S 2.73 Selecting a suitable firewall

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: IT Security Management, Administrators

After a security policy has been determined for the firewall, it must be decided which components are to be used for the implementation of the firewall. A suitable configuration is to be selected.

The following are possible configurations:

• Exclusive use of a packet filter

This configuration consists exclusively of a packet filter which filters the information of the lower layers and either accepts or denies packets according to special regulations.

• dual-homed gateway

This configuration consists of an application gateway which is fitted with two network interfaces and which is used as the sole junction between two networks. Application gateways filter information on layer 7 of the OSI layer model. The dual-homed gateway must be configured in such a way that no packets can pass unfiltered, i.e. IP forwarding must be switched off, in particular.

• Screened Sub-net

A screened sub-net is a sub-network between a network requiring protection and an external network, with firewall components checking connections and packets.

A screened sub-net consists of an application gateway and one or two packet filters. The packet filters are located in front of and/or behind the gateway and together they form a sub-network. A screened sub-net can, for example, contain a dual-homed gateway. The filter rules are created in such a way that each connection from inside or outside has to pass the gateway.

The following combinations are possible:

The following is a list of the advantages and disadvantages of the various configurations.

Exclusive use of a Packet Filter

Advantages:

• easy to implement as the functionality is supplied by many routers

• easy to extend for new services

Disadvantages:

• IP spoofing might be possible

• all services to be permitted must be secure on all computers which can be reached

• complex filter rules

• no test possibilities. In particular, it is not possible to determine whether the order of filter rules has been changed, which occurs with some routers in order to increase the data throughput

• no sufficient logging possible

This configuration can only be used in small networks where all computers are protected against attacks.

Dual-homed Gateway

Advantages:

• extensive logging possible

• internal network structure is concealed

Disadvantages:

• relatively high price (as a powerful computer with two network interfaces is required)

• problems with new services

• take-over of the application gateway by the attacker leads to total loss of security

Additional protection can be obtained by using a packet filter in front of the gateway, e.g. using an existing router. In this case, the router and gateway must be penetrated in order to gain access to the network.

Screened Sub-net

Advantages:

• no direct access to the gateway possible (with configuration 1 and 2)

• internal network structure is concealed

• simplified rules for the packet filters

• additional security by a second packet filter (configuration 1 and 2)

• availability increases if several gateways are used

• extensive logging possible

Disadvantages:

• high price (as a powerful computer with one or two network interfaces and at least one packet filter is required)

• if the packet filters are manipulated in a screened sub-net with an application gateway with an interface (see configuration 2, 4 and 6), a direct connection is possible bypassing the gateway. This can also be a desired function (e.g. in case of new services)

As a result of the above advantages and disadvantages of the various configurations, only a screened sub-net with a dual-homed gateway (configuration 1) is recommended. In this case, the gateway is between the network requiring protection and the external network and must be passed in any case.

So-called proxy processes run on the application gateway. These set up the connection with the target computer after authentication of the user and filter the data in accordance with the information of the application layer. Connections without proxy processes are not possible.

The more flexible but less secure option consisting of an application gateway with just one interface (configuration 2) should only be used if higher flexibility is absolutely necessary.

The computers involved must be set up in such a way that only the essential programs run on them (minimal system), and that these programs are correctly configured and all known weaknesses are eliminated.