IT Baseline Protection Manual S 2.70 Developing a firewall concept

-->

S 2.70 Developing a firewall concept

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: IT Security Management

The connection of existing sub-networks with global networks, such as the Internet, leads to a new supply of information. At the same time, the increasing amount of local networks leads to the situation where all workstation computers have access to a wide variety of information.

This networking gives rise to new threats, however, as it is not only possible for information to flow into the network requiring protection from outside, but also in the other direction. Furthermore, the possibility of remote access, i.e. a remote computer (e.g. through the Internet) can execute commands in the local network, poses a threat to the integrity and availability of the local computers and thus indirectly also to the confidentiality of the local data.

A sub-network requiring protection should thus only be connected to another network if this is essential. This particularly applies to connections to the Internet. It should be checked to what extent the network requiring protection can be divided into parts which cannot be connected, which can be connected and which can be connected with limitations. It should also be checked whether a stand-alone system is not sufficient for the connection to the Internet (see S 5.46 Installing stand-alone systems for Internet usage).

In order to guarantee the security of the network requiring protection, a suitable firewall must be used. For the firewall to offer effective protection, the following conditions must be fulfilled. The fire wall must be:

based on a comprehensive security policy

incorporated into the IT security concept of the organisation

installed correctly and

administered correctly.

The connection to an external network can only take place when it has been checked that all risks can be handled by the firewall concept and the personnel and organisational conditions.

There are several ways to implement a firewall. In order to determine which firewall concept is most suitable for the intended uses, it must first be clarified which security objectives are to be fulfilled by the firewall. Examples of security objectives are:

Protection of the internal network against unauthorised remote access,

Protection of the firewall against attacks from the external network, but also against manipulation from the internal network,

Protection of the locally transmitted and stored data against attacks on their confidentiality or integrity,

Protection of local network components against attacks on their availability (this particularly applies to information servers which provide information from the internal area for general use),

Availability of information from the external network in the internal network requiring protection (the availability of this information is secondary to the protection of the local computers and information, however),

Protection against attacks based on IP spoofing or which abuse the source routing option, the ICMP protocol, or routing protocol,

Protection against attacks as a result of the leaking of new software weakness relevant to security. (As it must be considered that the number of potential attackers using an Internet connection is very high, as is their expertise, this security objective is of particular importance).

Based on the security objectives, a security policy must be drawn up which stipulates the tasks of, and requirements placed on, the firewall. This security policy must be included in the IT security strategy of the organisation and thus agreed with the IT management.

The firewall security policy is put into effect by the implementation of the firewall, the selection of suitable hardware components, such as packet filters and application gateways, and the careful implementation of filter rules.

Note:

Selection of a Suitable Packet Filter

Selection of a Suitable Application Gateway

In order for a firewall to offer effective protection of a network against external attacks, several fundamental factors must be fulfilled:

All communication between the two networks must be carried out via the firewall. To achieve this, it must be ensured that the firewall is the only connection between the two networks. Provisions must be taken so that no other external connections bypassing the firewall are permitted (see also S 2.77 Secure Configuration of Other Components).

A firewall must only be used as a protective connection to the internal network. Only the services required for this purpose must be available on the firewall, therefore, and no other services must be offered, such as remote log-in.

Administrative access to the firewall must only be possible via a secure route, e.g. via a secure console, an encrypted connection or a separate network. For the establishment of a secure console, see S 1.32 Establishment of the Consoles, Devices with exchangeable data media, and printers.

A firewall is based on a security policy defined for the network requiring protection and allows only the connections contained herein. It must be possible to permit these connections separately according to IP address, service, time, direction and user.

Suitable personnel must be available for the planning and operation of a firewall. The time required to operate a firewall must not be underestimated. Experience has shown that an analysis of the accumulated log data alone is very time consuming. A firewall administrator must have a detailed knowledge of the IT components used and be trained accordingly.

The users of the local network should only be affected by the use of a firewall to the smallest possible extent.

A firewall can protect the internal network against many of the dangers encountered when connecting to the Internet, but not against all of them. Thus, when a firewall is established and a firewall security policy is elaborated, it is necessary to be aware of the firewall's limits.

Protocols are tested, not the contents. Testing the protocol confirms, for example, that an E-mail was delivered using commands that comply with the rules, but cannot provide any information about the actual content of the E-mail.

The filtering of active contents may only be partially successful.

As soon users are allowed to communicate over a firewall, they can create a tunnel from the protocol they are using for any other protocol. An internal perpetrator could thereby enable an external party to access internal computers.

In reality, it is not possible to restrict Internet access to certain Web servers because too many WWW servers can be used as proxies, making it easy to bypass the blockage of particular IP addresses.

The filter software is often still immature. For instance, it possible that some forms of address are not included. The following example with the BSI Web server shows which possible forms of address are available. The list is far from complete, as individual letters can also be represented by escape sequences.

WWW.BSI.BUND.DE WWW.BSI.DE 194.95.176.226

3261051106

The filtering of spam mails is not yet fully developed. No firewall can determine beyond doubt whether a user wishes to receive a particular E-mail or not. Spam mails will only disappear when it is possible to be sure who the sender is, and it will take a while before this happens.

Firewalls do not safeguard systems against all denial of service attacks. For example, if a perpetrator disables the connection to the provider, even the best firewall cannot help. In addition, protocol implementation errors repeatedly occur in terminal equipment which a firewall cannot intercept.

Unfortunately, many firewalls do not allow security to be increased by connecting various firewalls in series. This is particularly a problem in large firms if firewalls are also used within the firm, for example to create secure subnetworks.

Although a firewall can protect a gateway, it has no influence on the security of communication within the networks

July 1999

home