Imagine that your office is at the end of a lane. You need parcels and letters
delivered and picked up by deliverymen all day long, so you keep your lane well
maintained.
One day a crowd of clowns swarms down your lane and into your house,
completely overrunning it. The deliverymen have to jostle with the clowns to
reach you. Your business starts to slow down as the deliveries and collections
are nowhere near as regular as usual and, eventually, your business gradually
comes to a halt. You've just had a denial of service attack on your business.
When you find out that the clowns are coming from a local circus, you resolve
to do something about it.
The top of your lane opens onto a bigger road, and halfway up that road is a
checkpoint that stops all travelers and tells them the best route to get to
their destination. You tell the checkpoint to turn away any travelers coming
from the circus. This seems to work and life goes back to normal, with the
deliverymen resuming their normal work. You've just solved the denial of
service attack by getting someone 'upstream' to ignore any information
coming from the place that attacked you.
Then, one day, the clowns return and there are more of them than ever before.
They are again overrunning your house and blocking your lane. There are so many
of them that your deliverymen can't get anywhere near your house and your
business stops instantly.
You call the checkpoint and complain. But it says it has not allowed anyone
from the circus into your lane and doesn't know where these new clowns are
coming from. You investigate and discover that the circus owners have broken
into 1,000 houses in the area, turned them into circuses, and have sent hundreds
of clowns to your house from each one. Now you despair, because there are far
too many points of origin for the checkpoint to check and your business can't
function with a lane full of clowns stopping the delivery men getting through.
You've just had a distributed denial of service attack on your business.
At this point, you have to take emergency action to stop your house falling
apart under the weight of clowns crowding into it, so you board up the front
door and all the windows. The clowns are still filling your lane, but now they
can't get into your house, though neither can any deliverymen. But your
house is not in danger of collapsing anymore. You then call your delivery
companies and tell them that they shouldn't deliver for a few days; your
business is suspended till further notice.
The only way your business can start up again is if the circus owners stop
sending the clowns, or you manage to find the circus owners and get them
arrested.
Now step back to the real world. The house is a server in your office
connected to the Internet, the lane is the connection to your ISP, and the
bigger road is a larger connection to the rest of the Internet. The checkpoint
in our little story is a router, a machine that, quite literally, sends
information on the best route to its destination. The deliverymen are packets,
parcels of information traveling back and forth to the server. The clowns are
also packets, however they are sent maliciously and carry useless information
simply meant to fill your connection and grind your server to a halt with their
size and number. If all the malicious packets are coming from the same place, it
is sometimes possible for a router upstream from the server to stop the packets
from getting through. However, if the malicious packets are coming from hundreds
of different places, usually home computers that have been infected with
a trojan and are being controlled by a criminal mind, then it is almost
impossible to block them all. That results in the server being attacked and its
connection swamped. When that happens to your server, the rate at which
information goes back and forth to you slows (lags) and eventually stops, at
which point the server goes down. All a server administrator can do then is to make
the server unreachable and wait for the attack to stop.
One of the basic forms of a denial of service (DoS) attack involves flooding
a target system with so much data, traffic, or commands that it can no longer
perform its core functions. When multiple machines are gathered together to
launch such an attack, it is known as a distributed denial of service attack, or
DDoS.
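The difference the story draws between a flood from one source (blockable at the upstream "checkpoint") and a flood from many infected homes can be shown with a small rate check over constructed traffic. This is an added example, not code from the original article; the packet lists, thresholds and window length are assumptions chosen for illustration.

```python
from collections import Counter

# Constructed sample traffic: each packet is (arrival time in seconds, source IP).
# Addresses come from documentation ranges; this is not captured traffic.
NORMAL = [(t * 0.5, f"192.0.2.{t % 5 + 1}") for t in range(40)]                  # ~2 packets/s
SINGLE_SOURCE_FLOOD = NORMAL + [(t * 0.002, "203.0.113.7") for t in range(2000)]  # one attacker
DISTRIBUTED_FLOOD = NORMAL + [(t * 0.002, f"198.51.100.{t % 200 + 1}") for t in range(2000)]  # 200 bots

WINDOW = 4.0  # seconds of traffic examined

def assess(packets, total_limit=100.0, per_source_limit=20.0):
    """Judge a window of traffic the way an upstream router applying per-source
    blocks would: which sources stand out, and what rate remains once they are blocked."""
    by_source = Counter(src for ts, src in packets if 0.0 <= ts < WINDOW)
    total_pps = sum(by_source.values()) / WINDOW
    # Sources whose own rate is high enough to justify a block at the "checkpoint".
    blockable = sorted(src for src, n in by_source.items() if n / WINDOW > per_source_limit)
    remaining_pps = sum(n for src, n in by_source.items() if src not in blockable) / WINDOW
    return {
        "total_pps": total_pps,
        "flooded": total_pps > total_limit,
        "blockable_sources": blockable,
        "pps_after_block": remaining_pps,
        "mitigated": remaining_pps <= total_limit,
    }

if __name__ == "__main__":
    for name, traffic in [("normal", NORMAL), ("single-source flood", SINGLE_SOURCE_FLOOD),
                          ("distributed flood", DISTRIBUTED_FLOOD)]:
        print(name, assess(traffic))
```

The single-source flood is mitigated by blocking one address, while the distributed flood leaves every individual bot under the per-source limit, so the same per-source block removes nothing.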
Firewalls
To help protect against DoS attacks or DDoS Attacks, you can use a firewall.
A firewall is a system designed to prevent unauthorized access to or from a
private network. Firewalls can be implemented in both hardware and software, or
a combination of both. Firewalls are frequently used to prevent unauthorized
Internet users from accessing private networks connected to the Internet,
especially intranets. All messages entering or leaving the intranet pass through
the firewall, which examines each message and blocks those that do not meet the
specified security criteria.
There are several types of firewall techniques.
- Packet filter: Looks at each packet entering or leaving the network and
  accepts or rejects it based on user-defined rules. Packet filtering is fairly
  effective and transparent to users, but it is difficult to configure. In
  addition, it is susceptible to IP spoofing. IP spoofing is a technique used
  to gain unauthorized access to computers, whereby the intruder sends messages
  to a computer with an IP address indicating that the message is coming from a
  trusted host. To engage in IP spoofing, a hacker has to find an IP address of
  a trusted host and then modify the packet headers of the malware so that it
  appears that the packets are coming from that host. Newer routers and
  firewall arrangements can offer protection against IP spoofing.
- Application gateway: Applies security mechanisms to specific applications,
  such as FTP and Telnet servers. This is very effective, but can impose
  performance degradation and slowdown of traffic.
- Circuit-level gateway: Applies security mechanisms when a TCP or UDP
  connection is established. Once the connection has been made, packets can
  flow between the hosts without further checking.
- Proxy server: Intercepts all messages entering and leaving the network. The
  proxy server effectively hides the true network addresses.
In practice, many firewalls use two or more of these techniques in concert.
A firewall is considered a first line of defense in
protecting private information. For greater security, data can also be
encrypted; however, encryption is costlier, and encryption devices have to be
installed at both ends for communication to succeed. A firewall
protects your network from unwanted Internet traffic. The primary functions of a
firewall are to let good traffic pass through while bad traffic gets blocked.
The most important part of a firewall is its access control feature that
distinguishes between good and bad traffic.
Software Firewall
These are programs that run on your computer and nestle themselves between
your network card software drivers and your operating system. They intercept
attacks before your operating system can even acknowledge them.
However, even software firewalls can crash under heavy packet floods, and they
can easily be disabled by malicious code or a trojan running from within the
computer, which intercepts and shuts down the firewall. Because a software
firewall cannot detect malicious code that is already running on the system,
and because trojans and other malicious code change every day, disabling a
software firewall is easy.
Firewalls With Stateful Packet Inspection
A new trend in home networking firewalls is called stateful packet
inspection, an advanced form of firewall that examines each and every packet of
data as it travels through the firewall. This firewall scans for problems in the
packet that might be a symptom of a DoS or more advanced attacks.
Most people are never subjected to such attacks, but many
areas of the Internet invite these attacks. Most often, these attacks come from
involvement in certain kinds of competitive on-line gaming and questionable
websites.
However, these types of firewalls are available mostly with
cable modems or cable routers, ISDN routers, etc., which are cheap and good for
networks of 2 to 20 computers. They are available for $30 to $2000.
High-speed networks have high-speed viruses and worms, which
are continually probing and trying to access your computer system. Firewall
protection has gone from a luxury to a requirement.
The largest problem with today's networks is spam and
viruses, with AOL reporting 80 percent of all its email being spam.
Large corporate website and network outages caused by viruses and Internet
attacks are not uncommon and frequently make the news. What we don't hear
about is the ongoing problem on a personal level. Most people neglect to update
their workstations with patches. They have antivirus software that has never
been updated.
Once a problem strikes a network or home computer, software
is usually the first solution to be tried. Yes, some virus and firewall software
will assist your computer in removing the unwanted intruders. But they cannot
guarantee a 100 percent trouble-free environment.
Shopping for an enterprise firewall can be intimidating if
you've never done it before.
The process can become easier with a little background
knowledge, an understanding of firewalls' features, and knowing what questions
to ask the vendors.
Factors for Choosing Firewalls
One of the first things you need to figure out is what type of firewall best
suits your needs.
There are six basic types of firewalls.
- Embedded
- Enterprise software-based
- Enterprise hardware-based
- SOHO software
- SOHO hardware
- Specialty
All of these firewall types typically offer stateful packet
inspection or proxy capabilities. These are two techniques that firewalls use to
make decisions on what traffic to allow or deny into and out of your intranet.
In the early days of firewall development, most firewalls
offered only one of these types of traffic passing architectures. Today,
firewalls with hybrid architectures offer both techniques.
Stateful packet inspection firewalls examine protocol packet header fields,
while proxy firewalls filter services at the application level. Stateful
firewalls learn and remember connection states and evaluate new traffic
transactions against prior connection histories. Proxy firewalls are able to
create virtual connections and can hide the internal client IP address, making
it more difficult to discern the topology of the protected intranet.
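The packet-filter technique and its IP-spoofing weakness described earlier, and the stateful inspection described in this paragraph, can be contrasted in a small simulation. This is an added example, not code from the original article; the internal network range, the rule set, the connection key and the four constructed packets are assumptions made for illustration.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.0.2.0/24")  # constructed: the protected intranet
# iface: "ext" = arrived from the Internet, "int" = arrived from the intranet; flags: TCP flags set
Packet = namedtuple("Packet", "iface src dst sport dport flags")

def passes_anti_spoof(pkt):
    """Ingress rule: a packet arriving from the Internet may not claim an internal source."""
    return not (pkt.iface == "ext" and ip_address(pkt.src) in INTERNAL)

def stateless_filter(pkt):
    """Static rules only: outbound allowed; inbound allowed whenever ACK is set,
    the usual way a stateless rule set approximates 'reply traffic'."""
    if not passes_anti_spoof(pkt):
        return "DROP"
    if pkt.iface == "int":
        return "ACCEPT"
    return "ACCEPT" if "ACK" in pkt.flags else "DROP"

class StatefulFilter:
    """Remembers connections opened from inside; admits only inbound packets
    that belong to one of them."""
    def __init__(self):
        self.connections = set()  # (internal ip, internal port, remote ip, remote port)

    def inspect(self, pkt):
        if not passes_anti_spoof(pkt):
            return "DROP"
        if pkt.iface == "int":
            if "SYN" in pkt.flags:  # new outbound connection: remember its 4-tuple
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        reply_of = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ACCEPT" if reply_of in self.connections else "DROP"

# Constructed scenario using documentation-range addresses, not real hosts.
SCENARIO = [
    ("outbound SYN", Packet("int", "192.0.2.10", "198.51.100.5", 40000, 443, frozenset({"SYN"}))),
    ("matching SYN-ACK reply", Packet("ext", "198.51.100.5", "192.0.2.10", 443, 40000, frozenset({"SYN", "ACK"}))),
    ("unsolicited ACK from unknown host", Packet("ext", "203.0.113.9", "192.0.2.10", 443, 40000, frozenset({"ACK"}))),
    ("spoofed internal source from outside", Packet("ext", "192.0.2.20", "192.0.2.10", 1234, 22, frozenset({"SYN"}))),
]

def evaluate(scenario=SCENARIO):
    """Run the scenario through both filters; returns {name: (stateless verdict, stateful verdict)}."""
    stateful = StatefulFilter()
    return {name: (stateless_filter(p), stateful.inspect(p)) for name, p in scenario}
```

Both filters stop the packet that claims an internal source on the external interface, but only the stateful filter drops the unsolicited inbound packet that merely looks like a reply, because no matching outbound connection was ever recorded.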
Embedded firewalls are embedded into either a router or a
switch and are sometimes referred to as choke-point firewalls. They come
standard with certain routers, and can also be purchased as add-on modules to be
installed into a router or switch. Due to the wide variety of different
protocols used on the Internet, not all services are handled efficiently by
embedded firewalls. Because embedded firewalls work at the IP level, they will
not be able to protect your network from application-level exploits such as
viruses, worms, and trojan-horse programs. In some cases, embedded firewalls
might offer greater performance gains, but they typically offer fewer features
for protecting your networks. Embedded firewalls are often stateless in nature
and pass packets without consideration of prior connection states.
Software-based firewalls are software packages containing
firewall software that you install on top of an existing operating system and
hardware platform. If you have a server with an enterprise-class operating
system that is available for use, purchasing a software-based firewall is a
reasonable choice.
Also, if you are a small organization and want to combine a
firewall with another application server (such
as your website server), adding on a software-based firewall is reasonable. If
you are a large organization, you will probably want to create a security
perimeter network, known as a DMZ (demilitarized zone), and will therefore
probably want to separate your firewall from all other applications.
Software-based firewalls come in both small office/home
office (SOHO) models and enterprise models. Hardware-based firewalls are the
same thing as appliance firewalls. The entire firewall is bundled into a turnkey
system and when you buy it, you get a hardware device that has the software
already inside it. Hardware-based firewalls, or appliance firewalls, also come
in both SOHO and enterprise models.
Specialty firewalls are firewalls with a certain application
focus. For example, there are some security servers with built-in, firewall-type
rules that are made particularly for filtering content, or security messaging
servers.
As security technologies become more advanced, sometimes the
product segments start to blur and you need to understand what the product
actually does, and not rely on its vendor-marketed product definition.
Users, Locations, and Numbers
A consideration that should be very high on your list is how many users do
you need to protect, and how many firewalls will you need? The number of users
you are going to protect will determine whether you need an enterprise-class
firewall or a SOHO firewall. (You can certainly use an enterprise firewall, even
for one user, but you might be paying a lot more than you need to pay, and might
end up with features you will never use.)
Most firewall vendors rate their firewalls for a certain
range of user connections. Typically, the more users you need to support, the
more RAM and processing power you will need in your firewall.
Gurpreet Singh, Senior Technology Officer at Mantec Consultants