Perimeter security explored: Firewalls

Security expert, Mark Edmead

Perimeter security explored: Firewalls

It's dangerous to dismiss the fact that there is authorized and unauthorized traffic that travels on your network. We've read stories of malicious attacks from hackers and other tales of harmful traffic being passed through your networks from your own employees. How do you limit or control that traffic to make your networks more secure? Firewalls are the first line of defense in your network architecture.

What exactly is a firewall? Many people might think that a firewall is a single device on your network, configured to protect your internal network from the external world. In the real world, a firewall is a system (or a group of systems) that enforces an access control policy between two networks.

The main purpose of a firewall is to disallow unauthorized and/or malicious traffic from traveling on your network. That could be in the form of traffic traveling from the outside to the internal network or traffic originating from the internal network and being sent to the outside world. For a firewall to work it needs to be part of the security architecture, and most important, firewalls can't protect you from attacks that don't go through it. That is, even if you have the most securely configured firewall in the world, if there's another entry point to your network not protected by a firewall, then your network isn't secured.

There are various types of firewalls, including the following:

• Packet filtering firewalls. This type of firewall examines the source and destination address of the data packet and either allows or denies the packet from traveling the network.
• Application layer firewalls. Also known proxy firewalls they are typically firewalls that run on a host computer.
• Stateful inspection firewalls. These firewalls capture and inspect the network packet. They examine the state and the context of the packets.
• Dynamic packet filtering firewalls. These firewalls can remember the network packets and can dynamically decide whether to enable packets to pass through the firewall.
• Kernel proxy firewalls. These firewalls provide a modular multilayer session, typically running in the operating system's lower-level kernel code.

Regardless of which firewall configuration you use there are some basic security strategies that are prudent to observe, such as the following:

1. Explicitly deny all traffic except for what you want. The default policy should be that if the firewall doesn't know what to do with the packet, deny it.
2. Don't rely only on your firewall for protection. While the firewall is there to protect your network, remember that it's only a device, and devices do fail. Make sure you implement what's called "defense in depth." That means that you should have multiple layers of network protection.
3. Make sure all of the network traffic passes through the firewall. If there's another way in to the network (like a modem pool or a maintenance network connection), then this connection could be used to enter the network completely bypassing the firewall protection.
4. If the firewall becomes disabled, then disable all communication. In the event the firewall fails, it's a good security practice to make sure that it fails in such a way that it denies access to incoming or outgoing traffic.

Firewalls should be the first line of defense in your perimeter network architecture. Properly configured a firewall prevents "most" network attacks, but it can't protect the network from network attacks that bypass the firewall or from traitors inside your network.

Other sources of information:

"Building Internet Firewalls" by D. Brent Chapman and Elizabeth D. Zwicky, published by O'Reilly.

Firewall FAQ available at http://www.infosyssec.org/infosyssec/fwfaq.html.

About the author
Mark Edmead CISSP, SSCP, TICSA, is president of MTE Software, Inc. (www.mtesoft.com) and has more than 22 years' experience in software development, product development and network systems security. Fortune 500 companies have turned to Mark often to help them with projects related to Internet and computer security. He was managing editor of SANS Digest (Systems Administration & Network Security) and contributing editor to the SANS Step-by-Step Windows NT Security Guide. Mark previously worked for KPMG Information Risk Management Group and IBM's Privacy and Security Group, where he performed network security assessments, security system reviews and development of security recommendations and ethical hacking. Other projects included assisting companies develop secure and reliable network system architecture for their Web-enabled businesses. Mark is co-author of the book Windows NT: Performance, Monitoring and Tuning published by McMillan Press and editor of the SANS Business Continuity/Disaster Recovery Plan Step-by-Step Guide.