

Firewall/VPN 5.0

StoneGate Reference Guide

IPS


Legal Information

End-User License Agreement

The use of the products described in these materials is subject to the then current end-user license agreement, which can be found at the Stonesoft website:

www.stonesoft.com/en/support/eula.html

Third Party Licenses

The StoneGate software includes several open source or third-party software packages. The appropriate software licensing information for those products is available at the Stonesoft website:

www.stonesoft.com/en/support/third_party_licenses.html

U.S. Government Acquisitions

If Licensee is acquiring the Software, including accompanying documentation on behalf of the U.S. Government, the following provisions apply. If the Software is supplied to the Department of Defense (“DoD”), the Software is subject to “Restricted Rights”, as that term is defined in the DOD Supplement to the Federal Acquisition Regulations (“DFAR”) in paragraph 252.227-7013(c) (1). If the Software is supplied to any unit or agency of the United States Government other than DOD, the Government’s rights in the Software will be as defined in paragraph 52.227-19(c) (2) of the Federal Acquisition Regulations (“FAR”). Use, duplication, reproduction or disclosure by the Government is subject to such restrictions or successor provisions.

Product Export Restrictions

The products described in this document are subject to export control under the laws of Finland and the European Council Regulation (EC) N:o 1334/2000 of 22 June 2000 setting up a Community regime for the control of exports of dual-use items and technology (as amended). Thus, the export of this Stonesoft software in any manner is restricted and requires a license by the relevant authorities.

General Terms and Conditions of Support and Maintenance Services

The support and maintenance services for the products described in these materials are provided pursuant to the general terms for support and maintenance services and the related service description, which can be found at the Stonesoft website:

www.stonesoft.com/en/support/view_support_offering/terms/

Replacement Service

The instructions for replacement service can be found at the Stonesoft website:

www.stonesoft.com/en/support/view_support_offering/return_material_authorization/

Hardware Warranty

The appliances described in these materials have a limited hardware warranty. The terms of the hardware warranty can be found at the Stonesoft website:

www.stonesoft.com/en/support/view_support_offering/warranty_service/

Trademarks and Patents

The products described in these materials are protected by one or more of the following European and US patents: European Patent Nos. 1065844, 1189410, 1231538, 1259028, 1271283, 1289183, 1289202, 1304849, 1313290, 1326393, 1379046, 1330095, 131711, 1317937 and 1443729 and US Patent Nos. 6,650,621; 6,856,621; 6,885,633; 6,912,200; 6,996,573; 7,099,284; 7,127,739; 7,130,266; 7,130,305; 7,146,421; 7,162,737; 7,234,166; 7,260,843; 7,280,540; 7,302,480; 7,386,525; 7,406,534; and 7,461,401 and may be protected by other EU, US, or other patents, or pending applications. Stonesoft, the Stonesoft logo and StoneGate are all trademarks or registered trademarks of Stonesoft Corporation. All other trademarks or registered trademarks are property of their respective owners.

Disclaimer

Although every precaution has been taken to prepare these materials, THESE MATERIALS ARE PROVIDED "AS-IS" and Stonesoft makes no warranty to the correctness of information and assumes no responsibility for errors, omissions, or resulting damages from the use of the information contained herein. All IP addresses in these materials were chosen at random and are used for illustrative purposes only. Copyright © 2009 Stonesoft Corporation. All rights reserved. All specifications are subject to change.


Table of Contents

INTRODUCTION

CHAPTER 1 Using StoneGate Documentation 13
  How to Use This Guide 14
  Typographical Conventions 14
  Documentation Available 15
  Product Documentation 15
  Support Documentation 16
  System Requirements 16
  Contact Information 16
  Licensing Issues 16
  Technical Support 16
  Your Comments 16
  Other Queries 16

CHAPTER 2 What’s New? 17
  New Features in Firewall/VPN 5.0 18
  Changes in Documentation 20

CHAPTER 3 General Firewall Principles 21
  The Role of the Firewall 22
  Hazards of Networking 22
  The Firewall as Protection 22
  Example Solution 24
  Firewall Technologies 24
  Packet Filters 25
  Proxy Firewalls 26
  Stateful Inspection 27
  StoneGate and Multi-Layer Inspection 28
  Firewall Functions 29
  Access Control 29
  Monitoring and Logging 29
  Network Address Translation (NAT) 30
  Authentication 30
  Virtual Private Networks (VPN) 30
  Secure Socket Layer Virtual Private Networks (SSL VPN) 31
  Content Screening and Unified Threat Management 31
  Requirements for Modern Firewalls 32
  High Availability 32
  Scalability 33
  High Throughput 33
  Centralized Management 34
  Firewall Weaknesses 34
  Lack of Administration 34
  Internal Attacks 35

CHAPTER 4 Introduction to StoneGate Firewall/VPN 37
  The StoneGate Security Platform 38
  StoneGate Firewall/VPN System Components 39
  Firewall/VPN Engines 40
  SOHO Firewall Engines 40
  Main Benefits of StoneGate Firewall/VPN 41
  Advanced Traffic Inspection 41
  Built-in Clustering for Load Balancing and High Availability 41
  Multi-Link Technology 42
  Built-in Inbound Traffic Management 43
  QoS and Bandwidth Management 43
  Integration with StoneGate IPS 43
  Clustered Multi-Link VPNs 43

CHAPTER 5 StoneGate Firewall/VPN Deployment 45
  Deployment Overview 46
  Supported Platforms 46
  General Deployment Guidelines 46
  Positioning Firewalls 47
  External to Internal Network Boundary 48
  Internal Network Boundaries 49
  DMZ Network Boundaries 50
  Positioning Management Center Components 51

INTERFACES AND ROUTING

CHAPTER 6 SOHO Firewall Configuration 55
  Overview to SOHO Firewall Configuration 56
  Configuration of SOHO Firewalls 56
  Default Elements 57
  Configuration Workflow 57
  Task 1: Create SOHO Firewall Element(s) 57
  Task 2: Select the Interface Types 58
  Task 3: Define the Interface Settings 58
  Task 4: Define General Wireless Channel Settings 58
  Task 5: Configure the Main Site Firewall 58
  Task 7: Install the SOHO Firewall Appliance 59
  Using a SOHO Firewall 59
  Example of a SOHO Firewall Deployment 61

CHAPTER 7 Single Firewall Configuration 63
  Overview to Single Firewall Configuration 64
  Configuration of Single Firewalls 64
  Dynamic Firewall Interface Addresses 64
  Internal DHCP Server 65
  Configuration Workflow 65
  Task 1: Create a Single Firewall Element 65
  Task 2: Define Physical Interfaces 65
  Task 3: Define VLAN Interfaces 65
  Task 4: Define IP Addresses 66
  Task 5: Install the Firewall Engine 66
  Task 6: Install a Firewall Policy 66
  Example of a Single Firewall Deployment 67
  Setting up a Single Firewall 67
  Adding a New Interface to an Existing Configuration 68

CHAPTER 8 Firewall Cluster Configuration 69
  Overview to Firewall Cluster Configuration 70
  Benefits of Clustering 70
  Communication Between the Nodes 70
  Hardware 71
  Configuration of Firewall Clusters 72
  Load Balancing 72
  Standby Operation 72
  Network Interfaces 72
  Clustering Modes 74
  Configuration Workflow 76
  Task 1: Create a Firewall Cluster Element 76
  Task 2: Create Physical Interfaces 76
  Task 2: Define VLAN Interfaces 77
  Task 3: Configure Interfaces 77
  Task 4: Install the Firewall Engines 78
  Task 5: Install a Firewall Policy 78
  Using a Firewall Cluster 79
  Tuning Node Synchronization 79
  Security Level for State Synchronization 80
  Manual Load Balancing 80
  Examples of Firewall Cluster Deployment 81
  Setting up a Firewall Cluster 81
  Adding a Node to a Firewall Cluster 83

CHAPTER 9 Routing and Antispoofing 85
  Overview to Routing and Antispoofing 86
  Configuration of Routing and Antispoofing 86
  Routing on Single and Clustered Firewalls 86
  Routing on SOHO Firewalls 87
  Reading the Routing and Antispoofing Trees 87
  Multi-Link Routing for Single and Clustered Firewalls 89
  Default Elements 90
  Configuration Workflow 90
  Task 1: Add Router or NetLink 90
  Task 2: Add Network(s) 90
  Task 3: Modify Antispoofing Rules 90
  Task 4: Refresh Firewall Policy 91
  Using Routing and Antispoofing 91
  Policy Routing 91
  Static IP Multicast Routing 91
  Modifying Antispoofing 92
  Examples of Routing 92
  Routing Traffic with Two Interfaces 92
  Routing Internet Traffic with Multi-Link 92
  Routing Traffic to Networks That Use Same Address Space 93

ACCESS CONTROL POLICIES

CHAPTER 10 Firewall Policies 97
  Overview to Firewall Policies 98
  Policy Hierarchy 98
  How StoneGate Examines the Packets 98
  Configuration of Policy Elements 101
  Default Elements 102
  Configuration Workflow 103
  Task 1: Create a Firewall Template Policy 103
  Task 2: Create a Firewall Policy 104
  Task 3: Create a Firewall Sub-Policy 104
  Task 4: Add Rules 105
  Task 5: Validate the Policy 105
  Task 6: Install the Policy 106
  Using Policy Elements and Rules 107
  Connection Tracking vs. Connectionless Packet Inspection 107
  Policy Snapshots 110
  Rule Counter Analysis 110
  Continue Rules 110
  Adding Comments to Rules 110
  Examples of Policy Element Use 111
  Protecting Essential Communications 111
  Improving Readability and Performance 112
  Restricting Administrator Editing Rights 112

CHAPTER 11 Access Rules 115
  Overview to Access Rules 116
  Configuration of Access Rules 117
  Considerations for Designing Access Rules 119
  Default Elements 120
  Configuration Workflow 121
  Task 1: Define the Source and Destination 121
  Task 2: Define the Service 121
  Task 3: Select the Action 122
  Task 4: Select Rule Options 123
  Task 5: Add User Authentication 124
  Task 6: Restrict the Time When the Rule Is Enforced 125
  Task 7: Restrict the Rule Match Based on Source VPN 125
  Using Access Rules 126
  Allowing System Communications 126
  Configuring Default Settings for Several Rules 126
  Using Continue Rules to Set Logging Options 127
  Using Continue Rules with Protocol Agents 128
  Using Aliases in Access Rules 128
  Examples of Access Rules 129
  Example of Rule Order 129
  Example of Continue Rules 130

CHAPTER 12 Inspection Rules 133
  Overview to Inspection Rules 134
  Configuration of Inspection Rules 135
  Considerations for Designing Inspection Rules 137
  Default Elements 138
  Configuration Workflow 139
  Task 1: Add Situations 139
  Task 2: Limit the Situations by Severity 139
  Task 3: Define the Source and Destination 140
  Task 4: Define the Protocol 140
  Task 5: Select the Action 140
  Task 6: Set the Options for the Rule 140
  Task 7: Restrict the Time When the Rule is Enforced 142
  Using Inspection Rules 142
  Setting Default Options for Several Inspection Rules 142
  Example of Inspection Rules 143
  Eliminating a False Positive 143

CHAPTER 13 Network Address Translation (NAT) Rules 145
  Overview to NAT 146
  Static Source Translation 147
  Dynamic Source Translation 147
  Static Destination Translation 148
  Destination Port Translation 149
  Configuration of NAT 149
  Considerations for Designing NAT Rules 151
  Default Elements 151
  Configuration Workflow 152
  Task 1: Define Source, Destination, and Service 152
  Task 2: Define Address Translation 152
  Task 3: Define the Firewall(s) that Apply the Rule 152
  Task 4: Check Other Configurations 152
  Using NAT and NAT Rules 153
  NAT and System Communications 153
  Example of a Situation Where a Contact Address is Needed 154
  Contact Addresses and Locations 155
  Outbound Load Balancing NAT 155
  Proxy ARP and NAT 156
  Protocol Agents and NAT 156
  Examples of NAT 156
  Dynamic Source Address Translation Example 156
  Static Address Translation Example 157
  NAT with Hosts in the Same Network 158

CHAPTER 14 Protocol Agents 161
  Overview to Protocol Agents 162
  Connection Handling 162
  Protocol Validation 163
  NAT in Application Data 163
  Configuration of Protocol Agents 163
  Configuration Workflow 164
  Task 1: Create a Custom Service with a Protocol Agent 164
  Task 2: Set Parameters for the Protocol Agent 164
  Task 3: Insert the Service in Access Rules 164
  Using Protocol Agents 165
  FTP Agent 165
  H.323 Agent 166
  HTTP Agents 167
  HTTPS Agent 168
  ICMP Agent 168
  MSRPC Agent 168
  NetBIOS Agent 169
  Oracle Agent 169
  Remote Shell (RSH) Agent 170
  Services in Firewall Agent 171
  SIP Agent 171
  SMTP Agent 172
  SSH Agent 172
  SunRPC Agent 173
  TCP Proxy Agent 173
  TFTP Agent 174
  Examples of Protocol Agent Use 175
  Preventing Active Mode FTP 175
  Logging URLs Accessed by Internal Users 175

CHAPTER 15 User Authentication 177
  Overview to User Authentication 178
  Configuration of User Authentication 179
  User Databases 180
  Authentication Services 182
  RADIUS Authentication 182
  TACACS+ Authentication 182
  Default Elements 183
  Configuration Workflow 183
  Task 1: Create an External Authentication Server Element 183
  Task 2: Create an LDAP Server Element 184
  Task 3: Create an Authentication Service Element 184
  Task 4: Add an LDAP Domain 184
  Task 5: Add Users and User Groups 185
  Task 6: Define User Authentication in Access Rules 185
  Using the Internal Database for Authenticating Users 186
  Using StoneGate with a Microsoft Active Directory Server 187
  Using SecurID Authentication with StoneGate VPN Clients 188

CHAPTER 16 HTTPS Inspection 191
  Overview to HTTPS Inspection 192
  Configuration of HTTPS Inspection 193
  Default Elements 193
  Configuration Workflow 194
  Task 1: Create Server Protection Credentials Elements 194
  Task 2: Create Client Protection Certificate Authority Elements 194
  Task 3: Specify HTTPS Inspection Options in the Firewall Properties 194
  Task 4: Create an HTTPS Inspection Exceptions Element 194
  Task 5: Create a Custom HTTPS Service 194
  Task 6: Create an Access Rule 195
  Using HTTPS Inspection 195
  Security Considerations 195
  Virus Scanning of Decrypted HTTPS Traffic 195
  Examples of HTTPS Inspection 195
  Server Protection 195
  Client Protection 196

CHAPTER 17 Virus Scanning 197
  Overview to Virus Scanning 198
  Configuration of Virus Scanning 198
  Configuration Workflow 198
  Task 1: Activate the Anti-Virus Feature for a Firewall 198
  Task 2: Select Traffic for Inspection with Access Rules 198
  Task 3: Define the Content Not to Be Scanned 199
  Using Virus Scanning 199
  Integrated Scanning vs. Content Inspection Server 199
  Limitations of Virus Scanning on Clusters 199

CHAPTER 18 External Content Inspection 201
  Overview to Content Inspection 202
  Configuration of Content Inspection 203
  Default Elements 204
  Configuration Workflow 204
  Task 1: Create a CIS Server Element 204
  Task 2: Create a Custom Service for Content Inspection Server Redirection 204
  Task 3: Define Access Rules for Redirection 204
  Task 4: Configure NAT Rules for Content Inspection Server Redirection 205
  Using Content Inspection 205
  Example of Content Inspection 206
  Inspecting Internal User’s Web Browsing and File Transfers 206

CHAPTER 19 Situations 209
  Overview to Situations 210
  Configuration of Situations 210
  Situation Contexts 211
  Anti-Virus Contexts 211
  Protocol-Specific Contexts 211
  System Contexts 212
  Default Elements 212
  Configuration Workflow 212
  Task 1: Create a Situation Element 212
  Task 2: Add a Context for the Situation 213
  Task 3: Associate Tags with the Situation 213
  Task 4: Associate the Situation with a Vulnerability 213
  Using Situations 214
  Example of Custom Situations 214
  Detecting the Use of Forbidden Software 214

CHAPTER 20 Blacklisting 215
  Overview to Blacklisting 216
  Risks of Blacklisting 216
  Whitelisting 216
  Configuration of Blacklisting 217
  Configuration Workflow 218
  Task 1: Define Blacklisting in Access Rules 218
  Task 2: Define Firewall or Analyzer-to-Sensor Connections 218
  Task 3: Define Inspection Rules in the IPS Policy 218
  Using Blacklisting 219
  Automatic Blacklisting 219
  Monitoring Blacklisting 219
  Examples of Blacklisting 220
  Blacklisting Traffic from a Specific IP Address Manually 220
  Automatic Blacklisting with IPS 220

TRAFFIC MANAGEMENT

CHAPTER 21 Outbound Traffic Management 223
  Overview to Outbound Traffic Management 224
  Configuration of Multi-Link 224
  Load Balancing 225
  Standby NetLinks for High Availability 225
  NetLink Monitoring 226
  Configuration Workflow 226
  Task 1: Create NetLink Elements 226
  Task 2: Configure Routing for NetLinks 227
  Task 3: Combine NetLinks into Outbound Multi-Link Elements 227
  Task 4: Create Access Rules to Apply QoS Class 227
  Task 4: Create NAT Rules for Outbound Traffic 227
  Using Multi-Link 228
  Multi-Link with a Single Firewall 228
  Multi-Link with a Firewall Cluster 229
  Using Multiple Outbound Multi-Link elements 229
  Examples of Multi-Link 230
  Preparing for ISP Breakdown 230
  Excluding a NetLink from Handling a QoS Class of Traffic 230
  Balancing Traffic According to Link Capacity 231
  Balancing Traffic between Internet Connections 231

CHAPTER 22 Inbound Traffic Management 233
  Overview to Server Pool Configuration 234
  Configuration of Server Pools 234
  Multi-Link for Server Pools 235
  Default Elements 236
  Configuration Workflow 236
  Task 1: Define Hosts 236
  Task 2: Combine Hosts into a Server Pool Element 236
  Task 3: Configure the External DNS Server 237
  Task 4: Create an Inbound Load Balancing Rule 237
  Task 5: Set up Server Pool Monitoring Agents 237
  Using Server Pools 238
  Dynamic DNS (DDNS) Updates 238
  Using Server Pool Monitoring Agents 238
  Examples of Server Pools 241
  Load Balancing for Web Servers 241
  Setting up Multi-Link and Dynamic DNS Updates 241

CHAPTER 23 Bandwidth Management And Traffic Prioritization 243
  Overview to Bandwidth Management and Traffic Prioritization 244
  Bandwidth Management 244
  Traffic Prioritization 244
  Effects of Bandwidth Management and Prioritization 245
  Configuration of Limits, Guarantees, and Priorities for Traffic 245
  Default Elements 246
  Configuration Workflow 247
  Task 1: Define QoS Classes 247
  Task 2: Define QoS Policies 247
  Task 3: Assign QoS Classes to Traffic 248
  Task 4: Define QoS for Firewall Interfaces 249
  Using Bandwidth Management and Traffic Prioritization 249
  Implementation Options 250
  Designing QoS Policies 250
  Communicating Priorities with DSCP Codes 251
  Managing Bandwidth of Incoming Traffic 252
  Examples of Bandwidth Management and Traffic Prioritization 253
  Ensuring Quality of Important Communications 253
  Preparing for ISP Breakdown 254
  Limiting the Total Bandwidth Required 255

VIRTUAL PRIVATE NETWORKS

CHAPTER 24 Overview to VPNs 259
  Introduction to VPNs 260
  IPsec VPNs 261
  Tunnels 261
  Security Associations (SA) 261
  Internet Key Exchange (IKE) 262
  Perfect Forward Secrecy (PFS) 262
  AH and ESP 263
  Authentication 263
  Tunnel and Transport Modes 264
  VPN Topologies 264

CHAPTER 25 VPN Configuration 267
  Overview to VPN Configuration 268
  Configuration of VPNs 268
  Default Elements 270
  Configuration Workflow 270
  Task 1: Define the Gateway Settings 270
  Task 2: Define the Gateway Profile 271
  Task 3: Define the Gateways 271
  Task 4: Define the Sites 271
  Task 5: Create Certificates 272
  Task 6: Define the VPN Profile 272
  Task 7: Define the VPN Element 273
  Task 8: Modify the Firewall Policy 274
  Task 9: Configure VPN Clients and External Gateway Devices 275
  Using VPNs 275
  VPN Logging 275
  Using a Dynamic IP Address for a VPN Endpoint 276
  Using a NAT Address for a VPN Endpoint 276
  Supported Authentication and Encryption Methods 277
  FIPS Mode 277
  GOST-Compliant Systems 277
  Message Digest Algorithms 277
  Authentication Methods 278
  Encryption Algorithms 279
  Using Pre-Shared Key Authentication 280
  Using Certificate Authentication 281
  Validity of Certificates 282
  The Internal Certificate Authority 282
  External Certificate Authorities 282
  Configuring VPNs with External Gateway Devices 283
  Clustering and VPNs 284
  Multi-Link VPN 284
  Examples of VPN Configurations 286
  Creating a VPN Between Three Offices 286
  Creating a VPN for Mobile Users 287
  Creating a VPN That Requires NAT 289

APPENDICES

APPENDIX A Default Communication Ports 293
APPENDIX B Command Line Tools 301
APPENDIX C Predefined Aliases 321
APPENDIX D Regular Expression Syntax 325
APPENDIX E Schema Updates for External LDAP Servers 337
APPENDIX F SNMP Traps and MIBs 339
APPENDIX G Guidelines for Building Network Security 353
APPENDIX H Multicasting 361

Glossary 369


CHAPTER 1

Using StoneGate Documentation

Welcome to the StoneGate™ High Availability Firewall/VPN solution by Stonesoft Corporation. This chapter describes how to use this Guide and related documentation. It also provides directions for obtaining technical support and giving feedback about the documentation.

The following sections are included:

How to Use This Guide, on page 14

Documentation Available, on page 15


How to Use This Guide

This StoneGate Reference Guide provides information that helps administrators of StoneGate installations to understand the system and its features. It provides descriptions of all the configuration tools and gives examples on what you can do with the system.

This guide is divided into several sections. The chapters in the first section provide a general introduction to StoneGate and firewalls. The sections that follow each include the chapters related to one feature area. The last section provides detailed reference information in tabular form, and some guideline information.

For other available documentation, see Documentation Available, on page 15.

Typographical Conventions

The following typographical conventions are used throughout the guide:

TABLE 1.1 Typographical Conventions

Formatting            Informative Uses
Normal text           This is normal text.
User Interface text   Text you see in the User Interface (buttons, menus, etc.) and any other interaction with the user interface are in bold-face.
References, terms     Cross-references and first use of acronyms and terms are in italics.
Command line          File names, directories, and text displayed on the screen are monospaced.
User input            User input on screen is in monospaced bold-face.
Command parameters    Command parameter names are in monospaced italics.

We use the following ways to indicate important or additional information:

Note – Notes provide important information that prevents mistakes or helps you complete a task.

Caution – Cautions provide critical information that you must take into account to prevent breaches of security, information loss, or system downtime.

Tip: Tips provide information that is not crucial, but may still be helpful.


Documentation Available

StoneGate technical documentation is divided into two main categories: Guide Books and Support Documentation. StoneGate Firewall/VPN and StoneGate IPS have their separate sets of manuals, despite the fact that they are managed through the same user interface. Only the Administrator’s Guide and the Online Help system cover both the Firewall/VPN and IPS products.

Product Documentation

The table below lists the available guides. PDF versions of these guides are available on the Management Center CD-ROM and at http://www.stonesoft.com/support/.

TABLE 1.2 Product Documentation

Guide                          Description
Reference Guide                Explains the operation and features of StoneGate comprehensively. Demonstrates the general workflow and provides example scenarios for each feature area. Available for StoneGate Management Center, Firewall/VPN, and StoneGate IPS.
Installation Guide             Instructions for planning, installing, and upgrading a StoneGate system. Available for StoneGate Management Center, Firewall/VPN, IPS, and SOHO firewall products.
Online Help                    Detailed instructions for configuration and use. Accessible through the Help menu and by using the Help button or the F1 key in any window or dialog. Available in the StoneGate Management Client and the StoneGate Web Portal. An HTML-based system is available in the StoneGate SSL VPN Administrator through help links and icons.
Administrator’s Guide          Describes how to configure and manage the system step-by-step. Available as a combined guide for both StoneGate Firewall/VPN and StoneGate IPS, and as separate guides for StoneGate SSL VPN and StoneGate IPsec VPN Client.
User’s Guide                   Instructions for end-users. Available for the StoneGate IPsec VPN client and the StoneGate Web Portal.
Appliance Installation Guide   Instructions for physically installing and maintaining StoneGate appliances (rack mounting, cabling etc.). Available for all StoneGate hardware appliances.


Support Documentation

The StoneGate support documentation provides additional and late-breaking technical information. These technical documents support the StoneGate Guide books, for example, by giving further examples on specific configuration scenarios.

The latest StoneGate technical documentation is available on the Stonesoft website at http://www.stonesoft.com/support/.

System Requirements

The system requirements for running StoneGate, including the approved network interfaces, supported operating systems, and other such hardware and software requirements for StoneGate engines and the Management Center can be found at http://www.stonesoft.com/en/products_and_solutions/products/fw/Certified_Servers/ (see the technical requirements section at the bottom of the page). The hardware and software requirements for the version of StoneGate you are running can also be found in the Release Notes included on the Management Center CD-ROM and on the software download page at the Stonesoft website.

Contact Information

For street addresses, phone numbers, and general information about StoneGate and Stonesoft Corporation, visit our website at http://www.stonesoft.com/.

Licensing Issues

You can view your current licenses at the License Center section of the Stonesoft website at https://my.stonesoft.com/managelicense.do.

For license-related queries, e-mail [email protected].

Technical Support

Stonesoft offers global technical support services for Stonesoft’s product families. For more information on technical support, visit the Support section at the Stonesoft website at http://www.stonesoft.com/support/.

Your Comments

We want to make our products fulfill your needs as well as possible. We are always pleased to receive any suggestions you may have for improvements.

• To comment on software and hardware products, e-mail [email protected].

• To comment on the documentation, e-mail [email protected].

Other Queries


CHAPTER 2

What’s New?

This section lists major changes since the previous release. Most new or reworked features in the software are listed here. Changes that do not significantly affect the way StoneGate is configured are not listed. For a full list of changes in the software, consult the Release Notes.

The following sections are included:

New Features in Firewall/VPN 5.0, on page 18


New Features in Firewall/VPN 5.0

Changes in Supported VPN Settings

Support for CAST-128 and Twofish settings has been removed. If your VPNs are using either of these two settings, reconfigure the VPNs before you upgrade the firewall/VPN engines to the new version. Support for the SHA-256, AES-GCM, and Deflate settings has been added.*

Attention → This may change your configuration

* The Russian product version has no strong encryption algorithms.

Client Security Check for StoneGate VPN Clients

The IPsec VPN clients version 5.0 and higher can perform a local security check based on the status of basic security software (as reported by Windows). The VPN client stops the user from opening a VPN connection if basic security requirements are not met on the client computer. The checks are activated by the Gateway.

• For more details, see the Administrator’s Guide or the Online Help of the Management Client.

Command Line Tool for Resetting VPNs

The new sg-ipsec tool available on the engine command line can be used for resetting VPN tunnels.

• For more details, see Command Line Tools, on page 127.

Connection Tracking Configuration Improved

There are now more options for adjusting the connection tracking on a rule-by-rule basis. Access rules can now be set to enforce one of several connection tracking modes that require varying degrees of adherence to network protocol standards. This may allow handling more types of problematic connections statefully and, on the other hand, may help you in imposing stricter controls on traffic that follows standards well.

• For more details, see Connection Tracking vs. Connectionless Packet Inspection, on page 107.

End-User Notifications

You can set up different ways to notify users when their HTTP or HTTPS connections match an Inspection rule that stops the user’s connection attempt. For example, you can display a message in the user’s browser as a response when the user tries to open an HTTP URL that you have banned. Note that this feature is not available in firewall Access rules at this time.

• For more details, see Administrator’s Guide or the Online Help of the Management Client.

Full VPN Hub Support

You can now forward connections from any type of VPN tunnel to another VPN tunnel. This allows setting up a hub gateway that forwards connections between different sites, allowing centralized inspection and reducing the number of tunnels required at the spoke gateways that connect to each other through the hub compared to connecting directly. This feature requires SMC version 5.0.1 or higher.

• For more details, see Administrator’s Guide or the Online Help of the Management Client.

HTTPS Traffic Inspection

The engines can now decrypt HTTPS traffic for inspection. This allows deep packet inspection and other checks for HTTPS traffic as if it were plaintext HTTP traffic. However, decrypted connections cannot be redirected to external content inspection servers (even after re-encryption).

• For more details, see HTTPS Inspection, on page 191.

Log Entry Compression

To prevent overloading the network and the system components with a flood of log entries, excessive (system-generated) antispoofing and (user-configurable) discard events can be automatically compressed by the engine. You can activate this feature globally and on the level of individual physical interfaces. After upgrading, compression for antispoofing entries is activated on all interfaces. Compression for discard entries is always enabled manually.

Attention → This may change your configuration

• For more details, see Administrator’s Guide or the Online Help of the Management Client.

Rule Hit Counters

Firewall Access rules now count how many times each rule has matched. You can view the hits as a field in the Access rule table in the policies. Rule hit counters allow you to optimize your policies and eliminate rules that are not needed anymore.

• For more details, see Rule Counter Analysis, on page 110.

SYN Flood Protection

The firewalls can now protect your networks from SYN flood attacks, ensuring the continuity of services even in high-bandwidth environments. You can activate this feature globally and on the level of individual physical interfaces. The SYN flood protection is disabled by default.

• For more details, see Administrator’s Guide or the Online Help of the Management Client.

VPN Client 2.x Versions no Longer Supported

Legacy VPN Clients (version 2.6 or older) are no longer supported by this engine version. Users must upgrade their StoneGate VPN clients (or install a third party general-use IPsec VPN client) to connect to Firewall/VPN engines version 5.0.

Attention → This may change your configuration


Wireless-Only Interfaces on SOHO Firewalls

The SOHO Firewall Properties now allow you to activate wireless Guest or Corporate networking without allocating a physical interface for the same type of access.

Changes in Documentation

What do you think of these changes? E-mail [email protected] to let us know.

More Product-Specific Reference Guides

The background information for understanding the StoneGate Management Center, Firewall/VPN, and IPS products is now covered in the following books:

• Management Center Reference Guide.

• Firewall/VPN Reference Guide.

• IPS Reference Guide.

The Firewall/VPN and the IPS Reference Guides no longer contain Management Center -specific information.


CHAPTER 3

General Firewall Principles

This chapter introduces and discusses the underlying security principles of firewalls in general. In this chapter we will discuss what firewalls are, which different types of firewalls there are, how they are used, what they are capable of, as well as what their possible weaknesses are.

The following sections are included:

The Role of the Firewall, on page 22

Firewall Technologies, on page 24

Firewall Functions, on page 29

Requirements for Modern Firewalls, on page 32


The Role of the Firewall

It is difficult to give an all-inclusive, yet simple definition of a firewall, but here we shall present some outlines that help form a picture of the features and functions firewalls have. First, we’ll take a look at which types of threats—in addition to the opportunities—the modern network environment contains, and how firewalls can respond to these concerns.

Hazards of Networking

The Internet can be seen today both as an opportunity and a threat. Today, as corporations are more and more dependent on their Internet connections, they are also becoming more and more frequently attacked from the outside through those very connections, whether by adventurous hackers or professional information thieves. In general, it could be said that there is no rhyme or reason to network attacks, and no network is small enough to be safe. Any system can become the target of an attacker, and no matter what the motives for the attack are, the consequences can be severe. Attackers may grab data to sell as mailing lists, to use for credit or financial access, to add to corporate profiles, or to cripple competitors. They may take over computing resources and use them for their financial gain. They may also destroy data for many reasons, including vindictiveness, an urge to show off, or even just boredom.

In addition to such external attacks, internal network attacks are also a serious issue. Although firewalls can limit access between any separate networks, it is beyond the scope of firewalls to give protection against attacks by authorized persons located within the protected network. Other aspects of the corporate security policy must cover that type of risk.

You do not want unauthorized parties to get their hands on confidential data. You also want to ensure that information remains intact, so that no one can alter crucial data unnoticed. And of course, you want your data and resources to be available whenever needed. These three parameters—confidentiality, integrity, and availability—are the main goals of any credible security policy. Firewalls can help to achieve these objectives in the network environment by blocking unauthorized persons from having access to sensitive data, computer memory and processing power.

The Firewall as Protection

The advantages of the Internet in communication and business cannot be attained without proper protection from hostile attackers and without confidence that private information remains private. Firewalls are a cornerstone in the defense strategy that aims at eliminating the misuse of confidential data and resources by any unauthorized parties. A firewall is just one, albeit important, element in the overall corporate security policy.

Firewalls regulate communication on data networks; or more precisely, between networks with different security levels. Their main purpose is to control the traffic that passes through from one network to another, and deny access to network resources from undesired or potentially harmful packets and connections—as far as they are distinguishable from allowed traffic. Although an advanced firewall can do much more than filter packets based on sources and destinations, some threats are most efficiently tackled by complementing the firewall with intrusion detection or intrusion prevention systems (IDS/IPS), content inspection servers (CIS), and anti-virus gateways.

The principle of access control is ideally expressed as whatever is not expressly permitted is denied. By default, nobody and nothing must be permitted entry to the protected network. That means that in order for any traffic to be allowed into the network, it must first satisfy a specifically designed rule that permits limited access. Typically, internal network clients are granted a more unrestricted access to external networks, but outbound connections must also be controlled.

Some advantages that firewalls can provide include:

• Firewalls can protect the corporate intranet from undesired traffic, including everything from malicious attackers to unsolicited e-mail (spam), on the basis of the corporate security policy implemented by the network administrators.

• Firewalls can secure sensitive corporate information and resources within a local area network (LAN). This insulates departments such as Research & Development, or Human Resources from other company departments, limiting the access within any one area to authorized users only.

• Firewalls can concentrate network security policies at a single point, a “choke point”. When policies or administrators change, the instructions, configurations, and passwords need only be changed in one place. One must, however, ensure that the firewall doesn’t turn out to be a single point of failure.

Firewalls can also be used for other purposes, such as monitoring network traffic and the use of network resources, authenticating users, managing network bandwidth and implementing virtual private networks (VPN). These functions will be covered in more detail in section Firewall Functions, on page 29 and in subsequent chapters.

The firewall offers a reasonable amount of protection against Internet intruders, on the condition that the security policies enforced by the firewalls are carefully designed, and there are no loopholes or back doors. Firewalls can only control traffic that actually passes through them; even the most carefully planned firewall system is undermined by a single back door—say, a modem connection from the intranet to the Internet—that allows traffic to circumvent the firewall. See Appendix G, Guidelines for Building Network Security for background information on designing network security.


Example Solution

Figure 3.1 illustrates an example scenario where the demilitarized zone (DMZ) contains a publicly available pool of servers protected by a firewall. Other firewalls guard particularly sensitive networks within the company intranet, such as those of the Research and Development, Human Resources, and Accounting departments. This multi-layer protection is called defense in depth.

Illustration 3.1 An Example Firewall Deployment in a Corporate Network

This type of solution means there is no direct access from the Internet into the internal network. Anyone trying to access internal resources from the Internet would have to pass through at least one firewall. For example, a company mail server can be located on the firewall-protected DMZ, allowing SMTP-based traffic to that machine but not to the protected intranet.

Firewall Technologies

On the firewall market there is a wide range of both software-based and hardware-based firewall solutions from lightweight, personal firewalls to scalable enterprise-wide systems. Software-based solutions are usually installed on standard hardware, whereas hardware-based appliances are typically proprietary in nature. Either way, the firewalls can be categorized by the way they handle network traffic. In this section we give an overview of the existing firewall technologies, and show you how StoneGate fits on that map.

Traditionally, firewalls can be divided into three main groups:

• packet filtering firewalls

• application-level proxy firewalls

• stateful inspection firewalls.

Next, we will briefly compare each technology, and bring out their fortes and drawbacks.


Packet Filters

The packet filtering firewall, based on the header information of the packets it receives, allows or denies access to or from the network that it is guarding. Packet filtering firewalls check each packet and can be implemented by most common routing devices.

Packet filters typically contain access control lists (ACLs) to monitor the following header data:

• source IP address

• destination IP address

• source port

• destination port

• ICMP message type

• protocol

• packet size

• various header flags.

By combining these parameters, complex policies can be enforced by the packet filter. Packet filters tend to have high performance, because their inspection involves very simple parameters at the network layer of the TCP/IP stack. They typically only inspect up to the network layer, as shown in Figure 3.2. With more complex environments, however, the performance of packet filters drops significantly as every packet of every connection is checked against the access control rules.

Illustration 3.2 Packet Filtering Model

In conclusion, packet filtering is neither very flexible nor generally very secure because the network layer lacks the context of each packet. This type of filtering can be easily fooled with techniques such as fragmented packets, or bogus or invalid IP address information. Packet filters cannot protect against malicious contents in higher levels of the protocol stack, or examine the actual data portion. Thus, they are often used in combination with application-level proxies. Packet filtering is commonly used also in routers at the network perimeters.
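To make the packet filtering model concrete, the following added example (written for this guide; it is not StoneGate code and does not reflect how the StoneGate engine is implemented) evaluates the header fields listed above against an ordered ACL. It also shows the two principles stated earlier in this chapter: whatever no rule expressly permits is denied, and per-rule hit counters reveal rules that never match, such as a rule shadowed by an earlier deny. The network addresses, rule set and sample packets are constructed for the example.

```python
"""Added example (constructed for this guide, not StoneGate code): a packet
filter that matches header fields against an ordered access control list,
denies anything no rule permits, and counts hits per rule."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter looks at; a constructed sample type."""
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    size: int = 64        # total packet length in bytes


@dataclass
class Rule:
    """One ACL entry. A field left as None matches anything."""
    action: str                      # "allow" or "deny"
    src: Optional[str] = None        # CIDR network
    dst: Optional[str] = None        # CIDR network
    proto: Optional[str] = None
    dport: Optional[int] = None
    max_size: Optional[int] = None
    hits: int = 0                    # rule hit counter

    def matches(self, p: Packet) -> bool:
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.max_size is not None and p.size > self.max_size:
            return False
        return True


class PacketFilter:
    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def decide(self, p: Packet) -> str:
        """First matching rule wins; a packet no rule mentions is denied."""
        for rule in self.rules:
            if rule.matches(p):
                rule.hits += 1
                return rule.action
        return "deny"

    def unused_rules(self) -> List[int]:
        """Indexes of rules that never matched: candidates for removal."""
        return [i for i, r in enumerate(self.rules) if r.hits == 0]


def run_demo():
    # Constructed addresses: 192.0.2.0/24 is the DMZ, 10.0.0.0/8 the intranet.
    fw = PacketFilter([
        Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=25),   # SMTP to the DMZ mail server
        Rule("deny", dst="192.0.2.0/24"),                            # nothing else into the DMZ
        Rule("allow", src="10.0.0.0/8"),                             # intranet clients outbound
        Rule("allow", dst="192.0.2.20/32", proto="tcp", dport=443),  # never reached: shadowed by the deny above
    ])
    packets = [
        Packet("198.51.100.7", "192.0.2.10", "tcp", 51000, 25),   # allowed by rule 0
        Packet("198.51.100.7", "192.0.2.10", "tcp", 51001, 22),   # denied by rule 1
        Packet("10.1.2.3", "203.0.113.5", "tcp", 40000, 80),      # allowed by rule 2
        Packet("198.51.100.7", "10.1.2.3", "tcp", 51002, 445),    # no rule: default deny
    ]
    return fw, [fw.decide(p) for p in packets]


if __name__ == "__main__":
    fw, decisions = run_demo()
    print(decisions, "unused rules:", fw.unused_rules())
```

Note that the filter has no memory between packets: the reply from the mail server to the client would have to be permitted by a rule of its own, which is exactly the gap stateful inspection closes in the next sections.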

Proxy Firewalls

Proxy firewalls are firewalls running application proxy services. This means that the server establishes a second, different connection to the destination network on behalf of the host from the source network—if the packet meets the security policy criteria for it to pass through. In other words, proxy firewalls mediate communications between two different devices located on different networks.

This type of firewall is fully application-aware, and therefore very secure, but at the same time there is a trade-off in performance due to the additional overhead required to maintain separate connections and to inspect packets up to the application layer.

Illustration 3.3 Proxy Firewall Model

Proxy firewalls can cache information, such as HTML pages, to increase the performance somewhat, but the application layer awareness still continues to affect performance.

Firstly, application level checking and duplicate connections can drain system resources, affecting firewall performance. Secondly, the number of services used by a proxy firewall is an issue. Since every service needs its own proxy, the proxy list is always in some sense incomplete, and new applications and services are hard to keep up with.

Traffic inspection takes place at the highest layer of the TCP/IP stack. The necessity of inspecting every layer before returning down to the physical layer can cause bottlenecks in busy networks.


Stateful Inspection

Stateful inspection technology was developed to overcome the limitations of packet filtering firewalls. Stateful inspection firewalls use additional criteria, such as historical data about the connection, in determining whether to allow or deny access. They track the established connections and their states in dynamic state tables and ensure that the connections comply with the security policies.

By applying connection status and context information to current connections and packets, some packets are denied access before being further inspected at a higher level, which increases performance. Furthermore, since stateful inspection understands the context of connections (and therefore can relate the returning packets to appropriate connections), connections already determined to be “secure” can be allowed without further examination. This is especially important with services such as telnet and FTP. Stateful inspection operates just beneath the network layer (in practice, the inspection takes place between the data link layer and network layer). Stateful inspection firewalls have a rather limited capability to inspect data at the application layer. Stateful inspection systems also try to keep state tables for every connection protocol, whether or not the protocol has a meaningful connection state.


StoneGate and Multi-Layer Inspection

With StoneGate, Stonesoft introduces a new firewall technology called Multi-Layer Inspection. Like stateful inspection, StoneGate uses state tables to track connections and judge whether a packet is a part of an established connection or not. However, it also features application-layer inspection by implementing specific Protocol Agents, when necessary, for enhanced security. Thus, StoneGate can inspect data all the way up to the application layer to decide whether a packet is granted access or not. Moreover, StoneGate can also act as a packet filter for types of connections that do not require the security considerations of stateful inspection.

Illustration 3.5 Multi-layer Inspection Model

The state of connections provides valuable information for assessing incoming packets. Any packet must be either accepted directly by the policy, be a part of a previously accepted connection, or of a related connection. Whenever packets arrive, the firewall checks them against active connections before proceeding through the rules of the security policy. If a connection has a registered state, all the packets following the opening packet can pass the firewall securely without having to traverse the policy.
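The state table mechanism described in the Stateful Inspection section and in the paragraph above can be illustrated with the following added example. It is written for this guide and is not StoneGate code; the lookup order, the state names and the sample addresses are assumptions made for the illustration. A packet is first matched against tracked connections (in either direction), then against related connections that a protocol agent has announced, and only a genuine new connection attempt is run through the policy. A mid-stream TCP packet with no tracked connection is dropped without consulting the policy at all.

```python
"""Added example (constructed for this guide, not StoneGate code): a connection
state table. Packets are checked against tracked connections first, then
against related connections a protocol agent has announced, and only new
connection attempts are sent through the policy."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

Key = Tuple[str, str, int, str, int]          # proto, src, sport, dst, dport


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()       # TCP flags present, e.g. {"SYN"}

    def key(self) -> Key:
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_key(self) -> Key:
        return (self.proto, self.dst, self.dport, self.src, self.sport)


class StateTable:
    def __init__(self, policy: Callable[[Packet], bool]):
        self.policy = policy                               # decides new connections only
        self.conns: Dict[Key, str] = {}                    # originator key -> state
        self.expected: Set[Tuple[str, str, str, int]] = set()   # proto, src, dst, dport

    def expect_related(self, proto: str, src: str, dst: str, dport: int) -> None:
        """Announce a related connection, as a protocol agent would after reading
        a control channel (for example an FTP PORT command)."""
        self.expected.add((proto, src, dst, dport))

    def _advance(self, key: Key, p: Packet, from_originator: bool) -> None:
        """Minimal TCP state machine; UDP entries simply stay ESTABLISHED."""
        state = self.conns[key]
        if "RST" in p.flags:
            del self.conns[key]
        elif "FIN" in p.flags:
            self.conns[key] = "CLOSING"
        elif state == "SYN_SENT" and not from_originator and {"SYN", "ACK"} <= p.flags:
            self.conns[key] = "SYN_RECV"
        elif state == "SYN_RECV" and from_originator and "ACK" in p.flags:
            self.conns[key] = "ESTABLISHED"

    def _open(self, p: Packet) -> None:
        self.conns[p.key()] = "SYN_SENT" if p.proto == "tcp" else "ESTABLISHED"

    def handle(self, p: Packet) -> Tuple[str, str]:
        """Return (decision, reason); the reason names the stage that decided."""
        if p.key() in self.conns:
            self._advance(p.key(), p, from_originator=True)
            return "allow", "state"
        if p.reverse_key() in self.conns:
            self._advance(p.reverse_key(), p, from_originator=False)
            return "allow", "state"
        related = (p.proto, p.src, p.dst, p.dport)
        if related in self.expected:
            self.expected.discard(related)
            self._open(p)
            return "allow", "related"
        if p.proto == "tcp" and p.flags != frozenset({"SYN"}):
            return "deny", "no-state"      # mid-stream TCP packet with no tracked connection
        if self.policy(p):
            self._open(p)
            return "allow", "policy"
        return "deny", "policy"


def demo_policy(p: Packet) -> bool:
    """Constructed policy: only FTP and SMTP to the DMZ host 192.0.2.10."""
    return p.proto == "tcp" and p.dst == "192.0.2.10" and p.dport in (21, 25)


def run_demo() -> Tuple[StateTable, List[Tuple[str, str]]]:
    table = StateTable(demo_policy)
    client, server = "198.51.100.7", "192.0.2.10"
    results = [table.handle(p) for p in [
        Packet("tcp", client, 40001, server, 25, frozenset({"SYN"})),         # new connection, policy
        Packet("tcp", server, 25, client, 40001, frozenset({"SYN", "ACK"})),  # reply, matched by state
        Packet("tcp", client, 40001, server, 25, frozenset({"ACK"})),         # handshake completes
        Packet("tcp", client, 40002, server, 25, frozenset({"ACK"})),         # ACK with no handshake
        Packet("tcp", client, 40003, server, 80, frozenset({"SYN"})),         # not permitted
    ]]
    # An FTP agent watching the control channel announces the active-mode data
    # connection; the server's SYN towards the client is then accepted as related.
    table.expect_related("tcp", server, client, 40010)
    results.append(table.handle(Packet("tcp", server, 20, client, 40010, frozenset({"SYN"}))))
    return table, results
```

The reverse-key lookup is what lets the server's reply through without a rule of its own, and the "no-state" branch is what a plain packet filter cannot express: an ACK that belongs to no handshake is dropped before the policy is even consulted.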

By default, most rules in StoneGate security policies implement stateful inspection methods, but the administrator can flexibly configure rules with simple packet filtering for certain types of traffic. For example, SNMP traps from server systems and network devices can pass through the firewall to a management network on the basis of simple packet filtering in case there is no need to enforce a more strict inspection. This kind of flexibility enhances the firewall performance.

Additionally, application level security can be applied to specific rules in the security policy when needed. Multi-Layer Inspection is capable of providing this type of security without the performance degradation of conventional proxy firewalls. StoneGate can implement application level inspection without the need to handle two separate connections. This is achieved with the Protocol Agents, which can be assigned to certain types of traffic.

Protocol Agents are also used to handle complex connections (e.g., Oracle or FTP), to redirect traffic to content inspection servers, to enforce protocol standards, and to modify data payload if necessary. The FTP Protocol Agent, for example, can inspect the control connection and only allow packets containing valid FTP commands. It can also be configured to redirect traffic to a CIS for content screening and to modify IP addresses in the payload in case network address translation is required. The Protocol Agents are covered in more detail in Protocol Agents, on page 161.
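As an added illustration of what the FTP Protocol Agent tasks above involve, the following example (written for this guide; it is not the StoneGate FTP Protocol Agent and does not show its implementation) inspects lines of an FTP control connection. It forwards only lines that carry a known FTP command, checks that a PORT command names the client's own address, rewrites that address when the client sits behind NAT, and records the data connection the firewall should then expect. The command set is the one from the FTP RFCs; the length limit, the ephemeral-port requirement and the sample addresses are choices made for this example.

```python
"""Added example (constructed for this guide, not StoneGate code): a protocol
agent for the FTP control connection that validates commands, enforces that a
PORT command refers to the client itself, and rewrites the address under NAT."""
import re
from typing import List, Optional, Tuple

# Commands from RFC 959 plus common extensions (RFC 2228, 2389, 2428, 3659).
FTP_COMMANDS = {
    "USER", "PASS", "ACCT", "CWD", "CDUP", "SMNT", "QUIT", "REIN", "PORT", "PASV",
    "TYPE", "STRU", "MODE", "RETR", "STOR", "STOU", "APPE", "ALLO", "REST", "RNFR",
    "RNTO", "ABOR", "DELE", "RMD", "MKD", "PWD", "LIST", "NLST", "SITE", "SYST",
    "STAT", "HELP", "NOOP", "AUTH", "PBSZ", "PROT", "FEAT", "OPTS", "EPRT", "EPSV",
    "SIZE", "MDTM", "MLST", "MLSD",
}
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


class FtpAgent:
    def __init__(self, client_ip: str, nat_public_ip: Optional[str] = None):
        self.client_ip = client_ip          # client address on the control connection
        self.nat_public_ip = nat_public_ip  # public address the client is hidden behind, if any
        self.expected: List[Tuple[str, int]] = []   # (address, port) the server may connect to

    def inspect(self, line: str) -> Tuple[str, Optional[str]]:
        """Return ("allow", line to forward) or ("deny", None)."""
        # A control line is one printable ASCII command terminated by CRLF.
        if len(line) > 512 or not line.endswith("\r\n"):
            return "deny", None
        body = line[:-2]
        if not body.isascii() or not body.isprintable():
            return "deny", None
        verb = body.split(" ", 1)[0].upper()
        if verb not in FTP_COMMANDS:
            return "deny", None
        if verb != "PORT":
            return "allow", line
        return self._handle_port(body)

    def _handle_port(self, body: str) -> Tuple[str, Optional[str]]:
        m = PORT_RE.match(body.upper())
        if m is None:
            return "deny", None
        nums = [int(x) for x in m.groups()]
        if any(n > 255 for n in nums):
            return "deny", None
        ip = ".".join(str(n) for n in nums[:4])
        port = nums[4] * 256 + nums[5]
        # The data address must be the client's own: a PORT naming another host
        # would make the server open a connection to a third party. Requiring an
        # ephemeral port is a policy choice of this example.
        if ip != self.client_ip or port < 1024:
            return "deny", None
        public_ip = self.nat_public_ip or self.client_ip
        self.expected.append((public_ip, port))
        if self.nat_public_ip is None:
            return "allow", body + "\r\n"
        h1, h2, h3, h4 = public_ip.split(".")
        return "allow", f"PORT {h1},{h2},{h3},{h4},{port // 256},{port % 256}\r\n"


def run_demo():
    # Constructed: client 10.1.2.3 is hidden behind the public address 203.0.113.1.
    agent = FtpAgent(client_ip="10.1.2.3", nat_public_ip="203.0.113.1")
    lines = [
        "USER alice\r\n",
        "PORT 10,1,2,3,156,65\r\n",        # 156*256+65 = 40001 on the client's own address
        "PORT 192,0,2,99,156,66\r\n",      # names another host: rejected
        "RETR report.pdf\r\n",
        "XHAX foo\r\n",                    # not an FTP command
        "LIST\r\n",
        "NOOP",                            # missing CRLF terminator
    ]
    return agent, [agent.inspect(line) for line in lines]
```

The entry left in `expected` is the piece of information a state table needs to accept the server's later data connection as related, which is how the control-channel inspection and the connection tracking work together.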

In brief, StoneGate Multi-Layer Inspection combines application layer inspection, stateful inspection, and packet filtering technologies flexibly for added security without adversely affecting system performance. The different functions these firewall technologies can perform will be discussed in the next section.

Firewall Functions

A firewall can have several different functions on a network. Although their main function is to control network access, firewalls can typically be configured for other basic network security tasks and even for more complex monitoring and filtering functions.

Access Control

The primary task of any firewall is to control access to data resources, so that only authorized connections are allowed. Access control is enforced in access rules, which are combined into policies. The rules collected into policies reflect the corporate network security policy.

Monitoring and Logging

Firewalls can be used to measure and monitor traffic load and attributes. A very important firewall feature is the ability to log monitored traffic. Properly recorded log data can be used to detect intruders and establish evidence to use against attackers. That kind of forensic evidence may prove to be invaluable in case hacking leads to lawsuits.

More commonly, logging is used to track the use of network resources, building a case for required services or hardware. Logging also helps administrators detect and troubleshoot network misconfigurations or failures.


Network Address Translation (NAT)

Network address translation (NAT) is a feature that enables the firewall to modify the IP headers of packets it forwards. It was originally created to alleviate the problem of the rapidly diminishing IP address space. Changing the network address of the originating (internal) network has an added benefit; the private IP addresses of hosts and the structure of an internal network can be concealed by a firewall. In fact, NAT enables even hiding an entire network behind a single public IP address.

As handy as NAT can be in terms of scarce public IP addresses and security, it is important to understand that NAT is not primarily a security feature. It is simply a method of modifying packets that lends itself to security applications. For more information on network address translation, see Network Address Translation (NAT) Rules, on page 145.
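The following added example shows the mechanics behind hiding an entire network behind a single public address, as described above. It is written for this guide and is not StoneGate code; the port pool, the table layout and the sample addresses are assumptions made for the illustration. Each outbound connection is given its own public port, and that port is what lets the reply be translated back to the right internal host. An inbound packet with no mapping simply has nowhere to go, which is a side effect of the translation table, not an access control decision; that is the sense in which NAT is not a security feature.

```python
"""Added example (constructed for this guide, not StoneGate code): hide NAT.
Every internal host is rewritten to one public address; the port chosen for each
connection lets the reverse translation find the original host for the reply."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class HideNat:
    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        self.first_port, self.last_port = first_port, last_port
        self.next_port = first_port
        # outbound: (proto, private src, sport, dst, dport) -> public port
        self.out: Dict[Tuple[str, str, int, str, int], int] = {}
        # inbound: (proto, public port, remote host, remote port) -> (private src, sport)
        self.back: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def _allocate(self, proto: str, dst: str, dport: int) -> Optional[int]:
        """Pick a public port that is free for this (proto, remote host, remote port)."""
        for _ in range(self.last_port - self.first_port + 1):
            port = self.next_port
            self.next_port = port + 1 if port < self.last_port else self.first_port
            if (proto, port, dst, dport) not in self.back:
                return port
        return None                                  # port pool exhausted

    def translate_out(self, p: Packet) -> Optional[Packet]:
        """Rewrite a packet leaving the internal network; None if no port is free."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        port = self.out.get(key)
        if port is None:
            port = self._allocate(p.proto, p.dst, p.dport)
            if port is None:
                return None
            self.out[key] = port
            self.back[(p.proto, port, p.dst, p.dport)] = (p.src, p.sport)
        return replace(p, src=self.public_ip, sport=port)

    def translate_in(self, p: Packet) -> Optional[Packet]:
        """Rewrite a reply arriving at the public address; None means no mapping
        exists, so the packet cannot be delivered to any internal host."""
        if p.dst != self.public_ip:
            return None
        target = self.back.get((p.proto, p.dport, p.src, p.sport))
        if target is None:
            return None
        return replace(p, dst=target[0], dport=target[1])


def run_demo():
    # Constructed: intranet 10.1.2.0/24 hidden behind 198.51.100.1, web server 203.0.113.5.
    nat = HideNat("198.51.100.1")
    web = "203.0.113.5"
    # Two internal hosts use the same source port towards the same server.
    a = nat.translate_out(Packet("tcp", "10.1.2.3", 50000, web, 80))
    b = nat.translate_out(Packet("tcp", "10.1.2.4", 50000, web, 80))
    again = nat.translate_out(Packet("tcp", "10.1.2.3", 50000, web, 80))   # same connection, same mapping
    reply_b = nat.translate_in(Packet("tcp", web, 80, "198.51.100.1", b.sport))
    unsolicited = nat.translate_in(Packet("tcp", web, 80, "198.51.100.1", 1026))
    return a, b, again, reply_b, unsolicited


if __name__ == "__main__":
    print(run_demo())
```

The two internal hosts that chose the same source port are the case that forces port translation: rewriting only the address would leave their replies indistinguishable.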

Authentication

Firewalls are often used to authenticate users accessing network resources from other locations. The various authentication methods ensure that the users trying to connect really are who they claim to be. These methods may involve a third party authentication service based on standard protocols like RADIUS or TACACS+, but they can also be based on the originating IP address or other parameters, such as usernames and passwords. For more information on authentication, see User Authentication, on page 177.

Virtual Private Networks (VPN)

Virtual private networks (VPN) conceal and encrypt traffic between end-points to establish a virtual, secure tunnel through an insecure, typically public, network. Firewalls are used at the tunnel end-points as security gateways (SGW) to encrypt and decrypt data passing between them, creating a gateway-to-gateway VPN. VPNs can also be established between a client machine, such as a remote laptop, and the firewall. Figure 3.6 illustrates a simple gateway-to-gateway VPN.

Illustration 3.6 Simple VPN Example

As seen in the illustration, when traffic (a “Hello!” message) leaves Site A, it is encrypted by the firewall. Anyone who intercepts this traffic in transit can only see the encrypted messages. Once the traffic reaches the Site B gateway, the packet is decrypted and re-shaped into its original form. When concealing the traffic this way, any number of computers at the different sites can share resources and communicate with each other safely over the Internet. For more information on virtual private networks, see Chapter 24, Overview to VPNs.

Secure Socket Layer Virtual Private Networks (SSL VPN)

Like virtual private networks, the secure socket layer virtual private networks (SSL VPNs) also conceal and encrypt traffic between end-points to establish a virtual, secure tunnel through an insecure network.

However, the difference between the VPN and the SSL VPN is that the SSL VPN provides secure clientless access by utilizing the SSL encryption features included in all modern Web browsers, allowing users to access resources without installing additional software, whereas the VPN relies on the installation and use of specific client software. For more information on secure socket layer virtual private networks, refer to the SSL VPN Administrator’s Guide.

Content Screening and Unified Threat Management

Content screening includes measures such as virus detection, Web content filtering, intrusion detection, or some other check of the actual data being transferred. When several such features are combined together with a firewall, the solution is often called unified threat management (UTM). StoneGate offers a UTM solution that includes a virus checking and deep packet inspection for the network traffic (including basic URL filtering). By combining several features, a UTM solution simplifies the physical network setup and makes the administration simpler.

UTM firewalls are generally used in environments where the traffic load stays moderate even at peak times. Firewalls are less often used as the primary tool for multiple forms of content inspection in large-scale enterprise systems because of the demands on hardware performance under a heavy traffic flow. Instead, large-scale firewall installations are often more cost-effective when used in combination with content inspection servers (CIS), which allow content inspection services to be run on a dedicated server that can be configured, scaled, and exchanged independently from the firewall.

The firewall redirects the traffic to the CIS, which either strips anything deemed malicious from the packet or drops the packet altogether, according to what the security rules in force on the CIS define. Unwanted content can be removed before packets enter the internal network (see Figure 3.7).


Illustration 3.7 Content Screening with CIS

For instance, incoming SMTP e-mail traffic could be forwarded from the firewall to the CIS for virus and content checking. The CIS removes suspicious content and the “scrubbed” packets are returned back to the firewall for routing to their final destination.

CIS can also be used to control traffic flow in the opposite direction. HTTP-based Web traffic from internal Web servers can be sent from the firewall to a CIS, which can then examine the destination site’s address (URL). If the CIS decides the site is on the list of “inappropriate” sites, the traffic is denied. Approved traffic continues to the requester.

Requirements for Modern Firewalls

As the volume and the importance of Internet traffic keeps growing, it is important that the firewalls are able to meet this growth. This section presents an overview of the types of demands firewalls must meet in rapidly changing network environments.

High Availability

Availability of network services is crucial to user satisfaction and employee productivity. Advanced clustering technologies prevent firewalls from being “bottlenecks” or single points of failure. Firewalls are clustered when two or more firewall nodes function as a single, virtual entity and enforce identical security policies. StoneGate has built-in clustering, so there is no need to set up and maintain additional hardware or software.

The performance of each node in a cluster contributes to the total throughput, eliminating bottlenecks and providing a fault tolerant and reliable firewall. Traffic from a failed node can be switched over to other nodes transparently. The firewall cluster can even handle traffic during maintenance.

Illustration 3.8 Eliminating Firewalls as Single Point of Failure through Clustering

In Figure 3.8, we see how a firewall cluster controls all traffic from the Internet to the internal networks. If the firewalls were not clustered, any maintenance break or malfunction would result in loss of connectivity. All traffic to and from the Internet would be halted. In a cluster, other nodes keep the traffic flowing if one or more nodes go offline.

Availability can be further enhanced by balancing the Internet traffic between several Internet service providers (ISPs). These load balancing features can maintain a connection even when the line it uses goes down, as the traffic can be automatically directed through alternative routes.

Scalability

As traffic volumes grow, congestion starts to disturb the flow of network traffic sooner or later. The firewall is by definition a “choke point”, through which all traffic must pass. Therefore, it is crucial that the throughput of the firewall will not become the limiting factor for network connections. The possibility to cluster firewalls means that new firewall nodes can be added flexibly as traffic volumes grow, thereby enhancing the load balancing of traffic. Good scalability is especially important if the firewall is used for advanced traffic inspection, such as virus scanning or intrusion detection and prevention.

High Throughput

Gigabit network environments are becoming more and more common, and the firewalls will be required to cope with this evolution. Clustering of firewall nodes also contributes to better throughput, as does the load balancing of multiple ISP links.


Centralized Management

No knowledgeable network administrator just sets up a firewall, trusts it to guard the network, and forgets that it ever exists. More measures are required to keep intruders from compromising security and to adjust to the varying needs of the users in the network. This is where a centralized management system can significantly save the administrator’s time.

Centralized management of firewalls, VPNs, and intrusion detection systems (IDS) allows the administrator to do multiple tasks using the same familiar interface, making it easier to combine information from different systems.

All networks benefit from centrally managed firewall security policies, be they geographically widespread, multi-national, or smaller networks. Corporate security policies often co-exist with site-specific rules to provide the required degree of granularity in the implementation of a network security policy. The implementation of corporate-wide, complicated security policies requires a great deal of flexibility from the firewall management system.

Centralized and efficient management of administrator rights can also be seen as a way to minimize the possibility of human error. To avoid unintentional confusion or harm, access to firewall configuration and policies must be carefully planned according to the administrators’ responsibilities.

The capability of remote installation and configuration is another important feature that will become more crucial in the evolving complicated and distributed network solutions.

Firewall Weaknesses

Knowing the benefits that firewalls can offer is most useful when you are equally aware of their weaknesses. A balanced approach is essential to form effective corporate security policies. You must have a good picture of the whole security framework to decide what other measures are needed in addition to firewalls.

Lack of Administration

Complex network environments with multiple Internet interfaces for VPN, remote access, e-business, and cache servers have increased the demand for administrators and administrative skills. This is in part because firewalls cannot provide effective security without careful attention and maintenance.

A firewall must be thoughtfully installed and configured. Security policies need periodic evaluation and regular updates. Too often a firewall gathers dust in a corner for years without a professional administrator. Often it is recognized that the system needs to be actively administered only after an attack and serious or complete data loss occurs.


Internal Attacks

Having well-designed and maintained firewalls is definitely a key ingredient to good network security. But firewalls, content inspection servers, and other devices examining packets at the network perimeter are ineffective against internal attacks. By some estimates, around 60 percent of all network attacks, including data theft, loss of resources, or destruction of data are launched from within the corporation. These kinds of attacks are much more difficult to defend against, and require different approaches than firewalls or other perimeter defenses.

The implementation of the corporate security policy must address these issues through, for example, security training of employees and host-based virus protection. Intrusion detection systems (IDS), if properly deployed and maintained, can offer another layer of defense against malicious traffic that cannot be blocked with firewalls.


CHAPTER 4

Introduction to StoneGate

Firewall/VPN

This chapter gives you an overview of the StoneGate Firewall/VPN system’s architecture and how the system inspects traffic.

The following sections are included:

The StoneGate Security Platform, on page 38

StoneGate Firewall/VPN System Components, on page 39


The StoneGate Security Platform

StoneGate Firewall/VPN is part of the StoneGate security platform, which is especially well-suited to complex and distributed network environments. In addition to firewalls and virtual private networking, the StoneGate security platform also provides intrusion detection and prevention.

Illustration 4.1 StoneGate Security Platform in Distributed Networks

The configuration, monitoring, and control of the system is done through a centralized management system that provides a single point of contact for a large number of geographically distributed administrators. The unified management platform provides major benefits for organizations of all sizes:

• Interaction between the firewall and IPS components in the same system creates real security benefits by allowing automatic coordinated responses when a security threat is detected, providing instant blocking of unwanted traffic, and reducing the need for immediate human intervention.

• Multiple administrators can log in at the same time to efficiently configure and monitor all StoneGate components. The system provides a single user interface that allows unified configuration, monitoring, and reporting of the whole StoneGate security platform with the same tools and within the same user session.

• The reuse of configuration information across components in the system allows you to avoid the laborious and error-prone duplicate work of configuring the same details for all components individually or exporting and importing the configurations between multiple separate systems.

• The system is designed to manage large installations and to be geographically distributed, so it is flexible and allows scaling up the existing components and adding new types of components to the system without sacrificing ease-of-use.


StoneGate Firewall/VPN System Components

The StoneGate system components and their roles are illustrated below.

Illustration 4.2 StoneGate Security Platform Components

One StoneGate Management Center can manage a large number of both Firewall/VPN and IPS engines. The StoneGate distributed architecture allows deploying the system components effectively in different network environments. You can flexibly add, remove, and reposition StoneGate system components according to need. The different system components are described in Table 4.1.

TABLE 4.1 StoneGate Firewall/VPN System Components

Component | Description

Firewall/VPN engines | Inspect and filter the traffic.

Management Servers and Log Servers | Store all configuration and log data and relay Management Client commands to the engines.

Web Portal Servers | Provide read-only access to a restricted amount of system configuration information and logs.

Management Clients | Provide a user interface for configuring, controlling, and monitoring all components in the StoneGate system. All tasks are done centrally through a connection to the Management Server.


40 Chapter 4: Introduction to StoneGate Firewall/VPN

All communications between system components are authenticated and encrypted. The firewall/VPN engines work independently according to their installed configuration, so even if the connections to the Management Center are cut, the firewall/VPN system continues its operation without interruption.

Firewall/VPN Engines

The term firewall engine refers to the combination of the physical device and the firewall/VPN software, including the integrated operating system (a specially hardened version of Linux). There is no need for separate operating system patches or upgrades; all software on the engines is upgraded during the firewall/VPN software upgrade.

Firewall engines have the following representations in the Management Client:

• The Firewall element is a container for the main configuration information directly related to the firewall.

• The individual physical firewall engines are shown as one or more Nodes under the main Firewall element in some views of the Management Client.

SOHO Firewall Engines

SOHO Firewalls are a special class of StoneGate firewall engines that provide local hosts at small offices or home offices secure access to the corporate network and also allow tunneling Internet traffic to a central site for inspection and monitoring. The SOHO Firewall engines are always StoneGate appliances. SOHO Firewalls are meant for remote deployment at low-traffic sites. SOHO Firewalls do not support advanced StoneGate firewall features such as Multi-Link or clustering.

SOHO Firewalls are configured and managed through the Management Server in the same way as other firewalls. A special SOHO Firewall element represents the configuration of a SOHO Firewall in the Management Client. The configuration information is transferred to the SOHO Firewalls from the Management Server when the configuration is applied to the engines. Like other firewalls, SOHO Firewalls also send information on their operating state to the Management Server and logs to the Log Server. They operate normally even if the Log Server contact fails. SOHO Firewalls also support remote software upgrades through the Management Client.


Main Benefits of StoneGate Firewall/VPN

In addition to standard firewall features, the StoneGate Firewall/VPN system provides additional advanced features. SOHO Firewalls do not support most of these advanced features.

Advanced Traffic Inspection

StoneGate’s traffic inspection process is designed to ensure a high level of security and throughput. Note that SOHO Firewalls provide a simpler traffic inspection feature set with fewer customization possibilities than what is described below.

The firewalls’ policies determine when to use stateful connection tracking, packet filtering, or application-level security. The system expends the resources necessary for application-level security only when the situation so demands and without unnecessarily slowing or limiting network traffic.

Some types of connections can be selected for inspection of their data content against harmful or otherwise undesired patterns. The deep packet inspection features provide IPS-type capabilities right on the firewall, and help in finding and stopping malicious or suspicious network activities. You can even inspect the content of encrypted HTTPS connections using the built-in deep packet inspection features. An antivirus scanner complements the standard traffic inspection features when the firewall is licensed for the UTM (unified threat management) feature.
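The following model illustrates the tiered approach described above: a rule lookup admits a new connection, a connection-tracking table lets later packets of that flow (including replies) pass without re-evaluating the rules, and the expensive deep packet inspection path runs only for flows whose rule asks for it. This is an added example and not StoneGate code; the rule fields, packet layout, addresses and the "BAD-PATTERN" detector are all constructed for the illustration.

```python
"""Toy model of tiered traffic inspection: stateless rule match to admit a new
connection, a connection-tracking table for the rest of the flow, and deep packet
inspection (DPI) run only for flows whose rule requests it.
Added illustration, not StoneGate code; all names and values are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str            # "tcp" or "udp"
    syn: bool = False     # TCP SYN flag: the only packet allowed to open a flow
    payload: bytes = b""


@dataclass
class Rule:
    dst: Optional[str]     # None matches any destination
    dport: Optional[int]
    proto: Optional[str]
    action: str            # "allow" or "deny"
    inspect: bool = False  # request DPI for every data packet of matching flows

    def matches(self, p: Packet) -> bool:
        return ((self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.proto is None or self.proto == p.proto))


ConnKey = Tuple[str, str, int, int, str]


def conn_key(p: Packet) -> ConnKey:
    """Direction-independent key so a reply maps to the same flow as its request."""
    if (p.src, p.sport) <= (p.dst, p.dport):
        return (p.src, p.dst, p.sport, p.dport, p.proto)
    return (p.dst, p.src, p.dport, p.sport, p.proto)


@dataclass
class Firewall:
    rules: List[Rule]
    dpi: Callable[[bytes], bool]                 # True when the payload is unwanted
    conns: Dict[ConnKey, bool] = field(default_factory=dict)  # flow -> inspect?
    dpi_calls: int = 0                           # how often the expensive path ran

    def process(self, p: Packet) -> str:
        key = conn_key(p)
        if key in self.conns:
            inspect = self.conns[key]            # known flow: no rule lookup needed
        else:
            if p.proto == "tcp" and not p.syn:
                return "drop:no-state"           # stray reply or mid-stream packet
            rule = next((r for r in self.rules if r.matches(p)), None)
            if rule is None or rule.action == "deny":
                return "drop:policy"
            inspect = rule.inspect
            self.conns[key] = inspect            # remember the decision for the flow
        if inspect and p.payload:
            self.dpi_calls += 1                  # only policy-selected flows pay for DPI
            if self.dpi(p.payload):
                self.conns.pop(key, None)        # tear the flow down
                return "drop:dpi"
        return "allow"


def run_demo() -> dict:
    """Feed a constructed packet sequence through the model and report the outcome."""
    rules = [
        Rule("10.0.0.5", 80, "tcp", "allow", inspect=True),  # web server: inspect content
        Rule(None, 443, "tcp", "allow"),                      # TLS: stateful tracking only
        Rule(None, None, None, "deny"),                       # default deny
    ]
    fw = Firewall(rules, dpi=lambda data: b"BAD-PATTERN" in data)  # placeholder detector
    client, web, tls, ssh = "192.0.2.10", "10.0.0.5", "10.0.0.6", "10.0.0.7"
    packets = [
        Packet(client, web, 40000, 80, "tcp", syn=True),
        Packet(web, client, 80, 40000, "tcp"),                          # reply: has state
        Packet(client, web, 40000, 80, "tcp", payload=b"GET / HTTP/1.1"),
        Packet(client, web, 40000, 80, "tcp", payload=b"POST BAD-PATTERN"),
        Packet(client, tls, 40001, 443, "tcp", syn=True),
        Packet(client, tls, 40001, 443, "tcp", payload=b"\x16\x03\x01"),  # no DPI
        Packet(client, ssh, 40002, 22, "tcp"),                            # no SYN, no state
        Packet(client, ssh, 40003, 22, "tcp", syn=True),                  # default deny
    ]
    return {"decisions": [fw.process(p) for p in packets], "dpi_calls": fw.dpi_calls}


if __name__ == "__main__":
    print(run_demo())
```

Of the eight constructed packets, only the two data packets of the inspected web flow reach the DPI hook; the TLS flow is admitted by the rule once and then handled purely from the connection table, which is the resource-saving behaviour the paragraph describes.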

Built-in Clustering for Load Balancing and High Availability

StoneGate provides innovative built-in clustering and load-balancing features that provide several benefits over traditional solutions. Clustering and load-balancing are not supported for SOHO Firewalls.

Traditionally, in order to achieve high availability on the firewall itself, additional hardware switches, software clustering products, or special load balancing devices have been added and maintained. This often results in the transfer of a single point of failure to another network component—typically the network link.

In StoneGate, however, the clustering of the firewall engines is integrated in the product, thus introducing true built-in high availability and load balancing. The firewall engines dynamically load-balance individual connections between the cluster nodes, transparently transferring connections to available nodes in case a node becomes overloaded or experiences a failure.

A firewall cluster can have a maximum of 16 nodes. With load balancing, the processing of network traffic is automatically balanced between the cluster nodes. This way, the performance of the StoneGate system can be upgraded by simply adding new nodes to the cluster when necessary. Individual nodes can also be taken offline during business hours for maintenance purposes; connections that were handled by that particular engine are transparently redistributed to other online nodes.

StoneGate also comes with built-in technology for high availability and load-balancing between different network connections as explained in the next section.
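The clustering behaviour described in this section (connections spread over the cluster nodes, the 16-node limit, and transparent redistribution of the connections of a node that fails or is taken offline for maintenance) can be modelled as follows. This is an added example and not StoneGate's clustering implementation; the node names, the hash-based placement and the constructed connection tuples are assumptions made for the illustration.

```python
"""Toy model of a firewall cluster: connections are placed on online nodes by
hashing their 5-tuple, and when a node goes offline only the connections it
owned are moved, so flows on the remaining nodes are undisturbed.
Added illustration, not StoneGate's clustering code; names and hash are constructed."""
import hashlib
from typing import Dict, List, Tuple

MAX_NODES = 16  # the cluster size limit stated in the text

ConnKey = Tuple[str, str, int, int, str]   # src, dst, sport, dport, proto


class Cluster:
    def __init__(self, node_names: List[str]):
        if not 1 <= len(node_names) <= MAX_NODES:
            raise ValueError(f"a cluster must have 1..{MAX_NODES} nodes")
        self.online: List[str] = sorted(node_names)
        self.offline: List[str] = []
        # Connection table shared by all nodes, so any node can take over a flow.
        self.owner: Dict[ConnKey, str] = {}

    def _place(self, conn: ConnKey) -> str:
        """Deterministic choice among the nodes that are currently online."""
        digest = hashlib.sha256(repr(conn).encode()).digest()
        return self.online[int.from_bytes(digest[:4], "big") % len(self.online)]

    def new_connection(self, conn: ConnKey) -> str:
        node = self._place(conn)
        self.owner[conn] = node
        return node

    def load(self) -> Dict[str, int]:
        """Connections currently handled by each node (offline nodes show 0)."""
        counts = {n: 0 for n in self.online + self.offline}
        for node in self.owner.values():
            counts[node] += 1
        return counts

    def set_offline(self, name: str) -> int:
        """Take a node out of service (failure or maintenance); returns flows moved."""
        if name not in self.online:
            raise ValueError(f"{name} is not online")
        if len(self.online) == 1:
            raise RuntimeError("cannot take the last online node offline")
        self.online.remove(name)
        self.offline.append(name)
        orphans = [c for c, n in self.owner.items() if n == name]
        for conn in orphans:
            self.owner[conn] = self._place(conn)   # re-home only the affected flows
        return len(orphans)

    def set_online(self, name: str) -> None:
        """Return a node to service; new connections may land on it again."""
        if name not in self.offline:
            raise ValueError(f"{name} is not offline")
        self.offline.remove(name)
        self.online.append(name)
        self.online.sort()


def run_demo(n_conns: int = 300) -> dict:
    """Build a three-node cluster, load it with constructed flows, and fail one node."""
    cluster = Cluster(["fw-node-1", "fw-node-2", "fw-node-3"])
    for i in range(n_conns):
        # constructed 5-tuples: many clients talking to one server
        cluster.new_connection((f"192.0.2.{i % 250 + 1}", "10.0.0.5", 30000 + i, 443, "tcp"))
    before = cluster.load()
    owner_before = dict(cluster.owner)
    moved = cluster.set_offline("fw-node-2")
    stayed = sum(1 for c, n in cluster.owner.items() if owner_before[c] == n)
    stray = sum(1 for n in cluster.owner.values() if n not in cluster.online)
    return {"before": before, "after": cluster.load(),
            "moved": moved, "stayed": stayed, "stray": stray}


if __name__ == "__main__":
    print(run_demo())
```

The point to take from the model is the shared connection table: because every node can see which flows exist, the survivors can continue the flows of a failed node instead of forcing clients to reconnect, and only those flows are touched. A real cluster synchronises that state between nodes rather than keeping it in one process as the toy does.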
