Firewalls And Infrastructure Security

Firewalls and Infrastructure Security

A firewall is a network device, hardware, software, or a combination of the two, whose purpose is to enforce a security policy across its connections. It is comparable to a wall that has a window where the wall serves to keep things out, except those permitted through the window. A security policy acts like the glass in the window; it permits some things to pass, light, while blocking others, air. The heart of a firewall is the security policy that it enforces.

Security policies are a series of rules that define what traffic is permissible and what traffic is to be blocked or denied. These are not universal rules, and there are many different sets of rules for a single company with multiple connections. A web server connected to the Internet may be configured only to allow traffic on port 80 for HTTP, and have all other ports blocked. An e-mail server may have only necessary ports for e-mail open, with others blocked. A key to security policies for firewalls is the same as has been seen for other security policies, the principle of least access. Only allow the necessary access for a function, block or deny all unneeded functionality. How an organization deploys its firewalls determines what is needed for security policies for each firewall.

The security topology will determine what network devices are employed at what points in a network. At a minimum, the corporate connection to the Internet should pass through a firewall. This firewall should block all network traffic except that specifically authorized by the security policy. Blocking communications on a port is simple; just tell the firewall to close the port. The issue comes in deciding what services are needed and by whom, and thus which ports should be open and which should be closed. This is what makes a security policy useful.

The perfect security policy is one that the end user never sees and one that never allows even a single unauthorized packet to enter the network. As with any other perfect item, it will be rare to find the perfect security policy for a firewall.

In order to develop a complete and comprehensive security policy, it is first necessary to have a complete and comprehensive understanding of your network resources and their uses. Once you know what your network will be used for, you will have an idea of what to permit. Also, once a system administrator understands what they need to protect, they will have an idea of what to block.

Firewalls are designed to block attacks before they get to a target machine. Common targets are web servers, e-mail servers, DNS servers, FTP services, and databases. Each of these has separate functionality, and each of these has separate vulnerabilities. Once you have decided who should receive what type of traffic and what types should be blocked, you can administer this through the firewall.

Firewalls enforce the established security policies. They can do this through

a variety of means, including

* * Network Address Translation (NAT)

* * Basic packet filtering

* * Stateful packet filtering

* * Access Control Lists

* * Application layer proxies

One of the most basic security functions provided by a firewall is Network Address

Translation, or NAT. This service allows you to mask significant amounts of information

from outside of the network. This allows an outside entity to communicate with an entity

inside the firewall without truly knowing its address.

Basic packet filtering, the next most common firewall technique, involves looking at packets, their protocols and destinations, and checking that information against the security policy. Telnet and FTP connections may be prohibited from being established to a mail or database server, but they may be allowed for the respective service servers. This is a fairly simple method of filtering based on information in each packet header, like IP

addresses and TCP/UDP ports. This will not detect and catch all undesired packets, but

it is fast and efficient.

To look at all packets, determining the need for each and its data, requires stateful

packet filtering, or stateful packet inspection. Advanced firewalls employ stateful packet filtering to prevent several types of undesired communications. Should a packet come from outside the network, in an attempt to pretend that it is a response to a message from inside the network, the firewall will have no record of it's being requested and can discard it, blocking access. As many communications

...