Multiple Firewalls - Depth of Security Tutorial

Thread: Multiple Firewalls - Depth of Security Tutorial

  1. #1
    Senior Member
    Join Date
    Jan 2002
    Posts
    371

    Multiple Firewalls - Depth of Security Tutorial

    This is my first tutorial (about time!), and I would welcome any suggestions on improving it. As I have knocked it up pretty quickly, there may be a few modifications required.

    I thought that I should write a little Tutorial on the purposes of Firewalls within a network. I am doing this because I recently discovered that there is a misconception that a Firewall's only purpose is to protect an Internet Connection. But if you work in a large organisation (and I know that some of you do, or have) the majority of your Firewalls will not be used for this purpose.

    Firstly, I would like to discuss the issue of Depth of Security. On a side note, Depth of Security should be implemented with ANY security function, whether it be Firewalls, Passwords, Permissions etc.

    Question. Why did the golfer wear 2 pairs of socks?
    Answer. In case he gets a hole in one.

    Really bad joke (don’t flame me!). This basically means that you should not rely on one security point to provide all of the security.

    What if it failed?
    What if there was a misconfiguration?

    You're basically fux0r3d!! That is why people should try to implement Depth in their Security. Say you have a Firewall protecting your Internet connection, and on the Internet-facing side of your Firewall is a Router. What is the harm in putting Access Control Lists (ACLs) on the Router?

    There is no harm.

    Example. What if you have a Firewall misconfiguration (whoops, I accidentally allowed all incoming NETBIOS through my Firewall)? Hopefully these NETBIOS requests would be dropped by your Router, and you would be safe. Phew!

    Now that you have read a little about Depth of Security, you may have a better understanding about why companies may use multiple Firewalls on their network. Here are some of these reasons:

    1. I will start with what we are all familiar with. Firewalling an Internet Connection. Not much explanation is required here, you need to protect your network from the wild, wild west, that is the Internet.

    2. You may also want to protect some important servers (for example, security administration servers, or servers that contain confidential data) from people located on your Internal Network. By doing this, you can restrict access via Firewall rulesets to the people who really need access to them.

    3. Large networks usually have Business to Business (B2B) relations, and a lot of this is done over a dedicated line, which is basically an entry point into your network that is not over the Internet but through a connection your network has with a telecommunication provider. As you cannot trust these B2B connections, there is a good reason to restrict their traffic with a Firewall to only access what they need.

    4. KorpDeath is quoted as saying “Yeah like keeping the buggy software engineer's testlab the hell away from the corporate LAN”. And rightly so! What if these software engineers inadvertently flooded your network and chewed up all of the bandwidth? How pissed off would the boss be if they cannot access their favourite web page? And here we have another reason for segregating areas of your network with Firewalls.

    I hope that someone out there in AO land has gained a bit of info out of this, and any feedback is welcomed.
    SoggyBottom.

    There were so many fewer questions when the stars were still just the holes to heaven - JJ | I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool.
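    The router-ACL-in-front-of-a-misconfigured-firewall scenario from the tutorial above, as an added example that is not part of the original post. It models both devices as ordered first-match rule lists (an assumption; real ACL and firewall syntax differs) and shows that the "whoops, NETBIOS allowed" mistake in the firewall is masked because the outer router ACL drops those packets before the firewall ever sees them. All rules and sample packets are constructed.

```python
from typing import List, Optional, Tuple

Packet = Tuple[str, int]            # (protocol, destination port), e.g. ("tcp", 139)
Rule = Tuple[str, Optional[str], Optional[Tuple[int, int]]]
# (action, protocol or None for any, inclusive port range or None for any)

def matches(rule: Rule, pkt: Packet) -> bool:
    _, proto, ports = rule
    if proto is not None and proto != pkt[0]:
        return False
    if ports is not None and not (ports[0] <= pkt[1] <= ports[1]):
        return False
    return True

def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; anything unmatched is denied (implicit deny)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule[0]
    return "deny"

# Outer layer: router ACL on the Internet-facing interface. It drops the
# NetBIOS/SMB ports, permits everything else, and leaves the rest to the firewall.
ROUTER_ACL: List[Rule] = [
    ("deny", "tcp", (135, 139)),
    ("deny", "udp", (135, 139)),
    ("deny", "tcp", (445, 445)),
    ("permit", None, None),
]

# Inner layer: the firewall with the tutorial's "whoops" in it. Incoming NetBIOS
# is permitted by mistake, ahead of the intended web/mail rules and the final deny.
FIREWALL: List[Rule] = [
    ("permit", "tcp", (137, 139)),   # the misconfiguration
    ("permit", "tcp", (80, 80)),
    ("permit", "tcp", (25, 25)),
    ("deny", None, None),
]

def reaches_inside(pkt: Packet) -> Tuple[str, str]:
    """Verdict of each layer in order. A packet the router drops never reaches
    the firewall, so the firewall's mistake is masked by the outer layer."""
    router = evaluate(ROUTER_ACL, pkt)
    if router != "permit":
        return router, "not reached"
    return router, evaluate(FIREWALL, pkt)

def delivered(pkt: Packet) -> bool:
    return reaches_inside(pkt) == ("permit", "permit")
```

Run `reaches_inside(("tcp", 139))` against `evaluate(FIREWALL, ("tcp", 139))` to see the difference: the firewall alone would permit NetBIOS, the layered path does not.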

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Security is like an onion. The more layers (rings) you have, the better.

    Good read. Keep it up
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Member
    Join Date
    May 2003
    Posts
    43
    I think this is a really cool tutorial, and you can't feel that this is your first about time....
    I really like it...

  4. #4
    Junior Member
    Join Date
    May 2003
    Posts
    12
    Kudos. I'm surprised more people haven't realised the need for depth in security, and if they have; I'm surprised they haven't written a tutorial on it. Once again, good job.

  5. #5
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    A good introduction to the subject. Many large companies (especially financial services) do this kind of thing now. Often more than one type of firewall will be used so that an exploit that succeeds against one will not work against another (of course this can get a little expensive).
    Quis custodiet ipsos custodes

  6. #6
    Banned
    Join Date
    May 2003
    Posts
    1,004
    SoggyBottom, I actually have a different way of approaching security. I prefer to keep the systems as minimalistic as possible.

    The reasoning for this is simple: security is made up of two things, functionality and assurance. The perfect balance is exactly the functionality you require and nothing more, because as you add to the system, its assurances go down.

    Consider for a moment a system that you wish to protect; let's evaluate it at 99% secure just to make the math easy. Next let us add a firewall to this system, also 99%. Now how secure is our total system? Well, 99% of 99% = 98.01%. In most situations of course we would use lower numbers and it would be a question of: does the firewall increase the base system's security more than its own lackings? That however just complicates the question at this level.

    Also consider that an organization only has X resources (time, money, people, systems, etc) so you start seeing things like: "Does it make more sense to purchase 10 XTS-300 systems at $80k each, each requiring 9 full time admins... or would it be more secure to have 300 linux systems with snort and ipchains with 3 full time admins for every ten systems?" Obviously if you need the computing power the 300 systems would be the way to go, but it sure as heck ain't going to be as secure.

    The same concept is used in physical security with man traps, or single points of entry that are much easier to effectively control than countless openings using all kinds of different security controls.

    In more secure, complicated environments you won't really see many internal firewalls; instead they migrate the concepts of labeled security to the network controllers as well, allowing in effect several different networks to exist in hierarchical levels, along the lines of the Bell-LaPadula model. This allows discretionary access systems such as NT/Linux to exist within an overall mandatory access control system, which allows for far greater simplicity than checking signatures and ports and ACLs all the time.

    catch

  7. #7
    Senior Member
    Join Date
    Mar 2003
    Posts
    217
    catch, you can also do the math backwards... effectively
    (this is the way statistics works... take a decision sciences class at a local college... they will tell you the same thing)


    99% secure system (1% insecure)
    99% secure firewall (1% insecure)

    .01 (1%) insecure system * .01 insecure firewall = .0001 (or .01% - a more secure system)

    think about it logically. they would have to find an exploit that gets through both your firewall and your system... basically an exploit that just happens to fall into BOTH 1% categories.

    I wasn't trying to show you up in correcting you, just explain both the Math behind it, as well as the security risk. Adding a firewall with a few problems can never hurt your system's security. It can slow things down, but that's about it. Even if someone hacks into your outer security, your inner stuff is safe.

    Common sense time: which is more secure,

    1) a house with locks
    2) a house with locks, guard dogs, an ADT system, a chain link fence with barbed wire on top, another fence on the outside with electricity running through it, a moat (fully equipped with moat monsters) and a small militia to protect it.

    ---
    2) -> even if the guard dogs are asleep, the power goes out and the ADT doesn't work, the militia took the weekend off and the moat monsters all died for lack of food, you still have your fences with barbed wire and your house locks.


    In catch's defense - the more you add, the more confusing things get...

    just my two cents.
    i'm starting to think that i'm bound to always be the first guy on the second page of the thread.

  8. #8
    Member
    Join Date
    Sep 2002
    Posts
    51
    yea i like the tutorial but i have 1 question what is the best firewall to get i have been looking around and so far i like Black Ice but do any of u know a better 1? if so plz let me know

  9. #9
    Senior Member
    Join Date
    Mar 2003
    Posts
    217
    *lord-of-dragons*, please search through the archives for that question. i think it's only been asked about 1500 times so far. you may want to delete the thread to avoid a negging.
    i'm starting to think that i'm bound to always be the first guy on the second page of the thread.

  10. #10
    Banned
    Join Date
    May 2003
    Posts
    1,004
    I have taken a decision sciences class, but you are forgetting one thing: extra firewalls don't mitigate extra security issues, they deal with the same concerns and a single failing in any of them can lead to a full compromise; review DOD-STD-5200.28 section B3 on system design. If you add extra stuff that doesn't mitigate different risk, there is an overall reduction in assurance as you have more to the system and consequently greater room for error.

    You are not adding guard dogs and such... you are just adding a second lock on top of the first one (or right next to it if it is a different type of firewall), with the caveat that if either lock is broken the door can be opened.

    For security to work in a layered manner, each needs to protect the faults of the others. If a firewall has an exploit that allows you to break the stack, the second firewall can't save you; in this case you'd need something else like network flags or mandatory access controls to protect you. That is why you only count the insecurities.

    catch
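    The arithmetic argued over in posts #6, #7 and #10, as an added example that is not from any poster in the thread. It carries the 99% / 99% figures through both readings (every component must hold, versus the attacker must defeat every layer), and adds a third, assumed toy model with a "common mode" probability that one flaw defeats all layers at once, which is the case catch raises. The probabilities are per-layer chances of being defeated and are constructed for illustration.

```python
from typing import Sequence

def p_compromise_series(p_fail: Sequence[float]) -> float:
    """catch's reading (post #6): every component must hold, and a failure in any
    one of them compromises the system. P(safe) is the product of (1 - p), so
    each extra part lowers it: 1 - 0.99 * 0.99 = 0.0199 for the thread's example."""
    safe = 1.0
    for p in p_fail:
        safe *= 1.0 - p
    return 1.0 - safe

def p_compromise_parallel(p_fail: Sequence[float]) -> float:
    """The reply's reading (post #7): the attacker must get through every layer and
    the layers fail independently, so P(compromise) is the product of the p's:
    0.01 * 0.01 = 0.0001 for the thread's example."""
    prob = 1.0
    for p in p_fail:
        prob *= p
    return prob

def p_compromise_correlated(p_fail: Sequence[float], common_mode: float) -> float:
    """Post #10's objection: if a single flaw defeats all layers at once (the same
    bug in two firewalls, or an attack none of them addresses), independence fails.
    common_mode is the assumed probability of such a shared failure; the rest of the
    time the layers fail independently. This is a toy model, not a thread formula."""
    independent = p_compromise_parallel(p_fail)
    return common_mode + (1.0 - common_mode) * independent

def layering_helps(p_fail: Sequence[float], common_mode: float) -> bool:
    """Do the extra layers beat the first system standing alone? Only while the
    shared-failure probability stays small relative to the single-layer risk."""
    return p_compromise_correlated(p_fail, common_mode) < p_fail[0]

if __name__ == "__main__":
    layers = [0.01, 0.01]                 # the thread's 1% / 1% example
    print("series     :", p_compromise_series(layers))
    print("parallel   :", p_compromise_parallel(layers))
    print("shared 0.5%:", p_compromise_correlated(layers, 0.005))
    print("shared 2%  :", p_compromise_correlated(layers, 0.02))
```

Both readings are arithmetically right; they answer different questions, and the correlated variant shows why a second layer only pays off when it fails for different reasons than the first.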
