8.2 Firewalls
Firewalls are networking devices that manage access to your organization's network resources. Firewalls are normally placed at the ingress/egress interfaces on the network. If the network has various entrance points, position a firewall at each point to offer successful network access control. The core function of a firewall is to monitor and filter traffic. Besides placing firewalls on the perimeter of your network, you can also place firewalls within the network to control access to particular parts of your network.
A firewall device can also be a router running a firewall feature set or it can be a PIX box. Firewalls scrutinize messages passing through. Trusted traffic is permitted and untrusted traffic is blocked. Packet filters, proxy filters, and stateful packet filters are techniques that the firewall uses to provide protection. Many firewalls use two or more techniques. Each technique operates at different layers of the OSI model to filter and manage traffic.
Packet filters use ACLs to examine incoming and outgoing Layer 3 and Layer 4 information. Data is either accepted or explicitly denied, based on previously defined and configured rules. Packet filters are effective and fast because they only examine and handle information up to Layer 4. ACLs use one or all the following information in Layer 3 and Layer 4 to filter data packets:
Source IP address;
Destination IP address;
Source port;
Destination port; and/or
Protocols: IP, TCP, UDP, ICMP
On the other hand, packet filters do not trace the TCP session information that is produced when two computers are conversing with each other. This makes ACLs vulnerable to IP address spoofing. Spoofing is a technique used by hackers to get unauthorized access to computers. The hacker tries to indicate that a packet is being sent from a trusted host by modifying the source IP Address. This creates the impression that the traffic was sourced from an internal computer. In addition, intricate ACLs can be complicated to implement and configure.
Proxy filters are also referred to as application proxy servers and stands between the internal network and outside networks. It acts as a middle means between a user and the outside environment. Proxies examine information from Layer 4 up to, and including, Layer 7. An internal user, requiring to browse a website for instance, first establishes a session with the proxy server. The proxy server in turn authenticates the user and then checks whether the asked for destination IP address is a blocked site. When all information has been authenticated, the proxy server creates a session between itself and the destination (website). Proxies can also create thorough access logs. Although proxies provide an efficient means of protection they reduce performance. Proxies are standard servers running on general operating systems and are susceptible to operating system associated attacks from hackers.
Stateful packet filters, which are also known as stateful inspection provides a better solution by merging the velocity of packet filters with the added efficient security of stored session information by proxies. This ensures enhanced performance and decreases exposure to an attack. The Cisco PIX firewall mostly uses stateful packet filtering to create TCP and UDP connections, and to handle multiple session channels and port number changes. As traffic is sent through the firewall slots are created in session flow tables that holds source and destination IP addresses, TCP protocol data and port numbers. Prior to traffic moving through the firewall again, stateful examinations occur whereby the packets are checked against the session flow tables for an existing connection slot. Packets are only forwarded when a match is established.
8.2.1 The Cisco IOS Firewall Feature Set (CBAC)
The Cisco IOS firewall feature set merges existing Cisco IOS firewall technology and the Context-Based Access Control (CBAC). Upon configuring the Cisco IOS firewall feature set on your Cisco router, the router becomes an effective firewall. The Cisco IOS firewall feature set is designed to permit authorized users access to the network resources. This design prohibits unauthorized, external persons from getting access to the internal network and assists in preventing network attacks. At the core of the Cisco IOS firewall feature set is the Cisco advanced firewall engine. This engine tracks the state and context of network connections to secure traffic flow. It augments security for TCP and UDP applications that use familiar ports by investigating source and destination IP addresses.
The security benefits provided by the Cisco IOS firewall feature set includes: defense against intrusion; monitoring of network traffic through the network perimeter; facilitation of network commerce via the Internet.
8.2.1.1 Authentication Proxy and the Cisco IOS Firewall
Authentication proxy is a feature that became available with Cisco IOS Software Release 12.0.5.T. It allows users to authenticate via the firewall when accessing specific resources. The Cisco IOS firewall is designed to interface with AAA servers using standard authentication protocols to perform this function. The Cisco IOS firewall supports TACACS+ and RADIUS AAA servers. Cisco Secure Access Control Server (CSACS) can perform both TACACS+ and RADIUS functions. Authentication proxy is one of the core components of the Cisco IOS firewall feature set. Prior to the implementation of authentication proxy, access to a resource was usually limited by the IP address of the requesting source and a single policy was applied to that source or network. Authentication proxy permits administrators to limit access to resources on an individual user basis and tailor the privileges of each individual as opposed to applying a generic policy to all users.
Authentication proxy is not a service that is transparent to the user, it requires user interaction. The authentication proxy is activated when the user opens an HTTP session through the Cisco IOS firewall. The firewall verifies whether the user has already been authenticated. If the user was previously authenticated, it permits the connection. If the user has not been previously authenticated, the firewall prompts the user for a username and password and verifies the user input with a TACACS+ or RADIUS server.
8.2.2 Demilitarized Zone (DMZ) Architecture
A network can be divided into three distinct areas based on where traffic originates from, and where its destination is. These areas can be:
Trusted, which is normally a private sector of the network that needs protection against security threats and attacks. Traffic coming from the less trusted areas of the firewall is blocked. In this manner, security is implemented and computers in this area enjoy more protection and security.
Untrusted, which are areas of the network like the Internet segment of the firewall that are open to the element of security threats.
Demilitarized Zone (DMZ), which is an area like a web server, that normally supports computers or services that are used by trusted authorized users and untrusted external individuals. The DMZ therefore resides between a trusted and untrusted area. The DMZ is considered an untrusted area from within the private trusted network. Accordingly, traffic originating from the DMZ is blocked. The DMZ is implemented by using specialized hosts to permit services such as web server, DNS, FTP servers, e-mail relays, and Telnet. These hosts are usually referred to as bastion hosts. Bastion hosts have been hardened through lock down measures, installing security patches and turning off unnecessary services. These bastion hosts are also given the highest security priorities because of their exposure to the untrusted area.