Set Up a Flame-Proof Firewall

Worried about potential security gaps? Follow these seven steps to make sure your installation won’t melt under fire.

By Roberta Bragg
December 01, 1999
        I can still remember when most people thought a firewall 
        was a special wall placed in a building to prevent the 
        spread of fire. Now it’s just what the doctor ordered 
        to protect your company from those heinous hacker homies, 
        and sooner or later it’s going to be your job to put one 
        into operation. Are you up to the job? Do you know how 
        to install a flame-proof firewall? Here are seven sure-fire 
        tips on how to set up a firewall right the first time.
      1. Know Why You’re Installing the Firewall
      Was this your choice? Been fighting for a firewall? Has 
        it just become company policy? The consultants who brought 
        in the Web site insisted on a firewall? Your boss handed 
        you a box and said, “Here, go install this?” If you know 
        what a firewall is and why you’re installing it, this 
        can help dictate which features to choose during installation 
        and configuration, and even where you place the firewall 
        in your network. So that we’re on the same page, I define 
        a firewall as a service that limits access between the 
        Internet and a private network, between pairs or groups 
        of private networks, or between sensitive and less-sensitive 
        parts of private networks.
      More than any other system you’ll configure, a firewall has only one purpose in life, and that purpose may seem to run counter to the availability/usability/ease-of-use credo you’ve had hammered into your head all this time. After all, by definition, a firewall blocks information flow. So ask the question: why are we installing this firewall? You don’t want to make it harder for people to get information, do you?
      Time to wake up. Information flow has to be controlled 
        like everything else. The peace, free love, and freedom 
        of information banner just doesn’t fly well in corporate 
        America. Just as we don’t want our precious laptops and 
        automobiles to be “borrowed” by someone else, information 
        in your company is critical to its survival. As rapidly 
        as we expand the boundaries of information access to include 
        our suppliers and customers, we must protect our private 
        information (and theirs).
      
         
           
            
               
                 
                  
                     
      Sidebar: The Proxy Server Connection

      Proxy services are applications that run on a firewall. User requests for Internet services such as FTP, telnet, and http are received and forwarded according to the security policy. Proxy servers therefore act as gateways: the proxy terminates the client’s connection and opens a separate one of its own to the service, so the client never “talks” directly to the service. Use of a proxy service is usually transparent to the user. Because proxy services are implemented in software, they should be paired with a mechanism that physically prevents or restricts direct communication between internal and external systems, such as a dual-homed host (a host with two network interfaces) and/or packet filtering. Proxy servers require proxy clients; Web browsers can be configured to act as proxy clients.
        
      
      But again, why are you installing a firewall now? Are 
        you setting up a perimeter defense for your corporate 
        network? Creating a DMZ (demilitarized zone) where Web 
        servers and other systems that need to be accessed by 
        your business partners or customers can reside? Putting 
        up a wall around sensitive areas of your company to assure 
        only the select, authorized, vetted few can get in? Firewalls 
        are often used for all these purposes. Knowing who’s supposed 
        to get in, and who’s not, will help you properly configure 
        the firewall, as well as monitor how well it’s performing.
      Understanding the type of systems that sit on either 
        side of the firewall helps you determine which ports to 
        open or close. After all, not all access is determined 
        by user ID. Understanding the way services and applications 
        communicate machine-to-machine can help us control access. 
        Most communication relies on connection to a standard 
        port number (see “Consider These Weaknesses”). Block the 
        wrong port and authorized work can’t continue; leave the 
        wrong ones open and your firewall’s got holes large enough 
        for dragons to fly through.
      Take the time to ask:
      
        -  What are you trying to protect against? Denial of service? Information theft? Intrusion?

        -  Who’s likely to be attacking your systems? Vandals? Joyriders? Braggarts? Information spies? Inexperienced users doing things they shouldn’t? (Stupidity is hardly an attack, but the results are the same.)
 
      
      2. Read the Docs—Know All about Your Firewall
      You know the old adage: if all else fails, read the documentation. But you can’t wait for all else to fail here. Fail to fasten your seat belt and hit a brick wall head on, and it’s a little too late to read the instructions. Fail to configure your firewall correctly, and you may be open to an attack that can precipitate corporate meltdown. So grab those docs and a good cup of latte and head for a quiet place. All firewalls are not created equal. They don’t even work the same way: some filter packets by header fields, some proxy whole connections, some do both. Knowing what your firewall is supposed to do, and how to make it do so, gives you the edge you need to set it up right the first time. Firewalls are complex, and chances are you don’t set them up every day. Would you try to pilot a jet with your knowledge of driving an automobile?
      I wish I had a quarter for every time someone has said 
        to me he found the answer to the problem he spent hours 
        trying to figure out in the documentation. The first firewall 
        I installed had a printout of a sample configuration for 
        very close to my exact needs. Although the documentation 
        was a little unclear, the screenshots showed me how to 
        enter appropriate information and made it easier to add 
        additional features. If the documentation is unintelligible, 
        get some help. Often the manufacturer has updated docs, 
        FAQs, newer versions of utilities, forums, and direct 
        support links on its site.
      By the way, this isn’t the time to question anyone’s 
        judgment in choosing this particular firewall. While this 
        intense study of its features (or lack of them), ease 
        of use, and the ability of its publisher to produce usable 
        documentation may make you aware of its shortcomings and 
        make you wish you or the powers that be had chosen another 
        firewall, chances are you’re not going to get anywhere 
        by grumbling. Put the system together, do the best with 
        what you have, and document the need for other things 
        to occur to make your system safe.
      A good practice is to make a list of the things the firewall 
        can do, such as blocking services, blocking systems, controlling 
        who can transfer files across the firewall, and recording 
        information about accesses and attempted access. This 
        helps you with the next step.
      3. Match Features of the Product to Your Company Security Policy
      Your company security policy will tell you which features 
        of the firewall you’ll need to implement—and let you know 
        the things that the firewall can’t do. See No. 6. Don’t 
        know what your corporate security policy is? Find out. 
        Implementing a flame-proof firewall isn’t so hot if what 
        the company really wants to do is to toast marshmallows. 
        Typical implementations require you to:
      
        -  Set up filters to block services. Does your company allow Internet Relay Chat (IRC)? Probably not. Hostile IRC servers and users have exploited IRC clients to reach files, processes, and programs on the client machine. Don’t let IRC users apply these features against the unsuspecting. Do you want ping, telnet, FTP, traceroute, or http requests to enter your network? How about letting internal users reach those services across the Internet? Fortunately, firewalls are usually set up on the “least privilege” principle and the “that which isn’t expressly permitted is prohibited” proverb: by default, all ports are blocked. You don’t have to close the ones with possible malicious use; you have to open the ones you want to allow, and only those. Your security policy tells you which ones to choose, and every open port should be traceable to a line in it.
 
        -  Insist that your company establish 
          a security policy. Somebody got a great big dose 
          of security awareness somewhere, or the money wouldn’t 
          have been spent. Tell the powers-that-be that a policy 
          is required for proper setup. If no one will write one, 
          do it yourself. Having a written policy—title it, “This 
          is how I’m going to configure the firewall”—starts the 
          conversation. And, oh, get it approved. Can’t get it 
          approved? Well, they did tell you to set up the firewall, 
          didn’t they? You were going to have to make the choices 
          anyway. Now you’re documenting what you did and allowing 
          management to pass on it.
 
        -  Monitor log activity. Once 
          you know which logs are activated or able to be activated 
          and what’s being logged, you can decide how much of 
          this information is necessary to fulfill policy requirements. 
          However, don’t forget another good use of logs: maintenance. 
          You may want to start out logging more information than 
          you think you need and reducing it if you don’t feel 
          it adds anything to the picture. Once again, this may 
          be part of your security policy.
 
      
      4. Get the Advice of Peers; Take a Class; Hire an Expert
      If you haven’t already joined security lists, now’s the 
        time to do it. A good one is ntbugtraq (www.ntbugtraq.com). 
        These lists provide you with an endless stream of inane 
        chatter about risks and perceived risks of OSs and other 
        products, including firewalls. You’re going to have to 
        filter the information, but it does provide a ready source, 
        and a place for you to ask specific information about 
        your firewall and its perceived features, benefits, and 
        holes.
      Visit your vendor’s Web site for the latest information 
        and for responses to security-list tirades and public 
        media reviews. In our “new world,” vendors take a proactive 
        approach and alert users to possible holes and fixes for 
        their products. Visit other Web sites as well and see 
        what holes, fixes, and features they offer. Remember, 
        don’t bemoan your boss’ lack of sophistication for picking 
        this product; instead find out how best to implement and 
        use it to protect your network. A frying pan can knock 
        out an intruder as efficiently as a can of mace; you just 
        have to get a little closer.
       Talk to your co-workers, talk to your friends. Attend 
        a seminar, meeting, conference, or class. Talk to your 
        fellow attendees; you may find that one of them has experience 
        with this product too. Get the advice of peers, but be 
        sure to follow the advice of experts.
      At this point you’re in a great position to judge whether 
        or not a class will help you. If a vendor or third-party 
        instruction is available on your product, check it out. 
        Since you’ve done your homework, you stand a better chance 
        of finding one that fits. Ask for a curriculum outline 
        and match it against your requirements. Don’t be afraid 
        of extra topics. You’re the learner here, right? You’ll 
        also be better prepared for class. You know the features 
        you need to implement—if they aren’t covered, ask why. 
        Many instructors can give additional help that’s not part 
        of the official curriculum, but some may not. The time 
        to ask is before you plunk down your money.
      Should you hire an expert to install the system for you? 
        It depends. You now should be in a better position to 
        judge if this is necessary and/or advisable. After all, 
        you need to manage the firewall when it’s up. Don’t isolate 
        yourself from the initial installation and configuration 
        process. If you feel you want to hire an expert, or if 
        you’ve been told to do so, now you’ll be able to judge 
        better the type of expert to get. Make sure that transfer 
        of knowledge is required. You don’t want to have to call 
        the expert back for every change you make. You also want 
        to be able to monitor the system. Although it should be 
        obvious by now that security policies may vary with the 
        company and an external expert should ask you for this 
        type of advice, some may not. Find out your so-called 
        experts’ willingness to follow your rules before they’re 
        hired.
      
         
           
            
               
                 
                  
                     
      Sidebar: Packet-Filtering Firewall vs. Screening Router

      A packet-filtering system selectively routes packets between hosts in a way that implements a network’s security policy. A packet encapsulates data sent across a network. Each packet carries a set of headers with the information needed for its passage, including:

        - IP source address
        - IP destination address
        - Protocol (TCP, UDP, ICMP)
        - TCP or UDP source port
        - TCP or UDP destination port
        - ICMP message type

      The router also knows which interface the packet arrived on and which interface it will leave by. A regular router looks only at the destination address of each packet and picks the best way to get the packet there: either it knows how to forward the packet and does so, or it doesn’t and answers with an ICMP “destination unreachable” message.

      A screening router examines the packet more thoroughly. It asks, “Should I send this packet on its way at all?” Since Internet services (http, telnet, SMTP, and so on) live at standard port numbers, the router can be configured to block or allow connections by port number. A screening router may be configured, for example, to block all connections from the Internet except SMTP. (You do want to receive email, don’t you?) Or you could configure it to block all connections from certain systems, or to allow email and FTP but block TFTP, RPC, IRC, and the like.

      What a screening router can’t do is let some operations of a service pass while blocking others: it sees headers, not the contents of the conversation, so its decisions are all-or-nothing per service. Selective control within a service is a job for a proxy.
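The screening router just described, combined with the default-deny stance from step 3, can be written down as an ordered ruleset and exercised against packets before anything is loaded on real hardware. The following is an added example in Python, not code from the article or from any firewall product. It assumes a filter with two interfaces ("ext" facing the Internet, "int" facing the private network), a private network of 192.0.2.0/24 and a mail host at 192.0.2.25; those addresses and every packet below are made up for illustration.

```python
"""Default-deny packet filter, modeled on the screening router in the sidebar.

Added example, not code from the article.  Packets are dicts carrying the
header fields a screening router sees (plus the interface they arrived on);
rules are tried in order and the first match wins.  Anything no rule
expressly permits is dropped, which is the "least privilege" stance the
article recommends.  Addresses are documentation ranges (assumptions).
"""
from ipaddress import ip_address, ip_network

INTERNAL_NET = "192.0.2.0/24"     # assumption: the private network
MAIL_SERVER = "192.0.2.25"        # assumption: the host that receives SMTP
ANY = "*"
FIELDS = ("iface", "proto", "src", "dst", "sport", "dport", "ack", "icmp_type")


def _match(value, pattern):
    """Does one header field satisfy one rule field?"""
    if pattern == ANY:
        return True
    if value is None:                     # field absent (e.g. ports on ICMP)
        return False
    if isinstance(pattern, tuple):        # inclusive port range (lo, hi)
        return pattern[0] <= value <= pattern[1]
    if isinstance(pattern, (set, frozenset)):
        return value in pattern
    if isinstance(pattern, str) and "/" in pattern:   # CIDR network
        return ip_address(value) in ip_network(pattern)
    return value == pattern


def evaluate(rules, pkt):
    """Return (verdict, rule name) for the first rule matching pkt.

    A packet that matches nothing falls through to the implicit deny.
    """
    for rule in rules:
        if all(_match(pkt.get(f), rule.get(f, ANY)) for f in FIELDS):
            return rule["action"], rule["name"]
    return "DENY", "default-deny"


# Rule order matters: anti-spoofing first, then the few things we allow.
RULES = [
    # Packets arriving on the Internet side must not claim an internal source.
    {"name": "anti-spoof", "iface": "ext", "src": INTERNAL_NET, "action": "DENY"},
    # The sidebar's example: let the Internet reach nothing but SMTP.
    {"name": "inbound-smtp", "iface": "ext", "proto": "tcp",
     "dst": MAIL_SERVER, "dport": 25, "action": "ALLOW"},
    # Internal users may browse and send mail out.
    {"name": "outbound-web-mail", "iface": "int", "proto": "tcp",
     "src": INTERNAL_NET, "dport": {25, 80, 443}, "action": "ALLOW"},
    # Replies to those outbound connections: a stateless filter can only
    # recognise them by the ACK flag and a high destination port.  That is a
    # known weakness of this architecture (any ACK packet to a high port gets
    # through), one reason the article says to monitor and to prefer a proxy
    # or a screened subnet for anything sensitive.
    {"name": "tcp-replies", "iface": "ext", "proto": "tcp",
     "dst": INTERNAL_NET, "dport": (1024, 65535), "ack": True, "action": "ALLOW"},
    # ICMP: accept the error messages traceroute and path MTU discovery need.
    {"name": "icmp-errors", "iface": "ext", "proto": "icmp",
     "icmp_type": {3, 11}, "action": "ALLOW"},
]

# Constructed packets, one per scenario you would test in the lab.
SAMPLE_PACKETS = {
    "smtp-from-internet": {"iface": "ext", "proto": "tcp", "src": "198.51.100.9",
                           "dst": MAIL_SERVER, "sport": 40001, "dport": 25, "ack": False},
    "telnet-from-internet": {"iface": "ext", "proto": "tcp", "src": "198.51.100.9",
                             "dst": "192.0.2.10", "sport": 40002, "dport": 23, "ack": False},
    "spoofed-internal-src": {"iface": "ext", "proto": "tcp", "src": "192.0.2.77",
                             "dst": "192.0.2.10", "sport": 40003, "dport": 139, "ack": False},
    "internal-web-out": {"iface": "int", "proto": "tcp", "src": "192.0.2.10",
                         "dst": "203.0.113.80", "sport": 40004, "dport": 80, "ack": False},
    "web-reply-in": {"iface": "ext", "proto": "tcp", "src": "203.0.113.80",
                     "dst": "192.0.2.10", "sport": 80, "dport": 40004, "ack": True},
    "syn-to-high-port": {"iface": "ext", "proto": "tcp", "src": "198.51.100.9",
                         "dst": "192.0.2.10", "sport": 80, "dport": 40004, "ack": False},
    "ping-from-internet": {"iface": "ext", "proto": "icmp", "src": "198.51.100.9",
                           "dst": "192.0.2.10", "icmp_type": 8},
    "ttl-exceeded-in": {"iface": "ext", "proto": "icmp", "src": "203.0.113.1",
                        "dst": "192.0.2.10", "icmp_type": 11},
}


def audit(rules=RULES, packets=SAMPLE_PACKETS):
    """Evaluate every sample packet; returns {scenario: (verdict, rule)}."""
    return {name: evaluate(rules, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, (verdict, rule) in audit().items():
        print(f"{name:22s} {verdict:5s} via {rule}")
```

Two things to take from the run: the telnet attempt and the ping are never mentioned in any rule and are dropped by the implicit deny, which is the point of least privilege; and the "tcp-replies" rule is the soft spot, since a stateless filter cannot tell a genuine reply from a crafted packet with the ACK bit set. When a product offers stateful inspection or a proxy for outbound sessions, use it instead of that rule.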
        
      
      5. Isolate, Install, Test
      Ready to go for it? Don’t immediately set the firewall 
        in its chosen place on the network. Even an attack dog 
        needs to be tested for his response to your commands. 
        Place the system in a test lab. Don’t have one? Make a 
        temporary lab with minimum configuration, say, one client, 
        the firewall, and the Internet access line. Keep the rest 
        of the network out of the picture for now. Armed with 
        your policy, notes, and extensive knowledge, install and 
        configure the system.
      Now test it. If it’s supposed to block external users 
        from telnet access to internal hosts, come at it from 
        outside and use the telnet command. If you can get to 
        the internal host, you probably configured the system 
        wrong. Find out why and correct it.
      Do all users have unlimited access to the Internet? Create 
        some typical user accounts, one with each type of access 
        you’ve designed. Then log on as those users and test.
      Not sure which ports and services an application that crosses the firewall needs? Run it and test that, too. You’ve got the idea now. Document each feature once again, develop a test scenario for it, then apply them all. As you tweak your firewall configuration, retest every scenario, not just the one you changed: a rule added for one application can reopen a hole you closed for another. Check the firewall logs for what was gathered and what you learned.
      When your system passes your rigorous testing, it’s time 
        to move it to the real world. You may want to allow access 
        a little at a time to make sure all applications, users, 
        and services have access, but only the access they should 
        have.
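The test loop this step describes, written down so it can be repeated after every rule change, as an added Python example (not code from the article). Each scenario records the host and port a probe should try and whether the policy says the connection must succeed; a TCP connect with a short timeout is the scripted equivalent of "come at it from outside and use the telnet command". The script is run from a machine on whichever side of the firewall the scenario calls for. The `demo()` function starts a throwaway listener on the loopback interface so the harness can be run offline; every address and port in it is made up for the demonstration, and it covers TCP only (UDP and ICMP need their own probes).

```python
"""Scenario-driven reachability test for a firewall in the lab.

Added example, not code from the article.  Each scenario names the host:port
a probe should try and whether the policy says the connection must succeed.
Run the script from a machine on the relevant side of the firewall (outside
for "external users must not telnet in", inside for "users may browse out").
The demo() at the bottom starts a throwaway listener on the loopback
interface so the harness runs offline; addresses and ports are made up.
"""
import socket
import threading


def probe_tcp(host, port, timeout=2.0):
    """'open' if a TCP handshake completes, 'blocked' on refusal or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError:            # ECONNREFUSED, timeout, host unreachable, ...
        return "blocked"


def run_scenarios(scenarios, prober=probe_tcp):
    """Probe each scenario; return it with 'observed' and 'passed' added."""
    results = []
    for sc in scenarios:
        observed = prober(sc["host"], sc["port"])
        results.append({**sc, "observed": observed, "passed": observed == sc["expect"]})
    return results


def failures(results):
    """The scenarios whose observed behaviour contradicts the policy."""
    return [r for r in results if not r["passed"]]


def _loopback_listener():
    """Stand in for an allowed service: a TCP listener on 127.0.0.1."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))        # port 0: the OS picks a free one
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
            except OSError:
                return

    threading.Thread(target=serve, daemon=True).start()
    return srv, stop


def _unused_port():
    """A loopback port with nothing listening, to play the blocked service."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Offline run: one service that must be reachable, one that must not be."""
    srv, stop = _loopback_listener()
    allowed_port = srv.getsockname()[1]
    scenarios = [
        {"name": "allowed service reachable", "host": "127.0.0.1",
         "port": allowed_port, "expect": "open"},
        {"name": "telnet-like service blocked", "host": "127.0.0.1",
         "port": _unused_port(), "expect": "blocked"},
    ]
    try:
        return run_scenarios(scenarios)
    finally:
        stop.set()
        srv.close()


if __name__ == "__main__":
    for r in demo():
        print(f"{'PASS' if r['passed'] else 'FAIL'}  {r['name']}: "
              f"expected {r['expect']}, observed {r['observed']}")
```

Keep the scenario list under version control next to the firewall configuration: the list is the executable form of "who’s supposed to get in, and who’s not", and a FAIL after a change is the cheapest warning you will ever get. Remember that "blocked" covers both a refusal and a silent drop, so when a scenario that should be open fails, check the firewall logs before assuming the rule is wrong.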
      6. Monitor the Firewall and Network Access
      Once you’re up and running, the rule is to monitor constantly. Don’t just monitor the firewall; monitor network access as well. Remember, a firewall is really just a perimeter defense. It can’t protect against every type of attack, and it’s not the only soldier in your arsenal. A firewall can’t protect your network from access that doesn’t go through it: a modem on someone’s desk, a laptop carried in, a user who gives away a password. Many recent attacks were carried out with social engineering and with viruses or Trojans riding inside mail or downloads the firewall had been told to allow, content a packet filter doesn’t look inside.
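Monitoring means reading the logs the firewall produces, and the logs are only useful if something reduces them to findings. The following is an added Python example, not code from the article or from any firewall product. The article shows no product’s log format, so the syslog-style line layout below is invented for the demonstration and the regular expression must be adapted to whatever your firewall writes; the sample lines, addresses and thresholds are constructed. It looks for three things: one source being denied on many ports (a port scan), one source being denied on the same port across many hosts (a sweep), and an allowed inbound connection to a port that the policy should never have opened, which is the kind of drift step 5’s retesting is meant to catch.

```python
"""Reduce a firewall log to findings: scans, sweeps and policy drift.

Added example, not code from the article.  LINE_RE describes a made-up
syslog-style layout (the article shows no product's format); adapt it to
your firewall.  Sample lines and thresholds are constructed for the demo.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) filter: "
    r"(?P<verdict>ALLOW|DENY) (?P<proto>tcp|udp|icmp) (?P<iface>ext|int) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Ports whose appearance in ALLOWED inbound traffic deserves a look
# (chosen from the article's "Consider These Weaknesses" table).
SENSITIVE_PORTS = {23, 69, 79, 111, 137, 138, 139, 161, 515, 2049, 6667}
PORT_SWEEP_MIN = 5    # distinct ports denied from one source: probable scan
HOST_SWEEP_MIN = 3    # distinct hosts on one port from one source: sweep

# Constructed sample log: one scanner, one sweeper, one allowed telnet that
# should not be there, normal traffic, and a line the parser must ignore.
SAMPLE_LOG = """\
Nov 30 23:58:40 fw1 filter: ALLOW tcp int 192.0.2.10:40004 -> 203.0.113.80:80
Nov 30 23:58:41 fw1 filter: ALLOW tcp ext 198.51.100.200:33000 -> 192.0.2.25:25
Nov 30 23:59:01 fw1 filter: DENY tcp ext 198.51.100.9:40002 -> 192.0.2.10:21
Nov 30 23:59:01 fw1 filter: DENY tcp ext 198.51.100.9:40003 -> 192.0.2.10:23
Nov 30 23:59:02 fw1 filter: DENY tcp ext 198.51.100.9:40004 -> 192.0.2.10:25
Nov 30 23:59:02 fw1 filter: DENY tcp ext 198.51.100.9:40005 -> 192.0.2.10:79
Nov 30 23:59:03 fw1 filter: DENY tcp ext 198.51.100.9:40006 -> 192.0.2.10:111
Nov 30 23:59:03 fw1 filter: DENY tcp ext 198.51.100.9:40007 -> 192.0.2.10:139
Nov 30 23:59:04 fw1 filter: DENY icmp ext 198.51.100.9 -> 192.0.2.10
Nov 30 23:59:10 fw1 filter: DENY tcp ext 203.0.113.5:1025 -> 192.0.2.10:139
Nov 30 23:59:10 fw1 filter: DENY tcp ext 203.0.113.5:1026 -> 192.0.2.11:139
Nov 30 23:59:11 fw1 filter: DENY tcp ext 203.0.113.5:1027 -> 192.0.2.12:139
Nov 30 23:59:30 fw1 filter: ALLOW tcp ext 198.51.100.77:2048 -> 192.0.2.10:23
Nov 30 23:59:31 fw1 kernel: link up on eth0
"""


def parse(lines):
    """Yield one dict per well-formed filter line; other lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["sport"] = int(e["sport"]) if e["sport"] else None
            e["dport"] = int(e["dport"]) if e["dport"] else None
            yield e


def analyse(lines):
    """Return a list of (kind, source address, detail) findings."""
    ports_by_src = defaultdict(set)          # src -> ports it was denied on
    hosts_by_src_port = defaultdict(set)     # (src, port) -> hosts it tried
    denies = defaultdict(int)
    findings = []
    for e in parse(lines):
        if e["iface"] != "ext":              # only traffic arriving from outside
            continue
        if e["verdict"] == "DENY":
            denies[e["src"]] += 1
            if e["dport"] is not None:
                ports_by_src[e["src"]].add(e["dport"])
                hosts_by_src_port[(e["src"], e["dport"])].add(e["dst"])
        elif e["dport"] in SENSITIVE_PORTS:  # allowed in, but policy says no
            findings.append(("allowed-sensitive-inbound", e["src"],
                             f"{e['proto']}/{e['dport']} to {e['dst']}"))
    for src, ports in ports_by_src.items():
        if len(ports) >= PORT_SWEEP_MIN:
            findings.append(("port-scan", src,
                             f"{len(ports)} distinct ports, {denies[src]} denies"))
    for (src, port), hosts in hosts_by_src_port.items():
        if len(hosts) >= HOST_SWEEP_MIN:
            findings.append(("host-sweep", src, f"port {port} on {len(hosts)} hosts"))
    return findings


if __name__ == "__main__":
    for kind, src, detail in analyse(SAMPLE_LOG.splitlines()):
        print(f"{kind:26s} {src:16s} {detail}")
```

The "allowed-sensitive-inbound" finding is the one to act on first: denies are the firewall doing its job, but an ALLOW on a port the policy never opened means a rule has drifted, and that is exactly what the retest scenarios from step 5 should have caught. Thresholds like five ports or three hosts are starting points; tune them against a week of your own logs before you trust the alerts.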
      
         
           
            
               
                 
                  
                     
      Sidebar: Firewall Architectures

        - Dual-homed host. A computer with at least two network interfaces. To use this architecture in a firewall, IP forwarding (routing) between the interfaces is disabled, so packets from the Internet interface can’t be routed directly to the internal, private network. Systems on either network can communicate with the dual-homed host, but not with each other. When the internal side needs to reach the external side, or vice versa, proxy services on the host carry the traffic.

        - Screened host, or bastion host. This host sits on the internal network. Packet filtering at the screening router is set up so that external (Internet) hosts can reach the bastion host and no other system on the internal network. A typical use might be an email server. The bastion host is also allowed to make certain types of connections to the outside world, and internal systems can connect directly to it. Harden this machine more than any other: it is the one you have chosen to expose.

        - Screened subnet, or perimeter network. This architecture adds a perimeter network that isolates the internal network from the Internet. The bastion host can easily come under attack, since it’s reachable from the Internet, and conquering a bastion host that sits on the internal network can mean wide-open access to everything else. A screened subnet provides further protection: the bastion host lives on the perimeter network, and a minimum of two screening routers are used, one between the internal network and the perimeter network, the other between the perimeter network and the Internet. This is the DMZ mentioned in step 1.
        
      
      7. Lather, Rinse, Repeat!
      You’ve heard the joke about the programmer who was found 
        dead in the shower? He had a bottle of shampoo with him 
        and it said, “Lather, rinse, repeat.” As you should know 
        by now, network defense never ends. 
      Consider These Weaknesses
      
         
           
            
               
                 
                  
                     
| Internet service | Description | Port | Exploit / risk |
|---|---|---|---|
| SMTP | Electronic mail | 25 | Mail spoofing; penetrating your network with mail exploits |
| FTP | File transfer | 20/21 | Access to internal information; no strong authentication (passwords travel in the clear) |
| NNTP | Usenet news | 119 | Denial of service |
| telnet | Remote terminal access | 23 | Login and session travel in clear text; no strong authentication |
| http | World Wide Web access | 80 | Access to improperly protected files |
| DNS | Host name and address lookup | 53 | Information about your internal network (host names, zone transfers) |
| Gopher | Text-based, menu-oriented tools that help users find information | 70 | Information |
| WAIS | Wide area information service; allows queries such as for documents that contain a phrase (www.ai.mit.edu/the-net/wais.html is a site that provides a WAIS gateway) | 210 | Information |
| Archie | Indexes of anonymous FTP servers by file and directory name; reached via telnet, email, Archie clients, or Web browsers through http-to-Archie gateways (www.archie.emnet.co.uk/) | 1525 | Allowing Archie through might also allow direct access to NFS and NIS/YP servers |
| Finger | Looks up info about a user with an account on the machine queried: real name, login, phone number, office location, when and where most recently logged in | 79 | Information (ideal reconnaissance for social engineering) |
| POP, POP2, POP3 | Internet mail retrieval | 109, 110 | Passwords sent in the clear |
| whois | Information about hosts, networks, domains, and administrators | 43 | Information |
| talk | Lets two people hold a conversation | 517 (ntalk 518) | No authentication, so an easy way to do social engineering |
| IRC | Internet relay chat; users connect with an IRC client or telnet; one server serves many people at the same time | 6667 | Hostile servers and users can reach client files, processes, programs |
| MBONE | Multicast backbone; real-time conferencing for audio, video, and electronic whiteboard; used for Internet Engineering Task Force meetings and space shuttle flight operations | No port: carried in IP-in-IP tunnels (IP protocol 4); filter by protocol number | Can the tunnel be used as a back door? |
| NetBIOS name services | Used over TCP/IP to establish identity, locate systems, and notify the network that a NetBIOS system has shut down | 137, 138 (session service on 139) | Find easily accessed hosts on the network and learn which services they run |
| ICMP | Internet control message | No port; filter by message type | Information source; denial of service |
| Ping | Checks whether a host can be reached; uses ICMP echo | ICMP type 8 (request) and 0 (reply) | Verifies that such a host exists |
| Traceroute or tracert | Shows the route a packet takes to its destination; Unix traceroute sends UDP probes and reads ICMP time-exceeded replies, Windows tracert uses ICMP echo | ICMP types 11 and 3; UDP 33434 and up | Finds the location and names of your routers |
| SNMP | Manages routers, bridges, concentrators, hubs, hosts | 161, 162 | Control of these devices (community strings travel in the clear) |
| Network Time Protocol | NTP: important for synchronizing clocks and preventing replay attacks; Kerberos depends on time synchronization | 123 (the older Time protocol uses 37) | Failing to use NTP, or having it spoofed, can result in denial of service when clocks drift |
| NFS | Network file system | 2049 | Clients can read and change files stored on the server without logging in or entering a password, and NFS doesn’t log the transactions |
| lpr and lp | Print to a printer | 515 (LPD) | No reason to do this across the Internet; allows removal of information by printing it remotely from your servers |
        
      
      Once you install the firewall, you can’t 
        rest. In fact, it’s not a bad idea to pull out this list 
        periodically and make sure you’re still following these 
        steps to a flame-proof firewall.