Once a security strategy and network security policy have been decided, a means of implementation is required. The generic term "Firewall" is increasingly being used to describe the combination of hardware, software and management activities that are used to effect the policy.
Internet firewalls are a means of protecting networks by implementing access control to and from the Internet. In practice this is achieved by controlling the means of communication between the two networks, the TCP/IP suite of protocols. [Wack95] describes a Firewall as an approach to security. He uses the term Firewall to mean the strategies and policies and the term Firewall System to refer to the hardware and software elements that implement the policy.
[Chap95] notes that in practice an Internet firewall is more like a moat around a castle than a firewall in a modern building.(1)
A Firewall System is a collection of components that is placed between two networks and possesses the following properties:
In other words a Firewall System is a mechanism used to protect a trusted network whilst it is connected to an untrusted network.
Typically, the two networks in question are an organisation's internal network (trusted) and the Internet (untrusted). But there is nothing in the definition of a firewall that ties the concept to the Internet. Although the majority of firewalls are currently deployed between the Internet and internal networks, there are good reasons for using firewalls when connecting any trusted network with a less trusted network, be it internal or external.
A firewall can enforce security policy. The firewall is the means by which the network access security policy is implemented. Internet services considered to be insecure can be restricted and access to or from certain hosts can be restricted.
A firewall can log activity effectively.
A firewall can limit your exposure to the untrusted network by controlling/restricting access to/from it to the level defined in the security policy. This includes controlling what users use the Internet for.
A firewall can be a focus for security decisions - a choke point. All traffic to or from the Internet must pass through it. By focusing defences on this point they can reduce internal system security overhead since they allow an organisation to concentrate security efforts on a limited number of machines.
Whilst firewalls provide good protection at the lower levels of the TCP/IP model, they provide almost no protection against higher level protocols [Ches94].
[Ches94] notes that any data that is passed by the firewall still has the potential to cause problems which, were these to be exploited deliberately, would be labelled as denial of service or data driven attacks. For example, a firewall offers no protection against viruses contained in files transferred via ftp or as a MIME attachment to an e-mail message(2).
A firewall can't protect against malicious insiders. A firewall cannot differentiate between hosts on the same side of a network therefore any Internet Host can spoof any other Internet Host and any internal host can spoof any other internal host.
A firewall can't protect against connections that don't go through it (i.e. backdoors). Firewalls can restrict the access to certain facilities and users will sometimes bypass the firewall to gain access to those facilities. A good example would be a firewall that didn't allow access to the World Wide Web. Users on that network may establish point to point connections with an Internet service provider over a normal telephone line and introduce Internet connectivity behind the firewall. This type of threat can only be addressed by management procedures which are embodied in the organisation's security policies.
A firewall can't protect against completely new threats if the security strategy is different from "deny everything unless specifically permitted." Again this is dealt with within the security policy by basing it on just such a strategy.
A packet filtering system selectively routes packets between internal and external hosts according to rules that reflect the organisation's network security policy. Packet filtering may occur in a router, in a bridge, or on an individual host and operates at the network layer.
Screening Router
The type of router used in a packet filtering firewall is called a screening router(3) [Chap95]. It is configured with rules to block or filter protocols and addresses and is installed at the external network gateway. Internal users usually have direct access to the Internet while all or most access to site systems from the Internet is blocked. However, the router could allow selective access to systems and services, depending on the policy. Inherently dangerous services such as NIS, NFS, and X Windows are usually blocked [Chap95].
The screening router passes or rejects an IP packet based on information contained in the packet's header. The main information used is:
IP Source and Destination Address - By filtering packets on the IP source and destination address the screening router is able to effectively block access to or from any site or host that is not trusted.
TCP or UDP source and destination port - The screening router makes use of the TCP "well known ports" to permit, deny, or re-route access to particular Internet services. For example many firewalls block all inward traffic except for email by rejecting all externally sourced packets bound for any port other than port 25, the Simple Mail Transfer Protocol port. The screening router can also route all World Wide Web traffic (port 80) to a particular host.
A screening router is also able to base routing decisions on information not found in the packet header, for example the source and destination interfaces.
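The header-based decision described above, as an added example that is not part of the original page: a first-match rule table with a default of deny, covering address, port and arrival-interface checks. The addresses, the rule set and the ACK-bit rule for return traffic are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:              # the fields a screening router inspects
    iface: str             # arrival interface: "ext" or "int"
    proto: str             # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False      # TCP ACK bit: set on every packet except the opening SYN

@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    iface: str = "*"
    proto: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: range = range(0, 65536)
    ack_only: bool = False

    def matches(self, p):
        return (self.iface in ("*", p.iface)
                and self.proto in ("*", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and p.dport in self.dport
                and (p.ack or not self.ack_only))

INTERNAL = "192.0.2.0/24"      # constructed: trusted network
MAILHOST = "192.0.2.25/32"     # constructed: internal SMTP host
RULES = [
    # 1. Interface check: an internal source address must never arrive from outside
    Rule("deny", iface="ext", src=INTERNAL),
    # 2. Inbound mail only: external hosts may reach port 25 on the mail host
    Rule("permit", iface="ext", proto="tcp", dst=MAILHOST, dport=range(25, 26)),
    # 3. Replies to outbound TCP connections: ACK set, unprivileged destination port
    Rule("permit", iface="ext", proto="tcp", dst=INTERNAL,
         dport=range(1024, 65536), ack_only=True),
    # 4. Internal users have direct access to the Internet
    Rule("permit", iface="int", src=INTERNAL),
]

def filter_packet(p, rules=RULES):
    # First matching rule wins; returns (action, rule number), rule 0 = no match.
    for n, rule in enumerate(rules, 1):
        if rule.matches(p):
            return rule.action, n
    return "deny", 0           # deny everything unless specifically permitted
```

Rule order matters: the interface check sits first so that a forged internal source address is rejected before the port 25 rule can match it.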
A packet filtering router can implement either of the design policies discussed earlier(4); however, it suffers a number of disadvantages:
These disadvantages become magnified as the security needs of a protected site become more complex and stringent. Screening routers alone are therefore considered to be inadequate for effective security(5) [Ches92, Ches92, Ranu93, Ches94, Chap95] and several firewall architectures, such as the screened host and screened subnet, have evolved to overcome these limitations. These provide additional security in packet filtering firewall implementations by utilising additional routers, hosts and perimeter networks. Before examining these architectures it will be useful to examine application level gateways, the means by which control of network traffic is extended from the network and transport layers to the application layer.
Application level gateways are specialised application or server programs that run on a firewall host. These programs provide a safety barrier between the internal user and the Internet. Instead of connecting to the Internet directly with, say, a World Wide Web browser, the internal user connects to the application level gateway instead. The application level gateway then establishes the connection with the required world wide web server on the Internet and acts as a go-between for the session.
Application gateways operate at the application layer and can therefore provide access controls at the application protocol level(6) and can handle store and forward as well as interactive traffic [Siya95] [Chap95].
The main disadvantage of application level gateways is that they require special purpose code to provide each service that is relayed. However, this means that they therefore implement a policy of "deny everything unless explicitly permitted" by default, which is often advantageous from a security perspective.
Application level proxies understand the application protocol and are therefore able to control the session based on the operations being requested. For example an application level proxy is able to block FTP PUT commands whilst permitting FTP GET commands.
The custom application acts as a "proxy" between the client and the server(7). Because all data between the client and the server is routed through the application proxy it is able to both control the session and provide detailed logging. This ability to log and control all incoming and outgoing traffic is one of the main advantages of application level gateways.
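The FTP case described above, as an added example that is not part of the original page: the control-channel policy of an application level proxy that forwards GET (the RETR command on the wire), refuses PUT (STOR, STOU, APPE), denies anything not explicitly permitted, and logs every decision. The permitted command list, reply texts, client address and sample session are assumptions constructed for illustration.

```python
import logging

log = logging.getLogger("ftp-proxy")

# Deny everything unless explicitly permitted (FTP command names as in RFC 959).
PERMITTED = {"USER", "PASS", "CWD", "PWD", "TYPE", "PASV", "LIST", "RETR", "QUIT"}
# Upload commands, named separately only so the log states why they were refused.
UPLOADS = {"STOR", "STOU", "APPE"}

def parse_command(line: bytes):
    """Split one control-channel line into (VERB, argument)."""
    text = line.rstrip(b"\r\n").decode("ascii", errors="replace")
    verb, _, arg = text.partition(" ")
    return verb.upper(), arg          # FTP verbs are case-insensitive

def relay_decision(client: str, line: bytes):
    """Return (forward, reply): pass the line to the server, or answer the client."""
    if len(line) > 512 or not line.endswith(b"\r\n"):
        log.warning("%s malformed command line rejected", client)
        return False, b"500 Syntax error.\r\n"
    verb, arg = parse_command(line)
    shown = "****" if verb == "PASS" else arg     # keep passwords out of the log
    if verb in PERMITTED:
        log.info("%s permit %s %s", client, verb, shown)
        return True, None
    reason = "upload blocked by policy" if verb in UPLOADS else "command not permitted"
    log.warning("%s deny %s %s (%s)", client, verb, shown, reason)
    return False, b"550 Permission denied.\r\n"

def filter_session(client: str, lines):
    """Run a whole control-channel session through the policy; return lines to forward."""
    return [ln for ln in lines if relay_decision(client, ln)[0]]

# Constructed sample session from an internal client.
SESSION = [b"USER anonymous\r\n", b"PASS guest@example.org\r\n",
           b"RETR report.txt\r\n", b"STOR payload.bin\r\n",
           b"SITE EXEC ls\r\n", b"QUIT\r\n"]
```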
Circuit Level Gateway
Another type of application level gateway is called the circuit level gateway [Ches94]. Circuit-level proxies do not interpret the application protocols but they authenticate the user before establishing the circuits. They relay packets between the two communicating end-points but are not able to do any additional processing or filtering based on the protocol.
The advantage of circuit level gateways is that they provide services for a wide range of different protocols; however, they require special client software that has had system calls replaced with secure equivalents from a library such as Socks [Kobl92]. This re-introduces the problem that host based security does not scale well. As the size of the network increases the task of managing secure clients becomes increasingly time consuming and prone to error.
In general application level proxies use modified procedures and circuit level gateways use modified clients(8) [Chap95].
The packet filtering technologies that are used in screening routers provide an efficient and general way to control network traffic. They have the advantage that no changes are required to host or client applications because they operate at the transport and network layers. Application level gateways extend control of network traffic to the application layer, and have the advantage that because they can understand the application protocol they can implement a finer degree of control and provide detailed logs.
Firewalls bring these components together to provide extremely effective network based security control. To illustrate this, several "standard" Internet firewall architectures or configurations are presented.
The simplest firewall architecture utilises a dual homed host. A dual-homed host is a computer that has separate network connections to two networks, as illustrated in figure 3. Such a host could act as a router between the two networks; however, this routing function is disabled when dual-homed hosts are used in firewall architectures.
Because the routing function is disabled the host isolates the two networks from each other whilst retaining the ability to see traffic on both networks. Systems inside the internal network can communicate with the dual homed host via one network interface, and systems on the Internet via the other; however, these systems cannot communicate with each other directly.
In a dual homed host architecture the dual homed host itself is critical to the network's security. Such hosts are often referred to as Bastion Hosts in the firewall literature [Ches94, Wack95, Stall95, Siya95].
A dual homed host can only provide services by proxying them(9). Where proxies are not available a screened host or screened subnet architecture provides extra options for providing new and/or untrusted services.
In this architecture, illustrated in figure 4, the primary security is provided by packet filtering and a bastion host sits on the internal network providing the required application.
The screening router's packet filtering rules are configured such that the bastion host is the only host accessible from the Internet. Connections to the Internet may be routed through an application proxy on the bastion host, or in some cases, allowed directly through the screening router, depending on the network security policy.
[Stall95] and [Siya95] argue that the screened host architecture adds an additional layer of security to the dual homed host architecture, as an attacker has to first bypass the screening router, and then the bastion host. [Wack95] on the other hand argues that the screened host architecture, whilst more flexible than the dual homed host architecture, is less secure because the screening router is allowed to pass certain "trusted" services around the bastion host. Noting that the screened host architecture may, at first sight, appear to be less secure than the dual homed host architecture, [Chap95] states that this is misleading as the dual homed host itself may fail in some unexpected way, and that the two are therefore as secure as each other in practice.
However [Wack95]'s argument still holds - the additional flexibility afforded in the screened host architecture is provided at some cost to security.
With both the dual homed host and screened host architectures, the trusted network is vulnerable if the bastion host is compromised. The impact of the bastion host being compromised can be reduced by isolating it on a perimeter network(10). The simplest way to provide a perimeter network is to add an additional screening router to the screened host architecture. This architecture, illustrated in figure 5, is called the screened subnet architecture. The bastion host is then located on the perimeter network between the two screening routers.
An attacker that successfully compromises the bastion host now will only be able to access the perimeter net. The trusted network is still protected by the internal screening router. Whilst the attacker will be able to use packet sniffer software on the perimeter network, he will not be able to collect passwords for, or to examine sensitive files on, the trusted network unless these are passed via the DMZ, which is itself a security weakness.
The main components of firewalls have been presented, and the main firewall architectures have been examined. There are many variations of these architectures, for example providing internal and external demilitarised zones. These are discussed at some length in the literature. [Chap95] and [Siya95] both provide considerably more detail about additional architectures, and about configuring and implementing those discussed here.
(1) The Firewall literature is full of references to dragons, castles and other medieval lore. Two protagonists are largely responsible for this:
Steven M. Bellovin, a computer security researcher with AT&T titled his 1992 paper "There be dragons" [Bell932] and used several dialogues from J.R.R. Tolkien's Lord of the Rings and The Hobbit about the existence of, and dangers posed by, live dragons.
Marcus J Ranum who developed the first commercial application gateway or proxy server popularised the term Bastion Host referring to the extra defences (Bastions) that medieval castles had to protect them from intruders [Chap95].
Alluding to medieval castles and battles with dragons has had an interesting effect on the press, who are able to present stories of computer networks being attacked and damaged as a latter day struggle between romanticised forces of Good and Evil.
(2) In the case of viruses contained in e-mail one solution is to check all incoming mail with anti-virus software. Such software can generally now examine compressed or encoded files and will quarantine any messages that contain viruses or that it is not able to confirm do not contain a virus. The broader point still remains, however, that if an application is poorly implemented the firewall will offer no protection from the consequences [Ches94].
(3) An ordinary router uses each packet's IP destination address to determine whether or not it can route the packet. A screening router looks more closely at a packet to determine whether or not it should route the packet [Chap95].
(4) If the router does not filter on source port or filter on inbound as well as outbound packets, it may become difficult to implement a "deny everything unless specifically permitted" policy [Chap95].
(5) [Moli95] presents an architecture for advanced packet filtering and argues screening routers alone can provide effective security.
(6) For application level gateways to be effective some form of IP level segregation between the Internet and the trusted network, such as a screening router or dual-homed host that doesn't route packets, must have been implemented.
(7) Application level gateways are often called "proxy servers".
(8) This is because the user connects to the host that is providing the application proxy rather than to the real host on the Internet. The real host's address must somehow be provided to the application proxy so that it can establish the other half of the connection. In the case of an application level gateway the real address can be included in the application protocol because the application level gateway understands the application protocol. However circuit level gateways do not understand the application protocol and the real address must be provided by some other means, hence the use of modified client software that provides the destination address to the proxy application.
(9) Strictly speaking this is not true, as services could be provided if users are allowed to log in to the dual-homed host itself. However this is a significant security risk [Ches94, Chap95, Siya95, Hugh95] and most users find it too inconvenient [Chap95].
(10) The perimeter network is often referred to as the demilitarised zone (DMZ).