
1-06-20
Internet Security Using Firewalls
Vincent C. Jones

Payoff

Openness has long been the modus operandi on the Internet. Now, as more businesses connect to the Internet as a service to their internal users, Internet access poses a possible threat to enterprise network security. An Internet connection should not (and often cannot) be avoided, but businesses can put barriers in place, such as firewalls, to reduce security risks.

Introduction

As networks become larger, expanding beyond the desktop and even beyond the walls of the organization to support telecommuters and other traveling employees, the reliability and availability of those networks and their attached systems become paramount. In the past, with traditional terminal-based networks, this expansion of accessibility was not a major security headache. Good password discipline and dial-back modems (to provide physical security for outside connectivity) were sufficient to secure a network, and the emphasis was on quality of service and application usability.

Enterprise Network Security

Business users are no longer satisfied with simple terminal access, however. The personal computer revolution includes a desire for peer-to-peer network access from the user's own processor to the desired information and services. The “anyone-to-anyone” connectivity implied by peer-to-peer enterprise networking has severe security ramifications. Protection can no longer be concentrated at a single point. Instead, all systems on the network must be defended independently, since each is an autonomous processor with its own resources needing protection. The move from the point-to-point communications used by terminal networks to shared-media local area networks such as Ethernet and token ring, where all traffic on the LAN is accessible from any location on the LAN, opens new channels for possible attackers.
No special wire-tapping tools or skills are required because any legitimate user can see any traffic, making detection of eavesdroppers next to impossible.

Internet Access as a Fact of Business Life

The increasing popularity of the Internet raises yet another threat to enterprise network security: that associated with providing connectivity to the resources of the Internet for internal network users. Technically, connecting to the Internet is easy. Nearly all system vendors support the TCP/IP protocol suite defined and used by the Internet. Many enterprise networks are even based on TCP/IP, as it is the most commonly supported peer-to-peer network architecture. Some enterprise networks go as far as to use commercial Internet providers as part of their wide area networking connectivity matrix, using the Internet to provide links to other remote offices and on-the-road users.

Even those organizations that have all their connectivity needs covered may find the lure of the Internet irresistible. Internet e-mail addresses are becoming increasingly common on business cards. The information resources freely available to Internet users boggle the imagination and continue to expand exponentially. Although the Internet has a tradition of research-oriented, noncommercial use, it also represents a huge listener base for those organizations that want to get their message out, whether selling computer security services or mail-order baby strollers.

Related Risks

From a business standpoint, connecting to the Internet is clearly desirable, but it is not without its risks. Connecting to the Internet without having adequate protection in place simply opens the enterprise network to the thousands of hackers and vandals who inhabit the Internet along with its millions of honest users.
Although commercial and even research users are starting to recognize the importance of network security, security tools have continued to lag behind actual practice, even though it is common knowledge that “business as usual” leaves business wide open to attack. Even well-known weaknesses, such as sending clear-text passwords over broadcast networks, continue to be tolerated for convenience.

Most companies concerned with security will already have taken steps to limit access to the internal network to trustworthy people only. Barriers to entry, such as call-back modems for dial-up access and encryption on external links, may already be in place to protect network traffic and systems from outside attack. Taken in this context, connecting to the Internet is not a new threat; it is simply another avenue for attackers to take. Concentrating exclusively on the Internet connection can therefore be self-defeating unless it is also used as an opportunity to examine all weaknesses. Internal systems are only as secure as the weakest barrier to the outside world.

The Internet is, however, open to virtually every student, researcher, and modem owner in the world. The fundamental paradigm of Internet protocol development has been openness first. Protocols are designed first and foremost to provide maximum connectivity at minimum cost. The underlying assumption has traditionally been that the only worthy goal is to enable communications, and that any feature that might limit those communications (such as security firewalls) must be inherently wrong. The result is that many protocols commonly used on the Internet are difficult to control.

Establishing Firewalls

The need to provide connectivity from vulnerable internal network systems to the Internet can be approached in several ways.
The correct way, from the viewpoint of the traditional Internet paradigm, is to simply attach the internal network to the Internet using a router and put the responsibility on each individual end system to protect itself. This approach has proved unrealistic because of the lack of security in typical LAN protocols, combined with the broadcast nature of LANs, where one device can see all the traffic to all devices on the network. More common is a firewall approach, where the connection between the internal network and the Internet is filtered through a firewall device to keep out intruders. This method allows those responsible for security to concentrate on a limited number of well-controlled gateway systems rather than having to monitor every user on every system on the internal network.

Router-Based Packet Filtering

Early connections simply programmed packet filters in the router(s) used for the Internet connection (see Exhibit 1). However, this method provides a false sense of security: the filters are hard to program, making mistakes likely, and the architecture of popular TCP/IP application protocols makes it impossible to simply filter out dangerous packets, because the potentially bad packets look identical to control packets essential to protocol operation. Moreover, the routers fail to provide any audit or reporting capability, making it impossible to detect whether the filters are even being attacked, let alone determine whether they are working properly. Users of this approach usually only find out they have a problem when systems start showing signs of corruption.

[Exhibit 1: Firewall Based on Routers with Packet Filtering]

To get around the limitations of router-based packet filtering, host systems were reprogrammed to serve as intelligent filters between the internal and external networks (see Exhibit 2).
Logically, this configuration is identical to packet filtering using routers; the only difference is that now the firewall builder is in control of the source code rather than the router vendor. While this solves the problem of missing audit trails and attack alarms, it does not solve the fundamental problem that TCP/IP protocols are inherently hard to secure. It also suffers from the high defect rate of typical full-powered (and consequently very complex) operating systems and network protocol implementations, exposing the internal network to attack through the firewall host operating system.

[Exhibit 2: Firewall Based on Intelligent Packet Filtering Using a Bastion Host]

The next step in the development of firewalls was to modify the TCP/IP application protocols to make them “firewall friendly” (or, at least, less firewall hostile). The firewall host is effectively converted into an application protocol conversion gateway (see Exhibit 3). By running modified versions of standard services on the internal network, it is possible to defend the internal network from a variety of attacks. The router to the Internet is programmed so that only packets addressed to and from the bastion host are allowed through. Inbound packets for any other internal address, including the routers themselves, are discarded.

[Exhibit 3: Firewall Based on Bastion Host Application Gateway]

Similarly, the router between the “demilitarized zone” (DMZ) network and the internal network is configured to pass only packets to and from the bastion host. For added security (in case the external router is broken into), this filter can be set to filter on the MAC address of the bastion host as well as its Internet address and TCP/IP port numbers.

Using Two Addresses. A variation on this scheme is to use two interfaces and two independent Internet addresses on the bastion host, one for connecting to inside hosts and the other for communicating with the Internet.
Depending on the host platform, this can simplify the programming. The primary disadvantage of this approach is the need to run special versions of dangerous services, such as File Transfer Protocol, on all internal clients. This can be a challenge because there are many different internal platforms, as
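The screening policy described in the bastion-host sections above (external router passes only packets to and from the bastion host; internal router does the same and additionally checks the bastion's MAC address and service ports) can be modelled in a few dozen lines. The following is an added example written for this edition, not code from the article or its author; the addresses, MAC address, port set and packets are all constructed for illustration, and the audit log records every decision, since the text singles out the lack of such a trail as a weakness of early router-only filters.

```python
"""Model of the screened-subnet (DMZ) firewall policy described in the article.

Added example, not from the original article. Every address, MAC and port
below is a constructed assumption chosen for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed topology (assumptions, not taken from the article).
BASTION_IP = ip_address("203.0.113.10")   # bastion host on the DMZ network
BASTION_MAC = "00:00:5e:00:53:01"         # its NIC, checked by the inside router
INTERNAL_NET = ip_network("10.0.0.0/8")   # the internal network
GATEWAY_PORTS = {21, 23, 25, 80}          # TCP services the bastion proxies (assumed)


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str = "tcp"
    src_port: int = 0
    dst_port: int = 0
    src_mac: str = ""   # link-layer source as seen by the receiving router


@dataclass
class Router:
    """A screening router with an audit log of every pass/drop decision."""
    name: str
    log: list = field(default_factory=list)

    def decide(self, pkt: Packet, verdict: bool, reason: str) -> bool:
        self.log.append(f"{self.name}: {'PASS' if verdict else 'DROP'} "
                        f"{pkt.src_ip}:{pkt.src_port}->{pkt.dst_ip}:{pkt.dst_port} ({reason})")
        return verdict


def external_router(rtr: Router, pkt: Packet) -> bool:
    """Internet-facing router: only packets to or from the bastion host pass.
    Inbound packets for any other address (internal hosts, the routers
    themselves) are discarded."""
    src, dst = ip_address(pkt.src_ip), ip_address(pkt.dst_ip)
    if dst == BASTION_IP or src == BASTION_IP:
        return rtr.decide(pkt, True, "bastion host address")
    return rtr.decide(pkt, False, "not addressed to/from bastion host")


def internal_router(rtr: Router, pkt: Packet) -> bool:
    """Router between the DMZ and the internal network: passes only bastion
    traffic, and also checks the bastion's MAC address and the TCP ports of
    the proxied services, so packets carrying the bastion's IP address that
    did not originate on its interface are still dropped."""
    src, dst = ip_address(pkt.src_ip), ip_address(pkt.dst_ip)
    if pkt.proto != "tcp":
        return rtr.decide(pkt, False, "non-TCP")
    if dst in INTERNAL_NET:
        # Inbound from the DMZ: must come from the bastion's IP *and* MAC.
        if src != BASTION_IP:
            return rtr.decide(pkt, False, "inbound source is not bastion IP")
        if pkt.src_mac.lower() != BASTION_MAC:
            return rtr.decide(pkt, False, "bastion IP with wrong MAC (spoofed?)")
        if pkt.src_port not in GATEWAY_PORTS:
            return rtr.decide(pkt, False, "not a gateway service port")
        return rtr.decide(pkt, True, "bastion -> inside")
    if src in INTERNAL_NET and dst == BASTION_IP and pkt.dst_port in GATEWAY_PORTS:
        # Outbound from inside: only to the bastion's proxied service ports.
        return rtr.decide(pkt, True, "inside -> bastion")
    return rtr.decide(pkt, False, "not bastion traffic")


def run_scenarios():
    """Evaluate constructed packets against both routers; returns the
    per-scenario verdicts and the combined audit log."""
    ext, inn = Router("external"), Router("internal")
    results = {
        # Internet client reaching the bastion's FTP gateway: allowed.
        "internet_to_bastion": external_router(ext, Packet("198.51.100.7", "203.0.113.10", dst_port=21)),
        # Internet host aimed straight at an internal machine: dropped.
        "internet_to_inside": external_router(ext, Packet("198.51.100.7", "10.1.2.3", dst_port=23)),
        # Internet host probing the router itself: dropped.
        "internet_to_router": external_router(ext, Packet("198.51.100.7", "203.0.113.1", dst_port=23)),
        # Genuine bastion reply to an inside client: allowed.
        "bastion_to_inside": internal_router(inn, Packet("203.0.113.10", "10.1.2.3", src_port=21,
                                                          dst_port=40000, src_mac=BASTION_MAC)),
        # Bastion IP but a different MAC (the broken-into-external-router case): dropped.
        "spoofed_bastion": internal_router(inn, Packet("203.0.113.10", "10.1.2.3", src_port=21,
                                                        dst_port=40000, src_mac="00:00:5e:00:53:99")),
        # Inside client opening a session to the bastion's telnet gateway: allowed.
        "inside_to_bastion": internal_router(inn, Packet("10.1.2.3", "203.0.113.10", src_port=40001, dst_port=23)),
    }
    return results, ext.log + inn.log


if __name__ == "__main__":
    verdicts, audit = run_scenarios()
    for line in audit:
        print(line)
```

Running the module prints the six audit lines, two of which are drops the text says an unaudited router would never report: the probe of the router itself and the spoofed bastion packet stopped by the MAC check on the internal router.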