Leveraging Network-based Firewall Services in your Next Generation Wide Area Network Solution

Qwest Communications International Inc.
Virtual Private Network (VPN) Services
June 2001
Introduction

In 1999, Qwest Communications introduced the industry's first next generation IP-based Virtual Private Network (VPN) solution, built on new network-based technology. This service makes it possible for enterprises to build integrated wide area networks, remote access and Internet access solutions in a feature-rich and economical fashion. One of the key strengths of this solution is that it provides scalable, flexible firewall services to businesses of all sizes and security needs. Qwest uses leading-edge security technologies to route data across its extensive OC-192 IP backbone and then leverages its advanced Network VPN gateway infrastructure to protect customers from intruders. This effectively eliminates the need to install and administer complex firewalls, yet gives customers a high level of control over their own security management.

This paper will focus on the components of managed firewalls within network-based IP-VPN solutions. It will review the need for combining Internet access with IP-VPN networks and discuss the advantages of network-based firewall services. It will explain the underlying architecture behind Qwest VPN and how the associated managed firewall functionality is delivered to customers. Finally, it will illustrate the importance of industry certification in the solution that enterprises choose to protect their valuable resources.

A Robust Security Solution is Essential for Enterprise Internet Connectivity

Network security is more critical than ever. Hackers have repeatedly shown that even novices have the knowledge to wreak havoc on corporate networks. In early 2000, for example, a series of orchestrated denial-of-service attacks cost companies upwards of $1.2 billion in both capital and revenue losses [1]. This toll does not include the impact on customer relationships.

There are several forms of cyber assault. The most common are Denial of Service (DoS), Distributed Denial of Service (DDoS) and Spoofing attacks.
They can be defined as follows:

DoS attacks prevent a server from performing its normal functions because it is flooded with a high volume of irregular requests such as pings. Normally these attacks are launched from one server against another server. These pings overload the processor and monopolize bandwidth so that legitimate traffic cannot reach the server.

DDoS attacks are similar except that they are launched from multiple servers. The intention and results are the same. Most DDoS attacks are conducted through code planted on the attacking servers, called slaves. The remote or master server can command the slaves to launch an attack at any time.

Spoofing is another form of cyber assault. Spoof attacks occur when a legitimate source IP address is pirated and used illegitimately to mount an assault on a server. The incoming packet gains access behind the firewall because the address appears legitimate. This is a technique used by hardcore hackers.

Large corporations are not the only ones that feel this threat. A survey by the consulting firm HTRC Group of San Jose, Calif., showed that 53 percent of companies with fewer than 100 employees called DoS and DDoS a critical security issue.

[1] Yankee Group article, "$1.2 Billion Impact Seen as a Result of Recent Attacks Launched by Internet Hackers," by Senior Analyst Matthew Kovar of the Data Communications Planning Service.
The Internet itself harbors a wealth of information about how to launch such attacks. With this information readily available, the likelihood of attacks is increasing. Little can be done to prevent the launch of bandwidth attacks, but they can be fended off through proactive security policies.

A firewall allows only acceptable traffic to pass through by monitoring incoming and outgoing packets during online sessions. Acceptable traffic is determined by a set of rules, collectively called policies, which are defined by the enterprise or the service provider. Traffic that falls outside the established policy is dropped before it enters the network.

Businesses with VPNs have three options for building a firewall: installing firewall software on individual PCs, installing customer premises equipment (CPE) firewall solutions, or subscribing to a service provider's managed firewall solution. Qwest offers a wide range of managed security solutions. Its managed firewall solutions are tiered to meet the performance and perimeter security requirements of small to large enterprises, whether the customer prefers a CPE-based solution or a network-based solution. Subscribing to a network-based solution is particularly attractive to businesses because of the robust nature of this type of solution and the cost-effective environment from which it is delivered.

The Network-Based Firewall

Qwest delivers its network-based firewall solutions via distributed Network VPN gateways located at the point in the network where subscribers meet the Internet. Since this type of firewall technology is located on the edge of the network, Qwest has complete control and visibility over subscribers' traffic flow. Because of this visibility, the Network VPN gateway is the most strategic point at which to establish a managed firewall.
The Qwest Network VPN gateways integrate advanced policy-based, state-aware firewall capabilities and anti-spoofing security services through the IP Services Operating System (iSOS), together with Remote Authentication Dial-In User Service (RADIUS) authentication support, activity logging, encryption and support for content filtering. Because of the Network VPN gateway's flexibility, Qwest security services can be provided to subscribers as a complete package or individually on a per-subscriber basis.

There are many benefits to a network-based firewall:

- By placing a firewall at the Network VPN gateway, Qwest can readily provide customers with the efficiencies necessary to cost-effectively manage network security.
- The firewall's location ensures customers do not have to wait for maintenance calls or worry about maintaining the firewall on site. All management, support and upgrade activities are delivered through the network.
- Qwest network-based firewalls are scalable, allowing customers to quickly and easily expand, change or enhance their security capabilities as business needs evolve.
- The Qwest firewall solution allows customers to leverage their existing router infrastructure, resulting in significant savings.

Firewall Architecture
There are two types of network-based firewalls, state-aware and proxy-based. Qwest offers state-aware firewalls, which are more suitable to VPN applications and rely on advanced packet filtering technologies. They overcome the limitations of other firewall technologies by combining full application-layer awareness with full integration in the client/server model. State-aware firewalls recognize and track application flows that use static Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports, such as telnet or Hyper Text Transfer Protocol (HTTP). They also recognize and track applications that create and use dynamic ports, such as File Transfer Protocol (FTP), streaming media, VoIP/H.323, Microsoft NetMeeting/NetShow and Oracle databases.

The Qwest high-end state-aware firewall technology intercepts packets at the network layer and analyzes the protocols, extracting the state-related information necessary for policy-based security decisions. The firewall does this by associating ingress and egress packets with an IP conversation. When a subscriber connects to a Web site via TCP, the first packet of the connection belongs to no previous conversation, causing the firewall to initiate a new conversation. Using the IP parameters of the initiating packet, the firewall matches the conversation against the security policy to determine whether its packets should be allowed to pass. Response packets that match an existing conversation are allowed through because the initial packet already matched the security policy. IP response packets that match no conversation are dropped, protecting the server against DoS attacks.

FTP connections operate in a similar fashion; however, FTP uses the initial connection to negotiate new TCP connections. This creates an opportune opening for a random port to gain access to the network.
The firewall recognizes the initial control connection as FTP and critically analyzes all data connections and related negotiations. The firewall then determines the expected TCP connection by evaluating the data connections and negotiations. Applying the security policy, all packets associated with that connection are considered part of that FTP conversation. State-aware filtering admits only solicited TCP, UDP or Internet Control Message Protocol (ICMP) packets onto the network, protecting users from most network-based direct infiltration attack scenarios.

User-defined Firewall Security Policies

When considering firewall security, enterprises should have the option of creating their own firewall security policies. The Qwest network-based firewalls are equipped with automatic security measures that include default policies, but Qwest gives its customers the added flexibility to uniquely define firewall policies on every port connection.

When evaluating a network-based firewall solution, the service provider must customize rule settings for individual customers and their various locations and branch offices. With multiple customers accessing the same Network VPN gateway, discrete policies are critical. A one-size-fits-all policy may leave some companies ill protected while others are more restricted than required.

Qwest uses Graphical User Interface (GUI) templates available within its Network VPN gateways for rulemaking to enable firewall managers to quickly and seamlessly add new users. The templating feature also enables Qwest customers to add employees at remote and branch offices or telecommuting sites quickly and effectively, with the same level of firewall protection as those at the central location. Using the GUI, Qwest provides customizable firewall settings tailored to individual sites and their user groups.
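The conversation tracking described under Firewall Architecture above, shown as an added Python example. This is constructed illustration code, not Qwest's or Nortel's implementation: the inside prefix 10.0.0.0/24, the addresses, the packet record and the policy function are all assumptions. The filter opens a conversation only when the policy accepts the opening packet, admits replies that match an existing conversation, learns an active-mode FTP data channel from the PORT command on the control connection so that the server's inbound data connection is expected and admitted, and drops every unsolicited SYN or stray "response" that matches no conversation.

```python
"""State-aware packet filter, as a constructed illustration (not Qwest/Nortel code).

A packet is admitted if it belongs to a conversation the policy already approved.
Conversations are opened only by packets the policy accepts, or by TCP data
connections that an FTP control session announced with a PORT command.
Anything else, including "responses" to conversations that never existed, is dropped.
"""
import re
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."   # constructed: the subscriber's address space


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False    # TCP SYN (no ACK): the packet tries to open a connection
    payload: bytes = b""


def conv_key(p):
    """Direction-independent conversation key: both sides map to the same entry."""
    return (p.proto,) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def inside_initiates_policy(p):
    """Security policy for conversation-opening packets: only inside hosts may start one."""
    return p.src.startswith(INSIDE_PREFIX)


class StateAwareFirewall:
    def __init__(self, policy):
        self.policy = policy
        self.conversations = set()   # approved conversation keys
        self.expected = set()        # (ftp server, data host, data port) awaiting the server's connect
        self.dropped = []

    def _learn_ftp_port(self, p):
        # Active-mode FTP: the client sends "PORT h1,h2,h3,h4,p1,p2" on the control channel and
        # the server will open a data connection back to h1.h2.h3.h4 on port p1*256+p2.
        m = re.match(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", p.payload)
        if m:
            n = [int(x) for x in m.groups()]
            self.expected.add((p.dst, ".".join(map(str, n[:4])), n[4] * 256 + n[5]))

    def handle(self, p):
        key = conv_key(p)
        if key in self.conversations:
            if p.proto == "tcp" and p.dport == 21:      # client -> server on the control channel
                self._learn_ftp_port(p)
            return "accept"
        opening = p.proto != "tcp" or p.syn             # non-SYN TCP can never start a conversation
        if opening and (p.src, p.dst, p.dport) in self.expected:
            self.expected.discard((p.src, p.dst, p.dport))   # one announced data connection, used once
            self.conversations.add(key)
            return "accept"
        if opening and self.policy(p):
            self.conversations.add(key)
            if p.proto == "tcp" and p.dport == 21:
                self._learn_ftp_port(p)
            return "accept"
        self.dropped.append(p)
        return "drop"


def demo():
    """Constructed traffic; returns the verdict for each packet in order."""
    fw = StateAwareFirewall(inside_initiates_policy)
    traffic = [
        Packet("tcp", "10.0.0.5", 40000, "198.51.100.10", 80, syn=True),    # inside opens web session
        Packet("tcp", "198.51.100.10", 80, "10.0.0.5", 40000),              # reply matches conversation
        Packet("tcp", "203.0.113.7", 12345, "10.0.0.5", 80, syn=True),      # unsolicited inbound SYN
        Packet("tcp", "203.0.113.7", 80, "10.0.0.5", 40001),                # "reply" to nothing
        Packet("tcp", "10.0.0.5", 40002, "198.51.100.20", 21, syn=True),    # inside opens FTP control
        Packet("tcp", "10.0.0.5", 40002, "198.51.100.20", 21,
               payload=b"PORT 10,0,0,5,160,1\r\n"),                       # announces data port 40961
        Packet("tcp", "198.51.100.20", 20, "10.0.0.5", 40961, syn=True),    # expected data connection
        Packet("tcp", "203.0.113.7", 20, "10.0.0.5", 40961, syn=True),      # wrong host for that port
    ]
    return [fw.handle(p) for p in traffic]


if __name__ == "__main__":
    print(demo())
```

The two drops in the middle of the trace are the point of the passage: an inbound SYN that no inside host asked for and a packet that looks like a reply but belongs to no conversation are both refused, while the FTP server's data connection, which would otherwise be an unsolicited inbound SYN, is admitted only because the control channel announced exactly that host and port.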
The Qwest advanced gateway technology is able to customize policies using a series of specifications for each rule. These specifications include source, destination, service, action, log and remark.

Source and destination refer to where the data will come from and where it will go. Keywords such as "any" open the door to almost any source, while "peer addr" allows only specific outside traffic through. Users who aren't prepared to be that specific might add options such as "host", "gateway" or "network".

Service refers to which protocols are accepted or rejected. These may include HTTP, SMTP, FTP and network protocols such as ICMP.

Action determines which action is taken for the given rule. Typical choices include Accept or Accept via VPN, Drop Traffic and Reject Traffic. The sender of rejected traffic is notified that the data was not allowed to pass.

Log determines whether information about the traffic is recorded and how detailed that record is. Logging is usually disabled for normal activity, but activated to track a suspected attack.

Remark is a free-text description of what the particular rule allows, such as "Allows FTP access".

Firewall users who are establishing policies for the first time should thoroughly evaluate their security concerns and potential threats. It is important to work closely with Qwest in setting policies. Qwest will assign a highly skilled implementation engineer to guide customers through this process. The following questions should be considered to help firewall managers bring their needs into sharper focus:

- What IP addresses must be accessible through the firewall (e.g. FTP, Domain Naming System [DNS], Web and mail servers)?
- What applications, other than HTTP, FTP, mail protocols and other typical network traffic, will run across the firewall?
- Is content filtering required? This capability blocks predefined, user-requested content such as sporting events, music, job searches, stock information, etc., thus improving employee productivity.
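A rule engine over the six fields just described (source, destination, service, action, log, remark), as an added Python example that is neither from the page nor from Qwest or Nortel. The rule syntax, the SERVICES table, the address ranges and the link names are constructed for the illustration. Rules are evaluated first-match with traffic outside the policy dropped by default; only a reject action notifies the sender; log entries are recorded only for rules that ask for them; and, before any customer rule is consulted, the engine applies the subscriber-link anti-spoofing check that the Automatic Protection Features section below describes (a packet entering from a subscriber link must carry a source address within that link's prefix).

```python
"""Policy rule evaluation over the six rule fields (source, destination, service,
action, log, remark), as a constructed illustration; not Qwest/Nortel code.
Rule syntax, service table, address ranges and link names are all made up here."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service names the rules may reference -> (protocol, destination port); None = any port.
SERVICES = {
    "http": ("tcp", 80),
    "smtp": ("tcp", 25),
    "ftp": ("tcp", 21),
    "dns": ("udp", 53),
    "icmp": ("icmp", None),
}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int]
    link: str            # access link the packet arrived on (a subscriber link or "internet")


@dataclass(frozen=True)
class Rule:
    source: str          # "any", a host address, or a network in CIDR notation
    destination: str
    service: str         # a SERVICES key or "any"
    action: str          # "accept", "accept-via-vpn", "drop" or "reject"
    log: bool = False    # record matching traffic; normally off, switched on to track an attack
    remark: str = ""     # free-text description of what the rule is for


def addr_matches(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def service_matches(spec, pkt):
    if spec == "any":
        return True
    proto, port = SERVICES[spec]
    return pkt.proto == proto and (port is None or pkt.dport == port)


class PolicyFirewall:
    def __init__(self, rules, subscriber_links):
        self.rules = rules
        self.links = {name: ipaddress.ip_network(prefix) for name, prefix in subscriber_links.items()}
        self.log = []             # (remark, action, packet)
        self.notifications = []   # senders informed that their traffic was rejected

    def evaluate(self, pkt):
        # Automatic anti-spoofing, applied before any customer rule: traffic entering from a
        # subscriber link must carry a source address that belongs to that link.
        link = self.links.get(pkt.link)
        if link is not None and ipaddress.ip_address(pkt.src) not in link:
            self.log.append(("anti-spoofing", "drop", pkt))
            return "drop"
        for rule in self.rules:   # first matching rule decides
            if (addr_matches(rule.source, pkt.src)
                    and addr_matches(rule.destination, pkt.dst)
                    and service_matches(rule.service, pkt)):
                if rule.log:
                    self.log.append((rule.remark, rule.action, pkt))
                if rule.action == "reject":       # reject tells the sender; drop stays silent
                    self.notifications.append(pkt.src)
                return rule.action
        return "drop"   # traffic outside the established policy is dropped


def demo():
    """Constructed policy and traffic for one subscriber site (10.0.0.0/24)."""
    rules = [
        Rule("10.0.0.0/24", "any", "any", "accept", remark="Subscriber outbound"),
        Rule("any", "10.0.0.10", "http", "accept", remark="Public web server"),
        Rule("any", "10.0.0.20", "smtp", "accept", log=True, remark="Mail relay"),
        Rule("192.0.2.0/24", "10.0.0.30", "ftp", "accept-via-vpn", remark="Partner FTP over VPN"),
        Rule("198.51.100.1", "10.0.0.0/24", "icmp", "accept", remark="Monitoring server may ping"),
        Rule("any", "10.0.0.0/24", "icmp", "drop", remark="Deny all other ping"),
        Rule("203.0.113.0/24", "10.0.0.0/24", "any", "reject", log=True, remark="Known bad network"),
    ]
    fw = PolicyFirewall(rules, {"subscriber-a": "10.0.0.0/24"})
    traffic = [
        Packet("tcp", "203.0.113.5", "10.0.0.10", 80, "internet"),      # web: earlier accept rule wins
        Packet("tcp", "198.51.100.7", "10.0.0.20", 25, "internet"),     # mail, logged
        Packet("tcp", "192.0.2.9", "10.0.0.30", 21, "internet"),        # partner FTP via VPN
        Packet("icmp", "198.51.100.1", "10.0.0.10", None, "internet"),  # permitted ping
        Packet("icmp", "198.51.100.9", "10.0.0.10", None, "internet"),  # other ping dropped
        Packet("tcp", "203.0.113.5", "10.0.0.40", 22, "internet"),      # rejected, sender notified
        Packet("tcp", "198.51.100.7", "10.0.0.40", 22, "internet"),     # no rule: default drop
        Packet("tcp", "198.51.100.7", "10.0.1.20", 25, "subscriber-a"), # spoofed source on subscriber link
        Packet("tcp", "10.0.0.5", "198.51.100.10", 80, "subscriber-a"), # legitimate outbound
    ]
    verdicts = [fw.evaluate(p) for p in traffic]
    return verdicts, [entry[0] for entry in fw.log], fw.notifications


if __name__ == "__main__":
    print(demo())
```

Rule order matters: the web server accept rule sits above the catch-all reject for 203.0.113.0/24, so the first packet is admitted even though its source is in the "bad" network, and the default drop is what catches traffic nobody wrote a rule for.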
Content filtering is performed through filters that block Uniform Resource Locators (URLs) meeting certain predefined criteria.

If customers are not clear about their exact needs, Qwest offers a baseline set of rules that can be implemented until more specific needs are defined. Users replacing an existing CPE or software-based firewall with the network-based managed firewall can use their current firewall rule set to define the new rule set.

Automatic Protection Features

While customization offers protection against specific unwanted traffic, the Qwest network-based firewall technology also includes additional safeguards to protect against DoS and DDoS attacks, spoofing and other forms of cyber assault. Unlike CPE alternatives, this protection is provided at the network edge, before traffic ever reaches the access link and causes congestion.

The firewall protects against both ingress and egress spoofing. Ingress anti-spoofing rules are applied to incoming traffic, protecting otherwise legitimate subscribers from generating spoofed packets and forwarding them to other subscribers. Egress traffic is matched against a set of
valid links to ensure the source address matches the subscriber's link, preventing intruders from accessing the network.

The Qwest network-based firewall also provides protection against ping attacks by denying all ICMP ping requests that are not coming from legitimate network servers. It also protects against synchronized (SYN) floods by dropping all unsolicited SYN requests. A SYN attack forces servers into an unending loop, tying up bandwidth. The firewall prevents this kind of attack by denying access to packets with the same source and destination addresses.

For attacks that originate behind the firewall, policies are easily updated to block traffic from a particular user. If a server behind a firewall is generating floods, the network administrator can update the policies to filter any trigger commands used in the DDoS attack. The logging capability can later be used to search for and analyze questionable dropped packets to help track the assailants and block future assaults. Qwest captures full log activity for individual users for all events, including the acceptance and rejection of packets. Subscriber log files are time-stamped and stored on a log server.

Implementation and Provisioning

Implementation and provisioning of a managed firewall is a critical component of customer service. Customers require personalized attention and service. Qwest meets this need by building and assigning dedicated teams of IP engineers to each customer. These teams are responsible for understanding the customer's firewall requirements and following through with customer requests. These implementation engineers are responsible for working with customers to design solutions and for serving as a point of contact regarding their network-based VPN and firewall services.

Certification Security

Peace of mind is an important reason customers turn to managed firewalls.
The International Computer Security Association (ICSA), the worldwide leader in security assurance services for Internet-connected companies, assures a high level of confidence in a firewall product. The ICSA validates the service provider's inclusion of industry-standard security measures via easy-to-use, automatic and seamless security technology. The network-based firewall that Qwest utilizes is offered on the Nortel Networks(TM) Shasta(TM) 5000 BSN, which has undergone the rigorous testing required by the ICSA.

While ICSA certification does not guarantee a firewall product is foolproof, it does offer a set of standards with which to measure firewall capabilities against other firewall systems and services. ICSA certification criteria are based on resistance to threats and risks, or on successful outcome. They are not based on fundamental design or engineering principles or on an assessment of the underlying technology. ICSA conducts both random and annual product or system assessments. Vendors who fail to correct a problem within two to four weeks lose their certification.

Conclusion

Now more than ever, companies must address network security to ensure uninterrupted business operations. Qwest VPN with its integrated network-based managed firewall solution offers the sophisticated architecture needed in today's dynamic business environment. Industry
certified, highly customizable security features coupled with the ease of use and economies of a network-based solution enable companies to feel confident that their security concerns are adequately addressed. Managed firewalls allow enterprises to quickly and easily apply and manage network security based on their unique business requirements. Qwest provides its customers with the advanced expertise necessary to manage their network security faster, more efficiently and more cost-effectively than other firewall approaches. With a managed firewall solution from Qwest, companies are free to focus on their core competencies without worrying about managing complex network security measures.

Qwest Managed Firewall VPN is a managed CPE solution that is available anywhere in the world. Customer is responsible for obtaining Internet connectivity in association with this service. Minimum term of commitment required. Qwest provides Network VPN connectivity in the United States and select countries around the world. In the states of AZ, CO, IA, ID, MN, MT, ND, NE, NM, OR, SD, UT, WA and WY, Qwest provides Internet services in conjunction with a separate Global Service Provider (GSP) that provides customers connectivity to the global Internet. Minimum one year term of commitment. Local loop service, additional customer equipment and installation additional.