WhiteHelm End to End Network Security
Firewall/Perimeter Security

 

Background and Firewall Basics

Before you can understand firewalls, it's important to understand the basic principles that make them work.

What is a network firewall?

A  firewall is a system or group of systems that enforces an access control policy between two networks. The  actual means by which this  is accomplished varies  widely, but in principle, the firewall can be thought  of as a pair of mechanisms:  one which exists to block traffic, and the other which exists to permit traffic. Some firewalls  place a greater emphasis on blocking traffic, while others emphasize permitting  traffic. Probably the most  important thing to recognize  about a firewall is that  it implements an access control policy. If you don't have a good idea of what kind of access you want to allow or to  deny, a firewall really won't help you. It's also  important to recognize  that the firewall's configuration, because it is a mechanism  for enforcing policy, imposes its policy on everything behind it. Administrators  for firewalls managing the connectivity for a large number of hosts therefore  have a heavy responsibility.

Why would I want a firewall?

The  Internet, like any other  society, is plagued with  the kind of people who  enjoy the electronic equivalent of writing on other people's walls with spray paint,  tearing their mailboxes off, or just sitting in  the street blowing their  car horns. Some people  try to get real work done over the Internet, and others have sensitive or proprietary data they must protect. Usually, a firewall's purpose is to keep unauthorised  people out of your network  while still letting you get your job done.

Many traditional-style corporations and data centers have computing  security policies and practices that must be adhered to.  In a case where a company's policies dictate how data  must be protected, a firewall is very important, since  it is the embodiment of the corporate policy. Frequently,  the hardest part of hooking to the Internet, if you're a large company, is not  justifying the expense  or effort, but convincing management that it's safe  to do so. A firewall provides not only real security--it often plays an important role as a security blanket for management.

Lastly,  a firewall can act as your  corporate ``ambassador''  to the Internet. Many corporations  use their firewall systems  as a place to store public information about corporate  products and services,  files to download, bug-fixes, and so forth. Several of these systems have become  important parts of the  Internet service structure  and have reflected well on their organisational sponsors.

What can a firewall protect against?

Some firewalls permit only email  traffic through them, thereby protecting the network against any attacks other  than attacks against the  email service. Other firewalls  provide less strict protections,  and block services that are known to be problems.

Generally, firewalls are configured to protect against unauthenticated interactive logins from  the ``outside'' world.  This, more than anything,  helps prevent vandals from  logging into machines on  your network. More elaborate  firewalls block traffic  from the outside to the inside, but permit users on the inside to communicate freely with the outside. The firewall can protect  you against any type of network-borne attack if  you unplug it.

Firewalls  are also important since  they can provide a single ``choke point'' where security and audit can be imposed.  Unlike in a situation where  a computer system is being  attacked by someone dialing in with a modem, the firewall  can act as an effective  ``phone tap'' and tracing tool. Firewalls provide  an important logging and  auditing function; often  they provide summaries  to the administrator about  what kinds and amount of  traffic passed through  it, how many attempts there  were to break into it,  etc.

This is an important point: providing this ``choke point'' can serve the same purpose on your network  as a guarded gate can for  your site's physical premises.  That means anytime you  have a change in ``zones''  or levels of sensitivity, such a checkpoint is appropriate. A company rarely has only  an outside gate and no  receptionist or security  staff to check badges on  the way in. If there are  layers of security on your  site, it's reasonable to  expect layers of security on your network.

What can't a firewall protect against?

Firewalls  can't protect against attacks that don't go through the  firewall. Many corporations that connect to the Internet are very concerned about proprietary data leaking out of the company through that route. Unfortunately  for those concerned, a magnetic tape can just as effectively be used to export data. Many organisations that are terrified (at a management level) of Internet connections have  no coherent policy about  how dial-in access via  modems should be protected. It's silly to build a 6-foot thick steel door when you  live in a wooden house, but there are a lot of organizations out there  buying expensive firewalls  and neglecting the numerous other back-doors into their  network. For a firewall to work, it must be a part of a consistent overall  organisational security architecture. Firewall  policies must be realistic and reflect the level of security in the entire network. For example, a  site with top secret or classified data doesn't  need a firewall at all: they shouldn't be hooking  up to the Internet in the first place, or the systems  with the really secret  data should be isolated from the rest of the corporate network.

Another thing a firewall can't really protect you against is traitors or people inside your network, i.e., a disgruntled employee. While an industrial spy might export information through your firewall, he's just as likely to export it through a telephone, FAX machine, or floppy disk. Floppy disks are a far more likely means for information to leak from your organisation than a firewall! Firewalls also cannot protect you against stupidity. Users who reveal sensitive information over the telephone are good targets for social engineering; an attacker may be able to break into your network by completely bypassing your firewall, if he can find a ``helpful'' employee inside who can be fooled into giving access to a modem pool. Before deciding this isn't a problem in your organisation, ask yourself how much trouble a contractor has getting logged into the network or how much difficulty a user who forgot his password has getting it reset. If the people on the help desk believe that every call is internal, you have a problem.

Lastly,  firewalls can't protect against tunneling over most application protocols to trojaned or poorly written  clients. There are no magic bullets and a firewall is not an excuse to not  implement software controls on internal networks or  ignore host security on  servers. Tunneling ``bad''  things over HTTP, SMTP, and other protocols is quite simple and trivially  demonstrated. Security  isn't ``fire and forget''.

What about viruses?

Firewalls can't protect very well against things like viruses. There are too many ways of encoding binary files for transfer over networks, and too many different architectures and viruses to try to search for them all. In other words, a firewall cannot replace security-consciousness on the part of your users. In general, a firewall cannot protect against a data-driven attack--attacks in which something is mailed or copied to an internal host where it is then executed. This form of attack has occurred in the past against various versions of sendmail, ghostscript, and scripting mail user agents like Outlook.

Organisations  that are deeply concerned about viruses should implement organisation-wide virus  control measures. Rather than trying to screen viruses  out at the firewall, make sure that every vulnerable desktop has virus scanning software that is run when  the machine is rebooted.  Blanketing your network with virus scanning software will protect against viruses  that come in via floppy disks, modems, and Internet. Trying to block viruses  at the firewall will only protect against viruses  from the Internet--and  the vast majority of viruses  are caught via floppy disks.

Nevertheless,  an increasing number of firewall vendors are offering  ``virus detecting'' firewalls.  They're probably only useful for naive users exchanging Windows-on-Intel executable  programs and malicious-macro-capable  application documents. There are many firewall-based  approaches for dealing  with problems like the  ``ILOVEYOU'' worm and related  attacks. A strong firewall  is never a substitute for sensible software that recognises the nature of what it's handling--untrusted  data from an unauthenticated  party--and behaves appropriately. Do not think that because  ``everyone'' is using that mailer or because the vendor is a gargantuan multinational  company, you're safe. In  fact, it isn't true that  ``everyone'' is using any mailer, and companies that specialize in turning technology invented elsewhere into something that's ``easy  to use'' without any expertise  are more likely to produce  software that can be fooled.

Design and Implementation Issues

What are some of the basic design decisions in a firewall?

There  are a number of basic design  issues that should be addressed by whoever has been tasked with the responsibility of designing, specifying,  and implementing or overseeing  the installation of a firewall.

The  first and most important  decision reflects the policy  of how your company or  organisation wants to operate the system: is the firewall  in place explicitly to  deny all services except  those critical to the mission of connecting to the Net, or is the firewall in place  to provide a metered and  audited method of ``queuing'' access in a non-threatening  manner? There are degrees  of paranoia between these positions; the final stance  of your firewall might  be more the result of a  political than an engineering decision.

The  second is: what level of  monitoring, redundancy, and control do you want? Having established the acceptable risk level by resolving the first issue, you can form a checklist of what should be monitored, permitted, and denied. In other words, you start by figuring out your overall objectives, and then combine a needs analysis with a  risk assessment, and sort the almost always conflicting  requirements out into a shopping list that specifies what you plan to implement.

The third issue is financial. We can't address this one here in anything but vague terms, but it's important to try to quantify any proposed solutions in terms of how much they will cost either to buy or to implement, or what it will cost your organisation if you do not have protection and key business systems are compromised.

What are the basic types of firewalls?

Conceptually, there are two types of firewalls:

1. Network layer

2. Application layer

They are not as different as you might think, and the latest technologies are blurring the distinction to the point where it's no longer clear if either one is ``better'' or ``worse.'' As always, you need to be careful to pick the type that meets your needs.

Which  is which depends on what  mechanisms the firewall uses to pass traffic from  one security zone to another. The International Standards  Organization (ISO) Open Systems Interconnect (OSI) model for networking defines seven layers, where each layer provides services  that ``higher-level'' layers  depend on. In order from  the bottom, these layers  are physical, data link, network, transport, session, presentation, application.

The  important thing to recognize  is that the lower-level the forwarding mechanism,  the less examination the  firewall can perform. Generally speaking, lower-level firewalls  are faster, but are easier  to fool into doing the  wrong thing.

Network layer firewalls

These generally make their decisions based on the source and destination addresses and ports in individual IP packets. A simple router is the ``traditional'' network layer firewall, since it is not able to make particularly sophisticated decisions about what a packet is actually talking to or where it actually came from. Modern network layer firewalls have become increasingly sophisticated, and now maintain internal information about the state of connections passing through them, the contents of some of the data streams, and so on. One important distinction about many network layer firewalls is that they route traffic directly through them, so to use one you either need to have a validly assigned IP address block or to use a ``private internet'' address block. Network layer firewalls tend to be very fast and tend to be very transparent to users.
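The address-and-port decision and the connection state described above can be modelled in a few lines. This is an added example, not code from the original page or from any firewall product; the class names, the rule format and the addresses (a private inside block and documentation-range outside hosts) are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    src_net: str
    dst_net: str
    dport: Optional[int]    # None matches any destination port

class StatefulFilter:
    def __init__(self, rules, default="deny"):
        self.rules = rules
        self.default = default      # stance when no rule matches
        self.established = set()    # flows opened by permitted packets

    def _matches(self, rule, pkt):
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst_net)
                and rule.dport in (None, pkt.dport))

    def decide(self, pkt):
        # A reply to a flow that a permitted packet opened passes on state alone.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.established:
            return "permit"
        for rule in self.rules:     # first matching rule wins
            if self._matches(rule, pkt):
                if rule.action == "permit":
                    self.established.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return rule.action
        return self.default

# Constructed policy: inbound mail to one host, nothing else inbound, inside may talk out.
RULES = [
    Rule("permit", "0.0.0.0/0", "192.168.10.25/32", 25),
    Rule("deny", "0.0.0.0/0", "192.168.10.0/24", None),
    Rule("permit", "192.168.10.0/24", "0.0.0.0/0", None),
]
```

Without the `established` table, a stateless router would have to admit every inbound packet that merely claims to be a reply.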

Application layer firewalls

These generally are hosts running proxy servers, which permit no traffic directly between networks, and which perform elaborate logging and auditing of traffic passing through them. Since the proxy applications are software components running on the firewall, it is a good place to do lots of logging and access control. Application layer firewalls can be used as network address translators, since traffic goes in one ``side'' and out the other, after having passed through an application that effectively masks the origin of the initiating connection. Having an application in the way in some cases may impact performance and may make the firewall less transparent. Early application layer firewalls, such as those built using the TIS firewall toolkit, are not particularly transparent to end users and may require some training. Modern application layer firewalls are often fully transparent. Application layer firewalls tend to provide more detailed audit reports and tend to enforce more conservative security models than network layer firewalls.

What are proxy servers and how do they work?

A proxy server (sometimes referred to as an application gateway or forwarder) is an application that mediates traffic between a protected network and the Internet. Proxies are often used instead of router-based traffic controls, to prevent traffic from passing directly between networks. Many proxies contain extra logging or support for user authentication. Since proxies must ``understand'' the application protocol being used, they can also implement protocol-specific security (e.g., an FTP proxy might be configurable to permit incoming FTP and block outgoing FTP).

Proxy servers are application-specific. In order to support a new protocol via a proxy, a proxy must be developed for it.
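The FTP case above, sketched as the per-command check an application gateway would apply on the control channel, with an audit record for every decision. This is an added example, not code from the original page or from the TIS toolkit; the class and function names are hypothetical, and it assumes one reading of "incoming" and "outgoing": clients are on the protected network, so RETR brings data in and STOR sends data out.

```python
from dataclasses import dataclass, field

# Assumption: clients sit on the protected network and servers on the Internet,
# so RETR/LIST bring data in and STOR/STOU/APPE send data out.
INBOUND_DATA = {"RETR", "LIST", "NLST"}
OUTBOUND_DATA = {"STOR", "STOU", "APPE"}
CONTROL = {"USER", "PASS", "CWD", "PWD", "TYPE", "PASV", "SYST", "QUIT"}

@dataclass
class FtpGateway:
    allow_inbound: bool = True
    allow_outbound: bool = False
    audit: list = field(default_factory=list)   # (user, verb, argument, verdict)

    def handle(self, user, line):
        """Return (forward, reply): relay the line to the server, or answer the client here."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in CONTROL:
            allowed, reply = True, None
        elif verb in INBOUND_DATA:
            allowed, reply = self.allow_inbound, "550 Denied by gateway policy"
        elif verb in OUTBOUND_DATA:
            allowed, reply = self.allow_outbound, "550 Denied by gateway policy"
        else:
            # The proxy only relays commands it understands.
            allowed, reply = False, "502 Command not supported by gateway"
        shown = "****" if verb == "PASS" else arg   # keep credentials out of the audit trail
        self.audit.append((user, verb, shown, "permit" if allowed else "deny"))
        return (True, None) if allowed else (False, reply)

# Constructed control-channel lines from one client session.
SESSION = ["USER alice", "PASS example-pw", "RETR patch.tar", "STOR payroll.xls", "SITE EXEC ls"]

def run_session(gateway, user, lines):
    return [gateway.handle(user, line) for line in lines]
```

The final `else` branch is the practical meaning of "application-specific": a command the gateway was never written to understand is refused rather than passed through.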

Please call 0870 421 4023 to find out more about  firewalls and how your  company can implement an access control policy,  or e-mail firewall.team@Whitehelm.com requesting more information.

 


Copyright ©2004-2007 Whitehelm Network Security Ltd