Basic Integrated Network Security


Understanding the Basic Security Concepts of Integrated Network and System Devices

Network devices—such as routers, firewalls, gateways, switches, hubs, and so forth—create the infrastructure of local area networks (on the corporate scale) and the Internet (on the global scale). Securing such devices is fundamental to protecting the environment and outgoing/incoming communications. You also have to be aware of security risks and controls available in the public switched telephone networks (PSTN) infrastructure because PSTNs are often used for computer communications. This section of the chapter introduces the security concepts applicable to physical devices, network topologies, and storage media.

Firewalls

A firewall is a hardware device or software application installed at the border of a secured network to examine and control incoming and outgoing network communications. As the first line of network defense, firewalls protect against outside attacks, but they have no control over attacks launched from within the corporate network. A firewall can also block traffic and services that are actually legitimate, so its rule set has to be tested against the traffic the business really needs, not just deployed.
TIP
Know that a firewall is a hardware or software system designed to protect one network from another network, and be familiar with the various types of firewalls.
Because network security is concentrated on configuring the firewall, or at least is built around it, a compromised firewall can mean a disaster for a network. For smaller companies, though, a firewall represents the best investment of time and money. All things considered, a firewall is as indispensable as the Internet itself; however, you should not rely on it exclusively for top-to-bottom network protection.
Increasingly, companies are also deploying firewalls outside the edges of networks, as well as between network segments and even on individual machines, where justified.
Three basic types of firewalls are available, in addition to one—the stateful inspection firewall—that combines the features of the three basic types. Firewall architectures include the following:
  • Packet-filtering firewall
  • Circuit-level gateway
  • Application-level gateway
  • Stateful inspection firewall

Packet-Filtering Firewall

Packet-filtering architecture involves checking network traffic for source and destination addresses, source and destination port numbers, and protocol types. Packet filtering allows an administrator to exclude traffic based on its source and destination addresses and, depending on the device, traffic aimed at specific protocols and ports. This architecture is usually described as functioning on the Network layer (layer 3) of the Open Systems Interconnection (OSI) model; strictly speaking, port numbers and TCP flags are Transport layer (layer 4) header fields, so a packet filter reads the layer 3 and layer 4 headers of each packet in isolation and keeps no record of the session the packet belongs to. Most quality routers (not just firewalls) have packet-filtering functionality built in. Devices made by Cisco Systems, the undisputed leader in the area of network devices in general, employ access lists provided as a feature of the Internetwork Operating System (IOS). For Transmission Control Protocol/Internet Protocol (TCP/IP) traffic control, the two types of access lists are standard and extended.
Standard lists match on the source address only; only extended lists let you check all of the previously listed characteristics and add further conditions, such as the established keyword, which matches TCP packets carrying the ACK or RST bit (that is, return traffic of sessions already opened from the inside). An access list can be applied to an interface inbound, outbound, or both, to screen traffic in either direction on each interface. Applying the filter inbound on the external interface lets the router discard prohibited packets before it spends CPU time making a routing decision. Every access list ends with an implicit deny: any packet that is not explicitly permitted is dropped. Similar solutions built into the operating system can be found in Windows NT and its TCP/IP implementation, in Windows 2000 with the same protocol features plus IP Filtering in the local policies, in many Unix-like operating systems, and in specialized firewall platforms.
Packet-filtering solutions are generally considered less secure than circuit-level architectures because a packet filter keeps no session state: any packet that matches a permit rule is let inside the network whether or not it belongs to a session that was legitimately established. A stray ACK, or a SYN aimed at a permitted service, is passed straight to the host. This exposes internal systems to attacks the filter cannot see, such as denial-of-service (DoS) attacks (connection exhaustion and the like) and buffer overflow exploits against the "allowed" applications on target machines.
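The following is an added example, not code from the book, that models how a stateless packet filter evaluates an access list with the same semantics as an IOS extended ACL: first matching entry wins, anything unmatched hits the implicit deny, and an established-style entry admits any TCP segment with ACK or RST set. The site layout (a 192.0.2.0/24 LAN with a public web server at 192.0.2.10), the rule set, and the sample packets are all constructed for the example. The last sample packet shows the weakness described above: an ACK that belongs to no real session is admitted because the filter has nothing to check it against.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    """Only the header fields a packet filter looks at (sample data is constructed below)."""
    proto: str                           # "tcp", "udp" or "icmp"
    src: str                             # source IP address
    dst: str                             # destination IP address
    sport: int = 0                       # source port (0 for ICMP)
    dport: int = 0                       # destination port (0 for ICMP)
    flags: FrozenSet[str] = frozenset()  # TCP flag names, e.g. {"SYN"}, {"ACK"}


@dataclass(frozen=True)
class Rule:
    """One access list entry, modelled on an IOS extended ACL line."""
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches any protocol
    src: str                      # source network in CIDR notation
    dst: str                      # destination network in CIDR notation
    dport: Optional[int] = None   # destination port, None = any
    established: bool = False     # like IOS 'established': match only if ACK or RST is set

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False
        return True


def filter_packet(acl: List[Rule], p: Packet) -> str:
    """First matching entry decides; a packet matching nothing hits the implicit deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


# Hypothetical site: the LAN is 192.0.2.0/24 and 192.0.2.10 runs a public web server.
# This list is meant to be applied inbound on the external (Internet-facing) interface.
LAN = "192.0.2.0/24"
INBOUND_ACL = [
    # Anti-spoofing: a packet claiming to come from our own LAN can never
    # legitimately arrive on the outside interface.
    Rule("deny", "ip", LAN, "0.0.0.0/0"),
    # Anyone may reach the web server on port 80.
    Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", dport=80),
    # Return traffic for sessions opened from inside: ACK or RST must be set.
    Rule("permit", "tcp", "0.0.0.0/0", LAN, established=True),
    # Implicit deny follows.
]

SYN, ACK = frozenset({"SYN"}), frozenset({"ACK"})

# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLES = {
    "web request":     Packet("tcp", "198.51.100.7", "192.0.2.10", 40000, 80, SYN),
    "ssh to web host": Packet("tcp", "198.51.100.7", "192.0.2.10", 40001, 22, SYN),
    "http to other":   Packet("tcp", "198.51.100.7", "192.0.2.55", 40002, 80, SYN),
    "spoofed source":  Packet("tcp", "192.0.2.5", "192.0.2.10", 40003, 80, SYN),
    "dns over udp":    Packet("udp", "198.51.100.7", "192.0.2.10", 40004, 53),
    # Nobody inside ever opened this session, but the ACK bit satisfies 'established':
    "unsolicited ack": Packet("tcp", "198.51.100.7", "192.0.2.55", 443, 5000, ACK),
}


def decisions() -> dict:
    """Verdict for every sample packet under INBOUND_ACL."""
    return {name: filter_packet(INBOUND_ACL, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:16s} -> {verdict}")
```

Only "web request" and "unsolicited ack" are permitted. The second verdict is the point: a stateless filter has no way to tell an ACK that completes a session opened from inside from one an attacker simply set the ACK bit on, which is exactly the gap the circuit-level and stateful architectures close.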

Circuit-Level Gateway

Circuit-level architecture involves monitoring TCP/IP session requests between trusted hosts on the LAN and non-trusted hosts on the Internet. This monitoring, performed at the Session layer (layer 5) of the OSI model, is done to determine whether a requested session is legitimate. When hosts establish a TCP session, they conduct a procedure called handshaking, in which the peers agree on communication parameters: the initiator sends a SYN, the responder answers with a SYN-ACK, and the initiator completes the exchange with an ACK. The firewall ensures that these session-establishment packets occur only when prescribed and in the prescribed order.
Figure 3.1 A normal handshake.
Popular attacks, such as DoS, are often launched when an attacker begins the TCP three-way handshake with a SYN packet (and thereby begins to establish a connection) that is never completed. Instead, the attacker emits another SYN packet and initiates another connection that is also never completed; repeated thousands of times, this causes problems. This attack, called a SYN flood, forces the victim system to reserve one of its finite number of half-open connection slots for each SYN the initiator sends. Because the requests arrive so quickly, the victim has no time to free dangling, incomplete connections before all its resources are consumed. TCP/IP standards suggest timeout periods generous enough to ride out ordinary congestion or a short outage; within one such default timeout period, however, an attacker can send enough connection attempts to exhaust system resources and make the system unavailable to legitimate users. Circuit-level architectures can detect and prevent these attacks because the security device sees every session request and can discard suspicious ones. If you receive 2,000 SYN (connection) requests per minute from a single host, you should become suspicious. Security devices can also be configured to do some or all of the following:
  • Block any future communications from a suspicious host—This can be problematic if an attacker is using a spoofed source address. Legitimate traffic from that address will be blocked as well.
  • Throttle back the rate of responses to requests—You can honor a certain number of requests per minute and discard the rest.
  • Expire unanswered initialization requests much more quickly than the default TCP/IP recommendations.
  • Notify an administrator of a potential attack in progress.
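Below is an added example, not code from the book, of a circuit-level gateway that tracks the three-way handshake and applies all four countermeasures listed above: it counts SYNs per source over a sliding minute and blocks a host that exceeds the 2,000-per-minute figure, throttles by forwarding only a fixed number of SYNs per source per minute, expires half-open circuits after a short timeout instead of the stack default, and records an alert for the administrator. The addresses, the throttle and timeout values, and the traffic (one legitimate handshake followed by a flood of 2,500 uncompleted SYNs from one host) are constructed for the example; only the 2,000-per-minute threshold comes from the text.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Set, Tuple

# Policy constants. Only the 2,000/minute figure is from the book; the rest are assumed.
SYN_BLOCK_THRESHOLD = 2000   # SYNs per source per minute that mark a host as hostile
SYN_HONOUR_PER_MIN = 200     # SYNs per source per minute actually forwarded (throttle)
WINDOW = 60.0                # sliding window for the per-source SYN count, seconds
HALF_OPEN_TIMEOUT = 3.0      # expire unanswered SYNs after this, far below stack defaults

Circuit = Tuple[str, int, str, int]   # (src, sport, dst, dport)


@dataclass(frozen=True)
class Segment:
    ts: float          # arrival time, seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # TCP flag names, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


@dataclass
class CircuitGateway:
    half_open: Dict[Circuit, float] = field(default_factory=dict)  # SYN seen, no final ACK yet
    established: Set[Circuit] = field(default_factory=set)
    syn_times: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    blocked: Set[str] = field(default_factory=set)
    alerts: List[str] = field(default_factory=list)
    forwarded: int = 0
    dropped: int = 0

    def expire(self, now: float) -> int:
        """Free half-open circuits whose handshake was not completed in time."""
        stale = [c for c, t in self.half_open.items() if now - t > HALF_OPEN_TIMEOUT]
        for c in stale:
            del self.half_open[c]
        return len(stale)

    def _syn_rate(self, src: str, now: float) -> int:
        """Record this SYN and return how many SYNs src sent in the last WINDOW seconds."""
        q = self.syn_times[src]
        q.append(now)
        while q and now - q[0] > WINDOW:
            q.popleft()
        return len(q)

    def _verdict(self, ok: bool) -> str:
        if ok:
            self.forwarded += 1
            return "forward"
        self.dropped += 1
        return "drop"

    def handle(self, s: Segment) -> str:
        self.expire(s.ts)
        fwd: Circuit = (s.src, s.sport, s.dst, s.dport)
        rev: Circuit = (s.dst, s.dport, s.src, s.sport)
        if s.src in self.blocked:
            return self._verdict(False)
        if "SYN" in s.flags and "ACK" not in s.flags:       # new session request
            rate = self._syn_rate(s.src, s.ts)
            if rate > SYN_BLOCK_THRESHOLD:                   # block the host, tell the admin
                self.blocked.add(s.src)
                self.alerts.append(f"{s.src}: {rate} SYNs within {WINDOW:.0f}s, host blocked")
                return self._verdict(False)
            if rate > SYN_HONOUR_PER_MIN:                    # throttle: discard the excess
                return self._verdict(False)
            self.half_open[fwd] = s.ts
            return self._verdict(True)
        if {"SYN", "ACK"} <= s.flags:                        # responder's reply to a tracked SYN
            return self._verdict(rev in self.half_open)
        if "ACK" in s.flags and fwd in self.half_open:       # initiator completes the handshake
            del self.half_open[fwd]
            self.established.add(fwd)
            return self._verdict(True)
        # Anything else must belong to an established circuit, in either direction.
        return self._verdict(fwd in self.established or rev in self.established)


def simulate() -> CircuitGateway:
    """Constructed traffic: one legitimate handshake, then a SYN flood from a single host."""
    gw = CircuitGateway()
    client, server, attacker = "198.51.100.7", "192.0.2.10", "203.0.113.9"
    gw.handle(Segment(0.0, client, 40000, server, 80, frozenset({"SYN"})))
    gw.handle(Segment(0.1, server, 80, client, 40000, frozenset({"SYN", "ACK"})))
    gw.handle(Segment(0.2, client, 40000, server, 80, frozenset({"ACK"})))
    # 2,500 SYNs in about 30 seconds from one source, none of them ever completed.
    for i in range(2500):
        gw.handle(Segment(1.0 + i * 0.012, attacker, 1024 + i, server, 80, frozenset({"SYN"})))
    return gw


if __name__ == "__main__":
    gw = simulate()
    print(f"forwarded={gw.forwarded} dropped={gw.dropped} half_open={len(gw.half_open)}")
    print("blocked:", sorted(gw.blocked))
    for a in gw.alerts:
        print("ALERT", a)
```

Running it forwards the three legitimate segments and the first 200 attacker SYNs, throttles the next 1,800, blocks the host on the 2,001st SYN and raises one alert, and by the end of the flood every half-open circuit the attacker did manage to open has been expired, so the protected server never holds more than a few seconds' worth of dangling connections. A segment that belongs to no tracked circuit is dropped, which is the contrast with the stateless filter. The per-source counting is the weak spot the first bullet above warns about: an attacker spoofing a different source address on every SYN never trips the threshold, which is why a real device also needs an aggregate half-open limit and the short expiry shown here.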