1st edition, June 2005
www.gpcg.
Medical Practice Network Security - Firewall Tutorial

Contents
INTRODUCTION
  About this tutorial
  What are firewalls?
  Why do you need them?
  What other computer security do you need?
  What if your ISP already provides a firewall?
  Firewall implementation issues
  Do you have the necessary IT skills in-house?
STEP 1: Understanding firewalls in principle
STEP 2: Understanding how the Internet works
STEP 3: Deciding which firewall product you need
STEP 4: Understanding firewall technologies
Acknowledgements
The General Practice Computing Group would like to thank the following people for contributing to Medical Practice Network Security – Firewall Tutorial. This resource has been developed as supporting information to the GPCG Computer Security – Firewall Guideline, a companion document to the GPCG Computer Security Self-Assessment Guideline and Checklist for General Practitioners (the Security Guidelines).
INTRODUCTION
About this tutorial
The information in this tutorial has been put together by the General Practice Computing Group (GPCG) with additional input provided by the Broadband for Health section of the Australian Department of Health and Ageing and State-based officers of the Australian Divisions of General Practice. It is a reference for practice managers, IT service providers and GPs to help you:
• understand more about firewalls and why we need them.
Security breaches cost you
According to the 2004 Australian Computer Crime and Security Survey by the Australian Computer Emergency Response Team (AUSCERT), the key computer security trends in Australia are:
• 95% of respondents reported experiencing computer security incidents in the past 12 months, with the majority of organisations experiencing between one and five incidents.
Other security measures
Even with a firewall in place, you still need to take other security measures to protect your internal computer systems, including:
• arrangements to control people’s access to the computer system and the types of information they access.
• a means for uniquely identifying and authenticating each authorised user of the computer system, such as a user ID and password, a smart card and PIN, or biometrics.
Many ISPs offer fully managed multi-tier firewall services. However, while you may rely on your ISP to provide a network firewall service you may choose to provide your own LAN and personal firewalls. If you are planning to rely solely on your own firewall/s, you need to be confident that you have chosen the right firewall product and that you know how to properly configure and manage the firewall.
STEP 1: Understanding firewalls in principle
• A firewall is a means of shielding your private computer system from an untrusted network, like the Internet.
• Any outside connection puts your network at some risk and should be regarded as a gateway to an untrusted network, whether or not it is in use. Some standard computer services increase this risk by running less than secure IP protocols such as FTP (File Transfer Protocol) and UDP (User Datagram Protocol).
STEP 2: Understanding how the Internet works
To understand how and why to install a firewall, basic networking knowledge is required. Here is a simplified explanation of how the Internet works, using analogies with the phone system. You need to understand these basics to be able to manage your firewall.
How data is exchanged—TCP/IP and other basics
Nowadays, most networks use a protocol called TCP/IP (Transmission Control Protocol/Internet Protocol).
Private IP address
The Internet uses special addressing schemes to distinguish private local networks from computers participating in the Internet. A computer using any of these reserved addresses will not be visible directly to the Internet – in the same way your internal phone with its internal extension number cannot be reached directly from the public phone network without your receptionist switching the call through to that extension.
STEP 3: Deciding which firewall product you need
The choice of firewall depends on your needs, based on:
• the risks to your practice information.
• the available IT skills.
• your budget (with some solutions).
Step 8 of this tutorial includes some suggested firewall products that have been reviewed by General Practice testers.
Figure 2: protecting your private network, and protecting your web server with two separate firewalls in two independent networks using a single Internet connection
3. Built-in web server firewall
The poor man’s solution to the previous scenario, which is still viable in most circumstances, is to implement the second firewall directly on your web server.
4. Web server as separate (perimeter) network
Once you want to provide web services to the outside world, such as online appointment bookings, you will probably need a slightly different layout. Computers that are exposed to the outside (the Internet) for access – and that includes remote access for maintenance purposes etc – should be placed into a separate ‘perimeter network’, sometimes called a Demilitarized Zone (DMZ).
STEP 4: Understanding firewall technologies
Simple versus sophisticated
Once you have decided on the general network layout and where to place the firewall, you have to think about what firewall technology to use. Unfortunately, there is no simple right answer that covers every circumstance. Firewalls can use simple or sophisticated methods to do their job. More sophisticated firewalls are usually safer if properly configured, but configuration can be much more difficult.
STEP 5: Understanding different types of firewalls
Packet filters
Data transferred via the TCP/IP protocol is usually sent in the form of ‘packets’. Each packet contains a small amount of data attached to a ‘header’ which has information about the purpose, source and destination of the packet. A packet filtering firewall looks at each packet and, depending on a nominated set of rules, decides whether or not to let it pass through.
Disadvantages of stateful packet filters
• Vulnerable to attacks with malformed packets (since it does not know about packet content).
• Vulnerable to protocol-based attacks / ‘buffer overflow’ attacks.
Examples of stateful packet filters
• Linux NetFilter based firewalls.
• BSD IPF or OpenBSD IPF based firewalls.
• Watchguard Firebox.
Advantages of proxy type firewalls
• Protection against malformed packets.
• Protection against more protocol based attacks than stateful inspecting packet filters can provide.
• More granular control over which protocols will traverse the networks.
Disadvantages of proxy type firewalls
• Rather complex – needs more powerful hardware and therefore generates more heat and is more prone to technical faults.
STEP 6: Understanding network addressing
The first question before you set up your firewall will always be: what address range are you using in your local network? Currently, Internet addresses are unique 32 bit numbers, usually displayed for better memorability as four 8-bit numbers separated by full stops (that is, anything from 0.0.0.0 up to 255.255.255.255). Some of these many possible addresses are reserved for special purposes, like local area private networks.
Imagine each 8-bit number (0 – 255) as 8 little switches. Each switch that is ‘on’ in the mask has to be matched by the corresponding switch in your address. The number 255 hence indicates that an exact match is required. The number 0 represents the other extreme: all 256 possible numbers (0 – 255) would match. Thus, a subnet mask of 255.255.255.0 would allow all IP addresses ranging from 192.168.0.0 to 192.168.0.255 to ‘see’ each other.
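The switch model above carried through in code, as an added example that is not part of the GPCG tutorial: the mask is applied bit by bit, the range of addresses that can ‘see’ each other is computed, and the same test picks out the reserved private ranges of Step 2 (the RFC 1918 ranges 10/8, 172.16/12 and 192.168/16). The 255.255.255.192 case goes beyond the page's octet-aligned example to show that a mask need not stop on a full-stop boundary.

```python
# Added example (not from the GPCG tutorial): the "eight little switches" view
# of a subnet mask, implemented with bitwise operations on IPv4 addresses.

def parse_ipv4(addr: str) -> int:
    """Turn dotted-quad text into the 32-bit number the network actually uses."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {addr!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {addr!r}")
        value = (value << 8) | octet
    return value

def format_ipv4(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def same_subnet(a: str, b: str, mask: str) -> bool:
    """Every bit that is 'on' in the mask must match between a and b;
    bits that are 'off' (a 0 in the mask) may differ freely."""
    m = parse_ipv4(mask)
    return (parse_ipv4(a) & m) == (parse_ipv4(b) & m)

def subnet_range(addr: str, mask: str) -> tuple[str, str]:
    """First and last address that the mask lets addr 'see'."""
    m = parse_ipv4(mask)
    network = parse_ipv4(addr) & m
    broadcast = network | (~m & 0xFFFFFFFF)
    return format_ipv4(network), format_ipv4(broadcast)

# Private (non-routable) ranges from RFC 1918: the reserved addresses the
# tutorial compares to internal phone extensions.
RFC1918 = (("10.0.0.0", "255.0.0.0"),
           ("172.16.0.0", "255.240.0.0"),
           ("192.168.0.0", "255.255.0.0"))

def is_private(addr: str) -> bool:
    return any(same_subnet(addr, net, mask) for net, mask in RFC1918)

if __name__ == "__main__":
    print(subnet_range("192.168.0.37", "255.255.255.0"))    # ('192.168.0.0', '192.168.0.255')
    print(same_subnet("192.168.0.1", "192.168.1.1", "255.255.255.0"))  # False
    # A mask need not end on an octet boundary: 255.255.255.192 leaves 6 switches 'off'.
    print(subnet_range("192.168.0.130", "255.255.255.192"))  # ('192.168.0.128', '192.168.0.191')
    print(is_private("203.0.113.9"))                         # False
```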
STEP 7: Understanding ports and firewall configuration
What are ports?
Ports are special addresses within a network address that are required to access various network services. For example: your address is 1.2.3.4, and you want to access the web server – choose port 80. If you want to access your POP3 email server instead, select the same address but choose port 110.
Here is an analogy: you have an office building with a street address, e.g. 8 Smith Lane, Melbourne.
Public ports
‘Public ports’ are 49152 - 65535. These are up for grabs, so never rely on these ports delivering the same service. However, this is all entirely voluntary. Nothing stops you from running your web server using port 21 instead of port 80, although it would not be sensible to do that. It is worthwhile remembering that writers of malicious code (backdoors, Trojans etc) do not have to follow convention regarding the port numbers they use.
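As an added example (not the tutorial's own code), a minimal packet filter in the sense of Step 5 applied to the ports of Step 7: each packet is judged from its header alone, rules are tried first to last, and anything unmatched is denied. The networks, the web server address 192.168.1.10 and the rule set are constructed for illustration.

```python
# Added example (not from the GPCG tutorial): a packet filter in the sense of
# Step 5, deciding on each packet from its header alone.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

PRACTICE_LAN = ip_network("192.168.0.0/24")      # constructed private network
DMZ_WEB = ip_network("192.168.1.10/32")          # constructed web server in the DMZ
ANY = ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    proto: str           # "tcp", "udp" or "any"
    src: IPv4Network
    dst: IPv4Network
    dport: range         # destination ports covered by this rule

@dataclass(frozen=True)
class Packet:
    proto: str
    src: IPv4Address
    dst: IPv4Address
    dport: int

def matches(rule: Rule, p: Packet) -> bool:
    return (rule.proto in ("any", p.proto)
            and p.src in rule.src and p.dst in rule.dst
            and p.dport in rule.dport)

def decide(rules: list[Rule], p: Packet) -> str:
    """First matching rule wins; an unmatched packet is denied (default deny)."""
    for rule in rules:
        if matches(rule, p):
            return rule.action
    return "deny"

# Constructed rules: Internet -> DMZ web server on port 80 only; the LAN may browse the web.
RULES = [
    Rule("allow", "tcp", ANY, DMZ_WEB, range(80, 81)),
    Rule("allow", "tcp", PRACTICE_LAN, ANY, range(80, 81)),
    Rule("allow", "tcp", PRACTICE_LAN, ANY, range(443, 444)),
]

def pkt(proto: str, src: str, dst: str, dport: int) -> Packet:
    return Packet(proto, ip_address(src), ip_address(dst), dport)

if __name__ == "__main__":
    print(decide(RULES, pkt("tcp", "203.0.113.5", "192.168.1.10", 80)))   # allow
    print(decide(RULES, pkt("tcp", "203.0.113.5", "192.168.1.10", 110)))  # deny
    print(decide(RULES, pkt("tcp", "203.0.113.5", "192.168.0.20", 80)))   # deny
    # Outbound traffic on port 80 from a LAN machine is allowed whether it is a
    # browser or a backdoor: the filter sees ports, not content.
    print(decide(RULES, pkt("tcp", "192.168.0.20", "203.0.113.5", 80)))   # allow
```

The last case is the tutorial's point about malicious code ignoring port conventions: a port-based rule cannot tell legitimate web browsing from anything else that happens to use port 80, which is why the later steps add proxy-type inspection and auditing.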
STEP 8: Suggested firewall products
Your choice of firewall depends on both your needs and IT skills, and with some solutions it also depends on your budget.
Government Security Adviser (DSD) recommendations
The Australian Government also provides recommendations and advice on firewall products through the Government's Security Adviser, the Defence Signals Directorate (DSD).
The list above is not exhaustive – it represents products reviewed up to now. After you make your choice and install your firewall, refer to this tutorial’s checklist before you connect your private network to the firewall. If none of the solutions suggested here suit you, there are further firewall options below, listed according to security requirements.
Low security need/low IT expertise
This type of medical practice would use a single means of connecting to the Internet (e.g. ADSL or dial-up).
4 Billion products
5 D-Link products
6 Draytek products
7 Dynalink products
8 INEXQ products
9 Linksys products
10 Netcomm products
11 Netgear products
12 SMC products
13 Snapgear products
Reviewed products without commercial support:
14 DevilLinux
15 Euronode
16 IPCop
17 NetBSD Firewall Project
18 RedWall
19 Sentry Firewall CD
High security needs/high IT expertise
This practice does not only grant Internet access to all networked computers, but it also provides web s
STEP 9: Principles of firewall configuration
This section explains the steps necessary for configuring any firewall. Product-specific information is in the section on ‘suggested firewall products’. To configure your firewall, you may need to connect it to a computer.
• Make sure that the configuring computer is not connected to any other computer (e.g. via wireless connection) – only one network connection is allowed, and this is between the configuration computer and the firewall.
STEP 10: DIY security audit
How to find out if your firewall really works
The proof of the pudding is in the eating. The proof of your firewall is in withstanding attacks. Performing a thorough security audit is a task best left to qualified professionals. However, there are some tests that anybody can perform. This section will help you choose security audit products, and understand how to use them and how to interpret the results.
Local Area Security Linux
This is a valuable tool chest of network auditing and forensics applications that can be run from CD without needing to install anything. You simply boot your computer from this CD. You can also install it on a USB key instead of a CD, and boot from the USB key if your BIOS supports it. Those familiar with Linux will not be surprised that this 200MB system also doubles up as an emergency router and stateful packet inspecting firewall.
Sentinix
Before you download, read the step-by-step installation guide to make sure you will be able to do it. Alternatively, you might want to try it out first before installing anything. You can trial it at http://sentinix.org/demo.shtml. Please read the instructions carefully before you click, and write down all the user names/passwords you'll need to try everything out.
SATAN (Security Administrator Tool for Analysing Networks)
Satan is the grandfather of most network security auditing tools.
SAINT
SAINT is one of the top ten SANS certified security auditing tools. It is not to be confused with the free network monitoring tool NetSaint. Free trial versions of SAINT are available.
Other useful tools for network security
Honeyd
This is a useful tool that allows you to create complete virtual networks on a single computer.
STEP 11: How to audit your firewall – step by step
Prepare your test scenario
You need two computers plus your pre-configured firewall. We will call the attacking computer (from the simulated Internet) Nessus, and the victim (our private network) Honeypot.
Figure 5: testbed for firewall auditing
Both Nessus and Honeypot will be exposed to the Internet without firewall protection (we have to assume the worst); hence you must not use any computer for this purpose that contains any confidential data.
• Download PHLAK – this is a 400+ Mb large ISO CD image. Use your CD burning software to create a bootable CD from this ISO image. It will not work if you just copy the ISO file onto a data CD.
• Boot from your PHLAK CD while connected to the Internet (if you have dial-up Internet only, you can connect after booting PHLAK).
• If you booted PHLAK successfully on Nessus, you will see a menu bar like this one:
• Select the left hand terminal window icon (on the screenshot above, circled in red).
4 If you start the Nessus program for the first time, it will ask you whether you accept the server certificate. Say yes, because it is the one you just created before with ’nessus-mkcert’.
5 If login is successful you will be presented with the certificate for visual verification. In the scenario here it is safe again to simply click OK.
A warning will probably pop up telling you that dangerous features have been disabled (those which might crash a victim during scanning). Accept this for now.
6 Time to quickly review the configuration.
7 In the plugin section, simply enable ‘all but dangerous plugins’ for now. For the first scan, you can leave all other configuration options at their default settings.
8 The last thing to do before our first scan is to select the target. Instead of the depicted ‘my.firewalls.ip’ you would enter the public IP address or hostname of your firewall. The Nessus project web site has more information.
9 Now, all that is left to do is to click on the ‘Start the scan’ button at the bottom of the Nessus dialog box. It may take anything from several minutes to several hours. A progress bar will indicate progress. Once finished, a very detailed test report will be displayed.
STEP 12: Firewall checklist – after installation
After installation and configuration of your firewall, but before you connect your private network to the Internet via your firewall, please go through this checklist. If there is even one question you cannot answer with yes, reconsider your options before connecting to the Internet.
FURTHER INFORMATION
Virtual Private Network
Sometimes it may be useful to extend your private network outside your practice building – for example, to connect to a branch surgery, to access your practice network from home or while travelling, or from the local hospital. In most cases, it will not be possible to extend your Ethernet cables to that other location. Sometimes, when there is line of sight, a wireless link might be feasible, but usually distances and geography do not allow this.
Figure 7: Connecting two practices via VPN
Another common scenario is connecting to the practice from home or while travelling, using a notebook and a dial-up connection, for example. Unless a properly configured VPN router is also carried along, some software will need to be installed in this case. You can save yourself time and effort if your VPN router is compatible with the IPSec standard and does not depend on proprietary client software, which is costly and may be unsupported in the future.
Failover/load balancing
Failover
The failover principle is to have multiple Internet service providers, and let your gateway device handle the connections for you automatically, depending on needs and availability of service.
The problem
We are becoming increasingly dependent on the Internet. Email is becoming the mainstream communications medium, not only replacing traditional postal mail but also phone communications to some degree.
Unfortunately, there is no rule regarding which technology is the most reliable at present in Australia. It depends on a variety of technological and vendor specific factors that vary from location to location. If your location allows it, the combination of cable and (A)DSL would usually be the choice with the best performance and lowest cost. In some locations, a wireless Internet provider might be an even better substitute for either cable or (A)DSL.
GLOSSARY
Access – The ability to use computer information in some manner. Specific access can be granted to each individual user.
Application services – Services that leverage bandwidth to deliver increased functionality and value to subscribers.
ASP – Application Service Provider. A third party entity that manages and distributes software-based services and solutions to customers across a wide area network from a central data centre.
Network gateway – An inter-networking system that joins two networks together. A network gateway can be implemented completely in software, completely in hardware, or as a combination of the two.
Network interface – A boundary across which two independent systems meet and communicate with each other.
Packet – A bundle of data organized for transmission, containing control information (destination, length, origin, etc.), the data itself, and error detection and correction bits.
General Practice Computing Group
C/- Royal Australian College of General Practitioners
1 Palmerston Crescent, South Melbourne, Vic 3205
Tel: (03) 8699 0414
www.gpcg.org.