Network+ Study Guide
It is common these days to connect a corporate network to the Internet. By connecting your private network (on which only authorized users have access to the data) to a public network (on which everyone connected can reach your hosts), you introduce the possibility of security break-ins. For this reason, firewalls are implemented. A firewall protects a private network from unauthorized users on a public network.
Firewalls are usually a combination of hardware and software. The hardware is typically a computer or a dedicated device (often called a black box) with at least two network cards: one connects to the public side, the other to the private side. The software controls how the firewall operates and protects your network. It examines each incoming and outgoing packet and discards any packet that does not satisfy its rules. In general, firewalls work by forwarding only the packets that pass their security restrictions and dropping everything else (a default-deny stance).
Note | The Network+ certified system administrator usually does not have the resources to design, install, and manage a firewall. This section is to help you work in an environment where a firewall is already installed. You might also work as part of a team to install or upgrade your company’s firewall solution. This section will give you the tools you need to understand the basic operation of a firewall. |
Firewalls can be placed on top of an existing operating system or be self-contained. Black box systems are proprietary appliances that are configured through their own external controls rather than through a general-purpose operating system. If you want to use a general-purpose operating system, you have two options: Unix and Windows NT. Both can support third-party firewall products. Novell makes its own firewall product, BorderManager, which is excellent and runs on NetWare. But at the time of this writing, there are few third-party firewall products for NetWare.
Note | All Windows NT firewalls should be installed on Windows NT Server computers rather than on Windows NT Workstation computers. |
Firewall Technologies
There are many firewall technologies, and they differ in the method they use to restrict information flow. Some, such as access control lists and dynamic packet filtering, are themselves used as firewalls. Others, such as proxies and demilitarized zones, are implemented with other firewall technologies to make a more robust, complete implementation.
Access Control Lists (ACL)
The first form of defense for every network connected to the Internet is access control lists (ACLs). These lists reside on your routers and determine which traffic (identified by source and destination IP address, and often by protocol and port as well) the router will forward, and in which direction. ACLs have been around for decades and have other uses apart from a firewall. Figure 8.1 shows how these lists prevent users on Network B from accessing Network A.
Note that data from users in Network A can pass through the router into Network B. IP spoofing attacks (in which someone, presumably a hacker, forges a source address that belongs on the inside of a firewall to gain access to a network) can still occur if a host in Network B claims a Network A source address, because an ACL that matches on addresses alone cannot tell a genuine Network A packet from a forged one. (We’ll discuss IP spoofing later in this chapter.)
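The following Python, added here as an illustration and not part of the study guide, shows why an ACL that matches on addresses alone has the spoofing hole just described. Network A is assumed to be 10.1.0.0/16 and Network B 192.0.2.0/24; the interface names inside and outside are also assumed. It evaluates two ordered lists the way a router does (first match wins, implicit deny at the end) against three constructed packets: a genuine outbound packet, a packet from Network B, and a packet from Network B that forges a Network A source.

```python
"""Router ACL evaluation: ordered rules, first match wins, implicit deny (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

NET_A = ipaddress.ip_network("10.1.0.0/16")    # assumed: the protected Network A
NET_B = ipaddress.ip_network("192.0.2.0/24")   # assumed: the outside Network B
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress: str          # interface the router received it on: "inside" or "outside"


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    ingress: Optional[str]       # None matches any interface
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def evaluate(acl, pkt):
    """Walk the list in order; the first rule that matches decides.
    A packet that matches nothing is denied, as on a real router."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    for rule in acl:
        if rule.ingress is not None and rule.ingress != pkt.ingress:
            continue
        if src in rule.src and dst in rule.dst:
            return rule.action
    return "deny"


# The Figure 8.1 policy written on addresses alone: Network A may send anywhere,
# everything else falls through to the implicit deny.
ADDRESS_ONLY_ACL = [
    Rule("permit", None, NET_A, ANY),
]

# The same policy with an ingress check first: a packet carrying a Network A
# source address can only be genuine if it arrived on the inside interface.
ANTI_SPOOF_ACL = [
    Rule("deny", "outside", NET_A, ANY),
    Rule("permit", "inside", NET_A, ANY),
]

# Constructed packets: a real outbound packet, a packet from Network B,
# and a packet from Network B forging a Network A source address.
LEGIT_OUTBOUND = Packet("10.1.5.5", "192.0.2.10", "inside")
FROM_B = Packet("192.0.2.10", "10.1.0.10", "outside")
SPOOFED = Packet("10.1.5.5", "10.1.0.10", "outside")

if __name__ == "__main__":
    for name, acl in (("address-only", ADDRESS_ONLY_ACL), ("anti-spoof", ANTI_SPOOF_ACL)):
        for pkt in (LEGIT_OUTBOUND, FROM_B, SPOOFED):
            print(f"{name:12} {pkt.src} -> {pkt.dst} via {pkt.ingress}: {evaluate(acl, pkt)}")
```

The address-only list forwards the forged packet because nothing in it records where the packet arrived. The second list puts an ingress rule first: a Network A address arriving on the outside interface cannot be genuine, so it is denied before the permit rule is ever reached.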
The Demilitarized Zone (DMZ)
Most firewalls in use today implement a feature called a DMZ, which is a network segment that is neither public nor local, but halfway between. People outside your network primarily access your web servers, FTP servers, and mail-relay servers. Because hackers tend to go after these servers first, you should place them in the DMZ. A standard DMZ setup has three network cards in the firewall computer. The first goes to the Internet. The second goes to the network segment where the aforementioned servers are located, the DMZ. The third connects to your intranet.
When hackers break into the DMZ, they can see only public information. If they break into a server, they are breaking into a server that holds only public information, and the firewall should restrict what a DMZ server can reach on the internal segment; thus, the entire corporate network is not compromised. Last, stored e-mail is not exposed; only the relay server can be reached from outside. All actual mailboxes are held and read on e-mail servers inside the network. As you can see in Figure 8.2, the e-mail relay, the FTP server, and the web server are all in the DMZ, and all critical servers are inside the firewall.
Protocol Switching
Protocol switching protects data on the inside of a firewall. Because TCP/IP is the protocol used on the Internet, many external types of attacks, including the Ping of Death and SYN floods (discussed later in this chapter), are based on this protocol stack.
You can choose between two common approaches:
-
Use a different protocol (not TCP/IP) on the internal network inside the firewall. For example, IP-based attacks aimed at your development server will never have any effect if you are using IPX on the internal network side of a router. This approach makes a router a natural firewall.
-
Use TCP/IP on both the internal network and the Internet, and use a different protocol in a dead zone between them. For example, switch from IP to IPX in a dead zone, and then switch back to IP again once inside your network.
You can see both approaches in Figure 8.3. Notice the position of the dead zone between two of the routers, and also notice that the only protocol on the inside of either router is IPX. Any TCP/IP packet from the Internet is unable to pass into the local network because of the difference in protocols.
Note | In both approaches, only the internal network is protected. You still need a firewall to handle any attacks on your network’s access point and protocol-switching device. |
Dynamic Packet Filtering
Packet filtering is the ability of a router or a firewall to discard packets that don’t meet certain criteria. Firewalls use dynamic packet filtering to ensure that the packets they forward belong to sessions initiated on the private side of the firewall. A dynamic state list (also known as a state table), held on the firewall, keeps track of all communications sessions between stations inside the firewall and stations outside the firewall. Entries are added when a session is opened from inside and deleted when the session closes or times out. Dynamic state lists allow a firewall to filter packets dynamically, which is why this technique is also called stateful inspection.
In dynamic packet filtering, only packets for current (and valid) communications sessions are allowed to pass. Someone trying to play back a communications session (such as a login) to gain access will be unsuccessful if the firewall is using dynamic packet filtering with a dynamic state list, because the replayed data would not be recognized as part of a currently valid session. The firewall filters out (or “drops”) every packet that does not correspond to a current session, using the information in the dynamic state list. For example, a computer in Network A requests a Telnet session with a server in Network B. The firewall between the two records the session (the addresses and ports at both ends, and the sequence numbers each side is expected to use next) when it sees the outbound request. Only packets that are part of this current communication session are allowed back into Network A through the firewall.
Figure 8.4 shows a failed attempt to infiltrate a network that is protected with a dynamic state list. Notice that the hacker attempts to insert a packet into the communication stream but fails because he did not have the correct sequence number. The firewall was waiting for a specific order of packets, and the hacker’s packet was out of sequence.
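As an added example (not code from the study guide), the following Python models a dynamic packet filter for TCP: a state table keyed on the session endpoints, created only by a SYN from the private side (assumed here to be 10.1.0.0/16), and a sequence-number check on every packet that comes back in. The constructed packets walk through the Telnet session from the text and then the two failures from Figure 8.4: a replayed server packet with a stale sequence number and a packet from a host nobody inside talked to.

```python
"""Dynamic (stateful) packet filter for TCP with a state table (added example)."""
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("10.1.0.0/16")   # assumed address range of the private side


@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str           # letters from "SAF": SYN, ACK, FIN
    seq: int             # sequence number of the first byte this segment carries
    payload_len: int = 0


class StatefulFirewall:
    """Forwards only packets that belong to a session opened from the inside."""

    def __init__(self):
        # (inside_ip, inside_port, outside_ip, outside_port) -> session entry
        self.state_table = {}

    @staticmethod
    def _classify(pkt):
        """Return the table key (always inside endpoint first) and the direction."""
        if ipaddress.ip_address(pkt.src) in INSIDE:
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport), "outbound"
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport), "inbound"

    def filter(self, pkt):
        """Return 'forward' or 'drop', updating the state table as a side effect."""
        key, direction = self._classify(pkt)
        entry = self.state_table.get(key)

        if direction == "outbound":
            if entry is not None:
                return "forward"            # continuation of a tracked session
            if pkt.flags == "S":            # only a bare SYN may open a new session
                self.state_table[key] = {"state": "SYN_SENT", "expect_in": None}
                return "forward"
            return "drop"

        # Inbound: nothing is admitted unless an inside host asked for it.
        if entry is None:
            return "drop"
        if entry["state"] == "SYN_SENT":
            if pkt.flags == "SA":
                entry["state"] = "ESTABLISHED"
                entry["expect_in"] = pkt.seq + 1   # the SYN itself consumes one number
                return "forward"
            return "drop"
        # ESTABLISHED: the segment must carry exactly the next byte we expect.
        if pkt.seq != entry["expect_in"]:
            return "drop"                   # replayed or injected: out of sequence
        entry["expect_in"] += pkt.payload_len + (1 if "F" in pkt.flags else 0)
        return "forward"


if __name__ == "__main__":
    fw = StatefulFirewall()
    client, server = "10.1.2.3", "203.0.113.7"      # constructed Telnet session
    trace = [
        TcpPacket(client, 40000, server, 23, "S", 1000),
        TcpPacket(server, 23, client, 40000, "SA", 5000),
        TcpPacket(client, 40000, server, 23, "A", 1001),
        TcpPacket(server, 23, client, 40000, "A", 5001, 20),
        TcpPacket(server, 23, client, 40000, "A", 5001, 20),        # replay of the last packet
        TcpPacket("203.0.113.9", 23, client, 40000, "A", 5021, 5),  # nobody inside asked
        TcpPacket(server, 23, client, 40000, "A", 5021, 10),
    ]
    for pkt in trace:
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} seq={pkt.seq}: {fw.filter(pkt)}")
```

A production firewall accepts a window of sequence numbers rather than one exact value, tracks both directions, handles FIN and RST teardown, and ages idle entries out of the table; those details are left out here so the mechanism stays visible.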
Proxy Servers
Proxy servers (also called proxies, for short) act on behalf of a network entity (either client or server) to completely separate packets from internal hosts and from external hosts. Let’s say an internal client sends a request to an external host on the Internet. The request is first sent to a proxy server, where it is examined, broken down, and handled by an application. That application then creates a new packet requesting information from the external server. Figure 8.5 shows the process. Note that this exchange is between applications at the Application layer of the OSI model.
Proxies are good firewalls because the entire packet is dissected, and each section can be examined for invalid data at each layer of the OSI model. For example, a proxy can examine a packet for information contained in everything from the packet header to the contents of the message. Attachments can also be checked for viruses. Messages can be searched for keywords that might indicate unwanted or sensitive content.
You can use this type of searching to prevent sensitive information from exiting your organization with the outbound data stream. If your sensitive documents contain a header or footer that includes the words MyCompanyName Confidential, you can set up your proxy server software to search for those keywords. This level of detailed searching degrades performance, however, because it is more time-intensive than checking state lists.
There are many types of proxy servers, including IP, web, FTP (File Transfer Protocol), and SMTP (Simple Mail Transfer Protocol). Each type is used for a different purpose and uses different methods.
IP Proxy
An IP proxy hides the IP addresses of all stations on the internal network by substituting its own IP address for the address of any requesting station. You do not want a hacker to know IP addresses specific to your internal network. Web servers on the Internet will also be unable to determine the specific IP address from which a request is being sent. All communications look as if they originate from the proxy server. This function is usually provided by Network Address Translation (NAT), which rewrites the addresses in packet headers and keeps a translation table so that replies can be routed back to the right inside host. Strictly speaking, NAT is address rewriting rather than a proxy: it does not terminate the connection or inspect the application data the way the proxies described next do.
Web (HTTP) Proxy
Web proxies (also called HTTP [Hypertext Transfer Protocol] proxies) handle HTTP requests on behalf of the sending workstation. When implemented correctly, a client’s web browser asks for a web page on the Internet using an HTTP request. Because the browser is configured to make HTTP requests through an HTTP proxy, it sends the request (carrying the full URL of the page) to the proxy server instead of to the web server. The proxy server opens its own connection to the Internet web server and sends the request from its own network address, so the web server sees only the proxy’s address. The response therefore comes back to the proxy, which passes it to the original sender over the connection the browser opened to it.
The most popular implementation of a web proxy is a proxy cache server. This server receives an HTTP request from a web browser and then makes the request on behalf of the sending workstation. When the requested page is returned, the proxy server caches a copy of the page locally. The next time someone requests the same web page or Internet information, the page can be delivered from the local cache instead of the proxy server having to formulate a new request to the web server on the Internet. This speeds up web surfing for commonly accessed pages. Web proxies can also increase network security by filtering out content that is considered insecure, such as executables, scripts, or viruses.
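The following Python, added here and not taken from the study guide, puts the pieces of the last few paragraphs into one small forward proxy: it parses a browser’s proxy request (which carries the full URL), rewrites it into the request the proxy sends on its own connection (Host set from the URL, hop-by-hop headers removed, a Via header added), caches successful GET responses, refuses responses whose content type marks an executable, and blocks outbound bodies carrying the “MyCompanyName Confidential” marker from the proxy-server section above. The proxy hostname, the blocked content types and the stand-in origin server are all assumptions; the requests are constructed inline.

```python
"""Forward HTTP proxy: request rewriting, caching and content checks (added example)."""
from urllib.parse import urlsplit

PROXY_NAME = "proxy.example.internal"            # assumed name of this proxy
HOP_BY_HOP = {                                   # headers that never cross a proxy (RFC 2616)
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailers", "transfer-encoding", "upgrade", "proxy-connection",
}
BLOCKED_TYPES = {"application/x-msdownload", "application/octet-stream"}  # assumed policy
CONFIDENTIAL_MARKER = b"MyCompanyName Confidential"


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def rewrite_for_origin(method, target, headers):
    """Turn the browser's proxy-form request (absolute URL) into the origin-form
    request the proxy sends on its own connection. The server sees the proxy's
    address because the TCP connection to it belongs to the proxy."""
    url = urlsplit(target)
    if url.scheme != "http" or not url.netloc:
        raise ValueError("proxy requests must carry an absolute http:// URL")
    path = url.path or "/"
    if url.query:
        path += "?" + url.query
    out = {k: v for k, v in headers.items() if k not in HOP_BY_HOP}
    out["host"] = url.netloc
    out["via"] = "1.1 " + PROXY_NAME      # tells the origin a proxy was involved
    return url.netloc, f"{method} {path} HTTP/1.1", out


class Proxy:
    def __init__(self, origin):
        self.origin = origin   # callable(host, request_line, headers, body) -> (status, headers, body)
        self.cache = {}        # URL -> (status, body) for successful GETs

    def handle(self, raw):
        """Return (status, body, source) where source is 'blocked', 'cache' or 'origin'."""
        method, target, headers, body = parse_request(raw)
        if CONFIDENTIAL_MARKER in body:        # outbound keyword check
            return 403, b"outbound content blocked", "blocked"
        if method == "GET" and target in self.cache:
            status, cached = self.cache[target]
            return status, cached, "cache"
        host, request_line, out_headers = rewrite_for_origin(method, target, headers)
        status, resp_headers, resp_body = self.origin(host, request_line, out_headers, body)
        ctype = resp_headers.get("content-type", "").split(";")[0].strip().lower()
        if ctype in BLOCKED_TYPES:             # inbound content filter
            return 403, b"blocked content type", "blocked"
        if method == "GET" and status == 200:
            self.cache[target] = (status, resp_body)
        return status, resp_body, "origin"


class FakeOrigin:
    """Constructed stand-in for the Internet web server; records what it was asked."""
    def __init__(self):
        self.requests = []

    def __call__(self, host, request_line, headers, body):
        self.requests.append((host, request_line, headers))
        path = request_line.split(" ")[1]
        if path == "/setup.exe":
            return 200, {"content-type": "application/x-msdownload"}, b"MZ..."
        return 200, {"content-type": "text/html; charset=utf-8"}, b"<html>hello</html>"


if __name__ == "__main__":
    origin = FakeOrigin()
    proxy = Proxy(origin)
    page = (b"GET http://www.example.com/index.html HTTP/1.1\r\n"
            b"Host: www.example.com\r\nProxy-Connection: keep-alive\r\n\r\n")
    print(proxy.handle(page))   # fetched from the origin
    print(proxy.handle(page))   # served from the cache
    print(origin.requests[0][1], origin.requests[0][2])
```

Note what the origin receives: an origin-form request line, a Host header taken from the URL, no Proxy-Connection header, and a Via header naming the proxy. The keyword check looks only at the request body, so it would not see the marker inside an encrypted (HTTPS) connection tunneled through the proxy; a real deployment has to decide whether to terminate such connections or let them pass uninspected.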
FTP Proxy
FTP proxies handle the uploading and downloading of files from a server on behalf of a workstation. An FTP proxy operates in a fashion similar to that of a web proxy. As with web proxies, FTP proxies can filter out undesirable content (viruses and the like).
SMTP Proxy
SMTP proxies handle Internet e-mail. Here, the actual contents of the packet and mail can be automatically searched. Any packets or messages that contain material that is not considered secure can be blocked. Many SMTP proxies allow network virus protection software to scan inbound mail.
Note | Not every firewall falls into a category. Traditional firewall vendors are adding features to their firewalls to make them difficult to classify. Vendors who traditionally offered packet-filtering solutions are now also offering proxy solutions, and vendors who traditionally offered proxy solutions are now also offering packet-filtering solutions. The network administrator can now get a packet-filtering firewall and a proxy firewall combined into one product. Dual-style firewalls are considered hybrids. |
Security Protocols
The security of data that is traversing the Internet is of prime concern to many people, including business owners. For the most part, data is sent across the Internet without any encryption or security. Sensitive data, however, is usually sent using one of several different security protocols. Security protocols are those sets of conditions or rules that define how a secure connection is maintained when transmitting data via an unsecure medium (like the Internet). The Network+ exam tests your knowledge of four of the most popular. They are:
-
L2TP
-
IPSec
-
SSL
-
Kerberos
L2TP
The Layer 2 Tunneling Protocol (L2TP) is a protocol designed by the Internet Engineering Task Force (IETF) that tunnels PPP frames, and therefore non-TCP/IP protocols, across virtual private networks (VPNs) over the Internet. It combines features of the Microsoft Point-to-Point Tunneling Protocol (PPTP) and Cisco’s Layer 2 Forwarding (L2F) technology. Because it operates at the Data Link layer (Layer 2) of the OSI model, it supports many different protocols, such as IPX and AppleTalk. It’s a good protocol to implement when you have two non-TCP/IP networks that need to be connected via the Internet. Note that L2TP by itself provides tunneling but no encryption; in practice it is paired with IPSec (L2TP/IPSec) to protect the tunneled traffic.
IPSec
IP Security, or IPSec, is a set of security protocols designed by the IETF to provide authentication and encryption for IP traffic over the Internet. IPSec works at the Network layer of the OSI model (Layer 3) and therefore secures all applications that operate above it (Layer 4 and above) without any change to those applications. Additionally, because it was designed by the IETF to work with both IPv4 and IPv6, it has broad industry support and is quickly becoming the standard for VPNs on the Internet.
SSL
The Secure Sockets Layer (SSL) security protocol was developed by Netscape for integration into its Navigator browser. SSL uses public key cryptography (RSA, in the original implementations) to authenticate the server and to establish a session key, and then symmetric encryption to protect the data, providing secure connections at the Session layer over the Internet. It is service-independent, so many different network applications can be secured using SSL. The HTTP Secure (HTTPS) protocol is HTTP carried over SSL. The IETF later standardized SSL’s successor, starting from SSL 3.0, as Transport Layer Security (TLS); the SSL versions themselves have since been found to have weaknesses and should no longer be enabled.
Kerberos
Kerberos is not just a protocol, but an entire security system. Created at MIT, it establishes a user’s identity when they first log on to a system that uses Kerberos, by issuing the user a ticket from a trusted Key Distribution Center (KDC). That ticket and its security credentials are then used throughout an entire logon session, so the user’s password never has to be presented to each individual service. It uses strong symmetric encryption to protect the tickets and the authentication exchanges. The MIT reference implementation is freely available, and its source code can be downloaded from MIT and many mirror sites on the Internet.
Comparing Firewall Operating System Platforms
Most firewalls are implemented as a combination of hardware and software. The hardware is typically a server-class machine. The software is usually specially written and sits on top of an NOS. Firewalls are typically dedicated computers (that is, they don’t do file/print serving or perform any other network function).
Let’s briefly look at each of the four major network operating systems and how each implements a firewall.
Note | Remember that in addition to firewall software, you need at least two NICs (some firewall products use three) to have a functional firewall. |
The Unix Operating System
Unix is the operating system on which the Internet was built and, as such, is also the platform on which most firewall products were first developed. In Unix, you can unload and lock down individual services. This means that you can configure a Unix server so that only the firewall service is up and running. Proponents of Unix argue that it is more secure than other operating systems because nonessential services can be removed, though knowledgeable Microsoft or Novell administrators can do the same with Windows and NetWare.
To support multiple segments, the firewall needs a number of network interface cards. An advantage of using Unix-based firewalls is that they allow the most network cards (more than 32). NetWare has a practical limit of 16, and Windows is currently limited to 4.
As you learned in Chapter 3, Unix is a command-line based operating system and, thus, doesn’t lend itself to the most friendly firewall platform in the world. However, since the introduction of the X Window interface (and firewall software’s adoption of it), Unix-based firewalls have become easier to use.
Finally, because firewalls must examine hundreds, even thousands, of packets per second, speed is a major factor in all firewall platforms. Many companies make security products for both Unix and Windows NT/2000. Unix implementations tend to be significantly faster than Windows NT/2000 implementations. If you’re communicating over a T1 line, however, platform speed won’t create a bottleneck. This only becomes a problem when your corporation gets into the higher connection speeds that T3, OC3, and other connections provide (and, therefore, your firewall must be examining more packets per second). In these cases, you should consider Unix-based firewall implementations.
NetWare
NetWare, through the leverage of NDS, provides for easy network administration through NetWare Administrator, the graphical utility that runs on Windows 95/98 and Windows NT/2000. The primary firewall is Novell’s own product, BorderManager. BorderManager installs onto NetWare servers and has a NetWare Administrator snap-in. With this feature, you can continue to use familiar NetWare tools to manage the many aspects of your network, including the firewall.
As a firewall platform NetWare offers two major benefits: speed (which is discussed below) and client compatibility. NetWare is compatible with just about every client platform, including Mac OS, Windows 95/98, Windows NT/2000, DOS, and OS/2. NetWare (with BorderManager) can offer firewall protection for all of these client platforms.
BorderManager integrates with NDS and thus can be managed with NetWare’s single administration utility, NetWare Administrator. This makes BorderManager an easy-to-use firewall product, especially for experienced NetWare network administrators.
NetWare’s core operating system has been optimized for the Intel platform, which is cheap and widely available. Apart from Unix running on a RISC processor, NetWare is considered by the IT industry the fastest, and most efficient, network operating system. BorderManager running on NetWare is one of the fastest firewall software packages available.
Windows NT/2000
As Windows NT and 2000 become more and more popular, firewall developers are porting their software from Unix to Windows. However, because of security problems associated with Windows (see the WinNuke discussion later in this chapter), it doesn’t rival Unix or NetWare for firewall installations. As these problems are solved (through patches and other fixes, and likely in future editions of Windows), Windows NT and 2000 will gain ground in the firewall market.
Most third-party, Windows-based firewalls can integrate with Windows Domain/Active Directory security. This allows proxies to use Windows usernames and passwords.
The primary advantage of a Windows firewall is that it can be managed through a graphical user interface, as can Windows itself. Windows servers (and thus firewalls based on them) are more intuitive to the general user than a Unix operating system, with almost the same level of features. If your network support staff is well versed in Windows, the learning curve for a new firewall will not be as steep as that for another operating system.
Windows, however, isn’t the fastest NOS platform, mainly because of the overhead required to maintain the graphical interface; thus, firewalls running on it aren’t the fastest. To address this issue, some firewall vendors are adding hardware accelerator cards to increase firewall throughput. Microsoft is advancing the line of Windows servers to utilize more than a dozen CPUs and gigabytes of memory in one box so that performance can be increased to much higher levels. These new features will make Windows NT much faster and thus more effective as a firewall platform. With the advent of Windows 2000 servers, high-end throughput speeds are possible.
The Black Box
A black box firewall implementation is your fourth choice. You do not know what operating system is inside the box, but it is definitely not Windows. It might be a special implementation of Unix or a completely proprietary system. These implementations tend to have the fastest throughput because they are designed specifically as firewalls, rather than as file and print network operating systems that run firewall software. Cisco’s PIX Firewall is an example of a proprietary black box system.
The major feature of a black box firewall is simplicity. You don’t have to worry about extraneous features such as file or print services. The box is only a firewall, not a server and a firewall.
Ease of use is not, however, a feature of a black box, which often lacks a screen or an input device. The administrator must configure it over a serial console cable or a network management connection from another machine. This is not typically a problem with firewalls that don’t require significant configuration (as in simpler network implementations). In this case, once the firewall is configured, you can pretty much leave it alone.
Given the dedicated nature of black box firewalls (they aren’t used to provide other network services) and that they are designed from the ground up as firewalls, they are often very efficient and fast. They use RISC processors and operating systems designed specifically for a firewall. Unfortunately, black boxes cannot be upgraded easily and often must be replaced as new technology is released.