Ten Practical Security Steps
Firewalls
3. Use a modern firewall with stateful inspection and a tight
rule set customized to your site. This may include capabilities
that are described as proxying and dynamic Network Address
Translation.
Firewalls and Network Address Translation (NAT) are included together
because the two functions usually come together in commercial products
and nearly always run on the same computer when open source, UNIX-like
operating systems are used to build custom firewalls. Any firewall
worth considering today includes sophisticated stateful inspection,
which allows state rules to be applied even to the otherwise stateless
UDP and ICMP protocols.
No firewall's default rule set should ever be used; each rule set
should be customized to allow only the protocols and services used and
needed at the site. No stateless traffic of any kind should be allowed
in either direction. Incoming traffic should be limited to the
specific IP addresses and ports of public or semi-public servers.
These are most likely HTTP and SMTP; FTP and DNS will also be common.
If the HTTP and SMTP servers are on different machines, don't allow
HTTP traffic to the mail server or SMTP traffic to the web server.
Outgoing traffic should be almost as restrictive. Only those services
needed for work-related functions should be allowed; generally they
will be allowed to any IP address. If you have to, you may be more
permissive with outbound traffic as long as it's stateful. Some
protocols such as FTP and streaming audio are somewhat complex because
they have return traffic that is initiated by the remote server. The
better commercial firewalls recognize this and, if the service is
enabled, allow the return traffic without opening arbitrary high TCP
or UDP ports. Even the free, open source UNIX firewalls don't need to
be "punched full of holes" to accommodate these services. Do not open
large blocks of TCP or UDP ports to accommodate one service. Consult
with your vendor or the appropriate newsgroup or mailing lists. If
your firewall requires this, then get a modern firewall that does what
a firewall should in 2001 and not what they did in 1995.
Consistent use of stateful inspection in both directions accomplishes
two things. For outbound traffic it eliminates the need to open the
entire high TCP or UDP port range to incoming traffic: inbound high
port traffic is not allowed in unless it is a response to a locally
initiated outbound request. Inbound stateful inspection to public
servers assures a normal TCP traffic flow starting with SYN and
SYN/ACK packets, and prevents many invalid packet types that may be
used for denial of service attacks. If only valid TCP conversations
are allowed to open ports, this largely removes system level (IP stack)
errors and restricts what remains to application (server) level errors.
Except for possible buffer overflows, which may have unpredictable
consequences, remote attackers are limited pretty much to generating
server error messages and exploiting application specific
vulnerabilities.
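The inbound, outbound and stateful policy described above, written out as a Linux iptables rule set. This is an added example, not code from the original page; the server addresses, external interface name and list of permitted outbound services are assumptions.

```shell
#!/bin/sh
# Whitelist-only stateful rule set for a forwarding firewall.
# Assumed (constructed) addresses: web server 192.0.2.10, mail server
# 192.0.2.20, external interface eth0. Run "sh fw.sh preview" to print
# the rules without applying them, "sh fw.sh apply" to load them.
IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-eth0}"
WEB_SERVER="192.0.2.10"
MAIL_SERVER="192.0.2.20"

build_ruleset() {
    # Default deny in every direction; nothing stateless passes.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    $IPT -F FORWARD
    # Packets with no tracked state or bad TCP flags are dropped outright.
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # Replies to tracked conversations pass both ways, so no high port
    # range is ever opened to inbound traffic. FTP's server-initiated
    # data connection is classified RELATED by the nf_conntrack_ftp helper.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New inbound conversations must start with SYN and may reach only
    # each public server on its own service port: HTTP to the web server,
    # SMTP to the mail server, nothing else.
    $IPT -A FORWARD -i "$EXT_IF" -p tcp --syn -d "$WEB_SERVER" --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -p tcp --syn -d "$MAIL_SERVER" --dport 25 \
        -m conntrack --ctstate NEW -j ACCEPT
    # Outbound: only work-related services, to any address (assumed list).
    for port in 80 443 25 21; do
        $IPT -A FORWARD -o "$EXT_IF" -p tcp --syn --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    # DNS and ICMP echo are UDP/ICMP but still tracked, so replies return
    # as ESTABLISHED instead of through an open inbound port.
    $IPT -A FORWARD -o "$EXT_IF" -p udp --dport 53 \
        -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -o "$EXT_IF" -p icmp --icmp-type echo-request \
        -m conntrack --ctstate NEW -j ACCEPT
}

case "${1:-}" in
    apply)   build_ruleset ;;
    preview) IPT=echo; build_ruleset ;;
esac
```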
Don't negate an essential part of network security because you don't
know how to accommodate your users' needs with your current technology.
Let them know you're working on it (be sure you are). This is a good
place to hire a security expert. With the right border technology, all
protocols that should be allowed on the Internet can be handled with
reasonable security.
Purists correctly say that Network Address Translation (NAT) does not
provide firewall protection. This is certainly true of static NAT,
where there is a hardwired connection between internal and external IP
addresses and ports that goes both ways. Dynamic NAT, where one or a
few IP addresses serve a large internal population of IP addresses
and dynamically assign outgoing ports and possibly IP addresses, does,
for all practical purposes, provide rather strong firewall-like
protection to the machines using the dynamic services. If you have an
existing Internet connection, you've already settled on dynamic NAT,
static NAT or real IP addresses. If you have static NAT, even though
you have sufficient external IP addresses, switching to dynamic NAT
may gain some protection and the ability to use services that packet
filtering with static NAT does not. If you have existing hardware NAT
such as that provided by Instant Internet and its competitors, carefully
consider how this may be located relative to your firewall to get the
maximum security.
Once your firewall and NAT rules are in place, you shouldn't need to
change them unless new services need to be passed through the
firewall.
Finally, if you have a tight custom rule set, your firewall will
provide a tremendous amount of protection to the computers behind it,
but it may itself be vulnerable to attack. If practical, use a
bridging firewall, which is not visible as a network device. A bridged
firewall with no IP address cannot be attacked remotely, but it also
cannot be administered remotely. If you need to use a standard
routing firewall, then make it as secure as possible (see below), as it
could be the best point of attack for potential intruders.
Copyright © 2000 - 2014 by George Shaffer. This material may be
distributed only subject to the terms and conditions set forth in
http://GeodSoft.com/terms.htm
(or http://GeodSoft.com/cgi-bin/terms.pl).
These terms are subject to change. Distribution is subject to
the current terms, or at the choice of the distributor, those
in an earlier, digitally signed electronic copy of
http://GeodSoft.com/terms.htm (or cgi-bin/terms.pl) from the
time of the distribution. Distribution of substantively modified
versions of GeodSoft content is prohibited without the explicit written
permission of George Shaffer. Distribution of the work or derivatives
of the work, in whole or in part, for commercial purposes is prohibited
unless prior written permission is obtained from George Shaffer.
Distribution in accordance with these terms, for unrestricted and
uncompensated public access, non profit, or internal company use is
allowed.