A Tribute to Our Oldest and Dearest of Friends - The Firewall Part 1
In my previous article I covered OS and database security in terms of the neglect shown to this area by the information security industry. In the same vein I now take a look at another blast from the past - firewalls.
I will cover the rationale behind firewalls, in terms of what they do for us, some common misconceptions and shortcomings, sources of knowledge on firewalls, and in part 2 I will cover some common misconfigurations and things to watch out for in common business scenarios.
The buzz topics these days are cloud, big data, APT, "cyber"* and BYOD. Firewall was a buzz topic a very long time ago, but the fact that we moved on from that buzz topic, doesn't mean we nailed it. And guess what? The newer buzz topics all depend heavily on the older ones.
There is no cloud security without properly configured firewalls (and moving assets off-campus means even more thought has to be put into this area), and there shouldn't be any BYOD if there is no firewall(s) between workstation subnets and critical infrastructure. Good OS/DB security, plus thoughtful firewall configs sets the stage on which the new short-sighted strategies are played out and retrenched.
We have a lot of bleeding edge software and hardware products in security backed by fierce marketing engines which set unrealistic expectations, advertised with 5 gold star ratings in infosec publications, coincidentally next to a full page ad for the vendor. Out of all these products, the oldest carries the highest bang for our bucks - the firewall.
In fact the firewall is one of the few that actually gives us what we expect to get - network access control, and by and large, as a technology it's mature and it works. At least when we buy a firewall looking for packet filtering, we get packet filtering, unlike another example where we buy a product which allegedly manages vulnerability, but doesn't even detect vulnerability, let alone "manage" it.
Passwords, crypto, filesystem permissions - these are old concepts. The firewall arrived on the scene some considerable number of years after the aforementioned, but before some of the more recent marketing ideas such as IdM, SIEM, UTM etc. The firewall, along with anti-virus, formed the basis of the earliest corporate information security strategies.
Given the nature of TCP/IP, the next step on from this creation was quite an intuitive one to take. Network access control - not a bad idea! But the fact that firewalls have been around corporate networks for two decades doesn't mean we have perfected our approach to configuration and deployment of firewalls - far from it.
New Firewall, New Muesli
"I'm a firewall, I decide which packets are dropped or passed based on source and destination addresses and services". Let's be clear, this article is not about which firewall is the best.
Some firewalls have exotic features - even going back 10 years, Checkpoint Firewall-1 had application layer trackers such as FTP passive mode trackers, earlier versions of which crashed the firewall if enabled - thereby introducing DoS as an innovative add-on. In most cases firewalls need to be able to track conversations and deny/pass packets based on unqualified TCP flags (for example) - but these days they all do this.
Firewalls are not so CPU intensive but they can be memory-intensive if conversations are being monitored and we're being DoS'd - but being a firewall doesn't make a node uniquely vulnerable to SYN-Flood and so on. The list of considerations in firewall design goes on and on but by 2012 we have covered off most of the more important, and you will find the must-haves and the most useful features in any modern commercial firewall... although I wouldn't be sure that this covers some of the UTM all-in-one matchbox size offerings.
Matters such as throughput and bandwidth are matters for network ops in reality. Our concern in security should be more about configuration and placement.
On the matter of which firewall to use, we can go back to the basic tenet of a firewall as in the first paragraph of this subsection - sometimes it is perfectly fine to cobble together an old PC, install Linux on it, and use iptables - but probably not for a perimeter choke point firewall that has to handle some considerable throughput. Likewise, do you want the latest bright flashing lights, bridge of the Starship Enterprise enterprise box for the firewall which separates a 10-node development subnet from the commercial business production subnets?
Again, probably not - let's just keep an open mind. Sometimes cheap does what we need. I didn't mention the term "open source" here because it does tend to evoke quite emotional responses - ok well i did mention it actually, sorry, just couldn't help myself there. There are the usual issues with open source such as lack of support, but apart from bandwidth, open source is absolutely fine in many cases.
Are firewalls still important?
All attack efforts will be successful given sufficient resources. What we need to do is slow down these efforts such that the resources required outweighs the potential gains from owning the network. Effective firewall configuration helps a great deal in this respect. I still meet analysts who underestimate the effect of a firewall on the security posture.
Taking the classic segregated subnet as in a DMZ type configuration, by now most of us are aware at least that a DMZ is in most cases advisable, and most analysts can draw a DMZ network diagram on a white board. But why DMZ?
Chiefly we do this to prevent direct connections from untrusted networks to our most valuable information assets. When an outsider port scans us, we want them to "see" only the services we intend the outside world to see, which usually will be the regular candidates: HTTPs, VPN, etc. So the external firewall blocks access to all services apart from those required, and more importantly, it only allows access to very specific DMZ hosts, certainly no internal addresses should be directly accessible.
Taking the classic example of a DMZ web server application that connects to an internal database. Using firewalls and sensible OS and database configuration, we can create a situation where we can add some considerable time on an attack effort aimed at compromising the database. Having compromised the DMZ webserver, port scanning should then reveal only one or two services on the internal database server, and no other IP addresses need to be visible (usually).
The internal firewall limits access from the source address of the DMZ webserver, to only the listening database service and the IP address of the destination database server. This is a considerably more challenging situation for attackers, as compared with a scenario where the internal private IP space is fully accessible...perhaps one where DMZ servers are not at all segregated and their "real" IP addresses are private RFC 1918 addresses, NAT'd to public Internet addresses to make them routable for clients.
Firewalls are not a panacea, especially with so many zero days in circulation, but in an era where even automated attacks can lead to our most financially critical assets disappearing via the upstream link, firewalls can, and regularly do, make all the difference.
We All "Get" Firewalls...right?
There is no judgment being passed here, but it often is the case that security departments don't have much to offer when it comes to firewall configuration and placement. Network and IT operations teams will try perhaps a couple of times to get some direction with firewalls, but usually what comes back is a check list of "best practices" and "deny all services that are not needed", some will even take the extraordinary measure of reminding their colleagues about the default-deny, "catch all" rule. But very few security departments will get more involved than this.
IT and network ops teams, by the year 2012 AD, are quite averse in the wily ways of the firewall, and without any further guidance they will do a reasonable job of firewall configuration - but 9 times out of 10 there will be shortcomings. Ops peeps are rarely schooled on the art of technical risks. Its not part of their training. If they do understand the tech risk aspects of network access control, it will have been self-taught. Even if they have attended a course by a vendor, the course will cover the usage aspects, as in navigating GUIs and so on, and little of any significance to keeping bad guys out.
Ops teams generally configure fairly robust ingress filtering, but rarely is there any attention given to egress (more on that in part 2 of this offering), and the importance of other aspects such as whether services are UDP or TCP (with the result that one or other other is left open).
Generally, up to now, there are still some gaps and areas where businesses fall short in their configuration efforts, whereas I am convinced that in many cases attention moved away from firewalls many years ago - as if it's an area that we have aced and so we can move on to other things.
So where next?
I would like to bring this diatribe to a close for now, until part 2. In the interim I would also like to point budding, enthusiastic analysts, SMEs, Senior *, and Evangelists in the direction of some rather nice reads. Try out TCP/IP Illustrated, at least Volume 1. Then O' Reilly's "Building Internet Firewalls".
The latter covers the in and outs of network architecture and how to firewall specific commonly used application layer protocols. This is a good starting point. Also, try some hands-on demo work with IPtables - you'll love it (I swear by this), and pay some attention to packet logging.
In Part 2 I will go over some of my experiences as a consultant with a roaming disposition, related to firewall configuration analysis, and I will cover some guiders related to classic misconfigurations - some of which may not be so obvious.
Cross-posted from Security Macromorphosis