Firewall Foundations – 1. Posture
This is the first installment of a new series entitled Firewall Foundations. The articles will not present deep theoretical discussions of firewalls, nor will they be manufacturer specific; my goal is to discuss broad topics and ideas as they relate to firewall policy design and secure implementation.
Posture is defined as the relative disposition of the parts of something. We are not talking about your mother telling you to sit up straight or not to slouch when you walk; we are speaking of approaching a firewall from a particular posture or disposition. There are only two initial postures in firewall policies as they pertain to outbound traffic (from a trusted set of hosts to an untrusted set of hosts):
1. Default Deny, Explicit Allow
2. Default Allow, Explicit Deny
I think this is a very clear concept, but I’ll elaborate for clarification. First, it is important to state plainly that these postures deal only with outbound traffic. Every firewall since Moses denies incoming connections by default; anything else would be called a switch, not a firewall.
Posture 1 (Default Deny, Explicit Allow). This attitude starts with the disposition that the firewall will deny all outbound traffic by default, and ports will only be opened where there is a clear, documented business case and the reward outweighs the risk.
Posture 2 (Default Allow, Explicit Deny). This attitude starts with the disposition that the firewall will allow all outbound traffic by default, and it will only deny traffic that is causing harm or is deemed a risk to the internal network.
I will not attempt to summarize 20 years of security thought within this post so I will give brief opinions and then you will have to do the research on your own.
Network security for many years consisted of a hard outer shell and a soft chewy center – meaning that as long as your firewall blocked the appropriate incoming ports, you were secure. Those days are over. However, many IT administrators decide that by using the Default Allow posture they will avoid many initial headaches: headaches like the boss who loves his BitTorrent, the undocumented finance application that uses outbound ports for imaging, and so on.
Allow me to be blunt… using a “Default Allow” policy in 2008 is dumb, risky, and you should lose your job for it. Clear?
Here are two scenarios to illustrate my point.
Scenario 1: The mailroom clerk is surfing MySpace and is infected by a drive-by download. The malware installs a trojan that calls home, at which point it is given 20,000 email addresses to spam over the next 7 days. It opens the mailer and starts delivering spam out port 25 from your IP. Within 48 hours your IP address is blacklisted as a spammer by SPAMHAUS and 37 other RBLs, and you spend a week clearing your IP address before you ever get a chance to discover the infected machine. Sound like fun?
Scenario 2: A disgruntled HR employee is quitting and decides to make a profit by selling a large amount of personal data to an unnamed Russian man paying in E-gold. They open their mail client and send the email via an encrypted SMTP SSL connection on port 965.
Both of these scenarios could have been prevented by using a Default Deny, Explicit Allow firewall posture.
Scenario 1 Prevention: The only allowed outbound SMTP connection would be from the internal mail server IP address.
Scenario 2 Prevention: Port 965 would not be allowed outbound.
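To make the two postures and the two prevention rules concrete, here is an added example of my own, not code from the original post: a small first-match policy evaluator that models the same trusted-to-untrusted rule set under both postures and runs the two scenarios through it, then renders the rule set as iptables commands. The addresses (192.0.2.0/24 for the LAN, 192.0.2.25 for the mail server), the interface name lan0, and the choice of DNS/web ports as the "documented business case" allowances are all my assumptions; the iptables rendering is likewise an assumed target, since the post is deliberately not vendor specific. Port 965 is the one given in the post.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed addresses (constructed, RFC 5737 documentation range): the trusted
# LAN and the one internal host that may speak SMTP to the outside world.
LAN = "192.0.2.0/24"
MAIL_SERVER = "192.0.2.25/32"


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR of trusted hosts this rule matches
    dport: Optional[int]   # destination port, None means any port
    comment: str = ""      # the documented business case behind the rule


@dataclass
class Policy:
    default: str                              # posture: verdict when no rule matches
    rules: list = field(default_factory=list)

    def evaluate(self, proto: str, src: str, dport: int) -> str:
        """First-match evaluation, the way most packet filters walk a chain."""
        for r in self.rules:
            if r.proto != "any" and r.proto != proto:
                continue
            if ip_address(src) not in ip_network(r.src):
                continue
            if r.dport is not None and r.dport != dport:
                continue
            return r.action
        return self.default

    def to_iptables(self, lan_if: str = "lan0") -> list:
        """Render the policy as iptables FORWARD-chain commands (assumed target)."""
        cmds = [f"iptables -P FORWARD {'ACCEPT' if self.default == 'allow' else 'DROP'}",
                # stateful return traffic for connections the firewall already allowed
                "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
        for r in self.rules:
            cmd = f"iptables -A FORWARD -i {lan_if} -s {r.src}"
            if r.proto != "any":
                cmd += f" -p {r.proto}"
                if r.dport is not None:
                    cmd += f" --dport {r.dport}"
            cmd += f" -j {'ACCEPT' if r.action == 'allow' else 'DROP'}"
            cmds.append(cmd)
        return cmds


# Posture 1: deny everything outbound, open only what has a business case.
DEFAULT_DENY = Policy("deny", [
    Rule("allow", "tcp", MAIL_SERVER, 25, "corporate mail relay only"),
    Rule("allow", "udp", LAN, 53, "DNS"),
    Rule("allow", "tcp", LAN, 80, "web"),
    Rule("allow", "tcp", LAN, 443, "web (TLS)"),
])

# Posture 2: allow everything, deny only what has already caused pain.
DEFAULT_ALLOW = Policy("allow", [
    Rule("allow", "tcp", MAIL_SERVER, 25, "corporate mail relay"),
    Rule("deny", "tcp", LAN, 25, "added after the last blacklisting"),
])

# Constructed flows matching the two scenarios, plus two legitimate ones.
FLOWS = {
    "scenario1_spam_bot": ("tcp", "192.0.2.77", 25),    # infected workstation -> port 25
    "scenario2_exfil_965": ("tcp", "192.0.2.88", 965),  # HR workstation -> port 965
    "legit_mail_relay": ("tcp", "192.0.2.25", 25),      # the real mail server
    "legit_web": ("tcp", "192.0.2.77", 443),
}


def evaluate_flows(policy: Policy) -> dict:
    """Return the verdict each constructed flow gets under the given posture."""
    return {name: policy.evaluate(*flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, pol in (("Default Deny, Explicit Allow", DEFAULT_DENY),
                       ("Default Allow, Explicit Deny", DEFAULT_ALLOW)):
        print(label)
        for name, verdict in evaluate_flows(pol).items():
            print(f"  {name:22} {verdict}")
        print("\n".join("  " + c for c in pol.to_iptables()), "\n")
```

Under Default Deny both scenario flows are dropped while the mail relay and web traffic still work. Under Default Allow the port 25 deny rule stops the spam bot only because someone already got blacklisted once and added it; the port 965 flow sails through, because nobody thought to deny a port they had never heard of. That asymmetry is the whole argument for posture 1: an explicit-allow list only has to be right about the traffic you want, whereas an explicit-deny list has to be right about everything you don't.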
Simply put, we live in a world where outbound traffic is as important as inbound traffic from a security perspective. Obviously this is a very small step in a layered approach and not a full solution. Unfortunately I’ve seen this done incorrectly hundreds of times. I concede that transitioning from the allow approach to a deny approach is time consuming and problematic, but it is well worth the time and pays dividends in the long run.
Stay tuned for the next Firewall Foundations installment – Proxies vs. Packet Filters.