

From the document Information Security (pages 87-90)

Technical tools

3.4 Network-oriented tools

3.4.3 Network access control

3.4.3.1 Firewalls

A firewall is a device, or a combination of devices, that enforces an access control policy between two or more network segments. In this book, the word firewall is always used to refer to a collection of devices, compatible with the idea that firewalls are architectural solutions incorporating the idea of defense in depth. The term commercial firewall will be used to refer to firewall products.

As there are many excellent books on firewall technology, this section will be limited to a very brief description of what firewalls are and what they do. Interested readers are pointed towards more specialized texts for a more complete description [19–22].

Firewalls allow or deny connections from one network to another based on a set of rather low-level rules expressed in terms of protocol data. This data is taken from layers 3 to 7 of the protocol stack as defined by the OSI model [1]. In the TCP/IP world, we normally think of layers 5, 6, and 7 as being part of the application, so rules for allowing or denying access are based on network layer, transport layer, and application-level information.

Firewalls do not in general recognize non-TCP/IP protocols, and they have to be specially configured to recognize and deal with application-level traffic. From this brief description, it should be evident that firewalls have a very limited set of data with which they can work, and this places limits on what they can reasonably achieve. In recognition of this limitation, most modern commercial firewalls now include functionality for authenticating users, which is a major step forward, as this enables us to relate a network connection to a person rather than to a network address.

Two important classes of commercial firewall software operate using different principles but achieve similar results. Commercial firewalls using the stateful filtering approach route IP packets from one network interface to the other directly. Stateful filtering mechanisms build on simple packet-filtering techniques [23]. The firewall software intercepts packets at the network layer as they are being routed and analyzes protocol information from layers 3 to 7, together with information describing the “state” of the connection, in order to determine whether the packet should be dropped or allowed to proceed on its journey. For connectionless protocols, such as UDP, this is achieved using a virtual session concept in which state information is stored by the firewall software even though the protocol itself is stateless.
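The following toy stateful packet filter is an added illustration of the approach just described; it is not code from the book or from any product. It keeps a state table keyed by the 5-tuple, lets a packet through without consulting the rule base when it belongs to a flow already in the table (in either direction), only admits a bare TCP SYN as the opener of a new connection, and creates a timed "virtual session" entry for UDP so that a DNS reply can be matched to the query that caused it. The addresses, rules, packet trace and the 30-second UDP timeout are all constructed for the example.

```python
"""Toy stateful packet filter (added example, not the book's code).

Rules are expressed in layer 3/4 terms only. A packet is matched against the
static rule base only when it is not already part of a flow recorded in the
state table. For UDP, a "virtual session" is created by the first permitted
datagram so that the reply can be matched although UDP itself keeps no state.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags such as {"SYN"}; ignored for UDP
    ts: float = 0.0                 # arrival time in seconds (constructed clock)


@dataclass
class Rule:
    action: str                       # "allow" or "deny"
    proto: Optional[str] = None
    src_prefix: Optional[str] = None  # e.g. "10.0.0." for the inside network
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.src_prefix is None or p.src.startswith(self.src_prefix))
                and (self.dport is None or self.dport == p.dport))


FlowKey = Tuple[str, str, int, str, int]


class StatefulFilter:
    UDP_SESSION_TIMEOUT = 30.0  # seconds of silence before a virtual session is dropped (assumed value)

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.state: Dict[FlowKey, float] = {}  # flow key -> time of last packet seen

    @staticmethod
    def _forward(p: Packet) -> FlowKey:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet) -> FlowKey:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _expire(self, now: float) -> None:
        # Only UDP virtual sessions time out here; TCP flows end on RST.
        stale = [k for k, last in self.state.items()
                 if k[0] == "udp" and now - last > self.UDP_SESSION_TIMEOUT]
        for k in stale:
            del self.state[k]

    def _first_match(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return "deny"  # no rule matched: default deny

    def process(self, p: Packet) -> str:
        """Return "allow" or "deny" for one packet and update the state table."""
        self._expire(p.ts)
        # 1. Part of a flow we already track, in either direction?
        for key in (self._forward(p), self._reverse(p)):
            if key in self.state:
                if p.proto == "tcp" and "RST" in p.flags:
                    del self.state[key]     # connection reset: forget the flow
                else:
                    self.state[key] = p.ts  # refresh the flow's last-seen time
                return "allow"
        # 2. Unknown flow: a TCP segment that is not a bare SYN cannot open a
        #    connection, so it is dropped whatever the rule base says.
        if p.proto == "tcp" and p.flags != frozenset({"SYN"}):
            return "deny"
        # 3. Genuinely new connection attempt: consult the rule base.
        if self._first_match(p) != "allow":
            return "deny"
        self.state[self._forward(p)] = p.ts  # new TCP connection or UDP virtual session
        return "allow"


# Constructed rule base: inside hosts (10.0.0.x) may open HTTP and DNS flows outbound.
INSIDE_RULES = [
    Rule("allow", proto="tcp", src_prefix="10.0.0.", dport=80),
    Rule("allow", proto="udp", src_prefix="10.0.0.", dport=53),
]

if __name__ == "__main__":
    fw = StatefulFilter(INSIDE_RULES)
    trace = [  # constructed packet trace
        Packet("tcp", "10.0.0.5", 40000, "203.0.113.10", 80, frozenset({"SYN"}), 0.0),
        Packet("tcp", "203.0.113.10", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"}), 0.1),
        Packet("tcp", "203.0.113.10", 80, "10.0.0.6", 40001, frozenset({"ACK"}), 0.2),
        Packet("udp", "10.0.0.5", 5353, "203.0.113.53", 53, ts=1.0),
        Packet("udp", "203.0.113.53", 53, "10.0.0.5", 5353, ts=1.2),
        Packet("udp", "203.0.113.53", 53, "10.0.0.5", 5353, ts=100.0),
    ]
    for pkt in trace:
        print(pkt.proto, pkt.src, "->", pkt.dst, pkt.dport, fw.process(pkt))
```

The third packet in the trace shows the point of keeping state: an inbound ACK for a connection the firewall never saw opened is dropped even though, judged on addresses and ports alone, it looks like an HTTP reply. The last packet shows the flip side for UDP: once the virtual session has been idle past the timeout, a late "reply" is treated as unsolicited inbound traffic and falls through to the default deny.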

Application-level firewalls, also known as application-gateway firewalls or proxy firewalls, do not directly route packets. Incoming packets are processed by the communications software and handed to a specialized application capable of understanding the particular high-level protocol being used.

Because they enforce controls at the application layer, proxy firewalls are application specific, which means that every time a new protocol is developed, a new proxy is required to secure it. In reality, most proprietary protocols do not have an associated proxy, and proxy servers are used mainly to control standard, RFC-based Internet protocols such as file transfer protocol (FTP) and hypertext transfer protocol (HTTP).

The mode of operation of stateful filtering firewalls is compared with that of application-gateway firewalls in Figure 3.6.


Figure 3.6 Stateful filtering and application-gateway techniques.

In the last few years the distinction between the two technologies has been somewhat blurred due to many vendors now marketing hybrid solutions, incorporating features from both types of model.

3.4.3.2 Proxy servers

Proxy servers are only mentioned briefly here, because, as far as security is concerned, they function in a similar way to application-gateway firewalls [24]. Whereas firewalls are concerned with network access control for both inbound and outbound traffic, the focus of proxy servers is on controlling connections that originate within the enterprise. In this capacity, proxy servers are able to add value by requiring authentication of the end user, restricting communication to a defined set of protocols, applying access control restrictions, and carrying out auditing and logging.

It is important to note, however, that generalized proxy servers, and in particular Web proxy servers (which are probably the most common type of proxy server in deployment these days), are not used for security alone. For instance, one of the most important functions of Web proxy servers is that of caching data to improve performance. Strictly speaking, therefore, proxy servers are not security tools and are more correctly regarded as multifunctional tools, which nevertheless implement important security functionality.

3.4.3.3 Web filters

Web filters are used to control access of internal employees to Web sites. These tools allow the administrator to selectively block access to certain types of Web sites based on a local policy.

Web filtering products permit or block access to external Web sites on the basis of a locally defined policy. In reality, these tools are used as much to control employee productivity as to increase site security. Web filters do, however, help control Internet risk by preventing users from accessing sites that are likely to host inappropriate content or malicious code.

The decision to allow or block any particular request is made by consulting an underlying database of potentially problematic Web sites, which is maintained and regularly updated by the software vendor. Certain products also support agent software, which is used to analyze which Web sites are being accessed by the organization and to update the database accordingly. This allows organizations to develop a database customized to meet their particular requirements.

As the interpretation of “problematic” varies considerably from organization to organization, sites are classified by topic, providing the administrator with the flexibility to define which sites are acceptable for a particular implementation. The degree to which this can be fine tuned varies from product to product, but tools will typically include the ability to block certain categories of sites, apply time-of-day restrictions, and define the way in which attempted accesses are monitored.

Web filter products are used not only to deny access to certain categories of Web sites, but also to monitor activity by providing reports on usage. Tools that support the notion of users and groups are able to provide statistics showing which groups of users are accessing which categories of sites and information relating to individuals. This can be useful for following certain types of suspicious behavior but may also have implications for privacy.

The major commercial offerings provide a range of predefined reports and the ability to create customized reports.
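The following toy policy engine is an added example of how the pieces described in this subsection fit together (category database, per-group category blocks, time-of-day restrictions, and usage reports by group); it is not code from the book or from any commercial product. The category database, host names, groups and policy are constructed. It goes slightly beyond the text in one respect: a host is looked up first exactly and then by its parent domains, so one database entry covers the subdomains beneath it.

```python
"""Toy Web filter policy engine (added example, not the book's code).

A request is categorized by looking up its host, then its parent domains, in
a category database. The requesting user's group policy (plus a global "*"
policy) decides whether that category is blocked outright or only inside a
time-of-day window. Every decision is logged so that usage reports can be
produced per group and category.
"""
from collections import Counter, defaultdict
from datetime import time
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for the vendor-maintained site database.
CATEGORY_DB: Dict[str, str] = {
    "intranet.example.com": "business",
    "news.example.net": "news",
    "video.example.org": "streaming",
    "malware.example.test": "malicious",
    "games.example.test": "games",
}

Window = Optional[Tuple[time, time]]  # None means "blocked at all times"


class WebFilter:
    def __init__(self, category_db: Dict[str, str], default_category: str = "uncategorized"):
        self.db = category_db
        self.default = default_category
        # policy[group][category] -> Window; the group "*" applies to everyone
        self.policy: Dict[str, Dict[str, Window]] = defaultdict(dict)
        # one entry per decision: (user, group, host, category, decision)
        self.log: List[Tuple[str, str, str, str, str]] = []

    def block(self, group: str, category: str, between: Window = None) -> None:
        self.policy[group][category] = between

    def categorize(self, url: str) -> Tuple[str, str]:
        """Return (host, category); hosts absent from the database get the default."""
        host = (urlsplit(url).hostname or "").lower()
        labels = host.split(".")
        # Exact host first, then each parent domain (www.news.example.net -> news.example.net ...)
        for i in range(len(labels)):
            cat = self.db.get(".".join(labels[i:]))
            if cat is not None:
                return host, cat
        return host, self.default

    def check(self, user: str, group: str, url: str, now: time) -> str:
        """Decide "allow" or "block" for one request and record it in the log."""
        host, cat = self.categorize(url)
        rules = {**self.policy.get("*", {}), **self.policy.get(group, {})}
        if cat not in rules:
            decision = "allow"
        else:
            window = rules[cat]
            blocked_now = window is None or window[0] <= now < window[1]
            decision = "block" if blocked_now else "allow"
        self.log.append((user, group, host, cat, decision))
        return decision

    def report(self, group: Optional[str] = None) -> Dict[Tuple[str, str], int]:
        """Request counts per (category, decision), for one group or for everyone."""
        counts: Counter = Counter()
        for _user, g, _host, cat, decision in self.log:
            if group is None or g == group:
                counts[(cat, decision)] += 1
        return dict(counts)


def build_demo_filter() -> WebFilter:
    """Constructed policy: malicious sites blocked for everyone; staff may not
    stream during office hours and may not reach game sites at all."""
    wf = WebFilter(CATEGORY_DB)
    wf.block("*", "malicious")
    wf.block("staff", "streaming", between=(time(9, 0), time(17, 0)))
    wf.block("staff", "games")
    return wf


if __name__ == "__main__":
    wf = build_demo_filter()
    for user, group, url, now in [  # constructed requests
        ("alice", "staff", "https://video.example.org/clip", time(10, 30)),
        ("alice", "staff", "https://video.example.org/clip", time(19, 0)),
        ("bob", "it", "http://www.malware.example.test/x", time(12, 0)),
        ("bob", "it", "https://games.example.test/", time(12, 0)),
    ]:
        print(user, group, url, now, "->", wf.check(user, group, url, now))
    print(wf.report("staff"))
```

Two design points are worth noting. Unknown hosts fall into a default category rather than being silently allowed, so an organization that wants to block uncategorized sites can do so with one more `block` call. And because the log records the group as well as the user, the same data supports both the per-group statistics and the per-individual reporting the text mentions, which is exactly why the privacy implications arise.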

3.4.4 Network security monitoring
