Firewall Technologies Good Practice Guideline


Programme: NPFIT
Sub-Programme / Project: Infrastructure Security
Document Record ID Key: NPFIT-FNT-TO-IG-GPG
Programme Director: Mark Ferrar
Status: Approved
Owner: Malcolm McKeating
Version: 1.0
Author: Gary Croft
Version Date: 20/12/2007

Firewall Technologies Good Practice Guideline

© Crown Copyright 2007

Amendment History:

Date        Amendment
/10/2006    First draft for comment
/11/2006    Second draft for comment
/04/2007    New format applied, minor changes made to references
/11/2007    Updated in line with GPG style
/11/2007    Final draft for approval

Forecast Changes:

Anticipated Change    When
Annual Review         November 2008

Reviewers: This document must be reviewed by the following:

Name                            Title / Responsibility
Infrastructure Security Team
Malcolm McKeating               Head of IT Security

Approvals: This document must be approved by the following:

Name                 Title / Responsibility    Version
Malcolm McKeating    Head of IT Security       1.0

Distribution: NHS Connecting for Health Information Governance Website

Document Status: This is a controlled document. Whilst this document may be printed, the electronic version maintained in FileCM is the controlled copy. Any printed copies of the document are not controlled.

Related Documents: These documents will provide additional information.

Ref no    Doc Reference Number          Title                                 Version
1         NPFIT-SHR-QMS-PRP-0015        Glossary of Terms Consolidated.doc    13
2         NPFIT-FNT-TO-INFR-SEC-0001    Glossary of Security Terms            Latest

Glossary of Terms: List any new terms created in this document. Mail the NPO Quality Manager to have these included in the master glossary above [1].

Term    Acronym    Definition

Contents

1 About this Document
1.1 Purpose
1.2 Audience
1.3 Content
1.4 Disclaimer
2 Introduction
2.1 Background
3 Firewall Overview
3.1 What is a firewall?
3.2 Types of Firewall
    Hardware Firewalls
    Software Firewalls
    Client Firewalls
4 Classes of Firewall
4.1 Packet Filter Firewalls
4.2 Stateful Inspection Firewalls
4.3 Application Proxy Firewalls
4.4 Deep Packet Inspection Firewalls
5 Other Firewall Functions and Services
5.1 Network Address Translation
5.2 Intrusion Detection Sensor
5.3 Antivirus
5.4 Authentication
5.5 Site to Site VPN
5.6 Client to Site VPN
5.7 Quality of Service
5.8 Management GUI versus CLI
5.9 Monitoring of Traffic and Alerting
5.10 Additional Possibilities
6 Goals of a Firewall
6.1 Connecting internal to lower trust networks
6.2 Lower trust networks to internal networks
6.3 Demilitarised Zone access
6.4 3rd Party Access
    Access to other internal departments or sites
    Wireless Access
Design Considerations
    What is being secured?
    Fit for Purpose
    Redundancy Options
    Multilayered Approach
    Future Proofing

1 About this Document

1.1 Purpose

The purpose of this document is to advise technical and policy-making personnel of the best practice guidance when implementing Firewall Technology products. These technologies may be used to provide a means of implementing access restrictions internally and externally, to reduce the risks to the organisation which are inherent in carrying out communication activities.

After completing this guide you should understand:
- The different firewall technologies which can be implemented on LAN, MAN and WAN infrastructures and across public networks such as the internet.
- Best practice guidance regarding the implementation of Firewall Technologies and their associated risks.
- Guidance regarding the design of small and large scale firewall technology implementations for securing organisational networks.

1.2 Audience

This document has been written for readers with a general familiarity with electronic communications systems and the underlying network transports which support them. Experience with firewall technologies and security systems such as encryption and access control frameworks will also be useful in fully understanding this document.

1.3 Content

This document comprises the following sections / topics:
- Introduction
- Firewall Overview
- Classes of Firewall
- Other Firewall Functions and Services
- Goals of a Firewall

1.4 Disclaimer

Reference to any specific commercial product, process or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by NHS Connecting for Health. The views and opinions of authors expressed within this document shall not be used for advertising or product endorsement purposes.

Any party relying on or using any information contained in this document and/or relying on or using any system implemented based upon information contained in this document should do so only after performing a risk assessment. It is important to note that a risk assessment is a prerequisite for the design of effective security countermeasures. A correctly completed risk assessment enables an NHS organisation to demonstrate that a methodical process has been undertaken which can adequately describe the rationale behind any decisions made. Risk assessments should include the potential impact to live services of implementing changes.

This means that changes implemented following this guidance are done so at the implementer's risk. Misuse or inappropriate use of this information can only be the responsibility of the implementer.

2 Introduction

This guide addresses the issues associated with the deployment of Firewall Technologies within an organisation and provides an overview of the various aspects of deploying Firewall Technology solutions. Included in this guide are the different types and classes of firewalls available, the functions and services they can offer, and the design considerations regarding the goals and security levels required to be achieved.

Guidance includes:
- The different types and classes of Firewall Technology and their associated benefits and limitations.
- The added functions and services which a firewall may provide to increase its value to the organisation.
- An overview of how to meet common goals and the design considerations which should be addressed before deploying firewall technologies.

2.1 Background

Firewall Technologies have typically been the most common way to secure user and/or system access from a higher security level environment to a lower security level environment in a secure and efficient manner. The firewall can also grant access from lower security to higher security level environments, but at a more granular level. With the boundaries between networks now becoming more blurred, and high speed links frequently available, the choice of which firewall technology solution(s) to implement is increasingly difficult. In addition to the roles a firewall has traditionally performed, new functions and services are also becoming increasingly available, which adds value to the device and gives a better Return on Investment (ROI). Network designers now have to think not only of today's needs but also of the likelihood of network growth and other influencing factors, while still maintaining a highly available and secure network, often at the heart of which are firewall technologies.

3 Firewall Overview

3.1 What is a firewall?

In information technology, a firewall is a piece of hardware and/or software which functions in a networked environment to prevent communications forbidden by the security policy. A firewall has the basic task of controlling traffic between different zones of trust. Typical zones of trust include the Internet (a zone with no trust) and an internal network (a zone with high trust). The ultimate goal is to provide controlled connectivity between zones of differing trust levels through the enforcement of a security policy and connectivity model based on the least privilege principle.

3.2 Types of Firewall

There are many product offerings from many vendors, most of which are commercial, while some are freely available and may be developed by groups with a common interest. Some offerings may incorporate a number of software vendors to form a complete solution for the end-user. Whatever the firewall, it can be summarised under two main types: Hardware and Software.

Hardware Firewalls

Some vendors have taken the route of providing dedicated hardware appliances to consumers, often with a product range to cover most circumstances, starting from Small Office, Home Office (SOHO) to large scale enterprise machines. Sometimes an organisation may buy a hardware firewall and be able to add further modules or upgrade a licence to unlock a software restriction on the hardware, but quite frequently when a hardware firewall no longer serves its purpose a new appliance is bought. Quite often the benefit of the hardware solutions is the provision of good vendor support, since the same company may have developed both the underlying Operating System (OS) and the underlying hardware. In addition, features such as throughput, OS hardening, patch management, backup, restore and upgrades may be greatly improved over other offerings, along with a user friendly interface to perform these functions and additional configuration.

Software Firewalls

Some vendors also choose to go the software route. Here the customer buys software to install on a platform of choice. This can be a bonus as it allows an organisation to select a device that matches their current and/or future needs to the budget available. Frequently the vendor will provide instruction as to the minimum hardware and OS requirements needed to run their software. This approach also allows the organisation to work to the given skill-set of the employees available when choosing the underlying OS. Many software firewalls can be installed on multiple operating systems such as various versions of UNIX, Linux and Windows. Particular care therefore needs to be taken when selecting the OS, to ensure it matches the requirements for security and capacity required by the business.

In addition the administrator will also need to harden the OS to suit the needs of a firewall, turning off services that a firewall does not need to function. This is good security practice and should be done upon initial install and periodically checked: application of OS patches etc. may inadvertently switch a non-desirable service back on.

Increasingly, software firewall vendors are aligning themselves with hardware vendors to bridge the gap between software and hardware firewalls, by forming alliances and developing customised and hardened OSs on which to run their products. In these product offerings an organisation can obtain the level of customisation offered by a software firewall while also receiving the benefits of a hardware firewall vendor. An example of this approach is Nokia IPSO, a proprietary and security-specific operating system.

Client Firewalls

It is worth noting that client firewalls are now becoming increasingly popular and are often used as a secondary defence of the end systems, or as a first defence when a machine such as a laptop moves from the corporate LAN to an un-trusted network (e.g. a wireless network or the internet) that may leave it exposed. Most frequently these are software offerings that are installed as an additional application on the host operating system, or may even come as standard with the OS. These can range from a stand-alone ad-hoc configuration on a single machine to an enterprise security policy that is pushed down to a whole organisation's desktop estate. If the latter is chosen then additional centrally managed hardware will be required. Examples of this setup include Windows Firewall using Group Policy and ISS Proventia Desktop Security.

For the purposes of this document, firewalls will largely be covered as an entity governing access between end systems, but lessons learned can also be directly applied to any such firewall technology that may be applied on an end system.

4 Classes of Firewall

There are four main classes of firewall, which can be implemented on both the hardware and software options mentioned in the last section. These are detailed in this section and comprise:
- Packet Filter Firewalls
- Stateful Inspection Firewalls
- Application Proxy Firewalls
- Deep Packet Inspection Firewalls

The class of the firewall largely determines its capabilities and therefore its ability to protect an organisation's network. Some classes are better suited to specific environments, whilst other classes may be used with a mixture of environments in order to provide a more robust solution.

All firewall classes have common characteristics in that they use certain criteria in order to identify good traffic, which is permitted, and bad traffic, which is not permitted. This will be determined according to the security and access policy in place. When traffic traverses a network it does so in a packet at the network layer. This packet holds information pertaining to the connection taking place, which includes but is not limited to:
- Sender's source address
- Recipient's destination address
- Service to which the packet pertains (usually port number)
- Network operation and status flags
- Actual payload of data to be delivered

A device's ability to interpret the above information effectively provides its capability to protect the network. Figure 1 shows the breakdown of a TCP Packet Header; many of the fields help to uniquely identify a communication flow and thereby improve security. Header fields vary according to the protocol in use, and because of this some protocols may be easier to track than others. For further reading see:
- TCP - Transmission Control Protocol
- UDP - User Datagram Protocol
- ICMP - Internet Control Message Protocol

Figure 1 - TCP Packet Header Format (fields in order):
- 16-bit source port number
- 16-bit destination port number
- 32-bit sequence number
- 32-bit acknowledgement number
- 4-bit header length, Reserved (6 bits), flags URG ACK PSH RST SYN FIN, 16-bit window size
- 16-bit TCP checksum, 16-bit urgent pointer
- Options (if any)
- Data (if any)

4.1 Packet Filter Firewalls

This type of firewall is quite simple in that it takes a set of predefined static rules and applies them against the sequence of traffic. If there is a match the connection is permitted or denied according to policy; if there is no match then the connection is filtered by the default rule (normally "drop"). Packet filter firewalls use source addresses and destination addresses to identify traffic. The service may also be used for added security, e.g. UDP, which provides a connectionless datagram service. As only a small amount of information is looked at to interpret the packet, normally low latency is incurred; however, with the availability of low cost, high speed CPUs for devices this is increasingly becoming less of an issue.

Packet Filter firewall technology is normally useful as a first line of defence, such as a border router, or it can be installed where only a low level of security is needed to deter casual intruders. However, it lacks the ability to understand the relationship between packets in a data flow: each packet is viewed individually, but a communications channel can consist of many packets. Therefore replies can easily be spoofed, possibly leading to system or data compromise.

Figure 2 - Packet Filter Firewall allowing all reply traffic through

In Figure 2, it is highlighted that a Packet Filter Firewall is not state aware: it has no concept of legitimate reply traffic versus spoofed traffic. The spoofed traffic could be malicious or caused by erroneous external factors; this can cause problems for the end application and even compromise security. For further reading see the Security Focus article "An Introduction to IP Spoofing".

4.2 Stateful Inspection Firewalls

Stateful inspection firewalls build on the technology of packet filter firewalls but have the awareness to interpret the network operation and status flags of a packet to provide added security. How this is done is usually proprietary to the firewall in use, but generally it involves maintaining a connections table to compare traffic received against traffic sent, to match against anticipated traffic. These tables consume hardware resource, normally in the form of physical memory; therefore the device needs to be appropriately planned, taking into consideration the capacity required beforehand. High volume physical memory is becoming more available at lower costs, so this technology is increasing in popularity.
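An added example (not code from the guideline) contrasting the Figure 2 packet filter with the Figure 3 stateful inspection behaviour on the Figure 1 header fields: constructed packets are encoded and decoded, a static filter judges each packet on its own, and a connection table admits only replies that match a recorded outbound flow. The addresses and the simplified rule set are assumptions made for the illustration.

```python
"""Stateless packet filter versus stateful inspection, simulated on TCP header fields.

Constructed example (not from the guideline): a "reply" that the Figure 2 packet
filter accepts is dropped by the Figure 3 stateful firewall because no outbound
flow matches it, or because it does not fit the recorded state of the flow.
"""
import ipaddress
import struct
from dataclasses import dataclass

# Bits of the 6-bit flags field in Figure 1: URG ACK PSH RST SYN FIN.
URG, ACK, PSH, RST, SYN, FIN = 0x20, 0x10, 0x08, 0x04, 0x02, 0x01

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range (RFC 1918)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Encode the fixed 20-byte TCP header of Figure 1 (no options, checksum zeroed)."""
    offset_flags = (5 << 12) | (flags & 0x3F)  # 4-bit header length (5 words), reserved, flags
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, offset_flags, window, 0, 0)


def parse_tcp_header(src_ip, dst_ip, raw):
    """Decode the header fields a firewall uses to identify a flow."""
    src_port, dst_port, seq, ack, offset_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    return Packet(src_ip, dst_ip, src_port, dst_port, seq, ack, offset_flags & 0x3F)


def packet_filter(pkt):
    """Figure 2: static rules only; every packet judged on its own, default drop."""
    src, dst = ipaddress.ip_address(pkt.src_ip), ipaddress.ip_address(pkt.dst_ip)
    if src in INTERNAL and dst not in INTERNAL and pkt.dst_port == 80:
        return "permit"  # outbound HTTP
    if dst in INTERNAL and src not in INTERNAL and pkt.src_port == 80:
        return "permit"  # anything that merely *looks* like an HTTP reply is let in
    return "drop"


class StatefulFirewall:
    """Figure 3: same outbound rule, but replies must match a recorded flow."""

    def __init__(self):
        self.table = {}  # (src_ip, src_port, dst_ip, dst_port) -> ack number a reply must carry

    def inspect(self, pkt):
        src, dst = ipaddress.ip_address(pkt.src_ip), ipaddress.ip_address(pkt.dst_ip)
        if src in INTERNAL and dst not in INTERNAL and pkt.dst_port == 80:
            if pkt.flags & SYN and not pkt.flags & ACK:
                # New outbound connection: record the flow and the expected acknowledgement.
                self.table[(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)] = pkt.seq + 1
            return "permit"
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)  # reverse of the outbound flow
        expected_ack = self.table.get(key)
        if expected_ack is not None and pkt.flags & ACK and pkt.ack == expected_ack:
            return "permit"
        return "drop"  # no matching flow, or the "reply" does not fit the recorded state


def run_scenario():
    """Return (packet filter verdict, stateful verdict) for one outbound SYN and three replies."""
    fw = StatefulFirewall()
    # Constructed sample traffic; external hosts use RFC 5737 documentation ranges.
    outbound = parse_tcp_header("10.1.1.5", "203.0.113.10", build_tcp_header(40000, 80, 1000, 0, SYN))
    real_reply = parse_tcp_header("203.0.113.10", "10.1.1.5", build_tcp_header(80, 40000, 7000, 1001, SYN | ACK))
    spoof_host = parse_tcp_header("198.51.100.7", "10.1.1.5", build_tcp_header(80, 40000, 1, 1, SYN | ACK))
    spoof_ack = parse_tcp_header("203.0.113.10", "10.1.1.5", build_tcp_header(80, 40000, 1, 5, SYN | ACK))
    verdicts = {}
    for name, pkt in [("outbound", outbound), ("real_reply", real_reply),
                      ("spoof_host", spoof_host), ("spoof_ack", spoof_ack)]:
        verdicts[name] = (packet_filter(pkt), fw.inspect(pkt))
    return verdicts


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:11} packet filter={stateless:6} stateful={stateful}")
```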

Figure 3 - Stateful Inspection Firewall dropping spoofed reply traffic

In Figure 3, a Stateful Inspection firewall is used. The firewall has built a state table of outgoing permitted traffic and is monitoring the replies. It does this by being protocol aware; for example, in Figure 1 the TCP Packet contains relevant fields to accomplish this task. While it is not impossible to spoof a reply, an attacker would have to be very skilled to format an exact packet to be permitted.

Stateful Inspection was invented and patented by Check Point; it is the de facto standard in network security technology. For further reading please see the Check Point website, which details how Check Point uses this technology. Many other vendors also use this technology. One of the market leaders is Cisco, which has developed a technique known as the Adaptive Security Algorithm.

4.3 Application Proxy Firewalls

Application Proxy firewalls open packets at the OSI application layer and process them based on specific application rules. They are then reassembled and forwarded to the desired target device. For example, a Packet Filter or Stateful firewall may be able to permit or deny HTTP (TCP port 80) traffic; an Application Proxy can also be more granular about this decision and block HTTP containing scripts or other unwanted traffic that would otherwise be difficult to identify.

Quite often these systems are deployed as an additional layer of security behind another firewall technology. Normally they provide a few specific functions such as proxying HTTP and FTP traffic on an organisation's LAN; other traffic may be sent direct to another gateway or passed through unchecked. Examples of this technology include Microsoft ISA and ModSecurity for Apache.

This type of technology is normally limited to what the proxy can understand. There may only be a set number of services that can be inspected and, if you require sending a non-supported service through the firewall, then problems can arise. Application Firewalls are also resource intensive and can increase network latency.

Figure 4 - Application Proxy Firewall usage (diagram: outbound traffic from the Corporate Network is sent to the proxy and suitable traffic is forwarded to Internet Resources; reply traffic is sent to the proxy and suitable traffic is returned; unsafe outbound and inbound traffic is blocked or quarantined)

In Figure 4, an Application Proxy Firewall is used. It is capable of blocking and quarantining outbound and inbound traffic according to the security policy in place on the device. This may or may not be relayed back to the end user. For further reading see the Proxy Services GPG and the Content Filtering GPG.

4.4 Deep Packet Inspection Firewalls

Also known as Next Generation firewalls. This is the newest technique and is currently evolving; it involves employing the features from stateful inspection and application proxy firewalls, along with other security techniques, to build a hybrid solution for a more comprehensive and advanced approach. The level of analysis on packets is greater, working at layers 2 to 7 of the OSI Model. The lessons learned from application proxy firewalls can be applied, but new techniques such as AntiVirus (AV), Intrusion Detection (IDS) and Quality of Service (QoS) can also be carried out. It is an emerging market and some of the possibilities are still in development. A Security Focus article discusses this technology in detail.

Whilst Deep Packet Inspection Firewalls can provide such added features, their introduction may introduce performance and/or security issues. Also, the feature that the firewall supplies may only be a subset of that of a dedicated device; therefore your needs should be clearly identified before considering deployment.

5 Other Firewall Functions and Services

It is worthwhile noting the additional non-firewall features a product or vendor may offer, as this can considerably influence the decision of which technology to deploy. Many vendors have known this for a long time and have supplemented the value of their product offerings by continually including additional features. Some vendors have even bought stakes in companies that provide these additional features, or formed alliances with them.

5.1 Network Address Translation

Network Address Translation (NAT) is a fairly basic feature but normally necessary, and sometimes essential, for a firewall to carry out its role on the network. If you need to communicate from a network to another network which does not have visibility of the other addressing structure then NAT can be deployed to overcome this limitation. It also provides basic security by hiding the internal addressing topology. Furthermore, if your organisation's LAN uses reserved RFC address space and requires a connection to the internet you will need to use NAT. Even if it is possible to route traffic between organisations with reserved addressing schemes, it is often better to use NAT for a chosen hide address rather than route the whole subnets involved. For further reading see the NAT GPG.

5.2 Intrusion Detection Sensor

Due to the firewall's location as a control point in a network, it has often been prudent to locate Intrusion Detection System (IDS) sensors within installations (particularly where higher trust networks interconnect to lower trust networks), to provide added security. At this point in a network it can also be advantageous to screen out attacks before they may degrade the service levels available to users and devices. It is also possible for a firewall to provide IDS functions similar to those of a dedicated device, though normally only subsets of matching signatures are available. If a high level of security is required then a dedicated IDS system should be considered.

Some product offerings also go as far as to provide an Intrusion Prevention System (IPS), which can actually terminate the flows of traffic should an attack be detected. Monitoring for false positives should be carried out to assess whether any issues may result on the network as a consequence. For further reading see the IDS and IPS Technologies GPG.

5.3 Antivirus

Similarly to IDS, the product offerings for Anti-Virus (AV) on a firewall normally consist of a reduced service compared to that of a full product and should be seen as an addition to the existing service. A useful example of this feature would be the screening of HTTP or FTP traffic before it reaches a user's PC. However, since it cannot detect all viruses in the wild (i.e. in circulation on the internet), a reputable end system antivirus software package should be installed on user PCs to identify items that go undetected because of the limitations of the firewall. For further reading see the Anti-virus and Malware GPG.

5.4 Authentication

Many firewall vendors have developed alliances with key commercial authentication vendors (such as RSA), and also use open standards authentication such as RADIUS and Kerberos to provide high standards of security validation. Such vendors incorporate this additional functionality into their products to provide dynamic rules. For example, a firewall may be able to intercept traffic in-line for particular protocols and authenticate a user from a defined network location who is attempting to access a particular network resource at a given time. This access attempt can be sent to an external database to be queried, often using three factor authentication. If the reply from the external database authorises the connection, a dynamic rule is built. When a protocol cannot be intercepted in-line, Out-Of-Band (OOB) authentication is often available, where a user connects to a firewall's proprietary Graphical User Interface (GUI) or Command Line Interface (CLI) to authenticate before being permitted access. See Figure 8, which references the roaming member of the Finance team, who could use OOB or in-line authentication to access resources.

5.5 Site to Site VPN

Traditionally, fixed links from telecoms companies were the only viable way to interconnect organisations that required secure network communications. With the increase in high speed internet connections at lower costs, site to site Virtual Private Networks (VPN) became a workable alternative while still maintaining data integrity and confidentiality. Quality of service may still be an issue, but this needs to be balanced against the business need for availability and cost savings. With the firewall's ability to effectively govern access between networks of differing security, when the need arose to transfer confidential information over unsecured or less secure networks, a logical place to implement this connectivity was on the firewall itself. Many firewall solutions are able to enforce security policies both for traffic that requires encryption/decryption and traffic in clear that does not require such security. If heavy VPN usage is required it may be best to consider a dedicated VPN appliance. These often have enhanced hardware to deal with encrypted traffic flows more adequately than a standard firewall. For further reading see the Site to Site VPN GPG.

5.6 Client to Site VPN

With the advent of high speed, low cost internet connections in the home, many organisations are providing their employees with secure home-working options. Additionally, client to site VPNs are also providing opportunities for remote support working from 3rd party locations. Many firewall vendors produce their own software packages specifically for this purpose, and often these may be installed on a range of host operating systems. There are also non-vendor client packages that can be configured to work with leading vendors; however these may not be quite as streamlined and sometimes suffer from integration issues. Some vendor-specific software may be configured to ensure firewall and antivirus policies are enforced on the remote machine, whilst also using some of the features from the authentication section earlier.

5.7 Quality of Service

Quality of Service (QoS) specifies a guaranteed throughput level for particular network services or protocols. This feature is becoming increasingly popular due to the high speed networks that are now available in many organisations, along with the simultaneous use of comparatively smaller links such as a link to a 3rd party or another company office. QoS can even be applied to the main internet feed for the company. At all of these points bottlenecks can occur, and QoS can provide a mechanism that allows key applications to be given priority while less important applications may have their bandwidth throttled.
Whilst it is possible to implement this technology on a firewall, it is often better to implement QoS across the actual networking infrastructure, for example on access layer switches.

5.8 Management GUI versus CLI

Some vendors only give the option of configuring the firewall and its rule base using a CLI. While this can make some tasks easier, it often requires staff to have specific skills to work on the device. Other vendors opt for a GUI, which provides more intuitive user access to administrative functions. Both options may require the installation of vendor specific software, although some allow popular applications such as web browsers and CLI clients to connect to the systems. In either case it is considered best practice to use a secure channel for management, so encryption such as secure HTTP (HTTPS) or Secure Shell (SSH) should be preferred over the HTTP or Telnet options, which are clear-text protocols and may be intercepted by potential attackers. Frequently vendors offer both secure and insecure approaches but often have a preference for one over the other.

Also, firewall management may be carried out on a single or multiple device basis. This can decrease administration time considerably, and therefore it is important to assess your network infrastructure requirements carefully against available product offerings and their management capabilities, particularly if frequently updated security policies are in place. For further reading refer to the Remote Management GPG.

5.9 Monitoring of Traffic and Alerting

Many vendor solutions offer proprietary alerting solutions that can be assessed on their own merit against an organisation's needs. Frequently devices support Simple Network Management Protocol (SNMP), which can allow monitoring systems to poll network devices using standard Management Information Bases (MIBs) or vendor specific ones to gain greater information on the status of a system and give early warnings of potential problems. Devices can also be configured to send traps (status warnings and notifications) with information pertaining to any issues that may have been identified. Should the use of SNMP be preferred, then version 3 is recommended as it is considered to be more secure, and previous versions are now considered obsolete by the Internet Engineering Task Force (IETF). It is common practice, however, for devices to support more than one version of SNMP. The ability for a firewall device to support SNMP and other monitoring functions may be particularly important to an organisation that needs to maintain high availability for the network.

5.10 Additional Possibilities

The firewall technologies market is continually evolving and the roles that a device can perform will continue to extend. While it is best practice to use a firewall for enforcing security policy, there may be times when additional, less common features are implemented. Some vendors offer services such as DHCP, DNS, Print Server, VoIP Gateway, and switch port capabilities, which can be useful at the lower end of the device market for Small Office/Home Office (SOHO). An example of such a vendor is Draytek, who provide details of product comparisons on their website.

Firewall vendors often form alliances with other security vendors to add extra services such as URL Filtering, SMTP scanning and Antivirus to external servers. These then communicate with the firewall and assess the traffic before packets can traverse a firewall policy. A vendor who has embraced such an approach is Check Point; details of their Open Platform for Security (OPSEC) can be found on their website. Juniper Networks also adopt this approach; details on their Global Alliances can be seen on their website.

If the firewall is installed on an underlying OS then software available to the OS could also be utilised. None of these are recommended, and they should only be considered if no suitable alternative exists and only a low level of security is required.

6 Goals of a Firewall

Firewalls are installed for a variety of reasons, often to fulfil multiple roles which change as the network evolves. There are certain best practice requirements that should be adhered to when implementing a solution to perform these roles; the most common requirements are discussed here.

6.1 Connecting internal to lower trust networks

This is where an organisation's trusted network is connecting to the internet (which has no trust). In this case it is best practice to restrict the outbound policy to the connectivity needed to perform business functions, whilst denying applications that may put the organisation at risk. Enforcing this restriction was once a simple task of denying a port associated with an application. For example, to stop users accessing newsgroups via NNTP, it was simply a case of blocking TCP port 119, as shown in Figure 5. However, users and applications can easily sidestep these countermeasures using web based newsreader versions which work over HTTP, a protocol which is commonly permitted on networks, and therefore more extended filtering is required. Additionally, applications such as Instant Messenger (IM) software have specified TCP ports but will fall back to HTTP or another commonly permitted port should access be denied. VoIP applications such as Skype will walk through ports until an open port is found.

Figure 5 - Corporate Network Access to Internet Resources Example (labels: Internet Resources, Corporate Network, NNTP Virtual Server, HTTP - Permit, NNTP - Drop)

The complexity of protecting the internal network is increasing, therefore choosing a firewall technology that performs all the necessary steps to safeguard the organisation's infrastructure may be difficult. This choice is only one aspect of the overall network security strategy, which depends upon the organisation's needs and requirements.

6.2 Lower trust networks to internal networks

Lower trust networks such as the internet should never be allowed to connect directly to internal trusted networks. Doing so may allow an attacker to compromise a system on the organisational LAN, leading to further exploitation of local machines from there. If a business need exists to allow untrusted networks to communicate with the organisation then a Demilitarised Zone (DMZ) should be created.

Figure 6 - Internet User Restrictions to Corporate Network Access Example

In Figure 6, a typical policy is configured that drops all traffic initiated from a lower security network and destined for the higher security corporate network.

6.3 Demilitarised Zone access

A DMZ is a special sub-network created for communication with networks that have different levels of trust. A DMZ may allow external parties to access a company website, whilst at the same time permitting employees on the internal network to also have access to such external resources. The DMZ network should have no direct access to the internal network.

Another example is that of a File Transfer Protocol (FTP) server on a DMZ that external 3rd parties can access, and which could be restricted to a specific network range unique to that 3rd party (if possible). The FTP server may also have access to the DMZ to initiate a data transfer out to the 3rd party network.

An organisation may also choose to have an internal DMZ that protects a key resource from its internal users while still providing a business function. For example, an Active Directory (AD) server may allow users login functions for their desktops, but only certain support staff are able to access the finance subnet.

Devices on a DMZ should be given the minimum level of access to other networks required to support their function. In addition, they should never be given direct access to internal networks; this will safeguard the organisation and contain the threat if a system is compromised. The externally facing DMZ devices will be particularly at risk and therefore patch levels and security policies should be continually reviewed.

6.4 3rd Party Access

Although it is considered good practice to restrict 3rd party access to your network via a DMZ, this may not always be practical (e.g. for outsourced support purposes). In all cases the access granted should be limited to only what is needed, and a DMZ should be used if viable. If the organisation has many 3rd parties connecting then a dedicated firewall interface could be used to control access. Whilst 3rd parties should be responsible for their own inbound security policy, it is bad practice to inadvertently link two external parties together through an inadequate security policy.

It is also good practice to have a work-out or guest area connected to a DMZ for contractors and other visitors that are permitted to enter the organisation but not to use the internal network. In these circumstances restricted outbound access to the internet may be allowed, along with an agreement for client VPN software to connect back to another organisation. Whilst the security of distant end-points may not be an organisation's concern, it is still responsible for the effects of traffic leaving the organisational network, and so a suitable outbound policy to mitigate this threat is advisable. It is also recommended that LAN technologies such as VMPS or 802.1x be used to further enforce the placement of unregulated PCs into DMZs. For further information see the Securing the Local Area Network GPG [26].

Figure 7 - Internet Users, 3rd Party and Corporate Network Access to DMZ Example (labels: Internet Users, DMZ Network, Corporate Network, 3rd Party Networks)

In Figure 7 a multi-function DMZ is deployed; it allows both 3rd parties and internet users to connect to systems hosted within it. It is also possible to have separate DMZs, each providing a unique function, which can increase security further.

6.5 Access to other internal departments or sites

Internal network access between departments has often been a standard business requirement, but has grown in complexity with functions being run simultaneously from several sites, and with acquisitions and mergers further complicating matters. However, there is always a need to restrict access to certain parts of the network to specific users or business areas as appropriate. For example, in Figure 8 accounts staff may need to access billing systems. If these staff have fixed network addresses then this requirement can be easy to administer. However, if they work from different locations, or the department is split between sites, then this can become more complex. Dynamic access using suitable authentication is often applied to overcome this problem. If an organisation's network is this diverse then it is worthwhile considering such a capability when deploying a firewall solution.

Figure 8 - Inter-Departmental Access to Corporate Resources

Figure 8 shows varying levels of access according to differing factors: users' position on the network, static IP address and authentication.
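As an added worked example (not part of the guideline), the following Python model expresses the access principles of sections 6.1 to 6.5 and Figures 5 to 8 as a first-match zone policy and audits it against the rules stated in 6.2 to 6.4; the zone names, addresses, ports and user group are constructed assumptions.

```python
"""Zone-based policy model for the firewall goals in sections 6.1 to 6.5.

Constructed example: zone names, addresses, ports and the user group are
assumptions made for illustration, not configuration from the guideline.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Zones grouped by trust, as the guideline treats them in 6.2 to 6.4.
INTERNAL = {"corporate", "finance"}
EXTERNAL = {"internet", "third_party", "guest"}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    proto: str                        # "tcp" or "udp"
    dport: int
    user_group: Optional[str] = None  # set once the firewall has authenticated the user


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str                     # "*" matches any zone
    dst_zone: str
    action: str                       # "permit" or "drop"
    proto: str = "*"
    dports: frozenset = frozenset()   # empty means any destination port
    src_nets: tuple = ()              # empty means any source address
    user_group: Optional[str] = None  # None means no authentication required

    def matches(self, f: Flow) -> bool:
        if self.src_zone not in ("*", f.src_zone) or self.dst_zone not in ("*", f.dst_zone):
            return False
        if self.proto not in ("*", f.proto):
            return False
        if self.dports and f.dport not in self.dports:
            return False
        if self.src_nets and not any(ip_address(f.src_ip) in ip_network(n) for n in self.src_nets):
            return False
        if self.user_group is not None and f.user_group != self.user_group:
            return False
        return True


# First match wins; the final rule makes the default deny of Figure 6 explicit.
POLICY: List[Rule] = [
    # 6.1 / Figure 5: outbound limited to business protocols, NNTP (TCP 119) dropped.
    # A port filter cannot stop newsreaders or IM clients that fall back to HTTP,
    # which is why the guideline asks for more extended (application) filtering.
    Rule("corp-web-out", "corporate", "internet", "permit", "tcp", frozenset({80, 443})),
    Rule("corp-nntp-out", "corporate", "internet", "drop", "tcp", frozenset({119})),
    # 6.3 / Figure 7: internet users reach only the public web service in the DMZ.
    Rule("inet-to-dmz-web", "internet", "dmz", "permit", "tcp", frozenset({80, 443})),
    # 6.3: FTP server on the DMZ restricted to the 3rd party's own range (constructed).
    Rule("3rdparty-ftp", "third_party", "dmz", "permit", "tcp", frozenset({21}),
         src_nets=("198.51.100.0/24",)),
    # 6.4: guest area gets restricted outbound web access only.
    Rule("guest-web-out", "guest", "internet", "permit", "tcp", frozenset({80, 443})),
    # 6.5 / Figure 8: finance subnet reachable only by authenticated support staff.
    Rule("support-to-finance", "corporate", "finance", "permit", "tcp", frozenset({3389}),
         user_group="support"),
    Rule("default-drop", "*", "*", "drop"),
]


def evaluate(policy: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Return (action, name of the matching rule); unmatched traffic is dropped."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.name
    return "drop", "implicit-deny"


def audit(policy: List[Rule]) -> List[str]:
    """Flag permit rules that contradict the principles of 6.2 to 6.4."""
    findings = []
    for r in policy:
        if r.action != "permit":
            continue
        if "*" in (r.src_zone, r.dst_zone):
            findings.append(f"{r.name}: wildcard permit, access must be limited to what is needed")
        if r.src_zone in EXTERNAL and r.dst_zone in INTERNAL:
            findings.append(f"{r.name}: lower trust network connects directly to an internal network (6.2)")
        if r.src_zone == "dmz" and r.dst_zone in INTERNAL:
            findings.append(f"{r.name}: DMZ device given direct access to an internal network (6.3)")
        if {r.src_zone, r.dst_zone} <= {"third_party", "guest"}:
            findings.append(f"{r.name}: links two external parties together (6.4)")
    return findings


if __name__ == "__main__":
    for flow in (Flow("corporate", "internet", "10.0.1.5", "tcp", 119),
                 Flow("internet", "corporate", "203.0.113.9", "tcp", 445),
                 Flow("third_party", "dmz", "203.0.113.20", "tcp", 21)):
        print(flow.src_zone, "->", flow.dst_zone, flow.dport, evaluate(POLICY, flow))
    print("audit:", audit(POLICY + [Rule("dmz-to-corp", "dmz", "corporate", "permit")]))
```

The audit function is the part worth keeping in a change process: run it over a proposed rule set before it is loaded, so a permit from the internet or a DMZ into the corporate network is caught as a policy violation rather than discovered in an incident.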

6.6 Wireless Access

Many organisations provide wireless access points to allow staff more flexible access to the network. However, doing so can increase the risk of unauthorised access. It is therefore common for an organisation to place the wireless access within a DMZ on a firewall, as shown in Figure 9. Quite often a VPN client is used to further secure traffic. This VPN could be terminated on the firewall (or at a device prior to the firewall technology in use) with the job of enforcing the security policy. A further precaution would be for the organisation to configure their wireless access to provide only a subset of the access that would normally be available on the LAN.

Figure 9 - Wireless LAN access to Corporate Resources

For further reading see the Wireless LAN Technologies GPG.

7 Design Considerations

When planning a firewall deployment it is critical to assess certain criteria in order to choose a product offering that will suit the organisation's needs within budget. Some of the key areas are discussed in this section.

7.1 What is being secured?

Firstly it is beneficial to identify what is being secured: the higher the level of security required, the more robust the security solution deployed must be. There are various standards authorities to which firewall vendors can submit their products in order to have their security claims tested and verified. CESG [28], the National Technical Authority for Information Assurance, details the Common Criteria Evaluation Assurance Levels:

EAL0 - Inadequate Assurance.

EAL1 - Functionally Tested. Provides analysis of the security functions, using a functional and interface specification of the TOE, to understand the security behaviour. The analysis is supported by independent testing of the security functions.

EAL2 - Structurally Tested. Analysis of the security functions using a functional and interface specification and the high level design of the subsystems of the TOE. Independent testing of the security functions, evidence of developer "black box" testing, and evidence of a development search for obvious vulnerabilities.

EAL3 - Methodically Tested and Checked. The analysis is supported by "grey box" testing, selective independent confirmation of the developer test results, and evidence of a developer search for obvious vulnerabilities. Development environment controls and TOE configuration management are also required.

EAL4 - Methodically Designed, Tested and Reviewed. Analysis is supported by the low-level design of the modules of the TOE, and a subset of the implementation. Testing is supported by an independent search for obvious vulnerabilities. Development controls are supported by a life-cycle model, identification of tools, and automated configuration management.

EAL5 - Semiformally Designed and Tested. Analysis includes all of the implementation. Assurance is supplemented by a formal model and a semiformal presentation of the functional specification and high level design, and a semiformal demonstration of correspondence. The search for vulnerabilities must ensure relative resistance to penetration attack. Covert channel analysis and modular design are also required.

EAL6 - Semiformally Verified Design and Tested. Analysis is supported by a modular and layered approach to design, and a structured presentation of the implementation. The independent search for vulnerabilities must ensure high resistance to penetration attack. The search for covert channels must be systematic. Development environment and configuration management controls are further strengthened.

EAL7 - Formally Verified Design and Tested. The formal model is supplemented by a formal presentation of the functional specification and high level design showing correspondence. Evidence of developer "white box" testing and complete independent confirmation of developer test results are required. Complexity of the design must be minimised.

The source for the EAL levels can be found on the CESG website [29].

If a device is to be connected to an untrusted network such as the internet then it should be at least EAL4 certified. It should also be confirmed that software versions have achieved this status before considering an upgrade. If the level of security required is lower then an EAL3 certified device could be appropriate, but where possible EAL4 should be chosen. Other assessor standards exist, and can give a confidence level in the product; however these are currently not endorsed by the Infrastructure Security Team, although this may be revised in the future.

7.2 Fit for Purpose

Once the networks to be secured have been identified, a strategy must be defined to determine how to accomplish this. There may be several elements from the firewall goals section to include, and it is important to choose a device that will adequately support these requirements. Vendor websites will often detail a product's capabilities, though it may be possible to obtain software or hardware on evaluation before committing to a particular product for your solution.
If your organisation already has a preferred vendor then it may simply be a case of selecting an upgrade from that vendor's range. Careful consideration, however, should still be given.

7.3 Redundancy Options

Since a firewall is often located in a central position on a network and can provide access to and from various networks for many business critical purposes, it is important to ensure the device is highly available.

Having a single firewall may create a single point of failure (SPoF). Therefore it is good practice to make sure the device has no single component failure if possible. Power supply, CPU, memory, hard disk or flash and Network Interface Card (NIC) failures can all render a device unavailable, and it is possible to have redundancy on any one or all of these components. Some of these options may be dependent upon budget, but all are worth noting as possibilities. An example of a vendor who provides high levels of redundancy is Crossbeam® Systems and their X Series range; details are available on the Crossbeam website [30].

Should a device fail it is good practice to have a backup. Systems can operate in active/active or active/standby and may use proprietary methods to achieve this configuration. Open standards such as Virtual Router Redundancy Protocol (VRRP) may also be used. During a failover some live traffic disruption may take place, which could mean a session needing to be re-established by an end system. Depending on the criticality of the business requirements this may or may not be an issue. If it is likely to cause problems, however, then a robust failover solution should be chosen with good device component support.

Figure 10 - Firewall High Availability (labels: VIP IP, Firewall Cluster, Node A, Node B)

In Figure 10, a basic High Availability (HA) deployment is shown. This could be configured in Active/Active (i.e. both devices receive live traffic and share the load) or Active/Standby (i.e. where one device is passive and waits for the failure of the other cluster member before resuming active duty). A Virtual IP (VIP) is used in the majority of HA solutions so that devices and users see the firewall cluster as one device.

High Availability in a firewall technology can be rendered obsolete by other related environmental factors, for example failure of switch ports, routers, internet and other links, power problems, and downtime of the systems it provides the high availability to. Therefore HA should be designed into the network overall and not just into the firewall appliance. Should the business requirements not call for an HA solution, as a minimum the device configuration should be adequately backed up for easy restore, and good support links to the manufacturer should be in place. It is also worth stocking a cold spare on site.

7.4 Multilayered Approach

A firewall vendor may offer a specific required feature whilst not providing the complete solution. In such circumstances multiple vendors could be chosen to fulfil the requirement at hand. It is good practice to use dual layering of firewalls in environments of high security. A vulnerability in a particular vendor's software or hardware should then only result in a weakness within one layer of the infrastructure, if another vendor's solution is used in parallel. Furthermore, utilising multiple vendors can allow the best features to be selected from each.

Figure 11 - Firewall & DMZ configuration in multilayered approach (labels: Internet, Webserver Firewall, Webserver DMZ, Database Firewall, Database DMZ)

In Figure 11, internet users are able to connect to the servers in the Webserver DMZ; they have no direct access to the database servers. The web servers need connectivity to the database servers for functionality, and this is permitted through the database firewall at a granular level.
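An added example, not from the guideline, modelling the two-layer design of Figure 11 in Python: a flow must be permitted by every firewall on its path, and a faulty rule set in one layer (standing in for a vulnerability in one vendor's product) is shown not to expose the database tier. The zone names, the database port and the faulty layer are assumptions.

```python
"""Two-layer evaluation for the Webserver DMZ / Database DMZ design of
section 7.4 (Figure 11).

Constructed example: zone names, the database port (5432) and the faulty
layer scenario are assumptions, not configuration from the guideline.
"""
from typing import Dict, List, Optional, Tuple

# A rule is (src_zone, dst_zone, dport or None for any port, action).
# First match wins and anything unmatched is dropped.
Rule = Tuple[str, str, Optional[int], str]

# Layer 1, the Webserver Firewall: internet users reach the web tier only.
WEBSERVER_FW: List[Rule] = [
    ("internet", "web_dmz", 443, "permit"),
    ("internet", "web_dmz", 80, "permit"),
]

# Layer 2, the Database Firewall: granular permit for the web tier to the
# database listener and nothing else. This is exactly the access a
# compromised web server would inherit, which is why it is kept this narrow.
DATABASE_FW: List[Rule] = [
    ("web_dmz", "db_dmz", 5432, "permit"),
]

# Firewalls crossed by a flow between two zones in the Figure 11 topology.
PATHS: Dict[Tuple[str, str], List[str]] = {
    ("internet", "web_dmz"): ["webserver_fw"],
    ("internet", "db_dmz"): ["webserver_fw", "database_fw"],
    ("web_dmz", "db_dmz"): ["database_fw"],
}

DEFAULT_LAYERS: Dict[str, List[Rule]] = {
    "webserver_fw": WEBSERVER_FW,
    "database_fw": DATABASE_FW,
}


def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """Single-firewall verdict: first matching rule, otherwise drop."""
    for r_src, r_dst, r_port, action in rules:
        if r_src == src and r_dst == dst and r_port in (None, dport):
            return action
    return "drop"


def layered_verdict(src: str, dst: str, dport: int,
                    layers: Optional[Dict[str, List[Rule]]] = None) -> Tuple[str, str]:
    """Permit only if every firewall on the path permits.

    Returns (verdict, name of the layer that decided it).
    """
    layers = DEFAULT_LAYERS if layers is None else layers
    path = PATHS.get((src, dst))
    if not path:
        return "drop", "no-route"
    for name in path:
        if evaluate(layers[name], src, dst, dport) != "permit":
            return "drop", name
    return "permit", path[-1]


# A defect in one vendor's product, modelled as that layer passing everything:
# the second, independently configured layer still holds the line.
FAULTY_WEBSERVER_FW: List[Rule] = [
    ("internet", "web_dmz", None, "permit"),
    ("internet", "db_dmz", None, "permit"),
]
FAULTY_LAYERS: Dict[str, List[Rule]] = {
    "webserver_fw": FAULTY_WEBSERVER_FW,
    "database_fw": DATABASE_FW,
}


if __name__ == "__main__":
    for src, dst, port in (("internet", "web_dmz", 443), ("internet", "db_dmz", 5432),
                           ("web_dmz", "db_dmz", 5432), ("web_dmz", "db_dmz", 22)):
        print(f"{src} -> {dst}:{port}", layered_verdict(src, dst, port))
    print("faulty web layer, internet -> db_dmz:5432",
          layered_verdict("internet", "db_dmz", 5432, FAULTY_LAYERS))
```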

Figure 12 - Multilayered Approach using several types of firewall technology (labels: Internet, Border Router/Packet Filter Firewall, Stateful Inspection Firewall, Application Proxy Firewall, Internal Users)

In Figure 12 the setup shows how several types of firewall technology can be integrated to provide a robust solution. Other types of technology such as IDS and AV should still be incorporated where appropriate to increase this offering.

7.5 Future Proofing

Acquiring a firewall solution often requires a considerable financial and resource outlay by an organisation. It is therefore considered prudent to choose a device that meets today's requirements whilst also allowing for future growth potential. Choosing a device from a reputable vendor may go some way to securing this need.


FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design Learning Objectives Identify common misconceptions about firewalls Explain why a firewall

More information

CS5008: Internet Computing

CS5008: Internet Computing CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is

More information

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT Network Security s Access lists Ingress filtering s Egress filtering NAT 2 Drivers of Performance RequirementsTraffic Volume and Complexity of Static IP Packet Filter Corporate Network The Complexity of

More information

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD005.001. Effective Date: April 7, 2005

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD005.001. Effective Date: April 7, 2005 State of New Mexico Statewide Architectural Configuration Requirements Title: Network Security Standard S-STD005.001 Effective Date: April 7, 2005 1. Authority The Department of Information Technology

More information

CompTIA Network+ (Exam N10-005)

CompTIA Network+ (Exam N10-005) CompTIA Network+ (Exam N10-005) Length: Location: Language(s): Audience(s): Level: Vendor: Type: Delivery Method: 5 Days 182, Broadway, Newmarket, Auckland English, Entry Level IT Professionals Intermediate

More information

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device Ch.9 Firewalls and Intrusion Prevention Systems Firewalls: effective means of protecting LANs Internet connectivity is essential for every organization and individuals introduces threats from the Internet

More information

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane SE 4C03 Winter 2005 Firewall Design Principles By: Kirk Crane Firewall Design Principles By: Kirk Crane 9810533 Introduction Every network has a security policy that will specify what traffic is allowed

More information

Stateful Inspection Technology

Stateful Inspection Technology Stateful Inspection Technology Security Requirements TECH NOTE In order to provide robust security, a firewall must track and control the flow of communication passing through it. To reach control decisions

More information

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall. Firewalls 1 Firewalls Idea: separate local network from the Internet Trusted hosts and networks Firewall Intranet Router DMZ Demilitarized Zone: publicly accessible servers and networks 2 1 Castle and

More information

Achieving PCI-Compliance through Cyberoam

Achieving PCI-Compliance through Cyberoam White paper Achieving PCI-Compliance through Cyberoam The Payment Card Industry (PCI) Data Security Standard (DSS) aims to assure cardholders that their card details are safe and secure when their debit

More information

Building a Systems Infrastructure to Support e- Business

Building a Systems Infrastructure to Support e- Business Building a Systems Infrastructure to Support e- Business NO WARRANTIES OF ANY NATURE ARE EXTENDED BY THE DOCUMENT. Any product and related material disclosed herein are only furnished pursuant and subject

More information

The Advantages of a Firewall Over an Interafer

The Advantages of a Firewall Over an Interafer FIREWALLS VIEWPOINT 02/2006 31 MARCH 2006 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor organisation to the Centre for the Protection

More information

UMHLABUYALINGANA MUNICIPALITY FIREWALL MANAGEMENT POLICY

UMHLABUYALINGANA MUNICIPALITY FIREWALL MANAGEMENT POLICY UMHLABUYALINGANA MUNICIPALITY FIREWALL MANAGEMENT POLICY Firewall Management Policy Approval and Version Control Approval Process: Position or Meeting Number: Date: Originator: Recommended by Director

More information

Overview. Firewall Security. Perimeter Security Devices. Routers

Overview. Firewall Security. Perimeter Security Devices. Routers Overview Firewall Security Chapter 8 Perimeter Security Devices H/W vs. S/W Packet Filtering vs. Stateful Inspection Firewall Topologies Firewall Rulebases Lecturer: Pei-yih Ting 1 2 Perimeter Security

More information

HANDBOOK 8 NETWORK SECURITY Version 1.0

HANDBOOK 8 NETWORK SECURITY Version 1.0 Australian Communications-Electronic Security Instruction 33 (ACSI 33) Point of Contact: Customer Services Team Phone: 02 6265 0197 Email: assist@dsd.gov.au HANDBOOK 8 NETWORK SECURITY Version 1.0 Objectives

More information

Chapter 4 Firewall Protection and Content Filtering

Chapter 4 Firewall Protection and Content Filtering Chapter 4 Firewall Protection and Content Filtering The ProSafe VPN Firewall 50 provides you with Web content filtering options such as Block Sites and Keyword Blocking. Parents and network administrators

More information

March 2012 www.tufin.com

March 2012 www.tufin.com SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...

More information

Lucent VPN Firewall Security in 802.11x Wireless Networks

Lucent VPN Firewall Security in 802.11x Wireless Networks Lucent VPN Firewall Security in 802.11x Wireless Networks Corporate Wireless Deployment is Increasing, But Security is a Major Concern The Lucent Security Products can Secure Your Networks This white paper

More information

Next Gen Firewall and UTM Buyers Guide

Next Gen Firewall and UTM Buyers Guide Next Gen Firewall and UTM Buyers Guide Implementing and managing a network protected by point solutions is far from simple. But complete protection doesn t have to be complicated. This buyers guide explains

More information

Chapter 7. Firewalls http://www.redhat.com/docs/manuals/enterprise/rhel-4-manual/security-guide/ch-fw.html

Chapter 7. Firewalls http://www.redhat.com/docs/manuals/enterprise/rhel-4-manual/security-guide/ch-fw.html Red Hat Docs > Manuals > Red Hat Enterprise Linux Manuals > Red Hat Enterprise Linux 4: Security Guide Chapter 7. Firewalls http://www.redhat.com/docs/manuals/enterprise/rhel-4-manual/security-guide/ch-fw.html

More information

Guideline on Auditing and Log Management

Guideline on Auditing and Log Management CMSGu2012-05 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Auditing and Log Management National Computer Board Mauritius

More information

Basic Network Configuration

Basic Network Configuration Basic Network Configuration 2 Table of Contents Basic Network Configuration... 25 LAN (local area network) vs WAN (wide area network)... 25 Local Area Network... 25 Wide Area Network... 26 Accessing the

More information

What would you like to protect?

What would you like to protect? Network Security What would you like to protect? Your data The information stored in your computer Your resources The computers themselves Your reputation You risk to be blamed for intrusions or cyber

More information

ANNEXURE TO TENDER NO. MRPU/IGCAR/COMP/5239

ANNEXURE TO TENDER NO. MRPU/IGCAR/COMP/5239 ANNEXURE TO TENDER NO. MRPU/IGCAR/COMP/5239 Check Point Firewall Software and Management Software I. Description of the Item Up gradation, installation and commissioning of Checkpoint security gateway

More information

Firewalls. Ahmad Almulhem March 10, 2012

Firewalls. Ahmad Almulhem March 10, 2012 Firewalls Ahmad Almulhem March 10, 2012 1 Outline Firewalls The Need for Firewalls Firewall Characteristics Types of Firewalls Firewall Basing Firewall Configurations Firewall Policies and Anomalies 2

More information

Avaya TM G700 Media Gateway Security. White Paper

Avaya TM G700 Media Gateway Security. White Paper Avaya TM G700 Media Gateway Security White Paper March 2002 G700 Media Gateway Security Summary With the Avaya G700 Media Gateway controlled by the Avaya S8300 or S8700 Media Servers, many of the traditional

More information

Chapter 4 Firewall Protection and Content Filtering

Chapter 4 Firewall Protection and Content Filtering Chapter 4 Firewall Protection and Content Filtering This chapter describes how to use the content filtering features of the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN to protect your network.

More information

E-Mail, Calendar and Messaging Services Good Practice Guideline

E-Mail, Calendar and Messaging Services Good Practice Guideline E-Mail, Calendar and Messaging Services Good Practice Guideline Programme NPFIT Document Record ID Key Sub-Prog / Project Information Governance NPFIT-FNT-TO-IG-GPG-0017.01 Prog. Director Mark Ferrar Status

More information

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network. Architecture The policy discussed suggests that the network be partitioned into several parts with guards between the various parts to prevent information from leaking from one part to another. One part

More information

Networking Basics and Network Security

Networking Basics and Network Security Why do we need networks? Networking Basics and Network Security Shared Data and Functions Availability Performance, Load Balancing What is needed for a network? ISO 7-Layer Model Physical Connection Wired:

More information

FIREWALLS & CBAC. philip.heimer@hh.se

FIREWALLS & CBAC. philip.heimer@hh.se FIREWALLS & CBAC philip.heimer@hh.se Implementing a Firewall Personal software firewall a software that is installed on a single PC to protect only that PC All-in-one firewall can be a single device that

More information

vcloud Air - Virtual Private Cloud OnDemand Networking Guide

vcloud Air - Virtual Private Cloud OnDemand Networking Guide vcloud Air - Virtual Private Cloud OnDemand Networking Guide vcloud Air This document supports the version of each product listed and supports all subsequent versions until the document is replaced by

More information

Technical Note. ISP Protection against BlackListing. FORTIMAIL Deployment for Outbound Spam Filtering. Rev 2.2

Technical Note. ISP Protection against BlackListing. FORTIMAIL Deployment for Outbound Spam Filtering. Rev 2.2 Technical Note ISP Protection against BlackListing FORTIMAIL Deployment for Outbound Spam Filtering Rev 2.2 April 14, 2009 Table of Contents 1 Objective IP address protection... 3 1.1 Context... 3 1.2

More information

Top tips for improved network security

Top tips for improved network security Top tips for improved network security Network security is beleaguered by malware, spam and security breaches. Some criminal, some malicious, some just annoying but all impeding the smooth running of a

More information

Intrusion Detection and Prevention Systems (IDS/IPS) Good Practice Guide

Intrusion Detection and Prevention Systems (IDS/IPS) Good Practice Guide Programme NPFIT Document Record ID Key Sub-Prog / Project Infrastructure Security NPFIT-FNT-TO-INFR-0068.01 Prog. Director Mark Ferrar Status Approved Owner James Wood Version 2.0 Author Jason Alexander

More information

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG) SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG) A RSACCESS WHITE PAPER 1 Microsoft Forefront Unified Access Gateway Overview 2 Safe-T RSAccess Secure Front-end Overview

More information

VOICE OVER IP SECURITY

VOICE OVER IP SECURITY VOICE OVER IP SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

More information

PROFESSIONAL SECURITY SYSTEMS

PROFESSIONAL SECURITY SYSTEMS PROFESSIONAL SECURITY SYSTEMS Security policy, active protection against network attacks and management of IDP Introduction Intrusion Detection and Prevention (IDP ) is a new generation of network security

More information

Solution Review: Siemens Enterprise Communications OpenScape Session Border Controller

Solution Review: Siemens Enterprise Communications OpenScape Session Border Controller Solution Review: Siemens Enterprise Communications OpenScape Session Border Controller Russell Bennett UC Insights www.ucinsights.com russell@ucinsights.com Introduction Those familiar with unified communications

More information

TABLE OF CONTENTS NETWORK SECURITY 2...1

TABLE OF CONTENTS NETWORK SECURITY 2...1 Network Security 2 This document is the exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document for non-commercial distribution and exclusive use by instructors

More information

Using a Firewall General Configuration Guide

Using a Firewall General Configuration Guide Using a Firewall General Configuration Guide Page 1 1 Contents There are no satellite-specific configuration issues that need to be addressed when installing a firewall and so this document looks instead

More information

INSTANT MESSAGING SECURITY

INSTANT MESSAGING SECURITY INSTANT MESSAGING SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part

More information

Chapter 8 Router and Network Management

Chapter 8 Router and Network Management Chapter 8 Router and Network Management This chapter describes how to use the network management features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. These features can be found by

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 40 Firewalls and Intrusion

More information

Internet Firewall Tutorial A White Paper January 2005

Internet Firewall Tutorial A White Paper January 2005 Internet Firewall Tutorial A White Paper January 2005 The Mansion, Bletchley Park Milton Keynes MK3 6EB, UK Tel: 01908 276650 Fax: 01908 276699 http://www.ipcortex.co.uk/ About the Author Rob Pickering

More information

Network Security Guidelines. e-governance

Network Security Guidelines. e-governance Network Security Guidelines for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S/L Type

More information

8. Firewall Design & Implementation

8. Firewall Design & Implementation DMZ Networks The most common firewall environment implementation is known as a DMZ, or DeMilitarized Zone network. A DMZ network is created out of a network connecting two firewalls; i.e., when two or

More information

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM Okumoku-Evroro Oniovosa Lecturer, Department of Computer Science Delta State University, Abraka, Nigeria Email: victorkleo@live.com ABSTRACT Internet security

More information