Question

13 What are the pros and cons of a software-based firewall vs. a firewall device (physical device/equipment)?

14 What are the best practices for rule development? How many rules would be too many to regulate the firewall traffic?

Answer #1

13)

Connecting your network to the Internet without a firewall is like leaving the front door of your office wide open when you leave on vacation. Chances are high that someone will eventually walk in and steal your valuables.

Many machines and software programs come equipped with firewall programs, but when you’re protecting sensitive data, it’s better to know what you’re getting -- and what you could have instead. A competent firewall will safeguard your business from attempts by hackers to steal confidential data, just as a locked front door deters thieves from ransacking your home. Small and mid-size business owners are increasingly opting to install firewalls for this reason, with 44 percent of such companies planning to purchase firewalls within the coming 12 months, according to a recent survey by Forrester Research, of Cambridge, Mass. The most important criterion for small and mid-size businesses is simple manageability, according to the report.

The good news is, there are just two basic types of firewalls to consider: hardware-based and software-based. Here is a rundown of how they work and why they may or may not work for you.

Hardware Firewalls (firewall device)

Hardware firewalls are integrated into the router that sits between a computer and an Internet modem. They typically use packet filtering, which means they scan packet headers to determine their source, origin, destination addresses, and whether the incoming traffic is related to an outgoing connection, such as a request for a website. This information is compared to a set of user-created rules that determine whether the packet should be forwarded or blocked. If you have a wired or wireless router installed, check it to see whether it already includes a hardware firewall. Most do.

The pros to a hardware firewall are:

  • A single hardware firewall can protect your entire network, which is a boon for companies with multiple computers.
  • Because they don't run on your computers, they don't affect system performance or speed.
  • Hardware firewalls work more efficiently for businesses that use a broadband Internet connection, such as DSL or cable modem.
  • A hardware firewall won't easily be disabled by malicious software, as software firewalls can be.
  • The cost of one hardware firewall to protect multiple computers may ultimately be lower than installing licensed software firewalls on each PC in the office.

The cons to a hardware firewall are:

  • Routers can be expensive, ranging upwards of several hundred dollars.
  • They may be more difficult to configure, especially for novices.
  • Hardware firewalls treat outgoing traffic from the local network as safe, which can be a hazard if malware, such as a worm, penetrates your network and attempts to connect to the Internet.

Software firewalls

Software firewalls are installed on individual computers. They intercept each request by the network to connect to the computer and then determine whether the request is valid. Software firewalls can also be configured to check suspicious outgoing requests.

The pros to a software firewall are:

  • Top-rated software firewalls cost less than $50, so they're a more economical choice for an office that has, say, fewer than four or so machines.
  • They're easier to configure than hardware routers. You can determine the level of protection you want with a few clicks during the installation process, and provide different security levels according to the machine or user. The highest level of security may block all cookies and JavaScript, which will cause some Web pages not to load or to display improperly. This is particularly true for members-only sites.
  • They’re flexible. You can specify which applications are allowed to connect to the Internet, thus reducing the possibility that malware will do so. A potential scenario where a software firewall would be advantageous is in the case of an e-mail worm that creates its own e-mail server, like the recent "MyDoom" worm, which may not be recognized by a router because of its trusted origin.
  • You can take it with you. A software firewall protects the computer it's installed on no matter where that computer is connected. This is an important feature for business travelers with laptops.

The cons to a software firewall are:

  • Software firewalls use more system resources, such as memory and disk space, than hardware firewalls, therefore dragging on your computer.
  • You must purchase a separate copy for each computer connected to the network, racking up charges fast.
  • Software firewalls can't be configured to mask your IP address. Instead, they close unused ports and monitor traffic to and from open ports.

14)

When you modify a firewall configuration, it is important to consider potential security risks to avoid future issues. Security is a complex topic and can vary from case to case, but this article describes best practices for configuring perimeter firewall rules.

Block by default

Block all traffic by default and explicitly allow only specific traffic to known services. This strategy provides good control over the traffic and reduces the possibility of a breach because of service misconfiguration.

You achieve this behavior by configuring the last rule in an access control list to deny all traffic. You can do this explicitly or implicitly, depending on the platform.

Allow specific traffic

The rules that you use to define network access should be as specific as possible. This strategy is referred to as the principle of least privilege, and it forces control over network traffic. Specify as many parameters as possible in the rules.

A layer 4 firewall uses the following parameters for an access rule:

  • Source IP address (or range of IP addresses)
  • Destination IP address (or range of IP addresses)
  • Destination port (or range of ports)

As many parameters as possible should be specified in the rule used to define network access. There are limited scenarios where any is used in any of these fields.

Specify source IP addresses

If the service should be accessible to everyone on the Internet, then any source IP address is the correct option. In all other cases, you should specify the source address.

It’s acceptable to allow all source addresses to access your HTTP server. It’s generally not acceptable to allow all source addresses to access your server management ports (22 for Linux SSH and 3389 for Windows RDP) or database (1433 for SQL Server, 1521 for Oracle, and 2206 for MySQL). Be as specific as practical about who can reach these ports. When it is impractical to define source IP addresses for network management, you might consider another solution like a remote access VPN as a compensating control to allow the access required and protect your network.

Specify the destination IP address

The destination IP address is the IP address of the server that runs the service to which you want to allow access. Always specify which server (or group of servers) can be accessed. Configuring a destination value of any is discouraged, because doing so could create future issues, such as a security breach or server compromise for a protocol that you might not intend to use on a server that might be accessible by default. However, destination IPs with a destination value of any can be used if there is only one IP assigned to the firewall, or if you want both public and servicenet access to your configuration.

Specify the destination port

The destination port corresponds to the service that needs to be accessed. The value of this field should never be any. The service that runs on the server and needs to be accessed is defined, and only this port needs to be allowed. For example, allowing all ports will greatly impact the security of the server by allowing a malicious entity to perform a dictionary attack to guess the password, as well as execute exploits for any port and protocol that is configured on the server.

Avoid using too wide a range of ports. If dynamic ports are used, firewalls sometimes provide inspection policies to securely allow them through.

Examples of bad configurations

This section describes bad examples of firewall rules, but also shows some alternative good rules to follow when configuring firewall rules.

permit ip any any - Allows all traffic from any source on any port to any destination. This is the worst type of access control rule. It contradicts both of the security concepts of denying traffic by default and the principle of least privilege. The destination port should always be specified, and the destination IP address should be specified when practical. The source IP address should be specified unless the application is built to receive clients from the Internet, such as a web server. A good rule would be permit tcp any WEB-SERVER1 http.

permit ip any any WEB-SERVER1 - Allows all traffic from any source to a web server. Only specific ports should be allowed; in the case of a web server, ports 80 (HTTP) and 443 (HTTPS). Otherwise, the management of the server is vulnerable. A good rule would be permit ip any WEB-SERVER1 http.

permit tcp any WEB-SERVER1 3389 - Allows RDP access from any source to the web server. It is generally a bad practice to allow everyone access to your management ports. Be specific about who can access the server management. A good rule would be permit tcp 12.34.56.78 3389 WEB-SERVER1 (where 12.34.56.78 is the IP address of the administrator’s computer on the Internet).

permit tcp any DB-SERVER1 3306 - Allows MySQL access from any source to the database. Database servers should never be exposed to the whole Internet. If you need database queries to run across the public Internet, specify the exact source IP address. A good rule would be permit tcp 23.45.67.89 DB-SERVER1 3306 (where 23.45.67.89 is the IP address of the host on the Internet that needs access to the database). A best practice would be to allow database traffic over a VPN and not in clear text across the public Internet.
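
The checks described in answer 14 can be automated as a rule audit. The following is an added example, not part of the original answer: it assumes a simplified "action protocol source destination [port]" rule notation, treats a missing port as any, and assumes the platform needs an explicit final deny rule (skip that finding where the deny is implicit).

```python
# Added example: least-privilege audit for rules written in an assumed
# "action proto source destination [port]" notation.
RESTRICTED_PORTS = {"22": "SSH", "3389": "RDP", "1433": "SQL Server",
                    "1521": "Oracle", "3306": "MySQL"}

def parse_rule(line):
    """Split one rule into fields; a missing port is treated as 'any'."""
    parts = line.split()
    if len(parts) not in (4, 5) or parts[0] not in ("permit", "deny"):
        raise ValueError(f"unrecognized rule: {line!r}")
    action, proto, src, dst = parts[:4]
    port = parts[4] if len(parts) == 5 else "any"
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}

def audit_rule(rule):
    """Return the least-privilege findings for a single permit rule."""
    findings = []
    if rule["action"] != "permit":
        return findings
    if rule["port"] == "any":
        findings.append("destination port not restricted")
    if rule["dst"] == "any":
        findings.append("destination address is any")
    if rule["src"] == "any" and rule["port"] in RESTRICTED_PORTS:
        findings.append(f"{RESTRICTED_PORTS[rule['port']]} port open to any source")
    return findings

def audit_ruleset(lines):
    """Audit an ordered rule list; returns (rule_number, rule, finding) tuples."""
    rules = [parse_rule(line) for line in lines]
    report = []
    for n, (line, rule) in enumerate(zip(lines, rules), start=1):
        report.extend((n, line, finding) for finding in audit_rule(rule))
    # Block by default: the last rule must deny everything.
    last = rules[-1] if rules else None
    deny_all = ("deny", "any", "any", "any")
    if not last or (last["action"], last["src"], last["dst"], last["port"]) != deny_all:
        report.append((len(lines), "<end of list>", "no explicit final deny-all rule"))
    return report

# Constructed sample ruleset reusing the server names from the text above.
SAMPLE = [
    "permit tcp any WEB-SERVER1 http",
    "permit tcp any WEB-SERVER1 3389",
    "permit tcp 23.45.67.89 DB-SERVER1 3306",
    "permit ip any any",
]

if __name__ == "__main__":
    for n, line, finding in audit_ruleset(SAMPLE):
        print(f"rule {n}: {line} -> {finding}")
```
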
