

Apr 21, 2000, 15:57

By Ken Mann, VNU Net

A firewall puts up a barrier that controls the flow of traffic between hosts, networks and domains. The safest firewall would block all traffic, but that defeats the purpose of the connection. What is needed is strict control over selected traffic, governed by a coherent security policy. A firewall can also conceal the topology of your internal network and its network addresses from public view.

1. Know your basics
Before selecting a firewall you should know that the most common security techniques in use are:

  • Packet filtering firewalls (static filtering routers):
    Packet filters work by distinguishing destinations based on IP addresses or specific bit patterns. Most security policies, however, require finer control. Because of the limited information checked, packet filters are unable to protect against application-level attacks and may be susceptible to sophisticated IP fragmentation and IP source routing attacks. This type of firewall is usually found in routers, so they're economical and fast. Because a router is needed to connect to the internet anyway, this firewalling is effectively free.
  • Application layer firewalls (aka gateways or circuit-level proxies):
    Application layer firewalls concentrate on the application layer of the OSI reference model. Working at this level enables these firewalls to use dedicated security proxies to examine the entire data stream (most of each packet) for every connection attempt.

    A virtual 'air-gap' exists in the firewall between the inside and outside networks, and proxies bridge this gap by working as agents for internal and external users. The proxies are specific for applications such as FTP, telnet or protocols such as IIOP and Oracle SQL*Net. In this application approach, information flows through the firewall, but no outside packets do - providing a failsafe system. Typically, they support security policies which require fine-grain control.

  • Stateful multilayer inspection firewalls (dynamic filtering):
    These firewalls analyse all packet communication layers and extract the relevant communication and application state information. They parse IP packets and keep state information about connections in the operating system kernel.

    Instead of examining the contents of each packet, the firewalls compare the bit patterns to packets that are already known to be trusted. Stateful multilayer-inspection can be faster than application layer firewalls - the proxy mechanism is at a much lower level - but they are also more complex. They can have some of the advantages and disadvantages of both packet filtering and application layer firewalls.

Of the three firewall types, which delivers the best performance? The question can only be answered on a case-by-case basis, after considering your network topology, the services you plan to use and the services you plan to offer. In some circumstances, a simple packet-filtering router can be just as secure as a firewall costing 10-20 times as much. The converse is also true: buying an expensive firewall gives little security if it is not properly configured.
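As an added illustration (not code from the article), here is a toy Python model of the difference section 1 describes between a static packet filter, which judges each packet by its header alone, and a stateful filter, which keeps a table of connections opened from inside. It assumes 10.x.x.x is the internal network; all addresses and packets are constructed.

```python
# Added example, not from the article: a toy model of a static packet filter next to a
# stateful one. 10.x is the assumed internal network; other addresses are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool   # TCP SYN flag
    ack: bool   # TCP ACK flag

def is_internal(ip):
    return ip.startswith("10.")

def stateless_allow(p):
    """Static filter: judges each packet by its header alone. To let replies reach
    internal clients it must accept any inbound packet with ACK set and a high
    destination port, so it cannot tell a genuine reply from a crafted probe."""
    if is_internal(p.src) and not is_internal(p.dst):
        return True                         # internal hosts may go out
    if is_internal(p.dst) and not is_internal(p.src):
        return p.ack and p.dport >= 1024    # "looks like" an established flow
    return False

class StatefulFilter:
    """Dynamic filter: records connections opened from inside (as the kernel state
    table does) and admits inbound packets only when they match a recorded one."""
    def __init__(self):
        self.table = set()  # (internal ip, internal port, external ip, external port)
    def allow(self, p):
        if is_internal(p.src) and not is_internal(p.dst):
            if p.syn and not p.ack:         # new outbound connection: remember it
                self.table.add((p.src, p.sport, p.dst, p.dport))
            return True
        if is_internal(p.dst) and not is_internal(p.src):
            return (p.dst, p.dport, p.src, p.sport) in self.table
        return False

def compare(packets):
    sf = StatefulFilter()
    return [(stateless_allow(p), sf.allow(p)) for p in packets]  # (static, stateful)

PACKETS = [  # constructed sample traffic, in arrival order
    Packet("10.1.1.5", "192.0.2.80", 40000, 80, syn=True, ack=False),   # client opens HTTP
    Packet("192.0.2.80", "10.1.1.5", 80, 40000, syn=True, ack=True),    # genuine SYN/ACK reply
    Packet("203.0.113.9", "10.1.1.5", 80, 5000, syn=False, ack=True),   # unsolicited ACK probe
    Packet("203.0.113.9", "10.1.1.5", 1234, 22, syn=True, ack=False),   # inbound SYN to ssh
]
```

Running `compare(PACKETS)` shows both filters passing the client's request and the reply, but only the static filter admitting the unsolicited ACK probe, which is the limitation the article attributes to packet filters.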

2. Use NAT with firewalls
Network Address Translation (NAT), by itself, is not a security procedure. Instead, NAT hides the internal network addressing from the external network and lets hosts on private IP networks communicate with hosts on public networks. If NAT is configured with static address mapping, intruders can discover the internal addresses and attack those hosts as if no firewall were in place.

NAT-capable devices provide secure filtering capabilities. For example, a NAT device can simply deny all connection requests coming from the outside and randomly assign IP addresses for internal hosts initiating connections to the outside. Many NAT devices allow static IP translation so that internal hosts can be made publicly available. However, restricting access to those hosts also requires packet filtering.

3. Firewalls cause problems too
Consider the case where your organisation's web server publishes a Java applet that makes calls to a JDBC client. It then sends messages to a JDBC server (a TCP service) running on a particular port of a host on your site.

As the administrator of your site, you configure your firewall to allow this traffic in either direction. But you may have neither knowledge nor control of the remote site where your applet was downloaded.

If a firewall at that site is configured to deny traffic destined for that same port, you have a problem. Deploying it across an intranet, over which you have some control, will work, but not over the internet, over which you have no control.

4. Concurrent sessions
You need to determine the maximum number of concurrent connections that a firewall can maintain, and the maximum data throughput supported under multiple firewall configurations. Generally, firewalls give better overall performance when running on high-end Unix or Linux rather than Windows NT, because Unix and Linux are able to better exploit the underlying hardware platform.

However, this advantage can be neutralised by using slower 10Mbps ethernet cards or even 34Mbps (E3) cards. To exploit the capacity of a feature-rich firewall, you really need 100Mbps ethernet connections. If you require encryption (i.e. for a VPN), the maximum data throughput will be very much lower, unless you can offload encryption onto hardware; so enable encryption only on specific services.

5. Increase firewall performance
The performance of a firewall can benefit from an increase in memory and CPU resources - including SMP (symmetrical multiprocessing) - but only under certain conditions. Adding memory can increase throughput, but not until the connections to the firewall expand to fill existing RAM. Only then will adding memory have any effect.

Naturally, the faster the CPU, the faster the processing of firewall rules. But running a firewall on an SMP machine may or may not improve performance. Firewall vendors report that either their products won't run on some machines or can't benefit from the increased horsepower that SMP makes available.

6. System integration
System integration depends on integrating the firewall into your existing network infrastructure. Choosing between the single vendor and the best-of-breed approach is difficult because there are advantages to both strategies.

Single-vendor systems are centralised routers and firewalls from the same vendor which let you take advantage of proprietary features and provide a common management system.

The best-of-breed solution lets you tailor your firewall strategy to suit your specific needs. However, this approach may be harder to integrate and does not provide common management.

From an administrative viewpoint, single-vendor solutions offer common centralised management consoles for tying together your firewall products and integrating them into a larger enterprise network. Various aspects of the firewall's security can be managed alongside tasks such as access control lists and routing and filtering configurations.

Firewall configurations in single-vendor products can be centrally managed by copying configuration files to multiple firewalls with minimal customisation.

Multiple systems remotely managed through a single console give you direct control over your firewalls regardless of their location on the network.

7. Best-of-breed
Best-of-breed products let you tailor network security needs without relying on a single vendor. The advantage here lies in the ability to get the appropriate features at the right level for your network, which leads to more competitive pricing.

For example, sites with direct E1/PRI connections may need data encryption or VPNs to the central site. These features require more sophisticated management and reporting functionality and therefore generally cost more to implement. Smaller remote offices may require packet filtering on modem links or ISDN BRI; the management requirements here are fewer and the devices will cost less as a result.

The disadvantages of best-of-breed products include multiple management interfaces and firewalls' differing abilities, which complicate efforts at setting up a secure environment. Learning multiple management consoles, the inability to copy configurations across sites and the loss of proprietary features may outweigh the advantages of best-of-breed.

However, common management platforms are now available for centralised management in a multi-vendor environment, such as Check Point Software's Open Platform for Secure Enterprise Connectivity (OPSEC) initiative. Security on routers and firewalls from several vendors is managed through the common management application. However, you must license the management product and ensure that your firewalls are supported. And technical support may be complicated.

The key point with best-of-breed solutions is to know what you're securing. Be sure administrators thoroughly understand security issues and products and examine the advantages of a multi-vendor environment compared to the risk - and cost - of a compromised system.

8. Use one set of criteria
Firewalls are a single aspect of security, and in the longer term, their management will be consolidated with management of VPNs and the corporate network. Towards this end, system and network management vendors are moving towards a policy-based management approach in which an IT manager can develop and implement one set of access criteria for the enterprise network and VPN for each network user.

9. Features vs security policy
The more features available on your firewall, the more implementation options available to you and the more robust security for your organisation becomes. But more features alone don't translate into more security; your level of security is determined by your security policy (what you want to secure and why).

Your security policy should dictate which features you need in a firewall today and help you to anticipate what you'll need tomorrow.

10. Logging and reporting
While enterprise-scale firewalls have excellent logging facilities, firewall appliances tend to lack robust security event logging and reporting. And the amount of reporting available in terms of historical logs and realtime alerting will largely determine how well you can lock down your network.

The four basic types of logging are SNMP traps, syslog, local logging to a text file and console logging. SNMP and syslog log information to a network host and provide more centralised reporting and historical analysis.

Many firewall appliances claim to log via SNMP traps, but they typically log only security events, such as user authentication. Denial of Service (DoS) attacks, IP spoofing and other attempts at breaching security aren't reported via SNMP, but they can be logged through other mechanisms.

Logging via an external syslog utility is common and gives vendors a simple way to integrate logging into an existing network. Syslog is common on all Unix hosts, and several Windows 95/98 and NT syslog programs are available.

Local logs kept on the firewall appliance wrap around - replacing the oldest entries as needed - when the log becomes full. Logging on the firewall is useful for realtime troubleshooting, but getting the information from the firewall for historical analysis is difficult.

11. Logging to an external file
If security logging can't be captured to an external file, you'll have a difficult time managing your security. No level of automated filtering can take the place of log analysis done by administrators because concentrated attacks take place over time.

Port scanning is fairly non-intrusive, but it still yields valuable information about would-be hackers. To catch a port scan in progress, you'll need to trap that information and be on the console as it's happening. Some vendors offer products that log security events to a telnet console. They'll tell you to leave a telnet session running and capture the screen to a local file. While this does provide logging of a sort, it also leaves that management session open to anyone with access to the workstation running the telnet client. It also could result in having the telnet session disconnected in a DoS attack.

12. Security alerting
Security alerting - notifying you of an attack via pager, email or on the console - provides around-the-clock notification of events that might indicate an attack in progress. Hackers typically attack when the office is closed, so without alerting the attack would go unnoticed. A firewall appliance with alerting features lets you take swift action in the event of an attack.

For example, multiple connection attempts with bad user name/password pairs might indicate an attack on the firewall itself - something you'd want to know about immediately.

Similarly, security alerting is essential when dealing with DoS attacks. These attacks can devastate connectivity by taking resources away from legitimate users. Without security alerting, such an attack goes undiscovered and your network stays vulnerable or inoperable until the attack is found and halted.
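As an added example (not from the article) of the point made in sections 11 and 12, that attacks unfold over time and that repeated failed logins on the firewall deserve an immediate alert, here is alerting logic run over constructed firewall syslog lines. The hostname `fw1`, the `DENY`/`AUTHFAIL` record format and the thresholds are assumptions for the example.

```python
# Added example, not from the article: alerting logic run over constructed
# firewall syslog lines (hostname "fw1" and the DENY/AUTHFAIL format are assumed).
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(?P<ts>\S+) fw1 (?P<kind>DENY|AUTHFAIL) src=(?P<src>[\d.]+)"
                    r"(?: dport=(?P<dport>\d+))?")

SAMPLE_LOG = """\
2000-04-21T02:10:01 fw1 DENY src=203.0.113.9 dport=21
2000-04-21T02:12:44 fw1 DENY src=203.0.113.9 dport=23
2000-04-21T02:15:30 fw1 DENY src=203.0.113.9 dport=25
2000-04-21T02:18:05 fw1 DENY src=203.0.113.9 dport=80
2000-04-21T02:21:12 fw1 DENY src=203.0.113.9 dport=110
2000-04-21T02:22:00 fw1 DENY src=198.51.100.7 dport=80
2000-04-21T02:30:00 fw1 AUTHFAIL src=198.51.100.7
2000-04-21T02:30:05 fw1 AUTHFAIL src=198.51.100.7
2000-04-21T02:30:09 fw1 AUTHFAIL src=198.51.100.7
"""

def parse(text):  # yield (timestamp, kind, source, dport-or-None) per matching line
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["kind"], m["src"],
                   int(m["dport"]) if m["dport"] else None)

def _flag(events, kind, window, threshold, key):
    """Flag sources with at least `threshold` distinct `key` values for events of
    `kind` inside the sliding `window` ending at the latest event from that source."""
    seen, alerts = defaultdict(list), set()
    for ts, k, src, dport in events:
        if k != kind:
            continue
        seen[src].append((ts, key(ts, dport)))
        if len({v for t, v in seen[src] if ts - t <= window}) >= threshold:
            alerts.add(src)
    return alerts

def port_scan_alerts(events):    # 5 distinct denied ports within 15 minutes: a slow scan
    return _flag(events, "DENY", timedelta(minutes=15), 5, lambda ts, d: d)

def auth_failure_alerts(events):  # 3 failed firewall logins within one minute
    return _flag(events, "AUTHFAIL", timedelta(minutes=1), 3, lambda ts, d: ts)

def analyse(text):
    events = list(parse(text))
    return port_scan_alerts(events), auth_failure_alerts(events)
```

No single line in the sample is alarming on its own; only the windowed counts across lines raise the two alerts, which is why an external, retained log matters more than console scrolling.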
