Rogers Mullis, United States, Teacher
Published Date: 13-08-2017
GATEWAY SECURITY DEVICES
26.1 INTRODUCTION. Once considered sufficient to protect an entire organization from external threats, the firewall is still perhaps the most recognized and widely deployed network-security device for Internet-connected operations. However, earlier firewall generations made security decisions with little contextual support other than the origin and destination of the packets traversing a particular allowed path.
As communications capabilities and functionality demands increased, so too did the firewall's need to inspect and enforce allowed paths using more complex protocols and at ever-increasing throughput. This evolution transformed the firewall into a true gateway security device (GSD), able to provide allowed-path enforcement using a combination of techniques that once required additional, separate security devices.
Properly selected and deployed GSDs are one security layer designed to handle these increasingly complex scenarios. The GSD is effective only with a full understanding of the capabilities and limitations, both in normal operation and under failure conditions, of consolidating multiple security functions into a single device. By providing allowed-path enforcement more intelligently and accurately, combined with the added rigor of genuinely understanding expected network flows, GSDs add defense-in-depth layers throughout the organization.
Although this chapter focuses on the GSD as a combined security device, the concepts covered are useful for understanding and evaluating the functionality of individual network-security devices. Every organization must make risk and performance decisions by weighing this consolidated approach against maintaining independent devices that each focus on a particular security function.
26.1.1 Business Requirements Outpacing Security. Technological advancement continues to transform an enterprise's ability to manage the data life cycle. The pervasiveness of mobile devices and the move toward cloud-computing resources that are no longer solely controlled or consumed by the organization continue to redefine the perimeter. Users are increasing their demands for unfettered access to corporate data from anywhere on any device (including those not controlled by the organization). This dynamic environment increases the need for layered security architectures with deeper awareness of content and context.
26.1.2 Demand-Driven Processing. Enterprises not possessing the requisite internal human or technological expertise to achieve the organization's goals for information technology (IT) have long looked to outsourced solutions to meet their needs. Software as a Service (SaaS) provides offerings such as productivity applications, collaboration, and email (e.g., Microsoft Office 365) and customer relationship management (CRM) (e.g., salesforce.com). Infrastructure- and Platform-as-a-Service (IaaS and PaaS, respectively) provide on-demand storage and computing (e.g., Amazon Web Services S3/EC2 or Rackspace Open Cloud). Outsourced offerings continue to mature and redefine how enterprises develop, manage, and present their information.
Virtualization technology continues to provide opportunities to use internal processing capabilities more efficiently. Although it provides better performance, it can also diminish security, in that the security offerings available for virtual environments are not necessarily as mature as dedicated security infrastructure. When internal and Internet-facing systems must operate on the same virtual architecture, this creates additional risk, as systems now interact at the hypervisor and virtual switch (vSwitch) level, where traditional network-security devices are unable to inspect and enforce traffic.
See Chapter 68 in this Handbook for more details about security and outsourcing.
26.1.3 Ubiquitous Mobility. Today's business climate demands the ability for employees to work from anywhere, and this need for mobility and flexibility continues to drive a significant shift in how organizations define and protect their perimeters. Employees may use a variety of systems whether at work, at home, or on the road. The level of access and functionality required extends well beyond email into enterprise applications and data. As functional mobility stretches from company-owned to personal devices, organizations must have a method to ensure that a compromised mobile device does not weaken the existing internal or outsourced security controls.
26.1.4 Regulatory and Industry Compliance. Federal regulatory requirements continue to have a significant impact on how organizations manage risk through data protection, retention, and privacy activities, many of which carry significant auditing and reporting requirements.
The Sarbanes-Oxley Act (SOX) focuses on controls and procedures designed to preserve the integrity of publicly traded organizations' financial reporting.
The Gramm-Leach-Bliley Act (GLBA), specific to financial institutions, concentrates on the protection of customer data and privacy.
The Health Insurance Portability and Accountability Act (HIPAA) requires protection of individually identifiable health information such as personally identifiable information (PII) and protected health information (PHI).
Industry-specific requirements continue to appear and evolve in an effort to address the minimum security requirements to operate with or within a specific industry. The Payment Card Industry Data Security Standard (PCI DSS) establishes baseline requirements for the protection of cardholder data during processing, transmission, and storage. PCI DSS requires organizations to determine their level of involvement with cardholder data. Once established, this determines which requirements are necessary to demonstrate compliance with the standard.
Each critical infrastructure sector, as defined in the United States by the Department of Homeland Security, has a Sector-Specific Plan (SSP), which provides representative organizations and agencies with the risk-management tools and strategies specific to the protection of each industry. One of the more mature programs is North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP). NERC CIP addresses multiple physical and digital security elements of the North American power system, including gateway protection through the establishment of an electronic security perimeter.
See Chapter 64 of this Handbook for more details on GLBA, SOX, and PCI DSS.
26.2 BASIC CONCEPTS AND TERMINOLOGY. Greater demands for mobility, new models for business interaction, and leveraging Internet-based processing capabilities continue to force the evolution of traditional perimeter protections.
26.2.1 General Capabilities. With the substantial processing requirements of specialized network security systems (e.g., IPS or anti-spam), organizations traditionally architected security infrastructures that leveraged dedicated solutions/devices for each function. However, current-generation GSD processing capabilities provide the opportunity to combine many of these once-dedicated systems into a single device.
26.2.2 Unified Threat Management. Unified threat management (UTM) combines elements such as anti-malware, anti-spam, IDS/IPS, VPN, application proxy, and content filtering, transforming the firewall into the original iteration of the GSD. These added capabilities allow the UTM to provide greater control and inspection at the application layer. However, there was typically only marginal management and performance integration between the feature sets.
26.2.3 Next-Generation Firewall. The next-generation firewall (NGFW) is the latest evolution in stated capabilities that complements and surpasses those of the UTM. Instead of just bolting multiple security technologies on top of one another, the NGFW provides tighter integration of each level of security. These new capabilities include greater protocol awareness and more granular allowed-path enforcement. The NGFW is able to profile protocols regardless of the port chosen. This increases the ability to detect deceptive behavior such as encrypted payloads over protocols that would not normally use encryption. This generation of GSD also has the ability to adjust policy dynamically, extending protection to other parts of the security infrastructure.
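The following Python example is added here to illustrate port-independent protocol profiling; it is not code from the Handbook or from any NGFW product. It identifies HTTP, TLS, and SSH from the first bytes a client sends and compares the result with a hypothetical per-port expectation (EXPECTED_ON_PORT), so that a TLS handshake on port 80, or cleartext HTTP on port 443, is flagged as a mismatch. The sample flows are constructed for the example; a real NGFW uses far deeper protocol decoders than this first-packet signature, which padding or tunneling can evade.

```python
import re

# Constructed sample flows for this example: (destination port, first bytes sent by the client).
SAMPLE_FLOWS = [
    (80,   b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (443,  b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32),  # TLS ClientHello
    (80,   b"\x16\x03\x03\x00\x5a\x01\x00\x00\x56\x03\x03" + b"\x00" * 32),  # TLS where cleartext HTTP is expected
    (22,   b"SSH-2.0-OpenSSH_9.6\r\n"),
    (443,  b"GET / HTTP/1.0\r\n\r\n"),                                      # cleartext HTTP where TLS is expected
    (8080, b"\x00\x01\x02\x03\xff\xfe\xfd\xfc"),                           # nothing recognizable
]

# Hypothetical policy: which application protocol the organization expects on each port.
EXPECTED_ON_PORT = {80: "http", 443: "tls", 22: "ssh"}

HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n")


def identify_protocol(payload: bytes) -> str:
    """Classify the application protocol from the first bytes the client sends, ignoring the port."""
    if HTTP_REQUEST_LINE.match(payload):
        return "http"
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x04, then a
    # handshake message of type 0x01 (ClientHello) at offset 5.
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01):
        return "tls"
    if payload.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    return "unknown"


def evaluate_flow(port: int, payload: bytes) -> dict:
    """Compare the protocol actually observed with the protocol expected on that port."""
    observed = identify_protocol(payload)
    expected = EXPECTED_ON_PORT.get(port)
    if observed == "unknown":
        verdict = "unknown"        # fall back to port-based policy and log for review
    elif expected is None or observed == expected:
        verdict = "match"
    else:
        verdict = "mismatch"       # e.g. an encrypted payload on a port that should carry cleartext
    return {"port": port, "observed": observed, "expected": expected, "verdict": verdict}


def profile_flows(flows=SAMPLE_FLOWS) -> list:
    return [evaluate_flow(port, payload) for port, payload in flows]


if __name__ == "__main__":
    for result in profile_flows():
        print(result)
```

Running the module prints one verdict per sample flow; the third and fifth flows are the ones a port-only firewall would have passed without comment.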
26.2.4 Web Application Firewalls. GSDs provide additional capabilities to inspect and enforce allowed paths for Web-based communications. However, the complexity of current and next-generation Web protocols may outpace the security provided by a general-purpose GSD. The Web application firewall (WAF) provides more robust HTTP protocol inspection capabilities. The WAF provides customizable rules to protect against common payload-based attacks such as SQL injection, cross-site scripting (XSS), and command injection. This platform can also serve as a virtual patch for Web applications, whether legacy applications that cannot be patched or ones awaiting a patch the vendor has not yet released.
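As an added illustration of the rule-based inspection a WAF performs (example code, not part of the Handbook or of any WAF product), the Python below normalizes each request parameter (double URL-decoding, whitespace collapsing, lowercasing) and then runs a small hypothetical rule set against it. The rules, rule identifiers, and sample requests are all constructed for this example; real rule sets are much larger and are still subject to false positives and to bypasses, which is why a WAF is a virtual patch rather than a substitute for fixing the application.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Hypothetical rule set for this example, not taken from any real WAF:
# (rule id, compiled pattern, attack class).
RULES = [
    ("sqli-001", re.compile(r"(\bunion\b.*\bselect\b|'\s*or\s+['\d]|;\s*drop\b)", re.I | re.S), "sqli"),
    ("xss-001",  re.compile(r"(<script\b|javascript:|\bon\w+\s*=)", re.I), "xss"),
    ("cmdi-001", re.compile(r"(;|\|\||&&|`)\s*(cat|ls|id|wget|curl|nc|bash|sh)\b", re.I), "cmdi"),
]

# Constructed (method, path-with-query, body) triples.
SAMPLE_REQUESTS = [
    ("GET",  "/search?q=shoes", ""),
    ("GET",  "/item?id=1%27%20OR%20%271%27%3D%271", ""),                              # tautology
    ("GET",  "/item?id=1%2520UNION%2520SELECT%2520password%2520FROM%2520users", ""),  # double URL-encoded
    ("POST", "/comment", "text=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    ("GET",  "/ping?host=8.8.8.8%3Bcat%20%2Fetc%2Fpasswd", ""),
]


def normalize(value: str) -> str:
    """Canonicalize before matching: decode twice to defeat double encoding, collapse whitespace, lowercase."""
    decoded = unquote_plus(unquote_plus(value))
    return re.sub(r"\s+", " ", decoded).lower()


def inspect_request(method: str, target: str, body: str = "") -> list:
    """Return (rule id, attack class, parameter name) for every rule that fires on the request."""
    url = urlsplit(target)
    params = parse_qsl(url.query, keep_blank_values=True)
    if method == "POST":
        params += parse_qsl(body, keep_blank_values=True)
    params.append(("<path>", url.path))
    findings = []
    for name, raw in params:
        value = normalize(raw)
        for rule_id, pattern, attack in RULES:
            if pattern.search(value):
                findings.append((rule_id, attack, name))
    return findings


def run_samples(requests=SAMPLE_REQUESTS) -> list:
    return [inspect_request(*req) for req in requests]


if __name__ == "__main__":
    for req, findings in zip(SAMPLE_REQUESTS, run_samples()):
        print(req[0], req[1], "->", findings or "clean")
```

Normalization runs before matching because encoding is the attacker's cheapest evasion; the third sample only fires because the value is decoded a second time.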
26.2.5 Firewall Architectures Changing. As security vendors work to keep pace with these changes with more functionality and higher performance, it is the customer's responsibility to understand the advantages and disadvantages of each proposed protection solution. Such analysis provides the necessary insight for the organization to deploy the most appropriate architecture to meet the necessary security and performance requirements.
26.2.6 Packet Filtering. Routing devices gave rise to first-generation firewalling capabilities. Packet filtering is a set of explicit rules describing the allowed paths network traffic may travel. The rules, in the form of an access control list (ACL), independently evaluate one or more portions of each packet's header to make the allowed-path decision.
The packet filter acts on each packet as an individual entity, without regard to the packets that come before or after it. Although this method provides security with the least overhead of any firewall architecture, it is vulnerable to several network- and transport-layer attacks.
Internet Protocol (IP) spoofing is specially crafting a packet in an effort to deceive the router into accepting traffic that appears legitimate. The attacker will configure a packet to look like it originated from the internal network even though it is coming in on the external interface. A Land attack sends a spoofed TCP SYN packet to a host with the source and destination IP address and port being equal, and can cause a denial of service on a vulnerable network stack. The Teardrop attack intentionally fragments a packet and manipulates the fragment offset so that the data of the preceding fragment overlaps with the offset of the next fragment. When the receiving system reassembles the overlapping fragments, a vulnerable network stack crashes, causing a denial of service.
Although both the Land and Teardrop attacks require a vulnerable end device, initial packet filters did not have the contextual understanding to stop such attacks. Mitigation for the Teardrop attack includes implementing packet reassembly on the filtering device, recombining the fragments into the original packet to ensure that the recombined packet does not violate basic IP packet specifications, before forwarding it to its next hop.
For details of these and other denial-of-service attacks, see Chapter 18 in this Handbook.
Current-generation GSDs use stateful inspection (covered next) in an effort to overcome many of the limitations of packet filtering. However, many non-security devices still use packet filters to provide basic protection of their administrative interfaces and monitoring functions.
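The Python below is an added example (not code from the Handbook) that makes the two points of this section concrete. A first-match ACL evaluator judges each packet on its header alone, so a Land packet whose header satisfies a "permit tcp to 10.0.0.0/24 port 80" rule is permitted by the ACL even though an explicit Land check catches it; and a small reassembler rejects a Teardrop-style overlapping fragment pair while passing a contiguous pair, which is the reassembly-before-forwarding mitigation the text describes. The rules, addresses, and fragment layouts are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", ...
    sport: int = 0
    dport: int = 0
    flags: set = field(default_factory=set)  # TCP flags present, e.g. {"SYN"}
    frag_id: int = 0           # IP identification, shared by all fragments of one datagram
    frag_offset: int = 0       # fragment offset in 8-byte units, as carried in the IP header
    frag_len: int = 0          # bytes of payload carried by this fragment
    more_fragments: bool = False


@dataclass
class Rule:
    action: str                # "permit" or "deny"
    src: str                   # CIDR
    dst: str                   # CIDR
    proto: str                 # "tcp", "udp" or "any"
    dport: Optional[int] = None


def acl_decision(rules, pkt):
    """First-match ACL with an implicit deny. Each packet is judged on its own header alone."""
    for r in rules:
        if (r.proto in ("any", pkt.proto)
                and ip_address(pkt.src) in ip_network(r.src)
                and ip_address(pkt.dst) in ip_network(r.dst)
                and (r.dport is None or r.dport == pkt.dport)):
            return r.action
    return "deny"


def is_land(pkt):
    """Land: a SYN whose source and destination address and port are identical."""
    return pkt.proto == "tcp" and "SYN" in pkt.flags and pkt.src == pkt.dst and pkt.sport == pkt.dport


class FragmentReassembler:
    """Reassemble before forwarding so overlapping (Teardrop-style) fragments never reach the host."""

    def __init__(self):
        self.pending = {}  # (src, dst, frag_id) -> list of (start, end) byte ranges seen

    def add(self, pkt):
        key = (pkt.src, pkt.dst, pkt.frag_id)
        start = pkt.frag_offset * 8
        end = start + pkt.frag_len
        ranges = self.pending.setdefault(key, [])
        if any(start < e and s < end for s, e in ranges):
            del self.pending[key]          # discard the whole datagram, not just this fragment
            return "drop-overlap"
        ranges.append((start, end))
        if pkt.more_fragments:
            return "pending"
        ranges.sort()
        contiguous = ranges[0][0] == 0 and all(
            ranges[i][1] == ranges[i + 1][0] for i in range(len(ranges) - 1))
        del self.pending[key]
        return "reassembled" if contiguous else "drop-gap"


def run_samples():
    rules = [Rule("permit", "0.0.0.0/0", "10.0.0.0/24", "tcp", 80),
             Rule("permit", "10.0.0.0/24", "0.0.0.0/0", "any")]
    web = Packet("198.51.100.4", "10.0.0.5", "tcp", 40000, 80, {"SYN"})
    ssh = Packet("198.51.100.4", "10.0.0.5", "tcp", 40001, 22, {"SYN"})
    land = Packet("10.0.0.5", "10.0.0.5", "tcp", 80, 80, {"SYN"})
    results = {
        "web": acl_decision(rules, web),
        "ssh": acl_decision(rules, ssh),
        "land_acl": acl_decision(rules, land),   # the header alone satisfies the first rule
        "land_detected": is_land(land),
    }
    teardrop = FragmentReassembler()
    results["teardrop"] = [
        teardrop.add(Packet("198.51.100.4", "10.0.0.5", "udp", frag_id=7, frag_offset=0, frag_len=24, more_fragments=True)),
        teardrop.add(Packet("198.51.100.4", "10.0.0.5", "udp", frag_id=7, frag_offset=2, frag_len=24)),  # bytes 16..40 overlap 0..24
    ]
    legit = FragmentReassembler()
    results["legit"] = [
        legit.add(Packet("198.51.100.4", "10.0.0.5", "udp", frag_id=8, frag_offset=0, frag_len=24, more_fragments=True)),
        legit.add(Packet("198.51.100.4", "10.0.0.5", "udp", frag_id=8, frag_offset=3, frag_len=10)),
    ]
    return results
```

The ACL result for the Land packet is the point: nothing in a stateless header match distinguishes it from a legitimate request to the Web server.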
26.2.7 Stateful Inspection. Stateful inspection identifies and tracks additional parameters within each packet, adding context by representing flows along allowed paths as network connections instead of individual packets. Even though IP and the User Datagram Protocol (UDP) are connectionless protocols, the firewall creates a virtual connection to emulate their connection-oriented counterparts. Although the specific parameters tracked in the state table vary across GSD vendors, the table resides in memory for more efficient processing.
Since a packet filter inspects packets individually, it places no special demands on firewalls in a load-balanced or fail-over architecture. However, to ensure sustained connections in high-availability architectures, stateful inspection must establish and maintain a synchronized copy of the state table in each of its high-availability members. Although some vendors still maintain that a direct serial connection is the most reliable connection method, highly available solutions are unlikely to be in the physical proximity necessary for a serial connection and typically take advantage of existing network connections to maintain the state synchronization.
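The following Python is an added example of a state table, written for this chapter and not taken from any vendor's implementation. It tracks TCP flows through a minimal handshake state machine, gives UDP a virtual connection that expires on idle timeout, admits a reply only when a matching flow exists (so a stray SYN-ACK with no state is dropped), and serializes the table for a high-availability peer. The zone names, the 30-second UDP timeout, the policy, and the packets are all assumptions made for the example.

```python
import json


class StateTable:
    """Stateful inspection: the allowed-path decision is made per flow, not per packet."""
    UDP_IDLE_TIMEOUT = 30.0   # seconds; a hypothetical value, vendors differ

    def __init__(self, allowed_outbound):
        self.allowed_outbound = allowed_outbound   # {(proto, dport)} inside hosts may open
        self.flows = {}                            # 5-tuple -> {"proto", "state", "last"}

    @staticmethod
    def key(p):
        return (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])

    @staticmethod
    def reverse(k):
        proto, src, sport, dst, dport = k
        return (proto, dst, dport, src, sport)

    def inspect(self, p, now):
        """Return 'allow' or 'drop' for one packet dict and update the table."""
        self._expire(now)
        k, flags = self.key(p), p.get("flags", set())
        if k in self.flows:
            fk, direction = k, "orig"
        elif self.reverse(k) in self.flows:
            fk, direction = self.reverse(k), "reply"
        else:
            return self._new_flow(p, k, flags, now)
        entry = self.flows[fk]
        entry["last"] = now
        if p["proto"] == "tcp":              # minimal TCP state machine
            if "RST" in flags:
                del self.flows[fk]
            elif entry["state"] == "SYN_SENT" and direction == "reply" and {"SYN", "ACK"} <= flags:
                entry["state"] = "SYN_RECV"
            elif entry["state"] == "SYN_RECV" and direction == "orig" and "ACK" in flags:
                entry["state"] = "ESTABLISHED"
            elif "FIN" in flags:
                entry["state"] = "CLOSING"
        return "allow"

    def _new_flow(self, p, k, flags, now):
        # Only the inside zone may open a flow, and only to a permitted service.
        if p["zone"] != "inside" or (p["proto"], p["dport"]) not in self.allowed_outbound:
            return "drop"
        # A TCP flow must begin with a bare SYN; a SYN-ACK or ACK with no state is spoofed or stale.
        if p["proto"] == "tcp" and flags != {"SYN"}:
            return "drop"
        self.flows[k] = {"proto": p["proto"], "state": "SYN_SENT" if p["proto"] == "tcp" else "UDP", "last": now}
        return "allow"

    def _expire(self, now):
        # UDP has no close handshake, so its virtual connection ends by idle timeout.
        stale = [k for k, e in self.flows.items() if e["proto"] == "udp" and now - e["last"] > self.UDP_IDLE_TIMEOUT]
        for k in stale:
            del self.flows[k]

    def export_state(self):
        """Serialized copy of the table, sent to the HA peer over the network."""
        return json.dumps([[list(k), e] for k, e in self.flows.items()])

    @classmethod
    def import_state(cls, allowed_outbound, blob):
        peer = cls(allowed_outbound)
        peer.flows = {tuple(k): e for k, e in json.loads(blob)}
        return peer


def run_samples():
    fw = StateTable({("tcp", 443), ("udp", 53)})

    def pkt(zone, proto, src, sport, dst, dport, *flags):
        return {"zone": zone, "proto": proto, "src": src, "sport": sport,
                "dst": dst, "dport": dport, "flags": set(flags)}

    syn = pkt("inside", "tcp", "10.0.0.5", 40000, "203.0.113.7", 443, "SYN")
    synack = pkt("outside", "tcp", "203.0.113.7", 443, "10.0.0.5", 40000, "SYN", "ACK")
    ack = pkt("inside", "tcp", "10.0.0.5", 40000, "203.0.113.7", 443, "ACK")
    stray = pkt("outside", "tcp", "203.0.113.9", 443, "10.0.0.5", 40001, "SYN", "ACK")
    query = pkt("inside", "udp", "10.0.0.5", 5353, "198.51.100.53", 53)
    answer = pkt("outside", "udp", "198.51.100.53", 53, "10.0.0.5", 5353)

    results = {
        "syn": fw.inspect(syn, 0.0),
        "synack": fw.inspect(synack, 0.1),
        "ack": fw.inspect(ack, 0.2),
        "tcp_state": fw.flows[StateTable.key(syn)]["state"],
        "stray_synack": fw.inspect(stray, 0.3),        # no matching flow: dropped
        "dns_query": fw.inspect(query, 1.0),
        "dns_answer": fw.inspect(answer, 1.5),         # reply to a tracked virtual connection
        "dns_answer_late": fw.inspect(answer, 100.0),  # virtual connection already expired
    }
    peer = StateTable.import_state(fw.allowed_outbound, fw.export_state())
    results["peer_has_flow"] = StateTable.key(syn) in peer.flows
    return results
```

The export/import pair is what the high-availability discussion above is about: if the peer does not hold the same flow entries when it takes over, every established connection looks like a stray packet and is dropped.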
26.2.8 Application Layer Gateway. As threats became more sophisticated across existing allowed paths, firewalls added application-layer gateway (ALG) protection. Each application-specific proxy (e.g., HTTP, RPC, FTP) acts as the allowed-path broker for the connection, creating a separate, backend connection to the other host. Although the full connection is actually two independent sessions, this duality is transparent to the requester and the server. Being a brokered connection adds an additional layer of defense by rewriting potentially malformed requests, validating and enforcing protocol compliance, and not allowing direct communication between client and server.
The detailed payload analysis increases the amount of time the firewall spends evaluating each packet, potentially reducing throughput for other network traffic and increasing the need for sufficient processing resources. The ALG may also create issues such as poor performance for protocols requiring minimal overhead, in addition to unexpected compatibility issues due to vendor-specific protocol implementations. Active review and management will help to minimize the ALG's impact on operations.
26.2.9 Current Gateway Security Devices. The firewall evolved yet again as attacks continued to increase in complexity and scale. Stateful filtering and application-layer gateway functionality were effective at protecting against specific known attack vectors. However, the sophistication of newer-generation attacks quickly revealed that those two features were unable to provide the necessary level of protection. The additional capabilities integrated into the firewall gave rise to the GSD.
The initial iteration of the GSD is known as unified threat management (UTM). UTM is the consolidation of the firewall with multiple additional security platforms (e.g., network intrusion-prevention system, content filter, anti-spam) into a single device. UTM vendors that only had a strong presence in one or two of the protection measures had to either integrate a third-party security product or build their own offering to fill out the full protection suite. This was also an opportunity to consolidate management and monitoring capabilities to create a unified platform. However, the UTM would prove somewhat inefficient, as each packet travels serially through the different security engines, severely impacting performance as the number of enabled protections increases.
The most current generation of GSDs, known as next-generation firewalls (NGFWs), provides greater application detection, awareness, and enforcement in addition to tighter integration of all security layers. Increasing the processing and inspection capabilities alone was not enough to meet the demands of the current generation of application protocols. These protocols are more complex in form and function, even though they may follow a traditional allowed path such as HTTP. The NGFW must also be able to decode and understand the application's inner workings regardless of port and enforce policy on all or subsets of the protocol. NGFWs process packets through selected security engines in parallel to increase performance and focus the protection on the specific type of traffic detected.
26.2.10 Host Environment Context. Although this chapter focuses on gateway security devices from a network perspective, comparable host-based protections warrant coverage, as they are an important defense-in-depth component and have certain capabilities that network-based GSDs cannot provide. With mobility and ubiquitous information access being central themes of today's personal and business environments, host-level protection is an ever-present fixture. The host's movement from relying on network security measures to local, context- and environment-aware security measures will provide more robust and flexible security wherever the host goes.
Host-based security, aside from basic firewalling, has additional complexity and considerations due to the protection requirements of the additional elements (software, services, etc.) running on the host. The host's ability to understand its local environment allows for more granular protection and visibility. Instead of focusing purely on port-based network access, the increased environmental context defines what applications and services can access or receive network traffic, access or change other services, or execute code in a virtual machine (VM) to verify expected behavior(s).
26.2.11 Firewall Platforms. GSDs continue to advance in form, function, and contextual understanding to provide allowed-path enforcement at all layers of the network stack. Malicious actors continue to develop increasingly targeted and effective code that travels on an otherwise allowed path. These more detailed network inspection requirements dictate that every organization select the most appropriate platform to meet its security and performance needs.
26.2.12 Routing Devices. As the need to transmit data within a network and beyond increased, routing devices were adapted to provide native and then modular security services.
26.2.12.1 Access Control Lists. Routing-device ACLs typically provide rudimentary allowed-path enforcement with minimal performance impact. ACLs permit or deny individual network packets based on a combination of parameters from the header, such as source and destination IP addresses and/or TCP/UDP port.
Routing-device-based security services matured to provide enhanced capabilities based on their contextual understanding of the network. Routing devices can support several stateful inspection techniques, the most rudimentary being the ability to track connections based solely on the acknowledgement (ACK) flag of an established connection. However, this method is more susceptible to spoofed packets directed at the intended target than traditional stateful inspection based on a table of established connections, since any packet with the ACK flag set appears to belong to an existing connection. Routing platforms can also provide anti-spoofing capabilities based on network topology. When enabled, the routing device will make forwarding decisions based on its understanding of connected and learned routes and only allow source IPs to originate from the appropriate interface.
26.2.12.2 Hardware Modules. With bandwidth increasing into the tens to hundreds of gigabits per second (and beyond), routing-device manufacturers needed to offload the security functions to a dedicated vendor-specific module (or line card). The module provides logical protection for one or more allowed paths while using the backplane to achieve higher data rates, and provides protection based on one or more of the firewall architectures described above. Some routing vendors also support modules, similar to a blade server, that allow other security vendors to integrate their technology deeper into the routing infrastructure.
26.2.13 Appliances. The GSD appliance emerged as a way to shed complex security decisions from routing devices onto a dedicated security platform. Appliance form factors, capabilities, and limitations vary among GSD vendors, with the GSD application integrating into the chosen hardware platform.
26.2.13.1 Proprietary. A proprietary hardware-based GSD appliance manufacturer is able to establish and retain tight controls over all aspects of the platform. The hardware is purpose-built to interoperate with the GSD software and provides different levels of performance and functionality. High-performance components such as application-specific instruction sets are typically proprietary. However, the vendor will balance the cost effectiveness of the platform by choosing commercial-off-the-shelf (COTS) hardware for the utility components (e.g., network interfaces and RAM). The accompanying proprietary, hardware-specific operating system (OS) allows the vendor to maintain tight controls on interoperability, configuration, and software revisions.
26.2.13.2 Hardware Independent. Hardware-independent GSD appliances transfer responsibility to the customer to procure hardware that meets a specific set of requirements, while the GSD vendor retains responsibility for developing the GSD application and/or OS. The GSD uses either a customized version of an OS (typically Linux or Berkeley Software Distribution, BSD) or installs directly onto a customer-provided base OS.
A GSD application installed on a proprietary (or premodified) OS reduces native security exposures through vendor-customized hardening of OS mechanisms to remove nonessential features and functionality, while maintaining the tight controls described in the section above.
The GSD application may also be able to install on specific versions of the customer's native OS of choice, providing the customer the most flexibility in choosing a GSD appliance. The GSD application will make some hardening changes but leaves much of the operating system management to the customer. This increases the risk of insecure and/or underperforming implementations, because the GSD vendor does not fully control OS configuration, patches, and interoperability.
26.2.13.3 Soft Appliance. The soft appliance packages the hardware-independent/proprietary-OS GSD into a bootable platform that can run on consumer-grade equipment. This platform is more suited for point-in-time protection needs, such as main GSD device failure, fast-turn deployments, and testing. Before deploying a soft appliance, the customer must temper the potential "flexibility" of this solution with other considerations such as manageability (configuration, logging, etc.), scalability, and required functionality.
26.2.13.4 Embedded Appliance. In addition to high-end, scalable devices, GSD vendors also recognized the opportunity to service other markets, such as providing specialized capabilities on platforms scaled to meet the needs of consumers and small-to-medium businesses (SMBs).
SMBs are less likely to have sufficient funding or dedicated security staff to purchase, manage, and monitor multiple security devices. SMB-grade GSDs provide a more economical all-in-one device, due to their smaller form factor, simplified user interface, and lower performance requirements. In addition to providing the standard wired and/or wireless connectivity options, the device typically provides a full complement of UTM security functionality.
26.2.14 Virtualization. GSD vendors now provide solutions ranging from leveraging the virtual environment to provide independent network security capabilities to embedding granular protections at the hypervisor level. Instead of requiring a full installation, some GSD vendors will provide a preinstalled virtual appliance that minimizes total deployment time. It is important to ensure that the virtualized GSD maintains its priority in obtaining and sustaining resources from the hypervisor, so that it is not starved by the very workloads it protects.
A VM-capable GSD acts as an independent network security entity. Instead of having dedicated hardware, the GSD leverages the hypervisor's hardware abstraction layer to gain access to the necessary resources. This implementation provides hardware-appliance-like capabilities to control the allowed paths based on which networks route through the GSD VM instance.
A VM-embedded GSD virtual appliance integrates with the hypervisor to gain low-level access to the entire VM host/cluster. The GSD now has visibility into previously inaccessible communication paths and is able to conduct allowed-path enforcement for both inter- and intra-VM communications.
26.2.15 Host-Based Agents. As mobile devices demanded greater internal network access, including data to be stored locally on the device, so did the requirement grow for host-based protections able to minimize the additional risk of allowing such access. Antivirus capabilities, although arguably only marginally effective against new and emerging threats, still maintain a necessary presence to filter known attack vectors. Firewalling capabilities at the network and application level reduce the host's network-facing threat profile. The host intrusion prevention system (HIPS) provides protection against known and potentially unknown threats because of its ability to inspect up to the application layer.
When network-security devices fail to detect a threat, host-based protection has additional measures to detect local anomalous behavior due to its increased contextual awareness of how the host, its applications, and the operating system should behave, giving the host an advantage in detecting emerging threats. However, organizations should not underestimate the administrative overhead necessary to manage and monitor this protection.
See Chapter 27 of this Handbook for more details on host-based protections.
26.3 NETWORK-SECURITY MECHANISMS. Network security, once synonymous with the firewall, continues its growth in both scope and depth. Governments and organizations are requiring security to be baked into the systems and solutions they produce or purchase.
It is entirely possible for an attack to originate from a system without any direct perimeter attack. These attack vectors include likely exposures, such as an employee mobile device infected with malicious code while traveling; the new USB flash drive an employee receives at a conference; or a vendor providing legitimate support who plugs his/her laptop into the internal network.
Those who are selecting network security systems must be able to separate hyperbole from reality to ensure the device(s) deployed realistically address the specific risks pertinent to the organization. Gateway security devices maintain their basic allowed-path control heritage but are now far more advanced in their ability to integrate protection within the payload and beyond.
26.3.1 Allowed Paths. Network-security devices provide allowed-path protections to ensure network traffic only flows in expected and intended ways. Unfortunately, this base level of enforcement is insufficient, because application-layer attacks (e.g., client-side browser exploits) leverage these traditional allowed paths. Regulatory and compliance security requirements are also driving the deployment of more capable allowed-path enforcement mechanisms deeper into the internal network to protect intellectual property, customer/partner data, and industrial control systems (ICSs).
To manage allowed-path risk effectively, organizations must define and baseline their expected traffic flows both internally and externally. The baseline is vitally important when the only indication of compromise may be an unusual, though apparently benign, interaction between systems that do not typically interact with one another.
26.3.2 Tunneling. Tunneled access into the internal network for the purposes of remote access, information sharing, and commerce is essential for most organizations. These tunnels, typically in the form of a virtual private network (VPN), use encryption to protect the confidentiality of the transferred data. If the GSD does not terminate the tunnel, it typically only provides network- and transport-layer allowed-path enforcement through to the termination endpoint. This scenario fragments the inspection of the encapsulated traffic, requiring the termination endpoint itself or another security device placed after decryption to provide additional protection through allowed-path enforcement and application-layer inspection.
See Chapter 32 for more information on GSD VPN capabilities.
26.3.3 Anti-Spoofing. One of the most readily exploited weaknesses of the IP protocol is spoofing. Because IPv4 provides no authentication of the source address, a host's network stack is capable of producing packets that appear to originate from any IP address and/or port chosen. This attack is an effort to deceive the receiving host and/or any network protection in between into believing the originating host is following an allowed path. Due to the simplicity of executing spoofing attacks, GSD vendors developed and implemented several effective methods to thwart these types of attacks. The network topology is a key element in the GSD's ability to determine what traffic should originate from each of its physical and/or logical interfaces.
One common anti-spoofing method is explicit definition of the network topology on a per-interface basis. This provides an efficient method for the GSD to determine whether the source IP address of a packet entering an interface matches what the GSD expects to be the source network. If not, the packet fails to meet the criteria and is dropped. Although simple and effective, the disadvantage is the manual management of the per-interface network definitions.
Another method is to learn the network topology by leveraging the routing table to make the same type of per-interface anti-spoofing decisions (commonly called a reverse path forwarding check). The firewall goes through the same process of evaluating whether the packet's source IP matches what should be originating from that interface. However, this does not require ongoing manual intervention when network changes occur, as the routing engine updates this information. Although this method creates less administrative overhead, two disadvantages are problems if the network uses asymmetric routing and/or falls prey to a route-poisoning attack.
Both of these anti-spoofing measures are highly effective when evaluating whether network traffic is originating from the appropriate interface. However, the focus remains solely on preventing impersonation of internal network addresses. Since not all of the IP address space in existence is actually allocated and/or in use, these "bogon" networks are another source of addresses used to launch spoofing attacks. Since "bogon" network traffic originates on the external interface, the GSD would not block it based on common anti-spoofing rules. Updated lists are readily available, allowing the security administrator to enforce "bogon" protections. Some GSDs have a feature that automatically updates the list on a recurring basis, providing automated protection.
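The Python below is an added example, not code from the Handbook or from any GSD, that runs the three anti-spoofing checks described above against a small constructed topology: an explicit per-interface definition, a routing-table (reverse path) lookup, and a shortened bogon list applied only on the external interface. The interface names, routes, and sample packets are assumptions made for the example. It deliberately includes a more specific route learned via the DMZ so the asymmetric-routing weakness of the routing-table method is visible, and a bogon source that both topology checks accept.

```python
from ipaddress import ip_address, ip_network

# Constructed topology for this example.
# Method 1: explicit per-interface definition of which source networks may arrive on each interface.
INTERFACE_NETWORKS = {
    "inside":  [ip_network("10.0.0.0/8")],
    "dmz":     [ip_network("192.0.2.0/24")],
    "outside": [ip_network("0.0.0.0/0")],     # everything not claimed by a more specific interface
}

# Method 2: the routing table, longest-prefix match, used as a reverse path forwarding check.
ROUTING_TABLE = [
    (ip_network("10.0.0.0/8"), "inside"),
    (ip_network("10.20.0.0/16"), "dmz"),      # a more specific route learned via the DMZ
    (ip_network("192.0.2.0/24"), "dmz"),
    (ip_network("0.0.0.0/0"), "outside"),
]

# Method 3: a shortened bogon list, applied to traffic arriving on the external interface.
BOGONS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def explicit_check(ingress, src):
    """The most specific interface definition containing the source must be the ingress interface."""
    src = ip_address(src)
    net, iface = max(((net, iface) for iface, nets in INTERFACE_NETWORKS.items()
                      for net in nets if src in net), key=lambda m: m[0].prefixlen)
    return iface == ingress


def rpf_check(ingress, src):
    """The interface the router would use to reach the source must be the ingress interface."""
    src = ip_address(src)
    net, iface = max(((net, iface) for net, iface in ROUTING_TABLE if src in net),
                     key=lambda m: m[0].prefixlen)
    return iface == ingress


def bogon_check(ingress, src):
    """Unallocated or non-routable sources are never legitimate on the external interface."""
    return ingress != "outside" or not any(ip_address(src) in n for n in BOGONS)


def admit(ingress, src):
    """Run all three checks; the packet is forwarded only if every check passes."""
    checks = {"explicit": explicit_check(ingress, src),
              "rpf": rpf_check(ingress, src),
              "bogon": bogon_check(ingress, src)}
    return all(checks.values()), checks


def run_samples():
    cases = [("outside", "198.51.100.4"),   # ordinary Internet source
             ("outside", "10.0.0.5"),       # internal address arriving from outside
             ("inside", "10.0.0.5"),
             ("outside", "100.64.1.1"),     # topology checks pass, bogon list catches it
             ("inside", "10.20.0.7")]       # asymmetric routing: RPF rejects a legitimate host
    return {case: admit(*case) for case in cases}
```

The last case is the operational caveat from the text: the host really is on the inside network, but because the best route back to it points at the DMZ, the routing-table method drops it while the explicit definition accepts it.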
26.3.4 Network Address Translation. Network address translation (NAT) is a mechanism that maps internal (typically private RFC 1918) network addresses to one or more publicly routable IP addresses. This is an essential function in IPv4 due to the increasing shortage of publicly routable addresses. Because of its ability to mask the internal network addressing, NAT quickly came to be thought of as a security mechanism. Realistically, NAT only ensures that network traffic maintains its translations; it has no inherent security capabilities such as payload inspection.
To ensure sustained connections in high-availability architectures, NAT must establish and maintain a synchronized copy of the translation table with each high-availability member. This mechanism follows the same serial or network connection used to maintain the state table.
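As an added example (not from the Handbook or any vendor), the Python below implements a port-address translation table of the kind the text describes: outbound packets from inside hosts get the single public address and a fresh public port, inbound packets are forwarded only when a translation already exists, the payload passes through untouched, and the table can be serialized for a high-availability peer. The addresses and port numbering are constructed for the example.

```python
import json


class NatTable:
    """Port-address translation: one public address shared by many internal hosts."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}   # (proto, inside ip, inside port) -> public port
        self.inbound = {}    # (proto, public port) -> (inside ip, inside port)

    def translate_outbound(self, proto, src, sport, dst, dport, payload=b""):
        """Rewrite the source of an inside-to-outside packet, creating a translation on first use."""
        key = (proto, src, sport)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(proto, port)] = (src, sport)
        # Only the header changes; NAT neither inspects nor alters the payload.
        return (self.public_ip, self.outbound[key], dst, dport, payload)

    def translate_inbound(self, proto, src, sport, dst, dport, payload=b""):
        """Forward an outside-to-inside packet only if a translation exists; otherwise there is no inside target."""
        inside = self.inbound.get((proto, dport)) if dst == self.public_ip else None
        if inside is None:
            return None
        return (src, sport, inside[0], inside[1], payload)

    def export_translations(self):
        """Serialized table for the HA peer, which must hold the same mappings to keep sessions alive."""
        return json.dumps([[list(k), v] for k, v in self.inbound.items()])

    @classmethod
    def import_translations(cls, public_ip, blob):
        peer = cls(public_ip)
        for (proto, port), (src, sport) in json.loads(blob):
            peer.inbound[(proto, port)] = (src, sport)
            peer.outbound[(proto, src, sport)] = port
            peer.next_port = max(peer.next_port, port + 1)
        return peer


def run_samples():
    nat = NatTable("198.51.100.1")
    a = nat.translate_outbound("tcp", "10.0.0.5", 40000, "203.0.113.7", 443)
    b = nat.translate_outbound("tcp", "10.0.0.6", 40000, "203.0.113.7", 443)   # same inside port, distinct public port
    again = nat.translate_outbound("tcp", "10.0.0.5", 40000, "203.0.113.7", 443)
    reply = nat.translate_inbound("tcp", "203.0.113.7", 443, "198.51.100.1", b[1], b"payload")
    unsolicited = nat.translate_inbound("tcp", "203.0.113.9", 443, "198.51.100.1", 2000)
    peer = NatTable.import_translations("198.51.100.1", nat.export_translations())
    failover = peer.translate_inbound("tcp", "203.0.113.7", 443, "198.51.100.1", a[1])
    return {"a": a[:4], "b": b[:4], "again": again[:4], "reply": reply,
            "unsolicited": unsolicited, "failover": failover}
```

The "unsolicited" case is the whole of NAT's so-called security: an inbound packet with no translation has nowhere to go. Anything that does match a translation, malicious payload included, is forwarded.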
26.3.5 Intrusion Detection. GSDs inherently provide detective controls at multiple layers. These distinct controls (e.g., firewall, intrusion detection/prevention system) provide greater visibility into the types and scopes of potential incidents when properly configured and monitored. The logging and alerting capabilities associated with each control are important and necessary mechanisms for security personnel to use to understand the current state of the perimeter. With this information, it is possible to develop actionable intelligence to detect and act on anomalous and/or malicious behavior before, during, and after an incident.
Responding to alerts and reviewing all of the information generated by the GSD can be extraordinarily time consuming. However, it is important that the security administrator take the necessary steps to ensure timely and accurate log reviews. Without such reviews, it is easy to overlook issues such as pre- and post-attack traffic and system misconfigurations. Logs also provide an excellent opportunity for GSD tuning, including rule-base optimization and reducing false positives (after verification).
Properly planned and configured alerting and logging mechanisms are essential. When done poorly, these mechanisms can overload the support staff with unnecessary or extraneous information, making them less efficient and effective at addressing actual security issues.
26.3.6 Intrusion Prevention/Response. Although logs and alerts are useful for detecting and investigating security incidents, these mechanisms are passive and cannot provide threat protection. Firewalls evolved to include automated active mechanisms to respond to security events and provide active protection.
See Chapter 27 of this Handbook for more details on intrusion detection and pre-
vention.
26.3.6.1 Connection Termination. The essence of perimeter defense is to protect the internal network by blocking connection attempts that do not follow the established allowed path policy. One method for TCP-based protocols is to respond to the initiator (and sometimes the intended recipient) with a reset (RST) packet, severing the connection. The most common method—which works for connection-oriented and connectionless protocols—is to drop the packet without a response. As firewalls evolved into richer functioning GSDs, this protection grew to include blocking based on malicious activity occurring at the application layer.
Inversely, attackers can use connection termination as a method to determine where and what type of network-security devices are in use. This context may provide them additional insight on potential methods to bypass and/or adversely impact the security platform. Though this situation is unavoidable no matter what termination mechanism is employed, it is another reason to apply defenses in layers.
26.3.6.2 Adaptive Threat Mitigation. Although the GSD’s policy provides the main enforcement mechanism, vendors quickly realized that this was insufficient, as attackers continually develop additional methods to thwart these protections. GSDs include several enhanced capabilities that allow the device to adapt to specific threat conditions and provide targeted prevention.
Since attackers employ methods to change attack sources to avoid detection, and it is not always practical to follow a rigid whitelisting (least privilege) strategy, organizations typically opt to use blacklists as an additional level of protection. Some GSDs use dynamic object groups to update these lists on a predetermined schedule, helping minimize administrative overhead.
The use of thresholds provides the GSD a more efficient method to address consistent attacks that would otherwise follow the same policy-based evaluation for every attempt. One common threshold type is event quantity/type over a given set of time (e.g., total number of packets per second or x number of packets per second across multiple destination IP addresses). Once breached, the GSD will typically automatically block all traffic from the origin IP address for a predetermined time period. This type of adaptive technique requires additional processing resources and requires tuning to ensure this does not impact legitimate network flows.
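As an added illustration (not from the Handbook or any vendor product), the following Python models the two threshold types just described: a per-source packets-per-second limit and a distinct-destination limit over a one-second window, a timed block once either is breached, and an exemption list for the tuning step that keeps legitimate high-rate sources such as a monitoring host from being blocked. All limits, addresses and sample traffic are constructed.

```python
from collections import defaultdict, deque


class ThresholdBlocker:
    """Adaptive blocking driven by rate thresholds (constructed example).

    pps_limit     : packets per second tolerated from one source
    fanout_limit  : distinct destinations per window tolerated from one source
    window        : evaluation window in seconds
    block_seconds : how long a breaching source stays blocked
    exempt        : sources never auto-blocked (tuning for legitimate flows)
    """

    def __init__(self, pps_limit, fanout_limit, window=1.0,
                 block_seconds=60.0, exempt=()):
        self.pps_limit = pps_limit
        self.fanout_limit = fanout_limit
        self.window = window
        self.block_seconds = block_seconds
        self.exempt = set(exempt)
        self.recent = defaultdict(deque)   # src -> deque of (timestamp, dst)
        self.blocked_until = {}            # src -> timestamp when block expires
        self.log = []                      # (timestamp, src, reason) for review

    def _trim(self, src, now):
        """Drop observations older than the window for this source."""
        q = self.recent[src]
        while q and now - q[0][0] > self.window:
            q.popleft()

    def observe(self, ts, src, dst):
        """Record one packet and return 'pass' or 'drop'."""
        until = self.blocked_until.get(src)
        if until is not None:
            if ts < until:
                return "drop"              # still inside the block period
            del self.blocked_until[src]    # block expired; evaluate afresh
        self._trim(src, ts)
        q = self.recent[src]
        q.append((ts, dst))
        if src in self.exempt:
            return "pass"
        pps = len(q) / self.window
        fanout = len({d for _, d in q})
        if pps > self.pps_limit or fanout > self.fanout_limit:
            reason = "pps" if pps > self.pps_limit else "fanout"
            self.blocked_until[src] = ts + self.block_seconds
            self.log.append((ts, src, reason))
            q.clear()
            return "drop"
        return "pass"


def run_sample():
    """Replay constructed traffic; return per-scenario verdicts and the block log."""
    blocker = ThresholdBlocker(pps_limit=50, fanout_limit=10,
                               block_seconds=30.0, exempt={"10.0.0.5"})
    verdicts = defaultdict(list)
    # Constructed: an exempt monitoring host polls 20 internal hosts in one second.
    for i in range(20):
        verdicts["monitor"].append(
            blocker.observe(0.0 + i * 0.01, "10.0.0.5", f"10.0.1.{i}"))
    # Constructed: one external source touches 15 destinations in one second;
    # the fan-out threshold trips on the 11th distinct destination.
    for i in range(15):
        verdicts["sweep"].append(
            blocker.observe(1.0 + i * 0.01, "198.51.100.7", f"10.0.2.{i}"))
    # Constructed: another source sends 60 packets in one second to one host;
    # the packets-per-second threshold trips on the 51st packet.
    for i in range(60):
        verdicts["flood"].append(
            blocker.observe(2.0 + i * 0.01, "203.0.113.9", "10.0.2.80"))
    # Once the 30-second block has expired the sweeping source is evaluated afresh.
    verdicts["after_block"].append(blocker.observe(32.0, "198.51.100.7", "10.0.2.1"))
    return verdicts, blocker.log
```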
Being primarily perimeter devices, GSDs typically have minimal visibility into the internal, trusted network. However, modern security infrastructures can leverage multiple threat detection methods across the network to provide more comprehensive protection. Once a threat is detected, the device can leverage the security management infrastructure to update other security device policies—automatically providing additional protection or containment. This capability is also being integrated with host-based protections to drive protection deeper into the network. If a host detects a threat while on an untrusted network, the infrastructure would learn about this and adapt network protections before the device connects to an internal network.
26.3.6.3 System-Level Actions. As an added layer of defense, gateway security devices typically have built-in mechanisms to detect and respond to threats against the platform itself. Following an implicit deny model, the expected behavior is to fail secure (e.g., shut down the firewall) and not pass traffic. However, as this automatic response affects the functionality of the security device, it is important for the administrator to understand and test this functionality prior to deployment to ensure this response behavior is consistent with the protection and availability needs of the organization.
26.3.6.4 Application Inspection. The ability to protect allowed paths based on IP and/or port combinations provides marginal benefit when matched against the growing protocol complexity and configurability. As GSDs evolved, so did the ability to evaluate and enforce allowed paths based on the application layer. This capability ranges from basic protocol evaluations such as an RFC conformance check to full application layer gateways. Depending on the type of application layer protocol, a dedicated device may be necessary in high capacity, security, and/or reliability environments.
WAFs. Web application firewalls (WAFs) provide targeted enforcement within an HTTP(S) allowed path. WAFs can more readily detect and prevent common Web server attacks such as XSS and SQL injection and typically have added capabilities to protect more complex Web 2.0 (e.g., AJAX) and Web services (e.g., SOAP or JSON) protocols. It is also possible to protect otherwise vulnerable Web servers from exploits by writing protection rules that detect and nullify the application layer attack traffic. The WAF’s granular rule development is also better suited to protect custom Web applications.
Proxy Servers. The forwarding proxy enforces outgoing Internet connections by intercepting and controlling access based on criteria such as user ID, time of day, and/or whitelist/blacklist. Depending on the type and configuration, the forwarding proxy can either broker the outbound connection and make requests on behalf of the client or just enforce the particular allowed path. Classic forwarding proxies require client-side configuration to enforce Internet-bound communications. A transparent proxy is a forwarding proxy that operates as a “bump-on-the-wire”—sitting in-line or off a span port—and typically does not require client-side configuration.
Conversely, a reverse proxy provides protection to inbound allowed paths. The inbound connection terminates at the proxy, and the proxy itself establishes the second half of the connection directly with the application server. Being a brokered connection, this adds an additional layer of defense for inbound traffic by rewriting potentially malformed requests and/or not allowing direct communication to the application server.
Application Identity. In addition to source and destination IP address, network firewalls typically rely on the destination port to make a final allowed path determination for common protocols (e.g., HTTP—TCP port 80). However, it is trivial to evade upper layer inspection (e.g., proxy or WAF) by changing the destination port to something that bypasses the application layer inspection but still follows an allowed path. Current generation security devices must be able to profile all network traffic based on application type instead of destination port.
Application identification must be able to dissect the traffic and understand the subsystems/protocols embedded within the main communication flow. For example, Skype not only inherently provides video conferencing but also file transfer and chat services. With add-ons, functionality can extend to remote desktop sharing/control. By having this detailed level of application understanding, it is possible to enforce policy granularly on one or more protocol subsets. This profiling also includes identifying common protocols on unexpected ports and encrypted traffic carried over a normally clear-text protocol—that is, recognizing the application whether the traffic is encrypted or not.
26.3.7 Encryption. Confidentiality protection for sensitive data-in-motion continues to grow due to the need to minimize the risk of compromising personal/personnel data and/or intellectual property. This creates a distinct need to provide allowed path enforcement when using encryption services to or through the GSD. Due to the computational complexity, encryption protocols can significantly reduce GSD throughput without offloading encryption services to an add-on, on-board device, or dedicated external device to meet the encryption needs.
See Chapter 7 of this Handbook for more details on encryption.
Inspection. The integration of encryption into network and application flows is essential to protect the confidentiality of the data-in-motion. Although not necessarily malicious, these encrypted sessions reduce the effectiveness of any network-security device(s) attempting to inspect the protected payloads. In addition to the typical VPN and HTTPS Web traffic, the GSD must also be able to identify encrypted communications regardless of port or service. The two main methods for inspecting encrypted traffic are direct termination and on-the-fly decryption.
In the first method, the GSD terminates the encrypted connection. This provides an opportunity to inspect the once tunneled communication. Once inspected and if permitted, the GSD may pass the remainder of the communication decrypted or re-encrypt the session to maintain the confidentiality protection to the endpoint.
In the second method, the GSD will use escrowed encryption keys to decrypt network flows passively. Besides meeting the additional performance requirements to conduct passive decryption, another possible weakness is the inability to provide fully synchronous responses to detected threats—potentially allowing some malicious traffic across an allowed path before the enforcement occurs.
VPN. A virtual private network (VPN) is an encapsulated network overlaying an existing set of physical and logical networks. A common VPN implementation is for a remote client connection—allowing an authorized user to access the internal network through an encrypted tunnel. Once established, VPN clients can access internal networks and/or systems while protecting the confidentiality of the connection. Site-to-site VPNs allow authorized remote locations to gain direct internal network access for multiple users over a single connection.
Since there is little to no control when mobile systems leave the confines of the internal network, the fidelity of the mobile device is a concern. The risk of compromise at every level—from physical to operating system to applications and beyond—can expose the internal network to increased risk during a VPN session. Without terminating VPN sessions directly on the GSD, it is still possible to increase visibility and additional allowed path enforcement once the unencrypted traffic leaves the VPN termination device—see the Deployment section for additional details and considerations.
See Chapter 32 of this Handbook for more details on VPNs.
Acceleration. Using Secure Sockets Layer (SSL) and Transport Layer Security (TLS) to protect Web-based traffic or IPsec to protect VPN traffic creates a potential barrier to comprehensive allowed path enforcement. Since the encrypted traffic potentially fragments allowed path enforcements, GSDs evolved to be capable of terminating these connections to add an additional layer of inspection. However, encryption/decryption is mathematically intensive and requires sufficient processing resources to ensure these processes do not impact GSD throughput. When it is necessary for the GSD to terminate or inspect encrypted traffic, the use of a hardware encryption module is a common method to off-load this processing burden and minimize impact to other traffic flowing through the GSD.
26.3.8 Identity-Based Enforcement. By integrating with enterprise direc-
tory services using mechanisms such as Lightweight Directory Access Protocol
(LDAP) or Remote Access Dial-In User Service (RADIUS), GSDs are able to make
identity-based decisions. Instead of allowing or denying access to an allowed path by
source IP, the GSD can authorize access per user or based on group membership and
include this authorization data in logs. This additional detail enhances reporting and
auditing capabilities, providing more specific information about a particular connec-
tion well beyond just the IP address or DNS name of the host requesting allowed path
traversal.
26.3.9 Complex Protocol Engines. Complex protocols, including those used to deliver feature rich Web applications, IP telephony, or specialized protocols, such as those used by industrial control systems (ICSs), are an intrinsic necessity for many organizations. Due to the ever-increasing need to share information and access regardless of mobile device form factor or location, these complex protocols are traversing the GSD. Even with successful detection of an application in-use, it is a continual development race for the GSD to be able to understand and enforce the intricacies of each protocol.
Today’s Web-based applications continually develop new functionality to meet customer demand. Social media Web sites offer viable business models and may necessitate some or all users within an organization to access this service to conduct business. Due to ever-present personal elements (e.g., chat/comments, games, etc.), the GSDs must be able to dissect the connection and selectively permit some or all of the functionality offered by the host application.
IP telephony protocols such as session initiation protocol (SIP) and real-time protocol (RTP) are typically intolerant to latency and jitter—both of which GSDs can introduce. ICS protocols introduce vendor-specific protocol dependencies/intricacies and are even less tolerant to network variations. The loss or slowness of ICS communications can be as severe as damage to equipment or death when impacting safety systems.
Although an internal or external network perimeter is a logical point of inspection, the GSD is not necessarily the appropriate device to conduct such detailed protocol inspections. Instead, these situations may warrant additional security layers using specialized devices for the application layer or specialty protocol enforcement.
26.3.10 Content Control and Data Leakage Prevention. Organizational policies establish the behavioral expectations of its employees. The Acceptable Use Policy (or similarly named) typically covers matters specific to use of technology resources; however, the policy itself cannot provide active protection. Content filtering (CF) bridges the gap between technical and nontechnical policy enforcement. This enforcement typically focuses on internal users attempting to access information resources outside of the organization. By filtering heavily used protocols such as HTTP and SMTP, the organization can minimize user access to information not fitting the organization’s definition of business use.
This technology has several methods for inspecting, classifying, and filtering content. Inspection takes multiple forms, including residing in-line, out-of-band to monitor passing traffic without impacting the physical connection, or in conjunction with proxy redirection. Classification occurs through multiple methods, including vendor-defined categories, blacklists, and/or reputation scoring based on IP address and/or DNS name. This also allows the organization to choose to use a subset of the provided policy and/or selectively develop a whitelist to provide more granular enforcement. The filtering feature logs and/or severs the connections, allowing the organization to customize its response to detected policy violations, including redirection to a “not for business use” Web page and/or automatic administrative and/or managerial notification of repeated violations.
See Chapter 31 of this Handbook for more details on content filtering.
26.3.10.1 Information Classification and Enforcement. An overlooked but important aspect of information assurance is the proper classification of information/data into categories. This allows the organization to determine the risk reduction efforts necessary to protect each information level/type. Similar to the classification process used by governments, identifying the sensitive information increases the ability to enforce not only who has access to the information but also where and how this information can be transferred.
Digital rights management (DRM) and data loss prevention (DLP) are two current generation technologies for addressing these information-specific risks. DRM focuses on the definition and enforcement of data-at-rest—typically at the information repository level. GSDs may include DLP protections such as enforcing data-in-motion protections, including denying the transfer of files based on content/designation and/or requiring encryption for sensitive data.
26.3.10.2 Anti-malware. A contemporary attack vector is to target a commonly used Web site/service and inject malware. Although the content filter may make an initial decision to allow the connection based on the specific site name, it may also have the added capability to intercept and block the malicious content before it ever reaches the host. This functionality makes it possible to evaluate different types of traffic such as SMTP attachments and HTTP downloads. Although this type of application layer protection can dramatically reduce the GSD throughput, it is possible to redirect the scanning to an additional module within the GSD with dedicated processing power or to a dedicated network anti-malware appliance.
26.3.10.3 Active Content. Active code used on HTTP connections—such as Silverlight, Java, AJAX, and Flash—provides a foundation for a rich Web experience but also increases security risk due to their application-focused functionality. Malicious email attachments—such as documents with embedded code—are common components of phishing and spam campaigns.
In conjunction with host-based protections, the GSD can decrease the risk of ac-
tive code by preventing specific types from ever reaching the endpoint and/or scan-
ning the active code in a sandbox prior to allowing the active code to traverse the
allowed path.
See Chapter 17 of this Handbook for more details on mobile code.
26.3.10.4 Caching. Although the aggregate cost of bandwidth continues to fall, organizations continue to look for opportunities to manage these frequently congested circuits more efficiently. Proxy servers typically integrate caching mechanisms to store frequently used Internet content locally, increasing local throughput by reducing Internet-bound traffic. The GSD may also be able to provide similar caching services, given sufficient storage capacity and processing resources.
26.3.11 IPv6. The allocation of the last remaining available IPv4 address blocks to Regional Internet Registries (RIR) occurred in 2011—indicating the world is “out of IPv4 addresses.” Although one may argue that statement is overly dramatic, mass migration to IPv6 is still occurring at a slower pace than one may expect, even though IPv6 was developed in the late 1990s. While organizations continue to develop their individual transition plans, it is likely that IPv6 is already in their environment. Many modern operating systems and devices have dual IPv4 and IPv6 network stacks, with some enabled by default. IPv6 and its associated transition technologies have specific security implications that the GSD must understand and enforce.
26.3.11.1 Perimeter Security Concerns.
Addressing. IPv6 is more flexible in its approach to dynamic addressing. Instead of solely relying on DHCP, an IPv6 device can address itself through stateless address autoconfiguration (SLAAC). The host uses a unique identifier (typically its own Message Authentication Code (MAC) address) in addition to the Neighbor Discovery (ND) protocol to complete the automatic addressing. Since there is no authentication requirement, the GSD must prevent external devices from attempting to act as an internal router during the addressing process.
The significant increase of available addresses in any particular IPv6 network makes it infeasible to discover devices and network topology using traditional port scanning methodologies. By using the multicast listener discovery (MLD) protocol, an attacker can send a probe to the link-local multicast address (ff02::1) and listen for responses. The GSD must block this capability at the perimeter to prevent external devices from attempting to discover internal hosts and topologies.
Tunneling. Without ubiquitous end-to-end IPv6 connectivity, there are several IPv6 transition technologies (such as 6to4 and Teredo) that allow IPv6 capable systems to tunnel communication over legacy IPv4 networks. As with other tunneled traffic, to be effective, the GSD must not only be able to enforce the appropriate allowed path for the tunneled traffic but also inspect the encapsulated IPv6 packet.
IPv6 also has native support for IPsec (both AH and ESP). Configuration and use of IPsec in an IPv6 environment requires the same discipline in choosing and configuring cryptographic options as IPv4. It is also possible to use IPv4 IPsec to protect IPv6 transition technology tunnels, as unencrypted tunnel sessions would otherwise be vulnerable to interception and/or manipulation.
Global Connectivity. Network address translation (NAT) is an essential element for IPv4 Internet connectivity due to the relatively “small” number of publicly routable addresses. The size of the IPv6 address space (2^128 addresses) provides for global IP interconnectivity without the need (or definition) of a NAT replacement. IPv6 devices will now communicate natively across the Internet—changing perimeter dynamics yet again. With IPv6 enabled, it is essential for the GSD to enforce strict ingress and egress filtering.
Mobility. Mobile IPv6 (MIPv6) allows hosts to maintain access to the home network while physically roaming to other locations and uncontrolled networks. A user would be able to leave the office network and travel from one appointment to another without losing connectivity to the internal network. Since the device can move network to network without dropping the internal connection, MIPv6 also creates potential issues with stateful inspection if the GSD does not understand the protocol. If the organization chooses not to support MIPv6, the GSD should filter Type 2 Routing Header (RH2) packets.
26.3.12 Additional Considerations
26.3.12.1 Host Protection. Although firewalls and GSDs play a crucial role in protecting the overall network infrastructure, it is neither cost feasible nor possible to deploy these devices at all points inside the network. Individual hosts must have a way to protect themselves from threats independent of network-security devices. Unlike the network, a host has a contextual understanding of what the system can, is, and/or should be doing. Beyond the simple allow and deny functionality, contextual security measures can detect unexpected system configuration changes such as service changes or an application behaving in an unexpected manner.
When a host leaves the internal network, it becomes an extension of the network protection profile. By providing adequate local protections at the network and application levels, the mobile endpoint helps to mitigate potential issues upon reconnecting to the internal network. It is also crucial to determine the level of protection necessary and how each of these additional levels of security will affect system performance, management, and end-user impact.
26.3.12.2 Network. Hosts need to be able to determine the types and appropriateness of inbound and outbound traffic. These network restrictions may vary from the internal network to uncontrolled networks. In certain circumstances, all network traffic may be suspect and scrutinized further. For example, when on the internal network, the host allows most inbound and outbound traffic. If the host were on an uncontrolled network, it would not allow any nonestablished network flows. Simple host-based network protections are not enough; additional host protection mechanisms such as intrusion prevention can detect and stop network and application-based attacks.
26.3.12.3 Applications Access. The host’s contextual awareness also helps dictate the ability for applications to execute as well as send and/or receive data. The goal is to ensure only the appropriate applications and/or services have network access. The host protection policy may allow applications to establish outbound connections, but never listen (nor accept nonestablished inbound packets). For example, an HTTP server uses a daemon to listen for connection attempts. The HTTP client will attempt to make a connection to the HTTP server daemon. By using a host protection mechanism, it would be possible to prevent one or both of these actions.
26.3.12.4 Hybrid Protections. The host intrusion prevention system (HIPS) functions similarly to a network intrusion prevention system (NIPS) by detecting known attack patterns and/or anomalous behaviors. Hybrid host protections build on the host’s contextual awareness and provide the ability to monitor other unusual application level activity such as changes to binaries, service manipulation, and spawned listeners.
26.4 DEPLOYMENT
26.4.1 Zoned Architecture. In a contemporary interpretation of the screened subnet architecture, zones define different types and/or sensitivities of networks, applications, and/or services. This provides the ability to manage allowed paths at the macro level (per zone) in addition to the traditional allowed paths (specific hosts or services). As requirements drive security deeper into the network, the zoning concept is equally effective when used to manage and protect internal and external networks.
26.4.1.1 Perimeter Zones. The border router maintains the architecture’s first line of defense against external attacks. The ACL(s) on this router should mirror the basic allowed-path configuration of the external (untrusted) firewall interface, which provides several important benefits.
The GSD is able to operate at optimal efficiency, since traffic rejected based on the border router’s packet-filtering rules normally would never reach the firewall. This permits the firewall to focus, in terms of load, on protocol inspection. If, for example, the firewall receives a packet that should never have made it past the border router’s ACL, the firewall can assume that the router is not behaving normally. The firewall is then free to respond appropriately, with such actions as terminating all connections from a specific host.
26.4.1.2 External Service Zones. The necessity for mobility and accessibility places significant demands on Internet-facing systems in addition to increasing the administrative overhead of managing external access. The sections below provide only a sampling of possible external service zone architectures.
Utility. Instead of lumping systems such as Web, DNS, and email onto a single network, there may be an advantage to implementing zones. Utility servers such as DNS and email could logically be on the same network. Web servers typically demand greater bandwidth, and by using this concept, the organization can protect the entire zone with a simple inbound access rule.
Extranet. Extranet systems create additional complexity since they provide the user interface, while internal systems may provide the relevant content. Zoning provides more flexibility by allowing external connections to reach the Extranet servers while providing those same servers access to internal resources.
VPN. VPN networks are also an opportunity to use zoning. Since the VPN connection device must be Internet facing, this requires two different networks connected to the firewall. The external, Internet-facing (VPN untrusted) interface would only allow a few protocols for inbound and outbound encrypted traffic. The second network (VPN trusted) is for unencrypted network traffic moving to and from the internal network. This architecture also provides extra internal network protection in the event of a compromise of the VPN device as well as creating a traffic inspection point that is unimpeded by encryption.
26.4.1.3 Internal Service Zones. With the increasing prevalence of non-company-owned assets and more complex data flows, organizations continue to look for better methods to protect internal networks. The sections below provide only a sampling of possible internal service zone architectures.
Administrative and Monitoring Systems. Organizations typically limit direct access to network and security devices. By requiring all administrative and monitoring traffic to originate from a specific host and/or network, a zone can effectively reduce each device’s threat profile. This zone would not only allow minimal noninitiated inbound traffic but would also limit outbound connections to the managed and monitored systems.
High-Value Systems. Organizations relying heavily on intellectual property and/or other protected data types (e.g., personal and financial information) have an intrinsic need to provide higher level protections to protect their investments. Zoning provides an additional layer of protection by minimizing unnecessary information flows to/from these high-value systems.
Industrial Control Systems. Incidents such as Stuxnet and Night Dragon are stark reminders that even though certain system types are considered extremely complex and less accessible, it is only a matter of time before successful compromise is possible. Manufacturing organizations with significant investments in industrial control and supervisory control and data acquisition (SCADA) systems can (or have requirements to) isolate these environments as an additional layer of protection and/or compliance.
26.4.2 GSD Positioning. The increased use of encrypted protocols such as
SSL/TLS and IPsec can blind network protections. Certain GSDs have the ability to
terminateencryptedsessions,thoughtheincreasedprocessingandbandwidthrequire-
ments may exceed the limits of the device. If concerned, the security architecture
should deploy appropriate countermeasures at strategic locations that avoid encrypted
traffic. This way, the GSD can focus on its primary role of detecting and preventing
malicious activity.
26.4.2.1 Inline. Placing the GSD inline creates a choke point for active enforcement on all network traffic that flows through it. When a malicious packet enters the GSD, protocol analysis will detect the anomaly and will not allow it to flow out the other interface. Although bandwidth limitations are a typical concern, improperly configured inline devices may also present a denial-of-service condition. With proper infrastructure planning and deployment, it is possible to minimize these risks.
26.4.2.2 Controlling Encrypted Traffic. Since mobile devices frequently venture outside of the controlled network, one logical place to evaluate traffic is on the unencrypted side of the connection. This may be on the backside of an SSL terminator (in some cases on the server itself) or on the unencrypted side of a VPN connection. The second option is to use the GSD to inspect (e.g., termination and/or passive decryption) the traffic before forwarding the traffic onto its final destination. This level of functionality requires substantial processing resources but may be a necessity if the security layers downstream are insufficient.
26.5 MANAGEMENT AND MONITORING STRATEGIES. Regardless of
vendor claims, network-security devices are never a plug-and-play endeavor. It is
essential to take additional steps to define the security requirements for managing and
monitoring GSD components. This approach helps ensure a well-rounded security
posture.
26.5.1 Monitoring. Firewalls and GSDs provide complex functionality; monitoring such systems must go beyond just verifying system availability and cover device health, availability, and integrity.
26.5.1.1 Health. Metrics such as processor utilization, available RAM, and number of connections all have an impact on overall functionality. A centralized management console may provide the ability to monitor and alert on these metrics. If this functionality is unavailable, it may be necessary to use monitoring protocols such as Simple Network Management Protocol (SNMP) and/or Remote Monitoring (RMON) to gather these statistics. The GSD must tightly restrict the systems able to poll using these methods because of the inherent insecurities of the aforementioned monitoring protocols. By trending these metrics, it may be possible to determine when it is time to increase bandwidth or purchase systems that are capable of meeting the new throughput or processing needs.
26.5.1.2 Availability. When GSDs are unavailable, the network functionality can dramatically diminish. A simple test of system availability is using ICMP to “ping” one or more interfaces to ensure the device itself is responding. However, this approach can be deceptive. Just because the device itself responds does not mean it is properly forwarding traffic. It is also advisable to send probes (e.g., ICMP, traceroute, or other queries) to something on the other side of each interface to ensure the other device is actually receiving the packets, which makes the results valid. This approach provides a better overall picture of the GSD availability.
26.5.1.3 Integrity. The ability to trust network-security system components is
vital. The possibility of a rootkit compromising a firewall or GSD is now a reality. These
systems must have the ability to protect against modification of system components,
such as by ceasing operation and/or alerting on the change. If this embedded functionality
were unavailable, it is possible to write a script to generate cryptographic hashes of
critical system components and verify them against a known trusted version.
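The hash-and-verify script described above, as an added example that is not the chapter's own code: it records a SHA-256 baseline of listed files and later reports modified, missing and unexpected files. The file names and contents are constructed samples in a temporary directory, not real device paths.

```python
"""Integrity baseline/verify for critical GSD components (added example, not
the chapter's code). Builds a SHA-256 manifest of listed files and later
reports modified, missing and unexpected files. Paths here are constructed
sample files in a temp directory, not real device paths."""
import hashlib
import os
import tempfile

CHUNK = 64 * 1024

def sha256_file(path):
    """Hash in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(paths):
    """{path: sha256} for the trusted state; keep this copy off the device."""
    return {p: sha256_file(p) for p in paths}

def verify(baseline, paths):
    """Return {path: 'modified' | 'missing' | 'unexpected'}; empty means clean.
    A missing component is as serious as a modified one."""
    findings = {}
    for p, expected in baseline.items():
        if not os.path.exists(p):
            findings[p] = "missing"
        elif sha256_file(p) != expected:
            findings[p] = "modified"
    for p in paths:
        if p not in baseline:
            findings[p] = "unexpected"
    return findings

def demo():
    """Constructed scenario: baseline two files, then tamper with one."""
    d = tempfile.mkdtemp()
    files = [os.path.join(d, n) for n in ("fwd.bin", "policy.cfg")]
    for p in files:
        with open(p, "wb") as f:
            f.write(b"trusted " + os.path.basename(p).encode())
    baseline = build_baseline(files)
    with open(files[1], "ab") as f:  # simulate an unauthorized change
        f.write(b"\n# injected rule")
    return verify(baseline, files)
```

Run the verify step from a schedule or a separate monitoring host; a baseline stored on the device itself can be rewritten by the same rootkit it is meant to catch.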
26.5.2 Policy. The GSD policy is the core definition for providing and protecting
allowed paths. Most security systems process packets starting at the beginning of the
policy and continue until there is either a match or reaching the end of the rule base
(which should be an explicit “deny any”). As discussed later in this chapter, there are
situations where rules may process before or after the main rule base.
Centralized management consoles provide intuitive GUIs to configure and easily
manage one or more firewall and GSD policies. Certain platforms also provide the
ability to manage policies directly from the device.
26.5.2.1 Defining Allowed Paths. Allowed paths identify specific protocols
used to implement communication. In a typical Internet environment, business services
require allowed paths such as HTTP(S), SMTP, and DNS. These requirements will vary,
but for any environment, each allowed path should directly relate to the required service.
Starting from an implicit or explicit (depending on the platform) “deny any” rule,
allowed paths will be added as “allow” rules, such as PERMIT HTTP, with specifics
determined by the following sections.
Although network addressing does not provide effective authentication of systems
or users, restrictive endpoints can make it much more difficult for an attacker to exploit
an otherwise straightforward vulnerability. It is also important to identify the endpoints
carefully, particularly in cases where these endpoints might reside on internal rather
than extranet or utility zones.
The direction of traffic, indicated by the source of the connection initiation, is
useful for the rule definitions for several reasons. First, rules can be written so that only
responses to internally originated allowed paths are allowed in from the untrusted zone,
rather than explicitly permitting the protocol bidirectionally. In addition, the firewall
may process rules at different times based on design and/or configuration.
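The first-match rule base and direction handling described in 26.5.2 and 26.5.2.1, as an added example rather than the chapter's or any vendor's code: rules are walked top to bottom ending in an explicit deny any, and inbound packets from the untrusted zone pass only as replies to connections the rule base already allowed. The zones, addresses, ports and rules are constructed sample values.

```python
"""First-match rule base with connection tracking (added example, not the
chapter's code). Rules are checked top to bottom, first match wins, and the
base ends with an explicit deny any. Reply packets pass only if they belong to
a connection already allowed, so nothing is permitted bidirectionally.
Zones, addresses and rules are constructed sample values."""
import ipaddress

ZONES = {"internal": ipaddress.ip_network("10.0.0.0/8"),
         "utility": ipaddress.ip_network("192.0.2.0/24"),
         "untrusted": ipaddress.ip_network("0.0.0.0/0")}  # catch-all

def zone_of(ip):
    """Most specific (longest prefix) zone containing ip."""
    addr = ipaddress.ip_address(ip)
    return max((n for n in ZONES if addr in ZONES[n]),
               key=lambda n: ZONES[n].prefixlen)

# (action, src_zone, dst_zone, proto, dport); "any" is a wildcard.
RULES = [
    ("allow", "internal", "untrusted", "tcp", 443),  # PERMIT HTTPS outbound
    ("allow", "untrusted", "utility", "tcp", 25),    # inbound SMTP to relay
    ("deny", "any", "any", "any", "any"),            # explicit deny any, last
]

class Policy:
    def __init__(self, rules):
        self.rules = rules
        self.conns = set()  # 5-tuples of connections the rule base allowed

    def first_match(self, pkt):
        """Walk the rule base in order; stop at the first matching rule."""
        for action, sz, dz, proto, dport in self.rules:
            if (sz in ("any", zone_of(pkt["src"])) and
                    dz in ("any", zone_of(pkt["dst"])) and
                    proto in ("any", pkt["proto"]) and
                    dport in ("any", pkt["dport"])):
                return action
        return "deny"  # implicit deny if no rule (not even deny any) matched

    def evaluate(self, pkt):
        """pkt: dict(src, sport, dst, dport, proto, syn). Returns allow/deny."""
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if rev in self.conns:
            return "allow"  # reply to a tracked, allowed connection
        if not pkt.get("syn", True):
            return "deny"   # mid-stream packet with no state: not a response
        action = self.first_match(pkt)
        if action == "allow":
            self.conns.add(key)  # remember the initiation so replies pass
        return action
```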
26.5.2.2 Complexity of GSD Policies. Standard firewall rules operate on
simple Boolean principles. For example, allow or deny network traffic that is going
from host or network X to Y on port Z. The complexities required of GSDs evalu-
ating network traffic are dramatically higher. For example, this evaluation could be
a combination of a Boolean test to verify an inbound email address is from a trusted
source, verify message contents are acceptable, and scan an attachment for viruses. Ad-
ministrators must understand the higher-level protocols to ensure that the GSD policy
matches the types of protections expected and required. As the number and complexity
of the rules increases, so do the processing requirements for the GSD.
Beyond the basic firewall capabilities, GSD policies typically include per-rule en-
forcement of the additional security measures. For example, the GSD only uses network
and/or transport layer filtering to restrict access to the organization’s VPN terminators.
The policy may include WAF protections, but only for the utility zones. Inbound and
outbound Web and file transfer traffic may have the additional requirement for NIPS
inspection. Although this level of customization adds some administrative overhead,
selectively (rather than broadly) applying additional protections in this manner can
reduce the performance impact of the added protections.
26.5.2.3 Change Management. Whether managing one or one hundred poli-
cies, an essential element is to have a process to track policy changes. Change man-
agement can be cumbersome but has several advantages. First, this provides back-out
information if a change were to cause issues. Second, it provides an audit trail of