Examples of service-specific policies
Connecting to the Internet makes a wide range of services available to internal users and a wide range of system accesses available to external users. Driven by the needs of the business or mission side of the organization, policy has to be clearly written to state which services to allow or disallow to both inside and outside networks.
A wide range of Internet services are available. The most popular services, such as FTP, Telnet, HTTP, etc., were discussed earlier in this tutorial. Other common services include the following:
- Berkeley Software Distribution (BSD) UNIX "r" commands, such as rsh, rlogin, rcp, etc., are designed to allow UNIX system users to execute commands on remote systems. Most implementations do not support authentication or encryption and are very dangerous to use over the Internet.
- Post Office Protocol (POP) is a client-server protocol for retrieving electronic mail from a server. POP is a TCP-based service that supports the use of non-reusable passwords for authentication, known as APOP. POP does not support encryption, so retrieved e-mail is vulnerable to eavesdropping.
- Network News Transfer Protocol (NNTP) is used to support Usenet newsgroups. NNTP is a TCP-based service that implements a store-and-forward protocol. Although NNTP is a relatively simple protocol, there have been attacks against common NNTP server software. NNTP servers should not be run on the firewall, but standard proxy services are available to pass NNTP.
- Finger and whois are similar functions. Finger is used to retrieve information about system users. Finger often gives out more information than is necessary; for most organizations, finger should be disabled or limited at the firewall. Whois is very similar and should also be disabled or limited at the firewall.
- The UNIX remote printing protocols lp and lpr allow remote hosts to print using printers attached to other hosts. Lpr is a store-and-forward protocol, whereas lp uses the rsh function to provide remote printing capabilities. In general, lp and lpr should be disabled at the firewall unless vendor-supplied proxies are available.
- NFS allows disk drives to be made accessible to users and systems across the network. NFS uses a very weak form of authentication and is not considered safe to use across untrusted networks. NFS should not be allowed through a firewall.
- Real Audio provides for the delivery of digitized audio over TCP/IP networks. It is one of a number of new services that have been developed to take advantage of the multimedia capabilities of the World Wide Web.
Which Internet services to allow or deny must be driven by the needs of the organization. A sample security policy for some of the Internet services a typical organization might require is illustrated in Table-1 below; Table-2 shows the managerial-level concerns.
Table-1: Service-Specific Policies

Service | Inside→Outside Status | Inside→Outside Auth | Outside→Inside Status | Outside→Inside Auth | Simple Policy |
---|---|---|---|---|---|
FTP | Yes | No | Yes | Yes | FTP access should be allowed from the internal network to the external. Strong authentication should be required for FTP access from the outside to the inside. |
Telnet | Yes | No | Yes | Yes | Telnet access should be allowed from the inside network to the outside network. For the Telnet from the outside to the inside network, authentication should be required. |
Rlogin | Yes | No | Yes | Yes | Rlogin to organization hosts from external networks requires written approval from the Network Services Manager and the use of strong authentication. |
HTTP | Yes | No | No | No | All WWW servers intended for access by external users should be hosted outside the organization firewall. No inbound HTTP should be allowed through the organization firewall. |
SSL | Yes | No | Yes | Yes | Secure Sockets Layer sessions using client-side certificates are required when SSL sessions are to be passed through the organization firewall. |
POP3 | No | No | Yes | No | The organization Post Office Protocol server is to be hosted inside the organization firewall. The firewall should pass POP traffic only to the POP server. The use of APOP is required. |
NNTP | Yes | No | No | No | No external access should be allowed to the NNTP server. |
Real Audio | No | No | No | No | There is currently no business requirement for supporting streaming audio sessions through the organization firewall. Any business unit requiring such support should contact the network services manager. Warning: Real or not, this can be a problem. Many headaches are caused by the various spyware that users install from web sites. It is a constant battle between letting users have a high level of control over their PCs and keeping them from installing every cute little widget they run into on the Internet. It is better to do high-security work and button everything down; low-security workplaces are a nightmare. Tools such as QuickTime and Windows Media Player also stream audio and video. |
LP | Yes | No | No | No | Inbound lp services are to be disabled at the organization firewall. |
finger | Yes | No | No | No | Inbound finger services are to be disabled at the organization firewall. |
gopher | Yes | No | No | No | Inbound gopher services are to be disabled at the organization firewall. |
whois | Yes | No | No | No | Inbound whois services are to be disabled at the organization firewall. |
SQL | Yes | No | No | No | Connections from external hosts to internal databases must be approved by the network services manager and use approved SQL proxy services. |
Rsh | Yes | No | No | No | Inbound rsh services are to be disabled at the organization firewall. |
Other, such as NFS | No | No | No | No | Access to any other service not mentioned above should be denied in both directions so that only Internet services we have the need for and we know about are allowed and all others are denied. |
Legend: Status, whether users can use the service; Auth, whether any form of authentication (strong or otherwise) is performed before the service can be used. The first Status/Auth pair covers sessions from the inside network to the outside network, the second pair sessions from the outside network to the inside network.
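To show how a table like this becomes something a firewall administrator can check traffic against, here is an added example (not code from the original tutorial or from any firewall product) that encodes Table-1 as a rule set keyed by service and direction and evaluates a constructed batch of connection-log lines against it. The log format, field names, `Request` type and addresses are this example's own assumptions; the "Other" row of the table becomes the default-deny branch, and a listed service with Auth "Yes" is allowed only when the record says the session was authenticated.

```python
"""Check connection records against the service-specific policy in Table-1.

Added example for this tutorial, not code from the original page or from any
firewall product. Table-1 is encoded as a rule set keyed by service and
direction, and a constructed batch of connection-log lines is evaluated
against it. The log format, field names and addresses are this example's own
assumptions (addresses are drawn from the 10.0.0.0/8 and 203.0.113.0/24
ranges and do not refer to real hosts).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Per service: direction -> (status, auth), copied from Table-1.
# "out" = inside network to outside, "in" = outside network to inside.
# Status "No" means the service is denied in that direction; Status "Yes"
# with Auth "Yes" means it is allowed only for authenticated sessions.
POLICY: Dict[str, Dict[str, Tuple[bool, bool]]] = {
    "ftp":       {"out": (True, False),  "in": (True, True)},
    "telnet":    {"out": (True, False),  "in": (True, True)},
    "rlogin":    {"out": (True, False),  "in": (True, True)},   # table also requires written approval
    "http":      {"out": (True, False),  "in": (False, False)},
    "ssl":       {"out": (True, False),  "in": (True, True)},   # client-side certificates
    "pop3":      {"out": (False, False), "in": (True, False)},  # APOP is enforced at the POP server
    "nntp":      {"out": (True, False),  "in": (False, False)},
    "realaudio": {"out": (False, False), "in": (False, False)},
    "lp":        {"out": (True, False),  "in": (False, False)},
    "finger":    {"out": (True, False),  "in": (False, False)},
    "gopher":    {"out": (True, False),  "in": (False, False)},
    "whois":     {"out": (True, False),  "in": (False, False)},
    "sql":       {"out": (True, False),  "in": (False, False)},
    "rsh":       {"out": (True, False),  "in": (False, False)},
}


@dataclass(frozen=True)
class Request:
    """One connection request as seen at the firewall (hypothetical shape)."""
    direction: str      # "in" or "out"
    service: str
    authenticated: bool
    src: str = ""
    dst: str = ""


def decide(req: Request) -> Tuple[str, str]:
    """Return ("allow" or "deny", reason) for one connection request."""
    if req.direction not in ("in", "out"):
        return "deny", f"unknown direction {req.direction!r}"
    rule = POLICY.get(req.service.lower())
    if rule is None:
        # Last row of Table-1: anything not listed is denied in both directions.
        return "deny", "service not in policy (default deny)"
    allowed, auth_required = rule[req.direction]
    if not allowed:
        return "deny", f"{req.service} is not permitted {req.direction}bound"
    if auth_required and not req.authenticated:
        return "deny", f"{req.service} {req.direction}bound requires authentication"
    return "allow", "matches policy"


def parse_line(line: str) -> Request:
    """Parse one constructed 'key=value' connection record."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return Request(
        direction=fields.get("dir", "?"),
        service=fields.get("svc", "?"),
        authenticated=fields.get("auth", "no").lower() == "yes",
        src=fields.get("src", ""),
        dst=fields.get("dst", ""),
    )


def evaluate(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (line, verdict, reason) for every record in the batch."""
    return [(line, *decide(parse_line(line))) for line in lines]


# Constructed sample records (not real traffic).
SAMPLE_LOG = [
    "dir=out svc=http auth=no src=10.0.0.12 dst=203.0.113.10",
    "dir=in svc=http auth=no src=203.0.113.20 dst=10.0.0.80",
    "dir=in svc=telnet auth=no src=203.0.113.21 dst=10.0.0.5",
    "dir=in svc=telnet auth=yes src=203.0.113.21 dst=10.0.0.5",
    "dir=out svc=pop3 auth=no src=10.0.0.12 dst=203.0.113.25",
    "dir=in svc=pop3 auth=no src=203.0.113.26 dst=10.0.0.110",
    "dir=in svc=nfs auth=yes src=203.0.113.30 dst=10.0.0.50",
]

if __name__ == "__main__":
    for line, verdict, reason in evaluate(SAMPLE_LOG):
        print(f"{verdict:5} {reason:45} {line}")
```

Two points from the table carry over directly: the direction of a session decides which Status/Auth pair applies, and an unlisted service (NFS here) is refused without any further inspection, which is the "only services we need and know about" rule in practice.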
Table-2: Managerial Concerns

Purpose | Protocols | What | Why |
---|---|---|---|
E-mail | SMTP | Users have a single external e-mail address. | Does not reveal business information. |
E-mail | SMTP | A single server or cluster of servers provides e-mail service for the organization. | Centralized e-mail is easier to maintain. SMTP servers are difficult to configure securely. |
E-mail | POP3 | POP users must use AUTH identification. | Prevents password sniffing. |
E-mail | IMAP | Groups are encouraged to transition to IMAP. | Better support for travel, encryption. |
Usenet news | NNTP | Blocked at firewall | No business need |
WWW | HTTP | Directed to www.my.org | Centralized WWW is easier to maintain. WWW servers are difficult to configure securely. |
* | All others | Router | |

Server placement, by whether the server should be accessed by everyone on the Internet:

Placement | Not accessed by everyone on the Internet | Accessed by everyone on the Internet |
---|---|---|
Put server machine outside the firewall | No | Yes |
Put server machine on the service network | No | Yes |
Put server machine on the protected network | Yes | No |
Put server machine on the firewall itself | No | No |