Firewall Security Practices

Professor Terrence Linkletter

Central Washington University

Submitted by
Brian McDougall, Justin Carroll, Kenny Law

June 1, 2017
Contents
Table of Figures............................................................................ 3
Executive Summary......................................................................4
Problem Statement....................................................................... 5
Preventing Data Breaches.............................................................5
Zone Rules for Firewalls................................................................7
Next Generation Firewalls...........................................................11
Conclusions................................................................................12
Recommendations......................................................................12
References.................................................................................13

2
Table of Figures
Figure 1: Examples of zones as applied to interfaces......................................8
Figure 2: Example of firewall zones.................................................................9
Figure 3: Implementation of traditional firewall DMZ.....................................10
Figure 4: Implementation of DMZ using firewall zone rules...........................10

3
Executive Summary
Data breaches are a major concern to a business of any size, with average
costs of data breaches reaching up to $4 million dollars. Small businesses
must especially take note, as 60% of small businesses that have a data
breach are out of business within 6 months from the date of the attack.
Proper firewall configuration, implementation, and technologies are one of
the most important steps a business can take to assure confidentiality,
integrity, and availability of data and services, and to prevent data breaches.
There are numerous firewall vendors and models in the market. Each has
different features and characteristics. Each can be implemented and
configured in numerous ways to protect a network. In general, however, they
all perform the same function- to securely control the flow of data in and out
of the network.
One popular method for implementation is to use Zone Policies. Network
segments can be defined by these zones and the firewall manages what
communications are allowed to travel from zone to zone (interzonal), and
within zones (intrazonal). Intrazonal policies might apply to communications
between web administrators within their own department, while interzonal
policies could regulate web administrators access to accounting systems,
and vice versa.
The traditional firewall is sufficient facing known issues and conventional
attack. It blocks suspected incoming and outgoing packages when the
information in layer 2, 3 and 4 is matching with the key filtering words in the
access list. However, traditional firewalls could provide a false sense of
security while invaders use unknown methods or high level encrypted
malware.
All businesses should consider implementing a Next generation firewall
solution (NGFW). The NGFW was designed to prevent both known and
unknow threats using proactive methods. Further, NGFWs can prevent zero-
day attacks by sharing the known threat list on the cloud rather than wait for
another patch to be released.

4
Problem Statement
Data breaches are occurring more and more in the industry of information
technology. It is important that security administrators and chief information
officers have an understanding of proper implementations of firewalls to
ensure confidentiality, integrity, and availability of services and data.
Preventing Data Breaches

Data breaches are a serious threat to businesses of all sizes, with average
attacks costing up to $4 million dollars (Langdon, 2017). Furthermore, it has
been found that up to sixty percent of small businesses struck by a data
breach are out of business within six months from the date of the attack
(Langdon, 2017). One solution that every organization should use to combat
these data breaches is a network firewall. But there are many steps beyond
just the installation of a firewall for a business to have a properly configured
firewall setup.

Effective firewall configuration and design is much more than just a list of
rules and policies that are implemented in a network firewall to prevent theft
of data. Preventing data breaches, means thinking about vulnerabilities for
which an organization may be most susceptible, and not only focusing on
outside attacks but insider attacks as well.

With the growth of the Internet, many organizations focused their

security efforts on defending against outside attackers who are not
authorized to access the systems. Firewalls were the primary focus of
these efforts. Money was spent building a strong perimeter defense,
resulting in what Bill Cheswick from Bell Labs famous describes years
ago as, A crunchy shell around a soft, chewy center (Cantrell et. al,
2006, p. 76).

Because of this, an organization can have the strongest network firewall in

the world and still have data breached, so policies must be implemented to
work in conjunction with a firewall, and with these policies employees will be
the human firewall working with the network firewall to keep data
safe. Attackers can get into a network through Human Resources or
Accounting departments by sending in resumes or requests for payroll
information that are actually viruses or spear phishing attempts (Langdon,
2017). As such, showing employees examples of data breaches and giving
training on what suspicious messages may look like will be very effective at
preventing data breaches.

5
After non-technical staff have been trained on how to be the human firewall
that an organization needs, the next step in preventing a data breach
is configuring physical security of where the network firewall will be (Cantrell
et. al, 2006, p. 75). This means controlling physical access to the servers,
network devices, access to cabling, and also making certain to have proper
configurations and security for wireless access (Cantrell et. al, 2006, p. 75). A
practice that is currently used by many IT departments at organizations is
designing a firewall as a list of rules, however, there are three issues with
configuring a firewall in this method (Liu, 2011, p. 9). First, it is not easy to
configure the order of these rules properly; second, ensuring that all types of
valid traffic are allowed and invalid traffic is blocked; last, it typically results
in a large number of rules (Liu, 2011, p. 10). A structured firewall design can
help resolve all of the aforementioned problems. Implemented a structured
design requires two steps, using a firewall decision diagram, which is then
converted by a program into a compact, full function, sequences of rules
(Liu, 11). This ensures that a designer will consider all types of traffic that
need to be stopped and allowed to prevent breaches and maintain access
when they are laying out their plan (Liu, 2011, p. 11).

There are specific designs and implementations for rules that will need to be
considered to prevent data breaches with a network firewall. A default policy
will need to be determined, such as default drop, whereby any traffic that is
not matched to an explicit rule is dropped which is recommended, or a
default accept, where traffic is automatically accepted and black lists are
used to block unwanted traffic (Ellington, 2015). Default accept will provide
more service availability, but will be very difficult to manage, and can result
in intruders getting in if there is not a rule to explicitly block them.

The next consideration is whether to drop the packets that are not allowed or
to reject them. When packets are set to drop in a firewall, it does not send
any confirmation to the sender to let them know the information was not
received, which can result in those attempting to steal information having to
take more time to find out information about the network (Ellington, 2015).
There is a downside to this, in that legitimate traffic will also not receive a
notification and may be frustrated by a lack of access with no reason to
indicate why a service is not working (Ellington, 2015).

The reject option, however, does inform the sender through an Internet
Control Message Protocol packet that their connection has been refused. The
upside to this is that if the sender is legitimate traffic they can get in touch

6
with an administrator to help them check their connections to make sure
they are able to reach the correct port (Ellington, 2015). The significant
downside to utilizing reject methods, is that it makes it easier for a would-be
hacker to determine what ports are opened and closed on a network, thus
allowing them to penetrate a network faster and exfiltrate data without as
many issues (Ellington, 2015).

If a hacker does happen to make it through all of the defenses and does
manage to gain access to the network, having a filter in place for egress
traffic will help prevent them from exfiltrating the information they are trying
to steal (Piscitello, n.d.). The best method for filtering egress traffic, is to
specifically deny all outbound traffic, then configure the specific rules to
grant access to authorized services only (Piscetello, n.d.).

After all of these steps have been implemented, it is still extremely important
to test and audit the systems in place to ensure that the likelihood of a data
breach is low, and if one does result, the damages are minimized. Training
non-technical employees will be instrumental in protecting the network, and
having an acceptable use policy that informs them of appropriate behavior
pertaining to network activity will also help. Then taking the time to design
the firewall properly, with proper physical security that restricts access to the
network devices, and having the right rules for the business will help harden
the perimeter defenses for the network. Because the Internet and technology
is ever-evolving, it will be important to update these rules on a regular basis
to ensure that data at the organization is kept safe.

Zone Rules for Firewalls

Firewall Implementation
There are numerous firewall vendors and models in the market. Each have
different features, vulnerabilities, complexity, and effectiveness in different
applications. In a general sense, however, they all perform the same
function:
Currently, the main function of a firewall is to centralize access control
for a network by keeping an eye on both inbound and outbound traffic
and preventing unauthorized users and malicious code form entering a
networkFirewalls are designed to be transparent to authorized
network users and very intrusive to unauthorized users. When set up
well, they can provide a vigorous authentication system, block

7
 unauthorized traffic, and hide vulnerable network systems (Basta,
Basta, & Brown, 2014, p. 183).
There are numerous ways to implement firewall security as well. They can be
configured to perform IP packet-filtering at layer three, application filtering at
layer seven, TCP/UDP filtering at layer 4, and more. At the most basic level,
each Security policy rule must identify where the traffic came from and
where it is going (Palo Alto Networks, Inc., 2017).

Zone-Based Policies
Traffic enters and exits a firewall through interfaces. Each interface is
configured to allow traffic from certain sources to pass through it. The
firewall decides what to do with a packet based on whether it matches any
security policy rule that has previously been configured by authorized
administrators. These rules pertain to how traffic is allowed to move between
interfaces which are members of zones. These security zones consist of
groups of interfaces to which policies may be applied.
There are two steps to implementing zone policy rules to interfaces. First, the
zone must be created and configured, with its accompanying traffic control
rules. Then, interfaces can be configured to be members of the zone rule
(Watkins & Wallace, 2008, p. 373). See Figure 1. for some examples of
different zones that might be applied to firewall interfaces.
By default, all traffic to and from an interface is dropped when that interface
is a member of a security zone. To allow traffic to and from an interface, its
zone must be paired with another zone and then a policy is applied to the
zone pair. If the policy is configured to allow traffic pass between these
zones, then packets are allowed to travel from one zone to the other.

Figure 1: Examples of zones as applied to interfaces.

8
 (From: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-
os/getting-started/network-segmentation-for-a-reduced-attack-
surface#_60864)

Interzonal Policies
Interzonal communications are those communications that originate in one
zone, with destinations in another zone or zones. For example (see Figure 2.),
an employee at a workstation in Zone A may need to access a server in Zone
B. Since the source and destination of the communication are in separate
zones, this is considered an interzonal communication.
The firewall recognizes that the communication originates in Zone A, an
internal zone that is trusted by Zone B, and allows the communication in
that direction. Likewise, when the server in Zone B replies to the employees
workstation in Zone A, the communication is most likely allowed. But a next-
gen firewall may have been configured to analyze the contents of packets
heading in this direction. It may search for, and block, any packets containing
personally identifiable information such as social security numbers, or
applications and services that are off limits to employees in Zone A.
Likewise, the firewall may be configured to be extra picky in deciding what
types of interzonal communications are allowed between computers in Zone
C, the internet, and servers in Zone B. Obviously, Joe Schmoe, sitting at
home in his parents basement, should not have access to the important
data stored on vital company servers. Exceptions may be configured to allow
teleworking employees to VPN into the network from authorized devices.
Besides controlling the flow of packets between zones, interzonal policies can
be set to monitor communications occurring between zones for event logging
and notification purposes.

9
 Figure 2: Example of firewall zones.

Intrazonal Policies
While interzonal rules apply to communications between two or more
different zones, intrazonal rules apply to communications within a single
zone (Jdelio, 2016). Intrazonal policies give admins the ability to regulate
what types of communications may occur within the zone.
For example, administrators may wish to disallow port scanning of the
servers in Zone B, not only from sources outside the zone (interzonal), but
from sources within the same zone as well. Intrazonal policies can also be
used to monitor communications occurring within a zone for event logging
and notification purposes.

Example Implementation
In traditional firewall implementation schemes, a Demilitarized Zone (DMZ)
can be set up between two firewalls. The DMZ may contain a web server that
should be kept accessible to customers and vendors through the internet.
These visitors from the internet should not, however, be able to access the
internal networks of the organization. In this case, two firewalls are
implemented: one between the web server and the internet, and one
between the internal network and the web server (see Figure 3).
The outside firewall may control the flow of traffic to an extent, but the
internal firewall has much stricter rules as to what types of communications

10
are allowed through it. Using next-gen firewalls, implementing zone rules,
our example DMZ can be accomplished with only one firewall

Figure 3: Implementation of traditional firewall DMZ.

Using zone rules, a single next-gen firewall can be configured to create

proper network segmentation for a DMZ. In this case, the single firewall has
separate rules for its various combinations of zone pairs. Such rules may be
set to allow traffic from the Internet Zone to the DMZ Zone (see Figure 4.),
but not to the Internal Servers Zone or Office Workstations Zone.
Meanwhile, a separate zone policy can be configured to ensure that web
administrators can manage the web server, located in the DMZ Zone, from
their computers in the Office Workstations Zone. Other zone policies may be
put in place to allow access to the Internet Zone, or the servers in the
Internal Servers Zone, from computers in the Office Workstations Zone.

Figure 4: Implementation of DMZ using firewall zone rules.

11
Next Generation Firewalls
Advantages of Next-Gen Firewalls
Now we understand why a firewall is one of the most well-known security
tools used today. The traditional firewall format can be software built into an
OS, or hardware based that need professional configuration. Still the primary
functions of firewalls are monitoring and controlling the incoming, and
outgoing network traffic. With the new technology development in the past
decade, the traditional firewall may not be able to guard our property as
safely as before. We need a more advanced and intelligent tool which is the
next generation firewall (NGFW). What is a NGFW? Why do we need them?
How will it overcome issues which traditional firewalls cannot?
Disadvantages of Traditional Firewalls
Traditional firewalls defend from the inside or outside by checking every
package passing through their interfaces and between different security
zones, as well as other policies. It checks the packages with strategies like
access lists (ACLs) set by the administrator. They are considered either
trusted or un-trusted in the filtering process. It used for controlling
communications from the public network to internal networks and from
malicious employees. It tracks the information from layers 2 to 4, but this
feature is not enough for security use today. When malicious content is
hidden in upper layers, they can bypass the traditional firewall. Those threats
are not just created by external hackers, but by internal employees.
According to Mike Burkitt, the FBI and CSI awards last year that as many as
97 percent of all computer security breaches today go completely
undetected (Burkitt, n.d.). There are two reasons why those threats can
bypass the firewall, as claimed by another article from the Intronis Guest
Blog (2016), is high level encrypted malware. Firewalls that rely on payload
visibility would miss them. In a world of increasing data breaches, it is clear
traditional firewalls cannot handle the issues on their own. Intronis Guest
Blog also mentioned traditional firewall issue with IPS. This feature is only
able to catch already-known malware, but not zero-day vulnerabilities. Such
problems are not easily prevented. It is wise to gear up and take the
initiative.
Reasons to Implement the NexGen Firewall
One of the major purpose of NGFWs is patching these previously mentioned
issues. Instead of waiting for traffic to pass through the firewall with virus list,
NGFWs are more proactive. According to Laurence Cruz (2017) NGFWs
perform deeper examinations of the passed packets which can be performed
on a wider range of layers than traditional firewalls are capable of. The NGFW
can track information from layer 2 to the highest layer 7. Packet analysis
refers to millions of well-known malware signatures. Administrators can also
fix problems after an intrusion, like the zero-day or attacks with unknown
methods. It takes less time to discover new threats because NGFWs refer to
a threats database stored on cloud servers. Users can prevent further cost

12
and fix the problems more quickly. When NGFWs encounter encrypted data,
Intronis Guest Blog stated that NGFWs can gather headers and the
unencrypted parts of the data stream for the security team to analyze
encrypted traffic. This advanced and intelligent combination makes sure
each package is well checked and give feedback when suspects appear in
the networks (Intronis Guest Blog, 2016).
Todays next-gen firewalls can analyze new threats and react to zero-day
attacks in less time. Traditional firewalls facing these same kinds of
intrusions could create a false sense of security instead of effectively
protecting our network and data. Upgrading to NGFWs, which are able to act
proactively and inspect deeply, is necessary or we can potentially suffer
heavy losses in the future.

Conclusions
Organizations of all sizes should implement best practices for firewalls to
prevent ensure the confidentiality, integrity, and availability of their data and
networks, and to prevent data breaches. There is ample evidence to indicate
that organizations who do not opt to take the steps necessary to protect their
data, will have heavy consequences to face. Next-gen firewalls provide
improved management capabilities, as well as new features and deeper,
more comprehensive analysis of data passing through them.

Recommendations
In the current technological era, data and network services are integral parts
of most any business, large or small, and it is important that organizations
recognize the need for funding new technologies, training of staff, or third-
party help with regard to firewalls. This is because firewalls are one of the
most essential pieces to the C.I.A. triad. Organizations that make use of next-
gen firewall technologies, various types of zone rules in firewalls, and correct
application of traditional firewalls will have an advantage over those who
neglect to implement these latest security tools.

13
References
Basta,A., Basta,N., & Brown,M. (2014). Computer security and penetration
testing (2nded.). Stamford, CT: Cengage Learning.
Burkitt, Mike. The failure of the traditional firewall. Computer Weekly.com.
Retrieved from http://www.computerweekly.com/feature/The-failure-of-
the-traditional-firewall

Cantrell, C., Henmi, A., Lucas, M., & Singh, A. (2006). Firewall policies and
VPN configurations. Rockland, MA: Syngress.

Cruz, Laurence. (2017). What's unique about Cisco's latest next-generation

firewall? Cisco the Network. Retrieved from
https://newsroom.cisco.com/feature-content?articleId=1820653

Ellington, J. (2015, August 20). How to Choose and Effective Firewall Policy.
Retrieved May 07, 2017, from
https://www.digitalocean.com/community/tutorials/how-to-choose-an-
effective-firewall-policy-to-secure-your-servers

Intronis Guest Blog (2016). 3 Reasons Your SMB Customers Need a Next-
Gen Firewall--Stat! MSPmentor. Retrieved from
http://mspmentor.net/blog/3-reasons-your-smb-customers-need-next-
gen-firewall-stat
Jdelio. (2016, February 3). What are Universal, Intrazone and Interzone
Rules? Retrieved from
https://live.paloaltonetworks.com/t5/Management-Articles/What-are-
Universal-Intrazone-and-Interzone-Rules/ta-p/57491

Langdon, A. (2017, April 19). Tech DataSecurity. Retrieved May 07, 2017,
from http://blog.techdata.com/security/to-prevent-data-breaches-build-
a-strong-human-firewall

Liu, A. X. (2011). Firewall design and analysis. Danvers, MA: World Scientific.

Palo Alto Networks, Inc. (2017). Segment Your Network Using Interfaces and
Zones. Retrieved from
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-
os/getting-started/segment-your-network-using-interfaces-and-zones

Piscitello, D. (n.d.). Firewall Best Practices - Egress Traffic Filtering. Retrieved

May 07, 2017, from http://securityskeptic.typepad.com/the-security-
skeptic/firewall-best-practices-egress-traffic-filtering.html

14
Watkins,M., & Wallace,K. (2008). CCNA Security Official Exam Certification
Guide. Indianapolis, IN: Cisco Press.

15