Transcript document
F3 Explorers Guild:
Firewalls & Filters
Jason Kau
Applied Networking
Georgia Tech Research Institute
[email protected]
404-894-8806
GTRI_B-‹#›
Firewall vs. Filter
Firewall
A firewall provides network access control, i.e. which users ("who")
are allowed to access which resources ("what") at what time
("when").
• So-called modern "Deep Packet/Application Inspection"
firewalls increasingly "enumerate badness", i.e. user A is
allowed to access resource B during time period C as long as user A
is not doing "something bad" to resource B. "Something bad" is
usually detected via updatable signatures.
• "Enumerating badness" is a losing battle as worms, viruses,
peer-2-peer, spam, phishing fraud, etc. grow at a much higher rate
than legitimate applications. "Enumerating badness" in the form of
updatable signatures does not protect against 0-day attacks.
Firewall vs. Filter
Firewall
• Fight back by focusing on "enumerating goodness" in the
configuration of firewall(s)—only allow needed network
applications and specific functionality within those network
applications.
• Best security: "enumerate goodness" by configuration and
"enumerate badness" within those allowed applications.
Firewall vs. Filter
Filter
A filter is a specialized product that provides fine-grained content
control over specific network applications. The firewall has given
network access to a resource but a filter inspects the content
requested of the resource, the content returned from the resource,
and/or the content known to be available from the resource and
determines its suitability for end-user consumption.
• Firewalls can act as content filters but rarely do content filters act
as firewalls.
• Specialized content filtering solutions usually offer "deepest", most
"feature-rich" and "flexible" filtering.
Firewall vs. Filter
Examples of Firewalls
Network-based: Cisco PIX/ASA/FWSM, Juniper Netscreen, Check
Point VPN-1, Microsoft ISA, Fortinet, Watchguard.
Host-based: ISS BlackICE (home) & Desktop Protector (enterprise)
Examples of Filters
Mail: Barracuda Spam Firewall, Symantec Mail Security, SurfControl
Risk Filter, MailScanner
Web/P2P/IM: Bluecoat ProxySG, SurfControl Threat Filter,
FaceTime, Websense, Barracuda Spyware Firewall
Web/Mail: Aladdin eSafe Gateway
Examples of Firewalls + Filters
Host-based: Norton Personal Firewall/Internet Security (home) &
Symantec Client Security (enterprise)
Network-based: Symantec Enterprise Firewall, Securiant SpiderISA
DOE-BellSouth Firewall & Filtering Solution:
Cisco FWSM firewall + Websense filtering
How it works
Cisco FWSM firewall sends web URLs to Websense server which
instructs FWSM to block or allow the URLs based on pre-defined
Websense categories or school system-defined whitelists/blacklists.
Sample Websense Categories
Adult Material - Adult Content, Lingerie & Swimsuit, Nudity, Sex,
Sex Education
Drugs - Abused Drugs, Marijuana, Prescribed Medications,
Supplements & Unregulated Compounds
DOE-BellSouth Firewall & Filtering Solution:
Limitations
• Border solution only, i.e. deployed at border between school
system and the State of Georgia/BellSouth—no intra-school system
protection.
• No virus/worm scanning for web downloads.
• No spyware/malware scanning for web downloads.
• No ability to rewrite web requests to enable site-specific safety
features, e.g. force Google and Yahoo safe search.
• No content caching to improve performance.
DOE-BellSouth Firewall & Filtering Solution:
Limitations Continued
• No true URL category detection for HTTPS URLs because it is a
non-proxy solution. The FWSM never sees the encrypted HTTPS request,
only the destination IP address, so Websense has to categorize HTTPS
sites by reverse DNS of that address. On shared hosting the PTR record
names the hosting provider, not the site, so the category can be wrong
or missing.
• No built-in IPS (intrusion prevention system) with updatable
signatures to detect exploits, worms, and attacks and thus less
ability to "enumerate badness" within allowed network applications
compared to some firewall solutions.
• No spyware, spam, virus, phishing fraud, inappropriate or
dangerous content filtering for email.
Expanding on the DOE-BellSouth Solution
Layering of Firewalls
• Best practice is "defense-in-depth". Firewall at border; firewall at
school level; host firewall on desktop/servers.
• Border-School-Host firewall paradigm is very costly. Decide on
where your firewalls have the best security pay-off. Use BellSouth
as border firewall, re-use previous border firewall as "sensitive"
servers firewall or DMZ, investigate if your routers/switches can act
as semi-firewalls to provide access control decisions and act as
school level firewalls, use host firewall on servers, etc.
• As centrally managed "super" client (combined anti-virus, anti-spyware,
& firewall) offerings mature and if budget permits, evaluate
a host firewall implementation for all clients.
Expanding on the DOE-BellSouth Solution
Layering of Firewalls Continued
• Firewall configuration should "enumerate goodness". Don't block
known TCP/IP ports and addresses used by past exploits or
worms—instead allow only those applications needed on your
network and deny everything else by default. If budget allows, pick
firewalls with built-in in-line IPS so you can more thoroughly
"enumerate badness" within the allowed applications.
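Added example (not from the GTRI slides) illustrating the "enumerate goodness" configuration advice above and on the earlier Firewall vs. Filter slide: a toy first-match policy evaluator, in the style of a PIX/ASA access-list, run over constructed flows. A blacklist of known worm ports ("enumerate badness") permits a 0-day on a port nobody has a signature for yet; a default-deny list of needed applications ("enumerate goodness") drops it. The rules carry the who / what / when dimensions the deck uses to define a firewall. All addresses, ports, time windows and flows are assumptions made for the example.

```python
"""Added example, not from the GTRI slides: a toy first-match policy
evaluator showing why "enumerate goodness" (allow only needed apps,
deny the rest) holds up against a 0-day that "enumerate badness"
(deny known-bad ports, permit the rest) lets through. Rules carry the
who / what / when dimensions the slides describe; all addresses, ports
and flows below are constructed for illustration."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str      # client address
    dst: str      # server address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port
    at: time      # time of day the connection is attempted


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # who: CIDR the rule applies to
    proto: str             # what: "tcp", "udp" or "any"
    dport: Optional[int]   # what: destination port, None = any port
    start: time = time(0, 0)          # when: window start
    end: time = time(23, 59, 59)      # when: window end

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src)
                and self.proto in ("any", f.proto)
                and self.dport in (None, f.dport)
                and self.start <= f.at <= self.end)


def evaluate(rules, flow, default="deny"):
    """First matching rule wins, as in a PIX/ASA access-list; `default`
    is the implicit action when nothing matches."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


LAN = "10.20.0.0/16"                    # constructed school network
SCHOOL_HOURS = (time(7, 0), time(16, 0))

# "Enumerate badness": block ports yesterday's worms used, permit everything else.
BADNESS = [
    Rule("deny", "0.0.0.0/0", "tcp", 135),
    Rule("deny", "0.0.0.0/0", "tcp", 445),
    Rule("deny", "0.0.0.0/0", "tcp", 4444),
    Rule("permit", "0.0.0.0/0", "any", None),
]

# "Enumerate goodness": permit only web (during school hours) and DNS
# from the LAN; the implicit default denies everything else.
GOODNESS = [
    Rule("permit", LAN, "tcp", 80, *SCHOOL_HOURS),
    Rule("permit", LAN, "tcp", 443, *SCHOOL_HOURS),
    Rule("permit", LAN, "udp", 53),
]

# Constructed traffic: legitimate web and DNS, a known worm port, a
# "0-day" on a port no blacklist knows yet, and web traffic after hours.
FLOWS = {
    "web":   Flow("10.20.5.7", "203.0.113.10", "tcp", 80,    time(10, 30)),
    "dns":   Flow("10.20.5.7", "10.20.1.5",    "udp", 53,    time(10, 30)),
    "known": Flow("10.20.5.7", "203.0.113.10", "tcp", 445,   time(10, 30)),
    "0day":  Flow("10.20.5.7", "203.0.113.10", "tcp", 31337, time(10, 30)),
    "night": Flow("10.20.5.7", "203.0.113.10", "tcp", 80,    time(23, 0)),
}


def compare(badness=BADNESS, goodness=GOODNESS, flows=FLOWS):
    """Map each flow name to (badness verdict, goodness verdict)."""
    return {name: (evaluate(badness, f), evaluate(goodness, f))
            for name, f in flows.items()}


if __name__ == "__main__":
    for name, (bad, good) in compare().items():
        print(f"{name:6} enumerate-badness={bad:7} enumerate-goodness={good}")
```

The model deliberately leaves out what a real firewall adds on top (stateful return traffic, destination restrictions, logging of the implicit deny); the point it makes is only that the goodness list has no entry for port 31337 and therefore needs no signature to stop it, while the badness list has to be updated after every new worm.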
Expanding on the DOE-BellSouth Solution
Virus Scanning for the Web
• DOE-BellSouth Cisco FWSM firewall + Websense solution does
not provide virus scanning of downloads.
• Is virus scanning for web downloads necessary if you have host-based anti-virus? Defense-in-depth says yes; budgets may say no.
• Are web downloads really the primary source of viruses these
days? Not compared to e-mail.
• Proxy solutions (Bluecoat ProxySG, Network Appliance
Netcache, Cisco Content Engine, Microsoft ISA, Squid), some non-proxy content filters (Aladdin eSafe), and some firewalls (Fortinet,
Cisco ASA in the future) provide, or in Squid's case can be paired with, virus scanning of web downloads.
Expanding on the DOE-BellSouth Solution
Virus Scanning for the Web Continued
• If budget does not allow defense-in-depth of virus scanning of
downloads, turn to "enumerate goodness" principle. Create a
whitelist of allowed web download sites, e.g. only allow the
download of .EXE files from download.com, microsoft.com, etc.
This can be accomplished with DOE-BellSouth Websense solution.
Expanding on the DOE-BellSouth Solution
Spyware Scanning for the Web
• DOE-BellSouth Cisco FWSM firewall + Websense solution does
not provide spyware scanning for downloads.
• Debate rages between host-based or network-based anti-spyware
solutions. Defense-in-depth says both; budgets may say no.
• Debate on how well network anti-spyware scanning even works
because spyware can be recompiled with obfuscation infinite
number of times. Host-based Spyware solutions can restrict what
spyware can do by "enumerating OS-level badness".
• Network solution only provides protection when you're on-site;
notebooks taken offsite are not protected.
Expanding on the DOE-BellSouth Solution
Spyware Scanning for the Web Continued
• Specialized spyware network gateways (Bluecoat Spyware
Interceptor, Barracuda Spyware Firewall, Aladdin eSafe, Facetime)
offer best network-based spyware scanning compared to
firewalls/proxies.
• "Enumerate badness" helps block spyware downloads. Block
download of "spyware drive-by-installs"—block downloads of .OCX,
.CAB, .EXE files (except from sites in the web download whitelist),
etc. This can be accomplished with the DOE-BellSouth Websense
solution.
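Added example (not from the GTRI slides) for the download whitelist described here and on the Virus Scanning for the Web slide: a URL check that blocks drive-by-install file types unless the host is on a whitelist of trusted download sites. It also handles the evasions a practitioner would test for: upper-case extensions, percent-encoded dots, query strings, and look-alike hosts such as microsoft.com.evil.test. The whitelist contents, the sample URLs and the .msi/.scr additions are assumptions.

```python
"""Added example, not from the GTRI slides: an "enumerate goodness"
download policy. Drive-by-install file types (.exe, .ocx, .cab) are
blocked unless the host is on a whitelist of trusted download sites.
The whitelist, and the .msi/.scr additions, are assumptions."""
import posixpath
from urllib.parse import unquote, urlsplit

BLOCKED_EXTENSIONS = {".exe", ".ocx", ".cab", ".msi", ".scr"}

# Hosts allowed to serve executables; entries also cover their subdomains.
DOWNLOAD_WHITELIST = {"microsoft.com", "download.com"}


def host_allowed(host):
    """Exact or subdomain match on the whitelist.

    A substring test ("microsoft.com" in host) would also accept
    microsoft.com.evil.test, and a bare host.endswith("microsoft.com")
    would accept notmicrosoft.com; requiring the dot prevents both."""
    host = host.lower().rstrip(".")
    return any(host == w or host.endswith("." + w) for w in DOWNLOAD_WHITELIST)


def file_extension(url_path):
    """Extension of the last path segment, after percent-decoding
    (setup%2Eexe) and lower-casing (SETUP.EXE). The query string is not
    part of the path, so ?id=1 does not hide the extension."""
    return posixpath.splitext(unquote(url_path))[1].lower()


def download_decision(url):
    """Return "allow" or "block" for a requested URL."""
    parts = urlsplit(url)
    ext = file_extension(parts.path)
    if ext not in BLOCKED_EXTENSIONS:
        return "allow"                 # not an executable type
    if host_allowed(parts.hostname or ""):
        return "allow"                 # executable from a whitelisted site
    return "block"


# Constructed requests a school proxy might see.
SAMPLE_URLS = [
    "http://download.microsoft.com/files/setup.exe",
    "http://www.microsoft.com.evil.test/setup.exe",
    "http://notmicrosoft.com/setup.exe",
    "http://evil.test/SETUP.EXE?id=1",
    "http://evil.test/setup%2Eexe",
    "http://evil.test/index.html",
    "http://download.com/toolbar.cab",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{download_decision(u):5}  {u}")
```

This is a request-side check only: a URL like /get?file=setup.exe has no extension in its path, and a server can send an executable under any name. A filter that wants to catch those also inspects the response (Content-Type, Content-Disposition, and the file's magic bytes), which a proxy can do and a URL-only filter cannot.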
Expanding on the DOE-BellSouth Solution
Content Caching
• DOE-BellSouth Cisco FWSM firewall + Websense solution does
not provide caching.
• The commercial caching market largely died several years ago as
bandwidth became cheap. Several players exited the market (F5,
Inktomi) and remaining vendors focused on "web security", e.g.
CacheFlow changed its name to Bluecoat.
• However DOE-BellSouth K12 contract provides relatively low
bandwidth connectivity. 1.5 Mbps per school. Typical DSL is 1.5
Mbps PER HOME with 3 Mbps increasingly available.
• Thus caching proxy may be of great benefit to K12 environment.
Expanding on the DOE-BellSouth Solution
Content Caching Continued
• Cheap cache solution: Linux server(s) running Squid.
• Expensive cache solutions: Microsoft ISA, Barracuda Spyware
Firewall (higher-end models do caching), Bluecoat ProxySG.
Expensive solutions should give you additional filtering capabilities
(virus scanning, spyware filtering, etc.).
• An explicit (caching) proxy sees the hostname in the browser's
CONNECT request before the TLS session starts, so Websense,
SmartFilter, SurfControl, etc. can categorize HTTPS sites by name
instead of by reverse DNS of the destination IP (the URL path itself
stays encrypted either way).
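Added example (not from the GTRI slides) for the HTTPS categorization point made here and in the Limitations slide: a constructed reverse-DNS table and category list, with the two lookups side by side. A non-proxy device hands the categorizer only the destination IP, which on a shared-hosting server resolves to the hoster's name; an explicit proxy reads the hostname out of the client's CONNECT line. The PTR records, categories and hostnames are all assumptions.

```python
"""Added example, not from the GTRI slides: why a non-proxy device can
only categorize an HTTPS site by reverse DNS of the destination IP,
while an explicit proxy gets the hostname from the client's CONNECT
request. The PTR records and category table are constructed."""
import re

# Constructed reverse-DNS data: 203.0.113.10 is a shared-hosting server
# that serves many unrelated sites; 198.51.100.20 is a dedicated host.
PTR = {
    "203.0.113.10": "vhost-10.hosting.example",
    "198.51.100.20": "www.encyclopedia.example",
}

# Constructed category list keyed by domain suffix (Websense-style).
CATEGORIES = {
    "encyclopedia.example": "Reference",
    "casino.example": "Gambling",
    "hosting.example": "Web Hosting",
}


def categorize_host(host):
    """Most-specific suffix match: www.casino.example -> casino.example."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        category = CATEGORIES.get(".".join(labels[i:]))
        if category:
            return category
    return "Uncategorized"


def categorize_by_reverse_dns(dst_ip):
    """What the FWSM-style non-proxy path has to work with: the TLS flow
    is encrypted, so all it can hand the categorizer is the destination
    IP, which is mapped back to a name via PTR lookup."""
    name = PTR.get(dst_ip)
    return categorize_host(name) if name else "Uncategorized"


CONNECT_RE = re.compile(r"^CONNECT\s+([^\s:\[\]]+):(\d+)\s+HTTP/1\.[01]\r?\n")


def categorize_connect(request):
    """What an explicit proxy can do: the browser sends
    'CONNECT host:port HTTP/1.1' in clear text before the TLS handshake,
    so the hostname (though not the URL path) is available."""
    m = CONNECT_RE.match(request)
    if not m:
        raise ValueError("not a CONNECT request")
    return categorize_host(m.group(1))


def compare(host, dst_ip):
    """(reverse-DNS verdict, CONNECT verdict) for one HTTPS site."""
    request = f"CONNECT {host}:443 HTTP/1.1\r\nHost: {host}:443\r\n\r\n"
    return categorize_by_reverse_dns(dst_ip), categorize_connect(request)


if __name__ == "__main__":
    # The gambling site lives on the shared-hosting IP; reverse DNS only
    # ever sees the hoster's name, so the category is wrong.
    print(compare("www.casino.example", "203.0.113.10"))
    print(compare("www.encyclopedia.example", "198.51.100.20"))
```

The CONNECT hostname is supplied by the client, so a proxy should connect to that name rather than to a client-supplied IP and should not let the client pick arbitrary ports. Today the TLS Server Name Indication extension exposes the same hostname to a passive device, but the deck's point stands: a device that sees only the destination IP is reduced to reverse DNS.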
Expanding on the DOE-BellSouth Solution
Improve "Enumerating Badness" firewall capability
• DOE-BellSouth Cisco FWSM firewall + Websense solution does
not support updatable signatures to look for exploits, worms, and
attacks. Thus, you're limited in your ability to "enumerate badness"
within those network applications you allow if you use the FWSM as
your border firewall.
• Consider supplementing the DOE-BellSouth Cisco FWSM firewall
with a signature-based in-line IPS from a vendor like Sourcefire,
TopLayer, 3Com TippingPoint, Cisco IPS, Juniper IDP, etc. In-line
IPS is a $10K investment at the 10 Mbps to 20 Mbps performance
range.
Expanding on the DOE-BellSouth Solution
Improve "Enumerating Badness" firewall capability
continued
• Order of implementation for your school system (from best to worst
in terms of most security bang for the buck)
1) border firewall
2) school level firewall
3) host firewalls (wait until "super" client matures)
4) border IPS
5) school level IPS
Expanding on the DOE-BellSouth Solution
Email Scanning
• DOE-BellSouth Cisco FWSM firewall + Websense provides no
email protection.
• Emails are vehicles for the transport of spyware, viruses, phishing
fraud, pornographic images, spam, etc.
• The email solution needs to address all this "badness". Many
open source and commercial solutions exist in this area, from software
add-ons to Microsoft Exchange to dedicated hardware appliances.
Expanding on the DOE-BellSouth Solution
Email Scanning Continued
• For performance and security reasons, email filtering should be
done on dedicated network filtering appliances or filtering servers.
SPAM and virus scanning can be extremely computationally
intensive and slow down legitimate email receiving/sending. Only
expose the email filters directly to inbound connections from the
Internet, preferably in a DMZ.
• Children-specific policies can make you "more CIPA compliant".
E.g., stripping images from emails to students keeps pornographic
images out of their mailboxes (remote images referenced from HTML
mail and images inside archive attachments need separate handling).
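Added example (not from the GTRI slides) of the student image policy just described, written as a standalone filter rather than a MailScanner rule: messages with a student recipient have every image/* MIME part removed, staff-only mail passes untouched, and a multipart that would be left empty gets a notice part instead. The student domain, addresses and sample message are constructed.

```python
"""Added example, not from the GTRI slides: a mail-filter policy that
removes image parts from messages addressed to student mailboxes,
leaving staff mail untouched. The student domain and the sample
message are constructed."""
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import getaddresses

STUDENT_DOMAIN = "students.example-k12.org"   # assumption


def is_student(addr):
    return addr.lower().rsplit("@", 1)[-1] == STUDENT_DOMAIN


def strip_images(msg):
    """Recursively drop every image/* part of a multipart message in
    place; return the number of parts removed."""
    if not msg.is_multipart():
        return 0
    removed, kept = 0, []
    for part in msg.get_payload():
        if part.get_content_maintype() == "image":
            removed += 1
            continue
        removed += strip_images(part)      # nested multipart/alternative etc.
        kept.append(part)
    if not kept:                           # don't leave an empty multipart
        notice = EmailMessage()
        notice.set_content("[image removed by school mail policy]")
        kept.append(notice)
    msg.set_payload(kept)
    return removed


def count_images(raw):
    """Number of image/* parts in a raw message (used to verify results)."""
    msg = message_from_string(raw, policy=policy.default)
    return sum(1 for p in msg.walk() if p.get_content_maintype() == "image")


def filter_message(raw):
    """Apply the student policy to a raw RFC 822 message.
    Returns (filtered message text, number of images removed)."""
    msg = message_from_string(raw, policy=policy.default)
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    recipients = [addr for _, addr in getaddresses(headers)]
    if not any(is_student(a) for a in recipients):
        return raw, 0                      # staff-only: leave untouched
    removed = strip_images(msg)
    return msg.as_string(), removed


# Constructed message: one text part and one JPEG attachment.
SAMPLE = """\
From: teacher@example-k12.org
To: pupil@students.example-k12.org
Subject: field trip
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Bring a lunch.
--b1
Content-Type: image/jpeg; name="photo.jpg"
Content-Disposition: attachment; filename="photo.jpg"
Content-Transfer-Encoding: base64

/9j/4AAQSkZJRgABAQAAAQABAAD/2wBD
--b1--
"""

if __name__ == "__main__":
    filtered, n = filter_message(SAMPLE)
    print(f"removed {n} image part(s); {count_images(filtered)} left")
```

The check is on declared MIME type, which is what the sending client sets; a filter in production would also look at attachment file names and magic bytes, since an image can arrive as application/octet-stream or inside a zip.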
Further Discussion on Instant Messaging
and Chat
• Should schools even allow IM/chat? What are the legal liabilities
a school faces by allowing IM/chat or by offering an official chat server?
• IM can be a vehicle for dangerous file transfers. Encryption-over-IM systems like OTR (Off the Record) can defeat a network-based IM
filter's ability to limit or restrict IM functionality.
• Only some network-based IM filtering solutions can do virus
scanning for IM file transfers (e.g. FaceTime can, Bluecoat
cannot)—and this assumes encryption-over-IM system is not used
so the IM filtering system can tell a file transfer is occurring.
• With DOE-BellSouth solution, ensure Websense "Web Chat"
category is enabled to block known web-based chat sites and block
known IM client download sites.
Further Discussion on Instant Messaging
and Chat
• "Enumerating goodness" in firewall configuration helps block IM
but "enumerating badness" in firewall configuration, e.g. block
access to specific AOL Instant Messenger login servers, may be
necessary as IM clients are "smart" and will try to find any outbound
"holes" in firewall.
Further Discussion on Peer-2-Peer
• Although Peer-2-Peer can be used for legitimate purposes, it is
primarily a means to distribute illegal (from a copyright standpoint),
dangerous (contains viruses or spyware), and pornographic content.
• Several Peer-2-Peer networks support chat themselves, e.g.
Kazaa and SoulSeek.
• Ensure the Websense category "Peer-to-Peer" is enabled to block
access to known Peer-2-Peer client download sites.
• "Enumerating goodness" firewall configuration should prevent
most Peer-2-Peer applications from working.
Case Study: Jasper County School District
• Cisco PIX firewall at border configured to "enumerate goodness".
• Cisco 2600 series routers and 350 bridges at schools acting as
"semi-firewalls" by only allowing a set of supported applications
among schools—i.e., more "enumerating goodness".
• RedHat Enterprise Linux Dell server for email content filtering.
Primarily open source solution: MailScanner, SpamAssassin, Razor,
several RBLs, McAfee, Sophos, ClamAV.
• Sophos Anti-Virus for Desktops; centrally managed.
• Bluecoat ProxySG for web content filtering and caching; blocks
Spyware "drive-by-installs", forces search engine safe search,
blocks many SurfControl categories.