Chapter 3. Service Groups and Service Group Rules

Your company uses many different applications to accomplish tasks, and the Gauntlet Firewall provides proxy services for these applications. You want to be able to create rules that allow certain groups to use certain services. You could create rules for each service you are offering. However, creating rules for each service would be quite a time-consuming and detailed effort. The Gauntlet Firewall includes the idea of service groups, which allow you to create rules for a set of services.

The following sections explain the concepts of service groups and service group rules and describe how to configure them.

Understanding Service Groups

Data traffic passing through the Gauntlet Firewall is generally handled through the use of services (also known as proxies). Services are applications running on the firewall that take a data stream from one interface and pass it to another interface. Most communications through the firewall occur through services. Each service is designed to handle one specific TCP or UDP protocol or port number. All services log the service requests and the results of those requests. Some services provide blocking of certain data elements, such as Java or ActiveX.

The firewall determines whether to permit or deny traffic on the basis of the source address and the type of protocol used. When a host system attempts to communicate across the firewall using a specific protocol such as TELNET or FTP, the firewall uses the source address of the client host to determine what services have been specified for this address or the network groups to which it may belong. The firewall applies sets of rules to decide:

  • whether the service is permitted or denied for this host (for example, the TELNET proxy service for the TELNET protocol)

  • further requirements, such as authentication or permitted destinations

Instead of defining a group of individual services for one set of hosts and then defining the same group of services for another set of hosts, you can create a service group. A service group is a collection of services that are defined as a unit and that can be applied against a network group or specific hosts.

The service group can specify:

  • Which services are available (for example, allow TELNET, FTP, and rlogin proxy services)

  • What destination hosts are permitted or denied (for example, deny access to all hosts in the bigu.edu domain)

  • Authentication requirements (for example, require authentication)

Default Service Groups

The initial Gauntlet configuration defines two service groups: a trusted service group and an untrusted service group.

Trusted Service Group

By default, the trusted service group is applied to that network group made up of the trusted networks, which are usually inside your security perimeter. This service group:

  • Allows requests to be sent to any destination

  • Permits access to some of the more commonly used proxies: finger, FTP, Gopher, HTTP, aHTTP, the Info Server, LDAP, lp, NetShow, NNTP, POP3, RealAudio/RealVideo, Rlogin, SSL, TELNET, VDOLive and whois.

  • Does not generally require users to authenticate, but simply passes their requests through the firewall

  • Allows users to change their passwords for strong authentication systems

Untrusted Service Group

By default, the untrusted service group is applied to that network group made up of the outside (untrusted) networks. This service group:

  • Allows requests to be sent to any destination

  • Permits access to a restricted group of protocols: TELNET, rlogin, FTP, NNTP, the Info Server, and POP3

  • Requires users to authenticate with the authentication server that is on the firewall

Notice that the untrusted service group does not allow access to the HTTP protocol. You do not want outside users, especially people all over the Internet, using the HTTP protocol to gain access to Web servers on your internal network.

In addition, the untrusted service group does not allow users to change their passwords for strong authentication systems or allow access to the Gauntlet Firewall Manager. Because of the widespread use of packet sniffers and a multitude of other hacker tools, configuring the firewall and typing reusable passwords are extremely risky activities when done from an untrusted network. You run the risk of exposing this information to everyone and severely compromising your network security.

Service Group Membership

Services that are included within a service group are members of that group. Services that are not included within a service group are non-members. For example, by default, the HTTP service is a member of the trusted service group; this allows trusted hosts to use the HTTP proxy to access Web servers on an outside network. The HTTP service is a non-member of the untrusted service group; this prohibits untrusted hosts on an outside network from using the service to access a Web server on an inside network.

When to Add New Service Groups

Define a new service group whenever it is convenient to specify a set of general services to govern a single host or group of hosts. Often, changing business conditions or new requirements necessitate changes to the flow of information to or from an organization.

For example, until recently, the hosts in the research department at Big University have been governed by the default trusted service group and rules, which allow access to any destination on the outside networks. The research department has been providing advance research information to a group within Yoyodyne Corporation. Because of a contract dispute, the management at Big University has decided that the research department cannot give any more information to Yoyodyne. To ensure compliance, the firewall must not allow hosts in the research department to make network connections to any systems at Yoyodyne.

This example situation is an appropriate time to create a new service group. To implement the new service group, the firewall administrator at Big University:

  • Creates a new service group called “no-yoyo”

  • Adds all of the same services to no-yoyo as are in the trusted service group

  • Adds a condition to the no-yoyo group that denies access to the destination yoyodyne.com

  • Removes the service group rule that makes hosts in the research department use the trusted service group

  • Adds a service group rule that makes hosts in the research department use the no-yoyo service group

The hosts in the research department continue to operate under the same services as the rest of the university, except they are now prohibited from accessing the yoyodyne.com systems.

In the future, when management at Big University determines that the hosts in the math department need to be prohibited from accessing yoyodyne.com as well, the firewall administrators don't create a new service group. Instead, they apply the “no-yoyo” service group to the math department hosts.

Accessing Service Group Configuration

To access service group configuration:

  1. From within the Gauntlet Firewall Manager, select Firewall Rules.

  2. Select the Service Groups tab.

    The Service Groups window displays.

    Figure 3-1. Service Groups Window


Configuring Service Groups

This section explains how to configure service groups.

Planning Service Groups

When defining and setting up service groups, firewall administrators should plan for a number of groups that span a range from most restrictive to least restrictive services. The exact number of groups required will vary, depending on the size and diversity of the organization and the kinds of communications necessary to accommodate business requirements.

For example, in a small organization that has a limited number of users with uniform trust and levels of responsibilities assumed among all, the minimum trusted and untrusted service groups may be adequate. However, a large institution with multiple departments and diverse levels of trust (for example, Finance versus Engineering) may require a tailored set of service groups that will be applied on a departmental need-to-know basis.

Service groups should be designed so that they provide a required set of member services and associated rules that cover particular business or technical requirements, and no more. In particular, a service group that will be applied to control an untrusted network group or hosts should be limited to the absolute minimum set of services required.

In most cases, firewall administrators find it much easier to initially create a service group with the minimum number of member services required and add new services or liberalize existing service group rules later in response to a particular requirement. It is more difficult to grant a liberal set of services at the beginning and then attempt to remove access to a particular service or destination when users have grown accustomed to having that access.

Creating Service Groups

To create a service group:

  1. In the Service Groups window, click Add.

    The Add Service Group window displays.

    Figure 3-2. Add Service Groups Window


  2. Provide information about the new service group.

    Group Name

    Name of the new service group.

    Description

    Description for the service group.


  3. Select the services you want to include in (make members of) your service group:

    • Click the service you would like to add from the list of services not included.

    • Click >> to add the service to the list of included services.

  4. Set other options for your service group.

    Enforce Authentication

    Specifies whether this service group requires authentication for those service members that support authentication.

    Authserver

    IP address of the host running the authentication server. By default, this is 127.0.0.1, indicating that the authentication server is running on the firewall.

    Port

    TCP port on which the authentication server is running. By default, this is port 7777.

    Allow Password Change

    Specifies whether users can change their passwords when connecting from hosts that use this service group.


  5. Add destination restrictions for your service group. Refer to Chapter 4, “Destination Access,” for more information about destination restrictions.

  6. Click OK.

  7. Proceed to “Adding Service Group Rules” to create rules specifying which networks will use your new service group. Remember to enable the services, as well.

Modifying Service Groups

When one or more changes need to be made to an existing service group, you can modify the settings for that service group.

To modify a service group:

  1. Select the service group you wish to modify.

  2. Click Modify.

    The Modify Service Group window displays.

  3. Change the settings for this service group.

  4. Click OK.

Deleting Service Groups

When an existing service group is no longer needed, you may delete that group.

To delete a service group:

  1. In the Service Groups window, select the service group you wish to delete.

  2. Click Delete.

Understanding Service Group Rules

Once a service group has been defined along with its additional parameters and destinations, it may be applied to a network group, network, or specific host. The network or host may be permitted to use the service group, which means that it may use the member services, subject to the additional parameter requirements and destinations. Or the network may be denied the right to use the service group, which means that it is specifically denied access to the member services in the group.

Order of Precedence

Order of precedence is important when dealing with firewall rules. Applications and services read tables from the top to the bottom. They use the first rule that applies for a particular attribute.


Note: If there are multiple rules in the table that could apply for an attribute, the first one found is the one used. Any subsequent conflicting rules are ignored.

Rules that are higher in the list have a higher order of precedence than rules that are lower in the list. In other words, a higher rule will be interpreted by the firewall before rules further down, and if two rules are encountered that match a given situation but contradict each other, the first one encountered will apply. In general, the more specific rules need to be listed first.

For example, consider the rules menu in Table 3-1:

Table 3-1. Example Rules Menu 1

  Rule   Source     Services   Access
  1      Research   no-yoyo    Permit
  2      Research   *          Deny

In Rule 1, Research is permitted to use the services specified in the no-yoyo service group. Rule 2 denies access to any other services not covered in Rule 1. Assume you reverse the rules, as shown in Table 3-2:

Table 3-2. Example Rules Menu 2

  Rule   Source     Services   Access
  1      Research   *          Deny
  2      Research   no-yoyo    Permit

Research is now denied access to all services in Rule 1. Any services that may have been granted by Rule 2 are ignored.
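The following is an added illustration, not Gauntlet code: a small Python model of service groups and first-match rule evaluation that reproduces both the Big University no-yoyo scenario from "When to Add New Service Groups" and the Table 3-1 versus Table 3-2 ordering effect. The group names, member lists and rule tables are constructed for the example; the membership, destination-restriction and first-match semantics follow this chapter.

```python
# Added illustration, not Gauntlet code: a minimal first-match evaluator that
# models service groups and service group rules as this chapter describes them.
from dataclasses import dataclass

@dataclass(frozen=True)
class ServiceGroup:
    name: str
    members: frozenset               # proxies that are members of the group
    denied_destinations: tuple = ()  # destination domains the group denies
    enforce_auth: bool = False       # the "Enforce Authentication" option

@dataclass(frozen=True)
class Rule:
    source: str       # network group the rule applies to
    access: str       # "Permit" or "Deny"
    services: object  # a ServiceGroup, or "*" for any service

def evaluate(rules, source, service, destination):
    """Decide one request (source, proxy, destination) by reading the rule
    table top to bottom and applying the first rule that matches."""
    for rule in rules:
        if rule.source != source:
            continue
        if rule.services == "*":          # wildcard covers every service
            return rule.access.lower()
        group = rule.services
        if service not in group.members:  # non-member: rule does not apply
            continue
        if rule.access == "Deny":
            return "deny"
        # Member service is permitted, subject to the group's destination
        # restrictions and authentication requirement.
        if any(destination == d or destination.endswith("." + d)
               for d in group.denied_destinations):
            return "deny"
        return "permit-with-auth" if group.enforce_auth else "permit"
    return "deny"  # nothing matched: fall through to deny

# Constructed sample configuration following the chapter's Big University story.
TRUSTED_MEMBERS = frozenset({"finger", "ftp", "http", "telnet", "rlogin", "nntp", "pop3"})
NO_YOYO = ServiceGroup("no-yoyo", TRUSTED_MEMBERS, denied_destinations=("yoyodyne.com",))
UNTRUSTED = ServiceGroup("untrusted", frozenset({"telnet", "rlogin", "ftp", "nntp", "pop3"}),
                         enforce_auth=True)

TABLE_3_1 = [Rule("Research", "Permit", NO_YOYO), Rule("Research", "Deny", "*")]
TABLE_3_2 = list(reversed(TABLE_3_1))  # same two rules, reversed as in Table 3-2
OUTSIDE = [Rule("Untrusted", "Permit", UNTRUSTED), Rule("Untrusted", "Deny", "*")]
```

With TABLE_3_1, a Research host reaching a non-Yoyodyne destination over a member proxy is permitted, a Yoyodyne destination or a non-member proxy is denied; with TABLE_3_2 the wildcard deny is met first and everything is denied.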

Accessing Service Group Rules Configuration

To access service group rules configuration:

  1. From the Gauntlet Firewall Manager, select Firewall Rules.

  2. Click the Rules tab.

    The Rules window displays.

    Figure 3-3. Rules Window


Adding Service Group Rules

To add a rule:

  1. In the Rules window, click Add.

    The Add Security Rule Definition window displays.

  2. Provide information about your rule.

    Network Source

    Network group, network, or host for which this rule applies.

    Assign Access

    Specifies whether this rule permits or denies access. If permitted, the services specified in the next section will be available for use by the source system or network. If denied, the services in the next section will be denied to the source.

    Service Configurations

    Services or service groups for which this rule applies.


  3. Click OK.

  4. Order your new service group rule, as described below, so that your firewall uses your rule in the right order.

Modifying Service Group Rules

To modify an existing rule:

  1. In the Rules window, select the rule you wish to modify.

  2. Click Modify.

    The Modify Security Rule Definition window displays.

  3. Change settings as needed.

  4. Click OK.

Deleting Service Group Rules

To delete a rule:

  1. In the Rules window, select the rule you wish to delete.

  2. Click Delete.

Changing Order of Precedence

To move a rule up or down in the list and change its precedence:

  1. In the Rules window, select the rule you wish to move.

  2. Click Move Up or Move Down as many times as necessary to move the rule to its desired position in the list.