CHAPTER 3: Network Devices 126

Firewalls

A firewall protects a secure internal network from a public insecure network. Firewalls are devices or software that have the ability to control the traffic that’s sent from an external network, such as the Internet, to an internal network or local computer. As we’ll see later in this chapter, the features that are provided by a firewall will vary depending on the type you choose for your network. The most common implementation today is the use of a firewall between an organization’s internal network and the Internet.

Firewalls can be very complex because they provide more features than just packet filtering. They can also provide multiple layers of protection, including actually scanning the information stored in the packets to search for malicious data. They use advanced techniques to monitor connections, to log potential intrusions, and to act upon these incidents.

Firewall Architecture

A firewall is a combination of techniques and technologies used to control the flow of data between networks. All traffic between the networks passes through the firewall, which compares it to a set of rules that determine how the traffic will be managed. If the traffic matches the rules for acceptable data, the traffic is passed on to the network. If the rule specifies that the data be denied, the traffic cannot continue and will be bounced back. Although some implementations may do this differently, the same basic functionality is used.

NOTES FROM THE FIELD… Monitoring Traffic Through Firewalls

As Internet access has become a more common fixture in organizations, so has monitoring the Web sites visited by personnel in those organizations. Firewalls are used to prevent unauthorized access to the internal network from the Internet, but also enable organizations to monitor what their employees are accessing on the Internet.
Companies can check the firewall logs to determine what sites an employee visited, how long they spent there, what files they downloaded, and other information that the employee may consider private. Companies may also stipulate the privacy of client information, or those with a presence on the Web may include or create a separate policy that deals with the privacy of a visitor to their Web site. In terms of actual clients (those people with whom a company does business), the policy should state the level of privacy a client can expect. This may include the protection of client information, including information on sales, credit card numbers, and so forth. In the case of police, this might include information on a person’s arrest record that can’t be concealed under the Public Information Act and open records laws, personal information, and other data. For both clients and visitors to Web sites, a company may stipulate whether information is sold to third parties that may send you advertisements, spam, or phone solicitations.

Dual-Homed Host Firewalls

A dual-homed firewall consists of a single computer with two physical network interfaces. This computer acts as a gateway between two networks. The server’s routing capability is disabled so that the firewall can handle all traffic management. Either an application-level proxy or circuit-level firewall is run to provide data transfer capability; you must be careful not to enable routing within the network operating system or you will bypass your firewall software. Figure 3.6 shows a dual-homed host firewall configuration.

Screened Host Firewalls

Screened host firewall configurations are considered by many to be more secure than the dual-homed firewall. In this configuration, you place a screening router between the gateway host and the public network. This enables you to provide packet filtering before the packets reach the host computer.
The host computer could then run a proxy to provide additional security to this configuration. As packets travel into the internal network, the only host they know of is the screened host computer. Figure 3.7 shows an illustration of a screened-host configuration.

Screened Subnet Firewalls

A screened subnet firewall configuration takes security to the next level by further isolating the internal network from the public network. An additional screening router is placed between the internal network and the firewall proxy server. The internal router handles local traffic while the external router handles inbound and outbound traffic to the public network. This provides two additional levels of security. First, by adding a link internally, you can protect the firewall host from an attack by an internal source. Second, it makes an external attack much more difficult because the number of links is increased. Figure 3.8 shows the screened subnet firewall configuration.

FIGURE 3.6 A Dual-Homed Host Firewall.

FIGURE 3.7 A Screened Host Firewall.

Firewall Types

There are three basic categories of firewalls: packet level, application level, and circuit level. Each uses a different security approach, thus providing different advantages and disadvantages. One additional feature that was discussed earlier is encryption services. Most firewalls provide some sort of cryptographic services for data transfers.

When you have a complete understanding of the features and type of security that is needed from a firewall, you can then determine the implementation that best fits the environment.

Packet Level Firewall

A packet level firewall is usually a form of screening router that examines packets based upon filters that are set up at the network and transport layers. You can block incoming or outgoing transfers based on a TCP/IP address or other rules.
For example, you may choose to not allow any incoming IP connections, but enable all outgoing IP connections. You can set up rules that will enable certain types of requests to pass while others are denied. Rules can be based on source address, destination address, session protocol type, and the source and destination port. Because this works at only three layers, it is a very basic form of protection. To properly provide security to the network, all seven layers must be protected by a full-featured conventional firewall.

Application Level Firewall

The application level firewall understands the data at the application level. Application layer firewalls operate at the application, presentation, and session layers. Data at the application level can actually be understood and monitored to verify that no harmful information is included. An example of an application level firewall is an Internet proxy or mail server. Many uses are available through some form of proxy; however, these functions are usually very processing-intensive because security is provided at that level. In addition, clients must be configured to pass through the proxy to use it. Proxy servers are also used to mask the original origin of a packet. For example, an Internet proxy will pass the request on; however, the source listed in the packet is the proxy server address. The overall server doesn’t just filter the packets, it actually takes in the original and retransmits a new packet through a different network interface.

FIGURE 3.8 A Screened Subnet Firewall.

Circuit Level Firewall

A circuit level firewall is similar to an application proxy except that the security mechanisms are applied at the time the connection is established. From then on, the packets flow between the hosts without any further checking from the firewall. Circuit level firewalls operate at the transport layer.
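The application level firewall above inspects data at the application layer rather than just addresses and ports. The following added example, which is not code from the chapter, shows what that inspection can look like for one protocol: an HTML content filter, of the kind a proxy places between the Web and internal clients, that removes applets, scripts and ActiveX/plug-in components (and inline script handlers) from a page before it is returned to the internal network. The element list, the inline-handler rule and the sample page are assumptions of this example, not any vendor's configuration.

```python
"""Application-level content filter: strip active content from an HTML document.

Added example, not from the chapter.  Models the content-filtering feature
of an application level firewall/proxy.  Element lists and rules are assumed.
"""
from html.parser import HTMLParser

# Active-content elements in the chapter's sense (assumed lists).
CONTAINER_ACTIVE = {"script", "applet", "object"}   # dropped together with everything inside
VOID_ACTIVE = {"embed"}                             # has no body; dropped on its own


class ActiveContentFilter(HTMLParser):
    """Re-emit an HTML document with active content removed."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []         # pieces of the filtered document
        self.removed = []     # what was removed, for the firewall log
        self.skip_depth = 0   # > 0 while inside an element that is being dropped

    def _emit_start(self, tag, attrs, self_closing):
        if self.skip_depth:
            if tag in CONTAINER_ACTIVE:
                self.skip_depth += 1          # nested active element
            return
        if tag in CONTAINER_ACTIVE:
            self.removed.append(tag)
            self.skip_depth = 1               # drop until the matching end tag
            return
        if tag in VOID_ACTIVE:
            self.removed.append(tag)
            return
        # Keep the element, but strip inline handlers and javascript: URLs (assumed rule).
        kept = []
        for name, value in attrs:
            bad = name.lower().startswith("on") or (
                value is not None and value.strip().lower().startswith("javascript:"))
            if bad:
                self.removed.append(f"{tag}@{name}")
            else:
                kept.append((name, value))
        if len(kept) == len(attrs):
            self.out.append(self.get_starttag_text())   # unchanged: emit verbatim
        else:
            attr_text = "".join(f' {n}="{v}"' if v is not None else f" {n}" for n, v in kept)
            self.out.append(f"<{tag}{attr_text}{' /' if self_closing else ''}>")

    def handle_starttag(self, tag, attrs):
        self._emit_start(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._emit_start(tag, attrs, True)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in CONTAINER_ACTIVE:
                self.skip_depth -= 1
            return
        if tag not in CONTAINER_ACTIVE | VOID_ACTIVE:   # drop stray closing tags of active elements
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skip_depth:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass   # comments are dropped entirely

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def filter_html(document):
    """Return (filtered_html, removed_items) for one HTML document."""
    f = ActiveContentFilter()
    f.feed(document)
    f.close()
    return "".join(f.out), f.removed


# Constructed sample page, not taken from any real site.
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<script type="text/javascript">alert(1)</script>
<applet code="Game.class"><param name="level" value="3">Java required</applet>
<object classid="clsid:ABC"><param name="x" value="1"></object>
<p onclick="doIt()">Hello <b>world</b> &amp; friends</p>
<a href="javascript:void(0)">link</a>
<img src="logo.png" alt="Logo">
</body></html>"""

if __name__ == "__main__":
    clean, removed = filter_html(SAMPLE_HTML)
    print(clean)
    print("removed:", removed)
```

Two design points worth noting. The filter fails closed: an active element whose closing tag never arrives causes the rest of the document to be dropped rather than passed through unchecked. And as the chapter says, the page will not render as its author intended (here the applet's fallback text and the link's target are gone), which is the price of stripping rather than merely flagging.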
Firewall Features

As firewalls have evolved, additional feature sets have grown out of or been added to these implementations. They are used to provide faster access and better security mechanisms. As encryption techniques have improved, they are being incorporated more into firewall implementations. Also, caching is being provided for services such as the World Wide Web. This enables pages to be cached for a period of time, which can dramatically speed up the user experience. New management techniques and technologies such as virtual private networks (VPNs) are now being included as well.

Content filtering is another major feature of a firewall. Because of the possible damage a Java applet, JavaScript, or ActiveX component can do to a network in terms of threatening security or attacking machines, many companies filter out applets completely. Firewalls can be configured to filter out applets, scripts, and components so that they are removed from the Hypertext Markup Language (HTML) document that is returned to a computer on the internal network. Preventing such elements from ever being displayed will cause the Web page to appear differently from the way its author intended, but any content that is passed through the firewall will be more secure.

DMZ

DMZ is short for demilitarized zone and is a military term used to signify a recognized safe area between two countries where, by mutual agreement, no troops or war-making activities are allowed. There are usually strict rules regarding what is allowed within the zone. In computer security, the DMZ is a neutral network segment where systems accessible to the public Internet are housed, and which offers some basic levels of protection against attacks.
The creation of these DMZ segments is usually done in one of two ways:

Layered DMZ implementation
Multiple interface firewall implementation

In the first method, the systems are placed between two firewall devices with different rule sets, which allows systems on the Internet to connect to the offered services on the DMZ systems, but prevents them from connecting to the computers on the internal segments of the organization’s network (often called the protected network). Figure 3.9 shows a common installation using this layered approach.

As shown in Figure 3.10, the second method is to add a third interface to the firewall and place the DMZ systems on that network segment. This allows the same firewall to manage the traffic between the Internet, the DMZ, and the protected network. Using one firewall instead of two lowers the costs of the hardware and centralizes the rule sets for the network, making it easier to manage and troubleshoot problems. Currently, this multiple interface design is the preferred method for creating a DMZ segment.

In either case, the DMZ systems offer some level of protection from the public Internet while they remain accessible for the specific services they provide to external users. In addition, the internal network is protected by a firewall from both the external network and the systems in the DMZ.

FIGURE 3.9 A Layered DMZ Implementation.

Because the DMZ systems still offer public access, they are more prone to compromise and thus they are not trusted by the systems in the protected network. This scenario allows for public services while still maintaining a degree of protection against attack. The role of the firewall in all of these scenarios is to manage the traffic between the network segments. The basic idea is that other systems on the Internet are allowed to access only the services of the DMZ systems that have been made public.
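The rule set of a multiple interface firewall is where the packet level filtering described under Firewall Types and the DMZ policy described here meet. The following added example, not code from the chapter, is a small packet-level filter for a three-interface firewall (Internet, DMZ, protected network). Rules match on source zone, destination zone and host, protocol and destination port; the first matching rule wins; anything that matches nothing is dropped and logged, so Internet hosts reach only the published DMZ services while the protected network may use the Internet and manage the DMZ systems. The addresses, the services, the management port and the rule syntax are assumptions of this example.

```python
"""Packet-level filter for a three-interface (Internet / DMZ / protected) firewall.

Added example, not from the chapter.  Addressing, services and rule syntax are assumed.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed addressing for the two local firewall interfaces (assumed).
ZONES = {
    "dmz": ipaddress.ip_network("203.0.113.0/24"),
    "protected": ipaddress.ip_network("10.10.0.0/16"),
}
WEB_SERVER = "203.0.113.10"    # public DMZ services (constructed)
MAIL_SERVER = "203.0.113.25"


def zone_of(address):
    """Map an address to the interface it belongs to; anything else is the Internet."""
    ip = ipaddress.ip_address(address)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp", "icmp"
    dport: int = 0


@dataclass
class Rule:
    action: str                        # "allow" or "deny"
    src_zone: str = "any"
    dst_zone: str = "any"
    dst_host: str = "any"
    proto: str = "any"
    dports: frozenset = frozenset()    # empty means any port

    def matches(self, pkt):
        return (self.src_zone in ("any", zone_of(pkt.src))
                and self.dst_zone in ("any", zone_of(pkt.dst))
                and self.dst_host in ("any", pkt.dst)
                and self.proto in ("any", pkt.proto)
                and (not self.dports or pkt.dport in self.dports))


# Ordered rule set: first match wins; nothing matching falls through to deny.
RULES = [
    # Published DMZ services, reachable from any zone.
    Rule("allow", dst_zone="dmz", dst_host=WEB_SERVER, proto="tcp", dports=frozenset({80, 443})),
    Rule("allow", dst_zone="dmz", dst_host=MAIL_SERVER, proto="tcp", dports=frozenset({25})),
    # Protected network may use the Internet and manage DMZ systems (SSH assumed).
    Rule("allow", src_zone="protected", dst_zone="internet"),
    Rule("allow", src_zone="protected", dst_zone="dmz", proto="tcp", dports=frozenset({22})),
    # DMZ hosts are untrusted: they never initiate traffic into the protected network.
    Rule("deny", src_zone="dmz", dst_zone="protected"),
]


@dataclass
class Firewall:
    rules: list
    log: list = field(default_factory=list)

    def filter(self, pkt):
        """Return 'allow' or 'deny'; every denied packet is logged."""
        for rule in self.rules:
            if rule.matches(pkt):
                verdict = rule.action
                break
        else:
            verdict = "deny"            # default deny: no rule matched
        if verdict == "deny":
            self.log.append(f"DROP {zone_of(pkt.src)}:{pkt.src} -> "
                            f"{zone_of(pkt.dst)}:{pkt.dst} {pkt.proto}/{pkt.dport}")
        return verdict


# Constructed sample traffic (all addresses from documentation ranges).
SAMPLE = [
    Packet("198.51.100.7", WEB_SERVER, "tcp", 443),    # Internet -> public web service
    Packet("198.51.100.7", WEB_SERVER, "tcp", 22),     # Internet -> unpublished service on web host
    Packet("198.51.100.7", "10.10.3.4", "tcp", 445),   # Internet -> protected network
    Packet("10.10.3.4", "198.51.100.9", "tcp", 443),   # protected -> Internet
    Packet("10.10.3.4", WEB_SERVER, "tcp", 22),        # protected -> DMZ management
    Packet(WEB_SERVER, "10.10.3.4", "tcp", 3306),      # DMZ host -> protected network
]


def run_sample():
    fw = Firewall(RULES)
    verdicts = [fw.filter(p) for p in SAMPLE]
    return verdicts, fw.log


if __name__ == "__main__":
    verdicts, log = run_sample()
    for pkt, v in zip(SAMPLE, verdicts):
        print(f"{v:5} {pkt}")
    print("\n".join(log))
```

The explicit deny for DMZ-to-protected traffic is redundant with the default deny; it is there so the rule set states the chapter's point (DMZ systems are not trusted by the protected network) rather than relying on the fall-through, which makes a later mistaken "allow" easier to spot in review.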
If an Internet system attempts to connect to a service not made public, the firewall drops the traffic and logs the information about the attempt (if configured to do so). Systems on a protected network are allowed to access the Internet as they require, and they may also access the DMZ systems for managing the computers, gathering data, or updating content. In this way, systems are exposed only to attacks against the services that they offer and not to underlying processes that may be running on them.

FIGURE 3.10 A Multiple Interface Firewall DMZ Implementation.

Test Day Tip

DMZs can be a difficult topic to initially understand. In reviewing information about how they work, try to remember that the DMZ is a “no man’s land” that provides a separation between your LAN and an external WAN like the Internet.

ACLs

ACLs are access control lists, which are used to control access to specific resources on a computer. An ACL resides on a computer and is a table with information on which users have specific rights to files and folders on the machine. The operating system uses this attribute of the file or folder to determine whether a user is allowed or denied specific privileges to the object. By using the ACL you can provide users of the network with the rights they need to access these files or folders. However, in doing so, it is advisable that you only provide users with the minimum amount of access required to perform their jobs.

Proxy Server (Caching Appliances)

A proxy server is a server that performs a function on behalf of another system. In most cases this is a system that is acting as a type of gateway between the Internet and a company network. The employees who wish to access the Internet will perform actions as they normally would with their browser, but the browser will submit the request to the proxy server. The proxy server will then transmit the request on the Internet and receive the results.
The results will then be sent to the original requester. A nice feature of the proxy server is that the Web pages that are not encrypted will be saved in a cache on the local hard disk. If another user requests the same page, the proxy server will not request the page from the Internet, but retrieve it from the hard disk. This saves quite a bit of time by not having to wait on Internet requests, which may be coming from an overburdened Web server. The proxy server can cache information going both ways; because it can cache requests going out, it can also act as a proxy for Internet users making requests to the company Web server. This can help keep traffic minimized on the company network.

Another feature of the proxy server is that it can act as the physical gateway between the Internet and company network by filtering out specific information, especially if you use the proxy server to act as a proxy between the Internet and the company Web server. Filtering can be configured for allowing or not allowing packets if they meet one or more of the following specified criteria: specific port, direction of transfer, or source or destination of packets.

Tunnels and Encryption

Tunneling is used to create a virtual tunnel (a virtual point-to-point link) between you and your destination using an untrusted public network as the medium. In most cases, this would be the Internet. When establishing a tunnel, commonly called a VPN (which we’ll discuss in the next section), a safe connection is being created between two points that cannot be examined by outsiders. In other words, all traffic that is traveling through this tunnel can be seen, but cannot be understood by those on the outside. All packets are encrypted and carry information designed to provide authentication and integrity. This ensures that they are tamperproof and thus can withstand common IP attacks, such as the man-in-the-middle (MITM) and packet replay.
When a VPN is created, traffic is private and safe from prying eyes.

VPNs

A VPN provides users with a secure method of connectivity through a public internetwork such as the Internet. Most companies use dedicated connections to connect to remote sites, but when users want to send private data over the Internet they should provide additional security by encrypting the data using a VPN.

When a VPN is implemented properly, it provides improved wide-area security, reduces costs associated with traditional WANs, improves productivity, and improves support for users who telecommute. Cost savings are twofold. First, companies save money using public networks (such as the Internet) instead of paying for dedicated circuits (such as point-to-point T1 circuits) between remote offices. Second, telecommuters do not have to pay long-distance fees to connect to Remote Access Service (RAS) servers. They can simply dial into their local ISPs and create a virtual tunnel to the office.

A tunnel is created by wrapping (or encapsulating) a data packet inside another data packet and transmitting it over a public medium. Tunneling requires three different protocols:

Carrier Protocol: The protocol used by the network (IP on the Internet) that the information is traveling over.
Encapsulating Protocol: The protocol (PPTP, L2TP, IPSec, Secure Shell [SSH]) that is wrapped around the original data.
Passenger Protocol: The original data being carried.

Essentially, there are two different types of VPNs: site-to-site and remote access.

Site-to-Site VPN

Site-to-site VPNs are normally established between corporate offices that are separated by a physical distance extending further than a normal LAN. VPNs are available in software (such as Windows network operating systems) and hardware (firewalls such as Nokia/Checkpoint and SonicWALL) implementations. Generally speaking, software implementations are easier to maintain.
However, hardware implementations are considered more secure, because they are not impacted by operating system vulnerabilities.

For example, suppose Company XYZ has offices in Boston and Phoenix. As shown in Figure 3.11, both offices connect to the Internet via a T1 connection. They have implemented VPN-capable firewalls in both offices, and established an encryption tunnel between them.

The first step in creating a site-to-site VPN is selecting the protocols to be used. Common protocols associated with VPN are Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), SSH, and IP Security (IPSec). PPTP and L2TP are used to establish a secure tunnel connection between two sites. Once a tunnel is established, encryption protocols are used to secure data passing through the tunnel. As data is passed from one VPN to another, it is encapsulated at the source and unwrapped at the target. The process of establishing the VPN and wrapping and unwrapping the data is transparent to the end user.

Most commercially available firewalls come with a VPN module that can be set up to easily communicate with another VPN-capable device. Microsoft has implemented site-to-site VPN tools on the Windows 2003 platform using either RRAS or the newest rendition of Microsoft’s proxy server, Microsoft ISA Server 2006. Whichever product or service is chosen, it is important to ensure that each end of the VPN is configured with identical protocols and settings.

FIGURE 3.11 A Site-to-Site VPN Established Between Two Remote Offices.

Remote Access VPN

A remote access VPN, known as a private virtual dial-up network (PVDN), differs from a site-to-site VPN in that end users are responsible for establishing the VPN tunnel between the workstation and their remote office. An alternative to connecting directly to the corporate VPN is connecting to an enterprise service provider (ESP) that ultimately connects to the corporate VPN.
In either case, users connect to the Internet or an ESP through a point of presence (POP) using their particular VPN client software (Figure 3.12). Once the tunnel is set up, users are forced to authenticate with the VPN server, usually by username and password. A remote access VPN is a great solution for a company with several employees working in the field. The remote access VPN allows these employees to transmit data to their home offices from any location. RRAS offers an easy solution for creating a remote access VPN.

FIGURE 3.12 A Remote-Access VPN Solution Using Regular Internet POPs.