What is another common name for a firewall box or a system placed directly between a trusted network and an untrusted one?

Firewalls

Dr. Errin W. Fulp, in Managing Information Security (Second Edition), 2014

2 Network Firewalls

Network firewalls (see checklist: “An Agenda For Action For Network Firewalls”) are a vital component for maintaining a secure environment and are often the first line of defense against attack. Simply stated, a firewall is responsible for controlling access among devices, such as computers, networks, and servers. Therefore the most common deployment is between a secure and an insecure network (for example, between the computers you control and the Internet), as shown in Figure 6.1.


Figure 6.1. Example network consisting of an internal network (which is to be secured) and an external network (not trusted). The firewall controls access between these two networks, allowing and denying packets according to a security policy.

An Agenda for Action for Network Firewalls

The following checklist lists the major tasks for network firewalls (check all tasks completed):

_____1. The use of network address translation (NAT) should be considered a form of routing, not a type of firewall.

_____2. Organizations should only permit outbound traffic that uses the source IP addresses in use by the organization.

_____3. Compliance checking is only useful in a firewall when it can block communication that can be harmful to protected systems.

_____4. When choosing the type of firewall to deploy, it is important to decide whether the firewall needs to act as an application proxy.

_____5. Management of personal firewalls should be centralized to help efficiently create, distribute, and enforce policies for all users and groups.

_____6. In general, a firewall should fit into a current network’s layout. However, an organization might change its network architecture at the same time as it deploys a firewall as part of an overall security upgrade.

_____7. Different common network architectures lead to very different choices for where to place a firewall, so an organization should assess which architecture works best for its security goals.

_____8. If an edge firewall has a DMZ, consider which outward-facing services should be run from the DMZ and which should remain on the inside network.

_____9. Do not rely on NATs to provide the benefits of firewalls.

_____10. In some environments, putting one firewall behind another may lead to a desired security goal, but in general such multiple layers of firewalls can be troublesome.

_____11. An organization’s firewall policy should be based on a comprehensive risk analysis.

_____12. Firewall policies should be based on blocking all inbound and outbound traffic, with exceptions made for desired traffic.

_____13. Policies should take into account the source and destination of the traffic in addition to the content.

_____14. Many types of IPv4 traffic, such as that with invalid or private addresses, should be blocked by default.

_____15. Organizations should have policies for handling incoming and outgoing IPv6 traffic.

_____16. An organization should determine which applications may send traffic into or out of its network and make firewall policies to block traffic for other applications.

However, in response to the richer services provided over modern networks (such as multimedia and encrypted connections), the role of the firewall has grown over time. Advanced firewalls may also perform Network Address Translation (NAT), which allows multiple computers to share a limited number of network addresses (explained later in this chapter). Firewalls may provide service differentiation, giving certain traffic priority to ensure that data is received in a timely fashion. Voice over IP (VoIP) is one type of application that needs differentiation to ensure proper operation. This idea is discussed several times in this chapter, since the use of multimedia services will only continue to increase. Assuming that email and VoIP packets arrive at the firewall at the same time, VoIP packets should be processed first because the application is more susceptible to delays.

Firewalls may also inspect the contents (the data) of packets. This can be done to filter other packets (learn new connections), block packets that contain offensive information, and/or block intrusion attempts. Using the mail analogy again, in this case you open letters and determine what to accept based on what is inside. For example, you unfortunately have to accept bills, but you can deny credit-card solicitations.


URL: https://www.sciencedirect.com/science/article/pii/B9780124166882000064

Firewalls

Dr. Errin W. Fulp, in Computer and Information Security Handbook, 2009

1. Network Firewalls

Network firewalls are a vital component for maintaining a secure environment and are often the first line of defense against attack. Simply stated, a firewall is responsible for controlling access among devices, such as computers, networks, and servers. Therefore the most common deployment is between a secure and an insecure network (for example, between the computers you control and the Internet), as shown in Figure 21.1. This chapter refers to the secure network as the internal network; the insecure network is the external network.


Figure 21.1. Example network consisting of an internal network (which is to be secured) and an external network (not trusted). The firewall controls access between these two networks, allowing and denying packets according to a security policy.

The purpose of the firewall and its location is to have network connections traverse the firewall, which can then stop any unauthorized packets. A simple firewall will filter packets based on IP addresses and ports. A useful analogy is filtering your postal mail based only on the information on the envelope. You typically accept any letter addressed to you and return any letter addressed to someone else. This act of filtering is essentially the same for firewalls.

However, in response to the richer services provided over modern networks (such as multimedia and encrypted connections), the role of the firewall has grown over time. Advanced firewalls may also perform Network Address Translation (NAT), which allows multiple computers to share a limited number of network addresses (explained later in this chapter). Firewalls may provide service differentiation, giving certain traffic priority to ensure that data is received in a timely fashion. Voice over IP (VoIP) is one type of application that needs differentiation to ensure proper operation. This idea is discussed several times in this chapter, since the use of multimedia services will only continue to increase. Assuming that email and VoIP packets arrive at the firewall at the same time, VoIP packets should be processed first because the application is more susceptible to delays.

Firewalls may also inspect the contents (the data) of packets. This can be done to filter other packets (learn new connections), block packets that contain offensive information, and/or block intrusion attempts. Using the mail analogy again, in this case you open letters and determine what to accept based on what is inside. For example, you unfortunately have to accept bills, but you can deny credit-card solicitations.

The remainder of this chapter provides an overview of firewall policies, designs, features, and configurations. Of course, technology is always changing, and network firewalls are no exception. However, the intent of this chapter is to describe aspects of network firewalls that tend to endure over time.


URL: https://www.sciencedirect.com/science/article/pii/B9780123743541000212

Your Home Network

Denny Cherry, in The Basics of Digital Privacy, 2014

Network firewalls

Network firewalls are used to ensure that no one is able to connect to the home router. The router will have a variety of management services running on it such as the website that is used to configure the router among other services. Because the router is connected to the public Internet, we don’t want anyone being able to connect to the router and make any changes on it from the public Internet. Because of that, the router should be configured with the firewall on the router preventing any sort of network access to the router itself, which will typically be configured by the manufacturer of the router before the router is sold. Without having the firewall in place, an attacker could attempt to break into the router, and if they were successful, they would then be able to reconfigure the router to allow themselves access to one or more of the computers or devices on the home network.


URL: https://www.sciencedirect.com/science/article/pii/B9780128000113000035

Firewalls

Errin W. Fulp, in Computer and Information Security Handbook (Third Edition), 2013

22 Summary

Network firewalls are a key component of providing a secure environment. These systems are responsible for controlling access between two networks, which is done by applying a security policy to arriving packets. The policy describes which packets should be accepted and which should be dropped. The firewall inspects the packet header and/or the payload (data portion).

There are several different types of firewalls, each briefly described in this chapter. Firewalls can be categorized based on what they inspect (packet filter, stateful, or application), their implementation (hardware or software), or their location (host or network). Combinations of the categories are possible, and each type has specific advantages and disadvantages.

Placement of the firewall with respect to servers and internal computers is key to the way these systems will be protected. Often servers that are externally available, such as Web servers, will be located away from other internal computers. This is often accomplished by placing these servers in a DMZ. A different security policy is applied to these computers so the access between computers in the DMZ and the internal network is limited.

Improving the performance of the firewall can be achieved by minimizing the rules in the policy (primarily for software firewalls). Moving more popular rules near the beginning of the policy can also reduce the number of rule comparisons that are required. However, the relative order of certain rules must be maintained (any two rules that can match the same packet).
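The reordering rule in the paragraph above (move popular rules forward, but never swap two rules that can match the same packet) together with the checklist's default-deny-with-exceptions policy, as an added Python example that is not from the chapter; the rules, addresses and traffic counts are constructed for illustration:

```python
# Added example (not from the chapter): first-match firewall policy model with
# hit-count reordering that preserves the order of any two overlapping rules.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    name: str
    action: str                          # "accept" or "deny"
    proto: Optional[str] = None          # None means any protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Tuple[int, int] = (0, 65535)  # inclusive destination port range
    hits: int = 0                        # times this rule was the first match

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.dport[0] <= pkt.dport <= self.dport[1])


def overlaps(a: Rule, b: Rule) -> bool:
    """True if some packet could match both rules, so their order matters."""
    if a.proto is not None and b.proto is not None and a.proto != b.proto:
        return False
    if not (ip_network(a.src).overlaps(ip_network(b.src))
            and ip_network(a.dst).overlaps(ip_network(b.dst))):
        return False
    return max(a.dport[0], b.dport[0]) <= min(a.dport[1], b.dport[1])


def first_match(policy: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Return (action, rules compared); no match falls through to deny."""
    for n, rule in enumerate(policy, start=1):
        if rule.matches(pkt):
            rule.hits += 1
            return rule.action, n
    return "deny", len(policy)


def reorder(policy: List[Rule]) -> List[Rule]:
    """Greedy reorder: repeatedly emit the most-hit remaining rule whose
    overlapping predecessors (in original order) were already emitted.
    The first remaining rule always qualifies, so the loop terminates."""
    remaining = list(policy)              # keeps the original relative order
    ordered: List[Rule] = []
    while remaining:
        for cand in sorted(remaining, key=lambda r: -r.hits):  # stable sort
            preds = remaining[:remaining.index(cand)]
            if not any(overlaps(p, cand) for p in preds):
                ordered.append(cand)
                remaining.remove(cand)
                break
    return ordered


def run(policy: List[Rule], traffic: List[Packet]) -> Tuple[List[str], int]:
    """Decision per packet plus the total number of rule comparisons."""
    decisions, total = [], 0
    for pkt in traffic:
        action, compared = first_match(policy, pkt)
        decisions.append(action)
        total += compared
    return decisions, total


# Constructed edge policy for inbound traffic to a small public /24.
POLICY = [
    Rule("drop-private-src", "deny", src="10.0.0.0/8"),          # checklist item 14
    Rule("web-http", "accept", "tcp", dst="203.0.113.10/32", dport=(80, 80)),
    Rule("web-https", "accept", "tcp", dst="203.0.113.10/32", dport=(443, 443)),
    Rule("dns", "accept", "udp", dst="203.0.113.53/32", dport=(53, 53)),
    Rule("deny-all", "deny"),                                     # explicit default deny
]

# Constructed traffic: mostly HTTPS, some DNS, a little HTTP, one packet with a
# spoofed private source address and one unsolicited SSH attempt.
TRAFFIC = (
    [Packet("tcp", "198.51.100.7", "203.0.113.10", 443)] * 5
    + [Packet("udp", "198.51.100.8", "203.0.113.53", 53)] * 3
    + [Packet("tcp", "198.51.100.9", "203.0.113.10", 80)] * 2
    + [Packet("tcp", "10.1.2.3", "203.0.113.10", 443)]
    + [Packet("tcp", "198.51.100.9", "203.0.113.10", 22)]
)


def demo() -> Tuple[List[str], int, int, bool]:
    """Collect hit counts, reorder, and confirm every decision is unchanged."""
    before, cost_before = run(POLICY, TRAFFIC)
    new_policy = reorder(POLICY)
    after, cost_after = run(new_policy, TRAFFIC)
    return [r.name for r in new_policy], cost_before, cost_after, before == after
```

The private-source deny rule overlaps every other rule, so it stays first even though it is hit rarely; the two web rules do not overlap, so the busier HTTPS rule moves ahead of HTTP.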

Parallel firewalls can provide greater performance improvements. These systems consist of a load balancer and an array of firewalls, where all the firewalls in the array are identical. When a packet arrives at the system, it is sent to one of the firewalls in the array. The load balancer maintains short packet queues, which can provide greater system bandwidth and possibly a lower latency.

Regardless of the firewall implementation, placement, or design, deployment requires constant vigilance. Developing the appropriate policy (set of rules) requires a detailed understanding of the network topology and the necessary services. If either of these items changes (and they certainly will), the policy will need to be updated. Finally, it is important to remember that a firewall is not a complete security solution but is a key part of a security solution.

Finally, let us move on to the real interactive part of this chapter: review questions/exercises, hands-on projects, case projects, and optional team case project. The answers and/or solutions by chapter can be found in the Online Instructor's Solutions Manual.


URL: https://www.sciencedirect.com/science/article/pii/B9780128038437000740

Security

Soumitra Sengupta, in Practical Guide to Clinical Computing Systems (Second Edition), 2015

2.3.1 Network Level Controls

Network firewalls implement limited connectivity between an internal network and the Internet and networks of other partner organizations, permitting only the necessary communication and protecting against network probing and reconnaissance by external agents.

Network Intrusion Detection and Prevention Systems (IDPS) passively monitor network traffic, detect malicious activities, and, if activity is detected, create alerts and take active steps to eliminate the threat by either denying the malicious traffic, or logically removing the malicious computer from the network. IDPS can be signature based where network communication contents match a known pattern or signature of a known threat or attack.

A threat sometimes exploits a vulnerability that is yet to be identified or corrected by the manufacturer and a signature may not exist as yet. Such a threat is called a zero-day threat (or attack). IDPS can also be behavior based where network communication patterns are monitored against their usual, normal behavior. An aberration in behavior pattern may indicate malicious activity, typically exhibited by zero-day attacks.

Network access authentication implements a sign-on before a computer is permitted to logically join the internal network. It is more commonly used for wireless networks.

Virtual private networks implement an authenticated, encrypted, and limited communication from an external untrusted computer or network to an internal network, and are often used to connect from home and remote computers.

Network access control implements network access authentication as well as dynamic vulnerability scanning and detection when a computer joins a network, and if the joining computer is found to be vulnerable, then the computer is placed in a separate, quarantine network permitting only the remediation of the vulnerabilities such as downloading patches, implementing anti-virus software, etc.


URL: https://www.sciencedirect.com/science/article/pii/B9780124202177000055

Securing the Network

Denny Cherry, Thomas Larock, in Securing SQL Server, 2011

Server Firewalls

In addition to the network firewalls described within this chapter, the firewall on the Windows Operating System should also be enabled and configured to allow just the needed network connections. By installing and configuring the Windows firewall to block all unexpected network connections, if any unauthorized software is installed on the server that software won’t be able to be contacted. Ideally, any outbound network connections that aren’t expected should also be blocked so that any software installed can’t phone home. While legitimate software phoning home isn’t necessarily a problem, unauthorized software shouldn’t be allowed to phone home as it may be passing confidential data to the controller or the server may be part of a bot-net.

FAQ

Phoning Home

Phoning home is a phrase that is used to describe when an application makes network requests back to the person or company that has created the software. Both legitimate and illegitimate software can be configured to phone home, and sometimes for legitimate reasons. Legitimate software such as Windows will phone home in order to check for updates or to upload crash information looking for updates that could fix the problem.

Illegitimate software will usually try to phone home often, especially if the application is designed to be part of a bot-net. It would need to contact a computer under the control of the person who controls the bot-net. Once the application has made contact with the control computer, it would be able to receive commands to do anything that the bot-net operator wanted, including capturing data and uploading it to the bot-net operator.

Windows Firewall Inbound Rules

The most secure Windows firewall configuration option is to allow only the needed inbound network connections, such as TCP (Transmission Control Protocol) connections to the SQL (Structured Query Language) Server, UDP (User Datagram Protocol) connections to the SQL Server Browser, and SMB (Server Message Block) connections to the server’s network file shares. Most SQL Servers wouldn’t be running any other network software that would need to be contacted from outside the SQL Server's Windows Operating System. It is also usually a good idea to allow ICMP (Internet Control Message Protocol) packets through the firewall so that things like ping will work against the server, as this is a good way to see if the server has completed rebooting.

Windows Firewall Outbound Rules

A few outbound firewall rules must be in place for the operating system that is running the SQL Server to function correctly. These include:

DNS lookups to Active Directory DNS servers

Full access to Active Directory domain controllers (Not all port access is needed, but Active Directory requires a wide range of ports to be opened depending on the services running on each domain controller. These ports are specified in Table 1.2.)

Table 1.2. The TCP and UDP Ports Used for Active Directory Authentication

Application | Protocol | Port Range
--- | --- | ---
Active Directory 2003 and below | TCP | 1025–5000
Active Directory 2008 and up | TCP | 49152–65535
Active Directory with 2003 and 2008 domain controllers | TCP | 1025–5000 and 49152–65535
LDAP | TCP and UDP | 389
LDAP (SSL) | TCP | 636
Global Catalog | TCP | 3268
Kerberos | TCP and UDP | 88
DNS | TCP and UDP | 53
SMB over IP | TCP | 445
WINS | UDP | 137
WINS Replication | TCP and UDP | 42
DHCP | UDP | 67
SMB Network Shares | TCP | 445
Active Directory Web Services | TCP | 9389

Web access to the server running WSUS (Windows Server Update Service) or other patching servers

Network access to storage array if needed

Network file share access to company file servers (for installing software)

Access to other database servers on the company network as needed

Not all the ports shown in Table 1.2 will need to be allowed from every SQL Server to every domain controller. The ports that do need to be opened will depend on the domain configuration and the roles that the SQL Server will be performing. For example, if an SQL Server is also functioning as a domain controller (which is not recommended), then more ports will need to be opened in order to allow for Active Directory replication and authentication.


URL: https://www.sciencedirect.com/science/article/pii/B9781597496254100010

Firewalls

Dr. Errin W. Fulp, in Computer and Information Security Handbook (Second Edition), 2013

2 Contents

1. Introduction
2. Network Firewalls
3. Firewall Security Policies
   Rule-Match Policies
4. A Simple Mathematical Model for Policies, Rules, and Packets
5. First-Match Firewall Policy Anomalies
6. Policy Optimization
   Policy Reordering
   Combining Rules
   Default Accept or Deny?
7. Firewall Types
   Packet Filter
   Stateful Packet Firewalls
   Application Layer Firewalls
   Nation-State Backed
8. Host and Network Firewalls
9. Software and Hardware Firewall Implementations
10. Choosing the Correct Firewall
11. Firewall Placement and Network Topology
   Demilitarized Zones
   Perimeter Networks
   Two-Router Configuration
   Dual-Homed Host
   Network Configuration Summary
12. Firewall Installation and Configuration
13. Supporting Outgoing Services through Firewall Configuration
   Forms of State
   Payload Inspection
14. Secure External Services Provisioning
15. Network Firewalls for Voice and Video Applications
   Packet Filtering H.323
16. Firewalls and Important Administrative Service
17. Protocols
   Routing Protocols
   Internet Control Message Protocol
   Network Time Protocol
   Central Log File Management
   Dynamic Host Configuration Protocol
18. Internal IP Services Protection
19. Firewall Remote Access Configuration
20. Load Balancing And Firewall Arrays
   Load Balancing in Real Life
   How to Balance the Load
   Advantages and Disadvantages of Load Balancing
21. Highly Available Firewalls
   Load Balancer Operation
   Interconnection of Load Balancers and Firewalls
22. Firewall Management
23. Summary
24. Chapter Review Questions/Exercises
   True/False
   Multiple Choice
   Exercise
   Hands-On Projects
   Case Projects
   Optional Team Case Project


URL: https://www.sciencedirect.com/science/article/pii/B9780123943972001069

Securing the Network

Denny Cherry, in Securing SQL Server (Second Edition), 2013

Server Firewalls

In addition to the network firewalls described within this chapter, the firewall on the Windows Operating System should also be enabled and configured to allow just the needed network connections. The default state of the firewall depends on the version of the Windows Operating System that is installed. On Windows Server 2003 the firewall is in a state which allows all network traffic to be passed from the server to the network and from the network to the server. On Windows Server 2008 and higher the firewall is configured by default to allow almost no data to be transferred from the computer to the network or from the network to the computer. By installing and configuring the Windows firewall to block all unexpected network connections, if any unauthorized software is installed on the server that software won’t be able to be contacted. Ideally, any outbound network connections that aren’t expected should also be blocked so that any software installed can’t phone home. While legitimate software phoning home isn’t necessarily a problem, unauthorized software shouldn’t be allowed to phone home as it may be passing confidential data to the controller or the server may be part of a bot-net.

FAQ

Phoning Home

Phoning home is a phrase that is used to describe when an application makes network requests back to the person or company that has created the software. Both legitimate and illegitimate software can be configured to phone home, and sometimes for legitimate reasons. Legitimate software such as Windows will phone home in order to check for updates or to upload crash information looking for updates that could fix the problem.

Illegitimate software will usually try to phone home often, especially if the application is designed to be part of a bot-net. It would need to contact a computer under the control of the person who controls the bot-net. Once the application has made contact with the control computer, it would be able to receive commands to do anything that the bot-net operator wanted, including capturing data and uploading it to the bot-net operator.

Windows Firewall Inbound Rules

The most secure Windows firewall configuration option is to allow only the needed inbound network connections, such as TCP (Transmission Control Protocol) connections to the SQL (Structured Query Language) Server, UDP (User Datagram Protocol) connections to the SQL Server Browser, and SMB (Server Message Block) connections to the server’s network file shares. Most SQL Servers wouldn’t be running any other network software that would need to be contacted from outside the SQL Server’s Windows Operating System. It is also usually a good idea to allow ICMP (Internet Control Message Protocol) packets through the firewall so that things like ping will work against the server, as this is a good way to see if the server has completed rebooting.

Windows Firewall Outbound Rules

A few outbound firewall rules must be in place for the operating system that is running the SQL Server to function correctly. These include:

DNS (Domain Name System) lookups to Active Directory DNS servers.

Full access to Active Directory domain controllers. (Not all port access is needed, but Active Directory requires a wide range of ports to be opened depending on the services running on each domain controller. These ports are specified in Table 1.2.)

Table 1.2. The TCP and UDP Ports Used for Active Directory Authentication

Application | Protocol | Port Range
--- | --- | ---
Active Directory 2003 and below | TCP | 1025–5000
Active Directory 2008 and up | TCP | 49152–65535
Active Directory with 2003 and 2008 domain controllers | TCP | 1025–5000 and 49152–65535
LDAP | TCP and UDP | 389
LDAP (SSL) | TCP | 636
Global catalog | TCP | 3268
Kerberos | TCP and UDP | 88
DNS | TCP and UDP | 53
SMB over IP | TCP | 445
WINS | UDP | 137
WINS replication | TCP and UDP | 42
DHCP | UDP | 67
SMB network shares | TCP | 445
Active Directory Web services | TCP | 9389

Web access to the server running WSUS (Windows Server Update Service) or other patching servers.

Network access to storage array if needed.

Network file share access to company file servers (for installing software).

Access to other database servers on the company network as needed.

Not all the ports shown in Table 1.2 will need to be allowed from every SQL Server to every domain controller. The ports that do need to be opened will depend on the domain configuration and the roles that the SQL Server will be performing. For example, if an SQL Server is also functioning as a domain controller (which is not recommended), then more ports will need to be opened in order to allow for Active Directory replication and authentication.

Special Requirements for Clustering

One of the most annoying things about Microsoft SQL Server comes when you have SQL Server configured in a Windows Cluster for high availability. The root cause of this annoyance is that various parts of the SQL Server application run as different EXE files, which means that network communication doesn’t always come from the network connection that you think it will. One of the most notorious parts of the SQL Server database engine to do this is the database mail feature, which was introduced in SQL Server 2005. E-mails from database mail are sent via a separate process called databasemail90.exe and not from the actual sqlservr.exe process.

Because of this, when the SQL Server process starts the database mail process (databasemail90.exe), SQL Server would need to tell the database mail process which source IP Address to use for communication. However, SQL Server does not do this, so the database mail process doesn’t send its mail from the clustered IP Address. It uses the first IP Address on the network stack which has network access, which would be the IP Address of the cluster node and not the virtual IP Address. Because of this, this service, as well as other potential services like the SQL Server Integration Services service, will need access from the physical servers instead of the virtual IP Address. When configuring the firewall connections between the SQL Server cluster and the outside resources that they need access to, this requirement needs to be taken into account.


URL: https://www.sciencedirect.com/science/article/pii/B9781597499477000010

Establishing Secure Enclaves

Eric Knapp, in Industrial Network Security, 2011

Host Firewalls

A host firewall works just like a network firewall, and acts as an initial filter between the host and any attached network(s). The host firewall will allow or deny inbound traffic based on the firewall’s specific configuration. Typically, host firewalls are session-aware firewalls that allow control over distinct inbound and outbound application sessions.

As with network firewalls, host firewalls should be configured according to the guidelines presented under “Firewall Configuration Guidelines”: starting with Deny All policies, and Allow rules should only be added for the specific ports and services used on that particular asset.


URL: https://www.sciencedirect.com/science/article/pii/B9781597496452000070

Implementing Security and Access Controls

Eric D. Knapp, Joel Thomas Langill, in Industrial Network Security (Second Edition), 2015

Selecting network security devices

At a minimum, some form of network firewall is usually required. Additional security—provided by IDS, IPS, and a variety of specialized and hybrid devices, such as Unified Threat Management (UTM) devices, Network Whitelisting devices, Application Monitors, and Industrial Protocol Filters—may be desired as well, depending upon the specific situation. Typically, the security level or criticality of the zone (see “Criticality”) dictates the degree of security that is required. Table 10.1 maps the criticality of a zone to required security measures of NERC CIP and NRC CFR 73.54, as well as recommended enhancements to improve security beyond regulatory requirements.

Table 10.1. Perimeter Security Requirements by Criticality

Criticality | Required Security | Recommended Enhancements
--- | --- | ---
4 (highest) | NRC CFR 73.54: Unidirectional Perimeter, NERC CIP 005: Firewall or IDS or IPS | Application layer monitoring, Firewall, IDS and IPS
3 | NRC CFR 73.54: Unidirectional Perimeter, NERC CIP 005: Firewall or IDS or IPS | Application layer monitoring, Firewall, IDS and IPS
2 | NERC CIP 005: Firewall or IDS or IPS | Firewall and IDS and IPS
1 | NERC CIP 005: Firewall or IDS or IPS | Firewall and IPS
0 (lowest) | NERC CIP 005: Firewall or IDS or IPS | Firewall and IPS

Table 10.1 recommends that both a firewall and an IPS be used at each security perimeter. This is because firewalls and IPS devices serve different functions. Firewalls enforce what types of traffic are allowed to pass through the perimeter by what is called “shallow packet inspection.” Intrusion Prevention Systems on the other hand perform “deep-packet inspection” (DPI) by closely examining the traffic that is allowed through in order to detect “legitimate” traffic with malicious intent—that is, exploit code, malware, and so on—that is transferred over allowed paths. Using both devices together provides two mutual benefits: first, it allows the IPS to perform inspection of the “content” of all traffic allowed in through the firewall; second, the firewall limits the allowed traffic based on the defined parameters of the security zone, freeing the IPS to focus its resources on just that traffic and therefore enabling it to enforce a more comprehensive and robust set of IPS rules.

It is important to understand the distinction between “detection” and “prevention” in the context of intrusion prevention systems. Recall that the most important priorities of industrial networks are availability and performance. In other words, the network cannot tolerate accidental dropping of packets between hosts that are located on levels low within the ISA 95 model (i.e. Levels 1–3). This would occur if the security device generates a “false positive” and mistakenly interprets a valid packet as invalid and blocks it from reaching its destination. However, this may not necessarily be the case between industrial and business zones (i.e. Levels 3 and 4). This is the reason IDS is the preferred security appliance within industrial zones (placed “out-of-band” to network traffic) and IPS is used between industrial and business zones, or between semitrusted DMZs and untrusted business zones (placed “in-line” to all network traffic).

We have also learned that industrial protocols consist of common standards like Modbus and DNP3, but also depend heavily on vendor-specific proprietary protocols that have been optimized for a particular system. It is not common for major IT network security suppliers like Cisco, HP ProCurve, Juniper, Checkpoint, and others to offer solutions for industrial networks. So what options exist to implement advanced DPI analysis with industrial protocols? The answer is a new class of industrial security appliances that are industrial protocol aware and possess the capability to analyze and inspect both open and proprietary protocols. Companies supplying these devices include Tofino/Belden, Secure Crossing, ScadaFence, SilentDefense, and others. At the time this book was written, many other startups were in progress, and readers are encouraged to research the market thoroughly in order to fully understand all of the available options. In addition, OEM-branded solutions or recommended third-party solutions may be available from your control system vendors. Once an appropriate solution is selected and deployed, DPI can then be used to analyze specific industrial protocol functions. Figure 10.3 illustrates the increased security capability of firewalls, IDS/IPS devices, and application session monitoring systems.


Figure 10.3. Relative capabilities of security devices to detect threats using DPI.

In the most critical areas, application-layer session monitoring provides a valuable and necessary level of assurance, as it is able to detect low-level protocol anomalies (such as a base64-encoded application stream inside of an HTTP layer 4 80/tcp session, used by many APTs and botnets) and application policy violations (such as an unauthorized attempt to write a new configuration to a PLC). However, unless monitoring very simple application protocols where the desired contents are distinctly packaged within a single packet or frame, the application session must be reassembled prior to monitoring as illustrated in Figure 10.4.


Figure 10.4. Application session inspection vs. deep packet inspection.

The most stringent network security device may be the data diode, also referred to as a unidirectional gateway. A data diode is, very simply, a one-way network connection—often a physically restricted connection that uses only one fiber-optic strand from a transmit/receive pair. By only using TX optics on the source side, it is physically impossible for any digital communications to occur in a highly sensitive network area containing control system devices, while supervisory data may be allowed to communicate out of that highly secure zone into the SCADA DMZ or beyond. In certain instances, such as for the storage of highly sensitive documents, the diode may be reversed, such that information can be sent into a secure zone that is then physically prevented from communicating that information back outside of the zone. During this “flip” phase, the previous communication flow should be terminated to disable any ability for two-way communication to occur at any point in time through the gateway.


URL: https://www.sciencedirect.com/science/article/pii/B9780124201149000101

What is a firewall called?

A Firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization's previously established security policies. At its most basic, a firewall is essentially the barrier that sits between a private internal network and the public Internet.

What is firewall mention 2 names of firewall?

Five types of firewall include the following: packet filtering firewall. circuit-level gateway. application-level gateway (aka proxy firewall)

What are the 2 main types of firewall?

The most common firewall types based on methods of operation are: Packet-filtering firewalls. Proxy firewalls.

What is a firewall placed between?

In terms of computer security, a firewall is a piece of software. This software monitors the network traffic between the inside and outside. The firewall is placed between the network that is to be protected (trusted) and the outside network (less trusted) aka WAN or Internet.