The main function of a firewall is to centralize access control. If outsiders or remote users can access the internal networks without going through the firewall, its effectiveness is diluted. For example, if a traveling manager has a modem connected to his or her office PC that he or she can dial into while traveling, and that PC is also on the protected internal network, an attacker who can dial into that PC has circumvented the firewall. If a user has a dial-up Internet account with a commercial ISP, and sometimes connects to the Internet from their office PC via modem, he or she is opening an unsecured connection to the Internet that circumvents the firewall. Firewalls can also be used to secure segments of an organization's intranet, but this document will concentrate on the Internet aspects of firewall policy. For more information on firewalls, see NIST Special Publication 800-10 "Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls."
Firewalls provide several types of protection:
* They can block unwanted traffic.
* They can direct incoming traffic to more trustworthy internal systems.
* They hide vulnerable systems which can't easily be secured from the Internet.
* They can log traffic to and from the private network.
* They can hide information like system names, network topology, network device types, and internal user IDs from the Internet.
* They can provide more robust authentication than standard applications might be able to do.
Each of these functions is described in more detail below.
As with any safeguard, there are trade-offs between convenience and security. Transparency is the visibility of the firewall to both inside users and outsiders going through a firewall. A firewall is transparent to users if they do not notice or stop at the firewall in order to access a network. Firewalls are typically configured to be transparent to internal network users (while going outside the firewall); on the other hand, firewalls are configured to be non-transparent for outside network coming through the firewall. This generally provides the highest level of security without placing an undue burden on internal users.
* Username/password - This is the worst kind, because the information can be sniffed or shoulder-surfed.
* One-time passwords - One-time passwords, using software or hardware tokens, generate a new password for each session. This means that old passwords cannot be reused if they are sniffed or otherwise borrowed or stolen.
* Digital certificates - Digital certificates use a certificate generated using public key encryption.
Filtering gateways do have inherent risks, including:
* The source and destination addresses and ports contained in the IP packet header are the only information available to the router in deciding whether or not to permit traffic access to an internal network.
* They don't protect against IP or DNS address spoofing.
* An attacker will have a direct access to any host on the internal network once access has been granted by the firewall.
* Strong user authentication isn't supported with some packet filtering gateways.
* They provide little or no useful logging.
Because an application gateway is considered the most secure type of firewall, this configuration provides a number of advantages to the medium-high risk site:
* The firewall can be configured as the only host address that is visible to the outside network, requiring all connections to and from the internal network to go through the firewall.
* The use of proxies for different services prevents direct access to services on the internal network, protecting the enterprise against insecure or misconfigured internal hosts.
* Strong user authentication can be enforced with application gateways.
* Proxies can provide detailed logging at the application level.
Application level firewalls shall be configured such that out-bound network traffic appears as if the traffic had originated from the firewall (i.e. only the firewall is visible to outside networks). In this manner, direct access to network services on the internal network is not allowed. All incoming requests for different network services such as Telnet, FTP, HTTP, RLOGIN, etc., regardless of which host on the internal network will be the final destination, must go through the appropriate proxy on the firewall. Application gateways require a proxy for each service, such as FTP, HTTP, etc., to be supported through the firewall. When a service is required that is not supported by a proxy, an organization has three choices:
* Deny the service until the firewall vendor has developed a secure proxy - This is the preferred approach, as many newly introduced Internet services have unacceptable vulnerabilities.
* Develop a custom proxy - This is a fairly difficult task and should be undertaken only by very sophisticated technical organizations.
* Pass the service through the firewall - Using what are typically called "plugs," most application gateway firewalls allow services to be passed directly through the firewall with only a minimum of packet filtering. This can limit some of the vulnerability but can result in compromising the security of systems behind the firewall.
Low
When an in-bound Internet service not supported by a proxy is required to pass through the firewall, the firewall administrator shall define the configuration or plug that will allow the required service. When a proxy is available from the firewall vendor, the plug must be disabled and the proxy made operative.
Medium-high
All in-bound Internet services must be processed by proxy software on the firewall. If a new service is requested, that service will not be made available until a proxy is available from the firewall vendor and tested by the firewall administrator. A custom proxy can be developed in-house or by other vendors only when approved by the CIO.
Firewall architecture ratings (4 = recommended choice, 3 = effective option, 2 = acceptable, 1 = minimal security, 0 = unacceptable):

Firewall Architecture (if any one of these is being implemented) | High Risk Environment, e.g. Hospital | Medium Risk Environment, e.g. University | Low Risk Environment, e.g. florist shop
---|---|---|---
Packet filtering | 0 | 1 | 4
Application Gateways | 3 | 4 | 2
Hybrid Gateways | 4 | 3 | 2
A dual-homed firewall is a firewall with two network interface cards (NICs), each interface connected to a different network. For instance, one network interface is typically connected to the external or untrusted network, while the other interface is connected to the internal or trusted network. In this configuration, a key security tenet is not to allow traffic coming in from the untrusted network to be directly routed to the trusted network - the firewall must always act as an intermediary. Routing by the firewall shall be disabled for a dual-homed firewall so that IP packets are not directly routed from one network to the other.
The decision to use an Intranet firewall is generally based on the need to make certain information available to some but not all internal users, or to provide a high degree of accountability for the access and use of confidential or sensitive information. For any systems hosting COMPANY critical applications, or providing access to sensitive or confidential information, internal firewalls or filtering routers should be used to provide strong access control and support for auditing and logging. These controls should be used to segment the internal COMPANY network to support the access policies developed by the designated owners of information.
Each firewall administrator shall provide their home phone number, pager number, cellular phone number and other numbers or codes in which they can be contacted when support is required.
Security of a site is crucial to the day-to-day business activity of an organization. It is therefore required that the administrator of the firewall have a sound understanding of network concepts and implementation. For instance, since most firewalls are TCP/IP based, a thorough understanding of this protocol is compulsory. (Also see sections 5.6.1, LAN Administration, and 5.7, Awareness and Education, for more information on the knowledge base required of technical administrative roles.) An individual who is assigned the task of firewall administration must have good hands-on experience with networking concepts, design, and implementation so that the firewall is configured correctly and administered properly. Firewall administrators should receive periodic training on the firewalls in use and in network security principles and practices.
The most secure method of protecting against this form of attack is to have strong physical security around the firewall host and to only allow firewall administration from an attached terminal. However, operational concerns often dictate that some form of remote access for firewall administration be supported. In no case should remote access to the firewall be supported over untrusted networks without some form of strong authentication. In addition, to prevent eavesdropping, session encryption should be used for remote firewall connections.
Low
Any remote access over untrusted networks to the firewall for administration must use strong authentication, such as one time passwords and/or hardware tokens.
Medium
The preferred method for firewall administration is directly from the attached terminal. Physical access to the firewall terminal is limited to the firewall administrator and backup administrator.
Where remote access for firewall administration must be allowed, it should be limited to access from other hosts on the COMPANY internal network. Such internal remote access requires the use of strong authentication, such as one time passwords and/or hardware tokens. Remote access over untrusted networks such as the Internet requires end to end encryption and strong authentication to be employed.
High
All firewall administration must be performed from the local terminal - no access to the firewall operating software is permitted via remote access. Physical access to the firewall terminal is limited to the firewall administrator and backup administrator.
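As an added illustration of the Medium policy above (this is example configuration, not text from the NIST document), the following OpenSSH server settings on a firewall host admit administration only from the internal network, only for the two named administrators, and only with key-based authentication, so that reusable passwords are never accepted and every session is encrypted end to end. The internal interface address 192.0.2.1, the user names fwadmin and fwbackup, and the log-file choices are placeholders.

```conf
# Added example sshd_config fragment for a firewall host (Medium policy).
# Addresses and user names are placeholders.

# Listen on the internal interface only; nothing answers on the untrusted side.
ListenAddress 192.0.2.1

# Reusable passwords are the weakest form of authentication: refuse them.
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no

# Keys held on hardware tokens (or keys combined with one-time passwords
# through PAM) satisfy the strong-authentication requirement.
PubkeyAuthentication yes

# Only the firewall administrator and the backup administrator may log in.
AllowUsers fwadmin fwbackup

# Record key fingerprints and session details for the audit log review.
LogLevel VERBOSE
```

Because the daemon never listens on the external interface, the High policy (no remote administration at all) is reached simply by removing the listener entirely and administering from the attached terminal.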
The various network segments involved may be under control of different organizations and may operate under a variety of security policies. By their very nature, when networks are connected the security of the resulting overall network drops to the level of the weakest network. When decisions are made for connecting networks, trust relationships must be defined to avoid reducing the effective security of all networks involved.
Trusted networks are defined as networks that share the same security policy or implement security controls and procedures that provide an agreed-upon set of common security services. Untrusted networks are those that do not implement such a common set of security controls, or where the level of security is unknown or unpredictable. The most secure policy is to only allow connection to trusted networks, as defined by an appropriate level of management. However, business needs may force temporary connections with business partners or remote sites that involve the use of untrusted networks.
High
All connections from the COMPANY network to external networks must be approved by and managed by the Network Services Manager. Connections will be allowed only with external networks that have been reviewed and found to have acceptable security controls and procedures. All connections to approved external networks will pass through COMPANY-approved firewalls.
Low-medium
All connections from the COMPANY network to external networks must be approved by the Network Services Manager. All connections to approved external networks will pass through COMPANY-approved firewalls. To eliminate a major vulnerability, all connections and accounts related to external network connections should be periodically reviewed and deleted as soon as they are no longer required. Audit trails and system logs for external network connections should be reviewed weekly. Any accounts related to these connections that are not used on a monthly basis should be deactivated. The Network Services Manager will ask functional managers to validate the need for all such connections on a quarterly basis. When notified by the Network System Manager that the need for connection to a particular network is no longer valid, all accounts and parameters related to the connection should be deleted within one working day.
Deciding how to manage DNS services is generally not a security decision. Many organizations use a third party, such as an Internet Service Provider, to manage their DNS. In this case, the firewall can be used as a DNS caching server, improving performance but not requiring your organization to maintain its own DNS database.
If the organization decides to manage its own DNS database, the firewall can (but doesn't have to) act as the DNS server. If the firewall is to be configured as a DNS server (primary, secondary, or caching), it is necessary that other security precautions be in place. One advantage of implementing the firewall as a DNS server is that it can be configured to hide the internal host information of a site. In other words, with the firewall acting as a DNS server, internal hosts get an unrestricted view of both internal and external DNS data. External hosts, on the other hand, do not have access to information about internal host machines. To the outside world all connections to any host in the internal network will appear to have originated from the firewall. With the host information hidden from the outside, an attacker will not know the host names and addresses of internal hosts that offer service to the Internet.
A security policy for DNS hiding might state: If the firewall is to run as a DNS server, then the firewall must be configured to hide information about the network so that internal host data are not advertised to the outside world.
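One common way to implement the DNS hiding policy just stated is a split-horizon configuration: the firewall's name server answers internal clients from a complete zone and everyone else from a zone containing only the hosts meant to be reachable from the Internet. The BIND 9 fragment below is an added example, not configuration taken from the NIST text; the domain example.com, the internal range 192.0.2.0/24, and the zone file names are placeholders.

```conf
// Added example: DNS hiding with BIND 9 views. Names and addresses are placeholders.

acl internal { 192.0.2.0/24; 127.0.0.1; };

// Internal hosts see both internal and external data and may recurse.
view "internal" {
    match-clients { internal; };
    recursion yes;
    zone "example.com" {
        type master;
        file "zones/example.com.internal";   // every internal host record
    };
};

// Everyone else sees only the firewall, the mail exchanger and public servers,
// gets no recursion, and cannot transfer the zone.
view "external" {
    match-clients { any; };
    recursion no;
    allow-transfer { none; };
    zone "example.com" {
        type master;
        file "zones/example.com.external";   // firewall, MX, public web only
    };
};
```

With views in use, every zone must sit inside a view; the external zone file should list no internal host names or addresses at all, since the point of the policy is that an outsider querying the firewall learns nothing about what is behind it.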
The room in which the firewall is to be physically located must be equipped with heating, air conditioning, and smoke alarms to assure the proper working order of the room. The placement and recharge status of the fire extinguishers shall be checked on a regular basis. If uninterruptible power service is available to any Internet-connected systems, such service should be provided to the firewall as well.
Firewall logs should be examined on a weekly basis to determine if attacks have been detected.
The firewall administrator shall be notified at any time of any security alarm by email, pager, or other means so that he or she may immediately respond to such an alarm.
The firewall shall reject any kind of probing or scanning tool that is directed at it so that information being protected is not leaked out by the firewall. In a similar fashion, the firewall shall block all software types that are known to present security threats to a network (such as ActiveX and Java) to better tighten the security of the network.
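The weekly log examination called for above is easier to act on if the review is scripted. The following is an added example (not code from the NIST text) that reads firewall deny records and flags the two patterns a reviewer most wants surfaced: a single source rejected on many different ports (the probing the firewall is required to reject) and a single source repeatedly rejected on one service. The log format, the interface names ext0/int0 and the addresses are constructed for this example; a real firewall logs in its own format and only the parsing function would change.

```python
"""Weekly firewall log review: added example, not part of the NIST text.
Log format (constructed for this example, one deny record per line):
  <timestamp> DENY <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <iface>
"""
import re
from collections import defaultdict

# Constructed sample log: one host touching many ports, one host hammering
# a single service, one stray UDP deny, and one deny from the inside.
SAMPLE_LOG = """\
1998-03-02T10:00:01 DENY TCP 203.0.113.7:40001 -> 192.0.2.10:21 ext0
1998-03-02T10:00:01 DENY TCP 203.0.113.7:40002 -> 192.0.2.10:22 ext0
1998-03-02T10:00:02 DENY TCP 203.0.113.7:40003 -> 192.0.2.10:23 ext0
1998-03-02T10:00:02 DENY TCP 203.0.113.7:40004 -> 192.0.2.10:25 ext0
1998-03-02T10:00:03 DENY TCP 203.0.113.7:40005 -> 192.0.2.10:79 ext0
1998-03-02T10:00:03 DENY TCP 203.0.113.7:40006 -> 192.0.2.10:80 ext0
1998-03-02T10:00:04 DENY TCP 203.0.113.7:40007 -> 192.0.2.10:110 ext0
1998-03-02T10:00:04 DENY TCP 203.0.113.7:40008 -> 192.0.2.10:111 ext0
1998-03-02T10:00:05 DENY TCP 203.0.113.7:40009 -> 192.0.2.10:119 ext0
1998-03-02T10:00:05 DENY TCP 203.0.113.7:40010 -> 192.0.2.10:2049 ext0
1998-03-02T11:12:40 DENY TCP 198.51.100.9:1234 -> 192.0.2.10:23 ext0
1998-03-02T11:12:41 DENY TCP 198.51.100.9:1235 -> 192.0.2.10:23 ext0
1998-03-02T11:12:42 DENY TCP 198.51.100.9:1236 -> 192.0.2.10:23 ext0
1998-03-02T11:12:43 DENY TCP 198.51.100.9:1237 -> 192.0.2.10:23 ext0
1998-03-02T11:12:44 DENY TCP 198.51.100.9:1238 -> 192.0.2.10:23 ext0
1998-03-02T11:12:45 DENY TCP 198.51.100.9:1239 -> 192.0.2.10:23 ext0
1998-03-02T13:30:00 DENY UDP 198.51.100.77:5000 -> 192.0.2.10:2049 ext0
1998-03-02T14:01:00 DENY TCP 192.0.2.55:3000 -> 203.0.113.99:6667 int0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<iface>\S+)$"
)


def parse_log(text):
    """Yield a dict per well-formed deny record; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def review(text, external_iface="ext0", scan_ports=8, repeat_hits=5):
    """Summarise denies per external source and flag two patterns:
    - 'probe':    one source denied on >= scan_ports distinct destination ports;
    - 'repeated': one source denied >= repeat_hits times on a single port.
    Denies arriving on internal interfaces are counted separately so that
    policy violations from inside (e.g. tunnelling out) are not lost."""
    ports = defaultdict(set)
    hits = defaultdict(int)
    internal_denies = 0
    for rec in parse_log(text):
        if rec["iface"] != external_iface:
            internal_denies += 1
            continue
        ports[rec["src"]].add(rec["dport"])
        hits[(rec["src"], rec["dport"])] += 1
    findings = {}
    for src, pset in ports.items():
        if len(pset) >= scan_ports:
            findings[src] = "probe"
    for (src, _port), n in hits.items():
        if n >= repeat_hits and src not in findings:
            findings[src] = "repeated"
    return {"findings": findings, "internal_denies": internal_denies}


if __name__ == "__main__":
    report = review(SAMPLE_LOG)
    for src, kind in sorted(report["findings"].items()):
        print(f"{src}: {kind}")
    print("denies on internal interfaces:", report["internal_denies"])
```

The thresholds are deliberately parameters: what counts as a probe on a busy public mail relay differs from what counts on a firewall that should see almost no inbound traffic, and the reviewer tunes them against the site's own baseline.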
The firewall administrator must evaluate each new release of the firewall software to determine if an upgrade is required. All security patches recommended by the firewall vendor should be implemented in a timely manner.
Hardware and software components shall be obtained from a list of vendor-recommended sources. Any firewall-specific upgrades shall be obtained from the vendor. NFS shall not be used as a means of obtaining hardware and software components. The use of a virus-checked CD-ROM or FTP to a vendor's site is an appropriate method.
The firewall administrator(s) shall monitor the vendor's firewall mailing list or maintain some other form of contact with the vendor to be aware of all required upgrades. Before an upgrade of any of the firewall components, the firewall administrator must verify with the vendor that an upgrade is required. After any upgrade the firewall shall be tested to verify proper operation prior to going operational.
User
All users who require access to Internet services must do so by using COMPANY-approved software and Internet gateways.
A firewall has been placed between our private networks and the Internet to protect our systems. Employees must not circumvent the firewall by using modems or network tunneling software to connect to the Internet.
Some protocols have been blocked or redirected. If you have a business need for a particular protocol, you must raise the issue with your manager and the Internet security officer.
Manager
A firewall shall be placed between the company's network and the Internet to prevent untrusted networks from accessing the COMPANY network. The firewall will be selected by and maintained by the Network Services Manager.
All other forms of Internet access (such as via dial-out modems) from sites connected to the COMPANY WAN are prohibited.
All users who require access to Internet services must do so by using COMPANY-approved software and Internet gateways.
Technician
All firewalls should fail to a configuration that denies all services, and require a firewall administrator to re-enable services after a failure.
Source routing shall be disabled on all firewalls and external routers.
The firewall shall not accept traffic on its external interfaces that appears to be coming from internal network addresses.
The firewall shall provide detailed audit logs of all sessions so that these logs can be reviewed for any anomalies.
Secure media shall be used to store log reports such that access to this media is restricted to only authorized personnel.
Firewalls shall be tested off-line and the proper configuration verified.
The firewall shall be configured to implement transparency for all outbound services. Unless approved by the Network Services manager, all in-bound services shall be intercepted and processed by the firewall.
Appropriate firewall documentation will be maintained on off-line storage at all times. Such information shall include but not be limited to the network diagram, including all IP addresses of all network devices, the IP addresses of relevant hosts of the Internet Service Provider (ISP) such as external news server, router, DNS server, etc. and all other configuration parameters such as packet filter rules, etc. Such documentation shall be updated any time the firewall configuration is changed.
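The technician rules above (fail closed, no source routing, no internal source addresses on the external interface, deny everything not expressly permitted, audit every session, transparent outbound but intercepted inbound) combine into a small decision procedure. The following is an added example in Python, not code from the NIST text; the interface names ext0/int0, the internal range 192.0.2.0/24, the permitted service sets and the sample packets are all constructed for illustration, and a real firewall applies these checks in its packet filter or proxies rather than in a script.

```python
"""Packet-level checks from the technician rules: added example, not NIST code.
Interface names, address ranges, service sets and packets are constructed."""
import ipaddress
from dataclasses import dataclass, field

# Constructed address plan: one internal /24 behind a dual-homed firewall.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
EXTERNAL_IFACE = "ext0"   # untrusted side
INTERNAL_IFACE = "int0"   # trusted side


@dataclass
class Packet:
    iface: str                  # interface the packet arrived on
    src: str
    dst: str
    proto: str                  # "tcp" or "udp"
    dport: int
    source_routed: bool = False  # IP source-route option present


@dataclass
class Filter:
    allowed_inbound: set = field(default_factory=set)   # (proto, port) pairs proxied inbound
    allowed_outbound: set = field(default_factory=set)  # (proto, port) pairs passed outbound
    enabled: bool = True
    audit: list = field(default_factory=list)

    def fail(self):
        """A fault drops the filter to deny-all until an administrator re-enables it."""
        self.enabled = False

    def reenable(self):
        self.enabled = True

    def decide(self, pkt):
        verdict, reason = self._evaluate(pkt)
        # Every decision is recorded so the log review has complete data.
        self.audit.append((pkt.iface, pkt.src, pkt.dst, pkt.proto, pkt.dport, verdict, reason))
        return verdict, reason

    def _evaluate(self, pkt):
        if not self.enabled:
            return "deny", "fail-closed: all services disabled pending administrator"
        if pkt.source_routed:
            return "deny", "source-routed packet"
        src = ipaddress.ip_address(pkt.src)
        key = (pkt.proto, pkt.dport)
        if pkt.iface == EXTERNAL_IFACE:
            if any(src in net for net in INTERNAL_NETS):
                return "deny", "internal source address on external interface (spoofing)"
            if key in self.allowed_inbound:
                return "allow", "inbound service intercepted by firewall proxy"
            return "deny", "inbound service not expressly permitted"
        if pkt.iface == INTERNAL_IFACE:
            if key in self.allowed_outbound:
                return "allow", "transparent outbound"
            return "deny", "outbound service not expressly permitted"
        return "deny", "unknown interface"


def demo():
    """Run constructed packets through a filter that proxies inbound SMTP and
    passes outbound HTTP and FTP; returns the list of verdicts in order."""
    fw = Filter(allowed_inbound={("tcp", 25)}, allowed_outbound={("tcp", 80), ("tcp", 21)})
    packets = [
        Packet("ext0", "203.0.113.5", "192.0.2.10", "tcp", 25),                     # inbound mail
        Packet("ext0", "203.0.113.5", "192.0.2.10", "tcp", 23),                     # inbound telnet
        Packet("ext0", "192.0.2.44", "192.0.2.10", "tcp", 25),                      # spoofed source
        Packet("ext0", "203.0.113.5", "192.0.2.10", "tcp", 25, source_routed=True),  # source routed
        Packet("int0", "192.0.2.44", "203.0.113.80", "tcp", 80),                    # outbound web
        Packet("int0", "192.0.2.44", "203.0.113.80", "udp", 2049),                  # outbound NFS
    ]
    return [fw.decide(p)[0] for p in packets]


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the fail-closed and source-routing tests come before any address or service lookup, so a misconfigured service table can never reopen a firewall that has failed.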
Medium
User
Strong authentication using COMPANY-approved one-time passwords and hardware tokens is required for all remote access to internal systems through the firewall.
Manager
The network security policy shall be reviewed on a regular basis (every three months minimum) by the firewall administrator(s) and other top information (security) managers. Where requirements for network connections and services have changed, the security policy shall be updated and approved. If a change is to be made, the firewall administrator shall ensure that the change is implemented and the policy modified.
The details of the COMPANY internal trusted network should not be visible from outside the firewall.
Technician
The firewall will be configured to deny all services not expressly permitted and will be regularly audited and monitored to detect intrusions or misuse.
The firewall shall notify the system administrator in near-real-time of any item that may need immediate attention such as a break-in into the network, little disk space available, or other related messages so that an immediate action could be taken.
The firewall software will run on a dedicated computer - all non-firewall related software, such as compilers, editors, communications software, etc., will be deleted or disabled.
The firewall will be configured to deny all services not expressly permitted and will be regularly audited and monitored to detect intrusions or misuse.
High
User
All non-business use of the Internet from COMPANY systems is forbidden. All access to Internet services is logged. Employees who violate this policy are subject to disciplinary action.
Your browser has been configured with a list of forbidden sites. Any attempts to access those sites will be reported to your manager.
Manager
All non-business use of the Internet from COMPANY systems is forbidden. All access to Internet services is logged. Employees who violate this policy are subject to disciplinary action.
Technician
All access to Internet services is logged.
There is a wide range of Internet services available. Section 4 discusses the most popular services, such as FTP, telnet, HTTP, etc. Other common services are detailed here.
BSD "r" commands, such as rsh, rlogin, rcp, etc., are designed to allow UNIX system users to execute commands on remote systems. Most implementations do not support authentication or encryption and are very dangerous to use over the Internet.
Post Office Protocol (POP) is a client-server protocol for retrieving electronic mail from a server. POP is a TCP-based service that supports the use of nonreusable passwords for authentication, known as APOP. POP does not support encryption - retrieved email is vulnerable to eavesdropping.
Network News Transfer Protocol (NNTP) is used to support Usenet newsgroups. NNTP is a TCP-based service that implements a store and forward protocol. While NNTP is a relatively simple protocol, there have been recent attacks against common NNTP server software. NNTP servers should not be run on the firewall, but standard proxy services are available to pass NNTP.
Finger and whois are similar functions. finger is used to retrieve information about system users. finger often gives out more information than is necessary - for most organizations finger should be disabled or limited at the firewall. Whois is very similar and should also be disabled or limited at the firewall.
The UNIX remote printing protocols lp and lpr allow remote hosts to print using printers attached to other hosts. Lpr is a store and forward protocol, while lp uses the rsh function to provide remote printing capabilities. In general, lp and lpr should be disabled at the firewall unless vendor supplied proxies are available.
Network File System (NFS) allows disk drives to be made accessible to users and systems across the network. NFS uses a very weak form of authentication and is not considered safe to use across untrusted networks. NFS should not be allowed through a firewall.
To take advantage of the multimedia capabilities of the World Wide Web, a number of new services have been developed. Real Audio provides for the delivery of digitized audio over TCP/IP networks.
Which Internet services to allow or deny must be driven by the needs of the organization. Sample security policies for some of these Internet services that might be required by a typical organization are illustrated in Table 5.2.
* Status (Y/N) = whether users can use the service
* Auth (Y/N) = whether any form of authentication (strong or otherwise) is performed before the service can be used.
Purpose | Protocols | What | Why
---|---|---|---
Email | | Users have a single external email address | Does not reveal business info.
| SMTP | A single server or cluster of servers provides email service for organization | Centralized email is easier to maintain. SMTP servers are difficult to configure securely.
| POP3 | POP users must use AUTH identification. | Prevents password sniffing.
| IMAP | Groups are encouraged to transition to IMAP. | Better support for travel, encryption.
USENET news | NNTP | blocked at firewall | no business need
WWW | HTTP | directed to www.my.org | Centralized WWW is easier to maintain. WWW servers are difficult to configure securely.
all others | | routed |
Table 5.2 Sample policy

Service | Inside to Outside: Status | Inside to Outside: Auth | Outside to Inside: Status | Outside to Inside: Auth | Sample Policy
---|---|---|---|---|---
FTP | y | n | y | y | FTP access shall be allowed from the internal network to the external. Strong authentication shall be required for FTP access from the outside to the inside.
Telnet | y | n | y | y | Telnet access shall be allowed from the inside network to the outside network. For telnet from the outside to the inside network, authentication shall be required.
Rlogin | y | n | y | y | rlogin to COMPANY hosts from external networks requires written approval from the Network Services Manager and the use of strong authentication.
HTTP | y | n | n | n | All WWW servers intended for access by external users will be hosted outside the COMPANY firewall. No inbound HTTP will be allowed through the COMPANY firewall.
SSL | y | n | y | y | Secure Sockets Layer sessions using client-side certificates are required when SSL sessions are to be passed through the COMPANY firewall.
POP3 | n | n | y | n | The COMPANY Post Office Protocol server is to be hosted inside the COMPANY firewall. The firewall will pass POP traffic only to the POP server. The use of APOP is required.
NNTP | y | n | n | n | No external access will be allowed to the NNTP server.
Real Audio | n | n | n | n | There is currently no business requirement for supporting streaming audio sessions through the COMPANY firewall. Any business units requiring such support should contact the Network Services Manager.
Lp | y | n | n | n | Inbound lp services are to be disabled at the COMPANY firewall.
finger | y | n | n | n | Inbound finger services are to be disabled at the COMPANY firewall.
gopher | y | n | n | n | Inbound gopher services are to be disabled at the COMPANY firewall.
whois | y | n | n | n | Inbound whois services are to be disabled at the COMPANY firewall.
SQL | y | n | n | n | Connections from external hosts to internal databases must be approved by the Network Services Manager and use approved SQL proxy services.
Rsh | y | n | n | n | Inbound rsh services are to be disabled at the COMPANY firewall.
Other, such as NFS | n | n | n | n | Access to any other service not mentioned above shall be denied in both directions so that only Internet services we have a need for and know about are allowed and all others are denied.
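Table 5.2 is itself a decision table, and encoding it directly is a useful way to check that a firewall's configuration matches the written policy. The following is an added example in Python, not code from the NIST text: it transcribes the Status and Auth columns, answers whether a given request (service, direction, authenticated or not) is permitted, treats anything not in the table as the "Other, such as NFS" row, and lists the services the table admits from outside without authentication so a reviewer can confirm each has a compensating control. Service keys and direction labels are this example's own naming.

```python
"""Table 5.2 as an executable policy: added example, not part of the NIST text.
Service keys and direction labels are this example's own naming."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    status: bool   # Status column: may the service be used in this direction?
    auth: bool     # Auth column: must authentication precede use?


IN_TO_OUT = "inside->outside"
OUT_TO_IN = "outside->inside"

# Transcribed from Table 5.2 (y = True, n = False), in table order.
POLICY = {
    "ftp":       {IN_TO_OUT: Rule(True, False),  OUT_TO_IN: Rule(True, True)},
    "telnet":    {IN_TO_OUT: Rule(True, False),  OUT_TO_IN: Rule(True, True)},
    "rlogin":    {IN_TO_OUT: Rule(True, False),  OUT_TO_IN: Rule(True, True)},
    "http":      {IN_TO_OUT: Rule(True, False),  OUT_TO_IN: Rule(False, False)},
    "ssl":       {IN_TO_OUT: Rule(True, False),  OUT_TO_IN: Rule(True, True)},
    "pop3":      {IN_TO_OUT: Rule(False, False), OUT_TO_IN: Rule(True, False)},
    "nntp":      {IN_TO_OUT: Rule(True, False),  OUT_TO_IN: Rule(False, False)},
    "realaudio": {IN_TO_OUT: Rule(False, False), OUT_TO_IN: Rule(False, False)},
    "lp":        {IN_TO_OUT: Rule(True, False),  OUT_TO_IN: Rule(False, False)},
    "finger":    {IN_TO_OUT: Rule(True, False),  OUT_TO_IN: Rule(False, False)},
    "gopher":    {IN_TO_OUT: Rule(True, False),  OUT_TO_IN: Rule(False, False)},
    "whois":     {IN_TO_OUT: Rule(True, False),  OUT_TO_IN: Rule(False, False)},
    "sql":       {IN_TO_OUT: Rule(True, False),  OUT_TO_IN: Rule(False, False)},
    "rsh":       {IN_TO_OUT: Rule(True, False),  OUT_TO_IN: Rule(False, False)},
}


def check(service, direction, authenticated):
    """Return (verdict, reason) for one connection request.

    A service absent from the table falls into the "Other, such as NFS" row
    and is denied in both directions: only services we need and know about pass."""
    rules = POLICY.get(service.lower())
    if rules is None:
        return "deny", "service not in policy table (default deny)"
    rule = rules[direction]
    if not rule.status:
        return "deny", f"{service} not permitted {direction}"
    if rule.auth and not authenticated:
        return "deny", f"{service} {direction} requires authentication first"
    return "allow", f"{service} permitted {direction}"


def unauthenticated_inbound_allowed():
    """Audit helper: services the table admits from outside with Auth = n.
    Each needs a compensating control; for POP3 the Sample Policy column
    places that control (APOP) at the POP server itself."""
    return sorted(s for s, r in POLICY.items()
                  if r[OUT_TO_IN].status and not r[OUT_TO_IN].auth)


if __name__ == "__main__":
    for req in [("ftp", OUT_TO_IN, False), ("ftp", OUT_TO_IN, True),
                ("http", OUT_TO_IN, True), ("nfs", IN_TO_OUT, True)]:
        print(req, "->", check(*req))
    print("inbound without authentication:", unauthenticated_inbound_allowed())
```

Keeping the table in this form also makes policy review (the quarterly check the Manager section requires) a diff of one file rather than a re-reading of the firewall's rule base.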
An organization may wish to support some services without using strong authentication. For example, an anonymous FTP server may be used to allow all external users to download open information. In this case, such services should be hosted outside the firewall or on a service network not connected to corporate networks that contain sensitive data. The table that follows summarizes a method of describing such policy for a service such as FTP.
Policy | Non-Anonymous FTP service | Anonymous FTP service
---|---|---
Put server machine outside the firewall | N | Y
Put server machine on the service network | N | Y
Put server machine on protected network | Y | N
Put server machine on the firewall itself | N | N
Server will be accessed by everyone on the Internet | N | Y