Open Source Firewalls Explained
Written by LE Webmaster   
Wednesday, 26 January 2005
Hackers have computers too and want to keep their own machines free of intrusion from the Internet. Paradoxically, these computers may be the most secure computers on the Internet, because the hackers use free software that they can examine for security problems, they are the first to discover (or create) security weaknesses, and they fix their own systems as soon as loopholes are discovered. They share the security fixes with anyone who wants them, and you can take advantage of this fast response to new threats in your own network by using the same software they do. Free firewalls often suffer from a few of the same class of problems:

· Weak or missing logging and alerting features
· No real-time firewall monitoring capability
· Weak or missing graphical user interface
· Difficult command prompt-based configuration

These problems all stem from the fact that the software is developed primarily by a single individual or small team rather than by a corporation. Small teams don't have the time or money to spend on ancillary problems like ease of use or sophisticated alerting and logging mechanisms. These features, when present, are nearly always provided by an add-on package developed by a different developer. Free software is developed for people who deeply understand the problem to be solved and the operating system upon which the software runs. With network security being a strong point but ease-of-use being a weakness of these free packages, several companies have built businesses around "finishing" the free firewalls and selling the result. If you look closely, you'll find that under the hood of many of the commercial firewalls is a Linux or BSD kernel running IPChains or ipf. For plug-and-play security that may be the better solution, but if you're not afraid to roll your own firewall, then this could be for you.

Linux and IPChains or IPTables

Linux is an Internet phenomenon that baffles many people in the traditional computer software industry. Linux was an educational project of a Finnish college student named Linus Torvalds that has gone much further than originally expected. Using free software tools developed for Richard Stallman's GNU (Gnu's Not Unix) project, he wrote a simple operating system for his computer because he didn't like DOS and Windows, and nothing else was available for which he could get source code. He posted his code to the Internet and other people got interested, suggested changes, and (most importantly) sent their own additional code back to Linus to extend the little operating system. Now the little operating system is as fully complex and powerful as Windows NT or traditional Unix, and all of the source code is still available for anyone to browse, change, and fix for security problems.

Note: The biggest security advantage to Linux, according to Linux advocates, is that once a security problem in the operating system is understood, it can be diagnosed and fixed in hours or minutes, and a security patch will be posted to the Internet minutes later. Software or detailed instructions for stopping any intrusion threat are typically made available through security newsgroups and websites within a day of the threat being found. Contrast this to the time it usually takes commercial operating system companies to acknowledge a security problem, prepare a work-around, and then deliver an operating system update (hint: it usually takes longer than a day).

A significant addition to the Linux core operating system is the ability to perform packet filtering and Network Address Translation in the operating system itself. Originally called IP Masquerade because of its NAT ability, the system is now called IPChains or IPTables (depending on the version you're using—both are present in current distributions and either or both can be used), because it allows the administrator to set up chains or tables of rules that a packet must satisfy when it arrives at the Linux computer, is routed within the computer to another adapter, or exits the computer to another network.

IPChains and IPTables provide NAT and packet filtering. Protocol inspection must be provided by a higher-level service. TIS FWTK is an excellent proxy server package that interoperates well with IPChains on Linux, as well as with ipf for OpenBSD. Another option for Linux, less complete but easier to install, is Squid, which is a good HTTP proxy. Other stream-based protocols (such as SMTP, NNTP, POP, and DNS) can just be redirected to other computers using IPChains, which redirects socket connections according to rule sets you define but does not examine the redirected stream to ensure that it is in fact an SMTP, NNTP, POP, or DNS transaction.

Major Feature Set

Linux with IPChains or IPTables supports the following major features:

· Packet-filtering rules are applied to every packet as it arrives, transits the Linux routing stack, and exits. IPChains is stateless; IPTables is stateful. This is the primary functional difference between them.
· Proxies may be established by protocol-specific content filters provided by higher-level services such as TIS FWTK, Apache, or Squid.
· Network Address Translation (dynamic or static) is performed for packets transiting the routing stack to hidden, internal networks.
· DMZs can be established either by filtering access to an externally visible protected subnetwork or by redirecting virtual public addresses to address-translated protected hosts.
· VPN firewall-to-firewall and firewall-to-remote client options are provided as additional Linux components that can be downloaded from the Internet at no cost.
· Port redirection is natively provided by IPChains and IPTables.
· Clever use of IPChains or IPTables with Squid or FWTK can give you transparent proxies.
· Linux with FWTK easily gives you reverse proxies (HTTP, SMTP, FTP, etc.) as well.
· Linux with installable packages such as PoPToP or FreeS/WAN gives you platform-generic VPN options (PPTP, IPSec, etc.).
· Additional packages convert the regular Linux syslog reporting system to store logging information to databases and give you e-mail notification.

Security

Linux filters packets before they are delivered to the IP stack for processing, allowing you to protect your computer from malformed packets and other IP-level attacks. Linux provides the full range of options for packet filtering on: the SYN bit, source and destination IP addresses, source and destination ports, packet type, and most other TCP/IP header data elements. Network Address Translation is built into the packet filter, so you can use the same rules to specify the kinds of packets that will be translated and the kinds that will not.
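To make the stateless-versus-stateful distinction from the feature list concrete, here is an added Python model (not code from IPChains or IPTables) that compares a SYN-bit rule, which has no memory of earlier packets, with a connection-tracking table; the LAN prefix, addresses and packet trace are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Tcp:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


LAN_PREFIX = "10.0.0."          # constructed: the protected internal network


def from_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


def stateless_verdict(p: Tcp) -> str:
    """IPChains-style rules: LAN hosts may send anything out; inbound packets
    pass unless they are connection openers (SYN set, ACK clear). The filter
    has no memory, so any inbound packet carrying ACK is accepted whether or
    not a LAN host ever started that connection."""
    if from_lan(p.src):
        return "ACCEPT"
    if p.syn and not p.ack:
        return "DROP"            # the SYN-bit rule: no new inbound connections
    return "ACCEPT"


class StatefulFilter:
    """IPTables-style tracking: remember connections a LAN host opened and
    admit inbound packets only when they answer one. Simplified on purpose:
    real connection tracking also follows FIN/RST and ages entries out."""

    def __init__(self) -> None:
        self.conns: Set[Tuple[str, int, str, int]] = set()

    def verdict(self, p: Tcp) -> str:
        if from_lan(p.src):
            if p.syn and not p.ack:                      # NEW connection, record it
                self.conns.add((p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"
        # inbound: ESTABLISHED only if it matches a recorded LAN-initiated connection
        key = (p.dst, p.dport, p.src, p.sport)
        return "ACCEPT" if key in self.conns else "DROP"


def run_scenario() -> Dict[str, Tuple[str, str]]:
    """Constructed traffic: a LAN browser opens a connection, the web server
    replies, then an unrelated outside host sends an ACK-only probe to a port
    nobody on the LAN is using. Returns (stateless verdict, stateful verdict)."""
    trace = {
        "lan_syn":   Tcp("10.0.0.5", 40000, "203.0.113.8", 80, syn=True, ack=False),
        "reply":     Tcp("203.0.113.8", 80, "10.0.0.5", 40000, syn=True, ack=True),
        "ack_probe": Tcp("198.51.100.7", 80, "10.0.0.5", 40001, syn=False, ack=True),
    }
    tracker = StatefulFilter()
    return {name: (stateless_verdict(p), tracker.verdict(p)) for name, p in trace.items()}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:10s} stateless={stateless:6s} stateful={stateful}")
```

The ACK-only probe passes the stateless filter because it is not a SYN, while the tracker drops it because no LAN host opened that connection.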

Since Linux does not inspect the data portions of the packets it manipulates, you will need a proxy server to ensure that the traffic traversing a particular port conforms to the protocol for that port (that only HTTP requests and replies are going over port 80, for example). Many web servers will also act as HTTP proxies, and you can use servers for store-and-forward protocols (such as SMTP and NNTP) without modification as protocol proxies for their services. Ideally, you will run these services on a different computer than your firewall, and you will use address translation to redirect the appropriate traffic to and from these servers.

The Linux filtering software evaluates every packet received by the network adapters in the firewall computer according to a set of rules you established when you installed the software. The rules are applied in order, one at a time, until the filter finds a rule that matches the packet and specifies a terminal action, such as ACCEPT or DROP. Since the rules are applied in order, it is vitally important to craft the rules in the right order.

A useful feature of IPChains (and the feature that gives it its name) is the bundling of sets of rules into chains. IPChains starts out with three—INPUT, FORWARD, and OUTPUT. You can establish additional chains and use a rule in INPUT, FORWARD, or OUTPUT to direct packet analysis to the appropriate chain for that type of traffic. This structured rule management makes it easier to reason about the security of the firewall and thereby makes it easier to secure the firewall. IPTables works similarly, but provides stateful inspection.
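The ordered, first-terminal-match walk described above (the same walk the article later describes for Drawbridge, ipf and IPRoute) and the IPChains idea of jumping into a user-defined chain are modelled in this added Python example; it is not IPChains or IPTables code, and the chain name, addresses and rules are constructed to show why rule order matters.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass
class Rule:
    # target is ACCEPT, DROP, or the name of a user-defined chain to jump to
    target: str
    src: Optional[str] = None    # CIDR; None matches any address
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


TERMINAL = {"ACCEPT", "DROP"}


class Firewall:
    """Ordered evaluation: the first matching rule with a terminal action decides."""

    def __init__(self, policy: str = "DROP"):
        self.chains = {"INPUT": [], "FORWARD": [], "OUTPUT": []}
        self.policy = policy   # verdict when a built-in chain runs out of rules

    def new_chain(self, name: str) -> None:
        self.chains[name] = []

    def append(self, chain: str, rule: Rule) -> None:
        self.chains[chain].append(rule)

    def _walk(self, chain: str, p: Packet, depth: int = 0) -> Optional[str]:
        if depth > 16:
            raise RecursionError("chain jump loop")
        for rule in self.chains[chain]:
            if not rule.matches(p):
                continue
            if rule.target in TERMINAL:
                return rule.target
            verdict = self._walk(rule.target, p, depth + 1)
            if verdict is not None:
                return verdict
            # the user chain ended without a terminal match: continue with the next rule here
        return None

    def verdict(self, chain: str, p: Packet) -> str:
        v = self._walk(chain, p)
        return v if v is not None else self.policy


def build_forward(block_first: bool) -> Firewall:
    """FORWARD chain that hands port-80 traffic to a constructed 'web' chain.
    block_first decides whether the DROP for a refused network comes before
    or after the jump; only the first ordering actually enforces the block."""
    fw = Firewall(policy="DROP")
    fw.new_chain("web")
    # only the DMZ web server (constructed address) may receive port 80; never the LAN
    fw.append("web", Rule("ACCEPT", dst="192.0.2.10/32", proto="tcp", dport=80))
    fw.append("web", Rule("DROP", dst="10.0.0.0/8"))
    block = Rule("DROP", src="198.51.100.0/24")     # constructed: a network we refuse
    jump = Rule("web", proto="tcp", dport=80)
    for r in ([block, jump] if block_first else [jump, block]):
        fw.append("FORWARD", r)
    fw.append("FORWARD", Rule("ACCEPT", src="10.0.0.0/8"))   # LAN hosts may go out
    return fw


if __name__ == "__main__":
    noisy = Packet("198.51.100.7", "192.0.2.10", "tcp", 80)
    print("block before jump:", build_forward(True).verdict("FORWARD", noisy))   # DROP
    print("jump before block:", build_forward(False).verdict("FORWARD", noisy))  # ACCEPT
```

With the jump first, the refused network reaches the web server because the web chain accepts before the DROP rule is ever consulted; a user chain that matches nothing terminal simply returns control to the calling chain.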

Cost and Support

You can find many versions of Linux distributed at no cost. You can also purchase it from several different vendors, including the very popular Red Hat, but you don't have to buy even those copies more than once. Install it on as many servers as you feel like, and protect as many clients as you want. The biggest costs for using Linux are the cost of the computer used to run it and the cost of the time spent by you or the administrator to configure and manage it.

Minimum platform requirements for Linux are easy to meet and should not be expensive:

· A distribution of Linux with IPChains or IPTables
· 486 processor or better, including any processor architecture for which a version of Linux exists
· At least two network interfaces
· 200MB of disk space
· 32MB RAM

The Trusted Information Systems Firewall Toolkit (TIS FWTK)

The TIS FWTK is the granddaddy of freely available firewalls. You can download versions for Linux, NetBSD, Solaris, as well as just about any other flavor of Unix you can think of. If you need a firewall and you have a spare Unix workstation collecting dust in a corner, this may be the firewall for you.

FWTK was created for the Defense Advanced Research Projects Agency (DARPA) by TIS when DARPA realized that no packet filter would be secure enough to filter protocol content. After fulfilling the terms of their contract with DARPA (which includes making the code public domain), TIS further extended the firewalling concept into a commercial suite known as the Gauntlet Firewall. TIS was acquired by NAI recently, making Gauntlet Firewall a component of the PGP Active Security Suite. FWTK is now maintained by an Internet consortium at http://www.fwtk.org/.

FWTK is not a packet filter. Instead it comes with protocol-scrubbing proxies for Telnet, Rlogin, SMTP, FTP, HTTP, and X-Windows. In addition, it comes with a generic TCP passthrough redirector (a SOCKS proxy). FWTK also extends its security controls into the Unix LAN environment, providing centralized network login and resource control using the netacl and authserv utilities.

Major Feature Set

FWTK supports the following major features:

· Protocol-specific content filters are provided by included proxy components.
· Centralized network login and resource access control for Unix computers is maintained using the TIS security mechanisms.

Minor Feature Set

FWTK supports the following minor features:

· Performance of FWTK is relatively fast.
· Command-line based configuration requires more skill in administration, but allows you to store policies in text files and use scripting tools for dynamic policy management.
· Remote management using secure shell (SSH) or a web interface allows you to manage your firewall from other computers in your LAN.
· Address Translation and forwarding for sockets are performed using the FWTK generic TCP plug-board.

Security

FWTK does not filter packets before they are delivered to the IP stack for processing. You must use some other package to protect your computer from malformed packets and other IP-level attacks (IPChains for Linux or ipf for OpenBSD are good choices). FWTK is a proxy server; it examines the data portions of IP packets to ensure that the traffic traversing a particular port conforms to the protocol for that port (that only HTTP requests and replies are going over port 80 for example). This ensures, for example, that a hacker doesn't use port 80 to access a Trojan horse with its own protocol because your packet filter allows packets in the network to port 80 for HTTP services. FWTK evaluates data received by the network adapters in the firewall computer according to a set of rules established in its net-perm rule table. The rules are defined according to the port to which the data was sent, while permissions are defined according to the source and destination of the data.

Cost and Support

The FWTK is freely downloadable, and you can use it without licensing fees. The greatest costs are the time it takes to set it up and the time spent by you or the administrator to configure and manage it.

Minimum platform requirements for FWTK (on Linux) are easy to meet and should not be expensive:

· 486 processor or better
· At least two network interfaces
· 200MB of disk space
· 32MB RAM

FreeBSD and Drawbridge

Linux isn't the only free operating system out there—another free Unix operating system shares its tradition of software freely distributed with source code. It is called FreeBSD, and is also used widely (although less visibly) on the Internet to provide network services including web serving, routing, and firewalling. When Texas A&M University found itself under concerted network attack from a horde of hackers, it needed a flexible and stable platform that it could build on to create a firewall that fit its specific needs; it chose FreeBSD and called the resulting packet filter Drawbridge.

Drawbridge, unlike IPChains, is not a part of the operating system; it's a user-level program that directly controls the network adapters of the host computer. Like other packet filters, Drawbridge uses lists of rules to process packets. Since it was developed at a university where all of the computers are expected to be a part of the Internet as a whole, Drawbridge does not perform Network Address Translation.

Where the TAMU software shines, however, is in its ability to report and act on suspicious activity using the components called tcplogger, udplogger, netwatch, and netstat. Universities have lots of interesting computers that are juicy targets for hackers. Unfortunately, the threat doesn't just come from the outside—university network administrators have to protect themselves from attacks from within their computer labs as well. Since universities are based on the precept of fostering communication, not restricting it, a draconian security policy isn't practical. Instead the administrators keep a watchful eye on network activity and stay ready to swiftly respond to threats.

Major Feature Set

FreeBSD with Drawbridge supports the following major features:

· Packet filtering rules are applied to every packet by Drawbridge before being passed to the FreeBSD network stack.
· Protocol-specific content filters are provided by higher-level services such as Apache and Jigsaw.
· VPN firewall-to-firewall and firewall-to-remote client options are provided as additional

Minor Feature Set

FreeBSD with Drawbridge supports the following minor features:

· Performance of FreeBSD with Drawbridge is fast. It can easily handle a busy LAN connection to the Internet.
· Command-line based configuration requires more skill in administration but allows you to store policies in text files and use scripting tools for dynamic policy management.
· Remote management using secure shell (ssh) or remote control software such as VNC allows you to manage your firewall from other computers in your LAN.

Security

Drawbridge filters packets before they are delivered to the IP stack for processing, allowing you to protect your computer from malformed packets and other IP-level attacks. Drawbridge provides the full range of options for packet filtering on: the SYN bit, source and destination IP addresses, source and destination ports, packet type, and so on.

Since Drawbridge does not inspect the data portions of the packets it manipulates, you will need a proxy server to ensure that the traffic traversing a particular port conforms to the protocol for that port (that only HTTP requests and replies are going over port 80, for example). Many web servers will also act as HTTP proxies, and you can use servers for store-and-forward protocols (such as SMTP and NNTP) unmodified as protocol proxies for their services. Ideally, you will run these services on a different computer than your firewall, and you will use address translation to redirect the appropriate traffic to and from these servers.

Drawbridge evaluates every packet received by the network adapters in the firewall computer according to a set of rules stored in its database in RAM (loaded when Drawbridge starts). The rules are applied in order, one at a time, until Drawbridge finds a rule that matches the packet and specifies a terminal action, such as ACCEPT or DROP. Since the rules are applied in order, it is vitally important to craft the rules in the right order.

The tcplogger, udplogger, netwatch, and netstat utilities (which don't necessarily have to run on the same computer as Drawbridge) scan all of the packets crossing or passing by the computer they are run on. Sophisticated analysis algorithms identify suspicious activity such as root logon attempts from off-campus, excessive FTP traffic coming from a computer that shouldn't be hosting an FTP server, and so on.

Cost and Support

Drawbridge is distributed at no cost. Install it on as many servers as you feel like, and protect as many clients as you want. The biggest costs for using Drawbridge are the cost of the computer used to run it and the cost of the time spent by you or the administrator to configure and manage it.

Minimum platform requirements for FreeBSD with Drawbridge are easy to meet and should not be expensive:

· 486 processor or better
· At least two network interfaces
· 200MB of disk space
· 32MB RAM

OpenBSD and Ipf

Another free operating system is rapidly becoming the security standard against which other operating systems are being compared (and unfavorably at that). OpenBSD was created by a group of security-minded BSD programmers who were unhappy with the deplorable frequency with which hackers had been finding holes in modern operating systems. Thus, they made their own version of BSD, which they proactively comb for security vulnerabilities and which they completely review whenever a new kind of security hole is found.

Ipf for OpenBSD performs the same function (packet filtering and Network Address Translation) as IPChains or IPTables does for Linux and Drawbridge does for FreeBSD. If you want application proxies, you will have to install another service on top of OpenBSD—such as Squid or the TIS FWTK.

Major Feature Set

OpenBSD with ipf supports the following major features:

· Stateless packet-filtering rules are applied to every packet as it arrives, transits the OpenBSD routing stack, and exits.
· Proxies may be established by protocol-specific content filters provided by higher-level services such as TIS FWTK, Apache, or Squid.
· Network Address Translation (dynamic or static) is performed for packets transiting the routing stack to hidden, internal networks.
· DMZs can be established either by filtering access to an externally visible, protected subnetwork or by redirecting virtual public addresses to address-translated, protected hosts.
· VPN firewall-to-firewall and firewall-to-remote client options are provided using built-in IPSec functionality.
· Port redirection is natively provided by ipf.
· Clever use of ipf with Squid or FWTK can give you transparent proxies.
· OpenBSD with FWTK easily gives you reverse proxies (HTTP, SMTP, FTP, etc.) as well.
· Additional packages convert the regular OpenBSD Syslog reporting system to store logging information to databases and give you e-mail notification.

Minor Feature Set

OpenBSD with ipf supports the following minor features:

· Performance of OpenBSD packet firewalling is fast. Since it is integrated with the OpenBSD IP stack, the packet filter avoids the overhead of other firewalls that are implemented as user-level programs. This solution can easily handle a busy LAN connection to the Internet, even with Network Address Translation enabled.
· Command-line based configuration requires more skill in administration, but allows you to store policies in text files and use scripting tools for dynamic policy management.
· Remote management (using secure shell (ssh) or remote control software such as VNC)

Security

OpenBSD has one of the most robust IP-level packet filters you can get. Not only does it protect against typical attacks such as source routing, malformed packets, and so on, but it also guards against more esoteric threats such as connection hijacking by TCP sequence number prediction. Ipf gives you all the regular rule options, such as filtering on the SYN bit, source and destination IP addresses, source and destination ports, packet type, and most other TCP/IP header data elements. Network Address Translation is built into the packet filter, so you can use the same rules to specify the kinds of packets that will be translated and the kinds that will not.

Since OpenBSD does not inspect the data portions of the packets it manipulates, you will need a proxy server to ensure that the traffic traversing a particular port conforms to the protocol for that port (that only HTTP requests and replies are going over port 80, for example). (See the sections on Squid and the TIS FWTK package.) Many web servers will also act as HTTP proxies, and you can use servers for store-and-forward protocols (such as SMTP and NNTP) without modification as protocol proxies for their services. Ideally, you will run these services on a computer other than your firewall, and you will use address translation to redirect the appropriate traffic to and from these servers.

The OpenBSD filtering software evaluates every packet received by the network adapters in the firewall computer, according to a set of rules you established when you installed the software. The rules are applied in order, one at a time, until the filter finds a rule that matches the packet and specifies a terminal action, such as ACCEPT or DROP. Since the rules are applied in order, it is vitally important to craft the rules in the right order.

Cost and Support

You can download OpenBSD from http://www.openbsd.org/ for free, or you can order the installation CD-ROMs for a modest price. The biggest costs for using OpenBSD are the cost of the computer used to run it and the cost of the time spent by you or the administrator to configure and manage it.

One great feature of OpenBSD is the online installation option that works entirely over the Internet. The process is simple: You download a boot floppy image, write it to an actual floppy, and use it to boot. The boot floppy asks for IP address information upon boot and then connects to the OpenBSD download site automatically, downloading and installing OpenBSD from the remote site. It's as fast as your download would have been anyway, completely up-to-date, and eliminates the CD-ROM/file shuffle that would normally take place. Other OS vendors should take a lesson from this very modern installation option.

Minimum platform requirements for OpenBSD are easy to meet and should not be expensive:

· A recent distribution of OpenBSD
· 486 processor or better, including any processor architecture for which a version of OpenBSD exists
· At least two network interfaces
· 200MB of disk space
· 32MB RAM

Packet Filtering with DOS and IPRoute

Some readers who have been using the Internet for a decade or more may be wondering why modern packet filters require a computer as powerful as a supercomputer used to be just to push packets around. After all, a Pentium computer is a fast processor, and even 8 megabytes of RAM is a lot compared to the computers of a decade ago, all of which operated on the Internet just fine. Many organizations have plenty of obsolete 286 and 386 computers lying around.

IPRoute is a packet filter and Network Address Translator that runs on DOS, allowing you to use those older, less powerful computers. IPRoute is not exactly free (there is a $50 license fee), but then neither is DOS, and the money you will save by recycling your otherwise useless computers more than makes up the difference in cost.

Just because IPRoute runs on DOS doesn't mean it is limited in functionality. It is a fully functional packet filter and NAT, and it even provides dial-on-demand IP connections for home networks and workgroups that use modems to connect to the Internet. This functionality makes IPRoute especially useful for home offices and very small companies that don't have a constant IP connection.

Major Feature Set

IPRoute supports the following major features:

· Stateless packet-filtering rules are applied to every packet as it arrives, transits the IPRoute routing stack, and exits.
· Network Address Translation is performed for packets transiting the routing stack to hidden, internal networks.
· IPRoute will automatically establish dial-up connections for intermittent IP links.
· VPN between IPRoute installations is included in U.S.-only distributions of the software.
· IPRoute includes the ability to combine dial-up connections to increase available bandwidth.

Minor Feature Set

IPRoute supports the following minor features:

Performance of IPRoute on top of DOS isn't the fastest, especially on an older and slower computer, but then IPRoute is most often used for slower Internet connections such as dial-up analog modems or ISDN anyway. IPRoute is entirely sufficient for connection speeds less than 1Mbps.

Command-line based configuration requires more skill in administration but allows you to store policies in text files and use scripting tools for dynamic policy management.

Address Translation and forwarding for sockets is performed using the IPRoute rules allowing you to redirect traffic for particular services (such as HTTP, SMTP, and POP) to protected internal servers.

Security

Since DOS doesn't have a built-in IP protocol stack, IPRoute implements one, as well as the packet-filtering and NAT functions. All packets are processed by the packet filter before being routed or translated. IPRoute provides the full range of packet-filtering options, including the SYN bit, source and destination IP addresses, source and destination ports, packet type, and so on. Because IPRoute does not inspect the data portions of the packets, and because DOS is a single-tasking operating system, you will need a proxy server running on another computer to ensure that the traffic traversing a particular port conforms to the protocol for that port (that only HTTP requests and replies are going over port 80, for example). Many web servers will also act as HTTP proxies, and you can use servers for store-and-forward protocols (such as SMTP and NNTP) unmodified as protocol proxies for their services. Ideally you should use address translation to redirect the appropriate traffic to and from these servers.

IPRoute evaluates every packet received by the network adapters in the firewall computer according to a set of rules stored in its database in RAM (loaded when IPRoute starts). The rules are applied in order, one at a time, until IPRoute finds a rule that matches the packet and specifies a terminal action, such as ACCEPT or DROP. Since the rules are applied in order, it is vitally important to craft the rules in the right order.

Cost and Support

IPRoute is commercial software; you have to pay a $50 license to run it. You can download a 30-day, time-limited evaluation copy to try it out, however. Technically, you must also have a licensed copy of MS-DOS, but IPRoute should run just fine on FreeDOS.

Minimum platform requirements for IPRoute can be met by almost any IBM compatible computer that you can actually get to boot:

· 286 processor or better
· At least two network interfaces, with DOS packet drivers
· A floppy or hard drive (capacity unimportant)

Last Word

Are you looking for freedom from licensing costs, or are you more concerned with freedom from configuration hassles? Do you want to be free to fix the bugs in the software yourself, or is it more important that you be able to require the vendor to fix the security hole? The firewalls reviewed in this article are not without cost, even monetary cost, because the time it takes you to set them up has value too (presumably).

That said, a system administrator well versed in Unix lore and proficient with scripting tools may in fact be better able to tailor these firewalls to your network's needs than he or she would be able to make Firewall-1 or a handful of SonicWALLs do the job. The tool must fit the job, and the tool must fit the tool user.

We use both free and proprietary firewalls in networks we manage. For the majority of our medium-sized customers, we have dedicated firewalls connecting their LANs to the Internet. These devices are easy to set up, require little maintenance, and have all the features our customers need. Our own requirements are a little more sophisticated, however, because we must protect our own servers, maintain IPSec connections to our clients' networks for monitoring and rapid incident response, and have access back into our own network from roaming laptops wherever we may be, even behind a NAT. Oftentimes, we have to use one VPN connection from a laptop to get to where we can use another VPN connection to remotely fix a client problem, and VPN client software is notoriously unfriendly to other VPN software running on the same computer. For that reason, we have a heavy-duty commercial firewall protecting our LAN and maintaining VPN connections to our clients (isolating the clients from each other), while we VPN into (DMZ-isolated) free-software based servers for remote and bounce-through access. This mixed bag of technology suits us, because we have to understand the systems anyway.


© Copyright 2002-2008 - Linux Exposed - Sponsored by ConsultPlanet http://www.consultplanet.nl - Contact Linux Exposed