Network Security and Firewalls A Summary B.Sc. Degree in IT Management Institute of Technology, Carlow (Prepared by Paul Barry)
Network Security and Firewalls As the Internet becomes all-persuasive, the nature of the activities occurring on the Internet are increasingly becoming critical to the health of the organizations that connect their own networks to it. Gone are the days of connecting a network to the Internet, establish connectivity then moving onto others things. The Internet is not the safe, friendly, academic world it used to be. In addition to enabling improved business-to-business and business-tocustomer communications (among other things), connecting to the Internet opens up a network to an increasingly sophisticated community of computer crackers 1, viruses, electronic eavesdroppers and sundry other attacks. Once attached to the Internet, in addition to taking advantage of its many benefits, the connected organization needs to protect itself from electronic attack. Network security has, as a consequence, become an important discipline within the Internet-connected world, and within computing in general. In this essay, a survey of the network security techniques available to todays network manager are presented, with an emphasis toward the latter part of this essay on Firewall technologies. 1.1 A Taxonomy of Security Attacks There are four main categories of network security attack: Interruption - an attack on the availability of a network asset. Interception - an attack on the confidentiality of network data. Modification - an attack on the integrity of network resources. Fabrication - an attack on the authenticity of a network user. 1 Also known as script-kiddies. 1
2 Network attacks can further be categorized as being either passive or active. Passive attacks occur within a setting that makes in impossible (or impractical) to identify the occurrence of the attack. Traffic Analysis is an example of a passive attack - a copy of transmitted data is taken and analyzed in an attempt to determine some useful information. Active attacks are more blatant, in that they result in active changes to the transmitted data, making them easier to identify (usually after the fact, when it is far too late). Examples of this type of attack include masquerading, replay, modification and denial-of-service. 1.2 Dealing With Attacks: Security Services When it comes to protecting a network against attacks, a classification of security services has been defined: Confidentiality - protecting transmitted data against passive attacks and network analysis. Typically, cryptographic technologies are employed. Authentication - ensuring that the communication is indeed authentic. This service assures a recipient that any received data is from the source that it claims to be from (and vice-versa). Integrity - ensuring that messages are received in exactly the same form that they were sent, i.e. without any unauthorized changes. Non-repudiation - providing a means by which neither the sender nor the receiver can deny a transmitted message. Access Control - limiting and controlling an authenticated users access to network resources. Typically, access control is tailored to an individual s access rights. Availability - implementing countermeasures to guard against the loss or reduction of a network service. 1.3 Network Security Models Two broad models have been defined for discussing Network Security. In the first, there is one insecure communications channel and four participants. The participants are:
3 Sender - one of the two principals in the transaction, this participant wishes to use the insecure channel to send data securely to the other principal. Receiver - the other principal in the transaction, this participant will receive data over the insecure channel from the other principal. Trusted Third Party - depending on the security services chosen and how they are implemented, a trusted third party may be required to enable secure communications between the two principals. Opponent - the bad guy (or girl), intent on capturing and interpreting the data being transmitted between the principals, and - if this is not possible - disruption of the insecure channel may also be a goal (resulting in a denial-of-service attack). The other model relates to network access. In this model, there is a collection of (hopefully) protected information systems. A mechanism is implemented to protect these systems from unwanted access from an insecure network. This mechanism is essentially a gatekeeper function and is typically manifested in some type of firewall system. The single participant in this model is the Opponent, who is intent in achieving unauthorized access to the information systems on some protected internal network. On the Internet, the Opponent is typically a human, however, a growing collection of automated software tools (and, in some cases, computer viruses) would also be classed as a participant in this model. 1.4 The Role of Cryptography In order to provide the security services identified above, security managers and implementors rely heavily on the Science of Cryptography. The ability to securely encrypt data prior to transmission and then decrypt it upon receipt are key techniques within the Network Security world. This section briefly describes these important techniques. 1.4.1 Conventional Symmetric Encryption Conventional encryption technologies are thousands of years old, and they all operate in a common way. A shared secret key is used to encrypt the data
4 to be transmitted using a published algorithm. The data is then transmitted over the insecure channel by the Sender, then the Receiver decrypts the data using the shared secret key and another published algorithm. Typically, conventional encryption technologies are strong at ensuring confidentiality within an insecure network. The strength of any particular conventional encryption technology is directly related to the size of the shared secret key. Due to the mathematics involved, it becomes computationally infeasible to break a conventional encryption technology by brute-force techniques. A small key-size, say 56 bits, is easily breakable by brute-force. For example, DES (the Data Encryption Standard), which uses 56 bit keys, was publicly broken in 1998 by the Electronic Frontier Foundation. However, it is relatively easy to prove that a key of 128 bits or greater is all but impossible to break by brute-force, which explains why most modern conventional encryption technologies use a key-size of 128 bits or more. Triple-DEA (the successor to DES) uses 168 bits. Of course, if the algorithm is compromised, it does not matter how large the key-size is. And, it is a case of pack-up and go home if the shared secret key becomes public. The practice of secure shared secret-key distribution is an important aspect of conventional encryption technology. 1.4.2 Public-key Cryptography Like conventional encryption technologies, public-key cryptography uses a published encryption and decryption algorithm. Unlike conventional encryption technologies, public-key cryptography has two keys, one private (which is kept secret) and one public (which is widely published, in fact, essentially given away). Data that is to be transmitted can be encrypted with either the public-key or the private-key. Typically, public-key cryptography is strong at providing authentication security services. Key-size again plays an important role in public-key cryptography, the longer the key, the stronger the encryption. With the public-key being so widely distributed, a trusted third party is often employed to verify that the public-key does in fact belong to the Sender or Receiver claiming to own it. Public-key cryptography is also applied to the production of digital signatures.
5 1.5 Security Applications In response to the growing threat of Internet attack, a number of security applications and tools have been developed. Two common classifications can be identified: infrastructural and application-specific. 1.5.1 Infrastructural Security Tools This type of tool provides protection to an entire network, from an infrastructural point-of-view. Two network-based (application-layer) authentication technologies are popular, and these are the Kerberos system and the X.509 standard. At the network-layer, the IPsec enhancement to IPv4 provides an encryption service to all IP-bound network traffic. When it comes to managing a diverse, heterogeneous network, Release 3 of the Simple Network Management Protocol (SNMP) has been built to operate securely. 1.5.2 Application-Specific Security Tools This type of tool provides protection to one specific application domain. On the Internet, tools to assist in the protection of electronic mail messages and web-based transactions have recently come to prominence. Electronic mail security technologies include Pretty Good Privacy (PGP) and the security extensions to MIME, called S/MIME. Web-based transactions can be protected by Secure Sockets Layer (SSL) technologies (built into most modern web browsers and web servers), whereas credit-card transactions (and all of the participants in the transaction) can be protected by conformance to the Secure Electronic Transaction (SET) standard. 1.6 Firewalls Taking their name from the construction industry, the network firewall is a network device that is positioned between a network to be protected and the Internet. In effect, a firewall is a manifestation of an organization s security policies as they relate to in-bound network traffic arriving from the Internet, and out-bound network traffic going to the Internet, from a protected internal network.
6 1.6.1 Firewall Design Goals Modern firewall technology has a number of design goals, as follows: Checking All Traffic - network traffic to and from the Internet must be passed through the firewall so that it can be checked against the organizations security policies. This checking is referred to as filtering. Forwarding Authorized Traffic Only - network traffic that satisfies the organizations security policies may pass. All other network traffic is logged, then discarded, as it is treated as suspect. Better to be safe than sorry. Avoiding Being Compromised - the firewall itself needs to be developed in such a way that it itself is immune to penetration. Under no circumstances should a faulty firewall allow any network traffic to bypass the security policies 2. When it comes to using a firewall to control access, four types of control (or filters) can be identified, thus: Service - based on the protocol port-number associated with a particular Internet service, application-layer network traffic is either blocked or allowed to pass. Additionally, traffic can be filtered by IP address (or IP address range), both for inbound and outbound network traffic. Direction - network traffic can be filtered on inbound connections, outbound connections, or both inbound and outbound connections. User - based on the identity of a user, network traffic can flow through the firewall assuming the user is authorized to generate network traffic of an approved type. Generally, this control filter is applied to users on the protected network side of the firewall. Behaviour - filters are applied to control how a particular service is used. For example, web pages may be scanned for Java applets (and the applets discarded), or incoming e-mail may be scanned for known viruses, while outgoing e-mails may be scanned for inappropriate use of language. 2 Although this seems like an unlikely occurrence, the http://www.cert.org website recently highlighted security problems with firewalls based upon the Gauntlet technology, which forms the basis of many commercial firewall products. For more details see: http://www.cert.org/advisories/ca-2001-25.html.
7 In providing these filter and control services, a firewall can be thought of as a single choke-point on a network, though which all inbound and outbound network traffic passes. As such, it is the ideal location within which to implement a site-wide auditing and logging facility. 1.6.2 Firewall Types As firewall technology has developed, a number of distinct types of implementation have come to prominence. Each type will now be discussed. The Packet-Filtering Router/Firewall Adding packet-filtering rules to an appropriately sophisticated router is one of the most effective means of implementing a network firewall (and most modern routers support such setting of rules). In essence, the router is configured to inspect every chunk of inbound and outbound network traffic. The chunk of network traffic is then checked against each of the rules, looking for a match. If a match is not found, the default policy configured on the router is enacted, with a default policy of discard being the most conservative and safest option. If a match is found, the router then examines the policy associated with the rule to decide what to do with the chunk of network traffic, either discard the chunk or forward the chunk. When processing IP datagrams, UDP datagrams or TCP segments, the packet-filtering router is primarily interested in examining the header fields of the datagram or segment. The actual data (or application protocol data) is of lesser interest to the packet-filtering router. (As is the case with most routers - they typically do not concern themselves with application-layer data, as they are designed to route Internet datagrams as quickly as possible, without delay). A few example rules should help clarify how packet-filtering routers are typically configured. A rule may look like this: block;payroll;*;www.hotmail.com;*; which blocks (discards) network traffic from the internal system called payroll
8 using any protocol port-number (the * wild-card) to the www.hotmail.com Internet server using any protocol port-number (the * wild-card, again) 3. Here is another example rule: allow;mailsys;25;*;*; which allows (forwards) network traffic to the internal system called mailsys using protocol port-number 25 (the well-known protocol port-number for SMTP, the Simple Mail Transfer Protocol, which is used by all Internetbased e-mail systems). Network traffic is allowed from any Internet server (the * wild-card) using any protocol port-number (the * wild-card, again). A final example is: block;*;*;*;>1023; which blocks (discards) all network traffic from any internal system (the * wild-card) using any protocol port-number (the * wild-card, again) to any system (the * wild-card, yet again) using a protocol port-number that is greater that 1023 (that is, a protocol port-number outside the range of the well-known protocol port-number assignments). Packet-filtering routers have a number of advantages: Simplicity - it is relatively straightforward to configure packet-filtering on modern routers (and the recent move toward web-based router configuration tools makes this even easier). Transparency - as the firewall mechanism is centralized in the router (at the edge of the organization s network), users are generally unaware of its existence. That is, it is transparent to them, and this is a good thing. Good Performance - routers are designed and optimized to process chunks of network data as quickly as possible and, as long as the packet-filtering rule-set is kept to a relatively small size, implementing packet-filtering does not add significantly to the router s processing overhead. 3 Remember that each end of an Internet connection (when using TCP) has its own individual protocol-port number, which explains the double use of the * wild-card in this and subsequent examples.
9 Packet-filtering routers also have some disadvantages: Incorrectly Specified Rules - getting the rule-set right can be difficult, and sometimes strange combinations of seemingly correct rules can be easily compromised. Lack of Authentication - network traffic either passes through the packet-filtering router or it does not. There s no real notion of the network traffic being authenticated. Despite these disadvantages, deploying a packet-filtering router as a firewall is very popular due mainly to the importance placed on the advantages. Packet-filtering routers are also open to a number of attacks. The IP Spoofing attack attempts to send network traffic from the Internet through the firewall by tinkering with the Source IP Address of the sending IP datagram. By changing the source IP address to an IP address on the protected side of the firewall (that is, an IP address of an internal network device), a packet-filtering router that has been configured to allow all traffic with a source IP address on the protected network to pass through the firewall may allow the spoofed network traffic onto the protected network. This can be easily dealt with by arranging that the packet-filtering router only allow network traffic through if the IP datagram claiming to be from the protected internal network is in fact arriving on the protected internal network s router interface. The Source Route attack exploits a mechanism built into IPv4 which allows a network device to explicitly direct an IP datagram to follow a specified route into or out of the protected internal network. This can sometimes result in the packet-filtering router allowing such traffic through. The solution to this attack is to disallow the use of this option with any IP datagram, whether the network traffic is inbound or outbound. The Small Fragment attack creates IP datagrams that are two things: fragmented and very small. So small in-fact that the TCP header information will not fit into a single IP datagram, but is instead fragmented into a collection of IP datagram fragments. If the packet-filtering router is not configured to watch for datagrams like this, some traffic may pass through the packet-filtering router that ought not to. The solution is to inspect all IP datagrams and discard any that indicate that fragmentation has occurred and that also indicate that TCP header information is in the IP datagram
10 fragment. A further precaution would be to automatically treat as suspicious any IP datagrams that are very small and part of a larger, fragmented original. The Application-Level Gateway/Firewall Unlike firewalls that are based on packet-filtering technology, and which operate at the Network and Transport Layer, the Application-Level Gateway acts as a proxy on behalf of users on the protected side of the internal network, and on behalf of unknown users on the Internet. In effect, the applicationlevel gateway pretends to be the internal network user when communicating with the insecure Internet for inbound and outbound network traffic. For example, if a HTTP application-level gateway in installed on the protected internal network, a user on the network that starts a web-browser and then requests a connection to a website on the Internet, would have the request relayed to the application-level gateway (the proxy). If the applicationlevel gateway has been configured to allow such a request to succeed, it (that is, the proxy) contacts the website in question and requests the resource requested by the user s web-browser on behalf of the user. Once received, the resource is then transferred to the user s web-browser. In addition to providing a mechanism whereby the request can be checked prior to it being fulfilled, the application-level gateway can log and audit the entire communication. This is seen as a prime advantage of this approach. It is also generally regarded as easier to configure an application-level gateway than it is to configure a packet-filtering router, as anything not covered by the Application Layer rule-set configured on the application-level gateway is discarded. By operating at a higher, more abstract level, the configuration is regarded by many to be easier and less prone to error. The prime disadvantage is the additional overhead introduced to all the communications that pass through the application-level gateway. The Circuit-Level Gateway/Firewall The Circuit-Level Gateway does not allow TCP connections between two endpoints (one internal and the other external) to come into existence. Instead, the circuit-level gateway establishes two TCP connections: one between the circuit-level gateway and a user of the internal protected network, and another between the circuit-level gateway and an external network device on
11 the Internet. These connections are only established if they are determined to be allowed, and if they are, and once they are established, all network traffic flows from the internal user to the external network device without further checking. What constitutes an allowed connection is determined by the local network manager and his/her level of trust of the users of the internal protected network. 1.6.3 The Role of the Bastion Host The term Bastion Host is used to refer to a networked system that plays a central role in enabling the implementation of a firewall on a protected internal network. In effect, the bastion host runs the application-level gateway or the circuit-level gateway. The bastion host has a number of characteristics. It typically runs on a secure operating system (often referred to as a trusted system). Only those services required are installed as proxies on the bastion host, and they are usually configured to allow a restricted set of functionality, in addition to running within chrooted sand-boxes. Each proxy is designed to operate in isolation: if a proxy is compromised or goes off-line, the other proxies installed on the bastion will not be affected by this. 1.7 Selected Firewall Configurations Of course, it is far from the case that only one of the types of firewall system discussed in the last section are deployed in an attempt to secure a protected internal network. Typically, sites implement a combination of firewall mechanisms. Three popular configurations are described in the subsections which follow. 1.7.1 Bastion/Packet-Filtering Combo In this setup, a single packet-filtering router connects the organization s protected internal network to the Internet. On the internal side of the packetfiltering router, a single bastion host is deployed. The packet-filtering router is configured to accept (that is, forward) inbound network traffic that contains an IP destination address of the bastion host, as well as accept outbound network traffic with a source IP address of the bastion host. All other net-
12 work traffic is blocked (that is, discarded). Note that, with this configuration, both network-level and application-level filtering is occurring (as the bastion host is acting a the sole proxy to services on the Internet and services on the protected internal network). This is seen as this configurations greatest advantage, coupled with the fact that an intruder needs to compromise two firewall systems in order to attack the protected internal network. Note that the bastion host is connected to the protected internal network with a single connection (that is, the bastion host is single-homed). This can, under extreme circumstances, cause security problems. Specifically, if the packet-filtering router is compromised, network traffic will no longer be forced to travel through the bastion host, but could instead travel to any network-attached device which shares the bastion host s LAN segment. 1.7.2 Dual-Homed Bastion/Packet-Filtering Combo This firewall configuration is essentially the same as the previous configuration, but for the fact that the bastion host now has two separate network connections (that is, the bastion host is dual-homed). On a standard PC, this configuration can easily be implemented by installing two network interface cards (NICs) into the bastion host. One network interface is connection to a small LAN segment that contains the packet-filtering router that connects to the Internet. The other network interface connects to the protected internal network. As before, the packet-filtering router is configured to accept inbound network traffic that contains an IP destination address of the bastion host, as well as accept outbound network traffic with a source IP address of the bastion host. All other network traffic is blocked (that is, discarded). If, with this configuration, the packet-filtering router is compromised, the only physical path the network traffic can take is to still go through the bastion host, where it would (presumably) be filtered, determined to be suspect, and subsequently discarded (as well as logged and audited). 1.7.3 Dual Bastion/Dual Packet-Filtering Combo The most paranoid of all firewall configurations involves adding a second packet-filtering router to the previous setup. The second packet-filtering router is installed on between the bastion host and the protected internal network, and in configured to only accept outbound and inbound network
13 traffic to and from the bastion host from the protected internal network. There are now three levels of protection: a packet-filtering router connected to the Internet, a packet-filtering router connected to the protected internal network and the dual-homed bastion host on its own LAN segment in the middle 4. Critically, the protected internal network is effectively invisible to the Internet, and the Internet is effectively invisible to the protected internal network. The key point is this: if an internal network cannot be seen from the Internet, how can it possibly be attacked? 1.8 Conclusion Network security is a complicated business. As more advanced and sophisticated mechanisms are developed to protect Internet-attached network resources, equally determined efforts are made to compromise the security mechanisms in place. A healthy dose of security paranoia should fester inside all network managers responsible for network security, as complacency will inevitably lead to disaster. No network can claim to be totally secure (as such a notion is folly). However, a network can claim to be as protected as is humanly possible. Security policies need to be constantly reviewed and revised. Hardware and software firewall systems need to be kept up-to-date. It is a case of it s only a matter of time for the network manager that fails to develop the skills and practices that keep them one step ahead of the Internet crackers and script-kiddies. If you are a network manager, be afraid, be very afraid. Foster paranoia, and trust no one. 4 Such as LAN segment is often referred to as a demilitarized zone or DMZ.
Bibliography [1] Simon Singh, The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography, Fourth Estate Ltd., 1999. ISBN: 1-85702-879-1. (This is a book on cryptography that is written for those of us that do not have a third-level qualification in Mathematics but still need to understand this important technology). [2] William Stallings, Network Security Essentials: Applications and Standards, Prentice-Hall Inc., 2000. ISBN: 0-13-016093-8. (An excellent overview of the entire field). 14