Firewalls

"In more than eighty percent of the computer crimes investigated by the FBI, unauthorized access was gained through the Internet" --- FBI[1]

"In any given year, US government systems are illegally, though not necessarily maliciously, accessed at least 300,000 times." --- Robert Ayers[1]

One in five respondents to a Information Week/Ernst & Young Security Servey admitted that intruders had broken into, or tried to brake into, their corporate networks during the last twelve months.[1]

General Definition ...

A firewall is a system or group of systems that enforces an access control policy between two networks.

More Specifically ...

A firewall is a system that is placed between two networks and possesses the following properties[1]:

1. All traffic from inside to outside, and vice-versa, must pass through it.
2. Only authorized traffic, as defined by the local security policy, is allowed to pass through it.
3. The system is immune to penetration.

In other words ...

A firewall is a mechanism to protect a trusted network from an untrusted network. Typically, the trusted network is the organization's internal network and the untrusted network is the Internet.

The Basic Types of Firewalls

The Network Level Firewall

• makes decisions based on the source addresses, destination addresses, and ports in individual IP packets
• simple routers that will either guide an IP packet to a specific node on the network or not let the packet through

The Application Level Firewall

• proxy server running on a host, which permit no traffic directly between networks, and which can perform elaborate logging and auditing of traffic passing through them
• the proxy servers are application specific (if a new protocol is required by a application, a proxy must be developed for it)

Generally, firewalls are configured to protect against unauthorized interactive logins from the "outside" world.

Some firewalls completely block traffic from the outside to the inside, but allow the inside to communicate freely with the outside.

Others block some of the traffic from the outside to the inside, and block some traffic from the inside to the outside.

A firewall cannot protect against threats that do not go through the firewall.

Examples:

• exporting corporate information through a FAX machine, telephone, paper, or floppy disk
• sharing company passwords that allow access to the corporate network
• bypassing the firewall through a private Internet provider

In other words, for a firewall to work, it must be part of a consistent overall organizational security architecture.

Firewalls do not just protect your network from the Internet ...

The problem of internal hacking (unauthorized access by authorized users) consistently outweighs the problem of external hacking.[1]

Two situations concerning internal network access:

1. Your company has separate but connected networks for different departments. Is it necessary for all users to have access to all of the networks or should a firewall restrict access?
2. Your company has established a strategic partnership with another company and the other company needs to access some of your internal information. A firewall should control, and possibly record, your partners accesses.

A firewall is both the policy, and the implementation of that policy, in terms of network configuration.

There are two levels of network policy that influence the design, installation, and used of a firewall:

Network Service Access Policy

A higher-level, issue-specific policy which defines those services that will be allowed or explicitly denied from the restricted network, plus the way in which these services will be used, and the conditions or exceptions to this policy.[1]

Firewall Design Policy

A lower-level policy which describes how the firewall will actually go about restricting the access and filtering the services as defined in the network service access policy.[1]

To arrive at a network policy a company should ask itself the following questions[1]:

1. Which Internet services does the organization plan to use?
2. Where will the services be used (locally, dial-in, by remote organizations)?
3. What additional needs, such as encryption or dial-in support, may be supported?
4. What risks are associated with providing these services and accesses?
5. What is the cost, in terms of controls and impact on network usability, of providing protection?

Other Concerns ...

A companies overall security policy should also consider:

• outside network access, such as SLIP/PPP connections
• WWW access through e-mail programs
• document shredders
• virus scanners
• floppy disk tracking

A company should develop an overall security strategy, of which a firewall is a part.

[1] NCSA Firewall Policy Guide Version 1.01
[2] Internet Firewall FAQ by Marcus J. Ranum