Saturday, May 9, 2009

Perimeter protection using Juniper Firewalls

I am re-publishing one of my earlier papers on Juniper Firewalls, even though this talks about an older version, the features are still relevant today.

Perimeter protection using Juniper Firewalls

In this information age where worms, viruses and various other Internet attacks proliferate, securing the perimeter becomes more and more critical for any organization. This paper looks at an economical solution for a small organization to protect the perimeter.

The solution presented in this paper involves the use of low end Juniper Firewalls.

Internet attacks are performed in a variety of ways and Juniper Firewalls provide protection for many of these attacks, below is a brief description of various ways an attacker may try to intrude into an organization’s network.


  • Ping Sweeps
To understand the network layout an attacker uses various reconnaissance techniques including pinging various internal hosts that may or may not respond to pings

Juniper Firewall can reject all Ping requests after a specified threshold.

  • Port Scanning
The purpose of this method is to identify the open ports and once an open ports is found further scanning can be done to identify the version of the application and exploit the vulnerabilities found in that application.

Juniper Firewall can detect and drop the scan attempts after a specific threshold. The Firewall can also detect and stop the scans with various options like SYN-FIN, no flags, all flags etc.

  • IP options scanning.
An attacker uses this scanning option as a reconnaissance step to gain more knowledge of the network. Majority of these options are never used in a typical network and Juniper Firewall can detect these scan

  • IP spoofing attacks.
An attacker uses IP spoofing technique -where it makes the intermediary device to think that the packet came from a trusted source- to gather more information about the network and attack the network.

Juniper Firewalls can be configured to drop this kind of packets.

  • Denial-Of-Service attacks.
Denial-of-service attack is an attempt to make a targeted device resource unavailable to its users by sending huge amount of traffic to that device. If such an attack originates from multiple source devices or networks then it is called Distributed Denial-Of-Service attack. These attacks can take many forms like SYN floods, UDP floods, ICMP floods etc

Juniper Firewall can prevent such attempts by assigning thresholds that limit the number of permitted session from a source IP and to a destination IP. It can also be configured to use SYN proxy to identify and drop incomplete sessions. Similar protection can be configured to protect from ICMP and UDP flood attacks.

Apart from these protections, the Juniper Firewall can also protect against OS specific attacks like Ping of Death, WinNuke and Teardrop attacks

  • Malicious URL protection
Some URLs entered by the attacker facilitate attacks based on legal but malicious HTTP requests designed to break the server. Many exploits on Web servers have been based on URLs that were technically legal but employed buffer overflows or similar techniques.

Juniper Firewall examines the data payload of all HTTP packets, if it identifies a malicious URL it blocks that packet from passing through the firewall. The Firewall can also be configured to look at fragmented packets.
  • Virus scanning
A virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents. Juniper Firewall supports both internal and external scanning for viruses.

  • Spyware protection.
Spyware is a program that gathers user information through the user's Internet connection without the user’s knowledge, usually for advertising purposes.

Juniper Firewall can be configured to block incoming spyware, adware, keyloggers, and related malware to prevent it from penetrating the organizations perimeter.

  • Web filtering
Web filtering enables an organization to manage Internet access by preventing access to inappropriate web content.
Juniper Firewall supports both integrated and external web filtering

  • Deep Inspection
Deep Inspection is a mechanism for filtering the traffic permitted by the firewall, where it examines Layer 3 and Layer 4 packet headers and Layer 7 application content and protocol characteristics in an effort to detect and prevent attacks

With the Deep Inspection enabled, the Juniper Firewall scans the packet for patterns that match those defined in one or more groups of attack signatures or protocol anomalies, which you can either define yourself or download to the security.


Conclusion

Firewalls are the first line of defense for organizations that do not own the perimeter Routers and care must be taken to configure the device to properly ward off various attacks. Even though securing the perimeter is an integral part of Information security, organizations should practice Defense-In-Depth strategy where security is provided in layers to protect the various information assets.

No comments: