Network Computingwww.networkcomputing.com

Finally, we’ll provide extensive examples in establishing security with firewalls. Note this article assumes you are already familiar with installing/configuring Unix/Linux packages and with running a firewall.

If your company uses the Internet, chances are that you need a firewall. Fast becoming the most popular form of electronic communication, the Internet brings the entire world to your door. Information security experts suggest that you invest in some method of network security, so you can make sure that it is opportunity knocking at that door, and not a cyber-criminal in disguise.

A firewall is software that provides access control. It monitors access requests and authorizes or rejects the request by using various authentication methods. In other words, a firewall is a system or a group of systems that enforce an access-control policy between two networks as shown in Figure 1.

Figure 1: Firewall example

In an environment without firewalls, network security relies totally on host security, and all hosts must, in a sense, cooperate to achieve a uniformly high level of security. The larger the subnet, the harder it is to maintain all hosts at the same level of security. As mistakes and lapses in security become more common, break-ins occur not as the result of complex attacks, but because of simple errors in configuration and inadequate passwords.^(a)

Of course, firewalls aren't the only answer. Don’t depend on one security solution. Good security is usually found in layers. These layers should comprise a variety of security products and services. Some solutions include network security products (firewalls that could be both internal and external) and information systems security (Infosec) training (employee education through classes and threat/vulnerability briefings). ^(b)

A firewall approach provides numerous advantages to sites by helping to increase overall host security. Generally, firewalls are configured to protect against unauthenticated interactive logins from the outside world. This, more than anything, helps prevent vandals from logging into machines on your network. More elaborate firewalls block traffic from the outside to the inside but permit users on the inside to communicate freely with the outside. But a firewall can protect you against any type of network-borne attack if you unplug it.

With a properly configured firewall, access to the network is controlled and restricted. Only authorized users are granted selective access. However, misconfiguring your firewall is far worse than running without a firewall, because it both engenders a false sense of security and brings your network performance to a crawl.

So, how do you properly configure a firewall? Let’s take a look at a very simple firewall configuration example using Check Point Software Technologies FireWall-1.¹

The configuration of a company’s firewall is determined by that company’s security policy. A FireWall-1 security policy is simple to define and implement. As an example, here's how to define a security policy for a small enterprise with a simple network configuration.

Let's say a small engineering company has 30 employees, a small internal network and a DMZ (demilitarized zone) network, which includes a mail server. Employees use the Internet for e-mail, FTP and HTTP services to communicate with customers and access the Web. Of course, employees require complete Internet access, and the company wants to protect the internal network. At the same time, employees need to receive mail from customers located outside of the corporate network. In the configuration shown in Figure 2, FireWall-1 is installed on a gateway machine.²

Figure 2: Simple Network Configuration

For the configuration shown in Figure 2, a typical security policy might consist of the following:

• External users may access the local network only to send mail to local computers.
• Internal users may access the entire network–localnet, the mail server on the DMZ and the Internet.

This policy protects the private network from untrusted external users but puts no restrictions on local users.^(c)

To implement a security policy, you must perform the following steps:

Using the Object Managers, define the network objects used in the rule base. You do not have to define the entire network, only the objects that are used in the rule base. For the configuration described here, you must define the gateway (FW_local), the mail server (mailsrvr) and the local network (localnet) as shown in Figure 3.³

Figure 3: Workstation Properties Window – Mail Server Definition

FireWall-1 includes more than 150 predefined services to facilitate administration. But you do not have to define commonly used services, such as SMTP. You have to define only custom services used in your network.

The rules for accepting, rejecting and logging packets are known as the rule base. In this simple example, there are only two required rules, corresponding to the policy given in the preceding step. The first rule (external users may only send mail to the mail server) can be expressed in the rule-base editor as shown in Table 1.⁴

The second rule (internal users may access the entire network: localnet, the mail server on the DMZ and the Internet) can be expressed in the rule-base editor as shown in Table 2.⁵

FireWall-1 drops all communications that are not explicitly permitted by the security policy. Rules are examined sequentially, and the first rule that matches a connection is applied. An implicit rule at the end of the rule base drops all connections that do not match the previous rules. You can explicitly define a rule that logs such connections, as shown in Table 3.⁶

Even if you do not define this rule, FireWall-1 will not allow these connections. The advantage of defining this rule is that you now have a record of communication attempts that are not permitted by the security policy. Figure 4 shows the rule-base editor with the three rules defined.⁷

Figure 4: Rule-Base Editor Showing All Rules

The rule base as shown in Figure 4 shows that defining the required rules for a security policy is simple. A basic rule base can be modified with additional rules to meet the specific requirements of any enterprise.

When you install the security policy, you should load the Inspection Code to the gateways. You can also install the security policy on routers using the Open Security Extension module. The security policy is installed using the rule-base editor. The rule-base editor allows you to specify the FireWall-protected machines and enforcement points that will implement the security policy (see Figure 5).⁸ That's all there is to configuring a FireWall-1 server. But how do you ensure that you haven't made any missteps?

Figure 5: Selecting Enforcement Points

To help you avoid any errors of judgment, we'll discuss what can happen if you don't properly configure your server’s operating system.

How do you avoid making big mistakes if you don't properly configure your server’s operating system? You need to implement these basic steps to avoid mistakes in the future:

The FireWall-1 UAM integration does not integrate with content security. SSO rules cannot be used in conjunction with CVP (Content Vectoring Protocol) modules.

The Meta IP 4.1 SP3 UAM does not support multiuser hosts. Any server that is providing network services to multiple users through NT authentication should have specific host-based rules above the SSO rules in the FireWall-1 rule base. Examples of this include servers that allow telnet access, Samba servers and Citrix servers.⁹

Finally, let’s examine FireWall-1 performance/security tuning tasks. This will help you identify obstacles to conquer and avoid pitfalls in getting to an end point with the server.

This final part of the article describes different changes to the FireWall-1 environment that can affect various aspects of firewall performance. Unless specifically mentioned, the techniques and methods (see "Firewall-1 Performance/Security Tuning Tasks") described equally apply to versions 4.0 and 4.1 (including CP2000) of FireWall-1.

Below is a suggested guide of methods and techniques that affect various aspects of FireWall-1 performance on different platforms.

This is by far the most important and frequently used tunable parameter.

Many important FireWall-1 performance characteristics directly or indirectly depend on the amount of memory available to FireWall-1–the number of concurrent connections FireWall-1 is able to sustain, number of concurrent encrypted tunnels and so on.

By default, FireWall-1 allocates 3 MB (Nokia, 5 MB) of memory for its use. Every simple connection (not authenticated, not encrypted and so on) requires about 70 bytes of memory. Encrypted (ISAKMP) traffic requires 3 KB per encrypted tunnel. Based on these values, calculating the amount of memory FireWall-1 will need to support any number of concurrent connections or encrypted tunnels is possible. Check Point’s tests show a good rule of thumb number for busy firewall memory allocation parameter is 16 MB.

In /etc/system

In the registry

The zap utility can be downloaded from Nokia site:

http://devsupport.iprg.nokia.com/resolutions/1261/zap

Again, a good rule of thumb is to increase the connection table limit to 50,000 (default 25,000). With that number of connections, it is also important to increase the table hash size to 65,536 (default 8,192) for faster lookups. Insufficient connection table size leads to connections being dropped and serious performance degradation. Adequate hashing noticeably improves performance.

In $FWDIR/lib/table.def file, 'connections' value:

In environments with a large (greater than 25,000) number of concurrent connections with address translation, increase the NAT table size and hash size. Insufficient NAT table size can lead to serious performance degradation.

In $FWDIR/conf/objects.C file, under under props: section:

:nat_limit (xxx) - to xxx desired value, default 25000

:Nat_hashsize (yyy) - to yyy desired value, power of 2 close to (or over) the table limit

This is especially relevant when working with Half-Word (HW) accelerator.

Add the following registry values (type DWORD):

(default 1Kbytes)

(PacketPoolSize x 2, default 2Kbytes)

This yields significant performance improvement when working with large numbers of concurrent encrypted tunnels.

Session authentication can cause up to 50 percent performance decrease in HTTP performance. The reason for that is the browser opens an HTTP connection for each item in the page, thus causing the authentication to be done for each item. Apart from using standard HTTP user authentication or client authentication, it is possible to implement undocumented implicit client authentication that will only cause session authentication for the first HTTP connection:

Exit any user interface and edit the $FWDIR/conf/objects.C file. Add the following to the props: section:

add two rules

Then install security policy.

This is applicable to both transparent and pure proxy modes:

In $FWDIR/conf/objects.C, under props: section add value:

:http_buffer_size (16384) (or 32768, default buffer size 4096)

According to Check Point’s test results, this causes up to 30 percent proxy throughput improvement.

Make sure to run multiple instances of security servers on multiprocessor systems.

In case of HTTP proxy, for dual CPU system, add the following to the objects.C file.

Here's how to tune the FireWall-1 accelerator card state machine parameters.

In /kernel/drv/luna.conf file

In the registry:1

Changing these values on Solaris significantly improves the FireWall-1 IKE (Internet Key Encryption) performance. On Windows NT, these parameters are set to zero values by default.^(g)10

There are many ways to implement firewalls on today’s corporate networks through effective performance tuning/security. Usually they can be thought of as two mechanisms: one that permits traffic and one that blocks traffic. Whether a company wishes to place more emphasis on permitting or blocking traffic is up to the individuals who set the security policies for that company. You should not leave this to the discretion of the service or product that will supply your security, because only you know what kind of protection your company needs. If you're unsure about what kind of protection is necessary, there are numerous vendors that will help in setting up a secure network.

Firewalls are designed to protect your network from attacks originating from another network. A firewall that undergoes effective performance tuning/security will allow authorized access only to the protected network and deny access to those who don't have it. Some firewalls permit only e-mail traffic through them, thereby protecting the network against any attacks other than attacks against the e-mail service. Other firewalls provide less strict protections and block services that are known to be problems. A more effective firewall will allow users on the protected network to communicate freely with the outside world–this is the reason a company connects its local area network to the Internet. If a company wants to monitor the types and amounts of traffic that are directed at its network, a firewall can effectively supply this information to the system administrator.

Finally, a firewall will not block attempts to break into a network that come from external modems or from internal attacks. In other words, a firewall will not protect against any other attacks except for those originating on external networks. If a company has top secret information that it wants to keep that way, it should not connect any machines with this information to the Internet. It is important to note that this is probably the most effective firewall to implement. Most companies would like to have some kind of Internet access available to their employees. If this is the case, then a firewall implemented at the application level will be able to supply the amount of security necessary to meet the company's needs. Finally, another important point to note is that leaks of information are far more likely to walk out the front door of the office on a floppy disk, rather than over the Internet through your firewall.