Different Types of Firewalls
Companies such as Cisco and other major vendors have introduced a multitude of firewall products that are capable of monitoring traffic using different techniques. Some of today's firewalls can inspect data packets up to Layer 4 (TCP layer). Others can inspect all layers (including the higher layers) and are referred to as deep packet firewalls. This section defines and explains these firewalls. The three types of inspection methodologies are as follows:
Packet filters (basic access-list filters on routers) are now easy to break, which led to the introduction of proxy servers that confine attacks to a single device. A proxy server is a server that sits between a client application, such as a web browser, and a real server. It intercepts all requests to the real server to see whether it can fulfill them itself; if not, it forwards the request to the real server. A proxy requests a connection to the Internet on behalf of internal or hidden resources. Proxy servers are application based, slow, and difficult to manage in large IP networks. The next generation of packet filters is the stateless firewall. Basically, a stateless firewall permits only packets whose source address and port belong to trusted networks.
A stateless firewall was introduced to add more flexibility and scalability to network configuration. A stateless firewall inspects network information based on source and destination address. Figure 9-2 illustrates the inspection depth of a packet filter or stateless firewall. Packets are inspected up to Layer 3 of the OSI model, which is the network layer. Therefore, stateless firewalls are able to inspect source and destination IP addresses and protocol source and destination ports.
Figure 9-2. Stateless Firewall
A stateful firewall limits network information from a source to a destination based on the destination IP address, source IP address, source TCP/UDP port, and destination TCP/UDP port. Stateful firewalls can also inspect data content and check for protocol anomalies. For example, a stateful firewall is much better equipped than a proxy filter or packet filter to detect and stop a denial-of-service attack. A proxy filter or packet filter is ill-equipped and incapable of detecting such an attack: because the source and destination addresses are valid, the data is permitted through whether it is legitimate or an attempted hack into the network. Figure 9-3 illustrates the inspection depth of a stateful firewall. Packets are inspected up to Layer 4 of the OSI model, which is the transport layer. Therefore, stateful firewalls are able to inspect protocol anomalies.
Figure 9-3. Stateful Firewall
With deep packet layer inspection, the firewall inspects network information from a source to a destination based on the destination IP address, source IP address, source TCP/UDP port, and destination TCP/UDP port. It also inspects protocol conformance, checks for application-based attacks, and ensures integrity of the data flow between any TCP/IP devices. The Cisco Intrusion Detection System (IDS), which is discussed in Chapter 10, "Intrusion Detection System Concepts," and NetScreen firewall products support deep packet layer inspection. The Cisco PIX Firewall supports stateless and stateful operation, depending on your product. Please refer to the Cisco website for the specific support for your product. Figure 9-4 displays how a device inspects packets with deep packet layer inspection.
Figure 9-4. Deep Packet Layer Firewall
At the time of this writing, the Cisco PIX Firewall did not support deep packet layer inspection. The NetScreen firewall products are capable of deep packet layer inspection and support this method only in hardware-based ASIC chips.
Figure 9-4 displays how a deep packet layer device inspects packets to
Typically, these functions are performed in hardware (ASIC based) and are extremely fast. Any data that matches defined criteria, such as a DoS signature, is dropped immediately and can be logged to an internal buffer, e-mailed to the security engineers, or reported as traps to an external Network Management Server (NMS).
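To make the three inspection depths concrete, the following added example (not from the book) applies a stateless rule, a stateful connection table, and a deep (payload conformance) check to the same constructed packets; the inside prefix 10.1.1., the outside web server 203.0.113.10, and the HTTP method list are assumptions for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False      # TCP SYN flag: set on the first packet of a connection
    payload: bytes = b""   # application data, if any

TRUSTED_NET = "10.1.1."       # constructed inside network prefix
WEB_SERVER = "203.0.113.10"   # constructed outside web server (documentation range)
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ")

def stateless_permit(pkt):
    # Layer 3/4 header fields only, no memory of earlier packets: inside hosts
    # may reach the web server on port 80, and anything from port 80 may return.
    if pkt.src.startswith(TRUSTED_NET) and pkt.dst == WEB_SERVER and pkt.dport == 80:
        return True
    return pkt.src == WEB_SERVER and pkt.sport == 80 and pkt.dst.startswith(TRUSTED_NET)

class StatefulFilter:
    # Same header rule, but inbound traffic must belong to a connection that an
    # inside host opened first (tracked in a state table keyed on the 4-tuple).
    def __init__(self):
        self.connections = set()   # (inside host, inside port, outside host, outside port)

    def permit(self, pkt):
        if pkt.src.startswith(TRUSTED_NET):                  # outbound direction
            if not (pkt.dst == WEB_SERVER and pkt.dport == 80):
                return False
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn:                                      # only a SYN opens a new entry
                self.connections.add(key)
                return True
            return key in self.connections
        # Inbound: permitted only as the return half of a tracked connection.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections

def deep_permit(state, pkt):
    # Deep inspection: the stateful checks above, plus protocol conformance on
    # the payload. Here a request to port 80 must begin with an HTTP method.
    if not state.permit(pkt):
        return False
    if pkt.dport == 80 and pkt.payload and not pkt.payload.startswith(HTTP_METHODS):
        return False
    return True

def compare(pkt, state):
    # Verdict of each inspection depth for one packet (the state table is shared).
    return {"stateless": stateless_permit(pkt),
            "stateful": state.permit(pkt),
            "deep": deep_permit(state, pkt)}
```

An unsolicited packet from port 80 passes the stateless rule but fails the stateful one, and a non-HTTP payload sent to port 80 passes both header-level checks but fails deep inspection.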
Hardware Firewalls: PIX and NetScreen
The PIX is a dedicated hardware-based networking device designed to ensure that only traffic matching a set of criteria is permitted to access resources on networks that have been assigned a security rating. Cisco Systems acquired the PIX Firewall in the 1990s. Its command-line interface (CLI) is vastly different from Cisco IOS, although recent software releases have brought the CLI closer to the traditional Cisco IOS syntax that most readers are familiar with.
The Cisco PIX and Cisco IOS feature sets are designed to further enhance a network's security level. The PIX Firewall prevents unauthorized connections between two or more networks. The latest released versions of Cisco code for the PIX Firewall also perform many advanced security functions such as authentication, authorization, and accounting (AAA) services, access lists, VPN configuration (IPSec), FTP logging, and Cisco IOS-like interface commands. All these features are discussed in the remaining chapters of this book. In addition, the PIX Firewall can support multiple outside or perimeter networks in the demilitarized zones (DMZs).
When reading Cisco documentation about PIX Firewalls, realize that inside networks and outside networks both refer to networks to which the PIX is connected. For instance, inside networks are protected by the PIX, but outside networks are considered the "bad guys." Consider them as trusted and untrusted, respectively.
It is mnemonically convenient to make E0 the "0"utside interface and E1 the "1"nside. On a PIX with additional interfaces, the interfaces are usually separate service subnets or additional inside networks. Other vendors follow the same methodology, although they rename their interfaces to names that are configurable, such as the "Internet" interface.
Typically, the Internet connection is given the lowest level of security, and a PIX ensures that only traffic from internal networks is trusted to send data. By default, no data is permitted at all. Therefore, the biggest problem with a PIX Firewall is misconfiguration, which is what most crackers exploit to compromise network functionality. Figure 9-5 illustrates the different PIX interfaces and connections.
Figure 9-5. PIX Interfaces
A PIX Firewall permits a connection-based security policy. For instance, you might allow Telnet sessions to be initiated from within your network but not allow them to be initiated into the network from outside the network.
The PIX Firewall's popularity stems from the fact that it is solely dedicated to security. A router is still required to connect to wide area networks (WANs), such as the Internet, and to perform additional routing tasks and processes (recent versions of PIX OS do support some routing protocols). Some companies also use the PIX Firewalls for internal use to protect sensitive networks such as those of payroll or human resources departments.
Configuration of static and dynamic translation slots is discussed later in the chapter.
All IP packets arriving on any of the interfaces are checked against the Adaptive Security Algorithm (ASA) and against the connection state information held in memory.
The ASA follows a certain set of rules, including the following:
It is clear that devices using the ASA offer a more secure environment than devices implementing only the stateless and packet filtering technology. This explains the popularity of the PIX in the industry.
Data Flow for the PIX
The ASA uses the configured security levels at each interface to either permit or deny data flow from one interface to the other. The security levels are numeric values ranging from 0 to 100. Figure 9-6 shows the different security levels.
Figure 9-6. Security Levels
In Figure 9-6, the outside interface has security level 0 and is the least secure. The inside interface has security level 100 and is the most secure. The DMZ interface can be configured with varying security levels. This becomes complex for devices with multiple interfaces. By default, traffic can flow from high-security-level interfaces to low-security-level interfaces. All other traffic flows that are required must be configured. A distinction needs to be made between inbound and outbound traffic.
Imagine that an outbound packet (going from the inside network to the outside world) arrives at the PIX Firewall's inside interface. (PIX Firewalls name interfaces by default as inside and outside; another common interface name is DMZ.) The ASA verifies whether the traffic is permitted. The PIX Firewall checks to see if previous packets have come from the inside host. If not, the PIX Firewall creates a translation slot (also called an xlate) in its state table for the new connection. The translation slot includes the inside IP address and a globally unique IP address assigned by network address translation (NAT). A PIX can perform NAT and often does. However, it is also possible to perform NAT on a different device, such as a packet filtering router placed between the PIX and the inside network (Belt and Braces Firewall architecture). It is also possible to use a registered address inside and not translate at all. NAT is covered in more detail later in this chapter in the section entitled "Enhancements for Firewalls."
The PIX Firewall then changes the packet's source IP address to the globally unique address (unless your network is set up to use a fully public routable address space). The firewall then modifies the checksum and other fields as required and forwards the packet to the appropriate outside interface.
When an inbound packet arrives at the outside interface, it must first pass the PIX Firewall's Adaptive Security criteria before any translation occurs. If the packet passes the security tests, the PIX Firewall replaces the destination IP address (the global address) with the corresponding internal IP address and forwards the packet to the inside interface. If the ASA finds no matching criteria, the packet is dropped and the threat is removed.
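The outbound and inbound flow just described can be followed in this added model (illustrative code, not PIX software): security levels decide which direction flows by default, an xlate maps an inside address to a global address on the way out, and an inbound packet is translated back only after it matches an existing connection or an explicit access-list entry. Interface names, security levels, and all addresses are constructed for the example.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

class PixModel:
    def __init__(self, levels, global_pool):
        self.levels = levels                  # interface name -> security level (0..100)
        self.global_pool = list(global_pool)  # constructed pool of NAT global addresses
        self.xlates = {}                      # inside address -> global address (xlate)
        self.connections = set()              # (inside, sport, outside, dport) seen outbound
        self.access_list = set()              # (global address, dport) opened to the outside

    def add_static(self, inside, global_addr, dport):
        # A fixed translation plus an access-list entry (a conduit in older PIX
        # software) so outsiders can reach one published service.
        self.xlates[inside] = global_addr
        self.access_list.add((global_addr, dport))

    def outbound(self, pkt, in_if, out_if):
        # Higher to lower security level flows by default; anything else needs
        # explicit configuration, so this path refuses it.
        if self.levels[in_if] <= self.levels[out_if]:
            return None
        if pkt.src not in self.xlates:        # first packet from this host:
            if not self.global_pool:          # create a translation slot
                return None                   # (no global address left: dropped)
            self.xlates[pkt.src] = self.global_pool.pop(0)
        self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return replace(pkt, src=self.xlates[pkt.src])   # rewrite the source address

    def inbound(self, pkt, in_if, out_if):
        # Lower to higher: the packet must pass the ASA criteria before any
        # translation; only then is the global destination swapped for the inside one.
        if self.levels[in_if] >= self.levels[out_if]:
            return None
        inside = next((i for i, g in self.xlates.items() if g == pkt.dst), None)
        if inside is None:
            return None                       # no xlate for this destination
        returning = (inside, pkt.dport, pkt.src, pkt.sport) in self.connections
        if not returning and (pkt.dst, pkt.dport) not in self.access_list:
            return None                       # no matching criteria: dropped
        return replace(pkt, dst=inside)

if __name__ == "__main__":
    pix = PixModel({"inside": 100, "dmz": 50, "outside": 0}, ["198.51.100.1"])
    out = pix.outbound(Packet("10.1.1.5", "203.0.113.10", 40000, 80), "inside", "outside")
    print("outbound source translated to", out.src)
    reply = Packet("203.0.113.10", "198.51.100.1", 80, 40000)
    print("reply delivered to", pix.inbound(reply, "outside", "inside").dst)
```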
A PIX Firewall can be configured as a cut-through proxy, whereby the firewall first queries an authentication server (TACACS+ or RADIUS server). This is a solid feature that allows implementations of security policies on a per-user-ID basis. Once the connection is approved by the AAA server, the PIX Firewall establishes a data flow to maintain the session state. All traffic sent after the authentication phase flows directly between the two hosts with no interaction with the AAA server.
Figure 9-7 displays a typical network with PIX located between an internal and external network.
Figure 9-7. PIX Placement
Figure 9-7 shows a typical network design in which the internal network is protected from devices on the Internet, and only connections made from internal hosts are permitted to the outside (or to the Internet). You can, however, permit outside hosts to connect to resources internally by using access lists (in the older software versions of PIX, these were called conduits). A conduit or PIX access list is basically a rule that breaks the default behavior of the PIX (or the ASA) by permitting connections to internal devices located in the inside interface or the perimeter zone. Why would you permit outside untrusted devices access to sensitive hosts? The answer is that basically most companies, including Cisco, permit the following:
As long as a sound security policy is in place, the network administrator retains control over the exposure of hosts and servers that are given specific access from the outside world. Unfortunately, no one is immune to hackers trying to break into the network or to bring down your websites.
Outside access is usually restricted to DMZ devices in Separate Services Subnet (SSN) configurations (where the SSN is coming off a third port on the PIX). Access from outside to inside is rare and then only when authenticated.
More information on these and other features can be found at http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/index.html.
The NetScreen firewalls are deep inspection firewalls providing application-layer protection, whereas the PIX can be configured as a stateful or stateless firewall providing network- and transport-layer protection. Both NetScreen and PIX Firewalls are certified by ICSA Labs and have Common Criteria EAL 4 ratings.
NetScreen was founded on the vision of providing integrated security technologies that offer wire-speed performance and are easy to deploy throughout an enterprise network. Juniper Networks acquired NetScreen in April 2004. Unlike Cisco, which is a networking company that provides hardware and software for nearly any network requirement, NetScreen provides network security products only.
NetScreen firewalls are bundled with Ethernet only. There is no support for Token Ring or high-speed ISDN, for example; you need a routing device to provide these types of connections. There is, however, a gigabit-enabled firewall solution allowing, for example, a 1 Gb connection to a local-area network (LAN) infrastructure to enable fast processing per port. This operates much as a switch does for users on a large TCP/IP network.
The NetScreen firewall is a deep packet layer, stateful inspection device. It bases all its verification and decision making on a number of different parameters, including source address, destination address, source port, and destination port. The data is also checked for protocol conformance.
NetScreen's Deep Inspection firewall is designed to provide application-layer protection for the most prevalent Internet-facing protocols such as HTTP, DNS, and FTP. The Deep Inspection firewall interprets application data streams in the form that a remote device would act upon. Deep Inspection firewalls defragment and reassemble packets and ensure that all data is reorganized into the original state.
Once the Deep Inspection firewall has reconstructed the network traffic, it employs protocol conformance verification and service-field attack pattern matching to protect against attacks within that traffic. These features are all controlled and acted upon by hardware-based ASIC chips to increase performance.
It is important to understand the data flow for NetScreen firewalls. By default, all NetScreen firewalls except the low-end models deny all traffic arriving on any given interface. NetScreen's terminology for inside and external interfaces is user configurable; for example, the interfaces might be called the trusted and untrusted interfaces, or the red zone and the blue zone. A zone is merely a collection of physical or logical interfaces. Once the interfaces are placed in user-defined zones (UDZs), policies dictate what traffic is permitted or denied between the defined zones, much as Cisco access lists do. As soon as a policy match is made, the packet is sent to the appropriate queue. If no match is made, the packet is thrown into the bit bucket.
NetScreen devices maintain a session table that records, among other things, the source, the destination, the source port, the destination port, and the number of active sessions. Figure 9-8 displays a typical session table entry on the NetScreen firewall with a detailed explanation of each field.
Figure 9-8. NetScreen Firewall Session Information
Additionally, a NetScreen firewall can operate in Layer 2 or Layer 3 mode. Layer 2 mode allows a NetScreen firewall to be placed at the edge of the network with no IP address space required, except one address for management. This is a significant advantage in large IP networks, where inserting a firewall at a strategic point would otherwise require readdressing. Figure 9-9 illustrates this firewall placement.
Figure 9-9. NetScreen Firewall Placement
More information on these and other features of the NetScreen firewall can be found at the following URL: http://www.netscreen.com/products/at_a_glance/ds_500.jsp.
Check Point Software Firewalls
Although most hardware firewalls provide effective access control, many are not designed to detect and thwart attacks specifically targeted at the application level. Software firewalls are the most effective way to tackle these types of attacks.
Check Point is a major vendor in the software firewall marketplace today. Software firewalls allow networks and, more specifically, network applications to be protected from untrusted sources such as the Internet. The fact that millions, if not billions, of devices such as PCs, PDAs, and IP phones have instant access to the entire Internet means that commercial enterprises and networks based on country controls are vulnerable to attacks. The relative openness of the web has made it possible for anyone to potentially access a private network. Securing the network perimeter is the core foundation of the Check Point solution.
The Check Point Enterprise suite is an integrated product line that ties together network security, quality of service, and network management for large IP networks.
A software-based firewall is only as secure as the operating system it relies on. If an intruder can break into the server hosting the firewall, that intruder can compromise the firewall rule sets or bypass the firewall completely. Appliance-based firewalls, such as NetScreen or PIX, do not have that vulnerability.
In short, Check Point can provide the following services:
As discussed previously, a Check Point firewall is a software solution and is hardware independent. The firewall software can be installed on a variety of different platforms, including the following:
For more details on this software-based product, please visit http://www.checkpoint.com/products/.
A number of software-based firewalls are designed for desktops with operating systems such as Windows XP. Common client-based firewalls include ZoneAlarm and Sygate. These are often referred to as personal firewalls.
Windows XP has a very basic firewall built into the client adapters that restricts ICMP traffic. ZoneAlarm and Sygate personal firewalls allow the PC user to permit or deny IP-based traffic to and from the client device, such as a PC. For example, an HTTP session initiated to the Internet triggers the personal firewall to prompt the user on whether to forever allow, deny, or block the request. Of course, this still requires an intelligent user, and hence it is not as popular as the hardware-based solutions this chapter has introduced. For demonstration copies of this software, visit www.sygate.com or www.zonelabs.com. These applications basically allow users to be prompted or notified by alarm when remote devices initiate connections that are supposed to be blocked.