Lesson 8: Firewall Strategies and Goals
Objective: Assess common firewall strategies and goals.
How to assess Firewall Strategies and Goals
The first step in designing a secure firewall strategy is to physically secure the firewalls themselves. Entire networks have been brought down because a cleaning person turned off a server in the middle of the night to save power. Read the following paragraph to learn more about the importance of physical security.
Physical Security
Many corporations or organizations have implemented sophisticated solutions, only to have the policy defeated because the actual machine was not physically secured. Commonly, an organization will place its firewall and network in a public area, exposing it to tampering. Others will forget to restrict access to otherwise secure rooms.
Often, a hacker will use a non-Internet security breach to open an Internet security hole through which to breach a system.
Such breaches might include:
- An open door to the room containing the firewall equipment,
- An employee who removes or introduces information manually,
- An employee who divulges passwords and other information,
- Or an employee who accidentally gives the network a virus.
Firewall security
In addition, you should ensure that the firewall:
- Configures the most comprehensive and extensive monitoring tools on the choke points[1]
- Implements some type of logging, preferably at every device in your firewall
- Uses firewall tokens or a reverse lookup on an IP address to verify the user's point of origin
- Incorporates the account database for user authentication
- Is using the most current intrusion detection[2] modules
- Uses comprehensive logging devices and techniques
- Provides alarm mechanisms such as a visible or audible alert from your computer
- Responds to unacceptable activity by breaking the TCP/IP connection or automatically setting off alarms
Firewalls allow for end-user authentication. Most proxy servers provide integration with a user account database. The proxy can also use the account database to provide more detailed logs by providing information based on users and group memberships.
Intrusion detection
Intrusion detection compares incoming packets to previously received ones during a connection and alerts the administrator to inconsistencies. Intrusion detection is the natural progression of what was Checkpoint's stateful inspection.
Stateful inspection
It is well known that packet filters and application-level gateways have difficulties filtering UDP. This is because UDP is stateless. In fact, packet filters are also stateless, meaning that they traditionally do not have the ability to track past connections and transactions. The result is that they cannot correlate attacks that occur over periods of time.
Stateful inspection (also called stateful multi-layer inspection), a term introduced by CheckPoint Corporation, allows a firewall to analyze packets and view them in context. This means that if it is able to capture a particular series of connections, it can store these in a database, then refer back to this database during similar, subsequent connections. Stateful inspection also looks deeper into packets, viewing different UDP and TCP information. Once it finds a pattern of activity, it can then make decisions based on the rules you create. The word "multi-layer" refers to its ability to track activity at various layers of the OSI model, particularly the application and session layers. If a pattern analyzed over a period of time meets a rule, then it can be blocked or allowed, depending upon how that particular firewall processes its rules. Stateful multi-layer inspection occurs at a firewall and is generally meant as an enhancement to packet filters, but it has also been applied to application gateways. Many firewall manufacturers, including Cisco (PIX), Axent (Raptor), and Network Associates (Guardian), have also adopted this technology.
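The connection-tracking idea above, as an added toy example written for this lesson (not CheckPoint's or any vendor's code): a filter keeps a table of flows started from the inside, accepts inbound packets only when they match a known flow, and gives stateless UDP a pseudo-connection that simply expires when idle. The inside prefix, timeouts and packet fields are constructed assumptions.

```python
# Added illustration of stateful inspection (not CheckPoint's or any vendor's code):
# a connection table lets the filter accept inbound packets only when they belong
# to a flow an inside host started; UDP, being stateless, gets a pseudo-connection
# that expires after an idle timeout instead of a real teardown.
from dataclasses import dataclass

INSIDE_NET = "10.0.0."   # constructed: addresses with this prefix are internal hosts
IDLE_TIMEOUT = {"udp": 30, "tcp": 3600}   # seconds a flow may stay silent

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False     # TCP SYN flag (ignored for UDP)
    ts: float = 0.0       # arrival time in seconds

class StatefulFilter:
    def __init__(self):
        # (proto, inside_ip, inside_port, outside_ip, outside_port) -> last seen
        self.table = {}

    def _key(self, p):
        """Normalise both directions of a flow to one table key."""
        if p.src.startswith(INSIDE_NET):
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _expire(self, now):
        """Forget flows idle longer than their protocol's timeout."""
        for k, last in list(self.table.items()):
            if now - last > IDLE_TIMEOUT[k[0]]:
                del self.table[k]

    def decide(self, p: Packet) -> str:
        self._expire(p.ts)
        key = self._key(p)
        known = key in self.table
        if p.src.startswith(INSIDE_NET):
            # Outbound: a TCP SYN or any UDP datagram may create state
            if not (known or p.syn or p.proto == "udp"):
                return "DROP"
        elif not known:
            # Inbound with no matching flow: unsolicited, so refuse it
            return "DROP"
        self.table[key] = p.ts   # refresh (or create) the flow entry
        return "ALLOW"
```

A stateless packet filter would have to open port 53 inbound permanently to let the DNS reply through; here the reply is accepted only while the pseudo-connection is alive.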
Virtual private networks
Some firewalls are now providing virtual private network (VPN)[3] services. VPNs extend a company's network over a public medium such as the Internet. Because anyone with access to the public medium could eavesdrop on the data as it travels over the network, all data transmitted over a VPN is encrypted. The VPN encapsulates all the encrypted data within an IP packet and routes it normally over the Internet.
[1] Choke point: An intersection between a company's private network and a public network, used to monitor, filter, and verify all inbound and outbound traffic.
[2] Intrusion detection: Intrusion detection is a relatively new technology used with firewalls. It allows firewalls to perform specified actions when suspicious activity occurs.
[3] VPN (Virtual Private Network): An extended local area network (LAN) that enables an organization to conduct secure, real-time communication.