With the whole of the networking world
moving toward inhabiting a single global village, we inevitably
have to start thinking about locking our doors and bolting our
windows. It has to be recognized that no computer system can ever
be 100% secure, but it has to be secure enough to deter the casual
hacker: we don't want some spotty adolescent spiriting away our
corporate secrets from his bedroom using nothing more than a cheap
PC, a modem, and a few lines of code downloaded from the Hackers
'R' Us Web site.
One in five respondents to a recent survey admitted that
intruders had broken into, or had tried to break into, their
corporate networks, via the Internet, during the preceding twelve
months. This is even more worrying than it sounds, since most
experts agree that the majority of break-ins go undetected.
For example, attacks by the Defense Information Systems Agency
(DISA) on 9000 U.S. Department of Defense computer systems had an
88% success rate but were detected by fewer than one in twenty of
the target organizations. Of those organizations, only five per
cent actually reacted to the attack (Source: NCSA).
The first step in securing our networks is not to rush out and
buy the best firewall or encryption software we can find, however.
Instead, some thought and effort should be put into developing a
comprehensive, yet manageable, corporate security policy. This
needs to cover everything from anti-virus protection to business
recovery strategy. It should cover network access, password policy,
authentication methods, and how and when encryption should be
employed. It should also cover physical security, such as building
access, shredding of sensitive documents, and physical security of
PCs and file servers. But when it comes to implementing
the security policy, one of the major tools available to the
network administrator is the firewall.
What Is A Firewall?
There are a number of definitions of the firewall, but perhaps
the simplest is "a mechanism used to protect a trusted network from
an untrusted network." A firewall is a system, or group of systems,
that enforces an access control policy between two networks, and
thus should be viewed as an implementation of policy.
The bottom line is that a firewall is only as good as the
security policy it supports. However, it is also true to say that a
completely secure firewall is not always transparent to the user,
and this can often lead to problems of users trying to circumvent
the corporate security policy to get around some unpopular
restrictions imposed by the firewall.
In addition to providing protection from outside attacks, many
firewalls today can hide the internal addressing scheme behind a
single public IP address (known as Network Address Translation, or
NAT), thus keeping the real structure of your network away from
prying eyes. They will also usually provide logging, auditing and
reporting facilities.
One thing to bear in mind right from the outset is that a
firewall is not simply for protecting a corporate network from
unauthorized external access via the Internet, it can also be used
internally to prevent unauthorized access to a particular subnet,
workgroup, or LAN within a corporate network.
Figures from the FBI suggest that 70% of all security problems
originate from inside an organization. Thus, for example, if your
Research and Development department has its own server, you could
protect it and the department's workstations behind a firewall,
while still allowing them to remain a part of the corporate-wide
network.
One caveat here, however. Be aware that there are few firewalls
on the market today that can provide wire speed throughput even at
100Mbps, let alone Gigabit speeds. While this is not always an
issue when the firewall is sitting in front of a slow Internet
link, it can cause some serious bottlenecks if you try to put it on
a Gigabit backbone.
With recent advances in processing speeds and multi-processor
implementations, we are beginning to see dedicated appliances that
can provide wire speed throughput on a Fast Ethernet network with a
proxy server architecture, and even higher speeds when configured
as stateful inspection devices. Careful network design and load
balancing across multiple firewall devices are still prerequisites
for Gigabit networks and above, however.
Firewall Architectures
When looking at today's firewall products, there are three main
architectures currently in use:
Static Packet Filtering
Working at the Network and Transport Layers of the OSI stack,
packet filters make simple permit or deny choices based on the
source and destination addresses, the protocol, and the port
numbers contained in each packet, according to a set of rules
defined by the administrator.
Packet filtering is fast, transparent (no changes are required
at the client), flexible, and cheap (most routers provide packet
filtering, and pure packet filter firewalls do not require powerful
hardware on which to run). However, packet filter firewalls are
traditionally difficult to configure correctly, cannot tell whether
an inbound packet is a reply to something an inside host sent (so
whole ranges of ports have to be left open for return traffic), and
provide relatively poor logging capabilities.
Dynamic Packet Filtering/Stateful Inspection
Some vendors are touting this as the third generation of firewall
architectures, but it is really just an extension of the basic
packet filtering architecture employed by most routers, and is
becoming more and more common in even the most basic firewall
products. With the release of version 2.4 of the Linux kernel,
stateful packet filtering is even available in your basic Linux
distributions.
Stateful Inspection works at the Network and Transport Layers,
below the application, which keeps it fast and lets it discard
suspect packets before they travel any further up the protocol
stack.
Unlike static packet filtering, however, Stateful Inspection can
base its decisions on any data in the packet, including the
application payload (corresponding to all the levels of the OSI
stack), although in practice it is rare for all seven layers to be
examined in any great depth.
The state of the connection is monitored at all times (hence
Stateful Inspection), allowing the actions of the firewall to vary
based on the administrator-defined rules and the state of previous
conversations. In effect, the firewall is capable of remembering
the state of each ongoing conversation across it and dynamically
modifying the packet filter rules to suit (hence Dynamic Packet
Filtering), thus allowing it to more effectively determine
which inbound packets are part of an existing session and which are
"rogue" packets.
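To make the contrast between the static packet filtering and the stateful inspection sections above concrete, here is an added example (not code from the original article, and not any product's implementation) that models both architectures in Python and runs the same constructed packets through each. The rule syntax, the assumed trusted range 10.0.0.0/8, the addresses, the packets, and the policy that only an inside host's SYN to port 80 may open a session are all assumptions made for illustration.

```python
"""Static versus stateful packet filtering on constructed TCP packets.

Added example, not code from the original article: the rule format, the
trusted address range, the sample packets and the session-opening policy
are all assumptions chosen to illustrate the two architectures.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/8")   # assumed trusted (internal) network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset            # TCP flags set, e.g. frozenset({"SYN"})


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: str                    # CIDR; "0.0.0.0/0" means any
    dst: str
    dports: tuple               # inclusive (low, high) destination port range

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.dports[0] <= p.dport <= self.dports[1])


def static_filter(rules, p: Packet) -> str:
    """Static filter: first matching rule wins, unmatched traffic is denied."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# A typical static rule set. Inside hosts may reach web servers; because the
# filter cannot tell a genuine reply from anything else, it has to let ANY
# outside host send to the inside ephemeral port range so that replies pass.
STATIC_RULES = [
    Rule("permit", "10.0.0.0/8", "0.0.0.0/0", (80, 80)),
    Rule("permit", "0.0.0.0/0", "10.0.0.0/8", (1024, 65535)),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", (0, 65535)),
]


class StatefulFilter:
    """Stateful (dynamic) filter: remembers each conversation and permits only
    packets that belong to a session opened from the trusted side."""

    def __init__(self):
        self.table = {}         # (src, sport, dst, dport) -> connection state

    def filter(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if "RST" in p.flags and (fwd in self.table or rev in self.table):
            self.table.pop(fwd, None)   # a reset tears the session down
            self.table.pop(rev, None)
            return "permit"
        if fwd in self.table:           # client -> server, known session
            return "permit"
        if rev in self.table:           # server -> client, known session
            if self.table[rev] == "SYN_SENT":
                if p.flags == frozenset({"SYN", "ACK"}):
                    self.table[rev] = "ESTABLISHED"
                    return "permit"
                return "deny"           # not the reply this state expects
            return "permit"
        # No state yet: only a bare SYN from inside to port 80 may open one.
        if (p.flags == frozenset({"SYN"}) and ip_address(p.src) in INSIDE
                and p.dport == 80):
            self.table[fwd] = "SYN_SENT"
            return "permit"
        return "deny"


def demo() -> dict:
    """Run the same constructed traffic through both filters; return verdicts."""
    traffic = {
        "client_syn": Packet("10.0.0.7", 40000, "203.0.113.10", 80, frozenset({"SYN"})),
        "server_synack": Packet("203.0.113.10", 80, "10.0.0.7", 40000, frozenset({"SYN", "ACK"})),
        "client_ack": Packet("10.0.0.7", 40000, "203.0.113.10", 80, frozenset({"ACK"})),
        "rogue_ack_scan": Packet("198.51.100.9", 80, "10.0.0.7", 40001, frozenset({"ACK"})),
        "rogue_backdoor": Packet("198.51.100.9", 53, "10.0.0.7", 4444, frozenset({"SYN"})),
        "client_ssh_out": Packet("10.0.0.7", 40002, "203.0.113.10", 22, frozenset({"SYN"})),
    }
    stateful = StatefulFilter()
    return {name: (static_filter(STATIC_RULES, p), stateful.filter(p))
            for name, p in traffic.items()}


if __name__ == "__main__":
    for name, (static, dynamic) in demo().items():
        print(f"{name:16s} static={static:6s} stateful={dynamic}")
```

Run stand-alone, it prints one verdict pair per packet. The point is in the two rogue packets: the static filter has to leave the whole ephemeral port range open to let legitimate replies through, so an unsolicited ACK (the signature of an ACK scan) and a connection to a high port both pass it, whereas the stateful filter denies them because no inside host ever opened those sessions. The outbound SSH attempt is denied by both, for different reasons: the static filter has no rule for port 22, the stateful filter will not create state for it.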
Proxy Servers
A Proxy Server firewall acts as an intermediary for user requests,
setting up a second connection to the desired resource either at
the application layer (an application level gateway) or at the
session or transport layer (a circuit level gateway).
A strong application proxy works at all seven layers of the OSI
model. Because it terminates the client's TCP connection itself,
the RFC-required three-way handshake is completed by the proxy's
own stack before any data is relayed, a check that pure stateful
inspection devices do not always perform. It will also ensure that
protocol headers and their lengths meet RFC requirements, hence
preventing an entire class of buffer overrun attacks against the
servers behind it (the proxy's own protocol parser now sees the
hostile input first, so it must itself be robust). Proxy code
actually "stands in" for both client and server operations,
relaying valid requests between the trusted and untrusted networks
via the proxies. Unlike Packet Filter and Stateful Inspection
firewalls, a direct connection is never allowed between the two
networks. It is important to note that the application proxy
actually builds a new request from scratch, copying only known
acceptable commands into it before forwarding it to the server
behind the firewall. The data that enters the firewall from the
outside is thus not the data that is delivered to the server, and
so the proxy effectively breaks the client-server model (but in a
good way).
With other technologies such as packet filtering there is still
a direct connection between the client and server, albeit one that
is monitored closely for abnormalities in a Stateful Inspection
architecture. However, the nature of the direct connection does
still provide the means for attackers to either hide data in unused
header fields or to bury dangerous commands within the data area.
With a Proxy Server the header-level covert channels disappear,
since the proxy generates its own headers; commands hidden in the
data area are blocked only to the extent that the proxy understands
the application protocol and refuses what it does not recognize.
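As an added example (not the article's own code, and not any product's implementation), the following Python models an application-level gateway for a minimal subset of HTTP/1.1: it parses the client's request, enforces an allow-list of methods and headers plus length limits, and then generates a fresh request of its own for the server, so no client byte is relayed verbatim. The allowed methods and headers, the limits, the upstream host name web.internal and the constructed requests are all assumptions.

```python
"""A toy application-level gateway for a small subset of HTTP/1.1.

Added example, not code from the original article: the allowed methods and
headers, the size limits and the constructed requests are assumptions chosen
to show how a proxy rebuilds a request rather than relaying the client's bytes.
"""
import re

ALLOWED_METHODS = {"GET", "HEAD"}            # assumed policy: read-only access
ALLOWED_HEADERS = {"user-agent", "accept"}   # Host is rewritten; others dropped
MAX_TARGET = 1024
MAX_HEADER_VALUE = 256
MAX_HEADERS = 32
TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")   # RFC 7230 header-name token
TARGET = re.compile(r"/[!-~]*")                       # origin-form, printable ASCII
VALUE = re.compile(r"[ -~]*")                         # printable ASCII only


class ProxyReject(Exception):
    """Raised when a request falls outside the grammar the proxy accepts."""


def parse_request(raw: bytes):
    """Parse the request line and headers, refusing anything outside the grammar.

    The body (if any) is discarded: GET and HEAD carry none, and the proxy
    never forwards bytes it has not parsed and understood.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ProxyReject("no end of headers")
    lines = head.split(b"\r\n")
    try:
        method, target, version = lines[0].decode("ascii").split(" ")
    except (UnicodeDecodeError, ValueError):
        raise ProxyReject("malformed request line")
    if method not in ALLOWED_METHODS:
        raise ProxyReject(f"method not allowed: {method}")
    if version != "HTTP/1.1":
        raise ProxyReject(f"unsupported version: {version}")
    if len(target) > MAX_TARGET or not TARGET.fullmatch(target):
        raise ProxyReject("bad request-target")
    if len(lines) - 1 > MAX_HEADERS:
        raise ProxyReject("too many headers")
    headers = []
    for line in lines[1:]:
        try:
            name, value = line.decode("ascii").split(":", 1)
        except (UnicodeDecodeError, ValueError):
            raise ProxyReject("malformed header line")
        value = value.strip()
        if (not TOKEN.fullmatch(name) or len(value) > MAX_HEADER_VALUE
                or not VALUE.fullmatch(value)):
            raise ProxyReject(f"bad header: {name[:16]}")
        headers.append((name.lower(), value))
    return method, target, headers


def rebuild_request(raw: bytes, upstream_host: str) -> bytes:
    """Build a brand-new request from the validated fields.

    Nothing from the client's bytes reaches the server except the method,
    the target and the values of explicitly recognised headers.
    """
    method, target, headers = parse_request(raw)
    kept = [(n, v) for n, v in headers if n in ALLOWED_HEADERS]
    out = [f"{method} {target} HTTP/1.1", f"Host: {upstream_host}"]
    out += [f"{n.title()}: {v}" for n, v in kept]
    out.append("Connection: close")   # the proxy owns the server-side connection
    return ("\r\n".join(out) + "\r\n\r\n").encode("ascii")


def demo() -> dict:
    """Feed constructed requests (one benign, several hostile) through the proxy."""
    requests = {
        "benign": (b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n"
                   b"User-Agent: curl/8.0\r\nX-Exfil: c2VjcmV0\r\n\r\n"),
        "overlong_header": b"GET / HTTP/1.1\r\nHost: " + b"A" * 5000 + b"\r\n\r\n",
        "bad_method": b"TRACE / HTTP/1.1\r\nHost: x\r\n\r\n",
        "ctl_in_target": b"GET /a\x00b HTTP/1.1\r\nHost: x\r\n\r\n",
        "no_terminator": b"GET / HTTP/1.1\r\nHost: x\r\n",
    }
    results = {}
    for name, raw in requests.items():
        try:
            results[name] = rebuild_request(raw, "web.internal")
        except ProxyReject as e:
            results[name] = f"rejected: {e}"
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, "->", r)
```

The benign request goes through with its unrecognised X-Exfil header discarded (one of the header-level covert channels described above); the 5000-byte Host value that a packet filter would pass untouched is refused before it reaches any server; and a request without a terminating blank line is rejected rather than guessed at. What the proxy does not model is equally instructive: had POST been allowed, anything in the request body would be checked only as far as this parser understands it, which is exactly the caveat on hidden commands in the data area.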
The penalties paid for this level of security are performance
(Proxy Server firewalls have large processor and memory
requirements in order to support many simultaneous users) and
flexibility (since the introduction of new Internet applications
and protocols can often involve significant delays while new
proxies are developed specifically to support them). Once again,
recent advances in processor speeds and SMP platforms are beginning
to provide effective arguments against the performance criticism in
well-designed systems, whilst the provision of generic proxies can
allow unsupported protocols to be handled by the firewall.
While static packet filtering alone is usually confined to the
router these days and not considered strong enough for enterprise
class firewall devices, the differences between the remaining two
architectures are negligible in most real world environments.
True proxy servers are undoubtedly the safest, but can impose a
severe overhead in heavily loaded networks if not designed
properly. Dynamic packet filtering is definitely faster, though
most of the high-end firewalls are hybrids these days,
incorporating elements of all three architectures and, arguably,
the best of all worlds.
One final consideration is the underlying operating system. Good
firewall code will not help if the OS on which the firewall is
running is itself not secured. While a dedicated firewall OS could
be considered the best solution to this problem, general-purpose
operating systems can offer a secure platform providing they are
hardened sufficiently before the firewall is installed.
However, at the end of the day, it is just as important to
ensure that you have a comprehensive security policy in place and
that your firewall is configured and managed effectively, as it is
to have a firewall in the first place.
After all, a badly configured firewall could lead to a false
sense of security, and that could be worse than leaving
yourself unprotected.
About the Author

Bob Walder, a leading authority on network
security, is one of the founders of The NSS Group. Since leaving
behind the world of IT management in 1991, Bob has been at the
cutting edge of new technology and has invested much of his time in
advising on, testing and certifying a range of security products on
behalf of end user organisations, vendors and certification bodies.
He is also a regular contributor of technical articles to the major
networking and security titles.
The NSS Group is Europe’s foremost independent network and
security testing facility. With labs in Cambridge in the UK and
Carcasonne in the south of France, The NSS Group offers a range of
specialist networking and security services to vendors and end user
organisations throughout Europe and the United States. For more
information, visit
www.nss.co.uk or e-mail
info@nss.co.uk.