WHITE PAPER Network Security: A Simple Guide to Firewalls


Loss of irreplaceable data is a very real threat for any business owner whose network connects to the outside world. Remote access for employees and connection to the Internet may improve communication in ways you’ve hardly imagined. Access to the Internet can open the world to communicating with customers and vendors, and is an immense source of information. But these same opportunities open a local area network (LAN) to the possibility of attack by thieves and vandals and abuse by your own employees.

Figuring out the right amount of security for your network takes some consideration. The first thing to consider is what your data is worth. A quick answer is, “Maybe more than you think.” When you consider the value of your data, remember risks such as legal liability and loss of competitive edge, or the effect of lost production if your network is compromised. Many analysts say very bluntly, “If you are on the Internet, you need a firewall.”

The benefits of connecting to the Internet are clear. This paper discusses the risks you face when you connect to the Internet, describes the types of attacks that can occur, and offers an overview of firewall technology, which can protect your network from hackers. Specifically, the paper discusses the implementation of a firewall and what you should consider in choosing the type of firewall you require.

Why a Firewall—Am I Really at Risk?

Anyone can become a hacker. It doesn’t require a technological whiz kid to wreak havoc on your network. A wide range of tools and utilities can be easily downloaded from the Internet; and with their help, almost anyone can become a competent hacker at the touch of a button.

There are experts who say, “If you are connected to the Internet, you need a firewall.” The decision may not be more complicated than that. However, you’ll probably consider a combination of factors. Start with the basic questions you’d ask about any other security system.

Do I Have Anything Worth Protecting?

Be sure to consider:

• Confidential client, supplier, or employee information that might expose you to a lawsuit if you allow someone else to capture it

• Intellectual property that gives you a competitive edge in the market

• Critical business records that would have to be recovered and/or recreated

It isn’t always safe to assume that no one else wants your data. Some hackers operate on a nonprofit basis. They may capture data or vandalize your system just because they can.

Aren’t My Valuables Already Adequately Protected?

The truth is that if you have valuable electronic property, it may not be as safe as you would like to think it is. You can do a lot to protect your system if you:

• Back up your information every night

• Set up unshared folders behind tough passwords and password rules

• Use your access router or browser to filter incoming traffic from all but trusted sites

Unfortunately, hackers have many sophisticated software tools at their disposal. Given enough time and determination, a skilled hacker may get through the standard safeguards.


CONTENTS

Why a Firewall—Am I Really at Risk?

What Is a Firewall?

Types of Attack

Firewall Technologies

Additional Firewall Features and Functionality

Choosing a Firewall

Designing a Firewall into Your Network

Conclusion


If he does, he can run software programs to break your passwords. If you have valuable data on your network and the network is exposed to outside computers, chances are very good you need a firewall.

What Is a Firewall?

A firewall is a system that enforces an access control policy between two networks—such as your private LAN and the unsafe, public Internet. The firewall determines which inside services can be accessed from the outside, and vice versa. The actual means by which this is accomplished varies widely, but in principle, the firewall can be thought of as a pair of mechanisms: one to block traffic, and one to permit traffic. A firewall is more than the locked front door to your network—it’s your security guard as well.

Firewalls are also important because they provide a single “choke point” where security and audits can be imposed. A firewall can provide a network administrator with data about what kinds and amount of traffic passed through it, how many attempts were made to break into it, and so on. Like a closed circuit security TV system, your firewall not only prevents access, but also monitors who’s been sniffing around, and assists in identifying those who attempt to breach your security.

Basic Purpose of a Firewall

Basically, a firewall does three things to protect your network:

• It blocks incoming data that might contain a hacker attack.

• It hides information about the network by making it seem that all outgoing traffic originates from the firewall rather than the network. This is called Network Address Translation (NAT).

• It screens outgoing traffic to limit Internet use and/or access to remote sites.

Screening Levels

A firewall can screen both incoming and outgoing traffic. Because incoming traffic poses a greater threat to the network, it’s usually screened more closely than outgoing traffic.

When you are looking at firewall hardware or software products, you’ll probably hear about three types of screening that firewalls perform:

• Screening that blocks any incoming data not specifically ordered by a user on the network

• Screening by the address of the sender

• Screening by the contents of the communication

Think of screening levels as a process of elimination. The firewall first determines whether the incoming transmission is something requested by a user on the network, rejecting anything else. Anything that is allowed in is then examined more closely. The firewall checks the sender’s computer address to ensure that it is a trusted site. It also checks the contents of the transmission.

Types of Attack

Before determining exactly what type of firewall you need, you must first understand the nature of security threats that exist. The Internet is one large community, and as in any community it has both good and bad elements. The bad elements range from incompetent outsiders who do damage unintentionally, to the proficient, malicious hackers who mount deliberate assaults on companies using the Internet as their weapon of choice.


3DES Data Encryption Standard (168-bit)

DMZ demilitarized zone

DoS denial of service

FTP File Transfer Protocol

HTTP Hypertext Transfer Protocol

ICSA International Computer Security Association

LAN local area network

NAT Network Address Translation

POP3 Post Office Protocol, Version 3

SMTP Simple Mail Transfer Protocol

TCP/IP Transmission Control Protocol/Internet Protocol

VPN virtual private network

WAN wide area network


Generally there are three types of attack that could potentially affect your business:

• Information theft: Stealing company confidential information, such as employee records, customer records, or company intellectual property

• Information sabotage: Changing information in an attempt to damage an individual or company’s reputation, such as changing employee medical or educational records or uploading derogatory content onto your Web site

• Denial of service (DoS): Bringing down your company’s network or servers so that legitimate users cannot access services, or so that normal company operations such as production are impeded

Attempts to Gain Access

A hacker may attempt to gain access for sport or greed. An attempt to gain access usually starts with gathering information about the network. Later attacks use that information to achieve the real purpose—to steal or destroy data.

A hacker may use a port scanner—a piece of software that can map a network. It is then possible to find out how the network is structured and what software is running on it.

Once the hacker has a picture of the network, he can exploit known software weaknesses and use hacking tools to wreak havoc. It is even possible to get into the administrator’s files and wipe the drives, although a good password will usually foil that effort.

Fortunately, a good firewall is immune to port scanning. As new port scanners are developed to get around this immunity, firewall vendors produce patches to maintain the immunity.

Denial-of-Service Attacks

DoS attacks are purely malicious. They don’t result in any gain for the hacker other than the “joy” of rendering the network, or parts of it, unavailable for legitimate use. DoS attacks overload a system so that it isn’t available—they deny your ability to use your network service. To overload the system, the hacker sends very large packets of data or programs that require the system to respond continuously to a bogus command.

To launch a DoS attack, a hacker must know the IP address of the target machine. A good firewall doesn’t reveal its own IP address or the IP addresses on the LAN. The hacker may think he has contacted the network when he has only contacted the firewall—and he can’t lock up the network from there. Furthermore, when a hacker launches an attack, some firewalls can identify the incoming data as an attack, reject the data, alert the system administrator, and track the data back to the sender, who can then be apprehended.

Firewall Technologies

Firewalls come in all shapes, sizes, and prices. Choosing the correct one depends mainly on your business requirements and the size of your network. This section discusses the different types of firewall technologies and formats available.

Above all, no matter what type of firewall you choose or its functionality, you must ensure that it is secure and that a trusted third party, such as the International Computer Security Association (ICSA), has certified it. The ICSA classifies firewalls into three categories: packet filter firewalls, application-level proxy servers, and stateful packet inspection firewalls.

Packet Filter Firewall

Every computer on a network has an address commonly referred to as an IP address. A packet filter firewall checks the address of incoming traffic and turns away anything that doesn’t match the list of trusted addresses. The packet filter firewall uses rules to deny access according to information located in each packet such as: the TCP/IP port number, source/destination IP address, or data type. Restrictions can be as tight or as loose as you want.

An ordinary router on a network may be able to screen traffic by address, but hackers have a little trick called source IP spoofing that makes data appear to come from a trusted source, even from your own network. Unfortunately, packet filter firewalls are prone to IP spoofing and are also arduous and confusing to configure. And any mistake in configuration could potentially leave you wide open to attack.

Application-Level Proxy Server

An application-level proxy server examines the application used for each individual IP packet to verify its authenticity. Traffic from each application—such as HTTP for Web, FTP for file transfers, and SMTP/POP3 for e-mail—typically requires the installation and configuration of a different application proxy. Proxy servers often require administrators to reconfigure their network settings and applications (e.g., Web browsers) to support the proxy, and this can be a labor-intensive process.

Stateful Packet Inspection Firewall

This is the latest generation in firewall technology. Stateful packet inspection is considered by Internet experts to be the most advanced and secure firewall technology because it examines all parts of the IP packet to determine whether to accept or reject the requested communication.

The firewall keeps track of all requests for information that originate from your network. Then it scans each incoming communication to see if it was requested, and rejects anything that wasn’t. Requested data proceeds to the next level of screening. The screening software determines the state of each packet of data, hence the term stateful packet inspection.
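The following model, added here and not code from the paper or any 3Com product, simulates the NAT step from “Basic Purpose of a Firewall” together with the three-level “process of elimination” from “Screening Levels” and the request tracking described above. The public address, trusted network, banned content marker and all packets are constructed for the illustration.

```python
"""Illustrative stateful NAT firewall (added example, not from the paper).
Outbound requests are recorded and rewritten to the firewall's public address;
an inbound packet is delivered only if it (1) answers a recorded request,
(2) comes from a trusted sender, and (3) carries no banned content."""
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


class StatefulNatFirewall:
    def __init__(self, public_ip, trusted_nets, banned_content):
        self.public_ip = public_ip                       # the only address outsiders see
        self.trusted = [ipaddress.ip_network(n) for n in trusted_nets]
        self.banned = banned_content                     # byte markers rejected at level 3
        self.next_port = 40000                           # next public port handed out by NAT
        # flow table: (remote ip, remote port, public ip, public port) -> (inside ip, inside port)
        self.flows = {}

    def outbound(self, pkt):
        """LAN -> Internet: record the request, then rewrite the source so the
        packet appears to originate from the firewall rather than the LAN host."""
        public_port = self.next_port
        self.next_port += 1
        self.flows[(pkt.dst, pkt.dport, self.public_ip, public_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=public_port)

    def inbound(self, pkt):
        """Internet -> LAN: eliminate in the paper's order.
        Returns (verdict, packet to deliver or None)."""
        # Level 1: was this requested by an inside user? Anything else is rejected.
        inside = self.flows.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if inside is None:
            return "reject: not requested", None
        # Level 2: is the sender's address a trusted site?
        if not any(ipaddress.ip_address(pkt.src) in net for net in self.trusted):
            return "reject: untrusted sender", None
        # Level 3: does the content of the transmission pass?
        if any(marker in pkt.payload for marker in self.banned):
            return "reject: banned content", None
        # All levels passed: undo NAT so the reply reaches the original host.
        inside_ip, inside_port = inside
        return "allow", replace(pkt, dst=inside_ip, dport=inside_port)


def demo():
    """Constructed traffic: one web request and its reply, plus an unsolicited
    probe aimed at the firewall's public address on a port nobody opened."""
    fw = StatefulNatFirewall("203.0.113.1", ["198.51.100.0/24"], [b"EICAR"])
    request = fw.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 80))
    reply = Packet("198.51.100.7", 80, request.src, request.sport, b"HTTP/1.0 200 OK")
    probe = Packet("198.51.100.7", 80, "203.0.113.1", 40001)
    return fw.inbound(reply)[0], fw.inbound(probe)[0]


if __name__ == "__main__":
    print(demo())
```

Inbound traffic to a public server (the DMZ case discussed later in the paper) would need an explicit allow rule in front of level 1; this model only covers replies to inside users.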

Additional Firewall Features and Functionality

In addition to the security capability of a firewall, a wide range of additional features and functionalities are being integrated into standard firewall products. These include support for public Web and e-mail servers, normally referred to as a demilitarized zone (DMZ), content filtering, virtual private networking (VPN) encryption support, and antivirus support.

Demilitarized Zone Firewalls

A firewall that provides DMZ protection is effective for companies that invite customers to contact their network from any external source, through the Internet or any other route—for example, a company that hosts a Web site or sells its products or services over the Internet.

The deciding factors for a DMZ firewall would be the number of outsiders or external users who access information on the network and how often they access it.

A DMZ firewall creates a protected (“demilitarized”) information area on the network. Outsiders can get to the protected area but can’t get to the rest of the network. This allows outside users to get to the information you want them to have and prevents them from getting to the information you don’t want them to have.

Content Filtering

A Web site filter or content filter extends the firewall’s capability to block access to certain Web sites. You can use this add-on to ensure that employees do not access particular content, such as pornography or racially intolerant material. With this functionality you can define categories of unwelcome material and obtain a service that lists thousands of Web sites that include such material. You can then choose whether to totally block those sites, or to allow access but log it. Such a service should automatically update its list of banned Web sites on a regular basis.

Virtual Private Networks

A VPN is a private data network that makes use of the public network infrastructure, that is, the Internet. The idea of the VPN is to give the company the same capabilities as a private leased line but at much lower cost. A VPN provides secure sharing of public resources for data by using encryption techniques to ensure that only authorized users can view or “tunnel” into a company’s private network.

Companies today are looking at VPNs as a cost-effective means of securely connecting branch offices, remote workers, and privileged partners/customers to their private LANs. A growing range of firewalls now have VPN encryption capability built in or offer it as an optional extra. This offers companies a simple, cost-effective alternative to traditional private leased lines or modem remote access.

When implementing a VPN, you need to ensure that all devices support the same level of encryption and that it is sufficiently secure. To date, 168-bit Data Encryption Standard (3DES) is the strongest level of encryption publicly available and is deemed unbreakable by security experts. One thing to bear in mind is that the stronger the encryption level, the more processing power is required by the firewall. A small number of firewall vendors are now offering VPN hardware acceleration to improve VPN traffic performance.

Antivirus Protection

Everyone should be concerned about the threat of viruses, which are among the most pernicious forms of computer hacking. Users can quickly damage entire networks by unknowingly downloading and launching dangerous computer viruses. Companies have lost enormous amounts of money due to resulting lost productivity and network repair costs.

Firewalls are not designed to remove or clean viruses, but they can assist with virus detection, which is an important part of an overall virus protection plan.

It is important to note that a firewall can only protect the network from the wide area device to which it is attached. A remote access server or a PC with a modem could provide a back door into your network that circumvents the firewall. The same is true if an employee inserts a virus-infected floppy disk into a PC. The ultimate place for antivirus software is on every user’s PC; however, a firewall can assist in virus detection by requiring that every user’s PC have the latest antivirus software running and enabled before the firewall permits that user to access the Internet or download e-mail.

Choosing a Firewall

Firewall functions can be implemented as software or as an addition to your router/gateway. Alternatively, dedicated firewall appliances are increasing in popularity, mainly due to their ease of use, performance improvements, and lower cost.

Router/Firmware-Based Firewalls

Certain routers provide limited firewall capabilities. These can be augmented further with additional software/firmware options. However, great care must be taken not to overburden your router by running additional services like a firewall. Enhanced firewall-related functionality such as VPN, DMZ, content filtering, or antivirus protection may not be available or may be expensive to implement.


Software-Based Firewalls

Software-based firewalls are typically sophisticated, complex applications that run on a dedicated UNIX or Windows NT server. These products become expensive when you account for the costs associated with the software, server operating system, server hardware, and continual maintenance required to support their implementation.

It is essential that system administrators constantly monitor and install the latest operating system and security patches as soon as they become available. Without these patches to cover newly discovered security holes, the software firewall can be rendered useless.

Dedicated Firewall Appliances

Most firewall appliances are dedicated, hardware-based systems. Because these appliances run on an embedded operating system specifically tailored for firewall use, they are less susceptible to many of the security weaknesses inherent in Windows NT and UNIX operating systems. These high-performance firewalls are designed to satisfy the extremely high throughput requirements or the processor-intensive requirements of stateful packet inspection firewalls.

Because there is no need to harden the operating system, firewall appliances are usually easier to install and configure than software firewall products, and can potentially offer plug-and-play installation, minimal maintenance, and a very complete solution. They also prove to be extremely cost-effective when compared to other firewall implementations.

Designing a Firewall into Your Network

Once you have familiarized yourself with all of the different firewalls on the market, the next step is to define your firewall policy. For example, will the firewall explicitly deny all services except those critical to the mission of connecting to the Internet? Or is it intended to provide a metered and audited method of “queuing” access in a nonthreatening manner? Decisions like these are less about engineering than politics.

The next decision is what level of monitoring, redundancy, and control you want. This involves juggling needs analysis with risk assessment, and then sorting through the often conflicting requirements in order to determine what to implement.

Where firewalls are concerned, the emphasis should be on security rather than connectivity. You should consider blocking everything by default, and only allowing the services you need on a case-by-case basis. If you block all but a specific set of services, you make your job much easier.
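As an added example (not from the paper or any 3Com product), the following first-match packet filter ties the default-deny policy above to the rule fields named under “Packet Filter Firewall”, the source IP spoofing weakness noted there, and the DMZ separation described earlier. The LAN and DMZ addresses, the rule sets and the packets are all constructed.

```python
"""First-match packet filter with default deny (added example, not from the paper).
LOOSE shows the configuration mistake the paper warns about; TIGHT puts an
anti-spoofing rule first, admits only the DMZ services needed, and denies the rest."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

LAN = "192.168.1.0/24"        # private LAN: never a legitimate source on the WAN side
DMZ_WEB = "203.0.113.80/32"   # public Web server placed in the DMZ (constructed)
DMZ_MAIL = "203.0.113.25/32"  # public mail server placed in the DMZ (constructed)


@dataclass(frozen=True)
class Packet:
    iface: str      # "wan" (arriving from the Internet) or "lan"
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One rule over the fields the paper names (port, source/destination
    address, protocol) plus the interface the packet arrived on."""
    action: str                       # "allow" or "deny"
    iface: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.iface in ("any", p.iface)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


def decide(rules, pkt, default="deny"):
    """First matching rule wins; with no match the default policy applies.
    Returns (action, index of the matching rule or None)."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return default, None


# Loose: a broad allow sits before the deny, so the deny never matches and a
# packet claiming a LAN source address is let straight in.
LOOSE = [Rule("allow", proto="tcp"), Rule("deny", proto="tcp", dport=23)]

# Tight: block everything by default and allow only the needed services.
TIGHT = [
    Rule("deny", iface="wan", src=LAN),                                # spoofed inside source
    Rule("allow", iface="wan", dst=DMZ_WEB, proto="tcp", dport=80),    # public Web site
    Rule("allow", iface="wan", dst=DMZ_MAIL, proto="tcp", dport=25),   # inbound e-mail
]


if __name__ == "__main__":
    spoofed = Packet("wan", "192.168.1.5", "203.0.113.80", "tcp", 80)
    print("loose:", decide(LOOSE, spoofed), "tight:", decide(TIGHT, spoofed))
```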

Conclusion

Security breaches are very real and very dangerous. Every company now recognizes how easily it can become the victim of deliberate or random attacks, and how much damage these attacks can cause. The good news is that 3Com Corporation is just as aware of the threats, and is developing better and stronger security solutions. Small and midsize companies and remote offices in particular can take advantage of new 3Com firewall solutions that are less costly and complicated to administer than traditional firewalls.

While firewalls are only one component of an overall security system, they are a vital component, and companies must invest the time required to evaluate the best system for their needs—and then deploy it as quickly as possible. Security breaches are an ever-present danger, and there’s no time like the present to protect your company’s valuable data.


3Com Corporation, Corporate Headquarters, 5400 Bayfront Plaza, Santa Clara, CA 95052-8145

To learn more about 3Com solutions, visit www.3com.com. 3Com Corporation is publicly traded on Nasdaq under the symbol COMS.

The information contained in this document represents the current view of 3Com Corporation on the issues discussed as of the date of publication. Because 3Com must respond to changing market conditions, this paper should not be interpreted to be a commitment on the part of 3Com, and 3Com cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only; 3Com makes no warranties, express or implied, in this document.

Copyright © 2000 3Com Corporation. All rights reserved. 3Com is a registered trademark and the 3Com logo is a trademark of 3Com Corporation. Windows NT is a trademark of Microsoft. UNIX is a trademark of UNIX Laboratories. Other company and product names may be trademarks of their respective companies.

503090-001 9/00