
Firewall Configuration Strategies

Chapter 3

Learning Objectives
Set up firewall rules that reflect an organization’s overall security approach
Understand the goals that underlie a firewall’s configuration
Identify and implement different firewall configuration strategies
Employ methods of adding functionality to your firewall

Establishing Rules and Restrictions for Your Firewall
Rules give firewalls specific criteria for making decisions about whether to allow packets through or drop them
All firewalls have a rules file—the most important configuration file on the firewall

The Role of the Rules File
Establishes the order the firewall should follow
Tells the firewall which packets should be blocked and which should be allowed
Requirements
  - Need for scalability
  - Importance of enabling productivity of end users while maintaining adequate security

Restrictive Firewalls
Block all access by default; permit only specific types of traffic to pass through

Strategies for Implementing a Security Policy
Follow the concept of least privilege
Spell out services that employees cannot use
Use and maintain passwords
Choose an approach
  - Open
  - Optimistic
  - Cautious
  - Strict
  - Paranoid

Connectivity-Based Firewalls
Have fewer rules; primary orientation is to let all traffic pass through, then block specific types of traffic
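As an added worked example (not from the slides or the textbook they accompany): a small rules-file evaluator in Python that walks the rules top to bottom, lets the first match decide, and otherwise applies the policy's default. It puts the two approaches just described side by side, a restrictive rule set with a default of deny and a connectivity-based one with a default of allow, and it also flags a rule that can never fire because an earlier, broader rule shadows it, which is the ordering mistake a rules file review looks for. The address ranges (10.0.0.0/24 and the RFC 5737 documentation ranges), the server roles and the sample packets are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample networks (documentation ranges), not taken from the slides.
LAN = "10.0.0.0/24"            # protected internal network
WEB_SERVER = "192.0.2.10/32"   # public web server on the service network
MAIL_SERVER = "192.0.2.20/32"  # public mail server on the service network
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    direction: str             # "in" = arriving from the Internet, "out" = leaving the LAN
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    direction: str = "any"
    src: str = ANY
    dst: str = ANY
    proto: str = "any"
    dport: Optional[int] = None
    note: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules: List[Rule], packet: Packet, default_action: str) -> Tuple[str, Optional[int]]:
    """Walk the rules file top to bottom; the first rule that matches decides.
    Returns (action, index of the deciding rule), or (default, None) when no
    rule matched and the policy's default applies."""
    for index, rule in enumerate(rules):
        if rule.matches(packet):
            return rule.action, index
    return default_action, None


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule is at least
    as broad in every field: the ordering mistake a rules file review looks for."""
    found = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (earlier.direction in ("any", later.direction)
                    and earlier.proto in ("any", later.proto)
                    and earlier.dport in (None, later.dport)
                    and ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))):
                found.append(j)
                break
    return found


# Restrictive policy: deny everything, then permit only what the business needs.
RESTRICTIVE = [
    Rule("allow", "out", LAN, ANY, "tcp", 80, "employee web browsing"),
    Rule("allow", "out", LAN, ANY, "tcp", 443, "employee web browsing (TLS)"),
    Rule("allow", "in", ANY, WEB_SERVER, "tcp", 80, "public web site"),
    Rule("allow", "in", ANY, MAIL_SERVER, "tcp", 25, "inbound mail delivery"),
]
RESTRICTIVE_DEFAULT = "deny"

# Connectivity-based policy: let everything through, then block specific services.
CONNECTIVITY = [
    Rule("deny", "in", ANY, ANY, "tcp", 23, "no inbound telnet"),
    Rule("deny", "in", ANY, ANY, "tcp", 445, "no inbound SMB"),
]
CONNECTIVITY_DEFAULT = "allow"


def compare(packet: Packet) -> dict:
    """Decision each policy reaches for the same packet."""
    return {"restrictive": evaluate(RESTRICTIVE, packet, RESTRICTIVE_DEFAULT)[0],
            "connectivity": evaluate(CONNECTIVITY, packet, CONNECTIVITY_DEFAULT)[0]}


if __name__ == "__main__":
    samples = [
        Packet("out", "10.0.0.5", "203.0.113.7", "tcp", 443),   # employee browsing
        Packet("in", "198.51.100.9", "192.0.2.10", "tcp", 80),  # visitor to the web site
        Packet("in", "198.51.100.9", "192.0.2.10", "tcp", 22),  # SSH to the web server
        Packet("in", "198.51.100.9", "10.0.0.5", "tcp", 23),    # telnet into the LAN
    ]
    for p in samples:
        print(p, compare(p))
```

The SSH packet is the instructive one: the restrictive policy drops it because no rule says otherwise, while the connectivity-based policy lets it through because nobody wrote a rule against it. That is the trade-off the two slides describe, and it is why the restrictive approach pairs naturally with least privilege.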
Overview of Firewall Configuration Strategies
Criteria
  - Scalable
  - Take communication needs of individual employees into account
  - Deal with IP address needs of the organization

Scalability
Provide for the firewall’s growth by recommending a periodic review and upgrading software and hardware as needed

Productivity
The stronger and more elaborate the firewall, the slower the data transmissions
Important features of firewall: processing and memory resources available to the bastion host

Productivity (figure slide)

Dealing with IP Address Issues
If service network needs to be privately rather than publicly accessible, which DNS will its component systems use?
If you mix public and private addresses, how will Web server and DNS servers communicate?
Let the proxy server do the IP forwarding (it’s the security device)

Firewall Configuration Strategies
Settle on general approaches; establish rules for them
Deploy firewalls, routers, VPN tunnels, and other tools in a way that will implement rules
Use security components to defend against common attacks

Using Security Components to Defend Against Attacks

Screening Router
Filters traffic passing between one network and another
Simple, minimally secure
Two interfaces—external and internal—each with its own unique IP address
Performs IP forwarding, based on an access control list (ACL)

Screening Router (figure slide)

Stateful Packet Filtering (figure slide)

Dual-Homed Host
A workstation with an internal interface and an external interface to the Internet
Disadvantage
  - Host serves as a single point of entry to the organization

Screened Host
Similar to dual-homed host, but the host is dedicated to performing security functions
Sits exposed on the perimeter of the network rather than behind the firewall
Requires two network connections
Also called a dual-homed gateway or bastion host

Screened Host (figure slide)

Two Routers, One Firewall
Router positioned on the outside
  - Performs initial, static packet filtering
Router positioned just inside the network
  - Routes traffic to appropriate computers in the LAN being protected
  - Can do stateful packet filtering

Two Routers, One Firewall (figure slide)
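The difference between the static filtering on the outside router and the stateful filtering the inside router can do is easiest to see in code. The following is an added illustration, not code from the slides: a connection-tracking filter that remembers flows opened from the LAN and admits an inbound packet only when it answers one of them, next to the stateless rule a screening router would need to let replies in at all. The LAN range, the idle timeout and the sample packets are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def static_filter(p: Packet, lan_cidr: str = "10.0.0.0/24") -> str:
    """Stateless rule a screening router needs so that replies reach the LAN:
    inbound packets to any ephemeral port are let in. Nothing ties them to a
    conversation a LAN host actually started."""
    if ip_address(p.src) in ip_network(lan_cidr):
        return "allow"
    return "allow" if p.dport >= 1024 else "drop"


class StatefulFilter:
    """Connection-tracking filter for the inside router. Flows opened from the
    LAN are remembered; an inbound packet is admitted only if it answers one
    of them and the entry has not gone idle."""

    def __init__(self, lan_cidr: str, idle_timeout: int = 60):
        self.lan = ip_network(lan_cidr)
        self.idle_timeout = idle_timeout
        self.table = {}  # outbound 5-tuple -> time last seen

    def _expire(self, now: int) -> None:
        for key, seen in list(self.table.items()):
            if now - seen > self.idle_timeout:
                del self.table[key]

    def process(self, p: Packet, now: int) -> str:
        self._expire(now)
        forward = (p.src, p.sport, p.dst, p.dport, p.proto)
        reverse = (p.dst, p.dport, p.src, p.sport, p.proto)
        if ip_address(p.src) in self.lan:
            self.table[forward] = now            # LAN host opened (or continued) a flow
            return "allow-outbound"
        if reverse in self.table:
            self.table[reverse] = now            # reply to a flow we are tracking
            return "allow-established"
        return "drop-unsolicited"


if __name__ == "__main__":
    f = StatefulFilter("10.0.0.0/24")
    request = Packet("10.0.0.5", 51000, "203.0.113.7", 443)   # LAN host opens a TLS session
    reply = Packet("203.0.113.7", 443, "10.0.0.5", 51000)     # the server answers
    probe = Packet("198.51.100.9", 4444, "10.0.0.5", 51000)   # unrelated inbound packet
    for t, pkt in ((0, request), (1, reply), (2, probe), (200, reply)):
        print(t, pkt.src, "->", pkt.dst,
              "static:", static_filter(pkt), "stateful:", f.process(pkt, t))
```

The probe packet is what separates the two: the static rule admits it because it is addressed to a high port, the stateful filter drops it because no LAN host ever talked to that source. The late reply at t=200 shows the other half of the design, an entry that has gone idle no longer opens the door.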
DMZ Screened Subnet
Screened subnet
  - Network exposed to external network, but partially protected by a firewall
Three-pronged firewall
  - Three network interfaces connect it to:
    - External network
    - DMZ
    - Protected LAN
Service network
  - Screened subnet that contains an organization’s publicly accessible server

DMZ Screened Subnet (figure slide)

Three-Pronged Firewall with Only One Firewall
Advantages
  - Simplification
  - Lower cost
Disadvantages
  - Complexity
  - Vulnerability
  - Performance

Common Service Network Systems
Those that contain Web and mail servers
Those that contain DNS servers
Those that contain tunneling servers

Multiple-Firewall DMZs
Achieve the most effective Defense in Depth
Help achieve load distribution
Added security offsets slowdown in performance
Two or more firewalls can be used to protect
  - Internal network
  - One DMZ
  - Two DMZs
  - Branch offices that need to connect to main office’s internal network

Two Firewalls, One DMZ
Two firewalls used to set up three separate networks (tri-homed firewall)
  - Internal protected network (behind DMZ)
  - External private network or service network (within DMZ)
  - External network (outside DMZ)
Advantage
  - Enables control of traffic in the three networks

Two Firewalls, One DMZ (figure slide)

Two Firewalls, Two DMZs
Setting up separate DMZs for different parts of the organization helps balance the traffic load between them

Two Firewalls, Two DMZs (figure slide)

Multiple Firewalls to Protect Branch Offices (figure slide)

Load Distribution Through Layering of Firewalls (figure slide)

Reverse Firewalls
Inspect and monitor traffic going out of a network rather than trying to block what’s coming in
Help block Distributed Denial of Service (DDoS) attacks

Specialty Firewalls
Protect specific types of network communications (e.g., e-mail, instant messaging)
Examples
  - Mail Marshal and WebMarshal by Marshal Software
  - OpenReach includes a small-scale packet-filtering firewall for its VPN
  - VOISS Proxy Firewall (VF-1) by VocalData
  - Speedware Corporation sells its own firewall software

Approaches That Add Functionality to a Firewall
Network Address Translation (NAT)
Encryption
Application proxies
VPNs
Intrusion detection systems (IDSs)

NAT
Converts publicly accessible IP addresses to private ones and vice versa; shields IP addresses of computers on the protected network from those on the outside
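To make the "shields IP addresses" point concrete, here is an added example (not from the slides) of the port-based form of NAT most firewalls use: many private hosts share one public address, each outbound flow gets its own public port, and an inbound packet is translated back only if it comes from the remote endpoint that flow contacted. The public address, the private range and the port pool are constructed for the example.

```python
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

Endpoint4 = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)


class Nat:
    """Port-based NAT on the firewall. Outbound flows from the private range are
    rewritten to the public address plus an allocated port; inbound packets are
    translated only when a mapping exists and the sender is the remote endpoint
    that mapping was created for. Everything else is dropped, so no private
    address is ever visible or reachable from the outside."""

    def __init__(self, public_ip: str, private_cidr: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.private = ip_network(private_cidr)
        self.next_port = first_port
        self.by_inside = {}   # (priv_ip, priv_port, remote_ip, remote_port) -> public port
        self.by_public = {}   # public port -> that inside key

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Optional[Endpoint4]:
        """Packet leaving the protected network: returns the rewritten 4-tuple."""
        if ip_address(src_ip) not in self.private:
            return None    # not from the protected network; nothing to translate
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.by_inside:
            port = self.next_port          # allocate the next free public port
            self.next_port += 1
            self.by_inside[key] = port
            self.by_public[port] = key
        return (self.public_ip, self.by_inside[key], dst_ip, dst_port)

    def inbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Optional[Endpoint4]:
        """Packet arriving from the Internet: returns the 4-tuple to deliver
        inside, or None when the packet must be dropped."""
        if dst_ip != self.public_ip or dst_port not in self.by_public:
            return None    # no mapping: the inside hosts stay hidden
        priv_ip, priv_port, remote_ip, remote_port = self.by_public[dst_port]
        if (src_ip, src_port) != (remote_ip, remote_port):
            return None    # someone other than the contacted peer is using the port
        return (src_ip, src_port, priv_ip, priv_port)


if __name__ == "__main__":
    nat = Nat("198.51.100.1", "10.0.0.0/24")
    print(nat.outbound("10.0.0.5", 51000, "203.0.113.7", 443))   # client A goes out
    print(nat.outbound("10.0.0.6", 51000, "203.0.113.7", 443))   # client B, same ports, new mapping
    print(nat.inbound("203.0.113.7", 443, "198.51.100.1", 40000)) # reply reaches client A
    print(nat.inbound("198.51.100.9", 4444, "198.51.100.1", 40000)) # stranger on that port: dropped
```

Two clients using the same source port get distinct public ports, so replies are never confused, and because the mapping records the peer as well, a third party cannot reach an inside host simply by guessing a mapped port. That peer check is a design choice for this example; simpler NAT implementations translate any packet that arrives on a mapped port.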
NAT (figure slide)

Encryption
Takes a request, turns it into gibberish using a private key; exchanges the public key with the recipient firewall or router
Recipient decrypts the message and presents it to the end user in understandable form

Encryption (figure slide)

Application Proxies
Act on behalf of a host; receive requests, rebuild them from scratch, and forward them to the intended location as though the request originated with it (the proxy)
Can be set up with either a dual-homed host or a screened host system

Application Proxies
Dual-homed setup
  - Host that contains the firewall or proxy server software has two interfaces, one to the Internet and one to the internal network being protected
Screened subnet system
  - Host that holds proxy server software has a single network interface
  - Packet filters on either side of the host filter out all traffic except that destined for proxy server software
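"Rebuild them from scratch" is the property that makes an application proxy more than a packet filter, and it is worth seeing what it means in practice. The following is an added example, not code from the slides: the request-handling core of an HTTP proxy that parses a client request strictly, rejects anything it cannot understand or does not permit, and then generates a brand-new request from the parsed fields, carrying across only an allow-listed set of headers and recomputing the body length rather than trusting the client's value. The proxy host name, the allowed methods and headers, and the sample request are constructed for the example; the sockets that would receive and forward the bytes are left out so the logic runs on its own.

```python
from typing import Dict, List, Tuple

# Assumed names for this example, not from the slides.
PROXY_NAME = "proxy.example.internal"
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
# Only these client headers are carried across; everything else is dropped.
FORWARDED_HEADERS = ("host", "user-agent", "accept", "content-type", "content-length")


def parse_request(raw: bytes) -> Tuple[str, str, str, List[Tuple[str, str]], bytes]:
    """Strict parse of an HTTP/1.x request. Raises ValueError on anything that
    does not fit, so the proxy never forwards what it could not understand."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block not terminated")
    lines = head.decode("ascii").split("\r\n")   # non-ASCII bytes raise a ValueError subclass
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        raise ValueError("unsupported protocol version")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            raise ValueError("malformed header line")
        headers.append((name.lower(), value.strip()))
    return method, target, version, headers, body


def rebuild_request(raw: bytes) -> bytes:
    """Build a fresh request from the parsed fields: the forwarded bytes are
    generated here, never copied through from the client."""
    method, target, _version, headers, body = parse_request(raw)
    if method not in ALLOWED_METHODS:
        raise ValueError("method not permitted: " + method)
    if not target.startswith("/") or ".." in target:
        raise ValueError("request target not permitted")
    kept: Dict[str, str] = {n: v for n, v in headers if n in FORWARDED_HEADERS}
    if "host" not in kept:
        raise ValueError("Host header required")
    if method == "POST":
        kept["content-length"] = str(len(body))   # recomputed, not trusted
    else:
        body = b""                                 # no body on GET/HEAD
        kept.pop("content-length", None)
        kept.pop("content-type", None)
    out = [f"{method} {target} HTTP/1.1"]
    for name in FORWARDED_HEADERS:                 # fixed order, fixed casing
        if name in kept:
            out.append(f"{name.title()}: {kept[name]}")
    out.append(f"Via: 1.1 {PROXY_NAME}")
    out.append("Connection: close")
    return "\r\n".join(out).encode("ascii") + b"\r\n\r\n" + body


def proxy_decision(raw: bytes) -> Tuple[str, bytes]:
    """("forward", rebuilt request) or ("reject", reason) for one client request."""
    try:
        return "forward", rebuild_request(raw)
    except ValueError as exc:
        return "reject", str(exc).encode("ascii")


# Constructed sample request (not captured traffic).
SAMPLE = (b"GET /index.html HTTP/1.1\r\n"
          b"Host: www.example.com\r\n"
          b"User-Agent: demo/1.0\r\n"
          b"X-Internal-Host: fileserver.corp.lan\r\n"
          b"Connection: keep-alive\r\n"
          b"\r\n")

if __name__ == "__main__":
    verdict, data = proxy_decision(SAMPLE)
    print(verdict)
    print(data.decode("ascii"))
```

Notice what the forwarded request no longer contains: the client's X-Internal-Host header, which leaked an internal name, and the client's connection preferences. The outside server sees a request the proxy wrote, with the proxy's own Via header, which is exactly the "as though the request originated with it" behaviour the slide describes.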
Application Proxies on a Dual-Homed Host (figure slide)

VPNs
Connect internal hosts with specific clients in other organizations
Connections are encrypted and limited only to machines with specific IP addresses
VPN gateway can:
  - Go on a DMZ
  - Bypass the firewall and connect directly to the internal LAN

VPN Gateway Bypassing the Firewall (figure slide)

Intrusion Detection Systems
Can be installed in external and/or internal routers at the perimeter of the network
Built into many popular firewall packages

IDS Integrated into Perimeter Routers (figure slide)

IDS Positioned Between Firewall and Internet (figure slide)

Chapter Summary
How to design perimeter security for a network that integrates firewalls with a variety of other software and hardware components
Rules and restrictions that influence configuration of a security perimeter
Security configurations that either perform firewall functions or that use firewalls to create protected areas
