FIREWALL/VPN REFERENCE GUIDE


STONEGATE 5.3 FIREWALL/VPN REFERENCE GUIDE
FIREWALL
VIRTUAL PRIVATE NETWORKS

Legal Information

End-User License Agreement
The use of the products described in these materials is subject to the then current end-user license agreement, which can be found at the Stonesoft website.

Third Party Licenses
The StoneGate software includes several open source or third-party software packages. The appropriate software licensing information for those products is at the Stonesoft website.

U.S. Government Acquisitions
If Licensee is acquiring the Software, including accompanying documentation on behalf of the U.S. Government, the following provisions apply. If the Software is supplied to the Department of Defense ("DoD"), the Software is subject to "Restricted Rights", as that term is defined in the DOD Supplement to the Federal Acquisition Regulations ("DFAR") in paragraph 252.227-7013(c)(1). If the Software is supplied to any unit or agency of the United States Government other than DOD, the Government's rights in the Software will be as defined in paragraph 52.227-19(c)(2) of the Federal Acquisition Regulations ("FAR"). Use, duplication, reproduction or disclosure by the Government is subject to such restrictions or successor provisions.

Product Export Restrictions
The products described in this document are subject to export control under the laws of Finland and the European Council Regulation (EC) N:o 1334/2000 of 22 June 2000 setting up a Community regime for the control of exports of dual-use items and technology (as amended). Thus, the export of this Stonesoft software in any manner is restricted and requires a license by the relevant authorities.

General Terms and Conditions of Support and Maintenance Services
The support and maintenance services for the products described in these materials are provided pursuant to the general terms for support and maintenance services and the related service description, which can be found at the Stonesoft website.

Replacement Service
The instructions for replacement service can be found at the Stonesoft website.

Hardware Warranty
The appliances described in these materials have a limited hardware warranty. The terms of the hardware warranty can be found at the Stonesoft website.

Trademarks and Patents
The products described in these materials are protected by one or more of the following European and US patents: European Patent Nos. (numbers not preserved in this transcription) and US Patent Nos. 6,650,621; 6,885,633; 6,912,200; 6,996,573; 7,099,284; 7,127,739; 7,130,266; 7,130,305; 7,146,421; 7,162,737; 7,234,166; 7,260,843; 7,280,540; 7,302,480; 7,386,525; 7,406,534; 7,461,401; 7,721,084; and 7,739,727 and may be protected by other EU, US, or other patents, or pending applications. Stonesoft, the Stonesoft logo and StoneGate are all trademarks or registered trademarks of Stonesoft Corporation. All other trademarks or registered trademarks are property of their respective owners.

Disclaimer
Although every precaution has been taken to prepare these materials, THESE MATERIALS ARE PROVIDED "AS-IS" and Stonesoft makes no warranty to the correctness of information and assumes no responsibility for errors, omissions, or resulting damages from the use of the information contained herein. All IP addresses in these materials were chosen at random and are used for illustrative purposes only.

Copyright 2011 Stonesoft Corporation. All rights reserved. All specifications are subject to change. Revision: SGFRG_

TABLE OF CONTENTS

INTRODUCTION
CHAPTER 1 Using StoneGate Documentation: How to Use This Guide; Documentation Available; Product Documentation; Support Documentation; System Requirements; Supported Features; Contact Information; Licensing Issues; Technical Support; Your Comments; Other Queries
CHAPTER 2 Introduction to Firewalls: The Role of the Firewall; Firewall Technologies; Packet Filtering; Proxy Firewalls; Stateful Inspection; StoneGate Multi-Layer Inspection; Additional Firewall Features; Authentication; Deep Packet Inspection and Unified Threat Management; Integration With External Content Inspection (page 21); Load Balancing and Traffic Management; Logging and Reporting; Network Address Translation (NAT); VPNs; Firewall Weaknesses; Complexity of Administration; Single Point of Failure; Worms, Viruses, and Targeted Attacks
CHAPTER 3 Introduction to StoneGate Firewall/VPN: The StoneGate Security Platform; StoneGate Firewall/VPN System Components (page 27); Firewall/VPN Engines; Main Benefits of StoneGate Firewall/VPN; Advanced Traffic Inspection; Built-in Clustering for Load Balancing and High Availability; Multi-Link Technology; Built-in Inbound Traffic Management; QoS and Bandwidth Management; Integration with StoneGate IPS; Clustered Multi-Link VPNs
CHAPTER 4 StoneGate Firewall/VPN Deployment: Deployment Overview; Supported Platforms; General Deployment Guidelines; Positioning Firewalls; External to Internal Network Boundary; Internal Network Boundaries; DMZ Network Boundaries

INTERFACES AND ROUTING
CHAPTER 5 Single Firewall Configuration: Overview to Single Firewall Configuration; Configuration of Single Firewalls; Dynamic Firewall Interface Addresses; Internal DHCP Server; Configuration Workflow; Task 1: Create Single Firewall Elements; Task 2: Define Physical Interfaces; Task 3: Define VLAN Interfaces; Task 4: Define an ADSL Interface; Task 5: Define a Wireless Interface; Task 5: Define IP Addresses; Task 6: Define Modem Interfaces; Task 7: Install the Firewall Engine; Task 8: Install a Firewall Policy; Example of a Single Firewall Deployment; Setting up a Single Firewall; Adding a New Interface to an Existing Configuration
CHAPTER 6 Firewall Cluster Configuration: Overview to Firewall Cluster Configuration; Benefits of Clustering; Communication Between the Nodes; Hardware Configuration of Firewall Clusters; Load Balancing; Standby Operation; Network Interfaces and IP Addresses; Clustering Modes; How Packet Dispatch Works; Configuration Workflow; Task 1: Create a Firewall Cluster Element; Task 2: Create Physical Interfaces; Task 3: Define VLAN Interfaces; Task 4: Configure Physical or VLAN Interfaces; Task 5: Install the Firewall Engines; Task 6: Install a Firewall Policy; Using a Firewall Cluster; Internal DHCP Server; Node State Synchronization; Security Level for State Synchronization; Manual Load Balancing; Examples of Firewall Cluster Deployment; Setting up a Firewall Cluster; Adding a Node to a Firewall Cluster
CHAPTER 7 Routing and Antispoofing: Overview to Routing and Antispoofing; Configuration of Routing and Antispoofing; Reading the Routing and Antispoofing Trees (page 62); Multi-Link Routing for Single and Clustered Firewalls; Default Elements; Configuration Workflow; Task 1: Add Router or NetLink; Task 2: Add Network(s); Task 3: Refresh Firewall Policy; Using Routing and Antispoofing; Policy Routing; Multicast Routing; Modifying Antispoofing; Examples of Routing; Routing Traffic with Two Interfaces; Routing Internet Traffic with Multi-Link; Routing Traffic to Networks That Use Same Address Space

ACCESS CONTROL POLICIES
CHAPTER 8 Firewall Policies: Overview to Firewall Policies; Policy Hierarchy; How StoneGate Examines the Packets; Configuration of Policy Elements; Default Elements; Configuration Workflow; Task 1: Create a Firewall Template Policy; Task 2: Create a Firewall Policy; Task 3: Create a Firewall Sub-Policy; Task 4: Install the Policy; Using Policy Elements and Rules; Validating Policies; Connection Tracking vs. Connectionless Packet Inspection; Policy Snapshots; Continue Rules; Adding Comments to Rules; Examples of Policy Element Use; Protecting Essential Communications; Improving Readability and Performance; Restricting Administrator Editing Rights
CHAPTER 9 Access Rules: Overview to Access Rules; Configuration of Access Rules; Considerations for Designing Access Rules (page 89); Default Elements; Configuration Workflow; Task 1: Define the Source and Destination; Task 2: Define the Service; Task 3: Select the Action and Action Options; Task 4: Select Logging Options; Task 5: Add User Authentication Requirements; Task 6: Restrict the Time When the Rule Is Enforced; Task 7: Restrict the Rule Match Based on Source VPN; Using Access Rules; Allowing System Communications; Configuring Default Settings for Several Rules (page 95); Using Continue Rules to Set Logging Options; Using Continue Rules to Set the Protocol; Using Aliases in Access Rules; Creating User-Specific Access Rules; Using Domain Names in Access Rules; Interface Matching in Access Rules; Examples of Access Rules; Example of Rule Order; Example of Continue Rules; Example of User-Specific Rules
CHAPTER 10 Inspection Rules: Overview to Inspection Rules; Configuration of Inspection Rules; Considerations for Designing Inspection Rules (page 106); Exception Rule Cells; Default Elements; Configuration Workflow; Task 1: Activate Deep Inspection in Access Rules; Task 2: Activate the Relevant Inspection Checks; Task 3: Define the Exceptions; Task 4: Eliminate False Positives; Task 5: Add Custom Inspection Checks; Using Inspection Rules; Setting Default Options for Several Inspection Rules; Example of Inspection Rules; Eliminating a False Positive
CHAPTER 11 Network Address Translation (NAT) Rules: Overview to NAT; Static Source Translation; Dynamic Source Translation; Static Destination Translation; Destination Port Translation; Configuration of NAT; Considerations for Designing NAT Rules; Default Elements; Configuration Workflow; Task 1: Define Source, Destination, and Service; Task 2: Define Address Translation; Task 3: Define the Firewall(s) that Apply the Rule; Task 4: Check Other Configurations; Using NAT and NAT Rules; NAT and System Communications; Example of a Situation Where a Contact Address is Needed; Contact Addresses and Locations; Outbound Load Balancing NAT; Proxy ARP and NAT; Protocols and NAT; Examples of NAT; Dynamic Source Address Translation; Static Address Translation; NAT with Hosts in the Same Network
CHAPTER 12 Protocol Agents: Overview to Protocol Agents; Connection Handling; Protocol Validation; NAT in Application Data; Configuration of Protocol Agents; Configuration Workflow; Task 1: Create a Custom Service with a Protocol Agent; Task 2: Set Parameters for the Protocol Agent; Task 3: Insert the Service in Access Rules; Using Protocol Agents; FTP Agent; H.323 Agent; HTTP Agent; HTTPS Agent; ICMP Agent; MSRPC Agent; NetBIOS Agent; Oracle Agent; Remote Shell (RSH) Agent; Services in Firewall Agent; SIP Agent; SMTP Agent; SSH Agent; SunRPC Agent; TCP Proxy Agent; TFTP Agent; Examples of Protocol Agent Use; Preventing Active Mode FTP; Logging URLs Accessed by Internal Users
CHAPTER 13 TLS Inspection: Overview to TLS Inspection; Configuration of TLS Inspection; Default Elements; Configuration Workflow; Task 1: Create Server Protection Credentials Elements; Task 2: Create Client Protection Certificate Authority Elements; Task 3: Specify TLS Inspection Options in the Firewall Properties; Task 4: Exclude Traffic From Decryption and Inspection; Task 5: Create a Custom Service; Task 6: Create an IPv4 Access Rule; Using TLS Inspection; Security Considerations; Virus Scanning of Decrypted TLS Traffic; Examples of TLS Inspection; Server Protection; Client Protection
CHAPTER 14 Web Filtering: Overview to Web Filtering; Configuration of Web Filtering; Default Elements; Configuration Workflow; Task 1: Prepare the Firewall; Task 2: Create User Response Messages; Task 3: Blacklist/Whitelist Individual URLs; Task 4: Configure Web Filtering Rules in the Policy; Examples of Web Filtering; Allowing a Blocked URL
CHAPTER 15 Spam Filtering: Overview to Spam Filtering; Configuring Spam Filtering; Configuration Workflow; Task 1: Define Spam Filtering for a Firewall; Task 2: Select Traffic for Inspection with Access Rules; Task 3: Select Traffic Not to Be Filtered; Using Spam Filtering; Anti-Spoofing and Anti-Relay Protection; Handling Address Forgery; Spam Filter Sensitivity Settings; Spam Filtering Rules; DNS-Based Blackhole Lists
CHAPTER 16 Virus Scanning: Overview to Virus Scanning; Configuration of Virus Scanning; Configuration Workflow; Task 1: Activate the Anti-Virus Feature for a Firewall; Task 2: Select Traffic for Inspection with Access Rules; Task 3: Define the Content Not to Be Scanned; Using Virus Scanning; Integrated Scanning vs. Content Inspection Server; Limitations of Virus Scanning on Clusters
CHAPTER 17 External Content Inspection: Overview to Content Inspection; Configuration of Content Inspection; Default Elements; Configuration Workflow; Task 1: Create a CIS Server Element; Task 2: Create a Custom Service for Content Inspection Server Redirection; Task 3: Define Access Rules for Redirection; Task 4: Configure NAT Rules for Content Inspection Server Redirection; Using Content Inspection; Example of Content Inspection; Inspecting Internal User's Web Browsing and File Transfers
CHAPTER 18 Situations: Overview to Situations; Configuration of Situations; Situation Contexts; Anti-Virus Contexts; Protocol-Specific Contexts; System Contexts; Default Elements; Configuration Workflow; Task 1: Create a Situation Element; Task 2: Add a Context for the Situation; Task 3: Associate Tags and/or Situation Types with the Situation; Task 4: Associate the Situation with a Vulnerability; Using Situations; Example of Custom Situations; Detecting the Use of Forbidden Software
CHAPTER 19 Applications: Overview to Applications; Configuration of Applications; Default Elements; Configuration Workflow; Task 1: Define TLS Matches; Task 2: Create Access Rules; Examples of Applications; Blocking Application Use; Logging Application Use
CHAPTER 20 Blacklisting: Overview to Blacklisting; Risks of Blacklisting; Whitelisting; Configuration of Blacklisting; Configuration Workflow; Task 1: Define Blacklisting in Access Rules; Task 2: Define Analyzer-to-Firewall or Analyzer-to-Sensor Connections; Task 3: Define Inspection Rules in the IPS Policy; Using Blacklisting; Automatic Blacklisting; Monitoring Blacklisting; Examples of Blacklisting; Blacklisting Traffic from a Specific IP Address Manually; Automatic Blacklisting with IPS

USERS AND AUTHENTICATION
CHAPTER 21 Directory Servers: Overview to Directory Servers; Configuration of Directory Servers; Internal User Database; Authentication Server User Linking; External Directory Server Integration; User Agents for Active Directory; Configuration Workflow; Task 1: Create an LDAP Server or an Active Directory Server Element; Task 2: Add an LDAP Domain; Task 3: Add Users and User Groups or Link Users; Task 4: Install and Configure the User Agent; Examples of Directory Servers; Using the Internal User Database; Using StoneGate with a Microsoft Active Directory Server
CHAPTER 22 User Authentication on the Firewall: Overview to User Authentication on the Firewall (page 188); Configuration of User Authentication on the Firewall; Default Elements; Configuration Workflow; Task 1: Define User Authentication in IPv4 Access Rules; Task 2: Configure User Authentication Interfaces; Example of User Authentication on the Firewall (page 191); Authenticating VPN Client Users
CHAPTER 23 External User Authentication: Overview to External User Authentication; Configuration of External User Authentication; Directory Servers for External User Authentication; RADIUS Authentication; TACACS+ Authentication; Authentication Methods; Federated Authentication; Default Elements; Configuration Workflow; Task 1: Define Servers; Task 2: Associate Authentication Methods with Servers; Task 3: Define User Authentication in IPv4 Access Rules; Task 4: Configure User Authentication Interfaces; Examples of External User Authentication; Using StoneGate with a Microsoft Active Directory Server; Using SecurID Authentication with StoneGate VPN Clients

TRAFFIC MANAGEMENT
CHAPTER 24 Outbound Traffic Management: Overview to Outbound Traffic Management; Configuration of Multi-Link; Load Balancing Methods; Standby NetLinks for High Availability; Link Status Probing; Configuration Workflow; Task 1: Create NetLink Elements; Task 2: Configure Routing for NetLinks; Task 3: Combine NetLinks into Outbound Multi-Link Elements; Task 4: Create NAT Rules for Outbound Traffic; Using Multi-Link; Multi-Link with a Single Firewall; Multi-Link with a Firewall Cluster; Using Multiple Outbound Multi-Link Elements (page 211); Examples of Multi-Link; Preparing for ISP Breakdown; Excluding a NetLink from Handling a QoS Class of Traffic; Balancing Traffic According to Link Capacity; Balancing Traffic between Internet Connections (page 212)
CHAPTER 25 Inbound Traffic Management: Overview to Server Pool Configuration; Configuration of Server Pools; Multi-Link for Server Pools; Default Elements; Configuration Workflow; Task 1: Define Hosts; Task 2: Combine Hosts into a Server Pool Element; Task 3: Configure the External DNS Server; Task 4: Create an Inbound Load Balancing Rule; Task 5: Set up Server Pool Monitoring Agents; Using Server Pools; Dynamic DNS (DDNS) Updates; Using Server Pool Monitoring Agents; Examples of Server Pools; Load Balancing for Web Servers; Setting up Multi-Link and Dynamic DNS Updates
CHAPTER 26 Bandwidth Management And Traffic Prioritization: Overview to Bandwidth Management and Traffic Prioritization; Bandwidth Management; Traffic Prioritization; Effects of Bandwidth Management and Prioritization; Configuration of Limits, Guarantees, and Priorities for Traffic; Default Elements; Configuration Workflow; Task 1: Define QoS Classes; Task 2: Define QoS Policies; Task 3: Assign QoS Classes to Traffic; Task 4: Define QoS for Physical or VLAN Interfaces; Using Bandwidth Management and Traffic Prioritization; Implementation Options; Designing QoS Policies; Communicating Priorities with DSCP Codes; Managing Bandwidth of Incoming Traffic; Examples of Bandwidth Management and Traffic Prioritization; Ensuring Quality of Important Communications (page 230); Preparing for ISP Breakdown; Limiting the Total Bandwidth Required

VIRTUAL PRIVATE NETWORKS
CHAPTER 27 Overview to VPNs: Introduction to VPNs; IPsec VPNs; Tunnels; Security Associations (SA); Internet Key Exchange (IKE); Perfect Forward Secrecy (PFS); AH and ESP; Authentication; Tunnel and Transport Modes; VPN Topologies
CHAPTER 28 VPN Configuration: Overview to VPN Configuration; Configuration of VPNs; Default Elements; Configuration Workflow; Task 1: Define the Gateway Settings; Task 2: Define the Gateway Profile; Task 3: Define the Gateways; Task 4: Define the Sites; Task 5: Create Certificates; Task 6: Define the VPN Profile; Task 7: Define the VPN Element; Task 8: Modify the Firewall Policy; Task 9: Configure VPN Clients and External Gateway Devices; Using VPNs; VPN Logging; Using a Dynamic IP Address for a VPN End-Point; Using a NAT Address for a VPN End-Point; Supported Authentication and Encryption Methods; FIPS Mode; GOST-Compliant Systems; Message Digest Algorithms; Authentication Methods; Encryption Algorithms; Using Pre-Shared Key Authentication; Using Certificate Authentication; Validity of Certificates; Internal VPN Certificate Authority; External Certificate Authorities; Configuring VPNs with External Gateway Devices; Clustering and VPNs; Multi-Link VPN; Examples of VPN Configurations; Creating a VPN Between Three Offices; Creating a VPN for Mobile Users; Creating a VPN That Requires NAT

APPENDICES
APPENDIX A Command Line Tools: Management Center Commands; Engine Commands; Server Pool Monitoring Agent Commands
APPENDIX B Default Communication Ports: Management Center Ports; Firewall/VPN Engine Ports
APPENDIX C Predefined Aliases: Pre-Defined User Aliases; System Aliases
APPENDIX D Regular Expression Syntax: Syntax for StoneGate Regular Expressions; Special Character Sequences; Pattern-Matching Modifiers; Bit Variable Extensions; Variable Expression Evaluation; Stream Operations; Other Expressions; System Variables; Independent Subexpressions; Parallel Matching Groups
APPENDIX E Schema Updates for External LDAP Servers
APPENDIX F SNMP Traps and MIBs
APPENDIX G Multicasting: The General Features of Multicasting; Multicasting vs. Unicasting; Multicasting vs. Broadcasting; IP Multicasting Overview; Multicasting Applications; Internet Group Management Protocol; Membership Messages; Ethernet Multicasting; Multicasting and StoneGate; Unicast MAC; Multicast MAC; Multicast MAC with IGMP
Glossary
Index

INTRODUCTION

In this section:
Using StoneGate Documentation - 13
Introduction to Firewalls - 17
Introduction to StoneGate Firewall/VPN - 25
StoneGate Firewall/VPN Deployment


CHAPTER 1 USING STONEGATE DOCUMENTATION

Welcome to the StoneGate High Availability Firewall/VPN solution by Stonesoft Corporation. This chapter describes how to use this Guide and related documentation. It also provides directions for obtaining technical support and giving feedback about the documentation.

The following sections are included:
How to Use This Guide (page 14)
Documentation Available (page 15)
Contact Information (page 16)

How to Use This Guide

This Reference Guide provides information that helps administrators of StoneGate firewalls understand the system and its features. It provides high-level descriptions and examples of the configuration workflows.

This guide is divided into several sections. The chapters in the first section provide a general introduction to StoneGate firewalls. The sections that follow each include chapters related to one feature area. The last section provides detailed reference information in tabular form, and some guideline information.

For other available documentation, see Documentation Available (page 15).

Typographical Conventions

The following conventions are used throughout the documentation:

Table 1.1 Typographical Conventions
Formatting / Informative Uses
User Interface text: Text you see in the User Interface (buttons, menus, etc.) and any other interaction with the user interface are in bold-face.
References, terms: Cross-references and first use of acronyms and terms are in italics.
Command line: File names, directories, and text displayed on the screen are monospaced.
User input: User input on screen is in monospaced bold-face.
Command parameters: Command parameter names are in monospaced italics.

We use the following ways to indicate important or additional information:
Note: Notes prevent commonly-made mistakes by pointing out important points.
Caution: Cautions prevent breaches of security, information loss, or system downtime. Cautions always contain critical information that you must observe.
Tip: Tips provide additional helpful information, such as alternative ways to complete steps.
Example: Examples present a concrete scenario that clarifies the points made in the adjacent text.

Documentation Available

StoneGate technical documentation is divided into two main categories: Product Documentation and Support Documentation. Each StoneGate product has a separate set of manuals.

Product Documentation

The table below lists the available product documentation.

Table 1.2 Product Documentation
Guide / Description
Reference Guide: Explains the operation and features of StoneGate comprehensively. Demonstrates the general workflow and provides example scenarios for each feature area. Available for StoneGate Management Center, Firewall/VPN, and StoneGate IPS.
Installation Guide: Instructions for planning, installing, and upgrading a StoneGate system. Available for StoneGate Management Center, Firewall/VPN, and IPS.
Online Help: Describes how to configure and manage the system step-by-step. Accessible through the Help menu and by using the Help button or the F1 key in any window or dialog. Available in the StoneGate Management Client and the StoneGate Web Portal. An HTML-based system is available in the StoneGate SSL VPN Administrator through help links and icons.
Administrator's Guide: Describes how to configure and manage the system step-by-step. Available as a combined guide for both StoneGate Firewall/VPN and StoneGate IPS, and as separate guides for StoneGate SSL VPN and StoneGate IPsec VPN Client.
User's Guide: Instructions for end-users. Available for the StoneGate IPsec VPN Client and the StoneGate Web Portal.
Appliance Installation Guide: Instructions for physically installing and maintaining StoneGate appliances (rack mounting, cabling, etc.). Available for all StoneGate hardware appliances.

PDF guides are available at the Stonesoft website. The StoneGate Administrator's Guide, and the Reference Guides and Installation Guides for StoneGate Management Center, Firewall/VPN, and StoneGate IPS are also available as PDFs on the Management Center CD-ROM.

Support Documentation

The StoneGate support documentation provides additional and late-breaking technical information. These technical documents support the StoneGate Guide books, for example, by giving further examples on specific configuration scenarios. The latest StoneGate technical documentation is available on the Stonesoft website.

System Requirements

The certified platforms for running StoneGate engine software can be found on the product pages of the Stonesoft website. The hardware and software requirements for the version of StoneGate you are running can also be found in the Release Notes, available at the Stonesoft Support Documentation pages.

Supported Features

Not all StoneGate features are supported on all platforms. See the Appliance Software Support Table at the Stonesoft Support Documentation pages for more information.

Contact Information

For street addresses, phone numbers, and general information about StoneGate and Stonesoft Corporation, visit our website.

Licensing Issues
You can view your current licenses at the License Center section of the Stonesoft website. For license-related queries, contact Stonesoft.

Technical Support
Stonesoft offers global technical support services for Stonesoft's product families. For more information on technical support, visit the Support section at the Stonesoft website.

Your Comments
We want to make our products fulfill your needs as well as possible. We are always pleased to receive any suggestions you may have for improvements. To comment on software and hardware products: feedback@stonesoft.com. To comment on the documentation: documentation@stonesoft.com.

Other Queries
For queries regarding other matters: info@stonesoft.com.

CHAPTER 2 INTRODUCTION TO FIREWALLS

This chapter introduces and discusses the underlying security principles of firewalls in general. In this chapter we will discuss what firewalls are, which different types of firewalls there are, how they are used, what they are capable of, as well as what their possible weaknesses are.

The following sections are included:
The Role of the Firewall (page 18)
Firewall Technologies (page 18)
Additional Firewall Features (page 21)
Firewall Weaknesses (page 23)

The Role of the Firewall

Firewalls are the primary tool for perimeter access control between networks with different security levels. Firewalls control the traffic between networks and deny access that does not look like acceptable business use as defined by the administrators. The generally accepted principle of access control is "whatever is not expressly permitted is denied". The most secure network is achieved when nobody and nothing is permitted entry to the protected network. In most cases, such a network is naturally too limited, so a firewall must be introduced to allow specific limited services to pass in a safe way. That means that in order for any traffic to be allowed into the network, it must first match an explicit allow rule.

There are three main types of platforms for running a firewall:
- Dedicated firewall appliances.
- Firewall software installed on a server dedicated to be used as a firewall.
- Firewall software running as a virtual machine in a virtualized server environment.

The StoneGate Firewall/VPN is available on all of these platform types.

Regardless of the type of platform, the network structure in which the firewalls are placed must be carefully designed so that there are no loopholes or back doors. Firewalls can only control traffic that actually passes through them; even the most carefully planned firewall system can be undermined by a single back door that allows traffic to circumvent the firewall.

In addition to access control, modern firewall devices often include a variety of additional integrated features, such as intrusion prevention systems (IPS), content filtering, anti-virus, and anti-spam. In this chapter, the additional features are discussed separately, and the main discussion concentrates on the primary role of access control. Such additional features in StoneGate firewalls are covered in more detail in section Additional Firewall Features (page 21) and in other chapters of this book.
Firewall Technologies

This section presents an overview of the main firewall techniques, and explains how StoneGate uses them. The discussion here is limited to the traditional firewall component of a firewall system; the various additional inspection features that modern firewalls often incorporate are discussed separately.

Traditional firewall features are commonly achieved through three main techniques:
- packet filtering
- proxy firewalls
- stateful inspection.

The next sections first discuss these techniques separately and then explain how they can be utilized together to achieve an optimal balance between performance and security.

Packet Filtering

Packet filtering examines the header information of packets and allows or stops each packet individually. In addition to firewalls, such simple access control lists (ACLs) are implemented on most common routing devices. Pure packet filters cannot protect against protocol misuse or other malicious contents in higher levels of the protocol stack. However, for some simple network protocols, packet filtering can be light on firewall resources and even provide an adequate level of protection.

Proxy Firewalls

Proxy firewalls are firewalls running application proxy services. Proxies are a man-in-the-middle, and they establish their own separate connections to both the client and the server. This type of firewall is fully application-aware, and therefore very secure, but at the same time there's a trade-off in performance due to the inevitable increase in overhead.

Illustration 2.1 Proxy Firewall Model

Stateful Inspection

Stateful inspection firewalls are aware of basic networking standards and use historical data about connections in determining whether to allow or stop a packet. They track the established connections and their states in dynamic state tables and ensure that the connections comply with the security policies and protocol standards. Since stateful inspection understands the context of connections (and therefore can relate the returning packets to appropriate connections), connections already determined to be secure can be allowed without full examination based on previous packets. This is especially important with services such as FTP, which can open several related connections that do not match a single basic profile. Even though stateful inspection has some application awareness, it concentrates on protocols, not on inspecting data at the application layer.

StoneGate Multi-Layer Inspection

StoneGate Multi-Layer Inspection combines application layer inspection, stateful inspection, and packet filtering technologies flexibly for optimal security and system performance. Like stateful inspection, StoneGate uses state tables to track connections and judge whether a packet is a part of an established connection or not. The StoneGate firewall also features application-layer inspection through specific Protocol Agents, when necessary, for enhanced security to inspect data all the way up to the application layer. The StoneGate firewall can also act as a packet filter for types of connections that do not require the security considerations of stateful inspection.

Illustration 2.2 Multi-layer Inspection Model

By default, all StoneGate firewall Access rules implement stateful inspection, but the administrator can flexibly configure rules with simple packet filtering or an additional layer of application level security as needed. StoneGate firewalls apply application level inspection with or without proxying the connections, depending on what is required. Application level inspection can be selected for certain types of traffic by attaching a connection to a protocol-specific Protocol Agent. Protocol Agents are also used to handle protocols that generate complex connection patterns, to redirect traffic to content inspection servers, and to modify data payload if necessary. For example, the FTP Protocol Agent can inspect the control connection and only allow packets containing valid FTP commands. If an FTP data connection is opened using a dynamically assigned port, the Protocol Agent reads the port and allows the traffic. If NAT (network address translation) is applied to the connection, the Protocol Agent can also modify the IP address and port transported in the packet payload to allow the connection to continue despite the NAT. The Protocol Agents are covered in more detail in Protocol Agents (page 127).
20 Chapter 2 Introduction to Firewalls
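The following is an added example that is not StoneGate code and not part of the original guide. It illustrates both the stateful inspection described in the previous section and the FTP Protocol Agent behaviour described above: packets are plain dictionaries, a state table keyed by the connection 5-tuple lets packets of established connections through without a rule-base lookup, and a small FTP agent on the control connection allows only valid FTP commands, reads the port from the client's PORT command to open a pinhole for the related data connection, and rewrites the private address in the payload when static NAT applies. The addresses, ports, rule base and NAT mapping are constructed for the example.

```python
"""Added example, not StoneGate code: a toy stateful inspection engine with an
FTP-style Protocol Agent on top of a packet-filter rule base.  Packets are plain
dicts.  Addresses, ports and the rule base are constructed for the example."""
import re
from typing import Dict, List, Tuple

FiveTuple = Tuple[str, str, int, int, str]  # (src, dst, sport, dport, proto)

# Constructed packet-filter rule base: (dst, dport, proto) -> action.
ACCESS_RULES = {("203.0.113.10", 21, "tcp"): "allow"}  # FTP control to the server
# Constructed static NAT: private client address -> public address the server sees.
STATIC_NAT = {"10.0.0.5": "198.51.100.7"}
# Commands the agent accepts on the control channel (subset of RFC 959, for the example).
FTP_COMMANDS = {"USER", "PASS", "PORT", "PASV", "LIST", "RETR", "STOR", "TYPE", "PWD", "QUIT"}
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")


def ftp_agent(pkt: dict, related: Dict[FiveTuple, str]) -> Tuple[str, str]:
    """Inspect a client->server control packet: return (action, payload to forward)."""
    payload = pkt.get("payload", "")
    if not payload:
        return "allow", payload  # handshake/ack segments carry no command
    verb = payload.split(" ", 1)[0].strip().upper()
    if verb not in FTP_COMMANDS:
        return "drop", payload  # only valid FTP commands pass on the control channel
    m = PORT_RE.match(payload)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        client_ip, data_port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
        public_ip = STATIC_NAT.get(client_ip, client_ip)
        # Related connection: the server will connect from port 20 to the advertised
        # port, so open a pinhole for exactly that 5-tuple as the firewall will see it.
        related[(pkt["dst"], public_ip, 20, data_port, "tcp")] = client_ip
        if public_ip != client_ip:
            # NAT applies: rewrite the private address carried in the payload.
            payload = f"PORT {public_ip.replace('.', ',')},{p1},{p2}\r\n"
    return "allow", payload


class StatefulFirewall:
    def __init__(self) -> None:
        self.state_table: Dict[FiveTuple, str] = {}  # established connections
        self.related: Dict[FiveTuple, str] = {}      # pinholes opened by agents
        self.log: List[Tuple[str, FiveTuple]] = []

    @staticmethod
    def key(pkt: dict) -> FiveTuple:
        return (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], pkt["proto"])

    @staticmethod
    def reverse(k: FiveTuple) -> FiveTuple:
        return (k[1], k[0], k[3], k[2], k[4])

    def process(self, pkt: dict) -> str:
        k = self.key(pkt)
        if k in self.state_table or self.reverse(k) in self.state_table:
            action = "allow"       # known connection: no rule-base lookup needed
        elif k in self.related:
            action = "allow"       # expected related connection (e.g. FTP data)
            self.state_table[k] = "established"
            del self.related[k]
        elif ACCESS_RULES.get((pkt["dst"], pkt["dport"], pkt["proto"])) == "allow":
            action = "allow"       # new connection matched by the rule base
            self.state_table[k] = "established"
        else:
            action = "drop"        # unknown, unrelated and unmatched: stop it
        if action == "allow" and pkt["dport"] == 21 and pkt["proto"] == "tcp":
            action, pkt["payload"] = ftp_agent(pkt, self.related)  # application layer
        self.log.append((action, k))
        return action


def demo() -> Tuple[List[str], str]:
    """Walk one FTP session through the firewall; returns (actions, forwarded PORT line)."""
    fw, client, server = StatefulFirewall(), "10.0.0.5", "203.0.113.10"

    def ctl(payload: str, src=client, dst=server, sport=40001, dport=21) -> dict:
        return {"src": src, "dst": dst, "sport": sport, "dport": dport,
                "proto": "tcp", "payload": payload}

    port_cmd = ctl("PORT 10,0,0,5,195,80\r\n")  # client data port 195*256+80 = 50000
    actions = [
        fw.process(ctl("")),                                         # SYN: rule base allows, state created
        fw.process(ctl("220 ready\r\n", server, client, 21, 40001)),  # reply: allowed on state alone
        fw.process(ctl("USER alice\r\n")),                           # valid command
        fw.process(ctl("GET / HTTP/1.0\r\n")),                       # not FTP: agent drops it
        fw.process(port_cmd),                                        # pinhole opened, payload rewritten
        fw.process(ctl("", server, "198.51.100.7", 20, 50000)),      # server's data connection: related
        fw.process(ctl("", server, "198.51.100.7", 20, 50001)),      # unrelated inbound: dropped
    ]
    return actions, port_cmd["payload"]


if __name__ == "__main__":
    print(demo())
```

Note how the last two packets differ only in destination port: the data connection the agent expected passes on the pinhole, while any other new inbound connection falls through to the rule base and is dropped. A real engine would also age out state entries and pinholes; that is omitted here.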

Additional Firewall Features

A firewall can have several different functions on a network. Although a firewall's main function is to control network access, it can be used in several complementary roles depending on the firewall product used. This discussion concentrates on the main features available in StoneGate products.

Authentication

The primary task of any firewall is to control access to data resources, so that only authorized connections are allowed. Adding an authentication requirement to firewall policies allows the firewall to also consider the user before access is granted. For more information on authentication in StoneGate, see User Authentication on the Firewall (page 187) and External User Authentication (page 193).

Deep Packet Inspection and Unified Threat Management

Deep packet inspection includes measures such as virus detection, Web content filtering, intrusion detection, or some other check of the actual data being transferred. When several such features are combined together with a firewall, the solution is often called unified threat management (UTM). StoneGate offers a UTM solution that includes:
- Virus checking.
- URL filtering.
- Intrusion detection.

By combining several features, a UTM solution simplifies the physical network setup and makes administration simpler. However, device performance limits can be reached quickly when several advanced inspection features are active. Therefore, UTM firewalls are generally used in environments where the traffic load stays relatively low even at peak times. When higher traffic volumes are needed, external content inspection servers and IPS devices are more often used for further inspecting the traffic. For more information on the advanced traffic inspection features in StoneGate, see Inspection Rules (page 103), Virus Scanning (page 151), and Web Filtering (page 143).
Integration With External Content Inspection

External content inspection servers (CIS) are a preferred choice in high traffic environments, as they offer better hardware optimization. Content inspection services can be run on a dedicated physical or virtual server that can be configured, scaled, and exchanged independently from the firewall. The firewall redirects the traffic to the CIS, which either strips anything deemed malicious from the packet or drops the packet altogether, according to what the security rules in force on the CIS define. Screened traffic continues to the destination.

Additional Firewall Features 21

Illustration 2.3 Content Screening with CIS (Client, Firewall, Content Inspection Server, Server)

For instance, incoming SMTP traffic could be forwarded from the firewall to the CIS for virus and content checking. The CIS removes suspicious content and the scrubbed packets are returned to the firewall for routing to their final destination. For more information on integrating a CIS with StoneGate, see External Content Inspection (page 155).

In addition to sending traffic to external content inspection, StoneGate Firewalls also integrate with StoneGate IPS. The firewalls accept blacklisting requests from the IPS and can therefore stop traffic that the IPS has detected to be harmful. For more information on integration with external StoneGate IPS components, see Blacklisting (page 173).

Load Balancing and Traffic Management

As an access controller with address translation duties, a firewall is also a natural point for affecting the distribution of traffic load. StoneGate firewalls use Stonesoft's patented Multi-Link technology to flexibly use several standard network links to increase bandwidth and provide automatic failover when links go down. For more information on traffic management in StoneGate, see Outbound Traffic Management (page 205) and Inbound Traffic Management (page 213).

Outbound bandwidth can additionally be managed through QoS measures by setting priorities, limits, and guarantees for different types of traffic. For more information on the QoS features in StoneGate, see Bandwidth Management And Traffic Prioritization (page 221).

Logging and Reporting

As a perimeter security device, a firewall is a primary tool for logging the traffic that crosses or attempts to cross the network perimeter. Properly recorded log data can be used to monitor the capacity of networks, detect network misuse and intruders, and even to establish evidence to use against attackers.
Since a firewall operating in any corporate-type setting will quickly generate huge masses of log data, it is essential to have efficient tools to access and manage the logs in the form of filtered views, statistics, and reports. Consolidating logs from several sources is also vital in supporting the administrators in fully understanding the numerous network events. For more information on logging in StoneGate, see the Management Center Reference Guide.

Network Address Translation (NAT)

Network address translation (NAT) modifies the IP headers of packets, changing IP address and port information for the source and/or destination. Originally created to alleviate the problem of the rapidly diminishing IP address space, NAT has an added benefit: it can be used to conceal the private IP addresses of hosts and the structure of an internal network. In fact, NAT even enables hiding an entire network behind a single public IP address. As handy as NAT is, it is important to understand that NAT is not primarily a security feature. It is simply a method of modifying packets that lends itself to security applications. For more information on NAT in StoneGate, see Network Address Translation (NAT) Rules (page 113).

VPNs

VPNs (virtual private networks) conceal and encrypt traffic between end-points to establish a virtual, secure tunnel through an insecure network. In IPsec VPNs, a firewall transparently encrypts and decrypts data exchanges at the network layer with some other IPsec VPN end-point on behalf of any number of computers. IPsec VPNs can also provide remote access to internal resources for individual client computers that have a VPN client application installed. IPsec VPNs are a good fit for VPN access that involves many communicating parties and/or many different applications.

SSL VPNs (secure socket layer virtual private networks) provide clientless access by utilizing the SSL encryption features included in Web browsers. Users log in to a portal to access those resources that administrators have specifically configured. SSL VPNs are a good fit when there is a need to provide remote access to a few specific resources from various different types of devices and platforms. StoneGate SSL VPN is available as a separate appliance product. For more information on StoneGate SSL VPN, refer to the SSL VPN Administrator's Guide. IPsec VPN features are integrated in the firewall.
For more information on IPsec VPNs, see Overview to VPNs (page 235). For more information on how IPsec VPNs are configured in StoneGate, see VPN Configuration (page 243).

Firewall Weaknesses

Complexity of Administration

When a complex system is maintained with limited resources, the ease of administration becomes crucial. A great part of the benefits of a security system is wasted if administrators find it difficult to keep up with monitoring the system and the requests for adjusting its policies, if upgrades have to be postponed due to the effort required, or if there is no support for checking and finding errors in the configuration.

Ease of administration is central to the StoneGate Management Center. StoneGate's centralized management system gives administrators more visibility into the whole network, simplifies and automates system maintenance tasks, and reduces the work required to configure the system. If you think the system could work even better for you, let us know by writing to feedback@stonesoft.com.

Firewall Weaknesses 23
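The following is an added example that is not StoneGate code and not part of the original guide. It illustrates the NAT section above: a toy port-overloading NAT (NAPT) that hides a private network behind a single public address by rewriting the source address and port of outbound packets and translating replies back only when they match a recorded mapping, which is why unsolicited inbound traffic never reaches a private host. The addresses and port range are constructed for the example.

```python
"""Added example, not StoneGate code: a toy NAPT (port-overloading NAT) that hides a
private network behind one public address.  Outbound packets get a new source
address/port and the mapping is recorded; inbound packets are translated back only
when they match a recorded mapping.  Addresses are constructed for the example."""
from typing import Dict, Optional, Tuple


class Napt:
    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # (private src, private sport, dst, dport, proto) -> allocated public port
        self.outbound: Dict[Tuple[str, int, str, int, str], int] = {}
        # (public port, remote ip, remote port, proto) -> (private src, private sport)
        self.inbound: Dict[Tuple[int, str, int, str], Tuple[str, int]] = {}

    def translate_outbound(self, pkt: dict) -> dict:
        """Rewrite the source of a packet leaving the private network."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
        port = self.outbound.get(key)
        if port is None:
            port = self.next_port          # one public port per private flow
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, pkt["dst"], pkt["dport"], pkt["proto"])] = (pkt["src"], pkt["sport"])
        out = dict(pkt)                    # header rewrite: only src/sport change
        out["src"], out["sport"] = self.public_ip, port
        return out

    def translate_inbound(self, pkt: dict) -> Optional[dict]:
        """Undo the translation for a reply; None means no mapping exists (drop)."""
        if pkt["dst"] != self.public_ip:
            return None
        mapping = self.inbound.get((pkt["dport"], pkt["src"], pkt["sport"], pkt["proto"]))
        if mapping is None:
            return None                    # unsolicited traffic: the private host stays hidden
        out = dict(pkt)
        out["dst"], out["dport"] = mapping
        return out


def demo():
    """Two private hosts share one public address; returns the translated packets."""
    nat = Napt("198.51.100.7")
    remote = "203.0.113.10"
    a = nat.translate_outbound({"src": "10.0.0.5", "sport": 1234, "dst": remote, "dport": 443, "proto": "tcp"})
    b = nat.translate_outbound({"src": "10.0.0.6", "sport": 1234, "dst": remote, "dport": 443, "proto": "tcp"})
    # Reply to the second flow is mapped back by its public port alone.
    reply_b = nat.translate_inbound({"src": remote, "sport": 443, "dst": "198.51.100.7", "dport": b["sport"], "proto": "tcp"})
    # A packet for a port nobody mapped has nowhere to go.
    stray = nat.translate_inbound({"src": remote, "sport": 443, "dst": "198.51.100.7", "dport": 40002, "proto": "tcp"})
    return a, b, reply_b, stray


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Both private hosts use the same source port 1234 towards the same server, yet the server sees two distinct public ports and its replies are routed back to the right host. This is exactly why NAT appears to be a security feature without being one: the concealment is a side effect of needing a mapping, and anything that creates a mapping (such as the FTP Protocol Agent rewriting a PORT command) deliberately exposes a private host.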


More information

version 1.0 Installation Guide

version 1.0 Installation Guide version 1.0 Installation Guide Copyright 2001 2004 Stonesoft Corp. Stonesoft Corp. All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or

More information

Guideline for setting up a functional VPN

Guideline for setting up a functional VPN Guideline for setting up a functional VPN Why do I want a VPN? VPN by definition creates a private, trusted network across an untrusted medium. It allows you to connect offices and people from around the

More information

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet Review questions 1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet C Media access method D Packages 2 To which TCP/IP architecture layer

More information

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 http://technet.microsoft.com/en-us/library/cc757501(ws.10).aspx Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 Updated: October 7, 2005 Applies To: Windows Server 2003 with

More information

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity Basic Security Requirements and Techniques Confidentiality The property that stored or transmitted information cannot be read or altered by an unauthorized party Integrity The property that any alteration

More information

HughesNet Broadband VPN End-to-End Security Enabled by the HN7700S-R

HughesNet Broadband VPN End-to-End Security Enabled by the HN7700S-R HughesNet Broadband VPN End-to-End Security Enabled by the HN7700S-R HughesNet Managed Broadband Network Services include a high level of end-toend security utilizing a robust architecture designed by

More information

CounterACT 7.0 Single CounterACT Appliance

CounterACT 7.0 Single CounterACT Appliance CounterACT 7.0 Single CounterACT Appliance Quick Installation Guide Table of Contents Welcome to CounterACT Version 7.0....3 Included in your CounterACT Package....3 Overview...4 1. Create a Deployment

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 6 Network Security Objectives List the different types of network security devices and explain how they can be used Define network

More information

Chapter 4 Security and Firewall Protection

Chapter 4 Security and Firewall Protection Chapter 4 Security and Firewall Protection This chapter describes how to use the Security features of the ProSafe Wireless ADSL Modem VPN Firewall Router to protect your network. These features can be

More information

RELEASE NOTES. StoneGate Firewall/VPN v2.2.11 for IBM zseries

RELEASE NOTES. StoneGate Firewall/VPN v2.2.11 for IBM zseries RELEASE NOTES StoneGate Firewall/VPN v2.2.11 for IBM zseries Copyright 2006 Stonesoft Corp. All rights reserved. All trademarks or registered trademarks are property of their respective owners. Disclaimer:

More information

Securing the Small Business Network. Keeping up with the changing threat landscape

Securing the Small Business Network. Keeping up with the changing threat landscape Securing the Small Business Network Keeping up with the changing threat landscape Table of Contents Securing the Small Business Network 1 UTM: Keeping up with the Changing 2 Threat Landscape RFDPI: Not

More information

Executive Summary and Purpose

Executive Summary and Purpose ver,1.0 Hardening and Securing Opengear Devices Copyright Opengear Inc. 2013. All Rights Reserved. Information in this document is subject to change without notice and does not represent a commitment on

More information

Stonesoft Guide. 3G Modem Guide

Stonesoft Guide. 3G Modem Guide Stonesoft Guide 3G Modem Guide Copyright 2013 Stonesoft Corporation. All rights reserved. All specifications are subject to change. Revision: Stonesoft_3G Modem_ 20130620 2 Introduction Thank you for choosing

More information

Cisco Certified Security Professional (CCSP)

Cisco Certified Security Professional (CCSP) 529 Hahn Ave. Suite 101 Glendale CA 91203-1052 Tel 818.550.0770 Fax 818.550.8293 www.brandcollege.edu Cisco Certified Security Professional (CCSP) Program Summary This instructor- led program with a combination

More information

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream User Manual Onsight Management Suite Version 5.1 Another Innovation by Librestream Doc #: 400075-06 May 2012 Information in this document is subject to change without notice. Reproduction in any manner

More information

Palo Alto Networks Administrator's Guide. Release 3.1

Palo Alto Networks Administrator's Guide. Release 3.1 Palo Alto Networks Administrator's Guide Release 3.1 Palo Alto Networks Administrator s Guide Release 3.1 2/25/10 Third/Final Review Draft - Palo Alto Networks COMPANY CONFIDENTIAL Palo Alto Networks,

More information

How Cisco IT Uses Firewalls to Protect Cisco Internet Access Locations

How Cisco IT Uses Firewalls to Protect Cisco Internet Access Locations How Cisco IT Uses Firewalls to Protect Cisco Internet Access Locations Cisco PIX Security Appliance provides stateful firewall protection at smaller Internet gateways. Cisco IT Case Study / Security and

More information

Gigabit SSL VPN Security Router

Gigabit SSL VPN Security Router As Internet becomes essential for business, the crucial solution to prevent your Internet connection from failure is to have more than one connection. PLANET is the ideal to help the SMBs increase the

More information

Email Encryption. Administrator Guide

Email Encryption. Administrator Guide Email Encryption Administrator Guide Email Encryption Administrator Guide Documentation version: 1.0 Legal Notice Copyright 2015 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo,

More information

SonicWALL PCI 1.1 Implementation Guide

SonicWALL PCI 1.1 Implementation Guide Compliance SonicWALL PCI 1.1 Implementation Guide A PCI Implementation Guide for SonicWALL SonicOS Standard In conjunction with ControlCase, LLC (PCI Council Approved Auditor) SonicWall SonicOS Standard

More information

vcloud Air - Virtual Private Cloud OnDemand Networking Guide

vcloud Air - Virtual Private Cloud OnDemand Networking Guide vcloud Air - Virtual Private Cloud OnDemand Networking Guide vcloud Air This document supports the version of each product listed and supports all subsequent versions until the document is replaced by

More information

ΕΠΛ 674: Εργαστήριο 5 Firewalls

ΕΠΛ 674: Εργαστήριο 5 Firewalls ΕΠΛ 674: Εργαστήριο 5 Firewalls Παύλος Αντωνίου Εαρινό Εξάμηνο 2011 Department of Computer Science Firewalls A firewall is hardware, software, or a combination of both that is used to prevent unauthorized

More information

Trustwave SEG Cloud Customer Guide

Trustwave SEG Cloud Customer Guide Trustwave SEG Cloud Customer Guide Legal Notice Copyright 2015 Trustwave Holdings, Inc. All rights reserved. This document is protected by copyright and any distribution, reproduction, copying, or decompilation

More information

Stonesoft Firewall/VPN 5.4 Windows Server 2008 R2

Stonesoft Firewall/VPN 5.4 Windows Server 2008 R2 Stonesoft Firewall/VPN 5.4 Windows Server 2008 R2 End-User Authentication Using Active Directory and Network Policy Server C ONTENTS Introduction to NPS Authentication with AD... 2 Registering the NPS

More information

Configure an IPSec Tunnel between a Firebox Vclass & a Check Point FireWall-1

Configure an IPSec Tunnel between a Firebox Vclass & a Check Point FireWall-1 Configure an IPSec Tunnel between a Firebox Vclass & a Check Point FireWall-1 This document describes how to configure an IPSec tunnel between a WatchGuard Firebox Vclass appliance (Vcontroller version

More information

NEFSIS DEDICATED SERVER

NEFSIS DEDICATED SERVER NEFSIS TRAINING SERIES Nefsis Dedicated Server version 5.2.0.XXX (DRAFT Document) Requirements and Implementation Guide (Rev5-113009) REQUIREMENTS AND INSTALLATION OF THE NEFSIS DEDICATED SERVER Nefsis

More information