
WHITE PAPER
Network Security: A Simple Guide to Firewalls

Contents
• Why a Firewall—Am I Really at Risk?
• What Is a Firewall?
• Types of Attack
• Firewall Technologies
• Additional Firewall Features and Functionality
• Choosing a Firewall
• Designing a Firewall into Your Network
• Conclusion

Acronyms used in this paper
3DES: Data Encryption Standard, 168-bit
DMZ: demilitarized zone
DoS: denial of service
FTP: File Transfer Protocol
HTTP: Hypertext Transfer Protocol
ICSA: International Computer Security Association
LAN: local area network
NAT: Network Address Translation
POP3: Post Office Protocol, Version 3
SMTP: Simple Mail Transfer Protocol
TCP/IP: Transmission Control Protocol/Internet Protocol
VPN: virtual private network
WAN: wide area network

Loss of irreplaceable data is a very real risk for any business owner whose network connects to the outside world. Remote access for employees and connection to the Internet may improve communication in ways you’ve hardly imagined. Access to the Internet can open the world to communicating with customers and vendors, and is an immense source of information. But these same opportunities open a local area network (LAN) to the possibility of attack by thieves and vandals and abuse by your own employees.

Figuring out the right amount of security for your network takes some consideration. The first thing to consider is what your data is worth. A quick answer is, “Maybe more than you think.”

It isn’t always safe to assume that no one else wants your data. Some hackers operate on a nonprofit basis. They may capture data or vandalize your system just because they can. Many analysts say very bluntly, “If you are on the Internet, you need a firewall.”

The benefits of connecting to the Internet are clear. This paper discusses the risks you face when you connect to the Internet, describes the types of attacks that can occur, and offers an overview of firewall technology, which can protect your network from hackers. Specifically, the paper discusses the implementation of a firewall and what you should consider in choosing the type of firewall you require.

Why a Firewall—Am I Really at Risk?

Anyone can become a hacker. It doesn’t require a technological whiz kid to wreak havoc on your network. A wide range of tools and utilities can be easily downloaded from the Internet; and with their help, almost anyone can become a competent hacker at the touch of a button.

There are experts who say, “If you are connected to the Internet, you need a firewall.” The decision may not be more complicated than that. However, you’ll probably consider a combination of factors. Start with the basic questions you’d ask about any other security system.

Do I Have Anything Worth Protecting?

Be sure to consider:

• Confidential client, supplier, or employee information that might expose you to a lawsuit if you allow someone else to capture it

• Intellectual property that gives you a competitive edge in the market

• Critical business records that would have to be recovered and/or recreated

When you consider the value of your data, remember risks such as legal liability and loss of competitive edge, or the effect of lost production if your network is compromised.

Aren’t My Valuables Already Adequately Protected?

The truth is that if you have valuable electronic property, it may not be as safe as you would like to think it is. You can do a lot to protect your system if you:

• Back up your information every night

• Set up unshared folders behind tough passwords and password rules

• Use your Internet access device or browser to filter incoming traffic from all but trusted sites

Unfortunately, hackers have many sophisticated software tools at their disposal. Given enough time and determination, a skilled hacker may get through the standard safeguards. If he does, he can run software programs to break your passwords. If you have valuable data on your network and the network is exposed to outside access, chances are very good you need a firewall.

What Is a Firewall?

A firewall is a system that enforces an access control policy between two networks—such as your private LAN and the unsafe, public Internet. The firewall determines which inside services can be accessed from the outside, and vice versa. The actual means by which this is accomplished varies widely, but in principle, the firewall can be thought of as a pair of mechanisms: one to block traffic, and one to permit traffic. A firewall is more than the locked front door to your network—it’s your security guard as well.

Firewalls are also important because they provide a single “choke point” where security and audits can be imposed. A firewall can provide a network administrator with data about what kinds and amount of traffic passed through it, how many attempts were made to break into it, and so on. Like a closed circuit security TV system, your firewall not only prevents access, but also monitors who’s been sniffing around, and assists in identifying those who attempt to breach your security.

Basic Purpose of a Firewall

Basically, a firewall does three things to protect your network:

• It blocks incoming data that might contain a hacker attack.

• It hides information about the network by making it seem that all outgoing traffic originates from the firewall rather than the network. This is called Network Address Translation (NAT).

• It screens outgoing traffic to limit Internet use and/or access to remote sites.

Screening Levels

A firewall can screen both incoming and outgoing traffic. Because incoming traffic poses a greater threat to the network, it’s usually screened more closely than outgoing traffic.

When you are looking at firewall hardware or software products, you’ll probably hear about three types of screening that firewalls perform:

• Screening that blocks any incoming data not specifically ordered by a user on the network

• Screening by the address of the sender

• Screening by the contents of the communication

Think of screening levels as a process of elimination. The firewall first determines whether the incoming transmission is something requested by a user on the network, rejecting anything else. Anything that is allowed in is then examined more closely. The firewall checks the sender’s computer address to ensure that it is a trusted site. It also checks the contents of the transmission.

Types of Attack

Before determining exactly what type of firewall you need, you must first understand the nature of security threats that exist. The Internet is one large community, and as in any community it has both good and bad elements. The bad elements range from incompetent outsiders who do damage unintentionally, to the proficient, malicious hackers who mount deliberate assaults on companies using the Internet as their weapon of choice.

Generally there are three types of attack that could potentially affect your business:

• Information theft: Stealing company confidential information, such as employee records, customer records, or company intellectual property

• Information sabotage: Changing information in an attempt to damage an individual or company’s reputation, such as changing employee medical or educational records or uploading derogatory content onto your Web site

• Denial of service (DoS): Bringing down your company’s network or servers so that legitimate users cannot access services, or so that normal company operations such as production are impeded

Attempts to Gain Access

A hacker may attempt to gain access for sport or greed. An attempt to gain access usually starts with gathering information about the network. Later attacks use that information to achieve the real purpose—to steal or destroy data.

A hacker may use a port scanner—a piece of software that can map a network. It is then possible to find out how the network is structured and what software is running on it. Once the hacker has a picture of the network, he can exploit known software weaknesses and use hacking tools to wreak havoc. It is even possible to get into the administrator’s files and wipe the drives, although a good password will usually foil that effort.

Fortunately, a good firewall is immune to port scanning. As new port scanners are developed to get around this immunity, firewall vendors produce patches to maintain the immunity.

Denial-of-Service Attacks

DoS attacks are purely malicious. They don’t result in any gain for the hacker other than the “joy” of rendering the network, or parts of it, unavailable for legitimate use. DoS attacks overload a system so that it isn’t available—they deny your ability to use your network service. To overload the system, the hacker sends very large packets of data or programs that require the system to respond continuously to a bogus command.

To launch a DoS attack, a hacker must know the IP address of the target machine. A good firewall doesn’t reveal its own IP address or the IP addresses on the LAN. The hacker may think he has contacted the network when he has only contacted the firewall—and he can’t lock up the network from there. Furthermore, when a hacker launches an attack, some firewalls can identify the incoming data as an attack, reject the data, alert the system administrator, and track the data back to the sender, who can then be apprehended.

Firewall Technologies

Firewalls come in all shapes, sizes, and prices. Choosing the correct one depends mainly on your business requirements and the size of your network. This section discusses the different types of firewall technologies and formats available.

Above all, no matter what type of firewall you choose or its functionality, you must ensure that it is secure and that a trusted third party, such as the International Computer Security Association (ICSA), has certified it. The ICSA classifies firewalls into three categories: packet filter firewalls, application-level proxy servers, and stateful packet inspection firewalls.

Packet Filter Firewall

Every computer on a network has an address commonly referred to as an IP address. A packet filter firewall checks the address of incoming traffic and turns away anything that doesn’t match the list of trusted addresses. The packet filter firewall uses rules to deny access according to information located in each packet such as: the TCP/IP port number, source/destination IP address, or data type. Restrictions can be as tight or as loose as you want.

An ordinary router on a network may be able to screen traffic by address, but hackers have a little trick called source IP spoofing that makes data appear to come from a trusted source, even from your own network. Unfortunately, packet filter firewalls are prone to IP spoofing and are also arduous and confusing to configure. And any mistake in configuration could potentially leave you wide open to attack.

Application-Level Proxy Server

An application-level proxy server examines the application used for each individual IP packet to verify its authenticity. Traffic from each application—such as HTTP for Web, FTP for file transfers, and SMTP/POP3 for e-mail—typically requires the installation and configuration of a different application proxy. Proxy servers often require administrators to reconfigure their network settings and applications (e.g., Web browsers) to support the proxy, and this can be a labor-intensive process.

Stateful Packet Inspection Firewall

This is the latest generation in firewall technology. Stateful packet inspection is considered by Internet experts to be the most advanced and secure firewall technology because it examines all parts of the IP packet to determine whether to accept or reject the requested communication.

The firewall keeps track of all requests for information that originate from your network. Then it scans each incoming communication to see if it was requested, and rejects anything that wasn’t. Requested data proceeds to the next level of screening. The screening software determines the state of each packet of data, hence the term stateful packet inspection.

Additional Firewall Features and Functionality

In addition to the security capability of a firewall, a wide range of additional features and functionalities are being integrated into standard firewall products. These include support for public Web and e-mail servers, normally referred to as a demilitarized zone (DMZ), content filtering, virtual private networking (VPN) encryption support, and antivirus support.

Demilitarized Zone Firewalls

A firewall that provides DMZ protection is effective for companies that invite customers to contact their network from any external source, through the Internet or any other route—for example, a company that hosts a Web site or sells its products or services over the Internet.

The deciding factors for a DMZ firewall would be the number of outsiders or external users who access information on the network and how often they access it.

A DMZ firewall creates a protected (“demilitarized”) information area on the network. Outsiders can get to the protected area but can’t get to the rest of the network. This allows outside users to get to the information you want them to have and prevents them from getting to the information you don’t want them to have.

Content Filtering

A Web site filter or content filter extends the firewall’s capability to block access to certain Web sites. You can use this add-on to ensure that employees do not access particular content, such as pornography or racially intolerant material. With this functionality you can define categories of unwelcome material and obtain a service that lists thousands of Web sites that include such material. You can then choose whether to totally block those sites, or to allow access but log it. Such a service should automatically update its list of banned Web sites on a regular basis.

Virtual Private Networks

A VPN is a private data network that makes use of the public network infrastructure, that is, the Internet. The idea of the VPN is to give the company the same capabilities as a private leased line but at much lower cost. A VPN provides secure sharing of public resources for data by using encryption techniques to ensure that only authorized users can view or “tunnel” into a company’s private network.

Companies today are looking at VPNs as a cost-effective means of securely connecting branch offices, remote workers, and privileged partners/customers to their private LANs. A growing range of firewalls now have VPN encryption capability built in or offer it as an optional extra. This offers companies a simple, cost-effective alternative to traditional private leased lines or modem remote access.

When implementing a VPN, you need to ensure that all devices support the same level of encryption and that it is sufficiently secure. To date, 168-bit Data Encryption Standard (3DES) is the strongest level of encryption publicly available and is deemed unbreakable by security experts. One thing to bear in mind is that the stronger the encryption level, the more processing power is required by the firewall. A small number of firewall vendors are now offering VPN hardware acceleration to improve VPN traffic performance.

Antivirus Protection

Everyone should be concerned about the threat of viruses, which are among the most pernicious forms of computer hacking. Users can quickly damage entire networks by unknowingly downloading and launching dangerous computer viruses. Companies have lost enormous amounts of money due to resulting lost productivity and network repair costs.

Firewalls are not designed to remove or clean viruses, but they can assist with virus detection, which is an important part of an overall virus protection plan.

It is important to note that a firewall can only protect the network from the wide area device to which it is attached. A remote access server or a PC with a modem could provide a back door into your network that circumvents the firewall. The same is true if an employee inserts a virus-infected disk into a PC. The ultimate place for antivirus software is on every user’s PC; however, a firewall can assist in virus detection by requiring that every user’s PC have the latest antivirus software running and enabled before the firewall permits that user to access the Internet or download e-mail.

Choosing a Firewall

Firewall functions can be implemented as software or as an addition to your router/gateway. Alternatively, dedicated firewall appliances are increasing in popularity, mainly due to their ease of use, performance improvements, and lower cost.

Router/Gateway-Based Firewalls

Certain routers provide limited firewall capabilities. These can be augmented further with additional software/firmware options. However, great care must be taken not to overburden your router by running additional services like a firewall. Enhanced firewall-related functionality such as VPN, DMZ, content filtering, or antivirus protection may not be available or may be expensive to implement.

Software-Based Firewalls

Software-based firewalls are typically sophisticated, complex applications that run on a dedicated UNIX or Windows NT server. These products become expensive when you account for the costs associated with the software, server hardware, and continual maintenance required to support their implementation.

It is essential that system administrators constantly monitor and install the latest operating system and security patches as soon as they become available. Without these patches to cover newly discovered security holes, the software firewall can be rendered useless.

Dedicated Firewall Appliances

Most firewall appliances are dedicated, hardware-based systems. Because these appliances run on an embedded operating system specifically tailored for firewall use, they are less susceptible to many of the security weaknesses inherent in Windows NT and UNIX operating systems. These high-performance firewalls are designed to satisfy the extremely high throughput requirements or the processor-intensive requirements of stateful packet inspection firewalls.

Because there is no need to harden the operating system, firewall appliances are usually easier to install and configure than software firewall products, and can potentially offer plug-and-play installation, minimal maintenance, and a very complete solution. They also prove to be extremely cost-effective when compared to other firewall implementations.

Designing a Firewall into Your Network

Once you have familiarized yourself with all of the different firewalls on the market, the next step is to define your firewall policy. For example, will the firewall explicitly deny all services except those critical to the mission of connecting to the Internet? Or is it intended to provide a metered and audited method of “queuing” access in a nonthreatening manner? Decisions like these are less about engineering than politics.

The next decision is what level of monitoring, redundancy, and control you want. This involves juggling needs analysis with risk assessment, and then sorting through the often conflicting requirements in order to determine what to implement.

Where firewalls are concerned, the emphasis should be on security rather than connectivity. You should consider blocking everything by default, and only allowing the services you need on a case-by-case basis. If you block all but a specific set of services, you make your job much easier.

Conclusion

Security breaches are very real and very dangerous. Every company now recognizes how easily it can become the victim of deliberate or random attacks, and how much damage these attacks can cause. The good news is that 3Com Corporation is just as aware of the threats, and is developing better and stronger security solutions. Small and midsize companies and remote offices in particular can take advantage of new 3Com firewall solutions that are less costly and complicated to administer than traditional firewalls.

While firewalls are only one component of an overall security system, they are a vital component, and companies must invest the time required to evaluate the best system for their needs—and then deploy it as quickly as possible. Security breaches are an ever-present danger, and there’s no time like the present to protect your company’s valuable data.
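Worked example, added here and not part of the 3Com paper: a toy firewall that combines the stateful packet inspection described under Firewall Technologies (accept inbound packets only as replies to connections a LAN user opened), the DMZ zoning from Additional Firewall Features, and the block-everything-by-default policy recommended under Designing a Firewall into Your Network, plus a check that rejects source-address spoofing of the kind the Packet Filter Firewall section warns about. The address ranges, zone names, interface names and allowed port sets are assumptions made up for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan (assumption, not from the paper): a private LAN,
# a small DMZ for public Web/mail servers; any other address is "outside".
ZONES = {"inside": ip_network("192.168.1.0/24"), "dmz": ip_network("203.0.113.0/28")}

# Default-deny policy: a new connection is allowed only if its (from, to)
# zone pair is listed here and its destination port is in the set.
ALLOW = {
    ("inside", "outside"): {21, 25, 80, 110},  # FTP, SMTP, HTTP, POP3 out to the Internet
    ("inside", "dmz"): {25, 80},
    ("outside", "dmz"): {25, 80},              # only the published Web/mail services
}

@dataclass(frozen=True)
class Packet:
    iface: str         # interface the packet arrived on: "inside", "dmz" or "outside"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the first packet of a new TCP connection

def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "outside")

class StatefulFirewall:
    def __init__(self):
        self.state = set()  # (src, sport, dst, dport) of every connection accepted so far

    def inspect(self, p: Packet):
        # Anti-spoofing: a LAN or DMZ source address is only valid on that zone's interface.
        if zone_of(p.src) != p.iface:
            return "DROP", "spoofed source address"
        # Stateful check: accept packets belonging to a connection already allowed.
        if (p.dst, p.dport, p.src, p.sport) in self.state:
            return "ACCEPT", "reply to an established connection"
        if (p.src, p.sport, p.dst, p.dport) in self.state:
            return "ACCEPT", "established connection"
        if not p.syn:
            return "DROP", "unsolicited packet with no matching state"
        # New connection: consult the default-deny policy for this zone pair.
        pair = (zone_of(p.src), zone_of(p.dst))
        if p.dport in ALLOW.get(pair, set()):
            self.state.add((p.src, p.sport, p.dst, p.dport))
            return "ACCEPT", f"new {pair[0]}->{pair[1]} connection on port {p.dport}"
        return "DROP", f"default deny: {pair[0]}->{pair[1]} port {p.dport}"

def run_demo():
    """Run a constructed traffic sample; returns the (verdict, reason) per packet."""
    fw = StatefulFirewall()
    packets = [
        Packet("inside", "192.168.1.10", 40001, "198.51.100.7", 80, syn=True),   # LAN user opens a Web page
        Packet("outside", "198.51.100.7", 80, "192.168.1.10", 40001),            # the Web server's reply
        Packet("outside", "198.51.100.9", 5555, "192.168.1.10", 23, syn=True),   # unsolicited probe of a LAN host
        Packet("outside", "198.51.100.9", 5556, "203.0.113.2", 80, syn=True),    # customer reaches the DMZ Web server
        Packet("outside", "198.51.100.9", 5557, "203.0.113.2", 22, syn=True),    # unpublished port on the DMZ server
        Packet("outside", "192.168.1.10", 40002, "192.168.1.20", 80, syn=True),  # claims a LAN address from outside
        Packet("dmz", "203.0.113.2", 6000, "192.168.1.10", 445, syn=True),       # DMZ host trying to enter the LAN
    ]
    return [fw.inspect(p) for p in packets]
```

Only the first, second and fourth packets pass; everything else is dropped either as spoofed, as unsolicited, or because no rule in ALLOW opens that zone pair and port.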

3Com Corporation, Corporate Headquarters, 5400 Bayfront Plaza, Santa Clara, CA 95052-8145

To learn more about 3Com solutions, visit www.3com.com. 3Com Corporation is publicly traded on Nasdaq under the symbol COMS.

The information contained in this document represents the current view of 3Com Corporation on the issues discussed as of the date of publication. Because 3Com must respond to changing market conditions, this paper should not be interpreted to be a commitment on the part of 3Com, and 3Com cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only; 3Com makes no warranties, express or implied, in this document.

Copyright © 2000 3Com Corporation. All rights reserved. 3Com is a registered trademark and the 3Com logo is a trademark of 3Com Corporation. Windows NT is a trademark of Microsoft Corporation. UNIX is a trademark of UNIX Laboratories. Other company and product names may be trademarks of their respective companies.

503090-001 9/00