Firewalling Basics


Josh Ballard

Network Security Analyst

Outline

 Firewall Types

 Default Deny vs. Default Allow

 Campus Offerings

 The Importance of Scope

Firewall Types - Filtering

 Firewall Technology has come a long way

 The basic types are:

 Linear ACLs (“packet filter”)

 Stateful Firewall

 Stateful “Packet Inspection”

 Bridging vs. Routing

Firewall Types - Packet Filters

 Evaluates traffic packet by packet according to a single ruleset, with no memory of previous packets.

 Filters based only on IP addresses, IP protocol, ports, and in some cases TCP flags.

 Cannot filter based on “direction” (whether a packet belongs to a conversation that was started from the inside or the outside); it simply checks whether each packet matches the ACL or not.

Firewall Types - Stateful Firewall

 Tracks the state of connections for protocols such as TCP, UDP, and ICMP in a connection table.

 Evaluates the rules only on the first packet of a session; later packets are matched against the connection table instead.

 As such, it can be configured to do “directional” protection: replies to sessions started from the inside are allowed back in without any inbound rule permitting them.

 Drops illegal packet types and packets that belong to no established connection.
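To make the difference concrete, here is an added toy model (not code from the slides or from any vendor) of the two designs above, run over the same constructed packets. The protected host, the attacker addresses (RFC 5737 documentation ranges), the tiny rule language and the “established” flag check are all assumptions of the model. The stateless filter must permit inbound packets from source port 80 to high ports so that web browsing works, and the only sanity check it can apply is the ACK flag; the stateful engine consults its rules only for the SYN that opens a session and denies everything else that has no entry in the table. Both engines fall back to default deny for unmatched traffic.

```python
"""Toy model of a linear ACL ("packet filter") next to a stateful firewall.

Added example, not from the slides or any vendor: addresses are from the
RFC 5737 documentation ranges and the rule language is invented for the model.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP flags are the only "history" a packet carries with it
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    src: str                      # exact address or "any"
    dst: str
    dport: range
    action: str                   # "permit" or "deny"
    sport: range = range(0, 65536)
    established: bool = False     # classic "established" keyword: require ACK set

    def matches(self, p: Packet) -> bool:
        return (self.src in ("any", p.src) and self.dst in ("any", p.dst)
                and p.sport in self.sport and p.dport in self.dport
                and (not self.established or p.ack))


def acl_decide(rules, p: Packet, default: str = "deny") -> str:
    """Linear ACL: first match wins, each packet judged on its own.
    `default` is the fate of a packet no rule mentions (default deny here)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


PROTECTED = "192.0.2.10"     # host behind the firewall (constructed)

# Stateless filter on inbound traffic.  For PROTECTED to browse the web, the
# filter must let replies (sport 80 -> high ports) back in.  The best a packet
# filter can do is insist on the ACK flag; it cannot know whether a session exists.
STATELESS_INBOUND = [
    Rule(src="any", dst=PROTECTED, dport=range(1024, 65536),
         sport=range(80, 81), action="permit", established=True),
]


class StatefulFirewall:
    """Rules are consulted only for the first packet (SYN) of a session; every later
    packet must match the connection table, which gives directional protection."""

    def __init__(self, inside, inbound, outbound):
        self.inside, self.inbound, self.outbound = set(inside), list(inbound), list(outbound)
        self.table = set()   # 4-tuples of tracked sessions

    def decide(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if key in self.table or rev in self.table:
            return "permit"                     # part of a session we saw start
        if not (p.syn and not p.ack):
            return "deny"                       # out-of-state: no session and not a SYN
        rules = self.outbound if p.src in self.inside else self.inbound
        verdict = acl_decide(rules, p)
        if verdict == "permit":
            self.table.add(key)
        return verdict


def run_scenario() -> dict:
    """Run the same constructed packets through both engines."""
    out = Packet(PROTECTED, 51000, "203.0.113.5", 80, syn=True)             # user browses out
    reply = Packet("203.0.113.5", 80, PROTECTED, 51000, syn=True, ack=True)  # legitimate SYN/ACK
    syn_probe = Packet("198.51.100.7", 80, PROTECTED, 3389, syn=True)       # attacker, sport 80
    ack_probe = Packet("198.51.100.7", 80, PROTECTED, 3389, ack=True)       # attacker, ACK scan

    fw = StatefulFirewall(inside={PROTECTED}, inbound=[],                   # nothing may start inbound
                          outbound=[Rule(PROTECTED, "any", range(80, 81), "permit")])
    return {
        "stateless": {"reply": acl_decide(STATELESS_INBOUND, reply),
                      "syn_probe": acl_decide(STATELESS_INBOUND, syn_probe),
                      "ack_probe": acl_decide(STATELESS_INBOUND, ack_probe)},
        "stateful": {"out": fw.decide(out), "reply": fw.decide(reply),
                     "syn_probe": fw.decide(syn_probe), "ack_probe": fw.decide(ack_probe)},
    }


if __name__ == "__main__":
    for engine, results in run_scenario().items():
        print(engine, results)
```

The result worth noticing is the attacker's ACK probe: the packet filter passes it, because a packet sourced from port 80 with ACK set looks exactly like a web reply, while the stateful firewall drops it because no session to 203.0.113.5 was ever opened from 192.0.2.10:3389. The “established” check only stops the naive SYN.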

Firewall Types - Stateful w/ Packet Inspection

 Works similarly to a stateful firewall, except that it also contains “connection fixups”: it reads the application payload of a control channel and opens the secondary connections that protocol negotiates.

 Some protocols won’t work properly without a fixup, e.g. FTP and RTSP, because the data connection is opened from the far side on a port chosen at run time.

 Requires more overhead, but breaks fewer things in a default deny world.
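As an added illustration of what a fixup does (this is a toy, not the slides’ content or any vendor’s inspection engine), the following model watches the FTP control channel for the active-mode `PORT` command and opens a one-shot pinhole for the server’s data connection, which a plain stateful firewall would drop as an unsolicited inbound SYN. The client and server addresses (RFC 5737 ranges), the class and method names, and the refusal to open pinholes toward third-party hosts are all assumptions of this example.

```python
"""Toy FTP "fixup" for active-mode transfers.

Added example, not from the slides or from any vendor's inspection engine; the
addresses are RFC 5737 documentation addresses and the API is invented here.
"""
import re

# PORT h1,h2,h3,h4,p1,p2 : the client tells the server where to connect for data
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


def parse_port_command(line: bytes):
    """Return (address, port) from an FTP PORT line, or None if it is not one."""
    m = PORT_RE.match(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None                              # malformed; open nothing
    addr = ".".join(str(f) for f in fields[:4])
    return addr, fields[4] * 256 + fields[5]


class FtpFixup:
    """Watches the control channel (client -> server:21) and opens a one-shot
    pinhole for the server's data connection (server:20 -> client:port)."""

    def __init__(self, client: str, server: str):
        self.client, self.server = client, server
        self.pinholes = set()      # (src, sport, dst, dport) tuples the firewall will accept

    def inspect_control(self, payload: bytes, src: str) -> int:
        """Feed one control-channel segment; returns how many pinholes were opened."""
        if src != self.client:
            return 0                             # only the client may announce data ports
        opened = 0
        for line in payload.split(b"\r\n"):
            parsed = parse_port_command(line)
            if parsed is None:
                continue
            addr, port = parsed
            # Assumption of this model: the address in PORT must be the client itself,
            # so the firewall never punches a hole toward a third party (FTP bounce).
            if addr != self.client or port < 1024:
                continue
            self.pinholes.add((self.server, 20, self.client, port))
            opened += 1
        return opened

    def inbound_allowed(self, src: str, sport: int, dst: str, dport: int) -> bool:
        """Decision for an inbound SYN that matches no existing session."""
        key = (src, sport, dst, dport)
        if key in self.pinholes:
            self.pinholes.discard(key)           # consumed by the data connection
            return True
        return False


def run_scenario() -> dict:
    client, server = "192.0.2.10", "203.0.113.5"
    fixup = FtpFixup(client, server)
    # Constructed control-channel traffic: a legitimate PORT, then a bounce attempt.
    fixup.inspect_control(b"TYPE I\r\nPORT 192,0,2,10,200,17\r\n", src=client)
    fixup.inspect_control(b"PORT 192,0,2,11,0,22\r\n", src=client)   # names another host
    return {
        "data_conn": fixup.inbound_allowed(server, 20, client, 200 * 256 + 17),
        "replay": fixup.inbound_allowed(server, 20, client, 200 * 256 + 17),
        "wrong_port": fixup.inbound_allowed(server, 20, client, 51218),
        "bounce": fixup.inbound_allowed(server, 20, "192.0.2.11", 22),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Only the data connection the client actually announced gets through, exactly once; a second SYN to the same port, a SYN to a neighbouring port, and the connection toward the third host named in the bounce attempt are all denied. On the platform the slides name, this job is done by the PIX `fixup protocol ftp` command, later `inspect ftp` in the ASA service policy.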

Firewall Types - Bridging vs Routing

 A bridging (transparent) firewall operates between two layer 2 segments of the same network; hosts on either side see no extra IP hop.

 A routing firewall operates at the layer 3 boundary between networks and is itself a hop in the path.

 Each has advantages and disadvantages, though we choose by default to do routed firewalls.

Default Deny vs. Default Allow

 It is just how it sounds: the default posture decides the fate of a packet that matches no rule in the ACL.

 Default deny is obviously the stronger posture, but it requires more initial investment (every needed service must be enumerated up front) and is more likely to break something that was forgotten.

Campus Offerings

 For approximately the past year, we have been developing and offering firewall services.

 Based on the Cisco PIX/ASA/FWSM platform.

Campus Offerings

 We are in the process of deploying FWSM-based firewalls “virtually” in front of all data center systems.

 This allows for differing policy levels for each group of systems in the data center.

 We can also deploy FWSM technology to buildings or departments as applicable and requested.

Campus Offerings

 With our licensing of Trend Micro, we also have access to host-based firewalls, as well as the Windows firewall.

 Both of these are controllable by you as the admin with appropriate knowledge of your services and their scopes.

The Importance of Scope

 AKA: Why is firewalling important?

 Consider this example:

 Windows Server 2003 system

 Running IIS and Exchange

 Running RDP for administrative control

 Why is scoping important in this example?

The Importance of Scope (2)

 Another example - multi-tiered

 UNIX system running Apache and other web software that ties to a database backend.

 UNIX system running Oracle database software

 Both systems running SSH

 Why is scoping important in this example?

The Importance of Scoping (3)

 So the questions to answer to write a policy are:

 What should we explicitly not allow?

 What services are running on the systems in question?

 Who needs to access those services?

 What should happen to a packet that isn’t explicitly matched?
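Answering those four questions for the multi-tiered example above produces a policy like the following. This is an added illustration in PIX/ASA/FWSM access-list syntax, not the campus firewall team’s actual configuration; the addresses (RFC 5737 documentation ranges), the interface names `outside`, `dmz` and `db`, the admin subnet and the assumption that HTTPS is also served are all assumptions of the example.

```cisco
! Assumed addressing and interface names (example only):
!   outside = campus, dmz = web tier (192.0.2.10), db = database tier (192.0.2.20)
object-group network ADMIN_NETS
 network-object 198.51.100.0 255.255.255.0
!
! Who needs to access what?  From the campus: only the web tier's public services,
! plus SSH from the admin subnet.  The Oracle listener is never reachable from outside.
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 80
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended permit tcp object-group ADMIN_NETS host 192.0.2.10 eq 22
access-list OUTSIDE_IN extended permit tcp object-group ADMIN_NETS host 192.0.2.20 eq 22
! What happens to everything else?  Dropped, and logged so the misses are visible.
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Between tiers: the web server may open connections to the Oracle listener only.
access-list DMZ_IN extended permit tcp host 192.0.2.10 host 192.0.2.20 eq 1521
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
```

Two things worth knowing when reading this: every access list on these platforms ends with an implicit deny, so the explicit `deny ip any any log` lines only add the logging; and because the firewall is stateful, replies to connections these rules permit need no entries of their own. Note that DMZ_IN governs everything the web server initiates, including toward the campus, so anything it legitimately needs to reach (DNS, patch servers) has to be added deliberately. That enumeration is the scoping work the slide describes, and the same shape applies to the Windows Server 2003 example: expose 25/80/443 as the services require and limit RDP to the admin subnet.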

Conclusion

 Firewalling is an important piece of any security infrastructure, both network-based and host-based.

 It is by no means an end-all be-all solution, but can limit your exposure greatly.

Questions?
