Network Security: Firewalls


Table of Contents


Introduction - What is Network Security?

Network security involves any and all countermeasures taken to protect a network from threats to its integrity. As modern networks have continued to grow and as more and more networks have been connected to the public Internet, the threats to the integrity and privacy of a company's networks have also grown. The attacks that are made on a network are increasingly more complex and pervasive, and the tools used for such purposes are easy to acquire. For example, anyone can log on to an Internet search engine and perform a search on hacking and be presented with an immense amount of sites that offer information and tools on hacking. Therefore, the need for network security is obvious. But what exactly is involved in a good network security policy?

A network security plan should be as comprehensive as possible. This not only includes physical aspects, such as locating your servers in a secure room, use of fault tolerance and power protection, but also includes all the steps taken to protect the data on your network. This would include setting up user accounts and passwords, setting permissions and access rights, the use of encryption for sensitive data, virus monitoring, and intrusion detection, to name just a few of the critical elements involved. And if your network is connected to any other networks, such as the Internet, then your network security plan should also include the implementation of a firewall. But what exactly is a firewall, exactly who should use it, and how does it work?

Back to Top

What is a Firewall?

The term firewall is used to refer to any hardware or software that acts as a barrier between connected networks. According to the white paper on firewalls by Evident Solutions, "it wasn't until 1992 that the term "firewall" was first applied to a system or group of systems that enforced a security policy between two networks" (www.evidentsolutions.com). A firewall filters the traffic flowing between an internal private network (trusted) and an external public network (untrusted) in order to protect the internal network. It is interesting to note that a firewall not only protects the internal network from attacks from the outside, but it also filters what data can leave the network as well.

Trusted and Untrusted Networks

What are "trusted" and "untrusted" networks? According to Network Associate's white paper, Understanding Firewall Concepts and Components, trusted networks are defined as "the networks inside your security perimeter, and are usually the networks you are trying to protect." It defines untrusted networks as "the network's outside your security perimeter. They are untrusted because they are often beyond your control." In other words, untrusted networks are those that may offer services or information that you need to access, but because you are not in control of administering these networks, they are "untrusted" in the sense that you limit the communications between them and your network. An example of this might be a client network you connect to gain access to certain information. There are also "unknown" networks, which would include any network not specifically defined in your firewall's configuration, which would include the majority of the networks you visit on the Internet.

A firewall generally has at least two interfaces in order to connect your internal network to external networks, the "inside" interface, which connects to your internal LAN, and the "outside" interface, which connects to your router or Internet connection. There may also be additional interfaces, such as a demilitarized zone. Most high end firewalls include support for multiple interfaces, which is often necessary for today's large enterprise networks.

Who needs to use a Firewall?

Chances are, you probably already know that EVERYBODY who connects their network to any other network needs to include a firewall as part of their network perimeter security strategy. So why mention this again here? Because there are still many misconceptions that lead some to believe that nobody would be interested in attacking their network. However, notice some of the statistics that the Computer Security Institute and the U.S. Federal Bureau of Investigation have published about computer crime from a recent survey:

  • 73% of computer systems were reported as being penetrated by outside hackers.
  • 26% reported that proprietary information was stolen.
  • From this information, they estimate that, on average, a corporate network is attacked 12 to 15 times a year.
    (Statistics cited from www.axent.com and www.network-1.com)

Obviously, there is still a need for an increased level of awareness regarding network security. No site should ever feel completely immune to attacks. Therefore, this paper will discuss the various types of technologies that different types of firewalls use (including the advantages and disadvantages of each), as well as provide a brief overview of various high-end firewall systems available from ComTest Technologies in order to help you implement the best possible firewall solution.

Back to Top

How does a Firewall work?

As mentioned earlier, a firewall filters the traffic between your internal network and external networks, applying security policies in order to protect your network. There are various ways that a firewall can do this. The most popular technologies include packet filtering, application level proxies (also referred to as application level gateways, although there is a slight technical differenc in definition, the two terms are generally used interchangeably), and stateful inspection systems. These are discussed in further detail below.

Firewall Technologies

  • Packet Filtering

    This is the most basic means of implementing a firewall. It is a basic feature of routers and computers that are set up to route. Basic packet filtering is based on the information contained in the Layer 3 (IP) header of a packet. Decisions on security are based on the following criteria:

    • Source address
    • Destination address
    • Protocol being used (TCP, UDP, etc.)
    • Port number (21, 23, 80, etc.)

    By configuring a router with a table of filters, this information can be used to either pass or block packets that flow through the router. If a connection request meets the criteria of the filter, then it is allowed to pass, otherwise it is blocked. In this way, packet filters look at the source and destination addresses and leave certain ports either open or closed. The advantage of this is that packet filtering is very fast. However, because the filters are based on static entries, this form of firewall offers the least flexibility and security. There is no way that the validity of a request can be verified in the context of the connection, and various ports are left open to trojan horses or attacks that use IP spoofing. So although this was the original and most inexpensive form of implementing a firewall, most of today's modern networks cannot rely on packet filtering alone to protect their networks. In order to provide the most flexible, secure protection against modern network attacks, application level proxies and stateful inspection systems have come into existence.

  • Application-level Proxies

    According to Webster's New World College Dictionary, proxy is defined as "the authority to act for another." This is the principle behind firewalls that use application-level proxies, or gateways. Instead of operating at a lower level of the protocol stack, these operate at the application layer of the OSI model. Services that are made possible by the application layer include e-mail, file transferring, web browsing, etc. A suite of proxies, including a proxy for each of the protocols (such as POP, FTP, HTTP, etc.) that support these services, fully understands the various protocols and acts in behalf of the services. In order for a connection to be authorized, the whole data stream is inspected. Not only are things like IP addresses in the packet heading verified, but the payload is also checked to see if it contains valid data and that the data belongs to the application. Rules are applied at the application layer, and if the data or the request does not meet the criteria of these rules or if the data just doesn't make sense, then the connection is denied. Every packet is processed, validated, and re-generated by the proxy. This means that applications are not allowed to talk directly to each other, and as a result, this form of firewall is extremely secure and effective, even against application-level attacks. This means that a hacker would not be able to construct data packets that appear to have valid info at the other layers and that pass other inspections, but that actually contain harmful commands in the payload that could harm your network.

    Application-level proxies, or gateways, also make use of NAT (Network Address Translation), which hides your internal network's IP addresses from those on the outside. Instead, all of the traffic that originates inside your network is given the IP address of your firewall (in some cases, the packets may receive a public IP address that is different from your firewall's, but that are used only for that purpose). The firewall keeps track of which packets belong to the different computers on your internal network, and forwards these accordingly. This provides additional protection, since it keeps the IP addresses of your "trusted" network hidden from the eyes of anyone who might have malicious intent.

  • Stateful Inspection

    Lucent Technologies Overview of Firewall Technologies states that "firewalls implementing stateful packet filtering functions screen the data being communicated at one or more layers... to verify that the application is behaving as expected." Stateful inspection uses basic packet filtering, but increases the level of security by also checking that packets belong to a connection and are verified in the context of that connection. If a packet does not match the criteria of a particular session, then the connection is blocked. The difference between this and application-level proxies is that the data of the payload is not actually processed, but only screened based on context. The firewall keeps track of a session and looks to find anything suspicious or incorrect. For example, if during an FTP session the port numbers being used or an IP address were to change, then the firewall would not allow the connection to continue. Also, when a particular session is complete, any ports that were being used are then closed. This means that stateful inspection systems can dynamically open and close ports for each session. This differs from basic packet filtering, which leaves ports in a continuously opened or closed state.

Back to Top

Proxy vs. Stateful - Which one is better?

Although basic packet filtering can be the fastest and cheapest form of a firewall, in most cases it is not secure enough, nor does it offer enough protection against today's security threats. Although IP addresses are checked, attacks that use IP spoofing can still take advantage of open ports. Generally, this basic functionality of routers needs to be enhanced by means of an application-level proxy or stateful inspection system. But which one is better?

Obviously, there are advantages and disadvantages of each. For example, an application-level proxy can process every part of the packet, which means that it is extremely secure. However, this also makes it very processor intensive, meaning that if implemented with an inadequate amount of hardware, it can create a bottleneck on your network's traffic. On the other hand, stateful inspection does less processing and can therefore offer more speed. But because it does not look at or understand all of the info contained in a packet at the higher layers, it does not offer as much security. Not only that, but according to Axent Technologies, "[the] rules must be implemented in the proper order to work as intended. If they are not, the filtering process may actually allow unwanted packets into the protected network." So when does speed outweigh security? What type of firewall should be used?

Summarizing the debate, Joel Snyder, a writer for Network World, said, "Packet filtering (stateful or not) was formerly thought to be faster and more flexible because packets pass through packet filters based on header information at a lower level of the protocol stack... [whereas] application proxies, which interpret packet information on the application level, were thought to be more secure because the firewall actually understood and retransmitted application commands." However, he further stated that "a combination of the two is needed: packet filtering for speed and flexibility in applications that don't require proxying, and proxying for applications such as HTTP in which you want to look in the datastream and let some, but not all, data through." Indeed, today's network needs and security threats require that a firewall be extremely flexible, efficient, and yet secure. An overview of two high end firewalls that provide just that and that are offered by ComTest Technologies is provided below.

Back to Top

Overview of Gauntlet and Raptor

ComTest Technologies provides security consulting and solutions for both UNIX and Windows environments. An overview of two of our most effective and secure solutions is provided below in order to help you secure your network's perimeter. In addition, feel free to contact one of ComTest's security specialists at (808) 831-0600 to find out more about security and for assistance in choosing which firewall is best for your network.

  • Network Associate's Gauntlet Firewall

    Gauntlet offers application-level security services by acting as a communications gateway for all hosts within the perimeter of your network. It also combines the flexibility and speed of network-level security services between network interface drivers and the TCP/IP stack. This means that things like uncontrolled IP packet forwarding, source routed packets, or ICMP redirects, are not allowed. And for situations where the security requirements are not as stringent but the needs for speed are, Gauntlet includes network-level security in the form of an IP screening feature that can be configured to check IP packets based on several criteria. It is fully auditable, controllable, and configurable, and comes with a full array of management utilities.

    For a complete overview of Gauntlet, visit www.nai.com, visit our Staff Directory, or call (808) 831-0600 to speak with one of ComTest's security specialists.

  • Symantec's (AXENT) Raptor Firewall

    Raptor firewall forms a virtual brick against all forms of attack, from internal as well as external sources. By means of explicit rules, set by the administrator, Raptor authorizes all connection attempts by applying these rules at the application level. In addition, it is especially suspicious. As a default setting, it denies any connections not explicitly allowed by a rule. A full range of criteria can be incorporated, giving you a very comprehensive security policy that is tailored to your network's specific needs. And it provides all of this without compromising your network's performance, being capable of throughputs of a fully saturated T3 line at 45 Mbps or greater. And for traffic that is not as dependent on security, packet filters can be created on a per-interface basis.

    They also offer a firewall appliance based on a hardened Linux kernel, the VelociRaptor.

    For a complete overview of Raptor, visit www.symantec.com, visit our Staff Directory, or call (808) 831-0600 to speak with one of ComTest's security specialists.

What about host based intrusion detection, URL blocking and content filtering? ComTest offers a variety of fully integrated solutions, such as BlackICE Defender and the ICE Cap console, WebSense, and eSecurity that can be combined with your firewall for maximum protection. Visit our Product Line List or contact us in order to find out more.

Back to Top

Conclusion

As more and more businesses go online, and as LANs and WANs continue to be interconnected, the need for a comprehensive security solution and policy will continue to be a necessity. The tools, technology, and knowledge available to those who do not have your network's best interests at heart (in other words, hackers) will also continue to grow. So, although a firewall is only one part of your overall security plan, it is certainly a very fundamental and essential part of the foundation on which your network security is based.

Additional Security Links:

Additional Security Resources:

Back to Top


References

This page was written by Will Twiggs, an associate with ComTest Technologies, Inc. For more information or if you have questions about this material, you can contact the author at william@comtest.com

Stateful Inspection versus Proxy Servers by Derek Pence

Overview of Firewall Technologies by Lucent Technologies, Inc.

Has security reached uncharted waters? by Chris DeVoney @ www.zdnet.com

Everything you need to know about network security @ www.axent.com

Firewall choices growing at feverish pace by Joel Snyder

Understanding firewall concepts and components @ www.nai.com

A Security White Paper @ www.network-1.com


This page created by Will Twiggs
Best viewed at "800x600" using MS IE 4+
Last updated on 01/15/2000