Robert Thompson
Abstract
The purpose of this document is to inform the reader of plausible and preferred network
defense through the use of firewalls. There are several different types of firewalls, each with
its own specific uses, pros and cons, and applicability. This document will explain in detail how
four different types of firewalls perform and behave and where they should be implemented based
on needs and necessities; my suggestions will be subject to the context of each individual
situation. Also contained in this document is a guideline to building firewall policies based on
the organization's necessities; these include, but are not limited to: the type of firewalls being
used, the types of applications the organization uses in conjunction with how they communicate
with the network (source and destination), and firewall rulesets. A timeline of policy
implementation and a suggested budget (based on current equipment pricing) are also proposed.
SP 800-41 & REVISION 1 (2009) IMPLEMENTATION PLAN 3
Contents
Benefits (p. 10)
Conclusion (p. 10)
References (p. 12)
Introduction to Firewalls
Firewalls are logical network systems that can operate at various levels of the OSI model;
their overall goal is to control the flow of network traffic based on authentication,
connection types, traffic types, and applications. The method by which a firewall accomplishes
its tasks depends on the type of firewall it is. The four main types of firewalls discussed here
are Packet Filtering, Stateful Inspection, Application Proxy Gateway, and Application firewalls.
Firewalls also offer other services for networks such as DHCP, NAT, and VPN gateways.
Packet Filtering firewalls operate at Layer Two (Data Link) and Layer Three (Network)
of the OSI model. A Packet Filtering firewall is the most basic type of firewall; by filtering
packets, as the name suggests, it is able to control what is allowed through the firewall based on
the addresses in the packet headers. The flow of traffic can be administered via what's
known as a ruleset to accept or deny that traffic. This method is effective and quick, but does
have its weaknesses. Packet Filtering rulesets are built around the address that the traffic is
directed to and/or from, and the ports the traffic is communicating to and/or from (Technology,
NIST Firewall Guide and Policy Recommendations, 2002). One of the primary weaknesses of
this type of firewall is the ability for hosts to spoof their addresses (MAC or IP) in order to get
Stateful Inspection firewalls are similar to Packet Filtering firewalls in that they filter
traffic by the same method, but Stateful Inspection also operates at Layer Four (Transport) of the
OSI model; by monitoring the active connections from source to destination, Stateful Inspection
firewalls can keep track of the packets that traverse them. For example: according to
convention, a remote host will typically attempt to connect from a source port above 1023 to the
protected host (the host that the firewall is protecting) on a port lower than 1023. If a remote
host attempts to connect to the protected host on a port higher than 1023, the traffic is denied.
Stateful Inspection firewalls are administered with state tables, which can be modified to allow
or deny traffic as necessary by the administrator (Technology, NIST Firewall Guide and Policy
Recommendations, 2002). This type of firewall shares the same
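As an added illustration of the two mechanisms just described (example code written for this
discussion, not part of the paper or of NIST SP 800-41), the following Python simulates a
first-match packet-filtering ruleset and then wraps the same ruleset in a state table. The
addresses, the ports, and the "remote source port above 1023 to a service port below 1024"
convention are constructed to match the example in the text; the Packet, Rule and
StatefulFirewall names are this example's own.

```python
# Added example: toy packet-filtering ruleset plus a stateful-inspection state
# table. Not from the paper or NIST SP 800-41; addresses and ports are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag: True on a new connection attempt


@dataclass(frozen=True)
class Rule:
    action: str                    # "accept" or "deny"
    proto: str = "any"
    src: str = "any"               # exact address or "any"
    dst: str = "any"
    sport: range = range(0, 65536)
    dport: range = range(0, 65536)

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and p.sport in self.sport
                and p.dport in self.dport)


def stateless_filter(rules, p: Packet, default: str = "deny") -> str:
    """Packet filtering: first matching rule wins; no match -> default deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


class StatefulFirewall:
    """Stateful inspection: the same ruleset, plus a table of connections already
    admitted so that their reply traffic needs no rule of its own."""

    def __init__(self, rules):
        self.rules = rules
        self.state = set()   # 5-tuples (proto, src, sport, dst, dport)

    def handle(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.state or reverse in self.state:
            return "accept"      # belongs to a connection we already admitted
        if p.proto == "tcp" and not p.syn:
            return "deny"        # TCP without SYN and without state is not a real opening
        verdict = stateless_filter(self.rules, p)
        if verdict == "accept":
            self.state.add(key)  # remember the connection so its replies pass
        return verdict


PROTECTED = "192.0.2.10"   # constructed address of the protected host
REMOTE = "203.0.113.5"     # constructed remote client
# Convention from the text: remote source port above 1023 -> service port below 1024.
RULES = [
    Rule("accept", proto="tcp", dst=PROTECTED,
         sport=range(1024, 65536), dport=range(0, 1024)),
    Rule("deny"),   # explicit catch-all
]


def demo() -> dict:
    """Run the scenarios from the text through both engines and collect verdicts."""
    fw = StatefulFirewall(RULES)
    results = {}
    # remote host opens a connection to the protected host's SSH port
    results["syn_to_ssh"] = fw.handle(Packet("tcp", REMOTE, 40000, PROTECTED, 22, syn=True))
    # the reply: no rule matches it (dst is the remote host); only the state table does
    reply = Packet("tcp", PROTECTED, 22, REMOTE, 40000)
    results["reply_stateful"] = fw.handle(reply)
    results["reply_stateless"] = stateless_filter(RULES, reply)
    # connection attempt to a port above 1023 on the protected host: denied
    results["syn_to_high_port"] = fw.handle(Packet("tcp", REMOTE, 40001, PROTECTED, 8080, syn=True))
    # a stray TCP segment with no SYN and no prior connection
    stray = Packet("tcp", REMOTE, 40002, PROTECTED, 22)
    results["stray_stateful"] = fw.handle(stray)
    results["stray_stateless"] = stateless_filter(RULES, stray)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} {verdict}")
```

Two results are worth noticing. The reply from the protected host is accepted only by the
stateful engine, because the stateless ruleset has no rule for traffic whose destination is the
remote host; a pure packet filter would need an extra, broader accept rule for replies. And the
stray segment is accepted by the stateless filter but dropped by the stateful one, which is the
kind of gap the text has in mind when it says packet filtering has its weaknesses.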
Application Proxy firewalls operate similarly to the previously mentioned firewalls, but
also have the option of an added functionality: authentication. Authentication can manifest in
different forms depending on the application and the firewall configuration, from biometric
authentication to source address authentication (Technology, NIST Firewall Guide and Policy
Recommendations, 2002). Application Proxy Gateways also handle the communication between
the two sources differently than the other firewall types. Instead of the two hosts communicating
with each other, the proxy forms two connections: one between itself and the source, and another
between itself and the destination. All traffic is filtered through the proxy and accepted or
denied as per the ruleset defined for the firewall (Technology, NIST SP 800-41, Revision 1,
Guidelines on Firewalls and Firewall Policy, 2009). Unlike the previous firewalls, this firewall
type is not prone to address spoofing because it does not allow connections between the hosts
directly; the hosts must authenticate with the proxy in order to communicate with their
destinations. Application Proxy firewalls perform what's called full packet awareness, which
inspects the packets for known malicious signs or code (Cobb, 2010). In this respect it is more
secure than the previous types of firewalls; however, it takes time to inspect packets in such a
way, effectively making this type of firewall inefficient for high-bandwidth networks.
Application Firewalls are specifically designed to inspect packet data directed towards
inspect packets for malicious code, malformed commands (such as min-max character arguments
for logins), or executable binary data in emails, just to name a few examples. These firewalls
function similarly to Stateful Inspection firewalls, but focus only on application behavior
(Technology, NIST SP 800-41, Revision 1, Guidelines on Firewalls and Firewall Policy, 2009).
Firewalls are a fundamental part of any modern network infrastructure. All firewalls filter
traffic based on rulesets, meaning they provide access control for the hosts behind the firewall,
ensuring that only traffic deemed acceptable, safe, or authorized can communicate with those
hosts. This prevents otherwise malicious or unwanted traffic from communicating with the hosts,
acting as a foundational layer of security for the infrastructure. Not only can they protect
networks from external access, but they can protect assets from possible internal threats as well.
Segmenting portions of the internal network, keeping resources isolated from one another,
decreases the plausibility of internal threats. Suppose an unauthorized individual manages to get
past the initial (edge) firewall? Without additional access control, the rest of the network is
completely exposed to the intruder, who is able to access anything. Employees are not something
to disregard either; should a disgruntled employee have unregulated access to all resources or
other sensitive information that doesn't actually pertain to their position, the amount of damage
that could be caused is immeasurable.
Different firewalls have different purposes; as explained in the previous section, not all
firewalls are equal. It is important to use the right firewall for the right purpose. The two most
common methods of implementing firewalls are applying the firewall on top of an operating
system, or using an appliance. Both have advantages and disadvantages. Applying a firewall on top
of an OS allows for expandability and scalability of the resources needed for the firewall to
handle the load (or amount of traffic) the network needs to handle; however, firewalls applied in
this manner are subject to the vulnerabilities inherent to the operating system they are
implemented on. Appliance-based firewalls (network appliances such as routers) are not prone to
such vulnerabilities; in general terms, this means that they only run the firmware necessary for
the firewall software to function (stripped down to only the necessary systems). Because of this,
though, they are not as scalable as the prior (Technology, NIST Firewall Guide and Policy
Recommendations, 2002).
Following industry standard methodologies, a risk assessment must be performed on the assets
and applications of the organization in order to appropriately deploy the right firewall in the
right place and create rulesets for the firewalls to follow; both of these aspects are what will
inevitably form the firewall policy. There are five key steps of interest to pay attention to when
creating this
Documenting what should and should not be on the machines/hosts that you are protecting will
allow quick reference while troubleshooting, as well as help control what occurs on your
vulnerabilities will assist in mitigating plausible security risks associated with those
applications. The security of your network is only as strong as the weakest link; (3) Cost-benefit
(or risk-reward) analysis of the measures taken to protect those applications. This matrix will
define what does and does not need protection; spending too much on protecting something that
would cause no harm to the organization is a waste of resources. In contrast, spending too little
or short-cutting security measures creates vulnerabilities in your organization; (4) Creating a
traffic matrix, identifying the types of traffic that need to be authorized to traverse the
network for the organization to function. This includes the protocols, ports, and methods of data
transfer (inbound and outbound) associated with each application; (5) Finally, defining the
rulesets for the firewalls to abide by. Rulesets are the bread and butter of firewalls, and what
makes them so flexible with control. Rulesets map out the type of traffic allowed (via protocol),
the ports those protocols are permitted to communicate over, the source addresses allowed to
communicate over those ports and protocols, and the destination addresses permitted to be
communicated with over those ports and protocols (Technology, NIST Firewall Guide and Policy
Recommendations, 2002).
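Steps (4) and (5) above are the ones that turn into configuration. The following Python is an
added example written for this document (not the paper's or NIST's code): it takes a documented
traffic matrix, one entry per application with protocol, port, direction and permitted peer, and
renders it as a default-deny ruleset. The traffic matrix is constructed for a hypothetical web
server, the addresses are documentation ranges, and nftables syntax is used for the output only
to make the result concrete; the Flow, validate and to_nftables names are this example's own.

```python
# Added example: generating a default-deny ruleset (step 5) from a documented
# traffic matrix (step 4). Not from the paper or NIST SP 800-41; the matrix
# entries are constructed for a hypothetical web server.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    app: str
    proto: str        # "tcp" or "udp"
    port: int         # service port: on this host (inbound) or on the peer (outbound)
    direction: str    # "inbound" (to the protected host) or "outbound" (from it)
    peer: str         # "any", an address, or a CIDR: the permitted source/destination


# Constructed traffic matrix for a hypothetical web server.
TRAFFIC_MATRIX = [
    Flow("https",   "tcp", 443, "inbound",  "any"),
    Flow("ssh",     "tcp", 22,  "inbound",  "198.51.100.0/24"),  # admin network only
    Flow("dns",     "udp", 53,  "outbound", "192.0.2.53"),       # the organisation's resolver
    Flow("ntp",     "udp", 123, "outbound", "any"),
    Flow("updates", "tcp", 443, "outbound", "any"),
]


def validate(matrix) -> list:
    """Return a list of problems; an empty list means the matrix can be rendered."""
    problems = []
    for f in matrix:
        if f.proto not in ("tcp", "udp"):
            problems.append(f"{f.app}: unsupported protocol {f.proto!r}")
        if not 0 < f.port < 65536:
            problems.append(f"{f.app}: port {f.port} out of range")
        if f.direction not in ("inbound", "outbound"):
            problems.append(f"{f.app}: direction must be inbound or outbound")
    return problems


def _rule(f: Flow) -> str:
    """One explicit accept for a documented flow: peer, protocol, port, new state."""
    addr = ""
    if f.peer != "any":
        key = "saddr" if f.direction == "inbound" else "daddr"
        addr = f"ip {key} {f.peer} "
    return f'    {addr}{f.proto} dport {f.port} ct state new accept comment "{f.app}"'


def to_nftables(matrix) -> str:
    """Render the matrix as an nftables table: default drop in both directions,
    established traffic allowed, then one explicit accept per documented flow."""
    problems = validate(matrix)
    if problems:
        raise ValueError("; ".join(problems))
    out = ["table inet filter {",
           "  chain input {",
           "    type filter hook input priority 0; policy drop;",
           "    iif lo accept",
           "    ct state established,related accept",
           "    ct state invalid drop"]
    out += [_rule(f) for f in matrix if f.direction == "inbound"]
    out += ["  }",
            "  chain output {",
            "    type filter hook output priority 0; policy drop;",
            "    oif lo accept",
            "    ct state established,related accept"]
    out += [_rule(f) for f in matrix if f.direction == "outbound"]
    out += ["  }", "}"]
    return "\n".join(out)


if __name__ == "__main__":
    print(to_nftables(TRAFFIC_MATRIX))
```

The point of generating the ruleset from the matrix rather than writing it by hand is that the
matrix is the document the risk assessment produced, so every accept line traces back to a named
application and an owner; anything not in the matrix falls through to the drop policy, and the
validation step refuses entries the policy could not express.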
Depending on the size and purpose of the organization, equipment and hardware/software
will vary. Enterprise firewall appliances can vary in price as well, depending on the features
required by the organization. Basic enterprise firewall solutions can cost anywhere from
~$400.00 for small devices with VPN support (getITnew, n.d.) all the way to ~$10,000.00+ for
devices with features such as Denial of Service protection, spoofing protection, malformed
packet protection, and an abundance of additional features (getITnew, n.d.); completion of the
risk assessment will determine what type of firewall solution is necessary for the organization,
as well as what types of features the organization is interested in. Time/labor costs for the
technicians performing the risk assessment of the network should also be considered while
The longest process in implementing a firewall solution is the initial risk assessment;
shortcuts should not be taken during this process, in order to accurately gather as much data as
you can on your own network and understand what is at risk. This process will also help you
define what types of protection you will require. Risk assessment functions as a never-ending
cycle, so the timeline is not exact. The first step in a typical risk assessment is the Review.
The goal of this portion is to fully evaluate the systems and services your network is utilizing
and to determine which are crucial to the functionality of the organization's purpose; redundant
services should be terminated. The second step is Examination. During this phase, each service
and system should be fully evaluated for inherent vulnerabilities; in the context of firewalls,
you are specifically looking at the ports and protocols that these services function over. The
final stage is Testing. This phase is conducted after the implementation of the firewalls and
their rulesets. The first two phases of the risk assessment will provide the data necessary to
create the rulesets that will govern the firewalls. Risk assessment is a repeating process,
therefore it is never truly
Evaluation System
During the initial evaluation of your network, you should test what you can and cannot
access without the firewall. Document exactly what you can communicate with: ports,
services, hosts, protocols, etc. This data will be used to perform your risk assessment. After the
risk assessment has been conducted, follow up by installing and configuring the proper firewalls
and perform the same assessment again, documenting the results. Keep records of your
documentation for later reference and troubleshooting. Consider this documentation during
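The before-and-after records this section asks for are only useful if they are compared. The
following Python is an added example for this document (not the paper's own material): it parses
two sets of reachability records written in a simple "host port/proto service" form, reports what
the firewall closed, and flags anything still reachable that the risk assessment did not
authorize, as well as anything authorized that the new ruleset broke. The records, the host
address and the authorized set are constructed sample data, not real results; the parse_records
and compare_exposure names are this example's own.

```python
# Added example: comparing the reachability documented before and after the
# firewall, and flagging what is still exposed but not authorised. Not from the
# paper; the records below are constructed sample data, not real results.
import re

# One record per line, "host port/proto service", as written down during the
# pre- and post-firewall evaluation. Constructed sample data.
BEFORE_FIREWALL = """\
192.0.2.10 22/tcp ssh
192.0.2.10 80/tcp http
192.0.2.10 443/tcp https
192.0.2.10 3306/tcp mysql
192.0.2.10 161/udp snmp
"""
AFTER_FIREWALL = """\
192.0.2.10 22/tcp ssh
192.0.2.10 443/tcp https
192.0.2.10 161/udp snmp
"""
# What the risk assessment authorised to remain reachable: (host, port, proto).
AUTHORIZED = {("192.0.2.10", 22, "tcp"), ("192.0.2.10", 443, "tcp")}

RECORD = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)\s+(\S+)$")


def parse_records(doc: str) -> dict:
    """Map (host, port, proto) -> service name; blank or malformed lines are skipped."""
    found = {}
    for line in doc.splitlines():
        m = RECORD.match(line.strip())
        if m:
            host, port, proto, service = m.groups()
            found[(host, int(port), proto)] = service
    return found


def compare_exposure(before: str, after: str, authorized: set) -> dict:
    """Summarise what the firewall changed and what still needs attention."""
    b, a = set(parse_records(before)), set(parse_records(after))
    return {
        "closed_by_firewall": sorted(b - a),
        "still_exposed": sorted(a),
        "unauthorized_exposure": sorted(a - authorized),   # ruleset gaps to fix
        "newly_exposed": sorted(a - b),                    # should always be empty
        "authorized_but_blocked": sorted(authorized - a),  # ruleset broke a needed service
    }


if __name__ == "__main__":
    for key, value in compare_exposure(BEFORE_FIREWALL, AFTER_FIREWALL, AUTHORIZED).items():
        print(f"{key:24s} {value}")
```

On the constructed records the firewall closed http and mysql, ssh and https remain as
authorized, and snmp over UDP is still reachable without being in the authorized set, which is
exactly the kind of finding that feeds back into the next round of the risk assessment.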
Benefits
Protecting assets is key in modern business continuity models. Proprietary information,
customer information, and Personally Identifiable Information are just a few examples of what is
at risk without basic security on your network. Firewalls are one of the first lines of defense
when it comes to protecting private networks; without them, your network is completely exposed
to public view and unauthorized traffic. Firewalls also provide a means to monitor what is
happening on your network through the use of logs, effectively providing a way
Conclusion
A lot goes into the proper application of firewall technology. Understand that firewalls
are just a single piece of the puzzle when it comes to securing a network; networks are systems in
and of themselves, all the dimensions working together like a machine to serve us. Technology
changes rapidly over time, and where new vulnerabilities arise, they can affect the entire system
through a snowball effect. This is why constant risk assessment and documentation are necessary;
knowing where and when changes were made to the system will give direction for further changes
and modifications to the systems when necessary. Firewall ruleset assessment is part of security
audits, therefore updates can be made as needed over the life of the organization.
References
https://www.sans.org/reading-room/whitepapers/auditing/scoping-security-assessments-project-management-approach-33673
Cobb, M. (2010, March). The Benefits of Application Proxy Firewalls. Retrieved from SearchSecurity: http://searchsecurity.techtarget.com/answer/The-benefits-of-application-proxy-firewalls
getITnew. (n.d.). ASA5505-SEC-BUN-K9 Cisco ASA 5505 Security Appliance. Retrieved from getITnew.com: http://getitnew.com/asa5505-sec-bun-k9ciscoasa5505bundle.aspx?gclid=CJTIvNW-yc4CFQKTfgodQy4Gig
getITnew.com: http://getitnew.com/srx3600base-dcjunipersrxservicesgateway.aspx?gclid=CPiF4KO_yc4CFVOUfgodZKUN6g
guide_on_firewall_and_firewall_pol_800_41.pdf
Rev1/sp800-41-rev1.pdf