The Ideal Firewall
Overview
The chapters at the end of this book review a number of commonly used (and a few less commonly
used) firewall packages and toolkits. We'll provide detailed information on the strengths and
weaknesses of each, but as firewall implementation changes with time (they get better, usually) only
those firewalls that are currently available will be covered. What should you look for when you are
examining firewalls? How would you set up the ideal firewall for your network? These are the
questions that will be answered here.
First, you'll determine the security needs for your organization and network. Second, you'll see how
the ideal firewall should be configured for varying degrees of paranoia. Third, you'll learn about the
various ongoing tasks you'll need to perform with even the most automated and secure firewall.
Finally, you'll find out what you should do when your network is actually under attack.
This chapter is broken down into two major parts. The first part, "Defining Your Security
Requirements," will help you figure out what general type of security your business requires. The
second part will then explain exactly how to configure your border gateways to achieve that level of
security. You may find that you'll read back and forth between the two sections to gain a full
understanding of the problem.
Defining Your Security Requirements
No two networks have exactly the same security requirements. A bank, for example, is going to be a
bit more concerned than a retail clothing store about network intrusions. The type of security
concern varies as well as the degree—in a university computing lab the administrator is just as
concerned about hosting the source of hacking attacks as about being the target of them.
To decide just how much effort to expend in securing your network, you need to know the value of
the data in your network, the publicity or visibility of your organization, and the harm that could be
caused by loss of service. You should also consider how much disruption or imposition you can live
with on your network in the name of security.
Similar organizations have similar requirements, so you can compare the needs of your network to
those organizational types listed below.
Home Offices
A home office is the simplest Internet-connected network. Usually, a home office has two to three
computers connected in a peer-to-peer fashion on a small LAN. These networks either have a
modem attached to each computer so users can connect to the Internet or they have one computer
or device that mediates access to the Internet whenever any of the users need an Internet
connection. Sometimes the device that connects to the Internet is an inexpensive network hub and
NAT router.
The typical home office budget can't afford to dedicate a computer to be a network firewall.
Sometimes the Internet service provider is relied upon to keep the hackers out. However, this is not
a particularly effective technique because ISPs vary in competence and workload, and they never
customize security to fit your needs—they provide only a "one-size-fits-all" solution that is
necessarily lax because they don't know how their customers will use the Internet.
Just because most firewalls are prohibitively expensive for home use doesn't mean you are
helpless. Chapter 13, "Security Utilities," details a number of "mini-firewalls" that are intended to be
installed on personal computers directly, as well as popular low-cost NAT routers that provide very
strong default security. Small firewall-less networks can still (and should) install current operating
system patches to protect the computers from TCP/IP attacks such as Ping of Death and the Out of
Band attack. File sharing should be turned off for computers that are connected to the Internet (or,
for more advanced operating systems such as Windows NT and Unix, those services should be
disconnected from the network adapter or modem that is connected to the Internet). Any
unnecessary services should also be turned off so network intruders can't exploit them.
A recent welcome development is the proliferation of devices that include simple stateful packet
filters with Network Address Translation and Internet connectivity via dial-up modem or Ethernet
connectivity to a cable or DSL modem. These inexpensive devices greatly increase the security of
home office networks by hiding the identity of computers on the LAN and by foiling packet-based
exploits, but they do not provide the full range of protection provided by full-spectrum firewalls.
The reason home office networks aren't exploited more often is that their network connections
are usually intermittent, their connection speed is low so it takes a long time to hack into them, and
they seldom provide services (such as websites) that hackers can exploit (with the notable
exception of home offices that hook Windows computers directly to the Internet and do not turn off
file and printer sharing, or Windows NT/2000 computers that leave IIS activated). Most hackers
exploit random targets of opportunity, so a computer that spends most of its time detached from the
Internet isn't going to make a very juicy target. The biggest threat to the home office network is from
someone who knows about the network and has a specific reason to attack it. Disgruntled or former
employees, business competitors, or an individual with a personal axe to grind are the most likely
culprits.
Cable modem and DSL users have become a favored target of hackers, however, because their
connection speeds are high, their connections are always on, they often have no security in place,
and their computers are left in the default installation state without security patches applied.
The best way to permanently connect a home office telecommuter to a corporate network is to use
a small firewall built to do exactly that, like the SonicWALL SOHO. These firewalls are complete,
real firewalls that include IPSec and can be remotely managed through the VPN by the corporate IT
staff. In this configuration, the home office is just like any other branch office—connected through a
VPN to a firewall with a single public IP address and configured to perform Network Address
Translation so the connection can be shared by a few computers. Unfortunately, these devices run
about $500 each, so they're not particularly cost-effective for many users.
The next best way is to use a small NAT device that can pass a single IPSec connection, like the
Linksys Cable/DSL Router with IPSec passthrough. In this configuration, the device doesn't come
with IPSec, but it will allow a single computer with an IPSec client to establish connections and
route through it. It provides the inherent firewalling provided by all NAT devices, and can be used to
share a single Internet connection amongst multiple users. Neither your ISP nor the corporate IT
group will see anything other than the single IP address of the NAT device, from which all
connections including the IPSec connection will appear to come. This configuration is not really
remotely manageable by the IT staff without potentially creating security problems, so it's most
effective for users with some technical skill. This method will also work with proprietary VPN
solutions like PPTP, L2TP, etc. as long as the NAT device can properly translate the protocol. This
solution would cost about $150 including the price of the hardware NAT device and the license for
the IPSec software client.
Small Service Businesses
Small service business networks, with a typical computer count of around a dozen or so, often have
a dedicated computer for file and print services and, in many cases, a dedicated connection to the
Internet. Although few small service businesses actually have firewalls, they all should. The
potential loss of data and business productivity due to a network intrusion more than justifies the
cost of one extra computer and some software.
You don't want to go overboard with security in a small service business, however, and very few
small service businesses will go to great lengths to bulletproof their networks because a cost/benefit
analysis will usually show that less stringent security is sufficient. Consider, for example, a heating
and air-conditioning company that has a small network with an Internet connection. The company's
computers have little that would interest either a random hacker or a rival company that might
engage in industrial espionage. The network users want as few restrictions as possible on how they
access the Internet, so it is difficult to justify draconian network policies.
Tip The small service business network administrator should be concerned about security, but the
appropriate policy for the firewall is to permit by default, and to specifically deny packets,
protocols, and services on the firewall that the administrator judges to be dangerous.
Professional Firms
Like the small service business, a small confidential practice such as a law firm, accounting firm,
psychiatry practice, or medical specialist may have a half dozen to a dozen or more computers
connected in a LAN with an intermittent or permanent Internet connection. The small confidential
practice should have a more stringent security requirement than the typical small business,
however, because the practice's computers contain confidential information that invite specific and
targeted attack from network intruders over the Internet.
Tip Because of the sensitivity of the information and the attraction this type of network presents to
hackers, the network administrator of a small confidential practice should be cautious (denying
packets, protocols, and ports by default unless the rules established specifically allow them) or
strict (not routing IP packets at all and allowing only proxied network traffic through the firewall)
about security.
Manufacturers
A large network with 50 to 100 computers is a much more tempting target to the average hacker,
especially if the network has expensive network equipment and VPN links to other large computer
networks. This is the type of network used by medium-to-large corporations, and the very size and
complexity of corporate networks make them easier for hackers to attack.
Large corporate networks also may be subject to specific targeted attacks for the purposes of
industrial espionage or anticompetitive denial of service. Since corporations have more employees
(and former employees) than smaller businesses do, the corporations are also much more likely to
come under attack from insiders or former insiders.
A corporation with a lot of public visibility (such as Sony, Microsoft, Pepsi, or Disney) also has the
problem of hackers trying to penetrate their networks for the greater bragging rights than would be
achieved by hacking other, less well-known companies (such as McMaster-Carr or Solar
Turbines).
Tip
Network administrators of large corporate networks need to take extra care that their
networks are not compromised because the potential cost of lost productivity is
proportionately greater in the larger networks than it is in small ones, and because
the large corporate network makes a much more tempting target for hackers. A
cautious (deny routing by default) or strict (no routing at all) policy is most
appropriate for these kinds of networks.
Government Bureaus
The networks used by governmental bureaus have all of the characteristics of corporate networks
(they are often large, have interesting hardware, and provide links to other networks), but
governmental networks are also tempting targets because of their political nature. The Bureau of
Reclamation has little to worry about, but the FBI, on the other hand, is under almost constant siege
from the very hackers they chase. As a general rule, the more visible the organization, the more
likely it is to attract the ire of a hacker with an agenda.
Tip
Network administrators of governmental bureaus should be either strict (allowing no
routing) or paranoid (minimizing any sort of Internet risk, regardless of the constraints
that places on their own network use), depending on the visibility and sensitivity of
the organization. Special care should be taken to secure websites in order to deny
hackers an easy way to embarrass the bureau and to advertise their own causes.

Universities or Colleges
University network administrators have the vexing problem of having to defend their systems from
internal attacks as well as external ones. The periodic influx of new students ensures a fresh crop of
hackers who will always be pushing at the security boundaries of the network. The students must
have computers and access to the Internet, but the administrative staff of the school also needs a
secure work environment.
Most schools cope with this problem by having two (or more) separate networks, each with a
different security policy and with carefully controlled access between the networks. The public
access student network typically has a severely restrictive policy and is frequently checked for
viruses, Trojan horses, modified system settings, and so on.
Tip The university or college network administrator usually takes a cautious (deny by default) or a
strict (proxy only, no routing) approach to managing the school's administrative networks. The
network administrator also takes a fairly open approach to managing the students' network,
while taking special care to keep the networks separate and while keeping a close eye on the
state of the student network.
Internet Service Providers
The ISP network administrator has a problem similar to that of the university network administrator.
The ISP network administrator must keep hackers from the Internet at bay and internal hackers
contained, for the customers of the ISP expect to be protected from each other as well as from the
outside. In addition, customers expect to have full Internet access—they want to decide for
themselves which protocols and services to use.
Tip Most ISPs use a firewall to protect their network service computers (DNS server, mail
server, and so on) in a cautious or strict configuration and use a packet filter in a
more liberal configuration (permission by default) to stop the most obvious Internet
attacks (Ping of Death, source-routed packets, malformed IP and ICMP packets,
etc.) from reaching their clients. At the client's request, many ISPs will apply more
strict security policies to the client connection on a per-client basis.
Online Commerce Companies
For most companies, the Internet connection is a convenience. For online commerce companies,
the reliable operation of the connection and the services that flow over it are the lifeblood of the
company. A used bookstore that accepts inquiries for titles over the Internet can afford for its
website to be down every once in a while, but an online bookstore that transacts all of its business
over the Internet cannot.
In addition to preventing denial-of-service attacks, the administrator of an online commerce
network must be aware of a more dire threat—the theft of customer information, including financial
transaction data (especially credit card numbers). Consumers expect that the data they provide to
your online company will remain confidential, and there may be severe public relations problems if
the data gets out, as well as legal repercussions if the company is found negligent in its security
precautions.
An online commerce company often has two networks to protect—the internal network used by
company employees and another network, perhaps located on the company premises or maybe
located at an ISP, that provides the company's online interface to its Internet customers. Each
network will have separate security policies; in fact, the online interface must be protected from
unauthorized access from the interior network, and vice versa.
Tip Because of the severe repercussions of both denial-of-service and data-theft attacks, the
smart network administrator for an online commerce company will implement a strict (proxy
only, no routing) firewall policy for the company's Internet servers. The administrator may
establish a more permissive (cautious or concerned) policy for a separate administrative
network if the staff needs freer Internet access for business activities that are not business
critical.
Financial Institutions
As a general rule, if there is money or there are things worth money flowing over the network, the
administrator is going to be particularly careful about who can access the network and how they go
about it. The more money there is, the stricter the rules for access will be. Therefore, banks and
credit unions never allow any direct Internet access to their financial networks (the ones that
directly convey money from one account to another) or even to the administrative networks that
bank officials use to perform more mundane tasks.
A growing trend in financial institutions is to allow customers to perform online banking through
their web browsers over the Internet. This, of course, means that a web server of some sort must be
linked both to the Internet and to the protected financial computers. If you work for a financial
institution, you should be sure that every possible measure is taken to secure that web server and
protect the customers' account information.
Tip Those banking systems that allow any sort of Internet access implement strict (proxy access
only) or paranoid (custom-crafted with special-purpose network software) policies to protect
their computers.
Hospitals
In a hospital network, unlike all the previous types of networks, people can die if the computers stop
working. For this reason, the patient care hospital networks that have medical equipment attached
to them are seldom connected to the Internet in any form. Administrative networks may be
connected, but those links are carefully secured because of the risk of divulging or destroying
confidential patient data. The networks in research labs, however, are typically closely and
permissively attached to the network because scientists work best in an open environment where
information exchange is made easy.
Tip Like those of banks and universities, the hospital network administrator breaks his networks
into several mutually untrusting sections. Life-critical equipment simply is not connected to the
Internet. A strict policy is adopted for administrative computers (they still need e-mail, after all),
while research LANs have a cautious or concerned policy.
Military Organizations
Military networks, like hospital networks, can have terminal repercussions when security is
penetrated. Like governmental bureaus, hackers or espionage agents often have a specific target or
axe to grind with the military. But not all military networks are the same—the civilian contractors
managing a contract to purchase, warehouse, and distribute machine tools will have a different set
of security requirements than the Navy war college's academic network, and neither of those will be
designed with anywhere near the level of paranoia that goes into constructing the real-time battle
information systems that soldiers use to wage war.
Tip The administrator of a military network must match the firewall policy of the LAN to the type of
work performed on it. Classified and administrative networks will have at least a cautious
(default deny) or strict (proxy only, no routing) policy, while Secret and above information
systems will be divorced from the Internet entirely.
Intelligence Agencies
Some organizations have the dual goals of safeguarding their own networks while simultaneously
finding ways to circumvent the walls keeping them out of other people's networks. You can be sure
that the professional agents in these organizations have a dossier on and an action plan to exploit
every operating system bug or protocol weakness there is. But knowing about a hole and plugging it
are two different issues, and sometimes the hackers can steal a march on the spooks.
In an odd turn of fate, the NSA has in fact taken the Linux source code, tightened up security in
areas they find important, and released the code back to the free software community. This has
given hackers and open-source advocates a bit of indigestion—do you trust it because it is open
and you can check the source code, or do you mistrust it because of its source?
Tip
It is a good bet that the administrators of these kinds of networks go one step
beyond implementation of a strict firewall security—I would be very surprised if these
secrecy professionals used any commercial software to firewall their networks. The
truly paranoid will only trust software that they personally examine for back doors
and weaknesses compiled with similarly inspected software tools.
Configuring the Rules
Once you've determined the degree of paranoia that is justified for your network (or networks if you
manage more than one), you can set up the firewalling rules that keep the hackers out. Every
firewall allows you to establish a set of rules that will specify what trans-firewall traffic will be
allowed and what will not, as well as to establish and manipulate these rules. The following chapters
will discuss the specifics of how each firewall is configured.
In the remainder of this chapter, however, you'll learn about these rules generically and how you
should establish them so that your firewall won't have any obvious and easily avoidable
weaknesses. You'll also learn about the care and feeding of a running firewall and what you can do
when you discover it has come under attack.
Rules about Rules
Every firewall worth its weight in foam packing peanuts will have a number of features or
characteristics of rules in common. You need to understand these rules and features because they
form the building blocks of the logic that will either keep the hackers out or let them in.
Apply in Order
When deciding whether or not to allow a packet to pass the firewall, well-constructed firewall
software will start with the first rule in its rule set and proceed toward the last until the packet is
either explicitly allowed, explicitly disallowed, or until it reaches the end of the rules (whereupon the
packet is allowed or dropped by default). The rules must always be evaluated in the same order to
avoid ambiguity about which rule takes precedence.
Some strong firewalls take a "best rule fitting the problem" approach rather than an ordered rule set
approach. While this may in fact provide stronger security, it can be very difficult for an administrator
to determine which rule will be applied in a specific circumstance.
Per Interface
Firewall software should be able to discriminate between packets by the interface they arrive on and
interface they will leave from. This is essential because the firewall can't really trust the source and
destination addresses in the packets themselves; those values are easily forged. A packet arriving
on an external interface that says it is from inside your network is an obvious flag that something
fishy is going on.
Per Type of Packet (TCP, UDP, ICMP)
Your firewall must be able to filter based on packet type because some are essential to network
operation, while other types are just recipes for trouble. For example, you will want to allow ICMP
echo reply packets to pass into your network from the outside (so your client computers can verify
connectivity to outside hosts), but you may not want to pass ICMP echo request packets in to those
same clients. After all, there's no sense letting hackers build a list of potential targets on your LAN.
Some protocols use UDP on a particular port while others use TCP, and you don't want to let UDP
traffic through on a port that has been opened for TCP or vice versa.
Per Source and Destination Addresses
Your firewall must classify traffic according to where it comes from and where it is going. You may
want to allow external computers to establish connections to publicly accessible internal or DMZ
web and FTP servers, but not to establish connections to internal client computers. You probably
want to allow internal clients to establish connections going the other way, however. Your firewall
should be able to permanently block troublesome hosts and networks from performing any access
at all, and should be able to deny all access to sensitive computers inside your network that don't
need Internet connectivity.
Per Source and Destination Ports
Similarly, you will want to control TCP and UDP packets according to which ports they're coming
from and going to. You should allow external users to connect from any port on their own computers
to just those internal ports that are used by externally visible services (such as HTTP and FTP).
Don't allow external users to connect to just any port on internal computers, because Trojan horses
such as Back Orifice work by opening up a port above 1023 (most operating systems restrict user
programs from opening ports below this value) for hackers to connect to. However, users inside
your network need to be able to initiate connections using source ports greater than 1023 with the
destination port of any common TCP protocol ports (such as HTTP, FTP, Telnet, and POP). You
might want to limit your users to just a few destination ports, or you may allow connections to
arbitrary external ports.
Per Options
Originating hosts and routers can set a variety of options in the header of IP packets. Some options
are notorious for being used to circumvent security, with source routing as the most abused of all
the options. Most firewalls simply drop source-routed packets. Because none of the IP options are
required for normal Internet traffic, strong firewalls simply drop any packets that have options set.
Per ICMP Message Type
As mentioned above, some ICMP packets are required for the Internet to cope with network
problems. But, many ICMP packets (sometimes the same essential packets) can also be used in
unconventional ways to crash computers on your network. The firewall must be able to determine,
based on the message type and how it is used, whether or not that ICMP packet is safe to pass.
Per ACK Bit for TCP
The firewall must be able to tell the difference between a packet that is requesting a connection and
one that is merely sending or replying over an already established connection. The difference
between these two types of packets is just one bit—the ACK bit. Packets requesting a connection
have it cleared, all others have it set. You will use this rule characteristic most often with the source
and destination characteristics to allow connections to only those ports you specify and in only the
direction you allow.
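The rule characteristics above, worked as a small first-match packet filter. This is an added example, not code from the book; the interface names ("ext", "int"), the address ranges and the sample packets are constructed, and the order of the rules is what gives the set its meaning:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Collection, Optional

ANY = None  # wildcard: the rule does not constrain this field

@dataclass
class Packet:
    iface: str                       # interface the packet arrived on ("ext"/"int")
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False                # TCP ACK bit; cleared on a connection request
    icmp_type: Optional[int] = None  # 8 = echo request, 0 = echo reply
    options: bool = False            # any IP options present (e.g. source routing)

@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    note: str
    iface: Optional[str] = ANY
    proto: Optional[str] = ANY
    src: Optional[str] = ANY         # CIDR block
    dst: Optional[str] = ANY
    sport: Optional[Collection[int]] = ANY
    dport: Optional[Collection[int]] = ANY
    ack: Optional[bool] = ANY
    icmp_type: Optional[int] = ANY
    options: Optional[bool] = ANY

    def matches(self, p: Packet) -> bool:
        """Every constrained field must match; ANY fields are wildcards."""
        return (
            (self.iface is ANY or self.iface == p.iface)
            and (self.proto is ANY or self.proto == p.proto)
            and (self.src is ANY or ip_address(p.src) in ip_network(self.src))
            and (self.dst is ANY or ip_address(p.dst) in ip_network(self.dst))
            and (self.sport is ANY or p.sport in self.sport)
            and (self.dport is ANY or p.dport in self.dport)
            and (self.ack is ANY or self.ack == p.ack)
            and (self.icmp_type is ANY or self.icmp_type == p.icmp_type)
            and (self.options is ANY or self.options == p.options)
        )

INTERNAL = "10.0.0.0/8"     # constructed: the protected LAN
DMZ_WEB = "192.0.2.10/32"   # constructed: public web server in the DMZ
HIGH_PORTS = range(1024, 65536)

# Ordered rule set: the first matching rule decides, so position carries meaning.
RULES = [
    Rule("deny", "IP options set (source routing etc.)", options=True),
    Rule("deny", "internal source address on external interface", iface="ext", src=INTERNAL),
    Rule("allow", "ICMP echo reply in, so clients can ping out", iface="ext", proto="icmp", icmp_type=0),
    Rule("deny", "ICMP echo request in, no LAN enumeration", iface="ext", proto="icmp", icmp_type=8),
    Rule("allow", "new TCP connection to DMZ web server", iface="ext", proto="tcp",
         dst=DMZ_WEB, dport=(80, 443), ack=False),
    Rule("allow", "reply to a connection opened from inside", iface="ext", proto="tcp",
         dst=INTERNAL, dport=HIGH_PORTS, ack=True),
    Rule("allow", "outbound from an internal client high port", iface="int", proto="tcp",
         src=INTERNAL, sport=HIGH_PORTS),
]
DEFAULT = "deny"  # cautious posture: anything no rule explicitly allows is dropped

def evaluate(p: Packet, rules=RULES, default=DEFAULT):
    """Walk the rules in order; return (action, reason) for the first match."""
    for n, r in enumerate(rules, 1):
        if r.matches(p):
            return r.action, f"rule {n}: {r.note}"
    return default, "default policy"

# Constructed sample traffic; 198.51.100.7 plays the outside host.
SAMPLES = {
    "source-routed probe": Packet("ext", "tcp", "198.51.100.7", "192.0.2.10", 40000, 80, options=True),
    "spoofed internal source": Packet("ext", "tcp", "10.1.2.3", "10.1.2.4", 40000, 445),
    "ping reply to client": Packet("ext", "icmp", "198.51.100.7", "10.1.2.3", icmp_type=0),
    "ping sweep of LAN": Packet("ext", "icmp", "198.51.100.7", "10.1.2.3", icmp_type=8),
    "web request to DMZ": Packet("ext", "tcp", "198.51.100.7", "192.0.2.10", 40000, 80),
    "UDP to the web port": Packet("ext", "udp", "198.51.100.7", "192.0.2.10", 40000, 80),
    "connect to internal port 31337": Packet("ext", "tcp", "198.51.100.7", "10.1.2.3", 40000, 31337),
    "reply to internal client": Packet("ext", "tcp", "198.51.100.7", "10.1.2.3", 80, 50000, ack=True),
    "client browsing out": Packet("int", "tcp", "10.1.2.3", "198.51.100.7", 50000, 80),
}
```

Calling `evaluate` on each entry of `SAMPLES` shows the UDP probe of the web port and the connection attempt to an internal high port both falling through to the default deny, while the ACK-set reply to an internal client passes.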
Protocol Specific Proxying Rules
For strong security, packet-filtering rules aren't secure enough. The above packet rules only
concern themselves with the header of IP or ICMP packets; the data payload is not inspected.
Packet rules won't keep viruses out of e-mail nor will they hide the existence of internal computers.
Proxies provide greater security but also limit any ICMP, IP, TCP, or UDP level attacks to the