How to build a secure enterprise firewall
A firewall is a key component of network security, but it is only the starting point of a secure enterprise network. Administrators need to pay attention to the design of multiple firewalls that support failover. The end result of such a design should combine easy management, high efficiency, high availability and high security, at a lower cost.
How many firewalls do you need?
There has been a great deal of debate about firewall design principles. A major point of contention is whether several firewalls are better than one. The author's view is that two firewalls are generally not much better than one, because in most attacks a vulnerability in the firewall itself is rarely the problem. Attackers usually do not need to defeat the firewall: they can enter through a port that is open and exploit a vulnerability in the server behind the firewall. Moreover, the firewall itself offers little to attract an attacker, because any sensible administrator configures the firewall to discard connection attempts directed at the firewall itself. For example, even if the user's firewall has a known SSH vulnerability, the threat can only come from a well-protected management workstation designated by the firewall, not to mention that this workstation is turned off. In practice, the biggest firewall problems are poor maintenance and poor policy and network design: in firewall-related security incidents, human factors account for about 99% of the damage. Worse, deploying firewalls from multiple vendors costs so much that users are forced to give up on some issues that need special attention. Users are better off spending their limited resources on hardening one platform rather than spreading them thin.
Design goal of firewall
A good firewall policy and network design should reduce, though not eliminate, the following security risks:
◆ Attacks on DMZ services from the Internet.
◆ Attacks on the Internet from any part of the enterprise network.
◆ Attacks on DMZ servers by enterprise users or servers.
◆ DMZ servers attacking users or servers, or damaging themselves.
◆ Threats from partners and the extranet.
◆ Threats from remote offices connected over the WAN.
These goals may sound excessive, since they are not the traditional approach, but each has its reasons.
The first point is obvious: restricting attempts to reach DMZ server ports from the Internet greatly reduces their chances of being compromised. For example, an SMTP mail server should only be reachable from the Internet on TCP port 25. Then, if this SMTP server happens to have a vulnerability in another service or program, that vulnerability is not exposed to the Internet. Worms and attackers are, after all, constantly looking for vulnerabilities on port 80.
The next one may sound odd. Why should we care about protecting the public network from our own network? Of course, no good citizen should spread malicious code; that is the minimum requirement. But it also protects our own network connection. Take the SQL Slammer worm as an example: with a better firewall policy in place, we can prevent denial-of-service attacks on the Internet and save Internet resources.
Internal threats are the hardest to deal with. Even the most expensive firewall cannot protect the network from internal attackers under a traditional design. If a malicious user connects a laptop that was infected at home or elsewhere to the network, the consequences are easy to imagine. A good network design and firewall policy should protect DMZ servers from the risks posed by internal servers and users, just as from the risks posed by the Internet.
There is another side to this story. Because DMZ servers are exposed to the public Internet, they may be compromised by attackers or worms, so it is very important for administrators to limit the threat that a DMZ server can pose to internal servers and user workstations. In addition, a strong firewall policy can keep a compromised DMZ server from doing further damage to itself. When attackers compromise a server through a known or unknown vulnerability, the first thing they do is have the server download a rootkit; the firewall policy should prevent such downloads.
The firewall can further reduce threats from extranet partners and remote-office WANs. The routers connecting these networks are protected by WAN technologies such as frame relay, tunnels and leased lines, and they can also be protected by firewalls. But implementing security with the firewall features on each router is too costly: not only is the hardware expensive, it is also very difficult to set up and manage. An enterprise firewall, through functions beyond those of a traditional firewall, can provide simple, centralized security management for the WAN and extranet.
The key point is that the firewall can restrict communication between different network zones, divided according to logical organization and functional purpose. However, the firewall cannot limit or protect a host from other hosts in the same subnet, because that traffic never passes through the firewall to be inspected. This is why the more zones a firewall supports, the more useful it is in a well-designed enterprise network. Because some major vendors support carrying multiple zones on a single interface, dividing zones is much easier: a single Gigabit port can easily support multiple zones and is faster than several Fast Ethernet ports.
Implement a good firewall strategy
The first key part of a secure firewall architecture is policy design. The most important concept for achieving these goals is the need-to-use principle: in a firewall policy, a service is blocked or denied by default unless there is a clear reason to use it. To implement this default blocking, only one rule needs to be placed globally at the end of every policy set: a drop-all rule, meaning that the default behaviour of the firewall is to discard any packet from any source to any destination. This rule is always the last rule in a firewall policy, because any traffic that reaches it is blocked before a later rule would have a chance to match. Once this basic behaviour is in place, carefully designed rules are added for specific sources, specific services, access to specific destination addresses, and so on. Generally speaking, the more precise these rules are, the safer the network.
For example, users can be allowed to use some common external service ports such as HTTP, FTP and media services, but no other service or program is allowed to communicate unless there is a clear reason. When a special need is identified according to enterprise requirements, and after verification and approval, strictly controlled and targeted rules are added. A common mistake administrators make is to extend the permissions granted to users to the server and DMZ networks. Rules that apply to users sending data outward usually do not apply to servers. On reflection, the administrator will realize that a Web server has no need to browse the Web: a server is a server, it mainly provides services and is rarely a client. A basic rule is that a DMZ server or internal server should find it hard to initiate communication on its own. Usually a server accepts requests, and it almost never needs to initiate requests to the public Internet, except for the XML and EDI applications of enterprise partners. There are other exceptions, such as the websites of legitimate vendors providing drivers and software updates, but every exception should be strictly and precisely defined. Following these strict standards greatly reduces the chance of server compromise, and it is well worth reaching this level. Once this policy is deployed, it can prevent worms from spreading in the internal subnet even if the server is unpatched.
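The zone-based design goals above and the default-deny policy just described, as an added example that is not from the article: a small first-match policy evaluator in Python that models constructed zones and rules (all addresses, zone names and ports are assumptions) and shows why the drop-all rule must come last.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
# Constructed example zones (addresses are illustrative, not from the article).
ZONES = {
    "internet": ip_network("0.0.0.0/0"),     # catch-all; loses every longest-prefix tie
    "users":    ip_network("10.1.0.0/16"),
    "servers":  ip_network("10.2.0.0/16"),
    "dmz":      ip_network("192.0.2.0/24"),
    "firewall": ip_network("192.0.2.1/32"),  # the firewall's own DMZ-side address
    "mgmt":     ip_network("10.9.9.0/24"),   # designated management workstations
}

@dataclass
class Rule:
    src: str              # zone name or "any"
    dst: str              # zone name or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "accept" or "drop"

def zone_of(ip: str) -> str:
    """Longest-prefix match: the most specific zone containing ip."""
    addr = ip_address(ip)
    return max((z for z, n in ZONES.items() if addr in n), key=lambda z: ZONES[z].prefixlen)

# Ordered, first-match policy: precise accepts first, the drop-all rule LAST.
POLICY = [
    Rule("internet", "dmz", 25, "accept"),    # only SMTP reaches the mail server
    Rule("users", "internet", 80, "accept"),  # users may browse the Web
    Rule("users", "internet", 21, "accept"),  # and use FTP
    Rule("users", "dmz", 25, "accept"),       # users submit mail to the DMZ relay
    Rule("mgmt", "firewall", 22, "accept"),   # SSH to the firewall only from mgmt
    Rule("any", "any", None, "drop"),         # default deny; nothing after this is reached
]

def evaluate(src_ip: str, dst_ip: str, dport: int, policy=POLICY):
    """Return (action, index of the matching rule) for a flow; first match wins."""
    s, d = zone_of(src_ip), zone_of(dst_ip)
    for i, r in enumerate(policy):
        if r.src in ("any", s) and r.dst in ("any", d) and r.dport in (None, dport):
            return r.action, i
    raise ValueError("policy lacks a terminal drop-all rule")

def shadowed_rules(policy=POLICY):
    """Indices of rules placed after the drop-all rule; they can never match."""
    for i, r in enumerate(policy):
        if (r.src, r.dst, r.dport) == ("any", "any", None):
            return list(range(i + 1, len(policy)))
    return []
```

A compromised DMZ host trying to fetch a rootkit, or a user workstation trying to SSH to the firewall, falls through to the drop-all rule; `shadowed_rules` flags any rule an administrator mistakenly appends after it.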