COTS SECURITY GUIDANCE (CSG)
FIREWALLS
CSG-06\G
August 2009
Foreword

This is an unclassified publication, issued under the authority of the Chief, Communications Security Establishment Canada (CSEC).

Suggestions for amendments should be forwarded through departmental communications security channels to your Client Services Representative at CSEC.

For further information, please contact CSEC's ITS Client Services area by e-mail at itsclientservices@cse-cst.gc.ca or call (613) 991-7654.

Effective Date

This publication takes effect on 08/28/2009.

Carey Frey
Director, IT Security Industry Program
Government of Canada, Communications Security Establishment Canada

It is not permissible to make copies or extracts from this publication without the written consent of CSEC.
Table of Contents

Foreword
Effective Date
Table of Contents
List of Tables
List of Figures
1 Introduction
  1.1 Distinction among IDS, IPS, and Firewalls
2 Overview
  2.1 Functional Types of Firewall
  2.2 Dedicated Firewall
  2.3 Host-based Firewall
    2.3.1 Embedded Firewall
  2.4 Technology
    2.4.1 Static Packet Filtering
    2.4.2 Stateful Inspection
    2.4.3 Application Proxy
    2.4.4 Deep Packet Inspection
  2.5 Hybrid Firewall
    2.5.1 Other Related Technology
3 Security Issues
  3.1 Firewall Filtering
    3.1.1 Dedicated Corporate Firewall
    3.1.2 Default Allow or Default Deny
    3.1.3 Protocols
    3.1.4 Inbound and Outbound Traffic
    3.1.5 Media Access Control Address Filtering
    3.1.6 Ingress/egress filtering
    3.1.7 Proper format of IP packets
    3.1.8 Length of IP packets
    3.1.9 TCP/IP sequence number
  3.2 Firewall Types
    3.2.1 Static Packet Filtering
    3.2.2 Stateful Inspection
    3.2.3 Application Proxy
    3.2.4 Deep Packet Inspection
    3.2.5 Hybrid Firewall
    3.2.6 Demilitarized Zone
  3.3 Firewall Features
    3.3.1 Logging Capabilities
    3.3.2 Central Management
    3.3.3 Integration with Existing Network Infrastructure
4 Glossary and Acronyms
  4.1 Glossary
  4.2 Acronyms
  4.3 Technical References

List of Tables

Table 1: Security Features Checklist: Firewalls

List of Figures

Figure 1: DMZ using two firewalls
Figure 2: DMZ using a tri-homed firewall
1 Introduction

This document is relevant to the Access Control features of IPS. For the monitoring and reporting features of an IPS, the reader is referred to Intrusion Prevention Systems Guidance. Neither a firewall nor an IPS will protect against passive attacks such as packet sniffers; firewalls and IPS are defences against active attacks.

Most firewalls are placed on the perimeter between the external network (usually the Internet) and the internal network. Internal firewalls, however, are placed on the internal network and are used to separate two or more segments of the internal network from one another. This is useful for a defence in depth strategy, as it limits the amount of damage that a successful intruder or an inside attacker can do.

A firewall solution need not consist of a single device. Many hybrid firewall solutions consist of a static packet filter or stateful inspection firewall as an external line of defence, with an application proxy or Deep Packet Inspection (DPI) firewall behind it.

1.1 Distinction among IDS, IPS, and Firewalls

While security authorities do not agree completely on where the distinctions lie among firewalls, an IPS and an Intrusion Detection System (IDS), it is generally accepted that a firewall is an access control device, an IDS is a monitoring and reporting device, and an IPS lies somewhere between the two in terms of functionality. In reality, almost all firewalls have some monitoring and reporting capability, while an IDS that merely reports suspicious or malicious activity is of little value without linkage to an active response mechanism. For the purposes of this document, however, a firewall is considered to be a system or device that enforces a boundary between two or more computer networks and permits or denies traffic based on a defined set of rules.
Although some authorities consider an IPS to be an extension of IDS, this document considers them to be a form of firewall: since the primary function of an IPS is to prevent intrusions, it is often considered to be an access control device [1].

[1] This view may be losing ground as IDS and IPS are increasingly being combined within the same product to provide a single homogeneous solution. NIST Special Publication 800-98 (Guide to Intrusion Detection and Prevention Systems) superseded NIST Special Publication 800-31 (NIST Special Publication on Intrusion Detection Systems) in February 2007. This later publication uses the term Intrusion Detection and Prevention System (IDPS) to refer to both IDS and IPS technologies. It points out that an IPS can be transformed into an IDS simply by disabling all response mechanisms.
2 Overview

2.1 Functional Types of Firewall

Firewalls are primarily divided into dedicated, host-based, and embedded firewalls.

2.2 Dedicated Firewall

A dedicated firewall is a computer that is dedicated to firewall activities. It has no other function than to separate one network from one or more other networks and to reduce the risk of an attacker on one network successfully attacking the other network(s).

2.3 Host-based Firewall

A host-based firewall, commonly referred to as a personal firewall, is a service that runs on a user terminal or workstation. Unlike a dedicated firewall, the host-based firewall software runs alongside all other services and applications required by the user. This means that the firewall operates by using a portion of the host computer's processing power and resources.

2.3.1 Embedded Firewall

Many border devices, especially routers, come with a firewall capability built in. These are usually simple packet filter devices that screen out obvious or clumsy attacks. Embedded firewalls are a useful line of defence, but most are not recommended as primary firewalls.

2.4 Technology

The four main approaches to firewalls are static packet filtering, stateful inspection, application proxy and Deep Packet Inspection (DPI). These technologies are described individually here. However, many modern firewalls are hybrid solutions, incorporating more than one of these technologies.

2.4.1 Static Packet Filtering

Static packet filtering is very fast, does not require a lot of processing power, and its rules are easy to write and understand. A static packet filter looks at the packets entering or leaving the network and decides whether to allow that transaction to take place, based on information in the headers. This information includes source and destination addresses, source and destination ports, and communications protocol. Static packet filters are rather simplistic, since they only look at information in the headers and not the data. This makes it relatively easy to craft attacks that will bypass the static packet filter.

Static packet filters are commonly embedded in commercial routers but are not recommended as primary firewalls. Nevertheless, packet filters are very fast, add little overhead and are effective at weeding out unsophisticated but dangerous attacks. For this reason, packet filters are a good first line of defence, usually as part of a hybrid firewall.

2.4.2 Stateful Inspection

Stateful inspection, also known as dynamic packet filtering, is a firewall technology that works by ensuring that all packets are either a valid session initiation or part of a previously established session. The firewall keeps track of the state of each Transmission Control Protocol (TCP) connection from the time it is set up until the session either times out or is torn down. For connectionless protocols such as User Datagram Protocol (UDP), stateful inspection firewalls use virtual sessions.

For example, when an internal client browser connects to an external web site, it initiates a Hypertext Transfer Protocol (HTTP) connection; the stateful inspection firewall allows this as it is a valid session initiation. Responses from the web server are a legitimate part of that session and are also allowed. However, once the session with that web server is terminated, any further traffic from the web server is rejected, since it is no longer part of an established session. This thwarts attacks that rely on sending packets pretending to be part of an ongoing session when no such session has, in fact, been established.

Stateful inspection firewalls, like static packet filters, are not recommended as stand-alone firewalls. However, they are commonly combined with either an application proxy or a DPI firewall as part of a hybrid firewall.

2.4.3 Application Proxy

An application proxy accepts connections from clients and connects on behalf of the client to the server. In this way, the client does not connect directly to the server. This enables untrusted clients to connect to trusted servers, and also allows trusted clients to connect to untrusted servers. This approach provides the capability to detect malicious or malformed elements at the Application layer.
However, it is important to review what is being inspected when evaluating proxy software, since the value of an application proxy depends on how thoroughly packets are actually inspected. Some application proxies may introduce additional latency due to the higher level of inspection. This makes these proxies unsuitable for some applications, such as Voice over Internet Protocol (VoIP), that require very low latency.

When using an application proxy, each application needs to have its own proxy written for it. For common protocols, this is not normally a problem. In the case of newer applications, proxies may not be available; however, many proxy-based firewalls offer generic proxies that can be created by the operator for new or unique applications.
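The session tracking described in section 2.4.2, worked through as an added Python example (this code is not part of the CSEC guidance). It assumes a policy in which only internal clients may initiate sessions; the internal network 10.0.0.0/8, the 30-second UDP idle timeout, the state names and the replayed packets are all constructed for the example. The trace at the end is the web-browsing case from 2.4.2: the handshake and data are accepted, and a packet from the same server arriving after the teardown is rejected because no session exists for it.

```python
"""Stateful inspection engine (added example; not from the CSEC guidance).

A packet is accepted only if it is a valid session initiation or belongs to a
session already in the table (section 2.4.2). TCP sessions follow the handshake
and teardown flags; UDP gets a "virtual session" keyed on the 4-tuple that
expires after an idle timeout. Policy, addresses and timeout are constructed.
"""
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed: the trusted side
UDP_IDLE_TIMEOUT = 30.0                             # constructed: seconds before a virtual session expires


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags present, e.g. {"SYN"} or {"FIN", "ACK"}
    time: float = 0.0               # arrival time in seconds (drives the UDP idle timeout)


class StatefulInspector:
    def __init__(self):
        # Session table keyed client->server: (proto, client, cport, server, sport).
        # Value is a TCP state name, or the last-seen time for a UDP virtual session.
        self.sessions = {}

    @staticmethod
    def _internal(ip):
        return ipaddress.ip_address(ip) in INTERNAL_NET

    def _lookup(self, pkt):
        """Find the session this packet belongs to and the direction it travels."""
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.sessions:
            return fwd, "client->server"
        if rev in self.sessions:
            return rev, "server->client"
        return None, None

    def inspect(self, pkt):
        """Return "ACCEPT" or "REJECT", updating the session table as a side effect."""
        key, direction = self._lookup(pkt)
        if pkt.proto == "tcp":
            return self._tcp(pkt, key, direction)
        if pkt.proto == "udp":
            return self._udp(pkt, key)
        return "REJECT"  # protocols this engine does not track

    def _tcp(self, pkt, key, direction):
        if key is None:
            # The only valid initiation: a bare SYN from an internal client to an
            # external server. A stray ACK or data segment claiming to belong to a
            # session that was never set up is exactly what 2.4.2 says to reject.
            if pkt.flags == {"SYN"} and self._internal(pkt.src) and not self._internal(pkt.dst):
                self.sessions[("tcp", pkt.src, pkt.sport, pkt.dst, pkt.dport)] = "SYN_SENT"
                return "ACCEPT"
            return "REJECT"
        state = self.sessions[key]
        if "RST" in pkt.flags:
            del self.sessions[key]  # abortive teardown: the session is gone at once
            return "ACCEPT"
        if state == "SYN_SENT":
            if direction == "server->client" and pkt.flags == {"SYN", "ACK"}:
                self.sessions[key] = "ESTABLISHED"
                return "ACCEPT"
            return "REJECT"
        if state == "ESTABLISHED":
            if "FIN" in pkt.flags:
                self.sessions[key] = "FIN_WAIT"  # one side has closed (which side is not tracked here)
            return "ACCEPT"
        if state == "FIN_WAIT":
            if "FIN" in pkt.flags:
                self.sessions[key] = "LAST_ACK"  # both sides closed; one final ACK remains
            return "ACCEPT"
        if state == "LAST_ACK":
            del self.sessions[key]  # orderly teardown complete; later packets have no session
            return "ACCEPT"
        return "REJECT"

    def _udp(self, pkt, key):
        if key is not None:
            if pkt.time - self.sessions[key] > UDP_IDLE_TIMEOUT:
                del self.sessions[key]  # virtual session timed out
                key = None
            else:
                self.sessions[key] = pkt.time  # refresh the idle timer
                return "ACCEPT"
        if self._internal(pkt.src) and not self._internal(pkt.dst):
            self.sessions[("udp", pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pkt.time
            return "ACCEPT"
        return "REJECT"  # unsolicited UDP from outside, or a reply after the timeout


def demo():
    """Replay a constructed web session and DNS exchange; return the verdicts in order."""
    fw = StatefulInspector()
    client, web, dns = "10.1.2.3", "198.51.100.10", "198.51.100.53"  # constructed addresses
    S = frozenset
    trace = [
        Packet("tcp", client, 40000, web, 80, S({"SYN"})),         # valid initiation
        Packet("tcp", web, 80, client, 40000, S({"SYN", "ACK"})),  # handshake reply
        Packet("tcp", client, 40000, web, 80, S({"ACK"})),         # request
        Packet("tcp", web, 80, client, 40000, S({"ACK"})),         # response
        Packet("tcp", client, 40000, web, 80, S({"FIN", "ACK"})),  # client closes
        Packet("tcp", web, 80, client, 40000, S({"FIN", "ACK"})),  # server closes
        Packet("tcp", client, 40000, web, 80, S({"ACK"})),         # final ACK
        Packet("tcp", web, 80, client, 40000, S({"ACK"})),         # after teardown: no session
        Packet("tcp", web, 8080, client, 40001, S({"ACK"})),       # never any session
        Packet("udp", client, 50000, dns, 53, time=100.0),         # DNS query opens a virtual session
        Packet("udp", dns, 53, client, 50000, time=100.5),         # reply inside the idle window
        Packet("udp", dns, 53, client, 50000, time=200.0),         # reply after the timeout
    ]
    return [fw.inspect(p) for p in trace]
```

The FIN handling is deliberately approximate (it does not record which side sent the first FIN); a production engine also tracks sequence and acknowledgement windows so that a segment outside the window is rejected even when the 4-tuple matches.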
2.4.4 Deep Packet Inspection

DPI, also known as Application Intelligence, Content Inspection or Content Processing, combines the best features of stateful inspection and application proxying. Unlike static packet filter and stateful inspection firewalls, DPI examines the data as well as the header part of packets, searching for protocol non-compliance, known viruses, spam characteristics, intrusions or other predefined criteria, to determine whether the packet should be accepted or rejected. DPI has the ability to inspect the entire network stack to look for attacks in supported protocols.

Since much of the improvement offered by deep packet inspection relies on looking for specific attack signatures, DPI suffers from some of the same weaknesses as signature-based IDS and anti-malware products: there is an inherent delay between the time a new attack is identified and the time that the vendor can provide an inspection signature. These updated signatures must also be downloaded and installed.

2.5 Hybrid Firewall

Most modern firewall systems employ two of the above technologies: static packet filtering or stateful inspection for a rapid, low-overhead first line of defence, combined with application proxying or full DPI for a more comprehensive second line of defence. The first line of defence filters out a large number of nuisance attacks; this reduces the amount of work that must be performed by the second line, allowing it to be more effective.

2.5.1 Other Related Technology

2.5.1.1 Bastion Host

A bastion host is a computer that is not located behind a firewall and is, therefore, fully exposed to attack. Many perimeter firewalls are themselves installed on bastion hosts. Due to their exposure, bastion hosts are designed and configured to withstand attacks. This includes securing whatever network application is running on the bastion host.

The more services and applications that run on a computer, the more potential vulnerabilities there are for an attacker to exploit. Each bastion host, therefore, fulfils a single specific role. Services, protocols, programs, and network ports that are not essential to that role are disabled or removed. In addition, bastion hosts do not usually share authentication services with trusted hosts within the network.
3 Security Issues

For complete security, a firewall should consider all of the following aspects.

3.1 Firewall Filtering

3.1.1 Dedicated Corporate Firewall

Running non-essential services on a firewall, especially a border firewall, creates more potential weaknesses for an attacker to exploit. Installing the firewall on a bastion host, with only the essential services needed to support the firewall, will make it more difficult for an attacker to compromise the firewall itself.

3.1.2 Default Allow or Default Deny

There are two prevailing philosophies in network access control: default deny (default reject) and default allow (default accept). Default deny rejects all traffic by default until firewall rules/policies are applied which allow a set of defined services. Default allow accepts all traffic by default until firewall rules/policies are applied which deny a set of defined services. It is not good commercial practice to implement or consider a default allow policy on a firewall.

3.1.3 Protocols

The most common protocols used by attackers are Transmission Control Protocol/Internet Protocol (TCP/IP), User Datagram Protocol/Internet Protocol (UDP/IP), Internet Control Message Protocol (ICMP) and Domain Name System (DNS). Being able to block malicious traffic on all three of these protocols is the minimum requirement for a modern firewall.

3.1.4 Inbound and Outbound Traffic

Firewalls should permit the filtering of both inbound and outbound traffic. Filtering inbound traffic will stop services that are not defined in a firewall's rule/policy; this may stop attacks from outside the corporate network.

Filtering outbound traffic accomplishes several goals. It limits the ability of an external attacker to use a compromised machine within the corporate network to launch attacks elsewhere; for example, it makes it difficult for an attacker to use compromised machines to launch Distributed Denial of Service (DDoS) attacks, spam campaigns, or other attacks that use compromised computers to attack other networks. It can also prevent inside users from launching attacks from within the corporate network. Even a naïve but curious user engaging in seemingly innocuous behaviour, such as running a traceroute or a port scan, might have serious implications for the corporate reputation.
Commercial firewalls used as internal firewalls, to separate two or more segments of the corporate network, need to consider the possibility of insider attacks from either side of the internal firewall.

3.1.5 Media Access Control Address Filtering

A Media Access Control (MAC) address is a unique 48-bit number assigned to every network interface card (NIC). Because MAC addresses are uniquely assigned to each card, they can be used to create blacklists and whitelists of computers that are denied/allowed access to the network. This is feasible for small, static networks but becomes less so as the size of the network increases, or as the network becomes more dynamic. In practice, MAC address filtering is easy to circumvent through MAC address modification ("address cloning"). It is a fast and useful access control technique for small, static networks, but should not be relied on without additional access controls.

3.1.6 Ingress/egress filtering

In some cases, it is possible to bypass a firewall or other perimeter defence by making it appear as though the traffic is originating from inside the trusted network, by spoofing the source Internet Protocol (IP) address. A good packet filter will recognize that a packet arriving from outside the network, with an IP address purporting to come from inside the network, must be spoofed, and will reject the packet. This is known as ingress filtering. Similarly, the packet filter will recognize that a packet arriving from inside the network, with an IP address purporting to come from outside, must be spoofed, and will reject the packet. This is known as egress filtering.

For example, Request for Comments (RFC) 1918 addresses (non-routable addresses) are restricted to internal network communications and should never appear in Internet traffic. Thus, any inbound packet from the Internet with a source IP address from the blocks 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, or 192.168.0.0 to 192.168.255.255 is suspicious and should be blocked.

3.1.7 Proper format of IP packets

Many attacks, especially denial of service attacks, rely on specially crafted IP packets in a non-standard format. For example, the Land attack used an IP packet in which the source and destination IP addresses were identical; until the release of Service Pack 4, this had the effect of crashing Windows NT servers and workstations. Another example was the Teardrop attack, which involved sending fragmented IP packets with overlapping payloads to the target machine; this also caused many early operating systems to crash, as it required them to calculate a negative offset. By checking that the IP packet is correctly formatted, such attacks can be stopped before they do any damage.

3.1.8 Length of IP packets

Many attacks can be forestalled by ensuring the packet length is compatible with the protocol. For example, the Ping of Death denial of service attack worked by sending an ICMP packet longer than 65,535 bytes; since this is the maximum allowable size of an ICMP packet, early systems did not know how to handle it and crashed. By checking that the IP packet length is compatible with the protocol in use, such attacks can be stopped before they do any damage.

3.1.9 TCP/IP sequence number

TCP/IP sequence numbers are generated at random and are used by computers at both ends of a session to keep track of the order in which packets are sent. Many attacks, most notably Kevin Mitnick's successful TCP hijacking attack on Tsutomu Shimomura's computer [2], rely on the ability to predict TCP/IP sequence numbers. By ensuring that the sequence numbers are generated in an unpredictable manner, the firewall will prevent these attacks from succeeding.

[2] Takedown: the Pursuit and Capture of Kevin Mitnick, the World's Most Notorious Cybercriminal - By the Man Who Did It; Tsutomu Shimomura (with John Markoff); Hyperion Books, 1996.

3.2 Firewall Types

3.2.1 Static Packet Filtering

Static packet filtering is no longer recommended as a stand-alone firewall solution. However, it is still a valuable component of a hybrid firewall, when combined with application proxying or DPI. A static packet filter provides the following functions: filter on source IP address, filter on destination IP address, filter on source port, filter on destination port and filter on protocol (TCP/UDP/ICMP/etc.).

3.2.2 Stateful Inspection

Stateful inspection, also known as dynamic packet filtering, is no longer recommended as a stand-alone firewall solution. However, it is still a valuable component of a hybrid firewall, when combined with application proxying or DPI.
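The checks in 3.1.2 and 3.1.6 to 3.1.8, together with the five static filtering functions listed in 3.2.1, combined into one added Python example (this is not code from the guidance). The interface names "outside" and "inside", the internal network 192.168.10.0/24, the rule set and the sample packets are constructed; the RFC 1918 blocks and the 65,535-byte datagram limit are the values the text cites. The header sanity checks run before any rule is consulted, so a spoofed or malformed packet is dropped regardless of what the rules would otherwise permit, and a packet that matches no allow rule falls through to the default deny.

```python
"""Static packet filter with header sanity checks (added example; not from the CSEC guidance).

Implements default deny (3.1.2), ingress/egress anti-spoofing (3.1.6), a format
check of the Land-attack kind (3.1.7), the datagram length check (3.1.8) and the
five header-field filters of 3.2.1 over an ordered rule list. Interface names,
network numbers, rules and sample packets are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNAL_NET = ipaddress.ip_network("192.168.10.0/24")  # constructed: network behind "inside"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_IP_LENGTH = 65535  # largest datagram the 16-bit IP total-length field can describe


@dataclass(frozen=True)
class Packet:
    iface: str                    # interface the packet arrived on: "outside" or "inside"
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None   # None for ICMP
    dport: Optional[int] = None
    length: int = 60              # total IP datagram length in bytes


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "allow" or "deny"
    iface: Optional[str] = None   # None in any field means "match anything"
    proto: Optional[str] = None
    src: Optional[str] = None     # CIDR
    dst: Optional[str] = None     # CIDR
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt):
        """The five header fields of 3.2.1 plus the arrival interface."""
        return (
            (self.iface is None or self.iface == pkt.iface)
            and (self.proto is None or self.proto == pkt.proto)
            and (self.src is None or ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src))
            and (self.dst is None or ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst))
            and (self.sport is None or self.sport == pkt.sport)
            and (self.dport is None or self.dport == pkt.dport)
        )


def header_check(pkt):
    """Return why a packet is malformed or spoofed, or None if the header is acceptable."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if pkt.length > MAX_IP_LENGTH:
        return "length exceeds maximum IP datagram size"       # 3.1.8 (Ping of Death class)
    if src == dst:
        return "source address equals destination address"    # 3.1.7 (Land attack format)
    if pkt.proto in ("tcp", "udp") and (pkt.sport is None or pkt.dport is None):
        return "TCP/UDP packet without port numbers"           # not properly formed for the protocol
    if pkt.iface == "outside" and any(src in net for net in RFC1918 + [INTERNAL_NET]):
        return "internal or RFC 1918 source on outside interface"  # 3.1.6 ingress filtering
    if pkt.iface == "inside" and src not in INTERNAL_NET:
        return "external source on inside interface"          # 3.1.6 egress filtering
    return None


def filter_packet(pkt, rules):
    """Return (verdict, reason). First matching rule wins; no match means default deny."""
    reason = header_check(pkt)
    if reason is not None:
        return "DENY", reason
    for rule in rules:
        if rule.matches(pkt):
            return rule.action.upper(), "rule " + rule.name
    return "DENY", "default deny"  # 3.1.2: nothing is permitted unless a rule allows it


# Constructed policy: one public web server; outbound DNS and HTTP from the inside.
# The explicit deny is redundant under default deny, but names traffic you expect
# to see so that it can be logged separately from the catch-all.
RULES = [
    Rule("web-in", "allow", iface="outside", proto="tcp", dst="192.168.10.80/32", dport=80),
    Rule("dns-out", "allow", iface="inside", proto="udp", dport=53),
    Rule("http-out", "allow", iface="inside", proto="tcp", dport=80),
    Rule("icmp-in", "deny", iface="outside", proto="icmp"),
]


def demo():
    """Run constructed packets through the filter; return the verdicts in order."""
    packets = [
        Packet("outside", "tcp", "203.0.113.5", "192.168.10.80", 51000, 80),     # permitted web request
        Packet("outside", "tcp", "203.0.113.5", "192.168.10.80", 51000, 22),     # no rule: default deny
        Packet("outside", "tcp", "192.168.10.7", "192.168.10.80", 51000, 80),    # spoofed internal source
        Packet("inside", "tcp", "203.0.113.9", "198.51.100.1", 40000, 80),       # spoofed external source
        Packet("outside", "icmp", "203.0.113.5", "192.168.10.1", length=65536),  # oversized datagram
        Packet("outside", "tcp", "192.168.10.80", "192.168.10.80", 80, 80),      # Land-style src == dst
        Packet("inside", "udp", "192.168.10.7", "198.51.100.53", 50000, 53),     # permitted DNS query
    ]
    return [filter_packet(p, RULES)[0] for p in packets]
```

Because the header checks are stateless, this filter still has the weakness 2.4.1 describes: a packet whose header is well formed and matches an allow rule passes whatever its payload contains, which is why the guidance pairs a filter like this with stateful inspection, a proxy or DPI.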
Stateful inspection provides a much higher level of security than static packet filtering by allowing for more granular control, while providing more flexibility and being less resource-intensive than application proxying. A stateful inspection firewall keeps track of the state of each TCP connection from the time it is set up until the session either times out or is torn down. For connectionless protocols such as UDP, stateful inspection firewalls use virtual sessions. Tracking session state allows the firewall to easily reject packets that do not follow the normal sequence for that type of connection.

For example, the File Transfer Protocol (FTP) uses a separate data connection for each data transfer. For each connection, the FTP client uses destination port 20, but dynamically assigns a source port for the server to reply to. These dynamically assigned ports are called ephemeral ports. With a static packet filter, this would require a large number of ports on the firewall to be opened and left open. With a stateful inspection packet filter, these ports remain closed until one is requested by an FTP client; that port is opened for the duration of the FTP session and is closed immediately upon session completion.

3.2.3 Application Proxy

A proxy server is a computer process that relays a protocol between client and server computer systems. It acts as both client and server, appearing as the server to the client and as the client to the server. When used as a firewall, the proxy server usually runs on a bastion host, which may support proxies for several applications. Clients on one side of the security perimeter do not connect directly to a server on the other side; instead, the client connects to the proxy server, which in turn connects to the server. The application proxy examines each packet and compares it to the rules configured into the firewall. If the packet is found to be acceptable according to the firewall rules, it is forwarded to its destination, but with the header information replaced. If not, the packet is denied.

3.2.3.1 Session audit

The application proxy audits each session established for the associated protocol. This ensures complete coverage of all traffic passed using that particular protocol.

3.2.3.2 Proper protocol format

The application proxy ensures that traffic passing through the firewall is properly formatted for the protocol in use. For example, an attempt to establish a telnet session on port 53 (the Domain Name System (DNS) port) will be handled by the DNS application proxy, which will determine that the packets are not properly formatted for DNS and will block the session.

3.2.3.3 Appropriate IP addresses or URLs

By allowing connections only to authorized IP addresses or Uniform Resource Locators (URLs), an application proxy can ensure that the application communicates only with servers that are appropriate to that application. For example, a Simple Mail Transfer Protocol (SMTP) proxy will only connect to authorized Message Transfer Agents (MTAs); this ensures that rogue e-mail systems cannot establish an SMTP connection.

3.2.3.4 User authentication

By implementing firewall rules to permit or deny access for individuals or groups, an application proxy can be made to authenticate users at the firewall. This is a more flexible solution for large numbers of users than maintaining an Access Control List (ACL).

3.2.3.5 Enforce Protocol Restrictions

An application proxy can restrict the direction or capabilities of protocols passing through the firewall. For example, by setting an FTP proxy to allow downloads from the Internet but not uploads to the Internet, the FTP proxy can prevent servers on the local network from being used as download repositories for illicit files.

3.2.4 Deep Packet Inspection

By examining the data as well as the header part of packets, DPI is able to search for protocol violations within the data payload, enabling it to catch many attacks that would be missed by a static packet filter or a stateful inspection firewall. For example, data-driven attacks such as Code Red, NIMDA, and the SQL Slammer worm were not detected by stateful inspection firewalls, because there was nothing unusual in the packet headers to trigger the firewall. Looking at the headers alone, these worms appeared innocuous; the malicious code was contained within the data payloads of the packets.

3.2.5 Hybrid Firewall

Hybrid firewalls need to incorporate two firewall technologies: static packet filtering or stateful inspection for a rapid, low-overhead first line of defence, and either application proxying or full DPI for the second line of defence. Care must be taken to ensure that these two technologies work together to reduce the workload on the firewall. Nuisance attacks detected by packet filtering need to be blocked before they are encountered by the application proxy or DPI. This will reduce the total number of packets that must be analysed by the latter, allowing it to be more effective.

3.2.6 Demilitarized Zone

In computing, a demilitarized zone (DMZ) is a network that lies behind a firewall, but is separated from the main network by a firewall as well. In this manner, even if a host in the DMZ is compromised, the attacker will still have to break through a firewall to successfully attack the corporate network.

The DMZ is used to protect the main network from external-facing servers, i.e. servers that must be accessible from, and, therefore, to a certain extent, exposed to the external network. For example, mail servers and web servers are usually required to interface with the Internet, whereas there is little or no requirement for a corporate application server to do so.

A DMZ can be set up using two firewalls (Figure 1), with the external-facing servers residing between the external firewall and a secondary firewall. However, a DMZ can also be set up using a single firewall if the firewall has three or more network interfaces (Figure 2).

Figure 1: DMZ using two firewalls

Figure 2: DMZ using a tri-homed firewall

Generally, any service that is being provided to users on an external network should be placed in the DMZ. The most common of these services are web servers, mail servers, FTP servers and DNS servers. In some situations, additional steps need to be taken to be able to provide secure services; for example, due to the confidential nature of e-mail, it is a good idea to store the e-mail on an internal e-mail server and not in the DMZ. The mail server in the DMZ should pass incoming mail to the internal mail server, and the internal mail server should pass outgoing mail to the external mail server.

3.3 Firewall Features

3.3.1 Logging Capabilities

A log of all transactions, kept in accordance with the organization's security policies, ensures that a record of all unauthorized actions exists. If these logs are reviewed regularly, they will help to identify attempted and successful break-ins. Logs will also help in determining what damage has been done, how it was accomplished, and sometimes, who was responsible.

3.3.2 Central Management

In large networks, where there are multiple firewalls, it is important that the firewalls be capable of being centrally managed and administered, so that they can be supported without having to physically access each firewall on the network.

3.3.2.1 Remote Management Interface

Allowing remote management of the firewall via the external (e.g. Internet-facing) interface creates a vulnerability through which an attacker could directly gain control of the firewall.

3.3.2.1.1 Dedicated Management Interface

Some firewalls provide a dedicated management interface which is not connected to, or accessible from, the network; this allows remote management of the firewall from dedicated management terminals that are not connected directly to the network. Restricting remote management to this dedicated interface decreases the risk that an attacker might be able to communicate directly with the firewall, as they would require physical access to, and authorization to use, one of the dedicated management terminals.
3.3.2.1.2 Management Confined to Internal Network Interface

Some firewalls do not have a dedicated management interface; in other cases, the network architecture makes it infeasible to manage firewalls without going over the corporate network. In these cases, restricting remote management to the internal (i.e. inward-facing) interface decreases the risk that an external attacker might be able to communicate directly with the firewall, as they would first have to breach the firewall itself in order to compromise an internal machine, from which they could attack the firewall's remote management. Most firewalls can be configured to disallow remote management commands from all interfaces other than the internal interface.
3.3.2.2 Strong Authentication

To prevent attackers from gaining control of the firewall, remote administration of the firewall requires strong authentication.

3.3.2.3 Central Reporting Capability

A central reporting capability allows correlation of attacks against multiple hosts and provides security administrators with a clearer picture of the nature and extent of the attack.

3.3.3 Integration with Existing Network Infrastructure

The appropriate choice of firewall will depend on the existing network topology and infrastructure.
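The log review of 3.3.1 and the cross-firewall correlation of 3.3.2.3, shown as an added Python example (not from the guidance). The one-line log format, the firewall names, the addresses and the scan thresholds are all constructed for the example; a real product emits its own format, so only the parsing pattern would change. The point of the example is the correlation step: a source that is denied on a few ports at each of two firewalls looks like noise in either firewall's log alone, but once the deny records are pooled by source address the port scan and the sweep across hosts become visible.

```python
"""Central review of firewall deny logs (added example; not from the CSEC guidance).

Pools deny records from several firewalls, groups them by source address and
flags sources whose denies spread across many ports (port scan), many internal
hosts (host sweep) or more than one firewall. Log format and data are constructed.
"""
import re
from collections import defaultdict

# Constructed sample: one line per logged packet, gathered from two edge firewalls.
SAMPLE_LOGS = """\
2009-08-28T10:00:01Z fw-edge-1 DENY tcp 203.0.113.7:41000 -> 192.168.10.80:22
2009-08-28T10:00:02Z fw-edge-1 DENY tcp 203.0.113.7:41001 -> 192.168.10.80:23
2009-08-28T10:00:03Z fw-edge-1 DENY tcp 203.0.113.7:41002 -> 192.168.10.80:3389
2009-08-28T10:00:04Z fw-edge-2 DENY tcp 203.0.113.7:41003 -> 192.168.20.5:22
2009-08-28T10:00:05Z fw-edge-2 DENY tcp 203.0.113.7:41004 -> 192.168.20.6:22
2009-08-28T10:00:09Z fw-edge-2 DENY udp 198.51.100.44:53 -> 192.168.20.5:5060
2009-08-28T10:00:10Z fw-edge-1 DENY icmp 192.0.2.10 -> 192.168.10.1
2009-08-28T10:00:11Z fw-edge-1 ALLOW tcp 192.168.10.7:50000 -> 198.51.100.1:80
"""

# Pattern for the constructed format above; ports are optional so ICMP lines parse too.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse(text):
    """Turn raw log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # in practice count these: a format change or tampering should be noticed
        e = m.groupdict()
        e["dport"] = int(e["dport"]) if e["dport"] else None
        events.append(e)
    return events


def correlate(events, port_threshold=3, host_threshold=2):
    """Group DENY events by source and flag scanning behaviour.

    A source is flagged "port-scan" when denied on at least port_threshold
    distinct destination ports, "host-sweep" when denied towards at least
    host_threshold distinct hosts, and "seen-at-multiple-firewalls" when the
    denies come from more than one firewall (the central-reporting view of 3.3.2.3).
    """
    by_src = defaultdict(lambda: {"denies": 0, "ports": set(), "hosts": set(), "firewalls": set()})
    for e in events:
        if e["action"] != "DENY":
            continue
        s = by_src[e["src"]]
        s["denies"] += 1
        if e["dport"] is not None:
            s["ports"].add(e["dport"])
        s["hosts"].add(e["dst"])
        s["firewalls"].add(e["fw"])

    report = {}
    for src, s in by_src.items():
        flags = []
        if len(s["ports"]) >= port_threshold:
            flags.append("port-scan")
        if len(s["hosts"]) >= host_threshold:
            flags.append("host-sweep")
        if len(s["firewalls"]) >= 2:
            flags.append("seen-at-multiple-firewalls")
        report[src] = {
            "denies": s["denies"],
            "ports": sorted(s["ports"]),
            "hosts": sorted(s["hosts"]),
            "firewalls": sorted(s["firewalls"]),
            "flags": flags,
        }
    return report


if __name__ == "__main__":
    for src, info in correlate(parse(SAMPLE_LOGS)).items():
        print(src, info["denies"], "denies", info["flags"])
```

Thresholds this low suit a constructed sample; against real traffic they are tuned per site, and the review is normally scheduled rather than ad hoc so that the "reviewed regularly" condition in 3.3.1 actually holds.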
4 Glossary and Acronyms

4.1 Glossary

Bastion Host: A bastion host is typically a firewall implemented on top of an operating system that has been specially configured and hardened to be resistant to attack. (National Institute of Science and Technology (NIST) Special Publication (SP) 800-41)

Proxy Server: A computer process, often used as, or as part of, a firewall, that relays a protocol between client and server computer systems, by appearing to the client to be the server and appearing to the server to be the client. (RFC 2828, Internet Security Glossary)

Virus: A self-replicating program that runs and spreads by modifying other programs or files. (NIST SP 800-61)

Worm: A self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself. (NIST SP 800-61)

4.2 Acronyms

3DES      Triple Data Encryption Standard (Triple-DES)
AES       Advanced Encryption Standard
ACL       Access Control List
CMVP      Cryptographic Module Validation Program
CSEC      Communications Security Establishment Canada
DDoS      Distributed Denial of Service
DES       Data Encryption Standard
DMZ       Demilitarized Zone
DNS       Domain Name System
DoS       Denial of Service
DPI       Deep Packet Inspection
EAL       Evaluation Assurance Level
FTP       File Transfer Protocol
HTTP      HyperText Transfer Protocol
ICMP      Internet Control Message Protocol
IDPS      Intrusion Detection and Prevention System
IDS       Intrusion Detection System
IP        Internet Protocol
IPS       Intrusion Prevention System
IT        Information Technology
LAN       Local Area Network
MAC       Media Access Control
NIC       Network Interface Card
NIMDA     ADMIN spelt backwards (not an acronym)
NIST      National Institute of Science and Technology
RFC       Request for Comments
SMTP      Simple Mail Transfer Protocol
SP        Special Publication
TCP       Transmission Control Protocol
TCP/IP    Transmission Control Protocol/Internet Protocol
UDP       User Datagram Protocol
UDP/IP    User Datagram Protocol/Internet Protocol
URL       Uniform Resource Locator
VoIP      Voice over Internet Protocol

4.3 Technical References

ITSA-11E: CSE Approved Cryptographic Algorithms for the Protection of Protected Information and for Electronic Authentication and Authorization Applications within the Government of Canada; http://www.csecst.gc.ca/documents/publications/itsa-asti/itsa11e-eng.pdf
Table 1: Security Features Checklist: Firewalls Product Name: Item Security Features Checklist for Firewalls 1.0 Recommended Features 1.1 Dedicated Corporate Firewall Any corporate firewall separating the corporate Local Area Network (LAN) from the public Internet or any other outside network should be a dedicated firewall, and should not be used to provide other services such as a web server or DNS server, unless these services are required by the firewall itself. Running non-essential services on a firewall, especially a border firewall, creates more potential weaknesses for an attacker to exploit. Installing the firewall on a Bastion Host, with only essential services to support the firewall, will make it more difficult for an attacker to compromise the firewall. 1.1.1 Hardened Corporate Firewall Any corporate firewall separating the corporate LAN from the public Internet or any other outside network should be installed on a Host. 1.2 Default Deny Configuration It should be possible to configure the firewall in a default deny configuration. This should be the default firewall configuration, and the firewall should be thus configured. his allows the level of protection to be set in accordance with corporate policy. 1.3 Inbound and Outbound Traffic The firewall should be able to filter on both inbound and outbound traffic. Filtering inbound traffic will stop attacks from outside the corporate network. Filtering outbound traffic prevents external attackers from using a compromised machine within the corporate network to launch attacks elsewhere, and also prevents inside users from launching attacks from within the corporate network 1.4 MAC Address Filtering For small, static networks, the firewall should be able to filter traffic based on the MAC Address of the sending NIC. Filtering on MAC addresses is a weak defence, since MAC addresses are easy to clone, but it makes life more difficult for the attacker, who will need to find out a valid MAC address. 
1.5 Ingress/Egress Filtering
The firewall should be capable of blocking IP packets arriving on the outside interface with a source address from inside the network (ingress filtering), and packets arriving on the inside interface with a source address from outside the network (egress filtering). This prevents an attacker from bypassing the firewall rules with a spoofed IP source address. It also helps to block certain Denial of Service (DoS) attacks such as the Land attack, in which the source and destination addresses of the packet are the same.

1.6 Proper Format of IP Packets
The firewall should be capable of checking that IP packets are correctly formatted for the associated protocol. This prevents many attacks that rely on specially crafted packets which do not conform to the protocol format, such as illegal TCP flag combinations or overlapping fragments.

1.7 Length of IP Packets
The firewall should be capable of blocking IP packets that are too long for the associated protocol. This protects against many buffer overflow and DoS attacks.

1.8 TCP/IP Sequence Number
The firewall should ensure that the TCP initial sequence numbers of connections passing through it are unpredictable; where the end hosts cannot be relied on to randomize them, the firewall does this by rewriting the sequence numbers of the sessions it tracks. This prevents attacks such as TCP hijacking, which rely on the ability to predict sequence numbers in a TCP session.

1.9 Correctness of Port Number
The firewall should be capable of checking that the traffic carried on a port actually conforms to the protocol expected on that port. This prevents an attacker from running a service on a non-standard port, or an unexpected service on a standard port, in an attempt to create a back door into the network.

1.10 Packet Filtering
The firewall should be capable of supporting static packet filtering or stateful inspection, plus an application-level firewall. Static packet filters and stateful inspection firewalls are ideal for quick detection and blocking of many easily recognizable attacks.

1.10.1 Source IP Address
The firewall should be capable of blocking IP packets based on the source address. This allows the administrator to block packets coming from a known or suspected attack machine, or to limit access to an application to a known trusted network.

1.10.2 Destination IP Address
The firewall should be capable of blocking IP packets based on the destination address. This allows the administrator to limit connections from the outside to a specific set of servers on the inside.

1.10.3 Source Port Filtering
The firewall should be able to filter traffic based on source TCP and UDP ports. Filtering on source ports is often done on outgoing packets, in combination with filtering on the source IP address. For example, only an FTP server should be allowed to send packets out using source port 21 (the FTP control port) or source port 20 (the FTP data port, used in active mode). Similarly, only an HTTP (web) server should be allowed to send packets out using source port 80. Source port filtering on inbound traffic may also be useful: some known attacks have used unusual source ports, such as 0 or 65535, and filtering out packets with these source ports stops those attacks. Note that a source port is chosen by the sender and therefore proves nothing on its own; it is useful only in combination with address filtering or connection state.

1.10.4 Destination Port Filtering
The firewall should be able to filter traffic based on destination TCP and UDP ports. This is the primary mechanism for restricting which services are reachable through the firewall.
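As an added example (not part of this checklist and not any vendor's code), the following Python script models the behaviours of items 1.2, 1.3, 1.5, 1.9 and 1.10.1 to 1.10.4, together with the management-interface restriction of item 9.2.1, as a first-match policy evaluator with default deny. The addresses, interface names, rules and packets are all constructed for the example, and the protocol-on-port check covers only HTTP and SMTP.

```python
"""Added example: a toy packet-filter policy evaluator (not product code).
Models checklist items 1.2 (default deny), 1.3 (both directions), 1.5
(ingress/egress anti-spoofing, LAND), 1.9 (protocol on port), 1.10.1-1.10.4
(address/port rules, odd source ports) and 9.2.1 (management interface only).
Addresses, interface names, the policy and the packets are all constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

net = ipaddress.ip_network
INSIDE = net("192.0.2.0/24")        # constructed corporate LAN
WEB_SERVER = net("192.0.2.10/32")   # constructed published web server
MAIL_RELAY = net("192.0.2.25/32")   # constructed authorized MTA
MGMT_NET = net("198.51.100.0/24")   # constructed admin network behind mgmt0


@dataclass
class Packet:
    iface: str              # arrival interface: outside, inside or mgmt0
    proto: str              # tcp, udp or icmp
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    payload: bytes = b""    # first client bytes; empty for a bare SYN


@dataclass
class Rule:
    action: str             # allow or deny; a None field matches anything
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        exact = [(self.iface, p.iface), (self.proto, p.proto), (self.dport, p.dport)]
        return (all(want is None or want == got for want, got in exact)
                and (self.src is None or ipaddress.ip_address(p.src) in self.src)
                and (self.dst is None or ipaddress.ip_address(p.dst) in self.dst))


def sanity_check(p: Packet) -> Optional[str]:
    """Checks applied before any rule is consulted; returns a drop reason or None."""
    s, d = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    if s == d:                                    # LAND attack (1.5)
        return "land-attack: source equals destination"
    if p.iface == "outside" and s in INSIDE:      # ingress filtering (1.5)
        return "ingress-spoof: inside source address on outside interface"
    if p.iface == "inside" and s not in INSIDE:   # egress filtering (1.5)
        return "egress-spoof: outside source address on inside interface"
    if p.proto in ("tcp", "udp") and p.sport in (0, 65535):   # odd source ports (1.10.3)
        return "bad-source-port: %d" % p.sport
    return None


def protocol_on_port_ok(p: Packet) -> bool:
    """Item 1.9: the first client bytes must fit the protocol expected on the port.
    Only HTTP/80 and SMTP/25 are modelled; other ports and empty payloads pass."""
    if p.proto != "tcp" or not p.payload:
        return True
    line = p.payload.split(b"\r\n", 1)[0]
    if p.dport == 80:
        parts = line.split(b" ")
        return len(parts) == 3 and parts[0] in (b"GET", b"HEAD", b"POST") and parts[2].startswith(b"HTTP/1.")
    if p.dport == 25:
        return line.upper().startswith((b"EHLO ", b"HELO "))
    return True


def evaluate(p: Packet, rules: List[Rule]) -> Tuple[str, str]:
    """First matching rule wins; a packet matching no rule is dropped (1.2)."""
    reason = sanity_check(p)
    if reason:
        return "deny", reason
    if not protocol_on_port_ok(p):
        return "deny", "protocol-mismatch on port %d" % p.dport
    for i, r in enumerate(rules):
        if r.matches(p):
            return r.action, "rule %d" % i
    return "deny", "default-deny"


POLICY = [
    Rule("allow", iface="mgmt0", proto="tcp", src=MGMT_NET, dport=22),     # 0 admin SSH via mgmt0 only (9.2.1)
    Rule("deny", proto="tcp", dport=22),                                    # 1 SSH on any other interface
    Rule("allow", iface="outside", proto="tcp", dst=WEB_SERVER, dport=80),  # 2 published web server (1.10.2)
    Rule("allow", iface="outside", proto="tcp", dst=MAIL_RELAY, dport=25),  # 3 inbound mail only to the MTA
    Rule("allow", iface="inside", proto="tcp", src=MAIL_RELAY, dport=25),   # 4 only the MTA sends mail out
    Rule("deny", iface="inside", proto="tcp", dport=25),                    # 5 workstations may not reach MXs
    Rule("allow", iface="inside", proto="tcp", dport=80),                   # 6 browsing
    Rule("allow", iface="inside", proto="icmp"),                            # 7 ping out; inbound ICMP hits default deny
]

SAMPLES = {  # constructed packets, one per behaviour
    "web_in": Packet("outside", "tcp", "203.0.113.5", "192.0.2.10", 40000, 80, b"GET / HTTP/1.1\r\nHost: www\r\n\r\n"),
    "tls_on_80": Packet("outside", "tcp", "203.0.113.5", "192.0.2.10", 40001, 80, b"\x16\x03\x01\x02\x00\x01"),
    "ingress_spoof": Packet("outside", "tcp", "192.0.2.7", "192.0.2.10", 40002, 80),
    "land": Packet("outside", "tcp", "192.0.2.10", "192.0.2.10", 80, 80),
    "port_zero": Packet("outside", "tcp", "203.0.113.5", "192.0.2.10", 0, 80),
    "ssh_outside": Packet("outside", "tcp", "203.0.113.5", "192.0.2.1", 40003, 22),
    "ssh_mgmt": Packet("mgmt0", "tcp", "198.51.100.4", "192.0.2.1", 40004, 22),
    "mta_out": Packet("inside", "tcp", "192.0.2.25", "203.0.113.9", 40005, 25, b"EHLO relay.example\r\n"),
    "workstation_smtp": Packet("inside", "tcp", "192.0.2.50", "203.0.113.9", 40006, 25),
    "egress_spoof": Packet("inside", "tcp", "203.0.113.5", "203.0.113.9", 40007, 80),
    "dns_in": Packet("outside", "udp", "203.0.113.5", "192.0.2.10", 40008, 53),
}


def run_demo() -> dict:
    """Returns {label: (action, reason)} for every constructed packet."""
    return {name: evaluate(p, POLICY) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (action, why) in run_demo().items():
        print("%-17s %-5s %s" % (name, action, why))
```

Two design points carry over to real products: the anti-spoofing and LAND checks run before any rule is consulted, so no allow rule can be reached with a forged source address, and the SSH deny in rule 1 is redundant with default deny but makes the management restriction explicit and auditable. The toy is stateless; a stateful inspection firewall would additionally drop packets that do not belong to a tracked connection.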
1.10.5 Well-known Attacks
The firewall should be capable of detecting and blocking all well-known, well-documented attacks at the TCP/IP layer.

1.11 Application Level Firewall
The firewall should be capable of supporting application proxying and deep packet inspection (DPI).

1.11.1 Application Proxy
The firewall should be capable of supporting application proxies for common applications and services. Where an application proxy is available for a particular application or service, it is generally the most secure form of firewall available, because the proxy terminates the client's connection and originates its own to the server, so only traffic the proxy understands and accepts is forwarded.

1.11.1.1 Generic Proxy
The firewall should provide a generic proxy that can be configured by the administrator, so that non-standard applications and services can also be proxied. This allows the security administrator to create custom proxies in order to protect a wider range of applications.

1.11.1.2 Session Audit
The firewall should audit each session established for the relevant protocol.

1.11.1.3 Proper Protocol Format
The application proxy should be capable of ensuring that traffic passing through the firewall is properly formatted for the protocol in use.

1.11.1.4 Appropriate IP Addresses or URLs
The firewall should be capable of ensuring that the application communicates only with servers that are appropriate to that application. For example, an SMTP proxy should be configured to connect only to authorized mail transfer agents (MTAs); this prevents rogue e-mail systems from establishing an SMTP connection.

1.11.1.5 User Authentication
The firewall should be capable of implementing dynamic firewall rules to permit or deny access for individuals or groups. This allows an application proxy to authenticate users at the firewall. For systems with large numbers of users, this is a more flexible solution than maintaining a static access control list (ACL).

1.11.1.6 Enforce Protocol Restrictions
The firewall should be capable of restricting the direction or capabilities of protocols passing through the firewall. For example, to prevent servers on the local network from being used as download repositories for illicit files, an FTP proxy should be configured to disallow downloads from the local network to the Internet.

1.11 Performance
Throughput: ensure that the interface bandwidth and the total bandwidth supported by the firewall meet the requirements.

1.12 Demilitarized Zone
To set up a DMZ, the firewall should support at least three network interfaces. This allows the firewall to be configured as a tri-homed firewall (outside, DMZ and inside).

2.0 Conformance to Protocol Standards

2.1 Transmission Control Protocol
The firewall should be able to monitor and allow/deny TCP packets. Because TCP is the predominant transport protocol on the Internet, most attacks have a TCP-based version.

2.2 User Datagram Protocol
The firewall should be able to monitor and allow/deny UDP packets. Many attackers try to use UDP packets in an attempt to get through a firewall whose rules only address TCP.

2.3 Internet Control Message Protocol
The firewall should be able to monitor and allow/deny ICMP packets.
Many denial of service attacks use ICMP messages such as Echo Request (ping), Echo Reply (ping response), Source Quench, and other lesser-known ICMP message types. Attackers also commonly use Echo Request and traceroute (Time Exceeded) messages to carry out network reconnaissance. ICMP should be filtered by type rather than blocked wholesale: the Destination Unreachable message used for path MTU discovery ("fragmentation needed") is required for normal operation.

3.0 Authentication

3.1 Passwords
The product should support the departmental/agency security policy or guideline. For strong authentication, mutual authentication is highly recommended, for example with client-side and server-side certificates.

3.1.1 Password Compatibility
Where passwords are used, the product should support a choice of password length and format that is compliant with the corporate password policy.

4.0 Public Key Infrastructure Standards
4.1 N/A

5.0 Cryptographic Standards

5.1 Encryption Algorithms
The product should use one of the following encryption algorithms approved by CSEC for the use of the Government of Canada for encrypting protected information (note: these requirements are expected to change in 2010):
- Advanced Encryption Standard (AES) with a key length of 128, 192 or 256 bits
- Triple Data Encryption Standard (3DES) with the 2-key or 3-key option

5.2 Key Establishment Algorithms
The product should use one of the following algorithms approved by CSEC for the use of the Government of Canada for the establishment of encryption keys:
- Rivest, Shamir, Adleman (RSA)
- Other algorithms based on exponentiation in finite fields (e.g., Diffie-Hellman)
- Key Exchange Algorithm (KEA)
- Elliptic Curve algorithms
For the first two, the modulus should be a minimum of 1024 bits in length; this should increase to 2048 bits by the end of 2010. For Elliptic Curve algorithms over a prime field, the elliptic curve size should be a minimum of 192 bits in length. For EC algorithms over a binary field, the degree of the field should be a minimum of 163 bits. These numbers should increase to 256 bits and 283 bits respectively by the end of 2010. This ensures that the algorithms used are of sufficient strength to meet government standards.

5.3 Digital Signature Algorithms
The product should use one of the following algorithms approved by CSEC for the use of the Government of Canada for digital signature applications:
- RSA
- Digital Signature Algorithm (DSA)
- Other algorithms based on exponentiation in finite fields (e.g., ElGamal)
- Elliptic Curve Digital Signature Algorithm (ECDSA)
For the first three, the modulus should be a minimum of 1024 bits in length; this should increase to 2048 bits by the end of 2010. For EC algorithms over a prime field, the elliptic curve size should be a minimum of 192 bits in length. For EC algorithms over a binary field, the degree of the field should be a minimum of 163 bits. These numbers should increase to 256 bits and 283 bits respectively by the end of 2010. This ensures that the algorithms used are of sufficient strength to meet government standards.

5.4 Hashing Algorithms
If applicable, the product should use one of the following hash algorithms approved by CSEC for the use of the Government of Canada:
- Secure Hash Algorithm 1 (SHA-1)
- SHA-224
- SHA-256
- SHA-384
- SHA-512
Of these, SHA-1 should be treated as the legacy option; the SHA-2 members (SHA-224 and above) should be preferred for new deployments.
This ensures that the algorithms used are of sufficient strength to meet government standards.

6.0 Assurance

6.1 Federal Information Processing Standards
The product should implement a cryptographic module validated by the Cryptographic Module Validation Program (CMVP) to one of the following Federal Information Processing Standards (FIPS):
- FIPS 140-1 [3]
- FIPS 140-2
This ensures that the product has been reviewed by a dependable independent third party, and that the product design is of sufficient quality to enable it to resist attacks. A CMVP certificate applies to a specific module version and configuration; confirm that the validated version, operating in its approved mode, is the one actually deployed.

[3] FIPS 140-2 was released on May 25, 2001 and supersedes FIPS 140-1. Modules validated as conforming to FIPS 140-1 and FIPS 140-2 are accepted by the federal agencies of both Canada and the United States for the protection of sensitive information. However, a federal agency may choose to procure only a FIPS 140-2 validated module (http://csrc.nist.gov/groups/stm/cmvp/index.html#04). Validations against FIPS 140-1 will be accepted as equivalent to FIPS 140-2 for legacy components.

6.2 Cryptographic Algorithm Validation Program
The cryptographic module should implement cryptographic algorithms validated by the Cryptographic Algorithm Validation Program (CAVP) to the specified standard. The CAVP encompasses validation testing for FIPS-approved and NIST-recommended cryptographic algorithms. Algorithm validation under the CAVP is a prerequisite for module validation under the CMVP.

6.3 Common Criteria Evaluation Assurance Level
For products evaluated under the Common Criteria, the product should meet the highest available Evaluation Assurance Level (EAL).

6.3.1 Protection Profile or Security Target
For products evaluated under the Common Criteria, the product should be evaluated to a Protection Profile or Security Target that addresses security features relevant to the organization. This ensures that the product has been evaluated with regard to security features that are applicable to the organization's needs and/or are relevant to the product's intended use.

7.0 Configurability

7.1 Changeable Default Values
Where default security settings exist, the product should be configurable to change the default values (the product should clearly document all default values, especially passwords, in one place), and the default values should be changed upon installation. This prevents unauthorized users from connecting to or using the product by logging in with the factory default credentials.

7.2 Responses to Non-standard Packets
The product should allow the responses to illegal or non-standard packets to be configured by the security administrator. This helps to prevent attackers from fingerprinting the system's defences based on standard responses to non-standard packets.

7.3 Logging
The product should be configurable to log transactions in accordance with the organization's security policies, and this capability should be enabled upon installation. A log of all transactions, kept in accordance with the organization's security policies, ensures that a record of unauthorized actions exists. If these logs are reviewed regularly, they help to identify attempted and successful break-ins. Logs also help in determining what damage has been done, how it was accomplished and, sometimes, who was responsible. Logs should be forwarded to a separate log host, since an attacker who compromises the firewall can otherwise alter or erase the only copy.
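As an added example (not from this publication or any vendor), the following Python script shows the kind of regular review that item 7.3 calls for, run over a dozen constructed log lines in an iptables-like format (the FW-ALLOW/FW-DENY prefix, the field names and the published-services list are assumptions of the example). It flags an external port scan, an inside host repeatedly denied outbound (the compromised-machine case of item 1.3) and an inbound accept to a service the organization never published, which is either rule drift (item 7.1) or a back door (item 1.9).

```python
"""Added example: triage of constructed firewall log lines (not product code).
Item 7.3 says logs only help if they are reviewed; this runs three reviews a
firewall log supports: an external port scan, an inside host repeatedly denied
outbound (item 1.3, possible compromise) and inbound accepts to services that
were never published (items 7.1 and 1.9). The log format is constructed in an
iptables-like style; the prefix and field names are assumptions of the example."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample log; a real file has thousands of lines per hour.
SAMPLE_LOG = """\
Aug 28 10:01:02 fw kernel: FW-DENY IN=outside SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=21
Aug 28 10:01:02 fw kernel: FW-DENY IN=outside SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40113 DPT=22
Aug 28 10:01:03 fw kernel: FW-DENY IN=outside SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40114 DPT=23
Aug 28 10:01:03 fw kernel: FW-ALLOW IN=outside SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40115 DPT=80
Aug 28 10:01:04 fw kernel: FW-DENY IN=outside SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40116 DPT=443
Aug 28 10:01:04 fw kernel: FW-DENY IN=outside SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40117 DPT=3389
Aug 28 10:02:10 fw kernel: FW-ALLOW IN=outside SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80
Aug 28 10:02:11 fw kernel: FW-ALLOW IN=outside SRC=198.51.100.77 DST=192.0.2.44 PROTO=TCP SPT=51001 DPT=4444
Aug 28 10:03:00 fw kernel: FW-DENY IN=inside SRC=192.0.2.77 DST=198.51.100.9 PROTO=TCP SPT=33001 DPT=6667
Aug 28 10:03:05 fw kernel: FW-DENY IN=inside SRC=192.0.2.77 DST=198.51.100.9 PROTO=TCP SPT=33002 DPT=6667
Aug 28 10:03:10 fw kernel: FW-DENY IN=inside SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP SPT=33003 DPT=6667
Aug 28 10:03:20 fw kernel: FW-DENY IN=inside SRC=192.0.2.51 DST=198.51.100.9 PROTO=UDP SPT=5353 DPT=5353
Aug 28 10:04:00 fw sshd[812]: Accepted publickey for admin from 198.51.100.4 port 50122
"""

# Services the organization publishes on the outside interface (constructed).
PUBLISHED: Set[Tuple[str, int]] = {("192.0.2.10", 80), ("192.0.2.25", 25)}

LINE_RE = re.compile(
    r"FW-(?P<action>ALLOW|DENY) IN=(?P<iface>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+))?(?: DPT=(?P<dpt>\d+))?")


@dataclass
class Event:
    action: str
    iface: str
    src: str
    dst: str
    proto: str
    dpt: Optional[int]      # None for protocols without ports (ICMP)


def parse(log: str) -> List[Event]:
    """Keeps only firewall records; other syslog lines (here an sshd line) are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            dpt = int(m.group("dpt")) if m.group("dpt") else None
            events.append(Event(m.group("action"), m.group("iface"), m.group("src"),
                                m.group("dst"), m.group("proto"), dpt))
    return events


def port_scans(events: List[Event], threshold: int = 5) -> Dict[str, List[int]]:
    """External sources whose inbound denies touched at least `threshold` distinct ports."""
    ports = defaultdict(set)
    for e in events:
        if e.action == "DENY" and e.iface == "outside" and e.dpt is not None:
            ports[e.src].add(e.dpt)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= threshold}


def outbound_denied(events: List[Event], threshold: int = 3) -> Dict[str, int]:
    """Inside hosts denied outbound `threshold` or more times: candidate compromised machines (1.3)."""
    hits = Counter(e.src for e in events if e.action == "DENY" and e.iface == "inside")
    return {host: n for host, n in hits.items() if n >= threshold}


def unexpected_accepts(events: List[Event]) -> List[Tuple[str, int]]:
    """Inbound accepts to (server, port) pairs that are not published: rule drift or a back door."""
    return sorted({(e.dst, e.dpt) for e in events
                   if e.action == "ALLOW" and e.iface == "outside" and (e.dst, e.dpt) not in PUBLISHED})


def triage(log: str = SAMPLE_LOG) -> dict:
    """Runs the three reviews and returns their findings together with the record count."""
    events = parse(log)
    return {"events": len(events), "scans": port_scans(events),
            "outbound_denied": outbound_denied(events), "unexpected_accepts": unexpected_accepts(events)}


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

The scan detector deliberately counts only denied ports, so the one accepted probe to port 80 in the sample does not hide the scan, and the reviewer sees both that the host was scanned and which service the scanner found. Thresholds are per review period; in production they would be applied per time window rather than over the whole file.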
8.0 Usability

8.1 Configuration by Users
The product should not require any configuration by users. This prevents users from misconfiguring the product, and ensures that they will use the product appropriately and not look for ways to get around it.

9.0 Manageability

9.1 Central Management
The product should be capable of being centrally managed and administered. This ensures that the product can be supported without physical access to each device on the network.

9.2 Dedicated Management Interface
The product should provide a dedicated management interface and accept remote management commands only through that interface. This prevents an attacker from reaching the firewall's management services through the regular network interfaces.

9.2.1 Disallow Management Through External Interface
The product should be configurable, and should be configured, to disallow remote management commands from all interfaces other than the internal interface or the dedicated management interface.

9.2 Remote Management
The product should be compatible with remote server management tools. This ensures that the product does not become an impediment to network administration.

9.3 Authentication of Management Traffic
All administrative and management traffic between the central console and the distributed products should be authenticated according to the authentication standards given at Item 3.0 above.

9.4 Encryption of Management Traffic
All administrative and management traffic between the central console and the distributed products should be encrypted according to the cryptographic standards given at Item 5.0 above. This ensures that unauthorized users cannot access product information or sensitive information gathered by the products on the network.

10.0 Scalability

10.1 Degree of Scalability
The product should be scalable based on the potential/projected growth of the organization.