
Keeping Your Site Comfortably Secure - Putting the Pieces Together: Firewall Examples

Now that the basic components of firewalls have been examined, some examples of different firewall configurations are provided to give a more concrete understanding of firewall implementation. The firewall examples shown here are:

  • Packet Filtering Firewall,

  • Dual-homed Gateway Firewall,

  • Screened Host Firewall, and

  • Screened Subnet Firewall.

Additionally, a section is provided that discusses methods for integrating dial-in modem access with firewalls. The examples are based loosely on [Ran93], which provides concise but detailed guidance on firewall definition and design. In the examples, assumptions about policy are kept to a minimum, but policy issues that affect the firewall design are pointed out where appropriate. Readers should note that there are many other types of firewalls that are not illustrated here; their absence does not indicate that they are less secure, only that it is impractical to illustrate every potential design. The examples shown here were chosen primarily because they are covered by other literature in more detail and thus serve well as a basis for more study.

Packet Filtering Firewall

The packet filtering firewall (see figure) is perhaps the most common and the easiest to employ for small, uncomplicated sites. However, it suffers from a number of disadvantages and is less desirable as a firewall than the other examples discussed in this chapter. Basically, one installs a packet filtering router at the Internet (or any subnet) gateway and then configures the packet filtering rules in the router to block or filter protocols and addresses. The site systems usually have direct access to the Internet, while all or most access to site systems from the Internet is blocked. However, the router could allow selective access to systems and services, depending on the policy. Usually, inherently dangerous services such as NIS, NFS, and X Windows are blocked.

  
Figure: Packet Filtering Firewall.

A packet filtering firewall suffers from the same disadvantages as a packet filtering router, and these are magnified as the security needs of the protected site become more complex and stringent. They include the following:

  • there is little or no logging capability, thus an administrator may not easily determine whether the router has been compromised or is under attack,

  • packet filtering rules are often difficult to test thoroughly, which may leave a site open to untested vulnerabilities,

  • if complex filtering rules are required, the filtering rules may become unmanageable, and

  • each host directly accessible from the Internet will require its own copy of advanced authentication measures.

A packet filtering router can implement either of the two design policies discussed earlier. However, if the router cannot filter on source port, or cannot apply different rules to inbound and outbound packets, it becomes harder to implement the second policy, i.e., deny everything unless specifically permitted: the rules that let replies to permitted outbound connections back in end up admitting unrelated inbound connections as well. If the goal is to implement the second policy, a router that provides the most flexibility in the filtering strategy is desirable. Again, see [Chap92] as well as [Ches94] for more information.
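To make the source-port and direction point concrete, here is a small packet-filter model. It is an added example, not code from this guide or from [Chap92]. It assumes a hypothetical site network 192.0.2.0/24, first-match rule evaluation, and the policy "let site users telnet out, permit nothing else". It also goes one step beyond the text: the third ruleset additionally requires the TCP ACK bit on inbound replies, the standard refinement that closes the hole left when an attacker simply chooses source port 23. All packets are constructed.

```python
"""Model of a packet filtering router under the "deny everything unless
specifically permitted" policy.  Added example, not from the guide.
Assumptions: site network 192.0.2.0/24 (hypothetical), first match wins,
and the router can see direction, protocol, addresses, ports and ACK."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

SITE = "192.0.2.0/24"
HIGH = range(1024, 65536)          # unprivileged ports used by TCP clients


@dataclass(frozen=True)
class Packet:
    direction: str                  # "in" (from the Internet) or "out"
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False               # TCP ACK bit (False on a connection-opening SYN)


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    direction: Optional[str] = None  # None matches either direction
    proto: Optional[str] = None
    src_net: Optional[str] = None
    sport: Optional[range] = None   # None matches any port
    dst_net: Optional[str] = None
    dport: Optional[range] = None
    ack: Optional[bool] = None      # None: flag not examined

    def matches(self, p: Packet) -> bool:
        return all([
            self.direction is None or self.direction == p.direction,
            self.proto is None or self.proto == p.proto,
            self.src_net is None or ip_address(p.src) in ip_network(self.src_net),
            self.dst_net is None or ip_address(p.dst) in ip_network(self.dst_net),
            self.sport is None or p.sport in self.sport,
            self.dport is None or p.dport in self.dport,
            self.ack is None or self.ack == p.ack,
        ])


def decide(rules, packet) -> str:
    """First matching rule wins; an unmatched packet is denied (policy 2)."""
    for r in rules:
        if r.matches(packet):
            return r.action
    return "deny"


# (a) Router that filters on neither direction nor source port: the only
#     way to let telnet replies back in is to open every high port inbound.
LOOSE = [
    Rule("permit", proto="tcp", src_net=SITE, dport=range(23, 24)),
    Rule("permit", proto="tcp", dst_net=SITE, dport=HIGH),
    Rule("deny"),
]
# (b) Direction plus source port: replies must come *from* port 23.
DIRECTIONAL = [
    Rule("permit", "out", "tcp", src_net=SITE, dport=range(23, 24)),
    Rule("permit", "in", "tcp", sport=range(23, 24), dst_net=SITE, dport=HIGH),
    Rule("deny"),
]
# (c) As (b) but replies must also carry ACK, so an inbound SYN whose
#     source port was deliberately set to 23 is still refused.
STRICT = [
    Rule("permit", "out", "tcp", src_net=SITE, dport=range(23, 24)),
    Rule("permit", "in", "tcp", sport=range(23, 24), dst_net=SITE, dport=HIGH, ack=True),
    Rule("deny"),
]

# Constructed traffic (addresses are documentation ranges, not real hosts).
SAMPLES = {
    "telnet_out":        Packet("out", "tcp", "192.0.2.10", 1234, "198.51.100.5", 23),
    "telnet_reply":      Packet("in", "tcp", "198.51.100.5", 23, "192.0.2.10", 1234, ack=True),
    "x11_probe":         Packet("in", "tcp", "198.51.100.5", 40000, "192.0.2.10", 6000),
    "x11_spoofed_sport": Packet("in", "tcp", "198.51.100.5", 23, "192.0.2.10", 6000),
    "nfs_in":            Packet("in", "udp", "198.51.100.5", 40001, "192.0.2.10", 2049),
}


def audit(rules) -> dict:
    """Decision of the given ruleset for every sample packet."""
    return {name: decide(rules, p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, rs in (("loose", LOOSE), ("directional", DIRECTIONAL), ("strict", STRICT)):
        print(label, audit(rs))
```

Ruleset (a) lets the X11 probe straight through to port 6000 because it cannot tell a reply from a new connection; (b) stops that probe but still admits the one whose source port was set to 23; only (c) distinguishes the two, which is why the ACK test (and, on today's routers, connection tracking) became the norm.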

Dual-homed Gateway Firewall

The dual-homed gateway (see figure) is a better alternative to packet filtering router firewalls. It consists of a host system with two network interfaces, and with the host's IP forwarding capability disabled (i.e., the default condition is that the host can no longer route packets between the two connected networks). In addition, a packet filtering router can be placed at the Internet connection to provide additional protection. This would create an inner, screened subnet that could be used for locating specialized systems such as information servers and modem pools.

Unlike the packet filtering firewall, the dual-homed gateway is a complete block to IP traffic between the Internet and the protected site. Services and access are provided by proxy servers on the gateway. It is a simple firewall, yet very secure.

  
Figure: Dual-homed Gateway Firewall with Router.

This type of firewall implements the second design policy, i.e., deny all services unless they are specifically permitted, since no services pass except those for which proxies exist. The ability of the host to accept source-routed packets would be disabled, so that no other packets could be passed by the host to the protected subnet. It can be used to achieve a high degree of privacy since routes to the protected subnet need to be known only to the firewall and not to Internet systems (because Internet systems cannot route packets directly to the protected systems). The names and IP addresses of site systems would be hidden from Internet systems, because the firewall would not pass DNS information.

A simple setup for a dual-homed gateway would be to provide proxy services for TELNET and FTP, and centralized e-mail service in which the firewall would accept all site mail and then forward it to site systems. Because it uses a host system, the firewall can house software to require users to use authentication tokens or other advanced authentication measures. The firewall can also log access and log attempts or probes to the system that might indicate intruder activity.

The dual-homed gateway firewall, as well as the screened subnet firewall mentioned later in this chapter, provides the ability to segregate traffic concerned with an information server from other traffic to and from the site. An information server could be located on the subnet between the gateway and the router, as shown in the figure above. Assuming that the gateway provides the appropriate proxy services for the information server (e.g., ftp, gopher, or http), the router can prevent direct Internet access to the information server and force access to go through the firewall. If direct access is permitted to the server (which is the less secure alternative), then the server's name and IP address can be advertised by DNS. Locating the information server there also adds to the security of the site, as any intruder penetration of the information server would still be prevented from reaching site systems by the dual-homed gateway.

The inflexibility of the dual-homed gateway could be a disadvantage to some sites. Since all services are blocked except those for which proxies exist, access to other services cannot be opened up; systems that require the access would need to be placed on the Internet side of the gateway. However, a router could be used as shown in the figure above to create a subnet between the gateway and the router, and the systems that require extra services could be located there (this is discussed further under screened subnet firewalls below).

Another important consideration is that the host system used for the firewall must itself be very secure, as any vulnerable service or technique running on the host could lead to a break-in. If the host is compromised, an intruder could subvert the firewall outright, for example by re-enabling IP forwarding so that the host once again routes packets between the two networks.
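The two host settings the text relies on, IP forwarding off and source-routed packets refused, are exactly what an intruder with root on the gateway would turn back on, so they are worth checking continuously rather than once at install time. The following audit is an added example, not from the guide; it assumes a Linux gateway, reads `sysctl -a`-style output (the samples here are constructed, not captured), and uses eth0/eth1 as hypothetical interface names. It also checks IPv6 forwarding, which the original text predates but which a modern dual-homed host must disable as well.

```python
"""Audit of a dual-homed gateway's kernel settings.  Added example, not
from the guide.  Assumes Linux sysctl key names; the interface names and
the sample output below are constructed for illustration."""

# Settings that must hold on a dual-homed gateway.  Note that net.ipv4.ip_forward
# and net.ipv4.conf.all.forwarding are two names for the same switch.
REQUIRED = {
    "net.ipv4.ip_forward": "0",
    "net.ipv4.conf.all.forwarding": "0",
    "net.ipv6.conf.all.forwarding": "0",          # turning off IPv4 alone leaves an IPv6 path
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.default.accept_source_route": "0",
    "net.ipv6.conf.all.accept_source_route": "0",
}


def parse_sysctl(text: str) -> dict:
    """Parse 'key = value' lines as printed by `sysctl -a`; other lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_gateway(text: str, interfaces=("eth0", "eth1")) -> list:
    """Return (key, actual, expected) findings; an empty list means compliant.
    For IPv4 source routing the kernel requires both the 'all' and the
    per-interface knob to be 1 before accepting such packets, so all=0 is
    already sufficient; the per-interface checks guard against a later
    change to 'all'.  A missing key is reported with actual=None."""
    settings = parse_sysctl(text)
    expected = dict(REQUIRED)
    for ifname in interfaces:
        expected[f"net.ipv4.conf.{ifname}.forwarding"] = "0"
        expected[f"net.ipv4.conf.{ifname}.accept_source_route"] = "0"
    return [(key, settings.get(key), want)
            for key, want in expected.items() if settings.get(key) != want]


# Constructed sample output for a correctly configured gateway.
COMPLIANT = """
net.ipv4.ip_forward = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.eth1.forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.eth1.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
"""

# Constructed sample after tampering: IPv4 forwarding re-enabled and the
# IPv6 forwarding key absent altogether (e.g. the module was never loaded).
TAMPERED = "\n".join(
    l for l in COMPLIANT.splitlines() if "ipv6.conf.all.forwarding" not in l
).replace("net.ipv4.ip_forward = 0", "net.ipv4.ip_forward = 1")


if __name__ == "__main__":
    for label, sample in (("compliant", COMPLIANT), ("tampered", TAMPERED)):
        print(label, audit_gateway(sample) or "OK")
```

Feed it the live output of `sysctl -a` from cron or a configuration-management run; any finding means the gateway has quietly become a router, which is the failure mode the text warns about.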

[Garf92], [Ran93], and [Ches94] discuss advantages and disadvantages of dual-homed gateways used as firewalls.

Screened Host Firewall

The screened host firewall (see figure) is more flexible than the dual-homed gateway firewall, but the flexibility is achieved at some cost to security. The screened host firewall is often appropriate for sites that need more flexibility than the dual-homed gateway firewall provides.

The screened host firewall combines a packet-filtering router with an application gateway located on the protected subnet side of the router. The application gateway needs only one network interface. The application gateway's proxy services would pass TELNET, FTP, and other services for which proxies exist, to site systems. The router filters or screens inherently dangerous protocols from reaching the application gateway and site systems. It rejects (or accepts) application traffic according to the following rules:

  • application traffic from Internet sites to the application gateway gets routed,
  • all other traffic from Internet sites gets rejected, and
  • the router rejects any application traffic originating from the inside unless it came from the application gateway.

  
Figure: Screened Host Firewall.

Unlike the dual-homed gateway firewall, the application gateway needs only one network interface and does not require a separate subnet between the application gateway and the router. This permits the firewall to be made more flexible but perhaps less secure by permitting the router to pass certain trusted services ``around'' the application gateway and directly to site systems. The trusted services might be those for which proxy services don't exist, and might be trusted in the sense that the risk of using the services has been considered and found acceptable. For example, less-risky services such as NTP could be permitted to pass through the router to site systems. If the site systems require DNS access to Internet systems, DNS could be permitted to site systems. In this configuration, the firewall could implement a mixture of the two design policies, the proportions of which depend on how many and what types of services are routed directly to site systems.

The additional flexibility of the screened host firewall is cause for two concerns. First, there are now two systems, the router and the application gateway, that need to be configured carefully. As noted before, packet filtering router rules can be complex to configure, difficult to test, and prone to mistakes that lead to holes through the router. However, since the router needs to limit application traffic only to the application gateway, the ruleset may not be as complex as for a typical site using a packet filtering firewall (which may restrict application traffic to multiple systems).

The second disadvantage is that the flexibility opens up the possibility that the policy can be violated (as with the packet filtering firewall). This is less of a problem than with the dual-homed gateway firewall, since it is technically impossible to pass traffic through the dual-homed gateway unless there is a corresponding proxy service. Again, a strong policy is essential.

Screened Subnet Firewall

 

The screened subnet firewall is a variation of the dual-homed gateway and screened host firewalls. It can be used to locate each component of the firewall on a separate system, thereby achieving greater throughput and flexibility, although at some cost to simplicity. But, each component system of the firewall needs to implement only a specific task, making the systems less complex to configure.

In the figure below, two routers are used to create an inner, screened subnet. This subnet (sometimes referred to in other literature as the ``DMZ'') houses the application gateway, but it could also house information servers, modem pools, and other systems that require carefully-controlled access. The router shown as the connection point to the Internet would route traffic according to the following rules:

  • application traffic from the application gateway to Internet systems gets routed,
  • e-mail traffic from the e-mail server to Internet sites gets routed,
  • application traffic from Internet sites to the application gateway gets routed,
  • e-mail traffic from Internet sites to the e-mail server gets routed,
  • ftp, gopher, etc., traffic from Internet sites to the information server gets routed, and
  • all other traffic gets rejected.

The outer router restricts Internet access to specific systems on the screened subnet, and blocks all other traffic to the Internet originating from systems that should not be originating connections (such as the modem pool, the information server, and site systems). The router would be used as well to block packets such as NFS, NIS, or any other vulnerable protocols that do not need to pass to or from hosts on the screened subnet.

The inner router passes traffic to and from systems on the screened subnet according to the following rules:

  • application traffic from the application gateway to site systems gets routed,
  • e-mail traffic from the e-mail server to site systems gets routed,
  • application traffic to the application gateway from site systems gets routed,
  • e-mail traffic from site systems to the e-mail server gets routed,
  • ftp, gopher, etc., traffic from site systems to the information server gets routed,
  • all other traffic gets rejected.
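The two rule lists above, together with the outer router's treatment of the modem pool and information server, can be checked mechanically rather than by inspection. The model below is an added example, not from the guide; the host names (attacker, remote_site, app_gw, mail, info, modem_pool, ws1, fileserver), the zone names and the service labels are hypothetical stand-ins for the boxes in the figures, and the two rule lists are transcribed from the bullets. It computes which (destination, service) pairs each host can reach after crossing whichever routers lie on the path, and then shows what happens when a ``trusted'' service such as NTP is passed around the application gateway, the flexibility the text goes on to caution against.

```python
"""Reachability model of the screened subnet firewall.  Added example, not
from the guide; all host, zone and service names are hypothetical."""
from itertools import product

ZONE = {                               # which network each host sits on
    "attacker": "internet", "remote_site": "internet",
    "app_gw": "dmz", "mail": "dmz", "info": "dmz", "modem_pool": "dmz",
    "ws1": "site", "fileserver": "site",
}
APP = {"telnet", "ftp"}                # services the application gateway proxies
INFO = {"ftp", "gopher", "http"}       # services the information server offers
ALL = APP | INFO | {"smtp", "nfs", "x11", "ntp"}

# Router rules as (source, destination, services).  Source/destination are
# a host name, a zone name or "any"; anything not listed is rejected.
OUTER = [                              # router on the Internet side
    ("app_gw", "internet", APP),
    ("mail", "internet", {"smtp"}),
    ("internet", "app_gw", APP),
    ("internet", "mail", {"smtp"}),
    ("internet", "info", INFO),
]
INNER = [                              # router on the site side
    ("app_gw", "site", APP),
    ("mail", "site", {"smtp"}),
    ("site", "app_gw", APP),
    ("site", "mail", {"smtp"}),
    ("site", "info", INFO),
]


def _names(host):
    """Every selector a rule could use to refer to this host."""
    return {host, ZONE[host], "any"}


def router_permits(rules, src, dst, service):
    return any(s in _names(src) and d in _names(dst) and service in svcs
               for s, d, svcs in rules)


def routers_between(src, dst):
    """Routers a packet crosses: internet<->dmz is the outer router,
    dmz<->site the inner one, internet<->site both.  Hosts on the same
    subnet talk directly and nothing filters them."""
    zones = {ZONE[src], ZONE[dst]}
    hops = []
    if len(zones) == 2 and "internet" in zones:
        hops.append("outer")
    if len(zones) == 2 and "site" in zones:
        hops.append("inner")
    return hops


def permitted(src, dst, service, outer=OUTER, inner=INNER):
    """True if every router on the path permits the flow end to end."""
    table = {"outer": outer, "inner": inner}
    return all(router_permits(table[r], src, dst, service)
               for r in routers_between(src, dst))


def reachable_from(src, outer=OUTER, inner=INNER):
    """Set of (destination, service) pairs src can reach."""
    return {(dst, svc) for dst, svc in product(ZONE, sorted(ALL))
            if dst != src and permitted(src, dst, svc, outer, inner)}


def site_exposed(outer=OUTER, inner=INNER):
    """Site hosts reachable directly from the Internet; should be empty."""
    return {(src, dst, svc) for src in ZONE if ZONE[src] == "internet"
            for dst, svc in reachable_from(src, outer, inner)
            if ZONE[dst] == "site"}


# Passing a "trusted" service around the gateway: one extra permit on each
# router, and site hosts become directly reachable from the Internet.
OUTER_NTP = OUTER + [("internet", "site", {"ntp"})]
INNER_NTP = INNER + [("internet", "site", {"ntp"})]

if __name__ == "__main__":
    print("attacker can reach:", sorted(reachable_from("attacker")))
    print("site exposed, as designed:", site_exposed())
    print("site exposed with NTP around the gateway:", sorted(site_exposed(OUTER_NTP, INNER_NTP)))
```

With the rules exactly as listed, the Internet reaches only the application gateway, mail server and information server, the information server and modem pool cannot originate anything outward or inward, and dial-in users on the modem pool reach the site only by first connecting to the application gateway on their own subnet. The NTP variant makes the cost of the ``trusted service'' shortcut visible: every site host is now a direct target for that service, on both routers.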

  
Figure: Screened Subnet Firewall with Additional Systems.

Thus, no site system is directly reachable from the Internet and vice versa, as with the dual-homed gateway firewall. A big difference, though, is that the routers are used to direct traffic to specific systems, thereby eliminating the need for the application gateway to be dual-homed. Greater throughput can be achieved, then, if a router is used as the gateway to the protected subnet. Consequently, the screened subnet firewall may be more appropriate for sites with large amounts of traffic or sites that need very high-speed traffic.

The two routers provide redundancy in that an attacker would have to subvert both routers to reach site systems directly. The application gateway, e-mail server, and information server could be set up such that they would be the only systems ``known'' from the Internet; no other system name need be known or used in a DNS database that would be accessible to outside systems. The application gateway can house advanced authentication software to authenticate all inbound connections. It is, obviously, more involved to configure, however the use of separate systems for application gateways and packet filters keeps the configuration more simple and manageable.

The screened subnet firewall, like the screened host firewall, can be made more flexible by permitting certain ``trusted'' services to pass between the Internet and the site systems. However, this flexibility may open the door to exceptions to the policy, thus weakening the effect of the firewall. In many ways, the dual-homed gateway firewall is more desirable because the policy cannot be weakened (the dual-homed gateway cannot pass services for which there is no proxy). However, where throughput and flexibility are important, the screened subnet firewall may be preferable.

As an alternative to passing services directly between the Internet and site systems, one could locate the systems that need these services directly on the screened subnet. For example, a site whose policy forbids X Windows or NFS traffic between the Internet and site systems, but which has a few systems that need such access anyway, could locate those systems on the screened subnet. The systems could still reach site systems by connecting through the application gateway, with the inner router reconfigured as necessary. This is not a perfect solution, but it is an option for sites that require a high degree of security.

There are two disadvantages to the screened subnet firewall. First, the firewall can be made to pass ``trusted'' services around the application gateway(s), thereby subverting the policy. This is true also with the screened host firewall, however the screened subnet firewall provides a location to house systems that need direct access to those services. With the screened host firewall, the ``trusted'' services that get passed around the application gateway end up being in contact with site systems. The second disadvantage is that more emphasis is placed on the routers for providing security. As noted, packet filtering routers are sometimes quite complex to configure and mistakes could open the entire site to security holes.

Integrating Modem Pools with Firewalls

Many sites permit dial-in access to modems located at various points throughout the site. As discussed earlier, this is a potential backdoor and could negate all the protection provided by the firewall. A much better method for handling modems is to concentrate them into a modem pool, and then secure connections from that pool.

The modem pool likely would consist of modems connected to a terminal server, which is a specialized computer designed for connecting modems to a network. A dial-in user connects to the terminal server, and then connects (e.g., telnets) from there to other host systems. Some terminal servers provide security features that can restrict connections to specific systems, or require users to authenticate using an authentication token. Alternatively, the terminal server can be a host system with modems connected to it.

  
Figure: Modem Pool Placement with Screened Host Firewall.

The figure above shows a modem pool located on the Internet side of the screened host firewall. Since connections from modems need to be treated with the same suspicion as connections from the Internet, locating the modem pool on the outside of the firewall forces the modem connections to pass through the firewall.

The application gateway's advanced authentication measures can be used then to authenticate users who connect from modems as well as from the Internet. The packet filtering router could be used to prevent inside systems from connecting directly to the modem pool.

A disadvantage to this, though, is that the modem pool is connected directly to the Internet and thus more exposed to attack. If an intruder managed to penetrate the modem pool, the intruder might use it as a basis for connecting to and attacking other Internet systems. Thus, a terminal server with security features to reject dial-in connections to any system but the application gateway should be used.

  
Figure: Modem Pool Placement with Screened Subnet and Dual-Homed Firewalls.

The dual-homed gateway and screened subnet firewalls provide a more secure method for handling modem pools. In the figure above, the terminal server is located on the inner, screened subnet, where access to and from the modem pool can be carefully controlled by the routers and application gateways. The router on the Internet side protects the modem pool from any direct Internet access except from the application gateway.

With the dual-homed gateway and screened subnet firewalls, the router connected to the Internet would prevent routing between Internet systems and the modem pool. With the screened subnet firewall, the router connected to the site would prevent routing between site systems and the modem pool; with the dual-homed gateway firewall, the application gateway would prevent the routing. Users dialing into the modem pool could connect to site systems or the Internet only by connecting to the application gateway, which would use advanced authentication measures.

If a site uses any of these measures to protect dial-in access, it must rigidly enforce a policy that prevents any users from connecting modems elsewhere on the protected subnet. Even if the modems contain security features, this adds more complexity to the firewall protection scheme and adds another ``weak link'' to the chain.
