
June 2002

Practical Firewalling

The virtual network perimeter has changed the rules of the game for firewalls--and that means changing our tactics.

BY Fred Avolio

The Internet was a very different creature 10 years ago, when the first commercial firewall came online. With new uses, from online shopping and game playing to finance, come new threats. Let's examine some of the ways the Internet is changing how we do business, and how we need to adapt firewall security to accommodate them.

In the early 1990s, firewall pioneer Bill Cheswick described the network perimeter where he worked at Bell Labs as having "a crunchy shell around a soft, chewy center." Diagrams of firewall-protected networks traditionally show the network surrounded by brick walls with a single, fortified access point. It's a useful picture, but it no longer reflects the real world. No network looks that way today. There are all sorts of holes in the perimeter, some because of what we allow through permitted ports--including encrypted connections (VPNs and Web/SSL traffic), instant messaging, e-mail messages with attachments--some because of other practices we permit, such as notebook PCs and PDAs carried from the office, to the home, to the road and back.

Furthermore, it's harder to define how firewalls should distinguish between "them" and "us." You want to block potential attacks while giving business partners, remote salespeople and customers access, but not to everything. You need to adjust how you configure firewalls in three ways (for the purpose of this discussion, let's exclude static packet filters):

The need for speed. Some applications need speed. File transfers and streaming audio and video benefit from high speed more than some other network services--for example, e-mail (which is store and forward). Laying aside the issue of whether your users have a business need for streaming media, the question becomes "can we let this through quickly?"

For this type of traffic, we strike a balance that allows for the stronger (than UDP) packet source identification that TCP provides, while recognizing we get little or no benefit from the extra scrutiny provided by an application gateway. Why? Because no application gateway-based (proxy) firewall makes any kind of security decisions on the contents of the media stream.

Say your firewall is bundled with AV software that scans FTP data. If you need the speed, turn off the scanning and depend on end-system virus scanning. But only permit this for those who need FTP.

You also want to apply this type of analysis to the servers that your firewall protects. If speed is important, loosen the level of security scrutiny while hardening the servers.1

Get more granular where it counts. Only a few users might require certain network services, such as FTP. So, configure your firewall to deny FTP for all, then selectively permit it for the few. Strike a balance between security and manageability based on how easy your firewall is to configure and how often you add users to the "permitted" list.

Through the firewall. OK, so there are ways around your firewall. Make sure you understand and know how to deal with them.

  • If your remote users use VPNs--as they should--terminate them at, or outside, the firewall, so that you can apply security rules. You no doubt already permit SSL packets through your firewall--packets your firewall can't examine. This is a potential secret tunnel through the firewall, but we're stuck with it.2 Make sure your users understand your policy against tunneling.

  • The same goes for instant messaging, whose servers listen on ports "belonging to" other protocols. If instant messaging worries you, deny connections to and from the messaging servers as you discover them.
  • Never respond to a request along the lines of adding an "allow" rule from the outside to inside for some port you've never heard of.
  • If someone is going to run a Web server on his desktop, require him to justify it in detail, and, if you permit it, make sure security policies are enforced.
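The "deny FTP for all, then permit it for the few" ordering and the point about never adding an unjustified outside-to-inside allow rule, as an added Python example that is not from the original column: a toy first-match policy evaluator with a default deny, plus two review checks a firewall administrator can run over a ruleset, one that flags rules an earlier rule shadows (the blanket FTP deny placed above the per-user permits, so the permits never fire) and one that flags inbound allow rules for a port nobody has approved. The address ranges, the two FTP users and the approved-port set are constructed for the example; only the FTP control channel (TCP 21) is modelled, so a real deployment would still need an FTP proxy or state tracking for the data connections.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    direction: str        # "out": inside -> outside, "in": outside -> inside
    src: str              # CIDR block the packet source must fall in
    dst: str              # CIDR block the packet destination must fall in
    proto: str            # "tcp" or "udp"
    dport: Optional[int]  # destination port; None means any port
    note: str = ""        # who asked for the rule and why


@dataclass(frozen=True)
class Flow:
    direction: str
    src: str
    dst: str
    proto: str
    dport: int


INSIDE = "10.0.0.0/8"                          # constructed internal address space
ANY = "0.0.0.0/0"
FTP_USERS = ["10.0.1.5/32", "10.0.1.6/32"]     # constructed: the "few" who need FTP


def matches(rule: Rule, flow: Flow) -> bool:
    return (rule.direction == flow.direction
            and rule.proto == flow.proto
            and rule.dport in (None, flow.dport)
            and ip_address(flow.src) in ip_network(rule.src)
            and ip_address(flow.dst) in ip_network(rule.dst))


def evaluate(policy: List[Rule], flow: Flow) -> str:
    """First matching rule wins; a flow that no rule matches is dropped (default deny)."""
    for rule in policy:
        if matches(rule, flow):
            return rule.action
    return "deny"


def build_policy() -> List[Rule]:
    """Per-user FTP permits first, then the blanket FTP deny, then general web access."""
    policy = [Rule("allow", "out", host, ANY, "tcp", 21, "FTP for a named user")
              for host in FTP_USERS]
    policy.append(Rule("deny", "out", INSIDE, ANY, "tcp", 21, "FTP denied for everyone else"))
    policy.append(Rule("allow", "out", INSIDE, ANY, "tcp", 80, "web"))
    policy.append(Rule("allow", "out", INSIDE, ANY, "tcp", 443, "web/SSL; firewall cannot inspect"))
    return policy


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every flow `inner` could match is already matched by `outer`."""
    return (outer.direction == inner.direction
            and outer.proto == inner.proto
            and outer.dport in (None, inner.dport)
            and ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst)))


def shadowed_rules(policy: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule covers them.
    This catches the ordering mistake of putting 'deny FTP for all' above the permits."""
    return [j for j, rule in enumerate(policy)
            if any(covers(policy[i], rule) for i in range(j))]


def unexplained_inbound_allows(policy: List[Rule], approved_ports: Set[int]) -> List[Rule]:
    """Outside-to-inside allow rules for a port nobody has approved, or for 'any' port."""
    return [rule for rule in policy
            if rule.action == "allow" and rule.direction == "in"
            and (rule.dport is None or rule.dport not in approved_ports)]


if __name__ == "__main__":
    policy = build_policy()
    for flow in (Flow("out", "10.0.1.5", "198.51.100.7", "tcp", 21),   # permitted FTP user
                 Flow("out", "10.0.2.9", "198.51.100.7", "tcp", 21),   # everyone else
                 Flow("in", "198.51.100.7", "10.0.2.9", "tcp", 80)):   # unsolicited inbound
        print(flow, "->", evaluate(policy, flow))
    print("shadowed rules in correct policy:", shadowed_rules(policy))
```

Running the module prints allow, deny, deny for the three constructed flows and an empty shadow list; moving the blanket deny to the top of the list makes `shadowed_rules` report both per-user permits, which is exactly the defect a reviewer wants surfaced before the change goes live.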

Sure, you want to use the Internet in new and interesting ways. Business often requires it. Just as true, doing so can open networks to new attacks. The good news is that recognizing those changes will let you modify your firewalls to address the growing danger.

1. See Cutting Through Security Clutter.
2. See Break on Through.


Columnist FRED AVOLIO (fred@avolio.com) is president and founder of Avolio Consulting, a Maryland-based computer and network security consulting firm.
Copyright 2002 TechTarget