Screening Routers

A screening router is the most basic type of firewall and uses only the packet filtering capability to control and monitor network traffic that passes though the border. Screening routers on a server with packet filtering can block traffic between networks or, for example, traffic to or from specific hosts on an IP port level. For example, you can let employees on your intranet use Telnet, but you can bar any Telnet activity from the Internet. Direct communication is usually permitted between multiple hosts on the private network and the Internet. The following figure shows a basic example of how a screening router works.

Figure 1-1 Firewall Using Screening Routers

The risk of break-in is large with this type of firewall because each host on the private network is exposed to the Internet and is still a potential break-in point. Unauthorized users can detect and use internal addresses to access information within the firewall. To avoid this, screening routers can be set to look at the source address of each incoming IP header instead of the destination address, and drop private addresses that come from the Internet.

Bastion Hosts

A bastion host represents the private network on the Internet. The host is the point of contact for incoming traffic from the Internet, and as a proxy server allows intranet clients access to external services.

A bastion host runs only a few services, such as, e-mail, FTP, Domain Name System (DNS), or Web services. Internet users must use the bastion host to access a service. A bastion host does not require any authentication or store any company-sensitive data.

Dual-Homed Hosts

A dual-homed host is based on a server with at least two network interfaces. The host acts as a router between the network and the interfaces to which it is attached. To implement a dual-homed host type of firewall, the routing function is disabled. Therefore, an IP packet from one network (for example, the Internet) is not routed directly to the other network (for example, the intranet). Systems inside and outside the firewall can communicate with the dual-homed host but cannot communicate directly with each other.

A dual-homed host blocks direct traffic between the private (protected) network and the Internet. The following figure provides an example of a configuration in which a WAN router provides general WAN connectivity, packet filtering, and access to the Novell BorderManager server. Private network users can access the Internet by using Proxy Services which are running on the Novell BorderManager server.

The router allows traffic only to and from the Novell BorderManager server. Break-in is limited to other hosts reachable from the Internet, although any illegal access severely compromises security.

Figure 1-2 Dual-Homed Host Firewall

Screened Hosts

A screened host uses a combination of a bastion host and a screening router, as shown in the following figure. The screening router adds security by providing Internet access to deny or permit certain traffic from the bastion host. It is the first stop for traffic, which can continue only if the screening router lets it through.

For additional security, you could set up a bastion host for each type of service: HTTP, FTP, and e-mail. The screening router then sends the corresponding traffic to the appropriate bastion host.

In this example, the Novell BorderManager server and the WAN router can be reached from the Internet. In addition, the Novell BorderManager server acts as a screening router on the private network. Using Network Address Translation (NAT) and packet filtering, the Novell BorderManager server can be configured to block traffic on specific ports, and only a select number of services can communicate with it.

This type of firewall is fairly secure because security risk is limited to the Novell BorderManager server.

Figure 1-3 Screened Host Firewall

Screened Subnets

The screened subnet is a variation of a screened host. In screened subnetting, the bastion host is placed on its own subnetwork. Two screening routers are used to do this: one between the subnet and the private network (with the bastion host) and the other between the subnet and the Internet. The first screening router between the private network and the screened subnet denies all services from crossing into the subnet. The screened subnet allows only specified services. An example of a screened subnet firewall is shown in the following figure.

In this configuration, the Novell BorderManager server is used as a proxy server. Both IP routing and IP forwarding are disabled to prevent any direct access between the private network and the public Internet.

Figure 1-4 Screened Subnet Firewall

Tri-Homed Hosts

A tri-homed host combines elements of a screening router and a screened host, thereby overcoming the limitations of each. Security is centered on the screening routers by using interfaces for the Internet, the intranet, and the subnets that contain the bastion hosts and application servers. An example of a tri-homed host is shown in the following figure.

Figure 1-5 Tri-Homed Host

Packet Filtering

Packet filtering is the basic method for protecting the intranet border. Packet filters work at the Network layer of the OSI model. The limitation of packet filtering is that it cannot distinguish usernames.

Packet filters filter data based on service type, port number, interface number, source address, and destination address, among other criteria. For example, a packet filter can permit or deny service advertisements on an interface. You can use incoming and outgoing filters to dictate what information passes into or out of your intranet.

Network Address Translation

Network Address Translation (NAT) maps private IP addresses to public IP addresses. NAT can perform this mapping both dynamically and statically. An alternative to NAT is a circuit-level gateway.

Circuit-Level Gateways

A circuit-level gateway works at the Session layer in the OSI model, which means that even more information is required before packets are allowed or denied. Access is determined based on address, DNS domain name, or the NDS or eDirectory username. Special client software must be installed on the workstation. Circuit-level gateways can bridge different network protocols, such as, IPX to IP.

Your username is checked and granted access before the connection to the router is established. Compare this with NAT, where only the private source IP address is used to gain access. NAT performance is greater than circuit-level gateway performance but circuit-level gateways are more secure.

Application Proxies

In a circuit-level gateway, after a virtual pipe is established between the client and host, any application can be used across the connection. The reason is that circuit-level gateways cannot determine the application-level contents of packets being sent between the client and host during a transmission. An application-level proxy works as a proxy server to intercept information running across a gateway, preventing direct communication between the client and the host.

An application proxy is specific to an application, for example, an FTP proxy or SMTP proxy. An application proxy accepts only packets that are generated by protocols that the proxy can copy, forward, and filter.

Virtual Private Networks

Virtual Private Networks (VPNs) allow two hosts to exchange data using a secure channel. The data stream is encrypted for security. A VPN can be configured as a connection between two endpoints or between many endpoints. You can connect two offices over an Internet connection, or connect several offices to create a secure private network. Remote VPN clients are also supported.

Packet Filtering

Packet filters provide network-level security at the router by permitting or denying packets based on a predefined set of rules. Novell BorderManager supports Routing Information Protocol (RIP) filters and packet forwarding filters to control the service and route information for the common protocol suites, including IPX and TCP/IP.

A packet filtering router, for example, can filter IP packets based on the source or destination IP address and the TCP/UDP port number, and can filter based on the source or destination interfaces. Filters can also block connections to or from specific hosts or networks and to specific ports.

Specific services and protocols can also be filtered. For example, X Window System*, RPC, and rlogin services should be blocked because they can create an open threat to corporate security. Refer to Section 2.0, Packet Filtering Overview and Planning for more information on packet filters.

Network Address Translation

NAT does not require special client software and can be used by hosts on any platform that use the gateway as a route to the Internet. NAT enables any IP host on your local network to access the Internet without you assigning a globally unique IP addresses to each system.

Novell BorderManager provides both dynamic and static IP network address translation. For static IP address translation, tables are defined with sets of public IP addresses. These tables are then used to map the source addresses of packets being sent through the firewall to their public addresses.

NAT also acts as a filter, allowing only certain outbound and inbound connections. The type of filtering that occurs is determined by whether NAT is configured to operate in dynamic or static mode.

For detailed information on NAT, refer to Section 4.0, NAT Overview and Planning.

Proxy Services

Proxy Services provides application-level security by providing application proxies that forward and filter connections for such services as HTTP, Gopher, FTP, SMTP, RealAudio*, and DNS. In general, Proxy Services only allows services for which there are proxies. For example, if a gateway has a proxy for FTP, then only FTP is allowed into the protected subnet; all other services are blocked.

TTP proxy improves performance by locally caching frequently requested Internet information and optimizing WAN bandwidth use. The client (browser) makes a request directly to a proxy, which locates the object in its cache and returns the object to the client. If the object is not in the cache, the proxy retrieves it from the origin Web server on the Internet, stores it in the cache, and returns the object to the client. Benefits include reduced Internet traffic and reduced request load on the object source, which in turn reduce delays in returning information to the client.

Proxy Services also allows protocol filtering. You can set up the firewall to filter FTP connections and deny use of the FTP put command. This can be useful if you do not want users writing to an anonymous FTP server.

When using the proxy server (or gateway), you can hide the names and addresses of internal systems—the gateway is the only hostname known outside the system. Also, traffic can be logged before it reaches the internal hosts. Proxy Services improves security by hiding private network domain names and addresses and sending all requests through a single gateway.

For detailed information on Proxy Services, refer to Section 5.0, Proxy Services Overview and Planning.

Access Control

Access control controls Internet and intranet access at the Application layer by allowing or denying access requests made through proxy servers and VPNs. By controlling access at the Application layer, you can attain a higher level of security than you can with packet filtering, which controls access only at the Network layer. Access control can also use usernames instead of source or destination IP addresses.

Access control involves establishing a set of rules. Each time an access request is made, the Novell BorderManager server searches for the rules that apply to the request. If no rule is found, the request is denied (the default). You can create access control rules at the Country, Organization, Organizational Unit, and Server object levels. Rules can be based on criteria such as users, groups, IP addresses, or services. With access rules, you can control access to network and Web services, proxy services, VPNs, and URLs.

In general, firewall security should provide the following levels of access control:

For detailed information on access control, refer to Section 3.0, Access Control Overview and Planning.

Virtual Private Networks

A VPN is used to transfer sensitive company information across an untrusted network, such as the Internet, in a secure fashion by encapsulating and encrypting the data. For site-to-site VPN, only the VPN members must be running the VPN software; for client-to-site VPN, the VPN client must also be running the VPN software.

Client-to-site VPNs can use two types of secure connections:

Site-to-site VPNs can use the following types of secure connections:

Both intranet and Internet site-to-site VPNs can be deployed in one of two ways: