Picking the Right Firewall
Redmond's new Security Advisor drills down into the specifics of what should be considered when selecting your next firewall.
Welcome to my inaugural Security Advisor column. Like many of you, I've read this feature since its inception and developed a lot of respect and admiration for Roberta Bragg, who has been this magazine's Security Advisor from the beginning. I'll try to uphold Roberta's standard of delivering meaningful, timely and interesting discussion of security-related topics, and know you'll join me in wishing Roberta all the best in her future endeavors.
Much of my work over the last few years has revolved around firewalls, coinciding with a period in which the firewall industry has changed in significant ways, moving beyond low-level functionality and into the higher-level application realm. Let's take a look at what's been happening, and what it can mean for your environment.
Hardware vs. Software
Let me start with one of the most persistent myths in the firewall world. I often hear the statement, "Hardware firewalls are more secure than software firewalls." According to this theory, a firewall with a single-purpose operating system, such as ScreenOS, used by Juniper Networks' NetScreen appliances, has a very small attack surface. Running a firewall on a multi-purpose operating system, like Microsoft Internet Security and Acceleration (ISA) Server 2004 on Windows Server 2003, creates a larger attack surface; the more complex operating system requires additional services, thus creating additional targets for attackers and reducing system stability.
In theory this is true, but in reality hardware-based firewalls aren't necessarily more secure. It's been my experience that many of these firewalls don't have required security patches installed because re-imaging the ASIC chip that contains the firewall's OS is too daunting a task for many network administrators. On the other hand, I generally find that administrators regularly apply security patches to multi-purpose operating systems and firewall software. In addition, well-designed firewall software, such as ISA 2004, blocks disallowed network traffic before the OS and its network stack can process it, removing the OS as an attack vector altogether.
The line between hardware and software firewalls continues to blur. Consider that Network Engines sells a firewall appliance that runs ISA 2004, combining elements of both hardware and software firewalls. The distinction is becoming less clear all the time.
Protecting Layer 7
Traditional firewalls operating at Layers 3 and 4 of the Open System Interconnect (OSI) model are unable to protect against newer attacks because they don't inspect traffic at the application layer, or Layer 7 (see "A Brief History of Firewalls"). Most firewall manufacturers responded to this by adding application-layer filtering to their products. When performing this inspection, a firewall takes a single packet, or assembles several packets that make up application traffic, and makes forwarding decisions based on that traffic. An application-layer firewall can also help secure traffic that uses secondary connections, such as FTP. FTP uses a control connection between the client and the server to negotiate a secondary connection for the actual data transfer. Application support lets a firewall monitor the control connection and then allow the secondary connection using the port that the client and server agree on.
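As an added illustration (not code from the original column), here is a toy Python model of the FTP inspection just described: the firewall reads the PORT command or the 227 reply on the control connection, decodes the negotiated address and port, and opens a one-shot pinhole for exactly that data connection. The addresses, ports and control-channel lines are constructed, and the model also covers active mode (PORT), which the column only implies.

```python
import re

# h1,h2,h3,h4,p1,p2 notation used by FTP PORT commands and 227 PASV replies
_HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_hostport(text):
    """Return (ip, port) from an FTP host-port string, or None if malformed."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if not all(0 <= x <= 255 for x in (h1, h2, h3, h4, p1, p2)):
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class FtpHelper:
    """Watches one FTP control connection and records the data connection it
    negotiates as a pinhole keyed on (src ip, dst ip, dst port)."""

    def __init__(self, client_ip, server_ip):
        self.client_ip, self.server_ip = client_ip, server_ip
        self.pinholes = set()

    def observe(self, direction, line):
        """direction is 'c2s' for client commands, 's2c' for server replies."""
        if direction == "c2s" and line.upper().startswith("PORT "):
            hp = parse_hostport(line)
            # Active mode: the server will connect back to the client. Only
            # honour an address that matches the client on this control channel.
            if hp and hp[0] == self.client_ip:
                self.pinholes.add((self.server_ip, hp[0], hp[1]))
        elif direction == "s2c" and line.startswith("227"):
            hp = parse_hostport(line)
            # Passive mode: the client will connect to the server's address.
            if hp and hp[0] == self.server_ip:
                self.pinholes.add((self.client_ip, hp[0], hp[1]))

    def allow_data(self, src_ip, dst_ip, dst_port):
        """Admit a data connection once, only if the control channel set it up."""
        key = (src_ip, dst_ip, dst_port)
        if key in self.pinholes:
            self.pinholes.discard(key)
            return True
        return False
```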
A Brief History of Firewalls
Traditional firewalls operate at Layers 3 and 4 of the Open System Interconnect (OSI) model. The earliest firewalls were Layer 3 devices, operating at the Network Layer. Such firewalls perform simple packet filtering, examining each packet passing through and making a decision about whether to forward or drop the packet. For example, a firewall that only allows outgoing Web traffic would contain a rule that allows packets with destination port 80 from any internal IP address to any IP address on the Internet. To allow the return packets from Internet-based Web servers a second rule is required: Allow packets with source port 80 from any IP address on the Internet to any internal IP address. It didn't take hackers long to figure out that such rules allow them to send any traffic they choose into someone's internal network as long as the attack tools use port 80 as the source port. Because of such vulnerabilities, no serious firewall today relies on packet filtering alone.
Stateful, or circuit-level, inspection was developed to address the limitations of packet filtering. This type of protection operates at Layer 4, the Transport layer. Stateful firewalls examine entire connections between computers, instead of just single IP packets. In the example of outgoing Internet traffic, a stateful firewall allows incoming packets from port 80 on an external computer only if they belong to a connection that was initiated to that port from an internal computer. Other incoming packets are dropped, even if their TCP source port is 80. In addition, stateful inspection also tries to ensure the integrity of the connection itself, guarding against attacks such as TCP session hijacking, which is an attempt to take control of an existing, legitimate connection.
The problem with relying on packet filtering and stateful inspection alone is that most attacks today use legitimate ports and allowed connections. If you're not providing access to a Web server, you can easily protect your network by configuring your firewall to drop all traffic addressed to port 80 on your computers. If you have a public Web server, though, you have to allow inbound traffic to the server on port 80. Packet filtering and stateful inspection allow all such traffic to reach the server. Hackers know this and most of today's attacks use allowed connections. This means that most of today's attacks aren't based on bypassing packet filters or playing tricks with TCP connections. Instead, they attack applications, such as a Web server, mail server, or even a client program like a browser over valid connections and allowed ports.
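To make the sidebar's port-80 example concrete, here is an added Python model (not from the column) of the two filter types applied to three constructed packets: a browser's outbound request, the web server's reply, and an attacker's packet to an internal file-sharing port that merely uses source port 80. All addresses and ports are made up.

```python
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."   # constructed internal address range


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False         # True for the first packet of a TCP connection


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def stateless_allow(p):
    """Layer 3 rules from the sidebar, judged one packet at a time:
    internal -> any:80 outbound, and any:80 -> internal back in."""
    if is_internal(p.src) and p.dport == 80:
        return True
    if not is_internal(p.src) and p.sport == 80 and is_internal(p.dst):
        return True
    return False


class StatefulFilter:
    """Layer 4: remember connections internal hosts open to port 80 and
    admit inbound packets only when they belong to one of them."""

    def __init__(self):
        self.connections = set()   # (int ip, int port, ext ip, ext port)

    def allow(self, p):
        if is_internal(p.src) and p.dport == 80:
            key = (p.src, p.sport, p.dst, p.dport)
            if p.syn:
                self.connections.add(key)   # new outbound connection
            return key in self.connections
        # inbound: only a reply to a connection we recorded
        return (p.dst, p.dport, p.src, p.sport) in self.connections


def run_scenario():
    """Return (stateless verdicts, stateful verdicts) for the three packets."""
    fw = StatefulFilter()
    packets = [
        Packet("10.0.0.5", 40000, "203.0.113.10", 80, syn=True),  # browser opens
        Packet("203.0.113.10", 80, "10.0.0.5", 40000),            # server reply
        Packet("198.51.100.7", 80, "10.0.0.5", 445),              # attacker, sport 80
    ]
    return [stateless_allow(p) for p in packets], [fw.allow(p) for p in packets]
```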
Some vendors have come up with colorful marketing terms for Layer 7 filtering; Check Point Software Technologies, for instance, calls it Application Intelligence. No matter the term used, application-layer filtering is crucial to protect today's networks. Application-layer capabilities are what most differentiate firewalls today, and finding the right firewall for your exact needs can be a complicated task.
This is because vendors vary greatly on what they consider application-layer filtering to be. One vendor's fine print reveals its "strong" application-layer capabilities are limited to blocking ActiveX and Java programs. Others have more capable solutions, but suffer a significant performance hit because their firewalls weren't designed to do Layer 7 filtering. But several products give you detailed control over a large range of application-layer protocols without impacting network performance too much, so do your homework.
The Windows Firewall
Windows XP and Windows Server 2003, Service Pack 1 include the same built-in firewall. How does the Windows Firewall compare to the other firewalls covered here?
First, the Windows Firewall is a personal firewall designed to protect a single computer; as such, it's no replacement for network firewalls that inspect all incoming and outgoing traffic. But that doesn't mean you should neglect the Windows Firewall if your network is already protected by a firewall.
One primary use of the Windows Firewall is for laptop computers, for which it should be mandatory. Enabling it ensures that nobody can establish an incoming connection to your computer. When traveling I often connect my laptop directly to the Internet without the protection of a corporate firewall. In such a situation I want to be sure that my computer blocks all incoming connections. Sure, the Windows Firewall has limited alerting capabilities and doesn't check outgoing traffic, but sometimes a simple solution that can accomplish a limited goal without confusing users is a good thing.
Things are different for computers connected to your corporate network. You may think the Windows Firewall provides no benefits if your network is already protected by a firewall, but think again. A firewall at the edge of your network protects against attacks from the Internet, but the Windows Firewall can also protect your servers and client computers against attacks from internal users or internal computers infected by malicious programs.
Before enabling the Windows Firewall on all computers, though, do some research. Do you have remote management tasks, such as centralized software, patch or anti-virus management? They can require remote access to computers, which means ensuring that the Windows Firewall is configured to allow such connections. Fortunately, you can configure many aspects of the Windows Firewall centrally via Group Policy, using separate policies based on whether a computer is connected to your corporate network or not. This means you can remotely manage a laptop while it's connected to your network, and enable it to block incoming connections on its own when it's used on the road.
Until you've investigated the right configuration for your network, consider disabling the Windows Firewall via Group Policy to ensure that your management programs continue to work. For laptop computers, disable the Windows Firewall only while connected to the corporate network, and enable it while connected to any other network.
Firewall Decision Points
In addition to Layer 7 filtering, you'll also want to consider these criteria in your firewall buying decision:
- Protocol support. Does it support the protocols you use in your network, and does it perform the filtering you need? How detailed is the inspection for the protocols it supports? For example, ISA 2004 supports most protocols typically used in a Microsoft networking environment. If you need application-layer protection for protocols more prevalent in a Unix environment, ISA Server may not be the right firewall for you.
- Ease of use. This isn't just an issue of convenience. If configuring the firewall is difficult, you're likely to create an insecure configuration, which can allow hackers to break through even the best firewalls on the market.
- Certifications. Many firewall vendors have chosen to obtain Common Criteria or ICSA Labs certification for their firewalls. These certifications assure that the firewall has passed rigorous independent testing.
- Features. Most firewalls can do more than filter network traffic. You can find firewalls that are also VPN servers, caching servers, anti-virus gateways or intrusion detection systems (IDSes). If you need any of these features, ensure that they're integrated well and that the integration provides value over standalone solutions.
- Price. In the firewall industry, more expensive doesn't necessarily equate to better performance. Prices for firewalls with similar features can vary by thousands of dollars. When comparing prices, make sure you account for the price of optional features, client licenses, maintenance fees and additional license costs due to future network growth (see "Firewall Pricing" for
- Reputation. Management sometimes mandates buying a firewall from one of the market leaders. You may find a better and cheaper solution for your network, but before making a purchasing decision, make sure management backs your decision.
- Performance. Firewall vendors try to dazzle you with numbers about how much network traffic their firewalls can handle. Often these numbers aren't important, because your Internet connection turns into a bottleneck before the firewall does. Instead, look for numbers that show typical application-layer filtering
- Support. The quality of customer support varies widely among firewall vendors. Consult with your colleagues and search the Internet to find out whether a firewall vendor can provide the quality of technical support
- Expertise. Review whether your staff can adequately support the firewall. If your company is Windows-focused, avoid a Unix-based firewall, and vice versa.
Firewall prices range from hundreds of dollars to hundreds of thousands of dollars. Assessing costs should always be the last step in deciding on a firewall product, because when you're comparing firewall prices, you're comparing apples with oranges—with a few lemons thrown in. For example, some firewalls are licensed based on seats, others on concurrent connections. Still others require a per-processor license. If client licenses are required, will your calculation be the same when your company grows?
Additional features are another issue: Do the built-in reporting capabilities of one firewall match those that have to be purchased separately with another product? Does installing software on a Linux platform instead of a Windows platform really save you money? Is centralized management something you really need?
Because one organization's firewall requirements aren't the same as those of another, I recommend evaluating pricing as the last item. First, make a list of all firewall products that meet your minimum requirements and try to assign a value to the additional features each has. If you start comparing prices at this point you'll get much more meaningful results.
Of all the criteria, application-layer protection is the most important feature of firewalls today. For most buyers it should be the first item evaluated.
Two of the most advanced application-layer firewalls today are Check Point's FireWall-1 and Microsoft's ISA Server. Take a good look at one or both of them (evaluation versions of both are available). Cisco's PIX firewall, the most popular hardware firewall, is very good at packet filtering. But if you add application-layer filtering capabilities via add-ons, you may see performance degradation. WatchGuard Technologies has recently added new features to its line of firewalls, and provides some of the best application-layer protection among hardware firewalls.