Triware Networld Systems 

INTRODUCTION TO FIREWALL

Not too long ago, the “firewall” as we know it today belonged to an exclusive group of highly trained network engineers and programmers as a tool set for defending an organization’s networks. 

Back then, a person really needed to know what he was doing to set up a firewall. Less than a handful of today’s commercial products were available, and most network engineers and programmers resorted to building their own firewalls. This was because, at the time, only a few organizations on the Internet had to really worry about protecting themselves.

Well, that was then. Today, more than 100 firewall providers advertise their wares. Unfortunately, many of these so-called “firewalls” aren’t doing as much as you’d think.

To really understand how to protect networks, we need to first understand what a firewall is made up of.  With this knowledge, we can intelligently decide if we are building the firewall that serves our needs. 

Notice that I still refer to it as “building” a firewall.  Most of us do not build our own firewalls anymore. Perhaps a few still do, but that’s no longer necessary with today’s technology.  We must, however, still choose the right combination of products that will successfully protect our networks.

Not all firewalls are created equal. And not all firewalls are doing the job you may think they’re created to do.

A firewall should really be doing more than simply filtering and blocking particular network traffic. A good firewall should, at the minimum, provide adequate security for its organization. However, most firewall manufacturers seem to forget that good security also includes reliability, performance and management.

By management, I mean providing intelligent information about the network and about the firewalls themselves. Most firewalls today are set up and forgotten. They are abandoned without routine maintenance, penetration tests or auditing.

Generation One – Packet-filtering Generation

The two major types of “Generation One” firewalls are: (1) Hardware-based Access Control List (ACL) routers and (2) Software-based, packet-filtering firewalls. There is also the combination of the two in both hardware and software platforms.

Both essentially evolved from general-purpose routers and computer Operating Systems (mostly UNIX) in the early days of Internet networking.

Over time, both router and operating system manufacturers added more and more capabilities to their products so that they could function as firewalls.

Generally speaking, these firewalls perform two main actions:

- Network Address Translation (NAT): A method used to hide the addresses and layout of the network behind the firewall from the outside world, and to conserve routable Internet Protocol (IP) addresses.
- Packet filtering: A method by which network traffic is selectively restricted or allowed through based on the firewall’s security policy. The policy can depend on packet type (protocol and port numbers) and on source and/or destination address. Different methods of packet filtering have developed over the years, but surprisingly enough, 90 percent or more of today’s firewalls are still only performing these two main actions.

This generation of firewalls provides little or no protection at the application layer. For example, with most packet-filtering firewalls an FTP session (or any other protocol) can be carried over the port that is open for HTTP (the web service), and there is nothing the firewall can do about it: it sees only addresses, protocol and port numbers, never the application inside the connection.

Another case in point: a packet-filtering firewall that permits SMTP cannot stop an attacker from connecting to the SMTP port with a Telnet client and typing arbitrary commands at the mail server, even though the same firewall blocks Telnet at its default port. The filter matches the port number, not the application or the commands behind the connection.

In summary, packet-filtering firewalls provide basic protection for the internal network but are ill-suited to protecting Internet applications.
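To make that limitation concrete, here is an added example (not code from the original article) of a first-match packet filter written in Python. The addresses, the policy and the sample packets are constructed for illustration. The filter decides on protocol, addresses and destination port only; the payload is carried along but never examined, which is why FTP commands sent to the web port and hand-typed commands sent to the SMTP port both pass, while Telnet on its default port is blocked.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str        # source IPv4 address
    dst: str        # destination IPv4 address
    dport: int      # destination port
    payload: bytes  # present on the wire, but a packet filter never looks at it


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: Optional[str] = None  # None matches any protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        # Only the header fields take part in the decision.
        return ((self.proto is None or self.proto == pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


# Constructed policy for a hypothetical public web/mail host at 203.0.113.10.
# First match wins; the final catch-all makes the policy default-deny.
POLICY = [
    Rule("allow", "tcp", dst="203.0.113.10/32", dport=80),   # web
    Rule("allow", "tcp", dst="203.0.113.10/32", dport=25),   # mail
    Rule("deny", "tcp", dport=23),                           # telnet at its default port
    Rule("deny"),                                            # everything else
]


def filter_packet(pkt: Packet, policy=POLICY) -> str:
    """Return the action of the first rule that matches the packet headers."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed sample traffic from an outside host (198.51.100.7).
SAMPLES = {
    "web": Packet("tcp", "198.51.100.7", "203.0.113.10", 80,
                  b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # FTP protocol spoken on the port that is open for HTTP.
    "ftp_over_80": Packet("tcp", "198.51.100.7", "203.0.113.10", 80,
                          b"USER anonymous\r\nPASS guest@\r\n"),
    # Telnet at its default port: blocked by the explicit rule.
    "telnet_23": Packet("tcp", "198.51.100.7", "203.0.113.10", 23, b"\xff\xfb\x18"),
    # A telnet client connected to the SMTP port, typing commands at the mail server.
    "telnet_to_smtp": Packet("tcp", "198.51.100.7", "203.0.113.10", 25,
                             b"HELO attacker\r\nVRFY root\r\n"),
}


def evaluate_samples(policy=POLICY) -> dict:
    """Decision for each sample packet; the payloads above never influence the result."""
    return {name: filter_packet(pkt, policy) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, action in evaluate_samples().items():
        print(f"{name:16} -> {action}")
```

The two "allow" results for ftp_over_80 and telnet_to_smtp are the point: the policy is correct for what a packet filter can express, and still lets both through.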

Generation Two – Application Proxy Generation

In the last several years we have seen the emergence of a new type of firewall that still uses NAT and packet filtering at the lower layers of the Open Systems Interconnection (OSI) model. What is new is the Application Proxy method, which addresses the problems facing Generation One firewalls at the highest layer of the OSI model.

Today’s Firewall Solution Matrix

Protocols / Applications   OSI Model Layer   OSI Model Description   Firewall Generation
DNS, FTP, HTTP, etc.       7                 Application             Application Proxy
                           6                 Presentation
                           5                 Session
TCP / UDP                  4                 Transport               Packet Filter
IP                         3                 Network                 Packet Filter
                           2                 Data Link
                           1                 Physical

- Application Firewall / Application Proxy Firewall: In an application proxy firewall, all packets are stopped at the firewall or proxy server (a special type of firewall usually built for a particular application). The packets are then checked for their source and destination addresses, protocol type and port numbers, and sometimes even the contents of the payloads and the commands they carry. If the packets pass the inspection, the firewall reconstructs them and sends the reconstructed traffic on to its destination. Again, there are several different implementations of this method. Since no original packet is ever forwarded, Generation Two firewalls prevent attacks that exploit weaknesses in the TCP/IP protocols themselves, which were never designed with security in mind. Moreover, this method allows the firewall to perform the deep inspection that the packet-filtering method cannot.

Unfortunately, not all application proxy firewalls implement the full application proxy as described above for every protocol and application. Most only do so for popular applications like HTTP, SMTP, etc. Even with well-known ones like HTTP, Generation Two firewalls don’t always cover every application that can tunnel through. One reason is that so many applications are now built on top of HTTP. HTTP is used to deliver much more than ordinary web site content: it also carries radio and video streams, VPN tunnels, peer-to-peer file exchange, music swapping and other applications that may not be desirable on an organization’s network.
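The inspection step described above, together with the HTTP tunnelling problem, as an added example in Python (not code from the original article). The inspector stands in for the parsing stage of an HTTP application proxy: it parses the request, enforces a constructed policy (only GET, HEAD and POST; origin-form request targets; exactly one Host header; unambiguous message framing) and rebuilds the request from the parsed fields, so the original bytes are never forwarded. The host names and sample requests are constructed. Note the last sample: a well-formed POST carrying arbitrary bytes is forwarded, because a proxy that inspects only the protocol cannot tell a tunnel from a legitimate upload.

```python
import re

# Constructed policy for a hypothetical proxy in front of a web server.
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}
# Origin-form only: "CONNECT host:port" and absolute URIs fail this pattern.
REQUEST_LINE = re.compile(rb"^([A-Z]+) (/\S*) HTTP/1\.[01]$")
HEADER_LINE = re.compile(rb"^([A-Za-z0-9!#$%&'*+.^_`|~-]+):[ \t]*(.*?)[ \t]*$")


class ProxyReject(Exception):
    """Raised when the proxy drops a request; the origin server never sees it."""


def inspect_http_request(raw: bytes) -> bytes:
    """Parse and validate a request, then return the rebuilt bytes to forward."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ProxyReject("no complete HTTP request head")
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if m is None:
        raise ProxyReject("request line is not origin-form HTTP")
    method, target = m.group(1), m.group(2)
    if method not in ALLOWED_METHODS:
        raise ProxyReject("method %s not permitted" % method.decode())

    headers = []
    for line in lines[1:]:
        hm = HEADER_LINE.match(line)
        if hm is None:
            raise ProxyReject("malformed header line")
        headers.append((hm.group(1), hm.group(2)))
    lower_names = [name.lower() for name, _ in headers]
    if lower_names.count(b"host") != 1:
        raise ProxyReject("exactly one Host header is required")

    # Framing: one Content-Length at most, no Transfer-Encoding, body length must agree.
    lengths = [value for name, value in headers if name.lower() == b"content-length"]
    if len(lengths) > 1 or b"transfer-encoding" in lower_names:
        raise ProxyReject("ambiguous message framing")
    if lengths and not lengths[0].isdigit():
        raise ProxyReject("Content-Length is not a number")
    declared = int(lengths[0]) if lengths else 0
    if declared != len(body):
        raise ProxyReject("body length does not match Content-Length")

    # Reconstruct from the parsed fields; the client's bytes are never forwarded as-is.
    rebuilt = b"%s %s HTTP/1.1\r\n" % (method, target)
    rebuilt += b"".join(b"%s: %s\r\n" % (name, value) for name, value in headers)
    return rebuilt + b"\r\n" + body


def proxy_verdict(raw: bytes) -> str:
    """'forward' if the request is rebuilt and passed on, otherwise the rejection reason."""
    try:
        inspect_http_request(raw)
        return "forward"
    except ProxyReject as exc:
        return "reject: " + str(exc)


# Constructed sample traffic arriving on the web port.
SAMPLES = {
    "plain_get": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "ftp_on_port_80": b"USER anonymous\r\nPASS guest@\r\n",
    "trace_method": b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "connect_tunnel": b"CONNECT ssh.example.net:22 HTTP/1.1\r\nHost: ssh.example.net:22\r\n\r\n",
    # Valid HTTP whose body is arbitrary data: indistinguishable from an upload.
    "post_tunnel": (b"POST /sync HTTP/1.1\r\nHost: www.example.com\r\n"
                    b"Content-Length: 4\r\n\r\n\x00\x01\x02\x03"),
}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:16} -> {proxy_verdict(raw)}")
```

The FTP commands that sailed through the packet filter are rejected here because they are not HTTP at all; TRACE and CONNECT are rejected by policy. The post_tunnel sample is forwarded, which is exactly the residual gap the paragraph describes.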

Another issue is that not all traffic is cleartext on which the firewall can conduct deep inspection. So how does a firewall inspect what is inside encrypted HTTP traffic? The answer is that 99.99 percent of today’s firewalls can’t. How does a firewall know that a secure shell (SSH) session is doing what it is supposed to do? It doesn’t. Routinely, other services are tunneled through SSH, and thereby through these firewalls.

So couldn’t one conclude that such a network is only as secure as its SSH and HTTPS authentication, since whoever can authenticate to those services has a channel the firewall cannot see into? The simple answer is yes. As I like to say, a firewall is only as secure as its weakest link.
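What a firewall can and cannot see in an encrypted session, as an added example in Python (not code from the original article). The block builds a TLS 1.2 ClientHello carrying a Server Name Indication extension (constructed bytes; the client random and the two cipher suites are placeholders) and an application-data record standing in for ciphertext, then parses both the way an inspecting firewall would. The handshake yields the destination host name and the offered cipher suites; the application-data record yields nothing but its length.

```python
import struct

# Handshake and record constants from the TLS record layer.
RECORD_HANDSHAKE = 0x16
RECORD_APP_DATA = 0x17
HS_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(server_name: str) -> bytes:
    """Constructed TLS 1.2 ClientHello record with an SNI extension (example data only)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name       # host_name type, length, name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    cipher_suites = struct.pack("!HHH", 4, 0xC02F, 0xC030)           # length, then two suites
    client_random = bytes(range(32))                                  # placeholder, not random
    body = (b"\x03\x03" + client_random + b"\x00"                    # version, random, empty session id
            + cipher_suites + b"\x01\x00" + extensions)               # one compression method (null)
    handshake = bytes([HS_CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    return bytes([RECORD_HANDSHAKE, 3, 1]) + struct.pack("!H", len(handshake)) + handshake


def inspect_tls_record(record: bytes) -> dict:
    """Report everything an inspecting device can learn from one TLS record."""
    content_type, major, minor, length = struct.unpack("!BBBH", record[:5])
    payload = record[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record")
    info = {"content_type": content_type, "bytes": length, "sni": None, "cipher_suites": []}

    if content_type == RECORD_APP_DATA:
        info["verdict"] = "application data: encrypted, contents opaque to the firewall"
        return info
    if content_type != RECORD_HANDSHAKE or not payload or payload[0] != HS_CLIENT_HELLO:
        info["verdict"] = "not a ClientHello"
        return info

    # Walk the ClientHello: handshake header (4), client version (2), random (32).
    pos = 4 + 2 + 32
    session_id_len = payload[pos]
    pos += 1 + session_id_len
    suites_len = struct.unpack("!H", payload[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", payload[pos + i:pos + i + 2])[0] for i in range(0, suites_len, 2)]
    pos += suites_len
    comp_len = payload[pos]
    pos += 1 + comp_len
    ext_total = struct.unpack("!H", payload[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    sni = None
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", payload[pos:pos + 4])
        pos += 4
        ext_data = payload[pos:pos + ext_len]
        pos += ext_len
        if ext_type == EXT_SERVER_NAME:
            # server_name_list length (2), name type (1), name length (2), name
            name_len = struct.unpack("!H", ext_data[3:5])[0]
            sni = ext_data[5:5 + name_len].decode("ascii")
    info.update(sni=sni, cipher_suites=suites,
                verdict="handshake metadata only: destination name and offered ciphers are visible")
    return info


# Constructed records: the handshake, and 24 bytes of stand-in ciphertext.
CLIENT_HELLO = build_client_hello("www.example.com")
APP_DATA = bytes([RECORD_APP_DATA, 3, 3]) + struct.pack("!H", 24) + bytes(range(200, 224))


if __name__ == "__main__":
    for rec in (CLIENT_HELLO, APP_DATA):
        print(inspect_tls_record(rec))
```

The same reasoning applies to SSH: the version banner and key exchange are visible on the wire, the channel contents are not. The host name in the ClientHello is the best an inspecting firewall gets from a TLS session it does not terminate, and where the Encrypted Client Hello extension is in use even that disappears.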

Firewall Architecture Design

A typical firewall has three or more interfaces: Outside (connected to the Internet), DMZ (connected to the service network) and Inside (connected to the internal network).

The DMZ (De-Militarized Zone) takes its name from the military term for a buffer zone between two opposing forces. The purpose of a DMZ is to separate the public’s services from the internal services. If a DMZ host is compromised, the internal resources remain protected, provided the policy between the DMZ and the inside is as restrictive as the policy from the outside.

Remember: you must always assume that attackers will get through at some point. By setting up a DMZ we reduce the attack surface exposed to them, and we limit what a compromised public server can reach. The services typically hosted in the DMZ are DNS, Web (HTTP), FTP and SMTP servers.

From a firewall policy point of view, it’s not good enough to think only about preventing attacks from outside the firewall, or even from the DMZ networks. A firewall design should also consider attacks from inside the firewall. Further still, a good defense should assume that the attacker is already inside.

Do not assume that everyone inside of the firewall can be trusted.

Having a way to continually track the activity on a firewall is critically important. This is probably the most ignored aspect. Most firewalls are never monitored, and those that are often keep logs insufficient for an audit trail. Almost all appliance firewalls lack the disk space to keep logs detailed enough to monitor, troubleshoot and audit. A separate logging server can be set up for these appliance firewalls, but the majority of organizations have yet to do so. These organizations are taking huge risks.
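A three-interface zone policy with an audit log, as an added example in Python (not code from the original article). The address ranges, the permitted services and the sample flows are constructed. The policy is default-deny between zones, has no rule at all from the DMZ to the inside (so a compromised DMZ host reaches nothing internal), restricts inside-originated traffic as well, and records every decision as a structured log line so that denied flows can be audited later.

```python
import json
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for a hypothetical three-interface firewall.
# Dict order matters: the most specific zone is checked first, outside is the catch-all.
ZONES = {
    "inside": ip_network("10.0.0.0/8"),
    "dmz": ip_network("192.0.2.0/24"),
    "outside": ip_network("0.0.0.0/0"),
}


def zone_of(ip: str) -> str:
    """Map an address to the firewall interface it belongs to."""
    addr = ip_address(ip)
    for zone, net in ZONES.items():
        if addr in net:
            return zone
    raise ValueError(ip)


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


# Zone policy as (from, to, proto, permitted ports). Anything not listed is denied.
# There is deliberately no (dmz -> inside) entry of any kind.
POLICY = [
    ("outside", "dmz", "tcp", {25, 53, 80}),   # published services only
    ("outside", "dmz", "udp", {53}),
    ("dmz", "outside", "tcp", {25}),           # outbound mail relay
    ("dmz", "outside", "udp", {53}),           # resolver
    ("inside", "dmz", "tcp", {22, 25, 80}),    # administration and service access
    ("inside", "dmz", "udp", {53}),
    ("inside", "outside", "tcp", {80, 443}),   # the inside is not trusted either
]

AUDIT_LOG = []  # one JSON line per decision; a real deployment ships these to a log server


def decide(flow: Flow) -> str:
    """Allow or deny a flow between zones, logging the decision either way."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    action = "deny"
    if src_zone != dst_zone:
        for frm, to, proto, ports in POLICY:
            if (frm, to, proto) == (src_zone, dst_zone, flow.proto) and flow.dport in ports:
                action = "allow"
                break
    AUDIT_LOG.append(json.dumps({
        "action": action, "src_zone": src_zone, "dst_zone": dst_zone,
        "proto": flow.proto, "src": flow.src, "dst": flow.dst, "dport": flow.dport,
    }, sort_keys=True))
    return action


def denied_entries() -> list:
    """Log lines for denied flows, the ones an auditor wants to see first."""
    return [line for line in AUDIT_LOG if json.loads(line)["action"] == "deny"]


# Constructed flows covering each direction the text discusses.
SAMPLES = {
    "internet_to_dmz_web": Flow("tcp", "198.51.100.7", "192.0.2.10", 80),
    "internet_to_inside_smb": Flow("tcp", "198.51.100.7", "10.1.1.5", 445),
    "compromised_dmz_to_inside_db": Flow("tcp", "192.0.2.10", "10.1.1.5", 3306),
    "admin_ssh_to_dmz": Flow("tcp", "10.1.1.5", "192.0.2.10", 22),
    "inside_smb_to_internet": Flow("tcp", "10.1.1.5", "198.51.100.7", 445),
}


def run_samples() -> dict:
    return {name: decide(flow) for name, flow in SAMPLES.items()}


if __name__ == "__main__":
    for name, action in run_samples().items():
        print(f"{name:30} -> {action}")
    print("\n".join(denied_entries()))
```

The compromised_dmz_to_inside_db flow is the one the DMZ exists for: the web server has been taken over, and the policy gives it no path to anything internal, while the log line records the attempt.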

Do not allow clients to connect directly to the real server without going through an application proxy first.

Do not depend solely on a perimeter firewall or firewalls to protect your network.  Learn more about our Air-Tight, Multi-Layer IT Security Defense Systems.

 

By Benson Yeung, Senior Partner

© Copyrights Triware Networld Systems, L.L.C. ® 1991-2008