Selecting a Firewall Gilbert Held

Transcription

1 Selecting a Firewall Gilbert Held Payoff Although a company may reap significant benefits from connecting to a public network such as the Internet, doing so can sometimes compromise the security of a private network. This article discusses two types of firewalls that provide security by creating barriers between networks. Firewall solutions for three common network scenarios are also discussed. Introduction A firewall is a combination of hardware and software that functions as a programmable barrier to the flow of data between two or more networks. Those networks can be public, private, or a combination of the two. The hardware platform used to construct a firewall depends on the configuration of networks the firewall will protect. Bridge-Based Firewalls If a firewall is required to function as a barrier between two private local area networks (LANs) operating within the same building, a bridge hardware platform may be sufficient. Exhibit 1a illustrates the use of a firewall-based bridge to both interconnect two LANs and function as a programmable barrier between the flow of data from one LAN to another. The firewall obtains barrier capability through packet filtering. Using Bridge-Based Firewalls Packet Filtering When operating on a bridge platform that uses Media Access Control packet addresses as decision criteria for forwarding a packet from one LAN to another, the software in the firewall supersedes the bridging operation. That is, the firewall enables or disables the flow of packets from one network to another according to the packet-filtering criteria previously established. For example, one or more source or destination addresses or groups of addresses could be barred from traversing from one network to another. When operating on a bridge platform, a firewall's filtering capability is limited to source and destination addresses. A firewall cannot make decisions based on the application or any other criteria. This limitation is the result of a requirement for additional filtering to occur at the network layer while the bridge operates at the data link layer. Although filtering is limited, a bridge-based firewall is suitable for many intracompany applications. For example, the use of packet filtering can prevent specific users on one network from attempting to access a print or file server on another network. Although packet filtering is no substitute for password protection for controlling access to servers, it can be used to thwart attempts by users of one network to access resources of another network. Because every query requires a response, using packet filtering to block access requests also reduces intralan communications, which can eliminate or reduce bottlenecks when remote bridges are used to interconnect

2

3 geographically separated LANs. By using a remote bridge-based firewall at each location, users can obtain a degree of control over intralan communications. Exhibit 1b illustrates the use of a remote bridge-based firewall. The connection of geographically separated LANs by remote bridge-based firewalls requires two firewall operations to effectively limit the communications flow on the WAN. If filtering occurs at only one end of the WAN transmission path, a conventional remote bridge can permit all packets with unknown destination addresses to be transmitted over the WAN to the other LAN. Thus, implementing packet filtering on both remote bridges can effectively reduce the traffic over lower-speed WAN circuits in addition to serving as a barrier to unwanted transmission. Router-Based Firewalls A more sophisticated type of firewall, the router-based firewall, is used with a router hardware platform. Unlike a bridge, which operates at the data link layer, a router operates at the network layer. Instead of making forwarding decisions based on the destination address in a packet (as performed by a bridge, without filtering), a router makes decisions that are based on a variety of information that can be included in the network header. In addition, most routers support multiple protocols, such as NetWare Internet Packet Exchange (IPX), Transmission Control Protocol and Internet Protocol (TCP/IP), and Systems Network Architecture(SNA). Routers may support System Network Architecture by using a passthrough facility, encapsulating SNA into TCP/IP, or using IBM Corp.'s recently introduced data link switching to route SNA traffic. Because the Internet Protocol (IP) includes port numbers that define applications such as , Telnet, rlogin, and File Transfer Protocol, it is important that users consider the routerbased firewall's ability to filter using protocol addresses as well as logical port numbers that equate to distinct applications. Exhibit 2a illustrates the use of a router to provide a connection from an organization's Ethernet LAN to the Internet. In this example, the actual connection to the Internet was obtained from an Internet Access Provider. In many instances theinternet access provider furnishes both the router and the connection to the Internet. Thus, many organizations may want to examine the filtering capability of the router bundled with Internet access. Connecting a Corporate LAN to the Internet If the filtering capability is not sufficient to satisfy its communications requirements, an organization may want to install a router-based firewall between the network and the router from the access provider as an additional level of protection. This situation is illustrated in Exhibit 2b. Although the use of a firewall as illustrated in Exhibit 2b appears similar to the use of a router's built-in filtering, there can be enough differences between the two methods to justify the use of a standalone router-based firewall. The examples in the following section explain why some routers may be incapable of providing the level of filtering an organization requires. Examples of Filtering Filtering is required to make certain corporate networking functions more secure for example, employee access to the Internet, employee access to File Transfer Protocol

4

5 servers on the Internet, and customer access to files on a company's file transfer protocol (FTP) server. This section describes examples of each of these functions. Corporate Internet Access In the first example, an organization's Internet connection has been established to permit employees connected to the Ethernet to send and receive over the Internet. The users want to establish a file transfer protocol (FTP) server on their LAN that allows customers to access and retrieve information concerning price quotes, technical bulletins, and similar company information. Although the network manager wants workstation users on the company LAN to use file transfer protocol (FTP) to access file transfer protocol (FTP) servers on the Internet, the manager also wants to limit file transfer protocol (FTP) access to the LAN to customers only. Some routers with a built-in filtering capability permit anything not explicitly precluded. Other routers with a built-in filtering capability operate on the assumption that nothing is permitted unless allowed. This second type of router is less frequently encountered because it requires a more sophisticated degree of filtering and a significant amount of memory to hold permissions rather than exceptions. This type of filtering is usually encountered in router-based firewalls that, as a security precaution, only permit explicitly defined operations. Because the organization wants to transmit over the Internet, certain filtering actions are required. Because the simple mail transport protocol (SMTP) is used to transport as an IP application using port 25, filters should be set using that port assignment. If the router precludes all operations unless explicitly permitted, the following filter actions should be entered: Action Port Source Destination Inbound/Outbound Allow 25 * * Inbound Allow 25 * * Outbound The asterisk (*) functions as a global wildcard permitting any address for source or destination. Thus, the first filter allows inbound traffic using port 25 from any destination address to any source address. The second filter permits outbound using port 25 from any source address to any destination address. The combination of the two filters permits from any user on the Internet to reach any user on the company LAN and vice versa. If the company LAN were using a router that allows all operations that are not precluded, users would not have to enter any filters to use . Employee Access to FTP Servers on the Internet Once the organization's filtering requirements have been satisfied, its file transfer protocol (FTP) requirements should be evaluated. If the router a company is using precludes all operations other than those explicitly permitted, specific filtering is required. Because file transfer protocol (FTP) uses port 21 to transmit control information outbound and port 20 for the actual inbound file transfer, filtering is required to allow organizational users Internet file transfer protocol (FTP) access. To satisfy this requirement, an organization should set up the following filters: Action Port Source Destination Inbound/Outbound Allow 21 * * Outbound Allow 25 * * Inbound

6 The first filter permits any user on the LAN to initiate an file transfer protocol (FTP) request on port 21 to any destination address. The second filter permits files requested through an action on port 25 to flow inbound from any source address on the Internet to any destination address on the LAN. This action establishes the filters necessary for LAN users to access any file transfer protocol (FTP) server on the Internet. Letting Customers Access Files on the Company's FTP Server An organization should decide which filters are required so that selected customers can access files on the organization's file transfer protocol (FTP) server. It is important that the network administrator keep in mind one of the key limitations associated with many routers: their inability to support more than a few filters. An organization may want to contact customers to obtain their network addresses, either as a single workstation address representing one computer required to access the organization's File Transfer Protocol server or as a block of addresses representing a group of workstations at a customer site requiring access to the organization's file transfer protocol (FTP) server. For each customer, filters should take the following form: Action Port Source Destination Inbound/Outbound Allow 21 Address FTPA Inbound Allow 25 FTPA Address Outbound Here, FTPA represents the organization's file transfer protocol (FTP) server address, and Address represents either a customer's single workstation address or block of workstation addresses. Thus, the preceding filters would: Allow inbound traffic on port 21 from the defined source address or group of addresses to the organization's file transfer protocol (FTP) server address. Allow outbound traffic on port 25 from the organization's file transfer protocol (FTP) server address to the destination address or block of destination addresses. If, for example, an organization has 60 customers, the setup of a minimum of 120 filters would be necessary for there to be file transfer protocol (FTP) access from customers. If each customer had several workstations that required access to the company file transfer protocol (FTP) server and each address was noncontiguous, a pair of filters would have to be set up for each workstation. Thus, two workstations per customer requiring access to the organization's File Transfer Protocol server would require the setup of 60* 2 * 2 or 240 filters; three workstations per customer would require 360 filters to be set up, and so on. If the router only supports the use of a handful of filter operations because of memory constraints, an organization will probably need to use a router-based firewall to implement filtering requirements. Most router-based firewalls support the use of hundreds to thousands of filters. However, because each filter requires the router to perform a series of comparison operations, the more filters used, the lower the level of router throughput that can be obtained. Vendor performance specifications should be carefully considered because some firewalls can become network bottlenecks when as few as 50 filters are enabled. Other firewalls may support the use of hundreds of filters before performance is significantly effected.

7 Conclusion Two types of firewalls should be considered to protect the network resources of an organization. In brief: Bridge-based firewalls should be considered if an organization wants to control the flow of information between LANs that are interconnected or can be interconnected by bridges. If an organization wants to connect its private network to a public network, it should consider the use of a router-based firewall to obtain network protection. By carefully examining the filtering capability of a firewall, including its ability to enable or disable the flow of packets based on source addresses, destination addresses, and logical ports, a barrier can be obtained that provides a satisfactory measure of security. Although the filtering capability of a firewall is its primary evaluation feature, other features should be considered before selecting this type of communications product. Exhibit 3 lists some of the additional features of a router-based firewall. This checklist can be used as a basis for comparing vendor products to company requirements. Router-Based Firewall Features Feature Requirement Vendor A Vendor B Filter Construction Number supported Binary linkage LAN Support Token Ring Ethernet Protocol Support TCP/IP IPX SPX RIP SLIP Other WAN Support RS232 V.35 RS-449 Other Author Biographies Gilbert Held Gilbert Held is director of 4-Degree Consulting, a Macon GA-based high-tech consulting group. He is an internationally recognized author and lecturer, having written more than 40 books and 300 technical articles. He earned a BSEE from Pennsylvania Military College, an MSEE from New York University, and MBA and MSTM degrees from The American

8 University. He has represented the US at technical conferences in Moscow and Jerusalem and received numerous awards for excellence in technical writing.