Upcoming Events

Cloud Connect
Santa Clara
Feb 13-16, 2012

Cloud Connect brings together the entire cloud eco-system to better understand the transformation we're experiencing and promises to be the defining event of the cloud computing industry. Learn about the latest cloud technologies and platforms from thought leaders in Cloud Connect’s comprehensive conference.

Register Now!

W O R K S H O P

A Rookie's Guide to Defensive Blocks

June 24, 2002
By Mike DeMaria

	Issue TOC
	Print full article
	Print this page
	Download as PDF
	E-Mail this URL
	Flame the author

	In this article
	Introduction
	Criminal Intent
	Shunning the Firewall Leapers
	Web Links

Imagine you park your car in the garage and the engine ignites. If you have a firewall or buffer zone between the toasted car and your house, you're safe--in theory anyway. Same is true with your network. The Internet is a hotbed of hostility, with would-be attackers constantly scanning for exploitable systems. Firewalls and DMZs (demilitarized zones) let you control network traffic so your users get Internet access but attackers are stymied--again, in theory anyway.

The rub is that your firewalls and demilitarized zones must be set up correctly. Sounds simple, and if you're an experienced administrator, it may be. But not everyone charged with guarding a network has these skills. It's with less experienced admins in mind that we present this primer. If you've moved beyond the basics, see previous the articles "Building an In-Depth Defense", "Defense Mechanisms" and "New Security Threats - Stronger Defenses."

Baby, Let Me In

Rule No. 1: Firewalls are all about access control. You create a set of rules defining which ports to keep open, which to disallow, and any IP addresses or entire networks to block. A firewall on the edge of your network is effective only if it is configured correctly. And don't forget in-house traffic--firewalls are not just for Internet connections; they should be used to control access from one part of your internal network to another. You never know: That innocent intern at the front desk could be trying to attack your payroll system.

There are three types of firewalls, each with advantages and disadvantages in terms of security and performance:

• Packet-filter firewalls. The simplest firewall is a packet filter. Packet-filter firewalls often are embedded in routers, broadband modems, NAT boxes, advanced switches, traffic shapers and other gear. That's because packet-filter firewalls are simple for vendors to develop, devour few CPUs and have a modest memory overhead. Packet filters inspect traffic one packet at a time with no knowledge of previous packets; each packet is matched against your rule set. Most commonly, rules are based on source address and port or destination address and port. Some packet-filter firewalls allow for looking at TCP flags, such as SYN packets, but this can get ugly fast, especially if you have to do it by hand. Packet-filter firewalls are useful for filtering out specific traffic types. For example, if you never want SNMP or NetBIOS packets to traverse your border router, use a packet filter.

Packet filters have some major security weaknesses, however. They're susceptible to IP spoofing. They can't see TCP sequencing numbers. And perhaps worst of all, they can't determine if a connection was made from inside or outside. Someone on the outside could send packets with a common source port of 53 (DNS) or 80 (HTTP) and effectively scan the entire internal network.

• Stateful packet-filter firewalls. Stateful packet filters are packet filters that overdosed on Jolt. These firewalls maintain a table that stores the state information of every connection and thus can see when a connection is initiated, handshaking and ending. This is much better than a packet filter from a security standpoint because the firewall can protect against out-of-sequence packets and spoofed TCP connections. Attackers also can't pass packets that falsely appear to be from an existing connection. You could make a single rule to reject all incoming SYN connections and not have to worry much about people scanning or connecting to your network through common spoofing methods.

The downside is that stateful firewalls require lots of CPUs and memory, and as the number of connections grows, so do the processing requirements. When you test stateful firewalls, measuring packets per second alone is not adequate. Instead, you need to look at simultaneous connections on networks with many users or on high-traffic Web sites. A firewall that performs well with a few users may not scale to several thousand.

• Proxy firewalls. The proxy is generally the most secure type of firewall because it enforces protocol, though performance is an issue. There are two types of proxy firewalls, application specific (as in protocol, such as HTTP or SMTP) and generic. Generic proxies protect against IP attacks, such as fragmentations and spoofs, but offer no security benefit over stateful packet filters for protocol attacks.

In a proxy, the client and server do not have a direct channel. To the server, the proxy acts as a client, and to the client, the proxy acts as a server--the proxy is the middleman, passing messages between the two.

Application-specific proxies can inspect traffic, some even at Layer 7, and can check for valid HTTP in Web connections and try to detect exploits, such as buffer overflows. But not all proxies are equally intelligent. Typically, they work only at the protocol level, not all the way into the application layer, and if a proxy is checking only protocol syntax, destructive data payloads could get through. Proxy firewalls also are limited in protocol support; they're usually specialized. Performance is another big concern: Some organizations may want one or more specialized proxies to handle HTTP or FTP traffic and to protect the borders with a stateful firewall.