Chapter 5. System Security Using Firewalls

OBJECTIVES

This chapter covers the following TruSecure-specified objectives for the TICSA exam:

Describe, recognize, or select good firewall architectures, properties, and administration fundamentals.

Understand the role firewalls play in protecting a network connected to the Internet.

  • All networks connected to the Internet require a means to control what packets move into and out of the corporate network. In this chapter, we examine the role of the firewall and how it fits into a company's total security scheme.

Understand the different types of firewalls and how they work.

  • Not all firewalls are created equal. You can implement a firewall in several different ways. Firewalls range from simple packet filtering routers to complex and sophisticated Application layer gateways. We examine the types of firewalls available today and how they work.

Understand the different firewall architectures and why they are implemented.

  • A firewall architecture is defined by how the firewall and protected hosts are placed on the network. Several common firewall architectures are used to protect corporate assets. We examine each of these common architectures and discuss which architectures meet corporate security requirements.

Understand virtual private networks and how they enhance and support network security provided by firewalls.

  • Virtual private networks allow businesses to use the Internet to extend the reach of the private corporate network. In this chapter, we examine how VPNs accomplish this task and why a company would choose to implement a VPN to allow secure remote access to the private network.

Understand virtual private networking protocols.

  • Virtual private networks (VPNs) are built around a few specialized protocols that allow data to move securely over both intranets and the Internet. In this chapter, we examine these protocols and discuss which ones best fit into a company's security infrastructure.

OUTLINE

Introduction 150

Introduction to Firewalls 150

Types of Firewalls 151

Packet Filtering 151

Circuit Layer Filtering 153

Dynamic Packet Filtering 155

Application Layer Inspection 156

Network Address Translation (NAT) 157

Web Caching Firewalls 159

Integrated Intrusion Detection System (IDS) 159

Firewall Architecture Review 160

Screening Router 160

Multihomed Firewall 161

Screened Subnet or DMZ Segment 161

Bastion Hosts 163

Introduction to VPNs 164

VPN Economics 165

VPN Architectures 166

VPN Server 166

VPN Gateway 167

VPN Server External to Firewall 167

VPN Server Internal to Firewall 168

VPN Server on the Firewall 170

VPN Protocols 170

PPTP 171

L2TP/IPSec 171

Pure IPSec Tunnels 172

STUDY STRATEGIES

  • Create a firewall policy based on the needs of your organization. Be sure to accommodate all existing, legitimate needs for access (both outbound and inbound) while blocking all unnecessary or unwanted access. Understand the trade-offs between optimistic and pessimistic firewall policies.

  • To familiarize yourself with the broadest possible range of information and best practices, read the references at the end of this chapter.

  • Obtain practical experience configuring common firewalls, such as Microsoft ISA Server, Checkpoint Firewall-1, or the Cisco PIX Firewall.
