Firewalls Part (4)

Posts : 85 أهمية العضو : 0 Join date : 18/11/2008

Firewall Classes :

The following section presents a number of classes of firewalls, each of which provides certain firewall features. Specific firewall classes can be used to respond to specific requirements in the design of an IT architecture.

Grouping firewalls into classes allows for the abstraction of the hardware from the requirements of the service. Service requirements can then be matched against class features. As long as a firewall fits into a specific class, it can support all of the services that the class of firewalls is required to support.

The various classes are as follows:

Class 1 - Personal firewalls
Class 2 - Router firewalls
Class 3 - Low-end hardware firewalls
Class 4 - High-end hardware firewalls
Class 5 - High-end server firewalls

It is important to understand that some of these classes overlap. This is by design, as the overlap allows one type of firewall solution to span multiple classes. Many classes can also be served by more than one hardware model from the same vendor, so that your organization can select a model that suits its present and future requirements.

Apart from the price and feature set, firewalls can be classified on the basis of performance (or throughput). However, manufacturers do not provide any figures of throughput for most classes of firewalls. Where they are provided (typically for hardware firewall devices), no standard measurement process is followed, which makes comparisons between manufacturers difficult. For example, one measure is the number of bits per second (bps), but as the firewall is actually passing IP packets, this measure is meaningless if the packet size used in measuring the rate is not included.

What Firewalls Can't Do

• Insider Attacks
Although a firewall can stop private or secret data from being obtained by attackers, it cannot prevent an insider from taking data out of the facility by simply copying it onto a disk .

• Viruses :

Firewalls cannot protect against users downloading virus-infected software from the Internet, or receiving such software via e-mail. The firewall cannot scan programs for virus signatures due to the large number of ways these programs can be encoded and compressed .

Some vendors are claiming to have "virus detecting" firewalls, but these likely only apply to Windows-on-Intel executables and macro-capable application documents. However, even if virus-detecting firewalls become possible, they will only protect against viruses which gain access via the Internet - and not against the vast majority of viruses which are transferred via disk .

• User Carelessness :

Users can circumvent the firewall in numerous ways. Revealing sensitive information over the telephone, choosing easily cracked passwords, connecting sites inside the protected subnet to a modem, or changing the contents of a configuration file or changing a file access permission can all subvert the security provided by the firewall, allowing attackers to gain access to sites within the protected network.

• OS Holes :

There are many security risks associated directly with operating systems, often due to the fact that they tend to be quickly produced and constantly upgraded. A firewall cannot be expected to secure the various holes in the operating system's security.

• Bugs in Firewall System :

Firewall systems depend on software programs, which will likely have bugs in them due to the extreme complexity involved and the difficulty of exhaustive testing. Naturally, firewalls cannot take into account their own, unknown, bugs.

• Tunnelling :

It is possible for an excluded service to tunnel through the firewall, by being enclosed within the payload of a packet of an allowed service. For example, multicast IP transmissions, used for voice and video traffic, are generally encapsulated in other packets. These transmissions represent a potential threat, as the packets could contain commands to alter security controls.

• Inadequate Policy :

Like software, policies probably can't be perfect. While obvious problems can be seen and dealt with, some policy inadequacies will probably only be revealed by a successful attack. Even if these holes in the policy are fixed, however, there are probably still "unpredictable intersections of human activity which no policy can withstand".

What is firewall security?

You probably know that you need firewall security; in fact, you may even already have a firewall management program in place. But what exactly is firewall security, and what does firewall management entail?

The word firewall originally referred literally to a wall, which was constructed to halt the spread of a fire. In the world of computer firewall protection, a firewall refers to a network device which blocks certain kinds of network traffic, forming a barrier between a trusted and an untrusted network. It is analogous to a physical firewall in the sense that firewall security attempts to block the spread of computer attacks.

Packet filtering firewall:

This type of firewall has a list of firewall security rules which can block traffic based on IP protocol, IP address and/or port number. Under this firewall management program, all web traffic will be allowed, including web-based attacks. In this situation, you need to have intrusion prevention, in addition to firewall security, in order to differentiate between good web traffic (simple web requests from people browsing your website) and bad web traffic (people attacking your website).

A packet filtering firewall has no way to tell the difference. An additional problem with packet filtering firewalls which are not stateful is that the firewall can't tell the difference between a legitimate return packet and a packet which pretends to be from an established connection, which means your firewall management system configuration will have to allow both kinds of packets into the network.

Recommendations:

For readers who are interested in the theoretical aspects of firewalls, a good place to start is the National Institute of Standards and Technology's document, "How to keep your site comfortably secure" In addition, any Internet search engine will return a multitude of links to firewall sites. Most of these will probably be links to commercial sites, but looking through these can result in a surprisingly large amount of useful information.

For readers who are interested in obtaining a firewall system, much of the same advice holds. The NIST's document contains some very practical information on how to go about drawing up a security policy, choosing the firewall system which meets your needs, and even administration of your firewall system.

The Internet Firewalls FAQ \ contains information on where to obtain cheap packet screening tools, and gives a sample set of some filtering rules which may be used.
The FreeBSD handbook gives a lot of detail on enabling and configuring IPFW, the firewall system distributed with FreeBSD. And of course, searching the Internet via almost any search engine will provide a myriad of firewall vendors eager to sell their product.

Conclusion:

It is clear that some form of security for private networks connected to the Internet is essential. A firewall is an important and necessary part of that security, but cannot be expected to perform all the required security functions. A firewall has a specific duty: to control the data entering and leaving the protected network via the firewall host. It cannot do anything more than this, and, if badly configured, can actually do more harm than good by lulling the users of the protected network into a false sense of security.

Aztec Information Management have described a Firewall Philosophy which gives an excellent summary of the important points to keep in mind when considering firewall systems:

• Assume all incoming traffic is potentially hostile .
• Any service not explicitly allowed is denied .
• Assume that the firewall may be subverted .
• Run only the necessary firewall software on the firewall machine .
• Start by disallowing all services, and then only allow those services which are necessary and approved in terms of the security policy .
• Only allow console logins on the firewall .
• Make the firewall as transparent as possible to the users .

A good security policy is the first line of defence against attackers, and the firewall is the means of implementing that security policy. A weak policy will mean a weak firewall, which is easily broken through. Careful configuration is essential: an incorrect implementation of a correct policy also results in a weak firewall. User education is the third element of a successful firewall: the firewall is useless if users bypass it due to ignorance or because of lack of transparency.

The last element of a successful firewall is physical security: if a physical intruder can simply walk off with the firewall machine (or any of the machines on the protected network), all the policy, configuration and user education in the world will be absolutely worthless.

.

موضوع: رد: Firewalls Part (4) الجمعة ديسمبر 05, 2008 2:51 pm

موضوع: رد: Firewalls Part (4) السبت سبتمبر 19, 2009 7:24 pm

يـــعـــطـــيـــك الـــعـــافـــيـــة

» Firewalls Part (2)
» Firewalls Part (3)
» Firewalls Part "1"