Security

Basic principles of network security, part 3: Stop the fire from spreading

Chris Dinsmore examines different types of firewalls and discusses both their advantages and disadvantages.


In part 1 and part 2 of this series, I’ve dealt with information security at the intellectual level—defining a policy, planning a general structure, obtaining management involvement, and preparing our users. Now, it’s time to get physical.

At this point, you need to determine your specific needs and find the best security solutions for your project. In this Daily Drill Down, I’ll cover some hardware and software options and tell you how to wade through them and decide what’s best for your project.

What do you need?
Once again, before I get into the details, I’m going to make my full disclosure disclaimer. I work for a company that sells, services, and supports some of the products about which I’ll be talking. I promise that I’ll always give you my unbiased opinion, and I’ll back up any statements I make.

To a large extent, your security policy defines the products that you should purchase. To keep unauthorized external users out, you need some type of firewall system. To keep unauthorized internal users away from sensitive information, you need some type of user access control system. To allow some users here, some there, and some everywhere, you need some type of user management. And of course, if you have multiple locations and/or remote users, you probably need some type of encryption or VPN capability, as well. Within this broad specification, a lot of options are available. There are three major types of firewall—some of which have user management and access control functionality—from over ten major and dozens of minor vendors. Let’s go over some of our options.

Firewalls
A firewall keeps the outside world (Internet) out and the inside world in, but it allows for information exchange between the two, based on a structured set of rules.

There are three major categories of firewall: packet filters, application layer gateways, and stateful inspection firewalls. We’ll examine each category.

Packet filters
Packet filters block the passage of information from one side of the firewall to the other by looking at the header of every packet and matching it against a set of simple rules. Essentially a router with security features, packet filters usually can control information flow by protocol, port, source, and destination, and they have little or no authentication, user access control, or user management functionality. Some packet filters have VPN and encryption functionality; however, that functionality is usually very basic and not compatible with systems provided by other vendors.

Packet filter firewalls have a few distinct advantages. Hardware-based packet filters are generally the fastest of all security platforms, having little effect on your network’s performance. Packet filters are generally the most stable firewalls. Also, most packet filters are easy to configure and maintain. Although no security platform is “plug and play,” hardware packet filters come pretty close to it. Packet filters are often the least expensive security platforms, too.

Unfortunately, packet filters are considered the least secure of the major firewall types because they offer little protection against advanced attacks and have limited features for handling users, custom protocols, remote management, and other options provided by other firewalls. Since packet filters monitor only the network layer, they are highly susceptible to IP spoofing, denial-of-service attacks based on malformed packets (like the “ping of death”), and SYN flood attacks.

Packet filter type firewalls would be typified by the Cisco PIX series of dedicated hardware security platforms and the various security modules for switches and routers. Software-based packet filtering is available for all major network operating systems at little or no cost. IPChains, FW, and the majority of the available firewall software for the Free UNIX-based operating systems (for example, FreeBSD and Linux) fall into this category, though they offer some of the additional functionality of the other two types of firewall.

Application layer gateways
Also known as secure proxies, application layer gateway firewalls are software based and run on general-purpose hardware with popular network operating systems. They are the most common type of firewall, and vendors offer dozens of options.

No generic set of features or functionality exists with an application layer gateway. However, the general market trends show that the more features you have, the more expensive the software gets. Software can range in cost from free to upwards of $30,000, depending on the feature sets and the scale of your installation.

Basic application layer gateway software is available for all popular network operating systems at little or no cost. This basic software doesn’t include any support for encryption, remote management, user management, or the features that other firewalls provide. Microsoft Proxy, Black Ice, SSQUID, and several of the freeware UNIX-based firewalls fall into this category.

Advanced application layer gateway software, on the other hand, provides significant additional functionality. It may natively support streaming media protocols, such as RealAudio, and it may be able to provide Web and e-mail proxy services. Typically, user management will be integrated, and encryption and VPN functionality are often available. BorderWare, Axent Eagle (formerly Raptor), and NAI Gauntlet are good examples of advanced application layer gateways.

Application layer gateways offer several advantages over packet filters. A packet filter is only able to enforce rules based on network layer information, such as protocol, port, source, and destination. Since application layer gateways are able to view the contents of a packet, they have a much greater level of control. For example, they can filter Web sites based on content or scan e-mail for viruses. The application layer gateway also can provide enhanced logging services over a packet filter, even to the point of logging network usage per user and logging the Web sites that the user visited.

Unfortunately, these gateways have some disadvantages. In a proxy-based architecture, packets are transported up the network stack, through the kernel, and up into user space. The software then processes the information and sends it back down the network stack. As a result, this type of firewall depends heavily on OS stability, performance, processor utilization, memory, and hard drive speed. It becomes a bigger issue when encryption is involved because encryption adds a large amount of processing overhead. Also, application layer gateways provide no protection against common network layer denial-of-service or teardrop attacks.

There is an additional disadvantage: A lot more configuration is required on the part of administrators. Since it’s a proxy server, all of your users’ systems have to be reconfigured to use it for proxy services. Since many applications don’t support proxy connections, you must either change applications or open up holes in your firewall to use those applications.

Stateful inspection firewalls
The final type of firewall—and the type that I consider the most secure and the most versatile—is the stateful inspection firewall. This type of firewall provides most of the functionality of packet filters and application layer gateways combined. And stateful inspection firewalls have an additional advantage: They keep information about the state of network connections through them in what is called a state table.

A properly designed stateful inspection firewall operates in an entirely different way from the other two types of firewall. It’s a little difficult to explain, but I’m going to oversimplify it so that you won’t have to wade through a 30-page explanation of how stateful inspection works.

Let me try to illustrate it. Say that Bob enters a URL and requests a page from a Web site. A stateful inspection firewall records that Bob’s computer has requested a particular file from www.techrepublic.com. It stores this information in a state table and waits for the Web site to respond. Then, when www.techrepublic.com sends the page in response, the firewall will allow it in and forward it to Bob’s computer.

To allow this exchange to take place with other types of firewalls, you’d need to make a rule allowing Bob to send out an HTTP request and another rule to allow HTTP responses in to Bob. Since a stateful inspection firewall knows to let the response back in, you don’t need to open up an incoming response port.

It may not seem like a very big deal when you’re dealing with HTTP, but change that protocol to Telnet, and you have an entirely different picture.

So, how does it work?

To explain this question, I’ll have to go into a little operating system structure. Bear with me. I’m going to use an explanation that’s specific to a particular product, which I usually don’t like to do.

CheckPoint FireWall-1 is the leading stateful inspection firewall in the world, with nearly a 100 percent market share. It’s considered the industry standard for this class of firewall. And more important, its architecture allows me to illustrate this type of firewall.

In most operating systems, you have a kernel, which is the most highly protected set of processes in your computer. First, the kernel, which operates with the highest priority, is assigned resources. The kernel controls all the other processes, and they interface with it in some way. The kernel also interfaces with your hardware through programs called device drivers.

In the case of an OS that’s specifically designed for networking (both UNIX and NT qualify), there is a process called a network wrapper, which sits in between the kernel and the device driver for your network interfaces. The network wrapper controls communications between the networking subsystem and the rest of the operating system, and it contains the network protocol stacks and the IP forwarding subsystem for routing.

FireWall-1 modifies this model, with a shim in between the network drivers, the network wrapper, and the kernel. This shim drops, rejects, or accepts packets, providing basic packet filtering services without using a significant amount of the operating system’s resources. This shim also interfaces with other processes providing such services as encryption, user management, logging, bandwidth management, load balancing, and high availability.

The advantage to this modification, in addition to performance benefits, is that packets are dropped before they have a chance to take advantage of any bugs in the network stack or core operating system. Those network-based attacks I called vulnerabilities of proxies don’t affect this type of firewall. A stateful inspection firewall has much of the stability and speed of a packet filter. Also, since the stateful inspection firewall architecture provides services above the network layer, it can do some of what a proxy firewall can do.

Stateful inspection firewalls have some disadvantages. First, although they are faster than application layer gateways, they don’t provide all the speed of a packet filter. And like proxy firewalls, they depend heavily on the stability of the underlying operating system.

Stateful inspection firewalls also don’t provide the same proxy services that application layer gateways do. If you have applications that require or work best with proxy services (RealAudio, for example), you won’t be able to do the same things.

Finally, stateful inspection firewalls are complicated and difficult to program, debug, maintain, patch, and configure. Consequently, they tend to be the most expensive firewall systems, both in software cost and in administrative training.

A typical stateful inspection firewall configuration will start at $10,000 and can extend into the hundreds of thousands of dollars, whereas a packet filter will generally max out at $20,000 and an application layer gateway at $30,000. Even more importantly, an experienced and certified firewall engineer for one of these firewalls is paid upwards of $75,000 a year.

Several options are available for administrators who want stateful inspection firewalls. As I mentioned earlier, the market leader for stateful inspection firewalls is CheckPoint software’s FireWall-1 series of products. FireWall-1 is available for NT, the popular UNIX operating systems, and soon will become available for Linux. FireWall-1 also provides a very interesting additional function: Client VPN. Through a program called SecuRemote, FireWall-1 can provide a fully encrypted VPN between your firewall and all your remote users.

Nokia provides a dedicated high-performance hardware platform by using FireWall-1 stateful inspection architecture and a specially hardened BSD-based operating system that has been optimized for stability and high availability. As an alternative, NetGuard Guardian firewalls provide stateful inspection through an architecture that’s similar to that of FireWall-1 but at a significantly lower cost—though without many of the extra features.

There are also several firewalls that provide stateful inspection. The latest generation of high-end Cisco PIX firewalls, Axent Eagle and NAI Gauntlet firewalls, and the free FW firewall for BSD provide some level of stateful inspection, as do several other products coming to market now.

What a firewall CAN do
A firewall is your first line of defense against the outside world. A properly implemented firewall, enforcing a comprehensive security policy on a secure network with cooperative users, can protect your network from unauthorized users who try to access it via the Internet.

Just as critical as protecting your network from the outside world, a firewall can protect your company’s confidential information from unauthorized users inside your network. Preventing your programmers from changing their salaries may be as important to you as preventing a hacker from altering your Web site.

What a firewall CAN’T do
Take careful note: A firewall does not provide you with total security—it’s only the first line of defense. Too often I hear people say, “Oh we’re perfectly secure; we have a firewall.” A firewall cannot protect your network from malicious authorized users. If a user is allowed access, a firewall can’t protect your network from that user.

It’s fairly common to have a RAS server that allows your employees to access your network when they’re on the road. Unfortunately, it’s also fairly common to have that RAS server completely unprotected. Telephone numbers will be disclosed, passwords will be cracked, and someone will gain access to your network through the RAS server eventually. You have to separate the RAS server—along with any other access—from the internal network. If you don’t, you’re just waiting for a disaster.

Finally, a firewall cannot protect you from someone walking in the door, sitting down at a machine, and taking over your network. That may sound silly, but think about it. There may be a lot of unused network ports inside your building. When the building was wired originally, the electricians and cable layers probably didn’t know what your office layout would be. You may not even know about all the ways intruders can access your network physically. I’ve seen network ports inside closets, in basements, in bathrooms, and in reception areas too many times to ignore this threat. I’m going to say it again and again: Your network is only as secure as your building.

Wrapping up
In this drill down, I’ve examined the types of firewall, along with their advantages and disadvantages. In part 4 of this series, I’ll cover the process of buying, installing, and configuring this security system. I’ll discuss dealing with vendors and resellers in an effective and efficient way.

As always, please give me your comments and feedback. If I don’t know what you think, I don’t know what to write.

Chris Dinsmore is a senior network architect for the Salinas Group, a prominent network security services and consultancy organization. He’s certified in several major firewall and network management platforms, and hehas eight years of experience in the support, administration, and security fields. Prior to working with the Salinas Group, he operated a successful MIS and network consulting business for seven years.

The authors and editors have taken care in preparation of the content contained herein, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.

Editor's Picks

Free Newsletters, In your Inbox