DATA SECURITY MANAGEMENT

FIREWALL MANAGEMENT AND INTERNET ATTACKS

Jeffery J. Lowder

06/99 Auerbach Publications 1999 CRC Press LLC

INSIDE
Laying the Groundwork for a Firewall; Firewalls and the Local Security Policy; Firewall Evaluation Criteria; Firewall Techniques; Developing a Firewall Policy and Standards; Firewall Standards; Legal Issues Concerning Firewalls; Firewall Contingency Planning

PAYOFF IDEA
Many people incorrectly believe that a firewall is a panacea for their network security concerns; many more believe that they have configured their firewalls correctly when, in fact, they have not. This article addresses the security issues specific to firewall management: choosing a firewall, how to lay the groundwork for a firewall, implementing a firewall, conducting firewall operations, and establishing and enforcing firewall policy and standards.

Network connectivity can be both a blessing and a curse. On the one hand, network connectivity can enable users to share files, exchange e-mail, and pool physical resources. Yet network connectivity can also be a risky endeavor if the connectivity grants access to would-be intruders. The Internet is a perfect case in point. It was designed for a trusted environment, and many contemporary exploits are based on vulnerabilities inherent to the protocol itself. According to a recent dissertation by John Howard on Internet unauthorized access incidents reported to the Computer Emergency Response Team (CERT), there were 4567 incidents between 1989 and 1996, with the number of incidents increasing each year at a rate of 41 to 62 percent. In light of this trend, many organizations are implementing firewalls to protect their internal network from the untrusted Internet.

LAYING THE GROUNDWORK FOR A FIREWALL

Obtaining management support for a firewall prior to implementation can be very useful after the firewall is implemented. When a firewall is implemented on a network for the first time, it will almost surely be the source of many complaints. For example:

• Organizations that have never before had firewalls almost always do not have the kind of documentation necessary to support user requirements.
• If the firewall hides information about the internal network from the outside network, this will break any network transactions in which the remote system uses an access control list and the address of the firewall is not included in that list.
• Certain types of message traffic useful in network troubleshooting (e.g., PING, TRACEROUTE) may no longer work.

All of these problems can be solved, but the point is that coordination with senior management prior to installation can make life much easier for firewall administrators.

Benefits of Having a Firewall

So how does one obtain management support for implementation of a firewall? The security practitioner can point out the protection that a firewall provides: protection of the organization's network from intruders, protection of external networks from intruders within the organization, and protection from due care lawsuits. The security practitioner can also list the positive benefits a firewall can provide:

• Increased ability to enforce network standards and policies. Without a firewall or similar device, it is easy for users to implement systems that the Information Services (IS) department does not know about, that are in violation of organizational standards or policies, or both. In contrast, organizations find it very easy to enforce both standards and policies with a firewall that blocks all network connections by default. Indeed, it is not uncommon for organizations to discover undocumented systems when they implement such a firewall for the first time.
• Centralized internetwork audit capability. Because all or most traffic between the two networks must pass through the firewall (see below), the firewall is uniquely situated to provide audit trails of all connections between the two networks.
These audit trails can be extremely useful for investigating suspicious network activity, troubleshooting connectivity problems, measuring network traffic flows, and even investigating employee fraud, waste, and abuse.

Limitations of a Firewall

Even with all of these benefits, firewalls still have their limitations. It is important that the security practitioner understand these limitations because if these limitations allow risks that are unacceptable to management, it is up to the security practitioner to present additional safeguards to minimize these risks. The security practitioner must not allow management to develop a false sense of security simply because a firewall has been installed.

• Firewalls provide no data integrity. It is simply not feasible to check all incoming traffic for viruses. There are too many file formats and often files are sent in compressed form. Any attempt to scan incoming files for viruses would severely degrade performance. Firewalls have plenty of processing requirements without taking on the additional responsibility of virus detection and eradication.
• Firewalls do not protect traffic that is not sent through them. Firewalls cannot protect against unsecured, dial-up modems attached to systems inside the firewall; internal attacks; social engineering attacks; or data that is routed around them. It is not uncommon for an organization to install a firewall, then pass data from a legacy system around the firewall because its firewall did not support the existing system.
• Firewalls may not protect anything if they have been compromised. Although this statement should be obvious, many security practitioners fail to educate senior management on its implications. All too often, senior management approves, either directly or through silence, a security posture that positively lacks an internal security policy. Security practitioners cannot allow perimeter security via firewalls to become a substitute for internal security.
• Firewalls cannot authenticate datagrams at the transport or network layers. A major security problem with TCP/IP is that any machine can forge a packet claiming to be from another machine. This means that the firewall has literally no control over how the packet was created. Any authentication must be supported in one of the higher layers.
• Firewalls provide limited confidentiality. Many firewalls have the ability to encrypt connections between two firewalls (using a so-called virtual private network, or VPN), but they typically require that the firewall be manufactured by the same vendor.
A firewall is no replacement for good host security practices and procedures. Individual system administrators still have the primary responsibility for preventing security incidents.

FIREWALLS AND THE LOCAL SECURITY POLICY

Cheswick and Bellovin (1994) define a firewall as a system with the following set of characteristics:

• All traffic between the two networks must pass through the firewall.
• Only traffic that is authorized by the local security policy will be allowed to pass.
• The firewall itself is immune to penetration.
Like any security tool, a firewall merely provides the capability to increase the security of the path between two networks. It is the responsibility of the firewall administrator to take advantage of this capability; and no firewall can guarantee absolute protection from outside attacks. The risk analysis should define the level of protection that can be expected from the firewall; the local security policy should provide general guidelines on how this protection will be achieved; and both the assessment and revised policy should be accepted by top management prior to firewall implementation.

Despite the fact that, according to Atkins et al. [1], all traffic between the two networks must pass through the firewall, in practice this is not always technically feasible or convenient. Network administrators supporting legacy or proprietary systems may find that getting them to communicate through the firewall may not be as easy as firewall vendors claim, if even possible. And even if there are no technical obstacles to routing all traffic through the firewall, users may still complain that the firewall is inconvenient or slows their systems down. Thus, the local security policy should specify the process by which requests for exceptions [1] will be considered.

As Bellovin [2] states, the local security policy defines what the firewall is supposed to enforce. If a firewall is going to allow only authorized traffic between two networks, then the firewall has to know what traffic is authorized. The local security policy should define authorized traffic, and it should do so at a somewhat technical level. The policy should also state a default rule for evaluating requests: either all traffic is denied except that which is specifically authorized, or all traffic is allowed except that which is specifically denied.

Network devices that protect other network devices should themselves be protected against intruders. (If the protection device were not secure, intruders could compromise the device and then compromise the system[s] that the device was supposed to protect.)

FIREWALL EVALUATION CRITERIA

Choosing the right firewall for an organization can be a daunting task, given the complexity of the problem and the wide variety of products from which to choose. Yet the following criteria should help the security practitioner narrow the list of candidates considerably.

• Performance. Firewalls always impact the performance of the connection between the local and remote networks. Adding a firewall creates an additional hop for network packets to travel through; if the firewall must authenticate connections, that creates an additional delay. The firewall machine should be powerful enough to make these delays negligible.
• Requirements support. A firewall should support all of the applications that an organization wants to use across the two networks. Virtually all firewalls support fundamental protocols like SMTP, Telnet, FTP, and HTTP; strong firewalls should include some form of circuit proxy or generic packet relay. The security practitioner should decide what other applications are required (e.g., Real Audio, VDOLive, S-HTTP, etc.) and evaluate firewall products accordingly.
• Access control. Even the simplest firewalls support access control based on IP addresses; strong firewalls will support user-based access control and authentication. Large organizations should pay special attention to whether a given firewall product supports a large number of user profiles and ensure that the firewall can accommodate increased user traffic.
• Authentication. The firewall must support the authentication requirements of the local security policy. If implementation of the local security policy will entail authenticating large numbers of users, the firewall should provide convenient yet secure enterprisewide management of the user accounts. Some firewalls only allow the administrator to manage user accounts from a single console; this solution is not good enough for organizations with thousands of users who each need their own authentication account. Moreover, there are logistical issues that need to be thought out. For example, suppose the local security policy requires authentication of all inbound telnet connections. How will geographically separated users obtain the proper authentication credentials (e.g., passwords, hard tokens, etc.)?
• Physical security. The local security policy should stipulate the location of the firewall, and the hardware should be physically secured to prevent unauthorized access. The firewall must also be able to interface with surrounding hardware at this location.
• Auditing. The firewall must support the auditing requirements of the local security policy.
Depending on network bandwidth and the level of event logging, firewall audit trails can become quite large. Superior firewalls will include a data reduction tool for parsing audit trails.
• Logging and alarms. What logging and alarms does the security policy require? If the security policy dictates that a potential intrusion event trigger an alarm and mail message to the administrator, the system must accommodate this requirement.
• Customer support. What level of customer support does the firewall vendor provide? If the organization requires 24-hour-a-day, 365-days-a-year technical support, is it available? Does the vendor provide training courses? Is self-help online assistance, such as a Web page or a mailing list, available?
• Transparency. How transparent is the firewall to the users? The more transparent the firewall is to the users, the more likely they will be to support it. On the other hand, the more confusing or cumbersome the firewall, the more likely the users are to resist it.

EXHIBIT 1 Sample Packet Filter Configuration

Rule Number  Action  Local Host  Local Port  Remote Host  Remote Port
0            Allow   WWW server  80          *            *
1            Deny    *           *           *            *

FIREWALL TECHNIQUES

There are three different techniques available to firewalls to enforce the local security policy: packet filtering, application-level gateways, and circuit-level gateways. These techniques are not mutually exclusive; in practice, firewalls tend to implement multiple techniques to varying extents. This section defines these firewall techniques.

Packet Filtering

Packet filters allow or drop packets according to the source or destination address or port. The administrator makes a list of acceptable and unacceptable machines and services, and configures the packet filter accordingly. This makes it very easy for the administrator to filter access at the network or host level, but impossible to filter access at the user level (see Exhibit 1).

The packet filter applies the rules in order from top to bottom. Thus, in Exhibit 1, rule 0 blocks all network traffic by default; rule 1 creates an exception to allow unrestricted access on port 80 to the organization's Web server. But what if the firewall administrator wanted to allow telnet access to the Web server by the Webmaster? The administrator could configure the packet filter as shown in Exhibit 2. The packet filter would thus allow telnet access (port 23) to the Web server from the address or addresses represented by <machine room>, but the packet filter has no concept of user authentication. Thus, unauthorized individuals originating from the <machine room> address(es) would be allowed telnet access to the WWW server, while authorized individuals originating from non-<machine room> address(es) would be denied access.
In both cases, the lack of user authentication would prevent the packet filter from enforcing the local security policy.

EXHIBIT 2 Packet Filter Configuration to Allow Telnet Access from <machine room> to <www-server>

Rule Number  Action  Local Host  Local Port  Remote Host     Remote Port
0            Allow   WWW server  80          *               *
1            Allow   WWW server  23          <machine room>  *
2            Deny    *           *           *               *

Application-Level Gateways

Unlike packet filters, application-level gateways do not enforce access control lists. Instead, application-level gateways attempt to enforce connection integrity by ensuring that all data passed on a given port is in accordance with the protocol for that port. This is very useful for preventing transmissions prohibited by the protocol, but not handled properly by the remote system. Consider, for example, the Hypertext Transfer Protocol (HTTP) used by WWW servers to send and receive information, normally on port 80. Intruders have been able to compromise numerous servers by transmitting special packets outside the HTTP specification. Pure packet filters are ineffective against such attacks because they can only restrict access to a port based on source and destination address; but an application gateway could actually prevent such an attack by enforcing the protocol specification for all traffic on the related port.

The application gateway relays connections in a manner similar to that of the circuit-level gateway (see below), but it provides the additional service of checking individual packets for the particular application in use. It also has the additional ability to log all inbound and outbound connections.

Circuit-Level Gateways

A circuit-level gateway creates a virtual circuit between the local and remote networks by relaying connections. The originator opens a connection on a port to the gateway, and the gateway in turn opens a connection on that same port to the remote machine. The gateway machine relays data back and forth until the connection is terminated. Because circuit-level gateways relay packets without inspecting them, they normally provide only minimal audit capabilities and no application-specific controls.
Moreover, circuit-level gateways require new or modified client software that does not attempt to establish connections with the remote site directly; the client software must allow the circuit relay to do its job. Still, circuit relays are transparent to the user. They are well-suited for outbound connections in which authentication is important but integrity is not. See Exhibit 3 for a comparison of these firewall techniques.
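
The top-to-bottom rule evaluation described under Packet Filtering, applied to the Exhibit 2 table, as an added example that is not part of the original article. The IP addresses standing in for the WWW server and <machine room> are constructed, and the shadowed-rule check goes one step beyond the text to show why rule order matters.

```python
"""First-match packet filter for the rule table in Exhibit 2 (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple, Union

ANY = "*"
# Constructed addresses from documentation ranges; the article gives none.
WWW_SERVER = "192.0.2.10"
MACHINE_ROOM = "198.51.100.0/28"

Port = Union[int, str]


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    local_host: str    # IP address, CIDR block, or "*"
    local_port: Port   # port number or "*"
    remote_host: str
    remote_port: Port


@dataclass(frozen=True)
class Packet:
    # Note what is absent: there is no user identity. Addresses and ports
    # are all a packet filter ever sees.
    local_host: str
    local_port: int
    remote_host: str
    remote_port: int


def host_matches(pattern: str, addr: str) -> bool:
    return pattern == ANY or ip_address(addr) in ip_network(pattern, strict=False)


def port_matches(pattern: Port, port: int) -> bool:
    return pattern == ANY or pattern == port


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Apply rules top to bottom; the first matching rule decides.

    Returns (action, rule_number). If no rule matches, the packet is denied
    and rule_number is None (a default-deny stance).
    """
    for number, rule in enumerate(rules):
        if (host_matches(rule.local_host, pkt.local_host)
                and port_matches(rule.local_port, pkt.local_port)
                and host_matches(rule.remote_host, pkt.remote_host)
                and port_matches(rule.remote_port, pkt.remote_port)):
            return rule.action, number
    return "deny", None


def host_covers(outer: str, inner: str) -> bool:
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))


def port_covers(outer: Port, inner: Port) -> bool:
    return outer == ANY or outer == inner


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Rule numbers that can never fire because one earlier rule already
    matches every packet they would match (single-rule shadowing only)."""
    dead = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (host_covers(earlier.local_host, later.local_host)
                    and port_covers(earlier.local_port, later.local_port)
                    and host_covers(earlier.remote_host, later.remote_host)
                    and port_covers(earlier.remote_port, later.remote_port)):
                dead.append(j)
                break
    return dead


EXHIBIT_2 = [
    Rule("allow", WWW_SERVER, 80, ANY, ANY),
    Rule("allow", WWW_SERVER, 23, MACHINE_ROOM, ANY),
    Rule("deny", ANY, ANY, ANY, ANY),
]
# Same rules with the catch-all deny moved to the top.
MISORDERED = [EXHIBIT_2[2], EXHIBIT_2[0], EXHIBIT_2[1]]

if __name__ == "__main__":
    samples = {  # constructed packets
        "web from anywhere": Packet(WWW_SERVER, 80, "203.0.113.7", 40000),
        "telnet from machine room": Packet(WWW_SERVER, 23, "198.51.100.5", 40001),
        "telnet from elsewhere": Packet(WWW_SERVER, 23, "203.0.113.7", 40002),
    }
    for label, pkt in samples.items():
        print(f"{label:26} -> {evaluate(EXHIBIT_2, pkt)}")
    print("shadowed in Exhibit 2 order:", shadowed_rules(EXHIBIT_2))
    print("shadowed with deny-all first:", shadowed_rules(MISORDERED))
```

The telnet decision depends only on the source address, so anyone at a machine-room address is allowed and the Webmaster connecting from elsewhere is denied.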
EXHIBIT 3 Advantages and Disadvantages of Firewall Techniques

Packet filtering
Advantages:
• Completely transparent
• Easy to filter access at the host or network level
• Inexpensive: can use existing routers to implement
Disadvantages:
• Reveals internal network topology
• Does not provide enough granularity for most security policies
• Difficult to configure
• Does not support certain traffic
• Susceptible to address spoofing
• Limited or no logging, alarms
• No user authentication

Application-level gateways
Advantages:
• Application-level security
• Strong user access control
• Strong logging and auditing support
• Ability to conceal internal network
Disadvantages:
• Requires specialized proxy for each service
• Slower to implement new services
• Inconvenient to end users

Circuit-level gateways
Advantages:
• Transparent to user
• Excellent for relaying outbound connections
Disadvantages:
• No support for client software that does not support redirection
• Inbound connections risky
• Must provide new client programs

DEVELOPING A FIREWALL POLICY AND STANDARDS

Reasons for Having Firewall Policy and Standards

There are a number of reasons for writing formal firewall policies and standards, including:

• Properly written firewall policies and standards will address important issues that may not be covered by other policies. Having a generic corporate policy on information systems security is not good enough. There are a number of specific issues that apply to firewalls but would not be addressed, or addressed in adequate detail, by generic security policies.
• A firewall policy can clarify how the organization's security objectives apply to the firewall. For example, a generic organizational policy on information protection might state that, "Access to information is granted on a need-to-know basis." A firewall policy would interpret this objective by stating that, "All traffic is denied except that which is explicitly authorized."
• An approved set of firewall standards makes configuration decisions much more objective.
A firewall, especially one with a restrictive configuration, can become a hot political topic if the firewall administrator wants to block traffic that a user really wants. Specifying the decision-making process for resolving such issues in a formal set of standards will make the process much more consistent to all users.
Everyone may not always get what he or she wants, but at least the issue will be decided through a process that was adopted in advance.

Policy and Standards Development Process

The following process is recommended as an efficient, comprehensive way to develop a firewall policy. If the steps of this process are followed in order, the security practitioner can avoid making time-wasting oversights and errors in the policy. (See also Exhibit 4.)

1. Risk analysis. An organization should perform a risk analysis prior to developing a policy or a set of standards. The risk analysis will not only help policy-makers identify specific issues to be addressed in the document itself, but also the relative weight policy-makers should assign to those issues.
2. Identify list of topics to cover. A partial listing of topics is suggested under Policy Structure later in this article; security policy-makers should also identify any other issues that may be relevant to the organization's firewall implementation.
3. Assign responsibility. An organization must define the roles and responsibilities of those accountable for administering the firewall. If necessary, modify job descriptions to reflect the additional responsibility for implementing, maintaining, and administering the firewall, as well as establishing, maintaining, and enforcing policy and standards.
4. Define the audience. Is the policy document intended to be read by IS personnel only? Or is the document intended to be read by the entire organization? The document's audience will determine its scope, as well as its degree of technical and legal detail.
5. Write the policy. Because anyone can read the document, write without regard to the reader's position within the organization. When it is necessary to refer to other organizational entities, use functional references whenever possible (e.g., "Public Relations" instead of "Tom Smith, Public Relations").
Be sure to list a contact person for readers who may have questions about the policy.
6. Identify mechanisms to foster compliance. A policy is ineffective if it does not encourage employees to comply with the policy. Therefore, the individual(s) responsible for developing or maintaining the policy must ensure that adequate mechanisms for enforcement exist. These enforcement mechanisms should not be confused with the clause(s) of a policy that specify the consequences for noncompliance. Rather, enforcement mechanisms should include such administrative procedures as awareness and training, and obtaining employee signatures on an agreement that specifies the employee has read and understands the policy and will comply with the intent.
7. Review. New policies should be reviewed by representatives from all major departments of the organization, not just IS personnel. A special effort should be made to resolve any disagreements at this stage: the more low- and mid-level support that exists for a policy, the easier it will be to implement that policy.

EXHIBIT 4 Policy Development Process

1. Risk analysis
2. Identify list of topics to cover
3. Assign responsibility for policy
4. Define the audience
5. Write the policy
6. Identify mechanisms to foster compliance
7. Review

After the policy has been coordinated with (and hopefully endorsed by) department representatives, the policy should be submitted to senior management for approval. It is extremely important that the most senior-level manager possible sign the policy. This will give the IS security staff the authority it needs to enforce the policy.

Once the policy is adopted, it should be reviewed on at least an annual basis. A review may have one of three results: no change, revisions to the policy, or abandoning the policy.

Policy Structure

A policy is normally understood as a high-level document that outlines management's general instructions on how things are to be run. Therefore, an organizational firewall policy should outline that management expects other departments to support the firewall, the importance of the firewall to the organization, etc. The structure of a firewall policy should look as follows:

• Background. How does the importance of the firewall relate to overall organizational objectives (e.g., the firewall secures information assets against the threat of unauthorized external intrusion)?
• Scope. To whom and what does this policy apply?
• Definitions. What is a firewall? What role does it play within the enterprise?
• Responsibilities. What resources and respective responsibilities need to be assigned to support the firewall?
If the default configuration of the firewall will be to block everything that is not specifically allowed, who is responsible for requesting exceptions? Who is authorized to approve these requests? On what basis will those decisions be made?
• Enforcement. What are the consequences for failing to meet the administrative responsibilities? How is noncompliance addressed?
• Frequency of review. How often will this policy be reviewed? With which functions in the organization?
• Policy coordinator. Who is the point of contact for this policy?
• Date of last revision. When was this policy last revised?

Firewall Standards

Firewall standards can be defined minimally as a set of configuration options for a firewall. (Although firewall standards can and should address more than mere configuration issues, all firewall standards cover at least this much.) Exhibit 5 presents a sample outline for firewall standards. Because all firewalls come with default configurations, all firewalls have default standards. The job of the security practitioner is to draft a comprehensive set of standards governing all aspects of firewall implementation, usage, and maintenance, including but not limited to:

• protection of logs against unauthorized modification
• frequency of logs review
• how long logs will be retained
• when the logs will be backed up
• to whom the alarms will be sent

Legal Issues Concerning Firewalls

If firewall audit trails need to be capable of being presented as evidence in a court of law, it is worthwhile to provide a warning banner to warn users about what sort of privacy they can expect. Many firewalls can be configured to display a warning banner on telnet and FTP sessions. Exhibit 6 shows an example of such a warning.

FIREWALL CONTINGENCY PLANNING

Firewall Outage

What would be the impact on an organization if the firewall was unavailable? If the organization has routed all of its Internet traffic through a firewall (as it should), then a catastrophic hardware failure of the firewall machine would result in a lack of Internet connectivity until the firewall machine is repaired or replaced. How long can the organization tolerate an outage?
If the outage were a catastrophic hardware failure, do you know how you would repair or replace the components? Do you know how long it would take to repair or replace the components?
EXHIBIT 5 Sample Outline of Firewall Standards

I. Definition of terms
II. Responsibilities of the firewall administrator
III. Statement of firewall limitations
    a. Inability to enforce data integrity
    b. Inability to prevent internal attacks
IV. Firewall configuration
    a. Default policy (allow or deny) on network connections
    b. Physical location of firewall
    c. Logical location of firewall in relation to other network nodes
    d. Firewall system access policy
        1. Authorized individuals
        2. Authentication methods
        3. Policy on remote configuration
    e. Supported services
        1. Inbound
        2. Outbound
    f. Blocked services
        1. Inbound
        2. Outbound
    g. Firewall configuration change management policy
V. Firewall audit trail policy
    a. Level of granularity (e.g., we will have one entry for each FTP or HTTP download)
    b. Frequency of review (e.g., we will check the logs once a day)
    c. Access control (e.g., access to firewall audit trails will be limited to the following individuals)
VI. Firewall intrusion detection policy
    a. Alarms
        1. Alarm thresholds
        2. Alarm notifications (e.g., , pager, etc.)
    b. Notification procedures
        1. Top management
        2. Public relations
        3. System administrators
        4. Incident response teams
        5. Law enforcement
        6. Other sites
    c. Response priorities (e.g., human safety, containment, public relations)
    d. Documentation procedures
VII. Backups
    a. Frequency of incremental backups
    b. Frequency of system backups
    c. Archive of backups (e.g., we will keep backups for one year)
    d. Off-site backup requirements
VIII. Firewall outage policy
    a. Planned outages
    b. Unplanned outages
        1. Reporting procedures
IX. Firewall standards review policy (e.g., this policy will be reviewed every six months)
EXHIBIT 6 Sample Warning Banner

Per AFI requirement:

Welcome to USAFAnet
United States Air Force Academy

This is an official Department of Defense (DoD) computer system for authorized use only. All data contained on DoD computer systems is owned by DoD and may be monitored, intercepted, recorded, read, copied, or captured in any manner and disclosed in any manner by authorized personnel. THERE IS NO RIGHT TO PRIVACY ON THIS SYSTEM. Authorized personnel may give any potential evidence of crime found on DoD computer systems to law enforcement officials. USE OF THIS SYSTEM BY ANY USER, AUTHORIZED OR UNAUTHORIZED, CONSTITUTES EXPRESS CONSENT TO THIS MONITORING, INTERCEPTION, RECORDING, READING, COPYING, OR CAPTURING, AND DISSEMINATION BY AUTHORIZED PERSONNEL. Do not discuss, enter, transfer, process, or transmit classified/sensitive national security information of greater sensitivity than this system is authorized. USAFAnet is not accredited to process classified information. Unauthorized use could result in criminal prosecution. If you do not consent to these conditions, do not log in!

If the organization has a firewall, the odds are that a firewall outage would have a significant impact on that organization. (If the connection between the two networks was not important to the organization, why would that organization have the connection and protect it with a firewall?) Therefore, the security practitioner must also develop contingency plans for responding to a firewall outage. These contingency plans must address three types of failures: hardware, software, and evolutionary (failure to keep pace with increasing usage requirements).

In the case of a hardware failure, the security practitioner has three options: repair, replacement, or removal. Firewall removal is a drastic measure that is not encouraged; it drastically reduces security while disrupting any user services that were specially configured around the firewall (e.g., Domain Name Service, proxies, etc.).
Smaller organizations may choose to repair their hardware because it is cheaper, yet this may not always be an option and may not be quick enough to satisfy user requirements. Conversely, access can be restored quickly by swapping in a hot spare, but the cost of purchasing and maintaining such redundancy can be prohibitive to smaller organizations.

Significant Attacks, Probes, and Vulnerabilities

To be effective, the firewall administrator must not only understand how attacks and probes work, but also be able to recognize the appropriate alarms and audit trail entries. There are three attacks in particular with which every Internet firewall administrator should be familiar.

Internet Protocol (IP) Source Address Spoofing. IP Source Address Spoofing is not an attack itself. It is a vulnerability that can be exploited