12.10 Firewalls & Network Appliances
Security functions implemented within an all-in-one security appliance may include components such as:
-A network switch to provide internal network connectivity between hosts -A router to connect network segments together -An ISP interface for connecting the local network to the Internet -A firewall to filter network traffic -A spam filter to block unwanted emails -A web content filter to prevent employees from visiting inappropriate websites -A malware inspection engine to prevent malware from entering the network -An intrusion detection system (IDS) or intrusion prevention system (IPS) to detect hackers trying to break into systems on the network -An IDS detects intrusion attempts and alerts the system administrator. An IPS detect intrusion attempts, notifies the administrator, and also tries to block the attempt.
While they are less expensive, all-in-one appliances have several drawbacks that you should consider before implementing one:
-All-in-one appliances perform many tasks adequately. However, they usually can't perform any one task extremely well. If high-performance is a concern, then using dedicated appliances might be more appropriate. -All-in-one devices create a single point of failure. Because so many services are hosted by a single device, then all of the services are affected if that device goes down. -All-in-one devices create a single attack vector that can be exploited by an attacker. Compromising the single device could potentially expose many aspects of the network. *Unified threat management (UTM) or unified security management (USM)* is a network gateway defense solution for organizations. UTM is the evolution of the traditional firewall into an all-in-one device that can perform multiple security functions within one single system.
Network appliances are devices that are dedicated to providing certain network services. Common network appliances include:
-Switches, Routers & Firewalls -Wireless access points -Security threat management devices These devices are unlike common network hosts in that they don't typically provide a monitor, keyboard, or mouse connections. Instead, they are designed to be plugged directly into the network and then managed using a web-based interface from the system administrator's workstation. Large organizations typically purchase separate appliances for each network function they require. However, this strategy can be quite expensive. To reduce costs, smaller organizations may choose to use an all-in-one device instead of purchasing separate network appliances. For example, an all-in-one security appliance combines many network security functions into a single device. All-in-one security appliances are also known as unified threat security devices or web security gateways. *This type of device may be the best choice for:* -A small company without the budget to purchase individual components -A small office without the physical space for individual components -A remote office without a technician to manage individual security components
Firewall
A firewall is a device or software running on a device that inspects network traffic and allows or blocks traffic based on a set of rules. There are two types of firewalls that you should be familiar with: *Network-based firewall* inspects traffic as it flows between networks. For example, you can install a network-based firewall on the edge of your private network that connects to the Internet to protect against attacks from Internet hosts. A network firewall is created using two (or more) interfaces on a network device: one interface connects to the private network, and the other interface connects to the external network. *Host-based firewall* inspects traffic received by a specific host. *A best practice is to implement both types of firewalls.* -Firewalls use *filtering rules, sometimes called access control lists (ACLs),* to identify allowed and blocked traffic. A rule identifies characteristics of the traffic, such as: -The interface the rule applies to -The direction of traffic (inbound or outbound) -Packet information such as the source or destination IP address or port number -The action to take when the traffic matches the filter criteria -Windows includes a host-based firewall that you can configure to protect your system from attacks. *Be aware of the following:* -By default, the firewall allows all outgoing Web traffic and responses but blocks all other traffic. -You can configure exceptions to allow specific types of traffic through the firewall. In
Program
Configuring an exception for a program automatically opens the ports required by the application only while the application is running. Be aware of the following: -You can select from a list of known applications or browse to and select an unlisted application. -You do not need to know the port number used; the firewall automatically identifies the ports used by the application when it starts. -After the application is stopped, the required ports are closed.
Port
Configuring an exception for a specific port and protocol (either TCP or UDP) keeps that port open all the time. Be aware of the following: -You must know both the port number and the protocol. -Some services require multiple open ports, so you must identify all necessary ports and open them. -Ports stay open until you remove the exception. When you turn on the firewall, you can block all incoming connections or allow exceptions. If all incoming connections are blocked, any defined exceptions are ignored.When you configure a network-based firewall, you identify the traffic type that is allowed both into and out of your private network. Keep the following in mind:
When you configure a network-based firewall, you identify the traffic type that is allowed both into and out of your private network. Keep the following in mind:
Most SOHO routers and access points include a firewall to protect your private network. By default, most SOHO routers allow all traffic initiated on the private network to pass through the firewall. Responses to those outbound requests are typically also allowed. For example, a user browsing a website will receive the Web pages back from the Internet server. All traffic initiating from the external network is blocked by default. You can configure individual exceptions to allow or deny specific types of traffic. A best practice is to block all ports, then open only the necessary ports. Some firewalls support port triggering, which allows the firewall to dynamically open incoming ports based on outgoing traffic from a specific private IP address and port. On the firewall you identify a private IP address and port, then associate one or more public ports. When the router sees traffic sent from the private network from that host and port number, the corresponding incoming ports are opened. The incoming ports remain open as long as the outgoing ports show activity. When the outgoing traffic stops for a period of time, the incoming ports are automatically closed. Use port triggering to open incoming ports required for specific applications (such as online games). Some applications identify incoming ports dynamically once a session is established with the destination device. The ports that the application might use are typically within a certain range. For some applications, you can configure the application to use a specific port instead of a dynamic port. You can then open only that port in the firewall. If you are unable to configure the application, you will need to open the entire range of possible ports in the firewall. Use port triggering to dynamically open the ports when the application runs instead of permanently opening all required ports. Configure port forwarding to allow incoming traffic directed to a specific port to be allowed through the firewall and sent to a specific device on the private network. Inbound requests are directed to the public IP address on the router to the port number used by the service (such as port 80 for a Web server). The port number is often called the public port. Port forwarding associates the inbound port number with the IP address and port of a host on the private network. This port number is often called the private port. Incoming traffic sent to the public port is redirected to the private port.
