Packet filtering firewalls are typically routers with packet-filtering capabilities. Using a basic packet-filtering router, you can grant or deny access to your site based on several variables, including

Router-based firewalls are popular because they’re easily implemented. (You simply plug one in, provide an access control list, and you’re done.) Moreover, routers offer an integrated solution. If your network is permanently connected to the Internet, you’ll need a router anyway. So, why not kill two birds with one stone?

On the other hand, router-based firewalls have several deficiencies. First, they usually aren’t prepared to handle certain types of denial-of-service attacks. Many of the denial-of-service tactics used on the Internet today are based on packet mangling, SYN flooding, or forcing other TCP/IP-based anomalies. Basic routers aren’t designed for handling these types of attacks, though enterprise class routers can usually deal with them. Second, some low-end routers can’t keep track of session state data though that is discussed more in the stateful section below. Administrators are then forced to keep all ports above 1024 open to handle TCP sessions and session negotiations properly. It’s not generally a good practice to leave unused ports open to the outside.

Finally, using ACLs (access control lists) on high-end routers that are supporting extremely busy networks can contribute to performance degradation and higher CPU load. However, for most low-speed connections (such as T1 circuits) on lower-end routers (such as Cisco 2500 series routers), normal packet filtering will not tax the router to any significant degree.

Stateful packet filtering builds on the packet filtering concept and takes it a few steps further. Firewalls built on this model keep track of sessions and connections in internal state tables, and can therefore react accordingly. These firewalls can detect anomalous situations that violate protocol standards that a plain packet filter cannot. This allows the stateful firewall to block attacks that a packet filter might miss. Because of this, stateful packet filtering-based products are more flexible than their pure packet filtering counterparts. In addition, most stateful packet filtering-based products are designed to protect against certain types of DoS attacks, and to add protection for SMTP-based mail and an assortment of other security-specific features.

Checkpoint pioneered the technique called stateful inspection (SI), which takes stateful packet filtering up one notch. SI enables administrators to build firewall rules to examine the actual data payload, rather than just the addresses and ports.

Another type of firewall is the proxy-based firewall (sometimes referred to as an application gateway or application-proxy). When a remote user contacts a network running a proxy-based firewall, the firewall proxies the connection. With this technique, IP packets are not forwarded directly to the internal network. Instead, a type of translation occurs, with the firewall acting as the conduit and interpreter.

How does this differ from stateful packet filtering and generic packet filtering, you ask? Good question—and one that many people ask. Both packet filters and stateful filtering processes examine incoming and outgoing packets at the network levels (see Chapter 6, “A Brief TCP/IP Primer”). They examine IP source and destination addresses along with ports and status flags, compare them to their rulesets and table information, and then decide whether the packet should be forwarded. Proxy-based firewalls, on the other hand, inspect traffic at the application level in addition to lower levels. A packet comes into the firewall and is handed off to an application-specific proxy, which inspects the validity of the packet and application-level request itself. For example, if a Web request (HTTP) comes into a proxy-based firewall, the data payload containing the HTTP request will be handed to an HTTP-proxy process. An FTP request would be handed to an FTP-proxy process, Telnet to a Telnet proxy process, and so on.

This concept of a protocol-by-protocol approach is more secure then stateful and generic packet filtering because the firewall understands the application protocols themselves (HTTP, FTP, SMTP, POP, and so on). The firewall will reject anything that does not match the protocol specs. It’s more difficult for intruders to sneak past something that is watching more than just the ports and IP addresses. However, notice that I used the word concept in reference to it being more secure. The truth of the matter is that in real-world applications, this approach has had its fair share of problems.

Proxy-based firewalls have always been slower than stateful packet-filtering-based ones. Now, for most networks (10Mbps or slower), this difference is moot. However, for heavily loaded networks (T3s at 45Mbps, multiple T3s approaching 100Mbps, and so on), this becomes a much larger issue. As technology improves, the gap might close, but for now the use of pure proxy-based technology is still a concern for high-volume networks.

In addition to the performance problem, the proxy-based solution also has some adaptability issues. Suppose for example that a new protocol is invented to manage your coffeemakers at home. We’ll call this protocol the Percolation Control System, or PCS for short. Now, let’s also assume that PCS uses TCP and runs over port 666. Administrators of stateful packet filtering-based firewalls will simply have to build a new rule into their firewall allowing traffic over TCP on port 666, and it’s a done deal. Administrators of proxy-based firewalls, however, have a new problem: They don’t have a proxy (yet) for PCS. It’s a brand-new protocol. Although some proxy-based firewalls have a generic proxy for such problems, now we’re back to basic packet filtering, which defeats the purpose of having a proxy to begin with.

However, taking this example one step further, let’s say the proxy-based firewall vendor eventually writes a PCS proxy, and all is well in Coffeeville. Soon after, some mischievous helpdesk contractors resurrect their old copies of network Doom, which also runs over port 666, and they start abusing an old addiction. Low and behold, network Doom won’t make it through the proxy-based firewall, but it will through the stateful packet filtering-based one.

We will cover how this can be used maliciously a little later on, but suffice it to say that the proxy-based approach is a little more secure from a theoretical standpoint— but the products based on this approach can also be a big pain in the butt.

Your first step is to identify your topology, application, and protocol needs. This step is more difficult than it sounds, depending on the size and composition of your network. If you run one of the few homogenous networks in existence and only need to support basic protocols (SMTP, HTTP, FTP, and so on)—you are in luck. The task ahead of you is pretty easy.

But if you are like the majority of the organizations out there, you need to support a mix of platforms, protocols, and applications. Although this might appear to be easy, it can quickly get messy. For example, your application developers might say, “We just need access to the Lotus Notes servers from the Internet.” Sounds simple enough, right? Well, let’s dig a bit deeper. What kind of access? “Well, we need to replicate data to our suppliers, and we need to be able to use the Lotus Notes clients remotely.”

Whoa! That’s a little more in-depth then just “accessing Notes.” It sounds as though we might need to support the ports related to the Notes clients (TCP port 1352). We will need to support the ports relating to the replication process, if the developers want to access anything via the Web interface. Plus, we’ll need to support HTTP (usually over port 80), and what about remote management?

“Oh yeah, we’ll be using PCAnywhere to manage the servers remotely.”

Yuck! Okay, you see where I’m going with this: Simple requests can turn out to be more complex than they initially seem and might defeat the purpose of the firewall to begin with. Plan accordingly! You will need to dig deep into your organization, and make sure you talk to everyone who will be using/depending on this firewall.

Companies focused on e-commerce sometimes separate their product network from that of their internal LAN-based network services. For example, let’s say that you’re building a new e-commerce site selling the new integrated PCS-enabled toaster/ coffeemaker combos. You’ll want 24×7 Web server farms, 24×7 payment processing gateways (often called merchant gateways), possible email servers, and needed support systems (application servers, database servers, and so on). Now, you will most likely want to separate these mission-critical 24×7 systems from less critical day-to-day internal systems, such as the internal email SMTP gateway, the internal FTP sites, the proxy servers, and so on. This quickly becomes a topology issue: How many interfaces will your firewall need to support this configuration? Better yet, how many firewalls will you need? Do you need hot-standby functionality? Will your firewall need to support extended high-availability (HA) protocols such as HSRP and VRRP?

Better to ask these questions beforehand than to get stuck with a solution that won’t scale.

Just as it’s important to understand applications and protocols heading outbound from your organization, you also need to take the time to understand inbound processes as well. This is important for a number of reasons. First, in the end, the applications you are supporting have to work. If you move the middle-tier (the application servers) of your three-tier e-commerce solution to your firewalled segment, and the servers become cut off from their database counterparts, you’ll have a lot of angry users on your hands (and a broken application). At the same time, if a server that is “Internet exposed” has free, unrestricted access to your internal networks and infrastructure, you have a potential security nightmare on your hands if that machine is ever compromised by a hostile intruder.

Again, this is more up-front investigative work you need to perform. This might involve discussions with individual departments. Certain network segments might need to access one another’s resources. To prevent total disruption of your current system, it’s wise to perform a detailed analysis of these relationships first.

Next, based on what you discover about your network and those who use it, you need to evaluate and decide on a firewall product. Before conducting purchasing research, you should generate a list of must-haves. You’ll ultimately base your purchasing decision on this list. Now, the preferred way of handling the next step is to get your top firewall choices into a lab and do some testing. However, not everyone has a test lab and a few extra weeks to play with cool security products. If you do, enjoy it for those of us who don’t!

The next best thing is to get a product demo, visit someone who does have a lab, or ask your vendor for suggestions on how you can see the product in a live environment. If your vendor is good, they’ll most likely be able to help you out. Common criteria most people use in deciding on a firewall include the following:

Also, consider looking at independent testing labs and respected technical, testing-oriented trade magazines for other sources of information.

Finally, after you’ve purchased your firewall, you’ll put your research to good use by implementing your firewall and its supporting ruleset(s). First, make sure that the firewall itself is secured. If the unit is an appliance, chances are there is little outside of changing default passwords that you’ll need to do to harden the unit. However, if it is an NT- or Unix-based firewall, make sure that the OS on which you deploy the firewall software is properly hardened. (See Chapter 20, “Microsoft;” Chapter 21, “Unix;” and Chapter 22, “Novell NetWare,” for more information).

The next step is to put your new firewall into your production environment. If this is planned properly, and in the right environment, you might even be able to transition the firewall into the production environment by moving one server at a time behind it. However, oftentimes it is not this easy. Expect at least a few problems, and also budget some time for network down time. (Also, be prepared to field some fairly angry users.) It is extremely unlikely that you’ll get it right the first time—unless your network environment is extremely simple, or you are a ruleset wizard. If you get it right on the first try, congratulations—you are one of the few! Otherwise, join the ranks of the rest of us, and don’t be too hard on yourself. This stuff isn’t rocket science, but it’s not tinker toy construction, either.

Finally, you’ll need to test your rulesets. For this, I recommend extensive test runs.

There are really two phases:

Consider using the Nmap tool, available from http://www.nmap.org, to take snapshots of your network from an internal perspective (inside the firewall), and from an external perspective (outside the firewall). Make sure the external view is in line with what you expect.

Above all else, remember—DEFAULT DENY should be your mindset. If you don’t know what it is, don’t allow it through your firewall. Better to struggle through learning about protocols and application dependencies than to unknowingly open huge holes into your enterprise. Think minimalist.

Picture this: You have a stateful packet filtering-based firewall that allows inbound traffic through port 80 to a single NT-based Web server. That NT Web server is behind the firewall, with most of the more trivial services shut down. (Workstation service, server service, FTP service, Gopher service—all are disabled.) Your perimeter router is secured, and let us also assume that the firewall itself is properly configured and secured.

But somehow, using this configuration, an intruder is able to get administrative shell access, via Telnet, to your protected NT Web server in under two minutes. How is this possible?

Microsoft’s Internet Information Server (IIS is the Web server used natively on NT and 2000) installs a number of nasty sample scripts by default. Combine this with the RDS/MDAC problem (see Chapter 20 for further explanation), and intruders can not only execute commands remotely on the NT server (via standard HTTP requests), they can build FTP scripts. Using RFP’s msadc.pl Perl exploit script on a vulnerable Windows NT/IIS installation, combined with netcat and the echo command, an intruder can:

So although the configuration appears to be solid, the intruder is sitting there with an administrative shell on your NT machine. What went wrong? Firewalls are not a substitute for end-node security. Even if you deploy the tightest configuration possible on the firewall (short of disconnecting the network), a single open vulnerability on a single end-node can blow your whole model.

Now, a proxy-based firewall would have blocked the netcat shell, because the Telnet traffic over port 80 would not have been viewed as valid HTTP requests. However, proxy-based firewalls would not have stopped the RDS/MSADC. It is valid traffic, and the attacker could have altered his attack accordingly.

This scenario is a bit different. Let’s say that our network policy prohibits the use of unencrypted POP from outside of the organization because it passes clear-text passwords. Let’s assume that using our proxy-based firewall we’ve blocked external POP access to the organization’s POP mail server, which inhibits external users from checking their mail while at home. Let us also assume that we enable the use of SSH outbound.

We discover one day that one of our more clever users is checking his mail from home, using POP remotely. Worse, we soon discover that he is doing so across the Internet via his cable-modem attachment. His POP password is now being sent across the Internet in the clear, validating our original concern. So how could this happen with us blocking inbound POP at the firewall?

There is a neat little feature found in most SSH clients called tunneling. Tunneling enables you to seamlessly transport other types of connections through established SSH sessions. In our scenario, this user would initiate an outbound SSH session from within the organization from the Unix server running POP. He would connect to a server at his ISP, and set up a listening tunnel on the ISP’s server on port 1828 that would redirect a session back to the POP server. This tunnel would then enable him to connect to the internal POP server from home, after he modified his POP client to connect on port 1828 (rather than 110) on his ISP’s machine. As long as the SSH session remained active, the tunnel would work (see Figure 10.2).

Figure 10.2. Firewall blocking POP (port 110) inbound.

The clever user has effectively bypassed our ruleset. Although the POP request comes in encrypted from the ISP’s machine (because it’s over the SSH session), its path to the ISP machine is still out in the open. So where did we go wrong? Well, combine the fact that proxy-based firewalls can’t “peek” inside of encrypted traffic with the rather useful tunneling feature of SSH, and you have the makings of our little problem. Although naive administrators might be tempted to blame the firewall for this problem, the simple fact of the matter is that firewalls have their weaknesses— blocking SSH inbound tunnels is one of them.

These are just two examples. Trust me, there are many more.

BorderManager is the premier firewall for Novell environments, but it will also protect Unix- and NT-based systems. The product offers centralized management, strong filtering, and high-speed, real-time analysis of network traffic. Also, BorderManager offers the capability to create “mini-firewalls” within your organization to prevent internal attacks from departments or local networks.

Checkpoint’s Firewall-1 is one of the most frequently deployed firewalls in the industry today. The product features packet filtering, strong content screening, integrated protection against spoofing, VPN options, real-time scanning for viruses, and a wide assortment of other features. It is one of the most feature-rich firewalls out there, but is also one of the most expensive.

GNAT is a firewall appliance. You can manage the GNAT box with either a command-line or Web-based interface. GNAT filters incoming traffic based on IP source address, destination address, port, network interface, and protocol.

The PIX, along with Firewall-1, are the two most widely deployed firewall products today. The PIX is a firewall appliance that is devoid of any moving parts. It supports IPsec, and can be administered through Telnet or SSH sessions, or through the Cisco Security Policy Manager (CSPM) framework product.