IT Baseline Protection Manual S 2.73 Selecting a suitable firewall
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: IT Security Management, Administrators
Once a security policy has been defined for the firewall, it must be decided which components are to be used to implement it, i.e. a suitable configuration must be selected.
The following are possible configurations:
Exclusive use of a packet filter
This configuration consists exclusively of a packet filter, which examines the information of the lower protocol layers and either accepts or denies packets according to defined filter rules.
Dual-homed Gateway
This configuration consists of an application gateway which is equipped with two network interfaces and which serves as the sole connection point between two networks. Application gateways filter information on layer 7 of the OSI reference model. The dual-homed gateway must be configured in such a way that no packets can pass it unfiltered; in particular, IP forwarding must be switched off.
Screened Sub-net
A screened sub-net is a sub-network between a network requiring protection and an external network, with firewall components checking connections and packets.
A screened sub-net consists of an application gateway and one or two packet filters. The packet filters are located in front of and/or behind the gateway, and together they form a sub-network. A screened sub-net can, for example, contain a dual-homed gateway. The filter rules are constructed in such a way that every connection from inside or outside has to pass through the gateway.
The following combinations are possible:
The following is a list of the advantages and disadvantages of the various configurations.
Exclusive use of a Packet Filter
Advantages:
easy to implement, as the functionality is provided by many routers
easy to extend for new services
Disadvantages:
IP spoofing might be possible
every permitted service must be secure on every computer that can be reached
complex filter rules
no means of testing; in particular, it cannot be determined whether the order of the filter rules has been changed, which some routers do in order to increase data throughput
no adequate logging possible
This configuration is only suitable for small networks in which all computers are protected against attacks.
Dual-homed Gateway
Advantages:
extensive logging possible
internal network structure is concealed
Disadvantages:
relatively high price (as a powerful computer with two network interfaces is required)
problems with new services
compromise of the application gateway by an attacker results in a total loss of security
Additional protection can be obtained by placing a packet filter in front of the gateway, e.g. using an existing router. In this case, both the router and the gateway must be penetrated in order to gain access to the network.
Screened Sub-net
Advantages:
no direct access to the gateway possible (with configuration 1 and 2)
internal network structure is concealed
simplified rules for the packet filters
additional security provided by a second packet filter (configurations 1 and 2)
availability increases if several gateways are used
extensive logging possible
Disadvantages:
high price (as a powerful computer with one or two network interfaces and at least one packet filter are required)
in a screened sub-net whose application gateway has only one interface (see configurations 2, 4 and 6), manipulation of the packet filters makes a direct connection that bypasses the gateway possible. This can also be a desired function (e.g. for new services)
On the basis of the advantages and disadvantages listed above, only a screened sub-net with a dual-homed gateway (configuration 1) is recommended. In this case, the gateway sits between the network requiring protection and the external network and must be passed through in every case.
So-called proxy processes run on the application gateway. These establish the connection to the target computer after the user has been authenticated and filter the data on the basis of application-layer information. Connections for which no proxy process exists are not possible.
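The filter-rule principle of configuration 1 (every connection must pass the dual-homed gateway, only proxied services may reach it, internal source addresses are rejected at the outer filter) as an added illustration that is not part of the original safeguard. It models both packet filters as first-match rule lists in Python with constructed RFC 5737 addresses and also shows the rule-order effect listed among the packet-filter disadvantages.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses (RFC 5737 documentation ranges), not from the original safeguard.
INTERNAL_NET = ip_network("192.0.2.0/24")     # network requiring protection
SCREENED_NET = ip_network("203.0.113.0/29")   # both legs of the screened sub-net
GW_OUTER = ip_network("203.0.113.2/32")       # gateway interface facing the outer packet filter
GW_INNER = ip_network("203.0.113.6/32")       # gateway interface facing the inner packet filter
ANY = ip_network("0.0.0.0/0")

# Rules are (action, source net, destination net, destination port or None).
# Outer packet filter, between the external network and the screened sub-net.
OUTER_RULES = [
    ("deny",   INTERNAL_NET, ANY, None),   # anti-spoofing: internal addresses never appear here
    ("permit", ANY, GW_OUTER, 25),         # only proxied services, and only to the gateway
    ("permit", ANY, GW_OUTER, 80),
    ("permit", GW_OUTER, ANY, None),       # the proxies open the outbound leg of a connection
    ("deny",   ANY, ANY, None),
]
# Inner packet filter, between the screened sub-net and the internal network.
INNER_RULES = [
    ("permit", INTERNAL_NET, GW_INNER, None),   # internal hosts may only talk to the gateway
    ("permit", GW_INNER, INTERNAL_NET, None),
    ("deny",   ANY, ANY, None),
]

def evaluate(rules, src, dst, dport=None):
    """First-match semantics: the first rule whose fields all match decides."""
    s, d = ip_address(src), ip_address(dst)
    for action, r_src, r_dst, r_port in rules:
        if s in r_src and d in r_dst and r_port in (None, dport):
            return action
    return "deny"  # default deny if no rule matches

def zone(addr):
    if addr in INTERNAL_NET: return "internal"
    return "screened" if addr in SCREENED_NET else "external"

def verdict(src, dst, dport=None):
    """Configuration 1: a packet must be permitted by every packet filter it crosses."""
    zones = {zone(ip_address(src)), zone(ip_address(dst))}
    checks = []
    if "internal" in zones and len(zones) > 1: checks.append(INNER_RULES)
    if "external" in zones and len(zones) > 1: checks.append(OUTER_RULES)
    return "permit" if all(evaluate(r, src, dst, dport) == "permit" for r in checks) else "deny"

def swap(rules, i, j):
    """Reorder two rules, as some routers do for throughput; the verdict can change."""
    out = list(rules); out[i], out[j] = out[j], out[i]
    return out
```

A direct internal-to-external packet is dropped by the inner filter, while swapping the first two outer rules lets a packet with a spoofed internal source reach the gateway's mail port.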
The more flexible but less secure option consisting of an application gateway with just one interface (configuration 2) should only be used if the greater flexibility is absolutely necessary.
The computers involved must be set up in such a way that only the essential programs run on them (minimal system), that these programs are correctly configured, and that all known weaknesses have been eliminated.