The "No Network is 100% Secure" series
- Firewalls -
A White Paper
All rights reserved - may not be copied without permission
Easyrider LAN Pro, NOC Design Consultants
Contact Us
Why are firewalls needed?: Firewalls have been around for decades. However it was
not uncommon to visit a data center that did not have firewall protection
as recently as 2004 or so. Prior to around 2000, hackers, crackers, virus attacks
and so on were typically viewed by IT Managers as more of a nuisance than as a
serious threat to the safety, security, reliability and integrity of their
enterprise. Dealing with
these activities was (and still is, to some degree) viewed as "unproductive"
work, since blocking unwanted access to a network is generally related more to
revenue protection than it is to revenue generation. However, these days, the
decision of whether to assign resources and spend money to protect against
hackers, crackers, viruses, denials of service and so on is no longer open to
discussion. Once the
realm of so-called "script kiddies", hacking, phishing and other illegal activities
is now big business. Serious criminal organizations are now involved in many of
these attacks. Consequently, IT Managers have been forced to allocate much more
money and resources for network and data center security than ever before.
Current estimates are that about one third of today's IT budget goes towards
protecting the network from illegal intrusions and attacks.
Helping IT Managers select and deploy enterprise security mechanisms and best practices
has kept Consultants like myself quite busy in recent years.
What is a firewall?: In it's simplest form, a firewall is a mechanism that is
designed to prevent unauthorized access to or from a private network. This
methodology is typically implemented by placing a firewall computer, appliance,
device or capabilities at the entry point into the IT data center. The firewall
is typically set to block ports and services that are not allowed anywhere within
the enterprise. For example, most IT organizations do not allow Telnet access to
anything. Therefore, port 23 (Telnet) would typically be blocked from any IP address
to any address. Some Data Centers, such as remote colo, have the need for
Administrators to be able to connect to servers remotely, so the main firewall
might be set to allow SSH (port 22), but only for packets originating from specific
IP addresses belonging to authorized Admin computers. Many IT Organizations will
also block all UDP packets, no matter where they originate from. This type of
firewall methodology is very effective
in keeping the meteor sized chunks of mal-intended traffic out of a network.
There are, however, some services that simply cannot be blocked at the border.
An example would be SMTP (port 25) which is used to transmit e-mail. There are
ways to get around this that are beyond the scope of this paper, but for now,
suffice it to say that blocking all incoming SMTP packets is not realistic. So
networks have all of these SMTP packets running around looking for vulnerabilities to
exploit and ads for Viagra looking for e-mail addresses to spam. This is an over-
simplified example, to be sure. But the way to effectively block unwanted traffic
on a computer
to computer basis is with an "on the box" firewall. This would be implemented
using IPF, IP Tables, IP Chains or in the case of a PC, with something like
Zonealarm. The "on the box" firewall" in our example case would be set to block
everything except for
required services such as port 25, port 22 and possibly POP (port 110), IMAP
Webmail and so forth.
In this way, even if a hacker was able to get past the main firewall, the intrusion
attempt would be blocked further down the line. Of course the best strategy is to
block bad people as soon as possible so that's where "best practices", Intrusion
Detection Systems (IDS), utilizing a "DMZ" and things of that nature come in.
As an example, a very simple but often overlooked best practice is to turn off
all services that are not needed on every computer and server in the network.
There are literally thousands of "port scans" going on at any given time, looking
for vulnerabilities in your network to exploit. Firewall port blocking and turning off
unneeded services will greatly reduce your risk of having a vulnerability
exploited.
However, all of that aside, in our simple, one
mail server network example, the objective would be to set the on the box firewall
rules so tight that even if the main firewall wasn't there, the mail server would
still be protected. It would also be a wise best practice to keep the e-mail
application service patched to the latest revision and to protect against having
a lax server configuration setup that begs to be exploited by a clever hacker.
Will implementing firewalls as described protect my network 100%?:
Unfortunately, no. Not even
close, although this was a common misperception when IT Managers first started
deploying firewalls some ten years ago. Installing a firewall is sort of like
putting a "kill switch" in your car. It's still easy enough to steal the car...
it's just that the crooks have to work a little to do so. Even with aggressive
firewall deployment, networks are still beaucoup exposed.
This issue is further clouded by sales people, in some cases. IT Managers are
sometimes led to believe that security is an issue that technology alone can
solve. Spend enough money (buying products that this salesman sells) and poof!
The problem goes away! Consider this: you can purchase the biggest and very best
firewall product that's out there. But if it's installed haphazardly and if it is
configured with a silly, ineffective rule set, you're pretty much as
vulnerable as if you had no firewall at all! In my opinion, IT managers would
do better investing in making sure that the core security fundamentals are in
place before pulling out their checkbook.
So then what?: IT managers need to understand the problem before they can fix
the problem. I would recommend doing an audit and testing the network for
vulnerabilities as a first step. Once management understands where the biggest
holes are, a responsive and sensible project plan can be developed to address
the greatest areas of weakness. If a comprehensive testing methodology is in
place, it will be a lot easier to measure how effective various security
initiatives have been in tightening up the network. Laying solid groundwork is
key to implementing projects that deliver effective results.
Other White Papers in this "No Network is 100% Secure" series delve into this issue
further.
White papers are being written to include best practices, trojans, virus attacks,
bots, denial of service (DoS) attacks, phishing, phlashing and other security topics
of interest
to IT Managers and others. We welcome your feedback. We can also put on security
oriented seminars for interested groups and organizations. These are done in
conjunction with our Partner, Tektel In Beaverton, Oregon. IT Organizations are
also welcome to engage
Easyrider LAN Pro
to do security assessments and best
practice consulting to look at specific problems and concerns that you might have.
Easyrider LAN Pro
is also a premier Network Operation Center (NOC) design
consultancy, having designed and deployed many of the area's enterprise class
NOCs. No matter how careful you are and no matter how secure your network is, it's
just a question of when, not if, your data center gets hacked. So then it becomes
a question of how long will it take your Administrators to notice the virus, bot,
trojan, DoS or whatever was done? With a comprehensive, proactive, professionally
staffed NOC and professional grade monitoring software, the answer is: probably not
very long (as in seconds/minutes). With a NOC designed and built by
Easyrider LAN Pro
the answer is usually:
your NOC Techs should see the attack in progress and will probably be able to stop it
before any serious damage is done. Please feel free to contact
Easyrider LAN Pro if you'd like to
discuss deploying a NOC or upgrading your existing monitoring capabilities.
Next in the security white paper series:
Virus White Paper
Cloud Computing White Paper
Conficker White Paper
SPAM White Paper
Best Practices White Paper
Denial of Service DoS White Paper
Trojan Virus Attacks White Paper
Port Scanning White Paper
Virtual Machine Security White Paper
Monitoring Basics 101 White Paper
Power Grid Aurora Vulnerability White Paper
Shelfware White Paper
Last modified March 25, 2009
Copyright 1990-2009 Easyrider LAN Pro