What is Gateway Level security

what is gateway security in network and what is comprehensive gateway security suite, and what is web security gateway pdf free download

RogersMullis,United States,Teacher

Published Date:13-08-2017

Your Website URL(Optional)

Comment

GATEWAY SECURITY DEVICES 26.1 INTRODUCTION. Onceconsideredsufficienttoprotectanentireorganiza- tionfromexternalthreats,thefirewallisstillperhapsthemostrecognizedanddeployed network-security devices for Internet-connected operations. However, earlier firewall generationsmadesecuritydecisionswithlittlecontextualsupportotherthantheorigin anddestination ofthepacketstraversingaparticular allowedpath. As communications capabilities and functionality demands increased, so too did thefirewall’sneedtoinspectandenforceallowedpathsusingmorecomplexprotocols and require ever-increasing throughput. This evolution transformed the firewall into a true gateway security device (GSD)—able to provide allowed path enforcement using a combination of techniques which once required additional security devices to accomplish. Properly selected and deployed GSDs are one security layer designed to handle these increasingly complex scenarios. The GSD is effective only with a full under- statingofthecapabilitiesandlimitations—bothoperationalandfailureconditions—of consolidating multiple security functions into a single device. By providing allowed path enforcement more intelligently and accurately, combined with the added rigor of genuinely understanding expected network flows, GSDs provide sufficient additional defense-in-depth layers throughout theorganization. Although this chapter focuses on the GSD as a combined security device, the con- ceptscoveredareusefulforunderstandingandevaluatingthefunctionalityofindividual network-security devices. Every organization must make risk and performance deci- sions by weighing this approach against maintaining independent devices that focus onaparticularsecurity function. 26.1.1 Business Requirements Outpacing Security. Technological ad- vancementcontinuestotransformanenterprise’sabilitytomanagethedatalifecycle. Thepervasivenessofmobiledevicesandmovetowardcloud-computingresourcesthat are no longer solely controlled or consumed by the organization continues to redefine the perimeter. Users are increasing demands for unfettered access to corporate data from anywhere on any device (including those not controlled by the organization).INTRODUCTION 26 · 3 This dynamic environment increases the need for layered security architectures with deeperawarenessofcontent andcontext. 26.1.2 Demand-Driven Processing. Enterprises not possessing the requi- site internal human or technological expertise to achieve the organization’s goals for information technology (IT) have long looked to outsourced solutions to meet their needs. Software as a Service (SaaS) provides offerings such as productivity applica- tions, collaboration, and email (e.g., Microsoft Office365) and customer relationship management (CRM) (e.g., salesforce.com). Infrastructure- and Platform-as-a-Service (IAAS and PAAS, respectively) provide on-demand storage and computing (e.g., Amazon Web Services—S3/EC2or Rackspace Open Cloud). Outsourced offerings continue to mature and redefine how enterprises develop, manage, and present their information. Virtualizationtechnologycontinuestoprovideopportunitiestouseinternalprocess- ing capabilities more efficiently. Although providing better performance, it can also diminish security in that existing offerings are not necessarily as mature as dedicated securityinfrastructure.WheninternalandInternetfacingsystemsmustoperateonthe samevirtualarchitecture,thiscreatesadditionalriskassystemsnowinteractatthehy- pervisorandvirtualswitch(vSwitch)levelwheretraditionalnetwork-securitydevices areunabletoinspectandenforcetrafficatthislevel. SeeChapter 68inthisHandbook formoredetailsabout securityandoutsourcing. 26.1.3 Ubiquitous Mobility. Today’sbusinessclimatedemandstheabilityfor employeestoworkfromanywhere,andthisneedformobilityandflexibilitycontinues asignificantshiftinhoworganizationsdefineandprotecttheirperimeters.Employees may use a variety of systems whether at work, home, or on the road. The level of accessandfunctionalityrequiredextendswellbeyondemailintoenterpriseapplications and data. As functional mobility stretches from company-owned to personal devices, organizations must have a method to ensure a compromised mobile device does not weaken theexisting internaloroutsourced securitycontrols. 26.1.4 Regulatory and Industry Compliance. Federalregulatoryrequire- mentscontinuetohaveasignificantimpactonhoworganizationsmanageriskthrough dataprotection,retention,andprivacyactivities—manyhavingsignificantauditingand reporting requirements. The Sarbanes-Oxley Act (SOX) focuses on controls and procedures designed to preservetheintegrity ofpublically tradedorganizations’ financialreporting. The Gramm-Leach-Bliley Act (GLBA)—specific to financial institutions— concentratesontheprotection ofcustomerdataandprivacy. The Health Information Portability and Accountability Act (HIPAA) requires protectionofindividuallyidentifiablehealthinformationsuchaspersonallyiden- tifiableinformation (PII)andprotected healthinformation (PHI). Industry-specificrequirementscontinuetoappearandevolveinanefforttoaddress the minimum security requirements to operate with or within a specific industry. The Payment Card Industry Data Security Standard (PCI DSS) establishes baseline requirements for the protection of cardholder data during processing, transmission, and storage. PCI DSS requires organizations to determine their level of involvement26 · 4 GATEWAY SECURITY DEVICES with the cardholder data. Once established, this determines which requirements are necessary todemonstrate compliance withthestandard. Eachcriticalinfrastructuresector—asdefinedintheUnitedStatesbytheDepartment of Homeland Security—has a Sector-Specific Plan (SSP), which provides representa- tiveorganizationsandagencieswiththerisk-managementtoolsandstrategiesspecific to the protection of each industry. One of the more mature programs is North Ameri- can Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP). NERC CIP addresses multiple physical and digital security elements of the North Americanpowersystem,includinggatewayprotectionthroughtheestablishmentofan electronic securityperimeter. SeeChapter 64ofthisHandbook formoredetailsonGLBA, SOX,andPCIDSS. 26.2 BASIC CONCEPTS AND TERMINOLOGY. Greater demands for mo- bility, new models for business interaction, and leveraging Internet-based processing capabilities continue toforcetheevolution oftraditionalperimeter protections. 26.2.1 General Capabilities. Withthesubstantialprocessingrequirementsof specialized network security systems (e.g., IPS or anti-spam), organizations tradition- ally architected security infrastructures that leveraged dedicated solutions/devices for each function. However, current generation GSD processing capabilities provide the opportunity tocombine manyoftheseoncededicated systemsinto asingle device. 26.2.2 Uniﬁed Threat Management. Unified threat management (UTM) combineselementssuchasanti-malware,anti-spam,IDS/IPS,VPN,applicationproxy, and content filtering—transforming the firewall into the original iteration of the GSD. These added capabilities allow the UTM to provide greater control and inspection at the application layer. However, typically there was only marginal management and performance integrationbetween featuresets. 26.2.3 Next-Generation Firewall. Thenext-generationfirewall(NGFW)is the latest evolution in stated capabilities that complements and surpasses those of the UTM. Instead of just bolting multiple security technologies on top of one another, the NGFW provides tighter integration of each level of security. These new capabilities include greater protocol awareness and more granular allowed path enforcement. The NGFWisabletoprofileprotocolsregardlessofportchosen.Thisincreasestheability todetectdeceptivebehaviorsuchasencryptedpayloadsoverprotocolsthatwouldnot normally use encryption. This generation of GSD also has the ability to adjust policy dynamically—extendingprotection tootherpartsofthesecurityinfrastructure. 26.2.4 Web Application Firewalls. GSDsprovideadditionalcapabilitiesto inspectandenforceallowedpathsforWeb-basedcommunications.However,thecom- plexity of the current and next-generation Web protocols may outpace the security provided by this device. The Web application firewall (WAF) provides more robust HTTP protocol inspection capabilities. The WAF provides customizable rules to pro- tect against common payload-based attacks such as SQL injection, XSS (cross-site scripting), and command injection. This platform can also serve as a virtual patch for Webapplications—legacy(nopatches possible)oronesawaiting unreleasedpatches. 26.2.5 Firewall Architectures Changing. Assecurityvendorsworktokeep pace with these changes with more functionality and higher performance, it is theBASIC CONCEPTS AND TERMINOLOGY 26 · 5 customer’s responsibility to understand the advantages and disadvantages each pro- posedprotectionsolution.Suchanalysisprovidesthenecessaryinsightfortheorgani- zation to deploy the most appropriate architecture to meet the necessary security and performance requirements. 26.2.6 Packet Filtering. Routing devices gave rise to first-generation fire- walling capabilities. Packet filtering is a set of explicit rules describing the allowed pathsnetworktrafficmaytravel.Therules,intheformofanaccesscontrollist(ACL), independently evaluate one or more portions of each packet’s header to make the allowedpathdecision. The packet filter acts on each packet as an individual entity without respect of the packet(s) that come before or after. Although this method provides the security with the least overhead of other firewall architectures, it is vulnerable to several network andtransportlayerattacks. Internet Protocol (IP)spoofing is specially crafting a packet in an effort to deceive the router into accepting traffic that appears legitimate. The attacker will configure a packettolooklikeitoriginatedfromtheinternalnetworkeventhoughitiscominginto the external interface. ALand attack sends a spoofed TCP SYN packet to a host with thesourceanddestinationIPandportbeingequalandcancauseadenialofserviceon a vulnerable network stack. TheTeardrop attack intentionally fragments a packet and manipulates the fragment offset where the preceding fragment’s offset overlaps with theoffsetofthenextfragment.Whenthereceivingsystemreassemblestheoverlapping fragments, thenetwork stackwillcrash, causingadenialofservice. AlthoughboththeLandandTeardropattacksrequireavulnerableend-device,initial packet filters did not have contextual understanding to stop such attacks. Mitigation for the Teardrop attack includes implementing packet reassembly—recombining the fragments into the original packet to ensure the recombined packet does not violate basicIPpacketspecifications—beforeforwarding toitsnexthop. For details of these and other denial-of-service attacks, see Chapter 18 in this Handbook. Current generations GSDs use stateful inspection (covered next) in an effort to overcome many of the limitations of packet filtering. However, many nonsecurity- related devices use packet filters to provide basic protection of their administrative interfaces andmonitoring functions. 26.2.7 Stateful Inspection. Statefulinspectionidentifiesandtracksadditional parameters within each packet, adding context by representing flows along allowed paths as network connections instead of individual packets. Even though IP and User Datagram Protocol (UDP) are connectionless protocols, the firewall creates a virtual connection to emulate its connection-oriented counterparts. Although the specific pa- rameterstrackedinthestatetablevaryacrossGSDvendors,thetableresidesinmemory formoreefficientprocessing. Since a packet filter inspects packets individually, it does not affect firewalls in a load-balanced or fail-over architecture. However, to ensure sustained connections in high availability architectures, stateful inspection must establish and maintain a synchronizedcopyofthestatetableineachofitshighavailabilitymembers.Although somevendorsstillmaintainthatadirectserialconnectionisthemostreliableconnection method,highlyavailablesolutionsareunlikelytobeinaphysicalproximitynecessary for serial connection and typically take advantage of existing network connections to maintain thestate synchronization.26 · 6 GATEWAY SECURITY DEVICES 26.2.8 Application Layer Gateway. As threats became more sophisticated acrossexistingallowedpaths,firewallsaddedapplication-layergateway(ALG)protec- tion. Each application-specific proxy (e.g., HTTP, RPC, FTP, etc.) acts as the allowed path broker for the connection, creating a separate, backend connection to the other host. Although the full connection is actually two independent sessions, this dual- ity is transparent to the requester and the server. Being a brokered connection adds an additional layer of defense by re-writing potentially malformed requests, validat- ing/enforcing protocol compliance, and not allowing direct communication between clientandserver. The detailed payload analysis increases the amount of time the firewall spends evaluating each packet potentially reducing throughput for other network traffic and increasingtheneedforsufficientprocessingresource.TheALGmayalsocreateissues such as poor performance for protocols requiring minimal overhead in addition to un- expectedcompatibilityissuesduetovendor-specificprotocolimplementations.Active reviewandmanagement willhelptominimize theALG’simpact onoperations. 26.2.9 Current Gateway Security Devices. Thefirewallevolvedyetagain as attacks continued to increase in complexity and scale. Stateful filtering and appli- cationlayergatewayfunctionalitybeingeffectiveatprotectingagainstspecificknown attack vectors. However, the sophistication of the newer generation attacks quickly revealed those two features were unable to provide the necessary level of protection. Theadditional capabilities integratedintothefirewall gaverisetotheGSD. TheinitialiterationofGSDisknownasunifiedthreatmanagement(UTM).UTMis the consolidation of the firewall with multiple additional security platforms (e.g., net- workintrusion-preventionsystems,contentfilter,anti-spam,etc.)intoasingledevice. UTMvendorsthatonlyhadastrongpresenceinoneortwooftheprotectionmeasures had to either integrate a third-party security product or build their own offering to fill out the full protection suite. This was also an opportunity to consolidate management and monitoring capabilities to create a unified platform. However, the UTM would prove somewhat inefficient, as each packet travels serially through the different se- curity engines, severely impacting performance as the number of protections enabled increases. The most current generation of GSDs—known as next generation firewalls (NGFWs)—providegreaterapplicationdetection,awareness,andenforcementinaddi- tiontotighterintegrationofallsecuritylayers.Increasingtheprocessingandinspection capabilitiesalonewerenotenoughtomeetthedemandsofthecurrentgenerationappli- cationprotocols.Theseprotocolsaremorecomplexinformandfunction,eventhough they may follow the traditional allowed path such as HTTP. The NGFW must also be able to decode and understand the application’s inner workings regardless of port andenforceonallorsubsetsoftheprotocol.NGFWsprocesspacketsthoughselected security engines in parallel to increase performance and focus the protection needs to thespecifictype oftrafficdetected. 26.2.10 Host Environment Context. Althoughthischapterfocusesongate- way security devices from a network perspective, comparable host-based protections warrant coverage, as they are an important defense-in-depth component and have certain capabilities that the network-based GSDs cannot provide. With mobility and ubiquitous information access being central themes surrounding today’s personal and business environments, the host-level protection is an ever-present fixture. The host’sBASIC CONCEPTS AND TERMINOLOGY 26 · 7 movement from relying on the network security measures to local context and envi- ronmentally aware security measures will provide more robust and flexible security whereverthehostgoes. Host-based security—aside from basic firewalling—has additional complexity and considerationsduetotheprotectionrequirementsoftheadditionalelements(software, services, etc.) running. The host’s ability to understand its local environment allows for more granular protection and visibility. Instead of focusing purely on port-based network access, the increase environmental context defines what applications and services can: access or receive network traffic, access or change other services, or executecodeinavirtualmachine (VM)toverifyexpectbehavior(s). 26.2.11 Firewall Platforms. GSDs continue to advance in form, function, and contextual understanding to provide allowed path enforcement at all layers of the networkstack.Maliciousactorscontinuetodevelopincreasinglytargetedandeffective codethattravelsonanotherwiseallowedpath.Thesemoredetailednetworkinspection requirements dictates that every organization select the most appropriate platform to meetitssecurityandperformance needs. 26.2.12 Routing Devices. As the need to transmit data within a network and beyond increased, routing device were adapted to provide native and then modular securityservices. 26.2.12.1 AccessControlLists. RoutingdeviceACLstypicallyproviderudi- mentary allowed path enforcement with minimal performance impact. ACLs permit or deny individual network packets based on a combination of parameters from the headersuchassourceanddestination IPaddressesand/or TCP/UDP port. Routing device–based security services matured to provide enhanced capabilities based on their contextual understanding of the network. Routing devices can sup- port several stateful inspection techniques, the most rudimentary being the ability to trackconnectionsbasedsolelyontheacknowledgement(ACK)flagsofanestablished connection. However, this method is more susceptible to spoofed packets directed at the intended target than traditional stateful inspection based on a table of established connections. Routing platforms can also provide anti-spoofing capabilities based on network topology. When enabled, the routing device will make forwarding decisions based on its understanding of connected and learned routes and only allow source IPs tooriginatefromtheappropriate interface. 26.2.12.2 Hardware Modules. With bandwidth increasing into the tens to hundreds of Gigabits per second (and beyond), routing device manufacturer needed to offload the security functions to a dedicated vendor-specific module (or line card). The module provides logical protection for one or more allowed paths while using the backplane to achieve higher data rates and provide protection based on one or moreofthefirewallarchitecturesdescribedabove.Someroutingvendorsalsosupport modules—similartoabladeserver—allowingothersecurityvendorstointegratetheir technology deeperintotheroutinginfrastructure. 26.2.13 Appliances. The GSD appliance emerged as a way to shed complex security decisions from routing devices onto a dedicated security platform. Appliance form factors, capabilities, and limitations vary among GSD vendors with the GSD application integratingintothechosen hardwareplatform.26 · 8 GATEWAY SECURITY DEVICES 26.2.13.1 Proprietary. A proprietary hardware-based GSD appliance manu- facturer is able to establish and retain tight controls over all aspects of the platform. Thehardwareispurpose-builttointeroperatewiththeGSDsoftwareandprovidesdif- ferentlevelsofperformanceandfunctionality.High-performancecomponentssuchas application-specificinstructionsetsaretypicallyproprietary.However,thevendorwill balance the cost effectiveness of the platform by choosing commercial-off-the-shelf (COTS)hardware fortheutility components (e.g.,network interfaces andRAM). The accompanyingproprietary,hardware-specificoperatingsystem(OS)allowsthevendor tomaintain tightcontrolsoninteroperability, configuration, andsoftware revisions. 26.2.13.2 HardwareIndependent. HardwareindependentGSDappliances transfer responsibility to the customer to procure hardware that meets a specific set of requirements while allowing the GSD vendor to retain responsibility for developing the GSD application and/or OS. The GSD uses either a customized version of an OS (typically Linux or Berkeley Software Distribution BSD) or installs directly onto a customer-provided baseOS. A GSD application installed on a proprietary (or premodified) OS reduces native security exposures through vendor custom hardening of OS mechanisms to remove nonessential features and functionality while maintaining the tight controls described inthesectionabove. TheGSDapplicationmayalsobeabletoinstallonspecificversionsofthecustomer’s native OS choice, providing the customer the most flexibility in choosing a GSD appliance. The GSD application will make some hardening changes but leaves much oftheoperatingsystemmanagementtothecustomer.Thisincreasestheriskofinsecure and/or underperforming implementations due to the GSD vendor not fully controlling OSconfigurations, patches, andinteroperability. 26.2.13.3 Soft Appliance. The soft appliance augments the hardware inde- pendent/proprietaryOSGSDintoabootableplatformthatcanrunonconsumer-grade equipment. This platform is more suited for point-in-time protection needs, such as main GSD device failure, fast-turn deployments, and testing. Before deploying a soft appliance, the customer must temper the potential “flexibility” of this solution with other considerations such as manageability (configuration, logging, etc.), scalability, andrequiredfunctionality. 26.2.13.4 Embedded Appliance. In addition to high-end, scalable devices, GSDvendorsalsorecognizedtheopportunitytoserviceothermarketssuchasproviding specializedcapabilitiesonplatformsscaledtomeettheneedsofconsumersandsmall- to-medium businesses (SMBs). SMBsarelesslikelytohavesufficientfundingordedicatedsecuritystafftopurchase, manage,andmonitormultiplesecuritydevices.TheSMB-gradeGSDsprovideamore economical all-in-one device, due to its smaller form factor, simplified user interface, andlowerperformancerequirements.Inadditiontoprovidingthestandardwiredand/or wirelessconnectivityoptions,thedevicetypicallyprovidesafullcomplementofUTM security functionality. 26.2.14 Virtualization. GSD vendors now provide solutions ranging from leveraging the virtual environment to provide independent network security capa- bilities to embedding granular protections at the hypervisor level. Instead of requiringNETWORK-SECURITY MECHANISMS 26 · 9 afullinstallation,someGSDvendorswillprovideapreinstalledvirtualappliancethat minimizes total deployment time. It is important to ensure that the virtualized GSD maintains itspriorityinobtaining andsustaining resourcesfromtheVMinstance. A VM-capable GSD acts as an independent network security entity. Instead of having dedicated hardware, the GSD leverages the hypervisor’s hardware abstraction layertogainaccesstothenecessaryresources.Thisimplementationprovideshardware appliance-like capabilities to control the allowed paths based on what networks route throughtheGSD VMinstance. AVM-embeddedGSDvirtualapplianceintegrateswiththehypervisortogainlow- levelaccesstotheentireVMhost/cluster.TheGSDnowhasvisibilityintopreviously inaccessiblecommunicationpathsandisabletoconductallowedpathenforcementfor bothinter-andintra-VM communications. 26.2.15 Host-Based Agents. Asmobiledevicesdemandgreaterinternalnet- work access—including data to be stored local to the device—so did the requirement for those host-based protections to be able to minimize the additional risk of allowing suchaccess.Antiviruscapabilities,althougharguablyonlymarginallyeffectiveagainst new and emerging threats, still maintain a necessary presence to filter known attacks vectors. Firewalling capabilities at the network and application level reduce the host’s network-facing threat profile. The Host Intrusion Prevention System (HIPS) provides protection against known and potentially unknown threats because of its ability to inspectuptotheapplication layer. When network-security devices fail to detect a threat, host-based protection has additionalmeasurestodetectlocalanomalousbehaviorduetoitsincreasedcontextual awarenessofhowthehost—theapplicationsandtheoperatingsystem—shouldbehave, thusallowingthehostanadvantageindetectingemergingthreats.However,organiza- tions should not underestimate the administrative overhead necessary to manage and monitor thisprotection. SeeChapter 27ofthisHandbook formoredetailsonhost-based protections. 26.3 NETWORK-SECURITY MECHANISMS. Networksecurity,oncesynony- mouswiththefirewall,continuesitsgrowthinbothscopeanddepth.Governmentand organizations are requiring security to be baked into the systems and solutions they produceorpurchase. It is entirely possible for an attack to originate from a system not coinciding with a direct perimeter attack. These attack vectors include likely exposures, such as an employee mobile device infected with malicious code while traveling; the new USB flash drive an employee receives at a conference; or a vendor providing legitimate supportthatplugs his/herlaptopinto theinternalnetwork. Those who are selecting network security systems must be able to decipher the hyperbole from reality to ensure the device(s) deployed realistically address(es) the specific risks pertinent to the organization. Gateway security devices maintain their basic allowed path control heritage but now are far more advanced in their ability to integrateprotection withinthepayloadandbeyond. 26.3.1 Allowed Paths. Network-security devices provide allowed-path pro- tections to ensure network traffic only flows in expected and intended ways. Unfortu- nately, this base level of enforcement is insufficient because application-layer attacks (e.g., client-side browser exploits) leverage these traditional allowed paths. Regula- tory and compliance security requirements are also driving the deployment of more26 · 10 GATEWAY SECURITY DEVICES capableallowed-pathenforcementmechanismsdeeperintotheinternalnetworktopro- tectintellectualproperty,customer/partnerdata,andindustrialcontrolsystems(ICSs). To manage allowed-path risk effectively, organizations must define and baseline theirexpectedtrafficflowsbothinternallyandexternally.Thebaselineisvitallyimpor- tant when the only indication of compromise may be an unusual—though apparently benign—interaction betweensystems thatdonottypically interactwithoneanother. 26.3.2 Tunneling. Tunneledaccessintotheinternalnetworkforthepurposesof remoteaccess,informationsharing,andcommerceisessentialformostorganizations. Thesetunnels,typicallyintheformofavirtualprivatenetwork(VPN),useencryption toprotecttheconfidentialityofthetransferreddata.IftheGSDdoesnotterminatethe tunnel,ittypicallyonlyprovidesnetworkandtransportlayerallowedpathenforcement through to the termination endpoint. This scenario fragments the inspection of the encapsulatedtraffic,requiringtheterminationendpointitselforanothersecuritydevice post-decryptiontoprovideadditionalprotectionthroughallowedpathenforcementand application layerinspection. SeeChapter 32formoreinformation onGSDVPNcapabilities 26.3.3 Anti-Spooﬁng. One of the most readily exploited vulnerabilities of the IP protocol is spoofing . Due to this inherent weakness in the IPv4 protocol, a host’s networkstackiscapableofproducingpacketsthatcanappeartooriginatefromanyIP addressand/orportchosen.Thisattackisanefforttodeceivethereceivinghostand/or any network protection in between into believing the originating host is following an allowed path. Due to the simplicity of executing spoofing attacks, GSD vendors developedandimplementedseveraleffectivemethodstothwartthesetypesofattacks. The network topology is a key element in the GSD’s ability to determine what traffic should beoriginated fromeachofitsphysical and/orlogicalinterfaces. One common anti-spoofing method is explicit definition of the network topology on a per-interface basis. This provides an efficient method for the GSD to determine whether the packet’s source IP address entering an interface matches what the GSD expects to be the source network. If not, the packet fails to meet the criteria and is dropped. Although simple and effective, the disadvantage is the manual management oftheper-interface networkdefinitions. Another method is to learn the network topology by leveraging the routing table to makethesametypeofper-interfaceanti-spoofingdecisions.Thefirewallgoesthrough thesameprocessofevaluatingifthepacket’ssourceIPmatcheswhatshouldbeorigi- natingfromthatinterface.However,thisdoesnotrequireongoingmanualintervention whennetworkchangesoccur,astheroutingengineupdatesthisinformation.Although this method creates less administrative overhead, two disadvantages include problems ifthenetwork usesasymmetric routingand/orfalls preytoaroutepoisoning attack. Both of these anti-spoofing measures are highly effective when evaluating whether network traffic is originating from the appropriate interface. However, the focus re- mains solely on preventing internal network address compromise. Since not all of the IP networks in existence are actually allocated and/or in use, these “bogon” networks are another method used to launch spoofing attacks. Since “bogon” network traffic is originating on the external interface, the GSD would not block this based on common anti-spoofing rules. Updated lists are readily available allowing the security adminis- trator to enforce “bogon” protections. Some GSDs have a feature that automatically updates thelist onarecurring basis,providing automatedprotection.NETWORK-SECURITY MECHANISMS 26 · 11 26.3.4 Network Address Translation. Network address translation (NAT) is a mechanism that maps internal (typically private RFC 1918) network addresses to one or more publicly routable IP addresses. This is an essential function in IPv4 due totheincreasingshortageofpublicallyroutableaddress.Duetoitsabilitytomaskthe internalnetworkaddressing,NATquicklybecamethoughtofasasecuritymechanism. Realistically,NATonlyensuresnetworktrafficmaintainstheirtranslations—butithas noinherentsecurity capabilities suchaspayload inspection. To ensure sustained connections in high availability architectures, NAT must es- tablish and maintain a synchronized copy of the translation table with each high availability member. This mechanism follows the same serial or network connection usedtomaintain thestate table. 26.3.5 Intrusion Detection. GSDs inherently provide detective controls at multiple layers. These distinct controls (e.g., firewall, intrusion detection/prevention system, etc.) provide greater visibility into the types and scopes of potential incidents whenproperlyconfiguredandmonitored.Theloggingandalertingcapabilitiesassoci- atedwitheachcontrolareimportantandnecessarymechanismsforsecuritypersonnel tousetounderstandthecurrentstateoftheperimeter.Withthisinformation,itispossi- bletodevelopactionableintelligencetodetectandactonanomalousand/ormalicious behaviorbefore, during, andafteranincident. RespondingtoalertsandreviewingalloftheinformationgeneratedbytheGSDcan beextraordinarilytimeconsuming.However,itisimportantthatthesecurityadminis- tratortakethenecessarystepstoensuretimelyandaccuratelogreviews.Withoutsuch reviews, it is easy to overlook issues such as pre- and post-attack-related traffic and systemmisconfigurations.LogsalsoprovideanexcellentopportunityforGSDtuning, including rule-baseoptimization andreducing falsepositives(postverification). Properly planned and configured alerting and logging mechanisms are essential. Whendonepoorly,thesemechanismscanoverloadthesupportstaffwithunnecessary orextraneousinformation,makingthemlessefficientandeffectiveataddressingactual securityissues. 26.3.6 Intrusion Prevention/Response. Although logs and alerts are use- ful for detecting and investigating security incidents, these mechanisms are passive and cannot provide threat protection. Firewalls evolved to include automated active mechanisms torespondtosecurity eventsandprovideactiveprotection. See Chapter 27 of this Handbook for more details on intrusion detection and pre- vention. 26.3.6.1 Connection Termination. The essence of perimeter defense is to protect the internal network by blocking connection attempts that do not follow the establishedallowedpathpolicy.OnemethodforTCP-basedprotocolsistorespondto theinitiator(andsometimestheintendedrecipient)withareset(RST)packet,severing the connection. The most common method—which works for connection-oriented and connectionless protocols—is to drop the packet without a response. As firewalls evolved into richer functioning GSDs, this protection grew to include blocking based onmalicious activityoccurring attheapplication layer. Inversely,attackerscanuseconnectionterminationasamethodtodeterminewhere and what type of network-security devices are in use. This context may provide them additionalinsightonpotentialmethodstobypassand/oradverselyimpactthesecurity26 · 12 GATEWAY SECURITY DEVICES platform.Thoughthissituationisunavoidablenomatterwhatterminationmechanism isemployed, itisanother reasontoapplydefensesinlayers. 26.3.6.2 Adaptive Threat Mitigation. AlthoughtheGSD’spolicyprovides the main enforcement mechanism, vendors quickly realized that this was insufficient, asattackerscontinuallydevelopadditionalmethodstothwarttheseprotections.GSDs include several enhanced capabilities that allow the device to adapt to specific threat conditions andprovidetargetedprevention. Sinceattackersemploymethodstochangeattacksourcestoavoiddetection,anditis notalwayspracticaltofollowarigidwhitelisting(leastprivilege)strategy,organizations typically opt to use blacklists as an additional level of protection. Some GSDs use dynamic object groups to update these lists on a predetermined schedule helping minimize administrative overhead. TheuseofthresholdsprovidestheGSDamoreefficientmethodtoaddressconsistent attacksthatwouldotherwisefollowthesamepolicy-basedevaluationforeveryattempt. One common threshold type is event quantity/type over a given set of time (e.g., total number of packets per second or x number of packets per second across multiple destination IP addresses). Once breached, the GSD will typically automatically block all traffic from the origin IP address for a predetermined time period. This type of adaptive technique requires additional processing resources and requires tuning to ensurethisdoes notimpactlegitimatenetwork flows. Being primarily perimeter devices, GSDs typically have minimal visibility into the internal, trusted network. However, modern security infrastructures can leverage multiple threat detection methods across the network to provide more comprehensive protection. Once detected, the device can leverage the security management infras- tructure to update other security device policies—automatically providing additional protection or containment. This capability is also integrating with host-based protec- tions to drive protection deeper into the network. If a host detects a threat while on an untrusted network, the infrastructure would learn about this and adapt network protections beforethedeviceconnects toaninternal network. 26.3.6.3 System-Level Actions. As an added layer of defense, gateway se- curity devices typically have built-in mechanisms to detect and respond to threats against the platform itself. Following an implicit deny model, the excepted behavior is to fail secure (e.g., shutdown the firewall) and not pass traffic. However, as this automatic response affects the functionality of the security device, it is important for theadministratortounderstandandtestthisfunctionalitypriortodeploymenttoensure this response behavior is consistent with the protection and availability needs of the organization. 26.3.6.4 Application Inspection. The ability to protect allowed paths based on IP and/or port combinations provides marginal benefit when matched against the growingprotocolcomplexityandconfigurability.AsGSDsevolved,sodidtheabilityto evaluateandenforceallowedpathsbasedontheapplicationlayer.Thiscapabilityranges frombasicprotocolevaluationssuchasanRFCconformancechecktofullapplication layergateways.Dependingonthetypeofapplicationlayerprotocol,adedicateddevice maybenecessaryinhighcapacity, security, and/or reliabilityenvironments. WAFs. Web application firewalls (WAFs) provide targeted enforcement within an HTTP(S)allowedpath.WAFscanmorereadilydetectandpreventcommonWebserver attackssuchasXSSandSQLinjectionandtypicallyhaveaddedcapabilitiestoprotectNETWORK-SECURITY MECHANISMS 26 · 13 morecomplexWeb2.0(e.g.,AJAX)andWebservices(e.g.,SOAPorJSON)protocols. ItisalsopossibletoprotectotherwisevulnerableWebserversfromexploitsbywriting protection rules that detect and nullify the application layer attack traffic. The WAFs granularruledevelopment isalsobettersuitedtoprotectcustom Webapplications. Proxy Servers. The forwarding proxy enforces outgoing Internet connections by intercepting and controlling access based on criteria such as user ID, time of day, and/or whitelist/blacklist. Depending on the type and configuration, the forwarding proxy can either broker the outbound connection and make requests on behalf of the client or just enforce the particular allowed path. Classic forwarding proxies requires client-side configuration to enforced Internet-bound communications. A transparent proxy is a forwarding proxy that operates as a “bump-on-the-wire”—sitting in-line or offaspanport—andtypically doesnotrequireclient-side configuration. Conversely, a reverse proxy provides protection to inbound allowed paths. The inboundconnectionterminatesattheproxy,andtheproxyitselfestablishesthesecond halfoftheconnectiondirectlywiththeapplicationserver.Beingabrokeredconnection, this adds an additional layer of defense for inbound traffic by rewriting potentially malformedrequestsand/ornotallowingdirectcommunicationtotheapplicationserver. ApplicationIdentity.InadditiontosourceanddestinationIPaddress,networkfire- walls typically rely on the destination port to make a final allowed path determination forcommonprotocols(e.g.,HTTP—TCPport80).However,itistrivialtoevadeupper layer inspection (e.g., proxy or WAF) by changing the destination port to something that bypasses the application layer inspection but still follows an allowed path. Cur- rent generation security devices must be able to profile all network traffic based on application typeinsteadofdestination port. Application identification must be able to dissect the traffic and understand the subsystems/protocols embedded within the main communication flow. For example, Skype not only inherently provides video conferencing but also file transfer and chat services. With add-ons, functionality can extend to remote desktop sharing/control. By having this detailed level of application understanding, it is possible for granular enforcementofoneormoreprotocolsubsets.Thisprofilingalsoincludesdetermining commonprotocolsonunexpectedportsandencryptedtrafficoveracommonclear-text protocol—whether encryptedornot. 26.3.7 Encryption. Confidentialityprotectionforsensitivedata-in-motioncon- tinuestogrowduetotheneedtominimizetheriskofcompromisingpersonal/personnel data and/or intellectual property. This creates a distinct need to provide allowed path enforcementwhenusingencryptionservicestoorthroughtheGSD.Duetothecompu- tationally complexity, encryption protocols can significantly reduce GSD throughput without offloading encryption services to an add-on, on-board device, or dedicated externaldevicestomeettheencryption needs. SeeChapter 7ofthisHandbook formoredetailsonencryption. Inspection. The integration of encryption into network and application flows in essential to protect the confidentiality of the data-in-motion. Although not necessarily malicious, these encrypted sessions reduce the effectiveness of any network-security device(s) attempting to inspect the protected payloads. In addition to the typical VPN and HTTPS Web traffic, the GSD must also be able to identify encrypted communi- cations regardless of port or service. The two main methods for inspecting encrypted trafficaredirecttermination andon-the-fly decryption. In the first method, the GSD terminates the encrypted connection. This provides an opportunity to inspect the once tunneled communication. Once inspected and if26 · 14 GATEWAY SECURITY DEVICES permitted, the GSD may pass the remained of the communication decrypted or re- encryptthesession tomaintaintheconfidentiality protectiontotheendpoint. In the second method, the GSD will use escrowed encryption keys to decrypt network flows passively. Besides meeting the additional performance requirements to conductpassivedecryption,anotherpossibleweaknessistheinabilitytoprovidefully synchronousresponsestodetectedthreat—potentiallyallowingsomemalicioustraffic acrossanallowedpath beforetheenforcementoccurs. VPN. A virtual private network (VPN) is an encapsulated network overlaying an existing set of physical and logical networks. A common VPN implementation is for a remote client connection—allowing an authorized user to access the internal networkthroughanencryptedtunnel.Onceestablished,VPNclientscanaccessinternal networks and/or systems while protecting the confidentiality of the connection. Site- to-site VPNs allow authorized remote locations to gain direct internal network access formultiple usersoverasingleconnection. Since there is little to no control when mobile systems leave the confines of the internalnetwork,thefidelityofthemobiledeviceisaconcern.Theriskofcompromise at every level—from physical to operating system to applications and beyond—can exposetheinternalnetworktoincreasedriskduringaVPNsession.Withoutterminating VPNsessionsdirectlyontheGSD,itisstillpossibletoincreasevisibilityandadditional allowed path enforcement once the unencrypted traffic leaves the VPN termination device—seetheDeployment section foradditional details andconsiderations. SeeChapter 32ofthisHandbook formoredetailsonVPNs. Acceleration. Using Secure Sockets Layer (SSL) and Transport Layer Security (TLS)toprotectWeb-basedtrafficorIPsectoprotectVPNtrafficcreatesapotentialbar- riertocomprehensiveallowedpathenforcement.Sincetheencryptedtrafficpotentially fragmentsallowedpathenforcements,GSDsevolvedtobecapableofterminatingthese connections to add an additional layer of inspection. However, encryption/decryption ismathematicallyintensiveandrequiressufficientprocessingresourcestoensurethese processes do not impact GSD throughput. When it is necessary for the GSD to termi- nateorinspectencryptedtraffic,theuseofahardwareencryptionmoduleisacommon methodtooff-loadthisprocessingburdenandminimizeimpacttoothertrafficflowing through theGSD. 26.3.8 Identity-Based Enforcement. By integrating with enterprise direc- tory services using mechanisms such as Lightweight Directory Access Protocol (LDAP) or Remote Access Dial-In User Service (RADIUS), GSDs are able to make identity-based decisions. Instead of allowing or denying access to an allowed path by source IP, the GSD can authorize access per user or based on group membership and include this authorization data in logs. This additional detail enhances reporting and auditing capabilities, providing more specific information about a particular connec- tion well beyond just the IP address or DNS name of the host requesting allowed path traversal. 26.3.9 Complex Protocol Engines. Complexprotocols,includingthoseused to deliver feature rich Web applications, IP telephony, or specialized protocols, such as those used by industrial control systems (ICSs), are an intrinsic necessity for many organizations.Duetotheever-increasingneedtoshareinformationandaccessregard- less of mobile device form factor or location, these complex protocols are traversing the GSD. Even with successful detection of an application in-use, it is a continualNETWORK-SECURITY MECHANISMS 26 · 15 development race for the GSD to be able to understand and enforce the intricacies of eachprotocol. Today’sWeb-basedapplicationscontinuallydevelopnewfunctionalitytomeetcus- tomerdemand.SocialmediaWebsitesofferviablebusinessmodelsandmaynecessitate someoralluserswithinanorganizationtoaccessthisservicetoconductbusiness.Due to ever-present personal elements (e.g., chat/comments, games, etc.), the GSDs must beabletodissecttheconnectionandselectivelypermitsomeorallofthefunctionality offeredbythehostapplication. IP telephony protocols such as session initiation protocol (SIP) and real-time pro- tocol (RTP) are typically intolerant to latency and jitter—which are introducible by GSDs. ICS protocols introduce vendor-specific protocol dependencies/intricacies and are even less tolerant to network variations. The loss or slowness of ICS commu- nications can be as severe as damage to equipment or death when impacting safety systems. Although an internal or external network perimeter is a logical point of inspection, the GSD is not necessarily the appropriate device to conduct such detailed protocol inspections. Instead, these situations may warrant additional security layers using specialized devicesfortheapplication layerorspecialty protocolenforcement. 26.3.10 Content Control and Data Leakage Prevention. Organiza- tional policies establish the behavioral expectations of its employees. The Acceptable UsePolicy(orsimilarly named) typicallycoversmatters specifictouseoftechnology resources;however,thepolicyitselfcannotprovideactiveprotection.Contentfiltering (CF) bridges the gap between technical and nontechnical policy enforcement. This enforcement typically focuses on internal users attempting to access information re- sources outside of the organization. By filtering heavily used protocols such as HTTP and SMTP, the organization can minimize user access to information not fitting the organization’s definition ofbusinessuse. This technology has several methods for inspecting, classifying, and filtering con- tent.Inspectiontakesmultipleforms,includingresidingin-line,out-of-bandtomonitor passingtrafficwithoutimpactingthephysicalconnection,orinconjunctionwithproxy redirection. Classification occurs through multiple methods, including vendor-defined categories,blacklists,and/orreputationscoringbasedonIPaddressand/orDNSname. Thisalsoallowstheorganizationtochoosetouseasubsetoftheprovidepolicyand/or selectively develop a whitelist to provide more granular enforcement. The filtering feature logs and/or severs the connections allowing the organization to customize its responsetodetectedpolicyviolations,includingredirectiontoa“notforbusinessuse” Web page and/or automatic administrative and/or managerial notification of repeated violations. SeeChapter 31ofthisHandbook formoredetailsoncontent filtering. 26.3.10.1 InformationClassiﬁcationandEnforcement. Anoverlooked but important aspect of information assurance is the proper classification of informa- tion/data into categories. This allows the organization to determine the risk reduction efforts necessary to protect each information level/type. Similar to the classification processusedbygovernments,identifyingthesensitiveinformationincreasestheability to enforce not only who has access to the information but also where and how this information canbetransferred. Digital rights management (DRM) and data loss prevention (DLP) are two cur- rent generation technologies for addressing these information-specific risks. DRM26 · 16 GATEWAY SECURITY DEVICES focusesonthedefinitionandenforcementofdata-at-rest—typicallyattheinformation repositorylevel.GSDsmayincludeDLPprotectionssuchasenforcingdata-in-motion protections,includingdenyingthetransferoffilesbasedoncontent/designationand/or requiring encryptionforsensitivedata. 26.3.10.2 Anti-malware. A contemporary attack vector is to target a com- monlyusedWebsite/serviceandinjectmalware.Althoughthecontentfiltermaymake an initial decision to allow the connection based on the specific site name, it may also have the added capability to intercept and block the malicious content before it ever reachesthehost.Thisfunctionalitymakesitpossibletoevaluatedifferenttypesoftraf- ficsuchasSMTPattachmentsandHTTPdownloads.Althoughthistypeofapplication layerprotectioncandramaticallyreducetheGSDthroughput,itispossibletoredirect thescanningtoanadditionalmodulewithintheGSDwithdedicatedprocessingpower ortoadedicated network anti-malware appliance. 26.3.10.3 Active Content. Active code used on HTTP connections—such as Silverlight, Java, AJAX, and Flash—provides a foundation for a rich Web experi- ence but also increases security risk due to their application-focused functionality. Maliciousemailattachments—suchasdocumentswithembeddedcode—arecommon components ofphishing andspamcampaigns. In conjunction with host-based protections, the GSD can decrease the risk of ac- tive code by preventing specific types from ever reaching the endpoint and/or scan- ning the active code in a sandbox prior to allowing the active code to traverse the allowed path. SeeChapter 17ofthisHandbook formoredetailsonmobile code. 26.3.10.4 Caching. Althoughtheaggregatecostofbandwidthcontinuestofall, organizationscontinuetolookforopportunitiestomanagethesefrequentlycongested circuits more efficiently. Proxy servers typically integrate caching mechanisms to storefrequentlyusedInternetcontentlocally, increasinglocalthroughputbyreducing Internet-bound traffic. The GSD may also be able to provide similar caching services, givensufficientstorage capacityandprocessing resources. 26.3.11 IPv6. TheallocationofthelastremainingavailableIPv4addressblocks to Regional Internet Registries (RIR) occurred in 2011—indicating the world is “out of IPv4 addresses.” Although one may argue that statement is overly dramatic, mass migrationtoIPv6isstilloccurringataslowerpacethanonemayexpect,eventhough IPv6 was developed in the late 1990s. While organizations continue to develop their individual transition plans, it is likely that IPv6 is already in their environment. Many modern operating systems and devices have dual IPv4 and IPv6 network stacks, with some enabled by default. IPv6 and its associated transition technologies have specific security implications thattheGSDmustunderstand andenforce. 26.3.11.1 Perimeter Security Concerns. Addressing. IPv6 is more flexible in its approach to dynamic addressing. Instead of solely relying on DHCP, an IPv6 device can address itself through stateless ad- dress autoconfiguration (SLAAC). The host uses a unique identifier (typically its own Message Authentication Code (MAC) address) in addition to the Neighbor Discovery (ND) protocol to complete the automatic addressing. Since there is no authenticationNETWORK-SECURITY MECHANISMS 26 · 17 requirement, the GSD must prevent external devices from attempting to act as an internalrouter duringtheaddressing process. ThesignificantincreaseofavailableaddressesinanyparticularIPv6networkmakes it infeasible to discover devices and network topology using traditional port scanning methodologies. By using the multicast listener discovery (MLD) protocol, an attacker can send a probe to the link-local multicast address (ff02::1) and listen for responses. The GSD must block this capability at the perimeter to prevent external devices from attempting todiscoverinternal hostsandtopologies. Tunneling.Withoutubiquitousend-to-endIPv6connectivity,thereareseveralIPv6 transition technologies (such as 6to4 and Teredo) that allow IPv6 capable systems to tunnelcommunicationoverlegacyIPv4networks.Aswithothertunneledtraffic,tobe effective, the GSD must not only be able to enforce the appropriate allowed path for thetunneledtraffic butalsoinspect theencapsulated IPv6packet. IPv6 also has native support for IPsec (both AH and ESP). Configuration and use of IPsec in an IPv6 environment requires the same discipline in choosing and configuringcryptographicoptionsasIPv4.ItisalsopossibletouseIPv4IPsectoprotect IPv6transitiontechnologytunnelsasunencryptedtunnelsessionswouldotherwisebe vulnerable tointerception and/or manipulation. GlobalConnectivity.Networkaddresstranslation(NAT)isanessentialelementfor IPv4 Internet connectivity due to the relatively “small” number of publically routable 128 addresses. The size of the IPv6 address space (2 addresses) provides for global IP interconnectivity without the need (or definition) of a NAT replacement. IPv6 devices willnowcommunicatenativelyacrosstheInternet—changingperimeterdynamicsyet again. With IPv6 enabled, it is essential for GSD to enforce strict ingressand egress filtering. Mobility.MobileIPv6(MIPv6)allowshoststomaintainaccesstothehomenetwork while physically roaming to other locations and uncontrolled networks. A user would beabletoleavetheofficenetworkandtravelfromoneappointmenttoanotherwithout losing connectivity to the internal network. Since the device can move network to networkwithoutdroppingtheinternalconnection,MIPv6alsocreatespotentialissues withstatefulinspectioniftheGSDdoesnotunderstandtheprotocol.Iftheorganization chooses not to support MIPv6, the GSD should filter Type 2 Routing Header (RH2) packets. 26.3.12 Additional Considerations 26.3.12.1 Host Protection. Although firewalls and GSDs play a crucial role inprotectingtheoverallnetworkinfrastructure,itisneithercostfeasiblenorpossibleto deploythesedevicesatallpointsinsidethenetwork.Individualhostsmusthaveaway to protect themselves from threats independent of network-security devices. Unlike the network, a host has a contextual understanding of what the system can, is, and/or should be doing. Beyond the simple allow and deny functionality, contextual security measurescandetectunexpectedsystemconfigurationchangessuchasservicechanges oranapplication behaving inanunexpected manner. When a host leaves the internal network, it becomes an extension of the network protection profile. By providing adequate local protections at the network and appli- cationlevels,themobileendpointhelpstomitigatepotentialissuesuponreconnecting totheinternalnetwork.Itisalsocrucialtodeterminethelevelofprotectionnecessary and how each of these additional levels of security will affect system performance, management, andend-user impact.26 · 18 GATEWAY SECURITY DEVICES 26.3.12.2 Network. Hostsneedtobeabletodeterminethetypesandappropri- atenessofinboundandoutboundtraffic.Thesenetworkrestrictionsmayvaryfromthe internalnetworktouncontrollednetworks.Incertaincircumstances,allnetworktraffic maybesuspectandscrutinizedfurther.Forexample,whenontheinternalnetwork,the hostallowsmostinboundandoutboundtraffic.Ifthehostwereonanuncontrollednet- work,itwouldnotallowanynonestablishednetworkflows.Simplehost-basednetwork protections are not enough; additional host protection mechanisms such as intrusion preventioncandetectandstop networkandapplication-based attacks. 26.3.12.3 Applications Access. The host’s contextual awareness also helps dictate the ability for applications to execute as well as send and/or receive data. The goalistoensureonlytheappropriateapplicationsand/orserviceshavenetworkaccess. The host protection policy may allow applications to establish outbound connections, but never listen (nor accept nonestablished inbound packets). For example, an HTTP serverusesadaemontolistenforconnectionattempts.TheHTTPclientwillattemptto makeaconnectiontotheHTTPserverdaemon.Byusingahostprotectionmechanism, itwould bepossible topreventoneorbothofthese actions. 26.3.12.4 Hybrid Protections. The host intrusion prevention system (HIPS) functionssimilarlytoanetworkintrusionpreventionsystem(NIPS)bydetectingknown attackpatternsand/oranomalousbehaviors.Hybridhostprotectionsbuildonthehost’s contextualawarenessandprovidetheabilitytomonitorotherunusualapplicationlevel activity suchaschanges tobinaries, servicemanipulation, andspawnedlisteners. 26.4 DEPLOYMENT 26.4.1 Zoned Architecture. In a contemporary interpretation of the screened subnetarchitecture,zonesdefinedifferenttypesand/orsensitivitiesofnetworks,appli- cations,and/orservices.Thisprovidestheabilitytomanageallowedpathsatthemacro level(perzone)inadditiontothetraditionalallowedpaths(specifichostsorservices). As requirements drive security deeper into the network, the zoning concept is equally effectivewhenusedtomanageandprotect internalandexternalnetworks. 26.4.1.1 PerimeterZones. Theborderroutermaintainsthearchitecture’sfirst line of defense against external attacks. The ACL(s) on this router should mirror the basic allowed-path configuration of the external (untrusted) firewall interface and providesseveralimportant benefits. The GSD is able to operate at optimal efficiency, since traffic rejected based on border router’s packet-filtering rules normally would never reach the firewall. This permits the firewall to focus, in terms of load, on protocol inspection. If, for example, thefirewallreceivesapacketthatshouldneverhavemadeitpassedtheborderrouter’s ACL, the firewall can assume that the router is not behaving normally. The firewall is then free to respond appropriately, with such actions as terminating all connections fromaspecifichost. 26.4.1.2 ExternalServiceZones. Thenecessityformobilityandaccessibil- ityplacessignificantdemandsonInternet-facing systemsinadditiontoincreasingthe administrativeoverheadofmanagingexternalaccess.Thesectionsbelowprovideonly asampling ofpossible externalservicezonearchitectures.DEPLOYMENT 26 · 19 Utility. Instead of lumping systems such as Web, DNS, and email onto a single network, there may be an advantage by implementing zones. Utility servers such as DNSandemailcouldlogicallybeonthesamenetwork.Webserverstypicallydemand greaterbandwidth,andbyusingthisconcept,canprotecttheentirezonewithasimple inbound accessrule. Extranet.Extranetsystemscreateadditionalcomplexitysincetheyprovidetheuser interface, while internal systems may provide the relevant content. Zoning provides more flexibility by allowing external connections to reach the Extranet servers while providingthosesame serversaccesstointernal resources. VPN. VPN networks are also an opportunity to use zoning. Since the VPN con- nectiondevicemustbeInternetfacing,thisrequirestwodifferentnetworksconnected to the firewall. The external, Internet-facing (VPN untrusted) interface would only allowafewprotocolsforinboundandoutboundencryptedtraffic.Thesecondnetwork (VPN trusted) is for unencrypted network traffic moving to and from the internal net- work. This architecture also provides extra internal network protection in the event of a compromise of the VPN device as well as creating a traffic inspection point that is unimpeded byencryption. 26.4.1.3 Internal Service Zones. With the increasing prevalence of non- company-owned assets and more complex data flows, organizations continue to look for better methods to protect internal networks. The sections below provide only a sampling ofpossible internalservice zonearchitectures. AdministrativeandMonitoringSystems.Organizationstypicallylimitdirectaccess tonetworkandsecuritydevices.Byrequiringalladministrativeandmonitoringtraffic to originate from a specific host and/or network, a zone can effectively reduce each device’s threat profile. This zone would not only allow minimal noninitiated inbound traffic but would also limit outbound connections to the managed and monitored systems. High-ValueSystems. Organizations relying heavily on intellectual property and/or other protect data types (e.g., personal and financial information) have an intrinsic need to provide higher level protections to protect their investments. Zoning provides anadditionallayerofprotectionbyminimizingunnecessaryinformationflowsto/from thesehigh-value systems. IndustrialControlSystems. Incidents such as Stuxnet and Night Dragon are stark remindersthateventhoughcertainsystemtypesareconsideredextremelycomplexand less accessible, it is only a matter of time before successful compromise is possible. Manufacturing organizations with significant investments in industrial control and supervisorycontrolanddataacquisition(SCADA)systemscan(orhaverequirements to)isolatetheseenvironments asanadditionallayerofprotection and/orcompliance. 26.4.2 GSD Positioning. The increased use of encrypted protocols such as SSL/TLS and IPsec can blind network protections. Certain GSDs have the ability to terminateencryptedsessions,thoughtheincreasedprocessingandbandwidthrequire- ments may exceed the limits of the device. If concerned, the security architecture should deploy appropriate countermeasures at strategic locations that avoid encrypted traffic. This way, the GSD can focus on its primary role of detecting and preventing malicious activity. 26.4.2.1 Inline. Placing the GSD inline creates a choke point for active en- forcement on all network traffic that flows through it. When a malicious packet enters26 · 20 GATEWAY SECURITY DEVICES the GSD, protocol analysis will detect the anomaly and will not allow it to flow out the other interface. Although bandwidth limitations are a typical concern, improperly configured inline devices may also present a denial-of-service condition. With proper infrastructure planning anddeployment, itispossible tominimizethese risks. 26.4.2.2 Controlling Encrypted Trafﬁc. Since mobile devices frequently ventureoutsideofthecontrollednetwork,onelogicalplacetoevaluatetrafficisonthe unencrypted side of the connection. This may be on the backside of a SSL terminator (in some cases on the server itself) or on the unencrypted side of a VPN connection. The second option is to use the GSD to inspect (e.g., termination and/or passive de- cryption) the traffic before forwarding the traffic onto its final destination. This level offunctionalityrequiressubstantialprocessingresourcesbutmaybeanecessityifthe security layersdownstream areinsufficient. 26.5 MANAGEMENT AND MONITORING STRATEGIES. Regardless of vendor claims, network-security devices are never a plug-and-play endeavor. It is essential to take additional steps to define the security requirements for managing and monitoring GSD components. This approach helps ensure a well-rounded security posture. 26.5.1 Monitoring. Firewalls and GSDs provide complex functionality; moni- toringsuchsystemsmustgobeyondjustverifyingsystemavailabilityandcoverdevice health, availability, andintegrity. 26.5.1.1 Health. Metrics such as processor utilization, available RAM, and number of connections all have an impact on overall functionality. A centralized management console may provide the ability to monitor and alert on these metrics. If this functionality is unavailable, it may be necessary to use monitoring protocols such as Simple Network Management Protocol (SNMP) and/or Remote Monitoring (RMON) to gather these statistics. The GSD must tightly restrict the systems able to poll using these methods because of the inherent insecurities of the aforementioned monitoringprotocols.Bytrendingthesemetrics,itmaybepossibletodeterminewhen it is time to increase bandwidth or purchase systems that are capable of meeting the newthroughput orprocessing needs. 26.5.1.2 Availability. When GSDs are unavailable, the network functionality candramaticallydiminish.AsimpletestofsystemavailabilityisusingICMPto“ping” oneormoreinterfacestoensurethedeviceitselfisresponding.However,thisapproach can be deceptive. Just because the device itself responds, does not mean it is properly forwarding traffic. It is also advisable to send probes (e.g., ICMP, traceroute, or other queries) to something on the other side of each interface to ensure the other device is actually receiving the packets to ensure valid results. This approach provides a better overallpictureoftheGSDavailability. 26.5.1.3 Integrity. Theabilitytotrustnetworksecuritysystemscomponentsis vital.ThepossibilityofarootkitcompromisingafirewallorGSDisnowareality.These systems must have the ability to protect against modification of system components such as ceasing operation and/or alerting the change. If this embedded functionality were unavailable, it is possible to write a script to generate cryptographic hashes of criticalsystem components andverifyagainstaknowntrusted version.MANAGEMENT AND MONITORING STRATEGIES 26 · 21 26.5.2 Policy. TheGSDpolicyisthecoredefinitionforprovidingandprotecting allowed paths. Most security systems process packets starting at the beginning of the policy and continue until there is either a match or reaching the end of the rule base (which should be an explicit “deny any”). As discussed later in this chapter, there are situations whererulesmayprocessbeforeorafterthemainrulebase. Centralized management consoles provide intuitive GUIs to configure and easily manage one or more firewall and GSD policies. Certain platforms also provide the abilitytomanage policiesdirectlyfrom thedevice. 26.5.2.1 DeﬁningAllowedPaths. Allowedpathsidentifyspecificprotocols usedtoimplementcommunication.InatypicalInternetenvironment,businessservices requireallowedpathssuchasHTTP(S),SMTP,andDNS.Theserequirementswillvary, butforanenvironment,eachallowedpathshoulddirectlyrelatetotherequiredservice. Starting from an implicit or explicit (depending on the platform) “deny any” rule, allowed paths will be added as “allow” rules, such as PERMIT HTTP, with specifics determined bythefollowingsections. Although network addressing does not provide effective authentication of systems orusers,restrictiveendpointscanmakeitmuchmoredifficultforanattackertoexploit anotherwisestraightforwardvulnerability.Itisalsoimportanttoidentifytheendpoints carefully, particularly in cases where these endpoints might reside on internal rather thanextranetorutilityzones. The direction of traffic, indicated by the source of the connection initiation, is usefulfortheruledefinitionsforseveralreasons.First,rulescanbewrittensothatonly responsestointernallyoriginatedallowedpathsareallowedinfromtheuntrustedzone, rather than explicitly permitting the protocol bidirectionally. In addition, the firewall mayprocessrulesatdifferent timesbasedondesignand/orconfiguration. 26.5.2.2 Complexity of GSD Policies. Standard firewall rules operate on simple Boolean principles. For example, allow or deny network traffic that is going from host or network X to Y on port Z. The complexities required of GSDs evalu- ating network traffic are dramatically higher. For example, this evaluation could be a combination of a Boolean test to verify an inbound email address is from a trusted source,verifymessagecontentsareacceptable,andscananattachmentforviruses.Ad- ministrators must understand the higher-level protocols to ensure that the GSD policy matchesthetypesofprotectionsexpectedandrequired.Asthenumberandcomplexity oftherulesincreases, sodotheprocessing requirements fortheGSD. Beyond the basic firewall capabilities, GSD policies typically include per-rule en- forcementoftheadditionalsecuritymeasures.Forexample,theGSDonlyusesnetwork and/ortransportlayerfilteringtorestrictaccesstotheorganization’sVPNterminators. The policy may include WAF protections, but only for the utility zones. Inbound and outbound Web and file transfer traffic may have the additional requirement for NIPS inspection. Although this level of customization adds some administrative overhead, selectively (rather than broadly) applying additional protections in this manner can reducetheperformance impactoftheaddedprotections. 26.5.2.3 ChangeManagement. Whethermanagingoneoronehundredpoli- cies, an essential element is to have a process to track policy changes. Change man- agement can be cumbersome but has several advantages. First, this provides back-out information if a change were to cause issues. Second, it provides an audit trail of