Worried about potential security gaps? Follow these seven steps to make sure your installation won’t melt under fire.

Set Up a Flame-Proof Firewall

I can still remember when most people thought a firewall was a special wall placed in a building to prevent the spread of fire. Now it’s just what the doctor ordered to protect your company from those heinous hacker homies, and sooner or later it’s going to be your job to put one into operation. Are you up to the job? Do you know how to install a flame-proof firewall? Here are seven sure-fire tips on how to set up a firewall right the first time.

1. Know Why You’re Installing the Firewall

Was this your choice? Been fighting for a firewall? Has it just become company policy? The consultants who brought in the Web site insisted on a firewall? Your boss handed you a box and said, “Here, go install this?” If you know what a firewall is and why you’re installing it, this can help dictate which features to choose during installation and configuration, and even where you place the firewall in your network. So that we’re on the same page, I define a firewall as a service that limits access between the Internet and a private network, between pairs or groups of private networks, or between sensitive and less-sensitive parts of private networks.

More than any other system you’ll configure, a firewall has only one purpose in life, and its purpose may seem to be opposite that availability/usability/ease-of-use credo you’ve had hammered into your head all this time. After all, by definition, a firewall blocks information flow. So ask the question, why are we installing this firewall? You don’t want to make it harder for people to get information, do you?

Time to wake up. Information flow has to be controlled like everything else. The peace, free love, and freedom of information banner just doesn’t fly well in corporate America. Just as we don’t want our precious laptops and automobiles to be “borrowed” by someone else, information in your company is critical to its survival. As rapidly as we expand the boundaries of information access to include our suppliers and customers, we must protect our private information (and theirs).

The Proxy Server Connection
Proxy services are applications that run on a firewall. User requests for Internet services such as FTP, telnet, and http are received and forwarded, according to security policy. Proxy servers, therefore, act as gateways and replace connections. The client doesn’t “talk” directly to the service. In fact, use of a proxy service is usually transparent to the user. Proxy services are implemented via software and thus should be used with a mechanism that physically prevents or restricts direct communication between internal and external systems. Examples of such mechanisms are a dual-homed host (a host with two network interfaces) and/or packet filtering. Proxy servers require proxy clients. Web browsers can be configured to act as proxy clients.

But again, why are you installing a firewall now? Are you setting up a perimeter defense for your corporate network? Creating a DMZ (demilitarized zone) where Web servers and other systems that need to be accessed by your business partners or customers can reside? Putting up a wall around sensitive areas of your company to assure only the select, authorized, vetted few can get in? Firewalls are often used for all these purposes. Knowing who’s supposed to get in, and who’s not, will help you properly configure the firewall, as well as monitor how well it’s performing.

Understanding the type of systems that sit on either side of the firewall helps you determine which ports to open or close. After all, not all access is determined by user ID. Understanding the way services and applications communicate machine-to-machine can help us control access. Most communication relies on connection to a standard port number (see “Consider These Weaknesses”). Block the wrong port and authorized work can’t continue; leave the wrong ones open and your firewall’s got holes large enough for dragons to fly through.

Take the time to ask:

  • What are you trying to protect against? Denial of service? Information theft? Intrusion?
  • Who’s likely to be attacking your systems? Vandals? Joyriders? Braggarts? Information spies? Inexperienced users doing stuff they shouldn’t? (Stupidity is hardly an attack, but the results are the same.)

2. Read the Docs—Know All about Your Firewall

You know the old adage… if all else fails, read the documentation. But you can’t wait for all else to fail here. Fail to fasten your seat belt and hit a brick wall head on—it’s a little too late to read the instructions. Fail to configure your firewall correctly, and you may be open to an attack that can precipitate corporate meltdown. So grab those docs and a good cup of latte and head for a quiet place. All firewalls are not created equal. They don’t even work the same way. Knowing what your firewall is supposed to do, and how to make it do so, can give you the edge you need to set it up right the first time. Firewalls are complex and chances are you don’t set them up every day. Would you try to pilot a jet with your knowledge of driving an automobile?

I wish I had a quarter for every time someone has said to me he found the answer to the problem he spent hours trying to figure out in the documentation. The first firewall I installed had a printout of a sample configuration for very close to my exact needs. Although the documentation was a little unclear, the screenshots showed me how to enter appropriate information and made it easier to add additional features. If the documentation is unintelligible, get some help. Often the manufacturer has updated docs, FAQs, newer versions of utilities, forums, and direct support links on its site.

By the way, this isn’t the time to question anyone’s judgment in choosing this particular firewall. While this intense study of its features (or lack of them), ease of use, and the ability of its publisher to produce usable documentation may make you aware of its shortcomings and make you wish you or the powers that be had chosen another firewall, chances are you’re not going to get anywhere by grumbling. Put the system together, do the best with what you have, and document the need for other things to occur to make your system safe.

A good practice is to make a list of the things the firewall can do, such as blocking services, blocking systems, controlling who can transfer files across the firewall, and recording information about accesses and attempted access. This helps you with the next step.

3. Match Features of the Product to Your Company Security Policy

Your company security policy will tell you which features of the firewall you’ll need to implement—and let you know the things that the firewall can’t do. See No. 6. Don’t know what your corporate security policy is? Find out. Implementing a flame-proof firewall isn’t so hot if what the company really wants to do is to toast marshmallows. Typical implementations require you to:

  • Set up filters to block services. Does your company allow Internet Relay Chat (IRC)? Probably not. IRC servers can be used to access IRC client machine files, processes, and programs. Don’t let IRC users apply these features against the unsuspecting. Do you want ping, telnet, FTP, traceroute, or http services to enter your network? How about providing internal users use of these services across the Internet? Fortunately, firewalls are usually set up on the “least privilege” security principle and the “that which isn’t expressly permitted is prohibited” proverb—all ports are blocked. You don’t have to close down those with possible malicious use; you have to open those that you want to allow. Your security policy will tell you which ones to choose.
  • Insist that your company establish a security policy. Somebody got a great big dose of security awareness somewhere, or the money wouldn’t have been spent. Tell the powers-that-be that a policy is required for proper setup. If no one will write one, do it yourself. Having a written policy—title it, “This is how I’m going to configure the firewall”—starts the conversation. And, oh, get it approved. Can’t get it approved? Well, they did tell you to set up the firewall, didn’t they? You were going to have to make the choices anyway. Now you’re documenting what you did and allowing management to pass on it.
  • Monitor log activity. Once you know which logs are activated or able to be activated and what’s being logged, you can decide how much of this information is necessary to fulfill policy requirements. However, don’t forget another good use of logs: maintenance. You may want to start out logging more information than you think you need and reducing it if you don’t feel it adds anything to the picture. Once again, this may be part of your security policy.

4. Get the Advice of Peers; Take a Class; Hire an Expert

If you haven’t already joined security lists, now’s the time to do it. A good one is ntbugtraq (www.ntbugtraq.com). These lists provide you with an endless stream of inane chatter about risks and perceived risks of OSs and other products, including firewalls. You’re going to have to filter the information, but it does provide a ready source, and a place for you to ask for specific information about your firewall and its perceived features, benefits, and holes.

Visit your vendor’s Web site for the latest information and for responses to security-list tirades and public media reviews. In our “new world,” vendors take a proactive approach and alert users to possible holes and fixes for their products. Visit other Web sites as well and see what holes, fixes, and features they offer. Remember, don’t bemoan your boss’ lack of sophistication for picking this product; instead find out how best to implement and use it to protect your network. A frying pan can knock out an intruder as efficiently as a can of mace; you just have to get a little closer.

Talk to your co-workers, talk to your friends. Attend a seminar, meeting, conference, or class. Talk to your fellow attendees; you may find that one of them has experience with this product too. Get the advice of peers, but be sure to follow the advice of experts.

At this point you’re in a great position to judge whether or not a class will help you. If a vendor or third-party instruction is available on your product, check it out. Since you’ve done your homework, you stand a better chance of finding one that fits. Ask for a curriculum outline and match it against your requirements. Don’t be afraid of extra topics. You’re the learner here, right? You’ll also be better prepared for class. You know the features you need to implement—if they aren’t covered, ask why. Many instructors can give additional help that’s not part of the official curriculum, but some may not. The time to ask is before you plunk down your money.

Should you hire an expert to install the system for you? It depends. You now should be in a better position to judge if this is necessary and/or advisable. After all, you need to manage the firewall when it’s up. Don’t isolate yourself from the initial installation and configuration process. If you feel you want to hire an expert, or if you’ve been told to do so, now you’ll be able to judge better the type of expert to get. Make sure that transfer of knowledge is required. You don’t want to have to call the expert back for every change you make. You also want to be able to monitor the system. Although it should be obvious by now that security policies may vary with the company and an external expert should ask you for this type of advice, some may not. Find out your so-called experts’ willingness to follow your rules before they’re hired.

Packet-Filtering Firewall vs. Screening Router
A packet-filtering system selectively routes packets between hosts in a way that implements a network’s security policy. A packet encapsulates data sent across a network. Each packet contains a set of headers with information necessary for its passage. Header information includes:
  • IP source address
  • IP destination address
  • Protocol (TCP, UDP, ICMP)
  • TCP or UDP source and destination port
  • ICMP message type

Routers also know the interface the packet arrived on and which interface the packet will go out on. A regular router looks at the destination address of each packet and picks the best way to get that packet to its destination. Either the router knows how to send the packet and thus sends it on or it doesn’t and returns it with a “destination unreachable” message.

A screening router examines the packet more thoroughly. It asks the question, “Should I send this packet on its way?” Since Internet services (http, telnet, ping, and so on) reside at standard port numbers, the router can be configured to block or allow Internet connections by specifying the port number. A screening router may be configured, for example, to block all connections from the Internet except SMTP. (You do want to receive email, don’t you?) Or you could configure it to block all connections from certain systems, or allow email and FTP, but block TFTP, RPC, IRC, and the like.

A screening router can’t be configured to let some operations of a service pass but block others. It’s an all-or-nothing approach.

5. Isolate, Install, Test

Ready to go for it? Don’t immediately set the firewall in its chosen place on the network. Even an attack dog needs to be tested for his response to your commands. Place the system in a test lab. Don’t have one? Make a temporary lab with minimum configuration, say, one client, the firewall, and the Internet access line. Keep the rest of the network out of the picture for now. Armed with your policy, notes, and extensive knowledge, install and configure the system.

Now test it. If it’s supposed to block external users from telnet access to internal hosts, come at it from outside and use the telnet command. If you can get to the internal host, you probably configured the system wrong. Find out why and correct it.

Do all users have unlimited access to the Internet? Create some typical user accounts, one with each type of access you’ve designed. Then log on as those users and test.

Not sure what services applications cutting across barriers need to use? Run them and test as well. You’ve got the idea now. You must intimately document each feature once again and develop test scenarios, then apply them. As you tweak your firewall configuration, retest using each test scenario once again. Check the firewall logs for information gathered and lessons learned.

When your system passes your rigorous testing, it’s time to move it to the real world. You may want to allow access a little at a time to make sure all applications, users, and services have access, but only the access they should have.
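As an added example (not code from the article), here is a minimal first-match packet filter in Python that implements the screening-router policy from the sidebar (from the Internet only SMTP, and only to the mail host; internal users may send mail and use FTP; TFTP, RPC, and IRC blocked; everything else denied by default, as step 3 describes) together with the test scenarios step 5 calls for. The addresses (192.0.2.0/24 internal, 203.0.113.0/24 outside), the interface names, and the port list are assumptions for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

@dataclass(frozen=True)
class Packet:                         # the header fields a screening router looks at
    src: str                          # IP source address
    dst: str                          # IP destination address
    proto: str                        # "tcp", "udp" or "icmp"
    sport: Optional[int] = None       # TCP/UDP source port
    dport: Optional[int] = None       # TCP/UDP destination port
    in_if: str = "outside"            # interface the packet arrived on (assumed names)

@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    src: str = "0.0.0.0/0"            # any source unless narrowed
    dst: str = "0.0.0.0/0"            # any destination unless narrowed
    proto: Optional[str] = None       # None means "any"
    dport: Optional[int] = None
    in_if: Optional[str] = None
    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.in_if is None or self.in_if == p.in_if))

def decide(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; a packet no rule permits is dropped (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

# Constructed addresses: 192.0.2.0/24 is the internal network, .25 the mail host.
INTERNAL, MAIL_HOST = "192.0.2.0/24", "192.0.2.25/32"
RULES = [
    # Services the policy names as blocked; default deny already covers them, but
    # explicit rules record the intent and survive a later, broader allow rule.
    Rule("deny", proto="udp", dport=69),      # TFTP
    Rule("deny", proto="tcp", dport=111),     # RPC portmapper
    Rule("deny", proto="tcp", dport=6667),    # IRC
    # From the Internet, only SMTP, and only to the mail host.
    Rule("allow", in_if="outside", dst=MAIL_HOST, proto="tcp", dport=25),
    # Internal users may send mail and open FTP control connections outward. The filter
    # sees ports, not FTP commands, so it cannot allow some FTP operations and block others.
    Rule("allow", in_if="inside", src=INTERNAL, proto="tcp", dport=25),
    Rule("allow", in_if="inside", src=INTERNAL, proto="tcp", dport=21),
]

# Step 5: one scenario per policy statement, each with the outcome the policy requires.
SCENARIOS = [
    ("Internet -> mail host SMTP",       Packet("203.0.113.7", "192.0.2.25", "tcp", 40000, 25), "allow"),
    ("Internet -> internal host telnet", Packet("203.0.113.7", "192.0.2.10", "tcp", 40001, 23), "deny"),
    ("Internet -> mail host IRC",        Packet("203.0.113.7", "192.0.2.25", "tcp", 40002, 6667), "deny"),
    ("inside -> Internet FTP",  Packet("192.0.2.10", "203.0.113.9", "tcp", 40003, 21, in_if="inside"), "allow"),
    ("inside -> Internet TFTP", Packet("192.0.2.10", "203.0.113.9", "udp", 40004, 69, in_if="inside"), "deny"),
    ("inside -> Internet http", Packet("192.0.2.10", "203.0.113.9", "tcp", 40005, 80, in_if="inside"), "deny"),
]

def run_scenarios(rules: List[Rule], scenarios) -> List[Tuple[str, str, str]]:
    """Return (scenario, expected, actual) for every scenario the rule set gets wrong."""
    return [(name, want, decide(rules, pkt))
            for name, pkt, want in scenarios if decide(rules, pkt) != want]
```

Re-run `run_scenarios` after every configuration tweak, as the step says; an empty list means every policy statement still holds. Active-mode FTP data connections arrive from the server's port 20 toward the client, which this rule set denies, so that is one of the "applications cutting across barriers" worth its own scenario.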

6. Monitor the Firewall and Network Access

Once you’re up and running, the rule is to monitor constantly. Don’t just monitor the firewall, monitor network access as well. Remember, a firewall is really just a perimeter defense. It can’t protect against all types of attack, and it’s not the only soldier in your arsenal. A firewall can’t protect your network from access that doesn’t go through its system. Many current attack exploits were carried out with social engineering and the use of viruses or Trojans—things that firewalls usually can’t examine packets to detect.
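As an added example (not from the article), here is a small Python log reviewer for the routine steps 3 and 6 describe: it parses firewall log lines and summarizes denied connections per source address, flagging a source that probed many ports and separating denies that originated inside (usually a misconfigured application or a user trying a blocked service, which is a maintenance signal rather than an attack). The log format and the addresses are constructed for the example; real firewalls each log differently. Attacks that never cross the firewall, such as social engineering or a virus on a floppy, will not appear here at all.

```python
import re
from collections import defaultdict

# Constructed sample log lines in an assumed format (timestamp, action, protocol,
# source:port -> destination:port, arrival interface). Not a real product's format.
SAMPLE_LOG = """\
1999-03-02 14:01:07 DENY tcp 203.0.113.7:40001 -> 192.0.2.10:23 in=outside
1999-03-02 14:01:08 DENY tcp 203.0.113.7:40002 -> 192.0.2.10:21 in=outside
1999-03-02 14:01:08 DENY tcp 203.0.113.7:40003 -> 192.0.2.10:79 in=outside
1999-03-02 14:01:09 DENY tcp 203.0.113.7:40004 -> 192.0.2.10:111 in=outside
1999-03-02 14:01:09 DENY udp 203.0.113.7:40005 -> 192.0.2.10:69 in=outside
1999-03-02 14:01:10 DENY tcp 203.0.113.7:40006 -> 192.0.2.10:6667 in=outside
1999-03-02 14:02:30 ALLOW tcp 198.51.100.4:51234 -> 192.0.2.25:25 in=outside
1999-03-02 14:03:11 DENY tcp 198.51.100.9:51300 -> 192.0.2.25:23 in=outside
1999-03-02 14:05:00 DENY tcp 192.0.2.33:1025 -> 203.0.113.9:6667 in=inside
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) in=(?P<iface>\w+)$")

def parse_log(text):
    """Parse log lines into dicts; lines that do not match the assumed format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            records.append(d)
    return records

def summarize_denies(records, port_threshold=5):
    """Per source address: how many denies, which destination ports, whether the
    denies came only from the inside interface (a configuration or user problem),
    and whether the spread of ports looks like a sweep for open services."""
    by_src = defaultdict(lambda: {"denies": 0, "ports": set(), "ifaces": set()})
    for r in records:
        if r["action"] != "DENY":
            continue
        entry = by_src[r["src"]]
        entry["denies"] += 1
        entry["ports"].add(r["dport"])
        entry["ifaces"].add(r["iface"])
    report = {}
    for src, e in by_src.items():
        report[src] = {
            "denies": e["denies"],
            "ports": sorted(e["ports"]),
            "internal": e["ifaces"] == {"inside"},
            "sweep": len(e["ports"]) >= port_threshold,
        }
    return report
```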

Firewall Architectures
  • Dual-homed host. A computer with at least two network interfaces. To use this architecture in a firewall implementation, routing between these interfaces is disabled. Therefore, packets from the Internet interface can’t be routed directly to the internal, private network. Systems on either network can communicate with the dual-homed host, but not with each other. When accessing either the external from the internal or vice-versa is necessary, proxy services are used.
  • Screened host or bastion host. This host sits on the internal network. Packet filtering at the screening router is set up to allow external hosts (Internet) to access the bastion host and no other systems on the internal network. The typical use of this system might be an email server. The bastion host is also allowed to make certain types of connections to the external world. Internal systems can connect directly to the bastion host.
  • Screened subnet or perimeter network. This architecture implements a perimeter network to isolate the internal network from the Internet. The bastion host can easily come under attack since it’s accessible from the Internet. Conquering the bastion host can mean wide-open access to your internal network. Thus, a screened subnet can provide further protection. A minimum of two screening routers are used to implement this solution—one router between the internal network and the perimeter network, the other between the perimeter network and the Internet.

7. Lather, Rinse, Repeat!

You’ve heard the joke about the programmer who was found dead in the shower? He had a bottle of shampoo with him and it said, “Lather, rinse, repeat.” As you should know by now, network defense never ends.

Consider These Weaknesses

| Internet Service | Description | Port | Exploit |
|---|---|---|---|
| SMTP | Electronic mail | 25 | Mail spoofing, penetrating your network with mail exploits |
| FTP | File transfer | 20/21 | Access to internal information, no strong authentication |
| NNTP | Usenet news | 119 | Denial of service |
| telnet | Remote terminal access | 23 | No authentication |
| http | World Wide Web access | 80 | Access to improperly protected files |
| DNS | Host name address lookup | 53 | Information about your internal network |
| Gopher | Text-based, menu-oriented tools that help users find information | 70 | Information |
| WAIS | Wide area information service; allows multiple queries, such as for documents that contain a phrase; www.ai.mit.edu/the-net/wais.html is a site that provides a WAIS gateway | 210 | Information |
| Archie | Indexes of anonymous FTP servers for file and directory names; service via telnet and email, Archie clients, or Web browsers at http-Archie gateways (www.archie.emnet.co.uk/) | 1525 | Allowing access to Archie might allow access directly to NFS and NIS/YP servers |
| Finger | Looks up info about a user who has an account on the machine being queried: real name, login, phone number, office location, when and where most recently logged in | 79 | Information |
| POP, POP2, POP3 | Internet mail | 109, 110 | Password sent in the clear |
| whois | Information about hosts, networks, domains, and administrators | 43 | Information |
| talk | Lets two people hold a conversation | 517 | No authentication, so an easy way to do social engineering |
| IRC | Internet relay chat; an IRC user uses an IRC client or telnet; IRC serves many people at the same time | 6667 | Many servers means access to client files, processes, programs |
| MBONE | Multicast backbone; expanding real-time conference services for audio, video, and electronic whiteboard; uses: Internet Engineering Task Force meetings, space shuttle flight operations | Filter by protocol number | Can the tunnel be used as a backdoor? |
| Name services | Used over TCP/IP to establish identity, locate systems, and notify the network that a NetBIOS system has shut down | 137, 138 | Find easily accessed hosts on the network, learn what services are used on hosts |
| ICMP | Internet control message | Filter by message code | Information source, denial of service attack |
| Ping | Checks whether a host can be reached; uses ICMP | | Verify there is such a host |
| Traceroute or tracert | Shows the route a packet takes on the way to its destination; uses ICMP | | Find location, names of routers |
| SNMP | Manages routers, bridges, concentrators, hubs, hosts | 161, 162 | Control these devices |
| NTP | Network Time Protocol; important in synchronizing time and preventing playback attacks; Kerberos depends on time synchronization | 37 | Lack of use of, or spoofing of, NTP could result in denial of service attacks |
| NFS | Network file system | 2049 | Clients can read and change files stored on the server without having to log in to the server or enter a password; also logs transactions |
| lpr and lp | Print to printer | | No reason to do this across the Internet; allows removal of information by printing it remotely from your servers |

Once you install the firewall, you can’t rest. In fact, it’s not a bad idea to pull out this list periodically and make sure you’re still following these steps to a flame-proof firewall.
