
SP 800-41 & REVISION 1 (2009) IMPLEMENTATION PLAN 1

Robert Thompson

SP 800-41 & Revision 1 (2009) Implementation Plan

University of Advancing Technology



Abstract

The purpose of this document is to inform the reader of plausible and preferred network defense through the use of firewalls. There are several different types of firewalls, each with its own specific uses, pros and cons, and applicability. This document explains in detail how four different types of firewalls perform and behave and where they should be implemented based on needs; the suggestions given are subject to the context of each individual situation. Also contained in this document is a guideline for building firewall policies based on the organization's needs; these include but are not limited to: the types of firewalls being used, the types of applications the organization uses together with how they communicate over the network (source and destination), and the firewall rulesets that will apply to those applications. Finally, a suggested standard quality level of equipment, a relative timeline for policy implementation, and a suggested budget (based on current equipment pricing) are proposed.

Contents

Introduction to Firewalls
Importance to Modern Networks
Solution & Implementation Outline
Equipment & Budget
Tentative Implementation Timeline
Evaluation System
Benefits
Conclusion
References

Introduction to Firewalls

Firewalls are logical network systems that can operate at various levels of the OSI model; their overall goal is to control the flow of network traffic based on authentication, connection types, traffic types, and applications. The method by which a firewall accomplishes this depends on the type of firewall it is. The four main types of firewalls discussed here are Packet Filtering, Stateful Inspection, Application Proxy Gateway, and Application firewalls. Firewalls also offer other services for networks, such as DHCP, NAT, and VPN gateways.

Packet Filtering firewalls operate primarily at Layer Three (Network) of the OSI model, reading the IP header, and they also read the port numbers carried in the Layer Four (Transport) header. A Packet Filtering firewall is the most basic type of firewall; by filtering packets, as the name suggests, it controls what is allowed through the firewall based on the addresses and ports in the packet headers. The flow of traffic is administered via what is known as a ruleset, which accepts or denies that traffic. This method is effective and quick, but it does have weaknesses. Packet Filtering rulesets are built around the addresses the traffic is directed to and/or from and the ports the traffic is communicating to and/or from (NIST, 2002). Because each packet is judged in isolation, the firewall has no way of knowing whether a packet belongs to a legitimate connection. One of the primary weaknesses of this type of firewall is therefore the ability of hosts to spoof their source addresses in order to get around the rulesets; for the same reason, rulesets should explicitly reject packets that claim an internal source address but arrive on the external interface.

Stateful Inspection firewalls filter traffic in the same way as Packet Filter firewalls, but they also operate at Layer Four (Transport) of the OSI model: by tracking active connections from source to destination, a Stateful Inspection firewall keeps a record of the connections that traverse it. For example, by convention a client opens a connection from an ephemeral source port above 1023 to a well-known service port below 1024 on the server, and the server's replies travel back from that low port to the client's high port. A plain packet filter that must let those replies through has to permit all inbound traffic from the service port to any port above 1023, whether or not a client asked for it. A Stateful Inspection firewall instead records each outbound connection in a state table and admits an inbound packet only when it matches an entry in that table; an inbound packet to a high port with no corresponding entry is denied (NIST, 2002). The administrator writes the rules that say which connections may be opened; the state table itself is built and expired by the firewall as connections come and go. Because the first packet of a connection is still judged on its header alone, this type of firewall shares the address-spoofing weakness of the Packet Filtering type.
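To make the difference concrete, the following is an added Python illustration (not code from the paper or from SP 800-41) that runs the same constructed packets through a stateless filter and a stateful one. The 10.0.0.0/24 protected range, the outside addresses, the permitted outside services (80 and 443) and the port numbers are assumptions chosen for the example.

```python
"""Stateless packet filter versus stateful inspection on constructed traffic.

Added illustration for this section; it is not code from the paper or from
NIST SP 800-41. The 10.0.0.0/24 protected range, the outside addresses and
the port numbers are assumptions made for the example.
"""
from __future__ import annotations

from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."        # assumption: the protected hosts
EPHEMERAL_MIN = 1024               # client source ports are drawn from here upward
OUTBOUND_SERVICES = {80, 443}      # assumption: the only outside services clients may reach


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def stateless_filter(pkt: Packet) -> str:
    """A plain packet filter judges each packet by its header alone. To let
    server replies back in, it must permit every inbound packet that merely
    looks like one: low service source port, high destination port."""
    if is_internal(pkt.src_ip) and not is_internal(pkt.dst_ip):
        return "ALLOW" if pkt.dst_port in OUTBOUND_SERVICES else "DENY"
    if pkt.src_port in OUTBOUND_SERVICES and pkt.dst_port >= EPHEMERAL_MIN:
        return "ALLOW"
    return "DENY"


class StatefulFirewall:
    """The administrator writes the rule (which outbound services are allowed);
    the state table is built by the firewall as connections are observed."""

    def __init__(self) -> None:
        # entries are (client_ip, client_port, server_ip, server_port)
        self.state: set[tuple[str, int, str, int]] = set()

    def filter(self, pkt: Packet) -> str:
        if is_internal(pkt.src_ip) and not is_internal(pkt.dst_ip):
            # Outbound: allow new connections to permitted services and remember them.
            if pkt.dst_port in OUTBOUND_SERVICES:
                self.state.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
                return "ALLOW"
            return "DENY"
        # Inbound: only the reply half of a recorded connection may pass.
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "ALLOW" if reverse in self.state else "DENY"


def demo() -> dict[str, str]:
    """Run the same three constructed packets through both filters."""
    fw = StatefulFirewall()
    client_request = Packet("10.0.0.5", 40001, "198.51.100.7", 80)
    server_reply = Packet("198.51.100.7", 80, "10.0.0.5", 40001)
    # Nobody inside asked for this; the sender simply forged source port 80.
    unsolicited = Packet("203.0.113.9", 80, "10.0.0.5", 4444)
    return {
        "request": fw.filter(client_request),
        "reply_stateless": stateless_filter(server_reply),
        "reply_stateful": fw.filter(server_reply),
        "unsolicited_stateless": stateless_filter(unsolicited),
        "unsolicited_stateful": fw.filter(unsolicited),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24} {verdict}")
```

The unsolicited packet is what separates the two designs: the stateless filter has to admit it because it looks like a server reply, while the stateful firewall denies it because no internal host opened that connection.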

Application Proxy Gateway firewalls perform the filtering of the previously mentioned firewalls but also offer an added capability: authentication. Authentication can take different forms depending on the application and the firewall configuration, from biometric authentication to source address authentication (NIST, 2002). Application Proxy Gateways also handle the communication between the two parties differently than the other firewall types. Instead of the two hosts communicating with each other, the proxy forms two connections, one between itself and the source and another between itself and the destination. All traffic is relayed through the proxy and accepted or denied per the ruleset defined for the firewall (NIST, 2009). Unlike the previous firewalls, this type is far less exposed to address spoofing, because it never forwards packets directly between the hosts; a client must complete a connection (and, where configured, authenticate) with the proxy before anything is relayed to the destination. Application Proxy firewalls perform what is called full packet awareness, which inspects the packets for known malicious signs or code (Cobb, 2010). In this respect it is more secure than the previous types of firewalls; however, inspecting every packet this way takes time, which makes this type of firewall a poor fit for high-bandwidth networks (NIST, 2002).



Application Firewalls are specifically designed to inspect packet data directed at individual protocols and applications. Similar to Application Proxy firewalls, they inspect packets for malicious code, malformed commands (such as login arguments that fall outside the expected minimum and maximum lengths), or executable binary data in e-mail, to name a few examples. These firewalls function similarly to Stateful Inspection firewalls, but they focus on application behavior (NIST, 2009).

Importance to Modern Networks

Firewalls are a fundamental part of any modern network infrastructure. All firewalls filter traffic based on rulesets, meaning they provide access control for hosts behind the firewall, ensuring that only traffic deemed acceptable, safe, and authorized can communicate with those hosts. This keeps malicious or unwanted traffic away from the hosts and acts as a foundational layer of security for the infrastructure. Not only can firewalls protect networks from external access, but they can also protect assets from internal threats. Segmenting portions of the internal network, keeping resources isolated from one another, reduces the impact of internal threats. Suppose an unauthorized individual manages to get past the initial (edge) firewall: without additional access control, the rest of the network is completely exposed to the intruder, who can reach anything. Employees are not to be disregarded either; should a disgruntled employee have unregulated access to resources or sensitive information that does not pertain to their position, the amount of damage that could be caused is immeasurable.

Different firewalls have different purposes; as explained in the previous section, not all firewalls are equal, and it is important to use the right firewall for the right purpose. The two most common ways of deploying firewalls are as software installed on top of a general-purpose operating system or as dedicated appliances. Both have advantages and disadvantages. Firewalls running on a general-purpose OS allow the resources available to the firewall to be expanded and scaled to the load (amount of traffic) the network must handle; however, firewalls deployed this way are subject to the vulnerabilities of the operating system they run on. Appliance-based firewalls (purpose-built network appliances, or routers with firewall functions) are less exposed to such vulnerabilities: they run a hardened, stripped-down operating system and firmware containing only what the firewall software needs, and some use Application-Specific Integrated Circuits (ASICs) to process traffic in hardware. They are not immune to vulnerabilities, so their firmware must still be patched, and they are not as scalable as the software approach (NIST, 2002).

Solution & Implementation Outline

Following industry-standard methodologies, a risk assessment must be performed on the assets and applications of the organization in order to deploy the right firewall in the right place and to create the rulesets the firewalls will follow; together these form the firewall policy. There are five key steps to pay attention to when creating this policy. (1) Identify the applications the organization needs to maintain continuity: documenting what should and should not be on the machines/hosts you are protecting allows quick reference while troubleshooting and helps control what occurs on your network. (2) Identify the vulnerabilities inherent to those applications: documenting them will assist in mitigating the security risks associated with those applications, since the security of your network is only as strong as its weakest link. (3) Perform a cost-benefit (or risk-reward) analysis of the measures taken to protect those applications: this matrix defines what does and does not need protection; spending too much on protecting something whose loss would cause no harm to the organization is a waste of resources, while spending too little or short-cutting security measures creates vulnerabilities. (4) Create a traffic matrix: identify the types of traffic that must be authorized to traverse the network for the organization to function, including the protocols, ports, and methods of data transfer (inbound and outbound) associated with each application. (5) Finally, define the rulesets for the firewalls to abide by. Rulesets are the bread and butter of firewalls and what makes them so flexible. A ruleset maps out the type of traffic allowed (by protocol), the ports those protocols are permitted to use, the source addresses allowed to communicate over those ports and protocols, and the destination addresses permitted to be reached over them (NIST, 2002). Rules are evaluated in order, so the ruleset should end with a rule that denies everything not explicitly permitted.
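As an added example of steps (4) and (5) together (not code from the paper or from NIST), the Python below takes a small constructed traffic matrix, emits an ordered ruleset that starts with an anti-spoofing rule and ends with a default deny, and evaluates packets against it with first-match semantics. The applications, the 10.0.0.0/24 segment and the port numbers are assumptions, and the rule format is a neutral tuple rather than any vendor's syntax.

```python
"""Turn a traffic matrix (step 4) into an ordered ruleset (step 5) and evaluate
packets against it.

Added example, not code from the paper or from NIST SP 800-41. The applications,
addresses and ports in TRAFFIC_MATRIX are constructed, and the rule format is a
neutral tuple plus arrival interface rather than any vendor's syntax.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
INTERNAL = ipaddress.ip_network("10.0.0.0/24")   # assumption: the protected segment

# One row per application flow the organization needs (constructed data):
# application, protocol, source, destination, destination port, direction
TRAFFIC_MATRIX = [
    ("web",      "tcp", "0.0.0.0/0",    "10.0.0.10/32", 443, "inbound"),
    ("mail-out", "tcp", "10.0.0.20/32", "0.0.0.0/0",    25,  "outbound"),
    ("dns",      "udp", "10.0.0.0/24",  "0.0.0.0/0",    53,  "outbound"),
]


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    proto: str                       # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # None matches any destination port
    iface: str                       # interface the packet arrives on: "outside", "inside" or "any"
    comment: str


def build_ruleset(matrix) -> list[Rule]:
    rules = []
    # Anti-spoofing comes first: a packet claiming an internal source address
    # must never be accepted on the outside interface.
    rules.append(Rule("deny", "any", INTERNAL, ANY_NET, None, "outside",
                      "anti-spoofing: internal source seen on outside interface"))
    for app, proto, src, dst, port, direction in matrix:
        iface = "outside" if direction == "inbound" else "inside"
        rules.append(Rule("allow", proto, ipaddress.ip_network(src),
                          ipaddress.ip_network(dst), port, iface, f"{app} ({direction})"))
    # Cleanup rule: anything the matrix did not authorize is denied.
    rules.append(Rule("deny", "any", ANY_NET, ANY_NET, None, "any", "default deny"))
    return rules


def evaluate(rules, iface, proto, src_ip, dst_ip, dport) -> tuple[str, str]:
    """First-match evaluation: the first rule whose fields all match decides,
    so rule order is part of the policy."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.iface not in ("any", iface) or r.proto not in ("any", proto):
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.comment
    raise RuntimeError("ruleset lacks a final default-deny rule")


if __name__ == "__main__":
    rs = build_ruleset(TRAFFIC_MATRIX)
    for i, r in enumerate(rs, 1):
        port = "any" if r.dport is None else r.dport
        print(f"{i:2} {r.action:5} {r.proto:4} {str(r.src):16} -> {str(r.dst):16} "
              f"port {port:<5} on {r.iface:8} # {r.comment}")
    print(evaluate(rs, "outside", "tcp", "203.0.113.5", "10.0.0.10", 443))
    print(evaluate(rs, "outside", "tcp", "10.0.0.50", "10.0.0.10", 443))
```

Placing the anti-spoofing rule above the "web" allow rule is what stops a forged internal source from riding the inbound HTTPS permission; swap the two and the forged packet is allowed, which is why rule order has to be reviewed along with the rules themselves.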

Equipment & Budget

Depending on the size and purpose of the organization, the equipment, hardware, and software required will vary. Enterprise firewall appliances vary in price as well, depending on the features the organization requires. Basic enterprise firewall solutions range from roughly $400 for small devices with VPN support (getITnew, n.d.) to $10,000 and more for devices with features such as Denial of Service protection, spoofing protection, malformed packet protection, and an abundance of additional features (getITnew, n.d.). Completion of the risk assessment will determine what type of firewall solution is necessary for the organization and which features the organization needs. Time and labor costs for the technicians performing the risk assessment of the network should also be considered when developing a budget for the firewall solution.

Tentative Implementation Timeline

The longest part of implementing a firewall solution is the initial risk assessment; shortcuts should not be taken during this process, so that you gather as much data as you can on your own network and understand what is at risk. This process will also help you define what types of protection you require. Risk assessment is a never-ending cycle, so the timeline is not exact. The first step in a typical risk assessment is the Review. The goal of this portion is to fully evaluate the systems and services your network is using and to determine which are crucial to the organization's purpose; redundant services should be terminated. The second step is Examination. During this phase, each service and system should be fully evaluated for inherent vulnerabilities; in the context of firewalls, you are specifically looking at the ports and protocols those services operate over. The final stage is Testing. This phase is conducted after the implementation of the firewalls and their rulesets. The first two phases of the risk assessment provide the data necessary to create the rulesets that will govern the firewalls. Risk assessment is a repeating process, so it is never truly complete (Abdel-Aziz, 2011).



Evaluation System

During the initial evaluation of your network, test what you can and cannot access without the firewall. Document exactly what you can communicate with: ports, services, hosts, protocols, and so on. This data will be used to perform your risk assessment. After the risk assessment has been conducted, install and configure the proper firewalls and perform the same assessment again, documenting the results. Compare the two: any service still reachable that the traffic matrix does not authorize indicates a gap in the ruleset, and any authorized service that is no longer reachable indicates over-blocking that will break an application. Keep records of your documentation for later reference and troubleshooting, and consider this documentation during security audits as well.
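As an added example for this step (not from the paper), the Python below parses two constructed scan results written in the format of nmap's grepable output (-oG), one taken before the firewall and one after, and compares them with what the traffic matrix authorizes. The hosts, ports and authorized set are hypothetical, and the scan text was written by hand rather than produced by running a scanner.

```python
"""Compare what was reachable before and after the firewall with what the
traffic matrix authorizes.

Added example for this section; not code from the paper. The two scan results
below are constructed in the format of nmap's grepable output (-oG) and were not
produced by running a scanner, and AUTHORIZED_INBOUND is a hypothetical subset
of the plan's traffic matrix.
"""
from __future__ import annotations

# Constructed baseline: the protected segment scanned from outside with no firewall.
BEFORE_SCAN = "\n".join([
    "# Nmap (constructed) scan from the outside before the firewall",
    "Host: 10.0.0.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)",
    "Host: 10.0.0.20 ()\tPorts: 25/open/tcp//smtp///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)",
    "Host: 10.0.0.30 ()\tPorts: 445/open/tcp//microsoft-ds///, 139/filtered/tcp//netbios-ssn///\tIgnored State: closed (998)",
])

# Constructed re-scan with the firewall and its ruleset in place.
AFTER_SCAN = "\n".join([
    "Host: 10.0.0.10 ()\tPorts: 443/open/tcp//https///\tIgnored State: filtered (999)",
    "Host: 10.0.0.20 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (999)",
])

# What the traffic matrix says outsiders may reach (hypothetical).
AUTHORIZED_INBOUND = {("10.0.0.10", "tcp", 443), ("10.0.0.20", "tcp", 25)}


def parse_grepable(text: str) -> set[tuple[str, str, int]]:
    """Extract (host, protocol, port) for every port reported open.
    Each grepable port entry reads port/state/protocol/owner/service/rpc/version/."""
    reachable = set()
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports: ", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(", "):
            port, state, proto = entry.split("/")[:3]
            if state == "open":
                reachable.add((host, proto, int(port)))
    return reachable


def assess(before, after, authorized) -> dict[str, list]:
    """The three findings a reviewer wants after the second assessment."""
    return {
        # exposure the firewall removed
        "closed": sorted(before - after),
        # still reachable but not in the traffic matrix: a gap in the ruleset
        "still_exposed": sorted(after - authorized),
        # authorized but no longer reachable: over-blocking that breaks an application
        "over_blocked": sorted(authorized - after),
    }


def run_assessment() -> dict[str, list]:
    return assess(parse_grepable(BEFORE_SCAN), parse_grepable(AFTER_SCAN), AUTHORIZED_INBOUND)


if __name__ == "__main__":
    for finding, items in run_assessment().items():
        print(finding)
        for host, proto, port in items:
            print(f"  {host} {proto}/{port}")
```

In the constructed data the firewall closed SSH, SMB and one SMTP listener, but RDP on 10.0.0.20 is still reachable (a ruleset gap) and the authorized SMTP on that host was blocked along with it (over-blocking); both findings go back into the ruleset review before the results are filed for the audit.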

Benefits

Protecting assets is key in modern business continuity models. Proprietary information, customer information, and Personally Identifiable Information are just a few examples of what is at risk without basic security of your network. Firewalls are one of the first lines of defense when it comes to protecting private networks; without them, your network is completely exposed to public view and to unauthorized traffic. Firewalls also provide a means to monitor what is happening on your network through their logs, which gives you a way to manage and troubleshoot connectivity issues or investigate internal incidents.

Conclusion

A lot goes into the proper application of firewall technology. Understand that firewalls are just a single piece of the puzzle when it comes to securing a network; networks are systems in and of themselves, with all their parts working together like a machine to serve us. Technology changes rapidly, and when new vulnerabilities arise they can affect the entire system through a snowball effect. This is why constant risk assessment and documentation are necessary: knowing where and when changes were made to the system gives direction for further changes and modifications when necessary. Firewall ruleset assessment is part of security audits, so updates can be made as needed over the life of the organization.

References

Abdel-Aziz, A. (2011, May). Scoping Security Assessments. Retrieved from SANS: https://www.sans.org/reading-room/whitepapers/auditing/scoping-security-assessments-project-management-approach-33673

Cobb, M. (2010, March). The Benefits of Application Proxy Firewalls. Retrieved from SearchSecurity: http://searchsecurity.techtarget.com/answer/The-benefits-of-application-proxy-firewalls

getITnew. (n.d.). ASA5505-SEC-BUN-K9 Cisco ASA 5505 Security Appliance. Retrieved from getITnew.com: http://getitnew.com/asa5505-sec-bun-k9ciscoasa5505bundle.aspx?gclid=CJTIvNW-yc4CFQKTfgodQy4Gig

getITnew. (n.d.). SRX3600BASE-DC Juniper SRX Services Gateway. Retrieved from getITnew.com: http://getitnew.com/srx3600base-dcjunipersrxservicesgateway.aspx?gclid=CPiF4KO_yc4CFVOUfgodZKUN6g

National Institute of Standards and Technology (NIST). (2002, January). NIST Firewall Guide and Policy Recommendations. Retrieved from FFIEC: http://ithandbook.ffiec.gov/media/27459/nis-guide_on_firewall_and_firewall_pol_800_41.pdf

National Institute of Standards and Technology (NIST). (2009, September). NIST SP 800-41, Revision 1, Guidelines on Firewalls and Firewall Policy. Retrieved from NIST: http://csrc.nist.gov/publications/nistpubs/800-41-Rev1/sp800-41-rev1.pdf
