Firewall

Lesson about firewalls, routers, ...

Inf503 vt -00

Firewall

Gruppmedlemmar: Aleksandra Petkovic, Edvard Boras,
Deniz Misirli,

Date: 6/3 2000

Introducktion

The term firewall has seen limited use since the late 1980s to describe a device to block unwanted network traffic while allowing other traffic to pass. The first published description of a "modern" firewall including use of that name was in 'Practical Unix Security' written in 1990 and published in 1991. The first description of a firewall, although not by that name, was also in 1990, in a paper by Bill Cheswick. A few of the industry pioneers tried to track down the etymology of the word as described in this context. They found several references from the mid-80's that used the word to describe a damage-limiting device. The earliest use they found that seems to correspond to a security device was by Steve Bellovin, in some email to Phil Karn, in 1987. But the context suggests that Phil knew what Steve meant, yet Steve doesn't think he invented it.

With the explosive growth of the Internet and computer networks in the last few years, and the large number of security problems associated with them, firewalls have had increasing popularity as a way of protecting systems from unauthorized access, either from the Internet or from other unrelated networks within the organization.Very significant is the threat that an intruder would penetrate a system connected to the Internet. This threat is significant for two reasons: network-connected system holds millions, billions, or more bytes of data; and the user of system attached to a LAN, one of whose hosts is connected to a wide area network, may be unaware of the threat to all stored data. Thus, protection of network-conected resources is very important.

Some people try to get real work done over the Internet, and others have sensitive or proprietary data they must protect. Usually, a firewall's purpose is to keep the jerks out of your network while still letting you get your job done. Many traditional-style corporations and data centers have computing security policies and practices that must be adhered to. In a case where a company's policies dictate how data must be protected, a firewall is very important, since it is the embodiment of the corporate policy. Frequently, the hardest part of hooking to the Internet, if you're a large company, is not justifying the expense or effort, but convincing management that it's safe to do so. A firewall provides not only real security - it often plays an important role as a security blanket for management. Lastly, a firewall can act as your corporate "ambassador" to the Internet. Many corporations use their firewall systems as a place to store public information about corporate products and services, files to download, bug-fixes, and so forth.

The simplest form of protection of sensitive resources is not to connect them to any system accessible from outside the organisation. s security perimetar. Physical isolations is totally effective against outside attack, but many users need, and more want, acces to the outside.

Ideally, we want a filter that will let through only desirable interactions. Two problems of controlling access are determining what constitutes desirable ( or not desirable) interaction, and permiting desirable interactions, blocking the others, and not interfering too severely with users. operations. The model is like a defansive medieval castle: these castles hed strong and solid walls with slits through which archers could shoot arrows.These slits were so narrow that it was almost impossible to shoot an arrow through it from the outside. This kind of computer defense is called a firewalls.

Figure9-30

As shown in Figure 9-30 peoople expect a firewall to be a solid brick wall protecting some computing resurces. In fact, a firewall is a brick wall through which people intentionally break holes, with the intention of carefully controlling what goes through the holes. Firewall policies must be realistic, and reflect the level of security in the entire network. For example, a site with top secret or classified data doesn't need a firewall at all: they shouldn't be hooking up to the Internet in the first place, or the systems with the really secret data should be isolated from the rest of the corporate network. Another thing a firewall can't really protect you against is traitors or idiots inside your network. While an industrial spy might export information through your firewall, he's just as likely to export it through a telephone, FAX machine, or floppy disk. Floppy disks are a far more likely means for information to leak from your organization than a firewall! Firewalls also cannot protect you against stupidity. Users who reveal sensitive information over the telephone are good targets for social engineering; an attacker may be able to break into your network by completely bypassing your firewall, if he can find a "helpful" employee inside who can be fooled into giving access to a modem pool.

What is a Firewall?

A firewall is a process that filters all traffic between a protected or "inside" network and a less trustworthy or "outside" network.The purposse of a firewall is to keep "bad" things outside a protected environment.Firewalls implement a security policy. The policy might be to prevent any access from outside ( while still allowing traffic to pass from the inside to the outside). Alternatively, it might be to permit access only from certain places, from certain users, or for certain activities. Part of the challenge of protecting a network with a firewall is determining the security policy that meets the needs of the installation.A firewall is a system or group of systems that enforces an access control policy between two networks. The actual means by which this is accomplished varies widely, but in principle, the firewall can be thought of as a pair of mechanisms: one which exists to block traffic, and the other which exists to permit traffic. Some firewalls place a greater emphasis on blocking traffic, while others emphasize permitting traffic. Probably the most important thing to recognize about a firewall is that it implements an access control policy. If you don't have a good idea what kind of access you want to permit or deny, or you simply permit someone or some product to configure a firewall based on what they or it think it should do, then they are making policy for your organization as a whole.

Design of Firewalls

A firewall is a special form of reference monitor. Three qualities of reference monitor are:Always invoked Tamperproof Small and simple enough for rigorous analysisBy careful positioning of a firewall within a network, we can ensure that all network access that we want to control must pass through it. This meets the always-invoked condition. A firewall is typically well isolated, making it highly immune to modification. Usually a firewall is implemented on a separate computer, with direct connections generally just to the outside and inside networks. This isolation is expected to meet the tamperproof requirement. And firewall designers strongly recommend keeping the functionality of the firewall simple.

What can a firewall protect against?

Some firewalls permit only Email traffic through them, thereby protecting the network against any attacks other than attacks against the Email service. Other firewalls provide less strict protections, and block services that are known to be problems. Generally, firewalls are configured to protect against unauthenticated interactive logins from the "outside" world. This, more than anything, helps prevent vandals from logging into machines on your network. More elaborate firewalls block traffic from the outside to the inside, but permit users on the inside to communicate freely with the outside. The firewall can protect you against any type of network-borne attack if you unplug it. Firewalls are also important since they can provide a single "choke point" where security and audit can be imposed. Unlike in a situation where a computer system is being attacked by someone dialing in with a modem, the firewall can act as an effective "phone tap" and tracing tool. Firewalls provide an important logging and auditing function; often they provide summaries to the administrator about what kinds and amount of traffic passed through it, how many attempts there were to break into it, etc.

What can't a firewall protect against?

Firewalls can't protect against attacks that don't go through the firewall. Many corporations that connect to the Internet are very concerned about proprietary data leaking out of the company through that route. Unfortunately for those concerned, a magnetic tape can just as effectively be used to export data. Many organizations that are terrified (at a management level) of Internet connections have no coherent policy about how dial-in access via modems should be protected. It's silly to build a 6-foot thick steel door when you live in a wooden house, but there are a lot of organizations out there buying expensive firewalls and neglecting the numerous other back-doors into their network.

Another thing a firewall can't really protect you against is traitors or idiots inside your network. While an industrial spy might export information through your firewall, he's just as likely to export it through a telephone, FAX machine, or floppy disk. Floppy disks are a far more likely means for information to leak from your organization than a firewall! Firewalls also cannot protect you against stupidity. Users who reveal sensitive information over the telephone are good targets for social engineering; an attacker may be able to break into your network by completely bypassing your firewall, if he can find a "helpful" employee inside who can be fooled into giving access to a modem pool.

Firewalls can't protect very well against things like viruses. There are too many ways of encoding binary files for transfer over networks, and too many different architectures and viruses to try to search for them all. In other words, a firewall cannot replace security- consciousness on the part of your users. In general, a firewall cannot protect against a data-driven attack -- attacks in which something is mailed or copied to an internal host where it is then executed. This form of attack has occurred in the past against various versions of sendmail and ghostscript, a freely-available PostScript viewer. Organizations that are deeply concerned about viruses should implement organization-wide virus control measures. Rather than trying to screen viruses out at the firewall, make sure that every vulnerable desktop has virus scanning software that is run when the machine is rebooted. Blanketing your network with virus scanning software will protect against viruses that come in via floppy disks, modems, and Internet. Trying to block viruses at the firewall will only protect against viruses from the Internet -- and the vast majority of viruses are caught via floppy disks.

Types of Firewalls

The term firewall is used rather loosely. Three different things are known as firewalls:

Screening routers
Proxy gateways
Guards

They all do different things; no one is necessarly right and the others wrong.

Screening Router

A screening router is the simplest and, in some situations, the most effective type of firewall;it is the basic component of most firewalls.

Screening Routers use packet filtering technology to route data between internal and external computers. The rule set used by the screening router is called the security policy. Because the computer systems on the Internet rely on the weak security built into the TCP/IP protocol to communicate, additional security is required to minimise the risk of access into private information. An example of one weakness in the TCP/IP protocol is that the address of a computer is a configurable option. A potential intruder can gain access into the internal network simply by configuring their system to appear to be a trusted internal system. This type of break-in is known as spoofing.The screening router and the firewall router by design are placed between the internal and external networks. This configuration while limiting the possible attack through a defined point on the network also puts an enormous pressure on the router solution. The router solutions can permit or deny an entire services like FTP(file transfer protocol) or Telnet but it does not have the ability to control specific operations within a service.

A screening router can be a commercial router or a host-based router with some kind of packet-filtering capability. Typical screeing routers have the ability to block traffic between networks or specific hosts, on an IP port level. Some firewalls consist of nothing more than a screening router.

Host tend not to be connected directly to a wide area neetwork; more ofen, hosts are connected to a router, which is a computer that, as its name implies, routes a communication toward its target. A router has the rather simple task of receiving each packet, consulting stored routing tables, and passing the packet to one of several physical ports that will get the packet to its destination as shown in Figure 9-31. A router usually works in both directions, passing packets both to the left and to the right in our figure. That is, the router takes packeets from the local network and dispatches them either to wide area network 1 or wide area network 2, as appropriate; it also receives packets from both wide area networks and passes ones with addresses in the local network to it.

For example, suppose an international company has three LANs, at three locations throughout the world, as shown in Figure 9-32. In this example, the router has two sides:

We say that the local LAN is on the inside of the router and the two connections to distant LANs through wide area networks are on the outside. The company might want communication only among the three LANs of the corporate network. They could use a screening router on the LAN at 100.24.4.0 to allow only communications destined to the host at 100.24.4.0, and allow out only communications addressed to address 144.27.5.3 or 192.19.33.0

Packet-level filtering operates at a very fine (detailed) level of granularity. A packet is a small subunit of communication, typically a few hundred bytes, and a router could pass many thousands of packets in a second. Thas, the screening rules have to be ones that the router can check and apply quickly, without significantly impeding the traffic flow. Also, a router is designed to look only at packet headeer information. Depending on the protocol, a header may contain source and destination addresses, protocol, source and destination ports, packet length, sequencing, priority, and error correction information, so these are the only kinds of conditions on which router can filter.

Screening routers can perform the very important service of ensuring the validity of inside addresses. Inside hosts typically trust other inside hosts for all the reasons described as characteristics of LANs. But the only way an inside hosst has to distinguish another inside host is the address shown in the source field of a message. Source addresses in packets can be forged, so that an inside application might think it was communicating with another host on the inside, instead of an outside forger. A router sits between the inside network and the outside net, so it can know whether a packet from the outside is forging an inside address, as shown in Figure 9-33.

A screening router might be configured to block all packets from the outside that claimed their source address was an inside address. In this example, the router blocks all packets claiming to come from any address of the form 100.50.25.x ( but ,of course, it permits in any packets with destination 100.50.25.x).

Guards

A Guard is just a more sophisticated Proxy Gateway. In other words it�s a Proxy Gateway that have more functions than just mirroring of inside and outside traffic.

two examples where you�ll need a Guard:

A school wants it�s students to be able to acces the WWW but, because of the slow speed of it�s connection to the web, it will allow only so many characters per downloaded image (that is, allowing text mode and simple graphics, but disallowing complex graphics, animations, music, or the like).

A company wants to allow its employees to fetch files via FTP. However, in order to prevent introduction of viruses, it will pass all incoming files through a virus scanner. Even though many of these files will be nonexecutable text or graphics, the company administrator thinks that the expense of scanning those (which would pass) will be negligible.

Comparison chart

Screening Router	Proxy gateway	Guard
Simplest	Somewhat complex	Most complex
Sees only addresses and service protocol type	Sees full text of communication	Sees full text of communication
Auditing difficult	Can audit activity	Can audit activity
Screens based on connection rules	Screens based on behavior of proxies	Screens based on interpretation of message content
Complex addressing rules can make configuration tricky	Simple proxies can substitute for complex addressing rules	Complex guard functionality can limit assurance

"If a purchased firewall will do 80 percent of what you need, then you can not justify building your own firewall."

It is estimated that 2/3 of the cost is for software and training and 1/3 is assigned to the hardware. Another estimate is that maintenance cost is 12 % percent of the software price.

Firewall Software:

SOCKS
Karlbridge
Screend
TIS Firewall Toolkit

Toolkits used when building firewalls.

For a Firewall to function properly:

Properly configured

Standard thumbrule is to deny all data except the one explicitly permitted, instead of the other: permit all data except the one explicitly forbidden.

Maintained

Even though a firewall is able to get the work done by itself it is important to maintain the software / hardware. The software should be updated when available.

Specified level of security

A firewall will only do what it is built and configured for, nothing else. The firewall is not an intelligent guardian, it only do what you tell it to.

Never think it is unbreachable

A system can always be breached, no matter how secure you think it is. It is important to include that way of thinking in the organisation.

Updated on system changes

Upon organisational changes the firewall configuration should be updated or changed.

Inherent weakness in firewalls:

Once a firewall is successfully breached the whole system is available. "all-or-nothing"

Unless there is another firewall behind the first firewall. "Defense in depth"

Often taken for granted.

As before, the firewall is not intelligent but does what you tell it to, hopefully.

Only minor control over the content on the inside.

The purpose of the firewall is to control traffic betwwen the inside and the outside. If a computer on the inside is connected to a modem the function of the firewall is more or less rendered useless.

Solution:

Several firewalls in tandem "Defense In Depth"

Every company LAN or department could have it. s own firewall or several firewall configurations depending on the wanted security.

General criteria:

NIST 800-10 (National Institute of Standards and Technology)

Deny services except those explicitly permitted.
Support your policy, not impose one.

A firewall shouldn. t be a burden to the company, it should be a helpful tool.

Flexibility toward new services and policies is important.

As with any system it has to be flexible for changes.

If the firewall uses an operating system, it must be secure.

A chain is never stronger than it. s weakest link.

Ease of configuration.

The configuration possibilities has to be easy to understand, easy to change and easy to overview.

Ease of management.

Same as the above.