Academic year: 2021


In today’s world the Internet has become a valuable resource for many people. With the benefits of being connected to the Internet, however, come certain risks that a user must accept. In many cases people have an interest not only in the Internet but also in a private network to which they are connected. It is this private network that is put in jeopardy when it is connected to the entire world. By a private network we mean a set of computing resources that are not for the use of the general public. Unauthorized access to these resources can cause major problems, including down time, loss or compromise of privileged data, or worse. In an effort to impede unauthorized access to private networks the concept of a firewall computer has been designed and implemented.

The term firewall, as used here, comes from the automobile industry. In a vehicle a physical firewall separates the engine compartment from the passenger area; if the engine catches fire the firewall protects the occupants while still allowing access to the car’s controls. In a similar manner the firewall computer protects the inside network from the “raging fire” of the Internet. Firewalls add several benefits to a network: protection from unauthorized entry, logging of Internet use by the internal network, and a central gateway between the private network and the outside world. These benefits provide more than just security services to the network.

When considering a firewall computer for a private network it is good to consider the threats that may be targeting your network. One of the most common threats on the Internet is the merely curious hacker. These hackers have little or no knowledge of the information inside your network, and would have no interest in it if they did; their primary interest is to poke around the Internet until they find a security hole they can exploit. Another group of hackers intends to vandalize any system they gain access to: they wish to cause network or system outages, or to use system resources such as phone lines. In the corporate world there are also hackers who break in with the intent of retrieving private or privileged data. While all of these threats are undesirable, it is important to know which ones you are most subject to, since some prove more persistent than others.

After identifying the possible threats one can examine the firewall designs that are available. Two types of firewall are in wide use in today’s networks: IP filtering firewalls and proxy server firewalls. In this report I discuss the setup and use of a proxy server firewall built with the Trusted Information Systems (TIS) Firewall Toolkit version 2.1 (fwtk 2.1).

The TIS fwtk is available free of charge in source code form and can be compiled on many UNIX platforms. It contains a group of tools designed to support the building of firewalls. Each of the kit’s tools can be used by itself or in combination with any of the others to build a firewall suited to the network it is being constructed on.

The goal of this project was to set up a proxy firewall for the 129.174.140.0 network, which is used by the computer engineering program at George Mason University. The initial interest in a firewall for this network came in the fall of 1998 when the security of roza.gmu.edu was compromised. In that incident a hacker gained root access to the Linux system and installed a network port from which the entire operating system was corrupted. While no essential information was lost or compromised, a great deal of time had to be spent rebuilding and restoring the system.

When beginning to set up a firewall one must decide on the architecture of the firewall host, called a “bastion host.” The bastion host acts as an application forwarder, traffic logger and service provider. For this network a dual-homed gateway was most appropriate, since the network already used a gateway router for all Internet traffic. In the dual-homed configuration the bastion host is built with two network interfaces, one on each network, and the kernel’s IP forwarding is switched off so that no packet can pass from one interface to the other; the only way across is through a proxy running on the bastion. The toolkit software on the bastion provides proxy services for common network applications such as FTP and TELNET, and security for SMTP Internet mail. Since the dual-homed host is a security critical point in the network it is essential that the software on the bastion be as secure as possible.

The first step in building the firewall was to rebuild the Linux kernel of cpenet.gmu.edu to conform to the requirements of the TIS fwtk software. These requirements included the following settings:

General:
  Networking Support (on)

Networking Options:
  Network firewalls (on)
  TCP/IP networking (on)
  IP forwarding (off)
  IP firewalling (on)
  IP firewall packet logging (on)
  IP masquerading (on)
  IP accounting (on)
  IP tunneling (off)
  IP aliasing (off)
  IP PC/TCP compatibility (off)
  IP reverse ARP (off)
  Drop source routed frames (on)

Network Device Support:
  Network device support (on)
  Dummy net driver support (on)
  Ethernet (10 or 100Mbit) (on)
  Select network card


Once these kernel options were selected the kernel was recompiled and tested. The testing verified that only the bastion host could reach both sides of the network, that is, that with forwarding off no packet was passed from one of its interfaces to the other.

The next step was to set up the TIS toolkit components that would be used for the network. Each program in the toolkit sets up a proxy service for one network service. To understand the security a proxy server provides it is important to understand what a proxy server does. To begin with, the bastion is the only computer in the protected network that has access to the outside Internet. The proxy server provides application-level connections between the Internet and the internal machines: all Internet traffic is directed to the firewall bastion, which terminates the connection, opens a second connection of its own, and passes the data on to the internal client. The bastion acts as a middle man in every network transaction that crosses the firewall. Since there is no direct path from the internal network to the outside network, the security of the internal machines is much greater than with an IP filtering firewall alone.
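To make the middle-man role concrete, here is a minimal application-level relay, added as an illustration and not code from the TIS fwtk: the bastion accepts the client, opens its own second connection to the destination, and copies bytes between the two. The loopback echo server, the socketpair standing in for the client, the payload and the idle timeout are all constructed for the demo. The point to observe is that the destination's peer address is the bastion's own address, and that nothing here depends on the kernel forwarding packets, which is why the proxy still works with IP forwarding switched off.

```python
"""Application-level relay, added here to illustrate the "middle man" role the
report describes; this is not code from the TIS fwtk. The bastion accepts a
client connection, opens a separate connection of its own to the destination,
and copies bytes between the two. Nothing crosses at the IP layer, so the
destination only ever sees the bastion's address. Standard library only."""
import socket
import selectors
import threading


def relay(client, upstream, idle_timeout=5.0, bufsize=4096):
    """Copy bytes both ways until each side has sent EOF, or the link sits idle
    for idle_timeout seconds (the same idea as tn-gw's 'timeout' setting).
    Returns (bytes client->upstream, bytes upstream->client)."""
    sel = selectors.DefaultSelector()
    sel.register(client, selectors.EVENT_READ, upstream)
    sel.register(upstream, selectors.EVENT_READ, client)
    counts = {client: 0, upstream: 0}
    open_sides = 2
    while open_sides:
        events = sel.select(timeout=idle_timeout)
        if not events:            # idle: drop the session rather than hang forever
            break
        for key, _ in events:
            src, dst = key.fileobj, key.data
            data = src.recv(bufsize)
            if not data:          # EOF from one side: pass it on, keep the other open
                sel.unregister(src)
                open_sides -= 1
                try:
                    dst.shutdown(socket.SHUT_WR)
                except OSError:
                    pass
                continue
            dst.sendall(data)
            counts[src] += len(data)
    sel.close()
    return counts[client], counts[upstream]


def demo(payload=b"hello through the bastion\r\n"):
    """Constructed loopback demo: an echo server stands in for the inside host, a
    socketpair stands in for the client, and relay() plays the bastion.
    Returns what the client got back, whom the server saw, and the relay counts."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    seen = {}

    def echo_server():                      # the protected host behind the bastion
        conn, addr = listener.accept()
        seen["peer"] = addr                 # the only address the inside host learns
        with conn:
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                conn.sendall(chunk)

    server = threading.Thread(target=echo_server, daemon=True)
    server.start()
    client_end, bastion_end = socket.socketpair()
    upstream = socket.create_connection(listener.getsockname())
    bastion_addr = upstream.getsockname()   # what the inside host sees as its peer
    result = {}
    worker = threading.Thread(
        target=lambda: result.update(counts=relay(bastion_end, upstream)), daemon=True)
    worker.start()

    client_end.sendall(payload)
    client_end.shutdown(socket.SHUT_WR)     # client is done talking
    echoed = b""
    while True:
        chunk = client_end.recv(4096)
        if not chunk:
            break
        echoed += chunk
    worker.join(10)
    server.join(10)
    for s in (client_end, bastion_end, upstream, listener):
        s.close()
    result.update(echoed=echoed, peer=seen.get("peer"), bastion=bastion_addr)
    return result


if __name__ == "__main__":
    print(demo())
```

The client end of the socketpair is not even a TCP socket, yet the inside host answers it normally: every byte it receives came from a connection the bastion opened, so the bastion is the place to log, authenticate and time out sessions.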

The proxy tools in the toolkit include a telnet proxy, an http proxy, an ftp proxy, an rlogin proxy, and a plug proxy. The plug proxy is designed to be flexible: it allows connections on chosen ports to be plugged straight through the firewall to a fixed destination, for use when the destination outside the firewall can be trusted. Each of the tools that were used is explained below.

The tn-gw is the proxy gateway server for the telnet service. It allows authorized users to connect to the proxy and then telnet to a machine on the opposite side of the firewall. The tn-gw proxy is bi-directional, meaning it can allow both outgoing and incoming telnet connections. The rules set up for tn-gw on the cpenet proxy allow inside users direct access to the proxy, and outside users access only once they have properly authenticated. The rules and their setup are explained later, in the section covering the netperm-table, the file the toolkit uses to set the rules for each proxy.

The second proxy set up on the bastion was http-gw, which provides both http and gopher proxy services. It can be configured with a default httpd server on the inside of the firewall to which http requests from the outside network are passed. With proxy-aware web clients the proxy is almost invisible to users of the internal network: once the client has the cpenet proxy set in its preferences, everything it retrieves from the web comes through the proxy.

The third proxy set up on cpenet.gmu.edu was the ftp proxy server. It is configured like the telnet gateway: users inside the firewall are allowed direct connections to the proxy, and users outside the firewall may use it only if they authenticate to the server.

The other application that makes up the firewall is the authentication server. Its purpose is to authenticate users outside the firewall before they are given access to the proxy services. The authentication server maintains a database of the users allowed to use each service of the proxy. Once authenticated, a user can use the services as if they were inside the firewall perimeter, so authorized users can also connect to computers inside the firewall.

In addition to the proxy applications there are three files that control the services performed by the bastion. The first of these is the services file. This file defines the ports and the services that operate on them; ports may be defined to suit the needs of the network, with the exception of the reserved range of ports. When a connection arrives on a port, this file lets the OS find the service entry in inetd.conf that starts the proper application to handle the request.

The second file is inetd.conf. Once a connection has arrived on a service port and the service has been determined, this file defines the full path of the program executed to handle the request. In this file the standard daemons that service the network ports are replaced by the proxy applications. Once a proxy has been started, the third file is read to determine the permissions and parameters for that proxy service. This file resides in the same directory as the proxy applications and is called netperm-table. In it access permissions can be set separately for the inside and the outside of the firewall, and settings specific to each proxy application can be given as well.
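The following is an added toy evaluator for the permit-hosts and deny-hosts lines of a netperm-table, written for this page and not taken from the toolkit; it models first-match evaluation of the rules as I understand it, with clients given as dotted addresses and fwtk's matching on resolved hostnames left out. The table inside it is a constructed example in netperm-table syntax for the 129.174.140.0 network (inside hosts get direct access, outside hosts must pass -auth, which is the policy described for tn-gw and ftp-gw above); the file paths, the deny-hosts line and the plug-gw line are hypothetical and are not the cpenet file.

```python
"""Toy evaluator for permit-hosts / deny-hosts lines of a netperm-table, added
as an illustration; my own simplified model of how the fwtk proxies decide
access, not code from the toolkit. Rules are scanned top to bottom and the
first permit-hosts or deny-hosts line for the application whose host pattern
matches the client decides; no match means deny. Clients are dotted addresses
(fwtk also matches resolved hostnames, which this model leaves out)."""
import fnmatch

# Constructed example in netperm-table syntax for the 129.174.140.0 network.
# Paths, the deny-hosts line and the plug-gw line are hypothetical.
SAMPLE_NETPERM_TABLE = """\
*:        authserver 127.0.0.1 7777
tn-gw:    timeout 3600
tn-gw:    permit-hosts 129.174.140.* -passok -xok
tn-gw:    deny-hosts 198.51.100.*
tn-gw:    permit-hosts * -auth
ftp-gw:   permit-hosts 129.174.140.* -log { retr stor }
ftp-gw:   permit-hosts * -auth
http-gw:  permit-hosts 129.174.140.*
plug-gw:  port 119 129.174.140.* -plug-to news.example.net -port 119
authsrv:  database /usr/local/etc/fw-authdb
authsrv:  permit-hosts localhost
"""


def parse(text):
    """Return a list of (applications, keyword, args) tuples, comments stripped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        apps, rest = line.split(":", 1)
        tokens = rest.split()
        rules.append(([a.strip() for a in apps.split(",")], tokens[0], tokens[1:]))
    return rules


def check_access(rules, app, client):
    """First matching permit-hosts/deny-hosts rule for `app` wins.
    Returns ("permit", options) or ("deny", ())."""
    for apps, keyword, args in rules:
        if keyword not in ("permit-hosts", "deny-hosts"):
            continue
        if "*" not in apps and app not in apps:
            continue
        patterns, options = [], []
        for tok in args:             # host patterns come first, then -options
            (options if (tok.startswith("-") or options) else patterns).append(tok)
        if any(fnmatch.fnmatchcase(client, p) for p in patterns):
            return ("permit", tuple(options)) if keyword == "permit-hosts" else ("deny", ())
    return ("deny", ())


def requires_auth(rules, app, client):
    """True when the client is let in only after authenticating to authsrv."""
    verdict, options = check_access(rules, app, client)
    return verdict == "permit" and "-auth" in options


def plug_target(rules, port, client):
    """plug-gw: the first 'port' rule for this port whose pattern matches the
    client gives the (host, port) the connection is plugged through to."""
    for apps, keyword, args in rules:
        if "plug-gw" not in apps or keyword != "port" or args[0] != str(port):
            continue
        pattern, opts = args[1], args[2:]
        if fnmatch.fnmatchcase(client, pattern):
            dest = opts[opts.index("-plug-to") + 1]
            dport = opts[opts.index("-port") + 1] if "-port" in opts else str(port)
            return dest, int(dport)
    return None


if __name__ == "__main__":
    table = parse(SAMPLE_NETPERM_TABLE)
    for app, host in (("tn-gw", "129.174.140.7"), ("tn-gw", "192.0.2.9"),
                      ("tn-gw", "198.51.100.3"), ("http-gw", "192.0.2.9")):
        print(app, host, check_access(table, app, host))
```

Reading the rules top to bottom is what makes line order matter: a deny-hosts line placed after `permit-hosts *` would never be reached, and an application with no permit-hosts line at all, like http-gw for outside clients here, is closed by default.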

For this project I determined that, at the request of the network owner, certain operations of the network should work transparently. To accommodate this the tools will need to be modified to allow packet routing for certain network services. The most important of these is the secure shell daemon, which provides a secure connection between a client and a remote host. Any such routed path reopens a direct route between the two networks, which is exactly what the dual-homed design removes, so it must be kept as narrow as possible. To provide a working firewall I will continue to explore the modifications that can be made to provide the most security possible while still providing the desired operation.


In completing this project I have learned a great deal about the Unix operating system and the operation of network services over the Internet. I will continue to develop the services and proxies hosted on the firewall.
