AN AUDIT AND RISK HANDLING PROTOTYPE FOR FIREWALL TECHNOLOGY
by
ESTÉE VAN DER WALT
DISSERTATION
Submitted in compliance with the requirements for the degree
MAGISTER SCIENTIAE in the subject of COMPUTER SCIENCE in the FACULTY OF SCIENCE at the
RAND AFRIKAANS UNIVERSITY
Supervisor:
PROF. J.H.P ELOFF
Abstract
Throughout the years, computer networks have grown in size and complexity. This growth has contributed to the need for network security. As more and more people use computers and the Internet, more confidential documentation is being kept on computers and sent to other locations over a network.
To implement network security, the security administrator should first identify all the needs, resources, threats and risks of the organisation to ensure that all areas of the network are included within the network security policy. The network security policy contains, amongst others, the information security services needed within the organisation’s network for security. These information security services can be implemented via many different security mechanisms. Firewalls are but one of these security mechanisms.
Today, firewalls are implemented in most organisations for network security purposes. The author, however, feels that the implementation of only a firewall is not enough. Tools such as log file analysers and risk analysers can be added to firewall technology to investigate and analyse the current network security status further for an indication of network failure or attacks not easily detectable by firewalls.
Firewalls and these tools do, however, also have their own problems. Firewalls rarely use the information stored within their log files and the risk handling services they provide are not very effective. Most analysis tools use only one form of log file as input and therefore report on only one aspect of the network’s security. The output of the firewalls is rarely user-friendly and is often not real-time. The detection of security problems is consequently a very difficult task for any security administrator.
In response to these problems, the author has developed a prototype, the firewall analyser (FA), an analysis tool that performs log file- and risk analysis of the underlying networks of the organisation. Although the prototype represents only an example of the functionality added to a firewall, it illustrates the concept of the necessity and value of implementing such a tool for network security purposes.
The FA solves the problems found in firewalls, log file- and risk analysis tools by reporting on the latest security status of the network through the use of a variety of log files. The FA uses not only the firewall log files as input to cover a greater area of the network in its analysis process, but also Windows NT log files. The real-time reports of the FA are user-friendly and aid the security administrator immensely in the process of implementing and enforcing network security.
Summary (Afrikaans abstract)
Network security can become very complex, and even more so where a variety of resources, networks and people are involved. As computers are used more and more these days, the amount of confidential information stored and sent over any form of network increases drastically. Network security is therefore essential to the implementation and maintenance of a secure network.
Before network security can be implemented, the security administrator must first identify all needs, resources, network threats and risks in the network. All areas of the network will thus be covered by the network security policy. This security policy describes, among other things, the security services that will be needed in the network to ensure network security. These security services can be implemented by a variety of security mechanisms, of which firewalls are one.
The author feels, however, that the implementation of only a firewall will not be enough for security purposes. Additional software, such as log file and risk analysers, can be used to examine the network status for any further indications of successful attacks and network failures that could not be detected by the firewall.
Firewalls and the above-mentioned software are, however, also not perfect. Firewalls do not make sufficient use of the information contained in the log files, and the risk handling services are inadequate. Since most analysis software makes use of only one log file source, the reports are not always representative of the whole network. The reports are also very seldom user-friendly and mostly outdated. The detection of security problems is therefore very difficult for any security administrator.
Following the latter problems, the researcher has developed a prototype to address these problems. This prototype is known as the firewall analyser (FA). The FA delivers real-time, user-friendly reports. The FA also makes use of several log file sources in order to cover a greater area during the investigation of network security. The security administrator is thus supported by the FA during the implementation and maintenance of the organisation’s security policy.
TABLE OF CONTENTS
Research objectives and overview ...1
1.1 Introduction ...1
1.2 Network security...2
1.3 Terminology ...3
1.4 Research objectives ...5
1.5 Outline of the dissertation...6
Firewalls within the context of network security...10
2.1 Introduction ...10
2.2 Network security...11
2.3 The identification process...11
2.4 The network security policy ...14
2.5 Information security services (ISS)...17
2.5.1 Identification and authentication ...18
2.5.2 Authorisation (logical access control) ...19
2.5.3 Confidentiality ...20
2.5.4 Data integrity...21
2.5.5 Non-repudiation or non-denial ...21
2.5.6 Availability...22
2.5.7 Audit ...22
2.5.8 Risk handling ...22
2.6 Network security mechanisms...23
2.6.1 State-of-the-art security mechanisms ...24
a) Prevention mechanisms...24
b) Detection mechanisms...26
c) Recovery mechanisms...26
2.7 Firewalls and network security ...27
2.8 Conclusion ...27
Firewalls...29
3.3 The components of a firewall ...32
3.4 Firewall filtering techniques ...35
3.4.1 Old-generation filtering techniques ...35
a) Packet filtering ...36
b) Application-level gateway (proxy server) ...37
c) Circuit-level gateways ...38
3.4.2 New-generation firewall filters...39
a) Stateful multi-layer inspection (SMLI)/stateful inspection firewall...39
b) SOCKS ...40
3.5 Firewalls and ISS ...40
3.5.1 Identification and authentication ...40
3.5.2 Authorisation...41
3.5.3 Confidentiality ...41
3.5.4 Integrity ...42
3.5.5 Non-repudiation ...43
3.5.6 Availability...44
3.5.7 Audit ...44
3.5.8 Risk handling ...44
3.6 Conclusion ...44
Firewall logs ...46
4.1 Introduction ...46
4.2 Log files...47
4.2.1 Network log files [INNO98] ...47
4.2.2 Application log files [INNO98] ...48
4.2.3 A combination of both ...48
4.3 Log file analysers ...49
4.3.1 Application log file analysers...49
4.3.2 Network log file analysers ...50
4.3.3 Combined log file analysers...50
4.4 Firewall log file analysers ...51
4.5 The audit ISS ...52
4.7 Firewall risk analyser...54
4.8 Conclusion ...56
A conceptual model ...57
5.1 Introduction ...57
5.2 The concept ...58
5.3 Firewall analyser (FA) ...61
5.4 Conclusion ...64
The FA: A prototype...66
6.1 Introduction ...66
6.2 Scenario ...67
6.2.1 Without the FA ...67
6.2.2 With an FA ...69
6.3 The FA ...70
6.3.1 The start-up screen...71
6.3.2 Configuration screens...71
6.4 The FA reports ...75
6.4.1 A firewall log file report ...75
6.4.2 Network analysis reports ...76
a) Traffic reports...77
b) Connection reports...79
c) WWW statistic reports...82
6.4.3 Risk analysis reports...83
6.5 Summary...87
Technical working of prototype ...89
7.1 Introduction ...89
7.2 Components of the FA ...90
7.2.1 Configuration ...91
7.2.2 Management...92
7.2.3 Log report ...93
7.2.4 Network analysis...93
7.2.6 Timer ...97
7.3 Conclusion ...97
Summary...99
8.1 Introduction ...99
8.2 The prototype ...99
8.5 Future research ...102
References...105
Article ...111
B.1 Introduction ...112
B.2 Related work ...115
B.3 The Firewall Analyser (FA) ...117
B.4 Log analysis ...120
B.5 Risk analysis ...121
B.6 Conclusion and future work ...124
B.7 Resources...127
Source code methods...129
C.1 The configuration module methods...129
C.2 Management module methods ...130
C.3 The Timer module methods...131
C.4 Log report module methods...131
C.5 Network analysis module methods ...131
C.6 Risk analysis module methods ...133
The FA on the Internet ...136
D.1 The dissertation ...136
D.2 The FA’s source code...137
LIST OF FIGURES
Figure 1.2: A road map of the dissertation ...7
Figure 3.1: Firewall positioning...31
Figure 3.2: The components of a firewall ...34
Figure 3.3: Packet filtering firewall ...37
Figure 3.4: Application-level firewall ...38
Figure 3.5: Circuit-level gateways ...39
Figure 3.6: An example of a firewall rule ...41
Figure 3.7: Confidentiality in a VPN ...42
Figure 3.8: Integrity in a VPN ...43
Figure 3.9: Non-repudiation and firewalls...43
Figure 4.1: An example of a network log file ...47
Figure 4.2: An example of an application log file...48
Figure 4.3: An example of a firewall log file...49
Figure 4.4: Logging in firewalls...52
Figure 5.1: Our home environment ...58
Figure 5.2: The Internet environment ...60
Figure 5.3: The position of the FA ...62
Figure 5.4: The main components of the FA ...64
Figure 6.1: Scenario without an FA ...67
Figure 6.2: Output of the firewall ...69
Figure 6.3: Scenario with an FA ...70
Figure 6.4: The splash screen...71
Figure 6.5: Path configuration screen ...72
Figure 6.6: Knowledge base configuration ...73
Figure 6.7: FA’s main screen ...75
Figure 6.8: A firewall log file report...76
Figure 6.9: Bytes-sent-and-received network analysis report...78
Figure 6.10: Interface-activity network analysis report ...79
Figure 6.11: Interface-per-protocol network analysis report ...80
Figure 6.12: Protocols-during-the-day network analysis report ...81
Figure 6.15: Protocol-risk-per-hour graph ...85
Figure 6.16: The login-risk report ...86
Figure 7.1: The FA components...90
Figure 7.2: An example of the declaration of risk values ...92
Figure 8.1: Improved FA architecture ...103
Figure B.1: Current firewall loopholes ...114
Figure B.2: The FA components ...119
Figure B.3: User-per-protocol analysis graph...120
Figure B.4: Http-risk-per-hour graph ...122
Figure B.5: The login-risk report...123
Figure B.6: Solution to the firewall loopholes ...125
LIST OF TABLES
Table 3.1: Internet information security services vs. firewall components...35
Table 7.1: Information needed vs. the graphical visualisation provided ...94
Table 7.2: Information needed vs. the graphical visualisation provided ...96
CHAPTER 1
Research objectives and overview
1.1 Introduction
The need for reliable, available, fast and secure electronic resources plays a very important part in the management, design and success of an organisation.
Most organisations have at least one intranet to connect printers, computers, servers, telephone systems and fax machines inside the organisation to create a more efficient and reliable working environment. Remote locations are connected via an extranet. The extranet combines the local and remote resources of the organisation into one large virtual network that is available from anywhere inside the organisation’s infrastructure.
Organisations are also connecting to the Internet on a daily basis and exploring the features and applications that the Internet offers by communicating via email, searching for information on the Internet and downloading software from the Internet [PAGU96]. The Internet can be seen as a combination of the networks of different organisations into one large global network that contains an unimaginably large amount of information and other electronic resources.
It is thus evident that many people have access to some form of networked information or resource and that networks are more vulnerable to internal or external attacks, break-ins and viruses than ever before. A need to see who can break into the most “secure” and high profile organisation’s network has also been created within a certain group of people more commonly known as hackers.
Not only are an organisation’s resources at stake, but personal workstations are also under attack [HUMM00]. This is because employees are doing more and more work from home. The security of personal workstations is, however, beyond the scope of this dissertation and the focus will rather be on attacks made on the resources within the close perimeter of an organisation itself and the securing of these resources.
Network security plays a major role in securing the logical assets and resources of an organisation. Without proper network security in place, the organisation’s assets and resources are always vulnerable to attack and the organisation could lose millions. Network security therefore needs to play a very important role in the organisation’s IT infrastructure as well as in any other department.
1.2 Network security
Different forms of network security have already been developed to offer protection against all these threats mentioned above. People have, for example, been informed how to keep their information safe using passwords and protecting their computers against other malicious as well as accidental activities. Some network security mechanisms include the use of firewalls, where the information and resources inside an organisation are protected from the ‘outside’ via the use of filters, virus detectors and data stream regulators.
The implementation of network security is very complex and it is therefore implemented as a series of smaller steps:
• During the first step, security-related issues, for example the need for security, the threats to resources and the risks involved with having a non- or partially secure system, are identified. This is done via surveys, brainstorming and questioning of the appropriate personnel.
• The identification step is followed by the development of a network security policy. The network security policy must provide strategies on how to handle, minimise or even cancel the threats that put the network and resources in danger of any security breaches. The network security policy must also identify the information security services needed in the organisation’s network and must have the support and full commitment of management and all the employees within the organisation.
• In the last step the necessary information security services are implemented. Security mechanisms, for example firewalls and password protection mechanisms, will then be used to implement some of these information security services required.
It is these information security services that are the centre point of network security. Without these information security services there will be no network security. It is thus crucial that all the information security services are defined within the network security policy and consequently implemented on the network.
1.3 Terminology
The following terms and concepts will be used throughout this dissertation:
Network security – Network security is the term used to describe securing any electronic network of an organisation against events that can either be accidental, for example the loss of information owing to a fire or earthquake, or pre-planned with the intent to do something mischievous, for example hacking into the organisation’s network from an Internet cafe.
Hackers – Some people attack the network with specific intentions. These people can be divided into three groups, i.e. hackers, crackers and phreakers. Hackers break into a network just to get access, whereas crackers break into a network with the intention of stealing, breaking or damaging network information and resources. Phreakers, on the other hand, break into telephone lines with the intention to steal, break or damage telephone systems. In this dissertation, the term ‘hacker’ will be used to refer to any person attacking an organisation’s network or posing a threat to it.
Security administrator – An administrator is someone who manages the computer networks of the organisation, whether it is to install the firewall or network, maintain the firewall or network, install the necessary software on workstations or implement the defined network security policy. The term ‘security administrator’ will be used throughout this dissertation to describe any type of administrator responsible for implementing network security.
Firewalls – A firewall is software or hardware implemented within the organisation’s network. It is the firewall’s responsibility to protect the organisation’s network against a wide variety of attacks originating from within or outside its network. The term ‘firewall’ will not refer to any personal firewall [HUMM00] in this dissertation, as the discussion of enforcing and implementing security on a personal workstation is beyond the scope of this dissertation.
ISS – The term ‘ISS’ will be used to refer to the information security services discussed throughout this dissertation that are valuable for ensuring network security.
Firewall analyser (FA) – The FA is the term used for the prototype developed in this dissertation. The FA provides a solution to some of the current voids or gaps in network security.
1.4 Research objectives
Firewall technology is one of the security mechanisms that can be implemented to secure the organisation’s network against the known network security threats. However, firewalls also have problems.
Problem 1: Individual threats are overlooked and the objective is only to protect the network as a whole.
A problem currently experienced in the industry is that firewalls are implemented to protect the network of an organisation as a whole and the individual network threats are overlooked. The firewall consequently does not really provide the necessary protection from these individual attacks.
Problem 2: No differentiation between ISS.
Owing to the inherent complexity of security, it has to be viewed as a collection of different security services and not as one large service (firewall) on its own. This means that a firewall should implement some of the defined ISS according to the organisation’s needs. The assumption should never be made that a firewall automatically implements the necessary and expected network security.
Organisations must be able to answer questions such as the following: Does the firewall provide a confidentiality and integrity service? Can the data produced by the firewall be used in a dispute of non-denial?
Problem 3: The information in the log files is not used fully.
Another major problem with current firewall technology is with the logging of activities on the firewall. Firewalls often provide enough information about the network activities, but this information is not used owing to the lack of proper firewall management information systems.
Problem 4: Analysis of only a specific part of the network.
The log file- and risk analysis tools use archived log file information to inspect the current network status. These tools seldom use multiple input sources, which leads to the reports covering only a specific part of the organisation’s network. This leaves other network areas vulnerable to attacks.
Problem 5: Reports are not user-friendly.
The reports produced by log file- and risk analysis tools are not very user-friendly. It is thus sometimes difficult for the security administrator to detect possible network security problems.
The objective of this dissertation is to show the importance of network security and the individual ISS offered via a firewall to solve problems 1 and 2. A prototype has also been developed to support the objective by providing a solution to problems 3 to 5. It will be shown how the FA makes effective use of the information in the firewall’s log files to produce real-time, user-friendly reports that cover the whole network and all aspects of network security.
1.5 Outline of the dissertation
Here follows a brief summary of the rest of the dissertation (depicted in figure 1.2):
Chapter 2 – Firewalls within the context of network security
We have established that security is a very important feature in any network. In this chapter the concept of network security is discussed to illustrate the place of firewalls within the context of network security.
Chapter 3 – Firewalls
In this chapter, firewalls as one of the network security mechanisms are discussed in detail. The different components and their functionality lead the discussion into a definition of the different firewall filtering techniques. The ISS that the firewall implements are defined to indicate the value of the firewall as a network security mechanism.
Figure 1.2: A road map of the dissertation (diagram placing Chapter 1 Introduction, Chapter 2 Firewalls within the context of network security, Chapter 3 Firewalls, Chapter 4 Firewall logs, Chapter 5 A conceptual model, Chapter 6 The FA: A prototype, Chapter 7 Technical working of prototype and Chapter 8 Summary against the Internet, the firewall, the organisation’s network and the prototype)
Chapter 4 – Firewall logs
A detailed discussion of the audit and risk handling ISS is provided, with the focus on firewalls as the primary network security mechanism. How a firewall can use its log files to implement the audit ISS is discussed. The log files can, for example, determine network activity and the use of certain applications and resources. The concept of the risk analysis ISS is also explained. These concepts are expanded into a detailed analysis of log file and risk analysers.
Chapter 5 – A conceptual model
In this chapter the problems with current network security are demonstrated by means of a practical example. A brief summary is provided of the prototype (FA) developed to improve network security and facilitate the tasks of the security administrator.
Chapter 6 – The firewall analyser: A prototype
After the explanation and introduction to network security, firewalls, audit and risk analysis, this chapter will give a detailed discussion of the prototype developed to improve the status of network security. The components of the FA and their functionality are discussed. The chapter will conclude with the FA’s graphical user interface and a description of each screen and its corresponding function.
Chapter 7 – Technical working of prototype
This chapter will expand on the previous chapter by providing a technical specification of the different components of the FA. A detailed analysis of all the log file information required for generating the different FA reports is provided.
Chapter 8 – Summary
This chapter provides a brief review of the dissertation. A summary of network security, firewalls and the FA is given. To conclude this dissertation, the researcher will give her thoughts on future research possibilities in the field of log file and risk analysers to improve network security.
APPENDICES
Appendix A – The references
A list of all the references used in the dissertation.
Appendix B – The article
The article written as part of the research for the dissertation.
Appendix C – The source code methods
A summary of the FA’s Visual Basic 6.0 source code. The actual source code will be downloadable from the Internet, described in Appendix D.
Appendix D – The FA on the Internet
Instructions for downloading source code and an executable of the FA. These instructions include the steps on installing and running the executable.
CHAPTER 2
Firewalls within the context of network security
2.1 Introduction
After the birth of the computer, people’s need for information and the sharing of other computer applications, resources and devices grew at an exponential rate. Users connected their computers and devices with some form of cable to have the ability to communicate to others, share information, use the other users’ applications or share devices and resources over the network. As time passed, more and more computers and devices were connected to form a vast and complex network.
The Internet has brought a whole new dimension to the concept of network security. Data and resources can now be shared from almost any location on the globe, provided there is some form of intelligent technology, for example, a computer connected via satellite, optical cable or a normal telephone line to this web of resources and data. With the radical increase of resources, people and networks connecting to the Internet, it has become very complicated to ensure the security of such a network connected to the Internet.
The object of this chapter is to present an approach to the implementation of network security. The process of implementing network security will first be described to create an understanding of where firewalls fit in. The remainder of the chapter will provide an introduction to the firewall’s place in network security.
2.2 Network security
Network security can be very complex. The bigger the network, the more complex network security gets. The security administrator thus has a very important and difficult role to fulfil.
The implementation of network security can however be seen as a series of steps leading up to the management of a totally secure network. The first step is to identify all needs, resources, threats and risks within the organisation’s network. This identification process will be introduced in paragraph 2.3. After the identification process, a network security policy must be drawn up as described in paragraph 2.4. This network security policy defines the ISS to be implemented for a secure network.
The ISS are the central point of network security. Without them no network security will exist. Six standard ISS exist, but the author has added two extra services that play an integral part in network security. These ISS will be described in detail in paragraph 2.5. The implementation thereof, via network security mechanisms, will be described in paragraph 2.6.
It should become clear through this discussion that the daunting task of implementing network security can be made easier by following a few steps. These steps will lead to the definition of the ISS needed for network security based on the needs and resources of the organisation.
2.3 The identification process
The first step in implementing network security is to identify all network-related assets in the organisation, for example, the network printers, servers, workstations and cables. It is also necessary to identify the location of data on the network and to differentiate between the network assets of the separate network locations. All the findings are combined to get a holistic view of all the network assets of the organisation.
After this has been done, the threats to these resources can be identified, as well as the risks associated with possible successful attacks. A threat is something or someone that breaks through the security of the network and causes some form of damage to the organisation. A threat can come from inside or outside the organisation [PAGU96]. Internal threats, for example, an employee within the organisation destroying important information, usually pose a greater risk to the organisation’s network because it is more difficult to put the necessary security mechanisms in place to prevent these types of attacks. No threat can however be overlooked or deemed unimportant, as even the smallest successful attack could cause major damage to the organisation.
There are so many different kinds of network threats that they are usually divided into smaller categories that contain similar types of threats. The next few paragraphs are an effort to categorise some of the main network attacks and threats into four main groups.
a) People can be a threat:
• Hackers – These people attack the organisation’s intranet or extranet for malicious purposes. These attacks can come from anywhere in the world. Hackers use a mimicked password and user ID, for example, to pose as an employee of the company or user of the workstation and thus gain unauthorised access without much hassle [WINK01].
• Theft – Theft or manipulation of information is another type of attack. Most attackers try to gain user IDs, passwords or other sensitive data that is relatively easy to steal with the use of network “sniffers” [SIMO96].
• Repudiation – A party to an online purchase denies that the transaction occurred or was authorised.
• Employees – Employees can attack or try to get access to their
b) Applications not written with malicious intent can also be a threat:
• Bugs or configuration problems – A bug in some software can, for example, provide unwanted access to the internal network or give sensitive information of the organisation to the people using the software without the knowledge of the security administrator.
c) Attacks on a network via applications performing malicious activities:
• Denial of service – This type of attack prevents a person from using his/her own computer and system. An intruder floods the system or network with messages, processes or network requests. A clever attacker can disable services, re-route them or even replace them with others [FEWI98].
• Spoofing – A virtual intruder creates a fake site masquerading as the real one to steal data from unsuspecting customers or just to disrupt business [ECOM01].
• Browser-side risks [W3OR01] – Active content that crashes the browser, damages the user’s system, breaches the user’s privacy or results in the misuse of personal information knowingly or unknowingly provided by the end-user.
• Code can be downloaded from a server to a browser and executed locally on the browser’s host computer. This downloadable code may be an attempt to improperly access and transfer sensitive information to the server [FEWI98].
• Code may contain some form of logic bomb, virus or Trojan horse.
d) The threat of interception of data:
• Data alteration – The content of an electronic commerce transaction can be altered en route.
• Network data sent from browser to server or vice versa can be intercepted via network eavesdropping. Eavesdroppers can operate from any point in the pathway between browser and server.
After all the network threats to an organisation’s network have been identified, it is imperative to address these threats and provide a secure solution. This will be done through the development of a network security policy.
2.4 The network security policy
The network security policy should contain enough information on the users of the network, the resources, workstations, servers, printers, the access rights of the users, possible threats and the ISS that need to be implemented. The different ISS will be elaborated on in the next section of this chapter.
The network security policy is combined with the security policies from other departments and non-technical related security policies to serve as a requirement document against which technical security solutions can be judged. It may also aid the security administrator’s legal case should the administrator ever need to prosecute a security violation [W3OR01]. It must be kept in mind that the network security policy must be reviewed on a regular basis to ensure that it is up to date and in line with the organisation’s current needs and infrastructure.
But what must the network security policy contain? The network security policy should contain information regarding the following areas [FARN00]:
• An introduction – The introduction will provide general information about the business of the organisation as well as the organisational structure of responsibility, that is, a definition of who is responsible for what in the organisation.
• Domain services – The authentication used to provide access to the local domain as well as the rules regarding the use of passwords. This area will also define what should be done with employees’ passwords and domain access when they leave the organisation.
• Email systems – The authentication performed, intrusion detection mechanisms used, physical access procedures into the email server,
• Web servers – Here the rules regarding the use of internal and external web servers should be defined.
• Data servers – The intrusion protection mechanisms used, the physical access to data servers, the backups of these servers, auditing and disaster recovery of the data servers.
• Intranet/extranet – A definition of the mechanisms, for example, modems, dial-in access or dial-out access, used for physical access into the networks. The backup of the data, auditing, content filtering and disaster recovery can also be described in this section.
• Firewalls – The implementation, auditing, intrusion detection, authentication and content filtering of the firewall.
• Security incident handling – The notification of intrusion, identification of an incident, handling of an incident, aftermath of an incident, legal implications and responsibilities for incidents.
• Contacts and mailing lists – The people to contact regarding certain areas of the network and security problems should also be defined.
The following is an example of how a network security policy might be defined for a big blue chip organisation:
The security administrator of the organisation would have firstly made a study on the needs, resources, threats and risks of the network as it was defined in the first step of the network security process model at the beginning of this chapter. It was, for example, found that the organisation has servers to handle file transfers and email. These servers can be accessed from anywhere on the web or from any local workstation within the organisation’s different regional offices.
The security administrator thereafter defined a network security policy to outline the rules by which all employees must abide by to protect the defined extranet from threats and attacks. These rules will encompass the many different aspects of the use and misuse of the network and Internet.
The network security policy will, for example, be as follows:
• Introduction: The introduction section will explain that the company is an investment bank with regional offices around the world. The different roles in the organisation and the responsibilities of each role are defined. The firewall administrator is, for example, responsible for the implementation, content filtering and intrusion detection on the firewall whereas the IT manager is responsible for the auditing of the firewall.
• Domain services: Guidelines for employee passwords to be a minimum length of 6 characters. These characters must contain a combination of alphabetical and alphanumerical characters. The password and the employee’s domain name, given to them by the security administrator, will give them access to the network. When an employee leaves the organisation, their password and domain name will be deactivated within 5 working days.
• Email systems: Every employee will be given access to the email server via his or her domain name and password. External access will also be given to all management personnel via the Internet. A backup will be made of the email server on a weekly basis in conjunction with the data server backups, whereas auditing of the email will only be performed in case an employee is suspected of insider trading or of misusing the email for personal reasons.
• Web servers: The organisation only has a public web server that contains the web site of the organisation. Anyone can gain access to this information via the Internet. Access is provided via the firewall.
• Data servers: According to the position of an employee he or she will gain access to certain data servers based on their domain name and password. Backups are performed on a weekly basis in conjunction with the mail servers. Intrusion detection and authentication will be performed via the firewall.
• Intranet/Extranet: Dial-in access is given to the extranet of the organisation. The employee’s domain name and password will provide access. The firewall is responsible for intrusion detection and the
• Firewalls: The firewall is the main mechanism used for authentication and intrusion detection. It is thus very important that it is set up and implemented correctly. The firewall is set up to authenticate employees according to their domain name and password as well as giving them access according to their position within the organisation. The IT manager performs auditing of the firewall on a monthly basis to determine the misuse of the network or Internet.
• Security incident handling and contacts: All possible security incidents are reported to the appropriate managers, who in turn decide what action to take.
The network security policy will thus strike a balance between the security needed, the ability of the organisation to implement the necessary security features, for example, the funds available, and the security already in place.
There are, however, no fixed rules on developing current network security policies. The researcher believes that the final policy’s content should give direction to how security should be implemented and not define exactly how this secure status should be achieved.
2.5 Information security services (ISS)
The last step in implementing network security is to implement the ISS needed for a secure network by using the appropriate network security mechanisms. The information security services will be discussed in this section and the appropriate network security mechanisms in the next.
The ISO has defined six standard information security services for any type of network [ISOS00]. They are identification and authentication, authorisation, confidentiality, integrity, non-repudiation and availability. Two extra information security services have been added by the researcher to the ISO’s list, namely audit and risk handling. These additions seem to go hand in hand with the growing importance of network security. Audit, for example, provides the organisation with a log of events that happened on the network. This information can be used to detect possible security breaches. Risk handling, on the other hand, provides the means to detect possible security risks on the organisation’s network and to implement the appropriate security mechanisms.
All these services need to be in place for a secure network. The following paragraphs will give a brief description of each one of the aforementioned security services.
2.5.1 Identification and authentication
During the network logon process an employee is asked for his/her name or user ID to distinguish him/her from the other employees or network users. This information together with some authentication information, for example, a password, is then used to authenticate the employees and ensure that they really are who they claim to be [AHUJ96].
Different methods can be used for authentication [SOEL97] [FEWI98]:
• Something the user knows – This is, for example, the password that is associated with the given user ID or perhaps a PIN that the user is asked for.
• Something the user has – This could be a key, badge, smartcard or any other device that can be used to authenticate the user and determine if the person really is who he/she claims to be.
• Something the user is – Biometric characteristics are used to authenticate the user. Fingerprints, handprints, voice patterns, keystroke patterns, signatures or retina characteristics of the user are stored and used to authenticate the user whenever a logon is attempted.
• Location – Depending on where the users physically are, they can be authenticated. A person can, for example, only gain access to a workstation at the physical place of the workstation because it is not
• Any combination of the above four can be used.
Authentication is achieved by giving a user access to the data or resources via their identification ‘token’, for example, their password. These passwords are managed and stored via a user access management tool, for example, Novell Net Enterprise [NOVE02].
Some of these user access management tools use the single sign-on concept to offer authentication [SOEL97]. There are three different methods of single sign-on. With synchronisation the user uses the same ID and password on all the appropriate network systems. Another method is known as scripting, where the user is prompted for his/her ID and password every time access to a specific application is required. Lastly, one server (the trusted authentication server) stores all user IDs, user passwords and the applications to which the users have access. Replication servers might also be used to provide availability. When the users log on, they will gain access to everything on the network for which they have authorisation.
The methods for authentication and logon will affect the setup of the firewall only if the security administrator prefers to make use of the firewall’s authentication mechanism. Each firewall has its own configuration setup where the authentication method must be defined so that the firewall knows how to treat incoming and outgoing authentication information. It is therefore very important that the methods being used for identification and authentication be clearly defined by the network security policy.
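To make the identification-plus-password step concrete, the following Python example (added here; it is not code from the dissertation or from any product it names) shows how a user access management tool can store and check "something the user knows" without keeping the password itself, and how the leaver deactivation step from the example policy in section 2.4 would be applied. The credential store, the user IDs and the reading of the example password policy (at least 6 characters containing both letters and digits) are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed credential store: user ID -> (salt, PBKDF2-SHA256 hash). In a real
# network this would live in the user access management tool, not in a dict.
PBKDF2_ITERATIONS = 100_000


def meets_password_policy(password: str) -> bool:
    """Assumed reading of the example policy in 2.4: at least 6 characters,
    containing both letters and digits."""
    return (len(password) >= 6
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def hash_password(password: str, salt: bytes) -> bytes:
    # A slow, salted one-way hash: the stored value cannot be turned back into
    # the password, and equal passwords of two users hash differently.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(store: dict, user_id: str, password: str) -> bool:
    """Store a salted hash, never the password itself; reject weak passwords."""
    if not meets_password_policy(password):
        return False
    salt = os.urandom(16)
    store[user_id] = (salt, hash_password(password, salt))
    return True


def authenticate(store: dict, user_id: str, password: str) -> bool:
    """Identification (user ID) plus 'something the user knows' (password)."""
    record = store.get(user_id)
    if record is None:
        # Hash anyway so an unknown user ID costs the same time as a wrong
        # password; otherwise response time reveals which IDs exist.
        hash_password(password, b"\x00" * 16)
        return False
    salt, expected = record
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(hash_password(password, salt), expected)


def deactivate(store: dict, user_id: str) -> None:
    """Policy step for leavers: the ID and password stop working."""
    store.pop(user_id, None)
```

The same store can back a single sign-on setup: the trusted authentication server holds the records, and every application defers to `authenticate` instead of keeping its own copy of the passwords.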
2.5.2 Authorisation (logical access control)
Different users have access to different resources on the network. It is important to ensure that only authorised users will have access to the network resources, for example, printers, servers, workstations, fax machines and telephone systems.
Access control lists are used to keep information about the resources that users may access. The access control list typically holds information about all the users, resources and access rights and can be situated either on the firewall itself or on some network server inside the organisation. On firewalls, the access control lists are typically in the form of access control rules where person A is, for example, only given access to use the ftp protocol service between 13:00 and 14:00 each day of the week. Access can also be allowed per group of users rather than an individual user. This will simplify the access control lists on the firewall or wherever the lists are implemented.
Access control can be classified based on whether the access rights are assigned by the owner of the resources or by the security administrator [OLOV92]. With discretionary access control each individual owner of data specifies his/her own rules for access to the data. On the other hand, as is the case with most networks, the security administrator determines the access rights of users to all the resources on the network with mandatory access control.
2.5.3 Confidentiality
Protection of the confidentiality of network information and messages sent and received over the network means the assurance that only authorised people may view them. To protect the confidentiality, the data is changed in such a way (encrypted) that the contents cannot be understood. Only authorised people should possess the appropriate decryption mechanisms to view the contents of the data intended for them [SOEL97].
There are two basic forms of encryption, namely symmetric encryption (secret key encryption) and asymmetric encryption (public key encryption). With symmetric encryption the same mathematical formula or encryption key is used for encryption and decryption of the data. The Caesar cipher [BOGA00] is an example of symmetric encryption. Asymmetric encryption, on the other hand, makes use of different but related algorithms, and keys are used for
whereas private keys are the property of the person to whom they belong and can only be used by that specific person. RSA encryption, AES encryption and elliptic curve encryption [RSAL02] are examples of asymmetric encryption.
The encryption method and the type of processor used will determine how fast the encryption and decryption will be performed. To generate a 256-bit encryption key will, for example, take more time than generating a 128-bit encryption key. The actual speed with which encrypted data are sent over the network will not be affected.
2.5.4 Data integrity
Another security service closely related to confidentiality is integrity. Protecting the data’s integrity means the assurance that only authorised users change the contents of the data on the network [SOEL97].
A variety of different algorithms can be used to implement integrity and check the validity of the data and messages sent over the network. Checksums, one-way hash functions, message digest algorithms such as MD5, MD3 and MD2, and secure hash algorithms are some of the better-known ones [PVV96].
2.5.5 Non-repudiation or non-denial
A combination of public key and private key encryption can be used for non-repudiation. Encrypting data with the public key of the receiver ensures confidentiality of the data. The data will be confidential because only the receivers will be able to decrypt the message using their private keys. By encrypting with the private keys of the sender, non-repudiation is enforced because only the sender possesses the specific private keys and cannot deny sending that specific message or data [SOEL97].
Digital signatures provide proof of the origin of the data and can be seen as a unique attachment to all data and messages sent. The digital signature cannot be tampered with or changed by the sender of the corresponding data or message. Digital certificates that contain the sender’s identification and public key are also connected to the message. These certificates are generated and managed by third parties, for example, a certificate authority (CA) [WALD98] or a Trusted Third Party (TTP).
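As an added illustration (not code from the dissertation), the following Python example contrasts the two forms of encryption described in 2.5.3 and shows how the integrity and non-repudiation services build on them: the Caesar cipher stands in for symmetric encryption, and a textbook RSA key pair with deliberately tiny, constructed primes stands in for asymmetric encryption. Encrypting with the receiver's public key gives confidentiality; signing a one-way hash of the message with the sender's private key gives integrity and non-repudiation, since only that private key could have produced the signature. The primes, key names and message are assumptions chosen for readability, and encrypting RSA byte by byte is for illustration only.

```python
import hashlib


# --- Symmetric encryption: the Caesar cipher. The same key (the shift) is used
# to encrypt and to decrypt, so sender and receiver must share the secret. ---
def caesar(text: str, shift: int) -> str:
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)  # non-letters pass through unchanged
    return "".join(out)


# --- Asymmetric encryption: textbook RSA with tiny constructed primes so the
# arithmetic stays visible. The public and private keys are related but
# different, which lets confidentiality and non-repudiation be separated. ---
def rsa_keypair(p: int, q: int, e: int = 65537):
    """Return (public_key, private_key), each as an (exponent, modulus) pair."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def rsa_apply(key, value: int) -> int:
    exponent, modulus = key
    return pow(value, exponent, modulus)


def encrypt_for(receiver_public, message: bytes) -> list:
    """Confidentiality: anyone may encrypt with the receiver's public key, but
    only the holder of the matching private key can decrypt. Each byte is
    encrypted on its own here purely so the toy modulus suffices."""
    return [rsa_apply(receiver_public, b) for b in message]


def decrypt_with(receiver_private, ciphertext: list) -> bytes:
    return bytes(rsa_apply(receiver_private, c) for c in ciphertext)


def _digest_int(message: bytes, modulus: int) -> int:
    # Integrity: a one-way hash of the message is what actually gets signed,
    # so any change to the message changes the value the signature must match.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % modulus


def sign(sender_private, message: bytes) -> int:
    """Non-repudiation: only the sender's private key can produce this value."""
    return rsa_apply(sender_private, _digest_int(message, sender_private[1]))


def verify(sender_public, message: bytes, signature: int) -> bool:
    """Anyone holding the sender's public key can check the signature; an
    altered message or a different signer makes the check fail."""
    return rsa_apply(sender_public, signature) == _digest_int(message, sender_public[1])
```

In practice the public key used by `verify` would come from the sender's digital certificate, which is what ties the key to an identity vouched for by the CA or TTP.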
2.5.6 Availability
Availability is another service; it ensures that data and resources are available whenever they are needed. This service can, for example, be achieved via replication servers that can serve the data when it cannot be retrieved from the original server. Availability can also be achieved by making regular backups of the network’s data. This will ensure that data is still available whenever something happens to the original data source.
2.5.7 Audit
It has become important to keep track of all the events occurring on the network. Using some type of logging tool can do this. Most operating systems have their own logging tool, but these tools might not provide sufficient information to detect security breaches. Extra logging tools can be implemented or installed by creating a personal logging application, buying a generic one or downloading a logging tool for networks from the Internet.
These logs can be useful to many security administrators, as they can determine the usage of network resources, show the activities on the network of certain specified users, identify possible threats and track security and other problems on the network.
2.5.8 Risk handling
Risk handling has also become a very important security service in a network. With the identification of risks (the probability that a threat for the network will materialise), the appropriate countermeasures can then be implemented or activated.
Two methods can be used to identify risks:
• It is the security administrator’s job to identify and document the risks to the network in some form of standard document defined for the organisation. Identification is usually done manually with their knowledge of possible weak points within the network. Each risk is assigned a predefined risk weight factor to identify critical risks from other non-important risks. The definition of the risk weight factors is kept in a knowledge base somewhere on the network. According to these risk weights, a decision is made on how to control and minimise the identified risks. A critical risk will, for example, be handled as quickly and cost-effectively as possible, whereas non-critical risks will be handled later on.
• Third generation tools and applications are implemented on the network to show possible security risks to the security administrator. Firewalls these days have, for example, built-in reporting tools from which deductions could be made about the risks within the current network. The security administrator has the responsibility of deciding the importance of the risk and how to minimise it for a more secure network. A risk-analysing tool, for example, Norman Risk Check [NORM01], can also be implemented to minimise the risk. A firewall or other intrusion detection device can, for example, be implemented to switch a specific network service off when the network is vulnerable or suspicious activity has been detected.
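The second risk identification method above, a tool that draws conclusions from firewall output, can be illustrated with the following Python example (added here; it is neither the dissertation's prototype nor any product's code). It parses a constructed firewall log excerpt of the kind the audit service of 2.5.7 produces, scores each denied source using risk weight factors from a small constructed knowledge base, and classifies the result as critical, medium or low so that the security administrator can handle the critical ones first. The log format, field names, sensitive port list, weights and thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed firewall log excerpt (not taken from any real product).
SAMPLE_LOG = """\
2024-05-06 02:14:01 DENY src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=22
2024-05-06 02:14:03 DENY src=203.0.113.5 dst=192.0.2.11 proto=tcp dport=22
2024-05-06 02:14:05 DENY src=203.0.113.5 dst=192.0.2.12 proto=tcp dport=22
2024-05-06 02:14:07 DENY src=203.0.113.5 dst=192.0.2.13 proto=tcp dport=22
2024-05-06 02:14:09 DENY src=203.0.113.5 dst=192.0.2.14 proto=tcp dport=22
2024-05-06 02:14:11 DENY src=203.0.113.5 dst=192.0.2.15 proto=tcp dport=22
2024-05-06 08:00:12 ALLOW src=192.0.2.44 dst=198.51.100.20 proto=tcp dport=443
2024-05-06 08:01:40 DENY src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=80
2024-05-06 09:30:00 DENY src=198.51.100.9 dst=192.0.2.10 proto=tcp dport=23
2024-05-06 09:30:04 DENY src=198.51.100.9 dst=192.0.2.10 proto=tcp dport=23
this line is corrupt and must be skipped
"""

# Assumed log line layout; anything that does not match is counted as skipped
# rather than silently dropped, so truncated or corrupt logs are noticed.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)$"
)

# Constructed risk knowledge base: weight factors and the thresholds that turn
# a score into a critical / medium / low classification.
RISK_WEIGHTS = {"denied_connection": 1, "sensitive_service": 3, "repeated_source": 5}
SENSITIVE_PORTS = {22, 23, 3389}   # remote administration services
REPEAT_THRESHOLD = 5               # denies from one source before it counts as a sweep
LEVELS = ((10, "critical"), (4, "medium"), (0, "low"))


def parse_line(line: str):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def classify(score: int) -> str:
    for threshold, level in LEVELS:
        if score >= threshold:
            return level
    return "low"


def assess(lines):
    """Score every source that was denied and rank the sources by risk.
    Returns (report, skipped) where report is a list of (src, score, level)."""
    scores = defaultdict(int)
    denies = defaultdict(int)
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if rec["action"] != "DENY":
            continue  # permitted traffic carries no risk weight here
        src = rec["src"]
        denies[src] += 1
        scores[src] += RISK_WEIGHTS["denied_connection"]
        if rec["dport"] in SENSITIVE_PORTS:
            scores[src] += RISK_WEIGHTS["sensitive_service"]
    for src, count in denies.items():
        if count >= REPEAT_THRESHOLD:
            scores[src] += RISK_WEIGHTS["repeated_source"]
    report = sorted(((src, s, classify(s)) for src, s in scores.items()),
                    key=lambda r: r[1], reverse=True)
    return report, skipped
```

Because the weights and thresholds live in one place, the security administrator can tune them as the network security policy changes without touching the parsing logic, which is the role the knowledge base plays in the first method above.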
2.6 Network security mechanisms
The last step of enforcing network security is to implement the expected ISS via one or more of the network security mechanisms. Network security mechanisms are concrete procedures, applications or products that can implement ISS and are divided into three categories [OLOV92]:
• Prevention mechanisms are mechanisms that enforce network security
during operation of a system by preventing a security violation from occurring, for example, a mechanism restricting physical access to the network such as a network router or firewall.
• Detection mechanisms are used to detect both attempts to violate
network security and successful network security violations, when or after they have occurred in the system, for example, some form of logging tool as described in the previous section of information security services.
• Recovery mechanisms are used after a network security violation has
been detected to restore the system to a pre-security violation state, for example, the use of backups of a previously stable network state.
2.6.1 State-of-the-art security mechanisms
The next few paragraphs will provide a more detailed discussion of different network security mechanisms for implementing network security, as well as where they fit into the previously defined ISS categories.
a) Prevention mechanisms
• An encryption scheme, for instance AES, could be used for confidentiality. Another tool becoming increasingly popular today is PGP encryption [BHAM00]. Using the PGP public/private key technology, users can instantly encrypt, sign, decrypt and verify any file, message or folder. PGP encryption keys are, however, not managed by the organisation. This means that if you lose or forget your encryption key, the encrypted document cannot be opened or removed. These tools support the confidentiality information security service.
• Hashing algorithms, for instance MD2 and MD5, could be used for data integrity. These tools support the integrity information security service.
• Digital signatures can be used to verify a user, authenticate the contents and verify signatures in case of dispute. These tools support the integrity and non-repudiation information security services.
• Access control mechanisms can determine if a user is authorised to access certain network resources, for example, printers, servers, workstations, fax machines and telephone systems. These tools support the authorisation information security service.
• Someone in the organisation also needs to stay current with relevant security problems and failures [CURT97]. With their knowledge of old as well as new bugs and failure points within an operating system as well as the network, the appropriate prevention mechanism can be implemented before anything happens to the network and damage is done.
• Firewalls have also become a much-used prevention mechanism. A firewall restricts people to entering at a carefully controlled point, preventing intruders from getting close to other security defences. It also restricts people to leaving at a controlled point so that no “back doors” are left for re-entry later on. Physically a firewall is a set of components – a router, a host computer or networks with the appropriate software [CHZW95]. Firewalls can implement various ISS that will be described in chapter 3.
Physical protection methods for preventing an attack on the network also require attention. Workstations that do not have any form of disk drive can be used to prevent employees taking information home or unknowingly putting viruses on the network. The network hubs and routers should be protected because these components are responsible for routing the network and someone could easily change the routing or even break the hub or router. Without the routers, no one can reach their intended destinations over the network. Intranet wiring should also be hidden in the ceiling and protected against animals, for example, rats in the roof or ceiling. Network servers should be protected and locked in a safe room to which only authorised people will have access [CURT97]. Servers should be equipped with UPSs (uninterruptible power supplies) to protect them against electrical interference. Servers, workstations and monitors should be properly grounded to protect them against static electricity discharge.
b) Detection mechanisms
• Anti-virus software can be used to protect the network against different types of virus, worm, logic bomb and Trojan horse attacks [SIMO96]. Examples of some state-of-the-art software packages are Norton AntiVirus, Dr Solomon’s Anti-Virus tools and McAfee VirusScan [AVSV00].
• Most applications produce some form of log file that is used to detect and investigate possible threats and where they originated [OLOV92]. These log files support the audit information security service.
• A manual search for security breaches can also be done, and sometimes users will report detected problems on the network to the appropriate personnel for them to either fix the problem or provide a solution for working around the security problem.
• Intrusion detection systems, for example, RealSecure, Windows NT/2000 Security Event Logs and NetProwler, are used to detect attacks and/or computer misuse, and to alert the security administrator upon detection [INNE01].
• Firewalls can also be used as another security mechanism to detect possible Internet security problems. Some form of alert or warning message will be given to the security administrator to indicate some activity on the network that should be investigated further. These alerts can come in the form of emails or even be a physical alarm to attract someone’s attention to some suspicious or unknown activity on the network.
c) Recovery mechanisms
• Backups of previously safe states can be used to recover a network to a previously secure state. These mechanisms implement the availability ISS.
• Some applications have built-in recovery mechanisms that are triggered whenever some security breach has been detected on the network.
A simple example of a recovery mechanism is ‘Scandisk’, which is run by any Microsoft Windows operating system package [COSO00] on startup of a workstation or whenever the shutdown process was improperly done. This application will do a low-level check of the workstation’s or server’s permanent storage to detect possible faulty sectors. These sectors will then be marked as unusable and the data that was on these sectors is recovered and written to another part of the storage.
2.7 Firewalls and network security
The previous chapter has mentioned firewalls as being one of the network security mechanisms. It was shown in this chapter that firewalls provide the expected ISS defined within the network security policy. Not all organisations use firewalls, however, but the author feels that firewalls are efficient network security mechanisms that provide most of the expected ISS to an organisation. It should, however, be noted that firewalls will only implement ISS if they were configured accordingly.
Firewalls will be discussed in the next chapter where a brief introduction to firewalls will firstly be given, before the discussion will turn to how a firewall specifically implements the ISS mentioned in this chapter.
2.8 Conclusion
It is clear that security on any network is very important. Without it, the organisation is vulnerable to attacks and private and confidential information is available to anyone. The provision of network security is, however, sometimes a very daunting task. The bigger the network is, the more complex and difficult network security becomes. It is thus imperative that the whole process of defining and implementing network security is divided into smaller steps.
If all these steps are thoroughly performed, the author feels that most areas regarding network security have been covered and the expected ISS are delivered to the company. After all these steps have been performed, the author feels that less future work regarding network security is expected. The only work left to the security administrator is to maintain the expected level of security service defined within the network security policy and ensure that the network security policy remains up to date so that neither new nor old threats are overlooked.
CHAPTER 3
Firewalls
3.1 Introduction
The researcher has shown the importance of network security and the vulnerability of computer networks to attacks and threats from either inside or outside the organisation. Successful attacks on the organisation’s network can result in a loss of data, money, resources or, in extreme cases, in the closure of the organisation.
Network security is very complex and difficult to implement. Many people are consequently ignorant about network security and do not put enough resources and energy into finding a solution for the implementation of a totally secured networking environment. The previous chapter proposed a few easy steps to serve as a guideline for implementing network security. The last step described the ISS required for a secure network. Firewalls were introduced as an effective network security mechanism to implement the required ISS.
The objective of this chapter will be to provide a detailed explanation of firewalls, what they are, how they work and how firewalls implement the ISS. This information will serve as an introduction to the prototype, built as part of the research for this dissertation.
3.2 Firewall definition
There are so many different definitions of a firewall today because of the uncertainty about what a firewall actually is and what it does. Here are but a few of the definitions:
A firewall is a system or group of systems that enforces an access control policy between two networks. The actual means by which this is accomplished varies widely, but in principle, the firewall can be thought of as a pair of mechanisms: one which exists to block traffic, and the other which exists to permit traffic. Some firewalls place a greater emphasis on blocking traffic, while others emphasize permitting traffic. Probably the most important thing to recognize about a firewall is that it implements an access control policy. If you don't have a good idea of what kind of access you want to allow or to deny, a firewall really won't help you. It's also important to recognize that the firewall's configuration, because it is a mechanism for enforcing policy, imposes its policy on everything behind it. Administrators for firewalls managing the connectivity for a large number of hosts therefore have a heavy responsibility. [GPSY97]
In building construction, a firewall is designed to keep a fire from spreading from one part of the building to another. In theory, an Internet firewall serves a similar purpose: it prevents the dangers of the Internet from spreading to your internal network. In practice, an Internet firewall is more like a moat of a medieval castle than a firewall in a modern building. It serves multiple purposes:
It restricts people to entering at a carefully controlled point. It prevents attackers from getting close to your other defences. It restricts people to leaving at a carefully controlled point.
An Internet firewall is most often installed at the point where your protected internal network connects to the Internet… [CHZW95]
A firewall is thus a piece of software or hardware that monitors incoming traffic from unknown networks, for example, the Internet, or from known internal resources and networks. It also monitors outgoing traffic from the protected network to the Internet, other internal resource or another network of the organisation. All IP traffic is logged and can be restricted or stopped at the firewall via some form of rules implemented on the firewall.
These rules will typically hold three types of information:
• To which user/group of users the rule applies
• The time and date at which the rule should be applied
• To which application, protocol or service the rule applies
The rules will thus determine whether the connection requested by a packet will be permitted or denied.
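The following Python example (added here; it is not the dissertation's prototype or any firewall product's code) shows how such rules can be evaluated. Each rule names the users or groups it applies to, the services it covers and the time window and weekdays during which it is active; rules are matched top to bottom and anything unmatched is denied. The rule set reproduces the access control list example of section 2.5.2 (person A allowed ftp only between 13:00 and 14:00), and every decision is rendered as a log line for the audit service. The group names, user IDs, rule set and log format are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Rule:
    action: str                              # "permit" or "deny"
    subjects: frozenset                      # user IDs and/or group names
    services: frozenset                      # application/protocol/service names
    start: time = time(0, 0)                 # start of the daily time window
    end: time = time(23, 59, 59)             # end of the daily time window
    days: frozenset = frozenset(range(7))    # weekdays (0 = Monday) it applies on


# Constructed group membership, as it might be held in the access control list.
GROUPS = {
    "management": frozenset({"alice", "carol"}),
    "staff": frozenset({"alice", "bob", "carol", "dave"}),
}

# Constructed rule base, evaluated top to bottom: the first matching rule wins,
# so the specific permit for person A precedes the general deny for staff.
RULES = [
    # person A may use ftp only between 13:00 and 14:00, any day of the week
    Rule("permit", frozenset({"personA"}), frozenset({"ftp"}), time(13, 0), time(14, 0)),
    # management may browse the web on working days only
    Rule("permit", frozenset({"management"}), frozenset({"http", "https"}),
         days=frozenset(range(5))),
    # all staff are otherwise denied ftp
    Rule("deny", frozenset({"staff"}), frozenset({"ftp"})),
]


def subject_matches(rule: Rule, user: str) -> bool:
    """A rule applies to a user directly or through one of the user's groups."""
    if user in rule.subjects:
        return True
    return any(user in GROUPS.get(group, frozenset()) for group in rule.subjects)


def evaluate(rules, user: str, service: str, when: datetime):
    """Return (action, matched_rule_index); default deny when nothing matches."""
    for index, rule in enumerate(rules):
        if (subject_matches(rule, user)
                and service in rule.services
                and when.weekday() in rule.days
                and rule.start <= when.time() <= rule.end):
            return rule.action, index
    return "deny", None


def log_decision(user: str, service: str, when: datetime, decision) -> str:
    """Every decision is logged so the audit service has a record to analyse."""
    action, index = decision
    rule = "default" if index is None else f"rule{index}"
    return f"{when:%Y-%m-%d %H:%M:%S} {action.upper()} user={user} service={service} by={rule}"
```

The default deny at the end of `evaluate` is the important design choice: a rule base that only lists what is permitted fails closed when a request falls outside every rule, which matches the policy-enforcing role described in the [GPSY97] definition above.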
The position of the firewall will also determine how security is provided. The firewall can be placed at an entry point to any sub network of the organisation or at the main entry point to and from the Internet. The position of the firewall is usually determined by the network security policy of the organisation that was described in chapter 2:
• Organisations may desire to isolate the network from different parts of the business. The firewall will then be implemented between their private and public network or even between two private networks. That part of the organisation’s network that is open for use to the public and needs no protection is also better known as the DMZ (demilitarised zone) depicted in figure 3.1 [HAEN97].
Figure 3.1: Firewall positioning (firewall placed between the Internet, the organisation and the DMZ)
• Some organisations may desire to isolate their whole internal network from any other potentially unprotected network, such as the Internet. In such a case the firewall will be located at the point of entry into the organisation’s private network.
• A tunnel can be created via a firewall for the information between two entities on the defined network. A VPN (virtual private network) can be created between two firewalls for confidentiality and integrity of information over the Internet.
There are, however, no fixed rules for the positioning of a firewall. This is left to the security administrator to decide. An investment bank, for example, needs a very high level of security for its e-commerce transactions and internal web site or intranet. However, this organisation’s public web site does not need any protection because harmless information about the organisation is displayed on it. The organisation will typically settle for a security architecture where the public web server is located in a DMZ and the rest of the network is located behind a firewall that has very strict rules for allowing people to access the internal web site. The firewall will act as a proxy server and redirect authorised traffic to the appropriate servers for further processing.
3.3 The components of a firewall
A firewall’s characteristics are determined by a few individual components working together as well as the configuration of the firewall. Generic firewall components are depicted in figure 3.2 and can be defined as follows:
• Filters – It is the job of the filters to intercept packets travelling through the firewall. These packets are examined against the defined filtering rules; only authorised packets will be permitted while all others will be discarded. The author feels that this component is used most by firewalls due to the fact that all network traffic will pass through the firewall filter before being routed to the appropriate destination. Different firewall filtering techniques will be discussed in the next section.
• Proxy servers – The proxy servers authenticate the user and evaluate the application request. After the firewall filter has validated the request, it is sent to the appropriate proxy server depending on the type of application and whether the security administrator has configured the firewall accordingly. Email requests will, for example, be routed to the email proxy server. The email proxy server authenticates the user and will then route the request to the appropriate mail server within the organisation. There are different proxy servers for a wide variety of applications [CHZW95], for example email proxy servers, news proxy servers, FTP proxy servers and HTTP proxy servers.
• Domain name service (DNS) – The DNS isolates the name service of the private network from that of the Internet. Internal name resolution and sometimes even a limited amount of external name resolution can be done by the firewall if it was configured accordingly.
• Scheduler – The scheduler is used to back up the log files at a regular interval and to refresh the log file view regularly. The security administrator sets the interval in accordance with the network security policy.
• Alerter – The alerter is a built-in application to alert the firewall, security or network administrator of a possible attack. The type of alert, whether it is an email or a physical alarm, is configured in the firewall settings.
• Information database – The firewall contains a database with information about the users, entities, user groups, filters and rules defined on the firewall.
• Log files – All activity information performed within and by the firewall is stored in a specific file, better known as a log file.
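The following is an added illustration, not code from the dissertation, of how three of the components listed above cooperate: a zone-based filter that applies first-match rules with a default deny (the investment-bank scenario from the previous section, with the public web server in the DMZ and nothing from the Internet allowed into the internal network), the log file it produces, and a simple alerter that raises an alarm when one source accumulates repeated denies. The zone address ranges, the rule set, the log line format, the alert threshold and the sample packets are all constructed for this example.

```python
"""Toy zone-based packet filter with a log file and an alerter.

Added illustration for the firewall components described in section 3.3;
not the dissertation's own code. Zones, rules and sample traffic are
constructed for the investment-bank scenario: public web server in the
DMZ, internal web site behind a strict firewall, default deny otherwise.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# Constructed zone layout (documentation/private ranges chosen arbitrarily).
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),    # public web server lives here
    "internal": ip_network("10.0.0.0/8"),  # intranet / internal web site
}


def zone_of(addr: str) -> str:
    """Map an address to a zone; anything outside the known ranges is 'internet'."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dports: frozenset  # empty set means any destination port
    action: str        # "permit" or "deny"


# Rule set for the scenario: first match wins, no match means deny.
RULES: List[Rule] = [
    Rule("internet", "dmz", frozenset({80, 443}), "permit"),       # public web site
    Rule("internal", "dmz", frozenset({80, 443}), "permit"),       # staff to web
    Rule("internal", "internet", frozenset({80, 443}), "permit"),  # staff browsing
    Rule("internet", "internal", frozenset(), "deny"),             # nothing inbound
]


def filter_packet(pkt: Packet, rules: List[Rule] = RULES) -> str:
    """Return 'permit' or 'deny'. Unmatched packets are discarded (default deny)."""
    sz, dz = zone_of(pkt.src), zone_of(pkt.dst)
    for r in rules:
        if r.src_zone == sz and r.dst_zone == dz and (not r.dports or pkt.dport in r.dports):
            return r.action
    return "deny"


def log_line(pkt: Packet, verdict: str) -> str:
    """Constructed log format: VERDICT proto src -> dst:port."""
    return f"{verdict.upper()} {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}"


def run_filter(packets: List[Packet], rules: List[Rule] = RULES) -> List[str]:
    """Filter every packet and return the resulting log file, one line per packet."""
    return [log_line(p, filter_packet(p, rules)) for p in packets]


def alerter(log: List[str], threshold: int = 3) -> List[str]:
    """Alert when a single source address reaches `threshold` denied packets."""
    denied = Counter(line.split()[2] for line in log if line.startswith("DENY"))
    return [f"ALERT: {src} had {n} packets denied" for src, n in denied.items() if n >= threshold]


# Constructed sample traffic: one legitimate web hit, three inbound probes
# against the internal network, one staff request to the DMZ, one outbound
# SMTP attempt with no matching rule.
SAMPLE = [
    Packet("203.0.113.5", "192.0.2.10", 443),
    Packet("203.0.113.5", "10.1.1.20", 80),
    Packet("203.0.113.5", "10.1.1.20", 22),
    Packet("203.0.113.5", "10.1.1.20", 3389),
    Packet("10.1.1.20", "192.0.2.10", 80),
    Packet("10.1.1.20", "198.51.100.7", 25),
]

if __name__ == "__main__":
    log = run_filter(SAMPLE)
    print("\n".join(log))
    print("\n".join(alerter(log)))
```

The default deny at the end of filter_packet is the point worth noticing: the outbound SMTP packet is discarded not because a rule names it but because no rule permits it, and that discard still reaches the log, which is what gives the alerter something to count.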
Figure 3.2: The components of a firewall
The firewall also has some built-in security services for the implementation of the necessary ISS. A strong authentication system, strong encryption services [ROBI94] and integrity services ensure that data remains authentic and protected and cannot be altered during transmission. Table 3.1 shows how the ISS can be provided by the different firewall components if the firewall is configured to make use of its built-in security services.
The filters, for example, are responsible for evaluating all data passing through the firewall. The filters will determine whether the data is from a trusted source, whether the sender is trusted and whether the receiver is allowed to receive the data. If the firewall was configured to perform authentication via its user management service, it will authenticate the user’s
[Component labels from the figure/table: Filters, DNS, Scheduler, Information database, Log files, Proxy servers, Alerter]