Transcript of GTRI_B-1 F3 Explorers Guild: Firewalls & Filters. Jason Kau, Applied Networking, Georgia Tech Research Institute, jason.kau@gtri.gatech.edu, 404-894-8806. 24 slides.

GTRI_B-1

F3 Explorers Guild: Firewalls & Filters

Jason Kau

Applied Networking

Georgia Tech Research Institute

jason.kau@gtri.gatech.edu

404-894-8806

GTRI_B-2

Firewall vs. Filter

Firewall

A firewall provides network access control, i.e. which users ("who") are allowed to access which resources ("what") at what time ("when").

• So-called modern "Deep Packet/Application Inspection" firewalls increasingly "enumerate badness", i.e. user A is allowed to access resource B during time period C as long as user A is not doing "something bad" to resource B. "Something bad" is usually detected via updatable signatures.

• "Enumerating badness" is a losing battle as worms, viruses, peer-2-peer, spam, phishing fraud, etc. grow at much higher rate than legitimate applications. "Enumerating badness" in the form of updatable signatures does not protect against 0-day attacks.

GTRI_B-3

Firewall vs. Filter

Firewall

• Fight back by focusing on "enumerating goodness" in the configuration of firewall(s)—only allow needed network applications and specific functionality within those network applications.

• Best security: "enumerate goodness" by configuration and "enumerate badness" within those allowed applications.

GTRI_B-4

Firewall vs. Filter

Filter

A filter is a specialized product that provides fine-grained content control over specific network applications. The firewall has given network access to a resource but a filter inspects the content requested of the resource, the content returned from the resource, and/or the content known to be available from the resource and determines its suitability for end-user consumption.

• Firewalls can act as content filters but rarely do content filters act as firewalls.

• Specialized content filtering solutions usually offer "deepest", most "feature-rich" and "flexible" filtering.

GTRI_B-5

Firewall vs. Filter

Examples of Firewalls
Network-based: Cisco PIX/ASA/FWSM, Juniper Netscreen, Check Point VPN-1, Microsoft ISA, Fortinet, Watchguard.
Host-based: ISS BlackICE (home) & Desktop Protector (enterprise)

Examples of Filters
Mail: Barracuda Spam Firewall, Symantec Mail Security, SurfControl Risk Filter, MailScanner
Web/P2P/IM: Bluecoat ProxySG, SurfControl Threat Filter, FaceTime, Websense, Barracuda Spyware Firewall
Web/Mail: Aladdin eSafe Gateway

Examples of Firewalls + Filters
Host-based: Norton Personal Firewall/Internet Security (home) & Symantec Client Security (enterprise)
Network-based: Symantec Enterprise Firewall, Securiant SpiderISA

GTRI_B-6

DOE-BellSouth Firewall & Filtering Solution:

Cisco FWSM firewall + Websense filtering

How it works

Cisco FWSM firewall sends web URLs to Websense server which instructs FWSM to block or allow the URLs based on pre-defined Websense categories or school system-defined whitelists/blacklists.

Sample Websense Categories

Adult Material - Adult Content, Lingerie & Swimsuit, Nudity, Sex, Sex Education
Drugs - Abused Drugs, Marijuana, Prescribed Medications, Supplements & Unregulated Compounds

GTRI_B-7

DOE-BellSouth Firewall & Filtering Solution:

Limitations

• Border solution only, i.e. deployed at border between school system and the State of Georgia/BellSouth—no intra-school system protection.

• No virus/worm scanning for web downloads.

• No spyware/malware scanning for web downloads.

• No ability to rewrite web requests to enable site-specific safety features, e.g. force Google and Yahoo safe search.

• No content caching to improve performance.

GTRI_B-8

DOE-BellSouth Firewall & Filtering Solution:

Limitations Continued

• No true URL category detection for HTTPS URLs, because this is a non-proxy solution: the FWSM sees only the encrypted session and its destination IP, so Websense categorization of HTTPS sites relies on reverse DNS of that IP rather than on the requested URL.

• No built-in IPS (intrusion prevention system) with updatable signatures to detect exploits, worms, and attacks and thus less ability to "enumerate badness" within allowed network applications compared to some firewall solutions.

• No spyware, spam, virus, phishing fraud, inappropriate or dangerous content filtering for email.

GTRI_B-9

Expanding on the DOE-BellSouth Solution

Layering of Firewalls

• Best practice is "defense-in-depth". Firewall at border; firewall at school level; host firewall on desktop/servers.

• Border-School-Host firewall paradigm is very costly. Decide on where your firewalls have the best security pay-off. Use BellSouth as border firewall, re-use previous border firewall as "sensitive" servers firewall or DMZ, investigate if your routers/switches can act as semi-firewalls to provide access control decisions and act as school level firewalls, use host firewall on servers, etc.

• As centrally managed "super" client (combined anti-virus, anti-spyware, & firewall) offerings mature and if budget permits, evaluate a host firewall implementation for all clients.

GTRI_B-10

Expanding on the DOE-BellSouth Solution

Layering of Firewalls Continued

• Firewall configuration should "enumerate goodness". Don't block known TCP/IP ports and addresses used by past exploits or worms—instead allow only those applications needed on your network. If budget allows, pick firewalls with built-in in-line IPS so you can more thoroughly "enumerate badness" within allowed applications.
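The difference between the two configuration styles is easiest to see by running the same traffic through both. The following is an added example, not from the slides: a tiny first-match rule evaluator (Cisco ACL style, implicit deny at the end) with one "enumerate badness" border policy (default-allow, block ports used by past worms) and one "enumerate goodness" policy (allow only the applications the school needs). The ports, the source labels (`lan`, `mailserver`, `dnsserver`) and the flows are constructed for illustration; 135/tcp and 445/tcp stand in for "ports used by past worms", 5190/tcp for an IM login port, and 31337/tcp for a port some not-yet-signatured worm might use.

```python
"""Added example: contrast "enumerate badness" and "enumerate goodness"
firewall policies with a first-match rule evaluator. Not the slides' own
code; all rules, labels and flows are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Flow:
    src: str      # source label, e.g. "lan", "mailserver", "dnsserver"
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: str = "any"              # "any" or a source label
    proto: str = "any"            # "any", "tcp" or "udp"
    dport: Optional[int] = None   # None matches every port

    def matches(self, f: Flow) -> bool:
        return (self.src in ("any", f.src)
                and self.proto in ("any", f.proto)
                and (self.dport is None or self.dport == f.dport))


def evaluate(rules: Sequence[Rule], f: Flow) -> str:
    """First matching rule wins; unmatched traffic hits the implicit deny."""
    for r in rules:
        if r.matches(f):
            return r.action
    return "deny"


# "Enumerate badness": block what hurt us last time, permit everything else.
# The port list is constructed (135/445 are the classic worm ports).
BADNESS_RULES = [
    Rule("deny", proto="tcp", dport=135),
    Rule("deny", proto="tcp", dport=139),
    Rule("deny", proto="tcp", dport=445),
    Rule("permit"),                       # everything not listed sails through
]

# "Enumerate goodness": only the applications the school actually needs;
# the implicit deny handles everything else, including tomorrow's worm.
GOODNESS_RULES = [
    Rule("permit", proto="tcp", dport=80),                     # web
    Rule("permit", proto="tcp", dport=443),                    # web (TLS)
    Rule("permit", src="dnsserver", proto="udp", dport=53),    # resolver only
    Rule("permit", src="mailserver", proto="tcp", dport=25),   # mail relay only
]

# Constructed sample traffic leaving the school network.
SAMPLE_FLOWS = [
    Flow("lan", "tcp", 80),          # ordinary browsing
    Flow("lan", "tcp", 445),         # known worm port
    Flow("lan", "tcp", 5190),        # IM client login (AIM-style port)
    Flow("lan", "tcp", 31337),       # hypothetical 0-day worm, no signature yet
    Flow("lan", "tcp", 25),          # desktop sending mail directly (spam bot)
    Flow("mailserver", "tcp", 25),   # the real mail server
    Flow("dnsserver", "udp", 53),    # the real resolver
]


def compare(flows: Sequence[Flow]) -> Dict[Tuple[str, str, int], Tuple[str, str]]:
    """Map each flow to (enumerate-badness verdict, enumerate-goodness verdict)."""
    return {(f.src, f.proto, f.dport): (evaluate(BADNESS_RULES, f),
                                        evaluate(GOODNESS_RULES, f))
            for f in flows}


if __name__ == "__main__":
    for (src, proto, dport), (bad, good) in compare(SAMPLE_FLOWS).items():
        print(f"{src:>10} {proto}/{dport:<5} badness={bad:<6} goodness={good}")
```

The unlisted-port flows are the point: the default-allow policy lets the IM login, the direct-to-MX spam and the unknown worm port through because nobody has written a block rule for them yet, while the allow-list policy drops all three without knowing anything about them. The second half of the slide's advice, signature-based IPS inside the permitted 80/443 traffic, sits on top of the allow-list and is not modelled here.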

GTRI_B-11

Expanding on the DOE-BellSouth Solution

Virus Scanning for the Web

• DOE-BellSouth Cisco FWSM firewall + Websense solution does not provide virus scanning of downloads.

• Is virus scanning for web downloads necessary if you have host-based anti-virus? Defense-in-depth says yes; budgets may say no.

• Are web downloads really the primary source of viruses these days? Not compared to e-mail.

• All known proxy solutions (Bluecoat ProxySG, Network Appliance Netcache, Cisco Content Engine, Microsoft ISA, Squid), some non-proxy content filters (Aladdin eSafe), and some firewalls (Fortinet, Cisco ASA in the future) provide virus scanning of web downloads.

GTRI_B-12

Expanding on the DOE-BellSouth Solution

Virus Scanning for the Web Continued

• If budget does not allow defense-in-depth of virus scanning of downloads, turn to "enumerate goodness" principle. Create a whitelist of allowed web download sites, e.g. only allow the download of .EXE files from download.com, microsoft.com, etc. This can be accomplished with DOE-BellSouth Websense solution.

GTRI_B-13

Expanding on the DOE-BellSouth Solution

Spyware Scanning for the Web

• DOE-BellSouth Cisco FWSM firewall + Websense solution does not provide spyware scanning for downloads.

• Debate rages between host-based or network-based anti-spyware solutions. Defense-in-depth says both; budgets may say no.

• Debate on how well network anti-spyware scanning even works, because spyware can be recompiled with obfuscation an infinite number of times. Host-based anti-spyware solutions can restrict what spyware can do by "enumerating OS-level badness".

• A network solution only provides protection when you're on-site—notebooks taken offsite are not protected.

GTRI_B-14

Expanding on the DOE-BellSouth Solution

Spyware Scanning for the Web Continued

• Specialized spyware network gateways (Bluecoat Spyware Interceptor, Barracuda Spyware Firewall, Aladdin eSafe, Facetime) offer best network-based spyware scanning compared to firewalls/proxies.

• "Enumerate badness" helps block spyware downloads. Block download of "spyware drive-by-installs"—block downloads of .OCX, .CAB, .EXE files (except from sites in the web download whitelist), etc. This can be accomplished with the DOE-BellSouth Websense solution.

GTRI_B-15

Expanding on the DOE-BellSouth Solution

Content Caching

• DOE-BellSouth Cisco FWSM firewall + Websense solution does not provide caching.

• The commercial caching market largely died several years ago as bandwidth became cheap. Several players exited the market (F5, Inktomi) and the remaining vendors refocused on "web security", e.g. Cacheflow changed its name to Bluecoat.

• However, the DOE-BellSouth K12 contract provides relatively low bandwidth connectivity: 1.5 Mbps per school. Typical DSL is 1.5 Mbps PER HOME, with 3 Mbps increasingly available.

• Thus caching proxy may be of great benefit to K12 environment.

GTRI_B-16

Expanding on the DOE-BellSouth Solution

Content Caching Continued

• Cheap cache solution: Linux server(s) running Squid.

• Expensive cache solutions: Microsoft ISA, Barracuda Spyware Firewall (higher-end models do caching), Bluecoat ProxySG. Expensive solutions should give you additional filtering capabilities (virus scanning, spyware filtering, etc.).

• A caching proxy sees the hostname in each HTTPS CONNECT request, so Websense, SmartFilter, SurfControl, etc. can categorize HTTPS sites by name rather than by reverse DNS of the destination IP.
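A proxy in the path also supplies the request-rewriting capability listed as missing from the FWSM-plus-Websense solution on the "Limitations" slide (forcing Google and Yahoo safe search). The following is an added example, not the slides' code and not part of Squid: a helper for Squid's `url_rewrite_program` directive in the classic line-oriented redirector format, where Squid writes one request per line (`URL client_ip/fqdn ident method ...`) and the helper answers with the rewritten URL, or an empty line for "leave it alone". The search-host table, the path prefixes and the parameter values (`safe=active` for Google, `vm=r` for Yahoo) are assumptions to verify against the engines you actually see in your logs, and the table covers only the two domains shown.

```python
#!/usr/bin/env python3
"""Added example: Squid url_rewrite_program helper that forces safe search
on Google and Yahoo web searches. Not Squid's own code and not from the
slides; the engine table below is an assumption, not an exhaustive list."""
import sys
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# (host domain, path prefix of a search request, (parameter, forced value))
# Constructed table; add country domains or other engines as needed.
SAFE_SEARCH = (
    ("google.com", "/search", ("safe", "active")),
    ("search.yahoo.com", "/search", ("vm", "r")),
)


def _host_matches(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def force_safe_search(url: str) -> str:
    """Return url with the engine's safe-search parameter forced on, or the
    url unchanged when it is not a recognised search request. Any value the
    user supplied for that parameter (e.g. safe=off) is replaced."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for domain, path_prefix, (param, value) in SAFE_SEARCH:
        if _host_matches(host, domain) and parts.path.startswith(path_prefix):
            query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                     if k != param]
            query.append((param, value))
            return urlunsplit((parts.scheme, parts.netloc, parts.path,
                               urlencode(query), parts.fragment))
    return url


def handle_line(line: str) -> str:
    """One request line from Squid (classic format, concurrency 0):
         URL client_ip/fqdn ident method [urlgroup] key=value ...
    Reply: the rewritten URL, or "" to tell Squid to pass the request as-is."""
    fields = line.split()
    if not fields:
        return ""
    url = fields[0]
    rewritten = force_safe_search(url)
    return rewritten if rewritten != url else ""


if __name__ == "__main__":
    # squid.conf:  url_rewrite_program /usr/local/bin/safesearch.py
    # Squid blocks on each reply, so flush after every line.
    for raw in sys.stdin:
        sys.stdout.write(handle_line(raw) + "\n")
        sys.stdout.flush()
```

Two caveats a practitioner should keep in mind. Only the first whitespace-separated field is the URL, so the helper never trusts the rest of the line. And the rewrite only works for plaintext HTTP: a search performed over HTTPS reaches the proxy as a CONNECT tunnel whose path the proxy never sees, which is the same visibility limit the previous bullet describes for categorization.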

GTRI_B-17

Expanding on the DOE-BellSouth Solution

Improve "Enumerating Badness" firewall capability

• DOE-BellSouth Cisco FWSM firewall + Websense solution does not support updatable signatures to look for exploits, worms, and attacks. Thus, you're limited in your ability to "enumerate badness" within those network applications you allow if you use the FWSM as your border firewall.

• Consider supplementing the DOE-BellSouth Cisco FWSM firewall with a signature-based in-line IPS from a vendor like Sourcefire, Top Layer, 3Com TippingPoint, Cisco IPS, Juniper IDP, etc. In-line IPS is roughly a $10K investment at the 10 Mbps to 20 Mbps performance range.

GTRI_B-18

Expanding on the DOE-BellSouth Solution

Improve "Enumerating Badness" firewall capability continued

• Order of implementation for your school system (from best to worst in terms of security bang for the buck):

1) border firewall

2) school level firewall

3) host firewalls (wait until "super" client matures)

4) border IPS

5) school level IPS

GTRI_B-19

Expanding on the DOE-BellSouth Solution

Email Scanning

• DOE-BellSouth Cisco FWSM firewall + Websense provides no email protection.

• Emails are vehicles for the transport of spyware, viruses, phishing fraud, pornographic images, spam, etc.

• The email solution needs to address all this "badness". There are many open source and commercial solutions in this area, from software add-ons for Microsoft Exchange to dedicated hardware appliances.

GTRI_B-20

Expanding on the DOE-BellSouth Solution

Email Scanning Continued

• For performance and security reasons, email filtering should be done on dedicated network filtering appliances or filtering servers. Spam and virus scanning can be extremely computationally intensive and slow down legitimate email receiving/sending. Only expose the email filters directly to inbound connections from the Internet, preferably in a DMZ, so the mail store itself never accepts connections from untrusted hosts.

• Children-specific policies can make you "more CIPA compliant". E.g., filtering out images in emails to students ensures no pornographic images reach them.

GTRI_B-21

Further Discussion on Instant Messaging and Chat

• Should schools even allow IM/chat? What legal liabilities does a school face by allowing IM/chat or by offering an official chat server?

• IM can be a vehicle for dangerous file transfers. Encryption-over-IM systems like OTR (Off the Record) can defeat network-based IM filters ability to limit or restrict IM functionality.

• Only some network-based IM filtering solutions can do virus scanning for IM file transfers (e.g. FaceTime can, Bluecoat cannot)—and this assumes encryption-over-IM system is not used so the IM filtering system can tell a file transfer is occurring.

• With DOE-BellSouth solution, ensure Websense "Web Chat" category is enabled to block known web-based chat sites and block known IM client download sites.

GTRI_B-22

Further Discussion on Instant Messaging and Chat

• "Enumerating goodness" in firewall configuration helps block IM but "enumerating badness" in firewall configuration, e.g. block access to specific AOL Instant Messenger login servers, may be necessary as IM clients are "smart" and will try to find any outbound "holes" in firewall.

GTRI_B-23

Further Discussion on Peer-2-Peer

• Although Peer-2-Peer can be used for legitimate purposes, it is primarily a means to distribute illegal (from a copyright standpoint), dangerous (contains viruses or spyware), and pornographic content.

• Several Peer-2-Peer networks support chat themselves, e.g. Kazaa and SoulSeek.

• Ensure the Websense category "Peer-to-Peer" is enabled to block access to known Peer-2-Peer client download sites.

• "Enumerating goodness" firewall configuration should prevent most Peer-2-Peer applications from working.

GTRI_B-24

Case Study: Jasper County School District

• Cisco PIX firewall at border configured to "enumerate goodness".

• Cisco 2600 series routers and 350 bridges at schools acting as "semi-firewalls" by only allowing a set of supported applications among schools—i.e., more "enumerating goodness".

• RedHat Enterprise Linux Dell server for email content filtering. Primarily open source solution: MailScanner, SpamAssassin, Razor, several RBLs, McAfee, Sophos, ClamAV.

• Sophos Anti-Virus for Desktops; centrally managed.

• Bluecoat ProxySG for web content filtering and caching; blocks Spyware "drive-by-installs", forces search engine safe search, blocks many SurfControl categories.