Firewalls, Intrusion Prevention and VPNs
The primary purpose of a firewall is to determine whether requests issued by one computing device to initiate a connection with another device should be permitted or not based upon rules configured by the firewall's administrator. There are two types of firewalls: software-based personal firewalls that are basically extensions of the workstation's operating system, and network-based firewalls that are hardware appliances that physically pass traffic using the same mechanisms as network routers and switches.
Software-based, personal firewalls
A software-based, personal firewall is a piece of software that resides on an individual workstation primarily to protect that workstation. Functionally, the objectives of this type of firewall include:
- Preventing unknown, external devices from initiating a communication session with the workstation that is running the firewall software
- Preventing any piece of application software running on the workstation from making unexpected outbound connections to external devices. This capability is very useful in preventing your workstation from attacking or spamming other systems in the event that it is compromised.
The vendors of all major operating systems provide basic firewall functionality with their products free of additional charge. There are third party vendors who market commercial, software-based, personal firewalls with additional features as well. Regardless of the vendor, software-based, personal firewalls can be configured to be effective and are relatively simple to maintain and operate. Virtually all software-based, personal firewalls are configured to block all inbound connection requests to the workstation by default. They also typically block all outbound communication requests except those initiated by applications known to communicate with external devices, such as your web browsers, your e-mail client software, etc.
Network-based firewalls
Most network-based firewalls are network routers enhanced to more efficiently monitor and take action on the network traffic that passes through them, based upon the source of the traffic, its intended destination and the service that is being requested. To a lesser extent, there are some firewalls that function as network switches rather than routers, which makes them more effective in networks that are not heavily segmented into physical and virtual LANs.
Firewalls are usually sold as appliances (i.e., a standalone computer with pre-installed firewall software) through which network traffic can be passed among potentially dozens of network segments that are physically connected to the firewall. While a firewall can be connected to as many distinct network segments as the hardware has physical network connectors, you must keep in mind that the firewall has an overall throughput limit that should not be exceeded.
It is important to note that firewalls are only involved in communications that travel through the firewall hardware - in one network port, out a different network port. Communications between two devices whose network traffic enters the firewall through the same firewall network port are not evaluated against the firewall rule set, since the traffic between the two devices never passes through the firewall.
When two devices initiate a communications session that must pass through the firewall, a hardware or software failure could interrupt all traffic between those devices. However, most network-based firewalls give the administrator the option to make the firewall “fail open” or “fail closed”. If you choose to have the firewall “fail open”, then any firewall failure will immediately allow all data to pass to the requested destination IP address and port, regardless of whether it is permitted by the rule set or not. For security purposes, failing closed is preferable, but there may be compelling business reasons requiring some ports to fail open.
Positioning network-based firewalls
A firewall that is installed between the Internet and your organization’s network is called a “perimeter firewall”. A firewall that is connected to network segments within your organization, but is not directly connected to the organization’s Internet router, is referred to as an “interior firewall”.
While small organizations tend to deploy only a perimeter firewall, larger organizations usually implement both a perimeter firewall and one or more interior firewalls, with each interior firewall protecting a separate department or group of servers in the organization’s data center.
Trusted zones, untrusted zones and DMZs
A typical setup for a simple firewall for an organization that is hosting an Internet-accessible web application is to have:
- One firewall port connected to the Internet or other network segments containing untrusted devices (“untrusted zone”)
- One or more firewall ports that are each connected to a network segment that connects to institutional servers that hold private data (“trusted zone”)
- One or more firewall ports that are each connected to web servers that are accessed by web application users in the untrusted zone (“demilitarized zone” or “DMZ”)
The rules are usually configured to allow devices in the untrusted zone to initiate web connections with devices in the DMZ, but not with those in the trusted zone. Only devices in the DMZ or another trusted zone may be permitted to initiate communication sessions with devices in the trusted zone. This configuration technique helps to prevent someone on an untrusted network from accessing and potentially compromising private data directly.
How network firewalls work
In a nutshell, firewalls allow or block network traffic between devices based upon rules set up by the firewall administrator. Each rule defines a specific traffic pattern that you want the firewall to detect and the action that you want the firewall to take when that pattern is detected.
When the firewall receives a request from a device on one network port to communicate with a device on another network port, it compares the following information in the request against each firewall rule sequentially from top to bottom until a match is found:
- The network address of the device initiating the communication ("source") is compared against the list of sources contained within the rule
- The network address of the device whose services are requested ("destination") is compared against the list of destinations contained within the rule
- The service being requested (e.g., Web, mail, file transfer, terminal session, etc.) is compared against the list of services contained within the rule
If the source, the destination and the requested service of a communication request match one of the sources in a firewall rule AND one of the destinations in the same rule AND one of the requested services in the same rule, the associated actions specified by the administrator in the matching rule are taken. These actions may require the firewall to:
- Allow the communication to occur
- Block the communication without notifying the source
- Block the communication and notify the source
- Ask the user initiating the communication to provide valid authentication information (e.g., user ID and password, smart token or biometric data) before allowing the communication
- Set up a Virtual Private Network (VPN) to encrypt the communication session between the source and the firewall. Note – software must be installed on the requesting workstation to complete the VPN connection.
Each rule also instructs the firewall whether or not to log the event when that specific rule matches.
The last rule in the firewall rule set should be a rule that blocks any communication request not covered by the rule set to prevent any undefined source/destination/service combination from succeeding. Most firewalls insert such a rule by default, but you should verify that this is the case.
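The following is an added example, not code from the original text: a small Python simulation of the first-match rule evaluation described above for the three-zone layout (untrusted Internet, DMZ web servers, trusted servers). The zone address ranges, service catalogue and rule names are constructed for the example. It also includes the check the text recommends, confirming that the rule set ends with a catch-all block rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Service catalogue: name -> (protocol, destination port). Constructed for this example.
SERVICES = {
    "web": ("tcp", 80),
    "https": ("tcp", 443),
    "mail": ("tcp", 25),
    "ssh": ("tcp", 22),
    "db": ("tcp", 5432),
}

# Zone address ranges (constructed; a documentation prefix and RFC 1918 space).
DMZ = "192.0.2.0/24"
TRUSTED = "10.0.0.0/8"


@dataclass
class Rule:
    name: str
    sources: list          # CIDR strings, or "any"
    destinations: list     # CIDR strings, or "any"
    services: list         # keys of SERVICES, or "any"
    action: str            # "allow", "drop" (block silently) or "reject" (block and notify source)
    log: bool = False      # whether a match on this rule is written to the log


def _addr_matches(addr, entries):
    return any(e == "any" or ip_address(addr) in ip_network(e) for e in entries)


def _service_matches(proto, port, entries):
    return any(e == "any" or SERVICES[e] == (proto, port) for e in entries)


def evaluate(ruleset, src, dst, proto, port, log):
    """First-match evaluation: walk the rules top to bottom and apply the first one
    whose source list, destination list and service list all match the request.
    Returns the action; appends a line to `log` when the matching rule asks for it."""
    for rule in ruleset:
        if (_addr_matches(src, rule.sources)
                and _addr_matches(dst, rule.destinations)
                and _service_matches(proto, port, rule.services)):
            if rule.log:
                log.append(f"{rule.name}: {rule.action} {src} -> {dst} {proto}/{port}")
            return rule.action
    # Nothing matched. A properly built rule set never reaches this point; the
    # simulation falls back to a silent drop so an incomplete rule set still fails safe.
    log.append(f"implicit-deny: drop {src} -> {dst} {proto}/{port}")
    return "drop"


def ends_with_cleanup_rule(ruleset):
    """The verification the text recommends: the last rule must block any
    source/destination/service combination not covered by an earlier rule."""
    if not ruleset:
        return False
    last = ruleset[-1]
    return (last.sources == ["any"] and last.destinations == ["any"]
            and last.services == ["any"] and last.action in ("drop", "reject"))


# Rule set for the three-zone layout: Internet (untrusted), DMZ web servers, trusted servers.
RULESET = [
    Rule("dmz-to-db", [DMZ], [TRUSTED], ["db"], "allow", log=True),
    Rule("internet-to-dmz-web", ["any"], [DMZ], ["web", "https"], "allow"),
    Rule("cleanup", ["any"], ["any"], ["any"], "drop", log=True),
]

if __name__ == "__main__":
    log = []
    for src, dst, port in [("203.0.113.5", "192.0.2.10", 443),   # Internet -> DMZ web: allowed
                           ("203.0.113.5", "10.1.1.20", 5432),   # Internet -> trusted DB: blocked
                           ("192.0.2.10", "10.1.1.20", 5432),    # DMZ -> trusted DB: allowed
                           ("192.0.2.10", "10.1.1.20", 22)]:     # DMZ -> trusted SSH: blocked
        print(src, dst, port, evaluate(RULESET, src, dst, "tcp", port, log))
    print("cleanup rule present:", ends_with_cleanup_rule(RULESET))
    print("\n".join(log))
```

Because evaluation stops at the first match, rule order is part of the policy: moving the cleanup rule above "internet-to-dmz-web" would silently block all web traffic, which is why the catch-all belongs last and why the check above looks only at the final rule.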
Other functions that are typically performed by network firewalls:
- Anti-Spoofing - Detecting when the source of the network traffic is being "spoofed", i.e., when an individual attempts to access a blocked service by altering the source address in the message header so it matches a different rule that allows the communication to occur.
- Authentication – Configuring the firewall to allow specific communication sessions only after the user successfully logs into the firewall. These firewalls typically support multiple authentication methods including locally-stored passwords, directory-based passwords, secure tokens, etc.
- Network Address Translation (NAT) - Changing the network addresses of devices on any side of the firewall to hide their true addresses from devices on other sides. This prevents devices outside the network from probing internal computers, since those computers are not directly addressable from outside. There are two ways NAT is performed:
  - One-to-One - where each true address is translated to a unique translated address
  - Many-to-One - where the true addresses of all of the devices on one side of a firewall are translated to a single address, usually the address of the firewall itself
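As an added example (not from the original text), the Python below models two of the functions listed above: the anti-spoofing check, which rejects a packet whose claimed source address could not legitimately arrive on the port it came in on, and a NAT table with both one-to-one and many-to-one translation. The address ranges, the firewall's public address and the static mapping are constructed; the simulation only tracks flows that the inside initiated, which is what makes unsolicited inbound traffic undeliverable.

```python
import itertools
from ipaddress import ip_address, ip_network

# Constructed addressing: the internal side uses private space; the external side holds
# a small block from an RFC 5737 documentation prefix standing in for public space.
INTERNAL_NET = ip_network("10.0.0.0/8")
FIREWALL_PUBLIC = ip_address("198.51.100.1")
# One-to-one (static) translations: true internal address -> dedicated translated address.
ONE_TO_ONE = {ip_address("10.1.1.20"): ip_address("198.51.100.20")}


def is_spoofed(ingress_port, src):
    """Anti-spoofing: internal addresses may only enter through the internal port and
    anything else may only enter through the external port. A packet violating that
    is carrying a forged source address and must not be matched against the rule set."""
    src = ip_address(src)
    if ingress_port == "internal":
        return src not in INTERNAL_NET
    if ingress_port == "external":
        return src in INTERNAL_NET
    raise ValueError(f"unknown port {ingress_port!r}")


class NatTable:
    """Translation state kept by the firewall. Outbound flows create entries; an inbound
    packet is only forwarded when it hits an existing entry, so devices outside cannot
    address internal hosts directly."""

    def __init__(self):
        self._next_port = itertools.count(40000)
        self.forward = {}   # (true_ip, true_port) -> (translated_ip, translated_port)
        self.reverse = {}   # (translated_ip, translated_port) -> (true_ip, true_port)

    def outbound(self, src_ip, src_port):
        key = (ip_address(src_ip), src_port)
        if key in self.forward:                 # an existing flow keeps its translation
            return self.forward[key]
        if key[0] in ONE_TO_ONE:                # one-to-one: address swapped, port kept
            mapped = (ONE_TO_ONE[key[0]], src_port)
        else:                                   # many-to-one: firewall's address plus a fresh port
            mapped = (FIREWALL_PUBLIC, next(self._next_port))
        self.forward[key] = mapped
        self.reverse[mapped] = key
        return mapped

    def inbound(self, dst_ip, dst_port):
        """True (ip, port) for a reply to an existing flow, or None for unsolicited traffic."""
        return self.reverse.get((ip_address(dst_ip), dst_port))


if __name__ == "__main__":
    print("spoofed on external port:", is_spoofed("external", "10.1.1.1"))      # True
    nat = NatTable()
    print("many-to-one:", nat.outbound("10.2.3.4", 51000))                     # firewall address, port 40000
    print("one-to-one: ", nat.outbound("10.1.1.20", 5000))                     # 198.51.100.20, port 5000
    print("reply:      ", nat.inbound("198.51.100.1", 40000))                  # back to 10.2.3.4:51000
    print("unsolicited:", nat.inbound("198.51.100.1", 40999))                  # None
```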
Are network firewalls really necessary?
A combination of devices and software services can cover many firewall functions:
- Routers, already on the network, can also block traffic based upon source, destination and requested service using manually entered access control lists
- Anti-spoofing and network address translation can also be performed by most routers
- Servers can be configured to shut down unnecessary services or to screen out specific sources to specific services
But a firewall does it better:
- Network security functions are housed in a consistent, comprehensive package that is far easier to use than having to manage a large number of independent devices and to remember to reapply rules on all applicable devices after one or more are rebuilt
- Being an independent device from your servers and networking devices, a firewall provides an additional layer of defense against network-based threats, requiring a potential intruder to bypass an additional device to be successful
- A firewall can also shield servers and workstations that may be running unused, vulnerable services that may be unknown to the device's administrator
- Available “next generation” firewall technology can provide additional network security services in a single solution
Intrusion detection and intrusion prevention systems
An Intrusion Detection System (IDS) is software that can be installed on a physical or virtual server, or can be provided by a vendor as a preprogrammed appliance, that reviews all of the network traffic either passing through it or through one or more switches to which the IDS is connected in a manner that allows it to view traffic. Specifically, an IDS is looking for network traffic that is suspicious in nature. Similar to anti-virus/anti-malware software, an IDS relies on a file of malicious traffic patterns or “signatures” that are stored within the IDS and are automatically updated on a regular basis, usually daily. Other things that an IDS can detect are persistent attacks, e.g., brute force attacks (i.e., repeated attempts to log in to a target device trying a different password each time) and probing attacks (i.e., attempts to test whether or not a service is running on any devices across the network, or whether a system has vulnerabilities that have not been addressed).
Whereas an IDS is designed to detect and report suspicious network traffic, an Intrusion Prevention System (IPS) goes one step further, allowing administrators to specify an action that the IPS should take for each pattern of suspicious network traffic that is detected. The actions that an IPS can take are basically to allow the traffic to proceed or to discard the traffic, ending the network conversation. The IPS also gives administrators the ability to specify which traffic pattern events are captured in the system log.
IDS and IPS functionality is different from firewalls in that firewalls make their allow/block traffic decisions based upon the source IP address, destination IP address and requested service in each network packet. IDS and IPS devices primarily make their decisions based on message content, although source and destination IP addresses and ports may figure into the equation.
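To make the IDS/IPS distinction concrete, here is an added Python example (not from the original text) that runs the three kinds of detection the text names over a constructed set of events: a signature match on message content, a brute-force login detector and a port-probe detector. The event records, thresholds and the single "signature" are all constructed for the example; real IDS signatures are vendor-supplied. The final function adds the IPS step, turning detections into an allow/discard verdict and a log.

```python
import re
from collections import defaultdict

# Constructed sample of IDS-visible events, one per connection or login attempt:
# (time_seconds, src_ip, dst_ip, dst_port, event, payload)
EVENTS = [
    # One source failing SSH logins six times in half a minute (brute force).
    *[(t, "203.0.113.7", "10.1.1.20", 22, "auth-fail", "") for t in (0, 5, 10, 15, 20, 25)],
    # One source touching sixteen different ports on one host (probe / port scan).
    *[(30 + i, "198.51.100.9", "10.1.1.21", 20 + i, "connect", "") for i in range(16)],
    # One HTTP request whose content matches the constructed signature below.
    (50, "192.0.2.44", "192.0.2.10", 80, "http",
     "GET / HTTP/1.1\r\nUser-Agent: ExampleBadScanner/1.0\r\n"),
    # An ordinary user who mistyped a password once: must not be flagged.
    (60, "203.0.113.8", "10.1.1.20", 22, "auth-fail", ""),
    (70, "203.0.113.8", "10.1.1.20", 22, "auth-ok", ""),
]

# Stand-in for the signature file: name -> content pattern (constructed).
SIGNATURES = {
    "constructed-scanner-user-agent": re.compile(r"User-Agent: ExampleBadScanner/"),
}


def detect_brute_force(events, threshold=5, window=60):
    """Sources with at least `threshold` failed logins inside any `window`-second span."""
    times = defaultdict(list)
    for t, src, _dst, _port, event, _payload in events:
        if event == "auth-fail":
            times[src].append(t)
    flagged = set()
    for src, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):          # sliding window over the sorted timestamps
            while ts[end] - ts[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


def detect_probes(events, min_ports=10):
    """Sources that contacted at least `min_ports` distinct destination ports."""
    ports = defaultdict(set)
    for _t, src, _dst, port, _event, _payload in events:
        ports[src].add(port)
    return {src for src, seen in ports.items() if len(seen) >= min_ports}


def match_signatures(events):
    """(signature name, source) for every event whose content matches a signature.
    This is the content-based decision that separates an IDS from a firewall."""
    hits = []
    for _t, src, _dst, _port, _event, payload in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                hits.append((name, src))
    return hits


def ips_verdict(events):
    """IPS step: decide per event whether it is forwarded or discarded. An event is
    discarded when its content matches a signature, or when its source has been
    flagged as brute-forcing or probing (a simplification: a real IPS acts per
    configured pattern). Returns the verdicts and a log of what was discarded."""
    blocked = detect_brute_force(events) | detect_probes(events)
    verdicts, log = [], []
    for t, src, dst, port, event, payload in events:
        content_hit = any(p.search(payload) for p in SIGNATURES.values())
        action = "drop" if (content_hit or src in blocked) else "allow"
        verdicts.append(action)
        if action == "drop":
            log.append(f"t={t} drop {src} -> {dst}:{port} ({event})")
    return verdicts, log


if __name__ == "__main__":
    print("brute force:", detect_brute_force(EVENTS))
    print("probes:     ", detect_probes(EVENTS))
    print("signatures: ", match_signatures(EVENTS))
    verdicts, log = ips_verdict(EVENTS)
    print(f"{verdicts.count('drop')} dropped, {verdicts.count('allow')} allowed")
```

The thresholds are the tuning knobs an administrator would adjust: too low and the mistyped-password user is flagged, too high and a slow brute-force attempt spread over many windows passes unnoticed.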
Virtual Private Networks
A Virtual Private Network (VPN) is a communications session between devices that can safely traverse public networks and has been made virtually private through the use of encryption technology.
There are two common ways that VPN technology is implemented:
- The first method allows many end user computers and mobile devices to communicate safely from off-campus to an organization's network. This requires:
  - VPN client software being installed and configured on each workstation that needs to establish a VPN session
  - One or more servers hosting the VPN server software that are deployed on the campus network
- The second VPN solution is a hardware-based solution that is used primarily by an organization that wants all of its network traffic from one physical site to another physical site (e.g., a connection to a branch office, a connection to another organization) to be encrypted automatically. For this option, all of the VPN configuration work is performed by the network administrator with no user involvement.
The first, software-based method is usually implemented in one of the following ways:
- One implementation uses the functionality already built into the computer’s or mobile device’s operating system and is managed using the operating system’s built-in configuration tools, e.g., Control Panel, Preferences, Setup. While configuring this type of VPN on a computer or mobile device is at most moderately complex, it can be frustrating to end users who are uncomfortable configuring their devices. In most cases, they only need to know the host name of the VPN server bank, their ID and password for the VPN, and which communications protocol to use – either PPTP (less secure) or IPsec (more secure, but more involved on the server side). The device can be configured to connect to the VPN automatically at startup, or to start and stop the VPN on demand.
- The other implementation is based-upon web technology and only requires each VPN user to open up a web browser and to enter the URL of the VPN server bank. The first time a user connects each computer or mobile device to the VPN, the server will download a Java applet to the computer that enables it to perform the VPN client functions. The VPN remains active the entire time the initial browser window used to start the VPN remains open - it can be and typically is minimized on the desktop. While this approach is very simple for the end user to initiate, its reliance on the Java Runtime Environment can add a degree of complexity, and potentially frustration, especially as new Java updates are released.
Next Generation Firewalls
Thanks to the significant improvements in computer processing speeds, memory size and storage space, the newest generation of firewalls now combine some or all of the following functions into a single, integrated solution:
- Spam filtering
When considering a next generation firewall, keep in mind that the benefits of deploying a single, integrated solution should be weighed against the inability to combine the “best of breed” in each of the functional categories.