This is my first tutorial (about time!), and I would welcome any suggestions on improving it. As I have knocked it up pretty quickly, there may be a few modifications required.
I thought that I should write a little Tutorial on the purposes of Firewalls within a network. I am doing this because I recently discovered that there is a misconception that a Firewall's only purpose is to protect an Internet connection. But if you work in a large organisation (and I know that some of you do, or have), the majority of your Firewalls will not be used for this purpose.
Firstly, I would like to discuss the issue of Depth of Security. On a side note, Depth of Security should be implemented with ANY security function, whether it be Firewalls, Passwords, Permissions etc.
Question. Why did the golfer wear 2 pairs of socks?
Answer. In case he gets a hole in one.
Really bad joke (don’t flame me!). This basically means that you should not rely on one security point to provide all of the security.
What if it failed?
What if there was a misconfiguration?
You're basically fux0r3d!! That is why people should try to implement Depth in their Security. Say you have a Firewall protecting your Internet connection, and on the Internet-facing side of your Firewall is a Router. What is the harm in putting Access Control Lists (http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci213757,00.html) (ACLs) on the Router?
There is no harm.
Example. What if you have a Firewall misconfiguration (whoops, I accidentally allowed all incoming NETBIOS through my Firewall)? Hopefully these NETBIOS requests would be dropped by your Router, and you would be safe. Phew!
Now that you have read a little about Depth of Security, you may have a better understanding about why companies may use multiple Firewalls on their network. Here are some of these reasons:
1. I will start with what we are all familiar with. Firewalling an Internet Connection. Not much explanation is required here, you need to protect your network from the wild, wild west, that is the Internet.
2. You may also want to protect some important servers (for example, security administration servers, or servers that contain confidential data) from people located on your Internal Network. By doing this, you can restrict access via Firewall rulesets to the people who really need access to them.
3. Large networks usually have Business to Business (http://searchcio.techtarget.com/sDefinition/0,,sid19_gci214411,00.html) (B2B) relations, and a lot of this is done over a dedicated line (http://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci211919,00.html), which is basically an entry point into your network that is not over the Internet but through a connection your network has with a telecommunication provider. As you cannot trust these B2B connections, there is a good reason to restrict their traffic with a Firewall to only what they need to access.
4. KorpDeath is quoted as saying “Yeah like keeping the buggy software engineer's testlab the hell away from the corporate LAN”. And rightly so! What if these software engineers inadvertently flooded your network and chewed up all of the bandwidth? How pissed off would the boss be if they cannot access their favourite web page? And here we have another reason for segregating areas of your network with Firewalls.
I hope that someone out there in AO land has gained a bit of info out of this, and any feedback is welcomed.
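The "whoops" scenario above, as an added example that is not part of the original post: a toy model of a router ACL and a firewall sitting in series, so that a packet only reaches the inside if both layers permit it. The NetBIOS/SMB port numbers are real; the addresses, rule sets and the `Packet`/`Rule` helpers are constructed for the demo and are not any vendor's syntax.

```python
"""Two filtering layers in series: border router ACL, then firewall.
A packet crosses the perimeter only if every layer permits it, so a
firewall misconfiguration that lets NetBIOS in is still covered by the
router ACL.  Example code, not from the original post."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[range]  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        return self.dport is None or pkt.dport in self.dport


def evaluate(rules: List[Rule], pkt: Packet) -> bool:
    """First matching rule wins, implicit deny at the end (the usual
    ACL / default-drop firewall semantics)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action == "permit"
    return False


# NetBIOS / SMB ports (real values): 137-139 and 445.
NETBIOS = [
    Rule("deny", "udp", range(137, 140)),
    Rule("deny", "tcp", range(137, 140)),
    Rule("deny", "tcp", range(445, 446)),
]

# Border router ACL: strip NetBIOS, then allow only the published services.
ROUTER_ACL = NETBIOS + [
    Rule("permit", "tcp", range(80, 81)),
    Rule("permit", "tcp", range(443, 444)),
]

# The intended firewall policy.
FIREWALL_GOOD = [
    Rule("permit", "tcp", range(80, 81)),
    Rule("permit", "tcp", range(443, 444)),
]

# The "whoops": a catch-all permit slipped in above the intended rules,
# so the firewall on its own now lets NetBIOS through.
FIREWALL_BAD = [Rule("permit", "any", None)] + FIREWALL_GOOD


def reaches_internal(layers: List[List[Rule]], pkt: Packet) -> bool:
    """Defence in depth: every layer must permit the packet."""
    return all(evaluate(rules, pkt) for rules in layers)


def firewall_only(rules: List[Rule], pkt: Packet) -> bool:
    return reaches_internal([rules], pkt)


def with_router(rules: List[Rule], pkt: Packet) -> bool:
    return reaches_internal([ROUTER_ACL, rules], pkt)


# Constructed sample packets (documentation addresses, not real hosts).
SMB_PROBE = Packet("198.51.100.7", "10.0.0.5", "tcp", 445)
WEB_HIT = Packet("198.51.100.7", "10.0.0.5", "tcp", 80)

if __name__ == "__main__":
    print("bad firewall alone, SMB probe :", firewall_only(FIREWALL_BAD, SMB_PROBE))
    print("router ACL + bad firewall, SMB:", with_router(FIREWALL_BAD, SMB_PROBE))
    print("router ACL + bad firewall, web:", with_router(FIREWALL_BAD, WEB_HIT))
```

The check that matters is the middle one: the misconfigured firewall would pass the SMB probe on its own, but the router ACL in front of it still drops it, while legitimate web traffic is unaffected by the extra layer.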
SirDice
June 2nd, 2003, 03:57 PM
Security is like an onion. The more layers (rings) you have, the better.
Good read. Keep it up ;)
daTh0r
June 2nd, 2003, 04:03 PM
I think this is a really cool tutorial, and you can't feel that this is your first about time....
I really like it...
willy
June 2nd, 2003, 04:32 PM
Kudos. I'm surprised more people haven't realised the need for depth in security, and if they have; I'm surprised they haven't written a tutorial on it. Once again, good job.
R0n1n
June 2nd, 2003, 07:50 PM
A good introduction to the subject. Many large companies (especially financial services) do this kind of thing now. Often more than one type of firewall will be used so that an exploit that succeeds against one will not work against another (of course this can get a little expensive).
catch
June 8th, 2003, 12:30 PM
SoggyBottom, I actually have a different way of approaching security. I prefer to keep the systems as minimalistic as possible.
The reasoning for this is simple, security is made up of two things: functionality and assurance. The perfect balance is exactly the functionality you require and nothing more, because as you add to the system, its assurances go down.
Consider for a moment a system that you wish to protect; let's evaluate it at 99% secure just to make the math easy. Next let us add a firewall to this system, also 99%. Now how secure is our total system? Well, 99% of 99% = 98.01%. In most situations of course we would use lower numbers, and it would be a question of whether the firewall increases the base system's security more than its own lackings. That however just complicates the question at this level. ;)
Also consider that an organization only has X resources (time, money, people, systems, etc.), so you start seeing things like: "Does it make more sense to purchase 10 XTS-300 systems at $80k each, each requiring 9 full time admins... or would it be more secure to have 300 linux systems with snort and ipchains with 3 full time admins for every ten systems?" Obviously if you need the computing power the 300 systems would be the way to go, but it sure as heck ain't going to be as secure. ;)
The same concept is used in physical security with man traps, or single points of entry that are much easier to effectively control than countless openings using all kinds of different security controls.
In more secure, complicated environments you won't really see many internal firewalls; instead they migrate the concepts of labeled security to the network controllers as well, allowing in effect several different networks existing in hierarchical levels, along the lines of the Bell-LaPadula model. This allows discretionary access systems such as NT/Linux to exist within an overall mandatory access control system, which allows for far greater simplicity than checking signatures and ports and ACLs all the time. :)
catch
sickyourIT
July 7th, 2003, 10:13 PM
catch, you can also do the math backwards... effectively
(this is the way statistics works... take a decision sciences class at a local college... they will tell you the same thing)
99% secure system (1% insecure)
99% secure firewall (1% insecure)
.01 (1%) insecure system * .01 insecure firewall = .0001 (or .01% - a more secure system)
Think about it logically. They would have to find an exploit that gets through both your firewall and your system... basically an exploit that just happens to fall into BOTH 1% categories.
I wasn't trying to show you up in correcting you, just to explain both the math behind it, as well as the security risk. Adding a firewall with a few problems can never hurt your system's security. It can slow things down, but that's about it. Even if someone hacks into your outer security, your inner stuff is safe.
Common sense time: which is more secure,
1) a house with locks
2) a house with locks, guard dogs, and ADT system, a chain link fence with barbed wire on top, another fence on the outside with electricity running through it, a moat (fully equipped with moat monsters) and a small militia to protect it.
---
2) -> even if the guard dogs are asleep, the power goes out and the ADT doesn't work, the militia took the weekend off and the moat monsters all died for lack of food, you still have your fences with barbed wire and your house locks.
In catch's defense - the more you add, the more confusing things get...
just my two cents.
Lord_Of_Dragons
July 7th, 2003, 10:23 PM
Yeah, I like the tutorial, but I have one question: what is the best firewall to get? I have been looking around and so far I like Black Ice, but do any of you know a better one? If so, please let me know.
sickyourIT
July 7th, 2003, 10:25 PM
*lord-of-dragons*, please search through the archives for that question. I think it's only been asked about 1500 times so far. You may want to delete the thread to avoid a negging.
catch
July 7th, 2003, 10:29 PM
I have taken a decision sciences class, but you are forgetting one thing: extra firewalls don't mitigate extra security issues, they deal with the same concerns, and a single failing in any of them can lead to a full compromise; review DOD-STD-5200.28 section B3 on system design. If you add extra stuff that doesn't mitigate different risk, there is an overall reduction in assurance, as you have more to the system and consequently greater room for error.
You are not adding guard dogs and such... you are just adding a second lock on top of the first one or right next to it if it is a different type of firewall, with the caveat, that if either lock is broken the door can be opened.
For security to work in a layered manner, each needs to protect the faults of the others. If a firewall has an exploit that allows you to break the stack, the second firewall can't save you; in this case you'd need something else like network flags or mandatory access controls to protect you. That is why you only count the insecurities. :)
catch
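The two calculations sickyourIT and catch are arguing over, as an added example that is not from either poster. Model A is the "serial redundancy" arithmetic (an attack gets through only if every filter misses it, and misses are independent). Model B is the "shared surface" arithmetic (every in-path device sees all the traffic, and a break of any one is a full break). A third function drops the independence assumption, which is the point of the "same exploit works on both tiers" remark elsewhere in the thread. The 1% figures come from the thread; the way the shared flaw is split out is a modelling assumption of mine for illustration.

```python
"""Side-by-side arithmetic for stacked firewalls.  Example code written
for this page, not from any post in the thread."""

from math import prod
from typing import Sequence


def leak_if_all_must_miss(miss_rates: Sequence[float]) -> float:
    """Model A (sickyourIT): an attack leaks through only if every
    layer misses it, and layers fail independently.  Product of the
    per-layer miss rates; adding a layer lowers it."""
    return prod(miss_rates)


def break_if_any_suffices(break_rates: Sequence[float]) -> float:
    """Model B (catch): every in-path device is a full-compromise target,
    and devices fail independently.  1 - product of (1 - per-device break
    rate); adding a device raises it."""
    return 1 - prod(1 - r for r in break_rates)


def leak_with_shared_flaw(miss_rate: float, n_layers: int,
                          shared_fraction: float) -> float:
    """Model A without independence.  A fraction `shared_fraction` of each
    layer's miss mass is one flaw common to all layers (same vendor, same
    stack, same rule error), so either that flaw is hit and every layer
    misses together, or the attacker needs to beat the independent part
    of each layer in turn.  Assumes identical layers; a made-up split for
    illustration, not a measured quantity."""
    common = shared_fraction * miss_rate
    independent_part = miss_rate * (1 - shared_fraction)
    return common + (1 - common) * independent_part ** n_layers


if __name__ == "__main__":
    two = [0.01, 0.01]
    print(f"A, two filters, independent : {leak_if_all_must_miss(two):.4%}")
    print(f"B, two devices in the path  : {break_if_any_suffices(two):.4%}")
    print(f"A, half the flaws shared    : {leak_with_shared_flaw(0.01, 2, 0.5):.4%}")
    print(f"A, all flaws shared (clones): {leak_with_shared_flaw(0.01, 2, 1.0):.4%}")
```

With fully shared flaws the second layer buys nothing (the leak rate collapses back to the single-layer 1%), which is the quantitative version of "mix up the type of firewall on each tier". Which model applies depends on the design: Model A describes layers that stop different things, Model B describes identical boxes that all carry the same traffic.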
keezel
July 7th, 2003, 10:41 PM
I'm with sickyourIT. But I'll go along with it bc I haven't gotten sick of answering this one yet :D . Lord_Of_Dragons, two of the best *free* firewalls I know of are ZoneAlarm's free version and "Tiny Personal Firewall" (don't let the name fool you). You can get ZoneAlarm at http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp and Tiny Personal Firewall at http://www.tinysoftware.com/home/tiny2?s=8449627821723386738A1&la=EN&va=&pg=tpf5-download . Also, there is a thread about ZoneAlarm going on right now at http://www.antionline.com/showthread.php?s=&threadid=245735 . Hope this is helpful, but you could probably just search on Google or look through old AO threads and get a faster, better answer.
Geppy
July 7th, 2003, 10:44 PM
Nice read,
'Hard on the outside, soft on the inside' is setting up for failure. One day your single point of defence will fail.
Cheers SoggyBottom.
SoggyBottom
July 8th, 2003, 12:22 AM
'Hard on the outside, soft on the inside
Commonly known as the "Crustacean Architectural Design"... :)
The3ntropy
July 8th, 2003, 01:49 AM
Just remember to be careful when doubling up on software firewalls; too often you will see new holes emerge because of incompatibilities when using multiple firewalls on one computer. Hardware firewalls, NAT routers, et cetera, do work well together, and are okay to double, even triple up.
SoggyBottom
July 8th, 2003, 02:50 AM
And it is also advisable, when using a multi-tiered hardware/appliance firewall architecture, that you try and mix up the type of firewall you have (i.e. Checkpoint, SideWinder etc...).
The reason being, if you have a 2 tier architecture with the same firewalls on each tier, and the internet facing firewall has been compromised due to a vulnerability, chances are the 2nd tier will be susceptible to the same attack.
sickyourIT
July 8th, 2003, 02:10 PM
Catch,
That works in a multiple door system, not in a redundancy system.
This provides redundancy. A hole in firewall 1 that was blocked at firewall 2 would not lower assurances...
unless we are talking about software firewalls as opposed to two different hardware firewall appliances...
(edit - sorry about the incompleteness the first time i posted this. i hit send too early)
catch
July 8th, 2003, 08:20 PM
Assuming data is being passed, all an attacker needs to do is compromise _any_ firewall, dedicated or otherwise, and the attacker controls _all_ the traffic on the system.
Now if you have stacked firewalls like that, how can they have different rules? Firewall 1 allows connections to port 80, but firewall 2 doesn't? Your web admins will love that. The fact is you are still better off with the single firewall to manage your rules, if you wish to use a firewall at all.
Really firewalls are ideal at segregating network traffic and do little to nothing for securing servers (as the firewalls need to allow traffic to the server's points of entry anyhow.)
A strong hard rule with security is: if you add to a system without altering its functionality, you reduce its security. Really it goes further than that: if you add to a system's surface at all you reduce its security. This is why adding things like labeled security will increase a system's security, and why adding things like additional discretionary access control allows does not affect the system's security.
Adding extra firewalls doesn't reduce the surface, passed traffic touches all the stacked firewalls. (not to mention the introduced latency)
catch
sickyourIT
July 8th, 2003, 08:59 PM
I wasn't necessarily referring to different rules.
Assuming that all firewalls do have natural flaws >>GASP<< and that by using differing redundancy, any firewall-specific exploits would be taken care of.
I'm referring to security holes, not misset rules.
catch
July 8th, 2003, 09:02 PM
I know you are, which is my point, _unless_ the firewalls had different rules, you are not gaining any new functionality, therefore: more = less secure.
catch
sickyourIT
July 8th, 2003, 09:30 PM
More only = less secure in a parallel instance. I tried drawing that in a text box above, but it didn't work out. See below jpeg.
When run in serial, redundancy = more security.
<had to bust out the autocad on this one>
Now, read the disclaimer. catch does have a point in that if one firewall is compromised, any network traffic can be seen. On the other hand, if one of the upper layer (fw1 or 2) firewalls is compromised, the third should still catch most attacks/exploits.
catch
July 8th, 2003, 09:40 PM
No, I am sorry but that is just plain incorrect.
Data going from the internet to the server touches _all three_ firewalls! Therefore it is no different, as the attacker can now pick from 4 systems (the three firewalls and the server) to attack, and _any_ of those will have very bad consequences, unlike a system with only a single firewall. When you add more in this manner you are adding surface area for the attacker to target.
IF... if you were using three different firewalls, and each one was told to block everything, then you would have a different situation, but you are forgetting the fact that they must pass data for the server to work.
Do you understand?
catch
sickyourIT
July 8th, 2003, 09:44 PM
I understand.
Adding more firewalls stacked in such a way does not add more surface area unless they all use different public IPs. Assuming you're using some sort of NAT, you really should be better off...
/bow
i give up though.
catch
July 8th, 2003, 09:48 PM
Observe:
Client > firewall1 > firewall2 > firewall3 > server
compared to:
Client > firewall > server
Which has more surface area?
catch
SoggyBottom
July 8th, 2003, 10:52 PM
In a 3 tiered firewall architecture model, why the hell would you open up traffic through all 3 firewalls to allow connectivity to your Internal network? If I was asked to allow similar traffic through I would tell them to piss off!!
In a multi-tiered (let's say 3) firewall design, would you place your Webserver on the Internal network (behind the 3 firewalls) or behind the first firewall?
The whole idea of multi-tiered firewall design is to segregate (or DMZ) "risky" parts of your network. Servers that would be located between firewalls 1 and 3 (which is all segregated from the Internal network and Internet) would be stuff like webservers, proxies, mail servers, authentication servers... All stuff that you want to protect.
My point being, sure, if you have a multi-tiered design (say 3), opening up holes in all 3 firewalls for each connection requirement is not providing you any security what-so-ever. But if you have a multi-tiered design like this, you should NEVER allow single connections straight through all 3....
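The layout SoggyBottom describes, as an added example that is not part of his post: a small policy check over a three-tier design with zones INTERNET, DMZ and INTERNAL. Each tier is a set of allowed flows (source zone, destination zone, TCP port). The checker flags any rule that terminates Internet traffic on the internal network (the "straight through" pattern), and reports the blast radius of a compromise in a given zone, i.e. what a popped DMZ host can open next. The zone names, rule sets and port choices are constructed for the demo.

```python
"""Tiered firewall policy check.  Example code written for this page,
not a tool from the thread.  Flows are (src zone, dst zone, tcp port)."""

from collections import namedtuple
from typing import Iterable, List, Set, Tuple

Flow = namedtuple("Flow", "src dst port")

INTERNET, DMZ, INTERNAL = "internet", "dmz", "internal"

# Constructed "good" design: every connection terminates in the DMZ.
GOOD = (
    {Flow(INTERNET, DMZ, 443)},       # tier 1: Internet -> web front end
    {Flow(DMZ, DMZ, 8443)},           # tier 2: web tier -> app/auth tier
    {Flow(DMZ, INTERNAL, 1433)},      # tier 3: app tier -> internal database
)

# Constructed "bad" design: the same hole punched through all three
# tiers so one connection can run straight from the Internet inside.
BAD = (
    GOOD[0] | {Flow(INTERNET, INTERNAL, 445)},
    GOOD[1] | {Flow(INTERNET, INTERNAL, 445)},
    GOOD[2] | {Flow(INTERNET, INTERNAL, 445)},
)


def all_flows(tiers: Iterable[Set[Flow]]) -> List[Flow]:
    return [f for t in tiers for f in t]


def violations(tiers: Iterable[Set[Flow]]) -> List[str]:
    """Rules that let Internet traffic land directly on the internal net."""
    return [f"{f}: Internet traffic terminates on the internal network"
            for f in all_flows(tiers)
            if f.src == INTERNET and f.dst == INTERNAL]


def reachable_from(zone: str, tiers: Iterable[Set[Flow]]) -> List[Tuple[str, int]]:
    """(dst zone, port) pairs a host in `zone` may open: the blast radius
    of a compromise there.  Sorted for stable output."""
    return sorted({(f.dst, f.port) for f in all_flows(tiers) if f.src == zone})


if __name__ == "__main__":
    for name, design in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, "violations:", violations(design) or "none")
        print(name, "from internet:", reachable_from(INTERNET, design))
        print(name, "from dmz     :", reachable_from(DMZ, design))
```

In the good design an attacker who owns the web server can only try the app tier and the database port, while the bad design gives the Internet a direct path to port 445 inside, and each of the three tiers carrying that rule is reported as its own violation.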
catch
July 8th, 2003, 11:07 PM
yes this is a different point, as now the network is being compartmentalized, and that is a good thing, that is different than inline redundancy.
catch
KorpDeath
July 8th, 2003, 11:52 PM
Where did Soggy say anything about inline firewalls? I'm unclear on that catch. You obviously know your stuff but I think including my comment about those pesky engineers should've made his point quite clear. Right?
My comment was about using firewalls to protect your internal network from not only the Internet but those pesky software AND hardware engineers, who are more than happy to "test" equipment or software without regard to corporate policy or network management.
Simple segregation of traffic by using various firewalls throughout the network would reduce the risk of an internal "attack".
Anyway both points are valid and explained quite well. Keep up the good work. :thumbsup:
catch
July 9th, 2003, 12:15 AM
Soggy didn't say anything about inline firewalls, but several other people, including sickyourIT, did.
My initial response to Soggy was just to express that there are two good camps to security, lots of layers or minimization... but nothing in between. :)
Frequently these are used together, with minimalistic systems placed together in layers.
http://www.greatcircle.com/firewalls-book/contents.html (good text file on firewalls)
http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/prodlit/1584_pp.htm (parallel reasons and references - ie different firewalls for different apps, etc.)
worth a click.
(Just thought I would put my references up, so people wouldn't think I was out of my mind.)
antionline.com
Copyright 2007 Jupitermedia Corporation All Rights Reserved.