
Firewall Policies/Rulesets part 2

Pages: 7      File type: pdf      Size: 34.84 KB




Content extracted from the document:
Figure 10-4. One-Armed DMZ and ACLs

Because the DMZ has a single interface for all traffic going to either the Internet or the internal network, building and applying an ACL to that interface will functionally act as an ingress filter to the internal network but as an egress filter to the Internet. This will make the ACL even more complex to design and implement.

The good news is that the same seven steps in building an effective ACL for traffic from the Internet to the DMZ should be applied in this situation, so the methodology remains consistent.

Access from the Internet to an Internal Segment

Building an ACL to control traffic from the Internet to an internal segment is functionally no different from the previously discussed ACL scenarios. What differs, however, is that the traffic is going to come from a completely untrusted network and potentially have direct access to internal resources. Now, the knee-jerk response to this type of implementation is to simply not allow it. I have found that there are few constants in network security, however, and whereas 99 percent of the situations that call for direct access to internal resources can probably be worked around in another fashion, there is always that 1 percent that, for whatever reason, you just cannot do anything about. In those cases, you need to be absolutely certain of what you are allowing through the use of your ingress filter.

Additionally, although technically not an ingress-filtering issue, you should strongly consider using a firewall that does a true application proxy of the service you are advertising, to ensure that only the kind of communications at the application layer that you want to permit are indeed being permitted. An example of this is something like the Microsoft ISA Firewall using its application publishing features to grant access to the resource.

Egress Filters

Practically speaking, egress filters are almost identical to ingress filters. The difference lies in what an egress filter applies to. Unlike ingress filters, egress filters apply to traffic that is coming from a trusted network to an untrusted network. As a result, egress filters typically are applied either on firewall interfaces that connect to the internal network or to a DMZ segment. A simple way of thinking of ingress and egress filters is that an ingress filter filters traffic coming in, and an egress filter filters traffic going out.

Unlike ingress filters, however, many firewalls default to allowing all traffic from a trusted source to an untrusted source. This is particularly true when it comes to the Cisco Secure PIX Firewall, which uses the concept of interface security levels to determine which networks will automatically be configured to permit traffic.

The upside of this kind of configuration is that the firewall can be plugged into the network, and then with virtually no configuration, internal hosts can access external (typically Internet-based) resources. From a usability and simplicity perspective, this is a good thing. Unfortunately, from a security perspective it is a very bad thing, because that same simplicity means that even malicious traffic is going to be permitted by default.

Implementing an Egress Filter for Internal Traffic

Perhaps the biggest problem, and reason, that people do not implement egress filters for their internal traffic is that egress filters can be incredibly complex to get right. Ingress filters are relatively straightforward. You know the handful of services and systems that users will need access to, and you configure the ACL accordingly. Because most firewalls today perform stateful packet inspection, the return traffic for connections permitted by the ingress filter is automatically permitted. With an egress filter, there is potentially a much, much larger list of ports that must be opened. Although it is easy to assume that your users really just need HTTP and maybe HTTPS Internet access, the truth is that you probably have users who use all kinds of ports to talk to all sorts of legitimate external resources. Similarly, if there are resources in the DMZ that your users need access to, your egress filter is going to need to accommodate those conversations, too.

Tip

Traditionally, egress filtering has always come as an afterthought to ingress filtering. The focus was always on keeping malicious traffic out, not necessarily restricting traffic that is going out. With the types of Internet worms and distributed denial-of-service (DDoS) attacks that have been propagating recently, more companies are looking to egress filtering to prevent their systems from being used to spread worms or participate in DDoS attacks. In addition, more companies are looking to better control the kinds of data that are exposed to the Internet through Trojans and similar programs, which can easily be brought into the internal network on a laptop and then, in a completely unrestricted fashion, connect back to the malicious user externally. To prevent this, it is a good idea to really approach your egress filter from the minimalist perspective. For example, your employees almost certainly do not need to make Simple Mail Transfer Protocol (SMTP) connections to external resources. Only your Internet gateway mail server does. So in your egress filter, ensure that you block SMTP traffic from all internal hosts except the Internet mail gateway. Although this is a laborious and time-consuming process to build the initial list, and it is painful to implement (because you will almost certainly overlook something), after the egress filter has been implemented it is relatively easy to maintain and provides a dramatic increase in the security posture of your organization.

Once again, the same methodology that is used to build an ingress filter applies to building an egress fi ...
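As an added example that is not part of the book's text, the following Python models the minimalist egress filter the Tip describes: a first-match ACL on the inside interface that lets only the Internet mail gateway send SMTP, permits the handful of services users need, and denies everything else, contrasted with the default-permit behaviour the section attributes to a trusted-to-untrusted PIX interface that has no ACL. The addresses, ports and sample flows are constructed assumptions, and the rule format is a simplified model rather than Cisco ACL syntax.

```python
import ipaddress
from collections import namedtuple

# action: "permit"/"deny"; proto: "tcp", "udp" or "ip" (any); src/dst: CIDR; dport: int or None (any)
Rule = namedtuple("Rule", "action proto src dst dport")
# Constructed addressing (an assumption, not from the book): 10.0.0.0/8 is the
# internal network and 10.0.0.25 is the organisation's Internet mail gateway.
INTERNAL = "10.0.0.0/8"
MAIL_GATEWAY = "10.0.0.25/32"
ANY = "0.0.0.0/0"

# Egress ACL for the inside interface: checked top-down, first match wins,
# anything that matches no rule falls through to the interface default.
EGRESS_ACL = [
    Rule("permit", "tcp", MAIL_GATEWAY, ANY, 25),   # only the gateway may send SMTP
    Rule("deny",   "tcp", INTERNAL,     ANY, 25),   # every other internal host is blocked on 25
    Rule("permit", "tcp", INTERNAL,     ANY, 80),   # web browsing
    Rule("permit", "tcp", INTERNAL,     ANY, 443),
    Rule("permit", "udp", INTERNAL,     ANY, 53),   # DNS lookups
]
def matches(rule, proto, src, dst, dport):
    # A flow matches when protocol, both addresses and the destination port all fit the rule.
    if rule.proto not in ("ip", proto):
        return False
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == dport

def evaluate(acl, proto, src, dst, dport, default):
    # Action of the first matching rule, else the interface default: "deny" on a filtered
    # interface, "permit" on a trusted-to-untrusted interface that has no ACL applied.
    for rule in acl:
        if matches(rule, proto, src, dst, dport):
            return rule.action
    return default

# Constructed sample flows leaving the internal network.
FLOWS = [
    ("tcp", "10.0.0.25", "203.0.113.10", 25),    # mail gateway delivering mail
    ("tcp", "10.1.2.3",  "203.0.113.10", 25),    # workstation speaking SMTP directly (worm/Trojan pattern)
    ("tcp", "10.1.2.3",  "203.0.113.80", 443),   # workstation browsing
    ("tcp", "10.1.2.3",  "203.0.113.66", 6667),  # unlisted port, e.g. a Trojan calling home
]

def audit(acl, default):
    # Verdict for every sample flow under the given ACL and interface default.
    return {flow: evaluate(acl, *flow, default=default) for flow in FLOWS}
```

Calling audit([], "permit") shows every flow, including the workstation's direct SMTP and the unlisted port, passing on a default-permit interface, while audit(EGRESS_ACL, "deny") passes only the gateway's SMTP and the browsing session.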
