In our previous article “Firewall Best Practices” we discussed some basic firewall information and best practices for managing your network security. In this article we’ll discuss the network firewall products we mentioned there in somewhat more detail, explain the differences between them, and look at how each of them allows you to secure your network.
Stateful vs. Stateless Packet Filtering
Any modern and respectable firewall nowadays supports stateful packet filtering. A firewall that performs stateful packet inspection or stateful inspection keeps track of the state of network connections (such as TCP streams) travelling across it. The firewall is programmed to distinguish legitimate packets for different types of connections. Only packets matching a known connection state will be allowed by the firewall; others will be rejected.
A stateless firewall treats each network packet as an individual packet, isolated from all other packets. This means the firewall has no way of knowing whether any given packet is part of an existing connection, is trying to establish a new connection, or is just a rogue packet.
So you want to make sure that your firewall supports stateful inspection and can properly distinguish connection-based applications from a possible attack on your network.
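The difference is easiest to see in code. The following is an added example, not something from the original article or from any of the products it covers: a constructed policy (an internal host may open HTTPS to one server) enforced once by a stateless filter and once by a small connection tracker. The stateless filter has to admit any packet that claims to come from the server's port 443, so a forged packet aimed at an unrelated internal host gets through; the stateful filter only admits packets that fit the tracked TCP state of a connection it has seen open.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")  # flags: frozenset
# Constructed policy: hosts in 10.0.0.0/24 may open HTTPS to 203.0.113.10.
INTERNAL = "10.0.0."
ALLOWED = {("203.0.113.10", 443)}

def stateless_allow(p):
    """Stateless: each packet is judged by its header alone. To let replies back
    in, any packet from the allowed server port is accepted, forged ones included."""
    if p.src.startswith(INTERNAL) and (p.dst, p.dport) in ALLOWED:
        return True
    return (p.src, p.sport) in ALLOWED and p.dst.startswith(INTERNAL)

class StatefulFilter:
    """Stateful: a packet passes only if it fits its flow's tracked TCP state."""
    def __init__(self):
        self.flows = {}  # initiator's (src, sport, dst, dport) -> state

    def allow(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)  # initiator -> responder direction
        rev = (p.dst, p.dport, p.src, p.sport)  # responder -> initiator direction
        key = fwd if fwd in self.flows else rev if rev in self.flows else None
        if key is None:
            # Unknown flow: only a policy-matching SYN may create a table entry.
            if p.flags == {"SYN"} and p.src.startswith(INTERNAL) and (p.dst, p.dport) in ALLOWED:
                self.flows[fwd] = "SYN_SENT"
                return True
            return False
        if self.flows[key] == "SYN_SENT":
            # Only the responder's SYN/ACK advances a half-open flow.
            if key == rev and p.flags == {"SYN", "ACK"}:
                self.flows[key] = "ESTABLISHED"
                return True
            return False
        if "SYN" in p.flags:
            return False  # a fresh SYN inside an established flow is not valid
        if p.flags & {"FIN", "RST"}:
            del self.flows[key]  # teardown: later packets need a new handshake
        return True

def demo():
    """Constructed trace: a legitimate handshake, then a forged 'reply' from port
    443 aimed at an internal host that never opened a connection."""
    c, s = ("10.0.0.5", 51000), ("203.0.113.10", 443)
    pkts = [Packet(*c, *s, frozenset({"SYN"})), Packet(*s, *c, frozenset({"SYN", "ACK"})),
            Packet(*c, *s, frozenset({"ACK"})),
            Packet("203.0.113.10", 443, "10.0.0.9", 3389, frozenset({"ACK"}))]
    sf = StatefulFilter()
    return {"stateless": [stateless_allow(p) for p in pkts],
            "stateful": [sf.allow(p) for p in pkts]}
```

`demo()` returns the per-packet verdicts of both filters; only the stateful one rejects the fourth, forged packet.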
IDS vs. IPS
Before you decide between an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS), let’s make sure you understand the difference between the two. These two terms refer more to the position in the network and to how each of these systems acts than to a particular physical device. Whether you should use an IDS or an IPS depends on your objective.
The main difference between IDS and IPS is that an IDS watches a copy of the traffic, whereas an IPS watches the real traffic. So, if you want to be alerted to situations without affecting real traffic, an IDS may be for you. The problem here is that since the IDS is only watching copied traffic and alerting you on that, the real offending packet(s) have already passed to their target. Even if you have your IDS set up to update your firewall with blocking rules, the initial attack packet has already gone through. If you want to block a single-packet attack (a so-called atomic attack) that would get through the IDS, then you should consider an IPS.
So what are the risks of using an IPS? The main risk is that an IPS has live traffic passing through it. This means that if the IPS fails or becomes overwhelmed, it will affect live network traffic, which can cause availability issues. Some Intrusion Prevention Systems have built-in failure technologies to deal with this sort of scenario, called fail-open and fail-closed. Fail-open means that if the IPS fails, your firewall will continue to pass traffic without further inspection, while fail-closed means that if the IPS is unable to inspect traffic, no traffic will pass. This decision needs to be in your security policy.
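The placement and failure-mode trade-offs above, as an added simulation that is not part of the original article and models no particular product: a toy signature engine is run once as a passive IDS on a mirror port (the real packet is forwarded before the copy is inspected, and an alert installs a firewall block rule for later packets from that source) and once as an inline IPS with either fail-open or fail-closed behaviour. The packet trace, the `evil` signature and the `overload` marker are all constructed.

```python
class Overloaded(Exception): pass  # inspection engine cannot keep up (constructed failure mode)

def inspect(pkt):
    """Toy signature engine; overload=True simulates the engine being swamped."""
    if pkt.get("overload"): raise Overloaded
    return "ATTACK" if b"evil" in pkt["payload"] else "CLEAN"

class TapIDS:
    """Passive IDS on a mirror port: the real packet is forwarded before the copy is inspected."""
    def __init__(self):
        self.blocked, self.alerts = set(), []
    def run(self, packets):
        delivered = []
        for pkt in packets:
            if pkt["src"] in self.blocked:
                continue  # rule pushed to the firewall after an earlier alert
            delivered.append(pkt["id"])  # already on its way to the target
            try:
                if inspect(pkt) == "ATTACK":
                    self.alerts.append(pkt["id"])
                    self.blocked.add(pkt["src"])
            except Overloaded:
                pass  # visibility lost, but availability is unaffected
        return delivered

class InlineIPS:
    """Inline IPS: nothing is forwarded before inspection; fail_open decides what happens on engine failure."""
    def __init__(self, fail_open):
        self.fail_open = fail_open
    def run(self, packets):
        delivered = []
        for pkt in packets:
            try:
                verdict = inspect(pkt)
            except Overloaded:
                verdict = "CLEAN" if self.fail_open else "DROP"
            if verdict == "CLEAN":
                delivered.append(pkt["id"])
        return delivered

TRAFFIC = [  # constructed sample: one atomic attack (id 2), then an overload (id 4)
    {"id": 1, "src": "198.51.100.7", "payload": b"GET / HTTP/1.1"},
    {"id": 2, "src": "198.51.100.7", "payload": b"evil"},
    {"id": 3, "src": "198.51.100.7", "payload": b"GET / HTTP/1.1"},
    {"id": 4, "src": "192.0.2.9", "payload": b"GET / HTTP/1.1", "overload": True}]
def compare():
    ids = TapIDS()
    return {"ids": ids.run(TRAFFIC), "ids_alerts": ids.alerts,
            "ips_fail_open": InlineIPS(True).run(TRAFFIC),
            "ips_fail_closed": InlineIPS(False).run(TRAFFIC)}
```

`compare()` shows the IDS delivering the attack packet before alerting on it (and then blocking the source's later traffic), while the inline IPS drops it; packet 4 reaches the target only under fail-open.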
Unified Threat Management
Unified Threat Management (UTM) is an all-inclusive network defense solution that handles multiple security functions in a single appliance: firewall, intrusion prevention, anti-virus and anti-spam at the gateway level, VPN, and content filtering.
Now that we’ve explained some of the key technologies to take into consideration for your network security management solution, let’s look a little further at the different firewall products we mentioned in the first article in this series.
Cisco 5500 Series ASA Firewall
Cisco ASA is a firewall and anti-malware security appliance from Cisco Systems, not to be confused with the Adaptive Security Algorithm that the Cisco PIX firewall uses for stateful packet filtering. In comparison to the PIX, even the simplest ASA model offers much more performance than the basic PIX.
All ASA models include a policy based firewall that allows you complete control over inbound as well as outbound network traffic. You can specify which hosts are allowed access through the ASA (Layer 2/3 firewalling) and of course perform Network Address Translation. The layer 7 firewall allows you to create access policies based on application and protocol type. The ASA gives you complete control over traffic leaving your network as well as incoming, for example allowing you to restrict Instant Messaging use to only your approved client application, a feature not always present in other firewall products. Deep packet inspection goes beyond simply analyzing the protocol and port of the attempted connection to discover the application behind it. This makes it virtually impossible for users to circumvent company IT policies.
Other features that the ASA offers include full support for IPSec and SSL VPN endpoints, intrusion prevention, and content security. Content security is added to the ASA by purchasing the CSC-SSM module.
A detailed feature comparison of the different ASA models can be found on Cisco’s website.
Check Point Software Technologies for VPN-1 Power
Check Point VPN-1 Power is an integrated firewall, VPN, and intrusion prevention solution (IPS) and was the first network security gateway to offer data-center-level performance while activating intrusion prevention.
VPN-1 Power differs from other firewall products by offering an enterprise-level firewall that combines security software with open systems running general-purpose processors, allowing you to benefit from performance improvements as newer and faster processors become available. It fully supports multi-core architectures as well. Here are some performance statistics: 12 Gbps firewall inspection; 6.1 Gbps intrusion prevention inspection with default settings; and 1.8 Gbps intrusion prevention inspection with the strict protection profile, which offers maximum security without compromising performance.
As new applications are introduced and new threats appear, Check Point’s firewall can adapt and provide proactive protection for these new technologies, for example VoIP or instant messaging.
You can read about all VPN-1’s features here: CheckPoint VPN-1 Power Product Page
ForeScout CounterACT
ForeScout CounterACT is another appliance-based solution and relies on user authentication to determine network access and, if agent-based, compliance with policy. It detects when a device is attempting to connect to the network or to access it remotely and applies the policies that have been created for that device. An example of a basic policy might be to deny network access to any device or user that is not present in the enterprise directory (e.g., Active Directory). The appliance can disable the switch port or perform numerous other network-level actions to deny access. Another feature provides a VLAN firewall capability that can assign endpoints to various VLANs based on policy, and provides the firewall capability in an inline-like fashion without truly sitting as a proxy or a pass-through solution.
Trend Micro InterScan Web Security
A different kind of product is the Trend Micro InterScan Web Security Virtual Appliance. This security solution focuses on protecting your network from the viruses, Trojans, spyware, and phishing attacks that your network is exposed to by increased Web browsing and e-mail. Attacks can come through corporate e-mail but also through web pages that contain hidden, malicious code. These features, combined with the Advanced Reporting and Management Server, provide in-depth analysis of enterprise-wide internet usage, giving detailed insight into and helping you deal with issues such as legal liability, loss of productivity, excessive bandwidth consumption, and browsing of inappropriate content.
Traditionally, you would address these problems by implementing URL filtering using a Web Proxy and scan for malicious code at the client workstation, two separate approaches. InterScan combines these functions into one solution that addresses malware and the like at the gateway.
Compared to the other products we discuss in this article, InterScan can be deployed either as a virtual machine in an ESX environment or as a bare-metal server installation. When installed on a server, the appliance supports transparent bridge mode, proxy mode, and Internet Content Adaptation Protocol (ICAP) deployments, which gives you an excellent amount of flexibility.
Microsoft ISA Server
Microsoft ISA Server 2006 serves multiple purposes and can be deployed in a variety of ways to meet the unique requirements of your organization. It offers an integrated firewall, Web proxy, VPN server, and gateway. ISA Server can be configured to serve every one of these roles or can be set up with only a subset. This flexibility enables you to implement an ISA Server in your network to provide exactly the network security services that you need.
Like Check Point and the Cisco ASA firewall products, ISA Server is a stateful packet inspection firewall. It actually takes both stateful packet inspection and application layer inspection and combines them into one powerful network security gateway solution.
In addition to the firewall roles, ISA Server functions as a Web proxy server. A Web proxy server accepts Web connections from browsers and other Web applications and forwards those connections. A Web proxy server also accepts incoming connections to Web servers that are part of your network and forwards them to the appropriate servers. When ISA Server acts as a Web proxy server, its firewall engine is aware of all communications that take place through the proxy service. This functionality enables the firewall’s Web proxy services to provide excellent security for Web connections and protects your network from viruses, worms, hacking attempts and more, including identifying and authorizing users before allowing Web connections through the ISA firewall and Web proxy.
The last feature or role we would like to mention about ISA Server is its VPN Quarantine (VPN-Q) functionality. This security feature allows you to configure a set of parameters that VPN client systems must meet before they are allowed to access your corporate network. If a VPN client does not meet the required policy, remote access to your network is blocked for that client.
Monitoring your network firewall
Each of the products discussed in this article provides some form of management interface that you can use to configure your firewall rules and policies and examine logs, and some of them also allow you to set up alerting. Once you have your firewall set up, implemented your corporate security policies, and tweaked all the rules and remote access policies, it is time to start monitoring your firewall performance and to put alerts in place that notify you of any anomalies on your network. Or, even better, integrate your network security and firewall monitoring into your existing monitoring solution.
We’ll talk about how to monitor ISA Server in our next article in this series: ISA Server Best Practices & Performance Monitoring.