McAfee NGFW Reference Guide for Firewall/VPN Role 5.7. NGFW Engine in the Firewall/VPN Role

Transcription

1 McAfee NGFW Reference Guide for Firewall/VPN Role 5.7 NGFW Engine in the Firewall/VPN Role

2 Legal Information The use of the products described in these materials is subject to the then current end-user license agreement, which can be found at the McAfee website: Revision: SGFRG_

3 TABLE OF CONTENTS INTRODUCTION CHAPTER 1 Using SMC Documentation How to Use This Guide Documentation Available Product Documentation Support Documentation System Requirements Supported Features Contact Information CHAPTER 2 Introduction to Firewalls The Role of the Firewall Firewall Technologies Packet Filtering Proxy Firewalls Stateful Inspection Multi-Layer Inspection Additional Firewall Features Authentication Deep Packet Inspection and Unified Threat Management Integration With External Content Inspection.. 22 Load Balancing and Traffic Management Logging and Reporting Network Address Translation (NAT) VPNs Firewall Weaknesses Complexity of Administration Single Point of Failure Worms, Viruses, and Targeted Attacks CHAPTER 3 Introduction to McAfee NGFW in the Firewall/VPN Role The McAfee NGFW Solution SMC Components Firewall/VPN Engines Main Benefits of McAfee Firewall/VPN Advanced Traffic Inspection Built-in Clustering for Load Balancing and High Availability Multi-Link Technology Built-in Inbound Traffic Management QoS and Bandwidth Management Integration with IPS and Layer 2 Firewalls Clustered Multi-Link VPNs CHAPTER 4 NGFW Deployment in the Firewall/VPN Role Deployment Overview Supported Platforms General Deployment Guidelines Positioning Firewalls External to Internal Network Boundary Internal Network Boundaries DMZ Network Boundaries INTERFACES AND ROUTING CHAPTER 5 Single Firewall Configuration Overview to Single Firewall Configuration Configuration of Single Firewalls Dynamic Firewall Interface Addresses Internal DHCP Server Security Strength of Management Connections 45 Configuration Workflow Task 1: Create Single Firewall Elements Task 2: Define Physical Interfaces Task 3: Define VLAN Interfaces Task 4: Define Tunnel Interfaces Task 5: Define an ADSL Interface Task 6: Define a Wireless Interface Task 7: Define IP Addresses Task 8: Define Loopback IP Addresses Task 9: Define Modem Interfaces Task 10: Install the Firewall Engine Task 11: Install a Firewall Policy Example of a Single Firewall Deployment Setting up a Single Firewall Adding a New Interface to an Existing Configuration Table of Contents 3

4 CHAPTER 6 Firewall Cluster Configuration Overview to Firewall Cluster Configuration Benefits of Clustering Communication Between the Nodes Hardware Security Strength of Management Connections 53 Configuration of Firewall Clusters Load Balancing Standby Operation Network Interfaces and IP Addresses Clustering Modes How Packet Dispatch Works Configuration Workflow Task 1: Create a Firewall Cluster Element Task 2: Create Physical Interfaces Task 3: Define VLAN Interfaces Task 4: Define Tunnel Interfaces Task 5: Configure Physical or VLAN Interfaces Task 6: Define Loopback IP Addresses Task 7: Install the Firewall Engines Task 8: Install a Firewall Policy Using a Firewall Cluster Internal DHCP Server Node State Synchronization Security Level for State Synchronization Manual Load Balancing Examples of Firewall Cluster Deployment Setting up a Firewall Cluster Adding a Node to a Firewall Cluster CHAPTER 7 Master Engine and Virtual Firewall Configuration Overview to Master Engine and Virtual Firewall Configuration Configuration of Master Engines and Virtual Firewalls Configuration Workflow Task 1: Create a Master Engine Element Task 2: Create Virtual Resource Element(s) Task 3: Configure Master Engine Interfaces Task 4: Create a Virtual Firewall Element Task 5: Configure Virtual Firewall Interfaces Task 6: Install a Firewall Policy Using Master Engines and Virtual Firewalls Moving a Virtual Firewall to a Different Master Engine Using Master Engines and Virtual Firewalls With Domains Example of Master Engine and Virtual Firewall Deployment Deploying Virtual Firewalls for MSSP Customers CHAPTER 8 Routing and Antispoofing Overview to Routing and Antispoofing Configuration of Routing and Antispoofing Reading the Routing and Antispoofing Trees.. 74 Multi-Link Routing Default Elements Configuration Workflow Task 1: Add Router or NetLink Task 2: Add Network(s) Task 3: Refresh Firewall Policy Using Routing and Antispoofing Policy Routing Multicast Routing Modifying Antispoofing Monitoring Routing Examples of Routing Routing Traffic with Two Interfaces Routing Internet Traffic with Multi-Link Routing Traffic to Networks That Use Same Address Space ACCESS CONTROL POLICIES CHAPTER 9 Firewall Policies Overview to Firewall Policies Policy Hierarchy How the Engine Examines Traffic Configuration of Policy Elements Default Elements Configuration Workflow Task 1: Create a Template Policy Task 2: Create a Policy Task 3: Create a Firewall Sub-Policy Task 4: Install the Policy Table of Contents

5 Using Policy Elements and Rules Validating Policies User Responses Connection Tracking vs. Connectionless Packet Inspection Policy Snapshots Continue Rules Adding Comments to Rules Naming Rules Examples of Policy Element Use Protecting Essential Communications Improving Readability and Performance Restricting Administrator Editing Rights CHAPTER 10 Access Rules Overview to Access Rules Configuration of Access Rules Considerations for Designing Access Rules Default Elements Configuration Workflow Task 1: Define the Source and Destination Task 2: Define the Service Task 3: Select the Action and Action Options Task 4: Select Logging Options Task 5: Add User Authentication Requirements Task 6: Restrict the Time When the Rule Is Enforced Task 7: Restrict the Rule Match Based on Source VPN Using Access Rules Allowing System Communications Configuring Default Settings for Several Rules 111 Using Continue Rules to Set Logging Options Using Continue Rules to Set the Protocol Using Aliases in Access Rules Creating User-Specific Access Rules Using Domain Names in Access Rules Interface Matching in Access Rules Examples of Access Rules Example of Rule Order Example of Continue Rules Example of User-Specific Rules CHAPTER 11 Inspection Policies Overview to Inspection Policies Configuration of Inspection Policies Verifying and Tuning Inspection Considerations for Designing Inspection Policies Exception Rule Cells Default Elements Configuration Workflow Task 1: Create an Inspection Policy Task 2: Activate Deep Inspection in Firewall Policies Task 3: Activate the Relevant Inspection Checks Task 4: Define the Exceptions Task 5: Eliminate False Positives Task 6: Add Custom Inspection Checks Using Inspection Policies Setting Default Options for Several Inspection Exceptions Importing Snort Rules Libraries Example of Inspection Rules Eliminating a False Positive CHAPTER 12 Network Address Translation (NAT) Overview of NAT Element-Based NAT Static Source Translation Dynamic Source Translation Static Destination Translation Destination Port Translation Configuration of NAT Considerations for Designing NAT Rules Default Elements Configuration Workflow Task 1: Define Source, Destination, and Service Task 2: Define Address Translation Task 3: Define the Firewall(s) that Apply the Rule Task 4: Check Other Configurations Using NAT and NAT Rules NAT and System Communications Example of a Situation Where a Contact Address is Needed Contact Addresses and Locations Outbound Load-Balancing NAT Table of Contents 5

6 Proxy ARP and NAT Protocols and NAT Examples of NAT Dynamic Source Address Translation Static Address Translation NAT with Hosts in the Same Network CHAPTER 13 Protocol Agents Overview to Protocol Agents Connection Handling Protocol Validation NAT in Application Data Configuration of Protocol Agents Configuration Workflow Task 1: Create a Custom Service with a Protocol Agent Task 2: Set Parameters for the Protocol Agent Task 3: Insert the Service in Access Rules Using Protocol Agents FTP Agent GRE Agent GTP Agent H323 Agent HTTP Agent HTTPS Agent MGCP Agent MSRPC Agent NetBIOS Agent Oracle Agent RTSP Agent SCCP Agent Services in Firewall Agent Shell Agent SIP Agent SMTP Agent SSH Agent SunRPC Agent TCP Proxy Agent TFTP Agent Examples of Protocol Agent Use Preventing Active Mode FTP Logging URLs Accessed by Internal Users CHAPTER 14 TLS Inspection Overview to TLS Inspection Configuration of TLS Inspection Default Elements Configuration Workflow Task 1: Create Server Credentials Elements Task 2: Create Client Protection Certificate Authority Elements Task 3: Exclude Traffic from Decryption and Inspection Task 4: Activate TLS Inspection Using TLS Inspection Security Considerations Virus Scanning of Decrypted TLS Traffic URL Filtering Decrypted TLS Traffic Examples of TLS Inspection Server Protection Client Protection CHAPTER 15 URL Filtering Overview to URL Filtering Configuration of URL Filtering Default Elements Configuration Workflow Task 1: Prepare the Firewall Task 2: Create User Response Messages Task 3: Blacklist/Whitelist Individual URLs. 165 Task 4: Configure URL Filtering Rules Examples of URL Filtering Allowing a Blocked URL CHAPTER 16 Spam Filtering Overview to Spam Filtering Configuring Spam Filtering Configuration Workflow Task 1: Define Spam Filtering for a Firewall Task 2: Select Traffic for Inspection with Access Rules Task 3: Select Traffic Not to Be Filtered Using Spam Filtering Anti-Spoofing and Anti-Relay Protection Handling Address Forgery Spam Filter Sensitivity Settings Spam Filtering Rules Table of Contents

7 DNS-Based Blackhole Lists CHAPTER 17 Virus Scanning Overview to Virus Scanning Configuration of Virus Scanning Configuration Workflow Task 1: Activate the Anti-Virus Feature for a Firewall Task 2: Select Traffic for Inspection with Access Rules Task 3: Define the Content Not to Be Scanned Using Virus Scanning Integrated Scanning vs. Content Inspection Server Limitations of Virus Scanning on Clusters CHAPTER 18 External Content Inspection Overview to Content Inspection Configuration of Content Inspection Default Elements Configuration Workflow Task 1: Create a CIS Server Element Task 2: Create a Custom Service for Content Inspection Server Redirection Task 3: Define Access Rules for Redirection Task 4: Configure NAT Rules for Content Inspection Server Redirection Using Content Inspection Example of Content Inspection Inspecting Internal User s Web Browsing and File Transfers CHAPTER 19 Situations Overview to Situations Configuration of Situations Situation Contexts Correlation Contexts Anti-Virus Contexts DoS Detection Contexts Scan Detection Contexts Protocol-Specific Contexts File Contexts System Contexts Default Elements Configuration Workflow Task 1: Create a Situation Element Task 2: Add a Context for the Situation Task 3: Associate Tags and/or Situation Types with the Situation Task 4: Associate the Situation with a Vulnerability Using Situations Example of Custom Situations Detecting the Use of Forbidden Software CHAPTER 20 Applications Overview to Applications Configuration of Applications Default Elements Configuration Workflow Task 1: Define TLS Matches Task 2: Create Access Rules Examples of Applications Blocking Application Use CHAPTER 21 Blacklisting Overview to Blacklisting Risks of Blacklisting Configuration of Blacklisting Configuration Workflow Task 1: Define Blacklisting in Access Rules Task 2: Define Exceptions in the Inspection Policy Using Blacklisting Manual Blacklisting Monitoring Blacklisting Whitelisting USERS AND AUTHENTICATION CHAPTER 22 Directory Servers Overview to Directory Servers Configuration of Directory Servers Internal User Database Authentication Server User Linking External Directory Server Integration User Agents for Active Directory Configuration Workflow Task 1: Create an LDAP Server or an Table of Contents 7

8 Active Directory Server Element Task 2: Add an LDAP Domain Task 3: Add Users and User Groups or Link Users Task 4: Install and Configure the User Agent Examples of Directory Servers Using the Internal User Database Integrating a Microsoft Active Directory Server 206 CHAPTER 23 User Authentication on the Firewall Overview to User Authentication on the Firewall 208 Configuration of User Authentication on the Firewall Default Elements Configuration Workflow Task 1: Define User Authentication in IPv4 Access Rules Task 2: Configure User Authentication Interfaces Example of User Authentication on the Firewall. 211 Authenticating VPN Client Users CHAPTER 24 External User Authentication Overview to External User Authentication Configuration of External User Authentication Directory Servers for External User Authentication RADIUS Authentication TACACS+ Authentication Authentication Methods Federated Authentication Default Elements Configuration Workflow Task 1: Define Servers Task 2: Associate Authentication Methods with Servers Task 3: Define User Authentication in IPv4 Access Rules Task 4: Configure User Authentication Interfaces Examples of External User Authentication Integrating a Microsoft Active Directory Server 220 Using SecurID Authentication with Stonesoft IPsec VPN Clients TRAFFIC MANAGEMENT CHAPTER 25 Outbound Traffic Management Overview of Outbound Traffic Management Configuration of Multi-Link Load-Balancing Methods Standby NetLinks for High Availability Link Status Probing Configuration Workflow Task 1: Create NetLink Elements Task 2: Configure Routing for NetLinks Task 3: Combine NetLinks into Outbound Multi-Link Elements Task 4: Create NAT Rules for Outbound Traffic Using Multi-Link Multi-Link with a Single Firewall Multi-Link with a Firewall Cluster Using Multiple Outbound Multi-Link Elements. 231 Examples of Multi-Link Preparing for ISP Breakdown Excluding a NetLink from Handling a QoS Class of Traffic Balancing Traffic According to Link Capacity Balancing Traffic between Internet Connections 233 CHAPTER 26 Inbound Traffic Management Overview to Server Pool Configuration Configuration of Server Pools Multi-Link for Server Pools Default Elements Configuration Workflow Task 1: Define Hosts Task 2: Combine Hosts into a Server Pool Element Task 3: Configure the External DNS Server Task 4: Create an Inbound Load- Balancing Rule Task 5: Set up Server Pool Monitoring Agents Using Server Pools Dynamic DNS (DDNS) Updates Using Server Pool Monitoring Agents Examples of Server Pools Load Balancing for Web Servers Table of Contents

9 Setting up Multi-Link and Dynamic DNS Updates CHAPTER 27 Bandwidth Management and Traffic Prioritization Overview to Bandwidth Management and Traffic Prioritization Bandwidth Management Traffic Prioritization Effects of Bandwidth Management and Prioritization Configuration of Limits, Guarantees, and Priorities for Traffic Default Elements Configuration Workflow Task 1: Define QoS Classes Task 2: Define QoS Policies Task 3: Assign QoS Classes to Traffic Task 4: Define QoS for Interfaces and VPNs Using Bandwidth Management and Traffic Prioritization Designing QoS Policies Communicating DSCP Markers Managing Bandwidth of Incoming Traffic Collecting QoS Class-Based Statistics Examples of Bandwidth Management and Traffic Prioritization Ensuring Quality of Important Communications 256 Preparing for ISP Breakdown Limiting the Total Bandwidth Required VIRTUAL PRIVATE NETWORKS CHAPTER 28 Overview to VPNs Introduction to VPNs IPsec VPNs Tunnels Security Associations (SA) Internet Key Exchange (IKE) Perfect Forward Secrecy (PFS) Authentication Header (AH) and Encapsulating Security Payload (ESP) Authentication Tunnel and Transport Modes IPsec VPN Topologies for Policy-Based VPNs CHAPTER 29 Policy-Based VPN Configuration Overview to Policy-Based VPN Configuration Configuration of Policy-Based VPNs Default Elements Configuration Workflow Task 1: Define the Gateway Settings Task 2: Define the Gateway Profile Task 3: Define the Gateways Task 4: Define the Sites Task 5: Create Certificates Task 6: Define the VPN Profile Task 7: Define the VPN Element Task 8: Modify the Firewall Policy Task 9: Configure VPN Clients and External Gateway Devices Using VPNs VPN Logging Using a Dynamic IP Address for a VPN End-Point Using a NAT Address for a VPN End-Point Supported Authentication and Encryption Methods FIPS Mode GOST-Compliant Systems Message Digest Algorithms Authentication Methods Encryption Algorithms Using Pre-Shared Key Authentication Using Certificate Authentication Validity of Certificates Internal VPN Certificate Authorities External Certificate Authorities Configuring Policy-Based VPNs with External Gateway Devices Clustering and Policy-Based VPNs Multi-Link and Policy-Based VPNs Providing Encryption for the Route-Based VPN in Tunnel Mode Examples of Policy-Based VPN Configurations. 289 Creating a Policy-Based VPN Between Three Offices Creating a Policy-Based VPN for Mobile Users 291 Creating a Policy-Based VPN That Requires NAT Table of Contents 9

10 CHAPTER 30 Route-Based VPN Configuration Overview to Route-Based VPN Configuration Configuration of the Route-Based VPN Default Elements Configuration Workflow Task 1: Define Tunnel Interfaces Task 2: Configure Routing and Antispoofing for Tunnel Interfaces Task 3: Define the Gateways Task 4: Define the VPN Profile Task 5: Define Route-Based VPN Tunnels Task 6: Add Access Rules to Allow the Traffic Task 7: Refresh Firewall Policy Using the Route-Based VPN Configuring the Route-Based VPN with External Gateway Devices Using the Route-Based VPN in Tunnel Mode Using the Route-Based VPN with Dynamic Routing Examples of Route-Based VPN Configurations Protecting Dynamic Routing Communications. 302 Configuring a Route-Based VPN with an External Gateway APPENDICES APPENDIX A Command Line Tools Security Management Center Commands NGFW Engine Commands Server Pool Monitoring Agent Commands APPENDIX B Default Communication Ports Security Management Center Ports Security Engine Ports APPENDIX C Predefined Aliases Predefined User Aliases System Aliases APPENDIX D Situation Context Parameters Correlation Context Parameters Regular Expression Parameter Other Context Parameters APPENDIX E Regular Expression Syntax SMC Regular Expression Syntax Special Character Sequences Pattern-Matching Modifiers Variable Expression Evaluation Stream Operations System Variables Independent Subexpressions Parallel Matching Groups Tips for Working With Regular Expressions APPENDIX F Schema Updates for External LDAP Servers APPENDIX G SNMP Traps and MIBs APPENDIX H Multicasting The General Features of Multicasting Multicasting vs. Unicasting Multicasting vs. Broadcasting IP Multicasting Overview Multicasting Applications Internet Group Management Protocol Membership Messages Ethernet Multicasting Multicasting and McAfee Firewalls Unicast MAC Multicast MAC Multicast MAC with IGMP Glossary Index Table of Contents

11 INTRODUCTION In this section: Using SMC Documentation - 13 Introduction to Firewalls - 17 Introduction to McAfee NGFW in the Firewall/VPN Role - 25 NGFW Deployment in the Firewall/VPN Role

12 12

13 CHAPTER 1 USING SMC DOCUMENTATION This chapter describes how to use this guide and related documentation. It also provides directions for obtaining technical support and giving feedback about the documentation. The following sections are included: How to Use This Guide (page 14) Documentation Available (page 15) Contact Information (page 16) 13

14 How to Use This Guide The McAfee NGFW Reference Guide for Firewall/VPN Role provides information that helps administrators of McAfee NGFW in the Firewall/VPN role to understand the system and its features. It provides high-level descriptions and examples of the configuration workflows. This guide is divided into several sections. The chapters in the first section provide a general introduction to McAfee NGFW in the Firewall/VPN role. The sections that follow each include chapters related to one feature area. The last section provides detailed reference information in tabular form, and some guideline information. For other available documentation, see Documentation Available (page 15). Typographical Conventions The following conventions are used throughout the documentation: Table 1.1 Typographical Conventions Formatting User Interface text References, terms Command line User input Command parameters Informative Uses Text you see in the User Interface (buttons, menus, etc.) and any other interaction with the user interface are in bold-face. Cross-references and first use of acronyms and terms are in italics. File names, directories, and text displayed on the screen are monospaced. User input on screen is in monospaced bold-face. Command parameter names are in monospaced italics. We use the following ways to indicate important or additional information: Note Notes prevent commonly-made mistakes by pointing out important points. Caution Cautions prevent breaches of security, information loss, or system downtime. Cautions always contain critical information that you must observe. Tip Tips provide additional helpful information, such as alternative ways to complete steps. Example Examples present a concrete scenario that clarifies the points made in the adjacent text. 14 Chapter 1 Using SMC Documentation

15 Documentation Available Stonesoft technical documentation is divided into two main categories: Product Documentation and Support Documentation (page 16). Each SMC product has a separate set of manuals. Product Documentation The table below lists the available product documentation. Table 1.2 Product Documentation Guide Reference Guide Installation Guide Online Help Administrator s Guide User s Guide Appliance Installation Guide Description Explains the operation and features of the SMC comprehensively. Demonstrates the general workflow and provides example scenarios for each feature area. Available as separate guides for McAfee Security Management Center and McAfee Firewall/VPN, and as a combined guide for McAfee IPS and McAfee Layer 2 Firewall. Instructions for planning, installing, and upgrading the SMC. Available as separate guides for McAfee Security Management Center and McAfee Firewall/VPN, and as a combined guide for McAfee IPS and McAfee Layer 2 Firewall. Describes how to configure and manage the system step-by-step. Accessible through the Help menu and by using the Help button or the F1 key in any window or dialog. Available in the Management Client and the Web Portal. An HTML-based system is available in the SSL VPN Administrator through help links and icons. Describes how to configure and manage the system step-by-step. Available as a combined guide for McAfee Firewall/VPN, McAfee IPS, and McAfee Layer 2 Firewall, and as separate guides for the SSL VPN and the IPsec VPN Client. Instructions for end-users. Available for the IPsec VPN Client and the Web Portal. Instructions for physically installing and maintaining McAfee NGFW appliances (rack mounting, cabling, etc.). Available for all McAfee NGFW appliances. PDF guides are available at current/. The McAfee SMC Administrator s Guide, and the Reference Guides and Installation Guides for McAfee Security Management Center, McAfee Firewall/VPN, McAfee IPS, and McAfee Layer 2 Firewall are also available as PDFs on the Security Management Center DVD. Documentation Available 15

16 Support Documentation The McAfee support documentation provides additional and late-breaking technical information. These technical documents support the SMC guide books, for example, by giving further examples on specific configuration scenarios. The latest technical documentation is available at System Requirements The certified platforms for running the McAfee Next Generation Firewall from Intel Security (NGFW) can be found at the product pages at firewall_vpn/. The hardware and software requirements for the SMC and version-specific details for all software products can be found in the Release Notes available at Supported Features Not all features are supported on all platforms. See the Appliance Software Support Table for more information. Contact Information For general information about SMC products, visit our web site at 16 Chapter 1 Using SMC Documentation

17 CHAPTER 2 INTRODUCTION TO FIREWALLS This chapter introduces and discusses the underlying security principles of firewalls in general. In this chapter we will discuss what firewalls are, which different types of firewalls there are, how they are used, what they are capable of, as well as what their possible weaknesses are. The following sections are included: The Role of the Firewall (page 18) Firewall Technologies (page 19) Additional Firewall Features (page 21) Firewall Weaknesses (page 24) 17

18 The Role of the Firewall Firewalls are the primary tool for perimeter access control between networks with different security levels. Firewalls control the traffic between networks and deny access that does not look like acceptable business use as defined by the administrators. The generally accepted principle of access control is whatever is not expressly permitted is denied. The most secure network is achieved when nobody and nothing is permitted entry to the protected network. In most cases, such a network is naturally too limited, so a firewall must be introduced to allow specific limited services to pass in a safe way. That means that in order for any traffic to be allowed into the network, it must first match an explicit allow rule. There are three main types of platforms for running a firewall: Dedicated McAfee NGFW appliances. Firewall software installed on a server dedicated to be used as a firewall. Firewall software running as a virtual machine in a virtualized server environment. McAfee Firewalls are available on all of these platform types. Regardless of the type of platform, the network structure in which the firewalls are placed must be carefully designed so that there are no loopholes or back doors. Firewalls can only control traffic that actually passes through them; even the most carefully planned firewall system can be undermined by a single back door that allows traffic to circumvent the firewall. In addition to access control, modern firewall devices often include a variety of additional integrated features, such as intrusion prevention systems (IPS), content filtering, anti-virus, and anti-spam. In this chapter, the additional features are discussed separately, and the discussion focuses on the primary role of access control. Such additional features in McAfee Firewalls are covered in more detail in section Additional Firewall Features (page 21). 18 Chapter 2 Introduction to Firewalls

19 Firewall Technologies This section presents an overview to the main firewall techniques, and explains how McAfee Firewalls use them. The discussion here is limited to the traditional firewall component of a firewall system; the various additional inspection features that modern firewalls often incorporate are discussed separately. Traditional firewall features are commonly achieved through three main techniques: packet filtering proxy firewalls stateful inspection. The next sections first discuss these techniques separately and then explains how they can be utilized together to achieve an optimal balance between performance and security. Packet Filtering Packet filtering examines the header information of packets and allows or stops each packet individually. In addition to firewalls, such simple access control lists (ACLs) are implemented on most common routing devices. Pure packet filters cannot protect against protocol misuse or other malicious contents in higher levels of the protocol stack. However, for some simple network protocols, packet filtering can be light on firewall resources and even provide an adequate level of protection. Proxy Firewalls Proxy firewalls are firewalls running application proxy services. Proxies are a man-in-the-middle, and they establish their own separate connections to both the client and the server. This type of firewall is fully application-aware, and therefore very secure, but at the same time there s a trade-off in performance due to the inevitable increase in overhead. Illustration 2.1 Proxy Firewall Model Firewall Technologies 19

20 Stateful Inspection Stateful inspection firewalls are aware of basic networking standards and use historical data about connections in determining whether to allow or stop a packet. They track the established connections and their states in dynamic state tables and ensure that the connections comply with the security policies and protocol standards. Since stateful inspection understands the context of connections (and therefore can relate the returning packets to appropriate connections), connections already determined to be secure can be allowed without full examination based on previous packets. This is especially important with services such as FTP, which can open several related connections that do not match a single basic profile. Even though Stateful inspection has some application awareness, it concentrates on protocols, not on inspecting data at the application layer. Multi-Layer Inspection Multi-Layer Inspection combines application layer inspection, stateful inspection, and packet filtering technologies flexibly for optimal security and system performance. Like stateful inspection, the McAfee Firewall uses state tables to track connections and judge whether a packet is a part of an established connection or not. The McAfee Firewall also features application-layer inspection through specific Protocol Agents, when necessary, for enhanced security to inspect data all the way up to the application layer. The McAfee Firewall can also act as a packet filter for types of connections that do not require the security considerations of stateful inspection. Illustration 2.2 Multi-layer Inspection Model By default, all McAfee Firewall Access rules implement stateful inspection, but the administrator can flexibly configure rules with simple packet filtering or an additional layer of application level security as needed. McAfee Firewalls apply application level inspection with or without proxying the connections, depending on what is required. Application level inspection can be selected to certain types of traffic by attaching a connection to a protocol-specific Protocol Agent. 20 Chapter 2 Introduction to Firewalls