Internet Security Professional Reference:How to Buy a Firewall


Firewall Architecture

When choosing a firewall, it is important to understand how a firewall works so that you can evaluate its fitness for your needs. Essentially, two basic types of firewall architecture exist: router architecture and advanced architecture. The following sections explain them.

Router Architectures

At one end of the spectrum are packet-filtering routers. A packet-filtering firewall can stop connections from flowing across the firewall boundary effectively and inexpensively. Packet-filtering firewalls examine each packet passing through them. The filtering rules define which packets are passed and which are dropped (or returned to sender). For security policies that do not require examining data at higher layers (such as the application layer), the packet-filtering router provides security by simply prohibiting connection establishment or data transfer across it according to the filtering rules set by the security manager.

However, a packet filter cannot be used safely for certain kinds of traffic, such as X Window System connections that appear at unpredictable high-numbered (unprivileged) ports. Packet filters also cannot support certain types of security policies, such as per-user or time-of-day restrictions.

Most router manufacturers include packet-filtering capabilities in their products. All of the major router vendors, including 3Com Corp., ACC (Advanced Computer Communications), Bay Networks, Cisco Systems, Livingston Enterprises, and Network Systems Corporation have products that can do simple packet filtering. Most of them are quite similar. The Livingston and Network Systems Corporation products, however, have additional security features built into them that increase their power when used as firewalls.

The security in a router that is acting as a packet filter is based on a filter rule set. These filter rules describe TCP and UDP packets in terms of source and destination addresses and application port numbers. To protect services inside the firewall, a network manager establishes rules that permit or deny access to packets flowing through the firewall to each service.

Evaluating Routers

The products evaluated in this section are as follows:

  Cisco 2500 series router
  Livingston FireWall IRX
  Network Systems Corporation’s The Security Router

Because most products in this space are similar, picking two common examples for the filter-inside-a-router product line is instructive. In this chapter, you’ll read about the Cisco 2500 series and the Livingston FireWall IRX, which are both very popular and well-accepted in the marketplace.

The Cisco 2500 series of routers is designed first and foremost to route network traffic. As a secondary function, Cisco has incorporated some limited packet filtering technology. Cisco’s packet filtering rules (called access lists) can be used by many organizations as an effective firewall, and are particularly suited to small organizations or ones with a small number of multi-user systems.

The Cisco 2514 has two LAN interfaces and two WAN interfaces and is typical of the 2500 series. Because it has two LAN interfaces, the Cisco 2514 is often used as a firewall. For organizations with only a single router, Cisco’s low-end 2501 router with a single WAN and single LAN interface would be sufficient, and give a great deal of protection for about $2,000. All 2500 routers run the same software, Cisco’s IOS.

Some routers, such as the 2500, also allow filtering based on the lower-level protocols IP and ICMP (Internet Control Message Protocol).

Although Cisco’s access lists are confusing to configure and manage, it’s the same confusion that network managers are already learning to clear up for the rest of the router. Learning to build access lists once you already know how to cope with Cisco’s configuration language is not difficult. However, building such access lists requires a fairly technical knowledge on the part of the network manager about security.

One major disadvantage of using a router as a firewall is that attacks on the network can go undetected because routers have little or no logging or printing capability. There are networks that can effectively use a firewall with no real logging of attempted attacks. Decentralized organizations such as university campuses and those with no strong central security policy usually rely on hosts to secure themselves and log any attacks. If the number of hosts in your network is very small, or if the network is so decentralized that a strong firewall policy is ineffective, then using a router as a firewall may be the right choice for you.

Most security managers, however, like to know when their domain is under attack with greater precision than a product such as the Cisco 2500 can provide. For this situation they can use Livingston’s FireWall IRX, a multi-protocol router that has been enhanced by Livingston for use as a firewall. The FireWall IRX adds logging, additional hardware, and a more powerful rule set.

Organizations with loose security requirements will be quite happy with the Livingston FireWall IRX. Although it is still only a stateless packet-filtering router, it offers a powerful and easy-to-use rule set as well as logging capabilities. Even if you’re an all-Cisco shop, the Livingston FireWall IRX is worth considering for the additional power it brings as a firewall.

The Livingston FireWall IRX is not as powerful a router as the Cisco 2514, but it has stronger security and firewall capabilities. Livingston’s packet-filtering rules (called “filters”) permit a more controlled configuration than Cisco’s. The FireWall IRX also can log information, such as the activation of a filtering rule to pass or drop a packet, to a host system on the network.

Livingston’s access lists have a better-designed syntax than Cisco’s (although there are certain very obscure rules that can be expressed easily in Cisco’s syntax but not in Livingston’s) and are easier for network managers to use and understand.

Logging in the FireWall IRX uses the Unix syslog facility. When a FireWall IRX has a message to log, it sends the message to a network host using the syslog protocol. The FireWall IRX has two LAN ports and one WAN port. This feature enables the FireWall IRX to be used as both the connection router to the Internet and a firewall connecting two different Ethernets inside the network, a cost-effective approach.
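The rule-set model described above (source and destination addresses plus port numbers, permit or deny, first match wins), the stateless nature of these routers, and the syslog-style decision logging can all be seen in one small filter. This is an added example, not code from the book or from Cisco or Livingston; the `Packet` and `Rule` shapes, the 192.0.2.0/24 internal network and the policy are constructed for illustration.

```python
# Added example (not the book's text or any vendor's syntax): a first-match,
# stateless packet filter of the kind the router rule sets above describe.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str            # source address
    dst: str            # destination address
    sport: int
    dport: int
    ack: bool = False   # TCP ACK bit; a stateless filter can only infer "reply" from it

@dataclass(frozen=True)
class Rule:
    action: str         # "permit" or "deny"
    proto: str          # "tcp", "udp" or "any"
    src: str            # CIDR the source address must fall in
    dst: str            # CIDR the destination address must fall in
    dports: range       # destination ports matched
    established: bool = False   # match only packets with the ACK bit set

def matches(rule: Rule, pkt: Packet) -> bool:
    """Stateless match: the packet header alone decides; there is no connection table."""
    return (rule.proto in ("any", pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and pkt.dport in rule.dports
            and (pkt.ack or not rule.established))

def filter_packet(rules: list, pkt: Packet, log: list) -> str:
    """First matching rule decides; no match means deny. Each decision is logged syslog-style."""
    flow = f"{pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            log.append(f"rule {i} {rule.action} {flow}")
            return rule.action
    log.append(f"default deny {flow}")
    return "deny"

# Constructed policy for an internal network 192.0.2.0/24: inside hosts may open
# any outbound TCP connection, and only replies may come back to unprivileged ports.
POLICY = [
    Rule("permit", "tcp", "192.0.2.0/24", "0.0.0.0/0", range(1, 65536)),
    Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.0/24", range(1024, 65536), established=True),
]
# Limitation of the stateless design: an unsolicited inbound packet carrying the ACK
# bit matches rule 1 exactly like a genuine reply, because nothing records which
# connections inside hosts actually opened.
```

Run the policy against a genuine reply and against an unsolicited ACK-bit packet to the same high port: both are permitted, which is the limitation the "advanced architecture" proxies discussed in this chapter are meant to address.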

