
Firewall Design Consideration: Network Access Policy [interesting]

Firewalls:

A firewall is a set of related programs, located at a network gateway server, that protects the resources of a private network from users on other networks. (The term also implies the security policy that is used with the programs.) An enterprise with an intranet that allows its workers access to the wider Internet installs a firewall to prevent outsiders from accessing its own private data resources and to control which outside resources its own users can reach.

Basically, a firewall, working closely with a router program, examines each network packet to determine whether to forward it toward its destination. A firewall also includes or works with a proxy server that makes network requests on behalf of workstation users. A firewall is often installed in a specially designated computer separate from the rest of the network so that no incoming request can get directly at private network resources.

There are a number of firewall screening methods. A simple one is to screen requests to make sure they come from acceptable (previously identified) domain names and Internet Protocol addresses. For mobile users, firewalls allow remote access into the private network through secure logon procedures and authentication certificates.

Which Protocols to Filter

The decision to filter certain protocols and fields depends on the network access policy, i.e., which systems should have Internet access and the type of access to permit. The following services are inherently vulnerable to abuse and are usually blocked at a firewall from entering or leaving the site:

  • tftp, port 69, trivial FTP, used for booting diskless workstations, terminal servers and routers, can also be used to read any file on the system if set up incorrectly,
  • X Windows, Open Windows, ports 6000+, port 2000, can leak information from X window displays including all keystrokes,
  • RPC, port 111, Remote Procedure Call services including NIS and NFS, which can be used to steal system information such as passwords and read and write to files, and
  • rlogin, rsh, and rexec, ports 513, 514, and 512, services that if improperly configured can permit unauthorized access to accounts and commands.

Other services, whether inherently dangerous or not, are usually filtered and possibly restricted to only those systems that need them. These would include:

  • TELNET, port 23, often restricted to only certain systems,
  • FTP, ports 20 and 21, like TELNET, often restricted to only certain systems,
  • SMTP, port 25, often restricted to a central e-mail server,
  • RIP, port 520, routing information protocol, can be spoofed to redirect packet routing,
  • DNS, port 53, domain names service zone transfers, contains names of hosts and information about hosts that could be helpful to attackers, could be spoofed,
  • UUCP, port 540, UNIX-to-UNIX CoPy, if improperly configured can be used for unauthorized access,
  • NNTP, port 119, Network News Transfer Protocol, for accessing and reading network news, and
  • gopher, http (for Mosaic), ports 70 and 80, information servers and client programs for gopher and WWW clients, should be restricted to an application gateway that contains proxy services.

While some of these services such as TELNET or FTP are inherently risky, blocking access to these services completely may be too drastic a policy for many sites. Not all systems, though, generally require access to all services. For example, restricting TELNET or FTP access from the Internet to only those systems that require the access can improve security at no cost to user convenience. Services such as NNTP may seem to pose little threat, but restricting these services to only those systems that need them helps to create a cleaner network environment and reduces the likelihood of exploitation from yet-to-be-discovered vulnerabilities and threats.
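The access policy above, written out as a stateless screening-router rule set and evaluated against sample packets. This is an added example, not code from the original post or from NIST; the 10.0.0.0/8 private network, the 10.0.0.25 mail server, the 10.0.0.5 admin host, the 10.0.0.80 application gateway and the 192.0.2.0/24 partner network are constructed placeholders.

```python
"""Stateless screening-router ACL for the access policy above (added example; addresses are constructed)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    proto: str    # "tcp", "udp" or "any"
    src: str      # source CIDR
    dst: str      # destination CIDR
    ports: range  # destination ports covered by the rule

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and p.dport in self.ports)

ANY = "0.0.0.0/0"
INSIDE = "10.0.0.0/8"  # constructed private network
ACL = [
    # Inherently vulnerable services: denied in both directions; they come
    # first so they win over any later permit.
    Rule("deny", "udp", ANY, ANY, range(69, 70)),      # tftp
    Rule("deny", "tcp", ANY, ANY, range(6000, 6064)),  # X Windows displays
    Rule("deny", "tcp", ANY, ANY, range(2000, 2001)),  # Open Windows
    Rule("deny", "any", ANY, ANY, range(111, 112)),    # RPC portmapper (NIS, NFS)
    Rule("deny", "tcp", ANY, ANY, range(512, 515)),    # rexec, rlogin, rsh
    # Restricted services: permitted only to the systems that need them.
    Rule("permit", "tcp", ANY, "10.0.0.25/32", range(25, 26)),           # SMTP to mail hub
    Rule("permit", "tcp", "192.0.2.0/24", "10.0.0.5/32", range(23, 24)),  # TELNET from partner
    Rule("permit", "tcp", ANY, "10.0.0.80/32", range(80, 81)),           # HTTP to app gateway
    Rule("permit", "tcp", INSIDE, ANY, range(1, 65536)),                 # outbound from inside
]

def decide(acl: list, p: Packet) -> str:
    """First matching rule wins; no match falls to the implicit default deny.

    Being stateless, this admits no replies to outbound connections; a real
    screening router needs an 'established' (ACK-set) rule for those.
    """
    for r in acl:
        if r.matches(p):
            return r.action
    return "deny"
```

Ordering matters: the deny rules for tftp, X, RPC and the r-services sit ahead of the broad outbound permit, so those services are blocked leaving the site as well as entering it.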

Useful Technical Terms:

Abuse of Privilege

When a user performs an action that they should not have, according to organizational policy or law.

Access Control Lists

Rules for packet filters (typically routers) that define which packets to pass and which to block.

Access Router

A router that connects your network to the external Internet. Typically, this is your first line of defense against attackers from the outside Internet. By enabling access control lists on this router, you’ll be able to provide a level of protection for all of the hosts “behind” that router, effectively making that network a DMZ instead of an unprotected external LAN.

Application-Layer Firewall

Firewall systems in which service is provided by processes that maintain complete TCP connection state and sequencing. Application layer firewalls often re-address traffic so that outgoing traffic appears to have originated from the firewall, rather than the internal host.

Authentication

The process of determining the identity of a user that is attempting to access a system.

Authentication Token

A portable device used for authenticating a user. Authentication tokens operate by challenge/response, time-based code sequences, or other techniques. This may include paper-based lists of one-time passwords.

Authorization

The process of determining what types of activities are permitted. Usually, authorization is in the context of authentication: once you have authenticated a user, they may be authorized for different types of access or activity.

Bastion Host

A system that has been hardened to resist attack, and which is installed on a network in such a way that it is expected to potentially come under attack. Bastion hosts are often components of firewalls, or may be “outside” web servers or public access systems. Generally, a bastion host is running some form of general purpose operating system (e.g., Unix, VMS, NT, etc.) rather than a ROM-based or firmware operating system.

Challenge/Response

An authentication technique whereby a server sends an unpredictable challenge to the user, who computes a response using some form of authentication token.

Chroot

A technique under Unix whereby a process is permanently restricted to an isolated subset of the file system.

Cryptographic Checksum

A one-way function applied to a file to produce a unique “fingerprint” of the file for later reference. Checksum systems are a primary means of detecting file system tampering on Unix.

Data Driven Attack

A form of attack in which the attack is encoded in innocuous-seeming data which is executed by a user or other software to implement an attack. In the case of firewalls, a data driven attack is a concern since it may get through the firewall in data form and launch an attack against a system behind the firewall.

Defense in Depth

The security approach whereby each system on the network is secured to the greatest possible degree. May be used in conjunction with firewalls.

DNS spoofing

Assuming the DNS name of another system by either corrupting the name service cache of a victim system, or by compromising a domain name server for a valid domain.

Dual Homed Gateway

A dual homed gateway is a system that has two or more network interfaces, each of which is connected to a different network. In firewall configurations, a dual homed gateway usually acts to block or filter some or all of the traffic trying to pass between the networks.

Encrypting Router

see Tunneling Router and Virtual Network Perimeter.

Firewall

A system or combination of systems that enforces a boundary between two or more networks.

Host-based Security

The technique of securing an individual system from attack. Host based security is operating system and version dependent.

Insider Attack

An attack originating from inside a protected network.

Intrusion Detection

Detection of break-ins or break-in attempts either manually or via software expert systems that operate on logs or other information available on the network.

IP Spoofing

An attack whereby a system attempts to illicitly impersonate another system by using its IP network address.

IP Splicing / Hijacking

An attack whereby an active, established, session is intercepted and co-opted by the attacker. IP Splicing attacks may occur after an authentication has been made, permitting the attacker to assume the role of an already authorized user. Primary protections against IP Splicing rely on encryption at the session or network layer.

Least Privilege

Designing operational aspects of a system to operate with a minimum amount of system privilege. This reduces the authorization level at which various actions are performed and decreases the chance that a process or user with high privileges may be caused to perform unauthorized activity resulting in a security breach.

Logging

The process of storing information about events that occurred on the firewall or network.

Log Retention

How long audit logs are retained and maintained.

Log Processing

How audit logs are processed, searched for key events, or summarized.

Network-Layer Firewall

A firewall in which traffic is examined at the network protocol packet layer.

Perimeter-based Security

The technique of securing a network by controlling access to all entry and exit points of the network.

Policy

Organization-level rules governing acceptable use of computing resources, security practices, and operational procedures.

Proxy

A software agent that acts on behalf of a user. Typical proxies accept a connection from a user, make a decision as to whether or not the user or client IP address is permitted to use the proxy, perhaps does additional authentication, and then completes a connection on behalf of the user to a remote destination.

Screened Host

A host on a network behind a screening router. The degree to which a screened host may be accessed depends on the screening rules in the router.

Screened Subnet

A subnet behind a screening router. The degree to which the subnet may be accessed depends on the screening rules in the router.

Screening Router

A router configured to permit or deny traffic based on a set of permission rules installed by the administrator.

Session Stealing

See IP Splicing.

Trojan Horse

A software entity that appears to do something normal but which, in fact, contains a trapdoor or attack program.

Tunneling Router

A router or system capable of routing traffic by encrypting it and encapsulating it for transmission across an untrusted network, for eventual de-encapsulation and decryption.

Social Engineering

An attack based on deceiving users or administrators at the target site. Social engineering attacks are typically carried out by telephoning users or operators and pretending to be an authorized user, to attempt to gain illicit access to systems.

Virtual Network Perimeter

A network that appears to be a single protected network behind firewalls, which actually encompasses encrypted virtual links over untrusted networks.

Virus

A replicating code segment that attaches itself to a program or data file. Viruses might or might not contain attack programs or trapdoors. Unfortunately, many have taken to calling any malicious code a “virus”. If you mean “trojan horse” or “worm”, say “trojan horse” or “worm”.

Worm

A standalone program that, when run, copies itself from one host to another, and then runs itself on each newly infected host. The widely reported “Internet Virus” of 1988 was not a virus at all, but actually a worm.

