FIREWALL

Any system or device that allows safe network traffic to pass while restricting or denying unsafe traffic.

Overview

Firewalls are usually dedicated machines running at the gateway point between your local network and the outside world and are used to control who has access to your private corporate network from the outside, for example, over the Internet. More generally, a firewall is any system that controls communication between two networks. In today's networking environment, in which corporate networks are connected to the Internet, inviting hackers to attempt unauthorized access to valuable business information, a corporate firewall is essential. A firewall is an essential component of a company's security policy and is one of the primary means for enforcing that policy. A firewall acts as a kind of police officer to monitor, control, arrest, and incarcerate malicious traffic, logging all questionable traffic to allow the administrator to determine the cause or source of the attack.

Types

A corporate firewall can be either a dedicated machine, such as a packet-filtering router or a rack-mountable firewall appliance, or firewall software that the administrator must install on a dual-homed hardened system. Both approaches are popular, and each has its advantages and disadvantages.

A personal firewall is a firewall used to protect a single machine, typically a home user connected to the Internet using dial-up, Asymmetric Digital Subscriber Line (ADSL), or cable modem connections. The personal firewall marketplace has exploded in the last few years as broadband Internet access services have become widely deployed. Personal firewalls are usually implemented as software to be installed on users' machines, but the first personal firewall offered in appliance form was Firebox from WatchGuard Technologies in 1997. Personal firewalls also come preinstalled on some ADSL and cable modem routers to protect home users and Small Office/Home Office (SOHO) networks.
An offshoot of personal firewalls is the agent-based firewall. Agent-based firewalls are installed on every machine on a network, but their configuration is managed remotely using policies configured on a central policy server. At the enterprise level, this scenario is called a distributed firewall, and it is becoming a popular approach to securing servers on a network. The advantage here is that servers can be protected not just from hackers on the Internet but also from malicious users inside the corporate network. The agent also serves as an extra level of protection if the regular network firewall has been compromised. Another name for this approach is host-resident firewall, since it involves moving firewall security from the network's perimeter to the hosts themselves, a process that scales much better as perimeter traffic increases.

A new type of firewall is a combination of virtual private networking (VPN) and firewall software. This combination can be used for different purposes, from enabling mobile users to connect securely to a corporate intranet over the Internet (using VPN and firewall software installed on their laptops) to enabling e-commerce sites to provide their users with secure access to their services (using rack-mounted VPN/firewall appliances). In general, the firewall software is placed in front of (nearer the Internet than) the VPN software to simplify configuration. The main problem with this combination is that the VPN slows down access through the firewall, so a method of implementing this combination that is growing more popular is using dedicated high-performance VPN/firewall appliances.

Finally, a different approach to implementing firewalls is outsourcing your firewall services to a Managed Firewall Service Provider (MFSP). This is becoming a popular alternative for small to mid-sized companies that cannot afford to hire trained security experts to configure, monitor, and maintain a firewall.
Some analysts expect this segment of the market to grow to $1.5 billion by the end of 2002.

Architecture

In its simplest form, a firewall is a router (or dual-homed computer with two network interface cards) that filters incoming network packets. This configuration is usually called a packet-filtering router. By comparing the source addresses of these packets with an access list specifying the firewall's security policy, the router determines whether to forward the packets to their intended destinations or stop them. The firewall can simply examine the Internet Protocol (IP) address or domain name from which the packet was sent and determine whether to allow or deny the traffic. To specify a list of IP addresses that the router will permit or deny, an access control list (ACL) or access list (AL) is configured on the router. The router can filter both inbound and outbound packets.

A related form of firewall is the network-level firewall, so called because it operates at the network layer of the Open Systems Interconnection (OSI) reference model for networking. Network-level firewalls are transparent to users and use routing technology to determine which packets are allowed to pass and which will be denied access to the private network. Network-level routers can be configured to block certain types of IP traffic while permitting others to pass. Usually this is done by disabling or enabling different Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports on the firewall system. For example, TCP port 25 is usually left open to permit Simple Mail Transfer Protocol (SMTP) mail to travel between the private corporate network and the Internet, while other ports (such as port 23 for Telnet) might be disabled to prevent Internet users from accessing other services on corporate network servers.

The difficulty with this approach is that the size of the access list for the firewall can become huge if a large number of domains or ports are blocked and a large number of exceptions are configured, and a large access list can slow down the router. Another difficulty is that some ports are dynamically assigned at random to certain services (such as remote procedure call services) on startup, so it is more difficult to configure firewalls to control access to these ports using static access lists. Network-level firewalls are sometimes known as screening routers since they screen different types of traffic, and they are usually combined with packet filtering using access lists for better security. Routers that employ stateful filtering maintain an internal table of allowed TCP connections and only allow incoming connections to be established if they conform to this table. Stateful filtering is an alternative to access lists and is often used to control outbound traffic and reduce the size of access lists.

Another type of firewall is the circuit-level gateway, which is usually implemented as part of a proxy server. Circuit-level gateways operate at a higher level of the OSI protocol stack than network-level firewalls do. With a circuit-level gateway, connections with the private network are hidden from the remote user. The remote user connects with the firewall, and the firewall forms a separate connection with the network resource being accessed, changing the IP address of the packets transmitted in either direction through the firewall using a process called Network Address Translation (NAT). The result is a sort of virtual circuit between the remote user and the network resource. This is a safer configuration than a packet-filtering router because the external user never sees the IP address of the internal network in the packets he or she receives, only the IP address of the firewall.
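The packet-filtering router, its access list and the stateful connection table described above, as an added example that is not code from the original entry. It applies an ordered access list (first match wins, with an implicit deny at the end), records connections opened from the inside so that their replies are let back in, and drops inbound packets that claim an internal source. All addresses, ports, rules and the sample packets are constructed; the class and function names are this example's own.

```python
"""Added example, not code from the original entry: a minimal packet-filtering
router with an ordered access list and a stateful connection table.
All addresses, ports and rules below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str              # source IP address
    sport: int            # source port
    dst: str              # destination IP address
    dport: int            # destination port
    proto: str            # "tcp" or "udp"
    syn: bool = True      # for TCP: True means a new connection attempt
    inbound: bool = True  # True if it arrived on the Internet-facing interface


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # source network in CIDR form, or "any"
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port, or None for any port

    def matches(self, pkt: Packet) -> bool:
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        return self.dport is None or self.dport == pkt.dport


class PacketFilter:
    def __init__(self, acl, internal="10.0.0.0/8"):
        self.acl = list(acl)
        self.internal = ip_network(internal)
        # Connections opened from inside: (client ip, client port, server ip, server port)
        self.state = set()

    def decide(self, pkt: Packet) -> str:
        # Anti-spoofing: nothing arriving from the Internet may claim an internal source.
        if pkt.inbound and ip_address(pkt.src) in self.internal:
            return "deny:spoofed-source"
        if not pkt.inbound:
            # Outbound traffic is allowed; new TCP connections are remembered.
            if pkt.proto == "tcp" and pkt.syn:
                self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "permit:outbound"
        # Inbound packets that continue a connection opened from inside.
        if pkt.proto == "tcp" and not pkt.syn:
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
                return "permit:established"
            return "deny:no-state"
        # New inbound connections are checked against the ordered access list.
        for rule in self.acl:
            if rule.matches(pkt):
                return f"{rule.action}:acl"
        return "deny:implicit"  # everything not explicitly permitted is blocked


# Constructed access list: mail in from anywhere, Telnet blocked, SSH from one partner network.
ACL = [
    Rule("permit", "any", "tcp", 25),
    Rule("deny", "any", "tcp", 23),
    Rule("permit", "198.51.100.0/24", "tcp", 22),
]


def run_scenario():
    """Push a few constructed packets through the filter and return the decisions."""
    fw = PacketFilter(ACL)
    packets = [
        Packet("203.0.113.9", 51000, "10.0.0.25", 25, "tcp"),                 # SMTP from the Internet
        Packet("203.0.113.9", 51001, "10.0.0.25", 23, "tcp"),                 # Telnet from the Internet
        Packet("10.0.0.9", 51002, "10.0.0.25", 22, "tcp"),                    # spoofed internal source
        Packet("10.0.0.5", 40000, "203.0.113.9", 80, "tcp", inbound=False),   # user browsing out
        Packet("203.0.113.9", 80, "10.0.0.5", 40000, "tcp", syn=False),       # the web server's reply
        Packet("203.0.113.9", 80, "10.0.0.6", 40000, "tcp", syn=False),       # reply with no matching state
        Packet("203.0.113.9", 53, "10.0.0.25", 53, "udp"),                    # DNS: no rule, implicit deny
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

The rule order matters: the partner-network SSH rule would never be reached if a broader deny for port 22 preceded it, which is the same reason large real access lists become hard to reason about.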
A popular protocol for circuit-level gateways is the SOCKS v5 protocol. Circuit-level gateways are typically used in conjunction with packet filtering and network-layer protection.

Another, more advanced type of firewall is the application gateway, which is also usually included in a proxy server. Application gateways do not allow any packets to pass directly between the two networks they connect. Instead, proxy applications running on the firewall computer forward requests to services on the private network and then forward responses to the originators on the unsecured public network. Application gateways generally authenticate a user's credentials before allowing access to the network, and they use auditing and logging mechanisms as part of their security policy. Application gateways generally require a lot of configuration by users to enable their client machines to function properly, but they are more granular in their configurability than network-level firewalls. For example, if a File Transfer Protocol (FTP) proxy is configured on an application gateway, it can be configured to allow some FTP commands but deny others. You could also configure an SMTP proxy on an application gateway that would accept mail from the outside (without revealing internal e-mail addresses) and then forward the mail to the internal mail server. However, because of the additional processing overhead, application gateways have greater hardware requirements and are generally slower than other types of firewalls.

Other advanced features used by firewalls include:

- Execution control lists (ECLs): These are like access lists but instead control which applications can be executed over the firewall.
- Intrusion Detection Systems (IDSs): Usually separate systems from firewalls but sometimes packaged with them, IDSs complement a regular firewall by allowing administrators not just to prevent intrusion into their private networks but also to detect and analyze the source of this intrusion.
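The command-level control of an application gateway's FTP proxy mentioned above, as an added example that is not code from the original entry. The gateway parses each client line on the control channel, forwards only commands on a read-only allow list, and refuses the rest with a logged reply. The allow list, the reply texts, the client address and the sample session are constructed; the 502 and 550 codes follow the standard FTP reply-code convention, and `handle_line` and `run_session` are this example's own names.

```python
"""Added example, not code from the original entry: the command filtering an
application gateway's FTP proxy can apply. Policy and session are constructed."""
import logging
from typing import List, Tuple

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("ftp-gateway")

# Constructed read-only policy: uploads, deletes and renames are refused, and so is
# active-mode PORT, which would ask the server to open a connection back inward.
ALLOWED = {"USER", "PASS", "PWD", "CWD", "TYPE", "PASV", "LIST", "NLST", "RETR", "QUIT"}


def parse_command(line: str) -> Tuple[str, str]:
    """Split an FTP control-channel line into an upper-cased verb and its argument."""
    verb, _, arg = line.strip().partition(" ")
    return verb.upper(), arg.strip()


def handle_line(line: str, client: str = "203.0.113.9") -> Tuple[str, str]:
    """Decide what the gateway does with one client line.

    Returns ("forward", <command passed on to the internal server>) or
    ("reject", <reply sent back to the client>).
    """
    verb, arg = parse_command(line)
    if not verb:
        return "reject", "500 Syntax error, command unrecognized."
    if verb not in ALLOWED:
        log.warning("%s: denied %s", client, verb)
        return "reject", "502 Command not permitted by gateway policy."
    # Even an allowed command gets its argument checked: no parent-directory references.
    if verb == "CWD" and ".." in arg.replace("\\", "/").split("/"):
        log.warning("%s: denied CWD with parent reference: %s", client, arg)
        return "reject", "550 Requested path not permitted."
    log.info("%s: forwarding %s", client, verb)
    return "forward", f"{verb} {arg}".strip()


def run_session(lines: List[str]) -> List[Tuple[str, str]]:
    """Run a whole control-channel session through the gateway."""
    return [handle_line(line) for line in lines]


# Constructed session from an outside client.
SESSION = [
    "USER anonymous",
    "PASS guest@example.org",
    "PWD",
    "CWD pub",
    "CWD ../../private",
    "PORT 203,0,113,9,200,1",
    "PASV",
    "RETR readme.txt",
    "STOR upload.bin",
    "DELE readme.txt",
    "QUIT",
]

if __name__ == "__main__":
    for line, (verdict, text) in zip(SESSION, run_session(SESSION)):
        print(f"{line!r:30} -> {verdict}: {text}")
```

Because the proxy terminates the client's connection and opens its own to the internal server, it can make these decisions on parsed commands rather than on raw packets, which is the granularity the entry contrasts with a network-level firewall.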
Implementation

Before looking at implementing firewalls, it is a good idea to first review some firewall terminology:

- Host: Any computer attached to your network.
- Bastion host: A host directly exposed to the Internet. Bastion hosts need to be "hardened" to make them more secure by removing nonessential services and software. Web servers and mail servers are two examples of common types of bastion hosts.
- Perimeter network: An extra network located between your corporate network and the Internet. Also called a DMZ, which stands for demilitarized zone.

The simplest way of implementing a firewall is to use a packet-filtering router with port screening at the junction between your private network and the Internet. All traffic flows through this point, and the router handles the entire job of securing your network from attack. For more extensive protection than a simple packet-filtering router, install circuit-level or application-gateway firewall software on a dual-homed hardened system and use it in place of (or in addition to) the dedicated router.

A screened-host firewall allows a bastion host located on the private network to be accessed from the Internet while preventing other hosts from being compromised. This is perhaps less secure than locating the bastion host outside the private network, but it allows easier access to the bastion host for configuration and maintenance. A screened-subnet architecture employs an intermediate network (the perimeter network) between the private and public networks, each of which is connected to the perimeter network using a separate screening router. One or more bastion hosts are then located on the perimeter network. For greater protection, the perimeter network may be split into two segments using another router or a dual-homed host running firewall software.
Still another configuration makes each bastion host dual-homed, with one interface of each bastion host connected to the perimeter network segment adjacent to the Internet and the other interface connected to the perimeter network segment adjacent to the private network. You can make the topology even more complex by having separate perimeter networks for each bastion host, and so on.

Advantages and Disadvantages

Although firewalls are essential for networks connected to the Internet, a firewall is only as effective as its configuration. A misconfigured firewall is worse than no firewall at all, since it provides the user with a false sense of security that the network is protected. In other words, firewalls cannot configure themselves and are only as smart as the administrators configuring them. Another misconception is that a carefully configured firewall is all your network needs to be safe from attack. This is hardly the case. Network security begins with the development of a comprehensive security policy on paper and is implemented using a variety of systems and services, including firewalls, perimeter networks, antivirus software, an intrusion detection system (IDS), and good network management practices. In addition, administrators need to stay on top of possible new threats by subscribing to security newsletters, watching for notices of bugs and fixes from operating system and application vendors, reviewing firewall logs regularly, and educating users about the practices of safe computing.

Marketplace

For the corporate segment of the market, firewall products range from dedicated routers to software to install on hardened dual-homed hosts. A popular dedicated router firewall product is the PIX firewall service from Cisco Systems, included with IOS 11.2 and higher as the Cisco Firewall Feature Set. PIX comes in different flavors depending on whether the need is enterprise or Small Office/Home Office (SOHO) protection, and by some analysts' estimates is used by half of all large companies. In the enterprise software firewall market, popular products include Firewall-1 from CheckPoint Software Technologies, Microsoft Proxy Server from Microsoft Corporation, and many others. The new Microsoft Internet Security and Acceleration (ISA) Server integrates firewall and Web caching functionality and supports policy-based security.

In the personal firewall arena, some popular products include BlackICE Defender from Network Ice Corporation, Norton Personal Firewall from Symantec Corporation, eSafe from Aladdin Networks, ZoneAlarm from Zone Labs, Secure Desktop from Sybergen Networks, McAfee Personal Firewall from Network Associates, CyberArmor from InfoExpress, and PC Firewall from ConSeal. In general, personal firewalls come with a standardized default configuration that provides a basic level of security, but remember that firewalls are only as smart as the person who configures them. Personal firewalls are also not a substitute for antivirus software and are usually ineffective in dealing with Trojan horses.

Distributed firewalls are popular in corporate environments and are typically used to protect critical servers using firewall agents that are remotely managed from a central policy server. Examples in this market include CyberArmor Enterprise Personal Firewall from InfoExpress and McAfee Active Virus Defense Suite from Network Associates. Several vendors offer combinations of firewall and VPN software that can be used to provide secure remote access to corporate networks. Examples include VPN-1 Gateway (a combination of Firewall-1 and VPN-1) from CheckPoint Software, Raptor Firewall with PowerVPN from Symantec, GuardianPro with Guardian IPSec VPN from NetGuard, and eTrust Firewall with eTrust VPN from Computer Associates.
In the VPN/firewall appliance arena, Cobalt Networks and Axent Technologies have teamed up to provide a 1U-high rack-mountable VPN/firewall appliance called VelociRaptor that is based on the Linux operating system. Gigabit products in this market include Cisco's PIX 535 firewall and NetScreen-1000ES from NetScreen Technologies, both of which support Triple DES encryption for greater security (although using 3DES slows down performance to about 600 megabits per second [Mbps]). In the outsourced managed firewall services sector, two popular providers are DefendNet Solutions, whose DefendNet Enterprise solution uses CheckPoint Software's Firewall-1 product and targets companies with more than 250 users, and RIPTech, whose sentry monitoring system works with several popular firewalls including PIX, Raptor, and Firewall-1. Another managed firewall service provider is NetSolve.

Notes

TruSecure, in conjunction with ICSA Labs, acts as an independent standards body that certifies firewall products and provides a number of resources on its Web site relating to firewalls and network security. See www.icsalabs.com for more information.

The best way to begin configuring a packet-filtering firewall is to block all packets at first and then start allowing access to the internal network on a case-by-case basis. Make sure that internal network addresses do not cross the firewall to the outside world, and do not store sensitive data on the machine running the firewall software itself. Treat your firewall machine as expendable: the worst possibility should be a hacker's damage to the firewall, which would simply leave your private network securely disconnected from the outside world. Disable all unnecessary network services on your firewall machine to protect the firewall itself from attack.
If you are concerned only about controlling outgoing access from your network and your users do not need to be able to remotely access your network over the Internet, a packet-filtering router or circuit-level gateway type of firewall is probably sufficient. For users who frequently need to remotely access your network, however, an application gateway is generally best.

See Also: appliance, network security, proxy server, router

NETWORK SECURITY

Network security is not only a broad topic but also an essential one for today's network administrator. Attempts to intrude on, disrupt, and deface business and corporate networks have never been higher, facilitated in part by the ubiquitous presence of the Internet and broadband Internet access. The vulnerability of today's networks to security attacks is compounded by lack of awareness by corporate management, overworked IT (information technology) staff, rapid software upgrade cycles that encourage the release of buggy software, widespread availability on the Internet of easy-to-use hacking and cracking tools, and vulnerabilities in the underlying Transmission Control Protocol/Internet Protocol (TCP/IP) itself, the networking protocol used by the Internet. Some of the risks faced by networks today include:

- Denial of service (DoS) attacks that tie up a network's resources so that legitimate users cannot gain access to them
- Trojan horse programs that install back doors to allow valuable network credentials to be stolen and misused, or that install remote control programs that provide intruders with full access to network resources
- Viruses that invade networks through e-mail attachments and wreak havoc with important files
- Network operating systems and applications whose default configurations are insecure and permit a wide range of attacks to be performed
- Public Web sites that expose credit card information stored in databases through buffer overflows and script issues
- Wireless networks with weak or no encryption that can be accessed easily by anyone driving by with a wireless-enabled laptop

Some of the tools and techniques network administrators can use to secure their networks include:

- Physical security: Simply locking the server room is a step that should not be overlooked. Users should also be taught not to write down their passwords on slips of paper taped under their keyboards and to be alert for malicious social engineering, such as persons calling and posing as network administrators and asking for passwords to fix alleged network problems.
- Virus protection: Subscribing to a virus protection service is essential for hosts connected to the Internet.
- Authentication: Properly configuring authentication methods is a necessary step to guard against unauthorized logons. For high-security environments, users can be provided with smart cards and other authentication tokens. Biometrics can also be employed if required, enabling users to be authenticated using fingerprint or retina scanners.
- Access control: Properly securing resources with suitable permissions is a necessary step to guard against unauthorized resource access. Periodic auditing of access controls is also important.
- Auditing: Periodic auditing of security logs is essential, as even intelligent risk-analysis systems may miss certain kinds of attacks.
- Encryption: Using a protocol such as Internet Protocol Security (IPsec) can ensure the integrity and privacy of data transmitted over the network, and other protocols such as Pretty Good Privacy (PGP) can be used to secure e-mail.
- Firewalls: This is an essential tool for securing the perimeter of a network connected to the Internet, but firewalls must be properly configured and maintained, and their logs should be periodically reviewed.
- Remote access: Remote access systems can be made more secure by implementing callback and other features. If the Internet is used for remote access, virtual private networks (VPNs) can employ IPsec for greater security.
- Intrusion detection: Installing an intrusion detection system (IDS) is becoming an essential part of corporate network security. Usually, the more intelligence these systems have the better, but they cannot replace the intelligence of the network administrator.
- Patches: Operating systems and applications are frequently found to be buggy or insecure, and vendors issue fixes to address these problems. Keeping up to date regarding available patches and applying them in a timely fashion is essential for today's network administrators. Web servers are especially viewed as targets by attackers, and they require considerable attention to maintain security and protect against newly discovered vulnerabilities.
- Backups and fault tolerance: Every system is liable to be breached at some point, so having redundant hot standby systems is important in mission-critical e-commerce systems, and regular backups that are periodically restored for testing purposes are often the last line of defense against attackers damaging corporate databases.
- Security policy: Developing, internally publishing, monitoring, and enforcing a corporate security policy is a vital step in securing your network.
- Training: Making sure that IT staff are trained in using security tools is essential unless network operations are outsourced to other companies.

Visit the SANS Institute at www.sans.org. Visit the CERT Coordination Center at www.cert.org.

See Also: access control, auditing, authentication protocol, backup, biometric authentication, denial of service (DoS), disaster recovery, encryption, fault tolerance, firewall, hacking, Internet Protocol Security (IPsec), intrusion detection system (IDS), remote access, virtual private network (VPN), virus

PROXY SERVER

An application that acts as an intermediary between a private network and the Internet.
Overview

Proxy servers act as secure gateways to the Internet for client computers and are usually components of firewalls. They are transparent to client computers: a user interacting with the Internet through a proxy server is not aware that a proxy server is handling the requests unless the user tries to access a resource that the proxy server is configured to disallow. Similarly, the Web server receiving the requests from the proxy server interprets these requests as though they came directly from client computers.

Types

Two basic types of proxy servers are used in network firewall environments:

- Circuit-level gateways: These are used to establish virtual circuits (VCs) between machines on the internal private network and the proxy server on the border of the private network. The proxy server controls all connections between the internal private network and the external public network. If a client on the private network wants to access the Internet, for example, the Hypertext Transfer Protocol (HTTP) request packet generated by the client's Web browser traverses the virtual circuit to the proxy server; the proxy server then changes the source IP address of the packet to that of the external (public) network interface of the proxy server and forwards the packet onto the Internet. When a remote HTTP server on the Internet sends a response, the proxy server routes this response back through the virtual circuit to the client that made the request.
- Application-level gateways: These operate at Layer 7 (the application layer) and can be used to implement security policies for analyzing packets that reach the external (public) interface of the proxy server from distrusted public networks. These security policies can examine packet addresses and other header information, permit or deny packets on the basis of their contents, and modify the address, header, or contents of packets that they monitor in order to hide key information about the internal network's applications and services. Application-level gateways provide proxy services only for specifically configured applications and protocols such as HTTP, File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), and Telnet. For each type of application for which you want to regulate access through the firewall, you must install and configure a related proxy service on the proxy server. Applications and protocols for which a proxy service is not installed cannot be accessed through the firewall.

Uses

Proxy servers are generally used to secure private networks connected to unsecured public networks such as the Internet. They have greater functionality than packet-filtering routers because they operate at a higher level of the protocol stack and afford greater control over monitoring and managing network access. A proxy server functioning as a security agent for a private network is an essential part of a firewall.

Advantages and Disadvantages

The advantages of using a proxy server include the following:

- It provides a single, secure gateway to manage between your private corporate network and the public Internet.
- It can provide different types of access to the Internet for different groups of users as appropriate.
- It can monitor and track Internet usage for each user.
- It can enable multiple users to share a single high-speed Internet connection.

Instead of using a proxy server, you could provide modems for, and run telephone lines directly to, each user who needs Internet access, but this option is costly. You can also configure a physically separate network with several computers that have shared Internet access, but this is cumbersome for users.
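The circuit-level gateway exchange described under Types above (the source address of an outgoing request rewritten to the proxy's public interface, and the response routed back to the client that made it), as an added example that is not code from the original entry. The gateway keeps a table from the public port it allocated to the internal flow it belongs to; a reply is delivered only if it arrives on a mapped port from the peer that circuit was opened to. The public address, client and server addresses, ports and the class name `CircuitGateway` are all constructed for this example.

```python
"""Added example, not code from the original entry: the address rewriting a
circuit-level gateway performs with Network Address Translation (NAT).
All addresses and ports are constructed for illustration."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int, str, int]  # (client ip, client port, remote ip, remote port)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class CircuitGateway:
    def __init__(self, public_ip: str = "203.0.113.1", first_port: int = 40000):
        self.public_ip = public_ip          # the only address the outside world ever sees
        self._next_port = first_port
        self.circuits: Dict[int, Flow] = {}  # public port -> internal flow
        self._port_for: Dict[Flow, int] = {}  # internal flow -> public port

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a packet from an internal client so it appears to come from the gateway."""
        flow: Flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self._port_for.get(flow)
        if port is None:
            # First packet of this flow: allocate a public port and open the circuit.
            port = self._next_port
            self._next_port += 1
            self.circuits[port] = flow
            self._port_for[flow] = port
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a reply back to the internal client; None means the packet is dropped."""
        if pkt.dst != self.public_ip:
            return None
        flow = self.circuits.get(pkt.dport)
        if flow is None:
            return None  # no circuit was opened for this port
        client_ip, client_port, remote_ip, remote_port = flow
        if (pkt.src, pkt.sport) != (remote_ip, remote_port):
            return None  # not the peer this circuit was opened to
        return replace(pkt, dst=client_ip, dport=client_port)


def run_scenario():
    """Constructed exchange: a client browses out, the reply returns, an unrelated host knocks."""
    gw = CircuitGateway()
    request = Packet("10.0.0.5", 52000, "198.51.100.20", 80)
    outside = gw.outbound(request)                               # what the web server sees
    reply = Packet("198.51.100.20", 80, gw.public_ip, outside.sport)
    delivered = gw.inbound(reply)                                # mapped back to the client
    stranger = gw.inbound(Packet("192.0.2.7", 4444, gw.public_ip, outside.sport))
    unmapped = gw.inbound(Packet("198.51.100.20", 80, gw.public_ip, 40999))
    again = gw.outbound(request)                                 # same flow, same public port
    second = gw.outbound(Packet("10.0.0.6", 52001, "198.51.100.20", 80))
    return {"outside": outside, "delivered": delivered, "stranger": stranger,
            "unmapped": unmapped, "again": again, "second": second}


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name:10} {value}")
```

The web server only ever sees 203.0.113.1, which is the point the entry makes about the internal network's addresses never appearing in packets the remote side receives.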
See Also: firewall, packet filtering, proxy cache server, virtual circuit

INTRUSION DETECTION SYSTEM (IDS)

Any system used to detect attacks on a host or network.

Overview

Intrusion detection systems (IDSs) can detect, log, report, and even respond to a wide variety of attempts to compromise a network's security. IDSs range from simple tools such as network sniffers and application logs to complex, distributed systems costing thousands of dollars. They can be implemented as software installed on computers, blades inserted into enterprise Ethernet switches, or dedicated network appliances. An IDS is an essential component of a network security policy and is complementary to a firewall: a firewall prevents certain kinds of intrusion, but an IDS detects what gets through the firewall. An IDS is not a "silver bullet" that solves all network security issues; a poorly implemented or unmonitored IDS is worse than no IDS at all because it provides a false sense of security. The reports generated by an IDS are typically 90 percent false positives and usually require human intelligence to distinguish the real attacks from the false ones.

There are two basic types of IDS:

- Network IDS (NIDS): These are systems that capture network traffic and analyze it looking for evidence of attacks. A NIDS generally determines which traffic is hostile on the basis of predefined rules or signatures. These signatures must be kept up to date by downloading new versions from the vendor to ensure that the NIDS continues to be effective in patrolling the network. NIDSs are operating-system independent and can be implemented without modifying your network's infrastructure. On the downside, they increase network traffic, thus consuming valuable bandwidth, and are difficult to implement in a switched environment.
- Host-based IDS: These are applications installed on critical hosts such as Web servers that monitor such things as Transmission Control Protocol (TCP) sessions, port activity, file integrity, and log files. Host-based IDSs are platform-specific solutions that must be installed on any servers considered in danger of attack.

This distinction between the two types of IDS is beginning to blur as vendors combine aspects of both types into newer IDS applications and appliances. Vendors are also beginning to add "intelligent" pattern-recognition functionality to their IDSs to enable them to detect attacks for which no signatures currently exist. The use of artificial intelligence (AI) in IDS systems is probably the big goal in the network security field for the next decade.

Implementation

This example deals with the implementation of a NIDS. A typical NIDS consists of two components:

- Sensors: These capture network traffic on various segments and forward it to the management station.
- Management station: This receives reports from sensors of possible intrusions and then logs the information in a database, generates reports for human inspection, notifies administrators of the occurrence, and (if configured to do so) shuns harmful traffic.

To detect intrusion at the perimeter of a network connected to the Internet, a sensor would typically be deployed in the perimeter network (otherwise known as a demilitarized zone [DMZ]) where the firewall is located.

Marketplace

The IDS market has exploded over the last few years, with the result that IDS has often become a buzzword that vendors use to market products that have little IDS functionality. Examples of host-based IDS include Intruder Alert from Axent Technologies, Dragon Squire from Enterasys Networks, Kane Security Enterprise from Intrusion.com, and RealSecure OS Sensor from Internet Security Systems.
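The sensor and management station of the NIDS implementation described above, together with the false-positive problem the Overview raises, as an added example that is not code from the original entry. The sensor runs captured packets against signatures (protocol, optional destination port, byte pattern); the management station counts alerts by signature and lists the external sources it would shun. A first, content-only signature for a Telnet login prompt also fires on an ordinary web page, and tying it to port 23 removes that false positive. The signatures, the captured packets, the internal address range and the function names are all constructed for this example.

```python
"""Added example, not code from the original entry: a network IDS sensor and
management station in miniature. Signatures, capture and addresses are constructed."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

INTERNAL = ip_network("10.0.0.0/8")  # constructed private address space


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    proto: str            # "tcp" or "udp"
    dport: Optional[int]  # None matches any destination port
    content: bytes        # byte pattern that must appear in the payload

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto
                and (self.dport is None or pkt.dport == self.dport)
                and self.content in pkt.payload)


@dataclass(frozen=True)
class Alert:
    sid: int
    name: str
    src: str
    dst: str
    dport: int


def sensor(packets: List[Packet], signatures: List[Signature]) -> List[Alert]:
    """Run every captured packet against every signature; one alert per match."""
    return [Alert(s.sid, s.name, p.src, p.dst, p.dport)
            for p in packets for s in signatures if s.matches(p)]


def management_station(alerts: List[Alert]) -> Dict[str, object]:
    """Summarise alerts for the human reviewer and list external sources to shun."""
    by_signature = Counter(a.name for a in alerts)
    shun: Set[str] = {a.src for a in alerts if ip_address(a.src) not in INTERNAL}
    return {"total": len(alerts), "by_signature": dict(by_signature), "shun": shun}


# Constructed capture taken by a sensor on the perimeter network.
CAPTURE = [
    Packet("203.0.113.9", "10.0.0.25", "tcp", 23, b"\xff\xfd\x18login: "),           # Telnet from outside
    Packet("10.0.0.25", "203.0.113.40", "tcp", 51234,
           b"HTTP/1.0 200 OK\r\n\r\n<p>Please login:</p>"),                           # web page going out
    Packet("203.0.113.9", "10.0.0.25", "tcp", 21, b"USER anonymous\r\n"),             # anonymous FTP
    Packet("203.0.113.40", "10.0.0.25", "tcp", 80, b"GET /index.html HTTP/1.0\r\n"),  # ordinary request
]

# First cut: a content-only rule for the Telnet prompt. It also fires on the web page.
LOOSE_RULES = [
    Signature(1001, "Telnet login prompt crossing the perimeter", "tcp", None, b"login:"),
    Signature(1002, "Anonymous FTP login", "tcp", 21, b"USER anonymous"),
]

# Tuned: tie the prompt to the Telnet port so ordinary web traffic no longer matches.
TUNED_RULES = [
    Signature(1001, "Telnet login prompt crossing the perimeter", "tcp", 23, b"login:"),
    Signature(1002, "Anonymous FTP login", "tcp", 21, b"USER anonymous"),
]


def false_positives(loose: List[Signature], tuned: List[Signature]) -> List[Alert]:
    """Alerts raised by the loose rule set that the tuned set does not raise."""
    tuned_alerts = set(sensor(CAPTURE, tuned))
    return [a for a in sensor(CAPTURE, loose) if a not in tuned_alerts]


if __name__ == "__main__":
    for label, rules in (("loose", LOOSE_RULES), ("tuned", TUNED_RULES)):
        print(label, management_station(sensor(CAPTURE, rules)))
    print("removed by tuning:", false_positives(LOOSE_RULES, TUNED_RULES))
```

Note that the shun list is computed only for external sources: automatically blocking 10.0.0.25 on the strength of the false positive would have cut off the organisation's own web server, which is why the entry insists on human review before an IDS is allowed to respond.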
Popular network IDSs include NetProwler from Axent Technologies, Cisco Secure IDS from Cisco Systems (available both as a stand-alone appliance and as a module for Cisco Catalyst 6000 series switches), eTrust Intrusion Detection from Computer Associates, Armor from nCircle Network Security, BlackICE Sentry from Network Ice Corporation, and NFR from Network Flight Recorder. Some popular free UNIX-based IDS tools include Shadow, Snort, and Pakemon.

Issues

One of the main difficulties in deploying a NIDS is that most enterprise networks are now switch-based instead of hub-based. All stations connected to a hub share the same broadcast and collision domain, and by connecting a NIDS sensor to a hub, traffic to and from every station can be easily monitored. Ethernet switches are different, however: each attached station forms its own private segment, and to monitor traffic effectively would, in theory, require a NIDS sensor for each port. One workaround for this problem is to use port mirroring (spanning) to copy portions of traffic from each port on the switch to a mirror port to which the sensor can then be attached. The problem with doing this, however, is that it adds an extra processing load to the switch and is difficult to implement in full-duplex configurations. Cisco solves this problem in its Catalyst 6000 series of enterprise switches by providing its Cisco Secure IDS product as a blade that can be installed in the switch to monitor traffic directly on the backplane. By configuring access control lists (ACLs), administrators can then pull up different kinds of traffic such as Hypertext Transfer Protocol (HTTP) to get more targeted information about possible intrusions. Another solution is provided by Shomiti Systems, which sells "taps" that let you unobtrusively listen in to traffic on any 10/100 Mbps Ethernet link and copy traffic to a second switch to which IDS sensors are attached. This way, no extra processing burden is placed on the network's backbone switches.