How (not) to use your firewall Jurjen N.E. Bos Information Security Consultant.

Date posted: 18-Dec-2015

How (not) to use your firewall

Jurjen N.E. Bos

Information Security Consultant

0420

Overview

• Introduction
• Principles of information security
• Strengths and weaknesses of a firewall
• Basic principles
• Conclusion

Introduction

• A firewall, originally, is a wall that prevents spreading of fire through a building
• More generally, it isolates things in case of hazard
• Specifically, we will discuss isolating the Internet from a company network

A firewall

[Diagram: Internet, Firewall, LAN]

Principles of information security

What do you want to protect?
• Your data
  • secrecy
  • reliability
  • availability
• Your hardware
• Your reputation

What do you want your firewall to do?

• Increase security
• Simplify maintenance of network
• Save money
• Be user friendly and non-disruptive

What can your firewall do

A firewall protects your company LAN against
• known threats
• coming from outside
• via the firewall
• at connection level
• by making things harder to use.

What can’t your firewall do

• Solve your security problem
• Protect against viruses
• Protect data that doesn’t flow through it
• Be “user friendly”
• Protect against every threat
• Protect against attacks from the inside

Examples

A firewall does not protect against viruses
  • There’s a new example every month

A firewall does not protect against unknown attacks
  • Firewall-1 DOS attack: July 2000

A firewall makes life harder
  • If you had no front door lock, you wouldn’t have to stay home for the heating repairman. Wouldn’t that be convenient?

Maintaining a firewall

Most attacks are published in enough detail that people can figure out for themselves how to attack your machines.
• Install your system properly
• Read the news on known holes (e.g. SANS), and download the patches
  • Watch out for fake patches
  • Watch out for reliability of your machines
• Read your log files

A firewall is not a machine

A firewall does not only consist of the firewall host machine, but also of:
• A security model
• A list of firewall settings (e.g., allowed services)
• Procedures to maintain the firewall host machine
• An operator or group of operators
• A list of guidelines

Basic rules

A few trivial but important rules for security maintenance:
• Use multiple layers of protection
• Keep it simple
• “No, unless” instead of “Yes, if”
• Monitor your systems
  • Not only the firewall, but also the network behind it
• Decide on your security model
  • Risk analysis is a very useful tool

Layers of protection

[Diagram: elements labelled A, B and C]

Protocol stack

User Layer: Word, PDF
Application Layer: SMTP, FTP, Telnet
Transport Layer: TCP, UDP, ICMP
Internet Layer: IP
Network Access Layer: Ethernet, ATM

Example: firewall settings

• Allow useful low risk services: SMTP, POP (mail), NNTP (news), HTTP (surfing)
• If you really need it, allow services like DNS (naming), IRC (chat), MBONE (video conferencing and the like)
• Don’t allow games, NTP (time), RIP, OSPF (routing), SNMP (management), NIS, WINS (naming)
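
The three tiers on this slide, combined with the “No, unless” rule from the Basic rules slide, as an added example that is not part of the original slides: a Python check that audits a rule list and decides on a service with deny as the fallback. The rule format, the field names (service, action, reason) and the sample rules are constructed for illustration.

```python
# Added example, not from the slides. Rule format and sample rules are constructed.
LOW_RISK = {"smtp", "pop", "nntp", "http"}        # "allow useful low risk services"
ONLY_IF_NEEDED = {"dns", "irc", "mbone"}          # "if you really need it"
DONT_ALLOW = {"games", "ntp", "rip", "ospf", "snmp", "nis", "wins"}


def decide(rules, service):
    """'No, unless': the first rule naming the service wins, anything else is denied."""
    for rule in rules:
        if rule["service"].lower() == service.lower():
            return rule["action"]
    return "deny"


def audit(rules, default_action):
    """Return findings where a rule set departs from the slide's policy."""
    findings = []
    if default_action != "deny":
        findings.append("default action is %r, expected 'deny'" % default_action)
    for number, rule in enumerate(rules, start=1):
        service = rule["service"].lower()
        if rule["action"] != "allow":
            continue  # deny rules never widen access
        if service in DONT_ALLOW:
            findings.append("rule %d allows %s, which is on the don't-allow list" % (number, service))
        elif service in ONLY_IF_NEEDED:
            if not rule.get("reason"):
                findings.append("rule %d allows %s without a recorded reason" % (number, service))
        elif service not in LOW_RISK:
            findings.append("rule %d allows %s, which is not on any list" % (number, service))
    return findings


# Constructed sample rule set (hypothetical).
SAMPLE_RULES = [
    {"service": "smtp", "action": "allow"},
    {"service": "http", "action": "allow"},
    {"service": "dns", "action": "allow", "reason": "internal resolver forwards to ISP"},
    {"service": "irc", "action": "allow"},
    {"service": "snmp", "action": "allow"},
    {"service": "telnet", "action": "allow"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES, default_action="allow"):
        print(finding)
    print("ntp ->", decide(SAMPLE_RULES, "ntp"))
```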

Train your users

Users must know basic things in order to make effective use of security measures:
• The Internet is unreliable.
• Security through obscurity doesn’t work (they won’t notice I have all my passwords in a file called “secret”).
• Social engineering is hard to recognise.

I recommend writing a guidelines document for Internet usage.

Guidelines for users

Things to consider putting in a guidelines document:
• Use the connections that are available
  • No own phone connections, for example
• No downloading of objectionable material
  • Filters annoy “good” users, and don’t stop “bad” users
• Don’t trust the outside world
  • Social engineering is a serious threat
• Digital data is often more valuable than physical objects

Useful literature

There are a zillion books about information security out there. The ones I read recently and liked:

• Elizabeth D. Zwicky, Simon Cooper and D. Brent Chapman: “Building Internet Firewalls”, second edition, O’Reilly
• Bruce Schneier: “Secrets and Lies”

Conclusion

Basic rules of using any security system:
• Don’t trust anything
  • Don’t put all your eggs in one basket
  • Attacks may come from everywhere
• Know what you want to protect
  • Use the simplest protection that protects it
• Train your users
• Stay alert

How to make a firewall useless

• Trust your users
• Use the default installation
• Use a sophisticated self designed system that locks out everything dangerous
• Assume the firewall will protect you forever