Design
The perimeter of an organisation’s LAN is the obvious place to locate its security protection. However, the perimeter has moved: no longer is there just one ingress to a LAN, but many points of access. Wireless networks, modems, secondary Internet connections and the migration of laptops between networks mean the boundary is constantly moving.
Moreover, it is critical to ensure that new or updated firewalls will be future-proof. The increase in network bandwidth available has been significant in recent years and is stretching firewall resources. Firewalls need to be able to manage the maximum available upstream bandwidth, otherwise a DoS attack could result in firewall failure.
Isolating networks
Logically, networks are already isolated by the netblocks that define them. To enable communication, routing protocols allow traffic between configured netblocks. However, do these netblocks need full connectivity with each other?
Figure 5: The spread of infection on a campus LAN
Malicious code — worms in particular — can propagate through many different attack vectors. One of the more common is Microsoft Windows® NetBIOS/SMB/CIFS file sharing.
Attacks taking advantage of insecure NetBIOS/SMB/CIFS fileshares and vulnerabilities in the underlying code are a common cause of swiftly spreading LAN-based infections. A good form of defence against this is to block these protocols from LANs where they are not required. The ports TCP/UDP 137, 138, 139 and TCP 445 can be blocked between LAN segments to isolate individual networks from attack. If a computer is compromised by a worm in one segment, only other vulnerable computers on that segment are compromised. However, when core file, print and AD authentication services are required, these protocols will have to be allowed to the network where the servers are located.
With the increased volume of different attack vectors against varying software, the implementation of a default deny policy between networks is becoming common, with exceptions set to allow desired services to operate.
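The following added example (not part of the original guide) models an inter-segment filter and compares three policies: a flat network, blocking only the NetBIOS/SMB/CIFS ports between segments, and default deny with exceptions. It reports which segments an SMB-borne infection could reach from a given starting segment. The segment names, netblocks and rule format are constructed for illustration.

```python
import ipaddress
from collections import deque

# Constructed campus netblocks (assumptions for this example).
SEGMENTS = {
    "staff": ipaddress.ip_network("10.10.0.0/24"),
    "students": ipaddress.ip_network("10.20.0.0/24"),
    "wireless": ipaddress.ip_network("10.30.0.0/24"),
    "servers": ipaddress.ip_network("10.40.0.0/24"),
}

# The NetBIOS/SMB/CIFS ports listed in the guide.
SMB = frozenset([("tcp", 137), ("udp", 137), ("tcp", 138), ("udp", 138),
                 ("tcp", 139), ("udp", 139), ("tcp", 445)])

# A rule is (action, source segment, destination segment, services);
# "any" matches every segment and rules are evaluated first match wins.
FLAT = {"default": "permit", "rules": []}
BLOCK_SMB = {"default": "permit", "rules": [
    ("permit", "any", "servers", SMB),   # file, print and AD authentication
    ("deny", "any", "any", SMB),         # no SMB between other segments
]}
DEFAULT_DENY = {"default": "deny", "rules": [
    ("permit", "staff", "servers", SMB),
    ("permit", "students", "servers", SMB),
    ("permit", "staff", "servers", frozenset([("tcp", 443)])),
]}


def segment_of(ip):
    """Return the name of the segment containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), None)


def allowed(policy, src_ip, dst_ip, proto, port):
    """Decide whether the inter-segment filter lets this flow through."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False                     # unknown netblock: not modelled
    if src == dst:
        return True                      # never crosses the segment boundary
    for action, r_src, r_dst, services in policy["rules"]:
        if r_src in (src, "any") and r_dst in (dst, "any") \
                and (proto, port) in services:
            return action == "permit"
    return policy["default"] == "permit"


def smb_exposure(policy, start):
    """Segments reachable from start, hop by hop, over any SMB port."""
    host = lambda seg: str(SEGMENTS[seg].network_address + 10)
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in SEGMENTS:
            if nxt not in seen and any(
                    allowed(policy, host(cur), host(nxt), proto, port)
                    for proto, port in SMB):
                seen.add(nxt)
                queue.append(nxt)
    return seen


if __name__ == "__main__":
    for name, policy in [("flat", FLAT), ("block SMB", BLOCK_SMB),
                         ("default deny", DEFAULT_DENY)]:
        print(name, sorted(smb_exposure(policy, "students")))
```

Under both restrictive policies the server network remains exposed to the segments that are allowed to reach it, so the servers still need host-level hardening and patching.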
Isolating different classes of users
Different classes of users often require different levels of access to IT systems. Many organisations already separate student and staff networks. The practice is very sensible, as it provides another layer of defence. However, a problem occurs when student and staff traffic meets in open access areas or on wireless networks. It is good policy to allow access to specific information systems only from wired staff networks.
Isolation can be achieved using VLAN technology which is already common on most organisational networks. Many VLANs can exist on a network at the same time, although there are limits on some vendors’ hardware.
VLANs allow networks to be separated so that different policies can be assigned to each. There are additional benefits from a networking perspective, including a reduction in broadcast domain sizes and easier administration.
802.1Q trunking provides a method for multiple VLANs to be fed to networking devices. VLANs are tagged with IDs for differentiation, with ID 1 reserved for the default untagged traffic. Most vendors use the 802.1Q standard, except for 3Com®, who use Virtual LAN Trunk. Cisco historically used Inter-Switch Link, but this is now deprecated in favour of 802.1Q. However, security measures which rely on VLANs are not entirely dependable because of the technique of VLAN Hopping. This involves changing the VLAN ID tag on encapsulated packets in a VLAN trunk, but this is not easy to execute on a production network.
Figure 6: Use of VLANs to separate network traffic
Demilitarised Zone
A DMZ describes a network in which the host servers are located. Limited connections from the Internet are allowed into the DMZ to provide services like web (HTTP) access and e-mail (SMTP et al). Connections from the DMZ to the internal network are not usually allowed by default, which protects the computers inside from compromised hosts in the DMZ.
Hosts in the DMZ are frequently additionally protected using NAT or PAT to further obfuscate the networking configuration.
A DMZ is often implemented using a third physical interface on the firewall, but an alternative is to use two firewalls in series with the DMZ. This provides an additional level of protection for the internal network.
Figure 7: Organisational Demilitarised Zone implementation
Protecting Sensitive Information Systems
Some computer systems on any network are more critical than others. Computers which store sensitive information present a higher risk because of their attractiveness for attack and its subsequent impact. Sensitive information systems can be protected by a number of different methods and using a combination of these provides defence in depth and enhances overall security.
Host security
It is important to ensure computers are built and maintained in a secure manner to prevent intrusion through operating system and configuration vulnerabilities. There are a number of steps that can be taken to secure an operating system, from the most basic at installation stage to more granular changes post-configuration.
It is good practice to ensure the computer is either disconnected from the network entirely or connected to a heavily firewalled development network at build time. Operating systems are often far from secure during installation and being connected to the production network would leave the computer vulnerable. To reduce the risk of a DoS attack, separate disk partitions for the system volume, user storage, individual services and logs are ideal. It is also worth considering whether all the services enabled are actually required: does IIS or Apache need to be running on all computers?
Post-installation it is essential that all operating system and service patches are applied. This needs to be achieved securely, not via an unprotected network. Anti-virus software needs to be installed, along with patch management software such as yum, smpatch, Windows® automatic updates, SUS or WSUS.
Once the machine has been configured, all ACLs and permissions set, and all logging and auditing enabled, it is wise to create a machine baseline snapshot. This will give a standard to compare the computer against should it begin to behave differently. It will make it easier to identify additional open ports or CPU-intensive processes.
Figure 8: Host security implementation plan
Isolation
Increasingly, information systems are isolated from other systems. This can take the form of dedicated VLANs, small netblocks per system groups, NAT, PAT, router ACLs or additional firewalls.
When a system is isolated, the traffic both into and out of the system is restricted which means the system is more difficult to compromise. If the system does get compromised then spread is significantly reduced.
Firewalls
Firewalls installed specifically to protect information systems can provide another layer of protection and dedicated rules. It is recommended that, if possible, two different hardware vendors are used to provide security against vulnerabilities in the firewall code.
The firewall could be host-based or network-based, although it is worth remembering that host-based firewalls are typically inferior. They are inflexible and often fail open, as opposed to network-based firewalls which fail closed.
Protecting a number of machines with a variety of requirements behind a firewall can be achieved with virtual firewalls or different contexts.
Network ACLs
An alternative to a fully functioning firewall is to protect information systems using network ACLs. Network ACLs can be implemented on routers or on some network switches. With Cisco Enhanced Images, network ACLs can be implemented on incoming traffic.
Access lists provide the flexibility to filter packets at both ingress and egress of network interfaces, according to IP address, protocol and application.
Secure communications
Even with modern packet-switched Ethernet, there is still a possibility that communications traffic can be sniffed. For example, tools like macof can be used to turn switches into hubs if they are not suitably protected. Secure communications can also be used to prevent replay and man-in-the-middle attacks.
All authentication and other sensitive data should be secured. If the protocol being used does not support secure encryption, then an SSL tunnel can be employed.
Physical Interfaces
All firewalls will have a number of interfaces which can be physical or virtual (or sub). Physical interfaces are where actual cables are connected to attach the firewall to the network infrastructure. All firewalls must have a minimum of two physical interfaces for normal operation, but this is not a limit. Interfaces for DMZ, management and failover all present configuration options.
Virtual interfaces are used when there are fewer physical interfaces available than required, or to support VLANs and/or virtual firewalls/contexts. Virtual interfaces split a physical interface into separate interfaces depending on the 802.1Q trunk. It is recommended that at least the primary firewall for an organisation has physical inside, outside and DMZ (if appropriate) interfaces, as they are, by their nature, more secure than virtual ones.
Failover
The provision of failover is a key issue in firewall implementation as fault tolerance needs to be a priority within the network infrastructure.
Failover can be implemented in two ways traditionally: Active/Active and Active/Passive. With the Active/Active method, two firewalls run concurrently, sharing the traffic to provide failover should one fail.
Figure 9: Firewalls in an Active/Active failover operation
With Active/Passive failover, two firewalls run concurrently, but traffic is only handled by one. When failure occurs, the other firewall takes over.
Figure 10: Firewalls in an Active/Passive failover operation
Multiple contexts can be used to create numerous virtual firewalls with different configurations on the same piece of hardware. This enables two devices to balance the load and provide fault tolerance.
Figure 11: Firewalls configured for Active/Active failover operation and load balancing using multiple contexts
Router ACLs and CBAC
Router ACLs were the first protection technology implemented by organisations. However, they can increase resource usage and CPU overhead. Dedicated firewalls are more flexible and can provide better fault tolerance. Router ACLs should only be used to isolate netblocks and implement limited rules. Core Cisco chassis-based routers can offload firewall features using a FWSM which can provide 1,000 virtual firewalls per installation.
CBAC is a Cisco IOS option for existing routers which monitors packets and implements a Layer 3 stateful inspection. This is a good solution for small installations.
CBAC also provides DoS protection and enforces timeout and threshold controls. This includes restricting the total number of half-open sessions and rules based on time scales and hosts.
When a packet is received at an interface it is evaluated against the existing outbound access list, and may be permitted to pass. (A denied packet would simply be dropped at this point.) The packet is then inspected by CBAC to determine the state of the packet’s connection. This information is recorded in a new state table entry created for the new connection.
Based on the state information, CBAC creates a temporary access list entry which is inserted at the beginning of the external interface’s inbound extended access list. This entry is designed to permit inbound packets that are part of the same connection as the outbound packet just inspected. The outbound packet is then forwarded out of the interface.
Later, an inbound packet reaches the interface which is part of the same connection established with the outbound packet. The inbound packet is evaluated against the inbound access list, and is permitted because of the temporary access list entry previously created. The inbound packet is then inspected by CBAC, and the connection’s state table entry is updated as necessary. On the basis of the updated information, the inbound extended access list temporary entries might be modified in order to permit only packets that are valid for the current state of the connection.
Any additional inbound or outbound packets that belong to the same connection are inspected to update the state table entry and to modify the temporary inbound access list entries as required.
When the connection terminates or times out, the connection’s state table entry is deleted and the temporary inbound access list entries are deleted.
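The sequence described above can be followed in a small model, added here as an illustration; it is not Cisco's implementation and not code from the original guide. The class and field names, the addresses, the 30-second idle timeout and the rules for when a TCP connection opens and closes are assumptions of the model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""        # TCP flags as letters: S (SYN), A, F (FIN), R (RST)


class InspectedInterface:
    """External interface: static ACLs plus CBAC-style temporary entries."""

    def __init__(self, outbound_permit, idle_timeout=30):
        self.outbound_permit = outbound_permit   # outbound ACL as a predicate
        self.inbound_acl = [("deny", "any")]     # static inbound extended ACL
        self.state = {}                          # connection key -> state entry
        self.idle_timeout = idle_timeout         # seconds, constructed value

    def _delete(self, key):
        # The state entry and its temporary ACL entry are removed together.
        self.state.pop(key, None)
        self.inbound_acl = [e for e in self.inbound_acl if e != ("permit", key)]

    def _expire(self, now):
        idle = [k for k, s in self.state.items()
                if now - s["last_seen"] > self.idle_timeout]
        for key in idle:
            self._delete(key)

    def _update(self, key, pkt, direction, now):
        entry = self.state[key]
        entry["last_seen"] = now
        if "F" in pkt.flags:
            entry["fin_seen"].add(direction)
        # Model assumption: RST, or a FIN from each side, ends the connection.
        if "R" in pkt.flags or entry["fin_seen"] == {"out", "in"}:
            self._delete(key)

    def outbound(self, pkt, now):
        self._expire(now)
        if not self.outbound_permit(pkt):
            return "drop"                        # denied by the outbound ACL
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.state:
            if pkt.proto == "tcp" and "S" not in pkt.flags:
                return "forward"                 # model: only a SYN opens state
            self.state[key] = {"last_seen": now, "fin_seen": set()}
            # Temporary permit goes at the beginning of the inbound ACL.
            self.inbound_acl.insert(0, ("permit", key))
        self._update(key, pkt, "out", now)
        return "forward"

    def inbound(self, pkt, now):
        self._expire(now)
        # An inbound packet of the same connection has the endpoints reversed.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        for action, match in self.inbound_acl:   # first match wins
            if match in ("any", key):
                if action == "deny":
                    return "drop"
                self._update(key, pkt, "in", now)
                return "forward"
        return "drop"


if __name__ == "__main__":
    web_only = lambda p: p.proto == "tcp" and p.dport in (80, 443)
    iface = InspectedInterface(web_only)
    syn = Packet("tcp", "192.168.1.10", 40000, "203.0.113.5", 443, "S")
    reply = Packet("tcp", "203.0.113.5", 443, "192.168.1.10", 40000, "SA")
    print(iface.inbound(reply, 0), iface.outbound(syn, 1), iface.inbound(reply, 2))
```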
Policy Based Routing
PBR is used to enable routers to make decisions on where to route traffic according to policies configured on the device. This can divert traffic around a firewall or ensure it always goes through it.
With backup traffic, it can be useful to ensure that it is diverted around a firewall rather than overwhelming it. A rule can be constructed to identify traffic between a source network and backup machines on particular ports. When a router sees a match for this traffic, it is directed to a particular netblock instead of using the routing table to identify an appropriate entry.
PBR is very flexible and can match packets on not only addresses but ports, protocols and packet size. PBR can also be used to provide cut-through routing between a private network and an organisational network where traffic would usually need to traverse the public Internet.
Figure 12: Policy Based Routing used to route backup traffic
Operational Modes
Firewalls can be configured to operate in a number of different modes and some can even operate in multiple virtual modes.
In routed mode, the firewall acts as a router deciding where traffic should go and whether it should traverse the firewall. If the addresses on the inside interfaces are not Internet-facing, then the firewall will have to use NAT or PAT to translate the traffic.
Network Address Translation
NAT allows a single device, such as a router, to act as an agent between the Internet (or ‘public network’) and a local (or ‘private’) network. This means that either a single Internet IP address or a pool of them is required to represent an entire group of computers to anything outside their network.
When an internal computer requires a connection to the Internet, the NAT router accepts the request and translates the private IP address (e.g. 192.168.1.10) into a public address (e.g. 193.60.199.195). The mapping between them is entered into a table and the request forwarded to the Internet. The return packet is checked against the table to find the originating private IP address and then forwarded inside the network.
If more than one computer requests Internet content, additional IP addresses are used from the pool in a one-to-one relationship. An address is only used while a session is in progress and it is returned to the pool once the request has been completed. Once the pool of addresses has been exhausted, no internal machines can make further Internet connections until an address becomes free. However, one configuration often implemented is to provide one additional public Internet IP address by PAT to enable translation once the NAT pool has been exhausted.
NAT Zero is often used for DMZ computers: a one-to-one mapping is configured so a public-facing Internet IP address is assigned to each computer which NAT translates to a private address.
Port Address Translation
PAT is a similar technology to NAT, except instead of providing an Internet IP address for each internal computer from a pool, it uses a single Internet IP address and a different port for each request.
When a request is received by the PAT router from a computer inside the network, the request is forwarded to the public Internet IP with a source port specific to that request. The source port is entered into a table so the response can be translated back to the original internal private address.
PAT is more often used where only one Internet-facing IP address is available, for example, on home broadband routers (though the technology is often advertised as NAT). PAT could use a maximum of 65535 ports and therefore 65535 simultaneous requests from internal computers. However, there are some limitations: in most implementations PAT will not use the well known ports 0-1023. In addition, the processing power required to use all the remaining ports would be considerable, beyond the scope of most appliances and generally impractical. Cisco, for example, recommend a practical limit of 2000 connections, and therefore ports, using PAT.
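The NAT pool and the PAT overflow described in the two sections above can be modelled with a pair of translation tables. This is an added example, not code from the original guide; the class name, the addresses (documentation ranges) and the port allocation strategy are assumptions, while the 1024 starting port and the default limit of 2000 follow the figures quoted in the text.

```python
class Translator:
    """Dynamic NAT from a pool, overflowing to PAT on one extra address."""

    def __init__(self, pool, pat_address, first_port=1024, max_pat=2000):
        self.free = list(pool)         # public addresses not in use
        self.nat = {}                  # private ip -> public ip, one-to-one
        self.pat_address = pat_address
        self.pat = {}                  # public port -> (private ip, port)
        self.pat_by_flow = {}          # (private ip, port) -> public port
        self.first_port = first_port   # skip the well known ports 0-1023
        self.next_port = first_port
        self.max_pat = max_pat         # practical PAT limit quoted in the guide

    def _alloc_port(self):
        if len(self.pat) >= self.max_pat:
            return None
        for _ in range(65536 - self.first_port):
            port = self.next_port
            self.next_port = port + 1 if port < 65535 else self.first_port
            if port not in self.pat:
                return port
        return None

    def outbound(self, private_ip, private_port):
        """Translate an outbound flow; None when nothing is free."""
        if private_ip not in self.nat and self.free:
            self.nat[private_ip] = self.free.pop(0)
        if private_ip in self.nat:
            return (self.nat[private_ip], private_port)   # NAT keeps the port
        flow = (private_ip, private_port)
        if flow not in self.pat_by_flow:
            port = self._alloc_port()
            if port is None:
                return None
            self.pat[port] = flow
            self.pat_by_flow[flow] = port
        return (self.pat_address, self.pat_by_flow[flow])

    def inbound(self, public_ip, public_port):
        """Map a return packet back to the private endpoint, or None."""
        if public_ip == self.pat_address:
            return self.pat.get(public_port)
        for private_ip, mapped in self.nat.items():
            if mapped == public_ip:
                return (private_ip, public_port)
        return None

    def release(self, private_ip, private_port=None):
        """End a session: return a NAT address to the pool or free a PAT port."""
        if private_ip in self.nat:
            self.free.append(self.nat.pop(private_ip))
        port = self.pat_by_flow.pop((private_ip, private_port), None)
        if port is not None:
            del self.pat[port]


if __name__ == "__main__":
    # Constructed addresses: two pool addresses and one PAT overflow address.
    t = Translator(["198.51.100.10", "198.51.100.11"], "198.51.100.12")
    for host in ("192.168.1.10", "192.168.1.11", "192.168.1.12"):
        print(host, "->", t.outbound(host, 5000))
    print("return to PAT port 1024 ->", t.inbound("198.51.100.12", 1024))
```

In this model a NAT mapping translates a return packet on any port back to the private host, whereas the PAT address only translates ports that have a table entry, so the filtering decision still belongs to the firewall rules rather than to the translation.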
Alternative modes
An alternative mode of operation is the Transparent, Bridged, Bump-in-the-Wire or Stealth mode firewall. This is a firewall which acts like a traditional network bridge, filtering traffic that traverses it. The two physical interfaces are the two bridge interfaces and are not allocated IP addresses. Traffic between the inside and outside networks is simply bridged. This type of firewall is the easiest to install as it requires no alteration to network numbering, and acts at the data link layer (Layer 2) instead of the network layer (Layer 3). This mode has two key benefits. The first is the perceived improvement in security: the firewall device will not be easy to detect, will not appear on a traceroute and will not be accessible if the firewall interfaces are not assigned IP addresses. The second is a performance improvement due to the simpler operation and the removal of the routing requirement. For management, an additional physical interface can be configured and placed on a protected management network or managed out-of-band.
FAQs
In which location should a firewall be located?
The firewall should be placed between the servers and the rest of the network to protect the servers from attack. Other factors to consider include the number of users on the network and the types of traffic that flow through the network.
What are the four best practices for firewall rules configuration including allow access?
- Block by default. Block all traffic by default and explicitly enable only specific traffic to known services. ...
- Allow specific traffic. ...
- Specify source IP addresses. ...
- Specify the destination IP address. ...
- Specify the destination port. ...
- Examples of dangerous configurations.
ScreenHost firewall/Single home bastion. ScreenHost firewall dual home bastion. Screened Subnet firewall.
What are the four major areas firewall must consider?
Firewall architecture is built upon four primary components — network policy, advanced authentication, packet filtering, and application gateways.
What is a firewall configuration?
Firewall configuration involves configuring domain names and Internet Protocol (IP) addresses and completing several other actions to keep firewalls secure. Firewall policy configuration is based on network types called “profiles” that can be set up with security rules to prevent cyber attacks.
Where is a firewall located and what is the purpose?
At its most basic, a firewall is essentially the barrier that sits between a private internal network and the public Internet. A firewall's main purpose is to allow non-threatening traffic in and to keep dangerous traffic out.
What two things are most important when first considering firewall implementation?
- Answer: The two most crucial factors to take into account when first thinking about implementing a firewall are:
- 1) Security policy: The security policy outlines the types of traffic that the firewall should allow or reject. ...
- 2) Network topology:
- Internet zone. This zone is insecure and not trusted. ...
- Demilitarized zone. Publicly accessible servers are placed in this zone. ...
- Intranet zone. This zone consists of internal networks. ...
- Internal highly secure zone. Business critical information and services are placed in this zone.
Explanation. The four techniques used by firewalls to control access and enforce a security policy are Service control, Direction control, User control and Behavior control.
What are firewall rule priorities?
The firewall rule priority is an integer from 0 to 65535, inclusive. Lower integers indicate higher priorities. If you do not specify a priority when creating a rule, it is assigned a priority of 1000. The relative priority of a firewall rule determines whether it is applicable when evaluated against others.
What are the components of firewall configuration?
- Internet Protocol (IP) packet filtering.
- Network address translation (NAT) services.
- SOCKS server.
- Proxy servers for a variety of services such as HTTP, Telnet, FTP, and so forth.
- Mail relay services.
- Split Domain Name System (DNS)
- Logging.
- Real-time monitoring.
Proxy servers are the most secure type of firewall, as they filter packets through a protected proxy server. This is done before traffic even reaches the network perimeter.
Which is the main configuration file for firewall?
OpenWrt's firewall management application firewall is mainly configured through /etc/config/firewall. Most of the information in this wiki will focus on the configuration files and content.
How do I configure my firewall IP address?
- Select the Advanced settings option from the sidebar menu.
- The Windows Firewall with Advanced Security panel will open. ...
- Windows Firewall will open a new window New Inbound Rule Wizard. ...
- A form will appear in the window. ...
- Another window named IP Address will pop up.
Go to Start and open Control Panel. Select System and Security > Windows Defender Firewall. Choose Turn Windows Firewall on or off. Select Turn on Windows Firewall for domain, private, and public network settings.
What are the two main types of firewall?
The most common firewall types based on methods of operation are: Packet-filtering firewalls. Proxy firewalls.
Why is firewall important?
Firewalls provide protection against outside cyber attackers by shielding your computer or network from malicious or unnecessary network traffic. Firewalls can also prevent malicious software from accessing a computer or network via the internet.
What's the purpose of firewall?
They can protect devices from malware, application-layer attacks and provide information about assets that are at risk. Firewalls are commonly used to secure home networks from threats coming from external networks such as the Internet.
What is firewall checklist?
The firewall audit checklist not only ensures that your firewall configurations and rules comply with external regulations and internal security policies. It can also help to reduce risk and improve firewall performance by optimizing the firewall rule base.
What are the four different security zones?
- Uncontrolled Zone. The uncontrolled zone is public domain, such as the internet. ...
- Controlled Zone. The controlled zone might be an organization's intranet network or a demilitarized zone (DMZ). ...
- Restricted Zone.
What are security zones in firewall?
A security zone is a group of interfaces to which a security policy can be applied to control traffic between zones. For ease of deployment, the Cisco ISA500 has several predefined zones with default security settings to protect your network. You can create additional zones as needed.
Between which zones and a DMZ should firewalls be placed?
The DMZ subnet is deployed between two firewalls. All inbound network packets are then screened using a firewall or other security appliance before they arrive at the servers hosted in the DMZ. A network DMZ sits between two firewalls, creating a semisafe buffer zone between the internet and the enterprise LAN.
Does a firewall sit in front or behind router?
The firewall should be placed before the router because when outbound traffic comes for our internal network, the firewall first allows it and then it enters the internal network. But in many scenarios it is placed after the router as well.
Where is the firewall to be placed in the network network architecture?
A firewall is a network security device placed at the perimeter of the corporate network, thus all the packets entering and leaving the network go through the firewall first and appropriate actions are taken based on the network rules configured by the organization.
What is the firewall and where is it located in the OSI model?
Firewalls typically work on the network layer, the transport layer. However, some are also capable of working as high as the application layer, Layer 7. A firewall performs the task of inspecting network activity, looking for cyber threats by comparing data against an extensive catalog of known threats.
Is a firewall inside or outside a router?
Switch, Router & Firewall: How Are They Connected? Usually the router is the first thing you will have in your LAN, and a network firewall sits between the internal network and the router so that all flows in and out can be filtered. Then the switch follows.
Do firewalls look at IP addresses?
The initial configuration of a firewall requires several items of information. This information includes both the internal and external interface IP addresses (or the use of DHCP on one of those interfaces), the next-hop gateway, logging, and an administrative password.
How do I know if my computer is behind a firewall?
- Click on the Windows Start button, and select Control Panel. The Control panel window will appear.
- Click on the Security Center link. The Security Center will appear.
- If the Firewall header says ON, you are running Windows Firewall.
- Access the router's configuration page. Locate an entry labeled Firewall (or similar). Select Enable.
- Select Save and Apply. Wait while the router restarts.
- Add firewall rules and access control lists to meet your security needs.