The Most Comprehensive Firewalls Resource Available
Keep your network data secure by installing and maintaining an effective
firewall system. Get complete coverage of all major firewall technologies,
learn how to properly design and configure firewalls, know what to watch for
when evaluating products, and discover best practices for management and
Get in-depth, objective advice on installing and configuring today's most
popular firewalls including Check Point Firewall-1 4.1 and NG, Cisco PIX,
Microsoft ISA Server, NetScreen, SonicWall, and Symantec, and learn
strategies for successful network design and firewall placement.
Gain insight into common methods for attacking firewalls--including software
bugs, viruses, and misconfigurations. Learn firewall best practices and how
to improve the overall security of your firewall installation. This
multipurpose guide contains all the implementation and administration
information you need to keep your network safe from unauthorized access:
> Restrict access to your network without compromising usability and
> Understand the strengths and limitations of firewall technology
> Get in-depth explanations of network and port address translation, VPNs,
authentication, virus protection, content filtering, and more
> Learn about the various architectures available today--application and
circuit-level gateways, packet filters, and stateful packet inspection
> Find out how hackers commonly go about breaking into a network
> Get details on platforms and features for key products from Check Point,
Cisco, Symantec, Microsoft, and others
> Manage your firewall installation using built-in tools, objects, and
> Supplement your firewall system by implementing human controls such as
education and log monitoring
> Understand the details of implementing the Cisco Secure Policy Manager
> Learn the latest on Check Point NG Firewall-1, Cisco IOS Firewall
Feature Set, and Linux IP Tables
Keith Strassberg, CPA, CISSP, is an experienced information systems security
consultant. With Greenwich Technology Partners since 1999, Keith assists
numerous clients in developing risk assessment methodologies and information
Gary Rollie, MCSE, CCNA, CCNP, is a senior performance engineer with Greenwich
Technology Partners. Gary's strengths are in LAN/WAN, Web Server, Application
Server, SQL Server, Oracle Server technologies including infrastructure
design, integration, implementation, performance testing, and problem
Richard J. Gondek, CCIE, CISSP, is a security and internetworking consultant
with expertise in large scale network design, perimeter systems and network
hardening, and emerging technologies (such as network traffic management and
local and wide area wireless networking). He joined Greenwich Technology
Partners in 1999.
Chapter 1: Introduction
The Internet has arguably become the most diverse virtual entity ever
developed by humankind. The sheer number of users grows by the hundreds of
thousands from all parts of the world on a regular basis, with no end in
sight. The Internet is the virtual common place where everyone is welcome to
do business, communicate, research information, or simply enjoy surfing the
Net. The vastness of the Internet, along with the differences among its
visitors, creates a most unique melting pot. However, it also contains a
great potential for misuse, abuse, and criminal activity. This potential for
mischief has driven the need for security practices and devices to protect
Almost as pervasive as the Internet are the "hacker" and their malicious
cohort, the "cracker," who spend their time breaking into computer systems.
Unfortunately, mystical computer skills are no longer required to
successfully penetrate today's systems. Enter a new term into the world's
vocabulary: the script kiddie. A script kiddie isn't armed with magical
computer powers but rather with a computer program whose sole purpose is to
find and break into computer systems. The script kiddie doesn't understand
how the program is able to break in, only how to use it. The script kiddie is
even losing its place in the process, as programs are becoming intelligent
enough to function unattended, scanning and compromising systems in bulk. The
net effect of this is that the frequency, intensity, and sources of attacks
have significantly increased in recent years.
Internet users must understand that this underground is part of the Internet,
and eventually it will find their systems. The Internet spans the globe, and
law-enforcement authorities are not equipped to bring even a small fraction
of these evildoers to justice. But all is not lost: while there are numerous
tools available to protect systems, the firewall still stands as the biggest
and best weapon for keeping the evil forces lurking along the miles and miles
of the information superhighway at bay.
Firewalls: The Complete Reference is a hands-on guide to designing, building,
and maintaining today's most popular firewalls. This guide is a
vendor-independent resource for new firewall implementations and can be used
as an ongoing desktop reference for firewall administration. It contains
information useful for all types of firewall users, including large corporate
firewall administrators, small office administrators, individuals, and
Definition of a Firewall
The basic function of a firewall is to screen network communications for the
purposes of preventing unauthorized access to or from a computer network.
Firewalls take on many different shapes and sizes, and sometimes the firewall
is actually a collection of several different computers. For the purposes of
this book, a firewall is the computer or computers that stand between trusted
networks (such as, internal networks) and untrusted networks (such as the
Internet), inspecting all traffic that flows between them. Firewalls have the
> All communications pass through the firewall.
> The firewall permits only traffic that is authorized.
> The firewall can withstand attacks upon
Simply put, a firewall acts as the buffer between a trusted network and an
untrusted network. The name is borrowed from building construction, where a
wall of fire-retardant material is built to prevent, or at least slow, the
spread of a fire. Essentially it is a barrier. In a network, the firewall is
the point of enforcement that guards against attacks from other networks.
A firewall can be a router, a personal computer, a host, or a collection of
hosts set up specifically to shield a private network from protocols and
services that can be abused from hosts outside the trusted network. A
firewall system is usually located at a network perimeter, such as a site's
connection to the Internet. However, firewall systems can and should be
located inside the network perimeter to provide additional and more specific
protection to a smaller collection of hosts.
The way a firewall protects the trusted network depends on the firewall
itself, and the policies/rules that are applied to it. Here are the four main
categories of firewall technologies available today:
As with all technology solutions, firewall technology is subjected to the
normal advancement and lifecycles that products and technologies undergo.
Chapters 4 and 5 provide more in-depth information on the various firewall
types and technologies.
Why Use a Firewall?
The first question that people may ask is, why use a firewall? Why not just
configure individual systems to withstand attack? The simplest answer is that
the firewall is dedicated to only one thing-deciding between authorized and
This prevents having to make compromises between security, usability, and
functionality. Without a firewall, systems are left to their own security
devices and configurations. These systems may be running services that
increase functionality or ease administration but are not overly secure, are
not trustworthy, or should only be accessible from specific locations.
Firewalls are used to implement this level of access control. If an
environment lacks a firewall, security relies entirely on the hosts
themselves. Security will only be as strong as the weakest host. The larger
the network, the more complex it becomes to maintain all hosts at equally
high levels of security. As oversights occur (such as only applying a
critical security patch to 14 of the 15 web servers), break-ins occur because
of simple errors in configuration and inadequate security patching.
The firewall is the single point of contact with untrusted networks.
Therefore, instead of ensuring multiple machines are as secure as possible,
administrators can focus on the firewall. This isn't to say that the systems
available through the firewall shouldn't be made as secure as possible; it
just provides a layer of protection against a mistake.
Firewalls are excellent auditors. Because all traffic passes through them,
the information contained in their logs can be used to reconstruct events in
case of a security breach. In general, firewalls mitigate the risk that
systems will be used for unauthorized or unintended purposes (for example,
getting hacked). What exactly are the risks to these systems that firewalls
are protecting against? Corporate systems and data have three primary
attributes that are protected by a firewall:
> Risk to confidentiality The risk that an unauthorized party will access
sensitive data or that data is prematurely disclosed. A business could easily
lose millions of dollars from simply having their business plan, company
trade secrets, or financial information exposed.
> Risk to data integrity The risk of unauthorized modification to data, such
as financial information, product specifications, or prices of items on a web
site. Businesses grow and thrive on the accuracy of the information their
systems produce. How can the best decisions be made if the system information
becomes unreliable? (What are the sales levels? Which accounts receivable are
accurate?)
> Risk to availability System availability ensures systems are appropriately
resilient and available to users on a timely basis (that is, when users
require them). Unavailable systems cost corporations real dollars in lost
revenue and employee productivity as well as in intangible ways through lost
consumer confidence and negative publicity.
Common Types of Attacks
The preceding section discussed why individuals and corporations implement
firewalls. Now the question is, exactly how do attackers gain unauthorized
access to systems? Motivations for such attacks are numerous and often range
from "to see if it could be done," to using the compromised systems to attack
other systems, to performing corporate espionage, and even for simple
malicious reasons such as disrupting and/or damaging systems.
There are literally dozens of different ways an intruder can gain access to a
system. Chapter 6 provides additional information on common methods for
attacking firewalls; however, a brief list of the most common attacks is
> Social engineering An attacker tricks an administrator or other
authorized user of a system into sharing their login credentials or details
of the system's operation.
> Software bugs An attacker exploits a programming flaw and forces an
application or service to run unauthorized or unintended commands. Such
attacks are even more dangerous when the program runs with additional or
administrative privileges. Buffer overflows and format string
vulnerabilities are the most common flaws of this kind.
For excellent reading on the buffer overflow and format string attacks, refer
to the following sites: http://www.insecure.org/stf/smashstack.txt
> Viruses and/or Trojan code An attacker tricks a legitimate user into
executing a program. The most common avenue for such an attack is to disguise
the program as an innocent-looking e-mail attachment or to carry it inside a
virus. Once executed, the program can do a number of things, including
installing backdoor programs, stealing files and/or credentials, or even
deleting files.
> Poor system configuration An attacker is able to exploit system
configuration errors in available services and/or accounts. Common mistakes
include not changing passwords on default accounts (both at the system and
application levels), not restricting access to application administration
programs, and failing to disable extraneous and unused services.
In addition to attempting to gain unauthorized access to systems, malicious
individuals may attempt to simply disrupt systems. For critical and highly
visible applications, the cost to the business could be just as severe. These
attacks are referred to as denial of service (DoS) attacks. A DoS attack is
an incident in which a user, network, or organization is deprived of a
resource or service they would normally have. The loss of service is usually
associated with the inability of an individual network service, such as
e-mail or web, to be available or the temporary loss of all network
connectivity and services.
Although Chapter 3 will provide an in-depth discussion on network design and
firewall placement, we will introduce these topics here. Firewalls can and
should be installed wherever two networks with different security
requirements are interconnected. The most common usage of a firewall is
between the Internet connection and the local area network. Other common
firewall uses include protecting connections to external third parties, such
as market data providers, and between sensitive areas of an internal network.
When discussing networks, this book will use the concept of the network
perimeter, which is the complete border of the local area network. Ingress
and egress points are formed when the local area network is connected to
another network, such as the Internet. These connection points are almost
On the surface, defining the network perimeter seems simple. However, with
the advent of the virtual private network, the actual perimeter becomes
fuzzy. Virtual private network technologies allow remote users to connect
through the firewall as if they were on the local network. They have become
extensions of the corporate network, but the hosts themselves are outside the
protection provided by the corporate firewall. Malicious individuals who
compromise these users can use them as a conduit through the corporate
firewall. Administrators should consider installing local personal firewalls
on these hosts to achieve a uniform level of security at the perimeter.
Firewall Strengths and Weaknesses
A firewall is just one piece of an overall security architecture. However, as
a single piece of the architecture, it is designed to fill a very important
requirement within the overall design. As with everything, firewalls have
strengths and weaknesses.
Common firewall strengths include:
> Firewalls are excellent at enforcing the corporate security policy. They
should be configured to restrict communications to what management has
determined to be acceptable.
> Firewalls are used to restrict access to specific services. For example,
the firewall permits public access to the web server but prevents access to
Telnet and other nonpublic daemons. The majority of firewalls can even provide
selective access via authentication functionality.
> Firewalls are singular in purpose. Therefore, compromises do not need to be
made between security and usability.
> Firewalls are excellent auditors. Given plenty of disk space or remote
logging capabilities, a firewall can log any and all traffic that passes
through it.
> Firewalls are very good at alerting appropriate people of events.
Common firewall weaknesses include:
> Firewalls cannot protect against what is authorized. You might be wondering
what this means. Firewalls protect applications and permit the normal
communications traffic to those applications; otherwise, what is the point?
If the applications themselves have flaws, a firewall will not stop the
attack because, to the firewall, the communication is authorized.
> Firewalls are only as effective as the rules they are configured to
enforce. An overly permissive rule set will diminish the effectiveness of the
firewall.
> Firewalls cannot stop social engineering or an authorized user
intentionally using their access for malicious
> Firewalls cannot fix poor administrative practices or a poorly designed
security policy.
> Firewalls cannot stop attacks in which traffic does not pass through them.
Good Security Practices
Although a complete discussion on best practices regarding firewall
configuration and management is beyond the scope of this book (many volumes
are available on this topic), it is still useful to introduce a number of
important concepts that can and will improve the overall security of a
firewall. These concepts apply to both the firewall and the systems protected
by that firewall. Also note that the following concepts and practices are not
mutually exclusive, and when properly implemented together, they can achieve
higher levels of security.
Help Your Systems Help Themselves
Except in some very rare situations, systems and applications are not
installed in their most secure configurations. In addition, services
extraneous to the desired functionality of your system or application are
installed and activated by default. It is good practice to enable only the
bare-minimum services and accounts necessary for the proper operation of a
system. Countless intrusions occur because an unused service or account
superfluous to the operation of the system was compromised. The practice of
disabling unnecessary services and reconfiguring other services for greater
security is often referred to as host hardening. Here is a small checklist to
follow when hardening hosts:
> Disable any and all unneeded or unnecessary services.
> Remove unneeded accounts and groups. Change the passwords of, and/or
disable, default application and system accounts. Disable accounts that do
not require interactive logins.
> Reconfigure remaining services for increased security.
> Secure any and all administrative functions.
> Use strong passwords. Strong passwords are longer than seven characters and
mix upper- and lowercase letters, numbers, and non-alphanumeric characters
(punctuation and symbols).
The SANS institute (www.sans.org) publishes a number of "best practice"
guides for securing operating systems.
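As an added example (not code from the book), the account items on the checklist above can be turned into a script. The Python below audits constructed /etc/passwd and /etc/shadow records, none taken from a real host, for three of the problems the list names: accounts whose password field is empty, system accounts that still have an interactive shell, and well-known default application accounts left enabled with a login shell. The account names, the UID boundary (below 1000 treated as a system account) and the set of default account names are assumptions made for the illustration.

```python
"""Audit constructed passwd/shadow records against the hardening checklist.

Added example; the sample records and account names are constructed, not
taken from any real host.
"""

# Constructed sample records (hypothetical host). Layout follows passwd(5):
# name:pw:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
oracle:x:1000:1000:Oracle default account:/home/oracle:/bin/bash
kstrass:x:1001:1001:Keith:/home/kstrass:/bin/bash
guest:x:1002:1002:Guest:/home/guest:/bin/bash
"""

# Constructed shadow records, layout per shadow(5):
# name:hash:lastchg:min:max:warn:inactive:expire:flag
# A "*" or "!" prefix means the account is locked; an empty hash means no
# password is required at all.
SAMPLE_SHADOW = """\
root:$6$constructed$notarealhash:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
lp:*:18000:0:99999:7:::
www-data:*:18000:0:99999:7:::
oracle:$6$constructed$notarealhash:18000:0:99999:7:::
kstrass:$6$constructed$notarealhash:18000:0:99999:7:::
guest::18000:0:99999:7:::
"""

PASSWD_FIELDS = ["name", "pw", "uid", "gid", "gecos", "home", "shell"]
SHADOW_FIELDS = ["name", "hash", "lastchg", "min", "max", "warn",
                 "inactive", "expire", "flag"]

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
LOCKED_PREFIXES = ("*", "!")
SYSTEM_UID_MAX = 999  # assumption: UIDs below 1000 belong to system accounts
# Assumed list of vendor/default account names that are often left enabled.
DEFAULT_ACCOUNTS = {"guest", "oracle", "postgres", "mysql", "admin", "test"}


def parse_colon_file(text, fields):
    """Parse passwd/shadow style text into {name: {field: value}}."""
    records = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split(":")
        if len(values) < len(fields):
            values += [""] * (len(fields) - len(values))
        records[values[0]] = dict(zip(fields, values))
    return records


def audit(passwd_text, shadow_text):
    """Return a list of (account, finding) tuples for the checklist items."""
    users = parse_colon_file(passwd_text, PASSWD_FIELDS)
    shadow = parse_colon_file(shadow_text, SHADOW_FIELDS)
    findings = []
    for name, user in users.items():
        uid = int(user["uid"])
        shell = user["shell"]
        interactive = shell not in NOLOGIN_SHELLS
        # The hash lives in shadow when passwd holds the "x" placeholder.
        pw_hash = shadow[name]["hash"] if name in shadow else user["pw"]
        locked = pw_hash.startswith(LOCKED_PREFIXES)

        if pw_hash == "":
            findings.append((name, "empty password field: login needs no password"))
        if name != "root" and uid <= SYSTEM_UID_MAX and interactive:
            findings.append((name, f"system account has interactive shell {shell}"))
        if name in DEFAULT_ACCOUNTS and interactive and not locked:
            findings.append((name, "default application account is enabled with an interactive shell"))
    return findings


if __name__ == "__main__":
    for account, finding in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{account:10s} {finding}")
```

On the constructed input the audit flags lp (a system account with /bin/sh), oracle (a default account left enabled) and guest twice (no password at all, and an enabled default account); root, daemon, www-data and the ordinary user pass. Pointing the same functions at a real host's files is the obvious next step; the checks are deliberately conservative and report, rather than change, anything.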
Patch! Patch! Patch!
Consistently applying the torrent of patches released today is a daunting and
often overlooked process. New vulnerabilities are being discovered
constantly. A system that was secure one minute could turn completely
vulnerable the next. To stay on top of your systems, subscribe to multiple
bug-notification mailing lists as well as vendor mailing lists for installed
software. Popular vulnerability-notification services are maintained by the
following organizations:
> Internet Security Systems maintains its X-Force database and mailing list
at http://www.iss.net/xforce.
> SecurityFocus maintains the Bugtraq archive and mailing list at
http://www.securityfocus.com.
> The CERT Coordination Center (CERT/CC) can be found at
http://www.cert.org.
> The Common Vulnerabilities and Exposures (CVE) list is available at
http://www.cve.mitre.org.
After applying patches, you should verify that system security was not
weakened. For example, Sun's Solaris cluster patches are notorious for
re-enabling services that had been deliberately disabled.
Appliance vs. Operating System
Historically, firewalls ran on top of a general-purpose operating system such
as Windows NT or Unix. They functioned by modifying the system kernel and
TCP/IP stack to monitor traffic. Therefore, these firewalls were at the mercy
of problems present in the operating systems they ran on top of. To achieve a
high level of security, it was necessary to harden, patch, and maintain the
operating system (as described in the previous section). This could be a
time-consuming and difficult task especially if there was a lack of expertise
or time to adequately secure and maintain a fully functional operating
system. Today, however, a number of firewall vendors distribute their
firewalls as appliances.
Appliances integrate the operating system and the firewall software to create
a fully hardened, dedicated firewall device. The integration process removes
any and all functionality not required to screen and firewall packets. In
addition, a fully functional administrative interface is provided to further
simplify configuration and maintenance of the firewall. Firewall appliances
do not require a significant amount of host hardening when being deployed
(usually changing default passwords is all that is required).
Administrators can focus on developing rule sets instead of reconfiguring and
patching a general-purpose operating system. Appliances significantly reduce
operating and maintenance costs over operating system-based firewalls. This
book discusses a number of appliance firewalls, including the Cisco PIX,
Netscreen, SonicWall, and Check Point FireWall-1 on the Nokia IPSO platform.
Although the firewall itself is an excellent security tool, it should not be
completely relied upon. As stated before, firewalls cannot protect against
what is authorized. What happens if an intruder bypasses the firewall?
Consider the scenario in which an intruder is able to use HTTP to exploit
your web server, gaining shell access to that system. The firewall will
permit this traffic because HTTP is permitted to the web server, and the
attacker can use this as a conduit to attack other servers and systems on the
network without the protection of the firewall. If these systems are not
configured in a secure manner, it won't be long until the entire
infrastructure is compromised.
When you're implementing systems, it is good practice to implement redundant
controls to limit or prevent system damage in the event a control fails.
(It's like having a steering wheel lock for your car, even though there is a
lock on the door.) Redundant controls include the following:
> Hardening your internal hosts to withstand attacks in case the firewall
fails or is bypassed.
> Running services in restricted environments (for example, via the Unix
chroot command) and with minimal privileges.
> Implementing multiple firewalls from different vendors or implementing
packet filters on network routers. This reduces exposure to a specific flaw in
the firewall itself.
> Implementing human controls such as education, log monitoring, and
alerting.
> Putting in place systems to automatically detect and alert administrators
to unauthorized or malicious activity. These systems are referred to as
intrusion-detection systems (IDS).
Creating a Security Policy
The corporate information security policy is the foundation that establishes
corporate information as an asset that must be protected. It defines the
corporation's sensitivity to risk and the consequences for a breach of
security. The corporate security policy also defines how data should be
protected; the firewall is the implementation of this policy. For smaller
organizations that do not have a large database of formalized policies, it is
incredibly useful to document the purposes of the network and use the
firewall to restrict usage accordingly.
Policy empowers administrators to deny the many requests for new firewall
access that are always submitted. Without clearly defining what should and
should not be permitted through the firewall, over time the firewall's
effectiveness is reduced as more and more services are permitted.
Monitoring and Logging
Any system can be penetrated given sufficient time and money. But penetration
attempts will leave evidence, entries in logs, and so on. If people are
watching systems diligently, attacks can and will be detected and stopped
before they are successful. Therefore, it is extremely important to monitor
system activity. Applications should record system events that are both
successful and unsuccessful. Verbose logging and timely reviews of those logs
can alert administrators to suspicious activity before a serious security
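Logs only help if something reads them. As an added example (not the book's own code), the Python below parses a handful of constructed iptables-style kernel log lines, flags a source that probes many closed ports in a short window, and reconstructs the timeline of that source's traffic, including the connections the firewall permitted because they went to an authorized service. It also serves the earlier point that a firewall's logs let you reconstruct events after a breach. The line layout imitates what the Linux LOG target writes with --log-prefix "DROP: " and "ACCEPT: " (`kernel: PREFIX: IN=... SRC=... DST=... PROTO=... DPT=...`); the addresses are documentation and private ranges, and the hostname, timestamps and the stray sshd line are invented.

```python
"""Parse constructed iptables LOG lines, flag port probing, rebuild a timeline.

Added example; every line in SAMPLE_LOG is constructed (documentation and
private address ranges, invented hostname and timestamps), not captured from
a real firewall.
"""
import re
from datetime import datetime

# Constructed log excerpt. Format mimics LOG-target output with
# --log-prefix "DROP: " / "ACCEPT: "; fields that do not matter here are left out.
SAMPLE_LOG = """\
Mar 10 02:14:01 fw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=44 TTL=52 PROTO=TCP SPT=41234 DPT=21 WINDOW=1024 SYN URGP=0
Mar 10 02:14:01 fw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=44 TTL=52 PROTO=TCP SPT=41235 DPT=22 WINDOW=1024 SYN URGP=0
Mar 10 02:14:02 fw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=44 TTL=52 PROTO=TCP SPT=41236 DPT=23 WINDOW=1024 SYN URGP=0
Mar 10 02:14:02 fw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=44 TTL=52 PROTO=TCP SPT=41237 DPT=25 WINDOW=1024 SYN URGP=0
Mar 10 02:14:03 fw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=44 TTL=52 PROTO=TCP SPT=41238 DPT=110 WINDOW=1024 SYN URGP=0
Mar 10 02:14:03 fw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=44 TTL=52 PROTO=TCP SPT=41239 DPT=139 WINDOW=1024 SYN URGP=0
Mar 10 02:14:04 fw kernel: ACCEPT: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TTL=52 PROTO=TCP SPT=41240 DPT=80 WINDOW=5840 SYN URGP=0
Mar 10 02:15:30 fw kernel: DROP: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.10 LEN=78 TTL=61 PROTO=UDP SPT=51000 DPT=161
Mar 10 02:16:00 fw kernel: ACCEPT: IN=eth0 OUT=eth1 SRC=192.0.2.44 DST=198.51.100.10 LEN=60 TTL=61 PROTO=TCP SPT=51001 DPT=80 WINDOW=65535 SYN URGP=0
Mar 10 02:16:01 fw sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 50022 ssh2
Mar 10 02:20:15 fw kernel: ACCEPT: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TTL=52 PROTO=TCP SPT=41301 DPT=80 WINDOW=5840 SYN URGP=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"(?P<verdict>[A-Z]+): (?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")   # KEY=VALUE pairs; bare flags like SYN are skipped


def parse_line(line, year=2002):
    """Return a dict for a LOG-target line, or None for any other syslog line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = dict(KV_RE.findall(m.group("rest")))
    # Syslog timestamps carry no year; assume one so times can be compared.
    event["time"] = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    event["host"] = m.group("host")
    event["verdict"] = m.group("verdict")
    return event


def parse_log(text):
    events = (parse_line(line) for line in text.splitlines())
    return [e for e in events if e is not None]


def detect_scans(events, min_ports=5, window_seconds=60):
    """Map source -> sorted probed ports for sources whose dropped packets hit
    at least min_ports distinct ports within any window_seconds window."""
    drops_by_src = {}
    for e in events:
        if e["verdict"] == "DROP" and "DPT" in e:
            drops_by_src.setdefault(e["SRC"], []).append(e)
    scans = {}
    for src, drops in drops_by_src.items():
        drops.sort(key=lambda e: e["time"])
        for start, first in enumerate(drops):
            ports = set()
            for e in drops[start:]:
                if (e["time"] - first["time"]).total_seconds() > window_seconds:
                    break
                ports.add(int(e["DPT"]))
            if len(ports) >= min_ports:
                scans[src] = sorted(ports)
                break
    return scans


def timeline(events, src):
    """Chronological (time, verdict, proto, dst, dport) tuples for one source."""
    picked = sorted((e for e in events if e.get("SRC") == src and "DPT" in e),
                    key=lambda e: e["time"])
    return [(e["time"].strftime("%H:%M:%S"), e["verdict"], e["PROTO"], e["DST"], int(e["DPT"]))
            for e in picked]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for src, ports in detect_scans(evts).items():
        print(f"possible port scan from {src}: ports {ports}")
        for row in timeline(evts, src):
            print("  ", *row)
```

The reconstructed timeline is the interesting part: the probing host is dropped on six ports in three seconds, then accepted to port 80 twice. Those accepts are exactly the traffic the firewall was told to authorize, so whether they were harmless or an attack on the web application is a question for the web server's own logs, not the firewall's.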
Auditing and Testing
One of the most important things that can be done after configuring your
firewall is to ensure that the level of security you planned to achieve is in
fact what was achieved, as well as verify that nothing was overlooked. A
number of freeware and commercial tools are available that can be used to
test the security of the firewall and the systems behind it. Chapter 6
details common attack and testing methodologies for firewalls. Security is an
ongoing process: once a system is implemented, it is essential that its
configuration be thoroughly tested, and periodic audits should reassess its
security thereafter.
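The testing advice above, together with the earlier points that a firewall is only as effective as its rule set, that policy is what lets administrators refuse "just open it" requests, and that a firewall cannot protect against what it authorizes, can all be shown with a small first-match packet-filter model. The Python below is an added example, not code from the book or from any product: it evaluates packets against an ordered rule list with an implicit default deny, audits a constructed ruleset against a table of the verdicts the written policy requires (the "is what I planned what I got?" check), shows how one permissive rule added at the top silently changes verdicts that the audit then catches, and shows that an overlong request to the permitted web port passes untouched. Addresses, rule comments, packets and the rule syntax itself are hypothetical.

```python
"""First-match packet filter model with default deny, plus an audit harness.

Added example; rules, addresses and packets are hypothetical and not taken
from the book or from any product's configuration syntax.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


def _addr_matches(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int]   # destination port, None = any
    comment: str = ""

    def matches(self, pkt):
        return (
            self.proto in ("any", pkt["proto"])
            and _addr_matches(self.src, pkt["src"])
            and _addr_matches(self.dst, pkt["dst"])
            and (self.dport is None or self.dport == pkt.get("dport"))
        )


def evaluate(rules, pkt):
    """Return (action, index of matching rule); unmatched traffic is denied."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None          # implicit default deny


def audit(rules, expectations):
    """Compare the ruleset's verdicts with what the written policy requires."""
    failures = []
    for pkt, expected in expectations:
        action, index = evaluate(rules, pkt)
        if action != expected:
            failures.append({"packet": pkt, "expected": expected, "got": action, "rule": index})
    return failures


WEB = "198.51.100.10/32"         # hypothetical public web server
MGMT_LAN = "10.0.0.0/24"         # hypothetical management network

# Ruleset as the policy intends it: permit only what is authorized.
RULES = [
    Rule("permit", "tcp", "any", WEB, 80, "public web service"),
    Rule("permit", "tcp", MGMT_LAN, WEB, 22, "SSH administration from the management LAN only"),
    Rule("deny", "any", "any", "any", None, "explicit cleanup rule, logged"),
]

# The same ruleset after an ad hoc 'just open it for now' request was granted.
CREEP_RULES = [Rule("permit", "tcp", "any", "any", None, "temporary, never removed")] + RULES


def pkt(proto, src, dst, dport=None, **extra):
    return {"proto": proto, "src": src, "dst": dst, "dport": dport, **extra}


INTERNET_HOST = "203.0.113.7"
WEB_IP = "198.51.100.10"

# What the security policy says must happen; the audit step checks each case.
EXPECTED = [
    (pkt("tcp", INTERNET_HOST, WEB_IP, 80), "permit"),
    (pkt("tcp", INTERNET_HOST, WEB_IP, 23), "deny"),
    (pkt("tcp", INTERNET_HOST, WEB_IP, 22), "deny"),
    (pkt("tcp", "10.0.0.5", WEB_IP, 22), "permit"),
    (pkt("udp", INTERNET_HOST, WEB_IP, 161), "deny"),
    (pkt("icmp", INTERNET_HOST, WEB_IP), "deny"),
]

# An overlong request to the permitted port: to the filter this is just
# authorized HTTP traffic, so the web server itself has to withstand it.
OVERLONG_REQUEST = pkt("tcp", INTERNET_HOST, WEB_IP, 80,
                       payload="GET /" + "A" * 4096 + " HTTP/1.0")


if __name__ == "__main__":
    print("policy ruleset audit failures:", audit(RULES, EXPECTED))
    for f in audit(CREEP_RULES, EXPECTED):
        print("rule creep: port", f["packet"]["dport"], "expected", f["expected"],
              "got", f["got"], "via rule", f["rule"])
    print("overlong request to port 80:", evaluate(RULES, OVERLONG_REQUEST))
```

Two things are worth keeping from this: the EXPECTED table is the policy written down in testable form, so a rule change that breaks it is caught before it reaches production, and the overlong request is permitted by rule 0 no matter how the list is ordered, which is why the web server behind the firewall must be hardened and patched in its own right.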