Firewall Security
Nations without controlled borders cannot ensure the security and safety of their citizens, nor can they prevent piracy and theft. Networks without controlled access cannot ensure the security or privacy of stored data, nor can they keep network resources from being exploited by hackers.
The communication efficiency provided by the Internet has caused a rush to attach private networks directly to it. Direct Internet connections make it easy for hackers to exploit private network resources.
Prior to the Internet, the only widely available way for a hacker to connect from home to a private network was by direct dialing with modems and the public telephony network. Remote access security was a relatively small issue.
When you connect your private network to the Internet, you are actually connecting your network directly to every other network that's attached to the Internet directly. There's no inherent central point of security control—in fact, there's no inherent security at all.
Firewalls are used to create security checkpoints at the boundaries of private networks. At these checkpoints, firewalls inspect all packets passing between the private network and the Internet and determine whether to pass or drop the packets depending on how they match the policy rules programmed into the firewall.
If your firewall is properly configured, is capable of inspecting every protocol you allow to pass, and contains no serious exploitable bugs, your network will be as free from risk as possible. There are literally hundreds of firewall products available, and there are different theories from different security experts on how firewalls should be used to secure your network.
Firewall Elements
Firewalls keep your Internet connection as secure as possible by inspecting and then approving or rejecting each connection attempt made between your internal network and external networks like the Internet. Strong firewalls protect your network at all software layers—from the Data Link layer up through the Application layer.
Firewalls sit on the borders of your network, connected directly to the circuits that provide access to other networks. For that reason, firewalls are frequently referred to as border security.
The concept of border security is important—without it, every host on your network would have to perform the functions of a firewall themselves, needlessly consuming computer resources and increasing the amount of time required to connect, authenticate, and encrypt data in local area, high-speed networks.
Firewalls allow you to centralize all external security services in machines that are optimized for and dedicated to the task. Inspecting traffic at the border gateways also has the benefit of preventing hacking traffic from consuming the bandwidth on your internal network.
By their nature, firewalls create bottlenecks between the internal and external networks, because all traffic transiting between the internal network and the external must pass through a single point of control. This is a small price to pay for security.
Since external leased-line connections are relatively slow compared to the speed of modern computers, the latency added by a firewall can be completely transparent. For most users, relatively inexpensive firewall devices are more than sufficient to keep up with a standard T1 connection to the Internet.
For businesses and ISPs whose Internet traffic is far higher, a new breed of extremely high-speed (and high-cost) firewalls has been developed, which can keep up with even the most demanding private networks. Some countries actually censor the Internet using high-speed firewalls.
Firewalls function primarily by using three fundamental methods:
- Packet Filtering Rejects TCP/IP packets from unauthorized hosts and rejects connection attempts to unauthorized services.
- Network Address Translation (NAT) Translates the IP addresses of internal hosts to hide them from outside monitoring. You may hear of NAT referred to as IP masquerading.
- Proxy Services Makes high−level application connections on behalf of internal hosts in order to completely break the network layer connection between internal and external hosts.
You can use devices or servers that perform only one of the above functions; for instance, you could have a router that performs packet filtering, and then a proxy server in a separate machine.
That way, the packet filter must either pass traffic through to the proxy server, or the proxy server must sit outside your network without the protection of packet filtering. Both are more dangerous than using a single firewall product that performs all the security functions in one place.
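The following is an added example, not code from the text, that puts the first two methods above together in a small Python model of a border gateway: first-match packet-filter rules with a default of drop, outbound source translation (NAT) backed by a state table, and inbound packets admitted only when they are replies to a translated flow and come from the same remote peer. Proxy services are not modeled. The addresses, ports and rule set are constructed for illustration.

```python
"""Added example: a minimal packet filter plus outbound NAT on one gateway.
Packets are plain dataclasses built here for illustration, not real traffic."""
from dataclasses import dataclass, replace
from typing import Optional

PUBLIC_IP = "203.0.113.10"   # assumed external address of the firewall (documentation range)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "drop"
    proto: Optional[str] = None      # None matches any protocol
    dport: Optional[int] = None      # None matches any destination port
    src_prefix: Optional[str] = None # None matches any source address

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.src_prefix is None or pkt.src.startswith(self.src_prefix)))


def evaluate(rules, pkt: Packet) -> str:
    """First matching rule decides; a packet that matches nothing is dropped."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "drop"


# Constructed policy: no cleartext telnet out, only our own prefix may leave at all.
OUTBOUND_POLICY = [
    Rule("drop", proto="tcp", dport=23),
    Rule("pass", src_prefix="10.1.2."),
]
# Nothing unsolicited is allowed in: an empty list matches nothing, so everything drops.
INBOUND_POLICY = []


class BorderFirewall:
    def __init__(self, out_rules, in_rules):
        self.out_rules = out_rules
        self.in_rules = in_rules
        # NAT state: (proto, public port) -> (internal src, internal sport, remote dst, remote dport)
        self.nat = {}
        self.next_port = 40000

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Filter, then hide the internal source behind PUBLIC_IP and a mapped port."""
        if evaluate(self.out_rules, pkt) != "pass":
            return None
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        for (proto, pub_port), known in self.nat.items():
            if proto == pkt.proto and known == flow:
                break                       # existing flow keeps its mapped port
        else:
            pub_port = self.next_port
            self.next_port += 1
            self.nat[(pkt.proto, pub_port)] = flow
        return replace(pkt, src=PUBLIC_IP, sport=pub_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Replies to a translated flow are reversed; anything else faces the inbound policy."""
        entry = self.nat.get((pkt.proto, pkt.dport))
        if entry is not None and pkt.dst == PUBLIC_IP:
            int_src, int_sport, remote, remote_port = entry
            if (pkt.src, pkt.sport) == (remote, remote_port):
                return replace(pkt, dst=int_src, dport=int_sport)
            return None     # right port, wrong peer: looks like a spoofed reply, drop it
        return pkt if evaluate(self.in_rules, pkt) == "pass" else None
```

Because the inbound path consults the NAT table before the static rules, a mapped port is usable only by the host the internal client actually contacted; a scanner that guesses the port from outside gets nothing back. A real firewall also expires these entries and tracks TCP state, which this model omits.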
Most firewalls also perform two other important security services:
- Encrypted Authentication - Encrypted authentication allows external users on the Internet to prove to a firewall that they are authorized users and thereby authorized to open a connection through the firewall to the internal network.
The encrypted authentication might use any number of secure authentication protocols. Once the connection is established, it may or may not be encrypted, depending upon the firewall product in use and whether additional software has been installed on the client to support tunneling.
Using encrypted authentication is convenient because it occurs at the transport level between a client software package and the firewall.
Once the connection is open, all normal application software and operating system logon software will run without hindrance—so you don't have to use special software packages that support your specific firewall. Unfortunately, encrypted authentication reduces the security of your firewall.
By its nature, it causes the following problems:
- The firewall must respond on some port because it listens for connection attempts. This can show hackers that the firewall exists.
- The connection could be redirected using ICMP after establishment, especially if it's not encrypted.
- A hacker who monitored the establishment might be able to spoof the address of the authorized client to gain access inside the network without redirecting any existing connections.
- A stolen laptop computer with the appropriate keys could be used to gain access to the network.
- Work-at-home employees could become a target for breaking and entering because their computers are able to access the private network.
- The authentication procedure could be buggy or less than completely secure, thus allowing anyone on the Internet to open holes through the firewall.
Each of these risks is unlikely to actually occur. Administrators of medium- to low-risk environments should not feel uncomfortable using encrypted authentication as long as the connection is encrypted for the duration.
- Virtual Private Networks - Virtual Private Networks (VPNs), also called encrypted tunnels, allow you to securely connect two physically separated networks over the Internet without exposing your data to viewing by unauthorized intermediate parties.
VPNs by themselves could be subject to redirection attempts, spoofed connection initiation, and all manner of hacking indignity while the tunnel is being established.
But when implemented as an integral part of a firewall, the firewall authentication and security services can be used to prevent exploitation while the tunnel is being established.
Once established, a VPN tunnel resists eavesdropping and tampering so long as the encryption, its keys, and the authentication of its endpoints remain secure. And, since firewalls sit at the Internet borders, they exist at the perfect terminal points for each end of the tunnel.
Essentially, your private networks can pass traffic as if they were two subnets in the same domain. VPNs also allow users to address remote internal hosts directly by their hidden IP addresses; Network Address Translators and packet filters would prevent this if the connection attempt came directly from the Internet.
Use leased lines rather than VPNs whenever it is cost effective. Use VPNs for all communications over the Internet between organizational units when leased lines are not available or are cost prohibitive.
If you are using VPNs as your primary connection method between organizational units, you'll have far better performance if you use the same ISP at every site, because the VPN traffic won't have to be routed through the congested commercial Internet exchanges.
Never communicate private information between organizational units over the Internet without using some form of encryption. Unencrypted packet headers contain valuable nuggets of information about the structure of your internal network.
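As an added example (not the book's code), the following Python sketch shows the encapsulation a firewall-terminated tunnel performs and what each party on the path can see: the outer header carries only the two gateway addresses, while the inner packet with its private addresses travels encrypted and integrity-protected. The cipher is a stand-in built from SHA-256 and HMAC in an encrypt-then-MAC arrangement so that the example runs on the standard library; a real tunnel uses a vetted AEAD and negotiated keys. The gateway addresses, tunnel port and pre-shared key are assumptions made for the example.

```python
"""Added example: what a firewall-to-firewall tunnel exposes on the wire and
how the receiving gateway checks a packet before unwrapping it. The cipher is
a toy built from hashlib/hmac for a self-contained demo; do not reuse it."""
import hashlib
import hmac
import json
import os
import struct

GATEWAY_A = "203.0.113.10"    # assumed public address of site A's firewall
GATEWAY_B = "198.51.100.20"   # assumed public address of site B's firewall
TUNNEL_PORT = 4500            # UDP port the two gateways use for the tunnel

PSK = b"example-pre-shared-key-not-for-real-use"    # constructed; real tunnels negotiate keys
ENC_KEY = hashlib.sha256(b"enc|" + PSK).digest()     # separate keys for encryption and MAC
MAC_KEY = hashlib.sha256(b"mac|" + PSK).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256: toy stand-in for a real stream cipher."""
    blocks = [hashlib.sha256(key + nonce + struct.pack(">Q", i)).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(12)
    stream = _keystream(ENC_KEY, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(MAC_KEY, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(blob: bytes) -> bytes:
    """Verify the tag first; a forged or corrupted packet is rejected before decryption."""
    nonce, ciphertext, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(MAC_KEY, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tunnel packet failed integrity check")
    stream = _keystream(ENC_KEY, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def encapsulate(inner: dict) -> dict:
    """Gateway A wraps an internal packet in an outer UDP packet addressed to gateway B."""
    body = json.dumps(inner, sort_keys=True).encode()
    return {"src": GATEWAY_A, "dst": GATEWAY_B, "proto": "udp",
            "dport": TUNNEL_PORT, "payload": seal(body)}


def wire_view(outer: dict) -> str:
    """Everything an intermediate ISP or eavesdropper can read off the packet."""
    return (f"{outer['src']} -> {outer['dst']} {outer['proto']}/{outer['dport']} "
            f"{len(outer['payload'])} bytes")


def decapsulate(outer: dict, peer: str = GATEWAY_A) -> dict:
    """Gateway B's firewall: accept tunnel packets only from the known peer, then unwrap."""
    if outer["src"] != peer or outer["dport"] != TUNNEL_PORT:
        raise ValueError("not from the tunnel peer")
    return json.loads(unseal(outer["payload"]))
```

The packet filter on each gateway only needs to pass UDP 4500 between the two fixed gateway addresses; every internal address stays inside the encrypted payload, which is why the inner hosts can talk to each other by their private addresses without any NAT mapping or inbound rule for them.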
Some firewalls also provide additional subscription-based services that are not strictly related to security, but which many users will find useful:
- Virus Scanning - Searches inbound data streams for the signatures of viruses. Keeping up with current virus signatures requires a subscription to the virus update service provided by the firewall vendor.
- Content Filtering - Allows you to block internal users from accessing certain types of content by category, such as pornography, hate-group propaganda, pornography, hacking information, and pornography. Keeping up with the current list of blocked sites for a specific category also requires a subscription.
Nearly all firewalls use these basic methods to provide a security service. There are literally hundreds of firewall products on the market now, all vying for your security dollar. Most are very strong products that vary only in superficial details.