Sunday, April 27, 2008

FIREWALLS & NATs

Firewalls:

A firewall is a network device or host with two or more interfaces: one connected to the protected internal network and the other connected to unprotected networks, such as the Internet.
A firewall controls access into and out of the protected internal network.

If you connect an internal network directly to the Internet, you have to make sure that every system on the internal network is properly secured, which can be nearly impossible because a single careless user can render the entire internal network vulnerable. A firewall is a single point of connection to the Internet. A firewall is like a protective fence that keeps unwanted external data and software out and sensitive internal data and software in.

A firewall runs software that examines the network packets arriving at its network interface and takes appropriate action based on a set of rules. The idea is to define these rules so that they allow only authorized network traffic to flow between the two interfaces.

Just to point out some general characteristics of a firewall:

It must control the flow of packets between the Internet and the internal network.
It must not provide dynamic routing, because dynamic routing tables are subject to route spoofing (the use of fake routes by crackers). Instead, the firewall uses static routing tables (which you can set up with the route command on a Linux system).
It must not allow any external user to log in as root. That way, even if the firewall system is compromised, the cracker is blocked from using root privileges from a remote login.
It must be kept in a physically secure location.
It must distinguish between packets that come from the Internet and packets that come from the internal protected network.
It acts as the SMTP mail gateway for the internal network. Set up the sendmail software so that all outgoing mail appears to come from the firewall system.
Its user accounts are limited to a few accounts for those internal users who need access to external systems. External users who need access to the internal network should use at least SSH for remote login.
It keeps a log of all system activities, such as successful and unsuccessful login attempts.
It provides DNS name-lookup service to the outside world for host names that are otherwise unknown to the outside world.
It provides good performance so that it doesn't hinder internal users' access to specific Internet services (such as HTTP and FTP).

A firewall can take many different forms. Here are three common forms of a firewall.

Packet filter firewall

This simple firewall uses a router capable of filtering (blocking or allowing) packets according to a number of their characteristics, including the source and destination IP addresses, the network protocol (TCP or UDP), and the source and destination port numbers. Packet filter firewalls are usually placed at the outermost boundary with an untrusted network, and they form the first line of defense.
Packet filter firewalls are fast and flexible, but they cannot prevent attacks that exploit application-specific vulnerabilities or functions. They can log only a minimal amount of information, such as source IP address, destination IP address, and traffic type. Also, they are vulnerable to attacks such as IP address spoofing, which involves altering the address information in network packets to make them appear to come from a trusted host.

Stateful inspection firewall

In this case, the firewall keeps track of the network connections that network applications are using. When an application on an internal system uses a network connection to create a session with a remote system, a port is also opened on the internal system. This port receives network traffic from the remote system. For a successful connection, packet filter firewalls must permit incoming packets from the remote system. Opening up many ports to incoming traffic creates a risk of intrusion by unauthorized users who abuse the expected conventions of network protocols such as TCP. Stateful inspection firewalls solve this problem by creating a table of outbound network connections, along with each session's corresponding internal port. This state table is then used to validate any inbound packets. Stateful inspection is more secure than a packet filter because it tracks internal ports individually rather than opening all internal ports for external access.
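As an added illustration (not code from the original post), the following Python sketch builds the state table described above: outbound sessions from the inside interface are recorded with their internal port, and a packet arriving on the outside interface is admitted only if it is the reply half of a recorded session. The interface names, the 10.0.0.x internal range and the addresses in demo() are constructed for the example; it also drops an outside packet that claims an internal source address, which is the spoofing case the packet filter section mentions.

```python
from dataclasses import dataclass

INTERNAL_NET = "10.0.0."   # constructed: 10.0.0.x hosts are on the protected side

@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on: "inside" or "outside"
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class StatefulFilter:
    """Tracks outbound sessions and admits inbound packets only as replies."""

    def __init__(self):
        # state table entries: (proto, internal ip, internal port, remote ip, remote port)
        self.sessions = set()

    @staticmethod
    def is_internal(ip):
        return ip.startswith(INTERNAL_NET)

    def handle(self, pkt):
        """Return "ALLOW" or "DROP" for one packet crossing the firewall."""
        if pkt.iface == "inside":
            if not self.is_internal(pkt.src_ip):
                return "DROP"           # internal host claiming a foreign address
            # outbound: record the session together with its internal port
            self.sessions.add((pkt.proto, pkt.src_ip, pkt.src_port,
                               pkt.dst_ip, pkt.dst_port))
            return "ALLOW"
        # arrived on the outside interface
        if self.is_internal(pkt.src_ip):
            return "DROP"               # spoofed internal source address
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "ALLOW" if key in self.sessions else "DROP"

def demo():
    """Constructed traffic: one web session plus three packets that must be dropped."""
    fw = StatefulFilter()
    ext, internal = "198.51.100.7", "10.0.0.5"
    return [
        fw.handle(Packet("inside", "tcp", internal, 40000, ext, 80)),   # ALLOW
        fw.handle(Packet("outside", "tcp", ext, 80, internal, 40000)),  # ALLOW: reply
        fw.handle(Packet("outside", "tcp", ext, 80, internal, 40001)),  # DROP: wrong port
        fw.handle(Packet("outside", "tcp", "198.51.100.9", 80, internal, 40000)),  # DROP: wrong peer
        fw.handle(Packet("outside", "tcp", "10.0.0.9", 80, internal, 40000)),  # DROP: spoofed
    ]
```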

Application-proxy gateway firewall

This firewall acts as an intermediary between internal applications and the external servers, such as web servers, they attempt to communicate with. For example, a web proxy receives requests for external web pages from the web browser clients running inside the firewall and relays them to the exterior web server as though the firewall were the requesting web client. The external web server responds to the firewall, and the firewall forwards the response to the inside client as though the firewall were the web server. No direct network connection is ever made from the inside client host to the external web server.

Application-proxy gateways have some advantages over packet filter firewalls and stateful inspection firewalls. First, application-proxy gateway firewalls examine the entire network packet rather than only the network addresses and ports. This enables these firewalls to provide more extensive logging capabilities than packet filters or stateful inspection firewalls. Another advantage is that application-proxy gateway firewalls can authenticate users directly, while packet filter firewalls and stateful inspection firewalls normally authenticate users based on the IP address of the system (together with the destination and protocol type). Given that network addresses can be easily spoofed, the authentication capabilities of application-proxy gateway firewalls are superior to those found in packet filter or stateful inspection firewalls.

Most firewalls implement a combination of these firewall functionalities. For example, many vendors of packet filter firewalls or stateful inspection firewalls have also implemented basic application-proxy functions to offset some of the weaknesses associated with their firewalls. In most cases, these vendors implement application proxies to provide better logging of network traffic and stronger user authentication.

In large organizations, you may also have to isolate smaller internal networks from the corporate network. You can set up such internal firewalls the same way that you set up Internet firewalls.

Using NATs

Network Address Translation (NAT) is an effective tool that enables you to “hide” the network addresses of an internal network behind a firewall. In essence, NAT allows an organization to use private network addresses behind a firewall while still maintaining the ability to connect to external systems through the firewall.

There are three methods of implementing NAT:

Static:

In static NAT, each internal system on the private network has a corresponding external, routable IP address associated with it. This particular technique is seldom used because unique IP addresses are in short supply.

Hiding:

With hiding NAT, all systems behind a firewall share the same external, routable IP address, while the internal systems use private IP addresses. Thus, with hiding NAT, a number of systems behind a firewall will still appear to be a single system.

Port Address Translation:

With port address translation, it is possible to place hosts behind a firewall system and still make them selectively accessible to external users.

Static NAT offers the most flexibility, but it is not always practical because of the shortage of IP addresses. Hiding NAT technology is seldom used because port address translation is often the most convenient and secure solution.
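The hiding and port address translation methods above, as an added Python sketch that is not code from the original post: every internal host is rewritten to the firewall's single public address with a per-flow public port, replies are mapped back only when they come from the peer the internal host contacted, and a static forward entry selectively exposes one internal service. The public address, the 10.0.0.x hosts and the peers in demo() are constructed values.

```python
PUBLIC_IP = "203.0.113.1"   # constructed: the firewall's single routable address

class PortTranslator:
    """Hiding NAT with port address translation on a single public address."""

    def __init__(self, forwards=None):
        self.next_port = 40000
        # outbound flow (priv ip, priv port, dst ip, dst port) -> public port
        self.out_table = {}
        # public port -> (priv ip, priv port, dst ip, dst port) for reply matching
        self.in_table = {}
        # static forwards: public port -> (internal ip, internal port)
        self.forwards = dict(forwards or {})

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of an outbound packet; returns (public ip, public port)."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out_table:
            pub = self.next_port          # allocate a fresh public port per flow
            self.next_port += 1
            self.out_table[key] = pub
            self.in_table[pub] = key
        return PUBLIC_IP, self.out_table[key]

    def inbound(self, src_ip, src_port, dst_port):
        """Return the (internal ip, internal port) an inbound packet maps to, or None."""
        flow = self.in_table.get(dst_port)
        if flow is not None:
            priv_ip, priv_port, peer_ip, peer_port = flow
            # only the peer the internal host talked to may use this mapping
            if (src_ip, src_port) == (peer_ip, peer_port):
                return priv_ip, priv_port
            return None
        # static port forward: selectively exposes one internal service
        return self.forwards.get(dst_port)

def demo():
    """Constructed traffic: two internal hosts, same source port, one public address."""
    nat = PortTranslator(forwards={443: ("10.0.0.10", 443)})
    web = "198.51.100.7"
    return [
        nat.outbound("10.0.0.5", 51000, web, 80),   # ("203.0.113.1", 40000)
        nat.outbound("10.0.0.6", 51000, web, 80),   # ("203.0.113.1", 40001)
        nat.inbound(web, 80, 40001),                 # ("10.0.0.6", 51000)
        nat.inbound("198.51.100.9", 80, 40000),      # None: not the session's peer
        nat.inbound(web, 80, 40002),                 # None: no mapping, no forward
        nat.inbound("198.51.100.9", 12345, 443),     # ("10.0.0.10", 443): forwarded
    ]
```

Note that both internal hosts use source port 51000; the translator keeps the flows apart by giving each its own public port, which is what lets many systems appear as one.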
