SECURITY via FIREWALLS

1. Introduction

Firewall technology has matured to the extent that today's firewalls can coordinate security with other firewalls and intrusion detection systems. They can scan for viruses and malicious code in electronic mail and web pages. Firewalls are now standard equipment for Internet connections. Home users who connect to commercial Internet service providers via dial-up or via cable/DSL also use personal firewalls and firewall appliances to secure their connections. Firewalls protect sites from exploitation of inherent vulnerabilities in the TCP/IP protocol suite. Additionally, they help mitigate security problems associated with insecure systems and the problems inherent in providing robust system security for large numbers of computers. There are several types of firewalls, ranging from boundary routers that can provide access control on Internet Protocol packets, to more powerful firewalls that can close more vulnerabilities in the TCP/IP protocol suite, to even more powerful firewalls that can filter on the content of the traffic. The type of firewall to use depends on several factors, including the size of the site, the amount of traffic, the sensitivity of systems and data, and the applications required by the organization. The choice of firewall should largely be driven by its feature set, however, rather than by the type of firewall. A standard firewall configuration involves using a router with access control capability at the boundary of the organization's network, and then using a more powerful firewall located behind the router. Firewall environments are made up of firewall devices and associated systems and applications designed to work together. For example, one site may use a firewall environment composed of a boundary router, a main firewall, and intrusion detection systems connected to both the protected network and the network between the router and the main firewall.
To provide secure remote access, the firewall may incorporate a virtual private network (VPN) server to encrypt traffic between the firewall and telecommuters or between the firewall and other sites on the Internet. The firewall environment may incorporate specialized networks for locating externally accessible servers, such as those for websites and e-mail. The configuration of the firewall environment must be done carefully so as to minimize complexity and management overhead, while still providing adequate protection for the organization's networks. As always, a policy is essential. Firewalls are themselves vulnerable to misconfiguration and to failures to apply needed patches or other security enhancements. Accordingly, firewall configuration and administration must be performed carefully, and organizations should also stay current on new vulnerabilities and incidents. While a firewall is often described as an organization's first line of defense, organizations should practice a defense-in-depth strategy, in which layers of firewalls and other security systems are used throughout the network. Most importantly, organizations should strive to maintain all systems in a secure manner and not depend solely on the firewall to stop security threats. Organizations also need backup plans in case the firewall fails. Modern firewalls are able to work in conjunction with tools such as intrusion detection monitors and e-mail/web content scanners for viruses and harmful application code. But firewalls alone do not provide complete protection from Internet-borne problems; they are just one part of a total information security program. Firewalls are generally viewed as the first line of defense, but it may be better to view them as the last line of defense for an organization: organizations should still make the security of their internal systems a high priority.
Internal servers, personal computers, and other systems should be kept up to date with security patches and anti-virus software. [11]

Network firewalls are devices or systems that control the flow of network traffic between networks employing differing security postures. In most modern applications, firewalls and firewall environments are discussed in the context of Internet connectivity and the TCP/IP protocol suite. However, firewalls also have applicability in network environments that do not include or require Internet connectivity. For example, many corporate enterprise networks employ firewalls to restrict connectivity to and from internal networks servicing more sensitive functions, such as the accounting or personnel department. By employing firewalls to control connectivity to these areas, an organization can prevent unauthorized access to the systems and resources within the more sensitive areas. The inclusion of a proper firewall or firewall environment can therefore provide an additional layer of security that would not otherwise be available.

An Internet firewall is a system or group of systems that enforces a security policy between an organization's network and the Internet. The firewall determines which inside services may be accessed from the outside, which outsiders are permitted access to those inside services, and which outside services may be accessed by insiders. For a firewall to be effective, all traffic to and from the Internet must pass through the firewall, where it can be inspected (Figure 1.1). The firewall must permit only authorized traffic to pass, and the firewall itself must be immune to penetration. A firewall cannot offer any protection once an attacker has gotten through or around it. It is important to note that an Internet firewall is not just a router, a bastion host, or a combination of devices that provides security for a network. The firewall is part of an overall security policy that creates a perimeter defense designed to protect the information resources of the organization. This security policy must include published security guidelines to inform users of their responsibilities; corporate policies defining network access, service access, local and remote user authentication, dial-in and dial-out, disk and data encryption, and virus protection measures; and employee training. All potential points of network attack must be protected with the same level of network security. Setting up an Internet firewall without a comprehensive security policy is like placing a steel door on a tent. [1]

Figure 1.1 Security Policy Creates a Perimeter Defense

1.1. Why we need secure networks

In recent years organizations have become increasingly dependent on the Internet for communications and research.
Regardless of the organization type, users on private networks are demanding access to Internet services such as Internet mail, Telnet and the File Transfer Protocol. In addition, because the Internet is a powerful and easily available medium, many organizations use it for business transactions. The Internet has also opened possibilities for efficient use and availability of shared resources across a multi-platform computing environment. The explosion of the World Wide Web is responsible, in large part, for the further tremendous growth of the Internet and for even greater needs to access it. With the spread of Internet protocols and applications, there has been a growth in their abuse as well. An organization's dependence on the Internet has changed the potential vulnerability of its assets, and security has become one of the primary concerns when an organization connects its private network to the Internet. Connection to the Internet exposes an organization's private data and networking infrastructure to Internet intruders. Many organizations keep some of their most important data, such as financial records, research results and designs of new products, on computers that are attractive to attackers on the Internet. A wide variety of threats face computer systems and the information they process, and these can result in significant financial and information losses. Security is concerned with making sure that "nosy" people cannot break into the organization's private network, read or steal confidential data or, worse yet, modify it in order to sabotage the organization. It also deals with other types of attacks, such as service interruption, interception of sensitive e-mail or data in transit, and unauthorized use of computing resources. Most network-based computer security crimes go unreported, because companies do not want to reveal that their computer systems and data have been compromised.
Even if a company's data isn't damaged and attackers didn't actually do anything to the computer infrastructure, there are serious consequences of breaches. The most serious is the loss of people's confidence in that organization.

1.2. Security problems

The Internet suffers from severe security-related problems. Some of the problems are a result of inherent vulnerabilities in the TCP/IP services and the protocols that the services implement, while others are a result of the complexity of host configuration and of vulnerabilities introduced in the software development process. These and a variety of other factors have all contributed to making unprepared sites open to Internet attackers [2]. Internet attacks range from simple probing to extremely sophisticated forms of information theft. The TCP/IP protocol suite, which is very widely used today, has a number of serious security flaws. Some of these flaws exist because hosts rely on the IP source address for authentication, while others exist because network control mechanisms have minimal or non-existent authentication [3]. Unfortunately, some individuals have taken advantage of these weaknesses in the TCP/IP protocol suite and have launched a variety of attacks based on them. Some of these attacks are:

- TCP Initial Sequence Number (ISN) guessing: When a virtual circuit is created in a TCP environment, the two hosts need to synchronize the Initial Sequence Number (ISN). However, there is a way for an intruder to predict the ISN and construct a TCP packet sequence without ever receiving any responses from the server. This allows an intruder to spoof a trusted host on a local network. The replies are received by the real host, which will attempt to reset the connection unless the intruder has first silenced it (for example by flooding it). Prediction of the ISN is possible because in Berkeley systems the ISN variable is incremented by a constant amount once per second, and by half that amount each time a connection is initiated. Thus, if one initiates a legitimate connection and observes the ISN used, one can calculate, with a high degree of confidence, the ISN that will be used on the next connection attempt. Modern stacks make the ISN unpredictable per connection (RFC 6528) precisely to defeat this.

- Source IP address spoofing attacks: Every IP packet contains the addresses of the sender and the intended receiver. Some applications only accept packets from "trusted" hosts, a determination made by examining the source address carried in the packet. Unfortunately, there is little in most TCP/IP software implementations that would prevent someone from placing any address they want in the packet's source address field, thus fooling the target machine into believing that the packets come from a trusted machine.

- Source routing attacks: The source station can specify, in the IP options of a TCP open request, the route that the return traffic should take.
Combined with a spoofed source address, this lets the attacker choose a return route that passes through a host it controls, so the replies reach the attacker rather than the real station whose address was spoofed. Firewalls and boundary routers should therefore drop source-routed packets.

- TCP synchronization (SYN) flooding: In a SYN flooding attack, the attacking host continuously sends thousands of connection setup requests (SYN segments) each second, typically with spoofed source addresses. The destination host responds with a SYN-ACK for every request, allocates state for the half-open connection, and waits for confirmations that are never going to come. The target host is essentially frozen: it spends all its processing time and connection resources on the illegitimate requests and cannot effectively handle a legitimate connection.

- Tiny fragment attack: For this type of attack, the intruder uses the IP fragmentation feature to create extremely small fragments and force the TCP header information into a separate fragment. Because many router and firewall filters only act on the first fragment of a larger message, and take no action on fragments that contain the remainder of the message, if the first fragment is accepted all other fragments are also allowed to pass. Filters should therefore enforce a minimum size for the first fragment and drop fragments that would overlap the transport header (RFC 1858).

1.3. Security policy

Before implementing any security tools, software, or hardware, an organization must have a security plan. A site security plan can be developed only after an organization has determined what it needs to protect and the level of protection that it needs. Request for Comments (RFC) 1244, the Site Security Handbook (since superseded by RFC 2196), provides guidance to site administrators on how to deal with security issues on the Internet [3]. A security policy is an overall scheme needed to prevent unauthorized users from accessing resources on the private network, and to protect against unauthorized export of private information. A security policy must be part of an overall organizational security scheme; that is, it must obey the existing policies, regulations and laws to which the organization is subject.
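To make the ISN-guessing attack from the list in section 1.2 concrete, here is an added example (not part of the original paper) that simulates the Berkeley-style generator the text describes and the arithmetic an attacker uses to predict the next ISN after observing one. The increments of 128 per second and 64 per connection are the classic 4.2BSD values; the clock is simulated so the run is deterministic, and the seed value is arbitrary. RandomIsnGenerator shows the modern counter-measure, an unpredictable per-connection ISN as RFC 6528 recommends, in its simplest form.

```python
"""
Added example: 4.2BSD-style predictable TCP ISN generation and how an
attacker who observed one ISN predicts the next. The generator advances by
a constant amount every second and by half that amount per connection, as
the text states. Values are constructed; the clock is simulated.
"""
import secrets

PER_SECOND = 128       # increment applied once per second
PER_CONNECTION = 64    # increment applied for every new connection
MASK32 = 0xFFFF_FFFF   # ISNs are 32-bit values


class BsdIsnGenerator:
    """Predictable ISN source, as in the historical Berkeley TCP stack."""

    def __init__(self, seed: int = 0x1234_5678) -> None:   # seed is arbitrary
        self.counter = seed & MASK32
        self.now = 0                     # simulated uptime in seconds

    def tick(self, seconds: int) -> None:
        """Advance the simulated clock; the counter grows linearly with time."""
        self.now += seconds
        self.counter = (self.counter + seconds * PER_SECOND) & MASK32

    def new_connection(self) -> int:
        """Hand out the ISN for a new connection and bump the counter."""
        isn = self.counter
        self.counter = (self.counter + PER_CONNECTION) & MASK32
        return isn


class RandomIsnGenerator:
    """Counter-measure: an ISN that cannot be derived from an earlier one."""

    def tick(self, seconds: int) -> None:
        pass                              # time does not leak into the ISN

    def new_connection(self) -> int:
        return secrets.randbits(32)


def predict_next_isn(observed_isn: int, seconds_elapsed: int,
                     other_connections: int = 0) -> int:
    """
    Attacker's arithmetic. `observed_isn` was seen on the attacker's own
    legitimate connection; the victim's next ISN is that value plus one
    per-connection step for the observed connection, one for each of the
    `other_connections` opened meanwhile, and one per-second step for every
    second that has passed.
    """
    delta = (PER_CONNECTION * (1 + other_connections)
             + PER_SECOND * seconds_elapsed)
    return (observed_isn + delta) & MASK32


def demo(victim=None):
    """
    Observe one ISN, wait three seconds, predict the next one and return
    (predicted, actual). With the BSD generator the two agree; with the
    random generator the prediction is useless.
    """
    victim = victim if victim is not None else BsdIsnGenerator()
    victim.tick(10)                       # some uptime before the attack
    observed = victim.new_connection()    # attacker's probe connection
    victim.tick(3)                        # attacker waits 3 s; nobody else connects
    predicted = predict_next_isn(observed, seconds_elapsed=3)
    actual = victim.new_connection()      # ISN the victim really uses next
    return predicted, actual


if __name__ == "__main__":
    for gen in (BsdIsnGenerator(), RandomIsnGenerator()):
        p, a = demo(gen)
        print(f"{type(gen).__name__}: predicted {p:#010x}, actual {a:#010x}, "
              f"match={p == a}")
```

The prediction only has to be close, not exact: the attacker can send several spoofed ACKs covering a small window of candidate values, which is why linear generators were abandoned.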
A site security policy is needed to establish how both internal and external users interact with a company's computer network, how the network topology within an organization will be implemented, and where computer equipment will be located. One of the goals of a security policy should be to define procedures to prevent and respond to security incidents. It is very important that once a security policy is developed and in place, everyone in the organization practices it.

Stance

A key decision when developing a security policy is the stance of the firewall design. The stance is the attitude of the designers. It is determined by the cost of failure of the firewall and the designers' estimate of the likelihood of that failure. It is also based on the designers' opinions of their own abilities. At one end of the scale is a philosophy that says, "We'll run it unless you can show me that it's broken." People at the other end say, "Show me that it's both safe and necessary; otherwise, we won't run it." Those who are completely off the scale prefer to pull the plug on the network rather than take any risks at all. Such a move is too extreme, but understandable: why would a company risk losing its secrets for the benefits of a network connection? [4]

The stance of a firewall system describes the fundamental security philosophy of the organization. An Internet firewall may take one of two diametrically opposed stances:

- Everything not specifically permitted is denied. This stance assumes that a firewall should block all traffic, and that each desired service or application should be enabled on a case-by-case basis. This is the recommended approach. It creates a very secure environment, since only carefully selected services are supported. The disadvantage is that it places security ahead of ease of use, limiting the number of options available to the user community. [1]

- Everything not specifically denied is permitted. This stance assumes that a firewall should forward all traffic, and that each potentially harmful service should be shut off on a case-by-case basis. This approach creates a more flexible environment, with more services available to the user community. The disadvantage is that it puts ease of use ahead of security, putting the network administrator in a reactive mode and making it increasingly difficult to provide security as the size of the protected network grows. [1]

2. THE FIREWALL

A number of the security problems with the Internet mentioned in section 1.2 could be reduced through the use of existing techniques and tools. The most widely known and widely used tool to provide protection against unwanted intruders into corporate networks is the firewall [4]. A firewall is not simply a set of hardware components such as a router, a host computer, or some combination of these that provides security to a network; rather, it is an approach to security. It helps implement a larger corporate security policy that defines the services and access to be permitted.
Consequently, the various ways of configuring the equipment that composes a firewall system will depend upon a site's particular security policy, budget and overall operation. There are a number of definitions of a firewall. For example, a firewall can be defined as a barrier between two networks that is used as a mechanism to protect an internal network, often called the trusted network, from an external network, called the untrusted network. A firewall system is usually located at the point at which the protected internal network and a public network, such as the Internet, connect (Figure 2.1). The main function of a firewall is to centralize access control at the Internet connection. With this in mind it is clear that a firewall simplifies security management, since network security is consolidated on the firewall system rather than being distributed to every host in the entire private network. It can also be used to completely hide the users on the private network from the external network. The firewall system is responsible for allowing access to authorized individuals and at the same time for shielding a site from protocols and services that can be abused from hosts outside the private network. Thus rules defining authorized traffic, specified by the private network administrator, should be configured on the firewall and enforced by it. Any traffic not specifically authorized according to these rules must be blocked by the firewall. Of course, for a firewall to be effective, all traffic to and from the Internet must pass through the firewall, where it can be examined. The firewall itself should also be secure and immune to penetration [2].

Figure 2.1. Schematic of firewall

Firewall systems can be deployed within private networks as well. In such cases the firewall will protect parts of the internal network from other parts of that same network, rather than from the Internet.
This is very useful because not everyone in an organization needs access to the same services and data, and some subnets of an organization need a higher level of security. A firewall deployed within a corporate network will prevent unauthorized access to particular subnets, workgroups, or LANs, such as the accounting workgroup or the research and development department, from the rest of the network. This is particularly important because many sources claim that 70 percent of all security problems originate from inside an organization. Today, most firewall systems use one or more of three types of firewall technology: packet filtering, circuit gateways and application gateways [4]. We will discuss all of them in more detail in the next chapter. There are different implementations of firewalls that can be arranged in different ways. Historically there have been two approaches to firewall security. One approach held that an adequate level of security could be achieved using the packet filters available in most routers. The other, and the more accepted approach in today's world, suggested that packet filtering could be used, but only in conjunction with proxy systems and proper authentication.

2.1 Basic Firewall Design Decisions

When designing an Internet firewall, there are a number of decisions that must be addressed by the network administrator:

- The stance of the firewall
- The overall security policy of the organization
- The financial cost of the firewall
- The components or building blocks of the firewall system [1]

2.2. Firewall Policy

A firewall policy dictates how the firewall should handle application traffic such as web, e-mail, or telnet. The policy should describe how the firewall is to be managed and updated. Before a firewall policy can be created, some form of risk analysis must be performed on the applications that are necessary for the accomplishment of the organization's mission. The results of this analysis will include a list of the applications and how those applications will be secured. The process for creating this list is not detailed here; however, it requires knowledge of the vulnerabilities associated with each application and the cost-benefits associated with the methods used for securing the applications. Risk analysis of the organization's information technology infrastructure should be weighed based on an evaluation of the following elements: threats, vulnerabilities, the countermeasures in place to mitigate vulnerabilities, and the impact if sensitive data is compromised. The goal is to understand and evaluate these elements prior to establishing a firewall policy. The result of the risk analysis will dictate the manner in which the firewall system handles network application traffic. The details of which applications can traverse a firewall, and under what exact circumstances such activities can take place, should be documented in the form of an applications traffic matrix, as shown in Table 4.1.
The steps involved in creating a firewall policy are as follows:

- Identification of network applications deemed necessary,
- Identification of vulnerabilities associated with those applications,
- Cost-benefit analysis of methods for securing the applications,
- Creation of an applications traffic matrix showing the protection method, and

Testing Firewall Policy

Policies are implemented every day, but they are rarely checked and verified. For nearly all companies or agencies, firewall and security policies should be audited and verified at least quarterly. In most cases, a firewall policy can be verified using one of two methodologies. The first methodology, and by far the easiest, is to obtain hardcopies of the firewall configurations and compare them against the expected configuration based on the defined policy. All organizations, at a minimum, should perform this type of review. The second methodology involves actual in-place configuration testing. Here the organization uses tools that assess the configuration of a device by attempting to perform operations that should be prohibited. Although these reviews can be completed with public-domain tools, many organizations, especially those subject to regulatory requirements, will choose to employ commercial tools. While the second methodology is more rigorous, both methodologies should be employed. The goal is to make sure that the firewalls (as well as any other security-related devices) are configured exactly as they should be, based upon the written policy. It is also important that the firewall system itself be tested using security assessment tools. These tools should be used to examine the underlying firewall operating system, as well as the firewall software and its implementation.
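The first verification methodology above, comparing the configuration hardcopy against the applications traffic matrix, is easy to automate, and automating it catches a class of error a visual comparison misses: a rule that is present in the listing but unreachable because an earlier, broader rule matches first. The following is an added example (not the paper's own code, and not a real device's output): EXPECTED_MATRIX plays the role of the applications traffic matrix of Table 4.1, CONFIG_DUMP is a constructed listing in a simplified Cisco-like ACL syntax with three deliberate deviations, and the addresses are from the documentation range 203.0.113.0/24.

```python
"""
Added example: audit a firewall configuration dump against the expected
applications traffic matrix. The ACL syntax is a simplified, vendor-like
form chosen for the example; EXPECTED_MATRIX and CONFIG_DUMP are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str               # "any", a host address, or "network wildcard"
    dst: str
    port: Optional[int]    # destination port; None means any port


# Expected policy, one line per application. Stance: deny unless permitted.
EXPECTED_MATRIX: List[Tuple[str, Rule]] = [
    ("HTTPS to public web server", Rule("permit", "tcp", "any", "203.0.113.10", 443)),
    ("SMTP to mail relay",         Rule("permit", "tcp", "any", "203.0.113.25", 25)),
    ("DNS to external resolver",   Rule("permit", "udp", "any", "203.0.113.53", 53)),
    ("Telnet from anywhere",       Rule("deny",   "tcp", "any", "any", 23)),
]

# Constructed "hardcopy" of the running configuration (contains deviations).
CONFIG_DUMP = """\
! Internet-facing interface, inbound
access-list 101 permit tcp any host 203.0.113.10 eq 443
access-list 101 permit tcp any host 203.0.113.10 eq 80
access-list 101 permit tcp any host 203.0.113.25 eq 25
access-list 101 permit udp any host 203.0.113.53 eq 53
access-list 101 permit tcp any any eq 23
access-list 101 deny tcp any any eq 23
access-list 101 deny ip any any
"""


def _take_addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def parse_config(text: str) -> List[Rule]:
    """Turn the ACL listing into an ordered list of Rule objects."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue                              # comments, unrelated lines
        src, i = _take_addr(t, 4)
        dst, i = _take_addr(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        rules.append(Rule(t[2], t[3], src, dst, port))
    return rules


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by rule b is also matched by rule a."""
    return ((a.proto == "ip" or a.proto == b.proto)
            and a.src in ("any", b.src)
            and a.dst in ("any", b.dst)
            and a.port in (None, b.port))


def audit(expected: List[Tuple[str, Rule]], configured: List[Rule]) -> List[str]:
    """Compare the running configuration against the traffic matrix."""
    findings = []
    expected_rules = {r for _, r in expected}
    for name, rule in expected:
        if rule not in configured:
            findings.append(f"MISSING: {name}")
            continue
        idx = configured.index(rule)
        # First-match semantics: an earlier, broader rule with the opposite
        # action makes this rule unreachable even though it is "present".
        for earlier in configured[:idx]:
            if earlier.action != rule.action and covers(earlier, rule):
                findings.append(f"SHADOWED: {name} by {earlier}")
                break
    for rule in configured:
        if rule.action == "permit" and rule not in expected_rules:
            findings.append(f"UNEXPECTED PERMIT: {rule}")
    if not configured or configured[-1] != Rule("deny", "ip", "any", "any", None):
        findings.append("STANCE: ruleset does not end with an explicit deny ip any any")
    return findings


if __name__ == "__main__":
    for finding in audit(EXPECTED_MATRIX, parse_config(CONFIG_DUMP)):
        print(finding)
```

Run against the constructed dump, the audit reports the shadowed Telnet deny and two permits (port 80, and the Telnet permit that shadows the deny) that appear nowhere in the matrix; a clean configuration produces no findings. The comparison is exact-match on purpose: a rule that is "almost" the expected one is a finding for a human to resolve, not something the script should accept.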
As before, these assessment tools can be public domain or commercial (or both).

Physical Security of the Firewall Environment

The physical security of the firewall, or of the firewall environment, is sometimes overlooked. If the devices are located in a non-secure area, they are susceptible to damage from intruders and at a higher risk of accidental damage. Therefore, firewall devices should be secured behind locked doors. Some organizations locate their firewall environments in secured computing facilities, complete with guards and other physical security alarms. Another factor in physical security is the quality of the electrical and network connections and of environmental control. The firewall facility should have backup power supplies and possibly redundant connections to external networks. Some form of air-conditioning and air filtration is also typically a requirement. Lastly, the firewall facility should be protected, as far as is reasonable, from natural disasters such as fire and flood. Fire suppression systems are usually standard equipment in computing facilities. [11]

2.3 Components of the Firewall System

After making decisions about firewall stance, security policy, and budget issues, the organization can determine the specific components of its firewall system. A typical basic firewall is composed of one or more of the following building blocks:

- Packet-filtering router
- Application-level gateway (or proxy server)
- Circuit-level gateway

Basic firewalls operate on a smaller number of layers; more advanced firewalls cover a larger number of layers. In terms of functionality, firewalls capable of examining a larger number of layers are more thorough and effective. Additional layer coverage also increases the configuration granularity present in the firewall; adding layer awareness allows the firewall to accommodate advanced applications and protocols. Increasing the layers a firewall can examine also allows the firewall to provide services that are very user-oriented, such as user authentication. A firewall that functions at layers 2 and 3 only does not usually deal with specific users, but a higher-end application-proxy gateway firewall can enforce user authentication as well as attribute logged events to specific users. Modern firewalls operate on the OSI model layers shown in Figure 2.1. [11]

Figure 2.1 OSI Layers Operated on by Modern Firewalls

3. TYPES OF FIREWALLS

3.1. Packet filtering firewall

The most basic, fundamental type of firewall is called a packet filter.
Packet filter firewalls are essentially routing devices that include access control functionality for system addresses and communication sessions. The access control functionality of a packet filter firewall is governed by a set of directives collectively referred to as a ruleset. In their most basic form, packet filters operate at Layer 3 (Network) of the OSI model. This basic functionality is designed to provide network access control based upon several pieces of information contained in a network packet:

- The source address of the packet, i.e., the Layer 3 address of the computer system or device the network packet originated from (an IP address).
- The destination address of the packet, i.e., the Layer 3 address of the computer system or device the network packet is trying to reach.
- The type of traffic, that is, the specific network protocol being used to communicate between the source and destination systems or devices (IP at Layer 3 and, within it, the protocol number identifying TCP, UDP, ICMP and so on).
- Possibly some characteristics of the Layer 4 communication sessions, such as the source and destination ports of the sessions (e.g., TCP:80 for the destination port belonging to a web server, TCP:1320 for the source port belonging to a personal computer accessing the server).
- Sometimes, information pertaining to which interface of the router the packet came from and which interface of the router the packet is destined for; this is useful for routers with 3 or more network interfaces, and it is what makes anti-spoofing (ingress) filtering possible.

Packet filter firewalls are commonly deployed within TCP/IP network infrastructures; however, they can also be deployed in any network infrastructure that relies on Layer 3 addressing, including IPX (Novell NetWare) networks. In the context of modern network infrastructures, firewalling at Layer 2 is used in load balancing and/or high-availability applications in which two or more firewalls are employed to increase throughput or for fail-safe operation.

3.1.1. Boundary Routers

Packet filter firewalls have two main strengths: speed and flexibility. Since packet filters do not usually examine data above Layer 3 of the OSI model, they can operate very quickly. Likewise, since most modern network protocols can be accommodated using Layer 3 and below, packet filter firewalls can be used to secure nearly any type of network communication or protocol. This simplicity allows packet filter firewalls to be deployed into nearly any enterprise network infrastructure. An important point is that their speed and flexibility, as well as their capability to block denial-of-service and related attacks, make them ideal for placement at the outermost boundary with an untrusted network. The packet filter, referred to as a boundary router, can block certain attacks, possibly filter unwanted protocols, perform simple access control, and then pass the traffic on to other firewalls that examine higher layers of the OSI stack.

Figure 3.1 Packet Filter used as Boundary Router

Figure 3.1 shows a packet filter used as a boundary router. The router accepts packets from the untrusted network connection, which typically would be another router owned or controlled by the Internet Service Provider (ISP). The router then performs access control according to the policy in place, e.g., block SNMP (Simple Network Management Protocol), permit HTTP (Hypertext Transfer Protocol), etc. It then passes the packets to other, more powerful firewalls for further access control and filtering operations at higher layers of the OSI stack.

Basic Weaknesses Associated with Packet Filters

Packet filter firewalls also possess several weaknesses:

- Because packet filter firewalls do not examine upper-layer data, they cannot prevent attacks that employ application-specific vulnerabilities or functions.
For example, a packet filter firewall cannot block specific application commands; if a packet filter firewall allows a given application, all functions available within that application will be permitted.
- Because of the limited information available to the firewall, the logging functionality present in packet filter firewalls is limited. Packet filter logs normally contain the same information used to make access control decisions (source address, destination address, and traffic type).
- Most packet filter firewalls do not support advanced user authentication schemes. Once again, this limitation is mostly due to the lack of upper-layer functionality in the firewall.
- They are generally vulnerable to attacks and exploits that take advantage of problems within the TCP/IP specification and protocol stack, such as network layer address spoofing. Many packet filter firewalls cannot detect a network packet in which the OSI Layer 3 addressing information has been altered. Spoofing attacks are generally employed by intruders to bypass the security controls implemented in a firewall platform. The one check a packet filter can make is topological: a packet arriving on the external interface with an internal source address is necessarily spoofed and can be dropped.
- Finally, due to the small number of variables used in access control decisions, packet filter firewalls are susceptible to security breaches caused by improper configuration. In other words, it is easy to accidentally configure a packet filter firewall to allow traffic types, sources, and destinations that should be denied based upon an organization's information security policy.

Consequently, packet filter firewalls are very suitable for high-speed environments where logging and user authentication with network resources are not important. Since current firewall technology includes many features and functions, it is difficult to identify a single firewall that contains only packet filter features. The closest example would be a network router employing coded access control lists to handle network traffic.
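The following added example (not from the paper) implements a stateless packet filter of the kind described in section 3.1, so that the strengths and weaknesses listed above can be seen in code. It evaluates a first-match ruleset over the fields the text lists (source, destination, protocol, ports, arrival interface) and performs the two checks a boundary router can make without any connection state: the topological anti-spoofing check, and the RFC 1858 tiny-fragment rules from section 1.2. The protected prefix and the hosts are documentation addresses, the packets are constructed test data, and the 16-byte minimum first-fragment size is an assumed tuning value.

```python
"""
Added example: a stateless packet filter with first-match rules, ingress
anti-spoofing and RFC 1858 fragment checks. Networks and packets are
constructed; TMIN is an assumed tuning value.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

INSIDE_NET = ip_network("203.0.113.0/24")   # the protected network
TMIN = 16   # bytes of TCP header a first fragment must carry (assumed)


@dataclass(frozen=True)
class Packet:
    iface: str                   # "outside" or "inside": arrival interface
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    frag_offset: int = 0         # in 8-byte units, as in the IP header
    transport_len: int = 40      # bytes of transport header+data in this fragment


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    iface: str                   # "outside", "inside" or "any"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    src: str                     # CIDR prefix
    dst: str                     # CIDR prefix
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.iface in ("any", p.iface)
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.dport in (None, p.dport))


# Boundary-router policy: web and mail in, SNMP never, inside may go out,
# everything else denied by the implicit final rule.
RULESET: List[Rule] = [
    Rule("deny",   "outside", "udp", "0.0.0.0/0", "0.0.0.0/0", 161),   # SNMP
    Rule("permit", "outside", "tcp", "0.0.0.0/0", "203.0.113.10/32", 80),
    Rule("permit", "outside", "tcp", "0.0.0.0/0", "203.0.113.25/32", 25),
    Rule("permit", "inside",  "any", "203.0.113.0/24", "0.0.0.0/0"),
]


def filter_packet(p: Packet, ruleset: List[Rule] = RULESET) -> Tuple[str, str]:
    """Return (verdict, reason). Sanity checks run before the ruleset."""
    # Anti-spoofing: a packet from the outside cannot legitimately carry an
    # inside source address, whatever the rules say.
    if p.iface == "outside" and ip_address(p.src) in INSIDE_NET:
        return "deny", "spoofed internal source on external interface"
    # RFC 1858: a first fragment too small to hold the TCP header, or a
    # second fragment that would overwrite it, is dropped.
    if p.proto == "tcp" and p.frag_offset == 0 and p.transport_len < TMIN:
        return "deny", "tiny first fragment (RFC 1858)"
    if p.proto == "tcp" and p.frag_offset == 1:
        return "deny", "fragment overlapping the TCP header (RFC 1858)"
    if p.frag_offset > 1:
        # Ports live only in the first fragment; a stateless filter has
        # nothing to match on here, which is the weakness the text describes.
        return "permit", "non-first fragment passed without port check"
    for rule in ruleset:                 # first match wins
        if rule.matches(p):
            return rule.action, f"matched {rule.action} rule for dport={rule.dport}"
    return "deny", "default deny"


# Constructed traffic: documentation addresses only.
SAMPLE_PACKETS = [
    Packet("outside", "198.51.100.7", "203.0.113.10", "tcp", 40000, 80),
    Packet("outside", "203.0.113.5",  "203.0.113.10", "tcp", 40000, 80),
    Packet("outside", "198.51.100.7", "203.0.113.10", "udp", 40000, 161),
    Packet("outside", "198.51.100.7", "203.0.113.10", "tcp", 40000, 23),
    Packet("outside", "198.51.100.7", "203.0.113.10", "tcp", 40000, 80, transport_len=8),
    Packet("outside", "198.51.100.7", "203.0.113.10", "tcp", frag_offset=2),
    Packet("inside",  "203.0.113.5",  "198.51.100.7", "tcp", 5000, 443),
]


def demo() -> List[str]:
    """Verdicts for SAMPLE_PACKETS, in order."""
    return [filter_packet(p)[0] for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        verdict, reason = filter_packet(p)
        print(f"{verdict:6} {p.iface:7} {p.src}->{p.dst}:{p.dport} {p.proto}: {reason}")
```

The sixth sample packet shows the limitation rather than a fix: a non-first fragment is passed because the filter cannot see the ports, and only a stateful device that reassembles or tracks fragments can do better. Note also that the anti-spoofing check needs the interface field; a filter that sees only addresses cannot make it.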
The simplicity of packet filter firewalls also easily facilitates the implementation of high-availability and hot failover solutions; several vendors offer hardware and software solutions for both high-availability and hot failover. Most SOHO (Small Office Home Office) firewall appliances and default operating system firewalls are packet filter firewalls.

3.2 Stateful Inspection Firewalls

Stateful inspection firewalls are packet filters that incorporate added awareness of the OSI model data at Layer 4. Stateful inspection evolved from the need to accommodate certain features of the TCP/IP protocol suite that make firewall deployment difficult. When a TCP (connection-oriented transport) application creates a session with a remote host system, a port is also created on the source system for the purpose of receiving network traffic from the destination system. According to the TCP specifications, this client source port will be some number greater than 1023 and less than 65536. By convention, the destination port on the remote host will likely be a low-numbered port, less than 1024. A stateless packet filter must permit inbound network traffic on all of these high-numbered ports for connection-oriented transport to occur, i.e., for the return packets from the destination system to get through. Opening this many ports creates an immense risk of intrusion by unauthorized users who may employ a variety of techniques to abuse the expected conventions (the classic example being a scan whose probes carry the ACK flag so that they look like return traffic). In essence, stateful inspection firewalls add Layer 4 awareness to the standard packet filter architecture: they record each connection the policy allowed to be opened in a state table, and admit return traffic only if it matches an entry in that table. Stateful inspection firewalls share the strengths and weaknesses of packet filter firewalls, but due to the state table implementation, stateful inspection firewalls are generally considered to be more secure than packet filter firewalls. A stateful inspection firewall also differs from a packet filter firewall in that stateful inspection is useful or applicable only within TCP/IP network infrastructures. Stateful inspection firewalls can accommodate other network protocols in the same manner as packet filters, but the actual stateful inspection technology is relevant only to TCP/IP.
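The state table is what lets a stateful inspection firewall close the high-numbered ports that a stateless filter has to leave open. The added example below (not from the paper) implements one for TCP under the policy "inside hosts may open connections to the outside; the outside may open nothing": an inside-originated SYN creates an entry, the matching SYN-ACK promotes it, and anything that matches no entry is dropped, including SYN-ACK and ACK probes to high ports that a stateless "established" rule would pass. Addresses are documentation prefixes, the segment trace is constructed, and the two timeouts are assumed tuning values.

```python
"""
Added example: a minimal TCP state table of the kind a stateful inspection
firewall keeps. Policy: inside may initiate, outside may not; return
traffic is admitted only for tracked connections. Trace and addresses are
constructed; the timeouts are assumed values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

INSIDE_NET = ip_network("203.0.113.0/24")
HALF_OPEN_TIMEOUT = 60     # seconds a SYN may wait for its SYN-ACK (assumed)
IDLE_TIMEOUT = 3600        # seconds an established flow may stay silent (assumed)


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str             # subset of "SAFR": SYN, ACK, FIN, RST


class StatefulFirewall:
    def __init__(self) -> None:
        # (client, client_port, server, server_port) -> (state, last_seen)
        self.table: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def _purge(self, now: int) -> None:
        """Expire half-open entries quickly, idle established ones slowly."""
        for key, (state, seen) in list(self.table.items()):
            limit = HALF_OPEN_TIMEOUT if state == "SYN_SENT" else IDLE_TIMEOUT
            if now - seen > limit:
                del self.table[key]

    def inspect(self, seg: Segment, now: int) -> str:
        """Return 'permit' or 'deny' for one segment and update the table."""
        self._purge(now)
        fwd = (seg.src, seg.sport, seg.dst, seg.dport)   # client -> server
        rev = (seg.dst, seg.dport, seg.src, seg.sport)   # server -> client

        if fwd in self.table:
            key, direction = fwd, "fwd"
        elif rev in self.table:
            key, direction = rev, "rev"
        else:
            # New flow: only an inside-originated SYN may create state.
            if ip_address(seg.src) in INSIDE_NET and seg.flags == "S":
                self.table[fwd] = ("SYN_SENT", now)
                return "permit"
            return "deny"         # unsolicited, including ACK-only probes

        state, _ = self.table[key]
        if "R" in seg.flags:      # reset tears the connection down
            del self.table[key]
            return "permit"
        if state == "SYN_SENT":
            if direction == "fwd" and seg.flags == "S":         # SYN retransmit
                pass
            elif direction == "rev" and seg.flags == "SA":      # handshake reply
                state = "ESTABLISHED"
            else:
                return "deny"     # nothing else is expected in this state
        self.table[key] = (state, now)
        return "permit"


def demo() -> List[str]:
    """Run a constructed trace through the firewall; times are seconds."""
    fw = StatefulFirewall()
    client, server, probe = "203.0.113.5", "198.51.100.80", "192.0.2.66"
    trace = [
        (0,   Segment(client, 40000, server, 443, "S")),    # inside opens a connection
        (0,   Segment(client, 40002, server, 25, "S")),     # a second one that never completes
        (1,   Segment(server, 443, client, 40000, "SA")),   # expected reply
        (1,   Segment(client, 40000, server, 443, "A")),    # handshake completes
        (2,   Segment(probe, 443, client, 40001, "SA")),    # unsolicited SYN-ACK to a high port
        (2,   Segment(probe, 12345, client, 40000, "A")),   # ACK-flag scan probe
        (3,   Segment(probe, 5555, client, 22, "S")),       # inbound connection attempt
        (61,  Segment(server, 25, client, 40002, "SA")),    # SYN-ACK after half-open timeout
        (100, Segment(server, 443, client, 40000, "A")),    # data on the live connection
    ]
    return [fw.inspect(seg, t) for t, seg in trace]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The fifth and sixth segments are the ones a stateless filter gets wrong: both arrive on a high-numbered port with the ACK flag set, exactly like legitimate return traffic, and only the absence of a state-table entry distinguishes them. The short half-open timeout is also the simplest defence against the SYN flooding attack of section 1.2 as seen from the firewall's side, since abandoned entries do not accumulate.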
For this reason, many texts classify stateful inspection firewalls as representing a superset of packet filter firewall functionality.

3.3 Application-Proxy Gateway Firewalls

Application-proxy gateway firewalls are advanced firewalls that combine lower layer access control with upper layer (Layer 7, Application Layer) functionality. Application-proxy gateway firewalls do not require a Layer 3 (Network Layer) route between the inside and outside interfaces of the firewall; the firewall software performs the routing. In the event the application-proxy gateway software ceases to function, the firewall system is unable to pass network packets through the firewall system. All network packets that traverse the firewall must do so under software (application-proxy) control. Each individual application proxy, also referred to as a proxy agent, interfaces directly with the firewall access control ruleset to determine whether a given piece of network traffic should be permitted to transit the firewall. In addition to the ruleset, each proxy agent has the ability to require authentication of each individual network user. This user authentication can take many forms, including the following:

- User ID and password authentication,
- Hardware or software token authentication,
- Source address authentication, and
- Biometric authentication.

Application-proxy gateway firewalls have numerous advantages over packet filter firewalls and stateful inspection packet filter firewalls. First, application-proxy gateway firewalls usually have more extensive logging capabilities because the firewall is able to examine the entire network packet rather than just the network addresses and ports. For example, application-proxy gateway logs can contain application-specific commands within the network traffic.
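The return-traffic problem from the stateful inspection section above, modelled in Python as an added illustration that is not part of the original text: a stateless filter has to accept every inbound packet aimed at a high-numbered client port, whereas a state table admits only packets that reverse a session an inside host opened. The protected network prefix, the hosts, the ports and the packets are all constructed for the example.

```python
"""Stateless vs stateful packet filtering on TCP return traffic.

Added illustration (not from the original text). The protected network,
hosts, ports and packets below are constructed for the example."""
from dataclasses import dataclass

INSIDE_NET = "10.0.0."           # constructed prefix of the protected network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False            # TCP SYN flag
    ack: bool = False            # TCP ACK flag


def inbound(pkt: Packet) -> bool:
    """True when the packet arrives from outside the protected network."""
    return not pkt.src.startswith(INSIDE_NET)


def stateless_filter(pkt: Packet) -> bool:
    """Plain packet filter: decides on the addresses and ports of this packet only.

    Outbound requests to low-numbered server ports are allowed. To let the
    replies back in, the filter must accept every inbound packet aimed at a
    high-numbered (client-side) port, because nothing tells it whether such a
    packet answers a session an inside host opened or is unsolicited."""
    if not inbound(pkt):
        return pkt.dport < 1024
    return pkt.dport > 1023       # the wide-open range the text warns about


class StatefulFilter:
    """Stateful inspection: remembers sessions opened from the inside and
    admits inbound packets only when they belong to one of them."""

    def __init__(self):
        # state table entries: (inside host, inside port, peer, peer port)
        self.table = set()

    def check(self, pkt: Packet) -> bool:
        if not inbound(pkt):
            if pkt.dport < 1024 and pkt.syn and not pkt.ack:
                # new outbound session: record it so its replies may return
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.table
        # inbound: allowed only as the reverse of a recorded session
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


def run_scenario() -> dict:
    """One legitimate web session plus one unsolicited inbound packet to the
    same client port; returns the verdicts of both filters in that order."""
    client, server, outsider = "10.0.0.5", "192.0.2.10", "198.51.100.7"  # constructed
    client_syn = Packet(client, 40000, server, 80, syn=True)
    server_reply = Packet(server, 80, client, 40000, syn=True, ack=True)
    unsolicited = Packet(outsider, 52000, client, 40000, syn=True)
    packets = (client_syn, server_reply, unsolicited)

    stateful = StatefulFilter()
    return {
        "stateless": [stateless_filter(p) for p in packets],
        "stateful": [stateful.check(p) for p in packets],
    }


if __name__ == "__main__":
    labels = ("client SYN", "server reply", "unsolicited to client port")
    for name, verdicts in run_scenario().items():
        print(name, dict(zip(labels, verdicts)))
```

Running it shows both filters passing the client's SYN and the server's reply, but only the stateless filter also passing the unsolicited packet to the same client port.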
Another advantage is that application-proxy gateway firewalls allow security administrators to enforce whatever type of user authentication is deemed appropriate for a given enterprise infrastructure. Application-proxy gateways are capable of authenticating users directly, as opposed to packet filter firewalls and stateful inspection packet filter firewalls, which normally authenticate users based on the network layer address of the system they reside on. Given that network layer addresses can be easily spoofed, the authentication capabilities inherent in the application-proxy gateway architecture are superior to those found in packet filter or stateful inspection packet filter firewalls. Finally, given that application-proxy gateway firewalls are not simply Layer 3 devices, they can be made less vulnerable to address spoofing attacks.

The advanced functionality of application-proxy gateway firewalls also brings several disadvantages when compared to packet filter or stateful inspection packet filter firewalls. First, because of the full packet awareness found in application-proxy gateways, the firewall is forced to spend quite a bit of time reading and interpreting each packet. For this reason, application-proxy gateway firewalls are not generally well suited to high-bandwidth or real-time applications. To reduce the load on the firewall, a dedicated proxy can be used to secure less time-sensitive services such as e-mail and most web traffic. Another disadvantage is that application-proxy gateway firewalls tend to be limited in terms of support for new network applications and protocols. An individual, application-specific proxy agent is required for each type of network traffic that needs to transit the firewall. Most application-proxy gateway firewall vendors provide generic proxy agents to support undefined network protocols or applications. However, those generic agents tend to negate many of the strengths of the application-proxy gateway architecture, since they simply allow traffic to tunnel through the firewall.

3.4 Dedicated Proxy Servers

Dedicated proxy servers differ from application-proxy gateway firewalls in that they retain proxy control of traffic but do not contain firewall capability. They are typically deployed behind traditional firewall platforms for this reason. In typical use, a main firewall might accept inbound traffic, determine which application is being targeted, and then hand off the traffic to the appropriate proxy server, e.g., an e-mail proxy server. The proxy server typically would perform filtering or logging operations on the traffic and then forward it to internal systems. A proxy server could also accept outbound traffic directly from internal systems, filter or log the traffic, and then pass it to the firewall for outbound delivery. An example of this would be an HTTP proxy deployed behind the firewall; users would need to connect to this proxy en route to connecting to external web servers.
Typically, dedicated proxy servers are used to decrease the workload on the firewall and to perform more specialized filtering and logging that otherwise might be difficult to perform on the firewall itself. As with application-proxy gateway firewalls, dedicated proxies allow an organization to enforce user authentication requirements as well as other filtering and logging on any traffic that traverses the proxy server. The implications are that an organization can restrict outbound traffic to certain locations, examine all outbound e-mail for viruses, or restrict internal users from writing to the organization's web server. Security experts have stated that most security problems occur from within an organization; proxy servers can assist in foiling internally based attacks or malicious behavior. At the same time, filtering outbound traffic will place a heavier load on the firewall and increase administration costs.

Figure 3.2 Application Proxy Configuration

In addition to authentication and logging functionality, dedicated proxy servers are useful for web and content scanning, including the following:

- Java applet or application filtering (signed versus unsigned or universal),
- ActiveX control filtering (signed versus unsigned or universal),
- JavaScript filtering,
- Blocking specific Multipurpose Internet Multimedia Extensions (MIME) types, for example application/msword for Microsoft Word documents,
- Virus scanning and removal,
- Macro virus scanning, filtering, and removal,
- Application-specific commands, for example blocking the HTTP delete command, and
- User-specific controls, including blocking certain content types for certain users.

Figure 2.8 shows a sample diagram of a network employing dedicated proxy servers for HTTP and e-mail placed behind another firewall system. In this case, the e-mail proxy could be the organization's SMTP gateway for outbound e-mail. The main firewall would hand off inbound e-mail to the proxy for content scanning, and then the e-mail could be made available to internal users by some means, e.g., POP or IMAP. The HTTP proxy would handle outbound connections to external web servers and possibly filter for active content. Many organizations enable caching of frequently used web pages on the proxy, thereby reducing traffic on the firewall.

3.5 Hybrid Firewall Technologies

Recent advances in network infrastructure engineering and information security have caused a blurring of the lines that differentiate the various firewall platforms discussed earlier. As a result of these advances, firewall products currently incorporate functionality from several different classifications of firewall platforms. For example, many application-proxy gateway firewall vendors have implemented basic packet filter functionality in order to provide better support for UDP (User Datagram Protocol) based applications. Likewise, many packet filter or stateful inspection packet filter firewall vendors have implemented basic application-proxy functionality to offset some of the weaknesses associated with their firewall platform. In most cases, packet filter or stateful inspection packet filter firewall vendors implement application proxies to provide improved network traffic logging and user authentication in their firewalls. Nearly all major firewall vendors have introduced hybridization into their products in some way, shape, or form, so it is not always a simple matter to decide which specific firewall product is the most suitable for a given application or enterprise infrastructure. Hybridization of firewall platforms makes the pre-purchase product evaluation phase of a firewall project important. Supported feature sets, rather than firewall product classification, should drive the product selection.

3.6 Network Address Translation

Network Address Translation (NAT) technology was developed in response to two major issues in network engineering and security. First, network address translation is an effective tool for 'hiding' the network-addressing schema present behind a firewall environment. In essence, network address translation allows an organization to deploy an addressing schema of its choosing behind a firewall, while still maintaining the ability to connect to external resources through the firewall. Second, the depletion of the IP address space has caused some organizations to use NAT for mapping nonroutable IP addresses to a smaller set of legal addresses, according to RFC .

3.7 SOCKS

One of the ways to do proxying is using the SOCKS protocol. SOCKS is an open, industry-standard protocol advanced by the Authenticated Firewall Traversal working group of the Internet Engineering Task Force (IETF). SOCKS is a very robust circuit-level gateway firewall. It was designed to allow TCP-based applications to traverse firewalls in a secure and controlled manner. SOCKS enables easy conversion of existing client/server applications into proxy versions of those same applications [8]. SOCKS establishes a secure proxy data channel between two computers in a client/server environment. The application client makes a request to SOCKS to communicate with the application server. SOCKS then establishes a proxy circuit to the application server and relays the application data between the client and the server. From the client's perspective SOCKS is transparent, while from the server's perspective SOCKS is a client. With SOCKS there is no need for a special application server on the firewall, nor do the users need to perform double connections. However, the user does have to use a specified version of the application client that is SOCKS aware, and there should be a generic SOCKS server to allow the user's intended access. SOCKS is an example of a proxy system that requires a custom client, because it requires a change to all existing client-based software to use the SOCKS libraries, a process known as socksifying.
The SOCKS package includes the following components:

- The SOCKS server, which runs on UNIX systems
- The SOCKS client library for UNIX systems
- SOCKSified versions of several standard UNIX client programs

3.8. Benefits of packet filtering routers

The primary advantages of packet filtering are fast performance, flexibility, and transparency. The packet filtering router does not require specialized user training or cooperation. The end users are unaware of the presence of the firewall and they can use their standard client programs. Packet filtering routers offer minimum security but at very low cost. Low cost comes from the fact that packet filtering capabilities are available in many hardware and software routing products, both available commercially and freely over the Internet. They can be an appropriate choice for a low-risk environment [8].

3.9. Benefits of proxy systems

There are many benefits to the deployment of proxy systems as well. The system administrator has complete control over which services are allowed, since the absence of a proxy for a service means that the service is completely blocked. The firewall can be configured to hide host names and IP addresses behind the firewall, so that all hosts outside the local network see only the gateway. Proxy systems can be used to enforce authentication that will reside only on the gateway, lowering the importance of internal host security. Proxies provide superior logging capability at the application level. Finally, the filtering rules are much simpler for a proxy system than for a packet filtering router.

3.10. Limitations of firewalls

The fact that all the proposed security of the system is based on the security of the firewall is also its weakness. Because of that, it is important to have the firewall correctly administered. One open breach and an intruder can attack whatever system he wants. Another limitation of firewalls is that they cannot protect against attacks that do not pass through the firewall. The centralized choke point that an organization had in mind to establish with the installation of the firewall is useless if there is an effective way for an attacker to go around it. For example, there can be dozens of unsecured dial-up lines from a protected network that can be attacked easily. These types of connections should be forbidden by the organization's security policy, and users should know that they are not allowed to get their own connection to the external world. Firewall systems cannot protect an organization from traitors and inside spies that have their own passwords and access to private network resources, nor from outsiders who stole passwords from legitimate users.
They can easily copy sensitive information onto floppy or zip disks and take them out of the organization.

3.11. Limitations of packet filtering routers

In addition to the previously mentioned limitations common to all firewalls, packet filtering routers have the disadvantage that packet filtering rules become long and complex quickly, making them difficult to manage and thus reducing overall security [8]. Also, the packet filtering rules are very difficult to get right, because people do not usually think in terms of packets, IP addresses or port numbers. Not only are packet filters difficult to configure correctly, but they are also easy to get wrong, allowing unintentional access to the private network. Once configured, it is hard to test rule implementations. Another limitation is that some protocols are difficult or impossible to allow safely with packet filtering only. Packet filtering routers provide little or no useful logging, and strong user authentication is not supported by some packet filtering routers.

3.12. Limitations of proxy systems

Probably the greatest limitation of proxy systems is that they either require users to use modified clients (separate software has to be installed for each of the services that users need), or may force users to change their normal work pattern by adding steps when making the connection. Another difficulty arises when a new service of interest to an organization is not supported by a proxy. In such cases an organization has to deny the service until the firewall vendor develops a secure proxy for that particular service. Clearly, new services may not be introduced to an organization's users on a timely basis. Also, proxy systems are more expensive than packet filtering routers.

4. FIREWALL ARCHITECTURE

4.1. Introduction

Having introduced the principles underlying packet filter and proxy systems, we can now observe how these components can be configured to build an effective Internet firewall system.
Those components can be used either alone or together, and there is a lot of flexibility in how they can be combined. It is important, though, that the potential benefits and drawbacks of possible architectures are explored before they are implemented. There is no single correct answer for the design and deployment of Internet firewalls for every organization. Only after making decisions about the security policy, the technical background of its staff, budget issues, and the possible threat of attacks can the organization make a decision about the specific components of its firewall system. Although there is a lot of variation in architectures, the most common are:

- Dual-homed hosts,
- Screened hosts, and
- Screened subnets.

4.2. Dual-homed hosts

Dual-homed host is a TCP/IP term that refers to a host with two network interface cards (NICs), one for each required interface. Each NIC is connected to a network and has its own IP address, as shown in Figure 4.1. The dual-homed host could act as a router between the networks these interfaces are attached to. However, to implement a dual-homed host type of firewall architecture, the host's IP routing capability should be disabled. If the IP forwarding capability is disabled, the host can provide network traffic isolation between the two networks it connects to. Systems on both sides of the firewall can communicate with the dual-homed host, but there is no exchange of network traffic between the two networks. Because dual-homed hosts allow absolutely no direct access to internal networks, they provide a very high level of control. A dual-homed host can provide access to network services only by proxying them or by having users log into the dual-homed host. Dual-homed hosts that do not use proxy services require users to have accounts on the gateway for access to the Internet. This is not recommended and can present security problems by itself, as having multiple user accounts on a firewall can lead to user mistakes and consequently to intruder attacks. Allowing access to Internet services on the dual-homed host is less problematic and safer when proxies are set up. This type of firewall implements the following security stance: all services that are not specifically permitted are prohibited, since no services can pass the dual-homed host except those for which proxies are established. This approach has the same disadvantages as proxy systems, i.e. proxies may not be available for all services an organization might be interested in. To increase protection of the private network, two-stage security can be established. In addition to an application-level gateway, a packet filtering router can be placed between the Internet and the private network.
The network between the packet filtering router and the gateway is called a screened subnet. On the screened subnet are usually placed information servers such as e-mail, Gopher, or WWW machines that are open to outside users (Figure 4.1.). This ability of the screened subnet to isolate traffic concerned with an information server from the other traffic of the site adds to security, because the dual-homed host would prevent intruders from further attacking site systems, although they could possibly break into the information server.

Figure 4.1. Dual-homed host firewall with router

4.3. Screened hosts

The screened host firewall combines a packet filtering router and an application gateway which has only one network interface [7]. The packet filtering router is placed between the internal and external network as a first line of defense. The application gateway is configured with only one network interface card, which is connected to the internal network (Figure 4.2.). The packet filtering router is configured in such a way that it sends all traffic received from the external network to the application gateway first. Only traffic that passes the filtering rules imposed by the screening router would be delivered to the application gateway. However, the screened host firewall can be made more flexible by permitting the packet filtering router to pass certain trusted services directly to the internal network. Configured this way, the screened host firewall is more flexible than the dual-homed host firewall, although at some expense to security [8]. The applications that may be considered trusted might be those for which a proxy service does not exist or those for which the risk of using such services has been evaluated and found acceptable. For example, services such as Network Time Protocol, which is considered low-risk, could be allowed. It is also fairly common to allow Domain Name Service so that hosts on the inside of the packet filter can access Internet services.
It is possible to combine these two approaches for different services. Some trusted services may be allowed directly via packet filtering as mentioned above, while others may be permitted only indirectly: they have to pass through the application gateway first. Implementation of a particular service depends on the organization's security policy. Consequently, the packet filtering router has to filter application traffic according to the following rules:

- Inbound traffic from Internet hosts to the application gateway is passed
- Inbound trusted traffic is passed directly to the intended internal host
- All other inbound traffic is rejected
- The router rejects any outbound traffic that did not come from the application gateway

As we mentioned before, rules for the packet filtering router can be complex and difficult to get right. However, in the case of the screened subnet architecture, the router only needs to limit traffic to the application gateway. Because of this, rules for the packet filtering router don't have to be as complex as if the packet filter were used alone.

Figure 4.2. A screened host architecture

4.4. Screened subnet

The screened subnet architecture employs two packet filtering routers and a bastion host. This firewall system creates the most secure firewall system architecture by adding an exterior router to the screened host architecture that further isolates the internal network from the Internet. To break into the internal network with this type of architecture, an attacker would have to get past both routers, meaning that even if the bastion host is breached, the intruder would still have to break through the interior router (see Figure 4.3). In Figure 4.3, two routers are used to create an inner, screened subnet. The screened subnet functions as a small, isolated network positioned between the Internet and the private network. Although both the untrusted external network and the internal network can access the screened subnet, no network traffic can flow between them through the screened subnet. This subnet is sometimes referred to as the 'demilitarized zone' (DMZ) network. The DMZ network houses the bastion host, information servers, modem pools, and other public servers. The external router could be set up to advertise only the DMZ network to the Internet, i.e. the bastion host, information servers and other public servers would be the only systems known from the Internet. This ensures that the private network is 'invisible' and that it cannot be known to the Internet via routing table and DNS information exchange.
Inside routers, on the other hand, advertise the DMZ network only to the private network. Because the systems on the private network do not have direct routes to the Internet, they can access the Internet only via the proxy services residing on the bastion host. The exterior router protects both the DMZ network and the internal network from incoming traffic. It protects against standard attacks such as IP address spoofing, source routing attacks, etc., and manages Internet access to the DMZ network. The outer router permits inbound e-mail and application traffic to the bastion host only. It is possible, though, that FTP, WWW and other such information inquiries may go directly to the information server without going through the bastion host first. Any other inbound traffic is rejected. For the outbound traffic it is just the opposite: all outbound traffic to the Internet is routed, but any traffic intended for an inside host is rejected. The inside router provides a second line of defense, managing DMZ access to the private network. It permits inbound traffic that originates from the bastion host only. All other traffic, such as FTP and WWW, is directed by the external router to the bastion host or to the appropriate information server. Accordingly, all such traffic on the inside router will be rejected. The outbound traffic is directed only to the bastion host, or possibly to the information server [8].

Figure 4.2. Screened subnet architecture

Screened subnets are more secure than screened hosts because of the additional DMZ network. However, screened subnets can be made to allow the same 'trusted' applications to bypass the bastion host, thereby subverting the policy. Another disadvantage of screened subnets is their dependence on routers for a large portion of the security provided. As noted earlier, packet filtering routers are sometimes complex to configure and potential mistakes can open security holes.
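The exterior and interior router rules of the screened subnet described above, modelled in Python as an added example that is not the paper's own code. The address plan, the bastion and information server addresses, the ports passed straight to the information server and the sample traffic are constructed assumptions; the zone names follow the text's Internet / DMZ / private network.

```python
"""Screened subnet (DMZ) policy modelled as two packet filtering routers.

Added illustration, not the paper's own code. The address plan, the bastion
and information server addresses and the ports passed straight to the
information server are constructed assumptions."""
from ipaddress import ip_address, ip_network

PRIVATE = ip_network("10.0.0.0/24")          # constructed private network
DMZ = ip_network("192.0.2.0/24")             # constructed screened subnet
BASTION = ip_address("192.0.2.10")           # bastion host in the DMZ
INFO_SERVER = ip_address("192.0.2.20")       # public FTP/WWW information server
INFO_PORTS = {21, 80}                        # FTP and WWW, per the text


def zone(addr: str) -> str:
    """Classify an address as 'private', 'dmz' or 'internet'."""
    a = ip_address(addr)
    if a in PRIVATE:
        return "private"
    if a in DMZ:
        return "dmz"
    return "internet"


def exterior_router(src: str, dst: str, dport: int) -> bool:
    """Router between the Internet and the DMZ."""
    if zone(src) == "internet":
        d = ip_address(dst)
        if d == BASTION:
            return True                     # application traffic to the bastion only
        if d == INFO_SERVER and dport in INFO_PORTS:
            return True                     # FTP/WWW may go straight to the info server
        return False                        # everything else inbound, including anything
                                            # addressed to the private network, is rejected
    if zone(dst) == "internet":
        return True                         # all outbound traffic to the Internet is routed
    return False                            # traffic intended for an inside host is rejected


def interior_router(src: str, dst: str, dport: int) -> bool:
    """Router between the DMZ and the private network."""
    if zone(dst) == "private":
        return ip_address(src) == BASTION   # inbound only if it originates from the bastion
    if zone(src) == "private":
        # outbound goes only to the bastion's proxies or the information server
        return ip_address(dst) in (BASTION, INFO_SERVER)
    return False


# Which routers a packet crosses, in order, for each (source zone, destination zone).
PATHS = {
    ("internet", "private"): (exterior_router, interior_router),
    ("private", "internet"): (interior_router, exterior_router),
    ("internet", "dmz"): (exterior_router,),
    ("dmz", "internet"): (exterior_router,),
    ("dmz", "private"): (interior_router,),
    ("private", "dmz"): (interior_router,),
}


def traverse(src: str, dst: str, dport: int):
    """Return the name of the first router that rejects the packet, or None
    if every router on its path passes it."""
    for router in PATHS.get((zone(src), zone(dst)), ()):
        if not router(src, dst, dport):
            return router.__name__
    return None


if __name__ == "__main__":
    internet_host, private_host = "203.0.113.9", "10.0.0.5"   # constructed
    cases = [
        ("Internet -> private host, port 22", internet_host, private_host, 22),
        ("Internet -> bastion, port 25", internet_host, str(BASTION), 25),
        ("Internet -> info server, port 80", internet_host, str(INFO_SERVER), 80),
        ("Internet -> info server, port 22", internet_host, str(INFO_SERVER), 22),
        ("private host -> Internet directly, port 80", private_host, internet_host, 80),
        ("private host -> bastion proxy, port 3128", private_host, str(BASTION), 3128),
        ("bastion -> private host, port 110", str(BASTION), private_host, 110),
        ("info server -> private host, port 110", str(INFO_SERVER), private_host, 110),
    ]
    for label, s, d, p in cases:
        blocked = traverse(s, d, p)
        print(f"{label}: {'delivered' if blocked is None else 'rejected by ' + blocked}")
```

The last two cases show the second line of defense the text describes: a host in the DMZ other than the bastion cannot reach the private network even after the exterior router has been passed.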
References:

[1] 3Com Technical Papers. Internet Firewalls and Security, A Technology Overview.
[2] Dragana Vasic. Network Security And Internet Firewalls, An Information Technology Master's Project.
[3] Bellovin, S. M. Security Problems in the TCP/IP Protocol Suite. Computer Communication Review, Vol. 19, No. 2 (1989).
[4] Bellovin, S. M. and Cheswick, W. R. Network Firewalls. IEEE Communication Magazine, Vol. 32, No. 9 (1994).
[5] Muftic, S. Security Mechanisms for Computer Networks. Chichester, England: Ellis Horwood Limited.
[6] Chapman, D. B. Network (In)Security Through IP Packet Filtering. Proceedings of the Third Usenix UNIX Security Symposium, Baltimore, MD, Sept.
[7] Chapman, D. B. and Zwicky, E. D. Building Internet Firewalls. Sebastopol, CA: O'Reilly & Associates, Inc.
[8] Simonds, F. Network Security: Data and Voice Communications. New York: McGraw-Hill.
[9] Siyan, K. and Hare, C. Internet Firewalls and Network Security. Indianapolis, IN: New Riders Publishing.
[10] Mischler, D. F. IPRoute PC-based Router V0.97 White Paper.
[11] John Wack, Ken Cutler, Jamie Pole. Guidelines on Firewalls and Firewall Policy, NIST Special Publication.


More information

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams

More information

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall. Firewalls 1 Firewalls Idea: separate local network from the Internet Trusted hosts and networks Firewall Intranet Router DMZ Demilitarized Zone: publicly accessible servers and networks 2 1 Castle and

More information

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection. A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules. Firewalls can be categorized by their location on the network: A network-based

More information

Firewalls CSCI 454/554

Firewalls CSCI 454/554 Firewalls CSCI 454/554 Why Firewall? 1 Why Firewall (cont d) w now everyone want to be on the Internet w and to interconnect networks w has persistent security concerns n can t easily secure every system

More information

Firewalls (IPTABLES)

Firewalls (IPTABLES) Firewalls (IPTABLES) Objectives Understand the technical essentials of firewalls. Realize the limitations and capabilities of firewalls. To be familiar with iptables firewall. Introduction: In the context

More information

SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab 9940313 March 04, 2004

SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab 9940313 March 04, 2004 SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab 9940313 March 04, 2004 Introduction: A computer firewall protects computer networks from unwanted intrusions which could compromise confidentiality

More information

Firewall Design Principles Firewall Characteristics Types of Firewalls

Firewall Design Principles Firewall Characteristics Types of Firewalls Firewall Design Principles Firewall Characteristics Types of Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for these slides. Fall 2008

More information

Fig. 4.2.1: Packet Filtering

Fig. 4.2.1: Packet Filtering 4.2 Types of Firewalls /DKo98/ FIREWALL CHARACTERISTICS 1. All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by physically blocking all access to the

More information

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls CSE 4482 Computer Security Management: Assessment and Forensics Protection Mechanisms: Firewalls Instructor: N. Vlajic, Fall 2013 Required reading: Management of Information Security (MIS), by Whitman

More information

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks

More information

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device Ch.9 Firewalls and Intrusion Prevention Systems Firewalls: effective means of protecting LANs Internet connectivity is essential for every organization and individuals introduces threats from the Internet

More information

Firewalls. Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49. Firewall Design Principles

Firewalls. Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49. Firewall Design Principles Firewalls Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49 1 Firewall Design Principles Firewall Characteristics Types of Firewalls Firewall Configurations

More information

ΕΠΛ 674: Εργαστήριο 5 Firewalls

ΕΠΛ 674: Εργαστήριο 5 Firewalls ΕΠΛ 674: Εργαστήριο 5 Firewalls Παύλος Αντωνίου Εαρινό Εξάμηνο 2011 Department of Computer Science Firewalls A firewall is hardware, software, or a combination of both that is used to prevent unauthorized

More information

Firewalls. Chapter 3

Firewalls. Chapter 3 Firewalls Chapter 3 1 Border Firewall Passed Packet (Ingress) Passed Packet (Egress) Attack Packet Hardened Client PC Internet (Not Trusted) Hardened Server Dropped Packet (Ingress) Log File Internet Border

More information

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services Firewalls What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services only authorized traffic is allowed Auditing and

More information

What would you like to protect?

What would you like to protect? Network Security What would you like to protect? Your data The information stored in your computer Your resources The computers themselves Your reputation You risk to be blamed for intrusions or cyber

More information

Firewalls. Mahalingam Ramkumar

Firewalls. Mahalingam Ramkumar Firewalls Mahalingam Ramkumar Evolution of Networks Centralized data processing LANs Premises network interconnection of LANs and mainframes Enterprise-wide network interconnection of LANs in a private

More information

Overview. Firewall Security. Perimeter Security Devices. Routers

Overview. Firewall Security. Perimeter Security Devices. Routers Overview Firewall Security Chapter 8 Perimeter Security Devices H/W vs. S/W Packet Filtering vs. Stateful Inspection Firewall Topologies Firewall Rulebases Lecturer: Pei-yih Ting 1 2 Perimeter Security

More information

Network Defense Tools

Network Defense Tools Network Defense Tools Prepared by Vanjara Ravikant Thakkarbhai Engineering College, Godhra-Tuwa +91-94291-77234 www.cebirds.in, www.facebook.com/cebirds ravikantvanjara@gmail.com What is Firewall? A firewall

More information

Guideline on Firewall

Guideline on Firewall CMSGu2014-02 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Firewall National Computer Board Mauritius Version 1.0 June

More information

Computer Security: Principles and Practice

Computer Security: Principles and Practice Computer Security: Principles and Practice Chapter 9 Firewalls and Intrusion Prevention Systems First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Firewalls and Intrusion

More information

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ PAVING THE PATH TO THE ELIMINATION A RSACCESS WHITE PAPER 1 The Traditional Role of DMZ 2 The Challenges of today s DMZ deployments 2.1 Ensuring the Security of Application and Data Located in the DMZ

More information

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasakh10/

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasakh10/ Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasakh10/ Fall 2010 Sonja Buchegger buc@kth.se Lecture 6, Nov. 10, 2010 Firewalls, Intrusion Prevention, Intrusion Detection

More information

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues CS 155 May 20, 2004 Firewalls Basic Firewall Concept Separate local area net from internet Firewall John Mitchell Credit: some text, illustrations from Simon Cooper Router All packets between LAN and internet

More information

CSCI 7000-001 Firewalls and Packet Filtering

CSCI 7000-001 Firewalls and Packet Filtering CSCI 7000-001 Firewalls and Packet Filtering November 1, 2001 Firewalls are the wrong approach. They don t solve the general problem, and they make it very difficult or impossible to do many things. On

More information

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module CS 665: Computer System Security Network Security Bojan Cukic Lane Department of Computer Science and Electrical Engineering West Virginia University 1 Usage environment Anonymity Automation, minimal human

More information

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας Department of Computer Science Firewalls A firewall is hardware, software, or a combination of both that is used to prevent unauthorized Internet users

More information

Firewalls Overview and Best Practices. White Paper

Firewalls Overview and Best Practices. White Paper Firewalls Overview and Best Practices White Paper Copyright Decipher Information Systems, 2005. All rights reserved. The information in this publication is furnished for information use only, does not

More information

Firewall Security. Presented by: Daminda Perera

Firewall Security. Presented by: Daminda Perera Firewall Security Presented by: Daminda Perera 1 Firewalls Improve network security Cannot completely eliminate threats and a=acks Responsible for screening traffic entering and/or leaving a computer network

More information

Introduction of Intrusion Detection Systems

Introduction of Intrusion Detection Systems Introduction of Intrusion Detection Systems Why IDS? Inspects all inbound and outbound network activity and identifies a network or system attack from someone attempting to compromise a system. Detection:

More information

83-10-40 Firewalls: An Effective Solution for Internet Security E. Eugene Schultz Payoff

83-10-40 Firewalls: An Effective Solution for Internet Security E. Eugene Schultz Payoff 83-10-40 Firewalls: An Effective Solution for Internet Security E. Eugene Schultz Payoff Firewalls are an effective method of reducing the possibility of network intrusion by attackers. The key to successful

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 6 Network Security Objectives List the different types of network security devices and explain how they can be used Define network

More information

Firewalls, IDS and IPS

Firewalls, IDS and IPS Session 9 Firewalls, IDS and IPS Prepared By: Dr. Mohamed Abd-Eldayem Ref.: Corporate Computer and Network Security By: Raymond Panko Basic Firewall Operation 2. Internet Border Firewall 1. Internet (Not

More information

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall Chapter 2: Security Techniques Background Chapter 3: Security on Network and Transport Layer Chapter 4: Security on the Application Layer Chapter 5: Security Concepts for Networks Firewalls Intrusion Detection

More information

CS5008: Internet Computing

CS5008: Internet Computing CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is

More information

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall Figure 5-1: Border s Chapter 5 Revised March 2004 Panko, Corporate Computer and Network Security Copyright 2004 Prentice-Hall Border 1. (Not Trusted) Attacker 1 1. Corporate Network (Trusted) 2 Figure

More information

How To Understand A Firewall

How To Understand A Firewall Module II. Internet Security Chapter 6 Firewall Web Security: Theory & Applications School of Software, Sun Yat-sen University Outline 6.1 Introduction to Firewall What Is a Firewall Types of Firewall

More information

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls CS426 Fall 2010/Lecture 36 1 Announcements There will be a quiz on Wed There will be a guest lecture on Friday, by Prof. Chris Clifton

More information

SonicWALL PCI 1.1 Implementation Guide

SonicWALL PCI 1.1 Implementation Guide Compliance SonicWALL PCI 1.1 Implementation Guide A PCI Implementation Guide for SonicWALL SonicOS Standard In conjunction with ControlCase, LLC (PCI Council Approved Auditor) SonicWall SonicOS Standard

More information

Security threats and network. Software firewall. Hardware firewall. Firewalls

Security threats and network. Software firewall. Hardware firewall. Firewalls Security threats and network As we have already discussed, many serious security threats come from the networks; Firewalls The firewalls implement hardware or software solutions based on the control of

More information

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM Okumoku-Evroro Oniovosa Lecturer, Department of Computer Science Delta State University, Abraka, Nigeria Email: victorkleo@live.com ABSTRACT Internet security

More information

CSCE 465 Computer & Network Security

CSCE 465 Computer & Network Security CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Firewall 1 Basic firewall concept Roadmap Filtering firewall Proxy firewall Network Address Translation

More information

INTRODUCTION TO FIREWALL SECURITY

INTRODUCTION TO FIREWALL SECURITY INTRODUCTION TO FIREWALL SECURITY SESSION 1 Agenda Introduction to Firewalls Types of Firewalls Modes and Deployments Key Features in a Firewall Emerging Trends 2 Printed in USA. What Is a Firewall DMZ

More information

What is Firewall? A system designed to prevent unauthorized access to or from a private network.

What is Firewall? A system designed to prevent unauthorized access to or from a private network. What is Firewall? A system designed to prevent unauthorized access to or from a private network. What is Firewall? (cont d) Firewall is a set of related programs, located at a network gateway server. Firewalls

More information

Networking for Caribbean Development

Networking for Caribbean Development Networking for Caribbean Development BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n o g. o r g N E T W O R K I N G F O R C A R I B B E A N D E V E L O P M E N T BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n

More information

WatchGuard Technologies, Inc. 505 Fifth Avenue South Suite 500, Seattle, WA 98104 www.watchguard.com

WatchGuard Technologies, Inc. 505 Fifth Avenue South Suite 500, Seattle, WA 98104 www.watchguard.com SMALL BUSINESS NETWORK SECURITY GUIDE WHY A REAL FIREWALL PROVIDES THE BEST NETWORK PROTECTION AUGUST 2004 SMALL BUSINESS NETWORK SECURITY GUIDE: WHY A REAL FIREWALL PROVIDES THE BEST NETWORK PROTECTION

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls

More information

Intranet, Extranet, Firewall

Intranet, Extranet, Firewall Indian Institute of Technology Kharagpur Intranet, Extranet, Firewall Prof. Indranil Sen Gupta Dept. of Computer Science & Engg. I.I.T. Kharagpur, INDIA Lecture 31: Intranet, Extranet, Firewall On completion,

More information

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network. Architecture The policy discussed suggests that the network be partitioned into several parts with guards between the various parts to prevent information from leaking from one part to another. One part

More information

Cornerstones of Security

Cornerstones of Security Internet Security Cornerstones of Security Authenticity the sender (either client or server) of a message is who he, she or it claims to be Privacy the contents of a message are secret and only known to

More information

Chapter 15. Firewalls, IDS and IPS

Chapter 15. Firewalls, IDS and IPS Chapter 15 Firewalls, IDS and IPS Basic Firewall Operation The firewall is a border firewall. It sits at the boundary between the corporate site and the external Internet. A firewall examines each packet

More information

VPN. Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu

VPN. Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu VPN Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu What is VPN? A VPN (virtual private network) is a private data network that uses public telecommunicating infrastructure (Internet), maintaining

More information

Firewall Architecture

Firewall Architecture NEXTEP Broadband White Paper Firewall Architecture Understanding the purpose of a firewall when connecting to ADSL network services. A Nextep Broadband White Paper June 2001 Firewall Architecture WHAT

More information

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting Network Security: 30 Questions Every Manager Should Ask Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting Network Security: 30 Questions Every Manager/Executive Must Answer in Order

More information

Application Firewalls

Application Firewalls Application Moving Up the Stack Advantages Disadvantages Example: Protecting Email Email Threats Inbound Email Different Sublayers Combining Firewall Types Firewalling Email Enforcement Application Distributed

More information

3. Firewall Evaluation Criteria

3. Firewall Evaluation Criteria Firewall Management Prep. drd. Radu Constantinescu Academy of Economics Studies, Bucharest ABSTRACT Network connectivity can be both a blessing and a curse. On the one hand, network connectivity can enable

More information

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA To purchase Full version of Practice exam click below; http://www.certshome.com/jk0-022-practice-test.html FOR CompTIA JK0-022 Exam Candidates

More information

HANDBOOK 8 NETWORK SECURITY Version 1.0

HANDBOOK 8 NETWORK SECURITY Version 1.0 Australian Communications-Electronic Security Instruction 33 (ACSI 33) Point of Contact: Customer Services Team Phone: 02 6265 0197 Email: assist@dsd.gov.au HANDBOOK 8 NETWORK SECURITY Version 1.0 Objectives

More information

Network Security Topologies. Chapter 11

Network Security Topologies. Chapter 11 Network Security Topologies Chapter 11 Learning Objectives Explain network perimeter s importance to an organization s security policies Identify place and role of the demilitarized zone in the network

More information

Firewalls. Ahmad Almulhem March 10, 2012

Firewalls. Ahmad Almulhem March 10, 2012 Firewalls Ahmad Almulhem March 10, 2012 1 Outline Firewalls The Need for Firewalls Firewall Characteristics Types of Firewalls Firewall Basing Firewall Configurations Firewall Policies and Anomalies 2

More information

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY IT FIREWALL POLICY TABLE OF CONTENT 1. INTRODUCTION... 3 2. TERMS AND DEFINITION... 3 3. PURPOSE... 5 4. SCOPE... 5 5. POLICY STATEMENT... 5 6. REQUIREMENTS... 5 7. OPERATIONS... 6 8. CONFIGURATION...

More information

Firewalls and Network Defence

Firewalls and Network Defence Firewalls and Network Defence Harjinder Singh Lallie (September 12) 1 Lecture Goals Learn about traditional perimeter protection Understand the way in which firewalls are used to protect networks Understand

More information

Internet Security for Small to Medium Sized Businesses

Internet Security for Small to Medium Sized Businesses Internet Security for Small to Medium Sized Businesses AN INTERNET SECURITY GUIDE FOR EVERY BUSINESS DOCUMENT VERSION 1.2 - OCTOBER 2002 COMPLIMENTS OF POWERWALLZ NETWORK SECURITY INC. 3 Introduction INTERNET

More information

Firewalls. ITS335: IT Security. Sirindhorn International Institute of Technology Thammasat University ITS335. Firewalls. Characteristics.

Firewalls. ITS335: IT Security. Sirindhorn International Institute of Technology Thammasat University ITS335. Firewalls. Characteristics. ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 25 October 2013 its335y13s2l08, Steve/Courses/2013/s2/its335/lectures/firewalls.tex,

More information

Firewalls. Contents. ITS335: IT Security. Firewall Characteristics. Types of Firewalls. Firewall Locations. Summary

Firewalls. Contents. ITS335: IT Security. Firewall Characteristics. Types of Firewalls. Firewall Locations. Summary 2 : IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 25 October 2013 its335y13s2l08, Steve/Courses/2013/s2/its335/lectures/firewalls.tex, r2958

More information

Intro to Firewalls. Summary

Intro to Firewalls. Summary Topic 3: Lesson 2 Intro to Firewalls Summary Basic questions What is a firewall? What can a firewall do? What is packet filtering? What is proxying? What is stateful packet filtering? Compare network layer

More information

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB Conducted: 29 th March 5 th April 2007 Prepared By: Pankaj Kohli (200607011) Chandan Kumar (200607003) Aamil Farooq (200505001) Network Audit Table of

More information

Firewalls and Intrusion Detection

Firewalls and Intrusion Detection Firewalls and Intrusion Detection What is a Firewall? A computer system between the internal network and the rest of the Internet A single computer or a set of computers that cooperate to perform the firewall

More information

Linux Network Security

Linux Network Security Linux Network Security Course ID SEC220 Course Description This extremely popular class focuses on network security, and makes an excellent companion class to the GL550: Host Security course. Protocols

More information

Cryptography and network security

Cryptography and network security Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network from the Internet Trusted hosts and networks Firewall Intranet Router DMZ Demilitarized Zone: publicly accessible

More information

Firewall Configuration. Firewall Configuration. Solution 9-314 1. Firewall Principles

Firewall Configuration. Firewall Configuration. Solution 9-314 1. Firewall Principles Configuration Configuration Principles Characteristics Types of s Deployments Principles connectivity is a common component of today s s networks Benefits: Access to wide variety of resources Exposure

More information

SOFTWARE ENGINEERING 4C03. Computer Networks & Computer Security. Network Firewall

SOFTWARE ENGINEERING 4C03. Computer Networks & Computer Security. Network Firewall SOFTWARE ENGINEERING 4C03 Computer Networks & Computer Security Network Firewall HAO WANG #0159386 Instructor: Dr. Kartik Krishnan Mar.29, 2004 Software Engineering Department of Computing and Software

More information

7. Firewall - Concept

7. Firewall - Concept 7. - Concept ค อ อ ปกรณ Hardware หร อ Software ซ งถ กต ดต ง เพ อ อน ญาต (permit), ปฏ เสธ(deny) หร อ เป นต วแทน(proxy data) ให ผ านไปย งเคร อข ายท ม ระด บความเช อถ อต างก น 7. - Concept components Network

More information

20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7

20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7 20-CS-6053-00X Network Security Spring, 2014 An Introduction To Network Security Week 1 January 7 Attacks Criminal: fraud, scams, destruction; IP, ID, brand theft Privacy: surveillance, databases, traffic

More information

Chapter 20 Firewalls. Cryptography and Network Security Chapter 22. What is a Firewall? Introduction 4/19/2010

Chapter 20 Firewalls. Cryptography and Network Security Chapter 22. What is a Firewall? Introduction 4/19/2010 Cryptography and Network Security Chapter 22 Fifth Edition by William Stallings Chapter 20 Firewalls The function of a strong position is to make the forces holding it practically unassailable On O War,

More information