3 Firewall Types
3.1 Chapter objectives

- Identifying the advantages and disadvantages of stateless and stateful packet filters
- Implementing circuit-level gateways
- Certifying application proxies
- Selecting criteria

As previously explained, a firewall puts up a barrier that controls the flow of traffic among domains, hosts, and networks. The safest firewall blocks all traffic, but that defeats the purpose of making the connection. According to a logical security policy, you need strict control over selected traffic. Organizations typically put a firewall between the public Internet and a private and trusted network. A firewall can also conceal the topology of your inside networks and network addresses from public view, here as well as elsewhere. But that's only the beginning.

This chapter is intended to present a brief overview of the firewall types available, as well as the relative advantages and disadvantages of each. It is intended to lay out a general roadmap for administrators who want to publish information for public consumption while preventing unauthorized access to their private or confidential network. The information presented in this chapter is intended to simplify what can sometimes be intimidating or complex security and network setups. This chapter is not intended to be a complete manual on firewall types. Unfortunately, the nature of firewall technology does not allow for a uniform "drop-in" installation setup, so every private network administrator should research the topic of firewalls and network security to find a personalized solution or type that best fits their needs. This chapter should not be used as a replacement for knowledgeable network or security administrators.
3.2 Types of firewalls

Conceptually, there are three types of firewalls. Let's start off with a brief review of all three of the basic firewall types:

- Simple packet filtering: IP or filtering firewalls, which block all but selected network traffic
- Application-layer firewalls: Proxy servers, which act as intermediaries to make requested network connections for the user
- Stateful multilayer-inspection firewalls [1]

The preceding firewall types are not as different as you might think, and the latest technologies are blurring the distinction to the point where it's no longer clear whether any one is "better" or "worse." As always, you need to be careful to choose the type that meets your needs. (For further information, see Chapter 4.) Which is which depends on what mechanisms the firewall uses to pass traffic from one security zone to another. The International Standards Organization (ISO) Open Systems Interconnect (OSI) model for networking defines seven layers, where each layer provides services that "higher level" layers depend on. In order from the bottom, these layers are physical, data link, network, transport, session, presentation, and application. The important thing to recognize is that the lower the level of the forwarding mechanism, the less examination the firewall can perform. Generally speaking, lower-level firewalls are faster but are easier to fool into doing the wrong thing. [2]
3.2.1 Simple packet filtering: IP or filtering firewalls

An IP filtering firewall works at the simple IP packet level. It is designed to control the flow of data packets based on their header information (source, destination, port, and packet type). In other words, these types of firewalls generally make their decisions based on the source and destination addresses and the ports in individual IP packets. A simple router is the "traditional" packet-filtering firewall because it cannot make particularly sophisticated decisions about what a packet is actually talking to or where it actually came from. Modern simple packet-filtering firewalls have become increasingly sophisticated and now maintain internal information about the state of connections passing through them, the contents of some of the data streams, and so on. One important distinction about many simple packet-filtering firewalls is that they route traffic directly through them, so to use one, you either need to have a validly assigned IP address or need to use a "private Internet" address. Simple packet-filtering firewalls tend to be very fast and very transparent to users.

In Figure 3.1, a simple packet-filtering firewall, called a screened host firewall, is represented. In a screened host firewall, access to and from a single host is controlled by means of a router operating at the network layer. The single host is a bastion host: a highly defended and secured strong point that (hopefully) can resist attack.

Note: Most commercially available routers come with some form of integrated firewall security. Chapter 4 discusses what types they come with.

Figure 3.1 Screened host firewall. [Figure: the Internet connects through a router to the protected network; no Internet traffic is allowed into the protected network, and only traffic to or from the bastion host is permitted by the router.]
Example: Simple packet-filtering firewall

In Figure 3.2, a simple packet-filtering firewall called a screened subnet firewall is represented. In a screened subnet firewall, access to and from a whole network is controlled by means of a router operating at the network layer. It is similar to a screened host, except that it is, effectively, a network of screened hosts. A filtering firewall is more secure, but lacks any sort of useful logging. It can block the public from accessing a private system, but it will not indicate what connections have been made to the Internet from the inside. Filtering firewalls are absolute filters. They do not support individual access control, so a private server cannot be made accessible to a particular outside user without opening it up to the entire public.

Now, packet filters work by distinguishing packets based on IP addresses or specific bit patterns. Packet filters are unable to protect against application-level attacks and may be susceptible to sophisticated IP fragmentation and IP source routing attacks because of the limited information they examine. This kind of firewall is typically found in routers, so they're economical and fast. There usually is no extra charge, because you probably need a router to connect to the Internet in the first place. You'll probably find that the provider will install any filter you want, even if the router belongs to your network service provider. Or your router can simply be a computer that runs an operating system like Windows NT or Novell NetWare and contains two network interface cards (a dual-homed system). [3]

Figure 3.2 Screened subnet firewall. [Figure: the Internet connects through a router to a DMZ network containing the bastion host and to the protected network; no Internet traffic is allowed into the protected network, and only traffic to or from the DMZ network is permitted by the router.]
Note: Most security policies require finer control than this.

3.2.2 Application-layer firewalls: Proxy servers

Application-layer firewalls generally are hosts running proxy servers, which permit no traffic directly between networks, and which perform elaborate logging and auditing of traffic passing through them. Because the proxy applications are software components running on the firewall, it is a good place to do lots of logging and access control. Application-layer firewalls can be used as network address translators (NATs), because traffic goes in one "side" and out the other, after having passed through an application that effectively masks the origin of the initiating connection. Having an application in the way may in some cases affect performance and may make the firewall less transparent. Early application-layer firewalls such as those built using the Trusted Information Systems (TIS) firewall toolkit (www.tis.com/) are not particularly transparent to end users and may require some training. Modern application-layer firewalls are often fully transparent. Application-layer firewalls tend to provide more detailed audit reports and tend to enforce more conservative security models than simple packet-filtering firewalls.
Example: Application-layer firewall

In Figure 3.3, an application-layer firewall called a dual-homed gateway is represented. A dual-homed gateway is a highly secured host that runs proxy software. It has two network interfaces, one on each network, and blocks all traffic passing through it. By acting as an intermediary between the private network and the outside, proxy servers allow indirect Internet access. All network requests made by an internal computer to an outside source are intercepted by the proxy server, which logs the request and then passes it along to the outside. Similarly, data passed back to an internal user from the outside is received by the proxy server, logged, and then passed along.

Figure 3.3 Dual-homed gateway. [Figure: a dual-homed host with one interface on the outside network and one on the protected network; IP routing and/or forwarding is disabled on the host.]

Furthermore, application-layer firewalls, or gateways, focus on the application layer of the OSI reference model of network architecture. Working at this level allows them to use dedicated security proxies to examine the entire data stream for every connection attempt. A virtual "air gap" exists in the firewall between the inside and the outside networks, and proxies bridge this gap by working as agents for internal or external users. The proxies are specific to applications such as FTP or Telnet or to protocols such as Internet Inter-ORB Protocol (IIOP) and Oracle's SQL*Net. In the application approach, information flows through the firewall, but no outside packets do, thus providing a virtually "fail-safe" architecture. Typically, they support security policies that require fine-grain control.
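The following is an added example, not code from this chapter or from any product it names. It shows, for HTTP, the kind of work the text attributes to a proxy: the proxy terminates the inside client's connection, parses the application protocol, applies policy on what it understands (method and destination host), rebuilds the request so that the outside sees only the proxy, and writes an audit record. The allowed methods and hosts, the list of origin-revealing headers, and the sample requests are all constructed for the demonstration.

```python
"""Application-layer (proxy) inspection of client requests.

Added example, not code from this chapter or from any product it names.
It models what the text attributes to a proxy firewall: terminate the
client connection, parse the application protocol (HTTP here), enforce
policy on method and destination, rebuild the request so the outside sees
only the proxy, and record an audit entry. Policy values, the header list
and the sample requests are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed policy: methods and destination hosts inside users may reach.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_HOSTS = {"www.example.com", "docs.example.org"}

# Headers that would reveal the internal client or topology; the proxy drops
# them so the origin of the connection is masked, as the chapter describes.
ORIGIN_REVEALING_HEADERS = {"x-forwarded-for", "forwarded", "via", "from"}


@dataclass
class ProxyDecision:
    allowed: bool
    reason: str
    forwarded_request: Optional[bytes] = None
    audit: dict = field(default_factory=dict)


def parse_request(raw: bytes):
    """Split an HTTP/1.x request into (method, target, version, headers, body).

    Anything the proxy cannot parse raises ValueError: unlike a packet
    filter, a proxy never relays bytes it does not understand.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = (p.decode("ascii") for p in parts)
    if not version.startswith("HTTP/1."):
        raise ValueError("unsupported protocol version")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise ValueError("malformed header line")
        headers[name.decode("ascii").strip().lower()] = value.decode("ascii").strip()
    return method, target, version, headers, body


def proxy_decide(client_ip: str, raw: bytes) -> ProxyDecision:
    """Decide whether the proxy relays a request, and build the relayed copy."""
    audit = {"client": client_ip}
    try:
        method, target, version, headers, body = parse_request(raw)
    except (ValueError, UnicodeDecodeError) as exc:
        audit["error"] = str(exc)
        return ProxyDecision(False, f"unparseable request: {exc}", audit=audit)

    host = headers.get("host", "")
    audit.update(method=method, host=host, target=target)
    if method not in ALLOWED_METHODS:
        return ProxyDecision(False, f"method {method} not permitted", audit=audit)
    if host not in ALLOWED_HOSTS:
        return ProxyDecision(False, f"host {host!r} not permitted", audit=audit)

    # Rebuild from parsed fields only; origin-revealing headers are not copied.
    out_lines = [f"{method} {target} {version}"]
    out_lines += [f"{n}: {v}" for n, v in headers.items()
                  if n not in ORIGIN_REVEALING_HEADERS]
    forwarded = ("\r\n".join(out_lines) + "\r\n\r\n").encode("ascii") + body
    return ProxyDecision(True, "relayed", forwarded, audit)


# Constructed sample traffic from inside clients (not real captures).
SAMPLE_REQUESTS = [
    ("10.0.0.5", b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                 b"X-Forwarded-For: 10.0.0.5\r\n\r\n"),
    ("10.0.0.7", b"DELETE /admin HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.0.0.9", b"GET / HTTP/1.1\r\nHost: other.example.net\r\n\r\n"),
    ("10.0.0.9", b"\x16\x03\x01\x00\x05hello"),  # not HTTP at all
]


def run_samples():
    """Return one ProxyDecision per sample request, in order."""
    return [proxy_decide(ip, raw) for ip, raw in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for d in run_samples():
        print("ALLOW" if d.allowed else "DENY ", d.reason, d.audit)
```

Every decision, allowed or not, carries the audit dictionary; that per-request record is the logging advantage the text gives the proxy over a filtering router, and the fourth sample shows the proxy refusing a stream that is not the protocol it was built for rather than passing it through.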
3.2.3 Stateful multilayer-inspection firewalls

Stateful multilayer-inspection firewalls extract the relevant communication and application state information and analyze all packet communication layers. They keep state information about connections in the operating system kernel and parse IP packets. The firewalls compare the bit patterns to packets that are already known to be trusted instead of examining the contents of each packet. Stateful multilayer-inspection firewalls can be faster than application-layer firewalls (the proxy mechanism is at a lower level), but they are more complex. They also have some of the advantages and shortcomings of each of the previous two firewall types.
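The following is an added example, not code from this chapter or from any product it names. It puts the simple packet filter of Section 3.2.1 and the stateful filter of this section side by side in Python: the stateless filter judges each packet on its header fields alone, while the stateful filter keeps a connection table and passes packets that belong to a connection it has already judged trusted. The address ranges, the rule set and the packets are constructed; the rules follow the screened subnet of Figure 3.2, where the outside may reach only the DMZ network.

```python
"""Stateless packet filtering versus stateful connection tracking.

Added example, not code from this chapter or from any product it names.
Addresses, rules and packets are constructed. The rule set follows the
screened subnet of Figure 3.2: inside hosts may connect outward and the
outside may reach only the DMZ web service.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")
INTERNAL = ip_network("10.0.0.0/8")   # constructed protected network
DMZ = ip_network("192.0.2.0/24")      # constructed screened subnet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN set: a new connection attempt
    ack: bool = False   # TCP ACK set: part of an established exchange


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    sport: Optional[int] = None   # None matches any port
    dport: Optional[int] = None
    action: str = "deny"

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in self.src and ip_address(pkt.dst) in self.dst
                and self.sport in (None, pkt.sport)
                and self.dport in (None, pkt.dport))


RULES = [
    Rule("outbound-from-inside", INTERNAL, ANY, action="allow"),
    Rule("inbound-to-dmz-web", ANY, DMZ, dport=80, action="allow"),
    Rule("default-deny", ANY, ANY),
]

# The only way a stateless filter can let replies to outbound web connections
# back in is a rule like this one, which also admits any unsolicited packet
# that merely carries source port 80: the chapter's "absolute filter" problem.
RULES_WITH_REPLY_HOLE = RULES[:2] + [
    Rule("inbound-replies-from-web", ANY, INTERNAL, sport=80, action="allow"),
    RULES[2],
]


def stateless_allow(pkt: Packet, rules=RULES) -> bool:
    """Simple packet filter: the first matching rule decides; no memory of past packets."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action == "allow"
    return False


class StatefulFilter:
    """Packet filter with a connection table, as in stateful inspection."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.connections = set()   # (src, sport, dst, dport) of trusted flows

    def allow(self, pkt: Packet) -> bool:
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.connections or reverse in self.connections:
            return True          # belongs to a connection already judged trusted
        if not pkt.syn or pkt.ack:
            return False         # mid-stream packet with no known connection
        if stateless_allow(pkt, self.rules):
            self.connections.add(forward)   # remember the new connection
            return True
        return False


def scenario():
    """Run four constructed packets through each filter; return the verdicts."""
    packets = [
        Packet("10.1.2.3", 40000, "203.0.113.10", 80, syn=True),   # inside opens a web connection
        Packet("203.0.113.10", 80, "10.1.2.3", 40000, ack=True),   # the server's reply
        Packet("203.0.113.99", 80, "10.1.2.3", 40000, ack=True),   # unsolicited, source port 80
        Packet("198.51.100.7", 51000, "192.0.2.10", 80, syn=True), # outside to DMZ web server
    ]
    stateful = StatefulFilter()
    return {
        "stateless": [stateless_allow(p) for p in packets],
        "stateless_with_hole": [stateless_allow(p, RULES_WITH_REPLY_HOLE) for p in packets],
        "stateful": [stateful.allow(p) for p in packets],
    }


if __name__ == "__main__":
    for name, verdicts in scenario().items():
        print(f"{name:20s}", ["allow" if v else "deny" for v in verdicts])
```

The three result rows make the chapter's trade-off concrete: with the strict rule set the stateless filter drops the legitimate reply; with the extra reply rule it admits the unsolicited packet as well; the stateful filter admits the reply because it matches a tracked connection and still drops the unsolicited packet, without any additional rule.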
3.3 Understanding firewall types

Now you are probably asking yourself, of the preceding three different types of firewalls, which is most secure and delivers the best performance? As is so often the case, this question can only be answered on a case-by-case basis after you consider the topology of your network, the services you plan to use, and the services you plan to offer. In limited circumstances, a simple packet-filtering router can be just as secure as a firewall costing 10 or 20 times as much. The reverse is also true: Buying an expensive firewall will give little security if it is not properly configured.
3.4 Firewall types drawbacks

The problem with filtering firewalls is that they inhibit access to the private network from the Internet. Only services on systems that have pass filters can be accessed. With a proxy server, users can log in to the firewall and then access the private network. Also, the rapid growth of network client-server technology makes supporting and controlling developing network services a constant challenge.

Finally, the future of firewalls lies someplace between simple packet-filtering firewalls and application-layer firewalls. It is likely that simple packet-filtering firewalls will become increasingly "aware" of the information going through them, and application-layer firewalls will become increasingly "low level" and transparent. The result will be a fast packet-screening system that logs and audits data as they pass through. Increasingly, firewalls (simple packet filtering and application layer) incorporate encryption so that they may protect traffic passing between them over the Internet. Firewalls with end-to-end encryption can be used by organizations with multiple points of Internet connectivity to use the Internet as a "private backbone" without worrying about their data or passwords being sniffed.
3.5 Summary

As explained in earlier chapters, a firewall on a computer network is a device that protects a private local network from the rest of the world (public parts of the same network or the Internet at large). The role of a firewall is typically filled by a computer (or computers) that can reach both the private network and the Internet, thereby allowing it to restrict the flow of data between the two. The protected network, therefore, cannot reach the Internet, and the Internet cannot reach the protected network unless the firewall computer allows it. For someone to reach the Internet from inside the protected network, they must log in to the firewall (via Telnet, rlogin, etc.) and use the Internet from there.

With the preceding in mind, a dual-homed system (i.e., a system with two network connections) is the simplest form of a firewall. A firewall can be set up with IP forwarding or "gatewaying" turned off, and accounts can be given to everyone on the network, that is, if system users can be trusted. The users can then log in to the firewall and run their network services (FTP, Telnet, mail, etc.) from there. Thus, with this setup the only computer on the private network that knows anything about the outside world is the firewall. Therefore, a default route is not needed by the other systems on the protected network. Such a system relies entirely on all users being trusted, and that's its greatest weakness. It is, therefore, not recommended.

Nevertheless, firewalls are indispensable assets in most organizations today. However, like all technologies, firewalls can create problems of their own. Imagine the case where your organization's Web server publishes a Java applet that makes calls to a Java Database Connectivity (JDBC) client. It then sends messages to a JDBC server (a Transmission Control Protocol [TCP] service) running on a particular port of a host at your site.
As the administrator of your site, you configure your firewall (see Chapter 7 for detailed information) to allow this traffic in either direction. But, you may have neither knowledge nor control of the remote site whose browser downloaded your applet. If a firewall at that site is configured to deny traffic destined for this same port, you have a problem. This is an instance where an intranet over which you have control can provide a more certain solution than the Internet, over which you have relatively little control.
Finally, implicit in this discussion has been the notion that the firewall is positioned to protect internal hosts (like database management systems [DBMS]) from outsiders. However, an Internet firewall is only a controlled gateway. It cannot stop attacks from malicious insiders, nor can it take the place of education and security policies and procedures. An Internet firewall is part of an overall security plan. Because the majority of network and system attacks occur from inside of the corporate networks and are launched by "inside" or trusted people, you may also want to consider additional firewalls behind the perimeter ("bastion") firewall defense. Chapter 4 will show you how to choose the right firewall to do this.
3.6 References

1. John Wack, Ken Cutler, and Jamie Pole, "Guidelines on Firewalls and Firewall Policy: Recommendations of the National Institute of Standards and Technology," National Institute of Standards and Technology, U.S. Department of Commerce, Gaithersburg, Maryland, January 2002.
2. "Information Security: Mechanisms and Techniques," National Institute of Standards and Technology, U.S. Department of Commerce, Gaithersburg, Maryland, January 2002.
3. Shirley Radack (Ed.), "Selecting Information Technology Security Products," National Institute of Standards and Technology, U.S. Department of Commerce, Gaithersburg, Maryland, 2004.