Big Red Doors... and Walls

Firewall Deployment Considerations

Cornell Security Seminar, August 29, 2001

This web page is also available as a PowerPoint presentation.

Purpose

• If we do not define and execute a common process for planning, integrating, deploying and operating our solutions, then the chances of leveraging our experiences are near zero.

What is a firewall?

... "prevents unauthorized access to information resources by placing a barrier between an organization's network and an unsecured network" such as the Internet.

Rich Kosinski, president and founder of Internet Security Corporation

Why do I need a firewall?

The Internet, like any other society, is plagued with the kind of jerks who enjoy the electronic equivalent of writing on other people's walls with spraypaint...

Usually, a firewall's purpose is to keep the jerks out of your network while still letting you get your job done.

It is the embodiment of the corporate data access policy.

What can a firewall do?

Firewall policies generally implement one of two basic design policies:

• Deny any service unless it is expressly permitted
  Need to know

• Permit any service unless it is expressly denied
  Need to protect

What can't a firewall do?

• A firewall can't really protect you against threats inside your network

• Firewalls can't protect very well against things like viruses

• Firewalls can't protect against attacks that don't go through the firewall

"They buy a $50 modem with petty cash, plug it into a PC on the network and... dial out to a local service provider. What they don't realize is that they have just made the company network part of the Net."

False Sense of Security

See illustration

Part of a system

Protection Objective ... Risk ... Control (firewall)
See illustration

Protection Objectives

The most important thing about a firewall is that it implements an access control policy

To permit someone or some product to configure a firewall based on what they think it should do, then they are making policy for your organization

All aspects of the environment change continuously - and must be re-evaluated continuously

Risk

Risks are threats to your objectives

Risk Assessment should address:

• What is at risk?
• What is its value?
• What are the threats?
• What is the probability of occurrence?

The Key Issue

• The key issue is POLICY, not PLUMBING

Controls

• Must address identified risks directly
• Must be cost effective:
  Control Cost vs Value of At Risk Asset
• Support Protection Objectives

Acceptable Risk

See illustration

Three types

Firewalls come in three basic flavors:

1. Packet-filtering routers
2. Application level (proxy) servers
3. Hybrid

Filtering Rules

• Filter by:
  ­ Protocol
  ­ Source Address
  ­ Destination Address
  ­ Source Port
  ­ Destination Port
  ­ ACK Bit Status

Filtering Rule Example

• Allow outgoing telnet sessions from any internal address to any external server
• Disallow any incoming telnet connections

  See illustration

1. Allows outgoing telnet connections to be initiated
2. Allows incoming packets that are part of an existing session
3. Blocks incoming attempts to open a connection*
4. Enforces our policy - "Deny if not expressly permitted"

Simple Firewall Implementation

See illustration

The Key Issue

The key issue is POLICY, not PLUMBING

Firewall Standards to Consider

• Firewall Definition
• Who is Playing The Role Of Defined Decision Maker?
• Default To Denial
• Regular Auditing
• Logs
• Intrusion Detection
• Contingency Planning
• External Connections
• Extended User Authentication
• Virtual Private Networks
• Firewall Access Privileges
• Secured Subnets
• Network Management Systems
• Disclosure Of Internal Network Information
• Secure Back-Up
• Firewall Dedicated Functionality
• Firewall Change Control
• Posting Updates
• Monitoring Vulnerabilities
• Standard Products
• Firewall Physical Security

MANAGEMENT REQUIREMENTS

• Real-Time Traffic Monitoring
  ­ How do I monitor the performance of my network?

• Device Management
  ­ Can I use my existing network management tools?

• User Management
  ­ Can I simply define and implement user or group specific usage profiles?

• Compatibility
  ­ How well does the system integrate with my existing security infrastructure?

USABILITY REQUIREMENTS

• Broad Application Support
  ­ Can I support any TCP or UDP application?

• User Transparency
  ­ Is the firewall transparent to the end user?

• Stack Modification
  Does the client portion require a modification to the existing Winsock, IP stack, or MAC driver?

Cornell Specific Services

Acceptable Services

Dangerous Services

• NFS and NIS
  ­ nfsd, mountd, statd, lockd, ypserv, ypbind ...
• UNIX "r" Commands
  ­ rlogind, rshd, rexecd, rexd, rwall ...
• TCP "Small Services"
  ­ echo, chargen, daytime, discard
• Routing
  ­ routed, traceroute, IP forwarding, source routing
• Informational
  - rstatd, fingerd, rusersd, rwhod, icmp echo

Well Known Evil Ports

• http://www.simovits.com/sve/nyhetsarkiv/1999/nyheter9902.html
• Ports used by trojans (2001-03-08)
• The table shows examples of existing trojans and ports being used
  • The lower ports are often used by trojans that steals password and either mail the passwords to attackers or hide them in FTP-directories
  • The higher ports are often used by Remote Access trojans that can be reached over the network
  • If you find probes directed against ports normally not used, it may be someone trying to connect to a trojan inside your network

Architectural considerations

• The Cornell Challenge
  • 65,535 ports tcp/udp = 131070 possible services
  • >40,000 active NetIDs
  • >850 subnets
    
    
  • Crafting a single solution to satisfy all of the possibilities is not reasonable to expect
  • Crafting standards and processes that are flexible enough to meet these needs IS reasonable

Application Security

• The application is the first layer of defense
• Most applications have mechanisms available to control access to the information that is managed by that application
• Providing access controls at this provides the most flexible control environment

Host based firewall

• The next line of defense is at the host level, whether a workstation or server
• Most operating systems for servers have this capability or is readily available
• There are a number of options available for the client (or desktop) devices

Departmental Firewalls, Managed Firewall Service

• At this level, a separate firewall would be installed for the designated subnet or department
• It could be managed by the owning department, in accordance with a university standards,
  • by CIT or an external provider under a detailed Service Agreement.

"Gateway" firewall to the Internet

• This would consist of a single high performance firewall (or array) through which all commodity internet traffic would pass
• It would be owned and operated by a single campus entity, CIT
• This device need not constrain traffic under normal conditions
  • It would provide the ability to selectively limit inappropriate traffic when other mechanisms indicate the presence of an attack

Companion Technologies

Firewalls are often complemented by

VPN

A Virtual Private Network is a mechanism to extend the policies under which the network operates out into the Internet itself

IDS

An Intrusion Detection System is designed to identify traffic that the security policy defines as inappropriate. Many implementations are integrated with the firewall to such an extent that it can modify the ruleset on the firewall in response to actual traffic conditions. It also serves as a useful tool to monitor the effectiveness and condition of the firewall itself.

Purpose

• If we do not define and execute a common process for planning, integrating, deploying and operating our solutions, then the chances of leveraging our experiences are near zero.

Questions ??

This page is developed and maintained by the Office of Information Technologies. Please write to us with your feedback at security@cornell.edu.