185

C H A P T E R

9

Firewalls and VirtualPrivate Networks

Introduction

In Chapter 8, we discussed the issue of security in remote access networks.In this chapter we will consider how security is applied in remote accessnetworks. In particular, we will discuss how

firewalls

are used to protectcorporate resources from outside intruders and how

virtual privatenetworks

enable branch offices and remote users to access the corporatenetwork in a secure manner via non-secure public networks.

Firewall Protection

As stated in Chapter 8, remote access networking is a necessity in mostcorporations. For most of these corporations, the Internet is the virtualbackbone of their enterprise network, interconnecting an organizationscorporate network and those of its business partners and customers. TheInternet also provides an inexpensive way to link branch offices, tele-commuters, and mobile workers to the corporate network. Unfortunately,linking a corporate network to the Internet exposes it to the outside world.While the security mechanisms discussed in Chapter 8 can deter unauthorizedaccess to the corporate network via the Internet, they are not foolproof. Extra

ch09 Page 185 Thursday, March 11, 1999 3:14 PM

186

Chapter 9

steps are usually taken, in conjunction with those discussed in Chapter 8, toprotect the confidential information located in the corporate network fromexternal unauthorized users.

This protection is provided by implementing appropriate network accesscontrol policies and using firewalls to enforce them. A firewall is a securitysystem that controls access to a protected network, such as a privatecorporate network. The network is being protected from an untrustedpublic network, such as the Internet. As a result, a firewall is located sothat every access request from a public network to the protected networkmust pass through the firewall, eliminating the need for individualprotection of every server and host in the protected network.

A firewall is typically located the point the network connects to theInternet. This location permits the firewall to provide authentication andother security services to remote users in order to prevent unauthorized usersfrom logging in to the network. Figure 9.1 illustrates a firewall-controlledaccess to the corporate network from the Internet.

For a firewall to be effective, companies first need to define theirnetwork security policy. A network security policy identifies the resourcesthat need protection and the threats against them. It then defines how theycan be used and who can use them, and stipulates the actions to be takenwhen the policies are violated. A policy is a set of rules against whicharriving packets are tested. Examples of such rules include what IP trafficthe organization wants to allow into its network, what source addressesshould be excluded from the network, and what destination addresseswithin the network can be accessed from outside the network. Specificactions to be taken include

accept packet

and

reject packet

. The firewall isresponsible for filtering traffic according to the security policy.

Figure 9.1

Firewall-controlled access from the Internet.

Corporate

Network

Firewall

Corporate Premises

Internet

ch09 Page 186 Thursday, March 11, 1999 3:14 PM

Firewalls and Virtual Private Networks

187

Types of Firewalls

Firewalls can be classified into three basic categories:

packet filters

,

proxyservers

(which include

application gateways

and

circuit-level gateways

), and

stateful packet filters

. There is a fourth category that is essentially a hybrid ofthe three main categories. For example, a firewall may be a combination of theapplication gateway and packet filter, or a proxy server and a stateful packetfilter. Figure 9.2 illustrates the different types of firewalls.

Packet Filters

A packet filter is a firewall that inspects each packet for user-definedfiltering rules to determine whether to pass or block it. For example, thefiltering rule might require all Telnet requests to be dropped. Using thisinformation, the firewall will block all packets that have a port number 23(the default port number for Telnet) in their header. Filtering rules can bebased on source IP address, destination IP address, Layer 4 (that is, TCP/UDP) source port, and Layer 4 destination port. Thus, a packet filter makesdecisions based on the network layer and the transport layer.

Packet filters are fast and can be easily implemented in existing routers.Unfortunately, they are the least secure of all firewalls. One disadvantage ofpacket filters is that they have no logging facility that can be used to detectwhen a break-in has occurred. Also, a packet filtering firewall grants or deniesaccess to the network according to the source and destination addresses andthe source and destination ports. Unfortunately, these ports can be spoofed. Asa result, anyone can access network resources once access has been granted toan authorized user.

Figure 9.2

Firewall classification.

Firewalls

Proxy ServersPacket FiltersStateful Packet

Filters

ApplicationGateways

Circuit-LevelGateways

ch09 Page 187 Thursday, March 11, 1999 3:14 PM

188

Chapter 9

Proxy Servers

A proxy service is an application that redirects users requests to the actualservices based on an organizations security policy. All communicationbetween a user and the actual server occurs through the proxy server. Thus, aproxy server acts as a communications broker between clients and the actualapplication servers. Because it acts as a checkpoint where requests arevalidated against specific applications, a proxy server is usually processingintensive and can become a bottleneck under heavy traffic conditions.

Proxy servers can operate at either the application layer or the transportlayer. Thus, there are two classes of proxy servers: application gateways,which operate at the application layer; and circuit-level gateways, whichoperate at the transport layer.

Application Gateways

An application gateway is a proxy server that provides access control atthe application layer. It acts as an application-layer gateway between theprotected network and the untrusted network. Because it operates at theapplication layer, it is able to examine traffic in detail and, therefore, isconsidered the most secure type of firewall. It can prevent certainapplications, such as FTP, from entering the protected network. It can alsolog all network activities according to applications for both accounting andsecurity audit purposes.

Application gateways can also hide information. Since all requests forservices in the protected network pass through the application gateway, itcan provide network address translation (or IP address hiding) functionalityand conceal IP addresses in the protected network from the Internet byreplacing the IP address of every outbound packet (that is, packets goingfrom the protected network to the Internet) with its own IP address.Network address translation also permits unregistered IP addresses to befreely used in the protected network because the gateway will map them toits own IP address when the users attempt to communicate with theoutside world.

Circuit-Level Gateways

A circuit-level gateway is a proxy server that validates TCP and UDP sessionsbefore allowing a connection or circuit through the firewall. It is activelyinvolved in the connection establishment and does not allow packets to beforwarded until the necessary access control rules have been satisfied.

ch09 Page 188 Thursday, March 11, 1999 3:14 PM

Firewalls and Virtual Private Networks

189

A circuit-level gateway is not as secure as an application gatewaybecause it validates TCP and UDP sessions without full knowledge of theapplications that use these transport services. Moreover, once a sessionhas been established, any application can run across that connection. Thisbehavior exposes the protected network to attacks from intruders. Unlikea circuit-level gateway, an application gateway can differentiate theapplications that need to be blocked from those that can be allowed to passthrough the gateway.

Stateful Packet Filters

Although the application gateway provides the best security among thepreceding firewalls, its intensive processing requirement slows downnetwork performance. A stateful packet filtering gateway attempts to providetight security without compromising performance. Unlike the applicationgateway, it checks the data that passes through at the network layer but doesnot process it. The firewall maintains state information for each session,where session states include a combination of communication phase and theendpoint application state. When a stateful packet filtering gateway receivesa data packet, it checks the packet against the known state of the session. Ifthe packet deviates from the expected session state, the gateway blocks therest of the session.

Firewall Architectures

Firewall architecture refers to the manner in which firewall componentsare arranged to provide effective protection against unauthorized users. Itis usually defined after the network security policy has been definedbecause it is supposed to be a model that enforces the security policy.

The network security policy is enforced at defensible boundaries withinthe network called

perimeter networks

. A corporate network usuallycontains multiple perimeter networks that can be classified into threegroups: the

outermost

perimeter

network, one or more

internal