Thoughts on Firewalls: Topologies, Application Impact, Network Management, Tech Support and more
Deke Kassabian, April 2007
Opening Statements
• Common desktop and server operating systems are getting better, but are still not network-safe in their default "out of the box" configuration.
• Firewalls can provide security help, but seemingly obvious designs can create problems while adding little value.
• Most end-systems can be operated in a network-safe way without firewalls, though often not in their default configuration, and not without ongoing effort.
• People sometimes try to solve problems through the use of firewalls without acknowledging their downsides.
Who wants firewalls?
• Users want firewalls to protect their machines.
• But users don't want firewalls to break applications.
• Network operators want firewalls to keep attack traffic out.
• But network operators don't want firewalls to prevent monitoring and management, or to push all application traffic onto port 80.
Thinking About Firewalls
• Firewalls, by design, limit the flow of network traffic.
• When the limits help fend off attacks launched over networks, firewalls provide real positive value.
• When the limits cause legitimate user applications to break, or prevent new applications from being born, firewalls provide real negative value.
Firewall Placement
• Creating large perimeters to protect large numbers of computers with a single firewall is an approach that has some significant problems. Three of these are:
• The larger the number of hosts on the "inside", the greater the chance that a vulnerability in one of them will be exploited.
• The larger the community of users on the inside, the more likely that no common security policy will suit them all.
• The larger the community of users on the inside, the more likely that eventually one of them will become motivated to attempt to compromise another system on the inside, or the security of the firewall itself.
Firewall Placement (1)
• The larger the number of hosts on the "inside", the greater the chance that a security vulnerability in any one of them will be exploited.
• This may lead to attacks launched from the outside, exploiting vulnerabilities on the inside. For example, a single system with a default administrator password for a service that the firewall rules permit makes the inside vulnerable. The firewall doesn't provide much help here.
Firewall Placement (2)
• The larger the community of users on the inside, the more likely that no common security policy will suit them all.
• Users with a diverse set of applications will have different goals and different network services that matter to them (and different network services that they want to avoid!), and so will have different security policies in mind for implementation on the firewall.
Firewall Placement (3)
• The larger the community of users on the inside, the more likely that eventually one of them will become motivated to attempt to compromise another system on the inside, or the security of the firewall itself.
• The firewall is (quite literally) in no position to help here.
Firewall Placement
• Taken together, these three points argue against large enterprise (or campus, or school-wide) firewalls as a simple and general solution to a variety of security-related problems.
• These points lead me to believe that security is maximized by pushing the control point as close as possible to the resource needing protection.
A firewall for my campus building?
• If everyone agrees on a single security policy (e.g., HTTP, SMTP, and IMAP are okay; SMB and Windows Messenger are bad), then this may work.
• Requires everyone to remain actively engaged, since ongoing changes in the firewall policy will be needed.
• The control point is closer to the resources protected, so it is an improvement over one-big-firewall-protects-my-campus.
• But it still has two big downsides…
Inline firewalls can disrupt net management
• A firewall between network management systems and the network electronics restricts the ability to monitor and manage those network devices safely and effectively.
• The simple solution of allowing net management traffic to pass through the firewall only compromises the security of both the firewall-protected network and the central network management systems.
• One way to address this is to add physical or virtual networks to allow monitoring "out of band". While this works, it adds real cost and complexity.
Varying security policy can cause confusion
• The second downside is related to applications.
• End stations on the "inside" are subject to a specific security policy that may differ from the security policy of the neighboring building.
• This means that users around campus may have traffic filtered in ways that vary.
• These variations can cause applications to fail for some while they work for others.
Figure discussion
• Subnet (A) has an open policy, no firewall involved.
• Subnet (B) has a subnet/workgroup firewall filtering traffic for all desktops, laptops, printers, and servers on subnet (B).
• Subnet (C) is topologically the same, but may implement a different set of policies in the firewall.
• Subnet (D) firewalls a set of servers, but addresses desktop and laptop security independent of the firewall.
• (B) and (C) create "islands" around campus; each may vary from the others, and each is a potential application issue.
A firewall for every device?
• Maybe. Protection for every device is an important goal. That might often involve firewalls.
• A firewall for every server seems like a solid idea. And if you can collect a few servers with a common policy, that's a win.
• Sometimes the firewall can be host-based rather than a separate piece of hardware. This scales well and may be more flexible. But there are downsides, too.
Other end-station protection approaches
• This is the subject of many good articles on securing computers. Some common measures are:
• Use of good passwords on all accounts
• Removal of unnecessary network services, and limiting permitted services to allow connections only from expected sources
• Use of, and ongoing updates to, virus protection software
• A program of regular security updates for the operating system and applications
• Manual and automated review of log files that record relevant details of system activity
• This is a partial list, of course. Add your favorites here.
Basic Protection Using Network Infrastructure
• Should campus border routers filter potentially harmful traffic? Kind of like the large perimeter problem, right?
• Some basic measures at the border can really help. Many networks filter both inbound and outbound traffic at their borders, dropping likely spoofed (forged) traffic. This has clear value and is best accomplished at the router interfaces, where a determination about source networks can reasonably be made.
• Sometimes short-term filtering makes sense, e.g. for an attack in progress. If the routers can implement very helpful short-term measures during an active attack, the short-term trade-off may be worth it.
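The border filtering described on this slide, as an added example that is not part of the original talk: a small simulation of a border router's direction-aware anti-spoofing check plus an expiring short-term block for an attack in progress. The internal prefixes, private ranges and packets are constructed sample values; time is an integer seconds counter so the logic stays self-contained.

```python
"""Simulated border-router anti-spoofing filter (added example, not from the talk)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: the address space routed behind this border router.
INTERNAL = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]
# Constructed: sources that should never arrive on the Internet-facing interface
# (our own prefixes plus private/loopback space).
NEVER_FROM_OUTSIDE = INTERNAL + [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                                 ip_network("192.168.0.0/16"), ip_network("127.0.0.0/8")]


@dataclass
class Packet:
    src: str
    dst: str
    direction: str  # "in" = arriving from the Internet, "out" = leaving campus


def _in_any(addr, nets):
    a = ip_address(addr)
    return any(a in n for n in nets)


def spoof_check(pkt):
    """Return 'forward' or a drop reason; the decision depends on which way the packet flows."""
    if pkt.direction == "in" and _in_any(pkt.src, NEVER_FROM_OUTSIDE):
        return "drop: inbound packet claims an internal/private source (spoofed)"
    if pkt.direction == "out" and not _in_any(pkt.src, INTERNAL):
        return "drop: outbound packet with a source we do not own (spoofed)"
    return "forward"


# Short-term filter entries for an attack in progress: (network, expiry in seconds).
SHORT_TERM_BLOCKS = []


def add_short_term_block(net, seconds, now):
    """Install a temporary inbound block that expires on its own, so it cannot be forgotten."""
    SHORT_TERM_BLOCKS.append((ip_network(net), now + seconds))


def filter_packet(pkt, now):
    """Expire stale short-term rules, apply the remaining ones, then the anti-spoofing rules."""
    SHORT_TERM_BLOCKS[:] = [(n, exp) for n, exp in SHORT_TERM_BLOCKS if exp > now]
    if pkt.direction == "in" and _in_any(pkt.src, [n for n, _ in SHORT_TERM_BLOCKS]):
        return "drop: temporary block for attack in progress"
    return spoof_check(pkt)
```

Because the short-term rule carries its own expiry, the router returns to the permanent anti-spoofing policy once the attack window passes.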
Conclusion
• Firewalls can play an important role in enterprise information security.
• Some topologies reduce the collateral damage risk.
• Move the control point as close as possible to the thing you want to protect.
Contact
• Deke Kassabian, firstname.lastname@example.org
• Related paper available at: http://pobox.upenn.edu/~deke/writing/fwatpenn.html