Chapter 9. Firewalls
On completing this chapter, you will be able to
• Explain the basics of firewalls
• Describe the different types of firewalls
• Describe some firewall enhancements
• Explain firewall placement in a network
This chapter covers a variety of types of firewalls, including devices such as PIX,
software solutions such as Check Point, and personal firewalls. The chapter defines
firewalls and explores their purpose and use in today's large-scale IP-based networks,
where attacks can occur from within and from external sources.
Protecting the confidentiality of information, preventing unauthorized access, and
defending against external and internal attacks remain primary concerns of all network
managers today. IT departments must defend against these threats. All network
architectures should be based on sound security policies designed to address all the
weaknesses and threats that can occur in today's large IP-based networks. Because of the
ever-changing nature of remote connectivity, especially with the increased use of virtual
private networks (VPNs) and the requirement for instant access to core network
resources, networks have policies that allow access to the Internet, where the volume of
busy or noisy traffic from non-legitimate devices is vast. Firewalls play an important role in
defending against these threats.
As discussed in Chapter 5, "Security Policies," every network should be based on a sound
security policy. The security policy should describe firewalls in detail and, more
specifically, the location, placement, and configuration of firewalls in the network, as
well as whether the firewall is hardware based, software based, or even PC based.
Network vulnerabilities must be constantly monitored, found, and addressed because they
define points in the network that are potential security weak points (or loopholes) that can
be exploited by intruders or hackers. All networks are possible targets because an
intruder's motivation can be based on a number of factors: cash profit; revenge;
vandalism; cyber terrorism; the excitement of a challenge; the search for prestige,
notoriety, or experience; curiosity; or the desire to learn the tools of the trade, just to name a
few.
Sometimes the biggest security threat comes from within an organization, in particular
from displeased employees who gain access to internal systems by abusing usernames
and passwords. Identification of the weak points of the network and, therefore, the
placement and configuration of the firewall are extremely important.
NOTE
Internal abuse is often well meaning. To get their jobs done, people sometimes
circumvent security that they perceive as getting in the way. Such actions that open
security holes or break security rules are examples of internal abuse with no malicious
intent.
Now that you are aware of some of the reasons a network must have a sound security
policy and why intruders (hackers) want to exploit a poorly designed network, let's
discuss some of the firewall features and definitions before moving on to some of the
available firewalls in today's marketplace.
Firewall Basics
A firewall is defined as a gateway or access server (hardware- or software-based) or
several gateways or access servers that are designated as buffers between any connected
public network and a private network. A firewall is a device that separates a trusted
network from an untrusted network. It may be a router, a PC running specialized
software, or a combination of devices. A Cisco firewall router primarily uses access lists
to ensure the security of the private network.
Figure 9-1 displays a network in which firewalls are typically located between the trusted
networks and untrusted networks.
Figure 9-1. Firewall Placement
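To make the access-list model concrete, the following is an added example written for this page; it is not code from the book or from Cisco, and the rule fields, the `Packet`/`Rule` names, the inside network `10.0.0.0/24` and the sample packets are all constructed. It shows what a stateless firewall router does for each packet: a couple of sanity checks first (a packet whose source equals its destination, or a packet arriving from the untrusted side that claims an inside source address, is dropped before any rule is consulted), then a first-match walk of the access list, and finally the implicit deny that catches everything no rule permitted. The `established` flag is a simplification that treats "ACK set, SYN clear" as reply traffic.

```python
"""Stateless, access-list-style packet filtering (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed trusted network behind the firewall router.
INSIDE_NET = ip_network("10.0.0.0/24")


@dataclass(frozen=True)
class Packet:
    src: str                    # source IPv4 address
    dst: str                    # destination IPv4 address
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port (None for icmp)
    syn: bool = False           # TCP SYN flag
    ack: bool = False           # TCP ACK flag


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str                    # source CIDR, e.g. "0.0.0.0/0" for any
    dst: str                    # destination CIDR
    dport: Optional[int] = None  # None matches any destination port
    established: bool = False   # simplification: match replies (ACK set, SYN clear)

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.established and not (pkt.ack and not pkt.syn):
            return False
        return True


def sanity_check(pkt: Packet, iface: str) -> Optional[str]:
    """Checks applied before the access list; returns a drop reason or None."""
    if pkt.src == pkt.dst:
        return "source equals destination (Land pattern)"
    if iface == "outside" and ip_address(pkt.src) in INSIDE_NET:
        return "private source address arriving from the untrusted side (spoofed)"
    return None


def evaluate(rules: List[Rule], pkt: Packet, iface: str) -> Tuple[str, str]:
    """First-match evaluation with an implicit deny at the end of the list."""
    reason = sanity_check(pkt, iface)
    if reason is not None:
        return "deny", reason
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, f"rule {index}"
    return "deny", "implicit deny"


# Constructed inbound list for the untrusted ("outside") interface.
OUTSIDE_IN = [
    Rule("permit", "tcp", "0.0.0.0/0", "10.0.0.25/32", dport=25),           # mail to the one SMTP host
    Rule("permit", "tcp", "0.0.0.0/0", "10.0.0.0/24", established=True),    # replies to inside-initiated sessions
    Rule("deny", "udp", "0.0.0.0/0", "10.0.0.0/24", dport=19),              # chargen, blocked explicitly
]

if __name__ == "__main__":
    samples = [  # constructed traffic
        Packet("203.0.113.7", "10.0.0.25", "tcp", 25, syn=True),      # SMTP to the mail host
        Packet("198.51.100.9", "10.0.0.50", "tcp", 51000, ack=True),  # reply to an inside session
        Packet("203.0.113.7", "10.0.0.50", "tcp", 23, syn=True),      # telnet attempt, no rule
        Packet("10.0.0.25", "10.0.0.25", "tcp", 25, syn=True),        # src == dst
        Packet("10.0.0.99", "10.0.0.25", "tcp", 25, syn=True),        # inside address from outside
        Packet("203.0.113.7", "10.0.0.50", "udp", 19),                # chargen
    ]
    for pkt in samples:
        action, why = evaluate(OUTSIDE_IN, pkt, "outside")
        print(f"{pkt.src:>14} -> {pkt.dst}:{pkt.dport} {pkt.proto:<4} {action:<6} ({why})")
```

Run it and only the SMTP packet and the established reply are permitted; the telnet attempt falls through to the implicit deny, and the two malformed-address packets never reach the list. Real access lists also check source ports, ICMP types and logging options, which the example leaves out.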
Data-driven, application-layer attacks have proliferated in recent years, with a dramatic
rise in the late 1990s and the 21st century. With this increase, it has become clear that the
existing solution set that was based on access lists is not adequate to counter these threats
in a cost-efficient manner. Standalone devices are becoming an integral part of
implementing effective security. Firewalls are primarily designed to address the countless
threats posed to an organization's network by permitting access only to valid traffic.
Identifying valid traffic is a difficult task, and therefore security personnel should be well
aware of existing intrusion techniques and attacks. Just as a reference, the following list
presents a brief overview of common attack types.
• TCP SYN flood attacks: This form of denial-of-service (DoS) attack randomly
opens up a number of TCP ports to make network devices spend CPU cycles on
bogus requests. It ties up valuable resources on the remote host (both CPU
cycles and memory), so that the CPU is kept busy with bogus requests. In turn, legitimate
users are affected by denial of access or poor network response. This type of
attack renders the host unusable.
• E-mail attacks: This form of DoS attack sends a random number of e-mails to a
host. E-mail attacks are designed to fill inboxes with thousands of bogus e-mails
(also called e-mail bombs), thereby ensuring that the end user cannot send or
receive legitimate mail.
• CPU-intensive attacks: This form of DoS attack ties up system resources by using
programs such as Trojan horses (programs designed to capture usernames and
passwords from a network) or by enabling viruses to disable remote systems.
• Teardrop: A teardrop attack exploits an overlapping IP fragment implementation
bug in various operating systems. The bug causes the TCP/IP fragmentation
reassembly code to improperly handle overlapping IP fragments, causing the host
to hang or crash.
• DNS poisoning: In this attack, the attacker exploits the DNS server, causing the
server to return false IP addresses to a domain name query.
• UDP bomb: A UDP bomb causes the kernel of the host operating system to panic
and crash by sending a field of illegal length in the packet header.
• Distributed denial-of-service (DDoS): This attack uses DoS attacks run by
multiple hosts. The attacker first compromises vulnerable hosts using various
tools and techniques. Then the actual DDoS attack on a target is run from the pool
of all these compromised hosts.
• Chargen attack: This type of attack causes congestion on a network (high
bandwidth utilization) by generating a high-volume character stream after invoking a
User Datagram Protocol (UDP) service or, more specifically, the chargen service.
• Out-of-band attacks: Applications or even operating systems such as Windows 95
have built-in vulnerabilities on data port 139 (known as WinNuke) if the intruders
can ascertain the IP address.
• Land.C attack: This attack uses a program designed to send TCP SYN packets
(TCP SYN is used in the TCP connection phase) that specify the target's host
address as both source and destination. This program can use TCP port 113 or 139
(source/destination), which can also cause a system to stop functioning.
• Spoof attack: In a spoof attack, the attacker creates IP packets with an address
found (or spoofed) from a legitimate source. This type of attack can be powerful