Part II: Building Firewalls
Chapter 7. Firewall Design
7.3 Put Everything Together
Once you have determined what the basic components of your firewall are, an unfortunate number of details still have to be determined. You need to figure out how you're actually going to assemble the pieces, and how you're going to provide the support services that will keep them functioning.
7.3.1 Where will logs go, and how?
Logging is extremely important for a firewall. The logs are your best hope of detecting attacks against your site and your best source of information about what happened when an attack succeeds. Keep the logs on a machine separate from the firewall, so that an intruder who compromises the firewall cannot destroy the record of how it was done at the same time. If your firewall is composed of multiple machines, or you have multiple firewalls, you will also want to bring all of the logs together in one place to simplify using them. Logging is discussed further in Chapter 10 and Chapter 26.
7.3.1.1 How will you back up the system?
You will need to keep backups of all the parts of your firewalls. These will let you rebuild systems in an emergency, and they will also give you evidence when you discover an attack, allowing you to compare before and after states.
Unfortunately, when you do backups between two machines, each becomes a way to attack the other: whichever machine can read or write the other's backups can read or alter its configuration. The machine that you use for backing up your firewall is therefore part of the firewall and needs to be treated appropriately. You may find it more appropriate to do local backups, with a device that's attached to each computer that makes up part of the firewall (be sure to use removable media and remove it; otherwise, a disaster or compromise will take the backups along with the originals). If you have a large and complex firewall, you may want to add a dedicated backup system to the firewall. This system should be part of the firewall system, treated like any other bastion host. It should not have access to internal networks or data, and it should be secured like other bastion hosts.
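The "compare before and after states" use of a backup is easier if the backup carries a manifest of file digests taken at backup time, stored with the removable media or on the log host rather than on the firewall. The following is an added example of such a manifest and the comparison, not code from the book; the file names, contents and "intruder" changes in demo() are constructed for illustration.

```python
import hashlib
import json
import os
import shutil
import stat
import tempfile

def hash_file(path):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Digest, permission bits and size of every regular file under root, keyed by relative path."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                      # walk in a fixed order so manifests are reproducible
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue                     # symlinks, sockets, devices: out of scope here
            manifest[os.path.relpath(full, root)] = {
                "sha256": hash_file(full),
                "mode": st.st_mode & 0o7777,
                "size": st.st_size,
            }
    return manifest

def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)

def load_manifest(path):
    with open(path) as f:
        return json.load(f)

def compare_manifests(before, after):
    """What changed between the backed-up state and the state found after an incident."""
    return {
        "added":    sorted(set(after) - set(before)),
        "removed":  sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }

def demo():
    """Constructed scenario: snapshot a small config tree, tamper with it, diff against the snapshot."""
    work = tempfile.mkdtemp()
    try:
        tree = os.path.join(work, "etc")
        os.makedirs(tree)
        with open(os.path.join(tree, "hosts.allow"), "w") as f:
            f.write("sshd: 10.1.0.0/16\n")
        with open(os.path.join(tree, "inetd.conf"), "w") as f:
            f.write("# nothing enabled\n")

        # The manifest taken at backup time. In real use it lives with the backup media
        # or on the log host, never only on the firewall itself.
        manifest_path = os.path.join(work, "manifest.json")
        save_manifest(build_manifest(tree), manifest_path)

        # Simulated intruder activity after the backup was taken (constructed).
        with open(os.path.join(tree, "hosts.allow"), "w") as f:
            f.write("sshd: ALL\n")                      # access control loosened
        with open(os.path.join(tree, "rc.backdoor"), "w") as f:
            f.write("/usr/sbin/inetd -c /tmp/.x\n")     # new startup file
        os.remove(os.path.join(tree, "inetd.conf"))     # file removed

        return compare_manifests(load_manifest(manifest_path), build_manifest(tree))
    finally:
        shutil.rmtree(work)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The manifest is only evidence if the intruder could not rewrite it; that is the same reason the backup media must leave the machine. A manifest that lives on the firewall's own disk tells you nothing after a root compromise.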
7.3.1.2 What support services does the system require?
You should carefully examine all cases where the firewall is getting information from external machines, get rid of as many dependencies as possible, and move other services into the firewall wherever possible.
For instance, is the firewall dependent on other machines for name service? If so, interfering with the name service may cause problems with the firewall (even if the firewall only uses name service to write hostnames into logs, problems with the name service can make it unusably slow). If you can, configure firewall machines so that they never use name service for any purpose; if you can't, protect your name server as part of your firewall (though you will still be vulnerable to forged name service packets).
Similarly, if you are using a time service to synchronize clocks on firewall machines, it should use authentication and come from a protected source. Firewall machines should not require or accept routing updates unless they can be authenticated and their sources protected.
7.3.1.3 How will you access the machines?
You will need to do some routine maintenance tasks on the machines (upgrade them, change configurations, add or remove user accounts, reboot them). Are you going to physically go to the machines to do this, or will you use some kind of remote access? If you're going to do it remotely, how are you going to do it securely? Chapter 11,
7.3.1.4 Where will routine reports go, and how?
You will need some sort of reporting on the machine, so that you know it's still functioning normally. Exactly what you need will depend on the administration infrastructure that you have in place, but you will need some way of getting regular log summaries and reports from security auditing systems. You may also want to use a monitoring system that will show you status on a regular basis.
7.3.1.5 Where will alarms go, and how?
When things go wrong, the firewall should send emergency notifications. The mechanism that is used should be one that attackers can't easily interfere with. For instance, if the firewall machines need to send network traffic to provide emergency notification, it's easy for an attacker to simply take down the network interface. (In some configurations, this may also remove the attacker's access, but if the attack is a denial of service, that isn't important.) Either machines should have ways of sending alarms that are not dependent on the network (for instance, by using a modem), or alarms should be generated by independent monitoring machines that are not on the same network and will produce alarms if they lose contact.
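The second option above, an independent monitor that alarms when it loses contact, is sketched here as an added example; it is not code from the book. The monitor is assumed to run on a machine that is not on the firewall's network and to deliver alerts over a path the attacker cannot cut from the firewall (the alert callable; a pager or modem in practice, a list in demo()). The probe results in demo() are constructed.

```python
import socket

class ContactMonitor:
    """Watch one firewall host from an independent machine and alarm when contact is lost.

    probe: callable returning True when the host answered. In real use this is an ICMP echo,
           a TCP connect to a service that should be up (see tcp_probe), or a heartbeat check.
    alert: callable(message) that delivers the alarm over a path the attacker cannot cut
           from the firewall (pager, modem, a separate management network). Stubbed in demo().
    """

    def __init__(self, name, probe, alert, failures_before_alarm=3):
        self.name = name
        self.probe = probe
        self.alert = alert
        self.threshold = failures_before_alarm
        self.consecutive_failures = 0
        self.in_alarm = False

    def check(self, now):
        """Run one probe. Returns True if the host answered."""
        try:
            ok = bool(self.probe())
        except Exception:
            ok = False                       # a probe that fails to run is lost contact, not a reason to skip
        if ok:
            if self.in_alarm:
                self.alert(f"{now}: contact with {self.name} restored")
                self.in_alarm = False
            self.consecutive_failures = 0
        else:
            self.consecutive_failures += 1
            # Alarm once per outage after a few failures, so a single dropped probe
            # doesn't page anyone but a sustained outage always does.
            if self.consecutive_failures >= self.threshold and not self.in_alarm:
                self.alert(f"{now}: lost contact with {self.name} "
                           f"({self.consecutive_failures} consecutive probes failed)")
                self.in_alarm = True
        return ok

def tcp_probe(host, port, timeout=3.0):
    """A real probe: can we complete a TCP handshake to a service the firewall should be offering?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def demo():
    """Constructed probe history: two good checks, four failures, then recovery."""
    script = iter([True, True, False, False, False, False, True])
    alerts = []
    mon = ContactMonitor("fw-ext", probe=lambda: next(script), alert=alerts.append,
                         failures_before_alarm=3)
    for tick in range(7):
        mon.check(now=f"t{tick}")
    return alerts

if __name__ == "__main__":
    for line in demo():
        print(line)
```

Note that the monitor alarms on silence, not on a message from the firewall: an attacker who takes the firewall's interface down to stop it from reporting produces exactly the condition the monitor is looking for.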
Chapter 8. Packet Filtering
Packet filtering is a network security mechanism that works by controlling what data can flow to and from a network. The basic device that interconnects IP networks is called a router. A router may be a dedicated piece of hardware that has no other purpose, or it may be a piece of software that runs on a general-purpose computer running Unix, Windows NT, or another operating system (MS-DOS, Windows 95/98, Macintosh, or other). Packets traversing an internetwork (a network of networks) travel from router to router until they reach their destination. The Internet itself is sort of the granddaddy of internetworks - the ultimate "network of networks".
A router has to make a routing decision about each packet it receives; it has to decide how to send that packet on towards its ultimate destination. In general, a packet carries no information to help the router in this decision, other than the IP address of the packet's ultimate destination. The packet tells the router where it wants to go but not how to get there. Routers communicate with each other using routing protocols such as the Routing Information Protocol (RIP) and Open Shortest Path First (OSPF) to build routing tables in memory to determine how to get the packets to their destinations. When routing a packet, a router compares the packet's destination address to entries in the routing table, picks the most specific entry that matches (the longest matching prefix), and sends the packet onward as directed by that entry. Often, there won't be a specific route for a particular destination, and the router will use a default route; generally, such a route directs the packet towards smarter or better-connected routers. (The default routes at most sites point towards the Internet.)
In determining how to forward a packet towards its destination, a normal router looks only at a normal packet's destination address and asks only "How can I forward this packet?" A packet filtering router also considers the question "Should I forward this packet?" The packet filtering router answers that question according to the security policy programmed into the router via the packet filtering rules.
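The two questions, "How can I forward this packet?" and "Should I forward this packet?", are shown side by side in the following added example, which is not code from the book. The routing table, the rule set and the sample packets are constructed: RFC 5737 documentation addresses for the outside world and the perimeter network, an RFC 1918 network inside, and three rules (an anti-spoofing drop, inbound SMTP to a perimeter mail host, outbound HTTP from inside) in front of a default-deny policy.

```python
import ipaddress

# Constructed routing table for a screening router: (destination prefix, next hop or None
# if directly connected, outgoing interface). Addresses are RFC 5737 documentation ranges
# plus an RFC 1918 internal network; none of this is from the book.
ROUTES = [
    ("10.1.0.0/16",  None,          "int0"),   # internal network, directly connected
    ("10.1.20.0/24", "10.1.0.254",  "int0"),   # a subnet behind an internal router
    ("192.0.2.0/24", None,          "dmz0"),   # perimeter network
    ("0.0.0.0/0",    "203.0.113.1", "ext0"),   # default route: hand everything else to the ISP
]

def lookup_route(dst_ip, routes=ROUTES):
    """'How can I forward this packet?': longest-prefix match on the destination address only."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    if best is None:
        return None                  # no route, not even a default: the router must drop it
    net, next_hop, iface = best
    return {"prefix": str(net), "next_hop": next_hop, "iface": iface}

# Packet-filtering rules: first match wins, anything unmatched is dropped.
# Fields: (action, inbound interface, protocol, source net, destination net, destination port).
ANY = "0.0.0.0/0"
RULES = [
    # Anti-spoofing: a packet arriving from the Internet may not carry an internal source address.
    ("drop",  "ext0", "any", "10.1.0.0/16", ANY,             None),
    # Inbound SMTP to the mail bastion on the perimeter network.
    ("allow", "ext0", "tcp", ANY,           "192.0.2.25/32", 25),
    # Internal hosts may reach the Internet on HTTP.
    ("allow", "int0", "tcp", "10.1.0.0/16", ANY,             80),
]

def filter_packet(pkt, rules=RULES):
    """'Should I forward this packet?': returns (action, matching rule number or None)."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    for number, (action, iface, proto, src_net, dst_net, dport) in enumerate(rules, 1):
        if iface != pkt["in_iface"]:
            continue
        if proto != "any" and proto != pkt["proto"]:
            continue
        if src not in ipaddress.ip_network(src_net) or dst not in ipaddress.ip_network(dst_net):
            continue
        if dport is not None and pkt.get("dport") != dport:
            continue
        return action, number
    return "drop", None              # default policy: deny

def handle_packet(pkt, rules=RULES, routes=ROUTES):
    """A packet-filtering router asks both questions, the security one first."""
    action, number = filter_packet(pkt, rules)
    if action != "allow":
        return {"action": "drop", "rule": number}
    route = lookup_route(pkt["dst"], routes)
    if route is None:
        return {"action": "drop", "rule": "no route"}
    return {"action": "forward", "rule": number, **route}

if __name__ == "__main__":
    # Constructed sample packets: legitimate inbound mail, a spoofed "internal" source
    # arriving from outside, outbound HTTP, and an outbound telnet the policy doesn't allow.
    samples = [
        {"in_iface": "ext0", "proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.25",   "dport": 25},
        {"in_iface": "ext0", "proto": "tcp", "src": "10.1.5.5",     "dst": "192.0.2.25",   "dport": 25},
        {"in_iface": "int0", "proto": "tcp", "src": "10.1.3.3",     "dst": "198.51.100.7", "dport": 80},
        {"in_iface": "int0", "proto": "tcp", "src": "10.1.3.3",     "dst": "198.51.100.7", "dport": 23},
    ]
    for pkt in samples:
        print(pkt["src"], "->", pkt["dst"], handle_packet(pkt))
```

Two things to notice: the route lookup uses nothing but the destination address, as the text says, while the filtering decision also looks at the arriving interface, protocol, source and port; and the order of the rules matters, since the anti-spoofing rule only does its job because it comes before the rule that admits mail.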
Some machines do packet filtering without doing routing; that is, they may accept or reject packets destined for them before they do further processing.
Some unusual packets do contain routing information about how they are to reach their destination, using the "source route" IP option. These packets, called source-routed packets, are discussed in Section 4.2.2, in Chapter 4.