Basic Firewall Configuration
When configuring a firewall, it is vital to start with a knowledge of what you're trying to protect and why. This information, hopefully stated in a security policy, should in fact have guided the choice of a firewall. It will affect decisions from firewall topology to the actual rules programmed. If at all possible, consider creating a security policy before implementing a firewall.
Basic firewall configuration should:
- Protect your network from TCP/IP attacks, probes and scans.
- Protect your network from denial of service (DoS) attacks.
In addition, depending upon your security policy and the type of firewall you have, it may also:
- Provide Network Address Translation (NAT).
- Provide authentication or encryption services.
- Protect against malicious code such as viruses, worms and Trojans.
- Provide web filtering.
Since the additional configurations a firewall may require are quite vendor-specific, we will not be addressing them here. For more information, consult your vendor's documentation.
Protecting Against TCP/IP Attacks, Probes and Scans
The TCP/IP protocols have been around since the early 1980s, more than enough time for hackers to discover their weaknesses. It is very important for firewall administrators to know what the basic TCP/IP vulnerabilities are and how to address them. Exact configurations, of course, will be specific to your particular firewall product.
TCP/IP Port-Specific Vulnerabilities
- TCP Port 21: FTP (File Transfer Protocol) - FTP servers provide a great service, but by their very nature they open up very big security holes. FTP servers that allow anonymous logins are used both to launch attacks on the server itself, by connecting to the C: drive and downloading viruses or overwriting/deleting files, and to store pirated files and programs. Preventing attacks on FTP servers involves configuring them not to accept anonymous logins, and then allowing access to port 21 through your firewall only to that particular server. Better still, place it on a perimeter network of your firewall. A perimeter network, also called a "DMZ," is used to segregate inherently insecure servers that require a higher degree of network access from the rest of your network. An FTP server on a DMZ that has been compromised cannot be used to attack the rest of your network. Of course, if you don't have an FTP server, you may not need to configure your firewall to include a perimeter network.
- TCP Port 23: Telnet - Telnet is a wonderful service that provides access to servers and other devices. Accessing a server via Telnet is very much like being physically located at the server console. Protecting against Telnet attacks is simple: block all access to port 23 from the outside and perimeter networks to the inside. Protect your internal servers from attack from the inside as well: configure them to accept Telnet connections from very few sources, or block Telnet completely.
- TCP Port 25: SMTP (Simple Mail Transfer Protocol) - Email servers are favorite targets because most email programs are large and complex, and the servers they run on by definition have to be accessible to the outside world. Protect against SMTP attacks by ensuring your email server doesn't relay mail and by putting your email servers on a perimeter network. Two of the most common attacks are:
- Buffer overrun - an attacker enters more characters in an email field (such as the To: field) than the email server expects. If these extra characters contain executable code, an error could be generated and hackers could gain access to the server and the network.
- SPAM attack - The SMTP protocol was designed so that a message didn't have to travel directly from the originator's email server to the recipient's email server; it could be relayed by one or more mail servers in between. Unfortunately, that capability is now routinely abused by spammers, who use email servers that haven't disabled relaying to forward a single message to thousands of unwilling recipients.
- TCP and UDP Port 53: DNS (Domain Name System) - DNS is one of the core protocols of the Internet. Without it, host (computer or domain) name to IP address translation would not exist. If you host your own DNS you must take care that attackers can't modify your DNS entries or download a copy of your DNS records (a process called a zone transfer). Configure your firewall to accept connections from the outside to TCP port 53 only from your secondary DNS server (the one downstream from you, such as the one at your ISP). Consider creating two DNS servers: one on your perimeter network, the other on the internal network. The perimeter DNS will answer queries from the outside; the internal one will respond to all internal lookups. If you have a stateful inspection firewall, configure it to allow replies to this internal DNS server, but deny connections being initiated from it.
- TCP Port 79: Finger - Finger is a service that enumerates all the services you have available on your network servers; as such, it is an invaluable tool in probing or scanning a network prior to an attack. Since you want to deny as much of that knowledge to attackers as you can, block port 79.
- TCP Ports 109-110: POP (Post Office Protocol) - The Post Office Protocol is an easy-to-use email protocol, but sadly it has a number of insecurities. The most insecure version is POP3, which runs on port 110. If your email server requires POP3, block all access to port 110 except to that server. If you don't use POP3, block port 110 entirely.
- TCP Ports 135 and 137: NetBIOS - NetBIOS is the Microsoft Windows protocol used for file and print sharing. Since the last thing you probably want is for users on the Internet to connect to your servers' files and printers, block it. Period.
- UDP Port 161: SNMP (Simple Network Management Protocol) - Since SNMP makes the remote management of devices possible, it poses inherent security risks. SNMP stores configuration and performance parameters in a database that is then accessible via the network. If you leave an SNMP server open to the Internet, hackers can gain a large amount of very valuable information about your network. If you use SNMP, allow access to port 161 from the internal network only; otherwise, block it entirely.
For more information on TCP/IP port vulnerabilities, see FAQ Firewalling.
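As an added illustration (not code from the original article), the port advice above written as a first-match, default-deny rule table in Python. The zone names and the server addresses are hypothetical, constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical addresses, constructed for this example (not from the page).
FTP_SERVER = "203.0.113.10"      # FTP host on the perimeter (DMZ) network
MAIL_SERVER = "203.0.113.25"     # SMTP/POP3 host on the perimeter network
SECONDARY_DNS = "198.51.100.53"  # ISP secondary allowed to pull zone transfers
ANY = None                       # wildcard for any rule field

@dataclass(frozen=True)
class Rule:
    src_zone: Optional[str]   # "outside", "dmz", "inside" or ANY
    dst_zone: Optional[str]
    proto: Optional[str]      # "tcp", "udp" or ANY
    dport: Optional[int]
    src_ip: Optional[str]
    dst_ip: Optional[str]
    action: str               # "allow" or "deny"

    def matches(self, pkt: dict) -> bool:
        # A field matches when the rule says ANY or the packet value equals it.
        return all(want in (ANY, pkt[key]) for key, want in (
            ("src_zone", self.src_zone), ("dst_zone", self.dst_zone),
            ("proto", self.proto), ("dport", self.dport),
            ("src_ip", self.src_ip), ("dst_ip", self.dst_ip)))

# First-match rule base for the ports discussed above; anything unmatched is dropped.
RULES = [
    Rule("outside", "dmz", "tcp", 21, ANY, FTP_SERVER, "allow"),     # FTP only to the DMZ FTP host
    Rule(ANY, "inside", "tcp", 23, ANY, ANY, "deny"),                # no Telnet into the inside
    Rule("outside", "dmz", "tcp", 25, ANY, MAIL_SERVER, "allow"),    # SMTP only to the mail host
    Rule("outside", "dmz", "tcp", 53, SECONDARY_DNS, ANY, "allow"),  # zone transfers: secondary only
    Rule("outside", "dmz", "udp", 53, ANY, ANY, "allow"),            # lookups to the perimeter DNS
    Rule(ANY, ANY, "tcp", 79, ANY, ANY, "deny"),                     # Finger
    Rule("outside", "dmz", "tcp", 110, ANY, MAIL_SERVER, "allow"),   # POP3 only to the mail host
    Rule(ANY, ANY, "tcp", 135, ANY, ANY, "deny"),                    # NetBIOS
    Rule(ANY, ANY, "tcp", 137, ANY, ANY, "deny"),
    Rule("inside", ANY, "udp", 161, ANY, ANY, "allow"),              # SNMP from the inside only
]

def decide(pkt: dict) -> str:
    """Return 'allow' or 'deny' for a packet dict (first match wins, default deny)."""
    for rule in RULES:
        if rule.matches(pkt):
            return rule.action
    return "deny"
```

The explicit deny rules are redundant under the default deny, but listing them records the intent and, on a real firewall, lets those drops be logged separately.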
Protecting Against Denial of Service Attacks
There are three other types of attacks that firewalls should protect against: denial of service (DoS) attacks, distributed denial of service (DDoS) attacks, and IP spoofing.
Denial of Service Attacks
Denial of service attacks attempt to harm a network by flooding it with traffic so that network devices are overwhelmed and unable to provide services. One of the primary DoS attacks uses Ping, an ICMP (Internet Control Message Protocol) service which sends a brief request to a remote computer asking it to echo back its IP address. Ping attacks (dubbed the "Ping of Death") take two forms. In the first, the attacker deliberately creates a very large ping packet and then transmits it to a victim. Because ICMP can't deal with large packets, the receiving computer is unable to accept delivery and crashes or hangs. The second form is even simpler: an attacker sends thousands of ping requests to a victim so that its processor time is taken up answering them, preventing the processor from responding to other, legitimate requests.
To protect against ping attacks, tighten control over ICMP. Block ICMP echo requests and replies, and ensure there is a rule blocking "outgoing time exceeded" messages and "unreachable" messages.
Distributed Denial of Service Attacks/IP Spoofing
DDoS attacks and IP spoofing are related. In a DDoS attack, attackers gain access to a large number of PCs and then use them to launch a coordinated attack against a victim. DDoS attacks often rely on home computers, since they are less frequently protected (worms and viruses can also be used to recruit them). However, if IP spoofing is used, attackers can gain access to a PC within a protected network by obtaining its IP address and then using it in packet headers.
To protect against both, block traffic coming into the network that contains IP addresses from the internal network. In addition, block the following private, illegal and unroutable IP addresses:
- 255.255.255.255
- 127.0.0.0
- 10.0.0.0-10.255.255.255
- 172.16.0.0-172.31.255.255
- 192.168.0.0-192.168.255.255
- 240.0.0.0
- 0.0.0.0
For more detailed information on protecting your server from DDoS attacks, see this article from Cisco.
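An added example, not from the original article, of the ingress anti-spoofing check described above, in Python. The site's own address ranges are constructed placeholders, and the single addresses listed above (127.0.0.0, 240.0.0.0, 0.0.0.0) are widened to the reserved blocks they belong to, which is an assumption made here.

```python
import ipaddress

# Constructed placeholders for the site's own ranges (not from the page):
# a public block and an RFC 1918 block used on the inside.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "10.0.0.0/8")]

# The private, illegal and unroutable sources listed above. Assumption: the single
# addresses on the page are widened to the reserved blocks they head.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "255.255.255.255/32",  # limited broadcast
    "127.0.0.0/8",         # loopback
    "10.0.0.0/8",          # RFC 1918 private
    "172.16.0.0/12",
    "192.168.0.0/16",
    "240.0.0.0/4",         # reserved
    "0.0.0.0/8",           # "this network"
)]

def ingress_verdict(src: str, iface: str) -> str:
    """Check the source address of a packet arriving on `iface` ("outside" or "inside").
    Returns "accept" or "drop: <reason>"; run this before any port rules are consulted."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop: malformed source address"
    if addr.version != 4:
        return "drop: not IPv4 (this list only covers IPv4)"
    if iface == "outside":
        # Traffic from the Internet may not claim one of our own addresses ...
        if any(addr in net for net in INTERNAL_NETS):
            return "drop: spoofed internal source on outside interface"
        # ... nor an address that can never legitimately appear on the Internet.
        for net in BOGON_NETS:
            if addr in net:
                return f"drop: unroutable source {net}"
        return "accept"
    if iface == "inside":
        # The egress mirror of the same rule: our own hosts must only send from
        # our ranges, so a compromised PC cannot join a spoofed DDoS from here.
        if not any(addr in net for net in INTERNAL_NETS):
            return "drop: internal host sending with a foreign source"
        return "accept"
    return "drop: unknown interface"
```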
Finally, be sure to keep your anti-virus software up-to-date, your firewall software patched and up-to-date, and consult your vendor's documentation for more information.
