Most people have at best a fuzzy idea of just what a firewall is and how it really works. Thanks to Hollywood and the many Mission Impossible-like movies, quite a few think it has something to do with disassembling a fax machine and hooking it to an iPod.
In its most pure state, a firewall is actually a very straightforward and simple thing. A firewall inspects packets as they arrive on an interface, searching a table until it finds a matching rule to determine what it should do with each packet, and then follows the action the rule specifies.
If the packet does not match a specific rule, a default action decides the packet's fate, generally known as falling through the bottom of the rules. For firewalls, the generally accepted good default action is Deny. That is, unless we explicitly permit a particular access, the packet is dropped. This allows us to permit what we know and block what we do not.
Generally there are three ways to deploy a firewall: as a Router/NAT Gateway, on an endpoint as a Host-based Firewall, or as a Transparent/Bridging firewall. I will cover the first two in this chapter—the Router and the Host.
This kind of firewall sits between different LAN subnets at Layer 3 and filters traffic sent to it for forwarding. It cannot prevent attacks between individual nodes on the same subnet (see the section "Transparent/Bridge Firewall" later in this chapter). It may perform Network Address Translation (NAT) on traffic that passes through it. Since it must have an accessible IP address (in order for hosts to route to it), it is vulnerable to direct attacks from other hosts on the network. All three tools discussed in this chapter support acting as a NAT gateway.
This firewall coexists with the host and is designed to protect, which can be risky if this is the only line of defense for the host: if the firewall is compromised, so is the host (this is a possible fail-open condition—a no no in firewall security terms). Host-based firewalls are an excellent idea, but only when used with a Defense in Depth strategy of using both host- and network-based firewalls and IPS for total system protection. All three tools discussed in this chapter can be used to protect an endpoint.
The Transparent/Bridge firewall sits a level lower (at Layer 2) than the Routing firewall, and it filters traffic sent through it. When placed between two nodes on the same subnet, it can filter traffic sent between the nodes. Some Transparent/Bridge firewalls employ spanning tree algorithms and therefore are more like filtering bridges. Since it isn't directly addressed, it's often called a bump in the wire or transparent, and it is immune to direct attacks above Layer 2. (If it tracks sessions, however, it is still vulnerable to indirect resource exhaustion attacks; some of the tools covered in Chapter 3 can be used in this fashion.)
The essential firewall tools for the most common operating systems are:
Includes FreeBSD, NetBSD, OpenBSD, SunOS, Mac OS X, and others.
Includes all the different flavors of Linux distributions (over 150 well known at last count) such as Red Hat/Fedora Core, Debian/Ubuntu, SUSE, CentOS, Gentoo, Linspire, and others.
Includes Windows 98 and up. This chapter covers how FW/ICS is used from Windows XP forward.
There are quite a few very good firewall products you may want to investigate yourself, but this chapter focuses on firewall software that either comes with the operating system or is available for free.
At a minimum, a firewall should be able to defend itself—to control access to and from its interfaces. By blocking all traffic sent to the device, or locking down the box, we can consider ourselves fairly secure. There are still issues with sessions initiated from the device, however. A truly paranoid policy blocks everything both in and out unless specifically permitted by the user. Two of the three tools described allow you to do just that, if you like. Sadly, Windows Firewall does not support blocking sessions initiated from itself, just connections to itself.
This chapter shows you how to lock down your system from all connections from the outside. Configured properly, your system will become almost undetectable to Layer 3 and above scans. Layer 2 scans such as ARP scans can still locate your system, but with no services to connect to, it becomes difficult to attack your system directly. All three firewalls do an exceptional job of this.
A locked-down box is great when you are working from it, but completely worthless when you are not in front of the keyboard. You might find it handy to have at least SSH opened on your Linux systems or Remote Desktop Protocol on your Windows systems so you can access them remotely. It's a good idea to have a hardware-based firewall in front of your Windows systems to filter connections by IP.
Many services, such as X11, must listen on TCP/UDP ports in order to function even if only locally, but we can lock down the box to prevent others from connecting to them and allow only a limited number of services. There is not a direct one-to-one correlation, but generally the more ports you have open, the greater your exposure to attack, and therefore the greater your risk of compromise. Always use the fewest required connections.
What is required depends on why your business needs a server in the first place. If the server is a web server, of course you need port 80 open (or whatever port on which you decide to host HTTP), and a good choice is to also open 443 for SSL support. Since these are the only ports required for serving HTTP/S, they are the only ports that should be open, unless this server is doing dual-duty as some other server (e.g., SMTP); for each service this host is offering, you need to evaluate what ports are required. Remember, each port increases the attack surface area of your host.
If at all possible, it is better from a security (and generally also a performance) standpoint to have several Bastion Hosts each running a single service instead of a single Super Server running all the services on one host. If a single Bastion is compromised, it does not directly affect the other services. This means that an SMTP vulnerability will not take down your HTTP/S server at the same time. The chances that an attacker can obtain the administrator login credentials for the compromised machine are high, so systems sharing a common authentication system (NT Domain, NIS, LDAP, TACACS, RADIUS, Kerberos, and so on) could still be at risk. However, the segregation of services into separate hosts still allows the vulnerable machine to be shut down while leaving the other services up and running.
Having a remote administration port open is also very handy. For my Linux servers, I have SSH opened and listening, sometimes on a nonstandard port just to keep things interesting. For my Windows platforms, Remote Desktop Protocol is very useful, but I strongly recommend against allowing RDP connections to/from the public Internet. Use some sort of VPN or secure port tunneling to provide access to your RDP hosts.
A slightly more secure approach to filtering by port is to filter by host. By locking down in-bound connections to only those hosts we trust, we increase our security posture significantly. When combined with port filtering, we get the best compromise between security and convenience. It is also generally a hassle to set up, because you need to know which hosts to trust on which ports.
However, filtering by host is a good compromise solution when you must serve sensitive ports to at least portions of the public Internet (as with the Windows RDP administration service). By knowing where you will be most likely to manage the system from, you can lock it down so that only you (or anyone else on your local subnet, if you're behind a NAT) can access that remote server.
Admittedly, the subsequent sections of this chapter are a crash course in the basics of getting commonly used operating systems locked down and useful. Important discussions about firewalls can take a whole book or more. Here are a few general books that can greatly expand your knowledge in the field:
The Tao of Network Security Monitoring: Beyond Intrusion Detection by Richard Bejtlich (Addison-Wesley Professional) covers firewalls, intrusion detection, and much more.
Building Internet Firewalls, by Elizabeth D. Zwicky, Simon Cooper, and Brent Chapman (O'Reilly) is a bit older (published in January 2000), but still covers important topics in firewall architecture and security design. Pick up a copy of the second edition and keep your eye out for a third.
Firewalls: The Complete Reference by Keith Strassberg, Gary Rollie, and Richard Gondek (McGraw-Hill/Osborne Media) is also a little older (published in May 2002 and covers some fairly expensive firewall hardware, but is also really good.
Inside Network Perimeter Security: The Definitive Guide to Firewalls, Virtual Private Networks (VPNs), Routers, and Intrusion Detection Systems by Stephen Northcutt, Lenny Zeltser, Scott Winters, Karen Fredrick, and Ronald W. Ritchey (Sams) is another awesome security book published in 2002, and covers great information on enterprise firewall architecture—what to put where to maximize security resources.
You should buy and read additional books written expressly for your particular product.