Network Computing INDM Firewalls

Internet Firewall Essentials

by Eric Hall



Proxy and Bastion Servers


One solution to these problems has been to use proxy servers or bastion hosts. These systems range from simple application redirectors to complete, fully intelligent routers that act as application agents on behalf of your network.

At the low end of the scale, products such as the CERN HTTPD server can provide proxy connections to remote FTP, Gopher and HTTP servers on behalf of your internal clients, thereby preventing them from connecting to remote systems directly. This has the effect of making these specific connections somewhat secure, as you can trust your proxy server to a certain degree, and do not have to allow any incoming connections from outside sources.

At the high end, complete security-centric products that offer communication replacement functions don't allow any direct connections at all, and force everything to be examined and filtered for suitability. For example, BorderWare's Firewall Server offers proxy functionality like the CERN offering, but also provides public and private DNS servers, secure mail servers, and a variety of other functions. Since these products have multiple adapters, they essentially act as intelligent routers, rewriting packets in memory on a per-connection basis, rather than simply forwarding packets between the external and internal interfaces. These types of products can be extremely expensive, but they are also your best bet if this level of security is required.

Additional Concerns


There are other issues and concerns with which even fully functional bastion systems offer no help. You still have to concern yourself with some of the essential puzzlers of Internet security.

For example, IP addresses can be spoofed, so that a sinister host appears to be a trusted host. This is often accomplished through the use of IP's source-routing option, which essentially tells the routers not to use their normal routes for delivery of the packet, but to send it via the router identified in the packet's header. This lets a hacker use another system's IP address and still get the packets back, regardless of what routes lie between him and the destination. Some of the higher-end products allow you to disable or ignore the source-routing option, but not all of them.

Disabling source routing can be a good thing to do. For Internet connectivity, you generally have one path out of your network, and that's through the ISP. If you disable source routing, you'll just return the packets back through your normal routing channels. The ISP will have to deliver the packets to the destination as they see fit. As your response packets will not have source-routing headers (since you've turned it off), the responses will follow the Internet's general routing tables.
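The source-routing option discussed above is carried in the IPv4 header's option field, so a firewall or packet logger can recognize it before any routing decision is made. The following is an added example, not code from the article or from any product it names: it parses the IPv4 options of a raw header and reports a Loose or Strict Source and Record Route option, using constructed sample headers (the addresses are documentation ranges chosen for the example).

```python
import socket

# IPv4 option type codes (RFC 791): Loose and Strict Source and Record Route
LSRR, SSRR = 131, 137
EOL, NOP = 0, 1


def source_route(packet: bytes):
    """Return {'kind': 'LSRR'|'SSRR', 'hops': [...]} if the IPv4 header carries
    a source-route option, or None if it does not. Raises on malformed headers."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes, 20..60
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    opts, i = packet[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:
            break
        if kind == NOP:                   # single-byte padding option
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option")
        length = opts[i + 1]
        if kind in (LSRR, SSRR):
            # layout: type, length, pointer, then a list of 4-byte addresses
            body = opts[i + 3:i + length]
            hops = [socket.inet_ntoa(body[j:j + 4]) for j in range(0, len(body) - 3, 4)]
            return {"kind": "LSRR" if kind == LSRR else "SSRR", "hops": hops}
        i += length
    return None


def make_source_route_option(kind: int, hops) -> bytes:
    """Encode an LSRR/SSRR option: type, length, pointer (4 = first address)."""
    body = b"".join(socket.inet_aton(h) for h in hops)
    return bytes([kind, 3 + len(body), 4]) + body


def build_ipv4_header(src: str, dst: str, options: bytes = b"") -> bytes:
    """Constructed sample header (no payload, checksum left zero) for testing."""
    options += b"\x00" * ((-len(options)) % 4)      # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    fixed = bytes([0x40 | ihl, 0]) + (ihl * 4).to_bytes(2, "big") + b"\x00" * 4
    fixed += bytes([64, 6]) + b"\x00\x00" + socket.inet_aton(src) + socket.inet_aton(dst)
    return fixed + options
```

A filter that drops or logs any packet for which `source_route` returns a value implements the "ignore source routing" behaviour the article recommends, without depending on the product's own setting.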

Also, you will need to find out what the firewall product you are considering does when it rejects a packet. Does it send an ICMP "host unreachable" message back to the originating system, does it send an ICMP "host administratively unreachable" message, or does it do nothing at all? Each of these scenarios has different security implications, and may make a difference in your choice of product. The ICMP "host administratively unreachable" message tells a hacker that a firewall is specifically blocking a specific port, which may be more information than you want to give out. The ICMP "host unreachable" error can be interpreted literally by older systems, which will then stop trying to send any packets at all to that host, which may not be the desired effect either. Sending nothing back at all will cause the originating system to keep trying to establish the connection until the application or stack times out, which can be annoying to end users who have made a simple mistake. Sending nothing back is probably the safest method of the three, since a hacker cannot tell whether a port is blocked or simply not in use, only that no responses come back at all.

Additional Firewall Resources

Updated November 15, 1996