Chapter 9: Firewall Fundamentals and Network Address Translation

Firewall Fundamentals and Network Address TranslationThe information security profession has a number of formalized codes:International Information Systems Security Certification Consortium, Inc (ISC)2 Code of EthicsComputer Ethics Institute (CEI)Internet Activities Board (IAB)Generally Accepted System Security Principles (GASSP)EthicsThis chapter teaches firewall concepts, technologies, and design principles. At the end of this chapter, you will be able to do the following:• Explain the operations of the different types of firewall technologies• Describe firewall technologies that historically have played, and still play, a role in network access control and security architectures• Introduce and describe the function and building blocks of Network Address Translation• List design considerations for firewall deployment• Describe guidelines for firewall ruleset creationContentsA firewall protects network devices from intentional, hostile intrusions that could threaten information assurance (availability, confidentiality, and integrity) or lead to a denial-of-service (DoS) attack. A firewall can protect a hardware device or a software program running on a secure host computer. This chapter introduces the firewall technologies that Cisco uses in routers and security appliances.Introducing Firewall TechnologiesA firewall is a pair of mechanisms that perform these two separate functions, which are set by policies:• One mechanism blocks bad traffic.• The second mechanism permits good traffic.Firewall FundamentalsFirewall: Enforcing Access Control• Must be resistant to attacks• Must be the only transit point between networks• Enforces the access control policy of an organizationProtective measure against the following :• Exposure of sensitive hosts and applications to untrusted users• Exploitation of protocol flaws• Malicious dataCommon propertiesFirewalls in a Layered Defense StrategyStatic Packet-Filtering FirewallsHow Static Packet Filters Map to the OSI ModelStatic Packet Filter in ActionApplication Layer GatewaysApplication layer firewalls provide several advantages:• Application layer firewalls authenticate individuals, not devices• Application layer firewalls make it is harder for hackers to spoof and implement DoS attacks• Application layer firewalls can monitor and filter application data• Application layer firewalls can provide detailed loggingApplication layer firewallsProxy Server Communication ProcessDynamic or Stateful Packet-Filtering FirewallsStateful Packet FilteringStateful packet-filtering firewalls are good to use for the following applications:• As a primary means of defense• As an intelligent first line of defense• As a means of strengthening packet filtering• To improve routing performance• As a defense against spoofing and DoS attacksAdvancedStateful firewalls have the following limitations:• Stateful firewalls cannot prevent application layer attacks• Not all protocols have a state• Some applications open multiple connections• Stateful firewalls do not authenticate users by defaultLimitedApplication Inspection Firewalls, aka Deep Packet InspectionAn application inspection firewall behaves in different ways according to each layer:• Transport layer mechanism• Application layer mechanismThere are several advantages of an application inspection firewall:• Application inspection firewalls are aware of the state of Layer 4 and Layer 5 connections.• Application inspection firewalls check the conformity of application commands.• Application inspection firewalls have the capability to check and affect Layer 7.• Application inspection firewalls can prevent more kinds of attacks than stateful firewalls can. Other Types of FirewallsCisco IOS routers, Cisco ASA Adaptive Security Appliance Software, Cisco Firewall Services Module, and Cisco ASA Services Module offer the capability to deploy a security appliance in a secure bridging mode as a Layer 2 device to provide rich Layer 2 through 7 security services for the protected networkTransparent Firewalls (Layer 2 Firewalls)Transparent Firewalling: Firewall Interfaces All in the Same Subnet Example of Network Address TranslationNAT FundamentalsCisco defines the following list of NAT terms:• Inside local address• Inside global address• Outside local address• Outside global addressNAT tableExample of Port Address Translation (aka NAT Overload) on Cisco IOS RouterTranslating Inside Source AddressStatic TranslationThe deployment modes in NAT operations are as follows:• Static NAT • Dynamic NAT• Dynamic PAT (NAT overload)• Policy NAT• Static PATNAT Deployment ChoicesBest practices documents are a composite effort of security practitioners. This partial list of best practices is generic and serves only as a starting point for your own firewall security policy:• Position firewalls at key security boundaries, separating security domains with different levels of trust.• Firewalls are the primary security device, but it is unwise to rely exclusively on a firewall for security.• Deny all traffic by default and permit only services that are needed.• Implement various firewall technologies, matching your application mix and security policy requirements.• Ensure that physical access to the firewall is controlled.• Regularly monitor firewall logs. Cisco Security Manager and other Cisco management tools are available for this purpose.• Practice change management for firewall configuration changes.Firewall DesignsWhen defining access rules, multiple criteria can be used as a starting point:• Rules based on service control• Rules based on direction control• Rules based on user control• Rules based on behavior controlFirewall Policies in a Layered Defense StrategyFirewall Access Rule Structure: Top-Down Process• Promiscuous rules• Redundant rules• Shadowed rules• Orphaned rulesFirewall rulesFor additional information, refer to these resources:Cisco Systems, Inc. “Configuring Network Address Translation: Getting Started,” Andrew. Cisco Firewall Technology (Cisco Press, 2007).References