---

VNU Net: Turning up the heat on firewalls

By Ken Mann, VNU Net

A firewall puts up a barrier that controls the flow of traffic
between hosts, networks and domains. The safest firewall would
block all traffic, but that defeats the purpose of the connection.
Strict control over selected traffic is needed, according to a
logical security policy. A firewall can also conceal the topology
of your internal network and network addresses from public
view.

1. Know your basics

Before selecting a firewall you should know that the most common security
techniques in use are:

  • Packet filtering firewalls (static filtering routers):

    Packet filters work by distinguishing destinations based on IP
    addresses or specific bit patterns. Most security policies,
    however, require finer control. Because of the limited information
    checked, packet filters are unable to protect against
    application-level attacks and may be susceptible to sophisticated
    IP fragmentation and IP source routing attacks. This type of
    firewall is usually found in routers, so it is economical and
    fast. Because a router is needed to connect to the internet anyway,
    this firewalling is effectively free.
  • Application layer firewalls (aka gateways or circuit-level proxies):

    Application layer firewalls concentrate on the application layer of
    the OSI reference model. Working at this level enables these
    firewalls to use dedicated security proxies to examine the entire
    data stream (most of each packet) for every connection attempt.

A virtual ‘air-gap’ exists in the firewall between the inside
and outside networks, and proxies bridge this gap by working as
agents for internal and external users. The proxies are specific
for applications such as FTP, telnet or protocols such as IIOP and
Oracle SQL*Net. In this application approach, information flows
through the firewall, but no outside packets do – providing a
failsafe system. Typically, they support security policies which
require fine-grain control.

  • Stateful multilayer inspection firewalls (dynamic filtering):

    These firewalls analyse all packet communication layers and extract
    the relevant communication and application state information. They
    parse IP packets and keep state information about connections in the
    operating system kernel.

Instead of examining the contents of each packet, the firewalls
compare the bit patterns to packets that are already known to be
trusted. Stateful multilayer-inspection can be faster than
application layer firewalls – the proxy mechanism is at a much
lower level – but they are also more complex. They can have some of
the advantages and disadvantages of both packet filtering and
application layer firewalls.
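
To make the difference between static filtering and connection state concrete, here is an added sketch (not from the original article) that runs the same three packets through a stateless rule set and through a filter that keeps a connection table. The rule set, the `10.0.0.` internal prefix and all addresses are constructed for illustration.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN+ACK, "A" = ACK

INSIDE = "10.0.0."  # assumed internal prefix for this sketch

def is_inside(addr):
    return addr.startswith(INSIDE)

def static_filter(pkt):
    """Stateless rules: allow outbound web; allow inbound TCP from port 80 if ACK is set."""
    if is_inside(pkt.src) and pkt.dport == 80:
        return True
    return (not is_inside(pkt.src)) and pkt.sport == 80 and "A" in pkt.flags

class StatefulFilter:
    """Tracks connections opened from inside; inbound packets must match one."""
    def __init__(self):
        self.conns = set()

    def check(self, pkt):
        if is_inside(pkt.src):
            if pkt.dport != 80:
                return False
            if pkt.flags == "S":
                self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.conns
        # Inbound: must be the exact reverse of a tracked connection.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns

def compare():
    """Return {packet name: (static verdict, stateful verdict)}."""
    out_syn = Packet("10.0.0.5", 40000, "198.51.100.20", 80, "S")
    reply = Packet("198.51.100.20", 80, "10.0.0.5", 40000, "SA")
    unsolicited = Packet("203.0.113.9", 80, "10.0.0.8", 139, "A")
    sf = StatefulFilter()
    results = {}
    for name, pkt in (("out_syn", out_syn), ("reply", reply), ("unsolicited", unsolicited)):
        results[name] = (static_filter(pkt), sf.check(pkt))
    return results

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```

The static rules judge each packet only by its header fields, so the unsolicited packet passes; the stateful filter drops it because no internal host opened that connection.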

Of the three firewall types, which delivers the best
performance? The question can only be answered on a case-by-case
basis, after considering your network topology, the services you
plan to use and the services you plan to offer. In some
circumstances, a simple packet-filtering router can be just as
secure as a firewall costing 10-20 times as much. The converse is
also true: buying an expensive firewall gives little security if it
is not properly configured.

2. Use NAT with firewalls

Network Address Translation (NAT), by itself, is not a security
procedure. Instead, NAT hides the internal network addressing from
the external network and lets hosts on private IP networks
communicate with hosts on public networks. If NAT is configured with
static address mapping, intruders can discover the addresses and
attack hosts as if no firewall were in place.

NAT-capable devices provide secure filtering capabilities. For
example, a NAT device can simply deny all connection requests
coming from the outside and randomly assign IP addresses for
internal hosts initiating connections to the outside. Many NAT
devices allow static IP translation so that internal hosts can be
made publicly available. However, restricting access to those hosts
also requires packet filtering.
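
The behaviour described in this section, modelled as an added example (not from the original article): a toy translating gateway with a dynamic address pool and one static mapping, showing why the statically published host still needs a packet filter. The class, its parameters and every address are constructed for illustration.

```python
import random

class NatDevice:
    """Toy address-translating gateway: dynamic pool plus optional static mappings."""
    def __init__(self, pool, static_map=None, static_allowed_ports=None, seed=0):
        self.free = list(pool)
        self.static_map = dict(static_map or {})          # public addr -> internal addr
        self.static_allowed_ports = static_allowed_ports  # None = no packet filter
        self.dynamic = {}                                 # public addr -> (internal, peer)
        self.rng = random.Random(seed)

    def outbound(self, internal, remote):
        """Internal host opens a connection and gets a randomly chosen pool address."""
        public = self.free.pop(self.rng.randrange(len(self.free)))
        self.dynamic[public] = (internal, remote)
        return public

    def inbound(self, remote, public, dport):
        """Return the internal address a packet reaches, or None if it is dropped."""
        if public in self.static_map:
            ports = self.static_allowed_ports
            if ports is not None and dport not in ports:
                return None                               # filtered on the published host
            return self.static_map[public]
        internal, peer = self.dynamic.get(public, (None, None))
        return internal if peer == remote else None       # only the contacted peer may reply

def demo():
    static = {"192.0.2.80": "10.0.0.80"}                  # published web server
    pool = ["192.0.2.1", "192.0.2.2"]
    open_nat = NatDevice(pool, static)
    filtered = NatDevice(pool, static, static_allowed_ports={80})
    public = open_nat.outbound("10.0.0.5", "198.51.100.20")
    return {
        "reply_to_client": open_nat.inbound("198.51.100.20", public, 40000),
        "stranger_to_client": open_nat.inbound("203.0.113.9", public, 40000),
        "static_telnet_unfiltered": open_nat.inbound("203.0.113.9", "192.0.2.80", 23),
        "static_telnet_filtered": filtered.inbound("203.0.113.9", "192.0.2.80", 23),
        "static_http_filtered": filtered.inbound("203.0.113.9", "192.0.2.80", 80),
    }

if __name__ == "__main__":
    for case, delivered_to in demo().items():
        print(case, delivered_to)
```

Without the port restriction, a telnet connection to the static address reaches the internal host directly; with it, only the published service is reachable.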

3. Firewalls cause problems too

Consider the case where your organisation’s web server publishes a
Java applet that makes calls to a JDBC client. It then sends messages
to a JDBC server (a TCP service) running on a particular port of a
host on your site.

As the administrator of your site, you configure your firewall
to allow this traffic in either direction. But you may have neither
knowledge nor control of the remote site where your applet was
downloaded.

If a firewall at that site is configured to deny traffic
destined for that same port, you have a problem. Deploying the applet
across an intranet, over which you have some control, will work, but
not over the internet, over which you have no control.

4. Concurrent sessions

You need to determine the maximum number of concurrent connections
that a firewall can maintain, and the maximum data throughput
supported under multiple firewall configurations. Generally,
firewalls give better overall performance when running on high-end
Unix or Linux rather than Windows NT, because Unix and Linux are able
to better exploit the underlying hardware platform.

However, this advantage can be neutralised by using slower
10Mbps ethernet cards or even 34Mbps (E3) cards. To exploit the
capacity of a feature-rich firewall, you really need 100Mbps
ethernet connections. If you require encryption (i.e. for a VPN),
the maximum data throughput will be very much lower, unless you can
offload encryption onto hardware; so enable encryption only on
specific services.

5. Increase firewall performance

The performance of a firewall can benefit from an increase in memory
and CPU resources – including SMP (symmetrical multiprocessing) – but
only under certain conditions. Adding memory can increase throughput,
but not until the connections to the firewall expand to fill existing
RAM. Only then will adding memory have any effect.

Naturally, the faster the CPU, the faster the processing of
firewall rules. But running a firewall on an SMP machine may or may
not improve performance. Firewall vendors report that either their
products won’t run on some machines or can’t benefit from the
increased horsepower that SMP makes available.

6. System integration

System integration depends on integrating the firewall into your
existing network infrastructure. Choosing between the single vendor
and the best-of-breed approach is difficult because there are
advantages to both strategies.

Single-vendor systems are centralised routers and firewalls from
the same vendor which let you take advantage of proprietary features
and provide a common management system.

The best-of-breed solution lets you tailor your firewall
strategy to suit your specific needs. However, this approach may be
harder to integrate and does not provide common management.

From an administrative viewpoint, single-vendor solutions offer
common centralised management consoles for tying together your
firewall products and integrating them into a larger enterprise
network. Various aspects of the firewall’s security can be managed
alongside tasks such as access control lists and routing and
filtering configurations.

Firewall configurations in single-vendor products can be
centrally managed by copying configuration files to multiple
firewalls with minimal customisation.

Multiple systems remotely managed through a single console give
you direct control over your firewalls regardless of their location
on the network.

7. Best-of-breed

Best-of-breed products let you tailor network security needs without
relying on a single vendor. The advantage here lies in the ability to
get the appropriate features at the right level for your network,
which leads to more competitive pricing.

For example, sites with direct E1/PRI connections may need data
encryption or VPNs to the central site. These features require more
sophisticated management and reporting functionality and therefore
generally cost more to implement. Smaller remote offices may require
packet filtering on modem links or ISDN BRI; the management
requirements here are fewer and the devices will cost less as a
result.

The disadvantages of best-of-breed products include multiple
management interfaces and firewalls’ differing abilities, which
complicate efforts at setting up a secure environment. Learning
multiple management consoles, the inability to copy multiple
configurations across sites and the loss of proprietary features may
outweigh the advantages of best-of-breed.

However, common management platforms are now available for
centralised management in a multi-vendor environment, such as
Checkpoint Software’s Open Platform for Secure Enterprise
Connectivity (OPSEC) initiative. Security on routers and firewalls
from several vendors is managed through the common management
application. However, you must license the management product and
ensure that your firewalls are supported. And technical support may
be complicated.

The key point with best-of-breed solutions is to know what
you’re securing. Be sure administrators thoroughly understand
security issues and products and examine the advantages of a
multi-vendor environment compared to the risk – and cost – of a
compromised system.

8. Use one set of criteria

Firewalls are a single aspect of security,
and in the longer term, their management will be consolidated with
management of VPNs and the corporate network. Towards this end,
system and network management vendors are moving towards a
policy-based management approach in which an IT manager can develop
and implement one set of access criteria for the enterprise network
and VPN for each network user.

9. Features vs security policy

The more features available on your
firewall, the more implementation options available to you and the
more robust security for your organisation becomes. But more
features alone don’t translate into more security; your level of
security is determined by your security policy (what you want to
secure and why).

Your security policy should dictate which features you need in a
firewall today and help you to anticipate what you’ll need
tomorrow.

10. Logging and reporting

While enterprise-scale firewalls have
excellent logging facilities, firewall appliances tend to lack
robust security event logging and reporting. And the amount of
reporting available in terms of historical logs and realtime
alerting will largely determine how well you can lock down your
network.

The four basic types of logging are SNMP traps, syslog, local
logging to a text file and console logging. SNMP and syslog log
information to a network host and provide more centralised
reporting and historical analysis.

Many firewall appliances claim to log via SNMP traps, but they
typically log only security events, such as user authentication.
Denial of Service (DoS) attacks, IP spoofing and other attempts at
breaching security aren’t reported via SNMP, but they can be logged
through other mechanisms.

Logging via an external syslog utility is common and gives
vendors a simple way to integrate logging into an existing network.
Syslog is common on all Unix hosts, and several Windows 95/98 and
NT syslog programs are available.

Local logs kept on the firewall appliance wrap around –
replacing the oldest entries as needed – when the log becomes full.
Logging on the firewall is useful for realtime troubleshooting, but
getting the information from the firewall for historical analysis
is difficult.

11. Logging to an external file

If security logging can’t be captured to an external file, you’ll
have a difficult time managing your security. No level of automated
filtering can take the place of log analysis done by administrators
because concentrated attacks take place over time.

Port scanning is fairly non-intrusive, but it still yields
valuable information about would-be hackers. To catch a port scan
in progress, you’ll need to trap that information and be on the
console as it’s happening. Some vendors offer products that log
security events to a telnet console. They’ll tell you to leave a
telnet session running and capture the screen to a local file.
While this does provide logging of a sort, it also leaves that
management session open to anyone with access to the workstation
running the telnet client. It also could result in having the
telnet session disconnected in a DoS attack.

12. Security alerting

Security alerting – notifying you of
attack via pager, email or on the console – provides
around-the-clock notification of events that might indicate an
attack in progress. Hackers typically attack when the office is
closed and the attack would go unnoticed. A firewall appliance with
alerting features lets you take swift action in the event of an
attack.

For example, multiple connection attempts with bad user name
or password pairs might indicate an attack on the firewall itself –
something you’d want to know about immediately.

Similarly, security alerting is essential when dealing with DoS
attacks. These attacks can devastate connectivity by sucking up
resources from legitimate users. Without security alerting, your
network is left vulnerable or inoperable until the attack is found
and halted.
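
The port-scan case from section 11 and the repeated bad-login case from section 12 both come down to counting events per source over a time window in an externally captured log. The following is an added example (not from the original article) of that analysis; the log format, host name and addresses are constructed for illustration and do not match any vendor's output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a made-up syslog-style format (no vendor's real format).
SAMPLE_LOG = """\
Jan 12 02:14:01 fw1 DENY tcp 203.0.113.7:40001 -> 192.0.2.10:21
Jan 12 02:14:02 fw1 DENY tcp 203.0.113.7:40002 -> 192.0.2.10:22
Jan 12 02:14:03 fw1 DENY tcp 203.0.113.7:40003 -> 192.0.2.10:23
Jan 12 02:14:04 fw1 DENY tcp 203.0.113.7:40004 -> 192.0.2.10:25
Jan 12 02:14:05 fw1 DENY tcp 203.0.113.7:40005 -> 192.0.2.10:80
Jan 12 02:20:10 fw1 AUTHFAIL user=admin src=198.51.100.9
Jan 12 02:20:15 fw1 AUTHFAIL user=admin src=198.51.100.9
Jan 12 02:20:21 fw1 AUTHFAIL user=root src=198.51.100.9
Jan 12 09:05:00 fw1 AUTHFAIL user=alice src=192.0.2.55
"""

DENY_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ DENY \w+ ([\d.]+):\d+ -> ([\d.]+):(\d+)$")
AUTH_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ AUTHFAIL user=\S+ src=([\d.]+)$")

def parse(text, year=2000):
    """Yield (timestamp, kind, source, detail) for each recognised line."""
    for line in text.splitlines():
        for kind, rx in (("deny", DENY_RE), ("auth", AUTH_RE)):
            m = rx.match(line.strip())
            if m:
                ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
                detail = (m.group(3), int(m.group(4))) if kind == "deny" else None
                yield ts, kind, m.group(2), detail

def detect(text, window=timedelta(minutes=1), scan_ports=5, auth_fails=3):
    """Return sorted alerts for sources exceeding a threshold inside a sliding window."""
    events = defaultdict(list)
    for ts, kind, src, detail in parse(text):
        events[(kind, src)].append((ts, detail))
    alerts = set()
    for (kind, src), items in events.items():
        items.sort(key=lambda e: e[0])
        for i, (start, _) in enumerate(items):
            in_win = [d for t, d in items[i:] if t - start <= window]
            if kind == "deny" and len(set(in_win)) >= scan_ports:
                alerts.add(("portscan", src))      # many distinct host/port targets
            if kind == "auth" and len(in_win) >= auth_fails:
                alerts.add(("auth-bruteforce", src))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Widening `window` to hours or days is what makes slow, spread-out probing visible, which is only possible when the log is kept off the appliance rather than in a wrap-around local buffer.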