In the fourth part of this series on information security Stewart Twynham of Bawden Quinn reveals everything you ever wanted to know about firewalls, but were afraid to ask.
A few words of caution
A little knowledge is a dangerous thing ' and no more so than when it comes to choosing, installing and managing firewalls which control the flow of data between networks. Firewalls are designed to prevent malicious disclosure, alteration or destruction of information. They are a necessary component of ANY connection to the Internet. After all, when you connect to the Internet, the whole of the Internet also happens to be connected to you'
Firewalls are the first, and one of the most important parts of a balanced security policy. When properly configured, they protect against hackers and worms, but they probably won't protect against viruses, or malicious/incompetent users. This is because they operate at what's known as the network layer ' controlling how computers talk to one another, not what they actually say.
By design, firewalls DO NOT protect against:
- Any communications which don't actually pass through them. For example, a laptop could dial up to the internet independently and bypass the firewall, putting the whole network at risk.
- Anything hidden inside legitimate communications. For example, a virus can be hidden inside an email, or a worm might use an exploit inside a legitimate networking protocol.
Firewalls range in complexity: the simplest are to information security what a 10-year-old copy of Quicken is to the accounting profession. The more sophisticated products are like a modern financials package ' they can do some really clever things, but you have to know what you're doing when you set them up.In the coming weeks, we will discuss:
- Anti-Virus protection, its limitations, and dealing with Spam
- Good housekeeping, backup and physical security
- Training, acceptable use policies and legislation
- ISPs, Domains, Web design and Hosting
- The impact of new technology ' VPNs, WiFi, Broadband, et al
In order to assess and compare firewalls objectively, we've created something called the 6Ms. You may find them useful, since they outline what matters most when installing and using a firewall:
- Manager - Somebody, somewhere, must have overall charge of the firewall. Their responsibility is to ensure the settings and configuration actually reflect security policy, and that the firewall is maintained, monitored, tested and supported on an ongoing basis. Numerous firewalls end up being shoved into cupboards where no-one has a clue about them ' how they're configured, or even if they are doing the job that everyone thinks they are. That's usually when we discover that they are not'
- Make - It is important to understand that the make of the firewall, the technology used, etc will have a significant bearing on the level of security. No technology is foolproof, but many of the low-cost devices on the market are so weak that they are best avoided. Well-known brands from leading security manufacturers are more secure, and are generally better supported.
- Methodology - Firewalls need configuration. A firewall without proper configuration is like a security guard who doesn't know what he or she is supposed to be guarding. The risks, the needs of the business, policies, processes and procedures need to be translated into a set of coherent firewall 'rules' that dovetail with the operation of the business.
- Measurement - No-one installs a car alarm or house alarm without testing it. Yet many firewall installations are not properly tested ' the most they will get is a simple 'port scan', which doesn't actually reflect a real attempt to break-in. Recently, we tested six 'professionally installed' firewalls, and broke into all six in just 10 minutes ' discovering over 100 configuration errors in the final analysis. This also demonstrates the importance of choosing properly trained and qualified installers.
- Monitoring - Businesses often connect their alarm systems to monitoring systems, so when the alarm is set off by a burglar at 3am in the morning, they and the police can be alerted. Yet firewall logs are often not checked from one month to the next ' even though they are protecting the very same assets. The chances are, attempted break-ins to your premises are rare, but if you've read our previous articles, you'll know that attempts to break into your network happen every three minutes.
- Maintenance - A firewall is no different to any other piece of computer equipment. It requires regular updating and patching, and when it goes wrong, it needs repair or replacement. Firewalls usually represent a single point of failure for most companies. Surviving without Internet access while a replacement device is found and correctly reconfigured could be a costly business. The alternative is to try to do without the firewall for an afternoon, whereupon the company soon discovers a far worse fate awaits them'
The technologies used within modern firewalls vary widely, and some are far less effective than others. The more popular types are:
- NAT (Network Address Translation). NAT has nothing to do with security par se but instead allows many computers to share a single address on the Internet. A side effect of NAT 'hides' the internal computer network from the outside world, but in actual fact devices which rely solely on NAT are remarkably easy to defeat, provide very lax security anyway, and are usually used by devices which themselves have such glaring omissions in their security, are best avoided in any commercial setting.
MYTH: NAT makes a good firewall
By hiding many computers behind a single Internet Protocol (IP) address and using unroutable private addresses, many people believe NAT provides a good firewall. In actual fact, this is only part of the story, since NAT is only concerned with moving incoming information to the right destination internally. NAT doesn't check for 'state' ' ie the nature of the information. It only works in the inbound direction, doesn't normally offer any form of logging capability, and offers little or no protection against spoofing and denial of service attacks. Typically, the networks hidden behind NAT firewalls can be identified, 'port scanned' and then attacked with relatively ease. And because there is no logging capability, you won't even know about it!
Packet filters block the 'ports' used by computers on the outside to open new connections on your computer. The principle is fine, except you cannot block every port or no legitimate data would get through either. Therefore, there will always be some holes in your firewall to allow the data in. As a result of this and similar deficiencies to those found in NAT firewalls, packet filters were superseded in 1993 by stateful inspection. Amazingly packet filtes are still used today in a great many low-end firewall and router products.
In stateful packet inspection, all communication is analysed to see if it is expected ' either as an allowed connection, or as a valid response from a request made earlier. For example, if you send a request for a Web page from www.microsoft.com, the firewall will allow that page to be sent back into the network ' but it must actually come from www.microsoft.com, and it must actually be a Web page. Once again, however, this doesn't mean that there isn't a virus or some other malicious code inside that Web page' just that the communication is expected.
A correctly-configured stateful inspection firewall appears to the outside world as though it doesn't exist. You can't 'ping' it, you can't 'port scan' it ' it will only respond positively to valid responses that it is expecting from known machines. But incorrectly configured stateful inspection defences are easily made redundant, leaving your network wide open to abuse.
Deep stateful inspection
A recent development has been to add further intelligence to stateful inspection. Hackers have been quick to exploit deficiencies in operating systems and applications. To the uninitiated, these attacks appear magically bypass firewalls. In actual fact they ride over the back of a legitimate communication. Deep stateful inspection is an important development that will soon feed through to the SME marketplace 'this type of solution would have prevented the Code Red, SQL/Slammer, WebDAV, MSBlast, and numerous other worms and exploits. Naturally, however, deep stateful inspection will also add another level of complexity to the configuration and installation of firewalls.
How can I get a firewall?
A Personal Firewall is a software application that sits on your machine, and provides some protection to external attack. Some are free, and vary widely in their abilities (just as anti-virus software does). All suffer from one serious defect: they run on your machine. Like any other application such as MS Word,they can be susceptible to crashes, virus attack or simple user error, leaving you open to attack. While they are essential for roving laptops, something far more substantial is recommended for a fixed office or network.
Very low cost integrated routers should be avoided if at all possible. They are very popular at the moment ' especially for broadband applications ' with some even costing less than £50. Despite some pretty incredible claims about 'protecting your network from hackers', most offer negligible security as they only use NAT or packet filter technologies, and many are shipped with ridiculous security holes. High quality 'appliances' (see below) from well-known security manufacturers start from as little as a few hundred pounds and are a much safer bet.
Software-based firewalls often appear a cheap alternative, since in many cases the programs are free, and can run on redundant hardware. Some products use stateful inspection which is far more sophisticated than the NAT firewall or packet filters you'll find in most integrated routers. But only the more expensive commercial software (such as Checkpoint NG) includes any form of 'application level' protection. The downside is the level of experience required to set up and maintain such devices, and the fact that they often run on top of proprietary operating systems such as Linux or Windows. Securing (hardening) the operating system is a time-consuming process and not for the faint hearted. Actual cost savings and the level of risk introduced if mistakes are made make these products difficult to recommend.
MYTH: Linux is much more secure
There is a strong sense of 'legendary security' when people talk about Linux, the Unix-based open-source operating system. Yet this faith is not always justified. Linux took off at a time when its only competitors were Windows 95/98 and NT ' hardly the best examples of 'out of the box security'. Things have moved on, and Zone-H recently reported Linux hacking had overtaken attacks on Windows systems by an order of magnitude since the beginning of 2003. Although Windows is far from perfect, it is often easier to manage and update than its Linux counterpart. If you're concerned about the number of patches necessary to maintain Microsoft products. Just think for a minute how the open-source Web server Apache, that runs on Linux, might have got its name!
Low-cost firewall appliances are fast becoming the norm for many small businesses. An appliance is typically a PC or similar, pre-installed with firewall software, all shoehorned into a neat box. A good quality appliance from a well known security manufacturer such as Checkpoint, Watchguard, Netscreen, Nokia (yes, the phone people) or Sonic Wall can cost as little as a few hundred pounds for a small office/home office, while larger installations can start at just over a thousand pounds. Overall, these devices offer excellent security for little more than the price of a PC.
Managed appliances ' the safest route for small networks
As we have discussed, firewalls perform a vital function, but can be easily misconfigured, are often not checked from one month to the next, or don't have the support or backup that a 'business critical' device requires.
As a result, we recommend that businesses seriously consider outsourcing their firewall security to a suitably experienced service provider, just as many businesses outsource their alarm system. Having personally worked with over 30 Internet Service Providers in seven countries around Europe, we recommend Star Internet, which already supplies many of the top 20 firms of accountants and solicitors in the UK, Star can provide a good quality stateful inspection firewall which is professionally configured, monitored and managed 24x7, from as little as £100 per month. Overall, this represents exceptionally low Total Cost of Ownership (TCO), while providing a level of protection critical in an industry where a company will rise or fall on its reputation.
- If you connect your PC, laptop, or network to the Internet, you MUST use some form of firewall. It is non-optional.
- Single PC/laptop users can choose to use personal firewall software. Because it runs on your PC, it can be susceptible to crashes and attacks from viruses and so on, rendering your PC vulnerable.
- The cheapest NAT firewalls and Packet filters are not sufficiently secure for commercial use.
- Small networks should use a firewall appliance. Competent devices start from as little as a few hundred pounds ' look for names such as Checkpoint, Watchguard, Netscreen, Nokia, and Sonic Wall.
- Star Internet can provide a professionally installed, fully managed firewall with 24 hour monitoring from £100 per month, with scalable solutions up to FTSE-sized companies.
- Good firewalls are not just 'plug and play'. Get any device professionally installed ' look for relevant certification (for example, Checkpoint CCSA/CCSE, Cisco CCNA/CCIE) or some other evidence of vendor approved training ' otherwise don't risk your network. Expect a 10-20 user network to take up to two days of planning and installation. Anyone who comes in 'cold' and installs a firewall in an hour is not securing your network properly!
Further reading: Information security series
- Step 1 - Identify your assets
- Step 2 - Understanding the threats and vulnerabilities
- Step 3: Things that turn threats and potential loss into risk
- Step 4: The firewall
- Step 5: Tackling viruses and spam
- Step 6: Good housekeeping
- Step 7: Training, acceptable use policies and legislation
- Step 8: Domain name purchase and protection