
1-06-20 Using Firewalls
Vincent C. Jones

Payoff
Openness has long been the modus operandi on the Internet. Now, as more businesses connect to the Internet as a service to their internal users, Internet access poses a possible threat to enterprise network security. An Internet connection should not (and often cannot) be avoided, but businesses can put barriers in place, such as firewalls, to reduce the security risks.

Introduction
As networks become larger, expanding beyond the desktop and even beyond the walls of the organization to support telecommuters and other traveling employees, the reliability and availability of those networks and their attached systems become paramount. In the past, with traditional terminal-based networks, this expansion of accessibility was not a major security headache. Good password discipline and dial-back modems (to provide physical security for outside connectivity) were sufficient to secure a network, and the emphasis was on quality of service and application usability.

Enterprise Network Security
Business users are no longer satisfied with simple terminal access, however. The personal computer revolution brings with it a desire for peer-to-peer network access, from the processor on the user's own desk to the desired information and services. The “anyone-to-anyone” connectivity implied by peer-to-peer enterprise networking has severe security ramifications. Protection can no longer be concentrated at a single point. Instead, every system on the network must be defended independently, since each is an autonomous processor with its own resources needing protection. The move from the point-to-point communications used by terminal networks to shared-media local area networks such as Ethernet and token ring, where all traffic on the LAN is accessible from any location on the LAN, also opens new channels for attackers. No special wire-tapping tools or skills are required, because any legitimate user can see any traffic, making detection of eavesdroppers next to impossible.

Internet Access as a Fact of Business Life
The increasing popularity of the Internet raises yet another threat to enterprise network security: the threat that comes with providing internal network users connectivity to the resources of the Internet. Technically, connecting to the Internet is easy. Nearly all system vendors support the TCP/IP protocol suite defined and used by the Internet. Many enterprise networks are themselves based on TCP/IP, as it is the most commonly supported peer-to-peer network architecture. Some enterprise networks go as far as using commercial Internet providers as part of their wide area networking connectivity matrix, using the Internet to provide links to remote offices and on-the-road users. Even those organizations that have all their connectivity needs covered may find the lure of the Internet irresistible. Internet E-mail addresses are becoming increasingly common on business cards. The information resources freely available to Internet users boggle the imagination and continue to expand exponentially. Although the Internet has a tradition of research-oriented, noncommercial use, it also represents a huge audience for organizations that want to get their message out, whether selling services or mail-order baby strollers.

Related Risks
From a business standpoint, connecting to the Internet is clearly desirable, but it is not without risks. Connecting to the Internet without adequate protection in place simply opens the enterprise network to the thousands of hackers and vandals who inhabit the Internet along with its millions of honest users. Although commercial and even research users are starting to recognize the importance of network security, security tools have continued to lag behind actual practice, even though it is common knowledge that “business as usual” leaves business wide open to attack. Even well-known weaknesses, such as sending clear-text passwords over broadcast networks, continue to be tolerated for convenience.

Most companies concerned with security will already have taken steps to limit access to the internal network to trustworthy people only. Barriers to entry, such as call-back modems for dial-up access and protective measures on external links, may already be in place to protect network traffic and systems from outside attack. Taken in this context, connecting to the Internet is not a new threat; it is simply another avenue for attackers to take. Concentrating exclusively on the Internet connection can therefore be self-defeating unless it is also used as an opportunity to examine all weaknesses. Internal systems are only as secure as the weakest barrier to the outside world.

The Internet is, however, open to virtually every student, researcher, and modem owner in the world. The fundamental paradigm of Internet protocol development has been openness first. Protocols are designed first and foremost to provide maximum connectivity at minimum cost. The underlying assumption has traditionally been that the only worthy goal is to enable communications, and that any feature that might limit those communications (such as security firewalls) must be inherently wrong. The result is that many protocols commonly used on the Internet are difficult to control.

Establishing Firewalls
The need to provide connectivity from vulnerable internal network systems to the Internet can be approached in several ways. The correct way, from the viewpoint of the traditional Internet paradigm, is simply to attach the internal network to the Internet through a router and put the responsibility on each individual end system to protect itself. This approach has proved unrealistic because of the lack of security in typical LAN protocols combined with the broadcast nature of LANs, where one device can see all the traffic to all devices on the network. More common is a gateway approach, in which the connection between the internal network and the Internet is filtered through a firewall device to keep out intruders. This method allows those responsible for security to concentrate on a limited number of well-controlled gateway systems rather than having to monitor every user on every system on the internal network.

Router-Based Packet Filtering
Early connections simply programmed packet filters into the router(s) used for the Internet connection (see Exhibit 1). However, this method provides a false sense of security. The filters are hard to program, making mistakes likely, and the architecture of popular TCP/IP application protocols makes it impossible simply to filter out dangerous packets, because the potentially bad packets look identical to control packets essential to protocol operation: a filter that admits the inbound data connections active-mode FTP needs, for example, cannot distinguish them from an attacker's connection attempts sent from the same source port. Moreover, routers of this kind provide no audit or reporting capability, making it impossible to detect whether the filters are even being attacked, let alone to determine whether they are working properly. Users of this approach usually find out they have a problem only when systems start showing signs of corruption.

Exhibit 1. Firewall Based on Routers with Packet Filtering

To get around the limitations of router-based packet filtering, host systems were reprogrammed to serve as intelligent filters between the internal and external networks (see Exhibit 2). Logically, this configuration is identical to packet filtering with routers; the only difference is that the firewall builder, rather than the router vendor, now controls the source code. While this solves the problem of missing audit trails and attack alarms, it does not solve the fundamental problem that TCP/IP protocols are inherently hard to secure. It also suffers from the high defect rate of typical full-powered (and consequently very complex) operating systems and network protocol implementations, exposing the internal network to attack through the firewall host itself.

Exhibit 2. Firewall Based on Intelligent Packet Filtering

Using a Bastion Host
The next step in the development of firewalls was to modify the TCP/IP application protocols to make them “firewall friendly” (or, at least, less firewall-hostile). The firewall host is effectively converted into an application protocol conversion gateway (see Exhibit 3). By running modified versions of the standard services on the internal network, with the bastion host relaying their traffic, it is possible to defend the internal network from a variety of attacks. The router to the Internet is programmed so that only packets addressed to and from the bastion host are allowed through. Inbound packets for any other internal addresses, including the routers themselves, are discarded.

Exhibit 3. Firewall Based on Bastion Host Application Gateway

Similarly, the router between the “demilitarized zone” (DMZ) network and the internal network is configured to pass only packets to and from the bastion host. For added security (in case the external router is broken into), this filter can match on the MAC address of the bastion host as well as its Internet address and TCP/IP port numbers, so that a packet merely spoofing the bastion's IP address is dropped.

Using Two Addresses. A variation on this scheme is to use two interfaces and two independent Internet addresses on the bastion host, one for connecting to inside hosts and the other for communicating with the Internet. Depending on the host platform, this can simplify the programming.

The primary disadvantage of the bastion host approach is the need to run special versions of dangerous services, such as File Transfer Protocol, on all internal clients. This can be a challenge when there are many different internal platforms, because the modified software may not be available for all of them. Depending on the modifications made, there may also be an impact on transparency. For example, to Telnet to an Internet system may require Telnetting to the bastion host and requesting a connection to the ultimate destination. Software is available to make this connection transparent on common platforms, and source code is generally available.

The key to any firewall approach is to keep it simple. Complex software and algorithms are an invitation to intrusion. Generally, the bastion host is a stripped-down UNIX workstation that implements only those protocols and features essential to firewall operation. This usually rules out most standard UNIX utilities. For example, sendmail is continually being broken by hackers; instead, a stripped-down mailer with no user-friendly features is run on the bastion host.
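The filter rules described in the preceding sections, as an added example that is not code from the original article: a small first-match packet filter in Python that models the router-only design of Exhibit 1 and the two routers of the screened subnet in Exhibit 3, including the MAC-address check on the inner router. The network addresses, the bastion's MAC address and the sample packets are constructed for this example. Comparing the legitimate active-mode FTP data packet with the attacker's packet shows why the text says that dangerous packets look identical to control packets essential to protocol operation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses for the example: documentation ranges, not real hosts.
INTERNAL = ip_network("10.0.0.0/8")          # internal network behind the DMZ router
BASTION_IP = ip_address("192.0.2.10")        # bastion host on the DMZ network
BASTION_MAC = "02:00:00:00:00:10"            # its link-layer address on the DMZ LAN


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0
    ack: bool = False      # TCP ACK flag set: part of an existing connection, not a new one
    src_mac: str = ""      # link-layer source, meaningful only on the directly attached LAN


def flat_router_filter(p: Packet) -> str:
    """Exhibit 1: the Internet router sits directly on the internal LAN and its filter
    tries to admit only what the applications need.  First matching rule wins."""
    to_internal = ip_address(p.dst) in INTERNAL
    if p.proto == "tcp" and p.ack and to_internal:
        return "permit"    # replies to connections opened from the inside
    if p.proto == "tcp" and p.sport == 20 and to_internal and p.dport > 1023:
        return "permit"    # active-mode FTP data: server port 20 to the client's high port
    return "deny"


def external_router_filter(p: Packet) -> str:
    """Exhibit 3, router facing the Internet: an inbound packet passes only if it is
    addressed to the bastion host.  Internal hosts, and the routers themselves, are
    not reachable from outside."""
    return "permit" if ip_address(p.dst) == BASTION_IP else "deny"


def internal_router_filter(p: Packet) -> str:
    """Exhibit 3, router between the DMZ and the internal network: only packets to and
    from the bastion pass, and packets claiming to come from the bastion must also
    carry its MAC address, so a subverted external router cannot just spoof its IP."""
    src, dst = ip_address(p.src), ip_address(p.dst)
    if src == BASTION_IP and p.src_mac == BASTION_MAC and dst in INTERNAL:
        return "permit"    # bastion proxy talking to an inside client or server
    if src in INTERNAL and dst == BASTION_IP:
        return "permit"    # inside host talking to the bastion proxy
    return "deny"


# Constructed sample traffic.
FTP_DATA = Packet(src="203.0.113.7", dst="10.1.2.3", sport=20, dport=40000)   # legitimate data channel
ATTACK = Packet(src="203.0.113.5", dst="10.1.2.3", sport=20, dport=2049)      # attacker picks sport 20, aims at NFS
TO_BASTION = Packet(src="203.0.113.5", dst="192.0.2.10", dport=25)             # mail to the bastion
TO_ROUTER = Packet(src="203.0.113.5", dst="192.0.2.1", dport=23)               # Telnet to the external router
SPOOFED = Packet(src="192.0.2.10", dst="10.1.2.3", dport=23, src_mac="02:00:00:00:00:01")  # bastion IP, wrong MAC
FROM_BASTION = Packet(src="192.0.2.10", dst="10.1.2.3", dport=23, src_mac=BASTION_MAC)


def verdicts() -> dict:
    """Run every sample packet through the filters that would see it."""
    return {
        # The router-only design cannot tell the attack from FTP data: same header fields.
        "flat ftp data": flat_router_filter(FTP_DATA),
        "flat attack": flat_router_filter(ATTACK),
        # The screened subnet never lets either reach an internal host directly.
        "ext ftp data": external_router_filter(FTP_DATA),
        "ext attack": external_router_filter(ATTACK),
        "ext to bastion": external_router_filter(TO_BASTION),
        "ext to router": external_router_filter(TO_ROUTER),
        "int spoofed bastion": internal_router_filter(SPOOFED),
        "int from bastion": internal_router_filter(FROM_BASTION),
    }


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:22s} {verdict}")
```

The router-only filter permits both the FTP data packet and the attack, because a stateless filter sees only header fields and the attacker chose them to match. The screened subnet sidesteps the question: inbound packets are never routed to internal hosts at all, FTP is handled by the proxy on the bastion, and the inner router's MAC check means that even a captured external router cannot impersonate the bastion toward the inside.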

Using Throttles. Other restrictions can be added to the bastion host to enforce organizational security policies. For example, the Digital Equipment Corporation SEAL firewall includes throttles on outbound data, limiting the transfer of data to the outside world to the equivalent of 1,200 bits per second. That way, even when hackers do break in, or a dishonest insider leaks information, the losses are limited by the low-bandwidth channel. Most users will never notice the throttle, because it does not affect the update of screens (inbound data) using Telnet or the ability to download files from the Internet.

The firewall bastion host may also be used in reverse, screening incoming connections to ensure that only legitimate users can reach their home systems from other locations over the Internet. Because anything typed at the login prompt crosses the Internet in the clear, this mode of operation requires one-time passwords (or equivalent challenge-response systems, frequently based on credit-card-sized encryption calculators) to provide any degree of protection: a password captured in transit is useless to the eavesdropper once it has been used.
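How one-time passwords make a captured password useless, shown with an added example that is neither code from the article nor from the SEAL product: an S/KEY-style hash chain (RFC 1760 describes the original, which uses MD4; SHA-256 is used here), in which the server keeps only the last accepted link and each login must present the link before it. The user name, secret and seed are constructed for the example.

```python
import hashlib
import hmac
import secrets


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_chain(secret: str, seed: str, n: int) -> list:
    """p_0 = H(seed || secret), p_(i+1) = H(p_i); returns [p_0, ..., p_n].
    Only the client, which knows the secret, can compute the chain."""
    chain = [_h((seed + secret).encode())]
    for _ in range(n):
        chain.append(_h(chain[-1]))
    return chain


def client_response(secret: str, seed: str, i: int) -> bytes:
    """The one-time password for sequence number i: the i-th link of the chain."""
    return build_chain(secret, seed, i)[i]


class OTPServer:
    """Keeps, per user, the seed, the next sequence number and the last accepted
    link.  The secret never reaches the server, and nothing stored here lets an
    intruder who reads the table compute the next valid password: that would
    require inverting the hash."""

    def __init__(self):
        self.users = {}

    def enroll(self, user: str, secret: str, n: int = 100, seed: str = "") -> str:
        seed = seed or secrets.token_hex(8)
        p_n = build_chain(secret, seed, n)[n]      # the only time the secret is handled here
        self.users[user] = {"seed": seed, "next": n - 1, "last": p_n}
        return seed

    def challenge(self, user: str):
        """What the login prompt shows: the seed and the sequence number to answer with."""
        u = self.users[user]
        return u["seed"], u["next"]

    def login(self, user: str, candidate: bytes) -> bool:
        """Accept iff H(candidate) equals the last accepted link, then move down the chain."""
        u = self.users[user]
        if u["next"] < 0:
            return False                           # chain exhausted: re-enroll with a new seed
        if not hmac.compare_digest(_h(candidate), u["last"]):
            return False
        u["last"] = candidate
        u["next"] -= 1
        return True


def demo() -> dict:
    """A legitimate login, a replay of the password an eavesdropper saw, the next login,
    and an attempt with the wrong secret.  All values are constructed for the example."""
    server = OTPServer()
    server.enroll("alice", secret="correct horse", n=100, seed="constructed-seed")
    seed, i = server.challenge("alice")                               # i == 99
    first = client_response("correct horse", seed, i)
    result = {"first login": server.login("alice", first)}
    # The sniffer replays p_99, but the server now expects p_98, and H(p_99) != p_99.
    result["replay of sniffed password"] = server.login("alice", first)
    seed, i = server.challenge("alice")                               # i == 98
    result["next login"] = server.login("alice", client_response("correct horse", seed, i))
    result["wrong secret"] = server.login("alice", client_response("wrong", seed, i - 1))
    return result


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} {ok}")
```

Each password is good for exactly one login and cannot be derived from the ones that preceded it, so an eavesdropper on the Internet side of the bastion learns nothing reusable. The cost is the one the text alludes to: the user needs a calculator, a printed list or a token to produce the next link, and the chain must be re-seeded before it runs out.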

Using a Public Access Host
Another approach to controlling Internet access is not to connect at all. Instead, an external public access host on the Internet is made available to internal users over a separate communications channel (see Exhibit 4), usually asynchronous serial dial-up. This technique tends to be inconvenient, because the user's local machine is limited to terminal emulation (with terminal-oriented file transfer such as Kermit or XMODEM, YMODEM, and ZMODEM). It also requires users to learn another operating system, unless the public access host happens to run the same operating system as the internal user's machine.

Exhibit 4. Internet Access Through a Public Access System

The inconvenience of using terminal access to the external system can be alleviated somewhat by using the internal network to reach the external system through an outdial terminal server (see Exhibit 5). This allows all users to take advantage of the highest speed available for local hardwired terminal access to the external host, rather than being limited to dial-up modem speeds. It also eliminates an extra cable hanging out of the user's desktop system and allows some services, such as mail, to be delivered locally without going through a terminal interface. The primary disadvantage of the public access system approach remains the limitation of services to those accessible from character-mode terminals.

Exhibit 5. Networking a Public Access System

The public access host approach can be very effective at keeping Internet hackers off the internal network, as long as inside users recognize that the public access host is a hostile environment: it is under the control of outsiders and provides no security. All users should assume that all traffic is monitored and controlled by outsiders and is subject to modification. In other words, unless there is some external mechanism for providing privacy, authentication, and integrity, any information (including account numbers and passwords) passing through the public access system must be assumed to be public knowledge and potentially corrupted. This is usually not a problem, because the Internet itself is subject to the same limitations (i.e., no assurances of privacy, authentication, or integrity unless provided by higher-level protocols such as privacy-enhanced mail). The point is that unless the public access system is protected at least as well as a direct connection to the Internet, using filtering routers and a well-designed and well-maintained bastion host, it should still be considered vulnerable. If many users are allowed on the public access host, it becomes very likely that a skilled attack will go undetected. In general, once an attack succeeds, it should be assumed that the attackers can cover their tracks. Except for “drop-box safe” style audit trails, written to a separate system that the intruder cannot alter, the attack is visible only until the intruder succeeds in getting root or equivalent supervisor access, which may be only a matter of minutes after getting any login on the system.

Search Tools
Assuming the Internet connection is used to seek out information, the tools provided through traditional File Transfer Protocol (FTP) and Telnet are sadly lacking. Better search tools, such as Archie and Gopher servers, are attractive. Unfortunately, they also present challenges to secure implementation. It may make sense to provide them on a protected public access host rather than trying to secure all systems in the network.

Internet connectivity can also be used to provide public access to press releases, white papers, and other information. Many organizations provide anonymous FTP service, and some are putting up Gopher servers. Here, too, the level of security depends on the environment. Some form of integrity protection above and beyond that built into an anonymous FTP server may be required. The technology is available to validate documents through the use of message digest algorithms and public key signatures.

Conclusion
Firewall technology need not be restricted to attachments to the Internet. It may make sense to place firewalls between internal networks to limit the damage from untrustworthy insiders or from a successful penetration of an exterior firewall. No matter what technology is used for a firewall, it is safe to assume that it will be penetrated. The key is to determine what degree of successful penetration is tolerable and what price is acceptable to legitimate users. This should be part of an overall security policy. The challenge is to put enough roadblocks in front of an attacker to make it likely that any attack will be detected before significant damage can be done. Firewalls have limitations, however. They will not thwart insider-assisted attacks. Likewise, they do not protect against virus or Trojan horse attacks carried by software or data legitimately imported through the firewall. Nonetheless, firewalls can make an effective contribution to an overall security plan.
They can provide a tough shell around the relatively unprotected systems common in typical local area networks, protecting them from attacks from the outside. At the same time, they are only one piece of the security solution, and their efficiency and effectiveness depend largely on the particular needs of the organization and its network users. Other tools, from one-time passwords, which defeat attacks that rely on captured passwords, to encrypting all data on portable computers carried in the field, are equally important. Although tools are available to counter every known plan of attack, the more effective tools usually are costly, both in purchase price and in inconvenience. The challenge to management is to determine the true requirements for security, as well as for usability and connectivity, and to select the appropriate level of protection for their needs. Within that context, the variety of firewall approaches described in this article becomes just another class of weapon in the arsenal available for use against the targeted weaknesses. It is up to management to ensure that other weaknesses are also protected, to provide overall strength against attack.

Author Biographies
Vincent C. Jones
Vincent C. Jones is an independent consultant specializing in the application of TCP/IP and OSI protocols to cooperative, distributed processing in multivendor environments. He can be reached by telephone at (201) 568-6626.