AOH :: ISNQ5578.HTM|
ITL Bulletin for October 2009
ITL Bulletin for October 2009
ITL Bulletin for October 2009
Site design & layout copyright © 1986-2014 CodeGods
This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.
Content-Type: TEXT/PLAIN; CHARSET=ISO-8859-7; FORMAT=flowed
Fowarded from: "Lennon, Elizabeth B."
ITL BULLETIN FOR OCTOBER 2009
PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON
FIREWALL TECHNOLOGIES AND POLICIES
Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
U.S. Department of Commerce
Firewalls are essential devices or programs that help organizations
protect their networks and systems, and help home users protect their
computers, from hostile attacks, break-ins, and malicious software.
Firewalls control the flow of network traffic between networks and
between hosts that employ different security policies.
Firewalls were originally installed at the perimeter of networks, where
hostile threats from external intruders could be detected and stopped.
While these early firewalls provided some protection for an
organization=E2=80=99s internal systems, they could not recognize all instances
and all forms of attack. For example, attacks sent from one internal
host to another often did not pass through the network firewalls.
Networks are now often designed to provide protection at the network
perimeter as well as at other network locations and to detect both
external and internal attacks. Firewalls can now be used to restrict
connectivity to and from internal networks that process personal
information and carry out sensitive functions, such as accounting and
personnel tasks. Firewalls can provide an additional layer of security
by preventing unauthorized access to systems and information, and they
can protect mobile devices that are placed directly onto external
networks. To help organizations use today=E2=80=99s firewall technology
effectively, the Information Technology Laboratory of the National
Institute of Standards and Technology (NIST) recently revised its guide
to firewall technology and the development of firewall policies.=C2=A0
NIST Special Publication 800-41, Revision 1, Guidelines on Firewalls and
Firewall Policy: Recommendations of the National Institute of Standards
Written by Karen Scarfone of NIST and Paul Hoffman of the Virtual
Private Network Consortium, NIST Special Publication (SP) 800-41,
Revision 1, replaces an earlier guide to firewalls that had been issued
in 2002. The updated report provides an overview of firewall technology,
and helps organizations plan for and implement effective firewalls.
The revised publication explains the technical features of firewalls,
the types of firewalls that are available for implementation by
organizations, and their security capabilities.=C2=A0 Organizations are
advised on the placement of firewalls within the network architecture,
and on the selection, implementation, testing, and management of
firewalls. Other issues covered in detail are the development of
firewall policies, and recommendations on the types of network traffic
that should be prohibited.=C2=A0
The appendices to the report contain helpful supporting material,
including a glossary and lists of acronyms and abbreviations used in the
text of the report. Also included in the appendices are listings of
in-print and online resources that provide information on the effective
use of firewalls as a component of a comprehensive approach to
protecting information and information systems.
The revised guide to firewalls and firewall policies is available from
the NIST Web page
Role of Firewalls in Network Communications
There are several types of firewall technologies, which can be most
readily distinguished by which parts of network communications they can
interpret. One way of accomplishing this is by referencing the four
layers of network communications that are described by the Transmission
Control Protocol/Internet Protocol (TCP/IP) interconnection standard:
* The application layer, the highest layer, sends and receives data for
applications such as Domain Name System (DNS), Hypertext Transfer
Protocol (HTTP), and Simple Main Transfer Protocol (SMTP). The
application layer itself is composed of layers of protocols, such as
for message formats and message handling.
* The transport layer provides connection-oriented or connectionless
services for transporting application layer services between networks,
and can provide communications reliability services. Transmission
Control Protocol (TCP) and User Datagram Protocol (UDP) are commonly
used at this layer.
* The internet protocol (or network) layer routes packets across
networks using protocols including Internet Protocol version 4 (IPv4),
IP version 6 (IPv6), Internet Control Message Protocol (ICMP), and
Internet Group Management Protocol (IGMP).
* The hardware (or data link) layer is the lowest layer, controlling
communications on the components of the physical network. The Ethernet
protocol is a data link layer protocol.
The TCP/IP communications layers work together to transfer data between
hosts. When a user wants to transfer data across networks, the data is
passed from the highest layer through intermediate layers to the lowest
layer, with each layer adding more information. The lowest layer sends
the accumulated data through the physical network, and the data is then
passed upwards by the receiving host through the communications layers
to its destination.
Basic firewalls operate at one or a few layers, usually the lower
layers, while the more advanced firewalls operate at all of the layers.
Threats were previously most prevalent in the lower layers of network
traffic, but now threats are common at the application layer.=C2=A0 Firewalls
are still needed to stop the significant threats at the lower layers of
network communications, but the firewalls that examine more layers can
perform more comprehensive examinations. Firewalls that are effective in
the application layer can potentially protect advanced applications and
protocols, and provide services that are user-oriented. For example, a
firewall that operates only in the lower layers usually cannot identify
specific users, but a firewall with application layer capabilities can
provide security services such as enforcing user authentication and
logging events by specific users.
Firewall technology is often combined with other technologies, such as
routing and network address translation (NAT) capabilities. Firewalls
may also include content filtering features and intrusion prevention
technology. See Section 2 of the report for a discussion of the
advantages and disadvantages of these firewall technologies.
The older firewalls were primarily packet filter firewalls. These are
routing devices that provide access control capabilities for host
addresses and communication sessions. Also known as stateless inspection
firewalls, these devices do not keep track of the state of each flow of
traffic that passes though the firewall; as a result, they cannot
associate multiple requests within a single session to each other.
Packet filter technology is still employed in most modern firewalls,
along with other firewall methods. Unlike more advanced filters, packet
filters do not analyze the content of packets. Their access control
functionality is governed by a set of directives referred to as a
ruleset. Packet filtering capabilities are built into most operating
systems and into devices capable of routing, such as a network router
that employs access control lists. Packet filters operate at the network
layer, and can filter both inbound and outbound traffic.
Firewalls with stateful inspection functions improve on the capabilities
of packet filters by tracking the state of connections and by blocking
packets that deviate from the expected state. These firewalls have
greater awareness of the transport layer; packets are intercepted at the
network layer and inspected for adherence to an existing firewall rule,
as packet filters do, but stateful inspection firewalls also keep track
of each connection in a state table that contains information such as
source IP address, destination IP address, port numbers, and connection
Application firewalls add a stateful protocol analysis capability. Some
vendors refer to this feature as deep packet inspection. Stateful
protocol analysis improves upon the standard stateful inspection by
providing basic intrusion detection technology to analyze protocols at
the application layer and identify suspicious events. These firewalls
can allow or deny access based on how an application is running over the
network. An application firewall can determine if an email message
contains a type of attachment that the organization does not permit,
determine if protocols are being used incorrectly, block connections
that are not allowed, and allow or deny access to Web pages. Firewalls
with both stateful inspection and stateful protocol analysis features
provide extensive capabilities to detect and prevent attacks, but they
are not complete intrusion detection and prevention systems (IDPSs).
A firewall that has an application-proxy gateway capability combines
lower-layer access control with upper-layer functionality. These
firewalls contain a proxy agent that acts as an intermediary between two
hosts communicating with each other. The proxy agent never allows a
direct connection between the hosts. Each successful connection attempt
results in the creation of two separate connections; one connection is
between the client and the proxy server, and another connection is
between the proxy server and the destination address. From the
perspective of the two hosts, the connection appears to be direct.
Because external hosts only communicate with the proxy agent, internal
IP addresses are not visible to the outside world. The proxy agent
interfaces directly with the firewall ruleset to determine whether
specific network traffic should be allowed to pass through the firewall.
Some proxy agents can require authentication of each individual network
user. This authentication process can include user identification (ID)
and password, hardware or software token, source address, and
biometrics. Like application firewalls, the proxy gateway operates at
the application layer and can inspect the actual content of the network
Dedicated proxy servers retain proxy control of traffic, but they
usually have much more limited firewalling capabilities than
application-proxy gateway firewalls. Many dedicated proxy servers are
application-specific, and some actually perform analysis and validation
of common application protocols. These servers are usually deployed
behind traditional firewall platforms. The proxy server can filter or
log incoming traffic forwarded by the main firewall, and then forward
the traffic to internal systems. A proxy server can also accept outbound
traffic directly from internal systems, filter or log the traffic, and
pass it to the firewall for outbound delivery. Lately, the use of
inbound proxy servers has decreased considerably because they must mimic
the capabilities of the main server that they are protecting. Most proxy
servers now in use are outbound proxy servers.
Firewall devices may have to encrypt and decrypt specific network
traffic flows between the protected network and external networks. This
function is accomplished through virtual private networks (VPNs), which
use additional protocols to encrypt traffic and provide user
authentication and integrity checking. Common VPN architectures are
gateway-to-gateway and host-to-gateway. Gateway-to-gateway architectures
connect multiple fixed sites over public lines through the use of VPN
gateways. An example of this task is the connection of branch offices to
an organization=E2=80=99s headquarters. The host-to-gateway architecture
provides a secure connection to the network for individual users,
usually called remote users, who are physically located outside of the
organization, such as at home or in a hotel.
Gateway-to-gateway and host-to-gateway VPN functionality is often part
of the firewall itself. Placing it behind the firewall would require the
VPN traffic to be passed through the firewall while encrypted, thus
preventing the firewall from inspecting the traffic. The organization=E2=80=99s
VPN policy can specify the resources that users and groups are
authorized to access.
Firewalls at the edge of a network may have to perform client checks for
incoming connections from remote users and allow or disallow access
based on those checks. This checking process, commonly called network
access control (NAC) or network access protection (NAP), allows access
based on the user=E2=80=99s credentials and the results of the checking process,
assuring that the user=E2=80=99s computer complies with organizational policy
concerning the use of patches, security software, and configuration
Unified threat management (UTM) systems combine multiple security
features into a single system, including a firewall, malware detection
and eradication, and sensing and blocking of suspicious network probes.
This approach may reduce the complexity of setting and maintaining
policies on all of the systems that are deployed at the same location on
a network, but it requires that the UTM have all the desired features to
meet all security objectives.
Web application firewalls are installed in front of the Web server to
detect the placement of malicious software on the computer of users who
are accessing information on the Web, or to deter attempts to solicit
private information from users. These firewalls, which are considered to
be different from traditional firewalls, are a relatively new
technology, with changing capabilities.
Firewalls for virtual infrastructures are another new area of firewall
technology. These firewalls monitor virtualized networking, which allows
more than one operating system running on a single computer
simultaneously to communicate with each other as if they were on a
standard Ethernet. Network activity that passes directly between
virtualized operating systems within a host cannot be monitored by an
external firewall. Some virtualization systems offer built-in firewalls
or allow third-party software firewalls to be added as plug-ins.
Host-based firewalls for servers and personal firewalls for desktop and
laptop personal computers (PCs) provide an additional layer of security
against network-based attacks. These firewalls are software-based,
residing on the hosts that they are protecting and monitoring and
controlling the incoming and outgoing network traffic for a single host.
They can provide more granular protection than network firewalls to meet
the needs of specific hosts. Host-based firewalls are available as part
of server operating systems.=C2=A0 Many host-based firewalls can also act as
intrusion prevention systems (IPSs) that, after detecting an attack in
progress, take actions to thwart the attacker and prevent damage to the
NIST Recommendations to Organizations on the Use of Firewalls and Firewall
NIST recommends that organizations improve the effectiveness and
security of their information systems by taking the following actions:=C2=A0
* Create a firewall policy that specifies how firewalls should handle
inbound and outbound network traffic.
Firewall policies, which are described in Section 4 of the report,
define how organizational firewalls should handle inbound and outbound
network traffic for specific IP addresses and address ranges, protocols,
applications, and content types based on the organization=E2=80=99s information
security policies. Organizations should conduct risk analyses to
identify the acceptable types of network traffic and how they must be
protected, specifying the types of traffic that can pass through the
firewall and under what circumstances. For example, an organization
might permit only necessary Internet Protocol (IP) protocols to pass,
appropriate source and destination IP addresses to be used, particular
Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)
ports to be accessed, and certain Internet Control Message Protocol
(ICMP) types and codes to be used. Generally, all inbound and outbound
traffic not expressly permitted by the firewall policy should be blocked
because such traffic is not needed by the organization. This practice
will reduce the risk of attack and can also decrease the volume of
traffic carried on the organization=E2=80=99s networks.
* Identify all requirements that should be considered when determining
which firewall to implement.
In planning for and selecting firewalls, organizations should determine
the network areas to be protected, and consider the types of firewall
technologies that will be most effective for protecting the required
types of traffic. Organizations should also take into consideration
firewall performance issues and the integration of the firewall into the
existing network and security infrastructures. The design of the
firewall should take into account any requirements relating to physical
environment and to personnel, and to future needs, such as plans to
adopt new IPv6 technologies or virtual private networks (VPNs).
* Create rulesets that implement the organization=E2=80=99s firewall policy
while supporting firewall performance.
Firewall rulesets should be as specific as possible for the network
traffic that will be controlled. Organizations should determine the
types of network traffic that are required, including the protocols that
the firewall itself may need to use for management. The details of
creating rulesets will vary according to the type of firewall and the
specific firewall product, but the performance of many firewalls can be
improved by optimizing firewall rulesets. For example, some firewalls
check traffic against rules in a sequential manner until a match is
found; for these firewalls, rules that have the highest chance of
matching traffic patterns should be placed at the top of the list
* Manage firewall architectures, policies, software, and other
components throughout the life of the firewall solutions.
The types of firewalls to deploy and their positions in the
organization=E2=80=99s networks can affect the security policies that the
firewalls can enforce. Policy rules should be monitored and changed as
the organization=E2=80=99s requirements change, such as when new applications or
hosts are implemented within the network. The performance of firewall
components should be monitored to enable potential resource issues to be
identified and addressed before performance is adversely affected. Logs
and alerts should also be continuously monitored to identify threats,
both successful and unsuccessful. Firewall rulesets and policies should
be managed through formal change management control processes to avoid
any impact on security and on business operations. Ruleset reviews or
tests should be performed periodically to ensure continued compliance
with the organization=E2=80=99s policies. Firewall software should be patched as
vendors provide updates to address any discovered vulnerabilities.
For information about NIST standards and guidelines related to the use
of firewalls, as well as other security-related publications, see
NIST'ss Web page.
Any mention of commercial products or reference to commercial
organizations is for information only; it does not imply recommendation
or endorsement by NIST nor does it imply that the products mentioned are
necessarily the best available for the purpose.
Content-Type: text/plain; charset="us-ascii"
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News