firewall

(fīr´wâl) (n.) A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

There are several types of firewall techniques:

Packet filter: Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing. Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation. Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking. Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.

In practice, many firewalls use two or more of these techniques in concert.

A firewall is considered a first line of defense in protecting private information. For greater security, data can be encrypted.

Firewall (computing)From Wikipedia, the free encyclopediaJump to: navigation, search This article is about the network security device. For other uses, see Firewall.

This article needs additional citations for verification.Please help improve this article by adding reliable references. Unsourced material may be challenged and removed. (February 2008)

An illustration of where a firewall would be located in a network.

An example of a user interface for a firewall on Ubuntu (Gufw)

A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. It is a device or set of devices which is configured to permit or deny computer applications based upon a set of rules and other criteria.

Firewalls can be implemented in either hardware or software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

There are several types of firewall techniques:

1. Packet filter : Packet filtering inspects each packet passing through the network and accepts or rejects it based on user-defined rules. Although difficult to configure, it is fairly effective and mostly transparent to its users. It is susceptible to IP spoofing.

2. Application gateway : Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.

3. Circuit-level gateway : Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.

4. Proxy server : Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.

Contents[hide]

1 Function 2 History

o 2.1 First generation: packet filters

o 2.2 Second generation: application layer

o 2.3 Third generation: "stateful" filters

o 2.4 Subsequent developments

3 Types

o 3.1 Network layer and packet filters

o 3.2 Application-layer

o 3.3 Proxies

o 3.4 Network address translation

4 See also

5 References

6 External links

[edit] FunctionA firewall is a dedicated appliance, or software running on a computer, which inspects network traffic passing through it, and denies or permits passage based on a set of rules/criteria.

It is normally placed between a protected network and an unprotected network and acts like a gate to protect assets to ensure that nothing private goes out and nothing malicious comes in.

A firewall's basic task is to regulate some of the flow of traffic between computer networks of different trust levels. Typical examples are the Internet which is a zone with no trust and an internal network which is a zone of higher trust. A zone with an intermediate trust level, situated between the Internet and a trusted internal network, is often referred to as a "perimeter network" or Demilitarized zone (DMZ).

A firewall's function within a network is similar to physical firewalls with fire doors in building construction. In the former case, it is used to prevent network intrusion to the private network. In the latter case, it is intended to contain and delay structural fire from spreading to adjacent structures.

[edit] HistoryThe term firewall/fireblock originally meant a wall to confine a fire or potential fire within a building; cf. firewall (construction). Later uses refer to similar structures, such as the metal sheet separating the engine compartment of a vehicle or aircraft from the passenger compartment.

The Morris Worm spread itself through multiple vulnerabilities in the machines of the time. Although it was not malicious in intent, the Morris Worm was the first large scale attack on Internet security; the online community was neither expecting an attack nor prepared to deal with one.[1]

[edit] First generation: packet filters

The first paper published on firewall technology was in 1988, when engineers from Digital Equipment Corporation (DEC) developed filter systems known as packet filter firewalls. This fairly basic system was the first generation of what became a highly evolved and technical internet security feature. At AT&T Bell Labs, Bill Cheswick and Steve Bellovin were continuing their research in packet filtering and developed a working model for their own company based upon their original first generation architecture.

This type of packet filtering pays no attention to whether a packet is part of an existing stream of traffic (it stores no information on connection "state"). Instead, it filters each packet based only on information contained in the packet itself (most commonly using a combination of the

packet's source and destination address, its protocol, and, for TCP and UDP traffic, the port number).

TCP and UDP protocols comprise most communication over the Internet, and because TCP and UDP traffic by convention uses well known ports for particular types of traffic, a "stateless" packet filter can distinguish between, and thus control, those types of traffic (such as web browsing, remote printing, email transmission, file transfer), unless the machines on each side of the packet filter are both using the same non-standard ports.

Packet filtering firewalls work on the first three layers of the OSI reference model, which means all the work is done between the network and physical layers. When a packet originates from the sender and filters through a firewall, the device checks for matches to any of the packet filtering rules that are configured in the firewall and drops or rejects the packet accordingly. When the packet passes through the firewall it filters the packet on a protocol/port number basis (GSS). For example if a rule in the firewall exists to block telnet access, then the firewall will block the IP protocol for port number 23.

[edit] Second generation: application layer

Main article: Application layer firewall

The key benefit of application layer filtering is that it can "understand" certain applications and protocols (such as File Transfer Protocol, DNS, or web browsing), and it can detect if an unwanted protocol is sneaking through on a non-standard port or if a protocol is being abused in any harmful way.

An application firewall is much more secure and reliable compared to packet filter firewalls because it works on all seven layers of the OSI reference model, from the application down to the physical Layer. This is similar to a packet filter firewall but here we can also filter information on the basis of content. The best example of an application firewall is ISA (Internet Security and Acceleration) server. An application firewall can filter higher-layer protocols such as FTP, Telnet, DNS, DHCP, HTTP, TCP, UDP and TFTP (GSS). For example, if an organization wants to block all the information related to "foo" then content filtering can be enabled on the firewall to block that particular word. Software-based firewalls are thus much slower than stateful firewalls.

[edit] Third generation: "stateful" filters

Main article: Stateful firewall

From 1989-1990 three colleagues from AT&T Bell Laboratories, Dave Presetto, Janardan Sharma, and Kshitij Nigam, developed the third generation of firewalls, calling them circuit level firewalls.

Third-generation firewalls, in addition to what first- and second-generation look for, regard placement of each individual packet within the packet series. This technology is generally

referred to as a stateful packet inspection as it maintains records of all connections passing through the firewall and is able to determine whether a packet is the start of a new connection, a part of an existing connection, or is an invalid packet. Though there is still a set of static rules in such a firewall, the state of a connection can itself be one of the criteria which trigger specific rules.

This type of firewall can help prevent attacks which exploit existing connections, or certain Denial-of-service attacks.

[edit] Subsequent developments

In 1992, Bob Braden and Annette DeSchon at the University of Southern California (USC) were refining the concept of a firewall. The product known as "Visas" was the first system to have a visual integration interface with colors and icons, which could be easily implemented and accessed on a computer operating system such as Microsoft's Windows or Apple's MacOS. In 1994 an Israeli company called Check Point Software Technologies built this into readily available software known as FireWall-1.

The existing deep packet inspection functionality of modern firewalls can be shared by Intrusion-prevention systems (IPS).

Currently, the Middlebox Communication Working Group of the Internet Engineering Task Force (IETF) is working on standardizing protocols for managing firewalls and other middleboxes.

Another axis of development is about integrating identity of users into Firewall rules. Many firewalls provide such features by binding user identities to IP or MAC addresses, which is very approximate and can be easily turned around. The NuFW firewall provides real identity-based firewalling, by requesting the user's signature for each connection.

[edit] TypesThere are several classifications of firewalls depending on where the communication is taking place, where the communication is intercepted and the state that is being traced.

[edit] Network layer and packet filters

Network layer firewalls, also called packet filters, operate at a relatively low level of the TCP/IP protocol stack, not allowing packets to pass through the firewall unless they match the established rule set. The firewall administrator may define the rules; or default rules may apply. The term "packet filter" originated in the context of BSD operating systems.

Network layer firewalls generally fall into two sub-categories, stateful and stateless. Stateful firewalls maintain context about active sessions, and use that "state information" to speed packet processing. Any existing network connection can be described by several properties, including source and destination IP address, UDP or TCP ports, and the current stage of the connection's

lifetime (including session initiation, handshaking, data transfer, or completion connection). If a packet does not match an existing connection, it will be evaluated according to the ruleset for new connections. If a packet matches an existing connection based on comparison with the firewall's state table, it will be allowed to pass without further processing.

Stateless firewalls require less memory, and can be faster for simple filters that require less time to filter than to look up a session. They may also be necessary for filtering stateless network protocols that have no concept of a session. However, they cannot make more complex decisions based on what stage communications between hosts have reached.

Modern firewalls can filter traffic based on many packet attributes like source IP address, source port, destination IP address or port, destination service like WWW or FTP. They can filter based on protocols, TTL values, netblock of originator, of the source, and many other attributes.

Commonly used packet filters on various versions of Unix are ipf (various), ipfw (FreeBSD/Mac OS X), pf (OpenBSD, and all other BSDs), iptables/ipchains (Linux).

[edit] Application-layer

Main article: Application layer firewall

Application-layer firewalls work on the application level of the TCP/IP stack (i.e., all browser traffic, or all telnet or ftp traffic), and may intercept all packets traveling to or from an application. They block other packets (usually dropping them without acknowledgment to the sender). In principle, application firewalls can prevent all unwanted outside traffic from reaching protected machines.

On inspecting all packets for improper content, firewalls can restrict or prevent outright the spread of networked computer worms and trojans. The additional inspection criteria can add extra latency to the forwarding of packets to their destination.

[edit] Proxies

Main article: Proxy server

A proxy device (running either on dedicated hardware or as software on a general-purpose machine) may act as a firewall by responding to input packets (connection requests, for example) in the manner of an application, whilst blocking other packets.

Proxies make tampering with an internal system from the external network more difficult and misuse of one internal system would not necessarily cause a security breach exploitable from outside the firewall (as long as the application proxy remains intact and properly configured). Conversely, intruders may hijack a publicly-reachable system and use it as a proxy for their own purposes; the proxy then masquerades as that system to other internal machines. While use of internal address spaces enhances security, crackers may still employ methods such as IP spoofing to attempt to pass packets to a target network.

[edit] Network address translation

Main article: Network address translation

Firewalls often have network address translation (NAT) functionality, and the hosts protected behind a firewall commonly have addresses in the "private address range", as defined in RFC 1918. Firewalls often have such functionality to hide the true address of protected hosts. Originally, the NAT function was developed to address the limited number of IPv4 routable addresses that could be used or assigned to companies or individuals as well as reduce both the amount and therefore cost of obtaining enough public addresses for every computer in an organization. Hiding the addresses of protected devices has become an increasingly important defense against network reconnaissance.

Distributed firewallFrom Wikipedia, the free encyclopediaJump to: navigation, search

This article is an orphan, as few or no other articles link to it. Please introduce links to this page from related articles; suggestions are available. (May 2010)

This article may need to be rewritten entirely to comply with Wikipedia's quality standards. You can help. The discussion page may contain suggestions. (August 2009)

A firewall is system or group of system (router, proxy, or gateway) that implements a set of security rules to enforce access control between two networks to protect “inside” network from “outside network. It may be a hardware device or a software program running on a secure host computer. In either case, it must have at least two network interfaces, one for the network it is intended to protect, and one for the network it is exposed to. A firewall sits at the junction point or gateway between the two networks, usually a private network and a public network such as the Internet.

Contents[hide]

1 Evolution of distributed firewall 2 Distributed firewall

o 2.1 Basic working

3 Policies

o 3.1 Pull technique

o 3.2 Push technique

4 Components of a distributed firewall

o 4.1 Central management system

o 4.2 Policy distribution

o 4.3 Host-end implementation

5 Threat comparison

o 5.1 Service exposure and port scanning

o 5.2 IP address spoofing

o 5.3 Malicious software

o 5.4 Intrusion detection

o 5.5 Insider attacks

6 References

o 6.1 Books

o 6.2 White papers and reports

[edit] Evolution of distributed firewallConventional firewalls rely on the notions of restricted topology and control entry points to function. More precisely, they rely on the assumption that everyone on one side of the entry point—the firewall—is to be trusted, and that anyone on the other side is, at least potentially, an enemy.

[edit] Distributed firewallDistributed firewalls are host-resident security software applications that protect the enterprise network's servers and end-user machines against unwanted intrusion. They offer the advantage of filtering traffic from both the Internet and the internal network. This enables them to prevent hacking attacks that originate from both the Internet and the internal network. This is important because the most costly and destructive attacks still originate from within the organization. They are like personal firewalls except they offer several important advantages like central management, logging, and in some cases, access-control granularity. These features are necessary to implement corporate security policies in larger enterprises. Policies can be defined and pushed out on an enterprise-wide basis.

A feature of distributed firewalls is centralized management. The ability to populate servers and end-users machines, to configure and "push out" consistent security policies helps to maximize limited resources. The ability to gather reports and maintain updates centrally makes distributed security practical. Distributed firewalls help in two ways. Remote end-user machines can be secured. Secondly, they secure critical servers on the network preventing intrusion by malicious code and "jailing" other such code by not letting the protected server be used as a launch pad for expanded attacks.

Usually deployed behind the traditional firewall, they provide a second layer of defense. They work by enabling only essential traffic into the machine they protect, prohibiting other types of traffic to prevent unwanted intrusions. Whereas the perimeter firewall must take a generalist, common denominator approach to protecting servers on the network, distributed firewalls act as specialists.

Conventional firewalls rely on the notions of restricted topology and control entry points to function. More precisely, they rely on the assumption that everyone on one side of the entry point—the firewall—is to be trusted, and that anyone on the other side is, at least potentially, an enemy.

Some problems with the conventional firewalls that lead to Distributed firewalls are as follows. Due to the increasing line speeds and the more computation intensive protocols that a firewall must support; firewalls tend to become congestion points. This gap between processing and networking speeds is likely to increase, at least for the foreseeable future; while computers (and hence firewalls) are getting faster, the combination of more complex protocols and the tremendous increase in the amount of data that must be passed through the firewall has been and likely will continue to out pace Moore's law. There exist protocols, and new protocols are designed, that are difficult to process at the firewall, because the latter lacks certain knowledge that is readily available at the endpoints. FTP and RealAudio are two such protocols. Although there exist application-level proxies that handle such protocols, such solutions are viewed as architecturally “unclean” and in some cases too invasive. Likewise, because of the dependence on the network topology, a PF can only enforce a policy on traffic that traverses it. Thus, traffic exchanged among nodes in the protected network cannot be controlled. This gives an attacker that is already an insider or can somehow bypass the firewall complete freedom to act. Worse yet, it has become trivial for anyone to establish a new, unauthorized entry point to the network without the administrator's knowledge and consent. Various forms of tunnels, wireless, and dial-up access methods allow individuals to establish backdoor access that bypasses all the security mechanisms provided by traditional firewalls. While firewalls are in general not intended to guard against misbehavior by insiders, there is a tension between internal needs for more connectivity and the difficulty of satisfying such needs with a centralized firewall.

IPsec is a protocol suite, recently standardized by the IETF, which provides network-layer security services such as packet confidentiality, authentication, data integrity, replay protection, and automated key management. This is an artifact of firewall deployment: internal traffic that is not seen by the firewall cannot be filtered; as a result, internal users can mount attacks on other users and networks without the firewall being able to intervene. Large networks today tend to have a large number of entry points (for performance, failover, and other reasons). Furthermore, many sites employ internal firewalls to provide some form of compartmentalization. This makes administration particularly difficult, both from a practical point of view and with regard to policy consistency, since no unified and comprehensive management mechanism exists.

End-to-end encryption can also be a threat to firewalls, as it prevents them from looking at the packet fields necessary to do filtering. Allowing end-to-end encryption through a firewall implies considerable trust to the users on behalf of the administrators. Finally, there is an increasing need

for finer-grained access control which standard firewalls cannot readily accommodate without greatly increasing their complexity and processing requirements.

Distributed firewalls are host-resident security software applications that protect the enterprise network's critical endpoints against unwanted intrusion that is, its servers and end-user machines. In this concept, the security policy is defined centrally and the enforcement of the policy takes place at each endpoint (hosts, routers, etc.). Usually deployed behind the traditional firewall, they provide a second layer of protection.

Since all the hosts on the inside are trusted equally, if any of these machines are subverted, they can be used to launch attacks to other hosts, especially to trusted hosts for protocols like rlogin. Thus there is a faithful effort from the industry security organizations to move towards a system which has all the aspects of a desktop firewall but with centralized management like Distributed Firewalls.

Distributed, host-resident firewalls prevent the hacking of both the PC and its use as an entry point into the enterprise network. A compromised PC can make the whole network vulnerable to attacks. The hacker can penetrate the enterprise network uncontested and steal or corrupt corporate assets.

[edit] Basic working

Distributed firewalls are often kernel-mode applications that sit at the bottom of the OSI stack in the operating system. They filter all traffic regardless of its origin—the Internet or the internal network. They treat both the Internet and the internal network as "unfriendly". They guard the individual machine in the same way that the perimeter firewall guards the overall network. Distributed firewalls rest on three notions:

A policy language that states what sort of connections are permitted or prohibited, Any of a number of system management tools, such as Microsoft's SMS or ASD, and

IPSEC, the network-level encryption mechanism for TCP/IP.

The basic idea is simple. A compiler translates the policy language into some internal format. The system management software distributes this policy file to all hosts that are protected by the firewall. And incoming packets are accepted or rejected by each "inside" host, according to both the policy and the cryptographically-verified identity of each sender.

[edit] PoliciesOne of the most often used term in case of network security and in particular distributed firewall is policy. It is essential to know about policies. A “security policy” defines the security rules of a system. Without a defined security policy, there is no way to know what access is allowed or disallowed. A simple example for a firewall is:

Allow all connections to the web server.

Deny all other access.

The distribution of the policy can be different and varies with the implementation. It can be either directly pushed to end systems, or pulled when necessary.

[edit] Pull technique

The hosts while booting up pings to the central management server to check whether the central management server is up and active. It registers with the central management server and requests for its policies which it should implement. The central management server provides the host with its security policies. For example, a license server or a security clearance server can be asked if a certain communication should be permitted. A conventional firewall could do the same, but it lacks important knowledge about the context of the request. End systems may know things like which files are involved, and what their security levels might be. Such information could be carried over a network protocol, but only by adding complexity.

[edit] Push technique

The push technique is employed when the policies are updated at the central management side by the network administrator and the hosts have to be updated immediately. This push technology ensures that the hosts always have the updated policies at anytime. The policy language defines which inbound and outbound connections on any component of the network policy domain are allowed, and can affect policy decisions on any layer of the network, being it at rejecting or passing certain packets or enforcing policies at the Application Layer.

[edit] Components of a distributed firewall A central management system for designing the policies. A transmission system to transmit these polices.

Implementation of the designed policies in the client end.

[edit] Central management system

Central Management, a component of distributed firewalls, makes it practical to secure enterprise-wide servers, desktops, laptops, and workstations. Central management provides greater control and efficiency and it decreases the maintenance costs of managing global security installations. This feature addresses the need to maximize network security resources by enabling policies to be centrally configured, deployed, monitored, and updated. From a single workstation, distributed firewalls can be scanned to understand the current operating policy and to determine if updating is required.

[edit] Policy distribution

The policy distribution scheme should guarantee the integrity of the policy during transfer. The distribution of the policy can be different and varies with the implementation. It can be either directly pushed to end systems, or pulled when necessary.

[edit] Host-end implementation

The security policies transmitted from the central management server have to be implemented by the host. The host end part of the Distributed Firewall does provide any administrative control for the network administrator to control the implementation of policies. The host allows traffic based on the security rules it has implemented.

[edit] Threat comparisonDistributed firewalls have both strengths and weaknesses when compared to conventional firewalls. By far the biggest difference, of course, is their reliance on topology. If your topology does not permit reliance on traditional firewall techniques, there is little choice. A more interesting question is how the two types compare in a closed, single-entry network. That is, if either will work, is there a reason to choose one over the other?

[edit] Service exposure and port scanning

Both types of firewalls are excellent at rejecting connection requests for inappropriate services. Conventional firewalls drop the requests at the border; distributed firewalls do so at the host. A more interesting question is what is noticed by the host attempting to connect. Today, such packets are typically discarded, with no notification. A distributed firewall may choose to discard the packet, under the assumption that its legal peers know to use IPSEC; alternatively, it may instead send back a response requesting that the connection be authenticated, which in turn gives notice of the existence of the host. Firewalls built on pure packet filters cannot reject some "stealth scans" very well. One technique, for example, uses fragmented packets that can pass through unexamined because the port numbers aren't present in the first fragment. A distributed firewall will reassemble the packet and then reject it. On balance, against this sort of threat the two firewall types are at least comparable.

[edit] IP address spoofing

Reliance on network addresses is not a favored concept. Using cryptographic mechanisms most likely prevents attacks based on forged source addresses, under the assumption that the trusted repository containing all necessary credentials has not been subject to compromise in itself. These problems can be solved by conventional firewalls with corresponding rules for discarding packets at the network perimeter but will not prevent such attacks originating from inside the network policy domain.

[edit] Malicious software

With the spread use of distributed object-oriented systems like CORBA, client-side use of Java and weaknesses in mail readers and the like there is a wide variety of threats residing in the application and intermediate level of communication traffic. Firewall mechanisms at the perimeter can come useful by inspecting incoming e-mails for known malicious code fingerprints, but can be confronted with complex, thus resource-consuming situations when making decisions on other code, like Java. Using the framework of a distributed firewall and especially considering a policy language which allows for policy decision on the application level can circumvent some of these problems, under the condition that contents of such communication packets can be interpreted semantically by the policy verifying mechanisms. Stateful inspection of packets shows up to be easily adapted to these requirements and allows for finer granularity in decision making. Furthermore malicious code contents may be completely disguised to the screening unit at the network perimeter, given the use of virtual private networks and enciphered communication traffic in general and can completely disable such policy enforcement on conventional firewalls.

[edit] Intrusion detection

Many firewalls detect attempted intrusions. If that functionality is to be provided by a distributed firewall, each individual host has to notice probes and forward them to some central location for processing and correlation. The former problem is not hard; many hosts already log such attempts. One can make a good case that such detection should be done in any event. Collection is more problematic, especially at times of poor connectivity to the central site. There is also the risk of coordinated attacks in effect causing a denial-of-service attack against the central machine.

[edit] Insider attacks

Given the natural view of a conventional firewall on the networks topology as consisting of an inside and outside, problems can arise, once one or more members of the policy network domain have been compromised. Perimeter firewalls can only enforce policies between distinct networks and show no option to circumvent problems which arise in the situation discussed above. Given a distributed firewalls independence on topological constraints supports the enforcement of policies whether hosts are members or outsiders of the overall policy domain and base their decisions on authenticating mechanisms which are not inherent characteristics of the networks layout. Moreover, compromise of an endpoint either by an legitimate user or intruder will not weaken the overall network in a way that leads directly to compromise of other machines, given the fact that the deployment of virtual private networks prevents sniffing of communication traffic in which the attacked machine is not involved. On the other side, on the end-point itself nearly the same problems arise as in conventional firewalls: Assuming that a machine has been taken over by an adversary must lead to the conclusion that the policy enforcement mechanisms them self may be broken. The installation of backdoors on this machine can be done quite easily once the security mechanisms are flawed and in the lack of a perimeter firewall, there is no trusted entity anymore which might prevent arbitrary traffic entering or leaving the compromised host. Additionally use of tools like SSH and the like allow tunneling of other applications communication and can not be prevented without proper knowledge of the decrypting credentials, moreover given the fact that in case an attack has shown up successfully the

verifying mechanisms in them self may not be trusted anymore. At first glance, the biggest weakness of distributed firewalls is their greater susceptibility to lack of cooperation by users. What happens if someone changes the policy files on their own? Distributed firewalls can reduce the threat of actual attacks by insiders, simply by making it easier to set up smaller groups of users. Thus, one can restrict access to a file server to only those users who need it, rather than letting anyone inside the company pound on it. It is also worth expending some effort to prevent casual subversion of policies. If policies are stored in a simple ASCII file, a user wishing to, for example, play a game could easily turn off protection. Requiring the would-be uncooperative user to go to more trouble is probably worthwhile, even if the mechanism is theoretically insufficient. For example, policies could be digitally signed, and verified by a frequently-changing key in an awkward-to-replace location. For more stringent protections, the policy enforcement can be incorporated into a tamper-resistant network card.

Interested in learningmore about security?

SANS InstituteInfoSec Reading RoomThis paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.

Protecting the Next Generation Network-Distributed FirewallsCorporate networks are constantly changing to meet the needs of businesses and continue to expand in ways thatwe couldn't have imagined only a few years ago. Gone are the days of a closed network with one external pointof access. With the expansion of high speed Internet access via DSL and cable modems, users can now work from

home using VPNs. Many companies are expanding their networks even farther with wireless technology allowingaccess for devices that aren't even physically connected to the network. Suddenly the...

Copyright SANS InstituteAuthor Retains Full RightsAD

© SANS Institute 2001, Author retains full rightsKey fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46© SANS Institute 2001, As part of the Information Security Reading Room. Author retains full rights.Protecting the Next Generation Network – Distributed FirewallsRobert GwaltneyOctober 7, 2001IntroductionCorporate networks are constantly changing to meet the needs of businesses and continue toexpand in ways that we couldn’t have imagined only a few years ago. Gone are the days of aclosed network with one external point of access. With the expansion of high speed Internetaccess via DSL and cable modems, users can now work from home using VPNs. Manycompanies are expanding their networks even farther with wireless technology allowing accessfor devices that aren’t even physically connected to the network. Suddenly the networks withone or two points of access now have multiple points of access that can change from day to day.Many people think their network is protected because they only use VPN for remote access. But,how secure are the devices on the end of the VPN connection? If the hacker compromises theend user’s machine, they can then use the machine to connect to your corporate network. This iswhat happened to Microsoft in October of 2000 using an employee’s home computer. Securingthese new networks requires a different approach, which distributed firewalls provide.Traditional FirewallsTraditional firewalls are devices often placed on the edge of the network that act as a bouncerallowing only certain types of traffic in and out of the network. Often called perimeter firewalls,they divide the network into two parts—trusted on one side and untrusted on the other. For thisreason they depend heavily on the topology of the network. The firewall is used to enforce acentral policy of what traffic is allowed in and out of the network. When traffic flows throughthe firewall it is evaluated by a set of rules based on ip address, port, etc. and either allowed ordenied. All traffic entering or leaving the network must pass through this point. Thisrequirement itself is often one of the downfalls of the firewall. For example, users might goaround the firewall by using a modem or some other connection to the Internet. Anotherproblem is encrypted tunnels, which provide a hole through the firewall where the traffic isn’tevaluated and flows freely.Distributed FirewallsSteven M. Bellovin of AT&T Research is credited with the idea of distributed firewalls. Unliketraditional firewalls, distributed firewalls are not placed in one location. As the name implies,the distributed firewall is installed throughout the network to all endpoints. Distributed firewallsare based on three main points.

Policy LanguageThe policy language is used to create polices for each of the firewalls. These policies arethe collection of rules, which direct the firewall in how to evaluate the network traffic.

© SANS Institute 2001, Author retains full rightsKey fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46© SANS Institute 2001, As part of the Information Security Reading Room. Author retains full rights.System Management ToolsThe system management tools are used to distribute the policy to the firewalls and tocollect logging and reporting information.IPSECIPSEC provides network-level encryption used to secure network traffic and thetransmission of policies. It also provides a more important function of providing a way tocryptographically verify the sender of information. Senders can then be uniquely verifiedby their certificate.How it WorksMost distributed firewalls run in kernel mode and sit at the bottom of the OSI stack. The firewallevaluates all network traffic whether it is from the Internet or the internal network. This protectsthe system much in the same way as a traditional firewall protects the network. After thefirewall is installed on all network endpoints, a central policy is developed. This policy iswritten using the policy language and then compiled in a format to be transferred to eachfirewall. The system management tools are then used to transfer the policy to each firewall.Because the firewalls are in different locations throughout the network and may be on a machinethat changes locations, they cannot depend on the network topology to determine the sender ofthe network traffic. For this they use the certificates provide by IPSEC. These certificatesuniquely identify the sender and don’t depend on the network topology. The firewall thenevaluates the traffic based on the central policy and decides to allow or deny it. The firewall canalso then transfer logging information to a central location where it can be used for reporting.ImplementationIn its purest form of implementation, every network endpoint would contain a firewall and allnetwork traffic would be secured using IPSEC. However, many legacy systems do not offersupport for IPSEC, and many companies already have an investment in traditional firewalls.Therefore most implementations take on some hybrid form.Remote AccessIn a remote access implementation the systems are outside of the traditional firewall andtherefore unprotected. These systems establish a VPN connection through an IPSECgateway setup on the corporate network. The IPSEC tunnels provide protection for thenetwork traffic as it is transferred in and out of the network. A distributed firewall is alsoinstalled on the system that receives the central policy from the corporate network. Thedistributed firewall then enforces the policy and offers it the same protection as machineson the trusted network.

© SANS Institute 2001, Author retains full rightsKey fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46© SANS Institute 2001, As part of the Information Security Reading Room. Author retains full rights.Layered ProtectionDistributed firewalls can also be installed on machines that are behind a traditionalfirewall and already on the trusted network. This offers a second layer of protection inthe event that there is an error in the configuration or failure of the traditional firewall.This implementation can also be used to specialize the security on critical servers thatmay need more protection than the traditional firewall provides. They also protect thesystems from internal attacks, which would not pass through an external firewall.E-commerceIn an e-commerce implementation the performance and availability of the server isusually a high priority. Because distributed firewalls are installed on the host system,they allow servers to be placed outside the traditional firewall on the untrusted network.This reduces any performance loss that might be caused by all the traffic flowing throughthe traditional firewall. This also removes the traditional firewall as a single point offailure.These different implementations can also be combined to fit the varying needs of your network.Steve Hunt of Giga Information Group sums it up well.“It’s a migration, or adapting your current infrastructure to meet the new demands. Thesolution involves using all routers, firewalls, and VPNs. To do that, you will need administrationprocesses, but once you have co-ordinated [these], you can have distributedauthorization”(Gerald, p.2).The distributed firewall enables this system of distributed authorization. No longer is networktraffic evaluated only at one point on the network, but it is now evaluated or authorized at everynetwork endpoint. (Figure 1)

© SANS Institute 2001, Author retains full rightsKey fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46© SANS Institute 2001, As part of the Information Security Reading Room. Author retains full rights.FeaturesDistributed firewalls may not be the solution for everyone. They enhance the features providedby a traditional firewall in many ways but do have disadvantages. Traditional firewalls performsome tasks better than distributed firewalls. Below is a list of features and issues along with abrief summary of how each type of firewall deals with the situation. Hopefully this will help indetermining the correct type of firewall for your network.Network TopologyAs discussed earlier traditional firewalls depend heavily on network topology becausethey divide the network into trusted and untrusted. Because of their static location theyalso can be circumvented by users going around the firewall. There also can be a

performance bottleneck because they are the single choke point on the network, andtherefore, a single point of failure. Distributed firewalls don’t suffer from thesedisadvantages because they are installed on each system, which removes the single chokepoint on the network. They also operate independent of the network topology becausethey evaluate all traffic that is sent to the machine.(Figure 1)

© SANS Institute 2001, Author retains full rightsKey fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46© SANS Institute 2001, As part of the Information Security Reading Room. Author retains full rights.Policy EnforcementTraditional firewalls use rules based on ip address, port, packet flags, etc. Many of theseitems can be spoofed allowing traffic to penetrate the firewall. Distributed firewalls’ useof IPSEC and certificates prevent this. Certificates are not easily spoofed and make this amore secure method of uniquely identifying the sender of the traffic.Knowledge of Network TrafficTo understand this point, here is a brief primer on the three-way handshake used by TCPto establish a connection. Host A wants to make a connection to Host B so it sends apacket with the SYN flag (synchronize) set. When Host B receives the packet from HostA, it replies with a packet that has both the SYN and ACK (acknowledge) flags set. HostA then replies with a packet with the ACK flag and the connection is established.(Figure 2) Traditional firewalls evaluate traffic based on externally visible features. Forexample if a traditional firewall sees a packet with the ACK flag set it may allow itthrough because it assumes its part of a previously ongoing conversation. ACK packetscan be used by some “stealth” port scanners. A distributed firewall, however, since it ison the host system, will know whether it is expecting an ACK packet in response to aconnection it was establishing. It then can make a much more informed decision onwhether to allow or deny the packet.Application-level ProxiesTraditional firewalls do a very good job of providing application-level proxies. Manydistributed firewalls do not include application-level proxies, but this is changing as thetechnology matures.Intrusion DetectionMany traditional firewalls include some form of intrusion detection. However, onlytraffic passing through the firewall will be examined, so this excludes much of the(Figure 2)

© SANS Institute 2001, Author retains full rightsKey fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46© SANS Institute 2001, As part of the Information Security Reading Room. Author retains full rights.internal traffic. Distributed firewalls will see more of the internal traffic, but have the

problem that they must all send log information to one central location. This can causeproblems for remote users who may connect over slower networks.Denial of ServiceIn the event of a denial of service attack, a traditional firewall may be able to block someattacks and contain them to the untrusted side of your network. While you wouldn’t haveexternal connectivity, the internal network would function as normal. If only distributedfirewalls were used, the entire network would be affected because there would be nosingle choke point to stop the attack.Inside AttacksDistributed firewalls provide the only protection from an inside attack. Because it is hostbased, the distributed firewall will evaluate all traffic regardless of sender. Traditionalfirewalls will never see the traffic because it is on the internal network and never passesthrough the firewall.Central Management and ReportingBoth traditional and distributed firewalls use methods of central management andreporting. Distributed firewalls do have one advantage. Again, because they are locatedon the host system, you can specialize the firewall policies and place systems in groupsfor easier management. A traditional firewall has one policy for the entire networkCurrent SolutionsSince distributed firewalls are a fairly new technology the list of vendors is quite small. Manyvendors provide additional features. CyberwallPLUS by Network-1 is certified by the ICSA, acertification usually only held by traditional firewalls. CyberArmor by InfoExpress not only hasrules for network traffic but also for applications. When installed, it takes cryptographic hash ofthe executable files. Rules can then be set up for which applications the user can execute.Secure Enterprise by Sygate has a feature they call the VPN Enforcer. The VPN Enforcer isinstalled on your VPN server and will only allow VPN connections from clients that are runningthe distributed firewall and have the current policy. These are just a sample of some of thefeatures that are being added to distributed firewalls.ConclusionAs networks continue to change and expand new tools are needed to keep them secure.Distributed firewalls take a new approach by securing every host on the network. They alsohave no trouble handling the changing topology of today’s networks. This makes them a perfectmatch for telecommuters that work from remote locations and often use a VPN to connect to thecorporate network. As they continue to develop, new features will be added that will only

© SANS Institute 2001, Author retains full rightsKey fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46© SANS Institute 2001, As part of the Information Security Reading Room. Author retains full rights.increase their security and ease of use. Distributed firewalls just may be the tool to secure nextgeneration networks.ReferencesAndress, Mandy. “Closing the gap in end-user security” 29 August 2000.URL: http://www.infoworld.com/articles/es/xml/00/09/01/000901estca.xmlAnonymous. Maximum Security Second Edition. Indianapolis: SAMS, August 1998. 59-60.

Bellovin, Steven M. “Distributed Firewalls”URL: http://www.research.att.com/~smb/papers/distfw.htmlFogei, Avi. “Distributed firewalls provide options for security topology” July 2000.URL: http://www.serverworldmagazine.com/compaqent/2000/07/firewall.shtmlGeralds, John. “Distributed firewalls – protecting from the inside” 25 July 2000.URL: http://www.vnunet.com/Analysis/1107338Mark, Stuart. “Distributing firewall tasks” 23 April 2001.URL: http://www.zdnet.co.uk/itweek/brief/2001/16/network/Radcliff, Deborah. “Firewalls reach out” 26 March 2000.URL: http://www.computerworld.com/cwi/stories/0,1199,NAV47-81_STO58975,00.htmlURL: http://www.distributedfirewalls.comURL: http://www.infoexpress.com/products/pf/index.htmlURL: http://www.network-1.com/products/index.htmlURL: http://www.sygate.com/products/sms_ov.htmLast Updated: July 25th, 2010

Upcoming SANS TrainingClick Here for a full list of all Upcoming SANS Events by LocationSANS WhatWorks in Virtualization and Cloud ComputingSummit 2010Washington, DC Aug 19, 2010 - Aug 22, 2010 Live EventSANS Portland 2010 Portland, OR Aug 23, 2010 - Aug 28, 2010 Live EventSANS Virginia Beach 2010 Virginia Beach, VA Aug 27, 2010 - Sep 03, 2010 Live EventThe 2010 European Digital Forensics and Incident ResponseSummitLondon, UnitedKingdomSep 08, 2010 - Sep 09, 2010 Live EventSANS Network Security 2010 Las Vegas, NV Sep 19, 2010 - Sep 27, 2010 Live EventSANS WhatWorks: Legal Issues and PCI Compliance inInformation Security Summit 2010Las Vegas, NV Sep 22, 2010 - Sep 29, 2010 Live EventSOS: SANS October Singapore 2010 Singapore, Singapore Oct 04, 2010 - Oct 11, 2010 Live EventEU Process Control and SCADA Security Summit 2010 London, UnitedKingdomOct 07, 2010 - Oct 14, 2010 Live EventSANS Gulf Region 2010 Dubai, United ArabEmiratesOct 09, 2010 - Oct 21, 2010 Live EventSANS Geneva Security Essentials at HEG Fall 2010 Geneva, Switzerland Oct 11, 2010 - Oct 16, 2010 Live EventSANS App Sec India 2010 Bangalore, India Oct 18, 2010 - Oct 22, 2010 Live EventCyberSecurity Malaysia SEC 401 Onsite Kuala Lumpur, Malaysia Oct 18, 2010 - Oct 23, 2010 Live EventSANS Boston 2010 OnlineMA Aug 02, 2010 - Aug 09, 2010 Live EventSANS OnDemand Books & MP3s Only Anytime Self Paced