Archive for the 'Firewall' Category
The original definition of a firewall is: “a partition made of fireproof material to prevent the spread of a fire from one part of a building or ship to another or to isolate an engine compartment, as on a plane, automobile, etc.” [1] Today, in the computer world, the term refers to any piece of hardware/software used to protect a private network from network attacks coming from external networks. It acts as a gatekeeper to keep hackers from reaching the internal network, protecting your crucial network resources from being compromised.
Many people know what a firewall does, but few understand that a firewall needs careful configuration before it can start protecting your network.
I still remember more than 10 years ago, as I visited clients to talk about the security configuration of their network, many were proud to tell me that they had gotten firewalls installed to protect their network. (At that time, a firewall was considered advanced networking equipment!) But when I logged into their administration menu to check their firewall policies, there were none there! They didn’t know that they needed to “configure” their firewall before it would function properly.
A firewall is actually the deployment tool used to carry out your network access policy. The network access policy refers to the organizational management’s intention regarding the various network access rules for both the internal employees and external visitors. Without properly configured firewall rules, a firewall’s existence is meaningless.
Take a packet-filtering firewall as an example. It works at the Network and Transport Layers (TCP/IP). It looks up its filtering rules by examining the source port/destination port (Transport Layer) and IP address (IP Layer) to decide whether to let a particular packet in or out of your network.
For example, if your company does not allow internal employees to access FTP servers during work time, then you need to set up a firewall rule to block any access to ports 20 and 21 of remote servers during office hours. The following table illustrates a typical set of firewall access rules to achieve this:

The meanings of the different columns in the above table are explained here:
- Direction: The direction of the packet going through the firewall, either IN, OUT, or EITHER
- Source Addr: The source address, either internal (INT) or external (EXT)
- Dest. Addr: The destination address, either internal (INT) or external (EXT)
- Protocol: Transport Layer packet type, either TCP or UDP
- Source Port: The source port at the TCP layer of the sender
- Dest. Port: The destination port at the TCP layer of the receiver
- ACK set: The acknowledge flag at the Transport Layer of the packet, either SET (Y) or DOES-NOT-MATTER (Any)
There are many cases where packet-filtering rules do not work. For example, if you want to block users’ access to particular remote web-based email services, chances are that you will not be able to control this by blocking certain designated IP addresses (filled in as the Destination Address in the packet-filtering table above), since some web-based services are hosted on more than one server with varying IP addresses and thus cannot be shut out by a fixed set of IP addresses. In this case, you need the firewall to work at a higher layer.
A firewall working at a higher layer provides more refined control over network access. For the previous example, if you use an application-level firewall, it can screen the URLs of web-based email access, such as www.hotmail.com for Microsoft’s email service, and not allow them to pass through.
An application-level firewall can even zoom into the details of the application data passing through - such as the authentication information, application types, and other kinds of information - to decide whether to allow a particular network connection to continue. It can even carry out a detailed inspection of the users’ data going through.
A proxy server is one kind of application-level firewall. I’m sure you have heard of this type of server being used in your or some other company’s network. It’s a popular device because it provides more control over the network traffic passing through. However, it also requires more computing power on the firewall, so its performance is slower. It also requires the internal network clients to be configured to go through the proxy before they can access external network resources.
No matter which type of firewall you are deploying, you need to work out the network access policy with senior management. Otherwise, you will not know what rules you need to set up in your firewall rule table. Simply put, you’ll be installing a tool that has no idea how to protect your network.
[1] firewall. (n.d.). Dictionary.com Unabridged (v 1.1). Retrieved June 18, 2008, from Dictionary.com website: http://dictionary.reference.com/browse/firewall
Screened Subnet Architecture and Firewalls
A firewall’s function is to act as a gatekeeper, keeping Internet “bad guys” out of your internal network. Setting up an effective firewall requires careful planning.
In my view, the Screened Subnet Architecture is a preferred network setup for firewalls to protect your company’s network while at the same time allowing external visitors to access your public service hosts.
What is Screened Subnet Architecture?
Let’s take a look at how a typical Screened Subnet Architecture is set up:

From this diagram, note that there are two firewalls, not one, in the network structure. The exterior firewall is configured to allow external traffic to reach the subnet section (Perimeter Network) where you have placed the public service hosts (Bastion Hosts), such as your e-mail server, web server, and/or DNS server. The Screened Subnet is also called the “DM Zone” (demilitarized zone) or simply “DMZ”. The internal firewall acts as a second gatekeeper to keep external visitors from coming directly into your internal corporate network. The subnet section where you have placed the service hosts is called the “Screened Subnet” or “Perimeter Network,” hence the name “Screened Subnet Architecture” for this type of network architecture.
What is the benefit of using Screened Subnet Architecture for a firewall setup?
The advantage of this setup is that if your external hosts are exploited (as they could be, since they serve many external visitors’ requests and are exposed to a greater risk of being hacked), you still have the interior firewall as a second gatekeeper to defend against attacks launched from the exploited hosts. Or, if the exterior firewall has been compromised, the interior firewall can still fend off the hackers’ possible direct intrusion into the corporate internal network.
There are variations of this network setup that serve similar functions. One variation uses a single firewall with three network interfaces: one for the external Internet connection, another for the Screened Subnet, and a third for the internal network. The firewall is configured to allow external visitors to visit the Screened Subnet only, without the authority to access the internal network interface.

This setup, of course, saves the hassle of maintaining two firewalls, making it easier to concentrate on the security maintenance of one single firewall.
However, the disadvantage is that if this single firewall becomes compromised, chances are the attackers can gain access to the internal network through the firewall’s internal interface. This, of course, poses a great security risk to a corporate environment.
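As an added example (not code from the original posts), the following Python models the packet-filtering rule table described in the first post, with its column meanings, applied to the single three-interface firewall just described: zones EXT, DMZ and INT take the place of the IN/OUT direction and the INT/EXT address columns, and a time window is an assumed extra column that carries the office-hours FTP rule. The rule set, port numbers and office hours are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional
ANY = None  # wildcard: this rule field DOES-NOT-MATTER

@dataclass(frozen=True)
class Packet:
    src_zone: str   # Source Addr: EXT or INT, plus DMZ for the screened subnet
    dst_zone: str   # Dest. Addr
    proto: str      # TCP or UDP
    dport: int      # Dest. Port (Source Port omitted: these rules never match on it)
    ack: bool       # ACK set: True only on packets of an already established TCP flow
    hour: int       # local hour 0-23, used by the office-hours FTP rule (assumed column)

@dataclass(frozen=True)
class Rule:
    action: str                   # ALLOW or DENY
    src_zone: Optional[str] = ANY
    dst_zone: Optional[str] = ANY
    proto: Optional[str] = ANY
    dport: Optional[int] = ANY
    ack: Optional[bool] = ANY     # True = ACK must be set (Y); ANY = DOES-NOT-MATTER
    hours: Optional[range] = ANY  # time window in which the rule applies

    def matches(self, p: Packet) -> bool:
        pairs = ((self.src_zone, p.src_zone), (self.dst_zone, p.dst_zone),
                 (self.proto, p.proto), (self.dport, p.dport), (self.ack, p.ack))
        return all(want is ANY or want == have for want, have in pairs) and (
            self.hours is ANY or p.hour in self.hours)

# Constructed rule table for one firewall with EXT, DMZ and INT interfaces; first match wins.
OFFICE = range(9, 18)
POLICY = [
    Rule("DENY", "INT", "EXT", "TCP", 21, hours=OFFICE),  # no FTP control channel in office hours
    Rule("DENY", "INT", "EXT", "TCP", 20, hours=OFFICE),  # nor the FTP data channel
    Rule("ALLOW", "EXT", "DMZ", "TCP", 25),               # Internet may reach the bastion mail server
    Rule("ALLOW", "EXT", "DMZ", "TCP", 80),               # and the bastion web server
    Rule("ALLOW", "DMZ", "EXT", "TCP", 25),               # the mail relay may deliver mail outward
    Rule("ALLOW", "DMZ", "EXT", "TCP", ack=True),         # bastion replies to external clients
    Rule("ALLOW", "INT", "DMZ"),                          # staff may use the DMZ services
    Rule("ALLOW", "INT", "EXT"),                          # staff may go out (FTP already denied above)
    Rule("ALLOW", "DMZ", "INT", "TCP", ack=True),         # DMZ to inside: replies only, never new connections
    Rule("ALLOW", "EXT", "INT", "TCP", ack=True),         # Internet to inside: replies only
]

def decide(p: Packet, policy=POLICY) -> str:
    """Action of the first matching rule; anything unmatched is denied."""
    for rule in policy:
        if rule.matches(p):
            return rule.action
    return "DENY"
```

The two ack=True rules are what keep a compromised bastion host from opening new connections into the internal network while still letting replies to internal users through. Stateful firewalls replace the ACK-set column with connection tracking, because a lone ACK flag can be set on a packet that belongs to no real connection.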
Here they are:
- Does not guarantee data integrity
- Does not support authenticity of the source of data
- Has no control over how the packets were created
- Does not support confidentiality: there is no encryption between different firewalls unless VPN features are incorporated
- Does not protect against some Internet threats such as virus attacks and/or password cracking
- Does not provide protection from insider threats, i.e. insider attacks
- Cannot protect against traffic that does not go through it (for example, dial-up modems inside the private network can be a backdoor)
- Once traffic has passed through it, it can do nothing more!
- Single point of failure
There are definitely more; can you think of some?
Screened Subnet Architecture refers to setting up a firewall (or two firewalls) in such a way that there is a separate subnet dedicated to a demilitarized zone (DMZ). Traffic coming from the external Internet can only get as far as the DMZ, whereas internal users’ traffic passes through the DMZ before it reaches the Internet.
Bastion Hosts are hosted in the DMZ. Those hosts are designed to serve external visitors who want to request services from the network owners. HTTP, FTP and SMTP are common services provided by Bastion Hosts in the DMZ. Since Bastion Hosts are aimed at supporting external users’ access, they have to be hardened against possible Internet attacks.
The DMZ is set up following the security concept of layered defense. External hackers, even if they succeed in hacking the Bastion Hosts, still need to figure out a way into the internal network. This extra layer adds difficulty because all external-facing servers are in the DMZ; hackers are unlikely to have any direct access to hosts in the internal network.
To set up a DMZ, the most direct way is to use two firewalls with two network interfaces each. One firewall is connected to the internal network and the other to the external Internet. These two firewalls are then joined together using their remaining interfaces to form a subnet called the DMZ.
Another solution is to use a firewall with three network interfaces. One interface is connected to the Internet, another to the internal network, and the last one to the DMZ subnet. In this way, we can configure the firewall rules to operate the DMZ as a middle network between the external and internal networks.
A firewall is a perimeter security device. A perimeter security device is only good at protecting the internal network from external attack. That means if an intrusion originates from the internal network, the firewall cannot deal with it.
Statistics show that most of the network attacks on an organization come from internal employees and hence most likely originate from the internal network. A firewall cannot handle this kind of network attack.
To complement the firewall’s limitation in dealing with internal network attacks, we need other devices such as an Intrusion Detection System (IDS), and of course other common security measures in areas like physical security.
A firewall cannot operate properly without careful configuration. It is actually a device that helps realize your company’s (or home’s) Internet Access Policy.
Who decides the Internet Access Policy? The information owner! Many people mistakenly believe this is done by the company’s system administrator. That is wrong. The administrator’s role is to help implement the firewall policy according to the company’s senior management’s intention. It is, after all, not the administrator’s call whether a particular service is allowed or not during a particular period of time.
Since the firewall is the gatekeeper between your company’s internal network and the Internet, it is an important device that you need to devote resources to protecting. If it is compromised, the intruder can potentially gain direct access to the internal network.