
Understanding IBM Firewall

In document Firewall: Getting started (Page 11-51)

A firewall represents a substantial portion of your network security policy.

Therefore, you must understand exactly what a firewall is and what a firewall can do for you. Each firewall product uses different sets of security features. To understand what a firewall can do to protect your network, review these topics:

v About firewalls

v Understanding Internet security issues

When you connect your network to the Internet, you must use Transmission Control Protocol/Internet Protocol (TCP/IP) and ensure that you configure your network properly. You can prevent many problems with firewall installation and firewall configuration by making sure that you configure TCP/IP properly.

Consequently, you should review the topic, Understanding TCP/IP, networking, and the Internet, before you start planning your firewall installation.

To understand what IBM Firewall for AS/400 can do to protect your network, review these topics:

v IBM Firewall for AS/400 features

v IBM Firewall for AS/400 components

v Firewall configurations

To learn how to get your firewall up and running, review these topics:

v Planning your firewall installation and configuration.

v Installing and configuring your firewall.

v Configuring your clients to use the firewall for Internet access.

About firewalls

A firewall is a blockade between a secure internal network and an untrusted network such as the Internet. Most companies use a firewall to connect an internal network safely to the Internet. You can also use a firewall to secure one internal network from another on an intranet.

A firewall provides a controlled single point of contact (called a chokepoint) between your secure internal network and the untrusted network. The firewall:

v Lets users in your internal network use authorized resources that are located on the outside network.

v Prevents unauthorized users on the outside network from using resources on your internal network.

When you use a firewall as your gateway to the Internet (or other network), you reduce the risk to your internal network considerably. Using a firewall also makes administering network security easier because firewall functions carry out most of your security policy.

To better understand what a firewall does and how you can use one to protect your network, review these topics:

v Firewall components.

v How a firewall works.

v What a firewall can do to protect your network.

v What a firewall cannot do to protect your network.

Firewall components

A firewall is a collection of hardware and software that, when used together, prevents unauthorized access to a portion of a network.

A firewall consists of the following components:

v Hardware. Firewall hardware usually consists of a separate computer dedicated to running the firewall software functions.

v Software. Firewall software can consist of some or all of these applications:

– Packet filters

– Proxy servers

– SOCKS servers

– Network address translation (NAT) services

– Logging and monitoring software

– Virtual private network (VPN) services

How a firewall works

To understand how a firewall works, imagine that your network is a building to which you want to control access. Your building has a lobby as the only entry point. In this lobby, you have receptionists to welcome visitors, security guards to watch visitors, video cameras to record visitor actions, and badge readers to authenticate visitors who enter the building.

These measures may work well to control access to your building. But, if an unauthorized person succeeds in entering your building, you have no way to protect the building against this intruder’s actions. If you monitor the intruder’s movements, however, you have a chance to detect any suspicious activity from the intruder.

When you define your firewall strategy, you may think it is sufficient to prohibit everything that presents a risk for the organization and allow everything else.

However, because computer criminals constantly create new attack methods, you must anticipate ways to prevent these attacks. As in the example of the building, you also need to monitor for signs that, somehow, someone has breached your defenses. Generally, it is much more damaging and costly to recover from a break-in than to prevent one.

In the case of a firewall, your best strategy is to permit only those applications that you have tested and have confidence in. If you follow this strategy, you must exhaustively define the list of services you must run on your firewall. You can characterize each service by the direction of the connection (from inside to outside, or outside to inside). You should also list users who you will authorize to use each service and the machines that can issue a connection for it.

What a firewall can do to protect your network

You install a firewall between your network and your connection point to the Internet (or other untrusted network). The firewall then allows you to limit the points of entry into your network. A firewall provides a single point of contact (called a chokepoint) between your network and the Internet (see the figure below). Because you have a single point of contact, you have more control over which traffic to allow into and out of your network.

A firewall appears as a single address to the public. The firewall provides access to the untrusted network through proxy or SOCKS servers or network address translation (NAT) while hiding your internal network addresses. Consequently, the firewall maintains the privacy of your internal network. Keeping information about your network private is one way in which the firewall makes an impersonation attack (spoofing) less likely.

A firewall allows you to control traffic into and out of your network to minimize the risk of attack to your network. A firewall securely filters all traffic that enters your network so that only specific types of traffic for specific destinations can enter. This minimizes the risk that someone could use TELNET or file transfer protocol (FTP) to gain access to your internal systems.
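The address hiding described above can be made concrete with a small model of a many-to-one NAT table. This is an added example written for this page, not IBM Firewall code; the firewall address, internal network and port numbers are constructed. Every outbound connection leaves with the firewall's single public address and a port the firewall allocated, the reply is mapped back to the internal host that started the conversation, and an inbound packet that matches no entry is dropped, which is what keeps hosts that never spoke to the outside invisible.

```python
"""Toy many-to-one NAT (masquerading) table, added example.

Not IBM Firewall code. Shows how a firewall presents one public address for
all outbound traffic and still routes replies to the right internal host.
All addresses and ports are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Constructed addressing: private internal range, RFC 5737 documentation address
# standing in for the firewall's public interface.
INTERNAL_NET = ip_network("10.0.0.0/8")
FIREWALL_PUBLIC_IP = ip_address("198.51.100.1")
EPHEMERAL_START = 40000

# One side of a connection: (protocol, address, port).
Endpoint = Tuple[str, str, int]


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatTable:
    def __init__(self) -> None:
        # internal (proto, ip, port) -> public port the firewall allocated
        self._out: Dict[Endpoint, int] = {}
        # (proto, public port) -> internal (ip, port)
        self._in: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self._next_port = EPHEMERAL_START

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite an internal source to the firewall's single public address."""
        if ip_address(pkt.src_ip) not in INTERNAL_NET:
            raise ValueError("outbound NAT only applies to internal sources")
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        port = self._out.get(key)
        if port is None:
            # First packet of this flow: allocate a public port and remember the mapping.
            port = self._next_port
            self._next_port += 1
            self._out[key] = port
            self._in[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, str(FIREWALL_PUBLIC_IP), port, pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a reply addressed to the firewall back to the originating host.

        Unsolicited inbound packets have no table entry and return None; the
        caller drops them, so internal addresses never need to be exposed.
        """
        if pkt.dst_ip != str(FIREWALL_PUBLIC_IP):
            return None
        entry = self._in.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None
        int_ip, int_port = entry
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, int_ip, int_port)
```

Two internal hosts using the same local port each get their own public port, so their replies cannot be confused; a reply to a port the firewall never allocated is refused.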

What a firewall cannot do to protect your network

While a firewall provides a tremendous amount of protection from certain kinds of attack, a firewall is only part of your total security solution. For instance, a firewall cannot necessarily protect data that you send over the Internet through applications such as SMTP mail, FTP, and TELNET. Unless you choose to encrypt this data, anyone on the Internet can access it as it travels to its destination.

Understanding Internet security issues

When connecting to an untrusted network, you must ensure that your security policy provides you with the best protection possible. A firewall certainly represents a large portion of your total security solution. However, because a firewall is only the first line of defense for your network, you must ensure that your security policy provides additional coverage.

To ensure that your firewall provides the protection that you need, review these security concepts:

v Trusted networks

v Security policies

v Security services

v Network security objectives

v Network security considerations

v Types of Internet attacks

v Firewall security principles

Figure 1. A firewall controls traffic between your secure network and the Internet

Trusted networks

Any network over which you have control of the security policies is a trusted network. In a trusted network, you (or your organization) can physically configure and audit the computers to ensure that your organization’s security policy is implemented and enforced.

Any network over which you do not have this level of control should be considered an untrusted network. You (or your organization) cannot verify the security practices of any other network. Therefore, you must assume that the other network is not secure and treat traffic from it accordingly. Otherwise, you add a level of risk to your own network operations. If someone compromises the other network’s security, your own network is vulnerable. You have no way of auditing that system to ensure its integrity. You also have no way of protecting yourself if someone on that system attempts to attack your network.

Understanding security policies

A security policy is a written document that defines the security controls that you institute for your computer systems. A security policy also describes the risks that you intend these controls to minimize. Additionally, a security policy defines what actions should be taken if someone breaches your security controls.

The most important rule that your security policy should express is: Anything that is not explicitly permitted should, by default, be denied. In other words, actions that you do not specifically allow should be automatically disallowed. This ensures that new types of attacks are unlikely to get past your defenses, even though you may have no knowledge of them and have nothing in your security controls to defend specifically against them.

A security policy contains such rules as who can have access to certain services or which services can be run from a given computer. The policy also contains information about what processes and controls you have instituted to enforce these rules. If you connect to the Internet, your security policy should stipulate that you install and use a firewall to control access to and from the Internet.

Once you create a security policy, you must ensure that it is put into effect. This may involve establishing more restrictive password rules, installing and running virus protection software, holding classes to educate users on security rules, and so on.

Security services

The National Institute of Standards and Technology (NIST) defines five major security services. While a firewall provides security for your network, a firewall does not generally provide coverage for all of these NIST security services. To completely protect your network, your security policy should address each of these as well:

Authentication

Assurance that the resource at the other end of the session is really what it claims to be.

Access control

Assurance that the resource requesting access to data or a service has authorization to access the requested data or service.

Integrity

Assurance that the information that arrives is the same as the information that was sent.

Confidentiality

Assurance that sensitive information is not visible to an eavesdropper.

(Encryption is the best way to ensure confidentiality.)

Nonrepudiation

Assurance that a transaction can be proven to have taken place; nonrepudiation is also called accountability.

Firewalls cannot provide all of these security services. Therefore, you should ensure that you have additional security functions to provide these security services for your network.

Network security objectives

Although the network security objectives that you develop depend on your particular situation, there are some general objectives you should consider:

v Protect your resources:

– Your Internet servers

– Your internal network, workstations, and systems

– Your data

– Your company image

v Provide your customers with safe Internet transactions. Ensure that the following conditions are in place:

– Communicating parties can identify each other (authentication).

– Unintended parties cannot read information exchanged between parties (confidentiality).

– Unauthorized parties cannot alter data (integrity).

– Participating parties cannot repudiate transactions (accountability).

Your security policy should describe how you will fulfill these objectives.

Network security considerations

Whenever you create a security policy, you must balance providing services against controlling access to functions and data. With networked computers, security is more difficult because the communication channel itself is open to attack. Although there are several types of Internet attacks, you can characterize such attacks in two ways:

Passive attacks

These attacks are difficult to detect and involve someone tapping or tracing communications. Sniffing is an example of a passive attack. You should assume that someone is eavesdropping on every communication that you send across the Internet or any other untrusted network.

Active attacks

These attacks involve someone trying to break into or take over your computer. Spoofing is an example of an active attack. You may be certain that no one has compromised your own machines. However, you cannot be certain about the machines at the other end of the connection.

Realistically, you must extend your circle of trust to some of those machines or not use the Internet at all.

It may seem that once you start thinking about computer security, you can reach a point where nothing seems safe anymore. Is this justifiable? After all, we do not (usually) worry about people tapping our telephone conversations or reading our mail. We happily send credit card numbers, private messages, gossip, and scandal when using those media. The difference with the Internet is that the carrier is not a regulated, well-defined entity. In fact, you have no idea through whose computers your message passes on the way to its destination.

Types of Internet attacks

There are several kinds of passive or active attacks of which you should be aware.

These are among the most common:

v Sniffing

v Internet Protocol (IP) spoofing

v Denial of service

Sniffing

Computer criminals (crackers) use a technique called sniffing to acquire information that they can use to break into your systems. Sniffing programs can "overhear" critical unencrypted data that passes over the Internet, such as user IDs and passwords. A cracker can take the captured information and use it to gain access to your network.

To protect your network from sniffing attacks, take these security measures:

v Use your firewall filtering rules to control which information (packets) comes into your network. The filter rules can check that packets from external hosts cannot pass through the firewall.

v Use a firewall to translate the internal host names and addresses of any outgoing traffic to the name and address of the firewall. This hides such critical information from outside users and sniffing programs.

v Educate your users about the risk of using their internal passwords and user IDs to access external hosts. If they do so, attackers could capture this information from the external hosts and use it if they successfully break into your system. State in your security policy that they must use different user IDs and passwords on external untrusted systems.

Internet Protocol (IP) spoofing

Generally, when you set up a network, you assume that you can trust any given host on that network. Consequently, a network host does not usually require authentication from other hosts on the same network that communicate with it.

When you eliminate authentication between hosts you provide easier and faster communications within the network. However, you should require authentication from hosts outside your network. You cannot assume that you can trust these hosts to be who they say they are.

In an Internet Protocol (IP) spoofing attack, an untrusted external host impersonates a trusted known host on your network. This impersonation allows the host to bypass your security controls to connect to your network. The impersonation is successful because the external host uses an IP address of a known host on your network. Because the external host uses an internal network address, other hosts on the network can communicate with it without requiring authentication.

To prevent IP spoofing, take these security measures:

v Avoid using IP addresses as a means of authenticating a source communication. This ensures that a "correct" IP address alone is not sufficient to gain access to your resources.

v Require a password or more secure authentication to access a host, regardless of the origin of the request for access.

v Use encrypted authentication methods.

v Use a firewall to ensure that the originator of a connection is not using IP source forwarding to impersonate another system. This helps ensure that a requesting host identity is authentic.

v Use your firewall to conceal all your internal network IP addresses from outsiders. Typically, a firewall uses a single IP address for all outbound transactions, regardless of the internal IP address of the user. The firewall routes the inbound traffic to the correct internal host.

The security measures that you use to defend against IP spoofing depend on several factors. These factors include your analysis of the risk your network faces from this type of attack, the amount of money you are willing to spend, and the amount of convenience you are willing to trade for better security.
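The filter-rule measure above (a packet carrying an internal address must not be accepted from the outside) is the firewall's own check against the spoofing just described: the firewall knows which address ranges belong behind each of its interfaces, so a source address that cannot legitimately arrive on the interface it came in on is dropped before any host gets the chance to trust it. The following is an added example written for this page, not IBM Firewall code; the interface names, address ranges and log lines are constructed.

```python
"""Anti-spoofing ingress check, added example (not IBM Firewall code).

The firewall records which networks are legitimately reachable through each
interface. A packet whose source address does not belong on the interface it
arrived on is dropped, so an outside host cannot borrow an inside address.
Topology and sample log lines are constructed for the example.
"""
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Dict, List, Tuple

# Constructed topology: networks that live behind each inside-facing interface.
INTERFACE_NETWORKS: Dict[str, List[IPv4Network]] = {
    "internal": [ip_network("10.0.0.0/8")],
    "dmz": [ip_network("172.16.0.0/24")],
}
# Every inside address: none of these may appear as a source on "external".
ALL_INSIDE = [net for nets in INTERFACE_NETWORKS.values() for net in nets]
# Sources that are never valid from the outside regardless of topology.
BOGON = [ip_network("127.0.0.0/8"), ip_network("0.0.0.0/8"), ip_network("224.0.0.0/4")]


def check_source(iface: str, src: str) -> Tuple[str, str]:
    """Return ('accept' | 'drop', reason) for a packet with source `src` seen on `iface`."""
    addr = ip_address(src)
    if iface == "external":
        # A packet from the untrusted side claiming an inside address is a spoof attempt.
        if any(addr in net for net in ALL_INSIDE):
            return "drop", "inside address arrived on external interface (spoofed source)"
        if any(addr in net for net in BOGON):
            return "drop", "non-routable source on external interface"
        return "accept", "external source on external interface"
    allowed = INTERFACE_NETWORKS.get(iface)
    if allowed is None:
        return "drop", f"unknown interface {iface}"
    # Inside interfaces should only ever carry their own networks as sources.
    if any(addr in net for net in allowed):
        return "accept", f"source belongs to {iface}"
    return "drop", f"source does not belong on {iface}"


def filter_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run check_source over constructed log lines of the form '<iface> <src> <dst>'."""
    results: List[Tuple[str, str, str]] = []
    for line in lines:
        iface, src, _dst = line.split()
        verdict, reason = check_source(iface, src)
        results.append((line, verdict, reason))
    return results


# Constructed sample: one genuine external client, one outsider using an inside address.
SAMPLE_LOG = [
    "external 203.0.113.5 198.51.100.1",
    "external 10.1.2.3 198.51.100.1",
    "internal 10.9.8.7 203.0.113.5",
    "internal 203.0.113.5 10.9.8.7",
]
```

The second and fourth sample lines are the spoofing cases: an inside address arriving from outside, and an outside address appearing on the inside interface. Both are dropped with a reason string that can be written to the firewall log, which is the monitoring signal the text asks you to watch for.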

Denial of service

A denial of service occurs when an attack brings down one or more hosts on your network such that they are unable to perform their functions properly. This type of attack can affect entire networks.

Although it is difficult to predict the form that a denial of service may take, the following examples illustrate how such an attack can affect your network:

v A rogue packet enters your network and interferes with normal operations because it cannot be processed appropriately.

v Traffic flooding (such as a large number of bogus mail messages) overtaxes your mail server’s processing capabilities, stopping further network traffic.

v A router is attacked and disabled, thereby partitioning your network.

v A virus is introduced that ties up significant amounts of processing resources.

v Devices, such as the firewall or a router, meant to protect the network are subverted.
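Flooding of the kind described above (a burst of connections that overtaxes a mail server) is one of the signs the earlier section says you must monitor for. The following is an added example written for this page, not IBM Firewall code: it counts connection attempts per source address within a sliding time window and flags a source the moment it exceeds a threshold. The log format, addresses, timestamps and threshold are constructed.

```python
"""Traffic-flood detection over connection log lines, added example.

Not IBM Firewall code. A sliding window per source address catches a burst of
connection attempts; the threshold and window are constructed values a site
would tune to its own normal traffic.
"""
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Set, Tuple

WINDOW_SECONDS = 60   # constructed: how far back we count attempts
THRESHOLD = 5         # constructed: attempts within the window before a source is flagged


def parse_line(line: str) -> Tuple[datetime, str, int]:
    """Constructed log format: '<ISO timestamp> <src_ip> <dst_port>'."""
    ts, src, port = line.split()
    return datetime.fromisoformat(ts), src, int(port)


def detect_floods(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (timestamp, src) for each source at the moment it first exceeds
    THRESHOLD attempts within WINDOW_SECONDS. Lines must be in time order."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    already: Set[str] = set()
    flagged: List[Tuple[str, str]] = []
    for line in lines:
        ts, src, _port = parse_line(line)
        window = recent[src]
        window.append(ts)
        # Forget attempts that have aged out of the window.
        while window and (ts - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        if len(window) > THRESHOLD and src not in already:
            already.add(src)
            flagged.append((ts.isoformat(), src))
    return flagged


# Constructed sample: one source hammers the mail port, another connects normally.
SAMPLE_LOG = [
    "2003-01-15T10:00:00 203.0.113.9 25",
    "2003-01-15T10:00:03 198.51.100.20 25",
    "2003-01-15T10:00:05 203.0.113.9 25",
    "2003-01-15T10:00:10 203.0.113.9 25",
    "2003-01-15T10:00:15 203.0.113.9 25",
    "2003-01-15T10:00:20 203.0.113.9 25",
    "2003-01-15T10:00:25 203.0.113.9 25",
    "2003-01-15T10:00:40 198.51.100.20 25",
    "2003-01-15T10:02:00 198.51.100.20 25",
]
```

Run over the sample, only 203.0.113.9 is reported, at its sixth attempt inside the window; the three attempts from 198.51.100.20 spread across two minutes never accumulate. Flagging a source once, rather than on every subsequent packet, keeps the alert useful during a sustained flood.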

Firewall security principles

You should follow these principles when you set up a firewall:

v Develop a written network security policy and follow it. The firewall can implement many aspects of your security policy and become a part of a network security solution.

v Make sure that the only connection to the Internet (or other untrusted network) is through the firewall. Be sure you include any dial-up connections. The firewall should provide a chokepoint, forcing all traffic to and from the Internet to flow through the firewall. Any traffic that bypasses the firewall increases the risks to your network substantially.

v Allow only those activities that you expressly permit. For example, permit only the TCP/IP services that you need (such as HTTP and e-mail) rather than permit all TCP/IP services. This limits the number of security exposures that you must monitor and take precautions against.

v Keep it simple. Configuration errors are a major source of security holes. The firewall should have limited security policy information to keep its configuration as simple as possible.

v Do not allow any direct TCP/IP connections between applications on internal systems and servers on the Internet (or other untrusted network). A direct connection allows the server to learn information about the client system. The server can try to trick the client into performing an inappropriate action by sending certain responses.

v Never trust information from untrusted systems. The routing table update that you receive from a neighboring router may redirect your network traffic to an unintended destination. Be aware that another system can impersonate a secure system. When attackers use this type of attack, they impersonate a trusted known host on your network. This impersonation, which is also called IP spoofing, allows the host to bypass your security controls to connect to your network.

While these principles are good in theory, as with all security policies, they should be tempered with reality. In some cases, such as when you use a production system to run a public Web server for e-commerce, you should place the public server behind the firewall to protect it and the data it contains. You can carefully open a hole in the firewall to allow any necessary traffic to flow between the Web server and the Internet.
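The rule list that "How a firewall works" asks for (each permitted service named with its direction and the machines that may originate it) and the "allow only what you expressly permit" principle above amount to one data structure and one lookup: a list of permitted services, and a match that denies anything the list does not cover. The following is an added example written for this page, not IBM Firewall code; the service names, networks and ports in the policy are constructed.

```python
"""Default-deny service policy, added example (not IBM Firewall code).

Each permitted service is recorded with its direction (inside->outside or
outside->inside), protocol, destination port and the networks allowed to
originate it. A connection matching no rule is denied, so a new service or a
new attack is refused without any rule having been written for it.
Service list, addresses and ports are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    service: str
    direction: str       # "outbound" (inside -> outside) or "inbound" (outside -> inside)
    proto: str
    dst_port: int
    sources: List[str]   # networks or single hosts permitted to originate the connection


@dataclass(frozen=True)
class Connection:
    direction: str
    proto: str
    src_ip: str
    dst_port: int


# Constructed policy: only the services the site actually needs are listed.
POLICY: List[Rule] = [
    Rule("http", "outbound", "tcp", 80, ["10.0.0.0/8"]),
    Rule("https", "outbound", "tcp", 443, ["10.0.0.0/8"]),
    # Only the internal mail relay may send mail out; workstations may not.
    Rule("smtp", "outbound", "tcp", 25, ["10.0.5.10/32"]),
    # Anyone on the Internet may deliver mail to the relay.
    Rule("smtp", "inbound", "tcp", 25, ["0.0.0.0/0"]),
]


def find_rule(conn: Connection, rules: List[Rule] = POLICY) -> Optional[Rule]:
    """Return the first rule that permits `conn`, or None (the default: deny)."""
    src = ip_address(conn.src_ip)
    for rule in rules:
        if (rule.direction != conn.direction
                or rule.proto != conn.proto
                or rule.dst_port != conn.dst_port):
            continue
        if any(src in ip_network(net) for net in rule.sources):
            return rule
    return None


def decide(conn: Connection, rules: List[Rule] = POLICY) -> str:
    """'permit:<service>' when a rule matches; otherwise 'deny', with no exceptions."""
    rule = find_rule(conn, rules)
    return f"permit:{rule.service}" if rule else "deny"
```

TELNET from a workstation is denied without a rule that mentions TELNET, which is the point of the default-deny principle; an attempt by a workstation to send mail directly, bypassing the relay, is denied because the source does not match even though the service itself is permitted for one host.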

Understanding TCP/IP, networking, and the Internet

The Internet uses TCP/IP as its only communications protocol. Therefore, if you connect to the Internet, you must use TCP/IP for your connection. To successfully work with TCP/IP, you must have a basic understanding of what TCP/IP is, how it works, and how it affects your network. For some basic background information

