«Table of Content Executive Summary Brief survey of firewall concepts What is the problem? What is a firewall? What skills are necessary to manage a ...»
(Updated May 2009)
Table of Content
Brief survey of firewall concepts
What is the problem?
What is a firewall?
What skills are necessary to manage a firewall?
Do firewalls have a downside?
What are the options?
Managed Network Firewall Service
Personal or host-based firewalls
Special constructs for researchers:
Which computer systems should be protected?
NUIT’s approach to firewall deployment
Balancing effectiveness and costs
Mixing and matching firewall solutions
NUIT planned service offering
Non-NUIT Managed Network Firewalls
Appendix A – Firewall Vendor Recommendation
Cisco – PIX and FWSM
Ease of management and administration of the platform
Installation into the infrastructure
Appendix B – Personal Firewall Software
Appendix C – Firewall Service Pricing
Executive Summary Firewalls are one component of a strategy to combat malicious activities and assaults on computing resources and network-accessible information. Other components include anti-virus software and intrusion detection software. Most computers within Northwestern are protected by anti-virus software.
NUIT has prepared this document to orient both technical and management staff to the capabilities of firewall software, and to assist those persons to decide on an appropriate level of participation in this technology. While several approaches were considered for individual users, departments, and divisions, NUIT recommends that the University adopt a systematic approach to this security issue. Common equipment and common management approaches will leverage investments to increase overall security.
Brief survey of firewall concepts What is the problem?
Due to ongoing occurrences of network security incidents and the increased requirements to protect institutional information, there is interest within University departments for a method of controlling the traffic that is allowed to access their computers. The ideal solution would be for each computer or networked device to be secured from intrusion and patched to eliminate vulnerabilities; however, this is not always a realistic scenario. The challenge lies in not only understanding the vulnerabilities of a system and in configuring a system to behave securely, but also in enforcing the security best practices for all the devices within one’s domain. Products that have a default install of “unsecure” make this task all the more difficult. Many departments find it difficult to enforce security policies or to educate end users or themselves on how to do this. As a result of these concerns, many departments are looking for a way to control the traffic that is allowed to access their computer systems.
Although firewalls are not a complete solution to preventing security attacks against a host or the network itself, they can add another layer of security when properly deployed. A firewall is by no means a panacea; it’s simply another tool to assist in controlling the types of traffic that a host must deal with. The only completely secure firewall is one that blocks all traffic; however, a computer with no network connectivity is not a very useful one these days.
What is a firewall?
A firewall is a device or software that can inspect traffic at a deeper level than most network elements. It can be software that resides on a host  and inspects traffic before it is allowed to interact with any other applications on that host. This type of firewall is known as a host-based firewall or personal firewall. A second type of firewall is a network firewall that does not reside on the computer system that it’s protecting. It is a standalone device that must be inserted into the network so that it can inspect traffic that flows through it and make decisions on whether it will allow or deny a particular packet or flow of packets. Neither type of firewall has any “magic” that can decipher good traffic from bad traffic. The firewall makes a decision using the information that has been provided by the person responsible for the systems being protected. This information is expressed as a set of rules known as the “ruleset”. The ruleset should follow a department’s security policy, which is an essential component to establishing security. If one can’t define what traffic should be allowed, then rules can’t be developed to enforce it.
What skills are necessary to manage a firewall?
The management of a firewall requires a detailed understanding of data networking elements (routers and switches), as well as a detailed understanding of network protocols (the languages used when systems communicate over the network). Furthermore, it requires the ability to translate these concepts along with a security policy into an effective ruleset that can be applied to the firewall.
Beyond installation of the firewall into the network, firewalls must be configured with rulesets that accept or deny the types of traffic specific to the department’s security policy. The collection of rules that make up the ruleset must be logically defined in the format dictated by the firewall’s operating system and in the proper order.
Both routers and switches are network elements that require experience to effectively deploy and firewalls that perform these same functions have the same requirement. There are two general modes of operation for network firewalls.
Network firewalls can act as routers (route mode) or switches (transparent mode). Route mode is the more traditional mode used by firewalls and requires modifications to the existing infrastructure in order to accommodate the new networks that are created for the protected hosts. NAT (network address translation) is a special form of route mode and will not be distinguished from route mode for the purposes of this discussion. Route mode also requires that the IP addresses of the protected hosts changed. Transparent (switch) mode allows for a more seamless installation yet still requires an understanding of switching technology to safely deploy.
Do firewalls have a downside?
Putting every host behind a network firewall requires that all traffic go through the firewall in order to access resources on the other side. There is some benefit to putting up a barrier between a user and network resources but there are also negative effects.
Firewalls are high-touch systems that need to look much deeper into a packet than a simple switch or routing device. As a packet flows through a firewall, many processes need to occur: 1) a connection must be accepted from the outside, 2) information about the connection must be stored, 3) a decision must be made about how to process the packets associated with that connection, and 4) new connections to the inside need to be established. This processing needs to happen separately for each connection or communication between two hosts and in both directions. Comparing this processing with that of a low-touch network element such as a switch or router, firewalls will cause delay that could affect the flow of information between hosts on a network. The amount of delay experienced through a firewall is dependent on how the firewall is implemented.
Firewalls that process in hardware will be faster than firewalls that process in software.
The complexity and high-touch aspect of firewalls also limits the new applications that can be supported behind a firewall since the firewall must be updated to understand each new application. This is especially important in a university department that requires high bandwidth applications or advanced services such as jumbo packets, IP version 6 or encryption. The original design of the Internet stressed the end-to-end argument that put intelligence and complexity at the edges while keeping devices in the middle simple and efficient. This design is important to researchers because it does not put up a barrier to the development of new and innovative applications.
Recommendations What are the options?
In determining the placement and method of attaching firewalls to the network, there are several alternatives to consider. Placement of the firewall determines what set of users can be protected from each other and how easily a solution can be managed both from NUIT’s perspective and the University community. When deciding on how to incorporate a firewall into a security strategy, department administrators have two options from which to choose: managed network firewall service or a host-based firewall. The managed network firewall service is a stand-alone firewall appliance that is deployed in the network. Host-based firewalls comprises of a software running on a host and can be utilized where a managed network firewall is impractical or unfeasible (as discussed below), or as an additional layer of control in conjunction with a managed network firewall. The features and concerns of both the options, which were identified at the time of assessment, are outlined below.
Managed Network Firewall Service The recommended solution is the firewall service option where the network firewall is installed, managed and maintained by NUIT. Choosing to purchase a firewall service from NUIT has several benefits. The department will be alleviated of the everyday management of the device, which will be backed up and monitored by NUIT. Should the device fail, NUIT will replace it on the spot and put the configurations back to get the department up and running quickly. The appliance would be a best-of-breed solution that NUIT certifies for installation into the University network. Such a device will have the features necessary to run applications supported by the University.
The firewall features of this enterprise class equipment are outlined below:
• Bandwidth capacity from 160Mbps to 1 Gbps (firewalls with much higher bandwidth capacity are available to cater to custom requirements)
• Do not preclude features such as remote access VPN, multicast, H.323, VoIP, etc.
• Support for multiple deployment options (route mode, NAT mode and transparent mode)
• Robustness features such as hardware processing and several mechanisms to prevent DoS attacks.
• Enhanced logging and management.
In addition to the powerful feature set, the managed network firewall service
provides additional benefits to technical administrators:
• Support contracts are handled by NUIT while customer pays an easily budgeted annual fee.
• Ability for the customer to manage their own rulesets; while NUIT manages the rest of the firewall.
• Software upgrades would be handled as part of the service.
• Customers can take advantage of future NUIT services such as correlation of logs that will enhance the overall security of the University.
• Positions the customer for new firewall services that will provide immediate protection against new attacks that may arise.
Personal or host-based firewalls Host-based firewalls can be very effective in defining a security policy because they are only responsible for a single host. For the majority of hosts that are client  PC’s, a single rule such as “don’t allow any communication to this host unless this host initiated the conversation” will suffice. This type of rule can be easily applied with most firewalls, but may be too restrictive for hosts that need to accept outside connections. An example of such a host would be one participating in a video conference. In general, if the hosts within a domain are homogenous with respect to their security policy, firewalls (host-based and network) will be very effective. Management issues occur when the host security policies are unique for each host. In this case management of each individual host-based firewall will be time consuming without a centralized management console.
Depending on the licensing and central management features, host-based firewalls can also be expensive. For those departments that are able to upgrade to Windows XP/Vista or Windows 2000 a host-based firewall is included with the price of Windows. The Linux operating system also has a built-in firewall.
Separate firewall products often come with subscription support that can be valuable when no other layers of protection are deployed. See Appendix B for a brief discussion of this software.
Host-based firewalls can be used alone or in conjunction with a network firewall for an added layer of security. The benefits of host-based firewalls are
• A host is protected even if it is moved from network to network (as with mobile devices)
• Certain operating systems provide host-based firewalls free of charge (Windows XP/Vista, Mac OS X, Linux)
• Host-based firewalls can have very effective rulesets since they enforce the security policy for a single host.
Host-based firewalls have the following issues that may decrease their
effectiveness when used for servers or clients with diverse security requirements:
• A host-based firewall on a heavily loaded computer may delay processing needed for other tasks the host is required to do. Therefore, host-based firewall software may not be a good solution for a server.
• Host-based firewalls are only as secure as the underlying operating system and may be more susceptible to DoS attacks.
• Managing several host-based firewalls with unique rulesets will be difficult without additional management software.
Special constructs for researchers:
The operational requirements for research computer systems are very different from the operational requirements of administrative computer systems.
Administrative systems look very much like the business world and firewalls that exist today meet their needs nicely; however, research systems cannot be accommodated with firewalls that exist in the industry today.