|
|
Corporate networks are built assuming certain levels of trust in how the information passing through them is accessed and used. When they're hooked into public networks, like the Internet, a safer -- and more intelligent route -- leads security administrators to trust no one on the outside.
In this page, we will examine fire wall that protects network and system vulnerabilities on systems attached to the Internet, as well as for private networks.
To help answer any questions you may have about where fire wall is needed and used, this on line tutorial will explain security technologies used to defend against attacks initiated from both within and without an organization. The on line tutorial will examine the pieces of the security puzzle to see how to best fit them together for effective defenses and coverage. In the page, we'll explore several security methods that are used wherever the Internet and corporate networks intersect. These include the uses of:
Figure 1 illustrates the basic design for a secure network infrastructure. As you see, the infrastructure relies upon layers of devices that serve specific purposes, and provide multiple barriers of security that protect, detect, and respond to network attacks, often in real time.
A router is a network traffic-managing device that sits in between sub-networks and routes traffic intended for, or emanating from, the segments to which it's attached. Naturally, this makes them sensible places to implement packet filtering rules, based on your security polices that you've already developed for the routing of network traffic.
Straight Packet Filtering mechanisms allow communication originating from one side or the other. To enable two-way traffic, you must specify a rule for each direction. Packet filtering firewalls identify and control traffic by examining the source, destination and port
A firewall insulates a private network from a public network using carefully established controls on the types of request they will route through to the private network for processing and fulfillment. For example, an HTTP request for a public Web page will be honored, whereas an FTP request to a host behind the firewall may be dishonored. Firewalls typically run monitoring software to detect and thwart external attacks on the site, and are needed to protect internal corporate networks. Firewalls appear primarily in two flavors; application level gateways and proxy servers. Other uses of firewalls include technologies such as Virtual Private Networks that use the Internet to tunnel private traffic without the fear of exposure
A slightly more specific definition of a firewall comes from William Cheswick and Steven Bellovin, two engineers with AT&T who wrote the classic Firewalls and Internet Security (Addison Wesley, 1994). They based the book on their experience developing a firewall to protect AT&T connections to the Internet. Cheswick and Bellovin define a firewall as a collection of components or a system placed between two networks and possessing the following properties:
* All traffic from inside to outside, and vice-versa, must pass through it;
* Only authorized traffic, as defined by the local security policy, is allowed
to pass through it; and
* The system itself is highly resistant to penetration.
Put simply, a firewall is a mechanism used to protect a trusted network from an untrusted network, usually while still allowing traffic between the two. Typically, the two networks in question are an organization's internal (trusted) network and the (untrusted) Internet. However, nothing in the definition of a firewall ties the concept to the Internet. We traditionally define the Internet as the worldwide network of networks that uses TCP/IP for communications. We define an internet as any connected set of networks. Although many firewalls are currently deployed between the Internet and internal networks, there are good reasons for using firewalls in any internet, or intranet, such as a company's WAN. There will be more about this use of firewalls later in this chapter.
Another approach to firewalls views them as both policy and the implementation of that policy in terms of network configuration. Physically, a firewall comprises one or more host systems and routers, plus other security measures such as advanced authentication in place of static passwords. As shown in Figure 1.1, a firewall may consist of several different components, including filters, or screens, that block transmission of certain classes of traffic, and a gateway, which is a machine or set of machines relaying services between the internal and external networks by means of proxy applications. The intermediate area occupied by the gateway we often refer to as the demilitarized zone (DMZ). These terms will all be explained in more detail, starting with traffic.
When we say that all traffic from inside to outside and vice-versa, must pass through a firewall, we refer to data transported by the TCP/IP protocol suite. Figure 1.2 illustrates a diagram of TCP/IP, showing the way the protocol is layered and the manner in which addresses are used. To control TCP/IP traffic, one must gain a solid understanding of how it is structured.
A protocol is a formal description of messages to be exchanged and rules to be followed in order for two or more systems to exchange information in a manner that both parties will understand . The TCP/IP protocol suite, officially referred to as the Internet Protocol Suite in Internet standards documents, gets its name from its two most important protocols, TCP and IP. Network applications present data to TCP, the Transmission Control Protocol. TCP divides the data into chunks, called packets, and gives each one a number. These packets could represent text, graphics, sound or video--anything digital that the network can transmit. The sequence numbers help to ensure that the packets can be reassembled correctly at the receiving end. Thus, each packet consists of content, or data, and the information that the protocol needs to do its work, called the protocol header.
TCP then presents the data to the Internet Protocol, or IP, the purpose of which is to provide basic host-to-host communication. IP attaches to the packet, in a protocol header, the address from which the data comes and the address of the system to which it is going. IP is technically referred to as an unreliable datagram service. In this context, the rather alarming term "unreliable" simply means that upper-level protocols should not depend upon IP to deliver the packet every time. IP always does its best to make the delivery to the requested destination host, but if it fails for any reason, it just drops the packet.
This is where the higher-level protocol, TCP, comes in. TCP uses the sequence numbers to reassemble the packets in the right order and request re-transmission of any packets that got lost along the way. It can do this even if some of the packets take different routes to reach their destination, which makes the combination of TCP/IP a very reliable protocol.
TCP uses another piece of information to make ensure that the data reaches the right application when it arrives at a system. This is the port number, lying within the range 1 to 65535. The number does not represent a physical port, like the serial port to which a modem or mouse might be attached, but is more like a regional memory address. Ports 1 to 1,023 are reserved for server applications, although servers can use higher port numbers as well. Higher port numbers are dynamically assigned to client applications as needed. Some applications use standard port numbers; for example, an FTP program will connect to port 21 on the FTP server. Thus, data to be transmitted by TCP/IP has a port from which it is coming and a port to which it is going, plus an IP source and destination address. Firewalls can use these addresses to control the flow of information.
For more about TCP/IP basics, I recommend Intranet and Internet Firewall Strategies by Edward Amoroso and Ronald Sharp, (Ziff Davis Press, 1996). Like Cheswick and Bellovin, Amoroso and Sharp were engineers at AT&T Labs, but whereas Cheswick and Bellovin developed a firewall to protect AT&T from the outside, Amoroso and Sharp developed a trademarked internal firewall, called CWTG or Computer Watch Trusted Gateway. For more advanced reading on TCP/IP we recommend TCP/IP Tutorial and Technical Overview, (5th Edition, Prentice Hall, 1995) by Eamon Murphy, Steve Hayes and Matthias Enders, a trio of IBM engineers.
When TCP/IP sends data packets on their merry way, the packets seldom go straight from the host system that generated them to the client that requested them. Along the way they normally pass through one or more routers. In this, TCP/IP transmissions differ from LAN communications, which broadcast over a shared wire.
To look at how TCP/IP routes packets, and how this allows sites to filter for security, let us first examine old-fashioned LAN communications. Suppose five PCs reside on a LAN. If PC #2 wants to send some data to PC #4, it shouts out over the network and hopes that PC #4 hears it. The other three systems on the same wire will also hear the same data. This is true of both Ethernet and Token Ring, the two most widely used LAN protocols. This method of communication, in which a number of computers share the same wiring, increases efficiency, limits distance and scope. It also limits the number of computers that can talk on the same wire.
Early efforts to enable computers to communicate with each other over long distances used telephone lines and switches to connect calls from one specific computer to another in a remote location (the X.25 protocol was developed for this). A connection between two computers might pass through several switches until it reached its final destination. When LANs emerged it made sense for all the computers on one LAN to have access to the machine that had access to the remote connection, thus creating a WAN. LAN protocols, however, were incompatible with X.25, and the machine hosting the connection to the WAN tended to get overworked.
Next came a special type of switch called a router, which could take over the work of making external connections, and could also convert LAN protocols, specifically IP, into WAN protocols. Routers have since evolved into specialized computers. The typical router is about the same size as a VCR, although smaller models and rackmounted units for major interconnections have entered the market.
Basically, routers look at the address information in TCP/IP packets and direct them accordingly. Data packets transmitted over the Internet from the Web browser on a PC in Florida to a Web server in Pennsylvania will pass through numerous routers along the way, each of which makes decisions about where to direct the traffic. Figure 1.3 shows the traceroute program in action, listing the path the data takes.
Suppose the Web browser is on a PC on a LAN with a PPP connection to an Internet Service Provider (ISP). A router, or a computer acting as a router, will likely direct the packets out from the LAN to the ISP. Routers at the ISP will send the data to a backbone provider, which will route it, often in several hops, to the ISP that serves the machine that hosts the Web site.
Routers make their routing decisions based on tables of data and rules. It is possible to manipulate these rules by means of filters so that, for example, only data from certain addresses may pass through the router. In effect, this turns a router that can filter packets into an access-control device, or firewall. If the router can generate activity logs, this further enhances its value as a security device. We will discuss how this works in more detail in the next chapter.
Internet firewalls are often referred to as secure Internet gateways. Like the gates in a medieval walled city, they control access to and from the network.
In firewall parlance, a gateway is a computer that provides relay services between two networks. A firewall may consist of little more than a filtering router as the controlled gateway. Traffic goes to the gateway instead of directly entering the connected network. The gateway machine then passes the data, in accordance with access-control policy, through a filter, to the other network or to another gateway machine connected to the other network.
In some configurations, called dual-homed gateways, one computer containing two network connectors acts as the gateway. Alternatively, a pair of machines can create a miniature network referred to as the DMZ (see Figure 1.4). Typically, the two gateways will have more open communication through the inside filter than the outside gateway has to other internal hosts. The outside filter can be used to protect the gateway from attack, while the inside gateway is used to guard against the consequences of a compromised gateway [Ches94].
By concentrating access control, firewalls become a focal point for the enforcement of security policy. Some firewalls take advantage of this to provide additional security services, including traffic encryption and decryption. In order to communicate in encryption mode, the sending and receiving firewalls must use compatible encrypting systems. Current standards efforts in encryption and key management have begun to allow different manufacturers' firewalls to communicate securely, but these efforts have a ways to go before the customer can assume compatibility. Firewall-to-firewall encryption is thus used for secure communication over the public Internet between known entities with prior arrangement, rather than for any-to-any connections. Nevertheless it is a powerful feature, enabling the creation of virtual private networks (VPN) as a lower-cost alternative to a leased line or a value-added network (VAN).
Verifying the authenticity of system users is another important part of network security, and firewalls can perform sophisticated authentication, using smart cards, tokens and other methods. Firewalls can also protect other external network connections, such as remote dial-in. A company can apply the same traffic-restricting protections, enhanced by authentication.
While the phenomenal growth of Internet connections has understandably focused attention on Internet firewalls, modern business practices continue to underscore the importance of internal firewalls. Mergers, acquisitions, reorganizations, joint ventures and strategic partnerships all place additional strains on security as the scope of the network's reach expands. Someone outside the organization may suddenly need access to some, but not all, internal information. Multiple networks designed by different people, according to different rules, must somehow trust each other. In these circumstances, firewalls play an important role in enforcing access-control policies between networks and protecting trusted networks from those that are untrusted.
Consider a manufacturing company that has, over time, developed separate networks within the sales, marketing, payroll, accounting and production departments. Although users in one department may wish to access certain other networks, it is probably unnecessary and undesirable for all users to have access to all networks. Consequently, when connecting the networks, the organization may choose to limit the connection, either with packet-filtering routers or with a more complex firewall.
In a WAN that must offer any-to-any connectivity, other forms of application-level security can protect sensitive data. However, segregating the networks by means of firewalls greatly reduces many of the risks involved; in particular, firewalls can reduce the threat of internal hacking--that is, unauthorized access by authorized users, a problem that consistently outranks external hacking in information-security surveys. By adding encryption to the services performed by the firewall, a site can create very secure firewall-to-firewall connections. This even enables wide-area networking between remote locations over the Internet. By using authentication mechanisms on the firewall, it is possible to gain a higher level of confidence that persons outside the firewall who request data from inside the firewall--for example, salespersons on the road needing access to an inventory database--are indeed who they claim to be.
Diagrams of the various configurations of filters and gateways help when planning a firewall defense, but the system administrator must not lose sight of the broader definition of a firewall as an implementation of security policy. A firewall is an approach to security; it helps implement a larger security policy that defines the services and access to be permitted. In other words, a firewall is both policy and the implementation of that policy in terms of network configuration, host systems and routers, as well as other security measures such as advanced authentication in place of static passwords.
Two levels of network policy directly influence the design, installation and use of a firewall system. Network service access policy is a higher-level, issue-specific policy that defines those services to be allowed or explicitly denied from the restricted network. This policy also proscribes the way in which these services will be used, and the conditions for exceptions to this policy. Firewall design policy is a lower-level policy that describes how the firewall will actually go about restricting the access and filtering the services as defined in the network service access policy. We will examine both levels of policy in the following sections.
While focusing on the restriction and use of internetwork services, the network service access policy should also include all other outside network access, including dial-in and SLIP/PPP connections. After all, restrictions upon one type of network service access can often lead users to try others, so those other points of entry must also contain equal protections. For example, if restricting access to the Internet via a firewall prevents users from browsing the Web, some will likely create dial-up PPP connections in order to obtain this service. These non-sanctioned, ad hoc connections are likely to be improperly secured, opening the network to attack.
Network service access policy should stand as an extension of a strong site-security policy and an overall policy regarding the protection of information resources in the organization. This includes everything from document shredders to virus scanners, remote access to removable media tracking.
Typically, a firewall implements one of two general network service access policies: either allowing access to the Internet from the site but allowing no access to the site from the Internet; or allowing some access from the Internet, but only to selected systems such as information servers and e-mail servers. Some firewalls also implement network service access policies that allow certain users access from the Internet to selected internal hosts, but only if necessary and only when combined with advanced authentication.
At the highest level, the overall organizational policy might state the following principles:
Below this statement of principles come site-specific policies covering physical access to the property, general access to information systems and specific access to services on those systems. The firewall's network service access policy is formulated at this level.
For a firewall to function as the company desires, the network service access policy should exist prior to the implementation of the firewall. The policy must be realistic and sound. A realistic policy provides a balance between protecting the network from known risks on the one hand and providing users reasonable access to network resources on the other. If a firewall system denies or restricts services, only a strong network service access policy will prevent the firewall's access controls from being modified or circumvented on an ad hoc basis. A sound, management-backed policy can provide this defense against user resistance.
The firewall design policy is specific to the firewall and defines the rules used to implement the network service access policy. The company must design the policy in relation to, and with full awareness of, issues such as the firewall's capabilities and limitations, and the threats and vulnerabilities associated with TCP/IP. As mentioned earlier, firewalls generally implement one of two basic design policies:
Firewalls that implement the first policy (the permissive approach) allow all services to pass into the site by default, with the exception of those services that the service-access policy has identified as disallowed. Firewalls that implement the second policy (the restrictive approach) deny all services by default, but then pass those services that have been identified as allowed. This restrictive second policy follows the classic access model used in all areas of information security.
The permissive first policy is less desirable, since it offers more avenues for circumventing the firewall. With this approach, users could access new services not currently addressed by the policy. For example, they could run denied services at non-standard TCP/UDP ports that are not specifically mentioned by the policy.
This is where firewall design comes in. Certain firewalls can implement either a permissive or a restrictive design policy. A company can also choose to locate those systems requiring services that should not be passed through the firewall on screened subnets, separated from other site systems. Some use this approach for Web servers, which are partially shielded by packet filtering but are not sheltered behind the firewall. (If the Web server calls information from, or feeds data to, internal database systems, then that connection between the Web server and the internal machines should be well protected.)
All the types of firewalls are functionally equivalent. The type of mechanism used determines the granularity of the firewall: how much security work it can accomplish. Packet filters are least granular. Application gateway firewalls are the most granular. A Packet Inspection firewall can be made almost as granular as an application gateway firewall.
However, just because a particular product is characterized as a particular type of firewall does not mean that it does all of the security processing possible with that kind of firewall.
If you have question about this page send me E-mail to
Young-Seock Cha