Firewalls provide protection against unwanted traffic from outside and inside your network. Three approaches taken by firewall vendors to provide this protection are static packet filtering, stateful packet inspection, and deep packet inspection. Firewalls are categorized based on their ability to perform one or more of these functions.
Static packet filtering
A device that provides static packet filtering services is considered a first generation firewall. Figure 2 provides an example of how this process works.
In Panel A, a remote workstation is attempting to access Port 25 on the Web server, IP address 164.250.250.21. Port 25 is the default port for SMTP, a messaging protocol. The external firewall is configured to allow traffic for the Web server only if it is destined for Port 80. Port 80 is the default Web services port. When the workstation's packet reaches the firewall, the destination address and port are checked and compared to the list of allowed address/port combinations. Since it doesn't match, the packet is dropped (discarded); no communication takes place.
Panel B depicts a successful packet transmission. Unlike the packet in Panel A, the destination address and port match an address/port pair allowed to pass. The firewall sends the packet on to the network segment on which the Web server is located.
As with stateful packet filtering and deep packet inspection, this process can be placed either at the perimeter of your network or at the entry point to a network segment containing sensitive data.
Stateful packet inspection (dynamic packet filtering)
Stateful packet inspection firewalls work in much the same way as static packet filtering devices. The primary difference lies in the stateful inspection device's ability to determine whether packets are part of established sessions between devices on either side of the firewall.
A stateful firewall device builds a state table to track each session initiated by a system on the internal network. Any traffic attempting to pass through the firewall into the protected network or segment is checked to see if it's associated with a session in the state table. If it isn't, the packet isn't allowed to pass. Another feature is the ability of a stateful firewall to dynamically open and close ports as they're needed by authorized sessions. Let's look at Figure 3 as we step through an example of how dynamic packet filtering works.
Two devices on the internal network have initiated sessions with devices on the Internet. These sessions are listed in the state table. 168.234.235.34 is connected to an SMTP service and 168.234.235.34 is connected to a Web server. This is a scaled-down version of a state table, but it's enough to represent stateful operation.
A device on the Internet attempts to send a packet to 168.234.235.34 with the intent of connecting to Microsoft SQL Server Port 1434. Although an address/port rule may not exist to block this packet, the fact that no system on the internal network is engaged in a Port 1434 session with an external device is enough to cause the firewall to drop the packet.
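The static allow-list check from Panels A and B and the state-table check just described, as an added simulation that is not part of the original article. The external addresses, source ports and the reply/close packets are constructed sample data; the state table is deliberately the scaled-down version the article uses.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

# Static filter: allow-list of (destination address, destination port) pairs.
# As in Panels A/B, only Port 80 on the Web server 164.250.250.21 is allowed in.
STATIC_ALLOW = {("164.250.250.21", 80)}

def static_filter(pkt: Packet, allow=STATIC_ALLOW) -> bool:
    """First-generation check: pass only if dst address/port is on the allow-list."""
    return (pkt.dst_ip, pkt.dst_port) in allow

# Stateful inspection: the state table records sessions initiated from inside.
# Each entry is (internal_ip, internal_port, external_ip, external_port).
class StatefulFirewall:
    def __init__(self):
        self.state_table = set()

    def outbound(self, pkt: Packet) -> None:
        """Internal host opens a session: record it so replies can come back."""
        self.state_table.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))

    def inbound(self, pkt: Packet) -> bool:
        """Inbound packet passes only if it matches an established session."""
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.state_table

    def close(self, pkt: Packet) -> None:
        """Session ends: drop the entry so the port is dynamically closed again."""
        self.state_table.discard((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))

def demo():
    fw = StatefulFirewall()
    # Constructed sessions mirroring the article's table: 168.234.235.34 talks to
    # an external SMTP server (Port 25) and an external Web server (Port 80).
    fw.outbound(Packet("168.234.235.34", 50001, "203.0.113.10", 25))
    fw.outbound(Packet("168.234.235.34", 50002, "203.0.113.20", 80))
    results = {
        "static_port25": static_filter(Packet("198.51.100.5", 40000, "164.250.250.21", 25)),
        "static_port80": static_filter(Packet("198.51.100.5", 40000, "164.250.250.21", 80)),
        "smtp_reply": fw.inbound(Packet("203.0.113.10", 25, "168.234.235.34", 50001)),
        "sql_probe": fw.inbound(Packet("198.51.100.9", 44444, "168.234.235.34", 1434)),
    }
    fw.close(Packet("168.234.235.34", 50001, "203.0.113.10", 25))
    results["smtp_after_close"] = fw.inbound(Packet("203.0.113.10", 25, "168.234.235.34", 50001))
    return results
```

The Port 1434 probe is dropped even though no address/port rule names it, purely because no internal host has a matching session in the table; once the SMTP session is closed, the reply that was allowed a moment earlier is dropped too.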
Deep packet inspection
Firewalls capable of deep packet inspection are the most sophisticated of the three types represented in this article. They are actually a combination of intrusion detection/prevention and stateful packet inspection services. A deep packet inspection firewall looks at the payload or data section of a packet. It makes decisions about whether to pass the packet based on the contents of a state table or the contents of the payload.
The payload contents are inspected through signature matching, protocol anomaly checking, or with the use of heuristics. Signature matching is the process of comparing known malware or other attack patterns to the data contained in the payload. If there is a match, the packet is dropped. Anomaly checking is the process of comparing the packet format to what is expected based on the packet type and the protocol specified in the packet header. Heuristic algorithms are another way of determining if a payload contains unwanted data. But instead of trying to make a perfect match to a known attack signature, heuristic algorithms make an "educated guess" about the probability of the presence of hostile code.
Finally, behavior-watching algorithms, concerned with the behavior of communication traffic rather than payload signatures, can also be employed by deep inspection firewalls. For example, they watch for PING sweeps, repeated attempts to connect to a port on the internal network, and other unusual network behavior to determine if an attack is underway.
Regardless of the approach your firewall may use, when a possible attack is identified, the device can notify appropriate personnel, block the suspect traffic, or simply log the event. The choice as to how to handle an event is made by you or a member of your staff.