Stonesoft 5.5. Firewall/VPN Reference Guide. Firewall Virtual Private Networks


Legal Information

End-User License Agreement
The use of the products described in these materials is subject to the then current end-user license agreement, which can be found at the Stonesoft website:

Third Party Licenses
The Stonesoft software includes several open source or third-party software packages. The appropriate software licensing information for those products can be found at the Stonesoft website:

U.S. Government Acquisitions
If Licensee is acquiring the Software, including accompanying documentation, on behalf of the U.S. Government, the following provisions apply. If the Software is supplied to the Department of Defense ("DoD"), the Software is subject to Restricted Rights, as that term is defined in the DOD Supplement to the Federal Acquisition Regulations ("DFAR") in paragraph (c) (1). If the Software is supplied to any unit or agency of the United States Government other than DOD, the Government's rights in the Software will be as defined in paragraph (c) (2) of the Federal Acquisition Regulations ("FAR"). Use, duplication, reproduction or disclosure by the Government is subject to such restrictions or successor provisions.

Product Export Restrictions
The products described in this document are subject to export control under the laws of Finland and the European Council Regulation (EC) No. 1334/2000 of 22 June 2000 setting up a Community regime for the control of exports of dual-use items and technology (as amended). Thus, the export of this Stonesoft software in any manner is restricted and requires a license by the relevant authorities.

General Terms and Conditions of Support and Maintenance Services
The support and maintenance services for the products described in these materials are provided pursuant to the general terms for support and maintenance services and the related service description, which can be found at the Stonesoft website:

Replacement Service
The instructions for replacement service can be found at the Stonesoft website:

Hardware Warranty
The appliances described in these materials have a limited hardware warranty. The terms of the hardware warranty can be found at the Stonesoft website:

Trademarks and Patents
The products described in these materials are protected by one or more of the following European and US patents: European Patent Nos. , , , , , , , , , , , , , , and and US Patent Nos. 6,650,621; 6,856,621; 6,912,200; 6,996,573; 7,099,284; 7,127,739; 7,130,266; 7,130,305; 7,146,421; 7,162,737; 7,234,166; 7,260,843; 7,280,540; 7,325,248; 7,360,242; 7,386,525; 7,406,534; 7,461,401; 7,573,823; 7,721,084; and 7,739,727 and may be protected by other EU, US, or other patents, or pending applications. Stonesoft, the Stonesoft logo and StoneGate are all trademarks or registered trademarks of Stonesoft Corporation. All other trademarks or registered trademarks are property of their respective owners.

Disclaimer
Although every precaution has been taken to prepare these materials, THESE MATERIALS ARE PROVIDED "AS-IS" and Stonesoft makes no warranty to the correctness of information and assumes no responsibility for errors, omissions, or resulting damages from the use of the information contained herein. All IP addresses in these materials were chosen at random and are used for illustrative purposes only.

Copyright 2013 Stonesoft Corporation. All rights reserved. All specifications are subject to change. Revision: SGFRG_

TABLE OF CONTENTS

INTRODUCTION
CHAPTER 1 Using Stonesoft Documentation: How to Use This Guide Documentation Available Product Documentation Support Documentation System Requirements Supported Features Contact Information Licensing Issues Technical Support Your Comments Other Queries
CHAPTER 2 Introduction to Firewalls: The Role of the Firewall Firewall Technologies Packet Filtering Proxy Firewalls Stateful Inspection Stonesoft Multi-Layer Inspection Additional Firewall Features Authentication Deep Packet Inspection and Unified Threat Management Integration With External Content Inspection (page 22) Load Balancing and Traffic Management Logging and Reporting Network Address Translation (NAT) VPNs Firewall Weaknesses Complexity of Administration Single Point of Failure Worms, Viruses, and Targeted Attacks
CHAPTER 3 Introduction to Stonesoft Firewalls: The Stonesoft Security Platform Stonesoft Firewall/VPN System Components (page 27) Firewall/VPN Engines Main Benefits of Stonesoft Firewall/VPN Advanced Traffic Inspection Built-in Clustering for Load Balancing and High Availability Multi-Link Technology Built-in Inbound Traffic Management QoS and Bandwidth Management Integration with Stonesoft IPS and Stonesoft Layer 2 Firewalls Clustered Multi-Link VPNs
CHAPTER 4 Stonesoft Firewall/VPN Deployment: Deployment Overview Supported Platforms General Deployment Guidelines Positioning Firewalls External to Internal Network Boundary Internal Network Boundaries DMZ Network Boundaries

INTERFACES AND ROUTING
CHAPTER 5 Single Firewall Configuration: Overview to Single Firewall Configuration Configuration of Single Firewalls Dynamic Firewall Interface Addresses Internal DHCP Server Security Strength of Management Connections (page 43) Configuration Workflow Task 1: Create Single Firewall Elements Task 2: Define Physical Interfaces Task 3: Define VLAN Interfaces Task 4: Define Tunnel Interfaces Task 5: Define an ADSL Interface Task 6: Define a Wireless Interface Task 7: Define IP Addresses Task 8: Define Loopback IP Addresses Task 9: Define Modem Interfaces Task 10: Install the Firewall Engine Task 11: Install a Firewall Policy Example of a Single Firewall Deployment Setting up a Single Firewall Adding a New Interface to an Existing Configuration
CHAPTER 6 Firewall Cluster Configuration: Overview to Firewall Cluster Configuration Benefits of Clustering Communication Between the Nodes Hardware Security Strength of Management Connections (page 51) Configuration of Firewall Clusters Load Balancing Standby Operation Network Interfaces and IP Addresses Clustering Modes How Packet Dispatch Works Configuration Workflow Task 1: Create a Firewall Cluster Element Task 2: Create Physical Interfaces Task 3: Define VLAN Interfaces Task 4: Define Tunnel Interfaces Task 5: Configure Physical or VLAN Interfaces Task 6: Define Loopback IP Addresses Task 7: Install the Firewall Engines Task 8: Install a Firewall Policy Using a Firewall Cluster Internal DHCP Server Node State Synchronization Security Level for State Synchronization Manual Load Balancing Examples of Firewall Cluster Deployment Setting up a Firewall Cluster Adding a Node to a Firewall Cluster
CHAPTER 7 Master Engine and Virtual Firewall Configuration: Overview to Master Engine and Virtual Firewall Configuration Configuration of Master Engines and Virtual Firewalls Configuration Workflow Task 1: Create a Master Engine Element Task 2: Create Virtual Resource Element(s) Task 3: Configure Master Engine Interfaces Task 4: Create a Virtual Firewall Element Task 5: Configure Virtual Firewall Interfaces Task 6: Install a Firewall Policy Using Master Engines and Virtual Firewalls Moving a Virtual Firewall to a Different Master Engine Using Master Engines and Virtual Firewalls With Domains Example of Master Engine and Virtual Firewall Deployment Deploying Virtual Firewalls for MSSP Customers
CHAPTER 8 Routing and Antispoofing: Overview to Routing and Antispoofing Configuration of Routing and Antispoofing Reading the Routing and Antispoofing Trees (page 70) Multi-Link Routing for Single and Clustered Firewalls Default Elements Configuration Workflow Task 1: Add Router or NetLink Task 2: Add Network(s) Task 3: Refresh Firewall Policy Using Routing and Antispoofing Policy Routing Multicast Routing Modifying Antispoofing Monitoring Routing Examples of Routing Routing Traffic with Two Interfaces Routing Internet Traffic with Multi-Link Routing Traffic to Networks That Use Same Address Space

ACCESS CONTROL POLICIES
CHAPTER 9 Firewall Policies: Overview to Firewall Policies Policy Hierarchy How the Engine Examines Traffic Configuration of Policy Elements Default Elements Configuration Workflow Task 1: Create a Template Policy Task 2: Create a Policy Task 3: Create a Firewall Sub-Policy Task 4: Install the Policy Using Policy Elements and Rules Validating Policies User Responses Connection Tracking vs. Connectionless Packet Inspection Policy Snapshots Continue Rules Adding Comments to Rules Examples of Policy Element Use Protecting Essential Communications Improving Readability and Performance Restricting Administrator Editing Rights
CHAPTER 10 Access Rules: Overview to Access Rules Configuration of Access Rules Considerations for Designing Access Rules Default Elements Configuration Workflow Task 1: Define the Source and Destination Task 2: Define the Service Task 3: Select the Action and Action Options Task 4: Select Logging Options Task 5: Add User Authentication Requirements Task 6: Restrict the Time When the Rule Is Enforced Task 7: Restrict the Rule Match Based on Source VPN Using Access Rules Allowing System Communications Configuring Default Settings for Several Rules (page 107) Using Continue Rules to Set Logging Options Using Continue Rules to Set the Protocol Using Aliases in Access Rules Creating User-Specific Access Rules Using Domain Names in Access Rules Interface Matching in Access Rules Examples of Access Rules Example of Rule Order Example of Continue Rules Example of User-Specific Rules
CHAPTER 11 Inspection Policies: Overview to Inspection Policies Configuration of Inspection Policies Verifying and Tuning Inspection Considerations for Designing Inspection Policies Exception Rule Cells Default Elements Configuration Workflow Task 1: Create an Inspection Policy Task 2: Activate Deep Inspection in Firewall Policies Task 3: Activate the Relevant Inspection Checks Task 4: Define the Exceptions Task 5: Eliminate False Positives Task 6: Add Custom Inspection Checks Using Inspection Policies Setting Default Options for Several Inspection Exceptions Importing Snort Rules Libraries Example of Inspection Rules Eliminating a False Positive
CHAPTER 12 Network Address Translation (NAT) Rules: Overview to NAT Static Source Translation Dynamic Source Translation Static Destination Translation Destination Port Translation Configuration of NAT Considerations for Designing NAT Rules Default Elements Configuration Workflow Task 1: Define Source, Destination, and Service Task 2: Define Address Translation Task 3: Define the Firewall(s) that Apply the Rule Task 4: Check Other Configurations Using NAT and NAT Rules NAT and System Communications Example of a Situation Where a Contact Address is Needed Contact Addresses and Locations Outbound Load Balancing NAT Proxy ARP and NAT Protocols and NAT Examples of NAT Dynamic Source Address Translation Static Address Translation NAT with Hosts in the Same Network
CHAPTER 13 Protocol Agents: Overview to Protocol Agents Connection Handling Protocol Validation NAT in Application Data Configuration of Protocol Agents Configuration Workflow Task 1: Create a Custom Service with a Protocol Agent Task 2: Set Parameters for the Protocol Agent Task 3: Insert the Service in Access Rules Using Protocol Agents FTP Agent GRE Agent H323 Agent HTTP Agent HTTPS Agent MSRPC Agent NetBIOS Agent Oracle Agent Services in Firewall Agent Shell Agent SIP Agent SMTP Agent SSH Agent SunRPC Agent TCP Proxy Agent TFTP Agent Examples of Protocol Agent Use Preventing Active Mode FTP Logging URLs Accessed by Internal Users
CHAPTER 14 TLS Inspection: Overview to TLS Inspection Configuration of TLS Inspection Default Elements Configuration Workflow Task 1: Create Server Credentials Elements Task 2: Create Client Protection Certificate Authority Elements Task 3: Exclude Traffic from Decryption and Inspection Task 4: Activate TLS Inspection Using TLS Inspection Security Considerations Virus Scanning of Decrypted TLS Traffic Web Filtering Decrypted TLS Traffic Examples of TLS Inspection Server Protection Client Protection
CHAPTER 15 Web Filtering: Overview to Web Filtering Configuration of Web Filtering Default Elements Configuration Workflow Task 1: Prepare the Firewall Task 2: Create User Response Messages Task 3: Blacklist/Whitelist Individual URLs (page 162) Task 4: Configure Web Filtering Rules in the Policy Examples of Web Filtering Allowing a Blocked URL
CHAPTER 16 Spam Filtering: Overview to Spam Filtering Configuring Spam Filtering Configuration Workflow Task 1: Define Spam Filtering for a Firewall Task 2: Select Traffic for Inspection with Access Rules Task 3: Select Traffic Not to Be Filtered Using Spam Filtering Anti-Spoofing and Anti-Relay Protection Handling Address Forgery Spam Filter Sensitivity Settings Spam Filtering Rules DNS-Based Blackhole Lists
CHAPTER 17 Virus Scanning: Overview to Virus Scanning Configuration of Virus Scanning Configuration Workflow Task 1: Activate the Anti-Virus Feature for a Firewall Task 2: Select Traffic for Inspection with Access Rules Task 3: Define the Content Not to Be Scanned Using Virus Scanning Integrated Scanning vs. Content Inspection Server Limitations of Virus Scanning on Clusters
CHAPTER 18 External Content Inspection: Overview to Content Inspection Configuration of Content Inspection Default Elements Configuration Workflow Task 1: Create a CIS Server Element Task 2: Create a Custom Service for Content Inspection Server Redirection Task 3: Define Access Rules for Redirection Task 4: Configure NAT Rules for Content Inspection Server Redirection Using Content Inspection Example of Content Inspection Inspecting Internal User's Web Browsing and File Transfers
CHAPTER 19 Situations: Overview to Situations Configuration of Situations Situation Contexts Correlation Contexts Anti-Virus Contexts DoS Detection Contexts Scan Detection Contexts Protocol-Specific Contexts File Contexts System Contexts Default Elements Configuration Workflow Task 1: Create a Situation Element Task 2: Add a Context for the Situation Task 3: Associate Tags and/or Situation Types with the Situation Task 4: Associate the Situation with a Vulnerability Using Situations Example of Custom Situations Detecting the Use of Forbidden Software
CHAPTER 20 Applications: Overview to Applications Configuration of Applications Default Elements Configuration Workflow Task 1: Define TLS Matches Task 2: Create Access Rules Examples of Applications Blocking Application Use
CHAPTER 21 Blacklisting: Overview to Blacklisting Risks of Blacklisting Configuration of Blacklisting Configuration Workflow Task 1: Define Blacklisting in Access Rules Task 2: Define Exceptions in the Inspection Policy Using Blacklisting Manual Blacklisting Monitoring Blacklisting Whitelisting

USERS AND AUTHENTICATION
CHAPTER 22 Directory Servers: Overview to Directory Servers Configuration of Directory Servers Internal User Database Authentication Server User Linking External Directory Server Integration User Agents for Active Directory Configuration Workflow Task 1: Create an LDAP Server or an Active Directory Server Element Task 2: Add an LDAP Domain Task 3: Add Users and User Groups or Link Users Task 4: Install and Configure the User Agent Examples of Directory Servers Using the Internal User Database Integrating a Microsoft Active Directory Server (page 204)
CHAPTER 23 User Authentication on the Firewall: Overview to User Authentication on the Firewall (page 206) Configuration of User Authentication on the Firewall Default Elements Configuration Workflow Task 1: Define User Authentication in IPv4 Access Rules Task 2: Configure User Authentication Interfaces Example of User Authentication on the Firewall (page 209) Authenticating VPN Client Users
CHAPTER 24 External User Authentication: Overview to External User Authentication Configuration of External User Authentication Directory Servers for External User Authentication RADIUS Authentication TACACS+ Authentication Authentication Methods Federated Authentication Default Elements Configuration Workflow Task 1: Define Servers Task 2: Associate Authentication Methods with Servers Task 3: Define User Authentication in IPv4 Access Rules Task 4: Configure User Authentication Interfaces Examples of External User Authentication Integrating a Microsoft Active Directory Server (page 218) Using SecurID Authentication with Stonesoft IPsec VPN Clients

TRAFFIC MANAGEMENT
CHAPTER 25 Outbound Traffic Management: Overview to Outbound Traffic Management Configuration of Multi-Link Load Balancing Methods Standby NetLinks for High Availability Link Status Probing Configuration Workflow Task 1: Create NetLink Elements Task 2: Configure Routing for NetLinks Task 3: Combine NetLinks into Outbound Multi-Link Elements Task 4: Create NAT Rules for Outbound Traffic Using Multi-Link Multi-Link with a Single Firewall Multi-Link with a Firewall Cluster Using Multiple Outbound Multi-Link Elements (page 229) Examples of Multi-Link Preparing for ISP Breakdown Excluding a NetLink from Handling a QoS Class of Traffic Balancing Traffic According to Link Capacity Balancing Traffic between Internet Connections (page 231)
CHAPTER 26 Inbound Traffic Management: Overview to Server Pool Configuration Configuration of Server Pools Multi-Link for Server Pools Default Elements Configuration Workflow Task 1: Define Hosts Task 2: Combine Hosts into a Server Pool Element Task 3: Configure the External DNS Server Task 4: Create an Inbound Load Balancing Rule Task 5: Set up Server Pool Monitoring Agents Using Server Pools Dynamic DNS (DDNS) Updates Using Server Pool Monitoring Agents Examples of Server Pools Load Balancing for Web Servers Setting up Multi-Link and Dynamic DNS Updates
CHAPTER 27 Bandwidth Management and Traffic Prioritization: Overview to Bandwidth Management and Traffic Prioritization Bandwidth Management Traffic Prioritization Effects of Bandwidth Management and Prioritization Configuration of Limits, Guarantees, and Priorities for Traffic Default Elements Configuration Workflow Task 1: Define QoS Classes Task 2: Define QoS Policies Task 3: Assign QoS Classes to Traffic Task 4: Define QoS for Interfaces and VPNs Using Bandwidth Management and Traffic Prioritization Designing QoS Policies Communicating DSCP Markers Managing Bandwidth of Incoming Traffic Collecting QoS Class-Based Statistics Examples of Bandwidth Management and Traffic Prioritization Ensuring Quality of Important Communications (page 254) Preparing for ISP Breakdown Limiting the Total Bandwidth Required

VIRTUAL PRIVATE NETWORKS
CHAPTER 28 Overview to VPNs: Introduction to VPNs IPsec VPNs Tunnels Security Associations (SA) Internet Key Exchange (IKE) Perfect Forward Secrecy (PFS) Authentication Header (AH) and Encapsulating Security Payload (ESP) Authentication Tunnel and Transport Modes IPsec VPN Topologies for Policy-Based VPNs
CHAPTER 29 Policy-Based VPN Configuration: Overview to Policy-Based VPN Configuration Configuration of Policy-Based VPNs Default Elements Configuration Workflow Task 1: Define the Gateway Settings Task 2: Define the Gateway Profile Task 3: Define the Gateways Task 4: Define the Sites Task 5: Create Certificates Task 6: Define the VPN Profile Task 7: Define the VPN Element Task 8: Modify the Firewall Policy Task 9: Configure VPN Clients and External Gateway Devices Using VPNs VPN Logging Using a Dynamic IP Address for a VPN End-Point Using a NAT Address for a VPN End-Point Supported Authentication and Encryption Methods FIPS Mode GOST-Compliant Systems Message Digest Algorithms Authentication Methods Encryption Algorithms Using Pre-Shared Key Authentication Using Certificate Authentication Validity of Certificates Internal VPN Certificate Authorities External Certificate Authorities Configuring Policy-Based VPNs with External Gateway Devices Clustering and Policy-Based VPNs Multi-Link and Policy-Based VPNs Providing Encryption for the Route-Based VPN in Tunnel Mode Examples of Policy-Based VPN Configurations (page 287) Creating a Policy-Based VPN Between Three Offices Creating a Policy-Based VPN for Mobile Users (page 289) Creating a Policy-Based VPN That Requires NAT
CHAPTER 30 Route-Based VPN Configuration: Overview to Route-Based VPN Configuration Configuration of the Route-Based VPN Default Elements Configuration Workflow Task 1: Define Tunnel Interfaces Task 2: Configure Routing and Antispoofing for Tunnel Interfaces Task 3: Define the Gateways Task 4: Define the VPN Profile Task 5: Define Route-Based VPN Tunnels Task 6: Add Access Rules to Allow the Traffic Task 7: Refresh Firewall Policy Using the Route-Based VPN Configuring the Route-Based VPN with External Gateway Devices Using the Route-Based VPN in Tunnel Mode Using the Route-Based VPN with Dynamic Routing Examples of Route-Based VPN Configurations Protecting Dynamic Routing Communications (page 300) Configuring a Route-Based VPN with an External Gateway

APPENDICES
APPENDIX A Command Line Tools: Management Center Commands Engine Commands Server Pool Monitoring Agent Commands
APPENDIX B Default Communication Ports: Management Center Ports Security Engine Ports
APPENDIX C Predefined Aliases: Predefined User Aliases System Aliases
APPENDIX D Situation Context Parameters: Port/Host Scan Detection Parameters Correlation Context Parameters Regular Expression Parameter Other Context Parameters
APPENDIX E Regular Expression Syntax: Syntax for Stonesoft Regular Expressions Special Character Sequences Pattern-Matching Modifiers Bit Variable Extensions Variable Expression Evaluation Stream Operations Other Expressions System Variables Independent Subexpressions Parallel Matching Groups
APPENDIX F Schema Updates for External LDAP Servers
APPENDIX G SNMP Traps and MIBs
APPENDIX H Multicasting: The General Features of Multicasting Multicasting vs. Unicasting Multicasting vs. Broadcasting IP Multicasting Overview Multicasting Applications Internet Group Management Protocol Membership Messages Ethernet Multicasting Multicasting and Stonesoft Firewalls Unicast MAC Multicast MAC Multicast MAC with IGMP
Glossary
Index

INTRODUCTION

In this section:
Using Stonesoft Documentation - 13
Introduction to Firewalls - 17
Introduction to Stonesoft Firewalls - 25
Stonesoft Firewall/VPN Deployment

CHAPTER 1 USING STONESOFT DOCUMENTATION

This chapter describes how to use this Guide and related documentation. It also provides directions for obtaining technical support and giving feedback about the documentation.

The following sections are included:
How to Use This Guide (page 14)
Documentation Available (page 15)
Contact Information (page 16)

How to Use This Guide

This Reference Guide provides information that helps administrators of Stonesoft Firewalls understand the system and its features. It provides high-level descriptions and examples of the configuration workflows.

This guide is divided into several sections. The chapters in the first section provide a general introduction to Stonesoft Firewalls. The sections that follow each include chapters related to one feature area. The last section provides detailed reference information in tabular form, and some guideline information. For other available documentation, see Documentation Available (page 15).

Typographical Conventions

The following conventions are used throughout the documentation:

Table 1.1 Typographical Conventions (Formatting: Informative Uses)
User Interface text: Text you see in the User Interface (buttons, menus, etc.) and any other interaction with the user interface are in bold-face.
References, terms: Cross-references and first use of acronyms and terms are in italics.
Command line: File names, directories, and text displayed on the screen are monospaced.
User input: User input on screen is in monospaced bold-face.
Command parameters: Command parameter names are in monospaced italics.

We use the following ways to indicate important or additional information:
Note: Notes prevent commonly-made mistakes by pointing out important points.
Caution: Cautions prevent breaches of security, information loss, or system downtime. Cautions always contain critical information that you must observe.
Tip: Tips provide additional helpful information, such as alternative ways to complete steps.
Example: Examples present a concrete scenario that clarifies the points made in the adjacent text.

Documentation Available

Stonesoft technical documentation is divided into two main categories: Product Documentation and Support Documentation (page 16). Each Stonesoft product has a separate set of manuals.

Product Documentation

The table below lists the available product documentation.

Table 1.2 Product Documentation (Guide: Description)
Reference Guide: Explains the operation and features of the Stonesoft system comprehensively. Demonstrates the general workflow and provides example scenarios for each feature area. Available as separate guides for Stonesoft Management Center and Stonesoft Firewall/VPN, and as a combined guide for Stonesoft IPS and Stonesoft Layer 2 Firewall.
Installation Guide: Instructions for planning, installing, and upgrading a Stonesoft system. Available as separate guides for Stonesoft Management Center and Stonesoft Firewall/VPN, and as a combined guide for Stonesoft IPS and Stonesoft Layer 2 Firewall.
Online Help: Describes how to configure and manage the system step-by-step. Accessible through the Help menu and by using the Help button or the F1 key in any window or dialog. Available in the Stonesoft Management Client and the Stonesoft Web Portal. An HTML-based system is available in the Stonesoft SSL VPN Administrator through help links and icons.
Administrator's Guide: Describes how to configure and manage the system step-by-step. Available as a combined guide for Stonesoft Firewall/VPN, Stonesoft IPS, and Stonesoft Layer 2 Firewall, and as separate guides for Stonesoft SSL VPN and Stonesoft IPsec VPN Client.
User's Guide: Instructions for end-users. Available for the Stonesoft IPsec VPN Client and the Stonesoft Web Portal.
Appliance Installation Guide: Instructions for physically installing and maintaining Stonesoft appliances (rack mounting, cabling, etc.). Available for all Stonesoft hardware appliances.

PDF guides are available at current/. The Stonesoft Administrator's Guide, and the Reference Guides and Installation Guides for Stonesoft Management Center, Stonesoft Firewall/VPN, Stonesoft IPS, and Stonesoft Layer 2 Firewall are also available as PDFs on the Management Center DVD.

Support Documentation

The Stonesoft support documentation provides additional and late-breaking technical information. These technical documents support the Stonesoft Guide books, for example, by giving further examples on specific configuration scenarios. The latest Stonesoft technical documentation is available on the Stonesoft web site at

System Requirements

The certified platforms for running Stonesoft engine software can be found at the product pages at The hardware and software requirements for the version you are running can also be found in the Release Notes available at

Supported Features

Not all features are supported on all platforms. See the Appliance Software Support Table at the Stonesoft Support Documentation pages for more information.

Contact Information

For street addresses, phone numbers, and general information about Stonesoft products and Stonesoft Corporation, visit our web site at

Licensing Issues

You can view your current licenses at the License Center section of the Stonesoft web site at For license-related queries,

Technical Support

Stonesoft offers global technical support services for Stonesoft's product families. For more information on technical support, visit the Support section at the Stonesoft web site at

Your Comments

We want to make our products fulfill your needs as well as possible. We are always pleased to receive any suggestions you may have for improvements. To comment on software and hardware products, e-mail feedback@stonesoft.com. To comment on the documentation, e-mail documentation@stonesoft.com.

Other Queries

For queries regarding other matters, e-mail info@stonesoft.com.

CHAPTER 2 INTRODUCTION TO FIREWALLS

This chapter introduces and discusses the underlying security principles of firewalls in general. In this chapter we will discuss what firewalls are, which different types of firewalls there are, how they are used, what they are capable of, as well as what their possible weaknesses are.

The following sections are included:
The Role of the Firewall (page 18)
Firewall Technologies (page 19)
Additional Firewall Features (page 21)
Firewall Weaknesses (page 24)

The Role of the Firewall

Firewalls are the primary tool for perimeter access control between networks with different security levels. Firewalls control the traffic between networks and deny access that does not look like acceptable business use as defined by the administrators. The generally accepted principle of access control is "whatever is not expressly permitted is denied". The most secure network is achieved when nobody and nothing is permitted entry to the protected network. In most cases, such a network is naturally too limited, so a firewall must be introduced to allow specific limited services to pass in a safe way. That means that in order for any traffic to be allowed into the network, it must first match an explicit allow rule.

There are three main types of platforms for running a firewall:
Dedicated firewall appliances.
Firewall software installed on a server dedicated to be used as a firewall.
Firewall software running as a virtual machine in a virtualized server environment.

Stonesoft Firewalls are available on all of these platform types. Regardless of the type of platform, the network structure in which the firewalls are placed must be carefully designed so that there are no loopholes or back doors. Firewalls can only control traffic that actually passes through them; even the most carefully planned firewall system can be undermined by a single back door that allows traffic to circumvent the firewall.

In addition to access control, modern firewall devices often include a variety of additional integrated features, such as intrusion prevention systems (IPS), content filtering, anti-virus, and anti-spam. In this chapter, the additional features are discussed separately, and the discussion focuses on the primary role of access control. Such additional features in Stonesoft Firewalls are covered in more detail in section Additional Firewall Features (page 21).

Firewall Technologies

This section presents an overview to the main firewall techniques, and explains how Stonesoft Firewalls use them. The discussion here is limited to the traditional firewall component of a firewall system; the various additional inspection features that modern firewalls often incorporate are discussed separately.

Traditional firewall features are commonly achieved through three main techniques:
packet filtering
proxy firewalls
stateful inspection.

The next sections first discuss these techniques separately and then explain how they can be utilized together to achieve an optimal balance between performance and security.

Packet Filtering

Packet filtering examines the header information of packets and allows or stops each packet individually. In addition to firewalls, such simple access control lists (ACLs) are implemented on most common routing devices. Pure packet filters cannot protect against protocol misuse or other malicious contents in higher levels of the protocol stack. However, for some simple network protocols, packet filtering can be light on firewall resources and even provide an adequate level of protection.

Proxy Firewalls

Proxy firewalls are firewalls running application proxy services. Proxies are a man-in-the-middle, and they establish their own separate connections to both the client and the server. This type of firewall is fully application-aware, and therefore very secure, but at the same time there's a trade-off in performance due to the inevitable increase in overhead.

Illustration 2.1 Proxy Firewall Model

Stateful Inspection

Stateful inspection firewalls are aware of basic networking standards and use historical data about connections in determining whether to allow or stop a packet. They track the established connections and their states in dynamic state tables and ensure that the connections comply with the security policies and protocol standards. Since stateful inspection understands the context of connections (and therefore can relate the returning packets to the appropriate connections), connections already determined to be secure can be allowed without full examination, based on previous packets. This is especially important with services such as FTP, which can open several related connections that do not match a single basic profile. Even though stateful inspection has some application awareness, it concentrates on protocols, not on inspecting data at the application layer.

Stonesoft Multi-Layer Inspection

Stonesoft Multi-Layer Inspection combines application layer inspection, stateful inspection, and packet filtering technologies flexibly for optimal security and system performance. Like stateful inspection, the Stonesoft Firewall uses state tables to track connections and judge whether a packet is a part of an established connection or not. The Stonesoft Firewall also features application-layer inspection through specific Protocol Agents, when necessary, for enhanced security to inspect data all the way up to the application layer. The Stonesoft Firewall can also act as a packet filter for types of connections that do not require the security considerations of stateful inspection.

Illustration 2.2 Multi-layer Inspection Model

By default, all Stonesoft Firewall Access rules implement stateful inspection, but the administrator can flexibly configure rules with simple packet filtering or an additional layer of application level security as needed. Stonesoft Firewalls apply application level inspection with or without proxying the connections, depending on what is required. Application level inspection can be selected for certain types of traffic by attaching a connection to a protocol-specific Protocol Agent.

Protocol Agents are also used to handle protocols that generate complex connection patterns, to redirect traffic to content inspection servers, and to modify the data payload if necessary. For example, the FTP Protocol Agent can inspect the control connection and only allow packets containing valid FTP commands. If an FTP data connection is opened using a dynamically assigned port, the Protocol Agent reads the port and allows the traffic. If NAT (network address translation) is applied to the connection, the Protocol Agent can also modify the IP address and port transported in the packet payload to allow the connection to continue despite the NAT. The Protocol Agents are covered in more detail in Protocol Agents (page 141).

Additional Firewall Features

A firewall can have several different functions on a network. Although a firewall's primary function is to control network access, it can be used in several complementary roles depending on the firewall product used. This section concentrates on the main features available in Stonesoft Firewalls.

Authentication

The primary task of any firewall is to control access to data resources, so that only authorized connections are allowed. Adding an authentication requirement to firewall policies allows the firewall to also consider the user before access is granted. For more information on authentication, see User Authentication on the Firewall (page 205) and External User Authentication (page 211).

Deep Packet Inspection and Unified Threat Management

Deep packet inspection includes measures such as virus detection, web content filtering, intrusion detection, or some other check of the actual data being transferred. When several such features are combined together with a firewall, the solution is often called unified threat management (UTM). Stonesoft's UTM solution includes:
- Virus checking.
- URL filtering.
- Intrusion detection.

By combining several features, a UTM solution simplifies the physical network setup and makes the administration simpler. However, device performance limits can be quickly reached when several advanced inspection features are active. Therefore, UTM firewalls are generally used in environments where the traffic load stays relatively low even at peak times. When higher traffic volumes are needed, external content inspection servers and IPS devices are more often used for further inspecting the traffic. For more information on the advanced traffic inspection features, see Inspection Policies (page 115), Virus Scanning (page 169), and Web Filtering (page 159).
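The following is an added illustration, not Stonesoft code, of the stateful inspection and FTP Protocol Agent behaviour described above: a state table admits return packets of a tracked connection, a pure packet filter does not, and an FTP agent on the control channel passes only well-formed commands, reads the dynamic port from PORT so the related data connection is expected, and rewrites the announced address when source NAT applies. All addresses, the rule format and the port-keeping NAT rewrite are assumptions of this toy.

```python
"""Toy stateful inspector with an FTP protocol agent (added example, not
Stonesoft code). Addresses and rules below are constructed for illustration."""
import re
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

FTP_CMD_RE = re.compile(rb"^[A-Za-z]{3,4}( [^\r\n]*)?\r\n$")
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")
Key = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False          # first packet of a new TCP connection
    payload: bytes = b""


@dataclass
class StatefulInspector:
    # Access rules as (source prefix, destination address, destination port).
    allow_rules: list
    nat_src: Optional[str] = None       # hypothetical public address used for source NAT
    state: Set[Key] = field(default_factory=set)     # established connections
    expected: Set[Key] = field(default_factory=set)  # related connections announced by the agent

    def _rule_allows(self, p: Packet) -> bool:
        return any(p.src.startswith(net) and p.dst == dst and p.dport == port
                   for net, dst, port in self.allow_rules)

    def packet_filter(self, p: Packet) -> str:
        """Pure packet filtering: each packet is judged on its headers alone, so the
        server's replies would need a rule of their own (none here, so they drop)."""
        return "allow" if self._rule_allows(p) else "drop"

    def handle(self, p: Packet) -> Tuple[str, bytes]:
        """Stateful inspection: returns (verdict, payload as forwarded)."""
        key: Key = ("tcp", p.src, p.sport, p.dst, p.dport)
        reverse: Key = ("tcp", p.dst, p.dport, p.src, p.sport)
        if key in self.state or reverse in self.state:
            pass                                   # belongs to a tracked connection
        elif p.syn and (self._rule_allows(p) or key in self.expected):
            self.state.add(key)                    # opened by a rule or announced by the agent
            self.expected.discard(key)
        else:
            return "drop", p.payload               # unknown or mid-stream packet: not permitted
        if p.dport == 21 and p.payload:            # client -> server on the FTP control channel
            rewritten = self._ftp_agent(p)
            if rewritten is None:
                return "drop", p.payload
            return "allow", rewritten
        return "allow", p.payload

    def _ftp_agent(self, p: Packet) -> Optional[bytes]:
        """FTP protocol agent: only valid commands pass; PORT registers one expected
        data connection and is rewritten to the NAT address when needed."""
        if not FTP_CMD_RE.match(p.payload):
            return None
        m = PORT_RE.match(p.payload)
        if not m:
            return p.payload
        h1, h2, h3, h4, p1, p2 = map(int, m.groups())
        announced_ip = f"{h1}.{h2}.{h3}.{h4}"
        data_port = p1 * 256 + p2
        # The client may only ask the server to connect back to the client itself.
        if announced_ip != p.src or data_port < 1024:
            return None
        # The server opens the data connection from port 20 to the announced endpoint;
        # under source NAT it can only reach the public address, so that is what is expected.
        reach_ip = self.nat_src or p.src
        self.expected.add(("tcp", p.dst, 20, reach_ip, data_port))
        if self.nat_src is None:
            return p.payload
        a, b, c, d = self.nat_src.split(".")
        return f"PORT {a},{b},{c},{d},{p1},{p2}\r\n".encode()   # port kept; real NAT may remap it


def demo() -> dict:
    """Walk one constructed FTP session through the inspector; returns the verdicts."""
    fw = StatefulInspector(allow_rules=[("10.1.", "203.0.113.10", 21)], nat_src="198.51.100.1")
    client, server = "10.1.1.5", "203.0.113.10"
    out = {}
    out["open"] = fw.handle(Packet(client, 40000, server, 21, syn=True))[0]
    out["reply"] = fw.handle(Packet(server, 21, client, 40000))[0]
    out["reply_pf"] = fw.packet_filter(Packet(server, 21, client, 40000))
    out["midstream"] = fw.handle(Packet(client, 50000, server, 21))[0]
    out["port"] = fw.handle(Packet(client, 40000, server, 21, payload=b"PORT 10,1,1,5,160,0\r\n"))
    out["data"] = fw.handle(Packet(server, 20, "198.51.100.1", 40960, syn=True))[0]
    out["data_other"] = fw.handle(Packet(server, 20, "198.51.100.1", 40961, syn=True))[0]
    out["bounce"] = fw.handle(Packet(client, 40000, server, 21, payload=b"PORT 192,168,9,9,160,0\r\n"))[0]
    out["junk"] = fw.handle(Packet(client, 40000, server, 21, payload=b"\x00\x01junk"))[0]
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:11} {verdict}")
```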

Integration With External Content Inspection

External content inspection servers (CIS) are a preferred choice in high traffic environments, as they offer better hardware optimization. Content inspection services can be run on a dedicated physical or virtual server that can be configured, scaled, and exchanged independently from the firewall. The firewall redirects the traffic to the CIS, which either strips anything deemed malicious from the packet or drops the packet altogether, according to what the security rules in force on the CIS define. Screened traffic continues to the destination.

Illustration 2.3 Content Screening with CIS (figure: Client, Firewall, Server, Content Inspection Server)

For instance, incoming SMTP traffic could be forwarded from the firewall to the CIS for virus and content checking. The CIS removes suspicious content and the scrubbed packets are returned to the firewall for routing to their final destination. For more information on integrating a CIS with Stonesoft Firewalls, see External Content Inspection (page 173).

In addition to sending traffic to external content inspection, Stonesoft Firewalls also integrate with Stonesoft IPS and Stonesoft Layer 2 Firewalls. The Firewalls can accept blacklisting requests from the IPS and Layer 2 Firewalls. They can therefore stop traffic that the IPS engines or the Layer 2 Firewalls have detected to be harmful. For more information on Stonesoft IPS and Layer 2 Firewalls, see the IPS and Layer 2 Firewall Reference Guide.

Load Balancing and Traffic Management

As an access controller with address translation duties, a firewall is also a natural point for affecting the distribution of traffic load. Stonesoft Firewalls utilize Stonesoft's patented Multi-Link technology to flexibly use several standard network links to increase bandwidth and provide automatic failover when links go down. For more information on traffic management, see Outbound Traffic Management (page 223) and Inbound Traffic Management (page 233).

Outbound bandwidth can be additionally managed through QoS measures by setting priorities, limits, and guarantees for different types of traffic. For more information on the QoS features, see Bandwidth Management and Traffic Prioritization (page 243).


More information

Web Request Routing. Technical Brief. What s the best option for your web security deployment?

Web Request Routing. Technical Brief. What s the best option for your web security deployment? Web Request Routing and Redirection What s the best option for your web security deployment? Choosing the right method for redirecting traffic to your secure web gateway is absolutely essential to maximize

More information

Palo Alto Networks Administrator's Guide. Release 3.1

Palo Alto Networks Administrator's Guide. Release 3.1 Palo Alto Networks Administrator's Guide Release 3.1 Palo Alto Networks Administrator s Guide Release 3.1 2/25/10 Third/Final Review Draft - Palo Alto Networks COMPANY CONFIDENTIAL Palo Alto Networks,

More information

Case Study for Layer 3 Authentication and Encryption

Case Study for Layer 3 Authentication and Encryption CHAPTER 2 Case Study for Layer 3 Authentication and Encryption This chapter explains the basic tasks for configuring a multi-service, extranet Virtual Private Network (VPN) between a Cisco Secure VPN Client

More information

Chapter 3 LAN Configuration

Chapter 3 LAN Configuration Chapter 3 LAN Configuration This chapter describes how to configure the advanced LAN features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. This chapter contains the following sections

More information

Stonesoft Guide. 3G Modem Guide

Stonesoft Guide. 3G Modem Guide Stonesoft Guide 3G Modem Guide Copyright 2013 Stonesoft Corporation. All rights reserved. All specifications are subject to change. Revision: Stonesoft_3G Modem_ 20130620 2 Introduction Thank you for choosing

More information

vcloud Air - Virtual Private Cloud OnDemand Networking Guide

vcloud Air - Virtual Private Cloud OnDemand Networking Guide vcloud Air - Virtual Private Cloud OnDemand Networking Guide vcloud Air This document supports the version of each product listed and supports all subsequent versions until the document is replaced by

More information

VMware vcloud Networking and Security Overview

VMware vcloud Networking and Security Overview VMware vcloud Networking and Security Overview Networks and Security for Virtualized Compute Environments WHITE PAPER Overview Organizations worldwide have gained significant efficiency and flexibility

More information

Gigabit SSL VPN Security Router

Gigabit SSL VPN Security Router As Internet becomes essential for business, the crucial solution to prevent your Internet connection from failure is to have more than one connection. PLANET is the ideal to help the SMBs increase the

More information

Release Notes for Version 1.5.207

Release Notes for Version 1.5.207 Release Notes for Version 1.5.207 Created: March 9, 2015 Table of Contents What s New... 3 Fixes... 3 System Requirements... 3 Stonesoft Appliances... 3 Build Version... 4 Product Binary Checksums... 4

More information

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements I n t r o d u c t i o n The Payment Card Industry Data Security Standard (PCI DSS) was developed in 2004 by the PCI Security Standards

More information

Cisco Certified Security Professional (CCSP)

Cisco Certified Security Professional (CCSP) 529 Hahn Ave. Suite 101 Glendale CA 91203-1052 Tel 818.550.0770 Fax 818.550.8293 www.brandcollege.edu Cisco Certified Security Professional (CCSP) Program Summary This instructor- led program with a combination

More information

Clustering. Configuration Guide IPSO 6.2

Clustering. Configuration Guide IPSO 6.2 Clustering Configuration Guide IPSO 6.2 August 13, 2009 Contents Chapter 1 Chapter 2 Chapter 3 Overview of IP Clustering Example Cluster... 9 Cluster Management... 11 Cluster Terminology... 12 Clustering

More information

SIP Trunking Configuration with

SIP Trunking Configuration with SIP Trunking Configuration with Microsoft Office Communication Server 2007 R2 A Dell Technical White Paper End-to-End Solutions Team Dell Product Group - Enterprise THIS WHITE PAPER IS FOR INFORMATIONAL

More information

VPN. VPN For BIPAC 741/743GE

VPN. VPN For BIPAC 741/743GE VPN For BIPAC 741/743GE August, 2003 1 The router supports VPN to establish secure, end-to-end private network connections over a public networking infrastructure. There are two types of VPN connections,

More information

IBM. Vulnerability scanning and best practices

IBM. Vulnerability scanning and best practices IBM Vulnerability scanning and best practices ii Vulnerability scanning and best practices Contents Vulnerability scanning strategy and best practices.............. 1 Scan types............... 2 Scan duration

More information

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet Review questions 1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet C Media access method D Packages 2 To which TCP/IP architecture layer

More information

How to configure DNAT in order to publish internal services via Internet

How to configure DNAT in order to publish internal services via Internet How to configure DNAT in order to publish internal services via Internet How-to guides for configuring VPNs with GateDefender Integra Panda Security wants to ensure you get the most out of GateDefender

More information

How Cisco IT Uses Firewalls to Protect Cisco Internet Access Locations

How Cisco IT Uses Firewalls to Protect Cisco Internet Access Locations How Cisco IT Uses Firewalls to Protect Cisco Internet Access Locations Cisco PIX Security Appliance provides stateful firewall protection at smaller Internet gateways. Cisco IT Case Study / Security and

More information

SonicWALL PCI 1.1 Implementation Guide

SonicWALL PCI 1.1 Implementation Guide Compliance SonicWALL PCI 1.1 Implementation Guide A PCI Implementation Guide for SonicWALL SonicOS Standard In conjunction with ControlCase, LLC (PCI Council Approved Auditor) SonicWall SonicOS Standard

More information

Chapter 4 Security and Firewall Protection

Chapter 4 Security and Firewall Protection Chapter 4 Security and Firewall Protection This chapter describes how to use the Security features of the ProSafe Wireless ADSL Modem VPN Firewall Router to protect your network. These features can be

More information

CounterACT 7.0 Single CounterACT Appliance

CounterACT 7.0 Single CounterACT Appliance CounterACT 7.0 Single CounterACT Appliance Quick Installation Guide Table of Contents Welcome to CounterACT Version 7.0....3 Included in your CounterACT Package....3 Overview...4 1. Create a Deployment

More information

Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh. Name (in block letters) :

Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh. Name (in block letters) : Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh Written Exam in Network Security ANSWERS May 28, 2009. Allowed aid: Writing material. Name (in block letters)

More information