Firewall Overview

Firewalls are an important component of secure network architecture. They provide a secure gateway to other trusted and un-trusted networks, and help to ensure the confidentiality, integrity and availability of your information assets. Firewalls provide several types of protection since they can:

 

·        block unwanted network traffic;

·        direct incoming traffic to more trustworthy internal systems;

·        hide vulnerable systems from the Internet;

·        log traffic to and from the private network; and

·        hide information like system names, network topology, network device types, and internal user IDs from the Internet.

 

Considerable research, planning, and a thorough understanding of your business, network, topology and security policies are needed to successfully implement firewall systems. This document establishes the minimum standards for the procurement, installation, configuration, and maintenance of a network firewall. 

Firewall limitations:

Firewalls are not an absolute guarantee of network security. They only extend a perimeter defense around a network. Once an attacker (who may be an authorized user) gains access to the protected network, all systems are at risk.

Firewalls also do not prevent attacks through network “backdoors” like dial-up modem connections, direct leased-line connections, or other network departure points. Only network traffic that actually passes through the firewall will be held to its rules; the firewall cannot enforce a policy against traffic using any other network entry points.

Firewall Standards

Minimum Security Option

Description: No stand-alone firewall required. Use a packet-filtering router or modem to control access, or a freeware firewall such as a Linux server using the IPFW firewall code.

Benefits: Low cost (no additional hardware required – use the existing router or modem).

Disadvantages: Does not provide adequate security since it is vulnerable to application-level attacks. Limited logging capabilities.

Implementation

1. Router requirement

If a court computer or network has a dedicated connection to an un-trusted network, such as the Internet, then access lists (programmed rules that determine which traffic is permitted through the router) must be programmed into each existing router to limit inbound Internet access to the trusted network. However, unrestricted outbound Internet access is allowed. If services such as Web and FTP are going to be made available to un-trusted networks such as the Internet, then the router must be used to establish a demilitarized zone (DMZ) as shown in Diagram 1. If a court has a dial-up connection to the Internet, then a freeware firewall, such as ZoneAlarm, shall be used to protect against Internet-based attacks. The courts will not install “X.0” versions (first generation) of products since they have not been proven and the risk of encountering operational and security-related issues is higher.

 

Routers shall have the following characteristics and capabilities:

·        A product of an established vendor – according to the Gartner Group the following vendors are segment leaders:

o       Cisco (http://www.cisco.com/warp/public/44/jump/routers.shtml)

o       Nortel (http://www.nortelnetworks.com/products/routers/)

o       3Com (http://www.3com.com/)

o       Enterasys (http://www.enterasys.com/xpedition/)

o       Intel (http://www.intel.com/network/connectivity/products/routers.htm)

o       Lucent (http://www.lucent.com/products/)

o       Nokia (http://www.nokia.com/networks/systems_and_solutions/products/1,23802,103,00.html)

·        Employ techniques such as “access lists” to permit or deny traffic to specified host systems based on Internet Protocol (IP) address and port number

·        The ability to log critical events for review and evaluation

 

2. Remove Unnecessary Services

Any unnecessary service must be disabled in any router that is reachable from a potentially hostile network. The services listed below shall be disabled if they are not actively being used:

·        TCP and UDP “Small Services”

·        Finger

·        NTP

·        CDP

In addition, peer-to-peer services with no business use, such as Napster, Gnutella, Glacier, and Quake, must not be allowed through the router.

3. IP Spoofing

 

Access control lists shall be configured to discard packets arriving on interfaces that are not viable paths from the supposed source addresses of those packets. For example, on a two-interface router connecting a corporate network to the Internet, any datagram that arrives on the Internet interface, but whose source address field claims that it came from a machine on the corporate network, shall be discarded.

 

4. Source Routing

 

A packet filtering router shall be configured to reject any packets containing the source route option. If an attacker has knowledge of some trust relationship between your hosts, source routing may be used to make it appear that the malicious packets are coming from a trusted host.
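As an added example (not part of the court standard), the following Python models the ingress filter that sections 3 and 4 describe for the two-interface router: it parses a raw IPv4 header, discards a packet arriving on the Internet interface whose source address claims to be inside the trusted network, rejects any packet carrying a source-route option, and returns the reason so the access-list match can be logged as section 5 requires. The trusted network range and the interface names are assumptions chosen for the example.

```python
import ipaddress
import struct

# Assumed values for the example: the court's trusted network and the two
# router interfaces described in the standard (not taken from the document).
TRUSTED_NET = ipaddress.ip_network("192.0.2.0/24")
INTERNET_IF = "Serial0"      # connects to the un-trusted network
INTERNAL_IF = "Ethernet0"    # connects to the trusted court network
LSRR, SSRR = 131, 137        # IPv4 option types: loose / strict source route


def parse_ipv4(packet):
    """Return version, source, destination and the option types present."""
    ver_ihl = packet[0]
    ihl = (ver_ihl & 0x0F) * 4                  # header length in bytes
    src, dst = struct.unpack("!4s4s", packet[12:20])
    options, i = [], 20
    while i < ihl:
        opt = packet[i]
        if opt == 0:                            # End of Options List
            break
        if opt == 1:                            # No Operation, one byte
            i += 1
            continue
        length = packet[i + 1]                  # includes type and length bytes
        if length < 2:                          # malformed: stop, never loop forever
            break
        options.append(opt)
        i += length
    return {"version": ver_ihl >> 4, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "options": options}


def ingress_decision(interface, packet):
    """Apply the section 3 and 4 rules; returns (action, reason) for the log."""
    hdr = parse_ipv4(packet)
    if hdr["version"] != 4:
        return "deny", "not an IPv4 datagram"
    if any(opt in (LSRR, SSRR) for opt in hdr["options"]):
        return "deny", f"source route option from {hdr['src']}"
    if interface == INTERNET_IF and hdr["src"] in TRUSTED_NET:
        return "deny", f"spoofed internal source {hdr['src']} on {interface}"
    return "permit", f"{hdr['src']} -> {hdr['dst']}"


def build_ipv4(src, dst, options=b""):
    """Construct a minimal IPv4 header (sample input only, no payload)."""
    opts = options + b"\x00" * (-len(options) % 4)  # pad options to 32-bit words
    ihl = 5 + len(opts) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(opts),
                         0, 0, 64, 6, 0, ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return header + opts
```

The same internal-source packet is permitted on the internal interface and denied on the Internet interface, which is exactly the asymmetry the access list has to encode.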

 

5. Logging

 

From a security point of view, the most important events usually recorded by system logging are interface status changes, changes to the system configuration, and access list matches.  The router must log this information for review and potential investigation.

 

6. Physical Router Security

 

Physical access to the router must be controlled with locked doors and other controls to prevent any unauthorized changes to the router configuration or operational status. In addition, precautions shall be taken to assure that proper environmental alarms (temperature, humidity, etc.) and backup systems are available to assure the router remains online.

 

Administration

 

1. Remote Administration

All remote management schemes, including interactive access, HTTP, and SNMP, are vulnerable.  Any unencrypted remote access carries some risk, but access over a public network such as the Internet is especially dangerous. As a result, remote administration of the routers over the public Internet shall be avoided if possible.  If remote administration is required, then restrict access to appropriate IP addresses.

2. Router Upgrades

The router administrator shall monitor the vendor’s mailing list and security related mailing lists in order to be aware of vulnerabilities with the router. Necessary router upgrades must be installed in a timely manner. After any upgrade, the router shall be tested to verify proper operation prior to going operational.

 

Optimum Security Option

Description: Requires a hardware- or software-based firewall.

Benefits: Affordable price (cost starts at $1,000); does not require operating system expertise; simpler to maintain; better throughput performance.

Disadvantages: Limited features may not prevent more sophisticated attacks.

Implementation

 

1. Firewall requirement

If a court network has a dedicated connection to an un-trusted network, such as the Internet, then a stand-alone commercial firewall must be in place to protect the internal computer and network from the un-trusted network.  If a court computer is connected to the Internet via dial-up or dedicated connection, then a personal firewall shall be installed on that computer and that computer must not contain confidential or sensitive information.  All connections from a court’s network to external networks shall pass through approved firewalls.  The firewall must be configured to limit both inbound and outbound Internet traffic.  If services such as Web and/or FTP are going to be made available to un-trusted networks, such as the Internet, then the firewall shall be used to establish a demilitarized zone (DMZ). All non-firewall related software, such as compilers, editors, communication software, etc. will be deleted or disabled.


The firewall shall have the following characteristics and capabilities:

 

·        A product of an established vendor – according to the Gartner Group, the following vendors are market leaders:

 

o       Enterprise Firewalls – Check Point Firewall-1, Axent Raptor, Network Associates Gauntlet

o       Firewall Appliances – Cisco Pix, Check Point Firewall-1 on Nokia, Watchguard Firebox II, SonicWall, WatchGuard SOHO

o       Embedded Firewalls – Check Point SecureClient

 

·        Certified by the National Security Agency (NSA) or the International Computer Security Association (ICSA).

·        Support a "deny all services except those specifically permitted" design policy, even if that is not the policy initially used.

·        Support a custom security policy.

·        Accommodate new services and needs if the security policy of the organization changes.

·        Contain advanced authentication measures or the hooks for installing advanced authentication measures.

·        Employ techniques to permit or deny services to specified host systems, as needed.

·        Log access to and through the firewall.

·        Use a flexible, user-friendly IP-filtering language that is easy to program and can filter on a wide variety of attributes, including source and destination IP address, protocol type, source and destination TCP/UDP port, and inbound and outbound interface.

·        Typically, the firewall shall also act as a mail gateway for Internet e-mail, reducing direct SMTP connections between the site and remote systems.

·        The firewall shall accommodate public access to the site, such that the firewall can protect public information servers while segregating them from other site systems that do not require the public to have access (i.e. DMZ capability).

·        If the firewall requires an operating system, such as UNIX, a secured version of the operating system shall be included, along with other security tools as necessary to ensure firewall host integrity, and all operating system patches will have been installed.

·        The firewall's strength and correctness must be verifiable. Its design shall be simple so that administrators can understand and maintain it. The firewall and any corresponding operating system will be updated with patches and other bug fixes.

·        Technical support services shall be included.

·        Training services shall be included.

·        System documentation shall be included.

If the court does not have the personnel, time, or technical expertise to install and support the firewall in-house, then consideration will be given to outsource the firewall operations to a managed security service. Managed security services shall include:

 

A professional technician with appropriate knowledge and training in networking and security concepts must install the firewall.  The firewall will be placed between the internal “trusted” network and the external “un-trusted” network.  If services such as Web and FTP are going to be made available to un-trusted networks, such as the Internet, then a demilitarized zone (DMZ) will be established.  Diagram 2 (above) illustrates this recommended architecture.


2. Remove Unnecessary Services

A determination of which Internet services to allow or deny must be driven by the needs of the court. Any services not required by a business need must not be allowed to pass through the firewall. Common services to consider include: HTTP (Web), SSL (Secure Sockets Layer), DNS (Domain Name Service), FTP (File Transfer Protocol), Telnet, Finger, and Real Audio. Authentication and firewall rule sets will be used to limit which users may have access to these services and what addresses can be accessed.

3. Authentication

User name and password authentication shall be required for access to services other than HTTP. Passwords must conform to the strong password requirements as defined in the Access Controls standard.

4. Routing

Application gateway firewalls will not be configured to route any traffic between the external interface and the internal network interface, since this could bypass security controls. All external-to-internal connections shall go through the application proxies.

 

5. Source Routing

Packet filtering routers will be configured to reject packets containing the source route option. If an attacker has knowledge of some trust relationship between your hosts, source routing can be used to make it appear that the malicious packets are coming from a trusted host.

 

6. IP Spoofing

Authentication based on source address must be combined with another security scheme to protect against IP spoofing attacks. Policy regarding packet routing must be clearly written so that packets are handled appropriately if and when there is a security problem.

 

7. Domain Name Server (DNS) Resolution

If the firewall is to run as a DNS server, then the firewall must be configured to hide information about the network so that internal host data are not visible to the outside world. Diagram 3 (below) illustrates optimum security DNS placement.

 

8. Mail Services

Dedicated e-mail servers will reside within the internal network. The firewall shall act as a mail gateway for Internet e-mail, reducing direct SMTP connections between site and remote systems.  Diagram 4 (below) illustrates optimum security mail server placement.

 

Administration

1. Qualification of the Firewall Administrator

Two firewall administrators (one primary and one backup) shall be designated and shall be responsible for the maintenance and upkeep of the firewall. The administrators must have hands-on experience with networking concepts, design, and implementation so that the firewall is configured correctly and administered properly. Firewall administrators will receive training on the firewalls in use and in network security principles and practices. The primary administrator shall make changes to the firewall, and the backup shall only do so in the absence of the primary administrator, so that there is no simultaneous or contradictory access to the firewall.

2. Capture and review of system logs

Audit trails and system logs for external network connections will be produced and reviewed weekly. Any accounts related to these connections that are not used on a monthly basis shall be deactivated.

3. Remote Firewall Administration

The preferred method for firewall administration is directly from an attached terminal. Physical access to the firewall terminal will be limited to the firewall administrator and the backup administrator.

Where remote access for firewall administration must be allowed, it shall be limited to access from other hosts on the internal network. Remote access over un-trusted networks, such as the Internet, requires end-to-end encryption and strong authentication to be employed.

4. User Accounts

Only the primary firewall administrator and backup administrator will be given user accounts on the firewall. The primary firewall administrator or backup administrator must make any modification of the firewall system software.

5. Firewall Backup

The firewall software must be backed up before configuration changes are made and at least on a monthly basis. Backup files shall be stored securely so that the media is only accessible to the appropriate personnel in a time of need.

6. Documentation

Appropriate firewall documentation will also be maintained at an off-site storage location at all times. The documentation shall be updated any time the firewall configuration is modified. Such information must include, but not be limited to:

·        Network diagram (including all IP addresses of all network devices)

·        IP addresses of relevant hosts of the Internet Service Provider (routers, DNS servers, etc.)

·        Configuration parameters, such as access lists, etc.

 

7. Physical Firewall Security

Physical access to the firewall must be tightly controlled to prevent any unauthorized changes to the firewall configuration or operational status, and to eliminate any potential for monitoring firewall activity. In addition, precautions shall be taken to assure that proper environmental alarms (temperature, humidity, moisture) and backup systems are available to assure the firewall remains online.

 

8. Firewall Incident Handling

Incident reporting is the process whereby certain anomalies are reported or logged on the firewall. The firewall shall be configured to log security-related events on a daily, weekly, and monthly basis so that network activity may be analyzed when needed. Firewall logs will be examined on a daily basis to determine if attacks or other anomalies have been detected. The firewall shall use access lists to reject any kind of probing or scanning tool that is directed at it so that information being protected is not leaked by the firewall.
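As an added example (not the court's own tooling), this Python pass over a constructed firewall deny log shows the kind of daily review section 8 calls for: it groups access-list denials by source address and flags any source that was denied on many distinct destination ports, the usual footprint of a probing or scanning tool, alongside the per-interface and per-source counts a reviewer reads first. The log line layout, addresses and ports are constructed for the example and do not follow any particular vendor's format.

```python
import re
from collections import defaultdict

# Constructed sample log (layout and addresses invented for this example):
# "<timestamp> DENY <proto> <src>:<sport> -> <dst>:<dport> via <interface>"
SAMPLE_LOG = """\
2001-03-05T02:14:01 DENY TCP 203.0.113.9:40001 -> 198.51.100.2:21 via Serial0
2001-03-05T02:14:01 DENY TCP 203.0.113.9:40002 -> 198.51.100.2:22 via Serial0
2001-03-05T02:14:02 DENY TCP 203.0.113.9:40003 -> 198.51.100.2:23 via Serial0
2001-03-05T02:14:02 DENY TCP 203.0.113.9:40004 -> 198.51.100.2:25 via Serial0
2001-03-05T02:14:03 DENY TCP 203.0.113.9:40005 -> 198.51.100.2:79 via Serial0
2001-03-05T02:14:03 DENY TCP 203.0.113.9:40006 -> 198.51.100.2:110 via Serial0
2001-03-05T02:31:45 DENY UDP 198.51.100.77:1900 -> 198.51.100.2:137 via Serial0
2001-03-05T03:02:10 DENY TCP 192.0.2.44:1088 -> 203.0.113.9:6699 via Ethernet0
2001-03-05T03:02:11 DENY TCP 192.0.2.44:1089 -> 203.0.113.9:6699 via Ethernet0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) via (?P<iface>\S+)$"
)


def parse_denies(log_text):
    """Yield one dict per well-formed DENY line; anything else is skipped."""
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if match:
            yield match.groupdict()


def find_scanners(log_text, min_ports=5):
    """Map each source that was denied on at least ``min_ports`` distinct
    destination ports to the sorted list of those ports."""
    ports = defaultdict(set)
    for rec in parse_denies(log_text):
        ports[rec["src"]].add(int(rec["dport"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def daily_summary(log_text):
    """Denial counts per interface and per source: the first thing a
    reviewer looks at before reading individual lines."""
    per_iface, per_src = defaultdict(int), defaultdict(int)
    for rec in parse_denies(log_text):
        per_iface[rec["iface"]] += 1
        per_src[rec["src"]] += 1
    return dict(per_iface), dict(per_src)
```

The last two sample lines are outbound denials from an internal host, which the same pass surfaces in the per-interface count so that blocked outbound traffic is reviewed alongside inbound probes.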

 

9. Upgrading the firewall

The firewall administrator(s) shall monitor the vendor’s firewall mailing list or maintain some other form of contact with the vendor to be aware of all required upgrades. Before an upgrade of the firewall component, the firewall administrator must verify with the vendor that an upgrade is required. Necessary upgrades will always be installed in a timely manner. After any upgrade the firewall shall be tested to verify proper operation prior to going operational.

 

10. Logs and Audit Trails (Audit Events Reporting and Summaries)

The following security-relevant events will be recorded on the firewall’s audit trail logs: hardware and disk media errors, login and logout activity, connect time, any use of the system administrator privileges, inbound and outbound e-mail traffic, TCP network connect attempts, and in-bound and out-bound proxy traffic types.

 

11. Revision and Update of Firewall Policy

Given the rapid introduction of new technologies, and the tendency for the courts to continually introduce new services, firewall security policies and standards will be reviewed on a regular basis. As network requirements change, so shall the security policy. Appropriate management personnel must approve all changes to the firewall policy and standards.


Maximum Security Option

Description: Requires a software-based “enterprise” firewall.

Benefits: Supports a wide range of protocols for both inbound and outbound connections, and is capable of providing complex security capabilities.

Disadvantages: High costs ($10,000 to $30,000), and high maintenance and support requirements due to the necessity of operating system expertise.

Implementation

In addition to the optimum security requirements listed above, all inbound Internet traffic is prohibited. Multiple layers of security are required, including packet-filtering routers and multiple firewalls.