The "No Network is 100% Secure" series
- Firewalls -
A White Paper
All rights reserved - may not be copied without permission
Easyrider LAN Pro, NOC Design Consultants
Why are firewalls needed?: Firewalls have been around for decades. However, it was not uncommon to visit a data center that did not have firewall protection as recently as 2004 or so. Prior to around 2000, hackers, crackers, virus attacks and so on were typically viewed by IT Managers as more of a nuisance than as a serious threat to the safety, security, reliability and integrity of their enterprise. Dealing with these activities was (and still is, to some degree) viewed as "unproductive" work, since blocking unwanted access to a network is generally related more to revenue protection than it is to revenue generation. However, these days, the decision of whether to assign resources and spend money to protect against hackers, crackers, viruses, denials of service and so on is no longer open to discussion. Once the realm of so-called "script kiddies", hacking, phishing and other illegal activities are now big business. Serious criminal organizations are now involved in many of these attacks. Consequently, IT Managers have been forced to allocate much more money and resources for network and data center security than ever before. Current estimates are that about one third of today's IT budget goes towards protecting the network from illegal intrusions and attacks. Helping IT Managers select and deploy enterprise security mechanisms and best practices has kept Consultants like myself quite busy in recent years.
What is a firewall?: In its simplest form, a firewall is a mechanism that is designed to prevent unauthorized access to or from a private network. This methodology is typically implemented by placing a firewall computer, appliance, device or capability at the entry point into the IT data center. The firewall is typically set to block ports and services that are not allowed anywhere within the enterprise. For example, most IT organizations do not allow Telnet access to anything. Therefore, port 23 (Telnet) would typically be blocked from any IP address to any address. Some Data Centers, such as remote colo, have the need for Administrators to be able to connect to servers remotely, so the main firewall might be set to allow SSH (port 22), but only for packets originating from specific IP addresses belonging to authorized Admin computers. Many IT Organizations will also block all UDP packets, no matter where they originate from. This type of firewall methodology is very effective in keeping the meteor-sized chunks of mal-intended traffic out of a network.
There are, however, some services that simply cannot be blocked at the border. An example would be SMTP (port 25), which is used to transmit e-mail. There are ways to get around this that are beyond the scope of this paper, but for now, suffice it to say that blocking all incoming SMTP packets is not realistic. So networks have all of these SMTP packets running around looking for vulnerabilities to exploit and ads for Viagra looking for e-mail addresses to spam. This is an over-simplified example, to be sure. But the way to effectively block unwanted traffic on a computer-to-computer basis is with an "on the box" firewall. This would be implemented using IPF, IP Tables, IP Chains or, in the case of a PC, with something like ZoneAlarm. The "on the box" firewall in our example case would be set to block everything except for required services such as port 25, port 22 and possibly POP (port 110), IMAP, Webmail and so forth. In this way, even if a hacker were able to get past the main firewall, the intrusion attempt would be blocked further down the line. Of course the best strategy is to block bad people as soon as possible, so that's where "best practices", Intrusion Detection Systems (IDS), utilizing a "DMZ" and things of that nature come in.
As an example, a very simple but often overlooked best practice is to turn off all services that are not needed on every computer and server in the network. There are literally thousands of "port scans" going on at any given time, looking for vulnerabilities in your network to exploit. Firewall port blocking and turning off unneeded services will greatly reduce your risk of having a vulnerability exploited.
However, all of that aside, in our simple, one mail server network example, the objective would be to set the "on the box" firewall rules so tight that even if the main firewall wasn't there, the mail server would still be protected. It would also be a wise best practice to keep the e-mail application service patched to the latest revision and to protect against having a lax server configuration that begs to be exploited by a clever hacker.
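To make the two-layer policy above concrete, here is an added example (not code from the paper or from Easyrider LAN Pro) that models the border firewall and the mail server's "on the box" firewall as first-match rule chains and shows that the host still protects itself when the border is absent. The admin subnet and test addresses are constructed for illustration; real rule sets would be written in IPF, iptables or similar.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str     # source IPv4 address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str = "any"
    dport: Optional[int] = None  # None matches every port
    src: str = "0.0.0.0/0"       # CIDR; 0.0.0.0/0 matches any source

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and ip_address(pkt.src) in ip_network(self.src))

def evaluate(rules, pkt, default):
    """First matching rule wins; otherwise the chain's default policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

ADMIN_NET = "203.0.113.0/28"  # constructed admin subnet, not from the paper
# Border firewall as the paper describes it: Telnet blocked any-to-any, SSH
# only from admin hosts, all UDP dropped, everything else passed inward.
BORDER = [
    Rule("deny", "tcp", 23),
    Rule("allow", "tcp", 22, ADMIN_NET),
    Rule("deny", "tcp", 22),
    Rule("deny", "udp"),
]

# "On the box" firewall on the mail server: default deny, required services only.
MAIL_HOST = [
    Rule("allow", "tcp", 25),
    Rule("allow", "tcp", 110),
    Rule("allow", "tcp", 22, ADMIN_NET),
]

# Final decision for a packet aimed at the mail server, with or without the border.
def verdict(pkt: Packet, border_up: bool = True) -> str:
    if border_up and evaluate(BORDER, pkt, "allow") == "deny":
        return "deny"
    return evaluate(MAIL_HOST, pkt, "deny")
```

The border chain defaults to allow, so a packet to an unlisted port such as 8080 sails through it and is only stopped by the host's default-deny chain; with `border_up=False` every required service stays reachable and everything else is still refused.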
Will implementing firewalls as described protect my network 100%?: Unfortunately, no. Not even close, although this was a common misperception when IT Managers first started deploying firewalls some ten years ago. Installing a firewall is sort of like putting a "kill switch" in your car. It's still easy enough to steal the car... it's just that the crooks have to work a little to do so. Even with aggressive firewall deployment, networks are still beaucoup exposed.
This issue is further clouded by sales people, in some cases. IT Managers are sometimes led to believe that security is an issue that technology alone can solve. Spend enough money (buying products that this salesman sells) and poof! The problem goes away! Consider this: you can purchase the biggest and very best firewall product that's out there. But if it's installed haphazardly and if it is configured with a silly, ineffective rule set, you're pretty much as vulnerable as if you had no firewall at all! In my opinion, IT managers would do better investing in making sure that the core security fundamentals are in place before pulling out their checkbook.
So then what?: IT managers need to understand the problem before they can fix the problem. I would recommend doing an audit and testing the network for vulnerabilities as a first step. Once management understands where the biggest holes are, a responsive and sensible project plan can be developed to address the greatest areas of weakness. If a comprehensive testing methodology is in place, it will be a lot easier to measure how effective various security initiatives have been in tightening up the network. Laying solid groundwork is key to implementing projects that deliver effective results.
Other White Papers in this "No Network is 100% Secure" series delve into this issue further. White papers are being written to include best practices, trojans, virus attacks, bots, denial of service (DoS) attacks, phishing, phlashing and other security topics of interest to IT Managers and others. We welcome your feedback. We can also put on security oriented seminars for interested groups and organizations. These are done in conjunction with our Partner, Tektel in Beaverton, Oregon. IT Organizations are also welcome to engage Easyrider LAN Pro to do security assessments and best practice consulting to look at specific problems and concerns that you might have.
Easyrider LAN Pro is also a premier Network Operation Center (NOC) design consultancy, having designed and deployed many of the area's enterprise class NOCs. No matter how careful you are and no matter how secure your network is, it's just a question of when, not if, your data center gets hacked. So then it becomes a question of how long will it take your Administrators to notice the virus, bot, trojan, DoS or whatever was done? With a comprehensive, proactive, professionally staffed NOC and professional grade monitoring software, the answer is: probably not very long (as in seconds/minutes). With a NOC designed and built by Easyrider LAN Pro the answer is usually: your NOC Techs should see the attack in progress and will probably be able to stop it before any serious damage is done. Please feel free to contact Easyrider LAN Pro if you'd like to discuss deploying a NOC or upgrading your existing monitoring capabilities.
Next in the security white paper series:
Virus White Paper
Cloud Computing White Paper
Conficker White Paper
SPAM White Paper
Best Practices White Paper
Denial of Service DoS White Paper
Trojan Virus Attacks White Paper
Port Scanning White Paper
Virtual Machine Security White Paper
Monitoring Basics 101 White Paper
Power Grid Aurora Vulnerability White Paper
Shelfware White Paper
Last modified March 25, 2009
Copyright 1990-2009 Easyrider LAN Pro