Here is a white paper I wrote recently; the original can be found
on my web site http://www.unix.gr/
======================
Firewall Design White Paper v 1.1
Or a Heretic's View of Access Nexuses.
By
Angelos Karageorgiou
First of all, let me define what a firewall is and does. Here I will digress
a bit from the commonly accepted wisdom and define a firewall as an access
nexus in the digital communication infrastructure of any organization. That
is, you build a firewall not only to protect your internal data but also to
enhance your communication abilities overall.
This paper is not a set of instructions on how to build an access nexus; it
is more a white paper on the things you should expect from such a device and
be able to ask your vendor for. Please do tell them that these features are
currently available on Open Source servers. Also keep in mind that the
following items are by no means the full repertory of an access nexus. These
are just some common solutions to everyday problems. One can become very
fancy indeed in the applications that the nexus can support, but let's take
a handsome and logical set.
Let us take a case study of a Linux box (substitute your favorite Unix-like
OS here) serving as an access nexus. You are all familiar with the
three-fold implementation of networks, Public, Private and DMZ, so I will
not bore you any further with silly graphics. We also have to take into
account that most companies are using a router as an access point to the
internet. Our router has access lists built in, so why do we still need a
firewall to protect some of the machines and not others?
Extra Security
The router does have its access lists, but you can have another, more
specific set of lists using IPCHAINS or IPTABLES to further control access
to your resources. Furthermore, networks tend to exhibit growth patterns
akin to two-line programs. Once you plug in a second router, the access
lists on the first router are of little use, so it is a very good idea to
redo all the access rules on the firewall too. As for the strictness of the
rules, keep a balance: too tight and you make life hard for your users, too
loose and you lose.
Accessing the Internet
First and foremost, a firewall must be able to do Network Address
Translation (NAT, masquerading) so that you can plug in behind the firewall
as many machines as you need to access the net. And of course there is the
SOCKS protocol from NEC for even more strangeness. SOCKS is a NON-transparent
layer which allows NAT-unfriendly applications to traverse the firewall for
outside connections.
Easier routing
With more than one router, you only need to add routing entries on the
firewall itself and nowhere else on your LAN; clients will never know the
complexity of the outside world, and they should not really care. All
routing decisions should be made on the firewall if possible.
Intrusion Detection
But we are still passing all the internet traffic for them through the
firewall for a very simple reason: Intrusion Detection. No matter how
powerful a router is, it still cannot beat SNORT in detecting network
abuses. There is a slew of tools to analyze snort alerts, and of course my
favorite one is snortlog.
RSVP
Now how do I manage the bandwidth that my DMZ uses? Suppose that bandwidth
is expensive, which it is in most parts of the world; with a Linux box and
CBQ one can immediately have a very finely tuned traffic management system
at no cost and with little effort. Just look for the cbqinit script!
VPN (Virtual Private Networking)
There is too much talk about VPNs; there are fine products like FreeS/WAN
which allow secure network-to-network connections. But let's make it
simpler: suppose that you have geographically dispersed users who need
access to some resources on your net. Fire up PoPToP and you can have these
people access the resources you want them to have. As a note of good
design, use a different subnet in the IP address allocation scheme for
PPTPD connections so you can fine-tune your IPCHAINS access rules (see the
notes above). Also enable wtmp logging for PPPD, or else you will never
know which user connected when.
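The three-legged layout (Public, Private, DMZ) with masquerading and a separate PPTPD subnet, as an added example that is not from the paper: a script that emits the ruleset in iptables-restore format so it can be reviewed before it is loaded. Interface names, subnets and the DMZ web server address are assumptions; the paper gives none.

```shell
#!/bin/sh
# Added example (not the paper's own): rules for a three-legged access nexus
# with the PPTP client pool on its own subnet. Every interface name and
# address below is assumed.
PUB_IF=eth0            # public side, towards the router
DMZ_IF=eth1
LAN_IF=eth2
DMZ_NET=192.0.2.0/24
LAN_NET=10.10.0.0/16
VPN_NET=10.99.0.0/24   # PPTPD address pool, deliberately its own subnet
DMZ_WEB=192.0.2.10     # assumed web server in the DMZ
# Emit the ruleset instead of executing it, so it can be reviewed and tested.
fw_rules() {
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
# LAN and VPN clients are masqueraded behind the public interface
-A POSTROUTING -s $LAN_NET -o $PUB_IF -j MASQUERADE
-A POSTROUTING -s $VPN_NET -o $PUB_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# OpenSSH management from the LAN only; PPTP control channel and GRE from outside
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -i $PUB_IF -p tcp --dport 1723 -j ACCEPT
-A INPUT -i $PUB_IF -p gre -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN may initiate anywhere; the DMZ may reach the net but never the LAN
-A FORWARD -i $LAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $PUB_IF -o $DMZ_IF -d $DMZ_WEB -p tcp --dport 80 -j ACCEPT
-A FORWARD -i $DMZ_IF -s $DMZ_NET -o $PUB_IF -j ACCEPT
-A FORWARD -i $DMZ_IF -o $LAN_IF -j LOG --log-prefix "DMZ-to-LAN: "
-A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP
# VPN clients arrive on ppp+ and reach the DMZ web server only; the rest is logged
-A FORWARD -i ppp+ -s $VPN_NET -d $DMZ_WEB -p tcp --dport 80 -j ACCEPT
-A FORWARD -i ppp+ -s $VPN_NET -j LOG --log-prefix "VPN-denied: "
COMMIT
EOF
}
# How many emitted rules mention a given subnet or host (handy when reviewing)
rules_for() { fw_rules | grep -c -- "$1"; }
# Load on the real box only when explicitly asked: sh fw.sh apply
if [ "$1" = apply ]; then fw_rules | iptables-restore; fi
```

Run it without arguments to print the rules for review; the separate VPN subnet is what makes the per-client restrictions possible without touching the LAN rules.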
Usage Monitoring
Traffic graphers like MRTG and IPAC are wonderful tools that can give you
graphs of the utilization of the network cards on your firewall and router.
This way you can see patterns of utilization and make your predictions and
purchases accordingly. Very simply, it is a measurement tool for data, and
as any scientist will tell you, there is nothing you can do without
measurements. Also, tools like ANTEATER, PWEBSTATS and WEBALIZER will give
you a set of statistics that will help you understand the character of your
LAN and the habits of your users.
Live Traffic Monitoring / Net Debugging
Suppose now that you have a pesky little networking application that you
need to debug. Tools like TRAFSHOW will enable you to link up your endpoints
in no time at all. Many thanks to the original author of this application.
Traffic logging
OK, your network is fine, but what does it do when you are not there? Enter
NTOP, an exceptional piece of software that logs almost everything, and
then some, of the traffic that passes through your system. I do have a
gripe with NTOP though: it sets the interfaces into PROMISCUOUS mode by
default and starts all the alarms ringing. You might want to fiddle with
the source at the pcap_open_live call and switch its promiscuous-mode
argument from 1 to 0.
Economy
Smart utilization of bandwidth means that you must use a cache server like
SQUID, or even APACHE's built-in caching mechanism, to decrease the latency
of web pages received by your users. As I stated before, the target is
enhanced digital communication, or communion if you prefer.
Economy revisited
How much do all these wonderful things cost? Nothing: you have the source,
you can tinker and toy and make things work and be happy. Compare this with
commercial-grade appliances and software; sure, they will be better, but
how much better? Do you really get your money's worth for the cash you hand
out?
Secure Remote Management
Too much has been said about it, and too many bytes wasted. The bottom line
is that OPENSSH rules, and PUTTY rules also. You can administer this box
from anywhere in the world and still be more or less secure, since the data
stream is encrypted. Better yet, if you want to delegate administration to
another user, install OPENSSL and WEBMIN and give these people a graphical
front-end that enhances their experience :-)
Standard Services
Last but not least, there are all these standard UNIX services like EMAIL,
DNS and FAX; and yes, email retrieval can be secured by using an SSL
wrapper like popSSL and a server-side wrapper like Stunnel.
Colophon:
I will forgo all rhetoric on the open source model and make some
engineering remarks. You need a firewall/access nexus so that you can
manage access to resources and data traffic. You must pass ALL your traffic
through your access nexus so that you can know what goes where and does
what. An access nexus should be as flexible as a Swiss army knife, as
malleable as putty and as resilient as a network engineer with a collapsed
transatlantic backbone line :-)
Copyright © 2001 Angelos Karageorgiou. Use freely but do not abuse.