Innovating The Next Big Thing, October 24, 2014

Strategic Innovator: Journal of Strategic Innovation
Network & Information Security

Firewalls - The Complete Reference
Nov 25, 2002 – By Keith Strassberg, Gary Rollie, and Richard Gondek

With excerpts from the authors' new book: Firewalls - The Complete Reference.

ISBN: 0072195673
Format: Softcover
400 illustrations
960 pages
Price: $59.99 US

The Most Comprehensive Firewalls Resource Available

Keep your network data secure by installing and maintaining an effective firewall system. Get complete coverage of all major firewall technologies, learn how to properly design and configure firewalls, know what to watch for when evaluating products, and discover best practices for management and deployment.

Get in-depth, objective advice on installing and configuring today's most popular firewalls, including Check Point FireWall-1 4.1 and NG, Cisco PIX, Microsoft ISA Server, NetScreen, SonicWall, and Symantec, and learn strategies for successful network design and firewall placement.

Gain insight into common methods for attacking firewalls--including software bugs, viruses, and misconfigurations. Learn firewall best practices and how to improve the overall security of your firewall installation. This multipurpose guide contains all the implementation and administration information you need to keep your network safe from unauthorized access:

> Restrict access to your network without compromising usability and functionality

> Understand the strengths and limitations of firewall technology

> Get in-depth explanations of network and port address translation, VPNs, authentication, virus protection, content filtering, and more

> Learn about the various architectures available today--application and circuit-level gateways, packet filters, and stateful packet inspection engines

> Find out how hackers commonly go about breaking into a network

> Get details on platforms and features for key products from Check Point, Cisco, Symantec, Microsoft, and others

> Manage your firewall installation using built-in tools, objects, and services

> Supplement your firewall system by implementing human controls such as education and log monitoring

> Understand the details of implementing the Cisco Secure Policy Manager

> Learn the latest on Check Point NG FireWall-1, the Cisco IOS Firewall Feature Set, and Linux iptables


Keith Strassberg, CPA, CISSP, is an experienced information systems security consultant. With Greenwich Technology Partners since 1999, Keith assists numerous clients in developing risk assessment methodologies and information classification systems.

Gary Rollie, MCSE, CCNA, CCNP, is a senior performance engineer with Greenwich Technology Partners. Gary's strengths are in LAN/WAN, Web Server, Application Server, SQL Server, and Oracle Server technologies, including infrastructure design, integration, implementation, performance testing, and problem resolution.

Richard J. Gondek, CCIE, CISSP, is a security and internetworking consultant with expertise in large scale network design, perimeter systems and network hardening, and emerging technologies (such as network traffic management and local and wide area wireless networking). He joined Greenwich Technology Partners in 1999.

Chapter 1: Introduction

The Internet has arguably become the most diverse virtual entity ever developed by humankind. The sheer number of users grows by the hundreds of thousands from all parts of the world on a regular basis, with no end in sight. The Internet is the virtual common place where everyone is welcome to do business, communicate, research information, or simply enjoy surfing the Net. The vastness of the Internet, along with the differences among its visitors, creates a unique melting pot. However, it also contains a great potential for misuse, abuse, and criminal activity. This potential for mischief has driven the need for security practices and devices to protect Internet resources.

Almost as pervasive as the Internet is the "hacker" and its malicious cohort, the "cracker," who spend their time breaking into computer systems. Unfortunately, mystical computer skills are no longer required to successfully penetrate today's systems. Enter a new term into the world's vocabulary: the script kiddie. A script kiddie isn't armed with magical computer powers but rather with a computer program whose sole purpose is to find and break into computer systems. The script kiddie doesn't understand how the program is able to break in, only how to use it. The script kiddie is even losing its place in the process, as programs are becoming intelligent enough to function unattended, scanning and compromising systems in bulk. The net effect of this is that the frequency, intensity, and sources of attacks have significantly increased in recent years.

Internet users must understand that this underground is part of the Internet, and eventually it will find their systems. The Internet spans the globe, and law-enforcement authorities are not equipped to bring even a small fraction of these evildoers to justice. But all is not lost: while there are numerous tools available to protect systems, the firewall still stands as the biggest and best weapon for keeping the evil forces lurking along the miles and miles of the information superhighway at bay.

Firewalls: The Complete Reference is a hands-on guide to designing, building, and maintaining today's most popular firewalls. This guide is a vendor-independent resource for new firewall implementations and can be used as an ongoing desktop reference for firewall administration. It contains information useful for all types of firewall users, including large corporate firewall administrators, small office administrators, individuals, and general enthusiasts.

Definition of a Firewall

The basic function of a firewall is to screen network communications for the purposes of preventing unauthorized access to or from a computer network. Firewalls take on many different shapes and sizes, and sometimes the firewall is actually a collection of several different computers. For the purposes of this book, a firewall is the computer or computers that stand between trusted networks (such as, internal networks) and untrusted networks (such as the Internet), inspecting all traffic that flows between them. Firewalls have the following attributes:

> All communications pass through the firewall.

> The firewall permits only traffic that is authorized.

> The firewall can withstand attacks upon itself.

Simply put, a firewall acts as the buffer between a trusted network and an untrusted network. The name firewall is actually derived from a technique used in construction in which a wall is built from fire-retardant materials to prevent, or at least slow down, the spread of a fire. Essentially it is a barrier. In a network, the firewall is a point of enforcement to guard against attacks from other networks.

A firewall can be a router, a personal computer, a host, or a collection of hosts set up specifically to shield a private network from protocols and services that can be abused from hosts outside the trusted network. A firewall system is usually located at a network perimeter, such as a site's connection to the Internet. However, firewall systems can and should be located inside the network perimeter to provide additional and more specific protection to a smaller collection of hosts.

The way a firewall protects the trusted network depends on the firewall itself, and the policies/rules that are applied to it. Here are the four main categories of firewall technologies available today:

> Packet filters

> Application gateways

> Circuit-level gateways

> Stateful packet-inspection engines

As with all technology solutions, firewall technology is subjected to the normal advancement and lifecycles that products and technologies undergo. Chapters 4 and 5 provide more in-depth information on the various firewall types and technologies.
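The practical difference between the first and the last of those categories is easiest to see in code. The following is an added example, not code from the book or from any of the products it covers: a toy stateless packet filter and a toy stateful inspection engine run over the same packet sequence. Addresses, the "inside" network prefix, the web server, and the "permit inbound ACK to a high port" rule that stateless filters use to approximate return traffic are all hypothetical.

```python
# Added example (not from the book): toy models of a stateless packet
# filter and a stateful inspection engine, applied to the same packets.
# Addresses and the "inside" prefix are hypothetical.
from dataclasses import dataclass
from typing import Dict, Set, Tuple

INSIDE_PREFIX = "10.0.0."      # hypothetical trusted network
WEB_SERVER = "10.0.0.5"        # hypothetical public web server


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def is_outbound(p: Packet) -> bool:
    return is_inside(p.src) and not is_inside(p.dst)


class StatelessFilter:
    """Packet filter: every packet is judged on its own header fields only.
    It cannot know whether an inbound packet answers a connection the inside
    opened, so the classic workaround is to permit any inbound packet with
    ACK set to an unprivileged port."""

    def decide(self, p: Packet) -> str:
        if is_outbound(p):
            return "permit"                       # inside may go anywhere
        if p.dst == WEB_SERVER and p.dport == 80:
            return "permit"                       # public web service
        if p.ack and p.dport >= 1024:
            return "permit"                       # "established" guess
        return "deny"                             # default deny


class StatefulInspector:
    """Stateful inspection: remembers connections it has permitted and admits
    only packets that belong to one, plus the initial SYN of an authorized
    new connection."""

    def __init__(self) -> None:
        self.table: Set[Tuple[str, int, str, int]] = set()

    def decide(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if key in self.table or reverse in self.table:
            return "permit"                       # part of a known connection
        if p.syn and not p.ack:                   # new connection attempt
            if is_outbound(p) or (p.dst == WEB_SERVER and p.dport == 80):
                self.table.add(key)
                return "permit"
        return "deny"                             # stray or unauthorized


def run_scenario() -> Dict[str, Tuple[str, str]]:
    """Feed one packet sequence through both engines; return (stateless, stateful) verdicts."""
    stateless, stateful = StatelessFilter(), StatefulInspector()
    sequence = [
        ("syn to web:80", Packet("198.51.100.7", 40211, WEB_SERVER, 80, syn=True)),
        ("syn to web:23 (telnet)", Packet("198.51.100.7", 40212, WEB_SERVER, 23, syn=True)),
        ("inside client opens https", Packet("10.0.0.20", 40000, "198.51.100.7", 443, syn=True)),
        ("legitimate syn/ack reply", Packet("198.51.100.7", 443, "10.0.0.20", 40000, syn=True, ack=True)),
        ("ack probe to inside client", Packet("203.0.113.9", 443, "10.0.0.20", 40000, ack=True)),
        ("stray ack to web:80", Packet("203.0.113.9", 5555, WEB_SERVER, 80, ack=True)),
    ]
    return {label: (stateless.decide(p), stateful.decide(p)) for label, p in sequence}


if __name__ == "__main__":
    for label, (a, b) in run_scenario().items():
        print(f"{label:28s} stateless={a:6s} stateful={b}")
```

Both engines agree on the obvious cases: the SYN to the web server is permitted, the SYN to Telnet is denied, and the reply to the inside client's HTTPS connection is permitted. They part company on the last two packets. The stateless filter has to let the attacker's ACK probe through, because an ACK to a high port is indistinguishable from return traffic without connection state; the stateful engine denies it because no connection in its table accounts for it, and for the same reason it drops a stray ACK to port 80 that the stateless rule waves in.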

Why Use a Firewall?

The first question that people may ask is, why use a firewall? Why not just configure individual systems to withstand attack? The simplest answer is that the firewall is dedicated to only one thing-deciding between authorized and unauthorized communications.

This prevents having to make compromises between security, usability, and functionality. Without a firewall, systems are left to their own security devices and configurations. These systems may be running services that increase functionality or ease administration but are not overly secure, are not trustworthy, or should only be accessible from specific locations. Firewalls are used to implement this level of access control. If an environment lacks a firewall, security relies entirely on the hosts themselves. Security will only be as strong as the weakest host. The larger the network, the more complex it becomes to maintain all hosts at equally high levels of security. As oversights occur (such as only applying a critical security patch to 14 of the 15 web servers), break-ins occur because of simple errors in configuration and inadequate security patching.

The firewall is the single point of contact with untrusted networks. Therefore, instead of ensuring multiple machines are as secure as possible, administrators can focus on the firewall. This isn't to say that the systems available through the firewall shouldn't be made as secure as possible; it just provides a layer of protection against a mistake.

Firewalls are excellent auditors. Because all traffic passes through them, the information contained in their logs can be used to reconstruct events in case of a security breach. In general, firewalls mitigate the risk that systems will be used for unauthorized or unintended purposes (for example, getting hacked). What exactly are the risks to these systems that firewalls are protecting against? Corporate systems and data have three primary attributes that are protected by a firewall:

> Risk to confidentiality: The risk that an unauthorized party will access sensitive data or that data is prematurely disclosed. A business could easily lose millions of dollars from simply having its business plan, company trade secrets, or financial information exposed.

> Risk to data integrity: The risk of unauthorized modification to data, such as financial information, product specifications, or prices of items on a web site. Businesses grow and thrive on the accuracy of the information their systems produce. How can the best decisions be made if the system information becomes unreliable? (What are the sales levels? Which accounts receivable are accurate?)

> Risk to availability: System availability ensures systems are appropriately resilient and available to users on a timely basis (that is, when users require them). Unavailable systems cost corporations real dollars in lost revenue and employee productivity as well as in intangible ways through lost consumer confidence and negative publicity.

Common Types of Attacks

The preceding section discussed why individuals and corporations implement firewalls. Now the question is, exactly how do attackers gain unauthorized access to systems? Motivations for such attacks are numerous and often range from "to see if it could be done," to using the compromised systems to attack other systems, to performing corporate espionage, and even for simple malicious reasons such as disrupting and/or damaging systems.

There are literally dozens of different ways an intruder can gain access to a system. Chapter 6 provides additional information on common methods for attacking firewalls; however, a brief list of the most common attacks is provided here:

> Social engineering: An attacker tricks an administrator or other authorized user of a system into sharing their login credentials or details of the system's operation.

> Software bugs: An attacker exploits a programming flaw and forces an application or service to run unauthorized or unintended commands. Such attacks are even more dangerous when the program runs with additional or administrative privileges. The most common flaws of this kind are buffer overflows and format string vulnerabilities.

For excellent reading on the buffer overflow and format string attacks, refer to the following sites:

> Viruses and/or Trojan code: An attacker tricks a legitimate user into executing a program. The most common avenue for such an attack is to disguise the program in an innocent-looking e-mail or within a virus. Once executed, the program can do a number of things, including installing backdoor programs, stealing files and/or credentials, or even deleting files.

> Poor system configuration: An attacker is able to exploit system configuration errors in available services and/or accounts. Common mistakes include not changing passwords on default accounts (both at the system and application levels) as well as not restricting access to application administration programs or failing to disable extraneous and unused services.

In addition to attempting to gain unauthorized access to systems, malicious individuals may attempt to simply disrupt systems. For critical and highly visible applications, the cost to the business could be just as severe. These attacks are referred to as denial of service (DoS) attacks. A DoS attack is an incident in which a user, network, or organization is deprived of a resource or service they would normally have. The loss of service is usually associated with the inability of an individual network service, such as e-mail or web, to be available or the temporary loss of all network connectivity and services.

Firewall Placement

Although Chapter 3 will provide an in-depth discussion on network design and firewall placement, we will introduce these topics here. Firewalls can and should be installed wherever two networks with different security requirements are interconnected. The most common usage of a firewall is between the Internet connection and the local area network. Other common firewall uses include protecting connections to external third parties, such as market data providers, and between sensitive areas of an internal network. When discussing networks, this book will use the concept of the network perimeter, which is the complete border of the local area network. Ingress and egress points are formed when the local area network is connected to another network, such as the Internet. These connection points are almost always firewalled.

On the surface, defining the network perimeter seems simple. However, with the advent of the virtual private network, the actual perimeter becomes fuzzy. Virtual private network technologies allow remote users to connect through the firewall as if they were on the local network. They have become extensions of the corporate network, but the hosts themselves are outside the protection provided by the corporate firewall. Malicious individuals who compromise these users can use them as a conduit through the corporate firewall. Administrators should consider installing local personal firewalls on these hosts to achieve a uniform level of security at the perimeter.

Firewall Strengths and Weaknesses

A firewall is just one piece of an overall security architecture. However, as a single piece of the architecture, it is designed to fill a very important requirement within the overall design. As with everything, firewalls have strengths and weaknesses.


Common firewall strengths include:

> Firewalls are excellent at enforcing the corporate security policy. They should be configured to restrict communications to what management has determined to be acceptable.

> Firewalls are used to restrict access to specific services. For example, the firewall permits public access to the web server but prevents access to the Telnet and other nonpublic daemons. The majority of firewalls can even provide selective access via authentication functionality.

> Firewalls are singular in purpose. Therefore, compromises do not need to be made between security and usability.

> Firewalls are excellent auditors. Given plenty of disk space or remote logging capabilities, a firewall can log any and all traffic that passes through it.

> Firewalls are very good at alerting appropriate people of events.


Common firewall weaknesses include:

> Firewalls cannot protect against what is authorized. You might be wondering what this means. Firewalls protect applications and permit the normal communications traffic to those applications; otherwise, what is the point? If the applications themselves have flaws, a firewall will not stop the attack because, to the firewall, the communication is authorized.

> Firewalls are only as effective as the rules they are configured to enforce. An overly permissive rule set will diminish the effectiveness of the firewall.

> Firewalls cannot stop social engineering or an authorized user intentionally using their access for malicious purposes.

> Firewalls cannot fix poor administrative practices or a poorly designed security policy.

> Firewalls cannot stop attacks in which traffic does not pass through them.

Good Security Practices

Although a complete discussion on best practices regarding firewall configuration and management is beyond the scope of this book (many volumes are available on this topic), it is still useful to introduce a number of important concepts that can and will improve the overall security of a firewall. These concepts apply to both the firewall and the systems protected by that firewall. Also note that the following concepts and practices are not mutually exclusive, and when properly implemented together, they can achieve higher levels of security.

Help Your Systems Help Themselves

Except in some very rare situations, systems and applications are not installed in their most secure configurations. In addition, services extraneous to the desired functionality of your system or application are installed and activated by default. It is good practice to enable only the bare-minimum services and accounts necessary for the proper operation of a system. Countless intrusions occur because an unused service or account superfluous to the operation of the system was compromised. The practice of disabling unnecessary services and reconfiguring other services for greater security is often referred to as host hardening. Here is a small checklist to follow when hardening hosts:

> Disable any and all unneeded or unnecessary services.

> Remove unneeded accounts and groups. Change the passwords of, and/or disable, default application and system accounts. Disable interactive login for accounts that do not require it.

> Reconfigure remaining services for increased security.

> Secure any and all administrative functions.

> Use strong passwords. Strong passwords are longer than seven characters and mix upper- and lowercase letters, numbers, and non-alphanumeric characters (punctuation and symbols).

The SANS Institute publishes a number of "best practice" guides for securing operating systems.

Patch! Patch! Patch!

Consistently applying the torrent of patches released today is a daunting and often overlooked process. New vulnerabilities are being discovered constantly. A system that was secure one minute could turn completely vulnerable the next. To stay on top of your systems, subscribe to multiple bug-notification mailing lists as well as vendor mailing lists for installed software. Popular vulnerability-notification services are maintained by the following organizations:

> Internet Security Systems maintains its X-Force database and mailing list.

> SecurityFocus maintains a copy of the Bugtraq archive and mailing list.

> The Computer Emergency Response Team Coordination Center (CERT/CC) publishes advisories.

> The Common Vulnerabilities and Exposures (CVE) database lists publicly known vulnerabilities under a common identifier.

After applying patches, you should verify that system security was not weakened. As an example, Sun is notorious for having its Solaris cluster patches re-enable services.
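The hardening checklist above and the post-patch check both reduce to the same question: what is listening on this host, and is each listener something policy allows? The following is an added example, not code from the book: it parses `ss -ltnp`-style listening-socket output, flags any non-loopback listener that is not on an allowlist, and diffs a pre-patch snapshot against a post-patch one to catch services a patch bundle switched back on. The two snapshots are constructed text, not output from a real host, and the allowlist is a hypothetical policy.

```python
# Added example (not from the book): flag listening services that fall
# outside an allowlist, and diff two snapshots to catch services a patch
# re-enabled. The snapshots are constructed `ss -ltnp`-style text, not
# output from a real host; the allowlist is a hypothetical policy.
import re
from typing import Set, Tuple

Listener = Tuple[str, int, str]   # (bind address, port, process name)

BEFORE_PATCH = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*          users:(("nginx",pid=901,fd=6))
LISTEN  0       128     127.0.0.1:5432      0.0.0.0:*          users:(("postgres",pid=950,fd=5))
"""

# Same host after a hypothetical patch bundle that switched two services back on.
AFTER_PATCH = BEFORE_PATCH + """\
LISTEN  0       5       0.0.0.0:23          0.0.0.0:*          users:(("in.telnetd",pid=1203,fd=4))
LISTEN  0       50      0.0.0.0:2049        0.0.0.0:*          users:(("rpc.nfsd",pid=1210,fd=3))
"""

# Services policy allows on a non-loopback address: (port, process name).
ALLOWED_PUBLIC: Set[Tuple[int, str]] = {(22, "sshd"), (80, "nginx")}

LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)


def parse_listeners(ss_output: str) -> Set[Listener]:
    """Extract (address, port, process) from LISTEN lines; the header line is skipped."""
    found: Set[Listener] = set()
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found.add((m.group("addr"), int(m.group("port")), m.group("proc")))
    return found


def is_loopback(addr: str) -> bool:
    return addr.startswith("127.") or addr in ("::1", "[::1]")


def violations(listeners: Set[Listener]) -> Set[Listener]:
    """Listeners reachable from the network that the allowlist does not cover."""
    return {
        entry for entry in listeners
        if not is_loopback(entry[0]) and (entry[1], entry[2]) not in ALLOWED_PUBLIC
    }


def newly_listening(before: str, after: str) -> Set[Listener]:
    """Services present after patching that were not listening before."""
    return parse_listeners(after) - parse_listeners(before)


if __name__ == "__main__":
    print("pre-patch violations :", violations(parse_listeners(BEFORE_PATCH)))
    print("re-enabled by patch  :", newly_listening(BEFORE_PATCH, AFTER_PATCH))
    print("post-patch violations:", violations(parse_listeners(AFTER_PATCH)))
```

Run against the constructed snapshots, the pre-patch host is clean (PostgreSQL is bound to loopback, so it is not counted as network-reachable), and the post-patch diff surfaces Telnet and NFS as both newly listening and outside policy. The snapshot comparison is the part worth keeping in a patch procedure: it catches the "patch re-enabled a service" failure even when nobody remembers what the allowlist said.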

Appliance vs. Operating System

Historically, firewalls ran on top of a general-purpose operating system such as Windows NT or Unix. They functioned by modifying the system kernel and TCP/IP stack to monitor traffic. Therefore, these firewalls were at the mercy of problems present in the operating systems they ran on top of. To achieve a high level of security, it was necessary to harden, patch, and maintain the operating system (as described in the previous section). This could be a time-consuming and difficult task especially if there was a lack of expertise or time to adequately secure and maintain a fully functional operating system. Today, however, a number of firewall vendors distribute their firewalls as appliances.

Appliances integrate the operating system and the firewall software to create a fully hardened, dedicated firewall device. The integration process removes any and all functionality not required to screen and firewall packets. In addition, a fully functional administrative interface is provided to further simplify configuration and maintenance of the firewall. Firewall appliances do not require a significant amount of host hardening when being deployed (usually changing default passwords is all that is required).

Administrators can focus on developing rule sets instead of reconfiguring and patching a general-purpose operating system. Appliances significantly reduce operating and maintenance costs over operating system-based firewalls. This book discusses a number of appliance firewalls, including the Cisco PIX, Netscreen, SonicWall, and Check Point FireWall-1 on the Nokia IPSO platform.

Layer Defenses

Although the firewall itself is an excellent security tool, it should not be completely relied upon. As stated before, firewalls cannot protect against what is authorized. What happens if an intruder bypasses the firewall? Consider the scenario in which an intruder is able to use HTTP to exploit your web server, gaining shell access to that system. The firewall will permit this traffic because HTTP is permitted to the web server, and the attacker can use this as a conduit to attack other servers and systems on the network without the protection of the firewall. If these systems are not configured in a secure manner, it won't be long until the entire infrastructure is compromised.

When you're implementing systems, it is good practice to implement redundant controls to limit or prevent system damage in the event a control fails. (It's like having a steering wheel lock for your car, even though there is a lock on the door.) Redundant controls include the following:

> Hardening your internal hosts to withstand attacks in case the firewall fails or is bypassed.

> Running services in restricted environments (for example, via the Unix chroot command) and with minimal privileges.

> Implementing multiple firewalls from different vendors or implementing packet filters on network routers. This reduces exposure to a specific flaw in the firewall itself.

> Implementing human controls such as education, log monitoring, and alerting.

> Putting in place systems to automatically detect and alert administrators to unauthorized or malicious activity. These systems are referred to as intrusion-detection systems (IDS).

Creating a Security Policy

The corporate information security policy is the foundation that establishes corporate information as an asset that must be protected. It defines the corporation's sensitivity to risk and the consequences for a breach of security. The corporate security policy also defines how data should be protected; the firewall is the implementation of this policy. For smaller organizations that do not have a large database of formalized policies, it is incredibly useful to document the purposes of the network and use the firewall to restrict usage accordingly.

Policy empowers administrators to deny the many requests for new firewall access that are always submitted. Without clearly defining what should and should not be permitted through the firewall, over time the firewall's effectiveness is reduced as more and more services are permitted.

Monitoring and Logging

Any system can be penetrated given sufficient time and money. But penetration attempts leave evidence: entries in logs, and so on. If people are watching systems diligently, attacks can often be detected and stopped before they succeed. Therefore, it is extremely important to monitor system activity. Applications should record both successful and unsuccessful events. Verbose logging and timely reviews of those logs can alert administrators to suspicious activity before a serious security breach occurs.
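The evidence a probing attacker leaves in firewall logs is usually a burst of denied connections to many different ports from one source. The following is an added example, not code from the book: it parses denied-packet log lines and raises one alert per source when that source is seen hitting a threshold number of distinct destination ports inside a sliding time window. The log lines are constructed in the style of a Linux iptables LOG target with "DROP " and "ACCEPT " log prefixes (the syslog timestamp carries no year, as in the real format); the 60-second window and five-port threshold are hypothetical tuning values.

```python
# Added example (not from the book): parse firewall DROP log lines and raise
# an alert when one source probes many distinct ports in a short window.
# The log lines are constructed in the style of an iptables LOG target
# with a "DROP "/"ACCEPT " prefix; threshold and window are hypothetical.
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Set, Tuple

SAMPLE_LOG = """\
Nov 25 02:14:01 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=40211 DPT=80 SYN
Nov 25 02:14:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP SPT=51234 DPT=21 SYN
Nov 25 02:14:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP SPT=51235 DPT=22 SYN
Nov 25 02:14:04 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP SPT=51236 DPT=23 SYN
Nov 25 02:14:04 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=40212 DPT=445 SYN
Nov 25 02:14:05 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP SPT=51237 DPT=25 SYN
Nov 25 02:14:06 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP SPT=51238 DPT=80 SYN
Nov 25 02:14:07 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP SPT=51239 DPT=110 SYN
Nov 25 02:20:11 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=40213 DPT=445 SYN
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+kernel:\s+(?P<action>\w+)\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=(\S*)')   # IN=eth0 OUT= SRC=... style fields


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if the line is not a firewall event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    return {
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),  # year-less syslog stamp
        "action": m.group("action"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "dpt": int(fields["DPT"]) if fields.get("DPT") else None,
    }


Alert = Tuple[str, str, List[int]]   # (source address, time of alert, distinct ports seen)


def detect_scans(lines: List[str], window_seconds: int = 60, min_ports: int = 5) -> List[Alert]:
    """One alert per source that hits min_ports distinct denied ports within window_seconds."""
    recent: Dict[str, Deque[Tuple[datetime, int]]] = defaultdict(deque)
    alerted: Set[str] = set()
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] != "DROP" or ev["dpt"] is None:
            continue                                  # only denied packets count
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dpt"]))
        while (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()                               # expire events outside the window
        ports = sorted({port for _, port in q})
        if len(ports) >= min_ports and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append((ev["src"], ev["ts"].strftime("%b %d %H:%M:%S"), ports))
    return alerts


if __name__ == "__main__":
    for src, when, ports in detect_scans(SAMPLE_LOG.splitlines()):
        print(f"{when} possible port scan from {src}: ports {ports}")
```

On the constructed log, 203.0.113.9 trips the alert on its fifth distinct port at 02:14:06; the later hit on port 110 does not produce a second alert. 198.51.100.7 is denied twice on port 445, but six minutes apart and always the same port, so it never reaches the threshold, and its earlier accepted connection to port 80 is ignored because only denied packets are counted. In production the same sliding-window logic belongs on a central log host receiving the firewall's remote syslog, so that an attacker who compromises the firewall cannot also erase the evidence.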

Auditing and Testing

One of the most important things that can be done after configuring your firewall is to ensure that the level of security you planned to achieve is in fact what was achieved, as well as to verify that nothing was overlooked. A number of freeware and commercial tools are available that can be used to test the security of the firewall and the systems behind it. Chapter 6 details common attack and testing methodologies for firewalls. Security is an ongoing process; once a system is implemented, it is essential that the configurations be thoroughly tested. Audits are used to periodically assess and evaluate security.

© 2008 SecurityInnovator. All rights reserved.