Databus Issue: 2004 3 07/30/2004

Dude, Where’s My Perimeter?

Chris Hall, Network Systems Engineer
Fitting a Firewall Into a Real-World Defense

Ah, where should we begin? This article was to be an introduction to firewalls, the classic perimeter defense. But, it seems that the perimeter is getting harder and harder to define, and network security has become too big a job to be handled by one appliance. Like the perimeter, the implementation of a network’s security features is increasingly diffused throughout the network, and the process does not begin at the firewall. It begins with policy.

Network security really begins with a statement of intent called a security policy. This policy needs to do a number of things while remaining short and concise enough to actually be read:

• Identify the services that the network will provide.
• Define acceptable use of those services.
• Specify who can access the network’s services and how they will be identified.

Once these basic precepts have been laid out, tortured by committee and chiseled in Jell-O, the tricky part is to decide how to implement them in a meaningful fashion.

Traditionally, this is where things like firewalls come in. In the simplest sense, a firewall is an instrument of policy enforcement. It sits at the interface between your network and the great, dangerous world, and mechanically applies a rule set that controls who can access what parts of your network from the outside world, and how your users, inside the network’s perimeter, can access the outside world, colloquially referred to these days as the Internet.

This was a dandy concept when the perimeter of a network was a simple thing to define, but life has become complicated, as it is prone to do. Application-level protocols have proliferated and mutated, to the point where almost anything can tunnel over port 80 and there is often a real business case for instant messenger, which can be exploited in the same way. At the same time, software has become more complicated, and thus more vulnerable, and these vulnerabilities are exploited in an increasingly automated fashion. It is difficult to effectively guard against all the possibilities with one solution anymore.

So, what shall we do about this? Are firewalls a pointless exercise? Should we just trust our fates to the general goodwill of humankind and try to maintain a positive attitude until the inevitable catastrophe? I, for one, am all for goodwill, optimism, kittens, apple pies, and the whole genre of happy things that those ideas represent. However, in this case I would like to propose a more practical posture, the one that is getting a certain amount of public relations exercise as “defense in depth.”

Defense in depth is not a new idea so much as it is an elaboration on the way that many organizations already do things. The firewall is an important component of this strategy, but not the only important component. Diagram 1 (on the previous page) is of a fairly typical medium-sized network, greatly simplified. I would like to look at some ways to implement security in each part of the network, so that the firewall is one of several safeguards that work together.

Item number one is the public Internet, with all of its promise and all of its malice. It can be a bit shocking to monitor Internet traffic outside your network’s firewall. There is a constant stream of malevolent interest, ranging from ping sweeps and port-scanner activity to actual exploits, aimed at penetrating common services. The trick, obviously, is to provide services to legitimate users, while repelling all of this other traffic.

Item number two, moving inward, is the edge router that ties your network to your ISP’s network. This is the first line of active defense, and is one of the places where misconfiguration can really hurt.

First, it is vital to protect the edge router against unauthorized Telnet access. Since Telnet does not encrypt passwords in any meaningful sense, this usually means blocking off all Telnet access from outside the network by means of a simple access control list (ACL). If your edge router supports SSH (Secure Shell), it might be worth considering it for remote administration. It is an even better idea to keep the edge router as simple and bulletproof as possible, so that remote administration is not an issue.

The other big issue at the edge router is IP spoofing. There is no reason for traffic with a source address inside your network to be allowed in through the external interface of an edge router. Packets arriving from outside the network with source addresses from inside the network are bogus by definition and should be excluded. A simple ACL for this purpose prevents attackers from masquerading as inside users to gain unauthorized access.
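To make the two edge-router checks above concrete, here is an added example (not from the article) that models an inbound ACL on the external interface: drop anything whose source address claims to be inside our network, and drop Telnet (TCP/23) from outside. The internal prefix 192.0.2.0/24 and the sample packets are constructed for illustration; on a Cisco-style router the same two rules would be an inbound `deny ip <inside-net> any` followed by `deny tcp any any eq 23`.

```python
"""Hypothetical edge-router ingress ACL evaluator (added example, not the article's code)."""
import ipaddress
from dataclasses import dataclass

# Assumption: our internal address range (an RFC 5737 documentation prefix).
INSIDE_NET = ipaddress.ip_network("192.0.2.0/24")
TELNET_PORT = 23


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    dport: int = 0


def ingress_verdict(pkt: Packet) -> str:
    """Verdict for a packet arriving on the external interface:
    'deny-spoof', 'deny-telnet' or 'permit'. Rules are applied in order."""
    src = ipaddress.ip_address(pkt.src)
    # Rule 1 (anti-spoofing): an inside source address cannot legitimately
    # arrive from the outside world, so it is bogus by definition.
    if src in INSIDE_NET:
        return "deny-spoof"
    # Rule 2: no Telnet management access from outside the network.
    if pkt.proto == "tcp" and pkt.dport == TELNET_PORT:
        return "deny-telnet"
    return "permit"


# Constructed sample traffic as it might be seen on the external interface.
SAMPLE = [
    Packet("198.51.100.7", "192.0.2.10", "tcp", 80),  # web request from outside: fine
    Packet("192.0.2.5", "192.0.2.1", "tcp", 23),      # inside source from outside: spoofed
    Packet("203.0.113.9", "192.0.2.1", "tcp", 23),    # outside Telnet to the router: blocked
    Packet("203.0.113.9", "192.0.2.1", "tcp", 22),    # SSH: left to a separate policy here
]


def summarize(packets) -> dict:
    """Count packets per verdict, useful as a quick sanity check of the rule set."""
    verdicts = ("permit", "deny-spoof", "deny-telnet")
    return {v: sum(1 for p in packets if ingress_verdict(p) == v) for v in verdicts}


if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.src:>14} -> {p.dst}:{p.dport:<3} {p.proto}  {ingress_verdict(p)}")
    print(summarize(SAMPLE))
```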

Item number three is, of course, the firewall, and I will refrain from repeating the endless discussions about which one is best for whom. The classic alternatives are the application-layer proxy and the packet filtering (stateful inspection) firewall. Both approaches work if configured correctly, and I will leave the proselytizing to people who are more ardent about one flavor or the other.

And, what of those lurking figures surrounding the numeral six? Oh yeah, users… Regardless of the elegance of a plan or the timeless beauty of its implementation, it all comes to naught without the educated participation of the network’s users. They are the point of all this, right? Techie folk, like us, are just an operating expense, or so I am told. The purpose of the network, above all, is to serve the users’ needs while protecting the assets of the organization.

Unfortunately, good security is almost always a hassle from a user’s perspective. It is vitally necessary to educate users on the way that a perceived hassle relates to the security of the network and the protection of their own interests. It’s surprising how reasonable most people are willing to be when they receive a cogent explanation of why they are being asked to compromise.

At any rate, an administrator who can’t explain any feature of his network to the least technical user in the shop probably doesn’t understand it himself. Network security is more repetition than rocket science, and talking down to the users the network is supposed to serve is a dangerous pursuit. People are inclined to work around restrictions they don’t understand, and some of those workarounds can usher intruders or malicious programs right into the network.

Chris Hall is a network systems engineer for California School Information Services. He can be contacted at chall@csis.k12.ca.us.
