GeodSoft logo   GeodSoft

Ten Practical Security Steps

3. Use a modern firewall with stateful inspection and a tight rule set customized to your site. This may include capabilities that are described as proxying and dynamic Network Address Translation.

Firewalls and Network Address Translation (NAT) are included together because the two functions usually come together in commercial products and nearly always run on the same computer when open source, UNIX like, operating systems are used to build custom firewalls. Any firewall worth considering today, includes sophisticated stateful inspection which allows state rules to be applied to the otherwise stateless UDP and ICMP protocols.

No firewall's default rule set should ever be used; each rule set should be customized to allow only the protocols and services used and needed at the site. No stateless traffic of any kind should be allowed in either direction. Incoming traffic should be limited only to specific IP addresses and ports that are public or semi public servers. These are most likely HTTP and SMTP. FTP and DNS will also be common. If HTTP and SMTP servers are on different machines, don't allow HTTP traffic to the mail server or SMTP traffic to the web server.

Outgoing traffic should be almost as restrictive. Only those services needed for work related functions should be allowed; generally they will be allowed to any IP address. If you have to be, you may be more permissive with outbound traffic as long as it's stateful. Some protocols such as FTP and streaming audio are somewhat complex because they have return traffic that is initiated by the remote server. The better commercial firewalls recognize this and if the service is enabled, allow the return traffic without opening arbitrary high TCP or UDP ports. Even the free, open source UNIX firewalls don't need to be "punched full of holes" to accomodate these services. Do not open large blocks of TCP or UDP ports to accomodate one service. Consult with your vendor or the appropriate news group or mailing lists. If your firewall requires this, then get a modern firewall that does what a firewall should in 2001 and not what they did in 1995.

Consistent use of stateful inspection in both directions accomplishes two things. For outbound traffic it eliminates the need to open the entire high TCP or UDP port range to incoming traffic. Inbound high port traffic is not allowed in unless it is a response to locally initiated outbound requests. Inbound stateful inspection to public servers assures a normal TCP traffic flow starting with SYN and SYN/ACK packets. It prevents many invalid packet types that may be used for denial of service attacks. If only valid TCP conversations are allowed to open ports, it largely removes system level (IP stack) errors and restricts errors to application (server) level errors. Except for possible buffer overflows which may have unpredictable consequences, remote attackers are limited pretty much to generating server error messages and exploiting application specific vulnerabilities.

Don't negate an essential part of network security because you don't know how to accomodate your user's needs with your current technology. Let them know you're working on it (be sure you are). This is a good place to hire a security expert. With the right border technology, all protocols that should be allowed on the Internet, can be handled with reasonable security.

Purists correctly say that Network Address Translation (NAT) does not provide firewall protection. This is certainly true of static NAT where there is a hardwired connection between internal and external IP address and ports that goes both ways. Dynamic NAT, where one or a few IP addresses serve a large internal population of IP addressess and dynamically assign outgoing ports and possibly IP addresses does, for all practical purposes, provide rather strong firewall-like protection to the machines using the dynamic services. If you have an existing Internet connection you've already settled on dynamic NAT, static NAT or real IP addresses. If you have static NAT, even though you have sufficient external IP addresses, switching to dynamic NAT may get some protection and ability to use services that packet filtering with static NAT does not. If you have existing hardware NAT such as provided by Instant Internet and its competitors, carefully consider how this may be located relative to your firewall to get the maximum security.

Once your firewall and NAT rules are in place, you shouldn't need to change them unless new services need to be passed through the firewall.

Finally, if you have a tight custom rule set, your firewall will provide a tremendous amount of protection to your computers behind it but it may itself be vulnerable to attack. If practical use a bridging firewall which is not visible as a network device. A bridged firewall with no IP address cannot be attacked remotely but it also cannot be administered remotely. If you need to use a standard routing firewall, then make it as secure as possible (see below) as it could be the best point of attack for potential intruders.

transparent spacer

Top of Page - Site Map

Copyright © 2000 - 2014 by George Shaffer. This material may be distributed only subject to the terms and conditions set forth in (or These terms are subject to change. Distribution is subject to the current terms, or at the choice of the distributor, those in an earlier, digitally signed electronic copy of (or cgi-bin/ from the time of the distribution. Distribution of substantively modified versions of GeodSoft content is prohibited without the explicit written permission of George Shaffer. Distribution of the work or derivatives of the work, in whole or in part, for commercial purposes is prohibited unless prior written permission is obtained from George Shaffer. Distribution in accordance with these terms, for unrestricted and uncompensated public access, non profit, or internal company use is allowed.

Home >
How-To >
10 Security Steps >

What's New
Email address

Copyright © 2000-2014, George Shaffer. Terms and Conditions of Use.