need help to answer firewall question......

From: noname <noname@example.com>
Date: Sun, 05 May 2002 12:43:36 +0800

Dear all,

I manage the firewall in my company. I was asked by my boss about the
capability of our existing firewall (a Checkpoint). He specifically
asked whether it knows *who* is coming in to our private network and
*what* he has done.

My boss used an analogy: suppose the TCP ports are like doors to a
building; network traffic is then like people carrying documents. A
different protocol port is like a different door. People with
documents come in and out of these doors. The firewall is then
like a security guard guarding the building. A security guard can check
*who* the people are (authenticate them), where they come from, where
they are going, inspect the documents they are carrying, direct them
to the appropriate door if they are found to be valid visitors, and even
follow them.

So he asked: can the firewall do *all* these?

I answered: Not a packet-filtering/stateful inspection firewall. It can
do some or most of these, but not all. An application-proxy firewall can
definitely do more, but still has its limitations. What the Checkpoint
basically does is check the source address of the packet, its
destination address and its protocol/port, check the rulebase to see if it
matches, let it pass if it does, and drop/reject it if it doesn't.
Checkpoint does have resource rules that work with security servers to
inspect more (e.g., mail viruses, URL strings, etc.), but it still doesn't
authenticate visitors-at-large from the Internet.

Then he asked: So how do I know *who* is coming in from the Internet,
and *what* is he doing? Everyday, Internet users all over the world are
accessing our web servers, etc. How do I know whether they are
legitimate users or not? What about traffic between the web servers and
the application servers, or the application servers and the database
servers? How do I know whether they are legitimate or not? How do I know
whether they are triggered by legitimate transactions? Or is someone
trying to do something funny through the database port, say, getting our
customers database records illegally?

I answered: Network and host-based IDSes allow us to monitor intrusion
at the network and host levels respectively. An IDS will alert us if there
are exceptional activities. Their logs and the servers' logs can capture
the source addresses of the users. We can block the source addresses of
these intruders.

As to knowing *who* actually is coming in from the Net and who is doing
what, it is difficult for the standard web port. The secure equivalent of
HTTP is SSL, which has client and/or server authentication. This will
help us identify the users. As to communication between web and app
servers, and between app and DB servers, similarly, the two
services/applications on both ends should authenticate each other first
before actual communication. And these applications should have their own
logs. If the applications are written such that there is no or
insufficient authentication, or no logs, then the developers have to
improve on it.

He is not convinced. He says the firewall or the network must be able to
do all these; it cannot depend on the servers or applications.

Maybe my reply is not satisfactory, doesn't hit the bull's eye, or I did
not understand him, or the way I phrased it was not understood by him. (Or
maybe he is right? There are firewalls that can do that.......)

I wonder if someone here can help and advise me on how best to respond
to his queries, and lead me to any products that can help to address his
concern.

Thanks.
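To illustrate the point the poster makes about what a packet-filtering/stateful-inspection firewall actually decides on, here is an added example (not part of the original post, and not Checkpoint's code): a small first-match rule base with a connection table, run over constructed traffic. All addresses, the rule names and the database port number are made up for the illustration. It shows that a customer and an attacker opening the same HTTPS port get the same verdict, that a bulk export from the app server to the database looks identical to a normal query at this layer, and that the log the filter can produce contains addresses, ports and verdicts but no notion of *who* the user is or *what* the request does.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addresses (RFC 5737 documentation ranges / private space) and an
# illustrative database port; none of these refer to real hosts.
WEB = "203.0.113.10"
APP = "10.0.2.20"
DB = "10.0.3.30"
DB_PORT = 5432


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # True for a TCP connection-opening segment


@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # CIDR; "0.0.0.0/0" means any source
    dst: str
    proto: str
    dport: Optional[int]   # None means any destination port
    action: str         # "accept" or "drop"

    def matches(self, pkt: Packet) -> bool:
        # The rule base sees only addresses, protocol and port: nothing about
        # the person behind the packet or the application request inside it.
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and pkt.proto == self.proto
                and (self.dport is None or pkt.dport == self.dport))


class StatefulFilter:
    """First-match rule base plus a connection table, as a packet filter does."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.connections = set()     # 5-tuples of accepted connections
        self.log: List[dict] = []    # the fields a packet-filter log can hold

    def filter(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if fwd in self.connections or rev in self.connections:
            verdict, reason = "accept", "established"      # connection table hit
        elif pkt.proto == "tcp" and not pkt.syn:
            verdict, reason = "drop", "out-of-state"       # no SYN, no connection
        else:
            rule = next((r for r in self.rules if r.matches(pkt)), None)
            if rule is not None and rule.action == "accept":
                verdict, reason = "accept", rule.name
                self.connections.add(fwd)                 # remember the flow
            else:
                verdict, reason = "drop", rule.name if rule else "implicit-drop"
        # Everything the filter can log: addresses, ports, verdict, rule.
        self.log.append({"src": pkt.src, "dst": pkt.dst, "proto": pkt.proto,
                         "dport": pkt.dport, "verdict": verdict, "rule": reason})
        return verdict


# Hypothetical rule base: Internet -> web, web -> app, app -> DB, implicit drop.
RULEBASE = [
    Rule("internet-to-web", "0.0.0.0/0", WEB, "tcp", 443, "accept"),
    Rule("web-to-app", "203.0.113.0/24", APP, "tcp", 8080, "accept"),
    Rule("app-to-db", "10.0.2.0/24", DB, "tcp", DB_PORT, "accept"),
]


def demo() -> Tuple[List[Tuple[str, str]], List[dict]]:
    """Run constructed traffic through the filter; return verdicts and the log."""
    fw = StatefulFilter(RULEBASE)
    cases = [
        ("customer opens HTTPS",   Packet("198.51.100.7", WEB, "tcp", 50001, 443, syn=True)),
        ("attacker opens HTTPS",   Packet("198.51.100.8", WEB, "tcp", 50002, 443, syn=True)),
        ("customer reply traffic", Packet(WEB, "198.51.100.7", "tcp", 443, 50001)),
        ("internet host to DB",    Packet("198.51.100.8", DB, "tcp", 50003, DB_PORT, syn=True)),
        ("app server to DB",       Packet(APP, DB, "tcp", 40001, DB_PORT, syn=True)),
        ("app server bulk export", Packet(APP, DB, "tcp", 40002, DB_PORT, syn=True)),
        ("stray ACK web to app",   Packet(WEB, APP, "tcp", 40003, 8080)),
    ]
    verdicts = [(name, fw.filter(pkt)) for name, pkt in cases]
    return verdicts, fw.log


if __name__ == "__main__":
    for name, verdict in demo()[0]:
        print(f"{name:24s} -> {verdict}")
```

The customer and the attacker both get "accept" from the same rule, and the two app-to-DB connections are indistinguishable, which is exactly why the poster points to SSL client authentication, mutual authentication between tiers, and application-level logs for the *who* and *what* questions. The only things the filter adds beyond address/port matching are the connection table (the reply packet is accepted as "established") and the rejection of a packet that belongs to no known connection ("out-of-state").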


