Firewall Planning

This chapter is part of the guide about “Firewalls and Firewall Policy in your Network”. The guide begins with the Firewalls and Network Architectures chapter.

The planning phase for choosing and implementing a firewall can begin only after an organization has determined that a firewall is needed to enforce the organization’s security policy. This typically occurs following a risk assessment of the overall system.

A risk assessment includes:

  • the identification of threats and vulnerabilities in the information system;
  • the potential impact or magnitude of harm that a loss of confidentiality, integrity, or availability would have on the organization’s assets or operations (including mission, function, image, or reputation) in the event of a threat exploitation of identified vulnerabilities;
  • the identification and analysis of security controls for the information system.

Basic principles used in the planning of firewall deployments include:

  • Use devices as they were intended to be used. Firewalls should not be constructed of equipment not meant for firewall use. For example, routers are meant to handle routing, not highly complex filtering, which can cause an excess burden on the router’s processor. Additionally, firewalls should not be expected to provide other services, such as acting as a Web server or email server.
  • Create defense-in-depth. Defense-in-depth involves creating multiple layers of security. This allows risk to be better managed, because if one layer of defense becomes compromised, another layer is there to contain the attack. In the case of firewalls, defense-in-depth can be accomplished by using multiple firewalls throughout an organization, including at the perimeter, in front of sensitive internal departments, and on individual computers. For defense-in-depth to be truly effective, firewalls should be part of an overall security program that also includes products such as antivirus and intrusion detection software.
  • Pay attention to internal threats. Focusing attention solely on external threats leaves the network wide open to attacks from within. These threats may not come directly from insiders, but can involve internal hosts infected by malware or otherwise compromised by external attackers. Important internal systems should be placed behind internal firewalls or DMZ environments.
Keep in mind that the expression “all rules are meant to be broken” applies when building firewalls. While firewall implementers should keep the above rules in mind during planning, every network and organization has unique requirements and idiosyncrasies that could require unique solutions.

Items to consider when choosing a firewall include:

  • Security Capabilities
    • Which areas of the organization need to be protected (the perimeter, internal departments, remote offices, individual hosts, specific services, mobile clients, etc.)?
    • Which types of firewall technologies will best address the kinds of traffic that need to be protected (packet filtering, stateful inspection, stateful protocol analysis, application-proxy/circuit-proxy gateway, etc.)?
    • What additional security features—such as intrusion detection capabilities, VPNs, and content filtering—does the firewall need to support?
  • Performance (generally for network firewalls only)
    • What throughput, maximum simultaneous connections, connections per second, and latency requirements must be met to prevent the firewall from becoming a bottleneck for network access, for both current and future traffic needs?
    • Is load balancing and failover functionality required to ensure high availability?
    • Is a preference for a hardware-based versus a software-based firewall a consideration?
  • Integration
    • Will the firewall require specific hardware to properly integrate within the organization’s network infrastructure (specific power capabilities, specific type of network interface card [NIC], specific backup device, etc.)?
    • Does the firewall need to be compatible with other devices on the network that provide security or other services?
    • Will installing a firewall require changes to other areas of the network?
  • Physical Environment (generally a consideration for network firewalls, although it may also apply to the centralized components of host-based or personal firewall implementations)
    • Where will the firewall be physically located to ensure physical security and protection from disasters?
    • Is there adequate shelf or rack space at the physical location where the firewall will be placed?
    • Will additional power, backup power, air conditioning, and/or network connections be required at the physical location?
  • Personnel
    • Who will be responsible for managing the firewall?
    • Will system administrators require training before the firewall is deployed?
  • Future Needs
    • Will the firewall meet the future needs of the organization (plans to move to IPv6, anticipated bandwidth requirements, compliance with regulations expected to be implemented, etc.)?

Other items to consider when purchasing and implementing host-based and personal firewalls include:

  • Do workstations or servers meet the minimum system requirements of the firewall being evaluated?
  • Will the firewall be compatible with other security software on the workstation or server (e.g., antivirus software)?
  • Can the firewall be centrally managed and allow policies that enforce the organization’s security policy to be pushed to users?
  • Can the firewall report policy violations to a central server?
  • Can the firewall be locked down to prevent anyone but administrators from modifying its settings?


10 Responses to “Firewall Planning”

  1. Andy says:

    How broadband routers and firewalls work ?

  2. admin says:

    Many broadband routers and firewalls function primarily through the use of Network Address Translation (NAT) to hide the internal systems behind a single external IP address. These are called “NAT routers” or “NAT firewalls”.

  3. Randy says:

    What are the CISCO PIX/ASA features ?

  4. admin says:

    1. Failover functionality whereby two PIXs can provide high-availability services to a network.
    2. Zero-downtime software upgrades.
    3. DHCP server. The PIX now has a built-in DHCP server to provide address allocations for remote office or branch offices.
    4. Object grouping. Administrators can now group network objects (such as devices, networks, and services) into logical groups to simplify access control list (ACL) definition and maintenance.
    5. ACLs for controlling traffic access both inbound and outbound. The PIX can also “precompile” the ACLs using turbo ACLs, which provides for enhanced performance.
    6. Command-level authorization for role-based access control.
    7. Network Address Translation (NAT), both unidirectional as well as bidirectional, to support overlapping private address ranges.
    8. Network Time Protocol (NTP) support for clock synchronization to a time server.
    9. Simple Network Management Protocol (SNMP) monitoring with CPU monitoring using SNMPv2.
    10. Virtual firewall services (PIX software 7.x).
    11. Layer 2 transparent firewall (PIX software 7.x).
    12. Software and configuration updates via HTTP and HTTPS.
    13. HTTPS-based command-line interface (CLI) access.
    14. VPN (virtual private network) services providing both LAN-to-LAN and remote-access VPN services.
    15. PPP over Ethernet (PPPoE) support for users connecting the PIX to an xDSL interface (not supported in PIX software 7.x).
    16. Quality of service (QoS) (PIX software 7.x).
    17. Tunneling application control to block and prevent applications that tunnel through web application ports such as instant messaging, peer-to-peer file share, and other applications such as GoToMyPC.
    18. IPv6 networking.
    19. Secure Shell Version 2 (SSHv2) and SNMPv2C (PIX software 7.x).
    20. Multicast support for multimedia applications.
    21. Port Address Translation (PAT) for H.323 and Session Initiation Protocol (SIP) for voice applications.
    22. Deep packet inspection for services such as HTTP, FTP, Extended Simple Mail Transfer Protocol (ESMTP), and more.
    23. Intrusion detection signatures for packet inspection.
    24. VLAN support.
    25. IPS.
    26. Network antivirus, antispam, and antiphishing capabilities.
    27. Dedicated out-of-band management interfaces.

  5. Demeter says:

    What are the NetFilter (Linux) features ?

  6. admin says:

    1. Stateful packet filtering for IPv4 traffic
    2. Network Address Translation (NAT) and Network Address Port Translation (NAPT)
    3. Flexible and extensible infrastructure
    4. Multiple layers of application programming interfaces (APIs) for third-party extensions
    5. Large number of plugins/modules

  7. Demeter says:

    What are the Logging and Log-Analysis Tools for firewalls ?

  8. admin says:

    1. Syslog. Implemented by most firewalls; uses a relatively simple UDP-based client/server logging method.

    2. Open Platform for Security Log Export Application Programming Interface (OPSEC LEA API). Implemented by Check Point for Firewall-1, OPSEC LEA is an API-based logging format, similar in function to syslog.

  9. Alexia says:

    What are the fields of the TCP segment header ?

  10. admin says:

    Source Port (16 bits)
    Destination Port (16 bits)
    Sequence Number (32 bits)
    Acknowledgement Number (32 bits)
    Data Offset (4 bits)
    Reserved (4 bits)
    Explicit Congestion Notification (ECN, 2 bits)
    Control bits (6 bits from left to right)
    Window (16 bits)
    Checksum (16 bits)
    Urgent Pointer (16 bits)
    Options (variable)
    Padding (variable)
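A parser for the header layout listed above, added here as an example (not code from the original post or its comments). The two segments are constructed, with zero placeholder checksums, and the SYN-without-ACK helper is an assumption about how a stateful filter (the stateful inspection option mentioned in the article) would classify a new connection.

```python
import struct
from dataclasses import dataclass

# Control bits, left to right, in the 6-bit field after the two ECN bits
TCP_FLAG_NAMES = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")

@dataclass
class TcpHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    data_offset: int   # header length in 32-bit words (5..15)
    reserved: int      # 4 reserved bits, expected to be zero
    ecn: int           # 2 ECN bits (CWR, ECE)
    flags: dict        # control bit name -> bool
    window: int
    checksum: int
    urgent_pointer: int
    options: bytes     # options plus padding: everything past byte 20

def parse_tcp_header(segment: bytes) -> TcpHeader:
    """Decode the fixed 20-byte header, then slice off options/padding."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    src, dst, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = off_flags >> 12          # bits 0-3 of the 16-bit word
    reserved = (off_flags >> 8) & 0xF      # bits 4-7
    ecn = (off_flags >> 6) & 0x3           # bits 8-9
    ctrl = off_flags & 0x3F                # bits 10-15
    flags = {n: bool(ctrl & (1 << (5 - i))) for i, n in enumerate(TCP_FLAG_NAMES)}
    header_len = data_offset * 4
    if data_offset < 5 or len(segment) < header_len:
        raise ValueError("data offset inconsistent with segment length")
    return TcpHeader(src, dst, seq, ack, data_offset, reserved, ecn, flags,
                     win, csum, urg, segment[20:header_len])

def is_connection_request(h: TcpHeader) -> bool:
    """SYN set and ACK clear: what a stateful filter records as a new session."""
    return h.flags["SYN"] and not h.flags["ACK"]

# Constructed sample: SYN from port 40000 to 443, data offset 6 (one MSS
# option), window 65535; the checksum is a zero placeholder, not computed.
SAMPLE_SYN = struct.pack("!HHIIHHHH", 40000, 443, 1000, 0, 0x6002, 65535, 0, 0) + b"\x02\x04\x05\xb4"
# Constructed reply: SYN+ACK, no options, acknowledging sequence 1001
SAMPLE_SYNACK = struct.pack("!HHIIHHHH", 443, 40000, 5000, 1001, 0x5012, 29200, 0, 0)
```

Feeding a segment whose data offset claims more bytes than are present raises an error rather than returning a truncated header, which is the check a filter needs before trusting any option-derived length.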

  11. Ken says:

    interesting post

  12. P. Silva says:

    a very good article about Firewall Planning

Copyright © 2008 Home Automation - JAEC - All the rights reserved