Firewalls are a CONCEPT -- NOT a Network Component of your Network.
© LD Rich & EF Batey 1995,1996,1997,1998,1999

Living in a time when it is a National Pasttime to intrude secretly on the information of others, while we lack an official cold war, our electronic information is as much at risk as the educational records of schools or the financial records of the banks.

Considerations essential to the simple firewall:

• A FIREWALL IS: A system to discourage: intrusion into a network, denial of service to networks or damage to / compromise of these networks from without the area of trust.

• They ARE NOT a substitute for, nor an alternative to C2 compliance. And C2 compliance may be of little value without them.

• Some networks are very small and the political and social issues of their organizations are suited to single point of entry networks. Internet Protocol (IP) networks are easiest to route and thus protect.

• Other networks beside multiple points of regular entry (high speed dedicated) have communications servers for intermittent external and remote entry.

• Regardless of whether there is one or many entries, there must be closely shared access and responsibility between the entry point managers.

• Firewall design presented here is intended for servicing of one entry point. One of several procedures are needed to amend this design for multiple entry points. Those include a wide bastion (protected and isolated net) or multiple routers or / and bastion (safe zone) hosts.

   
    Public <--> ( Cisco 2514 or bigger ) <--> Safe 
   Internet                |                 Network
                           |
        Bastion Host <-- B.Net --> CommServers
  

• Call these P-Net, S-Net, B-Host, C-Serv and B-Net for this discussion.

WHY a simple firewall and WHAT are its parts:

• Substantial commercial offerings in the $25,000 to $250,000 range are available which may or may not include training, support and the other network hardware required.

• Fully packaged, simple firewalls are usualy still without the added items of training, comm servers and router(s).

• The fwtk mailing list or same or similar in Usenet newsgroups are essential for firewall administrators. The risks change daily and this is a strong force in favor of personal involvement in firewalls vs turnkey answers.

• A simple firewall is:
  • one or two routers, e.g. Cisco 2514 or Livingston IRX, chosen for attention to security and leadership in the security and support arena,
  • a Unix (Berkeley) Bastion Host, e.g. P-90/P-100, 8-32M RAM PC, 1-2 Gig SCSI, SVGA Monitor and very vanilla adapter/drivers and ether cards chosen from the FreeBSD and / or BSDI part lists.
  • Operating system chosen from FreeBSD or BSDI depending on support needed,
  • The TIS FireWall tool kit as developed for the DOD.
  • Packet filtering in the router As suggested by NISE East Document, copied here, limit to what is needed, mail, ftp, http, etc.
  • Packet proxies in the Bastion, (above, + or -), and,
  • Some broadly communicated practice and policy to the users,
  • A few etheernet adapters from AUI to 10BaseT or thin-net.

  ANY of these missing will defeat any firewall very fast.

Tasks expected of the simple firewall:

• There are a wide range of Firewalls, both bought and created:
• It will pass MOST ALL packets from P-Net to B-Host and if allowed to S-Net and the reverse.
• B-Host will offer the reduced public Domain Name Services (BIND) to the outside and forward S-Net DNS requests safely to the outside.
• The B-Host will forward in and outbound SMTP (RFC822) e-mail either inward or outward after setting on it to see no externals try to play with the internal email ports.
• Strong authentication is not directly enabled in the entry firewall as some may wish electronic cards versus the skey scheme.

Specific Role Tasks:

• Router: packet filter most packets from outside and back with Bastion Host
• Router: packet filter most packets from inside and back with Bastion Host
• B-Host: Provide outside limited DNS and forward internal requests.
• B-Host: proxy hyper text (HTTP) requests for inside users, serve outside inquiries where allowed.
• B-Host: proxy ftp and telnet, related services without port mods to native software on PCs and larger hosts.
• B-Host: proxy / filter / protect mail forwarding, news and such.

Specific Components, Hardware:

• 486-Fast, P-90 or P-100 Mother board, min 16MB Ram, 256+Cache
• Preferably Adaptec SCSI-2 for m/b disk controller
• SCSI CD-ROM 2s or 4Speed
• One to 4 gig SCSI disk
• Vanilla 16 bit ethernet card
• Vanilla SVGA Controller, keyboard, mouse and monitor
• Existing Cisco 2514, 4500 or equiv router supporting packet filtering at the same levels.
• Livingston Portmaster or equiv comm server to support remote login and supporting secure RADIUS authentication.

Funding Work for Federal DOD Efforts.. At NSWC PHD, Contacts:

• Hourly rate, $55.26 (accelerated),
• Typical limited firewall, 80.0 hrs,
• UIC N63394.

Personal Contact Info

  Home
    Everett F. Batey II, WA6CRE, +1 805 985-3146 Voice        
    2970 Luff Court         Display Pager . .  +1 805 655-2017 
    Oxnard, CA  93035-2421    

      PERSONAL AND URGENT .  +1 800 380-6999 (California Personal 800)
      Voice Mail  . . . . .  +1 805 340.6471 <2>='Ev'     

    For DOD Business .. 
  Office                   Voice +1 805 982-7180 DSN-551-7180 
    US Naval Surface Warfare Center - Port Hueneme Division   
    PHD-NSWC (ex-NSWSES) - Code 4A05                          
    Port Hueneme, CA  93043-5007              email efb