Firewall Technology and Architecture
Category: Telecommunications and Network Security
Author: Matt Norris
Date Added: February 6th, 2007
Relevant Courses: SANS SEC 502 Firewalls

Introduction

Originally applied at the border or perimeter between the Internet (untrusted) and the inside (trusted) network, the more current application of firewall technology has been extended to screening unwanted communication within the network. Although there has been extended use of the firewall, it is important to understand that the original classes of firewall still exist and add value in the network landscape. Security architects are applying the technology, new and old, to build layered defenses to protect the internal network from external and internal network threats.

Firewall Delivery

Firewalls can be deployed as either network firewalls or personal firewalls, sometimes known as desktop firewalls. Although both use the same underlying technology, personal firewalls protect only a single host, whereas network firewalls are typically deployed to protect a larger number of hosts. When deploying network firewall products, there are two delivery methods: software and appliance. Software firewalls are installed on host operating systems, such as Unix or Windows; appliance firewalls are typically black-box systems that run on proprietary operating systems, where the vendor provides a box ready to configure. Appliances often offer better performance than software solutions, although the gap has been closing. The firewall technology detailed below can be deployed and managed through either delivery method.

Firewall Technology

Many firewall products on the market use a mixture of technologies to protect the network. Before you can determine which technology is the right fit for your network, you need to first understand the underlying firewall concepts and architectures. We must also remember when choosing a firewall product that an enhanced ability to screen network traffic can lead to network overhead and performance issues. Furthermore, it is product performance that often influences how and where the technology is deployed.

Firewall technology has three primary classes, each offering various levels of screening:

Packet Level—Nonstateful

The nonstateful packet-level filter is a first-generation traffic screening technology that filters traffic on the network layer and transport layer characteristics of each packet (in OSI model terms). The screening device filters the packet based on the source and destination network address, the transport layer protocol (TCP, UDP, and ICMP), and the service port number. Nonstateful packet filters block unknown or unwanted traffic at the network level. The filter does not keep track of what traffic has previously passed into the network; it makes its filtering decision on each packet in isolation. This makes the technology fast, although it is susceptible to specific bypass attacks. We typically see this type of technology deployed at the router, switch, or host OS, with traffic controlled through a series of ACLs (Access Control Lists).

Packet Level—Stateful

Most modern stateful firewall technologies maintain state information on the traffic stream to build on pure packet filtering capabilities. Maintaining the state allows the firewall to determine if a packet should be allowed to pass based on the previous set of packets in that communication stream. Combining state maintenance with select features from proxy firewalls allows the modern stateful firewall to analyze the traffic at most layers of the OSI model, from network to application. Additional functionality of most stateful firewalls allows inspection of connectionless protocols, such as UDP, by tracking the context of the communication stream. Of course, the maintenance of a state table increases overhead, although the stateful firewall typically runs at much higher throughput levels than the traditional application-level proxy firewall.
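The difference between the nonstateful filter and the stateful filter described in the two sections above, as an added example that is not code from the original article: a toy ACL evaluated first-match with default deny, beside a filter that records connections opened from the trusted side. All addresses, ports and the rules themselves are constructed sample values.

```python
# Added example (not from the original article): a toy filter that contrasts a
# nonstateful ACL with a stateful connection table; addresses are constructed.
from collections import namedtuple

# direction: "in" = untrusted -> trusted, "out" = trusted -> untrusted
Packet = namedtuple("Packet", "direction src sport dst dport syn ack", defaults=(False, False))

# Nonstateful ACL: first match wins, default deny. The "established" rule is
# the classic stateless way to admit replies: it trusts the ACK flag in the
# packet itself, because this filter keeps no record of connections.
ACL = [
    {"action": "permit", "direction": "out"},
    {"action": "permit", "direction": "in", "dport": 80},
    {"action": "permit", "direction": "in", "established": True},
]

def acl_decision(pkt):
    for rule in ACL:
        if rule["direction"] != pkt.direction:
            continue
        if "dport" in rule and rule["dport"] != pkt.dport:
            continue
        if rule.get("established") and not pkt.ack:
            continue
        return rule["action"]
    return "deny"  # default deny: no rule matched

class StatefulFilter:
    """Records flows opened from the trusted side; inbound packets pass only
    if they belong to a recorded flow or match an explicit inbound rule."""
    def __init__(self):
        self.table = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def decision(self, pkt):
        if pkt.direction == "out":
            if pkt.syn and not pkt.ack:  # new connection opened from inside
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "permit"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return "permit"  # reply to a connection the table knows about
        if pkt.dport == 80 and pkt.syn and not pkt.ack:
            return "permit"  # explicit rule: web server reachable from outside
        return "deny"

def demo_filters():
    """Run three packets through both filters; returns {name: (acl, stateful)}."""
    sf = StatefulFilter()
    flows = [("syn", Packet("out", "10.0.0.5", 40000, "203.0.113.9", 443, syn=True)),
             ("reply", Packet("in", "203.0.113.9", 443, "10.0.0.5", 40000, True, True)),
             # ACK set, but no inside host ever opened this flow
             ("unsolicited", Packet("in", "198.51.100.7", 443, "10.0.0.5", 40001, ack=True))]
    return {name: (acl_decision(p), sf.decision(p)) for name, p in flows}
```

The third packet is the case the stateful table exists for: the ACL admits it on the strength of a flag alone, while the stateful filter denies it because no inside host opened that flow.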

Proxy

Proxy firewalls are a second-generation technology that prevent the direct packet exchange between two devices and can work at the session or application layer of the OSI model. During the traffic exchange, each device in the conversation speaks (and handshakes) only with the proxy firewall, which in turn relays the conversation between the end devices; the devices at each end of the conversation are prohibited from directly connecting and conversing. Proxy technology allows for a deeper level of packet inspection than the traditional nonstateful packet-filtering firewall and masks the trusted network from direct discovery or attack. Proxies come in two varieties: circuit-level and application-level.

Enhanced Firewall Functionality

NAT (Network Address Translation) and PAT (Port Address Translation)

Originally designed as a standalone product, NAT has been absorbed and offered as a feature on almost all modern firewalls. NAT can be used to map a single internal IP address to a single external IP address, whereas PAT allows multiple internal IP addresses to map to and utilize a single external network IP address. The capability to map from one or several internal IP addresses to one external IP address adds a level of anonymity to the internal (or protected) network.
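The one-to-one NAT and many-to-one PAT mappings described above, as an added example that is not code from the original article: a static NAT table keyed on the inside address, and a PAT table that allocates a distinct public port per inside (address, port) pair so that two inside hosts using the same source port can share one public address. The addresses, the port range and the class names are constructed.

```python
# Added example (not from the original article): minimal static NAT and PAT
# tables showing how each direction is translated. Addresses are constructed.
class StaticNAT:
    """One-to-one NAT: each inside address is bound to its own public address."""
    def __init__(self, bindings):
        self.out_map = dict(bindings)                       # inside -> public
        self.in_map = {pub: ins for ins, pub in bindings.items()}

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        return (self.out_map[src_ip], src_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        if dst_ip not in self.in_map:
            return None  # no binding for this public address: drop
        return (src_ip, src_port, self.in_map[dst_ip], dst_port)

class PAT:
    """Many-to-one: every inside host shares one public address, and the
    translated source port is what tells returning packets apart."""
    def __init__(self, public_ip, first_port=20000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # (inside_ip, inside_port) -> public_port
        self.in_map = {}    # public_port -> (inside_ip, inside_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        key = (src_ip, src_port)
        if key not in self.out_map:  # first packet of a flow: allocate a port
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.out_map[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        # Only ports handed out by outbound() map back to an inside host;
        # anything else is dropped, which is what hides the inside network.
        if dst_ip != self.public_ip or dst_port not in self.in_map:
            return None
        inside_ip, inside_port = self.in_map[dst_port]
        return (src_ip, src_port, inside_ip, inside_port)

def demo_pat():
    """Two inside hosts using the same source port share one public address."""
    pat = PAT("203.0.113.1")
    a = pat.outbound("10.0.0.5", 40000, "198.51.100.7", 80)
    b = pat.outbound("10.0.0.6", 40000, "198.51.100.7", 80)
    back = pat.inbound("198.51.100.7", 80, "203.0.113.1", b[1])
    return a, b, back
```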

Transparent Firewalls

The transparent firewall maintains most of the characteristics of stateful firewalls; however, it acts at the data link layer, layer two, of the OSI model. The advantage of operating at layer two while inspecting traffic all the way up to the application layer is that the device can operate as an invisible layer of protection. The transparent firewall can be inserted directly inline in the traffic flow without the need to modify any other network devices. Because the device operates at layer two, it does not need an IP address and therefore cannot be directly attacked from the network. These devices are typically deployed within a network to add an extra layer of stealth protection.

Content Filtering

Integrated into firewall technology, or offered as add-on technology, filtering traffic based on content is becoming a more common requirement of modern firewalls. The capability to filter on content allows an organization to restrict employee access to unproductive or inappropriate web sites on the Internet and helps prevent malware from entering the trusted network. Content filtering is usually implemented as URL filtering to control access to web sites. A database of unapproved web sites is maintained either as a set of ACLs on the firewall or offloaded to an external database; in the latter case the firewall acts as a simple gateway that allows or denies the traffic after the requested URL has been checked and approved or disapproved.

Firewall Architecture

Packet-Filtering Routers (Screening Routers)

In the simplest firewall architecture, the traffic passing from the untrusted to the trusted network is screened by a router parsing a series of ACLs and using nonstateful technology. Traffic can be screened by source or destination IP address, transport layer protocol, and the service being requested. This architecture is typically deployed at the perimeter or boundary router and can be used to control access to a DMZ (Demilitarized Zone). When deployed at the perimeter between the trusted and untrusted networks, it is most often augmented by more complete firewall technologies.

Screened Host Firewall

To add a further layer of protection, traffic passes from the packet-filtering router to a Bastion Host/Firewall with two network interface cards. The Bastion Host/Firewall connects the trusted network to the untrusted network and typically uses stateful and proxy technologies to filter and block traffic up to the application layer.

Dual Homed Host Firewall

Another simple architecture surrounds a dual- or multi-homed Bastion Host/Firewall with packet-filtering routers. The routers filter the traffic reaching the Bastion Host/Firewall, which adds further filtering and blocking of the traffic stream. Because routing on the Bastion Host/Firewall is disabled, traffic cannot cross it without passing through its security filter.

Screened Subnet DMZ

Similar to the dual-homed host firewall, the screened-subnet architecture surrounds a Bastion Host/Firewall with two packet filtering routers to control traffic into and out of the trusted and untrusted network segments. The screened-subnet adds a layer of functionality with an additional Bastion Host/Firewall network interface that filters traffic to and from the DMZ.

Additional Firewall Architecture

There have been many adaptations of the architectures listed above to meet security needs at various levels. Although the technology stays consistent, the design (and often the complexity) is modified to meet specific network needs.

Terms

ACLs
Access control lists are typically used with packet-filtering technology to define what network traffic is allowed to pass or not pass through a device. Depending on the device, the ACL can filter based on multiple layers of the OSI model in stateful or nonstateful technologies.
Bastion Host
A Bastion Host is a device that is exposed in part or in whole to the untrusted network. Bastion hosts are expected to have the capabilities to withstand direct attacks from the untrusted network and can be servers hosting web or email services, routers, or firewalls.
DMZ, Demilitarized Zone
The DMZ is a network segment that exists between the trusted and untrusted networks; it typically offers web, email, remote access, and other services to the untrusted and the trusted network. DMZs offer some level of protection to the hosts that exist within that segment of the network.

Summary

Firewalls are the main preventive measure deployed on most networks. For a firewall to properly block unwanted traffic, the network must be designed correctly so that all connections pass through it. It must also have a rule set that follows the principle of least privilege. Best practice is to configure the firewall as default deny: allow only the traffic that is needed and deny all other traffic.
