Nations without controlled borders cannot ensure the security and safety of
their citizens, nor can they prevent piracy and theft. Networks without
controlled access cannot ensure the security or privacy of stored data, nor can
they keep network resources from being exploited by hackers. The communication
efficiency provided by the Internet has caused a rush to attach private networks
directly to it. Direct Internet connections make it easy for hackers to exploit
private network resources. Prior to the Internet, the only widely available way
for a hacker to connect from home to a private network was by direct dialing
with modems and the public telephony network. Remote access security was a
relatively small issue
When you connect your private network to the Internet, you are actually
connecting your network directly to every other network that's attached to the
Internet directly. There's no inherent central point of security control in
fact, there's no inherent security at all. Firewalls are used to create security
checkpoints at the boundaries of private networks. At these checkpoints,
firewalls inspect all packets passing between the private network and the
Internet and determine whether to pass or drop the packets depending on how they
match the policy rules programmed into the firewall. If your firewall is
properly configured, is capable of inspecting every protocol you allow to pass,
and contains no serious exploitable bugs, your network will be as free from risk
as possible.
There are literally hundreds of firewall products available,
and there are different theories from different security experts on how
firewalls should be used to secure your network. This article will explore the
operation of a generic firewall in detail, outline the important features you
need in a firewall, and discuss how firewalls should be deployed in networks of
any size.
Firewall Elements
Firewalls keep your Internet
connection as secure as possible by inspecting and then approving or rejecting
each connection attempt made between your internal network and external networks
like the Internet. Strong firewalls protect your network at all software layers
from the Data Link layer up through the Application layer.
Firewalls sit
on the borders of your network, connected directly to the circuits that provide
access to other networks. For that reason, firewalls are frequently referred to
as border security. The concept of border security is important without it,
every host on your network would have to perform the functions of a firewall
themselves, needlessly consuming computer resources and increasing the amount of
time required to connect, authenticate, and encrypt data in local area,
high-speed networks. Firewalls allow you to centralize all external security
services in machines that are optimized for and dedicated to the task.
Inspecting traffic at the border gateways also has the benefit of preventing
hacking traffic from consuming the bandwidth on your internal network.
By
their nature, firewalls create bottlenecks between the internal and external
networks, because all traffic transiting between the internal network and the
external must pass through a single point of control. This is a small price to
pay for security. Since external leased-line connections are relatively slow
compared to the speed of modern computers, the latency caused by firewalls can
be completely transparent. For most users, relatively inexpensive firewall
devices are more than sufficient to keep up with a standard T1 connection to the
Internet. For businesses and ISPs whose Internet traffic is far higher, a new
breed of extremely high-speed (and high-cost) firewalls have been developed,
which can keep up with even the most demanding private networks. Some countries
actually censor the Internet using high-speed firewalls.
Firewalls
function primarily by using three fundamental methods:
Packet
Filtering Rejects TCP/IP packets from unauthorized hosts and reject connection
attempts to unauthorized services.
Network Address Translation (NAT)
Translates the IP addresses of internal hosts to hide them from outside
monitoring. You may hear of NAT referred to as IP masquerading.
Proxy
Services Makes high-level application connections on behalf of internal hosts in
order to completely break the network layer connection between internal and
external hosts.
You can use devices or servers that perform only one of
the above functions; for instance, you could have a router that performs packet
filtering, and then a proxy server in a separate machine. This way, the packet
filter must either pass traffic through to the proxy server, or the proxy server
must sit outside your network without the protection of packet filtering. Both
are more dangerous than using a single firewall product that performs all the
security functions in one place. Most firewalls also perform two other important
security services:
Encrypted Authentication Allows users on the public
network to prove their identity to the firewall, in order to gain access to the
private network from external locations.
Virtual Private Networking
Establishes a secure connection between two private networks over a public
medium like the Internet. This allows physically separated networks to use the
Internet rather than leased-line connections to communicate. VPNs are also
called encrypted tunnels.
Some firewalls also provide additional
subscription-based services that are not strictly related to security, but which
many users will find useful:
Virus Scanning Searches inbound data streams
for the signatures of viruses. Keeping up with current virus signatures requires
a subscription to the virus update service provided by the firewall
vendor.
Content Filtering Allows you to block internal users from
accessing certain types of content by category, such as pornography, hate-group
propaganda, pornography, hacking information, and pornography. Keeping up with
the current list of blocked sites for a specific category also requires a
subscription.
Nearly all firewalls use these basic methods to provide a
security service. There are literally hundreds of firewall products on the
market now, all vying for your security dollar. Most are very strong products
that vary only in superficial details.
Packet Filters
The
first Internet firewalls were simply packet filters, and packet filtering
remains one of the key functions of today's firewalls. Filters compare network
protocols (such as IP) and transport protocol packets (such as TCP) to a
database of rules and forward only those packets that conform to the criteria
specified in the database of rules. Filters can either be implemented in routers
or in the TCP/IP stacks of servers.
Filters implemented inside routers
prevent suspicious traffic from reaching the destination network, whereas TCP/IP
filter modules in servers merely prevent that specific machine from responding
to suspicious traffic. The traffic still reaches the network and could target
any machine on it. Filtered routers protect all the machines on the destination
network from suspicious traffic. For that reason, filtering in the TCP/IP stacks
of servers (such as that provided by Windows NT+) should only be used in
addition to router filtering, not instead of it.
Filters typically
follow these rules:
Drop inbound connection attempts but allow
outbound connection attempts to pass.
Eliminate TCP packets bound for
those ports that shouldn't be available to the Internet (such as the NetBIOS
session port) but allow packets that should be available (such as SMTP) to pass.
Most filters can specify exactly which server a specific sort of traffic should
go to for instance, SMTP traffic on port 25 should only go to the IP address of
a mail server.
Restrict inbound access to certain IP
ranges.
Sophisticated filters examine the states of all connections that
flow through them, looking for the telltale signs of hacking, such as source
routing, ICMP redirection, and IP spoofing. Connections that exhibit these
characteristics are dropped.
Internal clients are generally allowed to
create connections to outside hosts, and external hosts are usually prevented
from initiating connection attempts. When an internal host decides to initiate a
TCP connection, it sends a TCP message to the IP address and port number of the
public server (for example, http://www.linuxexposed.com/ to connect to Linux Exposed's
website). In the connection initiation message, it tells the remote server what
its IP address is and on which port it is listening for a response (for example,
localhost:2050).
The external server sends data back by transmitting it
to the port given by the internal client. Since your firewall inspects all the
traffic exchanged between both hosts, it knows that the connection was initiated
by an internal host attached to its internal interface, what that host's IP
address is, and on what port that host expects to receive return traffic. The
firewall then remembers to allow the host addressed in the connection message to
return traffic to the internal host's IP address only at the port
specified.
When the hosts involved in the connection close down the TCP
connection, the firewall removes the entry in its state table (its connection
memory) that allows the remote host to return traffic to the internal host. If
the internal host stops responding before closing the TCP connection (because,
for example, it has crashed), or if the protocol in question does not support
sessions (for example, UDP), the firewall will remove the entry in its state
table after a programmed timeout of a few minutes.
Operating System
Filtering
You might not be aware that most versions of UNIX and
Windows include packet filtering in the TCP/IP protocol interface. You can use
this filtering in addition to a strong firewall to control access to individual
servers; you can also use this filtering to provide an additional measure of
internal security inside your organization without the cost of a firewall. Just
as filtering alone is not sufficient to protect your network entirely, your
operating system's internal filtering is not sufficient to create a completely
secure environment.
Security Limitations of Packet
Filtering
Filtering does not completely solve the Internet security
problem. First, the IP addresses of computers inside the filter are present in
outbound traffic, which makes it somewhat easy to determine the type and number
of Internet hosts inside a filter and to target attacks against those addresses.
Filtering does not hide the identity of hosts inside the
filter.
Additionally, filters cannot check all the fragments of an IP
message based on higher-level protocols like TCP headers because the header
exists only in the first fragment. Subsequent fragments have no header
information and can only be compared to IP level rules, which are usually
relaxed to allow some traffic through the filter. This allows bugs in the
destination IP stacks of computers on the network to be exploited, and could
allow communications with a Trojan horse installed inside the network. More
modern true firewalls support rebuilding fragmented packets and then applying
firewall rules to them.
Finally, filters are not complex enough to check
the legitimacy of the protocols inside the network layer packets. For example,
filters don't inspect the HTTP packets contained in TCP packets to determine if
they contain exploits that target the web browser or web server on your end of
the connection. Most modern hacking attempts are based upon exploiting these
higher-level services because firewalls have nearly eliminated successful
Network layer-hacking beyond the nuisance of denial-of-service
attacks.
General Rules for Packet Filtering
There are two
basic approaches you can take to security: Pessimistic, where you disable all
access except that which you know is necessary, and optimistic, where you allow
all traffic except that which you know is harmful. For security purposes, you
should always take a pessimistic approach, because the optimistic approach
presumes that you know every possible threat in advance, which is not possible.
Consider the following general guidelines when you use packet
filtering:
Disallow all protocols and addresses by default, and then
explicitly allow services and hosts you wish to support.
Disallow all
connection attempts to hosts inside your network. By allowing any inbound
connections, you allow hackers to establish connections to Trojan horses or
exploit bugs in service software.
Filter out and do not respond to ICMP
redirect and echo (ping) messages. Drop all packets that are TCP source routed.
Source routing is rarely used for legitimate purposes.
Drop all external
routing protocol (RIP, OSPF) updates bound for internal routers. No one outside
your network should be transmitting RIP updates.
Consider disallowing
fragments beyond number zero, since this functionality is largely obsolete and
often exploited.
Place public service hosts like web servers and SMTP
servers outside your packet filters rather than opening holes through your
packet filters.
Do not rely upon packet filtering alone to protect your
network.
Network Address Translation
Network Address
Translation (NAT) solves the problem of hiding internal hosts. NAT is actually a
network layer proxy: A single host makes requests on behalf of all internal
hosts, thus hiding their identity from the public network. Windows 2000,2003 and
XP, Linux, and many modern UNIX operating systems provide this function as part
of the operating system distribution. Windows NT does not.
NAT hides
internal IP addresses by converting all internal host addresses to the address
of the firewall. The firewall then retransmits the data payload of the internal
host from its own address using the TCP port number to keep track of which
connections on the public side map to which hosts on the private side. To the
Internet, all the traffic on your network appears to be coming from one
extremely busy computer.
NAT effectively hides all TCP/IP-level
information about your internal hosts from prying eyes on the Internet. Address
translation also allows you to use any IP address range you want on your
internal network even if those addresses are already in use elsewhere on the
Internet. This means you don't have to request a large block of IP addresses
from ARIN or reassign network numbers from those you simply plugged in before
you connected your network to the Internet.
Finally, NAT allows you to
multiplex a single public IP address across an entire network. Many small
companies rely upon the services of an upstream Internet service provider that
may be reluctant to provide large blocks of addresses because their own range is
relatively restricted. You may want to share a single dial-up or cable modem
address without telling your ISP. These options are all possible using network
address translation.
On the down side, NAT is implemented only at the
TCP/IP level. This means that information hidden in the data payload of TCP/IP
traffic could be transmitted to a higher-level service and used to exploit
weaknesses in higher-level traffic or to communicate with a Trojan horse. You'll
still have to use a higher-level service like a proxy to prevent higher-level
service security breaches.
Additionally, many protocols also include the
host's IP address in the data payload, so when the address is rewritten while
passing through the NAT, the address in the payload becomes invalid. This occurs
with active-mode FTP, H.323, IPSec, and nearly every other protocol that relies
upon establishing a secondary communication stream between the client and the
server.
NAT is also a problem for network administrators who may want to
connect to clients behind the NAT for administrative purposes. Because the NAT
has only one IP address, there's no way to specify which internal client you
want to reach. This keeps hackers from connecting to internal clients, but it
also keeps legitimate users at bay as well. Fortunately, most modern NAT
implementations allow you to create port-forwarding rules that allow internal
hosts to be reached.
Proxies
NAT solves many of the
problems associated with direct Internet connections, but it still doesn't
completely restrict the flow of packets through your firewall. It's possible for
someone with a network monitor to watch traffic coming out of your firewall and
determine that the firewall is translating addresses for other machines. It is
then possible for a hacker to hijack TCP connections or to spoof connections
back through the firewall.
Application-level proxies prevent this. They
allow you to completely disconnect the flow of network-level protocols through
your firewall and restrict traffic only to higher-level protocols like HTTP,
FTP, and SMTP. Application-level proxies are a combination of a server and a
client for the specific protocol in question. For example, a web proxy is a
combination of a web server and a web client. The protocol server side of the
proxy accepts connections from clients on the internal network, and the protocol
client side of the proxy connects to the public server. When the client side of
the proxy receives data from the public server, the server side of the proxy
application sends it to the ultimate inside client.
Application proxies
(like Microsoft Proxy Server or Squid) are unlike Network Address Translators
and filters in that the Internet client application is (usually) set up to talk
to the proxy. For instance, you tell Internet Explorer the address of your web
proxy, and Internet Explorer sends all web requests to that server rather than
resolving the IP address and establishing a connection
directly.
Application proxies don't have to run on firewalls; any server,
either inside or outside your network, can perform the role of a proxy. Without
a firewall, you still don't have any real security, so you need both. At least
some sort of packet filter must be in place to protect the proxy server from
network layer denial-of-service attacks (like the infamous "ping of death").
And, if the proxy doesn't run on the firewall, you'll have to open a channel
through your firewall one way or another. Ideally, your firewall should perform
the proxy function. This keeps packets from the public side from being forwarded
through your firewall.
Some firewall proxies are more sophisticated than
others. Some have the functionality of an IP filter and masquerade, so they can
simply block outbound connection attempts (on port 80 in the case of HTTP) to
remote hosts rather than having the client software configured to address the
proxy service specifically. The firewall proxy then connects to the remote
server and requests data on behalf of the blocked client. The retrieved data is
returned to the requesting client using the firewall's NAT functionality in
order to look just like the actual remote server. Proxies that operate in this
manner are said to be transparent.
Security proxies are even capable of
performing application-level filtering for specific content. For instance, some
firewall HTTP proxies look for tags in HTML pages that refer to Java or ActiveX
embedded applets and then strip out that content from them. This prevents the
applet from executing on your client computers and eliminates the risk that a
user will accidentally download a Trojan horse. This sort of filtering is
extremely important because filtering, proxying, and masquerading can't prevent
your network from being compromised if your users are lured into downloading a
Trojan horse embedded in an ActiveX applet.
You may have noticed that as
we climb through the networking layers, the security services have gotten more
specific. For instance, filtering is specific to IP and then to TCP and UDP.
Applications that use IP with other protocols like Banyan Vines must use special
high-cost or unusually robust firewalls.
Proxies are extremely specific
because they can only work for a specific application. For instance, you must
have a proxy software module for HTTP, another proxy module for FTP, and another
module for Telnet. As these protocols evolve (HTTP is particularly fast moving),
the proxy module for that protocol will have to be updated.
Many
protocols are either proprietary or rare enough that no security proxies exist.
Proxies don't exist for proprietary application protocols like Lotus Notes, so
those protocols must either be sent through a Network layer filter or be proxied
by a generic TCP proxy that regenerates the packet but simply transfers the
payload. SOCKS is a specific form of generic proxy, which are sometimes called
circuit-level gateways. Although generic proxying cannot prevent attacks from
the content of a protocol, it is still more secure than filtered routing because
the Network layer packets are completely regenerated and thus scrubbed of
malformations that might not be detected by the firewall.
In many cases,
you "roll-your-own" proxy by using a combination of the protocol server and the
protocol's client on the same machine. For example, say you've got a network
that is disconnected from the Internet, but a Windows server has two network
interfaces, one on the Internet and one on the private network. If you use the
Terminal Services functionality of Windows 2000/2003 to attach to the server on
its public side, you can then run a Terminal Services client on that machine to
reach a machine on the interior of the network. In practice, this actually works
a lot better than you might presume, although it's not a particularly good
security practice.
Whenever possible, use proxy servers for all
application protocols. Consider disallowing services for which you do not have
proxy servers. Use high-level proxies capable of stripping executable content,
like ActiveX and Java, from web pages.
Virtual Private
Networks
Virtual Private Networks (VPNs), also called encrypted
tunnels, allow you to securely connect two physically separated networks over
the Internet without exposing your data to viewing by unauthorized intermediate
parties. VPNs by themselves could be subject to redirection attempts, spoofed
connection initiation, and all manner of hacking indignity while the tunnel is
being established. But when implemented as an integral part of a firewall, the
firewall authentication and security services can be used to prevent
exploitation while the tunnel is being established.
Once established,
VPNs are impervious to exploitation so long as the encryption remains secure.
And, since firewalls sit at the Internet borders, they exist at the perfect
terminal points for each end of the tunnel. Essentially, your private networks
can pass traffic as if they were two subnets in the same domain.
VPNs
also allow users to address remote internal hosts directly by their hidden IP
addresses; Network Address Translators and packet filters would prevent this if
the connection attempt came directly from the Internet.
Use leased lines
rather than VPNs whenever it is cost effective. Use VPNs for all communications
over the Internet between organizational units when leased lines are not
available or are cost prohibitive. If you are using VPNs as your primary
connection method between organizational units, you'll have far better
performance if you use the same ISP at every site, because the VPN traffic won't
have to be routed through the congested commercial Internet exchanges. Never
communicate private information between organizational units over the Internet
without using some form of encryption. Unencrypted packet headers contain
valuable nuggets of information about the structure of your internal
network.
Technically, leased lines are not guaranteed to be secure
either, but they are free of Internet hackers. If you need to secure your data
from the possibility of government wiretaps or serious corporate espionage, you
should use a VPN over leased lines as well.
Encrypted
Authentication
Encrypted authentication allows external users on the
Internet to prove to a firewall that they are authorized users and thereby
authorized to open a connection through the firewall to the internal network.
The encrypted authentication might use any number of secure authentication
protocols. Once the connection is established, it may or may not be encrypted,
depending upon the firewall product in use and whether additional software has
been installed on the client to support tunneling.
Using encryption
authentication is convenient because it occurs at the transport level between a
client software package and the firewall. Once the connection is open, all
normal application software and operating system logon software will run without
hindrance so you don't have to use special software packages that support your
specific firewall.
Creating Effective Border Security
To
maintain the absolute minimum level of effective Internet security, you must
control your border security using firewalls that perform all three of the basic
firewall functions (packet filtering, Network Address Translation, and
high-level service proxying). Your firewalls must also be dedicated primarily to
the performance of firewall functions; avoid the temptation to run other
services such as mail, web, or other public services on the firewall unless the
service software comes from the firewall software vendor. Even in this case, be
aware that you are increasing your risk, because a bug in any of the high-level
services running on your firewall might be exploited to bypass the firewall
completely. This recommendation is not as theoretical as it sounds: Unix
Sendmail is notorious for the number of buffer-overrun attacks it has been
susceptible to, as is Internet Information Services, the Windows web server. If
these services run on your firewall, it can be compromised easily.
Again,
simply minimize the services running on the firewalls. This reduces the
complexity of the software running on the machine, thereby reducing the
probability that a bug in the operating system or security software will allow a
security breach. In the case of Windows, very few of the services in the service
Control Panel are needed for a computer running only as a firewall. Turn off all
services that the server will allow you to shut off and set them to start
manually. In the case of Linux, install only those packages necessary for the
operation of the firewall, or select the "firewall" installation option if the
distribution has one. Normally, you won't have to deal with this because the
firewall software installation program will shut down all unnecessary services
for you. If it doesn't, look elsewhere for firewall software.
It's always
tempting to pile services like HTTP, FTP, Telnet, Gopher, and mail onto the same
machine you use as an Internet router and firewall because it's cheaper and
because that machine probably has a lot of spare compute time and disk space.
Unfortunately, few operating systems are both secure enough and bug-free enough
to guarantee that services won't interfere with each other or that a service
won't crash the firewall. It's also quite probable that a high-level service
running on the firewall, even if it doesn't affect other security services,
could provide a way to circumvent the security services of the firewall. And
lastly many services contain logon banners or automatically generated error
pages that identify the firewall product you are using. This could be dangerous
if hackers have found a weakness in your specific firewall. You want to make it
difficult to determine which operating system your firewall is
running.
You must also enforce a single point of control in your firewall
policy. If you have more than one firewall in your company (perhaps one firewall
attaching each remote office to the Internet), you need to make absolutely
certain they are all configured the same way. Enterprise firewall management
software features aid in this endeavor.
Comparing Firewall
Functionality
There is a common misconception among network
administrators that a firewall has to be based on the same operating system as
the network file servers Unix firewalls for Unix-based networks and NT firewalls
for Windows NT-based networks. In fact, there's no functional reason why the
operating system used by a firewall should be the same as that used by the
network, since (and only in very special circumstances) you'll never run any
other software on the firewall computer. In fact, these days, most firewalls
come as preconfigured computers running a completely proprietary operating
system.
All firewalls filter TCP/IP traffic, and in most cases you'll set
them up once and leave them to do their job, with minor tweaks as security
policies and work habits change in the organization. Some firewalls run
proprietary operating systems that aren't related to Unix or Windows at all;
they are just as appropriate on any network.
The second most important
factor in choosing a firewall operating system (after security, of course) is
familiarity the administrator should be familiar with the user interface and
know how to configure the firewall correctly. Most Windows-based firewalls are
easier to set up than Unix-based firewalls, but many Unix-based firewalls are
catching up by using Java or web-based graphical interfaces that run remotely on
the administrator's PC.
Some firewall vendors claim that their products
are superior to firewalls based on Windows or standard versions of Unix because
the products are based on a "hardened" implementation of the TCP/IP protocol
stack or a theoretically more secure operating system. They also claim that bugs
in Windows NT or Unix releases can be exploited to get past the firewall
software of their competitors. While this may be true, those vendors can't prove
that similar bugs don't exist in their own software. In fact, there's no
practical way to prove that complex code is bug free, and firewall vendors are
no more likely to get it absolutely right than are large vendors like Microsoft
or Sun.
One major advantage of using a widely available operating system
as the foundation of a firewall is that the code is put through its paces by
millions of users. Bugs are more likely to be found and corrected, and patches
are available far sooner and with greater regularity than is true for
proprietary products provided by smaller vendors who usually don't have the
programming resources to throw at problems as they arise. On the down side,
common operating systems are subject to far more hacking attempts than uncommon
ones; Windows bears the brunt of hacking attempts because it's the most common
operating system and because hackers hate Microsoft. For this reason, it's the
most often compromised operating system, although Unix (including Linux) isn't
theoretically any more secure.
Many firewall products that are based on a
standard operating system don't rely on the standard TCP/IP stack or
higher-level services that ship with the operating system; they implement their
own TCP/IP stack so that they can have absolute control over its operation. The
base operating system serves only as a platform for the firewall software,
providing functions like booting, multitasking, and user
interface.
Firewall products vary in the following
ways:
Security Some firewall products are fundamentally flawed
because they rely too heavily on the host operating system, because they contain
bugs that can be exploited, or because there is a flaw in the authentication
protocol used for remote authentication.
Interface Some firewalls are
very difficult to configure because you must administer them via Telnet or an
attached console and learn some cryptic command-line interface. Others use very
intuitive graphical interfaces that make configuration easy and obvious (well,
obvious to us geeks, anyway).
Enterprise Functionality Some firewalls are
fortresses unto themselves, while others use a centrally maintained security
policy that is replicated among all firewalls in the enterprise.
Security
Features Many firewalls offer important security features such as virtual
private networking and encrypted authentication to allow remote office
networking with a high degree of security. In many firewalls, VPN is an
extra-cost feature that must be enabled by purchasing an additional
license.
Service Features Some firewalls include services such as FTP,
Telnet, HTTP, and so forth so that you don't have to dedicate a machine to those
functions. These features can be convenient, but they're often somewhat obsolete
in functionality and can reduce the security of the firewall if they aren't
properly implemented. Also, many services reveal a copyright that tells hackers
exactly which firewall product you are using and allows them to target any
weaknesses it may have.
Your primary criterion for firewalls should be
security. The next most important feature is ease of use for you; you must be
able to correctly configure a firewall for it to work correctly. Flashy
features, performance, and services galore are tertiary considerations after the
key issues of security and ease of use.
What Problems cant do for
you
No network attached to the Internet can be made completely
secure. Firewalls are extremely effective and they will keep the hacking masses
at bay, but there are so many different ways to exploit network connections that
no method is entirely secure. Many administrators mistakenly assume that once
their firewall is online and shown to be effective, their security problem is
gone. That's simply not the case.
For example, let's say that the only
thing you allow through your firewall is e-mail. An employee gets a message from
a branch office asking him to e-mail a CAD file to them. So the employee looks
at the From address, verifies that it's correct, clicks reply, attaches the
file, and unknowingly sends the CAD file to the hackers who forged the e-mail
request because the Reply-to address isn't the same as the From address. Your
firewall can't realistically do anything about this type of exploitation because
many typical users have different From and Reply-to addresses for very valid
reasons, (like they send mail from multiple e-mail addresses but only want to
receive mail at linux exposed.
Another problem firewalls can't solve is
protection against protocols you decide to allow. For example, if you have a
Windows-based IIS public web server on your network, your firewall must forward
port 80 to it. Hackers can then attach to the web server as if they were typical
web browsers and then exploit the hundreds of known bugs in IIS to gain remote
administrative access to it. Once they have control of your web server, they're
"inside" your network, and can use that web server to proxy an attack to the
interior of your network, unless you have additional firewall policy preventing
it.
There is another serious threat to the security of your network:
hidden border crossings. Modems provide the ability for any user on your network
to dial out to their own Internet service provider and completely circumvent
your firewall. Modems are cheap and they come in most computers sold these days.
All modern client operating systems come with the software required for setting
up modems to connect to a dial-up Internet service provider. And it's a good bet
that most of your computer-savvy employees have their own dial-up networking
accounts they could use from work.
Most users don't understand that all
IP connections are a security risk. Modem PPP connections to the Internet are
bidirectional just like leased lines. And there's a good chance that their
client has file sharing turned on, so their computer can be exploited directly
from the Internet.
It's quite common for businesses with firewalls to
allow unrestricted file and print sharing among peers because it's an easy and
efficient way for users to transfer files. If one of those users is dialed into
the Net, it's also an easy and efficient way for hackers to transfer your files.
Remember that the AOL dialer provides PPP service, so it's not any more secure
than any other dial-up ISP.
Border Security Options
Once
you've got your firewall running on the border between your private network and
the Internet, you're going to run into a problem. How do you provide the public
services your customers need while securing your internal network from attack?
There is more than one answer to this question, and which one is right depends
entirely upon your security posture and the level of service you need to
provide.
Methods used by companies to protect their networks range from
the simple to the complex, the risky to the very secure. Such methods include
the following (in order of security risk from highest to lowest):
1.
Filtered packet services 2. Single firewall with internal public
servers 3. Single firewall with external public servers 4. Dual firewalls
or DMZ firewalls 5. Enterprise firewalls 6.
Disconnection
Filtered Packet Services
Most Internet
service providers provide packet filtering as a value-added service for
leased-line customers. For a small monthly charge (generally about $100), your
ISP will set up their firewall to filter traffic into and out of your network.
Some ISPs also offer proxy servers and NAT, but you may still be at risk from
security attacks by other customers served by that ISP. Remember that all
hackers have ISPs too.
There are a number of problems with filtered
firewall services:
Packet filters can be exploited more easily than
complete firewalls. Your security is in the hands of a third party. Their
motivations may not always coincide with yours, especially if a legal dispute
arises between your company and theirs. The responsibility for reliability isn't
controllable. · It's not in the best interest of the ISP to alert you that there
has been a compromise. · There's rarely any provision for alarming and alerting.
· Configuration is a difficult and error-prone administrative hassle.
Reconfiguration is also a pain in the neck if the ISP doesn't have a strong
customer support ethic.You are probably vulnerable to the ISP's other
subscribers, who are usually inside the same firewall.
Even if the
firewall service provided by an ISP were complete, it would still never be a
good idea to put the security of your network in the hands of another
organization. You don't know anything about your ISP's employees, and you don't
know what measures your ISP might take if for some reason a dispute arose
between your company and theirs. Add to that these simple facts: most people who
can hack do so at least occasionally and many good hackers work for the people
who can get them closest to the action.
Locally control and administer
all security services for your network. Don't put responsibility for the
security of your network in the hands of an external organization. Don't rely
solely on packet filters for security protection from the
Internet.
The Single-Firewall Approach
The simplest
complete border security solution is that of the single firewall. With one
firewall and one connection to the Internet, you have a single point of
management and control.
A single firewall with public servers exposed to
the Internet You have a problem if you intend to provide public services like an
FTP site or website, or if you want to operate a mail server. You must either
open a connection through your firewall to an internal host, or you must expose
your public server to the Internet without the protection of a firewall. Both
methods are risky.
The problem with putting public servers, like mail
servers, outside your firewall is that they are at risk for unrestricted
hacking. You can set these computers up so that they don't contain much useful
information, but hacking attempts could easily cause denial of service if your
servers are crashed, or at least cause embarrassment if hackers modify your web
pages.
The problem with opening a path through your firewall for
externally sourced connection attempts is that inappropriate packets could
potentially make their way onto your internal network if they look like packets
that conform to the rules used by your packet filter. It also means that a
hacker who manages to exploit a bug in high-level service software might gain
control of a computer inside your network a very dangerous situation. For this
reason, most organizations put public servers outside their firewalls and simply
do not allow any external connections in through the firewall.
Dual
Firewalls and Demilitarized Zones
You can reduce the risk of having
exposed public servers with two firewalls and two levels of firewall protection.
Basically, you put the first firewall at your Internet connection and secure
your web servers behind it. It provides strong security, but allows connection
attempts from the Internet for the services you want to provide.
Between
that network and your internal network, you place a second firewall with a
stronger security policy that simply does not allow external connection attempts
and hides the identity of internal clients.
Two firewalls acting in
concert to completely protect a network Most modern firewall products allow the
use of demilitarized zones (DMZ), which provide the functionality of having two
firewalls by having different security policies for each attached interface in
the firewall. With three interfaces external network, internal network, and
public server network you can customize your security policy to block connection
attempts to your internal network but pass certain protocols to your public
servers. This allows you the functionality of two firewalls using a single
product. This is sometimes referred to as a trihomed firewall.
Always use
a DMZ firewall or dual firewalls if you need to provide public services and
protect an interior network. Every different security policy requires its own
firewall or network interface.
Enterprise
Firewalls
Enterprise firewalls are those products that share a
single, centralized firewall policy among multiple firewalls. Enterprise
firewalls allow you to retain central control of security policy without having
to worry about whether or not the policy is correctly implemented on each of the
firewalls in your organization. The firewall policy is usually defined on a
security workstation, and then replicated to each firewall in your organization
using some means of secure authentication.
The most secure way to provide
service on the Internet and access for internal users is not to connect your
internal network to the Internet at all, but to have a separate network used
only for Internet-related services. This is called the disconnected security
model.
The disconnected security model provides the most protection from
Internet intrusion. This method is absolutely impenetrable from the Internet
because no connection exists between the internal and the external networks. The
public-access servers for web, FTP, and mail are located on a small network
segment that is attached to the Internet along with a few clients. The client
stations contain e-mail, news, and web browsers but no sensitive information.
Employees travel to the external clients to check their e-mail, browse the web,
or perform any other Internet-related task.
This model has three very
important benefits:
The private network is absolutely secure. Data
can't flow freely between the external and internal networks. You may consider
putting a high-capacity removable media drive on one of the clients to
facilitate large file transfers when necessary but this can be a security
problem!
It's free. It doesn't require esoteric software or sophisticated
hardware, and you can use outdated computers for the client stations.
It
provides a natural disincentive for employees to waste time surfing the web
randomly or downloading content that could cause legal liability
problems.
And of course, there is one very important detractor: Employees
hate it (and we love it). They have to travel to access stations, which are
typically located in one central area. Transferring files becomes problematic.
It can cause a work bottleneck if there aren't enough access stations. Many
employees simply won't use it, which reduces the efficiency of e-mail and other
such important business tools.
The disconnected security model provides
the greatest incentive for employees to blow off your security policy and dial
up the Internet with their modem. Make sure your security policy prevents that
and that your users understand why you've chosen this model.
In a
nutshell, disconnection is the most secure and the least efficient way to
connect your employees to the Internet.
Don't attach your network to
public networks if it can possibly be avoided. Use the disconnected network
model to provide Internet access to your users rather than to your network. Use
a web and FTP hosting service rather than computers on your own network to
provide your customers with information about your company. This puts the web
hosting agency at risk rather than your own network and allows you to provide no
public services.
Be first to comment this article
