Shorewall vs UFW: Firewall Strategies

This chapter outlines the essential components and strategies for developing an effective firewall policy, emphasizing the need for planning, documentation, and stakeholder involvement. It discusses the importance of user education and the necessity of restricting vulnerable services while allowing necessary network access. The chapter concludes that a well-structured firewall policy enhances security by protecting the internal network and minimizing exposure to attacks.


Firewalls and VPNs

Principles and Practices

Richard Tibbs
Edward Oakes

Chapter 6 Determining Requirements for the Firewall


Objectives

 List and describe the basic components of a firewall policy
 Design a network to improve the effectiveness of firewall rules
 Determine the network services a company or organization will need to allow external users to access

Determining Requirements for the Firewall 2


Objectives continued

 Analyze and document the Internet services employees need access to
 List and restrict vulnerable network services which should not be permitted to enter or leave the network
 Design a network to utilize port forwarding and NAT where appropriate to enhance security


Introduction

 Two main functions of a firewall:
   Protecting the internal network from external attacks
   Controlling access of internal machines to the internet
 Determine which services will be available from both sides of the firewall:
   Services the internal network will provide to the outside world (e.g. DNS, Web services, e-mail)
   Internet services that internal users will be allowed to access

Firewall Policy

 Successful deployment – planning and documentation
 Without them, effectiveness may drop by up to 30%
 Firewall policy – high-level document describing acceptable incoming & outgoing traffic
 Understanding of the technology is not needed
 Firewall policy is a guide to the firewall administrator for decision making


Firewall Policy (continued)

 All must support the policy rather than bend it to meet users' requests
 Must ensure that rules will not restrict normal business activities
 Involve all stakeholders
 Involve stakeholders early
 Must be readable by average non-technical users
 Must be available to internal users to access & review

Firewall Policy in depth

 Minimum firewall policy should include (details on following slides):
   Purpose
   Explanation of how the firewall handles traffic
   Services or applications that are allowed
   Services or applications that are denied
   How changes are requested & approved


Purpose - Firewall Policy in Depth (continued)
 Describe why there is a need for a firewall
 Describe how a firewall will meet that goal
 To ensure a secure and reliable network is always available by:
   Protecting the internal network from external attacks and threats
   Controlling access of internal machines to the internet
   Ensuring that external internet users have access only to those resources and services needed for their job


How Firewall Handles Traffic - Firewall Policy in Depth (continued)
 Use a layered approach or defense in depth
 2 opposing strategies:
   Allow everything and only block specific items or ports
     Defeats firewall
     Maximum flexibility
     Required of most: DNS, SMTP, HTTP
     Maybe: IM, NetMeeting


How Firewall Handles Traffic - Firewall Policy in Depth (continued)
 2 opposing strategies (continued):
   Deny everything and only allow traffic that is explicitly permitted
     Restrictive network & therefore greater level of protection
     Users ask permission
     Often denied: DHCP, TFTP, SNMP, Windows File Sharing


Firewall Changes - Firewall Policy in Depth (continued)
 Proper documentation is extremely important
 Rules start out simple & quickly grow complex as new applications & exceptions are added
 Should be a formal procedure & approval process
 Hardening and patching is still required
 Next slide example: Firewall Change Request Form


Sample Firewall Request Form



User Education
 Once the firewall policy is created, it must be communicated to users
   Training session
   Department meeting
   Face-to-face, not written communications
 Users must understand its purpose and not view it as a new set of restrictions
 Opportunity for other security training
   Passwords, updating virus software, email attachments, confidentiality, secure & insecure websites


User Education

 Extra attention must be paid to social engineering
 Social engineering – convincing someone to give out valuable information
   Ask for positive ID
   Never give out your PIN or personal passwords
   Don’t allow shoulder surfing
 Most losses are due to internal attacks


Network Design

 Place key groups or departments on isolated subnets to provide a higher level of control
 Different strategy for Accounting & Sales in Figure 6.2 & Table 6.1


Firewall Rule Syntax

 Syntax of rules or exceptions is slightly different for every firewall
 Normally include:
   Action
   Source address and port
   Destination address and port
   Protocol


Shorewall Rules

 Uses a policy file (/etc/shorewall/policy) and a rules file (/etc/shorewall/rules) for configuration


Cisco Access List Entries

 ACLs are evaluated sequentially, so place the most heavily used rule first
 3 types of ACLs:
   Standard
   Extended – look at both source & destination address
   Dynamic (lock and key)


Flow of Traffic (Incoming & Outgoing)

 Direction of traffic is important
 Shorewall/Bering uses keywords:
   net – systems on the external network or internet
   fw – the firewall
   loc – systems on the local or internal network
 Cisco rules for incoming and outgoing are on every interface
 Comparison on next slide


Services to offer to Outside World

 Three main services to allow through the firewall:
   DNS
   SMTP
   HTTP
 Common practice – use a separate physical server for each service
   Enhances security and reliability
   Only 1 port on each server will be available


DNS services

 DNS is invisible to most users
 DNS problems often give the appearance of a network outage
 DNS uses port 53 (TCP & UDP)
 DNS uses TCP for zone transfers between master & slave (secondary) DNS servers
 Most organizations have 1 or more slave (secondary) DNS servers as backups
 Normal DNS queries from client computers to the server use the UDP protocol

DNS services continued
 Sample incoming Shorewall rules (/etc/shorewall/rules)
 Sample incoming Cisco ACL entry for the same
 Sample outgoing Shorewall rules (/etc/shorewall/rules)
 Sample outgoing Cisco ACL entry for the same


SMTP services

 SMTP allows computers to connect to each other and send e-mail
 SMTP uses port 25
 All local e-mail clients should route e-mail first to the local SMTP server
 Restrict outgoing port 25 SMTP connections to the SMTP server only
 If a computer becomes infected, the virus’s attempts to propagate itself or send spam will be rejected by the firewall


SMTP services continued

 Sample incoming Shorewall rule
 Sample outgoing Shorewall rule


HTTP & HTTPS services
 HTTP uses TCP port 80
 HTTPS uses TCP port 443
 Web servers must be patched regularly
 Many packages & tools install personal web servers on workstations
 Block all other incoming TCP port 80 & 443 connections
 Sample incoming Shorewall rule


Structured Query Language (SQL)
 Typically databases are stored on Intranet servers for inside users
 For additional protection, the firewall should block access
 Only the systems on the server subnet & Systems Management subnet will need to connect
 Each vendor uses different port(s)


Sample incoming rule for databases



Generalized service rules
 Incoming
   Allow incoming DNS connections to DNS server(s)
   Allow incoming SMTP connections to the SMTP mail server
   Allow incoming HTTP connections to the web server
   Allow incoming HTTPS connections to the web server
   Allow return traffic from established TCP connections for the server subnet
   DENY all other incoming Internet traffic bound for the server subnet
 Outgoing
   Allow outgoing DNS connections from the DNS server(s)
   Deny all other outgoing DNS connections
   Allow outgoing SMTP connections from the SMTP mail server
   Deny all other SMTP connections

Order & Performance for Rules

 Evaluated top down
 Rules should be ordered by most often hit/used
 Logic
 Previous slide addendum:
   If the "deny all others" rule were first, then all other rules would be useless
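As an added example (not code from the book or from Shorewall), the generalized service rules from the previous slide written in the /etc/shorewall/rules column order with the net/loc zones from slide 19, plus a small first-match evaluator that shows why a catch-all deny placed at the top makes every later ACCEPT line unreachable. The server addresses, test addresses and the rule set are constructed for illustration.

```python
# Added example (not the book's or Shorewall's code): first-match evaluation of
# rule lines in /etc/shorewall/rules column order ACTION SOURCE DEST PROTO DPORT.
import ipaddress

RULES = """\
# Constructed example hosts: 192.168.1.10 DNS, .20 SMTP, .30 web server
ACCEPT  net               loc:192.168.1.10  udp  53
ACCEPT  net               loc:192.168.1.10  tcp  53
ACCEPT  net               loc:192.168.1.20  tcp  25
ACCEPT  net               loc:192.168.1.30  tcp  80,443
DROP    net               loc               all  -
# Outgoing: only the DNS server may query DNS, only the mail server may send SMTP
ACCEPT  loc:192.168.1.10  net               udp  53
ACCEPT  loc:192.168.1.10  net               tcp  53
REJECT  loc               net               udp  53
REJECT  loc               net               tcp  53
ACCEPT  loc:192.168.1.20  net               tcp  25
REJECT  loc               net               tcp  25
"""
# Stand-in for /etc/shorewall/policy: loc->net ACCEPT, everything else REJECT
POLICY = {("loc", "net"): "ACCEPT", ("all", "all"): "REJECT"}


def _endpoint(spec):
    """'loc:192.168.1.10' -> ('loc', network); 'net' -> ('net', None) meaning any host."""
    zone, _, host = spec.partition(":")
    return zone, (ipaddress.ip_network(host, strict=False) if host else None)


def parse_rules(text):
    """Return (action, src_endpoint, dst_endpoint, proto, ports) tuples in file order."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            action, src, dst, proto, dport = fields
            ports = None if dport == "-" else {int(p) for p in dport.split(",")}
            rules.append((action, _endpoint(src), _endpoint(dst), proto.lower(), ports))
    return rules


def _matches(endpoint, zone, ip):
    ezone, enet = endpoint
    return ezone == zone and (enet is None or ipaddress.ip_address(ip) in enet)


def evaluate(rules, pkt, policy=POLICY):
    """pkt = (src_zone, src_ip, dst_zone, dst_ip, proto, dport); first match wins,
    otherwise the zone policy decides, as in Shorewall."""
    src_zone, src_ip, dst_zone, dst_ip, proto, dport = pkt
    for action, src, dst, rproto, ports in rules:
        if (_matches(src, src_zone, src_ip) and _matches(dst, dst_zone, dst_ip)
                and rproto in ("all", "-", proto) and (ports is None or dport in ports)):
            return action
    return policy.get((src_zone, dst_zone), policy[("all", "all")])
```

Shorewall accepts packets of already established connections before the rules file is consulted, so the "return traffic from established TCP connections" item needs no explicit line here. Prepending `parse_rules("DROP net loc all -")` to the parsed list reproduces the ordering mistake from the slide: `evaluate` then returns DROP even for DNS queries to the DNS server.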


What Internet Services to Allow

 Impossible to make everyone happy & keep the network secure
 Users will always let you know if they are unable to access something; they will never let you know if they have too much access
 Must determine what level of risk is acceptable


Instant Messaging (IM)
 Real-time synchronous online chat using text messages
 Security concerns:
   File sharing
   Video & audio communications


Instant Messaging (IM) continued
 Firewall can block the IM port; however, most IM clients will search for other ports to establish a connection
 Solutions:
   Educate users
   Corporate policy


NetMeeting

 Most widely used H.323 protocol application for audio & video conferencing
 NetMeeting dynamically allocates an incoming port between 1024 and 65536
 Impossible to use without opening access to over 60,000 ports
 Careful risk analysis of benefits


Peer-to-Peer (P2P) Applications

 MP3 music sharing has popularized P2P
 Problems:
   Copyright and illegal distribution of materials
   Inadvertently sharing confidential corporate documents
 Blocking all incoming connections to user computers that are not established connections will still allow P2P applications


Network & System Management Services
 Recommend a VPN connection be used
 ICMP
   Ping – testing network connectivity
 Telnet – terminal-based application to gain console access to servers & network equipment
 FTP – tool used to exchange files between systems
 SSH – same types of services offered by telnet & FTP but with two-way encryption
 Windows Terminal Services – [Link] client program to remotely manage servers
   Full Windows login to a remote host

Services that should not leave local network



Network Address Translation (NAT)

 Allows computers on the internal network to use a private set of IP addresses
 Internal network shares a single public IP address for external Internet communications


Demilitarized Zone (DMZ)

 Zone between the Internet & local network
 Originally a military term; for example, the zone between North and South Korea is a DMZ.
 DNS, Mail & Web servers can be placed in the DMZ


Summary
 This chapter focused on creating a firewall policy and configuration
 Purpose of the firewall – to protect the internal network
 User education is the key for understanding rules and successful implementation
 More restrictive networks mean less exposure to an attack