AN AUDIT AND RISK HANDLING PROTOTYPE FOR FIREWALL TECHNOLOGY. by ESTÉE VAN DER WALT DISSERTATION


AN AUDIT AND RISK HANDLING PROTOTYPE FOR FIREWALL TECHNOLOGY
by ESTÉE VAN DER WALT
DISSERTATION submitted in compliance with the requirements for the degree MAGISTER SCIENTIAE in the subject of COMPUTER SCIENCE in the FACULTY OF SCIENCE at the RAND AFRIKAANS UNIVERSITY
Supervisor: PROF. J.H.P. ELOFF
JULY 2002

Abstract

Throughout the years, computer networks have grown in size and complexity. This growth has contributed to the need for network security. As more and more people use computers and the Internet, more confidential documents are kept on computers and sent to other locations over a network. To implement network security, the security administrator should first identify all the needs, resources, threats and risks of the organisation, to ensure that all areas of the network are covered by the network security policy. The network security policy contains, amongst others, the information security services needed for security within the organisation's network. These information security services can be implemented via many different security mechanisms, and firewalls are but one of them. Today, firewalls are implemented in most organisations for network security purposes. The author, however, feels that implementing only a firewall is not enough. Tools such as log file analysers and risk analysers can be added to firewall technology to investigate and analyse the current network security status further, for indications of network failure or of attacks that firewalls do not easily detect. Firewalls and these tools do, however, also have their own problems. Firewalls rarely use the information stored in their log files, and the risk handling services they provide are not very effective. Most analysis tools use only one form of log file as input and therefore report on only one aspect of the network's security. The output of firewalls is rarely user-friendly and often not real-time. Detecting security problems is consequently a very difficult task for any security administrator. To address these problems, the researcher has developed a prototype. The firewall analyser (FA) is a prototype of an analysis tool that performs log file and risk analysis of the organisation's underlying networks. Although the prototype represents only an example of the functionality that can be added to a firewall, it illustrates the necessity and value of implementing such a tool for network security purposes. The FA addresses the problems found in firewalls, log file analysers and risk analysis tools by reporting on the latest security status of the network through the use of a variety of log files. The FA uses not only the firewall log files as input but also Windows NT log files, and so covers a greater area of the network in its analysis. The real-time reports of the FA are user-friendly and aid the security administrator immensely in implementing and enforcing network security.

An audit and risk handling prototype for firewall technology Page ii

Opsomming (Afrikaans summary, translated)

Network security can become very complex, and more so where a variety of resources, networks and people are involved. As computers are used more and more, the amount of confidential information stored and sent over any form of network increases drastically. Network security is thus essential to the implementation and maintenance of a secure network. Before network security can be implemented, the security administrator must first identify all needs, resources, network threats and risks in the network. All areas of the network will then be covered by the network security policy. This security policy describes, amongst others, the security services that are needed in the network to ensure network security. These security services can be implemented through a variety of security mechanisms, of which firewalls are one. The author feels, however, that implementing only a firewall will not be enough for security purposes. Additional software, such as log file and risk analysers, can be used to examine the network status for any further indications of successful attacks and network failures that the firewall could not detect. Firewalls and the above-mentioned software are, however, not perfect either. Firewalls do not make sufficient use of the information contained in their log files, and the risk handling services are inadequate. Since most analysis software uses only one log file source, the reports are not always representative of the whole network. The reports are also very seldom user-friendly and mostly outdated. Detecting security problems is thus very difficult for any security administrator.

Following the problems mentioned above, the researcher developed a prototype to address them. This prototype is known as the firewall analyser (FA; VA in the Afrikaans text, for vuurmuur analiseerder). The FA delivers real-time, user-friendly reports. The FA also uses multiple log file sources in order to cover a greater area when examining network security. The security administrator is thus supported by the FA in implementing and maintaining the organisation's security policy.

TABLE OF CONTENTS

Chapter 1 Research objectives and overview
  1.1 Introduction
  1.2 Network security
  1.3 Terminology
  1.4 Research objectives
  1.5 Outline of the dissertation...6

Chapter 2 Firewalls within the context of network security
  2.1 Introduction
  2.2 Network security
  2.3 The identification process
  2.4 The network security policy
  2.5 Information security services (ISS)
    Identification and authentication
    Authorisation (logical access control)
    Confidentiality
    Data integrity
    Non-repudiation or non-denial
    Availability
    Audit
    Risk handling
  2.6 Network security mechanisms
    State-of-the-art security mechanisms...24
      a) Prevention mechanisms...24
      b) Detection mechanisms...26
      c) Recovery mechanisms
  2.7 Firewalls and network security
  2.8 Conclusion...27

Chapter 3 Firewalls
  3.1 Introduction
  3.2 Firewall definition...29
  3.3 The components of a firewall
  3.4 Firewall filtering techniques
    Old-generation filtering techniques...35
      a) Packet filtering...36
      b) Application-level gateway (proxy server)...37
      c) Circuit-level gateways
    New-generation firewall filters...39
      a) Stateful multi-layer inspection (SMLI)/stateful inspection firewall...39
      b) SOCKS
  3.5 Firewalls and ISS
    Identification and authentication
    Authorisation
    Confidentiality
    Integrity
    Non-repudiation
    Availability
    Audit
    Risk handling
  3.6 Conclusion...44

Chapter 4 Firewall logs
  4.1 Introduction
  4.2 Log files
    Network log files [INNO98]
    Application log files [INNO98]
    A combination of both
  4.3 Log file analysers
    Application log file analysers
    Network log file analysers
    Combined log file analysers
  4.4 Firewall log file analysers
  4.5 The audit ISS
  4.6 The risk handling ISS...54
  4.7 Firewall risk analyser
  4.8 Conclusion...56

Chapter 5 A conceptual model
  5.1 Introduction
  5.2 The concept
  5.3 Firewall analyser (FA)
  5.4 Conclusion...64

Chapter 6 The FA: A prototype
  6.1 Introduction
  6.2 Scenario
    Without the FA
    With an FA
  6.3 The FA
    The start-up screen
    Configuration screens
  6.4 The FA reports
    A firewall log file report
    Network analysis reports...76
      a) Traffic reports...77
      b) Connection reports...79
      c) WWW statistic reports
    Risk analysis reports
  6.5 Summary...87

Chapter 7 Technical working of prototype
  7.1 Introduction
  7.2 Components of the FA
    7.2.1 Configuration
    7.2.2 Management
    7.2.3 Log report
    7.2.4 Network analysis
    7.2.5 Risk analysis...95
    7.2.6 Timer
  7.3 Conclusion...97

Chapter 8 Summary
  8.1 Introduction
  8.2 The prototype
  8.3 Future research

Appendix A References

Appendix B Article
  B.1 Introduction
  B.2 Related work
  B.3 The Firewall Analyser (FA)
  B.4 Log analysis
  B.5 Risk analysis
  B.6 Conclusion and future work
  B.7 Resources

Appendix C Source code methods
  C.1 The configuration module methods
  C.2 Management module methods
  C.3 The Timer module methods
  C.4 Log report module methods
  C.5 Network analysis module methods
  C.6 Risk analysis module methods

Appendix D The FA on the Internet
  D.1 The dissertation
  D.2 The FA's source code
  D.3 The FA executable

LIST OF FIGURES

Figure 1.2: A road map of the dissertation...7
Figure 3.1: Firewall positioning...31
Figure 3.2: The components of a firewall...34
Figure 3.3: Packet filtering firewall...37
Figure 3.4: Application-level firewall...38
Figure 3.5: Circuit-level gateways...39
Figure 3.6: An example of a firewall rule...41
Figure 3.7: Confidentiality in a VPN...42
Figure 3.8: Integrity in a VPN...43
Figure 3.9: Non-repudiation and firewalls...43
Figure 4.1: An example of a network log file...47
Figure 4.2: An example of an application log file...48
Figure 4.3: An example of a firewall log file...49
Figure 4.4: Logging in firewalls...52
Figure 5.1: Our home environment...58
Figure 5.2: The Internet environment...60
Figure 5.3: The position of the FA...62
Figure 5.4: The main components of the FA...64
Figure 6.1: Scenario without an FA...67
Figure 6.2: Output of the firewall...69
Figure 6.3: Scenario with an FA...70
Figure 6.4: The splash screen...71
Figure 6.5: Path configuration screen...72
Figure 6.6: Knowledge base configuration...73
Figure 6.7: FA's main screen...75
Figure 6.8: A firewall log file report...76
Figure 6.9: Bytes-sent-and-received network analysis report...78
Figure 6.10: Interface-activity network analysis report...79
Figure 6.11: Interface-per-protocol network analysis report...80
Figure 6.12: Protocols-during-the-day network analysis report...81
Figure 6.13: Top-5-web-sites network analysis report...82
Figure 6.14: Http-risk-per-hour report...84
Figure 6.15: Protocol-risk-per-hour graph...85
Figure 6.16: The login-risk report...86
Figure 7.1: The FA components...90
Figure 7.2: An example of the declaration of risk values...92
Figure 8.1: Improved FA architecture
Figure B.1: Current firewall loopholes
Figure B.2: The FA components
Figure B.3: User-per-protocol analysis graph
Figure B.4: Http-risk-per-hour graph
Figure B.5: The login-risk report
Figure B.6: Solution to the firewall loopholes
Figure B.7: Improved FA architecture

LIST OF TABLES

Table 3.1: Internet information security services vs. firewall components...35
Table 7.1: Information needed vs. the graphical visualisation provided...94
Table 7.2: Information needed vs. the graphical visualisation provided...96
Table B.1: Tools vs. functionality

CHAPTER 1 Research objectives and overview

1.1 Introduction

The need for reliable, available, fast and secure electronic resources plays a very important part in the management, design and success of an organisation. Most organisations have at least one intranet that connects printers, computers, servers, telephone systems and fax machines inside the organisation to create a more efficient and reliable working environment. Remote locations are connected via an extranet. The extranet combines the local and remote resources of the organisation into one large virtual network that is available from anywhere inside the organisation's infrastructure. Organisations also connect to the Internet on a daily basis and explore the features and applications that the Internet offers by communicating via e-mail, searching for information on the Internet and downloading software from the Internet [PAGU96]. The Internet can be seen as a combination of the networks of different organisations into one large global network that contains an unimaginably large amount of information and other electronic resources. It is thus evident that many people have access to some form of networked information or resource, and that networks are more vulnerable to internal or external attacks, break-ins and viruses than ever before. A need to see who can break into the most secure and high-profile organisation's network has also arisen within a certain group of people more commonly known as hackers.

Not only are an organisation's resources at stake, but personal workstations are also under attack [HUMM00], because employees are doing more and more work from home. The security of personal workstations is, however, beyond the scope of this dissertation; the focus will rather be on attacks made on the resources within the close perimeter of the organisation itself and on securing those resources.

Network security plays a major role in securing the logical assets and resources of an organisation. Without proper network security in place, the organisation's assets and resources are always vulnerable to attack and the organisation could lose millions. Network security therefore needs to play a very important role in the infrastructure of the organisation's IT department as well as of any other department.

1.2 Network security

Different forms of network security have already been developed to offer protection against the threats mentioned above. People have, for example, been taught how to keep their information safe using passwords and how to protect their computers against both malicious and accidental activities. Some network security mechanisms include the use of firewalls, where the information and resources inside an organisation are protected from the outside through filters, virus detectors and data stream regulators.

The implementation of network security is very complex and it is therefore carried out as a series of smaller steps:

During the first step, security-related issues are identified: for example the need for security, the threats to resources and the risks involved in having a non-secure or partially secure system. This is done via surveys, brainstorming and questioning of the appropriate personnel.

The identification step is followed by the development of a network security policy. The network security policy must provide strategies on how to handle, minimise or even eliminate the threats that put the network and resources in danger of a security breach. The network security policy must also identify the information security services needed in the organisation's network, and must have the support and full commitment of management and of all the employees within the organisation.

In the last step the necessary information security services are implemented. Security mechanisms, for example firewalls and password protection mechanisms, are then used to implement some of the required information security services.

It is these information security services that are the central point of network security. Without them there is no network security. It is thus crucial that all the information security services are defined within the network security policy and consequently implemented on the network.

1.3 Terminology

The following terms and concepts will be used throughout this dissertation:

Network security
Network security is the term used to describe securing any electronic network of an organisation against events that are either accidental, for example the loss of information owing to a fire or earthquake, or pre-planned with the intent to do something mischievous, for example hacking into the organisation's network from an Internet cafe.

Hackers
Some people attack the network with specific intentions. These people can be divided into three groups: hackers, crackers and phreakers. Hackers break into a network just to get access, whereas crackers break into a network with the intention of stealing, breaking or damaging network information and resources. Phreakers, on the other hand, break into telephone lines with the intention of stealing from, breaking or damaging telephone systems. In this dissertation, the term hacker will be used to refer to any person attacking an organisation's network or posing a threat to it.

Security administrator
An administrator is someone who manages the computer networks of the organisation, whether it is to install the firewall or network, maintain the firewall or network, install the necessary software on workstations or implement the defined network security policy. The term security administrator will be used throughout this dissertation to describe any type of administrator responsible for implementing network security.

Firewalls
A firewall is software or hardware implemented within the organisation's network. It is the firewall's responsibility to protect the organisation's network against a wide variety of attacks originating from within or outside that network. The term firewall will not refer to any personal firewall [HUMM00] in this dissertation, as enforcing and implementing security on a personal workstation is beyond its scope.

ISS
The term ISS will be used to refer to the information security services discussed throughout this dissertation that are valuable for ensuring network security.

Firewall analyser (FA)
The FA is the term used for the prototype developed in this dissertation. The FA provides a solution to some of the current voids or gaps in network security.

1.4 Research objectives

Firewall technology is one of the security mechanisms that can be implemented to secure the organisation's network against the known network security threats. However, firewalls also have problems.

Problem 1: Individual threats are overlooked and the objective is only to protect the network as a whole.
A problem currently experienced in the industry is that firewalls are implemented to protect the network of an organisation as a whole, and the individual network threats are overlooked. The firewall consequently does not really provide the necessary protection against these individual attacks.

Problem 2: No differentiation between ISS.
Owing to the inherent complexity of security, it has to be viewed as a collection of different security services and not as one large service (the firewall) on its own. This means that a firewall should implement some of the defined ISS according to the organisation's needs. The assumption should never be made that a firewall automatically implements the necessary and expected network security. Organisations must be able to answer questions such as the following: Does the firewall provide a confidentiality and integrity service? Can the data produced by the firewall be used in a dispute about non-denial (non-repudiation)?

Problem 3: The information in the log files is not used fully.
Another major problem with current firewall technology lies in the logging of activities on the firewall. Firewalls often provide enough information about network activities, but this information is not used, owing to the lack of proper firewall management information systems.

Problem 4: Analysis covers only a specific part of the network.
Log file and risk analysis tools use archived log file information to inspect the current network status. These tools seldom use multiple input sources, which leads to reports covering only a specific part of the organisation's network. This leaves other network areas vulnerable to attack.

Problem 5: Reports are not user-friendly.
The reports produced by log file and risk analysis tools are not very user-friendly. It is thus sometimes difficult for the security administrator to detect possible network security problems.

The objective of this dissertation is to show the importance of network security and of the individual ISS offered via a firewall, which addresses problems 1 and 2. A prototype has also been developed in support of this objective, providing a solution to problems 3 to 5. It will be shown how the FA makes effective use of the information in the firewall's log files to produce real-time, user-friendly reports that cover the whole network and all aspects of network security.

1.5 Outline of the dissertation

Here follows a brief summary of the rest of the dissertation (depicted in figure 1.2):

Chapter 2 Firewalls within the context of network security
We have established that security is a very important feature of any network. In this chapter the concept of network security is discussed to illustrate the place of firewalls within the context of network security.

Chapter 3 Firewalls
In this chapter, firewalls as one of the network security mechanisms are discussed in detail. The different components and their functionality lead the discussion into a definition of the different firewall filtering techniques. The ISS that the firewall implements are defined to indicate the value of the firewall as a network security mechanism.

[Figure 1.2: A road map of the dissertation (figure not reproduced). Its boxes are labelled Chapter 1 Introduction, Chapter 2 Firewalls within the context of network security, Chapter 3 Firewalls, Chapter 4 Firewall logs, Chapter 5 A conceptual model, Chapter 6 The FA: A prototype, Chapter 7 Technical working of prototype and Chapter 8 Summary, with the regions Organisation's network, Firewall, The Internet and The prototype.]

Chapter 4 Firewall logs
A detailed discussion of the audit and risk handling ISS is provided, with the focus on firewalls as the primary network security mechanism. How a firewall can use its log files to implement the audit ISS is discussed; the log files can, for example, be used to determine network activity and the use of certain applications and resources. The concept of the risk analysis ISS is also explained. These concepts are expanded into a detailed analysis of log file and risk analysers.

Chapter 5 A conceptual model
In this chapter the problems with current network security are demonstrated by means of a practical example. A brief summary is provided of the prototype (FA) developed to improve network security and facilitate the tasks of the security administrator.

Chapter 6 The firewall analyser: A prototype
After the explanation of and introduction to network security, firewalls, audit and risk analysis, this chapter gives a detailed discussion of the prototype developed to improve the status of network security. The components of the FA and their functionality are discussed. The chapter concludes with the FA's graphical user interface and a description of each screen and its corresponding function.

Chapter 7 Technical working of prototype
This chapter expands on the previous chapter by providing a technical specification of the different components of the FA. A detailed analysis of all the log file information required for generating the different FA reports is provided.

Chapter 8 Summary
This chapter provides a brief review of the dissertation. A summary of network security, firewalls and the FA is given. To conclude the dissertation, the researcher gives her thoughts on future research possibilities in the field of log file and risk analysers to improve network security.

APPENDICES

Appendix A The references
A list of all the references used in the dissertation.

Appendix B The article
The article written as part of the research for the dissertation.

Appendix C The source code methods
A summary of the FA's Visual Basic 6.0 source code. The actual source code can be downloaded from the Internet, as described in Appendix D.

Appendix D The FA on the Internet
Instructions for downloading the source code and an executable of the FA. These instructions include the steps for installing and running the executable.
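To make problems 3 to 5 of paragraph 1.4 concrete before the discussion moves on, here is an added example of the kind of combined log file and risk analysis the FA performs (chapters 4 to 7). It is written for this page in Python and is not the FA's Visual Basic 6.0 code. It reads constructed firewall log lines and constructed Windows NT logon events, correlates them by hour, and produces per-hour protocol counts, bytes per host, a top-sites list, a risk-per-hour score and a login-risk report in the spirit of figures 6.9 to 6.16. The line layout of both logs, the SERVICE_BY_PORT mapping and the numbers in RISK_BASE, DENY_PENALTY and FAILED_LOGIN_RISK are assumptions for illustration only; the dissertation's own risk values (figure 7.2) are not reproduced here.

```python
from collections import Counter, defaultdict

# Constructed sample firewall log. Assumed one-record-per-line layout:
#   <timestamp> <action> <protocol> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <bytes>
SAMPLE_FIREWALL_LOG = """\
2002-07-01T08:05:12 ACCEPT TCP 10.0.0.5:1034 -> 192.0.2.10:80 1520
2002-07-01T08:07:40 ACCEPT TCP 10.0.0.7:1100 -> 192.0.2.10:80 980
2002-07-01T08:09:03 ACCEPT TCP 10.0.0.5:1035 -> 192.0.2.20:80 2210
2002-07-01T08:15:51 DENY TCP 198.51.100.9:4411 -> 10.0.0.1:23 60
2002-07-01T09:02:17 ACCEPT TCP 10.0.0.9:1200 -> 192.0.2.30:21 4096
2002-07-01T09:04:22 DENY TCP 198.51.100.9:4412 -> 10.0.0.1:23 60
2002-07-01T09:04:23 DENY TCP 198.51.100.9:4413 -> 10.0.0.1:23 60
2002-07-01T09:30:00 ACCEPT UDP 10.0.0.5:2000 -> 192.0.2.40:53 120
"""

# Constructed sample Windows NT security log (the FA's second input source).
# Assumed layout: <timestamp> <event_id> <user> <outcome>; 528 = logon, 529 = failed logon.
SAMPLE_NT_LOG = """\
2002-07-01T08:01:00 528 alice SUCCESS
2002-07-01T09:01:10 529 bob FAILURE
2002-07-01T09:01:14 529 bob FAILURE
2002-07-01T09:01:19 529 bob FAILURE
2002-07-01T09:05:00 528 bob SUCCESS
"""

# Assumed knowledge base: service per destination port and a risk value per service.
SERVICE_BY_PORT = {80: "HTTP", 21: "FTP", 23: "TELNET", 25: "SMTP", 53: "DNS"}
RISK_BASE = {"HTTP": 1, "FTP": 3, "TELNET": 5, "SMTP": 2, "DNS": 1, "OTHER": 2}
DENY_PENALTY = 2        # extra risk for each connection the firewall rejected
FAILED_LOGIN_RISK = 3   # extra risk for each failed NT logon (event 529)


def parse_firewall_log(text):
    """Split each firewall line into a record keyed by the fields the reports need."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, proto, src, _arrow, dst, nbytes = line.split()
        src_ip, _ = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        dport = int(dst_port)
        records.append({"hour": ts[11:13], "action": action, "proto": proto,
                        "src": src_ip, "dst": dst_ip, "dport": dport,
                        "bytes": int(nbytes),
                        "service": SERVICE_BY_PORT.get(dport, "OTHER")})
    return records


def parse_nt_log(text):
    """Split each NT logon line into an event record."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, outcome = line.split()
        events.append({"hour": ts[11:13], "event_id": int(event_id),
                       "user": user, "outcome": outcome})
    return events


def services_per_hour(records):
    """Protocols-during-the-day style report: service counts keyed by hour."""
    out = defaultdict(Counter)
    for r in records:
        out[r["hour"]][r["service"]] += 1
    return dict(out)


def bytes_per_host(records):
    """Bytes-sent style report: accepted bytes per internal source host."""
    total = Counter()
    for r in records:
        if r["action"] == "ACCEPT":
            total[r["src"]] += r["bytes"]
    return total


def top_sites(records, n=5):
    """Top-N-web-sites report: most visited HTTP destinations over accepted traffic."""
    hits = Counter(r["dst"] for r in records
                   if r["service"] == "HTTP" and r["action"] == "ACCEPT")
    return hits.most_common(n)


def risk_per_hour(records, events):
    """Risk-per-hour report: sum the knowledge-base risk of every firewall record,
    add the deny penalty, then add failed NT logons so both log sources count."""
    score = Counter()
    for r in records:
        score[r["hour"]] += RISK_BASE[r["service"]]
        if r["action"] == "DENY":
            score[r["hour"]] += DENY_PENALTY
    for e in events:
        if e["event_id"] == 529:
            score[e["hour"]] += FAILED_LOGIN_RISK
    return dict(score)


def login_risk(events, threshold=3):
    """Login-risk report: users with at least `threshold` failed logons."""
    failed = Counter(e["user"] for e in events if e["event_id"] == 529)
    return {u: n for u, n in failed.items() if n >= threshold}


def analyse(firewall_text=SAMPLE_FIREWALL_LOG, nt_text=SAMPLE_NT_LOG):
    """Run every report over both log sources and return them in one dictionary."""
    records = parse_firewall_log(firewall_text)
    events = parse_nt_log(nt_text)
    return {"services_per_hour": services_per_hour(records),
            "bytes_per_host": bytes_per_host(records),
            "top_sites": top_sites(records),
            "risk_per_hour": risk_per_hour(records, events),
            "login_risk": login_risk(events)}


if __name__ == "__main__":
    for name, value in analyse().items():
        print(name, value)
```

On the constructed input the 09:00 hour scores higher than 08:00 even though it carries less accepted traffic, because the repeated telnet denies and bob's three failed logons are added together; a tool that read only the firewall log would miss the logon half of that picture, which is the point of problem 4.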

CHAPTER 2 Firewalls within the context of network security

2.1 Introduction

After the birth of the computer, people's need for information and for sharing computer applications, resources and devices grew at an exponential rate. Users connected their computers and devices with some form of cable to be able to communicate with others, share information, use other users' applications or share devices and resources over the network. As time passed, more and more computers and devices were connected to form a vast and complex network.

The Internet has brought a whole new dimension to the concept of network security. Data and resources can now be shared from almost any location on the globe, provided there is some form of intelligent technology, for example a computer connected via satellite, optical cable or a normal telephone line, to this web of resources and data. With the radical increase in resources, people and networks connecting to the Internet, it has become very complicated to ensure the security of a network connected to the Internet.

The object of this chapter is to describe how network security is implemented. The process of implementing network security will first be described to create an understanding of where firewalls fit in. The remainder of the chapter provides an introduction to the firewall's place in network security.

2.2 Network security

Network security can be very complex. The bigger the network, the more complex network security gets. The security administrator thus has a very important and difficult role to fulfil. The implementation of network security can, however, be seen as a series of steps leading up to the management of a secure network. The first step is to identify all needs, resources, threats and risks within the organisation's network. This identification process is introduced in paragraph 2.3. After the identification process, a network security policy must be drawn up, as described in paragraph 2.4. This network security policy defines the ISS to be implemented for a secure network. The ISS are the central point of network security; without them no network security exists. Six standard ISS exist, but the author has added two extra services (audit and risk handling) that play an integral part in network security. These ISS are described in detail in paragraph 2.5. Their implementation via network security mechanisms is described in paragraph 2.6.

It should become clear through this discussion that the daunting task of implementing network security can be made easier by following a few steps. These steps lead to the definition of the ISS needed for network security, based on the needs and resources of the organisation.

2.3 The identification process

The first step in implementing network security is to identify all network-related assets in the organisation, for example the network printers, servers, workstations and cables. It is also necessary to identify the location of data on the network and to differentiate between the network assets of the separate network locations. All the findings are combined to get a holistic view of all the network assets of the organisation.

After this has been done, the threats to these resources can be identified, as well as the risks associated with possible successful attacks. A threat is something or someone that breaks through the security of the network and causes some form of damage to the organisation. A threat can come from inside or outside the organisation [PAGU96]. Internal threats, for example an employee within the organisation destroying important information, usually pose a greater risk to the organisation's network because it is more difficult to put the necessary security mechanisms in place to prevent these types of attacks. No threat can, however, be overlooked or deemed unimportant, as even the smallest successful attack could cause major damage to the organisation.

There are so many different kinds of network threats that they are usually divided into smaller categories containing similar types of threats. The next few paragraphs are an effort to categorise some of the main network attacks and threats into four main groups.

a) People can be a threat:

Hackers: These people attack the organisation's intranet or extranet for malicious purposes. These attacks can come from anywhere in the world. Hackers can, for example, use a captured password and user ID to pose as an employee of the company or as the user of a workstation, and thus gain unauthorised access without much hassle [WINK01].

Theft: Theft or manipulation of information is another type of attack. Most attackers try to obtain user IDs, passwords or other sensitive data, which is relatively easy to steal with the use of network sniffers [SIMO96].

Repudiation: A party to an online purchase denies that the transaction occurred or was authorised.

Employees: Employees can attack or try to get access to their organisation's network from their workstation at home via the Internet.

b) Applications not written with malicious intent can also be a threat:

Bugs or configuration problems: A bug in some software can, for example, provide unwanted access to the internal network or give sensitive information of the organisation to the people using the software, without the knowledge of the security administrator.

c) Attacks on a network via applications performing malicious activities:

Denial of service: This type of attack prevents a person from using his/her own computer and system. An intruder floods the system or network with messages, processes or network requests. A clever attacker can disable services, re-route them or even replace them with others [FEWI98].

Spoofing: A virtual intruder creates a fake site masquerading as the real one to steal data from unsuspecting customers or just to disrupt business [ECOM01].

Browser-side risks [W3OR01]: Active content that crashes the browser, damages the user's system, breaches the user's privacy or results in the misuse of personal information knowingly or unknowingly provided by the end-user. Code can be downloaded from a server to a browser and executed locally on the browser's host computer. This downloadable code may be an attempt to improperly access sensitive information and transfer it to the server [FEWI98]. The code may contain some form of logic bomb, virus or Trojan horse.

d) The threat of interception of data:

Data alteration: The content of an electronic commerce transaction can be altered en route. Network data sent from browser to server or vice versa can be intercepted via network eavesdropping. Eavesdroppers can operate from any point in the pathway between browser and server.

After all the network threats to an organisation's network have been identified, it is imperative to address these threats and provide a secure solution. This will be done through the development of a network security policy.

2.4 The network security policy

The network security policy should contain enough information on the users of the network, the resources (workstations, servers, printers), the access rights of the users, possible threats and the ISS that need to be implemented. The different ISS will be elaborated on in the next section of this chapter. The network security policy is combined with the security policies of other departments and with non-technical security policies to serve as a requirements document against which technical security solutions can be judged. It may also aid the security administrator's legal case should the administrator ever need to prosecute a security violation [W3OR01]. It must be kept in mind that the network security policy must be reviewed on a regular basis to ensure that it is up to date and in line with the organisation's current needs and infrastructure.

But what must the network security policy contain? The network security policy should contain information regarding the following areas [FARN00]:

- An introduction: The introduction will provide general information about the business of the organisation as well as the organisational structure of responsibility, or a definition of who is responsible for what in the organisation.
- Domain services: The authentication used to provide access to the local domain as well as the rules regarding the use of passwords. This area will also define what should be done with employees' passwords and domain access when they leave the organisation.
- E-mail systems: The authentication performed, the intrusion detection mechanisms used, the physical access procedures for the server, the backup of e-mail and the auditing of e-mail.

- Web servers: Here the rules regarding the use of internal and external web servers should be defined.
- Data servers: The intrusion protection mechanisms used, the physical access to data servers, the backups of these servers, auditing and disaster recovery of the data servers.
- Intranet/extranet: A definition of the mechanisms, for example modems, dial-in access or dial-out access, used for physical access into the networks. The backup of the data, auditing, content filtering and disaster recovery can also be described in this section.
- Firewalls: The implementation, auditing, intrusion detection, authentication and content filtering of the firewall.
- Security incident handling: The notification of an intrusion, identification of an incident, handling of an incident, the aftermath of an incident, legal implications and responsibilities for incidents.
- Contacts and mailing lists: The people to contact regarding certain areas of the network and security problems should also be defined.

The following is an example of how a network security policy might be defined for a big blue-chip organisation. The security administrator of the organisation would first have made a study of the needs, resources, threats and risks of the network, as defined in the first step of the network security process model at the beginning of this chapter. It was, for example, found that the organisation has servers to handle file transfers and e-mail. These servers can be accessed from anywhere on the web or from any local workstation within the organisation's different regional offices. The security administrator thereafter defined a network security policy to outline the rules by which all employees must abide to protect the defined extranet from threats and attacks. These rules will encompass the many different aspects of the use and misuse of the network and the Internet.

The network security policy will, for example, be as follows:

- Introduction: The introduction section will explain that the company is an investment bank with regional offices around the world. The different roles in the organisation and the responsibilities of each role are defined. The firewall administrator is, for example, responsible for the implementation, content filtering and intrusion detection on the firewall, whereas the IT manager is responsible for the auditing of the firewall.
- Domain services: Employee passwords must have a minimum length of 6 characters and must contain a combination of alphabetic and numeric characters. The password and the employee's domain name, given to them by the security administrator, will give them access to the network. When an employee leaves the organisation, their password and domain name will be deactivated within 5 working days.
- E-mail systems: Every employee will be given access to the e-mail server via his or her domain name and password. External access via the Internet will also be given to all management personnel. A backup of the e-mail server will be made on a weekly basis, in conjunction with the data server backups, whereas auditing of e-mail will only be performed when an employee is suspected of insider trading or of misusing e-mail for personal reasons.
- Web servers: The organisation only has a public web server that contains the web site of the organisation. Anyone can gain access to this information via the Internet. Access is provided via the firewall.
- Data servers: According to the position of an employee, he or she will gain access to certain data servers based on their domain name and password. Backups are performed on a weekly basis in conjunction with the mail servers. Intrusion detection and authentication will be performed via the firewall.
- Intranet/extranet: Dial-in access is given to the extranet of the organisation. The employee's domain name and password will provide access. The firewall is responsible for intrusion detection and the authentication of the user.

- Firewalls: The firewall is the main mechanism used for authentication and intrusion detection. It is thus very important that it is set up and implemented correctly. The firewall is set up to authenticate employees according to their domain name and password, and to give them access according to their position within the organisation. The IT manager audits the firewall on a monthly basis to determine any misuse of the network or the Internet.
- Security incident handling and contacts: All possible security incidents are reported to the appropriate managers, who in turn decide what action to take.

The network security policy will thus strike a balance between the security needed, the ability of the organisation to implement the necessary security features (for example, the funds available) and the security already in place. There are, however, no fixed rules for developing network security policies. The researcher believes that the final policy's content should give direction to how security should be implemented and not define exactly how this secure status should be achieved.

2.5 Information security services (ISS)

The last step in implementing network security is to implement the ISS needed for a secure network by using the appropriate network security mechanisms. The information security services are discussed in this section and the appropriate network security mechanisms in the next.

The ISO has defined six standard information security services for any type of network [ISOS00]: identification and authentication, authorisation, confidentiality, integrity, non-repudiation and availability. Two extra information security services have been added by the researcher to the ISO's list, namely audit and risk handling. These additions go hand in hand with the growing importance of network security. Audit, for example, provides the organisation with a log of events that happened on the network. This information can be used to detect possible security breaches. Risk handling, on the other hand, provides the means to detect possible security risks on the organisation's network and to implement the appropriate security mechanisms. All these services need to be in place for a secure network. The following paragraphs give a brief description of each of the aforementioned security services.

Identification and authentication

During the network logon process an employee is asked for his/her name or user ID to distinguish him/her from the other employees or network users. This information, together with some authentication information, for example a password, is then used to authenticate the employee and ensure that they really are who they claim to be [AHUJ96]. Different methods can be used for authentication [SOEL97] [FEWI98]:

- Something the user knows: This is, for example, the password associated with the given user ID, or perhaps a PIN that the user is asked for.
- Something the user has: This could be a key, badge, smartcard or any other device that can be used to authenticate the user and determine if the person really is who he/she claims to be.
- Something the user is: Biometric characteristics are used to authenticate the user. Fingerprints, handprints, voice patterns, keystroke patterns, signatures or retina characteristics of the user are stored and used to authenticate the user whenever a logon is attempted.
- Location: Users can be authenticated depending on where they physically are. A person can, for example, only gain access to a workstation at the physical location of the workstation because it is not accessible via the Internet.

Any combination of the above four can be used. Authentication is performed by checking the user's authentication token, for example their password, before access to data or resources is given. These passwords are managed and stored via a user access management tool, for example Novell Net Enterprise [NOVE02]. Some of these user access management tools use the single sign-on concept to offer authentication [SOEL97]. There are three different methods of single sign-on. With synchronisation the user uses the same ID and password on all the appropriate network systems. Another method is known as scripting, where a logon script supplies the user's ID and password on the user's behalf every time access to a specific application is required. Lastly, one server (the trusted authentication server) stores all user IDs, user passwords and the applications to which the users have access. Replication servers might also be used to provide availability. When the users log on, they gain access to everything on the network for which they have authorisation.

The methods for authentication and logon will affect the setup of the firewall only if the security administrator prefers to make use of the firewall's authentication mechanism. Each firewall has its own configuration setup where the authentication method must be defined so that the firewall knows how to treat incoming and outgoing authentication information. It is therefore very important that the methods being used for identification and authentication be clearly defined by the network security policy.

Authorisation (logical access control)

Different users have access to different resources on the network. It is important to ensure that only authorised users have access to the network resources, for example printers, servers, workstations, fax machines and telephone systems.

Access control lists are used to keep information about the resources that users may access. The access control list typically holds information about all the users, resources and access rights and can be situated either on the firewall itself or on some network server inside the organisation. On firewalls, the access control lists are typically in the form of access control rules where person A is, for example, only given access to use the ftp service between 13:00 and 14:00 each day of the week. Access can also be allowed per group of users rather than per individual user. This simplifies the access control lists on the firewall or wherever the lists are implemented.

Access control can be classified based on whether the access rights are assigned by the owner of the resources or by the security administrator [OLOV92]. With discretionary access control each individual owner of data specifies his/her own rules for access to the data. With mandatory access control, on the other hand, as is the case on most networks, the security administrator determines the access rights of users to all the resources on the network.

Confidentiality

Protecting the confidentiality of network information and of messages sent and received over the network means the assurance that only authorised people may view them. To protect confidentiality, the data is changed in such a way (encrypted) that its contents cannot be understood. Only authorised people should possess the appropriate decryption keys to view the contents of the data intended for them [SOEL97]. There are two basic forms of encryption, namely symmetric encryption (secret key encryption) and asymmetric encryption (public key encryption). With symmetric encryption the same key is used for encryption and decryption of the data. The Caesar cipher [BOGA00] is a simple example of symmetric encryption.
Asymmetric encryption, on the other hand, makes use of different but mathematically related keys for encryption and decryption. Public keys are made available publicly, whereas private keys are the property of the person to whom they belong and can only be used by that specific person. RSA and elliptic curve encryption [RSAL02] are examples of asymmetric encryption; AES, by contrast, is a symmetric cipher. The encryption method, the key length and the type of processor used determine how fast encryption and decryption are performed. Generating a 256-bit encryption key will, for example, take more time than generating a 128-bit encryption key. The speed with which the encrypted data travels over the network is not affected.

Data integrity

Another security service closely related to confidentiality is integrity. Protecting the data's integrity means the assurance that only authorised users change the contents of the data on the network [SOEL97]. A variety of different algorithms can be used to implement integrity and check the validity of the data and messages sent over the network. Checksums, one-way hash functions, message digest algorithms such as MD2, MD4 and MD5, and the secure hash algorithms (SHA) are some of the better-known ones [PVV96].

Non-repudiation or non-denial

A combination of public key and private key encryption can be used for non-repudiation. Encrypting data with the public key of the receiver ensures confidentiality of the data: the data will be confidential because only the receiver will be able to decrypt the message using his/her private key. By encrypting (signing) with the private key of the sender, non-repudiation is enforced, because only the sender possesses that private key and therefore cannot deny sending that specific message or data [SOEL97].
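The key roles in the confidentiality, integrity and non-repudiation services above can be shown in a few lines of code. The following is an added example, not code from the dissertation or its prototype: textbook RSA with fixed (and far too small) Mersenne primes, no padding, and SHA-256 as the integrity value, chosen so that it runs offline without a prime generator. The sender signs the digest of the message with his/her private key and encrypts the message with the receiver's public key; the receiver decrypts with his/her private key and verifies the signature with the sender's public key. The primes, exponent, sample message and function names are assumptions made for illustration only.

```python
"""Added example: the three key roles described above, with textbook RSA.

Confidentiality: encrypt with the receiver's public key.
Integrity:       hash the message and sign the hash.
Non-repudiation: sign with the sender's private key, verify with the sender's public key.

The primes are fixed Mersenne primes so the example runs offline without a prime
generator; there is no padding and the moduli are far too small for real use.
This illustrates the key roles only and is not a usable cryptosystem.
"""
import hashlib

E = 65537                                   # common public exponent
SENDER_PRIMES = (2**61 - 1, 2**89 - 1)      # sender's key pair, n is about 2^150
RECEIVER_PRIMES = (2**107 - 1, 2**127 - 1)  # receiver's key pair, n is about 2^234


def make_keypair(p, q):
    """Return ((e, n), (d, n)): the public and private key for primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)        # modular inverse of e, Python 3.8+
    return (E, n), (d, n)


def digest_int(message):
    """Integrity value: SHA-256 truncated to 128 bits so it fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big")


def sign(message, private_key):
    """Non-repudiation: only the holder of d can produce this value."""
    d, n = private_key
    return pow(digest_int(message), d, n)


def verify(message, signature, public_key):
    """Anyone with the sender's public key can check the signature against the message."""
    e, n = public_key
    return pow(signature, e, n) == digest_int(message)


def encrypt(message, public_key):
    """Confidentiality: only the holder of the matching private key can decrypt."""
    e, n = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("toy scheme: message must be shorter than the modulus")
    return pow(m, e, n)


def decrypt(ciphertext, private_key, length):
    d, n = private_key
    return pow(ciphertext, d, n).to_bytes(length, "big")


def send(message, sender_private, receiver_public):
    """Sender side: sign with own private key, then encrypt for the receiver."""
    return encrypt(message, receiver_public), sign(message, sender_private)


def receive(ciphertext, signature, receiver_private, sender_public, length):
    """Receiver side: decrypt with own private key, then check the sender's signature.
    Returns (message, signature_is_valid)."""
    message = decrypt(ciphertext, receiver_private, length)
    return message, verify(message, signature, sender_public)


def demo():
    """Round trip of a constructed transaction, plus a tampering attempt en route."""
    sender_pub, sender_priv = make_keypair(*SENDER_PRIMES)
    receiver_pub, receiver_priv = make_keypair(*RECEIVER_PRIMES)
    order = b"transfer ZAR 500"        # constructed sample transaction (16 bytes)
    ciphertext, signature = send(order, sender_priv, receiver_pub)
    message, valid = receive(ciphertext, signature, receiver_priv, sender_pub, len(order))
    # an eavesdropper who alters the order cannot produce a matching signature
    tampered_valid = verify(b"transfer ZAR 900", signature, sender_pub)
    return message, valid, tampered_valid


if __name__ == "__main__":
    print(demo())   # (b'transfer ZAR 500', True, False)
```

A real system uses keys of 2048 bits or more with a padding scheme, and encrypts a per-message session key rather than the message itself, the message being encrypted under a symmetric cipher such as AES; the division of roles between the two keys is, however, exactly as shown.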

Digital signatures provide proof of the origin of the data and can be seen as a unique attachment to all data and messages sent. The digital signature cannot be tampered with or changed without detection, not even by the sender of the corresponding data or message. Digital certificates that contain the sender's identification and public key are also attached to the message. These certificates are generated and managed by third parties, for example a certificate authority (CA) [WALD98] or a trusted third party (TTP).

Availability

Availability is another service, which ensures that data and resources are available whenever they are needed. This service can, for example, be achieved via replication servers that are available if data cannot be retrieved from the original server. Availability can also be achieved by making regular backups of the network's data. This ensures that data is still available whenever something happens to the original data source.

Audit

It has become important to keep track of all the events occurring on the network. This can be done using some type of logging tool. Most operating systems have their own logging tool, but these tools might not provide sufficient information to detect security breaches. Extra logging tools can be implemented or installed by writing a custom logging application, buying a generic one or downloading a network logging tool from the Internet. These logs can be useful to many security administrators, as they can determine the usage of network resources, show the activities on the network of certain specified users, identify possible threats and track security and other problems on the network.

Risk handling

Risk handling has also become a very important security service in a network. With the identification of risks (the probability that a threat to the network will materialise), the appropriate countermeasures can then be implemented or activated. Two methods can be used to identify risks:

- It is the security administrator's job to identify and document the risks to the network in some form of standard document defined for the organisation. Identification is usually done manually, using their knowledge of possible weak points within the network. Each risk is assigned a predefined risk weight factor to distinguish critical risks from other, non-important risks. The definition of the risk weight factors is kept in a knowledge base somewhere on the network. According to these risk weights, a decision is made on how to control and minimise the identified risks. A critical risk will, for example, be handled as quickly and cost-effectively as possible, whereas non-critical risks will be handled later on.
- Third-generation tools and applications are implemented on the network to show possible security risks to the security administrator. Firewalls these days have, for example, built-in reporting tools from which deductions can be made about the risks within the current network. The security administrator has the responsibility of deciding on the importance of the risk and how to minimise it for a more secure network. A risk-analysing tool, for example Norman Risk Check [NORM01], can also be implemented to minimise the risk. A firewall or other intrusion detection device can, for example, be implemented to switch a specific network service off when the network is vulnerable or suspicious activity has been detected.

2.6 Network security mechanisms

The last step of enforcing network security is to implement the expected ISS via one or more of the network security mechanisms.
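Before the mechanisms themselves are discussed, the audit and risk handling services of the previous section can be tied together in one worked example. The analyser below is added here and is not the dissertation's prototype: it reads constructed firewall log lines, weights each event with a risk weight factor taken from a small knowledge base, adds one pattern (many distinct services denied from a single source within a few seconds) that no individual rule would report, and ranks the source hosts so that critical risks are handled first and the rest are left for the next scheduled audit. The log format, the weights, the thresholds and the addresses are all assumptions made for the example.

```python
"""Added example: a small audit-log analyser combining the audit and risk handling
services described above. It parses constructed firewall log lines, weights each
event with a risk factor taken from a small knowledge base, adds a scan pattern
no single deny rule would flag, aggregates the scores per source host and ranks
the findings so that critical risks are handled first.

The log format, the weights and the thresholds are assumptions made for this
example; they are not the dissertation's prototype or any real firewall's format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one connection decision per line.
SAMPLE_LOG = """\
2002-07-02 13:05:11 action=permit src=10.1.4.20 dst=10.1.1.5 service=ftp user=personA
2002-07-02 13:06:02 action=deny src=196.25.1.9 dst=10.1.1.5 service=telnet user=-
2002-07-02 13:06:03 action=deny src=196.25.1.9 dst=10.1.1.5 service=ssh user=-
2002-07-02 13:06:03 action=deny src=196.25.1.9 dst=10.1.1.5 service=smtp user=-
2002-07-02 13:06:04 action=deny src=196.25.1.9 dst=10.1.1.5 service=http user=-
2002-07-02 13:06:05 action=deny src=196.25.1.9 dst=10.1.1.5 service=pop3 user=-
2002-07-02 13:10:40 action=deny src=10.1.4.77 dst=10.1.1.8 service=ftp user=bob
2002-07-02 13:11:01 action=permit src=10.1.4.77 dst=10.1.1.8 service=http user=bob
2002-07-02 13:12:30 action=deny src=10.1.4.77 dst=10.1.1.8 service=ftp user=bob
2002-07-02 13:40:00 action=permit src=10.1.4.20 dst=10.1.1.5 service=ftp user=personA
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"service=(?P<service>\S+) user=(?P<user>\S+)$"
)

# Knowledge base of risk weight factors per event type (assumed values).
# A denied request for a remote-shell service weighs more than a denied web request.
RISK_WEIGHTS = {"deny:telnet": 3, "deny:ssh": 2, "deny:*": 1, "permit:*": 0}
SCAN_WINDOW = timedelta(seconds=10)   # denies on this many distinct services ...
SCAN_MIN_SERVICES = 4                 # ... within the window count as a probe
SCAN_WEIGHT = 10
CRITICAL_THRESHOLD = 10


def parse(log_text):
    """Parse the log into a list of event dicts; a malformed line is an error, not silently dropped."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"unparseable log line: {line!r}")
        event = match.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(event)
    return events


def weight(event):
    """Look up the event's risk weight, falling back to the per-action default."""
    return RISK_WEIGHTS.get(f"{event['action']}:{event['service']}",
                            RISK_WEIGHTS[f"{event['action']}:*"])


def detect_scans(events):
    """Return the sources denied on SCAN_MIN_SERVICES or more distinct services within SCAN_WINDOW."""
    denied = defaultdict(list)
    for event in events:
        if event["action"] == "deny":
            denied[event["src"]].append(event)
    scanners = set()
    for src, evs in denied.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            services = {e["service"] for e in evs[i:] if e["ts"] - first["ts"] <= SCAN_WINDOW}
            if len(services) >= SCAN_MIN_SERVICES:
                scanners.add(src)
                break
    return scanners


def assess(log_text):
    """Score each source host and return findings ranked from most to least risky."""
    events = parse(log_text)
    scores = defaultdict(int)
    for event in events:
        scores[event["src"]] += weight(event)
    for src in detect_scans(events):
        scores[src] += SCAN_WEIGHT
    findings = []
    for src, score in sorted(scores.items(), key=lambda item: -item[1]):
        critical = score >= CRITICAL_THRESHOLD
        findings.append({
            "src": src,
            "score": score,
            "level": "critical" if critical else "low",
            # critical risks are handled immediately, the rest at the next scheduled audit
            "action": "block source at the firewall and alert the administrator"
                      if critical else "review at the next scheduled audit",
        })
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_LOG):
        print(finding)
```

On the sample log the external host that probed five services in three seconds scores 18 and is reported as critical, while the internal user whose two ftp requests were denied scores 2 and is left for the next audit. The point of keeping the weights in a separate table is the one the text makes: the knowledge base, not the parser, is what the security administrator tunes when the organisation's view of a risk changes.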
Network security mechanisms are concrete procedures, applications or products that implement ISS. They are divided into three categories [OLOV92]:

- Prevention mechanisms enforce network security during operation of a system by preventing a security violation from occurring, for example a mechanism restricting access to the network, such as a network router or firewall.
- Detection mechanisms are used to detect both attempts to violate network security and successful network security violations, when or after they have occurred in the system, for example some form of logging tool as described in the previous section on information security services.
- Recovery mechanisms are used after a network security violation has been detected to restore the system to a pre-violation state, for example the use of backups of a previously stable network state.

State-of-the-art security mechanisms

The next few paragraphs provide a more detailed discussion of different network security mechanisms for implementing network security, as well as where they fit into the previously defined ISS categories.

a) Prevention mechanisms

An encryption scheme, for instance AES, can be used for confidentiality. Another tool becoming increasingly popular today is PGP encryption [BHAM00]. Using the PGP public/private key technology, users can instantly encrypt, sign, decrypt and verify any file, message or folder. PGP encryption keys are, however, not managed by the organisation. This means that if you lose your private key or forget its passphrase, the encrypted document cannot be recovered. These tools support the confidentiality information security service.

Hashing algorithms, for instance MD2 and MD5, can be used for data integrity. These tools support the integrity information security service.

Digital signatures can be used to verify a user, authenticate the contents of a message and verify signatures in case of dispute. These tools support the integrity and non-repudiation information security services.

Access control mechanisms can determine if a user is authorised to access certain network resources, for example printers, servers, workstations, fax machines and telephone systems. These tools support the authorisation information security service.

Someone in the organisation also needs to stay current with relevant security problems and failures [CURT97]. With their knowledge of old as well as new bugs and failure points within an operating system and the network, the appropriate prevention mechanism can be implemented before anything happens to the network and damage is done.

Firewalls have also become a much-used prevention mechanism. A firewall restricts people to entering at a carefully controlled point, preventing intruders from getting close to other security defences. It also restricts people to leaving at a controlled point so that no back doors are left for re-entry later on. Physically a firewall is a set of components: a router, a host computer or networks with the appropriate software [CHZW95]. Firewalls can implement various ISS, as will be described in chapter 3.

Physical protection methods for preventing an attack on the network also require attention. Workstations without any form of removable disk drive can be used to prevent employees taking information home or unknowingly putting viruses on the network. The network hubs and routers should be protected, because these components are responsible for routing traffic on the network and someone could easily change the routing or even break the hub or router. Without the routers, no one can reach their intended destinations over the network. Intranet wiring should also be hidden in the ceiling and protected against animals, for example rats in the roof or ceiling. Network servers should be protected and locked in a safe room to which only authorised people have access [CURT97]. Servers should be equipped with UPSs (uninterruptible power supplies) to protect them against electrical interference. Servers, workstations and monitors should be properly grounded to protect them against static electricity discharge.

b) Detection mechanisms

Anti-virus software can be used to protect the network against different types of virus, worm, logic bomb and Trojan horse attack [SIMO96]. Examples of state-of-the-art software packages are Norton AntiVirus, Dr Solomon's Anti-Virus tools and McAfee VirusScan [AVSV00].

Most applications produce some form of log file that is used to detect and investigate possible threats and where they originated [OLOV92]. These log files support the audit information security service. A manual search for security breaches can also be done, and sometimes users will report detected problems on the network to the appropriate personnel for them to either fix the problem or provide a workaround for the security problem.

Intrusion detection systems, for example RealSecure and NetProwler, together with audit sources such as the Windows NT/2000 security event logs, are used to detect attacks and/or computer misuse and to alert the security administrator upon detection [INNE01].

Firewalls can also be used as a mechanism to detect possible Internet security problems. Some form of alert or warning message is given to the security administrator to indicate activity on the network that should be investigated further. These alerts can come in the form of e-mails or even a physical alarm to attract someone's attention to suspicious or unknown activity on the network.

c) Recovery mechanisms

Backups of previously safe states can be used to recover a network to a previously secure state. These mechanisms implement the availability ISS. Some applications have built-in recovery mechanisms that are triggered whenever a security breach has been detected on the network.

A simple example of a recovery mechanism is Scandisk, which is run by Microsoft Windows operating systems [COSO00] on startup of a workstation whenever the shutdown process was not performed properly. This application does a low-level check of the workstation's or server's disk to detect possibly faulty sectors. These sectors are then marked as unusable and the data that was on them is recovered, where possible, and written to another part of the disk.

2.7 Firewalls and network security

The previous section mentioned firewalls as one of the network security mechanisms. It was shown in this chapter that firewalls provide the expected ISS defined within the network security policy. Not all organisations use firewalls, but the author feels that firewalls are efficient network security mechanisms that provide most of the expected ISS to an organisation. It should, however, be noted that firewalls will only implement ISS if they are configured accordingly. Firewalls are discussed in the next chapter, where a brief introduction to firewalls is first given before the discussion turns to how a firewall specifically implements the ISS mentioned in this chapter.

2.8 Conclusion

It is clear that security on any network is very important. Without it, the organisation is vulnerable to attacks, and private and confidential information is available to anyone. The provision of network security is, however, sometimes a very daunting task. The bigger the network, the more complex and difficult network security becomes. It is thus imperative that the whole process of defining and implementing network security is divided into smaller steps. If all these steps are thoroughly performed, the author feels that most areas regarding network security have been covered and the expected ISS are delivered to the company. After all these steps have been performed, the author feels that less future work regarding network security is expected. The only work left to the security administrator is to maintain the expected level of security service defined within the network security policy and to ensure that the network security policy remains up to date so that neither new nor old threats are overlooked.

CHAPTER 3 Firewalls

3.1 Introduction

The researcher has shown the importance of network security and the vulnerability of computer networks to attacks and threats from either inside or outside the organisation. Successful attacks on the organisation's network can result in a loss of data, money or resources or, in extreme cases, in the closure of the organisation. Network security is very complex and difficult to implement. Many people are consequently ignorant about network security and do not put enough resources and energy into finding a solution for the implementation of a totally secured networking environment.

The previous chapter proposed a few easy steps to serve as a guideline for implementing network security. The last step described the ISS required for a secure network. Firewalls were introduced as an effective network security mechanism to implement the required ISS. The objective of this chapter is to provide a detailed explanation of firewalls: what they are, how they work and how firewalls implement the ISS. This information serves as an introduction to the prototype built as part of the research for this dissertation.

3.2 Firewall definition

There are many different definitions of a firewall today because of the uncertainty about what a firewall actually is and what it does. Here are but a few of the definitions:

"A firewall is a system or group of systems that enforces an access control policy between two networks. The actual means by which this is accomplished varies widely, but in principle, the firewall can be thought of as a pair of mechanisms: one which exists to block traffic, and the other which exists to permit traffic. Some firewalls place a greater emphasis on blocking traffic, while others emphasize permitting traffic. Probably the most important thing to recognize about a firewall is that it implements an access control policy. If you don't have a good idea of what kind of access you want to allow or to deny, a firewall really won't help you. It's also important to recognize that the firewall's configuration, because it is a mechanism for enforcing policy, imposes its policy on everything behind it. Administrators for firewalls managing the connectivity for a large number of hosts therefore have a heavy responsibility." [GPSY97]

"In building construction, a firewall is designed to keep a fire from spreading from one part of the building to another. In theory, an Internet firewall serves a similar purpose: it prevents the dangers of the Internet from spreading to your internal network. In practice, an Internet firewall is more like a moat of a medieval castle than a firewall in a modern building. It serves multiple purposes: It restricts people to entering at a carefully controlled point. It prevents attackers from getting close to your other defences. It restricts people to leaving at a carefully controlled point. An Internet firewall is most often installed at the point where your protected internal network connects to the Internet." [CHZW95]

A firewall is thus a piece of software or hardware that monitors incoming traffic from unknown networks, for example the Internet, or from known internal resources and networks. It also monitors outgoing traffic from the protected network to the Internet, to other internal resources or to another network of the organisation. All IP traffic is logged and can be restricted or stopped at the firewall via some form of rules implemented on the firewall.
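As an added example of such a rule set (not code from the dissertation or its prototype), the evaluator below keeps the three kinds of information a firewall rule typically holds, namely the user or group, the time and date, and the service, applies the rules first-match with a default deny, and writes one audit line per decision, which is the kind of record a log file analyser consumes. The sample policy reproduces the access control rule from section 2.5 under which person A may use ftp only between 13:00 and 14:00 each day. The rule layout, the first-match semantics, the rule names and the sample requests are all assumptions made for illustration.

```python
"""Added example: a first-match rule evaluator for the three rule fields named
in the text (user or group, time and date, service) with a default-deny result
and an audit line per decision.

Everything here is an assumption for illustration: the rule layout, the
first-match semantics, the default deny and the sample policy are not the
dissertation's prototype or any particular firewall product.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List, Optional, Tuple

ANY = None   # wildcard for any rule field


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                            # "permit" or "deny"
    subjects: Optional[FrozenSet[str]]     # user IDs and/or group names, ANY = everyone
    services: Optional[FrozenSet[str]]     # e.g. "ftp", "http"; ANY = every service
    weekdays: Optional[FrozenSet[int]]     # 0 = Monday .. 6 = Sunday; ANY = every day
    window: Optional[Tuple[time, time]]    # [start, end) local time; ANY = all day


@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]
    service: str
    when: datetime


def matches(rule: Rule, req: Request) -> bool:
    """A rule matches only if every non-wildcard field matches the request."""
    if rule.subjects is not ANY and not (({req.user} | req.groups) & rule.subjects):
        return False
    if rule.services is not ANY and req.service not in rule.services:
        return False
    if rule.weekdays is not ANY and req.when.weekday() not in rule.weekdays:
        return False
    if rule.window is not ANY:
        start, end = rule.window
        if not (start <= req.when.time() < end):
            return False
    return True


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, str]:
    """First matching rule wins; a request no rule permits is denied."""
    for rule in rules:
        if matches(rule, req):
            return rule.action, rule.name
    return "deny", "default-deny"


def audit_line(req: Request, decision: str, rule: str) -> str:
    """One log record per decision, so the audit service sees denies as well as permits."""
    return (f"{req.when:%Y-%m-%d %H:%M} user={req.user} service={req.service} "
            f"action={decision} rule={rule}")


# Constructed sample policy for the investment bank of section 2.4.
RULES = [
    # person A may use ftp only between 13:00 and 14:00, any day of the week
    Rule("ftp-lunch-hour", "permit", frozenset({"personA"}), frozenset({"ftp"}),
         frozenset(range(7)), (time(13, 0), time(14, 0))),
    # staff may browse the web during office hours on weekdays
    Rule("staff-web", "permit", frozenset({"staff"}), frozenset({"http", "https"}),
         frozenset(range(5)), (time(7, 0), time(19, 0))),
    # management may reach the mail server from outside at any time
    Rule("mgmt-mail", "permit", frozenset({"management"}), frozenset({"smtp", "pop3"}),
         ANY, ANY),
    # telnet is refused explicitly so the audit trail names the rule, not the default
    Rule("block-telnet", "deny", ANY, frozenset({"telnet"}), ANY, ANY),
]


def run_batch(rules: List[Rule], requests: List[Request]) -> List[str]:
    """Evaluate each request and return its audit line."""
    return [audit_line(req, *evaluate(rules, req)) for req in requests]


if __name__ == "__main__":
    sample = [
        Request("personA", frozenset({"staff"}), "ftp", datetime(2002, 7, 2, 13, 30)),
        Request("personA", frozenset({"staff"}), "ftp", datetime(2002, 7, 2, 14, 30)),
        Request("bob", frozenset({"staff"}), "http", datetime(2002, 7, 6, 10, 0)),
        Request("carol", frozenset({"management"}), "pop3", datetime(2002, 7, 7, 23, 0)),
        Request("bob", frozenset({"staff"}), "telnet", datetime(2002, 7, 3, 10, 0)),
    ]
    for line in run_batch(RULES, sample):
        print(line)
```

Two details matter in practice. The default deny means that a request not covered by any rule is refused rather than silently allowed, so an omission in the policy fails closed; and the time window is half-open, so a request at exactly 14:00 falls outside person A's ftp hour. The explicit telnet rule adds nothing to what is permitted, but it makes the audit line say which rule refused the request, which is easier to act on than a generic default-deny entry.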

These rules will typically hold three types of information:

- To which user or group of users the rule applies
- The time and date at which the rule should be applied
- To which application, protocol or service the rule applies

The rules thus determine whether a connection or packet is permitted or denied.

The position of the firewall will also determine how security is provided. The firewall can be placed at the entry point to any sub-network of the organisation or at the main entry point to and from the Internet. The position of the firewall is usually determined by the network security policy of the organisation, as described in chapter 2:

- Organisations may desire to isolate the network from different parts of the business. The firewall will then be implemented between their private and public network or even between two private networks. That part of the organisation's network that is open for use by the public and needs no protection is better known as the DMZ (demilitarised zone) depicted in figure 3.1 [HAEN97].

Figure 3.1: Firewall positioning (Internet, DMZ, organisation)

- Some organisations may desire to isolate their whole internal network from any other potentially unprotected network, such as the Internet. In such a case the firewall will be located at the point of entry into the organisation's private network.
- A tunnel can be created via a firewall for the information exchanged between two entities on the defined network. A VPN (virtual private network) can be created between two firewalls for confidentiality and integrity of information over the Internet.

There are, however, no fixed rules for the positioning of a firewall. This is left to the security administrator to decide. An investment bank, for example, needs a very high level of security for its e-commerce transactions and its internal web site or intranet. However, this organisation's public web site does not need any protection, because only harmless information about the organisation is displayed on it. The organisation will typically settle for a security architecture where the public web server is located in a DMZ and the rest of the network is located behind a firewall that has very strict rules for allowing people to access the internal web site. The firewall will act as a proxy server and redirect authorised traffic to the appropriate servers for further processing.

3.3 The components of a firewall

A firewall's characteristics are determined by a few individual components working together, as well as by the configuration of the firewall. Generic firewall components are depicted in figure 3.2 and can be defined as follows:

- Filters: It is the job of the filters to intercept packets travelling through the firewall. These packets are examined against the defined filtering rules; only authorised packets will be permitted, while others will be discarded. The author feels that this component is used most by firewalls, because all network traffic passes through the firewall filter before being routed to the appropriate destination. Different firewall filtering techniques will be discussed in the next section.
- Proxy servers: The proxy servers authenticate the user and evaluate the application request. After the firewall filter has validated the request, it is sent to the appropriate proxy server, depending on the type of application and on whether the security administrator has configured the firewall accordingly. E-mail requests will, for example, be routed to the e-mail proxy server. The proxy server authenticates the user and will then route the request to the appropriate mail server within the organisation. There are different proxy servers for a wide variety of applications [CHZW95], for example e-mail proxy servers, news proxy servers, FTP proxy servers and HTTP proxy servers.
- Domain name service (DNS): The DNS isolates the name service of the private network from that of the Internet. Internal name resolution, and sometimes even a limited amount of external name resolution, can be done by the firewall if it was configured accordingly.
- Scheduler: The scheduler is used to back up the log files at a regular interval and is also used to update the log file view regularly. The security administrator will set the interval in accordance with the network security policy.
- Alerter: The alerter is a built-in application that alerts the firewall, security or network administrator of a possible attack. The type of alert, whether it is an e-mail or a physical alarm, is configured in the firewall settings.
- Information database: The firewall contains a database with information about the users, entities, user groups, filters and rules defined on the firewall.
- Log files: All activity information about actions performed within and by the firewall is stored in a specific file, better known as a log file.

Figure 3.2: The components of a firewall (filters, proxy servers, scheduler, DNS, information database, log files, alerter)

The firewall also has some built-in security services for the implementation of the necessary ISS. A strong authentication system, very good encryption services [ROBI94] and integrity services ensure that the data will remain true and protected and cannot be altered during transmission. Table 3.1 shows how the ISS can be provided by the different firewall components if the firewall was configured to make use of its built-in security services. The filters, for example, are responsible for evaluating all data passing through the firewall. The filters will determine whether the data is from a trusted source, whether the sender is trusted and whether the receiver is allowed to receive the data. If the firewall was configured to perform authentication via its user management service, it will authenticate the user's request and thus provide the authentication ISS for efficient network security.

Table 3.1: Internet information security services vs. firewall components. Rows (components): Filters, Proxy servers, Domain name services, Scheduler, Alerter, Information database, Log files. Columns (ISS): Identification and authentication, Authorisation, Confidentiality, Integrity, Non-repudiation, Availability, Audit, Risk handling. An X marks an ISS that a component can provide; the individual cell marks are not reproduced here.

The different firewall filtering techniques used by the firewall's filter component will be investigated next. This will show that filtering can be achieved via different means. It is important to this research as it forms an integral part of any firewall technology. Without filtering there is no firewall.

3.4 Firewall filtering techniques

Firewalls use different filtering techniques to offer the appropriate protection for the organisation. The different filtering techniques use different means of inspecting incoming or outgoing IP traffic. A distinction can be made between old- and new-generation filtering techniques.

3.4.1 Old-generation filtering techniques

These filters were the first to be developed to control incoming and outgoing IP traffic through a centralised point in the network, better known as a firewall. A distinction can be made between three older filtering techniques.

a) Packet filtering

One method of restricting the flow of information from one network to another is packet filtering. Packet filtering is generally the smallest and simplest form of security used in a firewall [GPSY97]. With packet filtering, depicted in figure 3.3, the firewall examines the content of each data packet to decide whether or not to route this information to its intended destination. The type of router used in a packet-filtering firewall is known as a screening router [CHZW95]. An ordinary router simply looks at the destination address of each packet and picks the best way it knows to send the packet towards its destination. A screening router, on the other hand, looks at the packets more closely and decides whether it should route the packet or not. Each TCP/IP packet is evaluated in detail, and information [CHZW95] such as the IP source address, IP destination address, protocol, TCP or UDP source port, TCP or UDP destination port and ICMP message type will be used in the grant decision. The screening router also knows on which network interface or resource the packet arrives and on which it will leave.

The packet filtering firewall [SIMO96] will reduce the risk of security breaches, the time spent on coping with intrusions, and the cost and possibility of disruptions in the business. Packet filtering is very fast [GAUN01], easy to employ and rather inexpensive. The rules, however, are very complex, and so, too, are the filtering tables. There are many hardware, software and maintenance costs. This does not make the firewall very scalable when security needs increase.
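The rule evaluation described above, as an added example that is not part of the dissertation or its prototype: a minimal packet filter in Python that matches the header fields a screening router inspects (addresses, protocol, ports, ICMP type) together with the three kinds of rule information listed in section 3.2 (user, time window, service), first match wins, with a default-deny rule at the end. All addresses, users, rule names and timestamps are constructed for the example.

```python
# Added example (not the dissertation's prototype): a minimal packet filter
# that evaluates a rule table against a packet's header fields, first match
# wins, default deny. Rule fields follow the three kinds of information the
# text lists (user/group, time window, protocol/service) plus the packet
# fields a screening router inspects. Addresses and rules are constructed.
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str                 # IP source address
    dst: str                 # IP destination address
    proto: str               # "tcp", "udp" or "icmp"
    sport: int = 0           # TCP/UDP source port (0 for ICMP)
    dport: int = 0           # TCP/UDP destination port (0 for ICMP)
    icmp_type: int = -1      # ICMP message type, -1 if not ICMP
    user: str = ""           # hypothetical: user the firewall associated with the sender


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                  # "allow" or "deny"
    src: str = "0.0.0.0/0"                       # CIDR; 0.0.0.0/0 plays the role of "universe*"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None                  # None matches any protocol
    dport: Optional[int] = None                  # None matches any destination port
    icmp_type: Optional[int] = None
    users: Tuple[str, ...] = ()                  # empty tuple: rule applies to every user
    window: Optional[Tuple[time, time]] = None   # (start, end) time of day, inclusive

    def matches(self, pkt: Packet, when: datetime) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        if self.users and pkt.user not in self.users:
            return False
        if self.window is not None:
            start, end = self.window
            if not (start <= when.time() <= end):
                return False
        return True


def evaluate(rules, pkt: Packet, when: datetime):
    """Return (action, rule_name) for the first matching rule; deny if none matches."""
    for rule in rules:
        if rule.matches(pkt, when):
            return rule.action, rule.name
    return "deny", "default"


# Constructed rule table for a 10.0.0.0/8 private network.
RULES = [
    # figure 3.6 style: workstation A may use FTP (control port 21) to any host
    Rule("ftp-from-workstation-a", "allow", src="10.0.0.5/32", proto="tcp", dport=21),
    # web browsing for named internal users during office hours only
    Rule("http-office-hours", "allow", src="10.0.0.0/8", proto="tcp", dport=80,
         users=("alice", "bob"), window=(time(8, 0), time(18, 0))),
    # block ICMP echo requests (type 8) arriving from outside
    Rule("no-inbound-ping", "deny", dst="10.0.0.0/8", proto="icmp", icmp_type=8),
]


def demo():
    """Evaluate a few constructed packets against RULES."""
    office = datetime(2002, 7, 1, 10, 0)    # constructed timestamps
    night = datetime(2002, 7, 1, 22, 0)
    return [
        evaluate(RULES, Packet("10.0.0.5", "203.0.113.9", "tcp", 40000, 21), office),
        evaluate(RULES, Packet("10.0.0.7", "203.0.113.9", "tcp", 40001, 21), office),
        evaluate(RULES, Packet("10.0.0.7", "203.0.113.9", "tcp", 40002, 80, user="bob"), office),
        evaluate(RULES, Packet("10.0.0.7", "203.0.113.9", "tcp", 40002, 80, user="bob"), night),
        evaluate(RULES, Packet("198.51.100.7", "10.0.0.5", "icmp", icmp_type=8), office),
    ]


if __name__ == "__main__":
    for action, rule in demo():
        print(action, rule)
```

The default-deny fall-through is the point to notice: a packet that matches no rule is dropped, so the rule table only ever widens access deliberately. Rule order matters because the first match wins; a broad deny placed before a narrow allow silently shadows it.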

Figure 3.3: Packet filtering firewall (Internet, IP packets, private network)

b) Application-level gateway (proxy server)

Firewalls using this filtering technique are also known as bastion- or host-based firewalls. Application gateways, depicted in figure 3.4, use specially written code for specific applications. This code is called a proxy service, and these services are passed between clients and servers in the gateway. A proxy service requires two components:

- A proxy server: This runs on the firewall host and relays application packets to the proxy client.
- A proxy client: This is inside the private network and communicates with the proxy server rather than directly with the user [CHZW95].

The purpose of a proxy server is to intercept the user's access to the application, identify and authenticate the user and ensure that the user is authorised to access the application. It then permits the user to access the appropriate server. Transparency is the main benefit of proxy servers. To the user, a proxy server presents the illusion that the user is dealing directly with the server. To the real server, the proxy server presents the illusion that the real server is dealing directly with the user [CHZW95]. Application gateways are much simpler and more secure than packet filtering because code has been specifically designed for certain applications, for example e-mail protocols, FTP and HTTP. Only those services for which a proxy exists are allowed through [SIMO96] [GAUN01] [WACA95].

Figure 3.4: Application-level firewall (Internet, HTTP proxy and FTP proxy each with an in and an out side, private network)

c) Circuit-level gateways

Circuit-level firewalls, depicted in figure 3.5, operate as intelligent filters, making sure that the trusted and untrusted networks never come into direct contact. A handshake process at the beginning of the session includes the exchange of TCP packets in the correct order and format for the information flow to proceed [WEBB98]. The circuit-level gateway then simply relays TCP connections from the external host to the internal host. All traffic is thus directed to the proxy's address and appears to come from the proxy and not from the original sender's computer. There will never be a direct connection between the internal host/network and the external host/network, because every connection (incoming or outgoing) will always first connect to the firewall and from there be relayed to the appropriate location [HAEN97]. Less complex rules need to be defined than with packet filtering, but only those applications for which a proxy server exists will be allowed.

Figure 3.5: Circuit-level gateways (Internet, HTTP proxy and FTP proxy each with an in and an out side, private network)

3.4.2 New-generation firewall filters

The new-generation filtering techniques, on the other hand, have extended the functionality offered by the older filtering techniques to provide even more flexibility and a wider choice in setting up the expected level of security.

a) Stateful multi-layer inspection (SMLI)/stateful inspection firewall

SMLI is also known as a stateful inspection firewall. The firewall contains a collection of predefined states in which connections can be found. The state of the TCP/IP connection is important because both hosts must agree to the connection before traffic can be allowed and information is sent. Some states are, for example, listen, wait, closed and received. Incoming packets are inspected and evaluated at the network layer until the firewall has enough information to determine the state of the current connection. Each attempted connection will then be compared to the predefined connection states defined in the firewall [GAUN01]. If the state of the connection is friendly, or deemed to be valid and authorised, the connection is allowed and packets will be passed through the firewall. The firewall is completely transparent to both users and applications.
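The state tracking just described, as an added example that is neither the dissertation's prototype nor any vendor's implementation: a toy stateful inspector in Python that keeps a table keyed by the TCP four-tuple and moves each connection through handshake states, so that a packet is relayed only if it is the expected next step of a connection an internal host opened. The state names, the private address range and the packet exchange are constructed.

```python
# Added example (not the dissertation's prototype): a toy stateful inspection
# engine. It keeps a connection table keyed by the TCP 4-tuple and moves each
# connection through handshake states; packets that do not fit the expected
# next step, or that belong to no known connection, are dropped. State names
# and the private network range are constructed for this example.
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet

PRIVATE_NET = ipaddress.ip_network("10.0.0.0/8")   # constructed private network


@dataclass(frozen=True)
class TcpPacket:
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str]   # subset of {"SYN", "ACK", "FIN", "RST"}


def is_private(addr: str) -> bool:
    return ipaddress.ip_address(addr) in PRIVATE_NET


class StatefulInspector:
    def __init__(self):
        # (client, client_port, server, server_port) -> connection state
        self.table = {}

    def _lookup(self, pkt: TcpPacket):
        """Find the connection a packet belongs to and the direction it travels."""
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if fwd in self.table:
            return fwd, "to-server"
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if rev in self.table:
            return rev, "to-client"
        return None, None

    def inspect(self, pkt: TcpPacket) -> str:
        f = pkt.flags
        key, direction = self._lookup(pkt)

        if "SYN" in f and "ACK" not in f:
            # A new connection: in this example's policy only hosts on the
            # private network may open one, and only towards the outside.
            if key is None and is_private(pkt.src) and not is_private(pkt.dst):
                self.table[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = "SYN_SENT"
                return "allow"
            return "drop"

        if key is None:
            return "drop"          # no state: an unsolicited ACK/FIN/RST

        state = self.table[key]
        if "RST" in f:
            del self.table[key]    # abort: forget the connection
            return "allow"
        if "SYN" in f:             # SYN+ACK: the server's reply to the client's SYN
            if state == "SYN_SENT" and direction == "to-client":
                self.table[key] = "SYN_ACK_SEEN"
                return "allow"
            return "drop"
        if "FIN" in f:
            if state in ("ESTABLISHED", "CLOSING"):
                self.table[key] = "CLOSING"   # real firewalls age these out with timeouts
                return "allow"
            return "drop"
        if "ACK" in f:
            if state == "SYN_ACK_SEEN" and direction == "to-server":
                self.table[key] = "ESTABLISHED"   # three-way handshake complete
                return "allow"
            if state in ("ESTABLISHED", "CLOSING"):
                return "allow"
            return "drop"
        return "drop"


def demo():
    """Constructed exchange: an internal client browses an external web server
    while an outside host sends unsolicited packets straight at the client."""
    fw = StatefulInspector()
    syn = frozenset({"SYN"})
    synack = frozenset({"SYN", "ACK"})
    ack = frozenset({"ACK"})
    finack = frozenset({"FIN", "ACK"})
    packets = [
        TcpPacket("10.0.0.5", "203.0.113.9", 40000, 80, syn),       # client opens
        TcpPacket("203.0.113.9", "10.0.0.5", 80, 40000, synack),    # server replies
        TcpPacket("10.0.0.5", "203.0.113.9", 40000, 80, ack),       # handshake done
        TcpPacket("10.0.0.5", "203.0.113.9", 40000, 80, ack),       # request data
        TcpPacket("203.0.113.9", "10.0.0.5", 80, 40000, ack),       # response data
        TcpPacket("198.51.100.7", "10.0.0.5", 4444, 23, syn),       # inbound connection attempt
        TcpPacket("198.51.100.7", "10.0.0.5", 4444, 23, ack),       # ACK with no connection behind it
        TcpPacket("203.0.113.9", "10.0.0.5", 80, 40000, synack),    # second SYN+ACK on an established connection
        TcpPacket("10.0.0.5", "203.0.113.9", 40000, 80, finack),    # client closes
    ]
    return [fw.inspect(p) for p in packets]


if __name__ == "__main__":
    print(demo())
```

Two things the example makes visible that a stateless packet filter cannot: a lone ACK from outside is dropped because no connection exists for it, and a second SYN+ACK on a connection that is already established is dropped because it is not the expected next state, even though each packet on its own would pass a port-based rule.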

b) SOCKS

SOCKS is short for the SOCK-et-S protocol. This was initially an internal development name that remained after the protocol's release. SOCKS defines a protocol that allows TCP applications to traverse firewalls in a secure and controlled manner, gaining authenticated access through the firewall to an external network [WALD97]. All applications are first transformed into a universal format before being sent to the proxy server in the firewall, where application packets are taken care of and relayed to the appropriate application server or host. SOCKS can also be constructed to function within a circuit-level gateway. It acts as a proxy at the session layer to mediate client/server connections for transactions on an intranet or the Internet. SOCKS is application-independent and applies security services on a session-by-session basis.

3.5 Firewalls and ISS

The fact that a firewall is a security mechanism implies that it implements the ISS needed to protect the organisation's network. The ISS provided are determined largely by the configuration of the firewall. The configuration of the firewall allows the security administrator to choose which ISS to implement and how they should be used on the organisation's network. The rest of this section will elaborate on how a firewall implements the eight ISS discussed in chapter 2.

3.5.1 Identification and authentication

The firewall can identify and authenticate users. Users are identified and authenticated by the firewall's authentication service without exposing their password to the unprotected network [WACA95]. The authentication service usually comes in the form of a user management tool built into the firewall's internal architecture. The firewall receives the user's ID, authenticates the user and logs the user onto the private network with the appropriate and valid user ID and password for a specific application. This kind of double identification and authentication is used particularly with FTP and TELNET application logins. External users log onto the firewall with their user ID and password. The firewall authenticates them and their request is sent to the appropriate application server, which performs another identification and authentication [AHUJ96].

3.5.2 Authorisation

The security administrator is in charge of defining the rules and filters of the firewall. It is in these firewall filters that certain users can be given certain access to specified resources and computer hosts. These firewall filters therefore have access control lists, as depicted in figure 3.6.

Allow | FTP puts | Workstation A | Universe*

This rule will allow workstation A to perform FTP puts to any other computer in the organisation or on the Internet (universe*).

Figure 3.6: An example of a firewall rule

3.5.3 Confidentiality

The type of encryption service used by the firewall will largely determine the confidentiality of data passing through the firewall's filter. The firewall will encrypt designated data passing through the filter with the chosen encryption key. The type of encryption available will depend on what has been built into the internal architecture of the firewall.

The corresponding decryption key should then be used by the other firewall, in the case of the VPN depicted in figure 3.7, or by the other resource, to decrypt the data before it can be used.

Figure 3.7: Confidentiality in a VPN (Company A encrypts the information, it crosses the Internet, Company B decrypts it)

3.5.4 Integrity

It is sometimes necessary to make sure that the data and information received are valid. The firewall can provide this assurance by applying its built-in integrity service to the data or information. The integrity service is usually offered via a choice of different hash algorithms with which to perform the integrity checks. When the firewall sends data, the integrity information is sent with the data. By applying the corresponding integrity mechanism to the received data, as depicted in figure 3.8, the validity of the data can be checked before it is accepted.
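The add-header/check-validity exchange of figure 3.8, as an added example that is not part of the dissertation or of any firewall product: the sending side computes a keyed hash (HMAC) over the payload with a key shared by the two firewalls and prepends it as a header, and the receiving side recomputes the HMAC and accepts the payload only when the two match. The header format, the selectable hash algorithms, the shared key and the sample payload are all constructed for the example; a keyed MAC rather than a bare hash is used because an unkeyed hash could simply be recomputed by whoever altered the data.

```python
# Added example (not the dissertation's prototype): an integrity header in the
# style of figure 3.8. The sending side computes an HMAC over the payload with
# a key shared by the two firewalls and prepends it as a header; the receiving
# side recomputes the HMAC and accepts the payload only if the two match.
# The header format, algorithm choice and shared key are constructed.
import base64
import hashlib
import hmac
import json
from typing import Optional

# "A choice of different hash algorithms", as the text describes.
HASHES = {"sha256": hashlib.sha256, "sha1": hashlib.sha1}


def _mac(key: bytes, algorithm: str, payload: bytes) -> bytes:
    # The algorithm name is bound into the MAC input so that a header cannot be
    # rewritten to name a weaker algorithm without invalidating the tag.
    data = algorithm.encode() + b"\x00" + payload
    return hmac.new(key, data, HASHES[algorithm]).digest()


def add_integrity_header(payload: bytes, key: bytes, algorithm: str = "sha256") -> bytes:
    """Company A side: prepend one JSON header line carrying the MAC."""
    header = {"alg": algorithm,
              "mac": base64.b64encode(_mac(key, algorithm, payload)).decode()}
    return json.dumps(header).encode() + b"\n" + payload


def check_validity(message: bytes, key: bytes) -> Optional[bytes]:
    """Company B side: return the payload if its MAC verifies, otherwise None."""
    header_line, sep, payload = message.partition(b"\n")
    if not sep:
        return None                       # no header at all
    try:
        header = json.loads(header_line)
        algorithm = header["alg"]
        if algorithm not in HASHES:
            return None                   # unknown or unsupported algorithm
        expected = base64.b64decode(header["mac"])
    except (ValueError, KeyError, TypeError):
        return None                       # malformed header
    # Constant-time comparison so the check leaks nothing about the tag.
    if hmac.compare_digest(_mac(key, algorithm, payload), expected):
        return payload
    return None


def demo():
    """Round trip, then a payload altered in transit, then a receiver with the wrong key."""
    key = b"constructed-shared-key-between-firewalls"   # constructed
    sent = add_integrity_header(b"transfer 100 to account 42", key)
    head, _, body = sent.partition(b"\n")
    tampered = head + b"\n" + body.replace(b"100", b"900")
    return {
        "intact": check_validity(sent, key),
        "tampered": check_validity(tampered, key),
        "wrong_key": check_validity(sent, b"some-other-key"),
    }


if __name__ == "__main__":
    print(demo())
```

The shared key is what makes the check meaningful: the receiving firewall can verify the tag only because it holds the same key, and a third party who changes the payload cannot produce a matching tag. Distributing and rotating that key is the part of the VPN configuration that the figure leaves implicit.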

Figure 3.8: Integrity in a VPN (Company A adds an integrity header, the data crosses the Internet with its header, Company B checks validity)

3.5.5 Non-repudiation

Some firewalls use private and public keys to ensure the confidentiality of information. The information contained in the private and public keys can also be used to enforce non-repudiation. This information will legally bind someone to certain information, because they cannot deny possession of a specific private encryption key.

Figure 3.9: Non-repudiation and firewalls (information carrying a digital signature exchanged across the Internet)

The originating and destination applications must also take responsibility for enforcing non-repudiation, because they should contain the appropriate non-repudiation mechanisms, for example the use of digital signatures depicted in figure 3.9.

3.5.6 Availability

Firewalls can ensure the availability of information in different instances. If the firewall's DNS component is not working, all DNS requests can be routed to another DNS server. User management information can be stored on a separate server to ensure that the information is available to multiple firewalls when they are configured to use the same information. More than one proxy server can also be defined for file requests, for example. This means that file server requests will be redirected to another file server if the current one is unavailable. The firewall also performs load balancing, where requests are sent to and handled by more than one server, to ensure that all requests are handled and that data and information are always available.

3.5.7 Audit

A firewall itself has logging capabilities. Most IP traffic and actions occurring on firewalls are logged and can be backed up for further use, for example to examine network usage. Other software can use these log files to provide the security administrator with useful information. This software can be bought, downloaded for free from the Internet or developed in-house.

3.5.8 Risk handling

Firewalls do not have a built-in risk analyser, but the researcher has developed a prototype that can be installed on the firewall. The application will use the logs of the firewall to show possible risks on the network.

3.6 Conclusion

Firewalls are network security mechanisms that can be implemented and used to provide the expected ISS to the organisation, as defined in the network security policy. It was shown in this chapter that a firewall consists of different components that can enforce different ISS via the configuration of the security services built into the internal firewall architecture. It should, however, be noted that the ISS will only be provided by the firewall if it was configured to do so.

From this introduction to firewall technology, it should have become clear that the implementation of firewall technology should rather be seen as the implementation of each individual ISS than as the implementation of a firewall for network security as a whole. With this mindset the author feels that more focus will be placed on the implementation of the individual ISS. This in turn will result in the assurance that each ISS defined in the network security policy has been dealt with, and consequently in the improved implementation of network security.

Firewall technology does, however, have some problems:

- Appropriate risk handling ISS is not delivered by a firewall
- The log files of a firewall are usually not very user-friendly and are hard to understand and use

Due to these problems, the author has developed a prototype that offers a solution.

58 CHAPTER 4 Firewall logs

4.1 Introduction

The eight ISS for a secure computer environment have been discussed in the previous chapters. It was shown that some of these ISS could be implemented with network security mechanisms. These network security mechanisms are available in a variety of forms, ranging from password protection to firewalls. Chapter 3 discussed firewalls in detail to explain their functioning and how firewalls offer network security in support of the eight ISS.

In this chapter the focus will be on how firewalls can support the audit and risk handling ISS specifically. Firstly, log files will be defined and a distinction will be made between three different groups of log files. It will be shown that the log files created by the firewall are an important role-player in the support of the audit and risk handling ISS. Log file analysers and risk analysers will then be defined. These analysers will be extended to incorporate the log files of firewalls, and descriptions of current state-of-the-art analysers will be included. These firewall log file and risk analysers can be implemented to make the most of the information contained in firewall log files and to use it to improve the organisation's network security. This information will give the appropriate background for the discussion of the prototype to follow.

4.2 Log files

Many computer hardware and software applications have some form of logging capability or logging tool. These logging tools are used to audit the organisation's network and to produce output better known as log files. These log files can be in many different formats, ranging from being printed on a screen to being imported into a database for further calculations. The different log files can be divided into three main groups:

- Network log files [INNO98]: Hardware and applications keep track of network activities and traffic by creating log files containing all the necessary information, for example the Windows NT system log file depicted in figure 4.1. This log file shows, amongst other things, that an SMTP service could not be started, resulting in an event error code 116 message, and warns through event error code 2013 that the file server is at or near full capacity. Combining all this information, the security administrator can identify possible attacks on the network and create reports on the current network and Internet activity.

Figure 4.1: An example of a network log file

- Application log files [INNO98]: These log files contain information about a specific application's activities, for example the SQL Server database log file depicted in figure 4.2. Information such as which user used the application, when the application was used and which critical activities were performed on the application is logged. From this the security administrator can obtain information on the usage of an application and on users not certified to use the application.

Figure 4.2: An example of an application log file

- A combination of both: A firewall log file, depicted in figure 4.3, contains both network- and application-specific information. This combination enhances the functioning of the firewall. Suppose, for example, that no network activity was logged, but the application-specific information in the log file shows that the firewall was shut down. The combination of the two kinds of log information thus explains why no network activity was logged and no traffic went through the firewall.

Figure 4.3: An example of a firewall log file

4.3 Log file analysers

Most log files, as they are known today, are not very user-friendly. A log file analyser is an application that takes the log files produced by some logging tool or application, analyses them and provides output that everyone can understand. This output can be used for many different things, for example as a statistics provider or a network usage analyser, and/or to identify security problem areas in the network. There are generic and self-developed log file analysers available for the three groups of log files mentioned in the previous section:

- Application log file analysers: Most applications have some form of log file to keep track of activities occurring within the application. Windows NT's event viewer [MICR01], for example, is a very good example of a tool that keeps a log of actions being performed on the Windows NT platform and also serves as a log file analyser. The logs can be viewed in a user-friendly manner, and analysed content is viewable in easily understandable graphs. From these graphs the security administrator is able to verify that the application's security corresponds with the organisation's network security policy.

- Network log file analysers: A whole range of network log file analysers is currently available. Analog [TURN99], for example, is a program that analyses the log files of a web server. It shows which pages are most popular, from which countries people are visiting and from which sites they tried to follow broken links. Some other examples of commercial network log file analysers are MK Stats [WEBT98], NetIntellect from WMT Webmanage [NETI98], NetAuditNow [NETA01] and Hitlist for Web traffic analysis from MarketWare [MARK99].
- Combined log file analysers: These log file analysers provide both application- and network-related information. Firewall log file analysers fall under this category. The following are a few commercial firewall log file analysers available on the Internet:
  - WebTrends: WebTrends processes any type of web server log file and produces comprehensive reports for the organisation in real-time mode. Enterprise-wide reports on the effectiveness of the organisation's web site are also provided [WEBT99].
  - NestWatch: This log analyser produces reports especially useful for network transfer usage monitoring, Web statistics and ISP transfer usage [NEST99].
  - Telemate from Telemate Software: This company originally created reports for the accounting and usage of phones. The reports are very rigid but quite extensive.
  - Reptor: Reptor analyses the log file and generates traffic summaries and alert messages based on defined conditions [WANK01].
  - Raptor Firewall Log File Analyser and Report Generation: This tool allows administrators to generate reports showing various protocol usages and the busiest times of the day. Configuration files allow the customisation of reports and the addition of protocol descriptions for better readability [BROW00].

The next section describes log file analysers that use only the log files from firewalls as input to perform network analysis.

4.4 Firewall log file analysers

Firewall log file analysers are developed with the specific purpose of analysing the log files of specific firewalls. The output of firewall log file analysers is very useful to security administrators. A firewall log file analyser will, for example, provide complete network usage information. From this information the security administrator can detect possible security loopholes and monitor the network to ensure that the defined network security policy of the organisation is enforced. The security administrator will also be able to manage the firewall correctly and easily, with all the necessary information and statistics made available by the firewall log file analyser [BURG98].

The firewall log file analyser only uses the current firewall log files for analysis. It does not have the capability to import other network- or application-specific log files that could enhance its output. If a Windows NT log file could, for example, also be used in the network analysis, security breaches could be traced to a specific computer, and the NT log file would show which user was logged in at the date and time in question. The output is usually also not very user-friendly and can thus not be put to better use, because its format and contents are difficult to decipher and understand.

The FA, as proposed as part of this research work, offers a solution to the above shortcomings of current commercial firewall log file analysers and will be discussed in chapters 6 and 7.

4.5 The audit ISS

All the different components of a firewall, depicted in figure 4.4, play some part in producing the firewall log file itself or entries in the firewall log file for auditing purposes. Log files will be generated and stored only when the firewall was configured to do so. Each firewall component has been described in detail in chapter 3, and their individual roles in auditing are as follows:

- Scheduler: The scheduler provides the capability to log activities on the network during specific, defined times. The firewall log file can, for example, be updated once every minute, or the update can be done in real time. The scheduler is also used to back up the log files at regular, predetermined times.

Figure 4.4: Logging in firewalls (the firewall's scheduler, filters, proxy servers, DNS, alerter and information database feed a logging facility service that writes the log files, which are in turn read by a log file analyser and a risk analyser)

65 Chapter 4 Firewall logs Firewall log files These are the files where all the information about the activities on the network and firewall is collected. The firewall log files are therefore the output provided to the security administrator. Filters The filters either do or do not allow data to pass through the firewall. If the filters disallow a specific piece of data, an entry will be made in the firewall log file stating which filter was applied and why the data was not allowed. The firewall log file will also contain an entry for all data that successfully passed through the filters. Information database A database is used to store the configuration information of the firewall and its log files. Information, for example where the firewall log files must be saved, will be stored here. Proxy servers Service requests directed by proxy servers to the actual internal servers are logged in the firewall log files. The request for a web page, for example, will be redirected to the appropriate web server and this activity will be logged in the firewall s log file. DNS All DNS name lookups using the firewall host files are logged in the firewall log files. Internal host names, for example, are mapped to the appropriate IP address within the local host file of the firewall. This ensures that only the firewall is aware of all internal hosts and thus hides their identities from the outside world. Alerter Whenever a fault on the firewall or suspicious activity has been detected on the firewall, the alerter will notify the security administrator thereof. This information is logged in the firewall log files. Different log files will typically represent network activities of different days of the organisation. These firewall log files can be analysed further with a firewall log file analyser, as discussed earlier in this chapter. 
The firewall log file analyser enhances the audit ISS supported by the firewall and organises the information into a user-friendly format for use by the security administrator.

4.6 The risk handling ISS

Besides the audit ISS, firewalls should also be able to support the risk handling ISS. Risk can be defined as the possibility that threats to objects in a computerised network will be realised. The higher the possibility of a threat being realised, the greater the risk to the organisation.

As more employees and individuals at home are given Internet access, the appeal of the Internet continues to grow. More organisations need to actively monitor Internet traffic and usage patterns, and block employees' access to certain Internet sites [JESS98]. It is very important that security administrators be aware of the risks, for example employees abusing their Internet access for personal purposes and unauthorised people trying to gain access to the private data of the organisation through the firewall.

Firewall risk analysers use the firewall log files to investigate risks and to show which areas of the network need more security and/or attention. State-of-the-art risk analysers, for example CycSecure [CYCO01], provide risk handling support to security administrators. Such commercial risk analysers are, however, few, and each reports only on the risks specific to the application it was developed for or to a certain area of the network. The FA addresses this by using different log files from different applications and from the network, to ensure that all areas of the organisation's network are covered when risk analysis is performed.

4.7 Firewall risk analyser

A firewall risk analyser can be implemented with the firewall to provide the risk handling ISS, enhancing the functionality of the firewall as well as the security of the organisation's network.

Firewall risk analysis can serve various purposes.

For identification:

- Possible risks on the network can be identified, for example users being routed wrongly to a server that contains private and confidential information.
- The risk posed by certain users on the network can be determined, for example the firewall log showing a specific user that repeatedly used the PING and FINGER protocols (common with hackers).
- The risk of certain protocols on the network can be determined, for example a high Internet usage risk.
- Possible attacks on the private network can be identified in the firewall log files. The higher the frequency of the attacks, the greater the risk they pose to the organisation.
- The risk to certain resources can be established, for example a file server that gets an abnormally high number of hits.
- Risks to the firewall itself can be reported to the security administrator, for example the unexpected shutdown of the firewall.
- The firewall risk analyser can also identify risks arising from certain changes in the configuration of the firewall. A new filter, for example, could be implemented on the firewall but result in the firewall log file showing an abnormally high Internet usage risk.

To provide solutions:

- Certain risk actions or solutions can be presented to the security administrator. According to the risks identified, the security administrator can change the configuration of the firewall to prevent certain risks.
- Risks can be prioritised to see which risks are more important and need more attention.
- The network security policy of the organisation can be modified to implement countermeasures against the risks.

It is important for the security administrator to have a good understanding of how the firewall risk analyser works, what information it offers and how the output of the firewall risk analyser can be used.
The whole process involved in the risk handling ISS, and how the firewall risk analyser provides these services, must be clear.

4.8 Conclusion

The audit and risk handling ISS are very important, and the firewall log files play a central role in both. The log files of a firewall can be categorised as network- and application-type log files. This combination provides a very powerful source of information on what is happening on the firewall as well as on the whole network of the organisation. These log files can be used to provide the security administrator with valuable information on the status of the network. The appropriate risk analysis is performed using these log files as the main input source, and from the risk analysis conducted the appropriate action can be taken to minimise or even remove these risks.

The problem with current audit and risk analysis tools, however, is that they use only one of the above types of log file. The author developed the FA as a solution to this problem. The FA uses any type of log file as part of its analysis process, thereby ensuring that all areas of the security of the organisation's network are covered. The FA also produces user-friendly reports that are easy to understand and can be used by the security administrator in the maintenance of network security. The FA is discussed in the following chapters.

CHAPTER 5
A conceptual model

5.1 Introduction

It was shown in the previous chapters that network security can be very complex, but that it plays an important role in meeting the need for protection from threats against an organisation's network. A whole range of different network security mechanisms can be implemented to provide the ISS needed for a secure networking environment. Of these network security mechanisms, firewalls are a very popular mechanism used by many different organisations [SMIT99]. It was also shown that firewalls can provide most of the ISS, depending on the security services built into the internal architecture of the firewall and on whether the firewall was configured to use these services.

One major flaw of firewalls, however, is that while logging provides an excellent audit ISS, this information is seldom used to improve network security within the organisation. The risk handling ISS offered are also not effective. Network security can be improved if an audit and risk handling tool is built on top of an existing firewall. This tool evaluates all the information gathered by the firewall and performs the appropriate counteractions. If, for example, the audit tool detects activities carrying a risk to the organisation, the security administrator is notified and can change the current network security policy to provide the maximum protection. The rest of this chapter is devoted to the concept of such an audit and risk handling tool.

5.2 The concept

We live, eat and sleep in our homes. A house is generally the most important object to people from many different races and cultural backgrounds. This is not only because it provides shelter, but also because it is used to store our most prized possessions. There are, however, many dangers and threats in this environment, as depicted in figure 5.1. Very good protection is necessary to ensure the safety of the home as well as of the people within it.

Figure 5.1: Our home environment (threats to the home environment; the home; safety mechanisms)

Different security mechanisms can be used to protect the home. These mechanisms range from something very simple, for example a wall around the home, guard dogs protecting the perimeter, locks on windows and doors, an electrified fence and/or security guards, to more complex security mechanisms that consist of more than one component and can offer different types and levels of protection, for example a home alarm system. The type of alarm system implemented, as well as its architecture, determines the type and level of security provided.

An alarm system consists of many different components performing different tasks. These tasks can be grouped into three main areas:

Monitoring and detection: Some components monitor the environment in which they were installed. The environment is constantly checked for suspicious activity, a possible threat or an intrusion. These possible threats are evaluated further to determine whether action should be taken. Motion detectors will, for example, detect the small movements of a mouse; because the object is so small it is judged to be no threat and no action is taken. Monitoring and detection components include infrared eyes, motion detectors, voice-activated doors, security PIN code access doors and sensors that detect the breaking of windows.

Taking action: After a definite threat has been detected, some components are notified or take the appropriate action, removing or isolating the threat. Components of this type include sirens, an automatic call to a control centre, or the isolation of the area where an intrusion has been detected by automatically locking doors.

Controlling the alarm system: Some components control the working and functioning of the overall alarm system. There are, for example, always control boxes in the alarm system that handle the communication between the different alarm system components.

However, an alarm system cannot be regarded as a security mechanism offering the home complete protection. Depending on the architecture and type of alarm system implemented, some areas might still be unprotected. Some alarm system components are also very easily deactivated: some control boxes, for example, do not work if no power is supplied to the alarm system. Sometimes events that are not intrusions, for example a hailstorm breaking a window, can also falsely activate the alarm.
Just as homes need protection, a computerised network also needs protection from the threats brought by the people using it and by the data that traverses it, as discussed in chapter 2. The computerised network of an organisation can be seen as the home needing protection, and the people and data as the outside world that poses a threat to the organisation's network. Protection is offered to the organisation's network via network security mechanisms, of which firewalls, depicted in figure 5.2, are one.

Figure 5.2: The Internet environment (threats; sniffer; router; virus scanner; local network)

A firewall can be seen as the alarm system of the organisation's network. It is a complex security mechanism that contains different components, each with a predefined task. As with the home alarm system, these tasks can be grouped into three main areas:

Monitoring and detection: The filtering component monitors all activities on the network. All incoming and outgoing traffic first has to pass through some form of filter. The filter identifies and authorises the data passing through the firewall. The authorisation is done by evaluating the data against the rules predefined in the filters of the firewall. A rule stating, for example, that only SMTP outgoing data is allowed will not authorise outgoing HTTP data. A rule allowing the specific data must exist before the data is allowed to pass.

Taking action: The alerter in the firewall is notified of any possible intrusion. According to the firewall's configuration, the appropriate countermeasures are then taken. The appropriate person dealing with intrusions could, for example, be notified, or a siren could be activated to let the security administrator know that a possible intrusion has been detected.

Controlling the firewall: A few components of a firewall are required for its working and correct functioning. The proxy servers and the local DNS component redirect incoming traffic to the appropriate location. The scheduler applies certain firewall housekeeping activities at predefined times, for example backing up the log file of the day or activating a rule on the filter at a specific time.

A firewall does, however, still have some security problems. A possible intrusion might have been masked and not detected by the firewall. The security administrator might also make uninformed decisions based on the network security policy rather than on what is actually happening on the internal network of the organisation. The network security policy should reflect the security needs of the organisation, but needs adjustment from time to time as the infrastructure and security needs of the organisation change.

There is a potential solution to reduce the risk of the above problems occurring: an extra component, defined as the firewall analyser (FA), can be implemented as a plug-in to the firewall.

5.3 Firewall analyser (FA)

The FA monitors the firewall log files as well as other log files on the network, for example a Windows NT log file. This information is analysed to provide a summary of the network activity and of the risks occurring on the internal network of the organisation. Informed decisions can then be taken based on the current status of the internal network of the organisation.

The FA can be placed anywhere as long as it has access to the firewall and to the other log files. Some might think of placing the FA in front of the firewall, but this leaves it open to attacks and threats without the added protection of the firewall. Others might think of placing the FA inside the network, which implies that the FA must always have secure access to the firewall itself and its log files. In view of the above, the researcher feels that the FA should be placed on the firewall server or machine, as depicted in figure 5.3. This gives the FA direct access to the firewall and its log files without the additional secure channel that would otherwise be needed between the two for the FA to import its main input data. Co-locating the FA with the firewall does mean that any flaw in the FA itself runs on the firewall host, so the FA should run with no more privilege than it needs to read the log files. It is important to note that the FA is not there to replace any of the functionality of the firewall, but to fulfil a supplementary role in the security of the computerised network and to make the task of the security administrator easier.

Figure 5.3: The position of the FA (Internet; FA on the firewall; local network)

The FA should also gather information from the security administrator about the acceptable risk levels of a range of different types of traffic or protocols on the organisation's network. Once all the information has been gathered, the FA should analyse it, compute a summary of the activities from the input sources and display it to the security administrator as graphs. The FA should also use the input sources to perform a risk analysis on the private network traffic and provide the security administrator with the current network risk status. This indicates problem areas, or areas in the private network that are a threat to the organisation's resources and data, and is presented visually via graph colours that differentiate one risk from another. There are three types of risk indicator in the FA:

Green risk: The inspected activity or protocol carries little risk and is no threat to the immediate networking environment of the organisation. All data and resources are thus reasonably safe.

Yellow risk: The evaluated activity or protocol might be a threat to the organisation's resources and data. The security administrator should monitor this activity or protocol closely, but no immediate action or countermeasures need to be taken. If, however, this activity is of little or no threat to the organisation's network, the security administrator should rethink the risk input previously provided to the FA.

Red risk: The security administrator should take immediate action, because a threat was detected and no security mechanism is currently providing protection against it. The type of risk detected therefore determines the action to be taken, and these actions depend on the network security policy representing the security needs of the organisation.

This whole process of information gathering through the importation of log files is done in real time.
This means that any summary or conclusion made by the FA is based on current information. Actions taken or not taken by the security administrator can be based on the current risk assessments made as activities and actions take place on the organisation's private network. Notification of a detected or possible intrusion, as well as of risks, therefore happens immediately.

The FA differs from other audit and risk analysis software in that it does not only use the log files of the application it was designed for, but can import log files from both firewalls and the Windows NT platform. The FA also uses the information acquired through the audit analysis to perform risk analysis and to produce output reports that explain which areas of the organisation's network contain risk and need further attention from the security administrator.

Figure 5.4: The main components of the FA (firewall; log file analysis; risk analysis)

5.4 Conclusion

It was shown that firewalls offer protection against threats in the way that security doors protect us in our homes. The problem with this scenario, however, is the windows that are still left open for someone to break in. Any private network would welcome extra security mechanisms for additional protection, detection and closing of possible security loopholes. The FA is therefore an addition to the implementation of the ISS on the firewall. It serves as a monitor of the organisation's network and locates those loopholes left open, rather than protecting the network from a specific threat. What makes the FA even more useful is that this whole process is done in real time, ensuring that the immediate risks and threats to the organisation's network are detected so that appropriate counteractions can be taken immediately. The rest of the dissertation provides a detailed description of the prototype of the FA that was developed as part of the research for this dissertation.

CHAPTER 6
The FA: A prototype

6.1 Introduction

The importance of firewalls as one of the network security mechanisms that implement some of the ISS has been explained. It was shown how the information gathered by the firewall can be used to achieve and uphold better audit and risk handling information security services. There are, however, still a few problems and shortcomings in the security provided by current commercial security mechanisms, as discussed in the previous chapters. The solution discussed briefly in chapter 5 is now described in detail as the prototype that was developed for this research.

The FA analyses log files from the firewall and from Windows NT [MICR01] to provide user-friendly information on the organisation's network and its associated risks. The FA can be divided into a log file analysis component and a risk analysis component. The log file analysis component, in short, analyses the chosen log files to produce a report of the network activities. The risk analysis component performs risk analysis, using the chosen log files and a risk knowledge base, to provide the security administrator with a summary of network risks.

In this chapter a scenario is first sketched of security without the FA. The scenario is then modified to show the difference the FA could make to the provision of a secure computerised environment. Lastly, the FA itself and its output are discussed.

6.2 Scenario

Many different activities take place on an organisation's network on a daily basis. Employees browse the Internet, send and receive e-mail, browse newsgroups, transfer files and may even communicate with one another via their terminals in a chat session. The following scenarios sketch typical daily network activities, the only difference being that the first scenario, depicted in figure 6.1, shows the information available to the security administrator through a firewall, whereas the second scenario shows the information available to the security administrator with an FA added to the environment. The discussion revolves around the various steps in the process that records daily network activities. These steps, with their associated protocols, are indicated in the figures by numbers and then referred to in the text.

Without the FA

Figure 6.1: Scenario without an FA (Sarah: http 1 to 4, shttp 5 and 6, ftp 7 and 8; Mr Hacker: ping 9; firewall log files 10; the security administrator evaluating the firewall log files 11)

(1) Sarah is a producer at a broadcasting corporation. She has an assignment to complete but needs the latest version of the Microsoft multimedia player for the task. She is not concerned, because she is an affiliate member of Microsoft and can download it from their web site. She opens her browser and browses to the Microsoft multimedia player's home page.

(2) The firewall receives the request, checks the validity of the information and redirects the request to the web site. An entry is made in the firewall's log file.

(3) The Microsoft multimedia player home page is sent back to Sarah's workstation.

(4) The firewall receives the information, checks its validity and redirects the traffic to Sarah's browser. An entry is made in the firewall's log file.

(5) Sarah enters her Microsoft user name and password and requests the latest version of the Microsoft multimedia player to be downloaded. She also indicates that she wants to save the file on a remote file server.

(6) The firewall receives the request, checks the validity of the information and redirects it to the Microsoft multimedia player web site. An entry is made in the firewall's log file.

(7) The Microsoft multimedia player is sent to the remote server.

(8) The firewall receives the file, checks its validity and sends it to the remote file server. An entry is made in the log file of the firewall.

(9) The firewall receives a ping request from Mr Hacker, outside the network. An entry is made in the log file of the firewall and the expected reply is sent back to Mr Hacker.

(10) The security administrator at this point wants to inspect the network for anything suspicious and to pinpoint problem areas on the network. He knows how to check for hits on the remote file server. He opens the log file of the firewall and sees a text file, depicted in figure 6.2, containing a great deal of information.
(11) He takes the data in the log file and tries to determine where possible threats are. He achieves nothing, as the log file is not very user-friendly and various calculations are required to identify possible threats within the network.

Figure 6.2: Output of the firewall (the raw text of the firewall log file)

With an FA

Had the security administrator been warned about the requests from Mr Hacker, he would have known that a follow-up on these requests was required. He would have checked all connections made by Mr Hacker to determine his intentions. Steps 1 to 9 of the previous scenario are the same with or without an FA, because the existence of an FA does not change the activities on the network or how these activities are logged by the firewall. Let us take a look at the same scenario, depicted in figure 6.3, picking up from step 10, this time with an FA in place.

(10) The security administrator at this point wants to inspect the network for anything suspicious and to pinpoint problem areas in the network. He opens the FA application and selects the log files to include in the network analysis.

(11) The FA displays user-friendly information to the security administrator. A whole range of reports is available to choose from.

(12) One of the reports shows a very high count for the ping protocol. Hackers use this protocol to gather network information. The security administrator is a little worried, but will first investigate further.

(13) He does some research on the host sending the ping requests. He pinpoints the host in the USA and notes that this IP address does not belong to their US office. He suspects that this might have been an attack and monitors the network more frequently for any recurring activity from Mr Hacker. The security administrator also implements a filter on the firewall to block any traffic from Mr Hacker, to make sure that no requests from Mr Hacker will be accepted in the future. A filter on a single source address is only a first step, since the same person can return from another address, so the closer monitoring remains necessary.

Figure 6.3: Scenario with an FA (Sarah: http 1 to 4, shttp 5 and 6, ftp 7 and 8; Mr Hacker: ping 9; the security administrator connects to the FA 10, the FA interprets the firewall log files 11, he reads the reports 12 and changes the security configuration 13)

6.3 The FA

The value of the FA is clear from the second scenario. Without the FA, the security administrator might have overlooked the possible ping attack described in the first scenario. The FA is an application consisting of a start-up screen, a few configuration screens, the main screen and a variety of reports. A screenshot of each of these screens follows, with a brief description of its functionality.

The start-up screen

This screen, depicted in figure 6.4, is the first screen displayed when the FA is opened. The security administrator can either open the FA with the enter button or leave it with the exit button. When the enter button is selected, the main screen is shown to the security administrator.

Figure 6.4: The splash screen

Configuration screens

These screens enable the security administrator to configure the FA to conform to the organisation's network setup and to the security needs defined in the network security policy. The paths to the old log files, the current log file, the Windows NT log files and the database can be changed, as depicted in figure 6.5. The old log files are the firewall log files of previous days, whilst the current log file path points to the current day's firewall log file. The database path is the path to the FA's database, which is used to perform audit and risk analysis. Lastly, the Windows NT log file paths are the paths to the Windows NT event viewer's log files located on the organisation's network; they are required when those log files are to be included in the risk analysis computation. Only the paths needed for the risk reports are thus included in the configuration setup, and unnecessary paths can be removed.

Figure 6.5: Path configuration screen

The knowledge base configuration screen, depicted in figure 6.6, is used to input the risk weight and threshold values. The top of the screen is used to input the risk weights, on a scale from 1 to 10 with 1 the smallest, for certain risk areas of the network. These risk areas range from the bytes sent over the network to the users on the network. The threshold defines the point at which a risk area is regarded as a risk to the organisation.

Figure 6.6, for example, shows that a 60% difference between the bytes sent and received over the network is given a risk weight of 4, and that any risk weight of 2 or more is regarded as a risk. When a 100% difference between the bytes sent and received is detected while the risk reports are compiled, the FA therefore reports that a risk has been detected, and the security administrator needs to investigate the risk area to decrease the risk to an acceptable level.

Web site and protocol risk weights and thresholds can be defined in the bottom part of the knowledge base configuration screen. A general threshold value of 3 has, for example, been defined for web sites and lycos.com has been given a risk weight of 8. When a risk report is generated on the web sites being accessed, the FA uses this information to indicate a risk whenever a weight of 3 or more has been reached.

Figure 6.6: Knowledge base configuration
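The knowledge base evaluation described above, carried out in code as an added example that is not the prototype's own code: it applies weight steps and thresholds to a day's byte totals and to web site hits, and maps the outcome onto the green, yellow and red indicators of section 5.3. The 60% step with weight 4, the threshold of 2, the general web site threshold of 3 and the lycos.com weight of 8 come from the text; the definition of "percentage difference", the other weight steps, the second site entry, the default weight of 1 for unlisted sites and the rule that assigns yellow are assumptions made for the example.

```python
"""Risk knowledge base evaluation in the style of the FA's configuration
screen (figure 6.6). Added example, not the prototype's code. Values marked
'from the text' follow the dissertation; everything else is an assumption."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskArea:
    name: str
    threshold: int   # a weight at or above this value is reported as a risk
    steps: tuple     # ((measured value, weight), ...) in ascending order


def weight_for_value(area: RiskArea, value: float) -> int:
    """Weight of the highest step the measured value reaches (1 = least risk)."""
    weight = 1
    for bound, step_weight in area.steps:
        if value >= bound:
            weight = step_weight
    return weight


def colour(weight: int, threshold: int) -> str:
    """Assumed mapping onto the three FA indicators of section 5.3: red when the
    threshold is reached, yellow when the weight is raised but still below it."""
    if weight >= threshold:
        return "red"
    if weight > 1:
        return "yellow"
    return "green"


def bytes_difference_percent(sent: int, received: int) -> float:
    """Assumed definition: |sent - received| relative to the larger of the two."""
    larger = max(sent, received)
    return 0.0 if larger == 0 else abs(sent - received) * 100.0 / larger


# From the text: a 60 % difference carries weight 4, and weight 2 or more is a
# risk. The 30 % and 90 % steps are constructed to fill out the 1..10 scale.
BYTES_AREA = RiskArea("bytes sent and received", threshold=2,
                      steps=((30.0, 2), (60.0, 4), (90.0, 7)))

# From the text: general web site threshold 3, lycos.com weight 8.
# The second entry is constructed; unlisted sites get weight 1.
SITE_THRESHOLD = 3
SITE_WEIGHTS = {"lycos.com": 8, "news.example": 2}


def evaluate_bytes(sent: int, received: int) -> dict:
    """Bytes-sent-and-received risk entry for one day's totals."""
    diff = bytes_difference_percent(sent, received)
    weight = weight_for_value(BYTES_AREA, diff)
    return {"area": BYTES_AREA.name, "difference_percent": round(diff, 1),
            "weight": weight, "risk": weight >= BYTES_AREA.threshold,
            "colour": colour(weight, BYTES_AREA.threshold)}


def evaluate_sites(hits: dict) -> list:
    """Web site risk entries, highest weight first; hits maps site -> visits."""
    rows = []
    for site, count in hits.items():
        weight = SITE_WEIGHTS.get(site, 1)
        rows.append({"site": site, "hits": count, "weight": weight,
                     "risk": weight >= SITE_THRESHOLD,
                     "colour": colour(weight, SITE_THRESHOLD)})
    return sorted(rows, key=lambda r: (-r["weight"], -r["hits"]))


if __name__ == "__main__":
    # Constructed day: 1 MB sent against 4 MB received (75 % difference).
    print(evaluate_bytes(1_000_000, 4_000_000))
    for row in evaluate_sites({"lycos.com": 12, "news.example": 40, "intranet": 300}):
        print(row)
```

With these settings a day on which 1 MB left the network and 4 MB came in shows a 75% difference, lands on the weight 4 step and is reported red; the 100% case from the text lands on the top step and is likewise a risk. Note that with a threshold of 2 the smallest raised weight is already a risk, so the yellow band is empty for that area; the thresholds, not the code, decide how much warning room the administrator gets.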

The security administrator changes the values in the knowledge base configuration screen to reflect the network security policy defined in chapter 2. These values in the knowledge base determine the outcome of the risk analysis reports. It is therefore crucial to ensure that these values are, and remain, up to date with the most recent network security policy of the organisation.

The main screen

The main screen of the FA, depicted in figure 6.7, gives the security administrator access to the other screens and to the reports of the FA. The security administrator can:

- View the contents of one of the log files, as shown in 6.4.1, by choosing the table and selecting the show table button.
- Change the configuration of the FA by selecting the configuration menu. This takes the security administrator to one of the configuration screens described previously.
- Choose which archived log files to include in the network and risk analysis process by selecting the log files from the list and adding them to the list of tables with the > button. Log files can also be removed by selecting them from the table list and selecting the < button, or all log files can be removed with the << button.
- Choose whether to use the current log file by selecting the corresponding checkbox on the screen. The FA can generate a real-time report if the current log file is included in the analysis.
- Start the network or risk analysis process by selecting the corresponding buttons. The security administrator can see one of the network analysis reports, discussed in 6.4.2, by selecting the log file analyser button, and one of the risk analysis reports, discussed in 6.4.3, by selecting the risk analyser button.
- Exit the FA application by selecting the file menu and choosing the exit option.

Figure 6.7: FA's main screen

6.4 The FA reports

There are three main groups of reports. Each group has a different physical appearance and reports on different activities and traffic on the organisation's network.

6.4.1 A firewall log file report

This report shows the contents of a chosen firewall log file. It is in table format, as depicted in figure 6.8. The actual content of the log file is split into the fields of information that a log file can contain, for example the date, time, firewall name, general information, the user, the authentication used and the number of bytes sent or received. Each entry within the log file is then evaluated and the data is rendered in table format.

Figure 6.8: A firewall log file report

6.4.2 Network analysis reports

After network analysis has been conducted, the security administrator is shown a report screen from which the appropriate reports can be displayed. These reports provide valuable information on the activities taking place on the network. The chosen report's graph is displayed in the main area of the screen and the graph's format can be changed. By clicking on a point on the graph, the specific values at that point are also shown on the screen. With the 3D graph types, the user also has the ability to rotate the graph into the desired position or view. For each report the associated risks and risk values are displayed on the right-hand side of the screen. The security administrator can use this area to access a related risk analysis report very quickly. The FA has three groups of network analysis reports:

- Traffic reports: these reports summarise the amount of data that went through the firewall, to and from the Internet.
- Connection reports: these reports indicate who has been connected to what, and during which times.
- WWW statistic reports: these reports are more web-specific and summarise which web sites have been accessed and how popular the sites were.

a) Traffic reports

These reports provide information on the amount of traffic handled by the network:

- Bytes-sent-per-day network analysis report: this report provides a summary of the total number of bytes sent from within the private network per day. Security administrators will investigate any abnormally high levels of data sent for possible malicious activities on the network. The bytes-sent-and-received risk report is associated with this report.
- Bytes-received-per-day network analysis report: this report provides a summary of the total number of bytes received from outside the protected network per day. Security administrators must investigate any abnormally high levels of data received for possible malicious activities or attacks from outside the network. The bytes-sent-and-received risk report is associated with this report.
- Bytes-sent-and-received-per-day network analysis report: this report, depicted in figure 6.9, combines the previous two graphs into one. Security administrators must investigate any abnormally large differences between the data sent and received, since such abnormalities could indicate possible malicious activities on the network. The bytes-sent-and-received risk report is associated with this report.

Figure 6.9: Bytes-sent-and-received network analysis report

- Activity-per-day network analysis report: this report shows the number of activities logged per day. The activity-per-interface and activity-per-user risk reports are associated with this network activity analysis report.
- Interface-activity network analysis report: this report, depicted in figure 6.10, provides the distribution of all the activities logged over the interfaces on the organisation's private network. Where an interface shows an abnormally high activity level, further investigation of that specific interface is necessary. The activity-per-interface and activity-per-user risk reports are associated with this report.
- User-activity network analysis report: this report provides the distribution of all the activities logged for the users on the private network. Abnormally high user-activity levels can indicate possible malicious activities by people, which require further investigation. The activity-per-user risk report is associated with this report.

Figure 6.10: Interface-activity network analysis report

b) Connection reports

These reports provide information about the protocols, users and hosts of the organisation's network:

- Protocol-usage analysis: this report shows how many activities were logged for each protocol. High protocol activity levels, for example, indicate possible malicious activities attempted on the network. The protocol-risk-per-hour risk report is associated with this report to indicate the noted risk of certain protocols, and the HTTP-risk-per-hour risk report is associated with it to indicate the risk accumulated by users visiting identified web sites.
- User-per-protocol network analysis report: this report shows the number of times a protocol was used by each of the users in the organisation's protected network. Risk values on the activity-per-user, HTTP-risk-per-hour and protocol-risk-per-hour are associated with this report to indicate possible dangers to administrators.
- User-per-interface network analysis report: this report provides the number of times an interface was used by each of the users in the organisation's protected network. Risk values on the activity-per-user and activity-per-interface are associated with this report to indicate possible dangers to administrators.
- Interface-per-protocol network analysis report: an interface is also known as a computer. This report, depicted in figure 6.11, provides the number of times a protocol was used on each of the protected interfaces of the network. For example, the computer with an IP address of had 4000 SMTP connections. Risk values on the activity-per-interface, HTTP-risk-per-hour and protocol-risk-per-hour are associated with this report to indicate possible dangers to administrators. The security administrator can also choose to analyse only a specific interface's protocol activity.

Figure 6.11: Interface-per-protocol network analysis report

- User-during-the-day network analysis report: this report provides the user activity during the day. Certain times of the day require different threshold values. If these threshold values are exceeded, it could pose a risk to the organisation, for example an employee using the network for personal use. The activity-per-user risk value is associated with this report to assist in the investigation of possible user risk.

Figure 6.12: Protocols-during-the-day network analysis report

- Protocols-during-the-day network analysis report: this report, depicted in figure 6.12, provides the protocol activity during the day. Certain protocols require different threshold values. If these threshold values are exceeded, it could pose a risk to the organisation. The HTTP-risk-per-hour and protocol-risk-per-hour risk reports are associated with this report to assist in the investigation of possible protocol risk. Security administrators also have the option to analyse only a specific, indicated protocol.

c) WWW statistic reports

These reports cover various viewpoints of web access statistics on the client domain and browsers. There could be a wide variety of such reports, but the FA implements only one of them as an illustration:

- Top-5-web-sites network analysis report: this report, depicted in figure 6.13, shows the top five web sites visited by users from inside the protected network. The web-site-risk-per-hour value is associated with this report to indicate the risk that users visited certain specified dangerous web sites.

Figure 6.13: Top-5-web-sites network analysis report

6.4.3 Risk analysis reports

After analysis of all the chosen log files, the security administrator is shown a main risk analysis report screen. From this screen the security administrator can choose which of the risk reports to display. The reports are generated from the information in the chosen log files together with the information stored in the knowledge base mentioned previously. A graph is displayed in the main area of the screen and the graph's format can be changed. A summary of the risk value is displayed next to the graph in a robot (traffic light) style: red if the threshold was exceeded, yellow if the risk is equal to the threshold and green otherwise. On the right-hand side of the screen, quick access is provided to the associated network analysis reports. The following risk analysis reports are available in the FA:

- Bytes-sent-and-received risk report: the difference between the bytes sent and received per day is calculated as a percentage, and the risk value of that percentage is then calculated. This report thus shows possibly dangerous levels of traffic activity on the network. The bytes-sent-and-received network analysis report can be used to investigate the reason for the risk value indicated.
- Activity-per-interface risk report: the amount of activity recorded at each interface is calculated. This report shows possibly dangerous levels of activity at specific interfaces. The activity-per-day, interface-activity, user-per-interface and interface-per-protocol network analysis reports can be used to investigate the reason for the indicated risk value. Security administrators also have the ability to calculate the risk for only one specified interface's activity.
- Activity-per-user risk report: the amount of activity recorded for each user is calculated. This report shows users posing a high risk to the organisation. The activity-per-day, interface-activity, user-activity, user-per-interface, interface-per-protocol and user-in-the-day network analysis reports can be used to investigate the reason for the risk value indicated.
- HTTP-risk-per-hour report: certain times of the day are given certain risk weight factors, as defined in the risk knowledge base, and the risk of HTTP traffic on the network is calculated from them. The report, depicted in figure 6.14, shows the HTTP risk to the organisation over the time of the day. The security administrator can then implement countermeasures to reduce this risk, for example by restricting HTTP access during certain times of the day. The protocol-usage, user-per-protocol, interface-per-protocol and protocols-during-the-day network analysis reports can be used to investigate the reason for the indicated risk value.

Figure 6.14: HTTP-risk-per-hour report

- Web-site-risk-per-hour report: web sites that pose a risk to the organisation are defined in the knowledge base. This graph indicates the risk that web sites pose to the organisation during periods in the day. The top-5-web-site network analysis report can be used to
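The network analysis aggregates of 6.4.2 and the threshold-based risk reports of 6.4.3, as an added example that is not the dissertation's or the FA prototype's own code: a small Python re-implementation that parses a constructed firewall log excerpt, builds the bytes-sent-and-received-per-day and activity-per-interface aggregates, and evaluates the bytes-sent-and-received, activity-per-interface and HTTP-risk-per-hour risk reports against an assumed knowledge base, giving each value a robot-style red/yellow/green status. The log field layout, the hourly weight factors and every threshold are assumptions, not the FA's actual configuration.

```python
"""Miniature re-implementation of the FA's analysis pipeline (added example, not the
dissertation's own code): network analysis aggregates over constructed log lines, then
risk reports that compare those aggregates with an assumed knowledge base."""
from collections import Counter, defaultdict, namedtuple

# Constructed sample log.  Field order is an assumption modelled on the fields named in
# 6.4.1: date, time, firewall, user, authentication, interface (IP), protocol, bytes sent,
# bytes received.  Two late-evening HTTP sessions and one very lopsided day are planted.
SAMPLE_LOG = """\
2002-03-04 08:15:02 fw1 alice basic 10.0.0.5 HTTP 1200 48000
2002-03-04 09:02:11 fw1 bob   none  10.0.0.7 SMTP 2500 800
2002-03-04 13:45:30 fw1 alice basic 10.0.0.5 HTTP 900  120000
2002-03-04 23:10:00 fw1 carol basic 10.0.0.9 HTTP 300  50000
2002-03-05 08:30:45 fw1 bob   none  10.0.0.7 SMTP 3000 600
2002-03-05 22:05:12 fw1 carol basic 10.0.0.9 HTTP 400  900000
2002-03-05 22:07:40 fw1 carol basic 10.0.0.9 HTTP 350  850000
"""

# Assumed knowledge base; in the FA these values come from the configuration screens.
KNOWLEDGE_BASE = {
    # HTTP risk weight factor per hour of the day: traffic outside 08:00-18:00 weighs more
    "http_hour_weight": {h: (1.0 if 8 <= h < 18 else 3.0) for h in range(24)},
    "http_risk_threshold": 5.0,          # weighted HTTP activities per hour
    "interface_activity_threshold": 3,   # logged activities per interface
    "bytes_diff_threshold_pct": 99.0,    # |sent - received| as a percentage of the total
}

LogEntry = namedtuple("LogEntry", "date hour firewall user auth interface protocol "
                                  "bytes_sent bytes_received")


def parse_log(text):
    """Split each log line into its fields; reject lines with the wrong field count."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if len(f) != 9:
            raise ValueError(f"malformed log line: {line!r}")
        entries.append(LogEntry(f[0], int(f[1][:2]), f[2], f[3], f[4], f[5], f[6],
                                int(f[7]), int(f[8])))
    return entries


def bytes_sent_and_received_per_day(entries):
    """Network analysis: date -> (bytes sent, bytes received)."""
    totals = defaultdict(lambda: [0, 0])
    for e in entries:
        totals[e.date][0] += e.bytes_sent
        totals[e.date][1] += e.bytes_received
    return {day: tuple(v) for day, v in sorted(totals.items())}


def activity_per_interface(entries):
    """Network analysis: interface -> number of logged activities."""
    return Counter(e.interface for e in entries)


def robot(value, threshold):
    """Robot-style summary: red above the threshold, yellow on it, green below."""
    if value > threshold:
        return "red"
    return "yellow" if value == threshold else "green"


def bytes_sent_and_received_risk(entries, kb=KNOWLEDGE_BASE):
    """Risk report: per-day difference between sent and received as % of the total."""
    report = {}
    for day, (sent, received) in bytes_sent_and_received_per_day(entries).items():
        total = sent + received
        pct = 100.0 * abs(sent - received) / total if total else 0.0
        report[day] = (round(pct, 1), robot(pct, kb["bytes_diff_threshold_pct"]))
    return report


def activity_per_interface_risk(entries, kb=KNOWLEDGE_BASE):
    """Risk report: each interface's activity count against the knowledge-base threshold."""
    threshold = kb["interface_activity_threshold"]
    return {iface: (n, robot(n, threshold))
            for iface, n in sorted(activity_per_interface(entries).items())}


def http_risk_per_hour(entries, kb=KNOWLEDGE_BASE):
    """Risk report: sum of the hourly weight factor over every HTTP activity in that hour."""
    risk = defaultdict(float)
    for e in entries:
        if e.protocol == "HTTP":
            risk[e.hour] += kb["http_hour_weight"][e.hour]
    return {h: (r, robot(r, kb["http_risk_threshold"])) for h, r in sorted(risk.items())}


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for name, report in [("bytes-sent-and-received risk", bytes_sent_and_received_risk(log)),
                         ("activity-per-interface risk", activity_per_interface_risk(log)),
                         ("HTTP-risk-per-hour", http_risk_per_hour(log))]:
        print(name)
        for key, (value, colour) in report.items():
            print(f"  {key}: {value} [{colour}]")
```

With the assumed knowledge base, the two 22:00 HTTP sessions push that hour to red, interface 10.0.0.9 sits exactly on its threshold (yellow), and only the second day's sent/received imbalance exceeds the percentage threshold.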


Avaya G700 Media Gateway Security - Issue 1.0 Avaya G700 Media Gateway Security - Issue 1.0 Avaya G700 Media Gateway Security With the Avaya G700 Media Gateway controlled by the Avaya S8300 or S8700 Media Servers, many of the traditional Enterprise

More information

DEVELOPING A NETWORK SECURITY PLAN

DEVELOPING A NETWORK SECURITY PLAN 1-06-30 INFORMATION MANAGEMENT: STRATEGY, SYSTEMS, AND TECHNOLOGIES DEVELOPING A NETWORK SECURITY PLAN Frederick Gallegos and Stephen Tanner INSIDE Securing the New Distributed Environment, Review of Security

More information

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT Part I Contents Part I Introduction to Information Security Definition of Crypto Cryptographic Objectives Security Threats and Attacks The process Security Security Services Cryptography Cryptography (code

More information

How To Use A College Computer System Safely

How To Use A College Computer System Safely 1.0 Overview Keuka College provides access to modern information technology in support of its mission to promote excellence and achievement across its mission areas of instruction, research, and service.

More information

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting Network Security: 30 Questions Every Manager Should Ask Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting Network Security: 30 Questions Every Manager/Executive Must Answer in Order

More information

HANDBOOK 8 NETWORK SECURITY Version 1.0

HANDBOOK 8 NETWORK SECURITY Version 1.0 Australian Communications-Electronic Security Instruction 33 (ACSI 33) Point of Contact: Customer Services Team Phone: 02 6265 0197 Email: assist@dsd.gov.au HANDBOOK 8 NETWORK SECURITY Version 1.0 Objectives

More information

Network Security and Firewall 1

Network Security and Firewall 1 Department/program: Networking Course Code: CPT 224 Contact Hours: 96 Subject/Course WEB Access & Network Security: Theoretical: 2 Hours/week Year Two Semester: Two Prerequisite: NET304 Practical: 4 Hours/week

More information

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft) 1- A (firewall) is a computer program that permits a user on the internal network to access the internet but severely restricts transmissions from the outside 2- A (system failure) is the prolonged malfunction

More information

IS TEST 3 - TIPS FOUR (4) levels of detective controls offered by intrusion detection system (IDS) methodologies. First layer is typically responsible for monitoring the network and network devices. NIDS

More information

FileCloud Security FAQ

FileCloud Security FAQ is currently used by many large organizations including banks, health care organizations, educational institutions and government agencies. Thousands of organizations rely on File- Cloud for their file

More information

CS5008: Internet Computing

CS5008: Internet Computing CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is

More information

Security aspects of e-tailing. Chapter 7

Security aspects of e-tailing. Chapter 7 Security aspects of e-tailing Chapter 7 1 Learning Objectives Understand the general concerns of customers concerning security Understand what e-tailers can do to address these concerns 2 Players in e-tailing

More information

Information Technology Security Standards. Effective Date: November 20, 2000 OFM Guidelines for Economic Feasibility Revision Date: January 10, 2008

Information Technology Security Standards. Effective Date: November 20, 2000 OFM Guidelines for Economic Feasibility Revision Date: January 10, 2008 Information Technology Security Standards Adopted by the Information Services Board (ISB) on November 20, 2000 Policy No: Also see: 400-P2, 402-G1 Supersedes No: 401-S2 Auditor's Audit Standards Effective

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

Network & Information Security Policy

Network & Information Security Policy Policy Version: 2.1 Approved: 02/20/2015 Effective: 03/02/2015 Table of Contents I. Purpose................... 1 II. Scope.................... 1 III. Roles and Responsibilities............. 1 IV. Risk

More information

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN) MIS5206 Week 12 Your Name Date 1. Which significant risk is introduced by running the file transfer protocol (FTP) service on a server in a demilitarized zone (DMZ)? a) User from within could send a file

More information

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

EXIN Information Security Foundation based on ISO/IEC 27002. Sample Exam

EXIN Information Security Foundation based on ISO/IEC 27002. Sample Exam EXIN Information Security Foundation based on ISO/IEC 27002 Sample Exam Edition June 2016 Copyright 2016 EXIN All rights reserved. No part of this publication may be published, reproduced, copied or stored

More information

STANDARD ON CONTROLS AGAINST MALICIOUS CODE

STANDARD ON CONTROLS AGAINST MALICIOUS CODE EUROPEAN COMMISSION DIRECTORATE-GENERAL HUMAN RESOURCES AND SECURITY Directorate HR.DS - Security Informatics Security Brussels, 21/06/2011 HR.DS5/GV/ac ARES (2011) 663475 SEC20.10.05/04 - Standards European

More information

Vulnerability assessment tools

Vulnerability assessment tools 5 Vulnerability assessment tools 5.1 Introduction The vulnerabilities and exploitable flaws in the software or hardware of a computer system give individuals, who are aware of these flaws, the opportunity

More information

PASSWORD MANAGEMENT. February 2008. The Government of the Hong Kong Special Administrative Region

PASSWORD MANAGEMENT. February 2008. The Government of the Hong Kong Special Administrative Region PASSWORD MANAGEMENT February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

More information

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL Title: Computer and Network Security Policy Policy Number: 04.72.12 Effective Date: November 4, 2003 Issuing Authority: Office of the Vice President for

More information

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features MCTS Guide to Microsoft Windows 7 Chapter 7 Windows 7 Security Features Objectives Describe Windows 7 Security Improvements Use the local security policy to secure Windows 7 Enable auditing to record security

More information

Network Security Administrator

Network Security Administrator Network Security Administrator Course ID ECC600 Course Description This course looks at the network security in defensive view. The ENSA program is designed to provide fundamental skills needed to analyze

More information

Compter Networks Chapter 9: Network Security

Compter Networks Chapter 9: Network Security Goals of this chapter Compter Networks Chapter 9: Network Security Give a brief glimpse of security in communication networks Basic goals and mechanisms Holger Karl Slide set: Günter Schäfer, TU Ilmenau

More information

Wireless Network Security

Wireless Network Security Wireless Network Security Bhavik Doshi Privacy and Security Winter 2008-09 Instructor: Prof. Warren R. Carithers Due on: February 5, 2009 Table of Contents Sr. No. Topic Page No. 1. Introduction 3 2. An

More information

TIME SCHEDULE. 1 Introduction to Computer Security & Cryptography 13

TIME SCHEDULE. 1 Introduction to Computer Security & Cryptography 13 COURSE TITLE : INFORMATION SECURITY COURSE CODE : 5136 COURSE CATEGORY : ELECTIVE PERIODS/WEEK : 4 PERIODS/SEMESTER : 52 CREDITS : 4 TIME SCHEDULE MODULE TOPICS PERIODS 1 Introduction to Computer Security

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls

More information

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design Learning Objectives Identify common misconceptions about firewalls Explain why a firewall

More information

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB Conducted: 29 th March 5 th April 2007 Prepared By: Pankaj Kohli (200607011) Chandan Kumar (200607003) Aamil Farooq (200505001) Network Audit Table of

More information

CS 348: Computer Networks. - Security; 30 th - 31 st Oct 2012. Instructor: Sridhar Iyer IIT Bombay

CS 348: Computer Networks. - Security; 30 th - 31 st Oct 2012. Instructor: Sridhar Iyer IIT Bombay CS 348: Computer Networks - Security; 30 th - 31 st Oct 2012 Instructor: Sridhar Iyer IIT Bombay Network security Security Plan (RFC 2196) Identify assets Determine threats Perform risk analysis Implement

More information

Network Security: Introduction

Network Security: Introduction Network Security: Introduction 1. Network security models 2. Vulnerabilities, threats and attacks 3. Basic types of attacks 4. Managing network security 1. Network security models Security Security has

More information

Enterprise K12 Network Security Policy

Enterprise K12 Network Security Policy Enterprise K12 Network Security Policy I. Introduction The K12 State Wide Network was established by MDE and ITS to provide a private network infrastructure for the public K12 educational community. Therefore,

More information

Guideline on Auditing and Log Management

Guideline on Auditing and Log Management CMSGu2012-05 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Auditing and Log Management National Computer Board Mauritius

More information

WEB SECURITY. Oriana Kondakciu 0054118 Software Engineering 4C03 Project

WEB SECURITY. Oriana Kondakciu 0054118 Software Engineering 4C03 Project WEB SECURITY Oriana Kondakciu 0054118 Software Engineering 4C03 Project The Internet is a collection of networks, in which the web servers construct autonomous systems. The data routing infrastructure

More information

Network Security 網 路 安 全. Lecture 1 February 20, 2012 洪 國 寶

Network Security 網 路 安 全. Lecture 1 February 20, 2012 洪 國 寶 Network Security 網 路 安 全 Lecture 1 February 20, 2012 洪 國 寶 1 Outline Course information Motivation Introduction to security Basic network concepts Network security models Outline of the course 2 Course

More information