Network Security

[ Up ] [ Network Design ] [ Network Monitoring ] [ Network Security ]

What is a Firewall?

Firewalls are software/hardware based security components that divide computer networks into two logical segments:
an unsecured side that remains exposed to computer users from the outside world, typically to provide access to corporate Web servers or other such "public" parts of a network;
and a second, secure side that's off-limits to intruders yet remains accessible to authorized users.

Although it's possible to operate publicly accessible servers within a private network, serious dangers are involved. Even with well-administered firewalls and up-to-date host software, there's always a chance that attackers could use an application-level attack to gain unrestricted access to a computer that is running a server program. If that happens when the server computer is inside a private network, the attacker may gain access to important private data or greatly disrupt the operation of critical internal services.

Because of the dangers of running servers inside private networks, many firewall configurations, employ "DMZ" (demilitarized zone) networks. A DMZ network is intended to provide a safe, relatively neutral "drop area" for communication between inside and outside systems. The network topology is shown in the following figure:

No connections are permitted from the "untrusted" Internet to the private network; instead, Internet users connect to servers on the DMZ network. This server provides all the services that a company wishes to offer to outside users. The DMZ server itself is prevented from initiating connections into the private network; although systems on the private network can use the services provided by the DMZ, the DMZ cannot reach internal services.

Event Logging

Event logging allows administrators to track potential security breaches or other nonstandard activities on a real-time basis by logging output from system error messages to a console terminal or syslog server, setting severity levels, and recording other parameters.

(Syslog, in general, is a Protocol that allows a computer to send logging information to another computer.)

The raw data logged from a firewall can be use for

	Audit Trails---use syslog to track all connections: recording time stamps, source host, destination host, ports used, and the total number of transmitted bytes,
	Real-time alerts---alerts send syslog error messages to central management consoles upon detecting suspicious activity.

See an sample of messages received from a PIX firewall.

Below is a graph depicting the number of attempted Inbound connections (from the Internet to the private network) per hour, over four and a half days.

Note the large amount of activity between 5:00 pm and 7:00 pm on Saturday night.

From another log file, the IP addresses were resolved to machine names (where possible) and the frequency of Inbound attempts is plotted against the originating site of these attempts.

The second graph is a detail of the larger one.

Types of Attack

In general, firewalls are intended to protect network resources from several kinds of attacks:

	Passive Eavesdropping/Packet Sniffing---Attacker uses a packet sniffer to glean sensitive information from data streams between two sites or to steal username/password combinations, either on a private carrier or a public network. Even if applications such as Lotus Notes were to encrypt traffic within their own streams, a sniffer could still detect sites using Notes in a form of traffic analysis. The attacker could then concentrate on transmissions involving that application.
	IP Address Spoofing---An attacker pretends to be a trusted computer by using an IP address that is within the accepted range of IP addresses for an internal network.
	Port Scans---An active method of determining to which ports on a network device a firewall is listening. After attackers discover the "holes" in a firewall, they can concentrate on finding an attack that exploits the applications that use those ports.
	Denial-of-Service Attack---Differs from other types of attack because, instead of seeking access, the attacker attempts to block valid users from accessing a resource or gateway. This blockage can be achieved through SYN flooding a network resource to exhaustion through using half-open sessions (sending TCP packets with the SYN bit set from a false address) or by crafting packets that cause a resource to perform incorrectly or crash.
	Application-Layer Attack---Takes many forms, exploiting weaknesses in server software to access hosts by obtaining the permission of the account that runs an application. For example, an attacker might use Simple Mail Transfer Protocol (SMTP) to compromise hosts that run older versions of sendmail using undocumented commands in the sendmail application.