Security Disciplines for Objective 2: Prevention
2-7. Firewalls, VPNs, and Other Network Safeguards
Description
The trend toward increasing network connectivity has increased the threat to information resources. There are many tools available to mitigate the risk of exposure of justice information systems that results from interconnection to public and private networks. This discipline focuses on those that are in the most common use and represent a minimum level of precaution that system owners must take to protect against network-related threats—firewalls, virtual private networks (VPNs), and virus protection systems.
Purpose
Technologies such as firewalls, virtual private networks, and virus protection systems have become a fact of life for justice system managers who want to benefit from the connection to public and private networks but need to protect their information resources from outside, malicious threats. Well-planned and configured implementations of these technologies can mitigate many of the threats associated with data sharing and allow the true value of the information to be achieved.
Principles
- The rules table in the firewall should reflect the organization's security policy and be as restrictive as possible. The basic computer security tenet that should underlie all security policies is "That which is not expressly permitted is denied": the last rule in the table denies everything, and each rule above it permits one specific, justified service.
- Whenever public networks are used to provide communications between two parties that may exchange sensitive justice information, a VPN should be used to protect the confidentiality of that information.
- Up-to-date virus protection software should be maintained on all workstations and servers that process sensitive information.
Policies
A comprehensive set of security policies should be developed and maintained through periodic review and updates. The SANS (SysAdmin, Audit, Network, Security) Institute has developed a suggested list of security policies that an organization should consider. They include:
- Acceptable Use Policy
- Encryption Policy
- Audit Policy
- Antivirus Policy
- Remote Access Policy
- Password Protection Policy
- VPN Security Policy
Best Practices
Firewalls—A firewall is a security system, implemented in hardware or software, that protects a network of servers, client computers, and intelligent communication devices from intentional or accidental damage and from unauthorized access. Firewalls typically provide three fundamental services:
- Packet filtering rejects packets from unauthorized hosts and rejects connection attempts to unauthorized services. Packet filtering should be used to block traffic for services that are not in use and traffic associated with specific known security weaknesses.
- Network Address Translation (NAT) rewrites the Internet protocol (IP) addresses of internal hosts so that they are hidden from outside observation. NAT also allows internal hosts to use IP addresses that are not routable on the public Internet.
- Proxy services make high-level, application-based connections on behalf of internal hosts, breaking the network-layer connection between internal and external hosts. Because a proxy understands the application protocol it carries, it can scan traffic for known security issues.
Many firewall products incorporate all the above features into a single product, providing multiple security benefits.
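The address-hiding effect of NAT is easiest to see in a translation table. The following is an added, constructed example (not code from the original guideline): a simulated port address translation table of the kind most firewalls keep, with the internal network 10.0.0.0/8, the firewall's public address 198.51.100.1, and all packets assumed for illustration. Internal hosts appear to the outside only as the public address, and an inbound packet is delivered only if an internal host opened the flow it belongs to.

```python
"""Simulated port address translation (PAT), the form of NAT most firewalls
use to hide many internal hosts behind a single public address.

Added, constructed example; not code from the original guideline.  The
internal network (10.0.0.0/8), the firewall's public address (198.51.100.1)
and every packet below are assumed for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

INTERNAL_NET = ip_network("10.0.0.0/8")   # RFC 1918 space, not routable on the Internet


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


Flow = Tuple[str, int, str, int]   # internal ip, internal port, remote ip, remote port


@dataclass
class Nat:
    public_ip: str
    next_port: int = 40000
    table: Dict[int, Flow] = field(default_factory=dict)   # public port -> flow

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an internal host's source address to the public address and
        a public port, recording the mapping so the reply can be routed back.
        Packets whose source is not an internal address are refused: a NAT
        that translates spoofed sources would launder them."""
        if ip_address(pkt.src_ip) not in INTERNAL_NET:
            raise ValueError(f"refusing to translate non-internal source {pkt.src_ip}")
        flow: Flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, existing in self.table.items():
            if existing == flow:            # an existing flow keeps its public port
                break
        else:
            pub_port = self.next_port
            self.next_port += 1
            self.table[pub_port] = flow
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving at the public address back to the
        internal host that opened the flow.  Returns None (drop) when no
        internal host initiated it or when it comes from a different peer,
        which is what makes internal hosts invisible to outside probes."""
        flow = self.table.get(pkt.dst_port)
        if flow is None:
            return None
        int_ip, int_port, remote_ip, remote_port = flow
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port)


def demo() -> Dict[str, object]:
    """Walk one flow through the translator and show the outside view."""
    nat = Nat(public_ip="198.51.100.1")
    out = nat.outbound(Packet("10.0.0.5", 51000, "203.0.113.7", 443))
    reply = nat.inbound(Packet("203.0.113.7", 443, "198.51.100.1", out.src_port))
    probe = nat.inbound(Packet("192.0.2.66", 6000, "198.51.100.1", out.src_port))
    unsolicited = nat.inbound(Packet("203.0.113.7", 443, "198.51.100.1", 22))
    return {"as_seen_outside": out, "reply": reply, "probe": probe, "unsolicited": unsolicited}


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The `probe` and `unsolicited` cases are the security point: with no entry in the table, a packet aimed at the public address from an unexpected peer, or at a port no internal host is using, has nowhere to go and is dropped. NAT on its own is not a substitute for the packet-filter rules, which still decide which flows may be opened in the first place.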
Today, most firewall hardware configurations use two network adapters in a single machine to create a dual-homed host firewall: one adapter is attached to the unsecured environment and the other to the network being protected. Many firewalls add a third interface that creates a demilitarized zone (DMZ). This provides a place for servers that must deliver services to external users while still giving them a level of protection they would not have if they were located directly on an unsecured network such as the Internet. Web servers and electronic mail servers that provide connectivity to the Internet are typical examples of servers placed on a DMZ. Whether there are two or three interfaces, the purpose of these configurations is the same: to place an intelligent agent, in the form of a proxy application or a packet filter, between the network interfaces to control what traffic may pass from one interface to another.
A firewall proxy is an application that acts as an intermediary between trusted and untrusted networks. The proxy fulfills requests for service that arrive from the public network by interfacing with the necessary resources on the private side; because it handles the outside request itself, no outsider ever communicates directly with a private server. Most security professionals consider the proxy-based firewall to be the most secure type; however, a proxy must understand each application protocol it handles, so the types of traffic (Web, electronic mail, etc.) and service requests that a proxy firewall can support may be limited.
Packet filter firewalls are a more basic alternative. They use a rule table that identifies valid communication paths by endpoint (e.g., source address X is allowed to communicate with destination address Y) and the types of messages that may flow over each path. The protection a packet filter offers depends entirely on the quality of its rule table; with well-thought-out rules that limit connections by source, destination, and service, a packet filter is a secure and flexible alternative.
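The rule-table idea, the default-deny tenet from the Principles, and the three-interface (outside, DMZ, inside) layout described above come together in the following added, constructed example. It is not code from the original guideline; the zone networks, the rule set, and the packets tested are assumed for illustration. Rules are matched top-down with the first match winning, the final rule denies everything not expressly permitted, and a configuration check flags tables that lack that catch-all or that contain an allow-all rule which would shadow everything after it.

```python
"""Packet-filter rule table for a three-interface firewall (outside, DMZ,
inside), evaluated top-down with a default-deny rule at the end.

Added, constructed example; not code from the original guideline.  The zone
networks, the rule set and the packets tested are assumed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Which interface a given address belongs to.  Anything that is neither
# inside nor DMZ is treated as the unsecured outside network.
ZONES = {"inside": ip_network("10.0.0.0/8"), "dmz": ip_network("192.0.2.0/24")}


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "outside"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                      # "tcp", "udp", "icmp"
    dst_port: Optional[int] = None  # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src_zone: str                   # zone name or "any"
    dst_zone: str
    proto: str                      # protocol or "any"
    dst_port: Optional[int]         # None matches any port
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        return (self.src_zone in ("any", zone_of(pkt.src_ip))
                and self.dst_zone in ("any", zone_of(pkt.dst_ip))
                and self.proto in ("any", pkt.proto)
                and self.dst_port in (None, pkt.dst_port))


# First match wins, so order matters: specific permits first, the catch-all
# deny last.  Every permit names one service the requirements analysis found
# necessary; nothing else is reachable.
RULES: List[Rule] = [
    Rule("allow", "any",    "dmz",     "tcp", 80,   "public Web server"),
    Rule("allow", "any",    "dmz",     "tcp", 25,   "inbound mail relay"),
    Rule("allow", "inside", "dmz",     "tcp", 22,   "administration of DMZ hosts"),
    Rule("allow", "inside", "outside", "tcp", 443,  "outbound HTTPS for staff"),
    Rule("deny",  "dmz",    "inside",  "any", None, "a compromised DMZ host may not reach inside"),
    Rule("deny",  "any",    "any",     "any", None, "that which is not expressly permitted is denied"),
]

# A permissive table of the kind found in default configurations: the same
# permits, but it ends with allow-all instead of deny-all.
PERMISSIVE_RULES: List[Rule] = RULES[:-1] + [
    Rule("allow", "any", "any", "any", None, "default allow (wrong)")]


def decide(pkt: Packet, rules: List[Rule] = RULES) -> str:
    """Return the action of the first matching rule.  If nothing matches the
    packet is denied, so a table that lost its catch-all still fails closed."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def has_default_deny(rules: List[Rule]) -> bool:
    """Configuration check: the last rule must be an unconditional deny, and
    no earlier rule may be an unconditional allow, which would shadow every
    rule after it."""
    if not rules:
        return False
    last = rules[-1]
    if (last.action, last.src_zone, last.dst_zone, last.proto, last.dst_port) != \
            ("deny", "any", "any", "any", None):
        return False
    return not any(r.action == "allow"
                   and (r.src_zone, r.dst_zone, r.proto, r.dst_port) == ("any", "any", "any", None)
                   for r in rules[:-1])


if __name__ == "__main__":
    for pkt in (Packet("203.0.113.9", "192.0.2.10", "tcp", 80),   # Internet -> DMZ web
                Packet("203.0.113.9", "10.1.2.3", "tcp", 445),    # Internet -> inside file share
                Packet("192.0.2.10", "10.1.2.3", "tcp", 445)):    # DMZ host -> inside
        print(pkt, "strict:", decide(pkt), "permissive:", decide(pkt, PERMISSIVE_RULES))
    print("strict table has default deny:", has_default_deny(RULES))
    print("permissive table has default deny:", has_default_deny(PERMISSIVE_RULES))
```

The same Internet-to-inside packet that the strict table denies sails through the permissive one, which is exactly the difference between "allow what is needed" and "deny what is known to be bad". The `has_default_deny` check is the kind of test to run on a rule table after every change, since a single mis-ordered allow-all rule silently voids every rule below it.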
The growth of
Regardless of the type of firewall chosen, it is imperative to determine which services are actually required. Once this analysis has been performed, the firewall should be configured to allow only the traffic that is absolutely necessary. Default settings should be rigorously reviewed, default passwords changed immediately, and the configuration adapted to the organization's specific needs.
Virtual Private Networks (VPNs)—A VPN allows two or more networks and/or hosts to connect over a wide area network (WAN) or a public network such as the Internet while having the appearance and functionality of a private communications line. VPNs can connect local area networks (LANs) at different locations (see Figure 2-1: Site-to-Site VPN) and can connect individual remote users to resources on a remote network for telecommuting. A VPN operates by first having each endpoint authenticate itself to the other and then encrypting the data transmitted between them, so that the data cannot be read or altered in transit across the public network.
Figure 2-1: Site-to-Site VPN
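The two phases just described, mutual authentication followed by an encrypted and integrity-protected tunnel, are shown in the following added, constructed example. It is not code from the original guideline and not an IPsec implementation; the pre-shared key, peer names and inner packets are constructed. To keep it runnable on the standard library alone, confidentiality comes from a keystream generated with HMAC-SHA256 in counter mode and integrity from a separate HMAC tag (encrypt-then-MAC); a production VPN uses an AEAD cipher such as AES-GCM, a key-exchange protocol such as IKE, and a sliding anti-replay window rather than the strict sequence check used here.

```python
"""Model of a VPN tunnel on the wire: the endpoints first prove their identity
to each other, then every datagram crossing the public network is encrypted
and integrity-protected inside a tunnel header.

Added, constructed example; not code from the original guideline and not a
real IPsec implementation.  The pre-shared key, peer names and payloads are
constructed.  HMAC-SHA256 in counter mode stands in for a real AEAD cipher."""
import hashlib
import hmac
import os
import struct

TAG_LEN = 32


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _xor_keystream(key: bytes, seq: int, data: bytes) -> bytes:
    """PRF counter mode: keystream block i = HMAC(key, seq || i)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = prf(key, struct.pack(">II", seq, i // 32))
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class Peer:
    def __init__(self, name: str, psk: bytes):
        self.name, self.psk = name, psk
        self.nonce = os.urandom(16)          # fresh for every session
        self.tx_enc = self.tx_mac = self.rx_enc = self.rx_mac = None
        self.send_seq = 0
        self.highest_seen = -1               # anti-replay state

    # Phase 1: mutual authentication by challenge/response on the shared secret.
    def prove(self, peer_nonce: bytes) -> bytes:
        """Proof of PSK knowledge bound to our name and both nonces, so it can
        be neither replayed in another session nor reflected back at us."""
        return prf(self.psk, b"auth" + self.name.encode() + self.nonce + peer_nonce)

    def verify(self, peer_name: str, peer_nonce: bytes, proof: bytes) -> bool:
        expected = prf(self.psk, b"auth" + peer_name.encode() + peer_nonce + self.nonce)
        return hmac.compare_digest(expected, proof)

    def derive_keys(self, peer_nonce: bytes) -> None:
        """Separate keys per direction: our transmit keys equal the peer's
        receive keys because both derive from (sender nonce, receiver nonce)."""
        self.tx_enc = prf(self.psk, b"enc" + self.nonce + peer_nonce)
        self.tx_mac = prf(self.psk, b"mac" + self.nonce + peer_nonce)
        self.rx_enc = prf(self.psk, b"enc" + peer_nonce + self.nonce)
        self.rx_mac = prf(self.psk, b"mac" + peer_nonce + self.nonce)

    # Phase 2: tunnel datagram = sequence number | ciphertext | tag.
    def encapsulate(self, inner_packet: bytes) -> bytes:
        if self.tx_enc is None:
            raise RuntimeError("tunnel is not authenticated; refusing to send")
        header = struct.pack(">I", self.send_seq)
        body = _xor_keystream(self.tx_enc, self.send_seq, inner_packet)
        self.send_seq += 1
        return header + body + prf(self.tx_mac, header + body)

    def decapsulate(self, datagram: bytes) -> bytes:
        header, body, tag = datagram[:4], datagram[4:-TAG_LEN], datagram[-TAG_LEN:]
        if not hmac.compare_digest(prf(self.rx_mac, header + body), tag):
            raise ValueError("integrity check failed: datagram forged or altered")
        (seq,) = struct.unpack(">I", header)
        if seq <= self.highest_seen:         # strict check; IPsec uses a window
            raise ValueError("replayed datagram")
        self.highest_seen = seq
        return _xor_keystream(self.rx_enc, seq, body)


def establish(a: Peer, b: Peer) -> bool:
    """Handshake as exchanged messages: nonces, then proofs.  Session keys
    exist only if both sides accepted the other's proof."""
    if not b.verify(a.name, a.nonce, a.prove(b.nonce)):
        return False
    if not a.verify(b.name, b.nonce, b.prove(a.nonce)):
        return False
    a.derive_keys(b.nonce)
    b.derive_keys(a.nonce)
    return True


if __name__ == "__main__":
    psk = b"constructed-pre-shared-key"
    hq, branch = Peer("hq", psk), Peer("branch", psk)
    print("authenticated:", establish(hq, branch))
    datagram = hq.encapsulate(b"10.0.0.5 -> 10.1.0.9 case file 1234")
    print("on the public network:", datagram.hex())
    print("at the branch:", branch.decapsulate(datagram))
    print("impostor accepted:", establish(Peer("mallory", b"wrong-key"), Peer("hq", psk)))
```

Three things to notice: a peer with the wrong key never gets session keys, so the tunnel cannot be opened; a datagram altered in flight fails the tag check before anything is decrypted; and a captured datagram replayed later is rejected by the sequence check. Those are the properties the guideline is asking for when it says sensitive justice information must cross public networks only inside a VPN.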

Antivirus Software—A computer virus is a malicious set of programming instructions that is disguised and incorporated into files. When activated, it performs some task designed to infect the recipient's computer. Viruses are typically activated by opening a file that contains executable code. What a virus does varies greatly; some delete or rename files. The most common computer viruses today are carried as attachments to electronic mail: once opened, they infect the computer and then send copies of the infected file to many other recipients. This is particularly troublesome because those recipients are taken from the infected system's e-mail address book, so the message often appears to come from someone the recipient trusts. That misplaced trust may lead the recipient to open the message, never suspecting that its content carries a copy of the virus that will then be perpetuated. Some of the more common file types that are susceptible to computer viruses have the extensions exe, bat, vbs, scr, pif, and doc. Files with the "doc" extension are Microsoft Word files; they are susceptible because of the macro programming language capabilities available in Microsoft Word and several other Microsoft Office products.
The increase in viruses and the publicity surrounding them has created a related threat: the virus hoax. A virus hoax is an e-mail message that warns the recipient of a virus threat with a potentially devastating outcome. The message seems to come from a credible source and urges the recipient to notify everyone they know of the danger; the real goal of a virus hoax, however, is to clog e-mail systems with a message that has no real credibility. Signs that an e-mail message may be a hoax are that it typically reports dire consequences the virus may inflict, in very emphatic terms that are frequently all capitalized; it typically sounds believable, citing a source that may be associated with a credible organization; and it typically calls for action, usually asking recipients to send the message to everyone they know. The intended result is the loss of time and energy spent dealing with it.
Several things can be done to protect agencies from these annoying and potentially destructive distractions. Minimally, every desktop computer should have antivirus software installed. Antivirus software should preferably be installed at the server level as well, since that is a more controlled environment that information system professionals can monitor, reducing the chance of error or omission. Antivirus software examines files and looks for patterns that have previously been associated with known viruses (see Figure 2-2: Antivirus Software Pattern Searching); it can be configured to examine all files or only selected file types that are more prone to infection. Second, new viruses and variants of existing ones appear constantly, and antivirus software can only recognize what is in its list of virus definitions, so that list must be updated regularly on every computer. Most of the larger antivirus products can be configured to download definition updates automatically as long as the computer has access to the Internet. Finally, staff should stay informed about the viruses and hoaxes in circulation. Several mailing lists provide early warning information; F-Secure, Symantec, and McAfee are reputable antivirus software providers that offer this service, and their Web sites are also extremely helpful in dealing with both viruses and virus hoaxes.
Figure 2-2: Antivirus Software Pattern Searching
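The pattern searching in Figure 2-2, the choice between scanning all files and only selected types, and the reason definition updates matter are shown together in the following added, constructed example. It is not code from the original guideline and not a real antivirus engine: the "definitions", the file names and the file contents are all constructed for illustration and contain no real malware. Two definition sets are compared; the older one misses a variant whose author changed nothing but the spacing, and the updated one catches it with a more tolerant pattern.

```python
"""Signature-based scanning as described above: compare file contents with a
list of byte patterns taken from known malicious code, optionally only for
file types prone to infection, and show why the definition list must be kept
current.

Added, constructed example; not code from the original guideline and not a
real antivirus engine.  The definitions, file names and file contents are all
constructed for illustration and contain no real malware."""
import re
from typing import Dict, List, Optional, Tuple, Union

# File types the guideline singles out as commonly carrying executable or
# macro content; a selective scan looks only at these.
RISKY_EXTENSIONS = {"exe", "bat", "vbs", "scr", "pif", "doc"}

Signature = Tuple[str, Union[bytes, re.Pattern]]

# Definition set 1: exact byte strings lifted from two (constructed) samples.
DEFINITIONS_V1: List[Signature] = [
    ("Demo.Dropper.A", b'CreateObject("WScript.Shell").Run "cmd /c del /q *.*"'),
    ("Demo.Macro.B", b"Sub AutoOpen()\r\nCall Infect"),
]
# Definition set 2 (the update): adds a tolerant pattern for a variant whose
# author changed only the spacing, which defeats the exact string above.
DEFINITIONS_V2: List[Signature] = DEFINITIONS_V1 + [
    ("Demo.Dropper.A.variant",
     re.compile(rb'WScript\.Shell.{0,40}cmd\s*/c\s*del', re.DOTALL)),
]

# Constructed contents of files on a workstation.
FILES: Dict[str, bytes] = {
    "budget.doc": b"Quarterly figures, nothing executable here.\r\n",
    "macro.doc": b"...\r\nSub AutoOpen()\r\nCall Infect\r\nEnd Sub\r\n",
    "invoice.vbs": b'\' greeting\r\nCreateObject("WScript.Shell").Run "cmd /c del /q *.*"',
    "invoice2.vbs": b'\' greeting\r\nCreateObject("WScript.Shell").Run  "cmd  /c  del /q *.*"',
    "notes.txt": b"Sub AutoOpen()\r\nCall Infect",   # risky content in a type a selective scan skips
}


def extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def scan_file(name: str, data: bytes, definitions: List[Signature],
              selective: bool = True) -> Optional[str]:
    """Return the name of the first matching definition, or None if the file
    is clean or was skipped.  `selective` restricts scanning to RISKY_EXTENSIONS."""
    if selective and extension(name) not in RISKY_EXTENSIONS:
        return None
    for sig_name, pattern in definitions:
        if isinstance(pattern, bytes):
            found = pattern in data
        else:
            found = pattern.search(data) is not None
        if found:
            return sig_name
    return None


def scan_all(files: Dict[str, bytes], definitions: List[Signature],
             selective: bool = True) -> Dict[str, str]:
    """Map each infected file name to the definition that caught it."""
    hits = {}
    for name, data in files.items():
        sig = scan_file(name, data, definitions, selective)
        if sig:
            hits[name] = sig
    return hits


if __name__ == "__main__":
    print("old definitions, risky types only:", scan_all(FILES, DEFINITIONS_V1))
    print("updated definitions, risky types only:", scan_all(FILES, DEFINITIONS_V2))
    print("updated definitions, all files:", scan_all(FILES, DEFINITIONS_V2, selective=False))
```

Two practical points fall out of the runs: `invoice2.vbs` is invisible to the older definitions even though it behaves identically to `invoice.vbs`, which is why the definition list has to be refreshed rather than installed once; and `notes.txt` is only caught when the scan is widened to all files, so the decision to scan selected types is a trade of speed against coverage that should be made deliberately.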

References
- Generally Accepted System Security Principles (GASSP) as defined by the International Information Security Foundation. http://web.mit.edu/security/www/GASSP/gassp11.html.
- The National Institute of Standards and Technology – Computer Security Division, Computer Security Resource Center (NIST CSD CSRC) maintains a compilation of many computer-related security best practices. http://csrc.nist.gov/.
- IP Security (IPsec) is a set of protocols developed by the Internet Engineering Task Force (IETF) to support secure exchange of data at the IP layer. IPsec has been deployed widely to implement VPNs. http://www.ietf.org/html.charters/ipsec-charter.html.
