
83-10-42 Selecting an Internet Firewall

Marcus J. Ranum

Payoff

Internet security risks are, in reality, not that much different from other security problems that organizations face every day. It is the newness of the Internet that makes it seem more different and dangerous than anything else. In approaching Internet security, it should be considered as a fraction of the overall computer security requirements for the entire organization. Most important, computer security should be handled consistently throughout the enterprise. Without such an approach, a secure firewall may be protecting a wide-open network behind it. If the course of Internet security is uncertain, security should be based on comparable approaches for other vulnerable systems that have previously worked.

Introduction

Many organizations have or are about to have connections to the Internet, but they are alarmed at the risk of being broken into by hackers, industrial spies, or other electronic miscreants. The magnitude of this threat is difficult to assess in concrete terms. However, it is clear that not being connected to the Internet is a business risk as well, which may result in lost revenue, delays in time-to-market, or poor customer perception. As Internet connectivity becomes a common business infrastructure requirement like the FAX, more and more organizations will face these risks.

The Risks Associated with Internet Connections

Internet security risks are, in reality, not that much different from other security problems that organizations face every day. It is the newness of the Internet that makes it seem more different and dangerous than anything else. In approaching Internet security, it should be considered as a fraction of the overall computer security requirements for the entire organization. Most important, computer security should be handled consistently throughout the enterprise. Organizations are every bit as likely to be attacked through dial-up access, social engineering, dumpster diving, or PBX/toll fraud as they are over the Internet. It is unfortunate that organizations may invest a huge amount of money and effort in securing their Internet connection, but have unprotected modem pools without even passwords or dial-back, which allow access into the network behind the firewall. Management support and an architectural view of the organization are essential requirements to achieve a consistent security approach. Without a uniform approach, a secure firewall may be protecting a wide-open network behind it. If the course of Internet security is uncertain, security should be based on comparable approaches for other vulnerable systems that have previously worked.

Downtime

Probably the most expensive cost resulting from a break-in is downtime: system manager's time, time-to-market, and clean-up costs. In some cases, public embarrassment may also be a significant factor. Before deciding on any actions that may affect the organization's systems security, these questions should be asked:

· What needs protection?

· How likely is it that someone will want to break, steal, or alter the items needing protection?

· If they succeed, what will be the expense?

In some cases, the potential damage might be so high that no justification for Internet connectivity exists. Before reaching that conclusion, existing security practices should be examined. Frequently, organizations that have decided not to connect to the Internet permit dial-in access or have other lax security practices that are every bit as risky as a well-secured Internet connection.

Often, organizations with very restrictive firewalls or no formal Internet security policies have dial-out modems scattered around the network, as individuals who need Internet access simply obtain it through commercial Internet service providers. These links are potentially avenues of attack, like any other Internet links.

Sophistication of Attacks

Many managers do not understand the level of sophistication that attackers are showing. As a result, they either over- or underestimate the likelihood that their existing security (if they have any) will be compromised. In the recent past, attacks have been increasing in sophistication, including exploiting protocol level flaws and cryptographic flaws, and employing more clever social engineering tactics. A pattern has emerged wherein highly skilled attackers (called ueberhackers) develop tools for exploiting specific weaknesses, and eventually the tools find their way into the hands of less skilled or completely unskilled novices (called ankle biters) who can still employ them to penetrate sophisticated defenses. Attackers are also persistent and understand how to exploit the often tangled interconnections between corporate networks, modem pools, and other networks (such as X.25 networks or PC LAN software). In the last year, at least three cases were reported of firewalls being compromised from the inside by attackers who gained access to management networks through dial-in modems left unattended on users' desktops.

What implications does this have for the would-be connected site? Simply having a firewall in place does not make an organization invulnerable to attack. Other routes of attack into the network must be secured as well, and constant security awareness is mandated. Organizations with extremely critical data should put it behind internal firewalls and should further compartmentalize their networks to make it harder for attackers to succeed once they are in. In some cases, if data is extremely sensitive or mission-critical systems exist, not having an Internet connection, or having it only on a physically isolated network that is separate from the corporate backbone, should be considered.

Likelihood of Attack

A number of organizations have concluded that security is not a problem for them because “nobody will bother to attack them.” However, when an attacker is choosing a target, he or she usually does not bother researching the target to see if it may be valuable; it is easier to smash in and take a look around. As a result, attacks seem to be random. Systems that have important data are ignored in favor of systems that simply catch the attacker's eye. Recently, attackers who broke into a financial data base system were observed to completely ignore the financial data (worth millions of dollars) in favor of exploiting a back-door connection to a local university's computing center. The unpredictable nature of attacks makes it difficult to place a value on defenses. For example, a site with a very strong firewall and no important data might come under ferocious attack, and a different site with no security at all in front of mission critical systems may be completely ignored. Unless an organization's data is unimportant and employees' jobs are secure, it is foolish to assume that attackers will ignore any organization.


How to Assess the Risks of Internet Connections

To assess the risks of Internet connections, three questions should be considered:

· If something happens to the network, will it put the organization out of business?

· What are the Internet services that the organization wants to use?

· Based on the list of Internet services, should any special requirements be considered that may mandate additional security services?

Mission Critical Networking

The first question to ask when considering Internet connectivity is, “if something happens to the network, will it put the organization out of business?” Connecting to public networks greatly increases the chance of something happening, and that factor must be evaluated in designing an Internet connection. Regardless of whether a security problem could put an organization out of business, the kind of business damage that downtime or system clean-up might cost must be estimated.

Organizations with intellectual property or private data must also consider the potential for disclosure of trade secrets or the liability if a customer's private information is divulged. If an organization, for example, handles patient records, customer financial or credit card information, personal data, customer home addresses and demographic information, corporate attorneys should be consulted for information about effective business practices in the industry, and the data should be protected accordingly.

Service-oriented Requirements Analysis

One approach that is effective in determining what a firewall should do is the process of service-oriented requirements analysis. Rather than simply relying on technical details about what a firewall should provide, a list of the network services of which the organization wants to take advantage should be compiled. A typical set of Internet services can include:

· Access to the World Wide Web, including FTP.

· The ability to send and receive E-mail.

· The option of subscribing to USENET newsgroups.

· The ability to Telnet out to remote sites.

Defining Security Requirements for Services

Based on the list of services to be provided to an organization's users, any special requirements should be considered that may mandate additional security services. The organization should determine what kinds of audit trail or records (if any) are required that relate to transactions traveling through the network. An organization's requirements should be modeled on other “real life” services the organization uses, and the security policies should remain consistent. For example, if a security policy states that users cannot FTP data out, those users should not be able to send E-mail or mail floppy disks with data through the postal system. A consistent approach to security is key to a security program that works, or at least, does what the designers intended it to do.


Another important consideration when approaching security is the growth plan for the organization's network. For example, if a firewall or Internet connection is installed that provides a few services today, will that solution work three years from now? This does not mean that the same hardware will be in place, because the lifecycles of network equipment for Internet connections are fairly short. The basic architecture that is put in place is likely to be viable in the long term.

Different Types of Firewalls

A firewall should be thought of as a gap between two networks, filled with something that lets only a few selected forms of traffic through. The designers of the firewall should be able to explain the mechanism that enforces the separation, as well as the mechanisms that carry data back and forth. Another important aspect of a firewall is how well it protects itself against attack. In other words, the firewall itself should not be easy to break into, because breaking into the firewall will give an attacker an entree into an organization's entire network.

Router Screening

The simplest and most popular form of firewall is router screening. Most commercial routers have some built-in capability to block traffic between particular sources and destinations while permitting other traffic. Screening routers operate only at the network level and make all their permit or deny decisions based on the contents of the TCP/IP packet header. They are very fast, very flexible, and inexpensive, but they lack the ability to provide detailed audit information about the traffic they transmit. Screening routers have often proved vulnerable to attack, because they also rely on software being correctly configured on the hosts behind them. Many experts, for this reason, prefer to avoid screening routers as a sole defense.

Dual-Homed Gateway

A second form of firewall is the dual-homed gateway, which is a system with two network interfaces that sits on both the protected network and on the public network. Because the gateway can communicate with both networks, it is an ideal place to install software for carrying data back and forth. Such software agents are called proxies and are usually customized for the service that they are intended to provide. For example, a dual-homed gateway that has a proxy for WWW traffic has some form of agent running on it that manages to make requests to the remote networks on behalf of the user.

Proxy Firewalls

Proxy firewalls (also known as application firewalls) are attractive to many sites, because the proxies are able to perform a detailed audit of the data passing through them. According to many experts, they are also more secure, because the software proxies can be customized to specifically deflect known attacks to which the host software behind the firewall might be vulnerable. The main disadvantage of proxy firewalls is that they are sometimes not completely transparent, and they do not support protocols for which a proxy has not been developed.
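The audit and attack-deflection advantages of a proxy follow from the fact that it parses the application protocol, where a screening router sees only the packet header and can allow all of port 25 or none of it. As an added illustration (not code from this article or from any firewall product it names), the Python below shows the command-inspection step of a hypothetical SMTP proxy: it relays only commands it understands, refuses VRFY and EXPN outright, checks the syntax of mailbox arguments so that a shell pipe cannot be smuggled through as an address, enforces the command-line length limit, and writes an audit record for every line whether or not it was forwarded. The command set, the reply codes chosen for refusals, and the client session at the bottom are constructed for the example.

```python
"""Command inspection for a hypothetical SMTP application proxy.

Added illustration, not code from the article or any product it names.
The client session at the bottom is constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Commands the proxy understands and is willing to relay to the inside
# mail server.  VRFY and EXPN are deliberately absent: they disclose
# account names, and a proxy can simply refuse to pass them on.
ALLOWED = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

# RFC 821 command-line limit, CRLF included.  Lines beyond it are a classic
# way to trigger bugs in the mailer behind the firewall.
MAX_LINE = 512

# Conservative mailbox syntax: <local@domain> or the null sender <>.
# Anything else (spaces, quotes, pipes, paths) is refused, so an argument
# such as <|/bin/sh> never reaches the inside mailer.
MAILBOX_RE = re.compile(r"^<([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+)?>$")


@dataclass
class Verdict:
    forward: bool            # relay the line to the inside server?
    reply: Optional[str]     # reply the proxy returns itself when refusing
    audit: str               # record written to the audit trail either way


def inspect(line):
    """Decide whether one client command line may be relayed."""
    if len(line) > MAX_LINE:
        return Verdict(False, "500 Line too long", "DROP overlong line")
    raw = line.rstrip("\r\n")
    if not raw.isascii() or not raw.isprintable():
        return Verdict(False, "500 Syntax error", "DROP non-printable or non-ASCII bytes")
    parts = raw.split(None, 1)
    verb = parts[0].upper() if parts else ""
    arg = parts[1] if len(parts) > 1 else ""
    if verb not in ALLOWED:
        return Verdict(False, "502 Command not implemented", f"DENY {verb or '<empty>'}")
    if verb in ("MAIL", "RCPT"):
        keyword = "FROM:" if verb == "MAIL" else "TO:"
        if not arg.upper().startswith(keyword):
            return Verdict(False, "501 Syntax error in parameters", f"DENY {verb} malformed")
        mailbox = arg[len(keyword):].strip()
        if not MAILBOX_RE.match(mailbox):
            return Verdict(False, "501 Syntax error in parameters",
                           f"DENY {verb} bad address {mailbox!r}")
        return Verdict(True, None, f"FORWARD {verb} {mailbox}")
    return Verdict(True, None, f"FORWARD {verb}")


def proxy_session(lines):
    """Run a client's command lines through the proxy.

    Returns the lines actually relayed to the inside mail server and the
    audit trail, which has one entry per line the client sent.
    """
    forwarded, audit = [], []
    for line in lines:
        verdict = inspect(line)
        audit.append(verdict.audit)
        if verdict.forward:
            forwarded.append(line)
    return forwarded, audit


# Constructed client session: legitimate commands mixed with a VRFY probe,
# a pipe smuggled in as a recipient, and an over-long line.
SESSION = [
    "HELO mail.example.org\r\n",
    "VRFY root\r\n",
    "MAIL FROM:<alice@example.org>\r\n",
    "RCPT TO:<|/bin/sh>\r\n",
    "RCPT TO:<bob@example.com>\r\n",
    "NOOP " + "A" * 600 + "\r\n",
    "DATA\r\n",
    "QUIT\r\n",
]

if __name__ == "__main__":
    relayed, trail = proxy_session(SESSION)
    for entry in trail:
        print(entry)
    print(f"{len(relayed)} of {len(SESSION)} lines reached the inside server")
```

Of the eight lines the client sends, five reach the inside mailer; the refused ones are answered by the proxy itself and recorded in the audit trail with the reason. This is also what the article means by a proxy being less transparent: a client that depends on VRFY, or on a mailbox syntax the proxy does not accept, will see different behaviour than it would talking to the mailer directly.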

Dynamic Packet Filtering

Recently, a number of firewalls based on dynamic packet filtering have appeared on the market. A dynamic packet filter firewall is a cross between a proxy firewall and a screening router. To the end user, it looks like it is operating only at the network level, but the firewall is examining the traffic as it passes by, just like a proxy firewall's proxy application does. When a user connects out through the firewall, it records that fact and allows data to come back in (i.e., through the firewall) to the user for the duration of that session. Dynamic packet screening firewalls are an attractive technology that is still evolving, but which shows promise for the future.
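To make the difference between a screening router's static rules and a dynamic packet filter concrete, the following is an added illustration in Python, not code from this article. It models the header fields a screening router can see, a stateless rule set that admits any inbound packet carrying the ACK flag (the usual way a screening router approximates “established” traffic), and a dynamic filter that records each outbound connection and admits only the matching reply packets while the session lasts. The protected network 10.1.0.0/16, the hosts, and the packet trace are constructed for the example.

```python
"""Static screening-router rules versus a dynamic (stateful) packet filter.

Added illustration, not code from the article.  The protected network
10.1.0.0/16, the hosts and the packet trace are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("10.1.0.0/16")  # constructed protected network


@dataclass(frozen=True)
class Packet:
    """Just the header fields a screening router can see."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False


def from_inside(p):
    return ipaddress.ip_address(p.src) in INSIDE


def static_screen(p):
    """Stateless rule set of the kind a screening router enforces.

    1. Anything that originates inside may go out.
    2. An inbound packet is admitted only if its ACK flag is set (a SYN/ACK
       reply qualifies, a bare SYN does not), on the theory that it then
       belongs to a connection an inside host opened.  The router cannot
       check that theory: a forged ACK-only packet aimed at an inside port
       is admitted just the same.
    """
    if from_inside(p):
        return True
    return p.ack


class DynamicFilter:
    """Dynamic packet filter: records each outbound connection and admits
    only the matching reply traffic for the life of that session."""

    def __init__(self):
        self.sessions = set()   # (src, sport, dst, dport) of outbound connections

    def decide(self, p):
        if from_inside(p):
            key = (p.src, p.sport, p.dst, p.dport)
            if p.syn and not p.ack:
                self.sessions.add(key)   # new outbound connection
            allowed = True
        else:
            # Inbound: admitted only as the reverse of a recorded session.
            key = (p.dst, p.dport, p.src, p.sport)
            allowed = key in self.sessions
        if allowed and p.fin:
            # Session closing: forget it so nothing can ride on it later.
            # (Real implementations also age entries out on a timer.)
            self.sessions.discard(key)
        return allowed


# Constructed trace: an inside user browses out, then an outside attacker
# probes an inside file-sharing port with an ACK-only packet and a SYN.
TRACE = [
    Packet("10.1.2.3", 40001, "198.51.100.7", 80, syn=True),
    Packet("198.51.100.7", 80, "10.1.2.3", 40001, syn=True, ack=True),
    Packet("198.51.100.7", 80, "10.1.2.3", 40001, ack=True),
    Packet("203.0.113.9", 6666, "10.1.5.5", 139, ack=True),
    Packet("203.0.113.9", 6667, "10.1.5.5", 139, syn=True),
]


def run(trace):
    """Return the two filters' verdicts for each packet, in trace order."""
    dyn = DynamicFilter()
    return [static_screen(p) for p in trace], [dyn.decide(p) for p in trace]


if __name__ == "__main__":
    static, dynamic = run(TRACE)
    for p, s, d in zip(TRACE, static, dynamic):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  static={s}  dynamic={d}")
```

Both filters pass the user's Web session and both stop the attacker's SYN, but only the dynamic filter stops the fourth packet: the ACK-only probe matches the static “ACK set” rule even though no inside host ever opened a connection to 203.0.113.9. That probe is exactly the kind of header-only trick the article has in mind when it says screening routers rely on the hosts behind them being correctly configured.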

Security Compromises in Firewalls

Firewalls, like many other security systems, are not perfect. The compromise or trade-off that they usually represent is between ease of use and security. The more rigorously the firewall checks the user's identity and activity, the more likely the user is to feel interrupted, pestered, and resentful. When choosing a firewall, user resentment should not be discounted as a factor in the decision-making process. Many sites with firewalls have internal networks festooned with uncontrolled dial-in and dial-out modems installed by users to bypass the firewall by subscribing to commercial online services. If the security system chosen is not useful and easy to use, end users will bypass it, unless there is sufficient authority to prevent them.

Proxy firewalls provide more effective auditing and tighter access control than screening router firewalls, but many do not have sufficient capacity to support network connections faster than ethernet speed. If an organization plans on using ATM networks or T3 lines, the only choice may be to use a screening router type firewall.

Case Studies

Below are three situations where firewalls need to be employed, but where the nature of the users seeking Internet connectivity presents some interesting challenges. The first two, academia and research laboratories, share common difficulties, and the third, electronic commerce applications, presents other obstacles to implementing a secure Internet connection.

An Academic Organization

Academic organizations, such as universities, typically have the most difficulty setting up a firewall. This may be due to notions of academic freedom and that the user community usually wants to experiment with a variety of features of the network. These users may also tend to resent or circumvent a firewall that interferes with their activities. Moreover, academic organizations often have independent departmental budgets and semi-autonomous use of the campus network, which makes it difficult to enforce a common security approach. If one department in the university installs a security system that interferes with the others, they can and do simply purchase new network links to bypass it. One approach that seems to work for academia is to isolate critical computing systems behind internal firewalls. Systems where student records, loan information, and paychecks are processed should be isolated from the main campus networks by placing them behind screening routers or commercial firewalls.

A Research Laboratory

Research laboratories are often another difficult case. Scientists expect to use the network for collaboration and research access to late-breaking information. In many cases, however, the research may be economically significant and should be protected. Systems where patent applications or designs for proprietary products reside, for example, should be isolated and protected; or a second network, which is Internet accessible and physically separate from the internal research network, should be considered.

Research laboratories have many of the same problems as academia, because they tend to have user communities that want to be on the cutting edge and they will not tolerate interference. Perhaps more than anything else, it is important to get staff to recognize that intellectual property must be protected. Many research laboratories are connected to the Internet behind commercial proxy-based firewalls that are fairly conservative but which permit access to the Web and other sources of information. Other research laboratories rely on separated networks or isolated systems for storing proprietary information.

An Electronic Commerce Application

As electronic commerce becomes more important, the need to pass commercial traffic into and out of firewalls will become more crucial. Service-oriented requirements analysis is a useful tool for designing and implementing such systems. For example, suppose that an organization wants to put a Web server on an external network and to provide data base access of some sort to a system behind a firewall. In this case, the requirement is to get data back and forth for SQL only. A screening router firewall configured to just allow the SQL data between the outside Web server and the inside server might be chosen. A commercial firewall that permitted some kind of generic proxy or which supported a SQL service might be another option.

Managerial Issues

Previously discussed have been the common security issues surrounding firewalls. Other managerial issues must be considered as well, such as maintenance, building a firewall (as opposed to purchasing a ready-made one), and answering the question, “Is it secure?”

Maintaining Typical Firewalls

Typical firewalls require about an hour of labor power per week to maintain. This hour does not include the other Internet-related time that the firewall administrator (or someone) will expend. Internet connectivity requires someone to act as postmaster for E-mail, Webmaster (potentially), FTP maintainer, and USENET news manager.

Each of these tasks is time-consuming, and each can become a full-time job for an individual. Often, the firewall administrator becomes responsible for a lot of tasks in addition to firewall maintenance. He or she is usually the first person contacted or interrupted when someone detects a problem or cannot get their Web browser to talk to the firewall, for example.

Building a Firewall

A number of tools are available for building a firewall. Trusted Information Systems, Inc.'s Internet Firewall Toolkit is a freely available reference implementation of a set of firewall application proxies. It is available through anonymous FTP from ftp://ftp.tis.com/pub/firewalls/toolkit. When building a firewall by using a router or a router and the toolkit, the router's built-in screening can be advantageous. Brent Chapman and Elizabeth Zwicky's book on firewalls, Building Internet Firewalls, describes some approaches to setting up a screening router.

An important factor to weigh when deciding whether to build or buy a firewall is the cost of staff time. Having an employee devote a week to building a firewall may not be cost effective. In addition, providing support over the long term will further increase costs.


Before such a variety of commercial firewalls were available, many companies hired consultants to build their firewalls. Today, this is not a cost-effective option, because consultants eventually cost more than purchasing a commercial firewall, and a custom-built firewall may not be supportable or enhanceable over time.

Is the Firewall Secure?

Is a firewall secure? This is a difficult question to answer, because no formal tests exist that can be easily applied to something as flexible as a firewall. A safe rule of thumb is that the more the firewall lets in and out, the less likely it is to be resistant to attack. The only firewall that is absolutely secure is one that is turned off.

If the quality of a firewall from a particular vendor is worrisome, common sense should be applied. The same kinds of questions that would be asked of vendors about any other mission-critical product purchase should be considered. For example, how long have they been in the business, what is the size of their installed base, and do they have independent experts review their design and implementation. A vendor should be able to clearly articulate how the design of their firewall leads to its security. An organization should be wary of accepting a vendor's hand-waving or insinuations that their competitors' products are insecure.

Cost Issues

In addition to managerial concerns, there are cost issues. The most commonly asked question is: does more expense buy more security?

Does More Expensive Buy More Security?

A common misconception about firewalls is that what is gotten is what is paid for, and, therefore, the more expensive a firewall, the more secure it is. Unlike PC hardware, which is a commodity market, the firewall market has not yet settled down enough for consistent and competitive pricing to evolve. Most firewalls available commercially cost between $10K and $20K, but the more expensive offerings can cost as much as $80K and upwards. A firewall buyer should show some healthy skepticism when it comes to cost versus value. If a firewall costs twice as much as another, the seller should be able to clearly explain why its product is twice as good.

Costs and Delivery

Before purchasing a firewall, it is important to be familiar with what typical installations involve and what are the deliverables that can be expected of a vendor.

A Typical Firewall Installation

Most firewalls used to be sold as consulting packages. When a firewall was sold, part of its cost was installation and support, usually involving a consultant from the vendor arriving onsite and assisting with the installation. Many of the sites that were connecting to the Internet had no local TCP/IP expertise, so the firewall installer's job often also encompassed configuring routing and other tasks like setting up internal domain name servers and sendmail. Some vendors still provide such a level of service, and others simply ship a power-on-and-configure turnkey solution.

Typically, when a firewall is installed, the Internet connection must be ready, but not connected to the protected network. The firewall installer arrives, tests the machine's basic function, and then may lead a meeting in which to work out the details of how the firewall will be configured: what access control policy should be put in place, where E-mail should be routed, and where logging information should be forwarded, for example. Once the installer clearly understands how the firewall should be configured, it is connected to the Internet side and tested for correct operation with the network. Then, the firewall's access control rules are installed and checked, and it is connected to the protected network. Typically, some basic interoperation tests are performed, such as Web access and E-mail sending and receipt. When everything checks out positively, the organization is connected to the Internet.

What Vendors Typically Provide with a Firewall

Most vendors provide some kind of support period for basic questions pertaining to the firewall. Many provide an installation service such as the one previously described, which is valuable because the organization is given an opportunity to tailor its firewall in a way that makes sense for it, while having a qualified vendor support ready to help. Often, a difficult part of setting up a firewall is getting the various software packages behind the firewall to talk correctly to it. Some vendors provide direct support as far as hooking PC LAN mail systems into the firewall's mailer or configuring domain name servers. If an organization does not have technical skills in these areas, having a vendor that is able and willing to support a custom configuration is a big time and energy saver.

Some Internet Service Providers (ISPs) offer a supported firewall as part of their connectivity service. For organizations that are new to TCP/IP or that are in a hurry, this is an attractive option, because the network support, leased line support, and firewall support are all supplied by the same vendor. The single most important service that vendors can provide with their firewalls is an understanding of how to make a sensible security policy. Unless an organization is certain that it understands what traffic it's letting into and out of its network, it is not safe to just install a firewall that lets users point and click to decide what information to allow through.

Some firewalls can be configured to allow through things that they normally should not, on the assumption that users are experts and know what they are doing. Support from the vendor in getting everything set up with a reasonable baseline helps keep an organization from having a firewall that is accidentally configured to allow an attack through it.

What Vendors Typically do not Provide with a Firewall

Vendors typically do not configure internal legacy systems to work with the firewall. For example, most firewalls assume that they are talking to the Internet on one side and a TCP/IP network on the other. Usually, it is the customer's responsibility to have TCP/IP capable systems on the inside network, which the firewall can interact with. For E-mail, firewalls mostly support only Simple Mail Transfer Protocol (SMTP), and it is the customer's responsibility to have an SMTP compatible system someplace on the inside. Often, it is also the customer's responsibility to know any system specific configuration changes necessary to get that internal SMTP system to forward all Internet outbound mail to the firewall. Unless an organization is buying a firewall from an independent service provider, it is usually the customer's responsibility to have a class C IP network address and domain name allocated.

Conclusion

Choosing a firewall is a lot like choosing a car. The natural assumption is that choosing a car is easy because by the time most drivers can afford one, they already have accumulated a lot of the information needed to be able to assess quickly and easily the cost/benefit performance and convenience tradeoffs that different cars represent. The best way to ensure that a firewall is suitable is to gather enough information so that a choice can be made wisely. Books, such as the following, are also available: Firewalls and Internet Security: Pursuing the Wily Hacker by Bill Cheswick and Steve Bellovin, published by Addison-Wesley, and Building Internet Firewalls by Brent Chapman and Elizabeth Zwicky, published by O'Reilly and Associates.

Author Biographies

Marcus J. Ranum

Marcus J. Ranum, Chief Scientist at V-One Corporation, is the principal author of several major Internet firewall products, including the DEC SEAL, the TIS Gauntlet, and TIS Internet Firewall Toolkit. Ranum has been managing UNIX systems and network security for over 13 years, including configuring and managing whitehouse.gov during its first year of operation. Ranum's personal website address is: http://www.clark.net/pub/mjr. V-One Corporation's website address is: http://www.v-one.com.
