Firewalling Basics

1. Firewalling Basics Josh Ballard Network Security Analyst

2. Outline • Firewall Types • Default Deny vs. Default Allow • Campus Offerings • The Importance of Scope

3. Firewall Types - Filtering • Firewall Technology has come a long way • The basic types are: • Linear ACLs (“packet filter”) • Stateful Firewall • Stateful “Packet Inspection” • Bridging vs. Routing

4. Firewall Types - Packet Filters • Evaluates traffic packet by packet according to a singular ruleset. • Filters based on only IP address, IP protocols, ports, and in some cases things like TCP flags. • Can not filter based on “direction,” but simply whether the packet matches the ACL or not.

5. Firewall Types - Stateful Firewall • Tracks state of connections for protocols such as TCP, UDP, ICMP. • Evaluates rules only on the first packet of a session. • As such, can be configured to do “directional” protection. • Filters illegal packet types and non-established connections.

6. Firewall Types - Stateful w/ Packet Inspection • Works similarly to a stateful firewall, except that it contains “connection fixups.” • Some protocols won’t work properly without a fixup, e.g. FTP, RTSP, etc. • Requires more overhead, but breaks fewer things in a default deny world.

7. Firewall Types - Bridging vs Routing • A bridge operates as a transparent entity between two layer 2 networks. • A routing firewall operates at the layer 3 boundaries to networks. • Each has advantages and disadvantages, though we choose by default to do routed firewalls.

8. Default Deny vs. Default Allow • It is just how it sounds. This is the default posture for what the fate of a non-matched packet in the ACL. • Default deny is obviously a stronger posture, but requires more initial investment to achieve, and can potentially cause more problems.

9. Campus Offerings • For approximately the past year, we have been developing and offering firewall services. • Based on the Cisco PIX/ASA/FWSM platform.

10. Campus Offerings • We are in the process of deploying FWSM-based firewalls “virtually” in front of all data center systems. • This allows for differing policy levels for each group of systems in the data center. • We can also deploy FWSM technology to buildings or departments as applicable and requested.

11. Campus Offerings • With our licensing of Trend Micro, we also have access to host-based firewalls, as well as the Windows firewall. • Both of these are controllable by you as the admin with appropriate knowledge of your services and their scopes.

12. The Importance of Scope • AKA: Why is firewalling important? • Consider this example: • Windows Server 2003 System • Running IIS and Exchange • Running RDP for Adminstrative Control • Why is scoping important in this example?

13. The Importance of Scope (2) • Another example - multi-tiered • UNIX system running Apache and other web software that ties to a database backend. • UNIX system running Oracle database software • Both systems running SSH • Why is scoping important in this example?

14. The Importance of Scoping (3) • So the questions to answer to write a policy are: • What should we explicitly not allow? • What services are running on the systems in questions? • Who needs to access those services? • What should happen to a packet that isn’t explicitly matched?

15. Conclusion • Firewalling is an important piece of any security infrastructure, both network-based and host-based. • It is by no means an end-all be-all solution, but can limit your exposure greatly.

16. Questions?