“Getting information off the internet is like taking a drink from a fire hydrant.” (Kapor) Twenty-four hours a day, on the other side of a network’s firewall there are potential threats that will at some point turn their sights on that network. The first line of defense against that attack is going to be the firewall, and then a handful of devices behind it. Part of this protection is filtering the flow of packets as they come into the network. For this, a plan is needed.

There are two methodologies that can be used in planning what gets filtered. One is to start with a completely open firewall and begin to filter out everything that doesn’t need to enter. The other option is to close the firewall off completely and then allow only the things that do need to get through. The latter is the better approach, and that becomes clearer when an inventory is taken of what needs access to the outside world. Currently the organization uses an e-mail server to manage staff e-mail, a web server hosting our website, video conferencing, and general internet access. This relatively short list shows that it is much simpler to allow a list of things than it is to deny access to all the things we don’t use.

The first filter to define should be the general web service:

Protocol                 Out      In
HTTP (ports 80 & 443)    allow    directed to web server

Obviously, the need for users to reach the internet is important; there would be no reasonable way to do business without that access. However, web requests that come inward to the network need to be automatically redirected to the internal web server that hosts the website. This web server is in a DMZ, separated from the internal network by another firewall.

The next service to open is the e-mail server:

Protocol     Out       In
POP3/IMAP    filter    tunnel

The majority of the users are going to be on-site and inside the network when accessing their work e-mail. In order to protect the network from certain attacks, the only way to access e-mail from off-site is to tunnel into the network using a VPN. This e-mail server is also in the DMZ.

The final service that needs to be allowed through is the video conferencing. Different video conference services use different ports, but for the time being we are using Dwyco Video Conferencing, which requires a wide range of ports to be opened.

Protocol                 Out        In
UDP ports 12000-16090    blocked    allow
TCP ports 1024-5000      blocked    allow
TCP ports 6700-6702      blocked    allow
TCP port 6880            blocked    allow

There are several risks with this particular service because it opens up such a wide range of ports. It may be a good idea in the very near future to look at other solutions as long as they are financially viable. (Practically Networked)
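As an added example (not part of the original plan), the following Python model encodes the three filter tables above as a first-match rule list with a default deny, so the "close it off, then allow what is needed" approach can be checked packet by packet and the size of the opened port ranges can be counted. The DMZ address, the standard POP3/IMAP port numbers (110 and 143) and the via_vpn attribute are assumptions.

```python
from dataclasses import dataclass

WEB_SERVER_DMZ = "10.10.0.10"  # assumed DMZ address of the web server (not from the plan)

@dataclass(frozen=True)
class Packet:
    direction: str         # "in" (from the internet) or "out" (from the LAN)
    proto: str             # "tcp" or "udp"
    dport: int             # destination port
    via_vpn: bool = False  # True if the packet arrived through the VPN tunnel

# First match wins. Actions: "allow", "deny", "dnat:<addr>" (redirect to the
# DMZ host) and "vpn-only" (allowed only when the packet came in over the VPN).
# POP3/IMAP are assumed to be on their standard plaintext ports 110 and 143.
RULES = [
    ("in",  "tcp", (80, 80),       f"dnat:{WEB_SERVER_DMZ}"),
    ("in",  "tcp", (443, 443),     f"dnat:{WEB_SERVER_DMZ}"),
    ("out", "tcp", (80, 80),       "allow"),
    ("out", "tcp", (443, 443),     "allow"),
    ("in",  "tcp", (110, 110),     "vpn-only"),   # POP3
    ("in",  "tcp", (143, 143),     "vpn-only"),   # IMAP
    ("in",  "udp", (12000, 16090), "allow"),      # Dwyco
    ("in",  "tcp", (1024, 5000),   "allow"),      # Dwyco
    ("in",  "tcp", (6700, 6702),   "allow"),      # Dwyco
    ("in",  "tcp", (6880, 6880),   "allow"),      # Dwyco
]
DEFAULT_ACTION = "deny"  # the "close it off, then allow what is needed" stance

def evaluate(pkt: Packet) -> str:
    """Return the action the policy takes for pkt; anything unmatched is denied."""
    for direction, proto, (lo, hi), action in RULES:
        if pkt.direction == direction and pkt.proto == proto and lo <= pkt.dport <= hi:
            if action == "vpn-only":
                return "allow" if pkt.via_vpn else "deny"
            return action
    return DEFAULT_ACTION

def inbound_exposed_ports() -> dict:
    """Count inbound ports reachable without the VPN condition, per protocol.
    This quantifies the wide-range risk the conferencing rules introduce."""
    counts = {"tcp": 0, "udp": 0}
    for direction, proto, (lo, hi), action in RULES:
        if direction == "in" and action != "vpn-only":
            counts[proto] += hi - lo + 1
    return counts

if __name__ == "__main__":
    print(evaluate(Packet("in", "tcp", 143)))  # deny: mail from off-site needs the VPN
    print(inbound_exposed_ports())             # {'tcp': 3983, 'udp': 4091}
```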

Regarding VPNs, the fact that many companies now have offices in many different places creates the need for those offices to be able to communicate securely with one another. Designing a secure network that is going to exist in a single building is quite a bit easier, since all of the connections exist in a single controllable space that can reasonably be connected together physically. However, once those assets are spread to other buildings that aren’t within a short distance of one another, it forces the use of the internet to transfer information between them unless there is enough money for direct connections via fiber optics. Since that is usually too expensive to be practical, the need for security can be met by using a virtual private network. This allows the data that is going to be traveling through the internet to be secured using encryption. There are a number of uses for such a setup. Not only would two remote office locations be able to communicate securely, but home offices as well. This also would allow users to set up remote access to their workstations without needing to compromise the integrity of the firewall to do it. As a tool, the VPN can essentially be used in any instance where there is a need for a secure connection to the network.

The dangers that exist on the internet today are overwhelming but not impossible to deal with. Filtering a connection right where it comes in contact with a private network is the best practice for keeping that private network as secure as possible. There are no perfect solutions, and there will always be risks, but structuring the network in such a way that it limits the potential points of entry is essential to keeping it secure.

References

Cheswick, W. R., Bellovin, S. M., & Rubin, A. D. (2003). Firewalls and Internet Security Second Edition: Repelling the Wily Hacker. Boston: Addison-Wesley.

Kapor, M. (n.d.). Internet Quotation Appendix. Retrieved July 9, 2010, from Harvard Cyber Law: http://cyber.law.harvard.edu/archived_content/people/reagle/inet-quotations-19990709.html

Practically Networked. (n.d.). Special Application Port List. Retrieved July 10, 2010, from Practically Networked: http://www.practicallynetworked.com/sharing/app_port_list.htm